5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
60 static struct xt_target ebt_standard_target = {
63 .family = NFPROTO_BRIDGE,
64 .targetsize = sizeof(int),
67 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
68 struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
69 const struct net_device *out)
71 w->u.watcher->target(skb, in, out, hooknr, w->u.watcher, w->data);
72 /* watchers don't give a verdict */
76 static inline int ebt_do_match (struct ebt_entry_match *m,
77 const struct sk_buff *skb, const struct net_device *in,
78 const struct net_device *out, bool *hotdrop)
80 return m->u.match->match(skb, in, out, m->u.match,
81 m->data, 0, 0, hotdrop);
84 static inline int ebt_dev_check(char *entry, const struct net_device *device)
87 const char *devname = device->name;
93 /* 1 is the wildcard token */
94 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
96 return (devname[i] != entry[i] && entry[i] != 1);
99 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
100 /* process standard matches */
101 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
102 const struct net_device *in, const struct net_device *out)
106 if (e->bitmask & EBT_802_3) {
107 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
109 } else if (!(e->bitmask & EBT_NOPROTO) &&
110 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
113 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
115 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
117 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
118 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
120 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
121 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
124 if (e->bitmask & EBT_SOURCEMAC) {
126 for (i = 0; i < 6; i++)
127 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
129 if (FWINV2(verdict != 0, EBT_ISOURCE) )
132 if (e->bitmask & EBT_DESTMAC) {
134 for (i = 0; i < 6; i++)
135 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
137 if (FWINV2(verdict != 0, EBT_IDEST) )
143 /* Do some firewalling */
144 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
145 const struct net_device *in, const struct net_device *out,
146 struct ebt_table *table)
149 struct ebt_entry *point;
150 struct ebt_counter *counter_base, *cb_base;
151 struct ebt_entry_target *t;
153 struct ebt_chainstack *cs;
154 struct ebt_entries *chaininfo;
156 struct ebt_table_info *private;
157 bool hotdrop = false;
159 read_lock_bh(&table->lock);
160 private = table->private;
161 cb_base = COUNTER_BASE(private->counters, private->nentries,
163 if (private->chainstack)
164 cs = private->chainstack[smp_processor_id()];
167 chaininfo = private->hook_entry[hook];
168 nentries = private->hook_entry[hook]->nentries;
169 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
170 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
171 /* base for chain jumps */
172 base = private->entries;
174 while (i < nentries) {
175 if (ebt_basic_match(point, eth_hdr(skb), in, out))
178 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb,
179 in, out, &hotdrop) != 0)
182 read_unlock_bh(&table->lock);
186 /* increase counter */
187 (*(counter_base + i)).pcnt++;
188 (*(counter_base + i)).bcnt += skb->len;
190 /* these should only watch: not modify, nor tell us
191 what to do with the packet */
192 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, hook, in,
195 t = (struct ebt_entry_target *)
196 (((char *)point) + point->target_offset);
197 /* standard target */
198 if (!t->u.target->target)
199 verdict = ((struct ebt_standard_target *)t)->verdict;
201 verdict = t->u.target->target(skb, in, out, hook,
202 t->u.target, t->data);
203 if (verdict == EBT_ACCEPT) {
204 read_unlock_bh(&table->lock);
207 if (verdict == EBT_DROP) {
208 read_unlock_bh(&table->lock);
211 if (verdict == EBT_RETURN) {
213 #ifdef CONFIG_NETFILTER_DEBUG
215 BUGPRINT("RETURN on base chain");
216 /* act like this is EBT_CONTINUE */
221 /* put all the local variables right */
223 chaininfo = cs[sp].chaininfo;
224 nentries = chaininfo->nentries;
226 counter_base = cb_base +
227 chaininfo->counter_offset;
230 if (verdict == EBT_CONTINUE)
232 #ifdef CONFIG_NETFILTER_DEBUG
234 BUGPRINT("bogus standard verdict\n");
235 read_unlock_bh(&table->lock);
241 cs[sp].chaininfo = chaininfo;
242 cs[sp].e = (struct ebt_entry *)
243 (((char *)point) + point->next_offset);
245 chaininfo = (struct ebt_entries *) (base + verdict);
246 #ifdef CONFIG_NETFILTER_DEBUG
247 if (chaininfo->distinguisher) {
248 BUGPRINT("jump to non-chain\n");
249 read_unlock_bh(&table->lock);
253 nentries = chaininfo->nentries;
254 point = (struct ebt_entry *)chaininfo->data;
255 counter_base = cb_base + chaininfo->counter_offset;
259 point = (struct ebt_entry *)
260 (((char *)point) + point->next_offset);
264 /* I actually like this :) */
265 if (chaininfo->policy == EBT_RETURN)
267 if (chaininfo->policy == EBT_ACCEPT) {
268 read_unlock_bh(&table->lock);
271 read_unlock_bh(&table->lock);
275 /* If it succeeds, returns element and locks mutex */
277 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
281 struct list_head list;
282 char name[EBT_FUNCTION_MAXNAMELEN];
285 *error = mutex_lock_interruptible(mutex);
289 list_for_each_entry(e, head, list) {
290 if (strcmp(e->name, name) == 0)
299 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
302 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
303 int *error, struct mutex *mutex)
307 ret = find_inlist_lock_noload(head, name, error, mutex);
309 request_module("%s%s", prefix, name);
310 ret = find_inlist_lock_noload(head, name, error, mutex);
316 static inline struct ebt_table *
317 find_table_lock(const char *name, int *error, struct mutex *mutex)
319 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
323 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
324 const char *name, unsigned int hookmask, unsigned int *cnt)
326 struct xt_match *match;
327 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
330 if (left < sizeof(struct ebt_entry_match) ||
331 left - sizeof(struct ebt_entry_match) < m->match_size)
334 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
335 m->u.name, 0), "ebt_%s", m->u.name);
337 return PTR_ERR(match);
342 ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size,
343 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
345 module_put(match->me);
347 } else if (match->checkentry != NULL &&
348 !match->checkentry(name, e, NULL, m->data, hookmask)) {
349 module_put(match->me);
350 BUGPRINT("match->check failed\n");
359 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
360 const char *name, unsigned int hookmask, unsigned int *cnt)
362 struct xt_target *watcher;
363 size_t left = ((char *)e + e->target_offset) - (char *)w;
366 if (left < sizeof(struct ebt_entry_watcher) ||
367 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
370 watcher = try_then_request_module(
371 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
372 "ebt_%s", w->u.name);
374 return PTR_ERR(watcher);
377 w->u.watcher = watcher;
379 ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size,
380 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
382 module_put(watcher->me);
384 } else if (watcher->checkentry != NULL &&
385 !watcher->checkentry(name, e, NULL, w->data, hookmask)) {
386 module_put(watcher->me);
387 BUGPRINT("watcher->check failed\n");
395 static int ebt_verify_pointers(struct ebt_replace *repl,
396 struct ebt_table_info *newinfo)
398 unsigned int limit = repl->entries_size;
399 unsigned int valid_hooks = repl->valid_hooks;
400 unsigned int offset = 0;
403 for (i = 0; i < NF_BR_NUMHOOKS; i++)
404 newinfo->hook_entry[i] = NULL;
406 newinfo->entries_size = repl->entries_size;
407 newinfo->nentries = repl->nentries;
409 while (offset < limit) {
410 size_t left = limit - offset;
411 struct ebt_entry *e = (void *)newinfo->entries + offset;
413 if (left < sizeof(unsigned int))
416 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
417 if ((valid_hooks & (1 << i)) == 0)
419 if ((char __user *)repl->hook_entry[i] ==
420 repl->entries + offset)
424 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
425 if (e->bitmask != 0) {
426 /* we make userspace set this right,
427 so there is no misunderstanding */
428 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
429 "in distinguisher\n");
432 if (i != NF_BR_NUMHOOKS)
433 newinfo->hook_entry[i] = (struct ebt_entries *)e;
434 if (left < sizeof(struct ebt_entries))
436 offset += sizeof(struct ebt_entries);
438 if (left < sizeof(struct ebt_entry))
440 if (left < e->next_offset)
442 offset += e->next_offset;
445 if (offset != limit) {
446 BUGPRINT("entries_size too small\n");
450 /* check if all valid hooks have a chain */
451 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
452 if (!newinfo->hook_entry[i] &&
453 (valid_hooks & (1 << i))) {
454 BUGPRINT("Valid hook without chain\n");
462 * this one is very careful, as it is the first function
463 * to parse the userspace data
466 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
467 struct ebt_table_info *newinfo,
468 unsigned int *n, unsigned int *cnt,
469 unsigned int *totalcnt, unsigned int *udc_cnt)
473 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
474 if ((void *)e == (void *)newinfo->hook_entry[i])
477 /* beginning of a new chain
478 if i == NF_BR_NUMHOOKS it must be a user defined chain */
479 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
480 /* this checks if the previous chain has as many entries
483 BUGPRINT("nentries does not equal the nr of entries "
487 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
488 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
489 /* only RETURN from udc */
490 if (i != NF_BR_NUMHOOKS ||
491 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
492 BUGPRINT("bad policy\n");
496 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
498 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
499 BUGPRINT("counter_offset != totalcnt");
502 *n = ((struct ebt_entries *)e)->nentries;
506 /* a plain old entry, heh */
507 if (sizeof(struct ebt_entry) > e->watchers_offset ||
508 e->watchers_offset > e->target_offset ||
509 e->target_offset >= e->next_offset) {
510 BUGPRINT("entry offsets not in right order\n");
513 /* this is not checked anywhere else */
514 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
515 BUGPRINT("target size too small\n");
525 struct ebt_chainstack cs;
527 unsigned int hookmask;
531 * we need these positions to check that the jumps to a different part of the
532 * entries is a jump to the beginning of a new chain.
535 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
536 unsigned int *n, struct ebt_cl_stack *udc)
540 /* we're only interested in chain starts */
543 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
544 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
547 /* only care about udc */
548 if (i != NF_BR_NUMHOOKS)
551 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
552 /* these initialisations are depended on later in check_chainloops() */
554 udc[*n].hookmask = 0;
561 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
563 if (i && (*i)-- == 0)
565 if (m->u.match->destroy)
566 m->u.match->destroy(m->u.match, m->data);
567 module_put(m->u.match->me);
573 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
575 if (i && (*i)-- == 0)
577 if (w->u.watcher->destroy)
578 w->u.watcher->destroy(w->u.watcher, w->data);
579 module_put(w->u.watcher->me);
585 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
587 struct ebt_entry_target *t;
592 if (cnt && (*cnt)-- == 0)
594 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
595 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
596 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
597 if (t->u.target->destroy)
598 t->u.target->destroy(t->u.target, t->data);
599 module_put(t->u.target->me);
605 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
606 const char *name, unsigned int *cnt,
607 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
609 struct ebt_entry_target *t;
610 struct xt_target *target;
611 unsigned int i, j, hook = 0, hookmask = 0;
615 /* don't mess with the struct ebt_entries */
619 if (e->bitmask & ~EBT_F_MASK) {
620 BUGPRINT("Unknown flag for bitmask\n");
623 if (e->invflags & ~EBT_INV_MASK) {
624 BUGPRINT("Unknown flag for inv bitmask\n");
627 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
628 BUGPRINT("NOPROTO & 802_3 not allowed\n");
631 /* what hook do we belong to? */
632 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
633 if (!newinfo->hook_entry[i])
635 if ((char *)newinfo->hook_entry[i] < (char *)e)
640 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
642 if (i < NF_BR_NUMHOOKS)
643 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
645 for (i = 0; i < udc_cnt; i++)
646 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
649 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
651 hookmask = cl_s[i - 1].hookmask;
654 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
656 goto cleanup_matches;
658 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
660 goto cleanup_watchers;
661 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
662 gap = e->next_offset - e->target_offset;
664 target = try_then_request_module(
665 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
666 "ebt_%s", t->u.name);
667 if (IS_ERR(target)) {
668 ret = PTR_ERR(target);
669 goto cleanup_watchers;
670 } else if (target == NULL) {
672 goto cleanup_watchers;
675 t->u.target = target;
676 if (t->u.target == &ebt_standard_target) {
677 if (gap < sizeof(struct ebt_standard_target)) {
678 BUGPRINT("Standard target size too big\n");
680 goto cleanup_watchers;
682 if (((struct ebt_standard_target *)t)->verdict <
683 -NUM_STANDARD_TARGETS) {
684 BUGPRINT("Invalid standard target\n");
686 goto cleanup_watchers;
688 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
689 module_put(t->u.target->me);
691 goto cleanup_watchers;
694 ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size,
695 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
697 module_put(target->me);
698 goto cleanup_watchers;
699 } else if (t->u.target->checkentry &&
700 !t->u.target->checkentry(name, e, NULL, t->data, hookmask)) {
701 module_put(t->u.target->me);
703 goto cleanup_watchers;
708 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
710 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
715 * checks for loops and sets the hook mask for udc
716 * the hook mask for udc tells us from which base chains the udc can be
717 * accessed. This mask is a parameter to the check() functions of the extensions
719 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
720 unsigned int udc_cnt, unsigned int hooknr, char *base)
722 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
723 struct ebt_entry *e = (struct ebt_entry *)chain->data;
724 struct ebt_entry_target *t;
726 while (pos < nentries || chain_nr != -1) {
727 /* end of udc, go back one 'recursion' step */
728 if (pos == nentries) {
729 /* put back values of the time when this chain was called */
730 e = cl_s[chain_nr].cs.e;
731 if (cl_s[chain_nr].from != -1)
733 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
735 nentries = chain->nentries;
736 pos = cl_s[chain_nr].cs.n;
737 /* make sure we won't see a loop that isn't one */
738 cl_s[chain_nr].cs.n = 0;
739 chain_nr = cl_s[chain_nr].from;
743 t = (struct ebt_entry_target *)
744 (((char *)e) + e->target_offset);
745 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
747 if (e->target_offset + sizeof(struct ebt_standard_target) >
749 BUGPRINT("Standard target size too big\n");
752 verdict = ((struct ebt_standard_target *)t)->verdict;
753 if (verdict >= 0) { /* jump to another chain */
754 struct ebt_entries *hlp2 =
755 (struct ebt_entries *)(base + verdict);
756 for (i = 0; i < udc_cnt; i++)
757 if (hlp2 == cl_s[i].cs.chaininfo)
759 /* bad destination or loop */
761 BUGPRINT("bad destination\n");
768 if (cl_s[i].hookmask & (1 << hooknr))
770 /* this can't be 0, so the loop test is correct */
771 cl_s[i].cs.n = pos + 1;
773 cl_s[i].cs.e = ((void *)e + e->next_offset);
774 e = (struct ebt_entry *)(hlp2->data);
775 nentries = hlp2->nentries;
776 cl_s[i].from = chain_nr;
778 /* this udc is accessible from the base chain for hooknr */
779 cl_s[i].hookmask |= (1 << hooknr);
783 e = (void *)e + e->next_offset;
789 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
790 static int translate_table(char *name, struct ebt_table_info *newinfo)
792 unsigned int i, j, k, udc_cnt;
794 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
797 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
799 if (i == NF_BR_NUMHOOKS) {
800 BUGPRINT("No valid hooks specified\n");
803 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
804 BUGPRINT("Chains don't start at beginning\n");
807 /* make sure chains are ordered after each other in same order
808 as their corresponding hooks */
809 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
810 if (!newinfo->hook_entry[j])
812 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
813 BUGPRINT("Hook order must be followed\n");
819 /* do some early checkings and initialize some things */
820 i = 0; /* holds the expected nr. of entries for the chain */
821 j = 0; /* holds the up to now counted entries for the chain */
822 k = 0; /* holds the total nr. of entries, should equal
823 newinfo->nentries afterwards */
824 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
825 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
826 ebt_check_entry_size_and_hooks, newinfo,
827 &i, &j, &k, &udc_cnt);
833 BUGPRINT("nentries does not equal the nr of entries in the "
837 if (k != newinfo->nentries) {
838 BUGPRINT("Total nentries is wrong\n");
842 /* get the location of the udc, put them in an array
843 while we're at it, allocate the chainstack */
845 /* this will get free'd in do_replace()/ebt_register_table()
846 if an error occurs */
847 newinfo->chainstack =
848 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
849 if (!newinfo->chainstack)
851 for_each_possible_cpu(i) {
852 newinfo->chainstack[i] =
853 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
854 if (!newinfo->chainstack[i]) {
856 vfree(newinfo->chainstack[--i]);
857 vfree(newinfo->chainstack);
858 newinfo->chainstack = NULL;
863 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
866 i = 0; /* the i'th udc */
867 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
868 ebt_get_udc_positions, newinfo, &i, cl_s);
871 BUGPRINT("i != udc_cnt\n");
877 /* Check for loops */
878 for (i = 0; i < NF_BR_NUMHOOKS; i++)
879 if (newinfo->hook_entry[i])
880 if (check_chainloops(newinfo->hook_entry[i],
881 cl_s, udc_cnt, i, newinfo->entries)) {
886 /* we now know the following (along with E=mc²):
887 - the nr of entries in each chain is right
888 - the size of the allocated space is right
889 - all valid hooks have a corresponding chain
891 - wrong data can still be on the level of a single entry
892 - could be there are jumps to places that are not the
893 beginning of a chain. This can only occur in chains that
894 are not accessible from any base chains, so we don't care. */
896 /* used to know what we need to clean up if something goes wrong */
898 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
899 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
901 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
902 ebt_cleanup_entry, &i);
908 /* called under write_lock */
909 static void get_counters(struct ebt_counter *oldcounters,
910 struct ebt_counter *counters, unsigned int nentries)
913 struct ebt_counter *counter_base;
915 /* counters of cpu 0 */
916 memcpy(counters, oldcounters,
917 sizeof(struct ebt_counter) * nentries);
919 /* add other counters to those of cpu 0 */
920 for_each_possible_cpu(cpu) {
923 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
924 for (i = 0; i < nentries; i++) {
925 counters[i].pcnt += counter_base[i].pcnt;
926 counters[i].bcnt += counter_base[i].bcnt;
931 /* replace the table */
932 static int do_replace(void __user *user, unsigned int len)
934 int ret, i, countersize;
935 struct ebt_table_info *newinfo;
936 struct ebt_replace tmp;
938 struct ebt_counter *counterstmp = NULL;
939 /* used to be able to unlock earlier */
940 struct ebt_table_info *table;
942 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
945 if (len != sizeof(tmp) + tmp.entries_size) {
946 BUGPRINT("Wrong len argument\n");
950 if (tmp.entries_size == 0) {
951 BUGPRINT("Entries_size never zero\n");
955 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
956 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
958 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
961 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
962 newinfo = vmalloc(sizeof(*newinfo) + countersize);
967 memset(newinfo->counters, 0, countersize);
969 newinfo->entries = vmalloc(tmp.entries_size);
970 if (!newinfo->entries) {
975 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
976 BUGPRINT("Couldn't copy entries from userspace\n");
981 /* the user wants counters back
982 the check on the size is done later, when we have the lock */
983 if (tmp.num_counters) {
984 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
993 /* this can get initialized by translate_table() */
994 newinfo->chainstack = NULL;
995 ret = ebt_verify_pointers(&tmp, newinfo);
997 goto free_counterstmp;
999 ret = translate_table(tmp.name, newinfo);
1002 goto free_counterstmp;
1004 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1010 /* the table doesn't like it */
1011 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1014 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1015 BUGPRINT("Wrong nr. of counters requested\n");
1020 /* we have the mutex lock, so no danger in reading this pointer */
1022 /* make sure the table can only be rmmod'ed if it contains no rules */
1023 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1026 } else if (table->nentries && !newinfo->nentries)
1028 /* we need an atomic snapshot of the counters */
1029 write_lock_bh(&t->lock);
1030 if (tmp.num_counters)
1031 get_counters(t->private->counters, counterstmp,
1032 t->private->nentries);
1034 t->private = newinfo;
1035 write_unlock_bh(&t->lock);
1036 mutex_unlock(&ebt_mutex);
1037 /* so, a user can change the chains while having messed up her counter
1038 allocation. Only reason why this is done is because this way the lock
1039 is held only once, while this doesn't bring the kernel into a
1041 if (tmp.num_counters &&
1042 copy_to_user(tmp.counters, counterstmp,
1043 tmp.num_counters * sizeof(struct ebt_counter))) {
1044 BUGPRINT("Couldn't copy counters to userspace\n");
1050 /* decrease module count and free resources */
1051 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1052 ebt_cleanup_entry, NULL);
1054 vfree(table->entries);
1055 if (table->chainstack) {
1056 for_each_possible_cpu(i)
1057 vfree(table->chainstack[i]);
1058 vfree(table->chainstack);
1066 mutex_unlock(&ebt_mutex);
1068 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1069 ebt_cleanup_entry, NULL);
1072 /* can be initialized in translate_table() */
1073 if (newinfo->chainstack) {
1074 for_each_possible_cpu(i)
1075 vfree(newinfo->chainstack[i]);
1076 vfree(newinfo->chainstack);
1079 vfree(newinfo->entries);
1085 int ebt_register_table(struct ebt_table *table)
1087 struct ebt_table_info *newinfo;
1088 struct ebt_table *t;
1089 struct ebt_replace_kernel *repl;
1090 int ret, i, countersize;
1093 if (!table || !(repl = table->table) || !repl->entries ||
1094 repl->entries_size == 0 ||
1095 repl->counters || table->private) {
1096 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1100 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1101 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1106 p = vmalloc(repl->entries_size);
1110 memcpy(p, repl->entries, repl->entries_size);
1111 newinfo->entries = p;
1113 newinfo->entries_size = repl->entries_size;
1114 newinfo->nentries = repl->nentries;
1117 memset(newinfo->counters, 0, countersize);
1119 /* fill in newinfo and parse the entries */
1120 newinfo->chainstack = NULL;
1121 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1122 if ((repl->valid_hooks & (1 << i)) == 0)
1123 newinfo->hook_entry[i] = NULL;
1125 newinfo->hook_entry[i] = p +
1126 ((char *)repl->hook_entry[i] - repl->entries);
1128 ret = translate_table(repl->name, newinfo);
1130 BUGPRINT("Translate_table failed\n");
1131 goto free_chainstack;
1134 if (table->check && table->check(newinfo, table->valid_hooks)) {
1135 BUGPRINT("The table doesn't like its own initial data, lol\n");
1139 table->private = newinfo;
1140 rwlock_init(&table->lock);
1141 ret = mutex_lock_interruptible(&ebt_mutex);
1143 goto free_chainstack;
1145 list_for_each_entry(t, &ebt_tables, list) {
1146 if (strcmp(t->name, table->name) == 0) {
1148 BUGPRINT("Table name already exists\n");
1153 /* Hold a reference count if the chains aren't empty */
1154 if (newinfo->nentries && !try_module_get(table->me)) {
1158 list_add(&table->list, &ebt_tables);
1159 mutex_unlock(&ebt_mutex);
1162 mutex_unlock(&ebt_mutex);
1164 if (newinfo->chainstack) {
1165 for_each_possible_cpu(i)
1166 vfree(newinfo->chainstack[i]);
1167 vfree(newinfo->chainstack);
1169 vfree(newinfo->entries);
1175 void ebt_unregister_table(struct ebt_table *table)
1180 BUGPRINT("Request to unregister NULL table!!!\n");
1183 mutex_lock(&ebt_mutex);
1184 list_del(&table->list);
1185 mutex_unlock(&ebt_mutex);
1186 vfree(table->private->entries);
1187 if (table->private->chainstack) {
1188 for_each_possible_cpu(i)
1189 vfree(table->private->chainstack[i]);
1190 vfree(table->private->chainstack);
1192 vfree(table->private);
1195 /* userspace just supplied us with counters */
1196 static int update_counters(void __user *user, unsigned int len)
1199 struct ebt_counter *tmp;
1200 struct ebt_replace hlp;
1201 struct ebt_table *t;
1203 if (copy_from_user(&hlp, user, sizeof(hlp)))
1206 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1208 if (hlp.num_counters == 0)
1211 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1212 MEMPRINT("Update_counters && nomemory\n");
1216 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1220 if (hlp.num_counters != t->private->nentries) {
1221 BUGPRINT("Wrong nr of counters\n");
1226 if ( copy_from_user(tmp, hlp.counters,
1227 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1228 BUGPRINT("Updata_counters && !cfu\n");
1233 /* we want an atomic add of the counters */
1234 write_lock_bh(&t->lock);
1236 /* we add to the counters of the first cpu */
1237 for (i = 0; i < hlp.num_counters; i++) {
1238 t->private->counters[i].pcnt += tmp[i].pcnt;
1239 t->private->counters[i].bcnt += tmp[i].bcnt;
1242 write_unlock_bh(&t->lock);
1245 mutex_unlock(&ebt_mutex);
1251 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1252 char *base, char __user *ubase)
1254 char __user *hlp = ubase + ((char *)m - base);
1255 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1260 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1261 char *base, char __user *ubase)
1263 char __user *hlp = ubase + ((char *)w - base);
1264 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1269 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1273 struct ebt_entry_target *t;
1275 if (e->bitmask == 0)
1278 hlp = ubase + (((char *)e + e->target_offset) - base);
1279 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1281 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1284 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1287 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1292 /* called with ebt_mutex locked */
1293 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1296 struct ebt_replace tmp;
1297 struct ebt_counter *counterstmp, *oldcounters;
1298 unsigned int entries_size, nentries;
1301 if (cmd == EBT_SO_GET_ENTRIES) {
1302 entries_size = t->private->entries_size;
1303 nentries = t->private->nentries;
1304 entries = t->private->entries;
1305 oldcounters = t->private->counters;
1307 entries_size = t->table->entries_size;
1308 nentries = t->table->nentries;
1309 entries = t->table->entries;
1310 oldcounters = t->table->counters;
1313 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1314 BUGPRINT("Cfu didn't work\n");
1318 if (*len != sizeof(struct ebt_replace) + entries_size +
1319 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1320 BUGPRINT("Wrong size\n");
1324 if (tmp.nentries != nentries) {
1325 BUGPRINT("Nentries wrong\n");
1329 if (tmp.entries_size != entries_size) {
1330 BUGPRINT("Wrong size\n");
1334 /* userspace might not need the counters */
1335 if (tmp.num_counters) {
1336 if (tmp.num_counters != nentries) {
1337 BUGPRINT("Num_counters wrong\n");
1340 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1342 MEMPRINT("Couldn't copy counters, out of memory\n");
1345 write_lock_bh(&t->lock);
1346 get_counters(oldcounters, counterstmp, nentries);
1347 write_unlock_bh(&t->lock);
1349 if (copy_to_user(tmp.counters, counterstmp,
1350 nentries * sizeof(struct ebt_counter))) {
1351 BUGPRINT("Couldn't copy counters to userspace\n");
1358 if (copy_to_user(tmp.entries, entries, entries_size)) {
1359 BUGPRINT("Couldn't copy entries to userspace\n");
1362 /* set the match/watcher/target names right */
1363 return EBT_ENTRY_ITERATE(entries, entries_size,
1364 ebt_make_names, entries, tmp.entries);
1367 static int do_ebt_set_ctl(struct sock *sk,
1368 int cmd, void __user *user, unsigned int len)
1373 case EBT_SO_SET_ENTRIES:
1374 ret = do_replace(user, len);
1376 case EBT_SO_SET_COUNTERS:
1377 ret = update_counters(user, len);
1385 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1388 struct ebt_replace tmp;
1389 struct ebt_table *t;
1391 if (copy_from_user(&tmp, user, sizeof(tmp)))
1394 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1399 case EBT_SO_GET_INFO:
1400 case EBT_SO_GET_INIT_INFO:
1401 if (*len != sizeof(struct ebt_replace)){
1403 mutex_unlock(&ebt_mutex);
1406 if (cmd == EBT_SO_GET_INFO) {
1407 tmp.nentries = t->private->nentries;
1408 tmp.entries_size = t->private->entries_size;
1409 tmp.valid_hooks = t->valid_hooks;
1411 tmp.nentries = t->table->nentries;
1412 tmp.entries_size = t->table->entries_size;
1413 tmp.valid_hooks = t->table->valid_hooks;
1415 mutex_unlock(&ebt_mutex);
1416 if (copy_to_user(user, &tmp, *len) != 0){
1417 BUGPRINT("c2u Didn't work\n");
1424 case EBT_SO_GET_ENTRIES:
1425 case EBT_SO_GET_INIT_ENTRIES:
1426 ret = copy_everything_to_user(t, user, len, cmd);
1427 mutex_unlock(&ebt_mutex);
1431 mutex_unlock(&ebt_mutex);
1438 static struct nf_sockopt_ops ebt_sockopts =
1441 .set_optmin = EBT_BASE_CTL,
1442 .set_optmax = EBT_SO_SET_MAX + 1,
1443 .set = do_ebt_set_ctl,
1444 .get_optmin = EBT_BASE_CTL,
1445 .get_optmax = EBT_SO_GET_MAX + 1,
1446 .get = do_ebt_get_ctl,
1447 .owner = THIS_MODULE,
1450 static int __init ebtables_init(void)
1454 ret = xt_register_target(&ebt_standard_target);
1457 ret = nf_register_sockopt(&ebt_sockopts);
1459 xt_unregister_target(&ebt_standard_target);
1463 printk(KERN_INFO "Ebtables v2.0 registered\n");
1467 static void __exit ebtables_fini(void)
1469 nf_unregister_sockopt(&ebt_sockopts);
1470 xt_unregister_target(&ebt_standard_target);
1471 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1474 EXPORT_SYMBOL(ebt_register_table);
1475 EXPORT_SYMBOL(ebt_unregister_table);
1476 EXPORT_SYMBOL(ebt_do_table);
1477 module_init(ebtables_init);
1478 module_exit(ebtables_fini);
1479 MODULE_LICENSE("GPL");