5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <linux/mutex.h>
28 #include <asm/uaccess.h>
29 #include <linux/smp.h>
30 #include <linux/cpumask.h>
32 /* needed for logical [in,out]-dev filtering */
33 #include "../br_private.h"
35 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
36 "report to author: "format, ## args)
37 /* #define BUGPRINT(format, args...) */
38 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
39 ": out of memory: "format, ## args)
40 /* #define MEMPRINT(format, args...) */
45 * Each cpu has its own set of counters, so there is no need for write_lock in
47 * For reading or updating the counters, the user context needs to
51 /* The size of each set of counters is altered to get cache alignment */
52 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
53 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
54 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
55 COUNTER_OFFSET(n) * cpu))
59 static DEFINE_MUTEX(ebt_mutex);
60 static LIST_HEAD(ebt_tables);
61 static LIST_HEAD(ebt_targets);
62 static LIST_HEAD(ebt_matches);
63 static LIST_HEAD(ebt_watchers);
65 static struct ebt_target ebt_standard_target =
66 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
68 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
69 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
70 const struct net_device *out)
72 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, const struct net_device *in,
80 const struct net_device *out)
82 return m->u.match->match(skb, in, out, m->data,
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
89 const char *devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
158 struct ebt_table_info *private;
160 read_lock_bh(&table->lock);
161 private = table->private;
162 cb_base = COUNTER_BASE(private->counters, private->nentries,
164 if (private->chainstack)
165 cs = private->chainstack[smp_processor_id()];
168 chaininfo = private->hook_entry[hook];
169 nentries = private->hook_entry[hook]->nentries;
170 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
171 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
172 /* base for chain jumps */
173 base = private->entries;
175 while (i < nentries) {
176 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
179 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
182 /* increase counter */
183 (*(counter_base + i)).pcnt++;
184 (*(counter_base + i)).bcnt+=(**pskb).len;
186 /* these should only watch: not modify, nor tell us
187 what to do with the packet */
188 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
191 t = (struct ebt_entry_target *)
192 (((char *)point) + point->target_offset);
193 /* standard target */
194 if (!t->u.target->target)
195 verdict = ((struct ebt_standard_target *)t)->verdict;
197 verdict = t->u.target->target(pskb, hook,
198 in, out, t->data, t->target_size);
199 if (verdict == EBT_ACCEPT) {
200 read_unlock_bh(&table->lock);
203 if (verdict == EBT_DROP) {
204 read_unlock_bh(&table->lock);
207 if (verdict == EBT_RETURN) {
209 #ifdef CONFIG_NETFILTER_DEBUG
211 BUGPRINT("RETURN on base chain");
212 /* act like this is EBT_CONTINUE */
217 /* put all the local variables right */
219 chaininfo = cs[sp].chaininfo;
220 nentries = chaininfo->nentries;
222 counter_base = cb_base +
223 chaininfo->counter_offset;
226 if (verdict == EBT_CONTINUE)
228 #ifdef CONFIG_NETFILTER_DEBUG
230 BUGPRINT("bogus standard verdict\n");
231 read_unlock_bh(&table->lock);
237 cs[sp].chaininfo = chaininfo;
238 cs[sp].e = (struct ebt_entry *)
239 (((char *)point) + point->next_offset);
241 chaininfo = (struct ebt_entries *) (base + verdict);
242 #ifdef CONFIG_NETFILTER_DEBUG
243 if (chaininfo->distinguisher) {
244 BUGPRINT("jump to non-chain\n");
245 read_unlock_bh(&table->lock);
249 nentries = chaininfo->nentries;
250 point = (struct ebt_entry *)chaininfo->data;
251 counter_base = cb_base + chaininfo->counter_offset;
255 point = (struct ebt_entry *)
256 (((char *)point) + point->next_offset);
260 /* I actually like this :) */
261 if (chaininfo->policy == EBT_RETURN)
263 if (chaininfo->policy == EBT_ACCEPT) {
264 read_unlock_bh(&table->lock);
267 read_unlock_bh(&table->lock);
271 /* If it succeeds, returns element and locks mutex */
273 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
277 struct list_head list;
278 char name[EBT_FUNCTION_MAXNAMELEN];
281 *error = mutex_lock_interruptible(mutex);
285 list_for_each_entry(e, head, list) {
286 if (strcmp(e->name, name) == 0)
295 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
298 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
299 int *error, struct mutex *mutex)
303 ret = find_inlist_lock_noload(head, name, error, mutex);
305 request_module("%s%s", prefix, name);
306 ret = find_inlist_lock_noload(head, name, error, mutex);
312 static inline struct ebt_table *
313 find_table_lock(const char *name, int *error, struct mutex *mutex)
315 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
318 static inline struct ebt_match *
319 find_match_lock(const char *name, int *error, struct mutex *mutex)
321 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
324 static inline struct ebt_watcher *
325 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
327 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
330 static inline struct ebt_target *
331 find_target_lock(const char *name, int *error, struct mutex *mutex)
333 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
337 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
338 const char *name, unsigned int hookmask, unsigned int *cnt)
340 struct ebt_match *match;
343 if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
344 ((char *)e) + e->watchers_offset)
346 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
350 if (!try_module_get(match->me)) {
351 mutex_unlock(&ebt_mutex);
354 mutex_unlock(&ebt_mutex);
356 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
357 BUGPRINT("match->check failed\n");
358 module_put(match->me);
366 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
367 const char *name, unsigned int hookmask, unsigned int *cnt)
369 struct ebt_watcher *watcher;
372 if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
373 ((char *)e) + e->target_offset)
375 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
378 w->u.watcher = watcher;
379 if (!try_module_get(watcher->me)) {
380 mutex_unlock(&ebt_mutex);
383 mutex_unlock(&ebt_mutex);
384 if (watcher->check &&
385 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
386 BUGPRINT("watcher->check failed\n");
387 module_put(watcher->me);
395 * this one is very careful, as it is the first function
396 * to parse the userspace data
399 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
400 struct ebt_table_info *newinfo, char *base, char *limit,
401 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
402 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
406 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
407 if ((valid_hooks & (1 << i)) == 0)
409 if ( (char *)hook_entries[i] - base ==
410 (char *)e - newinfo->entries)
413 /* beginning of a new chain
414 if i == NF_BR_NUMHOOKS it must be a user defined chain */
415 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
416 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) != 0) {
417 /* we make userspace set this right,
418 so there is no misunderstanding */
419 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
420 "in distinguisher\n");
423 /* this checks if the previous chain has as many entries
426 BUGPRINT("nentries does not equal the nr of entries "
430 /* before we look at the struct, be sure it is not too big */
431 if ((char *)hook_entries[i] + sizeof(struct ebt_entries)
433 BUGPRINT("entries_size too small\n");
436 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
437 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
438 /* only RETURN from udc */
439 if (i != NF_BR_NUMHOOKS ||
440 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
441 BUGPRINT("bad policy\n");
445 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
448 newinfo->hook_entry[i] = (struct ebt_entries *)e;
449 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
450 BUGPRINT("counter_offset != totalcnt");
453 *n = ((struct ebt_entries *)e)->nentries;
457 /* a plain old entry, heh */
458 if (sizeof(struct ebt_entry) > e->watchers_offset ||
459 e->watchers_offset > e->target_offset ||
460 e->target_offset >= e->next_offset) {
461 BUGPRINT("entry offsets not in right order\n");
464 /* this is not checked anywhere else */
465 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
466 BUGPRINT("target size too small\n");
477 struct ebt_chainstack cs;
479 unsigned int hookmask;
483 * we need these positions to check that the jumps to a different part of the
484 * entries is a jump to the beginning of a new chain.
487 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
488 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
489 struct ebt_cl_stack *udc)
493 /* we're only interested in chain starts */
494 if (e->bitmask & EBT_ENTRY_OR_ENTRIES)
496 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
497 if ((valid_hooks & (1 << i)) == 0)
499 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
502 /* only care about udc */
503 if (i != NF_BR_NUMHOOKS)
506 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
507 /* these initialisations are depended on later in check_chainloops() */
509 udc[*n].hookmask = 0;
516 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
518 if (i && (*i)-- == 0)
520 if (m->u.match->destroy)
521 m->u.match->destroy(m->data, m->match_size);
522 module_put(m->u.match->me);
528 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
530 if (i && (*i)-- == 0)
532 if (w->u.watcher->destroy)
533 w->u.watcher->destroy(w->data, w->watcher_size);
534 module_put(w->u.watcher->me);
540 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
542 struct ebt_entry_target *t;
544 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
547 if (cnt && (*cnt)-- == 0)
549 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
550 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
551 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
552 if (t->u.target->destroy)
553 t->u.target->destroy(t->data, t->target_size);
554 module_put(t->u.target->me);
560 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
561 const char *name, unsigned int *cnt, unsigned int valid_hooks,
562 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
564 struct ebt_entry_target *t;
565 struct ebt_target *target;
566 unsigned int i, j, hook = 0, hookmask = 0;
569 /* don't mess with the struct ebt_entries */
570 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
573 if (e->bitmask & ~EBT_F_MASK) {
574 BUGPRINT("Unknown flag for bitmask\n");
577 if (e->invflags & ~EBT_INV_MASK) {
578 BUGPRINT("Unknown flag for inv bitmask\n");
581 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
582 BUGPRINT("NOPROTO & 802_3 not allowed\n");
585 /* what hook do we belong to? */
586 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
587 if ((valid_hooks & (1 << i)) == 0)
589 if ((char *)newinfo->hook_entry[i] < (char *)e)
594 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
596 if (i < NF_BR_NUMHOOKS)
597 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
599 for (i = 0; i < udc_cnt; i++)
600 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
603 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
605 hookmask = cl_s[i - 1].hookmask;
608 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
610 goto cleanup_matches;
612 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
614 goto cleanup_watchers;
615 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
616 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
618 goto cleanup_watchers;
619 if (!try_module_get(target->me)) {
620 mutex_unlock(&ebt_mutex);
622 goto cleanup_watchers;
624 mutex_unlock(&ebt_mutex);
626 t->u.target = target;
627 if (t->u.target == &ebt_standard_target) {
628 if (e->target_offset + sizeof(struct ebt_standard_target) >
630 BUGPRINT("Standard target size too big\n");
632 goto cleanup_watchers;
634 if (((struct ebt_standard_target *)t)->verdict <
635 -NUM_STANDARD_TARGETS) {
636 BUGPRINT("Invalid standard target\n");
638 goto cleanup_watchers;
640 } else if ((e->target_offset + t->target_size +
641 sizeof(struct ebt_entry_target) > e->next_offset) ||
642 (t->u.target->check &&
643 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
644 module_put(t->u.target->me);
646 goto cleanup_watchers;
651 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
653 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
658 * checks for loops and sets the hook mask for udc
659 * the hook mask for udc tells us from which base chains the udc can be
660 * accessed. This mask is a parameter to the check() functions of the extensions
662 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
663 unsigned int udc_cnt, unsigned int hooknr, char *base)
665 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
666 struct ebt_entry *e = (struct ebt_entry *)chain->data;
667 struct ebt_entry_target *t;
669 while (pos < nentries || chain_nr != -1) {
670 /* end of udc, go back one 'recursion' step */
671 if (pos == nentries) {
672 /* put back values of the time when this chain was called */
673 e = cl_s[chain_nr].cs.e;
674 if (cl_s[chain_nr].from != -1)
676 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
678 nentries = chain->nentries;
679 pos = cl_s[chain_nr].cs.n;
680 /* make sure we won't see a loop that isn't one */
681 cl_s[chain_nr].cs.n = 0;
682 chain_nr = cl_s[chain_nr].from;
686 t = (struct ebt_entry_target *)
687 (((char *)e) + e->target_offset);
688 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
690 if (e->target_offset + sizeof(struct ebt_standard_target) >
692 BUGPRINT("Standard target size too big\n");
695 verdict = ((struct ebt_standard_target *)t)->verdict;
696 if (verdict >= 0) { /* jump to another chain */
697 struct ebt_entries *hlp2 =
698 (struct ebt_entries *)(base + verdict);
699 for (i = 0; i < udc_cnt; i++)
700 if (hlp2 == cl_s[i].cs.chaininfo)
702 /* bad destination or loop */
704 BUGPRINT("bad destination\n");
711 /* this can't be 0, so the above test is correct */
712 cl_s[i].cs.n = pos + 1;
714 cl_s[i].cs.e = ((void *)e + e->next_offset);
715 e = (struct ebt_entry *)(hlp2->data);
716 nentries = hlp2->nentries;
717 cl_s[i].from = chain_nr;
719 /* this udc is accessible from the base chain for hooknr */
720 cl_s[i].hookmask |= (1 << hooknr);
724 e = (void *)e + e->next_offset;
730 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
731 static int translate_table(struct ebt_replace *repl,
732 struct ebt_table_info *newinfo)
734 unsigned int i, j, k, udc_cnt;
736 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
739 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
741 if (i == NF_BR_NUMHOOKS) {
742 BUGPRINT("No valid hooks specified\n");
745 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
746 BUGPRINT("Chains don't start at beginning\n");
749 /* make sure chains are ordered after each other in same order
750 as their corresponding hooks */
751 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
752 if (!(repl->valid_hooks & (1 << j)))
754 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
755 BUGPRINT("Hook order must be followed\n");
761 for (i = 0; i < NF_BR_NUMHOOKS; i++)
762 newinfo->hook_entry[i] = NULL;
764 newinfo->entries_size = repl->entries_size;
765 newinfo->nentries = repl->nentries;
767 /* do some early checkings and initialize some things */
768 i = 0; /* holds the expected nr. of entries for the chain */
769 j = 0; /* holds the up to now counted entries for the chain */
770 k = 0; /* holds the total nr. of entries, should equal
771 newinfo->nentries afterwards */
772 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
773 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
774 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
775 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
776 &udc_cnt, repl->valid_hooks);
782 BUGPRINT("nentries does not equal the nr of entries in the "
786 if (k != newinfo->nentries) {
787 BUGPRINT("Total nentries is wrong\n");
791 /* check if all valid hooks have a chain */
792 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
793 if (newinfo->hook_entry[i] == NULL &&
794 (repl->valid_hooks & (1 << i))) {
795 BUGPRINT("Valid hook without chain\n");
800 /* get the location of the udc, put them in an array
801 while we're at it, allocate the chainstack */
803 /* this will get free'd in do_replace()/ebt_register_table()
804 if an error occurs */
805 newinfo->chainstack =
806 vmalloc((highest_possible_processor_id()+1)
807 * sizeof(*(newinfo->chainstack)));
808 if (!newinfo->chainstack)
810 for_each_possible_cpu(i) {
811 newinfo->chainstack[i] =
812 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
813 if (!newinfo->chainstack[i]) {
815 vfree(newinfo->chainstack[--i]);
816 vfree(newinfo->chainstack);
817 newinfo->chainstack = NULL;
822 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
825 i = 0; /* the i'th udc */
826 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
827 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
828 repl->valid_hooks, cl_s);
831 BUGPRINT("i != udc_cnt\n");
837 /* Check for loops */
838 for (i = 0; i < NF_BR_NUMHOOKS; i++)
839 if (repl->valid_hooks & (1 << i))
840 if (check_chainloops(newinfo->hook_entry[i],
841 cl_s, udc_cnt, i, newinfo->entries)) {
846 /* we now know the following (along with E=mc²):
847 - the nr of entries in each chain is right
848 - the size of the allocated space is right
849 - all valid hooks have a corresponding chain
851 - wrong data can still be on the level of a single entry
852 - could be there are jumps to places that are not the
853 beginning of a chain. This can only occur in chains that
854 are not accessible from any base chains, so we don't care. */
856 /* used to know what we need to clean up if something goes wrong */
858 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
859 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
862 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
863 ebt_cleanup_entry, &i);
869 /* called under write_lock */
870 static void get_counters(struct ebt_counter *oldcounters,
871 struct ebt_counter *counters, unsigned int nentries)
874 struct ebt_counter *counter_base;
876 /* counters of cpu 0 */
877 memcpy(counters, oldcounters,
878 sizeof(struct ebt_counter) * nentries);
880 /* add other counters to those of cpu 0 */
881 for_each_possible_cpu(cpu) {
884 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
885 for (i = 0; i < nentries; i++) {
886 counters[i].pcnt += counter_base[i].pcnt;
887 counters[i].bcnt += counter_base[i].bcnt;
892 /* replace the table */
893 static int do_replace(void __user *user, unsigned int len)
895 int ret, i, countersize;
896 struct ebt_table_info *newinfo;
897 struct ebt_replace tmp;
899 struct ebt_counter *counterstmp = NULL;
900 /* used to be able to unlock earlier */
901 struct ebt_table_info *table;
903 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
906 if (len != sizeof(tmp) + tmp.entries_size) {
907 BUGPRINT("Wrong len argument\n");
911 if (tmp.entries_size == 0) {
912 BUGPRINT("Entries_size never zero\n");
916 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
917 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
919 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
922 countersize = COUNTER_OFFSET(tmp.nentries) *
923 (highest_possible_processor_id()+1);
924 newinfo = vmalloc(sizeof(*newinfo) + countersize);
929 memset(newinfo->counters, 0, countersize);
931 newinfo->entries = vmalloc(tmp.entries_size);
932 if (!newinfo->entries) {
937 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
938 BUGPRINT("Couldn't copy entries from userspace\n");
943 /* the user wants counters back
944 the check on the size is done later, when we have the lock */
945 if (tmp.num_counters) {
946 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
955 /* this can get initialized by translate_table() */
956 newinfo->chainstack = NULL;
957 ret = translate_table(&tmp, newinfo);
960 goto free_counterstmp;
962 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
968 /* the table doesn't like it */
969 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
972 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
973 BUGPRINT("Wrong nr. of counters requested\n");
978 /* we have the mutex lock, so no danger in reading this pointer */
980 /* make sure the table can only be rmmod'ed if it contains no rules */
981 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
984 } else if (table->nentries && !newinfo->nentries)
986 /* we need an atomic snapshot of the counters */
987 write_lock_bh(&t->lock);
988 if (tmp.num_counters)
989 get_counters(t->private->counters, counterstmp,
990 t->private->nentries);
992 t->private = newinfo;
993 write_unlock_bh(&t->lock);
994 mutex_unlock(&ebt_mutex);
995 /* so, a user can change the chains while having messed up her counter
996 allocation. Only reason why this is done is because this way the lock
997 is held only once, while this doesn't bring the kernel into a
999 if (tmp.num_counters &&
1000 copy_to_user(tmp.counters, counterstmp,
1001 tmp.num_counters * sizeof(struct ebt_counter))) {
1002 BUGPRINT("Couldn't copy counters to userspace\n");
1008 /* decrease module count and free resources */
1009 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1010 ebt_cleanup_entry, NULL);
1012 vfree(table->entries);
1013 if (table->chainstack) {
1014 for_each_possible_cpu(i)
1015 vfree(table->chainstack[i]);
1016 vfree(table->chainstack);
1024 mutex_unlock(&ebt_mutex);
1026 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1027 ebt_cleanup_entry, NULL);
1030 /* can be initialized in translate_table() */
1031 if (newinfo->chainstack) {
1032 for_each_possible_cpu(i)
1033 vfree(newinfo->chainstack[i]);
1034 vfree(newinfo->chainstack);
1037 vfree(newinfo->entries);
1043 int ebt_register_target(struct ebt_target *target)
1045 struct ebt_target *t;
1048 ret = mutex_lock_interruptible(&ebt_mutex);
1051 list_for_each_entry(t, &ebt_targets, list) {
1052 if (strcmp(t->name, target->name) == 0) {
1053 mutex_unlock(&ebt_mutex);
1057 list_add(&target->list, &ebt_targets);
1058 mutex_unlock(&ebt_mutex);
1063 void ebt_unregister_target(struct ebt_target *target)
1065 mutex_lock(&ebt_mutex);
1066 list_del(&target->list);
1067 mutex_unlock(&ebt_mutex);
1070 int ebt_register_match(struct ebt_match *match)
1072 struct ebt_match *m;
1075 ret = mutex_lock_interruptible(&ebt_mutex);
1078 list_for_each_entry(m, &ebt_matches, list) {
1079 if (strcmp(m->name, match->name) == 0) {
1080 mutex_unlock(&ebt_mutex);
1084 list_add(&match->list, &ebt_matches);
1085 mutex_unlock(&ebt_mutex);
1090 void ebt_unregister_match(struct ebt_match *match)
1092 mutex_lock(&ebt_mutex);
1093 list_del(&match->list);
1094 mutex_unlock(&ebt_mutex);
1097 int ebt_register_watcher(struct ebt_watcher *watcher)
1099 struct ebt_watcher *w;
1102 ret = mutex_lock_interruptible(&ebt_mutex);
1105 list_for_each_entry(w, &ebt_watchers, list) {
1106 if (strcmp(w->name, watcher->name) == 0) {
1107 mutex_unlock(&ebt_mutex);
1111 list_add(&watcher->list, &ebt_watchers);
1112 mutex_unlock(&ebt_mutex);
1117 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1119 mutex_lock(&ebt_mutex);
1120 list_del(&watcher->list);
1121 mutex_unlock(&ebt_mutex);
1124 int ebt_register_table(struct ebt_table *table)
1126 struct ebt_table_info *newinfo;
1127 struct ebt_table *t;
1128 int ret, i, countersize;
1130 if (!table || !table->table ||!table->table->entries ||
1131 table->table->entries_size == 0 ||
1132 table->table->counters || table->private) {
1133 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1137 countersize = COUNTER_OFFSET(table->table->nentries) *
1138 (highest_possible_processor_id()+1);
1139 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1144 newinfo->entries = vmalloc(table->table->entries_size);
1145 if (!(newinfo->entries))
1148 memcpy(newinfo->entries, table->table->entries,
1149 table->table->entries_size);
1152 memset(newinfo->counters, 0, countersize);
1154 /* fill in newinfo and parse the entries */
1155 newinfo->chainstack = NULL;
1156 ret = translate_table(table->table, newinfo);
1158 BUGPRINT("Translate_table failed\n");
1159 goto free_chainstack;
1162 if (table->check && table->check(newinfo, table->valid_hooks)) {
1163 BUGPRINT("The table doesn't like its own initial data, lol\n");
1167 table->private = newinfo;
1168 rwlock_init(&table->lock);
1169 ret = mutex_lock_interruptible(&ebt_mutex);
1171 goto free_chainstack;
1173 list_for_each_entry(t, &ebt_tables, list) {
1174 if (strcmp(t->name, table->name) == 0) {
1176 BUGPRINT("Table name already exists\n");
1181 /* Hold a reference count if the chains aren't empty */
1182 if (newinfo->nentries && !try_module_get(table->me)) {
1186 list_add(&table->list, &ebt_tables);
1187 mutex_unlock(&ebt_mutex);
1190 mutex_unlock(&ebt_mutex);
1192 if (newinfo->chainstack) {
1193 for_each_possible_cpu(i)
1194 vfree(newinfo->chainstack[i]);
1195 vfree(newinfo->chainstack);
1197 vfree(newinfo->entries);
1203 void ebt_unregister_table(struct ebt_table *table)
1208 BUGPRINT("Request to unregister NULL table!!!\n");
1211 mutex_lock(&ebt_mutex);
1212 list_del(&table->list);
1213 mutex_unlock(&ebt_mutex);
1214 vfree(table->private->entries);
1215 if (table->private->chainstack) {
1216 for_each_possible_cpu(i)
1217 vfree(table->private->chainstack[i]);
1218 vfree(table->private->chainstack);
1220 vfree(table->private);
1223 /* userspace just supplied us with counters */
1224 static int update_counters(void __user *user, unsigned int len)
1227 struct ebt_counter *tmp;
1228 struct ebt_replace hlp;
1229 struct ebt_table *t;
1231 if (copy_from_user(&hlp, user, sizeof(hlp)))
1234 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1236 if (hlp.num_counters == 0)
1239 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1240 MEMPRINT("Update_counters && nomemory\n");
1244 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1248 if (hlp.num_counters != t->private->nentries) {
1249 BUGPRINT("Wrong nr of counters\n");
1254 if ( copy_from_user(tmp, hlp.counters,
1255 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1256 BUGPRINT("Updata_counters && !cfu\n");
1261 /* we want an atomic add of the counters */
1262 write_lock_bh(&t->lock);
1264 /* we add to the counters of the first cpu */
1265 for (i = 0; i < hlp.num_counters; i++) {
1266 t->private->counters[i].pcnt += tmp[i].pcnt;
1267 t->private->counters[i].bcnt += tmp[i].bcnt;
1270 write_unlock_bh(&t->lock);
1273 mutex_unlock(&ebt_mutex);
1279 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1280 char *base, char *ubase)
1282 char *hlp = ubase - base + (char *)m;
1283 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1288 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1289 char *base, char *ubase)
1291 char *hlp = ubase - base + (char *)w;
1292 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1297 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1301 struct ebt_entry_target *t;
1303 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
1306 hlp = ubase - base + (char *)e + e->target_offset;
1307 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1309 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1312 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1315 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1320 /* called with ebt_mutex locked */
1321 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1324 struct ebt_replace tmp;
1325 struct ebt_counter *counterstmp, *oldcounters;
1326 unsigned int entries_size, nentries;
1329 if (cmd == EBT_SO_GET_ENTRIES) {
1330 entries_size = t->private->entries_size;
1331 nentries = t->private->nentries;
1332 entries = t->private->entries;
1333 oldcounters = t->private->counters;
1335 entries_size = t->table->entries_size;
1336 nentries = t->table->nentries;
1337 entries = t->table->entries;
1338 oldcounters = t->table->counters;
1341 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1342 BUGPRINT("Cfu didn't work\n");
1346 if (*len != sizeof(struct ebt_replace) + entries_size +
1347 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1348 BUGPRINT("Wrong size\n");
1352 if (tmp.nentries != nentries) {
1353 BUGPRINT("Nentries wrong\n");
1357 if (tmp.entries_size != entries_size) {
1358 BUGPRINT("Wrong size\n");
1362 /* userspace might not need the counters */
1363 if (tmp.num_counters) {
1364 if (tmp.num_counters != nentries) {
1365 BUGPRINT("Num_counters wrong\n");
1368 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1370 MEMPRINT("Couldn't copy counters, out of memory\n");
1373 write_lock_bh(&t->lock);
1374 get_counters(oldcounters, counterstmp, nentries);
1375 write_unlock_bh(&t->lock);
1377 if (copy_to_user(tmp.counters, counterstmp,
1378 nentries * sizeof(struct ebt_counter))) {
1379 BUGPRINT("Couldn't copy counters to userspace\n");
1386 if (copy_to_user(tmp.entries, entries, entries_size)) {
1387 BUGPRINT("Couldn't copy entries to userspace\n");
1390 /* set the match/watcher/target names right */
1391 return EBT_ENTRY_ITERATE(entries, entries_size,
1392 ebt_make_names, entries, tmp.entries);
1395 static int do_ebt_set_ctl(struct sock *sk,
1396 int cmd, void __user *user, unsigned int len)
1401 case EBT_SO_SET_ENTRIES:
1402 ret = do_replace(user, len);
1404 case EBT_SO_SET_COUNTERS:
1405 ret = update_counters(user, len);
1413 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1416 struct ebt_replace tmp;
1417 struct ebt_table *t;
1419 if (copy_from_user(&tmp, user, sizeof(tmp)))
1422 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1427 case EBT_SO_GET_INFO:
1428 case EBT_SO_GET_INIT_INFO:
1429 if (*len != sizeof(struct ebt_replace)){
1431 mutex_unlock(&ebt_mutex);
1434 if (cmd == EBT_SO_GET_INFO) {
1435 tmp.nentries = t->private->nentries;
1436 tmp.entries_size = t->private->entries_size;
1437 tmp.valid_hooks = t->valid_hooks;
1439 tmp.nentries = t->table->nentries;
1440 tmp.entries_size = t->table->entries_size;
1441 tmp.valid_hooks = t->table->valid_hooks;
1443 mutex_unlock(&ebt_mutex);
1444 if (copy_to_user(user, &tmp, *len) != 0){
1445 BUGPRINT("c2u Didn't work\n");
1452 case EBT_SO_GET_ENTRIES:
1453 case EBT_SO_GET_INIT_ENTRIES:
1454 ret = copy_everything_to_user(t, user, len, cmd);
1455 mutex_unlock(&ebt_mutex);
1459 mutex_unlock(&ebt_mutex);
1466 static struct nf_sockopt_ops ebt_sockopts =
1469 .set_optmin = EBT_BASE_CTL,
1470 .set_optmax = EBT_SO_SET_MAX + 1,
1471 .set = do_ebt_set_ctl,
1472 .get_optmin = EBT_BASE_CTL,
1473 .get_optmax = EBT_SO_GET_MAX + 1,
1474 .get = do_ebt_get_ctl,
1477 static int __init ebtables_init(void)
1481 mutex_lock(&ebt_mutex);
1482 list_add(&ebt_standard_target.list, &ebt_targets);
1483 mutex_unlock(&ebt_mutex);
1484 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1487 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1491 static void __exit ebtables_fini(void)
1493 nf_unregister_sockopt(&ebt_sockopts);
1494 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1497 EXPORT_SYMBOL(ebt_register_table);
1498 EXPORT_SYMBOL(ebt_unregister_table);
1499 EXPORT_SYMBOL(ebt_register_match);
1500 EXPORT_SYMBOL(ebt_unregister_match);
1501 EXPORT_SYMBOL(ebt_register_watcher);
1502 EXPORT_SYMBOL(ebt_unregister_watcher);
1503 EXPORT_SYMBOL(ebt_register_target);
1504 EXPORT_SYMBOL(ebt_unregister_target);
1505 EXPORT_SYMBOL(ebt_do_table);
1506 module_init(ebtables_init);
1507 module_exit(ebtables_fini);
1508 MODULE_LICENSE("GPL");