5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <asm/uaccess.h>
28 #include <linux/smp.h>
29 #include <linux/cpumask.h>
31 /* needed for logical [in,out]-dev filtering */
32 #include "../br_private.h"
35 #define ASSERT_READ_LOCK(x)
36 #define ASSERT_WRITE_LOCK(x)
37 #include <linux/netfilter_ipv4/listhelp.h>
38 #include <linux/mutex.h>
41 /* use this for remote debugging
42 * Copyright (C) 1998 by Ori Pomerantz
43 * Print the string to the appropriate tty, the one
44 * the current task uses
46 static void print_string(char *str)
48 struct tty_struct *my_tty;
50 /* The tty for the current task */
51 my_tty = current->signal->tty;
53 my_tty->driver->write(my_tty, 0, str, strlen(str));
54 my_tty->driver->write(my_tty, 0, "\015\012", 2);
58 #define BUGPRINT(args) print_string(args);
60 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
61 "report to author: "format, ## args)
62 /* #define BUGPRINT(format, args...) */
64 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
65 ": out of memory: "format, ## args)
66 /* #define MEMPRINT(format, args...) */
71 * Each cpu has its own set of counters, so there is no need for write_lock in
73 * For reading or updating the counters, the user context needs to
77 /* The size of each set of counters is altered to get cache alignment */
78 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
79 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
80 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
81 COUNTER_OFFSET(n) * cpu))
85 static DEFINE_MUTEX(ebt_mutex);
86 static LIST_HEAD(ebt_tables);
87 static LIST_HEAD(ebt_targets);
88 static LIST_HEAD(ebt_matches);
89 static LIST_HEAD(ebt_watchers);
91 static struct ebt_target ebt_standard_target =
92 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
94 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
95 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
96 const struct net_device *out)
98 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
100 /* watchers don't give a verdict */
104 static inline int ebt_do_match (struct ebt_entry_match *m,
105 const struct sk_buff *skb, const struct net_device *in,
106 const struct net_device *out)
108 return m->u.match->match(skb, in, out, m->data,
112 static inline int ebt_dev_check(char *entry, const struct net_device *device)
115 char *devname = device->name;
121 /* 1 is the wildcard token */
122 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
124 return (devname[i] != entry[i] && entry[i] != 1);
127 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
128 /* process standard matches */
129 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
130 const struct net_device *in, const struct net_device *out)
134 if (e->bitmask & EBT_802_3) {
135 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
137 } else if (!(e->bitmask & EBT_NOPROTO) &&
138 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
141 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
143 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
145 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
146 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
148 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
149 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
152 if (e->bitmask & EBT_SOURCEMAC) {
154 for (i = 0; i < 6; i++)
155 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
157 if (FWINV2(verdict != 0, EBT_ISOURCE) )
160 if (e->bitmask & EBT_DESTMAC) {
162 for (i = 0; i < 6; i++)
163 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
165 if (FWINV2(verdict != 0, EBT_IDEST) )
171 /* Do some firewalling */
172 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
173 const struct net_device *in, const struct net_device *out,
174 struct ebt_table *table)
177 struct ebt_entry *point;
178 struct ebt_counter *counter_base, *cb_base;
179 struct ebt_entry_target *t;
181 struct ebt_chainstack *cs;
182 struct ebt_entries *chaininfo;
184 struct ebt_table_info *private;
186 read_lock_bh(&table->lock);
187 private = table->private;
188 cb_base = COUNTER_BASE(private->counters, private->nentries,
190 if (private->chainstack)
191 cs = private->chainstack[smp_processor_id()];
194 chaininfo = private->hook_entry[hook];
195 nentries = private->hook_entry[hook]->nentries;
196 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
197 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
198 /* base for chain jumps */
199 base = private->entries;
201 while (i < nentries) {
202 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
205 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
208 /* increase counter */
209 (*(counter_base + i)).pcnt++;
210 (*(counter_base + i)).bcnt+=(**pskb).len;
212 /* these should only watch: not modify, nor tell us
213 what to do with the packet */
214 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
217 t = (struct ebt_entry_target *)
218 (((char *)point) + point->target_offset);
219 /* standard target */
220 if (!t->u.target->target)
221 verdict = ((struct ebt_standard_target *)t)->verdict;
223 verdict = t->u.target->target(pskb, hook,
224 in, out, t->data, t->target_size);
225 if (verdict == EBT_ACCEPT) {
226 read_unlock_bh(&table->lock);
229 if (verdict == EBT_DROP) {
230 read_unlock_bh(&table->lock);
233 if (verdict == EBT_RETURN) {
235 #ifdef CONFIG_NETFILTER_DEBUG
237 BUGPRINT("RETURN on base chain");
238 /* act like this is EBT_CONTINUE */
243 /* put all the local variables right */
245 chaininfo = cs[sp].chaininfo;
246 nentries = chaininfo->nentries;
248 counter_base = cb_base +
249 chaininfo->counter_offset;
252 if (verdict == EBT_CONTINUE)
254 #ifdef CONFIG_NETFILTER_DEBUG
256 BUGPRINT("bogus standard verdict\n");
257 read_unlock_bh(&table->lock);
263 cs[sp].chaininfo = chaininfo;
264 cs[sp].e = (struct ebt_entry *)
265 (((char *)point) + point->next_offset);
267 chaininfo = (struct ebt_entries *) (base + verdict);
268 #ifdef CONFIG_NETFILTER_DEBUG
269 if (chaininfo->distinguisher) {
270 BUGPRINT("jump to non-chain\n");
271 read_unlock_bh(&table->lock);
275 nentries = chaininfo->nentries;
276 point = (struct ebt_entry *)chaininfo->data;
277 counter_base = cb_base + chaininfo->counter_offset;
281 point = (struct ebt_entry *)
282 (((char *)point) + point->next_offset);
286 /* I actually like this :) */
287 if (chaininfo->policy == EBT_RETURN)
289 if (chaininfo->policy == EBT_ACCEPT) {
290 read_unlock_bh(&table->lock);
293 read_unlock_bh(&table->lock);
297 /* If it succeeds, returns element and locks mutex */
299 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
304 *error = mutex_lock_interruptible(mutex);
308 ret = list_named_find(head, name);
317 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
320 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
321 int *error, struct mutex *mutex)
325 ret = find_inlist_lock_noload(head, name, error, mutex);
327 request_module("%s%s", prefix, name);
328 ret = find_inlist_lock_noload(head, name, error, mutex);
334 static inline struct ebt_table *
335 find_table_lock(const char *name, int *error, struct mutex *mutex)
337 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
340 static inline struct ebt_match *
341 find_match_lock(const char *name, int *error, struct mutex *mutex)
343 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
346 static inline struct ebt_watcher *
347 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
349 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
352 static inline struct ebt_target *
353 find_target_lock(const char *name, int *error, struct mutex *mutex)
355 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
359 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
360 const char *name, unsigned int hookmask, unsigned int *cnt)
362 struct ebt_match *match;
365 if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
366 ((char *)e) + e->watchers_offset)
368 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
372 if (!try_module_get(match->me)) {
373 mutex_unlock(&ebt_mutex);
376 mutex_unlock(&ebt_mutex);
378 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
379 BUGPRINT("match->check failed\n");
380 module_put(match->me);
388 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
389 const char *name, unsigned int hookmask, unsigned int *cnt)
391 struct ebt_watcher *watcher;
394 if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
395 ((char *)e) + e->target_offset)
397 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
400 w->u.watcher = watcher;
401 if (!try_module_get(watcher->me)) {
402 mutex_unlock(&ebt_mutex);
405 mutex_unlock(&ebt_mutex);
406 if (watcher->check &&
407 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
408 BUGPRINT("watcher->check failed\n");
409 module_put(watcher->me);
417 * this one is very careful, as it is the first function
418 * to parse the userspace data
421 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
422 struct ebt_table_info *newinfo, char *base, char *limit,
423 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
424 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
428 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
429 if ((valid_hooks & (1 << i)) == 0)
431 if ( (char *)hook_entries[i] - base ==
432 (char *)e - newinfo->entries)
435 /* beginning of a new chain
436 if i == NF_BR_NUMHOOKS it must be a user defined chain */
437 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
438 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) != 0) {
439 /* we make userspace set this right,
440 so there is no misunderstanding */
441 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
442 "in distinguisher\n");
445 /* this checks if the previous chain has as many entries
448 BUGPRINT("nentries does not equal the nr of entries "
452 /* before we look at the struct, be sure it is not too big */
453 if ((char *)hook_entries[i] + sizeof(struct ebt_entries)
455 BUGPRINT("entries_size too small\n");
458 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
459 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
460 /* only RETURN from udc */
461 if (i != NF_BR_NUMHOOKS ||
462 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
463 BUGPRINT("bad policy\n");
467 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
470 newinfo->hook_entry[i] = (struct ebt_entries *)e;
471 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
472 BUGPRINT("counter_offset != totalcnt");
475 *n = ((struct ebt_entries *)e)->nentries;
479 /* a plain old entry, heh */
480 if (sizeof(struct ebt_entry) > e->watchers_offset ||
481 e->watchers_offset > e->target_offset ||
482 e->target_offset >= e->next_offset) {
483 BUGPRINT("entry offsets not in right order\n");
486 /* this is not checked anywhere else */
487 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
488 BUGPRINT("target size too small\n");
499 struct ebt_chainstack cs;
501 unsigned int hookmask;
505 * we need these positions to check that the jumps to a different part of the
506 * entries is a jump to the beginning of a new chain.
509 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
510 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
511 struct ebt_cl_stack *udc)
515 /* we're only interested in chain starts */
516 if (e->bitmask & EBT_ENTRY_OR_ENTRIES)
518 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
519 if ((valid_hooks & (1 << i)) == 0)
521 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
524 /* only care about udc */
525 if (i != NF_BR_NUMHOOKS)
528 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
529 /* these initialisations are depended on later in check_chainloops() */
531 udc[*n].hookmask = 0;
538 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
540 if (i && (*i)-- == 0)
542 if (m->u.match->destroy)
543 m->u.match->destroy(m->data, m->match_size);
544 module_put(m->u.match->me);
550 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
552 if (i && (*i)-- == 0)
554 if (w->u.watcher->destroy)
555 w->u.watcher->destroy(w->data, w->watcher_size);
556 module_put(w->u.watcher->me);
562 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
564 struct ebt_entry_target *t;
566 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
569 if (cnt && (*cnt)-- == 0)
571 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
572 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
573 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
574 if (t->u.target->destroy)
575 t->u.target->destroy(t->data, t->target_size);
576 module_put(t->u.target->me);
582 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
583 const char *name, unsigned int *cnt, unsigned int valid_hooks,
584 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
586 struct ebt_entry_target *t;
587 struct ebt_target *target;
588 unsigned int i, j, hook = 0, hookmask = 0;
591 /* don't mess with the struct ebt_entries */
592 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
595 if (e->bitmask & ~EBT_F_MASK) {
596 BUGPRINT("Unknown flag for bitmask\n");
599 if (e->invflags & ~EBT_INV_MASK) {
600 BUGPRINT("Unknown flag for inv bitmask\n");
603 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
604 BUGPRINT("NOPROTO & 802_3 not allowed\n");
607 /* what hook do we belong to? */
608 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
609 if ((valid_hooks & (1 << i)) == 0)
611 if ((char *)newinfo->hook_entry[i] < (char *)e)
616 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
618 if (i < NF_BR_NUMHOOKS)
619 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
621 for (i = 0; i < udc_cnt; i++)
622 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
625 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
627 hookmask = cl_s[i - 1].hookmask;
630 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
632 goto cleanup_matches;
634 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
636 goto cleanup_watchers;
637 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
638 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
640 goto cleanup_watchers;
641 if (!try_module_get(target->me)) {
642 mutex_unlock(&ebt_mutex);
644 goto cleanup_watchers;
646 mutex_unlock(&ebt_mutex);
648 t->u.target = target;
649 if (t->u.target == &ebt_standard_target) {
650 if (e->target_offset + sizeof(struct ebt_standard_target) >
652 BUGPRINT("Standard target size too big\n");
654 goto cleanup_watchers;
656 if (((struct ebt_standard_target *)t)->verdict <
657 -NUM_STANDARD_TARGETS) {
658 BUGPRINT("Invalid standard target\n");
660 goto cleanup_watchers;
662 } else if ((e->target_offset + t->target_size +
663 sizeof(struct ebt_entry_target) > e->next_offset) ||
664 (t->u.target->check &&
665 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
666 module_put(t->u.target->me);
668 goto cleanup_watchers;
673 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
675 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
680 * checks for loops and sets the hook mask for udc
681 * the hook mask for udc tells us from which base chains the udc can be
682 * accessed. This mask is a parameter to the check() functions of the extensions
684 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
685 unsigned int udc_cnt, unsigned int hooknr, char *base)
687 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
688 struct ebt_entry *e = (struct ebt_entry *)chain->data;
689 struct ebt_entry_target *t;
691 while (pos < nentries || chain_nr != -1) {
692 /* end of udc, go back one 'recursion' step */
693 if (pos == nentries) {
694 /* put back values of the time when this chain was called */
695 e = cl_s[chain_nr].cs.e;
696 if (cl_s[chain_nr].from != -1)
698 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
700 nentries = chain->nentries;
701 pos = cl_s[chain_nr].cs.n;
702 /* make sure we won't see a loop that isn't one */
703 cl_s[chain_nr].cs.n = 0;
704 chain_nr = cl_s[chain_nr].from;
708 t = (struct ebt_entry_target *)
709 (((char *)e) + e->target_offset);
710 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
712 if (e->target_offset + sizeof(struct ebt_standard_target) >
714 BUGPRINT("Standard target size too big\n");
717 verdict = ((struct ebt_standard_target *)t)->verdict;
718 if (verdict >= 0) { /* jump to another chain */
719 struct ebt_entries *hlp2 =
720 (struct ebt_entries *)(base + verdict);
721 for (i = 0; i < udc_cnt; i++)
722 if (hlp2 == cl_s[i].cs.chaininfo)
724 /* bad destination or loop */
726 BUGPRINT("bad destination\n");
733 /* this can't be 0, so the above test is correct */
734 cl_s[i].cs.n = pos + 1;
736 cl_s[i].cs.e = ((void *)e + e->next_offset);
737 e = (struct ebt_entry *)(hlp2->data);
738 nentries = hlp2->nentries;
739 cl_s[i].from = chain_nr;
741 /* this udc is accessible from the base chain for hooknr */
742 cl_s[i].hookmask |= (1 << hooknr);
746 e = (void *)e + e->next_offset;
752 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
753 static int translate_table(struct ebt_replace *repl,
754 struct ebt_table_info *newinfo)
756 unsigned int i, j, k, udc_cnt;
758 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
761 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
763 if (i == NF_BR_NUMHOOKS) {
764 BUGPRINT("No valid hooks specified\n");
767 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
768 BUGPRINT("Chains don't start at beginning\n");
771 /* make sure chains are ordered after each other in same order
772 as their corresponding hooks */
773 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
774 if (!(repl->valid_hooks & (1 << j)))
776 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
777 BUGPRINT("Hook order must be followed\n");
783 for (i = 0; i < NF_BR_NUMHOOKS; i++)
784 newinfo->hook_entry[i] = NULL;
786 newinfo->entries_size = repl->entries_size;
787 newinfo->nentries = repl->nentries;
789 /* do some early checkings and initialize some things */
790 i = 0; /* holds the expected nr. of entries for the chain */
791 j = 0; /* holds the up to now counted entries for the chain */
792 k = 0; /* holds the total nr. of entries, should equal
793 newinfo->nentries afterwards */
794 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
795 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
796 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
797 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
798 &udc_cnt, repl->valid_hooks);
804 BUGPRINT("nentries does not equal the nr of entries in the "
808 if (k != newinfo->nentries) {
809 BUGPRINT("Total nentries is wrong\n");
813 /* check if all valid hooks have a chain */
814 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
815 if (newinfo->hook_entry[i] == NULL &&
816 (repl->valid_hooks & (1 << i))) {
817 BUGPRINT("Valid hook without chain\n");
822 /* get the location of the udc, put them in an array
823 while we're at it, allocate the chainstack */
825 /* this will get free'd in do_replace()/ebt_register_table()
826 if an error occurs */
827 newinfo->chainstack = (struct ebt_chainstack **)
828 vmalloc((highest_possible_processor_id()+1)
829 * sizeof(struct ebt_chainstack));
830 if (!newinfo->chainstack)
833 newinfo->chainstack[i] =
834 vmalloc(udc_cnt * sizeof(struct ebt_chainstack));
835 if (!newinfo->chainstack[i]) {
837 vfree(newinfo->chainstack[--i]);
838 vfree(newinfo->chainstack);
839 newinfo->chainstack = NULL;
844 cl_s = (struct ebt_cl_stack *)
845 vmalloc(udc_cnt * sizeof(struct ebt_cl_stack));
848 i = 0; /* the i'th udc */
849 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
850 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
851 repl->valid_hooks, cl_s);
854 BUGPRINT("i != udc_cnt\n");
860 /* Check for loops */
861 for (i = 0; i < NF_BR_NUMHOOKS; i++)
862 if (repl->valid_hooks & (1 << i))
863 if (check_chainloops(newinfo->hook_entry[i],
864 cl_s, udc_cnt, i, newinfo->entries)) {
869 /* we now know the following (along with E=mc²):
870 - the nr of entries in each chain is right
871 - the size of the allocated space is right
872 - all valid hooks have a corresponding chain
874 - wrong data can still be on the level of a single entry
875 - could be there are jumps to places that are not the
876 beginning of a chain. This can only occur in chains that
877 are not accessible from any base chains, so we don't care. */
879 /* used to know what we need to clean up if something goes wrong */
881 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
882 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
885 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
886 ebt_cleanup_entry, &i);
892 /* called under write_lock */
893 static void get_counters(struct ebt_counter *oldcounters,
894 struct ebt_counter *counters, unsigned int nentries)
897 struct ebt_counter *counter_base;
899 /* counters of cpu 0 */
900 memcpy(counters, oldcounters,
901 sizeof(struct ebt_counter) * nentries);
903 /* add other counters to those of cpu 0 */
907 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
908 for (i = 0; i < nentries; i++) {
909 counters[i].pcnt += counter_base[i].pcnt;
910 counters[i].bcnt += counter_base[i].bcnt;
915 /* replace the table */
916 static int do_replace(void __user *user, unsigned int len)
918 int ret, i, countersize;
919 struct ebt_table_info *newinfo;
920 struct ebt_replace tmp;
922 struct ebt_counter *counterstmp = NULL;
923 /* used to be able to unlock earlier */
924 struct ebt_table_info *table;
926 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
929 if (len != sizeof(tmp) + tmp.entries_size) {
930 BUGPRINT("Wrong len argument\n");
934 if (tmp.entries_size == 0) {
935 BUGPRINT("Entries_size never zero\n");
939 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
940 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
942 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
945 countersize = COUNTER_OFFSET(tmp.nentries) *
946 (highest_possible_processor_id()+1);
947 newinfo = (struct ebt_table_info *)
948 vmalloc(sizeof(struct ebt_table_info) + countersize);
953 memset(newinfo->counters, 0, countersize);
955 newinfo->entries = vmalloc(tmp.entries_size);
956 if (!newinfo->entries) {
961 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
962 BUGPRINT("Couldn't copy entries from userspace\n");
967 /* the user wants counters back
968 the check on the size is done later, when we have the lock */
969 if (tmp.num_counters) {
970 counterstmp = (struct ebt_counter *)
971 vmalloc(tmp.num_counters * sizeof(struct ebt_counter));
980 /* this can get initialized by translate_table() */
981 newinfo->chainstack = NULL;
982 ret = translate_table(&tmp, newinfo);
985 goto free_counterstmp;
987 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
993 /* the table doesn't like it */
994 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
997 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
998 BUGPRINT("Wrong nr. of counters requested\n");
1003 /* we have the mutex lock, so no danger in reading this pointer */
1005 /* make sure the table can only be rmmod'ed if it contains no rules */
1006 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1009 } else if (table->nentries && !newinfo->nentries)
1011 /* we need an atomic snapshot of the counters */
1012 write_lock_bh(&t->lock);
1013 if (tmp.num_counters)
1014 get_counters(t->private->counters, counterstmp,
1015 t->private->nentries);
1017 t->private = newinfo;
1018 write_unlock_bh(&t->lock);
1019 mutex_unlock(&ebt_mutex);
1020 /* so, a user can change the chains while having messed up her counter
1021 allocation. Only reason why this is done is because this way the lock
1022 is held only once, while this doesn't bring the kernel into a
1024 if (tmp.num_counters &&
1025 copy_to_user(tmp.counters, counterstmp,
1026 tmp.num_counters * sizeof(struct ebt_counter))) {
1027 BUGPRINT("Couldn't copy counters to userspace\n");
1033 /* decrease module count and free resources */
1034 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1035 ebt_cleanup_entry, NULL);
1037 vfree(table->entries);
1038 if (table->chainstack) {
1040 vfree(table->chainstack[i]);
1041 vfree(table->chainstack);
1049 mutex_unlock(&ebt_mutex);
1051 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1052 ebt_cleanup_entry, NULL);
1055 /* can be initialized in translate_table() */
1056 if (newinfo->chainstack) {
1058 vfree(newinfo->chainstack[i]);
1059 vfree(newinfo->chainstack);
1062 vfree(newinfo->entries);
1068 int ebt_register_target(struct ebt_target *target)
1072 ret = mutex_lock_interruptible(&ebt_mutex);
1075 if (!list_named_insert(&ebt_targets, target)) {
1076 mutex_unlock(&ebt_mutex);
1079 mutex_unlock(&ebt_mutex);
1084 void ebt_unregister_target(struct ebt_target *target)
1086 mutex_lock(&ebt_mutex);
1087 LIST_DELETE(&ebt_targets, target);
1088 mutex_unlock(&ebt_mutex);
1091 int ebt_register_match(struct ebt_match *match)
1095 ret = mutex_lock_interruptible(&ebt_mutex);
1098 if (!list_named_insert(&ebt_matches, match)) {
1099 mutex_unlock(&ebt_mutex);
1102 mutex_unlock(&ebt_mutex);
1107 void ebt_unregister_match(struct ebt_match *match)
1109 mutex_lock(&ebt_mutex);
1110 LIST_DELETE(&ebt_matches, match);
1111 mutex_unlock(&ebt_mutex);
1114 int ebt_register_watcher(struct ebt_watcher *watcher)
1118 ret = mutex_lock_interruptible(&ebt_mutex);
1121 if (!list_named_insert(&ebt_watchers, watcher)) {
1122 mutex_unlock(&ebt_mutex);
1125 mutex_unlock(&ebt_mutex);
1130 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1132 mutex_lock(&ebt_mutex);
1133 LIST_DELETE(&ebt_watchers, watcher);
1134 mutex_unlock(&ebt_mutex);
1137 int ebt_register_table(struct ebt_table *table)
1139 struct ebt_table_info *newinfo;
1140 int ret, i, countersize;
1142 if (!table || !table->table ||!table->table->entries ||
1143 table->table->entries_size == 0 ||
1144 table->table->counters || table->private) {
1145 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1149 countersize = COUNTER_OFFSET(table->table->nentries) *
1150 (highest_possible_processor_id()+1);
1151 newinfo = (struct ebt_table_info *)
1152 vmalloc(sizeof(struct ebt_table_info) + countersize);
1157 newinfo->entries = vmalloc(table->table->entries_size);
1158 if (!(newinfo->entries))
1161 memcpy(newinfo->entries, table->table->entries,
1162 table->table->entries_size);
1165 memset(newinfo->counters, 0, countersize);
1167 /* fill in newinfo and parse the entries */
1168 newinfo->chainstack = NULL;
1169 ret = translate_table(table->table, newinfo);
1171 BUGPRINT("Translate_table failed\n");
1172 goto free_chainstack;
1175 if (table->check && table->check(newinfo, table->valid_hooks)) {
1176 BUGPRINT("The table doesn't like its own initial data, lol\n");
1180 table->private = newinfo;
1181 rwlock_init(&table->lock);
1182 ret = mutex_lock_interruptible(&ebt_mutex);
1184 goto free_chainstack;
1186 if (list_named_find(&ebt_tables, table->name)) {
1188 BUGPRINT("Table name already exists\n");
1192 /* Hold a reference count if the chains aren't empty */
1193 if (newinfo->nentries && !try_module_get(table->me)) {
1197 list_prepend(&ebt_tables, table);
1198 mutex_unlock(&ebt_mutex);
1201 mutex_unlock(&ebt_mutex);
1203 if (newinfo->chainstack) {
1205 vfree(newinfo->chainstack[i]);
1206 vfree(newinfo->chainstack);
1208 vfree(newinfo->entries);
1214 void ebt_unregister_table(struct ebt_table *table)
1219 BUGPRINT("Request to unregister NULL table!!!\n");
1222 mutex_lock(&ebt_mutex);
1223 LIST_DELETE(&ebt_tables, table);
1224 mutex_unlock(&ebt_mutex);
1225 vfree(table->private->entries);
1226 if (table->private->chainstack) {
1228 vfree(table->private->chainstack[i]);
1229 vfree(table->private->chainstack);
1231 vfree(table->private);
1234 /* userspace just supplied us with counters */
1235 static int update_counters(void __user *user, unsigned int len)
1238 struct ebt_counter *tmp;
1239 struct ebt_replace hlp;
1240 struct ebt_table *t;
1242 if (copy_from_user(&hlp, user, sizeof(hlp)))
1245 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1247 if (hlp.num_counters == 0)
1250 if ( !(tmp = (struct ebt_counter *)
1251 vmalloc(hlp.num_counters * sizeof(struct ebt_counter))) ){
1252 MEMPRINT("Update_counters && nomemory\n");
1256 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1260 if (hlp.num_counters != t->private->nentries) {
1261 BUGPRINT("Wrong nr of counters\n");
1266 if ( copy_from_user(tmp, hlp.counters,
1267 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1268 BUGPRINT("Updata_counters && !cfu\n");
1273 /* we want an atomic add of the counters */
1274 write_lock_bh(&t->lock);
1276 /* we add to the counters of the first cpu */
1277 for (i = 0; i < hlp.num_counters; i++) {
1278 t->private->counters[i].pcnt += tmp[i].pcnt;
1279 t->private->counters[i].bcnt += tmp[i].bcnt;
1282 write_unlock_bh(&t->lock);
1285 mutex_unlock(&ebt_mutex);
1291 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1292 char *base, char *ubase)
1294 char *hlp = ubase - base + (char *)m;
1295 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1300 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1301 char *base, char *ubase)
1303 char *hlp = ubase - base + (char *)w;
1304 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1309 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1313 struct ebt_entry_target *t;
1315 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
1318 hlp = ubase - base + (char *)e + e->target_offset;
1319 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1321 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1324 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1327 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1332 /* called with ebt_mutex locked */
1333 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1336 struct ebt_replace tmp;
1337 struct ebt_counter *counterstmp, *oldcounters;
1338 unsigned int entries_size, nentries;
1341 if (cmd == EBT_SO_GET_ENTRIES) {
1342 entries_size = t->private->entries_size;
1343 nentries = t->private->nentries;
1344 entries = t->private->entries;
1345 oldcounters = t->private->counters;
1347 entries_size = t->table->entries_size;
1348 nentries = t->table->nentries;
1349 entries = t->table->entries;
1350 oldcounters = t->table->counters;
1353 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1354 BUGPRINT("Cfu didn't work\n");
1358 if (*len != sizeof(struct ebt_replace) + entries_size +
1359 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1360 BUGPRINT("Wrong size\n");
1364 if (tmp.nentries != nentries) {
1365 BUGPRINT("Nentries wrong\n");
1369 if (tmp.entries_size != entries_size) {
1370 BUGPRINT("Wrong size\n");
1374 /* userspace might not need the counters */
1375 if (tmp.num_counters) {
1376 if (tmp.num_counters != nentries) {
1377 BUGPRINT("Num_counters wrong\n");
1380 counterstmp = (struct ebt_counter *)
1381 vmalloc(nentries * sizeof(struct ebt_counter));
1383 MEMPRINT("Couldn't copy counters, out of memory\n");
1386 write_lock_bh(&t->lock);
1387 get_counters(oldcounters, counterstmp, nentries);
1388 write_unlock_bh(&t->lock);
1390 if (copy_to_user(tmp.counters, counterstmp,
1391 nentries * sizeof(struct ebt_counter))) {
1392 BUGPRINT("Couldn't copy counters to userspace\n");
1399 if (copy_to_user(tmp.entries, entries, entries_size)) {
1400 BUGPRINT("Couldn't copy entries to userspace\n");
1403 /* set the match/watcher/target names right */
1404 return EBT_ENTRY_ITERATE(entries, entries_size,
1405 ebt_make_names, entries, tmp.entries);
1408 static int do_ebt_set_ctl(struct sock *sk,
1409 int cmd, void __user *user, unsigned int len)
1414 case EBT_SO_SET_ENTRIES:
1415 ret = do_replace(user, len);
1417 case EBT_SO_SET_COUNTERS:
1418 ret = update_counters(user, len);
1426 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1429 struct ebt_replace tmp;
1430 struct ebt_table *t;
1432 if (copy_from_user(&tmp, user, sizeof(tmp)))
1435 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1440 case EBT_SO_GET_INFO:
1441 case EBT_SO_GET_INIT_INFO:
1442 if (*len != sizeof(struct ebt_replace)){
1444 mutex_unlock(&ebt_mutex);
1447 if (cmd == EBT_SO_GET_INFO) {
1448 tmp.nentries = t->private->nentries;
1449 tmp.entries_size = t->private->entries_size;
1450 tmp.valid_hooks = t->valid_hooks;
1452 tmp.nentries = t->table->nentries;
1453 tmp.entries_size = t->table->entries_size;
1454 tmp.valid_hooks = t->table->valid_hooks;
1456 mutex_unlock(&ebt_mutex);
1457 if (copy_to_user(user, &tmp, *len) != 0){
1458 BUGPRINT("c2u Didn't work\n");
1465 case EBT_SO_GET_ENTRIES:
1466 case EBT_SO_GET_INIT_ENTRIES:
1467 ret = copy_everything_to_user(t, user, len, cmd);
1468 mutex_unlock(&ebt_mutex);
1472 mutex_unlock(&ebt_mutex);
1479 static struct nf_sockopt_ops ebt_sockopts =
1482 .set_optmin = EBT_BASE_CTL,
1483 .set_optmax = EBT_SO_SET_MAX + 1,
1484 .set = do_ebt_set_ctl,
1485 .get_optmin = EBT_BASE_CTL,
1486 .get_optmax = EBT_SO_GET_MAX + 1,
1487 .get = do_ebt_get_ctl,
1490 static int __init ebtables_init(void)
1494 mutex_lock(&ebt_mutex);
1495 list_named_insert(&ebt_targets, &ebt_standard_target);
1496 mutex_unlock(&ebt_mutex);
1497 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1500 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1504 static void __exit ebtables_fini(void)
1506 nf_unregister_sockopt(&ebt_sockopts);
1507 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1510 EXPORT_SYMBOL(ebt_register_table);
1511 EXPORT_SYMBOL(ebt_unregister_table);
1512 EXPORT_SYMBOL(ebt_register_match);
1513 EXPORT_SYMBOL(ebt_unregister_match);
1514 EXPORT_SYMBOL(ebt_register_watcher);
1515 EXPORT_SYMBOL(ebt_unregister_watcher);
1516 EXPORT_SYMBOL(ebt_register_target);
1517 EXPORT_SYMBOL(ebt_unregister_target);
1518 EXPORT_SYMBOL(ebt_do_table);
1519 module_init(ebtables_init);
1520 module_exit(ebtables_fini);
1521 MODULE_LICENSE("GPL");
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob