5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
59 static LIST_HEAD(ebt_targets);
60 static LIST_HEAD(ebt_matches);
61 static LIST_HEAD(ebt_watchers);
63 static struct xt_target ebt_standard_target = {
66 .family = NFPROTO_BRIDGE,
67 .targetsize = sizeof(int),
70 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
71 struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
72 const struct net_device *out)
74 w->u.watcher->target(skb, in, out, hooknr, w->u.watcher, w->data);
75 /* watchers don't give a verdict */
79 static inline int ebt_do_match (struct ebt_entry_match *m,
80 const struct sk_buff *skb, const struct net_device *in,
81 const struct net_device *out)
83 return m->u.match->match(skb, in, out, m->u.match, m->data, 0, 0, NULL);
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
89 const char *devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
158 struct ebt_table_info *private;
160 read_lock_bh(&table->lock);
161 private = table->private;
162 cb_base = COUNTER_BASE(private->counters, private->nentries,
164 if (private->chainstack)
165 cs = private->chainstack[smp_processor_id()];
168 chaininfo = private->hook_entry[hook];
169 nentries = private->hook_entry[hook]->nentries;
170 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
171 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
172 /* base for chain jumps */
173 base = private->entries;
175 while (i < nentries) {
176 if (ebt_basic_match(point, eth_hdr(skb), in, out))
179 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, in, out) != 0)
182 /* increase counter */
183 (*(counter_base + i)).pcnt++;
184 (*(counter_base + i)).bcnt += skb->len;
186 /* these should only watch: not modify, nor tell us
187 what to do with the packet */
188 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, hook, in,
191 t = (struct ebt_entry_target *)
192 (((char *)point) + point->target_offset);
193 /* standard target */
194 if (!t->u.target->target)
195 verdict = ((struct ebt_standard_target *)t)->verdict;
197 verdict = t->u.target->target(skb, in, out, hook,
198 t->u.target, t->data);
199 if (verdict == EBT_ACCEPT) {
200 read_unlock_bh(&table->lock);
203 if (verdict == EBT_DROP) {
204 read_unlock_bh(&table->lock);
207 if (verdict == EBT_RETURN) {
209 #ifdef CONFIG_NETFILTER_DEBUG
211 BUGPRINT("RETURN on base chain");
212 /* act like this is EBT_CONTINUE */
217 /* put all the local variables right */
219 chaininfo = cs[sp].chaininfo;
220 nentries = chaininfo->nentries;
222 counter_base = cb_base +
223 chaininfo->counter_offset;
226 if (verdict == EBT_CONTINUE)
228 #ifdef CONFIG_NETFILTER_DEBUG
230 BUGPRINT("bogus standard verdict\n");
231 read_unlock_bh(&table->lock);
237 cs[sp].chaininfo = chaininfo;
238 cs[sp].e = (struct ebt_entry *)
239 (((char *)point) + point->next_offset);
241 chaininfo = (struct ebt_entries *) (base + verdict);
242 #ifdef CONFIG_NETFILTER_DEBUG
243 if (chaininfo->distinguisher) {
244 BUGPRINT("jump to non-chain\n");
245 read_unlock_bh(&table->lock);
249 nentries = chaininfo->nentries;
250 point = (struct ebt_entry *)chaininfo->data;
251 counter_base = cb_base + chaininfo->counter_offset;
255 point = (struct ebt_entry *)
256 (((char *)point) + point->next_offset);
260 /* I actually like this :) */
261 if (chaininfo->policy == EBT_RETURN)
263 if (chaininfo->policy == EBT_ACCEPT) {
264 read_unlock_bh(&table->lock);
267 read_unlock_bh(&table->lock);
271 /* If it succeeds, returns element and locks mutex */
273 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
277 struct list_head list;
278 char name[EBT_FUNCTION_MAXNAMELEN];
281 *error = mutex_lock_interruptible(mutex);
285 list_for_each_entry(e, head, list) {
286 if (strcmp(e->name, name) == 0)
295 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
298 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
299 int *error, struct mutex *mutex)
303 ret = find_inlist_lock_noload(head, name, error, mutex);
305 request_module("%s%s", prefix, name);
306 ret = find_inlist_lock_noload(head, name, error, mutex);
312 static inline struct ebt_table *
313 find_table_lock(const char *name, int *error, struct mutex *mutex)
315 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
318 static inline struct ebt_match *
319 find_match_lock(const char *name, int *error, struct mutex *mutex)
321 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
324 static inline struct ebt_watcher *
325 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
327 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
330 static inline struct ebt_target *
331 find_target_lock(const char *name, int *error, struct mutex *mutex)
333 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
337 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
338 const char *name, unsigned int hookmask, unsigned int *cnt)
340 struct xt_match *match;
341 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
344 if (left < sizeof(struct ebt_entry_match) ||
345 left - sizeof(struct ebt_entry_match) < m->match_size)
348 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
349 m->u.name, 0), "ebt_%s", m->u.name);
351 return PTR_ERR(match);
356 ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size,
357 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
359 module_put(match->me);
361 } else if (match->checkentry != NULL &&
362 !match->checkentry(name, e, NULL, m->data, hookmask)) {
363 module_put(match->me);
364 BUGPRINT("match->check failed\n");
373 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
374 const char *name, unsigned int hookmask, unsigned int *cnt)
376 struct xt_target *watcher;
377 size_t left = ((char *)e + e->target_offset) - (char *)w;
380 if (left < sizeof(struct ebt_entry_watcher) ||
381 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
384 watcher = try_then_request_module(
385 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
386 "ebt_%s", w->u.name);
388 return PTR_ERR(watcher);
391 w->u.watcher = watcher;
393 ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size,
394 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
396 module_put(watcher->me);
398 } else if (watcher->checkentry != NULL &&
399 !watcher->checkentry(name, e, NULL, w->data, hookmask)) {
400 module_put(watcher->me);
401 BUGPRINT("watcher->check failed\n");
409 static int ebt_verify_pointers(struct ebt_replace *repl,
410 struct ebt_table_info *newinfo)
412 unsigned int limit = repl->entries_size;
413 unsigned int valid_hooks = repl->valid_hooks;
414 unsigned int offset = 0;
417 for (i = 0; i < NF_BR_NUMHOOKS; i++)
418 newinfo->hook_entry[i] = NULL;
420 newinfo->entries_size = repl->entries_size;
421 newinfo->nentries = repl->nentries;
423 while (offset < limit) {
424 size_t left = limit - offset;
425 struct ebt_entry *e = (void *)newinfo->entries + offset;
427 if (left < sizeof(unsigned int))
430 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
431 if ((valid_hooks & (1 << i)) == 0)
433 if ((char __user *)repl->hook_entry[i] ==
434 repl->entries + offset)
438 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
439 if (e->bitmask != 0) {
440 /* we make userspace set this right,
441 so there is no misunderstanding */
442 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
443 "in distinguisher\n");
446 if (i != NF_BR_NUMHOOKS)
447 newinfo->hook_entry[i] = (struct ebt_entries *)e;
448 if (left < sizeof(struct ebt_entries))
450 offset += sizeof(struct ebt_entries);
452 if (left < sizeof(struct ebt_entry))
454 if (left < e->next_offset)
456 offset += e->next_offset;
459 if (offset != limit) {
460 BUGPRINT("entries_size too small\n");
464 /* check if all valid hooks have a chain */
465 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
466 if (!newinfo->hook_entry[i] &&
467 (valid_hooks & (1 << i))) {
468 BUGPRINT("Valid hook without chain\n");
476 * this one is very careful, as it is the first function
477 * to parse the userspace data
480 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
481 struct ebt_table_info *newinfo,
482 unsigned int *n, unsigned int *cnt,
483 unsigned int *totalcnt, unsigned int *udc_cnt)
487 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
488 if ((void *)e == (void *)newinfo->hook_entry[i])
491 /* beginning of a new chain
492 if i == NF_BR_NUMHOOKS it must be a user defined chain */
493 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
494 /* this checks if the previous chain has as many entries
497 BUGPRINT("nentries does not equal the nr of entries "
501 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
502 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
503 /* only RETURN from udc */
504 if (i != NF_BR_NUMHOOKS ||
505 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
506 BUGPRINT("bad policy\n");
510 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
512 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
513 BUGPRINT("counter_offset != totalcnt");
516 *n = ((struct ebt_entries *)e)->nentries;
520 /* a plain old entry, heh */
521 if (sizeof(struct ebt_entry) > e->watchers_offset ||
522 e->watchers_offset > e->target_offset ||
523 e->target_offset >= e->next_offset) {
524 BUGPRINT("entry offsets not in right order\n");
527 /* this is not checked anywhere else */
528 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
529 BUGPRINT("target size too small\n");
539 struct ebt_chainstack cs;
541 unsigned int hookmask;
545 * we need these positions to check that the jumps to a different part of the
546 * entries is a jump to the beginning of a new chain.
549 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
550 unsigned int *n, struct ebt_cl_stack *udc)
554 /* we're only interested in chain starts */
557 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
558 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
561 /* only care about udc */
562 if (i != NF_BR_NUMHOOKS)
565 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
566 /* these initialisations are depended on later in check_chainloops() */
568 udc[*n].hookmask = 0;
575 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
577 if (i && (*i)-- == 0)
579 if (m->u.match->destroy)
580 m->u.match->destroy(m->u.match, m->data);
581 module_put(m->u.match->me);
587 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
589 if (i && (*i)-- == 0)
591 if (w->u.watcher->destroy)
592 w->u.watcher->destroy(w->u.watcher, w->data);
593 module_put(w->u.watcher->me);
599 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
601 struct ebt_entry_target *t;
606 if (cnt && (*cnt)-- == 0)
608 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
609 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
610 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
611 if (t->u.target->destroy)
612 t->u.target->destroy(t->u.target, t->data);
613 module_put(t->u.target->me);
619 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
620 const char *name, unsigned int *cnt,
621 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
623 struct ebt_entry_target *t;
624 struct xt_target *target;
625 unsigned int i, j, hook = 0, hookmask = 0;
629 /* don't mess with the struct ebt_entries */
633 if (e->bitmask & ~EBT_F_MASK) {
634 BUGPRINT("Unknown flag for bitmask\n");
637 if (e->invflags & ~EBT_INV_MASK) {
638 BUGPRINT("Unknown flag for inv bitmask\n");
641 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
642 BUGPRINT("NOPROTO & 802_3 not allowed\n");
645 /* what hook do we belong to? */
646 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
647 if (!newinfo->hook_entry[i])
649 if ((char *)newinfo->hook_entry[i] < (char *)e)
654 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
656 if (i < NF_BR_NUMHOOKS)
657 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
659 for (i = 0; i < udc_cnt; i++)
660 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
663 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
665 hookmask = cl_s[i - 1].hookmask;
668 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
670 goto cleanup_matches;
672 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
674 goto cleanup_watchers;
675 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
676 gap = e->next_offset - e->target_offset;
678 target = try_then_request_module(
679 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
680 "ebt_%s", t->u.name);
681 if (IS_ERR(target)) {
682 ret = PTR_ERR(target);
683 goto cleanup_watchers;
684 } else if (target == NULL) {
686 goto cleanup_watchers;
689 t->u.target = target;
690 if (t->u.target == &ebt_standard_target) {
691 if (gap < sizeof(struct ebt_standard_target)) {
692 BUGPRINT("Standard target size too big\n");
694 goto cleanup_watchers;
696 if (((struct ebt_standard_target *)t)->verdict <
697 -NUM_STANDARD_TARGETS) {
698 BUGPRINT("Invalid standard target\n");
700 goto cleanup_watchers;
702 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
703 module_put(t->u.target->me);
705 goto cleanup_watchers;
708 ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size,
709 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
711 module_put(target->me);
712 goto cleanup_watchers;
713 } else if (t->u.target->checkentry &&
714 !t->u.target->checkentry(name, e, NULL, t->data, hookmask)) {
715 module_put(t->u.target->me);
717 goto cleanup_watchers;
722 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
724 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
729 * checks for loops and sets the hook mask for udc
730 * the hook mask for udc tells us from which base chains the udc can be
731 * accessed. This mask is a parameter to the check() functions of the extensions
733 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
734 unsigned int udc_cnt, unsigned int hooknr, char *base)
736 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
737 struct ebt_entry *e = (struct ebt_entry *)chain->data;
738 struct ebt_entry_target *t;
740 while (pos < nentries || chain_nr != -1) {
741 /* end of udc, go back one 'recursion' step */
742 if (pos == nentries) {
743 /* put back values of the time when this chain was called */
744 e = cl_s[chain_nr].cs.e;
745 if (cl_s[chain_nr].from != -1)
747 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
749 nentries = chain->nentries;
750 pos = cl_s[chain_nr].cs.n;
751 /* make sure we won't see a loop that isn't one */
752 cl_s[chain_nr].cs.n = 0;
753 chain_nr = cl_s[chain_nr].from;
757 t = (struct ebt_entry_target *)
758 (((char *)e) + e->target_offset);
759 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
761 if (e->target_offset + sizeof(struct ebt_standard_target) >
763 BUGPRINT("Standard target size too big\n");
766 verdict = ((struct ebt_standard_target *)t)->verdict;
767 if (verdict >= 0) { /* jump to another chain */
768 struct ebt_entries *hlp2 =
769 (struct ebt_entries *)(base + verdict);
770 for (i = 0; i < udc_cnt; i++)
771 if (hlp2 == cl_s[i].cs.chaininfo)
773 /* bad destination or loop */
775 BUGPRINT("bad destination\n");
782 if (cl_s[i].hookmask & (1 << hooknr))
784 /* this can't be 0, so the loop test is correct */
785 cl_s[i].cs.n = pos + 1;
787 cl_s[i].cs.e = ((void *)e + e->next_offset);
788 e = (struct ebt_entry *)(hlp2->data);
789 nentries = hlp2->nentries;
790 cl_s[i].from = chain_nr;
792 /* this udc is accessible from the base chain for hooknr */
793 cl_s[i].hookmask |= (1 << hooknr);
797 e = (void *)e + e->next_offset;
803 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
804 static int translate_table(char *name, struct ebt_table_info *newinfo)
806 unsigned int i, j, k, udc_cnt;
808 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
811 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
813 if (i == NF_BR_NUMHOOKS) {
814 BUGPRINT("No valid hooks specified\n");
817 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
818 BUGPRINT("Chains don't start at beginning\n");
821 /* make sure chains are ordered after each other in same order
822 as their corresponding hooks */
823 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
824 if (!newinfo->hook_entry[j])
826 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
827 BUGPRINT("Hook order must be followed\n");
833 /* do some early checkings and initialize some things */
834 i = 0; /* holds the expected nr. of entries for the chain */
835 j = 0; /* holds the up to now counted entries for the chain */
836 k = 0; /* holds the total nr. of entries, should equal
837 newinfo->nentries afterwards */
838 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
839 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
840 ebt_check_entry_size_and_hooks, newinfo,
841 &i, &j, &k, &udc_cnt);
847 BUGPRINT("nentries does not equal the nr of entries in the "
851 if (k != newinfo->nentries) {
852 BUGPRINT("Total nentries is wrong\n");
856 /* get the location of the udc, put them in an array
857 while we're at it, allocate the chainstack */
859 /* this will get free'd in do_replace()/ebt_register_table()
860 if an error occurs */
861 newinfo->chainstack =
862 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
863 if (!newinfo->chainstack)
865 for_each_possible_cpu(i) {
866 newinfo->chainstack[i] =
867 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
868 if (!newinfo->chainstack[i]) {
870 vfree(newinfo->chainstack[--i]);
871 vfree(newinfo->chainstack);
872 newinfo->chainstack = NULL;
877 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
880 i = 0; /* the i'th udc */
881 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
882 ebt_get_udc_positions, newinfo, &i, cl_s);
885 BUGPRINT("i != udc_cnt\n");
891 /* Check for loops */
892 for (i = 0; i < NF_BR_NUMHOOKS; i++)
893 if (newinfo->hook_entry[i])
894 if (check_chainloops(newinfo->hook_entry[i],
895 cl_s, udc_cnt, i, newinfo->entries)) {
900 /* we now know the following (along with E=mc²):
901 - the nr of entries in each chain is right
902 - the size of the allocated space is right
903 - all valid hooks have a corresponding chain
905 - wrong data can still be on the level of a single entry
906 - could be there are jumps to places that are not the
907 beginning of a chain. This can only occur in chains that
908 are not accessible from any base chains, so we don't care. */
910 /* used to know what we need to clean up if something goes wrong */
912 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
913 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
915 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
916 ebt_cleanup_entry, &i);
922 /* called under write_lock */
923 static void get_counters(struct ebt_counter *oldcounters,
924 struct ebt_counter *counters, unsigned int nentries)
927 struct ebt_counter *counter_base;
929 /* counters of cpu 0 */
930 memcpy(counters, oldcounters,
931 sizeof(struct ebt_counter) * nentries);
933 /* add other counters to those of cpu 0 */
934 for_each_possible_cpu(cpu) {
937 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
938 for (i = 0; i < nentries; i++) {
939 counters[i].pcnt += counter_base[i].pcnt;
940 counters[i].bcnt += counter_base[i].bcnt;
945 /* replace the table */
946 static int do_replace(void __user *user, unsigned int len)
948 int ret, i, countersize;
949 struct ebt_table_info *newinfo;
950 struct ebt_replace tmp;
952 struct ebt_counter *counterstmp = NULL;
953 /* used to be able to unlock earlier */
954 struct ebt_table_info *table;
956 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
959 if (len != sizeof(tmp) + tmp.entries_size) {
960 BUGPRINT("Wrong len argument\n");
964 if (tmp.entries_size == 0) {
965 BUGPRINT("Entries_size never zero\n");
969 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
970 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
972 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
975 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
976 newinfo = vmalloc(sizeof(*newinfo) + countersize);
981 memset(newinfo->counters, 0, countersize);
983 newinfo->entries = vmalloc(tmp.entries_size);
984 if (!newinfo->entries) {
989 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
990 BUGPRINT("Couldn't copy entries from userspace\n");
995 /* the user wants counters back
996 the check on the size is done later, when we have the lock */
997 if (tmp.num_counters) {
998 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1007 /* this can get initialized by translate_table() */
1008 newinfo->chainstack = NULL;
1009 ret = ebt_verify_pointers(&tmp, newinfo);
1011 goto free_counterstmp;
1013 ret = translate_table(tmp.name, newinfo);
1016 goto free_counterstmp;
1018 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1024 /* the table doesn't like it */
1025 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1028 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1029 BUGPRINT("Wrong nr. of counters requested\n");
1034 /* we have the mutex lock, so no danger in reading this pointer */
1036 /* make sure the table can only be rmmod'ed if it contains no rules */
1037 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1040 } else if (table->nentries && !newinfo->nentries)
1042 /* we need an atomic snapshot of the counters */
1043 write_lock_bh(&t->lock);
1044 if (tmp.num_counters)
1045 get_counters(t->private->counters, counterstmp,
1046 t->private->nentries);
1048 t->private = newinfo;
1049 write_unlock_bh(&t->lock);
1050 mutex_unlock(&ebt_mutex);
1051 /* so, a user can change the chains while having messed up her counter
1052 allocation. Only reason why this is done is because this way the lock
1053 is held only once, while this doesn't bring the kernel into a
1055 if (tmp.num_counters &&
1056 copy_to_user(tmp.counters, counterstmp,
1057 tmp.num_counters * sizeof(struct ebt_counter))) {
1058 BUGPRINT("Couldn't copy counters to userspace\n");
1064 /* decrease module count and free resources */
1065 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1066 ebt_cleanup_entry, NULL);
1068 vfree(table->entries);
1069 if (table->chainstack) {
1070 for_each_possible_cpu(i)
1071 vfree(table->chainstack[i]);
1072 vfree(table->chainstack);
1080 mutex_unlock(&ebt_mutex);
1082 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1083 ebt_cleanup_entry, NULL);
1086 /* can be initialized in translate_table() */
1087 if (newinfo->chainstack) {
1088 for_each_possible_cpu(i)
1089 vfree(newinfo->chainstack[i]);
1090 vfree(newinfo->chainstack);
1093 vfree(newinfo->entries);
1099 int ebt_register_target(struct ebt_target *target)
1101 struct ebt_target *t;
1104 ret = mutex_lock_interruptible(&ebt_mutex);
1107 list_for_each_entry(t, &ebt_targets, list) {
1108 if (strcmp(t->name, target->name) == 0) {
1109 mutex_unlock(&ebt_mutex);
1113 list_add(&target->list, &ebt_targets);
1114 mutex_unlock(&ebt_mutex);
1119 void ebt_unregister_target(struct ebt_target *target)
1121 mutex_lock(&ebt_mutex);
1122 list_del(&target->list);
1123 mutex_unlock(&ebt_mutex);
1126 int ebt_register_match(struct ebt_match *match)
1128 struct ebt_match *m;
1131 ret = mutex_lock_interruptible(&ebt_mutex);
1134 list_for_each_entry(m, &ebt_matches, list) {
1135 if (strcmp(m->name, match->name) == 0) {
1136 mutex_unlock(&ebt_mutex);
1140 list_add(&match->list, &ebt_matches);
1141 mutex_unlock(&ebt_mutex);
1146 void ebt_unregister_match(struct ebt_match *match)
1148 mutex_lock(&ebt_mutex);
1149 list_del(&match->list);
1150 mutex_unlock(&ebt_mutex);
1153 int ebt_register_watcher(struct ebt_watcher *watcher)
1155 struct ebt_watcher *w;
1158 ret = mutex_lock_interruptible(&ebt_mutex);
1161 list_for_each_entry(w, &ebt_watchers, list) {
1162 if (strcmp(w->name, watcher->name) == 0) {
1163 mutex_unlock(&ebt_mutex);
1167 list_add(&watcher->list, &ebt_watchers);
1168 mutex_unlock(&ebt_mutex);
1173 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1175 mutex_lock(&ebt_mutex);
1176 list_del(&watcher->list);
1177 mutex_unlock(&ebt_mutex);
1180 int ebt_register_table(struct ebt_table *table)
1182 struct ebt_table_info *newinfo;
1183 struct ebt_table *t;
1184 struct ebt_replace_kernel *repl;
1185 int ret, i, countersize;
1188 if (!table || !(repl = table->table) || !repl->entries ||
1189 repl->entries_size == 0 ||
1190 repl->counters || table->private) {
1191 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1195 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1196 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1201 p = vmalloc(repl->entries_size);
1205 memcpy(p, repl->entries, repl->entries_size);
1206 newinfo->entries = p;
1208 newinfo->entries_size = repl->entries_size;
1209 newinfo->nentries = repl->nentries;
1212 memset(newinfo->counters, 0, countersize);
1214 /* fill in newinfo and parse the entries */
1215 newinfo->chainstack = NULL;
1216 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1217 if ((repl->valid_hooks & (1 << i)) == 0)
1218 newinfo->hook_entry[i] = NULL;
1220 newinfo->hook_entry[i] = p +
1221 ((char *)repl->hook_entry[i] - repl->entries);
1223 ret = translate_table(repl->name, newinfo);
1225 BUGPRINT("Translate_table failed\n");
1226 goto free_chainstack;
1229 if (table->check && table->check(newinfo, table->valid_hooks)) {
1230 BUGPRINT("The table doesn't like its own initial data, lol\n");
1234 table->private = newinfo;
1235 rwlock_init(&table->lock);
1236 ret = mutex_lock_interruptible(&ebt_mutex);
1238 goto free_chainstack;
1240 list_for_each_entry(t, &ebt_tables, list) {
1241 if (strcmp(t->name, table->name) == 0) {
1243 BUGPRINT("Table name already exists\n");
1248 /* Hold a reference count if the chains aren't empty */
1249 if (newinfo->nentries && !try_module_get(table->me)) {
1253 list_add(&table->list, &ebt_tables);
1254 mutex_unlock(&ebt_mutex);
1257 mutex_unlock(&ebt_mutex);
1259 if (newinfo->chainstack) {
1260 for_each_possible_cpu(i)
1261 vfree(newinfo->chainstack[i]);
1262 vfree(newinfo->chainstack);
1264 vfree(newinfo->entries);
1270 void ebt_unregister_table(struct ebt_table *table)
1275 BUGPRINT("Request to unregister NULL table!!!\n");
1278 mutex_lock(&ebt_mutex);
1279 list_del(&table->list);
1280 mutex_unlock(&ebt_mutex);
1281 vfree(table->private->entries);
1282 if (table->private->chainstack) {
1283 for_each_possible_cpu(i)
1284 vfree(table->private->chainstack[i]);
1285 vfree(table->private->chainstack);
1287 vfree(table->private);
1290 /* userspace just supplied us with counters */
1291 static int update_counters(void __user *user, unsigned int len)
1294 struct ebt_counter *tmp;
1295 struct ebt_replace hlp;
1296 struct ebt_table *t;
1298 if (copy_from_user(&hlp, user, sizeof(hlp)))
1301 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1303 if (hlp.num_counters == 0)
1306 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1307 MEMPRINT("Update_counters && nomemory\n");
1311 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1315 if (hlp.num_counters != t->private->nentries) {
1316 BUGPRINT("Wrong nr of counters\n");
1321 if ( copy_from_user(tmp, hlp.counters,
1322 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1323 BUGPRINT("Updata_counters && !cfu\n");
1328 /* we want an atomic add of the counters */
1329 write_lock_bh(&t->lock);
1331 /* we add to the counters of the first cpu */
1332 for (i = 0; i < hlp.num_counters; i++) {
1333 t->private->counters[i].pcnt += tmp[i].pcnt;
1334 t->private->counters[i].bcnt += tmp[i].bcnt;
1337 write_unlock_bh(&t->lock);
1340 mutex_unlock(&ebt_mutex);
1346 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1347 char *base, char __user *ubase)
1349 char __user *hlp = ubase + ((char *)m - base);
1350 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1355 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1356 char *base, char __user *ubase)
1358 char __user *hlp = ubase + ((char *)w - base);
1359 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1364 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1368 struct ebt_entry_target *t;
1370 if (e->bitmask == 0)
1373 hlp = ubase + (((char *)e + e->target_offset) - base);
1374 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1376 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1379 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1382 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1387 /* called with ebt_mutex locked */
1388 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1391 struct ebt_replace tmp;
1392 struct ebt_counter *counterstmp, *oldcounters;
1393 unsigned int entries_size, nentries;
1396 if (cmd == EBT_SO_GET_ENTRIES) {
1397 entries_size = t->private->entries_size;
1398 nentries = t->private->nentries;
1399 entries = t->private->entries;
1400 oldcounters = t->private->counters;
1402 entries_size = t->table->entries_size;
1403 nentries = t->table->nentries;
1404 entries = t->table->entries;
1405 oldcounters = t->table->counters;
1408 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1409 BUGPRINT("Cfu didn't work\n");
1413 if (*len != sizeof(struct ebt_replace) + entries_size +
1414 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1415 BUGPRINT("Wrong size\n");
1419 if (tmp.nentries != nentries) {
1420 BUGPRINT("Nentries wrong\n");
1424 if (tmp.entries_size != entries_size) {
1425 BUGPRINT("Wrong size\n");
1429 /* userspace might not need the counters */
1430 if (tmp.num_counters) {
1431 if (tmp.num_counters != nentries) {
1432 BUGPRINT("Num_counters wrong\n");
1435 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1437 MEMPRINT("Couldn't copy counters, out of memory\n");
1440 write_lock_bh(&t->lock);
1441 get_counters(oldcounters, counterstmp, nentries);
1442 write_unlock_bh(&t->lock);
1444 if (copy_to_user(tmp.counters, counterstmp,
1445 nentries * sizeof(struct ebt_counter))) {
1446 BUGPRINT("Couldn't copy counters to userspace\n");
1453 if (copy_to_user(tmp.entries, entries, entries_size)) {
1454 BUGPRINT("Couldn't copy entries to userspace\n");
1457 /* set the match/watcher/target names right */
1458 return EBT_ENTRY_ITERATE(entries, entries_size,
1459 ebt_make_names, entries, tmp.entries);
1462 static int do_ebt_set_ctl(struct sock *sk,
1463 int cmd, void __user *user, unsigned int len)
1468 case EBT_SO_SET_ENTRIES:
1469 ret = do_replace(user, len);
1471 case EBT_SO_SET_COUNTERS:
1472 ret = update_counters(user, len);
1480 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1483 struct ebt_replace tmp;
1484 struct ebt_table *t;
1486 if (copy_from_user(&tmp, user, sizeof(tmp)))
1489 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1494 case EBT_SO_GET_INFO:
1495 case EBT_SO_GET_INIT_INFO:
1496 if (*len != sizeof(struct ebt_replace)){
1498 mutex_unlock(&ebt_mutex);
1501 if (cmd == EBT_SO_GET_INFO) {
1502 tmp.nentries = t->private->nentries;
1503 tmp.entries_size = t->private->entries_size;
1504 tmp.valid_hooks = t->valid_hooks;
1506 tmp.nentries = t->table->nentries;
1507 tmp.entries_size = t->table->entries_size;
1508 tmp.valid_hooks = t->table->valid_hooks;
1510 mutex_unlock(&ebt_mutex);
1511 if (copy_to_user(user, &tmp, *len) != 0){
1512 BUGPRINT("c2u Didn't work\n");
1519 case EBT_SO_GET_ENTRIES:
1520 case EBT_SO_GET_INIT_ENTRIES:
1521 ret = copy_everything_to_user(t, user, len, cmd);
1522 mutex_unlock(&ebt_mutex);
1526 mutex_unlock(&ebt_mutex);
1533 static struct nf_sockopt_ops ebt_sockopts =
1536 .set_optmin = EBT_BASE_CTL,
1537 .set_optmax = EBT_SO_SET_MAX + 1,
1538 .set = do_ebt_set_ctl,
1539 .get_optmin = EBT_BASE_CTL,
1540 .get_optmax = EBT_SO_GET_MAX + 1,
1541 .get = do_ebt_get_ctl,
1542 .owner = THIS_MODULE,
1545 static int __init ebtables_init(void)
1549 ret = xt_register_target(&ebt_standard_target);
1552 ret = nf_register_sockopt(&ebt_sockopts);
1554 xt_unregister_target(&ebt_standard_target);
1558 printk(KERN_INFO "Ebtables v2.0 registered\n");
1562 static void __exit ebtables_fini(void)
1564 nf_unregister_sockopt(&ebt_sockopts);
1565 xt_unregister_target(&ebt_standard_target);
1566 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1569 EXPORT_SYMBOL(ebt_register_table);
1570 EXPORT_SYMBOL(ebt_unregister_table);
1571 EXPORT_SYMBOL(ebt_register_match);
1572 EXPORT_SYMBOL(ebt_unregister_match);
1573 EXPORT_SYMBOL(ebt_register_watcher);
1574 EXPORT_SYMBOL(ebt_unregister_watcher);
1575 EXPORT_SYMBOL(ebt_register_target);
1576 EXPORT_SYMBOL(ebt_unregister_target);
1577 EXPORT_SYMBOL(ebt_do_table);
1578 module_init(ebtables_init);
1579 module_exit(ebtables_fini);
1580 MODULE_LICENSE("GPL");