// SPDX-License-Identifier: GPL-2.0-or-later /* * ebtables * * Author: * Bart De Schuymer <[email protected]> * * ebtables.c,v 2.0, July, 2002 * * This code is strongly inspired by the iptables code which is * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling */ #define pr_fmt(fmt) … #include <linux/kmod.h> #include <linux/module.h> #include <linux/vmalloc.h> #include <linux/netfilter/x_tables.h> #include <linux/netfilter_bridge/ebtables.h> #include <linux/spinlock.h> #include <linux/mutex.h> #include <linux/slab.h> #include <linux/uaccess.h> #include <linux/smp.h> #include <linux/cpumask.h> #include <linux/audit.h> #include <net/sock.h> #include <net/netns/generic.h> /* needed for logical [in,out]-dev filtering */ #include "../br_private.h" /* Each cpu has its own set of counters, so there is no need for write_lock in * the softirq * For reading or updating the counters, the user context needs to * get a write_lock */ /* The size of each set of counters is altered to get cache alignment */ #define SMP_ALIGN(x) … #define COUNTER_OFFSET(n) … #define COUNTER_BASE(c, n, cpu) … struct ebt_pernet { … }; struct ebt_template { … }; static unsigned int ebt_pernet_id __read_mostly; static LIST_HEAD(template_tables); static DEFINE_MUTEX(ebt_mutex); #ifdef CONFIG_NETFILTER_XTABLES_COMPAT static void ebt_standard_compat_from_user(void *dst, const void *src) { … } static int ebt_standard_compat_to_user(void __user *dst, const void *src) { … } #endif static struct xt_target ebt_standard_target = …; static inline int ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb, struct xt_action_param *par) { … } static inline int ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb, struct xt_action_param *par) { … } static inline int ebt_dev_check(const char *entry, const struct net_device *device) { … } /* process standard matches */ static inline int ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb, const struct net_device *in, const struct net_device *out) { … } static inline struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry) { … } static inline const struct ebt_entry_target * ebt_get_target_c(const struct ebt_entry *e) { … } /* Do some firewalling */ unsigned int ebt_do_table(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { … } /* If it succeeds, returns element and locks mutex */ static inline void * find_inlist_lock_noload(struct net *net, const char *name, int *error, struct mutex *mutex) { … } static void * find_inlist_lock(struct net *net, const char *name, const char *prefix, int *error, struct mutex *mutex) { … } static inline struct ebt_table * find_table_lock(struct net *net, const char *name, int *error, struct mutex *mutex) { … } static inline void ebt_free_table_info(struct ebt_table_info *info) { … } static inline int ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par, unsigned int *cnt) { … } static inline int ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par, unsigned int *cnt) { … } static int ebt_verify_pointers(const struct ebt_replace *repl, struct ebt_table_info *newinfo) { … } /* this one is very careful, as it is the first function * to parse the userspace data */ static inline int ebt_check_entry_size_and_hooks(const struct ebt_entry *e, const struct ebt_table_info *newinfo, unsigned int *n, unsigned int *cnt, unsigned int *totalcnt, unsigned int *udc_cnt) { … } struct ebt_cl_stack { … }; /* We need these positions to check that the jumps to a different part of the * entries is a jump to the beginning of a new chain. */ static inline int ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo, unsigned int *n, struct ebt_cl_stack *udc) { … } static inline int ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i) { … } static inline int ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i) { … } static inline int ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt) { … } static inline int ebt_check_entry(struct ebt_entry *e, struct net *net, const struct ebt_table_info *newinfo, const char *name, unsigned int *cnt, struct ebt_cl_stack *cl_s, unsigned int udc_cnt) { … } /* checks for loops and sets the hook mask for udc * the hook mask for udc tells us from which base chains the udc can be * accessed. This mask is a parameter to the check() functions of the extensions */ static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s, unsigned int udc_cnt, unsigned int hooknr, char *base) { … } /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */ static int translate_table(struct net *net, const char *name, struct ebt_table_info *newinfo) { … } /* called under write_lock */ static void get_counters(const struct ebt_counter *oldcounters, struct ebt_counter *counters, unsigned int nentries) { … } static int do_replace_finish(struct net *net, struct ebt_replace *repl, struct ebt_table_info *newinfo) { … } /* replace the table */ static int do_replace(struct net *net, sockptr_t arg, unsigned int len) { … } static void __ebt_unregister_table(struct net *net, struct ebt_table *table) { … } int ebt_register_table(struct net *net, const struct ebt_table *input_table, const struct nf_hook_ops *template_ops) { … } int ebt_register_template(const struct ebt_table *t, int (*table_init)(struct net *net)) { … } EXPORT_SYMBOL(…); void ebt_unregister_template(const struct ebt_table *t) { … } EXPORT_SYMBOL(…); static struct ebt_table *__ebt_find_table(struct net *net, const char *name) { … } void ebt_unregister_table_pre_exit(struct net *net, const char *name) { … } EXPORT_SYMBOL(…); void ebt_unregister_table(struct net *net, const char *name) { … } /* userspace just supplied us with counters */ static int do_update_counters(struct net *net, const char *name, struct ebt_counter __user *counters, unsigned int num_counters, unsigned int len) { … } static int update_counters(struct net *net, sockptr_t arg, unsigned int len) { … } static inline int ebt_obj_to_user(char __user *um, const char *_name, const char *data, int entrysize, int usersize, int datasize, u8 revision) { … } static inline int ebt_match_to_user(const struct ebt_entry_match *m, const char *base, char __user *ubase) { … } static inline int ebt_watcher_to_user(const struct ebt_entry_watcher *w, const char *base, char __user *ubase) { … } static inline int ebt_entry_to_user(struct ebt_entry *e, const char *base, char __user *ubase) { … } static int copy_counters_to_user(struct ebt_table *t, const struct ebt_counter *oldcounters, void __user *user, unsigned int num_counters, unsigned int nentries) { … } /* called with ebt_mutex locked */ static int copy_everything_to_user(struct ebt_table *t, void __user *user, const int *len, int cmd) { … } #ifdef CONFIG_NETFILTER_XTABLES_COMPAT /* 32 bit-userspace compatibility definitions. */ struct compat_ebt_replace { … }; /* struct ebt_entry_match, _target and _watcher have same layout */ struct compat_ebt_entry_mwt { … }; /* account for possible padding between match_size and ->data */ static int ebt_compat_entry_padsize(void) { … } static int ebt_compat_match_offset(const struct xt_match *match, unsigned int userlen) { … } static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr, unsigned int *size) { … } static int compat_target_to_user(struct ebt_entry_target *t, void __user **dstptr, unsigned int *size) { … } static int compat_watcher_to_user(struct ebt_entry_watcher *w, void __user **dstptr, unsigned int *size) { … } static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr, unsigned int *size) { … } static int compat_calc_match(struct ebt_entry_match *m, int *off) { … } static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off) { … } static int compat_calc_entry(const struct ebt_entry *e, const struct ebt_table_info *info, const void *base, struct compat_ebt_replace *newinfo) { … } static int ebt_compat_init_offsets(unsigned int number) { … } static int compat_table_info(const struct ebt_table_info *info, struct compat_ebt_replace *newinfo) { … } static int compat_copy_everything_to_user(struct ebt_table *t, void __user *user, int *len, int cmd) { … } struct ebt_entries_buf_state { … }; static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz) { … } static int ebt_buf_add(struct ebt_entries_buf_state *state, const void *data, unsigned int sz) { … } static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz) { … } enum compat_mwt { … }; static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt, enum compat_mwt compat_mwt, struct ebt_entries_buf_state *state, const unsigned char *base) { … } /* return size of all matches, watchers or target, including necessary * alignment and padding. */ static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32, unsigned int size_left, enum compat_mwt type, struct ebt_entries_buf_state *state, const void *base) { … } /* called for all ebt_entry structures. */ static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base, unsigned int *total, struct ebt_entries_buf_state *state) { … } /* repl->entries_size is the size of the ebt_entry blob in userspace. * It might need more memory when copied to a 64 bit kernel in case * userspace is 32-bit. So, first task: find out how much memory is needed. * * Called before validation is performed. */ static int compat_copy_entries(unsigned char *data, unsigned int size_user, struct ebt_entries_buf_state *state) { … } static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl, sockptr_t arg, unsigned int len) { … } static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) { … } static int compat_update_counters(struct net *net, sockptr_t arg, unsigned int len) { … } static int compat_do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) { … } #endif static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) { … } static int do_ebt_set_ctl(struct sock *sk, int cmd, sockptr_t arg, unsigned int len) { … } static struct nf_sockopt_ops ebt_sockopts = …; static int __net_init ebt_pernet_init(struct net *net) { … } static struct pernet_operations ebt_net_ops = …; static int __init ebtables_init(void) { … } static void ebtables_fini(void) { … } EXPORT_SYMBOL(…); EXPORT_SYMBOL(…); EXPORT_SYMBOL(…); module_init(…) …; module_exit(ebtables_fini); MODULE_LICENSE(…) …; MODULE_DESCRIPTION(…) …;
Codebase Browser
linux