5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
60 static struct xt_target ebt_standard_target = {
63 .family = NFPROTO_BRIDGE,
64 .targetsize = sizeof(int),
67 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
68 struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
69 const struct net_device *out)
71 w->u.watcher->target(skb, in, out, hooknr, w->u.watcher, w->data);
72 /* watchers don't give a verdict */
76 static inline int ebt_do_match (struct ebt_entry_match *m,
77 const struct sk_buff *skb, const struct net_device *in,
78 const struct net_device *out, bool *hotdrop)
80 return m->u.match->match(skb, in, out, m->u.match,
81 m->data, 0, 0, hotdrop);
84 static inline int ebt_dev_check(char *entry, const struct net_device *device)
87 const char *devname = device->name;
93 /* 1 is the wildcard token */
94 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
96 return (devname[i] != entry[i] && entry[i] != 1);
99 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
100 /* process standard matches */
101 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
102 const struct net_device *in, const struct net_device *out)
106 if (e->bitmask & EBT_802_3) {
107 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
109 } else if (!(e->bitmask & EBT_NOPROTO) &&
110 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
113 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
115 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
117 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
118 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
120 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
121 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
124 if (e->bitmask & EBT_SOURCEMAC) {
126 for (i = 0; i < 6; i++)
127 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
129 if (FWINV2(verdict != 0, EBT_ISOURCE) )
132 if (e->bitmask & EBT_DESTMAC) {
134 for (i = 0; i < 6; i++)
135 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
137 if (FWINV2(verdict != 0, EBT_IDEST) )
143 /* Do some firewalling */
144 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
145 const struct net_device *in, const struct net_device *out,
146 struct ebt_table *table)
149 struct ebt_entry *point;
150 struct ebt_counter *counter_base, *cb_base;
151 struct ebt_entry_target *t;
153 struct ebt_chainstack *cs;
154 struct ebt_entries *chaininfo;
156 struct ebt_table_info *private;
157 bool hotdrop = false;
159 read_lock_bh(&table->lock);
160 private = table->private;
161 cb_base = COUNTER_BASE(private->counters, private->nentries,
163 if (private->chainstack)
164 cs = private->chainstack[smp_processor_id()];
167 chaininfo = private->hook_entry[hook];
168 nentries = private->hook_entry[hook]->nentries;
169 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
170 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
171 /* base for chain jumps */
172 base = private->entries;
174 while (i < nentries) {
175 if (ebt_basic_match(point, eth_hdr(skb), in, out))
178 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb,
179 in, out, &hotdrop) != 0)
182 read_unlock_bh(&table->lock);
186 /* increase counter */
187 (*(counter_base + i)).pcnt++;
188 (*(counter_base + i)).bcnt += skb->len;
190 /* these should only watch: not modify, nor tell us
191 what to do with the packet */
192 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, hook, in,
195 t = (struct ebt_entry_target *)
196 (((char *)point) + point->target_offset);
197 /* standard target */
198 if (!t->u.target->target)
199 verdict = ((struct ebt_standard_target *)t)->verdict;
201 verdict = t->u.target->target(skb, in, out, hook,
202 t->u.target, t->data);
203 if (verdict == EBT_ACCEPT) {
204 read_unlock_bh(&table->lock);
207 if (verdict == EBT_DROP) {
208 read_unlock_bh(&table->lock);
211 if (verdict == EBT_RETURN) {
213 #ifdef CONFIG_NETFILTER_DEBUG
215 BUGPRINT("RETURN on base chain");
216 /* act like this is EBT_CONTINUE */
221 /* put all the local variables right */
223 chaininfo = cs[sp].chaininfo;
224 nentries = chaininfo->nentries;
226 counter_base = cb_base +
227 chaininfo->counter_offset;
230 if (verdict == EBT_CONTINUE)
232 #ifdef CONFIG_NETFILTER_DEBUG
234 BUGPRINT("bogus standard verdict\n");
235 read_unlock_bh(&table->lock);
241 cs[sp].chaininfo = chaininfo;
242 cs[sp].e = (struct ebt_entry *)
243 (((char *)point) + point->next_offset);
245 chaininfo = (struct ebt_entries *) (base + verdict);
246 #ifdef CONFIG_NETFILTER_DEBUG
247 if (chaininfo->distinguisher) {
248 BUGPRINT("jump to non-chain\n");
249 read_unlock_bh(&table->lock);
253 nentries = chaininfo->nentries;
254 point = (struct ebt_entry *)chaininfo->data;
255 counter_base = cb_base + chaininfo->counter_offset;
259 point = (struct ebt_entry *)
260 (((char *)point) + point->next_offset);
264 /* I actually like this :) */
265 if (chaininfo->policy == EBT_RETURN)
267 if (chaininfo->policy == EBT_ACCEPT) {
268 read_unlock_bh(&table->lock);
271 read_unlock_bh(&table->lock);
275 /* If it succeeds, returns element and locks mutex */
277 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
281 struct list_head list;
282 char name[EBT_FUNCTION_MAXNAMELEN];
285 *error = mutex_lock_interruptible(mutex);
289 list_for_each_entry(e, head, list) {
290 if (strcmp(e->name, name) == 0)
299 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
302 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
303 int *error, struct mutex *mutex)
307 ret = find_inlist_lock_noload(head, name, error, mutex);
309 request_module("%s%s", prefix, name);
310 ret = find_inlist_lock_noload(head, name, error, mutex);
316 static inline struct ebt_table *
317 find_table_lock(const char *name, int *error, struct mutex *mutex)
319 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
323 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
324 const char *name, unsigned int hookmask, unsigned int *cnt)
326 struct xt_match *match;
327 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
330 if (left < sizeof(struct ebt_entry_match) ||
331 left - sizeof(struct ebt_entry_match) < m->match_size)
334 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
335 m->u.name, 0), "ebt_%s", m->u.name);
337 return PTR_ERR(match);
342 ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size,
343 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
346 module_put(match->me);
355 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
356 const char *name, unsigned int hookmask, unsigned int *cnt)
358 struct xt_target *watcher;
359 size_t left = ((char *)e + e->target_offset) - (char *)w;
362 if (left < sizeof(struct ebt_entry_watcher) ||
363 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
366 watcher = try_then_request_module(
367 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
368 "ebt_%s", w->u.name);
370 return PTR_ERR(watcher);
373 w->u.watcher = watcher;
375 ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size,
376 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
379 module_put(watcher->me);
387 static int ebt_verify_pointers(struct ebt_replace *repl,
388 struct ebt_table_info *newinfo)
390 unsigned int limit = repl->entries_size;
391 unsigned int valid_hooks = repl->valid_hooks;
392 unsigned int offset = 0;
395 for (i = 0; i < NF_BR_NUMHOOKS; i++)
396 newinfo->hook_entry[i] = NULL;
398 newinfo->entries_size = repl->entries_size;
399 newinfo->nentries = repl->nentries;
401 while (offset < limit) {
402 size_t left = limit - offset;
403 struct ebt_entry *e = (void *)newinfo->entries + offset;
405 if (left < sizeof(unsigned int))
408 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
409 if ((valid_hooks & (1 << i)) == 0)
411 if ((char __user *)repl->hook_entry[i] ==
412 repl->entries + offset)
416 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
417 if (e->bitmask != 0) {
418 /* we make userspace set this right,
419 so there is no misunderstanding */
420 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
421 "in distinguisher\n");
424 if (i != NF_BR_NUMHOOKS)
425 newinfo->hook_entry[i] = (struct ebt_entries *)e;
426 if (left < sizeof(struct ebt_entries))
428 offset += sizeof(struct ebt_entries);
430 if (left < sizeof(struct ebt_entry))
432 if (left < e->next_offset)
434 offset += e->next_offset;
437 if (offset != limit) {
438 BUGPRINT("entries_size too small\n");
442 /* check if all valid hooks have a chain */
443 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
444 if (!newinfo->hook_entry[i] &&
445 (valid_hooks & (1 << i))) {
446 BUGPRINT("Valid hook without chain\n");
454 * this one is very careful, as it is the first function
455 * to parse the userspace data
458 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
459 struct ebt_table_info *newinfo,
460 unsigned int *n, unsigned int *cnt,
461 unsigned int *totalcnt, unsigned int *udc_cnt)
465 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
466 if ((void *)e == (void *)newinfo->hook_entry[i])
469 /* beginning of a new chain
470 if i == NF_BR_NUMHOOKS it must be a user defined chain */
471 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
472 /* this checks if the previous chain has as many entries
475 BUGPRINT("nentries does not equal the nr of entries "
479 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
480 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
481 /* only RETURN from udc */
482 if (i != NF_BR_NUMHOOKS ||
483 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
484 BUGPRINT("bad policy\n");
488 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
490 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
491 BUGPRINT("counter_offset != totalcnt");
494 *n = ((struct ebt_entries *)e)->nentries;
498 /* a plain old entry, heh */
499 if (sizeof(struct ebt_entry) > e->watchers_offset ||
500 e->watchers_offset > e->target_offset ||
501 e->target_offset >= e->next_offset) {
502 BUGPRINT("entry offsets not in right order\n");
505 /* this is not checked anywhere else */
506 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
507 BUGPRINT("target size too small\n");
517 struct ebt_chainstack cs;
519 unsigned int hookmask;
523 * we need these positions to check that the jumps to a different part of the
524 * entries is a jump to the beginning of a new chain.
527 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
528 unsigned int *n, struct ebt_cl_stack *udc)
532 /* we're only interested in chain starts */
535 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
536 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
539 /* only care about udc */
540 if (i != NF_BR_NUMHOOKS)
543 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
544 /* these initialisations are depended on later in check_chainloops() */
546 udc[*n].hookmask = 0;
553 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
555 if (i && (*i)-- == 0)
557 if (m->u.match->destroy)
558 m->u.match->destroy(m->u.match, m->data);
559 module_put(m->u.match->me);
565 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
567 if (i && (*i)-- == 0)
569 if (w->u.watcher->destroy)
570 w->u.watcher->destroy(w->u.watcher, w->data);
571 module_put(w->u.watcher->me);
577 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
579 struct ebt_entry_target *t;
584 if (cnt && (*cnt)-- == 0)
586 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
587 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
588 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
589 if (t->u.target->destroy)
590 t->u.target->destroy(t->u.target, t->data);
591 module_put(t->u.target->me);
597 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
598 const char *name, unsigned int *cnt,
599 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
601 struct ebt_entry_target *t;
602 struct xt_target *target;
603 unsigned int i, j, hook = 0, hookmask = 0;
607 /* don't mess with the struct ebt_entries */
611 if (e->bitmask & ~EBT_F_MASK) {
612 BUGPRINT("Unknown flag for bitmask\n");
615 if (e->invflags & ~EBT_INV_MASK) {
616 BUGPRINT("Unknown flag for inv bitmask\n");
619 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
620 BUGPRINT("NOPROTO & 802_3 not allowed\n");
623 /* what hook do we belong to? */
624 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
625 if (!newinfo->hook_entry[i])
627 if ((char *)newinfo->hook_entry[i] < (char *)e)
632 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
634 if (i < NF_BR_NUMHOOKS)
635 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
637 for (i = 0; i < udc_cnt; i++)
638 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
641 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
643 hookmask = cl_s[i - 1].hookmask;
646 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
648 goto cleanup_matches;
650 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
652 goto cleanup_watchers;
653 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
654 gap = e->next_offset - e->target_offset;
656 target = try_then_request_module(
657 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
658 "ebt_%s", t->u.name);
659 if (IS_ERR(target)) {
660 ret = PTR_ERR(target);
661 goto cleanup_watchers;
662 } else if (target == NULL) {
664 goto cleanup_watchers;
667 t->u.target = target;
668 if (t->u.target == &ebt_standard_target) {
669 if (gap < sizeof(struct ebt_standard_target)) {
670 BUGPRINT("Standard target size too big\n");
672 goto cleanup_watchers;
674 if (((struct ebt_standard_target *)t)->verdict <
675 -NUM_STANDARD_TARGETS) {
676 BUGPRINT("Invalid standard target\n");
678 goto cleanup_watchers;
680 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
681 module_put(t->u.target->me);
683 goto cleanup_watchers;
686 ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size,
687 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
690 module_put(target->me);
691 goto cleanup_watchers;
696 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
698 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
703 * checks for loops and sets the hook mask for udc
704 * the hook mask for udc tells us from which base chains the udc can be
705 * accessed. This mask is a parameter to the check() functions of the extensions
707 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
708 unsigned int udc_cnt, unsigned int hooknr, char *base)
710 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
711 struct ebt_entry *e = (struct ebt_entry *)chain->data;
712 struct ebt_entry_target *t;
714 while (pos < nentries || chain_nr != -1) {
715 /* end of udc, go back one 'recursion' step */
716 if (pos == nentries) {
717 /* put back values of the time when this chain was called */
718 e = cl_s[chain_nr].cs.e;
719 if (cl_s[chain_nr].from != -1)
721 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
723 nentries = chain->nentries;
724 pos = cl_s[chain_nr].cs.n;
725 /* make sure we won't see a loop that isn't one */
726 cl_s[chain_nr].cs.n = 0;
727 chain_nr = cl_s[chain_nr].from;
731 t = (struct ebt_entry_target *)
732 (((char *)e) + e->target_offset);
733 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
735 if (e->target_offset + sizeof(struct ebt_standard_target) >
737 BUGPRINT("Standard target size too big\n");
740 verdict = ((struct ebt_standard_target *)t)->verdict;
741 if (verdict >= 0) { /* jump to another chain */
742 struct ebt_entries *hlp2 =
743 (struct ebt_entries *)(base + verdict);
744 for (i = 0; i < udc_cnt; i++)
745 if (hlp2 == cl_s[i].cs.chaininfo)
747 /* bad destination or loop */
749 BUGPRINT("bad destination\n");
756 if (cl_s[i].hookmask & (1 << hooknr))
758 /* this can't be 0, so the loop test is correct */
759 cl_s[i].cs.n = pos + 1;
761 cl_s[i].cs.e = ((void *)e + e->next_offset);
762 e = (struct ebt_entry *)(hlp2->data);
763 nentries = hlp2->nentries;
764 cl_s[i].from = chain_nr;
766 /* this udc is accessible from the base chain for hooknr */
767 cl_s[i].hookmask |= (1 << hooknr);
771 e = (void *)e + e->next_offset;
777 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
778 static int translate_table(char *name, struct ebt_table_info *newinfo)
780 unsigned int i, j, k, udc_cnt;
782 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
785 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
787 if (i == NF_BR_NUMHOOKS) {
788 BUGPRINT("No valid hooks specified\n");
791 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
792 BUGPRINT("Chains don't start at beginning\n");
795 /* make sure chains are ordered after each other in same order
796 as their corresponding hooks */
797 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
798 if (!newinfo->hook_entry[j])
800 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
801 BUGPRINT("Hook order must be followed\n");
807 /* do some early checkings and initialize some things */
808 i = 0; /* holds the expected nr. of entries for the chain */
809 j = 0; /* holds the up to now counted entries for the chain */
810 k = 0; /* holds the total nr. of entries, should equal
811 newinfo->nentries afterwards */
812 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
813 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
814 ebt_check_entry_size_and_hooks, newinfo,
815 &i, &j, &k, &udc_cnt);
821 BUGPRINT("nentries does not equal the nr of entries in the "
825 if (k != newinfo->nentries) {
826 BUGPRINT("Total nentries is wrong\n");
830 /* get the location of the udc, put them in an array
831 while we're at it, allocate the chainstack */
833 /* this will get free'd in do_replace()/ebt_register_table()
834 if an error occurs */
835 newinfo->chainstack =
836 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
837 if (!newinfo->chainstack)
839 for_each_possible_cpu(i) {
840 newinfo->chainstack[i] =
841 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
842 if (!newinfo->chainstack[i]) {
844 vfree(newinfo->chainstack[--i]);
845 vfree(newinfo->chainstack);
846 newinfo->chainstack = NULL;
851 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
854 i = 0; /* the i'th udc */
855 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
856 ebt_get_udc_positions, newinfo, &i, cl_s);
859 BUGPRINT("i != udc_cnt\n");
865 /* Check for loops */
866 for (i = 0; i < NF_BR_NUMHOOKS; i++)
867 if (newinfo->hook_entry[i])
868 if (check_chainloops(newinfo->hook_entry[i],
869 cl_s, udc_cnt, i, newinfo->entries)) {
874 /* we now know the following (along with E=mc²):
875 - the nr of entries in each chain is right
876 - the size of the allocated space is right
877 - all valid hooks have a corresponding chain
879 - wrong data can still be on the level of a single entry
880 - could be there are jumps to places that are not the
881 beginning of a chain. This can only occur in chains that
882 are not accessible from any base chains, so we don't care. */
884 /* used to know what we need to clean up if something goes wrong */
886 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
887 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
889 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
890 ebt_cleanup_entry, &i);
896 /* called under write_lock */
897 static void get_counters(struct ebt_counter *oldcounters,
898 struct ebt_counter *counters, unsigned int nentries)
901 struct ebt_counter *counter_base;
903 /* counters of cpu 0 */
904 memcpy(counters, oldcounters,
905 sizeof(struct ebt_counter) * nentries);
907 /* add other counters to those of cpu 0 */
908 for_each_possible_cpu(cpu) {
911 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
912 for (i = 0; i < nentries; i++) {
913 counters[i].pcnt += counter_base[i].pcnt;
914 counters[i].bcnt += counter_base[i].bcnt;
919 /* replace the table */
920 static int do_replace(void __user *user, unsigned int len)
922 int ret, i, countersize;
923 struct ebt_table_info *newinfo;
924 struct ebt_replace tmp;
926 struct ebt_counter *counterstmp = NULL;
927 /* used to be able to unlock earlier */
928 struct ebt_table_info *table;
930 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
933 if (len != sizeof(tmp) + tmp.entries_size) {
934 BUGPRINT("Wrong len argument\n");
938 if (tmp.entries_size == 0) {
939 BUGPRINT("Entries_size never zero\n");
943 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
944 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
946 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
949 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
950 newinfo = vmalloc(sizeof(*newinfo) + countersize);
955 memset(newinfo->counters, 0, countersize);
957 newinfo->entries = vmalloc(tmp.entries_size);
958 if (!newinfo->entries) {
963 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
964 BUGPRINT("Couldn't copy entries from userspace\n");
969 /* the user wants counters back
970 the check on the size is done later, when we have the lock */
971 if (tmp.num_counters) {
972 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
981 /* this can get initialized by translate_table() */
982 newinfo->chainstack = NULL;
983 ret = ebt_verify_pointers(&tmp, newinfo);
985 goto free_counterstmp;
987 ret = translate_table(tmp.name, newinfo);
990 goto free_counterstmp;
992 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
998 /* the table doesn't like it */
999 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1002 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1003 BUGPRINT("Wrong nr. of counters requested\n");
1008 /* we have the mutex lock, so no danger in reading this pointer */
1010 /* make sure the table can only be rmmod'ed if it contains no rules */
1011 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1014 } else if (table->nentries && !newinfo->nentries)
1016 /* we need an atomic snapshot of the counters */
1017 write_lock_bh(&t->lock);
1018 if (tmp.num_counters)
1019 get_counters(t->private->counters, counterstmp,
1020 t->private->nentries);
1022 t->private = newinfo;
1023 write_unlock_bh(&t->lock);
1024 mutex_unlock(&ebt_mutex);
1025 /* so, a user can change the chains while having messed up her counter
1026 allocation. Only reason why this is done is because this way the lock
1027 is held only once, while this doesn't bring the kernel into a
1029 if (tmp.num_counters &&
1030 copy_to_user(tmp.counters, counterstmp,
1031 tmp.num_counters * sizeof(struct ebt_counter))) {
1032 BUGPRINT("Couldn't copy counters to userspace\n");
1038 /* decrease module count and free resources */
1039 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1040 ebt_cleanup_entry, NULL);
1042 vfree(table->entries);
1043 if (table->chainstack) {
1044 for_each_possible_cpu(i)
1045 vfree(table->chainstack[i]);
1046 vfree(table->chainstack);
1054 mutex_unlock(&ebt_mutex);
1056 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1057 ebt_cleanup_entry, NULL);
1060 /* can be initialized in translate_table() */
1061 if (newinfo->chainstack) {
1062 for_each_possible_cpu(i)
1063 vfree(newinfo->chainstack[i]);
1064 vfree(newinfo->chainstack);
1067 vfree(newinfo->entries);
1073 int ebt_register_table(struct ebt_table *table)
1075 struct ebt_table_info *newinfo;
1076 struct ebt_table *t;
1077 struct ebt_replace_kernel *repl;
1078 int ret, i, countersize;
1081 if (!table || !(repl = table->table) || !repl->entries ||
1082 repl->entries_size == 0 ||
1083 repl->counters || table->private) {
1084 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1088 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1089 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1094 p = vmalloc(repl->entries_size);
1098 memcpy(p, repl->entries, repl->entries_size);
1099 newinfo->entries = p;
1101 newinfo->entries_size = repl->entries_size;
1102 newinfo->nentries = repl->nentries;
1105 memset(newinfo->counters, 0, countersize);
1107 /* fill in newinfo and parse the entries */
1108 newinfo->chainstack = NULL;
1109 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1110 if ((repl->valid_hooks & (1 << i)) == 0)
1111 newinfo->hook_entry[i] = NULL;
1113 newinfo->hook_entry[i] = p +
1114 ((char *)repl->hook_entry[i] - repl->entries);
1116 ret = translate_table(repl->name, newinfo);
1118 BUGPRINT("Translate_table failed\n");
1119 goto free_chainstack;
1122 if (table->check && table->check(newinfo, table->valid_hooks)) {
1123 BUGPRINT("The table doesn't like its own initial data, lol\n");
1127 table->private = newinfo;
1128 rwlock_init(&table->lock);
1129 ret = mutex_lock_interruptible(&ebt_mutex);
1131 goto free_chainstack;
1133 list_for_each_entry(t, &ebt_tables, list) {
1134 if (strcmp(t->name, table->name) == 0) {
1136 BUGPRINT("Table name already exists\n");
1141 /* Hold a reference count if the chains aren't empty */
1142 if (newinfo->nentries && !try_module_get(table->me)) {
1146 list_add(&table->list, &ebt_tables);
1147 mutex_unlock(&ebt_mutex);
1150 mutex_unlock(&ebt_mutex);
1152 if (newinfo->chainstack) {
1153 for_each_possible_cpu(i)
1154 vfree(newinfo->chainstack[i]);
1155 vfree(newinfo->chainstack);
1157 vfree(newinfo->entries);
1163 void ebt_unregister_table(struct ebt_table *table)
1168 BUGPRINT("Request to unregister NULL table!!!\n");
1171 mutex_lock(&ebt_mutex);
1172 list_del(&table->list);
1173 mutex_unlock(&ebt_mutex);
1174 vfree(table->private->entries);
1175 if (table->private->chainstack) {
1176 for_each_possible_cpu(i)
1177 vfree(table->private->chainstack[i]);
1178 vfree(table->private->chainstack);
1180 vfree(table->private);
1183 /* userspace just supplied us with counters */
1184 static int update_counters(void __user *user, unsigned int len)
1187 struct ebt_counter *tmp;
1188 struct ebt_replace hlp;
1189 struct ebt_table *t;
1191 if (copy_from_user(&hlp, user, sizeof(hlp)))
1194 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1196 if (hlp.num_counters == 0)
1199 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1200 MEMPRINT("Update_counters && nomemory\n");
1204 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1208 if (hlp.num_counters != t->private->nentries) {
1209 BUGPRINT("Wrong nr of counters\n");
1214 if ( copy_from_user(tmp, hlp.counters,
1215 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1216 BUGPRINT("Updata_counters && !cfu\n");
1221 /* we want an atomic add of the counters */
1222 write_lock_bh(&t->lock);
1224 /* we add to the counters of the first cpu */
1225 for (i = 0; i < hlp.num_counters; i++) {
1226 t->private->counters[i].pcnt += tmp[i].pcnt;
1227 t->private->counters[i].bcnt += tmp[i].bcnt;
1230 write_unlock_bh(&t->lock);
1233 mutex_unlock(&ebt_mutex);
1239 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1240 char *base, char __user *ubase)
1242 char __user *hlp = ubase + ((char *)m - base);
1243 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1248 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1249 char *base, char __user *ubase)
1251 char __user *hlp = ubase + ((char *)w - base);
1252 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1257 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1261 struct ebt_entry_target *t;
1263 if (e->bitmask == 0)
1266 hlp = ubase + (((char *)e + e->target_offset) - base);
1267 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1269 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1272 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1275 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1280 /* called with ebt_mutex locked */
1281 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1284 struct ebt_replace tmp;
1285 struct ebt_counter *counterstmp, *oldcounters;
1286 unsigned int entries_size, nentries;
1289 if (cmd == EBT_SO_GET_ENTRIES) {
1290 entries_size = t->private->entries_size;
1291 nentries = t->private->nentries;
1292 entries = t->private->entries;
1293 oldcounters = t->private->counters;
1295 entries_size = t->table->entries_size;
1296 nentries = t->table->nentries;
1297 entries = t->table->entries;
1298 oldcounters = t->table->counters;
1301 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1302 BUGPRINT("Cfu didn't work\n");
1306 if (*len != sizeof(struct ebt_replace) + entries_size +
1307 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1308 BUGPRINT("Wrong size\n");
1312 if (tmp.nentries != nentries) {
1313 BUGPRINT("Nentries wrong\n");
1317 if (tmp.entries_size != entries_size) {
1318 BUGPRINT("Wrong size\n");
1322 /* userspace might not need the counters */
1323 if (tmp.num_counters) {
1324 if (tmp.num_counters != nentries) {
1325 BUGPRINT("Num_counters wrong\n");
1328 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1330 MEMPRINT("Couldn't copy counters, out of memory\n");
1333 write_lock_bh(&t->lock);
1334 get_counters(oldcounters, counterstmp, nentries);
1335 write_unlock_bh(&t->lock);
1337 if (copy_to_user(tmp.counters, counterstmp,
1338 nentries * sizeof(struct ebt_counter))) {
1339 BUGPRINT("Couldn't copy counters to userspace\n");
1346 if (copy_to_user(tmp.entries, entries, entries_size)) {
1347 BUGPRINT("Couldn't copy entries to userspace\n");
1350 /* set the match/watcher/target names right */
1351 return EBT_ENTRY_ITERATE(entries, entries_size,
1352 ebt_make_names, entries, tmp.entries);
1355 static int do_ebt_set_ctl(struct sock *sk,
1356 int cmd, void __user *user, unsigned int len)
1361 case EBT_SO_SET_ENTRIES:
1362 ret = do_replace(user, len);
1364 case EBT_SO_SET_COUNTERS:
1365 ret = update_counters(user, len);
1373 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1376 struct ebt_replace tmp;
1377 struct ebt_table *t;
1379 if (copy_from_user(&tmp, user, sizeof(tmp)))
1382 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1387 case EBT_SO_GET_INFO:
1388 case EBT_SO_GET_INIT_INFO:
1389 if (*len != sizeof(struct ebt_replace)){
1391 mutex_unlock(&ebt_mutex);
1394 if (cmd == EBT_SO_GET_INFO) {
1395 tmp.nentries = t->private->nentries;
1396 tmp.entries_size = t->private->entries_size;
1397 tmp.valid_hooks = t->valid_hooks;
1399 tmp.nentries = t->table->nentries;
1400 tmp.entries_size = t->table->entries_size;
1401 tmp.valid_hooks = t->table->valid_hooks;
1403 mutex_unlock(&ebt_mutex);
1404 if (copy_to_user(user, &tmp, *len) != 0){
1405 BUGPRINT("c2u Didn't work\n");
1412 case EBT_SO_GET_ENTRIES:
1413 case EBT_SO_GET_INIT_ENTRIES:
1414 ret = copy_everything_to_user(t, user, len, cmd);
1415 mutex_unlock(&ebt_mutex);
1419 mutex_unlock(&ebt_mutex);
1426 static struct nf_sockopt_ops ebt_sockopts =
1429 .set_optmin = EBT_BASE_CTL,
1430 .set_optmax = EBT_SO_SET_MAX + 1,
1431 .set = do_ebt_set_ctl,
1432 .get_optmin = EBT_BASE_CTL,
1433 .get_optmax = EBT_SO_GET_MAX + 1,
1434 .get = do_ebt_get_ctl,
1435 .owner = THIS_MODULE,
1438 static int __init ebtables_init(void)
1442 ret = xt_register_target(&ebt_standard_target);
1445 ret = nf_register_sockopt(&ebt_sockopts);
1447 xt_unregister_target(&ebt_standard_target);
1451 printk(KERN_INFO "Ebtables v2.0 registered\n");
1455 static void __exit ebtables_fini(void)
1457 nf_unregister_sockopt(&ebt_sockopts);
1458 xt_unregister_target(&ebt_standard_target);
1459 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1462 EXPORT_SYMBOL(ebt_register_table);
1463 EXPORT_SYMBOL(ebt_unregister_table);
1464 EXPORT_SYMBOL(ebt_do_table);
1465 module_init(ebtables_init);
1466 module_exit(ebtables_fini);
1467 MODULE_LICENSE("GPL");