5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
59 static struct xt_target ebt_standard_target = {
62 .family = NFPROTO_BRIDGE,
63 .targetsize = sizeof(int),
67 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
68 struct xt_target_param *par)
70 par->target = w->u.watcher;
71 par->targinfo = w->data;
72 w->u.watcher->target(skb, par);
73 /* watchers don't give a verdict */
77 static inline int ebt_do_match (struct ebt_entry_match *m,
78 const struct sk_buff *skb, struct xt_match_param *par)
80 par->match = m->u.match;
81 par->matchinfo = m->data;
82 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
85 static inline int ebt_dev_check(char *entry, const struct net_device *device)
94 devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
146 struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
148 return (void *)entry + entry->next_offset;
151 /* Do some firewalling */
152 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
153 const struct net_device *in, const struct net_device *out,
154 struct ebt_table *table)
157 struct ebt_entry *point;
158 struct ebt_counter *counter_base, *cb_base;
159 struct ebt_entry_target *t;
161 struct ebt_chainstack *cs;
162 struct ebt_entries *chaininfo;
164 struct ebt_table_info *private;
165 bool hotdrop = false;
166 struct xt_match_param mtpar;
167 struct xt_target_param tgpar;
169 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
170 mtpar.in = tgpar.in = in;
171 mtpar.out = tgpar.out = out;
172 mtpar.hotdrop = &hotdrop;
173 mtpar.hooknum = tgpar.hooknum = hook;
175 read_lock_bh(&table->lock);
176 private = table->private;
177 cb_base = COUNTER_BASE(private->counters, private->nentries,
179 if (private->chainstack)
180 cs = private->chainstack[smp_processor_id()];
183 chaininfo = private->hook_entry[hook];
184 nentries = private->hook_entry[hook]->nentries;
185 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
186 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
187 /* base for chain jumps */
188 base = private->entries;
190 while (i < nentries) {
191 if (ebt_basic_match(point, eth_hdr(skb), in, out))
194 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
197 read_unlock_bh(&table->lock);
201 /* increase counter */
202 (*(counter_base + i)).pcnt++;
203 (*(counter_base + i)).bcnt += skb->len;
205 /* these should only watch: not modify, nor tell us
206 what to do with the packet */
207 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
209 t = (struct ebt_entry_target *)
210 (((char *)point) + point->target_offset);
211 /* standard target */
212 if (!t->u.target->target)
213 verdict = ((struct ebt_standard_target *)t)->verdict;
215 tgpar.target = t->u.target;
216 tgpar.targinfo = t->data;
217 verdict = t->u.target->target(skb, &tgpar);
219 if (verdict == EBT_ACCEPT) {
220 read_unlock_bh(&table->lock);
223 if (verdict == EBT_DROP) {
224 read_unlock_bh(&table->lock);
227 if (verdict == EBT_RETURN) {
229 #ifdef CONFIG_NETFILTER_DEBUG
231 BUGPRINT("RETURN on base chain");
232 /* act like this is EBT_CONTINUE */
237 /* put all the local variables right */
239 chaininfo = cs[sp].chaininfo;
240 nentries = chaininfo->nentries;
242 counter_base = cb_base +
243 chaininfo->counter_offset;
246 if (verdict == EBT_CONTINUE)
248 #ifdef CONFIG_NETFILTER_DEBUG
250 BUGPRINT("bogus standard verdict\n");
251 read_unlock_bh(&table->lock);
257 cs[sp].chaininfo = chaininfo;
258 cs[sp].e = ebt_next_entry(point);
260 chaininfo = (struct ebt_entries *) (base + verdict);
261 #ifdef CONFIG_NETFILTER_DEBUG
262 if (chaininfo->distinguisher) {
263 BUGPRINT("jump to non-chain\n");
264 read_unlock_bh(&table->lock);
268 nentries = chaininfo->nentries;
269 point = (struct ebt_entry *)chaininfo->data;
270 counter_base = cb_base + chaininfo->counter_offset;
274 point = ebt_next_entry(point);
278 /* I actually like this :) */
279 if (chaininfo->policy == EBT_RETURN)
281 if (chaininfo->policy == EBT_ACCEPT) {
282 read_unlock_bh(&table->lock);
285 read_unlock_bh(&table->lock);
289 /* If it succeeds, returns element and locks mutex */
291 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
295 struct list_head list;
296 char name[EBT_FUNCTION_MAXNAMELEN];
299 *error = mutex_lock_interruptible(mutex);
303 list_for_each_entry(e, head, list) {
304 if (strcmp(e->name, name) == 0)
313 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
314 int *error, struct mutex *mutex)
316 return try_then_request_module(
317 find_inlist_lock_noload(head, name, error, mutex),
318 "%s%s", prefix, name);
321 static inline struct ebt_table *
322 find_table_lock(struct net *net, const char *name, int *error,
325 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
326 "ebtable_", error, mutex);
330 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
333 const struct ebt_entry *e = par->entryinfo;
334 struct xt_match *match;
335 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
338 if (left < sizeof(struct ebt_entry_match) ||
339 left - sizeof(struct ebt_entry_match) < m->match_size)
342 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
343 m->u.name, 0), "ebt_%s", m->u.name);
345 return PTR_ERR(match);
351 par->matchinfo = m->data;
352 ret = xt_check_match(par, m->match_size,
353 e->ethproto, e->invflags & EBT_IPROTO);
355 module_put(match->me);
364 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
367 const struct ebt_entry *e = par->entryinfo;
368 struct xt_target *watcher;
369 size_t left = ((char *)e + e->target_offset) - (char *)w;
372 if (left < sizeof(struct ebt_entry_watcher) ||
373 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
376 watcher = try_then_request_module(
377 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
378 "ebt_%s", w->u.name);
380 return PTR_ERR(watcher);
383 w->u.watcher = watcher;
385 par->target = watcher;
386 par->targinfo = w->data;
387 ret = xt_check_target(par, w->watcher_size,
388 e->ethproto, e->invflags & EBT_IPROTO);
390 module_put(watcher->me);
398 static int ebt_verify_pointers(struct ebt_replace *repl,
399 struct ebt_table_info *newinfo)
401 unsigned int limit = repl->entries_size;
402 unsigned int valid_hooks = repl->valid_hooks;
403 unsigned int offset = 0;
406 for (i = 0; i < NF_BR_NUMHOOKS; i++)
407 newinfo->hook_entry[i] = NULL;
409 newinfo->entries_size = repl->entries_size;
410 newinfo->nentries = repl->nentries;
412 while (offset < limit) {
413 size_t left = limit - offset;
414 struct ebt_entry *e = (void *)newinfo->entries + offset;
416 if (left < sizeof(unsigned int))
419 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
420 if ((valid_hooks & (1 << i)) == 0)
422 if ((char __user *)repl->hook_entry[i] ==
423 repl->entries + offset)
427 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
428 if (e->bitmask != 0) {
429 /* we make userspace set this right,
430 so there is no misunderstanding */
431 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
432 "in distinguisher\n");
435 if (i != NF_BR_NUMHOOKS)
436 newinfo->hook_entry[i] = (struct ebt_entries *)e;
437 if (left < sizeof(struct ebt_entries))
439 offset += sizeof(struct ebt_entries);
441 if (left < sizeof(struct ebt_entry))
443 if (left < e->next_offset)
445 offset += e->next_offset;
448 if (offset != limit) {
449 BUGPRINT("entries_size too small\n");
453 /* check if all valid hooks have a chain */
454 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
455 if (!newinfo->hook_entry[i] &&
456 (valid_hooks & (1 << i))) {
457 BUGPRINT("Valid hook without chain\n");
465 * this one is very careful, as it is the first function
466 * to parse the userspace data
469 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
470 struct ebt_table_info *newinfo,
471 unsigned int *n, unsigned int *cnt,
472 unsigned int *totalcnt, unsigned int *udc_cnt)
476 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
477 if ((void *)e == (void *)newinfo->hook_entry[i])
480 /* beginning of a new chain
481 if i == NF_BR_NUMHOOKS it must be a user defined chain */
482 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
483 /* this checks if the previous chain has as many entries
486 BUGPRINT("nentries does not equal the nr of entries "
490 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
491 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
492 /* only RETURN from udc */
493 if (i != NF_BR_NUMHOOKS ||
494 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
495 BUGPRINT("bad policy\n");
499 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
501 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
502 BUGPRINT("counter_offset != totalcnt");
505 *n = ((struct ebt_entries *)e)->nentries;
509 /* a plain old entry, heh */
510 if (sizeof(struct ebt_entry) > e->watchers_offset ||
511 e->watchers_offset > e->target_offset ||
512 e->target_offset >= e->next_offset) {
513 BUGPRINT("entry offsets not in right order\n");
516 /* this is not checked anywhere else */
517 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
518 BUGPRINT("target size too small\n");
528 struct ebt_chainstack cs;
530 unsigned int hookmask;
534 * we need these positions to check that the jumps to a different part of the
535 * entries is a jump to the beginning of a new chain.
538 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
539 unsigned int *n, struct ebt_cl_stack *udc)
543 /* we're only interested in chain starts */
546 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
547 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
550 /* only care about udc */
551 if (i != NF_BR_NUMHOOKS)
554 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
555 /* these initialisations are depended on later in check_chainloops() */
557 udc[*n].hookmask = 0;
564 ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
566 struct xt_mtdtor_param par;
568 if (i && (*i)-- == 0)
572 par.match = m->u.match;
573 par.matchinfo = m->data;
574 par.family = NFPROTO_BRIDGE;
575 if (par.match->destroy != NULL)
576 par.match->destroy(&par);
577 module_put(par.match->me);
582 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
584 struct xt_tgdtor_param par;
586 if (i && (*i)-- == 0)
589 par.target = w->u.watcher;
590 par.targinfo = w->data;
591 par.family = NFPROTO_BRIDGE;
592 if (par.target->destroy != NULL)
593 par.target->destroy(&par);
594 module_put(par.target->me);
599 ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
601 struct xt_tgdtor_param par;
602 struct ebt_entry_target *t;
607 if (cnt && (*cnt)-- == 0)
609 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
610 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
611 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
613 par.target = t->u.target;
614 par.targinfo = t->data;
615 par.family = NFPROTO_BRIDGE;
616 if (par.target->destroy != NULL)
617 par.target->destroy(&par);
618 module_put(par.target->me);
623 ebt_check_entry(struct ebt_entry *e,
625 struct ebt_table_info *newinfo,
626 const char *name, unsigned int *cnt,
627 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
629 struct ebt_entry_target *t;
630 struct xt_target *target;
631 unsigned int i, j, hook = 0, hookmask = 0;
634 struct xt_mtchk_param mtpar;
635 struct xt_tgchk_param tgpar;
637 /* don't mess with the struct ebt_entries */
641 if (e->bitmask & ~EBT_F_MASK) {
642 BUGPRINT("Unknown flag for bitmask\n");
645 if (e->invflags & ~EBT_INV_MASK) {
646 BUGPRINT("Unknown flag for inv bitmask\n");
649 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
650 BUGPRINT("NOPROTO & 802_3 not allowed\n");
653 /* what hook do we belong to? */
654 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
655 if (!newinfo->hook_entry[i])
657 if ((char *)newinfo->hook_entry[i] < (char *)e)
662 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
664 if (i < NF_BR_NUMHOOKS)
665 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
667 for (i = 0; i < udc_cnt; i++)
668 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
671 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
673 hookmask = cl_s[i - 1].hookmask;
678 mtpar.table = tgpar.table = name;
679 mtpar.entryinfo = tgpar.entryinfo = e;
680 mtpar.hook_mask = tgpar.hook_mask = hookmask;
681 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
682 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
684 goto cleanup_matches;
686 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
688 goto cleanup_watchers;
689 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
690 gap = e->next_offset - e->target_offset;
692 target = try_then_request_module(
693 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
694 "ebt_%s", t->u.name);
695 if (IS_ERR(target)) {
696 ret = PTR_ERR(target);
697 goto cleanup_watchers;
698 } else if (target == NULL) {
700 goto cleanup_watchers;
703 t->u.target = target;
704 if (t->u.target == &ebt_standard_target) {
705 if (gap < sizeof(struct ebt_standard_target)) {
706 BUGPRINT("Standard target size too big\n");
708 goto cleanup_watchers;
710 if (((struct ebt_standard_target *)t)->verdict <
711 -NUM_STANDARD_TARGETS) {
712 BUGPRINT("Invalid standard target\n");
714 goto cleanup_watchers;
716 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
717 module_put(t->u.target->me);
719 goto cleanup_watchers;
722 tgpar.target = target;
723 tgpar.targinfo = t->data;
724 ret = xt_check_target(&tgpar, t->target_size,
725 e->ethproto, e->invflags & EBT_IPROTO);
727 module_put(target->me);
728 goto cleanup_watchers;
733 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
735 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
740 * checks for loops and sets the hook mask for udc
741 * the hook mask for udc tells us from which base chains the udc can be
742 * accessed. This mask is a parameter to the check() functions of the extensions
744 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
745 unsigned int udc_cnt, unsigned int hooknr, char *base)
747 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
748 struct ebt_entry *e = (struct ebt_entry *)chain->data;
749 struct ebt_entry_target *t;
751 while (pos < nentries || chain_nr != -1) {
752 /* end of udc, go back one 'recursion' step */
753 if (pos == nentries) {
754 /* put back values of the time when this chain was called */
755 e = cl_s[chain_nr].cs.e;
756 if (cl_s[chain_nr].from != -1)
758 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
760 nentries = chain->nentries;
761 pos = cl_s[chain_nr].cs.n;
762 /* make sure we won't see a loop that isn't one */
763 cl_s[chain_nr].cs.n = 0;
764 chain_nr = cl_s[chain_nr].from;
768 t = (struct ebt_entry_target *)
769 (((char *)e) + e->target_offset);
770 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
772 if (e->target_offset + sizeof(struct ebt_standard_target) >
774 BUGPRINT("Standard target size too big\n");
777 verdict = ((struct ebt_standard_target *)t)->verdict;
778 if (verdict >= 0) { /* jump to another chain */
779 struct ebt_entries *hlp2 =
780 (struct ebt_entries *)(base + verdict);
781 for (i = 0; i < udc_cnt; i++)
782 if (hlp2 == cl_s[i].cs.chaininfo)
784 /* bad destination or loop */
786 BUGPRINT("bad destination\n");
793 if (cl_s[i].hookmask & (1 << hooknr))
795 /* this can't be 0, so the loop test is correct */
796 cl_s[i].cs.n = pos + 1;
798 cl_s[i].cs.e = ebt_next_entry(e);
799 e = (struct ebt_entry *)(hlp2->data);
800 nentries = hlp2->nentries;
801 cl_s[i].from = chain_nr;
803 /* this udc is accessible from the base chain for hooknr */
804 cl_s[i].hookmask |= (1 << hooknr);
808 e = ebt_next_entry(e);
814 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
815 static int translate_table(struct net *net, char *name,
816 struct ebt_table_info *newinfo)
818 unsigned int i, j, k, udc_cnt;
820 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
823 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
825 if (i == NF_BR_NUMHOOKS) {
826 BUGPRINT("No valid hooks specified\n");
829 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
830 BUGPRINT("Chains don't start at beginning\n");
833 /* make sure chains are ordered after each other in same order
834 as their corresponding hooks */
835 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
836 if (!newinfo->hook_entry[j])
838 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
839 BUGPRINT("Hook order must be followed\n");
845 /* do some early checkings and initialize some things */
846 i = 0; /* holds the expected nr. of entries for the chain */
847 j = 0; /* holds the up to now counted entries for the chain */
848 k = 0; /* holds the total nr. of entries, should equal
849 newinfo->nentries afterwards */
850 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
851 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
852 ebt_check_entry_size_and_hooks, newinfo,
853 &i, &j, &k, &udc_cnt);
859 BUGPRINT("nentries does not equal the nr of entries in the "
863 if (k != newinfo->nentries) {
864 BUGPRINT("Total nentries is wrong\n");
868 /* get the location of the udc, put them in an array
869 while we're at it, allocate the chainstack */
871 /* this will get free'd in do_replace()/ebt_register_table()
872 if an error occurs */
873 newinfo->chainstack =
874 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
875 if (!newinfo->chainstack)
877 for_each_possible_cpu(i) {
878 newinfo->chainstack[i] =
879 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
880 if (!newinfo->chainstack[i]) {
882 vfree(newinfo->chainstack[--i]);
883 vfree(newinfo->chainstack);
884 newinfo->chainstack = NULL;
889 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
892 i = 0; /* the i'th udc */
893 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
894 ebt_get_udc_positions, newinfo, &i, cl_s);
897 BUGPRINT("i != udc_cnt\n");
903 /* Check for loops */
904 for (i = 0; i < NF_BR_NUMHOOKS; i++)
905 if (newinfo->hook_entry[i])
906 if (check_chainloops(newinfo->hook_entry[i],
907 cl_s, udc_cnt, i, newinfo->entries)) {
912 /* we now know the following (along with E=mc²):
913 - the nr of entries in each chain is right
914 - the size of the allocated space is right
915 - all valid hooks have a corresponding chain
917 - wrong data can still be on the level of a single entry
918 - could be there are jumps to places that are not the
919 beginning of a chain. This can only occur in chains that
920 are not accessible from any base chains, so we don't care. */
922 /* used to know what we need to clean up if something goes wrong */
924 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
925 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
927 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
928 ebt_cleanup_entry, net, &i);
934 /* called under write_lock */
935 static void get_counters(struct ebt_counter *oldcounters,
936 struct ebt_counter *counters, unsigned int nentries)
939 struct ebt_counter *counter_base;
941 /* counters of cpu 0 */
942 memcpy(counters, oldcounters,
943 sizeof(struct ebt_counter) * nentries);
945 /* add other counters to those of cpu 0 */
946 for_each_possible_cpu(cpu) {
949 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
950 for (i = 0; i < nentries; i++) {
951 counters[i].pcnt += counter_base[i].pcnt;
952 counters[i].bcnt += counter_base[i].bcnt;
957 /* replace the table */
958 static int do_replace(struct net *net, void __user *user, unsigned int len)
960 int ret, i, countersize;
961 struct ebt_table_info *newinfo;
962 struct ebt_replace tmp;
964 struct ebt_counter *counterstmp = NULL;
965 /* used to be able to unlock earlier */
966 struct ebt_table_info *table;
968 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
971 if (len != sizeof(tmp) + tmp.entries_size) {
972 BUGPRINT("Wrong len argument\n");
976 if (tmp.entries_size == 0) {
977 BUGPRINT("Entries_size never zero\n");
981 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
982 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
984 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
987 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
988 newinfo = vmalloc(sizeof(*newinfo) + countersize);
993 memset(newinfo->counters, 0, countersize);
995 newinfo->entries = vmalloc(tmp.entries_size);
996 if (!newinfo->entries) {
1001 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1002 BUGPRINT("Couldn't copy entries from userspace\n");
1007 /* the user wants counters back
1008 the check on the size is done later, when we have the lock */
1009 if (tmp.num_counters) {
1010 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1019 /* this can get initialized by translate_table() */
1020 newinfo->chainstack = NULL;
1021 ret = ebt_verify_pointers(&tmp, newinfo);
1023 goto free_counterstmp;
1025 ret = translate_table(net, tmp.name, newinfo);
1028 goto free_counterstmp;
1030 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1036 /* the table doesn't like it */
1037 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1040 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1041 BUGPRINT("Wrong nr. of counters requested\n");
1046 /* we have the mutex lock, so no danger in reading this pointer */
1048 /* make sure the table can only be rmmod'ed if it contains no rules */
1049 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1052 } else if (table->nentries && !newinfo->nentries)
1054 /* we need an atomic snapshot of the counters */
1055 write_lock_bh(&t->lock);
1056 if (tmp.num_counters)
1057 get_counters(t->private->counters, counterstmp,
1058 t->private->nentries);
1060 t->private = newinfo;
1061 write_unlock_bh(&t->lock);
1062 mutex_unlock(&ebt_mutex);
1063 /* so, a user can change the chains while having messed up her counter
1064 allocation. Only reason why this is done is because this way the lock
1065 is held only once, while this doesn't bring the kernel into a
1067 if (tmp.num_counters &&
1068 copy_to_user(tmp.counters, counterstmp,
1069 tmp.num_counters * sizeof(struct ebt_counter))) {
1070 BUGPRINT("Couldn't copy counters to userspace\n");
1076 /* decrease module count and free resources */
1077 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1078 ebt_cleanup_entry, net, NULL);
1080 vfree(table->entries);
1081 if (table->chainstack) {
1082 for_each_possible_cpu(i)
1083 vfree(table->chainstack[i]);
1084 vfree(table->chainstack);
1092 mutex_unlock(&ebt_mutex);
1094 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1095 ebt_cleanup_entry, net, NULL);
1098 /* can be initialized in translate_table() */
1099 if (newinfo->chainstack) {
1100 for_each_possible_cpu(i)
1101 vfree(newinfo->chainstack[i]);
1102 vfree(newinfo->chainstack);
1105 vfree(newinfo->entries);
1112 ebt_register_table(struct net *net, const struct ebt_table *input_table)
1114 struct ebt_table_info *newinfo;
1115 struct ebt_table *t, *table;
1116 struct ebt_replace_kernel *repl;
1117 int ret, i, countersize;
1120 if (input_table == NULL || (repl = input_table->table) == NULL ||
1121 repl->entries == 0 || repl->entries_size == 0 ||
1122 repl->counters != NULL || input_table->private != NULL) {
1123 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1124 return ERR_PTR(-EINVAL);
1127 /* Don't add one table to multiple lists. */
1128 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1134 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1135 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1140 p = vmalloc(repl->entries_size);
1144 memcpy(p, repl->entries, repl->entries_size);
1145 newinfo->entries = p;
1147 newinfo->entries_size = repl->entries_size;
1148 newinfo->nentries = repl->nentries;
1151 memset(newinfo->counters, 0, countersize);
1153 /* fill in newinfo and parse the entries */
1154 newinfo->chainstack = NULL;
1155 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1156 if ((repl->valid_hooks & (1 << i)) == 0)
1157 newinfo->hook_entry[i] = NULL;
1159 newinfo->hook_entry[i] = p +
1160 ((char *)repl->hook_entry[i] - repl->entries);
1162 ret = translate_table(net, repl->name, newinfo);
1164 BUGPRINT("Translate_table failed\n");
1165 goto free_chainstack;
1168 if (table->check && table->check(newinfo, table->valid_hooks)) {
1169 BUGPRINT("The table doesn't like its own initial data, lol\n");
1170 return ERR_PTR(-EINVAL);
1173 table->private = newinfo;
1174 rwlock_init(&table->lock);
1175 ret = mutex_lock_interruptible(&ebt_mutex);
1177 goto free_chainstack;
1179 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1180 if (strcmp(t->name, table->name) == 0) {
1182 BUGPRINT("Table name already exists\n");
1187 /* Hold a reference count if the chains aren't empty */
1188 if (newinfo->nentries && !try_module_get(table->me)) {
1192 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1193 mutex_unlock(&ebt_mutex);
1196 mutex_unlock(&ebt_mutex);
1198 if (newinfo->chainstack) {
1199 for_each_possible_cpu(i)
1200 vfree(newinfo->chainstack[i]);
1201 vfree(newinfo->chainstack);
1203 vfree(newinfo->entries);
1209 return ERR_PTR(ret);
1212 void ebt_unregister_table(struct net *net, struct ebt_table *table)
1217 BUGPRINT("Request to unregister NULL table!!!\n");
1220 mutex_lock(&ebt_mutex);
1221 list_del(&table->list);
1222 mutex_unlock(&ebt_mutex);
1223 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1224 ebt_cleanup_entry, net, NULL);
1225 if (table->private->nentries)
1226 module_put(table->me);
1227 vfree(table->private->entries);
1228 if (table->private->chainstack) {
1229 for_each_possible_cpu(i)
1230 vfree(table->private->chainstack[i]);
1231 vfree(table->private->chainstack);
1233 vfree(table->private);
1237 /* userspace just supplied us with counters */
1238 static int update_counters(struct net *net, void __user *user, unsigned int len)
1241 struct ebt_counter *tmp;
1242 struct ebt_replace hlp;
1243 struct ebt_table *t;
1245 if (copy_from_user(&hlp, user, sizeof(hlp)))
1248 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1250 if (hlp.num_counters == 0)
1253 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1254 MEMPRINT("Update_counters && nomemory\n");
1258 t = find_table_lock(net, hlp.name, &ret, &ebt_mutex);
1262 if (hlp.num_counters != t->private->nentries) {
1263 BUGPRINT("Wrong nr of counters\n");
1268 if ( copy_from_user(tmp, hlp.counters,
1269 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1270 BUGPRINT("Updata_counters && !cfu\n");
1275 /* we want an atomic add of the counters */
1276 write_lock_bh(&t->lock);
1278 /* we add to the counters of the first cpu */
1279 for (i = 0; i < hlp.num_counters; i++) {
1280 t->private->counters[i].pcnt += tmp[i].pcnt;
1281 t->private->counters[i].bcnt += tmp[i].bcnt;
1284 write_unlock_bh(&t->lock);
1287 mutex_unlock(&ebt_mutex);
1293 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1294 char *base, char __user *ubase)
1296 char __user *hlp = ubase + ((char *)m - base);
1297 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1302 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1303 char *base, char __user *ubase)
1305 char __user *hlp = ubase + ((char *)w - base);
1306 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1311 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1315 struct ebt_entry_target *t;
1317 if (e->bitmask == 0)
1320 hlp = ubase + (((char *)e + e->target_offset) - base);
1321 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1323 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1326 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1329 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1334 /* called with ebt_mutex locked */
1335 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1338 struct ebt_replace tmp;
1339 struct ebt_counter *counterstmp, *oldcounters;
1340 unsigned int entries_size, nentries;
1343 if (cmd == EBT_SO_GET_ENTRIES) {
1344 entries_size = t->private->entries_size;
1345 nentries = t->private->nentries;
1346 entries = t->private->entries;
1347 oldcounters = t->private->counters;
1349 entries_size = t->table->entries_size;
1350 nentries = t->table->nentries;
1351 entries = t->table->entries;
1352 oldcounters = t->table->counters;
1355 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1356 BUGPRINT("Cfu didn't work\n");
1360 if (*len != sizeof(struct ebt_replace) + entries_size +
1361 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1362 BUGPRINT("Wrong size\n");
1366 if (tmp.nentries != nentries) {
1367 BUGPRINT("Nentries wrong\n");
1371 if (tmp.entries_size != entries_size) {
1372 BUGPRINT("Wrong size\n");
1376 /* userspace might not need the counters */
1377 if (tmp.num_counters) {
1378 if (tmp.num_counters != nentries) {
1379 BUGPRINT("Num_counters wrong\n");
1382 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1384 MEMPRINT("Couldn't copy counters, out of memory\n");
1387 write_lock_bh(&t->lock);
1388 get_counters(oldcounters, counterstmp, nentries);
1389 write_unlock_bh(&t->lock);
1391 if (copy_to_user(tmp.counters, counterstmp,
1392 nentries * sizeof(struct ebt_counter))) {
1393 BUGPRINT("Couldn't copy counters to userspace\n");
1400 if (copy_to_user(tmp.entries, entries, entries_size)) {
1401 BUGPRINT("Couldn't copy entries to userspace\n");
1404 /* set the match/watcher/target names right */
1405 return EBT_ENTRY_ITERATE(entries, entries_size,
1406 ebt_make_names, entries, tmp.entries);
1409 static int do_ebt_set_ctl(struct sock *sk,
1410 int cmd, void __user *user, unsigned int len)
1415 case EBT_SO_SET_ENTRIES:
1416 ret = do_replace(sock_net(sk), user, len);
1418 case EBT_SO_SET_COUNTERS:
1419 ret = update_counters(sock_net(sk), user, len);
1427 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1430 struct ebt_replace tmp;
1431 struct ebt_table *t;
1433 if (copy_from_user(&tmp, user, sizeof(tmp)))
1436 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1441 case EBT_SO_GET_INFO:
1442 case EBT_SO_GET_INIT_INFO:
1443 if (*len != sizeof(struct ebt_replace)){
1445 mutex_unlock(&ebt_mutex);
1448 if (cmd == EBT_SO_GET_INFO) {
1449 tmp.nentries = t->private->nentries;
1450 tmp.entries_size = t->private->entries_size;
1451 tmp.valid_hooks = t->valid_hooks;
1453 tmp.nentries = t->table->nentries;
1454 tmp.entries_size = t->table->entries_size;
1455 tmp.valid_hooks = t->table->valid_hooks;
1457 mutex_unlock(&ebt_mutex);
1458 if (copy_to_user(user, &tmp, *len) != 0){
1459 BUGPRINT("c2u Didn't work\n");
1466 case EBT_SO_GET_ENTRIES:
1467 case EBT_SO_GET_INIT_ENTRIES:
1468 ret = copy_everything_to_user(t, user, len, cmd);
1469 mutex_unlock(&ebt_mutex);
1473 mutex_unlock(&ebt_mutex);
1480 static struct nf_sockopt_ops ebt_sockopts =
1483 .set_optmin = EBT_BASE_CTL,
1484 .set_optmax = EBT_SO_SET_MAX + 1,
1485 .set = do_ebt_set_ctl,
1486 .get_optmin = EBT_BASE_CTL,
1487 .get_optmax = EBT_SO_GET_MAX + 1,
1488 .get = do_ebt_get_ctl,
1489 .owner = THIS_MODULE,
1492 static int __init ebtables_init(void)
1496 ret = xt_register_target(&ebt_standard_target);
1499 ret = nf_register_sockopt(&ebt_sockopts);
1501 xt_unregister_target(&ebt_standard_target);
1505 printk(KERN_INFO "Ebtables v2.0 registered\n");
1509 static void __exit ebtables_fini(void)
1511 nf_unregister_sockopt(&ebt_sockopts);
1512 xt_unregister_target(&ebt_standard_target);
1513 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1516 EXPORT_SYMBOL(ebt_register_table);
1517 EXPORT_SYMBOL(ebt_unregister_table);
1518 EXPORT_SYMBOL(ebt_do_table);
1519 module_init(ebtables_init);
1520 module_exit(ebtables_fini);
1521 MODULE_LICENSE("GPL");