5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
60 static struct xt_target ebt_standard_target = {
63 .family = NFPROTO_BRIDGE,
64 .targetsize = sizeof(int),
68 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
69 struct xt_target_param *par)
71 par->target = w->u.watcher;
72 par->targinfo = w->data;
73 w->u.watcher->target(skb, par);
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, struct xt_match_param *par)
81 par->match = m->u.match;
82 par->matchinfo = m->data;
83 return m->u.match->match(skb, par);
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
89 const char *devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
158 struct ebt_table_info *private;
159 bool hotdrop = false;
160 struct xt_match_param mtpar;
161 struct xt_target_param tgpar;
163 mtpar.in = tgpar.in = in;
164 mtpar.out = tgpar.out = out;
165 mtpar.hotdrop = &hotdrop;
166 tgpar.hooknum = hook;
168 read_lock_bh(&table->lock);
169 private = table->private;
170 cb_base = COUNTER_BASE(private->counters, private->nentries,
172 if (private->chainstack)
173 cs = private->chainstack[smp_processor_id()];
176 chaininfo = private->hook_entry[hook];
177 nentries = private->hook_entry[hook]->nentries;
178 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
179 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
180 /* base for chain jumps */
181 base = private->entries;
183 while (i < nentries) {
184 if (ebt_basic_match(point, eth_hdr(skb), in, out))
187 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
190 read_unlock_bh(&table->lock);
194 /* increase counter */
195 (*(counter_base + i)).pcnt++;
196 (*(counter_base + i)).bcnt += skb->len;
198 /* these should only watch: not modify, nor tell us
199 what to do with the packet */
200 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
202 t = (struct ebt_entry_target *)
203 (((char *)point) + point->target_offset);
204 /* standard target */
205 if (!t->u.target->target)
206 verdict = ((struct ebt_standard_target *)t)->verdict;
208 tgpar.target = t->u.target;
209 tgpar.targinfo = t->data;
210 verdict = t->u.target->target(skb, &tgpar);
212 if (verdict == EBT_ACCEPT) {
213 read_unlock_bh(&table->lock);
216 if (verdict == EBT_DROP) {
217 read_unlock_bh(&table->lock);
220 if (verdict == EBT_RETURN) {
222 #ifdef CONFIG_NETFILTER_DEBUG
224 BUGPRINT("RETURN on base chain");
225 /* act like this is EBT_CONTINUE */
230 /* put all the local variables right */
232 chaininfo = cs[sp].chaininfo;
233 nentries = chaininfo->nentries;
235 counter_base = cb_base +
236 chaininfo->counter_offset;
239 if (verdict == EBT_CONTINUE)
241 #ifdef CONFIG_NETFILTER_DEBUG
243 BUGPRINT("bogus standard verdict\n");
244 read_unlock_bh(&table->lock);
250 cs[sp].chaininfo = chaininfo;
251 cs[sp].e = (struct ebt_entry *)
252 (((char *)point) + point->next_offset);
254 chaininfo = (struct ebt_entries *) (base + verdict);
255 #ifdef CONFIG_NETFILTER_DEBUG
256 if (chaininfo->distinguisher) {
257 BUGPRINT("jump to non-chain\n");
258 read_unlock_bh(&table->lock);
262 nentries = chaininfo->nentries;
263 point = (struct ebt_entry *)chaininfo->data;
264 counter_base = cb_base + chaininfo->counter_offset;
268 point = (struct ebt_entry *)
269 (((char *)point) + point->next_offset);
273 /* I actually like this :) */
274 if (chaininfo->policy == EBT_RETURN)
276 if (chaininfo->policy == EBT_ACCEPT) {
277 read_unlock_bh(&table->lock);
280 read_unlock_bh(&table->lock);
284 /* If it succeeds, returns element and locks mutex */
286 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
290 struct list_head list;
291 char name[EBT_FUNCTION_MAXNAMELEN];
294 *error = mutex_lock_interruptible(mutex);
298 list_for_each_entry(e, head, list) {
299 if (strcmp(e->name, name) == 0)
308 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
311 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
312 int *error, struct mutex *mutex)
316 ret = find_inlist_lock_noload(head, name, error, mutex);
318 request_module("%s%s", prefix, name);
319 ret = find_inlist_lock_noload(head, name, error, mutex);
325 static inline struct ebt_table *
326 find_table_lock(const char *name, int *error, struct mutex *mutex)
328 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
332 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
335 const struct ebt_entry *e = par->entryinfo;
336 struct xt_match *match;
337 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
340 if (left < sizeof(struct ebt_entry_match) ||
341 left - sizeof(struct ebt_entry_match) < m->match_size)
344 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
345 m->u.name, 0), "ebt_%s", m->u.name);
347 return PTR_ERR(match);
353 par->matchinfo = m->data;
354 ret = xt_check_match(par, NFPROTO_BRIDGE, m->match_size,
355 e->ethproto, e->invflags & EBT_IPROTO);
357 module_put(match->me);
366 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
369 const struct ebt_entry *e = par->entryinfo;
370 struct xt_target *watcher;
371 size_t left = ((char *)e + e->target_offset) - (char *)w;
374 if (left < sizeof(struct ebt_entry_watcher) ||
375 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
378 watcher = try_then_request_module(
379 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
380 "ebt_%s", w->u.name);
382 return PTR_ERR(watcher);
385 w->u.watcher = watcher;
387 par->target = watcher;
388 par->targinfo = w->data;
389 ret = xt_check_target(par, NFPROTO_BRIDGE, w->watcher_size,
390 e->ethproto, e->invflags & EBT_IPROTO);
392 module_put(watcher->me);
400 static int ebt_verify_pointers(struct ebt_replace *repl,
401 struct ebt_table_info *newinfo)
403 unsigned int limit = repl->entries_size;
404 unsigned int valid_hooks = repl->valid_hooks;
405 unsigned int offset = 0;
408 for (i = 0; i < NF_BR_NUMHOOKS; i++)
409 newinfo->hook_entry[i] = NULL;
411 newinfo->entries_size = repl->entries_size;
412 newinfo->nentries = repl->nentries;
414 while (offset < limit) {
415 size_t left = limit - offset;
416 struct ebt_entry *e = (void *)newinfo->entries + offset;
418 if (left < sizeof(unsigned int))
421 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
422 if ((valid_hooks & (1 << i)) == 0)
424 if ((char __user *)repl->hook_entry[i] ==
425 repl->entries + offset)
429 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
430 if (e->bitmask != 0) {
431 /* we make userspace set this right,
432 so there is no misunderstanding */
433 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
434 "in distinguisher\n");
437 if (i != NF_BR_NUMHOOKS)
438 newinfo->hook_entry[i] = (struct ebt_entries *)e;
439 if (left < sizeof(struct ebt_entries))
441 offset += sizeof(struct ebt_entries);
443 if (left < sizeof(struct ebt_entry))
445 if (left < e->next_offset)
447 offset += e->next_offset;
450 if (offset != limit) {
451 BUGPRINT("entries_size too small\n");
455 /* check if all valid hooks have a chain */
456 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
457 if (!newinfo->hook_entry[i] &&
458 (valid_hooks & (1 << i))) {
459 BUGPRINT("Valid hook without chain\n");
467 * this one is very careful, as it is the first function
468 * to parse the userspace data
471 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
472 struct ebt_table_info *newinfo,
473 unsigned int *n, unsigned int *cnt,
474 unsigned int *totalcnt, unsigned int *udc_cnt)
478 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
479 if ((void *)e == (void *)newinfo->hook_entry[i])
482 /* beginning of a new chain
483 if i == NF_BR_NUMHOOKS it must be a user defined chain */
484 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
485 /* this checks if the previous chain has as many entries
488 BUGPRINT("nentries does not equal the nr of entries "
492 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
493 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
494 /* only RETURN from udc */
495 if (i != NF_BR_NUMHOOKS ||
496 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
497 BUGPRINT("bad policy\n");
501 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
503 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
504 BUGPRINT("counter_offset != totalcnt");
507 *n = ((struct ebt_entries *)e)->nentries;
511 /* a plain old entry, heh */
512 if (sizeof(struct ebt_entry) > e->watchers_offset ||
513 e->watchers_offset > e->target_offset ||
514 e->target_offset >= e->next_offset) {
515 BUGPRINT("entry offsets not in right order\n");
518 /* this is not checked anywhere else */
519 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
520 BUGPRINT("target size too small\n");
530 struct ebt_chainstack cs;
532 unsigned int hookmask;
536 * we need these positions to check that the jumps to a different part of the
537 * entries is a jump to the beginning of a new chain.
540 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
541 unsigned int *n, struct ebt_cl_stack *udc)
545 /* we're only interested in chain starts */
548 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
549 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
552 /* only care about udc */
553 if (i != NF_BR_NUMHOOKS)
556 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
557 /* these initialisations are depended on later in check_chainloops() */
559 udc[*n].hookmask = 0;
566 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
568 struct xt_mtdtor_param par;
570 if (i && (*i)-- == 0)
573 par.match = m->u.match;
574 par.matchinfo = m->data;
575 if (par.match->destroy != NULL)
576 par.match->destroy(&par);
577 module_put(par.match->me);
582 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
584 struct xt_tgdtor_param par;
586 if (i && (*i)-- == 0)
589 par.target = w->u.watcher;
590 par.targinfo = w->data;
591 if (par.target->destroy != NULL)
592 par.target->destroy(&par);
593 module_put(par.target->me);
598 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
600 struct xt_tgdtor_param par;
601 struct ebt_entry_target *t;
606 if (cnt && (*cnt)-- == 0)
608 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
609 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
610 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
612 par.target = t->u.target;
613 par.targinfo = t->data;
614 if (par.target->destroy != NULL)
615 par.target->destroy(&par);
616 module_put(par.target->me);
621 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
622 const char *name, unsigned int *cnt,
623 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
625 struct ebt_entry_target *t;
626 struct xt_target *target;
627 unsigned int i, j, hook = 0, hookmask = 0;
630 struct xt_mtchk_param mtpar;
631 struct xt_tgchk_param tgpar;
633 /* don't mess with the struct ebt_entries */
637 if (e->bitmask & ~EBT_F_MASK) {
638 BUGPRINT("Unknown flag for bitmask\n");
641 if (e->invflags & ~EBT_INV_MASK) {
642 BUGPRINT("Unknown flag for inv bitmask\n");
645 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
646 BUGPRINT("NOPROTO & 802_3 not allowed\n");
649 /* what hook do we belong to? */
650 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
651 if (!newinfo->hook_entry[i])
653 if ((char *)newinfo->hook_entry[i] < (char *)e)
658 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
660 if (i < NF_BR_NUMHOOKS)
661 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
663 for (i = 0; i < udc_cnt; i++)
664 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
667 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
669 hookmask = cl_s[i - 1].hookmask;
673 mtpar.table = tgpar.table = name;
674 mtpar.entryinfo = tgpar.entryinfo = e;
675 mtpar.hook_mask = tgpar.hook_mask = hookmask;
676 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
678 goto cleanup_matches;
680 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
682 goto cleanup_watchers;
683 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
684 gap = e->next_offset - e->target_offset;
686 target = try_then_request_module(
687 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
688 "ebt_%s", t->u.name);
689 if (IS_ERR(target)) {
690 ret = PTR_ERR(target);
691 goto cleanup_watchers;
692 } else if (target == NULL) {
694 goto cleanup_watchers;
697 t->u.target = target;
698 if (t->u.target == &ebt_standard_target) {
699 if (gap < sizeof(struct ebt_standard_target)) {
700 BUGPRINT("Standard target size too big\n");
702 goto cleanup_watchers;
704 if (((struct ebt_standard_target *)t)->verdict <
705 -NUM_STANDARD_TARGETS) {
706 BUGPRINT("Invalid standard target\n");
708 goto cleanup_watchers;
710 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
711 module_put(t->u.target->me);
713 goto cleanup_watchers;
716 tgpar.target = target;
717 tgpar.targinfo = t->data;
718 ret = xt_check_target(&tgpar, NFPROTO_BRIDGE, t->target_size,
719 e->ethproto, e->invflags & EBT_IPROTO);
721 module_put(target->me);
722 goto cleanup_watchers;
727 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
729 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
734 * checks for loops and sets the hook mask for udc
735 * the hook mask for udc tells us from which base chains the udc can be
736 * accessed. This mask is a parameter to the check() functions of the extensions
738 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
739 unsigned int udc_cnt, unsigned int hooknr, char *base)
741 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
742 struct ebt_entry *e = (struct ebt_entry *)chain->data;
743 struct ebt_entry_target *t;
745 while (pos < nentries || chain_nr != -1) {
746 /* end of udc, go back one 'recursion' step */
747 if (pos == nentries) {
748 /* put back values of the time when this chain was called */
749 e = cl_s[chain_nr].cs.e;
750 if (cl_s[chain_nr].from != -1)
752 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
754 nentries = chain->nentries;
755 pos = cl_s[chain_nr].cs.n;
756 /* make sure we won't see a loop that isn't one */
757 cl_s[chain_nr].cs.n = 0;
758 chain_nr = cl_s[chain_nr].from;
762 t = (struct ebt_entry_target *)
763 (((char *)e) + e->target_offset);
764 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
766 if (e->target_offset + sizeof(struct ebt_standard_target) >
768 BUGPRINT("Standard target size too big\n");
771 verdict = ((struct ebt_standard_target *)t)->verdict;
772 if (verdict >= 0) { /* jump to another chain */
773 struct ebt_entries *hlp2 =
774 (struct ebt_entries *)(base + verdict);
775 for (i = 0; i < udc_cnt; i++)
776 if (hlp2 == cl_s[i].cs.chaininfo)
778 /* bad destination or loop */
780 BUGPRINT("bad destination\n");
787 if (cl_s[i].hookmask & (1 << hooknr))
789 /* this can't be 0, so the loop test is correct */
790 cl_s[i].cs.n = pos + 1;
792 cl_s[i].cs.e = ((void *)e + e->next_offset);
793 e = (struct ebt_entry *)(hlp2->data);
794 nentries = hlp2->nentries;
795 cl_s[i].from = chain_nr;
797 /* this udc is accessible from the base chain for hooknr */
798 cl_s[i].hookmask |= (1 << hooknr);
802 e = (void *)e + e->next_offset;
808 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
809 static int translate_table(char *name, struct ebt_table_info *newinfo)
811 unsigned int i, j, k, udc_cnt;
813 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
816 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
818 if (i == NF_BR_NUMHOOKS) {
819 BUGPRINT("No valid hooks specified\n");
822 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
823 BUGPRINT("Chains don't start at beginning\n");
826 /* make sure chains are ordered after each other in same order
827 as their corresponding hooks */
828 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
829 if (!newinfo->hook_entry[j])
831 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
832 BUGPRINT("Hook order must be followed\n");
838 /* do some early checkings and initialize some things */
839 i = 0; /* holds the expected nr. of entries for the chain */
840 j = 0; /* holds the up to now counted entries for the chain */
841 k = 0; /* holds the total nr. of entries, should equal
842 newinfo->nentries afterwards */
843 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
844 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
845 ebt_check_entry_size_and_hooks, newinfo,
846 &i, &j, &k, &udc_cnt);
852 BUGPRINT("nentries does not equal the nr of entries in the "
856 if (k != newinfo->nentries) {
857 BUGPRINT("Total nentries is wrong\n");
861 /* get the location of the udc, put them in an array
862 while we're at it, allocate the chainstack */
864 /* this will get free'd in do_replace()/ebt_register_table()
865 if an error occurs */
866 newinfo->chainstack =
867 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
868 if (!newinfo->chainstack)
870 for_each_possible_cpu(i) {
871 newinfo->chainstack[i] =
872 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
873 if (!newinfo->chainstack[i]) {
875 vfree(newinfo->chainstack[--i]);
876 vfree(newinfo->chainstack);
877 newinfo->chainstack = NULL;
882 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
885 i = 0; /* the i'th udc */
886 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
887 ebt_get_udc_positions, newinfo, &i, cl_s);
890 BUGPRINT("i != udc_cnt\n");
896 /* Check for loops */
897 for (i = 0; i < NF_BR_NUMHOOKS; i++)
898 if (newinfo->hook_entry[i])
899 if (check_chainloops(newinfo->hook_entry[i],
900 cl_s, udc_cnt, i, newinfo->entries)) {
905 /* we now know the following (along with E=mc²):
906 - the nr of entries in each chain is right
907 - the size of the allocated space is right
908 - all valid hooks have a corresponding chain
910 - wrong data can still be on the level of a single entry
911 - could be there are jumps to places that are not the
912 beginning of a chain. This can only occur in chains that
913 are not accessible from any base chains, so we don't care. */
915 /* used to know what we need to clean up if something goes wrong */
917 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
918 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
920 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
921 ebt_cleanup_entry, &i);
927 /* called under write_lock */
928 static void get_counters(struct ebt_counter *oldcounters,
929 struct ebt_counter *counters, unsigned int nentries)
932 struct ebt_counter *counter_base;
934 /* counters of cpu 0 */
935 memcpy(counters, oldcounters,
936 sizeof(struct ebt_counter) * nentries);
938 /* add other counters to those of cpu 0 */
939 for_each_possible_cpu(cpu) {
942 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
943 for (i = 0; i < nentries; i++) {
944 counters[i].pcnt += counter_base[i].pcnt;
945 counters[i].bcnt += counter_base[i].bcnt;
950 /* replace the table */
951 static int do_replace(void __user *user, unsigned int len)
953 int ret, i, countersize;
954 struct ebt_table_info *newinfo;
955 struct ebt_replace tmp;
957 struct ebt_counter *counterstmp = NULL;
958 /* used to be able to unlock earlier */
959 struct ebt_table_info *table;
961 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
964 if (len != sizeof(tmp) + tmp.entries_size) {
965 BUGPRINT("Wrong len argument\n");
969 if (tmp.entries_size == 0) {
970 BUGPRINT("Entries_size never zero\n");
974 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
975 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
977 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
980 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
981 newinfo = vmalloc(sizeof(*newinfo) + countersize);
986 memset(newinfo->counters, 0, countersize);
988 newinfo->entries = vmalloc(tmp.entries_size);
989 if (!newinfo->entries) {
994 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
995 BUGPRINT("Couldn't copy entries from userspace\n");
1000 /* the user wants counters back
1001 the check on the size is done later, when we have the lock */
1002 if (tmp.num_counters) {
1003 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1012 /* this can get initialized by translate_table() */
1013 newinfo->chainstack = NULL;
1014 ret = ebt_verify_pointers(&tmp, newinfo);
1016 goto free_counterstmp;
1018 ret = translate_table(tmp.name, newinfo);
1021 goto free_counterstmp;
1023 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1029 /* the table doesn't like it */
1030 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1033 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1034 BUGPRINT("Wrong nr. of counters requested\n");
1039 /* we have the mutex lock, so no danger in reading this pointer */
1041 /* make sure the table can only be rmmod'ed if it contains no rules */
1042 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1045 } else if (table->nentries && !newinfo->nentries)
1047 /* we need an atomic snapshot of the counters */
1048 write_lock_bh(&t->lock);
1049 if (tmp.num_counters)
1050 get_counters(t->private->counters, counterstmp,
1051 t->private->nentries);
1053 t->private = newinfo;
1054 write_unlock_bh(&t->lock);
1055 mutex_unlock(&ebt_mutex);
1056 /* so, a user can change the chains while having messed up her counter
1057 allocation. Only reason why this is done is because this way the lock
1058 is held only once, while this doesn't bring the kernel into a
1060 if (tmp.num_counters &&
1061 copy_to_user(tmp.counters, counterstmp,
1062 tmp.num_counters * sizeof(struct ebt_counter))) {
1063 BUGPRINT("Couldn't copy counters to userspace\n");
1069 /* decrease module count and free resources */
1070 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1071 ebt_cleanup_entry, NULL);
1073 vfree(table->entries);
1074 if (table->chainstack) {
1075 for_each_possible_cpu(i)
1076 vfree(table->chainstack[i]);
1077 vfree(table->chainstack);
1085 mutex_unlock(&ebt_mutex);
1087 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1088 ebt_cleanup_entry, NULL);
1091 /* can be initialized in translate_table() */
1092 if (newinfo->chainstack) {
1093 for_each_possible_cpu(i)
1094 vfree(newinfo->chainstack[i]);
1095 vfree(newinfo->chainstack);
1098 vfree(newinfo->entries);
1104 int ebt_register_table(struct ebt_table *table)
1106 struct ebt_table_info *newinfo;
1107 struct ebt_table *t;
1108 struct ebt_replace_kernel *repl;
1109 int ret, i, countersize;
1112 if (!table || !(repl = table->table) || !repl->entries ||
1113 repl->entries_size == 0 ||
1114 repl->counters || table->private) {
1115 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1119 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1120 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1125 p = vmalloc(repl->entries_size);
1129 memcpy(p, repl->entries, repl->entries_size);
1130 newinfo->entries = p;
1132 newinfo->entries_size = repl->entries_size;
1133 newinfo->nentries = repl->nentries;
1136 memset(newinfo->counters, 0, countersize);
1138 /* fill in newinfo and parse the entries */
1139 newinfo->chainstack = NULL;
1140 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1141 if ((repl->valid_hooks & (1 << i)) == 0)
1142 newinfo->hook_entry[i] = NULL;
1144 newinfo->hook_entry[i] = p +
1145 ((char *)repl->hook_entry[i] - repl->entries);
1147 ret = translate_table(repl->name, newinfo);
1149 BUGPRINT("Translate_table failed\n");
1150 goto free_chainstack;
1153 if (table->check && table->check(newinfo, table->valid_hooks)) {
1154 BUGPRINT("The table doesn't like its own initial data, lol\n");
1158 table->private = newinfo;
1159 rwlock_init(&table->lock);
1160 ret = mutex_lock_interruptible(&ebt_mutex);
1162 goto free_chainstack;
1164 list_for_each_entry(t, &ebt_tables, list) {
1165 if (strcmp(t->name, table->name) == 0) {
1167 BUGPRINT("Table name already exists\n");
1172 /* Hold a reference count if the chains aren't empty */
1173 if (newinfo->nentries && !try_module_get(table->me)) {
1177 list_add(&table->list, &ebt_tables);
1178 mutex_unlock(&ebt_mutex);
1181 mutex_unlock(&ebt_mutex);
1183 if (newinfo->chainstack) {
1184 for_each_possible_cpu(i)
1185 vfree(newinfo->chainstack[i]);
1186 vfree(newinfo->chainstack);
1188 vfree(newinfo->entries);
1194 void ebt_unregister_table(struct ebt_table *table)
1199 BUGPRINT("Request to unregister NULL table!!!\n");
1202 mutex_lock(&ebt_mutex);
1203 list_del(&table->list);
1204 mutex_unlock(&ebt_mutex);
1205 vfree(table->private->entries);
1206 if (table->private->chainstack) {
1207 for_each_possible_cpu(i)
1208 vfree(table->private->chainstack[i]);
1209 vfree(table->private->chainstack);
1211 vfree(table->private);
1214 /* userspace just supplied us with counters */
1215 static int update_counters(void __user *user, unsigned int len)
1218 struct ebt_counter *tmp;
1219 struct ebt_replace hlp;
1220 struct ebt_table *t;
1222 if (copy_from_user(&hlp, user, sizeof(hlp)))
1225 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1227 if (hlp.num_counters == 0)
1230 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1231 MEMPRINT("Update_counters && nomemory\n");
1235 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1239 if (hlp.num_counters != t->private->nentries) {
1240 BUGPRINT("Wrong nr of counters\n");
1245 if ( copy_from_user(tmp, hlp.counters,
1246 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1247 BUGPRINT("Updata_counters && !cfu\n");
1252 /* we want an atomic add of the counters */
1253 write_lock_bh(&t->lock);
1255 /* we add to the counters of the first cpu */
1256 for (i = 0; i < hlp.num_counters; i++) {
1257 t->private->counters[i].pcnt += tmp[i].pcnt;
1258 t->private->counters[i].bcnt += tmp[i].bcnt;
1261 write_unlock_bh(&t->lock);
1264 mutex_unlock(&ebt_mutex);
1270 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1271 char *base, char __user *ubase)
1273 char __user *hlp = ubase + ((char *)m - base);
1274 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1279 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1280 char *base, char __user *ubase)
1282 char __user *hlp = ubase + ((char *)w - base);
1283 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1288 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1292 struct ebt_entry_target *t;
1294 if (e->bitmask == 0)
1297 hlp = ubase + (((char *)e + e->target_offset) - base);
1298 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1300 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1303 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1306 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1311 /* called with ebt_mutex locked */
1312 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1315 struct ebt_replace tmp;
1316 struct ebt_counter *counterstmp, *oldcounters;
1317 unsigned int entries_size, nentries;
1320 if (cmd == EBT_SO_GET_ENTRIES) {
1321 entries_size = t->private->entries_size;
1322 nentries = t->private->nentries;
1323 entries = t->private->entries;
1324 oldcounters = t->private->counters;
1326 entries_size = t->table->entries_size;
1327 nentries = t->table->nentries;
1328 entries = t->table->entries;
1329 oldcounters = t->table->counters;
1332 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1333 BUGPRINT("Cfu didn't work\n");
1337 if (*len != sizeof(struct ebt_replace) + entries_size +
1338 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1339 BUGPRINT("Wrong size\n");
1343 if (tmp.nentries != nentries) {
1344 BUGPRINT("Nentries wrong\n");
1348 if (tmp.entries_size != entries_size) {
1349 BUGPRINT("Wrong size\n");
1353 /* userspace might not need the counters */
1354 if (tmp.num_counters) {
1355 if (tmp.num_counters != nentries) {
1356 BUGPRINT("Num_counters wrong\n");
1359 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1361 MEMPRINT("Couldn't copy counters, out of memory\n");
1364 write_lock_bh(&t->lock);
1365 get_counters(oldcounters, counterstmp, nentries);
1366 write_unlock_bh(&t->lock);
1368 if (copy_to_user(tmp.counters, counterstmp,
1369 nentries * sizeof(struct ebt_counter))) {
1370 BUGPRINT("Couldn't copy counters to userspace\n");
1377 if (copy_to_user(tmp.entries, entries, entries_size)) {
1378 BUGPRINT("Couldn't copy entries to userspace\n");
1381 /* set the match/watcher/target names right */
1382 return EBT_ENTRY_ITERATE(entries, entries_size,
1383 ebt_make_names, entries, tmp.entries);
1386 static int do_ebt_set_ctl(struct sock *sk,
1387 int cmd, void __user *user, unsigned int len)
1392 case EBT_SO_SET_ENTRIES:
1393 ret = do_replace(user, len);
1395 case EBT_SO_SET_COUNTERS:
1396 ret = update_counters(user, len);
1404 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1407 struct ebt_replace tmp;
1408 struct ebt_table *t;
1410 if (copy_from_user(&tmp, user, sizeof(tmp)))
1413 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1418 case EBT_SO_GET_INFO:
1419 case EBT_SO_GET_INIT_INFO:
1420 if (*len != sizeof(struct ebt_replace)){
1422 mutex_unlock(&ebt_mutex);
1425 if (cmd == EBT_SO_GET_INFO) {
1426 tmp.nentries = t->private->nentries;
1427 tmp.entries_size = t->private->entries_size;
1428 tmp.valid_hooks = t->valid_hooks;
1430 tmp.nentries = t->table->nentries;
1431 tmp.entries_size = t->table->entries_size;
1432 tmp.valid_hooks = t->table->valid_hooks;
1434 mutex_unlock(&ebt_mutex);
1435 if (copy_to_user(user, &tmp, *len) != 0){
1436 BUGPRINT("c2u Didn't work\n");
1443 case EBT_SO_GET_ENTRIES:
1444 case EBT_SO_GET_INIT_ENTRIES:
1445 ret = copy_everything_to_user(t, user, len, cmd);
1446 mutex_unlock(&ebt_mutex);
1450 mutex_unlock(&ebt_mutex);
1457 static struct nf_sockopt_ops ebt_sockopts =
1460 .set_optmin = EBT_BASE_CTL,
1461 .set_optmax = EBT_SO_SET_MAX + 1,
1462 .set = do_ebt_set_ctl,
1463 .get_optmin = EBT_BASE_CTL,
1464 .get_optmax = EBT_SO_GET_MAX + 1,
1465 .get = do_ebt_get_ctl,
1466 .owner = THIS_MODULE,
1469 static int __init ebtables_init(void)
1473 ret = xt_register_target(&ebt_standard_target);
1476 ret = nf_register_sockopt(&ebt_sockopts);
1478 xt_unregister_target(&ebt_standard_target);
1482 printk(KERN_INFO "Ebtables v2.0 registered\n");
1486 static void __exit ebtables_fini(void)
1488 nf_unregister_sockopt(&ebt_sockopts);
1489 xt_unregister_target(&ebt_standard_target);
1490 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1493 EXPORT_SYMBOL(ebt_register_table);
1494 EXPORT_SYMBOL(ebt_unregister_table);
1495 EXPORT_SYMBOL(ebt_do_table);
1496 module_init(ebtables_init);
1497 module_exit(ebtables_fini);
1498 MODULE_LICENSE("GPL");