5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is strongly inspired by the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18 #include <linux/kmod.h>
19 #include <linux/module.h>
20 #include <linux/vmalloc.h>
21 #include <linux/netfilter/x_tables.h>
22 #include <linux/netfilter_bridge/ebtables.h>
23 #include <linux/spinlock.h>
24 #include <linux/mutex.h>
25 #include <linux/slab.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
29 #include <linux/audit.h>
31 /* needed for logical [in,out]-dev filtering */
32 #include "../br_private.h"
34 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
35 "report to author: "format, ## args)
36 /* #define BUGPRINT(format, args...) */
38 /* Each cpu has its own set of counters, so there is no need for write_lock in
40 * For reading or updating the counters, the user context needs to
44 /* The size of each set of counters is altered to get cache alignment */
45 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
46 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
47 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
48 COUNTER_OFFSET(n) * cpu))
52 static DEFINE_MUTEX(ebt_mutex);
55 static void ebt_standard_compat_from_user(void *dst, const void *src)
57 int v = *(compat_int_t *)src;
60 v += xt_compat_calc_jump(NFPROTO_BRIDGE, v);
61 memcpy(dst, &v, sizeof(v));
64 static int ebt_standard_compat_to_user(void __user *dst, const void *src)
66 compat_int_t cv = *(int *)src;
69 cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv);
70 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
75 static struct xt_target ebt_standard_target = {
78 .family = NFPROTO_BRIDGE,
79 .targetsize = sizeof(int),
81 .compatsize = sizeof(compat_int_t),
82 .compat_from_user = ebt_standard_compat_from_user,
83 .compat_to_user = ebt_standard_compat_to_user,
88 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
89 struct xt_action_param *par)
91 par->target = w->u.watcher;
92 par->targinfo = w->data;
93 w->u.watcher->target(skb, par);
94 /* watchers don't give a verdict */
99 ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
100 struct xt_action_param *par)
102 par->match = m->u.match;
103 par->matchinfo = m->data;
104 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
108 ebt_dev_check(const char *entry, const struct net_device *device)
117 devname = device->name;
118 /* 1 is the wildcard token */
119 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
121 return devname[i] != entry[i] && entry[i] != 1;
124 /* process standard matches */
126 ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
127 const struct net_device *in, const struct net_device *out)
129 const struct ethhdr *h = eth_hdr(skb);
130 const struct net_bridge_port *p;
133 if (skb_vlan_tag_present(skb))
134 ethproto = htons(ETH_P_8021Q);
136 ethproto = h->h_proto;
138 if (e->bitmask & EBT_802_3) {
139 if (NF_INVF(e, EBT_IPROTO, eth_proto_is_802_3(ethproto)))
141 } else if (!(e->bitmask & EBT_NOPROTO) &&
142 NF_INVF(e, EBT_IPROTO, e->ethproto != ethproto))
145 if (NF_INVF(e, EBT_IIN, ebt_dev_check(e->in, in)))
147 if (NF_INVF(e, EBT_IOUT, ebt_dev_check(e->out, out)))
149 /* rcu_read_lock()ed by nf_hook_thresh */
150 if (in && (p = br_port_get_rcu(in)) != NULL &&
151 NF_INVF(e, EBT_ILOGICALIN,
152 ebt_dev_check(e->logical_in, p->br->dev)))
154 if (out && (p = br_port_get_rcu(out)) != NULL &&
155 NF_INVF(e, EBT_ILOGICALOUT,
156 ebt_dev_check(e->logical_out, p->br->dev)))
159 if (e->bitmask & EBT_SOURCEMAC) {
160 if (NF_INVF(e, EBT_ISOURCE,
161 !ether_addr_equal_masked(h->h_source, e->sourcemac,
165 if (e->bitmask & EBT_DESTMAC) {
166 if (NF_INVF(e, EBT_IDEST,
167 !ether_addr_equal_masked(h->h_dest, e->destmac,
175 struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
177 return (void *)entry + entry->next_offset;
180 /* Do some firewalling */
181 unsigned int ebt_do_table(struct sk_buff *skb,
182 const struct nf_hook_state *state,
183 struct ebt_table *table)
185 unsigned int hook = state->hook;
187 struct ebt_entry *point;
188 struct ebt_counter *counter_base, *cb_base;
189 const struct ebt_entry_target *t;
191 struct ebt_chainstack *cs;
192 struct ebt_entries *chaininfo;
194 const struct ebt_table_info *private;
195 struct xt_action_param acpar;
197 acpar.family = NFPROTO_BRIDGE;
198 acpar.net = state->net;
199 acpar.in = state->in;
200 acpar.out = state->out;
201 acpar.hotdrop = false;
202 acpar.hooknum = hook;
204 read_lock_bh(&table->lock);
205 private = table->private;
206 cb_base = COUNTER_BASE(private->counters, private->nentries,
208 if (private->chainstack)
209 cs = private->chainstack[smp_processor_id()];
212 chaininfo = private->hook_entry[hook];
213 nentries = private->hook_entry[hook]->nentries;
214 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
215 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
216 /* base for chain jumps */
217 base = private->entries;
219 while (i < nentries) {
220 if (ebt_basic_match(point, skb, state->in, state->out))
223 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
226 read_unlock_bh(&table->lock);
230 /* increase counter */
231 (*(counter_base + i)).pcnt++;
232 (*(counter_base + i)).bcnt += skb->len;
234 /* these should only watch: not modify, nor tell us
235 * what to do with the packet
237 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
239 t = (struct ebt_entry_target *)
240 (((char *)point) + point->target_offset);
241 /* standard target */
242 if (!t->u.target->target)
243 verdict = ((struct ebt_standard_target *)t)->verdict;
245 acpar.target = t->u.target;
246 acpar.targinfo = t->data;
247 verdict = t->u.target->target(skb, &acpar);
249 if (verdict == EBT_ACCEPT) {
250 read_unlock_bh(&table->lock);
253 if (verdict == EBT_DROP) {
254 read_unlock_bh(&table->lock);
257 if (verdict == EBT_RETURN) {
259 #ifdef CONFIG_NETFILTER_DEBUG
261 BUGPRINT("RETURN on base chain");
262 /* act like this is EBT_CONTINUE */
267 /* put all the local variables right */
269 chaininfo = cs[sp].chaininfo;
270 nentries = chaininfo->nentries;
272 counter_base = cb_base +
273 chaininfo->counter_offset;
276 if (verdict == EBT_CONTINUE)
278 #ifdef CONFIG_NETFILTER_DEBUG
280 BUGPRINT("bogus standard verdict\n");
281 read_unlock_bh(&table->lock);
287 cs[sp].chaininfo = chaininfo;
288 cs[sp].e = ebt_next_entry(point);
290 chaininfo = (struct ebt_entries *) (base + verdict);
291 #ifdef CONFIG_NETFILTER_DEBUG
292 if (chaininfo->distinguisher) {
293 BUGPRINT("jump to non-chain\n");
294 read_unlock_bh(&table->lock);
298 nentries = chaininfo->nentries;
299 point = (struct ebt_entry *)chaininfo->data;
300 counter_base = cb_base + chaininfo->counter_offset;
304 point = ebt_next_entry(point);
308 /* I actually like this :) */
309 if (chaininfo->policy == EBT_RETURN)
311 if (chaininfo->policy == EBT_ACCEPT) {
312 read_unlock_bh(&table->lock);
315 read_unlock_bh(&table->lock);
319 /* If it succeeds, returns element and locks mutex */
321 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
325 struct list_head list;
326 char name[EBT_FUNCTION_MAXNAMELEN];
330 list_for_each_entry(e, head, list) {
331 if (strcmp(e->name, name) == 0)
340 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
341 int *error, struct mutex *mutex)
343 return try_then_request_module(
344 find_inlist_lock_noload(head, name, error, mutex),
345 "%s%s", prefix, name);
348 static inline struct ebt_table *
349 find_table_lock(struct net *net, const char *name, int *error,
352 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
353 "ebtable_", error, mutex);
357 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
360 const struct ebt_entry *e = par->entryinfo;
361 struct xt_match *match;
362 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
365 if (left < sizeof(struct ebt_entry_match) ||
366 left - sizeof(struct ebt_entry_match) < m->match_size)
369 match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0);
370 if (IS_ERR(match) || match->family != NFPROTO_BRIDGE) {
372 module_put(match->me);
373 request_module("ebt_%s", m->u.name);
374 match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0);
377 return PTR_ERR(match);
381 par->matchinfo = m->data;
382 ret = xt_check_match(par, m->match_size,
383 e->ethproto, e->invflags & EBT_IPROTO);
385 module_put(match->me);
394 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
397 const struct ebt_entry *e = par->entryinfo;
398 struct xt_target *watcher;
399 size_t left = ((char *)e + e->target_offset) - (char *)w;
402 if (left < sizeof(struct ebt_entry_watcher) ||
403 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
406 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
408 return PTR_ERR(watcher);
410 if (watcher->family != NFPROTO_BRIDGE) {
411 module_put(watcher->me);
415 w->u.watcher = watcher;
417 par->target = watcher;
418 par->targinfo = w->data;
419 ret = xt_check_target(par, w->watcher_size,
420 e->ethproto, e->invflags & EBT_IPROTO);
422 module_put(watcher->me);
430 static int ebt_verify_pointers(const struct ebt_replace *repl,
431 struct ebt_table_info *newinfo)
433 unsigned int limit = repl->entries_size;
434 unsigned int valid_hooks = repl->valid_hooks;
435 unsigned int offset = 0;
438 for (i = 0; i < NF_BR_NUMHOOKS; i++)
439 newinfo->hook_entry[i] = NULL;
441 newinfo->entries_size = repl->entries_size;
442 newinfo->nentries = repl->nentries;
444 while (offset < limit) {
445 size_t left = limit - offset;
446 struct ebt_entry *e = (void *)newinfo->entries + offset;
448 if (left < sizeof(unsigned int))
451 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
452 if ((valid_hooks & (1 << i)) == 0)
454 if ((char __user *)repl->hook_entry[i] ==
455 repl->entries + offset)
459 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
460 if (e->bitmask != 0) {
461 /* we make userspace set this right,
462 * so there is no misunderstanding
464 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
465 "in distinguisher\n");
468 if (i != NF_BR_NUMHOOKS)
469 newinfo->hook_entry[i] = (struct ebt_entries *)e;
470 if (left < sizeof(struct ebt_entries))
472 offset += sizeof(struct ebt_entries);
474 if (left < sizeof(struct ebt_entry))
476 if (left < e->next_offset)
478 if (e->next_offset < sizeof(struct ebt_entry))
480 offset += e->next_offset;
483 if (offset != limit) {
484 BUGPRINT("entries_size too small\n");
488 /* check if all valid hooks have a chain */
489 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
490 if (!newinfo->hook_entry[i] &&
491 (valid_hooks & (1 << i))) {
492 BUGPRINT("Valid hook without chain\n");
499 /* this one is very careful, as it is the first function
500 * to parse the userspace data
503 ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
504 const struct ebt_table_info *newinfo,
505 unsigned int *n, unsigned int *cnt,
506 unsigned int *totalcnt, unsigned int *udc_cnt)
510 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
511 if ((void *)e == (void *)newinfo->hook_entry[i])
514 /* beginning of a new chain
515 * if i == NF_BR_NUMHOOKS it must be a user defined chain
517 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
518 /* this checks if the previous chain has as many entries
522 BUGPRINT("nentries does not equal the nr of entries "
526 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
527 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
528 /* only RETURN from udc */
529 if (i != NF_BR_NUMHOOKS ||
530 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
531 BUGPRINT("bad policy\n");
535 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
537 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
538 BUGPRINT("counter_offset != totalcnt");
541 *n = ((struct ebt_entries *)e)->nentries;
545 /* a plain old entry, heh */
546 if (sizeof(struct ebt_entry) > e->watchers_offset ||
547 e->watchers_offset > e->target_offset ||
548 e->target_offset >= e->next_offset) {
549 BUGPRINT("entry offsets not in right order\n");
552 /* this is not checked anywhere else */
553 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
554 BUGPRINT("target size too small\n");
562 struct ebt_cl_stack {
563 struct ebt_chainstack cs;
565 unsigned int hookmask;
568 /* We need these positions to check that the jumps to a different part of the
569 * entries is a jump to the beginning of a new chain.
572 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
573 unsigned int *n, struct ebt_cl_stack *udc)
577 /* we're only interested in chain starts */
580 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
581 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
584 /* only care about udc */
585 if (i != NF_BR_NUMHOOKS)
588 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
589 /* these initialisations are depended on later in check_chainloops() */
591 udc[*n].hookmask = 0;
598 ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
600 struct xt_mtdtor_param par;
602 if (i && (*i)-- == 0)
606 par.match = m->u.match;
607 par.matchinfo = m->data;
608 par.family = NFPROTO_BRIDGE;
609 if (par.match->destroy != NULL)
610 par.match->destroy(&par);
611 module_put(par.match->me);
616 ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
618 struct xt_tgdtor_param par;
620 if (i && (*i)-- == 0)
624 par.target = w->u.watcher;
625 par.targinfo = w->data;
626 par.family = NFPROTO_BRIDGE;
627 if (par.target->destroy != NULL)
628 par.target->destroy(&par);
629 module_put(par.target->me);
634 ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
636 struct xt_tgdtor_param par;
637 struct ebt_entry_target *t;
642 if (cnt && (*cnt)-- == 0)
644 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
645 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
646 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
649 par.target = t->u.target;
650 par.targinfo = t->data;
651 par.family = NFPROTO_BRIDGE;
652 if (par.target->destroy != NULL)
653 par.target->destroy(&par);
654 module_put(par.target->me);
659 ebt_check_entry(struct ebt_entry *e, struct net *net,
660 const struct ebt_table_info *newinfo,
661 const char *name, unsigned int *cnt,
662 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
664 struct ebt_entry_target *t;
665 struct xt_target *target;
666 unsigned int i, j, hook = 0, hookmask = 0;
669 struct xt_mtchk_param mtpar;
670 struct xt_tgchk_param tgpar;
672 /* don't mess with the struct ebt_entries */
676 if (e->bitmask & ~EBT_F_MASK) {
677 BUGPRINT("Unknown flag for bitmask\n");
680 if (e->invflags & ~EBT_INV_MASK) {
681 BUGPRINT("Unknown flag for inv bitmask\n");
684 if ((e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3)) {
685 BUGPRINT("NOPROTO & 802_3 not allowed\n");
688 /* what hook do we belong to? */
689 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
690 if (!newinfo->hook_entry[i])
692 if ((char *)newinfo->hook_entry[i] < (char *)e)
697 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
700 if (i < NF_BR_NUMHOOKS)
701 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
703 for (i = 0; i < udc_cnt; i++)
704 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
707 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
709 hookmask = cl_s[i - 1].hookmask;
713 memset(&mtpar, 0, sizeof(mtpar));
714 memset(&tgpar, 0, sizeof(tgpar));
715 mtpar.net = tgpar.net = net;
716 mtpar.table = tgpar.table = name;
717 mtpar.entryinfo = tgpar.entryinfo = e;
718 mtpar.hook_mask = tgpar.hook_mask = hookmask;
719 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
720 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
722 goto cleanup_matches;
724 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
726 goto cleanup_watchers;
727 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
728 gap = e->next_offset - e->target_offset;
730 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
731 if (IS_ERR(target)) {
732 ret = PTR_ERR(target);
733 goto cleanup_watchers;
736 /* Reject UNSPEC, xtables verdicts/return values are incompatible */
737 if (target->family != NFPROTO_BRIDGE) {
738 module_put(target->me);
740 goto cleanup_watchers;
743 t->u.target = target;
744 if (t->u.target == &ebt_standard_target) {
745 if (gap < sizeof(struct ebt_standard_target)) {
746 BUGPRINT("Standard target size too big\n");
748 goto cleanup_watchers;
750 if (((struct ebt_standard_target *)t)->verdict <
751 -NUM_STANDARD_TARGETS) {
752 BUGPRINT("Invalid standard target\n");
754 goto cleanup_watchers;
756 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
757 module_put(t->u.target->me);
759 goto cleanup_watchers;
762 tgpar.target = target;
763 tgpar.targinfo = t->data;
764 ret = xt_check_target(&tgpar, t->target_size,
765 e->ethproto, e->invflags & EBT_IPROTO);
767 module_put(target->me);
768 goto cleanup_watchers;
773 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
775 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
779 /* checks for loops and sets the hook mask for udc
780 * the hook mask for udc tells us from which base chains the udc can be
781 * accessed. This mask is a parameter to the check() functions of the extensions
783 static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
784 unsigned int udc_cnt, unsigned int hooknr, char *base)
786 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
787 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
788 const struct ebt_entry_target *t;
790 while (pos < nentries || chain_nr != -1) {
791 /* end of udc, go back one 'recursion' step */
792 if (pos == nentries) {
793 /* put back values of the time when this chain was called */
794 e = cl_s[chain_nr].cs.e;
795 if (cl_s[chain_nr].from != -1)
797 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
799 nentries = chain->nentries;
800 pos = cl_s[chain_nr].cs.n;
801 /* make sure we won't see a loop that isn't one */
802 cl_s[chain_nr].cs.n = 0;
803 chain_nr = cl_s[chain_nr].from;
807 t = (struct ebt_entry_target *)
808 (((char *)e) + e->target_offset);
809 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
811 if (e->target_offset + sizeof(struct ebt_standard_target) >
813 BUGPRINT("Standard target size too big\n");
816 verdict = ((struct ebt_standard_target *)t)->verdict;
817 if (verdict >= 0) { /* jump to another chain */
818 struct ebt_entries *hlp2 =
819 (struct ebt_entries *)(base + verdict);
820 for (i = 0; i < udc_cnt; i++)
821 if (hlp2 == cl_s[i].cs.chaininfo)
823 /* bad destination or loop */
825 BUGPRINT("bad destination\n");
832 if (cl_s[i].hookmask & (1 << hooknr))
834 /* this can't be 0, so the loop test is correct */
835 cl_s[i].cs.n = pos + 1;
837 cl_s[i].cs.e = ebt_next_entry(e);
838 e = (struct ebt_entry *)(hlp2->data);
839 nentries = hlp2->nentries;
840 cl_s[i].from = chain_nr;
842 /* this udc is accessible from the base chain for hooknr */
843 cl_s[i].hookmask |= (1 << hooknr);
847 e = ebt_next_entry(e);
853 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
854 static int translate_table(struct net *net, const char *name,
855 struct ebt_table_info *newinfo)
857 unsigned int i, j, k, udc_cnt;
859 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
862 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
864 if (i == NF_BR_NUMHOOKS) {
865 BUGPRINT("No valid hooks specified\n");
868 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
869 BUGPRINT("Chains don't start at beginning\n");
872 /* make sure chains are ordered after each other in same order
873 * as their corresponding hooks
875 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
876 if (!newinfo->hook_entry[j])
878 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
879 BUGPRINT("Hook order must be followed\n");
885 /* do some early checkings and initialize some things */
886 i = 0; /* holds the expected nr. of entries for the chain */
887 j = 0; /* holds the up to now counted entries for the chain */
888 k = 0; /* holds the total nr. of entries, should equal
889 * newinfo->nentries afterwards
891 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
892 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
893 ebt_check_entry_size_and_hooks, newinfo,
894 &i, &j, &k, &udc_cnt);
900 BUGPRINT("nentries does not equal the nr of entries in the "
904 if (k != newinfo->nentries) {
905 BUGPRINT("Total nentries is wrong\n");
909 /* get the location of the udc, put them in an array
910 * while we're at it, allocate the chainstack
913 /* this will get free'd in do_replace()/ebt_register_table()
916 newinfo->chainstack =
917 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
918 if (!newinfo->chainstack)
920 for_each_possible_cpu(i) {
921 newinfo->chainstack[i] =
922 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
923 if (!newinfo->chainstack[i]) {
925 vfree(newinfo->chainstack[--i]);
926 vfree(newinfo->chainstack);
927 newinfo->chainstack = NULL;
932 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
935 i = 0; /* the i'th udc */
936 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
937 ebt_get_udc_positions, newinfo, &i, cl_s);
940 BUGPRINT("i != udc_cnt\n");
946 /* Check for loops */
947 for (i = 0; i < NF_BR_NUMHOOKS; i++)
948 if (newinfo->hook_entry[i])
949 if (check_chainloops(newinfo->hook_entry[i],
950 cl_s, udc_cnt, i, newinfo->entries)) {
955 /* we now know the following (along with E=mc²):
956 * - the nr of entries in each chain is right
957 * - the size of the allocated space is right
958 * - all valid hooks have a corresponding chain
959 * - there are no loops
960 * - wrong data can still be on the level of a single entry
961 * - could be there are jumps to places that are not the
962 * beginning of a chain. This can only occur in chains that
963 * are not accessible from any base chains, so we don't care.
966 /* used to know what we need to clean up if something goes wrong */
968 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
969 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
971 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
972 ebt_cleanup_entry, net, &i);
978 /* called under write_lock */
979 static void get_counters(const struct ebt_counter *oldcounters,
980 struct ebt_counter *counters, unsigned int nentries)
983 struct ebt_counter *counter_base;
985 /* counters of cpu 0 */
986 memcpy(counters, oldcounters,
987 sizeof(struct ebt_counter) * nentries);
989 /* add other counters to those of cpu 0 */
990 for_each_possible_cpu(cpu) {
993 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
994 for (i = 0; i < nentries; i++) {
995 counters[i].pcnt += counter_base[i].pcnt;
996 counters[i].bcnt += counter_base[i].bcnt;
1001 static int do_replace_finish(struct net *net, struct ebt_replace *repl,
1002 struct ebt_table_info *newinfo)
1005 struct ebt_counter *counterstmp = NULL;
1006 /* used to be able to unlock earlier */
1007 struct ebt_table_info *table;
1008 struct ebt_table *t;
1010 /* the user wants counters back
1011 * the check on the size is done later, when we have the lock
1013 if (repl->num_counters) {
1014 unsigned long size = repl->num_counters * sizeof(*counterstmp);
1015 counterstmp = vmalloc(size);
1020 newinfo->chainstack = NULL;
1021 ret = ebt_verify_pointers(repl, newinfo);
1023 goto free_counterstmp;
1025 ret = translate_table(net, repl->name, newinfo);
1028 goto free_counterstmp;
1030 t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
1036 /* the table doesn't like it */
1037 if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
1040 if (repl->num_counters && repl->num_counters != t->private->nentries) {
1041 BUGPRINT("Wrong nr. of counters requested\n");
1046 /* we have the mutex lock, so no danger in reading this pointer */
1048 /* make sure the table can only be rmmod'ed if it contains no rules */
1049 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1052 } else if (table->nentries && !newinfo->nentries)
1054 /* we need an atomic snapshot of the counters */
1055 write_lock_bh(&t->lock);
1056 if (repl->num_counters)
1057 get_counters(t->private->counters, counterstmp,
1058 t->private->nentries);
1060 t->private = newinfo;
1061 write_unlock_bh(&t->lock);
1062 mutex_unlock(&ebt_mutex);
1063 /* so, a user can change the chains while having messed up her counter
1064 * allocation. Only reason why this is done is because this way the lock
1065 * is held only once, while this doesn't bring the kernel into a
1068 if (repl->num_counters &&
1069 copy_to_user(repl->counters, counterstmp,
1070 repl->num_counters * sizeof(struct ebt_counter))) {
1071 /* Silent error, can't fail, new table is already in place */
1072 net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
1075 /* decrease module count and free resources */
1076 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1077 ebt_cleanup_entry, net, NULL);
1079 vfree(table->entries);
1080 if (table->chainstack) {
1081 for_each_possible_cpu(i)
1082 vfree(table->chainstack[i]);
1083 vfree(table->chainstack);
1090 if (audit_enabled) {
1091 struct audit_buffer *ab;
1093 ab = audit_log_start(current->audit_context, GFP_KERNEL,
1094 AUDIT_NETFILTER_CFG);
1096 audit_log_format(ab, "table=%s family=%u entries=%u",
1097 repl->name, AF_BRIDGE, repl->nentries);
1105 mutex_unlock(&ebt_mutex);
1107 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1108 ebt_cleanup_entry, net, NULL);
1111 /* can be initialized in translate_table() */
1112 if (newinfo->chainstack) {
1113 for_each_possible_cpu(i)
1114 vfree(newinfo->chainstack[i]);
1115 vfree(newinfo->chainstack);
1120 /* replace the table */
1121 static int do_replace(struct net *net, const void __user *user,
1124 int ret, countersize;
1125 struct ebt_table_info *newinfo;
1126 struct ebt_replace tmp;
1128 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1131 if (len != sizeof(tmp) + tmp.entries_size) {
1132 BUGPRINT("Wrong len argument\n");
1136 if (tmp.entries_size == 0) {
1137 BUGPRINT("Entries_size never zero\n");
1140 /* overflow check */
1141 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
1142 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1144 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1147 tmp.name[sizeof(tmp.name) - 1] = 0;
1149 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1150 newinfo = __vmalloc(sizeof(*newinfo) + countersize, GFP_KERNEL_ACCOUNT,
1156 memset(newinfo->counters, 0, countersize);
1158 newinfo->entries = __vmalloc(tmp.entries_size, GFP_KERNEL_ACCOUNT,
1160 if (!newinfo->entries) {
1165 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1166 BUGPRINT("Couldn't copy entries from userspace\n");
1171 ret = do_replace_finish(net, &tmp, newinfo);
1175 vfree(newinfo->entries);
1182 ebt_register_table(struct net *net, const struct ebt_table *input_table)
1184 struct ebt_table_info *newinfo;
1185 struct ebt_table *t, *table;
1186 struct ebt_replace_kernel *repl;
1187 int ret, i, countersize;
1190 if (input_table == NULL || (repl = input_table->table) == NULL ||
1191 repl->entries == NULL || repl->entries_size == 0 ||
1192 repl->counters != NULL || input_table->private != NULL) {
1193 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1194 return ERR_PTR(-EINVAL);
1197 /* Don't add one table to multiple lists. */
1198 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1204 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1205 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1210 p = vmalloc(repl->entries_size);
1214 memcpy(p, repl->entries, repl->entries_size);
1215 newinfo->entries = p;
1217 newinfo->entries_size = repl->entries_size;
1218 newinfo->nentries = repl->nentries;
1221 memset(newinfo->counters, 0, countersize);
1223 /* fill in newinfo and parse the entries */
1224 newinfo->chainstack = NULL;
1225 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1226 if ((repl->valid_hooks & (1 << i)) == 0)
1227 newinfo->hook_entry[i] = NULL;
1229 newinfo->hook_entry[i] = p +
1230 ((char *)repl->hook_entry[i] - repl->entries);
1232 ret = translate_table(net, repl->name, newinfo);
1234 BUGPRINT("Translate_table failed\n");
1235 goto free_chainstack;
1238 if (table->check && table->check(newinfo, table->valid_hooks)) {
1239 BUGPRINT("The table doesn't like its own initial data, lol\n");
1241 goto free_chainstack;
1244 table->private = newinfo;
1245 rwlock_init(&table->lock);
1246 mutex_lock(&ebt_mutex);
1247 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1248 if (strcmp(t->name, table->name) == 0) {
1250 BUGPRINT("Table name already exists\n");
1255 /* Hold a reference count if the chains aren't empty */
1256 if (newinfo->nentries && !try_module_get(table->me)) {
1260 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1261 mutex_unlock(&ebt_mutex);
1264 mutex_unlock(&ebt_mutex);
1266 if (newinfo->chainstack) {
1267 for_each_possible_cpu(i)
1268 vfree(newinfo->chainstack[i]);
1269 vfree(newinfo->chainstack);
1271 vfree(newinfo->entries);
1277 return ERR_PTR(ret);
1280 void ebt_unregister_table(struct net *net, struct ebt_table *table)
1285 BUGPRINT("Request to unregister NULL table!!!\n");
1288 mutex_lock(&ebt_mutex);
1289 list_del(&table->list);
1290 mutex_unlock(&ebt_mutex);
1291 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1292 ebt_cleanup_entry, net, NULL);
1293 if (table->private->nentries)
1294 module_put(table->me);
1295 vfree(table->private->entries);
1296 if (table->private->chainstack) {
1297 for_each_possible_cpu(i)
1298 vfree(table->private->chainstack[i]);
1299 vfree(table->private->chainstack);
1301 vfree(table->private);
1305 /* userspace just supplied us with counters */
1306 static int do_update_counters(struct net *net, const char *name,
1307 struct ebt_counter __user *counters,
1308 unsigned int num_counters,
1309 const void __user *user, unsigned int len)
1312 struct ebt_counter *tmp;
1313 struct ebt_table *t;
1315 if (num_counters == 0)
1318 tmp = vmalloc(num_counters * sizeof(*tmp));
1322 t = find_table_lock(net, name, &ret, &ebt_mutex);
1326 if (num_counters != t->private->nentries) {
1327 BUGPRINT("Wrong nr of counters\n");
1332 if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) {
1337 /* we want an atomic add of the counters */
1338 write_lock_bh(&t->lock);
1340 /* we add to the counters of the first cpu */
1341 for (i = 0; i < num_counters; i++) {
1342 t->private->counters[i].pcnt += tmp[i].pcnt;
1343 t->private->counters[i].bcnt += tmp[i].bcnt;
1346 write_unlock_bh(&t->lock);
1349 mutex_unlock(&ebt_mutex);
1355 static int update_counters(struct net *net, const void __user *user,
1358 struct ebt_replace hlp;
1360 if (copy_from_user(&hlp, user, sizeof(hlp)))
1363 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1366 return do_update_counters(net, hlp.name, hlp.counters,
1367 hlp.num_counters, user, len);
1370 static inline int ebt_make_matchname(const struct ebt_entry_match *m,
1371 const char *base, char __user *ubase)
1373 char __user *hlp = ubase + ((char *)m - base);
1374 char name[EBT_FUNCTION_MAXNAMELEN] = {};
1376 /* ebtables expects 32 bytes long names but xt_match names are 29 bytes
1377 * long. Copy 29 bytes and fill remaining bytes with zeroes.
1379 strlcpy(name, m->u.match->name, sizeof(name));
1380 if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
1385 static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
1386 const char *base, char __user *ubase)
1388 char __user *hlp = ubase + ((char *)w - base);
1389 char name[EBT_FUNCTION_MAXNAMELEN] = {};
1391 strlcpy(name, w->u.watcher->name, sizeof(name));
1392 if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
1397 static inline int ebt_make_names(struct ebt_entry *e, const char *base,
1402 const struct ebt_entry_target *t;
1403 char name[EBT_FUNCTION_MAXNAMELEN] = {};
1405 if (e->bitmask == 0)
1408 hlp = ubase + (((char *)e + e->target_offset) - base);
1409 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1411 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1414 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1417 strlcpy(name, t->u.target->name, sizeof(name));
1418 if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
1423 static int copy_counters_to_user(struct ebt_table *t,
1424 const struct ebt_counter *oldcounters,
1425 void __user *user, unsigned int num_counters,
1426 unsigned int nentries)
1428 struct ebt_counter *counterstmp;
1431 /* userspace might not need the counters */
1432 if (num_counters == 0)
1435 if (num_counters != nentries) {
1436 BUGPRINT("Num_counters wrong\n");
1440 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1444 write_lock_bh(&t->lock);
1445 get_counters(oldcounters, counterstmp, nentries);
1446 write_unlock_bh(&t->lock);
1448 if (copy_to_user(user, counterstmp,
1449 nentries * sizeof(struct ebt_counter)))
1455 /* called with ebt_mutex locked */
1456 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1457 const int *len, int cmd)
1459 struct ebt_replace tmp;
1460 const struct ebt_counter *oldcounters;
1461 unsigned int entries_size, nentries;
1465 if (cmd == EBT_SO_GET_ENTRIES) {
1466 entries_size = t->private->entries_size;
1467 nentries = t->private->nentries;
1468 entries = t->private->entries;
1469 oldcounters = t->private->counters;
1471 entries_size = t->table->entries_size;
1472 nentries = t->table->nentries;
1473 entries = t->table->entries;
1474 oldcounters = t->table->counters;
1477 if (copy_from_user(&tmp, user, sizeof(tmp)))
1480 if (*len != sizeof(struct ebt_replace) + entries_size +
1481 (tmp.num_counters ? nentries * sizeof(struct ebt_counter) : 0))
1484 if (tmp.nentries != nentries) {
1485 BUGPRINT("Nentries wrong\n");
1489 if (tmp.entries_size != entries_size) {
1490 BUGPRINT("Wrong size\n");
1494 ret = copy_counters_to_user(t, oldcounters, tmp.counters,
1495 tmp.num_counters, nentries);
1499 if (copy_to_user(tmp.entries, entries, entries_size)) {
1500 BUGPRINT("Couldn't copy entries to userspace\n");
1503 /* set the match/watcher/target names right */
1504 return EBT_ENTRY_ITERATE(entries, entries_size,
1505 ebt_make_names, entries, tmp.entries);
1508 static int do_ebt_set_ctl(struct sock *sk,
1509 int cmd, void __user *user, unsigned int len)
1512 struct net *net = sock_net(sk);
1514 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1518 case EBT_SO_SET_ENTRIES:
1519 ret = do_replace(net, user, len);
1521 case EBT_SO_SET_COUNTERS:
1522 ret = update_counters(net, user, len);
1530 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1533 struct ebt_replace tmp;
1534 struct ebt_table *t;
1535 struct net *net = sock_net(sk);
1537 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1540 if (copy_from_user(&tmp, user, sizeof(tmp)))
1543 tmp.name[sizeof(tmp.name) - 1] = '\0';
1545 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1550 case EBT_SO_GET_INFO:
1551 case EBT_SO_GET_INIT_INFO:
1552 if (*len != sizeof(struct ebt_replace)) {
1554 mutex_unlock(&ebt_mutex);
1557 if (cmd == EBT_SO_GET_INFO) {
1558 tmp.nentries = t->private->nentries;
1559 tmp.entries_size = t->private->entries_size;
1560 tmp.valid_hooks = t->valid_hooks;
1562 tmp.nentries = t->table->nentries;
1563 tmp.entries_size = t->table->entries_size;
1564 tmp.valid_hooks = t->table->valid_hooks;
1566 mutex_unlock(&ebt_mutex);
1567 if (copy_to_user(user, &tmp, *len) != 0) {
1568 BUGPRINT("c2u Didn't work\n");
1575 case EBT_SO_GET_ENTRIES:
1576 case EBT_SO_GET_INIT_ENTRIES:
1577 ret = copy_everything_to_user(t, user, len, cmd);
1578 mutex_unlock(&ebt_mutex);
1582 mutex_unlock(&ebt_mutex);
1589 #ifdef CONFIG_COMPAT
1590 /* 32 bit-userspace compatibility definitions. */
1591 struct compat_ebt_replace {
1592 char name[EBT_TABLE_MAXNAMELEN];
1593 compat_uint_t valid_hooks;
1594 compat_uint_t nentries;
1595 compat_uint_t entries_size;
1596 /* start of the chains */
1597 compat_uptr_t hook_entry[NF_BR_NUMHOOKS];
1598 /* nr of counters userspace expects back */
1599 compat_uint_t num_counters;
1600 /* where the kernel will put the old counters. */
1601 compat_uptr_t counters;
1602 compat_uptr_t entries;
1605 /* struct ebt_entry_match, _target and _watcher have same layout */
1606 struct compat_ebt_entry_mwt {
1608 char name[EBT_FUNCTION_MAXNAMELEN];
1611 compat_uint_t match_size;
1612 compat_uint_t data[0];
1615 /* account for possible padding between match_size and ->data */
1616 static int ebt_compat_entry_padsize(void)
1618 BUILD_BUG_ON(XT_ALIGN(sizeof(struct ebt_entry_match)) <
1619 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)));
1620 return (int) XT_ALIGN(sizeof(struct ebt_entry_match)) -
1621 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt));
1624 static int ebt_compat_match_offset(const struct xt_match *match,
1625 unsigned int userlen)
1627 /* ebt_among needs special handling. The kernel .matchsize is
1628 * set to -1 at registration time; at runtime an EBT_ALIGN()ed
1629 * value is expected.
1630 * Example: userspace sends 4500, ebt_among.c wants 4504.
1632 if (unlikely(match->matchsize == -1))
1633 return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen);
1634 return xt_compat_match_offset(match);
1637 static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
1640 const struct xt_match *match = m->u.match;
1641 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1642 int off = ebt_compat_match_offset(match, m->match_size);
1643 compat_uint_t msize = m->match_size - off;
1645 if (WARN_ON(off >= m->match_size))
1648 if (copy_to_user(cm->u.name, match->name,
1649 strlen(match->name) + 1) || put_user(msize, &cm->match_size))
1652 if (match->compat_to_user) {
1653 if (match->compat_to_user(cm->data, m->data))
1655 } else if (copy_to_user(cm->data, m->data, msize))
1658 *size -= ebt_compat_entry_padsize() + off;
1664 static int compat_target_to_user(struct ebt_entry_target *t,
1665 void __user **dstptr,
1668 const struct xt_target *target = t->u.target;
1669 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1670 int off = xt_compat_target_offset(target);
1671 compat_uint_t tsize = t->target_size - off;
1673 if (WARN_ON(off >= t->target_size))
1676 if (copy_to_user(cm->u.name, target->name,
1677 strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
1680 if (target->compat_to_user) {
1681 if (target->compat_to_user(cm->data, t->data))
1683 } else if (copy_to_user(cm->data, t->data, tsize))
1686 *size -= ebt_compat_entry_padsize() + off;
1692 static int compat_watcher_to_user(struct ebt_entry_watcher *w,
1693 void __user **dstptr,
1696 return compat_target_to_user((struct ebt_entry_target *)w,
1700 static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr,
1703 struct ebt_entry_target *t;
1704 struct ebt_entry __user *ce;
1705 u32 watchers_offset, target_offset, next_offset;
1706 compat_uint_t origsize;
1709 if (e->bitmask == 0) {
1710 if (*size < sizeof(struct ebt_entries))
1712 if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries)))
1715 *dstptr += sizeof(struct ebt_entries);
1716 *size -= sizeof(struct ebt_entries);
1720 if (*size < sizeof(*ce))
1723 ce = (struct ebt_entry __user *)*dstptr;
1724 if (copy_to_user(ce, e, sizeof(*ce)))
1728 *dstptr += sizeof(*ce);
1730 ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size);
1733 watchers_offset = e->watchers_offset - (origsize - *size);
1735 ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size);
1738 target_offset = e->target_offset - (origsize - *size);
1740 t = (struct ebt_entry_target *) ((char *) e + e->target_offset);
1742 ret = compat_target_to_user(t, dstptr, size);
1745 next_offset = e->next_offset - (origsize - *size);
1747 if (put_user(watchers_offset, &ce->watchers_offset) ||
1748 put_user(target_offset, &ce->target_offset) ||
1749 put_user(next_offset, &ce->next_offset))
1752 *size -= sizeof(*ce);
1756 static int compat_calc_match(struct ebt_entry_match *m, int *off)
1758 *off += ebt_compat_match_offset(m->u.match, m->match_size);
1759 *off += ebt_compat_entry_padsize();
1763 static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off)
1765 *off += xt_compat_target_offset(w->u.watcher);
1766 *off += ebt_compat_entry_padsize();
1770 static int compat_calc_entry(const struct ebt_entry *e,
1771 const struct ebt_table_info *info,
1773 struct compat_ebt_replace *newinfo)
1775 const struct ebt_entry_target *t;
1776 unsigned int entry_offset;
1779 if (e->bitmask == 0)
1783 entry_offset = (void *)e - base;
1785 EBT_MATCH_ITERATE(e, compat_calc_match, &off);
1786 EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off);
1788 t = (const struct ebt_entry_target *) ((char *) e + e->target_offset);
1790 off += xt_compat_target_offset(t->u.target);
1791 off += ebt_compat_entry_padsize();
1793 newinfo->entries_size -= off;
1795 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off);
1799 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1800 const void *hookptr = info->hook_entry[i];
1801 if (info->hook_entry[i] &&
1802 (e < (struct ebt_entry *)(base - hookptr))) {
1803 newinfo->hook_entry[i] -= off;
1804 pr_debug("0x%08X -> 0x%08X\n",
1805 newinfo->hook_entry[i] + off,
1806 newinfo->hook_entry[i]);
1814 static int compat_table_info(const struct ebt_table_info *info,
1815 struct compat_ebt_replace *newinfo)
1817 unsigned int size = info->entries_size;
1818 const void *entries = info->entries;
1820 newinfo->entries_size = size;
1822 xt_compat_init_offsets(NFPROTO_BRIDGE, info->nentries);
1823 return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
1827 static int compat_copy_everything_to_user(struct ebt_table *t,
1828 void __user *user, int *len, int cmd)
1830 struct compat_ebt_replace repl, tmp;
1831 struct ebt_counter *oldcounters;
1832 struct ebt_table_info tinfo;
1836 memset(&tinfo, 0, sizeof(tinfo));
1838 if (cmd == EBT_SO_GET_ENTRIES) {
1839 tinfo.entries_size = t->private->entries_size;
1840 tinfo.nentries = t->private->nentries;
1841 tinfo.entries = t->private->entries;
1842 oldcounters = t->private->counters;
1844 tinfo.entries_size = t->table->entries_size;
1845 tinfo.nentries = t->table->nentries;
1846 tinfo.entries = t->table->entries;
1847 oldcounters = t->table->counters;
1850 if (copy_from_user(&tmp, user, sizeof(tmp)))
1853 if (tmp.nentries != tinfo.nentries ||
1854 (tmp.num_counters && tmp.num_counters != tinfo.nentries))
1857 memcpy(&repl, &tmp, sizeof(repl));
1858 if (cmd == EBT_SO_GET_ENTRIES)
1859 ret = compat_table_info(t->private, &repl);
1861 ret = compat_table_info(&tinfo, &repl);
1865 if (*len != sizeof(tmp) + repl.entries_size +
1866 (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) {
1867 pr_err("wrong size: *len %d, entries_size %u, replsz %d\n",
1868 *len, tinfo.entries_size, repl.entries_size);
1872 /* userspace might not need the counters */
1873 ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters),
1874 tmp.num_counters, tinfo.nentries);
1878 pos = compat_ptr(tmp.entries);
1879 return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size,
1880 compat_copy_entry_to_user, &pos, &tmp.entries_size);
1883 struct ebt_entries_buf_state {
1884 char *buf_kern_start; /* kernel buffer to copy (translated) data to */
1885 u32 buf_kern_len; /* total size of kernel buffer */
1886 u32 buf_kern_offset; /* amount of data copied so far */
1887 u32 buf_user_offset; /* read position in userspace buffer */
1890 static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
1892 state->buf_kern_offset += sz;
1893 return state->buf_kern_offset >= sz ? 0 : -EINVAL;
1896 static int ebt_buf_add(struct ebt_entries_buf_state *state,
1897 const void *data, unsigned int sz)
1899 if (state->buf_kern_start == NULL)
1902 if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
1905 memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
1908 state->buf_user_offset += sz;
1909 return ebt_buf_count(state, sz);
1912 static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
1914 char *b = state->buf_kern_start;
1916 if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
1919 if (b != NULL && sz > 0)
1920 memset(b + state->buf_kern_offset, 0, sz);
1921 /* do not adjust ->buf_user_offset here, we added kernel-side padding */
1922 return ebt_buf_count(state, sz);
1931 static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
1932 enum compat_mwt compat_mwt,
1933 struct ebt_entries_buf_state *state,
1934 const unsigned char *base)
1936 char name[EBT_FUNCTION_MAXNAMELEN];
1937 struct xt_match *match;
1938 struct xt_target *wt;
1941 unsigned int size_kern, match_size = mwt->match_size;
1943 if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
1946 if (state->buf_kern_start)
1947 dst = state->buf_kern_start + state->buf_kern_offset;
1949 switch (compat_mwt) {
1950 case EBT_COMPAT_MATCH:
1951 match = xt_request_find_match(NFPROTO_BRIDGE, name, 0);
1953 return PTR_ERR(match);
1955 off = ebt_compat_match_offset(match, match_size);
1957 if (match->compat_from_user)
1958 match->compat_from_user(dst, mwt->data);
1960 memcpy(dst, mwt->data, match_size);
1963 size_kern = match->matchsize;
1964 if (unlikely(size_kern == -1))
1965 size_kern = match_size;
1966 module_put(match->me);
1968 case EBT_COMPAT_WATCHER: /* fallthrough */
1969 case EBT_COMPAT_TARGET:
1970 wt = xt_request_find_target(NFPROTO_BRIDGE, name, 0);
1973 off = xt_compat_target_offset(wt);
1976 if (wt->compat_from_user)
1977 wt->compat_from_user(dst, mwt->data);
1979 memcpy(dst, mwt->data, match_size);
1982 size_kern = wt->targetsize;
1990 state->buf_kern_offset += match_size + off;
1991 state->buf_user_offset += match_size;
1992 pad = XT_ALIGN(size_kern) - size_kern;
1994 if (pad > 0 && dst) {
1995 if (WARN_ON(state->buf_kern_len <= pad))
1997 if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
1999 memset(dst + size_kern, 0, pad);
2001 return off + match_size;
2004 /* return size of all matches, watchers or target, including necessary
2005 * alignment and padding.
2007 static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32,
2008 unsigned int size_left, enum compat_mwt type,
2009 struct ebt_entries_buf_state *state, const void *base)
2011 const char *buf = (const char *)match32;
2018 struct ebt_entry_match *match_kern;
2021 if (size_left < sizeof(*match32))
2024 match_kern = (struct ebt_entry_match *) state->buf_kern_start;
2027 tmp = state->buf_kern_start + state->buf_kern_offset;
2028 match_kern = (struct ebt_entry_match *) tmp;
2030 ret = ebt_buf_add(state, buf, sizeof(*match32));
2033 size_left -= sizeof(*match32);
2035 /* add padding before match->data (if any) */
2036 ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize());
2040 if (match32->match_size > size_left)
2043 size_left -= match32->match_size;
2045 ret = compat_mtw_from_user(match32, type, state, base);
2049 if (WARN_ON(ret < match32->match_size))
2051 growth += ret - match32->match_size;
2052 growth += ebt_compat_entry_padsize();
2054 buf += sizeof(*match32);
2055 buf += match32->match_size;
2058 match_kern->match_size = ret;
2060 match32 = (struct compat_ebt_entry_mwt *) buf;
2061 } while (size_left);
2066 /* called for all ebt_entry structures. */
2067 static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base,
2068 unsigned int *total,
2069 struct ebt_entries_buf_state *state)
2071 unsigned int i, j, startoff, next_expected_off, new_offset = 0;
2072 /* stores match/watchers/targets & offset of next struct ebt_entry: */
2073 unsigned int offsets[4];
2074 unsigned int *offsets_update = NULL;
2078 if (*total < sizeof(struct ebt_entries))
2081 if (!entry->bitmask) {
2082 *total -= sizeof(struct ebt_entries);
2083 return ebt_buf_add(state, entry, sizeof(struct ebt_entries));
2085 if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
2088 startoff = state->buf_user_offset;
2089 /* pull in most part of ebt_entry, it does not need to be changed. */
2090 ret = ebt_buf_add(state, entry,
2091 offsetof(struct ebt_entry, watchers_offset));
2095 offsets[0] = sizeof(struct ebt_entry); /* matches come first */
2096 memcpy(&offsets[1], &entry->watchers_offset,
2097 sizeof(offsets) - sizeof(offsets[0]));
2099 if (state->buf_kern_start) {
2100 buf_start = state->buf_kern_start + state->buf_kern_offset;
2101 offsets_update = (unsigned int *) buf_start;
2103 ret = ebt_buf_add(state, &offsets[1],
2104 sizeof(offsets) - sizeof(offsets[0]));
2107 buf_start = (char *) entry;
2108 /* 0: matches offset, always follows ebt_entry.
2109 * 1: watchers offset, from ebt_entry structure
2110 * 2: target offset, from ebt_entry structure
2111 * 3: next ebt_entry offset, from ebt_entry structure
2113 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
2115 for (i = 0; i < 4 ; ++i) {
2116 if (offsets[i] > *total)
2119 if (i < 3 && offsets[i] == *total)
2124 if (offsets[i-1] > offsets[i])
2128 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
2129 struct compat_ebt_entry_mwt *match32;
2131 char *buf = buf_start;
2133 buf = buf_start + offsets[i];
2134 if (offsets[i] > offsets[j])
2137 match32 = (struct compat_ebt_entry_mwt *) buf;
2138 size = offsets[j] - offsets[i];
2139 ret = ebt_size_mwt(match32, size, i, state, base);
2143 if (offsets_update && new_offset) {
2144 pr_debug("change offset %d to %d\n",
2145 offsets_update[i], offsets[j] + new_offset);
2146 offsets_update[i] = offsets[j] + new_offset;
2150 if (state->buf_kern_start == NULL) {
2151 unsigned int offset = buf_start - (char *) base;
2153 ret = xt_compat_add_offset(NFPROTO_BRIDGE, offset, new_offset);
2158 next_expected_off = state->buf_user_offset - startoff;
2159 if (next_expected_off != entry->next_offset)
2162 if (*total < entry->next_offset)
2164 *total -= entry->next_offset;
2168 /* repl->entries_size is the size of the ebt_entry blob in userspace.
2169 * It might need more memory when copied to a 64 bit kernel in case
2170 * userspace is 32-bit. So, first task: find out how much memory is needed.
2172 * Called before validation is performed.
2174 static int compat_copy_entries(unsigned char *data, unsigned int size_user,
2175 struct ebt_entries_buf_state *state)
2177 unsigned int size_remaining = size_user;
2180 ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data,
2181 &size_remaining, state);
2188 return state->buf_kern_offset;
2192 static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
2193 void __user *user, unsigned int len)
2195 struct compat_ebt_replace tmp;
2198 if (len < sizeof(tmp))
2201 if (copy_from_user(&tmp, user, sizeof(tmp)))
2204 if (len != sizeof(tmp) + tmp.entries_size)
2207 if (tmp.entries_size == 0)
2210 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
2211 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
2213 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
2216 memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
2218 /* starting with hook_entry, 32 vs. 64 bit structures are different */
2219 for (i = 0; i < NF_BR_NUMHOOKS; i++)
2220 repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]);
2222 repl->num_counters = tmp.num_counters;
2223 repl->counters = compat_ptr(tmp.counters);
2224 repl->entries = compat_ptr(tmp.entries);
2228 static int compat_do_replace(struct net *net, void __user *user,
2231 int ret, i, countersize, size64;
2232 struct ebt_table_info *newinfo;
2233 struct ebt_replace tmp;
2234 struct ebt_entries_buf_state state;
2237 ret = compat_copy_ebt_replace_from_user(&tmp, user, len);
2239 /* try real handler in case userland supplied needed padding */
2240 if (ret == -EINVAL && do_replace(net, user, len) == 0)
2245 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
2246 newinfo = vmalloc(sizeof(*newinfo) + countersize);
2251 memset(newinfo->counters, 0, countersize);
2253 memset(&state, 0, sizeof(state));
2255 newinfo->entries = vmalloc(tmp.entries_size);
2256 if (!newinfo->entries) {
2261 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
2266 entries_tmp = newinfo->entries;
2268 xt_compat_lock(NFPROTO_BRIDGE);
2270 xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
2271 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2275 pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n",
2276 tmp.entries_size, state.buf_kern_offset, state.buf_user_offset,
2277 xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size));
2280 newinfo->entries = vmalloc(size64);
2281 if (!newinfo->entries) {
2287 memset(&state, 0, sizeof(state));
2288 state.buf_kern_start = newinfo->entries;
2289 state.buf_kern_len = size64;
2291 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2292 if (WARN_ON(ret < 0)) {
2298 tmp.entries_size = size64;
2300 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
2301 char __user *usrptr;
2302 if (tmp.hook_entry[i]) {
2304 usrptr = (char __user *) tmp.hook_entry[i];
2305 delta = usrptr - tmp.entries;
2306 usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta);
2307 tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr;
2311 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2312 xt_compat_unlock(NFPROTO_BRIDGE);
2314 ret = do_replace_finish(net, &tmp, newinfo);
2318 vfree(newinfo->entries);
2323 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2324 xt_compat_unlock(NFPROTO_BRIDGE);
2328 static int compat_update_counters(struct net *net, void __user *user,
2331 struct compat_ebt_replace hlp;
2333 if (copy_from_user(&hlp, user, sizeof(hlp)))
2336 /* try real handler in case userland supplied needed padding */
2337 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
2338 return update_counters(net, user, len);
2340 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters),
2341 hlp.num_counters, user, len);
2344 static int compat_do_ebt_set_ctl(struct sock *sk,
2345 int cmd, void __user *user, unsigned int len)
2348 struct net *net = sock_net(sk);
2350 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2354 case EBT_SO_SET_ENTRIES:
2355 ret = compat_do_replace(net, user, len);
2357 case EBT_SO_SET_COUNTERS:
2358 ret = compat_update_counters(net, user, len);
2366 static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
2367 void __user *user, int *len)
2370 struct compat_ebt_replace tmp;
2371 struct ebt_table *t;
2372 struct net *net = sock_net(sk);
2374 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2377 /* try real handler in case userland supplied needed padding */
2378 if ((cmd == EBT_SO_GET_INFO ||
2379 cmd == EBT_SO_GET_INIT_INFO) && *len != sizeof(tmp))
2380 return do_ebt_get_ctl(sk, cmd, user, len);
2382 if (copy_from_user(&tmp, user, sizeof(tmp)))
2385 tmp.name[sizeof(tmp.name) - 1] = '\0';
2387 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
2391 xt_compat_lock(NFPROTO_BRIDGE);
2393 case EBT_SO_GET_INFO:
2394 tmp.nentries = t->private->nentries;
2395 ret = compat_table_info(t->private, &tmp);
2398 tmp.valid_hooks = t->valid_hooks;
2400 if (copy_to_user(user, &tmp, *len) != 0) {
2406 case EBT_SO_GET_INIT_INFO:
2407 tmp.nentries = t->table->nentries;
2408 tmp.entries_size = t->table->entries_size;
2409 tmp.valid_hooks = t->table->valid_hooks;
2411 if (copy_to_user(user, &tmp, *len) != 0) {
2417 case EBT_SO_GET_ENTRIES:
2418 case EBT_SO_GET_INIT_ENTRIES:
2419 /* try real handler first in case of userland-side padding.
2420 * in case we are dealing with an 'ordinary' 32 bit binary
2421 * without 64bit compatibility padding, this will fail right
2422 * after copy_from_user when the *len argument is validated.
2424 * the compat_ variant needs to do one pass over the kernel
2425 * data set to adjust for size differences before it the check.
2427 if (copy_everything_to_user(t, user, len, cmd) == 0)
2430 ret = compat_copy_everything_to_user(t, user, len, cmd);
2436 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2437 xt_compat_unlock(NFPROTO_BRIDGE);
2438 mutex_unlock(&ebt_mutex);
2443 static struct nf_sockopt_ops ebt_sockopts = {
2445 .set_optmin = EBT_BASE_CTL,
2446 .set_optmax = EBT_SO_SET_MAX + 1,
2447 .set = do_ebt_set_ctl,
2448 #ifdef CONFIG_COMPAT
2449 .compat_set = compat_do_ebt_set_ctl,
2451 .get_optmin = EBT_BASE_CTL,
2452 .get_optmax = EBT_SO_GET_MAX + 1,
2453 .get = do_ebt_get_ctl,
2454 #ifdef CONFIG_COMPAT
2455 .compat_get = compat_do_ebt_get_ctl,
2457 .owner = THIS_MODULE,
2460 static int __init ebtables_init(void)
2464 ret = xt_register_target(&ebt_standard_target);
2467 ret = nf_register_sockopt(&ebt_sockopts);
2469 xt_unregister_target(&ebt_standard_target);
2473 printk(KERN_INFO "Ebtables v2.0 registered\n");
2477 static void __exit ebtables_fini(void)
2479 nf_unregister_sockopt(&ebt_sockopts);
2480 xt_unregister_target(&ebt_standard_target);
2481 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
2484 EXPORT_SYMBOL(ebt_register_table);
2485 EXPORT_SYMBOL(ebt_unregister_table);
2486 EXPORT_SYMBOL(ebt_do_table);
2487 module_init(ebtables_init);
2488 module_exit(ebtables_fini);
2489 MODULE_LICENSE("GPL");
projects / releases.git / blob