5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
60 static struct xt_target ebt_standard_target = {
63 .family = NFPROTO_BRIDGE,
64 .targetsize = sizeof(int),
68 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
69 struct xt_target_param *par)
71 par->target = w->u.watcher;
72 par->targinfo = w->data;
73 w->u.watcher->target(skb, par);
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, struct xt_match_param *par)
81 par->match = m->u.match;
82 par->matchinfo = m->data;
83 return m->u.match->match(skb, par);
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
89 const char *devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
158 struct ebt_table_info *private;
159 bool hotdrop = false;
160 struct xt_match_param mtpar;
161 struct xt_target_param tgpar;
163 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
164 mtpar.in = tgpar.in = in;
165 mtpar.out = tgpar.out = out;
166 mtpar.hotdrop = &hotdrop;
167 tgpar.hooknum = hook;
169 read_lock_bh(&table->lock);
170 private = table->private;
171 cb_base = COUNTER_BASE(private->counters, private->nentries,
173 if (private->chainstack)
174 cs = private->chainstack[smp_processor_id()];
177 chaininfo = private->hook_entry[hook];
178 nentries = private->hook_entry[hook]->nentries;
179 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
180 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
181 /* base for chain jumps */
182 base = private->entries;
184 while (i < nentries) {
185 if (ebt_basic_match(point, eth_hdr(skb), in, out))
188 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
191 read_unlock_bh(&table->lock);
195 /* increase counter */
196 (*(counter_base + i)).pcnt++;
197 (*(counter_base + i)).bcnt += skb->len;
199 /* these should only watch: not modify, nor tell us
200 what to do with the packet */
201 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
203 t = (struct ebt_entry_target *)
204 (((char *)point) + point->target_offset);
205 /* standard target */
206 if (!t->u.target->target)
207 verdict = ((struct ebt_standard_target *)t)->verdict;
209 tgpar.target = t->u.target;
210 tgpar.targinfo = t->data;
211 verdict = t->u.target->target(skb, &tgpar);
213 if (verdict == EBT_ACCEPT) {
214 read_unlock_bh(&table->lock);
217 if (verdict == EBT_DROP) {
218 read_unlock_bh(&table->lock);
221 if (verdict == EBT_RETURN) {
223 #ifdef CONFIG_NETFILTER_DEBUG
225 BUGPRINT("RETURN on base chain");
226 /* act like this is EBT_CONTINUE */
231 /* put all the local variables right */
233 chaininfo = cs[sp].chaininfo;
234 nentries = chaininfo->nentries;
236 counter_base = cb_base +
237 chaininfo->counter_offset;
240 if (verdict == EBT_CONTINUE)
242 #ifdef CONFIG_NETFILTER_DEBUG
244 BUGPRINT("bogus standard verdict\n");
245 read_unlock_bh(&table->lock);
251 cs[sp].chaininfo = chaininfo;
252 cs[sp].e = (struct ebt_entry *)
253 (((char *)point) + point->next_offset);
255 chaininfo = (struct ebt_entries *) (base + verdict);
256 #ifdef CONFIG_NETFILTER_DEBUG
257 if (chaininfo->distinguisher) {
258 BUGPRINT("jump to non-chain\n");
259 read_unlock_bh(&table->lock);
263 nentries = chaininfo->nentries;
264 point = (struct ebt_entry *)chaininfo->data;
265 counter_base = cb_base + chaininfo->counter_offset;
269 point = (struct ebt_entry *)
270 (((char *)point) + point->next_offset);
274 /* I actually like this :) */
275 if (chaininfo->policy == EBT_RETURN)
277 if (chaininfo->policy == EBT_ACCEPT) {
278 read_unlock_bh(&table->lock);
281 read_unlock_bh(&table->lock);
285 /* If it succeeds, returns element and locks mutex */
287 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
291 struct list_head list;
292 char name[EBT_FUNCTION_MAXNAMELEN];
295 *error = mutex_lock_interruptible(mutex);
299 list_for_each_entry(e, head, list) {
300 if (strcmp(e->name, name) == 0)
309 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
310 int *error, struct mutex *mutex)
312 return try_then_request_module(
313 find_inlist_lock_noload(head, name, error, mutex),
314 "%s%s", prefix, name);
317 static inline struct ebt_table *
318 find_table_lock(const char *name, int *error, struct mutex *mutex)
320 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
324 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
327 const struct ebt_entry *e = par->entryinfo;
328 struct xt_match *match;
329 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
332 if (left < sizeof(struct ebt_entry_match) ||
333 left - sizeof(struct ebt_entry_match) < m->match_size)
336 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
337 m->u.name, 0), "ebt_%s", m->u.name);
339 return PTR_ERR(match);
345 par->matchinfo = m->data;
346 ret = xt_check_match(par, m->match_size,
347 e->ethproto, e->invflags & EBT_IPROTO);
349 module_put(match->me);
358 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
361 const struct ebt_entry *e = par->entryinfo;
362 struct xt_target *watcher;
363 size_t left = ((char *)e + e->target_offset) - (char *)w;
366 if (left < sizeof(struct ebt_entry_watcher) ||
367 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
370 watcher = try_then_request_module(
371 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
372 "ebt_%s", w->u.name);
374 return PTR_ERR(watcher);
377 w->u.watcher = watcher;
379 par->target = watcher;
380 par->targinfo = w->data;
381 ret = xt_check_target(par, w->watcher_size,
382 e->ethproto, e->invflags & EBT_IPROTO);
384 module_put(watcher->me);
392 static int ebt_verify_pointers(struct ebt_replace *repl,
393 struct ebt_table_info *newinfo)
395 unsigned int limit = repl->entries_size;
396 unsigned int valid_hooks = repl->valid_hooks;
397 unsigned int offset = 0;
400 for (i = 0; i < NF_BR_NUMHOOKS; i++)
401 newinfo->hook_entry[i] = NULL;
403 newinfo->entries_size = repl->entries_size;
404 newinfo->nentries = repl->nentries;
406 while (offset < limit) {
407 size_t left = limit - offset;
408 struct ebt_entry *e = (void *)newinfo->entries + offset;
410 if (left < sizeof(unsigned int))
413 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
414 if ((valid_hooks & (1 << i)) == 0)
416 if ((char __user *)repl->hook_entry[i] ==
417 repl->entries + offset)
421 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
422 if (e->bitmask != 0) {
423 /* we make userspace set this right,
424 so there is no misunderstanding */
425 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
426 "in distinguisher\n");
429 if (i != NF_BR_NUMHOOKS)
430 newinfo->hook_entry[i] = (struct ebt_entries *)e;
431 if (left < sizeof(struct ebt_entries))
433 offset += sizeof(struct ebt_entries);
435 if (left < sizeof(struct ebt_entry))
437 if (left < e->next_offset)
439 offset += e->next_offset;
442 if (offset != limit) {
443 BUGPRINT("entries_size too small\n");
447 /* check if all valid hooks have a chain */
448 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
449 if (!newinfo->hook_entry[i] &&
450 (valid_hooks & (1 << i))) {
451 BUGPRINT("Valid hook without chain\n");
459 * this one is very careful, as it is the first function
460 * to parse the userspace data
463 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
464 struct ebt_table_info *newinfo,
465 unsigned int *n, unsigned int *cnt,
466 unsigned int *totalcnt, unsigned int *udc_cnt)
470 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
471 if ((void *)e == (void *)newinfo->hook_entry[i])
474 /* beginning of a new chain
475 if i == NF_BR_NUMHOOKS it must be a user defined chain */
476 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
477 /* this checks if the previous chain has as many entries
480 BUGPRINT("nentries does not equal the nr of entries "
484 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
485 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
486 /* only RETURN from udc */
487 if (i != NF_BR_NUMHOOKS ||
488 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
489 BUGPRINT("bad policy\n");
493 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
495 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
496 BUGPRINT("counter_offset != totalcnt");
499 *n = ((struct ebt_entries *)e)->nentries;
503 /* a plain old entry, heh */
504 if (sizeof(struct ebt_entry) > e->watchers_offset ||
505 e->watchers_offset > e->target_offset ||
506 e->target_offset >= e->next_offset) {
507 BUGPRINT("entry offsets not in right order\n");
510 /* this is not checked anywhere else */
511 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
512 BUGPRINT("target size too small\n");
522 struct ebt_chainstack cs;
524 unsigned int hookmask;
528 * we need these positions to check that the jumps to a different part of the
529 * entries is a jump to the beginning of a new chain.
532 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
533 unsigned int *n, struct ebt_cl_stack *udc)
537 /* we're only interested in chain starts */
540 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
541 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
544 /* only care about udc */
545 if (i != NF_BR_NUMHOOKS)
548 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
549 /* these initialisations are depended on later in check_chainloops() */
551 udc[*n].hookmask = 0;
558 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
560 struct xt_mtdtor_param par;
562 if (i && (*i)-- == 0)
565 par.match = m->u.match;
566 par.matchinfo = m->data;
567 par.family = NFPROTO_BRIDGE;
568 if (par.match->destroy != NULL)
569 par.match->destroy(&par);
570 module_put(par.match->me);
575 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
577 struct xt_tgdtor_param par;
579 if (i && (*i)-- == 0)
582 par.target = w->u.watcher;
583 par.targinfo = w->data;
584 par.family = NFPROTO_BRIDGE;
585 if (par.target->destroy != NULL)
586 par.target->destroy(&par);
587 module_put(par.target->me);
592 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
594 struct xt_tgdtor_param par;
595 struct ebt_entry_target *t;
600 if (cnt && (*cnt)-- == 0)
602 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
603 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
604 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
606 par.target = t->u.target;
607 par.targinfo = t->data;
608 par.family = NFPROTO_BRIDGE;
609 if (par.target->destroy != NULL)
610 par.target->destroy(&par);
611 module_put(par.target->me);
616 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
617 const char *name, unsigned int *cnt,
618 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
620 struct ebt_entry_target *t;
621 struct xt_target *target;
622 unsigned int i, j, hook = 0, hookmask = 0;
625 struct xt_mtchk_param mtpar;
626 struct xt_tgchk_param tgpar;
628 /* don't mess with the struct ebt_entries */
632 if (e->bitmask & ~EBT_F_MASK) {
633 BUGPRINT("Unknown flag for bitmask\n");
636 if (e->invflags & ~EBT_INV_MASK) {
637 BUGPRINT("Unknown flag for inv bitmask\n");
640 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
641 BUGPRINT("NOPROTO & 802_3 not allowed\n");
644 /* what hook do we belong to? */
645 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
646 if (!newinfo->hook_entry[i])
648 if ((char *)newinfo->hook_entry[i] < (char *)e)
653 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
655 if (i < NF_BR_NUMHOOKS)
656 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
658 for (i = 0; i < udc_cnt; i++)
659 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
662 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
664 hookmask = cl_s[i - 1].hookmask;
668 mtpar.table = tgpar.table = name;
669 mtpar.entryinfo = tgpar.entryinfo = e;
670 mtpar.hook_mask = tgpar.hook_mask = hookmask;
671 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
672 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
674 goto cleanup_matches;
676 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
678 goto cleanup_watchers;
679 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
680 gap = e->next_offset - e->target_offset;
682 target = try_then_request_module(
683 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
684 "ebt_%s", t->u.name);
685 if (IS_ERR(target)) {
686 ret = PTR_ERR(target);
687 goto cleanup_watchers;
688 } else if (target == NULL) {
690 goto cleanup_watchers;
693 t->u.target = target;
694 if (t->u.target == &ebt_standard_target) {
695 if (gap < sizeof(struct ebt_standard_target)) {
696 BUGPRINT("Standard target size too big\n");
698 goto cleanup_watchers;
700 if (((struct ebt_standard_target *)t)->verdict <
701 -NUM_STANDARD_TARGETS) {
702 BUGPRINT("Invalid standard target\n");
704 goto cleanup_watchers;
706 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
707 module_put(t->u.target->me);
709 goto cleanup_watchers;
712 tgpar.target = target;
713 tgpar.targinfo = t->data;
714 ret = xt_check_target(&tgpar, t->target_size,
715 e->ethproto, e->invflags & EBT_IPROTO);
717 module_put(target->me);
718 goto cleanup_watchers;
723 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
725 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
730 * checks for loops and sets the hook mask for udc
731 * the hook mask for udc tells us from which base chains the udc can be
732 * accessed. This mask is a parameter to the check() functions of the extensions
734 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
735 unsigned int udc_cnt, unsigned int hooknr, char *base)
737 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
738 struct ebt_entry *e = (struct ebt_entry *)chain->data;
739 struct ebt_entry_target *t;
741 while (pos < nentries || chain_nr != -1) {
742 /* end of udc, go back one 'recursion' step */
743 if (pos == nentries) {
744 /* put back values of the time when this chain was called */
745 e = cl_s[chain_nr].cs.e;
746 if (cl_s[chain_nr].from != -1)
748 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
750 nentries = chain->nentries;
751 pos = cl_s[chain_nr].cs.n;
752 /* make sure we won't see a loop that isn't one */
753 cl_s[chain_nr].cs.n = 0;
754 chain_nr = cl_s[chain_nr].from;
758 t = (struct ebt_entry_target *)
759 (((char *)e) + e->target_offset);
760 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
762 if (e->target_offset + sizeof(struct ebt_standard_target) >
764 BUGPRINT("Standard target size too big\n");
767 verdict = ((struct ebt_standard_target *)t)->verdict;
768 if (verdict >= 0) { /* jump to another chain */
769 struct ebt_entries *hlp2 =
770 (struct ebt_entries *)(base + verdict);
771 for (i = 0; i < udc_cnt; i++)
772 if (hlp2 == cl_s[i].cs.chaininfo)
774 /* bad destination or loop */
776 BUGPRINT("bad destination\n");
783 if (cl_s[i].hookmask & (1 << hooknr))
785 /* this can't be 0, so the loop test is correct */
786 cl_s[i].cs.n = pos + 1;
788 cl_s[i].cs.e = ((void *)e + e->next_offset);
789 e = (struct ebt_entry *)(hlp2->data);
790 nentries = hlp2->nentries;
791 cl_s[i].from = chain_nr;
793 /* this udc is accessible from the base chain for hooknr */
794 cl_s[i].hookmask |= (1 << hooknr);
798 e = (void *)e + e->next_offset;
804 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
805 static int translate_table(char *name, struct ebt_table_info *newinfo)
807 unsigned int i, j, k, udc_cnt;
809 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
812 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
814 if (i == NF_BR_NUMHOOKS) {
815 BUGPRINT("No valid hooks specified\n");
818 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
819 BUGPRINT("Chains don't start at beginning\n");
822 /* make sure chains are ordered after each other in same order
823 as their corresponding hooks */
824 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
825 if (!newinfo->hook_entry[j])
827 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
828 BUGPRINT("Hook order must be followed\n");
834 /* do some early checkings and initialize some things */
835 i = 0; /* holds the expected nr. of entries for the chain */
836 j = 0; /* holds the up to now counted entries for the chain */
837 k = 0; /* holds the total nr. of entries, should equal
838 newinfo->nentries afterwards */
839 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
840 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
841 ebt_check_entry_size_and_hooks, newinfo,
842 &i, &j, &k, &udc_cnt);
848 BUGPRINT("nentries does not equal the nr of entries in the "
852 if (k != newinfo->nentries) {
853 BUGPRINT("Total nentries is wrong\n");
857 /* get the location of the udc, put them in an array
858 while we're at it, allocate the chainstack */
860 /* this will get free'd in do_replace()/ebt_register_table()
861 if an error occurs */
862 newinfo->chainstack =
863 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
864 if (!newinfo->chainstack)
866 for_each_possible_cpu(i) {
867 newinfo->chainstack[i] =
868 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
869 if (!newinfo->chainstack[i]) {
871 vfree(newinfo->chainstack[--i]);
872 vfree(newinfo->chainstack);
873 newinfo->chainstack = NULL;
878 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
881 i = 0; /* the i'th udc */
882 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
883 ebt_get_udc_positions, newinfo, &i, cl_s);
886 BUGPRINT("i != udc_cnt\n");
892 /* Check for loops */
893 for (i = 0; i < NF_BR_NUMHOOKS; i++)
894 if (newinfo->hook_entry[i])
895 if (check_chainloops(newinfo->hook_entry[i],
896 cl_s, udc_cnt, i, newinfo->entries)) {
901 /* we now know the following (along with E=mc²):
902 - the nr of entries in each chain is right
903 - the size of the allocated space is right
904 - all valid hooks have a corresponding chain
906 - wrong data can still be on the level of a single entry
907 - could be there are jumps to places that are not the
908 beginning of a chain. This can only occur in chains that
909 are not accessible from any base chains, so we don't care. */
911 /* used to know what we need to clean up if something goes wrong */
913 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
914 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
916 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
917 ebt_cleanup_entry, &i);
923 /* called under write_lock */
924 static void get_counters(struct ebt_counter *oldcounters,
925 struct ebt_counter *counters, unsigned int nentries)
928 struct ebt_counter *counter_base;
930 /* counters of cpu 0 */
931 memcpy(counters, oldcounters,
932 sizeof(struct ebt_counter) * nentries);
934 /* add other counters to those of cpu 0 */
935 for_each_possible_cpu(cpu) {
938 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
939 for (i = 0; i < nentries; i++) {
940 counters[i].pcnt += counter_base[i].pcnt;
941 counters[i].bcnt += counter_base[i].bcnt;
946 /* replace the table */
947 static int do_replace(void __user *user, unsigned int len)
949 int ret, i, countersize;
950 struct ebt_table_info *newinfo;
951 struct ebt_replace tmp;
953 struct ebt_counter *counterstmp = NULL;
954 /* used to be able to unlock earlier */
955 struct ebt_table_info *table;
957 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
960 if (len != sizeof(tmp) + tmp.entries_size) {
961 BUGPRINT("Wrong len argument\n");
965 if (tmp.entries_size == 0) {
966 BUGPRINT("Entries_size never zero\n");
970 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
971 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
973 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
976 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
977 newinfo = vmalloc(sizeof(*newinfo) + countersize);
982 memset(newinfo->counters, 0, countersize);
984 newinfo->entries = vmalloc(tmp.entries_size);
985 if (!newinfo->entries) {
990 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
991 BUGPRINT("Couldn't copy entries from userspace\n");
996 /* the user wants counters back
997 the check on the size is done later, when we have the lock */
998 if (tmp.num_counters) {
999 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1008 /* this can get initialized by translate_table() */
1009 newinfo->chainstack = NULL;
1010 ret = ebt_verify_pointers(&tmp, newinfo);
1012 goto free_counterstmp;
1014 ret = translate_table(tmp.name, newinfo);
1017 goto free_counterstmp;
1019 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1025 /* the table doesn't like it */
1026 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1029 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1030 BUGPRINT("Wrong nr. of counters requested\n");
1035 /* we have the mutex lock, so no danger in reading this pointer */
1037 /* make sure the table can only be rmmod'ed if it contains no rules */
1038 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1041 } else if (table->nentries && !newinfo->nentries)
1043 /* we need an atomic snapshot of the counters */
1044 write_lock_bh(&t->lock);
1045 if (tmp.num_counters)
1046 get_counters(t->private->counters, counterstmp,
1047 t->private->nentries);
1049 t->private = newinfo;
1050 write_unlock_bh(&t->lock);
1051 mutex_unlock(&ebt_mutex);
1052 /* so, a user can change the chains while having messed up her counter
1053 allocation. Only reason why this is done is because this way the lock
1054 is held only once, while this doesn't bring the kernel into a
1056 if (tmp.num_counters &&
1057 copy_to_user(tmp.counters, counterstmp,
1058 tmp.num_counters * sizeof(struct ebt_counter))) {
1059 BUGPRINT("Couldn't copy counters to userspace\n");
1065 /* decrease module count and free resources */
1066 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1067 ebt_cleanup_entry, NULL);
1069 vfree(table->entries);
1070 if (table->chainstack) {
1071 for_each_possible_cpu(i)
1072 vfree(table->chainstack[i]);
1073 vfree(table->chainstack);
1081 mutex_unlock(&ebt_mutex);
1083 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1084 ebt_cleanup_entry, NULL);
1087 /* can be initialized in translate_table() */
1088 if (newinfo->chainstack) {
1089 for_each_possible_cpu(i)
1090 vfree(newinfo->chainstack[i]);
1091 vfree(newinfo->chainstack);
1094 vfree(newinfo->entries);
1100 int ebt_register_table(struct ebt_table *table)
1102 struct ebt_table_info *newinfo;
1103 struct ebt_table *t;
1104 struct ebt_replace_kernel *repl;
1105 int ret, i, countersize;
1108 if (!table || !(repl = table->table) || !repl->entries ||
1109 repl->entries_size == 0 ||
1110 repl->counters || table->private) {
1111 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1115 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1116 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1121 p = vmalloc(repl->entries_size);
1125 memcpy(p, repl->entries, repl->entries_size);
1126 newinfo->entries = p;
1128 newinfo->entries_size = repl->entries_size;
1129 newinfo->nentries = repl->nentries;
1132 memset(newinfo->counters, 0, countersize);
1134 /* fill in newinfo and parse the entries */
1135 newinfo->chainstack = NULL;
1136 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1137 if ((repl->valid_hooks & (1 << i)) == 0)
1138 newinfo->hook_entry[i] = NULL;
1140 newinfo->hook_entry[i] = p +
1141 ((char *)repl->hook_entry[i] - repl->entries);
1143 ret = translate_table(repl->name, newinfo);
1145 BUGPRINT("Translate_table failed\n");
1146 goto free_chainstack;
1149 if (table->check && table->check(newinfo, table->valid_hooks)) {
1150 BUGPRINT("The table doesn't like its own initial data, lol\n");
1154 table->private = newinfo;
1155 rwlock_init(&table->lock);
1156 ret = mutex_lock_interruptible(&ebt_mutex);
1158 goto free_chainstack;
1160 list_for_each_entry(t, &ebt_tables, list) {
1161 if (strcmp(t->name, table->name) == 0) {
1163 BUGPRINT("Table name already exists\n");
1168 /* Hold a reference count if the chains aren't empty */
1169 if (newinfo->nentries && !try_module_get(table->me)) {
1173 list_add(&table->list, &ebt_tables);
1174 mutex_unlock(&ebt_mutex);
1177 mutex_unlock(&ebt_mutex);
1179 if (newinfo->chainstack) {
1180 for_each_possible_cpu(i)
1181 vfree(newinfo->chainstack[i]);
1182 vfree(newinfo->chainstack);
1184 vfree(newinfo->entries);
1190 void ebt_unregister_table(struct ebt_table *table)
1195 BUGPRINT("Request to unregister NULL table!!!\n");
1198 mutex_lock(&ebt_mutex);
1199 list_del(&table->list);
1200 mutex_unlock(&ebt_mutex);
1201 vfree(table->private->entries);
1202 if (table->private->chainstack) {
1203 for_each_possible_cpu(i)
1204 vfree(table->private->chainstack[i]);
1205 vfree(table->private->chainstack);
1207 vfree(table->private);
1210 /* userspace just supplied us with counters */
1211 static int update_counters(void __user *user, unsigned int len)
1214 struct ebt_counter *tmp;
1215 struct ebt_replace hlp;
1216 struct ebt_table *t;
1218 if (copy_from_user(&hlp, user, sizeof(hlp)))
1221 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1223 if (hlp.num_counters == 0)
1226 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1227 MEMPRINT("Update_counters && nomemory\n");
1231 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1235 if (hlp.num_counters != t->private->nentries) {
1236 BUGPRINT("Wrong nr of counters\n");
1241 if ( copy_from_user(tmp, hlp.counters,
1242 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1243 BUGPRINT("Updata_counters && !cfu\n");
1248 /* we want an atomic add of the counters */
1249 write_lock_bh(&t->lock);
1251 /* we add to the counters of the first cpu */
1252 for (i = 0; i < hlp.num_counters; i++) {
1253 t->private->counters[i].pcnt += tmp[i].pcnt;
1254 t->private->counters[i].bcnt += tmp[i].bcnt;
1257 write_unlock_bh(&t->lock);
1260 mutex_unlock(&ebt_mutex);
1266 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1267 char *base, char __user *ubase)
1269 char __user *hlp = ubase + ((char *)m - base);
1270 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1275 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1276 char *base, char __user *ubase)
1278 char __user *hlp = ubase + ((char *)w - base);
1279 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1284 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1288 struct ebt_entry_target *t;
1290 if (e->bitmask == 0)
1293 hlp = ubase + (((char *)e + e->target_offset) - base);
1294 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1296 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1299 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1302 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1307 /* called with ebt_mutex locked */
1308 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1311 struct ebt_replace tmp;
1312 struct ebt_counter *counterstmp, *oldcounters;
1313 unsigned int entries_size, nentries;
1316 if (cmd == EBT_SO_GET_ENTRIES) {
1317 entries_size = t->private->entries_size;
1318 nentries = t->private->nentries;
1319 entries = t->private->entries;
1320 oldcounters = t->private->counters;
1322 entries_size = t->table->entries_size;
1323 nentries = t->table->nentries;
1324 entries = t->table->entries;
1325 oldcounters = t->table->counters;
1328 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1329 BUGPRINT("Cfu didn't work\n");
1333 if (*len != sizeof(struct ebt_replace) + entries_size +
1334 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1335 BUGPRINT("Wrong size\n");
1339 if (tmp.nentries != nentries) {
1340 BUGPRINT("Nentries wrong\n");
1344 if (tmp.entries_size != entries_size) {
1345 BUGPRINT("Wrong size\n");
1349 /* userspace might not need the counters */
1350 if (tmp.num_counters) {
1351 if (tmp.num_counters != nentries) {
1352 BUGPRINT("Num_counters wrong\n");
1355 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1357 MEMPRINT("Couldn't copy counters, out of memory\n");
1360 write_lock_bh(&t->lock);
1361 get_counters(oldcounters, counterstmp, nentries);
1362 write_unlock_bh(&t->lock);
1364 if (copy_to_user(tmp.counters, counterstmp,
1365 nentries * sizeof(struct ebt_counter))) {
1366 BUGPRINT("Couldn't copy counters to userspace\n");
1373 if (copy_to_user(tmp.entries, entries, entries_size)) {
1374 BUGPRINT("Couldn't copy entries to userspace\n");
1377 /* set the match/watcher/target names right */
1378 return EBT_ENTRY_ITERATE(entries, entries_size,
1379 ebt_make_names, entries, tmp.entries);
1382 static int do_ebt_set_ctl(struct sock *sk,
1383 int cmd, void __user *user, unsigned int len)
1388 case EBT_SO_SET_ENTRIES:
1389 ret = do_replace(user, len);
1391 case EBT_SO_SET_COUNTERS:
1392 ret = update_counters(user, len);
1400 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1403 struct ebt_replace tmp;
1404 struct ebt_table *t;
1406 if (copy_from_user(&tmp, user, sizeof(tmp)))
1409 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1414 case EBT_SO_GET_INFO:
1415 case EBT_SO_GET_INIT_INFO:
1416 if (*len != sizeof(struct ebt_replace)){
1418 mutex_unlock(&ebt_mutex);
1421 if (cmd == EBT_SO_GET_INFO) {
1422 tmp.nentries = t->private->nentries;
1423 tmp.entries_size = t->private->entries_size;
1424 tmp.valid_hooks = t->valid_hooks;
1426 tmp.nentries = t->table->nentries;
1427 tmp.entries_size = t->table->entries_size;
1428 tmp.valid_hooks = t->table->valid_hooks;
1430 mutex_unlock(&ebt_mutex);
1431 if (copy_to_user(user, &tmp, *len) != 0){
1432 BUGPRINT("c2u Didn't work\n");
1439 case EBT_SO_GET_ENTRIES:
1440 case EBT_SO_GET_INIT_ENTRIES:
1441 ret = copy_everything_to_user(t, user, len, cmd);
1442 mutex_unlock(&ebt_mutex);
1446 mutex_unlock(&ebt_mutex);
1453 static struct nf_sockopt_ops ebt_sockopts =
1456 .set_optmin = EBT_BASE_CTL,
1457 .set_optmax = EBT_SO_SET_MAX + 1,
1458 .set = do_ebt_set_ctl,
1459 .get_optmin = EBT_BASE_CTL,
1460 .get_optmax = EBT_SO_GET_MAX + 1,
1461 .get = do_ebt_get_ctl,
1462 .owner = THIS_MODULE,
1465 static int __init ebtables_init(void)
1469 ret = xt_register_target(&ebt_standard_target);
1472 ret = nf_register_sockopt(&ebt_sockopts);
1474 xt_unregister_target(&ebt_standard_target);
1478 printk(KERN_INFO "Ebtables v2.0 registered\n");
1482 static void __exit ebtables_fini(void)
1484 nf_unregister_sockopt(&ebt_sockopts);
1485 xt_unregister_target(&ebt_standard_target);
1486 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1489 EXPORT_SYMBOL(ebt_register_table);
1490 EXPORT_SYMBOL(ebt_unregister_table);
1491 EXPORT_SYMBOL(ebt_do_table);
1492 module_init(ebtables_init);
1493 module_exit(ebtables_fini);
1494 MODULE_LICENSE("GPL");