5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <linux/mutex.h>
28 #include <asm/uaccess.h>
29 #include <linux/smp.h>
30 #include <linux/cpumask.h>
32 /* needed for logical [in,out]-dev filtering */
33 #include "../br_private.h"
35 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
36 "report to author: "format, ## args)
37 /* #define BUGPRINT(format, args...) */
38 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
39 ": out of memory: "format, ## args)
40 /* #define MEMPRINT(format, args...) */
45 * Each cpu has its own set of counters, so there is no need for write_lock in
47 * For reading or updating the counters, the user context needs to
51 /* The size of each set of counters is altered to get cache alignment */
52 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
53 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
54 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
55 COUNTER_OFFSET(n) * cpu))
59 static DEFINE_MUTEX(ebt_mutex);
60 static LIST_HEAD(ebt_tables);
61 static LIST_HEAD(ebt_targets);
62 static LIST_HEAD(ebt_matches);
63 static LIST_HEAD(ebt_watchers);
65 static struct ebt_target ebt_standard_target =
66 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
68 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
69 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
70 const struct net_device *out)
72 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, const struct net_device *in,
80 const struct net_device *out)
82 return m->u.match->match(skb, in, out, m->data,
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
89 const char *devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
158 struct ebt_table_info *private;
160 read_lock_bh(&table->lock);
161 private = table->private;
162 cb_base = COUNTER_BASE(private->counters, private->nentries,
164 if (private->chainstack)
165 cs = private->chainstack[smp_processor_id()];
168 chaininfo = private->hook_entry[hook];
169 nentries = private->hook_entry[hook]->nentries;
170 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
171 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
172 /* base for chain jumps */
173 base = private->entries;
175 while (i < nentries) {
176 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
179 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
182 /* increase counter */
183 (*(counter_base + i)).pcnt++;
184 (*(counter_base + i)).bcnt+=(**pskb).len;
186 /* these should only watch: not modify, nor tell us
187 what to do with the packet */
188 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
191 t = (struct ebt_entry_target *)
192 (((char *)point) + point->target_offset);
193 /* standard target */
194 if (!t->u.target->target)
195 verdict = ((struct ebt_standard_target *)t)->verdict;
197 verdict = t->u.target->target(pskb, hook,
198 in, out, t->data, t->target_size);
199 if (verdict == EBT_ACCEPT) {
200 read_unlock_bh(&table->lock);
203 if (verdict == EBT_DROP) {
204 read_unlock_bh(&table->lock);
207 if (verdict == EBT_RETURN) {
209 #ifdef CONFIG_NETFILTER_DEBUG
211 BUGPRINT("RETURN on base chain");
212 /* act like this is EBT_CONTINUE */
217 /* put all the local variables right */
219 chaininfo = cs[sp].chaininfo;
220 nentries = chaininfo->nentries;
222 counter_base = cb_base +
223 chaininfo->counter_offset;
226 if (verdict == EBT_CONTINUE)
228 #ifdef CONFIG_NETFILTER_DEBUG
230 BUGPRINT("bogus standard verdict\n");
231 read_unlock_bh(&table->lock);
237 cs[sp].chaininfo = chaininfo;
238 cs[sp].e = (struct ebt_entry *)
239 (((char *)point) + point->next_offset);
241 chaininfo = (struct ebt_entries *) (base + verdict);
242 #ifdef CONFIG_NETFILTER_DEBUG
243 if (chaininfo->distinguisher) {
244 BUGPRINT("jump to non-chain\n");
245 read_unlock_bh(&table->lock);
249 nentries = chaininfo->nentries;
250 point = (struct ebt_entry *)chaininfo->data;
251 counter_base = cb_base + chaininfo->counter_offset;
255 point = (struct ebt_entry *)
256 (((char *)point) + point->next_offset);
260 /* I actually like this :) */
261 if (chaininfo->policy == EBT_RETURN)
263 if (chaininfo->policy == EBT_ACCEPT) {
264 read_unlock_bh(&table->lock);
267 read_unlock_bh(&table->lock);
271 /* If it succeeds, returns element and locks mutex */
273 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
277 struct list_head list;
278 char name[EBT_FUNCTION_MAXNAMELEN];
281 *error = mutex_lock_interruptible(mutex);
285 list_for_each_entry(e, head, list) {
286 if (strcmp(e->name, name) == 0)
295 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
298 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
299 int *error, struct mutex *mutex)
303 ret = find_inlist_lock_noload(head, name, error, mutex);
305 request_module("%s%s", prefix, name);
306 ret = find_inlist_lock_noload(head, name, error, mutex);
312 static inline struct ebt_table *
313 find_table_lock(const char *name, int *error, struct mutex *mutex)
315 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
318 static inline struct ebt_match *
319 find_match_lock(const char *name, int *error, struct mutex *mutex)
321 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
324 static inline struct ebt_watcher *
325 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
327 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
330 static inline struct ebt_target *
331 find_target_lock(const char *name, int *error, struct mutex *mutex)
333 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
337 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
338 const char *name, unsigned int hookmask, unsigned int *cnt)
340 struct ebt_match *match;
341 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
344 if (left < sizeof(struct ebt_entry_match) ||
345 left - sizeof(struct ebt_entry_match) < m->match_size)
347 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
351 if (!try_module_get(match->me)) {
352 mutex_unlock(&ebt_mutex);
355 mutex_unlock(&ebt_mutex);
357 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
358 BUGPRINT("match->check failed\n");
359 module_put(match->me);
367 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
368 const char *name, unsigned int hookmask, unsigned int *cnt)
370 struct ebt_watcher *watcher;
371 size_t left = ((char *)e + e->target_offset) - (char *)w;
374 if (left < sizeof(struct ebt_entry_watcher) ||
375 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
377 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
380 w->u.watcher = watcher;
381 if (!try_module_get(watcher->me)) {
382 mutex_unlock(&ebt_mutex);
385 mutex_unlock(&ebt_mutex);
386 if (watcher->check &&
387 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
388 BUGPRINT("watcher->check failed\n");
389 module_put(watcher->me);
396 static int ebt_verify_pointers(struct ebt_replace *repl,
397 struct ebt_table_info *newinfo)
399 unsigned int limit = repl->entries_size;
400 unsigned int valid_hooks = repl->valid_hooks;
401 unsigned int offset = 0;
404 while (offset < limit) {
405 size_t left = limit - offset;
406 struct ebt_entry *e = (void *)newinfo->entries + offset;
408 if (left < sizeof(unsigned int))
411 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
412 if ((valid_hooks & (1 << i)) == 0)
414 if ((char *)repl->hook_entry[i] == repl->entries + offset)
418 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
419 if (e->bitmask != 0) {
420 /* we make userspace set this right,
421 so there is no misunderstanding */
422 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
423 "in distinguisher\n");
426 if (i != NF_BR_NUMHOOKS)
427 newinfo->hook_entry[i] = (struct ebt_entries *)e;
428 if (left < sizeof(struct ebt_entries))
430 offset += sizeof(struct ebt_entries);
432 if (left < sizeof(struct ebt_entry))
434 if (left < e->next_offset)
436 offset += e->next_offset;
439 if (offset != limit) {
440 BUGPRINT("entries_size too small\n");
447 * this one is very careful, as it is the first function
448 * to parse the userspace data
451 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
452 struct ebt_table_info *newinfo, char *base,
453 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
454 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
456 unsigned int offset = (char *)e - newinfo->entries;
459 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
460 if ((valid_hooks & (1 << i)) == 0)
462 if ((char *)hook_entries[i] == base + offset)
465 /* beginning of a new chain
466 if i == NF_BR_NUMHOOKS it must be a user defined chain */
467 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
468 /* this checks if the previous chain has as many entries
471 BUGPRINT("nentries does not equal the nr of entries "
475 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
476 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
477 /* only RETURN from udc */
478 if (i != NF_BR_NUMHOOKS ||
479 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
480 BUGPRINT("bad policy\n");
484 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
486 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
487 BUGPRINT("counter_offset != totalcnt");
490 *n = ((struct ebt_entries *)e)->nentries;
494 /* a plain old entry, heh */
495 if (sizeof(struct ebt_entry) > e->watchers_offset ||
496 e->watchers_offset > e->target_offset ||
497 e->target_offset >= e->next_offset) {
498 BUGPRINT("entry offsets not in right order\n");
501 /* this is not checked anywhere else */
502 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
503 BUGPRINT("target size too small\n");
513 struct ebt_chainstack cs;
515 unsigned int hookmask;
519 * we need these positions to check that the jumps to a different part of the
520 * entries is a jump to the beginning of a new chain.
523 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
524 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
525 struct ebt_cl_stack *udc)
529 /* we're only interested in chain starts */
532 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
533 if ((valid_hooks & (1 << i)) == 0)
535 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
538 /* only care about udc */
539 if (i != NF_BR_NUMHOOKS)
542 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
543 /* these initialisations are depended on later in check_chainloops() */
545 udc[*n].hookmask = 0;
552 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
554 if (i && (*i)-- == 0)
556 if (m->u.match->destroy)
557 m->u.match->destroy(m->data, m->match_size);
558 module_put(m->u.match->me);
564 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
566 if (i && (*i)-- == 0)
568 if (w->u.watcher->destroy)
569 w->u.watcher->destroy(w->data, w->watcher_size);
570 module_put(w->u.watcher->me);
576 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
578 struct ebt_entry_target *t;
583 if (cnt && (*cnt)-- == 0)
585 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
586 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
587 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
588 if (t->u.target->destroy)
589 t->u.target->destroy(t->data, t->target_size);
590 module_put(t->u.target->me);
596 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
597 const char *name, unsigned int *cnt, unsigned int valid_hooks,
598 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
600 struct ebt_entry_target *t;
601 struct ebt_target *target;
602 unsigned int i, j, hook = 0, hookmask = 0;
603 size_t gap = e->next_offset - e->target_offset;
606 /* don't mess with the struct ebt_entries */
610 if (e->bitmask & ~EBT_F_MASK) {
611 BUGPRINT("Unknown flag for bitmask\n");
614 if (e->invflags & ~EBT_INV_MASK) {
615 BUGPRINT("Unknown flag for inv bitmask\n");
618 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
619 BUGPRINT("NOPROTO & 802_3 not allowed\n");
622 /* what hook do we belong to? */
623 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
624 if ((valid_hooks & (1 << i)) == 0)
626 if ((char *)newinfo->hook_entry[i] < (char *)e)
631 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
633 if (i < NF_BR_NUMHOOKS)
634 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
636 for (i = 0; i < udc_cnt; i++)
637 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
640 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
642 hookmask = cl_s[i - 1].hookmask;
645 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
647 goto cleanup_matches;
649 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
651 goto cleanup_watchers;
652 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
653 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
655 goto cleanup_watchers;
656 if (!try_module_get(target->me)) {
657 mutex_unlock(&ebt_mutex);
659 goto cleanup_watchers;
661 mutex_unlock(&ebt_mutex);
663 t->u.target = target;
664 if (t->u.target == &ebt_standard_target) {
665 if (gap < sizeof(struct ebt_standard_target)) {
666 BUGPRINT("Standard target size too big\n");
668 goto cleanup_watchers;
670 if (((struct ebt_standard_target *)t)->verdict <
671 -NUM_STANDARD_TARGETS) {
672 BUGPRINT("Invalid standard target\n");
674 goto cleanup_watchers;
676 } else if (t->target_size > gap - sizeof(struct ebt_entry_target) ||
677 (t->u.target->check &&
678 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
679 module_put(t->u.target->me);
681 goto cleanup_watchers;
686 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
688 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
693 * checks for loops and sets the hook mask for udc
694 * the hook mask for udc tells us from which base chains the udc can be
695 * accessed. This mask is a parameter to the check() functions of the extensions
697 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
698 unsigned int udc_cnt, unsigned int hooknr, char *base)
700 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
701 struct ebt_entry *e = (struct ebt_entry *)chain->data;
702 struct ebt_entry_target *t;
704 while (pos < nentries || chain_nr != -1) {
705 /* end of udc, go back one 'recursion' step */
706 if (pos == nentries) {
707 /* put back values of the time when this chain was called */
708 e = cl_s[chain_nr].cs.e;
709 if (cl_s[chain_nr].from != -1)
711 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
713 nentries = chain->nentries;
714 pos = cl_s[chain_nr].cs.n;
715 /* make sure we won't see a loop that isn't one */
716 cl_s[chain_nr].cs.n = 0;
717 chain_nr = cl_s[chain_nr].from;
721 t = (struct ebt_entry_target *)
722 (((char *)e) + e->target_offset);
723 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
725 if (e->target_offset + sizeof(struct ebt_standard_target) >
727 BUGPRINT("Standard target size too big\n");
730 verdict = ((struct ebt_standard_target *)t)->verdict;
731 if (verdict >= 0) { /* jump to another chain */
732 struct ebt_entries *hlp2 =
733 (struct ebt_entries *)(base + verdict);
734 for (i = 0; i < udc_cnt; i++)
735 if (hlp2 == cl_s[i].cs.chaininfo)
737 /* bad destination or loop */
739 BUGPRINT("bad destination\n");
746 if (cl_s[i].hookmask & (1 << hooknr))
748 /* this can't be 0, so the loop test is correct */
749 cl_s[i].cs.n = pos + 1;
751 cl_s[i].cs.e = ((void *)e + e->next_offset);
752 e = (struct ebt_entry *)(hlp2->data);
753 nentries = hlp2->nentries;
754 cl_s[i].from = chain_nr;
756 /* this udc is accessible from the base chain for hooknr */
757 cl_s[i].hookmask |= (1 << hooknr);
761 e = (void *)e + e->next_offset;
767 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
768 static int translate_table(struct ebt_replace *repl,
769 struct ebt_table_info *newinfo)
771 unsigned int i, j, k, udc_cnt;
773 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
776 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
778 if (i == NF_BR_NUMHOOKS) {
779 BUGPRINT("No valid hooks specified\n");
782 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
783 BUGPRINT("Chains don't start at beginning\n");
786 /* make sure chains are ordered after each other in same order
787 as their corresponding hooks */
788 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
789 if (!(repl->valid_hooks & (1 << j)))
791 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
792 BUGPRINT("Hook order must be followed\n");
798 for (i = 0; i < NF_BR_NUMHOOKS; i++)
799 newinfo->hook_entry[i] = NULL;
801 newinfo->entries_size = repl->entries_size;
802 newinfo->nentries = repl->nentries;
804 ret = ebt_verify_pointers(repl, newinfo);
808 /* do some early checkings and initialize some things */
809 i = 0; /* holds the expected nr. of entries for the chain */
810 j = 0; /* holds the up to now counted entries for the chain */
811 k = 0; /* holds the total nr. of entries, should equal
812 newinfo->nentries afterwards */
813 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
814 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
815 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
816 repl->hook_entry, &i, &j, &k,
817 &udc_cnt, repl->valid_hooks);
823 BUGPRINT("nentries does not equal the nr of entries in the "
827 if (k != newinfo->nentries) {
828 BUGPRINT("Total nentries is wrong\n");
832 /* check if all valid hooks have a chain */
833 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
834 if (newinfo->hook_entry[i] == NULL &&
835 (repl->valid_hooks & (1 << i))) {
836 BUGPRINT("Valid hook without chain\n");
841 /* get the location of the udc, put them in an array
842 while we're at it, allocate the chainstack */
844 /* this will get free'd in do_replace()/ebt_register_table()
845 if an error occurs */
846 newinfo->chainstack =
847 vmalloc((highest_possible_processor_id()+1)
848 * sizeof(*(newinfo->chainstack)));
849 if (!newinfo->chainstack)
851 for_each_possible_cpu(i) {
852 newinfo->chainstack[i] =
853 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
854 if (!newinfo->chainstack[i]) {
856 vfree(newinfo->chainstack[--i]);
857 vfree(newinfo->chainstack);
858 newinfo->chainstack = NULL;
863 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
866 i = 0; /* the i'th udc */
867 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
868 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
869 repl->valid_hooks, cl_s);
872 BUGPRINT("i != udc_cnt\n");
878 /* Check for loops */
879 for (i = 0; i < NF_BR_NUMHOOKS; i++)
880 if (repl->valid_hooks & (1 << i))
881 if (check_chainloops(newinfo->hook_entry[i],
882 cl_s, udc_cnt, i, newinfo->entries)) {
887 /* we now know the following (along with E=mc²):
888 - the nr of entries in each chain is right
889 - the size of the allocated space is right
890 - all valid hooks have a corresponding chain
892 - wrong data can still be on the level of a single entry
893 - could be there are jumps to places that are not the
894 beginning of a chain. This can only occur in chains that
895 are not accessible from any base chains, so we don't care. */
897 /* used to know what we need to clean up if something goes wrong */
899 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
900 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
903 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
904 ebt_cleanup_entry, &i);
910 /* called under write_lock */
911 static void get_counters(struct ebt_counter *oldcounters,
912 struct ebt_counter *counters, unsigned int nentries)
915 struct ebt_counter *counter_base;
917 /* counters of cpu 0 */
918 memcpy(counters, oldcounters,
919 sizeof(struct ebt_counter) * nentries);
921 /* add other counters to those of cpu 0 */
922 for_each_possible_cpu(cpu) {
925 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
926 for (i = 0; i < nentries; i++) {
927 counters[i].pcnt += counter_base[i].pcnt;
928 counters[i].bcnt += counter_base[i].bcnt;
933 /* replace the table */
934 static int do_replace(void __user *user, unsigned int len)
936 int ret, i, countersize;
937 struct ebt_table_info *newinfo;
938 struct ebt_replace tmp;
940 struct ebt_counter *counterstmp = NULL;
941 /* used to be able to unlock earlier */
942 struct ebt_table_info *table;
944 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
947 if (len != sizeof(tmp) + tmp.entries_size) {
948 BUGPRINT("Wrong len argument\n");
952 if (tmp.entries_size == 0) {
953 BUGPRINT("Entries_size never zero\n");
957 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
958 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
960 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
963 countersize = COUNTER_OFFSET(tmp.nentries) *
964 (highest_possible_processor_id()+1);
965 newinfo = vmalloc(sizeof(*newinfo) + countersize);
970 memset(newinfo->counters, 0, countersize);
972 newinfo->entries = vmalloc(tmp.entries_size);
973 if (!newinfo->entries) {
978 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
979 BUGPRINT("Couldn't copy entries from userspace\n");
984 /* the user wants counters back
985 the check on the size is done later, when we have the lock */
986 if (tmp.num_counters) {
987 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
996 /* this can get initialized by translate_table() */
997 newinfo->chainstack = NULL;
998 ret = translate_table(&tmp, newinfo);
1001 goto free_counterstmp;
1003 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1009 /* the table doesn't like it */
1010 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1013 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1014 BUGPRINT("Wrong nr. of counters requested\n");
1019 /* we have the mutex lock, so no danger in reading this pointer */
1021 /* make sure the table can only be rmmod'ed if it contains no rules */
1022 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1025 } else if (table->nentries && !newinfo->nentries)
1027 /* we need an atomic snapshot of the counters */
1028 write_lock_bh(&t->lock);
1029 if (tmp.num_counters)
1030 get_counters(t->private->counters, counterstmp,
1031 t->private->nentries);
1033 t->private = newinfo;
1034 write_unlock_bh(&t->lock);
1035 mutex_unlock(&ebt_mutex);
1036 /* so, a user can change the chains while having messed up her counter
1037 allocation. Only reason why this is done is because this way the lock
1038 is held only once, while this doesn't bring the kernel into a
1040 if (tmp.num_counters &&
1041 copy_to_user(tmp.counters, counterstmp,
1042 tmp.num_counters * sizeof(struct ebt_counter))) {
1043 BUGPRINT("Couldn't copy counters to userspace\n");
1049 /* decrease module count and free resources */
1050 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1051 ebt_cleanup_entry, NULL);
1053 vfree(table->entries);
1054 if (table->chainstack) {
1055 for_each_possible_cpu(i)
1056 vfree(table->chainstack[i]);
1057 vfree(table->chainstack);
1065 mutex_unlock(&ebt_mutex);
1067 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1068 ebt_cleanup_entry, NULL);
1071 /* can be initialized in translate_table() */
1072 if (newinfo->chainstack) {
1073 for_each_possible_cpu(i)
1074 vfree(newinfo->chainstack[i]);
1075 vfree(newinfo->chainstack);
1078 vfree(newinfo->entries);
1084 int ebt_register_target(struct ebt_target *target)
1086 struct ebt_target *t;
1089 ret = mutex_lock_interruptible(&ebt_mutex);
1092 list_for_each_entry(t, &ebt_targets, list) {
1093 if (strcmp(t->name, target->name) == 0) {
1094 mutex_unlock(&ebt_mutex);
1098 list_add(&target->list, &ebt_targets);
1099 mutex_unlock(&ebt_mutex);
1104 void ebt_unregister_target(struct ebt_target *target)
1106 mutex_lock(&ebt_mutex);
1107 list_del(&target->list);
1108 mutex_unlock(&ebt_mutex);
1111 int ebt_register_match(struct ebt_match *match)
1113 struct ebt_match *m;
1116 ret = mutex_lock_interruptible(&ebt_mutex);
1119 list_for_each_entry(m, &ebt_matches, list) {
1120 if (strcmp(m->name, match->name) == 0) {
1121 mutex_unlock(&ebt_mutex);
1125 list_add(&match->list, &ebt_matches);
1126 mutex_unlock(&ebt_mutex);
1131 void ebt_unregister_match(struct ebt_match *match)
1133 mutex_lock(&ebt_mutex);
1134 list_del(&match->list);
1135 mutex_unlock(&ebt_mutex);
1138 int ebt_register_watcher(struct ebt_watcher *watcher)
1140 struct ebt_watcher *w;
1143 ret = mutex_lock_interruptible(&ebt_mutex);
1146 list_for_each_entry(w, &ebt_watchers, list) {
1147 if (strcmp(w->name, watcher->name) == 0) {
1148 mutex_unlock(&ebt_mutex);
1152 list_add(&watcher->list, &ebt_watchers);
1153 mutex_unlock(&ebt_mutex);
1158 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1160 mutex_lock(&ebt_mutex);
1161 list_del(&watcher->list);
1162 mutex_unlock(&ebt_mutex);
1165 int ebt_register_table(struct ebt_table *table)
1167 struct ebt_table_info *newinfo;
1168 struct ebt_table *t;
1169 int ret, i, countersize;
1171 if (!table || !table->table ||!table->table->entries ||
1172 table->table->entries_size == 0 ||
1173 table->table->counters || table->private) {
1174 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1178 countersize = COUNTER_OFFSET(table->table->nentries) *
1179 (highest_possible_processor_id()+1);
1180 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1185 newinfo->entries = vmalloc(table->table->entries_size);
1186 if (!(newinfo->entries))
1189 memcpy(newinfo->entries, table->table->entries,
1190 table->table->entries_size);
1193 memset(newinfo->counters, 0, countersize);
1195 /* fill in newinfo and parse the entries */
1196 newinfo->chainstack = NULL;
1197 ret = translate_table(table->table, newinfo);
1199 BUGPRINT("Translate_table failed\n");
1200 goto free_chainstack;
1203 if (table->check && table->check(newinfo, table->valid_hooks)) {
1204 BUGPRINT("The table doesn't like its own initial data, lol\n");
1208 table->private = newinfo;
1209 rwlock_init(&table->lock);
1210 ret = mutex_lock_interruptible(&ebt_mutex);
1212 goto free_chainstack;
1214 list_for_each_entry(t, &ebt_tables, list) {
1215 if (strcmp(t->name, table->name) == 0) {
1217 BUGPRINT("Table name already exists\n");
1222 /* Hold a reference count if the chains aren't empty */
1223 if (newinfo->nentries && !try_module_get(table->me)) {
1227 list_add(&table->list, &ebt_tables);
1228 mutex_unlock(&ebt_mutex);
1231 mutex_unlock(&ebt_mutex);
1233 if (newinfo->chainstack) {
1234 for_each_possible_cpu(i)
1235 vfree(newinfo->chainstack[i]);
1236 vfree(newinfo->chainstack);
1238 vfree(newinfo->entries);
1244 void ebt_unregister_table(struct ebt_table *table)
1249 BUGPRINT("Request to unregister NULL table!!!\n");
1252 mutex_lock(&ebt_mutex);
1253 list_del(&table->list);
1254 mutex_unlock(&ebt_mutex);
1255 vfree(table->private->entries);
1256 if (table->private->chainstack) {
1257 for_each_possible_cpu(i)
1258 vfree(table->private->chainstack[i]);
1259 vfree(table->private->chainstack);
1261 vfree(table->private);
1264 /* userspace just supplied us with counters */
1265 static int update_counters(void __user *user, unsigned int len)
1268 struct ebt_counter *tmp;
1269 struct ebt_replace hlp;
1270 struct ebt_table *t;
1272 if (copy_from_user(&hlp, user, sizeof(hlp)))
1275 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1277 if (hlp.num_counters == 0)
1280 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1281 MEMPRINT("Update_counters && nomemory\n");
1285 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1289 if (hlp.num_counters != t->private->nentries) {
1290 BUGPRINT("Wrong nr of counters\n");
1295 if ( copy_from_user(tmp, hlp.counters,
1296 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1297 BUGPRINT("Updata_counters && !cfu\n");
1302 /* we want an atomic add of the counters */
1303 write_lock_bh(&t->lock);
1305 /* we add to the counters of the first cpu */
1306 for (i = 0; i < hlp.num_counters; i++) {
1307 t->private->counters[i].pcnt += tmp[i].pcnt;
1308 t->private->counters[i].bcnt += tmp[i].bcnt;
1311 write_unlock_bh(&t->lock);
1314 mutex_unlock(&ebt_mutex);
1320 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1321 char *base, char *ubase)
1323 char *hlp = ubase - base + (char *)m;
1324 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1329 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1330 char *base, char *ubase)
1332 char *hlp = ubase - base + (char *)w;
1333 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1338 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1342 struct ebt_entry_target *t;
1344 if (e->bitmask == 0)
1347 hlp = ubase - base + (char *)e + e->target_offset;
1348 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1350 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1353 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1356 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1361 /* called with ebt_mutex locked */
1362 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1365 struct ebt_replace tmp;
1366 struct ebt_counter *counterstmp, *oldcounters;
1367 unsigned int entries_size, nentries;
1370 if (cmd == EBT_SO_GET_ENTRIES) {
1371 entries_size = t->private->entries_size;
1372 nentries = t->private->nentries;
1373 entries = t->private->entries;
1374 oldcounters = t->private->counters;
1376 entries_size = t->table->entries_size;
1377 nentries = t->table->nentries;
1378 entries = t->table->entries;
1379 oldcounters = t->table->counters;
1382 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1383 BUGPRINT("Cfu didn't work\n");
1387 if (*len != sizeof(struct ebt_replace) + entries_size +
1388 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1389 BUGPRINT("Wrong size\n");
1393 if (tmp.nentries != nentries) {
1394 BUGPRINT("Nentries wrong\n");
1398 if (tmp.entries_size != entries_size) {
1399 BUGPRINT("Wrong size\n");
1403 /* userspace might not need the counters */
1404 if (tmp.num_counters) {
1405 if (tmp.num_counters != nentries) {
1406 BUGPRINT("Num_counters wrong\n");
1409 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1411 MEMPRINT("Couldn't copy counters, out of memory\n");
1414 write_lock_bh(&t->lock);
1415 get_counters(oldcounters, counterstmp, nentries);
1416 write_unlock_bh(&t->lock);
1418 if (copy_to_user(tmp.counters, counterstmp,
1419 nentries * sizeof(struct ebt_counter))) {
1420 BUGPRINT("Couldn't copy counters to userspace\n");
1427 if (copy_to_user(tmp.entries, entries, entries_size)) {
1428 BUGPRINT("Couldn't copy entries to userspace\n");
1431 /* set the match/watcher/target names right */
1432 return EBT_ENTRY_ITERATE(entries, entries_size,
1433 ebt_make_names, entries, tmp.entries);
1436 static int do_ebt_set_ctl(struct sock *sk,
1437 int cmd, void __user *user, unsigned int len)
1442 case EBT_SO_SET_ENTRIES:
1443 ret = do_replace(user, len);
1445 case EBT_SO_SET_COUNTERS:
1446 ret = update_counters(user, len);
1454 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1457 struct ebt_replace tmp;
1458 struct ebt_table *t;
1460 if (copy_from_user(&tmp, user, sizeof(tmp)))
1463 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1468 case EBT_SO_GET_INFO:
1469 case EBT_SO_GET_INIT_INFO:
1470 if (*len != sizeof(struct ebt_replace)){
1472 mutex_unlock(&ebt_mutex);
1475 if (cmd == EBT_SO_GET_INFO) {
1476 tmp.nentries = t->private->nentries;
1477 tmp.entries_size = t->private->entries_size;
1478 tmp.valid_hooks = t->valid_hooks;
1480 tmp.nentries = t->table->nentries;
1481 tmp.entries_size = t->table->entries_size;
1482 tmp.valid_hooks = t->table->valid_hooks;
1484 mutex_unlock(&ebt_mutex);
1485 if (copy_to_user(user, &tmp, *len) != 0){
1486 BUGPRINT("c2u Didn't work\n");
1493 case EBT_SO_GET_ENTRIES:
1494 case EBT_SO_GET_INIT_ENTRIES:
1495 ret = copy_everything_to_user(t, user, len, cmd);
1496 mutex_unlock(&ebt_mutex);
1500 mutex_unlock(&ebt_mutex);
1507 static struct nf_sockopt_ops ebt_sockopts =
1510 .set_optmin = EBT_BASE_CTL,
1511 .set_optmax = EBT_SO_SET_MAX + 1,
1512 .set = do_ebt_set_ctl,
1513 .get_optmin = EBT_BASE_CTL,
1514 .get_optmax = EBT_SO_GET_MAX + 1,
1515 .get = do_ebt_get_ctl,
1518 static int __init ebtables_init(void)
1522 mutex_lock(&ebt_mutex);
1523 list_add(&ebt_standard_target.list, &ebt_targets);
1524 mutex_unlock(&ebt_mutex);
1525 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1528 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1532 static void __exit ebtables_fini(void)
1534 nf_unregister_sockopt(&ebt_sockopts);
1535 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1538 EXPORT_SYMBOL(ebt_register_table);
1539 EXPORT_SYMBOL(ebt_unregister_table);
1540 EXPORT_SYMBOL(ebt_register_match);
1541 EXPORT_SYMBOL(ebt_unregister_match);
1542 EXPORT_SYMBOL(ebt_register_watcher);
1543 EXPORT_SYMBOL(ebt_unregister_watcher);
1544 EXPORT_SYMBOL(ebt_register_target);
1545 EXPORT_SYMBOL(ebt_unregister_target);
1546 EXPORT_SYMBOL(ebt_do_table);
1547 module_init(ebtables_init);
1548 module_exit(ebtables_fini);
1549 MODULE_LICENSE("GPL");
git.openpandora.org / pandora-kernel.git / blob