projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[TCP]: Fix RFC2465 typo.
[linux-2.6-block.git] / net / bridge / netfilter / ebtables.c
CommitLineData
1da177e4
LT		 1/*
2 * ebtables
3 *
4 * Author:
5 * Bart De Schuymer <bdschuym@pandora.be>
6 *
7 * ebtables.c,v 2.0, July, 2002
8 *
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
16 */
17
18/* used for print_string */
19#include <linux/sched.h>
20#include <linux/tty.h>
21
22#include <linux/kmod.h>
23#include <linux/module.h>
24#include <linux/vmalloc.h>
25#include <linux/netfilter_bridge/ebtables.h>
26#include <linux/spinlock.h>
27#include <asm/uaccess.h>
28#include <linux/smp.h>
c8923c6b 29#include <linux/cpumask.h>
1da177e4
LT		 30#include <net/sock.h>
31/* needed for logical [in,out]-dev filtering */
32#include "../br_private.h"
33
34/* list_named_find */
35#define ASSERT_READ_LOCK(x)
36#define ASSERT_WRITE_LOCK(x)
37#include <linux/netfilter_ipv4/listhelp.h>
57b47a53 38#include <linux/mutex.h>
1da177e4
LT		 39
40#if 0
41/* use this for remote debugging
42 * Copyright (C) 1998 by Ori Pomerantz
43 * Print the string to the appropriate tty, the one
44 * the current task uses
45 */
46static void print_string(char *str)
47{
48 struct tty_struct *my_tty;
49
50 /* The tty for the current task */
51 my_tty = current->signal->tty;
52 if (my_tty != NULL) {
53 my_tty->driver->write(my_tty, 0, str, strlen(str));
54 my_tty->driver->write(my_tty, 0, "\015\012", 2);
55 }
56}
57
58#define BUGPRINT(args) print_string(args);
59#else
60#define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
61 "report to author: "format, ## args)
62/* #define BUGPRINT(format, args...) */
63#endif
64#define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
65 ": out of memory: "format, ## args)
66/* #define MEMPRINT(format, args...) */
67
68
69
70/*
71 * Each cpu has its own set of counters, so there is no need for write_lock in
72 * the softirq
73 * For reading or updating the counters, the user context needs to
74 * get a write_lock
75 */
76
77/* The size of each set of counters is altered to get cache alignment */
78#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
79#define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
80#define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
81 COUNTER_OFFSET(n) * cpu))
82
83
84
57b47a53 85static DEFINE_MUTEX(ebt_mutex);
1da177e4
LT		 86static LIST_HEAD(ebt_tables);
87static LIST_HEAD(ebt_targets);
88static LIST_HEAD(ebt_matches);
89static LIST_HEAD(ebt_watchers);
90
91static struct ebt_target ebt_standard_target =
92{ {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
93
94static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
95 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
96 const struct net_device *out)
97{
98 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
99 w->watcher_size);
100 /* watchers don't give a verdict */
101 return 0;
102}
103
104static inline int ebt_do_match (struct ebt_entry_match *m,
105 const struct sk_buff *skb, const struct net_device *in,
106 const struct net_device *out)
107{
108 return m->u.match->match(skb, in, out, m->data,
109 m->match_size);
110}
111
112static inline int ebt_dev_check(char *entry, const struct net_device *device)
113{
114 int i = 0;
115 char *devname = device->name;
116
117 if (*entry == '\0')
118 return 0;
119 if (!device)
120 return 1;
121 /* 1 is the wildcard token */
122 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
123 i++;
124 return (devname[i] != entry[i] && entry[i] != 1);
125}
126
127#define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
128/* process standard matches */
129static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
130 const struct net_device *in, const struct net_device *out)
131{
132 int verdict, i;
133
134 if (e->bitmask & EBT_802_3) {
135 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
136 return 1;
137 } else if (!(e->bitmask & EBT_NOPROTO) &&
138 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
139 return 1;
140
141 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
142 return 1;
143 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
144 return 1;
145 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
146 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
147 return 1;
148 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
149 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
150 return 1;
151
152 if (e->bitmask & EBT_SOURCEMAC) {
153 verdict = 0;
154 for (i = 0; i < 6; i++)
155 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
156 e->sourcemsk[i];
157 if (FWINV2(verdict != 0, EBT_ISOURCE) )
158 return 1;
159 }
160 if (e->bitmask & EBT_DESTMAC) {
161 verdict = 0;
162 for (i = 0; i < 6; i++)
163 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
164 e->destmsk[i];
165 if (FWINV2(verdict != 0, EBT_IDEST) )
166 return 1;
167 }
168 return 0;
169}
170
171/* Do some firewalling */
172unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
173 const struct net_device *in, const struct net_device *out,
174 struct ebt_table *table)
175{
176 int i, nentries;
177 struct ebt_entry *point;
178 struct ebt_counter *counter_base, *cb_base;
179 struct ebt_entry_target *t;
180 int verdict, sp = 0;
181 struct ebt_chainstack *cs;
182 struct ebt_entries *chaininfo;
183 char *base;
184 struct ebt_table_info *private;
185
186 read_lock_bh(&table->lock);
187 private = table->private;
188 cb_base = COUNTER_BASE(private->counters, private->nentries,
189 smp_processor_id());
190 if (private->chainstack)
191 cs = private->chainstack[smp_processor_id()];
192 else
193 cs = NULL;
194 chaininfo = private->hook_entry[hook];
195 nentries = private->hook_entry[hook]->nentries;
196 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
197 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
198 /* base for chain jumps */
199 base = private->entries;
200 i = 0;
201 while (i < nentries) {
202 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
203 goto letscontinue;
204
205 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
206 goto letscontinue;
207
208 /* increase counter */
209 (*(counter_base + i)).pcnt++;
210 (*(counter_base + i)).bcnt+=(**pskb).len;
211
212 /* these should only watch: not modify, nor tell us
213 what to do with the packet */
214 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
215 out);
216
217 t = (struct ebt_entry_target *)
218 (((char *)point) + point->target_offset);
219 /* standard target */
220 if (!t->u.target->target)
221 verdict = ((struct ebt_standard_target *)t)->verdict;
222 else
223 verdict = t->u.target->target(pskb, hook,
224 in, out, t->data, t->target_size);
225 if (verdict == EBT_ACCEPT) {
226 read_unlock_bh(&table->lock);
227 return NF_ACCEPT;
228 }
229 if (verdict == EBT_DROP) {
230 read_unlock_bh(&table->lock);
231 return NF_DROP;
232 }
233 if (verdict == EBT_RETURN) {
234letsreturn:
235#ifdef CONFIG_NETFILTER_DEBUG
236 if (sp == 0) {
237 BUGPRINT("RETURN on base chain");
238 /* act like this is EBT_CONTINUE */
239 goto letscontinue;
240 }
241#endif
242 sp--;
243 /* put all the local variables right */
244 i = cs[sp].n;
245 chaininfo = cs[sp].chaininfo;
246 nentries = chaininfo->nentries;
247 point = cs[sp].e;
248 counter_base = cb_base +
249 chaininfo->counter_offset;
250 continue;
251 }
252 if (verdict == EBT_CONTINUE)
253 goto letscontinue;
254#ifdef CONFIG_NETFILTER_DEBUG
255 if (verdict < 0) {
256 BUGPRINT("bogus standard verdict\n");
257 read_unlock_bh(&table->lock);
258 return NF_DROP;
259 }
260#endif
261 /* jump to a udc */
262 cs[sp].n = i + 1;
263 cs[sp].chaininfo = chaininfo;
264 cs[sp].e = (struct ebt_entry *)
265 (((char *)point) + point->next_offset);
266 i = 0;
267 chaininfo = (struct ebt_entries *) (base + verdict);
268#ifdef CONFIG_NETFILTER_DEBUG
269 if (chaininfo->distinguisher) {
270 BUGPRINT("jump to non-chain\n");
271 read_unlock_bh(&table->lock);
272 return NF_DROP;
273 }
274#endif
275 nentries = chaininfo->nentries;
276 point = (struct ebt_entry *)chaininfo->data;
277 counter_base = cb_base + chaininfo->counter_offset;
278 sp++;
279 continue;
280letscontinue:
281 point = (struct ebt_entry *)
282 (((char *)point) + point->next_offset);
283 i++;
284 }
285
286 /* I actually like this :) */
287 if (chaininfo->policy == EBT_RETURN)
288 goto letsreturn;
289 if (chaininfo->policy == EBT_ACCEPT) {
290 read_unlock_bh(&table->lock);
291 return NF_ACCEPT;
292 }
293 read_unlock_bh(&table->lock);
294 return NF_DROP;
295}
296
297/* If it succeeds, returns element and locks mutex */
298static inline void *
299find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
57b47a53 300 struct mutex *mutex)
1da177e4
LT		 301{
302 void *ret;
303
57b47a53 304 *error = mutex_lock_interruptible(mutex);
1da177e4
LT		 305 if (*error != 0)
306 return NULL;
307
308 ret = list_named_find(head, name);
309 if (!ret) {
310 *error = -ENOENT;
57b47a53 311 mutex_unlock(mutex);
1da177e4
LT		 312 }
313 return ret;
314}
315
316#ifndef CONFIG_KMOD
317#define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
318#else
319static void *
320find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
57b47a53 321 int *error, struct mutex *mutex)
1da177e4
LT		 322{
323 void *ret;
324
325 ret = find_inlist_lock_noload(head, name, error, mutex);
326 if (!ret) {
327 request_module("%s%s", prefix, name);
328 ret = find_inlist_lock_noload(head, name, error, mutex);
329 }
330 return ret;
331}
332#endif
333
334static inline struct ebt_table *
57b47a53 335find_table_lock(const char *name, int *error, struct mutex *mutex)
1da177e4
LT		 336{
337 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
338}
339
340static inline struct ebt_match *
57b47a53 341find_match_lock(const char *name, int *error, struct mutex *mutex)
1da177e4
LT		 342{
343 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
344}
345
346static inline struct ebt_watcher *
57b47a53 347find_watcher_lock(const char *name, int *error, struct mutex *mutex)
1da177e4
LT		 348{
349 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
350}
351
352static inline struct ebt_target *
57b47a53 353find_target_lock(const char *name, int *error, struct mutex *mutex)
1da177e4
LT		 354{
355 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
356}
357
358static inline int
359ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
360 const char *name, unsigned int hookmask, unsigned int *cnt)
361{
362 struct ebt_match *match;
363 int ret;
364
365 if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
366 ((char *)e) + e->watchers_offset)
367 return -EINVAL;
368 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
369 if (!match)
370 return ret;
371 m->u.match = match;
372 if (!try_module_get(match->me)) {
57b47a53 373 mutex_unlock(&ebt_mutex);
1da177e4
LT		 374 return -ENOENT;
375 }
57b47a53 376 mutex_unlock(&ebt_mutex);
1da177e4
LT		 377 if (match->check &&
378 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
379 BUGPRINT("match->check failed\n");
380 module_put(match->me);
381 return -EINVAL;
382 }
383 (*cnt)++;
384 return 0;
385}
386
387static inline int
388ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
389 const char *name, unsigned int hookmask, unsigned int *cnt)
390{
391 struct ebt_watcher *watcher;
392 int ret;
393
394 if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
395 ((char *)e) + e->target_offset)
396 return -EINVAL;
397 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
398 if (!watcher)
399 return ret;
400 w->u.watcher = watcher;
401 if (!try_module_get(watcher->me)) {
57b47a53 402 mutex_unlock(&ebt_mutex);
1da177e4
LT		 403 return -ENOENT;
404 }
57b47a53 405 mutex_unlock(&ebt_mutex);
1da177e4
LT		 406 if (watcher->check &&
407 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
408 BUGPRINT("watcher->check failed\n");
409 module_put(watcher->me);
410 return -EINVAL;
411 }
412 (*cnt)++;
413 return 0;
414}
415
416/*
417 * this one is very careful, as it is the first function
418 * to parse the userspace data
419 */
420static inline int
421ebt_check_entry_size_and_hooks(struct ebt_entry *e,
422 struct ebt_table_info *newinfo, char *base, char *limit,
423 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
424 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
425{
426 int i;
427
428 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
429 if ((valid_hooks & (1 << i)) == 0)
430 continue;
431 if ( (char *)hook_entries[i] - base ==
432 (char *)e - newinfo->entries)
433 break;
434 }
435 /* beginning of a new chain
436 if i == NF_BR_NUMHOOKS it must be a user defined chain */
437 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
438 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) != 0) {
439 /* we make userspace set this right,
440 so there is no misunderstanding */
441 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
442 "in distinguisher\n");
443 return -EINVAL;
444 }
445 /* this checks if the previous chain has as many entries
446 as it said it has */
447 if (*n != *cnt) {
448 BUGPRINT("nentries does not equal the nr of entries "
449 "in the chain\n");
450 return -EINVAL;
451 }
452 /* before we look at the struct, be sure it is not too big */
453 if ((char *)hook_entries[i] + sizeof(struct ebt_entries)
454 > limit) {
455 BUGPRINT("entries_size too small\n");
456 return -EINVAL;
457 }
458 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
459 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
460 /* only RETURN from udc */
461 if (i != NF_BR_NUMHOOKS ||
462 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
463 BUGPRINT("bad policy\n");
464 return -EINVAL;
465 }
466 }
467 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
468 (*udc_cnt)++;
469 else
470 newinfo->hook_entry[i] = (struct ebt_entries *)e;
471 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
472 BUGPRINT("counter_offset != totalcnt");
473 return -EINVAL;
474 }
475 *n = ((struct ebt_entries *)e)->nentries;
476 *cnt = 0;
477 return 0;
478 }
479 /* a plain old entry, heh */
480 if (sizeof(struct ebt_entry) > e->watchers_offset ||
481 e->watchers_offset > e->target_offset ||
482 e->target_offset >= e->next_offset) {
483 BUGPRINT("entry offsets not in right order\n");
484 return -EINVAL;
485 }
486 /* this is not checked anywhere else */
487 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
488 BUGPRINT("target size too small\n");
489 return -EINVAL;
490 }
491
492 (*cnt)++;
493 (*totalcnt)++;
494 return 0;
495}
496
497struct ebt_cl_stack
498{
499 struct ebt_chainstack cs;
500 int from;
501 unsigned int hookmask;
502};
503
504/*
505 * we need these positions to check that the jumps to a different part of the
506 * entries is a jump to the beginning of a new chain.
507 */
508static inline int
509ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
510 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
511 struct ebt_cl_stack *udc)
512{
513 int i;
514
515 /* we're only interested in chain starts */
516 if (e->bitmask & EBT_ENTRY_OR_ENTRIES)
517 return 0;
518 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
519 if ((valid_hooks & (1 << i)) == 0)
520 continue;
521 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
522 break;
523 }
524 /* only care about udc */
525 if (i != NF_BR_NUMHOOKS)
526 return 0;
527
528 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
529 /* these initialisations are depended on later in check_chainloops() */
530 udc[*n].cs.n = 0;
531 udc[*n].hookmask = 0;
532
533 (*n)++;
534 return 0;
535}
536
537static inline int
538ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
539{
540 if (i && (*i)-- == 0)
541 return 1;
542 if (m->u.match->destroy)
543 m->u.match->destroy(m->data, m->match_size);
544 module_put(m->u.match->me);
545
546 return 0;
547}
548
549static inline int
550ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
551{
552 if (i && (*i)-- == 0)
553 return 1;
554 if (w->u.watcher->destroy)
555 w->u.watcher->destroy(w->data, w->watcher_size);
556 module_put(w->u.watcher->me);
557
558 return 0;
559}
560
561static inline int
562ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
563{
564 struct ebt_entry_target *t;
565
566 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
567 return 0;
568 /* we're done */
569 if (cnt && (*cnt)-- == 0)
570 return 1;
571 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
572 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
573 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
574 if (t->u.target->destroy)
575 t->u.target->destroy(t->data, t->target_size);
576 module_put(t->u.target->me);
577
578 return 0;
579}
580
581static inline int
582ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
583 const char *name, unsigned int *cnt, unsigned int valid_hooks,
584 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
585{
586 struct ebt_entry_target *t;
587 struct ebt_target *target;
588 unsigned int i, j, hook = 0, hookmask = 0;
589 int ret;
590
591 /* don't mess with the struct ebt_entries */
592 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
593 return 0;
594
595 if (e->bitmask & ~EBT_F_MASK) {
596 BUGPRINT("Unknown flag for bitmask\n");
597 return -EINVAL;
598 }
599 if (e->invflags & ~EBT_INV_MASK) {
600 BUGPRINT("Unknown flag for inv bitmask\n");
601 return -EINVAL;
602 }
603 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
604 BUGPRINT("NOPROTO & 802_3 not allowed\n");
605 return -EINVAL;
606 }
607 /* what hook do we belong to? */
608 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
609 if ((valid_hooks & (1 << i)) == 0)
610 continue;
611 if ((char *)newinfo->hook_entry[i] < (char *)e)
612 hook = i;
613 else
614 break;
615 }
616 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
617 a base chain */
618 if (i < NF_BR_NUMHOOKS)
619 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
620 else {
621 for (i = 0; i < udc_cnt; i++)
622 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
623 break;
624 if (i == 0)
625 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
626 else
627 hookmask = cl_s[i - 1].hookmask;
628 }
629 i = 0;
630 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
631 if (ret != 0)
632 goto cleanup_matches;
633 j = 0;
634 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
635 if (ret != 0)
636 goto cleanup_watchers;
637 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
638 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
639 if (!target)
640 goto cleanup_watchers;
641 if (!try_module_get(target->me)) {
57b47a53 642 mutex_unlock(&ebt_mutex);
1da177e4
LT		 643 ret = -ENOENT;
644 goto cleanup_watchers;
645 }
57b47a53 646 mutex_unlock(&ebt_mutex);
1da177e4
LT		 647
648 t->u.target = target;
649 if (t->u.target == &ebt_standard_target) {
650 if (e->target_offset + sizeof(struct ebt_standard_target) >
651 e->next_offset) {
652 BUGPRINT("Standard target size too big\n");
653 ret = -EFAULT;
654 goto cleanup_watchers;
655 }
656 if (((struct ebt_standard_target *)t)->verdict <
657 -NUM_STANDARD_TARGETS) {
658 BUGPRINT("Invalid standard target\n");
659 ret = -EFAULT;
660 goto cleanup_watchers;
661 }
662 } else if ((e->target_offset + t->target_size +
663 sizeof(struct ebt_entry_target) > e->next_offset) ||
664 (t->u.target->check &&
665 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
666 module_put(t->u.target->me);
667 ret = -EFAULT;
668 goto cleanup_watchers;
669 }
670 (*cnt)++;
671 return 0;
672cleanup_watchers:
673 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
674cleanup_matches:
675 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
676 return ret;
677}
678
679/*
680 * checks for loops and sets the hook mask for udc
681 * the hook mask for udc tells us from which base chains the udc can be
682 * accessed. This mask is a parameter to the check() functions of the extensions
683 */
684static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
685 unsigned int udc_cnt, unsigned int hooknr, char *base)
686{
687 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
688 struct ebt_entry *e = (struct ebt_entry *)chain->data;
689 struct ebt_entry_target *t;
690
691 while (pos < nentries || chain_nr != -1) {
692 /* end of udc, go back one 'recursion' step */
693 if (pos == nentries) {
694 /* put back values of the time when this chain was called */
695 e = cl_s[chain_nr].cs.e;
696 if (cl_s[chain_nr].from != -1)
697 nentries =
698 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
699 else
700 nentries = chain->nentries;
701 pos = cl_s[chain_nr].cs.n;
702 /* make sure we won't see a loop that isn't one */
703 cl_s[chain_nr].cs.n = 0;
704 chain_nr = cl_s[chain_nr].from;
705 if (pos == nentries)
706 continue;
707 }
708 t = (struct ebt_entry_target *)
709 (((char *)e) + e->target_offset);
710 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
711 goto letscontinue;
712 if (e->target_offset + sizeof(struct ebt_standard_target) >
713 e->next_offset) {
714 BUGPRINT("Standard target size too big\n");
715 return -1;
716 }
717 verdict = ((struct ebt_standard_target *)t)->verdict;
718 if (verdict >= 0) { /* jump to another chain */
719 struct ebt_entries *hlp2 =
720 (struct ebt_entries *)(base + verdict);
721 for (i = 0; i < udc_cnt; i++)
722 if (hlp2 == cl_s[i].cs.chaininfo)
723 break;
724 /* bad destination or loop */
725 if (i == udc_cnt) {
726 BUGPRINT("bad destination\n");
727 return -1;
728 }
729 if (cl_s[i].cs.n) {
730 BUGPRINT("loop\n");
731 return -1;
732 }
733 /* this can't be 0, so the above test is correct */
734 cl_s[i].cs.n = pos + 1;
735 pos = 0;
736 cl_s[i].cs.e = ((void *)e + e->next_offset);
737 e = (struct ebt_entry *)(hlp2->data);
738 nentries = hlp2->nentries;
739 cl_s[i].from = chain_nr;
740 chain_nr = i;
741 /* this udc is accessible from the base chain for hooknr */
742 cl_s[i].hookmask |= (1 << hooknr);
743 continue;
744 }
745letscontinue:
746 e = (void *)e + e->next_offset;
747 pos++;
748 }
749 return 0;
750}
751
752/* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
753static int translate_table(struct ebt_replace *repl,
754 struct ebt_table_info *newinfo)
755{
756 unsigned int i, j, k, udc_cnt;
757 int ret;
758 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
759
760 i = 0;
761 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
762 i++;
763 if (i == NF_BR_NUMHOOKS) {
764 BUGPRINT("No valid hooks specified\n");
765 return -EINVAL;
766 }
767 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
768 BUGPRINT("Chains don't start at beginning\n");
769 return -EINVAL;
770 }
771 /* make sure chains are ordered after each other in same order
772 as their corresponding hooks */
773 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
774 if (!(repl->valid_hooks & (1 << j)))
775 continue;
776 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
777 BUGPRINT("Hook order must be followed\n");
778 return -EINVAL;
779 }
780 i = j;
781 }
782
783 for (i = 0; i < NF_BR_NUMHOOKS; i++)
784 newinfo->hook_entry[i] = NULL;
785
786 newinfo->entries_size = repl->entries_size;
787 newinfo->nentries = repl->nentries;
788
789 /* do some early checkings and initialize some things */
790 i = 0; /* holds the expected nr. of entries for the chain */
791 j = 0; /* holds the up to now counted entries for the chain */
792 k = 0; /* holds the total nr. of entries, should equal
793 newinfo->nentries afterwards */
794 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
795 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
796 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
797 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
798 &udc_cnt, repl->valid_hooks);
799
800 if (ret != 0)
801 return ret;
802
803 if (i != j) {
804 BUGPRINT("nentries does not equal the nr of entries in the "
805 "(last) chain\n");
806 return -EINVAL;
807 }
808 if (k != newinfo->nentries) {
809 BUGPRINT("Total nentries is wrong\n");
810 return -EINVAL;
811 }
812
813 /* check if all valid hooks have a chain */
814 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
815 if (newinfo->hook_entry[i] == NULL &&
816 (repl->valid_hooks & (1 << i))) {
817 BUGPRINT("Valid hook without chain\n");
818 return -EINVAL;
819 }
820 }
821
822 /* get the location of the udc, put them in an array
823 while we're at it, allocate the chainstack */
824 if (udc_cnt) {
825 /* this will get free'd in do_replace()/ebt_register_table()
826 if an error occurs */
827 newinfo->chainstack = (struct ebt_chainstack **)
c8923c6b
DM		 828 vmalloc((highest_possible_processor_id()+1)
829 * sizeof(struct ebt_chainstack));
1da177e4
LT		 830 if (!newinfo->chainstack)
831 return -ENOMEM;
c8923c6b 832 for_each_cpu(i) {
1da177e4
LT		 833 newinfo->chainstack[i] =
834 vmalloc(udc_cnt * sizeof(struct ebt_chainstack));
835 if (!newinfo->chainstack[i]) {
836 while (i)
837 vfree(newinfo->chainstack[--i]);
838 vfree(newinfo->chainstack);
839 newinfo->chainstack = NULL;
840 return -ENOMEM;
841 }
842 }
843
844 cl_s = (struct ebt_cl_stack *)
845 vmalloc(udc_cnt * sizeof(struct ebt_cl_stack));
846 if (!cl_s)
847 return -ENOMEM;
848 i = 0; /* the i'th udc */
849 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
850 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
851 repl->valid_hooks, cl_s);
852 /* sanity check */
853 if (i != udc_cnt) {
854 BUGPRINT("i != udc_cnt\n");
855 vfree(cl_s);
856 return -EFAULT;
857 }
858 }
859
860 /* Check for loops */
861 for (i = 0; i < NF_BR_NUMHOOKS; i++)
862 if (repl->valid_hooks & (1 << i))
863 if (check_chainloops(newinfo->hook_entry[i],
864 cl_s, udc_cnt, i, newinfo->entries)) {
68d31872 865 vfree(cl_s);
1da177e4
LT		 866 return -EINVAL;
867 }
868
869