5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <linux/mutex.h>
28 #include <asm/uaccess.h>
29 #include <linux/smp.h>
30 #include <linux/cpumask.h>
32 /* needed for logical [in,out]-dev filtering */
33 #include "../br_private.h"
35 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
36 "report to author: "format, ## args)
37 /* #define BUGPRINT(format, args...) */
38 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
39 ": out of memory: "format, ## args)
40 /* #define MEMPRINT(format, args...) */
45 * Each cpu has its own set of counters, so there is no need for write_lock in
47 * For reading or updating the counters, the user context needs to
51 /* The size of each set of counters is altered to get cache alignment */
52 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
53 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
54 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
55 COUNTER_OFFSET(n) * cpu))
59 static DEFINE_MUTEX(ebt_mutex);
60 static LIST_HEAD(ebt_tables);
61 static LIST_HEAD(ebt_targets);
62 static LIST_HEAD(ebt_matches);
63 static LIST_HEAD(ebt_watchers);
65 static struct ebt_target ebt_standard_target =
66 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
68 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
69 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
70 const struct net_device *out)
72 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, const struct net_device *in,
80 const struct net_device *out)
82 return m->u.match->match(skb, in, out, m->data,
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
89 const char *devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
158 struct ebt_table_info *private;
160 read_lock_bh(&table->lock);
161 private = table->private;
162 cb_base = COUNTER_BASE(private->counters, private->nentries,
164 if (private->chainstack)
165 cs = private->chainstack[smp_processor_id()];
168 chaininfo = private->hook_entry[hook];
169 nentries = private->hook_entry[hook]->nentries;
170 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
171 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
172 /* base for chain jumps */
173 base = private->entries;
175 while (i < nentries) {
176 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
179 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
182 /* increase counter */
183 (*(counter_base + i)).pcnt++;
184 (*(counter_base + i)).bcnt+=(**pskb).len;
186 /* these should only watch: not modify, nor tell us
187 what to do with the packet */
188 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
191 t = (struct ebt_entry_target *)
192 (((char *)point) + point->target_offset);
193 /* standard target */
194 if (!t->u.target->target)
195 verdict = ((struct ebt_standard_target *)t)->verdict;
197 verdict = t->u.target->target(pskb, hook,
198 in, out, t->data, t->target_size);
199 if (verdict == EBT_ACCEPT) {
200 read_unlock_bh(&table->lock);
203 if (verdict == EBT_DROP) {
204 read_unlock_bh(&table->lock);
207 if (verdict == EBT_RETURN) {
209 #ifdef CONFIG_NETFILTER_DEBUG
211 BUGPRINT("RETURN on base chain");
212 /* act like this is EBT_CONTINUE */
217 /* put all the local variables right */
219 chaininfo = cs[sp].chaininfo;
220 nentries = chaininfo->nentries;
222 counter_base = cb_base +
223 chaininfo->counter_offset;
226 if (verdict == EBT_CONTINUE)
228 #ifdef CONFIG_NETFILTER_DEBUG
230 BUGPRINT("bogus standard verdict\n");
231 read_unlock_bh(&table->lock);
237 cs[sp].chaininfo = chaininfo;
238 cs[sp].e = (struct ebt_entry *)
239 (((char *)point) + point->next_offset);
241 chaininfo = (struct ebt_entries *) (base + verdict);
242 #ifdef CONFIG_NETFILTER_DEBUG
243 if (chaininfo->distinguisher) {
244 BUGPRINT("jump to non-chain\n");
245 read_unlock_bh(&table->lock);
249 nentries = chaininfo->nentries;
250 point = (struct ebt_entry *)chaininfo->data;
251 counter_base = cb_base + chaininfo->counter_offset;
255 point = (struct ebt_entry *)
256 (((char *)point) + point->next_offset);
260 /* I actually like this :) */
261 if (chaininfo->policy == EBT_RETURN)
263 if (chaininfo->policy == EBT_ACCEPT) {
264 read_unlock_bh(&table->lock);
267 read_unlock_bh(&table->lock);
271 /* If it succeeds, returns element and locks mutex */
273 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
277 struct list_head list;
278 char name[EBT_FUNCTION_MAXNAMELEN];
281 *error = mutex_lock_interruptible(mutex);
285 list_for_each_entry(e, head, list) {
286 if (strcmp(e->name, name) == 0)
295 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
298 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
299 int *error, struct mutex *mutex)
303 ret = find_inlist_lock_noload(head, name, error, mutex);
305 request_module("%s%s", prefix, name);
306 ret = find_inlist_lock_noload(head, name, error, mutex);
312 static inline struct ebt_table *
313 find_table_lock(const char *name, int *error, struct mutex *mutex)
315 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
318 static inline struct ebt_match *
319 find_match_lock(const char *name, int *error, struct mutex *mutex)
321 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
324 static inline struct ebt_watcher *
325 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
327 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
330 static inline struct ebt_target *
331 find_target_lock(const char *name, int *error, struct mutex *mutex)
333 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
337 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
338 const char *name, unsigned int hookmask, unsigned int *cnt)
340 struct ebt_match *match;
343 if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
344 ((char *)e) + e->watchers_offset)
346 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
350 if (!try_module_get(match->me)) {
351 mutex_unlock(&ebt_mutex);
354 mutex_unlock(&ebt_mutex);
356 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
357 BUGPRINT("match->check failed\n");
358 module_put(match->me);
366 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
367 const char *name, unsigned int hookmask, unsigned int *cnt)
369 struct ebt_watcher *watcher;
372 if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
373 ((char *)e) + e->target_offset)
375 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
378 w->u.watcher = watcher;
379 if (!try_module_get(watcher->me)) {
380 mutex_unlock(&ebt_mutex);
383 mutex_unlock(&ebt_mutex);
384 if (watcher->check &&
385 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
386 BUGPRINT("watcher->check failed\n");
387 module_put(watcher->me);
395 * this one is very careful, as it is the first function
396 * to parse the userspace data
399 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
400 struct ebt_table_info *newinfo, char *base, char *limit,
401 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
402 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
404 unsigned int offset = (char *)e - newinfo->entries;
405 size_t left = (limit - base) - offset;
408 if (left < sizeof(unsigned int))
411 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
412 if ((valid_hooks & (1 << i)) == 0)
414 if ((char *)hook_entries[i] == base + offset)
417 /* beginning of a new chain
418 if i == NF_BR_NUMHOOKS it must be a user defined chain */
419 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
420 if (e->bitmask != 0) {
421 /* we make userspace set this right,
422 so there is no misunderstanding */
423 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
424 "in distinguisher\n");
427 /* this checks if the previous chain has as many entries
430 BUGPRINT("nentries does not equal the nr of entries "
434 /* before we look at the struct, be sure it is not too big */
435 if (left < sizeof(struct ebt_entries))
437 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
438 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
439 /* only RETURN from udc */
440 if (i != NF_BR_NUMHOOKS ||
441 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
442 BUGPRINT("bad policy\n");
446 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
449 newinfo->hook_entry[i] = (struct ebt_entries *)e;
450 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
451 BUGPRINT("counter_offset != totalcnt");
454 *n = ((struct ebt_entries *)e)->nentries;
458 /* a plain old entry, heh */
459 if (left < sizeof(struct ebt_entry))
461 if (sizeof(struct ebt_entry) > e->watchers_offset ||
462 e->watchers_offset > e->target_offset ||
463 e->target_offset >= e->next_offset) {
464 BUGPRINT("entry offsets not in right order\n");
467 /* this is not checked anywhere else */
468 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
469 BUGPRINT("target size too small\n");
472 if (left < e->next_offset)
480 BUGPRINT("entries_size too small\n");
486 struct ebt_chainstack cs;
488 unsigned int hookmask;
492 * we need these positions to check that the jumps to a different part of the
493 * entries is a jump to the beginning of a new chain.
496 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
497 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
498 struct ebt_cl_stack *udc)
502 /* we're only interested in chain starts */
505 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
506 if ((valid_hooks & (1 << i)) == 0)
508 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
511 /* only care about udc */
512 if (i != NF_BR_NUMHOOKS)
515 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
516 /* these initialisations are depended on later in check_chainloops() */
518 udc[*n].hookmask = 0;
525 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
527 if (i && (*i)-- == 0)
529 if (m->u.match->destroy)
530 m->u.match->destroy(m->data, m->match_size);
531 module_put(m->u.match->me);
537 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
539 if (i && (*i)-- == 0)
541 if (w->u.watcher->destroy)
542 w->u.watcher->destroy(w->data, w->watcher_size);
543 module_put(w->u.watcher->me);
549 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
551 struct ebt_entry_target *t;
556 if (cnt && (*cnt)-- == 0)
558 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
559 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
560 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
561 if (t->u.target->destroy)
562 t->u.target->destroy(t->data, t->target_size);
563 module_put(t->u.target->me);
569 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
570 const char *name, unsigned int *cnt, unsigned int valid_hooks,
571 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
573 struct ebt_entry_target *t;
574 struct ebt_target *target;
575 unsigned int i, j, hook = 0, hookmask = 0;
578 /* don't mess with the struct ebt_entries */
582 if (e->bitmask & ~EBT_F_MASK) {
583 BUGPRINT("Unknown flag for bitmask\n");
586 if (e->invflags & ~EBT_INV_MASK) {
587 BUGPRINT("Unknown flag for inv bitmask\n");
590 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
591 BUGPRINT("NOPROTO & 802_3 not allowed\n");
594 /* what hook do we belong to? */
595 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
596 if ((valid_hooks & (1 << i)) == 0)
598 if ((char *)newinfo->hook_entry[i] < (char *)e)
603 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
605 if (i < NF_BR_NUMHOOKS)
606 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
608 for (i = 0; i < udc_cnt; i++)
609 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
612 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
614 hookmask = cl_s[i - 1].hookmask;
617 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
619 goto cleanup_matches;
621 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
623 goto cleanup_watchers;
624 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
625 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
627 goto cleanup_watchers;
628 if (!try_module_get(target->me)) {
629 mutex_unlock(&ebt_mutex);
631 goto cleanup_watchers;
633 mutex_unlock(&ebt_mutex);
635 t->u.target = target;
636 if (t->u.target == &ebt_standard_target) {
637 if (e->target_offset + sizeof(struct ebt_standard_target) >
639 BUGPRINT("Standard target size too big\n");
641 goto cleanup_watchers;
643 if (((struct ebt_standard_target *)t)->verdict <
644 -NUM_STANDARD_TARGETS) {
645 BUGPRINT("Invalid standard target\n");
647 goto cleanup_watchers;
649 } else if ((e->target_offset + t->target_size +
650 sizeof(struct ebt_entry_target) > e->next_offset) ||
651 (t->u.target->check &&
652 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
653 module_put(t->u.target->me);
655 goto cleanup_watchers;
660 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
662 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
667 * checks for loops and sets the hook mask for udc
668 * the hook mask for udc tells us from which base chains the udc can be
669 * accessed. This mask is a parameter to the check() functions of the extensions
671 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
672 unsigned int udc_cnt, unsigned int hooknr, char *base)
674 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
675 struct ebt_entry *e = (struct ebt_entry *)chain->data;
676 struct ebt_entry_target *t;
678 while (pos < nentries || chain_nr != -1) {
679 /* end of udc, go back one 'recursion' step */
680 if (pos == nentries) {
681 /* put back values of the time when this chain was called */
682 e = cl_s[chain_nr].cs.e;
683 if (cl_s[chain_nr].from != -1)
685 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
687 nentries = chain->nentries;
688 pos = cl_s[chain_nr].cs.n;
689 /* make sure we won't see a loop that isn't one */
690 cl_s[chain_nr].cs.n = 0;
691 chain_nr = cl_s[chain_nr].from;
695 t = (struct ebt_entry_target *)
696 (((char *)e) + e->target_offset);
697 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
699 if (e->target_offset + sizeof(struct ebt_standard_target) >
701 BUGPRINT("Standard target size too big\n");
704 verdict = ((struct ebt_standard_target *)t)->verdict;
705 if (verdict >= 0) { /* jump to another chain */
706 struct ebt_entries *hlp2 =
707 (struct ebt_entries *)(base + verdict);
708 for (i = 0; i < udc_cnt; i++)
709 if (hlp2 == cl_s[i].cs.chaininfo)
711 /* bad destination or loop */
713 BUGPRINT("bad destination\n");
720 if (cl_s[i].hookmask & (1 << hooknr))
722 /* this can't be 0, so the loop test is correct */
723 cl_s[i].cs.n = pos + 1;
725 cl_s[i].cs.e = ((void *)e + e->next_offset);
726 e = (struct ebt_entry *)(hlp2->data);
727 nentries = hlp2->nentries;
728 cl_s[i].from = chain_nr;
730 /* this udc is accessible from the base chain for hooknr */
731 cl_s[i].hookmask |= (1 << hooknr);
735 e = (void *)e + e->next_offset;
741 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
742 static int translate_table(struct ebt_replace *repl,
743 struct ebt_table_info *newinfo)
745 unsigned int i, j, k, udc_cnt;
747 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
750 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
752 if (i == NF_BR_NUMHOOKS) {
753 BUGPRINT("No valid hooks specified\n");
756 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
757 BUGPRINT("Chains don't start at beginning\n");
760 /* make sure chains are ordered after each other in same order
761 as their corresponding hooks */
762 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
763 if (!(repl->valid_hooks & (1 << j)))
765 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
766 BUGPRINT("Hook order must be followed\n");
772 for (i = 0; i < NF_BR_NUMHOOKS; i++)
773 newinfo->hook_entry[i] = NULL;
775 newinfo->entries_size = repl->entries_size;
776 newinfo->nentries = repl->nentries;
778 /* do some early checkings and initialize some things */
779 i = 0; /* holds the expected nr. of entries for the chain */
780 j = 0; /* holds the up to now counted entries for the chain */
781 k = 0; /* holds the total nr. of entries, should equal
782 newinfo->nentries afterwards */
783 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
784 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
785 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
786 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
787 &udc_cnt, repl->valid_hooks);
793 BUGPRINT("nentries does not equal the nr of entries in the "
797 if (k != newinfo->nentries) {
798 BUGPRINT("Total nentries is wrong\n");
802 /* check if all valid hooks have a chain */
803 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
804 if (newinfo->hook_entry[i] == NULL &&
805 (repl->valid_hooks & (1 << i))) {
806 BUGPRINT("Valid hook without chain\n");
811 /* get the location of the udc, put them in an array
812 while we're at it, allocate the chainstack */
814 /* this will get free'd in do_replace()/ebt_register_table()
815 if an error occurs */
816 newinfo->chainstack =
817 vmalloc((highest_possible_processor_id()+1)
818 * sizeof(*(newinfo->chainstack)));
819 if (!newinfo->chainstack)
821 for_each_possible_cpu(i) {
822 newinfo->chainstack[i] =
823 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
824 if (!newinfo->chainstack[i]) {
826 vfree(newinfo->chainstack[--i]);
827 vfree(newinfo->chainstack);
828 newinfo->chainstack = NULL;
833 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
836 i = 0; /* the i'th udc */
837 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
838 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
839 repl->valid_hooks, cl_s);
842 BUGPRINT("i != udc_cnt\n");
848 /* Check for loops */
849 for (i = 0; i < NF_BR_NUMHOOKS; i++)
850 if (repl->valid_hooks & (1 << i))
851 if (check_chainloops(newinfo->hook_entry[i],
852 cl_s, udc_cnt, i, newinfo->entries)) {
857 /* we now know the following (along with E=mc²):
858 - the nr of entries in each chain is right
859 - the size of the allocated space is right
860 - all valid hooks have a corresponding chain
862 - wrong data can still be on the level of a single entry
863 - could be there are jumps to places that are not the
864 beginning of a chain. This can only occur in chains that
865 are not accessible from any base chains, so we don't care. */
867 /* used to know what we need to clean up if something goes wrong */
869 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
870 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
873 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
874 ebt_cleanup_entry, &i);
880 /* called under write_lock */
881 static void get_counters(struct ebt_counter *oldcounters,
882 struct ebt_counter *counters, unsigned int nentries)
885 struct ebt_counter *counter_base;
887 /* counters of cpu 0 */
888 memcpy(counters, oldcounters,
889 sizeof(struct ebt_counter) * nentries);
891 /* add other counters to those of cpu 0 */
892 for_each_possible_cpu(cpu) {
895 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
896 for (i = 0; i < nentries; i++) {
897 counters[i].pcnt += counter_base[i].pcnt;
898 counters[i].bcnt += counter_base[i].bcnt;
903 /* replace the table */
904 static int do_replace(void __user *user, unsigned int len)
906 int ret, i, countersize;
907 struct ebt_table_info *newinfo;
908 struct ebt_replace tmp;
910 struct ebt_counter *counterstmp = NULL;
911 /* used to be able to unlock earlier */
912 struct ebt_table_info *table;
914 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
917 if (len != sizeof(tmp) + tmp.entries_size) {
918 BUGPRINT("Wrong len argument\n");
922 if (tmp.entries_size == 0) {
923 BUGPRINT("Entries_size never zero\n");
927 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
928 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
930 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
933 countersize = COUNTER_OFFSET(tmp.nentries) *
934 (highest_possible_processor_id()+1);
935 newinfo = vmalloc(sizeof(*newinfo) + countersize);
940 memset(newinfo->counters, 0, countersize);
942 newinfo->entries = vmalloc(tmp.entries_size);
943 if (!newinfo->entries) {
948 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
949 BUGPRINT("Couldn't copy entries from userspace\n");
954 /* the user wants counters back
955 the check on the size is done later, when we have the lock */
956 if (tmp.num_counters) {
957 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
966 /* this can get initialized by translate_table() */
967 newinfo->chainstack = NULL;
968 ret = translate_table(&tmp, newinfo);
971 goto free_counterstmp;
973 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
979 /* the table doesn't like it */
980 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
983 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
984 BUGPRINT("Wrong nr. of counters requested\n");
989 /* we have the mutex lock, so no danger in reading this pointer */
991 /* make sure the table can only be rmmod'ed if it contains no rules */
992 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
995 } else if (table->nentries && !newinfo->nentries)
997 /* we need an atomic snapshot of the counters */
998 write_lock_bh(&t->lock);
999 if (tmp.num_counters)
1000 get_counters(t->private->counters, counterstmp,
1001 t->private->nentries);
1003 t->private = newinfo;
1004 write_unlock_bh(&t->lock);
1005 mutex_unlock(&ebt_mutex);
1006 /* so, a user can change the chains while having messed up her counter
1007 allocation. Only reason why this is done is because this way the lock
1008 is held only once, while this doesn't bring the kernel into a
1010 if (tmp.num_counters &&
1011 copy_to_user(tmp.counters, counterstmp,
1012 tmp.num_counters * sizeof(struct ebt_counter))) {
1013 BUGPRINT("Couldn't copy counters to userspace\n");
1019 /* decrease module count and free resources */
1020 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1021 ebt_cleanup_entry, NULL);
1023 vfree(table->entries);
1024 if (table->chainstack) {
1025 for_each_possible_cpu(i)
1026 vfree(table->chainstack[i]);
1027 vfree(table->chainstack);
1035 mutex_unlock(&ebt_mutex);
1037 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1038 ebt_cleanup_entry, NULL);
1041 /* can be initialized in translate_table() */
1042 if (newinfo->chainstack) {
1043 for_each_possible_cpu(i)
1044 vfree(newinfo->chainstack[i]);
1045 vfree(newinfo->chainstack);
1048 vfree(newinfo->entries);
1054 int ebt_register_target(struct ebt_target *target)
1056 struct ebt_target *t;
1059 ret = mutex_lock_interruptible(&ebt_mutex);
1062 list_for_each_entry(t, &ebt_targets, list) {
1063 if (strcmp(t->name, target->name) == 0) {
1064 mutex_unlock(&ebt_mutex);
1068 list_add(&target->list, &ebt_targets);
1069 mutex_unlock(&ebt_mutex);
1074 void ebt_unregister_target(struct ebt_target *target)
1076 mutex_lock(&ebt_mutex);
1077 list_del(&target->list);
1078 mutex_unlock(&ebt_mutex);
1081 int ebt_register_match(struct ebt_match *match)
1083 struct ebt_match *m;
1086 ret = mutex_lock_interruptible(&ebt_mutex);
1089 list_for_each_entry(m, &ebt_matches, list) {
1090 if (strcmp(m->name, match->name) == 0) {
1091 mutex_unlock(&ebt_mutex);
1095 list_add(&match->list, &ebt_matches);
1096 mutex_unlock(&ebt_mutex);
1101 void ebt_unregister_match(struct ebt_match *match)
1103 mutex_lock(&ebt_mutex);
1104 list_del(&match->list);
1105 mutex_unlock(&ebt_mutex);
1108 int ebt_register_watcher(struct ebt_watcher *watcher)
1110 struct ebt_watcher *w;
1113 ret = mutex_lock_interruptible(&ebt_mutex);
1116 list_for_each_entry(w, &ebt_watchers, list) {
1117 if (strcmp(w->name, watcher->name) == 0) {
1118 mutex_unlock(&ebt_mutex);
1122 list_add(&watcher->list, &ebt_watchers);
1123 mutex_unlock(&ebt_mutex);
1128 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1130 mutex_lock(&ebt_mutex);
1131 list_del(&watcher->list);
1132 mutex_unlock(&ebt_mutex);
1135 int ebt_register_table(struct ebt_table *table)
1137 struct ebt_table_info *newinfo;
1138 struct ebt_table *t;
1139 int ret, i, countersize;
1141 if (!table || !table->table ||!table->table->entries ||
1142 table->table->entries_size == 0 ||
1143 table->table->counters || table->private) {
1144 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1148 countersize = COUNTER_OFFSET(table->table->nentries) *
1149 (highest_possible_processor_id()+1);
1150 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1155 newinfo->entries = vmalloc(table->table->entries_size);
1156 if (!(newinfo->entries))
1159 memcpy(newinfo->entries, table->table->entries,
1160 table->table->entries_size);
1163 memset(newinfo->counters, 0, countersize);
1165 /* fill in newinfo and parse the entries */
1166 newinfo->chainstack = NULL;
1167 ret = translate_table(table->table, newinfo);
1169 BUGPRINT("Translate_table failed\n");
1170 goto free_chainstack;
1173 if (table->check && table->check(newinfo, table->valid_hooks)) {
1174 BUGPRINT("The table doesn't like its own initial data, lol\n");
1178 table->private = newinfo;
1179 rwlock_init(&table->lock);
1180 ret = mutex_lock_interruptible(&ebt_mutex);
1182 goto free_chainstack;
1184 list_for_each_entry(t, &ebt_tables, list) {
1185 if (strcmp(t->name, table->name) == 0) {
1187 BUGPRINT("Table name already exists\n");
1192 /* Hold a reference count if the chains aren't empty */
1193 if (newinfo->nentries && !try_module_get(table->me)) {
1197 list_add(&table->list, &ebt_tables);
1198 mutex_unlock(&ebt_mutex);
1201 mutex_unlock(&ebt_mutex);
1203 if (newinfo->chainstack) {
1204 for_each_possible_cpu(i)
1205 vfree(newinfo->chainstack[i]);
1206 vfree(newinfo->chainstack);
1208 vfree(newinfo->entries);
1214 void ebt_unregister_table(struct ebt_table *table)
1219 BUGPRINT("Request to unregister NULL table!!!\n");
1222 mutex_lock(&ebt_mutex);
1223 list_del(&table->list);
1224 mutex_unlock(&ebt_mutex);
1225 vfree(table->private->entries);
1226 if (table->private->chainstack) {
1227 for_each_possible_cpu(i)
1228 vfree(table->private->chainstack[i]);
1229 vfree(table->private->chainstack);
1231 vfree(table->private);
1234 /* userspace just supplied us with counters */
1235 static int update_counters(void __user *user, unsigned int len)
1238 struct ebt_counter *tmp;
1239 struct ebt_replace hlp;
1240 struct ebt_table *t;
1242 if (copy_from_user(&hlp, user, sizeof(hlp)))
1245 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1247 if (hlp.num_counters == 0)
1250 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1251 MEMPRINT("Update_counters && nomemory\n");
1255 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1259 if (hlp.num_counters != t->private->nentries) {
1260 BUGPRINT("Wrong nr of counters\n");
1265 if ( copy_from_user(tmp, hlp.counters,
1266 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1267 BUGPRINT("Updata_counters && !cfu\n");
1272 /* we want an atomic add of the counters */
1273 write_lock_bh(&t->lock);
1275 /* we add to the counters of the first cpu */
1276 for (i = 0; i < hlp.num_counters; i++) {
1277 t->private->counters[i].pcnt += tmp[i].pcnt;
1278 t->private->counters[i].bcnt += tmp[i].bcnt;
1281 write_unlock_bh(&t->lock);
1284 mutex_unlock(&ebt_mutex);
1290 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1291 char *base, char *ubase)
1293 char *hlp = ubase - base + (char *)m;
1294 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1299 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1300 char *base, char *ubase)
1302 char *hlp = ubase - base + (char *)w;
1303 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1308 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1312 struct ebt_entry_target *t;
1314 if (e->bitmask == 0)
1317 hlp = ubase - base + (char *)e + e->target_offset;
1318 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1320 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1323 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1326 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1331 /* called with ebt_mutex locked */
1332 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1335 struct ebt_replace tmp;
1336 struct ebt_counter *counterstmp, *oldcounters;
1337 unsigned int entries_size, nentries;
1340 if (cmd == EBT_SO_GET_ENTRIES) {
1341 entries_size = t->private->entries_size;
1342 nentries = t->private->nentries;
1343 entries = t->private->entries;
1344 oldcounters = t->private->counters;
1346 entries_size = t->table->entries_size;
1347 nentries = t->table->nentries;
1348 entries = t->table->entries;
1349 oldcounters = t->table->counters;
1352 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1353 BUGPRINT("Cfu didn't work\n");
1357 if (*len != sizeof(struct ebt_replace) + entries_size +
1358 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1359 BUGPRINT("Wrong size\n");
1363 if (tmp.nentries != nentries) {
1364 BUGPRINT("Nentries wrong\n");
1368 if (tmp.entries_size != entries_size) {
1369 BUGPRINT("Wrong size\n");
1373 /* userspace might not need the counters */
1374 if (tmp.num_counters) {
1375 if (tmp.num_counters != nentries) {
1376 BUGPRINT("Num_counters wrong\n");
1379 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1381 MEMPRINT("Couldn't copy counters, out of memory\n");
1384 write_lock_bh(&t->lock);
1385 get_counters(oldcounters, counterstmp, nentries);
1386 write_unlock_bh(&t->lock);
1388 if (copy_to_user(tmp.counters, counterstmp,
1389 nentries * sizeof(struct ebt_counter))) {
1390 BUGPRINT("Couldn't copy counters to userspace\n");
1397 if (copy_to_user(tmp.entries, entries, entries_size)) {
1398 BUGPRINT("Couldn't copy entries to userspace\n");
1401 /* set the match/watcher/target names right */
1402 return EBT_ENTRY_ITERATE(entries, entries_size,
1403 ebt_make_names, entries, tmp.entries);
1406 static int do_ebt_set_ctl(struct sock *sk,
1407 int cmd, void __user *user, unsigned int len)
1412 case EBT_SO_SET_ENTRIES:
1413 ret = do_replace(user, len);
1415 case EBT_SO_SET_COUNTERS:
1416 ret = update_counters(user, len);
1424 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1427 struct ebt_replace tmp;
1428 struct ebt_table *t;
1430 if (copy_from_user(&tmp, user, sizeof(tmp)))
1433 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1438 case EBT_SO_GET_INFO:
1439 case EBT_SO_GET_INIT_INFO:
1440 if (*len != sizeof(struct ebt_replace)){
1442 mutex_unlock(&ebt_mutex);
1445 if (cmd == EBT_SO_GET_INFO) {
1446 tmp.nentries = t->private->nentries;
1447 tmp.entries_size = t->private->entries_size;
1448 tmp.valid_hooks = t->valid_hooks;
1450 tmp.nentries = t->table->nentries;
1451 tmp.entries_size = t->table->entries_size;
1452 tmp.valid_hooks = t->table->valid_hooks;
1454 mutex_unlock(&ebt_mutex);
1455 if (copy_to_user(user, &tmp, *len) != 0){
1456 BUGPRINT("c2u Didn't work\n");
1463 case EBT_SO_GET_ENTRIES:
1464 case EBT_SO_GET_INIT_ENTRIES:
1465 ret = copy_everything_to_user(t, user, len, cmd);
1466 mutex_unlock(&ebt_mutex);
1470 mutex_unlock(&ebt_mutex);
1477 static struct nf_sockopt_ops ebt_sockopts =
1480 .set_optmin = EBT_BASE_CTL,
1481 .set_optmax = EBT_SO_SET_MAX + 1,
1482 .set = do_ebt_set_ctl,
1483 .get_optmin = EBT_BASE_CTL,
1484 .get_optmax = EBT_SO_GET_MAX + 1,
1485 .get = do_ebt_get_ctl,
1488 static int __init ebtables_init(void)
1492 mutex_lock(&ebt_mutex);
1493 list_add(&ebt_standard_target.list, &ebt_targets);
1494 mutex_unlock(&ebt_mutex);
1495 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1498 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1502 static void __exit ebtables_fini(void)
1504 nf_unregister_sockopt(&ebt_sockopts);
1505 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1508 EXPORT_SYMBOL(ebt_register_table);
1509 EXPORT_SYMBOL(ebt_unregister_table);
1510 EXPORT_SYMBOL(ebt_register_match);
1511 EXPORT_SYMBOL(ebt_unregister_match);
1512 EXPORT_SYMBOL(ebt_register_watcher);
1513 EXPORT_SYMBOL(ebt_unregister_watcher);
1514 EXPORT_SYMBOL(ebt_register_target);
1515 EXPORT_SYMBOL(ebt_unregister_target);
1516 EXPORT_SYMBOL(ebt_do_table);
1517 module_init(ebtables_init);
1518 module_exit(ebtables_fini);
1519 MODULE_LICENSE("GPL");