
Commit 1e419cd9 authored by Al Viro's avatar Al Viro Committed by David S. Miller

[EBTABLES]: Split ebt_replace into user and kernel variants, annotate.

parent df07a81e
+18 −1
@@ -38,6 +38,23 @@ struct ebt_counter
};
};


struct ebt_replace
struct ebt_replace
{
	char name[EBT_TABLE_MAXNAMELEN];
	unsigned int valid_hooks;
	/* nr of rules in the table */
	unsigned int nentries;
	/* total size of the entries */
	unsigned int entries_size;
	/* start of the chains */
	struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
	/* nr of counters userspace expects back */
	unsigned int num_counters;
	/* where the kernel will put the old counters */
	struct ebt_counter __user *counters;
	char __user *entries;
};

struct ebt_replace_kernel
{
{
	char name[EBT_TABLE_MAXNAMELEN];
	char name[EBT_TABLE_MAXNAMELEN];
	unsigned int valid_hooks;
	unsigned int valid_hooks;
@@ -255,7 +272,7 @@ struct ebt_table
{
{
	struct list_head list;
	struct list_head list;
	char name[EBT_TABLE_MAXNAMELEN];
	char name[EBT_TABLE_MAXNAMELEN];
	struct ebt_replace *table;
	struct ebt_replace_kernel *table;
	unsigned int valid_hooks;
	unsigned int valid_hooks;
	rwlock_t lock;
	rwlock_t lock;
	/* e.g. could be the table explicitly only allows certain
	/* e.g. could be the table explicitly only allows certain
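Review bot: The new `struct ebt_replace` carries no comment saying it is the userspace-facing layout, and `char __user *entries` is the only pointer field left without a description. Since `hook_entry`, `counters` and `entries` are now annotated as user addresses, I would add `/* userspace view: the pointers below are user addresses and may only be accessed via copy_from_user()/copy_to_user() */` above the struct and a short comment on `entries` (it appears to be the start of the entries blob; confirm). The `nentries`, `entries_size` and `num_counters` fields of this variant are presumably filled in by userspace, so it is worth stating in the comment that consumers must range-check them before using them to size allocations or copies; no such validation is visible on this page. `struct ebt_replace_kernel` and `struct ebt_table` both continue outside their hunks, so whether the two layouts are meant to stay field-for-field identical cannot be confirmed here; if they are, a one-line comment saying so would guard against drift.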
+1 −1
@@ -23,7 +23,7 @@ static struct ebt_entries initial_chain = {
	.policy		= EBT_ACCEPT,
	.policy		= EBT_ACCEPT,
};
};


static struct ebt_replace initial_table =
static struct ebt_replace_kernel initial_table =
{
{
	.name		= "broute",
	.name		= "broute",
	.valid_hooks	= 1 << NF_BR_BROUTING,
	.valid_hooks	= 1 << NF_BR_BROUTING,
+1 −1
@@ -30,7 +30,7 @@ static struct ebt_entries initial_chains[] =
	},
	},
};
};


static struct ebt_replace initial_table =
static struct ebt_replace_kernel initial_table =
{
{
	.name		= "filter",
	.name		= "filter",
	.valid_hooks	= FILTER_VALID_HOOKS,
	.valid_hooks	= FILTER_VALID_HOOKS,
+1 −1
@@ -30,7 +30,7 @@ static struct ebt_entries initial_chains[] =
	}
	}
};
};


static struct ebt_replace initial_table =
static struct ebt_replace_kernel initial_table =
{
{
	.name		= "nat",
	.name		= "nat",
	.valid_hooks	= NAT_VALID_HOOKS,
	.valid_hooks	= NAT_VALID_HOOKS,
+10 −9
@@ -417,7 +417,8 @@ static int ebt_verify_pointers(struct ebt_replace *repl,
		for (i = 0; i < NF_BR_NUMHOOKS; i++) {
		for (i = 0; i < NF_BR_NUMHOOKS; i++) {
			if ((valid_hooks & (1 << i)) == 0)
			if ((valid_hooks & (1 << i)) == 0)
				continue;
				continue;
			if ((char *)repl->hook_entry[i] == repl->entries + offset)
			if ((char __user *)repl->hook_entry[i] ==
			     repl->entries + offset)
				break;
				break;
		}
		}


@@ -1156,7 +1157,7 @@ int ebt_register_table(struct ebt_table *table)
{
{
	struct ebt_table_info *newinfo;
	struct ebt_table_info *newinfo;
	struct ebt_table *t;
	struct ebt_table *t;
	struct ebt_replace *repl;
	struct ebt_replace_kernel *repl;
	int ret, i, countersize;
	int ret, i, countersize;
	void *p;
	void *p;


@@ -1320,33 +1321,33 @@ static int update_counters(void __user *user, unsigned int len)
}
}


static inline int ebt_make_matchname(struct ebt_entry_match *m,
static inline int ebt_make_matchname(struct ebt_entry_match *m,
   char *base, char *ubase)
   char *base, char __user *ubase)
{
{
	char *hlp = ubase - base + (char *)m;
	char __user *hlp = ubase + ((char *)m - base);
	if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
	if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
		return -EFAULT;
		return -EFAULT;
	return 0;
	return 0;
}
}


static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
   char *base, char *ubase)
   char *base, char __user *ubase)
{
{
	char *hlp = ubase - base + (char *)w;
	char __user *hlp = ubase + ((char *)w - base);
	if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
	if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
		return -EFAULT;
		return -EFAULT;
	return 0;
	return 0;
}
}


static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
{
{
	int ret;
	int ret;
	char *hlp;
	char __user *hlp;
	struct ebt_entry_target *t;
	struct ebt_entry_target *t;


	if (e->bitmask == 0)
	if (e->bitmask == 0)
		return 0;
		return 0;


	hlp = ubase - base + (char *)e + e->target_offset;
	hlp = ubase + (((char *)e + e->target_offset) - base);
	t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
	t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
	
	
	ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
	ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
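Review bot: `ebt_make_matchname`, `ebt_make_watchername` and `ebt_make_names` compute the `copy_to_user()` destination as `ubase + (kernel_ptr - base)`, but nothing in the visible lines states or checks the precondition that the object lies inside the kernel blob starting at `base` and that the user buffer at `ubase` is at least as large. That check is presumably made by the caller, outside this hunk; a comment above `ebt_make_matchname` such as `/* base: kernel copy of the entries; ubase: user buffer of the same size, validated by the caller */` would record it. In `ebt_make_names` the offset also includes `e->target_offset`, so the comment should say that the helper relies on those offsets having been verified earlier (presumably when the table was loaded). On style, the new `ebt_make_names` signature runs past 80 columns while the two helpers above wrap their parameter lists; wrapping it the same way keeps the three consistent. The body of `ebt_make_names` continues beyond the end of the hunk.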