1
2
3
4
5
6
7
8
9
10
11
12
13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14#include <linux/kmod.h>
15#include <linux/module.h>
16#include <linux/vmalloc.h>
17#include <linux/netfilter/x_tables.h>
18#include <linux/netfilter_bridge/ebtables.h>
19#include <linux/spinlock.h>
20#include <linux/mutex.h>
21#include <linux/slab.h>
22#include <linux/uaccess.h>
23#include <linux/smp.h>
24#include <linux/cpumask.h>
25#include <linux/audit.h>
26#include <net/sock.h>
27#include <net/netns/generic.h>
28
29#include "../br_private.h"
30
31
32
33
34
35
36
37
38#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
39#define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
40#define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
41 COUNTER_OFFSET(n) * cpu))
42
43struct ebt_pernet {
44 struct list_head tables;
45};
46
47struct ebt_template {
48 struct list_head list;
49 char name[EBT_TABLE_MAXNAMELEN];
50 struct module *owner;
51
52 int (*table_init)(struct net *net);
53};
54
55static unsigned int ebt_pernet_id __read_mostly;
56static LIST_HEAD(template_tables);
57static DEFINE_MUTEX(ebt_mutex);
58
59#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
60static void ebt_standard_compat_from_user(void *dst, const void *src)
61{
62 int v = *(compat_int_t *)src;
63
64 if (v >= 0)
65 v += xt_compat_calc_jump(NFPROTO_BRIDGE, v);
66 memcpy(dst, &v, sizeof(v));
67}
68
69static int ebt_standard_compat_to_user(void __user *dst, const void *src)
70{
71 compat_int_t cv = *(int *)src;
72
73 if (cv >= 0)
74 cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv);
75 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
76}
77#endif
78
79
80static struct xt_target ebt_standard_target = {
81 .name = "standard",
82 .revision = 0,
83 .family = NFPROTO_BRIDGE,
84 .targetsize = sizeof(int),
85#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
86 .compatsize = sizeof(compat_int_t),
87 .compat_from_user = ebt_standard_compat_from_user,
88 .compat_to_user = ebt_standard_compat_to_user,
89#endif
90};
91
92static inline int
93ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
94 struct xt_action_param *par)
95{
96 par->target = w->u.watcher;
97 par->targinfo = w->data;
98 w->u.watcher->target(skb, par);
99
100 return 0;
101}
102
103static inline int
104ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
105 struct xt_action_param *par)
106{
107 par->match = m->u.match;
108 par->matchinfo = m->data;
109 return !m->u.match->match(skb, par);
110}
111
112static inline int
113ebt_dev_check(const char *entry, const struct net_device *device)
114{
115 int i = 0;
116 const char *devname;
117
118 if (*entry == '\0')
119 return 0;
120 if (!device)
121 return 1;
122 devname = device->name;
123
124 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
125 i++;
126 return devname[i] != entry[i] && entry[i] != 1;
127}
128
129
130static inline int
131ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
132 const struct net_device *in, const struct net_device *out)
133{
134 const struct ethhdr *h = eth_hdr(skb);
135 const struct net_bridge_port *p;
136 __be16 ethproto;
137
138 if (skb_vlan_tag_present(skb))
139 ethproto = htons(ETH_P_8021Q);
140 else
141 ethproto = h->h_proto;
142
143 if (e->bitmask & EBT_802_3) {
144 if (NF_INVF(e, EBT_IPROTO, eth_proto_is_802_3(ethproto)))
145 return 1;
146 } else if (!(e->bitmask & EBT_NOPROTO) &&
147 NF_INVF(e, EBT_IPROTO, e->ethproto != ethproto))
148 return 1;
149
150 if (NF_INVF(e, EBT_IIN, ebt_dev_check(e->in, in)))
151 return 1;
152 if (NF_INVF(e, EBT_IOUT, ebt_dev_check(e->out, out)))
153 return 1;
154
155 if (in && (p = br_port_get_rcu(in)) != NULL &&
156 NF_INVF(e, EBT_ILOGICALIN,
157 ebt_dev_check(e->logical_in, p->br->dev)))
158 return 1;
159 if (out && (p = br_port_get_rcu(out)) != NULL &&
160 NF_INVF(e, EBT_ILOGICALOUT,
161 ebt_dev_check(e->logical_out, p->br->dev)))
162 return 1;
163
164 if (e->bitmask & EBT_SOURCEMAC) {
165 if (NF_INVF(e, EBT_ISOURCE,
166 !ether_addr_equal_masked(h->h_source, e->sourcemac,
167 e->sourcemsk)))
168 return 1;
169 }
170 if (e->bitmask & EBT_DESTMAC) {
171 if (NF_INVF(e, EBT_IDEST,
172 !ether_addr_equal_masked(h->h_dest, e->destmac,
173 e->destmsk)))
174 return 1;
175 }
176 return 0;
177}
178
179static inline
180struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
181{
182 return (void *)entry + entry->next_offset;
183}
184
185static inline const struct ebt_entry_target *
186ebt_get_target_c(const struct ebt_entry *e)
187{
188 return ebt_get_target((struct ebt_entry *)e);
189}
190
191
192unsigned int ebt_do_table(struct sk_buff *skb,
193 const struct nf_hook_state *state,
194 struct ebt_table *table)
195{
196 unsigned int hook = state->hook;
197 int i, nentries;
198 struct ebt_entry *point;
199 struct ebt_counter *counter_base, *cb_base;
200 const struct ebt_entry_target *t;
201 int verdict, sp = 0;
202 struct ebt_chainstack *cs;
203 struct ebt_entries *chaininfo;
204 const char *base;
205 const struct ebt_table_info *private;
206 struct xt_action_param acpar;
207
208 acpar.state = state;
209 acpar.hotdrop = false;
210
211 read_lock_bh(&table->lock);
212 private = table->private;
213 cb_base = COUNTER_BASE(private->counters, private->nentries,
214 smp_processor_id());
215 if (private->chainstack)
216 cs = private->chainstack[smp_processor_id()];
217 else
218 cs = NULL;
219 chaininfo = private->hook_entry[hook];
220 nentries = private->hook_entry[hook]->nentries;
221 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
222 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
223
224 base = private->entries;
225 i = 0;
226 while (i < nentries) {
227 if (ebt_basic_match(point, skb, state->in, state->out))
228 goto letscontinue;
229
230 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
231 goto letscontinue;
232 if (acpar.hotdrop) {
233 read_unlock_bh(&table->lock);
234 return NF_DROP;
235 }
236
237 ADD_COUNTER(*(counter_base + i), skb->len, 1);
238
239
240
241
242 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
243
244 t = ebt_get_target_c(point);
245
246 if (!t->u.target->target)
247 verdict = ((struct ebt_standard_target *)t)->verdict;
248 else {
249 acpar.target = t->u.target;
250 acpar.targinfo = t->data;
251 verdict = t->u.target->target(skb, &acpar);
252 }
253 if (verdict == EBT_ACCEPT) {
254 read_unlock_bh(&table->lock);
255 return NF_ACCEPT;
256 }
257 if (verdict == EBT_DROP) {
258 read_unlock_bh(&table->lock);
259 return NF_DROP;
260 }
261 if (verdict == EBT_RETURN) {
262letsreturn:
263 if (WARN(sp == 0, "RETURN on base chain")) {
264
265 goto letscontinue;
266 }
267
268 sp--;
269
270 i = cs[sp].n;
271 chaininfo = cs[sp].chaininfo;
272 nentries = chaininfo->nentries;
273 point = cs[sp].e;
274 counter_base = cb_base +
275 chaininfo->counter_offset;
276 continue;
277 }
278 if (verdict == EBT_CONTINUE)
279 goto letscontinue;
280
281 if (WARN(verdict < 0, "bogus standard verdict\n")) {
282 read_unlock_bh(&table->lock);
283 return NF_DROP;
284 }
285
286
287 cs[sp].n = i + 1;
288 cs[sp].chaininfo = chaininfo;
289 cs[sp].e = ebt_next_entry(point);
290 i = 0;
291 chaininfo = (struct ebt_entries *) (base + verdict);
292
293 if (WARN(chaininfo->distinguisher, "jump to non-chain\n")) {
294 read_unlock_bh(&table->lock);
295 return NF_DROP;
296 }
297
298 nentries = chaininfo->nentries;
299 point = (struct ebt_entry *)chaininfo->data;
300 counter_base = cb_base + chaininfo->counter_offset;
301 sp++;
302 continue;
303letscontinue:
304 point = ebt_next_entry(point);
305 i++;
306 }
307
308
309 if (chaininfo->policy == EBT_RETURN)
310 goto letsreturn;
311 if (chaininfo->policy == EBT_ACCEPT) {
312 read_unlock_bh(&table->lock);
313 return NF_ACCEPT;
314 }
315 read_unlock_bh(&table->lock);
316 return NF_DROP;
317}
318
319
320static inline void *
321find_inlist_lock_noload(struct net *net, const char *name, int *error,
322 struct mutex *mutex)
323{
324 struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
325 struct ebt_template *tmpl;
326 struct ebt_table *table;
327
328 mutex_lock(mutex);
329 list_for_each_entry(table, &ebt_net->tables, list) {
330 if (strcmp(table->name, name) == 0)
331 return table;
332 }
333
334 list_for_each_entry(tmpl, &template_tables, list) {
335 if (strcmp(name, tmpl->name) == 0) {
336 struct module *owner = tmpl->owner;
337
338 if (!try_module_get(owner))
339 goto out;
340
341 mutex_unlock(mutex);
342
343 *error = tmpl->table_init(net);
344 if (*error) {
345 module_put(owner);
346 return NULL;
347 }
348
349 mutex_lock(mutex);
350 module_put(owner);
351 break;
352 }
353 }
354
355 list_for_each_entry(table, &ebt_net->tables, list) {
356 if (strcmp(table->name, name) == 0)
357 return table;
358 }
359
360out:
361 *error = -ENOENT;
362 mutex_unlock(mutex);
363 return NULL;
364}
365
366static void *
367find_inlist_lock(struct net *net, const char *name, const char *prefix,
368 int *error, struct mutex *mutex)
369{
370 return try_then_request_module(
371 find_inlist_lock_noload(net, name, error, mutex),
372 "%s%s", prefix, name);
373}
374
375static inline struct ebt_table *
376find_table_lock(struct net *net, const char *name, int *error,
377 struct mutex *mutex)
378{
379 return find_inlist_lock(net, name, "ebtable_", error, mutex);
380}
381
382static inline void ebt_free_table_info(struct ebt_table_info *info)
383{
384 int i;
385
386 if (info->chainstack) {
387 for_each_possible_cpu(i)
388 vfree(info->chainstack[i]);
389 vfree(info->chainstack);
390 }
391}
392static inline int
393ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
394 unsigned int *cnt)
395{
396 const struct ebt_entry *e = par->entryinfo;
397 struct xt_match *match;
398 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
399 int ret;
400
401 if (left < sizeof(struct ebt_entry_match) ||
402 left - sizeof(struct ebt_entry_match) < m->match_size)
403 return -EINVAL;
404
405 match = xt_find_match(NFPROTO_BRIDGE, m->u.name, m->u.revision);
406 if (IS_ERR(match) || match->family != NFPROTO_BRIDGE) {
407 if (!IS_ERR(match))
408 module_put(match->me);
409 request_module("ebt_%s", m->u.name);
410 match = xt_find_match(NFPROTO_BRIDGE, m->u.name, m->u.revision);
411 }
412 if (IS_ERR(match))
413 return PTR_ERR(match);
414 m->u.match = match;
415
416 par->match = match;
417 par->matchinfo = m->data;
418 ret = xt_check_match(par, m->match_size,
419 ntohs(e->ethproto), e->invflags & EBT_IPROTO);
420 if (ret < 0) {
421 module_put(match->me);
422 return ret;
423 }
424
425 (*cnt)++;
426 return 0;
427}
428
429static inline int
430ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
431 unsigned int *cnt)
432{
433 const struct ebt_entry *e = par->entryinfo;
434 struct xt_target *watcher;
435 size_t left = ((char *)e + e->target_offset) - (char *)w;
436 int ret;
437
438 if (left < sizeof(struct ebt_entry_watcher) ||
439 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
440 return -EINVAL;
441
442 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
443 if (IS_ERR(watcher))
444 return PTR_ERR(watcher);
445
446 if (watcher->family != NFPROTO_BRIDGE) {
447 module_put(watcher->me);
448 return -ENOENT;
449 }
450
451 w->u.watcher = watcher;
452
453 par->target = watcher;
454 par->targinfo = w->data;
455 ret = xt_check_target(par, w->watcher_size,
456 ntohs(e->ethproto), e->invflags & EBT_IPROTO);
457 if (ret < 0) {
458 module_put(watcher->me);
459 return ret;
460 }
461
462 (*cnt)++;
463 return 0;
464}
465
466static int ebt_verify_pointers(const struct ebt_replace *repl,
467 struct ebt_table_info *newinfo)
468{
469 unsigned int limit = repl->entries_size;
470 unsigned int valid_hooks = repl->valid_hooks;
471 unsigned int offset = 0;
472 int i;
473
474 for (i = 0; i < NF_BR_NUMHOOKS; i++)
475 newinfo->hook_entry[i] = NULL;
476
477 newinfo->entries_size = repl->entries_size;
478 newinfo->nentries = repl->nentries;
479
480 while (offset < limit) {
481 size_t left = limit - offset;
482 struct ebt_entry *e = (void *)newinfo->entries + offset;
483
484 if (left < sizeof(unsigned int))
485 break;
486
487 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
488 if ((valid_hooks & (1 << i)) == 0)
489 continue;
490 if ((char __user *)repl->hook_entry[i] ==
491 repl->entries + offset)
492 break;
493 }
494
495 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
496 if (e->bitmask != 0) {
497
498
499
500 return -EINVAL;
501 }
502 if (i != NF_BR_NUMHOOKS)
503 newinfo->hook_entry[i] = (struct ebt_entries *)e;
504 if (left < sizeof(struct ebt_entries))
505 break;
506 offset += sizeof(struct ebt_entries);
507 } else {
508 if (left < sizeof(struct ebt_entry))
509 break;
510 if (left < e->next_offset)
511 break;
512 if (e->next_offset < sizeof(struct ebt_entry))
513 return -EINVAL;
514 offset += e->next_offset;
515 }
516 }
517 if (offset != limit)
518 return -EINVAL;
519
520
521 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
522 if (!newinfo->hook_entry[i] &&
523 (valid_hooks & (1 << i)))
524 return -EINVAL;
525 }
526 return 0;
527}
528
529
530
531
532static inline int
533ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
534 const struct ebt_table_info *newinfo,
535 unsigned int *n, unsigned int *cnt,
536 unsigned int *totalcnt, unsigned int *udc_cnt)
537{
538 int i;
539
540 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
541 if ((void *)e == (void *)newinfo->hook_entry[i])
542 break;
543 }
544
545
546
547 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
548
549
550
551 if (*n != *cnt)
552 return -EINVAL;
553
554 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
555 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
556
557 if (i != NF_BR_NUMHOOKS ||
558 ((struct ebt_entries *)e)->policy != EBT_RETURN)
559 return -EINVAL;
560 }
561 if (i == NF_BR_NUMHOOKS)
562 (*udc_cnt)++;
563 if (((struct ebt_entries *)e)->counter_offset != *totalcnt)
564 return -EINVAL;
565 *n = ((struct ebt_entries *)e)->nentries;
566 *cnt = 0;
567 return 0;
568 }
569
570 if (sizeof(struct ebt_entry) > e->watchers_offset ||
571 e->watchers_offset > e->target_offset ||
572 e->target_offset >= e->next_offset)
573 return -EINVAL;
574
575
576 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target))
577 return -EINVAL;
578
579 (*cnt)++;
580 (*totalcnt)++;
581 return 0;
582}
583
584struct ebt_cl_stack {
585 struct ebt_chainstack cs;
586 int from;
587 unsigned int hookmask;
588};
589
590
591
592
593static inline int
594ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
595 unsigned int *n, struct ebt_cl_stack *udc)
596{
597 int i;
598
599
600 if (e->bitmask)
601 return 0;
602 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
603 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
604 break;
605 }
606
607 if (i != NF_BR_NUMHOOKS)
608 return 0;
609
610 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
611
612 udc[*n].cs.n = 0;
613 udc[*n].hookmask = 0;
614
615 (*n)++;
616 return 0;
617}
618
619static inline int
620ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
621{
622 struct xt_mtdtor_param par;
623
624 if (i && (*i)-- == 0)
625 return 1;
626
627 par.net = net;
628 par.match = m->u.match;
629 par.matchinfo = m->data;
630 par.family = NFPROTO_BRIDGE;
631 if (par.match->destroy != NULL)
632 par.match->destroy(&par);
633 module_put(par.match->me);
634 return 0;
635}
636
637static inline int
638ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
639{
640 struct xt_tgdtor_param par;
641
642 if (i && (*i)-- == 0)
643 return 1;
644
645 par.net = net;
646 par.target = w->u.watcher;
647 par.targinfo = w->data;
648 par.family = NFPROTO_BRIDGE;
649 if (par.target->destroy != NULL)
650 par.target->destroy(&par);
651 module_put(par.target->me);
652 return 0;
653}
654
655static inline int
656ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
657{
658 struct xt_tgdtor_param par;
659 struct ebt_entry_target *t;
660
661 if (e->bitmask == 0)
662 return 0;
663
664 if (cnt && (*cnt)-- == 0)
665 return 1;
666 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
667 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
668 t = ebt_get_target(e);
669
670 par.net = net;
671 par.target = t->u.target;
672 par.targinfo = t->data;
673 par.family = NFPROTO_BRIDGE;
674 if (par.target->destroy != NULL)
675 par.target->destroy(&par);
676 module_put(par.target->me);
677 return 0;
678}
679
680static inline int
681ebt_check_entry(struct ebt_entry *e, struct net *net,
682 const struct ebt_table_info *newinfo,
683 const char *name, unsigned int *cnt,
684 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
685{
686 struct ebt_entry_target *t;
687 struct xt_target *target;
688 unsigned int i, j, hook = 0, hookmask = 0;
689 size_t gap;
690 int ret;
691 struct xt_mtchk_param mtpar;
692 struct xt_tgchk_param tgpar;
693
694
695 if (e->bitmask == 0)
696 return 0;
697
698 if (e->bitmask & ~EBT_F_MASK)
699 return -EINVAL;
700
701 if (e->invflags & ~EBT_INV_MASK)
702 return -EINVAL;
703
704 if ((e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3))
705 return -EINVAL;
706
707
708 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
709 if (!newinfo->hook_entry[i])
710 continue;
711 if ((char *)newinfo->hook_entry[i] < (char *)e)
712 hook = i;
713 else
714 break;
715 }
716
717
718
719 if (i < NF_BR_NUMHOOKS)
720 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
721 else {
722 for (i = 0; i < udc_cnt; i++)
723 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
724 break;
725 if (i == 0)
726 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
727 else
728 hookmask = cl_s[i - 1].hookmask;
729 }
730 i = 0;
731
732 memset(&mtpar, 0, sizeof(mtpar));
733 memset(&tgpar, 0, sizeof(tgpar));
734 mtpar.net = tgpar.net = net;
735 mtpar.table = tgpar.table = name;
736 mtpar.entryinfo = tgpar.entryinfo = e;
737 mtpar.hook_mask = tgpar.hook_mask = hookmask;
738 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
739 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
740 if (ret != 0)
741 goto cleanup_matches;
742 j = 0;
743 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
744 if (ret != 0)
745 goto cleanup_watchers;
746 t = ebt_get_target(e);
747 gap = e->next_offset - e->target_offset;
748
749 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
750 if (IS_ERR(target)) {
751 ret = PTR_ERR(target);
752 goto cleanup_watchers;
753 }
754
755
756 if (target->family != NFPROTO_BRIDGE) {
757 module_put(target->me);
758 ret = -ENOENT;
759 goto cleanup_watchers;
760 }
761
762 t->u.target = target;
763 if (t->u.target == &ebt_standard_target) {
764 if (gap < sizeof(struct ebt_standard_target)) {
765 ret = -EFAULT;
766 goto cleanup_watchers;
767 }
768 if (((struct ebt_standard_target *)t)->verdict <
769 -NUM_STANDARD_TARGETS) {
770 ret = -EFAULT;
771 goto cleanup_watchers;
772 }
773 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
774 module_put(t->u.target->me);
775 ret = -EFAULT;
776 goto cleanup_watchers;
777 }
778
779 tgpar.target = target;
780 tgpar.targinfo = t->data;
781 ret = xt_check_target(&tgpar, t->target_size,
782 ntohs(e->ethproto), e->invflags & EBT_IPROTO);
783 if (ret < 0) {
784 module_put(target->me);
785 goto cleanup_watchers;
786 }
787 (*cnt)++;
788 return 0;
789cleanup_watchers:
790 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
791cleanup_matches:
792 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
793 return ret;
794}
795
796
797
798
799
800static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
801 unsigned int udc_cnt, unsigned int hooknr, char *base)
802{
803 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
804 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
805 const struct ebt_entry_target *t;
806
807 while (pos < nentries || chain_nr != -1) {
808
809 if (pos == nentries) {
810
811 e = cl_s[chain_nr].cs.e;
812 if (cl_s[chain_nr].from != -1)
813 nentries =
814 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
815 else
816 nentries = chain->nentries;
817 pos = cl_s[chain_nr].cs.n;
818
819 cl_s[chain_nr].cs.n = 0;
820 chain_nr = cl_s[chain_nr].from;
821 if (pos == nentries)
822 continue;
823 }
824 t = ebt_get_target_c(e);
825 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
826 goto letscontinue;
827 if (e->target_offset + sizeof(struct ebt_standard_target) >
828 e->next_offset)
829 return -1;
830
831 verdict = ((struct ebt_standard_target *)t)->verdict;
832 if (verdict >= 0) {
833 struct ebt_entries *hlp2 =
834 (struct ebt_entries *)(base + verdict);
835 for (i = 0; i < udc_cnt; i++)
836 if (hlp2 == cl_s[i].cs.chaininfo)
837 break;
838
839 if (i == udc_cnt)
840 return -1;
841
842 if (cl_s[i].cs.n)
843 return -1;
844
845 if (cl_s[i].hookmask & (1 << hooknr))
846 goto letscontinue;
847
848 cl_s[i].cs.n = pos + 1;
849 pos = 0;
850 cl_s[i].cs.e = ebt_next_entry(e);
851 e = (struct ebt_entry *)(hlp2->data);
852 nentries = hlp2->nentries;
853 cl_s[i].from = chain_nr;
854 chain_nr = i;
855
856 cl_s[i].hookmask |= (1 << hooknr);
857 continue;
858 }
859letscontinue:
860 e = ebt_next_entry(e);
861 pos++;
862 }
863 return 0;
864}
865
866
867static int translate_table(struct net *net, const char *name,
868 struct ebt_table_info *newinfo)
869{
870 unsigned int i, j, k, udc_cnt;
871 int ret;
872 struct ebt_cl_stack *cl_s = NULL;
873
874 i = 0;
875 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
876 i++;
877 if (i == NF_BR_NUMHOOKS)
878 return -EINVAL;
879
880 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries)
881 return -EINVAL;
882
883
884
885
886 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
887 if (!newinfo->hook_entry[j])
888 continue;
889 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i])
890 return -EINVAL;
891
892 i = j;
893 }
894
895
896 i = 0;
897 j = 0;
898 k = 0;
899
900
901 udc_cnt = 0;
902 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
903 ebt_check_entry_size_and_hooks, newinfo,
904 &i, &j, &k, &udc_cnt);
905
906 if (ret != 0)
907 return ret;
908
909 if (i != j)
910 return -EINVAL;
911
912 if (k != newinfo->nentries)
913 return -EINVAL;
914
915
916
917
918 if (udc_cnt) {
919
920
921
922 newinfo->chainstack =
923 vmalloc(array_size(nr_cpu_ids,
924 sizeof(*(newinfo->chainstack))));
925 if (!newinfo->chainstack)
926 return -ENOMEM;
927 for_each_possible_cpu(i) {
928 newinfo->chainstack[i] =
929 vmalloc_node(array_size(udc_cnt,
930 sizeof(*(newinfo->chainstack[0]))),
931 cpu_to_node(i));
932 if (!newinfo->chainstack[i]) {
933 while (i)
934 vfree(newinfo->chainstack[--i]);
935 vfree(newinfo->chainstack);
936 newinfo->chainstack = NULL;
937 return -ENOMEM;
938 }
939 }
940
941 cl_s = vmalloc(array_size(udc_cnt, sizeof(*cl_s)));
942 if (!cl_s)
943 return -ENOMEM;
944 i = 0;
945 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
946 ebt_get_udc_positions, newinfo, &i, cl_s);
947
948 if (i != udc_cnt) {
949 vfree(cl_s);
950 return -EFAULT;
951 }
952 }
953
954
955 for (i = 0; i < NF_BR_NUMHOOKS; i++)
956 if (newinfo->hook_entry[i])
957 if (check_chainloops(newinfo->hook_entry[i],
958 cl_s, udc_cnt, i, newinfo->entries)) {
959 vfree(cl_s);
960 return -EINVAL;
961 }
962
963
964
965
966
967
968
969
970
971
972
973
974
975 i = 0;
976 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
977 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
978 if (ret != 0) {
979 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
980 ebt_cleanup_entry, net, &i);
981 }
982 vfree(cl_s);
983 return ret;
984}
985
986
987static void get_counters(const struct ebt_counter *oldcounters,
988 struct ebt_counter *counters, unsigned int nentries)
989{
990 int i, cpu;
991 struct ebt_counter *counter_base;
992
993
994 memcpy(counters, oldcounters,
995 sizeof(struct ebt_counter) * nentries);
996
997
998 for_each_possible_cpu(cpu) {
999 if (cpu == 0)
1000 continue;
1001 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
1002 for (i = 0; i < nentries; i++)
1003 ADD_COUNTER(counters[i], counter_base[i].bcnt,
1004 counter_base[i].pcnt);
1005 }
1006}
1007
1008static int do_replace_finish(struct net *net, struct ebt_replace *repl,
1009 struct ebt_table_info *newinfo)
1010{
1011 int ret;
1012 struct ebt_counter *counterstmp = NULL;
1013
1014 struct ebt_table_info *table;
1015 struct ebt_table *t;
1016
1017
1018
1019
1020 if (repl->num_counters) {
1021 unsigned long size = repl->num_counters * sizeof(*counterstmp);
1022 counterstmp = vmalloc(size);
1023 if (!counterstmp)
1024 return -ENOMEM;
1025 }
1026
1027 newinfo->chainstack = NULL;
1028 ret = ebt_verify_pointers(repl, newinfo);
1029 if (ret != 0)
1030 goto free_counterstmp;
1031
1032 ret = translate_table(net, repl->name, newinfo);
1033
1034 if (ret != 0)
1035 goto free_counterstmp;
1036
1037 t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
1038 if (!t) {
1039 ret = -ENOENT;
1040 goto free_iterate;
1041 }
1042
1043
1044 if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
1045 goto free_unlock;
1046
1047 if (repl->num_counters && repl->num_counters != t->private->nentries) {
1048 ret = -EINVAL;
1049 goto free_unlock;
1050 }
1051
1052
1053 table = t->private;
1054
1055 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1056 ret = -ENOENT;
1057 goto free_unlock;
1058 } else if (table->nentries && !newinfo->nentries)
1059 module_put(t->me);
1060
1061 write_lock_bh(&t->lock);
1062 if (repl->num_counters)
1063 get_counters(t->private->counters, counterstmp,
1064 t->private->nentries);
1065
1066 t->private = newinfo;
1067 write_unlock_bh(&t->lock);
1068 mutex_unlock(&ebt_mutex);
1069
1070
1071
1072
1073
1074 if (repl->num_counters &&
1075 copy_to_user(repl->counters, counterstmp,
1076 repl->num_counters * sizeof(struct ebt_counter))) {
1077
1078 net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
1079 }
1080
1081
1082 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1083 ebt_cleanup_entry, net, NULL);
1084
1085 vfree(table->entries);
1086 ebt_free_table_info(table);
1087 vfree(table);
1088 vfree(counterstmp);
1089
1090 audit_log_nfcfg(repl->name, AF_BRIDGE, repl->nentries,
1091 AUDIT_XT_OP_REPLACE, GFP_KERNEL);
1092 return ret;
1093
1094free_unlock:
1095 mutex_unlock(&ebt_mutex);
1096free_iterate:
1097 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1098 ebt_cleanup_entry, net, NULL);
1099free_counterstmp:
1100 vfree(counterstmp);
1101
1102 ebt_free_table_info(newinfo);
1103 return ret;
1104}
1105
1106
1107static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
1108{
1109 int ret, countersize;
1110 struct ebt_table_info *newinfo;
1111 struct ebt_replace tmp;
1112
1113 if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
1114 return -EFAULT;
1115
1116 if (len != sizeof(tmp) + tmp.entries_size)
1117 return -EINVAL;
1118
1119 if (tmp.entries_size == 0)
1120 return -EINVAL;
1121
1122
1123 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
1124 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1125 return -ENOMEM;
1126 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1127 return -ENOMEM;
1128
1129 tmp.name[sizeof(tmp.name) - 1] = 0;
1130
1131 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1132 newinfo = __vmalloc(sizeof(*newinfo) + countersize, GFP_KERNEL_ACCOUNT);
1133 if (!newinfo)
1134 return -ENOMEM;
1135
1136 if (countersize)
1137 memset(newinfo->counters, 0, countersize);
1138
1139 newinfo->entries = __vmalloc(tmp.entries_size, GFP_KERNEL_ACCOUNT);
1140 if (!newinfo->entries) {
1141 ret = -ENOMEM;
1142 goto free_newinfo;
1143 }
1144 if (copy_from_user(
1145 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1146 ret = -EFAULT;
1147 goto free_entries;
1148 }
1149
1150 ret = do_replace_finish(net, &tmp, newinfo);
1151 if (ret == 0)
1152 return ret;
1153free_entries:
1154 vfree(newinfo->entries);
1155free_newinfo:
1156 vfree(newinfo);
1157 return ret;
1158}
1159
1160static void __ebt_unregister_table(struct net *net, struct ebt_table *table)
1161{
1162 mutex_lock(&ebt_mutex);
1163 list_del(&table->list);
1164 mutex_unlock(&ebt_mutex);
1165 audit_log_nfcfg(table->name, AF_BRIDGE, table->private->nentries,
1166 AUDIT_XT_OP_UNREGISTER, GFP_KERNEL);
1167 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1168 ebt_cleanup_entry, net, NULL);
1169 if (table->private->nentries)
1170 module_put(table->me);
1171 vfree(table->private->entries);
1172 ebt_free_table_info(table->private);
1173 vfree(table->private);
1174 kfree(table->ops);
1175 kfree(table);
1176}
1177
1178int ebt_register_table(struct net *net, const struct ebt_table *input_table,
1179 const struct nf_hook_ops *template_ops)
1180{
1181 struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
1182 struct ebt_table_info *newinfo;
1183 struct ebt_table *t, *table;
1184 struct nf_hook_ops *ops;
1185 unsigned int num_ops;
1186 struct ebt_replace_kernel *repl;
1187 int ret, i, countersize;
1188 void *p;
1189
1190 if (input_table == NULL || (repl = input_table->table) == NULL ||
1191 repl->entries == NULL || repl->entries_size == 0 ||
1192 repl->counters != NULL || input_table->private != NULL)
1193 return -EINVAL;
1194
1195
1196 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1197 if (!table) {
1198 ret = -ENOMEM;
1199 goto out;
1200 }
1201
1202 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1203 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1204 ret = -ENOMEM;
1205 if (!newinfo)
1206 goto free_table;
1207
1208 p = vmalloc(repl->entries_size);
1209 if (!p)
1210 goto free_newinfo;
1211
1212 memcpy(p, repl->entries, repl->entries_size);
1213 newinfo->entries = p;
1214
1215 newinfo->entries_size = repl->entries_size;
1216 newinfo->nentries = repl->nentries;
1217
1218 if (countersize)
1219 memset(newinfo->counters, 0, countersize);
1220
1221
1222 newinfo->chainstack = NULL;
1223 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1224 if ((repl->valid_hooks & (1 << i)) == 0)
1225 newinfo->hook_entry[i] = NULL;
1226 else
1227 newinfo->hook_entry[i] = p +
1228 ((char *)repl->hook_entry[i] - repl->entries);
1229 }
1230 ret = translate_table(net, repl->name, newinfo);
1231 if (ret != 0)
1232 goto free_chainstack;
1233
1234 if (table->check && table->check(newinfo, table->valid_hooks)) {
1235 ret = -EINVAL;
1236 goto free_chainstack;
1237 }
1238
1239 table->private = newinfo;
1240 rwlock_init(&table->lock);
1241 mutex_lock(&ebt_mutex);
1242 list_for_each_entry(t, &ebt_net->tables, list) {
1243 if (strcmp(t->name, table->name) == 0) {
1244 ret = -EEXIST;
1245 goto free_unlock;
1246 }
1247 }
1248
1249
1250 if (newinfo->nentries && !try_module_get(table->me)) {
1251 ret = -ENOENT;
1252 goto free_unlock;
1253 }
1254
1255 num_ops = hweight32(table->valid_hooks);
1256 if (num_ops == 0) {
1257 ret = -EINVAL;
1258 goto free_unlock;
1259 }
1260
1261 ops = kmemdup(template_ops, sizeof(*ops) * num_ops, GFP_KERNEL);
1262 if (!ops) {
1263 ret = -ENOMEM;
1264 if (newinfo->nentries)
1265 module_put(table->me);
1266 goto free_unlock;
1267 }
1268
1269 for (i = 0; i < num_ops; i++)
1270 ops[i].priv = table;
1271
1272 list_add(&table->list, &ebt_net->tables);
1273 mutex_unlock(&ebt_mutex);
1274
1275 table->ops = ops;
1276 ret = nf_register_net_hooks(net, ops, num_ops);
1277 if (ret)
1278 __ebt_unregister_table(net, table);
1279
1280 audit_log_nfcfg(repl->name, AF_BRIDGE, repl->nentries,
1281 AUDIT_XT_OP_REGISTER, GFP_KERNEL);
1282 return ret;
1283free_unlock:
1284 mutex_unlock(&ebt_mutex);
1285free_chainstack:
1286 ebt_free_table_info(newinfo);
1287 vfree(newinfo->entries);
1288free_newinfo:
1289 vfree(newinfo);
1290free_table:
1291 kfree(table);
1292out:
1293 return ret;
1294}
1295
1296int ebt_register_template(const struct ebt_table *t, int (*table_init)(struct net *net))
1297{
1298 struct ebt_template *tmpl;
1299
1300 mutex_lock(&ebt_mutex);
1301 list_for_each_entry(tmpl, &template_tables, list) {
1302 if (WARN_ON_ONCE(strcmp(t->name, tmpl->name) == 0)) {
1303 mutex_unlock(&ebt_mutex);
1304 return -EEXIST;
1305 }
1306 }
1307
1308 tmpl = kzalloc(sizeof(*tmpl), GFP_KERNEL);
1309 if (!tmpl) {
1310 mutex_unlock(&ebt_mutex);
1311 return -ENOMEM;
1312 }
1313
1314 tmpl->table_init = table_init;
1315 strscpy(tmpl->name, t->name, sizeof(tmpl->name));
1316 tmpl->owner = t->me;
1317 list_add(&tmpl->list, &template_tables);
1318
1319 mutex_unlock(&ebt_mutex);
1320 return 0;
1321}
1322EXPORT_SYMBOL(ebt_register_template);
1323
1324void ebt_unregister_template(const struct ebt_table *t)
1325{
1326 struct ebt_template *tmpl;
1327
1328 mutex_lock(&ebt_mutex);
1329 list_for_each_entry(tmpl, &template_tables, list) {
1330 if (strcmp(t->name, tmpl->name))
1331 continue;
1332
1333 list_del(&tmpl->list);
1334 mutex_unlock(&ebt_mutex);
1335 kfree(tmpl);
1336 return;
1337 }
1338
1339 mutex_unlock(&ebt_mutex);
1340 WARN_ON_ONCE(1);
1341}
1342EXPORT_SYMBOL(ebt_unregister_template);
1343
1344static struct ebt_table *__ebt_find_table(struct net *net, const char *name)
1345{
1346 struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
1347 struct ebt_table *t;
1348
1349 mutex_lock(&ebt_mutex);
1350
1351 list_for_each_entry(t, &ebt_net->tables, list) {
1352 if (strcmp(t->name, name) == 0) {
1353 mutex_unlock(&ebt_mutex);
1354 return t;
1355 }
1356 }
1357
1358 mutex_unlock(&ebt_mutex);
1359 return NULL;
1360}
1361
1362void ebt_unregister_table_pre_exit(struct net *net, const char *name)
1363{
1364 struct ebt_table *table = __ebt_find_table(net, name);
1365
1366 if (table)
1367 nf_unregister_net_hooks(net, table->ops, hweight32(table->valid_hooks));
1368}
1369EXPORT_SYMBOL(ebt_unregister_table_pre_exit);
1370
1371void ebt_unregister_table(struct net *net, const char *name)
1372{
1373 struct ebt_table *table = __ebt_find_table(net, name);
1374
1375 if (table)
1376 __ebt_unregister_table(net, table);
1377}
1378
1379
1380static int do_update_counters(struct net *net, const char *name,
1381 struct ebt_counter __user *counters,
1382 unsigned int num_counters, unsigned int len)
1383{
1384 int i, ret;
1385 struct ebt_counter *tmp;
1386 struct ebt_table *t;
1387
1388 if (num_counters == 0)
1389 return -EINVAL;
1390
1391 tmp = vmalloc(array_size(num_counters, sizeof(*tmp)));
1392 if (!tmp)
1393 return -ENOMEM;
1394
1395 t = find_table_lock(net, name, &ret, &ebt_mutex);
1396 if (!t)
1397 goto free_tmp;
1398
1399 if (num_counters != t->private->nentries) {
1400 ret = -EINVAL;
1401 goto unlock_mutex;
1402 }
1403
1404 if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) {
1405 ret = -EFAULT;
1406 goto unlock_mutex;
1407 }
1408
1409
1410 write_lock_bh(&t->lock);
1411
1412
1413 for (i = 0; i < num_counters; i++)
1414 ADD_COUNTER(t->private->counters[i], tmp[i].bcnt, tmp[i].pcnt);
1415
1416 write_unlock_bh(&t->lock);
1417 ret = 0;
1418unlock_mutex:
1419 mutex_unlock(&ebt_mutex);
1420free_tmp:
1421 vfree(tmp);
1422 return ret;
1423}
1424
1425static int update_counters(struct net *net, sockptr_t arg, unsigned int len)
1426{
1427 struct ebt_replace hlp;
1428
1429 if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
1430 return -EFAULT;
1431
1432 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1433 return -EINVAL;
1434
1435 return do_update_counters(net, hlp.name, hlp.counters,
1436 hlp.num_counters, len);
1437}
1438
1439static inline int ebt_obj_to_user(char __user *um, const char *_name,
1440 const char *data, int entrysize,
1441 int usersize, int datasize, u8 revision)
1442{
1443 char name[EBT_EXTENSION_MAXNAMELEN] = {0};
1444
1445
1446
1447
1448 strlcpy(name, _name, sizeof(name));
1449 if (copy_to_user(um, name, EBT_EXTENSION_MAXNAMELEN) ||
1450 put_user(revision, (u8 __user *)(um + EBT_EXTENSION_MAXNAMELEN)) ||
1451 put_user(datasize, (int __user *)(um + EBT_EXTENSION_MAXNAMELEN + 1)) ||
1452 xt_data_to_user(um + entrysize, data, usersize, datasize,
1453 XT_ALIGN(datasize)))
1454 return -EFAULT;
1455
1456 return 0;
1457}
1458
1459static inline int ebt_match_to_user(const struct ebt_entry_match *m,
1460 const char *base, char __user *ubase)
1461{
1462 return ebt_obj_to_user(ubase + ((char *)m - base),
1463 m->u.match->name, m->data, sizeof(*m),
1464 m->u.match->usersize, m->match_size,
1465 m->u.match->revision);
1466}
1467
1468static inline int ebt_watcher_to_user(const struct ebt_entry_watcher *w,
1469 const char *base, char __user *ubase)
1470{
1471 return ebt_obj_to_user(ubase + ((char *)w - base),
1472 w->u.watcher->name, w->data, sizeof(*w),
1473 w->u.watcher->usersize, w->watcher_size,
1474 w->u.watcher->revision);
1475}
1476
1477static inline int ebt_entry_to_user(struct ebt_entry *e, const char *base,
1478 char __user *ubase)
1479{
1480 int ret;
1481 char __user *hlp;
1482 const struct ebt_entry_target *t;
1483
1484 if (e->bitmask == 0) {
1485
1486 if (copy_to_user(ubase + ((char *)e - base), e,
1487 sizeof(struct ebt_entries)))
1488 return -EFAULT;
1489 return 0;
1490 }
1491
1492 if (copy_to_user(ubase + ((char *)e - base), e, sizeof(*e)))
1493 return -EFAULT;
1494
1495 hlp = ubase + (((char *)e + e->target_offset) - base);
1496 t = ebt_get_target_c(e);
1497
1498 ret = EBT_MATCH_ITERATE(e, ebt_match_to_user, base, ubase);
1499 if (ret != 0)
1500 return ret;
1501 ret = EBT_WATCHER_ITERATE(e, ebt_watcher_to_user, base, ubase);
1502 if (ret != 0)
1503 return ret;
1504 ret = ebt_obj_to_user(hlp, t->u.target->name, t->data, sizeof(*t),
1505 t->u.target->usersize, t->target_size,
1506 t->u.target->revision);
1507 if (ret != 0)
1508 return ret;
1509
1510 return 0;
1511}
1512
1513static int copy_counters_to_user(struct ebt_table *t,
1514 const struct ebt_counter *oldcounters,
1515 void __user *user, unsigned int num_counters,
1516 unsigned int nentries)
1517{
1518 struct ebt_counter *counterstmp;
1519 int ret = 0;
1520
1521
1522 if (num_counters == 0)
1523 return 0;
1524
1525 if (num_counters != nentries)
1526 return -EINVAL;
1527
1528 counterstmp = vmalloc(array_size(nentries, sizeof(*counterstmp)));
1529 if (!counterstmp)
1530 return -ENOMEM;
1531
1532 write_lock_bh(&t->lock);
1533 get_counters(oldcounters, counterstmp, nentries);
1534 write_unlock_bh(&t->lock);
1535
1536 if (copy_to_user(user, counterstmp,
1537 nentries * sizeof(struct ebt_counter)))
1538 ret = -EFAULT;
1539 vfree(counterstmp);
1540 return ret;
1541}
1542
1543
1544static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1545 const int *len, int cmd)
1546{
1547 struct ebt_replace tmp;
1548 const struct ebt_counter *oldcounters;
1549 unsigned int entries_size, nentries;
1550 int ret;
1551 char *entries;
1552
1553 if (cmd == EBT_SO_GET_ENTRIES) {
1554 entries_size = t->private->entries_size;
1555 nentries = t->private->nentries;
1556 entries = t->private->entries;
1557 oldcounters = t->private->counters;
1558 } else {
1559 entries_size = t->table->entries_size;
1560 nentries = t->table->nentries;
1561 entries = t->table->entries;
1562 oldcounters = t->table->counters;
1563 }
1564
1565 if (copy_from_user(&tmp, user, sizeof(tmp)))
1566 return -EFAULT;
1567
1568 if (*len != sizeof(struct ebt_replace) + entries_size +
1569 (tmp.num_counters ? nentries * sizeof(struct ebt_counter) : 0))
1570 return -EINVAL;
1571
1572 if (tmp.nentries != nentries)
1573 return -EINVAL;
1574
1575 if (tmp.entries_size != entries_size)
1576 return -EINVAL;
1577
1578 ret = copy_counters_to_user(t, oldcounters, tmp.counters,
1579 tmp.num_counters, nentries);
1580 if (ret)
1581 return ret;
1582
1583
1584 return EBT_ENTRY_ITERATE(entries, entries_size,
1585 ebt_entry_to_user, entries, tmp.entries);
1586}
1587
1588#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
1589
1590struct compat_ebt_replace {
1591 char name[EBT_TABLE_MAXNAMELEN];
1592 compat_uint_t valid_hooks;
1593 compat_uint_t nentries;
1594 compat_uint_t entries_size;
1595
1596 compat_uptr_t hook_entry[NF_BR_NUMHOOKS];
1597
1598 compat_uint_t num_counters;
1599
1600 compat_uptr_t counters;
1601 compat_uptr_t entries;
1602};
1603
1604
1605struct compat_ebt_entry_mwt {
1606 union {
1607 struct {
1608 char name[EBT_EXTENSION_MAXNAMELEN];
1609 u8 revision;
1610 };
1611 compat_uptr_t ptr;
1612 } u;
1613 compat_uint_t match_size;
1614 compat_uint_t data[] __aligned(__alignof__(struct compat_ebt_replace));
1615};
1616
1617
1618static int ebt_compat_entry_padsize(void)
1619{
1620 BUILD_BUG_ON(sizeof(struct ebt_entry_match) <
1621 sizeof(struct compat_ebt_entry_mwt));
1622 return (int) sizeof(struct ebt_entry_match) -
1623 sizeof(struct compat_ebt_entry_mwt);
1624}
1625
1626static int ebt_compat_match_offset(const struct xt_match *match,
1627 unsigned int userlen)
1628{
1629
1630
1631
1632
1633
1634 if (unlikely(match->matchsize == -1))
1635 return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen);
1636 return xt_compat_match_offset(match);
1637}
1638
1639static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
1640 unsigned int *size)
1641{
1642 const struct xt_match *match = m->u.match;
1643 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1644 int off = ebt_compat_match_offset(match, m->match_size);
1645 compat_uint_t msize = m->match_size - off;
1646
1647 if (WARN_ON(off >= m->match_size))
1648 return -EINVAL;
1649
1650 if (copy_to_user(cm->u.name, match->name, strlen(match->name) + 1) ||
1651 put_user(match->revision, &cm->u.revision) ||
1652 put_user(msize, &cm->match_size))
1653 return -EFAULT;
1654
1655 if (match->compat_to_user) {
1656 if (match->compat_to_user(cm->data, m->data))
1657 return -EFAULT;
1658 } else {
1659 if (xt_data_to_user(cm->data, m->data, match->usersize, msize,
1660 COMPAT_XT_ALIGN(msize)))
1661 return -EFAULT;
1662 }
1663
1664 *size -= ebt_compat_entry_padsize() + off;
1665 *dstptr = cm->data;
1666 *dstptr += msize;
1667 return 0;
1668}
1669
1670static int compat_target_to_user(struct ebt_entry_target *t,
1671 void __user **dstptr,
1672 unsigned int *size)
1673{
1674 const struct xt_target *target = t->u.target;
1675 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1676 int off = xt_compat_target_offset(target);
1677 compat_uint_t tsize = t->target_size - off;
1678
1679 if (WARN_ON(off >= t->target_size))
1680 return -EINVAL;
1681
1682 if (copy_to_user(cm->u.name, target->name, strlen(target->name) + 1) ||
1683 put_user(target->revision, &cm->u.revision) ||
1684 put_user(tsize, &cm->match_size))
1685 return -EFAULT;
1686
1687 if (target->compat_to_user) {
1688 if (target->compat_to_user(cm->data, t->data))
1689 return -EFAULT;
1690 } else {
1691 if (xt_data_to_user(cm->data, t->data, target->usersize, tsize,
1692 COMPAT_XT_ALIGN(tsize)))
1693 return -EFAULT;
1694 }
1695
1696 *size -= ebt_compat_entry_padsize() + off;
1697 *dstptr = cm->data;
1698 *dstptr += tsize;
1699 return 0;
1700}
1701
1702static int compat_watcher_to_user(struct ebt_entry_watcher *w,
1703 void __user **dstptr,
1704 unsigned int *size)
1705{
1706 return compat_target_to_user((struct ebt_entry_target *)w,
1707 dstptr, size);
1708}
1709
1710static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr,
1711 unsigned int *size)
1712{
1713 struct ebt_entry_target *t;
1714 struct ebt_entry __user *ce;
1715 u32 watchers_offset, target_offset, next_offset;
1716 compat_uint_t origsize;
1717 int ret;
1718
1719 if (e->bitmask == 0) {
1720 if (*size < sizeof(struct ebt_entries))
1721 return -EINVAL;
1722 if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries)))
1723 return -EFAULT;
1724
1725 *dstptr += sizeof(struct ebt_entries);
1726 *size -= sizeof(struct ebt_entries);
1727 return 0;
1728 }
1729
1730 if (*size < sizeof(*ce))
1731 return -EINVAL;
1732
1733 ce = *dstptr;
1734 if (copy_to_user(ce, e, sizeof(*ce)))
1735 return -EFAULT;
1736
1737 origsize = *size;
1738 *dstptr += sizeof(*ce);
1739
1740 ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size);
1741 if (ret)
1742 return ret;
1743 watchers_offset = e->watchers_offset - (origsize - *size);
1744
1745 ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size);
1746 if (ret)
1747 return ret;
1748 target_offset = e->target_offset - (origsize - *size);
1749
1750 t = ebt_get_target(e);
1751
1752 ret = compat_target_to_user(t, dstptr, size);
1753 if (ret)
1754 return ret;
1755 next_offset = e->next_offset - (origsize - *size);
1756
1757 if (put_user(watchers_offset, &ce->watchers_offset) ||
1758 put_user(target_offset, &ce->target_offset) ||
1759 put_user(next_offset, &ce->next_offset))
1760 return -EFAULT;
1761
1762 *size -= sizeof(*ce);
1763 return 0;
1764}
1765
1766static int compat_calc_match(struct ebt_entry_match *m, int *off)
1767{
1768 *off += ebt_compat_match_offset(m->u.match, m->match_size);
1769 *off += ebt_compat_entry_padsize();
1770 return 0;
1771}
1772
1773static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off)
1774{
1775 *off += xt_compat_target_offset(w->u.watcher);
1776 *off += ebt_compat_entry_padsize();
1777 return 0;
1778}
1779
1780static int compat_calc_entry(const struct ebt_entry *e,
1781 const struct ebt_table_info *info,
1782 const void *base,
1783 struct compat_ebt_replace *newinfo)
1784{
1785 const struct ebt_entry_target *t;
1786 unsigned int entry_offset;
1787 int off, ret, i;
1788
1789 if (e->bitmask == 0)
1790 return 0;
1791
1792 off = 0;
1793 entry_offset = (void *)e - base;
1794
1795 EBT_MATCH_ITERATE(e, compat_calc_match, &off);
1796 EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off);
1797
1798 t = ebt_get_target_c(e);
1799
1800 off += xt_compat_target_offset(t->u.target);
1801 off += ebt_compat_entry_padsize();
1802
1803 newinfo->entries_size -= off;
1804
1805 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off);
1806 if (ret)
1807 return ret;
1808
1809 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1810 const void *hookptr = info->hook_entry[i];
1811 if (info->hook_entry[i] &&
1812 (e < (struct ebt_entry *)(base - hookptr))) {
1813 newinfo->hook_entry[i] -= off;
1814 pr_debug("0x%08X -> 0x%08X\n",
1815 newinfo->hook_entry[i] + off,
1816 newinfo->hook_entry[i]);
1817 }
1818 }
1819
1820 return 0;
1821}
1822
1823static int ebt_compat_init_offsets(unsigned int number)
1824{
1825 if (number > INT_MAX)
1826 return -EINVAL;
1827
1828
1829 number += NF_BR_NUMHOOKS;
1830
1831 return xt_compat_init_offsets(NFPROTO_BRIDGE, number);
1832}
1833
1834static int compat_table_info(const struct ebt_table_info *info,
1835 struct compat_ebt_replace *newinfo)
1836{
1837 unsigned int size = info->entries_size;
1838 const void *entries = info->entries;
1839 int ret;
1840
1841 newinfo->entries_size = size;
1842 ret = ebt_compat_init_offsets(info->nentries);
1843 if (ret)
1844 return ret;
1845
1846 return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
1847 entries, newinfo);
1848}
1849
1850static int compat_copy_everything_to_user(struct ebt_table *t,
1851 void __user *user, int *len, int cmd)
1852{
1853 struct compat_ebt_replace repl, tmp;
1854 struct ebt_counter *oldcounters;
1855 struct ebt_table_info tinfo;
1856 int ret;
1857 void __user *pos;
1858
1859 memset(&tinfo, 0, sizeof(tinfo));
1860
1861 if (cmd == EBT_SO_GET_ENTRIES) {
1862 tinfo.entries_size = t->private->entries_size;
1863 tinfo.nentries = t->private->nentries;
1864 tinfo.entries = t->private->entries;
1865 oldcounters = t->private->counters;
1866 } else {
1867 tinfo.entries_size = t->table->entries_size;
1868 tinfo.nentries = t->table->nentries;
1869 tinfo.entries = t->table->entries;
1870 oldcounters = t->table->counters;
1871 }
1872
1873 if (copy_from_user(&tmp, user, sizeof(tmp)))
1874 return -EFAULT;
1875
1876 if (tmp.nentries != tinfo.nentries ||
1877 (tmp.num_counters && tmp.num_counters != tinfo.nentries))
1878 return -EINVAL;
1879
1880 memcpy(&repl, &tmp, sizeof(repl));
1881 if (cmd == EBT_SO_GET_ENTRIES)
1882 ret = compat_table_info(t->private, &repl);
1883 else
1884 ret = compat_table_info(&tinfo, &repl);
1885 if (ret)
1886 return ret;
1887
1888 if (*len != sizeof(tmp) + repl.entries_size +
1889 (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) {
1890 pr_err("wrong size: *len %d, entries_size %u, replsz %d\n",
1891 *len, tinfo.entries_size, repl.entries_size);
1892 return -EINVAL;
1893 }
1894
1895
1896 ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters),
1897 tmp.num_counters, tinfo.nentries);
1898 if (ret)
1899 return ret;
1900
1901 pos = compat_ptr(tmp.entries);
1902 return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size,
1903 compat_copy_entry_to_user, &pos, &tmp.entries_size);
1904}
1905
1906struct ebt_entries_buf_state {
1907 char *buf_kern_start;
1908 u32 buf_kern_len;
1909 u32 buf_kern_offset;
1910 u32 buf_user_offset;
1911};
1912
1913static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
1914{
1915 state->buf_kern_offset += sz;
1916 return state->buf_kern_offset >= sz ? 0 : -EINVAL;
1917}
1918
1919static int ebt_buf_add(struct ebt_entries_buf_state *state,
1920 const void *data, unsigned int sz)
1921{
1922 if (state->buf_kern_start == NULL)
1923 goto count_only;
1924
1925 if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
1926 return -EINVAL;
1927
1928 memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
1929
1930 count_only:
1931 state->buf_user_offset += sz;
1932 return ebt_buf_count(state, sz);
1933}
1934
1935static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
1936{
1937 char *b = state->buf_kern_start;
1938
1939 if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
1940 return -EINVAL;
1941
1942 if (b != NULL && sz > 0)
1943 memset(b + state->buf_kern_offset, 0, sz);
1944
1945 return ebt_buf_count(state, sz);
1946}
1947
1948enum compat_mwt {
1949 EBT_COMPAT_MATCH,
1950 EBT_COMPAT_WATCHER,
1951 EBT_COMPAT_TARGET,
1952};
1953
1954static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
1955 enum compat_mwt compat_mwt,
1956 struct ebt_entries_buf_state *state,
1957 const unsigned char *base)
1958{
1959 char name[EBT_EXTENSION_MAXNAMELEN];
1960 struct xt_match *match;
1961 struct xt_target *wt;
1962 void *dst = NULL;
1963 int off, pad = 0;
1964 unsigned int size_kern, match_size = mwt->match_size;
1965
1966 if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
1967 return -EINVAL;
1968
1969 if (state->buf_kern_start)
1970 dst = state->buf_kern_start + state->buf_kern_offset;
1971
1972 switch (compat_mwt) {
1973 case EBT_COMPAT_MATCH:
1974 match = xt_request_find_match(NFPROTO_BRIDGE, name,
1975 mwt->u.revision);
1976 if (IS_ERR(match))
1977 return PTR_ERR(match);
1978
1979 off = ebt_compat_match_offset(match, match_size);
1980 if (dst) {
1981 if (match->compat_from_user)
1982 match->compat_from_user(dst, mwt->data);
1983 else
1984 memcpy(dst, mwt->data, match_size);
1985 }
1986
1987 size_kern = match->matchsize;
1988 if (unlikely(size_kern == -1))
1989 size_kern = match_size;
1990 module_put(match->me);
1991 break;
1992 case EBT_COMPAT_WATCHER:
1993 case EBT_COMPAT_TARGET:
1994 wt = xt_request_find_target(NFPROTO_BRIDGE, name,
1995 mwt->u.revision);
1996 if (IS_ERR(wt))
1997 return PTR_ERR(wt);
1998 off = xt_compat_target_offset(wt);
1999
2000 if (dst) {
2001 if (wt->compat_from_user)
2002 wt->compat_from_user(dst, mwt->data);
2003 else
2004 memcpy(dst, mwt->data, match_size);
2005 }
2006
2007 size_kern = wt->targetsize;
2008 module_put(wt->me);
2009 break;
2010
2011 default:
2012 return -EINVAL;
2013 }
2014
2015 state->buf_kern_offset += match_size + off;
2016 state->buf_user_offset += match_size;
2017 pad = XT_ALIGN(size_kern) - size_kern;
2018
2019 if (pad > 0 && dst) {
2020 if (WARN_ON(state->buf_kern_len <= pad))
2021 return -EINVAL;
2022 if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
2023 return -EINVAL;
2024 memset(dst + size_kern, 0, pad);
2025 }
2026 return off + match_size;
2027}
2028
2029
2030
2031
2032static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32,
2033 unsigned int size_left, enum compat_mwt type,
2034 struct ebt_entries_buf_state *state, const void *base)
2035{
2036 const char *buf = (const char *)match32;
2037 int growth = 0;
2038
2039 if (size_left == 0)
2040 return 0;
2041
2042 do {
2043 struct ebt_entry_match *match_kern;
2044 int ret;
2045
2046 if (size_left < sizeof(*match32))
2047 return -EINVAL;
2048
2049 match_kern = (struct ebt_entry_match *) state->buf_kern_start;
2050 if (match_kern) {
2051 char *tmp;
2052 tmp = state->buf_kern_start + state->buf_kern_offset;
2053 match_kern = (struct ebt_entry_match *) tmp;
2054 }
2055 ret = ebt_buf_add(state, buf, sizeof(*match32));
2056 if (ret < 0)
2057 return ret;
2058 size_left -= sizeof(*match32);
2059
2060
2061 ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize());
2062 if (ret < 0)
2063 return ret;
2064
2065 if (match32->match_size > size_left)
2066 return -EINVAL;
2067
2068 size_left -= match32->match_size;
2069
2070 ret = compat_mtw_from_user(match32, type, state, base);
2071 if (ret < 0)
2072 return ret;
2073
2074 if (WARN_ON(ret < match32->match_size))
2075 return -EINVAL;
2076 growth += ret - match32->match_size;
2077 growth += ebt_compat_entry_padsize();
2078
2079 buf += sizeof(*match32);
2080 buf += match32->match_size;
2081
2082 if (match_kern)
2083 match_kern->match_size = ret;
2084
2085 match32 = (struct compat_ebt_entry_mwt *) buf;
2086 } while (size_left);
2087
2088 return growth;
2089}
2090
2091
2092static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base,
2093 unsigned int *total,
2094 struct ebt_entries_buf_state *state)
2095{
2096 unsigned int i, j, startoff, next_expected_off, new_offset = 0;
2097
2098 unsigned int offsets[4];
2099 unsigned int *offsets_update = NULL;
2100 int ret;
2101 char *buf_start;
2102
2103 if (*total < sizeof(struct ebt_entries))
2104 return -EINVAL;
2105
2106 if (!entry->bitmask) {
2107 *total -= sizeof(struct ebt_entries);
2108 return ebt_buf_add(state, entry, sizeof(struct ebt_entries));
2109 }
2110 if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
2111 return -EINVAL;
2112
2113 startoff = state->buf_user_offset;
2114
2115 ret = ebt_buf_add(state, entry,
2116 offsetof(struct ebt_entry, watchers_offset));
2117 if (ret < 0)
2118 return ret;
2119
2120 offsets[0] = sizeof(struct ebt_entry);
2121 memcpy(&offsets[1], &entry->watchers_offset,
2122 sizeof(offsets) - sizeof(offsets[0]));
2123
2124 if (state->buf_kern_start) {
2125 buf_start = state->buf_kern_start + state->buf_kern_offset;
2126 offsets_update = (unsigned int *) buf_start;
2127 }
2128 ret = ebt_buf_add(state, &offsets[1],
2129 sizeof(offsets) - sizeof(offsets[0]));
2130 if (ret < 0)
2131 return ret;
2132 buf_start = (char *) entry;
2133
2134
2135
2136
2137
2138
2139
2140 for (i = 0; i < 4 ; ++i) {
2141 if (offsets[i] > *total)
2142 return -EINVAL;
2143
2144 if (i < 3 && offsets[i] == *total)
2145 return -EINVAL;
2146
2147 if (i == 0)
2148 continue;
2149 if (offsets[i-1] > offsets[i])
2150 return -EINVAL;
2151 }
2152
2153 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
2154 struct compat_ebt_entry_mwt *match32;
2155 unsigned int size;
2156 char *buf = buf_start + offsets[i];
2157
2158 if (offsets[i] > offsets[j])
2159 return -EINVAL;
2160
2161 match32 = (struct compat_ebt_entry_mwt *) buf;
2162 size = offsets[j] - offsets[i];
2163 ret = ebt_size_mwt(match32, size, i, state, base);
2164 if (ret < 0)
2165 return ret;
2166 new_offset += ret;
2167 if (offsets_update && new_offset) {
2168 pr_debug("change offset %d to %d\n",
2169 offsets_update[i], offsets[j] + new_offset);
2170 offsets_update[i] = offsets[j] + new_offset;
2171 }
2172 }
2173
2174 if (state->buf_kern_start == NULL) {
2175 unsigned int offset = buf_start - (char *) base;
2176
2177 ret = xt_compat_add_offset(NFPROTO_BRIDGE, offset, new_offset);
2178 if (ret < 0)
2179 return ret;
2180 }
2181
2182 next_expected_off = state->buf_user_offset - startoff;
2183 if (next_expected_off != entry->next_offset)
2184 return -EINVAL;
2185
2186 if (*total < entry->next_offset)
2187 return -EINVAL;
2188 *total -= entry->next_offset;
2189 return 0;
2190}
2191
2192
2193
2194
2195
2196
2197
2198static int compat_copy_entries(unsigned char *data, unsigned int size_user,
2199 struct ebt_entries_buf_state *state)
2200{
2201 unsigned int size_remaining = size_user;
2202 int ret;
2203
2204 ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data,
2205 &size_remaining, state);
2206 if (ret < 0)
2207 return ret;
2208
2209 if (size_remaining)
2210 return -EINVAL;
2211
2212 return state->buf_kern_offset;
2213}
2214
2215
2216static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
2217 sockptr_t arg, unsigned int len)
2218{
2219 struct compat_ebt_replace tmp;
2220 int i;
2221
2222 if (len < sizeof(tmp))
2223 return -EINVAL;
2224
2225 if (copy_from_sockptr(&tmp, arg, sizeof(tmp)))
2226 return -EFAULT;
2227
2228 if (len != sizeof(tmp) + tmp.entries_size)
2229 return -EINVAL;
2230
2231 if (tmp.entries_size == 0)
2232 return -EINVAL;
2233
2234 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
2235 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
2236 return -ENOMEM;
2237 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
2238 return -ENOMEM;
2239
2240 memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
2241
2242
2243 for (i = 0; i < NF_BR_NUMHOOKS; i++)
2244 repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]);
2245
2246 repl->num_counters = tmp.num_counters;
2247 repl->counters = compat_ptr(tmp.counters);
2248 repl->entries = compat_ptr(tmp.entries);
2249 return 0;
2250}
2251
2252static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
2253{
2254 int ret, i, countersize, size64;
2255 struct ebt_table_info *newinfo;
2256 struct ebt_replace tmp;
2257 struct ebt_entries_buf_state state;
2258 void *entries_tmp;
2259
2260 ret = compat_copy_ebt_replace_from_user(&tmp, arg, len);
2261 if (ret) {
2262
2263 if (ret == -EINVAL && do_replace(net, arg, len) == 0)
2264 ret = 0;
2265 return ret;
2266 }
2267
2268 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
2269 newinfo = vmalloc(sizeof(*newinfo) + countersize);
2270 if (!newinfo)
2271 return -ENOMEM;
2272
2273 if (countersize)
2274 memset(newinfo->counters, 0, countersize);
2275
2276 memset(&state, 0, sizeof(state));
2277
2278 newinfo->entries = vmalloc(tmp.entries_size);
2279 if (!newinfo->entries) {
2280 ret = -ENOMEM;
2281 goto free_newinfo;
2282 }
2283 if (copy_from_user(
2284 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
2285 ret = -EFAULT;
2286 goto free_entries;
2287 }
2288
2289 entries_tmp = newinfo->entries;
2290
2291 xt_compat_lock(NFPROTO_BRIDGE);
2292
2293 ret = ebt_compat_init_offsets(tmp.nentries);
2294 if (ret < 0)
2295 goto out_unlock;
2296
2297 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2298 if (ret < 0)
2299 goto out_unlock;
2300
2301 pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n",
2302 tmp.entries_size, state.buf_kern_offset, state.buf_user_offset,
2303 xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size));
2304
2305 size64 = ret;
2306 newinfo->entries = vmalloc(size64);
2307 if (!newinfo->entries) {
2308 vfree(entries_tmp);
2309 ret = -ENOMEM;
2310 goto out_unlock;
2311 }
2312
2313 memset(&state, 0, sizeof(state));
2314 state.buf_kern_start = newinfo->entries;
2315 state.buf_kern_len = size64;
2316
2317 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2318 if (WARN_ON(ret < 0)) {
2319 vfree(entries_tmp);
2320 goto out_unlock;
2321 }
2322
2323 vfree(entries_tmp);
2324 tmp.entries_size = size64;
2325
2326 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
2327 char __user *usrptr;
2328 if (tmp.hook_entry[i]) {
2329 unsigned int delta;
2330 usrptr = (char __user *) tmp.hook_entry[i];
2331 delta = usrptr - tmp.entries;
2332 usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta);
2333 tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr;
2334 }
2335 }
2336
2337 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2338 xt_compat_unlock(NFPROTO_BRIDGE);
2339
2340 ret = do_replace_finish(net, &tmp, newinfo);
2341 if (ret == 0)
2342 return ret;
2343free_entries:
2344 vfree(newinfo->entries);
2345free_newinfo:
2346 vfree(newinfo);
2347 return ret;
2348out_unlock:
2349 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2350 xt_compat_unlock(NFPROTO_BRIDGE);
2351 goto free_entries;
2352}
2353
2354static int compat_update_counters(struct net *net, sockptr_t arg,
2355 unsigned int len)
2356{
2357 struct compat_ebt_replace hlp;
2358
2359 if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
2360 return -EFAULT;
2361
2362
2363 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
2364 return update_counters(net, arg, len);
2365
2366 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters),
2367 hlp.num_counters, len);
2368}
2369
2370static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
2371 void __user *user, int *len)
2372{
2373 int ret;
2374 struct compat_ebt_replace tmp;
2375 struct ebt_table *t;
2376 struct net *net = sock_net(sk);
2377
2378 if ((cmd == EBT_SO_GET_INFO || cmd == EBT_SO_GET_INIT_INFO) &&
2379 *len != sizeof(struct compat_ebt_replace))
2380 return -EINVAL;
2381
2382 if (copy_from_user(&tmp, user, sizeof(tmp)))
2383 return -EFAULT;
2384
2385 tmp.name[sizeof(tmp.name) - 1] = '\0';
2386
2387 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
2388 if (!t)
2389 return ret;
2390
2391 xt_compat_lock(NFPROTO_BRIDGE);
2392 switch (cmd) {
2393 case EBT_SO_GET_INFO:
2394 tmp.nentries = t->private->nentries;
2395 ret = compat_table_info(t->private, &tmp);
2396 if (ret)
2397 goto out;
2398 tmp.valid_hooks = t->valid_hooks;
2399
2400 if (copy_to_user(user, &tmp, *len) != 0) {
2401 ret = -EFAULT;
2402 break;
2403 }
2404 ret = 0;
2405 break;
2406 case EBT_SO_GET_INIT_INFO:
2407 tmp.nentries = t->table->nentries;
2408 tmp.entries_size = t->table->entries_size;
2409 tmp.valid_hooks = t->table->valid_hooks;
2410
2411 if (copy_to_user(user, &tmp, *len) != 0) {
2412 ret = -EFAULT;
2413 break;
2414 }
2415 ret = 0;
2416 break;
2417 case EBT_SO_GET_ENTRIES:
2418 case EBT_SO_GET_INIT_ENTRIES:
2419
2420
2421
2422
2423
2424
2425
2426
2427 if (copy_everything_to_user(t, user, len, cmd) == 0)
2428 ret = 0;
2429 else
2430 ret = compat_copy_everything_to_user(t, user, len, cmd);
2431 break;
2432 default:
2433 ret = -EINVAL;
2434 }
2435 out:
2436 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2437 xt_compat_unlock(NFPROTO_BRIDGE);
2438 mutex_unlock(&ebt_mutex);
2439 return ret;
2440}
2441#endif
2442
2443static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2444{
2445 struct net *net = sock_net(sk);
2446 struct ebt_replace tmp;
2447 struct ebt_table *t;
2448 int ret;
2449
2450 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2451 return -EPERM;
2452
2453#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
2454
2455 if (in_compat_syscall() &&
2456 ((cmd != EBT_SO_GET_INFO && cmd != EBT_SO_GET_INIT_INFO) ||
2457 *len != sizeof(tmp)))
2458 return compat_do_ebt_get_ctl(sk, cmd, user, len);
2459#endif
2460
2461 if (copy_from_user(&tmp, user, sizeof(tmp)))
2462 return -EFAULT;
2463
2464 tmp.name[sizeof(tmp.name) - 1] = '\0';
2465
2466 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
2467 if (!t)
2468 return ret;
2469
2470 switch (cmd) {
2471 case EBT_SO_GET_INFO:
2472 case EBT_SO_GET_INIT_INFO:
2473 if (*len != sizeof(struct ebt_replace)) {
2474 ret = -EINVAL;
2475 mutex_unlock(&ebt_mutex);
2476 break;
2477 }
2478 if (cmd == EBT_SO_GET_INFO) {
2479 tmp.nentries = t->private->nentries;
2480 tmp.entries_size = t->private->entries_size;
2481 tmp.valid_hooks = t->valid_hooks;
2482 } else {
2483 tmp.nentries = t->table->nentries;
2484 tmp.entries_size = t->table->entries_size;
2485 tmp.valid_hooks = t->table->valid_hooks;
2486 }
2487 mutex_unlock(&ebt_mutex);
2488 if (copy_to_user(user, &tmp, *len) != 0) {
2489 ret = -EFAULT;
2490 break;
2491 }
2492 ret = 0;
2493 break;
2494
2495 case EBT_SO_GET_ENTRIES:
2496 case EBT_SO_GET_INIT_ENTRIES:
2497 ret = copy_everything_to_user(t, user, len, cmd);
2498 mutex_unlock(&ebt_mutex);
2499 break;
2500
2501 default:
2502 mutex_unlock(&ebt_mutex);
2503 ret = -EINVAL;
2504 }
2505
2506 return ret;
2507}
2508
2509static int do_ebt_set_ctl(struct sock *sk, int cmd, sockptr_t arg,
2510 unsigned int len)
2511{
2512 struct net *net = sock_net(sk);
2513 int ret;
2514
2515 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2516 return -EPERM;
2517
2518 switch (cmd) {
2519 case EBT_SO_SET_ENTRIES:
2520#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
2521 if (in_compat_syscall())
2522 ret = compat_do_replace(net, arg, len);
2523 else
2524#endif
2525 ret = do_replace(net, arg, len);
2526 break;
2527 case EBT_SO_SET_COUNTERS:
2528#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
2529 if (in_compat_syscall())
2530 ret = compat_update_counters(net, arg, len);
2531 else
2532#endif
2533 ret = update_counters(net, arg, len);
2534 break;
2535 default:
2536 ret = -EINVAL;
2537 }
2538 return ret;
2539}
2540
2541static struct nf_sockopt_ops ebt_sockopts = {
2542 .pf = PF_INET,
2543 .set_optmin = EBT_BASE_CTL,
2544 .set_optmax = EBT_SO_SET_MAX + 1,
2545 .set = do_ebt_set_ctl,
2546 .get_optmin = EBT_BASE_CTL,
2547 .get_optmax = EBT_SO_GET_MAX + 1,
2548 .get = do_ebt_get_ctl,
2549 .owner = THIS_MODULE,
2550};
2551
2552static int __net_init ebt_pernet_init(struct net *net)
2553{
2554 struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
2555
2556 INIT_LIST_HEAD(&ebt_net->tables);
2557 return 0;
2558}
2559
2560static struct pernet_operations ebt_net_ops = {
2561 .init = ebt_pernet_init,
2562 .id = &ebt_pernet_id,
2563 .size = sizeof(struct ebt_pernet),
2564};
2565
2566static int __init ebtables_init(void)
2567{
2568 int ret;
2569
2570 ret = xt_register_target(&ebt_standard_target);
2571 if (ret < 0)
2572 return ret;
2573 ret = nf_register_sockopt(&ebt_sockopts);
2574 if (ret < 0) {
2575 xt_unregister_target(&ebt_standard_target);
2576 return ret;
2577 }
2578
2579 ret = register_pernet_subsys(&ebt_net_ops);
2580 if (ret < 0) {
2581 nf_unregister_sockopt(&ebt_sockopts);
2582 xt_unregister_target(&ebt_standard_target);
2583 return ret;
2584 }
2585
2586 return 0;
2587}
2588
2589static void ebtables_fini(void)
2590{
2591 nf_unregister_sockopt(&ebt_sockopts);
2592 xt_unregister_target(&ebt_standard_target);
2593 unregister_pernet_subsys(&ebt_net_ops);
2594}
2595
2596EXPORT_SYMBOL(ebt_register_table);
2597EXPORT_SYMBOL(ebt_unregister_table);
2598EXPORT_SYMBOL(ebt_do_table);
2599module_init(ebtables_init);
2600module_exit(ebtables_fini);
2601MODULE_LICENSE("GPL");
2602
