5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18 #include <linux/kmod.h>
19 #include <linux/module.h>
20 #include <linux/vmalloc.h>
21 #include <linux/netfilter/x_tables.h>
22 #include <linux/netfilter_bridge/ebtables.h>
23 #include <linux/spinlock.h>
24 #include <linux/mutex.h>
25 #include <linux/slab.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
38 * Each cpu has its own set of counters, so there is no need for write_lock in
40 * For reading or updating the counters, the user context needs to
44 /* The size of each set of counters is altered to get cache alignment */
45 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
46 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
47 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
48 COUNTER_OFFSET(n) * cpu))
52 static DEFINE_MUTEX(ebt_mutex);
55 static void ebt_standard_compat_from_user(void *dst, const void *src)
57 int v = *(compat_int_t *)src;
60 v += xt_compat_calc_jump(NFPROTO_BRIDGE, v);
61 memcpy(dst, &v, sizeof(v));
64 static int ebt_standard_compat_to_user(void __user *dst, const void *src)
66 compat_int_t cv = *(int *)src;
69 cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv);
70 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
75 static struct xt_target ebt_standard_target = {
78 .family = NFPROTO_BRIDGE,
79 .targetsize = sizeof(int),
81 .compatsize = sizeof(compat_int_t),
82 .compat_from_user = ebt_standard_compat_from_user,
83 .compat_to_user = ebt_standard_compat_to_user,
88 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
89 struct xt_action_param *par)
91 par->target = w->u.watcher;
92 par->targinfo = w->data;
93 w->u.watcher->target(skb, par);
94 /* watchers don't give a verdict */
99 ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
100 struct xt_action_param *par)
102 par->match = m->u.match;
103 par->matchinfo = m->data;
104 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
108 ebt_dev_check(const char *entry, const struct net_device *device)
117 devname = device->name;
118 /* 1 is the wildcard token */
119 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
121 return (devname[i] != entry[i] && entry[i] != 1);
124 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
125 /* process standard matches */
127 ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
128 const struct net_device *in, const struct net_device *out)
130 const struct ethhdr *h = eth_hdr(skb);
131 const struct net_bridge_port *p;
135 if (vlan_tx_tag_present(skb))
136 ethproto = htons(ETH_P_8021Q);
138 ethproto = h->h_proto;
140 if (e->bitmask & EBT_802_3) {
141 if (FWINV2(ntohs(ethproto) >= 1536, EBT_IPROTO))
143 } else if (!(e->bitmask & EBT_NOPROTO) &&
144 FWINV2(e->ethproto != ethproto, EBT_IPROTO))
147 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
149 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
151 /* rcu_read_lock()ed by nf_hook_slow */
152 if (in && (p = br_port_get_rcu(in)) != NULL &&
153 FWINV2(ebt_dev_check(e->logical_in, p->br->dev), EBT_ILOGICALIN))
155 if (out && (p = br_port_get_rcu(out)) != NULL &&
156 FWINV2(ebt_dev_check(e->logical_out, p->br->dev), EBT_ILOGICALOUT))
159 if (e->bitmask & EBT_SOURCEMAC) {
161 for (i = 0; i < 6; i++)
162 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
164 if (FWINV2(verdict != 0, EBT_ISOURCE) )
167 if (e->bitmask & EBT_DESTMAC) {
169 for (i = 0; i < 6; i++)
170 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
172 if (FWINV2(verdict != 0, EBT_IDEST) )
179 struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
181 return (void *)entry + entry->next_offset;
184 /* Do some firewalling */
185 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
186 const struct net_device *in, const struct net_device *out,
187 struct ebt_table *table)
190 struct ebt_entry *point;
191 struct ebt_counter *counter_base, *cb_base;
192 const struct ebt_entry_target *t;
194 struct ebt_chainstack *cs;
195 struct ebt_entries *chaininfo;
197 const struct ebt_table_info *private;
198 struct xt_action_param acpar;
200 acpar.family = NFPROTO_BRIDGE;
203 acpar.hotdrop = false;
204 acpar.hooknum = hook;
206 read_lock_bh(&table->lock);
207 private = table->private;
208 cb_base = COUNTER_BASE(private->counters, private->nentries,
210 if (private->chainstack)
211 cs = private->chainstack[smp_processor_id()];
214 chaininfo = private->hook_entry[hook];
215 nentries = private->hook_entry[hook]->nentries;
216 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
217 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
218 /* base for chain jumps */
219 base = private->entries;
221 while (i < nentries) {
222 if (ebt_basic_match(point, skb, in, out))
225 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
228 read_unlock_bh(&table->lock);
232 /* increase counter */
233 (*(counter_base + i)).pcnt++;
234 (*(counter_base + i)).bcnt += skb->len;
236 /* these should only watch: not modify, nor tell us
237 what to do with the packet */
238 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
240 t = (struct ebt_entry_target *)
241 (((char *)point) + point->target_offset);
242 /* standard target */
243 if (!t->u.target->target)
244 verdict = ((struct ebt_standard_target *)t)->verdict;
246 acpar.target = t->u.target;
247 acpar.targinfo = t->data;
248 verdict = t->u.target->target(skb, &acpar);
250 if (verdict == EBT_ACCEPT) {
251 read_unlock_bh(&table->lock);
254 if (verdict == EBT_DROP) {
255 read_unlock_bh(&table->lock);
258 if (verdict == EBT_RETURN) {
260 #ifdef CONFIG_NETFILTER_DEBUG
262 BUGPRINT("RETURN on base chain");
263 /* act like this is EBT_CONTINUE */
268 /* put all the local variables right */
270 chaininfo = cs[sp].chaininfo;
271 nentries = chaininfo->nentries;
273 counter_base = cb_base +
274 chaininfo->counter_offset;
277 if (verdict == EBT_CONTINUE)
279 #ifdef CONFIG_NETFILTER_DEBUG
281 BUGPRINT("bogus standard verdict\n");
282 read_unlock_bh(&table->lock);
288 cs[sp].chaininfo = chaininfo;
289 cs[sp].e = ebt_next_entry(point);
291 chaininfo = (struct ebt_entries *) (base + verdict);
292 #ifdef CONFIG_NETFILTER_DEBUG
293 if (chaininfo->distinguisher) {
294 BUGPRINT("jump to non-chain\n");
295 read_unlock_bh(&table->lock);
299 nentries = chaininfo->nentries;
300 point = (struct ebt_entry *)chaininfo->data;
301 counter_base = cb_base + chaininfo->counter_offset;
305 point = ebt_next_entry(point);
309 /* I actually like this :) */
310 if (chaininfo->policy == EBT_RETURN)
312 if (chaininfo->policy == EBT_ACCEPT) {
313 read_unlock_bh(&table->lock);
316 read_unlock_bh(&table->lock);
320 /* If it succeeds, returns element and locks mutex */
322 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
326 struct list_head list;
327 char name[EBT_FUNCTION_MAXNAMELEN];
330 *error = mutex_lock_interruptible(mutex);
334 list_for_each_entry(e, head, list) {
335 if (strcmp(e->name, name) == 0)
344 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
345 int *error, struct mutex *mutex)
347 return try_then_request_module(
348 find_inlist_lock_noload(head, name, error, mutex),
349 "%s%s", prefix, name);
352 static inline struct ebt_table *
353 find_table_lock(struct net *net, const char *name, int *error,
356 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
357 "ebtable_", error, mutex);
361 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
364 const struct ebt_entry *e = par->entryinfo;
365 struct xt_match *match;
366 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
369 if (left < sizeof(struct ebt_entry_match) ||
370 left - sizeof(struct ebt_entry_match) < m->match_size)
373 match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
375 return PTR_ERR(match);
379 par->matchinfo = m->data;
380 ret = xt_check_match(par, m->match_size,
381 e->ethproto, e->invflags & EBT_IPROTO);
383 module_put(match->me);
392 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
395 const struct ebt_entry *e = par->entryinfo;
396 struct xt_target *watcher;
397 size_t left = ((char *)e + e->target_offset) - (char *)w;
400 if (left < sizeof(struct ebt_entry_watcher) ||
401 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
404 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
406 return PTR_ERR(watcher);
407 w->u.watcher = watcher;
409 par->target = watcher;
410 par->targinfo = w->data;
411 ret = xt_check_target(par, w->watcher_size,
412 e->ethproto, e->invflags & EBT_IPROTO);
414 module_put(watcher->me);
422 static int ebt_verify_pointers(const struct ebt_replace *repl,
423 struct ebt_table_info *newinfo)
425 unsigned int limit = repl->entries_size;
426 unsigned int valid_hooks = repl->valid_hooks;
427 unsigned int offset = 0;
430 for (i = 0; i < NF_BR_NUMHOOKS; i++)
431 newinfo->hook_entry[i] = NULL;
433 newinfo->entries_size = repl->entries_size;
434 newinfo->nentries = repl->nentries;
436 while (offset < limit) {
437 size_t left = limit - offset;
438 struct ebt_entry *e = (void *)newinfo->entries + offset;
440 if (left < sizeof(unsigned int))
443 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
444 if ((valid_hooks & (1 << i)) == 0)
446 if ((char __user *)repl->hook_entry[i] ==
447 repl->entries + offset)
451 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
452 if (e->bitmask != 0) {
453 /* we make userspace set this right,
454 so there is no misunderstanding */
455 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
456 "in distinguisher\n");
459 if (i != NF_BR_NUMHOOKS)
460 newinfo->hook_entry[i] = (struct ebt_entries *)e;
461 if (left < sizeof(struct ebt_entries))
463 offset += sizeof(struct ebt_entries);
465 if (left < sizeof(struct ebt_entry))
467 if (left < e->next_offset)
469 if (e->next_offset < sizeof(struct ebt_entry))
471 offset += e->next_offset;
474 if (offset != limit) {
475 BUGPRINT("entries_size too small\n");
479 /* check if all valid hooks have a chain */
480 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
481 if (!newinfo->hook_entry[i] &&
482 (valid_hooks & (1 << i))) {
483 BUGPRINT("Valid hook without chain\n");
491 * this one is very careful, as it is the first function
492 * to parse the userspace data
495 ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
496 const struct ebt_table_info *newinfo,
497 unsigned int *n, unsigned int *cnt,
498 unsigned int *totalcnt, unsigned int *udc_cnt)
502 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
503 if ((void *)e == (void *)newinfo->hook_entry[i])
506 /* beginning of a new chain
507 if i == NF_BR_NUMHOOKS it must be a user defined chain */
508 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
509 /* this checks if the previous chain has as many entries
512 BUGPRINT("nentries does not equal the nr of entries "
516 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
517 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
518 /* only RETURN from udc */
519 if (i != NF_BR_NUMHOOKS ||
520 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
521 BUGPRINT("bad policy\n");
525 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
527 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
528 BUGPRINT("counter_offset != totalcnt");
531 *n = ((struct ebt_entries *)e)->nentries;
535 /* a plain old entry, heh */
536 if (sizeof(struct ebt_entry) > e->watchers_offset ||
537 e->watchers_offset > e->target_offset ||
538 e->target_offset >= e->next_offset) {
539 BUGPRINT("entry offsets not in right order\n");
542 /* this is not checked anywhere else */
543 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
544 BUGPRINT("target size too small\n");
554 struct ebt_chainstack cs;
556 unsigned int hookmask;
560 * we need these positions to check that the jumps to a different part of the
561 * entries is a jump to the beginning of a new chain.
564 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
565 unsigned int *n, struct ebt_cl_stack *udc)
569 /* we're only interested in chain starts */
572 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
573 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
576 /* only care about udc */
577 if (i != NF_BR_NUMHOOKS)
580 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
581 /* these initialisations are depended on later in check_chainloops() */
583 udc[*n].hookmask = 0;
590 ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
592 struct xt_mtdtor_param par;
594 if (i && (*i)-- == 0)
598 par.match = m->u.match;
599 par.matchinfo = m->data;
600 par.family = NFPROTO_BRIDGE;
601 if (par.match->destroy != NULL)
602 par.match->destroy(&par);
603 module_put(par.match->me);
608 ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
610 struct xt_tgdtor_param par;
612 if (i && (*i)-- == 0)
616 par.target = w->u.watcher;
617 par.targinfo = w->data;
618 par.family = NFPROTO_BRIDGE;
619 if (par.target->destroy != NULL)
620 par.target->destroy(&par);
621 module_put(par.target->me);
626 ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
628 struct xt_tgdtor_param par;
629 struct ebt_entry_target *t;
634 if (cnt && (*cnt)-- == 0)
636 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
637 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
638 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
641 par.target = t->u.target;
642 par.targinfo = t->data;
643 par.family = NFPROTO_BRIDGE;
644 if (par.target->destroy != NULL)
645 par.target->destroy(&par);
646 module_put(par.target->me);
651 ebt_check_entry(struct ebt_entry *e, struct net *net,
652 const struct ebt_table_info *newinfo,
653 const char *name, unsigned int *cnt,
654 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
656 struct ebt_entry_target *t;
657 struct xt_target *target;
658 unsigned int i, j, hook = 0, hookmask = 0;
661 struct xt_mtchk_param mtpar;
662 struct xt_tgchk_param tgpar;
664 /* don't mess with the struct ebt_entries */
668 if (e->bitmask & ~EBT_F_MASK) {
669 BUGPRINT("Unknown flag for bitmask\n");
672 if (e->invflags & ~EBT_INV_MASK) {
673 BUGPRINT("Unknown flag for inv bitmask\n");
676 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
677 BUGPRINT("NOPROTO & 802_3 not allowed\n");
680 /* what hook do we belong to? */
681 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
682 if (!newinfo->hook_entry[i])
684 if ((char *)newinfo->hook_entry[i] < (char *)e)
689 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
691 if (i < NF_BR_NUMHOOKS)
692 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
694 for (i = 0; i < udc_cnt; i++)
695 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
698 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
700 hookmask = cl_s[i - 1].hookmask;
704 mtpar.net = tgpar.net = net;
705 mtpar.table = tgpar.table = name;
706 mtpar.entryinfo = tgpar.entryinfo = e;
707 mtpar.hook_mask = tgpar.hook_mask = hookmask;
708 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
709 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
711 goto cleanup_matches;
713 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
715 goto cleanup_watchers;
716 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
717 gap = e->next_offset - e->target_offset;
719 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
720 if (IS_ERR(target)) {
721 ret = PTR_ERR(target);
722 goto cleanup_watchers;
725 t->u.target = target;
726 if (t->u.target == &ebt_standard_target) {
727 if (gap < sizeof(struct ebt_standard_target)) {
728 BUGPRINT("Standard target size too big\n");
730 goto cleanup_watchers;
732 if (((struct ebt_standard_target *)t)->verdict <
733 -NUM_STANDARD_TARGETS) {
734 BUGPRINT("Invalid standard target\n");
736 goto cleanup_watchers;
738 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
739 module_put(t->u.target->me);
741 goto cleanup_watchers;
744 tgpar.target = target;
745 tgpar.targinfo = t->data;
746 ret = xt_check_target(&tgpar, t->target_size,
747 e->ethproto, e->invflags & EBT_IPROTO);
749 module_put(target->me);
750 goto cleanup_watchers;
755 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
757 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
762 * checks for loops and sets the hook mask for udc
763 * the hook mask for udc tells us from which base chains the udc can be
764 * accessed. This mask is a parameter to the check() functions of the extensions
766 static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
767 unsigned int udc_cnt, unsigned int hooknr, char *base)
769 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
770 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
771 const struct ebt_entry_target *t;
773 while (pos < nentries || chain_nr != -1) {
774 /* end of udc, go back one 'recursion' step */
775 if (pos == nentries) {
776 /* put back values of the time when this chain was called */
777 e = cl_s[chain_nr].cs.e;
778 if (cl_s[chain_nr].from != -1)
780 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
782 nentries = chain->nentries;
783 pos = cl_s[chain_nr].cs.n;
784 /* make sure we won't see a loop that isn't one */
785 cl_s[chain_nr].cs.n = 0;
786 chain_nr = cl_s[chain_nr].from;
790 t = (struct ebt_entry_target *)
791 (((char *)e) + e->target_offset);
792 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
794 if (e->target_offset + sizeof(struct ebt_standard_target) >
796 BUGPRINT("Standard target size too big\n");
799 verdict = ((struct ebt_standard_target *)t)->verdict;
800 if (verdict >= 0) { /* jump to another chain */
801 struct ebt_entries *hlp2 =
802 (struct ebt_entries *)(base + verdict);
803 for (i = 0; i < udc_cnt; i++)
804 if (hlp2 == cl_s[i].cs.chaininfo)
806 /* bad destination or loop */
808 BUGPRINT("bad destination\n");
815 if (cl_s[i].hookmask & (1 << hooknr))
817 /* this can't be 0, so the loop test is correct */
818 cl_s[i].cs.n = pos + 1;
820 cl_s[i].cs.e = ebt_next_entry(e);
821 e = (struct ebt_entry *)(hlp2->data);
822 nentries = hlp2->nentries;
823 cl_s[i].from = chain_nr;
825 /* this udc is accessible from the base chain for hooknr */
826 cl_s[i].hookmask |= (1 << hooknr);
830 e = ebt_next_entry(e);
836 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
837 static int translate_table(struct net *net, const char *name,
838 struct ebt_table_info *newinfo)
840 unsigned int i, j, k, udc_cnt;
842 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
845 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
847 if (i == NF_BR_NUMHOOKS) {
848 BUGPRINT("No valid hooks specified\n");
851 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
852 BUGPRINT("Chains don't start at beginning\n");
855 /* make sure chains are ordered after each other in same order
856 as their corresponding hooks */
857 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
858 if (!newinfo->hook_entry[j])
860 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
861 BUGPRINT("Hook order must be followed\n");
867 /* do some early checkings and initialize some things */
868 i = 0; /* holds the expected nr. of entries for the chain */
869 j = 0; /* holds the up to now counted entries for the chain */
870 k = 0; /* holds the total nr. of entries, should equal
871 newinfo->nentries afterwards */
872 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
873 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
874 ebt_check_entry_size_and_hooks, newinfo,
875 &i, &j, &k, &udc_cnt);
881 BUGPRINT("nentries does not equal the nr of entries in the "
885 if (k != newinfo->nentries) {
886 BUGPRINT("Total nentries is wrong\n");
890 /* get the location of the udc, put them in an array
891 while we're at it, allocate the chainstack */
893 /* this will get free'd in do_replace()/ebt_register_table()
894 if an error occurs */
895 newinfo->chainstack =
896 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
897 if (!newinfo->chainstack)
899 for_each_possible_cpu(i) {
900 newinfo->chainstack[i] =
901 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
902 if (!newinfo->chainstack[i]) {
904 vfree(newinfo->chainstack[--i]);
905 vfree(newinfo->chainstack);
906 newinfo->chainstack = NULL;
911 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
914 i = 0; /* the i'th udc */
915 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
916 ebt_get_udc_positions, newinfo, &i, cl_s);
919 BUGPRINT("i != udc_cnt\n");
925 /* Check for loops */
926 for (i = 0; i < NF_BR_NUMHOOKS; i++)
927 if (newinfo->hook_entry[i])
928 if (check_chainloops(newinfo->hook_entry[i],
929 cl_s, udc_cnt, i, newinfo->entries)) {
934 /* we now know the following (along with E=mc²):
935 - the nr of entries in each chain is right
936 - the size of the allocated space is right
937 - all valid hooks have a corresponding chain
939 - wrong data can still be on the level of a single entry
940 - could be there are jumps to places that are not the
941 beginning of a chain. This can only occur in chains that
942 are not accessible from any base chains, so we don't care. */
944 /* used to know what we need to clean up if something goes wrong */
946 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
947 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
949 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
950 ebt_cleanup_entry, net, &i);
956 /* called under write_lock */
957 static void get_counters(const struct ebt_counter *oldcounters,
958 struct ebt_counter *counters, unsigned int nentries)
961 struct ebt_counter *counter_base;
963 /* counters of cpu 0 */
964 memcpy(counters, oldcounters,
965 sizeof(struct ebt_counter) * nentries);
967 /* add other counters to those of cpu 0 */
968 for_each_possible_cpu(cpu) {
971 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
972 for (i = 0; i < nentries; i++) {
973 counters[i].pcnt += counter_base[i].pcnt;
974 counters[i].bcnt += counter_base[i].bcnt;
979 static int do_replace_finish(struct net *net, struct ebt_replace *repl,
980 struct ebt_table_info *newinfo)
983 struct ebt_counter *counterstmp = NULL;
984 /* used to be able to unlock earlier */
985 struct ebt_table_info *table;
988 /* the user wants counters back
989 the check on the size is done later, when we have the lock */
990 if (repl->num_counters) {
991 unsigned long size = repl->num_counters * sizeof(*counterstmp);
992 counterstmp = vmalloc(size);
997 newinfo->chainstack = NULL;
998 ret = ebt_verify_pointers(repl, newinfo);
1000 goto free_counterstmp;
1002 ret = translate_table(net, repl->name, newinfo);
1005 goto free_counterstmp;
1007 t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
1013 /* the table doesn't like it */
1014 if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
1017 if (repl->num_counters && repl->num_counters != t->private->nentries) {
1018 BUGPRINT("Wrong nr. of counters requested\n");
1023 /* we have the mutex lock, so no danger in reading this pointer */
1025 /* make sure the table can only be rmmod'ed if it contains no rules */
1026 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1029 } else if (table->nentries && !newinfo->nentries)
1031 /* we need an atomic snapshot of the counters */
1032 write_lock_bh(&t->lock);
1033 if (repl->num_counters)
1034 get_counters(t->private->counters, counterstmp,
1035 t->private->nentries);
1037 t->private = newinfo;
1038 write_unlock_bh(&t->lock);
1039 mutex_unlock(&ebt_mutex);
1040 /* so, a user can change the chains while having messed up her counter
1041 allocation. Only reason why this is done is because this way the lock
1042 is held only once, while this doesn't bring the kernel into a
1044 if (repl->num_counters &&
1045 copy_to_user(repl->counters, counterstmp,
1046 repl->num_counters * sizeof(struct ebt_counter))) {
1052 /* decrease module count and free resources */
1053 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1054 ebt_cleanup_entry, net, NULL);
1056 vfree(table->entries);
1057 if (table->chainstack) {
1058 for_each_possible_cpu(i)
1059 vfree(table->chainstack[i]);
1060 vfree(table->chainstack);
1068 mutex_unlock(&ebt_mutex);
1070 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1071 ebt_cleanup_entry, net, NULL);
1074 /* can be initialized in translate_table() */
1075 if (newinfo->chainstack) {
1076 for_each_possible_cpu(i)
1077 vfree(newinfo->chainstack[i]);
1078 vfree(newinfo->chainstack);
1083 /* replace the table */
1084 static int do_replace(struct net *net, const void __user *user,
1087 int ret, countersize;
1088 struct ebt_table_info *newinfo;
1089 struct ebt_replace tmp;
1091 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1094 if (len != sizeof(tmp) + tmp.entries_size) {
1095 BUGPRINT("Wrong len argument\n");
1099 if (tmp.entries_size == 0) {
1100 BUGPRINT("Entries_size never zero\n");
1103 /* overflow check */
1104 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
1105 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1107 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1110 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1111 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1116 memset(newinfo->counters, 0, countersize);
1118 newinfo->entries = vmalloc(tmp.entries_size);
1119 if (!newinfo->entries) {
1124 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1125 BUGPRINT("Couldn't copy entries from userspace\n");
1130 ret = do_replace_finish(net, &tmp, newinfo);
1134 vfree(newinfo->entries);
1141 ebt_register_table(struct net *net, const struct ebt_table *input_table)
1143 struct ebt_table_info *newinfo;
1144 struct ebt_table *t, *table;
1145 struct ebt_replace_kernel *repl;
1146 int ret, i, countersize;
1149 if (input_table == NULL || (repl = input_table->table) == NULL ||
1150 repl->entries == 0 || repl->entries_size == 0 ||
1151 repl->counters != NULL || input_table->private != NULL) {
1152 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1153 return ERR_PTR(-EINVAL);
1156 /* Don't add one table to multiple lists. */
1157 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1163 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1164 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1169 p = vmalloc(repl->entries_size);
1173 memcpy(p, repl->entries, repl->entries_size);
1174 newinfo->entries = p;
1176 newinfo->entries_size = repl->entries_size;
1177 newinfo->nentries = repl->nentries;
1180 memset(newinfo->counters, 0, countersize);
1182 /* fill in newinfo and parse the entries */
1183 newinfo->chainstack = NULL;
1184 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1185 if ((repl->valid_hooks & (1 << i)) == 0)
1186 newinfo->hook_entry[i] = NULL;
1188 newinfo->hook_entry[i] = p +
1189 ((char *)repl->hook_entry[i] - repl->entries);
1191 ret = translate_table(net, repl->name, newinfo);
1193 BUGPRINT("Translate_table failed\n");
1194 goto free_chainstack;
1197 if (table->check && table->check(newinfo, table->valid_hooks)) {
1198 BUGPRINT("The table doesn't like its own initial data, lol\n");
1199 return ERR_PTR(-EINVAL);
1202 table->private = newinfo;
1203 rwlock_init(&table->lock);
1204 ret = mutex_lock_interruptible(&ebt_mutex);
1206 goto free_chainstack;
1208 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1209 if (strcmp(t->name, table->name) == 0) {
1211 BUGPRINT("Table name already exists\n");
1216 /* Hold a reference count if the chains aren't empty */
1217 if (newinfo->nentries && !try_module_get(table->me)) {
1221 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1222 mutex_unlock(&ebt_mutex);
1225 mutex_unlock(&ebt_mutex);
1227 if (newinfo->chainstack) {
1228 for_each_possible_cpu(i)
1229 vfree(newinfo->chainstack[i]);
1230 vfree(newinfo->chainstack);
1232 vfree(newinfo->entries);
1238 return ERR_PTR(ret);
1241 void ebt_unregister_table(struct net *net, struct ebt_table *table)
1246 BUGPRINT("Request to unregister NULL table!!!\n");
1249 mutex_lock(&ebt_mutex);
1250 list_del(&table->list);
1251 mutex_unlock(&ebt_mutex);
1252 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1253 ebt_cleanup_entry, net, NULL);
1254 if (table->private->nentries)
1255 module_put(table->me);
1256 vfree(table->private->entries);
1257 if (table->private->chainstack) {
1258 for_each_possible_cpu(i)
1259 vfree(table->private->chainstack[i]);
1260 vfree(table->private->chainstack);
1262 vfree(table->private);
1266 /* userspace just supplied us with counters */
1267 static int do_update_counters(struct net *net, const char *name,
1268 struct ebt_counter __user *counters,
1269 unsigned int num_counters,
1270 const void __user *user, unsigned int len)
1273 struct ebt_counter *tmp;
1274 struct ebt_table *t;
1276 if (num_counters == 0)
1279 tmp = vmalloc(num_counters * sizeof(*tmp));
1283 t = find_table_lock(net, name, &ret, &ebt_mutex);
1287 if (num_counters != t->private->nentries) {
1288 BUGPRINT("Wrong nr of counters\n");
1293 if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) {
1298 /* we want an atomic add of the counters */
1299 write_lock_bh(&t->lock);
1301 /* we add to the counters of the first cpu */
1302 for (i = 0; i < num_counters; i++) {
1303 t->private->counters[i].pcnt += tmp[i].pcnt;
1304 t->private->counters[i].bcnt += tmp[i].bcnt;
1307 write_unlock_bh(&t->lock);
1310 mutex_unlock(&ebt_mutex);
1316 static int update_counters(struct net *net, const void __user *user,
1319 struct ebt_replace hlp;
1321 if (copy_from_user(&hlp, user, sizeof(hlp)))
1324 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1327 return do_update_counters(net, hlp.name, hlp.counters,
1328 hlp.num_counters, user, len);
1331 static inline int ebt_make_matchname(const struct ebt_entry_match *m,
1332 const char *base, char __user *ubase)
1334 char __user *hlp = ubase + ((char *)m - base);
1335 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1340 static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
1341 const char *base, char __user *ubase)
1343 char __user *hlp = ubase + ((char *)w - base);
1344 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1350 ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
1354 const struct ebt_entry_target *t;
1356 if (e->bitmask == 0)
1359 hlp = ubase + (((char *)e + e->target_offset) - base);
1360 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1362 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1365 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1368 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1373 static int copy_counters_to_user(struct ebt_table *t,
1374 const struct ebt_counter *oldcounters,
1375 void __user *user, unsigned int num_counters,
1376 unsigned int nentries)
1378 struct ebt_counter *counterstmp;
1381 /* userspace might not need the counters */
1382 if (num_counters == 0)
1385 if (num_counters != nentries) {
1386 BUGPRINT("Num_counters wrong\n");
1390 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1394 write_lock_bh(&t->lock);
1395 get_counters(oldcounters, counterstmp, nentries);
1396 write_unlock_bh(&t->lock);
1398 if (copy_to_user(user, counterstmp,
1399 nentries * sizeof(struct ebt_counter)))
1405 /* called with ebt_mutex locked */
1406 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1407 const int *len, int cmd)
1409 struct ebt_replace tmp;
1410 const struct ebt_counter *oldcounters;
1411 unsigned int entries_size, nentries;
1415 if (cmd == EBT_SO_GET_ENTRIES) {
1416 entries_size = t->private->entries_size;
1417 nentries = t->private->nentries;
1418 entries = t->private->entries;
1419 oldcounters = t->private->counters;
1421 entries_size = t->table->entries_size;
1422 nentries = t->table->nentries;
1423 entries = t->table->entries;
1424 oldcounters = t->table->counters;
1427 if (copy_from_user(&tmp, user, sizeof(tmp)))
1430 if (*len != sizeof(struct ebt_replace) + entries_size +
1431 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0))
1434 if (tmp.nentries != nentries) {
1435 BUGPRINT("Nentries wrong\n");
1439 if (tmp.entries_size != entries_size) {
1440 BUGPRINT("Wrong size\n");
1444 ret = copy_counters_to_user(t, oldcounters, tmp.counters,
1445 tmp.num_counters, nentries);
1449 if (copy_to_user(tmp.entries, entries, entries_size)) {
1450 BUGPRINT("Couldn't copy entries to userspace\n");
1453 /* set the match/watcher/target names right */
1454 return EBT_ENTRY_ITERATE(entries, entries_size,
1455 ebt_make_names, entries, tmp.entries);
1458 static int do_ebt_set_ctl(struct sock *sk,
1459 int cmd, void __user *user, unsigned int len)
1463 if (!capable(CAP_NET_ADMIN))
1467 case EBT_SO_SET_ENTRIES:
1468 ret = do_replace(sock_net(sk), user, len);
1470 case EBT_SO_SET_COUNTERS:
1471 ret = update_counters(sock_net(sk), user, len);
1479 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1482 struct ebt_replace tmp;
1483 struct ebt_table *t;
1485 if (!capable(CAP_NET_ADMIN))
1488 if (copy_from_user(&tmp, user, sizeof(tmp)))
1491 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1496 case EBT_SO_GET_INFO:
1497 case EBT_SO_GET_INIT_INFO:
1498 if (*len != sizeof(struct ebt_replace)){
1500 mutex_unlock(&ebt_mutex);
1503 if (cmd == EBT_SO_GET_INFO) {
1504 tmp.nentries = t->private->nentries;
1505 tmp.entries_size = t->private->entries_size;
1506 tmp.valid_hooks = t->valid_hooks;
1508 tmp.nentries = t->table->nentries;
1509 tmp.entries_size = t->table->entries_size;
1510 tmp.valid_hooks = t->table->valid_hooks;
1512 mutex_unlock(&ebt_mutex);
1513 if (copy_to_user(user, &tmp, *len) != 0){
1514 BUGPRINT("c2u Didn't work\n");
1521 case EBT_SO_GET_ENTRIES:
1522 case EBT_SO_GET_INIT_ENTRIES:
1523 ret = copy_everything_to_user(t, user, len, cmd);
1524 mutex_unlock(&ebt_mutex);
1528 mutex_unlock(&ebt_mutex);
1535 #ifdef CONFIG_COMPAT
1536 /* 32 bit-userspace compatibility definitions. */
1537 struct compat_ebt_replace {
1538 char name[EBT_TABLE_MAXNAMELEN];
1539 compat_uint_t valid_hooks;
1540 compat_uint_t nentries;
1541 compat_uint_t entries_size;
1542 /* start of the chains */
1543 compat_uptr_t hook_entry[NF_BR_NUMHOOKS];
1544 /* nr of counters userspace expects back */
1545 compat_uint_t num_counters;
1546 /* where the kernel will put the old counters. */
1547 compat_uptr_t counters;
1548 compat_uptr_t entries;
1551 /* struct ebt_entry_match, _target and _watcher have same layout */
1552 struct compat_ebt_entry_mwt {
1554 char name[EBT_FUNCTION_MAXNAMELEN];
1557 compat_uint_t match_size;
1558 compat_uint_t data[0];
1561 /* account for possible padding between match_size and ->data */
1562 static int ebt_compat_entry_padsize(void)
1564 BUILD_BUG_ON(XT_ALIGN(sizeof(struct ebt_entry_match)) <
1565 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)));
1566 return (int) XT_ALIGN(sizeof(struct ebt_entry_match)) -
1567 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt));
1570 static int ebt_compat_match_offset(const struct xt_match *match,
1571 unsigned int userlen)
1574 * ebt_among needs special handling. The kernel .matchsize is
1575 * set to -1 at registration time; at runtime an EBT_ALIGN()ed
1576 * value is expected.
1577 * Example: userspace sends 4500, ebt_among.c wants 4504.
1579 if (unlikely(match->matchsize == -1))
1580 return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen);
1581 return xt_compat_match_offset(match);
1584 static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
1587 const struct xt_match *match = m->u.match;
1588 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1589 int off = ebt_compat_match_offset(match, m->match_size);
1590 compat_uint_t msize = m->match_size - off;
1592 BUG_ON(off >= m->match_size);
1594 if (copy_to_user(cm->u.name, match->name,
1595 strlen(match->name) + 1) || put_user(msize, &cm->match_size))
1598 if (match->compat_to_user) {
1599 if (match->compat_to_user(cm->data, m->data))
1601 } else if (copy_to_user(cm->data, m->data, msize))
1604 *size -= ebt_compat_entry_padsize() + off;
1610 static int compat_target_to_user(struct ebt_entry_target *t,
1611 void __user **dstptr,
1614 const struct xt_target *target = t->u.target;
1615 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1616 int off = xt_compat_target_offset(target);
1617 compat_uint_t tsize = t->target_size - off;
1619 BUG_ON(off >= t->target_size);
1621 if (copy_to_user(cm->u.name, target->name,
1622 strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
1625 if (target->compat_to_user) {
1626 if (target->compat_to_user(cm->data, t->data))
1628 } else if (copy_to_user(cm->data, t->data, tsize))
1631 *size -= ebt_compat_entry_padsize() + off;
1637 static int compat_watcher_to_user(struct ebt_entry_watcher *w,
1638 void __user **dstptr,
1641 return compat_target_to_user((struct ebt_entry_target *)w,
1645 static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr,
1648 struct ebt_entry_target *t;
1649 struct ebt_entry __user *ce;
1650 u32 watchers_offset, target_offset, next_offset;
1651 compat_uint_t origsize;
1654 if (e->bitmask == 0) {
1655 if (*size < sizeof(struct ebt_entries))
1657 if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries)))
1660 *dstptr += sizeof(struct ebt_entries);
1661 *size -= sizeof(struct ebt_entries);
1665 if (*size < sizeof(*ce))
1668 ce = (struct ebt_entry __user *)*dstptr;
1669 if (copy_to_user(ce, e, sizeof(*ce)))
1673 *dstptr += sizeof(*ce);
1675 ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size);
1678 watchers_offset = e->watchers_offset - (origsize - *size);
1680 ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size);
1683 target_offset = e->target_offset - (origsize - *size);
1685 t = (struct ebt_entry_target *) ((char *) e + e->target_offset);
1687 ret = compat_target_to_user(t, dstptr, size);
1690 next_offset = e->next_offset - (origsize - *size);
1692 if (put_user(watchers_offset, &ce->watchers_offset) ||
1693 put_user(target_offset, &ce->target_offset) ||
1694 put_user(next_offset, &ce->next_offset))
1697 *size -= sizeof(*ce);
1701 static int compat_calc_match(struct ebt_entry_match *m, int *off)
1703 *off += ebt_compat_match_offset(m->u.match, m->match_size);
1704 *off += ebt_compat_entry_padsize();
1708 static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off)
1710 *off += xt_compat_target_offset(w->u.watcher);
1711 *off += ebt_compat_entry_padsize();
1715 static int compat_calc_entry(const struct ebt_entry *e,
1716 const struct ebt_table_info *info,
1718 struct compat_ebt_replace *newinfo)
1720 const struct ebt_entry_target *t;
1721 unsigned int entry_offset;
1724 if (e->bitmask == 0)
1728 entry_offset = (void *)e - base;
1730 EBT_MATCH_ITERATE(e, compat_calc_match, &off);
1731 EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off);
1733 t = (const struct ebt_entry_target *) ((char *) e + e->target_offset);
1735 off += xt_compat_target_offset(t->u.target);
1736 off += ebt_compat_entry_padsize();
1738 newinfo->entries_size -= off;
1740 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off);
1744 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1745 const void *hookptr = info->hook_entry[i];
1746 if (info->hook_entry[i] &&
1747 (e < (struct ebt_entry *)(base - hookptr))) {
1748 newinfo->hook_entry[i] -= off;
1749 pr_debug("0x%08X -> 0x%08X\n",
1750 newinfo->hook_entry[i] + off,
1751 newinfo->hook_entry[i]);
1759 static int compat_table_info(const struct ebt_table_info *info,
1760 struct compat_ebt_replace *newinfo)
1762 unsigned int size = info->entries_size;
1763 const void *entries = info->entries;
1765 newinfo->entries_size = size;
1767 return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
1771 static int compat_copy_everything_to_user(struct ebt_table *t,
1772 void __user *user, int *len, int cmd)
1774 struct compat_ebt_replace repl, tmp;
1775 struct ebt_counter *oldcounters;
1776 struct ebt_table_info tinfo;
1780 memset(&tinfo, 0, sizeof(tinfo));
1782 if (cmd == EBT_SO_GET_ENTRIES) {
1783 tinfo.entries_size = t->private->entries_size;
1784 tinfo.nentries = t->private->nentries;
1785 tinfo.entries = t->private->entries;
1786 oldcounters = t->private->counters;
1788 tinfo.entries_size = t->table->entries_size;
1789 tinfo.nentries = t->table->nentries;
1790 tinfo.entries = t->table->entries;
1791 oldcounters = t->table->counters;
1794 if (copy_from_user(&tmp, user, sizeof(tmp)))
1797 if (tmp.nentries != tinfo.nentries ||
1798 (tmp.num_counters && tmp.num_counters != tinfo.nentries))
1801 memcpy(&repl, &tmp, sizeof(repl));
1802 if (cmd == EBT_SO_GET_ENTRIES)
1803 ret = compat_table_info(t->private, &repl);
1805 ret = compat_table_info(&tinfo, &repl);
1809 if (*len != sizeof(tmp) + repl.entries_size +
1810 (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) {
1811 pr_err("wrong size: *len %d, entries_size %u, replsz %d\n",
1812 *len, tinfo.entries_size, repl.entries_size);
1816 /* userspace might not need the counters */
1817 ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters),
1818 tmp.num_counters, tinfo.nentries);
1822 pos = compat_ptr(tmp.entries);
1823 return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size,
1824 compat_copy_entry_to_user, &pos, &tmp.entries_size);
1827 struct ebt_entries_buf_state {
1828 char *buf_kern_start; /* kernel buffer to copy (translated) data to */
1829 u32 buf_kern_len; /* total size of kernel buffer */
1830 u32 buf_kern_offset; /* amount of data copied so far */
1831 u32 buf_user_offset; /* read position in userspace buffer */
1834 static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
1836 state->buf_kern_offset += sz;
1837 return state->buf_kern_offset >= sz ? 0 : -EINVAL;
1840 static int ebt_buf_add(struct ebt_entries_buf_state *state,
1841 void *data, unsigned int sz)
1843 if (state->buf_kern_start == NULL)
1846 BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
1848 memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
1851 state->buf_user_offset += sz;
1852 return ebt_buf_count(state, sz);
1855 static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
1857 char *b = state->buf_kern_start;
1859 BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
1861 if (b != NULL && sz > 0)
1862 memset(b + state->buf_kern_offset, 0, sz);
1863 /* do not adjust ->buf_user_offset here, we added kernel-side padding */
1864 return ebt_buf_count(state, sz);
1873 static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
1874 enum compat_mwt compat_mwt,
1875 struct ebt_entries_buf_state *state,
1876 const unsigned char *base)
1878 char name[EBT_FUNCTION_MAXNAMELEN];
1879 struct xt_match *match;
1880 struct xt_target *wt;
1882 int off, pad = 0, ret = 0;
1883 unsigned int size_kern, entry_offset, match_size = mwt->match_size;
1885 strlcpy(name, mwt->u.name, sizeof(name));
1887 if (state->buf_kern_start)
1888 dst = state->buf_kern_start + state->buf_kern_offset;
1890 entry_offset = (unsigned char *) mwt - base;
1891 switch (compat_mwt) {
1892 case EBT_COMPAT_MATCH:
1893 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
1894 name, 0), "ebt_%s", name);
1898 return PTR_ERR(match);
1900 off = ebt_compat_match_offset(match, match_size);
1902 if (match->compat_from_user)
1903 match->compat_from_user(dst, mwt->data);
1905 memcpy(dst, mwt->data, match_size);
1908 size_kern = match->matchsize;
1909 if (unlikely(size_kern == -1))
1910 size_kern = match_size;
1911 module_put(match->me);
1913 case EBT_COMPAT_WATCHER: /* fallthrough */
1914 case EBT_COMPAT_TARGET:
1915 wt = try_then_request_module(xt_find_target(NFPROTO_BRIDGE,
1916 name, 0), "ebt_%s", name);
1921 off = xt_compat_target_offset(wt);
1924 if (wt->compat_from_user)
1925 wt->compat_from_user(dst, mwt->data);
1927 memcpy(dst, mwt->data, match_size);
1930 size_kern = wt->targetsize;
1936 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset,
1937 off + ebt_compat_entry_padsize());
1942 state->buf_kern_offset += match_size + off;
1943 state->buf_user_offset += match_size;
1944 pad = XT_ALIGN(size_kern) - size_kern;
1946 if (pad > 0 && dst) {
1947 BUG_ON(state->buf_kern_len <= pad);
1948 BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
1949 memset(dst + size_kern, 0, pad);
1951 return off + match_size;
1955 * return size of all matches, watchers or target, including necessary
1956 * alignment and padding.
1958 static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
1959 unsigned int size_left, enum compat_mwt type,
1960 struct ebt_entries_buf_state *state, const void *base)
1968 buf = (char *) match32;
1970 while (size_left >= sizeof(*match32)) {
1971 struct ebt_entry_match *match_kern;
1974 match_kern = (struct ebt_entry_match *) state->buf_kern_start;
1977 tmp = state->buf_kern_start + state->buf_kern_offset;
1978 match_kern = (struct ebt_entry_match *) tmp;
1980 ret = ebt_buf_add(state, buf, sizeof(*match32));
1983 size_left -= sizeof(*match32);
1985 /* add padding before match->data (if any) */
1986 ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize());
1990 if (match32->match_size > size_left)
1993 size_left -= match32->match_size;
1995 ret = compat_mtw_from_user(match32, type, state, base);
1999 BUG_ON(ret < match32->match_size);
2000 growth += ret - match32->match_size;
2001 growth += ebt_compat_entry_padsize();
2003 buf += sizeof(*match32);
2004 buf += match32->match_size;
2007 match_kern->match_size = ret;
2009 WARN_ON(type == EBT_COMPAT_TARGET && size_left);
2010 match32 = (struct compat_ebt_entry_mwt *) buf;
2016 #define EBT_COMPAT_WATCHER_ITERATE(e, fn, args...) \
2020 struct compat_ebt_entry_mwt *__watcher; \
2022 for (__i = e->watchers_offset; \
2023 __i < (e)->target_offset; \
2024 __i += __watcher->watcher_size + \
2025 sizeof(struct compat_ebt_entry_mwt)) { \
2026 __watcher = (void *)(e) + __i; \
2027 __ret = fn(__watcher , ## args); \
2032 if (__i != (e)->target_offset) \
2038 #define EBT_COMPAT_MATCH_ITERATE(e, fn, args...) \
2042 struct compat_ebt_entry_mwt *__match; \
2044 for (__i = sizeof(struct ebt_entry); \
2045 __i < (e)->watchers_offset; \
2046 __i += __match->match_size + \
2047 sizeof(struct compat_ebt_entry_mwt)) { \
2048 __match = (void *)(e) + __i; \
2049 __ret = fn(__match , ## args); \
2054 if (__i != (e)->watchers_offset) \
2060 /* called for all ebt_entry structures. */
2061 static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
2062 unsigned int *total,
2063 struct ebt_entries_buf_state *state)
2065 unsigned int i, j, startoff, new_offset = 0;
2066 /* stores match/watchers/targets & offset of next struct ebt_entry: */
2067 unsigned int offsets[4];
2068 unsigned int *offsets_update = NULL;
2072 if (*total < sizeof(struct ebt_entries))
2075 if (!entry->bitmask) {
2076 *total -= sizeof(struct ebt_entries);
2077 return ebt_buf_add(state, entry, sizeof(struct ebt_entries));
2079 if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
2082 startoff = state->buf_user_offset;
2083 /* pull in most part of ebt_entry, it does not need to be changed. */
2084 ret = ebt_buf_add(state, entry,
2085 offsetof(struct ebt_entry, watchers_offset));
2089 offsets[0] = sizeof(struct ebt_entry); /* matches come first */
2090 memcpy(&offsets[1], &entry->watchers_offset,
2091 sizeof(offsets) - sizeof(offsets[0]));
2093 if (state->buf_kern_start) {
2094 buf_start = state->buf_kern_start + state->buf_kern_offset;
2095 offsets_update = (unsigned int *) buf_start;
2097 ret = ebt_buf_add(state, &offsets[1],
2098 sizeof(offsets) - sizeof(offsets[0]));
2101 buf_start = (char *) entry;
2103 * 0: matches offset, always follows ebt_entry.
2104 * 1: watchers offset, from ebt_entry structure
2105 * 2: target offset, from ebt_entry structure
2106 * 3: next ebt_entry offset, from ebt_entry structure
2108 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
2110 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
2111 struct compat_ebt_entry_mwt *match32;
2113 char *buf = buf_start;
2115 buf = buf_start + offsets[i];
2116 if (offsets[i] > offsets[j])
2119 match32 = (struct compat_ebt_entry_mwt *) buf;
2120 size = offsets[j] - offsets[i];
2121 ret = ebt_size_mwt(match32, size, i, state, base);
2125 if (offsets_update && new_offset) {
2126 pr_debug("change offset %d to %d\n",
2127 offsets_update[i], offsets[j] + new_offset);
2128 offsets_update[i] = offsets[j] + new_offset;
2132 startoff = state->buf_user_offset - startoff;
2134 BUG_ON(*total < startoff);
2140 * repl->entries_size is the size of the ebt_entry blob in userspace.
2141 * It might need more memory when copied to a 64 bit kernel in case
2142 * userspace is 32-bit. So, first task: find out how much memory is needed.
2144 * Called before validation is performed.
2146 static int compat_copy_entries(unsigned char *data, unsigned int size_user,
2147 struct ebt_entries_buf_state *state)
2149 unsigned int size_remaining = size_user;
2152 ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data,
2153 &size_remaining, state);
2157 WARN_ON(size_remaining);
2158 return state->buf_kern_offset;
2162 static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
2163 void __user *user, unsigned int len)
2165 struct compat_ebt_replace tmp;
2168 if (len < sizeof(tmp))
2171 if (copy_from_user(&tmp, user, sizeof(tmp)))
2174 if (len != sizeof(tmp) + tmp.entries_size)
2177 if (tmp.entries_size == 0)
2180 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
2181 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
2183 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
2186 memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
2188 /* starting with hook_entry, 32 vs. 64 bit structures are different */
2189 for (i = 0; i < NF_BR_NUMHOOKS; i++)
2190 repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]);
2192 repl->num_counters = tmp.num_counters;
2193 repl->counters = compat_ptr(tmp.counters);
2194 repl->entries = compat_ptr(tmp.entries);
2198 static int compat_do_replace(struct net *net, void __user *user,
2201 int ret, i, countersize, size64;
2202 struct ebt_table_info *newinfo;
2203 struct ebt_replace tmp;
2204 struct ebt_entries_buf_state state;
2207 ret = compat_copy_ebt_replace_from_user(&tmp, user, len);
2209 /* try real handler in case userland supplied needed padding */
2210 if (ret == -EINVAL && do_replace(net, user, len) == 0)
2215 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
2216 newinfo = vmalloc(sizeof(*newinfo) + countersize);
2221 memset(newinfo->counters, 0, countersize);
2223 memset(&state, 0, sizeof(state));
2225 newinfo->entries = vmalloc(tmp.entries_size);
2226 if (!newinfo->entries) {
2231 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
2236 entries_tmp = newinfo->entries;
2238 xt_compat_lock(NFPROTO_BRIDGE);
2240 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2244 pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n",
2245 tmp.entries_size, state.buf_kern_offset, state.buf_user_offset,
2246 xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size));
2249 newinfo->entries = vmalloc(size64);
2250 if (!newinfo->entries) {
2256 memset(&state, 0, sizeof(state));
2257 state.buf_kern_start = newinfo->entries;
2258 state.buf_kern_len = size64;
2260 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2261 BUG_ON(ret < 0); /* parses same data again */
2264 tmp.entries_size = size64;
2266 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
2267 char __user *usrptr;
2268 if (tmp.hook_entry[i]) {
2270 usrptr = (char __user *) tmp.hook_entry[i];
2271 delta = usrptr - tmp.entries;
2272 usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta);
2273 tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr;
2277 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2278 xt_compat_unlock(NFPROTO_BRIDGE);
2280 ret = do_replace_finish(net, &tmp, newinfo);
2284 vfree(newinfo->entries);
2289 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2290 xt_compat_unlock(NFPROTO_BRIDGE);
2294 static int compat_update_counters(struct net *net, void __user *user,
2297 struct compat_ebt_replace hlp;
2299 if (copy_from_user(&hlp, user, sizeof(hlp)))
2302 /* try real handler in case userland supplied needed padding */
2303 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
2304 return update_counters(net, user, len);
2306 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters),
2307 hlp.num_counters, user, len);
2310 static int compat_do_ebt_set_ctl(struct sock *sk,
2311 int cmd, void __user *user, unsigned int len)
2315 if (!capable(CAP_NET_ADMIN))
2319 case EBT_SO_SET_ENTRIES:
2320 ret = compat_do_replace(sock_net(sk), user, len);
2322 case EBT_SO_SET_COUNTERS:
2323 ret = compat_update_counters(sock_net(sk), user, len);
2331 static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
2332 void __user *user, int *len)
2335 struct compat_ebt_replace tmp;
2336 struct ebt_table *t;
2338 if (!capable(CAP_NET_ADMIN))
2341 /* try real handler in case userland supplied needed padding */
2342 if ((cmd == EBT_SO_GET_INFO ||
2343 cmd == EBT_SO_GET_INIT_INFO) && *len != sizeof(tmp))
2344 return do_ebt_get_ctl(sk, cmd, user, len);
2346 if (copy_from_user(&tmp, user, sizeof(tmp)))
2349 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
2353 xt_compat_lock(NFPROTO_BRIDGE);
2355 case EBT_SO_GET_INFO:
2356 tmp.nentries = t->private->nentries;
2357 ret = compat_table_info(t->private, &tmp);
2360 tmp.valid_hooks = t->valid_hooks;
2362 if (copy_to_user(user, &tmp, *len) != 0) {
2368 case EBT_SO_GET_INIT_INFO:
2369 tmp.nentries = t->table->nentries;
2370 tmp.entries_size = t->table->entries_size;
2371 tmp.valid_hooks = t->table->valid_hooks;
2373 if (copy_to_user(user, &tmp, *len) != 0) {
2379 case EBT_SO_GET_ENTRIES:
2380 case EBT_SO_GET_INIT_ENTRIES:
2382 * try real handler first in case of userland-side padding.
2383 * in case we are dealing with an 'ordinary' 32 bit binary
2384 * without 64bit compatibility padding, this will fail right
2385 * after copy_from_user when the *len argument is validated.
2387 * the compat_ variant needs to do one pass over the kernel
2388 * data set to adjust for size differences before it the check.
2390 if (copy_everything_to_user(t, user, len, cmd) == 0)
2393 ret = compat_copy_everything_to_user(t, user, len, cmd);
2399 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2400 xt_compat_unlock(NFPROTO_BRIDGE);
2401 mutex_unlock(&ebt_mutex);
2406 static struct nf_sockopt_ops ebt_sockopts =
2409 .set_optmin = EBT_BASE_CTL,
2410 .set_optmax = EBT_SO_SET_MAX + 1,
2411 .set = do_ebt_set_ctl,
2412 #ifdef CONFIG_COMPAT
2413 .compat_set = compat_do_ebt_set_ctl,
2415 .get_optmin = EBT_BASE_CTL,
2416 .get_optmax = EBT_SO_GET_MAX + 1,
2417 .get = do_ebt_get_ctl,
2418 #ifdef CONFIG_COMPAT
2419 .compat_get = compat_do_ebt_get_ctl,
2421 .owner = THIS_MODULE,
2424 static int __init ebtables_init(void)
2428 ret = xt_register_target(&ebt_standard_target);
2431 ret = nf_register_sockopt(&ebt_sockopts);
2433 xt_unregister_target(&ebt_standard_target);
2437 printk(KERN_INFO "Ebtables v2.0 registered\n");
2441 static void __exit ebtables_fini(void)
2443 nf_unregister_sockopt(&ebt_sockopts);
2444 xt_unregister_target(&ebt_standard_target);
2445 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
2448 EXPORT_SYMBOL(ebt_register_table);
2449 EXPORT_SYMBOL(ebt_unregister_table);
2450 EXPORT_SYMBOL(ebt_do_table);
2451 module_init(ebtables_init);
2452 module_exit(ebtables_fini);
2453 MODULE_LICENSE("GPL");
git://bbs.cooldavid.org / net-next-2.6.git / blob