5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <linux/mutex.h>
28 #include <asm/uaccess.h>
29 #include <linux/smp.h>
30 #include <linux/cpumask.h>
32 /* needed for logical [in,out]-dev filtering */
33 #include "../br_private.h"
35 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
36 "report to author: "format, ## args)
37 /* #define BUGPRINT(format, args...) */
38 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
39 ": out of memory: "format, ## args)
40 /* #define MEMPRINT(format, args...) */
45 * Each cpu has its own set of counters, so there is no need for write_lock in
47 * For reading or updating the counters, the user context needs to
51 /* The size of each set of counters is altered to get cache alignment */
52 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
53 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
54 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
55 COUNTER_OFFSET(n) * cpu))
59 static DEFINE_MUTEX(ebt_mutex);
60 static LIST_HEAD(ebt_tables);
61 static LIST_HEAD(ebt_targets);
62 static LIST_HEAD(ebt_matches);
63 static LIST_HEAD(ebt_watchers);
65 static struct ebt_target ebt_standard_target =
66 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
68 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
69 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
70 const struct net_device *out)
72 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, const struct net_device *in,
80 const struct net_device *out)
82 return m->u.match->match(skb, in, out, m->data,
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
89 const char *devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
158 struct ebt_table_info *private;
160 read_lock_bh(&table->lock);
161 private = table->private;
162 cb_base = COUNTER_BASE(private->counters, private->nentries,
164 if (private->chainstack)
165 cs = private->chainstack[smp_processor_id()];
168 chaininfo = private->hook_entry[hook];
169 nentries = private->hook_entry[hook]->nentries;
170 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
171 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
172 /* base for chain jumps */
173 base = private->entries;
175 while (i < nentries) {
176 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
179 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
182 /* increase counter */
183 (*(counter_base + i)).pcnt++;
184 (*(counter_base + i)).bcnt+=(**pskb).len;
186 /* these should only watch: not modify, nor tell us
187 what to do with the packet */
188 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
191 t = (struct ebt_entry_target *)
192 (((char *)point) + point->target_offset);
193 /* standard target */
194 if (!t->u.target->target)
195 verdict = ((struct ebt_standard_target *)t)->verdict;
197 verdict = t->u.target->target(pskb, hook,
198 in, out, t->data, t->target_size);
199 if (verdict == EBT_ACCEPT) {
200 read_unlock_bh(&table->lock);
203 if (verdict == EBT_DROP) {
204 read_unlock_bh(&table->lock);
207 if (verdict == EBT_RETURN) {
209 #ifdef CONFIG_NETFILTER_DEBUG
211 BUGPRINT("RETURN on base chain");
212 /* act like this is EBT_CONTINUE */
217 /* put all the local variables right */
219 chaininfo = cs[sp].chaininfo;
220 nentries = chaininfo->nentries;
222 counter_base = cb_base +
223 chaininfo->counter_offset;
226 if (verdict == EBT_CONTINUE)
228 #ifdef CONFIG_NETFILTER_DEBUG
230 BUGPRINT("bogus standard verdict\n");
231 read_unlock_bh(&table->lock);
237 cs[sp].chaininfo = chaininfo;
238 cs[sp].e = (struct ebt_entry *)
239 (((char *)point) + point->next_offset);
241 chaininfo = (struct ebt_entries *) (base + verdict);
242 #ifdef CONFIG_NETFILTER_DEBUG
243 if (chaininfo->distinguisher) {
244 BUGPRINT("jump to non-chain\n");
245 read_unlock_bh(&table->lock);
249 nentries = chaininfo->nentries;
250 point = (struct ebt_entry *)chaininfo->data;
251 counter_base = cb_base + chaininfo->counter_offset;
255 point = (struct ebt_entry *)
256 (((char *)point) + point->next_offset);
260 /* I actually like this :) */
261 if (chaininfo->policy == EBT_RETURN)
263 if (chaininfo->policy == EBT_ACCEPT) {
264 read_unlock_bh(&table->lock);
267 read_unlock_bh(&table->lock);
271 /* If it succeeds, returns element and locks mutex */
273 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
277 struct list_head list;
278 char name[EBT_FUNCTION_MAXNAMELEN];
281 *error = mutex_lock_interruptible(mutex);
285 list_for_each_entry(e, head, list) {
286 if (strcmp(e->name, name) == 0)
295 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
298 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
299 int *error, struct mutex *mutex)
303 ret = find_inlist_lock_noload(head, name, error, mutex);
305 request_module("%s%s", prefix, name);
306 ret = find_inlist_lock_noload(head, name, error, mutex);
312 static inline struct ebt_table *
313 find_table_lock(const char *name, int *error, struct mutex *mutex)
315 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
318 static inline struct ebt_match *
319 find_match_lock(const char *name, int *error, struct mutex *mutex)
321 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
324 static inline struct ebt_watcher *
325 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
327 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
330 static inline struct ebt_target *
331 find_target_lock(const char *name, int *error, struct mutex *mutex)
333 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
337 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
338 const char *name, unsigned int hookmask, unsigned int *cnt)
340 struct ebt_match *match;
341 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
344 if (left < sizeof(struct ebt_entry_match) ||
345 left - sizeof(struct ebt_entry_match) < m->match_size)
347 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
351 if (!try_module_get(match->me)) {
352 mutex_unlock(&ebt_mutex);
355 mutex_unlock(&ebt_mutex);
357 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
358 BUGPRINT("match->check failed\n");
359 module_put(match->me);
367 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
368 const char *name, unsigned int hookmask, unsigned int *cnt)
370 struct ebt_watcher *watcher;
371 size_t left = ((char *)e + e->target_offset) - (char *)w;
374 if (left < sizeof(struct ebt_entry_watcher) ||
375 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
377 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
380 w->u.watcher = watcher;
381 if (!try_module_get(watcher->me)) {
382 mutex_unlock(&ebt_mutex);
385 mutex_unlock(&ebt_mutex);
386 if (watcher->check &&
387 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
388 BUGPRINT("watcher->check failed\n");
389 module_put(watcher->me);
397 * this one is very careful, as it is the first function
398 * to parse the userspace data
401 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
402 struct ebt_table_info *newinfo, char *base, char *limit,
403 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
404 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
406 unsigned int offset = (char *)e - newinfo->entries;
407 size_t left = (limit - base) - offset;
410 if (left < sizeof(unsigned int))
413 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
414 if ((valid_hooks & (1 << i)) == 0)
416 if ((char *)hook_entries[i] == base + offset)
419 /* beginning of a new chain
420 if i == NF_BR_NUMHOOKS it must be a user defined chain */
421 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
422 if (e->bitmask != 0) {
423 /* we make userspace set this right,
424 so there is no misunderstanding */
425 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
426 "in distinguisher\n");
429 /* this checks if the previous chain has as many entries
432 BUGPRINT("nentries does not equal the nr of entries "
436 /* before we look at the struct, be sure it is not too big */
437 if (left < sizeof(struct ebt_entries))
439 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
440 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
441 /* only RETURN from udc */
442 if (i != NF_BR_NUMHOOKS ||
443 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
444 BUGPRINT("bad policy\n");
448 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
451 newinfo->hook_entry[i] = (struct ebt_entries *)e;
452 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
453 BUGPRINT("counter_offset != totalcnt");
456 *n = ((struct ebt_entries *)e)->nentries;
460 /* a plain old entry, heh */
461 if (left < sizeof(struct ebt_entry))
463 if (sizeof(struct ebt_entry) > e->watchers_offset ||
464 e->watchers_offset > e->target_offset ||
465 e->target_offset >= e->next_offset) {
466 BUGPRINT("entry offsets not in right order\n");
469 /* this is not checked anywhere else */
470 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
471 BUGPRINT("target size too small\n");
474 if (left < e->next_offset)
482 BUGPRINT("entries_size too small\n");
488 struct ebt_chainstack cs;
490 unsigned int hookmask;
494 * we need these positions to check that the jumps to a different part of the
495 * entries is a jump to the beginning of a new chain.
498 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
499 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
500 struct ebt_cl_stack *udc)
504 /* we're only interested in chain starts */
507 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
508 if ((valid_hooks & (1 << i)) == 0)
510 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
513 /* only care about udc */
514 if (i != NF_BR_NUMHOOKS)
517 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
518 /* these initialisations are depended on later in check_chainloops() */
520 udc[*n].hookmask = 0;
527 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
529 if (i && (*i)-- == 0)
531 if (m->u.match->destroy)
532 m->u.match->destroy(m->data, m->match_size);
533 module_put(m->u.match->me);
539 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
541 if (i && (*i)-- == 0)
543 if (w->u.watcher->destroy)
544 w->u.watcher->destroy(w->data, w->watcher_size);
545 module_put(w->u.watcher->me);
551 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
553 struct ebt_entry_target *t;
558 if (cnt && (*cnt)-- == 0)
560 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
561 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
562 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
563 if (t->u.target->destroy)
564 t->u.target->destroy(t->data, t->target_size);
565 module_put(t->u.target->me);
571 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
572 const char *name, unsigned int *cnt, unsigned int valid_hooks,
573 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
575 struct ebt_entry_target *t;
576 struct ebt_target *target;
577 unsigned int i, j, hook = 0, hookmask = 0;
578 size_t gap = e->next_offset - e->target_offset;
581 /* don't mess with the struct ebt_entries */
585 if (e->bitmask & ~EBT_F_MASK) {
586 BUGPRINT("Unknown flag for bitmask\n");
589 if (e->invflags & ~EBT_INV_MASK) {
590 BUGPRINT("Unknown flag for inv bitmask\n");
593 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
594 BUGPRINT("NOPROTO & 802_3 not allowed\n");
597 /* what hook do we belong to? */
598 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
599 if ((valid_hooks & (1 << i)) == 0)
601 if ((char *)newinfo->hook_entry[i] < (char *)e)
606 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
608 if (i < NF_BR_NUMHOOKS)
609 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
611 for (i = 0; i < udc_cnt; i++)
612 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
615 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
617 hookmask = cl_s[i - 1].hookmask;
620 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
622 goto cleanup_matches;
624 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
626 goto cleanup_watchers;
627 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
628 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
630 goto cleanup_watchers;
631 if (!try_module_get(target->me)) {
632 mutex_unlock(&ebt_mutex);
634 goto cleanup_watchers;
636 mutex_unlock(&ebt_mutex);
638 t->u.target = target;
639 if (t->u.target == &ebt_standard_target) {
640 if (gap < sizeof(struct ebt_standard_target)) {
641 BUGPRINT("Standard target size too big\n");
643 goto cleanup_watchers;
645 if (((struct ebt_standard_target *)t)->verdict <
646 -NUM_STANDARD_TARGETS) {
647 BUGPRINT("Invalid standard target\n");
649 goto cleanup_watchers;
651 } else if (t->target_size > gap - sizeof(struct ebt_entry_target) ||
652 (t->u.target->check &&
653 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
654 module_put(t->u.target->me);
656 goto cleanup_watchers;
661 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
663 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
668 * checks for loops and sets the hook mask for udc
669 * the hook mask for udc tells us from which base chains the udc can be
670 * accessed. This mask is a parameter to the check() functions of the extensions
672 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
673 unsigned int udc_cnt, unsigned int hooknr, char *base)
675 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
676 struct ebt_entry *e = (struct ebt_entry *)chain->data;
677 struct ebt_entry_target *t;
679 while (pos < nentries || chain_nr != -1) {
680 /* end of udc, go back one 'recursion' step */
681 if (pos == nentries) {
682 /* put back values of the time when this chain was called */
683 e = cl_s[chain_nr].cs.e;
684 if (cl_s[chain_nr].from != -1)
686 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
688 nentries = chain->nentries;
689 pos = cl_s[chain_nr].cs.n;
690 /* make sure we won't see a loop that isn't one */
691 cl_s[chain_nr].cs.n = 0;
692 chain_nr = cl_s[chain_nr].from;
696 t = (struct ebt_entry_target *)
697 (((char *)e) + e->target_offset);
698 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
700 if (e->target_offset + sizeof(struct ebt_standard_target) >
702 BUGPRINT("Standard target size too big\n");
705 verdict = ((struct ebt_standard_target *)t)->verdict;
706 if (verdict >= 0) { /* jump to another chain */
707 struct ebt_entries *hlp2 =
708 (struct ebt_entries *)(base + verdict);
709 for (i = 0; i < udc_cnt; i++)
710 if (hlp2 == cl_s[i].cs.chaininfo)
712 /* bad destination or loop */
714 BUGPRINT("bad destination\n");
721 if (cl_s[i].hookmask & (1 << hooknr))
723 /* this can't be 0, so the loop test is correct */
724 cl_s[i].cs.n = pos + 1;
726 cl_s[i].cs.e = ((void *)e + e->next_offset);
727 e = (struct ebt_entry *)(hlp2->data);
728 nentries = hlp2->nentries;
729 cl_s[i].from = chain_nr;
731 /* this udc is accessible from the base chain for hooknr */
732 cl_s[i].hookmask |= (1 << hooknr);
736 e = (void *)e + e->next_offset;
742 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
743 static int translate_table(struct ebt_replace *repl,
744 struct ebt_table_info *newinfo)
746 unsigned int i, j, k, udc_cnt;
748 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
751 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
753 if (i == NF_BR_NUMHOOKS) {
754 BUGPRINT("No valid hooks specified\n");
757 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
758 BUGPRINT("Chains don't start at beginning\n");
761 /* make sure chains are ordered after each other in same order
762 as their corresponding hooks */
763 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
764 if (!(repl->valid_hooks & (1 << j)))
766 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
767 BUGPRINT("Hook order must be followed\n");
773 for (i = 0; i < NF_BR_NUMHOOKS; i++)
774 newinfo->hook_entry[i] = NULL;
776 newinfo->entries_size = repl->entries_size;
777 newinfo->nentries = repl->nentries;
779 /* do some early checkings and initialize some things */
780 i = 0; /* holds the expected nr. of entries for the chain */
781 j = 0; /* holds the up to now counted entries for the chain */
782 k = 0; /* holds the total nr. of entries, should equal
783 newinfo->nentries afterwards */
784 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
785 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
786 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
787 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
788 &udc_cnt, repl->valid_hooks);
794 BUGPRINT("nentries does not equal the nr of entries in the "
798 if (k != newinfo->nentries) {
799 BUGPRINT("Total nentries is wrong\n");
803 /* check if all valid hooks have a chain */
804 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
805 if (newinfo->hook_entry[i] == NULL &&
806 (repl->valid_hooks & (1 << i))) {
807 BUGPRINT("Valid hook without chain\n");
812 /* get the location of the udc, put them in an array
813 while we're at it, allocate the chainstack */
815 /* this will get free'd in do_replace()/ebt_register_table()
816 if an error occurs */
817 newinfo->chainstack =
818 vmalloc((highest_possible_processor_id()+1)
819 * sizeof(*(newinfo->chainstack)));
820 if (!newinfo->chainstack)
822 for_each_possible_cpu(i) {
823 newinfo->chainstack[i] =
824 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
825 if (!newinfo->chainstack[i]) {
827 vfree(newinfo->chainstack[--i]);
828 vfree(newinfo->chainstack);
829 newinfo->chainstack = NULL;
834 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
837 i = 0; /* the i'th udc */
838 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
839 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
840 repl->valid_hooks, cl_s);
843 BUGPRINT("i != udc_cnt\n");
849 /* Check for loops */
850 for (i = 0; i < NF_BR_NUMHOOKS; i++)
851 if (repl->valid_hooks & (1 << i))
852 if (check_chainloops(newinfo->hook_entry[i],
853 cl_s, udc_cnt, i, newinfo->entries)) {
858 /* we now know the following (along with E=mc²):
859 - the nr of entries in each chain is right
860 - the size of the allocated space is right
861 - all valid hooks have a corresponding chain
863 - wrong data can still be on the level of a single entry
864 - could be there are jumps to places that are not the
865 beginning of a chain. This can only occur in chains that
866 are not accessible from any base chains, so we don't care. */
868 /* used to know what we need to clean up if something goes wrong */
870 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
871 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
874 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
875 ebt_cleanup_entry, &i);
881 /* called under write_lock */
882 static void get_counters(struct ebt_counter *oldcounters,
883 struct ebt_counter *counters, unsigned int nentries)
886 struct ebt_counter *counter_base;
888 /* counters of cpu 0 */
889 memcpy(counters, oldcounters,
890 sizeof(struct ebt_counter) * nentries);
892 /* add other counters to those of cpu 0 */
893 for_each_possible_cpu(cpu) {
896 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
897 for (i = 0; i < nentries; i++) {
898 counters[i].pcnt += counter_base[i].pcnt;
899 counters[i].bcnt += counter_base[i].bcnt;
904 /* replace the table */
905 static int do_replace(void __user *user, unsigned int len)
907 int ret, i, countersize;
908 struct ebt_table_info *newinfo;
909 struct ebt_replace tmp;
911 struct ebt_counter *counterstmp = NULL;
912 /* used to be able to unlock earlier */
913 struct ebt_table_info *table;
915 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
918 if (len != sizeof(tmp) + tmp.entries_size) {
919 BUGPRINT("Wrong len argument\n");
923 if (tmp.entries_size == 0) {
924 BUGPRINT("Entries_size never zero\n");
928 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
929 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
931 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
934 countersize = COUNTER_OFFSET(tmp.nentries) *
935 (highest_possible_processor_id()+1);
936 newinfo = vmalloc(sizeof(*newinfo) + countersize);
941 memset(newinfo->counters, 0, countersize);
943 newinfo->entries = vmalloc(tmp.entries_size);
944 if (!newinfo->entries) {
949 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
950 BUGPRINT("Couldn't copy entries from userspace\n");
955 /* the user wants counters back
956 the check on the size is done later, when we have the lock */
957 if (tmp.num_counters) {
958 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
967 /* this can get initialized by translate_table() */
968 newinfo->chainstack = NULL;
969 ret = translate_table(&tmp, newinfo);
972 goto free_counterstmp;
974 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
980 /* the table doesn't like it */
981 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
984 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
985 BUGPRINT("Wrong nr. of counters requested\n");
990 /* we have the mutex lock, so no danger in reading this pointer */
992 /* make sure the table can only be rmmod'ed if it contains no rules */
993 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
996 } else if (table->nentries && !newinfo->nentries)
998 /* we need an atomic snapshot of the counters */
999 write_lock_bh(&t->lock);
1000 if (tmp.num_counters)
1001 get_counters(t->private->counters, counterstmp,
1002 t->private->nentries);
1004 t->private = newinfo;
1005 write_unlock_bh(&t->lock);
1006 mutex_unlock(&ebt_mutex);
1007 /* so, a user can change the chains while having messed up her counter
1008 allocation. Only reason why this is done is because this way the lock
1009 is held only once, while this doesn't bring the kernel into a
1011 if (tmp.num_counters &&
1012 copy_to_user(tmp.counters, counterstmp,
1013 tmp.num_counters * sizeof(struct ebt_counter))) {
1014 BUGPRINT("Couldn't copy counters to userspace\n");
1020 /* decrease module count and free resources */
1021 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1022 ebt_cleanup_entry, NULL);
1024 vfree(table->entries);
1025 if (table->chainstack) {
1026 for_each_possible_cpu(i)
1027 vfree(table->chainstack[i]);
1028 vfree(table->chainstack);
1036 mutex_unlock(&ebt_mutex);
1038 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1039 ebt_cleanup_entry, NULL);
1042 /* can be initialized in translate_table() */
1043 if (newinfo->chainstack) {
1044 for_each_possible_cpu(i)
1045 vfree(newinfo->chainstack[i]);
1046 vfree(newinfo->chainstack);
1049 vfree(newinfo->entries);
1055 int ebt_register_target(struct ebt_target *target)
1057 struct ebt_target *t;
1060 ret = mutex_lock_interruptible(&ebt_mutex);
1063 list_for_each_entry(t, &ebt_targets, list) {
1064 if (strcmp(t->name, target->name) == 0) {
1065 mutex_unlock(&ebt_mutex);
1069 list_add(&target->list, &ebt_targets);
1070 mutex_unlock(&ebt_mutex);
1075 void ebt_unregister_target(struct ebt_target *target)
1077 mutex_lock(&ebt_mutex);
1078 list_del(&target->list);
1079 mutex_unlock(&ebt_mutex);
1082 int ebt_register_match(struct ebt_match *match)
1084 struct ebt_match *m;
1087 ret = mutex_lock_interruptible(&ebt_mutex);
1090 list_for_each_entry(m, &ebt_matches, list) {
1091 if (strcmp(m->name, match->name) == 0) {
1092 mutex_unlock(&ebt_mutex);
1096 list_add(&match->list, &ebt_matches);
1097 mutex_unlock(&ebt_mutex);
1102 void ebt_unregister_match(struct ebt_match *match)
1104 mutex_lock(&ebt_mutex);
1105 list_del(&match->list);
1106 mutex_unlock(&ebt_mutex);
1109 int ebt_register_watcher(struct ebt_watcher *watcher)
1111 struct ebt_watcher *w;
1114 ret = mutex_lock_interruptible(&ebt_mutex);
1117 list_for_each_entry(w, &ebt_watchers, list) {
1118 if (strcmp(w->name, watcher->name) == 0) {
1119 mutex_unlock(&ebt_mutex);
1123 list_add(&watcher->list, &ebt_watchers);
1124 mutex_unlock(&ebt_mutex);
1129 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1131 mutex_lock(&ebt_mutex);
1132 list_del(&watcher->list);
1133 mutex_unlock(&ebt_mutex);
1136 int ebt_register_table(struct ebt_table *table)
1138 struct ebt_table_info *newinfo;
1139 struct ebt_table *t;
1140 int ret, i, countersize;
1142 if (!table || !table->table ||!table->table->entries ||
1143 table->table->entries_size == 0 ||
1144 table->table->counters || table->private) {
1145 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1149 countersize = COUNTER_OFFSET(table->table->nentries) *
1150 (highest_possible_processor_id()+1);
1151 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1156 newinfo->entries = vmalloc(table->table->entries_size);
1157 if (!(newinfo->entries))
1160 memcpy(newinfo->entries, table->table->entries,
1161 table->table->entries_size);
1164 memset(newinfo->counters, 0, countersize);
1166 /* fill in newinfo and parse the entries */
1167 newinfo->chainstack = NULL;
1168 ret = translate_table(table->table, newinfo);
1170 BUGPRINT("Translate_table failed\n");
1171 goto free_chainstack;
1174 if (table->check && table->check(newinfo, table->valid_hooks)) {
1175 BUGPRINT("The table doesn't like its own initial data, lol\n");
1179 table->private = newinfo;
1180 rwlock_init(&table->lock);
1181 ret = mutex_lock_interruptible(&ebt_mutex);
1183 goto free_chainstack;
1185 list_for_each_entry(t, &ebt_tables, list) {
1186 if (strcmp(t->name, table->name) == 0) {
1188 BUGPRINT("Table name already exists\n");
1193 /* Hold a reference count if the chains aren't empty */
1194 if (newinfo->nentries && !try_module_get(table->me)) {
1198 list_add(&table->list, &ebt_tables);
1199 mutex_unlock(&ebt_mutex);
1202 mutex_unlock(&ebt_mutex);
1204 if (newinfo->chainstack) {
1205 for_each_possible_cpu(i)
1206 vfree(newinfo->chainstack[i]);
1207 vfree(newinfo->chainstack);
1209 vfree(newinfo->entries);
1215 void ebt_unregister_table(struct ebt_table *table)
1220 BUGPRINT("Request to unregister NULL table!!!\n");
1223 mutex_lock(&ebt_mutex);
1224 list_del(&table->list);
1225 mutex_unlock(&ebt_mutex);
1226 vfree(table->private->entries);
1227 if (table->private->chainstack) {
1228 for_each_possible_cpu(i)
1229 vfree(table->private->chainstack[i]);
1230 vfree(table->private->chainstack);
1232 vfree(table->private);
1235 /* userspace just supplied us with counters */
1236 static int update_counters(void __user *user, unsigned int len)
1239 struct ebt_counter *tmp;
1240 struct ebt_replace hlp;
1241 struct ebt_table *t;
1243 if (copy_from_user(&hlp, user, sizeof(hlp)))
1246 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1248 if (hlp.num_counters == 0)
1251 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1252 MEMPRINT("Update_counters && nomemory\n");
1256 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1260 if (hlp.num_counters != t->private->nentries) {
1261 BUGPRINT("Wrong nr of counters\n");
1266 if ( copy_from_user(tmp, hlp.counters,
1267 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1268 BUGPRINT("Updata_counters && !cfu\n");
1273 /* we want an atomic add of the counters */
1274 write_lock_bh(&t->lock);
1276 /* we add to the counters of the first cpu */
1277 for (i = 0; i < hlp.num_counters; i++) {
1278 t->private->counters[i].pcnt += tmp[i].pcnt;
1279 t->private->counters[i].bcnt += tmp[i].bcnt;
1282 write_unlock_bh(&t->lock);
1285 mutex_unlock(&ebt_mutex);
1291 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1292 char *base, char *ubase)
1294 char *hlp = ubase - base + (char *)m;
1295 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1300 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1301 char *base, char *ubase)
1303 char *hlp = ubase - base + (char *)w;
1304 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1309 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1313 struct ebt_entry_target *t;
1315 if (e->bitmask == 0)
1318 hlp = ubase - base + (char *)e + e->target_offset;
1319 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1321 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1324 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1327 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1332 /* called with ebt_mutex locked */
1333 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1336 struct ebt_replace tmp;
1337 struct ebt_counter *counterstmp, *oldcounters;
1338 unsigned int entries_size, nentries;
1341 if (cmd == EBT_SO_GET_ENTRIES) {
1342 entries_size = t->private->entries_size;
1343 nentries = t->private->nentries;
1344 entries = t->private->entries;
1345 oldcounters = t->private->counters;
1347 entries_size = t->table->entries_size;
1348 nentries = t->table->nentries;
1349 entries = t->table->entries;
1350 oldcounters = t->table->counters;
1353 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1354 BUGPRINT("Cfu didn't work\n");
1358 if (*len != sizeof(struct ebt_replace) + entries_size +
1359 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1360 BUGPRINT("Wrong size\n");
1364 if (tmp.nentries != nentries) {
1365 BUGPRINT("Nentries wrong\n");
1369 if (tmp.entries_size != entries_size) {
1370 BUGPRINT("Wrong size\n");
1374 /* userspace might not need the counters */
1375 if (tmp.num_counters) {
1376 if (tmp.num_counters != nentries) {
1377 BUGPRINT("Num_counters wrong\n");
1380 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1382 MEMPRINT("Couldn't copy counters, out of memory\n");
1385 write_lock_bh(&t->lock);
1386 get_counters(oldcounters, counterstmp, nentries);
1387 write_unlock_bh(&t->lock);
1389 if (copy_to_user(tmp.counters, counterstmp,
1390 nentries * sizeof(struct ebt_counter))) {
1391 BUGPRINT("Couldn't copy counters to userspace\n");
1398 if (copy_to_user(tmp.entries, entries, entries_size)) {
1399 BUGPRINT("Couldn't copy entries to userspace\n");
1402 /* set the match/watcher/target names right */
1403 return EBT_ENTRY_ITERATE(entries, entries_size,
1404 ebt_make_names, entries, tmp.entries);
1407 static int do_ebt_set_ctl(struct sock *sk,
1408 int cmd, void __user *user, unsigned int len)
1413 case EBT_SO_SET_ENTRIES:
1414 ret = do_replace(user, len);
1416 case EBT_SO_SET_COUNTERS:
1417 ret = update_counters(user, len);
1425 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1428 struct ebt_replace tmp;
1429 struct ebt_table *t;
1431 if (copy_from_user(&tmp, user, sizeof(tmp)))
1434 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1439 case EBT_SO_GET_INFO:
1440 case EBT_SO_GET_INIT_INFO:
1441 if (*len != sizeof(struct ebt_replace)){
1443 mutex_unlock(&ebt_mutex);
1446 if (cmd == EBT_SO_GET_INFO) {
1447 tmp.nentries = t->private->nentries;
1448 tmp.entries_size = t->private->entries_size;
1449 tmp.valid_hooks = t->valid_hooks;
1451 tmp.nentries = t->table->nentries;
1452 tmp.entries_size = t->table->entries_size;
1453 tmp.valid_hooks = t->table->valid_hooks;
1455 mutex_unlock(&ebt_mutex);
1456 if (copy_to_user(user, &tmp, *len) != 0){
1457 BUGPRINT("c2u Didn't work\n");
1464 case EBT_SO_GET_ENTRIES:
1465 case EBT_SO_GET_INIT_ENTRIES:
1466 ret = copy_everything_to_user(t, user, len, cmd);
1467 mutex_unlock(&ebt_mutex);
1471 mutex_unlock(&ebt_mutex);
1478 static struct nf_sockopt_ops ebt_sockopts =
1481 .set_optmin = EBT_BASE_CTL,
1482 .set_optmax = EBT_SO_SET_MAX + 1,
1483 .set = do_ebt_set_ctl,
1484 .get_optmin = EBT_BASE_CTL,
1485 .get_optmax = EBT_SO_GET_MAX + 1,
1486 .get = do_ebt_get_ctl,
1489 static int __init ebtables_init(void)
1493 mutex_lock(&ebt_mutex);
1494 list_add(&ebt_standard_target.list, &ebt_targets);
1495 mutex_unlock(&ebt_mutex);
1496 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1499 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1503 static void __exit ebtables_fini(void)
1505 nf_unregister_sockopt(&ebt_sockopts);
1506 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1509 EXPORT_SYMBOL(ebt_register_table);
1510 EXPORT_SYMBOL(ebt_unregister_table);
1511 EXPORT_SYMBOL(ebt_register_match);
1512 EXPORT_SYMBOL(ebt_unregister_match);
1513 EXPORT_SYMBOL(ebt_register_watcher);
1514 EXPORT_SYMBOL(ebt_unregister_watcher);
1515 EXPORT_SYMBOL(ebt_register_target);
1516 EXPORT_SYMBOL(ebt_unregister_target);
1517 EXPORT_SYMBOL(ebt_do_table);
1518 module_init(ebtables_init);
1519 module_exit(ebtables_fini);
1520 MODULE_LICENSE("GPL");