5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <asm/uaccess.h>
28 #include <linux/smp.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
34 #define ASSERT_READ_LOCK(x)
35 #define ASSERT_WRITE_LOCK(x)
36 #include <linux/netfilter_ipv4/listhelp.h>
39 /* use this for remote debugging
40 * Copyright (C) 1998 by Ori Pomerantz
41 * Print the string to the appropriate tty, the one
42 * the current task uses
44 static void print_string(char *str)
46 struct tty_struct *my_tty;
48 /* The tty for the current task */
49 my_tty = current->signal->tty;
51 my_tty->driver->write(my_tty, 0, str, strlen(str));
52 my_tty->driver->write(my_tty, 0, "\015\012", 2);
56 #define BUGPRINT(args) print_string(args);
58 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
59 "report to author: "format, ## args)
60 /* #define BUGPRINT(format, args...) */
62 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
63 ": out of memory: "format, ## args)
64 /* #define MEMPRINT(format, args...) */
69 * Each cpu has its own set of counters, so there is no need for write_lock in
71 * For reading or updating the counters, the user context needs to
75 /* The size of each set of counters is altered to get cache alignment */
76 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
77 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
78 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
79 COUNTER_OFFSET(n) * cpu))
83 static DECLARE_MUTEX(ebt_mutex);
84 static LIST_HEAD(ebt_tables);
85 static LIST_HEAD(ebt_targets);
86 static LIST_HEAD(ebt_matches);
87 static LIST_HEAD(ebt_watchers);
89 static struct ebt_target ebt_standard_target =
90 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
92 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
93 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
94 const struct net_device *out)
96 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
98 /* watchers don't give a verdict */
102 static inline int ebt_do_match (struct ebt_entry_match *m,
103 const struct sk_buff *skb, const struct net_device *in,
104 const struct net_device *out)
106 return m->u.match->match(skb, in, out, m->data,
110 static inline int ebt_dev_check(char *entry, const struct net_device *device)
113 char *devname = device->name;
119 /* 1 is the wildcard token */
120 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
122 return (devname[i] != entry[i] && entry[i] != 1);
125 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
126 /* process standard matches */
127 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
128 const struct net_device *in, const struct net_device *out)
132 if (e->bitmask & EBT_802_3) {
133 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
135 } else if (!(e->bitmask & EBT_NOPROTO) &&
136 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
139 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
141 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
143 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
144 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
146 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
147 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
150 if (e->bitmask & EBT_SOURCEMAC) {
152 for (i = 0; i < 6; i++)
153 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
155 if (FWINV2(verdict != 0, EBT_ISOURCE) )
158 if (e->bitmask & EBT_DESTMAC) {
160 for (i = 0; i < 6; i++)
161 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
163 if (FWINV2(verdict != 0, EBT_IDEST) )
169 /* Do some firewalling */
170 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
171 const struct net_device *in, const struct net_device *out,
172 struct ebt_table *table)
175 struct ebt_entry *point;
176 struct ebt_counter *counter_base, *cb_base;
177 struct ebt_entry_target *t;
179 struct ebt_chainstack *cs;
180 struct ebt_entries *chaininfo;
182 struct ebt_table_info *private = table->private;
184 read_lock_bh(&table->lock);
185 cb_base = COUNTER_BASE(private->counters, private->nentries,
187 if (private->chainstack)
188 cs = private->chainstack[smp_processor_id()];
191 chaininfo = private->hook_entry[hook];
192 nentries = private->hook_entry[hook]->nentries;
193 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
194 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
195 /* base for chain jumps */
196 base = private->entries;
198 while (i < nentries) {
199 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
202 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
205 /* increase counter */
206 (*(counter_base + i)).pcnt++;
207 (*(counter_base + i)).bcnt+=(**pskb).len;
209 /* these should only watch: not modify, nor tell us
210 what to do with the packet */
211 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
214 t = (struct ebt_entry_target *)
215 (((char *)point) + point->target_offset);
216 /* standard target */
217 if (!t->u.target->target)
218 verdict = ((struct ebt_standard_target *)t)->verdict;
220 verdict = t->u.target->target(pskb, hook,
221 in, out, t->data, t->target_size);
222 if (verdict == EBT_ACCEPT) {
223 read_unlock_bh(&table->lock);
226 if (verdict == EBT_DROP) {
227 read_unlock_bh(&table->lock);
230 if (verdict == EBT_RETURN) {
232 #ifdef CONFIG_NETFILTER_DEBUG
234 BUGPRINT("RETURN on base chain");
235 /* act like this is EBT_CONTINUE */
240 /* put all the local variables right */
242 chaininfo = cs[sp].chaininfo;
243 nentries = chaininfo->nentries;
245 counter_base = cb_base +
246 chaininfo->counter_offset;
249 if (verdict == EBT_CONTINUE)
251 #ifdef CONFIG_NETFILTER_DEBUG
253 BUGPRINT("bogus standard verdict\n");
254 read_unlock_bh(&table->lock);
260 cs[sp].chaininfo = chaininfo;
261 cs[sp].e = (struct ebt_entry *)
262 (((char *)point) + point->next_offset);
264 chaininfo = (struct ebt_entries *) (base + verdict);
265 #ifdef CONFIG_NETFILTER_DEBUG
266 if (chaininfo->distinguisher) {
267 BUGPRINT("jump to non-chain\n");
268 read_unlock_bh(&table->lock);
272 nentries = chaininfo->nentries;
273 point = (struct ebt_entry *)chaininfo->data;
274 counter_base = cb_base + chaininfo->counter_offset;
278 point = (struct ebt_entry *)
279 (((char *)point) + point->next_offset);
283 /* I actually like this :) */
284 if (chaininfo->policy == EBT_RETURN)
286 if (chaininfo->policy == EBT_ACCEPT) {
287 read_unlock_bh(&table->lock);
290 read_unlock_bh(&table->lock);
294 /* If it succeeds, returns element and locks mutex */
296 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
297 struct semaphore *mutex)
301 *error = down_interruptible(mutex);
305 ret = list_named_find(head, name);
314 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
317 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
318 int *error, struct semaphore *mutex)
322 ret = find_inlist_lock_noload(head, name, error, mutex);
324 request_module("%s%s", prefix, name);
325 ret = find_inlist_lock_noload(head, name, error, mutex);
331 static inline struct ebt_table *
332 find_table_lock(const char *name, int *error, struct semaphore *mutex)
334 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
337 static inline struct ebt_match *
338 find_match_lock(const char *name, int *error, struct semaphore *mutex)
340 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
343 static inline struct ebt_watcher *
344 find_watcher_lock(const char *name, int *error, struct semaphore *mutex)
346 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
349 static inline struct ebt_target *
350 find_target_lock(const char *name, int *error, struct semaphore *mutex)
352 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
356 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
357 const char *name, unsigned int hookmask, unsigned int *cnt)
359 struct ebt_match *match;
362 if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
363 ((char *)e) + e->watchers_offset)
365 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
369 if (!try_module_get(match->me)) {
375 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
376 BUGPRINT("match->check failed\n");
377 module_put(match->me);
385 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
386 const char *name, unsigned int hookmask, unsigned int *cnt)
388 struct ebt_watcher *watcher;
391 if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
392 ((char *)e) + e->target_offset)
394 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
397 w->u.watcher = watcher;
398 if (!try_module_get(watcher->me)) {
403 if (watcher->check &&
404 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
405 BUGPRINT("watcher->check failed\n");
406 module_put(watcher->me);
414 * this one is very careful, as it is the first function
415 * to parse the userspace data
418 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
419 struct ebt_table_info *newinfo, char *base, char *limit,
420 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
421 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
425 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
426 if ((valid_hooks & (1 << i)) == 0)
428 if ( (char *)hook_entries[i] - base ==
429 (char *)e - newinfo->entries)
432 /* beginning of a new chain
433 if i == NF_BR_NUMHOOKS it must be a user defined chain */
434 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
435 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) != 0) {
436 /* we make userspace set this right,
437 so there is no misunderstanding */
438 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
439 "in distinguisher\n");
442 /* this checks if the previous chain has as many entries
445 BUGPRINT("nentries does not equal the nr of entries "
449 /* before we look at the struct, be sure it is not too big */
450 if ((char *)hook_entries[i] + sizeof(struct ebt_entries)
452 BUGPRINT("entries_size too small\n");
455 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
456 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
457 /* only RETURN from udc */
458 if (i != NF_BR_NUMHOOKS ||
459 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
460 BUGPRINT("bad policy\n");
464 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
467 newinfo->hook_entry[i] = (struct ebt_entries *)e;
468 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
469 BUGPRINT("counter_offset != totalcnt");
472 *n = ((struct ebt_entries *)e)->nentries;
476 /* a plain old entry, heh */
477 if (sizeof(struct ebt_entry) > e->watchers_offset ||
478 e->watchers_offset > e->target_offset ||
479 e->target_offset >= e->next_offset) {
480 BUGPRINT("entry offsets not in right order\n");
483 /* this is not checked anywhere else */
484 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
485 BUGPRINT("target size too small\n");
496 struct ebt_chainstack cs;
498 unsigned int hookmask;
502 * we need these positions to check that the jumps to a different part of the
503 * entries is a jump to the beginning of a new chain.
506 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
507 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
508 struct ebt_cl_stack *udc)
512 /* we're only interested in chain starts */
513 if (e->bitmask & EBT_ENTRY_OR_ENTRIES)
515 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
516 if ((valid_hooks & (1 << i)) == 0)
518 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
521 /* only care about udc */
522 if (i != NF_BR_NUMHOOKS)
525 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
526 /* these initialisations are depended on later in check_chainloops() */
528 udc[*n].hookmask = 0;
535 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
537 if (i && (*i)-- == 0)
539 if (m->u.match->destroy)
540 m->u.match->destroy(m->data, m->match_size);
541 module_put(m->u.match->me);
547 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
549 if (i && (*i)-- == 0)
551 if (w->u.watcher->destroy)
552 w->u.watcher->destroy(w->data, w->watcher_size);
553 module_put(w->u.watcher->me);
559 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
561 struct ebt_entry_target *t;
563 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
566 if (cnt && (*cnt)-- == 0)
568 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
569 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
570 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
571 if (t->u.target->destroy)
572 t->u.target->destroy(t->data, t->target_size);
573 module_put(t->u.target->me);
579 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
580 const char *name, unsigned int *cnt, unsigned int valid_hooks,
581 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
583 struct ebt_entry_target *t;
584 struct ebt_target *target;
585 unsigned int i, j, hook = 0, hookmask = 0;
588 /* don't mess with the struct ebt_entries */
589 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
592 if (e->bitmask & ~EBT_F_MASK) {
593 BUGPRINT("Unknown flag for bitmask\n");
596 if (e->invflags & ~EBT_INV_MASK) {
597 BUGPRINT("Unknown flag for inv bitmask\n");
600 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
601 BUGPRINT("NOPROTO & 802_3 not allowed\n");
604 /* what hook do we belong to? */
605 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
606 if ((valid_hooks & (1 << i)) == 0)
608 if ((char *)newinfo->hook_entry[i] < (char *)e)
613 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
615 if (i < NF_BR_NUMHOOKS)
616 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
618 for (i = 0; i < udc_cnt; i++)
619 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
622 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
624 hookmask = cl_s[i - 1].hookmask;
627 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
629 goto cleanup_matches;
631 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
633 goto cleanup_watchers;
634 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
635 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
637 goto cleanup_watchers;
638 if (!try_module_get(target->me)) {
641 goto cleanup_watchers;
645 t->u.target = target;
646 if (t->u.target == &ebt_standard_target) {
647 if (e->target_offset + sizeof(struct ebt_standard_target) >
649 BUGPRINT("Standard target size too big\n");
651 goto cleanup_watchers;
653 if (((struct ebt_standard_target *)t)->verdict <
654 -NUM_STANDARD_TARGETS) {
655 BUGPRINT("Invalid standard target\n");
657 goto cleanup_watchers;
659 } else if ((e->target_offset + t->target_size +
660 sizeof(struct ebt_entry_target) > e->next_offset) ||
661 (t->u.target->check &&
662 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
663 module_put(t->u.target->me);
665 goto cleanup_watchers;
670 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
672 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
677 * checks for loops and sets the hook mask for udc
678 * the hook mask for udc tells us from which base chains the udc can be
679 * accessed. This mask is a parameter to the check() functions of the extensions
681 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
682 unsigned int udc_cnt, unsigned int hooknr, char *base)
684 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
685 struct ebt_entry *e = (struct ebt_entry *)chain->data;
686 struct ebt_entry_target *t;
688 while (pos < nentries || chain_nr != -1) {
689 /* end of udc, go back one 'recursion' step */
690 if (pos == nentries) {
691 /* put back values of the time when this chain was called */
692 e = cl_s[chain_nr].cs.e;
693 if (cl_s[chain_nr].from != -1)
695 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
697 nentries = chain->nentries;
698 pos = cl_s[chain_nr].cs.n;
699 /* make sure we won't see a loop that isn't one */
700 cl_s[chain_nr].cs.n = 0;
701 chain_nr = cl_s[chain_nr].from;
705 t = (struct ebt_entry_target *)
706 (((char *)e) + e->target_offset);
707 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
709 if (e->target_offset + sizeof(struct ebt_standard_target) >
711 BUGPRINT("Standard target size too big\n");
714 verdict = ((struct ebt_standard_target *)t)->verdict;
715 if (verdict >= 0) { /* jump to another chain */
716 struct ebt_entries *hlp2 =
717 (struct ebt_entries *)(base + verdict);
718 for (i = 0; i < udc_cnt; i++)
719 if (hlp2 == cl_s[i].cs.chaininfo)
721 /* bad destination or loop */
723 BUGPRINT("bad destination\n");
730 /* this can't be 0, so the above test is correct */
731 cl_s[i].cs.n = pos + 1;
733 cl_s[i].cs.e = ((void *)e + e->next_offset);
734 e = (struct ebt_entry *)(hlp2->data);
735 nentries = hlp2->nentries;
736 cl_s[i].from = chain_nr;
738 /* this udc is accessible from the base chain for hooknr */
739 cl_s[i].hookmask |= (1 << hooknr);
743 e = (void *)e + e->next_offset;
749 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
750 static int translate_table(struct ebt_replace *repl,
751 struct ebt_table_info *newinfo)
753 unsigned int i, j, k, udc_cnt;
755 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
758 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
760 if (i == NF_BR_NUMHOOKS) {
761 BUGPRINT("No valid hooks specified\n");
764 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
765 BUGPRINT("Chains don't start at beginning\n");
768 /* make sure chains are ordered after each other in same order
769 as their corresponding hooks */
770 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
771 if (!(repl->valid_hooks & (1 << j)))
773 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
774 BUGPRINT("Hook order must be followed\n");
780 for (i = 0; i < NF_BR_NUMHOOKS; i++)
781 newinfo->hook_entry[i] = NULL;
783 newinfo->entries_size = repl->entries_size;
784 newinfo->nentries = repl->nentries;
786 /* do some early checkings and initialize some things */
787 i = 0; /* holds the expected nr. of entries for the chain */
788 j = 0; /* holds the up to now counted entries for the chain */
789 k = 0; /* holds the total nr. of entries, should equal
790 newinfo->nentries afterwards */
791 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
792 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
793 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
794 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
795 &udc_cnt, repl->valid_hooks);
801 BUGPRINT("nentries does not equal the nr of entries in the "
805 if (k != newinfo->nentries) {
806 BUGPRINT("Total nentries is wrong\n");
810 /* check if all valid hooks have a chain */
811 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
812 if (newinfo->hook_entry[i] == NULL &&
813 (repl->valid_hooks & (1 << i))) {
814 BUGPRINT("Valid hook without chain\n");
819 /* get the location of the udc, put them in an array
820 while we're at it, allocate the chainstack */
822 /* this will get free'd in do_replace()/ebt_register_table()
823 if an error occurs */
824 newinfo->chainstack = (struct ebt_chainstack **)
825 vmalloc(NR_CPUS * sizeof(struct ebt_chainstack));
826 if (!newinfo->chainstack)
828 for (i = 0; i < NR_CPUS; i++) {
829 newinfo->chainstack[i] =
830 vmalloc(udc_cnt * sizeof(struct ebt_chainstack));
831 if (!newinfo->chainstack[i]) {
833 vfree(newinfo->chainstack[--i]);
834 vfree(newinfo->chainstack);
835 newinfo->chainstack = NULL;
840 cl_s = (struct ebt_cl_stack *)
841 vmalloc(udc_cnt * sizeof(struct ebt_cl_stack));
844 i = 0; /* the i'th udc */
845 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
846 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
847 repl->valid_hooks, cl_s);
850 BUGPRINT("i != udc_cnt\n");
856 /* Check for loops */
857 for (i = 0; i < NF_BR_NUMHOOKS; i++)
858 if (repl->valid_hooks & (1 << i))
859 if (check_chainloops(newinfo->hook_entry[i],
860 cl_s, udc_cnt, i, newinfo->entries)) {
866 /* we now know the following (along with E=mc²):
867 - the nr of entries in each chain is right
868 - the size of the allocated space is right
869 - all valid hooks have a corresponding chain
871 - wrong data can still be on the level of a single entry
872 - could be there are jumps to places that are not the
873 beginning of a chain. This can only occur in chains that
874 are not accessible from any base chains, so we don't care. */
876 /* used to know what we need to clean up if something goes wrong */
878 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
879 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
882 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
883 ebt_cleanup_entry, &i);
890 /* called under write_lock */
891 static void get_counters(struct ebt_counter *oldcounters,
892 struct ebt_counter *counters, unsigned int nentries)
895 struct ebt_counter *counter_base;
897 /* counters of cpu 0 */
898 memcpy(counters, oldcounters,
899 sizeof(struct ebt_counter) * nentries);
900 /* add other counters to those of cpu 0 */
901 for (cpu = 1; cpu < NR_CPUS; cpu++) {
902 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
903 for (i = 0; i < nentries; i++) {
904 counters[i].pcnt += counter_base[i].pcnt;
905 counters[i].bcnt += counter_base[i].bcnt;
910 /* replace the table */
911 static int do_replace(void __user *user, unsigned int len)
913 int ret, i, countersize;
914 struct ebt_table_info *newinfo;
915 struct ebt_replace tmp;
917 struct ebt_counter *counterstmp = NULL;
918 /* used to be able to unlock earlier */
919 struct ebt_table_info *table;
921 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
924 if (len != sizeof(tmp) + tmp.entries_size) {
925 BUGPRINT("Wrong len argument\n");
929 if (tmp.entries_size == 0) {
930 BUGPRINT("Entries_size never zero\n");
933 countersize = COUNTER_OFFSET(tmp.nentries) * NR_CPUS;
934 newinfo = (struct ebt_table_info *)
935 vmalloc(sizeof(struct ebt_table_info) + countersize);
940 memset(newinfo->counters, 0, countersize);
942 newinfo->entries = (char *)vmalloc(tmp.entries_size);
943 if (!newinfo->entries) {
948 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
949 BUGPRINT("Couldn't copy entries from userspace\n");
954 /* the user wants counters back
955 the check on the size is done later, when we have the lock */
956 if (tmp.num_counters) {
957 counterstmp = (struct ebt_counter *)
958 vmalloc(tmp.num_counters * sizeof(struct ebt_counter));
967 /* this can get initialized by translate_table() */
968 newinfo->chainstack = NULL;
969 ret = translate_table(&tmp, newinfo);
972 goto free_counterstmp;
974 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
980 /* the table doesn't like it */
981 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
984 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
985 BUGPRINT("Wrong nr. of counters requested\n");
990 /* we have the mutex lock, so no danger in reading this pointer */
992 /* make sure the table can only be rmmod'ed if it contains no rules */
993 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
996 } else if (table->nentries && !newinfo->nentries)
998 /* we need an atomic snapshot of the counters */
999 write_lock_bh(&t->lock);
1000 if (tmp.num_counters)
1001 get_counters(t->private->counters, counterstmp,
1002 t->private->nentries);
1004 t->private = newinfo;
1005 write_unlock_bh(&t->lock);
1007 /* so, a user can change the chains while having messed up her counter
1008 allocation. Only reason why this is done is because this way the lock
1009 is held only once, while this doesn't bring the kernel into a
1011 if (tmp.num_counters &&
1012 copy_to_user(tmp.counters, counterstmp,
1013 tmp.num_counters * sizeof(struct ebt_counter))) {
1014 BUGPRINT("Couldn't copy counters to userspace\n");
1020 /* decrease module count and free resources */
1021 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1022 ebt_cleanup_entry, NULL);
1024 vfree(table->entries);
1025 if (table->chainstack) {
1026 for (i = 0; i < NR_CPUS; i++)
1027 vfree(table->chainstack[i]);
1028 vfree(table->chainstack);
1039 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1040 ebt_cleanup_entry, NULL);
1044 /* can be initialized in translate_table() */
1045 if (newinfo->chainstack) {
1046 for (i = 0; i < NR_CPUS; i++)
1047 vfree(newinfo->chainstack[i]);
1048 vfree(newinfo->chainstack);
1051 if (newinfo->entries)
1052 vfree(newinfo->entries);
1059 int ebt_register_target(struct ebt_target *target)
1063 ret = down_interruptible(&ebt_mutex);
1066 if (!list_named_insert(&ebt_targets, target)) {
1075 void ebt_unregister_target(struct ebt_target *target)
1078 LIST_DELETE(&ebt_targets, target);
1082 int ebt_register_match(struct ebt_match *match)
1086 ret = down_interruptible(&ebt_mutex);
1089 if (!list_named_insert(&ebt_matches, match)) {
1098 void ebt_unregister_match(struct ebt_match *match)
1101 LIST_DELETE(&ebt_matches, match);
1105 int ebt_register_watcher(struct ebt_watcher *watcher)
1109 ret = down_interruptible(&ebt_mutex);
1112 if (!list_named_insert(&ebt_watchers, watcher)) {
1121 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1124 LIST_DELETE(&ebt_watchers, watcher);
1128 int ebt_register_table(struct ebt_table *table)
1130 struct ebt_table_info *newinfo;
1131 int ret, i, countersize;
1133 if (!table || !table->table ||!table->table->entries ||
1134 table->table->entries_size == 0 ||
1135 table->table->counters || table->private) {
1136 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1140 countersize = COUNTER_OFFSET(table->table->nentries) * NR_CPUS;
1141 newinfo = (struct ebt_table_info *)
1142 vmalloc(sizeof(struct ebt_table_info) + countersize);
1147 newinfo->entries = (char *)vmalloc(table->table->entries_size);
1148 if (!(newinfo->entries))
1151 memcpy(newinfo->entries, table->table->entries,
1152 table->table->entries_size);
1155 memset(newinfo->counters, 0, countersize);
1157 /* fill in newinfo and parse the entries */
1158 newinfo->chainstack = NULL;
1159 ret = translate_table(table->table, newinfo);
1161 BUGPRINT("Translate_table failed\n");
1162 goto free_chainstack;
1165 if (table->check && table->check(newinfo, table->valid_hooks)) {
1166 BUGPRINT("The table doesn't like its own initial data, lol\n");
1170 table->private = newinfo;
1171 rwlock_init(&table->lock);
1172 ret = down_interruptible(&ebt_mutex);
1174 goto free_chainstack;
1176 if (list_named_find(&ebt_tables, table->name)) {
1178 BUGPRINT("Table name already exists\n");
1182 /* Hold a reference count if the chains aren't empty */
1183 if (newinfo->nentries && !try_module_get(table->me)) {
1187 list_prepend(&ebt_tables, table);
1193 if (newinfo->chainstack) {
1194 for (i = 0; i < NR_CPUS; i++)
1195 vfree(newinfo->chainstack[i]);
1196 vfree(newinfo->chainstack);
1198 vfree(newinfo->entries);
1204 void ebt_unregister_table(struct ebt_table *table)
1209 BUGPRINT("Request to unregister NULL table!!!\n");
1213 LIST_DELETE(&ebt_tables, table);
1215 if (table->private->entries)
1216 vfree(table->private->entries);
1217 if (table->private->chainstack) {
1218 for (i = 0; i < NR_CPUS; i++)
1219 vfree(table->private->chainstack[i]);
1220 vfree(table->private->chainstack);
1222 vfree(table->private);
1225 /* userspace just supplied us with counters */
1226 static int update_counters(void __user *user, unsigned int len)
1229 struct ebt_counter *tmp;
1230 struct ebt_replace hlp;
1231 struct ebt_table *t;
1233 if (copy_from_user(&hlp, user, sizeof(hlp)))
1236 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1238 if (hlp.num_counters == 0)
1241 if ( !(tmp = (struct ebt_counter *)
1242 vmalloc(hlp.num_counters * sizeof(struct ebt_counter))) ){
1243 MEMPRINT("Update_counters && nomemory\n");
1247 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1251 if (hlp.num_counters != t->private->nentries) {
1252 BUGPRINT("Wrong nr of counters\n");
1257 if ( copy_from_user(tmp, hlp.counters,
1258 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1259 BUGPRINT("Updata_counters && !cfu\n");
1264 /* we want an atomic add of the counters */
1265 write_lock_bh(&t->lock);
1267 /* we add to the counters of the first cpu */
1268 for (i = 0; i < hlp.num_counters; i++) {
1269 t->private->counters[i].pcnt += tmp[i].pcnt;
1270 t->private->counters[i].bcnt += tmp[i].bcnt;
1273 write_unlock_bh(&t->lock);
1282 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1283 char *base, char *ubase)
1285 char *hlp = ubase - base + (char *)m;
1286 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1291 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1292 char *base, char *ubase)
1294 char *hlp = ubase - base + (char *)w;
1295 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1300 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1304 struct ebt_entry_target *t;
1306 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
1309 hlp = ubase - base + (char *)e + e->target_offset;
1310 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1312 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1315 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1318 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1323 /* called with ebt_mutex down */
1324 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1327 struct ebt_replace tmp;
1328 struct ebt_counter *counterstmp, *oldcounters;
1329 unsigned int entries_size, nentries;
1332 if (cmd == EBT_SO_GET_ENTRIES) {
1333 entries_size = t->private->entries_size;
1334 nentries = t->private->nentries;
1335 entries = t->private->entries;
1336 oldcounters = t->private->counters;
1338 entries_size = t->table->entries_size;
1339 nentries = t->table->nentries;
1340 entries = t->table->entries;
1341 oldcounters = t->table->counters;
1344 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1345 BUGPRINT("Cfu didn't work\n");
1349 if (*len != sizeof(struct ebt_replace) + entries_size +
1350 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1351 BUGPRINT("Wrong size\n");
1355 if (tmp.nentries != nentries) {
1356 BUGPRINT("Nentries wrong\n");
1360 if (tmp.entries_size != entries_size) {
1361 BUGPRINT("Wrong size\n");
1365 /* userspace might not need the counters */
1366 if (tmp.num_counters) {
1367 if (tmp.num_counters != nentries) {
1368 BUGPRINT("Num_counters wrong\n");
1371 counterstmp = (struct ebt_counter *)
1372 vmalloc(nentries * sizeof(struct ebt_counter));
1374 MEMPRINT("Couldn't copy counters, out of memory\n");
1377 write_lock_bh(&t->lock);
1378 get_counters(oldcounters, counterstmp, nentries);
1379 write_unlock_bh(&t->lock);
1381 if (copy_to_user(tmp.counters, counterstmp,
1382 nentries * sizeof(struct ebt_counter))) {
1383 BUGPRINT("Couldn't copy counters to userspace\n");
1390 if (copy_to_user(tmp.entries, entries, entries_size)) {
1391 BUGPRINT("Couldn't copy entries to userspace\n");
1394 /* set the match/watcher/target names right */
1395 return EBT_ENTRY_ITERATE(entries, entries_size,
1396 ebt_make_names, entries, tmp.entries);
1399 static int do_ebt_set_ctl(struct sock *sk,
1400 int cmd, void __user *user, unsigned int len)
1405 case EBT_SO_SET_ENTRIES:
1406 ret = do_replace(user, len);
1408 case EBT_SO_SET_COUNTERS:
1409 ret = update_counters(user, len);
1417 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1420 struct ebt_replace tmp;
1421 struct ebt_table *t;
1423 if (copy_from_user(&tmp, user, sizeof(tmp)))
1426 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1431 case EBT_SO_GET_INFO:
1432 case EBT_SO_GET_INIT_INFO:
1433 if (*len != sizeof(struct ebt_replace)){
1438 if (cmd == EBT_SO_GET_INFO) {
1439 tmp.nentries = t->private->nentries;
1440 tmp.entries_size = t->private->entries_size;
1441 tmp.valid_hooks = t->valid_hooks;
1443 tmp.nentries = t->table->nentries;
1444 tmp.entries_size = t->table->entries_size;
1445 tmp.valid_hooks = t->table->valid_hooks;
1448 if (copy_to_user(user, &tmp, *len) != 0){
1449 BUGPRINT("c2u Didn't work\n");
1456 case EBT_SO_GET_ENTRIES:
1457 case EBT_SO_GET_INIT_ENTRIES:
1458 ret = copy_everything_to_user(t, user, len, cmd);
1470 static struct nf_sockopt_ops ebt_sockopts =
1471 { { NULL, NULL }, PF_INET, EBT_BASE_CTL, EBT_SO_SET_MAX + 1, do_ebt_set_ctl,
1472 EBT_BASE_CTL, EBT_SO_GET_MAX + 1, do_ebt_get_ctl, 0, NULL
1475 static int __init init(void)
1480 list_named_insert(&ebt_targets, &ebt_standard_target);
1482 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1485 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1489 static void __exit fini(void)
1491 nf_unregister_sockopt(&ebt_sockopts);
1492 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1495 EXPORT_SYMBOL(ebt_register_table);
1496 EXPORT_SYMBOL(ebt_unregister_table);
1497 EXPORT_SYMBOL(ebt_register_match);
1498 EXPORT_SYMBOL(ebt_unregister_match);
1499 EXPORT_SYMBOL(ebt_register_watcher);
1500 EXPORT_SYMBOL(ebt_unregister_watcher);
1501 EXPORT_SYMBOL(ebt_register_target);
1502 EXPORT_SYMBOL(ebt_unregister_target);
1503 EXPORT_SYMBOL(ebt_do_table);
1506 MODULE_LICENSE("GPL");