5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
58 static LIST_HEAD(ebt_tables);
60 static struct xt_target ebt_standard_target = {
63 .family = NFPROTO_BRIDGE,
64 .targetsize = sizeof(int),
68 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
69 struct xt_target_param *par)
71 par->target = w->u.watcher;
72 par->targinfo = w->data;
73 w->u.watcher->target(skb, par);
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, struct xt_match_param *par)
81 par->match = m->u.match;
82 par->matchinfo = m->data;
83 return m->u.match->match(skb, par);
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
89 const char *devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
158 struct ebt_table_info *private;
159 bool hotdrop = false;
160 struct xt_match_param mtpar;
161 struct xt_target_param tgpar;
163 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
164 mtpar.in = tgpar.in = in;
165 mtpar.out = tgpar.out = out;
166 mtpar.hotdrop = &hotdrop;
167 tgpar.hooknum = hook;
169 read_lock_bh(&table->lock);
170 private = table->private;
171 cb_base = COUNTER_BASE(private->counters, private->nentries,
173 if (private->chainstack)
174 cs = private->chainstack[smp_processor_id()];
177 chaininfo = private->hook_entry[hook];
178 nentries = private->hook_entry[hook]->nentries;
179 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
180 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
181 /* base for chain jumps */
182 base = private->entries;
184 while (i < nentries) {
185 if (ebt_basic_match(point, eth_hdr(skb), in, out))
188 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
191 read_unlock_bh(&table->lock);
195 /* increase counter */
196 (*(counter_base + i)).pcnt++;
197 (*(counter_base + i)).bcnt += skb->len;
199 /* these should only watch: not modify, nor tell us
200 what to do with the packet */
201 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
203 t = (struct ebt_entry_target *)
204 (((char *)point) + point->target_offset);
205 /* standard target */
206 if (!t->u.target->target)
207 verdict = ((struct ebt_standard_target *)t)->verdict;
209 tgpar.target = t->u.target;
210 tgpar.targinfo = t->data;
211 verdict = t->u.target->target(skb, &tgpar);
213 if (verdict == EBT_ACCEPT) {
214 read_unlock_bh(&table->lock);
217 if (verdict == EBT_DROP) {
218 read_unlock_bh(&table->lock);
221 if (verdict == EBT_RETURN) {
223 #ifdef CONFIG_NETFILTER_DEBUG
225 BUGPRINT("RETURN on base chain");
226 /* act like this is EBT_CONTINUE */
231 /* put all the local variables right */
233 chaininfo = cs[sp].chaininfo;
234 nentries = chaininfo->nentries;
236 counter_base = cb_base +
237 chaininfo->counter_offset;
240 if (verdict == EBT_CONTINUE)
242 #ifdef CONFIG_NETFILTER_DEBUG
244 BUGPRINT("bogus standard verdict\n");
245 read_unlock_bh(&table->lock);
251 cs[sp].chaininfo = chaininfo;
252 cs[sp].e = (struct ebt_entry *)
253 (((char *)point) + point->next_offset);
255 chaininfo = (struct ebt_entries *) (base + verdict);
256 #ifdef CONFIG_NETFILTER_DEBUG
257 if (chaininfo->distinguisher) {
258 BUGPRINT("jump to non-chain\n");
259 read_unlock_bh(&table->lock);
263 nentries = chaininfo->nentries;
264 point = (struct ebt_entry *)chaininfo->data;
265 counter_base = cb_base + chaininfo->counter_offset;
269 point = (struct ebt_entry *)
270 (((char *)point) + point->next_offset);
274 /* I actually like this :) */
275 if (chaininfo->policy == EBT_RETURN)
277 if (chaininfo->policy == EBT_ACCEPT) {
278 read_unlock_bh(&table->lock);
281 read_unlock_bh(&table->lock);
285 /* If it succeeds, returns element and locks mutex */
287 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
291 struct list_head list;
292 char name[EBT_FUNCTION_MAXNAMELEN];
295 *error = mutex_lock_interruptible(mutex);
299 list_for_each_entry(e, head, list) {
300 if (strcmp(e->name, name) == 0)
309 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
312 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
313 int *error, struct mutex *mutex)
317 ret = find_inlist_lock_noload(head, name, error, mutex);
319 request_module("%s%s", prefix, name);
320 ret = find_inlist_lock_noload(head, name, error, mutex);
326 static inline struct ebt_table *
327 find_table_lock(const char *name, int *error, struct mutex *mutex)
329 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
333 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
336 const struct ebt_entry *e = par->entryinfo;
337 struct xt_match *match;
338 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
341 if (left < sizeof(struct ebt_entry_match) ||
342 left - sizeof(struct ebt_entry_match) < m->match_size)
345 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
346 m->u.name, 0), "ebt_%s", m->u.name);
348 return PTR_ERR(match);
354 par->matchinfo = m->data;
355 ret = xt_check_match(par, m->match_size,
356 e->ethproto, e->invflags & EBT_IPROTO);
358 module_put(match->me);
367 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
370 const struct ebt_entry *e = par->entryinfo;
371 struct xt_target *watcher;
372 size_t left = ((char *)e + e->target_offset) - (char *)w;
375 if (left < sizeof(struct ebt_entry_watcher) ||
376 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
379 watcher = try_then_request_module(
380 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
381 "ebt_%s", w->u.name);
383 return PTR_ERR(watcher);
386 w->u.watcher = watcher;
388 par->target = watcher;
389 par->targinfo = w->data;
390 ret = xt_check_target(par, w->watcher_size,
391 e->ethproto, e->invflags & EBT_IPROTO);
393 module_put(watcher->me);
401 static int ebt_verify_pointers(struct ebt_replace *repl,
402 struct ebt_table_info *newinfo)
404 unsigned int limit = repl->entries_size;
405 unsigned int valid_hooks = repl->valid_hooks;
406 unsigned int offset = 0;
409 for (i = 0; i < NF_BR_NUMHOOKS; i++)
410 newinfo->hook_entry[i] = NULL;
412 newinfo->entries_size = repl->entries_size;
413 newinfo->nentries = repl->nentries;
415 while (offset < limit) {
416 size_t left = limit - offset;
417 struct ebt_entry *e = (void *)newinfo->entries + offset;
419 if (left < sizeof(unsigned int))
422 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
423 if ((valid_hooks & (1 << i)) == 0)
425 if ((char __user *)repl->hook_entry[i] ==
426 repl->entries + offset)
430 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
431 if (e->bitmask != 0) {
432 /* we make userspace set this right,
433 so there is no misunderstanding */
434 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
435 "in distinguisher\n");
438 if (i != NF_BR_NUMHOOKS)
439 newinfo->hook_entry[i] = (struct ebt_entries *)e;
440 if (left < sizeof(struct ebt_entries))
442 offset += sizeof(struct ebt_entries);
444 if (left < sizeof(struct ebt_entry))
446 if (left < e->next_offset)
448 offset += e->next_offset;
451 if (offset != limit) {
452 BUGPRINT("entries_size too small\n");
456 /* check if all valid hooks have a chain */
457 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
458 if (!newinfo->hook_entry[i] &&
459 (valid_hooks & (1 << i))) {
460 BUGPRINT("Valid hook without chain\n");
468 * this one is very careful, as it is the first function
469 * to parse the userspace data
472 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
473 struct ebt_table_info *newinfo,
474 unsigned int *n, unsigned int *cnt,
475 unsigned int *totalcnt, unsigned int *udc_cnt)
479 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
480 if ((void *)e == (void *)newinfo->hook_entry[i])
483 /* beginning of a new chain
484 if i == NF_BR_NUMHOOKS it must be a user defined chain */
485 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
486 /* this checks if the previous chain has as many entries
489 BUGPRINT("nentries does not equal the nr of entries "
493 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
494 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
495 /* only RETURN from udc */
496 if (i != NF_BR_NUMHOOKS ||
497 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
498 BUGPRINT("bad policy\n");
502 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
504 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
505 BUGPRINT("counter_offset != totalcnt");
508 *n = ((struct ebt_entries *)e)->nentries;
512 /* a plain old entry, heh */
513 if (sizeof(struct ebt_entry) > e->watchers_offset ||
514 e->watchers_offset > e->target_offset ||
515 e->target_offset >= e->next_offset) {
516 BUGPRINT("entry offsets not in right order\n");
519 /* this is not checked anywhere else */
520 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
521 BUGPRINT("target size too small\n");
531 struct ebt_chainstack cs;
533 unsigned int hookmask;
537 * we need these positions to check that the jumps to a different part of the
538 * entries is a jump to the beginning of a new chain.
541 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
542 unsigned int *n, struct ebt_cl_stack *udc)
546 /* we're only interested in chain starts */
549 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
550 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
553 /* only care about udc */
554 if (i != NF_BR_NUMHOOKS)
557 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
558 /* these initialisations are depended on later in check_chainloops() */
560 udc[*n].hookmask = 0;
567 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
569 struct xt_mtdtor_param par;
571 if (i && (*i)-- == 0)
574 par.match = m->u.match;
575 par.matchinfo = m->data;
576 par.family = NFPROTO_BRIDGE;
577 if (par.match->destroy != NULL)
578 par.match->destroy(&par);
579 module_put(par.match->me);
584 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
586 struct xt_tgdtor_param par;
588 if (i && (*i)-- == 0)
591 par.target = w->u.watcher;
592 par.targinfo = w->data;
593 par.family = NFPROTO_BRIDGE;
594 if (par.target->destroy != NULL)
595 par.target->destroy(&par);
596 module_put(par.target->me);
601 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
603 struct xt_tgdtor_param par;
604 struct ebt_entry_target *t;
609 if (cnt && (*cnt)-- == 0)
611 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
612 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
613 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
615 par.target = t->u.target;
616 par.targinfo = t->data;
617 par.family = NFPROTO_BRIDGE;
618 if (par.target->destroy != NULL)
619 par.target->destroy(&par);
620 module_put(par.target->me);
625 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
626 const char *name, unsigned int *cnt,
627 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
629 struct ebt_entry_target *t;
630 struct xt_target *target;
631 unsigned int i, j, hook = 0, hookmask = 0;
634 struct xt_mtchk_param mtpar;
635 struct xt_tgchk_param tgpar;
637 /* don't mess with the struct ebt_entries */
641 if (e->bitmask & ~EBT_F_MASK) {
642 BUGPRINT("Unknown flag for bitmask\n");
645 if (e->invflags & ~EBT_INV_MASK) {
646 BUGPRINT("Unknown flag for inv bitmask\n");
649 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
650 BUGPRINT("NOPROTO & 802_3 not allowed\n");
653 /* what hook do we belong to? */
654 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
655 if (!newinfo->hook_entry[i])
657 if ((char *)newinfo->hook_entry[i] < (char *)e)
662 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
664 if (i < NF_BR_NUMHOOKS)
665 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
667 for (i = 0; i < udc_cnt; i++)
668 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
671 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
673 hookmask = cl_s[i - 1].hookmask;
677 mtpar.table = tgpar.table = name;
678 mtpar.entryinfo = tgpar.entryinfo = e;
679 mtpar.hook_mask = tgpar.hook_mask = hookmask;
680 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
681 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
683 goto cleanup_matches;
685 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
687 goto cleanup_watchers;
688 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
689 gap = e->next_offset - e->target_offset;
691 target = try_then_request_module(
692 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
693 "ebt_%s", t->u.name);
694 if (IS_ERR(target)) {
695 ret = PTR_ERR(target);
696 goto cleanup_watchers;
697 } else if (target == NULL) {
699 goto cleanup_watchers;
702 t->u.target = target;
703 if (t->u.target == &ebt_standard_target) {
704 if (gap < sizeof(struct ebt_standard_target)) {
705 BUGPRINT("Standard target size too big\n");
707 goto cleanup_watchers;
709 if (((struct ebt_standard_target *)t)->verdict <
710 -NUM_STANDARD_TARGETS) {
711 BUGPRINT("Invalid standard target\n");
713 goto cleanup_watchers;
715 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
716 module_put(t->u.target->me);
718 goto cleanup_watchers;
721 tgpar.target = target;
722 tgpar.targinfo = t->data;
723 ret = xt_check_target(&tgpar, t->target_size,
724 e->ethproto, e->invflags & EBT_IPROTO);
726 module_put(target->me);
727 goto cleanup_watchers;
732 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
734 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
739 * checks for loops and sets the hook mask for udc
740 * the hook mask for udc tells us from which base chains the udc can be
741 * accessed. This mask is a parameter to the check() functions of the extensions
743 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
744 unsigned int udc_cnt, unsigned int hooknr, char *base)
746 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
747 struct ebt_entry *e = (struct ebt_entry *)chain->data;
748 struct ebt_entry_target *t;
750 while (pos < nentries || chain_nr != -1) {
751 /* end of udc, go back one 'recursion' step */
752 if (pos == nentries) {
753 /* put back values of the time when this chain was called */
754 e = cl_s[chain_nr].cs.e;
755 if (cl_s[chain_nr].from != -1)
757 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
759 nentries = chain->nentries;
760 pos = cl_s[chain_nr].cs.n;
761 /* make sure we won't see a loop that isn't one */
762 cl_s[chain_nr].cs.n = 0;
763 chain_nr = cl_s[chain_nr].from;
767 t = (struct ebt_entry_target *)
768 (((char *)e) + e->target_offset);
769 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
771 if (e->target_offset + sizeof(struct ebt_standard_target) >
773 BUGPRINT("Standard target size too big\n");
776 verdict = ((struct ebt_standard_target *)t)->verdict;
777 if (verdict >= 0) { /* jump to another chain */
778 struct ebt_entries *hlp2 =
779 (struct ebt_entries *)(base + verdict);
780 for (i = 0; i < udc_cnt; i++)
781 if (hlp2 == cl_s[i].cs.chaininfo)
783 /* bad destination or loop */
785 BUGPRINT("bad destination\n");
792 if (cl_s[i].hookmask & (1 << hooknr))
794 /* this can't be 0, so the loop test is correct */
795 cl_s[i].cs.n = pos + 1;
797 cl_s[i].cs.e = ((void *)e + e->next_offset);
798 e = (struct ebt_entry *)(hlp2->data);
799 nentries = hlp2->nentries;
800 cl_s[i].from = chain_nr;
802 /* this udc is accessible from the base chain for hooknr */
803 cl_s[i].hookmask |= (1 << hooknr);
807 e = (void *)e + e->next_offset;
813 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
814 static int translate_table(char *name, struct ebt_table_info *newinfo)
816 unsigned int i, j, k, udc_cnt;
818 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
821 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
823 if (i == NF_BR_NUMHOOKS) {
824 BUGPRINT("No valid hooks specified\n");
827 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
828 BUGPRINT("Chains don't start at beginning\n");
831 /* make sure chains are ordered after each other in same order
832 as their corresponding hooks */
833 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
834 if (!newinfo->hook_entry[j])
836 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
837 BUGPRINT("Hook order must be followed\n");
843 /* do some early checkings and initialize some things */
844 i = 0; /* holds the expected nr. of entries for the chain */
845 j = 0; /* holds the up to now counted entries for the chain */
846 k = 0; /* holds the total nr. of entries, should equal
847 newinfo->nentries afterwards */
848 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
849 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
850 ebt_check_entry_size_and_hooks, newinfo,
851 &i, &j, &k, &udc_cnt);
857 BUGPRINT("nentries does not equal the nr of entries in the "
861 if (k != newinfo->nentries) {
862 BUGPRINT("Total nentries is wrong\n");
866 /* get the location of the udc, put them in an array
867 while we're at it, allocate the chainstack */
869 /* this will get free'd in do_replace()/ebt_register_table()
870 if an error occurs */
871 newinfo->chainstack =
872 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
873 if (!newinfo->chainstack)
875 for_each_possible_cpu(i) {
876 newinfo->chainstack[i] =
877 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
878 if (!newinfo->chainstack[i]) {
880 vfree(newinfo->chainstack[--i]);
881 vfree(newinfo->chainstack);
882 newinfo->chainstack = NULL;
887 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
890 i = 0; /* the i'th udc */
891 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
892 ebt_get_udc_positions, newinfo, &i, cl_s);
895 BUGPRINT("i != udc_cnt\n");
901 /* Check for loops */
902 for (i = 0; i < NF_BR_NUMHOOKS; i++)
903 if (newinfo->hook_entry[i])
904 if (check_chainloops(newinfo->hook_entry[i],
905 cl_s, udc_cnt, i, newinfo->entries)) {
910 /* we now know the following (along with E=mc²):
911 - the nr of entries in each chain is right
912 - the size of the allocated space is right
913 - all valid hooks have a corresponding chain
915 - wrong data can still be on the level of a single entry
916 - could be there are jumps to places that are not the
917 beginning of a chain. This can only occur in chains that
918 are not accessible from any base chains, so we don't care. */
920 /* used to know what we need to clean up if something goes wrong */
922 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
923 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
925 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
926 ebt_cleanup_entry, &i);
932 /* called under write_lock */
933 static void get_counters(struct ebt_counter *oldcounters,
934 struct ebt_counter *counters, unsigned int nentries)
937 struct ebt_counter *counter_base;
939 /* counters of cpu 0 */
940 memcpy(counters, oldcounters,
941 sizeof(struct ebt_counter) * nentries);
943 /* add other counters to those of cpu 0 */
944 for_each_possible_cpu(cpu) {
947 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
948 for (i = 0; i < nentries; i++) {
949 counters[i].pcnt += counter_base[i].pcnt;
950 counters[i].bcnt += counter_base[i].bcnt;
955 /* replace the table */
956 static int do_replace(void __user *user, unsigned int len)
958 int ret, i, countersize;
959 struct ebt_table_info *newinfo;
960 struct ebt_replace tmp;
962 struct ebt_counter *counterstmp = NULL;
963 /* used to be able to unlock earlier */
964 struct ebt_table_info *table;
966 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
969 if (len != sizeof(tmp) + tmp.entries_size) {
970 BUGPRINT("Wrong len argument\n");
974 if (tmp.entries_size == 0) {
975 BUGPRINT("Entries_size never zero\n");
979 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
980 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
982 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
985 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
986 newinfo = vmalloc(sizeof(*newinfo) + countersize);
991 memset(newinfo->counters, 0, countersize);
993 newinfo->entries = vmalloc(tmp.entries_size);
994 if (!newinfo->entries) {
999 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1000 BUGPRINT("Couldn't copy entries from userspace\n");
1005 /* the user wants counters back
1006 the check on the size is done later, when we have the lock */
1007 if (tmp.num_counters) {
1008 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1017 /* this can get initialized by translate_table() */
1018 newinfo->chainstack = NULL;
1019 ret = ebt_verify_pointers(&tmp, newinfo);
1021 goto free_counterstmp;
1023 ret = translate_table(tmp.name, newinfo);
1026 goto free_counterstmp;
1028 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1034 /* the table doesn't like it */
1035 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1038 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1039 BUGPRINT("Wrong nr. of counters requested\n");
1044 /* we have the mutex lock, so no danger in reading this pointer */
1046 /* make sure the table can only be rmmod'ed if it contains no rules */
1047 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1050 } else if (table->nentries && !newinfo->nentries)
1052 /* we need an atomic snapshot of the counters */
1053 write_lock_bh(&t->lock);
1054 if (tmp.num_counters)
1055 get_counters(t->private->counters, counterstmp,
1056 t->private->nentries);
1058 t->private = newinfo;
1059 write_unlock_bh(&t->lock);
1060 mutex_unlock(&ebt_mutex);
1061 /* so, a user can change the chains while having messed up her counter
1062 allocation. Only reason why this is done is because this way the lock
1063 is held only once, while this doesn't bring the kernel into a
1065 if (tmp.num_counters &&
1066 copy_to_user(tmp.counters, counterstmp,
1067 tmp.num_counters * sizeof(struct ebt_counter))) {
1068 BUGPRINT("Couldn't copy counters to userspace\n");
1074 /* decrease module count and free resources */
1075 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1076 ebt_cleanup_entry, NULL);
1078 vfree(table->entries);
1079 if (table->chainstack) {
1080 for_each_possible_cpu(i)
1081 vfree(table->chainstack[i]);
1082 vfree(table->chainstack);
1090 mutex_unlock(&ebt_mutex);
1092 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1093 ebt_cleanup_entry, NULL);
1096 /* can be initialized in translate_table() */
1097 if (newinfo->chainstack) {
1098 for_each_possible_cpu(i)
1099 vfree(newinfo->chainstack[i]);
1100 vfree(newinfo->chainstack);
1103 vfree(newinfo->entries);
1109 int ebt_register_table(struct ebt_table *table)
1111 struct ebt_table_info *newinfo;
1112 struct ebt_table *t;
1113 struct ebt_replace_kernel *repl;
1114 int ret, i, countersize;
1117 if (!table || !(repl = table->table) || !repl->entries ||
1118 repl->entries_size == 0 ||
1119 repl->counters || table->private) {
1120 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1124 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1125 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1130 p = vmalloc(repl->entries_size);
1134 memcpy(p, repl->entries, repl->entries_size);
1135 newinfo->entries = p;
1137 newinfo->entries_size = repl->entries_size;
1138 newinfo->nentries = repl->nentries;
1141 memset(newinfo->counters, 0, countersize);
1143 /* fill in newinfo and parse the entries */
1144 newinfo->chainstack = NULL;
1145 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1146 if ((repl->valid_hooks & (1 << i)) == 0)
1147 newinfo->hook_entry[i] = NULL;
1149 newinfo->hook_entry[i] = p +
1150 ((char *)repl->hook_entry[i] - repl->entries);
1152 ret = translate_table(repl->name, newinfo);
1154 BUGPRINT("Translate_table failed\n");
1155 goto free_chainstack;
1158 if (table->check && table->check(newinfo, table->valid_hooks)) {
1159 BUGPRINT("The table doesn't like its own initial data, lol\n");
1163 table->private = newinfo;
1164 rwlock_init(&table->lock);
1165 ret = mutex_lock_interruptible(&ebt_mutex);
1167 goto free_chainstack;
1169 list_for_each_entry(t, &ebt_tables, list) {
1170 if (strcmp(t->name, table->name) == 0) {
1172 BUGPRINT("Table name already exists\n");
1177 /* Hold a reference count if the chains aren't empty */
1178 if (newinfo->nentries && !try_module_get(table->me)) {
1182 list_add(&table->list, &ebt_tables);
1183 mutex_unlock(&ebt_mutex);
1186 mutex_unlock(&ebt_mutex);
1188 if (newinfo->chainstack) {
1189 for_each_possible_cpu(i)
1190 vfree(newinfo->chainstack[i]);
1191 vfree(newinfo->chainstack);
1193 vfree(newinfo->entries);
1199 void ebt_unregister_table(struct ebt_table *table)
1204 BUGPRINT("Request to unregister NULL table!!!\n");
1207 mutex_lock(&ebt_mutex);
1208 list_del(&table->list);
1209 mutex_unlock(&ebt_mutex);
1210 vfree(table->private->entries);
1211 if (table->private->chainstack) {
1212 for_each_possible_cpu(i)
1213 vfree(table->private->chainstack[i]);
1214 vfree(table->private->chainstack);
1216 vfree(table->private);
1219 /* userspace just supplied us with counters */
1220 static int update_counters(void __user *user, unsigned int len)
1223 struct ebt_counter *tmp;
1224 struct ebt_replace hlp;
1225 struct ebt_table *t;
1227 if (copy_from_user(&hlp, user, sizeof(hlp)))
1230 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1232 if (hlp.num_counters == 0)
1235 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1236 MEMPRINT("Update_counters && nomemory\n");
1240 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1244 if (hlp.num_counters != t->private->nentries) {
1245 BUGPRINT("Wrong nr of counters\n");
1250 if ( copy_from_user(tmp, hlp.counters,
1251 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1252 BUGPRINT("Updata_counters && !cfu\n");
1257 /* we want an atomic add of the counters */
1258 write_lock_bh(&t->lock);
1260 /* we add to the counters of the first cpu */
1261 for (i = 0; i < hlp.num_counters; i++) {
1262 t->private->counters[i].pcnt += tmp[i].pcnt;
1263 t->private->counters[i].bcnt += tmp[i].bcnt;
1266 write_unlock_bh(&t->lock);
1269 mutex_unlock(&ebt_mutex);
1275 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1276 char *base, char __user *ubase)
1278 char __user *hlp = ubase + ((char *)m - base);
1279 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1284 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1285 char *base, char __user *ubase)
1287 char __user *hlp = ubase + ((char *)w - base);
1288 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1293 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1297 struct ebt_entry_target *t;
1299 if (e->bitmask == 0)
1302 hlp = ubase + (((char *)e + e->target_offset) - base);
1303 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1305 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1308 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1311 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1316 /* called with ebt_mutex locked */
1317 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1320 struct ebt_replace tmp;
1321 struct ebt_counter *counterstmp, *oldcounters;
1322 unsigned int entries_size, nentries;
1325 if (cmd == EBT_SO_GET_ENTRIES) {
1326 entries_size = t->private->entries_size;
1327 nentries = t->private->nentries;
1328 entries = t->private->entries;
1329 oldcounters = t->private->counters;
1331 entries_size = t->table->entries_size;
1332 nentries = t->table->nentries;
1333 entries = t->table->entries;
1334 oldcounters = t->table->counters;
1337 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1338 BUGPRINT("Cfu didn't work\n");
1342 if (*len != sizeof(struct ebt_replace) + entries_size +
1343 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1344 BUGPRINT("Wrong size\n");
1348 if (tmp.nentries != nentries) {
1349 BUGPRINT("Nentries wrong\n");
1353 if (tmp.entries_size != entries_size) {
1354 BUGPRINT("Wrong size\n");
1358 /* userspace might not need the counters */
1359 if (tmp.num_counters) {
1360 if (tmp.num_counters != nentries) {
1361 BUGPRINT("Num_counters wrong\n");
1364 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1366 MEMPRINT("Couldn't copy counters, out of memory\n");
1369 write_lock_bh(&t->lock);
1370 get_counters(oldcounters, counterstmp, nentries);
1371 write_unlock_bh(&t->lock);
1373 if (copy_to_user(tmp.counters, counterstmp,
1374 nentries * sizeof(struct ebt_counter))) {
1375 BUGPRINT("Couldn't copy counters to userspace\n");
1382 if (copy_to_user(tmp.entries, entries, entries_size)) {
1383 BUGPRINT("Couldn't copy entries to userspace\n");
1386 /* set the match/watcher/target names right */
1387 return EBT_ENTRY_ITERATE(entries, entries_size,
1388 ebt_make_names, entries, tmp.entries);
1391 static int do_ebt_set_ctl(struct sock *sk,
1392 int cmd, void __user *user, unsigned int len)
1397 case EBT_SO_SET_ENTRIES:
1398 ret = do_replace(user, len);
1400 case EBT_SO_SET_COUNTERS:
1401 ret = update_counters(user, len);
1409 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1412 struct ebt_replace tmp;
1413 struct ebt_table *t;
1415 if (copy_from_user(&tmp, user, sizeof(tmp)))
1418 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1423 case EBT_SO_GET_INFO:
1424 case EBT_SO_GET_INIT_INFO:
1425 if (*len != sizeof(struct ebt_replace)){
1427 mutex_unlock(&ebt_mutex);
1430 if (cmd == EBT_SO_GET_INFO) {
1431 tmp.nentries = t->private->nentries;
1432 tmp.entries_size = t->private->entries_size;
1433 tmp.valid_hooks = t->valid_hooks;
1435 tmp.nentries = t->table->nentries;
1436 tmp.entries_size = t->table->entries_size;
1437 tmp.valid_hooks = t->table->valid_hooks;
1439 mutex_unlock(&ebt_mutex);
1440 if (copy_to_user(user, &tmp, *len) != 0){
1441 BUGPRINT("c2u Didn't work\n");
1448 case EBT_SO_GET_ENTRIES:
1449 case EBT_SO_GET_INIT_ENTRIES:
1450 ret = copy_everything_to_user(t, user, len, cmd);
1451 mutex_unlock(&ebt_mutex);
1455 mutex_unlock(&ebt_mutex);
1462 static struct nf_sockopt_ops ebt_sockopts =
1465 .set_optmin = EBT_BASE_CTL,
1466 .set_optmax = EBT_SO_SET_MAX + 1,
1467 .set = do_ebt_set_ctl,
1468 .get_optmin = EBT_BASE_CTL,
1469 .get_optmax = EBT_SO_GET_MAX + 1,
1470 .get = do_ebt_get_ctl,
1471 .owner = THIS_MODULE,
1474 static int __init ebtables_init(void)
1478 ret = xt_register_target(&ebt_standard_target);
1481 ret = nf_register_sockopt(&ebt_sockopts);
1483 xt_unregister_target(&ebt_standard_target);
1487 printk(KERN_INFO "Ebtables v2.0 registered\n");
1491 static void __exit ebtables_fini(void)
1493 nf_unregister_sockopt(&ebt_sockopts);
1494 xt_unregister_target(&ebt_standard_target);
1495 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1498 EXPORT_SYMBOL(ebt_register_table);
1499 EXPORT_SYMBOL(ebt_unregister_table);
1500 EXPORT_SYMBOL(ebt_do_table);
1501 module_init(ebtables_init);
1502 module_exit(ebtables_fini);
1503 MODULE_LICENSE("GPL");