5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <asm/uaccess.h>
28 #include <linux/smp.h>
29 #include <linux/cpumask.h>
31 /* needed for logical [in,out]-dev filtering */
32 #include "../br_private.h"
35 #define ASSERT_READ_LOCK(x)
36 #define ASSERT_WRITE_LOCK(x)
37 #include <linux/netfilter_ipv4/listhelp.h>
40 /* use this for remote debugging
41 * Copyright (C) 1998 by Ori Pomerantz
42 * Print the string to the appropriate tty, the one
43 * the current task uses
45 static void print_string(char *str)
47 struct tty_struct *my_tty;
49 /* The tty for the current task */
50 my_tty = current->signal->tty;
52 my_tty->driver->write(my_tty, 0, str, strlen(str));
53 my_tty->driver->write(my_tty, 0, "\015\012", 2);
57 #define BUGPRINT(args) print_string(args);
59 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
60 "report to author: "format, ## args)
61 /* #define BUGPRINT(format, args...) */
63 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
64 ": out of memory: "format, ## args)
65 /* #define MEMPRINT(format, args...) */
70 * Each cpu has its own set of counters, so there is no need for write_lock in
72 * For reading or updating the counters, the user context needs to
76 /* The size of each set of counters is altered to get cache alignment */
77 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
78 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
79 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
80 COUNTER_OFFSET(n) * cpu))
84 static DECLARE_MUTEX(ebt_mutex);
85 static LIST_HEAD(ebt_tables);
86 static LIST_HEAD(ebt_targets);
87 static LIST_HEAD(ebt_matches);
88 static LIST_HEAD(ebt_watchers);
90 static struct ebt_target ebt_standard_target =
91 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
93 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
94 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
95 const struct net_device *out)
97 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
99 /* watchers don't give a verdict */
103 static inline int ebt_do_match (struct ebt_entry_match *m,
104 const struct sk_buff *skb, const struct net_device *in,
105 const struct net_device *out)
107 return m->u.match->match(skb, in, out, m->data,
111 static inline int ebt_dev_check(char *entry, const struct net_device *device)
114 char *devname = device->name;
120 /* 1 is the wildcard token */
121 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
123 return (devname[i] != entry[i] && entry[i] != 1);
126 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
127 /* process standard matches */
128 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
129 const struct net_device *in, const struct net_device *out)
133 if (e->bitmask & EBT_802_3) {
134 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
136 } else if (!(e->bitmask & EBT_NOPROTO) &&
137 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
140 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
142 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
144 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
145 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
147 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
148 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
151 if (e->bitmask & EBT_SOURCEMAC) {
153 for (i = 0; i < 6; i++)
154 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
156 if (FWINV2(verdict != 0, EBT_ISOURCE) )
159 if (e->bitmask & EBT_DESTMAC) {
161 for (i = 0; i < 6; i++)
162 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
164 if (FWINV2(verdict != 0, EBT_IDEST) )
170 /* Do some firewalling */
171 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
172 const struct net_device *in, const struct net_device *out,
173 struct ebt_table *table)
176 struct ebt_entry *point;
177 struct ebt_counter *counter_base, *cb_base;
178 struct ebt_entry_target *t;
180 struct ebt_chainstack *cs;
181 struct ebt_entries *chaininfo;
183 struct ebt_table_info *private;
185 read_lock_bh(&table->lock);
186 private = table->private;
187 cb_base = COUNTER_BASE(private->counters, private->nentries,
189 if (private->chainstack)
190 cs = private->chainstack[smp_processor_id()];
193 chaininfo = private->hook_entry[hook];
194 nentries = private->hook_entry[hook]->nentries;
195 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
196 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
197 /* base for chain jumps */
198 base = private->entries;
200 while (i < nentries) {
201 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
204 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
207 /* increase counter */
208 (*(counter_base + i)).pcnt++;
209 (*(counter_base + i)).bcnt+=(**pskb).len;
211 /* these should only watch: not modify, nor tell us
212 what to do with the packet */
213 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
216 t = (struct ebt_entry_target *)
217 (((char *)point) + point->target_offset);
218 /* standard target */
219 if (!t->u.target->target)
220 verdict = ((struct ebt_standard_target *)t)->verdict;
222 verdict = t->u.target->target(pskb, hook,
223 in, out, t->data, t->target_size);
224 if (verdict == EBT_ACCEPT) {
225 read_unlock_bh(&table->lock);
228 if (verdict == EBT_DROP) {
229 read_unlock_bh(&table->lock);
232 if (verdict == EBT_RETURN) {
234 #ifdef CONFIG_NETFILTER_DEBUG
236 BUGPRINT("RETURN on base chain");
237 /* act like this is EBT_CONTINUE */
242 /* put all the local variables right */
244 chaininfo = cs[sp].chaininfo;
245 nentries = chaininfo->nentries;
247 counter_base = cb_base +
248 chaininfo->counter_offset;
251 if (verdict == EBT_CONTINUE)
253 #ifdef CONFIG_NETFILTER_DEBUG
255 BUGPRINT("bogus standard verdict\n");
256 read_unlock_bh(&table->lock);
262 cs[sp].chaininfo = chaininfo;
263 cs[sp].e = (struct ebt_entry *)
264 (((char *)point) + point->next_offset);
266 chaininfo = (struct ebt_entries *) (base + verdict);
267 #ifdef CONFIG_NETFILTER_DEBUG
268 if (chaininfo->distinguisher) {
269 BUGPRINT("jump to non-chain\n");
270 read_unlock_bh(&table->lock);
274 nentries = chaininfo->nentries;
275 point = (struct ebt_entry *)chaininfo->data;
276 counter_base = cb_base + chaininfo->counter_offset;
280 point = (struct ebt_entry *)
281 (((char *)point) + point->next_offset);
285 /* I actually like this :) */
286 if (chaininfo->policy == EBT_RETURN)
288 if (chaininfo->policy == EBT_ACCEPT) {
289 read_unlock_bh(&table->lock);
292 read_unlock_bh(&table->lock);
296 /* If it succeeds, returns element and locks mutex */
298 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
299 struct semaphore *mutex)
303 *error = down_interruptible(mutex);
307 ret = list_named_find(head, name);
316 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
319 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
320 int *error, struct semaphore *mutex)
324 ret = find_inlist_lock_noload(head, name, error, mutex);
326 request_module("%s%s", prefix, name);
327 ret = find_inlist_lock_noload(head, name, error, mutex);
333 static inline struct ebt_table *
334 find_table_lock(const char *name, int *error, struct semaphore *mutex)
336 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
339 static inline struct ebt_match *
340 find_match_lock(const char *name, int *error, struct semaphore *mutex)
342 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
345 static inline struct ebt_watcher *
346 find_watcher_lock(const char *name, int *error, struct semaphore *mutex)
348 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
351 static inline struct ebt_target *
352 find_target_lock(const char *name, int *error, struct semaphore *mutex)
354 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
358 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
359 const char *name, unsigned int hookmask, unsigned int *cnt)
361 struct ebt_match *match;
364 if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
365 ((char *)e) + e->watchers_offset)
367 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
371 if (!try_module_get(match->me)) {
377 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
378 BUGPRINT("match->check failed\n");
379 module_put(match->me);
387 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
388 const char *name, unsigned int hookmask, unsigned int *cnt)
390 struct ebt_watcher *watcher;
393 if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
394 ((char *)e) + e->target_offset)
396 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
399 w->u.watcher = watcher;
400 if (!try_module_get(watcher->me)) {
405 if (watcher->check &&
406 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
407 BUGPRINT("watcher->check failed\n");
408 module_put(watcher->me);
416 * this one is very careful, as it is the first function
417 * to parse the userspace data
420 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
421 struct ebt_table_info *newinfo, char *base, char *limit,
422 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
423 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
427 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
428 if ((valid_hooks & (1 << i)) == 0)
430 if ( (char *)hook_entries[i] - base ==
431 (char *)e - newinfo->entries)
434 /* beginning of a new chain
435 if i == NF_BR_NUMHOOKS it must be a user defined chain */
436 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
437 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) != 0) {
438 /* we make userspace set this right,
439 so there is no misunderstanding */
440 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
441 "in distinguisher\n");
444 /* this checks if the previous chain has as many entries
447 BUGPRINT("nentries does not equal the nr of entries "
451 /* before we look at the struct, be sure it is not too big */
452 if ((char *)hook_entries[i] + sizeof(struct ebt_entries)
454 BUGPRINT("entries_size too small\n");
457 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
458 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
459 /* only RETURN from udc */
460 if (i != NF_BR_NUMHOOKS ||
461 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
462 BUGPRINT("bad policy\n");
466 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
469 newinfo->hook_entry[i] = (struct ebt_entries *)e;
470 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
471 BUGPRINT("counter_offset != totalcnt");
474 *n = ((struct ebt_entries *)e)->nentries;
478 /* a plain old entry, heh */
479 if (sizeof(struct ebt_entry) > e->watchers_offset ||
480 e->watchers_offset > e->target_offset ||
481 e->target_offset >= e->next_offset) {
482 BUGPRINT("entry offsets not in right order\n");
485 /* this is not checked anywhere else */
486 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
487 BUGPRINT("target size too small\n");
498 struct ebt_chainstack cs;
500 unsigned int hookmask;
504 * we need these positions to check that the jumps to a different part of the
505 * entries is a jump to the beginning of a new chain.
508 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
509 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
510 struct ebt_cl_stack *udc)
514 /* we're only interested in chain starts */
515 if (e->bitmask & EBT_ENTRY_OR_ENTRIES)
517 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
518 if ((valid_hooks & (1 << i)) == 0)
520 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
523 /* only care about udc */
524 if (i != NF_BR_NUMHOOKS)
527 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
528 /* these initialisations are depended on later in check_chainloops() */
530 udc[*n].hookmask = 0;
537 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
539 if (i && (*i)-- == 0)
541 if (m->u.match->destroy)
542 m->u.match->destroy(m->data, m->match_size);
543 module_put(m->u.match->me);
549 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
551 if (i && (*i)-- == 0)
553 if (w->u.watcher->destroy)
554 w->u.watcher->destroy(w->data, w->watcher_size);
555 module_put(w->u.watcher->me);
561 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
563 struct ebt_entry_target *t;
565 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
568 if (cnt && (*cnt)-- == 0)
570 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
571 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
572 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
573 if (t->u.target->destroy)
574 t->u.target->destroy(t->data, t->target_size);
575 module_put(t->u.target->me);
581 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
582 const char *name, unsigned int *cnt, unsigned int valid_hooks,
583 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
585 struct ebt_entry_target *t;
586 struct ebt_target *target;
587 unsigned int i, j, hook = 0, hookmask = 0;
590 /* don't mess with the struct ebt_entries */
591 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
594 if (e->bitmask & ~EBT_F_MASK) {
595 BUGPRINT("Unknown flag for bitmask\n");
598 if (e->invflags & ~EBT_INV_MASK) {
599 BUGPRINT("Unknown flag for inv bitmask\n");
602 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
603 BUGPRINT("NOPROTO & 802_3 not allowed\n");
606 /* what hook do we belong to? */
607 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
608 if ((valid_hooks & (1 << i)) == 0)
610 if ((char *)newinfo->hook_entry[i] < (char *)e)
615 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
617 if (i < NF_BR_NUMHOOKS)
618 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
620 for (i = 0; i < udc_cnt; i++)
621 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
624 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
626 hookmask = cl_s[i - 1].hookmask;
629 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
631 goto cleanup_matches;
633 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
635 goto cleanup_watchers;
636 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
637 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
639 goto cleanup_watchers;
640 if (!try_module_get(target->me)) {
643 goto cleanup_watchers;
647 t->u.target = target;
648 if (t->u.target == &ebt_standard_target) {
649 if (e->target_offset + sizeof(struct ebt_standard_target) >
651 BUGPRINT("Standard target size too big\n");
653 goto cleanup_watchers;
655 if (((struct ebt_standard_target *)t)->verdict <
656 -NUM_STANDARD_TARGETS) {
657 BUGPRINT("Invalid standard target\n");
659 goto cleanup_watchers;
661 } else if ((e->target_offset + t->target_size +
662 sizeof(struct ebt_entry_target) > e->next_offset) ||
663 (t->u.target->check &&
664 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
665 module_put(t->u.target->me);
667 goto cleanup_watchers;
672 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
674 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
679 * checks for loops and sets the hook mask for udc
680 * the hook mask for udc tells us from which base chains the udc can be
681 * accessed. This mask is a parameter to the check() functions of the extensions
683 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
684 unsigned int udc_cnt, unsigned int hooknr, char *base)
686 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
687 struct ebt_entry *e = (struct ebt_entry *)chain->data;
688 struct ebt_entry_target *t;
690 while (pos < nentries || chain_nr != -1) {
691 /* end of udc, go back one 'recursion' step */
692 if (pos == nentries) {
693 /* put back values of the time when this chain was called */
694 e = cl_s[chain_nr].cs.e;
695 if (cl_s[chain_nr].from != -1)
697 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
699 nentries = chain->nentries;
700 pos = cl_s[chain_nr].cs.n;
701 /* make sure we won't see a loop that isn't one */
702 cl_s[chain_nr].cs.n = 0;
703 chain_nr = cl_s[chain_nr].from;
707 t = (struct ebt_entry_target *)
708 (((char *)e) + e->target_offset);
709 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
711 if (e->target_offset + sizeof(struct ebt_standard_target) >
713 BUGPRINT("Standard target size too big\n");
716 verdict = ((struct ebt_standard_target *)t)->verdict;
717 if (verdict >= 0) { /* jump to another chain */
718 struct ebt_entries *hlp2 =
719 (struct ebt_entries *)(base + verdict);
720 for (i = 0; i < udc_cnt; i++)
721 if (hlp2 == cl_s[i].cs.chaininfo)
723 /* bad destination or loop */
725 BUGPRINT("bad destination\n");
732 /* this can't be 0, so the above test is correct */
733 cl_s[i].cs.n = pos + 1;
735 cl_s[i].cs.e = ((void *)e + e->next_offset);
736 e = (struct ebt_entry *)(hlp2->data);
737 nentries = hlp2->nentries;
738 cl_s[i].from = chain_nr;
740 /* this udc is accessible from the base chain for hooknr */
741 cl_s[i].hookmask |= (1 << hooknr);
745 e = (void *)e + e->next_offset;
751 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
752 static int translate_table(struct ebt_replace *repl,
753 struct ebt_table_info *newinfo)
755 unsigned int i, j, k, udc_cnt;
757 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
760 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
762 if (i == NF_BR_NUMHOOKS) {
763 BUGPRINT("No valid hooks specified\n");
766 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
767 BUGPRINT("Chains don't start at beginning\n");
770 /* make sure chains are ordered after each other in same order
771 as their corresponding hooks */
772 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
773 if (!(repl->valid_hooks & (1 << j)))
775 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
776 BUGPRINT("Hook order must be followed\n");
782 for (i = 0; i < NF_BR_NUMHOOKS; i++)
783 newinfo->hook_entry[i] = NULL;
785 newinfo->entries_size = repl->entries_size;
786 newinfo->nentries = repl->nentries;
788 /* do some early checkings and initialize some things */
789 i = 0; /* holds the expected nr. of entries for the chain */
790 j = 0; /* holds the up to now counted entries for the chain */
791 k = 0; /* holds the total nr. of entries, should equal
792 newinfo->nentries afterwards */
793 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
794 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
795 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
796 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
797 &udc_cnt, repl->valid_hooks);
803 BUGPRINT("nentries does not equal the nr of entries in the "
807 if (k != newinfo->nentries) {
808 BUGPRINT("Total nentries is wrong\n");
812 /* check if all valid hooks have a chain */
813 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
814 if (newinfo->hook_entry[i] == NULL &&
815 (repl->valid_hooks & (1 << i))) {
816 BUGPRINT("Valid hook without chain\n");
821 /* get the location of the udc, put them in an array
822 while we're at it, allocate the chainstack */
824 /* this will get free'd in do_replace()/ebt_register_table()
825 if an error occurs */
826 newinfo->chainstack = (struct ebt_chainstack **)
827 vmalloc((highest_possible_processor_id()+1)
828 * sizeof(struct ebt_chainstack));
829 if (!newinfo->chainstack)
832 newinfo->chainstack[i] =
833 vmalloc(udc_cnt * sizeof(struct ebt_chainstack));
834 if (!newinfo->chainstack[i]) {
836 vfree(newinfo->chainstack[--i]);
837 vfree(newinfo->chainstack);
838 newinfo->chainstack = NULL;
843 cl_s = (struct ebt_cl_stack *)
844 vmalloc(udc_cnt * sizeof(struct ebt_cl_stack));
847 i = 0; /* the i'th udc */
848 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
849 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
850 repl->valid_hooks, cl_s);
853 BUGPRINT("i != udc_cnt\n");
859 /* Check for loops */
860 for (i = 0; i < NF_BR_NUMHOOKS; i++)
861 if (repl->valid_hooks & (1 << i))
862 if (check_chainloops(newinfo->hook_entry[i],
863 cl_s, udc_cnt, i, newinfo->entries)) {
868 /* we now know the following (along with E=mc²):
869 - the nr of entries in each chain is right
870 - the size of the allocated space is right
871 - all valid hooks have a corresponding chain
873 - wrong data can still be on the level of a single entry
874 - could be there are jumps to places that are not the
875 beginning of a chain. This can only occur in chains that
876 are not accessible from any base chains, so we don't care. */
878 /* used to know what we need to clean up if something goes wrong */
880 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
881 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
884 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
885 ebt_cleanup_entry, &i);
891 /* called under write_lock */
892 static void get_counters(struct ebt_counter *oldcounters,
893 struct ebt_counter *counters, unsigned int nentries)
896 struct ebt_counter *counter_base;
898 /* counters of cpu 0 */
899 memcpy(counters, oldcounters,
900 sizeof(struct ebt_counter) * nentries);
902 /* add other counters to those of cpu 0 */
906 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
907 for (i = 0; i < nentries; i++) {
908 counters[i].pcnt += counter_base[i].pcnt;
909 counters[i].bcnt += counter_base[i].bcnt;
914 /* replace the table */
915 static int do_replace(void __user *user, unsigned int len)
917 int ret, i, countersize;
918 struct ebt_table_info *newinfo;
919 struct ebt_replace tmp;
921 struct ebt_counter *counterstmp = NULL;
922 /* used to be able to unlock earlier */
923 struct ebt_table_info *table;
925 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
928 if (len != sizeof(tmp) + tmp.entries_size) {
929 BUGPRINT("Wrong len argument\n");
933 if (tmp.entries_size == 0) {
934 BUGPRINT("Entries_size never zero\n");
938 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
939 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
941 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
944 countersize = COUNTER_OFFSET(tmp.nentries) *
945 (highest_possible_processor_id()+1);
946 newinfo = (struct ebt_table_info *)
947 vmalloc(sizeof(struct ebt_table_info) + countersize);
952 memset(newinfo->counters, 0, countersize);
954 newinfo->entries = vmalloc(tmp.entries_size);
955 if (!newinfo->entries) {
960 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
961 BUGPRINT("Couldn't copy entries from userspace\n");
966 /* the user wants counters back
967 the check on the size is done later, when we have the lock */
968 if (tmp.num_counters) {
969 counterstmp = (struct ebt_counter *)
970 vmalloc(tmp.num_counters * sizeof(struct ebt_counter));
979 /* this can get initialized by translate_table() */
980 newinfo->chainstack = NULL;
981 ret = translate_table(&tmp, newinfo);
984 goto free_counterstmp;
986 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
992 /* the table doesn't like it */
993 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
996 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
997 BUGPRINT("Wrong nr. of counters requested\n");
1002 /* we have the mutex lock, so no danger in reading this pointer */
1004 /* make sure the table can only be rmmod'ed if it contains no rules */
1005 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1008 } else if (table->nentries && !newinfo->nentries)
1010 /* we need an atomic snapshot of the counters */
1011 write_lock_bh(&t->lock);
1012 if (tmp.num_counters)
1013 get_counters(t->private->counters, counterstmp,
1014 t->private->nentries);
1016 t->private = newinfo;
1017 write_unlock_bh(&t->lock);
1019 /* so, a user can change the chains while having messed up her counter
1020 allocation. Only reason why this is done is because this way the lock
1021 is held only once, while this doesn't bring the kernel into a
1023 if (tmp.num_counters &&
1024 copy_to_user(tmp.counters, counterstmp,
1025 tmp.num_counters * sizeof(struct ebt_counter))) {
1026 BUGPRINT("Couldn't copy counters to userspace\n");
1032 /* decrease module count and free resources */
1033 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1034 ebt_cleanup_entry, NULL);
1036 vfree(table->entries);
1037 if (table->chainstack) {
1039 vfree(table->chainstack[i]);
1040 vfree(table->chainstack);
1050 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1051 ebt_cleanup_entry, NULL);
1054 /* can be initialized in translate_table() */
1055 if (newinfo->chainstack) {
1057 vfree(newinfo->chainstack[i]);
1058 vfree(newinfo->chainstack);
1061 vfree(newinfo->entries);
1067 int ebt_register_target(struct ebt_target *target)
1071 ret = down_interruptible(&ebt_mutex);
1074 if (!list_named_insert(&ebt_targets, target)) {
1083 void ebt_unregister_target(struct ebt_target *target)
1086 LIST_DELETE(&ebt_targets, target);
1090 int ebt_register_match(struct ebt_match *match)
1094 ret = down_interruptible(&ebt_mutex);
1097 if (!list_named_insert(&ebt_matches, match)) {
1106 void ebt_unregister_match(struct ebt_match *match)
1109 LIST_DELETE(&ebt_matches, match);
1113 int ebt_register_watcher(struct ebt_watcher *watcher)
1117 ret = down_interruptible(&ebt_mutex);
1120 if (!list_named_insert(&ebt_watchers, watcher)) {
1129 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1132 LIST_DELETE(&ebt_watchers, watcher);
1136 int ebt_register_table(struct ebt_table *table)
1138 struct ebt_table_info *newinfo;
1139 int ret, i, countersize;
1141 if (!table || !table->table ||!table->table->entries ||
1142 table->table->entries_size == 0 ||
1143 table->table->counters || table->private) {
1144 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1148 countersize = COUNTER_OFFSET(table->table->nentries) *
1149 (highest_possible_processor_id()+1);
1150 newinfo = (struct ebt_table_info *)
1151 vmalloc(sizeof(struct ebt_table_info) + countersize);
1156 newinfo->entries = vmalloc(table->table->entries_size);
1157 if (!(newinfo->entries))
1160 memcpy(newinfo->entries, table->table->entries,
1161 table->table->entries_size);
1164 memset(newinfo->counters, 0, countersize);
1166 /* fill in newinfo and parse the entries */
1167 newinfo->chainstack = NULL;
1168 ret = translate_table(table->table, newinfo);
1170 BUGPRINT("Translate_table failed\n");
1171 goto free_chainstack;
1174 if (table->check && table->check(newinfo, table->valid_hooks)) {
1175 BUGPRINT("The table doesn't like its own initial data, lol\n");
1179 table->private = newinfo;
1180 rwlock_init(&table->lock);
1181 ret = down_interruptible(&ebt_mutex);
1183 goto free_chainstack;
1185 if (list_named_find(&ebt_tables, table->name)) {
1187 BUGPRINT("Table name already exists\n");
1191 /* Hold a reference count if the chains aren't empty */
1192 if (newinfo->nentries && !try_module_get(table->me)) {
1196 list_prepend(&ebt_tables, table);
1202 if (newinfo->chainstack) {
1204 vfree(newinfo->chainstack[i]);
1205 vfree(newinfo->chainstack);
1207 vfree(newinfo->entries);
1213 void ebt_unregister_table(struct ebt_table *table)
1218 BUGPRINT("Request to unregister NULL table!!!\n");
1222 LIST_DELETE(&ebt_tables, table);
1224 vfree(table->private->entries);
1225 if (table->private->chainstack) {
1227 vfree(table->private->chainstack[i]);
1228 vfree(table->private->chainstack);
1230 vfree(table->private);
1233 /* userspace just supplied us with counters */
1234 static int update_counters(void __user *user, unsigned int len)
1237 struct ebt_counter *tmp;
1238 struct ebt_replace hlp;
1239 struct ebt_table *t;
1241 if (copy_from_user(&hlp, user, sizeof(hlp)))
1244 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1246 if (hlp.num_counters == 0)
1249 if ( !(tmp = (struct ebt_counter *)
1250 vmalloc(hlp.num_counters * sizeof(struct ebt_counter))) ){
1251 MEMPRINT("Update_counters && nomemory\n");
1255 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1259 if (hlp.num_counters != t->private->nentries) {
1260 BUGPRINT("Wrong nr of counters\n");
1265 if ( copy_from_user(tmp, hlp.counters,
1266 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1267 BUGPRINT("Updata_counters && !cfu\n");
1272 /* we want an atomic add of the counters */
1273 write_lock_bh(&t->lock);
1275 /* we add to the counters of the first cpu */
1276 for (i = 0; i < hlp.num_counters; i++) {
1277 t->private->counters[i].pcnt += tmp[i].pcnt;
1278 t->private->counters[i].bcnt += tmp[i].bcnt;
1281 write_unlock_bh(&t->lock);
1290 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1291 char *base, char *ubase)
1293 char *hlp = ubase - base + (char *)m;
1294 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1299 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1300 char *base, char *ubase)
1302 char *hlp = ubase - base + (char *)w;
1303 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1308 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1312 struct ebt_entry_target *t;
1314 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
1317 hlp = ubase - base + (char *)e + e->target_offset;
1318 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1320 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1323 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1326 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1331 /* called with ebt_mutex down */
1332 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1335 struct ebt_replace tmp;
1336 struct ebt_counter *counterstmp, *oldcounters;
1337 unsigned int entries_size, nentries;
1340 if (cmd == EBT_SO_GET_ENTRIES) {
1341 entries_size = t->private->entries_size;
1342 nentries = t->private->nentries;
1343 entries = t->private->entries;
1344 oldcounters = t->private->counters;
1346 entries_size = t->table->entries_size;
1347 nentries = t->table->nentries;
1348 entries = t->table->entries;
1349 oldcounters = t->table->counters;
1352 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1353 BUGPRINT("Cfu didn't work\n");
1357 if (*len != sizeof(struct ebt_replace) + entries_size +
1358 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1359 BUGPRINT("Wrong size\n");
1363 if (tmp.nentries != nentries) {
1364 BUGPRINT("Nentries wrong\n");
1368 if (tmp.entries_size != entries_size) {
1369 BUGPRINT("Wrong size\n");
1373 /* userspace might not need the counters */
1374 if (tmp.num_counters) {
1375 if (tmp.num_counters != nentries) {
1376 BUGPRINT("Num_counters wrong\n");
1379 counterstmp = (struct ebt_counter *)
1380 vmalloc(nentries * sizeof(struct ebt_counter));
1382 MEMPRINT("Couldn't copy counters, out of memory\n");
1385 write_lock_bh(&t->lock);
1386 get_counters(oldcounters, counterstmp, nentries);
1387 write_unlock_bh(&t->lock);
1389 if (copy_to_user(tmp.counters, counterstmp,
1390 nentries * sizeof(struct ebt_counter))) {
1391 BUGPRINT("Couldn't copy counters to userspace\n");
1398 if (copy_to_user(tmp.entries, entries, entries_size)) {
1399 BUGPRINT("Couldn't copy entries to userspace\n");
1402 /* set the match/watcher/target names right */
1403 return EBT_ENTRY_ITERATE(entries, entries_size,
1404 ebt_make_names, entries, tmp.entries);
1407 static int do_ebt_set_ctl(struct sock *sk,
1408 int cmd, void __user *user, unsigned int len)
1413 case EBT_SO_SET_ENTRIES:
1414 ret = do_replace(user, len);
1416 case EBT_SO_SET_COUNTERS:
1417 ret = update_counters(user, len);
1425 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1428 struct ebt_replace tmp;
1429 struct ebt_table *t;
1431 if (copy_from_user(&tmp, user, sizeof(tmp)))
1434 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1439 case EBT_SO_GET_INFO:
1440 case EBT_SO_GET_INIT_INFO:
1441 if (*len != sizeof(struct ebt_replace)){
1446 if (cmd == EBT_SO_GET_INFO) {
1447 tmp.nentries = t->private->nentries;
1448 tmp.entries_size = t->private->entries_size;
1449 tmp.valid_hooks = t->valid_hooks;
1451 tmp.nentries = t->table->nentries;
1452 tmp.entries_size = t->table->entries_size;
1453 tmp.valid_hooks = t->table->valid_hooks;
1456 if (copy_to_user(user, &tmp, *len) != 0){
1457 BUGPRINT("c2u Didn't work\n");
1464 case EBT_SO_GET_ENTRIES:
1465 case EBT_SO_GET_INIT_ENTRIES:
1466 ret = copy_everything_to_user(t, user, len, cmd);
1478 static struct nf_sockopt_ops ebt_sockopts =
1479 { { NULL, NULL }, PF_INET, EBT_BASE_CTL, EBT_SO_SET_MAX + 1, do_ebt_set_ctl,
1480 EBT_BASE_CTL, EBT_SO_GET_MAX + 1, do_ebt_get_ctl, 0, NULL
1483 static int __init init(void)
1488 list_named_insert(&ebt_targets, &ebt_standard_target);
1490 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1493 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1497 static void __exit fini(void)
1499 nf_unregister_sockopt(&ebt_sockopts);
1500 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1503 EXPORT_SYMBOL(ebt_register_table);
1504 EXPORT_SYMBOL(ebt_unregister_table);
1505 EXPORT_SYMBOL(ebt_register_match);
1506 EXPORT_SYMBOL(ebt_unregister_match);
1507 EXPORT_SYMBOL(ebt_register_watcher);
1508 EXPORT_SYMBOL(ebt_unregister_watcher);
1509 EXPORT_SYMBOL(ebt_register_target);
1510 EXPORT_SYMBOL(ebt_unregister_target);
1511 EXPORT_SYMBOL(ebt_do_table);
1514 MODULE_LICENSE("GPL");
projects / linux-2.6 / blob