5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18 #include <linux/kmod.h>
19 #include <linux/module.h>
20 #include <linux/vmalloc.h>
21 #include <linux/netfilter/x_tables.h>
22 #include <linux/netfilter_bridge/ebtables.h>
23 #include <linux/spinlock.h>
24 #include <linux/mutex.h>
25 #include <linux/slab.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
38 * Each cpu has its own set of counters, so there is no need for write_lock in
40 * For reading or updating the counters, the user context needs to
44 /* The size of each set of counters is altered to get cache alignment */
45 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
46 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
47 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
48 COUNTER_OFFSET(n) * cpu))
52 static DEFINE_MUTEX(ebt_mutex);
55 static void ebt_standard_compat_from_user(void *dst, const void *src)
57 int v = *(compat_int_t *)src;
60 v += xt_compat_calc_jump(NFPROTO_BRIDGE, v);
61 memcpy(dst, &v, sizeof(v));
64 static int ebt_standard_compat_to_user(void __user *dst, const void *src)
66 compat_int_t cv = *(int *)src;
69 cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv);
70 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
75 static struct xt_target ebt_standard_target = {
78 .family = NFPROTO_BRIDGE,
79 .targetsize = sizeof(int),
81 .compatsize = sizeof(compat_int_t),
82 .compat_from_user = ebt_standard_compat_from_user,
83 .compat_to_user = ebt_standard_compat_to_user,
88 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
89 struct xt_action_param *par)
91 par->target = w->u.watcher;
92 par->targinfo = w->data;
93 w->u.watcher->target(skb, par);
94 /* watchers don't give a verdict */
99 ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
100 struct xt_action_param *par)
102 par->match = m->u.match;
103 par->matchinfo = m->data;
104 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
108 ebt_dev_check(const char *entry, const struct net_device *device)
117 devname = device->name;
118 /* 1 is the wildcard token */
119 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
121 return devname[i] != entry[i] && entry[i] != 1;
124 #define FWINV2(bool, invflg) ((bool) ^ !!(e->invflags & invflg))
125 /* process standard matches */
127 ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
128 const struct net_device *in, const struct net_device *out)
130 const struct ethhdr *h = eth_hdr(skb);
131 const struct net_bridge_port *p;
135 if (vlan_tx_tag_present(skb))
136 ethproto = htons(ETH_P_8021Q);
138 ethproto = h->h_proto;
140 if (e->bitmask & EBT_802_3) {
141 if (FWINV2(ntohs(ethproto) >= ETH_P_802_3_MIN, EBT_IPROTO))
143 } else if (!(e->bitmask & EBT_NOPROTO) &&
144 FWINV2(e->ethproto != ethproto, EBT_IPROTO))
147 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
149 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
151 /* rcu_read_lock()ed by nf_hook_slow */
152 if (in && (p = br_port_get_rcu(in)) != NULL &&
153 FWINV2(ebt_dev_check(e->logical_in, p->br->dev), EBT_ILOGICALIN))
155 if (out && (p = br_port_get_rcu(out)) != NULL &&
156 FWINV2(ebt_dev_check(e->logical_out, p->br->dev), EBT_ILOGICALOUT))
159 if (e->bitmask & EBT_SOURCEMAC) {
161 for (i = 0; i < 6; i++)
162 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
164 if (FWINV2(verdict != 0, EBT_ISOURCE) )
167 if (e->bitmask & EBT_DESTMAC) {
169 for (i = 0; i < 6; i++)
170 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
172 if (FWINV2(verdict != 0, EBT_IDEST) )
179 struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
181 return (void *)entry + entry->next_offset;
184 /* Do some firewalling */
185 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
186 const struct net_device *in, const struct net_device *out,
187 struct ebt_table *table)
190 struct ebt_entry *point;
191 struct ebt_counter *counter_base, *cb_base;
192 const struct ebt_entry_target *t;
194 struct ebt_chainstack *cs;
195 struct ebt_entries *chaininfo;
197 const struct ebt_table_info *private;
198 struct xt_action_param acpar;
200 acpar.family = NFPROTO_BRIDGE;
203 acpar.hotdrop = false;
204 acpar.hooknum = hook;
206 read_lock_bh(&table->lock);
207 private = table->private;
208 cb_base = COUNTER_BASE(private->counters, private->nentries,
210 if (private->chainstack)
211 cs = private->chainstack[smp_processor_id()];
214 chaininfo = private->hook_entry[hook];
215 nentries = private->hook_entry[hook]->nentries;
216 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
217 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
218 /* base for chain jumps */
219 base = private->entries;
221 while (i < nentries) {
222 if (ebt_basic_match(point, skb, in, out))
225 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
228 read_unlock_bh(&table->lock);
232 /* increase counter */
233 (*(counter_base + i)).pcnt++;
234 (*(counter_base + i)).bcnt += skb->len;
236 /* these should only watch: not modify, nor tell us
237 what to do with the packet */
238 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
240 t = (struct ebt_entry_target *)
241 (((char *)point) + point->target_offset);
242 /* standard target */
243 if (!t->u.target->target)
244 verdict = ((struct ebt_standard_target *)t)->verdict;
246 acpar.target = t->u.target;
247 acpar.targinfo = t->data;
248 verdict = t->u.target->target(skb, &acpar);
250 if (verdict == EBT_ACCEPT) {
251 read_unlock_bh(&table->lock);
254 if (verdict == EBT_DROP) {
255 read_unlock_bh(&table->lock);
258 if (verdict == EBT_RETURN) {
260 #ifdef CONFIG_NETFILTER_DEBUG
262 BUGPRINT("RETURN on base chain");
263 /* act like this is EBT_CONTINUE */
268 /* put all the local variables right */
270 chaininfo = cs[sp].chaininfo;
271 nentries = chaininfo->nentries;
273 counter_base = cb_base +
274 chaininfo->counter_offset;
277 if (verdict == EBT_CONTINUE)
279 #ifdef CONFIG_NETFILTER_DEBUG
281 BUGPRINT("bogus standard verdict\n");
282 read_unlock_bh(&table->lock);
288 cs[sp].chaininfo = chaininfo;
289 cs[sp].e = ebt_next_entry(point);
291 chaininfo = (struct ebt_entries *) (base + verdict);
292 #ifdef CONFIG_NETFILTER_DEBUG
293 if (chaininfo->distinguisher) {
294 BUGPRINT("jump to non-chain\n");
295 read_unlock_bh(&table->lock);
299 nentries = chaininfo->nentries;
300 point = (struct ebt_entry *)chaininfo->data;
301 counter_base = cb_base + chaininfo->counter_offset;
305 point = ebt_next_entry(point);
309 /* I actually like this :) */
310 if (chaininfo->policy == EBT_RETURN)
312 if (chaininfo->policy == EBT_ACCEPT) {
313 read_unlock_bh(&table->lock);
316 read_unlock_bh(&table->lock);
320 /* If it succeeds, returns element and locks mutex */
322 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
326 struct list_head list;
327 char name[EBT_FUNCTION_MAXNAMELEN];
331 list_for_each_entry(e, head, list) {
332 if (strcmp(e->name, name) == 0)
341 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
342 int *error, struct mutex *mutex)
344 return try_then_request_module(
345 find_inlist_lock_noload(head, name, error, mutex),
346 "%s%s", prefix, name);
349 static inline struct ebt_table *
350 find_table_lock(struct net *net, const char *name, int *error,
353 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
354 "ebtable_", error, mutex);
358 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
361 const struct ebt_entry *e = par->entryinfo;
362 struct xt_match *match;
363 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
366 if (left < sizeof(struct ebt_entry_match) ||
367 left - sizeof(struct ebt_entry_match) < m->match_size)
370 match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
372 return PTR_ERR(match);
376 par->matchinfo = m->data;
377 ret = xt_check_match(par, m->match_size,
378 e->ethproto, e->invflags & EBT_IPROTO);
380 module_put(match->me);
389 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
392 const struct ebt_entry *e = par->entryinfo;
393 struct xt_target *watcher;
394 size_t left = ((char *)e + e->target_offset) - (char *)w;
397 if (left < sizeof(struct ebt_entry_watcher) ||
398 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
401 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
403 return PTR_ERR(watcher);
404 w->u.watcher = watcher;
406 par->target = watcher;
407 par->targinfo = w->data;
408 ret = xt_check_target(par, w->watcher_size,
409 e->ethproto, e->invflags & EBT_IPROTO);
411 module_put(watcher->me);
419 static int ebt_verify_pointers(const struct ebt_replace *repl,
420 struct ebt_table_info *newinfo)
422 unsigned int limit = repl->entries_size;
423 unsigned int valid_hooks = repl->valid_hooks;
424 unsigned int offset = 0;
427 for (i = 0; i < NF_BR_NUMHOOKS; i++)
428 newinfo->hook_entry[i] = NULL;
430 newinfo->entries_size = repl->entries_size;
431 newinfo->nentries = repl->nentries;
433 while (offset < limit) {
434 size_t left = limit - offset;
435 struct ebt_entry *e = (void *)newinfo->entries + offset;
437 if (left < sizeof(unsigned int))
440 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
441 if ((valid_hooks & (1 << i)) == 0)
443 if ((char __user *)repl->hook_entry[i] ==
444 repl->entries + offset)
448 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
449 if (e->bitmask != 0) {
450 /* we make userspace set this right,
451 so there is no misunderstanding */
452 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
453 "in distinguisher\n");
456 if (i != NF_BR_NUMHOOKS)
457 newinfo->hook_entry[i] = (struct ebt_entries *)e;
458 if (left < sizeof(struct ebt_entries))
460 offset += sizeof(struct ebt_entries);
462 if (left < sizeof(struct ebt_entry))
464 if (left < e->next_offset)
466 if (e->next_offset < sizeof(struct ebt_entry))
468 offset += e->next_offset;
471 if (offset != limit) {
472 BUGPRINT("entries_size too small\n");
476 /* check if all valid hooks have a chain */
477 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
478 if (!newinfo->hook_entry[i] &&
479 (valid_hooks & (1 << i))) {
480 BUGPRINT("Valid hook without chain\n");
488 * this one is very careful, as it is the first function
489 * to parse the userspace data
492 ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
493 const struct ebt_table_info *newinfo,
494 unsigned int *n, unsigned int *cnt,
495 unsigned int *totalcnt, unsigned int *udc_cnt)
499 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
500 if ((void *)e == (void *)newinfo->hook_entry[i])
503 /* beginning of a new chain
504 if i == NF_BR_NUMHOOKS it must be a user defined chain */
505 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
506 /* this checks if the previous chain has as many entries
509 BUGPRINT("nentries does not equal the nr of entries "
513 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
514 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
515 /* only RETURN from udc */
516 if (i != NF_BR_NUMHOOKS ||
517 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
518 BUGPRINT("bad policy\n");
522 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
524 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
525 BUGPRINT("counter_offset != totalcnt");
528 *n = ((struct ebt_entries *)e)->nentries;
532 /* a plain old entry, heh */
533 if (sizeof(struct ebt_entry) > e->watchers_offset ||
534 e->watchers_offset > e->target_offset ||
535 e->target_offset >= e->next_offset) {
536 BUGPRINT("entry offsets not in right order\n");
539 /* this is not checked anywhere else */
540 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
541 BUGPRINT("target size too small\n");
551 struct ebt_chainstack cs;
553 unsigned int hookmask;
557 * we need these positions to check that the jumps to a different part of the
558 * entries is a jump to the beginning of a new chain.
561 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
562 unsigned int *n, struct ebt_cl_stack *udc)
566 /* we're only interested in chain starts */
569 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
570 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
573 /* only care about udc */
574 if (i != NF_BR_NUMHOOKS)
577 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
578 /* these initialisations are depended on later in check_chainloops() */
580 udc[*n].hookmask = 0;
587 ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
589 struct xt_mtdtor_param par;
591 if (i && (*i)-- == 0)
595 par.match = m->u.match;
596 par.matchinfo = m->data;
597 par.family = NFPROTO_BRIDGE;
598 if (par.match->destroy != NULL)
599 par.match->destroy(&par);
600 module_put(par.match->me);
605 ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
607 struct xt_tgdtor_param par;
609 if (i && (*i)-- == 0)
613 par.target = w->u.watcher;
614 par.targinfo = w->data;
615 par.family = NFPROTO_BRIDGE;
616 if (par.target->destroy != NULL)
617 par.target->destroy(&par);
618 module_put(par.target->me);
623 ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
625 struct xt_tgdtor_param par;
626 struct ebt_entry_target *t;
631 if (cnt && (*cnt)-- == 0)
633 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
634 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
635 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
638 par.target = t->u.target;
639 par.targinfo = t->data;
640 par.family = NFPROTO_BRIDGE;
641 if (par.target->destroy != NULL)
642 par.target->destroy(&par);
643 module_put(par.target->me);
648 ebt_check_entry(struct ebt_entry *e, struct net *net,
649 const struct ebt_table_info *newinfo,
650 const char *name, unsigned int *cnt,
651 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
653 struct ebt_entry_target *t;
654 struct xt_target *target;
655 unsigned int i, j, hook = 0, hookmask = 0;
658 struct xt_mtchk_param mtpar;
659 struct xt_tgchk_param tgpar;
661 /* don't mess with the struct ebt_entries */
665 if (e->bitmask & ~EBT_F_MASK) {
666 BUGPRINT("Unknown flag for bitmask\n");
669 if (e->invflags & ~EBT_INV_MASK) {
670 BUGPRINT("Unknown flag for inv bitmask\n");
673 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
674 BUGPRINT("NOPROTO & 802_3 not allowed\n");
677 /* what hook do we belong to? */
678 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
679 if (!newinfo->hook_entry[i])
681 if ((char *)newinfo->hook_entry[i] < (char *)e)
686 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
688 if (i < NF_BR_NUMHOOKS)
689 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
691 for (i = 0; i < udc_cnt; i++)
692 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
695 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
697 hookmask = cl_s[i - 1].hookmask;
701 mtpar.net = tgpar.net = net;
702 mtpar.table = tgpar.table = name;
703 mtpar.entryinfo = tgpar.entryinfo = e;
704 mtpar.hook_mask = tgpar.hook_mask = hookmask;
705 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
706 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
708 goto cleanup_matches;
710 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
712 goto cleanup_watchers;
713 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
714 gap = e->next_offset - e->target_offset;
716 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
717 if (IS_ERR(target)) {
718 ret = PTR_ERR(target);
719 goto cleanup_watchers;
722 t->u.target = target;
723 if (t->u.target == &ebt_standard_target) {
724 if (gap < sizeof(struct ebt_standard_target)) {
725 BUGPRINT("Standard target size too big\n");
727 goto cleanup_watchers;
729 if (((struct ebt_standard_target *)t)->verdict <
730 -NUM_STANDARD_TARGETS) {
731 BUGPRINT("Invalid standard target\n");
733 goto cleanup_watchers;
735 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
736 module_put(t->u.target->me);
738 goto cleanup_watchers;
741 tgpar.target = target;
742 tgpar.targinfo = t->data;
743 ret = xt_check_target(&tgpar, t->target_size,
744 e->ethproto, e->invflags & EBT_IPROTO);
746 module_put(target->me);
747 goto cleanup_watchers;
752 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
754 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
759 * checks for loops and sets the hook mask for udc
760 * the hook mask for udc tells us from which base chains the udc can be
761 * accessed. This mask is a parameter to the check() functions of the extensions
763 static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
764 unsigned int udc_cnt, unsigned int hooknr, char *base)
766 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
767 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
768 const struct ebt_entry_target *t;
770 while (pos < nentries || chain_nr != -1) {
771 /* end of udc, go back one 'recursion' step */
772 if (pos == nentries) {
773 /* put back values of the time when this chain was called */
774 e = cl_s[chain_nr].cs.e;
775 if (cl_s[chain_nr].from != -1)
777 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
779 nentries = chain->nentries;
780 pos = cl_s[chain_nr].cs.n;
781 /* make sure we won't see a loop that isn't one */
782 cl_s[chain_nr].cs.n = 0;
783 chain_nr = cl_s[chain_nr].from;
787 t = (struct ebt_entry_target *)
788 (((char *)e) + e->target_offset);
789 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
791 if (e->target_offset + sizeof(struct ebt_standard_target) >
793 BUGPRINT("Standard target size too big\n");
796 verdict = ((struct ebt_standard_target *)t)->verdict;
797 if (verdict >= 0) { /* jump to another chain */
798 struct ebt_entries *hlp2 =
799 (struct ebt_entries *)(base + verdict);
800 for (i = 0; i < udc_cnt; i++)
801 if (hlp2 == cl_s[i].cs.chaininfo)
803 /* bad destination or loop */
805 BUGPRINT("bad destination\n");
812 if (cl_s[i].hookmask & (1 << hooknr))
814 /* this can't be 0, so the loop test is correct */
815 cl_s[i].cs.n = pos + 1;
817 cl_s[i].cs.e = ebt_next_entry(e);
818 e = (struct ebt_entry *)(hlp2->data);
819 nentries = hlp2->nentries;
820 cl_s[i].from = chain_nr;
822 /* this udc is accessible from the base chain for hooknr */
823 cl_s[i].hookmask |= (1 << hooknr);
827 e = ebt_next_entry(e);
833 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
834 static int translate_table(struct net *net, const char *name,
835 struct ebt_table_info *newinfo)
837 unsigned int i, j, k, udc_cnt;
839 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
842 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
844 if (i == NF_BR_NUMHOOKS) {
845 BUGPRINT("No valid hooks specified\n");
848 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
849 BUGPRINT("Chains don't start at beginning\n");
852 /* make sure chains are ordered after each other in same order
853 as their corresponding hooks */
854 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
855 if (!newinfo->hook_entry[j])
857 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
858 BUGPRINT("Hook order must be followed\n");
864 /* do some early checkings and initialize some things */
865 i = 0; /* holds the expected nr. of entries for the chain */
866 j = 0; /* holds the up to now counted entries for the chain */
867 k = 0; /* holds the total nr. of entries, should equal
868 newinfo->nentries afterwards */
869 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
870 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
871 ebt_check_entry_size_and_hooks, newinfo,
872 &i, &j, &k, &udc_cnt);
878 BUGPRINT("nentries does not equal the nr of entries in the "
882 if (k != newinfo->nentries) {
883 BUGPRINT("Total nentries is wrong\n");
887 /* get the location of the udc, put them in an array
888 while we're at it, allocate the chainstack */
890 /* this will get free'd in do_replace()/ebt_register_table()
891 if an error occurs */
892 newinfo->chainstack =
893 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
894 if (!newinfo->chainstack)
896 for_each_possible_cpu(i) {
897 newinfo->chainstack[i] =
898 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
899 if (!newinfo->chainstack[i]) {
901 vfree(newinfo->chainstack[--i]);
902 vfree(newinfo->chainstack);
903 newinfo->chainstack = NULL;
908 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
911 i = 0; /* the i'th udc */
912 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
913 ebt_get_udc_positions, newinfo, &i, cl_s);
916 BUGPRINT("i != udc_cnt\n");
922 /* Check for loops */
923 for (i = 0; i < NF_BR_NUMHOOKS; i++)
924 if (newinfo->hook_entry[i])
925 if (check_chainloops(newinfo->hook_entry[i],
926 cl_s, udc_cnt, i, newinfo->entries)) {
931 /* we now know the following (along with E=mc²):
932 - the nr of entries in each chain is right
933 - the size of the allocated space is right
934 - all valid hooks have a corresponding chain
936 - wrong data can still be on the level of a single entry
937 - could be there are jumps to places that are not the
938 beginning of a chain. This can only occur in chains that
939 are not accessible from any base chains, so we don't care. */
941 /* used to know what we need to clean up if something goes wrong */
943 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
944 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
946 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
947 ebt_cleanup_entry, net, &i);
953 /* called under write_lock */
954 static void get_counters(const struct ebt_counter *oldcounters,
955 struct ebt_counter *counters, unsigned int nentries)
958 struct ebt_counter *counter_base;
960 /* counters of cpu 0 */
961 memcpy(counters, oldcounters,
962 sizeof(struct ebt_counter) * nentries);
964 /* add other counters to those of cpu 0 */
965 for_each_possible_cpu(cpu) {
968 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
969 for (i = 0; i < nentries; i++) {
970 counters[i].pcnt += counter_base[i].pcnt;
971 counters[i].bcnt += counter_base[i].bcnt;
976 static int do_replace_finish(struct net *net, struct ebt_replace *repl,
977 struct ebt_table_info *newinfo)
980 struct ebt_counter *counterstmp = NULL;
981 /* used to be able to unlock earlier */
982 struct ebt_table_info *table;
985 /* the user wants counters back
986 the check on the size is done later, when we have the lock */
987 if (repl->num_counters) {
988 unsigned long size = repl->num_counters * sizeof(*counterstmp);
989 counterstmp = vmalloc(size);
994 newinfo->chainstack = NULL;
995 ret = ebt_verify_pointers(repl, newinfo);
997 goto free_counterstmp;
999 ret = translate_table(net, repl->name, newinfo);
1002 goto free_counterstmp;
1004 t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
1010 /* the table doesn't like it */
1011 if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
1014 if (repl->num_counters && repl->num_counters != t->private->nentries) {
1015 BUGPRINT("Wrong nr. of counters requested\n");
1020 /* we have the mutex lock, so no danger in reading this pointer */
1022 /* make sure the table can only be rmmod'ed if it contains no rules */
1023 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1026 } else if (table->nentries && !newinfo->nentries)
1028 /* we need an atomic snapshot of the counters */
1029 write_lock_bh(&t->lock);
1030 if (repl->num_counters)
1031 get_counters(t->private->counters, counterstmp,
1032 t->private->nentries);
1034 t->private = newinfo;
1035 write_unlock_bh(&t->lock);
1036 mutex_unlock(&ebt_mutex);
1037 /* so, a user can change the chains while having messed up her counter
1038 allocation. Only reason why this is done is because this way the lock
1039 is held only once, while this doesn't bring the kernel into a
1041 if (repl->num_counters &&
1042 copy_to_user(repl->counters, counterstmp,
1043 repl->num_counters * sizeof(struct ebt_counter))) {
1044 /* Silent error, can't fail, new table is already in place */
1045 net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
1048 /* decrease module count and free resources */
1049 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1050 ebt_cleanup_entry, net, NULL);
1052 vfree(table->entries);
1053 if (table->chainstack) {
1054 for_each_possible_cpu(i)
1055 vfree(table->chainstack[i]);
1056 vfree(table->chainstack);
1064 mutex_unlock(&ebt_mutex);
1066 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1067 ebt_cleanup_entry, net, NULL);
1070 /* can be initialized in translate_table() */
1071 if (newinfo->chainstack) {
1072 for_each_possible_cpu(i)
1073 vfree(newinfo->chainstack[i]);
1074 vfree(newinfo->chainstack);
1079 /* replace the table */
1080 static int do_replace(struct net *net, const void __user *user,
1083 int ret, countersize;
1084 struct ebt_table_info *newinfo;
1085 struct ebt_replace tmp;
1087 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1090 if (len != sizeof(tmp) + tmp.entries_size) {
1091 BUGPRINT("Wrong len argument\n");
1095 if (tmp.entries_size == 0) {
1096 BUGPRINT("Entries_size never zero\n");
1099 /* overflow check */
1100 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
1101 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1103 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1106 tmp.name[sizeof(tmp.name) - 1] = 0;
1108 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1109 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1114 memset(newinfo->counters, 0, countersize);
1116 newinfo->entries = vmalloc(tmp.entries_size);
1117 if (!newinfo->entries) {
1122 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1123 BUGPRINT("Couldn't copy entries from userspace\n");
1128 ret = do_replace_finish(net, &tmp, newinfo);
1132 vfree(newinfo->entries);
1139 ebt_register_table(struct net *net, const struct ebt_table *input_table)
1141 struct ebt_table_info *newinfo;
1142 struct ebt_table *t, *table;
1143 struct ebt_replace_kernel *repl;
1144 int ret, i, countersize;
1147 if (input_table == NULL || (repl = input_table->table) == NULL ||
1148 repl->entries == NULL || repl->entries_size == 0 ||
1149 repl->counters != NULL || input_table->private != NULL) {
1150 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1151 return ERR_PTR(-EINVAL);
1154 /* Don't add one table to multiple lists. */
1155 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1161 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1162 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1167 p = vmalloc(repl->entries_size);
1171 memcpy(p, repl->entries, repl->entries_size);
1172 newinfo->entries = p;
1174 newinfo->entries_size = repl->entries_size;
1175 newinfo->nentries = repl->nentries;
1178 memset(newinfo->counters, 0, countersize);
1180 /* fill in newinfo and parse the entries */
1181 newinfo->chainstack = NULL;
1182 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1183 if ((repl->valid_hooks & (1 << i)) == 0)
1184 newinfo->hook_entry[i] = NULL;
1186 newinfo->hook_entry[i] = p +
1187 ((char *)repl->hook_entry[i] - repl->entries);
1189 ret = translate_table(net, repl->name, newinfo);
1191 BUGPRINT("Translate_table failed\n");
1192 goto free_chainstack;
1195 if (table->check && table->check(newinfo, table->valid_hooks)) {
1196 BUGPRINT("The table doesn't like its own initial data, lol\n");
1198 goto free_chainstack;
1201 table->private = newinfo;
1202 rwlock_init(&table->lock);
1203 mutex_lock(&ebt_mutex);
1204 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1205 if (strcmp(t->name, table->name) == 0) {
1207 BUGPRINT("Table name already exists\n");
1212 /* Hold a reference count if the chains aren't empty */
1213 if (newinfo->nentries && !try_module_get(table->me)) {
1217 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1218 mutex_unlock(&ebt_mutex);
1221 mutex_unlock(&ebt_mutex);
1223 if (newinfo->chainstack) {
1224 for_each_possible_cpu(i)
1225 vfree(newinfo->chainstack[i]);
1226 vfree(newinfo->chainstack);
1228 vfree(newinfo->entries);
1234 return ERR_PTR(ret);
1237 void ebt_unregister_table(struct net *net, struct ebt_table *table)
1242 BUGPRINT("Request to unregister NULL table!!!\n");
1245 mutex_lock(&ebt_mutex);
1246 list_del(&table->list);
1247 mutex_unlock(&ebt_mutex);
1248 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1249 ebt_cleanup_entry, net, NULL);
1250 if (table->private->nentries)
1251 module_put(table->me);
1252 vfree(table->private->entries);
1253 if (table->private->chainstack) {
1254 for_each_possible_cpu(i)
1255 vfree(table->private->chainstack[i]);
1256 vfree(table->private->chainstack);
1258 vfree(table->private);
1262 /* userspace just supplied us with counters */
1263 static int do_update_counters(struct net *net, const char *name,
1264 struct ebt_counter __user *counters,
1265 unsigned int num_counters,
1266 const void __user *user, unsigned int len)
1269 struct ebt_counter *tmp;
1270 struct ebt_table *t;
1272 if (num_counters == 0)
1275 tmp = vmalloc(num_counters * sizeof(*tmp));
1279 t = find_table_lock(net, name, &ret, &ebt_mutex);
1283 if (num_counters != t->private->nentries) {
1284 BUGPRINT("Wrong nr of counters\n");
1289 if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) {
1294 /* we want an atomic add of the counters */
1295 write_lock_bh(&t->lock);
1297 /* we add to the counters of the first cpu */
1298 for (i = 0; i < num_counters; i++) {
1299 t->private->counters[i].pcnt += tmp[i].pcnt;
1300 t->private->counters[i].bcnt += tmp[i].bcnt;
1303 write_unlock_bh(&t->lock);
1306 mutex_unlock(&ebt_mutex);
1312 static int update_counters(struct net *net, const void __user *user,
1315 struct ebt_replace hlp;
1317 if (copy_from_user(&hlp, user, sizeof(hlp)))
1320 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1323 return do_update_counters(net, hlp.name, hlp.counters,
1324 hlp.num_counters, user, len);
1327 static inline int ebt_make_matchname(const struct ebt_entry_match *m,
1328 const char *base, char __user *ubase)
1330 char __user *hlp = ubase + ((char *)m - base);
1331 char name[EBT_FUNCTION_MAXNAMELEN] = {};
1333 /* ebtables expects 32 bytes long names but xt_match names are 29 bytes
1334 long. Copy 29 bytes and fill remaining bytes with zeroes. */
1335 strlcpy(name, m->u.match->name, sizeof(name));
1336 if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
1341 static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
1342 const char *base, char __user *ubase)
1344 char __user *hlp = ubase + ((char *)w - base);
1345 char name[EBT_FUNCTION_MAXNAMELEN] = {};
1347 strlcpy(name, w->u.watcher->name, sizeof(name));
1348 if (copy_to_user(hlp , name, EBT_FUNCTION_MAXNAMELEN))
1354 ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
1358 const struct ebt_entry_target *t;
1359 char name[EBT_FUNCTION_MAXNAMELEN] = {};
1361 if (e->bitmask == 0)
1364 hlp = ubase + (((char *)e + e->target_offset) - base);
1365 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1367 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1370 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1373 strlcpy(name, t->u.target->name, sizeof(name));
1374 if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
1379 static int copy_counters_to_user(struct ebt_table *t,
1380 const struct ebt_counter *oldcounters,
1381 void __user *user, unsigned int num_counters,
1382 unsigned int nentries)
1384 struct ebt_counter *counterstmp;
1387 /* userspace might not need the counters */
1388 if (num_counters == 0)
1391 if (num_counters != nentries) {
1392 BUGPRINT("Num_counters wrong\n");
1396 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1400 write_lock_bh(&t->lock);
1401 get_counters(oldcounters, counterstmp, nentries);
1402 write_unlock_bh(&t->lock);
1404 if (copy_to_user(user, counterstmp,
1405 nentries * sizeof(struct ebt_counter)))
1411 /* called with ebt_mutex locked */
1412 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1413 const int *len, int cmd)
1415 struct ebt_replace tmp;
1416 const struct ebt_counter *oldcounters;
1417 unsigned int entries_size, nentries;
1421 if (cmd == EBT_SO_GET_ENTRIES) {
1422 entries_size = t->private->entries_size;
1423 nentries = t->private->nentries;
1424 entries = t->private->entries;
1425 oldcounters = t->private->counters;
1427 entries_size = t->table->entries_size;
1428 nentries = t->table->nentries;
1429 entries = t->table->entries;
1430 oldcounters = t->table->counters;
1433 if (copy_from_user(&tmp, user, sizeof(tmp)))
1436 if (*len != sizeof(struct ebt_replace) + entries_size +
1437 (tmp.num_counters ? nentries * sizeof(struct ebt_counter) : 0))
1440 if (tmp.nentries != nentries) {
1441 BUGPRINT("Nentries wrong\n");
1445 if (tmp.entries_size != entries_size) {
1446 BUGPRINT("Wrong size\n");
1450 ret = copy_counters_to_user(t, oldcounters, tmp.counters,
1451 tmp.num_counters, nentries);
1455 if (copy_to_user(tmp.entries, entries, entries_size)) {
1456 BUGPRINT("Couldn't copy entries to userspace\n");
1459 /* set the match/watcher/target names right */
1460 return EBT_ENTRY_ITERATE(entries, entries_size,
1461 ebt_make_names, entries, tmp.entries);
1464 static int do_ebt_set_ctl(struct sock *sk,
1465 int cmd, void __user *user, unsigned int len)
1468 struct net *net = sock_net(sk);
1470 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1474 case EBT_SO_SET_ENTRIES:
1475 ret = do_replace(net, user, len);
1477 case EBT_SO_SET_COUNTERS:
1478 ret = update_counters(net, user, len);
1486 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1489 struct ebt_replace tmp;
1490 struct ebt_table *t;
1491 struct net *net = sock_net(sk);
1493 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1496 if (copy_from_user(&tmp, user, sizeof(tmp)))
1499 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1504 case EBT_SO_GET_INFO:
1505 case EBT_SO_GET_INIT_INFO:
1506 if (*len != sizeof(struct ebt_replace)) {
1508 mutex_unlock(&ebt_mutex);
1511 if (cmd == EBT_SO_GET_INFO) {
1512 tmp.nentries = t->private->nentries;
1513 tmp.entries_size = t->private->entries_size;
1514 tmp.valid_hooks = t->valid_hooks;
1516 tmp.nentries = t->table->nentries;
1517 tmp.entries_size = t->table->entries_size;
1518 tmp.valid_hooks = t->table->valid_hooks;
1520 mutex_unlock(&ebt_mutex);
1521 if (copy_to_user(user, &tmp, *len) != 0) {
1522 BUGPRINT("c2u Didn't work\n");
1529 case EBT_SO_GET_ENTRIES:
1530 case EBT_SO_GET_INIT_ENTRIES:
1531 ret = copy_everything_to_user(t, user, len, cmd);
1532 mutex_unlock(&ebt_mutex);
1536 mutex_unlock(&ebt_mutex);
1543 #ifdef CONFIG_COMPAT
1544 /* 32 bit-userspace compatibility definitions. */
1545 struct compat_ebt_replace {
1546 char name[EBT_TABLE_MAXNAMELEN];
1547 compat_uint_t valid_hooks;
1548 compat_uint_t nentries;
1549 compat_uint_t entries_size;
1550 /* start of the chains */
1551 compat_uptr_t hook_entry[NF_BR_NUMHOOKS];
1552 /* nr of counters userspace expects back */
1553 compat_uint_t num_counters;
1554 /* where the kernel will put the old counters. */
1555 compat_uptr_t counters;
1556 compat_uptr_t entries;
1559 /* struct ebt_entry_match, _target and _watcher have same layout */
1560 struct compat_ebt_entry_mwt {
1562 char name[EBT_FUNCTION_MAXNAMELEN];
1565 compat_uint_t match_size;
1566 compat_uint_t data[0];
1569 /* account for possible padding between match_size and ->data */
1570 static int ebt_compat_entry_padsize(void)
1572 BUILD_BUG_ON(XT_ALIGN(sizeof(struct ebt_entry_match)) <
1573 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)));
1574 return (int) XT_ALIGN(sizeof(struct ebt_entry_match)) -
1575 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt));
1578 static int ebt_compat_match_offset(const struct xt_match *match,
1579 unsigned int userlen)
1582 * ebt_among needs special handling. The kernel .matchsize is
1583 * set to -1 at registration time; at runtime an EBT_ALIGN()ed
1584 * value is expected.
1585 * Example: userspace sends 4500, ebt_among.c wants 4504.
1587 if (unlikely(match->matchsize == -1))
1588 return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen);
1589 return xt_compat_match_offset(match);
1592 static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
1595 const struct xt_match *match = m->u.match;
1596 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1597 int off = ebt_compat_match_offset(match, m->match_size);
1598 compat_uint_t msize = m->match_size - off;
1600 BUG_ON(off >= m->match_size);
1602 if (copy_to_user(cm->u.name, match->name,
1603 strlen(match->name) + 1) || put_user(msize, &cm->match_size))
1606 if (match->compat_to_user) {
1607 if (match->compat_to_user(cm->data, m->data))
1609 } else if (copy_to_user(cm->data, m->data, msize))
1612 *size -= ebt_compat_entry_padsize() + off;
1618 static int compat_target_to_user(struct ebt_entry_target *t,
1619 void __user **dstptr,
1622 const struct xt_target *target = t->u.target;
1623 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1624 int off = xt_compat_target_offset(target);
1625 compat_uint_t tsize = t->target_size - off;
1627 BUG_ON(off >= t->target_size);
1629 if (copy_to_user(cm->u.name, target->name,
1630 strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
1633 if (target->compat_to_user) {
1634 if (target->compat_to_user(cm->data, t->data))
1636 } else if (copy_to_user(cm->data, t->data, tsize))
1639 *size -= ebt_compat_entry_padsize() + off;
1645 static int compat_watcher_to_user(struct ebt_entry_watcher *w,
1646 void __user **dstptr,
1649 return compat_target_to_user((struct ebt_entry_target *)w,
1653 static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr,
1656 struct ebt_entry_target *t;
1657 struct ebt_entry __user *ce;
1658 u32 watchers_offset, target_offset, next_offset;
1659 compat_uint_t origsize;
1662 if (e->bitmask == 0) {
1663 if (*size < sizeof(struct ebt_entries))
1665 if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries)))
1668 *dstptr += sizeof(struct ebt_entries);
1669 *size -= sizeof(struct ebt_entries);
1673 if (*size < sizeof(*ce))
1676 ce = (struct ebt_entry __user *)*dstptr;
1677 if (copy_to_user(ce, e, sizeof(*ce)))
1681 *dstptr += sizeof(*ce);
1683 ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size);
1686 watchers_offset = e->watchers_offset - (origsize - *size);
1688 ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size);
1691 target_offset = e->target_offset - (origsize - *size);
1693 t = (struct ebt_entry_target *) ((char *) e + e->target_offset);
1695 ret = compat_target_to_user(t, dstptr, size);
1698 next_offset = e->next_offset - (origsize - *size);
1700 if (put_user(watchers_offset, &ce->watchers_offset) ||
1701 put_user(target_offset, &ce->target_offset) ||
1702 put_user(next_offset, &ce->next_offset))
1705 *size -= sizeof(*ce);
1709 static int compat_calc_match(struct ebt_entry_match *m, int *off)
1711 *off += ebt_compat_match_offset(m->u.match, m->match_size);
1712 *off += ebt_compat_entry_padsize();
1716 static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off)
1718 *off += xt_compat_target_offset(w->u.watcher);
1719 *off += ebt_compat_entry_padsize();
1723 static int compat_calc_entry(const struct ebt_entry *e,
1724 const struct ebt_table_info *info,
1726 struct compat_ebt_replace *newinfo)
1728 const struct ebt_entry_target *t;
1729 unsigned int entry_offset;
1732 if (e->bitmask == 0)
1736 entry_offset = (void *)e - base;
1738 EBT_MATCH_ITERATE(e, compat_calc_match, &off);
1739 EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off);
1741 t = (const struct ebt_entry_target *) ((char *) e + e->target_offset);
1743 off += xt_compat_target_offset(t->u.target);
1744 off += ebt_compat_entry_padsize();
1746 newinfo->entries_size -= off;
1748 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off);
1752 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1753 const void *hookptr = info->hook_entry[i];
1754 if (info->hook_entry[i] &&
1755 (e < (struct ebt_entry *)(base - hookptr))) {
1756 newinfo->hook_entry[i] -= off;
1757 pr_debug("0x%08X -> 0x%08X\n",
1758 newinfo->hook_entry[i] + off,
1759 newinfo->hook_entry[i]);
1767 static int compat_table_info(const struct ebt_table_info *info,
1768 struct compat_ebt_replace *newinfo)
1770 unsigned int size = info->entries_size;
1771 const void *entries = info->entries;
1773 newinfo->entries_size = size;
1775 xt_compat_init_offsets(NFPROTO_BRIDGE, info->nentries);
1776 return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
1780 static int compat_copy_everything_to_user(struct ebt_table *t,
1781 void __user *user, int *len, int cmd)
1783 struct compat_ebt_replace repl, tmp;
1784 struct ebt_counter *oldcounters;
1785 struct ebt_table_info tinfo;
1789 memset(&tinfo, 0, sizeof(tinfo));
1791 if (cmd == EBT_SO_GET_ENTRIES) {
1792 tinfo.entries_size = t->private->entries_size;
1793 tinfo.nentries = t->private->nentries;
1794 tinfo.entries = t->private->entries;
1795 oldcounters = t->private->counters;
1797 tinfo.entries_size = t->table->entries_size;
1798 tinfo.nentries = t->table->nentries;
1799 tinfo.entries = t->table->entries;
1800 oldcounters = t->table->counters;
1803 if (copy_from_user(&tmp, user, sizeof(tmp)))
1806 if (tmp.nentries != tinfo.nentries ||
1807 (tmp.num_counters && tmp.num_counters != tinfo.nentries))
1810 memcpy(&repl, &tmp, sizeof(repl));
1811 if (cmd == EBT_SO_GET_ENTRIES)
1812 ret = compat_table_info(t->private, &repl);
1814 ret = compat_table_info(&tinfo, &repl);
1818 if (*len != sizeof(tmp) + repl.entries_size +
1819 (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) {
1820 pr_err("wrong size: *len %d, entries_size %u, replsz %d\n",
1821 *len, tinfo.entries_size, repl.entries_size);
1825 /* userspace might not need the counters */
1826 ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters),
1827 tmp.num_counters, tinfo.nentries);
1831 pos = compat_ptr(tmp.entries);
1832 return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size,
1833 compat_copy_entry_to_user, &pos, &tmp.entries_size);
1836 struct ebt_entries_buf_state {
1837 char *buf_kern_start; /* kernel buffer to copy (translated) data to */
1838 u32 buf_kern_len; /* total size of kernel buffer */
1839 u32 buf_kern_offset; /* amount of data copied so far */
1840 u32 buf_user_offset; /* read position in userspace buffer */
1843 static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
1845 state->buf_kern_offset += sz;
1846 return state->buf_kern_offset >= sz ? 0 : -EINVAL;
1849 static int ebt_buf_add(struct ebt_entries_buf_state *state,
1850 void *data, unsigned int sz)
1852 if (state->buf_kern_start == NULL)
1855 BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
1857 memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
1860 state->buf_user_offset += sz;
1861 return ebt_buf_count(state, sz);
1864 static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
1866 char *b = state->buf_kern_start;
1868 BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
1870 if (b != NULL && sz > 0)
1871 memset(b + state->buf_kern_offset, 0, sz);
1872 /* do not adjust ->buf_user_offset here, we added kernel-side padding */
1873 return ebt_buf_count(state, sz);
1882 static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
1883 enum compat_mwt compat_mwt,
1884 struct ebt_entries_buf_state *state,
1885 const unsigned char *base)
1887 char name[EBT_FUNCTION_MAXNAMELEN];
1888 struct xt_match *match;
1889 struct xt_target *wt;
1892 unsigned int size_kern, match_size = mwt->match_size;
1894 strlcpy(name, mwt->u.name, sizeof(name));
1896 if (state->buf_kern_start)
1897 dst = state->buf_kern_start + state->buf_kern_offset;
1899 switch (compat_mwt) {
1900 case EBT_COMPAT_MATCH:
1901 match = xt_request_find_match(NFPROTO_BRIDGE, name, 0);
1903 return PTR_ERR(match);
1905 off = ebt_compat_match_offset(match, match_size);
1907 if (match->compat_from_user)
1908 match->compat_from_user(dst, mwt->data);
1910 memcpy(dst, mwt->data, match_size);
1913 size_kern = match->matchsize;
1914 if (unlikely(size_kern == -1))
1915 size_kern = match_size;
1916 module_put(match->me);
1918 case EBT_COMPAT_WATCHER: /* fallthrough */
1919 case EBT_COMPAT_TARGET:
1920 wt = xt_request_find_target(NFPROTO_BRIDGE, name, 0);
1923 off = xt_compat_target_offset(wt);
1926 if (wt->compat_from_user)
1927 wt->compat_from_user(dst, mwt->data);
1929 memcpy(dst, mwt->data, match_size);
1932 size_kern = wt->targetsize;
1940 state->buf_kern_offset += match_size + off;
1941 state->buf_user_offset += match_size;
1942 pad = XT_ALIGN(size_kern) - size_kern;
1944 if (pad > 0 && dst) {
1945 BUG_ON(state->buf_kern_len <= pad);
1946 BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
1947 memset(dst + size_kern, 0, pad);
1949 return off + match_size;
1953 * return size of all matches, watchers or target, including necessary
1954 * alignment and padding.
1956 static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
1957 unsigned int size_left, enum compat_mwt type,
1958 struct ebt_entries_buf_state *state, const void *base)
1966 buf = (char *) match32;
1968 while (size_left >= sizeof(*match32)) {
1969 struct ebt_entry_match *match_kern;
1972 match_kern = (struct ebt_entry_match *) state->buf_kern_start;
1975 tmp = state->buf_kern_start + state->buf_kern_offset;
1976 match_kern = (struct ebt_entry_match *) tmp;
1978 ret = ebt_buf_add(state, buf, sizeof(*match32));
1981 size_left -= sizeof(*match32);
1983 /* add padding before match->data (if any) */
1984 ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize());
1988 if (match32->match_size > size_left)
1991 size_left -= match32->match_size;
1993 ret = compat_mtw_from_user(match32, type, state, base);
1997 BUG_ON(ret < match32->match_size);
1998 growth += ret - match32->match_size;
1999 growth += ebt_compat_entry_padsize();
2001 buf += sizeof(*match32);
2002 buf += match32->match_size;
2005 match_kern->match_size = ret;
2007 WARN_ON(type == EBT_COMPAT_TARGET && size_left);
2008 match32 = (struct compat_ebt_entry_mwt *) buf;
2014 /* called for all ebt_entry structures. */
2015 static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
2016 unsigned int *total,
2017 struct ebt_entries_buf_state *state)
2019 unsigned int i, j, startoff, new_offset = 0;
2020 /* stores match/watchers/targets & offset of next struct ebt_entry: */
2021 unsigned int offsets[4];
2022 unsigned int *offsets_update = NULL;
2026 if (*total < sizeof(struct ebt_entries))
2029 if (!entry->bitmask) {
2030 *total -= sizeof(struct ebt_entries);
2031 return ebt_buf_add(state, entry, sizeof(struct ebt_entries));
2033 if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
2036 startoff = state->buf_user_offset;
2037 /* pull in most part of ebt_entry, it does not need to be changed. */
2038 ret = ebt_buf_add(state, entry,
2039 offsetof(struct ebt_entry, watchers_offset));
2043 offsets[0] = sizeof(struct ebt_entry); /* matches come first */
2044 memcpy(&offsets[1], &entry->watchers_offset,
2045 sizeof(offsets) - sizeof(offsets[0]));
2047 if (state->buf_kern_start) {
2048 buf_start = state->buf_kern_start + state->buf_kern_offset;
2049 offsets_update = (unsigned int *) buf_start;
2051 ret = ebt_buf_add(state, &offsets[1],
2052 sizeof(offsets) - sizeof(offsets[0]));
2055 buf_start = (char *) entry;
2057 * 0: matches offset, always follows ebt_entry.
2058 * 1: watchers offset, from ebt_entry structure
2059 * 2: target offset, from ebt_entry structure
2060 * 3: next ebt_entry offset, from ebt_entry structure
2062 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
2064 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
2065 struct compat_ebt_entry_mwt *match32;
2067 char *buf = buf_start;
2069 buf = buf_start + offsets[i];
2070 if (offsets[i] > offsets[j])
2073 match32 = (struct compat_ebt_entry_mwt *) buf;
2074 size = offsets[j] - offsets[i];
2075 ret = ebt_size_mwt(match32, size, i, state, base);
2079 if (offsets_update && new_offset) {
2080 pr_debug("change offset %d to %d\n",
2081 offsets_update[i], offsets[j] + new_offset);
2082 offsets_update[i] = offsets[j] + new_offset;
2086 if (state->buf_kern_start == NULL) {
2087 unsigned int offset = buf_start - (char *) base;
2089 ret = xt_compat_add_offset(NFPROTO_BRIDGE, offset, new_offset);
2094 startoff = state->buf_user_offset - startoff;
2096 BUG_ON(*total < startoff);
2102 * repl->entries_size is the size of the ebt_entry blob in userspace.
2103 * It might need more memory when copied to a 64 bit kernel in case
2104 * userspace is 32-bit. So, first task: find out how much memory is needed.
2106 * Called before validation is performed.
2108 static int compat_copy_entries(unsigned char *data, unsigned int size_user,
2109 struct ebt_entries_buf_state *state)
2111 unsigned int size_remaining = size_user;
2114 ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data,
2115 &size_remaining, state);
2119 WARN_ON(size_remaining);
2120 return state->buf_kern_offset;
2124 static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
2125 void __user *user, unsigned int len)
2127 struct compat_ebt_replace tmp;
2130 if (len < sizeof(tmp))
2133 if (copy_from_user(&tmp, user, sizeof(tmp)))
2136 if (len != sizeof(tmp) + tmp.entries_size)
2139 if (tmp.entries_size == 0)
2142 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
2143 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
2145 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
2148 memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
2150 /* starting with hook_entry, 32 vs. 64 bit structures are different */
2151 for (i = 0; i < NF_BR_NUMHOOKS; i++)
2152 repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]);
2154 repl->num_counters = tmp.num_counters;
2155 repl->counters = compat_ptr(tmp.counters);
2156 repl->entries = compat_ptr(tmp.entries);
2160 static int compat_do_replace(struct net *net, void __user *user,
2163 int ret, i, countersize, size64;
2164 struct ebt_table_info *newinfo;
2165 struct ebt_replace tmp;
2166 struct ebt_entries_buf_state state;
2169 ret = compat_copy_ebt_replace_from_user(&tmp, user, len);
2171 /* try real handler in case userland supplied needed padding */
2172 if (ret == -EINVAL && do_replace(net, user, len) == 0)
2177 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
2178 newinfo = vmalloc(sizeof(*newinfo) + countersize);
2183 memset(newinfo->counters, 0, countersize);
2185 memset(&state, 0, sizeof(state));
2187 newinfo->entries = vmalloc(tmp.entries_size);
2188 if (!newinfo->entries) {
2193 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
2198 entries_tmp = newinfo->entries;
2200 xt_compat_lock(NFPROTO_BRIDGE);
2202 xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
2203 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2207 pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n",
2208 tmp.entries_size, state.buf_kern_offset, state.buf_user_offset,
2209 xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size));
2212 newinfo->entries = vmalloc(size64);
2213 if (!newinfo->entries) {
2219 memset(&state, 0, sizeof(state));
2220 state.buf_kern_start = newinfo->entries;
2221 state.buf_kern_len = size64;
2223 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2224 BUG_ON(ret < 0); /* parses same data again */
2227 tmp.entries_size = size64;
2229 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
2230 char __user *usrptr;
2231 if (tmp.hook_entry[i]) {
2233 usrptr = (char __user *) tmp.hook_entry[i];
2234 delta = usrptr - tmp.entries;
2235 usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta);
2236 tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr;
2240 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2241 xt_compat_unlock(NFPROTO_BRIDGE);
2243 ret = do_replace_finish(net, &tmp, newinfo);
2247 vfree(newinfo->entries);
2252 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2253 xt_compat_unlock(NFPROTO_BRIDGE);
2257 static int compat_update_counters(struct net *net, void __user *user,
2260 struct compat_ebt_replace hlp;
2262 if (copy_from_user(&hlp, user, sizeof(hlp)))
2265 /* try real handler in case userland supplied needed padding */
2266 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
2267 return update_counters(net, user, len);
2269 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters),
2270 hlp.num_counters, user, len);
2273 static int compat_do_ebt_set_ctl(struct sock *sk,
2274 int cmd, void __user *user, unsigned int len)
2277 struct net *net = sock_net(sk);
2279 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2283 case EBT_SO_SET_ENTRIES:
2284 ret = compat_do_replace(net, user, len);
2286 case EBT_SO_SET_COUNTERS:
2287 ret = compat_update_counters(net, user, len);
2295 static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
2296 void __user *user, int *len)
2299 struct compat_ebt_replace tmp;
2300 struct ebt_table *t;
2301 struct net *net = sock_net(sk);
2303 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2306 /* try real handler in case userland supplied needed padding */
2307 if ((cmd == EBT_SO_GET_INFO ||
2308 cmd == EBT_SO_GET_INIT_INFO) && *len != sizeof(tmp))
2309 return do_ebt_get_ctl(sk, cmd, user, len);
2311 if (copy_from_user(&tmp, user, sizeof(tmp)))
2314 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
2318 xt_compat_lock(NFPROTO_BRIDGE);
2320 case EBT_SO_GET_INFO:
2321 tmp.nentries = t->private->nentries;
2322 ret = compat_table_info(t->private, &tmp);
2325 tmp.valid_hooks = t->valid_hooks;
2327 if (copy_to_user(user, &tmp, *len) != 0) {
2333 case EBT_SO_GET_INIT_INFO:
2334 tmp.nentries = t->table->nentries;
2335 tmp.entries_size = t->table->entries_size;
2336 tmp.valid_hooks = t->table->valid_hooks;
2338 if (copy_to_user(user, &tmp, *len) != 0) {
2344 case EBT_SO_GET_ENTRIES:
2345 case EBT_SO_GET_INIT_ENTRIES:
2347 * try real handler first in case of userland-side padding.
2348 * in case we are dealing with an 'ordinary' 32 bit binary
2349 * without 64bit compatibility padding, this will fail right
2350 * after copy_from_user when the *len argument is validated.
2352 * the compat_ variant needs to do one pass over the kernel
2353 * data set to adjust for size differences before it the check.
2355 if (copy_everything_to_user(t, user, len, cmd) == 0)
2358 ret = compat_copy_everything_to_user(t, user, len, cmd);
2364 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2365 xt_compat_unlock(NFPROTO_BRIDGE);
2366 mutex_unlock(&ebt_mutex);
2371 static struct nf_sockopt_ops ebt_sockopts = {
2373 .set_optmin = EBT_BASE_CTL,
2374 .set_optmax = EBT_SO_SET_MAX + 1,
2375 .set = do_ebt_set_ctl,
2376 #ifdef CONFIG_COMPAT
2377 .compat_set = compat_do_ebt_set_ctl,
2379 .get_optmin = EBT_BASE_CTL,
2380 .get_optmax = EBT_SO_GET_MAX + 1,
2381 .get = do_ebt_get_ctl,
2382 #ifdef CONFIG_COMPAT
2383 .compat_get = compat_do_ebt_get_ctl,
2385 .owner = THIS_MODULE,
2388 static int __init ebtables_init(void)
2392 ret = xt_register_target(&ebt_standard_target);
2395 ret = nf_register_sockopt(&ebt_sockopts);
2397 xt_unregister_target(&ebt_standard_target);
2401 printk(KERN_INFO "Ebtables v2.0 registered\n");
2405 static void __exit ebtables_fini(void)
2407 nf_unregister_sockopt(&ebt_sockopts);
2408 xt_unregister_target(&ebt_standard_target);
2409 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
2412 EXPORT_SYMBOL(ebt_register_table);
2413 EXPORT_SYMBOL(ebt_unregister_table);
2414 EXPORT_SYMBOL(ebt_do_table);
2415 module_init(ebtables_init);
2416 module_exit(ebtables_fini);
2417 MODULE_LICENSE("GPL");
projects / linux-2.6-block.git / blob