5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <linux/mutex.h>
28 #include <asm/uaccess.h>
29 #include <linux/smp.h>
30 #include <linux/cpumask.h>
32 /* needed for logical [in,out]-dev filtering */
33 #include "../br_private.h"
35 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
36 "report to author: "format, ## args)
37 /* #define BUGPRINT(format, args...) */
38 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
39 ": out of memory: "format, ## args)
40 /* #define MEMPRINT(format, args...) */
45 * Each cpu has its own set of counters, so there is no need for write_lock in
47 * For reading or updating the counters, the user context needs to
51 /* The size of each set of counters is altered to get cache alignment */
52 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
53 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
54 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
55 COUNTER_OFFSET(n) * cpu))
59 static DEFINE_MUTEX(ebt_mutex);
60 static LIST_HEAD(ebt_tables);
61 static LIST_HEAD(ebt_targets);
62 static LIST_HEAD(ebt_matches);
63 static LIST_HEAD(ebt_watchers);
65 static struct ebt_target ebt_standard_target =
66 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
68 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
69 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
70 const struct net_device *out)
72 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, const struct net_device *in,
80 const struct net_device *out)
82 return m->u.match->match(skb, in, out, m->data,
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
89 const char *devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
158 struct ebt_table_info *private;
160 read_lock_bh(&table->lock);
161 private = table->private;
162 cb_base = COUNTER_BASE(private->counters, private->nentries,
164 if (private->chainstack)
165 cs = private->chainstack[smp_processor_id()];
168 chaininfo = private->hook_entry[hook];
169 nentries = private->hook_entry[hook]->nentries;
170 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
171 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
172 /* base for chain jumps */
173 base = private->entries;
175 while (i < nentries) {
176 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
179 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
182 /* increase counter */
183 (*(counter_base + i)).pcnt++;
184 (*(counter_base + i)).bcnt+=(**pskb).len;
186 /* these should only watch: not modify, nor tell us
187 what to do with the packet */
188 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
191 t = (struct ebt_entry_target *)
192 (((char *)point) + point->target_offset);
193 /* standard target */
194 if (!t->u.target->target)
195 verdict = ((struct ebt_standard_target *)t)->verdict;
197 verdict = t->u.target->target(pskb, hook,
198 in, out, t->data, t->target_size);
199 if (verdict == EBT_ACCEPT) {
200 read_unlock_bh(&table->lock);
203 if (verdict == EBT_DROP) {
204 read_unlock_bh(&table->lock);
207 if (verdict == EBT_RETURN) {
209 #ifdef CONFIG_NETFILTER_DEBUG
211 BUGPRINT("RETURN on base chain");
212 /* act like this is EBT_CONTINUE */
217 /* put all the local variables right */
219 chaininfo = cs[sp].chaininfo;
220 nentries = chaininfo->nentries;
222 counter_base = cb_base +
223 chaininfo->counter_offset;
226 if (verdict == EBT_CONTINUE)
228 #ifdef CONFIG_NETFILTER_DEBUG
230 BUGPRINT("bogus standard verdict\n");
231 read_unlock_bh(&table->lock);
237 cs[sp].chaininfo = chaininfo;
238 cs[sp].e = (struct ebt_entry *)
239 (((char *)point) + point->next_offset);
241 chaininfo = (struct ebt_entries *) (base + verdict);
242 #ifdef CONFIG_NETFILTER_DEBUG
243 if (chaininfo->distinguisher) {
244 BUGPRINT("jump to non-chain\n");
245 read_unlock_bh(&table->lock);
249 nentries = chaininfo->nentries;
250 point = (struct ebt_entry *)chaininfo->data;
251 counter_base = cb_base + chaininfo->counter_offset;
255 point = (struct ebt_entry *)
256 (((char *)point) + point->next_offset);
260 /* I actually like this :) */
261 if (chaininfo->policy == EBT_RETURN)
263 if (chaininfo->policy == EBT_ACCEPT) {
264 read_unlock_bh(&table->lock);
267 read_unlock_bh(&table->lock);
271 /* If it succeeds, returns element and locks mutex */
273 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
277 struct list_head list;
278 char name[EBT_FUNCTION_MAXNAMELEN];
281 *error = mutex_lock_interruptible(mutex);
285 list_for_each_entry(e, head, list) {
286 if (strcmp(e->name, name) == 0)
295 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
298 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
299 int *error, struct mutex *mutex)
303 ret = find_inlist_lock_noload(head, name, error, mutex);
305 request_module("%s%s", prefix, name);
306 ret = find_inlist_lock_noload(head, name, error, mutex);
312 static inline struct ebt_table *
313 find_table_lock(const char *name, int *error, struct mutex *mutex)
315 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
318 static inline struct ebt_match *
319 find_match_lock(const char *name, int *error, struct mutex *mutex)
321 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
324 static inline struct ebt_watcher *
325 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
327 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
330 static inline struct ebt_target *
331 find_target_lock(const char *name, int *error, struct mutex *mutex)
333 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
337 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
338 const char *name, unsigned int hookmask, unsigned int *cnt)
340 struct ebt_match *match;
341 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
344 if (left < sizeof(struct ebt_entry_match) ||
345 left - sizeof(struct ebt_entry_match) < m->match_size)
347 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
351 if (!try_module_get(match->me)) {
352 mutex_unlock(&ebt_mutex);
355 mutex_unlock(&ebt_mutex);
357 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
358 BUGPRINT("match->check failed\n");
359 module_put(match->me);
367 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
368 const char *name, unsigned int hookmask, unsigned int *cnt)
370 struct ebt_watcher *watcher;
371 size_t left = ((char *)e + e->target_offset) - (char *)w;
374 if (left < sizeof(struct ebt_entry_watcher) ||
375 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
377 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
380 w->u.watcher = watcher;
381 if (!try_module_get(watcher->me)) {
382 mutex_unlock(&ebt_mutex);
385 mutex_unlock(&ebt_mutex);
386 if (watcher->check &&
387 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
388 BUGPRINT("watcher->check failed\n");
389 module_put(watcher->me);
396 static int ebt_verify_pointers(struct ebt_replace *repl,
397 struct ebt_table_info *newinfo)
399 unsigned int limit = repl->entries_size;
400 unsigned int valid_hooks = repl->valid_hooks;
401 unsigned int offset = 0;
404 for (i = 0; i < NF_BR_NUMHOOKS; i++)
405 newinfo->hook_entry[i] = NULL;
407 newinfo->entries_size = repl->entries_size;
408 newinfo->nentries = repl->nentries;
410 while (offset < limit) {
411 size_t left = limit - offset;
412 struct ebt_entry *e = (void *)newinfo->entries + offset;
414 if (left < sizeof(unsigned int))
417 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
418 if ((valid_hooks & (1 << i)) == 0)
420 if ((char *)repl->hook_entry[i] == repl->entries + offset)
424 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
425 if (e->bitmask != 0) {
426 /* we make userspace set this right,
427 so there is no misunderstanding */
428 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
429 "in distinguisher\n");
432 if (i != NF_BR_NUMHOOKS)
433 newinfo->hook_entry[i] = (struct ebt_entries *)e;
434 if (left < sizeof(struct ebt_entries))
436 offset += sizeof(struct ebt_entries);
438 if (left < sizeof(struct ebt_entry))
440 if (left < e->next_offset)
442 offset += e->next_offset;
445 if (offset != limit) {
446 BUGPRINT("entries_size too small\n");
450 /* check if all valid hooks have a chain */
451 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
452 if (!newinfo->hook_entry[i] &&
453 (valid_hooks & (1 << i))) {
454 BUGPRINT("Valid hook without chain\n");
462 * this one is very careful, as it is the first function
463 * to parse the userspace data
466 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
467 struct ebt_table_info *newinfo,
468 unsigned int *n, unsigned int *cnt,
469 unsigned int *totalcnt, unsigned int *udc_cnt)
473 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
474 if ((void *)e == (void *)newinfo->hook_entry[i])
477 /* beginning of a new chain
478 if i == NF_BR_NUMHOOKS it must be a user defined chain */
479 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
480 /* this checks if the previous chain has as many entries
483 BUGPRINT("nentries does not equal the nr of entries "
487 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
488 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
489 /* only RETURN from udc */
490 if (i != NF_BR_NUMHOOKS ||
491 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
492 BUGPRINT("bad policy\n");
496 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
498 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
499 BUGPRINT("counter_offset != totalcnt");
502 *n = ((struct ebt_entries *)e)->nentries;
506 /* a plain old entry, heh */
507 if (sizeof(struct ebt_entry) > e->watchers_offset ||
508 e->watchers_offset > e->target_offset ||
509 e->target_offset >= e->next_offset) {
510 BUGPRINT("entry offsets not in right order\n");
513 /* this is not checked anywhere else */
514 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
515 BUGPRINT("target size too small\n");
525 struct ebt_chainstack cs;
527 unsigned int hookmask;
531 * we need these positions to check that the jumps to a different part of the
532 * entries is a jump to the beginning of a new chain.
535 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
536 unsigned int *n, struct ebt_cl_stack *udc)
540 /* we're only interested in chain starts */
543 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
544 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
547 /* only care about udc */
548 if (i != NF_BR_NUMHOOKS)
551 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
552 /* these initialisations are depended on later in check_chainloops() */
554 udc[*n].hookmask = 0;
561 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
563 if (i && (*i)-- == 0)
565 if (m->u.match->destroy)
566 m->u.match->destroy(m->data, m->match_size);
567 module_put(m->u.match->me);
573 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
575 if (i && (*i)-- == 0)
577 if (w->u.watcher->destroy)
578 w->u.watcher->destroy(w->data, w->watcher_size);
579 module_put(w->u.watcher->me);
585 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
587 struct ebt_entry_target *t;
592 if (cnt && (*cnt)-- == 0)
594 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
595 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
596 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
597 if (t->u.target->destroy)
598 t->u.target->destroy(t->data, t->target_size);
599 module_put(t->u.target->me);
605 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
606 const char *name, unsigned int *cnt,
607 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
609 struct ebt_entry_target *t;
610 struct ebt_target *target;
611 unsigned int i, j, hook = 0, hookmask = 0;
612 size_t gap = e->next_offset - e->target_offset;
615 /* don't mess with the struct ebt_entries */
619 if (e->bitmask & ~EBT_F_MASK) {
620 BUGPRINT("Unknown flag for bitmask\n");
623 if (e->invflags & ~EBT_INV_MASK) {
624 BUGPRINT("Unknown flag for inv bitmask\n");
627 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
628 BUGPRINT("NOPROTO & 802_3 not allowed\n");
631 /* what hook do we belong to? */
632 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
633 if (!newinfo->hook_entry[i])
635 if ((char *)newinfo->hook_entry[i] < (char *)e)
640 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
642 if (i < NF_BR_NUMHOOKS)
643 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
645 for (i = 0; i < udc_cnt; i++)
646 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
649 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
651 hookmask = cl_s[i - 1].hookmask;
654 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
656 goto cleanup_matches;
658 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
660 goto cleanup_watchers;
661 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
662 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
664 goto cleanup_watchers;
665 if (!try_module_get(target->me)) {
666 mutex_unlock(&ebt_mutex);
668 goto cleanup_watchers;
670 mutex_unlock(&ebt_mutex);
672 t->u.target = target;
673 if (t->u.target == &ebt_standard_target) {
674 if (gap < sizeof(struct ebt_standard_target)) {
675 BUGPRINT("Standard target size too big\n");
677 goto cleanup_watchers;
679 if (((struct ebt_standard_target *)t)->verdict <
680 -NUM_STANDARD_TARGETS) {
681 BUGPRINT("Invalid standard target\n");
683 goto cleanup_watchers;
685 } else if (t->target_size > gap - sizeof(struct ebt_entry_target) ||
686 (t->u.target->check &&
687 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
688 module_put(t->u.target->me);
690 goto cleanup_watchers;
695 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
697 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
702 * checks for loops and sets the hook mask for udc
703 * the hook mask for udc tells us from which base chains the udc can be
704 * accessed. This mask is a parameter to the check() functions of the extensions
706 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
707 unsigned int udc_cnt, unsigned int hooknr, char *base)
709 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
710 struct ebt_entry *e = (struct ebt_entry *)chain->data;
711 struct ebt_entry_target *t;
713 while (pos < nentries || chain_nr != -1) {
714 /* end of udc, go back one 'recursion' step */
715 if (pos == nentries) {
716 /* put back values of the time when this chain was called */
717 e = cl_s[chain_nr].cs.e;
718 if (cl_s[chain_nr].from != -1)
720 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
722 nentries = chain->nentries;
723 pos = cl_s[chain_nr].cs.n;
724 /* make sure we won't see a loop that isn't one */
725 cl_s[chain_nr].cs.n = 0;
726 chain_nr = cl_s[chain_nr].from;
730 t = (struct ebt_entry_target *)
731 (((char *)e) + e->target_offset);
732 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
734 if (e->target_offset + sizeof(struct ebt_standard_target) >
736 BUGPRINT("Standard target size too big\n");
739 verdict = ((struct ebt_standard_target *)t)->verdict;
740 if (verdict >= 0) { /* jump to another chain */
741 struct ebt_entries *hlp2 =
742 (struct ebt_entries *)(base + verdict);
743 for (i = 0; i < udc_cnt; i++)
744 if (hlp2 == cl_s[i].cs.chaininfo)
746 /* bad destination or loop */
748 BUGPRINT("bad destination\n");
755 if (cl_s[i].hookmask & (1 << hooknr))
757 /* this can't be 0, so the loop test is correct */
758 cl_s[i].cs.n = pos + 1;
760 cl_s[i].cs.e = ((void *)e + e->next_offset);
761 e = (struct ebt_entry *)(hlp2->data);
762 nentries = hlp2->nentries;
763 cl_s[i].from = chain_nr;
765 /* this udc is accessible from the base chain for hooknr */
766 cl_s[i].hookmask |= (1 << hooknr);
770 e = (void *)e + e->next_offset;
776 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
777 static int translate_table(char *name, struct ebt_table_info *newinfo)
779 unsigned int i, j, k, udc_cnt;
781 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
784 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
786 if (i == NF_BR_NUMHOOKS) {
787 BUGPRINT("No valid hooks specified\n");
790 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
791 BUGPRINT("Chains don't start at beginning\n");
794 /* make sure chains are ordered after each other in same order
795 as their corresponding hooks */
796 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
797 if (!newinfo->hook_entry[j])
799 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
800 BUGPRINT("Hook order must be followed\n");
806 /* do some early checkings and initialize some things */
807 i = 0; /* holds the expected nr. of entries for the chain */
808 j = 0; /* holds the up to now counted entries for the chain */
809 k = 0; /* holds the total nr. of entries, should equal
810 newinfo->nentries afterwards */
811 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
812 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
813 ebt_check_entry_size_and_hooks, newinfo,
814 &i, &j, &k, &udc_cnt);
820 BUGPRINT("nentries does not equal the nr of entries in the "
824 if (k != newinfo->nentries) {
825 BUGPRINT("Total nentries is wrong\n");
829 /* get the location of the udc, put them in an array
830 while we're at it, allocate the chainstack */
832 /* this will get free'd in do_replace()/ebt_register_table()
833 if an error occurs */
834 newinfo->chainstack =
835 vmalloc((highest_possible_processor_id()+1)
836 * sizeof(*(newinfo->chainstack)));
837 if (!newinfo->chainstack)
839 for_each_possible_cpu(i) {
840 newinfo->chainstack[i] =
841 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
842 if (!newinfo->chainstack[i]) {
844 vfree(newinfo->chainstack[--i]);
845 vfree(newinfo->chainstack);
846 newinfo->chainstack = NULL;
851 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
854 i = 0; /* the i'th udc */
855 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
856 ebt_get_udc_positions, newinfo, &i, cl_s);
859 BUGPRINT("i != udc_cnt\n");
865 /* Check for loops */
866 for (i = 0; i < NF_BR_NUMHOOKS; i++)
867 if (newinfo->hook_entry[i])
868 if (check_chainloops(newinfo->hook_entry[i],
869 cl_s, udc_cnt, i, newinfo->entries)) {
874 /* we now know the following (along with E=mc²):
875 - the nr of entries in each chain is right
876 - the size of the allocated space is right
877 - all valid hooks have a corresponding chain
879 - wrong data can still be on the level of a single entry
880 - could be there are jumps to places that are not the
881 beginning of a chain. This can only occur in chains that
882 are not accessible from any base chains, so we don't care. */
884 /* used to know what we need to clean up if something goes wrong */
886 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
887 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
889 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
890 ebt_cleanup_entry, &i);
896 /* called under write_lock */
897 static void get_counters(struct ebt_counter *oldcounters,
898 struct ebt_counter *counters, unsigned int nentries)
901 struct ebt_counter *counter_base;
903 /* counters of cpu 0 */
904 memcpy(counters, oldcounters,
905 sizeof(struct ebt_counter) * nentries);
907 /* add other counters to those of cpu 0 */
908 for_each_possible_cpu(cpu) {
911 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
912 for (i = 0; i < nentries; i++) {
913 counters[i].pcnt += counter_base[i].pcnt;
914 counters[i].bcnt += counter_base[i].bcnt;
919 /* replace the table */
920 static int do_replace(void __user *user, unsigned int len)
922 int ret, i, countersize;
923 struct ebt_table_info *newinfo;
924 struct ebt_replace tmp;
926 struct ebt_counter *counterstmp = NULL;
927 /* used to be able to unlock earlier */
928 struct ebt_table_info *table;
930 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
933 if (len != sizeof(tmp) + tmp.entries_size) {
934 BUGPRINT("Wrong len argument\n");
938 if (tmp.entries_size == 0) {
939 BUGPRINT("Entries_size never zero\n");
943 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
944 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
946 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
949 countersize = COUNTER_OFFSET(tmp.nentries) *
950 (highest_possible_processor_id()+1);
951 newinfo = vmalloc(sizeof(*newinfo) + countersize);
956 memset(newinfo->counters, 0, countersize);
958 newinfo->entries = vmalloc(tmp.entries_size);
959 if (!newinfo->entries) {
964 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
965 BUGPRINT("Couldn't copy entries from userspace\n");
970 /* the user wants counters back
971 the check on the size is done later, when we have the lock */
972 if (tmp.num_counters) {
973 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
982 /* this can get initialized by translate_table() */
983 newinfo->chainstack = NULL;
984 ret = ebt_verify_pointers(&tmp, newinfo);
986 goto free_counterstmp;
988 ret = translate_table(tmp.name, newinfo);
991 goto free_counterstmp;
993 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
999 /* the table doesn't like it */
1000 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1003 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1004 BUGPRINT("Wrong nr. of counters requested\n");
1009 /* we have the mutex lock, so no danger in reading this pointer */
1011 /* make sure the table can only be rmmod'ed if it contains no rules */
1012 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1015 } else if (table->nentries && !newinfo->nentries)
1017 /* we need an atomic snapshot of the counters */
1018 write_lock_bh(&t->lock);
1019 if (tmp.num_counters)
1020 get_counters(t->private->counters, counterstmp,
1021 t->private->nentries);
1023 t->private = newinfo;
1024 write_unlock_bh(&t->lock);
1025 mutex_unlock(&ebt_mutex);
1026 /* so, a user can change the chains while having messed up her counter
1027 allocation. Only reason why this is done is because this way the lock
1028 is held only once, while this doesn't bring the kernel into a
1030 if (tmp.num_counters &&
1031 copy_to_user(tmp.counters, counterstmp,
1032 tmp.num_counters * sizeof(struct ebt_counter))) {
1033 BUGPRINT("Couldn't copy counters to userspace\n");
1039 /* decrease module count and free resources */
1040 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1041 ebt_cleanup_entry, NULL);
1043 vfree(table->entries);
1044 if (table->chainstack) {
1045 for_each_possible_cpu(i)
1046 vfree(table->chainstack[i]);
1047 vfree(table->chainstack);
1055 mutex_unlock(&ebt_mutex);
1057 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1058 ebt_cleanup_entry, NULL);
1061 /* can be initialized in translate_table() */
1062 if (newinfo->chainstack) {
1063 for_each_possible_cpu(i)
1064 vfree(newinfo->chainstack[i]);
1065 vfree(newinfo->chainstack);
1068 vfree(newinfo->entries);
1074 int ebt_register_target(struct ebt_target *target)
1076 struct ebt_target *t;
1079 ret = mutex_lock_interruptible(&ebt_mutex);
1082 list_for_each_entry(t, &ebt_targets, list) {
1083 if (strcmp(t->name, target->name) == 0) {
1084 mutex_unlock(&ebt_mutex);
1088 list_add(&target->list, &ebt_targets);
1089 mutex_unlock(&ebt_mutex);
1094 void ebt_unregister_target(struct ebt_target *target)
1096 mutex_lock(&ebt_mutex);
1097 list_del(&target->list);
1098 mutex_unlock(&ebt_mutex);
1101 int ebt_register_match(struct ebt_match *match)
1103 struct ebt_match *m;
1106 ret = mutex_lock_interruptible(&ebt_mutex);
1109 list_for_each_entry(m, &ebt_matches, list) {
1110 if (strcmp(m->name, match->name) == 0) {
1111 mutex_unlock(&ebt_mutex);
1115 list_add(&match->list, &ebt_matches);
1116 mutex_unlock(&ebt_mutex);
1121 void ebt_unregister_match(struct ebt_match *match)
1123 mutex_lock(&ebt_mutex);
1124 list_del(&match->list);
1125 mutex_unlock(&ebt_mutex);
1128 int ebt_register_watcher(struct ebt_watcher *watcher)
1130 struct ebt_watcher *w;
1133 ret = mutex_lock_interruptible(&ebt_mutex);
1136 list_for_each_entry(w, &ebt_watchers, list) {
1137 if (strcmp(w->name, watcher->name) == 0) {
1138 mutex_unlock(&ebt_mutex);
1142 list_add(&watcher->list, &ebt_watchers);
1143 mutex_unlock(&ebt_mutex);
1148 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1150 mutex_lock(&ebt_mutex);
1151 list_del(&watcher->list);
1152 mutex_unlock(&ebt_mutex);
1155 int ebt_register_table(struct ebt_table *table)
1157 struct ebt_table_info *newinfo;
1158 struct ebt_table *t;
1159 struct ebt_replace *repl;
1160 int ret, i, countersize;
1163 if (!table || !(repl = table->table) || !repl->entries ||
1164 repl->entries_size == 0 ||
1165 repl->counters || table->private) {
1166 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1170 countersize = COUNTER_OFFSET(repl->nentries) *
1171 (highest_possible_processor_id()+1);
1172 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1177 p = vmalloc(repl->entries_size);
1181 memcpy(p, repl->entries, repl->entries_size);
1182 newinfo->entries = p;
1184 newinfo->entries_size = repl->entries_size;
1185 newinfo->nentries = repl->nentries;
1188 memset(newinfo->counters, 0, countersize);
1190 /* fill in newinfo and parse the entries */
1191 newinfo->chainstack = NULL;
1192 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1193 if ((repl->valid_hooks & (1 << i)) == 0)
1194 newinfo->hook_entry[i] = NULL;
1196 newinfo->hook_entry[i] = p +
1197 ((char *)repl->hook_entry[i] - repl->entries);
1199 ret = translate_table(repl->name, newinfo);
1201 BUGPRINT("Translate_table failed\n");
1202 goto free_chainstack;
1205 if (table->check && table->check(newinfo, table->valid_hooks)) {
1206 BUGPRINT("The table doesn't like its own initial data, lol\n");
1210 table->private = newinfo;
1211 rwlock_init(&table->lock);
1212 ret = mutex_lock_interruptible(&ebt_mutex);
1214 goto free_chainstack;
1216 list_for_each_entry(t, &ebt_tables, list) {
1217 if (strcmp(t->name, table->name) == 0) {
1219 BUGPRINT("Table name already exists\n");
1224 /* Hold a reference count if the chains aren't empty */
1225 if (newinfo->nentries && !try_module_get(table->me)) {
1229 list_add(&table->list, &ebt_tables);
1230 mutex_unlock(&ebt_mutex);
1233 mutex_unlock(&ebt_mutex);
1235 if (newinfo->chainstack) {
1236 for_each_possible_cpu(i)
1237 vfree(newinfo->chainstack[i]);
1238 vfree(newinfo->chainstack);
1240 vfree(newinfo->entries);
1246 void ebt_unregister_table(struct ebt_table *table)
1251 BUGPRINT("Request to unregister NULL table!!!\n");
1254 mutex_lock(&ebt_mutex);
1255 list_del(&table->list);
1256 mutex_unlock(&ebt_mutex);
1257 vfree(table->private->entries);
1258 if (table->private->chainstack) {
1259 for_each_possible_cpu(i)
1260 vfree(table->private->chainstack[i]);
1261 vfree(table->private->chainstack);
1263 vfree(table->private);
1266 /* userspace just supplied us with counters */
1267 static int update_counters(void __user *user, unsigned int len)
1270 struct ebt_counter *tmp;
1271 struct ebt_replace hlp;
1272 struct ebt_table *t;
1274 if (copy_from_user(&hlp, user, sizeof(hlp)))
1277 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1279 if (hlp.num_counters == 0)
1282 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1283 MEMPRINT("Update_counters && nomemory\n");
1287 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1291 if (hlp.num_counters != t->private->nentries) {
1292 BUGPRINT("Wrong nr of counters\n");
1297 if ( copy_from_user(tmp, hlp.counters,
1298 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1299 BUGPRINT("Updata_counters && !cfu\n");
1304 /* we want an atomic add of the counters */
1305 write_lock_bh(&t->lock);
1307 /* we add to the counters of the first cpu */
1308 for (i = 0; i < hlp.num_counters; i++) {
1309 t->private->counters[i].pcnt += tmp[i].pcnt;
1310 t->private->counters[i].bcnt += tmp[i].bcnt;
1313 write_unlock_bh(&t->lock);
1316 mutex_unlock(&ebt_mutex);
1322 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1323 char *base, char *ubase)
1325 char *hlp = ubase - base + (char *)m;
1326 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1331 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1332 char *base, char *ubase)
1334 char *hlp = ubase - base + (char *)w;
1335 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1340 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1344 struct ebt_entry_target *t;
1346 if (e->bitmask == 0)
1349 hlp = ubase - base + (char *)e + e->target_offset;
1350 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1352 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1355 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1358 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1363 /* called with ebt_mutex locked */
1364 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1367 struct ebt_replace tmp;
1368 struct ebt_counter *counterstmp, *oldcounters;
1369 unsigned int entries_size, nentries;
1372 if (cmd == EBT_SO_GET_ENTRIES) {
1373 entries_size = t->private->entries_size;
1374 nentries = t->private->nentries;
1375 entries = t->private->entries;
1376 oldcounters = t->private->counters;
1378 entries_size = t->table->entries_size;
1379 nentries = t->table->nentries;
1380 entries = t->table->entries;
1381 oldcounters = t->table->counters;
1384 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1385 BUGPRINT("Cfu didn't work\n");
1389 if (*len != sizeof(struct ebt_replace) + entries_size +
1390 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1391 BUGPRINT("Wrong size\n");
1395 if (tmp.nentries != nentries) {
1396 BUGPRINT("Nentries wrong\n");
1400 if (tmp.entries_size != entries_size) {
1401 BUGPRINT("Wrong size\n");
1405 /* userspace might not need the counters */
1406 if (tmp.num_counters) {
1407 if (tmp.num_counters != nentries) {
1408 BUGPRINT("Num_counters wrong\n");
1411 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1413 MEMPRINT("Couldn't copy counters, out of memory\n");
1416 write_lock_bh(&t->lock);
1417 get_counters(oldcounters, counterstmp, nentries);
1418 write_unlock_bh(&t->lock);
1420 if (copy_to_user(tmp.counters, counterstmp,
1421 nentries * sizeof(struct ebt_counter))) {
1422 BUGPRINT("Couldn't copy counters to userspace\n");
1429 if (copy_to_user(tmp.entries, entries, entries_size)) {
1430 BUGPRINT("Couldn't copy entries to userspace\n");
1433 /* set the match/watcher/target names right */
1434 return EBT_ENTRY_ITERATE(entries, entries_size,
1435 ebt_make_names, entries, tmp.entries);
1438 static int do_ebt_set_ctl(struct sock *sk,
1439 int cmd, void __user *user, unsigned int len)
1444 case EBT_SO_SET_ENTRIES:
1445 ret = do_replace(user, len);
1447 case EBT_SO_SET_COUNTERS:
1448 ret = update_counters(user, len);
1456 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1459 struct ebt_replace tmp;
1460 struct ebt_table *t;
1462 if (copy_from_user(&tmp, user, sizeof(tmp)))
1465 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1470 case EBT_SO_GET_INFO:
1471 case EBT_SO_GET_INIT_INFO:
1472 if (*len != sizeof(struct ebt_replace)){
1474 mutex_unlock(&ebt_mutex);
1477 if (cmd == EBT_SO_GET_INFO) {
1478 tmp.nentries = t->private->nentries;
1479 tmp.entries_size = t->private->entries_size;
1480 tmp.valid_hooks = t->valid_hooks;
1482 tmp.nentries = t->table->nentries;
1483 tmp.entries_size = t->table->entries_size;
1484 tmp.valid_hooks = t->table->valid_hooks;
1486 mutex_unlock(&ebt_mutex);
1487 if (copy_to_user(user, &tmp, *len) != 0){
1488 BUGPRINT("c2u Didn't work\n");
1495 case EBT_SO_GET_ENTRIES:
1496 case EBT_SO_GET_INIT_ENTRIES:
1497 ret = copy_everything_to_user(t, user, len, cmd);
1498 mutex_unlock(&ebt_mutex);
1502 mutex_unlock(&ebt_mutex);
1509 static struct nf_sockopt_ops ebt_sockopts =
1512 .set_optmin = EBT_BASE_CTL,
1513 .set_optmax = EBT_SO_SET_MAX + 1,
1514 .set = do_ebt_set_ctl,
1515 .get_optmin = EBT_BASE_CTL,
1516 .get_optmax = EBT_SO_GET_MAX + 1,
1517 .get = do_ebt_get_ctl,
1520 static int __init ebtables_init(void)
1524 mutex_lock(&ebt_mutex);
1525 list_add(&ebt_standard_target.list, &ebt_targets);
1526 mutex_unlock(&ebt_mutex);
1527 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1530 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1534 static void __exit ebtables_fini(void)
1536 nf_unregister_sockopt(&ebt_sockopts);
1537 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1540 EXPORT_SYMBOL(ebt_register_table);
1541 EXPORT_SYMBOL(ebt_unregister_table);
1542 EXPORT_SYMBOL(ebt_register_match);
1543 EXPORT_SYMBOL(ebt_unregister_match);
1544 EXPORT_SYMBOL(ebt_register_watcher);
1545 EXPORT_SYMBOL(ebt_unregister_watcher);
1546 EXPORT_SYMBOL(ebt_register_target);
1547 EXPORT_SYMBOL(ebt_unregister_target);
1548 EXPORT_SYMBOL(ebt_do_table);
1549 module_init(ebtables_init);
1550 module_exit(ebtables_fini);
1551 MODULE_LICENSE("GPL");
projects / linux-2.6 / blob