Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * ebtables | |
3 | * | |
4 | * Author: | |
5 | * Bart De Schuymer <bdschuym@pandora.be> | |
6 | * | |
7 | * ebtables.c,v 2.0, July, 2002 | |
8 | * | |
9 | * This code is stongly inspired on the iptables code which is | |
10 | * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling | |
11 | * | |
12 | * This program is free software; you can redistribute it and/or | |
13 | * modify it under the terms of the GNU General Public License | |
14 | * as published by the Free Software Foundation; either version | |
15 | * 2 of the License, or (at your option) any later version. | |
16 | */ | |
ff67e4e4 | 17 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
1da177e4 LT |
18 | #include <linux/kmod.h> |
19 | #include <linux/module.h> | |
20 | #include <linux/vmalloc.h> | |
18219d3f | 21 | #include <linux/netfilter/x_tables.h> |
1da177e4 LT |
22 | #include <linux/netfilter_bridge/ebtables.h> |
23 | #include <linux/spinlock.h> | |
df0933dc | 24 | #include <linux/mutex.h> |
5a0e3ad6 | 25 | #include <linux/slab.h> |
1da177e4 LT |
26 | #include <asm/uaccess.h> |
27 | #include <linux/smp.h> | |
c8923c6b | 28 | #include <linux/cpumask.h> |
1da177e4 LT |
29 | #include <net/sock.h> |
30 | /* needed for logical [in,out]-dev filtering */ | |
31 | #include "../br_private.h" | |
32 | ||
1da177e4 | 33 | #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\ |
9d6f229f | 34 | "report to author: "format, ## args) |
1da177e4 | 35 | /* #define BUGPRINT(format, args...) */ |
1da177e4 LT |
36 | |
37 | /* | |
38 | * Each cpu has its own set of counters, so there is no need for write_lock in | |
39 | * the softirq | |
40 | * For reading or updating the counters, the user context needs to | |
41 | * get a write_lock | |
42 | */ | |
43 | ||
44 | /* The size of each set of counters is altered to get cache alignment */ | |
45 | #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1)) | |
46 | #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter))) | |
47 | #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \ | |
48 | COUNTER_OFFSET(n) * cpu)) | |
49 | ||
50 | ||
51 | ||
57b47a53 | 52 | static DEFINE_MUTEX(ebt_mutex); |
1da177e4 | 53 | |
81e675c2 FW |
54 | #ifdef CONFIG_COMPAT |
55 | static void ebt_standard_compat_from_user(void *dst, const void *src) | |
56 | { | |
57 | int v = *(compat_int_t *)src; | |
58 | ||
59 | if (v >= 0) | |
60 | v += xt_compat_calc_jump(NFPROTO_BRIDGE, v); | |
61 | memcpy(dst, &v, sizeof(v)); | |
62 | } | |
63 | ||
64 | static int ebt_standard_compat_to_user(void __user *dst, const void *src) | |
65 | { | |
66 | compat_int_t cv = *(int *)src; | |
67 | ||
68 | if (cv >= 0) | |
69 | cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv); | |
70 | return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0; | |
71 | } | |
72 | #endif | |
73 | ||
74 | ||
043ef46c | 75 | static struct xt_target ebt_standard_target = { |
001a18d3 JE |
76 | .name = "standard", |
77 | .revision = 0, | |
78 | .family = NFPROTO_BRIDGE, | |
043ef46c | 79 | .targetsize = sizeof(int), |
81e675c2 FW |
80 | #ifdef CONFIG_COMPAT |
81 | .compatsize = sizeof(compat_int_t), | |
82 | .compat_from_user = ebt_standard_compat_from_user, | |
83 | .compat_to_user = ebt_standard_compat_to_user, | |
84 | #endif | |
18219d3f | 85 | }; |
1da177e4 | 86 | |
7eb35586 JE |
87 | static inline int |
88 | ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb, | |
de74c169 | 89 | struct xt_action_param *par) |
1da177e4 | 90 | { |
7eb35586 JE |
91 | par->target = w->u.watcher; |
92 | par->targinfo = w->data; | |
93 | w->u.watcher->target(skb, par); | |
1da177e4 LT |
94 | /* watchers don't give a verdict */ |
95 | return 0; | |
96 | } | |
97 | ||
de74c169 JE |
98 | static inline int |
99 | ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb, | |
100 | struct xt_action_param *par) | |
1da177e4 | 101 | { |
f7108a20 JE |
102 | par->match = m->u.match; |
103 | par->matchinfo = m->data; | |
d61ba9fd | 104 | return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH; |
1da177e4 LT |
105 | } |
106 | ||
d5d1baa1 JE |
107 | static inline int |
108 | ebt_dev_check(const char *entry, const struct net_device *device) | |
1da177e4 LT |
109 | { |
110 | int i = 0; | |
f3d8b2e4 | 111 | const char *devname; |
1da177e4 LT |
112 | |
113 | if (*entry == '\0') | |
114 | return 0; | |
115 | if (!device) | |
116 | return 1; | |
f3d8b2e4 | 117 | devname = device->name; |
1da177e4 LT |
118 | /* 1 is the wildcard token */ |
119 | while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i]) | |
120 | i++; | |
121 | return (devname[i] != entry[i] && entry[i] != 1); | |
122 | } | |
123 | ||
124 | #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg)) | |
125 | /* process standard matches */ | |
d5d1baa1 JE |
126 | static inline int |
127 | ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h, | |
128 | const struct net_device *in, const struct net_device *out) | |
1da177e4 LT |
129 | { |
130 | int verdict, i; | |
131 | ||
132 | if (e->bitmask & EBT_802_3) { | |
133 | if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO)) | |
134 | return 1; | |
135 | } else if (!(e->bitmask & EBT_NOPROTO) && | |
136 | FWINV2(e->ethproto != h->h_proto, EBT_IPROTO)) | |
137 | return 1; | |
138 | ||
139 | if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN)) | |
140 | return 1; | |
141 | if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT)) | |
142 | return 1; | |
143 | if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check( | |
144 | e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN)) | |
145 | return 1; | |
146 | if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check( | |
147 | e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT)) | |
148 | return 1; | |
149 | ||
150 | if (e->bitmask & EBT_SOURCEMAC) { | |
151 | verdict = 0; | |
152 | for (i = 0; i < 6; i++) | |
153 | verdict |= (h->h_source[i] ^ e->sourcemac[i]) & | |
154 | e->sourcemsk[i]; | |
155 | if (FWINV2(verdict != 0, EBT_ISOURCE) ) | |
156 | return 1; | |
157 | } | |
158 | if (e->bitmask & EBT_DESTMAC) { | |
159 | verdict = 0; | |
160 | for (i = 0; i < 6; i++) | |
161 | verdict |= (h->h_dest[i] ^ e->destmac[i]) & | |
162 | e->destmsk[i]; | |
163 | if (FWINV2(verdict != 0, EBT_IDEST) ) | |
164 | return 1; | |
165 | } | |
166 | return 0; | |
167 | } | |
168 | ||
98e86403 JE |
169 | static inline __pure |
170 | struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry) | |
171 | { | |
172 | return (void *)entry + entry->next_offset; | |
173 | } | |
174 | ||
1da177e4 | 175 | /* Do some firewalling */ |
3db05fea | 176 | unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb, |
1da177e4 LT |
177 | const struct net_device *in, const struct net_device *out, |
178 | struct ebt_table *table) | |
179 | { | |
180 | int i, nentries; | |
181 | struct ebt_entry *point; | |
182 | struct ebt_counter *counter_base, *cb_base; | |
d5d1baa1 | 183 | const struct ebt_entry_target *t; |
1da177e4 LT |
184 | int verdict, sp = 0; |
185 | struct ebt_chainstack *cs; | |
186 | struct ebt_entries *chaininfo; | |
d5d1baa1 JE |
187 | const char *base; |
188 | const struct ebt_table_info *private; | |
5365f802 | 189 | bool hotdrop = false; |
de74c169 | 190 | struct xt_action_param acpar; |
f7108a20 | 191 | |
de74c169 JE |
192 | acpar.family = NFPROTO_BRIDGE; |
193 | acpar.in = in; | |
194 | acpar.out = out; | |
195 | acpar.hotdrop = &hotdrop; | |
196 | acpar.hooknum = hook; | |
1da177e4 LT |
197 | |
198 | read_lock_bh(&table->lock); | |
199 | private = table->private; | |
200 | cb_base = COUNTER_BASE(private->counters, private->nentries, | |
201 | smp_processor_id()); | |
202 | if (private->chainstack) | |
203 | cs = private->chainstack[smp_processor_id()]; | |
204 | else | |
205 | cs = NULL; | |
206 | chaininfo = private->hook_entry[hook]; | |
207 | nentries = private->hook_entry[hook]->nentries; | |
208 | point = (struct ebt_entry *)(private->hook_entry[hook]->data); | |
209 | counter_base = cb_base + private->hook_entry[hook]->counter_offset; | |
210 | /* base for chain jumps */ | |
211 | base = private->entries; | |
212 | i = 0; | |
213 | while (i < nentries) { | |
3db05fea | 214 | if (ebt_basic_match(point, eth_hdr(skb), in, out)) |
1da177e4 LT |
215 | goto letscontinue; |
216 | ||
de74c169 | 217 | if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0) |
1da177e4 | 218 | goto letscontinue; |
5365f802 JE |
219 | if (hotdrop) { |
220 | read_unlock_bh(&table->lock); | |
221 | return NF_DROP; | |
222 | } | |
1da177e4 LT |
223 | |
224 | /* increase counter */ | |
225 | (*(counter_base + i)).pcnt++; | |
3db05fea | 226 | (*(counter_base + i)).bcnt += skb->len; |
1da177e4 LT |
227 | |
228 | /* these should only watch: not modify, nor tell us | |
229 | what to do with the packet */ | |
de74c169 | 230 | EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar); |
1da177e4 LT |
231 | |
232 | t = (struct ebt_entry_target *) | |
233 | (((char *)point) + point->target_offset); | |
234 | /* standard target */ | |
235 | if (!t->u.target->target) | |
236 | verdict = ((struct ebt_standard_target *)t)->verdict; | |
7eb35586 | 237 | else { |
de74c169 JE |
238 | acpar.target = t->u.target; |
239 | acpar.targinfo = t->data; | |
240 | verdict = t->u.target->target(skb, &acpar); | |
7eb35586 | 241 | } |
1da177e4 LT |
242 | if (verdict == EBT_ACCEPT) { |
243 | read_unlock_bh(&table->lock); | |
244 | return NF_ACCEPT; | |
245 | } | |
246 | if (verdict == EBT_DROP) { | |
247 | read_unlock_bh(&table->lock); | |
248 | return NF_DROP; | |
249 | } | |
250 | if (verdict == EBT_RETURN) { | |
251 | letsreturn: | |
252 | #ifdef CONFIG_NETFILTER_DEBUG | |
253 | if (sp == 0) { | |
254 | BUGPRINT("RETURN on base chain"); | |
255 | /* act like this is EBT_CONTINUE */ | |
256 | goto letscontinue; | |
257 | } | |
258 | #endif | |
259 | sp--; | |
260 | /* put all the local variables right */ | |
261 | i = cs[sp].n; | |
262 | chaininfo = cs[sp].chaininfo; | |
263 | nentries = chaininfo->nentries; | |
264 | point = cs[sp].e; | |
265 | counter_base = cb_base + | |
266 | chaininfo->counter_offset; | |
267 | continue; | |
268 | } | |
269 | if (verdict == EBT_CONTINUE) | |
270 | goto letscontinue; | |
271 | #ifdef CONFIG_NETFILTER_DEBUG | |
272 | if (verdict < 0) { | |
273 | BUGPRINT("bogus standard verdict\n"); | |
274 | read_unlock_bh(&table->lock); | |
275 | return NF_DROP; | |
276 | } | |
277 | #endif | |
278 | /* jump to a udc */ | |
279 | cs[sp].n = i + 1; | |
280 | cs[sp].chaininfo = chaininfo; | |
98e86403 | 281 | cs[sp].e = ebt_next_entry(point); |
1da177e4 LT |
282 | i = 0; |
283 | chaininfo = (struct ebt_entries *) (base + verdict); | |
284 | #ifdef CONFIG_NETFILTER_DEBUG | |
285 | if (chaininfo->distinguisher) { | |
286 | BUGPRINT("jump to non-chain\n"); | |
287 | read_unlock_bh(&table->lock); | |
288 | return NF_DROP; | |
289 | } | |
290 | #endif | |
291 | nentries = chaininfo->nentries; | |
292 | point = (struct ebt_entry *)chaininfo->data; | |
293 | counter_base = cb_base + chaininfo->counter_offset; | |
294 | sp++; | |
295 | continue; | |
296 | letscontinue: | |
98e86403 | 297 | point = ebt_next_entry(point); |
1da177e4 LT |
298 | i++; |
299 | } | |
300 | ||
301 | /* I actually like this :) */ | |
302 | if (chaininfo->policy == EBT_RETURN) | |
303 | goto letsreturn; | |
304 | if (chaininfo->policy == EBT_ACCEPT) { | |
305 | read_unlock_bh(&table->lock); | |
306 | return NF_ACCEPT; | |
307 | } | |
308 | read_unlock_bh(&table->lock); | |
309 | return NF_DROP; | |
310 | } | |
311 | ||
312 | /* If it succeeds, returns element and locks mutex */ | |
313 | static inline void * | |
314 | find_inlist_lock_noload(struct list_head *head, const char *name, int *error, | |
57b47a53 | 315 | struct mutex *mutex) |
1da177e4 | 316 | { |
df0933dc PM |
317 | struct { |
318 | struct list_head list; | |
319 | char name[EBT_FUNCTION_MAXNAMELEN]; | |
320 | } *e; | |
1da177e4 | 321 | |
57b47a53 | 322 | *error = mutex_lock_interruptible(mutex); |
1da177e4 LT |
323 | if (*error != 0) |
324 | return NULL; | |
325 | ||
df0933dc PM |
326 | list_for_each_entry(e, head, list) { |
327 | if (strcmp(e->name, name) == 0) | |
328 | return e; | |
1da177e4 | 329 | } |
df0933dc PM |
330 | *error = -ENOENT; |
331 | mutex_unlock(mutex); | |
332 | return NULL; | |
1da177e4 LT |
333 | } |
334 | ||
1da177e4 LT |
335 | static void * |
336 | find_inlist_lock(struct list_head *head, const char *name, const char *prefix, | |
57b47a53 | 337 | int *error, struct mutex *mutex) |
1da177e4 | 338 | { |
95a5afca JB |
339 | return try_then_request_module( |
340 | find_inlist_lock_noload(head, name, error, mutex), | |
341 | "%s%s", prefix, name); | |
1da177e4 | 342 | } |
1da177e4 LT |
343 | |
344 | static inline struct ebt_table * | |
511061e2 AD |
345 | find_table_lock(struct net *net, const char *name, int *error, |
346 | struct mutex *mutex) | |
1da177e4 | 347 | { |
511061e2 AD |
348 | return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name, |
349 | "ebtable_", error, mutex); | |
1da177e4 LT |
350 | } |
351 | ||
1da177e4 | 352 | static inline int |
9b4fce7a JE |
353 | ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par, |
354 | unsigned int *cnt) | |
1da177e4 | 355 | { |
9b4fce7a | 356 | const struct ebt_entry *e = par->entryinfo; |
043ef46c | 357 | struct xt_match *match; |
14197d54 | 358 | size_t left = ((char *)e + e->watchers_offset) - (char *)m; |
1da177e4 LT |
359 | int ret; |
360 | ||
14197d54 AV |
361 | if (left < sizeof(struct ebt_entry_match) || |
362 | left - sizeof(struct ebt_entry_match) < m->match_size) | |
1da177e4 | 363 | return -EINVAL; |
043ef46c | 364 | |
fd0ec0e6 | 365 | match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0); |
043ef46c JE |
366 | if (IS_ERR(match)) |
367 | return PTR_ERR(match); | |
043ef46c JE |
368 | m->u.match = match; |
369 | ||
9b4fce7a JE |
370 | par->match = match; |
371 | par->matchinfo = m->data; | |
916a917d | 372 | ret = xt_check_match(par, m->match_size, |
9b4fce7a | 373 | e->ethproto, e->invflags & EBT_IPROTO); |
043ef46c JE |
374 | if (ret < 0) { |
375 | module_put(match->me); | |
376 | return ret; | |
1da177e4 | 377 | } |
043ef46c | 378 | |
1da177e4 LT |
379 | (*cnt)++; |
380 | return 0; | |
381 | } | |
382 | ||
383 | static inline int | |
af5d6dc2 JE |
384 | ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par, |
385 | unsigned int *cnt) | |
1da177e4 | 386 | { |
af5d6dc2 | 387 | const struct ebt_entry *e = par->entryinfo; |
043ef46c | 388 | struct xt_target *watcher; |
14197d54 | 389 | size_t left = ((char *)e + e->target_offset) - (char *)w; |
1da177e4 LT |
390 | int ret; |
391 | ||
14197d54 AV |
392 | if (left < sizeof(struct ebt_entry_watcher) || |
393 | left - sizeof(struct ebt_entry_watcher) < w->watcher_size) | |
1da177e4 | 394 | return -EINVAL; |
043ef46c | 395 | |
d2a7b6ba | 396 | watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0); |
043ef46c JE |
397 | if (IS_ERR(watcher)) |
398 | return PTR_ERR(watcher); | |
043ef46c JE |
399 | w->u.watcher = watcher; |
400 | ||
af5d6dc2 JE |
401 | par->target = watcher; |
402 | par->targinfo = w->data; | |
916a917d | 403 | ret = xt_check_target(par, w->watcher_size, |
af5d6dc2 | 404 | e->ethproto, e->invflags & EBT_IPROTO); |
043ef46c JE |
405 | if (ret < 0) { |
406 | module_put(watcher->me); | |
407 | return ret; | |
1da177e4 | 408 | } |
043ef46c | 409 | |
1da177e4 LT |
410 | (*cnt)++; |
411 | return 0; | |
412 | } | |
413 | ||
d5d1baa1 | 414 | static int ebt_verify_pointers(const struct ebt_replace *repl, |
70fe9af4 | 415 | struct ebt_table_info *newinfo) |
1da177e4 | 416 | { |
70fe9af4 AV |
417 | unsigned int limit = repl->entries_size; |
418 | unsigned int valid_hooks = repl->valid_hooks; | |
419 | unsigned int offset = 0; | |
1da177e4 LT |
420 | int i; |
421 | ||
e4fd77de AV |
422 | for (i = 0; i < NF_BR_NUMHOOKS; i++) |
423 | newinfo->hook_entry[i] = NULL; | |
424 | ||
425 | newinfo->entries_size = repl->entries_size; | |
426 | newinfo->nentries = repl->nentries; | |
427 | ||
70fe9af4 AV |
428 | while (offset < limit) { |
429 | size_t left = limit - offset; | |
430 | struct ebt_entry *e = (void *)newinfo->entries + offset; | |
bb2ef25c | 431 | |
70fe9af4 | 432 | if (left < sizeof(unsigned int)) |
1da177e4 | 433 | break; |
70fe9af4 AV |
434 | |
435 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
436 | if ((valid_hooks & (1 << i)) == 0) | |
437 | continue; | |
1e419cd9 AV |
438 | if ((char __user *)repl->hook_entry[i] == |
439 | repl->entries + offset) | |
70fe9af4 AV |
440 | break; |
441 | } | |
442 | ||
443 | if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) { | |
444 | if (e->bitmask != 0) { | |
445 | /* we make userspace set this right, | |
446 | so there is no misunderstanding */ | |
447 | BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set " | |
448 | "in distinguisher\n"); | |
449 | return -EINVAL; | |
450 | } | |
451 | if (i != NF_BR_NUMHOOKS) | |
452 | newinfo->hook_entry[i] = (struct ebt_entries *)e; | |
453 | if (left < sizeof(struct ebt_entries)) | |
454 | break; | |
455 | offset += sizeof(struct ebt_entries); | |
456 | } else { | |
457 | if (left < sizeof(struct ebt_entry)) | |
458 | break; | |
459 | if (left < e->next_offset) | |
460 | break; | |
1756de26 FW |
461 | if (e->next_offset < sizeof(struct ebt_entry)) |
462 | return -EINVAL; | |
70fe9af4 | 463 | offset += e->next_offset; |
1da177e4 | 464 | } |
22b440bf | 465 | } |
70fe9af4 AV |
466 | if (offset != limit) { |
467 | BUGPRINT("entries_size too small\n"); | |
468 | return -EINVAL; | |
469 | } | |
e4fd77de AV |
470 | |
471 | /* check if all valid hooks have a chain */ | |
472 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
473 | if (!newinfo->hook_entry[i] && | |
474 | (valid_hooks & (1 << i))) { | |
475 | BUGPRINT("Valid hook without chain\n"); | |
476 | return -EINVAL; | |
477 | } | |
478 | } | |
22b440bf | 479 | return 0; |
22b440bf AV |
480 | } |
481 | ||
482 | /* | |
483 | * this one is very careful, as it is the first function | |
484 | * to parse the userspace data | |
485 | */ | |
486 | static inline int | |
d5d1baa1 JE |
487 | ebt_check_entry_size_and_hooks(const struct ebt_entry *e, |
488 | const struct ebt_table_info *newinfo, | |
0e795531 AV |
489 | unsigned int *n, unsigned int *cnt, |
490 | unsigned int *totalcnt, unsigned int *udc_cnt) | |
22b440bf | 491 | { |
22b440bf AV |
492 | int i; |
493 | ||
494 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
0e795531 | 495 | if ((void *)e == (void *)newinfo->hook_entry[i]) |
22b440bf AV |
496 | break; |
497 | } | |
498 | /* beginning of a new chain | |
499 | if i == NF_BR_NUMHOOKS it must be a user defined chain */ | |
500 | if (i != NF_BR_NUMHOOKS || !e->bitmask) { | |
1da177e4 LT |
501 | /* this checks if the previous chain has as many entries |
502 | as it said it has */ | |
503 | if (*n != *cnt) { | |
504 | BUGPRINT("nentries does not equal the nr of entries " | |
9d6f229f | 505 | "in the chain\n"); |
1da177e4 LT |
506 | return -EINVAL; |
507 | } | |
1da177e4 LT |
508 | if (((struct ebt_entries *)e)->policy != EBT_DROP && |
509 | ((struct ebt_entries *)e)->policy != EBT_ACCEPT) { | |
510 | /* only RETURN from udc */ | |
511 | if (i != NF_BR_NUMHOOKS || | |
512 | ((struct ebt_entries *)e)->policy != EBT_RETURN) { | |
513 | BUGPRINT("bad policy\n"); | |
514 | return -EINVAL; | |
515 | } | |
516 | } | |
517 | if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */ | |
518 | (*udc_cnt)++; | |
1da177e4 LT |
519 | if (((struct ebt_entries *)e)->counter_offset != *totalcnt) { |
520 | BUGPRINT("counter_offset != totalcnt"); | |
521 | return -EINVAL; | |
522 | } | |
523 | *n = ((struct ebt_entries *)e)->nentries; | |
524 | *cnt = 0; | |
525 | return 0; | |
526 | } | |
527 | /* a plain old entry, heh */ | |
528 | if (sizeof(struct ebt_entry) > e->watchers_offset || | |
529 | e->watchers_offset > e->target_offset || | |
530 | e->target_offset >= e->next_offset) { | |
531 | BUGPRINT("entry offsets not in right order\n"); | |
532 | return -EINVAL; | |
533 | } | |
534 | /* this is not checked anywhere else */ | |
535 | if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) { | |
536 | BUGPRINT("target size too small\n"); | |
537 | return -EINVAL; | |
538 | } | |
1da177e4 LT |
539 | (*cnt)++; |
540 | (*totalcnt)++; | |
541 | return 0; | |
542 | } | |
543 | ||
544 | struct ebt_cl_stack | |
545 | { | |
546 | struct ebt_chainstack cs; | |
547 | int from; | |
548 | unsigned int hookmask; | |
549 | }; | |
550 | ||
551 | /* | |
552 | * we need these positions to check that the jumps to a different part of the | |
553 | * entries is a jump to the beginning of a new chain. | |
554 | */ | |
555 | static inline int | |
556 | ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo, | |
177abc34 | 557 | unsigned int *n, struct ebt_cl_stack *udc) |
1da177e4 LT |
558 | { |
559 | int i; | |
560 | ||
561 | /* we're only interested in chain starts */ | |
40642f95 | 562 | if (e->bitmask) |
1da177e4 LT |
563 | return 0; |
564 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
1da177e4 LT |
565 | if (newinfo->hook_entry[i] == (struct ebt_entries *)e) |
566 | break; | |
567 | } | |
568 | /* only care about udc */ | |
569 | if (i != NF_BR_NUMHOOKS) | |
570 | return 0; | |
571 | ||
572 | udc[*n].cs.chaininfo = (struct ebt_entries *)e; | |
573 | /* these initialisations are depended on later in check_chainloops() */ | |
574 | udc[*n].cs.n = 0; | |
575 | udc[*n].hookmask = 0; | |
576 | ||
577 | (*n)++; | |
578 | return 0; | |
579 | } | |
580 | ||
581 | static inline int | |
f54e9367 | 582 | ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i) |
1da177e4 | 583 | { |
6be3d859 JE |
584 | struct xt_mtdtor_param par; |
585 | ||
1da177e4 LT |
586 | if (i && (*i)-- == 0) |
587 | return 1; | |
1da177e4 | 588 | |
f54e9367 | 589 | par.net = net; |
6be3d859 JE |
590 | par.match = m->u.match; |
591 | par.matchinfo = m->data; | |
916a917d | 592 | par.family = NFPROTO_BRIDGE; |
6be3d859 JE |
593 | if (par.match->destroy != NULL) |
594 | par.match->destroy(&par); | |
595 | module_put(par.match->me); | |
1da177e4 LT |
596 | return 0; |
597 | } | |
598 | ||
599 | static inline int | |
add67461 | 600 | ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i) |
1da177e4 | 601 | { |
a2df1648 JE |
602 | struct xt_tgdtor_param par; |
603 | ||
1da177e4 LT |
604 | if (i && (*i)-- == 0) |
605 | return 1; | |
1da177e4 | 606 | |
add67461 | 607 | par.net = net; |
a2df1648 JE |
608 | par.target = w->u.watcher; |
609 | par.targinfo = w->data; | |
916a917d | 610 | par.family = NFPROTO_BRIDGE; |
a2df1648 JE |
611 | if (par.target->destroy != NULL) |
612 | par.target->destroy(&par); | |
613 | module_put(par.target->me); | |
1da177e4 LT |
614 | return 0; |
615 | } | |
616 | ||
617 | static inline int | |
f54e9367 | 618 | ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt) |
1da177e4 | 619 | { |
a2df1648 | 620 | struct xt_tgdtor_param par; |
1da177e4 LT |
621 | struct ebt_entry_target *t; |
622 | ||
40642f95 | 623 | if (e->bitmask == 0) |
1da177e4 LT |
624 | return 0; |
625 | /* we're done */ | |
626 | if (cnt && (*cnt)-- == 0) | |
627 | return 1; | |
add67461 | 628 | EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL); |
f54e9367 | 629 | EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL); |
1da177e4 | 630 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); |
1da177e4 | 631 | |
add67461 | 632 | par.net = net; |
a2df1648 JE |
633 | par.target = t->u.target; |
634 | par.targinfo = t->data; | |
916a917d | 635 | par.family = NFPROTO_BRIDGE; |
a2df1648 JE |
636 | if (par.target->destroy != NULL) |
637 | par.target->destroy(&par); | |
638 | module_put(par.target->me); | |
1da177e4 LT |
639 | return 0; |
640 | } | |
641 | ||
642 | static inline int | |
d5d1baa1 JE |
643 | ebt_check_entry(struct ebt_entry *e, struct net *net, |
644 | const struct ebt_table_info *newinfo, | |
f7da79d9 | 645 | const char *name, unsigned int *cnt, |
1da177e4 LT |
646 | struct ebt_cl_stack *cl_s, unsigned int udc_cnt) |
647 | { | |
648 | struct ebt_entry_target *t; | |
043ef46c | 649 | struct xt_target *target; |
1da177e4 | 650 | unsigned int i, j, hook = 0, hookmask = 0; |
44f9a2fd | 651 | size_t gap; |
1da177e4 | 652 | int ret; |
6be3d859 | 653 | struct xt_mtchk_param mtpar; |
af5d6dc2 | 654 | struct xt_tgchk_param tgpar; |
1da177e4 LT |
655 | |
656 | /* don't mess with the struct ebt_entries */ | |
40642f95 | 657 | if (e->bitmask == 0) |
1da177e4 LT |
658 | return 0; |
659 | ||
660 | if (e->bitmask & ~EBT_F_MASK) { | |
661 | BUGPRINT("Unknown flag for bitmask\n"); | |
662 | return -EINVAL; | |
663 | } | |
664 | if (e->invflags & ~EBT_INV_MASK) { | |
665 | BUGPRINT("Unknown flag for inv bitmask\n"); | |
666 | return -EINVAL; | |
667 | } | |
668 | if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) { | |
669 | BUGPRINT("NOPROTO & 802_3 not allowed\n"); | |
670 | return -EINVAL; | |
671 | } | |
672 | /* what hook do we belong to? */ | |
673 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
f7da79d9 | 674 | if (!newinfo->hook_entry[i]) |
1da177e4 LT |
675 | continue; |
676 | if ((char *)newinfo->hook_entry[i] < (char *)e) | |
677 | hook = i; | |
678 | else | |
679 | break; | |
680 | } | |
681 | /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on | |
682 | a base chain */ | |
683 | if (i < NF_BR_NUMHOOKS) | |
684 | hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS); | |
685 | else { | |
686 | for (i = 0; i < udc_cnt; i++) | |
687 | if ((char *)(cl_s[i].cs.chaininfo) > (char *)e) | |
688 | break; | |
689 | if (i == 0) | |
690 | hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS); | |
691 | else | |
692 | hookmask = cl_s[i - 1].hookmask; | |
693 | } | |
694 | i = 0; | |
9b4fce7a | 695 | |
add67461 | 696 | mtpar.net = tgpar.net = net; |
af5d6dc2 JE |
697 | mtpar.table = tgpar.table = name; |
698 | mtpar.entryinfo = tgpar.entryinfo = e; | |
699 | mtpar.hook_mask = tgpar.hook_mask = hookmask; | |
916a917d | 700 | mtpar.family = tgpar.family = NFPROTO_BRIDGE; |
6be3d859 | 701 | ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i); |
1da177e4 LT |
702 | if (ret != 0) |
703 | goto cleanup_matches; | |
704 | j = 0; | |
af5d6dc2 | 705 | ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j); |
1da177e4 LT |
706 | if (ret != 0) |
707 | goto cleanup_watchers; | |
708 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); | |
44f9a2fd | 709 | gap = e->next_offset - e->target_offset; |
1da177e4 | 710 | |
d2a7b6ba | 711 | target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0); |
043ef46c JE |
712 | if (IS_ERR(target)) { |
713 | ret = PTR_ERR(target); | |
001a18d3 | 714 | goto cleanup_watchers; |
001a18d3 JE |
715 | } |
716 | ||
1da177e4 LT |
717 | t->u.target = target; |
718 | if (t->u.target == &ebt_standard_target) { | |
14197d54 | 719 | if (gap < sizeof(struct ebt_standard_target)) { |
1da177e4 LT |
720 | BUGPRINT("Standard target size too big\n"); |
721 | ret = -EFAULT; | |
722 | goto cleanup_watchers; | |
723 | } | |
724 | if (((struct ebt_standard_target *)t)->verdict < | |
725 | -NUM_STANDARD_TARGETS) { | |
726 | BUGPRINT("Invalid standard target\n"); | |
727 | ret = -EFAULT; | |
728 | goto cleanup_watchers; | |
729 | } | |
18219d3f JE |
730 | } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) { |
731 | module_put(t->u.target->me); | |
732 | ret = -EFAULT; | |
733 | goto cleanup_watchers; | |
043ef46c JE |
734 | } |
735 | ||
af5d6dc2 JE |
736 | tgpar.target = target; |
737 | tgpar.targinfo = t->data; | |
916a917d | 738 | ret = xt_check_target(&tgpar, t->target_size, |
af5d6dc2 | 739 | e->ethproto, e->invflags & EBT_IPROTO); |
043ef46c JE |
740 | if (ret < 0) { |
741 | module_put(target->me); | |
18219d3f | 742 | goto cleanup_watchers; |
1da177e4 LT |
743 | } |
744 | (*cnt)++; | |
745 | return 0; | |
746 | cleanup_watchers: | |
add67461 | 747 | EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j); |
1da177e4 | 748 | cleanup_matches: |
f54e9367 | 749 | EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i); |
1da177e4 LT |
750 | return ret; |
751 | } | |
752 | ||
753 | /* | |
754 | * checks for loops and sets the hook mask for udc | |
755 | * the hook mask for udc tells us from which base chains the udc can be | |
756 | * accessed. This mask is a parameter to the check() functions of the extensions | |
757 | */ | |
d5d1baa1 | 758 | static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s, |
1da177e4 LT |
759 | unsigned int udc_cnt, unsigned int hooknr, char *base) |
760 | { | |
761 | int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict; | |
d5d1baa1 JE |
762 | const struct ebt_entry *e = (struct ebt_entry *)chain->data; |
763 | const struct ebt_entry_target *t; | |
1da177e4 LT |
764 | |
765 | while (pos < nentries || chain_nr != -1) { | |
766 | /* end of udc, go back one 'recursion' step */ | |
767 | if (pos == nentries) { | |
768 | /* put back values of the time when this chain was called */ | |
769 | e = cl_s[chain_nr].cs.e; | |
770 | if (cl_s[chain_nr].from != -1) | |
771 | nentries = | |
772 | cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries; | |
773 | else | |
774 | nentries = chain->nentries; | |
775 | pos = cl_s[chain_nr].cs.n; | |
776 | /* make sure we won't see a loop that isn't one */ | |
777 | cl_s[chain_nr].cs.n = 0; | |
778 | chain_nr = cl_s[chain_nr].from; | |
779 | if (pos == nentries) | |
780 | continue; | |
781 | } | |
782 | t = (struct ebt_entry_target *) | |
783 | (((char *)e) + e->target_offset); | |
784 | if (strcmp(t->u.name, EBT_STANDARD_TARGET)) | |
785 | goto letscontinue; | |
786 | if (e->target_offset + sizeof(struct ebt_standard_target) > | |
787 | e->next_offset) { | |
788 | BUGPRINT("Standard target size too big\n"); | |
789 | return -1; | |
790 | } | |
791 | verdict = ((struct ebt_standard_target *)t)->verdict; | |
792 | if (verdict >= 0) { /* jump to another chain */ | |
793 | struct ebt_entries *hlp2 = | |
794 | (struct ebt_entries *)(base + verdict); | |
795 | for (i = 0; i < udc_cnt; i++) | |
796 | if (hlp2 == cl_s[i].cs.chaininfo) | |
797 | break; | |
798 | /* bad destination or loop */ | |
799 | if (i == udc_cnt) { | |
800 | BUGPRINT("bad destination\n"); | |
801 | return -1; | |
802 | } | |
803 | if (cl_s[i].cs.n) { | |
804 | BUGPRINT("loop\n"); | |
805 | return -1; | |
806 | } | |
98a0824a AV |
807 | if (cl_s[i].hookmask & (1 << hooknr)) |
808 | goto letscontinue; | |
809 | /* this can't be 0, so the loop test is correct */ | |
1da177e4 LT |
810 | cl_s[i].cs.n = pos + 1; |
811 | pos = 0; | |
98e86403 | 812 | cl_s[i].cs.e = ebt_next_entry(e); |
1da177e4 LT |
813 | e = (struct ebt_entry *)(hlp2->data); |
814 | nentries = hlp2->nentries; | |
815 | cl_s[i].from = chain_nr; | |
816 | chain_nr = i; | |
817 | /* this udc is accessible from the base chain for hooknr */ | |
818 | cl_s[i].hookmask |= (1 << hooknr); | |
819 | continue; | |
820 | } | |
821 | letscontinue: | |
98e86403 | 822 | e = ebt_next_entry(e); |
1da177e4 LT |
823 | pos++; |
824 | } | |
825 | return 0; | |
826 | } | |
827 | ||
828 | /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */ | |
d5d1baa1 | 829 | static int translate_table(struct net *net, const char *name, |
a83d8e8d | 830 | struct ebt_table_info *newinfo) |
1da177e4 LT |
831 | { |
832 | unsigned int i, j, k, udc_cnt; | |
833 | int ret; | |
834 | struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */ | |
835 | ||
836 | i = 0; | |
1f072c96 | 837 | while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i]) |
1da177e4 LT |
838 | i++; |
839 | if (i == NF_BR_NUMHOOKS) { | |
840 | BUGPRINT("No valid hooks specified\n"); | |
841 | return -EINVAL; | |
842 | } | |
1f072c96 | 843 | if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) { |
1da177e4 LT |
844 | BUGPRINT("Chains don't start at beginning\n"); |
845 | return -EINVAL; | |
846 | } | |
847 | /* make sure chains are ordered after each other in same order | |
848 | as their corresponding hooks */ | |
849 | for (j = i + 1; j < NF_BR_NUMHOOKS; j++) { | |
1f072c96 | 850 | if (!newinfo->hook_entry[j]) |
1da177e4 | 851 | continue; |
1f072c96 | 852 | if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) { |
1da177e4 LT |
853 | BUGPRINT("Hook order must be followed\n"); |
854 | return -EINVAL; | |
855 | } | |
856 | i = j; | |
857 | } | |
858 | ||
1da177e4 LT |
859 | /* do some early checkings and initialize some things */ |
860 | i = 0; /* holds the expected nr. of entries for the chain */ | |
861 | j = 0; /* holds the up to now counted entries for the chain */ | |
862 | k = 0; /* holds the total nr. of entries, should equal | |
9d6f229f | 863 | newinfo->nentries afterwards */ |
1da177e4 LT |
864 | udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */ |
865 | ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | |
0e795531 AV |
866 | ebt_check_entry_size_and_hooks, newinfo, |
867 | &i, &j, &k, &udc_cnt); | |
1da177e4 LT |
868 | |
869 | if (ret != 0) | |
870 | return ret; | |
871 | ||
872 | if (i != j) { | |
873 | BUGPRINT("nentries does not equal the nr of entries in the " | |
9d6f229f | 874 | "(last) chain\n"); |
1da177e4 LT |
875 | return -EINVAL; |
876 | } | |
877 | if (k != newinfo->nentries) { | |
878 | BUGPRINT("Total nentries is wrong\n"); | |
879 | return -EINVAL; | |
880 | } | |
881 | ||
1da177e4 LT |
882 | /* get the location of the udc, put them in an array |
883 | while we're at it, allocate the chainstack */ | |
884 | if (udc_cnt) { | |
885 | /* this will get free'd in do_replace()/ebt_register_table() | |
886 | if an error occurs */ | |
7ad4d2f6 | 887 | newinfo->chainstack = |
53b8a315 | 888 | vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack))); |
1da177e4 LT |
889 | if (!newinfo->chainstack) |
890 | return -ENOMEM; | |
6f912042 | 891 | for_each_possible_cpu(i) { |
1da177e4 | 892 | newinfo->chainstack[i] = |
18bc89aa | 893 | vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0]))); |
1da177e4 LT |
894 | if (!newinfo->chainstack[i]) { |
895 | while (i) | |
896 | vfree(newinfo->chainstack[--i]); | |
897 | vfree(newinfo->chainstack); | |
898 | newinfo->chainstack = NULL; | |
899 | return -ENOMEM; | |
900 | } | |
901 | } | |
902 | ||
18bc89aa | 903 | cl_s = vmalloc(udc_cnt * sizeof(*cl_s)); |
1da177e4 LT |
904 | if (!cl_s) |
905 | return -ENOMEM; | |
906 | i = 0; /* the i'th udc */ | |
907 | EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | |
177abc34 | 908 | ebt_get_udc_positions, newinfo, &i, cl_s); |
1da177e4 LT |
909 | /* sanity check */ |
910 | if (i != udc_cnt) { | |
911 | BUGPRINT("i != udc_cnt\n"); | |
912 | vfree(cl_s); | |
913 | return -EFAULT; | |
914 | } | |
915 | } | |
916 | ||
917 | /* Check for loops */ | |
918 | for (i = 0; i < NF_BR_NUMHOOKS; i++) | |
1f072c96 | 919 | if (newinfo->hook_entry[i]) |
1da177e4 LT |
920 | if (check_chainloops(newinfo->hook_entry[i], |
921 | cl_s, udc_cnt, i, newinfo->entries)) { | |
68d31872 | 922 | vfree(cl_s); |
1da177e4 LT |
923 | return -EINVAL; |
924 | } | |
925 | ||
96de0e25 | 926 | /* we now know the following (along with E=mc²): |
1da177e4 LT |
927 | - the nr of entries in each chain is right |
928 | - the size of the allocated space is right | |
929 | - all valid hooks have a corresponding chain | |
930 | - there are no loops | |
931 | - wrong data can still be on the level of a single entry | |
932 | - could be there are jumps to places that are not the | |
933 | beginning of a chain. This can only occur in chains that | |
934 | are not accessible from any base chains, so we don't care. */ | |
935 | ||
936 | /* used to know what we need to clean up if something goes wrong */ | |
937 | i = 0; | |
938 | ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | |
a83d8e8d | 939 | ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt); |
1da177e4 LT |
940 | if (ret != 0) { |
941 | EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | |
f54e9367 | 942 | ebt_cleanup_entry, net, &i); |
1da177e4 | 943 | } |
68d31872 | 944 | vfree(cl_s); |
1da177e4 LT |
945 | return ret; |
946 | } | |
947 | ||
948 | /* called under write_lock */ | |
d5d1baa1 | 949 | static void get_counters(const struct ebt_counter *oldcounters, |
1da177e4 LT |
950 | struct ebt_counter *counters, unsigned int nentries) |
951 | { | |
952 | int i, cpu; | |
953 | struct ebt_counter *counter_base; | |
954 | ||
955 | /* counters of cpu 0 */ | |
956 | memcpy(counters, oldcounters, | |
c8923c6b DM |
957 | sizeof(struct ebt_counter) * nentries); |
958 | ||
1da177e4 | 959 | /* add other counters to those of cpu 0 */ |
6f912042 | 960 | for_each_possible_cpu(cpu) { |
c8923c6b DM |
961 | if (cpu == 0) |
962 | continue; | |
1da177e4 LT |
963 | counter_base = COUNTER_BASE(oldcounters, nentries, cpu); |
964 | for (i = 0; i < nentries; i++) { | |
965 | counters[i].pcnt += counter_base[i].pcnt; | |
966 | counters[i].bcnt += counter_base[i].bcnt; | |
967 | } | |
968 | } | |
969 | } | |
970 | ||
e788759f FW |
971 | static int do_replace_finish(struct net *net, struct ebt_replace *repl, |
972 | struct ebt_table_info *newinfo) | |
1da177e4 | 973 | { |
e788759f | 974 | int ret, i; |
1da177e4 LT |
975 | struct ebt_counter *counterstmp = NULL; |
976 | /* used to be able to unlock earlier */ | |
977 | struct ebt_table_info *table; | |
e788759f | 978 | struct ebt_table *t; |
1da177e4 LT |
979 | |
980 | /* the user wants counters back | |
981 | the check on the size is done later, when we have the lock */ | |
e788759f FW |
982 | if (repl->num_counters) { |
983 | unsigned long size = repl->num_counters * sizeof(*counterstmp); | |
984 | counterstmp = vmalloc(size); | |
985 | if (!counterstmp) | |
986 | return -ENOMEM; | |
1da177e4 | 987 | } |
1da177e4 | 988 | |
1da177e4 | 989 | newinfo->chainstack = NULL; |
e788759f | 990 | ret = ebt_verify_pointers(repl, newinfo); |
1bc2326c AV |
991 | if (ret != 0) |
992 | goto free_counterstmp; | |
993 | ||
e788759f | 994 | ret = translate_table(net, repl->name, newinfo); |
1da177e4 LT |
995 | |
996 | if (ret != 0) | |
997 | goto free_counterstmp; | |
998 | ||
e788759f | 999 | t = find_table_lock(net, repl->name, &ret, &ebt_mutex); |
1da177e4 LT |
1000 | if (!t) { |
1001 | ret = -ENOENT; | |
1002 | goto free_iterate; | |
1003 | } | |
1004 | ||
1005 | /* the table doesn't like it */ | |
e788759f | 1006 | if (t->check && (ret = t->check(newinfo, repl->valid_hooks))) |
1da177e4 LT |
1007 | goto free_unlock; |
1008 | ||
e788759f | 1009 | if (repl->num_counters && repl->num_counters != t->private->nentries) { |
1da177e4 LT |
1010 | BUGPRINT("Wrong nr. of counters requested\n"); |
1011 | ret = -EINVAL; | |
1012 | goto free_unlock; | |
1013 | } | |
1014 | ||
1015 | /* we have the mutex lock, so no danger in reading this pointer */ | |
1016 | table = t->private; | |
1017 | /* make sure the table can only be rmmod'ed if it contains no rules */ | |
1018 | if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) { | |
1019 | ret = -ENOENT; | |
1020 | goto free_unlock; | |
1021 | } else if (table->nentries && !newinfo->nentries) | |
1022 | module_put(t->me); | |
1023 | /* we need an atomic snapshot of the counters */ | |
1024 | write_lock_bh(&t->lock); | |
e788759f | 1025 | if (repl->num_counters) |
1da177e4 LT |
1026 | get_counters(t->private->counters, counterstmp, |
1027 | t->private->nentries); | |
1028 | ||
1029 | t->private = newinfo; | |
1030 | write_unlock_bh(&t->lock); | |
57b47a53 | 1031 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1032 | /* so, a user can change the chains while having messed up her counter |
1033 | allocation. Only reason why this is done is because this way the lock | |
1034 | is held only once, while this doesn't bring the kernel into a | |
1035 | dangerous state. */ | |
e788759f FW |
1036 | if (repl->num_counters && |
1037 | copy_to_user(repl->counters, counterstmp, | |
1038 | repl->num_counters * sizeof(struct ebt_counter))) { | |
1da177e4 LT |
1039 | ret = -EFAULT; |
1040 | } | |
1041 | else | |
1042 | ret = 0; | |
1043 | ||
1044 | /* decrease module count and free resources */ | |
1045 | EBT_ENTRY_ITERATE(table->entries, table->entries_size, | |
f54e9367 | 1046 | ebt_cleanup_entry, net, NULL); |
1da177e4 LT |
1047 | |
1048 | vfree(table->entries); | |
1049 | if (table->chainstack) { | |
6f912042 | 1050 | for_each_possible_cpu(i) |
1da177e4 LT |
1051 | vfree(table->chainstack[i]); |
1052 | vfree(table->chainstack); | |
1053 | } | |
1054 | vfree(table); | |
1055 | ||
68d31872 | 1056 | vfree(counterstmp); |
1da177e4 LT |
1057 | return ret; |
1058 | ||
1059 | free_unlock: | |
57b47a53 | 1060 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1061 | free_iterate: |
1062 | EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | |
f54e9367 | 1063 | ebt_cleanup_entry, net, NULL); |
1da177e4 | 1064 | free_counterstmp: |
68d31872 | 1065 | vfree(counterstmp); |
1da177e4 LT |
1066 | /* can be initialized in translate_table() */ |
1067 | if (newinfo->chainstack) { | |
6f912042 | 1068 | for_each_possible_cpu(i) |
1da177e4 LT |
1069 | vfree(newinfo->chainstack[i]); |
1070 | vfree(newinfo->chainstack); | |
1071 | } | |
e788759f FW |
1072 | return ret; |
1073 | } | |
1074 | ||
1075 | /* replace the table */ | |
1076 | static int do_replace(struct net *net, const void __user *user, | |
1077 | unsigned int len) | |
1078 | { | |
1079 | int ret, countersize; | |
1080 | struct ebt_table_info *newinfo; | |
1081 | struct ebt_replace tmp; | |
1082 | ||
1083 | if (copy_from_user(&tmp, user, sizeof(tmp)) != 0) | |
1084 | return -EFAULT; | |
1085 | ||
1086 | if (len != sizeof(tmp) + tmp.entries_size) { | |
1087 | BUGPRINT("Wrong len argument\n"); | |
1088 | return -EINVAL; | |
1089 | } | |
1090 | ||
1091 | if (tmp.entries_size == 0) { | |
1092 | BUGPRINT("Entries_size never zero\n"); | |
1093 | return -EINVAL; | |
1094 | } | |
1095 | /* overflow check */ | |
1096 | if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / | |
1097 | NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter)) | |
1098 | return -ENOMEM; | |
1099 | if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) | |
1100 | return -ENOMEM; | |
1101 | ||
1102 | countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; | |
1103 | newinfo = vmalloc(sizeof(*newinfo) + countersize); | |
1104 | if (!newinfo) | |
1105 | return -ENOMEM; | |
1106 | ||
1107 | if (countersize) | |
1108 | memset(newinfo->counters, 0, countersize); | |
1109 | ||
1110 | newinfo->entries = vmalloc(tmp.entries_size); | |
1111 | if (!newinfo->entries) { | |
1112 | ret = -ENOMEM; | |
1113 | goto free_newinfo; | |
1114 | } | |
1115 | if (copy_from_user( | |
1116 | newinfo->entries, tmp.entries, tmp.entries_size) != 0) { | |
1117 | BUGPRINT("Couldn't copy entries from userspace\n"); | |
1118 | ret = -EFAULT; | |
1119 | goto free_entries; | |
1120 | } | |
1121 | ||
1122 | ret = do_replace_finish(net, &tmp, newinfo); | |
1123 | if (ret == 0) | |
1124 | return ret; | |
1da177e4 | 1125 | free_entries: |
68d31872 | 1126 | vfree(newinfo->entries); |
1da177e4 | 1127 | free_newinfo: |
68d31872 | 1128 | vfree(newinfo); |
1da177e4 LT |
1129 | return ret; |
1130 | } | |
1131 | ||
35aad0ff JE |
1132 | struct ebt_table * |
1133 | ebt_register_table(struct net *net, const struct ebt_table *input_table) | |
1da177e4 LT |
1134 | { |
1135 | struct ebt_table_info *newinfo; | |
35aad0ff | 1136 | struct ebt_table *t, *table; |
1e419cd9 | 1137 | struct ebt_replace_kernel *repl; |
1da177e4 | 1138 | int ret, i, countersize; |
df07a81e | 1139 | void *p; |
1da177e4 | 1140 | |
35aad0ff JE |
1141 | if (input_table == NULL || (repl = input_table->table) == NULL || |
1142 | repl->entries == 0 || repl->entries_size == 0 || | |
1143 | repl->counters != NULL || input_table->private != NULL) { | |
1da177e4 | 1144 | BUGPRINT("Bad table data for ebt_register_table!!!\n"); |
6beceee5 AD |
1145 | return ERR_PTR(-EINVAL); |
1146 | } | |
1147 | ||
1148 | /* Don't add one table to multiple lists. */ | |
35aad0ff | 1149 | table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL); |
6beceee5 AD |
1150 | if (!table) { |
1151 | ret = -ENOMEM; | |
1152 | goto out; | |
1da177e4 LT |
1153 | } |
1154 | ||
53b8a315 | 1155 | countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids; |
18bc89aa | 1156 | newinfo = vmalloc(sizeof(*newinfo) + countersize); |
1da177e4 LT |
1157 | ret = -ENOMEM; |
1158 | if (!newinfo) | |
6beceee5 | 1159 | goto free_table; |
1da177e4 | 1160 | |
df07a81e AV |
1161 | p = vmalloc(repl->entries_size); |
1162 | if (!p) | |
1da177e4 LT |
1163 | goto free_newinfo; |
1164 | ||
df07a81e AV |
1165 | memcpy(p, repl->entries, repl->entries_size); |
1166 | newinfo->entries = p; | |
1167 | ||
1168 | newinfo->entries_size = repl->entries_size; | |
1169 | newinfo->nentries = repl->nentries; | |
1da177e4 LT |
1170 | |
1171 | if (countersize) | |
1172 | memset(newinfo->counters, 0, countersize); | |
1173 | ||
1174 | /* fill in newinfo and parse the entries */ | |
1175 | newinfo->chainstack = NULL; | |
df07a81e AV |
1176 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { |
1177 | if ((repl->valid_hooks & (1 << i)) == 0) | |
1178 | newinfo->hook_entry[i] = NULL; | |
1179 | else | |
1180 | newinfo->hook_entry[i] = p + | |
1181 | ((char *)repl->hook_entry[i] - repl->entries); | |
1182 | } | |
a83d8e8d | 1183 | ret = translate_table(net, repl->name, newinfo); |
1da177e4 LT |
1184 | if (ret != 0) { |
1185 | BUGPRINT("Translate_table failed\n"); | |
1186 | goto free_chainstack; | |
1187 | } | |
1188 | ||
1189 | if (table->check && table->check(newinfo, table->valid_hooks)) { | |
1190 | BUGPRINT("The table doesn't like its own initial data, lol\n"); | |
6beceee5 | 1191 | return ERR_PTR(-EINVAL); |
1da177e4 LT |
1192 | } |
1193 | ||
1194 | table->private = newinfo; | |
1195 | rwlock_init(&table->lock); | |
57b47a53 | 1196 | ret = mutex_lock_interruptible(&ebt_mutex); |
1da177e4 LT |
1197 | if (ret != 0) |
1198 | goto free_chainstack; | |
1199 | ||
511061e2 | 1200 | list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) { |
df0933dc PM |
1201 | if (strcmp(t->name, table->name) == 0) { |
1202 | ret = -EEXIST; | |
1203 | BUGPRINT("Table name already exists\n"); | |
1204 | goto free_unlock; | |
1205 | } | |
1da177e4 LT |
1206 | } |
1207 | ||
1208 | /* Hold a reference count if the chains aren't empty */ | |
1209 | if (newinfo->nentries && !try_module_get(table->me)) { | |
1210 | ret = -ENOENT; | |
1211 | goto free_unlock; | |
1212 | } | |
511061e2 | 1213 | list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]); |
57b47a53 | 1214 | mutex_unlock(&ebt_mutex); |
6beceee5 | 1215 | return table; |
1da177e4 | 1216 | free_unlock: |
57b47a53 | 1217 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1218 | free_chainstack: |
1219 | if (newinfo->chainstack) { | |
6f912042 | 1220 | for_each_possible_cpu(i) |
1da177e4 LT |
1221 | vfree(newinfo->chainstack[i]); |
1222 | vfree(newinfo->chainstack); | |
1223 | } | |
1224 | vfree(newinfo->entries); | |
1225 | free_newinfo: | |
1226 | vfree(newinfo); | |
6beceee5 AD |
1227 | free_table: |
1228 | kfree(table); | |
1229 | out: | |
1230 | return ERR_PTR(ret); | |
1da177e4 LT |
1231 | } |
1232 | ||
f54e9367 | 1233 | void ebt_unregister_table(struct net *net, struct ebt_table *table) |
1da177e4 LT |
1234 | { |
1235 | int i; | |
1236 | ||
1237 | if (!table) { | |
1238 | BUGPRINT("Request to unregister NULL table!!!\n"); | |
1239 | return; | |
1240 | } | |
57b47a53 | 1241 | mutex_lock(&ebt_mutex); |
df0933dc | 1242 | list_del(&table->list); |
57b47a53 | 1243 | mutex_unlock(&ebt_mutex); |
dbcdf85a | 1244 | EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size, |
f54e9367 | 1245 | ebt_cleanup_entry, net, NULL); |
dbcdf85a AD |
1246 | if (table->private->nentries) |
1247 | module_put(table->me); | |
68d31872 | 1248 | vfree(table->private->entries); |
1da177e4 | 1249 | if (table->private->chainstack) { |
6f912042 | 1250 | for_each_possible_cpu(i) |
1da177e4 LT |
1251 | vfree(table->private->chainstack[i]); |
1252 | vfree(table->private->chainstack); | |
1253 | } | |
1254 | vfree(table->private); | |
6beceee5 | 1255 | kfree(table); |
1da177e4 LT |
1256 | } |
1257 | ||
1258 | /* userspace just supplied us with counters */ | |
49facff9 FW |
1259 | static int do_update_counters(struct net *net, const char *name, |
1260 | struct ebt_counter __user *counters, | |
1261 | unsigned int num_counters, | |
1262 | const void __user *user, unsigned int len) | |
1da177e4 LT |
1263 | { |
1264 | int i, ret; | |
1265 | struct ebt_counter *tmp; | |
1da177e4 LT |
1266 | struct ebt_table *t; |
1267 | ||
49facff9 | 1268 | if (num_counters == 0) |
1da177e4 LT |
1269 | return -EINVAL; |
1270 | ||
49facff9 FW |
1271 | tmp = vmalloc(num_counters * sizeof(*tmp)); |
1272 | if (!tmp) | |
1da177e4 | 1273 | return -ENOMEM; |
1da177e4 | 1274 | |
49facff9 | 1275 | t = find_table_lock(net, name, &ret, &ebt_mutex); |
1da177e4 LT |
1276 | if (!t) |
1277 | goto free_tmp; | |
1278 | ||
49facff9 | 1279 | if (num_counters != t->private->nentries) { |
1da177e4 LT |
1280 | BUGPRINT("Wrong nr of counters\n"); |
1281 | ret = -EINVAL; | |
1282 | goto unlock_mutex; | |
1283 | } | |
1284 | ||
49facff9 | 1285 | if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) { |
1da177e4 LT |
1286 | ret = -EFAULT; |
1287 | goto unlock_mutex; | |
1288 | } | |
1289 | ||
1290 | /* we want an atomic add of the counters */ | |
1291 | write_lock_bh(&t->lock); | |
1292 | ||
1293 | /* we add to the counters of the first cpu */ | |
49facff9 | 1294 | for (i = 0; i < num_counters; i++) { |
1da177e4 LT |
1295 | t->private->counters[i].pcnt += tmp[i].pcnt; |
1296 | t->private->counters[i].bcnt += tmp[i].bcnt; | |
1297 | } | |
1298 | ||
1299 | write_unlock_bh(&t->lock); | |
1300 | ret = 0; | |
1301 | unlock_mutex: | |
57b47a53 | 1302 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1303 | free_tmp: |
1304 | vfree(tmp); | |
1305 | return ret; | |
1306 | } | |
1307 | ||
49facff9 FW |
1308 | static int update_counters(struct net *net, const void __user *user, |
1309 | unsigned int len) | |
1310 | { | |
1311 | struct ebt_replace hlp; | |
1312 | ||
1313 | if (copy_from_user(&hlp, user, sizeof(hlp))) | |
1314 | return -EFAULT; | |
1315 | ||
1316 | if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter)) | |
1317 | return -EINVAL; | |
1318 | ||
1319 | return do_update_counters(net, hlp.name, hlp.counters, | |
1320 | hlp.num_counters, user, len); | |
1321 | } | |
1322 | ||
d5d1baa1 JE |
1323 | static inline int ebt_make_matchname(const struct ebt_entry_match *m, |
1324 | const char *base, char __user *ubase) | |
1da177e4 | 1325 | { |
1e419cd9 | 1326 | char __user *hlp = ubase + ((char *)m - base); |
1da177e4 LT |
1327 | if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN)) |
1328 | return -EFAULT; | |
1329 | return 0; | |
1330 | } | |
1331 | ||
d5d1baa1 JE |
1332 | static inline int ebt_make_watchername(const struct ebt_entry_watcher *w, |
1333 | const char *base, char __user *ubase) | |
1da177e4 | 1334 | { |
1e419cd9 | 1335 | char __user *hlp = ubase + ((char *)w - base); |
1da177e4 LT |
1336 | if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN)) |
1337 | return -EFAULT; | |
1338 | return 0; | |
1339 | } | |
1340 | ||
d5d1baa1 JE |
1341 | static inline int |
1342 | ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase) | |
1da177e4 LT |
1343 | { |
1344 | int ret; | |
1e419cd9 | 1345 | char __user *hlp; |
d5d1baa1 | 1346 | const struct ebt_entry_target *t; |
1da177e4 | 1347 | |
40642f95 | 1348 | if (e->bitmask == 0) |
1da177e4 LT |
1349 | return 0; |
1350 | ||
1e419cd9 | 1351 | hlp = ubase + (((char *)e + e->target_offset) - base); |
1da177e4 | 1352 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); |
9d6f229f | 1353 | |
1da177e4 LT |
1354 | ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase); |
1355 | if (ret != 0) | |
1356 | return ret; | |
1357 | ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase); | |
1358 | if (ret != 0) | |
1359 | return ret; | |
1360 | if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN)) | |
1361 | return -EFAULT; | |
1362 | return 0; | |
1363 | } | |
1364 | ||
837395aa FW |
1365 | static int copy_counters_to_user(struct ebt_table *t, |
1366 | const struct ebt_counter *oldcounters, | |
1367 | void __user *user, unsigned int num_counters, | |
1368 | unsigned int nentries) | |
1369 | { | |
1370 | struct ebt_counter *counterstmp; | |
1371 | int ret = 0; | |
1372 | ||
1373 | /* userspace might not need the counters */ | |
1374 | if (num_counters == 0) | |
1375 | return 0; | |
1376 | ||
1377 | if (num_counters != nentries) { | |
1378 | BUGPRINT("Num_counters wrong\n"); | |
1379 | return -EINVAL; | |
1380 | } | |
1381 | ||
1382 | counterstmp = vmalloc(nentries * sizeof(*counterstmp)); | |
1383 | if (!counterstmp) | |
1384 | return -ENOMEM; | |
1385 | ||
1386 | write_lock_bh(&t->lock); | |
1387 | get_counters(oldcounters, counterstmp, nentries); | |
1388 | write_unlock_bh(&t->lock); | |
1389 | ||
1390 | if (copy_to_user(user, counterstmp, | |
1391 | nentries * sizeof(struct ebt_counter))) | |
1392 | ret = -EFAULT; | |
1393 | vfree(counterstmp); | |
1394 | return ret; | |
1395 | } | |
1396 | ||
57b47a53 | 1397 | /* called with ebt_mutex locked */ |
1da177e4 | 1398 | static int copy_everything_to_user(struct ebt_table *t, void __user *user, |
d5d1baa1 | 1399 | const int *len, int cmd) |
1da177e4 LT |
1400 | { |
1401 | struct ebt_replace tmp; | |
d5d1baa1 | 1402 | const struct ebt_counter *oldcounters; |
1da177e4 | 1403 | unsigned int entries_size, nentries; |
837395aa | 1404 | int ret; |
1da177e4 LT |
1405 | char *entries; |
1406 | ||
1407 | if (cmd == EBT_SO_GET_ENTRIES) { | |
1408 | entries_size = t->private->entries_size; | |
1409 | nentries = t->private->nentries; | |
1410 | entries = t->private->entries; | |
1411 | oldcounters = t->private->counters; | |
1412 | } else { | |
1413 | entries_size = t->table->entries_size; | |
1414 | nentries = t->table->nentries; | |
1415 | entries = t->table->entries; | |
1416 | oldcounters = t->table->counters; | |
1417 | } | |
1418 | ||
90b89af7 | 1419 | if (copy_from_user(&tmp, user, sizeof(tmp))) |
1da177e4 | 1420 | return -EFAULT; |
1da177e4 LT |
1421 | |
1422 | if (*len != sizeof(struct ebt_replace) + entries_size + | |
90b89af7 | 1423 | (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) |
1da177e4 | 1424 | return -EINVAL; |
1da177e4 LT |
1425 | |
1426 | if (tmp.nentries != nentries) { | |
1427 | BUGPRINT("Nentries wrong\n"); | |
1428 | return -EINVAL; | |
1429 | } | |
1430 | ||
1431 | if (tmp.entries_size != entries_size) { | |
1432 | BUGPRINT("Wrong size\n"); | |
1433 | return -EINVAL; | |
1434 | } | |
1435 | ||
837395aa FW |
1436 | ret = copy_counters_to_user(t, oldcounters, tmp.counters, |
1437 | tmp.num_counters, nentries); | |
1438 | if (ret) | |
1439 | return ret; | |
1da177e4 LT |
1440 | |
1441 | if (copy_to_user(tmp.entries, entries, entries_size)) { | |
1442 | BUGPRINT("Couldn't copy entries to userspace\n"); | |
1443 | return -EFAULT; | |
1444 | } | |
1445 | /* set the match/watcher/target names right */ | |
1446 | return EBT_ENTRY_ITERATE(entries, entries_size, | |
1447 | ebt_make_names, entries, tmp.entries); | |
1448 | } | |
1449 | ||
1450 | static int do_ebt_set_ctl(struct sock *sk, | |
1451 | int cmd, void __user *user, unsigned int len) | |
1452 | { | |
1453 | int ret; | |
1454 | ||
dce766af FW |
1455 | if (!capable(CAP_NET_ADMIN)) |
1456 | return -EPERM; | |
1457 | ||
1da177e4 LT |
1458 | switch(cmd) { |
1459 | case EBT_SO_SET_ENTRIES: | |
511061e2 | 1460 | ret = do_replace(sock_net(sk), user, len); |
1da177e4 LT |
1461 | break; |
1462 | case EBT_SO_SET_COUNTERS: | |
511061e2 | 1463 | ret = update_counters(sock_net(sk), user, len); |
1da177e4 LT |
1464 | break; |
1465 | default: | |
1466 | ret = -EINVAL; | |
81e675c2 | 1467 | } |
1da177e4 LT |
1468 | return ret; |
1469 | } | |
1470 | ||
1471 | static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |
1472 | { | |
1473 | int ret; | |
1474 | struct ebt_replace tmp; | |
1475 | struct ebt_table *t; | |
1476 | ||
dce766af FW |
1477 | if (!capable(CAP_NET_ADMIN)) |
1478 | return -EPERM; | |
1479 | ||
1da177e4 LT |
1480 | if (copy_from_user(&tmp, user, sizeof(tmp))) |
1481 | return -EFAULT; | |
1482 | ||
511061e2 | 1483 | t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex); |
1da177e4 LT |
1484 | if (!t) |
1485 | return ret; | |
1486 | ||
1487 | switch(cmd) { | |
1488 | case EBT_SO_GET_INFO: | |
1489 | case EBT_SO_GET_INIT_INFO: | |
1490 | if (*len != sizeof(struct ebt_replace)){ | |
1491 | ret = -EINVAL; | |
57b47a53 | 1492 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1493 | break; |
1494 | } | |
1495 | if (cmd == EBT_SO_GET_INFO) { | |
1496 | tmp.nentries = t->private->nentries; | |
1497 | tmp.entries_size = t->private->entries_size; | |
1498 | tmp.valid_hooks = t->valid_hooks; | |
1499 | } else { | |
1500 | tmp.nentries = t->table->nentries; | |
1501 | tmp.entries_size = t->table->entries_size; | |
1502 | tmp.valid_hooks = t->table->valid_hooks; | |
1503 | } | |
57b47a53 | 1504 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1505 | if (copy_to_user(user, &tmp, *len) != 0){ |
1506 | BUGPRINT("c2u Didn't work\n"); | |
1507 | ret = -EFAULT; | |
1508 | break; | |
1509 | } | |
1510 | ret = 0; | |
1511 | break; | |
1512 | ||
1513 | case EBT_SO_GET_ENTRIES: | |
1514 | case EBT_SO_GET_INIT_ENTRIES: | |
1515 | ret = copy_everything_to_user(t, user, len, cmd); | |
57b47a53 | 1516 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1517 | break; |
1518 | ||
1519 | default: | |
57b47a53 | 1520 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1521 | ret = -EINVAL; |
1522 | } | |
1523 | ||
1524 | return ret; | |
1525 | } | |
1526 | ||
81e675c2 FW |
1527 | #ifdef CONFIG_COMPAT |
1528 | /* 32 bit-userspace compatibility definitions. */ | |
1529 | struct compat_ebt_replace { | |
1530 | char name[EBT_TABLE_MAXNAMELEN]; | |
1531 | compat_uint_t valid_hooks; | |
1532 | compat_uint_t nentries; | |
1533 | compat_uint_t entries_size; | |
1534 | /* start of the chains */ | |
1535 | compat_uptr_t hook_entry[NF_BR_NUMHOOKS]; | |
1536 | /* nr of counters userspace expects back */ | |
1537 | compat_uint_t num_counters; | |
1538 | /* where the kernel will put the old counters. */ | |
1539 | compat_uptr_t counters; | |
1540 | compat_uptr_t entries; | |
1541 | }; | |
1542 | ||
1543 | /* struct ebt_entry_match, _target and _watcher have same layout */ | |
1544 | struct compat_ebt_entry_mwt { | |
1545 | union { | |
1546 | char name[EBT_FUNCTION_MAXNAMELEN]; | |
1547 | compat_uptr_t ptr; | |
1548 | } u; | |
1549 | compat_uint_t match_size; | |
1550 | compat_uint_t data[0]; | |
1551 | }; | |
1552 | ||
1553 | /* account for possible padding between match_size and ->data */ | |
1554 | static int ebt_compat_entry_padsize(void) | |
1555 | { | |
1556 | BUILD_BUG_ON(XT_ALIGN(sizeof(struct ebt_entry_match)) < | |
1557 | COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt))); | |
1558 | return (int) XT_ALIGN(sizeof(struct ebt_entry_match)) - | |
1559 | COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)); | |
1560 | } | |
1561 | ||
1562 | static int ebt_compat_match_offset(const struct xt_match *match, | |
1563 | unsigned int userlen) | |
1564 | { | |
1565 | /* | |
1566 | * ebt_among needs special handling. The kernel .matchsize is | |
1567 | * set to -1 at registration time; at runtime an EBT_ALIGN()ed | |
1568 | * value is expected. | |
1569 | * Example: userspace sends 4500, ebt_among.c wants 4504. | |
1570 | */ | |
1571 | if (unlikely(match->matchsize == -1)) | |
1572 | return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen); | |
1573 | return xt_compat_match_offset(match); | |
1574 | } | |
1575 | ||
1576 | static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr, | |
1577 | unsigned int *size) | |
1578 | { | |
1579 | const struct xt_match *match = m->u.match; | |
1580 | struct compat_ebt_entry_mwt __user *cm = *dstptr; | |
1581 | int off = ebt_compat_match_offset(match, m->match_size); | |
1582 | compat_uint_t msize = m->match_size - off; | |
1583 | ||
1584 | BUG_ON(off >= m->match_size); | |
1585 | ||
1586 | if (copy_to_user(cm->u.name, match->name, | |
1587 | strlen(match->name) + 1) || put_user(msize, &cm->match_size)) | |
1588 | return -EFAULT; | |
1589 | ||
1590 | if (match->compat_to_user) { | |
1591 | if (match->compat_to_user(cm->data, m->data)) | |
1592 | return -EFAULT; | |
1593 | } else if (copy_to_user(cm->data, m->data, msize)) | |
1594 | return -EFAULT; | |
1595 | ||
1596 | *size -= ebt_compat_entry_padsize() + off; | |
1597 | *dstptr = cm->data; | |
1598 | *dstptr += msize; | |
1599 | return 0; | |
1600 | } | |
1601 | ||
1602 | static int compat_target_to_user(struct ebt_entry_target *t, | |
1603 | void __user **dstptr, | |
1604 | unsigned int *size) | |
1605 | { | |
1606 | const struct xt_target *target = t->u.target; | |
1607 | struct compat_ebt_entry_mwt __user *cm = *dstptr; | |
1608 | int off = xt_compat_target_offset(target); | |
1609 | compat_uint_t tsize = t->target_size - off; | |
1610 | ||
1611 | BUG_ON(off >= t->target_size); | |
1612 | ||
1613 | if (copy_to_user(cm->u.name, target->name, | |
1614 | strlen(target->name) + 1) || put_user(tsize, &cm->match_size)) | |
1615 | return -EFAULT; | |
1616 | ||
1617 | if (target->compat_to_user) { | |
1618 | if (target->compat_to_user(cm->data, t->data)) | |
1619 | return -EFAULT; | |
1620 | } else if (copy_to_user(cm->data, t->data, tsize)) | |
1621 | return -EFAULT; | |
1622 | ||
1623 | *size -= ebt_compat_entry_padsize() + off; | |
1624 | *dstptr = cm->data; | |
1625 | *dstptr += tsize; | |
1626 | return 0; | |
1627 | } | |
1628 | ||
1629 | static int compat_watcher_to_user(struct ebt_entry_watcher *w, | |
1630 | void __user **dstptr, | |
1631 | unsigned int *size) | |
1632 | { | |
1633 | return compat_target_to_user((struct ebt_entry_target *)w, | |
1634 | dstptr, size); | |
1635 | } | |
1636 | ||
1637 | static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr, | |
1638 | unsigned int *size) | |
1639 | { | |
1640 | struct ebt_entry_target *t; | |
1641 | struct ebt_entry __user *ce; | |
1642 | u32 watchers_offset, target_offset, next_offset; | |
1643 | compat_uint_t origsize; | |
1644 | int ret; | |
1645 | ||
1646 | if (e->bitmask == 0) { | |
1647 | if (*size < sizeof(struct ebt_entries)) | |
1648 | return -EINVAL; | |
1649 | if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries))) | |
1650 | return -EFAULT; | |
1651 | ||
1652 | *dstptr += sizeof(struct ebt_entries); | |
1653 | *size -= sizeof(struct ebt_entries); | |
1654 | return 0; | |
1655 | } | |
1656 | ||
1657 | if (*size < sizeof(*ce)) | |
1658 | return -EINVAL; | |
1659 | ||
1660 | ce = (struct ebt_entry __user *)*dstptr; | |
1661 | if (copy_to_user(ce, e, sizeof(*ce))) | |
1662 | return -EFAULT; | |
1663 | ||
1664 | origsize = *size; | |
1665 | *dstptr += sizeof(*ce); | |
1666 | ||
1667 | ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size); | |
1668 | if (ret) | |
1669 | return ret; | |
1670 | watchers_offset = e->watchers_offset - (origsize - *size); | |
1671 | ||
1672 | ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size); | |
1673 | if (ret) | |
1674 | return ret; | |
1675 | target_offset = e->target_offset - (origsize - *size); | |
1676 | ||
1677 | t = (struct ebt_entry_target *) ((char *) e + e->target_offset); | |
1678 | ||
1679 | ret = compat_target_to_user(t, dstptr, size); | |
1680 | if (ret) | |
1681 | return ret; | |
1682 | next_offset = e->next_offset - (origsize - *size); | |
1683 | ||
1684 | if (put_user(watchers_offset, &ce->watchers_offset) || | |
1685 | put_user(target_offset, &ce->target_offset) || | |
1686 | put_user(next_offset, &ce->next_offset)) | |
1687 | return -EFAULT; | |
1688 | ||
1689 | *size -= sizeof(*ce); | |
1690 | return 0; | |
1691 | } | |
1692 | ||
1693 | static int compat_calc_match(struct ebt_entry_match *m, int *off) | |
1694 | { | |
1695 | *off += ebt_compat_match_offset(m->u.match, m->match_size); | |
1696 | *off += ebt_compat_entry_padsize(); | |
1697 | return 0; | |
1698 | } | |
1699 | ||
1700 | static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off) | |
1701 | { | |
1702 | *off += xt_compat_target_offset(w->u.watcher); | |
1703 | *off += ebt_compat_entry_padsize(); | |
1704 | return 0; | |
1705 | } | |
1706 | ||
1707 | static int compat_calc_entry(const struct ebt_entry *e, | |
1708 | const struct ebt_table_info *info, | |
1709 | const void *base, | |
1710 | struct compat_ebt_replace *newinfo) | |
1711 | { | |
1712 | const struct ebt_entry_target *t; | |
1713 | unsigned int entry_offset; | |
1714 | int off, ret, i; | |
1715 | ||
1716 | if (e->bitmask == 0) | |
1717 | return 0; | |
1718 | ||
1719 | off = 0; | |
1720 | entry_offset = (void *)e - base; | |
1721 | ||
1722 | EBT_MATCH_ITERATE(e, compat_calc_match, &off); | |
1723 | EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off); | |
1724 | ||
1725 | t = (const struct ebt_entry_target *) ((char *) e + e->target_offset); | |
1726 | ||
1727 | off += xt_compat_target_offset(t->u.target); | |
1728 | off += ebt_compat_entry_padsize(); | |
1729 | ||
1730 | newinfo->entries_size -= off; | |
1731 | ||
1732 | ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off); | |
1733 | if (ret) | |
1734 | return ret; | |
1735 | ||
1736 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
1737 | const void *hookptr = info->hook_entry[i]; | |
1738 | if (info->hook_entry[i] && | |
1739 | (e < (struct ebt_entry *)(base - hookptr))) { | |
1740 | newinfo->hook_entry[i] -= off; | |
1741 | pr_debug("0x%08X -> 0x%08X\n", | |
1742 | newinfo->hook_entry[i] + off, | |
1743 | newinfo->hook_entry[i]); | |
1744 | } | |
1745 | } | |
1746 | ||
1747 | return 0; | |
1748 | } | |
1749 | ||
1750 | ||
1751 | static int compat_table_info(const struct ebt_table_info *info, | |
1752 | struct compat_ebt_replace *newinfo) | |
1753 | { | |
1754 | unsigned int size = info->entries_size; | |
1755 | const void *entries = info->entries; | |
1756 | ||
1757 | newinfo->entries_size = size; | |
1758 | ||
1759 | return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info, | |
1760 | entries, newinfo); | |
1761 | } | |
1762 | ||
1763 | static int compat_copy_everything_to_user(struct ebt_table *t, | |
1764 | void __user *user, int *len, int cmd) | |
1765 | { | |
1766 | struct compat_ebt_replace repl, tmp; | |
1767 | struct ebt_counter *oldcounters; | |
1768 | struct ebt_table_info tinfo; | |
1769 | int ret; | |
1770 | void __user *pos; | |
1771 | ||
1772 | memset(&tinfo, 0, sizeof(tinfo)); | |
1773 | ||
1774 | if (cmd == EBT_SO_GET_ENTRIES) { | |
1775 | tinfo.entries_size = t->private->entries_size; | |
1776 | tinfo.nentries = t->private->nentries; | |
1777 | tinfo.entries = t->private->entries; | |
1778 | oldcounters = t->private->counters; | |
1779 | } else { | |
1780 | tinfo.entries_size = t->table->entries_size; | |
1781 | tinfo.nentries = t->table->nentries; | |
1782 | tinfo.entries = t->table->entries; | |
1783 | oldcounters = t->table->counters; | |
1784 | } | |
1785 | ||
1786 | if (copy_from_user(&tmp, user, sizeof(tmp))) | |
1787 | return -EFAULT; | |
1788 | ||
1789 | if (tmp.nentries != tinfo.nentries || | |
1790 | (tmp.num_counters && tmp.num_counters != tinfo.nentries)) | |
1791 | return -EINVAL; | |
1792 | ||
1793 | memcpy(&repl, &tmp, sizeof(repl)); | |
1794 | if (cmd == EBT_SO_GET_ENTRIES) | |
1795 | ret = compat_table_info(t->private, &repl); | |
1796 | else | |
1797 | ret = compat_table_info(&tinfo, &repl); | |
1798 | if (ret) | |
1799 | return ret; | |
1800 | ||
1801 | if (*len != sizeof(tmp) + repl.entries_size + | |
1802 | (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) { | |
1803 | pr_err("wrong size: *len %d, entries_size %u, replsz %d\n", | |
1804 | *len, tinfo.entries_size, repl.entries_size); | |
1805 | return -EINVAL; | |
1806 | } | |
1807 | ||
1808 | /* userspace might not need the counters */ | |
1809 | ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters), | |
1810 | tmp.num_counters, tinfo.nentries); | |
1811 | if (ret) | |
1812 | return ret; | |
1813 | ||
1814 | pos = compat_ptr(tmp.entries); | |
1815 | return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size, | |
1816 | compat_copy_entry_to_user, &pos, &tmp.entries_size); | |
1817 | } | |
1818 | ||
1819 | struct ebt_entries_buf_state { | |
1820 | char *buf_kern_start; /* kernel buffer to copy (translated) data to */ | |
1821 | u32 buf_kern_len; /* total size of kernel buffer */ | |
1822 | u32 buf_kern_offset; /* amount of data copied so far */ | |
1823 | u32 buf_user_offset; /* read position in userspace buffer */ | |
1824 | }; | |
1825 | ||
1826 | static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz) | |
1827 | { | |
1828 | state->buf_kern_offset += sz; | |
1829 | return state->buf_kern_offset >= sz ? 0 : -EINVAL; | |
1830 | } | |
1831 | ||
1832 | static int ebt_buf_add(struct ebt_entries_buf_state *state, | |
1833 | void *data, unsigned int sz) | |
1834 | { | |
1835 | if (state->buf_kern_start == NULL) | |
1836 | goto count_only; | |
1837 | ||
1838 | BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len); | |
1839 | ||
1840 | memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz); | |
1841 | ||
1842 | count_only: | |
1843 | state->buf_user_offset += sz; | |
1844 | return ebt_buf_count(state, sz); | |
1845 | } | |
1846 | ||
1847 | static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz) | |
1848 | { | |
1849 | char *b = state->buf_kern_start; | |
1850 | ||
1851 | BUG_ON(b && state->buf_kern_offset > state->buf_kern_len); | |
1852 | ||
1853 | if (b != NULL && sz > 0) | |
1854 | memset(b + state->buf_kern_offset, 0, sz); | |
1855 | /* do not adjust ->buf_user_offset here, we added kernel-side padding */ | |
1856 | return ebt_buf_count(state, sz); | |
1857 | } | |
1858 | ||
1859 | enum compat_mwt { | |
1860 | EBT_COMPAT_MATCH, | |
1861 | EBT_COMPAT_WATCHER, | |
1862 | EBT_COMPAT_TARGET, | |
1863 | }; | |
1864 | ||
1865 | static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt, | |
1866 | enum compat_mwt compat_mwt, | |
1867 | struct ebt_entries_buf_state *state, | |
1868 | const unsigned char *base) | |
1869 | { | |
1870 | char name[EBT_FUNCTION_MAXNAMELEN]; | |
1871 | struct xt_match *match; | |
1872 | struct xt_target *wt; | |
1873 | void *dst = NULL; | |
1874 | int off, pad = 0, ret = 0; | |
1875 | unsigned int size_kern, entry_offset, match_size = mwt->match_size; | |
1876 | ||
1877 | strlcpy(name, mwt->u.name, sizeof(name)); | |
1878 | ||
1879 | if (state->buf_kern_start) | |
1880 | dst = state->buf_kern_start + state->buf_kern_offset; | |
1881 | ||
1882 | entry_offset = (unsigned char *) mwt - base; | |
1883 | switch (compat_mwt) { | |
1884 | case EBT_COMPAT_MATCH: | |
1885 | match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE, | |
1886 | name, 0), "ebt_%s", name); | |
1887 | if (match == NULL) | |
1888 | return -ENOENT; | |
1889 | if (IS_ERR(match)) | |
1890 | return PTR_ERR(match); | |
1891 | ||
1892 | off = ebt_compat_match_offset(match, match_size); | |
1893 | if (dst) { | |
1894 | if (match->compat_from_user) | |
1895 | match->compat_from_user(dst, mwt->data); | |
1896 | else | |
1897 | memcpy(dst, mwt->data, match_size); | |
1898 | } | |
1899 | ||
1900 | size_kern = match->matchsize; | |
1901 | if (unlikely(size_kern == -1)) | |
1902 | size_kern = match_size; | |
1903 | module_put(match->me); | |
1904 | break; | |
1905 | case EBT_COMPAT_WATCHER: /* fallthrough */ | |
1906 | case EBT_COMPAT_TARGET: | |
1907 | wt = try_then_request_module(xt_find_target(NFPROTO_BRIDGE, | |
1908 | name, 0), "ebt_%s", name); | |
1909 | if (wt == NULL) | |
1910 | return -ENOENT; | |
1911 | if (IS_ERR(wt)) | |
1912 | return PTR_ERR(wt); | |
1913 | off = xt_compat_target_offset(wt); | |
1914 | ||
1915 | if (dst) { | |
1916 | if (wt->compat_from_user) | |
1917 | wt->compat_from_user(dst, mwt->data); | |
1918 | else | |
1919 | memcpy(dst, mwt->data, match_size); | |
1920 | } | |
1921 | ||
1922 | size_kern = wt->targetsize; | |
1923 | module_put(wt->me); | |
1924 | break; | |
1925 | } | |
1926 | ||
1927 | if (!dst) { | |
1928 | ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, | |
1929 | off + ebt_compat_entry_padsize()); | |
1930 | if (ret < 0) | |
1931 | return ret; | |
1932 | } | |
1933 | ||
1934 | state->buf_kern_offset += match_size + off; | |
1935 | state->buf_user_offset += match_size; | |
1936 | pad = XT_ALIGN(size_kern) - size_kern; | |
1937 | ||
1938 | if (pad > 0 && dst) { | |
1939 | BUG_ON(state->buf_kern_len <= pad); | |
1940 | BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad); | |
1941 | memset(dst + size_kern, 0, pad); | |
1942 | } | |
1943 | return off + match_size; | |
1944 | } | |
1945 | ||
1946 | /* | |
1947 | * return size of all matches, watchers or target, including necessary | |
1948 | * alignment and padding. | |
1949 | */ | |
1950 | static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, | |
1951 | unsigned int size_left, enum compat_mwt type, | |
1952 | struct ebt_entries_buf_state *state, const void *base) | |
1953 | { | |
1954 | int growth = 0; | |
1955 | char *buf; | |
1956 | ||
1957 | if (size_left == 0) | |
1958 | return 0; | |
1959 | ||
1960 | buf = (char *) match32; | |
1961 | ||
1962 | while (size_left >= sizeof(*match32)) { | |
1963 | struct ebt_entry_match *match_kern; | |
1964 | int ret; | |
1965 | ||
1966 | match_kern = (struct ebt_entry_match *) state->buf_kern_start; | |
1967 | if (match_kern) { | |
1968 | char *tmp; | |
1969 | tmp = state->buf_kern_start + state->buf_kern_offset; | |
1970 | match_kern = (struct ebt_entry_match *) tmp; | |
1971 | } | |
1972 | ret = ebt_buf_add(state, buf, sizeof(*match32)); | |
1973 | if (ret < 0) | |
1974 | return ret; | |
1975 | size_left -= sizeof(*match32); | |
1976 | ||
1977 | /* add padding before match->data (if any) */ | |
1978 | ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize()); | |
1979 | if (ret < 0) | |
1980 | return ret; | |
1981 | ||
1982 | if (match32->match_size > size_left) | |
1983 | return -EINVAL; | |
1984 | ||
1985 | size_left -= match32->match_size; | |
1986 | ||
1987 | ret = compat_mtw_from_user(match32, type, state, base); | |
1988 | if (ret < 0) | |
1989 | return ret; | |
1990 | ||
1991 | BUG_ON(ret < match32->match_size); | |
1992 | growth += ret - match32->match_size; | |
1993 | growth += ebt_compat_entry_padsize(); | |
1994 | ||
1995 | buf += sizeof(*match32); | |
1996 | buf += match32->match_size; | |
1997 | ||
1998 | if (match_kern) | |
1999 | match_kern->match_size = ret; | |
2000 | ||
2001 | WARN_ON(type == EBT_COMPAT_TARGET && size_left); | |
2002 | match32 = (struct compat_ebt_entry_mwt *) buf; | |
2003 | } | |
2004 | ||
2005 | return growth; | |
2006 | } | |
2007 | ||
2008 | #define EBT_COMPAT_WATCHER_ITERATE(e, fn, args...) \ | |
2009 | ({ \ | |
2010 | unsigned int __i; \ | |
2011 | int __ret = 0; \ | |
2012 | struct compat_ebt_entry_mwt *__watcher; \ | |
2013 | \ | |
2014 | for (__i = e->watchers_offset; \ | |
2015 | __i < (e)->target_offset; \ | |
2016 | __i += __watcher->watcher_size + \ | |
2017 | sizeof(struct compat_ebt_entry_mwt)) { \ | |
2018 | __watcher = (void *)(e) + __i; \ | |
2019 | __ret = fn(__watcher , ## args); \ | |
2020 | if (__ret != 0) \ | |
2021 | break; \ | |
2022 | } \ | |
2023 | if (__ret == 0) { \ | |
2024 | if (__i != (e)->target_offset) \ | |
2025 | __ret = -EINVAL; \ | |
2026 | } \ | |
2027 | __ret; \ | |
2028 | }) | |
2029 | ||
2030 | #define EBT_COMPAT_MATCH_ITERATE(e, fn, args...) \ | |
2031 | ({ \ | |
2032 | unsigned int __i; \ | |
2033 | int __ret = 0; \ | |
2034 | struct compat_ebt_entry_mwt *__match; \ | |
2035 | \ | |
2036 | for (__i = sizeof(struct ebt_entry); \ | |
2037 | __i < (e)->watchers_offset; \ | |
2038 | __i += __match->match_size + \ | |
2039 | sizeof(struct compat_ebt_entry_mwt)) { \ | |
2040 | __match = (void *)(e) + __i; \ | |
2041 | __ret = fn(__match , ## args); \ | |
2042 | if (__ret != 0) \ | |
2043 | break; \ | |
2044 | } \ | |
2045 | if (__ret == 0) { \ | |
2046 | if (__i != (e)->watchers_offset) \ | |
2047 | __ret = -EINVAL; \ | |
2048 | } \ | |
2049 | __ret; \ | |
2050 | }) | |
2051 | ||
2052 | /* called for all ebt_entry structures. */ | |
2053 | static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, | |
2054 | unsigned int *total, | |
2055 | struct ebt_entries_buf_state *state) | |
2056 | { | |
2057 | unsigned int i, j, startoff, new_offset = 0; | |
2058 | /* stores match/watchers/targets & offset of next struct ebt_entry: */ | |
2059 | unsigned int offsets[4]; | |
2060 | unsigned int *offsets_update = NULL; | |
2061 | int ret; | |
2062 | char *buf_start; | |
2063 | ||
2064 | if (*total < sizeof(struct ebt_entries)) | |
2065 | return -EINVAL; | |
2066 | ||
2067 | if (!entry->bitmask) { | |
2068 | *total -= sizeof(struct ebt_entries); | |
2069 | return ebt_buf_add(state, entry, sizeof(struct ebt_entries)); | |
2070 | } | |
2071 | if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry)) | |
2072 | return -EINVAL; | |
2073 | ||
2074 | startoff = state->buf_user_offset; | |
2075 | /* pull in most part of ebt_entry, it does not need to be changed. */ | |
2076 | ret = ebt_buf_add(state, entry, | |
2077 | offsetof(struct ebt_entry, watchers_offset)); | |
2078 | if (ret < 0) | |
2079 | return ret; | |
2080 | ||
2081 | offsets[0] = sizeof(struct ebt_entry); /* matches come first */ | |
2082 | memcpy(&offsets[1], &entry->watchers_offset, | |
2083 | sizeof(offsets) - sizeof(offsets[0])); | |
2084 | ||
2085 | if (state->buf_kern_start) { | |
2086 | buf_start = state->buf_kern_start + state->buf_kern_offset; | |
2087 | offsets_update = (unsigned int *) buf_start; | |
2088 | } | |
2089 | ret = ebt_buf_add(state, &offsets[1], | |
2090 | sizeof(offsets) - sizeof(offsets[0])); | |
2091 | if (ret < 0) | |
2092 | return ret; | |
2093 | buf_start = (char *) entry; | |
2094 | /* | |
2095 | * 0: matches offset, always follows ebt_entry. | |
2096 | * 1: watchers offset, from ebt_entry structure | |
2097 | * 2: target offset, from ebt_entry structure | |
2098 | * 3: next ebt_entry offset, from ebt_entry structure | |
2099 | * | |
2100 | * offsets are relative to beginning of struct ebt_entry (i.e., 0). | |
2101 | */ | |
2102 | for (i = 0, j = 1 ; j < 4 ; j++, i++) { | |
2103 | struct compat_ebt_entry_mwt *match32; | |
2104 | unsigned int size; | |
2105 | char *buf = buf_start; | |
2106 | ||
2107 | buf = buf_start + offsets[i]; | |
2108 | if (offsets[i] > offsets[j]) | |
2109 | return -EINVAL; | |
2110 | ||
2111 | match32 = (struct compat_ebt_entry_mwt *) buf; | |
2112 | size = offsets[j] - offsets[i]; | |
2113 | ret = ebt_size_mwt(match32, size, i, state, base); | |
2114 | if (ret < 0) | |
2115 | return ret; | |
2116 | new_offset += ret; | |
2117 | if (offsets_update && new_offset) { | |
ff67e4e4 | 2118 | pr_debug("change offset %d to %d\n", |
81e675c2 FW |
2119 | offsets_update[i], offsets[j] + new_offset); |
2120 | offsets_update[i] = offsets[j] + new_offset; | |
2121 | } | |
2122 | } | |
2123 | ||
2124 | startoff = state->buf_user_offset - startoff; | |
2125 | ||
2126 | BUG_ON(*total < startoff); | |
2127 | *total -= startoff; | |
2128 | return 0; | |
2129 | } | |
2130 | ||
2131 | /* | |
2132 | * repl->entries_size is the size of the ebt_entry blob in userspace. | |
2133 | * It might need more memory when copied to a 64 bit kernel in case | |
2134 | * userspace is 32-bit. So, first task: find out how much memory is needed. | |
2135 | * | |
2136 | * Called before validation is performed. | |
2137 | */ | |
2138 | static int compat_copy_entries(unsigned char *data, unsigned int size_user, | |
2139 | struct ebt_entries_buf_state *state) | |
2140 | { | |
2141 | unsigned int size_remaining = size_user; | |
2142 | int ret; | |
2143 | ||
2144 | ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data, | |
2145 | &size_remaining, state); | |
2146 | if (ret < 0) | |
2147 | return ret; | |
2148 | ||
2149 | WARN_ON(size_remaining); | |
2150 | return state->buf_kern_offset; | |
2151 | } | |
2152 | ||
2153 | ||
2154 | static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl, | |
2155 | void __user *user, unsigned int len) | |
2156 | { | |
2157 | struct compat_ebt_replace tmp; | |
2158 | int i; | |
2159 | ||
2160 | if (len < sizeof(tmp)) | |
2161 | return -EINVAL; | |
2162 | ||
2163 | if (copy_from_user(&tmp, user, sizeof(tmp))) | |
2164 | return -EFAULT; | |
2165 | ||
2166 | if (len != sizeof(tmp) + tmp.entries_size) | |
2167 | return -EINVAL; | |
2168 | ||
2169 | if (tmp.entries_size == 0) | |
2170 | return -EINVAL; | |
2171 | ||
2172 | if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / | |
2173 | NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter)) | |
2174 | return -ENOMEM; | |
2175 | if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) | |
2176 | return -ENOMEM; | |
2177 | ||
2178 | memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry)); | |
2179 | ||
2180 | /* starting with hook_entry, 32 vs. 64 bit structures are different */ | |
2181 | for (i = 0; i < NF_BR_NUMHOOKS; i++) | |
2182 | repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]); | |
2183 | ||
2184 | repl->num_counters = tmp.num_counters; | |
2185 | repl->counters = compat_ptr(tmp.counters); | |
2186 | repl->entries = compat_ptr(tmp.entries); | |
2187 | return 0; | |
2188 | } | |
2189 | ||
2190 | static int compat_do_replace(struct net *net, void __user *user, | |
2191 | unsigned int len) | |
2192 | { | |
2193 | int ret, i, countersize, size64; | |
2194 | struct ebt_table_info *newinfo; | |
2195 | struct ebt_replace tmp; | |
2196 | struct ebt_entries_buf_state state; | |
2197 | void *entries_tmp; | |
2198 | ||
2199 | ret = compat_copy_ebt_replace_from_user(&tmp, user, len); | |
90b89af7 FW |
2200 | if (ret) { |
2201 | /* try real handler in case userland supplied needed padding */ | |
2202 | if (ret == -EINVAL && do_replace(net, user, len) == 0) | |
2203 | ret = 0; | |
81e675c2 | 2204 | return ret; |
90b89af7 | 2205 | } |
81e675c2 FW |
2206 | |
2207 | countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; | |
2208 | newinfo = vmalloc(sizeof(*newinfo) + countersize); | |
2209 | if (!newinfo) | |
2210 | return -ENOMEM; | |
2211 | ||
2212 | if (countersize) | |
2213 | memset(newinfo->counters, 0, countersize); | |
2214 | ||
2215 | memset(&state, 0, sizeof(state)); | |
2216 | ||
2217 | newinfo->entries = vmalloc(tmp.entries_size); | |
2218 | if (!newinfo->entries) { | |
2219 | ret = -ENOMEM; | |
2220 | goto free_newinfo; | |
2221 | } | |
2222 | if (copy_from_user( | |
2223 | newinfo->entries, tmp.entries, tmp.entries_size) != 0) { | |
2224 | ret = -EFAULT; | |
2225 | goto free_entries; | |
2226 | } | |
2227 | ||
2228 | entries_tmp = newinfo->entries; | |
2229 | ||
2230 | xt_compat_lock(NFPROTO_BRIDGE); | |
2231 | ||
2232 | ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state); | |
2233 | if (ret < 0) | |
2234 | goto out_unlock; | |
2235 | ||
2236 | pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n", | |
2237 | tmp.entries_size, state.buf_kern_offset, state.buf_user_offset, | |
2238 | xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size)); | |
2239 | ||
2240 | size64 = ret; | |
2241 | newinfo->entries = vmalloc(size64); | |
2242 | if (!newinfo->entries) { | |
2243 | vfree(entries_tmp); | |
2244 | ret = -ENOMEM; | |
2245 | goto out_unlock; | |
2246 | } | |
2247 | ||
2248 | memset(&state, 0, sizeof(state)); | |
2249 | state.buf_kern_start = newinfo->entries; | |
2250 | state.buf_kern_len = size64; | |
2251 | ||
2252 | ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state); | |
2253 | BUG_ON(ret < 0); /* parses same data again */ | |
2254 | ||
2255 | vfree(entries_tmp); | |
2256 | tmp.entries_size = size64; | |
2257 | ||
2258 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
2259 | char __user *usrptr; | |
2260 | if (tmp.hook_entry[i]) { | |
2261 | unsigned int delta; | |
2262 | usrptr = (char __user *) tmp.hook_entry[i]; | |
2263 | delta = usrptr - tmp.entries; | |
2264 | usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta); | |
2265 | tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr; | |
2266 | } | |
2267 | } | |
2268 | ||
2269 | xt_compat_flush_offsets(NFPROTO_BRIDGE); | |
2270 | xt_compat_unlock(NFPROTO_BRIDGE); | |
2271 | ||
2272 | ret = do_replace_finish(net, &tmp, newinfo); | |
2273 | if (ret == 0) | |
2274 | return ret; | |
2275 | free_entries: | |
2276 | vfree(newinfo->entries); | |
2277 | free_newinfo: | |
2278 | vfree(newinfo); | |
2279 | return ret; | |
2280 | out_unlock: | |
2281 | xt_compat_flush_offsets(NFPROTO_BRIDGE); | |
2282 | xt_compat_unlock(NFPROTO_BRIDGE); | |
2283 | goto free_entries; | |
2284 | } | |
2285 | ||
2286 | static int compat_update_counters(struct net *net, void __user *user, | |
2287 | unsigned int len) | |
2288 | { | |
2289 | struct compat_ebt_replace hlp; | |
2290 | ||
2291 | if (copy_from_user(&hlp, user, sizeof(hlp))) | |
2292 | return -EFAULT; | |
2293 | ||
90b89af7 | 2294 | /* try real handler in case userland supplied needed padding */ |
81e675c2 | 2295 | if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter)) |
90b89af7 | 2296 | return update_counters(net, user, len); |
81e675c2 FW |
2297 | |
2298 | return do_update_counters(net, hlp.name, compat_ptr(hlp.counters), | |
2299 | hlp.num_counters, user, len); | |
2300 | } | |
2301 | ||
2302 | static int compat_do_ebt_set_ctl(struct sock *sk, | |
2303 | int cmd, void __user *user, unsigned int len) | |
2304 | { | |
2305 | int ret; | |
2306 | ||
2307 | if (!capable(CAP_NET_ADMIN)) | |
2308 | return -EPERM; | |
2309 | ||
2310 | switch (cmd) { | |
2311 | case EBT_SO_SET_ENTRIES: | |
2312 | ret = compat_do_replace(sock_net(sk), user, len); | |
2313 | break; | |
2314 | case EBT_SO_SET_COUNTERS: | |
2315 | ret = compat_update_counters(sock_net(sk), user, len); | |
2316 | break; | |
2317 | default: | |
2318 | ret = -EINVAL; | |
2319 | } | |
2320 | return ret; | |
2321 | } | |
2322 | ||
2323 | static int compat_do_ebt_get_ctl(struct sock *sk, int cmd, | |
2324 | void __user *user, int *len) | |
2325 | { | |
2326 | int ret; | |
2327 | struct compat_ebt_replace tmp; | |
2328 | struct ebt_table *t; | |
2329 | ||
2330 | if (!capable(CAP_NET_ADMIN)) | |
2331 | return -EPERM; | |
2332 | ||
90b89af7 | 2333 | /* try real handler in case userland supplied needed padding */ |
81e675c2 FW |
2334 | if ((cmd == EBT_SO_GET_INFO || |
2335 | cmd == EBT_SO_GET_INIT_INFO) && *len != sizeof(tmp)) | |
90b89af7 | 2336 | return do_ebt_get_ctl(sk, cmd, user, len); |
81e675c2 FW |
2337 | |
2338 | if (copy_from_user(&tmp, user, sizeof(tmp))) | |
2339 | return -EFAULT; | |
2340 | ||
2341 | t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex); | |
2342 | if (!t) | |
2343 | return ret; | |
2344 | ||
2345 | xt_compat_lock(NFPROTO_BRIDGE); | |
2346 | switch (cmd) { | |
2347 | case EBT_SO_GET_INFO: | |
2348 | tmp.nentries = t->private->nentries; | |
2349 | ret = compat_table_info(t->private, &tmp); | |
2350 | if (ret) | |
2351 | goto out; | |
2352 | tmp.valid_hooks = t->valid_hooks; | |
2353 | ||
2354 | if (copy_to_user(user, &tmp, *len) != 0) { | |
2355 | ret = -EFAULT; | |
2356 | break; | |
2357 | } | |
2358 | ret = 0; | |
2359 | break; | |
2360 | case EBT_SO_GET_INIT_INFO: | |
2361 | tmp.nentries = t->table->nentries; | |
2362 | tmp.entries_size = t->table->entries_size; | |
2363 | tmp.valid_hooks = t->table->valid_hooks; | |
2364 | ||
2365 | if (copy_to_user(user, &tmp, *len) != 0) { | |
2366 | ret = -EFAULT; | |
2367 | break; | |
2368 | } | |
2369 | ret = 0; | |
2370 | break; | |
2371 | case EBT_SO_GET_ENTRIES: | |
2372 | case EBT_SO_GET_INIT_ENTRIES: | |
90b89af7 FW |
2373 | /* |
2374 | * try real handler first in case of userland-side padding. | |
2375 | * in case we are dealing with an 'ordinary' 32 bit binary | |
2376 | * without 64bit compatibility padding, this will fail right | |
2377 | * after copy_from_user when the *len argument is validated. | |
2378 | * | |
2379 | * the compat_ variant needs to do one pass over the kernel | |
2380 | * data set to adjust for size differences before it the check. | |
2381 | */ | |
2382 | if (copy_everything_to_user(t, user, len, cmd) == 0) | |
2383 | ret = 0; | |
2384 | else | |
2385 | ret = compat_copy_everything_to_user(t, user, len, cmd); | |
81e675c2 FW |
2386 | break; |
2387 | default: | |
2388 | ret = -EINVAL; | |
2389 | } | |
2390 | out: | |
2391 | xt_compat_flush_offsets(NFPROTO_BRIDGE); | |
2392 | xt_compat_unlock(NFPROTO_BRIDGE); | |
2393 | mutex_unlock(&ebt_mutex); | |
2394 | return ret; | |
2395 | } | |
2396 | #endif | |
2397 | ||
1da177e4 | 2398 | static struct nf_sockopt_ops ebt_sockopts = |
74ca4e5a AM |
2399 | { |
2400 | .pf = PF_INET, | |
2401 | .set_optmin = EBT_BASE_CTL, | |
2402 | .set_optmax = EBT_SO_SET_MAX + 1, | |
2403 | .set = do_ebt_set_ctl, | |
81e675c2 FW |
2404 | #ifdef CONFIG_COMPAT |
2405 | .compat_set = compat_do_ebt_set_ctl, | |
2406 | #endif | |
74ca4e5a AM |
2407 | .get_optmin = EBT_BASE_CTL, |
2408 | .get_optmax = EBT_SO_GET_MAX + 1, | |
2409 | .get = do_ebt_get_ctl, | |
81e675c2 FW |
2410 | #ifdef CONFIG_COMPAT |
2411 | .compat_get = compat_do_ebt_get_ctl, | |
2412 | #endif | |
16fcec35 | 2413 | .owner = THIS_MODULE, |
1da177e4 LT |
2414 | }; |
2415 | ||
65b4b4e8 | 2416 | static int __init ebtables_init(void) |
1da177e4 LT |
2417 | { |
2418 | int ret; | |
2419 | ||
043ef46c JE |
2420 | ret = xt_register_target(&ebt_standard_target); |
2421 | if (ret < 0) | |
1da177e4 | 2422 | return ret; |
043ef46c JE |
2423 | ret = nf_register_sockopt(&ebt_sockopts); |
2424 | if (ret < 0) { | |
2425 | xt_unregister_target(&ebt_standard_target); | |
2426 | return ret; | |
2427 | } | |
1da177e4 | 2428 | |
a887c1c1 | 2429 | printk(KERN_INFO "Ebtables v2.0 registered\n"); |
1da177e4 LT |
2430 | return 0; |
2431 | } | |
2432 | ||
65b4b4e8 | 2433 | static void __exit ebtables_fini(void) |
1da177e4 LT |
2434 | { |
2435 | nf_unregister_sockopt(&ebt_sockopts); | |
043ef46c | 2436 | xt_unregister_target(&ebt_standard_target); |
a887c1c1 | 2437 | printk(KERN_INFO "Ebtables v2.0 unregistered\n"); |
1da177e4 LT |
2438 | } |
2439 | ||
2440 | EXPORT_SYMBOL(ebt_register_table); | |
2441 | EXPORT_SYMBOL(ebt_unregister_table); | |
1da177e4 | 2442 | EXPORT_SYMBOL(ebt_do_table); |
65b4b4e8 AM |
2443 | module_init(ebtables_init); |
2444 | module_exit(ebtables_fini); | |
1da177e4 | 2445 | MODULE_LICENSE("GPL"); |