5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
59 static LIST_HEAD(ebt_targets);
60 static LIST_HEAD(ebt_matches);
61 static LIST_HEAD(ebt_watchers);
63 static struct ebt_target ebt_standard_target = {
66 .family = NFPROTO_BRIDGE,
69 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
70 struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
71 const struct net_device *out)
73 w->u.watcher->target(skb, in, out, hooknr, NULL, w->data);
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, const struct net_device *in,
80 const struct net_device *out)
82 return m->u.match->match(skb, in, out, NULL, m->data, 0, 0, NULL);
85 static inline int ebt_dev_check(char *entry, const struct net_device *device)
88 const char *devname = device->name;
94 /* 1 is the wildcard token */
95 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
97 return (devname[i] != entry[i] && entry[i] != 1);
100 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
101 /* process standard matches */
102 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
103 const struct net_device *in, const struct net_device *out)
107 if (e->bitmask & EBT_802_3) {
108 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
110 } else if (!(e->bitmask & EBT_NOPROTO) &&
111 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
114 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
116 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
118 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
119 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
121 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
122 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
125 if (e->bitmask & EBT_SOURCEMAC) {
127 for (i = 0; i < 6; i++)
128 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
130 if (FWINV2(verdict != 0, EBT_ISOURCE) )
133 if (e->bitmask & EBT_DESTMAC) {
135 for (i = 0; i < 6; i++)
136 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
138 if (FWINV2(verdict != 0, EBT_IDEST) )
144 /* Do some firewalling */
145 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
146 const struct net_device *in, const struct net_device *out,
147 struct ebt_table *table)
150 struct ebt_entry *point;
151 struct ebt_counter *counter_base, *cb_base;
152 struct ebt_entry_target *t;
154 struct ebt_chainstack *cs;
155 struct ebt_entries *chaininfo;
157 struct ebt_table_info *private;
159 read_lock_bh(&table->lock);
160 private = table->private;
161 cb_base = COUNTER_BASE(private->counters, private->nentries,
163 if (private->chainstack)
164 cs = private->chainstack[smp_processor_id()];
167 chaininfo = private->hook_entry[hook];
168 nentries = private->hook_entry[hook]->nentries;
169 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
170 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
171 /* base for chain jumps */
172 base = private->entries;
174 while (i < nentries) {
175 if (ebt_basic_match(point, eth_hdr(skb), in, out))
178 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, in, out) != 0)
181 /* increase counter */
182 (*(counter_base + i)).pcnt++;
183 (*(counter_base + i)).bcnt += skb->len;
185 /* these should only watch: not modify, nor tell us
186 what to do with the packet */
187 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, hook, in,
190 t = (struct ebt_entry_target *)
191 (((char *)point) + point->target_offset);
192 /* standard target */
193 if (!t->u.target->target)
194 verdict = ((struct ebt_standard_target *)t)->verdict;
196 verdict = t->u.target->target(skb, in, out, hook,
198 if (verdict == EBT_ACCEPT) {
199 read_unlock_bh(&table->lock);
202 if (verdict == EBT_DROP) {
203 read_unlock_bh(&table->lock);
206 if (verdict == EBT_RETURN) {
208 #ifdef CONFIG_NETFILTER_DEBUG
210 BUGPRINT("RETURN on base chain");
211 /* act like this is EBT_CONTINUE */
216 /* put all the local variables right */
218 chaininfo = cs[sp].chaininfo;
219 nentries = chaininfo->nentries;
221 counter_base = cb_base +
222 chaininfo->counter_offset;
225 if (verdict == EBT_CONTINUE)
227 #ifdef CONFIG_NETFILTER_DEBUG
229 BUGPRINT("bogus standard verdict\n");
230 read_unlock_bh(&table->lock);
236 cs[sp].chaininfo = chaininfo;
237 cs[sp].e = (struct ebt_entry *)
238 (((char *)point) + point->next_offset);
240 chaininfo = (struct ebt_entries *) (base + verdict);
241 #ifdef CONFIG_NETFILTER_DEBUG
242 if (chaininfo->distinguisher) {
243 BUGPRINT("jump to non-chain\n");
244 read_unlock_bh(&table->lock);
248 nentries = chaininfo->nentries;
249 point = (struct ebt_entry *)chaininfo->data;
250 counter_base = cb_base + chaininfo->counter_offset;
254 point = (struct ebt_entry *)
255 (((char *)point) + point->next_offset);
259 /* I actually like this :) */
260 if (chaininfo->policy == EBT_RETURN)
262 if (chaininfo->policy == EBT_ACCEPT) {
263 read_unlock_bh(&table->lock);
266 read_unlock_bh(&table->lock);
270 /* If it succeeds, returns element and locks mutex */
272 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
276 struct list_head list;
277 char name[EBT_FUNCTION_MAXNAMELEN];
280 *error = mutex_lock_interruptible(mutex);
284 list_for_each_entry(e, head, list) {
285 if (strcmp(e->name, name) == 0)
294 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
297 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
298 int *error, struct mutex *mutex)
302 ret = find_inlist_lock_noload(head, name, error, mutex);
304 request_module("%s%s", prefix, name);
305 ret = find_inlist_lock_noload(head, name, error, mutex);
311 static inline struct ebt_table *
312 find_table_lock(const char *name, int *error, struct mutex *mutex)
314 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
317 static inline struct ebt_match *
318 find_match_lock(const char *name, int *error, struct mutex *mutex)
320 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
323 static inline struct ebt_watcher *
324 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
326 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
329 static inline struct ebt_target *
330 find_target_lock(const char *name, int *error, struct mutex *mutex)
332 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
336 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
337 const char *name, unsigned int hookmask, unsigned int *cnt)
339 struct ebt_match *match;
340 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
343 if (left < sizeof(struct ebt_entry_match) ||
344 left - sizeof(struct ebt_entry_match) < m->match_size)
346 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
350 if (!try_module_get(match->me)) {
351 mutex_unlock(&ebt_mutex);
354 mutex_unlock(&ebt_mutex);
355 if (match->family != NFPROTO_BRIDGE) {
356 printk(KERN_WARNING "ebtables: %s match: not for ebtables?\n",
360 if (match->revision != 0) {
361 printk(KERN_WARNING "ebtables: %s match: ebtables is not "
362 "supporting revisions at this time\n",
366 if (XT_ALIGN(match->matchsize) != m->match_size &&
367 match->matchsize != -1) {
369 * ebt_among is exempt from centralized matchsize checking
370 * because it uses a dynamic-size data set.
372 printk(KERN_WARNING "ebtables: %s match: "
373 "invalid size %Zu != %u\n",
374 match->name, XT_ALIGN(match->matchsize), m->match_size);
377 if (match->checkentry &&
378 !match->checkentry(name, e, NULL, m->data, hookmask)) {
379 BUGPRINT("match->check failed\n");
385 module_put(match->me);
390 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
391 const char *name, unsigned int hookmask, unsigned int *cnt)
393 struct ebt_watcher *watcher;
394 size_t left = ((char *)e + e->target_offset) - (char *)w;
397 if (left < sizeof(struct ebt_entry_watcher) ||
398 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
400 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
403 w->u.watcher = watcher;
404 if (!try_module_get(watcher->me)) {
405 mutex_unlock(&ebt_mutex);
408 mutex_unlock(&ebt_mutex);
409 if (watcher->family != NFPROTO_BRIDGE) {
410 printk(KERN_WARNING "ebtables: %s watcher: not for ebtables?\n",
414 if (watcher->revision != 0) {
415 printk(KERN_WARNING "ebtables: %s watcher: ebtables is not "
416 "supporting revisions at this time\n",
420 if (XT_ALIGN(watcher->targetsize) != w->watcher_size) {
421 printk(KERN_WARNING "ebtables: %s watcher: "
422 "invalid size %Zu != %u\n",
423 watcher->name, XT_ALIGN(watcher->targetsize),
427 if (watcher->checkentry &&
428 !watcher->checkentry(name, e, NULL, w->data, hookmask)) {
429 BUGPRINT("watcher->check failed\n");
435 module_put(watcher->me);
439 static int ebt_verify_pointers(struct ebt_replace *repl,
440 struct ebt_table_info *newinfo)
442 unsigned int limit = repl->entries_size;
443 unsigned int valid_hooks = repl->valid_hooks;
444 unsigned int offset = 0;
447 for (i = 0; i < NF_BR_NUMHOOKS; i++)
448 newinfo->hook_entry[i] = NULL;
450 newinfo->entries_size = repl->entries_size;
451 newinfo->nentries = repl->nentries;
453 while (offset < limit) {
454 size_t left = limit - offset;
455 struct ebt_entry *e = (void *)newinfo->entries + offset;
457 if (left < sizeof(unsigned int))
460 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
461 if ((valid_hooks & (1 << i)) == 0)
463 if ((char __user *)repl->hook_entry[i] ==
464 repl->entries + offset)
468 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
469 if (e->bitmask != 0) {
470 /* we make userspace set this right,
471 so there is no misunderstanding */
472 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
473 "in distinguisher\n");
476 if (i != NF_BR_NUMHOOKS)
477 newinfo->hook_entry[i] = (struct ebt_entries *)e;
478 if (left < sizeof(struct ebt_entries))
480 offset += sizeof(struct ebt_entries);
482 if (left < sizeof(struct ebt_entry))
484 if (left < e->next_offset)
486 offset += e->next_offset;
489 if (offset != limit) {
490 BUGPRINT("entries_size too small\n");
494 /* check if all valid hooks have a chain */
495 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
496 if (!newinfo->hook_entry[i] &&
497 (valid_hooks & (1 << i))) {
498 BUGPRINT("Valid hook without chain\n");
506 * this one is very careful, as it is the first function
507 * to parse the userspace data
510 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
511 struct ebt_table_info *newinfo,
512 unsigned int *n, unsigned int *cnt,
513 unsigned int *totalcnt, unsigned int *udc_cnt)
517 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
518 if ((void *)e == (void *)newinfo->hook_entry[i])
521 /* beginning of a new chain
522 if i == NF_BR_NUMHOOKS it must be a user defined chain */
523 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
524 /* this checks if the previous chain has as many entries
527 BUGPRINT("nentries does not equal the nr of entries "
531 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
532 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
533 /* only RETURN from udc */
534 if (i != NF_BR_NUMHOOKS ||
535 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
536 BUGPRINT("bad policy\n");
540 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
542 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
543 BUGPRINT("counter_offset != totalcnt");
546 *n = ((struct ebt_entries *)e)->nentries;
550 /* a plain old entry, heh */
551 if (sizeof(struct ebt_entry) > e->watchers_offset ||
552 e->watchers_offset > e->target_offset ||
553 e->target_offset >= e->next_offset) {
554 BUGPRINT("entry offsets not in right order\n");
557 /* this is not checked anywhere else */
558 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
559 BUGPRINT("target size too small\n");
569 struct ebt_chainstack cs;
571 unsigned int hookmask;
575 * we need these positions to check that the jumps to a different part of the
576 * entries is a jump to the beginning of a new chain.
579 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
580 unsigned int *n, struct ebt_cl_stack *udc)
584 /* we're only interested in chain starts */
587 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
588 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
591 /* only care about udc */
592 if (i != NF_BR_NUMHOOKS)
595 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
596 /* these initialisations are depended on later in check_chainloops() */
598 udc[*n].hookmask = 0;
605 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
607 if (i && (*i)-- == 0)
609 if (m->u.match->destroy)
610 m->u.match->destroy(NULL, m->data);
611 module_put(m->u.match->me);
617 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
619 if (i && (*i)-- == 0)
621 if (w->u.watcher->destroy)
622 w->u.watcher->destroy(NULL, w->data);
623 module_put(w->u.watcher->me);
629 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
631 struct ebt_entry_target *t;
636 if (cnt && (*cnt)-- == 0)
638 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
639 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
640 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
641 if (t->u.target->destroy)
642 t->u.target->destroy(NULL, t->data);
643 module_put(t->u.target->me);
649 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
650 const char *name, unsigned int *cnt,
651 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
653 struct ebt_entry_target *t;
654 struct ebt_target *target;
655 unsigned int i, j, hook = 0, hookmask = 0;
659 /* don't mess with the struct ebt_entries */
663 if (e->bitmask & ~EBT_F_MASK) {
664 BUGPRINT("Unknown flag for bitmask\n");
667 if (e->invflags & ~EBT_INV_MASK) {
668 BUGPRINT("Unknown flag for inv bitmask\n");
671 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
672 BUGPRINT("NOPROTO & 802_3 not allowed\n");
675 /* what hook do we belong to? */
676 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
677 if (!newinfo->hook_entry[i])
679 if ((char *)newinfo->hook_entry[i] < (char *)e)
684 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
686 if (i < NF_BR_NUMHOOKS)
687 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
689 for (i = 0; i < udc_cnt; i++)
690 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
693 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
695 hookmask = cl_s[i - 1].hookmask;
698 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
700 goto cleanup_matches;
702 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
704 goto cleanup_watchers;
705 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
706 gap = e->next_offset - e->target_offset;
707 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
709 goto cleanup_watchers;
710 if (!try_module_get(target->me)) {
711 mutex_unlock(&ebt_mutex);
713 goto cleanup_watchers;
715 mutex_unlock(&ebt_mutex);
717 if (target->family != NFPROTO_BRIDGE) {
718 printk(KERN_WARNING "ebtables: %s target: not for ebtables?\n",
721 goto cleanup_watchers;
723 if (target->revision != 0) {
724 printk(KERN_WARNING "ebtables: %s target: ebtables is not "
725 "supporting revisions at this time\n",
728 goto cleanup_watchers;
731 t->u.target = target;
732 if (t->u.target == &ebt_standard_target) {
733 if (gap < sizeof(struct ebt_standard_target)) {
734 BUGPRINT("Standard target size too big\n");
736 goto cleanup_watchers;
738 if (((struct ebt_standard_target *)t)->verdict <
739 -NUM_STANDARD_TARGETS) {
740 BUGPRINT("Invalid standard target\n");
742 goto cleanup_watchers;
744 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
745 module_put(t->u.target->me);
747 goto cleanup_watchers;
748 } else if (XT_ALIGN(target->targetsize) != t->target_size) {
749 printk(KERN_WARNING "ebtables: %s target: "
750 "invalid size %Zu != %u\n",
751 target->name, XT_ALIGN(target->targetsize),
753 module_put(t->u.target->me);
755 goto cleanup_watchers;
756 } else if (t->u.target->checkentry &&
757 !t->u.target->checkentry(name, e, NULL, t->data, hookmask)) {
758 module_put(t->u.target->me);
760 goto cleanup_watchers;
765 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
767 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
772 * checks for loops and sets the hook mask for udc
773 * the hook mask for udc tells us from which base chains the udc can be
774 * accessed. This mask is a parameter to the check() functions of the extensions
776 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
777 unsigned int udc_cnt, unsigned int hooknr, char *base)
779 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
780 struct ebt_entry *e = (struct ebt_entry *)chain->data;
781 struct ebt_entry_target *t;
783 while (pos < nentries || chain_nr != -1) {
784 /* end of udc, go back one 'recursion' step */
785 if (pos == nentries) {
786 /* put back values of the time when this chain was called */
787 e = cl_s[chain_nr].cs.e;
788 if (cl_s[chain_nr].from != -1)
790 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
792 nentries = chain->nentries;
793 pos = cl_s[chain_nr].cs.n;
794 /* make sure we won't see a loop that isn't one */
795 cl_s[chain_nr].cs.n = 0;
796 chain_nr = cl_s[chain_nr].from;
800 t = (struct ebt_entry_target *)
801 (((char *)e) + e->target_offset);
802 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
804 if (e->target_offset + sizeof(struct ebt_standard_target) >
806 BUGPRINT("Standard target size too big\n");
809 verdict = ((struct ebt_standard_target *)t)->verdict;
810 if (verdict >= 0) { /* jump to another chain */
811 struct ebt_entries *hlp2 =
812 (struct ebt_entries *)(base + verdict);
813 for (i = 0; i < udc_cnt; i++)
814 if (hlp2 == cl_s[i].cs.chaininfo)
816 /* bad destination or loop */
818 BUGPRINT("bad destination\n");
825 if (cl_s[i].hookmask & (1 << hooknr))
827 /* this can't be 0, so the loop test is correct */
828 cl_s[i].cs.n = pos + 1;
830 cl_s[i].cs.e = ((void *)e + e->next_offset);
831 e = (struct ebt_entry *)(hlp2->data);
832 nentries = hlp2->nentries;
833 cl_s[i].from = chain_nr;
835 /* this udc is accessible from the base chain for hooknr */
836 cl_s[i].hookmask |= (1 << hooknr);
840 e = (void *)e + e->next_offset;
846 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
847 static int translate_table(char *name, struct ebt_table_info *newinfo)
849 unsigned int i, j, k, udc_cnt;
851 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
854 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
856 if (i == NF_BR_NUMHOOKS) {
857 BUGPRINT("No valid hooks specified\n");
860 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
861 BUGPRINT("Chains don't start at beginning\n");
864 /* make sure chains are ordered after each other in same order
865 as their corresponding hooks */
866 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
867 if (!newinfo->hook_entry[j])
869 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
870 BUGPRINT("Hook order must be followed\n");
876 /* do some early checkings and initialize some things */
877 i = 0; /* holds the expected nr. of entries for the chain */
878 j = 0; /* holds the up to now counted entries for the chain */
879 k = 0; /* holds the total nr. of entries, should equal
880 newinfo->nentries afterwards */
881 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
882 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
883 ebt_check_entry_size_and_hooks, newinfo,
884 &i, &j, &k, &udc_cnt);
890 BUGPRINT("nentries does not equal the nr of entries in the "
894 if (k != newinfo->nentries) {
895 BUGPRINT("Total nentries is wrong\n");
899 /* get the location of the udc, put them in an array
900 while we're at it, allocate the chainstack */
902 /* this will get free'd in do_replace()/ebt_register_table()
903 if an error occurs */
904 newinfo->chainstack =
905 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
906 if (!newinfo->chainstack)
908 for_each_possible_cpu(i) {
909 newinfo->chainstack[i] =
910 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
911 if (!newinfo->chainstack[i]) {
913 vfree(newinfo->chainstack[--i]);
914 vfree(newinfo->chainstack);
915 newinfo->chainstack = NULL;
920 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
923 i = 0; /* the i'th udc */
924 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
925 ebt_get_udc_positions, newinfo, &i, cl_s);
928 BUGPRINT("i != udc_cnt\n");
934 /* Check for loops */
935 for (i = 0; i < NF_BR_NUMHOOKS; i++)
936 if (newinfo->hook_entry[i])
937 if (check_chainloops(newinfo->hook_entry[i],
938 cl_s, udc_cnt, i, newinfo->entries)) {
943 /* we now know the following (along with E=mc²):
944 - the nr of entries in each chain is right
945 - the size of the allocated space is right
946 - all valid hooks have a corresponding chain
948 - wrong data can still be on the level of a single entry
949 - could be there are jumps to places that are not the
950 beginning of a chain. This can only occur in chains that
951 are not accessible from any base chains, so we don't care. */
953 /* used to know what we need to clean up if something goes wrong */
955 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
956 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
958 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
959 ebt_cleanup_entry, &i);
965 /* called under write_lock */
966 static void get_counters(struct ebt_counter *oldcounters,
967 struct ebt_counter *counters, unsigned int nentries)
970 struct ebt_counter *counter_base;
972 /* counters of cpu 0 */
973 memcpy(counters, oldcounters,
974 sizeof(struct ebt_counter) * nentries);
976 /* add other counters to those of cpu 0 */
977 for_each_possible_cpu(cpu) {
980 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
981 for (i = 0; i < nentries; i++) {
982 counters[i].pcnt += counter_base[i].pcnt;
983 counters[i].bcnt += counter_base[i].bcnt;
988 /* replace the table */
989 static int do_replace(void __user *user, unsigned int len)
991 int ret, i, countersize;
992 struct ebt_table_info *newinfo;
993 struct ebt_replace tmp;
995 struct ebt_counter *counterstmp = NULL;
996 /* used to be able to unlock earlier */
997 struct ebt_table_info *table;
999 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1002 if (len != sizeof(tmp) + tmp.entries_size) {
1003 BUGPRINT("Wrong len argument\n");
1007 if (tmp.entries_size == 0) {
1008 BUGPRINT("Entries_size never zero\n");
1011 /* overflow check */
1012 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
1013 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1015 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1018 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1019 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1024 memset(newinfo->counters, 0, countersize);
1026 newinfo->entries = vmalloc(tmp.entries_size);
1027 if (!newinfo->entries) {
1032 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1033 BUGPRINT("Couldn't copy entries from userspace\n");
1038 /* the user wants counters back
1039 the check on the size is done later, when we have the lock */
1040 if (tmp.num_counters) {
1041 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1050 /* this can get initialized by translate_table() */
1051 newinfo->chainstack = NULL;
1052 ret = ebt_verify_pointers(&tmp, newinfo);
1054 goto free_counterstmp;
1056 ret = translate_table(tmp.name, newinfo);
1059 goto free_counterstmp;
1061 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1067 /* the table doesn't like it */
1068 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1071 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1072 BUGPRINT("Wrong nr. of counters requested\n");
1077 /* we have the mutex lock, so no danger in reading this pointer */
1079 /* make sure the table can only be rmmod'ed if it contains no rules */
1080 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1083 } else if (table->nentries && !newinfo->nentries)
1085 /* we need an atomic snapshot of the counters */
1086 write_lock_bh(&t->lock);
1087 if (tmp.num_counters)
1088 get_counters(t->private->counters, counterstmp,
1089 t->private->nentries);
1091 t->private = newinfo;
1092 write_unlock_bh(&t->lock);
1093 mutex_unlock(&ebt_mutex);
1094 /* so, a user can change the chains while having messed up her counter
1095 allocation. Only reason why this is done is because this way the lock
1096 is held only once, while this doesn't bring the kernel into a
1098 if (tmp.num_counters &&
1099 copy_to_user(tmp.counters, counterstmp,
1100 tmp.num_counters * sizeof(struct ebt_counter))) {
1101 BUGPRINT("Couldn't copy counters to userspace\n");
1107 /* decrease module count and free resources */
1108 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1109 ebt_cleanup_entry, NULL);
1111 vfree(table->entries);
1112 if (table->chainstack) {
1113 for_each_possible_cpu(i)
1114 vfree(table->chainstack[i]);
1115 vfree(table->chainstack);
1123 mutex_unlock(&ebt_mutex);
1125 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1126 ebt_cleanup_entry, NULL);
1129 /* can be initialized in translate_table() */
1130 if (newinfo->chainstack) {
1131 for_each_possible_cpu(i)
1132 vfree(newinfo->chainstack[i]);
1133 vfree(newinfo->chainstack);
1136 vfree(newinfo->entries);
1142 int ebt_register_target(struct ebt_target *target)
1144 struct ebt_target *t;
1147 ret = mutex_lock_interruptible(&ebt_mutex);
1150 list_for_each_entry(t, &ebt_targets, list) {
1151 if (strcmp(t->name, target->name) == 0) {
1152 mutex_unlock(&ebt_mutex);
1156 list_add(&target->list, &ebt_targets);
1157 mutex_unlock(&ebt_mutex);
1162 void ebt_unregister_target(struct ebt_target *target)
1164 mutex_lock(&ebt_mutex);
1165 list_del(&target->list);
1166 mutex_unlock(&ebt_mutex);
1169 int ebt_register_match(struct ebt_match *match)
1171 struct ebt_match *m;
1174 ret = mutex_lock_interruptible(&ebt_mutex);
1177 list_for_each_entry(m, &ebt_matches, list) {
1178 if (strcmp(m->name, match->name) == 0) {
1179 mutex_unlock(&ebt_mutex);
1183 list_add(&match->list, &ebt_matches);
1184 mutex_unlock(&ebt_mutex);
1189 void ebt_unregister_match(struct ebt_match *match)
1191 mutex_lock(&ebt_mutex);
1192 list_del(&match->list);
1193 mutex_unlock(&ebt_mutex);
1196 int ebt_register_watcher(struct ebt_watcher *watcher)
1198 struct ebt_watcher *w;
1201 ret = mutex_lock_interruptible(&ebt_mutex);
1204 list_for_each_entry(w, &ebt_watchers, list) {
1205 if (strcmp(w->name, watcher->name) == 0) {
1206 mutex_unlock(&ebt_mutex);
1210 list_add(&watcher->list, &ebt_watchers);
1211 mutex_unlock(&ebt_mutex);
1216 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1218 mutex_lock(&ebt_mutex);
1219 list_del(&watcher->list);
1220 mutex_unlock(&ebt_mutex);
1223 int ebt_register_table(struct ebt_table *table)
1225 struct ebt_table_info *newinfo;
1226 struct ebt_table *t;
1227 struct ebt_replace_kernel *repl;
1228 int ret, i, countersize;
1231 if (!table || !(repl = table->table) || !repl->entries ||
1232 repl->entries_size == 0 ||
1233 repl->counters || table->private) {
1234 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1238 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1239 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1244 p = vmalloc(repl->entries_size);
1248 memcpy(p, repl->entries, repl->entries_size);
1249 newinfo->entries = p;
1251 newinfo->entries_size = repl->entries_size;
1252 newinfo->nentries = repl->nentries;
1255 memset(newinfo->counters, 0, countersize);
1257 /* fill in newinfo and parse the entries */
1258 newinfo->chainstack = NULL;
1259 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1260 if ((repl->valid_hooks & (1 << i)) == 0)
1261 newinfo->hook_entry[i] = NULL;
1263 newinfo->hook_entry[i] = p +
1264 ((char *)repl->hook_entry[i] - repl->entries);
1266 ret = translate_table(repl->name, newinfo);
1268 BUGPRINT("Translate_table failed\n");
1269 goto free_chainstack;
1272 if (table->check && table->check(newinfo, table->valid_hooks)) {
1273 BUGPRINT("The table doesn't like its own initial data, lol\n");
1277 table->private = newinfo;
1278 rwlock_init(&table->lock);
1279 ret = mutex_lock_interruptible(&ebt_mutex);
1281 goto free_chainstack;
1283 list_for_each_entry(t, &ebt_tables, list) {
1284 if (strcmp(t->name, table->name) == 0) {
1286 BUGPRINT("Table name already exists\n");
1291 /* Hold a reference count if the chains aren't empty */
1292 if (newinfo->nentries && !try_module_get(table->me)) {
1296 list_add(&table->list, &ebt_tables);
1297 mutex_unlock(&ebt_mutex);
1300 mutex_unlock(&ebt_mutex);
1302 if (newinfo->chainstack) {
1303 for_each_possible_cpu(i)
1304 vfree(newinfo->chainstack[i]);
1305 vfree(newinfo->chainstack);
1307 vfree(newinfo->entries);
1313 void ebt_unregister_table(struct ebt_table *table)
1318 BUGPRINT("Request to unregister NULL table!!!\n");
1321 mutex_lock(&ebt_mutex);
1322 list_del(&table->list);
1323 mutex_unlock(&ebt_mutex);
1324 vfree(table->private->entries);
1325 if (table->private->chainstack) {
1326 for_each_possible_cpu(i)
1327 vfree(table->private->chainstack[i]);
1328 vfree(table->private->chainstack);
1330 vfree(table->private);
1333 /* userspace just supplied us with counters */
1334 static int update_counters(void __user *user, unsigned int len)
1337 struct ebt_counter *tmp;
1338 struct ebt_replace hlp;
1339 struct ebt_table *t;
1341 if (copy_from_user(&hlp, user, sizeof(hlp)))
1344 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1346 if (hlp.num_counters == 0)
1349 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1350 MEMPRINT("Update_counters && nomemory\n");
1354 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1358 if (hlp.num_counters != t->private->nentries) {
1359 BUGPRINT("Wrong nr of counters\n");
1364 if ( copy_from_user(tmp, hlp.counters,
1365 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1366 BUGPRINT("Updata_counters && !cfu\n");
1371 /* we want an atomic add of the counters */
1372 write_lock_bh(&t->lock);
1374 /* we add to the counters of the first cpu */
1375 for (i = 0; i < hlp.num_counters; i++) {
1376 t->private->counters[i].pcnt += tmp[i].pcnt;
1377 t->private->counters[i].bcnt += tmp[i].bcnt;
1380 write_unlock_bh(&t->lock);
1383 mutex_unlock(&ebt_mutex);
1389 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1390 char *base, char __user *ubase)
1392 char __user *hlp = ubase + ((char *)m - base);
1393 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1398 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1399 char *base, char __user *ubase)
1401 char __user *hlp = ubase + ((char *)w - base);
1402 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1407 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1411 struct ebt_entry_target *t;
1413 if (e->bitmask == 0)
1416 hlp = ubase + (((char *)e + e->target_offset) - base);
1417 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1419 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1422 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1425 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1430 /* called with ebt_mutex locked */
1431 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1434 struct ebt_replace tmp;
1435 struct ebt_counter *counterstmp, *oldcounters;
1436 unsigned int entries_size, nentries;
1439 if (cmd == EBT_SO_GET_ENTRIES) {
1440 entries_size = t->private->entries_size;
1441 nentries = t->private->nentries;
1442 entries = t->private->entries;
1443 oldcounters = t->private->counters;
1445 entries_size = t->table->entries_size;
1446 nentries = t->table->nentries;
1447 entries = t->table->entries;
1448 oldcounters = t->table->counters;
1451 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1452 BUGPRINT("Cfu didn't work\n");
1456 if (*len != sizeof(struct ebt_replace) + entries_size +
1457 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1458 BUGPRINT("Wrong size\n");
1462 if (tmp.nentries != nentries) {
1463 BUGPRINT("Nentries wrong\n");
1467 if (tmp.entries_size != entries_size) {
1468 BUGPRINT("Wrong size\n");
1472 /* userspace might not need the counters */
1473 if (tmp.num_counters) {
1474 if (tmp.num_counters != nentries) {
1475 BUGPRINT("Num_counters wrong\n");
1478 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1480 MEMPRINT("Couldn't copy counters, out of memory\n");
1483 write_lock_bh(&t->lock);
1484 get_counters(oldcounters, counterstmp, nentries);
1485 write_unlock_bh(&t->lock);
1487 if (copy_to_user(tmp.counters, counterstmp,
1488 nentries * sizeof(struct ebt_counter))) {
1489 BUGPRINT("Couldn't copy counters to userspace\n");
1496 if (copy_to_user(tmp.entries, entries, entries_size)) {
1497 BUGPRINT("Couldn't copy entries to userspace\n");
1500 /* set the match/watcher/target names right */
1501 return EBT_ENTRY_ITERATE(entries, entries_size,
1502 ebt_make_names, entries, tmp.entries);
1505 static int do_ebt_set_ctl(struct sock *sk,
1506 int cmd, void __user *user, unsigned int len)
1511 case EBT_SO_SET_ENTRIES:
1512 ret = do_replace(user, len);
1514 case EBT_SO_SET_COUNTERS:
1515 ret = update_counters(user, len);
1523 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1526 struct ebt_replace tmp;
1527 struct ebt_table *t;
1529 if (copy_from_user(&tmp, user, sizeof(tmp)))
1532 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1537 case EBT_SO_GET_INFO:
1538 case EBT_SO_GET_INIT_INFO:
1539 if (*len != sizeof(struct ebt_replace)){
1541 mutex_unlock(&ebt_mutex);
1544 if (cmd == EBT_SO_GET_INFO) {
1545 tmp.nentries = t->private->nentries;
1546 tmp.entries_size = t->private->entries_size;
1547 tmp.valid_hooks = t->valid_hooks;
1549 tmp.nentries = t->table->nentries;
1550 tmp.entries_size = t->table->entries_size;
1551 tmp.valid_hooks = t->table->valid_hooks;
1553 mutex_unlock(&ebt_mutex);
1554 if (copy_to_user(user, &tmp, *len) != 0){
1555 BUGPRINT("c2u Didn't work\n");
1562 case EBT_SO_GET_ENTRIES:
1563 case EBT_SO_GET_INIT_ENTRIES:
1564 ret = copy_everything_to_user(t, user, len, cmd);
1565 mutex_unlock(&ebt_mutex);
1569 mutex_unlock(&ebt_mutex);
1576 static struct nf_sockopt_ops ebt_sockopts =
1579 .set_optmin = EBT_BASE_CTL,
1580 .set_optmax = EBT_SO_SET_MAX + 1,
1581 .set = do_ebt_set_ctl,
1582 .get_optmin = EBT_BASE_CTL,
1583 .get_optmax = EBT_SO_GET_MAX + 1,
1584 .get = do_ebt_get_ctl,
1585 .owner = THIS_MODULE,
1588 static int __init ebtables_init(void)
1592 mutex_lock(&ebt_mutex);
1593 list_add(&ebt_standard_target.list, &ebt_targets);
1594 mutex_unlock(&ebt_mutex);
1595 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1598 printk(KERN_INFO "Ebtables v2.0 registered\n");
1602 static void __exit ebtables_fini(void)
1604 nf_unregister_sockopt(&ebt_sockopts);
1605 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1608 EXPORT_SYMBOL(ebt_register_table);
1609 EXPORT_SYMBOL(ebt_unregister_table);
1610 EXPORT_SYMBOL(ebt_register_match);
1611 EXPORT_SYMBOL(ebt_unregister_match);
1612 EXPORT_SYMBOL(ebt_register_watcher);
1613 EXPORT_SYMBOL(ebt_unregister_watcher);
1614 EXPORT_SYMBOL(ebt_register_target);
1615 EXPORT_SYMBOL(ebt_unregister_target);
1616 EXPORT_SYMBOL(ebt_do_table);
1617 module_init(ebtables_init);
1618 module_exit(ebtables_fini);
1619 MODULE_LICENSE("GPL");