xattr: use memdup_user()
[linux-2.6] / net / bridge / netfilter / ebtables.c
1 /*
2  *  ebtables
3  *
4  *  Author:
5  *  Bart De Schuymer            <bdschuym@pandora.be>
6  *
7  *  ebtables.c,v 2.0, July, 2002
8  *
9  *  This code is stongly inspired on the iptables code which is
10  *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11  *
12  *  This program is free software; you can redistribute it and/or
13  *  modify it under the terms of the GNU General Public License
14  *  as published by the Free Software Foundation; either version
15  *  2 of the License, or (at your option) any later version.
16  */
17
18
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
29 #include <net/sock.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
32
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34                                          "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37                                          ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
39
40
41
42 /*
43  * Each cpu has its own set of counters, so there is no need for write_lock in
44  * the softirq
45  * For reading or updating the counters, the user context needs to
46  * get a write_lock
47  */
48
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53    COUNTER_OFFSET(n) * cpu))
54
55
56
57 static DEFINE_MUTEX(ebt_mutex);
58
59 static struct xt_target ebt_standard_target = {
60         .name       = "standard",
61         .revision   = 0,
62         .family     = NFPROTO_BRIDGE,
63         .targetsize = sizeof(int),
64 };
65
66 static inline int
67 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
68                struct xt_target_param *par)
69 {
70         par->target   = w->u.watcher;
71         par->targinfo = w->data;
72         w->u.watcher->target(skb, par);
73         /* watchers don't give a verdict */
74         return 0;
75 }
76
77 static inline int ebt_do_match (struct ebt_entry_match *m,
78    const struct sk_buff *skb, struct xt_match_param *par)
79 {
80         par->match     = m->u.match;
81         par->matchinfo = m->data;
82         return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
83 }
84
85 static inline int ebt_dev_check(char *entry, const struct net_device *device)
86 {
87         int i = 0;
88         const char *devname;
89
90         if (*entry == '\0')
91                 return 0;
92         if (!device)
93                 return 1;
94         devname = device->name;
95         /* 1 is the wildcard token */
96         while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
97                 i++;
98         return (devname[i] != entry[i] && entry[i] != 1);
99 }
100
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104    const struct net_device *in, const struct net_device *out)
105 {
106         int verdict, i;
107
108         if (e->bitmask & EBT_802_3) {
109                 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
110                         return 1;
111         } else if (!(e->bitmask & EBT_NOPROTO) &&
112            FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
113                 return 1;
114
115         if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
116                 return 1;
117         if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
118                 return 1;
119         if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120            e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
121                 return 1;
122         if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123            e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
124                 return 1;
125
126         if (e->bitmask & EBT_SOURCEMAC) {
127                 verdict = 0;
128                 for (i = 0; i < 6; i++)
129                         verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
130                            e->sourcemsk[i];
131                 if (FWINV2(verdict != 0, EBT_ISOURCE) )
132                         return 1;
133         }
134         if (e->bitmask & EBT_DESTMAC) {
135                 verdict = 0;
136                 for (i = 0; i < 6; i++)
137                         verdict |= (h->h_dest[i] ^ e->destmac[i]) &
138                            e->destmsk[i];
139                 if (FWINV2(verdict != 0, EBT_IDEST) )
140                         return 1;
141         }
142         return 0;
143 }
144
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
147    const struct net_device *in, const struct net_device *out,
148    struct ebt_table *table)
149 {
150         int i, nentries;
151         struct ebt_entry *point;
152         struct ebt_counter *counter_base, *cb_base;
153         struct ebt_entry_target *t;
154         int verdict, sp = 0;
155         struct ebt_chainstack *cs;
156         struct ebt_entries *chaininfo;
157         char *base;
158         struct ebt_table_info *private;
159         bool hotdrop = false;
160         struct xt_match_param mtpar;
161         struct xt_target_param tgpar;
162
163         mtpar.family  = tgpar.family = NFPROTO_BRIDGE;
164         mtpar.in      = tgpar.in  = in;
165         mtpar.out     = tgpar.out = out;
166         mtpar.hotdrop = &hotdrop;
167         tgpar.hooknum = hook;
168
169         read_lock_bh(&table->lock);
170         private = table->private;
171         cb_base = COUNTER_BASE(private->counters, private->nentries,
172            smp_processor_id());
173         if (private->chainstack)
174                 cs = private->chainstack[smp_processor_id()];
175         else
176                 cs = NULL;
177         chaininfo = private->hook_entry[hook];
178         nentries = private->hook_entry[hook]->nentries;
179         point = (struct ebt_entry *)(private->hook_entry[hook]->data);
180         counter_base = cb_base + private->hook_entry[hook]->counter_offset;
181         /* base for chain jumps */
182         base = private->entries;
183         i = 0;
184         while (i < nentries) {
185                 if (ebt_basic_match(point, eth_hdr(skb), in, out))
186                         goto letscontinue;
187
188                 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
189                         goto letscontinue;
190                 if (hotdrop) {
191                         read_unlock_bh(&table->lock);
192                         return NF_DROP;
193                 }
194
195                 /* increase counter */
196                 (*(counter_base + i)).pcnt++;
197                 (*(counter_base + i)).bcnt += skb->len;
198
199                 /* these should only watch: not modify, nor tell us
200                    what to do with the packet */
201                 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
202
203                 t = (struct ebt_entry_target *)
204                    (((char *)point) + point->target_offset);
205                 /* standard target */
206                 if (!t->u.target->target)
207                         verdict = ((struct ebt_standard_target *)t)->verdict;
208                 else {
209                         tgpar.target   = t->u.target;
210                         tgpar.targinfo = t->data;
211                         verdict = t->u.target->target(skb, &tgpar);
212                 }
213                 if (verdict == EBT_ACCEPT) {
214                         read_unlock_bh(&table->lock);
215                         return NF_ACCEPT;
216                 }
217                 if (verdict == EBT_DROP) {
218                         read_unlock_bh(&table->lock);
219                         return NF_DROP;
220                 }
221                 if (verdict == EBT_RETURN) {
222 letsreturn:
223 #ifdef CONFIG_NETFILTER_DEBUG
224                         if (sp == 0) {
225                                 BUGPRINT("RETURN on base chain");
226                                 /* act like this is EBT_CONTINUE */
227                                 goto letscontinue;
228                         }
229 #endif
230                         sp--;
231                         /* put all the local variables right */
232                         i = cs[sp].n;
233                         chaininfo = cs[sp].chaininfo;
234                         nentries = chaininfo->nentries;
235                         point = cs[sp].e;
236                         counter_base = cb_base +
237                            chaininfo->counter_offset;
238                         continue;
239                 }
240                 if (verdict == EBT_CONTINUE)
241                         goto letscontinue;
242 #ifdef CONFIG_NETFILTER_DEBUG
243                 if (verdict < 0) {
244                         BUGPRINT("bogus standard verdict\n");
245                         read_unlock_bh(&table->lock);
246                         return NF_DROP;
247                 }
248 #endif
249                 /* jump to a udc */
250                 cs[sp].n = i + 1;
251                 cs[sp].chaininfo = chaininfo;
252                 cs[sp].e = (struct ebt_entry *)
253                    (((char *)point) + point->next_offset);
254                 i = 0;
255                 chaininfo = (struct ebt_entries *) (base + verdict);
256 #ifdef CONFIG_NETFILTER_DEBUG
257                 if (chaininfo->distinguisher) {
258                         BUGPRINT("jump to non-chain\n");
259                         read_unlock_bh(&table->lock);
260                         return NF_DROP;
261                 }
262 #endif
263                 nentries = chaininfo->nentries;
264                 point = (struct ebt_entry *)chaininfo->data;
265                 counter_base = cb_base + chaininfo->counter_offset;
266                 sp++;
267                 continue;
268 letscontinue:
269                 point = (struct ebt_entry *)
270                    (((char *)point) + point->next_offset);
271                 i++;
272         }
273
274         /* I actually like this :) */
275         if (chaininfo->policy == EBT_RETURN)
276                 goto letsreturn;
277         if (chaininfo->policy == EBT_ACCEPT) {
278                 read_unlock_bh(&table->lock);
279                 return NF_ACCEPT;
280         }
281         read_unlock_bh(&table->lock);
282         return NF_DROP;
283 }
284
285 /* If it succeeds, returns element and locks mutex */
286 static inline void *
287 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
288    struct mutex *mutex)
289 {
290         struct {
291                 struct list_head list;
292                 char name[EBT_FUNCTION_MAXNAMELEN];
293         } *e;
294
295         *error = mutex_lock_interruptible(mutex);
296         if (*error != 0)
297                 return NULL;
298
299         list_for_each_entry(e, head, list) {
300                 if (strcmp(e->name, name) == 0)
301                         return e;
302         }
303         *error = -ENOENT;
304         mutex_unlock(mutex);
305         return NULL;
306 }
307
308 static void *
309 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
310    int *error, struct mutex *mutex)
311 {
312         return try_then_request_module(
313                         find_inlist_lock_noload(head, name, error, mutex),
314                         "%s%s", prefix, name);
315 }
316
317 static inline struct ebt_table *
318 find_table_lock(struct net *net, const char *name, int *error,
319                 struct mutex *mutex)
320 {
321         return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
322                                 "ebtable_", error, mutex);
323 }
324
325 static inline int
326 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
327                 unsigned int *cnt)
328 {
329         const struct ebt_entry *e = par->entryinfo;
330         struct xt_match *match;
331         size_t left = ((char *)e + e->watchers_offset) - (char *)m;
332         int ret;
333
334         if (left < sizeof(struct ebt_entry_match) ||
335             left - sizeof(struct ebt_entry_match) < m->match_size)
336                 return -EINVAL;
337
338         match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
339                 m->u.name, 0), "ebt_%s", m->u.name);
340         if (IS_ERR(match))
341                 return PTR_ERR(match);
342         if (match == NULL)
343                 return -ENOENT;
344         m->u.match = match;
345
346         par->match     = match;
347         par->matchinfo = m->data;
348         ret = xt_check_match(par, m->match_size,
349               e->ethproto, e->invflags & EBT_IPROTO);
350         if (ret < 0) {
351                 module_put(match->me);
352                 return ret;
353         }
354
355         (*cnt)++;
356         return 0;
357 }
358
359 static inline int
360 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
361                   unsigned int *cnt)
362 {
363         const struct ebt_entry *e = par->entryinfo;
364         struct xt_target *watcher;
365         size_t left = ((char *)e + e->target_offset) - (char *)w;
366         int ret;
367
368         if (left < sizeof(struct ebt_entry_watcher) ||
369            left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
370                 return -EINVAL;
371
372         watcher = try_then_request_module(
373                   xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
374                   "ebt_%s", w->u.name);
375         if (IS_ERR(watcher))
376                 return PTR_ERR(watcher);
377         if (watcher == NULL)
378                 return -ENOENT;
379         w->u.watcher = watcher;
380
381         par->target   = watcher;
382         par->targinfo = w->data;
383         ret = xt_check_target(par, w->watcher_size,
384               e->ethproto, e->invflags & EBT_IPROTO);
385         if (ret < 0) {
386                 module_put(watcher->me);
387                 return ret;
388         }
389
390         (*cnt)++;
391         return 0;
392 }
393
394 static int ebt_verify_pointers(struct ebt_replace *repl,
395                                struct ebt_table_info *newinfo)
396 {
397         unsigned int limit = repl->entries_size;
398         unsigned int valid_hooks = repl->valid_hooks;
399         unsigned int offset = 0;
400         int i;
401
402         for (i = 0; i < NF_BR_NUMHOOKS; i++)
403                 newinfo->hook_entry[i] = NULL;
404
405         newinfo->entries_size = repl->entries_size;
406         newinfo->nentries = repl->nentries;
407
408         while (offset < limit) {
409                 size_t left = limit - offset;
410                 struct ebt_entry *e = (void *)newinfo->entries + offset;
411
412                 if (left < sizeof(unsigned int))
413                         break;
414
415                 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
416                         if ((valid_hooks & (1 << i)) == 0)
417                                 continue;
418                         if ((char __user *)repl->hook_entry[i] ==
419                              repl->entries + offset)
420                                 break;
421                 }
422
423                 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
424                         if (e->bitmask != 0) {
425                                 /* we make userspace set this right,
426                                    so there is no misunderstanding */
427                                 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
428                                          "in distinguisher\n");
429                                 return -EINVAL;
430                         }
431                         if (i != NF_BR_NUMHOOKS)
432                                 newinfo->hook_entry[i] = (struct ebt_entries *)e;
433                         if (left < sizeof(struct ebt_entries))
434                                 break;
435                         offset += sizeof(struct ebt_entries);
436                 } else {
437                         if (left < sizeof(struct ebt_entry))
438                                 break;
439                         if (left < e->next_offset)
440                                 break;
441                         offset += e->next_offset;
442                 }
443         }
444         if (offset != limit) {
445                 BUGPRINT("entries_size too small\n");
446                 return -EINVAL;
447         }
448
449         /* check if all valid hooks have a chain */
450         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
451                 if (!newinfo->hook_entry[i] &&
452                    (valid_hooks & (1 << i))) {
453                         BUGPRINT("Valid hook without chain\n");
454                         return -EINVAL;
455                 }
456         }
457         return 0;
458 }
459
460 /*
461  * this one is very careful, as it is the first function
462  * to parse the userspace data
463  */
464 static inline int
465 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
466    struct ebt_table_info *newinfo,
467    unsigned int *n, unsigned int *cnt,
468    unsigned int *totalcnt, unsigned int *udc_cnt)
469 {
470         int i;
471
472         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
473                 if ((void *)e == (void *)newinfo->hook_entry[i])
474                         break;
475         }
476         /* beginning of a new chain
477            if i == NF_BR_NUMHOOKS it must be a user defined chain */
478         if (i != NF_BR_NUMHOOKS || !e->bitmask) {
479                 /* this checks if the previous chain has as many entries
480                    as it said it has */
481                 if (*n != *cnt) {
482                         BUGPRINT("nentries does not equal the nr of entries "
483                                  "in the chain\n");
484                         return -EINVAL;
485                 }
486                 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
487                    ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
488                         /* only RETURN from udc */
489                         if (i != NF_BR_NUMHOOKS ||
490                            ((struct ebt_entries *)e)->policy != EBT_RETURN) {
491                                 BUGPRINT("bad policy\n");
492                                 return -EINVAL;
493                         }
494                 }
495                 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
496                         (*udc_cnt)++;
497                 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
498                         BUGPRINT("counter_offset != totalcnt");
499                         return -EINVAL;
500                 }
501                 *n = ((struct ebt_entries *)e)->nentries;
502                 *cnt = 0;
503                 return 0;
504         }
505         /* a plain old entry, heh */
506         if (sizeof(struct ebt_entry) > e->watchers_offset ||
507            e->watchers_offset > e->target_offset ||
508            e->target_offset >= e->next_offset) {
509                 BUGPRINT("entry offsets not in right order\n");
510                 return -EINVAL;
511         }
512         /* this is not checked anywhere else */
513         if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
514                 BUGPRINT("target size too small\n");
515                 return -EINVAL;
516         }
517         (*cnt)++;
518         (*totalcnt)++;
519         return 0;
520 }
521
522 struct ebt_cl_stack
523 {
524         struct ebt_chainstack cs;
525         int from;
526         unsigned int hookmask;
527 };
528
529 /*
530  * we need these positions to check that the jumps to a different part of the
531  * entries is a jump to the beginning of a new chain.
532  */
533 static inline int
534 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
535    unsigned int *n, struct ebt_cl_stack *udc)
536 {
537         int i;
538
539         /* we're only interested in chain starts */
540         if (e->bitmask)
541                 return 0;
542         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
543                 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
544                         break;
545         }
546         /* only care about udc */
547         if (i != NF_BR_NUMHOOKS)
548                 return 0;
549
550         udc[*n].cs.chaininfo = (struct ebt_entries *)e;
551         /* these initialisations are depended on later in check_chainloops() */
552         udc[*n].cs.n = 0;
553         udc[*n].hookmask = 0;
554
555         (*n)++;
556         return 0;
557 }
558
559 static inline int
560 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
561 {
562         struct xt_mtdtor_param par;
563
564         if (i && (*i)-- == 0)
565                 return 1;
566
567         par.match     = m->u.match;
568         par.matchinfo = m->data;
569         par.family    = NFPROTO_BRIDGE;
570         if (par.match->destroy != NULL)
571                 par.match->destroy(&par);
572         module_put(par.match->me);
573         return 0;
574 }
575
576 static inline int
577 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
578 {
579         struct xt_tgdtor_param par;
580
581         if (i && (*i)-- == 0)
582                 return 1;
583
584         par.target   = w->u.watcher;
585         par.targinfo = w->data;
586         par.family   = NFPROTO_BRIDGE;
587         if (par.target->destroy != NULL)
588                 par.target->destroy(&par);
589         module_put(par.target->me);
590         return 0;
591 }
592
593 static inline int
594 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
595 {
596         struct xt_tgdtor_param par;
597         struct ebt_entry_target *t;
598
599         if (e->bitmask == 0)
600                 return 0;
601         /* we're done */
602         if (cnt && (*cnt)-- == 0)
603                 return 1;
604         EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
605         EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
606         t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
607
608         par.target   = t->u.target;
609         par.targinfo = t->data;
610         par.family   = NFPROTO_BRIDGE;
611         if (par.target->destroy != NULL)
612                 par.target->destroy(&par);
613         module_put(par.target->me);
614         return 0;
615 }
616
617 static inline int
618 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
619    const char *name, unsigned int *cnt,
620    struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
621 {
622         struct ebt_entry_target *t;
623         struct xt_target *target;
624         unsigned int i, j, hook = 0, hookmask = 0;
625         size_t gap;
626         int ret;
627         struct xt_mtchk_param mtpar;
628         struct xt_tgchk_param tgpar;
629
630         /* don't mess with the struct ebt_entries */
631         if (e->bitmask == 0)
632                 return 0;
633
634         if (e->bitmask & ~EBT_F_MASK) {
635                 BUGPRINT("Unknown flag for bitmask\n");
636                 return -EINVAL;
637         }
638         if (e->invflags & ~EBT_INV_MASK) {
639                 BUGPRINT("Unknown flag for inv bitmask\n");
640                 return -EINVAL;
641         }
642         if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
643                 BUGPRINT("NOPROTO & 802_3 not allowed\n");
644                 return -EINVAL;
645         }
646         /* what hook do we belong to? */
647         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
648                 if (!newinfo->hook_entry[i])
649                         continue;
650                 if ((char *)newinfo->hook_entry[i] < (char *)e)
651                         hook = i;
652                 else
653                         break;
654         }
655         /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
656            a base chain */
657         if (i < NF_BR_NUMHOOKS)
658                 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
659         else {
660                 for (i = 0; i < udc_cnt; i++)
661                         if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
662                                 break;
663                 if (i == 0)
664                         hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
665                 else
666                         hookmask = cl_s[i - 1].hookmask;
667         }
668         i = 0;
669
670         mtpar.table     = tgpar.table     = name;
671         mtpar.entryinfo = tgpar.entryinfo = e;
672         mtpar.hook_mask = tgpar.hook_mask = hookmask;
673         mtpar.family    = tgpar.family    = NFPROTO_BRIDGE;
674         ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
675         if (ret != 0)
676                 goto cleanup_matches;
677         j = 0;
678         ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
679         if (ret != 0)
680                 goto cleanup_watchers;
681         t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
682         gap = e->next_offset - e->target_offset;
683
684         target = try_then_request_module(
685                  xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
686                  "ebt_%s", t->u.name);
687         if (IS_ERR(target)) {
688                 ret = PTR_ERR(target);
689                 goto cleanup_watchers;
690         } else if (target == NULL) {
691                 ret = -ENOENT;
692                 goto cleanup_watchers;
693         }
694
695         t->u.target = target;
696         if (t->u.target == &ebt_standard_target) {
697                 if (gap < sizeof(struct ebt_standard_target)) {
698                         BUGPRINT("Standard target size too big\n");
699                         ret = -EFAULT;
700                         goto cleanup_watchers;
701                 }
702                 if (((struct ebt_standard_target *)t)->verdict <
703                    -NUM_STANDARD_TARGETS) {
704                         BUGPRINT("Invalid standard target\n");
705                         ret = -EFAULT;
706                         goto cleanup_watchers;
707                 }
708         } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
709                 module_put(t->u.target->me);
710                 ret = -EFAULT;
711                 goto cleanup_watchers;
712         }
713
714         tgpar.target   = target;
715         tgpar.targinfo = t->data;
716         ret = xt_check_target(&tgpar, t->target_size,
717               e->ethproto, e->invflags & EBT_IPROTO);
718         if (ret < 0) {
719                 module_put(target->me);
720                 goto cleanup_watchers;
721         }
722         (*cnt)++;
723         return 0;
724 cleanup_watchers:
725         EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
726 cleanup_matches:
727         EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
728         return ret;
729 }
730
731 /*
732  * checks for loops and sets the hook mask for udc
733  * the hook mask for udc tells us from which base chains the udc can be
734  * accessed. This mask is a parameter to the check() functions of the extensions
735  */
736 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
737    unsigned int udc_cnt, unsigned int hooknr, char *base)
738 {
739         int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
740         struct ebt_entry *e = (struct ebt_entry *)chain->data;
741         struct ebt_entry_target *t;
742
743         while (pos < nentries || chain_nr != -1) {
744                 /* end of udc, go back one 'recursion' step */
745                 if (pos == nentries) {
746                         /* put back values of the time when this chain was called */
747                         e = cl_s[chain_nr].cs.e;
748                         if (cl_s[chain_nr].from != -1)
749                                 nentries =
750                                 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
751                         else
752                                 nentries = chain->nentries;
753                         pos = cl_s[chain_nr].cs.n;
754                         /* make sure we won't see a loop that isn't one */
755                         cl_s[chain_nr].cs.n = 0;
756                         chain_nr = cl_s[chain_nr].from;
757                         if (pos == nentries)
758                                 continue;
759                 }
760                 t = (struct ebt_entry_target *)
761                    (((char *)e) + e->target_offset);
762                 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
763                         goto letscontinue;
764                 if (e->target_offset + sizeof(struct ebt_standard_target) >
765                    e->next_offset) {
766                         BUGPRINT("Standard target size too big\n");
767                         return -1;
768                 }
769                 verdict = ((struct ebt_standard_target *)t)->verdict;
770                 if (verdict >= 0) { /* jump to another chain */
771                         struct ebt_entries *hlp2 =
772                            (struct ebt_entries *)(base + verdict);
773                         for (i = 0; i < udc_cnt; i++)
774                                 if (hlp2 == cl_s[i].cs.chaininfo)
775                                         break;
776                         /* bad destination or loop */
777                         if (i == udc_cnt) {
778                                 BUGPRINT("bad destination\n");
779                                 return -1;
780                         }
781                         if (cl_s[i].cs.n) {
782                                 BUGPRINT("loop\n");
783                                 return -1;
784                         }
785                         if (cl_s[i].hookmask & (1 << hooknr))
786                                 goto letscontinue;
787                         /* this can't be 0, so the loop test is correct */
788                         cl_s[i].cs.n = pos + 1;
789                         pos = 0;
790                         cl_s[i].cs.e = ((void *)e + e->next_offset);
791                         e = (struct ebt_entry *)(hlp2->data);
792                         nentries = hlp2->nentries;
793                         cl_s[i].from = chain_nr;
794                         chain_nr = i;
795                         /* this udc is accessible from the base chain for hooknr */
796                         cl_s[i].hookmask |= (1 << hooknr);
797                         continue;
798                 }
799 letscontinue:
800                 e = (void *)e + e->next_offset;
801                 pos++;
802         }
803         return 0;
804 }
805
806 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
807 static int translate_table(char *name, struct ebt_table_info *newinfo)
808 {
809         unsigned int i, j, k, udc_cnt;
810         int ret;
811         struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
812
813         i = 0;
814         while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
815                 i++;
816         if (i == NF_BR_NUMHOOKS) {
817                 BUGPRINT("No valid hooks specified\n");
818                 return -EINVAL;
819         }
820         if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
821                 BUGPRINT("Chains don't start at beginning\n");
822                 return -EINVAL;
823         }
824         /* make sure chains are ordered after each other in same order
825            as their corresponding hooks */
826         for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
827                 if (!newinfo->hook_entry[j])
828                         continue;
829                 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
830                         BUGPRINT("Hook order must be followed\n");
831                         return -EINVAL;
832                 }
833                 i = j;
834         }
835
836         /* do some early checkings and initialize some things */
837         i = 0; /* holds the expected nr. of entries for the chain */
838         j = 0; /* holds the up to now counted entries for the chain */
839         k = 0; /* holds the total nr. of entries, should equal
840                   newinfo->nentries afterwards */
841         udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
842         ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
843            ebt_check_entry_size_and_hooks, newinfo,
844            &i, &j, &k, &udc_cnt);
845
846         if (ret != 0)
847                 return ret;
848
849         if (i != j) {
850                 BUGPRINT("nentries does not equal the nr of entries in the "
851                          "(last) chain\n");
852                 return -EINVAL;
853         }
854         if (k != newinfo->nentries) {
855                 BUGPRINT("Total nentries is wrong\n");
856                 return -EINVAL;
857         }
858
859         /* get the location of the udc, put them in an array
860            while we're at it, allocate the chainstack */
861         if (udc_cnt) {
862                 /* this will get free'd in do_replace()/ebt_register_table()
863                    if an error occurs */
864                 newinfo->chainstack =
865                         vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
866                 if (!newinfo->chainstack)
867                         return -ENOMEM;
868                 for_each_possible_cpu(i) {
869                         newinfo->chainstack[i] =
870                           vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
871                         if (!newinfo->chainstack[i]) {
872                                 while (i)
873                                         vfree(newinfo->chainstack[--i]);
874                                 vfree(newinfo->chainstack);
875                                 newinfo->chainstack = NULL;
876                                 return -ENOMEM;
877                         }
878                 }
879
880                 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
881                 if (!cl_s)
882                         return -ENOMEM;
883                 i = 0; /* the i'th udc */
884                 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
885                    ebt_get_udc_positions, newinfo, &i, cl_s);
886                 /* sanity check */
887                 if (i != udc_cnt) {
888                         BUGPRINT("i != udc_cnt\n");
889                         vfree(cl_s);
890                         return -EFAULT;
891                 }
892         }
893
894         /* Check for loops */
895         for (i = 0; i < NF_BR_NUMHOOKS; i++)
896                 if (newinfo->hook_entry[i])
897                         if (check_chainloops(newinfo->hook_entry[i],
898                            cl_s, udc_cnt, i, newinfo->entries)) {
899                                 vfree(cl_s);
900                                 return -EINVAL;
901                         }
902
903         /* we now know the following (along with E=mc²):
904            - the nr of entries in each chain is right
905            - the size of the allocated space is right
906            - all valid hooks have a corresponding chain
907            - there are no loops
908            - wrong data can still be on the level of a single entry
909            - could be there are jumps to places that are not the
910              beginning of a chain. This can only occur in chains that
911              are not accessible from any base chains, so we don't care. */
912
913         /* used to know what we need to clean up if something goes wrong */
914         i = 0;
915         ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
916            ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
917         if (ret != 0) {
918                 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
919                    ebt_cleanup_entry, &i);
920         }
921         vfree(cl_s);
922         return ret;
923 }
924
925 /* called under write_lock */
926 static void get_counters(struct ebt_counter *oldcounters,
927    struct ebt_counter *counters, unsigned int nentries)
928 {
929         int i, cpu;
930         struct ebt_counter *counter_base;
931
932         /* counters of cpu 0 */
933         memcpy(counters, oldcounters,
934                sizeof(struct ebt_counter) * nentries);
935
936         /* add other counters to those of cpu 0 */
937         for_each_possible_cpu(cpu) {
938                 if (cpu == 0)
939                         continue;
940                 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
941                 for (i = 0; i < nentries; i++) {
942                         counters[i].pcnt += counter_base[i].pcnt;
943                         counters[i].bcnt += counter_base[i].bcnt;
944                 }
945         }
946 }
947
948 /* replace the table */
949 static int do_replace(struct net *net, void __user *user, unsigned int len)
950 {
951         int ret, i, countersize;
952         struct ebt_table_info *newinfo;
953         struct ebt_replace tmp;
954         struct ebt_table *t;
955         struct ebt_counter *counterstmp = NULL;
956         /* used to be able to unlock earlier */
957         struct ebt_table_info *table;
958
959         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
960                 return -EFAULT;
961
962         if (len != sizeof(tmp) + tmp.entries_size) {
963                 BUGPRINT("Wrong len argument\n");
964                 return -EINVAL;
965         }
966
967         if (tmp.entries_size == 0) {
968                 BUGPRINT("Entries_size never zero\n");
969                 return -EINVAL;
970         }
971         /* overflow check */
972         if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
973                         SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
974                 return -ENOMEM;
975         if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
976                 return -ENOMEM;
977
978         countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
979         newinfo = vmalloc(sizeof(*newinfo) + countersize);
980         if (!newinfo)
981                 return -ENOMEM;
982
983         if (countersize)
984                 memset(newinfo->counters, 0, countersize);
985
986         newinfo->entries = vmalloc(tmp.entries_size);
987         if (!newinfo->entries) {
988                 ret = -ENOMEM;
989                 goto free_newinfo;
990         }
991         if (copy_from_user(
992            newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
993                 BUGPRINT("Couldn't copy entries from userspace\n");
994                 ret = -EFAULT;
995                 goto free_entries;
996         }
997
998         /* the user wants counters back
999            the check on the size is done later, when we have the lock */
1000         if (tmp.num_counters) {
1001                 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1002                 if (!counterstmp) {
1003                         ret = -ENOMEM;
1004                         goto free_entries;
1005                 }
1006         }
1007         else
1008                 counterstmp = NULL;
1009
1010         /* this can get initialized by translate_table() */
1011         newinfo->chainstack = NULL;
1012         ret = ebt_verify_pointers(&tmp, newinfo);
1013         if (ret != 0)
1014                 goto free_counterstmp;
1015
1016         ret = translate_table(tmp.name, newinfo);
1017
1018         if (ret != 0)
1019                 goto free_counterstmp;
1020
1021         t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1022         if (!t) {
1023                 ret = -ENOENT;
1024                 goto free_iterate;
1025         }
1026
1027         /* the table doesn't like it */
1028         if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1029                 goto free_unlock;
1030
1031         if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1032                 BUGPRINT("Wrong nr. of counters requested\n");
1033                 ret = -EINVAL;
1034                 goto free_unlock;
1035         }
1036
1037         /* we have the mutex lock, so no danger in reading this pointer */
1038         table = t->private;
1039         /* make sure the table can only be rmmod'ed if it contains no rules */
1040         if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1041                 ret = -ENOENT;
1042                 goto free_unlock;
1043         } else if (table->nentries && !newinfo->nentries)
1044                 module_put(t->me);
1045         /* we need an atomic snapshot of the counters */
1046         write_lock_bh(&t->lock);
1047         if (tmp.num_counters)
1048                 get_counters(t->private->counters, counterstmp,
1049                    t->private->nentries);
1050
1051         t->private = newinfo;
1052         write_unlock_bh(&t->lock);
1053         mutex_unlock(&ebt_mutex);
1054         /* so, a user can change the chains while having messed up her counter
1055            allocation. Only reason why this is done is because this way the lock
1056            is held only once, while this doesn't bring the kernel into a
1057            dangerous state. */
1058         if (tmp.num_counters &&
1059            copy_to_user(tmp.counters, counterstmp,
1060            tmp.num_counters * sizeof(struct ebt_counter))) {
1061                 BUGPRINT("Couldn't copy counters to userspace\n");
1062                 ret = -EFAULT;
1063         }
1064         else
1065                 ret = 0;
1066
1067         /* decrease module count and free resources */
1068         EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1069            ebt_cleanup_entry, NULL);
1070
1071         vfree(table->entries);
1072         if (table->chainstack) {
1073                 for_each_possible_cpu(i)
1074                         vfree(table->chainstack[i]);
1075                 vfree(table->chainstack);
1076         }
1077         vfree(table);
1078
1079         vfree(counterstmp);
1080         return ret;
1081
1082 free_unlock:
1083         mutex_unlock(&ebt_mutex);
1084 free_iterate:
1085         EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1086            ebt_cleanup_entry, NULL);
1087 free_counterstmp:
1088         vfree(counterstmp);
1089         /* can be initialized in translate_table() */
1090         if (newinfo->chainstack) {
1091                 for_each_possible_cpu(i)
1092                         vfree(newinfo->chainstack[i]);
1093                 vfree(newinfo->chainstack);
1094         }
1095 free_entries:
1096         vfree(newinfo->entries);
1097 free_newinfo:
1098         vfree(newinfo);
1099         return ret;
1100 }
1101
1102 struct ebt_table *ebt_register_table(struct net *net, struct ebt_table *table)
1103 {
1104         struct ebt_table_info *newinfo;
1105         struct ebt_table *t;
1106         struct ebt_replace_kernel *repl;
1107         int ret, i, countersize;
1108         void *p;
1109
1110         if (!table || !(repl = table->table) || !repl->entries ||
1111             repl->entries_size == 0 ||
1112             repl->counters || table->private) {
1113                 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1114                 return ERR_PTR(-EINVAL);
1115         }
1116
1117         /* Don't add one table to multiple lists. */
1118         table = kmemdup(table, sizeof(struct ebt_table), GFP_KERNEL);
1119         if (!table) {
1120                 ret = -ENOMEM;
1121                 goto out;
1122         }
1123
1124         countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1125         newinfo = vmalloc(sizeof(*newinfo) + countersize);
1126         ret = -ENOMEM;
1127         if (!newinfo)
1128                 goto free_table;
1129
1130         p = vmalloc(repl->entries_size);
1131         if (!p)
1132                 goto free_newinfo;
1133
1134         memcpy(p, repl->entries, repl->entries_size);
1135         newinfo->entries = p;
1136
1137         newinfo->entries_size = repl->entries_size;
1138         newinfo->nentries = repl->nentries;
1139
1140         if (countersize)
1141                 memset(newinfo->counters, 0, countersize);
1142
1143         /* fill in newinfo and parse the entries */
1144         newinfo->chainstack = NULL;
1145         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1146                 if ((repl->valid_hooks & (1 << i)) == 0)
1147                         newinfo->hook_entry[i] = NULL;
1148                 else
1149                         newinfo->hook_entry[i] = p +
1150                                 ((char *)repl->hook_entry[i] - repl->entries);
1151         }
1152         ret = translate_table(repl->name, newinfo);
1153         if (ret != 0) {
1154                 BUGPRINT("Translate_table failed\n");
1155                 goto free_chainstack;
1156         }
1157
1158         if (table->check && table->check(newinfo, table->valid_hooks)) {
1159                 BUGPRINT("The table doesn't like its own initial data, lol\n");
1160                 return ERR_PTR(-EINVAL);
1161         }
1162
1163         table->private = newinfo;
1164         rwlock_init(&table->lock);
1165         ret = mutex_lock_interruptible(&ebt_mutex);
1166         if (ret != 0)
1167                 goto free_chainstack;
1168
1169         list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1170                 if (strcmp(t->name, table->name) == 0) {
1171                         ret = -EEXIST;
1172                         BUGPRINT("Table name already exists\n");
1173                         goto free_unlock;
1174                 }
1175         }
1176
1177         /* Hold a reference count if the chains aren't empty */
1178         if (newinfo->nentries && !try_module_get(table->me)) {
1179                 ret = -ENOENT;
1180                 goto free_unlock;
1181         }
1182         list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1183         mutex_unlock(&ebt_mutex);
1184         return table;
1185 free_unlock:
1186         mutex_unlock(&ebt_mutex);
1187 free_chainstack:
1188         if (newinfo->chainstack) {
1189                 for_each_possible_cpu(i)
1190                         vfree(newinfo->chainstack[i]);
1191                 vfree(newinfo->chainstack);
1192         }
1193         vfree(newinfo->entries);
1194 free_newinfo:
1195         vfree(newinfo);
1196 free_table:
1197         kfree(table);
1198 out:
1199         return ERR_PTR(ret);
1200 }
1201
1202 void ebt_unregister_table(struct ebt_table *table)
1203 {
1204         int i;
1205
1206         if (!table) {
1207                 BUGPRINT("Request to unregister NULL table!!!\n");
1208                 return;
1209         }
1210         mutex_lock(&ebt_mutex);
1211         list_del(&table->list);
1212         mutex_unlock(&ebt_mutex);
1213         EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1214                           ebt_cleanup_entry, NULL);
1215         if (table->private->nentries)
1216                 module_put(table->me);
1217         vfree(table->private->entries);
1218         if (table->private->chainstack) {
1219                 for_each_possible_cpu(i)
1220                         vfree(table->private->chainstack[i]);
1221                 vfree(table->private->chainstack);
1222         }
1223         vfree(table->private);
1224         kfree(table);
1225 }
1226
1227 /* userspace just supplied us with counters */
1228 static int update_counters(struct net *net, void __user *user, unsigned int len)
1229 {
1230         int i, ret;
1231         struct ebt_counter *tmp;
1232         struct ebt_replace hlp;
1233         struct ebt_table *t;
1234
1235         if (copy_from_user(&hlp, user, sizeof(hlp)))
1236                 return -EFAULT;
1237
1238         if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1239                 return -EINVAL;
1240         if (hlp.num_counters == 0)
1241                 return -EINVAL;
1242
1243         if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1244                 MEMPRINT("Update_counters && nomemory\n");
1245                 return -ENOMEM;
1246         }
1247
1248         t = find_table_lock(net, hlp.name, &ret, &ebt_mutex);
1249         if (!t)
1250                 goto free_tmp;
1251
1252         if (hlp.num_counters != t->private->nentries) {
1253                 BUGPRINT("Wrong nr of counters\n");
1254                 ret = -EINVAL;
1255                 goto unlock_mutex;
1256         }
1257
1258         if ( copy_from_user(tmp, hlp.counters,
1259            hlp.num_counters * sizeof(struct ebt_counter)) ) {
1260                 BUGPRINT("Updata_counters && !cfu\n");
1261                 ret = -EFAULT;
1262                 goto unlock_mutex;
1263         }
1264
1265         /* we want an atomic add of the counters */
1266         write_lock_bh(&t->lock);
1267
1268         /* we add to the counters of the first cpu */
1269         for (i = 0; i < hlp.num_counters; i++) {
1270                 t->private->counters[i].pcnt += tmp[i].pcnt;
1271                 t->private->counters[i].bcnt += tmp[i].bcnt;
1272         }
1273
1274         write_unlock_bh(&t->lock);
1275         ret = 0;
1276 unlock_mutex:
1277         mutex_unlock(&ebt_mutex);
1278 free_tmp:
1279         vfree(tmp);
1280         return ret;
1281 }
1282
1283 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1284    char *base, char __user *ubase)
1285 {
1286         char __user *hlp = ubase + ((char *)m - base);
1287         if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1288                 return -EFAULT;
1289         return 0;
1290 }
1291
1292 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1293    char *base, char __user *ubase)
1294 {
1295         char __user *hlp = ubase + ((char *)w - base);
1296         if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1297                 return -EFAULT;
1298         return 0;
1299 }
1300
1301 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1302 {
1303         int ret;
1304         char __user *hlp;
1305         struct ebt_entry_target *t;
1306
1307         if (e->bitmask == 0)
1308                 return 0;
1309
1310         hlp = ubase + (((char *)e + e->target_offset) - base);
1311         t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1312
1313         ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1314         if (ret != 0)
1315                 return ret;
1316         ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1317         if (ret != 0)
1318                 return ret;
1319         if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1320                 return -EFAULT;
1321         return 0;
1322 }
1323
1324 /* called with ebt_mutex locked */
1325 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1326    int *len, int cmd)
1327 {
1328         struct ebt_replace tmp;
1329         struct ebt_counter *counterstmp, *oldcounters;
1330         unsigned int entries_size, nentries;
1331         char *entries;
1332
1333         if (cmd == EBT_SO_GET_ENTRIES) {
1334                 entries_size = t->private->entries_size;
1335                 nentries = t->private->nentries;
1336                 entries = t->private->entries;
1337                 oldcounters = t->private->counters;
1338         } else {
1339                 entries_size = t->table->entries_size;
1340                 nentries = t->table->nentries;
1341                 entries = t->table->entries;
1342                 oldcounters = t->table->counters;
1343         }
1344
1345         if (copy_from_user(&tmp, user, sizeof(tmp))) {
1346                 BUGPRINT("Cfu didn't work\n");
1347                 return -EFAULT;
1348         }
1349
1350         if (*len != sizeof(struct ebt_replace) + entries_size +
1351            (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1352                 BUGPRINT("Wrong size\n");
1353                 return -EINVAL;
1354         }
1355
1356         if (tmp.nentries != nentries) {
1357                 BUGPRINT("Nentries wrong\n");
1358                 return -EINVAL;
1359         }
1360
1361         if (tmp.entries_size != entries_size) {
1362                 BUGPRINT("Wrong size\n");
1363                 return -EINVAL;
1364         }
1365
1366         /* userspace might not need the counters */
1367         if (tmp.num_counters) {
1368                 if (tmp.num_counters != nentries) {
1369                         BUGPRINT("Num_counters wrong\n");
1370                         return -EINVAL;
1371                 }
1372                 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1373                 if (!counterstmp) {
1374                         MEMPRINT("Couldn't copy counters, out of memory\n");
1375                         return -ENOMEM;
1376                 }
1377                 write_lock_bh(&t->lock);
1378                 get_counters(oldcounters, counterstmp, nentries);
1379                 write_unlock_bh(&t->lock);
1380
1381                 if (copy_to_user(tmp.counters, counterstmp,
1382                    nentries * sizeof(struct ebt_counter))) {
1383                         BUGPRINT("Couldn't copy counters to userspace\n");
1384                         vfree(counterstmp);
1385                         return -EFAULT;
1386                 }
1387                 vfree(counterstmp);
1388         }
1389
1390         if (copy_to_user(tmp.entries, entries, entries_size)) {
1391                 BUGPRINT("Couldn't copy entries to userspace\n");
1392                 return -EFAULT;
1393         }
1394         /* set the match/watcher/target names right */
1395         return EBT_ENTRY_ITERATE(entries, entries_size,
1396            ebt_make_names, entries, tmp.entries);
1397 }
1398
1399 static int do_ebt_set_ctl(struct sock *sk,
1400         int cmd, void __user *user, unsigned int len)
1401 {
1402         int ret;
1403
1404         switch(cmd) {
1405         case EBT_SO_SET_ENTRIES:
1406                 ret = do_replace(sock_net(sk), user, len);
1407                 break;
1408         case EBT_SO_SET_COUNTERS:
1409                 ret = update_counters(sock_net(sk), user, len);
1410                 break;
1411         default:
1412                 ret = -EINVAL;
1413   }
1414         return ret;
1415 }
1416
1417 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1418 {
1419         int ret;
1420         struct ebt_replace tmp;
1421         struct ebt_table *t;
1422
1423         if (copy_from_user(&tmp, user, sizeof(tmp)))
1424                 return -EFAULT;
1425
1426         t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1427         if (!t)
1428                 return ret;
1429
1430         switch(cmd) {
1431         case EBT_SO_GET_INFO:
1432         case EBT_SO_GET_INIT_INFO:
1433                 if (*len != sizeof(struct ebt_replace)){
1434                         ret = -EINVAL;
1435                         mutex_unlock(&ebt_mutex);
1436                         break;
1437                 }
1438                 if (cmd == EBT_SO_GET_INFO) {
1439                         tmp.nentries = t->private->nentries;
1440                         tmp.entries_size = t->private->entries_size;
1441                         tmp.valid_hooks = t->valid_hooks;
1442                 } else {
1443                         tmp.nentries = t->table->nentries;
1444                         tmp.entries_size = t->table->entries_size;
1445                         tmp.valid_hooks = t->table->valid_hooks;
1446                 }
1447                 mutex_unlock(&ebt_mutex);
1448                 if (copy_to_user(user, &tmp, *len) != 0){
1449                         BUGPRINT("c2u Didn't work\n");
1450                         ret = -EFAULT;
1451                         break;
1452                 }
1453                 ret = 0;
1454                 break;
1455
1456         case EBT_SO_GET_ENTRIES:
1457         case EBT_SO_GET_INIT_ENTRIES:
1458                 ret = copy_everything_to_user(t, user, len, cmd);
1459                 mutex_unlock(&ebt_mutex);
1460                 break;
1461
1462         default:
1463                 mutex_unlock(&ebt_mutex);
1464                 ret = -EINVAL;
1465         }
1466
1467         return ret;
1468 }
1469
1470 static struct nf_sockopt_ops ebt_sockopts =
1471 {
1472         .pf             = PF_INET,
1473         .set_optmin     = EBT_BASE_CTL,
1474         .set_optmax     = EBT_SO_SET_MAX + 1,
1475         .set            = do_ebt_set_ctl,
1476         .get_optmin     = EBT_BASE_CTL,
1477         .get_optmax     = EBT_SO_GET_MAX + 1,
1478         .get            = do_ebt_get_ctl,
1479         .owner          = THIS_MODULE,
1480 };
1481
1482 static int __init ebtables_init(void)
1483 {
1484         int ret;
1485
1486         ret = xt_register_target(&ebt_standard_target);
1487         if (ret < 0)
1488                 return ret;
1489         ret = nf_register_sockopt(&ebt_sockopts);
1490         if (ret < 0) {
1491                 xt_unregister_target(&ebt_standard_target);
1492                 return ret;
1493         }
1494
1495         printk(KERN_INFO "Ebtables v2.0 registered\n");
1496         return 0;
1497 }
1498
1499 static void __exit ebtables_fini(void)
1500 {
1501         nf_unregister_sockopt(&ebt_sockopts);
1502         xt_unregister_target(&ebt_standard_target);
1503         printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1504 }
1505
1506 EXPORT_SYMBOL(ebt_register_table);
1507 EXPORT_SYMBOL(ebt_unregister_table);
1508 EXPORT_SYMBOL(ebt_do_table);
1509 module_init(ebtables_init);
1510 module_exit(ebtables_fini);
1511 MODULE_LICENSE("GPL");