5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
59 static LIST_HEAD(ebt_targets);
60 static LIST_HEAD(ebt_matches);
61 static LIST_HEAD(ebt_watchers);
63 static struct ebt_target ebt_standard_target = {
67 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
68 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
69 const struct net_device *out)
71 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
73 /* watchers don't give a verdict */
77 static inline int ebt_do_match (struct ebt_entry_match *m,
78 const struct sk_buff *skb, const struct net_device *in,
79 const struct net_device *out)
81 return m->u.match->match(skb, in, out, m->data,
85 static inline int ebt_dev_check(char *entry, const struct net_device *device)
88 const char *devname = device->name;
94 /* 1 is the wildcard token */
95 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
97 return (devname[i] != entry[i] && entry[i] != 1);
100 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
101 /* process standard matches */
102 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
103 const struct net_device *in, const struct net_device *out)
107 if (e->bitmask & EBT_802_3) {
108 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
110 } else if (!(e->bitmask & EBT_NOPROTO) &&
111 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
114 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
116 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
118 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
119 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
121 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
122 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
125 if (e->bitmask & EBT_SOURCEMAC) {
127 for (i = 0; i < 6; i++)
128 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
130 if (FWINV2(verdict != 0, EBT_ISOURCE) )
133 if (e->bitmask & EBT_DESTMAC) {
135 for (i = 0; i < 6; i++)
136 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
138 if (FWINV2(verdict != 0, EBT_IDEST) )
144 /* Do some firewalling */
145 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
146 const struct net_device *in, const struct net_device *out,
147 struct ebt_table *table)
150 struct ebt_entry *point;
151 struct ebt_counter *counter_base, *cb_base;
152 struct ebt_entry_target *t;
154 struct ebt_chainstack *cs;
155 struct ebt_entries *chaininfo;
157 struct ebt_table_info *private;
159 read_lock_bh(&table->lock);
160 private = table->private;
161 cb_base = COUNTER_BASE(private->counters, private->nentries,
163 if (private->chainstack)
164 cs = private->chainstack[smp_processor_id()];
167 chaininfo = private->hook_entry[hook];
168 nentries = private->hook_entry[hook]->nentries;
169 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
170 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
171 /* base for chain jumps */
172 base = private->entries;
174 while (i < nentries) {
175 if (ebt_basic_match(point, eth_hdr(skb), in, out))
178 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, in, out) != 0)
181 /* increase counter */
182 (*(counter_base + i)).pcnt++;
183 (*(counter_base + i)).bcnt += skb->len;
185 /* these should only watch: not modify, nor tell us
186 what to do with the packet */
187 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, hook, in,
190 t = (struct ebt_entry_target *)
191 (((char *)point) + point->target_offset);
192 /* standard target */
193 if (!t->u.target->target)
194 verdict = ((struct ebt_standard_target *)t)->verdict;
196 verdict = t->u.target->target(skb, hook,
197 in, out, t->data, t->target_size);
198 if (verdict == EBT_ACCEPT) {
199 read_unlock_bh(&table->lock);
202 if (verdict == EBT_DROP) {
203 read_unlock_bh(&table->lock);
206 if (verdict == EBT_RETURN) {
208 #ifdef CONFIG_NETFILTER_DEBUG
210 BUGPRINT("RETURN on base chain");
211 /* act like this is EBT_CONTINUE */
216 /* put all the local variables right */
218 chaininfo = cs[sp].chaininfo;
219 nentries = chaininfo->nentries;
221 counter_base = cb_base +
222 chaininfo->counter_offset;
225 if (verdict == EBT_CONTINUE)
227 #ifdef CONFIG_NETFILTER_DEBUG
229 BUGPRINT("bogus standard verdict\n");
230 read_unlock_bh(&table->lock);
236 cs[sp].chaininfo = chaininfo;
237 cs[sp].e = (struct ebt_entry *)
238 (((char *)point) + point->next_offset);
240 chaininfo = (struct ebt_entries *) (base + verdict);
241 #ifdef CONFIG_NETFILTER_DEBUG
242 if (chaininfo->distinguisher) {
243 BUGPRINT("jump to non-chain\n");
244 read_unlock_bh(&table->lock);
248 nentries = chaininfo->nentries;
249 point = (struct ebt_entry *)chaininfo->data;
250 counter_base = cb_base + chaininfo->counter_offset;
254 point = (struct ebt_entry *)
255 (((char *)point) + point->next_offset);
259 /* I actually like this :) */
260 if (chaininfo->policy == EBT_RETURN)
262 if (chaininfo->policy == EBT_ACCEPT) {
263 read_unlock_bh(&table->lock);
266 read_unlock_bh(&table->lock);
270 /* If it succeeds, returns element and locks mutex */
272 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
276 struct list_head list;
277 char name[EBT_FUNCTION_MAXNAMELEN];
280 *error = mutex_lock_interruptible(mutex);
284 list_for_each_entry(e, head, list) {
285 if (strcmp(e->name, name) == 0)
294 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
297 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
298 int *error, struct mutex *mutex)
302 ret = find_inlist_lock_noload(head, name, error, mutex);
304 request_module("%s%s", prefix, name);
305 ret = find_inlist_lock_noload(head, name, error, mutex);
311 static inline struct ebt_table *
312 find_table_lock(const char *name, int *error, struct mutex *mutex)
314 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
317 static inline struct ebt_match *
318 find_match_lock(const char *name, int *error, struct mutex *mutex)
320 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
323 static inline struct ebt_watcher *
324 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
326 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
329 static inline struct ebt_target *
330 find_target_lock(const char *name, int *error, struct mutex *mutex)
332 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
336 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
337 const char *name, unsigned int hookmask, unsigned int *cnt)
339 struct ebt_match *match;
340 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
343 if (left < sizeof(struct ebt_entry_match) ||
344 left - sizeof(struct ebt_entry_match) < m->match_size)
346 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
350 if (!try_module_get(match->me)) {
351 mutex_unlock(&ebt_mutex);
354 mutex_unlock(&ebt_mutex);
355 if (XT_ALIGN(match->matchsize) != m->match_size &&
356 match->matchsize != -1) {
358 * ebt_among is exempt from centralized matchsize checking
359 * because it uses a dynamic-size data set.
361 printk(KERN_WARNING "ebtables: %s match: "
362 "invalid size %Zu != %u\n",
363 match->name, XT_ALIGN(match->matchsize), m->match_size);
364 module_put(match->me);
368 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
369 BUGPRINT("match->check failed\n");
370 module_put(match->me);
378 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
379 const char *name, unsigned int hookmask, unsigned int *cnt)
381 struct ebt_watcher *watcher;
382 size_t left = ((char *)e + e->target_offset) - (char *)w;
385 if (left < sizeof(struct ebt_entry_watcher) ||
386 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
388 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
391 w->u.watcher = watcher;
392 if (!try_module_get(watcher->me)) {
393 mutex_unlock(&ebt_mutex);
396 mutex_unlock(&ebt_mutex);
397 if (XT_ALIGN(watcher->targetsize) != w->watcher_size) {
398 printk(KERN_WARNING "ebtables: %s watcher: "
399 "invalid size %Zu != %u\n",
400 watcher->name, XT_ALIGN(watcher->targetsize),
402 module_put(watcher->me);
405 if (watcher->check &&
406 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
407 BUGPRINT("watcher->check failed\n");
408 module_put(watcher->me);
415 static int ebt_verify_pointers(struct ebt_replace *repl,
416 struct ebt_table_info *newinfo)
418 unsigned int limit = repl->entries_size;
419 unsigned int valid_hooks = repl->valid_hooks;
420 unsigned int offset = 0;
423 for (i = 0; i < NF_BR_NUMHOOKS; i++)
424 newinfo->hook_entry[i] = NULL;
426 newinfo->entries_size = repl->entries_size;
427 newinfo->nentries = repl->nentries;
429 while (offset < limit) {
430 size_t left = limit - offset;
431 struct ebt_entry *e = (void *)newinfo->entries + offset;
433 if (left < sizeof(unsigned int))
436 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
437 if ((valid_hooks & (1 << i)) == 0)
439 if ((char __user *)repl->hook_entry[i] ==
440 repl->entries + offset)
444 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
445 if (e->bitmask != 0) {
446 /* we make userspace set this right,
447 so there is no misunderstanding */
448 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
449 "in distinguisher\n");
452 if (i != NF_BR_NUMHOOKS)
453 newinfo->hook_entry[i] = (struct ebt_entries *)e;
454 if (left < sizeof(struct ebt_entries))
456 offset += sizeof(struct ebt_entries);
458 if (left < sizeof(struct ebt_entry))
460 if (left < e->next_offset)
462 offset += e->next_offset;
465 if (offset != limit) {
466 BUGPRINT("entries_size too small\n");
470 /* check if all valid hooks have a chain */
471 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
472 if (!newinfo->hook_entry[i] &&
473 (valid_hooks & (1 << i))) {
474 BUGPRINT("Valid hook without chain\n");
482 * this one is very careful, as it is the first function
483 * to parse the userspace data
486 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
487 struct ebt_table_info *newinfo,
488 unsigned int *n, unsigned int *cnt,
489 unsigned int *totalcnt, unsigned int *udc_cnt)
493 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
494 if ((void *)e == (void *)newinfo->hook_entry[i])
497 /* beginning of a new chain
498 if i == NF_BR_NUMHOOKS it must be a user defined chain */
499 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
500 /* this checks if the previous chain has as many entries
503 BUGPRINT("nentries does not equal the nr of entries "
507 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
508 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
509 /* only RETURN from udc */
510 if (i != NF_BR_NUMHOOKS ||
511 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
512 BUGPRINT("bad policy\n");
516 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
518 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
519 BUGPRINT("counter_offset != totalcnt");
522 *n = ((struct ebt_entries *)e)->nentries;
526 /* a plain old entry, heh */
527 if (sizeof(struct ebt_entry) > e->watchers_offset ||
528 e->watchers_offset > e->target_offset ||
529 e->target_offset >= e->next_offset) {
530 BUGPRINT("entry offsets not in right order\n");
533 /* this is not checked anywhere else */
534 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
535 BUGPRINT("target size too small\n");
545 struct ebt_chainstack cs;
547 unsigned int hookmask;
551 * we need these positions to check that the jumps to a different part of the
552 * entries is a jump to the beginning of a new chain.
555 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
556 unsigned int *n, struct ebt_cl_stack *udc)
560 /* we're only interested in chain starts */
563 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
564 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
567 /* only care about udc */
568 if (i != NF_BR_NUMHOOKS)
571 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
572 /* these initialisations are depended on later in check_chainloops() */
574 udc[*n].hookmask = 0;
581 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
583 if (i && (*i)-- == 0)
585 if (m->u.match->destroy)
586 m->u.match->destroy(m->data, m->match_size);
587 module_put(m->u.match->me);
593 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
595 if (i && (*i)-- == 0)
597 if (w->u.watcher->destroy)
598 w->u.watcher->destroy(w->data, w->watcher_size);
599 module_put(w->u.watcher->me);
605 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
607 struct ebt_entry_target *t;
612 if (cnt && (*cnt)-- == 0)
614 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
615 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
616 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
617 if (t->u.target->destroy)
618 t->u.target->destroy(t->data, t->target_size);
619 module_put(t->u.target->me);
625 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
626 const char *name, unsigned int *cnt,
627 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
629 struct ebt_entry_target *t;
630 struct ebt_target *target;
631 unsigned int i, j, hook = 0, hookmask = 0;
635 /* don't mess with the struct ebt_entries */
639 if (e->bitmask & ~EBT_F_MASK) {
640 BUGPRINT("Unknown flag for bitmask\n");
643 if (e->invflags & ~EBT_INV_MASK) {
644 BUGPRINT("Unknown flag for inv bitmask\n");
647 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
648 BUGPRINT("NOPROTO & 802_3 not allowed\n");
651 /* what hook do we belong to? */
652 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
653 if (!newinfo->hook_entry[i])
655 if ((char *)newinfo->hook_entry[i] < (char *)e)
660 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
662 if (i < NF_BR_NUMHOOKS)
663 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
665 for (i = 0; i < udc_cnt; i++)
666 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
669 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
671 hookmask = cl_s[i - 1].hookmask;
674 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
676 goto cleanup_matches;
678 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
680 goto cleanup_watchers;
681 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
682 gap = e->next_offset - e->target_offset;
683 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
685 goto cleanup_watchers;
686 if (!try_module_get(target->me)) {
687 mutex_unlock(&ebt_mutex);
689 goto cleanup_watchers;
691 mutex_unlock(&ebt_mutex);
693 t->u.target = target;
694 if (t->u.target == &ebt_standard_target) {
695 if (gap < sizeof(struct ebt_standard_target)) {
696 BUGPRINT("Standard target size too big\n");
698 goto cleanup_watchers;
700 if (((struct ebt_standard_target *)t)->verdict <
701 -NUM_STANDARD_TARGETS) {
702 BUGPRINT("Invalid standard target\n");
704 goto cleanup_watchers;
706 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
707 module_put(t->u.target->me);
709 goto cleanup_watchers;
710 } else if (XT_ALIGN(target->targetsize) != t->target_size) {
711 printk(KERN_WARNING "ebtables: %s target: "
712 "invalid size %Zu != %u\n",
713 target->name, XT_ALIGN(target->targetsize),
715 module_put(t->u.target->me);
717 goto cleanup_watchers;
718 } else if (t->u.target->check &&
719 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0) {
720 module_put(t->u.target->me);
722 goto cleanup_watchers;
727 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
729 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
734 * checks for loops and sets the hook mask for udc
735 * the hook mask for udc tells us from which base chains the udc can be
736 * accessed. This mask is a parameter to the check() functions of the extensions
738 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
739 unsigned int udc_cnt, unsigned int hooknr, char *base)
741 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
742 struct ebt_entry *e = (struct ebt_entry *)chain->data;
743 struct ebt_entry_target *t;
745 while (pos < nentries || chain_nr != -1) {
746 /* end of udc, go back one 'recursion' step */
747 if (pos == nentries) {
748 /* put back values of the time when this chain was called */
749 e = cl_s[chain_nr].cs.e;
750 if (cl_s[chain_nr].from != -1)
752 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
754 nentries = chain->nentries;
755 pos = cl_s[chain_nr].cs.n;
756 /* make sure we won't see a loop that isn't one */
757 cl_s[chain_nr].cs.n = 0;
758 chain_nr = cl_s[chain_nr].from;
762 t = (struct ebt_entry_target *)
763 (((char *)e) + e->target_offset);
764 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
766 if (e->target_offset + sizeof(struct ebt_standard_target) >
768 BUGPRINT("Standard target size too big\n");
771 verdict = ((struct ebt_standard_target *)t)->verdict;
772 if (verdict >= 0) { /* jump to another chain */
773 struct ebt_entries *hlp2 =
774 (struct ebt_entries *)(base + verdict);
775 for (i = 0; i < udc_cnt; i++)
776 if (hlp2 == cl_s[i].cs.chaininfo)
778 /* bad destination or loop */
780 BUGPRINT("bad destination\n");
787 if (cl_s[i].hookmask & (1 << hooknr))
789 /* this can't be 0, so the loop test is correct */
790 cl_s[i].cs.n = pos + 1;
792 cl_s[i].cs.e = ((void *)e + e->next_offset);
793 e = (struct ebt_entry *)(hlp2->data);
794 nentries = hlp2->nentries;
795 cl_s[i].from = chain_nr;
797 /* this udc is accessible from the base chain for hooknr */
798 cl_s[i].hookmask |= (1 << hooknr);
802 e = (void *)e + e->next_offset;
808 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
809 static int translate_table(char *name, struct ebt_table_info *newinfo)
811 unsigned int i, j, k, udc_cnt;
813 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
816 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
818 if (i == NF_BR_NUMHOOKS) {
819 BUGPRINT("No valid hooks specified\n");
822 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
823 BUGPRINT("Chains don't start at beginning\n");
826 /* make sure chains are ordered after each other in same order
827 as their corresponding hooks */
828 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
829 if (!newinfo->hook_entry[j])
831 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
832 BUGPRINT("Hook order must be followed\n");
838 /* do some early checkings and initialize some things */
839 i = 0; /* holds the expected nr. of entries for the chain */
840 j = 0; /* holds the up to now counted entries for the chain */
841 k = 0; /* holds the total nr. of entries, should equal
842 newinfo->nentries afterwards */
843 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
844 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
845 ebt_check_entry_size_and_hooks, newinfo,
846 &i, &j, &k, &udc_cnt);
852 BUGPRINT("nentries does not equal the nr of entries in the "
856 if (k != newinfo->nentries) {
857 BUGPRINT("Total nentries is wrong\n");
861 /* get the location of the udc, put them in an array
862 while we're at it, allocate the chainstack */
864 /* this will get free'd in do_replace()/ebt_register_table()
865 if an error occurs */
866 newinfo->chainstack =
867 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
868 if (!newinfo->chainstack)
870 for_each_possible_cpu(i) {
871 newinfo->chainstack[i] =
872 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
873 if (!newinfo->chainstack[i]) {
875 vfree(newinfo->chainstack[--i]);
876 vfree(newinfo->chainstack);
877 newinfo->chainstack = NULL;
882 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
885 i = 0; /* the i'th udc */
886 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
887 ebt_get_udc_positions, newinfo, &i, cl_s);
890 BUGPRINT("i != udc_cnt\n");
896 /* Check for loops */
897 for (i = 0; i < NF_BR_NUMHOOKS; i++)
898 if (newinfo->hook_entry[i])
899 if (check_chainloops(newinfo->hook_entry[i],
900 cl_s, udc_cnt, i, newinfo->entries)) {
905 /* we now know the following (along with E=mc²):
906 - the nr of entries in each chain is right
907 - the size of the allocated space is right
908 - all valid hooks have a corresponding chain
910 - wrong data can still be on the level of a single entry
911 - could be there are jumps to places that are not the
912 beginning of a chain. This can only occur in chains that
913 are not accessible from any base chains, so we don't care. */
915 /* used to know what we need to clean up if something goes wrong */
917 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
918 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
920 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
921 ebt_cleanup_entry, &i);
927 /* called under write_lock */
928 static void get_counters(struct ebt_counter *oldcounters,
929 struct ebt_counter *counters, unsigned int nentries)
932 struct ebt_counter *counter_base;
934 /* counters of cpu 0 */
935 memcpy(counters, oldcounters,
936 sizeof(struct ebt_counter) * nentries);
938 /* add other counters to those of cpu 0 */
939 for_each_possible_cpu(cpu) {
942 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
943 for (i = 0; i < nentries; i++) {
944 counters[i].pcnt += counter_base[i].pcnt;
945 counters[i].bcnt += counter_base[i].bcnt;
950 /* replace the table */
951 static int do_replace(void __user *user, unsigned int len)
953 int ret, i, countersize;
954 struct ebt_table_info *newinfo;
955 struct ebt_replace tmp;
957 struct ebt_counter *counterstmp = NULL;
958 /* used to be able to unlock earlier */
959 struct ebt_table_info *table;
961 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
964 if (len != sizeof(tmp) + tmp.entries_size) {
965 BUGPRINT("Wrong len argument\n");
969 if (tmp.entries_size == 0) {
970 BUGPRINT("Entries_size never zero\n");
974 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
975 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
977 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
980 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
981 newinfo = vmalloc(sizeof(*newinfo) + countersize);
986 memset(newinfo->counters, 0, countersize);
988 newinfo->entries = vmalloc(tmp.entries_size);
989 if (!newinfo->entries) {
994 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
995 BUGPRINT("Couldn't copy entries from userspace\n");
1000 /* the user wants counters back
1001 the check on the size is done later, when we have the lock */
1002 if (tmp.num_counters) {
1003 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1012 /* this can get initialized by translate_table() */
1013 newinfo->chainstack = NULL;
1014 ret = ebt_verify_pointers(&tmp, newinfo);
1016 goto free_counterstmp;
1018 ret = translate_table(tmp.name, newinfo);
1021 goto free_counterstmp;
1023 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1029 /* the table doesn't like it */
1030 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1033 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1034 BUGPRINT("Wrong nr. of counters requested\n");
1039 /* we have the mutex lock, so no danger in reading this pointer */
1041 /* make sure the table can only be rmmod'ed if it contains no rules */
1042 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1045 } else if (table->nentries && !newinfo->nentries)
1047 /* we need an atomic snapshot of the counters */
1048 write_lock_bh(&t->lock);
1049 if (tmp.num_counters)
1050 get_counters(t->private->counters, counterstmp,
1051 t->private->nentries);
1053 t->private = newinfo;
1054 write_unlock_bh(&t->lock);
1055 mutex_unlock(&ebt_mutex);
1056 /* so, a user can change the chains while having messed up her counter
1057 allocation. Only reason why this is done is because this way the lock
1058 is held only once, while this doesn't bring the kernel into a
1060 if (tmp.num_counters &&
1061 copy_to_user(tmp.counters, counterstmp,
1062 tmp.num_counters * sizeof(struct ebt_counter))) {
1063 BUGPRINT("Couldn't copy counters to userspace\n");
1069 /* decrease module count and free resources */
1070 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1071 ebt_cleanup_entry, NULL);
1073 vfree(table->entries);
1074 if (table->chainstack) {
1075 for_each_possible_cpu(i)
1076 vfree(table->chainstack[i]);
1077 vfree(table->chainstack);
1085 mutex_unlock(&ebt_mutex);
1087 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1088 ebt_cleanup_entry, NULL);
1091 /* can be initialized in translate_table() */
1092 if (newinfo->chainstack) {
1093 for_each_possible_cpu(i)
1094 vfree(newinfo->chainstack[i]);
1095 vfree(newinfo->chainstack);
1098 vfree(newinfo->entries);
1104 int ebt_register_target(struct ebt_target *target)
1106 struct ebt_target *t;
1109 ret = mutex_lock_interruptible(&ebt_mutex);
1112 list_for_each_entry(t, &ebt_targets, list) {
1113 if (strcmp(t->name, target->name) == 0) {
1114 mutex_unlock(&ebt_mutex);
1118 list_add(&target->list, &ebt_targets);
1119 mutex_unlock(&ebt_mutex);
1124 void ebt_unregister_target(struct ebt_target *target)
1126 mutex_lock(&ebt_mutex);
1127 list_del(&target->list);
1128 mutex_unlock(&ebt_mutex);
1131 int ebt_register_match(struct ebt_match *match)
1133 struct ebt_match *m;
1136 ret = mutex_lock_interruptible(&ebt_mutex);
1139 list_for_each_entry(m, &ebt_matches, list) {
1140 if (strcmp(m->name, match->name) == 0) {
1141 mutex_unlock(&ebt_mutex);
1145 list_add(&match->list, &ebt_matches);
1146 mutex_unlock(&ebt_mutex);
1151 void ebt_unregister_match(struct ebt_match *match)
1153 mutex_lock(&ebt_mutex);
1154 list_del(&match->list);
1155 mutex_unlock(&ebt_mutex);
1158 int ebt_register_watcher(struct ebt_watcher *watcher)
1160 struct ebt_watcher *w;
1163 ret = mutex_lock_interruptible(&ebt_mutex);
1166 list_for_each_entry(w, &ebt_watchers, list) {
1167 if (strcmp(w->name, watcher->name) == 0) {
1168 mutex_unlock(&ebt_mutex);
1172 list_add(&watcher->list, &ebt_watchers);
1173 mutex_unlock(&ebt_mutex);
1178 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1180 mutex_lock(&ebt_mutex);
1181 list_del(&watcher->list);
1182 mutex_unlock(&ebt_mutex);
1185 int ebt_register_table(struct ebt_table *table)
1187 struct ebt_table_info *newinfo;
1188 struct ebt_table *t;
1189 struct ebt_replace_kernel *repl;
1190 int ret, i, countersize;
1193 if (!table || !(repl = table->table) || !repl->entries ||
1194 repl->entries_size == 0 ||
1195 repl->counters || table->private) {
1196 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1200 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1201 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1206 p = vmalloc(repl->entries_size);
1210 memcpy(p, repl->entries, repl->entries_size);
1211 newinfo->entries = p;
1213 newinfo->entries_size = repl->entries_size;
1214 newinfo->nentries = repl->nentries;
1217 memset(newinfo->counters, 0, countersize);
1219 /* fill in newinfo and parse the entries */
1220 newinfo->chainstack = NULL;
1221 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1222 if ((repl->valid_hooks & (1 << i)) == 0)
1223 newinfo->hook_entry[i] = NULL;
1225 newinfo->hook_entry[i] = p +
1226 ((char *)repl->hook_entry[i] - repl->entries);
1228 ret = translate_table(repl->name, newinfo);
1230 BUGPRINT("Translate_table failed\n");
1231 goto free_chainstack;
1234 if (table->check && table->check(newinfo, table->valid_hooks)) {
1235 BUGPRINT("The table doesn't like its own initial data, lol\n");
1239 table->private = newinfo;
1240 rwlock_init(&table->lock);
1241 ret = mutex_lock_interruptible(&ebt_mutex);
1243 goto free_chainstack;
1245 list_for_each_entry(t, &ebt_tables, list) {
1246 if (strcmp(t->name, table->name) == 0) {
1248 BUGPRINT("Table name already exists\n");
1253 /* Hold a reference count if the chains aren't empty */
1254 if (newinfo->nentries && !try_module_get(table->me)) {
1258 list_add(&table->list, &ebt_tables);
1259 mutex_unlock(&ebt_mutex);
1262 mutex_unlock(&ebt_mutex);
1264 if (newinfo->chainstack) {
1265 for_each_possible_cpu(i)
1266 vfree(newinfo->chainstack[i]);
1267 vfree(newinfo->chainstack);
1269 vfree(newinfo->entries);
1275 void ebt_unregister_table(struct ebt_table *table)
1280 BUGPRINT("Request to unregister NULL table!!!\n");
1283 mutex_lock(&ebt_mutex);
1284 list_del(&table->list);
1285 mutex_unlock(&ebt_mutex);
1286 vfree(table->private->entries);
1287 if (table->private->chainstack) {
1288 for_each_possible_cpu(i)
1289 vfree(table->private->chainstack[i]);
1290 vfree(table->private->chainstack);
1292 vfree(table->private);
1295 /* userspace just supplied us with counters */
1296 static int update_counters(void __user *user, unsigned int len)
1299 struct ebt_counter *tmp;
1300 struct ebt_replace hlp;
1301 struct ebt_table *t;
1303 if (copy_from_user(&hlp, user, sizeof(hlp)))
1306 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1308 if (hlp.num_counters == 0)
1311 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1312 MEMPRINT("Update_counters && nomemory\n");
1316 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1320 if (hlp.num_counters != t->private->nentries) {
1321 BUGPRINT("Wrong nr of counters\n");
1326 if ( copy_from_user(tmp, hlp.counters,
1327 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1328 BUGPRINT("Updata_counters && !cfu\n");
1333 /* we want an atomic add of the counters */
1334 write_lock_bh(&t->lock);
1336 /* we add to the counters of the first cpu */
1337 for (i = 0; i < hlp.num_counters; i++) {
1338 t->private->counters[i].pcnt += tmp[i].pcnt;
1339 t->private->counters[i].bcnt += tmp[i].bcnt;
1342 write_unlock_bh(&t->lock);
1345 mutex_unlock(&ebt_mutex);
1351 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1352 char *base, char __user *ubase)
1354 char __user *hlp = ubase + ((char *)m - base);
1355 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1360 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1361 char *base, char __user *ubase)
1363 char __user *hlp = ubase + ((char *)w - base);
1364 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1369 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1373 struct ebt_entry_target *t;
1375 if (e->bitmask == 0)
1378 hlp = ubase + (((char *)e + e->target_offset) - base);
1379 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1381 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1384 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1387 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1392 /* called with ebt_mutex locked */
1393 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1396 struct ebt_replace tmp;
1397 struct ebt_counter *counterstmp, *oldcounters;
1398 unsigned int entries_size, nentries;
1401 if (cmd == EBT_SO_GET_ENTRIES) {
1402 entries_size = t->private->entries_size;
1403 nentries = t->private->nentries;
1404 entries = t->private->entries;
1405 oldcounters = t->private->counters;
1407 entries_size = t->table->entries_size;
1408 nentries = t->table->nentries;
1409 entries = t->table->entries;
1410 oldcounters = t->table->counters;
1413 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1414 BUGPRINT("Cfu didn't work\n");
1418 if (*len != sizeof(struct ebt_replace) + entries_size +
1419 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1420 BUGPRINT("Wrong size\n");
1424 if (tmp.nentries != nentries) {
1425 BUGPRINT("Nentries wrong\n");
1429 if (tmp.entries_size != entries_size) {
1430 BUGPRINT("Wrong size\n");
1434 /* userspace might not need the counters */
1435 if (tmp.num_counters) {
1436 if (tmp.num_counters != nentries) {
1437 BUGPRINT("Num_counters wrong\n");
1440 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1442 MEMPRINT("Couldn't copy counters, out of memory\n");
1445 write_lock_bh(&t->lock);
1446 get_counters(oldcounters, counterstmp, nentries);
1447 write_unlock_bh(&t->lock);
1449 if (copy_to_user(tmp.counters, counterstmp,
1450 nentries * sizeof(struct ebt_counter))) {
1451 BUGPRINT("Couldn't copy counters to userspace\n");
1458 if (copy_to_user(tmp.entries, entries, entries_size)) {
1459 BUGPRINT("Couldn't copy entries to userspace\n");
1462 /* set the match/watcher/target names right */
1463 return EBT_ENTRY_ITERATE(entries, entries_size,
1464 ebt_make_names, entries, tmp.entries);
1467 static int do_ebt_set_ctl(struct sock *sk,
1468 int cmd, void __user *user, unsigned int len)
1473 case EBT_SO_SET_ENTRIES:
1474 ret = do_replace(user, len);
1476 case EBT_SO_SET_COUNTERS:
1477 ret = update_counters(user, len);
1485 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1488 struct ebt_replace tmp;
1489 struct ebt_table *t;
1491 if (copy_from_user(&tmp, user, sizeof(tmp)))
1494 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1499 case EBT_SO_GET_INFO:
1500 case EBT_SO_GET_INIT_INFO:
1501 if (*len != sizeof(struct ebt_replace)){
1503 mutex_unlock(&ebt_mutex);
1506 if (cmd == EBT_SO_GET_INFO) {
1507 tmp.nentries = t->private->nentries;
1508 tmp.entries_size = t->private->entries_size;
1509 tmp.valid_hooks = t->valid_hooks;
1511 tmp.nentries = t->table->nentries;
1512 tmp.entries_size = t->table->entries_size;
1513 tmp.valid_hooks = t->table->valid_hooks;
1515 mutex_unlock(&ebt_mutex);
1516 if (copy_to_user(user, &tmp, *len) != 0){
1517 BUGPRINT("c2u Didn't work\n");
1524 case EBT_SO_GET_ENTRIES:
1525 case EBT_SO_GET_INIT_ENTRIES:
1526 ret = copy_everything_to_user(t, user, len, cmd);
1527 mutex_unlock(&ebt_mutex);
1531 mutex_unlock(&ebt_mutex);
1538 static struct nf_sockopt_ops ebt_sockopts =
1541 .set_optmin = EBT_BASE_CTL,
1542 .set_optmax = EBT_SO_SET_MAX + 1,
1543 .set = do_ebt_set_ctl,
1544 .get_optmin = EBT_BASE_CTL,
1545 .get_optmax = EBT_SO_GET_MAX + 1,
1546 .get = do_ebt_get_ctl,
1547 .owner = THIS_MODULE,
1550 static int __init ebtables_init(void)
1554 mutex_lock(&ebt_mutex);
1555 list_add(&ebt_standard_target.list, &ebt_targets);
1556 mutex_unlock(&ebt_mutex);
1557 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1560 printk(KERN_INFO "Ebtables v2.0 registered\n");
1564 static void __exit ebtables_fini(void)
1566 nf_unregister_sockopt(&ebt_sockopts);
1567 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1570 EXPORT_SYMBOL(ebt_register_table);
1571 EXPORT_SYMBOL(ebt_unregister_table);
1572 EXPORT_SYMBOL(ebt_register_match);
1573 EXPORT_SYMBOL(ebt_unregister_match);
1574 EXPORT_SYMBOL(ebt_register_watcher);
1575 EXPORT_SYMBOL(ebt_unregister_watcher);
1576 EXPORT_SYMBOL(ebt_register_target);
1577 EXPORT_SYMBOL(ebt_unregister_target);
1578 EXPORT_SYMBOL(ebt_do_table);
1579 module_init(ebtables_init);
1580 module_exit(ebtables_fini);
1581 MODULE_LICENSE("GPL");