5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
60 static struct xt_target ebt_standard_target = {
63 .family = NFPROTO_BRIDGE,
64 .targetsize = sizeof(int),
67 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
68 struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
69 const struct net_device *out)
71 w->u.watcher->target(skb, in, out, hooknr, w->u.watcher, w->data);
72 /* watchers don't give a verdict */
76 static inline int ebt_do_match (struct ebt_entry_match *m,
77 const struct sk_buff *skb, struct xt_match_param *par)
79 par->match = m->u.match;
80 par->matchinfo = m->data;
81 return m->u.match->match(skb, par);
84 static inline int ebt_dev_check(char *entry, const struct net_device *device)
87 const char *devname = device->name;
93 /* 1 is the wildcard token */
94 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
96 return (devname[i] != entry[i] && entry[i] != 1);
99 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
100 /* process standard matches */
101 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
102 const struct net_device *in, const struct net_device *out)
106 if (e->bitmask & EBT_802_3) {
107 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
109 } else if (!(e->bitmask & EBT_NOPROTO) &&
110 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
113 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
115 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
117 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
118 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
120 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
121 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
124 if (e->bitmask & EBT_SOURCEMAC) {
126 for (i = 0; i < 6; i++)
127 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
129 if (FWINV2(verdict != 0, EBT_ISOURCE) )
132 if (e->bitmask & EBT_DESTMAC) {
134 for (i = 0; i < 6; i++)
135 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
137 if (FWINV2(verdict != 0, EBT_IDEST) )
143 /* Do some firewalling */
144 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
145 const struct net_device *in, const struct net_device *out,
146 struct ebt_table *table)
149 struct ebt_entry *point;
150 struct ebt_counter *counter_base, *cb_base;
151 struct ebt_entry_target *t;
153 struct ebt_chainstack *cs;
154 struct ebt_entries *chaininfo;
156 struct ebt_table_info *private;
157 bool hotdrop = false;
158 struct xt_match_param mtpar;
162 mtpar.hotdrop = &hotdrop;
164 read_lock_bh(&table->lock);
165 private = table->private;
166 cb_base = COUNTER_BASE(private->counters, private->nentries,
168 if (private->chainstack)
169 cs = private->chainstack[smp_processor_id()];
172 chaininfo = private->hook_entry[hook];
173 nentries = private->hook_entry[hook]->nentries;
174 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
175 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
176 /* base for chain jumps */
177 base = private->entries;
179 while (i < nentries) {
180 if (ebt_basic_match(point, eth_hdr(skb), in, out))
183 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
186 read_unlock_bh(&table->lock);
190 /* increase counter */
191 (*(counter_base + i)).pcnt++;
192 (*(counter_base + i)).bcnt += skb->len;
194 /* these should only watch: not modify, nor tell us
195 what to do with the packet */
196 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, hook, in,
199 t = (struct ebt_entry_target *)
200 (((char *)point) + point->target_offset);
201 /* standard target */
202 if (!t->u.target->target)
203 verdict = ((struct ebt_standard_target *)t)->verdict;
205 verdict = t->u.target->target(skb, in, out, hook,
206 t->u.target, t->data);
207 if (verdict == EBT_ACCEPT) {
208 read_unlock_bh(&table->lock);
211 if (verdict == EBT_DROP) {
212 read_unlock_bh(&table->lock);
215 if (verdict == EBT_RETURN) {
217 #ifdef CONFIG_NETFILTER_DEBUG
219 BUGPRINT("RETURN on base chain");
220 /* act like this is EBT_CONTINUE */
225 /* put all the local variables right */
227 chaininfo = cs[sp].chaininfo;
228 nentries = chaininfo->nentries;
230 counter_base = cb_base +
231 chaininfo->counter_offset;
234 if (verdict == EBT_CONTINUE)
236 #ifdef CONFIG_NETFILTER_DEBUG
238 BUGPRINT("bogus standard verdict\n");
239 read_unlock_bh(&table->lock);
245 cs[sp].chaininfo = chaininfo;
246 cs[sp].e = (struct ebt_entry *)
247 (((char *)point) + point->next_offset);
249 chaininfo = (struct ebt_entries *) (base + verdict);
250 #ifdef CONFIG_NETFILTER_DEBUG
251 if (chaininfo->distinguisher) {
252 BUGPRINT("jump to non-chain\n");
253 read_unlock_bh(&table->lock);
257 nentries = chaininfo->nentries;
258 point = (struct ebt_entry *)chaininfo->data;
259 counter_base = cb_base + chaininfo->counter_offset;
263 point = (struct ebt_entry *)
264 (((char *)point) + point->next_offset);
268 /* I actually like this :) */
269 if (chaininfo->policy == EBT_RETURN)
271 if (chaininfo->policy == EBT_ACCEPT) {
272 read_unlock_bh(&table->lock);
275 read_unlock_bh(&table->lock);
279 /* If it succeeds, returns element and locks mutex */
281 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
285 struct list_head list;
286 char name[EBT_FUNCTION_MAXNAMELEN];
289 *error = mutex_lock_interruptible(mutex);
293 list_for_each_entry(e, head, list) {
294 if (strcmp(e->name, name) == 0)
303 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
306 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
307 int *error, struct mutex *mutex)
311 ret = find_inlist_lock_noload(head, name, error, mutex);
313 request_module("%s%s", prefix, name);
314 ret = find_inlist_lock_noload(head, name, error, mutex);
320 static inline struct ebt_table *
321 find_table_lock(const char *name, int *error, struct mutex *mutex)
323 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
327 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
330 const struct ebt_entry *e = par->entryinfo;
331 struct xt_match *match;
332 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
335 if (left < sizeof(struct ebt_entry_match) ||
336 left - sizeof(struct ebt_entry_match) < m->match_size)
339 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
340 m->u.name, 0), "ebt_%s", m->u.name);
342 return PTR_ERR(match);
348 par->matchinfo = m->data;
349 ret = xt_check_match(par, NFPROTO_BRIDGE, m->match_size,
350 e->ethproto, e->invflags & EBT_IPROTO);
352 module_put(match->me);
361 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
362 const char *name, unsigned int hookmask, unsigned int *cnt)
364 struct xt_target *watcher;
365 size_t left = ((char *)e + e->target_offset) - (char *)w;
368 if (left < sizeof(struct ebt_entry_watcher) ||
369 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
372 watcher = try_then_request_module(
373 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
374 "ebt_%s", w->u.name);
376 return PTR_ERR(watcher);
379 w->u.watcher = watcher;
381 ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size,
382 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
385 module_put(watcher->me);
393 static int ebt_verify_pointers(struct ebt_replace *repl,
394 struct ebt_table_info *newinfo)
396 unsigned int limit = repl->entries_size;
397 unsigned int valid_hooks = repl->valid_hooks;
398 unsigned int offset = 0;
401 for (i = 0; i < NF_BR_NUMHOOKS; i++)
402 newinfo->hook_entry[i] = NULL;
404 newinfo->entries_size = repl->entries_size;
405 newinfo->nentries = repl->nentries;
407 while (offset < limit) {
408 size_t left = limit - offset;
409 struct ebt_entry *e = (void *)newinfo->entries + offset;
411 if (left < sizeof(unsigned int))
414 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
415 if ((valid_hooks & (1 << i)) == 0)
417 if ((char __user *)repl->hook_entry[i] ==
418 repl->entries + offset)
422 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
423 if (e->bitmask != 0) {
424 /* we make userspace set this right,
425 so there is no misunderstanding */
426 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
427 "in distinguisher\n");
430 if (i != NF_BR_NUMHOOKS)
431 newinfo->hook_entry[i] = (struct ebt_entries *)e;
432 if (left < sizeof(struct ebt_entries))
434 offset += sizeof(struct ebt_entries);
436 if (left < sizeof(struct ebt_entry))
438 if (left < e->next_offset)
440 offset += e->next_offset;
443 if (offset != limit) {
444 BUGPRINT("entries_size too small\n");
448 /* check if all valid hooks have a chain */
449 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
450 if (!newinfo->hook_entry[i] &&
451 (valid_hooks & (1 << i))) {
452 BUGPRINT("Valid hook without chain\n");
460 * this one is very careful, as it is the first function
461 * to parse the userspace data
464 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
465 struct ebt_table_info *newinfo,
466 unsigned int *n, unsigned int *cnt,
467 unsigned int *totalcnt, unsigned int *udc_cnt)
471 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
472 if ((void *)e == (void *)newinfo->hook_entry[i])
475 /* beginning of a new chain
476 if i == NF_BR_NUMHOOKS it must be a user defined chain */
477 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
478 /* this checks if the previous chain has as many entries
481 BUGPRINT("nentries does not equal the nr of entries "
485 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
486 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
487 /* only RETURN from udc */
488 if (i != NF_BR_NUMHOOKS ||
489 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
490 BUGPRINT("bad policy\n");
494 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
496 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
497 BUGPRINT("counter_offset != totalcnt");
500 *n = ((struct ebt_entries *)e)->nentries;
504 /* a plain old entry, heh */
505 if (sizeof(struct ebt_entry) > e->watchers_offset ||
506 e->watchers_offset > e->target_offset ||
507 e->target_offset >= e->next_offset) {
508 BUGPRINT("entry offsets not in right order\n");
511 /* this is not checked anywhere else */
512 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
513 BUGPRINT("target size too small\n");
523 struct ebt_chainstack cs;
525 unsigned int hookmask;
529 * we need these positions to check that the jumps to a different part of the
530 * entries is a jump to the beginning of a new chain.
533 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
534 unsigned int *n, struct ebt_cl_stack *udc)
538 /* we're only interested in chain starts */
541 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
542 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
545 /* only care about udc */
546 if (i != NF_BR_NUMHOOKS)
549 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
550 /* these initialisations are depended on later in check_chainloops() */
552 udc[*n].hookmask = 0;
559 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
561 struct xt_mtdtor_param par;
563 if (i && (*i)-- == 0)
566 par.match = m->u.match;
567 par.matchinfo = m->data;
568 if (par.match->destroy != NULL)
569 par.match->destroy(&par);
570 module_put(par.match->me);
575 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
577 if (i && (*i)-- == 0)
579 if (w->u.watcher->destroy)
580 w->u.watcher->destroy(w->u.watcher, w->data);
581 module_put(w->u.watcher->me);
587 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
589 struct ebt_entry_target *t;
594 if (cnt && (*cnt)-- == 0)
596 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
597 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
598 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
599 if (t->u.target->destroy)
600 t->u.target->destroy(t->u.target, t->data);
601 module_put(t->u.target->me);
607 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
608 const char *name, unsigned int *cnt,
609 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
611 struct ebt_entry_target *t;
612 struct xt_target *target;
613 unsigned int i, j, hook = 0, hookmask = 0;
616 struct xt_mtchk_param mtpar;
618 /* don't mess with the struct ebt_entries */
622 if (e->bitmask & ~EBT_F_MASK) {
623 BUGPRINT("Unknown flag for bitmask\n");
626 if (e->invflags & ~EBT_INV_MASK) {
627 BUGPRINT("Unknown flag for inv bitmask\n");
630 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
631 BUGPRINT("NOPROTO & 802_3 not allowed\n");
634 /* what hook do we belong to? */
635 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
636 if (!newinfo->hook_entry[i])
638 if ((char *)newinfo->hook_entry[i] < (char *)e)
643 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
645 if (i < NF_BR_NUMHOOKS)
646 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
648 for (i = 0; i < udc_cnt; i++)
649 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
652 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
654 hookmask = cl_s[i - 1].hookmask;
660 mtpar.hook_mask = hookmask;
661 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
663 goto cleanup_matches;
665 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
667 goto cleanup_watchers;
668 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
669 gap = e->next_offset - e->target_offset;
671 target = try_then_request_module(
672 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
673 "ebt_%s", t->u.name);
674 if (IS_ERR(target)) {
675 ret = PTR_ERR(target);
676 goto cleanup_watchers;
677 } else if (target == NULL) {
679 goto cleanup_watchers;
682 t->u.target = target;
683 if (t->u.target == &ebt_standard_target) {
684 if (gap < sizeof(struct ebt_standard_target)) {
685 BUGPRINT("Standard target size too big\n");
687 goto cleanup_watchers;
689 if (((struct ebt_standard_target *)t)->verdict <
690 -NUM_STANDARD_TARGETS) {
691 BUGPRINT("Invalid standard target\n");
693 goto cleanup_watchers;
695 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
696 module_put(t->u.target->me);
698 goto cleanup_watchers;
701 ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size,
702 name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
705 module_put(target->me);
706 goto cleanup_watchers;
711 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
713 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
718 * checks for loops and sets the hook mask for udc
719 * the hook mask for udc tells us from which base chains the udc can be
720 * accessed. This mask is a parameter to the check() functions of the extensions
722 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
723 unsigned int udc_cnt, unsigned int hooknr, char *base)
725 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
726 struct ebt_entry *e = (struct ebt_entry *)chain->data;
727 struct ebt_entry_target *t;
729 while (pos < nentries || chain_nr != -1) {
730 /* end of udc, go back one 'recursion' step */
731 if (pos == nentries) {
732 /* put back values of the time when this chain was called */
733 e = cl_s[chain_nr].cs.e;
734 if (cl_s[chain_nr].from != -1)
736 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
738 nentries = chain->nentries;
739 pos = cl_s[chain_nr].cs.n;
740 /* make sure we won't see a loop that isn't one */
741 cl_s[chain_nr].cs.n = 0;
742 chain_nr = cl_s[chain_nr].from;
746 t = (struct ebt_entry_target *)
747 (((char *)e) + e->target_offset);
748 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
750 if (e->target_offset + sizeof(struct ebt_standard_target) >
752 BUGPRINT("Standard target size too big\n");
755 verdict = ((struct ebt_standard_target *)t)->verdict;
756 if (verdict >= 0) { /* jump to another chain */
757 struct ebt_entries *hlp2 =
758 (struct ebt_entries *)(base + verdict);
759 for (i = 0; i < udc_cnt; i++)
760 if (hlp2 == cl_s[i].cs.chaininfo)
762 /* bad destination or loop */
764 BUGPRINT("bad destination\n");
771 if (cl_s[i].hookmask & (1 << hooknr))
773 /* this can't be 0, so the loop test is correct */
774 cl_s[i].cs.n = pos + 1;
776 cl_s[i].cs.e = ((void *)e + e->next_offset);
777 e = (struct ebt_entry *)(hlp2->data);
778 nentries = hlp2->nentries;
779 cl_s[i].from = chain_nr;
781 /* this udc is accessible from the base chain for hooknr */
782 cl_s[i].hookmask |= (1 << hooknr);
786 e = (void *)e + e->next_offset;
792 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
793 static int translate_table(char *name, struct ebt_table_info *newinfo)
795 unsigned int i, j, k, udc_cnt;
797 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
800 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
802 if (i == NF_BR_NUMHOOKS) {
803 BUGPRINT("No valid hooks specified\n");
806 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
807 BUGPRINT("Chains don't start at beginning\n");
810 /* make sure chains are ordered after each other in same order
811 as their corresponding hooks */
812 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
813 if (!newinfo->hook_entry[j])
815 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
816 BUGPRINT("Hook order must be followed\n");
822 /* do some early checkings and initialize some things */
823 i = 0; /* holds the expected nr. of entries for the chain */
824 j = 0; /* holds the up to now counted entries for the chain */
825 k = 0; /* holds the total nr. of entries, should equal
826 newinfo->nentries afterwards */
827 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
828 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
829 ebt_check_entry_size_and_hooks, newinfo,
830 &i, &j, &k, &udc_cnt);
836 BUGPRINT("nentries does not equal the nr of entries in the "
840 if (k != newinfo->nentries) {
841 BUGPRINT("Total nentries is wrong\n");
845 /* get the location of the udc, put them in an array
846 while we're at it, allocate the chainstack */
848 /* this will get free'd in do_replace()/ebt_register_table()
849 if an error occurs */
850 newinfo->chainstack =
851 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
852 if (!newinfo->chainstack)
854 for_each_possible_cpu(i) {
855 newinfo->chainstack[i] =
856 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
857 if (!newinfo->chainstack[i]) {
859 vfree(newinfo->chainstack[--i]);
860 vfree(newinfo->chainstack);
861 newinfo->chainstack = NULL;
866 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
869 i = 0; /* the i'th udc */
870 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
871 ebt_get_udc_positions, newinfo, &i, cl_s);
874 BUGPRINT("i != udc_cnt\n");
880 /* Check for loops */
881 for (i = 0; i < NF_BR_NUMHOOKS; i++)
882 if (newinfo->hook_entry[i])
883 if (check_chainloops(newinfo->hook_entry[i],
884 cl_s, udc_cnt, i, newinfo->entries)) {
889 /* we now know the following (along with E=mc²):
890 - the nr of entries in each chain is right
891 - the size of the allocated space is right
892 - all valid hooks have a corresponding chain
894 - wrong data can still be on the level of a single entry
895 - could be there are jumps to places that are not the
896 beginning of a chain. This can only occur in chains that
897 are not accessible from any base chains, so we don't care. */
899 /* used to know what we need to clean up if something goes wrong */
901 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
902 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
904 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
905 ebt_cleanup_entry, &i);
911 /* called under write_lock */
912 static void get_counters(struct ebt_counter *oldcounters,
913 struct ebt_counter *counters, unsigned int nentries)
916 struct ebt_counter *counter_base;
918 /* counters of cpu 0 */
919 memcpy(counters, oldcounters,
920 sizeof(struct ebt_counter) * nentries);
922 /* add other counters to those of cpu 0 */
923 for_each_possible_cpu(cpu) {
926 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
927 for (i = 0; i < nentries; i++) {
928 counters[i].pcnt += counter_base[i].pcnt;
929 counters[i].bcnt += counter_base[i].bcnt;
934 /* replace the table */
935 static int do_replace(void __user *user, unsigned int len)
937 int ret, i, countersize;
938 struct ebt_table_info *newinfo;
939 struct ebt_replace tmp;
941 struct ebt_counter *counterstmp = NULL;
942 /* used to be able to unlock earlier */
943 struct ebt_table_info *table;
945 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
948 if (len != sizeof(tmp) + tmp.entries_size) {
949 BUGPRINT("Wrong len argument\n");
953 if (tmp.entries_size == 0) {
954 BUGPRINT("Entries_size never zero\n");
958 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
959 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
961 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
964 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
965 newinfo = vmalloc(sizeof(*newinfo) + countersize);
970 memset(newinfo->counters, 0, countersize);
972 newinfo->entries = vmalloc(tmp.entries_size);
973 if (!newinfo->entries) {
978 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
979 BUGPRINT("Couldn't copy entries from userspace\n");
984 /* the user wants counters back
985 the check on the size is done later, when we have the lock */
986 if (tmp.num_counters) {
987 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
996 /* this can get initialized by translate_table() */
997 newinfo->chainstack = NULL;
998 ret = ebt_verify_pointers(&tmp, newinfo);
1000 goto free_counterstmp;
1002 ret = translate_table(tmp.name, newinfo);
1005 goto free_counterstmp;
1007 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1013 /* the table doesn't like it */
1014 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1017 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1018 BUGPRINT("Wrong nr. of counters requested\n");
1023 /* we have the mutex lock, so no danger in reading this pointer */
1025 /* make sure the table can only be rmmod'ed if it contains no rules */
1026 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1029 } else if (table->nentries && !newinfo->nentries)
1031 /* we need an atomic snapshot of the counters */
1032 write_lock_bh(&t->lock);
1033 if (tmp.num_counters)
1034 get_counters(t->private->counters, counterstmp,
1035 t->private->nentries);
1037 t->private = newinfo;
1038 write_unlock_bh(&t->lock);
1039 mutex_unlock(&ebt_mutex);
1040 /* so, a user can change the chains while having messed up her counter
1041 allocation. Only reason why this is done is because this way the lock
1042 is held only once, while this doesn't bring the kernel into a
1044 if (tmp.num_counters &&
1045 copy_to_user(tmp.counters, counterstmp,
1046 tmp.num_counters * sizeof(struct ebt_counter))) {
1047 BUGPRINT("Couldn't copy counters to userspace\n");
1053 /* decrease module count and free resources */
1054 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1055 ebt_cleanup_entry, NULL);
1057 vfree(table->entries);
1058 if (table->chainstack) {
1059 for_each_possible_cpu(i)
1060 vfree(table->chainstack[i]);
1061 vfree(table->chainstack);
1069 mutex_unlock(&ebt_mutex);
1071 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1072 ebt_cleanup_entry, NULL);
1075 /* can be initialized in translate_table() */
1076 if (newinfo->chainstack) {
1077 for_each_possible_cpu(i)
1078 vfree(newinfo->chainstack[i]);
1079 vfree(newinfo->chainstack);
1082 vfree(newinfo->entries);
1088 int ebt_register_table(struct ebt_table *table)
1090 struct ebt_table_info *newinfo;
1091 struct ebt_table *t;
1092 struct ebt_replace_kernel *repl;
1093 int ret, i, countersize;
1096 if (!table || !(repl = table->table) || !repl->entries ||
1097 repl->entries_size == 0 ||
1098 repl->counters || table->private) {
1099 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1103 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1104 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1109 p = vmalloc(repl->entries_size);
1113 memcpy(p, repl->entries, repl->entries_size);
1114 newinfo->entries = p;
1116 newinfo->entries_size = repl->entries_size;
1117 newinfo->nentries = repl->nentries;
1120 memset(newinfo->counters, 0, countersize);
1122 /* fill in newinfo and parse the entries */
1123 newinfo->chainstack = NULL;
1124 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1125 if ((repl->valid_hooks & (1 << i)) == 0)
1126 newinfo->hook_entry[i] = NULL;
1128 newinfo->hook_entry[i] = p +
1129 ((char *)repl->hook_entry[i] - repl->entries);
1131 ret = translate_table(repl->name, newinfo);
1133 BUGPRINT("Translate_table failed\n");
1134 goto free_chainstack;
1137 if (table->check && table->check(newinfo, table->valid_hooks)) {
1138 BUGPRINT("The table doesn't like its own initial data, lol\n");
1142 table->private = newinfo;
1143 rwlock_init(&table->lock);
1144 ret = mutex_lock_interruptible(&ebt_mutex);
1146 goto free_chainstack;
1148 list_for_each_entry(t, &ebt_tables, list) {
1149 if (strcmp(t->name, table->name) == 0) {
1151 BUGPRINT("Table name already exists\n");
1156 /* Hold a reference count if the chains aren't empty */
1157 if (newinfo->nentries && !try_module_get(table->me)) {
1161 list_add(&table->list, &ebt_tables);
1162 mutex_unlock(&ebt_mutex);
1165 mutex_unlock(&ebt_mutex);
1167 if (newinfo->chainstack) {
1168 for_each_possible_cpu(i)
1169 vfree(newinfo->chainstack[i]);
1170 vfree(newinfo->chainstack);
1172 vfree(newinfo->entries);
1178 void ebt_unregister_table(struct ebt_table *table)
1183 BUGPRINT("Request to unregister NULL table!!!\n");
1186 mutex_lock(&ebt_mutex);
1187 list_del(&table->list);
1188 mutex_unlock(&ebt_mutex);
1189 vfree(table->private->entries);
1190 if (table->private->chainstack) {
1191 for_each_possible_cpu(i)
1192 vfree(table->private->chainstack[i]);
1193 vfree(table->private->chainstack);
1195 vfree(table->private);
1198 /* userspace just supplied us with counters */
1199 static int update_counters(void __user *user, unsigned int len)
1202 struct ebt_counter *tmp;
1203 struct ebt_replace hlp;
1204 struct ebt_table *t;
1206 if (copy_from_user(&hlp, user, sizeof(hlp)))
1209 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1211 if (hlp.num_counters == 0)
1214 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1215 MEMPRINT("Update_counters && nomemory\n");
1219 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1223 if (hlp.num_counters != t->private->nentries) {
1224 BUGPRINT("Wrong nr of counters\n");
1229 if ( copy_from_user(tmp, hlp.counters,
1230 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1231 BUGPRINT("Updata_counters && !cfu\n");
1236 /* we want an atomic add of the counters */
1237 write_lock_bh(&t->lock);
1239 /* we add to the counters of the first cpu */
1240 for (i = 0; i < hlp.num_counters; i++) {
1241 t->private->counters[i].pcnt += tmp[i].pcnt;
1242 t->private->counters[i].bcnt += tmp[i].bcnt;
1245 write_unlock_bh(&t->lock);
1248 mutex_unlock(&ebt_mutex);
1254 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1255 char *base, char __user *ubase)
1257 char __user *hlp = ubase + ((char *)m - base);
1258 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1263 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1264 char *base, char __user *ubase)
1266 char __user *hlp = ubase + ((char *)w - base);
1267 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1272 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1276 struct ebt_entry_target *t;
1278 if (e->bitmask == 0)
1281 hlp = ubase + (((char *)e + e->target_offset) - base);
1282 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1284 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1287 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1290 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1295 /* called with ebt_mutex locked */
1296 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1299 struct ebt_replace tmp;
1300 struct ebt_counter *counterstmp, *oldcounters;
1301 unsigned int entries_size, nentries;
1304 if (cmd == EBT_SO_GET_ENTRIES) {
1305 entries_size = t->private->entries_size;
1306 nentries = t->private->nentries;
1307 entries = t->private->entries;
1308 oldcounters = t->private->counters;
1310 entries_size = t->table->entries_size;
1311 nentries = t->table->nentries;
1312 entries = t->table->entries;
1313 oldcounters = t->table->counters;
1316 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1317 BUGPRINT("Cfu didn't work\n");
1321 if (*len != sizeof(struct ebt_replace) + entries_size +
1322 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1323 BUGPRINT("Wrong size\n");
1327 if (tmp.nentries != nentries) {
1328 BUGPRINT("Nentries wrong\n");
1332 if (tmp.entries_size != entries_size) {
1333 BUGPRINT("Wrong size\n");
1337 /* userspace might not need the counters */
1338 if (tmp.num_counters) {
1339 if (tmp.num_counters != nentries) {
1340 BUGPRINT("Num_counters wrong\n");
1343 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1345 MEMPRINT("Couldn't copy counters, out of memory\n");
1348 write_lock_bh(&t->lock);
1349 get_counters(oldcounters, counterstmp, nentries);
1350 write_unlock_bh(&t->lock);
1352 if (copy_to_user(tmp.counters, counterstmp,
1353 nentries * sizeof(struct ebt_counter))) {
1354 BUGPRINT("Couldn't copy counters to userspace\n");
1361 if (copy_to_user(tmp.entries, entries, entries_size)) {
1362 BUGPRINT("Couldn't copy entries to userspace\n");
1365 /* set the match/watcher/target names right */
1366 return EBT_ENTRY_ITERATE(entries, entries_size,
1367 ebt_make_names, entries, tmp.entries);
1370 static int do_ebt_set_ctl(struct sock *sk,
1371 int cmd, void __user *user, unsigned int len)
1376 case EBT_SO_SET_ENTRIES:
1377 ret = do_replace(user, len);
1379 case EBT_SO_SET_COUNTERS:
1380 ret = update_counters(user, len);
1388 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1391 struct ebt_replace tmp;
1392 struct ebt_table *t;
1394 if (copy_from_user(&tmp, user, sizeof(tmp)))
1397 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1402 case EBT_SO_GET_INFO:
1403 case EBT_SO_GET_INIT_INFO:
1404 if (*len != sizeof(struct ebt_replace)){
1406 mutex_unlock(&ebt_mutex);
1409 if (cmd == EBT_SO_GET_INFO) {
1410 tmp.nentries = t->private->nentries;
1411 tmp.entries_size = t->private->entries_size;
1412 tmp.valid_hooks = t->valid_hooks;
1414 tmp.nentries = t->table->nentries;
1415 tmp.entries_size = t->table->entries_size;
1416 tmp.valid_hooks = t->table->valid_hooks;
1418 mutex_unlock(&ebt_mutex);
1419 if (copy_to_user(user, &tmp, *len) != 0){
1420 BUGPRINT("c2u Didn't work\n");
1427 case EBT_SO_GET_ENTRIES:
1428 case EBT_SO_GET_INIT_ENTRIES:
1429 ret = copy_everything_to_user(t, user, len, cmd);
1430 mutex_unlock(&ebt_mutex);
1434 mutex_unlock(&ebt_mutex);
1441 static struct nf_sockopt_ops ebt_sockopts =
1444 .set_optmin = EBT_BASE_CTL,
1445 .set_optmax = EBT_SO_SET_MAX + 1,
1446 .set = do_ebt_set_ctl,
1447 .get_optmin = EBT_BASE_CTL,
1448 .get_optmax = EBT_SO_GET_MAX + 1,
1449 .get = do_ebt_get_ctl,
1450 .owner = THIS_MODULE,
1453 static int __init ebtables_init(void)
1457 ret = xt_register_target(&ebt_standard_target);
1460 ret = nf_register_sockopt(&ebt_sockopts);
1462 xt_unregister_target(&ebt_standard_target);
1466 printk(KERN_INFO "Ebtables v2.0 registered\n");
1470 static void __exit ebtables_fini(void)
1472 nf_unregister_sockopt(&ebt_sockopts);
1473 xt_unregister_target(&ebt_standard_target);
1474 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1477 EXPORT_SYMBOL(ebt_register_table);
1478 EXPORT_SYMBOL(ebt_unregister_table);
1479 EXPORT_SYMBOL(ebt_do_table);
1480 module_init(ebtables_init);
1481 module_exit(ebtables_fini);
1482 MODULE_LICENSE("GPL");