5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
59 static LIST_HEAD(ebt_targets);
60 static LIST_HEAD(ebt_matches);
61 static LIST_HEAD(ebt_watchers);
63 static struct ebt_target ebt_standard_target = {
66 .family = NFPROTO_BRIDGE,
69 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
70 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
71 const struct net_device *out)
73 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
75 /* watchers don't give a verdict */
79 static inline int ebt_do_match (struct ebt_entry_match *m,
80 const struct sk_buff *skb, const struct net_device *in,
81 const struct net_device *out)
83 return m->u.match->match(skb, in, out, m->data,
87 static inline int ebt_dev_check(char *entry, const struct net_device *device)
90 const char *devname = device->name;
96 /* 1 is the wildcard token */
97 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
99 return (devname[i] != entry[i] && entry[i] != 1);
102 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
103 /* process standard matches */
104 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
105 const struct net_device *in, const struct net_device *out)
109 if (e->bitmask & EBT_802_3) {
110 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
112 } else if (!(e->bitmask & EBT_NOPROTO) &&
113 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
116 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
118 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
120 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
121 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
123 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
124 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
127 if (e->bitmask & EBT_SOURCEMAC) {
129 for (i = 0; i < 6; i++)
130 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
132 if (FWINV2(verdict != 0, EBT_ISOURCE) )
135 if (e->bitmask & EBT_DESTMAC) {
137 for (i = 0; i < 6; i++)
138 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
140 if (FWINV2(verdict != 0, EBT_IDEST) )
146 /* Do some firewalling */
147 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
148 const struct net_device *in, const struct net_device *out,
149 struct ebt_table *table)
152 struct ebt_entry *point;
153 struct ebt_counter *counter_base, *cb_base;
154 struct ebt_entry_target *t;
156 struct ebt_chainstack *cs;
157 struct ebt_entries *chaininfo;
159 struct ebt_table_info *private;
161 read_lock_bh(&table->lock);
162 private = table->private;
163 cb_base = COUNTER_BASE(private->counters, private->nentries,
165 if (private->chainstack)
166 cs = private->chainstack[smp_processor_id()];
169 chaininfo = private->hook_entry[hook];
170 nentries = private->hook_entry[hook]->nentries;
171 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
172 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
173 /* base for chain jumps */
174 base = private->entries;
176 while (i < nentries) {
177 if (ebt_basic_match(point, eth_hdr(skb), in, out))
180 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, in, out) != 0)
183 /* increase counter */
184 (*(counter_base + i)).pcnt++;
185 (*(counter_base + i)).bcnt += skb->len;
187 /* these should only watch: not modify, nor tell us
188 what to do with the packet */
189 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, hook, in,
192 t = (struct ebt_entry_target *)
193 (((char *)point) + point->target_offset);
194 /* standard target */
195 if (!t->u.target->target)
196 verdict = ((struct ebt_standard_target *)t)->verdict;
198 verdict = t->u.target->target(skb, hook,
199 in, out, t->data, t->target_size);
200 if (verdict == EBT_ACCEPT) {
201 read_unlock_bh(&table->lock);
204 if (verdict == EBT_DROP) {
205 read_unlock_bh(&table->lock);
208 if (verdict == EBT_RETURN) {
210 #ifdef CONFIG_NETFILTER_DEBUG
212 BUGPRINT("RETURN on base chain");
213 /* act like this is EBT_CONTINUE */
218 /* put all the local variables right */
220 chaininfo = cs[sp].chaininfo;
221 nentries = chaininfo->nentries;
223 counter_base = cb_base +
224 chaininfo->counter_offset;
227 if (verdict == EBT_CONTINUE)
229 #ifdef CONFIG_NETFILTER_DEBUG
231 BUGPRINT("bogus standard verdict\n");
232 read_unlock_bh(&table->lock);
238 cs[sp].chaininfo = chaininfo;
239 cs[sp].e = (struct ebt_entry *)
240 (((char *)point) + point->next_offset);
242 chaininfo = (struct ebt_entries *) (base + verdict);
243 #ifdef CONFIG_NETFILTER_DEBUG
244 if (chaininfo->distinguisher) {
245 BUGPRINT("jump to non-chain\n");
246 read_unlock_bh(&table->lock);
250 nentries = chaininfo->nentries;
251 point = (struct ebt_entry *)chaininfo->data;
252 counter_base = cb_base + chaininfo->counter_offset;
256 point = (struct ebt_entry *)
257 (((char *)point) + point->next_offset);
261 /* I actually like this :) */
262 if (chaininfo->policy == EBT_RETURN)
264 if (chaininfo->policy == EBT_ACCEPT) {
265 read_unlock_bh(&table->lock);
268 read_unlock_bh(&table->lock);
272 /* If it succeeds, returns element and locks mutex */
274 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
278 struct list_head list;
279 char name[EBT_FUNCTION_MAXNAMELEN];
282 *error = mutex_lock_interruptible(mutex);
286 list_for_each_entry(e, head, list) {
287 if (strcmp(e->name, name) == 0)
296 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
299 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
300 int *error, struct mutex *mutex)
304 ret = find_inlist_lock_noload(head, name, error, mutex);
306 request_module("%s%s", prefix, name);
307 ret = find_inlist_lock_noload(head, name, error, mutex);
313 static inline struct ebt_table *
314 find_table_lock(const char *name, int *error, struct mutex *mutex)
316 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
319 static inline struct ebt_match *
320 find_match_lock(const char *name, int *error, struct mutex *mutex)
322 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
325 static inline struct ebt_watcher *
326 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
328 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
331 static inline struct ebt_target *
332 find_target_lock(const char *name, int *error, struct mutex *mutex)
334 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
338 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
339 const char *name, unsigned int hookmask, unsigned int *cnt)
341 struct ebt_match *match;
342 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
345 if (left < sizeof(struct ebt_entry_match) ||
346 left - sizeof(struct ebt_entry_match) < m->match_size)
348 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
352 if (!try_module_get(match->me)) {
353 mutex_unlock(&ebt_mutex);
356 mutex_unlock(&ebt_mutex);
357 if (match->family != NFPROTO_BRIDGE) {
358 printk(KERN_WARNING "ebtables: %s match: not for ebtables?\n",
362 if (match->revision != 0) {
363 printk(KERN_WARNING "ebtables: %s match: ebtables is not "
364 "supporting revisions at this time\n",
368 if (XT_ALIGN(match->matchsize) != m->match_size &&
369 match->matchsize != -1) {
371 * ebt_among is exempt from centralized matchsize checking
372 * because it uses a dynamic-size data set.
374 printk(KERN_WARNING "ebtables: %s match: "
375 "invalid size %Zu != %u\n",
376 match->name, XT_ALIGN(match->matchsize), m->match_size);
380 !match->check(name, hookmask, e, m->data, m->match_size)) {
381 BUGPRINT("match->check failed\n");
387 module_put(match->me);
392 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
393 const char *name, unsigned int hookmask, unsigned int *cnt)
395 struct ebt_watcher *watcher;
396 size_t left = ((char *)e + e->target_offset) - (char *)w;
399 if (left < sizeof(struct ebt_entry_watcher) ||
400 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
402 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
405 w->u.watcher = watcher;
406 if (!try_module_get(watcher->me)) {
407 mutex_unlock(&ebt_mutex);
410 mutex_unlock(&ebt_mutex);
411 if (watcher->family != NFPROTO_BRIDGE) {
412 printk(KERN_WARNING "ebtables: %s watcher: not for ebtables?\n",
416 if (watcher->revision != 0) {
417 printk(KERN_WARNING "ebtables: %s watcher: ebtables is not "
418 "supporting revisions at this time\n",
422 if (XT_ALIGN(watcher->targetsize) != w->watcher_size) {
423 printk(KERN_WARNING "ebtables: %s watcher: "
424 "invalid size %Zu != %u\n",
425 watcher->name, XT_ALIGN(watcher->targetsize),
429 if (watcher->check &&
430 !watcher->check(name, hookmask, e, w->data, w->watcher_size)) {
431 BUGPRINT("watcher->check failed\n");
437 module_put(watcher->me);
441 static int ebt_verify_pointers(struct ebt_replace *repl,
442 struct ebt_table_info *newinfo)
444 unsigned int limit = repl->entries_size;
445 unsigned int valid_hooks = repl->valid_hooks;
446 unsigned int offset = 0;
449 for (i = 0; i < NF_BR_NUMHOOKS; i++)
450 newinfo->hook_entry[i] = NULL;
452 newinfo->entries_size = repl->entries_size;
453 newinfo->nentries = repl->nentries;
455 while (offset < limit) {
456 size_t left = limit - offset;
457 struct ebt_entry *e = (void *)newinfo->entries + offset;
459 if (left < sizeof(unsigned int))
462 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
463 if ((valid_hooks & (1 << i)) == 0)
465 if ((char __user *)repl->hook_entry[i] ==
466 repl->entries + offset)
470 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
471 if (e->bitmask != 0) {
472 /* we make userspace set this right,
473 so there is no misunderstanding */
474 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
475 "in distinguisher\n");
478 if (i != NF_BR_NUMHOOKS)
479 newinfo->hook_entry[i] = (struct ebt_entries *)e;
480 if (left < sizeof(struct ebt_entries))
482 offset += sizeof(struct ebt_entries);
484 if (left < sizeof(struct ebt_entry))
486 if (left < e->next_offset)
488 offset += e->next_offset;
491 if (offset != limit) {
492 BUGPRINT("entries_size too small\n");
496 /* check if all valid hooks have a chain */
497 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
498 if (!newinfo->hook_entry[i] &&
499 (valid_hooks & (1 << i))) {
500 BUGPRINT("Valid hook without chain\n");
508 * this one is very careful, as it is the first function
509 * to parse the userspace data
512 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
513 struct ebt_table_info *newinfo,
514 unsigned int *n, unsigned int *cnt,
515 unsigned int *totalcnt, unsigned int *udc_cnt)
519 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
520 if ((void *)e == (void *)newinfo->hook_entry[i])
523 /* beginning of a new chain
524 if i == NF_BR_NUMHOOKS it must be a user defined chain */
525 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
526 /* this checks if the previous chain has as many entries
529 BUGPRINT("nentries does not equal the nr of entries "
533 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
534 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
535 /* only RETURN from udc */
536 if (i != NF_BR_NUMHOOKS ||
537 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
538 BUGPRINT("bad policy\n");
542 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
544 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
545 BUGPRINT("counter_offset != totalcnt");
548 *n = ((struct ebt_entries *)e)->nentries;
552 /* a plain old entry, heh */
553 if (sizeof(struct ebt_entry) > e->watchers_offset ||
554 e->watchers_offset > e->target_offset ||
555 e->target_offset >= e->next_offset) {
556 BUGPRINT("entry offsets not in right order\n");
559 /* this is not checked anywhere else */
560 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
561 BUGPRINT("target size too small\n");
571 struct ebt_chainstack cs;
573 unsigned int hookmask;
577 * we need these positions to check that the jumps to a different part of the
578 * entries is a jump to the beginning of a new chain.
581 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
582 unsigned int *n, struct ebt_cl_stack *udc)
586 /* we're only interested in chain starts */
589 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
590 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
593 /* only care about udc */
594 if (i != NF_BR_NUMHOOKS)
597 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
598 /* these initialisations are depended on later in check_chainloops() */
600 udc[*n].hookmask = 0;
607 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
609 if (i && (*i)-- == 0)
611 if (m->u.match->destroy)
612 m->u.match->destroy(m->data, m->match_size);
613 module_put(m->u.match->me);
619 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
621 if (i && (*i)-- == 0)
623 if (w->u.watcher->destroy)
624 w->u.watcher->destroy(w->data, w->watcher_size);
625 module_put(w->u.watcher->me);
631 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
633 struct ebt_entry_target *t;
638 if (cnt && (*cnt)-- == 0)
640 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
641 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
642 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
643 if (t->u.target->destroy)
644 t->u.target->destroy(t->data, t->target_size);
645 module_put(t->u.target->me);
651 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
652 const char *name, unsigned int *cnt,
653 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
655 struct ebt_entry_target *t;
656 struct ebt_target *target;
657 unsigned int i, j, hook = 0, hookmask = 0;
661 /* don't mess with the struct ebt_entries */
665 if (e->bitmask & ~EBT_F_MASK) {
666 BUGPRINT("Unknown flag for bitmask\n");
669 if (e->invflags & ~EBT_INV_MASK) {
670 BUGPRINT("Unknown flag for inv bitmask\n");
673 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
674 BUGPRINT("NOPROTO & 802_3 not allowed\n");
677 /* what hook do we belong to? */
678 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
679 if (!newinfo->hook_entry[i])
681 if ((char *)newinfo->hook_entry[i] < (char *)e)
686 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
688 if (i < NF_BR_NUMHOOKS)
689 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
691 for (i = 0; i < udc_cnt; i++)
692 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
695 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
697 hookmask = cl_s[i - 1].hookmask;
700 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
702 goto cleanup_matches;
704 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
706 goto cleanup_watchers;
707 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
708 gap = e->next_offset - e->target_offset;
709 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
711 goto cleanup_watchers;
712 if (!try_module_get(target->me)) {
713 mutex_unlock(&ebt_mutex);
715 goto cleanup_watchers;
717 mutex_unlock(&ebt_mutex);
719 if (target->family != NFPROTO_BRIDGE) {
720 printk(KERN_WARNING "ebtables: %s target: not for ebtables?\n",
723 goto cleanup_watchers;
725 if (target->revision != 0) {
726 printk(KERN_WARNING "ebtables: %s target: ebtables is not "
727 "supporting revisions at this time\n",
730 goto cleanup_watchers;
733 t->u.target = target;
734 if (t->u.target == &ebt_standard_target) {
735 if (gap < sizeof(struct ebt_standard_target)) {
736 BUGPRINT("Standard target size too big\n");
738 goto cleanup_watchers;
740 if (((struct ebt_standard_target *)t)->verdict <
741 -NUM_STANDARD_TARGETS) {
742 BUGPRINT("Invalid standard target\n");
744 goto cleanup_watchers;
746 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
747 module_put(t->u.target->me);
749 goto cleanup_watchers;
750 } else if (XT_ALIGN(target->targetsize) != t->target_size) {
751 printk(KERN_WARNING "ebtables: %s target: "
752 "invalid size %Zu != %u\n",
753 target->name, XT_ALIGN(target->targetsize),
755 module_put(t->u.target->me);
757 goto cleanup_watchers;
758 } else if (t->u.target->check &&
759 !t->u.target->check(name, hookmask, e, t->data, t->target_size)) {
760 module_put(t->u.target->me);
762 goto cleanup_watchers;
767 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
769 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
774 * checks for loops and sets the hook mask for udc
775 * the hook mask for udc tells us from which base chains the udc can be
776 * accessed. This mask is a parameter to the check() functions of the extensions
778 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
779 unsigned int udc_cnt, unsigned int hooknr, char *base)
781 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
782 struct ebt_entry *e = (struct ebt_entry *)chain->data;
783 struct ebt_entry_target *t;
785 while (pos < nentries || chain_nr != -1) {
786 /* end of udc, go back one 'recursion' step */
787 if (pos == nentries) {
788 /* put back values of the time when this chain was called */
789 e = cl_s[chain_nr].cs.e;
790 if (cl_s[chain_nr].from != -1)
792 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
794 nentries = chain->nentries;
795 pos = cl_s[chain_nr].cs.n;
796 /* make sure we won't see a loop that isn't one */
797 cl_s[chain_nr].cs.n = 0;
798 chain_nr = cl_s[chain_nr].from;
802 t = (struct ebt_entry_target *)
803 (((char *)e) + e->target_offset);
804 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
806 if (e->target_offset + sizeof(struct ebt_standard_target) >
808 BUGPRINT("Standard target size too big\n");
811 verdict = ((struct ebt_standard_target *)t)->verdict;
812 if (verdict >= 0) { /* jump to another chain */
813 struct ebt_entries *hlp2 =
814 (struct ebt_entries *)(base + verdict);
815 for (i = 0; i < udc_cnt; i++)
816 if (hlp2 == cl_s[i].cs.chaininfo)
818 /* bad destination or loop */
820 BUGPRINT("bad destination\n");
827 if (cl_s[i].hookmask & (1 << hooknr))
829 /* this can't be 0, so the loop test is correct */
830 cl_s[i].cs.n = pos + 1;
832 cl_s[i].cs.e = ((void *)e + e->next_offset);
833 e = (struct ebt_entry *)(hlp2->data);
834 nentries = hlp2->nentries;
835 cl_s[i].from = chain_nr;
837 /* this udc is accessible from the base chain for hooknr */
838 cl_s[i].hookmask |= (1 << hooknr);
842 e = (void *)e + e->next_offset;
848 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
849 static int translate_table(char *name, struct ebt_table_info *newinfo)
851 unsigned int i, j, k, udc_cnt;
853 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
856 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
858 if (i == NF_BR_NUMHOOKS) {
859 BUGPRINT("No valid hooks specified\n");
862 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
863 BUGPRINT("Chains don't start at beginning\n");
866 /* make sure chains are ordered after each other in same order
867 as their corresponding hooks */
868 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
869 if (!newinfo->hook_entry[j])
871 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
872 BUGPRINT("Hook order must be followed\n");
878 /* do some early checkings and initialize some things */
879 i = 0; /* holds the expected nr. of entries for the chain */
880 j = 0; /* holds the up to now counted entries for the chain */
881 k = 0; /* holds the total nr. of entries, should equal
882 newinfo->nentries afterwards */
883 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
884 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
885 ebt_check_entry_size_and_hooks, newinfo,
886 &i, &j, &k, &udc_cnt);
892 BUGPRINT("nentries does not equal the nr of entries in the "
896 if (k != newinfo->nentries) {
897 BUGPRINT("Total nentries is wrong\n");
901 /* get the location of the udc, put them in an array
902 while we're at it, allocate the chainstack */
904 /* this will get free'd in do_replace()/ebt_register_table()
905 if an error occurs */
906 newinfo->chainstack =
907 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
908 if (!newinfo->chainstack)
910 for_each_possible_cpu(i) {
911 newinfo->chainstack[i] =
912 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
913 if (!newinfo->chainstack[i]) {
915 vfree(newinfo->chainstack[--i]);
916 vfree(newinfo->chainstack);
917 newinfo->chainstack = NULL;
922 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
925 i = 0; /* the i'th udc */
926 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
927 ebt_get_udc_positions, newinfo, &i, cl_s);
930 BUGPRINT("i != udc_cnt\n");
936 /* Check for loops */
937 for (i = 0; i < NF_BR_NUMHOOKS; i++)
938 if (newinfo->hook_entry[i])
939 if (check_chainloops(newinfo->hook_entry[i],
940 cl_s, udc_cnt, i, newinfo->entries)) {
945 /* we now know the following (along with E=mc²):
946 - the nr of entries in each chain is right
947 - the size of the allocated space is right
948 - all valid hooks have a corresponding chain
950 - wrong data can still be on the level of a single entry
951 - could be there are jumps to places that are not the
952 beginning of a chain. This can only occur in chains that
953 are not accessible from any base chains, so we don't care. */
955 /* used to know what we need to clean up if something goes wrong */
957 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
958 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
960 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
961 ebt_cleanup_entry, &i);
967 /* called under write_lock */
968 static void get_counters(struct ebt_counter *oldcounters,
969 struct ebt_counter *counters, unsigned int nentries)
972 struct ebt_counter *counter_base;
974 /* counters of cpu 0 */
975 memcpy(counters, oldcounters,
976 sizeof(struct ebt_counter) * nentries);
978 /* add other counters to those of cpu 0 */
979 for_each_possible_cpu(cpu) {
982 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
983 for (i = 0; i < nentries; i++) {
984 counters[i].pcnt += counter_base[i].pcnt;
985 counters[i].bcnt += counter_base[i].bcnt;
990 /* replace the table */
991 static int do_replace(void __user *user, unsigned int len)
993 int ret, i, countersize;
994 struct ebt_table_info *newinfo;
995 struct ebt_replace tmp;
997 struct ebt_counter *counterstmp = NULL;
998 /* used to be able to unlock earlier */
999 struct ebt_table_info *table;
1001 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1004 if (len != sizeof(tmp) + tmp.entries_size) {
1005 BUGPRINT("Wrong len argument\n");
1009 if (tmp.entries_size == 0) {
1010 BUGPRINT("Entries_size never zero\n");
1013 /* overflow check */
1014 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
1015 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1017 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1020 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1021 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1026 memset(newinfo->counters, 0, countersize);
1028 newinfo->entries = vmalloc(tmp.entries_size);
1029 if (!newinfo->entries) {
1034 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1035 BUGPRINT("Couldn't copy entries from userspace\n");
1040 /* the user wants counters back
1041 the check on the size is done later, when we have the lock */
1042 if (tmp.num_counters) {
1043 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1052 /* this can get initialized by translate_table() */
1053 newinfo->chainstack = NULL;
1054 ret = ebt_verify_pointers(&tmp, newinfo);
1056 goto free_counterstmp;
1058 ret = translate_table(tmp.name, newinfo);
1061 goto free_counterstmp;
1063 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1069 /* the table doesn't like it */
1070 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1073 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1074 BUGPRINT("Wrong nr. of counters requested\n");
1079 /* we have the mutex lock, so no danger in reading this pointer */
1081 /* make sure the table can only be rmmod'ed if it contains no rules */
1082 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1085 } else if (table->nentries && !newinfo->nentries)
1087 /* we need an atomic snapshot of the counters */
1088 write_lock_bh(&t->lock);
1089 if (tmp.num_counters)
1090 get_counters(t->private->counters, counterstmp,
1091 t->private->nentries);
1093 t->private = newinfo;
1094 write_unlock_bh(&t->lock);
1095 mutex_unlock(&ebt_mutex);
1096 /* so, a user can change the chains while having messed up her counter
1097 allocation. Only reason why this is done is because this way the lock
1098 is held only once, while this doesn't bring the kernel into a
1100 if (tmp.num_counters &&
1101 copy_to_user(tmp.counters, counterstmp,
1102 tmp.num_counters * sizeof(struct ebt_counter))) {
1103 BUGPRINT("Couldn't copy counters to userspace\n");
1109 /* decrease module count and free resources */
1110 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1111 ebt_cleanup_entry, NULL);
1113 vfree(table->entries);
1114 if (table->chainstack) {
1115 for_each_possible_cpu(i)
1116 vfree(table->chainstack[i]);
1117 vfree(table->chainstack);
1125 mutex_unlock(&ebt_mutex);
1127 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1128 ebt_cleanup_entry, NULL);
1131 /* can be initialized in translate_table() */
1132 if (newinfo->chainstack) {
1133 for_each_possible_cpu(i)
1134 vfree(newinfo->chainstack[i]);
1135 vfree(newinfo->chainstack);
1138 vfree(newinfo->entries);
1144 int ebt_register_target(struct ebt_target *target)
1146 struct ebt_target *t;
1149 ret = mutex_lock_interruptible(&ebt_mutex);
1152 list_for_each_entry(t, &ebt_targets, list) {
1153 if (strcmp(t->name, target->name) == 0) {
1154 mutex_unlock(&ebt_mutex);
1158 list_add(&target->list, &ebt_targets);
1159 mutex_unlock(&ebt_mutex);
1164 void ebt_unregister_target(struct ebt_target *target)
1166 mutex_lock(&ebt_mutex);
1167 list_del(&target->list);
1168 mutex_unlock(&ebt_mutex);
1171 int ebt_register_match(struct ebt_match *match)
1173 struct ebt_match *m;
1176 ret = mutex_lock_interruptible(&ebt_mutex);
1179 list_for_each_entry(m, &ebt_matches, list) {
1180 if (strcmp(m->name, match->name) == 0) {
1181 mutex_unlock(&ebt_mutex);
1185 list_add(&match->list, &ebt_matches);
1186 mutex_unlock(&ebt_mutex);
1191 void ebt_unregister_match(struct ebt_match *match)
1193 mutex_lock(&ebt_mutex);
1194 list_del(&match->list);
1195 mutex_unlock(&ebt_mutex);
1198 int ebt_register_watcher(struct ebt_watcher *watcher)
1200 struct ebt_watcher *w;
1203 ret = mutex_lock_interruptible(&ebt_mutex);
1206 list_for_each_entry(w, &ebt_watchers, list) {
1207 if (strcmp(w->name, watcher->name) == 0) {
1208 mutex_unlock(&ebt_mutex);
1212 list_add(&watcher->list, &ebt_watchers);
1213 mutex_unlock(&ebt_mutex);
1218 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1220 mutex_lock(&ebt_mutex);
1221 list_del(&watcher->list);
1222 mutex_unlock(&ebt_mutex);
1225 int ebt_register_table(struct ebt_table *table)
1227 struct ebt_table_info *newinfo;
1228 struct ebt_table *t;
1229 struct ebt_replace_kernel *repl;
1230 int ret, i, countersize;
1233 if (!table || !(repl = table->table) || !repl->entries ||
1234 repl->entries_size == 0 ||
1235 repl->counters || table->private) {
1236 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1240 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1241 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1246 p = vmalloc(repl->entries_size);
1250 memcpy(p, repl->entries, repl->entries_size);
1251 newinfo->entries = p;
1253 newinfo->entries_size = repl->entries_size;
1254 newinfo->nentries = repl->nentries;
1257 memset(newinfo->counters, 0, countersize);
1259 /* fill in newinfo and parse the entries */
1260 newinfo->chainstack = NULL;
1261 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1262 if ((repl->valid_hooks & (1 << i)) == 0)
1263 newinfo->hook_entry[i] = NULL;
1265 newinfo->hook_entry[i] = p +
1266 ((char *)repl->hook_entry[i] - repl->entries);
1268 ret = translate_table(repl->name, newinfo);
1270 BUGPRINT("Translate_table failed\n");
1271 goto free_chainstack;
1274 if (table->check && table->check(newinfo, table->valid_hooks)) {
1275 BUGPRINT("The table doesn't like its own initial data, lol\n");
1279 table->private = newinfo;
1280 rwlock_init(&table->lock);
1281 ret = mutex_lock_interruptible(&ebt_mutex);
1283 goto free_chainstack;
1285 list_for_each_entry(t, &ebt_tables, list) {
1286 if (strcmp(t->name, table->name) == 0) {
1288 BUGPRINT("Table name already exists\n");
1293 /* Hold a reference count if the chains aren't empty */
1294 if (newinfo->nentries && !try_module_get(table->me)) {
1298 list_add(&table->list, &ebt_tables);
1299 mutex_unlock(&ebt_mutex);
1302 mutex_unlock(&ebt_mutex);
1304 if (newinfo->chainstack) {
1305 for_each_possible_cpu(i)
1306 vfree(newinfo->chainstack[i]);
1307 vfree(newinfo->chainstack);
1309 vfree(newinfo->entries);
1315 void ebt_unregister_table(struct ebt_table *table)
1320 BUGPRINT("Request to unregister NULL table!!!\n");
1323 mutex_lock(&ebt_mutex);
1324 list_del(&table->list);
1325 mutex_unlock(&ebt_mutex);
1326 vfree(table->private->entries);
1327 if (table->private->chainstack) {
1328 for_each_possible_cpu(i)
1329 vfree(table->private->chainstack[i]);
1330 vfree(table->private->chainstack);
1332 vfree(table->private);
1335 /* userspace just supplied us with counters */
1336 static int update_counters(void __user *user, unsigned int len)
1339 struct ebt_counter *tmp;
1340 struct ebt_replace hlp;
1341 struct ebt_table *t;
1343 if (copy_from_user(&hlp, user, sizeof(hlp)))
1346 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1348 if (hlp.num_counters == 0)
1351 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1352 MEMPRINT("Update_counters && nomemory\n");
1356 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1360 if (hlp.num_counters != t->private->nentries) {
1361 BUGPRINT("Wrong nr of counters\n");
1366 if ( copy_from_user(tmp, hlp.counters,
1367 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1368 BUGPRINT("Updata_counters && !cfu\n");
1373 /* we want an atomic add of the counters */
1374 write_lock_bh(&t->lock);
1376 /* we add to the counters of the first cpu */
1377 for (i = 0; i < hlp.num_counters; i++) {
1378 t->private->counters[i].pcnt += tmp[i].pcnt;
1379 t->private->counters[i].bcnt += tmp[i].bcnt;
1382 write_unlock_bh(&t->lock);
1385 mutex_unlock(&ebt_mutex);
1391 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1392 char *base, char __user *ubase)
1394 char __user *hlp = ubase + ((char *)m - base);
1395 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1400 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1401 char *base, char __user *ubase)
1403 char __user *hlp = ubase + ((char *)w - base);
1404 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1409 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1413 struct ebt_entry_target *t;
1415 if (e->bitmask == 0)
1418 hlp = ubase + (((char *)e + e->target_offset) - base);
1419 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1421 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1424 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1427 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1432 /* called with ebt_mutex locked */
1433 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1436 struct ebt_replace tmp;
1437 struct ebt_counter *counterstmp, *oldcounters;
1438 unsigned int entries_size, nentries;
1441 if (cmd == EBT_SO_GET_ENTRIES) {
1442 entries_size = t->private->entries_size;
1443 nentries = t->private->nentries;
1444 entries = t->private->entries;
1445 oldcounters = t->private->counters;
1447 entries_size = t->table->entries_size;
1448 nentries = t->table->nentries;
1449 entries = t->table->entries;
1450 oldcounters = t->table->counters;
1453 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1454 BUGPRINT("Cfu didn't work\n");
1458 if (*len != sizeof(struct ebt_replace) + entries_size +
1459 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1460 BUGPRINT("Wrong size\n");
1464 if (tmp.nentries != nentries) {
1465 BUGPRINT("Nentries wrong\n");
1469 if (tmp.entries_size != entries_size) {
1470 BUGPRINT("Wrong size\n");
1474 /* userspace might not need the counters */
1475 if (tmp.num_counters) {
1476 if (tmp.num_counters != nentries) {
1477 BUGPRINT("Num_counters wrong\n");
1480 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1482 MEMPRINT("Couldn't copy counters, out of memory\n");
1485 write_lock_bh(&t->lock);
1486 get_counters(oldcounters, counterstmp, nentries);
1487 write_unlock_bh(&t->lock);
1489 if (copy_to_user(tmp.counters, counterstmp,
1490 nentries * sizeof(struct ebt_counter))) {
1491 BUGPRINT("Couldn't copy counters to userspace\n");
1498 if (copy_to_user(tmp.entries, entries, entries_size)) {
1499 BUGPRINT("Couldn't copy entries to userspace\n");
1502 /* set the match/watcher/target names right */
1503 return EBT_ENTRY_ITERATE(entries, entries_size,
1504 ebt_make_names, entries, tmp.entries);
1507 static int do_ebt_set_ctl(struct sock *sk,
1508 int cmd, void __user *user, unsigned int len)
1513 case EBT_SO_SET_ENTRIES:
1514 ret = do_replace(user, len);
1516 case EBT_SO_SET_COUNTERS:
1517 ret = update_counters(user, len);
1525 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1528 struct ebt_replace tmp;
1529 struct ebt_table *t;
1531 if (copy_from_user(&tmp, user, sizeof(tmp)))
1534 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1539 case EBT_SO_GET_INFO:
1540 case EBT_SO_GET_INIT_INFO:
1541 if (*len != sizeof(struct ebt_replace)){
1543 mutex_unlock(&ebt_mutex);
1546 if (cmd == EBT_SO_GET_INFO) {
1547 tmp.nentries = t->private->nentries;
1548 tmp.entries_size = t->private->entries_size;
1549 tmp.valid_hooks = t->valid_hooks;
1551 tmp.nentries = t->table->nentries;
1552 tmp.entries_size = t->table->entries_size;
1553 tmp.valid_hooks = t->table->valid_hooks;
1555 mutex_unlock(&ebt_mutex);
1556 if (copy_to_user(user, &tmp, *len) != 0){
1557 BUGPRINT("c2u Didn't work\n");
1564 case EBT_SO_GET_ENTRIES:
1565 case EBT_SO_GET_INIT_ENTRIES:
1566 ret = copy_everything_to_user(t, user, len, cmd);
1567 mutex_unlock(&ebt_mutex);
1571 mutex_unlock(&ebt_mutex);
1578 static struct nf_sockopt_ops ebt_sockopts =
1581 .set_optmin = EBT_BASE_CTL,
1582 .set_optmax = EBT_SO_SET_MAX + 1,
1583 .set = do_ebt_set_ctl,
1584 .get_optmin = EBT_BASE_CTL,
1585 .get_optmax = EBT_SO_GET_MAX + 1,
1586 .get = do_ebt_get_ctl,
1587 .owner = THIS_MODULE,
1590 static int __init ebtables_init(void)
1594 mutex_lock(&ebt_mutex);
1595 list_add(&ebt_standard_target.list, &ebt_targets);
1596 mutex_unlock(&ebt_mutex);
1597 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1600 printk(KERN_INFO "Ebtables v2.0 registered\n");
1604 static void __exit ebtables_fini(void)
1606 nf_unregister_sockopt(&ebt_sockopts);
1607 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1610 EXPORT_SYMBOL(ebt_register_table);
1611 EXPORT_SYMBOL(ebt_unregister_table);
1612 EXPORT_SYMBOL(ebt_register_match);
1613 EXPORT_SYMBOL(ebt_unregister_match);
1614 EXPORT_SYMBOL(ebt_register_watcher);
1615 EXPORT_SYMBOL(ebt_unregister_watcher);
1616 EXPORT_SYMBOL(ebt_register_target);
1617 EXPORT_SYMBOL(ebt_unregister_target);
1618 EXPORT_SYMBOL(ebt_do_table);
1619 module_init(ebtables_init);
1620 module_exit(ebtables_fini);
1621 MODULE_LICENSE("GPL");