7964d3f03886ad48dfcaebc658eeaab38357e2bc
[linux-3.10.git] / net / bridge / netfilter / ebtables.c
1 /*
2  *  ebtables
3  *
4  *  Author:
5  *  Bart De Schuymer            <bdschuym@pandora.be>
6  *
7  *  ebtables.c,v 2.0, July, 2002
8  *
9  *  This code is stongly inspired on the iptables code which is
10  *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11  *
12  *  This program is free software; you can redistribute it and/or
13  *  modify it under the terms of the GNU General Public License
14  *  as published by the Free Software Foundation; either version
15  *  2 of the License, or (at your option) any later version.
16  */
17
18
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
29 #include <net/sock.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
32
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34                                          "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37                                          ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
39
40
41
42 /*
43  * Each cpu has its own set of counters, so there is no need for write_lock in
44  * the softirq
45  * For reading or updating the counters, the user context needs to
46  * get a write_lock
47  */
48
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53    COUNTER_OFFSET(n) * cpu))
54
55
56
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
59 static LIST_HEAD(ebt_targets);
60 static LIST_HEAD(ebt_matches);
61 static LIST_HEAD(ebt_watchers);
62
63 static struct xt_target ebt_standard_target = {
64         .name       = "standard",
65         .revision   = 0,
66         .family     = NFPROTO_BRIDGE,
67         .targetsize = sizeof(int),
68 };
69
70 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
71    struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
72    const struct net_device *out)
73 {
74         w->u.watcher->target(skb, in, out, hooknr, w->u.watcher, w->data);
75         /* watchers don't give a verdict */
76         return 0;
77 }
78
79 static inline int ebt_do_match (struct ebt_entry_match *m,
80    const struct sk_buff *skb, const struct net_device *in,
81    const struct net_device *out, bool *hotdrop)
82 {
83         return m->u.match->match(skb, in, out, m->u.match,
84                m->data, 0, 0, hotdrop);
85 }
86
87 static inline int ebt_dev_check(char *entry, const struct net_device *device)
88 {
89         int i = 0;
90         const char *devname = device->name;
91
92         if (*entry == '\0')
93                 return 0;
94         if (!device)
95                 return 1;
96         /* 1 is the wildcard token */
97         while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98                 i++;
99         return (devname[i] != entry[i] && entry[i] != 1);
100 }
101
102 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
103 /* process standard matches */
104 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
105    const struct net_device *in, const struct net_device *out)
106 {
107         int verdict, i;
108
109         if (e->bitmask & EBT_802_3) {
110                 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111                         return 1;
112         } else if (!(e->bitmask & EBT_NOPROTO) &&
113            FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
114                 return 1;
115
116         if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117                 return 1;
118         if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119                 return 1;
120         if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
121            e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122                 return 1;
123         if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
124            e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
125                 return 1;
126
127         if (e->bitmask & EBT_SOURCEMAC) {
128                 verdict = 0;
129                 for (i = 0; i < 6; i++)
130                         verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131                            e->sourcemsk[i];
132                 if (FWINV2(verdict != 0, EBT_ISOURCE) )
133                         return 1;
134         }
135         if (e->bitmask & EBT_DESTMAC) {
136                 verdict = 0;
137                 for (i = 0; i < 6; i++)
138                         verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139                            e->destmsk[i];
140                 if (FWINV2(verdict != 0, EBT_IDEST) )
141                         return 1;
142         }
143         return 0;
144 }
145
146 /* Do some firewalling */
147 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
148    const struct net_device *in, const struct net_device *out,
149    struct ebt_table *table)
150 {
151         int i, nentries;
152         struct ebt_entry *point;
153         struct ebt_counter *counter_base, *cb_base;
154         struct ebt_entry_target *t;
155         int verdict, sp = 0;
156         struct ebt_chainstack *cs;
157         struct ebt_entries *chaininfo;
158         char *base;
159         struct ebt_table_info *private;
160         bool hotdrop = false;
161
162         read_lock_bh(&table->lock);
163         private = table->private;
164         cb_base = COUNTER_BASE(private->counters, private->nentries,
165            smp_processor_id());
166         if (private->chainstack)
167                 cs = private->chainstack[smp_processor_id()];
168         else
169                 cs = NULL;
170         chaininfo = private->hook_entry[hook];
171         nentries = private->hook_entry[hook]->nentries;
172         point = (struct ebt_entry *)(private->hook_entry[hook]->data);
173         counter_base = cb_base + private->hook_entry[hook]->counter_offset;
174         /* base for chain jumps */
175         base = private->entries;
176         i = 0;
177         while (i < nentries) {
178                 if (ebt_basic_match(point, eth_hdr(skb), in, out))
179                         goto letscontinue;
180
181                 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb,
182                     in, out, &hotdrop) != 0)
183                         goto letscontinue;
184                 if (hotdrop) {
185                         read_unlock_bh(&table->lock);
186                         return NF_DROP;
187                 }
188
189                 /* increase counter */
190                 (*(counter_base + i)).pcnt++;
191                 (*(counter_base + i)).bcnt += skb->len;
192
193                 /* these should only watch: not modify, nor tell us
194                    what to do with the packet */
195                 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, hook, in,
196                    out);
197
198                 t = (struct ebt_entry_target *)
199                    (((char *)point) + point->target_offset);
200                 /* standard target */
201                 if (!t->u.target->target)
202                         verdict = ((struct ebt_standard_target *)t)->verdict;
203                 else
204                         verdict = t->u.target->target(skb, in, out, hook,
205                                   t->u.target, t->data);
206                 if (verdict == EBT_ACCEPT) {
207                         read_unlock_bh(&table->lock);
208                         return NF_ACCEPT;
209                 }
210                 if (verdict == EBT_DROP) {
211                         read_unlock_bh(&table->lock);
212                         return NF_DROP;
213                 }
214                 if (verdict == EBT_RETURN) {
215 letsreturn:
216 #ifdef CONFIG_NETFILTER_DEBUG
217                         if (sp == 0) {
218                                 BUGPRINT("RETURN on base chain");
219                                 /* act like this is EBT_CONTINUE */
220                                 goto letscontinue;
221                         }
222 #endif
223                         sp--;
224                         /* put all the local variables right */
225                         i = cs[sp].n;
226                         chaininfo = cs[sp].chaininfo;
227                         nentries = chaininfo->nentries;
228                         point = cs[sp].e;
229                         counter_base = cb_base +
230                            chaininfo->counter_offset;
231                         continue;
232                 }
233                 if (verdict == EBT_CONTINUE)
234                         goto letscontinue;
235 #ifdef CONFIG_NETFILTER_DEBUG
236                 if (verdict < 0) {
237                         BUGPRINT("bogus standard verdict\n");
238                         read_unlock_bh(&table->lock);
239                         return NF_DROP;
240                 }
241 #endif
242                 /* jump to a udc */
243                 cs[sp].n = i + 1;
244                 cs[sp].chaininfo = chaininfo;
245                 cs[sp].e = (struct ebt_entry *)
246                    (((char *)point) + point->next_offset);
247                 i = 0;
248                 chaininfo = (struct ebt_entries *) (base + verdict);
249 #ifdef CONFIG_NETFILTER_DEBUG
250                 if (chaininfo->distinguisher) {
251                         BUGPRINT("jump to non-chain\n");
252                         read_unlock_bh(&table->lock);
253                         return NF_DROP;
254                 }
255 #endif
256                 nentries = chaininfo->nentries;
257                 point = (struct ebt_entry *)chaininfo->data;
258                 counter_base = cb_base + chaininfo->counter_offset;
259                 sp++;
260                 continue;
261 letscontinue:
262                 point = (struct ebt_entry *)
263                    (((char *)point) + point->next_offset);
264                 i++;
265         }
266
267         /* I actually like this :) */
268         if (chaininfo->policy == EBT_RETURN)
269                 goto letsreturn;
270         if (chaininfo->policy == EBT_ACCEPT) {
271                 read_unlock_bh(&table->lock);
272                 return NF_ACCEPT;
273         }
274         read_unlock_bh(&table->lock);
275         return NF_DROP;
276 }
277
278 /* If it succeeds, returns element and locks mutex */
279 static inline void *
280 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
281    struct mutex *mutex)
282 {
283         struct {
284                 struct list_head list;
285                 char name[EBT_FUNCTION_MAXNAMELEN];
286         } *e;
287
288         *error = mutex_lock_interruptible(mutex);
289         if (*error != 0)
290                 return NULL;
291
292         list_for_each_entry(e, head, list) {
293                 if (strcmp(e->name, name) == 0)
294                         return e;
295         }
296         *error = -ENOENT;
297         mutex_unlock(mutex);
298         return NULL;
299 }
300
301 #ifndef CONFIG_KMOD
302 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
303 #else
304 static void *
305 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
306    int *error, struct mutex *mutex)
307 {
308         void *ret;
309
310         ret = find_inlist_lock_noload(head, name, error, mutex);
311         if (!ret) {
312                 request_module("%s%s", prefix, name);
313                 ret = find_inlist_lock_noload(head, name, error, mutex);
314         }
315         return ret;
316 }
317 #endif
318
319 static inline struct ebt_table *
320 find_table_lock(const char *name, int *error, struct mutex *mutex)
321 {
322         return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
323 }
324
325 static inline struct ebt_match *
326 find_match_lock(const char *name, int *error, struct mutex *mutex)
327 {
328         return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
329 }
330
331 static inline struct ebt_watcher *
332 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
333 {
334         return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
335 }
336
337 static inline struct ebt_target *
338 find_target_lock(const char *name, int *error, struct mutex *mutex)
339 {
340         return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
341 }
342
343 static inline int
344 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
345    const char *name, unsigned int hookmask, unsigned int *cnt)
346 {
347         struct xt_match *match;
348         size_t left = ((char *)e + e->watchers_offset) - (char *)m;
349         int ret;
350
351         if (left < sizeof(struct ebt_entry_match) ||
352             left - sizeof(struct ebt_entry_match) < m->match_size)
353                 return -EINVAL;
354
355         match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
356                 m->u.name, 0), "ebt_%s", m->u.name);
357         if (IS_ERR(match))
358                 return PTR_ERR(match);
359         if (match == NULL)
360                 return -ENOENT;
361         m->u.match = match;
362
363         ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size,
364               name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
365         if (ret < 0) {
366                 module_put(match->me);
367                 return ret;
368         } else if (match->checkentry != NULL &&
369             !match->checkentry(name, e, NULL, m->data, hookmask)) {
370                 module_put(match->me);
371                 BUGPRINT("match->check failed\n");
372                 return -EINVAL;
373         }
374
375         (*cnt)++;
376         return 0;
377 }
378
379 static inline int
380 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
381    const char *name, unsigned int hookmask, unsigned int *cnt)
382 {
383         struct xt_target *watcher;
384         size_t left = ((char *)e + e->target_offset) - (char *)w;
385         int ret;
386
387         if (left < sizeof(struct ebt_entry_watcher) ||
388            left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
389                 return -EINVAL;
390
391         watcher = try_then_request_module(
392                   xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
393                   "ebt_%s", w->u.name);
394         if (IS_ERR(watcher))
395                 return PTR_ERR(watcher);
396         if (watcher == NULL)
397                 return -ENOENT;
398         w->u.watcher = watcher;
399
400         ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size,
401               name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
402         if (ret < 0) {
403                 module_put(watcher->me);
404                 return ret;
405         } else if (watcher->checkentry != NULL &&
406             !watcher->checkentry(name, e, NULL, w->data, hookmask)) {
407                 module_put(watcher->me);
408                 BUGPRINT("watcher->check failed\n");
409                 return -EINVAL;
410         }
411
412         (*cnt)++;
413         return 0;
414 }
415
416 static int ebt_verify_pointers(struct ebt_replace *repl,
417                                struct ebt_table_info *newinfo)
418 {
419         unsigned int limit = repl->entries_size;
420         unsigned int valid_hooks = repl->valid_hooks;
421         unsigned int offset = 0;
422         int i;
423
424         for (i = 0; i < NF_BR_NUMHOOKS; i++)
425                 newinfo->hook_entry[i] = NULL;
426
427         newinfo->entries_size = repl->entries_size;
428         newinfo->nentries = repl->nentries;
429
430         while (offset < limit) {
431                 size_t left = limit - offset;
432                 struct ebt_entry *e = (void *)newinfo->entries + offset;
433
434                 if (left < sizeof(unsigned int))
435                         break;
436
437                 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
438                         if ((valid_hooks & (1 << i)) == 0)
439                                 continue;
440                         if ((char __user *)repl->hook_entry[i] ==
441                              repl->entries + offset)
442                                 break;
443                 }
444
445                 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
446                         if (e->bitmask != 0) {
447                                 /* we make userspace set this right,
448                                    so there is no misunderstanding */
449                                 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
450                                          "in distinguisher\n");
451                                 return -EINVAL;
452                         }
453                         if (i != NF_BR_NUMHOOKS)
454                                 newinfo->hook_entry[i] = (struct ebt_entries *)e;
455                         if (left < sizeof(struct ebt_entries))
456                                 break;
457                         offset += sizeof(struct ebt_entries);
458                 } else {
459                         if (left < sizeof(struct ebt_entry))
460                                 break;
461                         if (left < e->next_offset)
462                                 break;
463                         offset += e->next_offset;
464                 }
465         }
466         if (offset != limit) {
467                 BUGPRINT("entries_size too small\n");
468                 return -EINVAL;
469         }
470
471         /* check if all valid hooks have a chain */
472         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
473                 if (!newinfo->hook_entry[i] &&
474                    (valid_hooks & (1 << i))) {
475                         BUGPRINT("Valid hook without chain\n");
476                         return -EINVAL;
477                 }
478         }
479         return 0;
480 }
481
482 /*
483  * this one is very careful, as it is the first function
484  * to parse the userspace data
485  */
486 static inline int
487 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
488    struct ebt_table_info *newinfo,
489    unsigned int *n, unsigned int *cnt,
490    unsigned int *totalcnt, unsigned int *udc_cnt)
491 {
492         int i;
493
494         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
495                 if ((void *)e == (void *)newinfo->hook_entry[i])
496                         break;
497         }
498         /* beginning of a new chain
499            if i == NF_BR_NUMHOOKS it must be a user defined chain */
500         if (i != NF_BR_NUMHOOKS || !e->bitmask) {
501                 /* this checks if the previous chain has as many entries
502                    as it said it has */
503                 if (*n != *cnt) {
504                         BUGPRINT("nentries does not equal the nr of entries "
505                                  "in the chain\n");
506                         return -EINVAL;
507                 }
508                 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
509                    ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
510                         /* only RETURN from udc */
511                         if (i != NF_BR_NUMHOOKS ||
512                            ((struct ebt_entries *)e)->policy != EBT_RETURN) {
513                                 BUGPRINT("bad policy\n");
514                                 return -EINVAL;
515                         }
516                 }
517                 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
518                         (*udc_cnt)++;
519                 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
520                         BUGPRINT("counter_offset != totalcnt");
521                         return -EINVAL;
522                 }
523                 *n = ((struct ebt_entries *)e)->nentries;
524                 *cnt = 0;
525                 return 0;
526         }
527         /* a plain old entry, heh */
528         if (sizeof(struct ebt_entry) > e->watchers_offset ||
529            e->watchers_offset > e->target_offset ||
530            e->target_offset >= e->next_offset) {
531                 BUGPRINT("entry offsets not in right order\n");
532                 return -EINVAL;
533         }
534         /* this is not checked anywhere else */
535         if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
536                 BUGPRINT("target size too small\n");
537                 return -EINVAL;
538         }
539         (*cnt)++;
540         (*totalcnt)++;
541         return 0;
542 }
543
544 struct ebt_cl_stack
545 {
546         struct ebt_chainstack cs;
547         int from;
548         unsigned int hookmask;
549 };
550
551 /*
552  * we need these positions to check that the jumps to a different part of the
553  * entries is a jump to the beginning of a new chain.
554  */
555 static inline int
556 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
557    unsigned int *n, struct ebt_cl_stack *udc)
558 {
559         int i;
560
561         /* we're only interested in chain starts */
562         if (e->bitmask)
563                 return 0;
564         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
565                 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
566                         break;
567         }
568         /* only care about udc */
569         if (i != NF_BR_NUMHOOKS)
570                 return 0;
571
572         udc[*n].cs.chaininfo = (struct ebt_entries *)e;
573         /* these initialisations are depended on later in check_chainloops() */
574         udc[*n].cs.n = 0;
575         udc[*n].hookmask = 0;
576
577         (*n)++;
578         return 0;
579 }
580
581 static inline int
582 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
583 {
584         if (i && (*i)-- == 0)
585                 return 1;
586         if (m->u.match->destroy)
587                 m->u.match->destroy(m->u.match, m->data);
588         module_put(m->u.match->me);
589
590         return 0;
591 }
592
593 static inline int
594 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
595 {
596         if (i && (*i)-- == 0)
597                 return 1;
598         if (w->u.watcher->destroy)
599                 w->u.watcher->destroy(w->u.watcher, w->data);
600         module_put(w->u.watcher->me);
601
602         return 0;
603 }
604
605 static inline int
606 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
607 {
608         struct ebt_entry_target *t;
609
610         if (e->bitmask == 0)
611                 return 0;
612         /* we're done */
613         if (cnt && (*cnt)-- == 0)
614                 return 1;
615         EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
616         EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
617         t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
618         if (t->u.target->destroy)
619                 t->u.target->destroy(t->u.target, t->data);
620         module_put(t->u.target->me);
621
622         return 0;
623 }
624
625 static inline int
626 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
627    const char *name, unsigned int *cnt,
628    struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
629 {
630         struct ebt_entry_target *t;
631         struct xt_target *target;
632         unsigned int i, j, hook = 0, hookmask = 0;
633         size_t gap;
634         int ret;
635
636         /* don't mess with the struct ebt_entries */
637         if (e->bitmask == 0)
638                 return 0;
639
640         if (e->bitmask & ~EBT_F_MASK) {
641                 BUGPRINT("Unknown flag for bitmask\n");
642                 return -EINVAL;
643         }
644         if (e->invflags & ~EBT_INV_MASK) {
645                 BUGPRINT("Unknown flag for inv bitmask\n");
646                 return -EINVAL;
647         }
648         if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
649                 BUGPRINT("NOPROTO & 802_3 not allowed\n");
650                 return -EINVAL;
651         }
652         /* what hook do we belong to? */
653         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
654                 if (!newinfo->hook_entry[i])
655                         continue;
656                 if ((char *)newinfo->hook_entry[i] < (char *)e)
657                         hook = i;
658                 else
659                         break;
660         }
661         /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
662            a base chain */
663         if (i < NF_BR_NUMHOOKS)
664                 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
665         else {
666                 for (i = 0; i < udc_cnt; i++)
667                         if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
668                                 break;
669                 if (i == 0)
670                         hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
671                 else
672                         hookmask = cl_s[i - 1].hookmask;
673         }
674         i = 0;
675         ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
676         if (ret != 0)
677                 goto cleanup_matches;
678         j = 0;
679         ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
680         if (ret != 0)
681                 goto cleanup_watchers;
682         t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
683         gap = e->next_offset - e->target_offset;
684
685         target = try_then_request_module(
686                  xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
687                  "ebt_%s", t->u.name);
688         if (IS_ERR(target)) {
689                 ret = PTR_ERR(target);
690                 goto cleanup_watchers;
691         } else if (target == NULL) {
692                 ret = -ENOENT;
693                 goto cleanup_watchers;
694         }
695
696         t->u.target = target;
697         if (t->u.target == &ebt_standard_target) {
698                 if (gap < sizeof(struct ebt_standard_target)) {
699                         BUGPRINT("Standard target size too big\n");
700                         ret = -EFAULT;
701                         goto cleanup_watchers;
702                 }
703                 if (((struct ebt_standard_target *)t)->verdict <
704                    -NUM_STANDARD_TARGETS) {
705                         BUGPRINT("Invalid standard target\n");
706                         ret = -EFAULT;
707                         goto cleanup_watchers;
708                 }
709         } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
710                 module_put(t->u.target->me);
711                 ret = -EFAULT;
712                 goto cleanup_watchers;
713         }
714
715         ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size,
716               name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
717         if (ret < 0) {
718                 module_put(target->me);
719                 goto cleanup_watchers;
720         } else if (t->u.target->checkentry &&
721             !t->u.target->checkentry(name, e, NULL, t->data, hookmask)) {
722                 module_put(t->u.target->me);
723                 ret = -EFAULT;
724                 goto cleanup_watchers;
725         }
726         (*cnt)++;
727         return 0;
728 cleanup_watchers:
729         EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
730 cleanup_matches:
731         EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
732         return ret;
733 }
734
735 /*
736  * checks for loops and sets the hook mask for udc
737  * the hook mask for udc tells us from which base chains the udc can be
738  * accessed. This mask is a parameter to the check() functions of the extensions
739  */
740 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
741    unsigned int udc_cnt, unsigned int hooknr, char *base)
742 {
743         int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
744         struct ebt_entry *e = (struct ebt_entry *)chain->data;
745         struct ebt_entry_target *t;
746
747         while (pos < nentries || chain_nr != -1) {
748                 /* end of udc, go back one 'recursion' step */
749                 if (pos == nentries) {
750                         /* put back values of the time when this chain was called */
751                         e = cl_s[chain_nr].cs.e;
752                         if (cl_s[chain_nr].from != -1)
753                                 nentries =
754                                 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
755                         else
756                                 nentries = chain->nentries;
757                         pos = cl_s[chain_nr].cs.n;
758                         /* make sure we won't see a loop that isn't one */
759                         cl_s[chain_nr].cs.n = 0;
760                         chain_nr = cl_s[chain_nr].from;
761                         if (pos == nentries)
762                                 continue;
763                 }
764                 t = (struct ebt_entry_target *)
765                    (((char *)e) + e->target_offset);
766                 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
767                         goto letscontinue;
768                 if (e->target_offset + sizeof(struct ebt_standard_target) >
769                    e->next_offset) {
770                         BUGPRINT("Standard target size too big\n");
771                         return -1;
772                 }
773                 verdict = ((struct ebt_standard_target *)t)->verdict;
774                 if (verdict >= 0) { /* jump to another chain */
775                         struct ebt_entries *hlp2 =
776                            (struct ebt_entries *)(base + verdict);
777                         for (i = 0; i < udc_cnt; i++)
778                                 if (hlp2 == cl_s[i].cs.chaininfo)
779                                         break;
780                         /* bad destination or loop */
781                         if (i == udc_cnt) {
782                                 BUGPRINT("bad destination\n");
783                                 return -1;
784                         }
785                         if (cl_s[i].cs.n) {
786                                 BUGPRINT("loop\n");
787                                 return -1;
788                         }
789                         if (cl_s[i].hookmask & (1 << hooknr))
790                                 goto letscontinue;
791                         /* this can't be 0, so the loop test is correct */
792                         cl_s[i].cs.n = pos + 1;
793                         pos = 0;
794                         cl_s[i].cs.e = ((void *)e + e->next_offset);
795                         e = (struct ebt_entry *)(hlp2->data);
796                         nentries = hlp2->nentries;
797                         cl_s[i].from = chain_nr;
798                         chain_nr = i;
799                         /* this udc is accessible from the base chain for hooknr */
800                         cl_s[i].hookmask |= (1 << hooknr);
801                         continue;
802                 }
803 letscontinue:
804                 e = (void *)e + e->next_offset;
805                 pos++;
806         }
807         return 0;
808 }
809
810 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
811 static int translate_table(char *name, struct ebt_table_info *newinfo)
812 {
813         unsigned int i, j, k, udc_cnt;
814         int ret;
815         struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
816
817         i = 0;
818         while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
819                 i++;
820         if (i == NF_BR_NUMHOOKS) {
821                 BUGPRINT("No valid hooks specified\n");
822                 return -EINVAL;
823         }
824         if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
825                 BUGPRINT("Chains don't start at beginning\n");
826                 return -EINVAL;
827         }
828         /* make sure chains are ordered after each other in same order
829            as their corresponding hooks */
830         for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
831                 if (!newinfo->hook_entry[j])
832                         continue;
833                 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
834                         BUGPRINT("Hook order must be followed\n");
835                         return -EINVAL;
836                 }
837                 i = j;
838         }
839
840         /* do some early checkings and initialize some things */
841         i = 0; /* holds the expected nr. of entries for the chain */
842         j = 0; /* holds the up to now counted entries for the chain */
843         k = 0; /* holds the total nr. of entries, should equal
844                   newinfo->nentries afterwards */
845         udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
846         ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
847            ebt_check_entry_size_and_hooks, newinfo,
848            &i, &j, &k, &udc_cnt);
849
850         if (ret != 0)
851                 return ret;
852
853         if (i != j) {
854                 BUGPRINT("nentries does not equal the nr of entries in the "
855                          "(last) chain\n");
856                 return -EINVAL;
857         }
858         if (k != newinfo->nentries) {
859                 BUGPRINT("Total nentries is wrong\n");
860                 return -EINVAL;
861         }
862
863         /* get the location of the udc, put them in an array
864            while we're at it, allocate the chainstack */
865         if (udc_cnt) {
866                 /* this will get free'd in do_replace()/ebt_register_table()
867                    if an error occurs */
868                 newinfo->chainstack =
869                         vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
870                 if (!newinfo->chainstack)
871                         return -ENOMEM;
872                 for_each_possible_cpu(i) {
873                         newinfo->chainstack[i] =
874                           vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
875                         if (!newinfo->chainstack[i]) {
876                                 while (i)
877                                         vfree(newinfo->chainstack[--i]);
878                                 vfree(newinfo->chainstack);
879                                 newinfo->chainstack = NULL;
880                                 return -ENOMEM;
881                         }
882                 }
883
884                 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
885                 if (!cl_s)
886                         return -ENOMEM;
887                 i = 0; /* the i'th udc */
888                 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
889                    ebt_get_udc_positions, newinfo, &i, cl_s);
890                 /* sanity check */
891                 if (i != udc_cnt) {
892                         BUGPRINT("i != udc_cnt\n");
893                         vfree(cl_s);
894                         return -EFAULT;
895                 }
896         }
897
898         /* Check for loops */
899         for (i = 0; i < NF_BR_NUMHOOKS; i++)
900                 if (newinfo->hook_entry[i])
901                         if (check_chainloops(newinfo->hook_entry[i],
902                            cl_s, udc_cnt, i, newinfo->entries)) {
903                                 vfree(cl_s);
904                                 return -EINVAL;
905                         }
906
907         /* we now know the following (along with E=mc²):
908            - the nr of entries in each chain is right
909            - the size of the allocated space is right
910            - all valid hooks have a corresponding chain
911            - there are no loops
912            - wrong data can still be on the level of a single entry
913            - could be there are jumps to places that are not the
914              beginning of a chain. This can only occur in chains that
915              are not accessible from any base chains, so we don't care. */
916
917         /* used to know what we need to clean up if something goes wrong */
918         i = 0;
919         ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
920            ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
921         if (ret != 0) {
922                 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
923                    ebt_cleanup_entry, &i);
924         }
925         vfree(cl_s);
926         return ret;
927 }
928
929 /* called under write_lock */
930 static void get_counters(struct ebt_counter *oldcounters,
931    struct ebt_counter *counters, unsigned int nentries)
932 {
933         int i, cpu;
934         struct ebt_counter *counter_base;
935
936         /* counters of cpu 0 */
937         memcpy(counters, oldcounters,
938                sizeof(struct ebt_counter) * nentries);
939
940         /* add other counters to those of cpu 0 */
941         for_each_possible_cpu(cpu) {
942                 if (cpu == 0)
943                         continue;
944                 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
945                 for (i = 0; i < nentries; i++) {
946                         counters[i].pcnt += counter_base[i].pcnt;
947                         counters[i].bcnt += counter_base[i].bcnt;
948                 }
949         }
950 }
951
952 /* replace the table */
953 static int do_replace(void __user *user, unsigned int len)
954 {
955         int ret, i, countersize;
956         struct ebt_table_info *newinfo;
957         struct ebt_replace tmp;
958         struct ebt_table *t;
959         struct ebt_counter *counterstmp = NULL;
960         /* used to be able to unlock earlier */
961         struct ebt_table_info *table;
962
963         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
964                 return -EFAULT;
965
966         if (len != sizeof(tmp) + tmp.entries_size) {
967                 BUGPRINT("Wrong len argument\n");
968                 return -EINVAL;
969         }
970
971         if (tmp.entries_size == 0) {
972                 BUGPRINT("Entries_size never zero\n");
973                 return -EINVAL;
974         }
975         /* overflow check */
976         if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
977                         SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
978                 return -ENOMEM;
979         if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
980                 return -ENOMEM;
981
982         countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
983         newinfo = vmalloc(sizeof(*newinfo) + countersize);
984         if (!newinfo)
985                 return -ENOMEM;
986
987         if (countersize)
988                 memset(newinfo->counters, 0, countersize);
989
990         newinfo->entries = vmalloc(tmp.entries_size);
991         if (!newinfo->entries) {
992                 ret = -ENOMEM;
993                 goto free_newinfo;
994         }
995         if (copy_from_user(
996            newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
997                 BUGPRINT("Couldn't copy entries from userspace\n");
998                 ret = -EFAULT;
999                 goto free_entries;
1000         }
1001
1002         /* the user wants counters back
1003            the check on the size is done later, when we have the lock */
1004         if (tmp.num_counters) {
1005                 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1006                 if (!counterstmp) {
1007                         ret = -ENOMEM;
1008                         goto free_entries;
1009                 }
1010         }
1011         else
1012                 counterstmp = NULL;
1013
1014         /* this can get initialized by translate_table() */
1015         newinfo->chainstack = NULL;
1016         ret = ebt_verify_pointers(&tmp, newinfo);
1017         if (ret != 0)
1018                 goto free_counterstmp;
1019
1020         ret = translate_table(tmp.name, newinfo);
1021
1022         if (ret != 0)
1023                 goto free_counterstmp;
1024
1025         t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1026         if (!t) {
1027                 ret = -ENOENT;
1028                 goto free_iterate;
1029         }
1030
1031         /* the table doesn't like it */
1032         if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1033                 goto free_unlock;
1034
1035         if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1036                 BUGPRINT("Wrong nr. of counters requested\n");
1037                 ret = -EINVAL;
1038                 goto free_unlock;
1039         }
1040
1041         /* we have the mutex lock, so no danger in reading this pointer */
1042         table = t->private;
1043         /* make sure the table can only be rmmod'ed if it contains no rules */
1044         if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1045                 ret = -ENOENT;
1046                 goto free_unlock;
1047         } else if (table->nentries && !newinfo->nentries)
1048                 module_put(t->me);
1049         /* we need an atomic snapshot of the counters */
1050         write_lock_bh(&t->lock);
1051         if (tmp.num_counters)
1052                 get_counters(t->private->counters, counterstmp,
1053                    t->private->nentries);
1054
1055         t->private = newinfo;
1056         write_unlock_bh(&t->lock);
1057         mutex_unlock(&ebt_mutex);
1058         /* so, a user can change the chains while having messed up her counter
1059            allocation. Only reason why this is done is because this way the lock
1060            is held only once, while this doesn't bring the kernel into a
1061            dangerous state. */
1062         if (tmp.num_counters &&
1063            copy_to_user(tmp.counters, counterstmp,
1064            tmp.num_counters * sizeof(struct ebt_counter))) {
1065                 BUGPRINT("Couldn't copy counters to userspace\n");
1066                 ret = -EFAULT;
1067         }
1068         else
1069                 ret = 0;
1070
1071         /* decrease module count and free resources */
1072         EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1073            ebt_cleanup_entry, NULL);
1074
1075         vfree(table->entries);
1076         if (table->chainstack) {
1077                 for_each_possible_cpu(i)
1078                         vfree(table->chainstack[i]);
1079                 vfree(table->chainstack);
1080         }
1081         vfree(table);
1082
1083         vfree(counterstmp);
1084         return ret;
1085
1086 free_unlock:
1087         mutex_unlock(&ebt_mutex);
1088 free_iterate:
1089         EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1090            ebt_cleanup_entry, NULL);
1091 free_counterstmp:
1092         vfree(counterstmp);
1093         /* can be initialized in translate_table() */
1094         if (newinfo->chainstack) {
1095                 for_each_possible_cpu(i)
1096                         vfree(newinfo->chainstack[i]);
1097                 vfree(newinfo->chainstack);
1098         }
1099 free_entries:
1100         vfree(newinfo->entries);
1101 free_newinfo:
1102         vfree(newinfo);
1103         return ret;
1104 }
1105
1106 int ebt_register_target(struct ebt_target *target)
1107 {
1108         struct ebt_target *t;
1109         int ret;
1110
1111         ret = mutex_lock_interruptible(&ebt_mutex);
1112         if (ret != 0)
1113                 return ret;
1114         list_for_each_entry(t, &ebt_targets, list) {
1115                 if (strcmp(t->name, target->name) == 0) {
1116                         mutex_unlock(&ebt_mutex);
1117                         return -EEXIST;
1118                 }
1119         }
1120         list_add(&target->list, &ebt_targets);
1121         mutex_unlock(&ebt_mutex);
1122
1123         return 0;
1124 }
1125
1126 void ebt_unregister_target(struct ebt_target *target)
1127 {
1128         mutex_lock(&ebt_mutex);
1129         list_del(&target->list);
1130         mutex_unlock(&ebt_mutex);
1131 }
1132
1133 int ebt_register_match(struct ebt_match *match)
1134 {
1135         struct ebt_match *m;
1136         int ret;
1137
1138         ret = mutex_lock_interruptible(&ebt_mutex);
1139         if (ret != 0)
1140                 return ret;
1141         list_for_each_entry(m, &ebt_matches, list) {
1142                 if (strcmp(m->name, match->name) == 0) {
1143                         mutex_unlock(&ebt_mutex);
1144                         return -EEXIST;
1145                 }
1146         }
1147         list_add(&match->list, &ebt_matches);
1148         mutex_unlock(&ebt_mutex);
1149
1150         return 0;
1151 }
1152
1153 void ebt_unregister_match(struct ebt_match *match)
1154 {
1155         mutex_lock(&ebt_mutex);
1156         list_del(&match->list);
1157         mutex_unlock(&ebt_mutex);
1158 }
1159
1160 int ebt_register_watcher(struct ebt_watcher *watcher)
1161 {
1162         struct ebt_watcher *w;
1163         int ret;
1164
1165         ret = mutex_lock_interruptible(&ebt_mutex);
1166         if (ret != 0)
1167                 return ret;
1168         list_for_each_entry(w, &ebt_watchers, list) {
1169                 if (strcmp(w->name, watcher->name) == 0) {
1170                         mutex_unlock(&ebt_mutex);
1171                         return -EEXIST;
1172                 }
1173         }
1174         list_add(&watcher->list, &ebt_watchers);
1175         mutex_unlock(&ebt_mutex);
1176
1177         return 0;
1178 }
1179
1180 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1181 {
1182         mutex_lock(&ebt_mutex);
1183         list_del(&watcher->list);
1184         mutex_unlock(&ebt_mutex);
1185 }
1186
1187 int ebt_register_table(struct ebt_table *table)
1188 {
1189         struct ebt_table_info *newinfo;
1190         struct ebt_table *t;
1191         struct ebt_replace_kernel *repl;
1192         int ret, i, countersize;
1193         void *p;
1194
1195         if (!table || !(repl = table->table) || !repl->entries ||
1196             repl->entries_size == 0 ||
1197             repl->counters || table->private) {
1198                 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1199                 return -EINVAL;
1200         }
1201
1202         countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1203         newinfo = vmalloc(sizeof(*newinfo) + countersize);
1204         ret = -ENOMEM;
1205         if (!newinfo)
1206                 return -ENOMEM;
1207
1208         p = vmalloc(repl->entries_size);
1209         if (!p)
1210                 goto free_newinfo;
1211
1212         memcpy(p, repl->entries, repl->entries_size);
1213         newinfo->entries = p;
1214
1215         newinfo->entries_size = repl->entries_size;
1216         newinfo->nentries = repl->nentries;
1217
1218         if (countersize)
1219                 memset(newinfo->counters, 0, countersize);
1220
1221         /* fill in newinfo and parse the entries */
1222         newinfo->chainstack = NULL;
1223         for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1224                 if ((repl->valid_hooks & (1 << i)) == 0)
1225                         newinfo->hook_entry[i] = NULL;
1226                 else
1227                         newinfo->hook_entry[i] = p +
1228                                 ((char *)repl->hook_entry[i] - repl->entries);
1229         }
1230         ret = translate_table(repl->name, newinfo);
1231         if (ret != 0) {
1232                 BUGPRINT("Translate_table failed\n");
1233                 goto free_chainstack;
1234         }
1235
1236         if (table->check && table->check(newinfo, table->valid_hooks)) {
1237                 BUGPRINT("The table doesn't like its own initial data, lol\n");
1238                 return -EINVAL;
1239         }
1240
1241         table->private = newinfo;
1242         rwlock_init(&table->lock);
1243         ret = mutex_lock_interruptible(&ebt_mutex);
1244         if (ret != 0)
1245                 goto free_chainstack;
1246
1247         list_for_each_entry(t, &ebt_tables, list) {
1248                 if (strcmp(t->name, table->name) == 0) {
1249                         ret = -EEXIST;
1250                         BUGPRINT("Table name already exists\n");
1251                         goto free_unlock;
1252                 }
1253         }
1254
1255         /* Hold a reference count if the chains aren't empty */
1256         if (newinfo->nentries && !try_module_get(table->me)) {
1257                 ret = -ENOENT;
1258                 goto free_unlock;
1259         }
1260         list_add(&table->list, &ebt_tables);
1261         mutex_unlock(&ebt_mutex);
1262         return 0;
1263 free_unlock:
1264         mutex_unlock(&ebt_mutex);
1265 free_chainstack:
1266         if (newinfo->chainstack) {
1267                 for_each_possible_cpu(i)
1268                         vfree(newinfo->chainstack[i]);
1269                 vfree(newinfo->chainstack);
1270         }
1271         vfree(newinfo->entries);
1272 free_newinfo:
1273         vfree(newinfo);
1274         return ret;
1275 }
1276
1277 void ebt_unregister_table(struct ebt_table *table)
1278 {
1279         int i;
1280
1281         if (!table) {
1282                 BUGPRINT("Request to unregister NULL table!!!\n");
1283                 return;
1284         }
1285         mutex_lock(&ebt_mutex);
1286         list_del(&table->list);
1287         mutex_unlock(&ebt_mutex);
1288         vfree(table->private->entries);
1289         if (table->private->chainstack) {
1290                 for_each_possible_cpu(i)
1291                         vfree(table->private->chainstack[i]);
1292                 vfree(table->private->chainstack);
1293         }
1294         vfree(table->private);
1295 }
1296
1297 /* userspace just supplied us with counters */
1298 static int update_counters(void __user *user, unsigned int len)
1299 {
1300         int i, ret;
1301         struct ebt_counter *tmp;
1302         struct ebt_replace hlp;
1303         struct ebt_table *t;
1304
1305         if (copy_from_user(&hlp, user, sizeof(hlp)))
1306                 return -EFAULT;
1307
1308         if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1309                 return -EINVAL;
1310         if (hlp.num_counters == 0)
1311                 return -EINVAL;
1312
1313         if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1314                 MEMPRINT("Update_counters && nomemory\n");
1315                 return -ENOMEM;
1316         }
1317
1318         t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1319         if (!t)
1320                 goto free_tmp;
1321
1322         if (hlp.num_counters != t->private->nentries) {
1323                 BUGPRINT("Wrong nr of counters\n");
1324                 ret = -EINVAL;
1325                 goto unlock_mutex;
1326         }
1327
1328         if ( copy_from_user(tmp, hlp.counters,
1329            hlp.num_counters * sizeof(struct ebt_counter)) ) {
1330                 BUGPRINT("Updata_counters && !cfu\n");
1331                 ret = -EFAULT;
1332                 goto unlock_mutex;
1333         }
1334
1335         /* we want an atomic add of the counters */
1336         write_lock_bh(&t->lock);
1337
1338         /* we add to the counters of the first cpu */
1339         for (i = 0; i < hlp.num_counters; i++) {
1340                 t->private->counters[i].pcnt += tmp[i].pcnt;
1341                 t->private->counters[i].bcnt += tmp[i].bcnt;
1342         }
1343
1344         write_unlock_bh(&t->lock);
1345         ret = 0;
1346 unlock_mutex:
1347         mutex_unlock(&ebt_mutex);
1348 free_tmp:
1349         vfree(tmp);
1350         return ret;
1351 }
1352
1353 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1354    char *base, char __user *ubase)
1355 {
1356         char __user *hlp = ubase + ((char *)m - base);
1357         if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1358                 return -EFAULT;
1359         return 0;
1360 }
1361
1362 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1363    char *base, char __user *ubase)
1364 {
1365         char __user *hlp = ubase + ((char *)w - base);
1366         if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1367                 return -EFAULT;
1368         return 0;
1369 }
1370
1371 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1372 {
1373         int ret;
1374         char __user *hlp;
1375         struct ebt_entry_target *t;
1376
1377         if (e->bitmask == 0)
1378                 return 0;
1379
1380         hlp = ubase + (((char *)e + e->target_offset) - base);
1381         t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1382
1383         ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1384         if (ret != 0)
1385                 return ret;
1386         ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1387         if (ret != 0)
1388                 return ret;
1389         if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1390                 return -EFAULT;
1391         return 0;
1392 }
1393
1394 /* called with ebt_mutex locked */
1395 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1396    int *len, int cmd)
1397 {
1398         struct ebt_replace tmp;
1399         struct ebt_counter *counterstmp, *oldcounters;
1400         unsigned int entries_size, nentries;
1401         char *entries;
1402
1403         if (cmd == EBT_SO_GET_ENTRIES) {
1404                 entries_size = t->private->entries_size;
1405                 nentries = t->private->nentries;
1406                 entries = t->private->entries;
1407                 oldcounters = t->private->counters;
1408         } else {
1409                 entries_size = t->table->entries_size;
1410                 nentries = t->table->nentries;
1411                 entries = t->table->entries;
1412                 oldcounters = t->table->counters;
1413         }
1414
1415         if (copy_from_user(&tmp, user, sizeof(tmp))) {
1416                 BUGPRINT("Cfu didn't work\n");
1417                 return -EFAULT;
1418         }
1419
1420         if (*len != sizeof(struct ebt_replace) + entries_size +
1421            (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1422                 BUGPRINT("Wrong size\n");
1423                 return -EINVAL;
1424         }
1425
1426         if (tmp.nentries != nentries) {
1427                 BUGPRINT("Nentries wrong\n");
1428                 return -EINVAL;
1429         }
1430
1431         if (tmp.entries_size != entries_size) {
1432                 BUGPRINT("Wrong size\n");
1433                 return -EINVAL;
1434         }
1435
1436         /* userspace might not need the counters */
1437         if (tmp.num_counters) {
1438                 if (tmp.num_counters != nentries) {
1439                         BUGPRINT("Num_counters wrong\n");
1440                         return -EINVAL;
1441                 }
1442                 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1443                 if (!counterstmp) {
1444                         MEMPRINT("Couldn't copy counters, out of memory\n");
1445                         return -ENOMEM;
1446                 }
1447                 write_lock_bh(&t->lock);
1448                 get_counters(oldcounters, counterstmp, nentries);
1449                 write_unlock_bh(&t->lock);
1450
1451                 if (copy_to_user(tmp.counters, counterstmp,
1452                    nentries * sizeof(struct ebt_counter))) {
1453                         BUGPRINT("Couldn't copy counters to userspace\n");
1454                         vfree(counterstmp);
1455                         return -EFAULT;
1456                 }
1457                 vfree(counterstmp);
1458         }
1459
1460         if (copy_to_user(tmp.entries, entries, entries_size)) {
1461                 BUGPRINT("Couldn't copy entries to userspace\n");
1462                 return -EFAULT;
1463         }
1464         /* set the match/watcher/target names right */
1465         return EBT_ENTRY_ITERATE(entries, entries_size,
1466            ebt_make_names, entries, tmp.entries);
1467 }
1468
1469 static int do_ebt_set_ctl(struct sock *sk,
1470         int cmd, void __user *user, unsigned int len)
1471 {
1472         int ret;
1473
1474         switch(cmd) {
1475         case EBT_SO_SET_ENTRIES:
1476                 ret = do_replace(user, len);
1477                 break;
1478         case EBT_SO_SET_COUNTERS:
1479                 ret = update_counters(user, len);
1480                 break;
1481         default:
1482                 ret = -EINVAL;
1483   }
1484         return ret;
1485 }
1486
1487 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1488 {
1489         int ret;
1490         struct ebt_replace tmp;
1491         struct ebt_table *t;
1492
1493         if (copy_from_user(&tmp, user, sizeof(tmp)))
1494                 return -EFAULT;
1495
1496         t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1497         if (!t)
1498                 return ret;
1499
1500         switch(cmd) {
1501         case EBT_SO_GET_INFO:
1502         case EBT_SO_GET_INIT_INFO:
1503                 if (*len != sizeof(struct ebt_replace)){
1504                         ret = -EINVAL;
1505                         mutex_unlock(&ebt_mutex);
1506                         break;
1507                 }
1508                 if (cmd == EBT_SO_GET_INFO) {
1509                         tmp.nentries = t->private->nentries;
1510                         tmp.entries_size = t->private->entries_size;
1511                         tmp.valid_hooks = t->valid_hooks;
1512                 } else {
1513                         tmp.nentries = t->table->nentries;
1514                         tmp.entries_size = t->table->entries_size;
1515                         tmp.valid_hooks = t->table->valid_hooks;
1516                 }
1517                 mutex_unlock(&ebt_mutex);
1518                 if (copy_to_user(user, &tmp, *len) != 0){
1519                         BUGPRINT("c2u Didn't work\n");
1520                         ret = -EFAULT;
1521                         break;
1522                 }
1523                 ret = 0;
1524                 break;
1525
1526         case EBT_SO_GET_ENTRIES:
1527         case EBT_SO_GET_INIT_ENTRIES:
1528                 ret = copy_everything_to_user(t, user, len, cmd);
1529                 mutex_unlock(&ebt_mutex);
1530                 break;
1531
1532         default:
1533                 mutex_unlock(&ebt_mutex);
1534                 ret = -EINVAL;
1535         }
1536
1537         return ret;
1538 }
1539
1540 static struct nf_sockopt_ops ebt_sockopts =
1541 {
1542         .pf             = PF_INET,
1543         .set_optmin     = EBT_BASE_CTL,
1544         .set_optmax     = EBT_SO_SET_MAX + 1,
1545         .set            = do_ebt_set_ctl,
1546         .get_optmin     = EBT_BASE_CTL,
1547         .get_optmax     = EBT_SO_GET_MAX + 1,
1548         .get            = do_ebt_get_ctl,
1549         .owner          = THIS_MODULE,
1550 };
1551
1552 static int __init ebtables_init(void)
1553 {
1554         int ret;
1555
1556         ret = xt_register_target(&ebt_standard_target);
1557         if (ret < 0)
1558                 return ret;
1559         ret = nf_register_sockopt(&ebt_sockopts);
1560         if (ret < 0) {
1561                 xt_unregister_target(&ebt_standard_target);
1562                 return ret;
1563         }
1564
1565         printk(KERN_INFO "Ebtables v2.0 registered\n");
1566         return 0;
1567 }
1568
1569 static void __exit ebtables_fini(void)
1570 {
1571         nf_unregister_sockopt(&ebt_sockopts);
1572         xt_unregister_target(&ebt_standard_target);
1573         printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1574 }
1575
1576 EXPORT_SYMBOL(ebt_register_table);
1577 EXPORT_SYMBOL(ebt_unregister_table);
1578 EXPORT_SYMBOL(ebt_register_match);
1579 EXPORT_SYMBOL(ebt_unregister_match);
1580 EXPORT_SYMBOL(ebt_register_watcher);
1581 EXPORT_SYMBOL(ebt_unregister_watcher);
1582 EXPORT_SYMBOL(ebt_register_target);
1583 EXPORT_SYMBOL(ebt_unregister_target);
1584 EXPORT_SYMBOL(ebt_do_table);
1585 module_init(ebtables_init);
1586 module_exit(ebtables_fini);
1587 MODULE_LICENSE("GPL");