5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <linux/mutex.h>
28 #include <asm/uaccess.h>
29 #include <linux/smp.h>
30 #include <linux/cpumask.h>
32 /* needed for logical [in,out]-dev filtering */
33 #include "../br_private.h"
35 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
36 "report to author: "format, ## args)
37 /* #define BUGPRINT(format, args...) */
38 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
39 ": out of memory: "format, ## args)
40 /* #define MEMPRINT(format, args...) */
45 * Each cpu has its own set of counters, so there is no need for write_lock in
47 * For reading or updating the counters, the user context needs to
51 /* The size of each set of counters is altered to get cache alignment */
52 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
53 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
54 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
55 COUNTER_OFFSET(n) * cpu))
59 static DEFINE_MUTEX(ebt_mutex);
60 static LIST_HEAD(ebt_tables);
61 static LIST_HEAD(ebt_targets);
62 static LIST_HEAD(ebt_matches);
63 static LIST_HEAD(ebt_watchers);
65 static struct ebt_target ebt_standard_target =
66 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
68 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
69 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
70 const struct net_device *out)
72 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, const struct net_device *in,
80 const struct net_device *out)
82 return m->u.match->match(skb, in, out, m->data,
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
89 const char *devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
158 struct ebt_table_info *private;
160 read_lock_bh(&table->lock);
161 private = table->private;
162 cb_base = COUNTER_BASE(private->counters, private->nentries,
164 if (private->chainstack)
165 cs = private->chainstack[smp_processor_id()];
168 chaininfo = private->hook_entry[hook];
169 nentries = private->hook_entry[hook]->nentries;
170 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
171 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
172 /* base for chain jumps */
173 base = private->entries;
175 while (i < nentries) {
176 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
179 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
182 /* increase counter */
183 (*(counter_base + i)).pcnt++;
184 (*(counter_base + i)).bcnt+=(**pskb).len;
186 /* these should only watch: not modify, nor tell us
187 what to do with the packet */
188 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
191 t = (struct ebt_entry_target *)
192 (((char *)point) + point->target_offset);
193 /* standard target */
194 if (!t->u.target->target)
195 verdict = ((struct ebt_standard_target *)t)->verdict;
197 verdict = t->u.target->target(pskb, hook,
198 in, out, t->data, t->target_size);
199 if (verdict == EBT_ACCEPT) {
200 read_unlock_bh(&table->lock);
203 if (verdict == EBT_DROP) {
204 read_unlock_bh(&table->lock);
207 if (verdict == EBT_RETURN) {
209 #ifdef CONFIG_NETFILTER_DEBUG
211 BUGPRINT("RETURN on base chain");
212 /* act like this is EBT_CONTINUE */
217 /* put all the local variables right */
219 chaininfo = cs[sp].chaininfo;
220 nentries = chaininfo->nentries;
222 counter_base = cb_base +
223 chaininfo->counter_offset;
226 if (verdict == EBT_CONTINUE)
228 #ifdef CONFIG_NETFILTER_DEBUG
230 BUGPRINT("bogus standard verdict\n");
231 read_unlock_bh(&table->lock);
237 cs[sp].chaininfo = chaininfo;
238 cs[sp].e = (struct ebt_entry *)
239 (((char *)point) + point->next_offset);
241 chaininfo = (struct ebt_entries *) (base + verdict);
242 #ifdef CONFIG_NETFILTER_DEBUG
243 if (chaininfo->distinguisher) {
244 BUGPRINT("jump to non-chain\n");
245 read_unlock_bh(&table->lock);
249 nentries = chaininfo->nentries;
250 point = (struct ebt_entry *)chaininfo->data;
251 counter_base = cb_base + chaininfo->counter_offset;
255 point = (struct ebt_entry *)
256 (((char *)point) + point->next_offset);
260 /* I actually like this :) */
261 if (chaininfo->policy == EBT_RETURN)
263 if (chaininfo->policy == EBT_ACCEPT) {
264 read_unlock_bh(&table->lock);
267 read_unlock_bh(&table->lock);
271 /* If it succeeds, returns element and locks mutex */
273 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
277 struct list_head list;
278 char name[EBT_FUNCTION_MAXNAMELEN];
281 *error = mutex_lock_interruptible(mutex);
285 list_for_each_entry(e, head, list) {
286 if (strcmp(e->name, name) == 0)
295 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
298 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
299 int *error, struct mutex *mutex)
303 ret = find_inlist_lock_noload(head, name, error, mutex);
305 request_module("%s%s", prefix, name);
306 ret = find_inlist_lock_noload(head, name, error, mutex);
312 static inline struct ebt_table *
313 find_table_lock(const char *name, int *error, struct mutex *mutex)
315 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
318 static inline struct ebt_match *
319 find_match_lock(const char *name, int *error, struct mutex *mutex)
321 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
324 static inline struct ebt_watcher *
325 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
327 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
330 static inline struct ebt_target *
331 find_target_lock(const char *name, int *error, struct mutex *mutex)
333 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
337 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
338 const char *name, unsigned int hookmask, unsigned int *cnt)
340 struct ebt_match *match;
341 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
344 if (left < sizeof(struct ebt_entry_match) ||
345 left - sizeof(struct ebt_entry_match) < m->match_size)
347 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
351 if (!try_module_get(match->me)) {
352 mutex_unlock(&ebt_mutex);
355 mutex_unlock(&ebt_mutex);
357 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
358 BUGPRINT("match->check failed\n");
359 module_put(match->me);
367 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
368 const char *name, unsigned int hookmask, unsigned int *cnt)
370 struct ebt_watcher *watcher;
371 size_t left = ((char *)e + e->target_offset) - (char *)w;
374 if (left < sizeof(struct ebt_entry_watcher) ||
375 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
377 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
380 w->u.watcher = watcher;
381 if (!try_module_get(watcher->me)) {
382 mutex_unlock(&ebt_mutex);
385 mutex_unlock(&ebt_mutex);
386 if (watcher->check &&
387 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
388 BUGPRINT("watcher->check failed\n");
389 module_put(watcher->me);
396 static int ebt_verify_pointers(struct ebt_replace *repl,
397 struct ebt_table_info *newinfo)
399 unsigned int limit = repl->entries_size;
400 unsigned int valid_hooks = repl->valid_hooks;
401 unsigned int offset = 0;
404 for (i = 0; i < NF_BR_NUMHOOKS; i++)
405 newinfo->hook_entry[i] = NULL;
407 newinfo->entries_size = repl->entries_size;
408 newinfo->nentries = repl->nentries;
410 while (offset < limit) {
411 size_t left = limit - offset;
412 struct ebt_entry *e = (void *)newinfo->entries + offset;
414 if (left < sizeof(unsigned int))
417 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
418 if ((valid_hooks & (1 << i)) == 0)
420 if ((char __user *)repl->hook_entry[i] ==
421 repl->entries + offset)
425 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
426 if (e->bitmask != 0) {
427 /* we make userspace set this right,
428 so there is no misunderstanding */
429 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
430 "in distinguisher\n");
433 if (i != NF_BR_NUMHOOKS)
434 newinfo->hook_entry[i] = (struct ebt_entries *)e;
435 if (left < sizeof(struct ebt_entries))
437 offset += sizeof(struct ebt_entries);
439 if (left < sizeof(struct ebt_entry))
441 if (left < e->next_offset)
443 offset += e->next_offset;
446 if (offset != limit) {
447 BUGPRINT("entries_size too small\n");
451 /* check if all valid hooks have a chain */
452 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
453 if (!newinfo->hook_entry[i] &&
454 (valid_hooks & (1 << i))) {
455 BUGPRINT("Valid hook without chain\n");
463 * this one is very careful, as it is the first function
464 * to parse the userspace data
467 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
468 struct ebt_table_info *newinfo,
469 unsigned int *n, unsigned int *cnt,
470 unsigned int *totalcnt, unsigned int *udc_cnt)
474 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
475 if ((void *)e == (void *)newinfo->hook_entry[i])
478 /* beginning of a new chain
479 if i == NF_BR_NUMHOOKS it must be a user defined chain */
480 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
481 /* this checks if the previous chain has as many entries
484 BUGPRINT("nentries does not equal the nr of entries "
488 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
489 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
490 /* only RETURN from udc */
491 if (i != NF_BR_NUMHOOKS ||
492 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
493 BUGPRINT("bad policy\n");
497 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
499 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
500 BUGPRINT("counter_offset != totalcnt");
503 *n = ((struct ebt_entries *)e)->nentries;
507 /* a plain old entry, heh */
508 if (sizeof(struct ebt_entry) > e->watchers_offset ||
509 e->watchers_offset > e->target_offset ||
510 e->target_offset >= e->next_offset) {
511 BUGPRINT("entry offsets not in right order\n");
514 /* this is not checked anywhere else */
515 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
516 BUGPRINT("target size too small\n");
526 struct ebt_chainstack cs;
528 unsigned int hookmask;
532 * we need these positions to check that the jumps to a different part of the
533 * entries is a jump to the beginning of a new chain.
536 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
537 unsigned int *n, struct ebt_cl_stack *udc)
541 /* we're only interested in chain starts */
544 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
545 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
548 /* only care about udc */
549 if (i != NF_BR_NUMHOOKS)
552 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
553 /* these initialisations are depended on later in check_chainloops() */
555 udc[*n].hookmask = 0;
562 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
564 if (i && (*i)-- == 0)
566 if (m->u.match->destroy)
567 m->u.match->destroy(m->data, m->match_size);
568 module_put(m->u.match->me);
574 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
576 if (i && (*i)-- == 0)
578 if (w->u.watcher->destroy)
579 w->u.watcher->destroy(w->data, w->watcher_size);
580 module_put(w->u.watcher->me);
586 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
588 struct ebt_entry_target *t;
593 if (cnt && (*cnt)-- == 0)
595 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
596 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
597 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
598 if (t->u.target->destroy)
599 t->u.target->destroy(t->data, t->target_size);
600 module_put(t->u.target->me);
606 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
607 const char *name, unsigned int *cnt,
608 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
610 struct ebt_entry_target *t;
611 struct ebt_target *target;
612 unsigned int i, j, hook = 0, hookmask = 0;
616 /* don't mess with the struct ebt_entries */
620 if (e->bitmask & ~EBT_F_MASK) {
621 BUGPRINT("Unknown flag for bitmask\n");
624 if (e->invflags & ~EBT_INV_MASK) {
625 BUGPRINT("Unknown flag for inv bitmask\n");
628 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
629 BUGPRINT("NOPROTO & 802_3 not allowed\n");
632 /* what hook do we belong to? */
633 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
634 if (!newinfo->hook_entry[i])
636 if ((char *)newinfo->hook_entry[i] < (char *)e)
641 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
643 if (i < NF_BR_NUMHOOKS)
644 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
646 for (i = 0; i < udc_cnt; i++)
647 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
650 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
652 hookmask = cl_s[i - 1].hookmask;
655 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
657 goto cleanup_matches;
659 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
661 goto cleanup_watchers;
662 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
663 gap = e->next_offset - e->target_offset;
664 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
666 goto cleanup_watchers;
667 if (!try_module_get(target->me)) {
668 mutex_unlock(&ebt_mutex);
670 goto cleanup_watchers;
672 mutex_unlock(&ebt_mutex);
674 t->u.target = target;
675 if (t->u.target == &ebt_standard_target) {
676 if (gap < sizeof(struct ebt_standard_target)) {
677 BUGPRINT("Standard target size too big\n");
679 goto cleanup_watchers;
681 if (((struct ebt_standard_target *)t)->verdict <
682 -NUM_STANDARD_TARGETS) {
683 BUGPRINT("Invalid standard target\n");
685 goto cleanup_watchers;
687 } else if (t->target_size > gap - sizeof(struct ebt_entry_target) ||
688 (t->u.target->check &&
689 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
690 module_put(t->u.target->me);
692 goto cleanup_watchers;
697 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
699 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
704 * checks for loops and sets the hook mask for udc
705 * the hook mask for udc tells us from which base chains the udc can be
706 * accessed. This mask is a parameter to the check() functions of the extensions
708 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
709 unsigned int udc_cnt, unsigned int hooknr, char *base)
711 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
712 struct ebt_entry *e = (struct ebt_entry *)chain->data;
713 struct ebt_entry_target *t;
715 while (pos < nentries || chain_nr != -1) {
716 /* end of udc, go back one 'recursion' step */
717 if (pos == nentries) {
718 /* put back values of the time when this chain was called */
719 e = cl_s[chain_nr].cs.e;
720 if (cl_s[chain_nr].from != -1)
722 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
724 nentries = chain->nentries;
725 pos = cl_s[chain_nr].cs.n;
726 /* make sure we won't see a loop that isn't one */
727 cl_s[chain_nr].cs.n = 0;
728 chain_nr = cl_s[chain_nr].from;
732 t = (struct ebt_entry_target *)
733 (((char *)e) + e->target_offset);
734 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
736 if (e->target_offset + sizeof(struct ebt_standard_target) >
738 BUGPRINT("Standard target size too big\n");
741 verdict = ((struct ebt_standard_target *)t)->verdict;
742 if (verdict >= 0) { /* jump to another chain */
743 struct ebt_entries *hlp2 =
744 (struct ebt_entries *)(base + verdict);
745 for (i = 0; i < udc_cnt; i++)
746 if (hlp2 == cl_s[i].cs.chaininfo)
748 /* bad destination or loop */
750 BUGPRINT("bad destination\n");
757 if (cl_s[i].hookmask & (1 << hooknr))
759 /* this can't be 0, so the loop test is correct */
760 cl_s[i].cs.n = pos + 1;
762 cl_s[i].cs.e = ((void *)e + e->next_offset);
763 e = (struct ebt_entry *)(hlp2->data);
764 nentries = hlp2->nentries;
765 cl_s[i].from = chain_nr;
767 /* this udc is accessible from the base chain for hooknr */
768 cl_s[i].hookmask |= (1 << hooknr);
772 e = (void *)e + e->next_offset;
778 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
779 static int translate_table(char *name, struct ebt_table_info *newinfo)
781 unsigned int i, j, k, udc_cnt;
783 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
786 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
788 if (i == NF_BR_NUMHOOKS) {
789 BUGPRINT("No valid hooks specified\n");
792 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
793 BUGPRINT("Chains don't start at beginning\n");
796 /* make sure chains are ordered after each other in same order
797 as their corresponding hooks */
798 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
799 if (!newinfo->hook_entry[j])
801 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
802 BUGPRINT("Hook order must be followed\n");
808 /* do some early checkings and initialize some things */
809 i = 0; /* holds the expected nr. of entries for the chain */
810 j = 0; /* holds the up to now counted entries for the chain */
811 k = 0; /* holds the total nr. of entries, should equal
812 newinfo->nentries afterwards */
813 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
814 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
815 ebt_check_entry_size_and_hooks, newinfo,
816 &i, &j, &k, &udc_cnt);
822 BUGPRINT("nentries does not equal the nr of entries in the "
826 if (k != newinfo->nentries) {
827 BUGPRINT("Total nentries is wrong\n");
831 /* get the location of the udc, put them in an array
832 while we're at it, allocate the chainstack */
834 /* this will get free'd in do_replace()/ebt_register_table()
835 if an error occurs */
836 newinfo->chainstack =
837 vmalloc((highest_possible_processor_id()+1)
838 * sizeof(*(newinfo->chainstack)));
839 if (!newinfo->chainstack)
841 for_each_possible_cpu(i) {
842 newinfo->chainstack[i] =
843 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
844 if (!newinfo->chainstack[i]) {
846 vfree(newinfo->chainstack[--i]);
847 vfree(newinfo->chainstack);
848 newinfo->chainstack = NULL;
853 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
856 i = 0; /* the i'th udc */
857 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
858 ebt_get_udc_positions, newinfo, &i, cl_s);
861 BUGPRINT("i != udc_cnt\n");
867 /* Check for loops */
868 for (i = 0; i < NF_BR_NUMHOOKS; i++)
869 if (newinfo->hook_entry[i])
870 if (check_chainloops(newinfo->hook_entry[i],
871 cl_s, udc_cnt, i, newinfo->entries)) {
876 /* we now know the following (along with E=mc²):
877 - the nr of entries in each chain is right
878 - the size of the allocated space is right
879 - all valid hooks have a corresponding chain
881 - wrong data can still be on the level of a single entry
882 - could be there are jumps to places that are not the
883 beginning of a chain. This can only occur in chains that
884 are not accessible from any base chains, so we don't care. */
886 /* used to know what we need to clean up if something goes wrong */
888 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
889 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
891 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
892 ebt_cleanup_entry, &i);
898 /* called under write_lock */
899 static void get_counters(struct ebt_counter *oldcounters,
900 struct ebt_counter *counters, unsigned int nentries)
903 struct ebt_counter *counter_base;
905 /* counters of cpu 0 */
906 memcpy(counters, oldcounters,
907 sizeof(struct ebt_counter) * nentries);
909 /* add other counters to those of cpu 0 */
910 for_each_possible_cpu(cpu) {
913 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
914 for (i = 0; i < nentries; i++) {
915 counters[i].pcnt += counter_base[i].pcnt;
916 counters[i].bcnt += counter_base[i].bcnt;
921 /* replace the table */
922 static int do_replace(void __user *user, unsigned int len)
924 int ret, i, countersize;
925 struct ebt_table_info *newinfo;
926 struct ebt_replace tmp;
928 struct ebt_counter *counterstmp = NULL;
929 /* used to be able to unlock earlier */
930 struct ebt_table_info *table;
932 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
935 if (len != sizeof(tmp) + tmp.entries_size) {
936 BUGPRINT("Wrong len argument\n");
940 if (tmp.entries_size == 0) {
941 BUGPRINT("Entries_size never zero\n");
945 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
946 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
948 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
951 countersize = COUNTER_OFFSET(tmp.nentries) *
952 (highest_possible_processor_id()+1);
953 newinfo = vmalloc(sizeof(*newinfo) + countersize);
958 memset(newinfo->counters, 0, countersize);
960 newinfo->entries = vmalloc(tmp.entries_size);
961 if (!newinfo->entries) {
966 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
967 BUGPRINT("Couldn't copy entries from userspace\n");
972 /* the user wants counters back
973 the check on the size is done later, when we have the lock */
974 if (tmp.num_counters) {
975 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
984 /* this can get initialized by translate_table() */
985 newinfo->chainstack = NULL;
986 ret = ebt_verify_pointers(&tmp, newinfo);
988 goto free_counterstmp;
990 ret = translate_table(tmp.name, newinfo);
993 goto free_counterstmp;
995 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1001 /* the table doesn't like it */
1002 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1005 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1006 BUGPRINT("Wrong nr. of counters requested\n");
1011 /* we have the mutex lock, so no danger in reading this pointer */
1013 /* make sure the table can only be rmmod'ed if it contains no rules */
1014 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1017 } else if (table->nentries && !newinfo->nentries)
1019 /* we need an atomic snapshot of the counters */
1020 write_lock_bh(&t->lock);
1021 if (tmp.num_counters)
1022 get_counters(t->private->counters, counterstmp,
1023 t->private->nentries);
1025 t->private = newinfo;
1026 write_unlock_bh(&t->lock);
1027 mutex_unlock(&ebt_mutex);
1028 /* so, a user can change the chains while having messed up her counter
1029 allocation. Only reason why this is done is because this way the lock
1030 is held only once, while this doesn't bring the kernel into a
1032 if (tmp.num_counters &&
1033 copy_to_user(tmp.counters, counterstmp,
1034 tmp.num_counters * sizeof(struct ebt_counter))) {
1035 BUGPRINT("Couldn't copy counters to userspace\n");
1041 /* decrease module count and free resources */
1042 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1043 ebt_cleanup_entry, NULL);
1045 vfree(table->entries);
1046 if (table->chainstack) {
1047 for_each_possible_cpu(i)
1048 vfree(table->chainstack[i]);
1049 vfree(table->chainstack);
1057 mutex_unlock(&ebt_mutex);
1059 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1060 ebt_cleanup_entry, NULL);
1063 /* can be initialized in translate_table() */
1064 if (newinfo->chainstack) {
1065 for_each_possible_cpu(i)
1066 vfree(newinfo->chainstack[i]);
1067 vfree(newinfo->chainstack);
1070 vfree(newinfo->entries);
1076 int ebt_register_target(struct ebt_target *target)
1078 struct ebt_target *t;
1081 ret = mutex_lock_interruptible(&ebt_mutex);
1084 list_for_each_entry(t, &ebt_targets, list) {
1085 if (strcmp(t->name, target->name) == 0) {
1086 mutex_unlock(&ebt_mutex);
1090 list_add(&target->list, &ebt_targets);
1091 mutex_unlock(&ebt_mutex);
1096 void ebt_unregister_target(struct ebt_target *target)
1098 mutex_lock(&ebt_mutex);
1099 list_del(&target->list);
1100 mutex_unlock(&ebt_mutex);
1103 int ebt_register_match(struct ebt_match *match)
1105 struct ebt_match *m;
1108 ret = mutex_lock_interruptible(&ebt_mutex);
1111 list_for_each_entry(m, &ebt_matches, list) {
1112 if (strcmp(m->name, match->name) == 0) {
1113 mutex_unlock(&ebt_mutex);
1117 list_add(&match->list, &ebt_matches);
1118 mutex_unlock(&ebt_mutex);
1123 void ebt_unregister_match(struct ebt_match *match)
1125 mutex_lock(&ebt_mutex);
1126 list_del(&match->list);
1127 mutex_unlock(&ebt_mutex);
1130 int ebt_register_watcher(struct ebt_watcher *watcher)
1132 struct ebt_watcher *w;
1135 ret = mutex_lock_interruptible(&ebt_mutex);
1138 list_for_each_entry(w, &ebt_watchers, list) {
1139 if (strcmp(w->name, watcher->name) == 0) {
1140 mutex_unlock(&ebt_mutex);
1144 list_add(&watcher->list, &ebt_watchers);
1145 mutex_unlock(&ebt_mutex);
1150 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1152 mutex_lock(&ebt_mutex);
1153 list_del(&watcher->list);
1154 mutex_unlock(&ebt_mutex);
1157 int ebt_register_table(struct ebt_table *table)
1159 struct ebt_table_info *newinfo;
1160 struct ebt_table *t;
1161 struct ebt_replace_kernel *repl;
1162 int ret, i, countersize;
1165 if (!table || !(repl = table->table) || !repl->entries ||
1166 repl->entries_size == 0 ||
1167 repl->counters || table->private) {
1168 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1172 countersize = COUNTER_OFFSET(repl->nentries) *
1173 (highest_possible_processor_id()+1);
1174 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1179 p = vmalloc(repl->entries_size);
1183 memcpy(p, repl->entries, repl->entries_size);
1184 newinfo->entries = p;
1186 newinfo->entries_size = repl->entries_size;
1187 newinfo->nentries = repl->nentries;
1190 memset(newinfo->counters, 0, countersize);
1192 /* fill in newinfo and parse the entries */
1193 newinfo->chainstack = NULL;
1194 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1195 if ((repl->valid_hooks & (1 << i)) == 0)
1196 newinfo->hook_entry[i] = NULL;
1198 newinfo->hook_entry[i] = p +
1199 ((char *)repl->hook_entry[i] - repl->entries);
1201 ret = translate_table(repl->name, newinfo);
1203 BUGPRINT("Translate_table failed\n");
1204 goto free_chainstack;
1207 if (table->check && table->check(newinfo, table->valid_hooks)) {
1208 BUGPRINT("The table doesn't like its own initial data, lol\n");
1212 table->private = newinfo;
1213 rwlock_init(&table->lock);
1214 ret = mutex_lock_interruptible(&ebt_mutex);
1216 goto free_chainstack;
1218 list_for_each_entry(t, &ebt_tables, list) {
1219 if (strcmp(t->name, table->name) == 0) {
1221 BUGPRINT("Table name already exists\n");
1226 /* Hold a reference count if the chains aren't empty */
1227 if (newinfo->nentries && !try_module_get(table->me)) {
1231 list_add(&table->list, &ebt_tables);
1232 mutex_unlock(&ebt_mutex);
1235 mutex_unlock(&ebt_mutex);
1237 if (newinfo->chainstack) {
1238 for_each_possible_cpu(i)
1239 vfree(newinfo->chainstack[i]);
1240 vfree(newinfo->chainstack);
1242 vfree(newinfo->entries);
1248 void ebt_unregister_table(struct ebt_table *table)
1253 BUGPRINT("Request to unregister NULL table!!!\n");
1256 mutex_lock(&ebt_mutex);
1257 list_del(&table->list);
1258 mutex_unlock(&ebt_mutex);
1259 vfree(table->private->entries);
1260 if (table->private->chainstack) {
1261 for_each_possible_cpu(i)
1262 vfree(table->private->chainstack[i]);
1263 vfree(table->private->chainstack);
1265 vfree(table->private);
1268 /* userspace just supplied us with counters */
1269 static int update_counters(void __user *user, unsigned int len)
1272 struct ebt_counter *tmp;
1273 struct ebt_replace hlp;
1274 struct ebt_table *t;
1276 if (copy_from_user(&hlp, user, sizeof(hlp)))
1279 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1281 if (hlp.num_counters == 0)
1284 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1285 MEMPRINT("Update_counters && nomemory\n");
1289 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1293 if (hlp.num_counters != t->private->nentries) {
1294 BUGPRINT("Wrong nr of counters\n");
1299 if ( copy_from_user(tmp, hlp.counters,
1300 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1301 BUGPRINT("Updata_counters && !cfu\n");
1306 /* we want an atomic add of the counters */
1307 write_lock_bh(&t->lock);
1309 /* we add to the counters of the first cpu */
1310 for (i = 0; i < hlp.num_counters; i++) {
1311 t->private->counters[i].pcnt += tmp[i].pcnt;
1312 t->private->counters[i].bcnt += tmp[i].bcnt;
1315 write_unlock_bh(&t->lock);
1318 mutex_unlock(&ebt_mutex);
1324 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1325 char *base, char __user *ubase)
1327 char __user *hlp = ubase + ((char *)m - base);
1328 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1333 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1334 char *base, char __user *ubase)
1336 char __user *hlp = ubase + ((char *)w - base);
1337 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1342 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1346 struct ebt_entry_target *t;
1348 if (e->bitmask == 0)
1351 hlp = ubase + (((char *)e + e->target_offset) - base);
1352 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1354 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1357 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1360 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1365 /* called with ebt_mutex locked */
1366 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1369 struct ebt_replace tmp;
1370 struct ebt_counter *counterstmp, *oldcounters;
1371 unsigned int entries_size, nentries;
1374 if (cmd == EBT_SO_GET_ENTRIES) {
1375 entries_size = t->private->entries_size;
1376 nentries = t->private->nentries;
1377 entries = t->private->entries;
1378 oldcounters = t->private->counters;
1380 entries_size = t->table->entries_size;
1381 nentries = t->table->nentries;
1382 entries = t->table->entries;
1383 oldcounters = t->table->counters;
1386 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1387 BUGPRINT("Cfu didn't work\n");
1391 if (*len != sizeof(struct ebt_replace) + entries_size +
1392 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1393 BUGPRINT("Wrong size\n");
1397 if (tmp.nentries != nentries) {
1398 BUGPRINT("Nentries wrong\n");
1402 if (tmp.entries_size != entries_size) {
1403 BUGPRINT("Wrong size\n");
1407 /* userspace might not need the counters */
1408 if (tmp.num_counters) {
1409 if (tmp.num_counters != nentries) {
1410 BUGPRINT("Num_counters wrong\n");
1413 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1415 MEMPRINT("Couldn't copy counters, out of memory\n");
1418 write_lock_bh(&t->lock);
1419 get_counters(oldcounters, counterstmp, nentries);
1420 write_unlock_bh(&t->lock);
1422 if (copy_to_user(tmp.counters, counterstmp,
1423 nentries * sizeof(struct ebt_counter))) {
1424 BUGPRINT("Couldn't copy counters to userspace\n");
1431 if (copy_to_user(tmp.entries, entries, entries_size)) {
1432 BUGPRINT("Couldn't copy entries to userspace\n");
1435 /* set the match/watcher/target names right */
1436 return EBT_ENTRY_ITERATE(entries, entries_size,
1437 ebt_make_names, entries, tmp.entries);
1440 static int do_ebt_set_ctl(struct sock *sk,
1441 int cmd, void __user *user, unsigned int len)
1446 case EBT_SO_SET_ENTRIES:
1447 ret = do_replace(user, len);
1449 case EBT_SO_SET_COUNTERS:
1450 ret = update_counters(user, len);
1458 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1461 struct ebt_replace tmp;
1462 struct ebt_table *t;
1464 if (copy_from_user(&tmp, user, sizeof(tmp)))
1467 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1472 case EBT_SO_GET_INFO:
1473 case EBT_SO_GET_INIT_INFO:
1474 if (*len != sizeof(struct ebt_replace)){
1476 mutex_unlock(&ebt_mutex);
1479 if (cmd == EBT_SO_GET_INFO) {
1480 tmp.nentries = t->private->nentries;
1481 tmp.entries_size = t->private->entries_size;
1482 tmp.valid_hooks = t->valid_hooks;
1484 tmp.nentries = t->table->nentries;
1485 tmp.entries_size = t->table->entries_size;
1486 tmp.valid_hooks = t->table->valid_hooks;
1488 mutex_unlock(&ebt_mutex);
1489 if (copy_to_user(user, &tmp, *len) != 0){
1490 BUGPRINT("c2u Didn't work\n");
1497 case EBT_SO_GET_ENTRIES:
1498 case EBT_SO_GET_INIT_ENTRIES:
1499 ret = copy_everything_to_user(t, user, len, cmd);
1500 mutex_unlock(&ebt_mutex);
1504 mutex_unlock(&ebt_mutex);
1511 static struct nf_sockopt_ops ebt_sockopts =
1514 .set_optmin = EBT_BASE_CTL,
1515 .set_optmax = EBT_SO_SET_MAX + 1,
1516 .set = do_ebt_set_ctl,
1517 .get_optmin = EBT_BASE_CTL,
1518 .get_optmax = EBT_SO_GET_MAX + 1,
1519 .get = do_ebt_get_ctl,
1522 static int __init ebtables_init(void)
1526 mutex_lock(&ebt_mutex);
1527 list_add(&ebt_standard_target.list, &ebt_targets);
1528 mutex_unlock(&ebt_mutex);
1529 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1532 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1536 static void __exit ebtables_fini(void)
1538 nf_unregister_sockopt(&ebt_sockopts);
1539 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1542 EXPORT_SYMBOL(ebt_register_table);
1543 EXPORT_SYMBOL(ebt_unregister_table);
1544 EXPORT_SYMBOL(ebt_register_match);
1545 EXPORT_SYMBOL(ebt_unregister_match);
1546 EXPORT_SYMBOL(ebt_register_watcher);
1547 EXPORT_SYMBOL(ebt_unregister_watcher);
1548 EXPORT_SYMBOL(ebt_register_target);
1549 EXPORT_SYMBOL(ebt_unregister_target);
1550 EXPORT_SYMBOL(ebt_do_table);
1551 module_init(ebtables_init);
1552 module_exit(ebtables_fini);
1553 MODULE_LICENSE("GPL");
projects / linux-2.6 / blob