5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
59 static struct xt_target ebt_standard_target = {
62 .family = NFPROTO_BRIDGE,
63 .targetsize = sizeof(int),
67 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
68 struct xt_target_param *par)
70 par->target = w->u.watcher;
71 par->targinfo = w->data;
72 w->u.watcher->target(skb, par);
73 /* watchers don't give a verdict */
77 static inline int ebt_do_match (struct ebt_entry_match *m,
78 const struct sk_buff *skb, struct xt_match_param *par)
80 par->match = m->u.match;
81 par->matchinfo = m->data;
82 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
85 static inline int ebt_dev_check(char *entry, const struct net_device *device)
94 devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
146 struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
148 return (void *)entry + entry->next_offset;
151 /* Do some firewalling */
152 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
153 const struct net_device *in, const struct net_device *out,
154 struct ebt_table *table)
157 struct ebt_entry *point;
158 struct ebt_counter *counter_base, *cb_base;
159 struct ebt_entry_target *t;
161 struct ebt_chainstack *cs;
162 struct ebt_entries *chaininfo;
164 struct ebt_table_info *private;
165 bool hotdrop = false;
166 struct xt_match_param mtpar;
167 struct xt_target_param tgpar;
169 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
170 mtpar.in = tgpar.in = in;
171 mtpar.out = tgpar.out = out;
172 mtpar.hotdrop = &hotdrop;
173 mtpar.hooknum = tgpar.hooknum = hook;
175 read_lock_bh(&table->lock);
176 private = table->private;
177 cb_base = COUNTER_BASE(private->counters, private->nentries,
179 if (private->chainstack)
180 cs = private->chainstack[smp_processor_id()];
183 chaininfo = private->hook_entry[hook];
184 nentries = private->hook_entry[hook]->nentries;
185 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
186 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
187 /* base for chain jumps */
188 base = private->entries;
190 while (i < nentries) {
191 if (ebt_basic_match(point, eth_hdr(skb), in, out))
194 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
197 read_unlock_bh(&table->lock);
201 /* increase counter */
202 (*(counter_base + i)).pcnt++;
203 (*(counter_base + i)).bcnt += skb->len;
205 /* these should only watch: not modify, nor tell us
206 what to do with the packet */
207 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
209 t = (struct ebt_entry_target *)
210 (((char *)point) + point->target_offset);
211 /* standard target */
212 if (!t->u.target->target)
213 verdict = ((struct ebt_standard_target *)t)->verdict;
215 tgpar.target = t->u.target;
216 tgpar.targinfo = t->data;
217 verdict = t->u.target->target(skb, &tgpar);
219 if (verdict == EBT_ACCEPT) {
220 read_unlock_bh(&table->lock);
223 if (verdict == EBT_DROP) {
224 read_unlock_bh(&table->lock);
227 if (verdict == EBT_RETURN) {
229 #ifdef CONFIG_NETFILTER_DEBUG
231 BUGPRINT("RETURN on base chain");
232 /* act like this is EBT_CONTINUE */
237 /* put all the local variables right */
239 chaininfo = cs[sp].chaininfo;
240 nentries = chaininfo->nentries;
242 counter_base = cb_base +
243 chaininfo->counter_offset;
246 if (verdict == EBT_CONTINUE)
248 #ifdef CONFIG_NETFILTER_DEBUG
250 BUGPRINT("bogus standard verdict\n");
251 read_unlock_bh(&table->lock);
257 cs[sp].chaininfo = chaininfo;
258 cs[sp].e = ebt_next_entry(point);
260 chaininfo = (struct ebt_entries *) (base + verdict);
261 #ifdef CONFIG_NETFILTER_DEBUG
262 if (chaininfo->distinguisher) {
263 BUGPRINT("jump to non-chain\n");
264 read_unlock_bh(&table->lock);
268 nentries = chaininfo->nentries;
269 point = (struct ebt_entry *)chaininfo->data;
270 counter_base = cb_base + chaininfo->counter_offset;
274 point = ebt_next_entry(point);
278 /* I actually like this :) */
279 if (chaininfo->policy == EBT_RETURN)
281 if (chaininfo->policy == EBT_ACCEPT) {
282 read_unlock_bh(&table->lock);
285 read_unlock_bh(&table->lock);
289 /* If it succeeds, returns element and locks mutex */
291 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
295 struct list_head list;
296 char name[EBT_FUNCTION_MAXNAMELEN];
299 *error = mutex_lock_interruptible(mutex);
303 list_for_each_entry(e, head, list) {
304 if (strcmp(e->name, name) == 0)
313 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
314 int *error, struct mutex *mutex)
316 return try_then_request_module(
317 find_inlist_lock_noload(head, name, error, mutex),
318 "%s%s", prefix, name);
321 static inline struct ebt_table *
322 find_table_lock(struct net *net, const char *name, int *error,
325 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
326 "ebtable_", error, mutex);
330 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
333 const struct ebt_entry *e = par->entryinfo;
334 struct xt_match *match;
335 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
338 if (left < sizeof(struct ebt_entry_match) ||
339 left - sizeof(struct ebt_entry_match) < m->match_size)
342 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
343 m->u.name, 0), "ebt_%s", m->u.name);
345 return PTR_ERR(match);
351 par->matchinfo = m->data;
352 ret = xt_check_match(par, m->match_size,
353 e->ethproto, e->invflags & EBT_IPROTO);
355 module_put(match->me);
364 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
367 const struct ebt_entry *e = par->entryinfo;
368 struct xt_target *watcher;
369 size_t left = ((char *)e + e->target_offset) - (char *)w;
372 if (left < sizeof(struct ebt_entry_watcher) ||
373 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
376 watcher = try_then_request_module(
377 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
378 "ebt_%s", w->u.name);
380 return PTR_ERR(watcher);
383 w->u.watcher = watcher;
385 par->target = watcher;
386 par->targinfo = w->data;
387 ret = xt_check_target(par, w->watcher_size,
388 e->ethproto, e->invflags & EBT_IPROTO);
390 module_put(watcher->me);
398 static int ebt_verify_pointers(struct ebt_replace *repl,
399 struct ebt_table_info *newinfo)
401 unsigned int limit = repl->entries_size;
402 unsigned int valid_hooks = repl->valid_hooks;
403 unsigned int offset = 0;
406 for (i = 0; i < NF_BR_NUMHOOKS; i++)
407 newinfo->hook_entry[i] = NULL;
409 newinfo->entries_size = repl->entries_size;
410 newinfo->nentries = repl->nentries;
412 while (offset < limit) {
413 size_t left = limit - offset;
414 struct ebt_entry *e = (void *)newinfo->entries + offset;
416 if (left < sizeof(unsigned int))
419 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
420 if ((valid_hooks & (1 << i)) == 0)
422 if ((char __user *)repl->hook_entry[i] ==
423 repl->entries + offset)
427 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
428 if (e->bitmask != 0) {
429 /* we make userspace set this right,
430 so there is no misunderstanding */
431 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
432 "in distinguisher\n");
435 if (i != NF_BR_NUMHOOKS)
436 newinfo->hook_entry[i] = (struct ebt_entries *)e;
437 if (left < sizeof(struct ebt_entries))
439 offset += sizeof(struct ebt_entries);
441 if (left < sizeof(struct ebt_entry))
443 if (left < e->next_offset)
445 offset += e->next_offset;
448 if (offset != limit) {
449 BUGPRINT("entries_size too small\n");
453 /* check if all valid hooks have a chain */
454 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
455 if (!newinfo->hook_entry[i] &&
456 (valid_hooks & (1 << i))) {
457 BUGPRINT("Valid hook without chain\n");
465 * this one is very careful, as it is the first function
466 * to parse the userspace data
469 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
470 struct ebt_table_info *newinfo,
471 unsigned int *n, unsigned int *cnt,
472 unsigned int *totalcnt, unsigned int *udc_cnt)
476 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
477 if ((void *)e == (void *)newinfo->hook_entry[i])
480 /* beginning of a new chain
481 if i == NF_BR_NUMHOOKS it must be a user defined chain */
482 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
483 /* this checks if the previous chain has as many entries
486 BUGPRINT("nentries does not equal the nr of entries "
490 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
491 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
492 /* only RETURN from udc */
493 if (i != NF_BR_NUMHOOKS ||
494 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
495 BUGPRINT("bad policy\n");
499 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
501 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
502 BUGPRINT("counter_offset != totalcnt");
505 *n = ((struct ebt_entries *)e)->nentries;
509 /* a plain old entry, heh */
510 if (sizeof(struct ebt_entry) > e->watchers_offset ||
511 e->watchers_offset > e->target_offset ||
512 e->target_offset >= e->next_offset) {
513 BUGPRINT("entry offsets not in right order\n");
516 /* this is not checked anywhere else */
517 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
518 BUGPRINT("target size too small\n");
528 struct ebt_chainstack cs;
530 unsigned int hookmask;
534 * we need these positions to check that the jumps to a different part of the
535 * entries is a jump to the beginning of a new chain.
538 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
539 unsigned int *n, struct ebt_cl_stack *udc)
543 /* we're only interested in chain starts */
546 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
547 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
550 /* only care about udc */
551 if (i != NF_BR_NUMHOOKS)
554 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
555 /* these initialisations are depended on later in check_chainloops() */
557 udc[*n].hookmask = 0;
564 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
566 struct xt_mtdtor_param par;
568 if (i && (*i)-- == 0)
571 par.match = m->u.match;
572 par.matchinfo = m->data;
573 par.family = NFPROTO_BRIDGE;
574 if (par.match->destroy != NULL)
575 par.match->destroy(&par);
576 module_put(par.match->me);
581 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
583 struct xt_tgdtor_param par;
585 if (i && (*i)-- == 0)
588 par.target = w->u.watcher;
589 par.targinfo = w->data;
590 par.family = NFPROTO_BRIDGE;
591 if (par.target->destroy != NULL)
592 par.target->destroy(&par);
593 module_put(par.target->me);
598 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
600 struct xt_tgdtor_param par;
601 struct ebt_entry_target *t;
606 if (cnt && (*cnt)-- == 0)
608 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
609 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
610 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
612 par.target = t->u.target;
613 par.targinfo = t->data;
614 par.family = NFPROTO_BRIDGE;
615 if (par.target->destroy != NULL)
616 par.target->destroy(&par);
617 module_put(par.target->me);
622 ebt_check_entry(struct ebt_entry *e,
624 struct ebt_table_info *newinfo,
625 const char *name, unsigned int *cnt,
626 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
628 struct ebt_entry_target *t;
629 struct xt_target *target;
630 unsigned int i, j, hook = 0, hookmask = 0;
633 struct xt_mtchk_param mtpar;
634 struct xt_tgchk_param tgpar;
636 /* don't mess with the struct ebt_entries */
640 if (e->bitmask & ~EBT_F_MASK) {
641 BUGPRINT("Unknown flag for bitmask\n");
644 if (e->invflags & ~EBT_INV_MASK) {
645 BUGPRINT("Unknown flag for inv bitmask\n");
648 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
649 BUGPRINT("NOPROTO & 802_3 not allowed\n");
652 /* what hook do we belong to? */
653 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
654 if (!newinfo->hook_entry[i])
656 if ((char *)newinfo->hook_entry[i] < (char *)e)
661 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
663 if (i < NF_BR_NUMHOOKS)
664 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
666 for (i = 0; i < udc_cnt; i++)
667 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
670 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
672 hookmask = cl_s[i - 1].hookmask;
677 mtpar.table = tgpar.table = name;
678 mtpar.entryinfo = tgpar.entryinfo = e;
679 mtpar.hook_mask = tgpar.hook_mask = hookmask;
680 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
681 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
683 goto cleanup_matches;
685 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
687 goto cleanup_watchers;
688 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
689 gap = e->next_offset - e->target_offset;
691 target = try_then_request_module(
692 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
693 "ebt_%s", t->u.name);
694 if (IS_ERR(target)) {
695 ret = PTR_ERR(target);
696 goto cleanup_watchers;
697 } else if (target == NULL) {
699 goto cleanup_watchers;
702 t->u.target = target;
703 if (t->u.target == &ebt_standard_target) {
704 if (gap < sizeof(struct ebt_standard_target)) {
705 BUGPRINT("Standard target size too big\n");
707 goto cleanup_watchers;
709 if (((struct ebt_standard_target *)t)->verdict <
710 -NUM_STANDARD_TARGETS) {
711 BUGPRINT("Invalid standard target\n");
713 goto cleanup_watchers;
715 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
716 module_put(t->u.target->me);
718 goto cleanup_watchers;
721 tgpar.target = target;
722 tgpar.targinfo = t->data;
723 ret = xt_check_target(&tgpar, t->target_size,
724 e->ethproto, e->invflags & EBT_IPROTO);
726 module_put(target->me);
727 goto cleanup_watchers;
732 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
734 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
739 * checks for loops and sets the hook mask for udc
740 * the hook mask for udc tells us from which base chains the udc can be
741 * accessed. This mask is a parameter to the check() functions of the extensions
743 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
744 unsigned int udc_cnt, unsigned int hooknr, char *base)
746 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
747 struct ebt_entry *e = (struct ebt_entry *)chain->data;
748 struct ebt_entry_target *t;
750 while (pos < nentries || chain_nr != -1) {
751 /* end of udc, go back one 'recursion' step */
752 if (pos == nentries) {
753 /* put back values of the time when this chain was called */
754 e = cl_s[chain_nr].cs.e;
755 if (cl_s[chain_nr].from != -1)
757 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
759 nentries = chain->nentries;
760 pos = cl_s[chain_nr].cs.n;
761 /* make sure we won't see a loop that isn't one */
762 cl_s[chain_nr].cs.n = 0;
763 chain_nr = cl_s[chain_nr].from;
767 t = (struct ebt_entry_target *)
768 (((char *)e) + e->target_offset);
769 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
771 if (e->target_offset + sizeof(struct ebt_standard_target) >
773 BUGPRINT("Standard target size too big\n");
776 verdict = ((struct ebt_standard_target *)t)->verdict;
777 if (verdict >= 0) { /* jump to another chain */
778 struct ebt_entries *hlp2 =
779 (struct ebt_entries *)(base + verdict);
780 for (i = 0; i < udc_cnt; i++)
781 if (hlp2 == cl_s[i].cs.chaininfo)
783 /* bad destination or loop */
785 BUGPRINT("bad destination\n");
792 if (cl_s[i].hookmask & (1 << hooknr))
794 /* this can't be 0, so the loop test is correct */
795 cl_s[i].cs.n = pos + 1;
797 cl_s[i].cs.e = ebt_next_entry(e);
798 e = (struct ebt_entry *)(hlp2->data);
799 nentries = hlp2->nentries;
800 cl_s[i].from = chain_nr;
802 /* this udc is accessible from the base chain for hooknr */
803 cl_s[i].hookmask |= (1 << hooknr);
807 e = ebt_next_entry(e);
813 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
814 static int translate_table(struct net *net, char *name,
815 struct ebt_table_info *newinfo)
817 unsigned int i, j, k, udc_cnt;
819 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
822 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
824 if (i == NF_BR_NUMHOOKS) {
825 BUGPRINT("No valid hooks specified\n");
828 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
829 BUGPRINT("Chains don't start at beginning\n");
832 /* make sure chains are ordered after each other in same order
833 as their corresponding hooks */
834 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
835 if (!newinfo->hook_entry[j])
837 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
838 BUGPRINT("Hook order must be followed\n");
844 /* do some early checkings and initialize some things */
845 i = 0; /* holds the expected nr. of entries for the chain */
846 j = 0; /* holds the up to now counted entries for the chain */
847 k = 0; /* holds the total nr. of entries, should equal
848 newinfo->nentries afterwards */
849 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
850 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
851 ebt_check_entry_size_and_hooks, newinfo,
852 &i, &j, &k, &udc_cnt);
858 BUGPRINT("nentries does not equal the nr of entries in the "
862 if (k != newinfo->nentries) {
863 BUGPRINT("Total nentries is wrong\n");
867 /* get the location of the udc, put them in an array
868 while we're at it, allocate the chainstack */
870 /* this will get free'd in do_replace()/ebt_register_table()
871 if an error occurs */
872 newinfo->chainstack =
873 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
874 if (!newinfo->chainstack)
876 for_each_possible_cpu(i) {
877 newinfo->chainstack[i] =
878 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
879 if (!newinfo->chainstack[i]) {
881 vfree(newinfo->chainstack[--i]);
882 vfree(newinfo->chainstack);
883 newinfo->chainstack = NULL;
888 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
891 i = 0; /* the i'th udc */
892 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
893 ebt_get_udc_positions, newinfo, &i, cl_s);
896 BUGPRINT("i != udc_cnt\n");
902 /* Check for loops */
903 for (i = 0; i < NF_BR_NUMHOOKS; i++)
904 if (newinfo->hook_entry[i])
905 if (check_chainloops(newinfo->hook_entry[i],
906 cl_s, udc_cnt, i, newinfo->entries)) {
911 /* we now know the following (along with E=mc²):
912 - the nr of entries in each chain is right
913 - the size of the allocated space is right
914 - all valid hooks have a corresponding chain
916 - wrong data can still be on the level of a single entry
917 - could be there are jumps to places that are not the
918 beginning of a chain. This can only occur in chains that
919 are not accessible from any base chains, so we don't care. */
921 /* used to know what we need to clean up if something goes wrong */
923 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
924 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
926 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
927 ebt_cleanup_entry, &i);
933 /* called under write_lock */
934 static void get_counters(struct ebt_counter *oldcounters,
935 struct ebt_counter *counters, unsigned int nentries)
938 struct ebt_counter *counter_base;
940 /* counters of cpu 0 */
941 memcpy(counters, oldcounters,
942 sizeof(struct ebt_counter) * nentries);
944 /* add other counters to those of cpu 0 */
945 for_each_possible_cpu(cpu) {
948 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
949 for (i = 0; i < nentries; i++) {
950 counters[i].pcnt += counter_base[i].pcnt;
951 counters[i].bcnt += counter_base[i].bcnt;
956 /* replace the table */
957 static int do_replace(struct net *net, void __user *user, unsigned int len)
959 int ret, i, countersize;
960 struct ebt_table_info *newinfo;
961 struct ebt_replace tmp;
963 struct ebt_counter *counterstmp = NULL;
964 /* used to be able to unlock earlier */
965 struct ebt_table_info *table;
967 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
970 if (len != sizeof(tmp) + tmp.entries_size) {
971 BUGPRINT("Wrong len argument\n");
975 if (tmp.entries_size == 0) {
976 BUGPRINT("Entries_size never zero\n");
980 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
981 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
983 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
986 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
987 newinfo = vmalloc(sizeof(*newinfo) + countersize);
992 memset(newinfo->counters, 0, countersize);
994 newinfo->entries = vmalloc(tmp.entries_size);
995 if (!newinfo->entries) {
1000 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1001 BUGPRINT("Couldn't copy entries from userspace\n");
1006 /* the user wants counters back
1007 the check on the size is done later, when we have the lock */
1008 if (tmp.num_counters) {
1009 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1018 /* this can get initialized by translate_table() */
1019 newinfo->chainstack = NULL;
1020 ret = ebt_verify_pointers(&tmp, newinfo);
1022 goto free_counterstmp;
1024 ret = translate_table(net, tmp.name, newinfo);
1027 goto free_counterstmp;
1029 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1035 /* the table doesn't like it */
1036 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1039 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1040 BUGPRINT("Wrong nr. of counters requested\n");
1045 /* we have the mutex lock, so no danger in reading this pointer */
1047 /* make sure the table can only be rmmod'ed if it contains no rules */
1048 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1051 } else if (table->nentries && !newinfo->nentries)
1053 /* we need an atomic snapshot of the counters */
1054 write_lock_bh(&t->lock);
1055 if (tmp.num_counters)
1056 get_counters(t->private->counters, counterstmp,
1057 t->private->nentries);
1059 t->private = newinfo;
1060 write_unlock_bh(&t->lock);
1061 mutex_unlock(&ebt_mutex);
1062 /* so, a user can change the chains while having messed up her counter
1063 allocation. Only reason why this is done is because this way the lock
1064 is held only once, while this doesn't bring the kernel into a
1066 if (tmp.num_counters &&
1067 copy_to_user(tmp.counters, counterstmp,
1068 tmp.num_counters * sizeof(struct ebt_counter))) {
1069 BUGPRINT("Couldn't copy counters to userspace\n");
1075 /* decrease module count and free resources */
1076 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1077 ebt_cleanup_entry, NULL);
1079 vfree(table->entries);
1080 if (table->chainstack) {
1081 for_each_possible_cpu(i)
1082 vfree(table->chainstack[i]);
1083 vfree(table->chainstack);
1091 mutex_unlock(&ebt_mutex);
1093 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1094 ebt_cleanup_entry, NULL);
1097 /* can be initialized in translate_table() */
1098 if (newinfo->chainstack) {
1099 for_each_possible_cpu(i)
1100 vfree(newinfo->chainstack[i]);
1101 vfree(newinfo->chainstack);
1104 vfree(newinfo->entries);
1111 ebt_register_table(struct net *net, const struct ebt_table *input_table)
1113 struct ebt_table_info *newinfo;
1114 struct ebt_table *t, *table;
1115 struct ebt_replace_kernel *repl;
1116 int ret, i, countersize;
1119 if (input_table == NULL || (repl = input_table->table) == NULL ||
1120 repl->entries == 0 || repl->entries_size == 0 ||
1121 repl->counters != NULL || input_table->private != NULL) {
1122 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1123 return ERR_PTR(-EINVAL);
1126 /* Don't add one table to multiple lists. */
1127 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1133 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1134 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1139 p = vmalloc(repl->entries_size);
1143 memcpy(p, repl->entries, repl->entries_size);
1144 newinfo->entries = p;
1146 newinfo->entries_size = repl->entries_size;
1147 newinfo->nentries = repl->nentries;
1150 memset(newinfo->counters, 0, countersize);
1152 /* fill in newinfo and parse the entries */
1153 newinfo->chainstack = NULL;
1154 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1155 if ((repl->valid_hooks & (1 << i)) == 0)
1156 newinfo->hook_entry[i] = NULL;
1158 newinfo->hook_entry[i] = p +
1159 ((char *)repl->hook_entry[i] - repl->entries);
1161 ret = translate_table(net, repl->name, newinfo);
1163 BUGPRINT("Translate_table failed\n");
1164 goto free_chainstack;
1167 if (table->check && table->check(newinfo, table->valid_hooks)) {
1168 BUGPRINT("The table doesn't like its own initial data, lol\n");
1169 return ERR_PTR(-EINVAL);
1172 table->private = newinfo;
1173 rwlock_init(&table->lock);
1174 ret = mutex_lock_interruptible(&ebt_mutex);
1176 goto free_chainstack;
1178 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1179 if (strcmp(t->name, table->name) == 0) {
1181 BUGPRINT("Table name already exists\n");
1186 /* Hold a reference count if the chains aren't empty */
1187 if (newinfo->nentries && !try_module_get(table->me)) {
1191 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1192 mutex_unlock(&ebt_mutex);
1195 mutex_unlock(&ebt_mutex);
1197 if (newinfo->chainstack) {
1198 for_each_possible_cpu(i)
1199 vfree(newinfo->chainstack[i]);
1200 vfree(newinfo->chainstack);
1202 vfree(newinfo->entries);
1208 return ERR_PTR(ret);
1211 void ebt_unregister_table(struct ebt_table *table)
1216 BUGPRINT("Request to unregister NULL table!!!\n");
1219 mutex_lock(&ebt_mutex);
1220 list_del(&table->list);
1221 mutex_unlock(&ebt_mutex);
1222 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1223 ebt_cleanup_entry, NULL);
1224 if (table->private->nentries)
1225 module_put(table->me);
1226 vfree(table->private->entries);
1227 if (table->private->chainstack) {
1228 for_each_possible_cpu(i)
1229 vfree(table->private->chainstack[i]);
1230 vfree(table->private->chainstack);
1232 vfree(table->private);
1236 /* userspace just supplied us with counters */
1237 static int update_counters(struct net *net, void __user *user, unsigned int len)
1240 struct ebt_counter *tmp;
1241 struct ebt_replace hlp;
1242 struct ebt_table *t;
1244 if (copy_from_user(&hlp, user, sizeof(hlp)))
1247 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1249 if (hlp.num_counters == 0)
1252 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1253 MEMPRINT("Update_counters && nomemory\n");
1257 t = find_table_lock(net, hlp.name, &ret, &ebt_mutex);
1261 if (hlp.num_counters != t->private->nentries) {
1262 BUGPRINT("Wrong nr of counters\n");
1267 if ( copy_from_user(tmp, hlp.counters,
1268 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1269 BUGPRINT("Updata_counters && !cfu\n");
1274 /* we want an atomic add of the counters */
1275 write_lock_bh(&t->lock);
1277 /* we add to the counters of the first cpu */
1278 for (i = 0; i < hlp.num_counters; i++) {
1279 t->private->counters[i].pcnt += tmp[i].pcnt;
1280 t->private->counters[i].bcnt += tmp[i].bcnt;
1283 write_unlock_bh(&t->lock);
1286 mutex_unlock(&ebt_mutex);
1292 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1293 char *base, char __user *ubase)
1295 char __user *hlp = ubase + ((char *)m - base);
1296 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1301 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1302 char *base, char __user *ubase)
1304 char __user *hlp = ubase + ((char *)w - base);
1305 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1310 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1314 struct ebt_entry_target *t;
1316 if (e->bitmask == 0)
1319 hlp = ubase + (((char *)e + e->target_offset) - base);
1320 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1322 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1325 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1328 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1333 /* called with ebt_mutex locked */
1334 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1337 struct ebt_replace tmp;
1338 struct ebt_counter *counterstmp, *oldcounters;
1339 unsigned int entries_size, nentries;
1342 if (cmd == EBT_SO_GET_ENTRIES) {
1343 entries_size = t->private->entries_size;
1344 nentries = t->private->nentries;
1345 entries = t->private->entries;
1346 oldcounters = t->private->counters;
1348 entries_size = t->table->entries_size;
1349 nentries = t->table->nentries;
1350 entries = t->table->entries;
1351 oldcounters = t->table->counters;
1354 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1355 BUGPRINT("Cfu didn't work\n");
1359 if (*len != sizeof(struct ebt_replace) + entries_size +
1360 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1361 BUGPRINT("Wrong size\n");
1365 if (tmp.nentries != nentries) {
1366 BUGPRINT("Nentries wrong\n");
1370 if (tmp.entries_size != entries_size) {
1371 BUGPRINT("Wrong size\n");
1375 /* userspace might not need the counters */
1376 if (tmp.num_counters) {
1377 if (tmp.num_counters != nentries) {
1378 BUGPRINT("Num_counters wrong\n");
1381 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1383 MEMPRINT("Couldn't copy counters, out of memory\n");
1386 write_lock_bh(&t->lock);
1387 get_counters(oldcounters, counterstmp, nentries);
1388 write_unlock_bh(&t->lock);
1390 if (copy_to_user(tmp.counters, counterstmp,
1391 nentries * sizeof(struct ebt_counter))) {
1392 BUGPRINT("Couldn't copy counters to userspace\n");
1399 if (copy_to_user(tmp.entries, entries, entries_size)) {
1400 BUGPRINT("Couldn't copy entries to userspace\n");
1403 /* set the match/watcher/target names right */
1404 return EBT_ENTRY_ITERATE(entries, entries_size,
1405 ebt_make_names, entries, tmp.entries);
1408 static int do_ebt_set_ctl(struct sock *sk,
1409 int cmd, void __user *user, unsigned int len)
1414 case EBT_SO_SET_ENTRIES:
1415 ret = do_replace(sock_net(sk), user, len);
1417 case EBT_SO_SET_COUNTERS:
1418 ret = update_counters(sock_net(sk), user, len);
1426 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1429 struct ebt_replace tmp;
1430 struct ebt_table *t;
1432 if (copy_from_user(&tmp, user, sizeof(tmp)))
1435 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1440 case EBT_SO_GET_INFO:
1441 case EBT_SO_GET_INIT_INFO:
1442 if (*len != sizeof(struct ebt_replace)){
1444 mutex_unlock(&ebt_mutex);
1447 if (cmd == EBT_SO_GET_INFO) {
1448 tmp.nentries = t->private->nentries;
1449 tmp.entries_size = t->private->entries_size;
1450 tmp.valid_hooks = t->valid_hooks;
1452 tmp.nentries = t->table->nentries;
1453 tmp.entries_size = t->table->entries_size;
1454 tmp.valid_hooks = t->table->valid_hooks;
1456 mutex_unlock(&ebt_mutex);
1457 if (copy_to_user(user, &tmp, *len) != 0){
1458 BUGPRINT("c2u Didn't work\n");
1465 case EBT_SO_GET_ENTRIES:
1466 case EBT_SO_GET_INIT_ENTRIES:
1467 ret = copy_everything_to_user(t, user, len, cmd);
1468 mutex_unlock(&ebt_mutex);
1472 mutex_unlock(&ebt_mutex);
1479 static struct nf_sockopt_ops ebt_sockopts =
1482 .set_optmin = EBT_BASE_CTL,
1483 .set_optmax = EBT_SO_SET_MAX + 1,
1484 .set = do_ebt_set_ctl,
1485 .get_optmin = EBT_BASE_CTL,
1486 .get_optmax = EBT_SO_GET_MAX + 1,
1487 .get = do_ebt_get_ctl,
1488 .owner = THIS_MODULE,
1491 static int __init ebtables_init(void)
1495 ret = xt_register_target(&ebt_standard_target);
1498 ret = nf_register_sockopt(&ebt_sockopts);
1500 xt_unregister_target(&ebt_standard_target);
1504 printk(KERN_INFO "Ebtables v2.0 registered\n");
1508 static void __exit ebtables_fini(void)
1510 nf_unregister_sockopt(&ebt_sockopts);
1511 xt_unregister_target(&ebt_standard_target);
1512 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1515 EXPORT_SYMBOL(ebt_register_table);
1516 EXPORT_SYMBOL(ebt_unregister_table);
1517 EXPORT_SYMBOL(ebt_do_table);
1518 module_init(ebtables_init);
1519 module_exit(ebtables_fini);
1520 MODULE_LICENSE("GPL");