5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <asm/uaccess.h>
28 #include <linux/smp.h>
29 #include <linux/cpumask.h>
31 /* needed for logical [in,out]-dev filtering */
32 #include "../br_private.h"
35 #define ASSERT_READ_LOCK(x)
36 #define ASSERT_WRITE_LOCK(x)
37 #include <linux/netfilter_ipv4/listhelp.h>
38 #include <linux/mutex.h>
40 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
41 "report to author: "format, ## args)
42 /* #define BUGPRINT(format, args...) */
43 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
44 ": out of memory: "format, ## args)
45 /* #define MEMPRINT(format, args...) */
50 * Each cpu has its own set of counters, so there is no need for write_lock in
52 * For reading or updating the counters, the user context needs to
56 /* The size of each set of counters is altered to get cache alignment */
57 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
58 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
59 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
60 COUNTER_OFFSET(n) * cpu))
64 static DEFINE_MUTEX(ebt_mutex);
65 static LIST_HEAD(ebt_tables);
66 static LIST_HEAD(ebt_targets);
67 static LIST_HEAD(ebt_matches);
68 static LIST_HEAD(ebt_watchers);
70 static struct ebt_target ebt_standard_target =
71 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
73 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
74 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
75 const struct net_device *out)
77 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
79 /* watchers don't give a verdict */
83 static inline int ebt_do_match (struct ebt_entry_match *m,
84 const struct sk_buff *skb, const struct net_device *in,
85 const struct net_device *out)
87 return m->u.match->match(skb, in, out, m->data,
91 static inline int ebt_dev_check(char *entry, const struct net_device *device)
94 char *devname = device->name;
100 /* 1 is the wildcard token */
101 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
103 return (devname[i] != entry[i] && entry[i] != 1);
106 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
107 /* process standard matches */
108 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
109 const struct net_device *in, const struct net_device *out)
113 if (e->bitmask & EBT_802_3) {
114 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
116 } else if (!(e->bitmask & EBT_NOPROTO) &&
117 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
120 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
122 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
124 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
125 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
127 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
128 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
131 if (e->bitmask & EBT_SOURCEMAC) {
133 for (i = 0; i < 6; i++)
134 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
136 if (FWINV2(verdict != 0, EBT_ISOURCE) )
139 if (e->bitmask & EBT_DESTMAC) {
141 for (i = 0; i < 6; i++)
142 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
144 if (FWINV2(verdict != 0, EBT_IDEST) )
150 /* Do some firewalling */
151 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
152 const struct net_device *in, const struct net_device *out,
153 struct ebt_table *table)
156 struct ebt_entry *point;
157 struct ebt_counter *counter_base, *cb_base;
158 struct ebt_entry_target *t;
160 struct ebt_chainstack *cs;
161 struct ebt_entries *chaininfo;
163 struct ebt_table_info *private;
165 read_lock_bh(&table->lock);
166 private = table->private;
167 cb_base = COUNTER_BASE(private->counters, private->nentries,
169 if (private->chainstack)
170 cs = private->chainstack[smp_processor_id()];
173 chaininfo = private->hook_entry[hook];
174 nentries = private->hook_entry[hook]->nentries;
175 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
176 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
177 /* base for chain jumps */
178 base = private->entries;
180 while (i < nentries) {
181 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
184 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
187 /* increase counter */
188 (*(counter_base + i)).pcnt++;
189 (*(counter_base + i)).bcnt+=(**pskb).len;
191 /* these should only watch: not modify, nor tell us
192 what to do with the packet */
193 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
196 t = (struct ebt_entry_target *)
197 (((char *)point) + point->target_offset);
198 /* standard target */
199 if (!t->u.target->target)
200 verdict = ((struct ebt_standard_target *)t)->verdict;
202 verdict = t->u.target->target(pskb, hook,
203 in, out, t->data, t->target_size);
204 if (verdict == EBT_ACCEPT) {
205 read_unlock_bh(&table->lock);
208 if (verdict == EBT_DROP) {
209 read_unlock_bh(&table->lock);
212 if (verdict == EBT_RETURN) {
214 #ifdef CONFIG_NETFILTER_DEBUG
216 BUGPRINT("RETURN on base chain");
217 /* act like this is EBT_CONTINUE */
222 /* put all the local variables right */
224 chaininfo = cs[sp].chaininfo;
225 nentries = chaininfo->nentries;
227 counter_base = cb_base +
228 chaininfo->counter_offset;
231 if (verdict == EBT_CONTINUE)
233 #ifdef CONFIG_NETFILTER_DEBUG
235 BUGPRINT("bogus standard verdict\n");
236 read_unlock_bh(&table->lock);
242 cs[sp].chaininfo = chaininfo;
243 cs[sp].e = (struct ebt_entry *)
244 (((char *)point) + point->next_offset);
246 chaininfo = (struct ebt_entries *) (base + verdict);
247 #ifdef CONFIG_NETFILTER_DEBUG
248 if (chaininfo->distinguisher) {
249 BUGPRINT("jump to non-chain\n");
250 read_unlock_bh(&table->lock);
254 nentries = chaininfo->nentries;
255 point = (struct ebt_entry *)chaininfo->data;
256 counter_base = cb_base + chaininfo->counter_offset;
260 point = (struct ebt_entry *)
261 (((char *)point) + point->next_offset);
265 /* I actually like this :) */
266 if (chaininfo->policy == EBT_RETURN)
268 if (chaininfo->policy == EBT_ACCEPT) {
269 read_unlock_bh(&table->lock);
272 read_unlock_bh(&table->lock);
276 /* If it succeeds, returns element and locks mutex */
278 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
283 *error = mutex_lock_interruptible(mutex);
287 ret = list_named_find(head, name);
296 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
299 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
300 int *error, struct mutex *mutex)
304 ret = find_inlist_lock_noload(head, name, error, mutex);
306 request_module("%s%s", prefix, name);
307 ret = find_inlist_lock_noload(head, name, error, mutex);
313 static inline struct ebt_table *
314 find_table_lock(const char *name, int *error, struct mutex *mutex)
316 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
319 static inline struct ebt_match *
320 find_match_lock(const char *name, int *error, struct mutex *mutex)
322 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
325 static inline struct ebt_watcher *
326 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
328 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
331 static inline struct ebt_target *
332 find_target_lock(const char *name, int *error, struct mutex *mutex)
334 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
338 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
339 const char *name, unsigned int hookmask, unsigned int *cnt)
341 struct ebt_match *match;
344 if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
345 ((char *)e) + e->watchers_offset)
347 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
351 if (!try_module_get(match->me)) {
352 mutex_unlock(&ebt_mutex);
355 mutex_unlock(&ebt_mutex);
357 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
358 BUGPRINT("match->check failed\n");
359 module_put(match->me);
367 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
368 const char *name, unsigned int hookmask, unsigned int *cnt)
370 struct ebt_watcher *watcher;
373 if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
374 ((char *)e) + e->target_offset)
376 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
379 w->u.watcher = watcher;
380 if (!try_module_get(watcher->me)) {
381 mutex_unlock(&ebt_mutex);
384 mutex_unlock(&ebt_mutex);
385 if (watcher->check &&
386 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
387 BUGPRINT("watcher->check failed\n");
388 module_put(watcher->me);
396 * this one is very careful, as it is the first function
397 * to parse the userspace data
400 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
401 struct ebt_table_info *newinfo, char *base, char *limit,
402 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
403 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
407 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
408 if ((valid_hooks & (1 << i)) == 0)
410 if ( (char *)hook_entries[i] - base ==
411 (char *)e - newinfo->entries)
414 /* beginning of a new chain
415 if i == NF_BR_NUMHOOKS it must be a user defined chain */
416 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
417 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) != 0) {
418 /* we make userspace set this right,
419 so there is no misunderstanding */
420 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
421 "in distinguisher\n");
424 /* this checks if the previous chain has as many entries
427 BUGPRINT("nentries does not equal the nr of entries "
431 /* before we look at the struct, be sure it is not too big */
432 if ((char *)hook_entries[i] + sizeof(struct ebt_entries)
434 BUGPRINT("entries_size too small\n");
437 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
438 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
439 /* only RETURN from udc */
440 if (i != NF_BR_NUMHOOKS ||
441 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
442 BUGPRINT("bad policy\n");
446 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
449 newinfo->hook_entry[i] = (struct ebt_entries *)e;
450 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
451 BUGPRINT("counter_offset != totalcnt");
454 *n = ((struct ebt_entries *)e)->nentries;
458 /* a plain old entry, heh */
459 if (sizeof(struct ebt_entry) > e->watchers_offset ||
460 e->watchers_offset > e->target_offset ||
461 e->target_offset >= e->next_offset) {
462 BUGPRINT("entry offsets not in right order\n");
465 /* this is not checked anywhere else */
466 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
467 BUGPRINT("target size too small\n");
478 struct ebt_chainstack cs;
480 unsigned int hookmask;
484 * we need these positions to check that the jumps to a different part of the
485 * entries is a jump to the beginning of a new chain.
488 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
489 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
490 struct ebt_cl_stack *udc)
494 /* we're only interested in chain starts */
495 if (e->bitmask & EBT_ENTRY_OR_ENTRIES)
497 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
498 if ((valid_hooks & (1 << i)) == 0)
500 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
503 /* only care about udc */
504 if (i != NF_BR_NUMHOOKS)
507 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
508 /* these initialisations are depended on later in check_chainloops() */
510 udc[*n].hookmask = 0;
517 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
519 if (i && (*i)-- == 0)
521 if (m->u.match->destroy)
522 m->u.match->destroy(m->data, m->match_size);
523 module_put(m->u.match->me);
529 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
531 if (i && (*i)-- == 0)
533 if (w->u.watcher->destroy)
534 w->u.watcher->destroy(w->data, w->watcher_size);
535 module_put(w->u.watcher->me);
541 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
543 struct ebt_entry_target *t;
545 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
548 if (cnt && (*cnt)-- == 0)
550 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
551 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
552 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
553 if (t->u.target->destroy)
554 t->u.target->destroy(t->data, t->target_size);
555 module_put(t->u.target->me);
561 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
562 const char *name, unsigned int *cnt, unsigned int valid_hooks,
563 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
565 struct ebt_entry_target *t;
566 struct ebt_target *target;
567 unsigned int i, j, hook = 0, hookmask = 0;
570 /* don't mess with the struct ebt_entries */
571 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
574 if (e->bitmask & ~EBT_F_MASK) {
575 BUGPRINT("Unknown flag for bitmask\n");
578 if (e->invflags & ~EBT_INV_MASK) {
579 BUGPRINT("Unknown flag for inv bitmask\n");
582 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
583 BUGPRINT("NOPROTO & 802_3 not allowed\n");
586 /* what hook do we belong to? */
587 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
588 if ((valid_hooks & (1 << i)) == 0)
590 if ((char *)newinfo->hook_entry[i] < (char *)e)
595 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
597 if (i < NF_BR_NUMHOOKS)
598 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
600 for (i = 0; i < udc_cnt; i++)
601 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
604 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
606 hookmask = cl_s[i - 1].hookmask;
609 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
611 goto cleanup_matches;
613 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
615 goto cleanup_watchers;
616 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
617 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
619 goto cleanup_watchers;
620 if (!try_module_get(target->me)) {
621 mutex_unlock(&ebt_mutex);
623 goto cleanup_watchers;
625 mutex_unlock(&ebt_mutex);
627 t->u.target = target;
628 if (t->u.target == &ebt_standard_target) {
629 if (e->target_offset + sizeof(struct ebt_standard_target) >
631 BUGPRINT("Standard target size too big\n");
633 goto cleanup_watchers;
635 if (((struct ebt_standard_target *)t)->verdict <
636 -NUM_STANDARD_TARGETS) {
637 BUGPRINT("Invalid standard target\n");
639 goto cleanup_watchers;
641 } else if ((e->target_offset + t->target_size +
642 sizeof(struct ebt_entry_target) > e->next_offset) ||
643 (t->u.target->check &&
644 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
645 module_put(t->u.target->me);
647 goto cleanup_watchers;
652 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
654 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
659 * checks for loops and sets the hook mask for udc
660 * the hook mask for udc tells us from which base chains the udc can be
661 * accessed. This mask is a parameter to the check() functions of the extensions
663 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
664 unsigned int udc_cnt, unsigned int hooknr, char *base)
666 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
667 struct ebt_entry *e = (struct ebt_entry *)chain->data;
668 struct ebt_entry_target *t;
670 while (pos < nentries || chain_nr != -1) {
671 /* end of udc, go back one 'recursion' step */
672 if (pos == nentries) {
673 /* put back values of the time when this chain was called */
674 e = cl_s[chain_nr].cs.e;
675 if (cl_s[chain_nr].from != -1)
677 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
679 nentries = chain->nentries;
680 pos = cl_s[chain_nr].cs.n;
681 /* make sure we won't see a loop that isn't one */
682 cl_s[chain_nr].cs.n = 0;
683 chain_nr = cl_s[chain_nr].from;
687 t = (struct ebt_entry_target *)
688 (((char *)e) + e->target_offset);
689 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
691 if (e->target_offset + sizeof(struct ebt_standard_target) >
693 BUGPRINT("Standard target size too big\n");
696 verdict = ((struct ebt_standard_target *)t)->verdict;
697 if (verdict >= 0) { /* jump to another chain */
698 struct ebt_entries *hlp2 =
699 (struct ebt_entries *)(base + verdict);
700 for (i = 0; i < udc_cnt; i++)
701 if (hlp2 == cl_s[i].cs.chaininfo)
703 /* bad destination or loop */
705 BUGPRINT("bad destination\n");
712 /* this can't be 0, so the above test is correct */
713 cl_s[i].cs.n = pos + 1;
715 cl_s[i].cs.e = ((void *)e + e->next_offset);
716 e = (struct ebt_entry *)(hlp2->data);
717 nentries = hlp2->nentries;
718 cl_s[i].from = chain_nr;
720 /* this udc is accessible from the base chain for hooknr */
721 cl_s[i].hookmask |= (1 << hooknr);
725 e = (void *)e + e->next_offset;
731 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
732 static int translate_table(struct ebt_replace *repl,
733 struct ebt_table_info *newinfo)
735 unsigned int i, j, k, udc_cnt;
737 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
740 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
742 if (i == NF_BR_NUMHOOKS) {
743 BUGPRINT("No valid hooks specified\n");
746 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
747 BUGPRINT("Chains don't start at beginning\n");
750 /* make sure chains are ordered after each other in same order
751 as their corresponding hooks */
752 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
753 if (!(repl->valid_hooks & (1 << j)))
755 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
756 BUGPRINT("Hook order must be followed\n");
762 for (i = 0; i < NF_BR_NUMHOOKS; i++)
763 newinfo->hook_entry[i] = NULL;
765 newinfo->entries_size = repl->entries_size;
766 newinfo->nentries = repl->nentries;
768 /* do some early checkings and initialize some things */
769 i = 0; /* holds the expected nr. of entries for the chain */
770 j = 0; /* holds the up to now counted entries for the chain */
771 k = 0; /* holds the total nr. of entries, should equal
772 newinfo->nentries afterwards */
773 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
774 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
775 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
776 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
777 &udc_cnt, repl->valid_hooks);
783 BUGPRINT("nentries does not equal the nr of entries in the "
787 if (k != newinfo->nentries) {
788 BUGPRINT("Total nentries is wrong\n");
792 /* check if all valid hooks have a chain */
793 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
794 if (newinfo->hook_entry[i] == NULL &&
795 (repl->valid_hooks & (1 << i))) {
796 BUGPRINT("Valid hook without chain\n");
801 /* get the location of the udc, put them in an array
802 while we're at it, allocate the chainstack */
804 /* this will get free'd in do_replace()/ebt_register_table()
805 if an error occurs */
806 newinfo->chainstack =
807 vmalloc((highest_possible_processor_id()+1)
808 * sizeof(*(newinfo->chainstack)));
809 if (!newinfo->chainstack)
811 for_each_possible_cpu(i) {
812 newinfo->chainstack[i] =
813 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
814 if (!newinfo->chainstack[i]) {
816 vfree(newinfo->chainstack[--i]);
817 vfree(newinfo->chainstack);
818 newinfo->chainstack = NULL;
823 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
826 i = 0; /* the i'th udc */
827 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
828 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
829 repl->valid_hooks, cl_s);
832 BUGPRINT("i != udc_cnt\n");
838 /* Check for loops */
839 for (i = 0; i < NF_BR_NUMHOOKS; i++)
840 if (repl->valid_hooks & (1 << i))
841 if (check_chainloops(newinfo->hook_entry[i],
842 cl_s, udc_cnt, i, newinfo->entries)) {
847 /* we now know the following (along with E=mc²):
848 - the nr of entries in each chain is right
849 - the size of the allocated space is right
850 - all valid hooks have a corresponding chain
852 - wrong data can still be on the level of a single entry
853 - could be there are jumps to places that are not the
854 beginning of a chain. This can only occur in chains that
855 are not accessible from any base chains, so we don't care. */
857 /* used to know what we need to clean up if something goes wrong */
859 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
860 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
863 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
864 ebt_cleanup_entry, &i);
870 /* called under write_lock */
871 static void get_counters(struct ebt_counter *oldcounters,
872 struct ebt_counter *counters, unsigned int nentries)
875 struct ebt_counter *counter_base;
877 /* counters of cpu 0 */
878 memcpy(counters, oldcounters,
879 sizeof(struct ebt_counter) * nentries);
881 /* add other counters to those of cpu 0 */
882 for_each_possible_cpu(cpu) {
885 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
886 for (i = 0; i < nentries; i++) {
887 counters[i].pcnt += counter_base[i].pcnt;
888 counters[i].bcnt += counter_base[i].bcnt;
893 /* replace the table */
894 static int do_replace(void __user *user, unsigned int len)
896 int ret, i, countersize;
897 struct ebt_table_info *newinfo;
898 struct ebt_replace tmp;
900 struct ebt_counter *counterstmp = NULL;
901 /* used to be able to unlock earlier */
902 struct ebt_table_info *table;
904 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
907 if (len != sizeof(tmp) + tmp.entries_size) {
908 BUGPRINT("Wrong len argument\n");
912 if (tmp.entries_size == 0) {
913 BUGPRINT("Entries_size never zero\n");
917 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
918 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
920 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
923 countersize = COUNTER_OFFSET(tmp.nentries) *
924 (highest_possible_processor_id()+1);
925 newinfo = vmalloc(sizeof(*newinfo) + countersize);
930 memset(newinfo->counters, 0, countersize);
932 newinfo->entries = vmalloc(tmp.entries_size);
933 if (!newinfo->entries) {
938 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
939 BUGPRINT("Couldn't copy entries from userspace\n");
944 /* the user wants counters back
945 the check on the size is done later, when we have the lock */
946 if (tmp.num_counters) {
947 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
956 /* this can get initialized by translate_table() */
957 newinfo->chainstack = NULL;
958 ret = translate_table(&tmp, newinfo);
961 goto free_counterstmp;
963 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
969 /* the table doesn't like it */
970 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
973 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
974 BUGPRINT("Wrong nr. of counters requested\n");
979 /* we have the mutex lock, so no danger in reading this pointer */
981 /* make sure the table can only be rmmod'ed if it contains no rules */
982 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
985 } else if (table->nentries && !newinfo->nentries)
987 /* we need an atomic snapshot of the counters */
988 write_lock_bh(&t->lock);
989 if (tmp.num_counters)
990 get_counters(t->private->counters, counterstmp,
991 t->private->nentries);
993 t->private = newinfo;
994 write_unlock_bh(&t->lock);
995 mutex_unlock(&ebt_mutex);
996 /* so, a user can change the chains while having messed up her counter
997 allocation. Only reason why this is done is because this way the lock
998 is held only once, while this doesn't bring the kernel into a
1000 if (tmp.num_counters &&
1001 copy_to_user(tmp.counters, counterstmp,
1002 tmp.num_counters * sizeof(struct ebt_counter))) {
1003 BUGPRINT("Couldn't copy counters to userspace\n");
1009 /* decrease module count and free resources */
1010 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1011 ebt_cleanup_entry, NULL);
1013 vfree(table->entries);
1014 if (table->chainstack) {
1015 for_each_possible_cpu(i)
1016 vfree(table->chainstack[i]);
1017 vfree(table->chainstack);
1025 mutex_unlock(&ebt_mutex);
1027 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1028 ebt_cleanup_entry, NULL);
1031 /* can be initialized in translate_table() */
1032 if (newinfo->chainstack) {
1033 for_each_possible_cpu(i)
1034 vfree(newinfo->chainstack[i]);
1035 vfree(newinfo->chainstack);
1038 vfree(newinfo->entries);
1044 int ebt_register_target(struct ebt_target *target)
1048 ret = mutex_lock_interruptible(&ebt_mutex);
1051 if (!list_named_insert(&ebt_targets, target)) {
1052 mutex_unlock(&ebt_mutex);
1055 mutex_unlock(&ebt_mutex);
1060 void ebt_unregister_target(struct ebt_target *target)
1062 mutex_lock(&ebt_mutex);
1063 LIST_DELETE(&ebt_targets, target);
1064 mutex_unlock(&ebt_mutex);
1067 int ebt_register_match(struct ebt_match *match)
1071 ret = mutex_lock_interruptible(&ebt_mutex);
1074 if (!list_named_insert(&ebt_matches, match)) {
1075 mutex_unlock(&ebt_mutex);
1078 mutex_unlock(&ebt_mutex);
1083 void ebt_unregister_match(struct ebt_match *match)
1085 mutex_lock(&ebt_mutex);
1086 LIST_DELETE(&ebt_matches, match);
1087 mutex_unlock(&ebt_mutex);
1090 int ebt_register_watcher(struct ebt_watcher *watcher)
1094 ret = mutex_lock_interruptible(&ebt_mutex);
1097 if (!list_named_insert(&ebt_watchers, watcher)) {
1098 mutex_unlock(&ebt_mutex);
1101 mutex_unlock(&ebt_mutex);
1106 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1108 mutex_lock(&ebt_mutex);
1109 LIST_DELETE(&ebt_watchers, watcher);
1110 mutex_unlock(&ebt_mutex);
1113 int ebt_register_table(struct ebt_table *table)
1115 struct ebt_table_info *newinfo;
1116 int ret, i, countersize;
1118 if (!table || !table->table ||!table->table->entries ||
1119 table->table->entries_size == 0 ||
1120 table->table->counters || table->private) {
1121 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1125 countersize = COUNTER_OFFSET(table->table->nentries) *
1126 (highest_possible_processor_id()+1);
1127 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1132 newinfo->entries = vmalloc(table->table->entries_size);
1133 if (!(newinfo->entries))
1136 memcpy(newinfo->entries, table->table->entries,
1137 table->table->entries_size);
1140 memset(newinfo->counters, 0, countersize);
1142 /* fill in newinfo and parse the entries */
1143 newinfo->chainstack = NULL;
1144 ret = translate_table(table->table, newinfo);
1146 BUGPRINT("Translate_table failed\n");
1147 goto free_chainstack;
1150 if (table->check && table->check(newinfo, table->valid_hooks)) {
1151 BUGPRINT("The table doesn't like its own initial data, lol\n");
1155 table->private = newinfo;
1156 rwlock_init(&table->lock);
1157 ret = mutex_lock_interruptible(&ebt_mutex);
1159 goto free_chainstack;
1161 if (list_named_find(&ebt_tables, table->name)) {
1163 BUGPRINT("Table name already exists\n");
1167 /* Hold a reference count if the chains aren't empty */
1168 if (newinfo->nentries && !try_module_get(table->me)) {
1172 list_prepend(&ebt_tables, table);
1173 mutex_unlock(&ebt_mutex);
1176 mutex_unlock(&ebt_mutex);
1178 if (newinfo->chainstack) {
1179 for_each_possible_cpu(i)
1180 vfree(newinfo->chainstack[i]);
1181 vfree(newinfo->chainstack);
1183 vfree(newinfo->entries);
1189 void ebt_unregister_table(struct ebt_table *table)
1194 BUGPRINT("Request to unregister NULL table!!!\n");
1197 mutex_lock(&ebt_mutex);
1198 LIST_DELETE(&ebt_tables, table);
1199 mutex_unlock(&ebt_mutex);
1200 vfree(table->private->entries);
1201 if (table->private->chainstack) {
1202 for_each_possible_cpu(i)
1203 vfree(table->private->chainstack[i]);
1204 vfree(table->private->chainstack);
1206 vfree(table->private);
1209 /* userspace just supplied us with counters */
1210 static int update_counters(void __user *user, unsigned int len)
1213 struct ebt_counter *tmp;
1214 struct ebt_replace hlp;
1215 struct ebt_table *t;
1217 if (copy_from_user(&hlp, user, sizeof(hlp)))
1220 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1222 if (hlp.num_counters == 0)
1225 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1226 MEMPRINT("Update_counters && nomemory\n");
1230 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1234 if (hlp.num_counters != t->private->nentries) {
1235 BUGPRINT("Wrong nr of counters\n");
1240 if ( copy_from_user(tmp, hlp.counters,
1241 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1242 BUGPRINT("Updata_counters && !cfu\n");
1247 /* we want an atomic add of the counters */
1248 write_lock_bh(&t->lock);
1250 /* we add to the counters of the first cpu */
1251 for (i = 0; i < hlp.num_counters; i++) {
1252 t->private->counters[i].pcnt += tmp[i].pcnt;
1253 t->private->counters[i].bcnt += tmp[i].bcnt;
1256 write_unlock_bh(&t->lock);
1259 mutex_unlock(&ebt_mutex);
1265 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1266 char *base, char *ubase)
1268 char *hlp = ubase - base + (char *)m;
1269 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1274 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1275 char *base, char *ubase)
1277 char *hlp = ubase - base + (char *)w;
1278 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1283 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1287 struct ebt_entry_target *t;
1289 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
1292 hlp = ubase - base + (char *)e + e->target_offset;
1293 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1295 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1298 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1301 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1306 /* called with ebt_mutex locked */
1307 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1310 struct ebt_replace tmp;
1311 struct ebt_counter *counterstmp, *oldcounters;
1312 unsigned int entries_size, nentries;
1315 if (cmd == EBT_SO_GET_ENTRIES) {
1316 entries_size = t->private->entries_size;
1317 nentries = t->private->nentries;
1318 entries = t->private->entries;
1319 oldcounters = t->private->counters;
1321 entries_size = t->table->entries_size;
1322 nentries = t->table->nentries;
1323 entries = t->table->entries;
1324 oldcounters = t->table->counters;
1327 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1328 BUGPRINT("Cfu didn't work\n");
1332 if (*len != sizeof(struct ebt_replace) + entries_size +
1333 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1334 BUGPRINT("Wrong size\n");
1338 if (tmp.nentries != nentries) {
1339 BUGPRINT("Nentries wrong\n");
1343 if (tmp.entries_size != entries_size) {
1344 BUGPRINT("Wrong size\n");
1348 /* userspace might not need the counters */
1349 if (tmp.num_counters) {
1350 if (tmp.num_counters != nentries) {
1351 BUGPRINT("Num_counters wrong\n");
1354 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1356 MEMPRINT("Couldn't copy counters, out of memory\n");
1359 write_lock_bh(&t->lock);
1360 get_counters(oldcounters, counterstmp, nentries);
1361 write_unlock_bh(&t->lock);
1363 if (copy_to_user(tmp.counters, counterstmp,
1364 nentries * sizeof(struct ebt_counter))) {
1365 BUGPRINT("Couldn't copy counters to userspace\n");
1372 if (copy_to_user(tmp.entries, entries, entries_size)) {
1373 BUGPRINT("Couldn't copy entries to userspace\n");
1376 /* set the match/watcher/target names right */
1377 return EBT_ENTRY_ITERATE(entries, entries_size,
1378 ebt_make_names, entries, tmp.entries);
1381 static int do_ebt_set_ctl(struct sock *sk,
1382 int cmd, void __user *user, unsigned int len)
1387 case EBT_SO_SET_ENTRIES:
1388 ret = do_replace(user, len);
1390 case EBT_SO_SET_COUNTERS:
1391 ret = update_counters(user, len);
1399 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1402 struct ebt_replace tmp;
1403 struct ebt_table *t;
1405 if (copy_from_user(&tmp, user, sizeof(tmp)))
1408 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1413 case EBT_SO_GET_INFO:
1414 case EBT_SO_GET_INIT_INFO:
1415 if (*len != sizeof(struct ebt_replace)){
1417 mutex_unlock(&ebt_mutex);
1420 if (cmd == EBT_SO_GET_INFO) {
1421 tmp.nentries = t->private->nentries;
1422 tmp.entries_size = t->private->entries_size;
1423 tmp.valid_hooks = t->valid_hooks;
1425 tmp.nentries = t->table->nentries;
1426 tmp.entries_size = t->table->entries_size;
1427 tmp.valid_hooks = t->table->valid_hooks;
1429 mutex_unlock(&ebt_mutex);
1430 if (copy_to_user(user, &tmp, *len) != 0){
1431 BUGPRINT("c2u Didn't work\n");
1438 case EBT_SO_GET_ENTRIES:
1439 case EBT_SO_GET_INIT_ENTRIES:
1440 ret = copy_everything_to_user(t, user, len, cmd);
1441 mutex_unlock(&ebt_mutex);
1445 mutex_unlock(&ebt_mutex);
1452 static struct nf_sockopt_ops ebt_sockopts =
1455 .set_optmin = EBT_BASE_CTL,
1456 .set_optmax = EBT_SO_SET_MAX + 1,
1457 .set = do_ebt_set_ctl,
1458 .get_optmin = EBT_BASE_CTL,
1459 .get_optmax = EBT_SO_GET_MAX + 1,
1460 .get = do_ebt_get_ctl,
1463 static int __init ebtables_init(void)
1467 mutex_lock(&ebt_mutex);
1468 list_named_insert(&ebt_targets, &ebt_standard_target);
1469 mutex_unlock(&ebt_mutex);
1470 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1473 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1477 static void __exit ebtables_fini(void)
1479 nf_unregister_sockopt(&ebt_sockopts);
1480 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1483 EXPORT_SYMBOL(ebt_register_table);
1484 EXPORT_SYMBOL(ebt_unregister_table);
1485 EXPORT_SYMBOL(ebt_register_match);
1486 EXPORT_SYMBOL(ebt_unregister_match);
1487 EXPORT_SYMBOL(ebt_register_watcher);
1488 EXPORT_SYMBOL(ebt_unregister_watcher);
1489 EXPORT_SYMBOL(ebt_register_target);
1490 EXPORT_SYMBOL(ebt_unregister_target);
1491 EXPORT_SYMBOL(ebt_do_table);
1492 module_init(ebtables_init);
1493 module_exit(ebtables_fini);
1494 MODULE_LICENSE("GPL");