5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
60 static struct xt_target ebt_standard_target = {
63 .family = NFPROTO_BRIDGE,
64 .targetsize = sizeof(int),
67 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
68 struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
69 const struct net_device *out)
71 w->u.watcher->target(skb, in, out, hooknr, w->u.watcher, w->data);
72 /* watchers don't give a verdict */
76 static inline int ebt_do_match (struct ebt_entry_match *m,
77 const struct sk_buff *skb, struct xt_match_param *par)
79 par->match = m->u.match;
80 par->matchinfo = m->data;
81 return m->u.match->match(skb, par);
84 static inline int ebt_dev_check(char *entry, const struct net_device *device)
87 const char *devname = device->name;
93 /* 1 is the wildcard token */
94 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
96 return (devname[i] != entry[i] && entry[i] != 1);
99 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
100 /* process standard matches */
101 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
102 const struct net_device *in, const struct net_device *out)
106 if (e->bitmask & EBT_802_3) {
107 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
109 } else if (!(e->bitmask & EBT_NOPROTO) &&
110 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
113 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
115 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
117 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
118 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
120 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
121 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
124 if (e->bitmask & EBT_SOURCEMAC) {
126 for (i = 0; i < 6; i++)
127 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
129 if (FWINV2(verdict != 0, EBT_ISOURCE) )
132 if (e->bitmask & EBT_DESTMAC) {
134 for (i = 0; i < 6; i++)
135 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
137 if (FWINV2(verdict != 0, EBT_IDEST) )
143 /* Do some firewalling */
144 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
145 const struct net_device *in, const struct net_device *out,
146 struct ebt_table *table)
149 struct ebt_entry *point;
150 struct ebt_counter *counter_base, *cb_base;
151 struct ebt_entry_target *t;
153 struct ebt_chainstack *cs;
154 struct ebt_entries *chaininfo;
156 struct ebt_table_info *private;
157 bool hotdrop = false;
158 struct xt_match_param mtpar;
162 mtpar.hotdrop = &hotdrop;
164 read_lock_bh(&table->lock);
165 private = table->private;
166 cb_base = COUNTER_BASE(private->counters, private->nentries,
168 if (private->chainstack)
169 cs = private->chainstack[smp_processor_id()];
172 chaininfo = private->hook_entry[hook];
173 nentries = private->hook_entry[hook]->nentries;
174 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
175 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
176 /* base for chain jumps */
177 base = private->entries;
179 while (i < nentries) {
180 if (ebt_basic_match(point, eth_hdr(skb), in, out))
183 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
186 read_unlock_bh(&table->lock);
190 /* increase counter */
191 (*(counter_base + i)).pcnt++;
192 (*(counter_base + i)).bcnt += skb->len;
194 /* these should only watch: not modify, nor tell us
195 what to do with the packet */
196 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, hook, in,
199 t = (struct ebt_entry_target *)
200 (((char *)point) + point->target_offset);
201 /* standard target */
202 if (!t->u.target->target)
203 verdict = ((struct ebt_standard_target *)t)->verdict;
205 verdict = t->u.target->target(skb, in, out, hook,
206 t->u.target, t->data);
207 if (verdict == EBT_ACCEPT) {
208 read_unlock_bh(&table->lock);
211 if (verdict == EBT_DROP) {
212 read_unlock_bh(&table->lock);
215 if (verdict == EBT_RETURN) {
217 #ifdef CONFIG_NETFILTER_DEBUG
219 BUGPRINT("RETURN on base chain");
220 /* act like this is EBT_CONTINUE */
225 /* put all the local variables right */
227 chaininfo = cs[sp].chaininfo;
228 nentries = chaininfo->nentries;
230 counter_base = cb_base +
231 chaininfo->counter_offset;
234 if (verdict == EBT_CONTINUE)
236 #ifdef CONFIG_NETFILTER_DEBUG
238 BUGPRINT("bogus standard verdict\n");
239 read_unlock_bh(&table->lock);
245 cs[sp].chaininfo = chaininfo;
246 cs[sp].e = (struct ebt_entry *)
247 (((char *)point) + point->next_offset);
249 chaininfo = (struct ebt_entries *) (base + verdict);
250 #ifdef CONFIG_NETFILTER_DEBUG
251 if (chaininfo->distinguisher) {
252 BUGPRINT("jump to non-chain\n");
253 read_unlock_bh(&table->lock);
257 nentries = chaininfo->nentries;
258 point = (struct ebt_entry *)chaininfo->data;
259 counter_base = cb_base + chaininfo->counter_offset;
263 point = (struct ebt_entry *)
264 (((char *)point) + point->next_offset);
268 /* I actually like this :) */
269 if (chaininfo->policy == EBT_RETURN)
271 if (chaininfo->policy == EBT_ACCEPT) {
272 read_unlock_bh(&table->lock);
275 read_unlock_bh(&table->lock);
279 /* If it succeeds, returns element and locks mutex */
281 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
285 struct list_head list;
286 char name[EBT_FUNCTION_MAXNAMELEN];
289 *error = mutex_lock_interruptible(mutex);
293 list_for_each_entry(e, head, list) {
294 if (strcmp(e->name, name) == 0)
303 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
306 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
307 int *error, struct mutex *mutex)
311 ret = find_inlist_lock_noload(head, name, error, mutex);
313 request_module("%s%s", prefix, name);
314 ret = find_inlist_lock_noload(head, name, error, mutex);
320 static inline struct ebt_table *
321 find_table_lock(const char *name, int *error, struct mutex *mutex)
323 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
327 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
328 const char *name, unsigned int hookmask, unsigned int *cnt)
330 struct xt_match *match;
331 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
334 if (left < sizeof(struct ebt_entry_match) ||
335 left - sizeof(struct ebt_entry_match) < m->match_size)
338 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
339 m->u.name, 0), "ebt_%s", m->u.name);
341 return PTR_ERR(match);
346 ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size,
347 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
350 module_put(match->me);
359 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
360 const char *name, unsigned int hookmask, unsigned int *cnt)
362 struct xt_target *watcher;
363 size_t left = ((char *)e + e->target_offset) - (char *)w;
366 if (left < sizeof(struct ebt_entry_watcher) ||
367 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
370 watcher = try_then_request_module(
371 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
372 "ebt_%s", w->u.name);
374 return PTR_ERR(watcher);
377 w->u.watcher = watcher;
379 ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size,
380 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
383 module_put(watcher->me);
391 static int ebt_verify_pointers(struct ebt_replace *repl,
392 struct ebt_table_info *newinfo)
394 unsigned int limit = repl->entries_size;
395 unsigned int valid_hooks = repl->valid_hooks;
396 unsigned int offset = 0;
399 for (i = 0; i < NF_BR_NUMHOOKS; i++)
400 newinfo->hook_entry[i] = NULL;
402 newinfo->entries_size = repl->entries_size;
403 newinfo->nentries = repl->nentries;
405 while (offset < limit) {
406 size_t left = limit - offset;
407 struct ebt_entry *e = (void *)newinfo->entries + offset;
409 if (left < sizeof(unsigned int))
412 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
413 if ((valid_hooks & (1 << i)) == 0)
415 if ((char __user *)repl->hook_entry[i] ==
416 repl->entries + offset)
420 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
421 if (e->bitmask != 0) {
422 /* we make userspace set this right,
423 so there is no misunderstanding */
424 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
425 "in distinguisher\n");
428 if (i != NF_BR_NUMHOOKS)
429 newinfo->hook_entry[i] = (struct ebt_entries *)e;
430 if (left < sizeof(struct ebt_entries))
432 offset += sizeof(struct ebt_entries);
434 if (left < sizeof(struct ebt_entry))
436 if (left < e->next_offset)
438 offset += e->next_offset;
441 if (offset != limit) {
442 BUGPRINT("entries_size too small\n");
446 /* check if all valid hooks have a chain */
447 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
448 if (!newinfo->hook_entry[i] &&
449 (valid_hooks & (1 << i))) {
450 BUGPRINT("Valid hook without chain\n");
458 * this one is very careful, as it is the first function
459 * to parse the userspace data
462 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
463 struct ebt_table_info *newinfo,
464 unsigned int *n, unsigned int *cnt,
465 unsigned int *totalcnt, unsigned int *udc_cnt)
469 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
470 if ((void *)e == (void *)newinfo->hook_entry[i])
473 /* beginning of a new chain
474 if i == NF_BR_NUMHOOKS it must be a user defined chain */
475 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
476 /* this checks if the previous chain has as many entries
479 BUGPRINT("nentries does not equal the nr of entries "
483 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
484 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
485 /* only RETURN from udc */
486 if (i != NF_BR_NUMHOOKS ||
487 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
488 BUGPRINT("bad policy\n");
492 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
494 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
495 BUGPRINT("counter_offset != totalcnt");
498 *n = ((struct ebt_entries *)e)->nentries;
502 /* a plain old entry, heh */
503 if (sizeof(struct ebt_entry) > e->watchers_offset ||
504 e->watchers_offset > e->target_offset ||
505 e->target_offset >= e->next_offset) {
506 BUGPRINT("entry offsets not in right order\n");
509 /* this is not checked anywhere else */
510 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
511 BUGPRINT("target size too small\n");
521 struct ebt_chainstack cs;
523 unsigned int hookmask;
527 * we need these positions to check that the jumps to a different part of the
528 * entries is a jump to the beginning of a new chain.
531 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
532 unsigned int *n, struct ebt_cl_stack *udc)
536 /* we're only interested in chain starts */
539 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
540 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
543 /* only care about udc */
544 if (i != NF_BR_NUMHOOKS)
547 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
548 /* these initialisations are depended on later in check_chainloops() */
550 udc[*n].hookmask = 0;
557 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
559 if (i && (*i)-- == 0)
561 if (m->u.match->destroy)
562 m->u.match->destroy(m->u.match, m->data);
563 module_put(m->u.match->me);
569 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
571 if (i && (*i)-- == 0)
573 if (w->u.watcher->destroy)
574 w->u.watcher->destroy(w->u.watcher, w->data);
575 module_put(w->u.watcher->me);
581 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
583 struct ebt_entry_target *t;
588 if (cnt && (*cnt)-- == 0)
590 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
591 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
592 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
593 if (t->u.target->destroy)
594 t->u.target->destroy(t->u.target, t->data);
595 module_put(t->u.target->me);
601 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
602 const char *name, unsigned int *cnt,
603 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
605 struct ebt_entry_target *t;
606 struct xt_target *target;
607 unsigned int i, j, hook = 0, hookmask = 0;
611 /* don't mess with the struct ebt_entries */
615 if (e->bitmask & ~EBT_F_MASK) {
616 BUGPRINT("Unknown flag for bitmask\n");
619 if (e->invflags & ~EBT_INV_MASK) {
620 BUGPRINT("Unknown flag for inv bitmask\n");
623 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
624 BUGPRINT("NOPROTO & 802_3 not allowed\n");
627 /* what hook do we belong to? */
628 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
629 if (!newinfo->hook_entry[i])
631 if ((char *)newinfo->hook_entry[i] < (char *)e)
636 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
638 if (i < NF_BR_NUMHOOKS)
639 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
641 for (i = 0; i < udc_cnt; i++)
642 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
645 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
647 hookmask = cl_s[i - 1].hookmask;
650 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
652 goto cleanup_matches;
654 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
656 goto cleanup_watchers;
657 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
658 gap = e->next_offset - e->target_offset;
660 target = try_then_request_module(
661 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
662 "ebt_%s", t->u.name);
663 if (IS_ERR(target)) {
664 ret = PTR_ERR(target);
665 goto cleanup_watchers;
666 } else if (target == NULL) {
668 goto cleanup_watchers;
671 t->u.target = target;
672 if (t->u.target == &ebt_standard_target) {
673 if (gap < sizeof(struct ebt_standard_target)) {
674 BUGPRINT("Standard target size too big\n");
676 goto cleanup_watchers;
678 if (((struct ebt_standard_target *)t)->verdict <
679 -NUM_STANDARD_TARGETS) {
680 BUGPRINT("Invalid standard target\n");
682 goto cleanup_watchers;
684 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
685 module_put(t->u.target->me);
687 goto cleanup_watchers;
690 ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size,
691 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
694 module_put(target->me);
695 goto cleanup_watchers;
700 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
702 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
707 * checks for loops and sets the hook mask for udc
708 * the hook mask for udc tells us from which base chains the udc can be
709 * accessed. This mask is a parameter to the check() functions of the extensions
711 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
712 unsigned int udc_cnt, unsigned int hooknr, char *base)
714 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
715 struct ebt_entry *e = (struct ebt_entry *)chain->data;
716 struct ebt_entry_target *t;
718 while (pos < nentries || chain_nr != -1) {
719 /* end of udc, go back one 'recursion' step */
720 if (pos == nentries) {
721 /* put back values of the time when this chain was called */
722 e = cl_s[chain_nr].cs.e;
723 if (cl_s[chain_nr].from != -1)
725 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
727 nentries = chain->nentries;
728 pos = cl_s[chain_nr].cs.n;
729 /* make sure we won't see a loop that isn't one */
730 cl_s[chain_nr].cs.n = 0;
731 chain_nr = cl_s[chain_nr].from;
735 t = (struct ebt_entry_target *)
736 (((char *)e) + e->target_offset);
737 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
739 if (e->target_offset + sizeof(struct ebt_standard_target) >
741 BUGPRINT("Standard target size too big\n");
744 verdict = ((struct ebt_standard_target *)t)->verdict;
745 if (verdict >= 0) { /* jump to another chain */
746 struct ebt_entries *hlp2 =
747 (struct ebt_entries *)(base + verdict);
748 for (i = 0; i < udc_cnt; i++)
749 if (hlp2 == cl_s[i].cs.chaininfo)
751 /* bad destination or loop */
753 BUGPRINT("bad destination\n");
760 if (cl_s[i].hookmask & (1 << hooknr))
762 /* this can't be 0, so the loop test is correct */
763 cl_s[i].cs.n = pos + 1;
765 cl_s[i].cs.e = ((void *)e + e->next_offset);
766 e = (struct ebt_entry *)(hlp2->data);
767 nentries = hlp2->nentries;
768 cl_s[i].from = chain_nr;
770 /* this udc is accessible from the base chain for hooknr */
771 cl_s[i].hookmask |= (1 << hooknr);
775 e = (void *)e + e->next_offset;
781 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
782 static int translate_table(char *name, struct ebt_table_info *newinfo)
784 unsigned int i, j, k, udc_cnt;
786 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
789 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
791 if (i == NF_BR_NUMHOOKS) {
792 BUGPRINT("No valid hooks specified\n");
795 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
796 BUGPRINT("Chains don't start at beginning\n");
799 /* make sure chains are ordered after each other in same order
800 as their corresponding hooks */
801 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
802 if (!newinfo->hook_entry[j])
804 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
805 BUGPRINT("Hook order must be followed\n");
811 /* do some early checkings and initialize some things */
812 i = 0; /* holds the expected nr. of entries for the chain */
813 j = 0; /* holds the up to now counted entries for the chain */
814 k = 0; /* holds the total nr. of entries, should equal
815 newinfo->nentries afterwards */
816 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
817 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
818 ebt_check_entry_size_and_hooks, newinfo,
819 &i, &j, &k, &udc_cnt);
825 BUGPRINT("nentries does not equal the nr of entries in the "
829 if (k != newinfo->nentries) {
830 BUGPRINT("Total nentries is wrong\n");
834 /* get the location of the udc, put them in an array
835 while we're at it, allocate the chainstack */
837 /* this will get free'd in do_replace()/ebt_register_table()
838 if an error occurs */
839 newinfo->chainstack =
840 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
841 if (!newinfo->chainstack)
843 for_each_possible_cpu(i) {
844 newinfo->chainstack[i] =
845 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
846 if (!newinfo->chainstack[i]) {
848 vfree(newinfo->chainstack[--i]);
849 vfree(newinfo->chainstack);
850 newinfo->chainstack = NULL;
855 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
858 i = 0; /* the i'th udc */
859 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
860 ebt_get_udc_positions, newinfo, &i, cl_s);
863 BUGPRINT("i != udc_cnt\n");
869 /* Check for loops */
870 for (i = 0; i < NF_BR_NUMHOOKS; i++)
871 if (newinfo->hook_entry[i])
872 if (check_chainloops(newinfo->hook_entry[i],
873 cl_s, udc_cnt, i, newinfo->entries)) {
878 /* we now know the following (along with E=mc²):
879 - the nr of entries in each chain is right
880 - the size of the allocated space is right
881 - all valid hooks have a corresponding chain
883 - wrong data can still be on the level of a single entry
884 - could be there are jumps to places that are not the
885 beginning of a chain. This can only occur in chains that
886 are not accessible from any base chains, so we don't care. */
888 /* used to know what we need to clean up if something goes wrong */
890 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
891 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
893 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
894 ebt_cleanup_entry, &i);
900 /* called under write_lock */
901 static void get_counters(struct ebt_counter *oldcounters,
902 struct ebt_counter *counters, unsigned int nentries)
905 struct ebt_counter *counter_base;
907 /* counters of cpu 0 */
908 memcpy(counters, oldcounters,
909 sizeof(struct ebt_counter) * nentries);
911 /* add other counters to those of cpu 0 */
912 for_each_possible_cpu(cpu) {
915 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
916 for (i = 0; i < nentries; i++) {
917 counters[i].pcnt += counter_base[i].pcnt;
918 counters[i].bcnt += counter_base[i].bcnt;
923 /* replace the table */
924 static int do_replace(void __user *user, unsigned int len)
926 int ret, i, countersize;
927 struct ebt_table_info *newinfo;
928 struct ebt_replace tmp;
930 struct ebt_counter *counterstmp = NULL;
931 /* used to be able to unlock earlier */
932 struct ebt_table_info *table;
934 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
937 if (len != sizeof(tmp) + tmp.entries_size) {
938 BUGPRINT("Wrong len argument\n");
942 if (tmp.entries_size == 0) {
943 BUGPRINT("Entries_size never zero\n");
947 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
948 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
950 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
953 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
954 newinfo = vmalloc(sizeof(*newinfo) + countersize);
959 memset(newinfo->counters, 0, countersize);
961 newinfo->entries = vmalloc(tmp.entries_size);
962 if (!newinfo->entries) {
967 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
968 BUGPRINT("Couldn't copy entries from userspace\n");
973 /* the user wants counters back
974 the check on the size is done later, when we have the lock */
975 if (tmp.num_counters) {
976 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
985 /* this can get initialized by translate_table() */
986 newinfo->chainstack = NULL;
987 ret = ebt_verify_pointers(&tmp, newinfo);
989 goto free_counterstmp;
991 ret = translate_table(tmp.name, newinfo);
994 goto free_counterstmp;
996 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1002 /* the table doesn't like it */
1003 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1006 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1007 BUGPRINT("Wrong nr. of counters requested\n");
1012 /* we have the mutex lock, so no danger in reading this pointer */
1014 /* make sure the table can only be rmmod'ed if it contains no rules */
1015 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1018 } else if (table->nentries && !newinfo->nentries)
1020 /* we need an atomic snapshot of the counters */
1021 write_lock_bh(&t->lock);
1022 if (tmp.num_counters)
1023 get_counters(t->private->counters, counterstmp,
1024 t->private->nentries);
1026 t->private = newinfo;
1027 write_unlock_bh(&t->lock);
1028 mutex_unlock(&ebt_mutex);
1029 /* so, a user can change the chains while having messed up her counter
1030 allocation. Only reason why this is done is because this way the lock
1031 is held only once, while this doesn't bring the kernel into a
1033 if (tmp.num_counters &&
1034 copy_to_user(tmp.counters, counterstmp,
1035 tmp.num_counters * sizeof(struct ebt_counter))) {
1036 BUGPRINT("Couldn't copy counters to userspace\n");
1042 /* decrease module count and free resources */
1043 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1044 ebt_cleanup_entry, NULL);
1046 vfree(table->entries);
1047 if (table->chainstack) {
1048 for_each_possible_cpu(i)
1049 vfree(table->chainstack[i]);
1050 vfree(table->chainstack);
1058 mutex_unlock(&ebt_mutex);
1060 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1061 ebt_cleanup_entry, NULL);
1064 /* can be initialized in translate_table() */
1065 if (newinfo->chainstack) {
1066 for_each_possible_cpu(i)
1067 vfree(newinfo->chainstack[i]);
1068 vfree(newinfo->chainstack);
1071 vfree(newinfo->entries);
1077 int ebt_register_table(struct ebt_table *table)
1079 struct ebt_table_info *newinfo;
1080 struct ebt_table *t;
1081 struct ebt_replace_kernel *repl;
1082 int ret, i, countersize;
1085 if (!table || !(repl = table->table) || !repl->entries ||
1086 repl->entries_size == 0 ||
1087 repl->counters || table->private) {
1088 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1092 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1093 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1098 p = vmalloc(repl->entries_size);
1102 memcpy(p, repl->entries, repl->entries_size);
1103 newinfo->entries = p;
1105 newinfo->entries_size = repl->entries_size;
1106 newinfo->nentries = repl->nentries;
1109 memset(newinfo->counters, 0, countersize);
1111 /* fill in newinfo and parse the entries */
1112 newinfo->chainstack = NULL;
1113 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1114 if ((repl->valid_hooks & (1 << i)) == 0)
1115 newinfo->hook_entry[i] = NULL;
1117 newinfo->hook_entry[i] = p +
1118 ((char *)repl->hook_entry[i] - repl->entries);
1120 ret = translate_table(repl->name, newinfo);
1122 BUGPRINT("Translate_table failed\n");
1123 goto free_chainstack;
1126 if (table->check && table->check(newinfo, table->valid_hooks)) {
1127 BUGPRINT("The table doesn't like its own initial data, lol\n");
1131 table->private = newinfo;
1132 rwlock_init(&table->lock);
1133 ret = mutex_lock_interruptible(&ebt_mutex);
1135 goto free_chainstack;
1137 list_for_each_entry(t, &ebt_tables, list) {
1138 if (strcmp(t->name, table->name) == 0) {
1140 BUGPRINT("Table name already exists\n");
1145 /* Hold a reference count if the chains aren't empty */
1146 if (newinfo->nentries && !try_module_get(table->me)) {
1150 list_add(&table->list, &ebt_tables);
1151 mutex_unlock(&ebt_mutex);
1154 mutex_unlock(&ebt_mutex);
1156 if (newinfo->chainstack) {
1157 for_each_possible_cpu(i)
1158 vfree(newinfo->chainstack[i]);
1159 vfree(newinfo->chainstack);
1161 vfree(newinfo->entries);
1167 void ebt_unregister_table(struct ebt_table *table)
1172 BUGPRINT("Request to unregister NULL table!!!\n");
1175 mutex_lock(&ebt_mutex);
1176 list_del(&table->list);
1177 mutex_unlock(&ebt_mutex);
1178 vfree(table->private->entries);
1179 if (table->private->chainstack) {
1180 for_each_possible_cpu(i)
1181 vfree(table->private->chainstack[i]);
1182 vfree(table->private->chainstack);
1184 vfree(table->private);
1187 /* userspace just supplied us with counters */
1188 static int update_counters(void __user *user, unsigned int len)
1191 struct ebt_counter *tmp;
1192 struct ebt_replace hlp;
1193 struct ebt_table *t;
1195 if (copy_from_user(&hlp, user, sizeof(hlp)))
1198 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1200 if (hlp.num_counters == 0)
1203 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1204 MEMPRINT("Update_counters && nomemory\n");
1208 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1212 if (hlp.num_counters != t->private->nentries) {
1213 BUGPRINT("Wrong nr of counters\n");
1218 if ( copy_from_user(tmp, hlp.counters,
1219 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1220 BUGPRINT("Updata_counters && !cfu\n");
1225 /* we want an atomic add of the counters */
1226 write_lock_bh(&t->lock);
1228 /* we add to the counters of the first cpu */
1229 for (i = 0; i < hlp.num_counters; i++) {
1230 t->private->counters[i].pcnt += tmp[i].pcnt;
1231 t->private->counters[i].bcnt += tmp[i].bcnt;
1234 write_unlock_bh(&t->lock);
1237 mutex_unlock(&ebt_mutex);
1243 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1244 char *base, char __user *ubase)
1246 char __user *hlp = ubase + ((char *)m - base);
1247 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1252 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1253 char *base, char __user *ubase)
1255 char __user *hlp = ubase + ((char *)w - base);
1256 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1261 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1265 struct ebt_entry_target *t;
1267 if (e->bitmask == 0)
1270 hlp = ubase + (((char *)e + e->target_offset) - base);
1271 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1273 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1276 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1279 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1284 /* called with ebt_mutex locked */
1285 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1288 struct ebt_replace tmp;
1289 struct ebt_counter *counterstmp, *oldcounters;
1290 unsigned int entries_size, nentries;
1293 if (cmd == EBT_SO_GET_ENTRIES) {
1294 entries_size = t->private->entries_size;
1295 nentries = t->private->nentries;
1296 entries = t->private->entries;
1297 oldcounters = t->private->counters;
1299 entries_size = t->table->entries_size;
1300 nentries = t->table->nentries;
1301 entries = t->table->entries;
1302 oldcounters = t->table->counters;
1305 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1306 BUGPRINT("Cfu didn't work\n");
1310 if (*len != sizeof(struct ebt_replace) + entries_size +
1311 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1312 BUGPRINT("Wrong size\n");
1316 if (tmp.nentries != nentries) {
1317 BUGPRINT("Nentries wrong\n");
1321 if (tmp.entries_size != entries_size) {
1322 BUGPRINT("Wrong size\n");
1326 /* userspace might not need the counters */
1327 if (tmp.num_counters) {
1328 if (tmp.num_counters != nentries) {
1329 BUGPRINT("Num_counters wrong\n");
1332 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1334 MEMPRINT("Couldn't copy counters, out of memory\n");
1337 write_lock_bh(&t->lock);
1338 get_counters(oldcounters, counterstmp, nentries);
1339 write_unlock_bh(&t->lock);
1341 if (copy_to_user(tmp.counters, counterstmp,
1342 nentries * sizeof(struct ebt_counter))) {
1343 BUGPRINT("Couldn't copy counters to userspace\n");
1350 if (copy_to_user(tmp.entries, entries, entries_size)) {
1351 BUGPRINT("Couldn't copy entries to userspace\n");
1354 /* set the match/watcher/target names right */
1355 return EBT_ENTRY_ITERATE(entries, entries_size,
1356 ebt_make_names, entries, tmp.entries);
1359 static int do_ebt_set_ctl(struct sock *sk,
1360 int cmd, void __user *user, unsigned int len)
1365 case EBT_SO_SET_ENTRIES:
1366 ret = do_replace(user, len);
1368 case EBT_SO_SET_COUNTERS:
1369 ret = update_counters(user, len);
1377 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1380 struct ebt_replace tmp;
1381 struct ebt_table *t;
1383 if (copy_from_user(&tmp, user, sizeof(tmp)))
1386 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1391 case EBT_SO_GET_INFO:
1392 case EBT_SO_GET_INIT_INFO:
1393 if (*len != sizeof(struct ebt_replace)){
1395 mutex_unlock(&ebt_mutex);
1398 if (cmd == EBT_SO_GET_INFO) {
1399 tmp.nentries = t->private->nentries;
1400 tmp.entries_size = t->private->entries_size;
1401 tmp.valid_hooks = t->valid_hooks;
1403 tmp.nentries = t->table->nentries;
1404 tmp.entries_size = t->table->entries_size;
1405 tmp.valid_hooks = t->table->valid_hooks;
1407 mutex_unlock(&ebt_mutex);
1408 if (copy_to_user(user, &tmp, *len) != 0){
1409 BUGPRINT("c2u Didn't work\n");
1416 case EBT_SO_GET_ENTRIES:
1417 case EBT_SO_GET_INIT_ENTRIES:
1418 ret = copy_everything_to_user(t, user, len, cmd);
1419 mutex_unlock(&ebt_mutex);
1423 mutex_unlock(&ebt_mutex);
1430 static struct nf_sockopt_ops ebt_sockopts =
1433 .set_optmin = EBT_BASE_CTL,
1434 .set_optmax = EBT_SO_SET_MAX + 1,
1435 .set = do_ebt_set_ctl,
1436 .get_optmin = EBT_BASE_CTL,
1437 .get_optmax = EBT_SO_GET_MAX + 1,
1438 .get = do_ebt_get_ctl,
1439 .owner = THIS_MODULE,
1442 static int __init ebtables_init(void)
1446 ret = xt_register_target(&ebt_standard_target);
1449 ret = nf_register_sockopt(&ebt_sockopts);
1451 xt_unregister_target(&ebt_standard_target);
1455 printk(KERN_INFO "Ebtables v2.0 registered\n");
1459 static void __exit ebtables_fini(void)
1461 nf_unregister_sockopt(&ebt_sockopts);
1462 xt_unregister_target(&ebt_standard_target);
1463 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1466 EXPORT_SYMBOL(ebt_register_table);
1467 EXPORT_SYMBOL(ebt_unregister_table);
1468 EXPORT_SYMBOL(ebt_do_table);
1469 module_init(ebtables_init);
1470 module_exit(ebtables_fini);
1471 MODULE_LICENSE("GPL");