5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
59 static struct xt_target ebt_standard_target = {
62 .family = NFPROTO_BRIDGE,
63 .targetsize = sizeof(int),
67 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
68 struct xt_target_param *par)
70 par->target = w->u.watcher;
71 par->targinfo = w->data;
72 w->u.watcher->target(skb, par);
73 /* watchers don't give a verdict */
77 static inline int ebt_do_match (struct ebt_entry_match *m,
78 const struct sk_buff *skb, struct xt_match_param *par)
80 par->match = m->u.match;
81 par->matchinfo = m->data;
82 return m->u.match->match(skb, par);
85 static inline int ebt_dev_check(char *entry, const struct net_device *device)
88 const char *devname = device->name;
94 /* 1 is the wildcard token */
95 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
97 return (devname[i] != entry[i] && entry[i] != 1);
100 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
101 /* process standard matches */
102 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
103 const struct net_device *in, const struct net_device *out)
107 if (e->bitmask & EBT_802_3) {
108 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
110 } else if (!(e->bitmask & EBT_NOPROTO) &&
111 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
114 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
116 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
118 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
119 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
121 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
122 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
125 if (e->bitmask & EBT_SOURCEMAC) {
127 for (i = 0; i < 6; i++)
128 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
130 if (FWINV2(verdict != 0, EBT_ISOURCE) )
133 if (e->bitmask & EBT_DESTMAC) {
135 for (i = 0; i < 6; i++)
136 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
138 if (FWINV2(verdict != 0, EBT_IDEST) )
144 /* Do some firewalling */
145 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
146 const struct net_device *in, const struct net_device *out,
147 struct ebt_table *table)
150 struct ebt_entry *point;
151 struct ebt_counter *counter_base, *cb_base;
152 struct ebt_entry_target *t;
154 struct ebt_chainstack *cs;
155 struct ebt_entries *chaininfo;
157 struct ebt_table_info *private;
158 bool hotdrop = false;
159 struct xt_match_param mtpar;
160 struct xt_target_param tgpar;
162 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
163 mtpar.in = tgpar.in = in;
164 mtpar.out = tgpar.out = out;
165 mtpar.hotdrop = &hotdrop;
166 tgpar.hooknum = hook;
168 read_lock_bh(&table->lock);
169 private = table->private;
170 cb_base = COUNTER_BASE(private->counters, private->nentries,
172 if (private->chainstack)
173 cs = private->chainstack[smp_processor_id()];
176 chaininfo = private->hook_entry[hook];
177 nentries = private->hook_entry[hook]->nentries;
178 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
179 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
180 /* base for chain jumps */
181 base = private->entries;
183 while (i < nentries) {
184 if (ebt_basic_match(point, eth_hdr(skb), in, out))
187 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
190 read_unlock_bh(&table->lock);
194 /* increase counter */
195 (*(counter_base + i)).pcnt++;
196 (*(counter_base + i)).bcnt += skb->len;
198 /* these should only watch: not modify, nor tell us
199 what to do with the packet */
200 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
202 t = (struct ebt_entry_target *)
203 (((char *)point) + point->target_offset);
204 /* standard target */
205 if (!t->u.target->target)
206 verdict = ((struct ebt_standard_target *)t)->verdict;
208 tgpar.target = t->u.target;
209 tgpar.targinfo = t->data;
210 verdict = t->u.target->target(skb, &tgpar);
212 if (verdict == EBT_ACCEPT) {
213 read_unlock_bh(&table->lock);
216 if (verdict == EBT_DROP) {
217 read_unlock_bh(&table->lock);
220 if (verdict == EBT_RETURN) {
222 #ifdef CONFIG_NETFILTER_DEBUG
224 BUGPRINT("RETURN on base chain");
225 /* act like this is EBT_CONTINUE */
230 /* put all the local variables right */
232 chaininfo = cs[sp].chaininfo;
233 nentries = chaininfo->nentries;
235 counter_base = cb_base +
236 chaininfo->counter_offset;
239 if (verdict == EBT_CONTINUE)
241 #ifdef CONFIG_NETFILTER_DEBUG
243 BUGPRINT("bogus standard verdict\n");
244 read_unlock_bh(&table->lock);
250 cs[sp].chaininfo = chaininfo;
251 cs[sp].e = (struct ebt_entry *)
252 (((char *)point) + point->next_offset);
254 chaininfo = (struct ebt_entries *) (base + verdict);
255 #ifdef CONFIG_NETFILTER_DEBUG
256 if (chaininfo->distinguisher) {
257 BUGPRINT("jump to non-chain\n");
258 read_unlock_bh(&table->lock);
262 nentries = chaininfo->nentries;
263 point = (struct ebt_entry *)chaininfo->data;
264 counter_base = cb_base + chaininfo->counter_offset;
268 point = (struct ebt_entry *)
269 (((char *)point) + point->next_offset);
273 /* I actually like this :) */
274 if (chaininfo->policy == EBT_RETURN)
276 if (chaininfo->policy == EBT_ACCEPT) {
277 read_unlock_bh(&table->lock);
280 read_unlock_bh(&table->lock);
284 /* If it succeeds, returns element and locks mutex */
286 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
290 struct list_head list;
291 char name[EBT_FUNCTION_MAXNAMELEN];
294 *error = mutex_lock_interruptible(mutex);
298 list_for_each_entry(e, head, list) {
299 if (strcmp(e->name, name) == 0)
308 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
309 int *error, struct mutex *mutex)
311 return try_then_request_module(
312 find_inlist_lock_noload(head, name, error, mutex),
313 "%s%s", prefix, name);
316 static inline struct ebt_table *
317 find_table_lock(struct net *net, const char *name, int *error,
320 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
321 "ebtable_", error, mutex);
325 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
328 const struct ebt_entry *e = par->entryinfo;
329 struct xt_match *match;
330 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
333 if (left < sizeof(struct ebt_entry_match) ||
334 left - sizeof(struct ebt_entry_match) < m->match_size)
337 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
338 m->u.name, 0), "ebt_%s", m->u.name);
340 return PTR_ERR(match);
346 par->matchinfo = m->data;
347 ret = xt_check_match(par, m->match_size,
348 e->ethproto, e->invflags & EBT_IPROTO);
350 module_put(match->me);
359 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
362 const struct ebt_entry *e = par->entryinfo;
363 struct xt_target *watcher;
364 size_t left = ((char *)e + e->target_offset) - (char *)w;
367 if (left < sizeof(struct ebt_entry_watcher) ||
368 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
371 watcher = try_then_request_module(
372 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
373 "ebt_%s", w->u.name);
375 return PTR_ERR(watcher);
378 w->u.watcher = watcher;
380 par->target = watcher;
381 par->targinfo = w->data;
382 ret = xt_check_target(par, w->watcher_size,
383 e->ethproto, e->invflags & EBT_IPROTO);
385 module_put(watcher->me);
393 static int ebt_verify_pointers(struct ebt_replace *repl,
394 struct ebt_table_info *newinfo)
396 unsigned int limit = repl->entries_size;
397 unsigned int valid_hooks = repl->valid_hooks;
398 unsigned int offset = 0;
401 for (i = 0; i < NF_BR_NUMHOOKS; i++)
402 newinfo->hook_entry[i] = NULL;
404 newinfo->entries_size = repl->entries_size;
405 newinfo->nentries = repl->nentries;
407 while (offset < limit) {
408 size_t left = limit - offset;
409 struct ebt_entry *e = (void *)newinfo->entries + offset;
411 if (left < sizeof(unsigned int))
414 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
415 if ((valid_hooks & (1 << i)) == 0)
417 if ((char __user *)repl->hook_entry[i] ==
418 repl->entries + offset)
422 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
423 if (e->bitmask != 0) {
424 /* we make userspace set this right,
425 so there is no misunderstanding */
426 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
427 "in distinguisher\n");
430 if (i != NF_BR_NUMHOOKS)
431 newinfo->hook_entry[i] = (struct ebt_entries *)e;
432 if (left < sizeof(struct ebt_entries))
434 offset += sizeof(struct ebt_entries);
436 if (left < sizeof(struct ebt_entry))
438 if (left < e->next_offset)
440 offset += e->next_offset;
443 if (offset != limit) {
444 BUGPRINT("entries_size too small\n");
448 /* check if all valid hooks have a chain */
449 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
450 if (!newinfo->hook_entry[i] &&
451 (valid_hooks & (1 << i))) {
452 BUGPRINT("Valid hook without chain\n");
460 * this one is very careful, as it is the first function
461 * to parse the userspace data
464 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
465 struct ebt_table_info *newinfo,
466 unsigned int *n, unsigned int *cnt,
467 unsigned int *totalcnt, unsigned int *udc_cnt)
471 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
472 if ((void *)e == (void *)newinfo->hook_entry[i])
475 /* beginning of a new chain
476 if i == NF_BR_NUMHOOKS it must be a user defined chain */
477 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
478 /* this checks if the previous chain has as many entries
481 BUGPRINT("nentries does not equal the nr of entries "
485 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
486 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
487 /* only RETURN from udc */
488 if (i != NF_BR_NUMHOOKS ||
489 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
490 BUGPRINT("bad policy\n");
494 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
496 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
497 BUGPRINT("counter_offset != totalcnt");
500 *n = ((struct ebt_entries *)e)->nentries;
504 /* a plain old entry, heh */
505 if (sizeof(struct ebt_entry) > e->watchers_offset ||
506 e->watchers_offset > e->target_offset ||
507 e->target_offset >= e->next_offset) {
508 BUGPRINT("entry offsets not in right order\n");
511 /* this is not checked anywhere else */
512 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
513 BUGPRINT("target size too small\n");
523 struct ebt_chainstack cs;
525 unsigned int hookmask;
529 * we need these positions to check that the jumps to a different part of the
530 * entries is a jump to the beginning of a new chain.
533 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
534 unsigned int *n, struct ebt_cl_stack *udc)
538 /* we're only interested in chain starts */
541 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
542 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
545 /* only care about udc */
546 if (i != NF_BR_NUMHOOKS)
549 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
550 /* these initialisations are depended on later in check_chainloops() */
552 udc[*n].hookmask = 0;
559 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
561 struct xt_mtdtor_param par;
563 if (i && (*i)-- == 0)
566 par.match = m->u.match;
567 par.matchinfo = m->data;
568 par.family = NFPROTO_BRIDGE;
569 if (par.match->destroy != NULL)
570 par.match->destroy(&par);
571 module_put(par.match->me);
576 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
578 struct xt_tgdtor_param par;
580 if (i && (*i)-- == 0)
583 par.target = w->u.watcher;
584 par.targinfo = w->data;
585 par.family = NFPROTO_BRIDGE;
586 if (par.target->destroy != NULL)
587 par.target->destroy(&par);
588 module_put(par.target->me);
593 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
595 struct xt_tgdtor_param par;
596 struct ebt_entry_target *t;
601 if (cnt && (*cnt)-- == 0)
603 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
604 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
605 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
607 par.target = t->u.target;
608 par.targinfo = t->data;
609 par.family = NFPROTO_BRIDGE;
610 if (par.target->destroy != NULL)
611 par.target->destroy(&par);
612 module_put(par.target->me);
617 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
618 const char *name, unsigned int *cnt,
619 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
621 struct ebt_entry_target *t;
622 struct xt_target *target;
623 unsigned int i, j, hook = 0, hookmask = 0;
626 struct xt_mtchk_param mtpar;
627 struct xt_tgchk_param tgpar;
629 /* don't mess with the struct ebt_entries */
633 if (e->bitmask & ~EBT_F_MASK) {
634 BUGPRINT("Unknown flag for bitmask\n");
637 if (e->invflags & ~EBT_INV_MASK) {
638 BUGPRINT("Unknown flag for inv bitmask\n");
641 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
642 BUGPRINT("NOPROTO & 802_3 not allowed\n");
645 /* what hook do we belong to? */
646 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
647 if (!newinfo->hook_entry[i])
649 if ((char *)newinfo->hook_entry[i] < (char *)e)
654 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
656 if (i < NF_BR_NUMHOOKS)
657 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
659 for (i = 0; i < udc_cnt; i++)
660 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
663 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
665 hookmask = cl_s[i - 1].hookmask;
669 mtpar.table = tgpar.table = name;
670 mtpar.entryinfo = tgpar.entryinfo = e;
671 mtpar.hook_mask = tgpar.hook_mask = hookmask;
672 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
673 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
675 goto cleanup_matches;
677 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
679 goto cleanup_watchers;
680 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
681 gap = e->next_offset - e->target_offset;
683 target = try_then_request_module(
684 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
685 "ebt_%s", t->u.name);
686 if (IS_ERR(target)) {
687 ret = PTR_ERR(target);
688 goto cleanup_watchers;
689 } else if (target == NULL) {
691 goto cleanup_watchers;
694 t->u.target = target;
695 if (t->u.target == &ebt_standard_target) {
696 if (gap < sizeof(struct ebt_standard_target)) {
697 BUGPRINT("Standard target size too big\n");
699 goto cleanup_watchers;
701 if (((struct ebt_standard_target *)t)->verdict <
702 -NUM_STANDARD_TARGETS) {
703 BUGPRINT("Invalid standard target\n");
705 goto cleanup_watchers;
707 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
708 module_put(t->u.target->me);
710 goto cleanup_watchers;
713 tgpar.target = target;
714 tgpar.targinfo = t->data;
715 ret = xt_check_target(&tgpar, t->target_size,
716 e->ethproto, e->invflags & EBT_IPROTO);
718 module_put(target->me);
719 goto cleanup_watchers;
724 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
726 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
731 * checks for loops and sets the hook mask for udc
732 * the hook mask for udc tells us from which base chains the udc can be
733 * accessed. This mask is a parameter to the check() functions of the extensions
735 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
736 unsigned int udc_cnt, unsigned int hooknr, char *base)
738 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
739 struct ebt_entry *e = (struct ebt_entry *)chain->data;
740 struct ebt_entry_target *t;
742 while (pos < nentries || chain_nr != -1) {
743 /* end of udc, go back one 'recursion' step */
744 if (pos == nentries) {
745 /* put back values of the time when this chain was called */
746 e = cl_s[chain_nr].cs.e;
747 if (cl_s[chain_nr].from != -1)
749 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
751 nentries = chain->nentries;
752 pos = cl_s[chain_nr].cs.n;
753 /* make sure we won't see a loop that isn't one */
754 cl_s[chain_nr].cs.n = 0;
755 chain_nr = cl_s[chain_nr].from;
759 t = (struct ebt_entry_target *)
760 (((char *)e) + e->target_offset);
761 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
763 if (e->target_offset + sizeof(struct ebt_standard_target) >
765 BUGPRINT("Standard target size too big\n");
768 verdict = ((struct ebt_standard_target *)t)->verdict;
769 if (verdict >= 0) { /* jump to another chain */
770 struct ebt_entries *hlp2 =
771 (struct ebt_entries *)(base + verdict);
772 for (i = 0; i < udc_cnt; i++)
773 if (hlp2 == cl_s[i].cs.chaininfo)
775 /* bad destination or loop */
777 BUGPRINT("bad destination\n");
784 if (cl_s[i].hookmask & (1 << hooknr))
786 /* this can't be 0, so the loop test is correct */
787 cl_s[i].cs.n = pos + 1;
789 cl_s[i].cs.e = ((void *)e + e->next_offset);
790 e = (struct ebt_entry *)(hlp2->data);
791 nentries = hlp2->nentries;
792 cl_s[i].from = chain_nr;
794 /* this udc is accessible from the base chain for hooknr */
795 cl_s[i].hookmask |= (1 << hooknr);
799 e = (void *)e + e->next_offset;
805 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
806 static int translate_table(char *name, struct ebt_table_info *newinfo)
808 unsigned int i, j, k, udc_cnt;
810 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
813 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
815 if (i == NF_BR_NUMHOOKS) {
816 BUGPRINT("No valid hooks specified\n");
819 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
820 BUGPRINT("Chains don't start at beginning\n");
823 /* make sure chains are ordered after each other in same order
824 as their corresponding hooks */
825 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
826 if (!newinfo->hook_entry[j])
828 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
829 BUGPRINT("Hook order must be followed\n");
835 /* do some early checkings and initialize some things */
836 i = 0; /* holds the expected nr. of entries for the chain */
837 j = 0; /* holds the up to now counted entries for the chain */
838 k = 0; /* holds the total nr. of entries, should equal
839 newinfo->nentries afterwards */
840 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
841 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
842 ebt_check_entry_size_and_hooks, newinfo,
843 &i, &j, &k, &udc_cnt);
849 BUGPRINT("nentries does not equal the nr of entries in the "
853 if (k != newinfo->nentries) {
854 BUGPRINT("Total nentries is wrong\n");
858 /* get the location of the udc, put them in an array
859 while we're at it, allocate the chainstack */
861 /* this will get free'd in do_replace()/ebt_register_table()
862 if an error occurs */
863 newinfo->chainstack =
864 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
865 if (!newinfo->chainstack)
867 for_each_possible_cpu(i) {
868 newinfo->chainstack[i] =
869 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
870 if (!newinfo->chainstack[i]) {
872 vfree(newinfo->chainstack[--i]);
873 vfree(newinfo->chainstack);
874 newinfo->chainstack = NULL;
879 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
882 i = 0; /* the i'th udc */
883 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
884 ebt_get_udc_positions, newinfo, &i, cl_s);
887 BUGPRINT("i != udc_cnt\n");
893 /* Check for loops */
894 for (i = 0; i < NF_BR_NUMHOOKS; i++)
895 if (newinfo->hook_entry[i])
896 if (check_chainloops(newinfo->hook_entry[i],
897 cl_s, udc_cnt, i, newinfo->entries)) {
902 /* we now know the following (along with E=mc²):
903 - the nr of entries in each chain is right
904 - the size of the allocated space is right
905 - all valid hooks have a corresponding chain
907 - wrong data can still be on the level of a single entry
908 - could be there are jumps to places that are not the
909 beginning of a chain. This can only occur in chains that
910 are not accessible from any base chains, so we don't care. */
912 /* used to know what we need to clean up if something goes wrong */
914 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
915 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
917 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
918 ebt_cleanup_entry, &i);
924 /* called under write_lock */
925 static void get_counters(struct ebt_counter *oldcounters,
926 struct ebt_counter *counters, unsigned int nentries)
929 struct ebt_counter *counter_base;
931 /* counters of cpu 0 */
932 memcpy(counters, oldcounters,
933 sizeof(struct ebt_counter) * nentries);
935 /* add other counters to those of cpu 0 */
936 for_each_possible_cpu(cpu) {
939 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
940 for (i = 0; i < nentries; i++) {
941 counters[i].pcnt += counter_base[i].pcnt;
942 counters[i].bcnt += counter_base[i].bcnt;
947 /* replace the table */
948 static int do_replace(struct net *net, void __user *user, unsigned int len)
950 int ret, i, countersize;
951 struct ebt_table_info *newinfo;
952 struct ebt_replace tmp;
954 struct ebt_counter *counterstmp = NULL;
955 /* used to be able to unlock earlier */
956 struct ebt_table_info *table;
958 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
961 if (len != sizeof(tmp) + tmp.entries_size) {
962 BUGPRINT("Wrong len argument\n");
966 if (tmp.entries_size == 0) {
967 BUGPRINT("Entries_size never zero\n");
971 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
972 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
974 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
977 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
978 newinfo = vmalloc(sizeof(*newinfo) + countersize);
983 memset(newinfo->counters, 0, countersize);
985 newinfo->entries = vmalloc(tmp.entries_size);
986 if (!newinfo->entries) {
991 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
992 BUGPRINT("Couldn't copy entries from userspace\n");
997 /* the user wants counters back
998 the check on the size is done later, when we have the lock */
999 if (tmp.num_counters) {
1000 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1009 /* this can get initialized by translate_table() */
1010 newinfo->chainstack = NULL;
1011 ret = ebt_verify_pointers(&tmp, newinfo);
1013 goto free_counterstmp;
1015 ret = translate_table(tmp.name, newinfo);
1018 goto free_counterstmp;
1020 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1026 /* the table doesn't like it */
1027 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1030 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1031 BUGPRINT("Wrong nr. of counters requested\n");
1036 /* we have the mutex lock, so no danger in reading this pointer */
1038 /* make sure the table can only be rmmod'ed if it contains no rules */
1039 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1042 } else if (table->nentries && !newinfo->nentries)
1044 /* we need an atomic snapshot of the counters */
1045 write_lock_bh(&t->lock);
1046 if (tmp.num_counters)
1047 get_counters(t->private->counters, counterstmp,
1048 t->private->nentries);
1050 t->private = newinfo;
1051 write_unlock_bh(&t->lock);
1052 mutex_unlock(&ebt_mutex);
1053 /* so, a user can change the chains while having messed up her counter
1054 allocation. Only reason why this is done is because this way the lock
1055 is held only once, while this doesn't bring the kernel into a
1057 if (tmp.num_counters &&
1058 copy_to_user(tmp.counters, counterstmp,
1059 tmp.num_counters * sizeof(struct ebt_counter))) {
1060 BUGPRINT("Couldn't copy counters to userspace\n");
1066 /* decrease module count and free resources */
1067 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1068 ebt_cleanup_entry, NULL);
1070 vfree(table->entries);
1071 if (table->chainstack) {
1072 for_each_possible_cpu(i)
1073 vfree(table->chainstack[i]);
1074 vfree(table->chainstack);
1082 mutex_unlock(&ebt_mutex);
1084 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1085 ebt_cleanup_entry, NULL);
1088 /* can be initialized in translate_table() */
1089 if (newinfo->chainstack) {
1090 for_each_possible_cpu(i)
1091 vfree(newinfo->chainstack[i]);
1092 vfree(newinfo->chainstack);
1095 vfree(newinfo->entries);
1101 struct ebt_table *ebt_register_table(struct net *net, struct ebt_table *table)
1103 struct ebt_table_info *newinfo;
1104 struct ebt_table *t;
1105 struct ebt_replace_kernel *repl;
1106 int ret, i, countersize;
1109 if (!table || !(repl = table->table) || !repl->entries ||
1110 repl->entries_size == 0 ||
1111 repl->counters || table->private) {
1112 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1113 return ERR_PTR(-EINVAL);
1116 /* Don't add one table to multiple lists. */
1117 table = kmemdup(table, sizeof(struct ebt_table), GFP_KERNEL);
1123 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1124 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1129 p = vmalloc(repl->entries_size);
1133 memcpy(p, repl->entries, repl->entries_size);
1134 newinfo->entries = p;
1136 newinfo->entries_size = repl->entries_size;
1137 newinfo->nentries = repl->nentries;
1140 memset(newinfo->counters, 0, countersize);
1142 /* fill in newinfo and parse the entries */
1143 newinfo->chainstack = NULL;
1144 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1145 if ((repl->valid_hooks & (1 << i)) == 0)
1146 newinfo->hook_entry[i] = NULL;
1148 newinfo->hook_entry[i] = p +
1149 ((char *)repl->hook_entry[i] - repl->entries);
1151 ret = translate_table(repl->name, newinfo);
1153 BUGPRINT("Translate_table failed\n");
1154 goto free_chainstack;
1157 if (table->check && table->check(newinfo, table->valid_hooks)) {
1158 BUGPRINT("The table doesn't like its own initial data, lol\n");
1159 return ERR_PTR(-EINVAL);
1162 table->private = newinfo;
1163 rwlock_init(&table->lock);
1164 ret = mutex_lock_interruptible(&ebt_mutex);
1166 goto free_chainstack;
1168 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1169 if (strcmp(t->name, table->name) == 0) {
1171 BUGPRINT("Table name already exists\n");
1176 /* Hold a reference count if the chains aren't empty */
1177 if (newinfo->nentries && !try_module_get(table->me)) {
1181 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1182 mutex_unlock(&ebt_mutex);
1185 mutex_unlock(&ebt_mutex);
1187 if (newinfo->chainstack) {
1188 for_each_possible_cpu(i)
1189 vfree(newinfo->chainstack[i]);
1190 vfree(newinfo->chainstack);
1192 vfree(newinfo->entries);
1198 return ERR_PTR(ret);
1201 void ebt_unregister_table(struct ebt_table *table)
1206 BUGPRINT("Request to unregister NULL table!!!\n");
1209 mutex_lock(&ebt_mutex);
1210 list_del(&table->list);
1211 mutex_unlock(&ebt_mutex);
1212 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1213 ebt_cleanup_entry, NULL);
1214 if (table->private->nentries)
1215 module_put(table->me);
1216 vfree(table->private->entries);
1217 if (table->private->chainstack) {
1218 for_each_possible_cpu(i)
1219 vfree(table->private->chainstack[i]);
1220 vfree(table->private->chainstack);
1222 vfree(table->private);
1226 /* userspace just supplied us with counters */
1227 static int update_counters(struct net *net, void __user *user, unsigned int len)
1230 struct ebt_counter *tmp;
1231 struct ebt_replace hlp;
1232 struct ebt_table *t;
1234 if (copy_from_user(&hlp, user, sizeof(hlp)))
1237 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1239 if (hlp.num_counters == 0)
1242 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1243 MEMPRINT("Update_counters && nomemory\n");
1247 t = find_table_lock(net, hlp.name, &ret, &ebt_mutex);
1251 if (hlp.num_counters != t->private->nentries) {
1252 BUGPRINT("Wrong nr of counters\n");
1257 if ( copy_from_user(tmp, hlp.counters,
1258 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1259 BUGPRINT("Updata_counters && !cfu\n");
1264 /* we want an atomic add of the counters */
1265 write_lock_bh(&t->lock);
1267 /* we add to the counters of the first cpu */
1268 for (i = 0; i < hlp.num_counters; i++) {
1269 t->private->counters[i].pcnt += tmp[i].pcnt;
1270 t->private->counters[i].bcnt += tmp[i].bcnt;
1273 write_unlock_bh(&t->lock);
1276 mutex_unlock(&ebt_mutex);
1282 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1283 char *base, char __user *ubase)
1285 char __user *hlp = ubase + ((char *)m - base);
1286 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1291 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1292 char *base, char __user *ubase)
1294 char __user *hlp = ubase + ((char *)w - base);
1295 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1300 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1304 struct ebt_entry_target *t;
1306 if (e->bitmask == 0)
1309 hlp = ubase + (((char *)e + e->target_offset) - base);
1310 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1312 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1315 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1318 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1323 /* called with ebt_mutex locked */
1324 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1327 struct ebt_replace tmp;
1328 struct ebt_counter *counterstmp, *oldcounters;
1329 unsigned int entries_size, nentries;
1332 if (cmd == EBT_SO_GET_ENTRIES) {
1333 entries_size = t->private->entries_size;
1334 nentries = t->private->nentries;
1335 entries = t->private->entries;
1336 oldcounters = t->private->counters;
1338 entries_size = t->table->entries_size;
1339 nentries = t->table->nentries;
1340 entries = t->table->entries;
1341 oldcounters = t->table->counters;
1344 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1345 BUGPRINT("Cfu didn't work\n");
1349 if (*len != sizeof(struct ebt_replace) + entries_size +
1350 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1351 BUGPRINT("Wrong size\n");
1355 if (tmp.nentries != nentries) {
1356 BUGPRINT("Nentries wrong\n");
1360 if (tmp.entries_size != entries_size) {
1361 BUGPRINT("Wrong size\n");
1365 /* userspace might not need the counters */
1366 if (tmp.num_counters) {
1367 if (tmp.num_counters != nentries) {
1368 BUGPRINT("Num_counters wrong\n");
1371 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1373 MEMPRINT("Couldn't copy counters, out of memory\n");
1376 write_lock_bh(&t->lock);
1377 get_counters(oldcounters, counterstmp, nentries);
1378 write_unlock_bh(&t->lock);
1380 if (copy_to_user(tmp.counters, counterstmp,
1381 nentries * sizeof(struct ebt_counter))) {
1382 BUGPRINT("Couldn't copy counters to userspace\n");
1389 if (copy_to_user(tmp.entries, entries, entries_size)) {
1390 BUGPRINT("Couldn't copy entries to userspace\n");
1393 /* set the match/watcher/target names right */
1394 return EBT_ENTRY_ITERATE(entries, entries_size,
1395 ebt_make_names, entries, tmp.entries);
1398 static int do_ebt_set_ctl(struct sock *sk,
1399 int cmd, void __user *user, unsigned int len)
1404 case EBT_SO_SET_ENTRIES:
1405 ret = do_replace(sock_net(sk), user, len);
1407 case EBT_SO_SET_COUNTERS:
1408 ret = update_counters(sock_net(sk), user, len);
1416 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1419 struct ebt_replace tmp;
1420 struct ebt_table *t;
1422 if (copy_from_user(&tmp, user, sizeof(tmp)))
1425 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1430 case EBT_SO_GET_INFO:
1431 case EBT_SO_GET_INIT_INFO:
1432 if (*len != sizeof(struct ebt_replace)){
1434 mutex_unlock(&ebt_mutex);
1437 if (cmd == EBT_SO_GET_INFO) {
1438 tmp.nentries = t->private->nentries;
1439 tmp.entries_size = t->private->entries_size;
1440 tmp.valid_hooks = t->valid_hooks;
1442 tmp.nentries = t->table->nentries;
1443 tmp.entries_size = t->table->entries_size;
1444 tmp.valid_hooks = t->table->valid_hooks;
1446 mutex_unlock(&ebt_mutex);
1447 if (copy_to_user(user, &tmp, *len) != 0){
1448 BUGPRINT("c2u Didn't work\n");
1455 case EBT_SO_GET_ENTRIES:
1456 case EBT_SO_GET_INIT_ENTRIES:
1457 ret = copy_everything_to_user(t, user, len, cmd);
1458 mutex_unlock(&ebt_mutex);
1462 mutex_unlock(&ebt_mutex);
1469 static struct nf_sockopt_ops ebt_sockopts =
1472 .set_optmin = EBT_BASE_CTL,
1473 .set_optmax = EBT_SO_SET_MAX + 1,
1474 .set = do_ebt_set_ctl,
1475 .get_optmin = EBT_BASE_CTL,
1476 .get_optmax = EBT_SO_GET_MAX + 1,
1477 .get = do_ebt_get_ctl,
1478 .owner = THIS_MODULE,
1481 static int __init ebtables_init(void)
1485 ret = xt_register_target(&ebt_standard_target);
1488 ret = nf_register_sockopt(&ebt_sockopts);
1490 xt_unregister_target(&ebt_standard_target);
1494 printk(KERN_INFO "Ebtables v2.0 registered\n");
1498 static void __exit ebtables_fini(void)
1500 nf_unregister_sockopt(&ebt_sockopts);
1501 xt_unregister_target(&ebt_standard_target);
1502 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1505 EXPORT_SYMBOL(ebt_register_table);
1506 EXPORT_SYMBOL(ebt_unregister_table);
1507 EXPORT_SYMBOL(ebt_do_table);
1508 module_init(ebtables_init);
1509 module_exit(ebtables_fini);
1510 MODULE_LICENSE("GPL");
projects / linux-2.6 / blob