5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/tty.h>
21 #include <linux/kmod.h>
22 #include <linux/module.h>
23 #include <linux/vmalloc.h>
24 #include <linux/netfilter_bridge/ebtables.h>
25 #include <linux/spinlock.h>
26 #include <linux/mutex.h>
27 #include <asm/uaccess.h>
28 #include <linux/smp.h>
29 #include <linux/cpumask.h>
31 /* needed for logical [in,out]-dev filtering */
32 #include "../br_private.h"
34 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
35 "report to author: "format, ## args)
36 /* #define BUGPRINT(format, args...) */
37 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
38 ": out of memory: "format, ## args)
39 /* #define MEMPRINT(format, args...) */
44 * Each cpu has its own set of counters, so there is no need for write_lock in
46 * For reading or updating the counters, the user context needs to
50 /* The size of each set of counters is altered to get cache alignment */
51 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
52 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
53 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
54 COUNTER_OFFSET(n) * cpu))
58 static DEFINE_MUTEX(ebt_mutex);
59 static LIST_HEAD(ebt_tables);
60 static LIST_HEAD(ebt_targets);
61 static LIST_HEAD(ebt_matches);
62 static LIST_HEAD(ebt_watchers);
64 static struct ebt_target ebt_standard_target =
65 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
67 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
68 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
69 const struct net_device *out)
71 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
73 /* watchers don't give a verdict */
77 static inline int ebt_do_match (struct ebt_entry_match *m,
78 const struct sk_buff *skb, const struct net_device *in,
79 const struct net_device *out)
81 return m->u.match->match(skb, in, out, m->data,
85 static inline int ebt_dev_check(char *entry, const struct net_device *device)
88 const char *devname = device->name;
94 /* 1 is the wildcard token */
95 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
97 return (devname[i] != entry[i] && entry[i] != 1);
100 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
101 /* process standard matches */
102 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
103 const struct net_device *in, const struct net_device *out)
107 if (e->bitmask & EBT_802_3) {
108 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
110 } else if (!(e->bitmask & EBT_NOPROTO) &&
111 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
114 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
116 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
118 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
119 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
121 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
122 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
125 if (e->bitmask & EBT_SOURCEMAC) {
127 for (i = 0; i < 6; i++)
128 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
130 if (FWINV2(verdict != 0, EBT_ISOURCE) )
133 if (e->bitmask & EBT_DESTMAC) {
135 for (i = 0; i < 6; i++)
136 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
138 if (FWINV2(verdict != 0, EBT_IDEST) )
144 /* Do some firewalling */
145 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
146 const struct net_device *in, const struct net_device *out,
147 struct ebt_table *table)
150 struct ebt_entry *point;
151 struct ebt_counter *counter_base, *cb_base;
152 struct ebt_entry_target *t;
154 struct ebt_chainstack *cs;
155 struct ebt_entries *chaininfo;
157 struct ebt_table_info *private;
159 read_lock_bh(&table->lock);
160 private = table->private;
161 cb_base = COUNTER_BASE(private->counters, private->nentries,
163 if (private->chainstack)
164 cs = private->chainstack[smp_processor_id()];
167 chaininfo = private->hook_entry[hook];
168 nentries = private->hook_entry[hook]->nentries;
169 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
170 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
171 /* base for chain jumps */
172 base = private->entries;
174 while (i < nentries) {
175 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
178 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
181 /* increase counter */
182 (*(counter_base + i)).pcnt++;
183 (*(counter_base + i)).bcnt+=(**pskb).len;
185 /* these should only watch: not modify, nor tell us
186 what to do with the packet */
187 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
190 t = (struct ebt_entry_target *)
191 (((char *)point) + point->target_offset);
192 /* standard target */
193 if (!t->u.target->target)
194 verdict = ((struct ebt_standard_target *)t)->verdict;
196 verdict = t->u.target->target(pskb, hook,
197 in, out, t->data, t->target_size);
198 if (verdict == EBT_ACCEPT) {
199 read_unlock_bh(&table->lock);
202 if (verdict == EBT_DROP) {
203 read_unlock_bh(&table->lock);
206 if (verdict == EBT_RETURN) {
208 #ifdef CONFIG_NETFILTER_DEBUG
210 BUGPRINT("RETURN on base chain");
211 /* act like this is EBT_CONTINUE */
216 /* put all the local variables right */
218 chaininfo = cs[sp].chaininfo;
219 nentries = chaininfo->nentries;
221 counter_base = cb_base +
222 chaininfo->counter_offset;
225 if (verdict == EBT_CONTINUE)
227 #ifdef CONFIG_NETFILTER_DEBUG
229 BUGPRINT("bogus standard verdict\n");
230 read_unlock_bh(&table->lock);
236 cs[sp].chaininfo = chaininfo;
237 cs[sp].e = (struct ebt_entry *)
238 (((char *)point) + point->next_offset);
240 chaininfo = (struct ebt_entries *) (base + verdict);
241 #ifdef CONFIG_NETFILTER_DEBUG
242 if (chaininfo->distinguisher) {
243 BUGPRINT("jump to non-chain\n");
244 read_unlock_bh(&table->lock);
248 nentries = chaininfo->nentries;
249 point = (struct ebt_entry *)chaininfo->data;
250 counter_base = cb_base + chaininfo->counter_offset;
254 point = (struct ebt_entry *)
255 (((char *)point) + point->next_offset);
259 /* I actually like this :) */
260 if (chaininfo->policy == EBT_RETURN)
262 if (chaininfo->policy == EBT_ACCEPT) {
263 read_unlock_bh(&table->lock);
266 read_unlock_bh(&table->lock);
270 /* If it succeeds, returns element and locks mutex */
272 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
276 struct list_head list;
277 char name[EBT_FUNCTION_MAXNAMELEN];
280 *error = mutex_lock_interruptible(mutex);
284 list_for_each_entry(e, head, list) {
285 if (strcmp(e->name, name) == 0)
294 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
297 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
298 int *error, struct mutex *mutex)
302 ret = find_inlist_lock_noload(head, name, error, mutex);
304 request_module("%s%s", prefix, name);
305 ret = find_inlist_lock_noload(head, name, error, mutex);
311 static inline struct ebt_table *
312 find_table_lock(const char *name, int *error, struct mutex *mutex)
314 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
317 static inline struct ebt_match *
318 find_match_lock(const char *name, int *error, struct mutex *mutex)
320 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
323 static inline struct ebt_watcher *
324 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
326 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
329 static inline struct ebt_target *
330 find_target_lock(const char *name, int *error, struct mutex *mutex)
332 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
336 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
337 const char *name, unsigned int hookmask, unsigned int *cnt)
339 struct ebt_match *match;
340 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
343 if (left < sizeof(struct ebt_entry_match) ||
344 left - sizeof(struct ebt_entry_match) < m->match_size)
346 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
350 if (!try_module_get(match->me)) {
351 mutex_unlock(&ebt_mutex);
354 mutex_unlock(&ebt_mutex);
356 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
357 BUGPRINT("match->check failed\n");
358 module_put(match->me);
366 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
367 const char *name, unsigned int hookmask, unsigned int *cnt)
369 struct ebt_watcher *watcher;
370 size_t left = ((char *)e + e->target_offset) - (char *)w;
373 if (left < sizeof(struct ebt_entry_watcher) ||
374 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
376 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
379 w->u.watcher = watcher;
380 if (!try_module_get(watcher->me)) {
381 mutex_unlock(&ebt_mutex);
384 mutex_unlock(&ebt_mutex);
385 if (watcher->check &&
386 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
387 BUGPRINT("watcher->check failed\n");
388 module_put(watcher->me);
395 static int ebt_verify_pointers(struct ebt_replace *repl,
396 struct ebt_table_info *newinfo)
398 unsigned int limit = repl->entries_size;
399 unsigned int valid_hooks = repl->valid_hooks;
400 unsigned int offset = 0;
403 for (i = 0; i < NF_BR_NUMHOOKS; i++)
404 newinfo->hook_entry[i] = NULL;
406 newinfo->entries_size = repl->entries_size;
407 newinfo->nentries = repl->nentries;
409 while (offset < limit) {
410 size_t left = limit - offset;
411 struct ebt_entry *e = (void *)newinfo->entries + offset;
413 if (left < sizeof(unsigned int))
416 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
417 if ((valid_hooks & (1 << i)) == 0)
419 if ((char __user *)repl->hook_entry[i] ==
420 repl->entries + offset)
424 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
425 if (e->bitmask != 0) {
426 /* we make userspace set this right,
427 so there is no misunderstanding */
428 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
429 "in distinguisher\n");
432 if (i != NF_BR_NUMHOOKS)
433 newinfo->hook_entry[i] = (struct ebt_entries *)e;
434 if (left < sizeof(struct ebt_entries))
436 offset += sizeof(struct ebt_entries);
438 if (left < sizeof(struct ebt_entry))
440 if (left < e->next_offset)
442 offset += e->next_offset;
445 if (offset != limit) {
446 BUGPRINT("entries_size too small\n");
450 /* check if all valid hooks have a chain */
451 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
452 if (!newinfo->hook_entry[i] &&
453 (valid_hooks & (1 << i))) {
454 BUGPRINT("Valid hook without chain\n");
462 * this one is very careful, as it is the first function
463 * to parse the userspace data
466 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
467 struct ebt_table_info *newinfo,
468 unsigned int *n, unsigned int *cnt,
469 unsigned int *totalcnt, unsigned int *udc_cnt)
473 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
474 if ((void *)e == (void *)newinfo->hook_entry[i])
477 /* beginning of a new chain
478 if i == NF_BR_NUMHOOKS it must be a user defined chain */
479 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
480 /* this checks if the previous chain has as many entries
483 BUGPRINT("nentries does not equal the nr of entries "
487 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
488 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
489 /* only RETURN from udc */
490 if (i != NF_BR_NUMHOOKS ||
491 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
492 BUGPRINT("bad policy\n");
496 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
498 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
499 BUGPRINT("counter_offset != totalcnt");
502 *n = ((struct ebt_entries *)e)->nentries;
506 /* a plain old entry, heh */
507 if (sizeof(struct ebt_entry) > e->watchers_offset ||
508 e->watchers_offset > e->target_offset ||
509 e->target_offset >= e->next_offset) {
510 BUGPRINT("entry offsets not in right order\n");
513 /* this is not checked anywhere else */
514 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
515 BUGPRINT("target size too small\n");
525 struct ebt_chainstack cs;
527 unsigned int hookmask;
531 * we need these positions to check that the jumps to a different part of the
532 * entries is a jump to the beginning of a new chain.
535 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
536 unsigned int *n, struct ebt_cl_stack *udc)
540 /* we're only interested in chain starts */
543 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
544 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
547 /* only care about udc */
548 if (i != NF_BR_NUMHOOKS)
551 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
552 /* these initialisations are depended on later in check_chainloops() */
554 udc[*n].hookmask = 0;
561 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
563 if (i && (*i)-- == 0)
565 if (m->u.match->destroy)
566 m->u.match->destroy(m->data, m->match_size);
567 module_put(m->u.match->me);
573 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
575 if (i && (*i)-- == 0)
577 if (w->u.watcher->destroy)
578 w->u.watcher->destroy(w->data, w->watcher_size);
579 module_put(w->u.watcher->me);
585 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
587 struct ebt_entry_target *t;
592 if (cnt && (*cnt)-- == 0)
594 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
595 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
596 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
597 if (t->u.target->destroy)
598 t->u.target->destroy(t->data, t->target_size);
599 module_put(t->u.target->me);
605 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
606 const char *name, unsigned int *cnt,
607 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
609 struct ebt_entry_target *t;
610 struct ebt_target *target;
611 unsigned int i, j, hook = 0, hookmask = 0;
615 /* don't mess with the struct ebt_entries */
619 if (e->bitmask & ~EBT_F_MASK) {
620 BUGPRINT("Unknown flag for bitmask\n");
623 if (e->invflags & ~EBT_INV_MASK) {
624 BUGPRINT("Unknown flag for inv bitmask\n");
627 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
628 BUGPRINT("NOPROTO & 802_3 not allowed\n");
631 /* what hook do we belong to? */
632 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
633 if (!newinfo->hook_entry[i])
635 if ((char *)newinfo->hook_entry[i] < (char *)e)
640 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
642 if (i < NF_BR_NUMHOOKS)
643 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
645 for (i = 0; i < udc_cnt; i++)
646 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
649 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
651 hookmask = cl_s[i - 1].hookmask;
654 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
656 goto cleanup_matches;
658 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
660 goto cleanup_watchers;
661 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
662 gap = e->next_offset - e->target_offset;
663 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
665 goto cleanup_watchers;
666 if (!try_module_get(target->me)) {
667 mutex_unlock(&ebt_mutex);
669 goto cleanup_watchers;
671 mutex_unlock(&ebt_mutex);
673 t->u.target = target;
674 if (t->u.target == &ebt_standard_target) {
675 if (gap < sizeof(struct ebt_standard_target)) {
676 BUGPRINT("Standard target size too big\n");
678 goto cleanup_watchers;
680 if (((struct ebt_standard_target *)t)->verdict <
681 -NUM_STANDARD_TARGETS) {
682 BUGPRINT("Invalid standard target\n");
684 goto cleanup_watchers;
686 } else if (t->target_size > gap - sizeof(struct ebt_entry_target) ||
687 (t->u.target->check &&
688 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
689 module_put(t->u.target->me);
691 goto cleanup_watchers;
696 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
698 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
703 * checks for loops and sets the hook mask for udc
704 * the hook mask for udc tells us from which base chains the udc can be
705 * accessed. This mask is a parameter to the check() functions of the extensions
707 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
708 unsigned int udc_cnt, unsigned int hooknr, char *base)
710 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
711 struct ebt_entry *e = (struct ebt_entry *)chain->data;
712 struct ebt_entry_target *t;
714 while (pos < nentries || chain_nr != -1) {
715 /* end of udc, go back one 'recursion' step */
716 if (pos == nentries) {
717 /* put back values of the time when this chain was called */
718 e = cl_s[chain_nr].cs.e;
719 if (cl_s[chain_nr].from != -1)
721 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
723 nentries = chain->nentries;
724 pos = cl_s[chain_nr].cs.n;
725 /* make sure we won't see a loop that isn't one */
726 cl_s[chain_nr].cs.n = 0;
727 chain_nr = cl_s[chain_nr].from;
731 t = (struct ebt_entry_target *)
732 (((char *)e) + e->target_offset);
733 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
735 if (e->target_offset + sizeof(struct ebt_standard_target) >
737 BUGPRINT("Standard target size too big\n");
740 verdict = ((struct ebt_standard_target *)t)->verdict;
741 if (verdict >= 0) { /* jump to another chain */
742 struct ebt_entries *hlp2 =
743 (struct ebt_entries *)(base + verdict);
744 for (i = 0; i < udc_cnt; i++)
745 if (hlp2 == cl_s[i].cs.chaininfo)
747 /* bad destination or loop */
749 BUGPRINT("bad destination\n");
756 if (cl_s[i].hookmask & (1 << hooknr))
758 /* this can't be 0, so the loop test is correct */
759 cl_s[i].cs.n = pos + 1;
761 cl_s[i].cs.e = ((void *)e + e->next_offset);
762 e = (struct ebt_entry *)(hlp2->data);
763 nentries = hlp2->nentries;
764 cl_s[i].from = chain_nr;
766 /* this udc is accessible from the base chain for hooknr */
767 cl_s[i].hookmask |= (1 << hooknr);
771 e = (void *)e + e->next_offset;
777 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
778 static int translate_table(char *name, struct ebt_table_info *newinfo)
780 unsigned int i, j, k, udc_cnt;
782 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
785 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
787 if (i == NF_BR_NUMHOOKS) {
788 BUGPRINT("No valid hooks specified\n");
791 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
792 BUGPRINT("Chains don't start at beginning\n");
795 /* make sure chains are ordered after each other in same order
796 as their corresponding hooks */
797 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
798 if (!newinfo->hook_entry[j])
800 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
801 BUGPRINT("Hook order must be followed\n");
807 /* do some early checkings and initialize some things */
808 i = 0; /* holds the expected nr. of entries for the chain */
809 j = 0; /* holds the up to now counted entries for the chain */
810 k = 0; /* holds the total nr. of entries, should equal
811 newinfo->nentries afterwards */
812 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
813 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
814 ebt_check_entry_size_and_hooks, newinfo,
815 &i, &j, &k, &udc_cnt);
821 BUGPRINT("nentries does not equal the nr of entries in the "
825 if (k != newinfo->nentries) {
826 BUGPRINT("Total nentries is wrong\n");
830 /* get the location of the udc, put them in an array
831 while we're at it, allocate the chainstack */
833 /* this will get free'd in do_replace()/ebt_register_table()
834 if an error occurs */
835 newinfo->chainstack =
836 vmalloc((highest_possible_processor_id()+1)
837 * sizeof(*(newinfo->chainstack)));
838 if (!newinfo->chainstack)
840 for_each_possible_cpu(i) {
841 newinfo->chainstack[i] =
842 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
843 if (!newinfo->chainstack[i]) {
845 vfree(newinfo->chainstack[--i]);
846 vfree(newinfo->chainstack);
847 newinfo->chainstack = NULL;
852 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
855 i = 0; /* the i'th udc */
856 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
857 ebt_get_udc_positions, newinfo, &i, cl_s);
860 BUGPRINT("i != udc_cnt\n");
866 /* Check for loops */
867 for (i = 0; i < NF_BR_NUMHOOKS; i++)
868 if (newinfo->hook_entry[i])
869 if (check_chainloops(newinfo->hook_entry[i],
870 cl_s, udc_cnt, i, newinfo->entries)) {
875 /* we now know the following (along with E=mc²):
876 - the nr of entries in each chain is right
877 - the size of the allocated space is right
878 - all valid hooks have a corresponding chain
880 - wrong data can still be on the level of a single entry
881 - could be there are jumps to places that are not the
882 beginning of a chain. This can only occur in chains that
883 are not accessible from any base chains, so we don't care. */
885 /* used to know what we need to clean up if something goes wrong */
887 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
888 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
890 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
891 ebt_cleanup_entry, &i);
897 /* called under write_lock */
898 static void get_counters(struct ebt_counter *oldcounters,
899 struct ebt_counter *counters, unsigned int nentries)
902 struct ebt_counter *counter_base;
904 /* counters of cpu 0 */
905 memcpy(counters, oldcounters,
906 sizeof(struct ebt_counter) * nentries);
908 /* add other counters to those of cpu 0 */
909 for_each_possible_cpu(cpu) {
912 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
913 for (i = 0; i < nentries; i++) {
914 counters[i].pcnt += counter_base[i].pcnt;
915 counters[i].bcnt += counter_base[i].bcnt;
920 /* replace the table */
921 static int do_replace(void __user *user, unsigned int len)
923 int ret, i, countersize;
924 struct ebt_table_info *newinfo;
925 struct ebt_replace tmp;
927 struct ebt_counter *counterstmp = NULL;
928 /* used to be able to unlock earlier */
929 struct ebt_table_info *table;
931 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
934 if (len != sizeof(tmp) + tmp.entries_size) {
935 BUGPRINT("Wrong len argument\n");
939 if (tmp.entries_size == 0) {
940 BUGPRINT("Entries_size never zero\n");
944 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
945 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
947 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
950 countersize = COUNTER_OFFSET(tmp.nentries) *
951 (highest_possible_processor_id()+1);
952 newinfo = vmalloc(sizeof(*newinfo) + countersize);
957 memset(newinfo->counters, 0, countersize);
959 newinfo->entries = vmalloc(tmp.entries_size);
960 if (!newinfo->entries) {
965 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
966 BUGPRINT("Couldn't copy entries from userspace\n");
971 /* the user wants counters back
972 the check on the size is done later, when we have the lock */
973 if (tmp.num_counters) {
974 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
983 /* this can get initialized by translate_table() */
984 newinfo->chainstack = NULL;
985 ret = ebt_verify_pointers(&tmp, newinfo);
987 goto free_counterstmp;
989 ret = translate_table(tmp.name, newinfo);
992 goto free_counterstmp;
994 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1000 /* the table doesn't like it */
1001 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1004 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1005 BUGPRINT("Wrong nr. of counters requested\n");
1010 /* we have the mutex lock, so no danger in reading this pointer */
1012 /* make sure the table can only be rmmod'ed if it contains no rules */
1013 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1016 } else if (table->nentries && !newinfo->nentries)
1018 /* we need an atomic snapshot of the counters */
1019 write_lock_bh(&t->lock);
1020 if (tmp.num_counters)
1021 get_counters(t->private->counters, counterstmp,
1022 t->private->nentries);
1024 t->private = newinfo;
1025 write_unlock_bh(&t->lock);
1026 mutex_unlock(&ebt_mutex);
1027 /* so, a user can change the chains while having messed up her counter
1028 allocation. Only reason why this is done is because this way the lock
1029 is held only once, while this doesn't bring the kernel into a
1031 if (tmp.num_counters &&
1032 copy_to_user(tmp.counters, counterstmp,
1033 tmp.num_counters * sizeof(struct ebt_counter))) {
1034 BUGPRINT("Couldn't copy counters to userspace\n");
1040 /* decrease module count and free resources */
1041 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1042 ebt_cleanup_entry, NULL);
1044 vfree(table->entries);
1045 if (table->chainstack) {
1046 for_each_possible_cpu(i)
1047 vfree(table->chainstack[i]);
1048 vfree(table->chainstack);
1056 mutex_unlock(&ebt_mutex);
1058 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1059 ebt_cleanup_entry, NULL);
1062 /* can be initialized in translate_table() */
1063 if (newinfo->chainstack) {
1064 for_each_possible_cpu(i)
1065 vfree(newinfo->chainstack[i]);
1066 vfree(newinfo->chainstack);
1069 vfree(newinfo->entries);
1075 int ebt_register_target(struct ebt_target *target)
1077 struct ebt_target *t;
1080 ret = mutex_lock_interruptible(&ebt_mutex);
1083 list_for_each_entry(t, &ebt_targets, list) {
1084 if (strcmp(t->name, target->name) == 0) {
1085 mutex_unlock(&ebt_mutex);
1089 list_add(&target->list, &ebt_targets);
1090 mutex_unlock(&ebt_mutex);
1095 void ebt_unregister_target(struct ebt_target *target)
1097 mutex_lock(&ebt_mutex);
1098 list_del(&target->list);
1099 mutex_unlock(&ebt_mutex);
1102 int ebt_register_match(struct ebt_match *match)
1104 struct ebt_match *m;
1107 ret = mutex_lock_interruptible(&ebt_mutex);
1110 list_for_each_entry(m, &ebt_matches, list) {
1111 if (strcmp(m->name, match->name) == 0) {
1112 mutex_unlock(&ebt_mutex);
1116 list_add(&match->list, &ebt_matches);
1117 mutex_unlock(&ebt_mutex);
1122 void ebt_unregister_match(struct ebt_match *match)
1124 mutex_lock(&ebt_mutex);
1125 list_del(&match->list);
1126 mutex_unlock(&ebt_mutex);
1129 int ebt_register_watcher(struct ebt_watcher *watcher)
1131 struct ebt_watcher *w;
1134 ret = mutex_lock_interruptible(&ebt_mutex);
1137 list_for_each_entry(w, &ebt_watchers, list) {
1138 if (strcmp(w->name, watcher->name) == 0) {
1139 mutex_unlock(&ebt_mutex);
1143 list_add(&watcher->list, &ebt_watchers);
1144 mutex_unlock(&ebt_mutex);
1149 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1151 mutex_lock(&ebt_mutex);
1152 list_del(&watcher->list);
1153 mutex_unlock(&ebt_mutex);
1156 int ebt_register_table(struct ebt_table *table)
1158 struct ebt_table_info *newinfo;
1159 struct ebt_table *t;
1160 struct ebt_replace_kernel *repl;
1161 int ret, i, countersize;
1164 if (!table || !(repl = table->table) || !repl->entries ||
1165 repl->entries_size == 0 ||
1166 repl->counters || table->private) {
1167 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1171 countersize = COUNTER_OFFSET(repl->nentries) *
1172 (highest_possible_processor_id()+1);
1173 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1178 p = vmalloc(repl->entries_size);
1182 memcpy(p, repl->entries, repl->entries_size);
1183 newinfo->entries = p;
1185 newinfo->entries_size = repl->entries_size;
1186 newinfo->nentries = repl->nentries;
1189 memset(newinfo->counters, 0, countersize);
1191 /* fill in newinfo and parse the entries */
1192 newinfo->chainstack = NULL;
1193 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1194 if ((repl->valid_hooks & (1 << i)) == 0)
1195 newinfo->hook_entry[i] = NULL;
1197 newinfo->hook_entry[i] = p +
1198 ((char *)repl->hook_entry[i] - repl->entries);
1200 ret = translate_table(repl->name, newinfo);
1202 BUGPRINT("Translate_table failed\n");
1203 goto free_chainstack;
1206 if (table->check && table->check(newinfo, table->valid_hooks)) {
1207 BUGPRINT("The table doesn't like its own initial data, lol\n");
1211 table->private = newinfo;
1212 rwlock_init(&table->lock);
1213 ret = mutex_lock_interruptible(&ebt_mutex);
1215 goto free_chainstack;
1217 list_for_each_entry(t, &ebt_tables, list) {
1218 if (strcmp(t->name, table->name) == 0) {
1220 BUGPRINT("Table name already exists\n");
1225 /* Hold a reference count if the chains aren't empty */
1226 if (newinfo->nentries && !try_module_get(table->me)) {
1230 list_add(&table->list, &ebt_tables);
1231 mutex_unlock(&ebt_mutex);
1234 mutex_unlock(&ebt_mutex);
1236 if (newinfo->chainstack) {
1237 for_each_possible_cpu(i)
1238 vfree(newinfo->chainstack[i]);
1239 vfree(newinfo->chainstack);
1241 vfree(newinfo->entries);
1247 void ebt_unregister_table(struct ebt_table *table)
1252 BUGPRINT("Request to unregister NULL table!!!\n");
1255 mutex_lock(&ebt_mutex);
1256 list_del(&table->list);
1257 mutex_unlock(&ebt_mutex);
1258 vfree(table->private->entries);
1259 if (table->private->chainstack) {
1260 for_each_possible_cpu(i)
1261 vfree(table->private->chainstack[i]);
1262 vfree(table->private->chainstack);
1264 vfree(table->private);
1267 /* userspace just supplied us with counters */
1268 static int update_counters(void __user *user, unsigned int len)
1271 struct ebt_counter *tmp;
1272 struct ebt_replace hlp;
1273 struct ebt_table *t;
1275 if (copy_from_user(&hlp, user, sizeof(hlp)))
1278 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1280 if (hlp.num_counters == 0)
1283 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1284 MEMPRINT("Update_counters && nomemory\n");
1288 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1292 if (hlp.num_counters != t->private->nentries) {
1293 BUGPRINT("Wrong nr of counters\n");
1298 if ( copy_from_user(tmp, hlp.counters,
1299 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1300 BUGPRINT("Updata_counters && !cfu\n");
1305 /* we want an atomic add of the counters */
1306 write_lock_bh(&t->lock);
1308 /* we add to the counters of the first cpu */
1309 for (i = 0; i < hlp.num_counters; i++) {
1310 t->private->counters[i].pcnt += tmp[i].pcnt;
1311 t->private->counters[i].bcnt += tmp[i].bcnt;
1314 write_unlock_bh(&t->lock);
1317 mutex_unlock(&ebt_mutex);
1323 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1324 char *base, char __user *ubase)
1326 char __user *hlp = ubase + ((char *)m - base);
1327 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1332 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1333 char *base, char __user *ubase)
1335 char __user *hlp = ubase + ((char *)w - base);
1336 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1341 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1345 struct ebt_entry_target *t;
1347 if (e->bitmask == 0)
1350 hlp = ubase + (((char *)e + e->target_offset) - base);
1351 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1353 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1356 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1359 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1364 /* called with ebt_mutex locked */
1365 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1368 struct ebt_replace tmp;
1369 struct ebt_counter *counterstmp, *oldcounters;
1370 unsigned int entries_size, nentries;
1373 if (cmd == EBT_SO_GET_ENTRIES) {
1374 entries_size = t->private->entries_size;
1375 nentries = t->private->nentries;
1376 entries = t->private->entries;
1377 oldcounters = t->private->counters;
1379 entries_size = t->table->entries_size;
1380 nentries = t->table->nentries;
1381 entries = t->table->entries;
1382 oldcounters = t->table->counters;
1385 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1386 BUGPRINT("Cfu didn't work\n");
1390 if (*len != sizeof(struct ebt_replace) + entries_size +
1391 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1392 BUGPRINT("Wrong size\n");
1396 if (tmp.nentries != nentries) {
1397 BUGPRINT("Nentries wrong\n");
1401 if (tmp.entries_size != entries_size) {
1402 BUGPRINT("Wrong size\n");
1406 /* userspace might not need the counters */
1407 if (tmp.num_counters) {
1408 if (tmp.num_counters != nentries) {
1409 BUGPRINT("Num_counters wrong\n");
1412 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1414 MEMPRINT("Couldn't copy counters, out of memory\n");
1417 write_lock_bh(&t->lock);
1418 get_counters(oldcounters, counterstmp, nentries);
1419 write_unlock_bh(&t->lock);
1421 if (copy_to_user(tmp.counters, counterstmp,
1422 nentries * sizeof(struct ebt_counter))) {
1423 BUGPRINT("Couldn't copy counters to userspace\n");
1430 if (copy_to_user(tmp.entries, entries, entries_size)) {
1431 BUGPRINT("Couldn't copy entries to userspace\n");
1434 /* set the match/watcher/target names right */
1435 return EBT_ENTRY_ITERATE(entries, entries_size,
1436 ebt_make_names, entries, tmp.entries);
1439 static int do_ebt_set_ctl(struct sock *sk,
1440 int cmd, void __user *user, unsigned int len)
1445 case EBT_SO_SET_ENTRIES:
1446 ret = do_replace(user, len);
1448 case EBT_SO_SET_COUNTERS:
1449 ret = update_counters(user, len);
1457 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1460 struct ebt_replace tmp;
1461 struct ebt_table *t;
1463 if (copy_from_user(&tmp, user, sizeof(tmp)))
1466 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1471 case EBT_SO_GET_INFO:
1472 case EBT_SO_GET_INIT_INFO:
1473 if (*len != sizeof(struct ebt_replace)){
1475 mutex_unlock(&ebt_mutex);
1478 if (cmd == EBT_SO_GET_INFO) {
1479 tmp.nentries = t->private->nentries;
1480 tmp.entries_size = t->private->entries_size;
1481 tmp.valid_hooks = t->valid_hooks;
1483 tmp.nentries = t->table->nentries;
1484 tmp.entries_size = t->table->entries_size;
1485 tmp.valid_hooks = t->table->valid_hooks;
1487 mutex_unlock(&ebt_mutex);
1488 if (copy_to_user(user, &tmp, *len) != 0){
1489 BUGPRINT("c2u Didn't work\n");
1496 case EBT_SO_GET_ENTRIES:
1497 case EBT_SO_GET_INIT_ENTRIES:
1498 ret = copy_everything_to_user(t, user, len, cmd);
1499 mutex_unlock(&ebt_mutex);
1503 mutex_unlock(&ebt_mutex);
1510 static struct nf_sockopt_ops ebt_sockopts =
1513 .set_optmin = EBT_BASE_CTL,
1514 .set_optmax = EBT_SO_SET_MAX + 1,
1515 .set = do_ebt_set_ctl,
1516 .get_optmin = EBT_BASE_CTL,
1517 .get_optmax = EBT_SO_GET_MAX + 1,
1518 .get = do_ebt_get_ctl,
1521 static int __init ebtables_init(void)
1525 mutex_lock(&ebt_mutex);
1526 list_add(&ebt_standard_target.list, &ebt_targets);
1527 mutex_unlock(&ebt_mutex);
1528 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1531 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1535 static void __exit ebtables_fini(void)
1537 nf_unregister_sockopt(&ebt_sockopts);
1538 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1541 EXPORT_SYMBOL(ebt_register_table);
1542 EXPORT_SYMBOL(ebt_unregister_table);
1543 EXPORT_SYMBOL(ebt_register_match);
1544 EXPORT_SYMBOL(ebt_unregister_match);
1545 EXPORT_SYMBOL(ebt_register_watcher);
1546 EXPORT_SYMBOL(ebt_unregister_watcher);
1547 EXPORT_SYMBOL(ebt_register_target);
1548 EXPORT_SYMBOL(ebt_unregister_target);
1549 EXPORT_SYMBOL(ebt_do_table);
1550 module_init(ebtables_init);
1551 module_exit(ebtables_fini);
1552 MODULE_LICENSE("GPL");
projects / linux-2.6 / blob