5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <linux/mutex.h>
28 #include <asm/uaccess.h>
29 #include <linux/smp.h>
30 #include <linux/cpumask.h>
32 /* needed for logical [in,out]-dev filtering */
33 #include "../br_private.h"
35 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
36 "report to author: "format, ## args)
37 /* #define BUGPRINT(format, args...) */
38 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
39 ": out of memory: "format, ## args)
40 /* #define MEMPRINT(format, args...) */
45 * Each cpu has its own set of counters, so there is no need for write_lock in
47 * For reading or updating the counters, the user context needs to
51 /* The size of each set of counters is altered to get cache alignment */
52 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
53 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
54 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
55 COUNTER_OFFSET(n) * cpu))
59 static DEFINE_MUTEX(ebt_mutex);
60 static LIST_HEAD(ebt_tables);
61 static LIST_HEAD(ebt_targets);
62 static LIST_HEAD(ebt_matches);
63 static LIST_HEAD(ebt_watchers);
65 static struct ebt_target ebt_standard_target =
66 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
68 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
69 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
70 const struct net_device *out)
72 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, const struct net_device *in,
80 const struct net_device *out)
82 return m->u.match->match(skb, in, out, m->data,
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
89 const char *devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
158 struct ebt_table_info *private;
160 read_lock_bh(&table->lock);
161 private = table->private;
162 cb_base = COUNTER_BASE(private->counters, private->nentries,
164 if (private->chainstack)
165 cs = private->chainstack[smp_processor_id()];
168 chaininfo = private->hook_entry[hook];
169 nentries = private->hook_entry[hook]->nentries;
170 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
171 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
172 /* base for chain jumps */
173 base = private->entries;
175 while (i < nentries) {
176 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
179 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
182 /* increase counter */
183 (*(counter_base + i)).pcnt++;
184 (*(counter_base + i)).bcnt+=(**pskb).len;
186 /* these should only watch: not modify, nor tell us
187 what to do with the packet */
188 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
191 t = (struct ebt_entry_target *)
192 (((char *)point) + point->target_offset);
193 /* standard target */
194 if (!t->u.target->target)
195 verdict = ((struct ebt_standard_target *)t)->verdict;
197 verdict = t->u.target->target(pskb, hook,
198 in, out, t->data, t->target_size);
199 if (verdict == EBT_ACCEPT) {
200 read_unlock_bh(&table->lock);
203 if (verdict == EBT_DROP) {
204 read_unlock_bh(&table->lock);
207 if (verdict == EBT_RETURN) {
209 #ifdef CONFIG_NETFILTER_DEBUG
211 BUGPRINT("RETURN on base chain");
212 /* act like this is EBT_CONTINUE */
217 /* put all the local variables right */
219 chaininfo = cs[sp].chaininfo;
220 nentries = chaininfo->nentries;
222 counter_base = cb_base +
223 chaininfo->counter_offset;
226 if (verdict == EBT_CONTINUE)
228 #ifdef CONFIG_NETFILTER_DEBUG
230 BUGPRINT("bogus standard verdict\n");
231 read_unlock_bh(&table->lock);
237 cs[sp].chaininfo = chaininfo;
238 cs[sp].e = (struct ebt_entry *)
239 (((char *)point) + point->next_offset);
241 chaininfo = (struct ebt_entries *) (base + verdict);
242 #ifdef CONFIG_NETFILTER_DEBUG
243 if (chaininfo->distinguisher) {
244 BUGPRINT("jump to non-chain\n");
245 read_unlock_bh(&table->lock);
249 nentries = chaininfo->nentries;
250 point = (struct ebt_entry *)chaininfo->data;
251 counter_base = cb_base + chaininfo->counter_offset;
255 point = (struct ebt_entry *)
256 (((char *)point) + point->next_offset);
260 /* I actually like this :) */
261 if (chaininfo->policy == EBT_RETURN)
263 if (chaininfo->policy == EBT_ACCEPT) {
264 read_unlock_bh(&table->lock);
267 read_unlock_bh(&table->lock);
271 /* If it succeeds, returns element and locks mutex */
273 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
277 struct list_head list;
278 char name[EBT_FUNCTION_MAXNAMELEN];
281 *error = mutex_lock_interruptible(mutex);
285 list_for_each_entry(e, head, list) {
286 if (strcmp(e->name, name) == 0)
295 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
298 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
299 int *error, struct mutex *mutex)
303 ret = find_inlist_lock_noload(head, name, error, mutex);
305 request_module("%s%s", prefix, name);
306 ret = find_inlist_lock_noload(head, name, error, mutex);
312 static inline struct ebt_table *
313 find_table_lock(const char *name, int *error, struct mutex *mutex)
315 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
318 static inline struct ebt_match *
319 find_match_lock(const char *name, int *error, struct mutex *mutex)
321 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
324 static inline struct ebt_watcher *
325 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
327 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
330 static inline struct ebt_target *
331 find_target_lock(const char *name, int *error, struct mutex *mutex)
333 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
337 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
338 const char *name, unsigned int hookmask, unsigned int *cnt)
340 struct ebt_match *match;
343 if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
344 ((char *)e) + e->watchers_offset)
346 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
350 if (!try_module_get(match->me)) {
351 mutex_unlock(&ebt_mutex);
354 mutex_unlock(&ebt_mutex);
356 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
357 BUGPRINT("match->check failed\n");
358 module_put(match->me);
366 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
367 const char *name, unsigned int hookmask, unsigned int *cnt)
369 struct ebt_watcher *watcher;
372 if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
373 ((char *)e) + e->target_offset)
375 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
378 w->u.watcher = watcher;
379 if (!try_module_get(watcher->me)) {
380 mutex_unlock(&ebt_mutex);
383 mutex_unlock(&ebt_mutex);
384 if (watcher->check &&
385 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
386 BUGPRINT("watcher->check failed\n");
387 module_put(watcher->me);
395 * this one is very careful, as it is the first function
396 * to parse the userspace data
399 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
400 struct ebt_table_info *newinfo, char *base, char *limit,
401 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
402 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
404 unsigned int offset = (char *)e - newinfo->entries;
405 size_t left = (limit - base) - offset;
408 if (left < sizeof(unsigned int))
411 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
412 if ((valid_hooks & (1 << i)) == 0)
414 if ((char *)hook_entries[i] == base + offset)
417 /* beginning of a new chain
418 if i == NF_BR_NUMHOOKS it must be a user defined chain */
419 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
420 if (e->bitmask != 0) {
421 /* we make userspace set this right,
422 so there is no misunderstanding */
423 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
424 "in distinguisher\n");
427 /* this checks if the previous chain has as many entries
430 BUGPRINT("nentries does not equal the nr of entries "
434 /* before we look at the struct, be sure it is not too big */
435 if (left < sizeof(struct ebt_entries))
437 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
438 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
439 /* only RETURN from udc */
440 if (i != NF_BR_NUMHOOKS ||
441 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
442 BUGPRINT("bad policy\n");
446 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
449 newinfo->hook_entry[i] = (struct ebt_entries *)e;
450 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
451 BUGPRINT("counter_offset != totalcnt");
454 *n = ((struct ebt_entries *)e)->nentries;
458 /* a plain old entry, heh */
459 if (left < sizeof(struct ebt_entry))
461 if (sizeof(struct ebt_entry) > e->watchers_offset ||
462 e->watchers_offset > e->target_offset ||
463 e->target_offset >= e->next_offset) {
464 BUGPRINT("entry offsets not in right order\n");
467 /* this is not checked anywhere else */
468 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
469 BUGPRINT("target size too small\n");
472 if (left < e->next_offset)
480 BUGPRINT("entries_size too small\n");
486 struct ebt_chainstack cs;
488 unsigned int hookmask;
492 * we need these positions to check that the jumps to a different part of the
493 * entries is a jump to the beginning of a new chain.
496 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
497 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
498 struct ebt_cl_stack *udc)
502 /* we're only interested in chain starts */
505 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
506 if ((valid_hooks & (1 << i)) == 0)
508 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
511 /* only care about udc */
512 if (i != NF_BR_NUMHOOKS)
515 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
516 /* these initialisations are depended on later in check_chainloops() */
518 udc[*n].hookmask = 0;
525 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
527 if (i && (*i)-- == 0)
529 if (m->u.match->destroy)
530 m->u.match->destroy(m->data, m->match_size);
531 module_put(m->u.match->me);
537 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
539 if (i && (*i)-- == 0)
541 if (w->u.watcher->destroy)
542 w->u.watcher->destroy(w->data, w->watcher_size);
543 module_put(w->u.watcher->me);
549 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
551 struct ebt_entry_target *t;
556 if (cnt && (*cnt)-- == 0)
558 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
559 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
560 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
561 if (t->u.target->destroy)
562 t->u.target->destroy(t->data, t->target_size);
563 module_put(t->u.target->me);
569 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
570 const char *name, unsigned int *cnt, unsigned int valid_hooks,
571 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
573 struct ebt_entry_target *t;
574 struct ebt_target *target;
575 unsigned int i, j, hook = 0, hookmask = 0;
578 /* don't mess with the struct ebt_entries */
582 if (e->bitmask & ~EBT_F_MASK) {
583 BUGPRINT("Unknown flag for bitmask\n");
586 if (e->invflags & ~EBT_INV_MASK) {
587 BUGPRINT("Unknown flag for inv bitmask\n");
590 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
591 BUGPRINT("NOPROTO & 802_3 not allowed\n");
594 /* what hook do we belong to? */
595 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
596 if ((valid_hooks & (1 << i)) == 0)
598 if ((char *)newinfo->hook_entry[i] < (char *)e)
603 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
605 if (i < NF_BR_NUMHOOKS)
606 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
608 for (i = 0; i < udc_cnt; i++)
609 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
612 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
614 hookmask = cl_s[i - 1].hookmask;
617 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
619 goto cleanup_matches;
621 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
623 goto cleanup_watchers;
624 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
625 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
627 goto cleanup_watchers;
628 if (!try_module_get(target->me)) {
629 mutex_unlock(&ebt_mutex);
631 goto cleanup_watchers;
633 mutex_unlock(&ebt_mutex);
635 t->u.target = target;
636 if (t->u.target == &ebt_standard_target) {
637 if (e->target_offset + sizeof(struct ebt_standard_target) >
639 BUGPRINT("Standard target size too big\n");
641 goto cleanup_watchers;
643 if (((struct ebt_standard_target *)t)->verdict <
644 -NUM_STANDARD_TARGETS) {
645 BUGPRINT("Invalid standard target\n");
647 goto cleanup_watchers;
649 } else if ((e->target_offset + t->target_size +
650 sizeof(struct ebt_entry_target) > e->next_offset) ||
651 (t->u.target->check &&
652 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
653 module_put(t->u.target->me);
655 goto cleanup_watchers;
660 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
662 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
667 * checks for loops and sets the hook mask for udc
668 * the hook mask for udc tells us from which base chains the udc can be
669 * accessed. This mask is a parameter to the check() functions of the extensions
671 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
672 unsigned int udc_cnt, unsigned int hooknr, char *base)
674 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
675 struct ebt_entry *e = (struct ebt_entry *)chain->data;
676 struct ebt_entry_target *t;
678 while (pos < nentries || chain_nr != -1) {
679 /* end of udc, go back one 'recursion' step */
680 if (pos == nentries) {
681 /* put back values of the time when this chain was called */
682 e = cl_s[chain_nr].cs.e;
683 if (cl_s[chain_nr].from != -1)
685 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
687 nentries = chain->nentries;
688 pos = cl_s[chain_nr].cs.n;
689 /* make sure we won't see a loop that isn't one */
690 cl_s[chain_nr].cs.n = 0;
691 chain_nr = cl_s[chain_nr].from;
695 t = (struct ebt_entry_target *)
696 (((char *)e) + e->target_offset);
697 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
699 if (e->target_offset + sizeof(struct ebt_standard_target) >
701 BUGPRINT("Standard target size too big\n");
704 verdict = ((struct ebt_standard_target *)t)->verdict;
705 if (verdict >= 0) { /* jump to another chain */
706 struct ebt_entries *hlp2 =
707 (struct ebt_entries *)(base + verdict);
708 for (i = 0; i < udc_cnt; i++)
709 if (hlp2 == cl_s[i].cs.chaininfo)
711 /* bad destination or loop */
713 BUGPRINT("bad destination\n");
720 /* this can't be 0, so the above test is correct */
721 cl_s[i].cs.n = pos + 1;
723 cl_s[i].cs.e = ((void *)e + e->next_offset);
724 e = (struct ebt_entry *)(hlp2->data);
725 nentries = hlp2->nentries;
726 cl_s[i].from = chain_nr;
728 /* this udc is accessible from the base chain for hooknr */
729 cl_s[i].hookmask |= (1 << hooknr);
733 e = (void *)e + e->next_offset;
739 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
740 static int translate_table(struct ebt_replace *repl,
741 struct ebt_table_info *newinfo)
743 unsigned int i, j, k, udc_cnt;
745 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
748 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
750 if (i == NF_BR_NUMHOOKS) {
751 BUGPRINT("No valid hooks specified\n");
754 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
755 BUGPRINT("Chains don't start at beginning\n");
758 /* make sure chains are ordered after each other in same order
759 as their corresponding hooks */
760 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
761 if (!(repl->valid_hooks & (1 << j)))
763 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
764 BUGPRINT("Hook order must be followed\n");
770 for (i = 0; i < NF_BR_NUMHOOKS; i++)
771 newinfo->hook_entry[i] = NULL;
773 newinfo->entries_size = repl->entries_size;
774 newinfo->nentries = repl->nentries;
776 /* do some early checkings and initialize some things */
777 i = 0; /* holds the expected nr. of entries for the chain */
778 j = 0; /* holds the up to now counted entries for the chain */
779 k = 0; /* holds the total nr. of entries, should equal
780 newinfo->nentries afterwards */
781 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
782 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
783 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
784 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
785 &udc_cnt, repl->valid_hooks);
791 BUGPRINT("nentries does not equal the nr of entries in the "
795 if (k != newinfo->nentries) {
796 BUGPRINT("Total nentries is wrong\n");
800 /* check if all valid hooks have a chain */
801 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
802 if (newinfo->hook_entry[i] == NULL &&
803 (repl->valid_hooks & (1 << i))) {
804 BUGPRINT("Valid hook without chain\n");
809 /* get the location of the udc, put them in an array
810 while we're at it, allocate the chainstack */
812 /* this will get free'd in do_replace()/ebt_register_table()
813 if an error occurs */
814 newinfo->chainstack =
815 vmalloc((highest_possible_processor_id()+1)
816 * sizeof(*(newinfo->chainstack)));
817 if (!newinfo->chainstack)
819 for_each_possible_cpu(i) {
820 newinfo->chainstack[i] =
821 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
822 if (!newinfo->chainstack[i]) {
824 vfree(newinfo->chainstack[--i]);
825 vfree(newinfo->chainstack);
826 newinfo->chainstack = NULL;
831 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
834 i = 0; /* the i'th udc */
835 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
836 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
837 repl->valid_hooks, cl_s);
840 BUGPRINT("i != udc_cnt\n");
846 /* Check for loops */
847 for (i = 0; i < NF_BR_NUMHOOKS; i++)
848 if (repl->valid_hooks & (1 << i))
849 if (check_chainloops(newinfo->hook_entry[i],
850 cl_s, udc_cnt, i, newinfo->entries)) {
855 /* we now know the following (along with E=mc²):
856 - the nr of entries in each chain is right
857 - the size of the allocated space is right
858 - all valid hooks have a corresponding chain
860 - wrong data can still be on the level of a single entry
861 - could be there are jumps to places that are not the
862 beginning of a chain. This can only occur in chains that
863 are not accessible from any base chains, so we don't care. */
865 /* used to know what we need to clean up if something goes wrong */
867 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
868 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
871 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
872 ebt_cleanup_entry, &i);
878 /* called under write_lock */
879 static void get_counters(struct ebt_counter *oldcounters,
880 struct ebt_counter *counters, unsigned int nentries)
883 struct ebt_counter *counter_base;
885 /* counters of cpu 0 */
886 memcpy(counters, oldcounters,
887 sizeof(struct ebt_counter) * nentries);
889 /* add other counters to those of cpu 0 */
890 for_each_possible_cpu(cpu) {
893 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
894 for (i = 0; i < nentries; i++) {
895 counters[i].pcnt += counter_base[i].pcnt;
896 counters[i].bcnt += counter_base[i].bcnt;
901 /* replace the table */
902 static int do_replace(void __user *user, unsigned int len)
904 int ret, i, countersize;
905 struct ebt_table_info *newinfo;
906 struct ebt_replace tmp;
908 struct ebt_counter *counterstmp = NULL;
909 /* used to be able to unlock earlier */
910 struct ebt_table_info *table;
912 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
915 if (len != sizeof(tmp) + tmp.entries_size) {
916 BUGPRINT("Wrong len argument\n");
920 if (tmp.entries_size == 0) {
921 BUGPRINT("Entries_size never zero\n");
925 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
926 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
928 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
931 countersize = COUNTER_OFFSET(tmp.nentries) *
932 (highest_possible_processor_id()+1);
933 newinfo = vmalloc(sizeof(*newinfo) + countersize);
938 memset(newinfo->counters, 0, countersize);
940 newinfo->entries = vmalloc(tmp.entries_size);
941 if (!newinfo->entries) {
946 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
947 BUGPRINT("Couldn't copy entries from userspace\n");
952 /* the user wants counters back
953 the check on the size is done later, when we have the lock */
954 if (tmp.num_counters) {
955 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
964 /* this can get initialized by translate_table() */
965 newinfo->chainstack = NULL;
966 ret = translate_table(&tmp, newinfo);
969 goto free_counterstmp;
971 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
977 /* the table doesn't like it */
978 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
981 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
982 BUGPRINT("Wrong nr. of counters requested\n");
987 /* we have the mutex lock, so no danger in reading this pointer */
989 /* make sure the table can only be rmmod'ed if it contains no rules */
990 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
993 } else if (table->nentries && !newinfo->nentries)
995 /* we need an atomic snapshot of the counters */
996 write_lock_bh(&t->lock);
997 if (tmp.num_counters)
998 get_counters(t->private->counters, counterstmp,
999 t->private->nentries);
1001 t->private = newinfo;
1002 write_unlock_bh(&t->lock);
1003 mutex_unlock(&ebt_mutex);
1004 /* so, a user can change the chains while having messed up her counter
1005 allocation. Only reason why this is done is because this way the lock
1006 is held only once, while this doesn't bring the kernel into a
1008 if (tmp.num_counters &&
1009 copy_to_user(tmp.counters, counterstmp,
1010 tmp.num_counters * sizeof(struct ebt_counter))) {
1011 BUGPRINT("Couldn't copy counters to userspace\n");
1017 /* decrease module count and free resources */
1018 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1019 ebt_cleanup_entry, NULL);
1021 vfree(table->entries);
1022 if (table->chainstack) {
1023 for_each_possible_cpu(i)
1024 vfree(table->chainstack[i]);
1025 vfree(table->chainstack);
1033 mutex_unlock(&ebt_mutex);
1035 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1036 ebt_cleanup_entry, NULL);
1039 /* can be initialized in translate_table() */
1040 if (newinfo->chainstack) {
1041 for_each_possible_cpu(i)
1042 vfree(newinfo->chainstack[i]);
1043 vfree(newinfo->chainstack);
1046 vfree(newinfo->entries);
1052 int ebt_register_target(struct ebt_target *target)
1054 struct ebt_target *t;
1057 ret = mutex_lock_interruptible(&ebt_mutex);
1060 list_for_each_entry(t, &ebt_targets, list) {
1061 if (strcmp(t->name, target->name) == 0) {
1062 mutex_unlock(&ebt_mutex);
1066 list_add(&target->list, &ebt_targets);
1067 mutex_unlock(&ebt_mutex);
1072 void ebt_unregister_target(struct ebt_target *target)
1074 mutex_lock(&ebt_mutex);
1075 list_del(&target->list);
1076 mutex_unlock(&ebt_mutex);
1079 int ebt_register_match(struct ebt_match *match)
1081 struct ebt_match *m;
1084 ret = mutex_lock_interruptible(&ebt_mutex);
1087 list_for_each_entry(m, &ebt_matches, list) {
1088 if (strcmp(m->name, match->name) == 0) {
1089 mutex_unlock(&ebt_mutex);
1093 list_add(&match->list, &ebt_matches);
1094 mutex_unlock(&ebt_mutex);
1099 void ebt_unregister_match(struct ebt_match *match)
1101 mutex_lock(&ebt_mutex);
1102 list_del(&match->list);
1103 mutex_unlock(&ebt_mutex);
1106 int ebt_register_watcher(struct ebt_watcher *watcher)
1108 struct ebt_watcher *w;
1111 ret = mutex_lock_interruptible(&ebt_mutex);
1114 list_for_each_entry(w, &ebt_watchers, list) {
1115 if (strcmp(w->name, watcher->name) == 0) {
1116 mutex_unlock(&ebt_mutex);
1120 list_add(&watcher->list, &ebt_watchers);
1121 mutex_unlock(&ebt_mutex);
1126 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1128 mutex_lock(&ebt_mutex);
1129 list_del(&watcher->list);
1130 mutex_unlock(&ebt_mutex);
1133 int ebt_register_table(struct ebt_table *table)
1135 struct ebt_table_info *newinfo;
1136 struct ebt_table *t;
1137 int ret, i, countersize;
1139 if (!table || !table->table ||!table->table->entries ||
1140 table->table->entries_size == 0 ||
1141 table->table->counters || table->private) {
1142 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1146 countersize = COUNTER_OFFSET(table->table->nentries) *
1147 (highest_possible_processor_id()+1);
1148 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1153 newinfo->entries = vmalloc(table->table->entries_size);
1154 if (!(newinfo->entries))
1157 memcpy(newinfo->entries, table->table->entries,
1158 table->table->entries_size);
1161 memset(newinfo->counters, 0, countersize);
1163 /* fill in newinfo and parse the entries */
1164 newinfo->chainstack = NULL;
1165 ret = translate_table(table->table, newinfo);
1167 BUGPRINT("Translate_table failed\n");
1168 goto free_chainstack;
1171 if (table->check && table->check(newinfo, table->valid_hooks)) {
1172 BUGPRINT("The table doesn't like its own initial data, lol\n");
1176 table->private = newinfo;
1177 rwlock_init(&table->lock);
1178 ret = mutex_lock_interruptible(&ebt_mutex);
1180 goto free_chainstack;
1182 list_for_each_entry(t, &ebt_tables, list) {
1183 if (strcmp(t->name, table->name) == 0) {
1185 BUGPRINT("Table name already exists\n");
1190 /* Hold a reference count if the chains aren't empty */
1191 if (newinfo->nentries && !try_module_get(table->me)) {
1195 list_add(&table->list, &ebt_tables);
1196 mutex_unlock(&ebt_mutex);
1199 mutex_unlock(&ebt_mutex);
1201 if (newinfo->chainstack) {
1202 for_each_possible_cpu(i)
1203 vfree(newinfo->chainstack[i]);
1204 vfree(newinfo->chainstack);
1206 vfree(newinfo->entries);
1212 void ebt_unregister_table(struct ebt_table *table)
1217 BUGPRINT("Request to unregister NULL table!!!\n");
1220 mutex_lock(&ebt_mutex);
1221 list_del(&table->list);
1222 mutex_unlock(&ebt_mutex);
1223 vfree(table->private->entries);
1224 if (table->private->chainstack) {
1225 for_each_possible_cpu(i)
1226 vfree(table->private->chainstack[i]);
1227 vfree(table->private->chainstack);
1229 vfree(table->private);
1232 /* userspace just supplied us with counters */
1233 static int update_counters(void __user *user, unsigned int len)
1236 struct ebt_counter *tmp;
1237 struct ebt_replace hlp;
1238 struct ebt_table *t;
1240 if (copy_from_user(&hlp, user, sizeof(hlp)))
1243 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1245 if (hlp.num_counters == 0)
1248 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1249 MEMPRINT("Update_counters && nomemory\n");
1253 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1257 if (hlp.num_counters != t->private->nentries) {
1258 BUGPRINT("Wrong nr of counters\n");
1263 if ( copy_from_user(tmp, hlp.counters,
1264 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1265 BUGPRINT("Updata_counters && !cfu\n");
1270 /* we want an atomic add of the counters */
1271 write_lock_bh(&t->lock);
1273 /* we add to the counters of the first cpu */
1274 for (i = 0; i < hlp.num_counters; i++) {
1275 t->private->counters[i].pcnt += tmp[i].pcnt;
1276 t->private->counters[i].bcnt += tmp[i].bcnt;
1279 write_unlock_bh(&t->lock);
1282 mutex_unlock(&ebt_mutex);
1288 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1289 char *base, char *ubase)
1291 char *hlp = ubase - base + (char *)m;
1292 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1297 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1298 char *base, char *ubase)
1300 char *hlp = ubase - base + (char *)w;
1301 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1306 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1310 struct ebt_entry_target *t;
1312 if (e->bitmask == 0)
1315 hlp = ubase - base + (char *)e + e->target_offset;
1316 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1318 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1321 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1324 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1329 /* called with ebt_mutex locked */
1330 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1333 struct ebt_replace tmp;
1334 struct ebt_counter *counterstmp, *oldcounters;
1335 unsigned int entries_size, nentries;
1338 if (cmd == EBT_SO_GET_ENTRIES) {
1339 entries_size = t->private->entries_size;
1340 nentries = t->private->nentries;
1341 entries = t->private->entries;
1342 oldcounters = t->private->counters;
1344 entries_size = t->table->entries_size;
1345 nentries = t->table->nentries;
1346 entries = t->table->entries;
1347 oldcounters = t->table->counters;
1350 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1351 BUGPRINT("Cfu didn't work\n");
1355 if (*len != sizeof(struct ebt_replace) + entries_size +
1356 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1357 BUGPRINT("Wrong size\n");
1361 if (tmp.nentries != nentries) {
1362 BUGPRINT("Nentries wrong\n");
1366 if (tmp.entries_size != entries_size) {
1367 BUGPRINT("Wrong size\n");
1371 /* userspace might not need the counters */
1372 if (tmp.num_counters) {
1373 if (tmp.num_counters != nentries) {
1374 BUGPRINT("Num_counters wrong\n");
1377 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1379 MEMPRINT("Couldn't copy counters, out of memory\n");
1382 write_lock_bh(&t->lock);
1383 get_counters(oldcounters, counterstmp, nentries);
1384 write_unlock_bh(&t->lock);
1386 if (copy_to_user(tmp.counters, counterstmp,
1387 nentries * sizeof(struct ebt_counter))) {
1388 BUGPRINT("Couldn't copy counters to userspace\n");
1395 if (copy_to_user(tmp.entries, entries, entries_size)) {
1396 BUGPRINT("Couldn't copy entries to userspace\n");
1399 /* set the match/watcher/target names right */
1400 return EBT_ENTRY_ITERATE(entries, entries_size,
1401 ebt_make_names, entries, tmp.entries);
1404 static int do_ebt_set_ctl(struct sock *sk,
1405 int cmd, void __user *user, unsigned int len)
1410 case EBT_SO_SET_ENTRIES:
1411 ret = do_replace(user, len);
1413 case EBT_SO_SET_COUNTERS:
1414 ret = update_counters(user, len);
1422 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1425 struct ebt_replace tmp;
1426 struct ebt_table *t;
1428 if (copy_from_user(&tmp, user, sizeof(tmp)))
1431 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1436 case EBT_SO_GET_INFO:
1437 case EBT_SO_GET_INIT_INFO:
1438 if (*len != sizeof(struct ebt_replace)){
1440 mutex_unlock(&ebt_mutex);
1443 if (cmd == EBT_SO_GET_INFO) {
1444 tmp.nentries = t->private->nentries;
1445 tmp.entries_size = t->private->entries_size;
1446 tmp.valid_hooks = t->valid_hooks;
1448 tmp.nentries = t->table->nentries;
1449 tmp.entries_size = t->table->entries_size;
1450 tmp.valid_hooks = t->table->valid_hooks;
1452 mutex_unlock(&ebt_mutex);
1453 if (copy_to_user(user, &tmp, *len) != 0){
1454 BUGPRINT("c2u Didn't work\n");
1461 case EBT_SO_GET_ENTRIES:
1462 case EBT_SO_GET_INIT_ENTRIES:
1463 ret = copy_everything_to_user(t, user, len, cmd);
1464 mutex_unlock(&ebt_mutex);
1468 mutex_unlock(&ebt_mutex);
1475 static struct nf_sockopt_ops ebt_sockopts =
1478 .set_optmin = EBT_BASE_CTL,
1479 .set_optmax = EBT_SO_SET_MAX + 1,
1480 .set = do_ebt_set_ctl,
1481 .get_optmin = EBT_BASE_CTL,
1482 .get_optmax = EBT_SO_GET_MAX + 1,
1483 .get = do_ebt_get_ctl,
1486 static int __init ebtables_init(void)
1490 mutex_lock(&ebt_mutex);
1491 list_add(&ebt_standard_target.list, &ebt_targets);
1492 mutex_unlock(&ebt_mutex);
1493 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1496 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1500 static void __exit ebtables_fini(void)
1502 nf_unregister_sockopt(&ebt_sockopts);
1503 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1506 EXPORT_SYMBOL(ebt_register_table);
1507 EXPORT_SYMBOL(ebt_unregister_table);
1508 EXPORT_SYMBOL(ebt_register_match);
1509 EXPORT_SYMBOL(ebt_unregister_match);
1510 EXPORT_SYMBOL(ebt_register_watcher);
1511 EXPORT_SYMBOL(ebt_unregister_watcher);
1512 EXPORT_SYMBOL(ebt_register_target);
1513 EXPORT_SYMBOL(ebt_unregister_target);
1514 EXPORT_SYMBOL(ebt_do_table);
1515 module_init(ebtables_init);
1516 module_exit(ebtables_fini);
1517 MODULE_LICENSE("GPL");