5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
59 static struct xt_target ebt_standard_target = {
62 .family = NFPROTO_BRIDGE,
63 .targetsize = sizeof(int),
67 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
68 struct xt_target_param *par)
70 par->target = w->u.watcher;
71 par->targinfo = w->data;
72 w->u.watcher->target(skb, par);
73 /* watchers don't give a verdict */
77 static inline int ebt_do_match (struct ebt_entry_match *m,
78 const struct sk_buff *skb, struct xt_match_param *par)
80 par->match = m->u.match;
81 par->matchinfo = m->data;
82 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
85 static inline int ebt_dev_check(char *entry, const struct net_device *device)
94 devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
146 struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
148 return (void *)entry + entry->next_offset;
151 /* Do some firewalling */
152 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
153 const struct net_device *in, const struct net_device *out,
154 struct ebt_table *table)
157 struct ebt_entry *point;
158 struct ebt_counter *counter_base, *cb_base;
159 struct ebt_entry_target *t;
161 struct ebt_chainstack *cs;
162 struct ebt_entries *chaininfo;
164 struct ebt_table_info *private;
165 bool hotdrop = false;
166 struct xt_match_param mtpar;
167 struct xt_target_param tgpar;
169 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
170 mtpar.in = tgpar.in = in;
171 mtpar.out = tgpar.out = out;
172 mtpar.hotdrop = &hotdrop;
173 mtpar.hooknum = tgpar.hooknum = hook;
175 read_lock_bh(&table->lock);
176 private = table->private;
177 cb_base = COUNTER_BASE(private->counters, private->nentries,
179 if (private->chainstack)
180 cs = private->chainstack[smp_processor_id()];
183 chaininfo = private->hook_entry[hook];
184 nentries = private->hook_entry[hook]->nentries;
185 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
186 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
187 /* base for chain jumps */
188 base = private->entries;
190 while (i < nentries) {
191 if (ebt_basic_match(point, eth_hdr(skb), in, out))
194 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
197 read_unlock_bh(&table->lock);
201 /* increase counter */
202 (*(counter_base + i)).pcnt++;
203 (*(counter_base + i)).bcnt += skb->len;
205 /* these should only watch: not modify, nor tell us
206 what to do with the packet */
207 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
209 t = (struct ebt_entry_target *)
210 (((char *)point) + point->target_offset);
211 /* standard target */
212 if (!t->u.target->target)
213 verdict = ((struct ebt_standard_target *)t)->verdict;
215 tgpar.target = t->u.target;
216 tgpar.targinfo = t->data;
217 verdict = t->u.target->target(skb, &tgpar);
219 if (verdict == EBT_ACCEPT) {
220 read_unlock_bh(&table->lock);
223 if (verdict == EBT_DROP) {
224 read_unlock_bh(&table->lock);
227 if (verdict == EBT_RETURN) {
229 #ifdef CONFIG_NETFILTER_DEBUG
231 BUGPRINT("RETURN on base chain");
232 /* act like this is EBT_CONTINUE */
237 /* put all the local variables right */
239 chaininfo = cs[sp].chaininfo;
240 nentries = chaininfo->nentries;
242 counter_base = cb_base +
243 chaininfo->counter_offset;
246 if (verdict == EBT_CONTINUE)
248 #ifdef CONFIG_NETFILTER_DEBUG
250 BUGPRINT("bogus standard verdict\n");
251 read_unlock_bh(&table->lock);
257 cs[sp].chaininfo = chaininfo;
258 cs[sp].e = ebt_next_entry(point);
260 chaininfo = (struct ebt_entries *) (base + verdict);
261 #ifdef CONFIG_NETFILTER_DEBUG
262 if (chaininfo->distinguisher) {
263 BUGPRINT("jump to non-chain\n");
264 read_unlock_bh(&table->lock);
268 nentries = chaininfo->nentries;
269 point = (struct ebt_entry *)chaininfo->data;
270 counter_base = cb_base + chaininfo->counter_offset;
274 point = ebt_next_entry(point);
278 /* I actually like this :) */
279 if (chaininfo->policy == EBT_RETURN)
281 if (chaininfo->policy == EBT_ACCEPT) {
282 read_unlock_bh(&table->lock);
285 read_unlock_bh(&table->lock);
289 /* If it succeeds, returns element and locks mutex */
291 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
295 struct list_head list;
296 char name[EBT_FUNCTION_MAXNAMELEN];
299 *error = mutex_lock_interruptible(mutex);
303 list_for_each_entry(e, head, list) {
304 if (strcmp(e->name, name) == 0)
313 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
314 int *error, struct mutex *mutex)
316 return try_then_request_module(
317 find_inlist_lock_noload(head, name, error, mutex),
318 "%s%s", prefix, name);
321 static inline struct ebt_table *
322 find_table_lock(struct net *net, const char *name, int *error,
325 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
326 "ebtable_", error, mutex);
330 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
333 const struct ebt_entry *e = par->entryinfo;
334 struct xt_match *match;
335 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
338 if (left < sizeof(struct ebt_entry_match) ||
339 left - sizeof(struct ebt_entry_match) < m->match_size)
342 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
343 m->u.name, 0), "ebt_%s", m->u.name);
345 return PTR_ERR(match);
351 par->matchinfo = m->data;
352 ret = xt_check_match(par, m->match_size,
353 e->ethproto, e->invflags & EBT_IPROTO);
355 module_put(match->me);
364 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
367 const struct ebt_entry *e = par->entryinfo;
368 struct xt_target *watcher;
369 size_t left = ((char *)e + e->target_offset) - (char *)w;
372 if (left < sizeof(struct ebt_entry_watcher) ||
373 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
376 watcher = try_then_request_module(
377 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
378 "ebt_%s", w->u.name);
380 return PTR_ERR(watcher);
383 w->u.watcher = watcher;
385 par->target = watcher;
386 par->targinfo = w->data;
387 ret = xt_check_target(par, w->watcher_size,
388 e->ethproto, e->invflags & EBT_IPROTO);
390 module_put(watcher->me);
398 static int ebt_verify_pointers(struct ebt_replace *repl,
399 struct ebt_table_info *newinfo)
401 unsigned int limit = repl->entries_size;
402 unsigned int valid_hooks = repl->valid_hooks;
403 unsigned int offset = 0;
406 for (i = 0; i < NF_BR_NUMHOOKS; i++)
407 newinfo->hook_entry[i] = NULL;
409 newinfo->entries_size = repl->entries_size;
410 newinfo->nentries = repl->nentries;
412 while (offset < limit) {
413 size_t left = limit - offset;
414 struct ebt_entry *e = (void *)newinfo->entries + offset;
416 if (left < sizeof(unsigned int))
419 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
420 if ((valid_hooks & (1 << i)) == 0)
422 if ((char __user *)repl->hook_entry[i] ==
423 repl->entries + offset)
427 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
428 if (e->bitmask != 0) {
429 /* we make userspace set this right,
430 so there is no misunderstanding */
431 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
432 "in distinguisher\n");
435 if (i != NF_BR_NUMHOOKS)
436 newinfo->hook_entry[i] = (struct ebt_entries *)e;
437 if (left < sizeof(struct ebt_entries))
439 offset += sizeof(struct ebt_entries);
441 if (left < sizeof(struct ebt_entry))
443 if (left < e->next_offset)
445 offset += e->next_offset;
448 if (offset != limit) {
449 BUGPRINT("entries_size too small\n");
453 /* check if all valid hooks have a chain */
454 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
455 if (!newinfo->hook_entry[i] &&
456 (valid_hooks & (1 << i))) {
457 BUGPRINT("Valid hook without chain\n");
465 * this one is very careful, as it is the first function
466 * to parse the userspace data
469 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
470 struct ebt_table_info *newinfo,
471 unsigned int *n, unsigned int *cnt,
472 unsigned int *totalcnt, unsigned int *udc_cnt)
476 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
477 if ((void *)e == (void *)newinfo->hook_entry[i])
480 /* beginning of a new chain
481 if i == NF_BR_NUMHOOKS it must be a user defined chain */
482 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
483 /* this checks if the previous chain has as many entries
486 BUGPRINT("nentries does not equal the nr of entries "
490 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
491 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
492 /* only RETURN from udc */
493 if (i != NF_BR_NUMHOOKS ||
494 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
495 BUGPRINT("bad policy\n");
499 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
501 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
502 BUGPRINT("counter_offset != totalcnt");
505 *n = ((struct ebt_entries *)e)->nentries;
509 /* a plain old entry, heh */
510 if (sizeof(struct ebt_entry) > e->watchers_offset ||
511 e->watchers_offset > e->target_offset ||
512 e->target_offset >= e->next_offset) {
513 BUGPRINT("entry offsets not in right order\n");
516 /* this is not checked anywhere else */
517 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
518 BUGPRINT("target size too small\n");
528 struct ebt_chainstack cs;
530 unsigned int hookmask;
534 * we need these positions to check that the jumps to a different part of the
535 * entries is a jump to the beginning of a new chain.
538 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
539 unsigned int *n, struct ebt_cl_stack *udc)
543 /* we're only interested in chain starts */
546 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
547 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
550 /* only care about udc */
551 if (i != NF_BR_NUMHOOKS)
554 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
555 /* these initialisations are depended on later in check_chainloops() */
557 udc[*n].hookmask = 0;
564 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
566 struct xt_mtdtor_param par;
568 if (i && (*i)-- == 0)
571 par.match = m->u.match;
572 par.matchinfo = m->data;
573 par.family = NFPROTO_BRIDGE;
574 if (par.match->destroy != NULL)
575 par.match->destroy(&par);
576 module_put(par.match->me);
581 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
583 struct xt_tgdtor_param par;
585 if (i && (*i)-- == 0)
588 par.target = w->u.watcher;
589 par.targinfo = w->data;
590 par.family = NFPROTO_BRIDGE;
591 if (par.target->destroy != NULL)
592 par.target->destroy(&par);
593 module_put(par.target->me);
598 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
600 struct xt_tgdtor_param par;
601 struct ebt_entry_target *t;
606 if (cnt && (*cnt)-- == 0)
608 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
609 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
610 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
612 par.target = t->u.target;
613 par.targinfo = t->data;
614 par.family = NFPROTO_BRIDGE;
615 if (par.target->destroy != NULL)
616 par.target->destroy(&par);
617 module_put(par.target->me);
622 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
623 const char *name, unsigned int *cnt,
624 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
626 struct ebt_entry_target *t;
627 struct xt_target *target;
628 unsigned int i, j, hook = 0, hookmask = 0;
631 struct xt_mtchk_param mtpar;
632 struct xt_tgchk_param tgpar;
634 /* don't mess with the struct ebt_entries */
638 if (e->bitmask & ~EBT_F_MASK) {
639 BUGPRINT("Unknown flag for bitmask\n");
642 if (e->invflags & ~EBT_INV_MASK) {
643 BUGPRINT("Unknown flag for inv bitmask\n");
646 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
647 BUGPRINT("NOPROTO & 802_3 not allowed\n");
650 /* what hook do we belong to? */
651 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
652 if (!newinfo->hook_entry[i])
654 if ((char *)newinfo->hook_entry[i] < (char *)e)
659 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
661 if (i < NF_BR_NUMHOOKS)
662 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
664 for (i = 0; i < udc_cnt; i++)
665 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
668 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
670 hookmask = cl_s[i - 1].hookmask;
674 mtpar.table = tgpar.table = name;
675 mtpar.entryinfo = tgpar.entryinfo = e;
676 mtpar.hook_mask = tgpar.hook_mask = hookmask;
677 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
678 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
680 goto cleanup_matches;
682 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
684 goto cleanup_watchers;
685 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
686 gap = e->next_offset - e->target_offset;
688 target = try_then_request_module(
689 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
690 "ebt_%s", t->u.name);
691 if (IS_ERR(target)) {
692 ret = PTR_ERR(target);
693 goto cleanup_watchers;
694 } else if (target == NULL) {
696 goto cleanup_watchers;
699 t->u.target = target;
700 if (t->u.target == &ebt_standard_target) {
701 if (gap < sizeof(struct ebt_standard_target)) {
702 BUGPRINT("Standard target size too big\n");
704 goto cleanup_watchers;
706 if (((struct ebt_standard_target *)t)->verdict <
707 -NUM_STANDARD_TARGETS) {
708 BUGPRINT("Invalid standard target\n");
710 goto cleanup_watchers;
712 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
713 module_put(t->u.target->me);
715 goto cleanup_watchers;
718 tgpar.target = target;
719 tgpar.targinfo = t->data;
720 ret = xt_check_target(&tgpar, t->target_size,
721 e->ethproto, e->invflags & EBT_IPROTO);
723 module_put(target->me);
724 goto cleanup_watchers;
729 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
731 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
736 * checks for loops and sets the hook mask for udc
737 * the hook mask for udc tells us from which base chains the udc can be
738 * accessed. This mask is a parameter to the check() functions of the extensions
740 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
741 unsigned int udc_cnt, unsigned int hooknr, char *base)
743 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
744 struct ebt_entry *e = (struct ebt_entry *)chain->data;
745 struct ebt_entry_target *t;
747 while (pos < nentries || chain_nr != -1) {
748 /* end of udc, go back one 'recursion' step */
749 if (pos == nentries) {
750 /* put back values of the time when this chain was called */
751 e = cl_s[chain_nr].cs.e;
752 if (cl_s[chain_nr].from != -1)
754 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
756 nentries = chain->nentries;
757 pos = cl_s[chain_nr].cs.n;
758 /* make sure we won't see a loop that isn't one */
759 cl_s[chain_nr].cs.n = 0;
760 chain_nr = cl_s[chain_nr].from;
764 t = (struct ebt_entry_target *)
765 (((char *)e) + e->target_offset);
766 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
768 if (e->target_offset + sizeof(struct ebt_standard_target) >
770 BUGPRINT("Standard target size too big\n");
773 verdict = ((struct ebt_standard_target *)t)->verdict;
774 if (verdict >= 0) { /* jump to another chain */
775 struct ebt_entries *hlp2 =
776 (struct ebt_entries *)(base + verdict);
777 for (i = 0; i < udc_cnt; i++)
778 if (hlp2 == cl_s[i].cs.chaininfo)
780 /* bad destination or loop */
782 BUGPRINT("bad destination\n");
789 if (cl_s[i].hookmask & (1 << hooknr))
791 /* this can't be 0, so the loop test is correct */
792 cl_s[i].cs.n = pos + 1;
794 cl_s[i].cs.e = ebt_next_entry(e);
795 e = (struct ebt_entry *)(hlp2->data);
796 nentries = hlp2->nentries;
797 cl_s[i].from = chain_nr;
799 /* this udc is accessible from the base chain for hooknr */
800 cl_s[i].hookmask |= (1 << hooknr);
804 e = ebt_next_entry(e);
810 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
811 static int translate_table(char *name, struct ebt_table_info *newinfo)
813 unsigned int i, j, k, udc_cnt;
815 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
818 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
820 if (i == NF_BR_NUMHOOKS) {
821 BUGPRINT("No valid hooks specified\n");
824 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
825 BUGPRINT("Chains don't start at beginning\n");
828 /* make sure chains are ordered after each other in same order
829 as their corresponding hooks */
830 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
831 if (!newinfo->hook_entry[j])
833 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
834 BUGPRINT("Hook order must be followed\n");
840 /* do some early checkings and initialize some things */
841 i = 0; /* holds the expected nr. of entries for the chain */
842 j = 0; /* holds the up to now counted entries for the chain */
843 k = 0; /* holds the total nr. of entries, should equal
844 newinfo->nentries afterwards */
845 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
846 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
847 ebt_check_entry_size_and_hooks, newinfo,
848 &i, &j, &k, &udc_cnt);
854 BUGPRINT("nentries does not equal the nr of entries in the "
858 if (k != newinfo->nentries) {
859 BUGPRINT("Total nentries is wrong\n");
863 /* get the location of the udc, put them in an array
864 while we're at it, allocate the chainstack */
866 /* this will get free'd in do_replace()/ebt_register_table()
867 if an error occurs */
868 newinfo->chainstack =
869 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
870 if (!newinfo->chainstack)
872 for_each_possible_cpu(i) {
873 newinfo->chainstack[i] =
874 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
875 if (!newinfo->chainstack[i]) {
877 vfree(newinfo->chainstack[--i]);
878 vfree(newinfo->chainstack);
879 newinfo->chainstack = NULL;
884 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
887 i = 0; /* the i'th udc */
888 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
889 ebt_get_udc_positions, newinfo, &i, cl_s);
892 BUGPRINT("i != udc_cnt\n");
898 /* Check for loops */
899 for (i = 0; i < NF_BR_NUMHOOKS; i++)
900 if (newinfo->hook_entry[i])
901 if (check_chainloops(newinfo->hook_entry[i],
902 cl_s, udc_cnt, i, newinfo->entries)) {
907 /* we now know the following (along with E=mc²):
908 - the nr of entries in each chain is right
909 - the size of the allocated space is right
910 - all valid hooks have a corresponding chain
912 - wrong data can still be on the level of a single entry
913 - could be there are jumps to places that are not the
914 beginning of a chain. This can only occur in chains that
915 are not accessible from any base chains, so we don't care. */
917 /* used to know what we need to clean up if something goes wrong */
919 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
920 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
922 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
923 ebt_cleanup_entry, &i);
929 /* called under write_lock */
930 static void get_counters(struct ebt_counter *oldcounters,
931 struct ebt_counter *counters, unsigned int nentries)
934 struct ebt_counter *counter_base;
936 /* counters of cpu 0 */
937 memcpy(counters, oldcounters,
938 sizeof(struct ebt_counter) * nentries);
940 /* add other counters to those of cpu 0 */
941 for_each_possible_cpu(cpu) {
944 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
945 for (i = 0; i < nentries; i++) {
946 counters[i].pcnt += counter_base[i].pcnt;
947 counters[i].bcnt += counter_base[i].bcnt;
952 /* replace the table */
953 static int do_replace(struct net *net, void __user *user, unsigned int len)
955 int ret, i, countersize;
956 struct ebt_table_info *newinfo;
957 struct ebt_replace tmp;
959 struct ebt_counter *counterstmp = NULL;
960 /* used to be able to unlock earlier */
961 struct ebt_table_info *table;
963 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
966 if (len != sizeof(tmp) + tmp.entries_size) {
967 BUGPRINT("Wrong len argument\n");
971 if (tmp.entries_size == 0) {
972 BUGPRINT("Entries_size never zero\n");
976 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
977 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
979 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
982 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
983 newinfo = vmalloc(sizeof(*newinfo) + countersize);
988 memset(newinfo->counters, 0, countersize);
990 newinfo->entries = vmalloc(tmp.entries_size);
991 if (!newinfo->entries) {
996 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
997 BUGPRINT("Couldn't copy entries from userspace\n");
1002 /* the user wants counters back
1003 the check on the size is done later, when we have the lock */
1004 if (tmp.num_counters) {
1005 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1014 /* this can get initialized by translate_table() */
1015 newinfo->chainstack = NULL;
1016 ret = ebt_verify_pointers(&tmp, newinfo);
1018 goto free_counterstmp;
1020 ret = translate_table(tmp.name, newinfo);
1023 goto free_counterstmp;
1025 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1031 /* the table doesn't like it */
1032 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1035 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1036 BUGPRINT("Wrong nr. of counters requested\n");
1041 /* we have the mutex lock, so no danger in reading this pointer */
1043 /* make sure the table can only be rmmod'ed if it contains no rules */
1044 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1047 } else if (table->nentries && !newinfo->nentries)
1049 /* we need an atomic snapshot of the counters */
1050 write_lock_bh(&t->lock);
1051 if (tmp.num_counters)
1052 get_counters(t->private->counters, counterstmp,
1053 t->private->nentries);
1055 t->private = newinfo;
1056 write_unlock_bh(&t->lock);
1057 mutex_unlock(&ebt_mutex);
1058 /* so, a user can change the chains while having messed up her counter
1059 allocation. Only reason why this is done is because this way the lock
1060 is held only once, while this doesn't bring the kernel into a
1062 if (tmp.num_counters &&
1063 copy_to_user(tmp.counters, counterstmp,
1064 tmp.num_counters * sizeof(struct ebt_counter))) {
1065 BUGPRINT("Couldn't copy counters to userspace\n");
1071 /* decrease module count and free resources */
1072 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1073 ebt_cleanup_entry, NULL);
1075 vfree(table->entries);
1076 if (table->chainstack) {
1077 for_each_possible_cpu(i)
1078 vfree(table->chainstack[i]);
1079 vfree(table->chainstack);
1087 mutex_unlock(&ebt_mutex);
1089 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1090 ebt_cleanup_entry, NULL);
1093 /* can be initialized in translate_table() */
1094 if (newinfo->chainstack) {
1095 for_each_possible_cpu(i)
1096 vfree(newinfo->chainstack[i]);
1097 vfree(newinfo->chainstack);
1100 vfree(newinfo->entries);
1106 struct ebt_table *ebt_register_table(struct net *net, struct ebt_table *table)
1108 struct ebt_table_info *newinfo;
1109 struct ebt_table *t;
1110 struct ebt_replace_kernel *repl;
1111 int ret, i, countersize;
1114 if (!table || !(repl = table->table) || !repl->entries ||
1115 repl->entries_size == 0 ||
1116 repl->counters || table->private) {
1117 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1118 return ERR_PTR(-EINVAL);
1121 /* Don't add one table to multiple lists. */
1122 table = kmemdup(table, sizeof(struct ebt_table), GFP_KERNEL);
1128 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1129 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1134 p = vmalloc(repl->entries_size);
1138 memcpy(p, repl->entries, repl->entries_size);
1139 newinfo->entries = p;
1141 newinfo->entries_size = repl->entries_size;
1142 newinfo->nentries = repl->nentries;
1145 memset(newinfo->counters, 0, countersize);
1147 /* fill in newinfo and parse the entries */
1148 newinfo->chainstack = NULL;
1149 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1150 if ((repl->valid_hooks & (1 << i)) == 0)
1151 newinfo->hook_entry[i] = NULL;
1153 newinfo->hook_entry[i] = p +
1154 ((char *)repl->hook_entry[i] - repl->entries);
1156 ret = translate_table(repl->name, newinfo);
1158 BUGPRINT("Translate_table failed\n");
1159 goto free_chainstack;
1162 if (table->check && table->check(newinfo, table->valid_hooks)) {
1163 BUGPRINT("The table doesn't like its own initial data, lol\n");
1164 return ERR_PTR(-EINVAL);
1167 table->private = newinfo;
1168 rwlock_init(&table->lock);
1169 ret = mutex_lock_interruptible(&ebt_mutex);
1171 goto free_chainstack;
1173 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1174 if (strcmp(t->name, table->name) == 0) {
1176 BUGPRINT("Table name already exists\n");
1181 /* Hold a reference count if the chains aren't empty */
1182 if (newinfo->nentries && !try_module_get(table->me)) {
1186 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1187 mutex_unlock(&ebt_mutex);
1190 mutex_unlock(&ebt_mutex);
1192 if (newinfo->chainstack) {
1193 for_each_possible_cpu(i)
1194 vfree(newinfo->chainstack[i]);
1195 vfree(newinfo->chainstack);
1197 vfree(newinfo->entries);
1203 return ERR_PTR(ret);
1206 void ebt_unregister_table(struct ebt_table *table)
1211 BUGPRINT("Request to unregister NULL table!!!\n");
1214 mutex_lock(&ebt_mutex);
1215 list_del(&table->list);
1216 mutex_unlock(&ebt_mutex);
1217 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1218 ebt_cleanup_entry, NULL);
1219 if (table->private->nentries)
1220 module_put(table->me);
1221 vfree(table->private->entries);
1222 if (table->private->chainstack) {
1223 for_each_possible_cpu(i)
1224 vfree(table->private->chainstack[i]);
1225 vfree(table->private->chainstack);
1227 vfree(table->private);
1231 /* userspace just supplied us with counters */
1232 static int update_counters(struct net *net, void __user *user, unsigned int len)
1235 struct ebt_counter *tmp;
1236 struct ebt_replace hlp;
1237 struct ebt_table *t;
1239 if (copy_from_user(&hlp, user, sizeof(hlp)))
1242 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1244 if (hlp.num_counters == 0)
1247 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1248 MEMPRINT("Update_counters && nomemory\n");
1252 t = find_table_lock(net, hlp.name, &ret, &ebt_mutex);
1256 if (hlp.num_counters != t->private->nentries) {
1257 BUGPRINT("Wrong nr of counters\n");
1262 if ( copy_from_user(tmp, hlp.counters,
1263 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1264 BUGPRINT("Updata_counters && !cfu\n");
1269 /* we want an atomic add of the counters */
1270 write_lock_bh(&t->lock);
1272 /* we add to the counters of the first cpu */
1273 for (i = 0; i < hlp.num_counters; i++) {
1274 t->private->counters[i].pcnt += tmp[i].pcnt;
1275 t->private->counters[i].bcnt += tmp[i].bcnt;
1278 write_unlock_bh(&t->lock);
1281 mutex_unlock(&ebt_mutex);
1287 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1288 char *base, char __user *ubase)
1290 char __user *hlp = ubase + ((char *)m - base);
1291 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1296 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1297 char *base, char __user *ubase)
1299 char __user *hlp = ubase + ((char *)w - base);
1300 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1305 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1309 struct ebt_entry_target *t;
1311 if (e->bitmask == 0)
1314 hlp = ubase + (((char *)e + e->target_offset) - base);
1315 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1317 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1320 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1323 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1328 /* called with ebt_mutex locked */
1329 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1332 struct ebt_replace tmp;
1333 struct ebt_counter *counterstmp, *oldcounters;
1334 unsigned int entries_size, nentries;
1337 if (cmd == EBT_SO_GET_ENTRIES) {
1338 entries_size = t->private->entries_size;
1339 nentries = t->private->nentries;
1340 entries = t->private->entries;
1341 oldcounters = t->private->counters;
1343 entries_size = t->table->entries_size;
1344 nentries = t->table->nentries;
1345 entries = t->table->entries;
1346 oldcounters = t->table->counters;
1349 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1350 BUGPRINT("Cfu didn't work\n");
1354 if (*len != sizeof(struct ebt_replace) + entries_size +
1355 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1356 BUGPRINT("Wrong size\n");
1360 if (tmp.nentries != nentries) {
1361 BUGPRINT("Nentries wrong\n");
1365 if (tmp.entries_size != entries_size) {
1366 BUGPRINT("Wrong size\n");
1370 /* userspace might not need the counters */
1371 if (tmp.num_counters) {
1372 if (tmp.num_counters != nentries) {
1373 BUGPRINT("Num_counters wrong\n");
1376 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1378 MEMPRINT("Couldn't copy counters, out of memory\n");
1381 write_lock_bh(&t->lock);
1382 get_counters(oldcounters, counterstmp, nentries);
1383 write_unlock_bh(&t->lock);
1385 if (copy_to_user(tmp.counters, counterstmp,
1386 nentries * sizeof(struct ebt_counter))) {
1387 BUGPRINT("Couldn't copy counters to userspace\n");
1394 if (copy_to_user(tmp.entries, entries, entries_size)) {
1395 BUGPRINT("Couldn't copy entries to userspace\n");
1398 /* set the match/watcher/target names right */
1399 return EBT_ENTRY_ITERATE(entries, entries_size,
1400 ebt_make_names, entries, tmp.entries);
1403 static int do_ebt_set_ctl(struct sock *sk,
1404 int cmd, void __user *user, unsigned int len)
1409 case EBT_SO_SET_ENTRIES:
1410 ret = do_replace(sock_net(sk), user, len);
1412 case EBT_SO_SET_COUNTERS:
1413 ret = update_counters(sock_net(sk), user, len);
1421 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1424 struct ebt_replace tmp;
1425 struct ebt_table *t;
1427 if (copy_from_user(&tmp, user, sizeof(tmp)))
1430 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1435 case EBT_SO_GET_INFO:
1436 case EBT_SO_GET_INIT_INFO:
1437 if (*len != sizeof(struct ebt_replace)){
1439 mutex_unlock(&ebt_mutex);
1442 if (cmd == EBT_SO_GET_INFO) {
1443 tmp.nentries = t->private->nentries;
1444 tmp.entries_size = t->private->entries_size;
1445 tmp.valid_hooks = t->valid_hooks;
1447 tmp.nentries = t->table->nentries;
1448 tmp.entries_size = t->table->entries_size;
1449 tmp.valid_hooks = t->table->valid_hooks;
1451 mutex_unlock(&ebt_mutex);
1452 if (copy_to_user(user, &tmp, *len) != 0){
1453 BUGPRINT("c2u Didn't work\n");
1460 case EBT_SO_GET_ENTRIES:
1461 case EBT_SO_GET_INIT_ENTRIES:
1462 ret = copy_everything_to_user(t, user, len, cmd);
1463 mutex_unlock(&ebt_mutex);
1467 mutex_unlock(&ebt_mutex);
1474 static struct nf_sockopt_ops ebt_sockopts =
1477 .set_optmin = EBT_BASE_CTL,
1478 .set_optmax = EBT_SO_SET_MAX + 1,
1479 .set = do_ebt_set_ctl,
1480 .get_optmin = EBT_BASE_CTL,
1481 .get_optmax = EBT_SO_GET_MAX + 1,
1482 .get = do_ebt_get_ctl,
1483 .owner = THIS_MODULE,
1486 static int __init ebtables_init(void)
1490 ret = xt_register_target(&ebt_standard_target);
1493 ret = nf_register_sockopt(&ebt_sockopts);
1495 xt_unregister_target(&ebt_standard_target);
1499 printk(KERN_INFO "Ebtables v2.0 registered\n");
1503 static void __exit ebtables_fini(void)
1505 nf_unregister_sockopt(&ebt_sockopts);
1506 xt_unregister_target(&ebt_standard_target);
1507 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1510 EXPORT_SYMBOL(ebt_register_table);
1511 EXPORT_SYMBOL(ebt_unregister_table);
1512 EXPORT_SYMBOL(ebt_do_table);
1513 module_init(ebtables_init);
1514 module_exit(ebtables_fini);
1515 MODULE_LICENSE("GPL");
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob