]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * ebtables | |
3 | * | |
4 | * Author: | |
5 | * Bart De Schuymer <bdschuym@pandora.be> | |
6 | * | |
7 | * ebtables.c,v 2.0, July, 2002 | |
8 | * | |
9 | * This code is stongly inspired on the iptables code which is | |
10 | * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling | |
11 | * | |
12 | * This program is free software; you can redistribute it and/or | |
13 | * modify it under the terms of the GNU General Public License | |
14 | * as published by the Free Software Foundation; either version | |
15 | * 2 of the License, or (at your option) any later version. | |
16 | */ | |
17 | ||
1da177e4 LT |
18 | |
19 | #include <linux/kmod.h> | |
20 | #include <linux/module.h> | |
21 | #include <linux/vmalloc.h> | |
18219d3f | 22 | #include <linux/netfilter/x_tables.h> |
1da177e4 LT |
23 | #include <linux/netfilter_bridge/ebtables.h> |
24 | #include <linux/spinlock.h> | |
df0933dc | 25 | #include <linux/mutex.h> |
1da177e4 LT |
26 | #include <asm/uaccess.h> |
27 | #include <linux/smp.h> | |
c8923c6b | 28 | #include <linux/cpumask.h> |
1da177e4 LT |
29 | #include <net/sock.h> |
30 | /* needed for logical [in,out]-dev filtering */ | |
31 | #include "../br_private.h" | |
32 | ||
1da177e4 | 33 | #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\ |
9d6f229f | 34 | "report to author: "format, ## args) |
1da177e4 | 35 | /* #define BUGPRINT(format, args...) */ |
1da177e4 LT |
36 | |
37 | /* | |
38 | * Each cpu has its own set of counters, so there is no need for write_lock in | |
39 | * the softirq | |
40 | * For reading or updating the counters, the user context needs to | |
41 | * get a write_lock | |
42 | */ | |
43 | ||
44 | /* The size of each set of counters is altered to get cache alignment */ | |
45 | #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1)) | |
46 | #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter))) | |
47 | #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \ | |
48 | COUNTER_OFFSET(n) * cpu)) | |
49 | ||
50 | ||
51 | ||
57b47a53 | 52 | static DEFINE_MUTEX(ebt_mutex); |
1da177e4 | 53 | |
043ef46c | 54 | static struct xt_target ebt_standard_target = { |
001a18d3 JE |
55 | .name = "standard", |
56 | .revision = 0, | |
57 | .family = NFPROTO_BRIDGE, | |
043ef46c | 58 | .targetsize = sizeof(int), |
18219d3f | 59 | }; |
1da177e4 | 60 | |
7eb35586 JE |
61 | static inline int |
62 | ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb, | |
63 | struct xt_target_param *par) | |
1da177e4 | 64 | { |
7eb35586 JE |
65 | par->target = w->u.watcher; |
66 | par->targinfo = w->data; | |
67 | w->u.watcher->target(skb, par); | |
1da177e4 LT |
68 | /* watchers don't give a verdict */ |
69 | return 0; | |
70 | } | |
71 | ||
72 | static inline int ebt_do_match (struct ebt_entry_match *m, | |
f7108a20 | 73 | const struct sk_buff *skb, struct xt_match_param *par) |
1da177e4 | 74 | { |
f7108a20 JE |
75 | par->match = m->u.match; |
76 | par->matchinfo = m->data; | |
d61ba9fd | 77 | return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH; |
1da177e4 LT |
78 | } |
79 | ||
d5d1baa1 JE |
80 | static inline int |
81 | ebt_dev_check(const char *entry, const struct net_device *device) | |
1da177e4 LT |
82 | { |
83 | int i = 0; | |
f3d8b2e4 | 84 | const char *devname; |
1da177e4 LT |
85 | |
86 | if (*entry == '\0') | |
87 | return 0; | |
88 | if (!device) | |
89 | return 1; | |
f3d8b2e4 | 90 | devname = device->name; |
1da177e4 LT |
91 | /* 1 is the wildcard token */ |
92 | while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i]) | |
93 | i++; | |
94 | return (devname[i] != entry[i] && entry[i] != 1); | |
95 | } | |
96 | ||
97 | #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg)) | |
98 | /* process standard matches */ | |
d5d1baa1 JE |
99 | static inline int |
100 | ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h, | |
101 | const struct net_device *in, const struct net_device *out) | |
1da177e4 LT |
102 | { |
103 | int verdict, i; | |
104 | ||
105 | if (e->bitmask & EBT_802_3) { | |
106 | if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO)) | |
107 | return 1; | |
108 | } else if (!(e->bitmask & EBT_NOPROTO) && | |
109 | FWINV2(e->ethproto != h->h_proto, EBT_IPROTO)) | |
110 | return 1; | |
111 | ||
112 | if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN)) | |
113 | return 1; | |
114 | if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT)) | |
115 | return 1; | |
116 | if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check( | |
117 | e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN)) | |
118 | return 1; | |
119 | if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check( | |
120 | e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT)) | |
121 | return 1; | |
122 | ||
123 | if (e->bitmask & EBT_SOURCEMAC) { | |
124 | verdict = 0; | |
125 | for (i = 0; i < 6; i++) | |
126 | verdict |= (h->h_source[i] ^ e->sourcemac[i]) & | |
127 | e->sourcemsk[i]; | |
128 | if (FWINV2(verdict != 0, EBT_ISOURCE) ) | |
129 | return 1; | |
130 | } | |
131 | if (e->bitmask & EBT_DESTMAC) { | |
132 | verdict = 0; | |
133 | for (i = 0; i < 6; i++) | |
134 | verdict |= (h->h_dest[i] ^ e->destmac[i]) & | |
135 | e->destmsk[i]; | |
136 | if (FWINV2(verdict != 0, EBT_IDEST) ) | |
137 | return 1; | |
138 | } | |
139 | return 0; | |
140 | } | |
141 | ||
98e86403 JE |
142 | static inline __pure |
143 | struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry) | |
144 | { | |
145 | return (void *)entry + entry->next_offset; | |
146 | } | |
147 | ||
1da177e4 | 148 | /* Do some firewalling */ |
3db05fea | 149 | unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb, |
1da177e4 LT |
150 | const struct net_device *in, const struct net_device *out, |
151 | struct ebt_table *table) | |
152 | { | |
153 | int i, nentries; | |
154 | struct ebt_entry *point; | |
155 | struct ebt_counter *counter_base, *cb_base; | |
d5d1baa1 | 156 | const struct ebt_entry_target *t; |
1da177e4 LT |
157 | int verdict, sp = 0; |
158 | struct ebt_chainstack *cs; | |
159 | struct ebt_entries *chaininfo; | |
d5d1baa1 JE |
160 | const char *base; |
161 | const struct ebt_table_info *private; | |
5365f802 | 162 | bool hotdrop = false; |
f7108a20 | 163 | struct xt_match_param mtpar; |
7eb35586 | 164 | struct xt_target_param tgpar; |
f7108a20 | 165 | |
916a917d | 166 | mtpar.family = tgpar.family = NFPROTO_BRIDGE; |
7eb35586 JE |
167 | mtpar.in = tgpar.in = in; |
168 | mtpar.out = tgpar.out = out; | |
f7108a20 | 169 | mtpar.hotdrop = &hotdrop; |
a5e78820 | 170 | mtpar.hooknum = tgpar.hooknum = hook; |
1da177e4 LT |
171 | |
172 | read_lock_bh(&table->lock); | |
173 | private = table->private; | |
174 | cb_base = COUNTER_BASE(private->counters, private->nentries, | |
175 | smp_processor_id()); | |
176 | if (private->chainstack) | |
177 | cs = private->chainstack[smp_processor_id()]; | |
178 | else | |
179 | cs = NULL; | |
180 | chaininfo = private->hook_entry[hook]; | |
181 | nentries = private->hook_entry[hook]->nentries; | |
182 | point = (struct ebt_entry *)(private->hook_entry[hook]->data); | |
183 | counter_base = cb_base + private->hook_entry[hook]->counter_offset; | |
184 | /* base for chain jumps */ | |
185 | base = private->entries; | |
186 | i = 0; | |
187 | while (i < nentries) { | |
3db05fea | 188 | if (ebt_basic_match(point, eth_hdr(skb), in, out)) |
1da177e4 LT |
189 | goto letscontinue; |
190 | ||
f7108a20 | 191 | if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0) |
1da177e4 | 192 | goto letscontinue; |
5365f802 JE |
193 | if (hotdrop) { |
194 | read_unlock_bh(&table->lock); | |
195 | return NF_DROP; | |
196 | } | |
1da177e4 LT |
197 | |
198 | /* increase counter */ | |
199 | (*(counter_base + i)).pcnt++; | |
3db05fea | 200 | (*(counter_base + i)).bcnt += skb->len; |
1da177e4 LT |
201 | |
202 | /* these should only watch: not modify, nor tell us | |
203 | what to do with the packet */ | |
7eb35586 | 204 | EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar); |
1da177e4 LT |
205 | |
206 | t = (struct ebt_entry_target *) | |
207 | (((char *)point) + point->target_offset); | |
208 | /* standard target */ | |
209 | if (!t->u.target->target) | |
210 | verdict = ((struct ebt_standard_target *)t)->verdict; | |
7eb35586 JE |
211 | else { |
212 | tgpar.target = t->u.target; | |
213 | tgpar.targinfo = t->data; | |
214 | verdict = t->u.target->target(skb, &tgpar); | |
215 | } | |
1da177e4 LT |
216 | if (verdict == EBT_ACCEPT) { |
217 | read_unlock_bh(&table->lock); | |
218 | return NF_ACCEPT; | |
219 | } | |
220 | if (verdict == EBT_DROP) { | |
221 | read_unlock_bh(&table->lock); | |
222 | return NF_DROP; | |
223 | } | |
224 | if (verdict == EBT_RETURN) { | |
225 | letsreturn: | |
226 | #ifdef CONFIG_NETFILTER_DEBUG | |
227 | if (sp == 0) { | |
228 | BUGPRINT("RETURN on base chain"); | |
229 | /* act like this is EBT_CONTINUE */ | |
230 | goto letscontinue; | |
231 | } | |
232 | #endif | |
233 | sp--; | |
234 | /* put all the local variables right */ | |
235 | i = cs[sp].n; | |
236 | chaininfo = cs[sp].chaininfo; | |
237 | nentries = chaininfo->nentries; | |
238 | point = cs[sp].e; | |
239 | counter_base = cb_base + | |
240 | chaininfo->counter_offset; | |
241 | continue; | |
242 | } | |
243 | if (verdict == EBT_CONTINUE) | |
244 | goto letscontinue; | |
245 | #ifdef CONFIG_NETFILTER_DEBUG | |
246 | if (verdict < 0) { | |
247 | BUGPRINT("bogus standard verdict\n"); | |
248 | read_unlock_bh(&table->lock); | |
249 | return NF_DROP; | |
250 | } | |
251 | #endif | |
252 | /* jump to a udc */ | |
253 | cs[sp].n = i + 1; | |
254 | cs[sp].chaininfo = chaininfo; | |
98e86403 | 255 | cs[sp].e = ebt_next_entry(point); |
1da177e4 LT |
256 | i = 0; |
257 | chaininfo = (struct ebt_entries *) (base + verdict); | |
258 | #ifdef CONFIG_NETFILTER_DEBUG | |
259 | if (chaininfo->distinguisher) { | |
260 | BUGPRINT("jump to non-chain\n"); | |
261 | read_unlock_bh(&table->lock); | |
262 | return NF_DROP; | |
263 | } | |
264 | #endif | |
265 | nentries = chaininfo->nentries; | |
266 | point = (struct ebt_entry *)chaininfo->data; | |
267 | counter_base = cb_base + chaininfo->counter_offset; | |
268 | sp++; | |
269 | continue; | |
270 | letscontinue: | |
98e86403 | 271 | point = ebt_next_entry(point); |
1da177e4 LT |
272 | i++; |
273 | } | |
274 | ||
275 | /* I actually like this :) */ | |
276 | if (chaininfo->policy == EBT_RETURN) | |
277 | goto letsreturn; | |
278 | if (chaininfo->policy == EBT_ACCEPT) { | |
279 | read_unlock_bh(&table->lock); | |
280 | return NF_ACCEPT; | |
281 | } | |
282 | read_unlock_bh(&table->lock); | |
283 | return NF_DROP; | |
284 | } | |
285 | ||
286 | /* If it succeeds, returns element and locks mutex */ | |
287 | static inline void * | |
288 | find_inlist_lock_noload(struct list_head *head, const char *name, int *error, | |
57b47a53 | 289 | struct mutex *mutex) |
1da177e4 | 290 | { |
df0933dc PM |
291 | struct { |
292 | struct list_head list; | |
293 | char name[EBT_FUNCTION_MAXNAMELEN]; | |
294 | } *e; | |
1da177e4 | 295 | |
57b47a53 | 296 | *error = mutex_lock_interruptible(mutex); |
1da177e4 LT |
297 | if (*error != 0) |
298 | return NULL; | |
299 | ||
df0933dc PM |
300 | list_for_each_entry(e, head, list) { |
301 | if (strcmp(e->name, name) == 0) | |
302 | return e; | |
1da177e4 | 303 | } |
df0933dc PM |
304 | *error = -ENOENT; |
305 | mutex_unlock(mutex); | |
306 | return NULL; | |
1da177e4 LT |
307 | } |
308 | ||
1da177e4 LT |
309 | static void * |
310 | find_inlist_lock(struct list_head *head, const char *name, const char *prefix, | |
57b47a53 | 311 | int *error, struct mutex *mutex) |
1da177e4 | 312 | { |
95a5afca JB |
313 | return try_then_request_module( |
314 | find_inlist_lock_noload(head, name, error, mutex), | |
315 | "%s%s", prefix, name); | |
1da177e4 | 316 | } |
1da177e4 LT |
317 | |
318 | static inline struct ebt_table * | |
511061e2 AD |
319 | find_table_lock(struct net *net, const char *name, int *error, |
320 | struct mutex *mutex) | |
1da177e4 | 321 | { |
511061e2 AD |
322 | return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name, |
323 | "ebtable_", error, mutex); | |
1da177e4 LT |
324 | } |
325 | ||
1da177e4 | 326 | static inline int |
9b4fce7a JE |
327 | ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par, |
328 | unsigned int *cnt) | |
1da177e4 | 329 | { |
9b4fce7a | 330 | const struct ebt_entry *e = par->entryinfo; |
043ef46c | 331 | struct xt_match *match; |
14197d54 | 332 | size_t left = ((char *)e + e->watchers_offset) - (char *)m; |
1da177e4 LT |
333 | int ret; |
334 | ||
14197d54 AV |
335 | if (left < sizeof(struct ebt_entry_match) || |
336 | left - sizeof(struct ebt_entry_match) < m->match_size) | |
1da177e4 | 337 | return -EINVAL; |
043ef46c JE |
338 | |
339 | match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE, | |
340 | m->u.name, 0), "ebt_%s", m->u.name); | |
341 | if (IS_ERR(match)) | |
342 | return PTR_ERR(match); | |
343 | if (match == NULL) | |
1da177e4 | 344 | return -ENOENT; |
043ef46c JE |
345 | m->u.match = match; |
346 | ||
9b4fce7a JE |
347 | par->match = match; |
348 | par->matchinfo = m->data; | |
916a917d | 349 | ret = xt_check_match(par, m->match_size, |
9b4fce7a | 350 | e->ethproto, e->invflags & EBT_IPROTO); |
043ef46c JE |
351 | if (ret < 0) { |
352 | module_put(match->me); | |
353 | return ret; | |
1da177e4 | 354 | } |
043ef46c | 355 | |
1da177e4 LT |
356 | (*cnt)++; |
357 | return 0; | |
358 | } | |
359 | ||
360 | static inline int | |
af5d6dc2 JE |
361 | ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par, |
362 | unsigned int *cnt) | |
1da177e4 | 363 | { |
af5d6dc2 | 364 | const struct ebt_entry *e = par->entryinfo; |
043ef46c | 365 | struct xt_target *watcher; |
14197d54 | 366 | size_t left = ((char *)e + e->target_offset) - (char *)w; |
1da177e4 LT |
367 | int ret; |
368 | ||
14197d54 AV |
369 | if (left < sizeof(struct ebt_entry_watcher) || |
370 | left - sizeof(struct ebt_entry_watcher) < w->watcher_size) | |
1da177e4 | 371 | return -EINVAL; |
043ef46c JE |
372 | |
373 | watcher = try_then_request_module( | |
374 | xt_find_target(NFPROTO_BRIDGE, w->u.name, 0), | |
375 | "ebt_%s", w->u.name); | |
376 | if (IS_ERR(watcher)) | |
377 | return PTR_ERR(watcher); | |
378 | if (watcher == NULL) | |
1da177e4 | 379 | return -ENOENT; |
043ef46c JE |
380 | w->u.watcher = watcher; |
381 | ||
af5d6dc2 JE |
382 | par->target = watcher; |
383 | par->targinfo = w->data; | |
916a917d | 384 | ret = xt_check_target(par, w->watcher_size, |
af5d6dc2 | 385 | e->ethproto, e->invflags & EBT_IPROTO); |
043ef46c JE |
386 | if (ret < 0) { |
387 | module_put(watcher->me); | |
388 | return ret; | |
1da177e4 | 389 | } |
043ef46c | 390 | |
1da177e4 LT |
391 | (*cnt)++; |
392 | return 0; | |
393 | } | |
394 | ||
d5d1baa1 | 395 | static int ebt_verify_pointers(const struct ebt_replace *repl, |
70fe9af4 | 396 | struct ebt_table_info *newinfo) |
1da177e4 | 397 | { |
70fe9af4 AV |
398 | unsigned int limit = repl->entries_size; |
399 | unsigned int valid_hooks = repl->valid_hooks; | |
400 | unsigned int offset = 0; | |
1da177e4 LT |
401 | int i; |
402 | ||
e4fd77de AV |
403 | for (i = 0; i < NF_BR_NUMHOOKS; i++) |
404 | newinfo->hook_entry[i] = NULL; | |
405 | ||
406 | newinfo->entries_size = repl->entries_size; | |
407 | newinfo->nentries = repl->nentries; | |
408 | ||
70fe9af4 AV |
409 | while (offset < limit) { |
410 | size_t left = limit - offset; | |
411 | struct ebt_entry *e = (void *)newinfo->entries + offset; | |
bb2ef25c | 412 | |
70fe9af4 | 413 | if (left < sizeof(unsigned int)) |
1da177e4 | 414 | break; |
70fe9af4 AV |
415 | |
416 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
417 | if ((valid_hooks & (1 << i)) == 0) | |
418 | continue; | |
1e419cd9 AV |
419 | if ((char __user *)repl->hook_entry[i] == |
420 | repl->entries + offset) | |
70fe9af4 AV |
421 | break; |
422 | } | |
423 | ||
424 | if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) { | |
425 | if (e->bitmask != 0) { | |
426 | /* we make userspace set this right, | |
427 | so there is no misunderstanding */ | |
428 | BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set " | |
429 | "in distinguisher\n"); | |
430 | return -EINVAL; | |
431 | } | |
432 | if (i != NF_BR_NUMHOOKS) | |
433 | newinfo->hook_entry[i] = (struct ebt_entries *)e; | |
434 | if (left < sizeof(struct ebt_entries)) | |
435 | break; | |
436 | offset += sizeof(struct ebt_entries); | |
437 | } else { | |
438 | if (left < sizeof(struct ebt_entry)) | |
439 | break; | |
440 | if (left < e->next_offset) | |
441 | break; | |
1756de26 FW |
442 | if (e->next_offset < sizeof(struct ebt_entry)) |
443 | return -EINVAL; | |
70fe9af4 | 444 | offset += e->next_offset; |
1da177e4 | 445 | } |
22b440bf | 446 | } |
70fe9af4 AV |
447 | if (offset != limit) { |
448 | BUGPRINT("entries_size too small\n"); | |
449 | return -EINVAL; | |
450 | } | |
e4fd77de AV |
451 | |
452 | /* check if all valid hooks have a chain */ | |
453 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
454 | if (!newinfo->hook_entry[i] && | |
455 | (valid_hooks & (1 << i))) { | |
456 | BUGPRINT("Valid hook without chain\n"); | |
457 | return -EINVAL; | |
458 | } | |
459 | } | |
22b440bf | 460 | return 0; |
22b440bf AV |
461 | } |
462 | ||
463 | /* | |
464 | * this one is very careful, as it is the first function | |
465 | * to parse the userspace data | |
466 | */ | |
467 | static inline int | |
d5d1baa1 JE |
468 | ebt_check_entry_size_and_hooks(const struct ebt_entry *e, |
469 | const struct ebt_table_info *newinfo, | |
0e795531 AV |
470 | unsigned int *n, unsigned int *cnt, |
471 | unsigned int *totalcnt, unsigned int *udc_cnt) | |
22b440bf | 472 | { |
22b440bf AV |
473 | int i; |
474 | ||
475 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
0e795531 | 476 | if ((void *)e == (void *)newinfo->hook_entry[i]) |
22b440bf AV |
477 | break; |
478 | } | |
479 | /* beginning of a new chain | |
480 | if i == NF_BR_NUMHOOKS it must be a user defined chain */ | |
481 | if (i != NF_BR_NUMHOOKS || !e->bitmask) { | |
1da177e4 LT |
482 | /* this checks if the previous chain has as many entries |
483 | as it said it has */ | |
484 | if (*n != *cnt) { | |
485 | BUGPRINT("nentries does not equal the nr of entries " | |
9d6f229f | 486 | "in the chain\n"); |
1da177e4 LT |
487 | return -EINVAL; |
488 | } | |
1da177e4 LT |
489 | if (((struct ebt_entries *)e)->policy != EBT_DROP && |
490 | ((struct ebt_entries *)e)->policy != EBT_ACCEPT) { | |
491 | /* only RETURN from udc */ | |
492 | if (i != NF_BR_NUMHOOKS || | |
493 | ((struct ebt_entries *)e)->policy != EBT_RETURN) { | |
494 | BUGPRINT("bad policy\n"); | |
495 | return -EINVAL; | |
496 | } | |
497 | } | |
498 | if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */ | |
499 | (*udc_cnt)++; | |
1da177e4 LT |
500 | if (((struct ebt_entries *)e)->counter_offset != *totalcnt) { |
501 | BUGPRINT("counter_offset != totalcnt"); | |
502 | return -EINVAL; | |
503 | } | |
504 | *n = ((struct ebt_entries *)e)->nentries; | |
505 | *cnt = 0; | |
506 | return 0; | |
507 | } | |
508 | /* a plain old entry, heh */ | |
509 | if (sizeof(struct ebt_entry) > e->watchers_offset || | |
510 | e->watchers_offset > e->target_offset || | |
511 | e->target_offset >= e->next_offset) { | |
512 | BUGPRINT("entry offsets not in right order\n"); | |
513 | return -EINVAL; | |
514 | } | |
515 | /* this is not checked anywhere else */ | |
516 | if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) { | |
517 | BUGPRINT("target size too small\n"); | |
518 | return -EINVAL; | |
519 | } | |
1da177e4 LT |
520 | (*cnt)++; |
521 | (*totalcnt)++; | |
522 | return 0; | |
523 | } | |
524 | ||
525 | struct ebt_cl_stack | |
526 | { | |
527 | struct ebt_chainstack cs; | |
528 | int from; | |
529 | unsigned int hookmask; | |
530 | }; | |
531 | ||
532 | /* | |
533 | * we need these positions to check that the jumps to a different part of the | |
534 | * entries is a jump to the beginning of a new chain. | |
535 | */ | |
536 | static inline int | |
537 | ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo, | |
177abc34 | 538 | unsigned int *n, struct ebt_cl_stack *udc) |
1da177e4 LT |
539 | { |
540 | int i; | |
541 | ||
542 | /* we're only interested in chain starts */ | |
40642f95 | 543 | if (e->bitmask) |
1da177e4 LT |
544 | return 0; |
545 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
1da177e4 LT |
546 | if (newinfo->hook_entry[i] == (struct ebt_entries *)e) |
547 | break; | |
548 | } | |
549 | /* only care about udc */ | |
550 | if (i != NF_BR_NUMHOOKS) | |
551 | return 0; | |
552 | ||
553 | udc[*n].cs.chaininfo = (struct ebt_entries *)e; | |
554 | /* these initialisations are depended on later in check_chainloops() */ | |
555 | udc[*n].cs.n = 0; | |
556 | udc[*n].hookmask = 0; | |
557 | ||
558 | (*n)++; | |
559 | return 0; | |
560 | } | |
561 | ||
562 | static inline int | |
f54e9367 | 563 | ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i) |
1da177e4 | 564 | { |
6be3d859 JE |
565 | struct xt_mtdtor_param par; |
566 | ||
1da177e4 LT |
567 | if (i && (*i)-- == 0) |
568 | return 1; | |
1da177e4 | 569 | |
f54e9367 | 570 | par.net = net; |
6be3d859 JE |
571 | par.match = m->u.match; |
572 | par.matchinfo = m->data; | |
916a917d | 573 | par.family = NFPROTO_BRIDGE; |
6be3d859 JE |
574 | if (par.match->destroy != NULL) |
575 | par.match->destroy(&par); | |
576 | module_put(par.match->me); | |
1da177e4 LT |
577 | return 0; |
578 | } | |
579 | ||
580 | static inline int | |
add67461 | 581 | ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i) |
1da177e4 | 582 | { |
a2df1648 JE |
583 | struct xt_tgdtor_param par; |
584 | ||
1da177e4 LT |
585 | if (i && (*i)-- == 0) |
586 | return 1; | |
1da177e4 | 587 | |
add67461 | 588 | par.net = net; |
a2df1648 JE |
589 | par.target = w->u.watcher; |
590 | par.targinfo = w->data; | |
916a917d | 591 | par.family = NFPROTO_BRIDGE; |
a2df1648 JE |
592 | if (par.target->destroy != NULL) |
593 | par.target->destroy(&par); | |
594 | module_put(par.target->me); | |
1da177e4 LT |
595 | return 0; |
596 | } | |
597 | ||
598 | static inline int | |
f54e9367 | 599 | ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt) |
1da177e4 | 600 | { |
a2df1648 | 601 | struct xt_tgdtor_param par; |
1da177e4 LT |
602 | struct ebt_entry_target *t; |
603 | ||
40642f95 | 604 | if (e->bitmask == 0) |
1da177e4 LT |
605 | return 0; |
606 | /* we're done */ | |
607 | if (cnt && (*cnt)-- == 0) | |
608 | return 1; | |
add67461 | 609 | EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL); |
f54e9367 | 610 | EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL); |
1da177e4 | 611 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); |
1da177e4 | 612 | |
add67461 | 613 | par.net = net; |
a2df1648 JE |
614 | par.target = t->u.target; |
615 | par.targinfo = t->data; | |
916a917d | 616 | par.family = NFPROTO_BRIDGE; |
a2df1648 JE |
617 | if (par.target->destroy != NULL) |
618 | par.target->destroy(&par); | |
619 | module_put(par.target->me); | |
1da177e4 LT |
620 | return 0; |
621 | } | |
622 | ||
623 | static inline int | |
d5d1baa1 JE |
624 | ebt_check_entry(struct ebt_entry *e, struct net *net, |
625 | const struct ebt_table_info *newinfo, | |
f7da79d9 | 626 | const char *name, unsigned int *cnt, |
1da177e4 LT |
627 | struct ebt_cl_stack *cl_s, unsigned int udc_cnt) |
628 | { | |
629 | struct ebt_entry_target *t; | |
043ef46c | 630 | struct xt_target *target; |
1da177e4 | 631 | unsigned int i, j, hook = 0, hookmask = 0; |
44f9a2fd | 632 | size_t gap; |
1da177e4 | 633 | int ret; |
6be3d859 | 634 | struct xt_mtchk_param mtpar; |
af5d6dc2 | 635 | struct xt_tgchk_param tgpar; |
1da177e4 LT |
636 | |
637 | /* don't mess with the struct ebt_entries */ | |
40642f95 | 638 | if (e->bitmask == 0) |
1da177e4 LT |
639 | return 0; |
640 | ||
641 | if (e->bitmask & ~EBT_F_MASK) { | |
642 | BUGPRINT("Unknown flag for bitmask\n"); | |
643 | return -EINVAL; | |
644 | } | |
645 | if (e->invflags & ~EBT_INV_MASK) { | |
646 | BUGPRINT("Unknown flag for inv bitmask\n"); | |
647 | return -EINVAL; | |
648 | } | |
649 | if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) { | |
650 | BUGPRINT("NOPROTO & 802_3 not allowed\n"); | |
651 | return -EINVAL; | |
652 | } | |
653 | /* what hook do we belong to? */ | |
654 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { | |
f7da79d9 | 655 | if (!newinfo->hook_entry[i]) |
1da177e4 LT |
656 | continue; |
657 | if ((char *)newinfo->hook_entry[i] < (char *)e) | |
658 | hook = i; | |
659 | else | |
660 | break; | |
661 | } | |
662 | /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on | |
663 | a base chain */ | |
664 | if (i < NF_BR_NUMHOOKS) | |
665 | hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS); | |
666 | else { | |
667 | for (i = 0; i < udc_cnt; i++) | |
668 | if ((char *)(cl_s[i].cs.chaininfo) > (char *)e) | |
669 | break; | |
670 | if (i == 0) | |
671 | hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS); | |
672 | else | |
673 | hookmask = cl_s[i - 1].hookmask; | |
674 | } | |
675 | i = 0; | |
9b4fce7a | 676 | |
add67461 | 677 | mtpar.net = tgpar.net = net; |
af5d6dc2 JE |
678 | mtpar.table = tgpar.table = name; |
679 | mtpar.entryinfo = tgpar.entryinfo = e; | |
680 | mtpar.hook_mask = tgpar.hook_mask = hookmask; | |
916a917d | 681 | mtpar.family = tgpar.family = NFPROTO_BRIDGE; |
6be3d859 | 682 | ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i); |
1da177e4 LT |
683 | if (ret != 0) |
684 | goto cleanup_matches; | |
685 | j = 0; | |
af5d6dc2 | 686 | ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j); |
1da177e4 LT |
687 | if (ret != 0) |
688 | goto cleanup_watchers; | |
689 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); | |
44f9a2fd | 690 | gap = e->next_offset - e->target_offset; |
1da177e4 | 691 | |
043ef46c JE |
692 | target = try_then_request_module( |
693 | xt_find_target(NFPROTO_BRIDGE, t->u.name, 0), | |
694 | "ebt_%s", t->u.name); | |
695 | if (IS_ERR(target)) { | |
696 | ret = PTR_ERR(target); | |
001a18d3 | 697 | goto cleanup_watchers; |
043ef46c JE |
698 | } else if (target == NULL) { |
699 | ret = -ENOENT; | |
001a18d3 JE |
700 | goto cleanup_watchers; |
701 | } | |
702 | ||
1da177e4 LT |
703 | t->u.target = target; |
704 | if (t->u.target == &ebt_standard_target) { | |
14197d54 | 705 | if (gap < sizeof(struct ebt_standard_target)) { |
1da177e4 LT |
706 | BUGPRINT("Standard target size too big\n"); |
707 | ret = -EFAULT; | |
708 | goto cleanup_watchers; | |
709 | } | |
710 | if (((struct ebt_standard_target *)t)->verdict < | |
711 | -NUM_STANDARD_TARGETS) { | |
712 | BUGPRINT("Invalid standard target\n"); | |
713 | ret = -EFAULT; | |
714 | goto cleanup_watchers; | |
715 | } | |
18219d3f JE |
716 | } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) { |
717 | module_put(t->u.target->me); | |
718 | ret = -EFAULT; | |
719 | goto cleanup_watchers; | |
043ef46c JE |
720 | } |
721 | ||
af5d6dc2 JE |
722 | tgpar.target = target; |
723 | tgpar.targinfo = t->data; | |
916a917d | 724 | ret = xt_check_target(&tgpar, t->target_size, |
af5d6dc2 | 725 | e->ethproto, e->invflags & EBT_IPROTO); |
043ef46c JE |
726 | if (ret < 0) { |
727 | module_put(target->me); | |
18219d3f | 728 | goto cleanup_watchers; |
1da177e4 LT |
729 | } |
730 | (*cnt)++; | |
731 | return 0; | |
732 | cleanup_watchers: | |
add67461 | 733 | EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j); |
1da177e4 | 734 | cleanup_matches: |
f54e9367 | 735 | EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i); |
1da177e4 LT |
736 | return ret; |
737 | } | |
738 | ||
739 | /* | |
740 | * checks for loops and sets the hook mask for udc | |
741 | * the hook mask for udc tells us from which base chains the udc can be | |
742 | * accessed. This mask is a parameter to the check() functions of the extensions | |
743 | */ | |
d5d1baa1 | 744 | static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s, |
1da177e4 LT |
745 | unsigned int udc_cnt, unsigned int hooknr, char *base) |
746 | { | |
747 | int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict; | |
d5d1baa1 JE |
748 | const struct ebt_entry *e = (struct ebt_entry *)chain->data; |
749 | const struct ebt_entry_target *t; | |
1da177e4 LT |
750 | |
751 | while (pos < nentries || chain_nr != -1) { | |
752 | /* end of udc, go back one 'recursion' step */ | |
753 | if (pos == nentries) { | |
754 | /* put back values of the time when this chain was called */ | |
755 | e = cl_s[chain_nr].cs.e; | |
756 | if (cl_s[chain_nr].from != -1) | |
757 | nentries = | |
758 | cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries; | |
759 | else | |
760 | nentries = chain->nentries; | |
761 | pos = cl_s[chain_nr].cs.n; | |
762 | /* make sure we won't see a loop that isn't one */ | |
763 | cl_s[chain_nr].cs.n = 0; | |
764 | chain_nr = cl_s[chain_nr].from; | |
765 | if (pos == nentries) | |
766 | continue; | |
767 | } | |
768 | t = (struct ebt_entry_target *) | |
769 | (((char *)e) + e->target_offset); | |
770 | if (strcmp(t->u.name, EBT_STANDARD_TARGET)) | |
771 | goto letscontinue; | |
772 | if (e->target_offset + sizeof(struct ebt_standard_target) > | |
773 | e->next_offset) { | |
774 | BUGPRINT("Standard target size too big\n"); | |
775 | return -1; | |
776 | } | |
777 | verdict = ((struct ebt_standard_target *)t)->verdict; | |
778 | if (verdict >= 0) { /* jump to another chain */ | |
779 | struct ebt_entries *hlp2 = | |
780 | (struct ebt_entries *)(base + verdict); | |
781 | for (i = 0; i < udc_cnt; i++) | |
782 | if (hlp2 == cl_s[i].cs.chaininfo) | |
783 | break; | |
784 | /* bad destination or loop */ | |
785 | if (i == udc_cnt) { | |
786 | BUGPRINT("bad destination\n"); | |
787 | return -1; | |
788 | } | |
789 | if (cl_s[i].cs.n) { | |
790 | BUGPRINT("loop\n"); | |
791 | return -1; | |
792 | } | |
98a0824a AV |
793 | if (cl_s[i].hookmask & (1 << hooknr)) |
794 | goto letscontinue; | |
795 | /* this can't be 0, so the loop test is correct */ | |
1da177e4 LT |
796 | cl_s[i].cs.n = pos + 1; |
797 | pos = 0; | |
98e86403 | 798 | cl_s[i].cs.e = ebt_next_entry(e); |
1da177e4 LT |
799 | e = (struct ebt_entry *)(hlp2->data); |
800 | nentries = hlp2->nentries; | |
801 | cl_s[i].from = chain_nr; | |
802 | chain_nr = i; | |
803 | /* this udc is accessible from the base chain for hooknr */ | |
804 | cl_s[i].hookmask |= (1 << hooknr); | |
805 | continue; | |
806 | } | |
807 | letscontinue: | |
98e86403 | 808 | e = ebt_next_entry(e); |
1da177e4 LT |
809 | pos++; |
810 | } | |
811 | return 0; | |
812 | } | |
813 | ||
814 | /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */ | |
d5d1baa1 | 815 | static int translate_table(struct net *net, const char *name, |
a83d8e8d | 816 | struct ebt_table_info *newinfo) |
1da177e4 LT |
817 | { |
818 | unsigned int i, j, k, udc_cnt; | |
819 | int ret; | |
820 | struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */ | |
821 | ||
822 | i = 0; | |
1f072c96 | 823 | while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i]) |
1da177e4 LT |
824 | i++; |
825 | if (i == NF_BR_NUMHOOKS) { | |
826 | BUGPRINT("No valid hooks specified\n"); | |
827 | return -EINVAL; | |
828 | } | |
1f072c96 | 829 | if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) { |
1da177e4 LT |
830 | BUGPRINT("Chains don't start at beginning\n"); |
831 | return -EINVAL; | |
832 | } | |
833 | /* make sure chains are ordered after each other in same order | |
834 | as their corresponding hooks */ | |
835 | for (j = i + 1; j < NF_BR_NUMHOOKS; j++) { | |
1f072c96 | 836 | if (!newinfo->hook_entry[j]) |
1da177e4 | 837 | continue; |
1f072c96 | 838 | if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) { |
1da177e4 LT |
839 | BUGPRINT("Hook order must be followed\n"); |
840 | return -EINVAL; | |
841 | } | |
842 | i = j; | |
843 | } | |
844 | ||
1da177e4 LT |
845 | /* do some early checkings and initialize some things */ |
846 | i = 0; /* holds the expected nr. of entries for the chain */ | |
847 | j = 0; /* holds the up to now counted entries for the chain */ | |
848 | k = 0; /* holds the total nr. of entries, should equal | |
9d6f229f | 849 | newinfo->nentries afterwards */ |
1da177e4 LT |
850 | udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */ |
851 | ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | |
0e795531 AV |
852 | ebt_check_entry_size_and_hooks, newinfo, |
853 | &i, &j, &k, &udc_cnt); | |
1da177e4 LT |
854 | |
855 | if (ret != 0) | |
856 | return ret; | |
857 | ||
858 | if (i != j) { | |
859 | BUGPRINT("nentries does not equal the nr of entries in the " | |
9d6f229f | 860 | "(last) chain\n"); |
1da177e4 LT |
861 | return -EINVAL; |
862 | } | |
863 | if (k != newinfo->nentries) { | |
864 | BUGPRINT("Total nentries is wrong\n"); | |
865 | return -EINVAL; | |
866 | } | |
867 | ||
1da177e4 LT |
868 | /* get the location of the udc, put them in an array |
869 | while we're at it, allocate the chainstack */ | |
870 | if (udc_cnt) { | |
871 | /* this will get free'd in do_replace()/ebt_register_table() | |
872 | if an error occurs */ | |
7ad4d2f6 | 873 | newinfo->chainstack = |
53b8a315 | 874 | vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack))); |
1da177e4 LT |
875 | if (!newinfo->chainstack) |
876 | return -ENOMEM; | |
6f912042 | 877 | for_each_possible_cpu(i) { |
1da177e4 | 878 | newinfo->chainstack[i] = |
18bc89aa | 879 | vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0]))); |
1da177e4 LT |
880 | if (!newinfo->chainstack[i]) { |
881 | while (i) | |
882 | vfree(newinfo->chainstack[--i]); | |
883 | vfree(newinfo->chainstack); | |
884 | newinfo->chainstack = NULL; | |
885 | return -ENOMEM; | |
886 | } | |
887 | } | |
888 | ||
18bc89aa | 889 | cl_s = vmalloc(udc_cnt * sizeof(*cl_s)); |
1da177e4 LT |
890 | if (!cl_s) |
891 | return -ENOMEM; | |
892 | i = 0; /* the i'th udc */ | |
893 | EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | |
177abc34 | 894 | ebt_get_udc_positions, newinfo, &i, cl_s); |
1da177e4 LT |
895 | /* sanity check */ |
896 | if (i != udc_cnt) { | |
897 | BUGPRINT("i != udc_cnt\n"); | |
898 | vfree(cl_s); | |
899 | return -EFAULT; | |
900 | } | |
901 | } | |
902 | ||
903 | /* Check for loops */ | |
904 | for (i = 0; i < NF_BR_NUMHOOKS; i++) | |
1f072c96 | 905 | if (newinfo->hook_entry[i]) |
1da177e4 LT |
906 | if (check_chainloops(newinfo->hook_entry[i], |
907 | cl_s, udc_cnt, i, newinfo->entries)) { | |
68d31872 | 908 | vfree(cl_s); |
1da177e4 LT |
909 | return -EINVAL; |
910 | } | |
911 | ||
96de0e25 | 912 | /* we now know the following (along with E=mc²): |
1da177e4 LT |
913 | - the nr of entries in each chain is right |
914 | - the size of the allocated space is right | |
915 | - all valid hooks have a corresponding chain | |
916 | - there are no loops | |
917 | - wrong data can still be on the level of a single entry | |
918 | - could be there are jumps to places that are not the | |
919 | beginning of a chain. This can only occur in chains that | |
920 | are not accessible from any base chains, so we don't care. */ | |
921 | ||
922 | /* used to know what we need to clean up if something goes wrong */ | |
923 | i = 0; | |
924 | ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | |
a83d8e8d | 925 | ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt); |
1da177e4 LT |
926 | if (ret != 0) { |
927 | EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | |
f54e9367 | 928 | ebt_cleanup_entry, net, &i); |
1da177e4 | 929 | } |
68d31872 | 930 | vfree(cl_s); |
1da177e4 LT |
931 | return ret; |
932 | } | |
933 | ||
934 | /* called under write_lock */ | |
d5d1baa1 | 935 | static void get_counters(const struct ebt_counter *oldcounters, |
1da177e4 LT |
936 | struct ebt_counter *counters, unsigned int nentries) |
937 | { | |
938 | int i, cpu; | |
939 | struct ebt_counter *counter_base; | |
940 | ||
941 | /* counters of cpu 0 */ | |
942 | memcpy(counters, oldcounters, | |
c8923c6b DM |
943 | sizeof(struct ebt_counter) * nentries); |
944 | ||
1da177e4 | 945 | /* add other counters to those of cpu 0 */ |
6f912042 | 946 | for_each_possible_cpu(cpu) { |
c8923c6b DM |
947 | if (cpu == 0) |
948 | continue; | |
1da177e4 LT |
949 | counter_base = COUNTER_BASE(oldcounters, nentries, cpu); |
950 | for (i = 0; i < nentries; i++) { | |
951 | counters[i].pcnt += counter_base[i].pcnt; | |
952 | counters[i].bcnt += counter_base[i].bcnt; | |
953 | } | |
954 | } | |
955 | } | |
956 | ||
e788759f FW |
957 | static int do_replace_finish(struct net *net, struct ebt_replace *repl, |
958 | struct ebt_table_info *newinfo) | |
1da177e4 | 959 | { |
e788759f | 960 | int ret, i; |
1da177e4 LT |
961 | struct ebt_counter *counterstmp = NULL; |
962 | /* used to be able to unlock earlier */ | |
963 | struct ebt_table_info *table; | |
e788759f | 964 | struct ebt_table *t; |
1da177e4 LT |
965 | |
966 | /* the user wants counters back | |
967 | the check on the size is done later, when we have the lock */ | |
e788759f FW |
968 | if (repl->num_counters) { |
969 | unsigned long size = repl->num_counters * sizeof(*counterstmp); | |
970 | counterstmp = vmalloc(size); | |
971 | if (!counterstmp) | |
972 | return -ENOMEM; | |
1da177e4 | 973 | } |
1da177e4 | 974 | |
1da177e4 | 975 | newinfo->chainstack = NULL; |
e788759f | 976 | ret = ebt_verify_pointers(repl, newinfo); |
1bc2326c AV |
977 | if (ret != 0) |
978 | goto free_counterstmp; | |
979 | ||
e788759f | 980 | ret = translate_table(net, repl->name, newinfo); |
1da177e4 LT |
981 | |
982 | if (ret != 0) | |
983 | goto free_counterstmp; | |
984 | ||
e788759f | 985 | t = find_table_lock(net, repl->name, &ret, &ebt_mutex); |
1da177e4 LT |
986 | if (!t) { |
987 | ret = -ENOENT; | |
988 | goto free_iterate; | |
989 | } | |
990 | ||
991 | /* the table doesn't like it */ | |
e788759f | 992 | if (t->check && (ret = t->check(newinfo, repl->valid_hooks))) |
1da177e4 LT |
993 | goto free_unlock; |
994 | ||
e788759f | 995 | if (repl->num_counters && repl->num_counters != t->private->nentries) { |
1da177e4 LT |
996 | BUGPRINT("Wrong nr. of counters requested\n"); |
997 | ret = -EINVAL; | |
998 | goto free_unlock; | |
999 | } | |
1000 | ||
1001 | /* we have the mutex lock, so no danger in reading this pointer */ | |
1002 | table = t->private; | |
1003 | /* make sure the table can only be rmmod'ed if it contains no rules */ | |
1004 | if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) { | |
1005 | ret = -ENOENT; | |
1006 | goto free_unlock; | |
1007 | } else if (table->nentries && !newinfo->nentries) | |
1008 | module_put(t->me); | |
1009 | /* we need an atomic snapshot of the counters */ | |
1010 | write_lock_bh(&t->lock); | |
e788759f | 1011 | if (repl->num_counters) |
1da177e4 LT |
1012 | get_counters(t->private->counters, counterstmp, |
1013 | t->private->nentries); | |
1014 | ||
1015 | t->private = newinfo; | |
1016 | write_unlock_bh(&t->lock); | |
57b47a53 | 1017 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1018 | /* so, a user can change the chains while having messed up her counter |
1019 | allocation. Only reason why this is done is because this way the lock | |
1020 | is held only once, while this doesn't bring the kernel into a | |
1021 | dangerous state. */ | |
e788759f FW |
1022 | if (repl->num_counters && |
1023 | copy_to_user(repl->counters, counterstmp, | |
1024 | repl->num_counters * sizeof(struct ebt_counter))) { | |
1da177e4 LT |
1025 | ret = -EFAULT; |
1026 | } | |
1027 | else | |
1028 | ret = 0; | |
1029 | ||
1030 | /* decrease module count and free resources */ | |
1031 | EBT_ENTRY_ITERATE(table->entries, table->entries_size, | |
f54e9367 | 1032 | ebt_cleanup_entry, net, NULL); |
1da177e4 LT |
1033 | |
1034 | vfree(table->entries); | |
1035 | if (table->chainstack) { | |
6f912042 | 1036 | for_each_possible_cpu(i) |
1da177e4 LT |
1037 | vfree(table->chainstack[i]); |
1038 | vfree(table->chainstack); | |
1039 | } | |
1040 | vfree(table); | |
1041 | ||
68d31872 | 1042 | vfree(counterstmp); |
1da177e4 LT |
1043 | return ret; |
1044 | ||
1045 | free_unlock: | |
57b47a53 | 1046 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1047 | free_iterate: |
1048 | EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | |
f54e9367 | 1049 | ebt_cleanup_entry, net, NULL); |
1da177e4 | 1050 | free_counterstmp: |
68d31872 | 1051 | vfree(counterstmp); |
1da177e4 LT |
1052 | /* can be initialized in translate_table() */ |
1053 | if (newinfo->chainstack) { | |
6f912042 | 1054 | for_each_possible_cpu(i) |
1da177e4 LT |
1055 | vfree(newinfo->chainstack[i]); |
1056 | vfree(newinfo->chainstack); | |
1057 | } | |
e788759f FW |
1058 | return ret; |
1059 | } | |
1060 | ||
1061 | /* replace the table */ | |
1062 | static int do_replace(struct net *net, const void __user *user, | |
1063 | unsigned int len) | |
1064 | { | |
1065 | int ret, countersize; | |
1066 | struct ebt_table_info *newinfo; | |
1067 | struct ebt_replace tmp; | |
1068 | ||
1069 | if (copy_from_user(&tmp, user, sizeof(tmp)) != 0) | |
1070 | return -EFAULT; | |
1071 | ||
1072 | if (len != sizeof(tmp) + tmp.entries_size) { | |
1073 | BUGPRINT("Wrong len argument\n"); | |
1074 | return -EINVAL; | |
1075 | } | |
1076 | ||
1077 | if (tmp.entries_size == 0) { | |
1078 | BUGPRINT("Entries_size never zero\n"); | |
1079 | return -EINVAL; | |
1080 | } | |
1081 | /* overflow check */ | |
1082 | if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / | |
1083 | NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter)) | |
1084 | return -ENOMEM; | |
1085 | if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) | |
1086 | return -ENOMEM; | |
1087 | ||
1088 | countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; | |
1089 | newinfo = vmalloc(sizeof(*newinfo) + countersize); | |
1090 | if (!newinfo) | |
1091 | return -ENOMEM; | |
1092 | ||
1093 | if (countersize) | |
1094 | memset(newinfo->counters, 0, countersize); | |
1095 | ||
1096 | newinfo->entries = vmalloc(tmp.entries_size); | |
1097 | if (!newinfo->entries) { | |
1098 | ret = -ENOMEM; | |
1099 | goto free_newinfo; | |
1100 | } | |
1101 | if (copy_from_user( | |
1102 | newinfo->entries, tmp.entries, tmp.entries_size) != 0) { | |
1103 | BUGPRINT("Couldn't copy entries from userspace\n"); | |
1104 | ret = -EFAULT; | |
1105 | goto free_entries; | |
1106 | } | |
1107 | ||
1108 | ret = do_replace_finish(net, &tmp, newinfo); | |
1109 | if (ret == 0) | |
1110 | return ret; | |
1da177e4 | 1111 | free_entries: |
68d31872 | 1112 | vfree(newinfo->entries); |
1da177e4 | 1113 | free_newinfo: |
68d31872 | 1114 | vfree(newinfo); |
1da177e4 LT |
1115 | return ret; |
1116 | } | |
1117 | ||
35aad0ff JE |
1118 | struct ebt_table * |
1119 | ebt_register_table(struct net *net, const struct ebt_table *input_table) | |
1da177e4 LT |
1120 | { |
1121 | struct ebt_table_info *newinfo; | |
35aad0ff | 1122 | struct ebt_table *t, *table; |
1e419cd9 | 1123 | struct ebt_replace_kernel *repl; |
1da177e4 | 1124 | int ret, i, countersize; |
df07a81e | 1125 | void *p; |
1da177e4 | 1126 | |
35aad0ff JE |
1127 | if (input_table == NULL || (repl = input_table->table) == NULL || |
1128 | repl->entries == 0 || repl->entries_size == 0 || | |
1129 | repl->counters != NULL || input_table->private != NULL) { | |
1da177e4 | 1130 | BUGPRINT("Bad table data for ebt_register_table!!!\n"); |
6beceee5 AD |
1131 | return ERR_PTR(-EINVAL); |
1132 | } | |
1133 | ||
1134 | /* Don't add one table to multiple lists. */ | |
35aad0ff | 1135 | table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL); |
6beceee5 AD |
1136 | if (!table) { |
1137 | ret = -ENOMEM; | |
1138 | goto out; | |
1da177e4 LT |
1139 | } |
1140 | ||
53b8a315 | 1141 | countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids; |
18bc89aa | 1142 | newinfo = vmalloc(sizeof(*newinfo) + countersize); |
1da177e4 LT |
1143 | ret = -ENOMEM; |
1144 | if (!newinfo) | |
6beceee5 | 1145 | goto free_table; |
1da177e4 | 1146 | |
df07a81e AV |
1147 | p = vmalloc(repl->entries_size); |
1148 | if (!p) | |
1da177e4 LT |
1149 | goto free_newinfo; |
1150 | ||
df07a81e AV |
1151 | memcpy(p, repl->entries, repl->entries_size); |
1152 | newinfo->entries = p; | |
1153 | ||
1154 | newinfo->entries_size = repl->entries_size; | |
1155 | newinfo->nentries = repl->nentries; | |
1da177e4 LT |
1156 | |
1157 | if (countersize) | |
1158 | memset(newinfo->counters, 0, countersize); | |
1159 | ||
1160 | /* fill in newinfo and parse the entries */ | |
1161 | newinfo->chainstack = NULL; | |
df07a81e AV |
1162 | for (i = 0; i < NF_BR_NUMHOOKS; i++) { |
1163 | if ((repl->valid_hooks & (1 << i)) == 0) | |
1164 | newinfo->hook_entry[i] = NULL; | |
1165 | else | |
1166 | newinfo->hook_entry[i] = p + | |
1167 | ((char *)repl->hook_entry[i] - repl->entries); | |
1168 | } | |
a83d8e8d | 1169 | ret = translate_table(net, repl->name, newinfo); |
1da177e4 LT |
1170 | if (ret != 0) { |
1171 | BUGPRINT("Translate_table failed\n"); | |
1172 | goto free_chainstack; | |
1173 | } | |
1174 | ||
1175 | if (table->check && table->check(newinfo, table->valid_hooks)) { | |
1176 | BUGPRINT("The table doesn't like its own initial data, lol\n"); | |
6beceee5 | 1177 | return ERR_PTR(-EINVAL); |
1da177e4 LT |
1178 | } |
1179 | ||
1180 | table->private = newinfo; | |
1181 | rwlock_init(&table->lock); | |
57b47a53 | 1182 | ret = mutex_lock_interruptible(&ebt_mutex); |
1da177e4 LT |
1183 | if (ret != 0) |
1184 | goto free_chainstack; | |
1185 | ||
511061e2 | 1186 | list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) { |
df0933dc PM |
1187 | if (strcmp(t->name, table->name) == 0) { |
1188 | ret = -EEXIST; | |
1189 | BUGPRINT("Table name already exists\n"); | |
1190 | goto free_unlock; | |
1191 | } | |
1da177e4 LT |
1192 | } |
1193 | ||
1194 | /* Hold a reference count if the chains aren't empty */ | |
1195 | if (newinfo->nentries && !try_module_get(table->me)) { | |
1196 | ret = -ENOENT; | |
1197 | goto free_unlock; | |
1198 | } | |
511061e2 | 1199 | list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]); |
57b47a53 | 1200 | mutex_unlock(&ebt_mutex); |
6beceee5 | 1201 | return table; |
1da177e4 | 1202 | free_unlock: |
57b47a53 | 1203 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1204 | free_chainstack: |
1205 | if (newinfo->chainstack) { | |
6f912042 | 1206 | for_each_possible_cpu(i) |
1da177e4 LT |
1207 | vfree(newinfo->chainstack[i]); |
1208 | vfree(newinfo->chainstack); | |
1209 | } | |
1210 | vfree(newinfo->entries); | |
1211 | free_newinfo: | |
1212 | vfree(newinfo); | |
6beceee5 AD |
1213 | free_table: |
1214 | kfree(table); | |
1215 | out: | |
1216 | return ERR_PTR(ret); | |
1da177e4 LT |
1217 | } |
1218 | ||
f54e9367 | 1219 | void ebt_unregister_table(struct net *net, struct ebt_table *table) |
1da177e4 LT |
1220 | { |
1221 | int i; | |
1222 | ||
1223 | if (!table) { | |
1224 | BUGPRINT("Request to unregister NULL table!!!\n"); | |
1225 | return; | |
1226 | } | |
57b47a53 | 1227 | mutex_lock(&ebt_mutex); |
df0933dc | 1228 | list_del(&table->list); |
57b47a53 | 1229 | mutex_unlock(&ebt_mutex); |
dbcdf85a | 1230 | EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size, |
f54e9367 | 1231 | ebt_cleanup_entry, net, NULL); |
dbcdf85a AD |
1232 | if (table->private->nentries) |
1233 | module_put(table->me); | |
68d31872 | 1234 | vfree(table->private->entries); |
1da177e4 | 1235 | if (table->private->chainstack) { |
6f912042 | 1236 | for_each_possible_cpu(i) |
1da177e4 LT |
1237 | vfree(table->private->chainstack[i]); |
1238 | vfree(table->private->chainstack); | |
1239 | } | |
1240 | vfree(table->private); | |
6beceee5 | 1241 | kfree(table); |
1da177e4 LT |
1242 | } |
1243 | ||
1244 | /* userspace just supplied us with counters */ | |
d5d1baa1 JE |
1245 | static int update_counters(struct net *net, const void __user *user, |
1246 | unsigned int len) | |
1da177e4 LT |
1247 | { |
1248 | int i, ret; | |
1249 | struct ebt_counter *tmp; | |
1250 | struct ebt_replace hlp; | |
1251 | struct ebt_table *t; | |
1252 | ||
1253 | if (copy_from_user(&hlp, user, sizeof(hlp))) | |
1254 | return -EFAULT; | |
1255 | ||
1256 | if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter)) | |
1257 | return -EINVAL; | |
1258 | if (hlp.num_counters == 0) | |
1259 | return -EINVAL; | |
1260 | ||
837395aa | 1261 | if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) |
1da177e4 | 1262 | return -ENOMEM; |
1da177e4 | 1263 | |
511061e2 | 1264 | t = find_table_lock(net, hlp.name, &ret, &ebt_mutex); |
1da177e4 LT |
1265 | if (!t) |
1266 | goto free_tmp; | |
1267 | ||
1268 | if (hlp.num_counters != t->private->nentries) { | |
1269 | BUGPRINT("Wrong nr of counters\n"); | |
1270 | ret = -EINVAL; | |
1271 | goto unlock_mutex; | |
1272 | } | |
1273 | ||
1274 | if ( copy_from_user(tmp, hlp.counters, | |
1275 | hlp.num_counters * sizeof(struct ebt_counter)) ) { | |
1276 | BUGPRINT("Updata_counters && !cfu\n"); | |
1277 | ret = -EFAULT; | |
1278 | goto unlock_mutex; | |
1279 | } | |
1280 | ||
1281 | /* we want an atomic add of the counters */ | |
1282 | write_lock_bh(&t->lock); | |
1283 | ||
1284 | /* we add to the counters of the first cpu */ | |
1285 | for (i = 0; i < hlp.num_counters; i++) { | |
1286 | t->private->counters[i].pcnt += tmp[i].pcnt; | |
1287 | t->private->counters[i].bcnt += tmp[i].bcnt; | |
1288 | } | |
1289 | ||
1290 | write_unlock_bh(&t->lock); | |
1291 | ret = 0; | |
1292 | unlock_mutex: | |
57b47a53 | 1293 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1294 | free_tmp: |
1295 | vfree(tmp); | |
1296 | return ret; | |
1297 | } | |
1298 | ||
d5d1baa1 JE |
1299 | static inline int ebt_make_matchname(const struct ebt_entry_match *m, |
1300 | const char *base, char __user *ubase) | |
1da177e4 | 1301 | { |
1e419cd9 | 1302 | char __user *hlp = ubase + ((char *)m - base); |
1da177e4 LT |
1303 | if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN)) |
1304 | return -EFAULT; | |
1305 | return 0; | |
1306 | } | |
1307 | ||
d5d1baa1 JE |
1308 | static inline int ebt_make_watchername(const struct ebt_entry_watcher *w, |
1309 | const char *base, char __user *ubase) | |
1da177e4 | 1310 | { |
1e419cd9 | 1311 | char __user *hlp = ubase + ((char *)w - base); |
1da177e4 LT |
1312 | if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN)) |
1313 | return -EFAULT; | |
1314 | return 0; | |
1315 | } | |
1316 | ||
d5d1baa1 JE |
1317 | static inline int |
1318 | ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase) | |
1da177e4 LT |
1319 | { |
1320 | int ret; | |
1e419cd9 | 1321 | char __user *hlp; |
d5d1baa1 | 1322 | const struct ebt_entry_target *t; |
1da177e4 | 1323 | |
40642f95 | 1324 | if (e->bitmask == 0) |
1da177e4 LT |
1325 | return 0; |
1326 | ||
1e419cd9 | 1327 | hlp = ubase + (((char *)e + e->target_offset) - base); |
1da177e4 | 1328 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); |
9d6f229f | 1329 | |
1da177e4 LT |
1330 | ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase); |
1331 | if (ret != 0) | |
1332 | return ret; | |
1333 | ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase); | |
1334 | if (ret != 0) | |
1335 | return ret; | |
1336 | if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN)) | |
1337 | return -EFAULT; | |
1338 | return 0; | |
1339 | } | |
1340 | ||
837395aa FW |
1341 | static int copy_counters_to_user(struct ebt_table *t, |
1342 | const struct ebt_counter *oldcounters, | |
1343 | void __user *user, unsigned int num_counters, | |
1344 | unsigned int nentries) | |
1345 | { | |
1346 | struct ebt_counter *counterstmp; | |
1347 | int ret = 0; | |
1348 | ||
1349 | /* userspace might not need the counters */ | |
1350 | if (num_counters == 0) | |
1351 | return 0; | |
1352 | ||
1353 | if (num_counters != nentries) { | |
1354 | BUGPRINT("Num_counters wrong\n"); | |
1355 | return -EINVAL; | |
1356 | } | |
1357 | ||
1358 | counterstmp = vmalloc(nentries * sizeof(*counterstmp)); | |
1359 | if (!counterstmp) | |
1360 | return -ENOMEM; | |
1361 | ||
1362 | write_lock_bh(&t->lock); | |
1363 | get_counters(oldcounters, counterstmp, nentries); | |
1364 | write_unlock_bh(&t->lock); | |
1365 | ||
1366 | if (copy_to_user(user, counterstmp, | |
1367 | nentries * sizeof(struct ebt_counter))) | |
1368 | ret = -EFAULT; | |
1369 | vfree(counterstmp); | |
1370 | return ret; | |
1371 | } | |
1372 | ||
57b47a53 | 1373 | /* called with ebt_mutex locked */ |
1da177e4 | 1374 | static int copy_everything_to_user(struct ebt_table *t, void __user *user, |
d5d1baa1 | 1375 | const int *len, int cmd) |
1da177e4 LT |
1376 | { |
1377 | struct ebt_replace tmp; | |
d5d1baa1 | 1378 | const struct ebt_counter *oldcounters; |
1da177e4 | 1379 | unsigned int entries_size, nentries; |
837395aa | 1380 | int ret; |
1da177e4 LT |
1381 | char *entries; |
1382 | ||
1383 | if (cmd == EBT_SO_GET_ENTRIES) { | |
1384 | entries_size = t->private->entries_size; | |
1385 | nentries = t->private->nentries; | |
1386 | entries = t->private->entries; | |
1387 | oldcounters = t->private->counters; | |
1388 | } else { | |
1389 | entries_size = t->table->entries_size; | |
1390 | nentries = t->table->nentries; | |
1391 | entries = t->table->entries; | |
1392 | oldcounters = t->table->counters; | |
1393 | } | |
1394 | ||
1395 | if (copy_from_user(&tmp, user, sizeof(tmp))) { | |
1396 | BUGPRINT("Cfu didn't work\n"); | |
1397 | return -EFAULT; | |
1398 | } | |
1399 | ||
1400 | if (*len != sizeof(struct ebt_replace) + entries_size + | |
1401 | (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) { | |
1402 | BUGPRINT("Wrong size\n"); | |
1403 | return -EINVAL; | |
1404 | } | |
1405 | ||
1406 | if (tmp.nentries != nentries) { | |
1407 | BUGPRINT("Nentries wrong\n"); | |
1408 | return -EINVAL; | |
1409 | } | |
1410 | ||
1411 | if (tmp.entries_size != entries_size) { | |
1412 | BUGPRINT("Wrong size\n"); | |
1413 | return -EINVAL; | |
1414 | } | |
1415 | ||
837395aa FW |
1416 | ret = copy_counters_to_user(t, oldcounters, tmp.counters, |
1417 | tmp.num_counters, nentries); | |
1418 | if (ret) | |
1419 | return ret; | |
1da177e4 LT |
1420 | |
1421 | if (copy_to_user(tmp.entries, entries, entries_size)) { | |
1422 | BUGPRINT("Couldn't copy entries to userspace\n"); | |
1423 | return -EFAULT; | |
1424 | } | |
1425 | /* set the match/watcher/target names right */ | |
1426 | return EBT_ENTRY_ITERATE(entries, entries_size, | |
1427 | ebt_make_names, entries, tmp.entries); | |
1428 | } | |
1429 | ||
1430 | static int do_ebt_set_ctl(struct sock *sk, | |
1431 | int cmd, void __user *user, unsigned int len) | |
1432 | { | |
1433 | int ret; | |
1434 | ||
dce766af FW |
1435 | if (!capable(CAP_NET_ADMIN)) |
1436 | return -EPERM; | |
1437 | ||
1da177e4 LT |
1438 | switch(cmd) { |
1439 | case EBT_SO_SET_ENTRIES: | |
511061e2 | 1440 | ret = do_replace(sock_net(sk), user, len); |
1da177e4 LT |
1441 | break; |
1442 | case EBT_SO_SET_COUNTERS: | |
511061e2 | 1443 | ret = update_counters(sock_net(sk), user, len); |
1da177e4 LT |
1444 | break; |
1445 | default: | |
1446 | ret = -EINVAL; | |
1447 | } | |
1448 | return ret; | |
1449 | } | |
1450 | ||
1451 | static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |
1452 | { | |
1453 | int ret; | |
1454 | struct ebt_replace tmp; | |
1455 | struct ebt_table *t; | |
1456 | ||
dce766af FW |
1457 | if (!capable(CAP_NET_ADMIN)) |
1458 | return -EPERM; | |
1459 | ||
1da177e4 LT |
1460 | if (copy_from_user(&tmp, user, sizeof(tmp))) |
1461 | return -EFAULT; | |
1462 | ||
511061e2 | 1463 | t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex); |
1da177e4 LT |
1464 | if (!t) |
1465 | return ret; | |
1466 | ||
1467 | switch(cmd) { | |
1468 | case EBT_SO_GET_INFO: | |
1469 | case EBT_SO_GET_INIT_INFO: | |
1470 | if (*len != sizeof(struct ebt_replace)){ | |
1471 | ret = -EINVAL; | |
57b47a53 | 1472 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1473 | break; |
1474 | } | |
1475 | if (cmd == EBT_SO_GET_INFO) { | |
1476 | tmp.nentries = t->private->nentries; | |
1477 | tmp.entries_size = t->private->entries_size; | |
1478 | tmp.valid_hooks = t->valid_hooks; | |
1479 | } else { | |
1480 | tmp.nentries = t->table->nentries; | |
1481 | tmp.entries_size = t->table->entries_size; | |
1482 | tmp.valid_hooks = t->table->valid_hooks; | |
1483 | } | |
57b47a53 | 1484 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1485 | if (copy_to_user(user, &tmp, *len) != 0){ |
1486 | BUGPRINT("c2u Didn't work\n"); | |
1487 | ret = -EFAULT; | |
1488 | break; | |
1489 | } | |
1490 | ret = 0; | |
1491 | break; | |
1492 | ||
1493 | case EBT_SO_GET_ENTRIES: | |
1494 | case EBT_SO_GET_INIT_ENTRIES: | |
1495 | ret = copy_everything_to_user(t, user, len, cmd); | |
57b47a53 | 1496 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1497 | break; |
1498 | ||
1499 | default: | |
57b47a53 | 1500 | mutex_unlock(&ebt_mutex); |
1da177e4 LT |
1501 | ret = -EINVAL; |
1502 | } | |
1503 | ||
1504 | return ret; | |
1505 | } | |
1506 | ||
1507 | static struct nf_sockopt_ops ebt_sockopts = | |
74ca4e5a AM |
1508 | { |
1509 | .pf = PF_INET, | |
1510 | .set_optmin = EBT_BASE_CTL, | |
1511 | .set_optmax = EBT_SO_SET_MAX + 1, | |
1512 | .set = do_ebt_set_ctl, | |
1513 | .get_optmin = EBT_BASE_CTL, | |
1514 | .get_optmax = EBT_SO_GET_MAX + 1, | |
1515 | .get = do_ebt_get_ctl, | |
16fcec35 | 1516 | .owner = THIS_MODULE, |
1da177e4 LT |
1517 | }; |
1518 | ||
65b4b4e8 | 1519 | static int __init ebtables_init(void) |
1da177e4 LT |
1520 | { |
1521 | int ret; | |
1522 | ||
043ef46c JE |
1523 | ret = xt_register_target(&ebt_standard_target); |
1524 | if (ret < 0) | |
1da177e4 | 1525 | return ret; |
043ef46c JE |
1526 | ret = nf_register_sockopt(&ebt_sockopts); |
1527 | if (ret < 0) { | |
1528 | xt_unregister_target(&ebt_standard_target); | |
1529 | return ret; | |
1530 | } | |
1da177e4 | 1531 | |
a887c1c1 | 1532 | printk(KERN_INFO "Ebtables v2.0 registered\n"); |
1da177e4 LT |
1533 | return 0; |
1534 | } | |
1535 | ||
65b4b4e8 | 1536 | static void __exit ebtables_fini(void) |
1da177e4 LT |
1537 | { |
1538 | nf_unregister_sockopt(&ebt_sockopts); | |
043ef46c | 1539 | xt_unregister_target(&ebt_standard_target); |
a887c1c1 | 1540 | printk(KERN_INFO "Ebtables v2.0 unregistered\n"); |
1da177e4 LT |
1541 | } |
1542 | ||
1543 | EXPORT_SYMBOL(ebt_register_table); | |
1544 | EXPORT_SYMBOL(ebt_unregister_table); | |
1da177e4 | 1545 | EXPORT_SYMBOL(ebt_do_table); |
65b4b4e8 AM |
1546 | module_init(ebtables_init); |
1547 | module_exit(ebtables_fini); | |
1da177e4 | 1548 | MODULE_LICENSE("GPL"); |