1
2
3
4
5
6
7
8
9
10
11
12
13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14#include <linux/kmod.h>
15#include <linux/module.h>
16#include <linux/vmalloc.h>
17#include <linux/netfilter/x_tables.h>
18#include <linux/netfilter_bridge/ebtables.h>
19#include <linux/spinlock.h>
20#include <linux/mutex.h>
21#include <linux/slab.h>
22#include <linux/uaccess.h>
23#include <linux/smp.h>
24#include <linux/cpumask.h>
25#include <linux/audit.h>
26#include <net/sock.h>
27#include <net/netns/generic.h>
28
29#include "../br_private.h"
30
31
32
33
34
35
36
37
38#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
39#define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
40#define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
41 COUNTER_OFFSET(n) * cpu))
42
43struct ebt_pernet {
44 struct list_head tables;
45};
46
47static unsigned int ebt_pernet_id __read_mostly;
48static DEFINE_MUTEX(ebt_mutex);
49
50#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
51static void ebt_standard_compat_from_user(void *dst, const void *src)
52{
53 int v = *(compat_int_t *)src;
54
55 if (v >= 0)
56 v += xt_compat_calc_jump(NFPROTO_BRIDGE, v);
57 memcpy(dst, &v, sizeof(v));
58}
59
60static int ebt_standard_compat_to_user(void __user *dst, const void *src)
61{
62 compat_int_t cv = *(int *)src;
63
64 if (cv >= 0)
65 cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv);
66 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
67}
68#endif
69
70
71static struct xt_target ebt_standard_target = {
72 .name = "standard",
73 .revision = 0,
74 .family = NFPROTO_BRIDGE,
75 .targetsize = sizeof(int),
76#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
77 .compatsize = sizeof(compat_int_t),
78 .compat_from_user = ebt_standard_compat_from_user,
79 .compat_to_user = ebt_standard_compat_to_user,
80#endif
81};
82
83static inline int
84ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
85 struct xt_action_param *par)
86{
87 par->target = w->u.watcher;
88 par->targinfo = w->data;
89 w->u.watcher->target(skb, par);
90
91 return 0;
92}
93
94static inline int
95ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
96 struct xt_action_param *par)
97{
98 par->match = m->u.match;
99 par->matchinfo = m->data;
100 return !m->u.match->match(skb, par);
101}
102
103static inline int
104ebt_dev_check(const char *entry, const struct net_device *device)
105{
106 int i = 0;
107 const char *devname;
108
109 if (*entry == '\0')
110 return 0;
111 if (!device)
112 return 1;
113 devname = device->name;
114
115 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
116 i++;
117 return devname[i] != entry[i] && entry[i] != 1;
118}
119
120
121static inline int
122ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
123 const struct net_device *in, const struct net_device *out)
124{
125 const struct ethhdr *h = eth_hdr(skb);
126 const struct net_bridge_port *p;
127 __be16 ethproto;
128
129 if (skb_vlan_tag_present(skb))
130 ethproto = htons(ETH_P_8021Q);
131 else
132 ethproto = h->h_proto;
133
134 if (e->bitmask & EBT_802_3) {
135 if (NF_INVF(e, EBT_IPROTO, eth_proto_is_802_3(ethproto)))
136 return 1;
137 } else if (!(e->bitmask & EBT_NOPROTO) &&
138 NF_INVF(e, EBT_IPROTO, e->ethproto != ethproto))
139 return 1;
140
141 if (NF_INVF(e, EBT_IIN, ebt_dev_check(e->in, in)))
142 return 1;
143 if (NF_INVF(e, EBT_IOUT, ebt_dev_check(e->out, out)))
144 return 1;
145
146 if (in && (p = br_port_get_rcu(in)) != NULL &&
147 NF_INVF(e, EBT_ILOGICALIN,
148 ebt_dev_check(e->logical_in, p->br->dev)))
149 return 1;
150 if (out && (p = br_port_get_rcu(out)) != NULL &&
151 NF_INVF(e, EBT_ILOGICALOUT,
152 ebt_dev_check(e->logical_out, p->br->dev)))
153 return 1;
154
155 if (e->bitmask & EBT_SOURCEMAC) {
156 if (NF_INVF(e, EBT_ISOURCE,
157 !ether_addr_equal_masked(h->h_source, e->sourcemac,
158 e->sourcemsk)))
159 return 1;
160 }
161 if (e->bitmask & EBT_DESTMAC) {
162 if (NF_INVF(e, EBT_IDEST,
163 !ether_addr_equal_masked(h->h_dest, e->destmac,
164 e->destmsk)))
165 return 1;
166 }
167 return 0;
168}
169
170static inline
171struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
172{
173 return (void *)entry + entry->next_offset;
174}
175
176static inline const struct ebt_entry_target *
177ebt_get_target_c(const struct ebt_entry *e)
178{
179 return ebt_get_target((struct ebt_entry *)e);
180}
181
182
183unsigned int ebt_do_table(struct sk_buff *skb,
184 const struct nf_hook_state *state,
185 struct ebt_table *table)
186{
187 unsigned int hook = state->hook;
188 int i, nentries;
189 struct ebt_entry *point;
190 struct ebt_counter *counter_base, *cb_base;
191 const struct ebt_entry_target *t;
192 int verdict, sp = 0;
193 struct ebt_chainstack *cs;
194 struct ebt_entries *chaininfo;
195 const char *base;
196 const struct ebt_table_info *private;
197 struct xt_action_param acpar;
198
199 acpar.state = state;
200 acpar.hotdrop = false;
201
202 read_lock_bh(&table->lock);
203 private = table->private;
204 cb_base = COUNTER_BASE(private->counters, private->nentries,
205 smp_processor_id());
206 if (private->chainstack)
207 cs = private->chainstack[smp_processor_id()];
208 else
209 cs = NULL;
210 chaininfo = private->hook_entry[hook];
211 nentries = private->hook_entry[hook]->nentries;
212 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
213 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
214
215 base = private->entries;
216 i = 0;
217 while (i < nentries) {
218 if (ebt_basic_match(point, skb, state->in, state->out))
219 goto letscontinue;
220
221 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
222 goto letscontinue;
223 if (acpar.hotdrop) {
224 read_unlock_bh(&table->lock);
225 return NF_DROP;
226 }
227
228 ADD_COUNTER(*(counter_base + i), skb->len, 1);
229
230
231
232
233 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
234
235 t = ebt_get_target_c(point);
236
237 if (!t->u.target->target)
238 verdict = ((struct ebt_standard_target *)t)->verdict;
239 else {
240 acpar.target = t->u.target;
241 acpar.targinfo = t->data;
242 verdict = t->u.target->target(skb, &acpar);
243 }
244 if (verdict == EBT_ACCEPT) {
245 read_unlock_bh(&table->lock);
246 return NF_ACCEPT;
247 }
248 if (verdict == EBT_DROP) {
249 read_unlock_bh(&table->lock);
250 return NF_DROP;
251 }
252 if (verdict == EBT_RETURN) {
253letsreturn:
254 if (WARN(sp == 0, "RETURN on base chain")) {
255
256 goto letscontinue;
257 }
258
259 sp--;
260
261 i = cs[sp].n;
262 chaininfo = cs[sp].chaininfo;
263 nentries = chaininfo->nentries;
264 point = cs[sp].e;
265 counter_base = cb_base +
266 chaininfo->counter_offset;
267 continue;
268 }
269 if (verdict == EBT_CONTINUE)
270 goto letscontinue;
271
272 if (WARN(verdict < 0, "bogus standard verdict\n")) {
273 read_unlock_bh(&table->lock);
274 return NF_DROP;
275 }
276
277
278 cs[sp].n = i + 1;
279 cs[sp].chaininfo = chaininfo;
280 cs[sp].e = ebt_next_entry(point);
281 i = 0;
282 chaininfo = (struct ebt_entries *) (base + verdict);
283
284 if (WARN(chaininfo->distinguisher, "jump to non-chain\n")) {
285 read_unlock_bh(&table->lock);
286 return NF_DROP;
287 }
288
289 nentries = chaininfo->nentries;
290 point = (struct ebt_entry *)chaininfo->data;
291 counter_base = cb_base + chaininfo->counter_offset;
292 sp++;
293 continue;
294letscontinue:
295 point = ebt_next_entry(point);
296 i++;
297 }
298
299
300 if (chaininfo->policy == EBT_RETURN)
301 goto letsreturn;
302 if (chaininfo->policy == EBT_ACCEPT) {
303 read_unlock_bh(&table->lock);
304 return NF_ACCEPT;
305 }
306 read_unlock_bh(&table->lock);
307 return NF_DROP;
308}
309
310
311static inline void *
312find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
313 struct mutex *mutex)
314{
315 struct {
316 struct list_head list;
317 char name[EBT_FUNCTION_MAXNAMELEN];
318 } *e;
319
320 mutex_lock(mutex);
321 list_for_each_entry(e, head, list) {
322 if (strcmp(e->name, name) == 0)
323 return e;
324 }
325 *error = -ENOENT;
326 mutex_unlock(mutex);
327 return NULL;
328}
329
330static void *
331find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
332 int *error, struct mutex *mutex)
333{
334 return try_then_request_module(
335 find_inlist_lock_noload(head, name, error, mutex),
336 "%s%s", prefix, name);
337}
338
339static inline struct ebt_table *
340find_table_lock(struct net *net, const char *name, int *error,
341 struct mutex *mutex)
342{
343 struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
344
345 return find_inlist_lock(&ebt_net->tables, name,
346 "ebtable_", error, mutex);
347}
348
349static inline void ebt_free_table_info(struct ebt_table_info *info)
350{
351 int i;
352
353 if (info->chainstack) {
354 for_each_possible_cpu(i)
355 vfree(info->chainstack[i]);
356 vfree(info->chainstack);
357 }
358}
359static inline int
360ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
361 unsigned int *cnt)
362{
363 const struct ebt_entry *e = par->entryinfo;
364 struct xt_match *match;
365 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
366 int ret;
367
368 if (left < sizeof(struct ebt_entry_match) ||
369 left - sizeof(struct ebt_entry_match) < m->match_size)
370 return -EINVAL;
371
372 match = xt_find_match(NFPROTO_BRIDGE, m->u.name, m->u.revision);
373 if (IS_ERR(match) || match->family != NFPROTO_BRIDGE) {
374 if (!IS_ERR(match))
375 module_put(match->me);
376 request_module("ebt_%s", m->u.name);
377 match = xt_find_match(NFPROTO_BRIDGE, m->u.name, m->u.revision);
378 }
379 if (IS_ERR(match))
380 return PTR_ERR(match);
381 m->u.match = match;
382
383 par->match = match;
384 par->matchinfo = m->data;
385 ret = xt_check_match(par, m->match_size,
386 ntohs(e->ethproto), e->invflags & EBT_IPROTO);
387 if (ret < 0) {
388 module_put(match->me);
389 return ret;
390 }
391
392 (*cnt)++;
393 return 0;
394}
395
396static inline int
397ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
398 unsigned int *cnt)
399{
400 const struct ebt_entry *e = par->entryinfo;
401 struct xt_target *watcher;
402 size_t left = ((char *)e + e->target_offset) - (char *)w;
403 int ret;
404
405 if (left < sizeof(struct ebt_entry_watcher) ||
406 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
407 return -EINVAL;
408
409 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
410 if (IS_ERR(watcher))
411 return PTR_ERR(watcher);
412
413 if (watcher->family != NFPROTO_BRIDGE) {
414 module_put(watcher->me);
415 return -ENOENT;
416 }
417
418 w->u.watcher = watcher;
419
420 par->target = watcher;
421 par->targinfo = w->data;
422 ret = xt_check_target(par, w->watcher_size,
423 ntohs(e->ethproto), e->invflags & EBT_IPROTO);
424 if (ret < 0) {
425 module_put(watcher->me);
426 return ret;
427 }
428
429 (*cnt)++;
430 return 0;
431}
432
433static int ebt_verify_pointers(const struct ebt_replace *repl,
434 struct ebt_table_info *newinfo)
435{
436 unsigned int limit = repl->entries_size;
437 unsigned int valid_hooks = repl->valid_hooks;
438 unsigned int offset = 0;
439 int i;
440
441 for (i = 0; i < NF_BR_NUMHOOKS; i++)
442 newinfo->hook_entry[i] = NULL;
443
444 newinfo->entries_size = repl->entries_size;
445 newinfo->nentries = repl->nentries;
446
447 while (offset < limit) {
448 size_t left = limit - offset;
449 struct ebt_entry *e = (void *)newinfo->entries + offset;
450
451 if (left < sizeof(unsigned int))
452 break;
453
454 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
455 if ((valid_hooks & (1 << i)) == 0)
456 continue;
457 if ((char __user *)repl->hook_entry[i] ==
458 repl->entries + offset)
459 break;
460 }
461
462 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
463 if (e->bitmask != 0) {
464
465
466
467 return -EINVAL;
468 }
469 if (i != NF_BR_NUMHOOKS)
470 newinfo->hook_entry[i] = (struct ebt_entries *)e;
471 if (left < sizeof(struct ebt_entries))
472 break;
473 offset += sizeof(struct ebt_entries);
474 } else {
475 if (left < sizeof(struct ebt_entry))
476 break;
477 if (left < e->next_offset)
478 break;
479 if (e->next_offset < sizeof(struct ebt_entry))
480 return -EINVAL;
481 offset += e->next_offset;
482 }
483 }
484 if (offset != limit)
485 return -EINVAL;
486
487
488 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
489 if (!newinfo->hook_entry[i] &&
490 (valid_hooks & (1 << i)))
491 return -EINVAL;
492 }
493 return 0;
494}
495
496
497
498
499static inline int
500ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
501 const struct ebt_table_info *newinfo,
502 unsigned int *n, unsigned int *cnt,
503 unsigned int *totalcnt, unsigned int *udc_cnt)
504{
505 int i;
506
507 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
508 if ((void *)e == (void *)newinfo->hook_entry[i])
509 break;
510 }
511
512
513
514 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
515
516
517
518 if (*n != *cnt)
519 return -EINVAL;
520
521 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
522 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
523
524 if (i != NF_BR_NUMHOOKS ||
525 ((struct ebt_entries *)e)->policy != EBT_RETURN)
526 return -EINVAL;
527 }
528 if (i == NF_BR_NUMHOOKS)
529 (*udc_cnt)++;
530 if (((struct ebt_entries *)e)->counter_offset != *totalcnt)
531 return -EINVAL;
532 *n = ((struct ebt_entries *)e)->nentries;
533 *cnt = 0;
534 return 0;
535 }
536
537 if (sizeof(struct ebt_entry) > e->watchers_offset ||
538 e->watchers_offset > e->target_offset ||
539 e->target_offset >= e->next_offset)
540 return -EINVAL;
541
542
543 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target))
544 return -EINVAL;
545
546 (*cnt)++;
547 (*totalcnt)++;
548 return 0;
549}
550
551struct ebt_cl_stack {
552 struct ebt_chainstack cs;
553 int from;
554 unsigned int hookmask;
555};
556
557
558
559
560static inline int
561ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
562 unsigned int *n, struct ebt_cl_stack *udc)
563{
564 int i;
565
566
567 if (e->bitmask)
568 return 0;
569 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
570 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
571 break;
572 }
573
574 if (i != NF_BR_NUMHOOKS)
575 return 0;
576
577 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
578
579 udc[*n].cs.n = 0;
580 udc[*n].hookmask = 0;
581
582 (*n)++;
583 return 0;
584}
585
586static inline int
587ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
588{
589 struct xt_mtdtor_param par;
590
591 if (i && (*i)-- == 0)
592 return 1;
593
594 par.net = net;
595 par.match = m->u.match;
596 par.matchinfo = m->data;
597 par.family = NFPROTO_BRIDGE;
598 if (par.match->destroy != NULL)
599 par.match->destroy(&par);
600 module_put(par.match->me);
601 return 0;
602}
603
604static inline int
605ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
606{
607 struct xt_tgdtor_param par;
608
609 if (i && (*i)-- == 0)
610 return 1;
611
612 par.net = net;
613 par.target = w->u.watcher;
614 par.targinfo = w->data;
615 par.family = NFPROTO_BRIDGE;
616 if (par.target->destroy != NULL)
617 par.target->destroy(&par);
618 module_put(par.target->me);
619 return 0;
620}
621
622static inline int
623ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
624{
625 struct xt_tgdtor_param par;
626 struct ebt_entry_target *t;
627
628 if (e->bitmask == 0)
629 return 0;
630
631 if (cnt && (*cnt)-- == 0)
632 return 1;
633 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
634 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
635 t = ebt_get_target(e);
636
637 par.net = net;
638 par.target = t->u.target;
639 par.targinfo = t->data;
640 par.family = NFPROTO_BRIDGE;
641 if (par.target->destroy != NULL)
642 par.target->destroy(&par);
643 module_put(par.target->me);
644 return 0;
645}
646
647static inline int
648ebt_check_entry(struct ebt_entry *e, struct net *net,
649 const struct ebt_table_info *newinfo,
650 const char *name, unsigned int *cnt,
651 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
652{
653 struct ebt_entry_target *t;
654 struct xt_target *target;
655 unsigned int i, j, hook = 0, hookmask = 0;
656 size_t gap;
657 int ret;
658 struct xt_mtchk_param mtpar;
659 struct xt_tgchk_param tgpar;
660
661
662 if (e->bitmask == 0)
663 return 0;
664
665 if (e->bitmask & ~EBT_F_MASK)
666 return -EINVAL;
667
668 if (e->invflags & ~EBT_INV_MASK)
669 return -EINVAL;
670
671 if ((e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3))
672 return -EINVAL;
673
674
675 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
676 if (!newinfo->hook_entry[i])
677 continue;
678 if ((char *)newinfo->hook_entry[i] < (char *)e)
679 hook = i;
680 else
681 break;
682 }
683
684
685
686 if (i < NF_BR_NUMHOOKS)
687 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
688 else {
689 for (i = 0; i < udc_cnt; i++)
690 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
691 break;
692 if (i == 0)
693 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
694 else
695 hookmask = cl_s[i - 1].hookmask;
696 }
697 i = 0;
698
699 memset(&mtpar, 0, sizeof(mtpar));
700 memset(&tgpar, 0, sizeof(tgpar));
701 mtpar.net = tgpar.net = net;
702 mtpar.table = tgpar.table = name;
703 mtpar.entryinfo = tgpar.entryinfo = e;
704 mtpar.hook_mask = tgpar.hook_mask = hookmask;
705 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
706 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
707 if (ret != 0)
708 goto cleanup_matches;
709 j = 0;
710 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
711 if (ret != 0)
712 goto cleanup_watchers;
713 t = ebt_get_target(e);
714 gap = e->next_offset - e->target_offset;
715
716 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
717 if (IS_ERR(target)) {
718 ret = PTR_ERR(target);
719 goto cleanup_watchers;
720 }
721
722
723 if (target->family != NFPROTO_BRIDGE) {
724 module_put(target->me);
725 ret = -ENOENT;
726 goto cleanup_watchers;
727 }
728
729 t->u.target = target;
730 if (t->u.target == &ebt_standard_target) {
731 if (gap < sizeof(struct ebt_standard_target)) {
732 ret = -EFAULT;
733 goto cleanup_watchers;
734 }
735 if (((struct ebt_standard_target *)t)->verdict <
736 -NUM_STANDARD_TARGETS) {
737 ret = -EFAULT;
738 goto cleanup_watchers;
739 }
740 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
741 module_put(t->u.target->me);
742 ret = -EFAULT;
743 goto cleanup_watchers;
744 }
745
746 tgpar.target = target;
747 tgpar.targinfo = t->data;
748 ret = xt_check_target(&tgpar, t->target_size,
749 ntohs(e->ethproto), e->invflags & EBT_IPROTO);
750 if (ret < 0) {
751 module_put(target->me);
752 goto cleanup_watchers;
753 }
754 (*cnt)++;
755 return 0;
756cleanup_watchers:
757 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
758cleanup_matches:
759 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
760 return ret;
761}
762
763
764
765
766
767static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
768 unsigned int udc_cnt, unsigned int hooknr, char *base)
769{
770 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
771 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
772 const struct ebt_entry_target *t;
773
774 while (pos < nentries || chain_nr != -1) {
775
776 if (pos == nentries) {
777
778 e = cl_s[chain_nr].cs.e;
779 if (cl_s[chain_nr].from != -1)
780 nentries =
781 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
782 else
783 nentries = chain->nentries;
784 pos = cl_s[chain_nr].cs.n;
785
786 cl_s[chain_nr].cs.n = 0;
787 chain_nr = cl_s[chain_nr].from;
788 if (pos == nentries)
789 continue;
790 }
791 t = ebt_get_target_c(e);
792 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
793 goto letscontinue;
794 if (e->target_offset + sizeof(struct ebt_standard_target) >
795 e->next_offset)
796 return -1;
797
798 verdict = ((struct ebt_standard_target *)t)->verdict;
799 if (verdict >= 0) {
800 struct ebt_entries *hlp2 =
801 (struct ebt_entries *)(base + verdict);
802 for (i = 0; i < udc_cnt; i++)
803 if (hlp2 == cl_s[i].cs.chaininfo)
804 break;
805
806 if (i == udc_cnt)
807 return -1;
808
809 if (cl_s[i].cs.n)
810 return -1;
811
812 if (cl_s[i].hookmask & (1 << hooknr))
813 goto letscontinue;
814
815 cl_s[i].cs.n = pos + 1;
816 pos = 0;
817 cl_s[i].cs.e = ebt_next_entry(e);
818 e = (struct ebt_entry *)(hlp2->data);
819 nentries = hlp2->nentries;
820 cl_s[i].from = chain_nr;
821 chain_nr = i;
822
823 cl_s[i].hookmask |= (1 << hooknr);
824 continue;
825 }
826letscontinue:
827 e = ebt_next_entry(e);
828 pos++;
829 }
830 return 0;
831}
832
833
834static int translate_table(struct net *net, const char *name,
835 struct ebt_table_info *newinfo)
836{
837 unsigned int i, j, k, udc_cnt;
838 int ret;
839 struct ebt_cl_stack *cl_s = NULL;
840
841 i = 0;
842 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
843 i++;
844 if (i == NF_BR_NUMHOOKS)
845 return -EINVAL;
846
847 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries)
848 return -EINVAL;
849
850
851
852
853 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
854 if (!newinfo->hook_entry[j])
855 continue;
856 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i])
857 return -EINVAL;
858
859 i = j;
860 }
861
862
863 i = 0;
864 j = 0;
865 k = 0;
866
867
868 udc_cnt = 0;
869 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
870 ebt_check_entry_size_and_hooks, newinfo,
871 &i, &j, &k, &udc_cnt);
872
873 if (ret != 0)
874 return ret;
875
876 if (i != j)
877 return -EINVAL;
878
879 if (k != newinfo->nentries)
880 return -EINVAL;
881
882
883
884
885 if (udc_cnt) {
886
887
888
889 newinfo->chainstack =
890 vmalloc(array_size(nr_cpu_ids,
891 sizeof(*(newinfo->chainstack))));
892 if (!newinfo->chainstack)
893 return -ENOMEM;
894 for_each_possible_cpu(i) {
895 newinfo->chainstack[i] =
896 vmalloc(array_size(udc_cnt, sizeof(*(newinfo->chainstack[0]))));
897 if (!newinfo->chainstack[i]) {
898 while (i)
899 vfree(newinfo->chainstack[--i]);
900 vfree(newinfo->chainstack);
901 newinfo->chainstack = NULL;
902 return -ENOMEM;
903 }
904 }
905
906 cl_s = vmalloc(array_size(udc_cnt, sizeof(*cl_s)));
907 if (!cl_s)
908 return -ENOMEM;
909 i = 0;
910 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
911 ebt_get_udc_positions, newinfo, &i, cl_s);
912
913 if (i != udc_cnt) {
914 vfree(cl_s);
915 return -EFAULT;
916 }
917 }
918
919
920 for (i = 0; i < NF_BR_NUMHOOKS; i++)
921 if (newinfo->hook_entry[i])
922 if (check_chainloops(newinfo->hook_entry[i],
923 cl_s, udc_cnt, i, newinfo->entries)) {
924 vfree(cl_s);
925 return -EINVAL;
926 }
927
928
929
930
931
932
933
934
935
936
937
938
939
940 i = 0;
941 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
942 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
943 if (ret != 0) {
944 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
945 ebt_cleanup_entry, net, &i);
946 }
947 vfree(cl_s);
948 return ret;
949}
950
951
952static void get_counters(const struct ebt_counter *oldcounters,
953 struct ebt_counter *counters, unsigned int nentries)
954{
955 int i, cpu;
956 struct ebt_counter *counter_base;
957
958
959 memcpy(counters, oldcounters,
960 sizeof(struct ebt_counter) * nentries);
961
962
963 for_each_possible_cpu(cpu) {
964 if (cpu == 0)
965 continue;
966 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
967 for (i = 0; i < nentries; i++)
968 ADD_COUNTER(counters[i], counter_base[i].bcnt,
969 counter_base[i].pcnt);
970 }
971}
972
973static int do_replace_finish(struct net *net, struct ebt_replace *repl,
974 struct ebt_table_info *newinfo)
975{
976 int ret;
977 struct ebt_counter *counterstmp = NULL;
978
979 struct ebt_table_info *table;
980 struct ebt_table *t;
981
982
983
984
985 if (repl->num_counters) {
986 unsigned long size = repl->num_counters * sizeof(*counterstmp);
987 counterstmp = vmalloc(size);
988 if (!counterstmp)
989 return -ENOMEM;
990 }
991
992 newinfo->chainstack = NULL;
993 ret = ebt_verify_pointers(repl, newinfo);
994 if (ret != 0)
995 goto free_counterstmp;
996
997 ret = translate_table(net, repl->name, newinfo);
998
999 if (ret != 0)
1000 goto free_counterstmp;
1001
1002 t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
1003 if (!t) {
1004 ret = -ENOENT;
1005 goto free_iterate;
1006 }
1007
1008
1009 if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
1010 goto free_unlock;
1011
1012 if (repl->num_counters && repl->num_counters != t->private->nentries) {
1013 ret = -EINVAL;
1014 goto free_unlock;
1015 }
1016
1017
1018 table = t->private;
1019
1020 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1021 ret = -ENOENT;
1022 goto free_unlock;
1023 } else if (table->nentries && !newinfo->nentries)
1024 module_put(t->me);
1025
1026 write_lock_bh(&t->lock);
1027 if (repl->num_counters)
1028 get_counters(t->private->counters, counterstmp,
1029 t->private->nentries);
1030
1031 t->private = newinfo;
1032 write_unlock_bh(&t->lock);
1033 mutex_unlock(&ebt_mutex);
1034
1035
1036
1037
1038
1039 if (repl->num_counters &&
1040 copy_to_user(repl->counters, counterstmp,
1041 repl->num_counters * sizeof(struct ebt_counter))) {
1042
1043 net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
1044 }
1045
1046
1047 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1048 ebt_cleanup_entry, net, NULL);
1049
1050 vfree(table->entries);
1051 ebt_free_table_info(table);
1052 vfree(table);
1053 vfree(counterstmp);
1054
1055 audit_log_nfcfg(repl->name, AF_BRIDGE, repl->nentries,
1056 AUDIT_XT_OP_REPLACE, GFP_KERNEL);
1057 return ret;
1058
1059free_unlock:
1060 mutex_unlock(&ebt_mutex);
1061free_iterate:
1062 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1063 ebt_cleanup_entry, net, NULL);
1064free_counterstmp:
1065 vfree(counterstmp);
1066
1067 ebt_free_table_info(newinfo);
1068 return ret;
1069}
1070
1071
1072static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
1073{
1074 int ret, countersize;
1075 struct ebt_table_info *newinfo;
1076 struct ebt_replace tmp;
1077
1078 if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
1079 return -EFAULT;
1080
1081 if (len != sizeof(tmp) + tmp.entries_size)
1082 return -EINVAL;
1083
1084 if (tmp.entries_size == 0)
1085 return -EINVAL;
1086
1087
1088 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
1089 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1090 return -ENOMEM;
1091 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1092 return -ENOMEM;
1093
1094 tmp.name[sizeof(tmp.name) - 1] = 0;
1095
1096 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1097 newinfo = __vmalloc(sizeof(*newinfo) + countersize, GFP_KERNEL_ACCOUNT);
1098 if (!newinfo)
1099 return -ENOMEM;
1100
1101 if (countersize)
1102 memset(newinfo->counters, 0, countersize);
1103
1104 newinfo->entries = __vmalloc(tmp.entries_size, GFP_KERNEL_ACCOUNT);
1105 if (!newinfo->entries) {
1106 ret = -ENOMEM;
1107 goto free_newinfo;
1108 }
1109 if (copy_from_user(
1110 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1111 ret = -EFAULT;
1112 goto free_entries;
1113 }
1114
1115 ret = do_replace_finish(net, &tmp, newinfo);
1116 if (ret == 0)
1117 return ret;
1118free_entries:
1119 vfree(newinfo->entries);
1120free_newinfo:
1121 vfree(newinfo);
1122 return ret;
1123}
1124
1125static void __ebt_unregister_table(struct net *net, struct ebt_table *table)
1126{
1127 mutex_lock(&ebt_mutex);
1128 list_del(&table->list);
1129 mutex_unlock(&ebt_mutex);
1130 audit_log_nfcfg(table->name, AF_BRIDGE, table->private->nentries,
1131 AUDIT_XT_OP_UNREGISTER, GFP_KERNEL);
1132 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1133 ebt_cleanup_entry, net, NULL);
1134 if (table->private->nentries)
1135 module_put(table->me);
1136 vfree(table->private->entries);
1137 ebt_free_table_info(table->private);
1138 vfree(table->private);
1139 kfree(table->ops);
1140 kfree(table);
1141}
1142
1143int ebt_register_table(struct net *net, const struct ebt_table *input_table,
1144 const struct nf_hook_ops *template_ops)
1145{
1146 struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
1147 struct ebt_table_info *newinfo;
1148 struct ebt_table *t, *table;
1149 struct nf_hook_ops *ops;
1150 unsigned int num_ops;
1151 struct ebt_replace_kernel *repl;
1152 int ret, i, countersize;
1153 void *p;
1154
1155 if (input_table == NULL || (repl = input_table->table) == NULL ||
1156 repl->entries == NULL || repl->entries_size == 0 ||
1157 repl->counters != NULL || input_table->private != NULL)
1158 return -EINVAL;
1159
1160
1161 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1162 if (!table) {
1163 ret = -ENOMEM;
1164 goto out;
1165 }
1166
1167 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1168 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1169 ret = -ENOMEM;
1170 if (!newinfo)
1171 goto free_table;
1172
1173 p = vmalloc(repl->entries_size);
1174 if (!p)
1175 goto free_newinfo;
1176
1177 memcpy(p, repl->entries, repl->entries_size);
1178 newinfo->entries = p;
1179
1180 newinfo->entries_size = repl->entries_size;
1181 newinfo->nentries = repl->nentries;
1182
1183 if (countersize)
1184 memset(newinfo->counters, 0, countersize);
1185
1186
1187 newinfo->chainstack = NULL;
1188 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1189 if ((repl->valid_hooks & (1 << i)) == 0)
1190 newinfo->hook_entry[i] = NULL;
1191 else
1192 newinfo->hook_entry[i] = p +
1193 ((char *)repl->hook_entry[i] - repl->entries);
1194 }
1195 ret = translate_table(net, repl->name, newinfo);
1196 if (ret != 0)
1197 goto free_chainstack;
1198
1199 if (table->check && table->check(newinfo, table->valid_hooks)) {
1200 ret = -EINVAL;
1201 goto free_chainstack;
1202 }
1203
1204 table->private = newinfo;
1205 rwlock_init(&table->lock);
1206 mutex_lock(&ebt_mutex);
1207 list_for_each_entry(t, &ebt_net->tables, list) {
1208 if (strcmp(t->name, table->name) == 0) {
1209 ret = -EEXIST;
1210 goto free_unlock;
1211 }
1212 }
1213
1214
1215 if (newinfo->nentries && !try_module_get(table->me)) {
1216 ret = -ENOENT;
1217 goto free_unlock;
1218 }
1219
1220 num_ops = hweight32(table->valid_hooks);
1221 if (num_ops == 0) {
1222 ret = -EINVAL;
1223 goto free_unlock;
1224 }
1225
1226 ops = kmemdup(template_ops, sizeof(*ops) * num_ops, GFP_KERNEL);
1227 if (!ops) {
1228 ret = -ENOMEM;
1229 if (newinfo->nentries)
1230 module_put(table->me);
1231 goto free_unlock;
1232 }
1233
1234 for (i = 0; i < num_ops; i++)
1235 ops[i].priv = table;
1236
1237 list_add(&table->list, &ebt_net->tables);
1238 mutex_unlock(&ebt_mutex);
1239
1240 table->ops = ops;
1241 ret = nf_register_net_hooks(net, ops, num_ops);
1242 if (ret)
1243 __ebt_unregister_table(net, table);
1244
1245 audit_log_nfcfg(repl->name, AF_BRIDGE, repl->nentries,
1246 AUDIT_XT_OP_REGISTER, GFP_KERNEL);
1247 return ret;
1248free_unlock:
1249 mutex_unlock(&ebt_mutex);
1250free_chainstack:
1251 ebt_free_table_info(newinfo);
1252 vfree(newinfo->entries);
1253free_newinfo:
1254 vfree(newinfo);
1255free_table:
1256 kfree(table);
1257out:
1258 return ret;
1259}
1260
1261static struct ebt_table *__ebt_find_table(struct net *net, const char *name)
1262{
1263 struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
1264 struct ebt_table *t;
1265
1266 mutex_lock(&ebt_mutex);
1267
1268 list_for_each_entry(t, &ebt_net->tables, list) {
1269 if (strcmp(t->name, name) == 0) {
1270 mutex_unlock(&ebt_mutex);
1271 return t;
1272 }
1273 }
1274
1275 mutex_unlock(&ebt_mutex);
1276 return NULL;
1277}
1278
1279void ebt_unregister_table_pre_exit(struct net *net, const char *name)
1280{
1281 struct ebt_table *table = __ebt_find_table(net, name);
1282
1283 if (table)
1284 nf_unregister_net_hooks(net, table->ops, hweight32(table->valid_hooks));
1285}
1286EXPORT_SYMBOL(ebt_unregister_table_pre_exit);
1287
1288void ebt_unregister_table(struct net *net, const char *name)
1289{
1290 struct ebt_table *table = __ebt_find_table(net, name);
1291
1292 if (table)
1293 __ebt_unregister_table(net, table);
1294}
1295
1296
1297static int do_update_counters(struct net *net, const char *name,
1298 struct ebt_counter __user *counters,
1299 unsigned int num_counters, unsigned int len)
1300{
1301 int i, ret;
1302 struct ebt_counter *tmp;
1303 struct ebt_table *t;
1304
1305 if (num_counters == 0)
1306 return -EINVAL;
1307
1308 tmp = vmalloc(array_size(num_counters, sizeof(*tmp)));
1309 if (!tmp)
1310 return -ENOMEM;
1311
1312 t = find_table_lock(net, name, &ret, &ebt_mutex);
1313 if (!t)
1314 goto free_tmp;
1315
1316 if (num_counters != t->private->nentries) {
1317 ret = -EINVAL;
1318 goto unlock_mutex;
1319 }
1320
1321 if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) {
1322 ret = -EFAULT;
1323 goto unlock_mutex;
1324 }
1325
1326
1327 write_lock_bh(&t->lock);
1328
1329
1330 for (i = 0; i < num_counters; i++)
1331 ADD_COUNTER(t->private->counters[i], tmp[i].bcnt, tmp[i].pcnt);
1332
1333 write_unlock_bh(&t->lock);
1334 ret = 0;
1335unlock_mutex:
1336 mutex_unlock(&ebt_mutex);
1337free_tmp:
1338 vfree(tmp);
1339 return ret;
1340}
1341
1342static int update_counters(struct net *net, sockptr_t arg, unsigned int len)
1343{
1344 struct ebt_replace hlp;
1345
1346 if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
1347 return -EFAULT;
1348
1349 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1350 return -EINVAL;
1351
1352 return do_update_counters(net, hlp.name, hlp.counters,
1353 hlp.num_counters, len);
1354}
1355
1356static inline int ebt_obj_to_user(char __user *um, const char *_name,
1357 const char *data, int entrysize,
1358 int usersize, int datasize, u8 revision)
1359{
1360 char name[EBT_EXTENSION_MAXNAMELEN] = {0};
1361
1362
1363
1364
1365 strlcpy(name, _name, sizeof(name));
1366 if (copy_to_user(um, name, EBT_EXTENSION_MAXNAMELEN) ||
1367 put_user(revision, (u8 __user *)(um + EBT_EXTENSION_MAXNAMELEN)) ||
1368 put_user(datasize, (int __user *)(um + EBT_EXTENSION_MAXNAMELEN + 1)) ||
1369 xt_data_to_user(um + entrysize, data, usersize, datasize,
1370 XT_ALIGN(datasize)))
1371 return -EFAULT;
1372
1373 return 0;
1374}
1375
1376static inline int ebt_match_to_user(const struct ebt_entry_match *m,
1377 const char *base, char __user *ubase)
1378{
1379 return ebt_obj_to_user(ubase + ((char *)m - base),
1380 m->u.match->name, m->data, sizeof(*m),
1381 m->u.match->usersize, m->match_size,
1382 m->u.match->revision);
1383}
1384
1385static inline int ebt_watcher_to_user(const struct ebt_entry_watcher *w,
1386 const char *base, char __user *ubase)
1387{
1388 return ebt_obj_to_user(ubase + ((char *)w - base),
1389 w->u.watcher->name, w->data, sizeof(*w),
1390 w->u.watcher->usersize, w->watcher_size,
1391 w->u.watcher->revision);
1392}
1393
1394static inline int ebt_entry_to_user(struct ebt_entry *e, const char *base,
1395 char __user *ubase)
1396{
1397 int ret;
1398 char __user *hlp;
1399 const struct ebt_entry_target *t;
1400
1401 if (e->bitmask == 0) {
1402
1403 if (copy_to_user(ubase + ((char *)e - base), e,
1404 sizeof(struct ebt_entries)))
1405 return -EFAULT;
1406 return 0;
1407 }
1408
1409 if (copy_to_user(ubase + ((char *)e - base), e, sizeof(*e)))
1410 return -EFAULT;
1411
1412 hlp = ubase + (((char *)e + e->target_offset) - base);
1413 t = ebt_get_target_c(e);
1414
1415 ret = EBT_MATCH_ITERATE(e, ebt_match_to_user, base, ubase);
1416 if (ret != 0)
1417 return ret;
1418 ret = EBT_WATCHER_ITERATE(e, ebt_watcher_to_user, base, ubase);
1419 if (ret != 0)
1420 return ret;
1421 ret = ebt_obj_to_user(hlp, t->u.target->name, t->data, sizeof(*t),
1422 t->u.target->usersize, t->target_size,
1423 t->u.target->revision);
1424 if (ret != 0)
1425 return ret;
1426
1427 return 0;
1428}
1429
1430static int copy_counters_to_user(struct ebt_table *t,
1431 const struct ebt_counter *oldcounters,
1432 void __user *user, unsigned int num_counters,
1433 unsigned int nentries)
1434{
1435 struct ebt_counter *counterstmp;
1436 int ret = 0;
1437
1438
1439 if (num_counters == 0)
1440 return 0;
1441
1442 if (num_counters != nentries)
1443 return -EINVAL;
1444
1445 counterstmp = vmalloc(array_size(nentries, sizeof(*counterstmp)));
1446 if (!counterstmp)
1447 return -ENOMEM;
1448
1449 write_lock_bh(&t->lock);
1450 get_counters(oldcounters, counterstmp, nentries);
1451 write_unlock_bh(&t->lock);
1452
1453 if (copy_to_user(user, counterstmp,
1454 nentries * sizeof(struct ebt_counter)))
1455 ret = -EFAULT;
1456 vfree(counterstmp);
1457 return ret;
1458}
1459
1460
1461static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1462 const int *len, int cmd)
1463{
1464 struct ebt_replace tmp;
1465 const struct ebt_counter *oldcounters;
1466 unsigned int entries_size, nentries;
1467 int ret;
1468 char *entries;
1469
1470 if (cmd == EBT_SO_GET_ENTRIES) {
1471 entries_size = t->private->entries_size;
1472 nentries = t->private->nentries;
1473 entries = t->private->entries;
1474 oldcounters = t->private->counters;
1475 } else {
1476 entries_size = t->table->entries_size;
1477 nentries = t->table->nentries;
1478 entries = t->table->entries;
1479 oldcounters = t->table->counters;
1480 }
1481
1482 if (copy_from_user(&tmp, user, sizeof(tmp)))
1483 return -EFAULT;
1484
1485 if (*len != sizeof(struct ebt_replace) + entries_size +
1486 (tmp.num_counters ? nentries * sizeof(struct ebt_counter) : 0))
1487 return -EINVAL;
1488
1489 if (tmp.nentries != nentries)
1490 return -EINVAL;
1491
1492 if (tmp.entries_size != entries_size)
1493 return -EINVAL;
1494
1495 ret = copy_counters_to_user(t, oldcounters, tmp.counters,
1496 tmp.num_counters, nentries);
1497 if (ret)
1498 return ret;
1499
1500
1501 return EBT_ENTRY_ITERATE(entries, entries_size,
1502 ebt_entry_to_user, entries, tmp.entries);
1503}
1504
1505#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
1506
1507struct compat_ebt_replace {
1508 char name[EBT_TABLE_MAXNAMELEN];
1509 compat_uint_t valid_hooks;
1510 compat_uint_t nentries;
1511 compat_uint_t entries_size;
1512
1513 compat_uptr_t hook_entry[NF_BR_NUMHOOKS];
1514
1515 compat_uint_t num_counters;
1516
1517 compat_uptr_t counters;
1518 compat_uptr_t entries;
1519};
1520
1521
1522struct compat_ebt_entry_mwt {
1523 union {
1524 struct {
1525 char name[EBT_EXTENSION_MAXNAMELEN];
1526 u8 revision;
1527 };
1528 compat_uptr_t ptr;
1529 } u;
1530 compat_uint_t match_size;
1531 compat_uint_t data[] __aligned(__alignof__(struct compat_ebt_replace));
1532};
1533
1534
1535static int ebt_compat_entry_padsize(void)
1536{
1537 BUILD_BUG_ON(sizeof(struct ebt_entry_match) <
1538 sizeof(struct compat_ebt_entry_mwt));
1539 return (int) sizeof(struct ebt_entry_match) -
1540 sizeof(struct compat_ebt_entry_mwt);
1541}
1542
1543static int ebt_compat_match_offset(const struct xt_match *match,
1544 unsigned int userlen)
1545{
1546
1547
1548
1549
1550
1551 if (unlikely(match->matchsize == -1))
1552 return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen);
1553 return xt_compat_match_offset(match);
1554}
1555
1556static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
1557 unsigned int *size)
1558{
1559 const struct xt_match *match = m->u.match;
1560 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1561 int off = ebt_compat_match_offset(match, m->match_size);
1562 compat_uint_t msize = m->match_size - off;
1563
1564 if (WARN_ON(off >= m->match_size))
1565 return -EINVAL;
1566
1567 if (copy_to_user(cm->u.name, match->name, strlen(match->name) + 1) ||
1568 put_user(match->revision, &cm->u.revision) ||
1569 put_user(msize, &cm->match_size))
1570 return -EFAULT;
1571
1572 if (match->compat_to_user) {
1573 if (match->compat_to_user(cm->data, m->data))
1574 return -EFAULT;
1575 } else {
1576 if (xt_data_to_user(cm->data, m->data, match->usersize, msize,
1577 COMPAT_XT_ALIGN(msize)))
1578 return -EFAULT;
1579 }
1580
1581 *size -= ebt_compat_entry_padsize() + off;
1582 *dstptr = cm->data;
1583 *dstptr += msize;
1584 return 0;
1585}
1586
1587static int compat_target_to_user(struct ebt_entry_target *t,
1588 void __user **dstptr,
1589 unsigned int *size)
1590{
1591 const struct xt_target *target = t->u.target;
1592 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1593 int off = xt_compat_target_offset(target);
1594 compat_uint_t tsize = t->target_size - off;
1595
1596 if (WARN_ON(off >= t->target_size))
1597 return -EINVAL;
1598
1599 if (copy_to_user(cm->u.name, target->name, strlen(target->name) + 1) ||
1600 put_user(target->revision, &cm->u.revision) ||
1601 put_user(tsize, &cm->match_size))
1602 return -EFAULT;
1603
1604 if (target->compat_to_user) {
1605 if (target->compat_to_user(cm->data, t->data))
1606 return -EFAULT;
1607 } else {
1608 if (xt_data_to_user(cm->data, t->data, target->usersize, tsize,
1609 COMPAT_XT_ALIGN(tsize)))
1610 return -EFAULT;
1611 }
1612
1613 *size -= ebt_compat_entry_padsize() + off;
1614 *dstptr = cm->data;
1615 *dstptr += tsize;
1616 return 0;
1617}
1618
1619static int compat_watcher_to_user(struct ebt_entry_watcher *w,
1620 void __user **dstptr,
1621 unsigned int *size)
1622{
1623 return compat_target_to_user((struct ebt_entry_target *)w,
1624 dstptr, size);
1625}
1626
1627static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr,
1628 unsigned int *size)
1629{
1630 struct ebt_entry_target *t;
1631 struct ebt_entry __user *ce;
1632 u32 watchers_offset, target_offset, next_offset;
1633 compat_uint_t origsize;
1634 int ret;
1635
1636 if (e->bitmask == 0) {
1637 if (*size < sizeof(struct ebt_entries))
1638 return -EINVAL;
1639 if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries)))
1640 return -EFAULT;
1641
1642 *dstptr += sizeof(struct ebt_entries);
1643 *size -= sizeof(struct ebt_entries);
1644 return 0;
1645 }
1646
1647 if (*size < sizeof(*ce))
1648 return -EINVAL;
1649
1650 ce = *dstptr;
1651 if (copy_to_user(ce, e, sizeof(*ce)))
1652 return -EFAULT;
1653
1654 origsize = *size;
1655 *dstptr += sizeof(*ce);
1656
1657 ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size);
1658 if (ret)
1659 return ret;
1660 watchers_offset = e->watchers_offset - (origsize - *size);
1661
1662 ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size);
1663 if (ret)
1664 return ret;
1665 target_offset = e->target_offset - (origsize - *size);
1666
1667 t = ebt_get_target(e);
1668
1669 ret = compat_target_to_user(t, dstptr, size);
1670 if (ret)
1671 return ret;
1672 next_offset = e->next_offset - (origsize - *size);
1673
1674 if (put_user(watchers_offset, &ce->watchers_offset) ||
1675 put_user(target_offset, &ce->target_offset) ||
1676 put_user(next_offset, &ce->next_offset))
1677 return -EFAULT;
1678
1679 *size -= sizeof(*ce);
1680 return 0;
1681}
1682
1683static int compat_calc_match(struct ebt_entry_match *m, int *off)
1684{
1685 *off += ebt_compat_match_offset(m->u.match, m->match_size);
1686 *off += ebt_compat_entry_padsize();
1687 return 0;
1688}
1689
1690static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off)
1691{
1692 *off += xt_compat_target_offset(w->u.watcher);
1693 *off += ebt_compat_entry_padsize();
1694 return 0;
1695}
1696
1697static int compat_calc_entry(const struct ebt_entry *e,
1698 const struct ebt_table_info *info,
1699 const void *base,
1700 struct compat_ebt_replace *newinfo)
1701{
1702 const struct ebt_entry_target *t;
1703 unsigned int entry_offset;
1704 int off, ret, i;
1705
1706 if (e->bitmask == 0)
1707 return 0;
1708
1709 off = 0;
1710 entry_offset = (void *)e - base;
1711
1712 EBT_MATCH_ITERATE(e, compat_calc_match, &off);
1713 EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off);
1714
1715 t = ebt_get_target_c(e);
1716
1717 off += xt_compat_target_offset(t->u.target);
1718 off += ebt_compat_entry_padsize();
1719
1720 newinfo->entries_size -= off;
1721
1722 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off);
1723 if (ret)
1724 return ret;
1725
1726 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1727 const void *hookptr = info->hook_entry[i];
1728 if (info->hook_entry[i] &&
1729 (e < (struct ebt_entry *)(base - hookptr))) {
1730 newinfo->hook_entry[i] -= off;
1731 pr_debug("0x%08X -> 0x%08X\n",
1732 newinfo->hook_entry[i] + off,
1733 newinfo->hook_entry[i]);
1734 }
1735 }
1736
1737 return 0;
1738}
1739
1740static int ebt_compat_init_offsets(unsigned int number)
1741{
1742 if (number > INT_MAX)
1743 return -EINVAL;
1744
1745
1746 number += NF_BR_NUMHOOKS;
1747
1748 return xt_compat_init_offsets(NFPROTO_BRIDGE, number);
1749}
1750
1751static int compat_table_info(const struct ebt_table_info *info,
1752 struct compat_ebt_replace *newinfo)
1753{
1754 unsigned int size = info->entries_size;
1755 const void *entries = info->entries;
1756 int ret;
1757
1758 newinfo->entries_size = size;
1759 ret = ebt_compat_init_offsets(info->nentries);
1760 if (ret)
1761 return ret;
1762
1763 return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
1764 entries, newinfo);
1765}
1766
1767static int compat_copy_everything_to_user(struct ebt_table *t,
1768 void __user *user, int *len, int cmd)
1769{
1770 struct compat_ebt_replace repl, tmp;
1771 struct ebt_counter *oldcounters;
1772 struct ebt_table_info tinfo;
1773 int ret;
1774 void __user *pos;
1775
1776 memset(&tinfo, 0, sizeof(tinfo));
1777
1778 if (cmd == EBT_SO_GET_ENTRIES) {
1779 tinfo.entries_size = t->private->entries_size;
1780 tinfo.nentries = t->private->nentries;
1781 tinfo.entries = t->private->entries;
1782 oldcounters = t->private->counters;
1783 } else {
1784 tinfo.entries_size = t->table->entries_size;
1785 tinfo.nentries = t->table->nentries;
1786 tinfo.entries = t->table->entries;
1787 oldcounters = t->table->counters;
1788 }
1789
1790 if (copy_from_user(&tmp, user, sizeof(tmp)))
1791 return -EFAULT;
1792
1793 if (tmp.nentries != tinfo.nentries ||
1794 (tmp.num_counters && tmp.num_counters != tinfo.nentries))
1795 return -EINVAL;
1796
1797 memcpy(&repl, &tmp, sizeof(repl));
1798 if (cmd == EBT_SO_GET_ENTRIES)
1799 ret = compat_table_info(t->private, &repl);
1800 else
1801 ret = compat_table_info(&tinfo, &repl);
1802 if (ret)
1803 return ret;
1804
1805 if (*len != sizeof(tmp) + repl.entries_size +
1806 (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) {
1807 pr_err("wrong size: *len %d, entries_size %u, replsz %d\n",
1808 *len, tinfo.entries_size, repl.entries_size);
1809 return -EINVAL;
1810 }
1811
1812
1813 ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters),
1814 tmp.num_counters, tinfo.nentries);
1815 if (ret)
1816 return ret;
1817
1818 pos = compat_ptr(tmp.entries);
1819 return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size,
1820 compat_copy_entry_to_user, &pos, &tmp.entries_size);
1821}
1822
1823struct ebt_entries_buf_state {
1824 char *buf_kern_start;
1825 u32 buf_kern_len;
1826 u32 buf_kern_offset;
1827 u32 buf_user_offset;
1828};
1829
1830static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
1831{
1832 state->buf_kern_offset += sz;
1833 return state->buf_kern_offset >= sz ? 0 : -EINVAL;
1834}
1835
1836static int ebt_buf_add(struct ebt_entries_buf_state *state,
1837 const void *data, unsigned int sz)
1838{
1839 if (state->buf_kern_start == NULL)
1840 goto count_only;
1841
1842 if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
1843 return -EINVAL;
1844
1845 memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
1846
1847 count_only:
1848 state->buf_user_offset += sz;
1849 return ebt_buf_count(state, sz);
1850}
1851
1852static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
1853{
1854 char *b = state->buf_kern_start;
1855
1856 if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
1857 return -EINVAL;
1858
1859 if (b != NULL && sz > 0)
1860 memset(b + state->buf_kern_offset, 0, sz);
1861
1862 return ebt_buf_count(state, sz);
1863}
1864
1865enum compat_mwt {
1866 EBT_COMPAT_MATCH,
1867 EBT_COMPAT_WATCHER,
1868 EBT_COMPAT_TARGET,
1869};
1870
1871static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
1872 enum compat_mwt compat_mwt,
1873 struct ebt_entries_buf_state *state,
1874 const unsigned char *base)
1875{
1876 char name[EBT_EXTENSION_MAXNAMELEN];
1877 struct xt_match *match;
1878 struct xt_target *wt;
1879 void *dst = NULL;
1880 int off, pad = 0;
1881 unsigned int size_kern, match_size = mwt->match_size;
1882
1883 if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
1884 return -EINVAL;
1885
1886 if (state->buf_kern_start)
1887 dst = state->buf_kern_start + state->buf_kern_offset;
1888
1889 switch (compat_mwt) {
1890 case EBT_COMPAT_MATCH:
1891 match = xt_request_find_match(NFPROTO_BRIDGE, name,
1892 mwt->u.revision);
1893 if (IS_ERR(match))
1894 return PTR_ERR(match);
1895
1896 off = ebt_compat_match_offset(match, match_size);
1897 if (dst) {
1898 if (match->compat_from_user)
1899 match->compat_from_user(dst, mwt->data);
1900 else
1901 memcpy(dst, mwt->data, match_size);
1902 }
1903
1904 size_kern = match->matchsize;
1905 if (unlikely(size_kern == -1))
1906 size_kern = match_size;
1907 module_put(match->me);
1908 break;
1909 case EBT_COMPAT_WATCHER:
1910 case EBT_COMPAT_TARGET:
1911 wt = xt_request_find_target(NFPROTO_BRIDGE, name,
1912 mwt->u.revision);
1913 if (IS_ERR(wt))
1914 return PTR_ERR(wt);
1915 off = xt_compat_target_offset(wt);
1916
1917 if (dst) {
1918 if (wt->compat_from_user)
1919 wt->compat_from_user(dst, mwt->data);
1920 else
1921 memcpy(dst, mwt->data, match_size);
1922 }
1923
1924 size_kern = wt->targetsize;
1925 module_put(wt->me);
1926 break;
1927
1928 default:
1929 return -EINVAL;
1930 }
1931
1932 state->buf_kern_offset += match_size + off;
1933 state->buf_user_offset += match_size;
1934 pad = XT_ALIGN(size_kern) - size_kern;
1935
1936 if (pad > 0 && dst) {
1937 if (WARN_ON(state->buf_kern_len <= pad))
1938 return -EINVAL;
1939 if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
1940 return -EINVAL;
1941 memset(dst + size_kern, 0, pad);
1942 }
1943 return off + match_size;
1944}
1945
1946
1947
1948
1949static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32,
1950 unsigned int size_left, enum compat_mwt type,
1951 struct ebt_entries_buf_state *state, const void *base)
1952{
1953 const char *buf = (const char *)match32;
1954 int growth = 0;
1955
1956 if (size_left == 0)
1957 return 0;
1958
1959 do {
1960 struct ebt_entry_match *match_kern;
1961 int ret;
1962
1963 if (size_left < sizeof(*match32))
1964 return -EINVAL;
1965
1966 match_kern = (struct ebt_entry_match *) state->buf_kern_start;
1967 if (match_kern) {
1968 char *tmp;
1969 tmp = state->buf_kern_start + state->buf_kern_offset;
1970 match_kern = (struct ebt_entry_match *) tmp;
1971 }
1972 ret = ebt_buf_add(state, buf, sizeof(*match32));
1973 if (ret < 0)
1974 return ret;
1975 size_left -= sizeof(*match32);
1976
1977
1978 ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize());
1979 if (ret < 0)
1980 return ret;
1981
1982 if (match32->match_size > size_left)
1983 return -EINVAL;
1984
1985 size_left -= match32->match_size;
1986
1987 ret = compat_mtw_from_user(match32, type, state, base);
1988 if (ret < 0)
1989 return ret;
1990
1991 if (WARN_ON(ret < match32->match_size))
1992 return -EINVAL;
1993 growth += ret - match32->match_size;
1994 growth += ebt_compat_entry_padsize();
1995
1996 buf += sizeof(*match32);
1997 buf += match32->match_size;
1998
1999 if (match_kern)
2000 match_kern->match_size = ret;
2001
2002 match32 = (struct compat_ebt_entry_mwt *) buf;
2003 } while (size_left);
2004
2005 return growth;
2006}
2007
2008
2009static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base,
2010 unsigned int *total,
2011 struct ebt_entries_buf_state *state)
2012{
2013 unsigned int i, j, startoff, next_expected_off, new_offset = 0;
2014
2015 unsigned int offsets[4];
2016 unsigned int *offsets_update = NULL;
2017 int ret;
2018 char *buf_start;
2019
2020 if (*total < sizeof(struct ebt_entries))
2021 return -EINVAL;
2022
2023 if (!entry->bitmask) {
2024 *total -= sizeof(struct ebt_entries);
2025 return ebt_buf_add(state, entry, sizeof(struct ebt_entries));
2026 }
2027 if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
2028 return -EINVAL;
2029
2030 startoff = state->buf_user_offset;
2031
2032 ret = ebt_buf_add(state, entry,
2033 offsetof(struct ebt_entry, watchers_offset));
2034 if (ret < 0)
2035 return ret;
2036
2037 offsets[0] = sizeof(struct ebt_entry);
2038 memcpy(&offsets[1], &entry->watchers_offset,
2039 sizeof(offsets) - sizeof(offsets[0]));
2040
2041 if (state->buf_kern_start) {
2042 buf_start = state->buf_kern_start + state->buf_kern_offset;
2043 offsets_update = (unsigned int *) buf_start;
2044 }
2045 ret = ebt_buf_add(state, &offsets[1],
2046 sizeof(offsets) - sizeof(offsets[0]));
2047 if (ret < 0)
2048 return ret;
2049 buf_start = (char *) entry;
2050
2051
2052
2053
2054
2055
2056
2057 for (i = 0; i < 4 ; ++i) {
2058 if (offsets[i] > *total)
2059 return -EINVAL;
2060
2061 if (i < 3 && offsets[i] == *total)
2062 return -EINVAL;
2063
2064 if (i == 0)
2065 continue;
2066 if (offsets[i-1] > offsets[i])
2067 return -EINVAL;
2068 }
2069
2070 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
2071 struct compat_ebt_entry_mwt *match32;
2072 unsigned int size;
2073 char *buf = buf_start + offsets[i];
2074
2075 if (offsets[i] > offsets[j])
2076 return -EINVAL;
2077
2078 match32 = (struct compat_ebt_entry_mwt *) buf;
2079 size = offsets[j] - offsets[i];
2080 ret = ebt_size_mwt(match32, size, i, state, base);
2081 if (ret < 0)
2082 return ret;
2083 new_offset += ret;
2084 if (offsets_update && new_offset) {
2085 pr_debug("change offset %d to %d\n",
2086 offsets_update[i], offsets[j] + new_offset);
2087 offsets_update[i] = offsets[j] + new_offset;
2088 }
2089 }
2090
2091 if (state->buf_kern_start == NULL) {
2092 unsigned int offset = buf_start - (char *) base;
2093
2094 ret = xt_compat_add_offset(NFPROTO_BRIDGE, offset, new_offset);
2095 if (ret < 0)
2096 return ret;
2097 }
2098
2099 next_expected_off = state->buf_user_offset - startoff;
2100 if (next_expected_off != entry->next_offset)
2101 return -EINVAL;
2102
2103 if (*total < entry->next_offset)
2104 return -EINVAL;
2105 *total -= entry->next_offset;
2106 return 0;
2107}
2108
2109
2110
2111
2112
2113
2114
2115static int compat_copy_entries(unsigned char *data, unsigned int size_user,
2116 struct ebt_entries_buf_state *state)
2117{
2118 unsigned int size_remaining = size_user;
2119 int ret;
2120
2121 ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data,
2122 &size_remaining, state);
2123 if (ret < 0)
2124 return ret;
2125
2126 if (size_remaining)
2127 return -EINVAL;
2128
2129 return state->buf_kern_offset;
2130}
2131
2132
2133static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
2134 sockptr_t arg, unsigned int len)
2135{
2136 struct compat_ebt_replace tmp;
2137 int i;
2138
2139 if (len < sizeof(tmp))
2140 return -EINVAL;
2141
2142 if (copy_from_sockptr(&tmp, arg, sizeof(tmp)))
2143 return -EFAULT;
2144
2145 if (len != sizeof(tmp) + tmp.entries_size)
2146 return -EINVAL;
2147
2148 if (tmp.entries_size == 0)
2149 return -EINVAL;
2150
2151 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
2152 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
2153 return -ENOMEM;
2154 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
2155 return -ENOMEM;
2156
2157 memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
2158
2159
2160 for (i = 0; i < NF_BR_NUMHOOKS; i++)
2161 repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]);
2162
2163 repl->num_counters = tmp.num_counters;
2164 repl->counters = compat_ptr(tmp.counters);
2165 repl->entries = compat_ptr(tmp.entries);
2166 return 0;
2167}
2168
2169static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
2170{
2171 int ret, i, countersize, size64;
2172 struct ebt_table_info *newinfo;
2173 struct ebt_replace tmp;
2174 struct ebt_entries_buf_state state;
2175 void *entries_tmp;
2176
2177 ret = compat_copy_ebt_replace_from_user(&tmp, arg, len);
2178 if (ret) {
2179
2180 if (ret == -EINVAL && do_replace(net, arg, len) == 0)
2181 ret = 0;
2182 return ret;
2183 }
2184
2185 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
2186 newinfo = vmalloc(sizeof(*newinfo) + countersize);
2187 if (!newinfo)
2188 return -ENOMEM;
2189
2190 if (countersize)
2191 memset(newinfo->counters, 0, countersize);
2192
2193 memset(&state, 0, sizeof(state));
2194
2195 newinfo->entries = vmalloc(tmp.entries_size);
2196 if (!newinfo->entries) {
2197 ret = -ENOMEM;
2198 goto free_newinfo;
2199 }
2200 if (copy_from_user(
2201 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
2202 ret = -EFAULT;
2203 goto free_entries;
2204 }
2205
2206 entries_tmp = newinfo->entries;
2207
2208 xt_compat_lock(NFPROTO_BRIDGE);
2209
2210 ret = ebt_compat_init_offsets(tmp.nentries);
2211 if (ret < 0)
2212 goto out_unlock;
2213
2214 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2215 if (ret < 0)
2216 goto out_unlock;
2217
2218 pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n",
2219 tmp.entries_size, state.buf_kern_offset, state.buf_user_offset,
2220 xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size));
2221
2222 size64 = ret;
2223 newinfo->entries = vmalloc(size64);
2224 if (!newinfo->entries) {
2225 vfree(entries_tmp);
2226 ret = -ENOMEM;
2227 goto out_unlock;
2228 }
2229
2230 memset(&state, 0, sizeof(state));
2231 state.buf_kern_start = newinfo->entries;
2232 state.buf_kern_len = size64;
2233
2234 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2235 if (WARN_ON(ret < 0)) {
2236 vfree(entries_tmp);
2237 goto out_unlock;
2238 }
2239
2240 vfree(entries_tmp);
2241 tmp.entries_size = size64;
2242
2243 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
2244 char __user *usrptr;
2245 if (tmp.hook_entry[i]) {
2246 unsigned int delta;
2247 usrptr = (char __user *) tmp.hook_entry[i];
2248 delta = usrptr - tmp.entries;
2249 usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta);
2250 tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr;
2251 }
2252 }
2253
2254 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2255 xt_compat_unlock(NFPROTO_BRIDGE);
2256
2257 ret = do_replace_finish(net, &tmp, newinfo);
2258 if (ret == 0)
2259 return ret;
2260free_entries:
2261 vfree(newinfo->entries);
2262free_newinfo:
2263 vfree(newinfo);
2264 return ret;
2265out_unlock:
2266 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2267 xt_compat_unlock(NFPROTO_BRIDGE);
2268 goto free_entries;
2269}
2270
2271static int compat_update_counters(struct net *net, sockptr_t arg,
2272 unsigned int len)
2273{
2274 struct compat_ebt_replace hlp;
2275
2276 if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
2277 return -EFAULT;
2278
2279
2280 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
2281 return update_counters(net, arg, len);
2282
2283 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters),
2284 hlp.num_counters, len);
2285}
2286
2287static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
2288 void __user *user, int *len)
2289{
2290 int ret;
2291 struct compat_ebt_replace tmp;
2292 struct ebt_table *t;
2293 struct net *net = sock_net(sk);
2294
2295 if ((cmd == EBT_SO_GET_INFO || cmd == EBT_SO_GET_INIT_INFO) &&
2296 *len != sizeof(struct compat_ebt_replace))
2297 return -EINVAL;
2298
2299 if (copy_from_user(&tmp, user, sizeof(tmp)))
2300 return -EFAULT;
2301
2302 tmp.name[sizeof(tmp.name) - 1] = '\0';
2303
2304 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
2305 if (!t)
2306 return ret;
2307
2308 xt_compat_lock(NFPROTO_BRIDGE);
2309 switch (cmd) {
2310 case EBT_SO_GET_INFO:
2311 tmp.nentries = t->private->nentries;
2312 ret = compat_table_info(t->private, &tmp);
2313 if (ret)
2314 goto out;
2315 tmp.valid_hooks = t->valid_hooks;
2316
2317 if (copy_to_user(user, &tmp, *len) != 0) {
2318 ret = -EFAULT;
2319 break;
2320 }
2321 ret = 0;
2322 break;
2323 case EBT_SO_GET_INIT_INFO:
2324 tmp.nentries = t->table->nentries;
2325 tmp.entries_size = t->table->entries_size;
2326 tmp.valid_hooks = t->table->valid_hooks;
2327
2328 if (copy_to_user(user, &tmp, *len) != 0) {
2329 ret = -EFAULT;
2330 break;
2331 }
2332 ret = 0;
2333 break;
2334 case EBT_SO_GET_ENTRIES:
2335 case EBT_SO_GET_INIT_ENTRIES:
2336
2337
2338
2339
2340
2341
2342
2343
2344 if (copy_everything_to_user(t, user, len, cmd) == 0)
2345 ret = 0;
2346 else
2347 ret = compat_copy_everything_to_user(t, user, len, cmd);
2348 break;
2349 default:
2350 ret = -EINVAL;
2351 }
2352 out:
2353 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2354 xt_compat_unlock(NFPROTO_BRIDGE);
2355 mutex_unlock(&ebt_mutex);
2356 return ret;
2357}
2358#endif
2359
2360static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2361{
2362 struct net *net = sock_net(sk);
2363 struct ebt_replace tmp;
2364 struct ebt_table *t;
2365 int ret;
2366
2367 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2368 return -EPERM;
2369
2370#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
2371
2372 if (in_compat_syscall() &&
2373 ((cmd != EBT_SO_GET_INFO && cmd != EBT_SO_GET_INIT_INFO) ||
2374 *len != sizeof(tmp)))
2375 return compat_do_ebt_get_ctl(sk, cmd, user, len);
2376#endif
2377
2378 if (copy_from_user(&tmp, user, sizeof(tmp)))
2379 return -EFAULT;
2380
2381 tmp.name[sizeof(tmp.name) - 1] = '\0';
2382
2383 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
2384 if (!t)
2385 return ret;
2386
2387 switch (cmd) {
2388 case EBT_SO_GET_INFO:
2389 case EBT_SO_GET_INIT_INFO:
2390 if (*len != sizeof(struct ebt_replace)) {
2391 ret = -EINVAL;
2392 mutex_unlock(&ebt_mutex);
2393 break;
2394 }
2395 if (cmd == EBT_SO_GET_INFO) {
2396 tmp.nentries = t->private->nentries;
2397 tmp.entries_size = t->private->entries_size;
2398 tmp.valid_hooks = t->valid_hooks;
2399 } else {
2400 tmp.nentries = t->table->nentries;
2401 tmp.entries_size = t->table->entries_size;
2402 tmp.valid_hooks = t->table->valid_hooks;
2403 }
2404 mutex_unlock(&ebt_mutex);
2405 if (copy_to_user(user, &tmp, *len) != 0) {
2406 ret = -EFAULT;
2407 break;
2408 }
2409 ret = 0;
2410 break;
2411
2412 case EBT_SO_GET_ENTRIES:
2413 case EBT_SO_GET_INIT_ENTRIES:
2414 ret = copy_everything_to_user(t, user, len, cmd);
2415 mutex_unlock(&ebt_mutex);
2416 break;
2417
2418 default:
2419 mutex_unlock(&ebt_mutex);
2420 ret = -EINVAL;
2421 }
2422
2423 return ret;
2424}
2425
2426static int do_ebt_set_ctl(struct sock *sk, int cmd, sockptr_t arg,
2427 unsigned int len)
2428{
2429 struct net *net = sock_net(sk);
2430 int ret;
2431
2432 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2433 return -EPERM;
2434
2435 switch (cmd) {
2436 case EBT_SO_SET_ENTRIES:
2437#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
2438 if (in_compat_syscall())
2439 ret = compat_do_replace(net, arg, len);
2440 else
2441#endif
2442 ret = do_replace(net, arg, len);
2443 break;
2444 case EBT_SO_SET_COUNTERS:
2445#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
2446 if (in_compat_syscall())
2447 ret = compat_update_counters(net, arg, len);
2448 else
2449#endif
2450 ret = update_counters(net, arg, len);
2451 break;
2452 default:
2453 ret = -EINVAL;
2454 }
2455 return ret;
2456}
2457
2458static struct nf_sockopt_ops ebt_sockopts = {
2459 .pf = PF_INET,
2460 .set_optmin = EBT_BASE_CTL,
2461 .set_optmax = EBT_SO_SET_MAX + 1,
2462 .set = do_ebt_set_ctl,
2463 .get_optmin = EBT_BASE_CTL,
2464 .get_optmax = EBT_SO_GET_MAX + 1,
2465 .get = do_ebt_get_ctl,
2466 .owner = THIS_MODULE,
2467};
2468
2469static int __net_init ebt_pernet_init(struct net *net)
2470{
2471 struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
2472
2473 INIT_LIST_HEAD(&ebt_net->tables);
2474 return 0;
2475}
2476
2477static struct pernet_operations ebt_net_ops = {
2478 .init = ebt_pernet_init,
2479 .id = &ebt_pernet_id,
2480 .size = sizeof(struct ebt_pernet),
2481};
2482
2483static int __init ebtables_init(void)
2484{
2485 int ret;
2486
2487 ret = xt_register_target(&ebt_standard_target);
2488 if (ret < 0)
2489 return ret;
2490 ret = nf_register_sockopt(&ebt_sockopts);
2491 if (ret < 0) {
2492 xt_unregister_target(&ebt_standard_target);
2493 return ret;
2494 }
2495
2496 ret = register_pernet_subsys(&ebt_net_ops);
2497 if (ret < 0) {
2498 nf_unregister_sockopt(&ebt_sockopts);
2499 xt_unregister_target(&ebt_standard_target);
2500 return ret;
2501 }
2502
2503 return 0;
2504}
2505
2506static void ebtables_fini(void)
2507{
2508 nf_unregister_sockopt(&ebt_sockopts);
2509 xt_unregister_target(&ebt_standard_target);
2510 unregister_pernet_subsys(&ebt_net_ops);
2511}
2512
2513EXPORT_SYMBOL(ebt_register_table);
2514EXPORT_SYMBOL(ebt_unregister_table);
2515EXPORT_SYMBOL(ebt_do_table);
2516module_init(ebtables_init);
2517module_exit(ebtables_fini);
2518MODULE_LICENSE("GPL");
2519