5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <asm/uaccess.h>
28 #include <linux/smp.h>
29 #include <linux/cpumask.h>
31 /* needed for logical [in,out]-dev filtering */
32 #include "../br_private.h"
35 #define ASSERT_READ_LOCK(x)
36 #define ASSERT_WRITE_LOCK(x)
37 #include <linux/netfilter_ipv4/listhelp.h>
40 /* use this for remote debugging
41 * Copyright (C) 1998 by Ori Pomerantz
42 * Print the string to the appropriate tty, the one
43 * the current task uses
45 static void print_string(char *str)
47 struct tty_struct *my_tty;
49 /* The tty for the current task */
50 my_tty = current->signal->tty;
52 my_tty->driver->write(my_tty, 0, str, strlen(str));
53 my_tty->driver->write(my_tty, 0, "\015\012", 2);
57 #define BUGPRINT(args) print_string(args);
59 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
60 "report to author: "format, ## args)
61 /* #define BUGPRINT(format, args...) */
63 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
64 ": out of memory: "format, ## args)
65 /* #define MEMPRINT(format, args...) */
70 * Each cpu has its own set of counters, so there is no need for write_lock in
72 * For reading or updating the counters, the user context needs to
76 /* The size of each set of counters is altered to get cache alignment */
77 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
78 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
79 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
80 COUNTER_OFFSET(n) * cpu))
84 static DECLARE_MUTEX(ebt_mutex);
85 static LIST_HEAD(ebt_tables);
86 static LIST_HEAD(ebt_targets);
87 static LIST_HEAD(ebt_matches);
88 static LIST_HEAD(ebt_watchers);
90 static struct ebt_target ebt_standard_target =
91 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
93 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
94 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
95 const struct net_device *out)
97 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
99 /* watchers don't give a verdict */
103 static inline int ebt_do_match (struct ebt_entry_match *m,
104 const struct sk_buff *skb, const struct net_device *in,
105 const struct net_device *out)
107 return m->u.match->match(skb, in, out, m->data,
111 static inline int ebt_dev_check(char *entry, const struct net_device *device)
114 char *devname = device->name;
120 /* 1 is the wildcard token */
121 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
123 return (devname[i] != entry[i] && entry[i] != 1);
126 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
127 /* process standard matches */
128 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
129 const struct net_device *in, const struct net_device *out)
133 if (e->bitmask & EBT_802_3) {
134 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
136 } else if (!(e->bitmask & EBT_NOPROTO) &&
137 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
140 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
142 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
144 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
145 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
147 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
148 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
151 if (e->bitmask & EBT_SOURCEMAC) {
153 for (i = 0; i < 6; i++)
154 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
156 if (FWINV2(verdict != 0, EBT_ISOURCE) )
159 if (e->bitmask & EBT_DESTMAC) {
161 for (i = 0; i < 6; i++)
162 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
164 if (FWINV2(verdict != 0, EBT_IDEST) )
170 /* Do some firewalling */
171 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
172 const struct net_device *in, const struct net_device *out,
173 struct ebt_table *table)
176 struct ebt_entry *point;
177 struct ebt_counter *counter_base, *cb_base;
178 struct ebt_entry_target *t;
180 struct ebt_chainstack *cs;
181 struct ebt_entries *chaininfo;
183 struct ebt_table_info *private;
185 read_lock_bh(&table->lock);
186 private = table->private;
187 cb_base = COUNTER_BASE(private->counters, private->nentries,
189 if (private->chainstack)
190 cs = private->chainstack[smp_processor_id()];
193 chaininfo = private->hook_entry[hook];
194 nentries = private->hook_entry[hook]->nentries;
195 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
196 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
197 /* base for chain jumps */
198 base = private->entries;
200 while (i < nentries) {
201 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
204 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
207 /* increase counter */
208 (*(counter_base + i)).pcnt++;
209 (*(counter_base + i)).bcnt+=(**pskb).len;
211 /* these should only watch: not modify, nor tell us
212 what to do with the packet */
213 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
216 t = (struct ebt_entry_target *)
217 (((char *)point) + point->target_offset);
218 /* standard target */
219 if (!t->u.target->target)
220 verdict = ((struct ebt_standard_target *)t)->verdict;
222 verdict = t->u.target->target(pskb, hook,
223 in, out, t->data, t->target_size);
224 if (verdict == EBT_ACCEPT) {
225 read_unlock_bh(&table->lock);
228 if (verdict == EBT_DROP) {
229 read_unlock_bh(&table->lock);
232 if (verdict == EBT_RETURN) {
234 #ifdef CONFIG_NETFILTER_DEBUG
236 BUGPRINT("RETURN on base chain");
237 /* act like this is EBT_CONTINUE */
242 /* put all the local variables right */
244 chaininfo = cs[sp].chaininfo;
245 nentries = chaininfo->nentries;
247 counter_base = cb_base +
248 chaininfo->counter_offset;
251 if (verdict == EBT_CONTINUE)
253 #ifdef CONFIG_NETFILTER_DEBUG
255 BUGPRINT("bogus standard verdict\n");
256 read_unlock_bh(&table->lock);
262 cs[sp].chaininfo = chaininfo;
263 cs[sp].e = (struct ebt_entry *)
264 (((char *)point) + point->next_offset);
266 chaininfo = (struct ebt_entries *) (base + verdict);
267 #ifdef CONFIG_NETFILTER_DEBUG
268 if (chaininfo->distinguisher) {
269 BUGPRINT("jump to non-chain\n");
270 read_unlock_bh(&table->lock);
274 nentries = chaininfo->nentries;
275 point = (struct ebt_entry *)chaininfo->data;
276 counter_base = cb_base + chaininfo->counter_offset;
280 point = (struct ebt_entry *)
281 (((char *)point) + point->next_offset);
285 /* I actually like this :) */
286 if (chaininfo->policy == EBT_RETURN)
288 if (chaininfo->policy == EBT_ACCEPT) {
289 read_unlock_bh(&table->lock);
292 read_unlock_bh(&table->lock);
296 /* If it succeeds, returns element and locks mutex */
298 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
299 struct semaphore *mutex)
303 *error = down_interruptible(mutex);
307 ret = list_named_find(head, name);
316 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
319 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
320 int *error, struct semaphore *mutex)
324 ret = find_inlist_lock_noload(head, name, error, mutex);
326 request_module("%s%s", prefix, name);
327 ret = find_inlist_lock_noload(head, name, error, mutex);
333 static inline struct ebt_table *
334 find_table_lock(const char *name, int *error, struct semaphore *mutex)
336 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
339 static inline struct ebt_match *
340 find_match_lock(const char *name, int *error, struct semaphore *mutex)
342 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
345 static inline struct ebt_watcher *
346 find_watcher_lock(const char *name, int *error, struct semaphore *mutex)
348 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
351 static inline struct ebt_target *
352 find_target_lock(const char *name, int *error, struct semaphore *mutex)
354 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
358 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
359 const char *name, unsigned int hookmask, unsigned int *cnt)
361 struct ebt_match *match;
362 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
365 if (left < sizeof(struct ebt_entry_match) ||
366 left - sizeof(struct ebt_entry_match) < m->match_size)
368 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
372 if (!try_module_get(match->me)) {
378 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
379 BUGPRINT("match->check failed\n");
380 module_put(match->me);
388 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
389 const char *name, unsigned int hookmask, unsigned int *cnt)
391 struct ebt_watcher *watcher;
392 size_t left = ((char *)e + e->target_offset) - (char *)w;
395 if (left < sizeof(struct ebt_entry_watcher) ||
396 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
398 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
401 w->u.watcher = watcher;
402 if (!try_module_get(watcher->me)) {
407 if (watcher->check &&
408 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
409 BUGPRINT("watcher->check failed\n");
410 module_put(watcher->me);
418 * this one is very careful, as it is the first function
419 * to parse the userspace data
422 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
423 struct ebt_table_info *newinfo, char *base, char *limit,
424 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
425 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
427 unsigned int offset = (char *)e - newinfo->entries;
428 size_t left = (limit - base) - offset;
431 if (left < sizeof(unsigned int))
434 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
435 if ((valid_hooks & (1 << i)) == 0)
437 if ((char *)hook_entries[i] == base + offset)
440 /* beginning of a new chain
441 if i == NF_BR_NUMHOOKS it must be a user defined chain */
442 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
443 if (e->bitmask != 0) {
444 /* we make userspace set this right,
445 so there is no misunderstanding */
446 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
447 "in distinguisher\n");
450 /* this checks if the previous chain has as many entries
453 BUGPRINT("nentries does not equal the nr of entries "
457 /* before we look at the struct, be sure it is not too big */
458 if (left < sizeof(struct ebt_entries))
460 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
461 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
462 /* only RETURN from udc */
463 if (i != NF_BR_NUMHOOKS ||
464 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
465 BUGPRINT("bad policy\n");
469 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
472 newinfo->hook_entry[i] = (struct ebt_entries *)e;
473 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
474 BUGPRINT("counter_offset != totalcnt");
477 *n = ((struct ebt_entries *)e)->nentries;
481 /* a plain old entry, heh */
482 if (left < sizeof(struct ebt_entry))
484 if (sizeof(struct ebt_entry) > e->watchers_offset ||
485 e->watchers_offset > e->target_offset ||
486 e->target_offset >= e->next_offset) {
487 BUGPRINT("entry offsets not in right order\n");
490 /* this is not checked anywhere else */
491 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
492 BUGPRINT("target size too small\n");
495 if (left < e->next_offset)
503 BUGPRINT("entries_size too small\n");
509 struct ebt_chainstack cs;
511 unsigned int hookmask;
515 * we need these positions to check that the jumps to a different part of the
516 * entries is a jump to the beginning of a new chain.
519 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
520 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
521 struct ebt_cl_stack *udc)
525 /* we're only interested in chain starts */
528 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
529 if ((valid_hooks & (1 << i)) == 0)
531 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
534 /* only care about udc */
535 if (i != NF_BR_NUMHOOKS)
538 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
539 /* these initialisations are depended on later in check_chainloops() */
541 udc[*n].hookmask = 0;
548 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
550 if (i && (*i)-- == 0)
552 if (m->u.match->destroy)
553 m->u.match->destroy(m->data, m->match_size);
554 module_put(m->u.match->me);
560 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
562 if (i && (*i)-- == 0)
564 if (w->u.watcher->destroy)
565 w->u.watcher->destroy(w->data, w->watcher_size);
566 module_put(w->u.watcher->me);
572 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
574 struct ebt_entry_target *t;
579 if (cnt && (*cnt)-- == 0)
581 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
582 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
583 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
584 if (t->u.target->destroy)
585 t->u.target->destroy(t->data, t->target_size);
586 module_put(t->u.target->me);
592 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
593 const char *name, unsigned int *cnt, unsigned int valid_hooks,
594 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
596 struct ebt_entry_target *t;
597 struct ebt_target *target;
598 unsigned int i, j, hook = 0, hookmask = 0;
602 /* don't mess with the struct ebt_entries */
606 if (e->bitmask & ~EBT_F_MASK) {
607 BUGPRINT("Unknown flag for bitmask\n");
610 if (e->invflags & ~EBT_INV_MASK) {
611 BUGPRINT("Unknown flag for inv bitmask\n");
614 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
615 BUGPRINT("NOPROTO & 802_3 not allowed\n");
618 /* what hook do we belong to? */
619 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
620 if ((valid_hooks & (1 << i)) == 0)
622 if ((char *)newinfo->hook_entry[i] < (char *)e)
627 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
629 if (i < NF_BR_NUMHOOKS)
630 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
632 for (i = 0; i < udc_cnt; i++)
633 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
636 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
638 hookmask = cl_s[i - 1].hookmask;
641 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
643 goto cleanup_matches;
645 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
647 goto cleanup_watchers;
648 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
649 gap = e->next_offset - e->target_offset;
650 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
652 goto cleanup_watchers;
653 if (!try_module_get(target->me)) {
656 goto cleanup_watchers;
660 t->u.target = target;
661 if (t->u.target == &ebt_standard_target) {
662 if (gap < sizeof(struct ebt_standard_target)) {
663 BUGPRINT("Standard target size too big\n");
665 goto cleanup_watchers;
667 if (((struct ebt_standard_target *)t)->verdict <
668 -NUM_STANDARD_TARGETS) {
669 BUGPRINT("Invalid standard target\n");
671 goto cleanup_watchers;
673 } else if (t->target_size > gap - sizeof(struct ebt_entry_target) ||
674 (t->u.target->check &&
675 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
676 module_put(t->u.target->me);
678 goto cleanup_watchers;
683 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
685 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
690 * checks for loops and sets the hook mask for udc
691 * the hook mask for udc tells us from which base chains the udc can be
692 * accessed. This mask is a parameter to the check() functions of the extensions
694 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
695 unsigned int udc_cnt, unsigned int hooknr, char *base)
697 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
698 struct ebt_entry *e = (struct ebt_entry *)chain->data;
699 struct ebt_entry_target *t;
701 while (pos < nentries || chain_nr != -1) {
702 /* end of udc, go back one 'recursion' step */
703 if (pos == nentries) {
704 /* put back values of the time when this chain was called */
705 e = cl_s[chain_nr].cs.e;
706 if (cl_s[chain_nr].from != -1)
708 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
710 nentries = chain->nentries;
711 pos = cl_s[chain_nr].cs.n;
712 /* make sure we won't see a loop that isn't one */
713 cl_s[chain_nr].cs.n = 0;
714 chain_nr = cl_s[chain_nr].from;
718 t = (struct ebt_entry_target *)
719 (((char *)e) + e->target_offset);
720 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
722 if (e->target_offset + sizeof(struct ebt_standard_target) >
724 BUGPRINT("Standard target size too big\n");
727 verdict = ((struct ebt_standard_target *)t)->verdict;
728 if (verdict >= 0) { /* jump to another chain */
729 struct ebt_entries *hlp2 =
730 (struct ebt_entries *)(base + verdict);
731 for (i = 0; i < udc_cnt; i++)
732 if (hlp2 == cl_s[i].cs.chaininfo)
734 /* bad destination or loop */
736 BUGPRINT("bad destination\n");
743 if (cl_s[i].hookmask & (1 << hooknr))
745 /* this can't be 0, so the loop test is correct */
746 cl_s[i].cs.n = pos + 1;
748 cl_s[i].cs.e = ((void *)e + e->next_offset);
749 e = (struct ebt_entry *)(hlp2->data);
750 nentries = hlp2->nentries;
751 cl_s[i].from = chain_nr;
753 /* this udc is accessible from the base chain for hooknr */
754 cl_s[i].hookmask |= (1 << hooknr);
758 e = (void *)e + e->next_offset;
764 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
765 static int translate_table(struct ebt_replace *repl,
766 struct ebt_table_info *newinfo)
768 unsigned int i, j, k, udc_cnt;
770 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
773 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
775 if (i == NF_BR_NUMHOOKS) {
776 BUGPRINT("No valid hooks specified\n");
779 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
780 BUGPRINT("Chains don't start at beginning\n");
783 /* make sure chains are ordered after each other in same order
784 as their corresponding hooks */
785 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
786 if (!(repl->valid_hooks & (1 << j)))
788 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
789 BUGPRINT("Hook order must be followed\n");
795 for (i = 0; i < NF_BR_NUMHOOKS; i++)
796 newinfo->hook_entry[i] = NULL;
798 newinfo->entries_size = repl->entries_size;
799 newinfo->nentries = repl->nentries;
801 /* do some early checkings and initialize some things */
802 i = 0; /* holds the expected nr. of entries for the chain */
803 j = 0; /* holds the up to now counted entries for the chain */
804 k = 0; /* holds the total nr. of entries, should equal
805 newinfo->nentries afterwards */
806 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
807 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
808 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
809 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
810 &udc_cnt, repl->valid_hooks);
816 BUGPRINT("nentries does not equal the nr of entries in the "
820 if (k != newinfo->nentries) {
821 BUGPRINT("Total nentries is wrong\n");
825 /* check if all valid hooks have a chain */
826 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
827 if (newinfo->hook_entry[i] == NULL &&
828 (repl->valid_hooks & (1 << i))) {
829 BUGPRINT("Valid hook without chain\n");
834 /* get the location of the udc, put them in an array
835 while we're at it, allocate the chainstack */
837 /* this will get free'd in do_replace()/ebt_register_table()
838 if an error occurs */
839 newinfo->chainstack = (struct ebt_chainstack **)
840 vmalloc((highest_possible_processor_id()+1)
841 * sizeof(struct ebt_chainstack));
842 if (!newinfo->chainstack)
845 newinfo->chainstack[i] =
846 vmalloc(udc_cnt * sizeof(struct ebt_chainstack));
847 if (!newinfo->chainstack[i]) {
849 vfree(newinfo->chainstack[--i]);
850 vfree(newinfo->chainstack);
851 newinfo->chainstack = NULL;
856 cl_s = (struct ebt_cl_stack *)
857 vmalloc(udc_cnt * sizeof(struct ebt_cl_stack));
860 i = 0; /* the i'th udc */
861 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
862 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
863 repl->valid_hooks, cl_s);
866 BUGPRINT("i != udc_cnt\n");
872 /* Check for loops */
873 for (i = 0; i < NF_BR_NUMHOOKS; i++)
874 if (repl->valid_hooks & (1 << i))
875 if (check_chainloops(newinfo->hook_entry[i],
876 cl_s, udc_cnt, i, newinfo->entries)) {
881 /* we now know the following (along with E=mc²):
882 - the nr of entries in each chain is right
883 - the size of the allocated space is right
884 - all valid hooks have a corresponding chain
886 - wrong data can still be on the level of a single entry
887 - could be there are jumps to places that are not the
888 beginning of a chain. This can only occur in chains that
889 are not accessible from any base chains, so we don't care. */
891 /* used to know what we need to clean up if something goes wrong */
893 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
894 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
897 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
898 ebt_cleanup_entry, &i);
904 /* called under write_lock */
905 static void get_counters(struct ebt_counter *oldcounters,
906 struct ebt_counter *counters, unsigned int nentries)
909 struct ebt_counter *counter_base;
911 /* counters of cpu 0 */
912 memcpy(counters, oldcounters,
913 sizeof(struct ebt_counter) * nentries);
915 /* add other counters to those of cpu 0 */
919 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
920 for (i = 0; i < nentries; i++) {
921 counters[i].pcnt += counter_base[i].pcnt;
922 counters[i].bcnt += counter_base[i].bcnt;
927 /* replace the table */
928 static int do_replace(void __user *user, unsigned int len)
930 int ret, i, countersize;
931 struct ebt_table_info *newinfo;
932 struct ebt_replace tmp;
934 struct ebt_counter *counterstmp = NULL;
935 /* used to be able to unlock earlier */
936 struct ebt_table_info *table;
938 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
941 if (len != sizeof(tmp) + tmp.entries_size) {
942 BUGPRINT("Wrong len argument\n");
946 if (tmp.entries_size == 0) {
947 BUGPRINT("Entries_size never zero\n");
951 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
952 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
954 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
957 countersize = COUNTER_OFFSET(tmp.nentries) *
958 (highest_possible_processor_id()+1);
959 newinfo = (struct ebt_table_info *)
960 vmalloc(sizeof(struct ebt_table_info) + countersize);
965 memset(newinfo->counters, 0, countersize);
967 newinfo->entries = vmalloc(tmp.entries_size);
968 if (!newinfo->entries) {
973 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
974 BUGPRINT("Couldn't copy entries from userspace\n");
979 /* the user wants counters back
980 the check on the size is done later, when we have the lock */
981 if (tmp.num_counters) {
982 counterstmp = (struct ebt_counter *)
983 vmalloc(tmp.num_counters * sizeof(struct ebt_counter));
992 /* this can get initialized by translate_table() */
993 newinfo->chainstack = NULL;
994 ret = translate_table(&tmp, newinfo);
997 goto free_counterstmp;
999 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1005 /* the table doesn't like it */
1006 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1009 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1010 BUGPRINT("Wrong nr. of counters requested\n");
1015 /* we have the mutex lock, so no danger in reading this pointer */
1017 /* make sure the table can only be rmmod'ed if it contains no rules */
1018 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1021 } else if (table->nentries && !newinfo->nentries)
1023 /* we need an atomic snapshot of the counters */
1024 write_lock_bh(&t->lock);
1025 if (tmp.num_counters)
1026 get_counters(t->private->counters, counterstmp,
1027 t->private->nentries);
1029 t->private = newinfo;
1030 write_unlock_bh(&t->lock);
1032 /* so, a user can change the chains while having messed up her counter
1033 allocation. Only reason why this is done is because this way the lock
1034 is held only once, while this doesn't bring the kernel into a
1036 if (tmp.num_counters &&
1037 copy_to_user(tmp.counters, counterstmp,
1038 tmp.num_counters * sizeof(struct ebt_counter))) {
1039 BUGPRINT("Couldn't copy counters to userspace\n");
1045 /* decrease module count and free resources */
1046 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1047 ebt_cleanup_entry, NULL);
1049 vfree(table->entries);
1050 if (table->chainstack) {
1052 vfree(table->chainstack[i]);
1053 vfree(table->chainstack);
1063 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1064 ebt_cleanup_entry, NULL);
1067 /* can be initialized in translate_table() */
1068 if (newinfo->chainstack) {
1070 vfree(newinfo->chainstack[i]);
1071 vfree(newinfo->chainstack);
1074 vfree(newinfo->entries);
1080 int ebt_register_target(struct ebt_target *target)
1084 ret = down_interruptible(&ebt_mutex);
1087 if (!list_named_insert(&ebt_targets, target)) {
1096 void ebt_unregister_target(struct ebt_target *target)
1099 LIST_DELETE(&ebt_targets, target);
1103 int ebt_register_match(struct ebt_match *match)
1107 ret = down_interruptible(&ebt_mutex);
1110 if (!list_named_insert(&ebt_matches, match)) {
1119 void ebt_unregister_match(struct ebt_match *match)
1122 LIST_DELETE(&ebt_matches, match);
1126 int ebt_register_watcher(struct ebt_watcher *watcher)
1130 ret = down_interruptible(&ebt_mutex);
1133 if (!list_named_insert(&ebt_watchers, watcher)) {
1142 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1145 LIST_DELETE(&ebt_watchers, watcher);
1149 int ebt_register_table(struct ebt_table *table)
1151 struct ebt_table_info *newinfo;
1152 int ret, i, countersize;
1154 if (!table || !table->table ||!table->table->entries ||
1155 table->table->entries_size == 0 ||
1156 table->table->counters || table->private) {
1157 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1161 countersize = COUNTER_OFFSET(table->table->nentries) *
1162 (highest_possible_processor_id()+1);
1163 newinfo = (struct ebt_table_info *)
1164 vmalloc(sizeof(struct ebt_table_info) + countersize);
1169 newinfo->entries = vmalloc(table->table->entries_size);
1170 if (!(newinfo->entries))
1173 memcpy(newinfo->entries, table->table->entries,
1174 table->table->entries_size);
1177 memset(newinfo->counters, 0, countersize);
1179 /* fill in newinfo and parse the entries */
1180 newinfo->chainstack = NULL;
1181 ret = translate_table(table->table, newinfo);
1183 BUGPRINT("Translate_table failed\n");
1184 goto free_chainstack;
1187 if (table->check && table->check(newinfo, table->valid_hooks)) {
1188 BUGPRINT("The table doesn't like its own initial data, lol\n");
1192 table->private = newinfo;
1193 rwlock_init(&table->lock);
1194 ret = down_interruptible(&ebt_mutex);
1196 goto free_chainstack;
1198 if (list_named_find(&ebt_tables, table->name)) {
1200 BUGPRINT("Table name already exists\n");
1204 /* Hold a reference count if the chains aren't empty */
1205 if (newinfo->nentries && !try_module_get(table->me)) {
1209 list_prepend(&ebt_tables, table);
1215 if (newinfo->chainstack) {
1217 vfree(newinfo->chainstack[i]);
1218 vfree(newinfo->chainstack);
1220 vfree(newinfo->entries);
1226 void ebt_unregister_table(struct ebt_table *table)
1231 BUGPRINT("Request to unregister NULL table!!!\n");
1235 LIST_DELETE(&ebt_tables, table);
1237 vfree(table->private->entries);
1238 if (table->private->chainstack) {
1240 vfree(table->private->chainstack[i]);
1241 vfree(table->private->chainstack);
1243 vfree(table->private);
1246 /* userspace just supplied us with counters */
1247 static int update_counters(void __user *user, unsigned int len)
1250 struct ebt_counter *tmp;
1251 struct ebt_replace hlp;
1252 struct ebt_table *t;
1254 if (copy_from_user(&hlp, user, sizeof(hlp)))
1257 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1259 if (hlp.num_counters == 0)
1262 if ( !(tmp = (struct ebt_counter *)
1263 vmalloc(hlp.num_counters * sizeof(struct ebt_counter))) ){
1264 MEMPRINT("Update_counters && nomemory\n");
1268 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1272 if (hlp.num_counters != t->private->nentries) {
1273 BUGPRINT("Wrong nr of counters\n");
1278 if ( copy_from_user(tmp, hlp.counters,
1279 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1280 BUGPRINT("Updata_counters && !cfu\n");
1285 /* we want an atomic add of the counters */
1286 write_lock_bh(&t->lock);
1288 /* we add to the counters of the first cpu */
1289 for (i = 0; i < hlp.num_counters; i++) {
1290 t->private->counters[i].pcnt += tmp[i].pcnt;
1291 t->private->counters[i].bcnt += tmp[i].bcnt;
1294 write_unlock_bh(&t->lock);
1303 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1304 char *base, char *ubase)
1306 char *hlp = ubase - base + (char *)m;
1307 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1312 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1313 char *base, char *ubase)
1315 char *hlp = ubase - base + (char *)w;
1316 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1321 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1325 struct ebt_entry_target *t;
1327 if (e->bitmask == 0)
1330 hlp = ubase - base + (char *)e + e->target_offset;
1331 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1333 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1336 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1339 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1344 /* called with ebt_mutex down */
1345 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1348 struct ebt_replace tmp;
1349 struct ebt_counter *counterstmp, *oldcounters;
1350 unsigned int entries_size, nentries;
1353 if (cmd == EBT_SO_GET_ENTRIES) {
1354 entries_size = t->private->entries_size;
1355 nentries = t->private->nentries;
1356 entries = t->private->entries;
1357 oldcounters = t->private->counters;
1359 entries_size = t->table->entries_size;
1360 nentries = t->table->nentries;
1361 entries = t->table->entries;
1362 oldcounters = t->table->counters;
1365 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1366 BUGPRINT("Cfu didn't work\n");
1370 if (*len != sizeof(struct ebt_replace) + entries_size +
1371 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1372 BUGPRINT("Wrong size\n");
1376 if (tmp.nentries != nentries) {
1377 BUGPRINT("Nentries wrong\n");
1381 if (tmp.entries_size != entries_size) {
1382 BUGPRINT("Wrong size\n");
1386 /* userspace might not need the counters */
1387 if (tmp.num_counters) {
1388 if (tmp.num_counters != nentries) {
1389 BUGPRINT("Num_counters wrong\n");
1392 counterstmp = (struct ebt_counter *)
1393 vmalloc(nentries * sizeof(struct ebt_counter));
1395 MEMPRINT("Couldn't copy counters, out of memory\n");
1398 write_lock_bh(&t->lock);
1399 get_counters(oldcounters, counterstmp, nentries);
1400 write_unlock_bh(&t->lock);
1402 if (copy_to_user(tmp.counters, counterstmp,
1403 nentries * sizeof(struct ebt_counter))) {
1404 BUGPRINT("Couldn't copy counters to userspace\n");
1411 if (copy_to_user(tmp.entries, entries, entries_size)) {
1412 BUGPRINT("Couldn't copy entries to userspace\n");
1415 /* set the match/watcher/target names right */
1416 return EBT_ENTRY_ITERATE(entries, entries_size,
1417 ebt_make_names, entries, tmp.entries);
1420 static int do_ebt_set_ctl(struct sock *sk,
1421 int cmd, void __user *user, unsigned int len)
1426 case EBT_SO_SET_ENTRIES:
1427 ret = do_replace(user, len);
1429 case EBT_SO_SET_COUNTERS:
1430 ret = update_counters(user, len);
1438 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1441 struct ebt_replace tmp;
1442 struct ebt_table *t;
1444 if (copy_from_user(&tmp, user, sizeof(tmp)))
1447 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1452 case EBT_SO_GET_INFO:
1453 case EBT_SO_GET_INIT_INFO:
1454 if (*len != sizeof(struct ebt_replace)){
1459 if (cmd == EBT_SO_GET_INFO) {
1460 tmp.nentries = t->private->nentries;
1461 tmp.entries_size = t->private->entries_size;
1462 tmp.valid_hooks = t->valid_hooks;
1464 tmp.nentries = t->table->nentries;
1465 tmp.entries_size = t->table->entries_size;
1466 tmp.valid_hooks = t->table->valid_hooks;
1469 if (copy_to_user(user, &tmp, *len) != 0){
1470 BUGPRINT("c2u Didn't work\n");
1477 case EBT_SO_GET_ENTRIES:
1478 case EBT_SO_GET_INIT_ENTRIES:
1479 ret = copy_everything_to_user(t, user, len, cmd);
1491 static struct nf_sockopt_ops ebt_sockopts =
1492 { { NULL, NULL }, PF_INET, EBT_BASE_CTL, EBT_SO_SET_MAX + 1, do_ebt_set_ctl,
1493 EBT_BASE_CTL, EBT_SO_GET_MAX + 1, do_ebt_get_ctl, 0, NULL
1496 static int __init init(void)
1501 list_named_insert(&ebt_targets, &ebt_standard_target);
1503 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1506 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1510 static void __exit fini(void)
1512 nf_unregister_sockopt(&ebt_sockopts);
1513 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1516 EXPORT_SYMBOL(ebt_register_table);
1517 EXPORT_SYMBOL(ebt_unregister_table);
1518 EXPORT_SYMBOL(ebt_register_match);
1519 EXPORT_SYMBOL(ebt_unregister_match);
1520 EXPORT_SYMBOL(ebt_register_watcher);
1521 EXPORT_SYMBOL(ebt_unregister_watcher);
1522 EXPORT_SYMBOL(ebt_register_target);
1523 EXPORT_SYMBOL(ebt_unregister_target);
1524 EXPORT_SYMBOL(ebt_do_table);
1527 MODULE_LICENSE("GPL");