5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <asm/uaccess.h>
28 #include <linux/smp.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
34 #define ASSERT_READ_LOCK(x)
35 #define ASSERT_WRITE_LOCK(x)
36 #include <linux/netfilter_ipv4/listhelp.h>
39 /* use this for remote debugging
40 * Copyright (C) 1998 by Ori Pomerantz
41 * Print the string to the appropriate tty, the one
42 * the current task uses
44 static void print_string(char *str)
46 struct tty_struct *my_tty;
48 /* The tty for the current task */
49 my_tty = current->signal->tty;
51 my_tty->driver->write(my_tty, 0, str, strlen(str));
52 my_tty->driver->write(my_tty, 0, "\015\012", 2);
56 #define BUGPRINT(args) print_string(args);
58 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
59 "report to author: "format, ## args)
60 /* #define BUGPRINT(format, args...) */
62 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
63 ": out of memory: "format, ## args)
64 /* #define MEMPRINT(format, args...) */
69 * Each cpu has its own set of counters, so there is no need for write_lock in
71 * For reading or updating the counters, the user context needs to
75 /* The size of each set of counters is altered to get cache alignment */
76 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
77 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
78 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
79 COUNTER_OFFSET(n) * cpu))
83 static DECLARE_MUTEX(ebt_mutex);
84 static LIST_HEAD(ebt_tables);
85 static LIST_HEAD(ebt_targets);
86 static LIST_HEAD(ebt_matches);
87 static LIST_HEAD(ebt_watchers);
89 static struct ebt_target ebt_standard_target =
90 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
92 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
93 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
94 const struct net_device *out)
96 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
98 /* watchers don't give a verdict */
102 static inline int ebt_do_match (struct ebt_entry_match *m,
103 const struct sk_buff *skb, const struct net_device *in,
104 const struct net_device *out)
106 return m->u.match->match(skb, in, out, m->data,
110 static inline int ebt_dev_check(char *entry, const struct net_device *device)
113 char *devname = device->name;
119 /* 1 is the wildcard token */
120 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
122 return (devname[i] != entry[i] && entry[i] != 1);
125 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
126 /* process standard matches */
127 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
128 const struct net_device *in, const struct net_device *out)
132 if (e->bitmask & EBT_802_3) {
133 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
135 } else if (!(e->bitmask & EBT_NOPROTO) &&
136 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
139 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
141 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
143 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
144 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
146 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
147 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
150 if (e->bitmask & EBT_SOURCEMAC) {
152 for (i = 0; i < 6; i++)
153 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
155 if (FWINV2(verdict != 0, EBT_ISOURCE) )
158 if (e->bitmask & EBT_DESTMAC) {
160 for (i = 0; i < 6; i++)
161 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
163 if (FWINV2(verdict != 0, EBT_IDEST) )
169 /* Do some firewalling */
170 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
171 const struct net_device *in, const struct net_device *out,
172 struct ebt_table *table)
175 struct ebt_entry *point;
176 struct ebt_counter *counter_base, *cb_base;
177 struct ebt_entry_target *t;
179 struct ebt_chainstack *cs;
180 struct ebt_entries *chaininfo;
182 struct ebt_table_info *private;
184 read_lock_bh(&table->lock);
185 private = table->private;
186 cb_base = COUNTER_BASE(private->counters, private->nentries,
188 if (private->chainstack)
189 cs = private->chainstack[smp_processor_id()];
192 chaininfo = private->hook_entry[hook];
193 nentries = private->hook_entry[hook]->nentries;
194 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
195 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
196 /* base for chain jumps */
197 base = private->entries;
199 while (i < nentries) {
200 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
203 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
206 /* increase counter */
207 (*(counter_base + i)).pcnt++;
208 (*(counter_base + i)).bcnt+=(**pskb).len;
210 /* these should only watch: not modify, nor tell us
211 what to do with the packet */
212 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
215 t = (struct ebt_entry_target *)
216 (((char *)point) + point->target_offset);
217 /* standard target */
218 if (!t->u.target->target)
219 verdict = ((struct ebt_standard_target *)t)->verdict;
221 verdict = t->u.target->target(pskb, hook,
222 in, out, t->data, t->target_size);
223 if (verdict == EBT_ACCEPT) {
224 read_unlock_bh(&table->lock);
227 if (verdict == EBT_DROP) {
228 read_unlock_bh(&table->lock);
231 if (verdict == EBT_RETURN) {
233 #ifdef CONFIG_NETFILTER_DEBUG
235 BUGPRINT("RETURN on base chain");
236 /* act like this is EBT_CONTINUE */
241 /* put all the local variables right */
243 chaininfo = cs[sp].chaininfo;
244 nentries = chaininfo->nentries;
246 counter_base = cb_base +
247 chaininfo->counter_offset;
250 if (verdict == EBT_CONTINUE)
252 #ifdef CONFIG_NETFILTER_DEBUG
254 BUGPRINT("bogus standard verdict\n");
255 read_unlock_bh(&table->lock);
261 cs[sp].chaininfo = chaininfo;
262 cs[sp].e = (struct ebt_entry *)
263 (((char *)point) + point->next_offset);
265 chaininfo = (struct ebt_entries *) (base + verdict);
266 #ifdef CONFIG_NETFILTER_DEBUG
267 if (chaininfo->distinguisher) {
268 BUGPRINT("jump to non-chain\n");
269 read_unlock_bh(&table->lock);
273 nentries = chaininfo->nentries;
274 point = (struct ebt_entry *)chaininfo->data;
275 counter_base = cb_base + chaininfo->counter_offset;
279 point = (struct ebt_entry *)
280 (((char *)point) + point->next_offset);
284 /* I actually like this :) */
285 if (chaininfo->policy == EBT_RETURN)
287 if (chaininfo->policy == EBT_ACCEPT) {
288 read_unlock_bh(&table->lock);
291 read_unlock_bh(&table->lock);
295 /* If it succeeds, returns element and locks mutex */
297 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
298 struct semaphore *mutex)
302 *error = down_interruptible(mutex);
306 ret = list_named_find(head, name);
315 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
318 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
319 int *error, struct semaphore *mutex)
323 ret = find_inlist_lock_noload(head, name, error, mutex);
325 request_module("%s%s", prefix, name);
326 ret = find_inlist_lock_noload(head, name, error, mutex);
332 static inline struct ebt_table *
333 find_table_lock(const char *name, int *error, struct semaphore *mutex)
335 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
338 static inline struct ebt_match *
339 find_match_lock(const char *name, int *error, struct semaphore *mutex)
341 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
344 static inline struct ebt_watcher *
345 find_watcher_lock(const char *name, int *error, struct semaphore *mutex)
347 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
350 static inline struct ebt_target *
351 find_target_lock(const char *name, int *error, struct semaphore *mutex)
353 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
357 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
358 const char *name, unsigned int hookmask, unsigned int *cnt)
360 struct ebt_match *match;
363 if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
364 ((char *)e) + e->watchers_offset)
366 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
370 if (!try_module_get(match->me)) {
376 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
377 BUGPRINT("match->check failed\n");
378 module_put(match->me);
386 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
387 const char *name, unsigned int hookmask, unsigned int *cnt)
389 struct ebt_watcher *watcher;
392 if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
393 ((char *)e) + e->target_offset)
395 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
398 w->u.watcher = watcher;
399 if (!try_module_get(watcher->me)) {
404 if (watcher->check &&
405 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
406 BUGPRINT("watcher->check failed\n");
407 module_put(watcher->me);
415 * this one is very careful, as it is the first function
416 * to parse the userspace data
419 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
420 struct ebt_table_info *newinfo, char *base, char *limit,
421 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
422 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
426 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
427 if ((valid_hooks & (1 << i)) == 0)
429 if ( (char *)hook_entries[i] - base ==
430 (char *)e - newinfo->entries)
433 /* beginning of a new chain
434 if i == NF_BR_NUMHOOKS it must be a user defined chain */
435 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
436 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) != 0) {
437 /* we make userspace set this right,
438 so there is no misunderstanding */
439 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
440 "in distinguisher\n");
443 /* this checks if the previous chain has as many entries
446 BUGPRINT("nentries does not equal the nr of entries "
450 /* before we look at the struct, be sure it is not too big */
451 if ((char *)hook_entries[i] + sizeof(struct ebt_entries)
453 BUGPRINT("entries_size too small\n");
456 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
457 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
458 /* only RETURN from udc */
459 if (i != NF_BR_NUMHOOKS ||
460 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
461 BUGPRINT("bad policy\n");
465 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
468 newinfo->hook_entry[i] = (struct ebt_entries *)e;
469 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
470 BUGPRINT("counter_offset != totalcnt");
473 *n = ((struct ebt_entries *)e)->nentries;
477 /* a plain old entry, heh */
478 if (sizeof(struct ebt_entry) > e->watchers_offset ||
479 e->watchers_offset > e->target_offset ||
480 e->target_offset >= e->next_offset) {
481 BUGPRINT("entry offsets not in right order\n");
484 /* this is not checked anywhere else */
485 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
486 BUGPRINT("target size too small\n");
497 struct ebt_chainstack cs;
499 unsigned int hookmask;
503 * we need these positions to check that the jumps to a different part of the
504 * entries is a jump to the beginning of a new chain.
507 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
508 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
509 struct ebt_cl_stack *udc)
513 /* we're only interested in chain starts */
514 if (e->bitmask & EBT_ENTRY_OR_ENTRIES)
516 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
517 if ((valid_hooks & (1 << i)) == 0)
519 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
522 /* only care about udc */
523 if (i != NF_BR_NUMHOOKS)
526 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
527 /* these initialisations are depended on later in check_chainloops() */
529 udc[*n].hookmask = 0;
536 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
538 if (i && (*i)-- == 0)
540 if (m->u.match->destroy)
541 m->u.match->destroy(m->data, m->match_size);
542 module_put(m->u.match->me);
548 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
550 if (i && (*i)-- == 0)
552 if (w->u.watcher->destroy)
553 w->u.watcher->destroy(w->data, w->watcher_size);
554 module_put(w->u.watcher->me);
560 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
562 struct ebt_entry_target *t;
564 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
567 if (cnt && (*cnt)-- == 0)
569 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
570 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
571 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
572 if (t->u.target->destroy)
573 t->u.target->destroy(t->data, t->target_size);
574 module_put(t->u.target->me);
580 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
581 const char *name, unsigned int *cnt, unsigned int valid_hooks,
582 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
584 struct ebt_entry_target *t;
585 struct ebt_target *target;
586 unsigned int i, j, hook = 0, hookmask = 0;
589 /* don't mess with the struct ebt_entries */
590 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
593 if (e->bitmask & ~EBT_F_MASK) {
594 BUGPRINT("Unknown flag for bitmask\n");
597 if (e->invflags & ~EBT_INV_MASK) {
598 BUGPRINT("Unknown flag for inv bitmask\n");
601 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
602 BUGPRINT("NOPROTO & 802_3 not allowed\n");
605 /* what hook do we belong to? */
606 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
607 if ((valid_hooks & (1 << i)) == 0)
609 if ((char *)newinfo->hook_entry[i] < (char *)e)
614 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
616 if (i < NF_BR_NUMHOOKS)
617 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
619 for (i = 0; i < udc_cnt; i++)
620 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
623 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
625 hookmask = cl_s[i - 1].hookmask;
628 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
630 goto cleanup_matches;
632 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
634 goto cleanup_watchers;
635 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
636 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
638 goto cleanup_watchers;
639 if (!try_module_get(target->me)) {
642 goto cleanup_watchers;
646 t->u.target = target;
647 if (t->u.target == &ebt_standard_target) {
648 if (e->target_offset + sizeof(struct ebt_standard_target) >
650 BUGPRINT("Standard target size too big\n");
652 goto cleanup_watchers;
654 if (((struct ebt_standard_target *)t)->verdict <
655 -NUM_STANDARD_TARGETS) {
656 BUGPRINT("Invalid standard target\n");
658 goto cleanup_watchers;
660 } else if ((e->target_offset + t->target_size +
661 sizeof(struct ebt_entry_target) > e->next_offset) ||
662 (t->u.target->check &&
663 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
664 module_put(t->u.target->me);
666 goto cleanup_watchers;
671 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
673 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
678 * checks for loops and sets the hook mask for udc
679 * the hook mask for udc tells us from which base chains the udc can be
680 * accessed. This mask is a parameter to the check() functions of the extensions
682 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
683 unsigned int udc_cnt, unsigned int hooknr, char *base)
685 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
686 struct ebt_entry *e = (struct ebt_entry *)chain->data;
687 struct ebt_entry_target *t;
689 while (pos < nentries || chain_nr != -1) {
690 /* end of udc, go back one 'recursion' step */
691 if (pos == nentries) {
692 /* put back values of the time when this chain was called */
693 e = cl_s[chain_nr].cs.e;
694 if (cl_s[chain_nr].from != -1)
696 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
698 nentries = chain->nentries;
699 pos = cl_s[chain_nr].cs.n;
700 /* make sure we won't see a loop that isn't one */
701 cl_s[chain_nr].cs.n = 0;
702 chain_nr = cl_s[chain_nr].from;
706 t = (struct ebt_entry_target *)
707 (((char *)e) + e->target_offset);
708 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
710 if (e->target_offset + sizeof(struct ebt_standard_target) >
712 BUGPRINT("Standard target size too big\n");
715 verdict = ((struct ebt_standard_target *)t)->verdict;
716 if (verdict >= 0) { /* jump to another chain */
717 struct ebt_entries *hlp2 =
718 (struct ebt_entries *)(base + verdict);
719 for (i = 0; i < udc_cnt; i++)
720 if (hlp2 == cl_s[i].cs.chaininfo)
722 /* bad destination or loop */
724 BUGPRINT("bad destination\n");
731 /* this can't be 0, so the above test is correct */
732 cl_s[i].cs.n = pos + 1;
734 cl_s[i].cs.e = ((void *)e + e->next_offset);
735 e = (struct ebt_entry *)(hlp2->data);
736 nentries = hlp2->nentries;
737 cl_s[i].from = chain_nr;
739 /* this udc is accessible from the base chain for hooknr */
740 cl_s[i].hookmask |= (1 << hooknr);
744 e = (void *)e + e->next_offset;
750 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
751 static int translate_table(struct ebt_replace *repl,
752 struct ebt_table_info *newinfo)
754 unsigned int i, j, k, udc_cnt;
756 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
759 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
761 if (i == NF_BR_NUMHOOKS) {
762 BUGPRINT("No valid hooks specified\n");
765 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
766 BUGPRINT("Chains don't start at beginning\n");
769 /* make sure chains are ordered after each other in same order
770 as their corresponding hooks */
771 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
772 if (!(repl->valid_hooks & (1 << j)))
774 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
775 BUGPRINT("Hook order must be followed\n");
781 for (i = 0; i < NF_BR_NUMHOOKS; i++)
782 newinfo->hook_entry[i] = NULL;
784 newinfo->entries_size = repl->entries_size;
785 newinfo->nentries = repl->nentries;
787 /* do some early checkings and initialize some things */
788 i = 0; /* holds the expected nr. of entries for the chain */
789 j = 0; /* holds the up to now counted entries for the chain */
790 k = 0; /* holds the total nr. of entries, should equal
791 newinfo->nentries afterwards */
792 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
793 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
794 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
795 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
796 &udc_cnt, repl->valid_hooks);
802 BUGPRINT("nentries does not equal the nr of entries in the "
806 if (k != newinfo->nentries) {
807 BUGPRINT("Total nentries is wrong\n");
811 /* check if all valid hooks have a chain */
812 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
813 if (newinfo->hook_entry[i] == NULL &&
814 (repl->valid_hooks & (1 << i))) {
815 BUGPRINT("Valid hook without chain\n");
820 /* get the location of the udc, put them in an array
821 while we're at it, allocate the chainstack */
823 /* this will get free'd in do_replace()/ebt_register_table()
824 if an error occurs */
825 newinfo->chainstack = (struct ebt_chainstack **)
826 vmalloc(num_possible_cpus() * sizeof(struct ebt_chainstack));
827 if (!newinfo->chainstack)
829 for (i = 0; i < num_possible_cpus(); i++) {
830 newinfo->chainstack[i] =
831 vmalloc(udc_cnt * sizeof(struct ebt_chainstack));
832 if (!newinfo->chainstack[i]) {
834 vfree(newinfo->chainstack[--i]);
835 vfree(newinfo->chainstack);
836 newinfo->chainstack = NULL;
841 cl_s = (struct ebt_cl_stack *)
842 vmalloc(udc_cnt * sizeof(struct ebt_cl_stack));
845 i = 0; /* the i'th udc */
846 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
847 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
848 repl->valid_hooks, cl_s);
851 BUGPRINT("i != udc_cnt\n");
857 /* Check for loops */
858 for (i = 0; i < NF_BR_NUMHOOKS; i++)
859 if (repl->valid_hooks & (1 << i))
860 if (check_chainloops(newinfo->hook_entry[i],
861 cl_s, udc_cnt, i, newinfo->entries)) {
867 /* we now know the following (along with E=mc²):
868 - the nr of entries in each chain is right
869 - the size of the allocated space is right
870 - all valid hooks have a corresponding chain
872 - wrong data can still be on the level of a single entry
873 - could be there are jumps to places that are not the
874 beginning of a chain. This can only occur in chains that
875 are not accessible from any base chains, so we don't care. */
877 /* used to know what we need to clean up if something goes wrong */
879 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
880 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
883 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
884 ebt_cleanup_entry, &i);
891 /* called under write_lock */
892 static void get_counters(struct ebt_counter *oldcounters,
893 struct ebt_counter *counters, unsigned int nentries)
896 struct ebt_counter *counter_base;
898 /* counters of cpu 0 */
899 memcpy(counters, oldcounters,
900 sizeof(struct ebt_counter) * nentries);
901 /* add other counters to those of cpu 0 */
902 for (cpu = 1; cpu < num_possible_cpus(); cpu++) {
903 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
904 for (i = 0; i < nentries; i++) {
905 counters[i].pcnt += counter_base[i].pcnt;
906 counters[i].bcnt += counter_base[i].bcnt;
911 /* replace the table */
912 static int do_replace(void __user *user, unsigned int len)
914 int ret, i, countersize;
915 struct ebt_table_info *newinfo;
916 struct ebt_replace tmp;
918 struct ebt_counter *counterstmp = NULL;
919 /* used to be able to unlock earlier */
920 struct ebt_table_info *table;
922 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
925 if (len != sizeof(tmp) + tmp.entries_size) {
926 BUGPRINT("Wrong len argument\n");
930 if (tmp.entries_size == 0) {
931 BUGPRINT("Entries_size never zero\n");
934 countersize = COUNTER_OFFSET(tmp.nentries) * num_possible_cpus();
935 newinfo = (struct ebt_table_info *)
936 vmalloc(sizeof(struct ebt_table_info) + countersize);
941 memset(newinfo->counters, 0, countersize);
943 newinfo->entries = (char *)vmalloc(tmp.entries_size);
944 if (!newinfo->entries) {
949 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
950 BUGPRINT("Couldn't copy entries from userspace\n");
955 /* the user wants counters back
956 the check on the size is done later, when we have the lock */
957 if (tmp.num_counters) {
958 counterstmp = (struct ebt_counter *)
959 vmalloc(tmp.num_counters * sizeof(struct ebt_counter));
968 /* this can get initialized by translate_table() */
969 newinfo->chainstack = NULL;
970 ret = translate_table(&tmp, newinfo);
973 goto free_counterstmp;
975 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
981 /* the table doesn't like it */
982 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
985 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
986 BUGPRINT("Wrong nr. of counters requested\n");
991 /* we have the mutex lock, so no danger in reading this pointer */
993 /* make sure the table can only be rmmod'ed if it contains no rules */
994 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
997 } else if (table->nentries && !newinfo->nentries)
999 /* we need an atomic snapshot of the counters */
1000 write_lock_bh(&t->lock);
1001 if (tmp.num_counters)
1002 get_counters(t->private->counters, counterstmp,
1003 t->private->nentries);
1005 t->private = newinfo;
1006 write_unlock_bh(&t->lock);
1008 /* so, a user can change the chains while having messed up her counter
1009 allocation. Only reason why this is done is because this way the lock
1010 is held only once, while this doesn't bring the kernel into a
1012 if (tmp.num_counters &&
1013 copy_to_user(tmp.counters, counterstmp,
1014 tmp.num_counters * sizeof(struct ebt_counter))) {
1015 BUGPRINT("Couldn't copy counters to userspace\n");
1021 /* decrease module count and free resources */
1022 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1023 ebt_cleanup_entry, NULL);
1025 vfree(table->entries);
1026 if (table->chainstack) {
1027 for (i = 0; i < num_possible_cpus(); i++)
1028 vfree(table->chainstack[i]);
1029 vfree(table->chainstack);
1040 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1041 ebt_cleanup_entry, NULL);
1045 /* can be initialized in translate_table() */
1046 if (newinfo->chainstack) {
1047 for (i = 0; i < num_possible_cpus(); i++)
1048 vfree(newinfo->chainstack[i]);
1049 vfree(newinfo->chainstack);
1052 if (newinfo->entries)
1053 vfree(newinfo->entries);
1060 int ebt_register_target(struct ebt_target *target)
1064 ret = down_interruptible(&ebt_mutex);
1067 if (!list_named_insert(&ebt_targets, target)) {
1076 void ebt_unregister_target(struct ebt_target *target)
1079 LIST_DELETE(&ebt_targets, target);
1083 int ebt_register_match(struct ebt_match *match)
1087 ret = down_interruptible(&ebt_mutex);
1090 if (!list_named_insert(&ebt_matches, match)) {
1099 void ebt_unregister_match(struct ebt_match *match)
1102 LIST_DELETE(&ebt_matches, match);
1106 int ebt_register_watcher(struct ebt_watcher *watcher)
1110 ret = down_interruptible(&ebt_mutex);
1113 if (!list_named_insert(&ebt_watchers, watcher)) {
1122 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1125 LIST_DELETE(&ebt_watchers, watcher);
1129 int ebt_register_table(struct ebt_table *table)
1131 struct ebt_table_info *newinfo;
1132 int ret, i, countersize;
1134 if (!table || !table->table ||!table->table->entries ||
1135 table->table->entries_size == 0 ||
1136 table->table->counters || table->private) {
1137 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1141 countersize = COUNTER_OFFSET(table->table->nentries) * num_possible_cpus();
1142 newinfo = (struct ebt_table_info *)
1143 vmalloc(sizeof(struct ebt_table_info) + countersize);
1148 newinfo->entries = (char *)vmalloc(table->table->entries_size);
1149 if (!(newinfo->entries))
1152 memcpy(newinfo->entries, table->table->entries,
1153 table->table->entries_size);
1156 memset(newinfo->counters, 0, countersize);
1158 /* fill in newinfo and parse the entries */
1159 newinfo->chainstack = NULL;
1160 ret = translate_table(table->table, newinfo);
1162 BUGPRINT("Translate_table failed\n");
1163 goto free_chainstack;
1166 if (table->check && table->check(newinfo, table->valid_hooks)) {
1167 BUGPRINT("The table doesn't like its own initial data, lol\n");
1171 table->private = newinfo;
1172 rwlock_init(&table->lock);
1173 ret = down_interruptible(&ebt_mutex);
1175 goto free_chainstack;
1177 if (list_named_find(&ebt_tables, table->name)) {
1179 BUGPRINT("Table name already exists\n");
1183 /* Hold a reference count if the chains aren't empty */
1184 if (newinfo->nentries && !try_module_get(table->me)) {
1188 list_prepend(&ebt_tables, table);
1194 if (newinfo->chainstack) {
1195 for (i = 0; i < num_possible_cpus(); i++)
1196 vfree(newinfo->chainstack[i]);
1197 vfree(newinfo->chainstack);
1199 vfree(newinfo->entries);
1205 void ebt_unregister_table(struct ebt_table *table)
1210 BUGPRINT("Request to unregister NULL table!!!\n");
1214 LIST_DELETE(&ebt_tables, table);
1216 if (table->private->entries)
1217 vfree(table->private->entries);
1218 if (table->private->chainstack) {
1219 for (i = 0; i < num_possible_cpus(); i++)
1220 vfree(table->private->chainstack[i]);
1221 vfree(table->private->chainstack);
1223 vfree(table->private);
1226 /* userspace just supplied us with counters */
1227 static int update_counters(void __user *user, unsigned int len)
1230 struct ebt_counter *tmp;
1231 struct ebt_replace hlp;
1232 struct ebt_table *t;
1234 if (copy_from_user(&hlp, user, sizeof(hlp)))
1237 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1239 if (hlp.num_counters == 0)
1242 if ( !(tmp = (struct ebt_counter *)
1243 vmalloc(hlp.num_counters * sizeof(struct ebt_counter))) ){
1244 MEMPRINT("Update_counters && nomemory\n");
1248 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1252 if (hlp.num_counters != t->private->nentries) {
1253 BUGPRINT("Wrong nr of counters\n");
1258 if ( copy_from_user(tmp, hlp.counters,
1259 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1260 BUGPRINT("Updata_counters && !cfu\n");
1265 /* we want an atomic add of the counters */
1266 write_lock_bh(&t->lock);
1268 /* we add to the counters of the first cpu */
1269 for (i = 0; i < hlp.num_counters; i++) {
1270 t->private->counters[i].pcnt += tmp[i].pcnt;
1271 t->private->counters[i].bcnt += tmp[i].bcnt;
1274 write_unlock_bh(&t->lock);
1283 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1284 char *base, char *ubase)
1286 char *hlp = ubase - base + (char *)m;
1287 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1292 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1293 char *base, char *ubase)
1295 char *hlp = ubase - base + (char *)w;
1296 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1301 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1305 struct ebt_entry_target *t;
1307 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
1310 hlp = ubase - base + (char *)e + e->target_offset;
1311 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1313 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1316 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1319 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1324 /* called with ebt_mutex down */
1325 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1328 struct ebt_replace tmp;
1329 struct ebt_counter *counterstmp, *oldcounters;
1330 unsigned int entries_size, nentries;
1333 if (cmd == EBT_SO_GET_ENTRIES) {
1334 entries_size = t->private->entries_size;
1335 nentries = t->private->nentries;
1336 entries = t->private->entries;
1337 oldcounters = t->private->counters;
1339 entries_size = t->table->entries_size;
1340 nentries = t->table->nentries;
1341 entries = t->table->entries;
1342 oldcounters = t->table->counters;
1345 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1346 BUGPRINT("Cfu didn't work\n");
1350 if (*len != sizeof(struct ebt_replace) + entries_size +
1351 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1352 BUGPRINT("Wrong size\n");
1356 if (tmp.nentries != nentries) {
1357 BUGPRINT("Nentries wrong\n");
1361 if (tmp.entries_size != entries_size) {
1362 BUGPRINT("Wrong size\n");
1366 /* userspace might not need the counters */
1367 if (tmp.num_counters) {
1368 if (tmp.num_counters != nentries) {
1369 BUGPRINT("Num_counters wrong\n");
1372 counterstmp = (struct ebt_counter *)
1373 vmalloc(nentries * sizeof(struct ebt_counter));
1375 MEMPRINT("Couldn't copy counters, out of memory\n");
1378 write_lock_bh(&t->lock);
1379 get_counters(oldcounters, counterstmp, nentries);
1380 write_unlock_bh(&t->lock);
1382 if (copy_to_user(tmp.counters, counterstmp,
1383 nentries * sizeof(struct ebt_counter))) {
1384 BUGPRINT("Couldn't copy counters to userspace\n");
1391 if (copy_to_user(tmp.entries, entries, entries_size)) {
1392 BUGPRINT("Couldn't copy entries to userspace\n");
1395 /* set the match/watcher/target names right */
1396 return EBT_ENTRY_ITERATE(entries, entries_size,
1397 ebt_make_names, entries, tmp.entries);
1400 static int do_ebt_set_ctl(struct sock *sk,
1401 int cmd, void __user *user, unsigned int len)
1406 case EBT_SO_SET_ENTRIES:
1407 ret = do_replace(user, len);
1409 case EBT_SO_SET_COUNTERS:
1410 ret = update_counters(user, len);
1418 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1421 struct ebt_replace tmp;
1422 struct ebt_table *t;
1424 if (copy_from_user(&tmp, user, sizeof(tmp)))
1427 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1432 case EBT_SO_GET_INFO:
1433 case EBT_SO_GET_INIT_INFO:
1434 if (*len != sizeof(struct ebt_replace)){
1439 if (cmd == EBT_SO_GET_INFO) {
1440 tmp.nentries = t->private->nentries;
1441 tmp.entries_size = t->private->entries_size;
1442 tmp.valid_hooks = t->valid_hooks;
1444 tmp.nentries = t->table->nentries;
1445 tmp.entries_size = t->table->entries_size;
1446 tmp.valid_hooks = t->table->valid_hooks;
1449 if (copy_to_user(user, &tmp, *len) != 0){
1450 BUGPRINT("c2u Didn't work\n");
1457 case EBT_SO_GET_ENTRIES:
1458 case EBT_SO_GET_INIT_ENTRIES:
1459 ret = copy_everything_to_user(t, user, len, cmd);
1471 static struct nf_sockopt_ops ebt_sockopts =
1472 { { NULL, NULL }, PF_INET, EBT_BASE_CTL, EBT_SO_SET_MAX + 1, do_ebt_set_ctl,
1473 EBT_BASE_CTL, EBT_SO_GET_MAX + 1, do_ebt_get_ctl, 0, NULL
1476 static int __init init(void)
1481 list_named_insert(&ebt_targets, &ebt_standard_target);
1483 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1486 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1490 static void __exit fini(void)
1492 nf_unregister_sockopt(&ebt_sockopts);
1493 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1496 EXPORT_SYMBOL(ebt_register_table);
1497 EXPORT_SYMBOL(ebt_unregister_table);
1498 EXPORT_SYMBOL(ebt_register_match);
1499 EXPORT_SYMBOL(ebt_unregister_match);
1500 EXPORT_SYMBOL(ebt_register_watcher);
1501 EXPORT_SYMBOL(ebt_unregister_watcher);
1502 EXPORT_SYMBOL(ebt_register_target);
1503 EXPORT_SYMBOL(ebt_unregister_target);
1504 EXPORT_SYMBOL(ebt_do_table);
1507 MODULE_LICENSE("GPL");
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob