[NETFILTER]: ebtables: don't compute gap before checking struct type
[linux-2.6] / net / bridge / netfilter / ebtables.c
1 /*
2  *  ebtables
3  *
4  *  Author:
5  *  Bart De Schuymer            <bdschuym@pandora.be>
6  *
7  *  ebtables.c,v 2.0, July, 2002
8  *
9  *  This code is stongly inspired on the iptables code which is
10  *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11  *
12  *  This program is free software; you can redistribute it and/or
13  *  modify it under the terms of the GNU General Public License
14  *  as published by the Free Software Foundation; either version
15  *  2 of the License, or (at your option) any later version.
16  */
17
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
21
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <linux/mutex.h>
28 #include <asm/uaccess.h>
29 #include <linux/smp.h>
30 #include <linux/cpumask.h>
31 #include <net/sock.h>
32 /* needed for logical [in,out]-dev filtering */
33 #include "../br_private.h"
34
35 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
36                                          "report to author: "format, ## args)
37 /* #define BUGPRINT(format, args...) */
38 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
39                                          ": out of memory: "format, ## args)
40 /* #define MEMPRINT(format, args...) */
41
42
43
44 /*
45  * Each cpu has its own set of counters, so there is no need for write_lock in
46  * the softirq
47  * For reading or updating the counters, the user context needs to
48  * get a write_lock
49  */
50
51 /* The size of each set of counters is altered to get cache alignment */
52 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
53 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
54 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
55    COUNTER_OFFSET(n) * cpu))
56
57
58
59 static DEFINE_MUTEX(ebt_mutex);
60 static LIST_HEAD(ebt_tables);
61 static LIST_HEAD(ebt_targets);
62 static LIST_HEAD(ebt_matches);
63 static LIST_HEAD(ebt_watchers);
64
65 static struct ebt_target ebt_standard_target =
66 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
67
68 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
69    const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
70    const struct net_device *out)
71 {
72         w->u.watcher->watcher(skb, hooknr, in, out, w->data,
73            w->watcher_size);
74         /* watchers don't give a verdict */
75         return 0;
76 }
77
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79    const struct sk_buff *skb, const struct net_device *in,
80    const struct net_device *out)
81 {
82         return m->u.match->match(skb, in, out, m->data,
83            m->match_size);
84 }
85
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
87 {
88         int i = 0;
89         const char *devname = device->name;
90
91         if (*entry == '\0')
92                 return 0;
93         if (!device)
94                 return 1;
95         /* 1 is the wildcard token */
96         while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
97                 i++;
98         return (devname[i] != entry[i] && entry[i] != 1);
99 }
100
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104    const struct net_device *in, const struct net_device *out)
105 {
106         int verdict, i;
107
108         if (e->bitmask & EBT_802_3) {
109                 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
110                         return 1;
111         } else if (!(e->bitmask & EBT_NOPROTO) &&
112            FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
113                 return 1;
114
115         if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
116                 return 1;
117         if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
118                 return 1;
119         if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120            e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
121                 return 1;
122         if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123            e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
124                 return 1;
125
126         if (e->bitmask & EBT_SOURCEMAC) {
127                 verdict = 0;
128                 for (i = 0; i < 6; i++)
129                         verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
130                            e->sourcemsk[i];
131                 if (FWINV2(verdict != 0, EBT_ISOURCE) )
132                         return 1;
133         }
134         if (e->bitmask & EBT_DESTMAC) {
135                 verdict = 0;
136                 for (i = 0; i < 6; i++)
137                         verdict |= (h->h_dest[i] ^ e->destmac[i]) &
138                            e->destmsk[i];
139                 if (FWINV2(verdict != 0, EBT_IDEST) )
140                         return 1;
141         }
142         return 0;
143 }
144
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
147    const struct net_device *in, const struct net_device *out,
148    struct ebt_table *table)
149 {
150         int i, nentries;
151         struct ebt_entry *point;
152         struct ebt_counter *counter_base, *cb_base;
153         struct ebt_entry_target *t;
154         int verdict, sp = 0;
155         struct ebt_chainstack *cs;
156         struct ebt_entries *chaininfo;
157         char *base;
158         struct ebt_table_info *private;
159
160         read_lock_bh(&table->lock);
161         private = table->private;
162         cb_base = COUNTER_BASE(private->counters, private->nentries,
163            smp_processor_id());
164         if (private->chainstack)
165                 cs = private->chainstack[smp_processor_id()];
166         else
167                 cs = NULL;
168         chaininfo = private->hook_entry[hook];
169         nentries = private->hook_entry[hook]->nentries;
170         point = (struct ebt_entry *)(private->hook_entry[hook]->data);
171         counter_base = cb_base + private->hook_entry[hook]->counter_offset;
172         /* base for chain jumps */
173         base = private->entries;
174         i = 0;
175         while (i < nentries) {
176                 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
177                         goto letscontinue;
178
179                 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
180                         goto letscontinue;
181
182                 /* increase counter */
183                 (*(counter_base + i)).pcnt++;
184                 (*(counter_base + i)).bcnt+=(**pskb).len;
185
186                 /* these should only watch: not modify, nor tell us
187                    what to do with the packet */
188                 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
189                    out);
190
191                 t = (struct ebt_entry_target *)
192                    (((char *)point) + point->target_offset);
193                 /* standard target */
194                 if (!t->u.target->target)
195                         verdict = ((struct ebt_standard_target *)t)->verdict;
196                 else
197                         verdict = t->u.target->target(pskb, hook,
198                            in, out, t->data, t->target_size);
199                 if (verdict == EBT_ACCEPT) {
200                         read_unlock_bh(&table->lock);
201                         return NF_ACCEPT;
202                 }
203                 if (verdict == EBT_DROP) {
204                         read_unlock_bh(&table->lock);
205                         return NF_DROP;
206                 }
207                 if (verdict == EBT_RETURN) {
208 letsreturn:
209 #ifdef CONFIG_NETFILTER_DEBUG
210                         if (sp == 0) {
211                                 BUGPRINT("RETURN on base chain");
212                                 /* act like this is EBT_CONTINUE */
213                                 goto letscontinue;
214                         }
215 #endif
216                         sp--;
217                         /* put all the local variables right */
218                         i = cs[sp].n;
219                         chaininfo = cs[sp].chaininfo;
220                         nentries = chaininfo->nentries;
221                         point = cs[sp].e;
222                         counter_base = cb_base +
223                            chaininfo->counter_offset;
224                         continue;
225                 }
226                 if (verdict == EBT_CONTINUE)
227                         goto letscontinue;
228 #ifdef CONFIG_NETFILTER_DEBUG
229                 if (verdict < 0) {
230                         BUGPRINT("bogus standard verdict\n");
231                         read_unlock_bh(&table->lock);
232                         return NF_DROP;
233                 }
234 #endif
235                 /* jump to a udc */
236                 cs[sp].n = i + 1;
237                 cs[sp].chaininfo = chaininfo;
238                 cs[sp].e = (struct ebt_entry *)
239                    (((char *)point) + point->next_offset);
240                 i = 0;
241                 chaininfo = (struct ebt_entries *) (base + verdict);
242 #ifdef CONFIG_NETFILTER_DEBUG
243                 if (chaininfo->distinguisher) {
244                         BUGPRINT("jump to non-chain\n");
245                         read_unlock_bh(&table->lock);
246                         return NF_DROP;
247                 }
248 #endif
249                 nentries = chaininfo->nentries;
250                 point = (struct ebt_entry *)chaininfo->data;
251                 counter_base = cb_base + chaininfo->counter_offset;
252                 sp++;
253                 continue;
254 letscontinue:
255                 point = (struct ebt_entry *)
256                    (((char *)point) + point->next_offset);
257                 i++;
258         }
259
260         /* I actually like this :) */
261         if (chaininfo->policy == EBT_RETURN)
262                 goto letsreturn;
263         if (chaininfo->policy == EBT_ACCEPT) {
264                 read_unlock_bh(&table->lock);
265                 return NF_ACCEPT;
266         }
267         read_unlock_bh(&table->lock);
268         return NF_DROP;
269 }
270
271 /* If it succeeds, returns element and locks mutex */
272 static inline void *
273 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
274    struct mutex *mutex)
275 {
276         struct {
277                 struct list_head list;
278                 char name[EBT_FUNCTION_MAXNAMELEN];
279         } *e;
280
281         *error = mutex_lock_interruptible(mutex);
282         if (*error != 0)
283                 return NULL;
284
285         list_for_each_entry(e, head, list) {
286                 if (strcmp(e->name, name) == 0)
287                         return e;
288         }
289         *error = -ENOENT;
290         mutex_unlock(mutex);
291         return NULL;
292 }
293
294 #ifndef CONFIG_KMOD
295 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
296 #else
297 static void *
298 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
299    int *error, struct mutex *mutex)
300 {
301         void *ret;
302
303         ret = find_inlist_lock_noload(head, name, error, mutex);
304         if (!ret) {
305                 request_module("%s%s", prefix, name);
306                 ret = find_inlist_lock_noload(head, name, error, mutex);
307         }
308         return ret;
309 }
310 #endif
311
312 static inline struct ebt_table *
313 find_table_lock(const char *name, int *error, struct mutex *mutex)
314 {
315         return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
316 }
317
318 static inline struct ebt_match *
319 find_match_lock(const char *name, int *error, struct mutex *mutex)
320 {
321         return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
322 }
323
324 static inline struct ebt_watcher *
325 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
326 {
327         return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
328 }
329
330 static inline struct ebt_target *
331 find_target_lock(const char *name, int *error, struct mutex *mutex)
332 {
333         return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
334 }
335
336 static inline int
337 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
338    const char *name, unsigned int hookmask, unsigned int *cnt)
339 {
340         struct ebt_match *match;
341         size_t left = ((char *)e + e->watchers_offset) - (char *)m;
342         int ret;
343
344         if (left < sizeof(struct ebt_entry_match) ||
345             left - sizeof(struct ebt_entry_match) < m->match_size)
346                 return -EINVAL;
347         match = find_match_lock(m->u.name, &ret, &ebt_mutex);
348         if (!match)
349                 return ret;
350         m->u.match = match;
351         if (!try_module_get(match->me)) {
352                 mutex_unlock(&ebt_mutex);
353                 return -ENOENT;
354         }
355         mutex_unlock(&ebt_mutex);
356         if (match->check &&
357            match->check(name, hookmask, e, m->data, m->match_size) != 0) {
358                 BUGPRINT("match->check failed\n");
359                 module_put(match->me);
360                 return -EINVAL;
361         }
362         (*cnt)++;
363         return 0;
364 }
365
366 static inline int
367 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
368    const char *name, unsigned int hookmask, unsigned int *cnt)
369 {
370         struct ebt_watcher *watcher;
371         size_t left = ((char *)e + e->target_offset) - (char *)w;
372         int ret;
373
374         if (left < sizeof(struct ebt_entry_watcher) ||
375            left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
376                 return -EINVAL;
377         watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
378         if (!watcher)
379                 return ret;
380         w->u.watcher = watcher;
381         if (!try_module_get(watcher->me)) {
382                 mutex_unlock(&ebt_mutex);
383                 return -ENOENT;
384         }
385         mutex_unlock(&ebt_mutex);
386         if (watcher->check &&
387            watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
388                 BUGPRINT("watcher->check failed\n");
389                 module_put(watcher->me);
390                 return -EINVAL;
391         }
392         (*cnt)++;
393         return 0;
394 }
395
396 static int ebt_verify_pointers(struct ebt_replace *repl,
397                                struct ebt_table_info *newinfo)
398 {
399         unsigned int limit = repl->entries_size;
400         unsigned int valid_hooks = repl->valid_hooks;
401         unsigned int offset = 0;
402         int i;
403
404         for (i = 0; i < NF_BR_NUMHOOKS; i++)
405                 newinfo->hook_entry[i] = NULL;
406
407         newinfo->entries_size = repl->entries_size;
408         newinfo->nentries = repl->nentries;
409
410         while (offset < limit) {
411                 size_t left = limit - offset;
412                 struct ebt_entry *e = (void *)newinfo->entries + offset;
413
414                 if (left < sizeof(unsigned int))
415                         break;
416
417                 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
418                         if ((valid_hooks & (1 << i)) == 0)
419                                 continue;
420                         if ((char __user *)repl->hook_entry[i] ==
421                              repl->entries + offset)
422                                 break;
423                 }
424
425                 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
426                         if (e->bitmask != 0) {
427                                 /* we make userspace set this right,
428                                    so there is no misunderstanding */
429                                 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
430                                          "in distinguisher\n");
431                                 return -EINVAL;
432                         }
433                         if (i != NF_BR_NUMHOOKS)
434                                 newinfo->hook_entry[i] = (struct ebt_entries *)e;
435                         if (left < sizeof(struct ebt_entries))
436                                 break;
437                         offset += sizeof(struct ebt_entries);
438                 } else {
439                         if (left < sizeof(struct ebt_entry))
440                                 break;
441                         if (left < e->next_offset)
442                                 break;
443                         offset += e->next_offset;
444                 }
445         }
446         if (offset != limit) {
447                 BUGPRINT("entries_size too small\n");
448                 return -EINVAL;
449         }
450
451         /* check if all valid hooks have a chain */
452         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
453                 if (!newinfo->hook_entry[i] &&
454                    (valid_hooks & (1 << i))) {
455                         BUGPRINT("Valid hook without chain\n");
456                         return -EINVAL;
457                 }
458         }
459         return 0;
460 }
461
462 /*
463  * this one is very careful, as it is the first function
464  * to parse the userspace data
465  */
466 static inline int
467 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
468    struct ebt_table_info *newinfo,
469    unsigned int *n, unsigned int *cnt,
470    unsigned int *totalcnt, unsigned int *udc_cnt)
471 {
472         int i;
473
474         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
475                 if ((void *)e == (void *)newinfo->hook_entry[i])
476                         break;
477         }
478         /* beginning of a new chain
479            if i == NF_BR_NUMHOOKS it must be a user defined chain */
480         if (i != NF_BR_NUMHOOKS || !e->bitmask) {
481                 /* this checks if the previous chain has as many entries
482                    as it said it has */
483                 if (*n != *cnt) {
484                         BUGPRINT("nentries does not equal the nr of entries "
485                                  "in the chain\n");
486                         return -EINVAL;
487                 }
488                 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
489                    ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
490                         /* only RETURN from udc */
491                         if (i != NF_BR_NUMHOOKS ||
492                            ((struct ebt_entries *)e)->policy != EBT_RETURN) {
493                                 BUGPRINT("bad policy\n");
494                                 return -EINVAL;
495                         }
496                 }
497                 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
498                         (*udc_cnt)++;
499                 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
500                         BUGPRINT("counter_offset != totalcnt");
501                         return -EINVAL;
502                 }
503                 *n = ((struct ebt_entries *)e)->nentries;
504                 *cnt = 0;
505                 return 0;
506         }
507         /* a plain old entry, heh */
508         if (sizeof(struct ebt_entry) > e->watchers_offset ||
509            e->watchers_offset > e->target_offset ||
510            e->target_offset >= e->next_offset) {
511                 BUGPRINT("entry offsets not in right order\n");
512                 return -EINVAL;
513         }
514         /* this is not checked anywhere else */
515         if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
516                 BUGPRINT("target size too small\n");
517                 return -EINVAL;
518         }
519         (*cnt)++;
520         (*totalcnt)++;
521         return 0;
522 }
523
524 struct ebt_cl_stack
525 {
526         struct ebt_chainstack cs;
527         int from;
528         unsigned int hookmask;
529 };
530
531 /*
532  * we need these positions to check that the jumps to a different part of the
533  * entries is a jump to the beginning of a new chain.
534  */
535 static inline int
536 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
537    unsigned int *n, struct ebt_cl_stack *udc)
538 {
539         int i;
540
541         /* we're only interested in chain starts */
542         if (e->bitmask)
543                 return 0;
544         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
545                 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
546                         break;
547         }
548         /* only care about udc */
549         if (i != NF_BR_NUMHOOKS)
550                 return 0;
551
552         udc[*n].cs.chaininfo = (struct ebt_entries *)e;
553         /* these initialisations are depended on later in check_chainloops() */
554         udc[*n].cs.n = 0;
555         udc[*n].hookmask = 0;
556
557         (*n)++;
558         return 0;
559 }
560
561 static inline int
562 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
563 {
564         if (i && (*i)-- == 0)
565                 return 1;
566         if (m->u.match->destroy)
567                 m->u.match->destroy(m->data, m->match_size);
568         module_put(m->u.match->me);
569
570         return 0;
571 }
572
573 static inline int
574 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
575 {
576         if (i && (*i)-- == 0)
577                 return 1;
578         if (w->u.watcher->destroy)
579                 w->u.watcher->destroy(w->data, w->watcher_size);
580         module_put(w->u.watcher->me);
581
582         return 0;
583 }
584
585 static inline int
586 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
587 {
588         struct ebt_entry_target *t;
589
590         if (e->bitmask == 0)
591                 return 0;
592         /* we're done */
593         if (cnt && (*cnt)-- == 0)
594                 return 1;
595         EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
596         EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
597         t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
598         if (t->u.target->destroy)
599                 t->u.target->destroy(t->data, t->target_size);
600         module_put(t->u.target->me);
601
602         return 0;
603 }
604
605 static inline int
606 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
607    const char *name, unsigned int *cnt,
608    struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
609 {
610         struct ebt_entry_target *t;
611         struct ebt_target *target;
612         unsigned int i, j, hook = 0, hookmask = 0;
613         size_t gap;
614         int ret;
615
616         /* don't mess with the struct ebt_entries */
617         if (e->bitmask == 0)
618                 return 0;
619
620         if (e->bitmask & ~EBT_F_MASK) {
621                 BUGPRINT("Unknown flag for bitmask\n");
622                 return -EINVAL;
623         }
624         if (e->invflags & ~EBT_INV_MASK) {
625                 BUGPRINT("Unknown flag for inv bitmask\n");
626                 return -EINVAL;
627         }
628         if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
629                 BUGPRINT("NOPROTO & 802_3 not allowed\n");
630                 return -EINVAL;
631         }
632         /* what hook do we belong to? */
633         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
634                 if (!newinfo->hook_entry[i])
635                         continue;
636                 if ((char *)newinfo->hook_entry[i] < (char *)e)
637                         hook = i;
638                 else
639                         break;
640         }
641         /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
642            a base chain */
643         if (i < NF_BR_NUMHOOKS)
644                 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
645         else {
646                 for (i = 0; i < udc_cnt; i++)
647                         if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
648                                 break;
649                 if (i == 0)
650                         hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
651                 else
652                         hookmask = cl_s[i - 1].hookmask;
653         }
654         i = 0;
655         ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
656         if (ret != 0)
657                 goto cleanup_matches;
658         j = 0;
659         ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
660         if (ret != 0)
661                 goto cleanup_watchers;
662         t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
663         gap = e->next_offset - e->target_offset;
664         target = find_target_lock(t->u.name, &ret, &ebt_mutex);
665         if (!target)
666                 goto cleanup_watchers;
667         if (!try_module_get(target->me)) {
668                 mutex_unlock(&ebt_mutex);
669                 ret = -ENOENT;
670                 goto cleanup_watchers;
671         }
672         mutex_unlock(&ebt_mutex);
673
674         t->u.target = target;
675         if (t->u.target == &ebt_standard_target) {
676                 if (gap < sizeof(struct ebt_standard_target)) {
677                         BUGPRINT("Standard target size too big\n");
678                         ret = -EFAULT;
679                         goto cleanup_watchers;
680                 }
681                 if (((struct ebt_standard_target *)t)->verdict <
682                    -NUM_STANDARD_TARGETS) {
683                         BUGPRINT("Invalid standard target\n");
684                         ret = -EFAULT;
685                         goto cleanup_watchers;
686                 }
687         } else if (t->target_size > gap - sizeof(struct ebt_entry_target) ||
688            (t->u.target->check &&
689            t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
690                 module_put(t->u.target->me);
691                 ret = -EFAULT;
692                 goto cleanup_watchers;
693         }
694         (*cnt)++;
695         return 0;
696 cleanup_watchers:
697         EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
698 cleanup_matches:
699         EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
700         return ret;
701 }
702
703 /*
704  * checks for loops and sets the hook mask for udc
705  * the hook mask for udc tells us from which base chains the udc can be
706  * accessed. This mask is a parameter to the check() functions of the extensions
707  */
708 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
709    unsigned int udc_cnt, unsigned int hooknr, char *base)
710 {
711         int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
712         struct ebt_entry *e = (struct ebt_entry *)chain->data;
713         struct ebt_entry_target *t;
714
715         while (pos < nentries || chain_nr != -1) {
716                 /* end of udc, go back one 'recursion' step */
717                 if (pos == nentries) {
718                         /* put back values of the time when this chain was called */
719                         e = cl_s[chain_nr].cs.e;
720                         if (cl_s[chain_nr].from != -1)
721                                 nentries =
722                                 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
723                         else
724                                 nentries = chain->nentries;
725                         pos = cl_s[chain_nr].cs.n;
726                         /* make sure we won't see a loop that isn't one */
727                         cl_s[chain_nr].cs.n = 0;
728                         chain_nr = cl_s[chain_nr].from;
729                         if (pos == nentries)
730                                 continue;
731                 }
732                 t = (struct ebt_entry_target *)
733                    (((char *)e) + e->target_offset);
734                 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
735                         goto letscontinue;
736                 if (e->target_offset + sizeof(struct ebt_standard_target) >
737                    e->next_offset) {
738                         BUGPRINT("Standard target size too big\n");
739                         return -1;
740                 }
741                 verdict = ((struct ebt_standard_target *)t)->verdict;
742                 if (verdict >= 0) { /* jump to another chain */
743                         struct ebt_entries *hlp2 =
744                            (struct ebt_entries *)(base + verdict);
745                         for (i = 0; i < udc_cnt; i++)
746                                 if (hlp2 == cl_s[i].cs.chaininfo)
747                                         break;
748                         /* bad destination or loop */
749                         if (i == udc_cnt) {
750                                 BUGPRINT("bad destination\n");
751                                 return -1;
752                         }
753                         if (cl_s[i].cs.n) {
754                                 BUGPRINT("loop\n");
755                                 return -1;
756                         }
757                         if (cl_s[i].hookmask & (1 << hooknr))
758                                 goto letscontinue;
759                         /* this can't be 0, so the loop test is correct */
760                         cl_s[i].cs.n = pos + 1;
761                         pos = 0;
762                         cl_s[i].cs.e = ((void *)e + e->next_offset);
763                         e = (struct ebt_entry *)(hlp2->data);
764                         nentries = hlp2->nentries;
765                         cl_s[i].from = chain_nr;
766                         chain_nr = i;
767                         /* this udc is accessible from the base chain for hooknr */
768                         cl_s[i].hookmask |= (1 << hooknr);
769                         continue;
770                 }
771 letscontinue:
772                 e = (void *)e + e->next_offset;
773                 pos++;
774         }
775         return 0;
776 }
777
778 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
779 static int translate_table(char *name, struct ebt_table_info *newinfo)
780 {
781         unsigned int i, j, k, udc_cnt;
782         int ret;
783         struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
784
785         i = 0;
786         while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
787                 i++;
788         if (i == NF_BR_NUMHOOKS) {
789                 BUGPRINT("No valid hooks specified\n");
790                 return -EINVAL;
791         }
792         if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
793                 BUGPRINT("Chains don't start at beginning\n");
794                 return -EINVAL;
795         }
796         /* make sure chains are ordered after each other in same order
797            as their corresponding hooks */
798         for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
799                 if (!newinfo->hook_entry[j])
800                         continue;
801                 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
802                         BUGPRINT("Hook order must be followed\n");
803                         return -EINVAL;
804                 }
805                 i = j;
806         }
807
808         /* do some early checkings and initialize some things */
809         i = 0; /* holds the expected nr. of entries for the chain */
810         j = 0; /* holds the up to now counted entries for the chain */
811         k = 0; /* holds the total nr. of entries, should equal
812                   newinfo->nentries afterwards */
813         udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
814         ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
815            ebt_check_entry_size_and_hooks, newinfo,
816            &i, &j, &k, &udc_cnt);
817
818         if (ret != 0)
819                 return ret;
820
821         if (i != j) {
822                 BUGPRINT("nentries does not equal the nr of entries in the "
823                          "(last) chain\n");
824                 return -EINVAL;
825         }
826         if (k != newinfo->nentries) {
827                 BUGPRINT("Total nentries is wrong\n");
828                 return -EINVAL;
829         }
830
831         /* get the location of the udc, put them in an array
832            while we're at it, allocate the chainstack */
833         if (udc_cnt) {
834                 /* this will get free'd in do_replace()/ebt_register_table()
835                    if an error occurs */
836                 newinfo->chainstack =
837                         vmalloc((highest_possible_processor_id()+1)
838                                         * sizeof(*(newinfo->chainstack)));
839                 if (!newinfo->chainstack)
840                         return -ENOMEM;
841                 for_each_possible_cpu(i) {
842                         newinfo->chainstack[i] =
843                           vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
844                         if (!newinfo->chainstack[i]) {
845                                 while (i)
846                                         vfree(newinfo->chainstack[--i]);
847                                 vfree(newinfo->chainstack);
848                                 newinfo->chainstack = NULL;
849                                 return -ENOMEM;
850                         }
851                 }
852
853                 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
854                 if (!cl_s)
855                         return -ENOMEM;
856                 i = 0; /* the i'th udc */
857                 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
858                    ebt_get_udc_positions, newinfo, &i, cl_s);
859                 /* sanity check */
860                 if (i != udc_cnt) {
861                         BUGPRINT("i != udc_cnt\n");
862                         vfree(cl_s);
863                         return -EFAULT;
864                 }
865         }
866
867         /* Check for loops */
868         for (i = 0; i < NF_BR_NUMHOOKS; i++)
869                 if (newinfo->hook_entry[i])
870                         if (check_chainloops(newinfo->hook_entry[i],
871                            cl_s, udc_cnt, i, newinfo->entries)) {
872                                 vfree(cl_s);
873                                 return -EINVAL;
874                         }
875
876         /* we now know the following (along with E=mc²):
877            - the nr of entries in each chain is right
878            - the size of the allocated space is right
879            - all valid hooks have a corresponding chain
880            - there are no loops
881            - wrong data can still be on the level of a single entry
882            - could be there are jumps to places that are not the
883              beginning of a chain. This can only occur in chains that
884              are not accessible from any base chains, so we don't care. */
885
886         /* used to know what we need to clean up if something goes wrong */
887         i = 0;
888         ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
889            ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
890         if (ret != 0) {
891                 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
892                    ebt_cleanup_entry, &i);
893         }
894         vfree(cl_s);
895         return ret;
896 }
897
898 /* called under write_lock */
899 static void get_counters(struct ebt_counter *oldcounters,
900    struct ebt_counter *counters, unsigned int nentries)
901 {
902         int i, cpu;
903         struct ebt_counter *counter_base;
904
905         /* counters of cpu 0 */
906         memcpy(counters, oldcounters,
907                sizeof(struct ebt_counter) * nentries);
908
909         /* add other counters to those of cpu 0 */
910         for_each_possible_cpu(cpu) {
911                 if (cpu == 0)
912                         continue;
913                 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
914                 for (i = 0; i < nentries; i++) {
915                         counters[i].pcnt += counter_base[i].pcnt;
916                         counters[i].bcnt += counter_base[i].bcnt;
917                 }
918         }
919 }
920
921 /* replace the table */
922 static int do_replace(void __user *user, unsigned int len)
923 {
924         int ret, i, countersize;
925         struct ebt_table_info *newinfo;
926         struct ebt_replace tmp;
927         struct ebt_table *t;
928         struct ebt_counter *counterstmp = NULL;
929         /* used to be able to unlock earlier */
930         struct ebt_table_info *table;
931
932         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
933                 return -EFAULT;
934
935         if (len != sizeof(tmp) + tmp.entries_size) {
936                 BUGPRINT("Wrong len argument\n");
937                 return -EINVAL;
938         }
939
940         if (tmp.entries_size == 0) {
941                 BUGPRINT("Entries_size never zero\n");
942                 return -EINVAL;
943         }
944         /* overflow check */
945         if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
946                         SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
947                 return -ENOMEM;
948         if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
949                 return -ENOMEM;
950
951         countersize = COUNTER_OFFSET(tmp.nentries) * 
952                                         (highest_possible_processor_id()+1);
953         newinfo = vmalloc(sizeof(*newinfo) + countersize);
954         if (!newinfo)
955                 return -ENOMEM;
956
957         if (countersize)
958                 memset(newinfo->counters, 0, countersize);
959
960         newinfo->entries = vmalloc(tmp.entries_size);
961         if (!newinfo->entries) {
962                 ret = -ENOMEM;
963                 goto free_newinfo;
964         }
965         if (copy_from_user(
966            newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
967                 BUGPRINT("Couldn't copy entries from userspace\n");
968                 ret = -EFAULT;
969                 goto free_entries;
970         }
971
972         /* the user wants counters back
973            the check on the size is done later, when we have the lock */
974         if (tmp.num_counters) {
975                 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
976                 if (!counterstmp) {
977                         ret = -ENOMEM;
978                         goto free_entries;
979                 }
980         }
981         else
982                 counterstmp = NULL;
983
984         /* this can get initialized by translate_table() */
985         newinfo->chainstack = NULL;
986         ret = ebt_verify_pointers(&tmp, newinfo);
987         if (ret != 0)
988                 goto free_counterstmp;
989
990         ret = translate_table(tmp.name, newinfo);
991
992         if (ret != 0)
993                 goto free_counterstmp;
994
995         t = find_table_lock(tmp.name, &ret, &ebt_mutex);
996         if (!t) {
997                 ret = -ENOENT;
998                 goto free_iterate;
999         }
1000
1001         /* the table doesn't like it */
1002         if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1003                 goto free_unlock;
1004
1005         if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1006                 BUGPRINT("Wrong nr. of counters requested\n");
1007                 ret = -EINVAL;
1008                 goto free_unlock;
1009         }
1010
1011         /* we have the mutex lock, so no danger in reading this pointer */
1012         table = t->private;
1013         /* make sure the table can only be rmmod'ed if it contains no rules */
1014         if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1015                 ret = -ENOENT;
1016                 goto free_unlock;
1017         } else if (table->nentries && !newinfo->nentries)
1018                 module_put(t->me);
1019         /* we need an atomic snapshot of the counters */
1020         write_lock_bh(&t->lock);
1021         if (tmp.num_counters)
1022                 get_counters(t->private->counters, counterstmp,
1023                    t->private->nentries);
1024
1025         t->private = newinfo;
1026         write_unlock_bh(&t->lock);
1027         mutex_unlock(&ebt_mutex);
1028         /* so, a user can change the chains while having messed up her counter
1029            allocation. Only reason why this is done is because this way the lock
1030            is held only once, while this doesn't bring the kernel into a
1031            dangerous state. */
1032         if (tmp.num_counters &&
1033            copy_to_user(tmp.counters, counterstmp,
1034            tmp.num_counters * sizeof(struct ebt_counter))) {
1035                 BUGPRINT("Couldn't copy counters to userspace\n");
1036                 ret = -EFAULT;
1037         }
1038         else
1039                 ret = 0;
1040
1041         /* decrease module count and free resources */
1042         EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1043            ebt_cleanup_entry, NULL);
1044
1045         vfree(table->entries);
1046         if (table->chainstack) {
1047                 for_each_possible_cpu(i)
1048                         vfree(table->chainstack[i]);
1049                 vfree(table->chainstack);
1050         }
1051         vfree(table);
1052
1053         vfree(counterstmp);
1054         return ret;
1055
1056 free_unlock:
1057         mutex_unlock(&ebt_mutex);
1058 free_iterate:
1059         EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1060            ebt_cleanup_entry, NULL);
1061 free_counterstmp:
1062         vfree(counterstmp);
1063         /* can be initialized in translate_table() */
1064         if (newinfo->chainstack) {
1065                 for_each_possible_cpu(i)
1066                         vfree(newinfo->chainstack[i]);
1067                 vfree(newinfo->chainstack);
1068         }
1069 free_entries:
1070         vfree(newinfo->entries);
1071 free_newinfo:
1072         vfree(newinfo);
1073         return ret;
1074 }
1075
1076 int ebt_register_target(struct ebt_target *target)
1077 {
1078         struct ebt_target *t;
1079         int ret;
1080
1081         ret = mutex_lock_interruptible(&ebt_mutex);
1082         if (ret != 0)
1083                 return ret;
1084         list_for_each_entry(t, &ebt_targets, list) {
1085                 if (strcmp(t->name, target->name) == 0) {
1086                         mutex_unlock(&ebt_mutex);
1087                         return -EEXIST;
1088                 }
1089         }
1090         list_add(&target->list, &ebt_targets);
1091         mutex_unlock(&ebt_mutex);
1092
1093         return 0;
1094 }
1095
1096 void ebt_unregister_target(struct ebt_target *target)
1097 {
1098         mutex_lock(&ebt_mutex);
1099         list_del(&target->list);
1100         mutex_unlock(&ebt_mutex);
1101 }
1102
1103 int ebt_register_match(struct ebt_match *match)
1104 {
1105         struct ebt_match *m;
1106         int ret;
1107
1108         ret = mutex_lock_interruptible(&ebt_mutex);
1109         if (ret != 0)
1110                 return ret;
1111         list_for_each_entry(m, &ebt_matches, list) {
1112                 if (strcmp(m->name, match->name) == 0) {
1113                         mutex_unlock(&ebt_mutex);
1114                         return -EEXIST;
1115                 }
1116         }
1117         list_add(&match->list, &ebt_matches);
1118         mutex_unlock(&ebt_mutex);
1119
1120         return 0;
1121 }
1122
1123 void ebt_unregister_match(struct ebt_match *match)
1124 {
1125         mutex_lock(&ebt_mutex);
1126         list_del(&match->list);
1127         mutex_unlock(&ebt_mutex);
1128 }
1129
1130 int ebt_register_watcher(struct ebt_watcher *watcher)
1131 {
1132         struct ebt_watcher *w;
1133         int ret;
1134
1135         ret = mutex_lock_interruptible(&ebt_mutex);
1136         if (ret != 0)
1137                 return ret;
1138         list_for_each_entry(w, &ebt_watchers, list) {
1139                 if (strcmp(w->name, watcher->name) == 0) {
1140                         mutex_unlock(&ebt_mutex);
1141                         return -EEXIST;
1142                 }
1143         }
1144         list_add(&watcher->list, &ebt_watchers);
1145         mutex_unlock(&ebt_mutex);
1146
1147         return 0;
1148 }
1149
1150 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1151 {
1152         mutex_lock(&ebt_mutex);
1153         list_del(&watcher->list);
1154         mutex_unlock(&ebt_mutex);
1155 }
1156
1157 int ebt_register_table(struct ebt_table *table)
1158 {
1159         struct ebt_table_info *newinfo;
1160         struct ebt_table *t;
1161         struct ebt_replace_kernel *repl;
1162         int ret, i, countersize;
1163         void *p;
1164
1165         if (!table || !(repl = table->table) || !repl->entries ||
1166             repl->entries_size == 0 ||
1167             repl->counters || table->private) {
1168                 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1169                 return -EINVAL;
1170         }
1171
1172         countersize = COUNTER_OFFSET(repl->nentries) *
1173                                         (highest_possible_processor_id()+1);
1174         newinfo = vmalloc(sizeof(*newinfo) + countersize);
1175         ret = -ENOMEM;
1176         if (!newinfo)
1177                 return -ENOMEM;
1178
1179         p = vmalloc(repl->entries_size);
1180         if (!p)
1181                 goto free_newinfo;
1182
1183         memcpy(p, repl->entries, repl->entries_size);
1184         newinfo->entries = p;
1185
1186         newinfo->entries_size = repl->entries_size;
1187         newinfo->nentries = repl->nentries;
1188
1189         if (countersize)
1190                 memset(newinfo->counters, 0, countersize);
1191
1192         /* fill in newinfo and parse the entries */
1193         newinfo->chainstack = NULL;
1194         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1195                 if ((repl->valid_hooks & (1 << i)) == 0)
1196                         newinfo->hook_entry[i] = NULL;
1197                 else
1198                         newinfo->hook_entry[i] = p +
1199                                 ((char *)repl->hook_entry[i] - repl->entries);
1200         }
1201         ret = translate_table(repl->name, newinfo);
1202         if (ret != 0) {
1203                 BUGPRINT("Translate_table failed\n");
1204                 goto free_chainstack;
1205         }
1206
1207         if (table->check && table->check(newinfo, table->valid_hooks)) {
1208                 BUGPRINT("The table doesn't like its own initial data, lol\n");
1209                 return -EINVAL;
1210         }
1211
1212         table->private = newinfo;
1213         rwlock_init(&table->lock);
1214         ret = mutex_lock_interruptible(&ebt_mutex);
1215         if (ret != 0)
1216                 goto free_chainstack;
1217
1218         list_for_each_entry(t, &ebt_tables, list) {
1219                 if (strcmp(t->name, table->name) == 0) {
1220                         ret = -EEXIST;
1221                         BUGPRINT("Table name already exists\n");
1222                         goto free_unlock;
1223                 }
1224         }
1225
1226         /* Hold a reference count if the chains aren't empty */
1227         if (newinfo->nentries && !try_module_get(table->me)) {
1228                 ret = -ENOENT;
1229                 goto free_unlock;
1230         }
1231         list_add(&table->list, &ebt_tables);
1232         mutex_unlock(&ebt_mutex);
1233         return 0;
1234 free_unlock:
1235         mutex_unlock(&ebt_mutex);
1236 free_chainstack:
1237         if (newinfo->chainstack) {
1238                 for_each_possible_cpu(i)
1239                         vfree(newinfo->chainstack[i]);
1240                 vfree(newinfo->chainstack);
1241         }
1242         vfree(newinfo->entries);
1243 free_newinfo:
1244         vfree(newinfo);
1245         return ret;
1246 }
1247
1248 void ebt_unregister_table(struct ebt_table *table)
1249 {
1250         int i;
1251
1252         if (!table) {
1253                 BUGPRINT("Request to unregister NULL table!!!\n");
1254                 return;
1255         }
1256         mutex_lock(&ebt_mutex);
1257         list_del(&table->list);
1258         mutex_unlock(&ebt_mutex);
1259         vfree(table->private->entries);
1260         if (table->private->chainstack) {
1261                 for_each_possible_cpu(i)
1262                         vfree(table->private->chainstack[i]);
1263                 vfree(table->private->chainstack);
1264         }
1265         vfree(table->private);
1266 }
1267
1268 /* userspace just supplied us with counters */
1269 static int update_counters(void __user *user, unsigned int len)
1270 {
1271         int i, ret;
1272         struct ebt_counter *tmp;
1273         struct ebt_replace hlp;
1274         struct ebt_table *t;
1275
1276         if (copy_from_user(&hlp, user, sizeof(hlp)))
1277                 return -EFAULT;
1278
1279         if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1280                 return -EINVAL;
1281         if (hlp.num_counters == 0)
1282                 return -EINVAL;
1283
1284         if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1285                 MEMPRINT("Update_counters && nomemory\n");
1286                 return -ENOMEM;
1287         }
1288
1289         t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1290         if (!t)
1291                 goto free_tmp;
1292
1293         if (hlp.num_counters != t->private->nentries) {
1294                 BUGPRINT("Wrong nr of counters\n");
1295                 ret = -EINVAL;
1296                 goto unlock_mutex;
1297         }
1298
1299         if ( copy_from_user(tmp, hlp.counters,
1300            hlp.num_counters * sizeof(struct ebt_counter)) ) {
1301                 BUGPRINT("Updata_counters && !cfu\n");
1302                 ret = -EFAULT;
1303                 goto unlock_mutex;
1304         }
1305
1306         /* we want an atomic add of the counters */
1307         write_lock_bh(&t->lock);
1308
1309         /* we add to the counters of the first cpu */
1310         for (i = 0; i < hlp.num_counters; i++) {
1311                 t->private->counters[i].pcnt += tmp[i].pcnt;
1312                 t->private->counters[i].bcnt += tmp[i].bcnt;
1313         }
1314
1315         write_unlock_bh(&t->lock);
1316         ret = 0;
1317 unlock_mutex:
1318         mutex_unlock(&ebt_mutex);
1319 free_tmp:
1320         vfree(tmp);
1321         return ret;
1322 }
1323
1324 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1325    char *base, char __user *ubase)
1326 {
1327         char __user *hlp = ubase + ((char *)m - base);
1328         if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1329                 return -EFAULT;
1330         return 0;
1331 }
1332
1333 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1334    char *base, char __user *ubase)
1335 {
1336         char __user *hlp = ubase + ((char *)w - base);
1337         if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1338                 return -EFAULT;
1339         return 0;
1340 }
1341
1342 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1343 {
1344         int ret;
1345         char __user *hlp;
1346         struct ebt_entry_target *t;
1347
1348         if (e->bitmask == 0)
1349                 return 0;
1350
1351         hlp = ubase + (((char *)e + e->target_offset) - base);
1352         t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1353         
1354         ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1355         if (ret != 0)
1356                 return ret;
1357         ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1358         if (ret != 0)
1359                 return ret;
1360         if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1361                 return -EFAULT;
1362         return 0;
1363 }
1364
1365 /* called with ebt_mutex locked */
1366 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1367    int *len, int cmd)
1368 {
1369         struct ebt_replace tmp;
1370         struct ebt_counter *counterstmp, *oldcounters;
1371         unsigned int entries_size, nentries;
1372         char *entries;
1373
1374         if (cmd == EBT_SO_GET_ENTRIES) {
1375                 entries_size = t->private->entries_size;
1376                 nentries = t->private->nentries;
1377                 entries = t->private->entries;
1378                 oldcounters = t->private->counters;
1379         } else {
1380                 entries_size = t->table->entries_size;
1381                 nentries = t->table->nentries;
1382                 entries = t->table->entries;
1383                 oldcounters = t->table->counters;
1384         }
1385
1386         if (copy_from_user(&tmp, user, sizeof(tmp))) {
1387                 BUGPRINT("Cfu didn't work\n");
1388                 return -EFAULT;
1389         }
1390
1391         if (*len != sizeof(struct ebt_replace) + entries_size +
1392            (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1393                 BUGPRINT("Wrong size\n");
1394                 return -EINVAL;
1395         }
1396
1397         if (tmp.nentries != nentries) {
1398                 BUGPRINT("Nentries wrong\n");
1399                 return -EINVAL;
1400         }
1401
1402         if (tmp.entries_size != entries_size) {
1403                 BUGPRINT("Wrong size\n");
1404                 return -EINVAL;
1405         }
1406
1407         /* userspace might not need the counters */
1408         if (tmp.num_counters) {
1409                 if (tmp.num_counters != nentries) {
1410                         BUGPRINT("Num_counters wrong\n");
1411                         return -EINVAL;
1412                 }
1413                 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1414                 if (!counterstmp) {
1415                         MEMPRINT("Couldn't copy counters, out of memory\n");
1416                         return -ENOMEM;
1417                 }
1418                 write_lock_bh(&t->lock);
1419                 get_counters(oldcounters, counterstmp, nentries);
1420                 write_unlock_bh(&t->lock);
1421
1422                 if (copy_to_user(tmp.counters, counterstmp,
1423                    nentries * sizeof(struct ebt_counter))) {
1424                         BUGPRINT("Couldn't copy counters to userspace\n");
1425                         vfree(counterstmp);
1426                         return -EFAULT;
1427                 }
1428                 vfree(counterstmp);
1429         }
1430
1431         if (copy_to_user(tmp.entries, entries, entries_size)) {
1432                 BUGPRINT("Couldn't copy entries to userspace\n");
1433                 return -EFAULT;
1434         }
1435         /* set the match/watcher/target names right */
1436         return EBT_ENTRY_ITERATE(entries, entries_size,
1437            ebt_make_names, entries, tmp.entries);
1438 }
1439
1440 static int do_ebt_set_ctl(struct sock *sk,
1441         int cmd, void __user *user, unsigned int len)
1442 {
1443         int ret;
1444
1445         switch(cmd) {
1446         case EBT_SO_SET_ENTRIES:
1447                 ret = do_replace(user, len);
1448                 break;
1449         case EBT_SO_SET_COUNTERS:
1450                 ret = update_counters(user, len);
1451                 break;
1452         default:
1453                 ret = -EINVAL;
1454   }
1455         return ret;
1456 }
1457
1458 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1459 {
1460         int ret;
1461         struct ebt_replace tmp;
1462         struct ebt_table *t;
1463
1464         if (copy_from_user(&tmp, user, sizeof(tmp)))
1465                 return -EFAULT;
1466
1467         t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1468         if (!t)
1469                 return ret;
1470
1471         switch(cmd) {
1472         case EBT_SO_GET_INFO:
1473         case EBT_SO_GET_INIT_INFO:
1474                 if (*len != sizeof(struct ebt_replace)){
1475                         ret = -EINVAL;
1476                         mutex_unlock(&ebt_mutex);
1477                         break;
1478                 }
1479                 if (cmd == EBT_SO_GET_INFO) {
1480                         tmp.nentries = t->private->nentries;
1481                         tmp.entries_size = t->private->entries_size;
1482                         tmp.valid_hooks = t->valid_hooks;
1483                 } else {
1484                         tmp.nentries = t->table->nentries;
1485                         tmp.entries_size = t->table->entries_size;
1486                         tmp.valid_hooks = t->table->valid_hooks;
1487                 }
1488                 mutex_unlock(&ebt_mutex);
1489                 if (copy_to_user(user, &tmp, *len) != 0){
1490                         BUGPRINT("c2u Didn't work\n");
1491                         ret = -EFAULT;
1492                         break;
1493                 }
1494                 ret = 0;
1495                 break;
1496
1497         case EBT_SO_GET_ENTRIES:
1498         case EBT_SO_GET_INIT_ENTRIES:
1499                 ret = copy_everything_to_user(t, user, len, cmd);
1500                 mutex_unlock(&ebt_mutex);
1501                 break;
1502
1503         default:
1504                 mutex_unlock(&ebt_mutex);
1505                 ret = -EINVAL;
1506         }
1507
1508         return ret;
1509 }
1510
1511 static struct nf_sockopt_ops ebt_sockopts =
1512 {
1513         .pf             = PF_INET,
1514         .set_optmin     = EBT_BASE_CTL,
1515         .set_optmax     = EBT_SO_SET_MAX + 1,
1516         .set            = do_ebt_set_ctl,
1517         .get_optmin     = EBT_BASE_CTL,
1518         .get_optmax     = EBT_SO_GET_MAX + 1,
1519         .get            = do_ebt_get_ctl,
1520 };
1521
1522 static int __init ebtables_init(void)
1523 {
1524         int ret;
1525
1526         mutex_lock(&ebt_mutex);
1527         list_add(&ebt_standard_target.list, &ebt_targets);
1528         mutex_unlock(&ebt_mutex);
1529         if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1530                 return ret;
1531
1532         printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1533         return 0;
1534 }
1535
1536 static void __exit ebtables_fini(void)
1537 {
1538         nf_unregister_sockopt(&ebt_sockopts);
1539         printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1540 }
1541
1542 EXPORT_SYMBOL(ebt_register_table);
1543 EXPORT_SYMBOL(ebt_unregister_table);
1544 EXPORT_SYMBOL(ebt_register_match);
1545 EXPORT_SYMBOL(ebt_unregister_match);
1546 EXPORT_SYMBOL(ebt_register_watcher);
1547 EXPORT_SYMBOL(ebt_unregister_watcher);
1548 EXPORT_SYMBOL(ebt_register_target);
1549 EXPORT_SYMBOL(ebt_unregister_target);
1550 EXPORT_SYMBOL(ebt_do_table);
1551 module_init(ebtables_init);
1552 module_exit(ebtables_fini);
1553 MODULE_LICENSE("GPL");