5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <asm/uaccess.h>
28 #include <linux/smp.h>
29 #include <linux/cpumask.h>
31 /* needed for logical [in,out]-dev filtering */
32 #include "../br_private.h"
35 #define ASSERT_READ_LOCK(x)
36 #define ASSERT_WRITE_LOCK(x)
37 #include <linux/netfilter_ipv4/listhelp.h>
38 #include <linux/mutex.h>
41 /* use this for remote debugging
42 * Copyright (C) 1998 by Ori Pomerantz
43 * Print the string to the appropriate tty, the one
44 * the current task uses
46 static void print_string(char *str)
48 struct tty_struct *my_tty;
50 /* The tty for the current task */
51 my_tty = current->signal->tty;
53 my_tty->driver->write(my_tty, 0, str, strlen(str));
54 my_tty->driver->write(my_tty, 0, "\015\012", 2);
58 #define BUGPRINT(args) print_string(args);
60 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
61 "report to author: "format, ## args)
62 /* #define BUGPRINT(format, args...) */
64 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
65 ": out of memory: "format, ## args)
66 /* #define MEMPRINT(format, args...) */
71 * Each cpu has its own set of counters, so there is no need for write_lock in
73 * For reading or updating the counters, the user context needs to
77 /* The size of each set of counters is altered to get cache alignment */
78 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
79 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
80 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
81 COUNTER_OFFSET(n) * cpu))
85 static DEFINE_MUTEX(ebt_mutex);
86 static LIST_HEAD(ebt_tables);
87 static LIST_HEAD(ebt_targets);
88 static LIST_HEAD(ebt_matches);
89 static LIST_HEAD(ebt_watchers);
91 static struct ebt_target ebt_standard_target =
92 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
94 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
95 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
96 const struct net_device *out)
98 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
100 /* watchers don't give a verdict */
104 static inline int ebt_do_match (struct ebt_entry_match *m,
105 const struct sk_buff *skb, const struct net_device *in,
106 const struct net_device *out)
108 return m->u.match->match(skb, in, out, m->data,
112 static inline int ebt_dev_check(char *entry, const struct net_device *device)
115 char *devname = device->name;
121 /* 1 is the wildcard token */
122 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
124 return (devname[i] != entry[i] && entry[i] != 1);
127 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
128 /* process standard matches */
129 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
130 const struct net_device *in, const struct net_device *out)
134 if (e->bitmask & EBT_802_3) {
135 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
137 } else if (!(e->bitmask & EBT_NOPROTO) &&
138 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
141 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
143 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
145 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
146 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
148 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
149 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
152 if (e->bitmask & EBT_SOURCEMAC) {
154 for (i = 0; i < 6; i++)
155 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
157 if (FWINV2(verdict != 0, EBT_ISOURCE) )
160 if (e->bitmask & EBT_DESTMAC) {
162 for (i = 0; i < 6; i++)
163 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
165 if (FWINV2(verdict != 0, EBT_IDEST) )
171 /* Do some firewalling */
172 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
173 const struct net_device *in, const struct net_device *out,
174 struct ebt_table *table)
177 struct ebt_entry *point;
178 struct ebt_counter *counter_base, *cb_base;
179 struct ebt_entry_target *t;
181 struct ebt_chainstack *cs;
182 struct ebt_entries *chaininfo;
184 struct ebt_table_info *private;
186 read_lock_bh(&table->lock);
187 private = table->private;
188 cb_base = COUNTER_BASE(private->counters, private->nentries,
190 if (private->chainstack)
191 cs = private->chainstack[smp_processor_id()];
194 chaininfo = private->hook_entry[hook];
195 nentries = private->hook_entry[hook]->nentries;
196 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
197 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
198 /* base for chain jumps */
199 base = private->entries;
201 while (i < nentries) {
202 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
205 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
208 /* increase counter */
209 (*(counter_base + i)).pcnt++;
210 (*(counter_base + i)).bcnt+=(**pskb).len;
212 /* these should only watch: not modify, nor tell us
213 what to do with the packet */
214 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
217 t = (struct ebt_entry_target *)
218 (((char *)point) + point->target_offset);
219 /* standard target */
220 if (!t->u.target->target)
221 verdict = ((struct ebt_standard_target *)t)->verdict;
223 verdict = t->u.target->target(pskb, hook,
224 in, out, t->data, t->target_size);
225 if (verdict == EBT_ACCEPT) {
226 read_unlock_bh(&table->lock);
229 if (verdict == EBT_DROP) {
230 read_unlock_bh(&table->lock);
233 if (verdict == EBT_RETURN) {
235 #ifdef CONFIG_NETFILTER_DEBUG
237 BUGPRINT("RETURN on base chain");
238 /* act like this is EBT_CONTINUE */
243 /* put all the local variables right */
245 chaininfo = cs[sp].chaininfo;
246 nentries = chaininfo->nentries;
248 counter_base = cb_base +
249 chaininfo->counter_offset;
252 if (verdict == EBT_CONTINUE)
254 #ifdef CONFIG_NETFILTER_DEBUG
256 BUGPRINT("bogus standard verdict\n");
257 read_unlock_bh(&table->lock);
263 cs[sp].chaininfo = chaininfo;
264 cs[sp].e = (struct ebt_entry *)
265 (((char *)point) + point->next_offset);
267 chaininfo = (struct ebt_entries *) (base + verdict);
268 #ifdef CONFIG_NETFILTER_DEBUG
269 if (chaininfo->distinguisher) {
270 BUGPRINT("jump to non-chain\n");
271 read_unlock_bh(&table->lock);
275 nentries = chaininfo->nentries;
276 point = (struct ebt_entry *)chaininfo->data;
277 counter_base = cb_base + chaininfo->counter_offset;
281 point = (struct ebt_entry *)
282 (((char *)point) + point->next_offset);
286 /* I actually like this :) */
287 if (chaininfo->policy == EBT_RETURN)
289 if (chaininfo->policy == EBT_ACCEPT) {
290 read_unlock_bh(&table->lock);
293 read_unlock_bh(&table->lock);
297 /* If it succeeds, returns element and locks mutex */
299 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
304 *error = mutex_lock_interruptible(mutex);
308 ret = list_named_find(head, name);
317 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
320 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
321 int *error, struct mutex *mutex)
325 ret = find_inlist_lock_noload(head, name, error, mutex);
327 request_module("%s%s", prefix, name);
328 ret = find_inlist_lock_noload(head, name, error, mutex);
334 static inline struct ebt_table *
335 find_table_lock(const char *name, int *error, struct mutex *mutex)
337 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
340 static inline struct ebt_match *
341 find_match_lock(const char *name, int *error, struct mutex *mutex)
343 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
346 static inline struct ebt_watcher *
347 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
349 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
352 static inline struct ebt_target *
353 find_target_lock(const char *name, int *error, struct mutex *mutex)
355 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
359 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
360 const char *name, unsigned int hookmask, unsigned int *cnt)
362 struct ebt_match *match;
363 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
366 if (left < sizeof(struct ebt_entry_match) ||
367 left - sizeof(struct ebt_entry_match) < m->match_size)
369 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
373 if (!try_module_get(match->me)) {
374 mutex_unlock(&ebt_mutex);
377 mutex_unlock(&ebt_mutex);
379 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
380 BUGPRINT("match->check failed\n");
381 module_put(match->me);
389 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
390 const char *name, unsigned int hookmask, unsigned int *cnt)
392 struct ebt_watcher *watcher;
393 size_t left = ((char *)e + e->target_offset) - (char *)w;
396 if (left < sizeof(struct ebt_entry_watcher) ||
397 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
399 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
402 w->u.watcher = watcher;
403 if (!try_module_get(watcher->me)) {
404 mutex_unlock(&ebt_mutex);
407 mutex_unlock(&ebt_mutex);
408 if (watcher->check &&
409 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
410 BUGPRINT("watcher->check failed\n");
411 module_put(watcher->me);
419 * this one is very careful, as it is the first function
420 * to parse the userspace data
423 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
424 struct ebt_table_info *newinfo, char *base, char *limit,
425 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
426 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
428 unsigned int offset = (char *)e - newinfo->entries;
429 size_t left = (limit - base) - offset;
432 if (left < sizeof(unsigned int))
435 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
436 if ((valid_hooks & (1 << i)) == 0)
438 if ((char *)hook_entries[i] == base + offset)
441 /* beginning of a new chain
442 if i == NF_BR_NUMHOOKS it must be a user defined chain */
443 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
444 if (e->bitmask != 0) {
445 /* we make userspace set this right,
446 so there is no misunderstanding */
447 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
448 "in distinguisher\n");
451 /* this checks if the previous chain has as many entries
454 BUGPRINT("nentries does not equal the nr of entries "
458 /* before we look at the struct, be sure it is not too big */
459 if (left < sizeof(struct ebt_entries))
461 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
462 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
463 /* only RETURN from udc */
464 if (i != NF_BR_NUMHOOKS ||
465 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
466 BUGPRINT("bad policy\n");
470 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
473 newinfo->hook_entry[i] = (struct ebt_entries *)e;
474 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
475 BUGPRINT("counter_offset != totalcnt");
478 *n = ((struct ebt_entries *)e)->nentries;
482 /* a plain old entry, heh */
483 if (left < sizeof(struct ebt_entry))
485 if (sizeof(struct ebt_entry) > e->watchers_offset ||
486 e->watchers_offset > e->target_offset ||
487 e->target_offset >= e->next_offset) {
488 BUGPRINT("entry offsets not in right order\n");
491 /* this is not checked anywhere else */
492 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
493 BUGPRINT("target size too small\n");
496 if (left < e->next_offset)
504 BUGPRINT("entries_size too small\n");
510 struct ebt_chainstack cs;
512 unsigned int hookmask;
516 * we need these positions to check that the jumps to a different part of the
517 * entries is a jump to the beginning of a new chain.
520 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
521 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
522 struct ebt_cl_stack *udc)
526 /* we're only interested in chain starts */
529 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
530 if ((valid_hooks & (1 << i)) == 0)
532 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
535 /* only care about udc */
536 if (i != NF_BR_NUMHOOKS)
539 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
540 /* these initialisations are depended on later in check_chainloops() */
542 udc[*n].hookmask = 0;
549 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
551 if (i && (*i)-- == 0)
553 if (m->u.match->destroy)
554 m->u.match->destroy(m->data, m->match_size);
555 module_put(m->u.match->me);
561 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
563 if (i && (*i)-- == 0)
565 if (w->u.watcher->destroy)
566 w->u.watcher->destroy(w->data, w->watcher_size);
567 module_put(w->u.watcher->me);
573 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
575 struct ebt_entry_target *t;
580 if (cnt && (*cnt)-- == 0)
582 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
583 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
584 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
585 if (t->u.target->destroy)
586 t->u.target->destroy(t->data, t->target_size);
587 module_put(t->u.target->me);
593 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
594 const char *name, unsigned int *cnt, unsigned int valid_hooks,
595 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
597 struct ebt_entry_target *t;
598 struct ebt_target *target;
599 unsigned int i, j, hook = 0, hookmask = 0;
600 size_t gap = e->next_offset - e->target_offset;
603 /* don't mess with the struct ebt_entries */
607 if (e->bitmask & ~EBT_F_MASK) {
608 BUGPRINT("Unknown flag for bitmask\n");
611 if (e->invflags & ~EBT_INV_MASK) {
612 BUGPRINT("Unknown flag for inv bitmask\n");
615 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
616 BUGPRINT("NOPROTO & 802_3 not allowed\n");
619 /* what hook do we belong to? */
620 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
621 if ((valid_hooks & (1 << i)) == 0)
623 if ((char *)newinfo->hook_entry[i] < (char *)e)
628 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
630 if (i < NF_BR_NUMHOOKS)
631 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
633 for (i = 0; i < udc_cnt; i++)
634 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
637 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
639 hookmask = cl_s[i - 1].hookmask;
642 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
644 goto cleanup_matches;
646 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
648 goto cleanup_watchers;
649 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
650 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
652 goto cleanup_watchers;
653 if (!try_module_get(target->me)) {
654 mutex_unlock(&ebt_mutex);
656 goto cleanup_watchers;
658 mutex_unlock(&ebt_mutex);
660 t->u.target = target;
661 if (t->u.target == &ebt_standard_target) {
662 if (gap < sizeof(struct ebt_standard_target)) {
663 BUGPRINT("Standard target size too big\n");
665 goto cleanup_watchers;
667 if (((struct ebt_standard_target *)t)->verdict <
668 -NUM_STANDARD_TARGETS) {
669 BUGPRINT("Invalid standard target\n");
671 goto cleanup_watchers;
673 } else if (t->target_size > gap - sizeof(struct ebt_entry_target) ||
674 (t->u.target->check &&
675 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
676 module_put(t->u.target->me);
678 goto cleanup_watchers;
683 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
685 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
690 * checks for loops and sets the hook mask for udc
691 * the hook mask for udc tells us from which base chains the udc can be
692 * accessed. This mask is a parameter to the check() functions of the extensions
694 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
695 unsigned int udc_cnt, unsigned int hooknr, char *base)
697 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
698 struct ebt_entry *e = (struct ebt_entry *)chain->data;
699 struct ebt_entry_target *t;
701 while (pos < nentries || chain_nr != -1) {
702 /* end of udc, go back one 'recursion' step */
703 if (pos == nentries) {
704 /* put back values of the time when this chain was called */
705 e = cl_s[chain_nr].cs.e;
706 if (cl_s[chain_nr].from != -1)
708 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
710 nentries = chain->nentries;
711 pos = cl_s[chain_nr].cs.n;
712 /* make sure we won't see a loop that isn't one */
713 cl_s[chain_nr].cs.n = 0;
714 chain_nr = cl_s[chain_nr].from;
718 t = (struct ebt_entry_target *)
719 (((char *)e) + e->target_offset);
720 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
722 if (e->target_offset + sizeof(struct ebt_standard_target) >
724 BUGPRINT("Standard target size too big\n");
727 verdict = ((struct ebt_standard_target *)t)->verdict;
728 if (verdict >= 0) { /* jump to another chain */
729 struct ebt_entries *hlp2 =
730 (struct ebt_entries *)(base + verdict);
731 for (i = 0; i < udc_cnt; i++)
732 if (hlp2 == cl_s[i].cs.chaininfo)
734 /* bad destination or loop */
736 BUGPRINT("bad destination\n");
743 if (cl_s[i].hookmask & (1 << hooknr))
745 /* this can't be 0, so the loop test is correct */
746 cl_s[i].cs.n = pos + 1;
748 cl_s[i].cs.e = ((void *)e + e->next_offset);
749 e = (struct ebt_entry *)(hlp2->data);
750 nentries = hlp2->nentries;
751 cl_s[i].from = chain_nr;
753 /* this udc is accessible from the base chain for hooknr */
754 cl_s[i].hookmask |= (1 << hooknr);
758 e = (void *)e + e->next_offset;
764 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
765 static int translate_table(struct ebt_replace *repl,
766 struct ebt_table_info *newinfo)
768 unsigned int i, j, k, udc_cnt;
770 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
773 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
775 if (i == NF_BR_NUMHOOKS) {
776 BUGPRINT("No valid hooks specified\n");
779 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
780 BUGPRINT("Chains don't start at beginning\n");
783 /* make sure chains are ordered after each other in same order
784 as their corresponding hooks */
785 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
786 if (!(repl->valid_hooks & (1 << j)))
788 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
789 BUGPRINT("Hook order must be followed\n");
795 for (i = 0; i < NF_BR_NUMHOOKS; i++)
796 newinfo->hook_entry[i] = NULL;
798 newinfo->entries_size = repl->entries_size;
799 newinfo->nentries = repl->nentries;
801 /* do some early checkings and initialize some things */
802 i = 0; /* holds the expected nr. of entries for the chain */
803 j = 0; /* holds the up to now counted entries for the chain */
804 k = 0; /* holds the total nr. of entries, should equal
805 newinfo->nentries afterwards */
806 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
807 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
808 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
809 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
810 &udc_cnt, repl->valid_hooks);
816 BUGPRINT("nentries does not equal the nr of entries in the "
820 if (k != newinfo->nentries) {
821 BUGPRINT("Total nentries is wrong\n");
825 /* check if all valid hooks have a chain */
826 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
827 if (newinfo->hook_entry[i] == NULL &&
828 (repl->valid_hooks & (1 << i))) {
829 BUGPRINT("Valid hook without chain\n");
834 /* get the location of the udc, put them in an array
835 while we're at it, allocate the chainstack */
837 /* this will get free'd in do_replace()/ebt_register_table()
838 if an error occurs */
839 newinfo->chainstack =
840 vmalloc((highest_possible_processor_id()+1)
841 * sizeof(*(newinfo->chainstack)));
842 if (!newinfo->chainstack)
844 for_each_possible_cpu(i) {
845 newinfo->chainstack[i] =
846 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
847 if (!newinfo->chainstack[i]) {
849 vfree(newinfo->chainstack[--i]);
850 vfree(newinfo->chainstack);
851 newinfo->chainstack = NULL;
856 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
859 i = 0; /* the i'th udc */
860 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
861 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
862 repl->valid_hooks, cl_s);
865 BUGPRINT("i != udc_cnt\n");
871 /* Check for loops */
872 for (i = 0; i < NF_BR_NUMHOOKS; i++)
873 if (repl->valid_hooks & (1 << i))
874 if (check_chainloops(newinfo->hook_entry[i],
875 cl_s, udc_cnt, i, newinfo->entries)) {
880 /* we now know the following (along with E=mc²):
881 - the nr of entries in each chain is right
882 - the size of the allocated space is right
883 - all valid hooks have a corresponding chain
885 - wrong data can still be on the level of a single entry
886 - could be there are jumps to places that are not the
887 beginning of a chain. This can only occur in chains that
888 are not accessible from any base chains, so we don't care. */
890 /* used to know what we need to clean up if something goes wrong */
892 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
893 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
896 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
897 ebt_cleanup_entry, &i);
903 /* called under write_lock */
904 static void get_counters(struct ebt_counter *oldcounters,
905 struct ebt_counter *counters, unsigned int nentries)
908 struct ebt_counter *counter_base;
910 /* counters of cpu 0 */
911 memcpy(counters, oldcounters,
912 sizeof(struct ebt_counter) * nentries);
914 /* add other counters to those of cpu 0 */
915 for_each_possible_cpu(cpu) {
918 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
919 for (i = 0; i < nentries; i++) {
920 counters[i].pcnt += counter_base[i].pcnt;
921 counters[i].bcnt += counter_base[i].bcnt;
926 /* replace the table */
927 static int do_replace(void __user *user, unsigned int len)
929 int ret, i, countersize;
930 struct ebt_table_info *newinfo;
931 struct ebt_replace tmp;
933 struct ebt_counter *counterstmp = NULL;
934 /* used to be able to unlock earlier */
935 struct ebt_table_info *table;
937 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
940 if (len != sizeof(tmp) + tmp.entries_size) {
941 BUGPRINT("Wrong len argument\n");
945 if (tmp.entries_size == 0) {
946 BUGPRINT("Entries_size never zero\n");
950 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
951 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
953 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
956 countersize = COUNTER_OFFSET(tmp.nentries) *
957 (highest_possible_processor_id()+1);
958 newinfo = vmalloc(sizeof(*newinfo) + countersize);
963 memset(newinfo->counters, 0, countersize);
965 newinfo->entries = vmalloc(tmp.entries_size);
966 if (!newinfo->entries) {
971 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
972 BUGPRINT("Couldn't copy entries from userspace\n");
977 /* the user wants counters back
978 the check on the size is done later, when we have the lock */
979 if (tmp.num_counters) {
980 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
989 /* this can get initialized by translate_table() */
990 newinfo->chainstack = NULL;
991 ret = translate_table(&tmp, newinfo);
994 goto free_counterstmp;
996 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1002 /* the table doesn't like it */
1003 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1006 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1007 BUGPRINT("Wrong nr. of counters requested\n");
1012 /* we have the mutex lock, so no danger in reading this pointer */
1014 /* make sure the table can only be rmmod'ed if it contains no rules */
1015 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1018 } else if (table->nentries && !newinfo->nentries)
1020 /* we need an atomic snapshot of the counters */
1021 write_lock_bh(&t->lock);
1022 if (tmp.num_counters)
1023 get_counters(t->private->counters, counterstmp,
1024 t->private->nentries);
1026 t->private = newinfo;
1027 write_unlock_bh(&t->lock);
1028 mutex_unlock(&ebt_mutex);
1029 /* so, a user can change the chains while having messed up her counter
1030 allocation. Only reason why this is done is because this way the lock
1031 is held only once, while this doesn't bring the kernel into a
1033 if (tmp.num_counters &&
1034 copy_to_user(tmp.counters, counterstmp,
1035 tmp.num_counters * sizeof(struct ebt_counter))) {
1036 BUGPRINT("Couldn't copy counters to userspace\n");
1042 /* decrease module count and free resources */
1043 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1044 ebt_cleanup_entry, NULL);
1046 vfree(table->entries);
1047 if (table->chainstack) {
1048 for_each_possible_cpu(i)
1049 vfree(table->chainstack[i]);
1050 vfree(table->chainstack);
1058 mutex_unlock(&ebt_mutex);
1060 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1061 ebt_cleanup_entry, NULL);
1064 /* can be initialized in translate_table() */
1065 if (newinfo->chainstack) {
1066 for_each_possible_cpu(i)
1067 vfree(newinfo->chainstack[i]);
1068 vfree(newinfo->chainstack);
1071 vfree(newinfo->entries);
1077 int ebt_register_target(struct ebt_target *target)
1081 ret = mutex_lock_interruptible(&ebt_mutex);
1084 if (!list_named_insert(&ebt_targets, target)) {
1085 mutex_unlock(&ebt_mutex);
1088 mutex_unlock(&ebt_mutex);
1093 void ebt_unregister_target(struct ebt_target *target)
1095 mutex_lock(&ebt_mutex);
1096 LIST_DELETE(&ebt_targets, target);
1097 mutex_unlock(&ebt_mutex);
1100 int ebt_register_match(struct ebt_match *match)
1104 ret = mutex_lock_interruptible(&ebt_mutex);
1107 if (!list_named_insert(&ebt_matches, match)) {
1108 mutex_unlock(&ebt_mutex);
1111 mutex_unlock(&ebt_mutex);
1116 void ebt_unregister_match(struct ebt_match *match)
1118 mutex_lock(&ebt_mutex);
1119 LIST_DELETE(&ebt_matches, match);
1120 mutex_unlock(&ebt_mutex);
1123 int ebt_register_watcher(struct ebt_watcher *watcher)
1127 ret = mutex_lock_interruptible(&ebt_mutex);
1130 if (!list_named_insert(&ebt_watchers, watcher)) {
1131 mutex_unlock(&ebt_mutex);
1134 mutex_unlock(&ebt_mutex);
1139 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1141 mutex_lock(&ebt_mutex);
1142 LIST_DELETE(&ebt_watchers, watcher);
1143 mutex_unlock(&ebt_mutex);
1146 int ebt_register_table(struct ebt_table *table)
1148 struct ebt_table_info *newinfo;
1149 int ret, i, countersize;
1151 if (!table || !table->table ||!table->table->entries ||
1152 table->table->entries_size == 0 ||
1153 table->table->counters || table->private) {
1154 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1158 countersize = COUNTER_OFFSET(table->table->nentries) *
1159 (highest_possible_processor_id()+1);
1160 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1165 newinfo->entries = vmalloc(table->table->entries_size);
1166 if (!(newinfo->entries))
1169 memcpy(newinfo->entries, table->table->entries,
1170 table->table->entries_size);
1173 memset(newinfo->counters, 0, countersize);
1175 /* fill in newinfo and parse the entries */
1176 newinfo->chainstack = NULL;
1177 ret = translate_table(table->table, newinfo);
1179 BUGPRINT("Translate_table failed\n");
1180 goto free_chainstack;
1183 if (table->check && table->check(newinfo, table->valid_hooks)) {
1184 BUGPRINT("The table doesn't like its own initial data, lol\n");
1188 table->private = newinfo;
1189 rwlock_init(&table->lock);
1190 ret = mutex_lock_interruptible(&ebt_mutex);
1192 goto free_chainstack;
1194 if (list_named_find(&ebt_tables, table->name)) {
1196 BUGPRINT("Table name already exists\n");
1200 /* Hold a reference count if the chains aren't empty */
1201 if (newinfo->nentries && !try_module_get(table->me)) {
1205 list_prepend(&ebt_tables, table);
1206 mutex_unlock(&ebt_mutex);
1209 mutex_unlock(&ebt_mutex);
1211 if (newinfo->chainstack) {
1212 for_each_possible_cpu(i)
1213 vfree(newinfo->chainstack[i]);
1214 vfree(newinfo->chainstack);
1216 vfree(newinfo->entries);
1222 void ebt_unregister_table(struct ebt_table *table)
1227 BUGPRINT("Request to unregister NULL table!!!\n");
1230 mutex_lock(&ebt_mutex);
1231 LIST_DELETE(&ebt_tables, table);
1232 mutex_unlock(&ebt_mutex);
1233 vfree(table->private->entries);
1234 if (table->private->chainstack) {
1235 for_each_possible_cpu(i)
1236 vfree(table->private->chainstack[i]);
1237 vfree(table->private->chainstack);
1239 vfree(table->private);
1242 /* userspace just supplied us with counters */
1243 static int update_counters(void __user *user, unsigned int len)
1246 struct ebt_counter *tmp;
1247 struct ebt_replace hlp;
1248 struct ebt_table *t;
1250 if (copy_from_user(&hlp, user, sizeof(hlp)))
1253 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1255 if (hlp.num_counters == 0)
1258 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1259 MEMPRINT("Update_counters && nomemory\n");
1263 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1267 if (hlp.num_counters != t->private->nentries) {
1268 BUGPRINT("Wrong nr of counters\n");
1273 if ( copy_from_user(tmp, hlp.counters,
1274 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1275 BUGPRINT("Updata_counters && !cfu\n");
1280 /* we want an atomic add of the counters */
1281 write_lock_bh(&t->lock);
1283 /* we add to the counters of the first cpu */
1284 for (i = 0; i < hlp.num_counters; i++) {
1285 t->private->counters[i].pcnt += tmp[i].pcnt;
1286 t->private->counters[i].bcnt += tmp[i].bcnt;
1289 write_unlock_bh(&t->lock);
1292 mutex_unlock(&ebt_mutex);
1298 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1299 char *base, char *ubase)
1301 char *hlp = ubase - base + (char *)m;
1302 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1307 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1308 char *base, char *ubase)
1310 char *hlp = ubase - base + (char *)w;
1311 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1316 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1320 struct ebt_entry_target *t;
1322 if (e->bitmask == 0)
1325 hlp = ubase - base + (char *)e + e->target_offset;
1326 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1328 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1331 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1334 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1339 /* called with ebt_mutex locked */
1340 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1343 struct ebt_replace tmp;
1344 struct ebt_counter *counterstmp, *oldcounters;
1345 unsigned int entries_size, nentries;
1348 if (cmd == EBT_SO_GET_ENTRIES) {
1349 entries_size = t->private->entries_size;
1350 nentries = t->private->nentries;
1351 entries = t->private->entries;
1352 oldcounters = t->private->counters;
1354 entries_size = t->table->entries_size;
1355 nentries = t->table->nentries;
1356 entries = t->table->entries;
1357 oldcounters = t->table->counters;
1360 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1361 BUGPRINT("Cfu didn't work\n");
1365 if (*len != sizeof(struct ebt_replace) + entries_size +
1366 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1367 BUGPRINT("Wrong size\n");
1371 if (tmp.nentries != nentries) {
1372 BUGPRINT("Nentries wrong\n");
1376 if (tmp.entries_size != entries_size) {
1377 BUGPRINT("Wrong size\n");
1381 /* userspace might not need the counters */
1382 if (tmp.num_counters) {
1383 if (tmp.num_counters != nentries) {
1384 BUGPRINT("Num_counters wrong\n");
1387 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1389 MEMPRINT("Couldn't copy counters, out of memory\n");
1392 write_lock_bh(&t->lock);
1393 get_counters(oldcounters, counterstmp, nentries);
1394 write_unlock_bh(&t->lock);
1396 if (copy_to_user(tmp.counters, counterstmp,
1397 nentries * sizeof(struct ebt_counter))) {
1398 BUGPRINT("Couldn't copy counters to userspace\n");
1405 if (copy_to_user(tmp.entries, entries, entries_size)) {
1406 BUGPRINT("Couldn't copy entries to userspace\n");
1409 /* set the match/watcher/target names right */
1410 return EBT_ENTRY_ITERATE(entries, entries_size,
1411 ebt_make_names, entries, tmp.entries);
1414 static int do_ebt_set_ctl(struct sock *sk,
1415 int cmd, void __user *user, unsigned int len)
1420 case EBT_SO_SET_ENTRIES:
1421 ret = do_replace(user, len);
1423 case EBT_SO_SET_COUNTERS:
1424 ret = update_counters(user, len);
1432 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1435 struct ebt_replace tmp;
1436 struct ebt_table *t;
1438 if (copy_from_user(&tmp, user, sizeof(tmp)))
1441 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1446 case EBT_SO_GET_INFO:
1447 case EBT_SO_GET_INIT_INFO:
1448 if (*len != sizeof(struct ebt_replace)){
1450 mutex_unlock(&ebt_mutex);
1453 if (cmd == EBT_SO_GET_INFO) {
1454 tmp.nentries = t->private->nentries;
1455 tmp.entries_size = t->private->entries_size;
1456 tmp.valid_hooks = t->valid_hooks;
1458 tmp.nentries = t->table->nentries;
1459 tmp.entries_size = t->table->entries_size;
1460 tmp.valid_hooks = t->table->valid_hooks;
1462 mutex_unlock(&ebt_mutex);
1463 if (copy_to_user(user, &tmp, *len) != 0){
1464 BUGPRINT("c2u Didn't work\n");
1471 case EBT_SO_GET_ENTRIES:
1472 case EBT_SO_GET_INIT_ENTRIES:
1473 ret = copy_everything_to_user(t, user, len, cmd);
1474 mutex_unlock(&ebt_mutex);
1478 mutex_unlock(&ebt_mutex);
1485 static struct nf_sockopt_ops ebt_sockopts =
1488 .set_optmin = EBT_BASE_CTL,
1489 .set_optmax = EBT_SO_SET_MAX + 1,
1490 .set = do_ebt_set_ctl,
1491 .get_optmin = EBT_BASE_CTL,
1492 .get_optmax = EBT_SO_GET_MAX + 1,
1493 .get = do_ebt_get_ctl,
1496 static int __init ebtables_init(void)
1500 mutex_lock(&ebt_mutex);
1501 list_named_insert(&ebt_targets, &ebt_standard_target);
1502 mutex_unlock(&ebt_mutex);
1503 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1506 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1510 static void __exit ebtables_fini(void)
1512 nf_unregister_sockopt(&ebt_sockopts);
1513 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1516 EXPORT_SYMBOL(ebt_register_table);
1517 EXPORT_SYMBOL(ebt_unregister_table);
1518 EXPORT_SYMBOL(ebt_register_match);
1519 EXPORT_SYMBOL(ebt_unregister_match);
1520 EXPORT_SYMBOL(ebt_register_watcher);
1521 EXPORT_SYMBOL(ebt_unregister_watcher);
1522 EXPORT_SYMBOL(ebt_register_target);
1523 EXPORT_SYMBOL(ebt_unregister_target);
1524 EXPORT_SYMBOL(ebt_do_table);
1525 module_init(ebtables_init);
1526 module_exit(ebtables_fini);
1527 MODULE_LICENSE("GPL");