5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex
);
59 static struct xt_target ebt_standard_target
= {
62 .family
= NFPROTO_BRIDGE
,
63 .targetsize
= sizeof(int),
67 ebt_do_watcher(const struct ebt_entry_watcher
*w
, struct sk_buff
*skb
,
68 struct xt_target_param
*par
)
70 par
->target
= w
->u
.watcher
;
71 par
->targinfo
= w
->data
;
72 w
->u
.watcher
->target(skb
, par
);
73 /* watchers don't give a verdict */
77 static inline int ebt_do_match (struct ebt_entry_match
*m
,
78 const struct sk_buff
*skb
, struct xt_match_param
*par
)
80 par
->match
= m
->u
.match
;
81 par
->matchinfo
= m
->data
;
82 return m
->u
.match
->match(skb
, par
) ? EBT_MATCH
: EBT_NOMATCH
;
86 ebt_dev_check(const char *entry
, const struct net_device
*device
)
95 devname
= device
->name
;
96 /* 1 is the wildcard token */
97 while (entry
[i
] != '\0' && entry
[i
] != 1 && entry
[i
] == devname
[i
])
99 return (devname
[i
] != entry
[i
] && entry
[i
] != 1);
102 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
103 /* process standard matches */
105 ebt_basic_match(const struct ebt_entry
*e
, const struct ethhdr
*h
,
106 const struct net_device
*in
, const struct net_device
*out
)
110 if (e
->bitmask
& EBT_802_3
) {
111 if (FWINV2(ntohs(h
->h_proto
) >= 1536, EBT_IPROTO
))
113 } else if (!(e
->bitmask
& EBT_NOPROTO
) &&
114 FWINV2(e
->ethproto
!= h
->h_proto
, EBT_IPROTO
))
117 if (FWINV2(ebt_dev_check(e
->in
, in
), EBT_IIN
))
119 if (FWINV2(ebt_dev_check(e
->out
, out
), EBT_IOUT
))
121 if ((!in
|| !in
->br_port
) ? 0 : FWINV2(ebt_dev_check(
122 e
->logical_in
, in
->br_port
->br
->dev
), EBT_ILOGICALIN
))
124 if ((!out
|| !out
->br_port
) ? 0 : FWINV2(ebt_dev_check(
125 e
->logical_out
, out
->br_port
->br
->dev
), EBT_ILOGICALOUT
))
128 if (e
->bitmask
& EBT_SOURCEMAC
) {
130 for (i
= 0; i
< 6; i
++)
131 verdict
|= (h
->h_source
[i
] ^ e
->sourcemac
[i
]) &
133 if (FWINV2(verdict
!= 0, EBT_ISOURCE
) )
136 if (e
->bitmask
& EBT_DESTMAC
) {
138 for (i
= 0; i
< 6; i
++)
139 verdict
|= (h
->h_dest
[i
] ^ e
->destmac
[i
]) &
141 if (FWINV2(verdict
!= 0, EBT_IDEST
) )
148 struct ebt_entry
*ebt_next_entry(const struct ebt_entry
*entry
)
150 return (void *)entry
+ entry
->next_offset
;
153 /* Do some firewalling */
154 unsigned int ebt_do_table (unsigned int hook
, struct sk_buff
*skb
,
155 const struct net_device
*in
, const struct net_device
*out
,
156 struct ebt_table
*table
)
159 struct ebt_entry
*point
;
160 struct ebt_counter
*counter_base
, *cb_base
;
161 const struct ebt_entry_target
*t
;
163 struct ebt_chainstack
*cs
;
164 struct ebt_entries
*chaininfo
;
166 const struct ebt_table_info
*private;
167 bool hotdrop
= false;
168 struct xt_match_param mtpar
;
169 struct xt_target_param tgpar
;
171 mtpar
.family
= tgpar
.family
= NFPROTO_BRIDGE
;
172 mtpar
.in
= tgpar
.in
= in
;
173 mtpar
.out
= tgpar
.out
= out
;
174 mtpar
.hotdrop
= &hotdrop
;
175 mtpar
.hooknum
= tgpar
.hooknum
= hook
;
177 read_lock_bh(&table
->lock
);
178 private = table
->private;
179 cb_base
= COUNTER_BASE(private->counters
, private->nentries
,
181 if (private->chainstack
)
182 cs
= private->chainstack
[smp_processor_id()];
185 chaininfo
= private->hook_entry
[hook
];
186 nentries
= private->hook_entry
[hook
]->nentries
;
187 point
= (struct ebt_entry
*)(private->hook_entry
[hook
]->data
);
188 counter_base
= cb_base
+ private->hook_entry
[hook
]->counter_offset
;
189 /* base for chain jumps */
190 base
= private->entries
;
192 while (i
< nentries
) {
193 if (ebt_basic_match(point
, eth_hdr(skb
), in
, out
))
196 if (EBT_MATCH_ITERATE(point
, ebt_do_match
, skb
, &mtpar
) != 0)
199 read_unlock_bh(&table
->lock
);
203 /* increase counter */
204 (*(counter_base
+ i
)).pcnt
++;
205 (*(counter_base
+ i
)).bcnt
+= skb
->len
;
207 /* these should only watch: not modify, nor tell us
208 what to do with the packet */
209 EBT_WATCHER_ITERATE(point
, ebt_do_watcher
, skb
, &tgpar
);
211 t
= (struct ebt_entry_target
*)
212 (((char *)point
) + point
->target_offset
);
213 /* standard target */
214 if (!t
->u
.target
->target
)
215 verdict
= ((struct ebt_standard_target
*)t
)->verdict
;
217 tgpar
.target
= t
->u
.target
;
218 tgpar
.targinfo
= t
->data
;
219 verdict
= t
->u
.target
->target(skb
, &tgpar
);
221 if (verdict
== EBT_ACCEPT
) {
222 read_unlock_bh(&table
->lock
);
225 if (verdict
== EBT_DROP
) {
226 read_unlock_bh(&table
->lock
);
229 if (verdict
== EBT_RETURN
) {
231 #ifdef CONFIG_NETFILTER_DEBUG
233 BUGPRINT("RETURN on base chain");
234 /* act like this is EBT_CONTINUE */
239 /* put all the local variables right */
241 chaininfo
= cs
[sp
].chaininfo
;
242 nentries
= chaininfo
->nentries
;
244 counter_base
= cb_base
+
245 chaininfo
->counter_offset
;
248 if (verdict
== EBT_CONTINUE
)
250 #ifdef CONFIG_NETFILTER_DEBUG
252 BUGPRINT("bogus standard verdict\n");
253 read_unlock_bh(&table
->lock
);
259 cs
[sp
].chaininfo
= chaininfo
;
260 cs
[sp
].e
= ebt_next_entry(point
);
262 chaininfo
= (struct ebt_entries
*) (base
+ verdict
);
263 #ifdef CONFIG_NETFILTER_DEBUG
264 if (chaininfo
->distinguisher
) {
265 BUGPRINT("jump to non-chain\n");
266 read_unlock_bh(&table
->lock
);
270 nentries
= chaininfo
->nentries
;
271 point
= (struct ebt_entry
*)chaininfo
->data
;
272 counter_base
= cb_base
+ chaininfo
->counter_offset
;
276 point
= ebt_next_entry(point
);
280 /* I actually like this :) */
281 if (chaininfo
->policy
== EBT_RETURN
)
283 if (chaininfo
->policy
== EBT_ACCEPT
) {
284 read_unlock_bh(&table
->lock
);
287 read_unlock_bh(&table
->lock
);
291 /* If it succeeds, returns element and locks mutex */
293 find_inlist_lock_noload(struct list_head
*head
, const char *name
, int *error
,
297 struct list_head list
;
298 char name
[EBT_FUNCTION_MAXNAMELEN
];
301 *error
= mutex_lock_interruptible(mutex
);
305 list_for_each_entry(e
, head
, list
) {
306 if (strcmp(e
->name
, name
) == 0)
315 find_inlist_lock(struct list_head
*head
, const char *name
, const char *prefix
,
316 int *error
, struct mutex
*mutex
)
318 return try_then_request_module(
319 find_inlist_lock_noload(head
, name
, error
, mutex
),
320 "%s%s", prefix
, name
);
323 static inline struct ebt_table
*
324 find_table_lock(struct net
*net
, const char *name
, int *error
,
327 return find_inlist_lock(&net
->xt
.tables
[NFPROTO_BRIDGE
], name
,
328 "ebtable_", error
, mutex
);
332 ebt_check_match(struct ebt_entry_match
*m
, struct xt_mtchk_param
*par
,
335 const struct ebt_entry
*e
= par
->entryinfo
;
336 struct xt_match
*match
;
337 size_t left
= ((char *)e
+ e
->watchers_offset
) - (char *)m
;
340 if (left
< sizeof(struct ebt_entry_match
) ||
341 left
- sizeof(struct ebt_entry_match
) < m
->match_size
)
344 match
= try_then_request_module(xt_find_match(NFPROTO_BRIDGE
,
345 m
->u
.name
, 0), "ebt_%s", m
->u
.name
);
347 return PTR_ERR(match
);
353 par
->matchinfo
= m
->data
;
354 ret
= xt_check_match(par
, m
->match_size
,
355 e
->ethproto
, e
->invflags
& EBT_IPROTO
);
357 module_put(match
->me
);
366 ebt_check_watcher(struct ebt_entry_watcher
*w
, struct xt_tgchk_param
*par
,
369 const struct ebt_entry
*e
= par
->entryinfo
;
370 struct xt_target
*watcher
;
371 size_t left
= ((char *)e
+ e
->target_offset
) - (char *)w
;
374 if (left
< sizeof(struct ebt_entry_watcher
) ||
375 left
- sizeof(struct ebt_entry_watcher
) < w
->watcher_size
)
378 watcher
= try_then_request_module(
379 xt_find_target(NFPROTO_BRIDGE
, w
->u
.name
, 0),
380 "ebt_%s", w
->u
.name
);
382 return PTR_ERR(watcher
);
385 w
->u
.watcher
= watcher
;
387 par
->target
= watcher
;
388 par
->targinfo
= w
->data
;
389 ret
= xt_check_target(par
, w
->watcher_size
,
390 e
->ethproto
, e
->invflags
& EBT_IPROTO
);
392 module_put(watcher
->me
);
400 static int ebt_verify_pointers(const struct ebt_replace
*repl
,
401 struct ebt_table_info
*newinfo
)
403 unsigned int limit
= repl
->entries_size
;
404 unsigned int valid_hooks
= repl
->valid_hooks
;
405 unsigned int offset
= 0;
408 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++)
409 newinfo
->hook_entry
[i
] = NULL
;
411 newinfo
->entries_size
= repl
->entries_size
;
412 newinfo
->nentries
= repl
->nentries
;
414 while (offset
< limit
) {
415 size_t left
= limit
- offset
;
416 struct ebt_entry
*e
= (void *)newinfo
->entries
+ offset
;
418 if (left
< sizeof(unsigned int))
421 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
422 if ((valid_hooks
& (1 << i
)) == 0)
424 if ((char __user
*)repl
->hook_entry
[i
] ==
425 repl
->entries
+ offset
)
429 if (i
!= NF_BR_NUMHOOKS
|| !(e
->bitmask
& EBT_ENTRY_OR_ENTRIES
)) {
430 if (e
->bitmask
!= 0) {
431 /* we make userspace set this right,
432 so there is no misunderstanding */
433 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
434 "in distinguisher\n");
437 if (i
!= NF_BR_NUMHOOKS
)
438 newinfo
->hook_entry
[i
] = (struct ebt_entries
*)e
;
439 if (left
< sizeof(struct ebt_entries
))
441 offset
+= sizeof(struct ebt_entries
);
443 if (left
< sizeof(struct ebt_entry
))
445 if (left
< e
->next_offset
)
447 offset
+= e
->next_offset
;
450 if (offset
!= limit
) {
451 BUGPRINT("entries_size too small\n");
455 /* check if all valid hooks have a chain */
456 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
457 if (!newinfo
->hook_entry
[i
] &&
458 (valid_hooks
& (1 << i
))) {
459 BUGPRINT("Valid hook without chain\n");
467 * this one is very careful, as it is the first function
468 * to parse the userspace data
471 ebt_check_entry_size_and_hooks(const struct ebt_entry
*e
,
472 const struct ebt_table_info
*newinfo
,
473 unsigned int *n
, unsigned int *cnt
,
474 unsigned int *totalcnt
, unsigned int *udc_cnt
)
478 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
479 if ((void *)e
== (void *)newinfo
->hook_entry
[i
])
482 /* beginning of a new chain
483 if i == NF_BR_NUMHOOKS it must be a user defined chain */
484 if (i
!= NF_BR_NUMHOOKS
|| !e
->bitmask
) {
485 /* this checks if the previous chain has as many entries
488 BUGPRINT("nentries does not equal the nr of entries "
492 if (((struct ebt_entries
*)e
)->policy
!= EBT_DROP
&&
493 ((struct ebt_entries
*)e
)->policy
!= EBT_ACCEPT
) {
494 /* only RETURN from udc */
495 if (i
!= NF_BR_NUMHOOKS
||
496 ((struct ebt_entries
*)e
)->policy
!= EBT_RETURN
) {
497 BUGPRINT("bad policy\n");
501 if (i
== NF_BR_NUMHOOKS
) /* it's a user defined chain */
503 if (((struct ebt_entries
*)e
)->counter_offset
!= *totalcnt
) {
504 BUGPRINT("counter_offset != totalcnt");
507 *n
= ((struct ebt_entries
*)e
)->nentries
;
511 /* a plain old entry, heh */
512 if (sizeof(struct ebt_entry
) > e
->watchers_offset
||
513 e
->watchers_offset
> e
->target_offset
||
514 e
->target_offset
>= e
->next_offset
) {
515 BUGPRINT("entry offsets not in right order\n");
518 /* this is not checked anywhere else */
519 if (e
->next_offset
- e
->target_offset
< sizeof(struct ebt_entry_target
)) {
520 BUGPRINT("target size too small\n");
530 struct ebt_chainstack cs
;
532 unsigned int hookmask
;
536 * we need these positions to check that the jumps to a different part of the
537 * entries is a jump to the beginning of a new chain.
540 ebt_get_udc_positions(struct ebt_entry
*e
, struct ebt_table_info
*newinfo
,
541 unsigned int *n
, struct ebt_cl_stack
*udc
)
545 /* we're only interested in chain starts */
548 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
549 if (newinfo
->hook_entry
[i
] == (struct ebt_entries
*)e
)
552 /* only care about udc */
553 if (i
!= NF_BR_NUMHOOKS
)
556 udc
[*n
].cs
.chaininfo
= (struct ebt_entries
*)e
;
557 /* these initialisations are depended on later in check_chainloops() */
559 udc
[*n
].hookmask
= 0;
566 ebt_cleanup_match(struct ebt_entry_match
*m
, struct net
*net
, unsigned int *i
)
568 struct xt_mtdtor_param par
;
570 if (i
&& (*i
)-- == 0)
574 par
.match
= m
->u
.match
;
575 par
.matchinfo
= m
->data
;
576 par
.family
= NFPROTO_BRIDGE
;
577 if (par
.match
->destroy
!= NULL
)
578 par
.match
->destroy(&par
);
579 module_put(par
.match
->me
);
584 ebt_cleanup_watcher(struct ebt_entry_watcher
*w
, struct net
*net
, unsigned int *i
)
586 struct xt_tgdtor_param par
;
588 if (i
&& (*i
)-- == 0)
592 par
.target
= w
->u
.watcher
;
593 par
.targinfo
= w
->data
;
594 par
.family
= NFPROTO_BRIDGE
;
595 if (par
.target
->destroy
!= NULL
)
596 par
.target
->destroy(&par
);
597 module_put(par
.target
->me
);
602 ebt_cleanup_entry(struct ebt_entry
*e
, struct net
*net
, unsigned int *cnt
)
604 struct xt_tgdtor_param par
;
605 struct ebt_entry_target
*t
;
610 if (cnt
&& (*cnt
)-- == 0)
612 EBT_WATCHER_ITERATE(e
, ebt_cleanup_watcher
, net
, NULL
);
613 EBT_MATCH_ITERATE(e
, ebt_cleanup_match
, net
, NULL
);
614 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
617 par
.target
= t
->u
.target
;
618 par
.targinfo
= t
->data
;
619 par
.family
= NFPROTO_BRIDGE
;
620 if (par
.target
->destroy
!= NULL
)
621 par
.target
->destroy(&par
);
622 module_put(par
.target
->me
);
627 ebt_check_entry(struct ebt_entry
*e
, struct net
*net
,
628 const struct ebt_table_info
*newinfo
,
629 const char *name
, unsigned int *cnt
,
630 struct ebt_cl_stack
*cl_s
, unsigned int udc_cnt
)
632 struct ebt_entry_target
*t
;
633 struct xt_target
*target
;
634 unsigned int i
, j
, hook
= 0, hookmask
= 0;
637 struct xt_mtchk_param mtpar
;
638 struct xt_tgchk_param tgpar
;
640 /* don't mess with the struct ebt_entries */
644 if (e
->bitmask
& ~EBT_F_MASK
) {
645 BUGPRINT("Unknown flag for bitmask\n");
648 if (e
->invflags
& ~EBT_INV_MASK
) {
649 BUGPRINT("Unknown flag for inv bitmask\n");
652 if ( (e
->bitmask
& EBT_NOPROTO
) && (e
->bitmask
& EBT_802_3
) ) {
653 BUGPRINT("NOPROTO & 802_3 not allowed\n");
656 /* what hook do we belong to? */
657 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
658 if (!newinfo
->hook_entry
[i
])
660 if ((char *)newinfo
->hook_entry
[i
] < (char *)e
)
665 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
667 if (i
< NF_BR_NUMHOOKS
)
668 hookmask
= (1 << hook
) | (1 << NF_BR_NUMHOOKS
);
670 for (i
= 0; i
< udc_cnt
; i
++)
671 if ((char *)(cl_s
[i
].cs
.chaininfo
) > (char *)e
)
674 hookmask
= (1 << hook
) | (1 << NF_BR_NUMHOOKS
);
676 hookmask
= cl_s
[i
- 1].hookmask
;
680 mtpar
.net
= tgpar
.net
= net
;
681 mtpar
.table
= tgpar
.table
= name
;
682 mtpar
.entryinfo
= tgpar
.entryinfo
= e
;
683 mtpar
.hook_mask
= tgpar
.hook_mask
= hookmask
;
684 mtpar
.family
= tgpar
.family
= NFPROTO_BRIDGE
;
685 ret
= EBT_MATCH_ITERATE(e
, ebt_check_match
, &mtpar
, &i
);
687 goto cleanup_matches
;
689 ret
= EBT_WATCHER_ITERATE(e
, ebt_check_watcher
, &tgpar
, &j
);
691 goto cleanup_watchers
;
692 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
693 gap
= e
->next_offset
- e
->target_offset
;
695 target
= try_then_request_module(
696 xt_find_target(NFPROTO_BRIDGE
, t
->u
.name
, 0),
697 "ebt_%s", t
->u
.name
);
698 if (IS_ERR(target
)) {
699 ret
= PTR_ERR(target
);
700 goto cleanup_watchers
;
701 } else if (target
== NULL
) {
703 goto cleanup_watchers
;
706 t
->u
.target
= target
;
707 if (t
->u
.target
== &ebt_standard_target
) {
708 if (gap
< sizeof(struct ebt_standard_target
)) {
709 BUGPRINT("Standard target size too big\n");
711 goto cleanup_watchers
;
713 if (((struct ebt_standard_target
*)t
)->verdict
<
714 -NUM_STANDARD_TARGETS
) {
715 BUGPRINT("Invalid standard target\n");
717 goto cleanup_watchers
;
719 } else if (t
->target_size
> gap
- sizeof(struct ebt_entry_target
)) {
720 module_put(t
->u
.target
->me
);
722 goto cleanup_watchers
;
725 tgpar
.target
= target
;
726 tgpar
.targinfo
= t
->data
;
727 ret
= xt_check_target(&tgpar
, t
->target_size
,
728 e
->ethproto
, e
->invflags
& EBT_IPROTO
);
730 module_put(target
->me
);
731 goto cleanup_watchers
;
736 EBT_WATCHER_ITERATE(e
, ebt_cleanup_watcher
, net
, &j
);
738 EBT_MATCH_ITERATE(e
, ebt_cleanup_match
, net
, &i
);
743 * checks for loops and sets the hook mask for udc
744 * the hook mask for udc tells us from which base chains the udc can be
745 * accessed. This mask is a parameter to the check() functions of the extensions
747 static int check_chainloops(const struct ebt_entries
*chain
, struct ebt_cl_stack
*cl_s
,
748 unsigned int udc_cnt
, unsigned int hooknr
, char *base
)
750 int i
, chain_nr
= -1, pos
= 0, nentries
= chain
->nentries
, verdict
;
751 const struct ebt_entry
*e
= (struct ebt_entry
*)chain
->data
;
752 const struct ebt_entry_target
*t
;
754 while (pos
< nentries
|| chain_nr
!= -1) {
755 /* end of udc, go back one 'recursion' step */
756 if (pos
== nentries
) {
757 /* put back values of the time when this chain was called */
758 e
= cl_s
[chain_nr
].cs
.e
;
759 if (cl_s
[chain_nr
].from
!= -1)
761 cl_s
[cl_s
[chain_nr
].from
].cs
.chaininfo
->nentries
;
763 nentries
= chain
->nentries
;
764 pos
= cl_s
[chain_nr
].cs
.n
;
765 /* make sure we won't see a loop that isn't one */
766 cl_s
[chain_nr
].cs
.n
= 0;
767 chain_nr
= cl_s
[chain_nr
].from
;
771 t
= (struct ebt_entry_target
*)
772 (((char *)e
) + e
->target_offset
);
773 if (strcmp(t
->u
.name
, EBT_STANDARD_TARGET
))
775 if (e
->target_offset
+ sizeof(struct ebt_standard_target
) >
777 BUGPRINT("Standard target size too big\n");
780 verdict
= ((struct ebt_standard_target
*)t
)->verdict
;
781 if (verdict
>= 0) { /* jump to another chain */
782 struct ebt_entries
*hlp2
=
783 (struct ebt_entries
*)(base
+ verdict
);
784 for (i
= 0; i
< udc_cnt
; i
++)
785 if (hlp2
== cl_s
[i
].cs
.chaininfo
)
787 /* bad destination or loop */
789 BUGPRINT("bad destination\n");
796 if (cl_s
[i
].hookmask
& (1 << hooknr
))
798 /* this can't be 0, so the loop test is correct */
799 cl_s
[i
].cs
.n
= pos
+ 1;
801 cl_s
[i
].cs
.e
= ebt_next_entry(e
);
802 e
= (struct ebt_entry
*)(hlp2
->data
);
803 nentries
= hlp2
->nentries
;
804 cl_s
[i
].from
= chain_nr
;
806 /* this udc is accessible from the base chain for hooknr */
807 cl_s
[i
].hookmask
|= (1 << hooknr
);
811 e
= ebt_next_entry(e
);
817 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
818 static int translate_table(struct net
*net
, const char *name
,
819 struct ebt_table_info
*newinfo
)
821 unsigned int i
, j
, k
, udc_cnt
;
823 struct ebt_cl_stack
*cl_s
= NULL
; /* used in the checking for chain loops */
826 while (i
< NF_BR_NUMHOOKS
&& !newinfo
->hook_entry
[i
])
828 if (i
== NF_BR_NUMHOOKS
) {
829 BUGPRINT("No valid hooks specified\n");
832 if (newinfo
->hook_entry
[i
] != (struct ebt_entries
*)newinfo
->entries
) {
833 BUGPRINT("Chains don't start at beginning\n");
836 /* make sure chains are ordered after each other in same order
837 as their corresponding hooks */
838 for (j
= i
+ 1; j
< NF_BR_NUMHOOKS
; j
++) {
839 if (!newinfo
->hook_entry
[j
])
841 if (newinfo
->hook_entry
[j
] <= newinfo
->hook_entry
[i
]) {
842 BUGPRINT("Hook order must be followed\n");
848 /* do some early checkings and initialize some things */
849 i
= 0; /* holds the expected nr. of entries for the chain */
850 j
= 0; /* holds the up to now counted entries for the chain */
851 k
= 0; /* holds the total nr. of entries, should equal
852 newinfo->nentries afterwards */
853 udc_cnt
= 0; /* will hold the nr. of user defined chains (udc) */
854 ret
= EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
855 ebt_check_entry_size_and_hooks
, newinfo
,
856 &i
, &j
, &k
, &udc_cnt
);
862 BUGPRINT("nentries does not equal the nr of entries in the "
866 if (k
!= newinfo
->nentries
) {
867 BUGPRINT("Total nentries is wrong\n");
871 /* get the location of the udc, put them in an array
872 while we're at it, allocate the chainstack */
874 /* this will get free'd in do_replace()/ebt_register_table()
875 if an error occurs */
876 newinfo
->chainstack
=
877 vmalloc(nr_cpu_ids
* sizeof(*(newinfo
->chainstack
)));
878 if (!newinfo
->chainstack
)
880 for_each_possible_cpu(i
) {
881 newinfo
->chainstack
[i
] =
882 vmalloc(udc_cnt
* sizeof(*(newinfo
->chainstack
[0])));
883 if (!newinfo
->chainstack
[i
]) {
885 vfree(newinfo
->chainstack
[--i
]);
886 vfree(newinfo
->chainstack
);
887 newinfo
->chainstack
= NULL
;
892 cl_s
= vmalloc(udc_cnt
* sizeof(*cl_s
));
895 i
= 0; /* the i'th udc */
896 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
897 ebt_get_udc_positions
, newinfo
, &i
, cl_s
);
900 BUGPRINT("i != udc_cnt\n");
906 /* Check for loops */
907 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++)
908 if (newinfo
->hook_entry
[i
])
909 if (check_chainloops(newinfo
->hook_entry
[i
],
910 cl_s
, udc_cnt
, i
, newinfo
->entries
)) {
915 /* we now know the following (along with E=mc²):
916 - the nr of entries in each chain is right
917 - the size of the allocated space is right
918 - all valid hooks have a corresponding chain
920 - wrong data can still be on the level of a single entry
921 - could be there are jumps to places that are not the
922 beginning of a chain. This can only occur in chains that
923 are not accessible from any base chains, so we don't care. */
925 /* used to know what we need to clean up if something goes wrong */
927 ret
= EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
928 ebt_check_entry
, net
, newinfo
, name
, &i
, cl_s
, udc_cnt
);
930 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
931 ebt_cleanup_entry
, net
, &i
);
937 /* called under write_lock */
938 static void get_counters(const struct ebt_counter
*oldcounters
,
939 struct ebt_counter
*counters
, unsigned int nentries
)
942 struct ebt_counter
*counter_base
;
944 /* counters of cpu 0 */
945 memcpy(counters
, oldcounters
,
946 sizeof(struct ebt_counter
) * nentries
);
948 /* add other counters to those of cpu 0 */
949 for_each_possible_cpu(cpu
) {
952 counter_base
= COUNTER_BASE(oldcounters
, nentries
, cpu
);
953 for (i
= 0; i
< nentries
; i
++) {
954 counters
[i
].pcnt
+= counter_base
[i
].pcnt
;
955 counters
[i
].bcnt
+= counter_base
[i
].bcnt
;
960 /* replace the table */
961 static int do_replace(struct net
*net
, const void __user
*user
,
964 int ret
, i
, countersize
;
965 struct ebt_table_info
*newinfo
;
966 struct ebt_replace tmp
;
968 struct ebt_counter
*counterstmp
= NULL
;
969 /* used to be able to unlock earlier */
970 struct ebt_table_info
*table
;
972 if (copy_from_user(&tmp
, user
, sizeof(tmp
)) != 0)
975 if (len
!= sizeof(tmp
) + tmp
.entries_size
) {
976 BUGPRINT("Wrong len argument\n");
980 if (tmp
.entries_size
== 0) {
981 BUGPRINT("Entries_size never zero\n");
985 if (tmp
.nentries
>= ((INT_MAX
- sizeof(struct ebt_table_info
)) / NR_CPUS
-
986 SMP_CACHE_BYTES
) / sizeof(struct ebt_counter
))
988 if (tmp
.num_counters
>= INT_MAX
/ sizeof(struct ebt_counter
))
991 countersize
= COUNTER_OFFSET(tmp
.nentries
) * nr_cpu_ids
;
992 newinfo
= vmalloc(sizeof(*newinfo
) + countersize
);
997 memset(newinfo
->counters
, 0, countersize
);
999 newinfo
->entries
= vmalloc(tmp
.entries_size
);
1000 if (!newinfo
->entries
) {
1005 newinfo
->entries
, tmp
.entries
, tmp
.entries_size
) != 0) {
1006 BUGPRINT("Couldn't copy entries from userspace\n");
1011 /* the user wants counters back
1012 the check on the size is done later, when we have the lock */
1013 if (tmp
.num_counters
) {
1014 counterstmp
= vmalloc(tmp
.num_counters
* sizeof(*counterstmp
));
1023 /* this can get initialized by translate_table() */
1024 newinfo
->chainstack
= NULL
;
1025 ret
= ebt_verify_pointers(&tmp
, newinfo
);
1027 goto free_counterstmp
;
1029 ret
= translate_table(net
, tmp
.name
, newinfo
);
1032 goto free_counterstmp
;
1034 t
= find_table_lock(net
, tmp
.name
, &ret
, &ebt_mutex
);
1040 /* the table doesn't like it */
1041 if (t
->check
&& (ret
= t
->check(newinfo
, tmp
.valid_hooks
)))
1044 if (tmp
.num_counters
&& tmp
.num_counters
!= t
->private->nentries
) {
1045 BUGPRINT("Wrong nr. of counters requested\n");
1050 /* we have the mutex lock, so no danger in reading this pointer */
1052 /* make sure the table can only be rmmod'ed if it contains no rules */
1053 if (!table
->nentries
&& newinfo
->nentries
&& !try_module_get(t
->me
)) {
1056 } else if (table
->nentries
&& !newinfo
->nentries
)
1058 /* we need an atomic snapshot of the counters */
1059 write_lock_bh(&t
->lock
);
1060 if (tmp
.num_counters
)
1061 get_counters(t
->private->counters
, counterstmp
,
1062 t
->private->nentries
);
1064 t
->private = newinfo
;
1065 write_unlock_bh(&t
->lock
);
1066 mutex_unlock(&ebt_mutex
);
1067 /* so, a user can change the chains while having messed up her counter
1068 allocation. Only reason why this is done is because this way the lock
1069 is held only once, while this doesn't bring the kernel into a
1071 if (tmp
.num_counters
&&
1072 copy_to_user(tmp
.counters
, counterstmp
,
1073 tmp
.num_counters
* sizeof(struct ebt_counter
))) {
1074 BUGPRINT("Couldn't copy counters to userspace\n");
1080 /* decrease module count and free resources */
1081 EBT_ENTRY_ITERATE(table
->entries
, table
->entries_size
,
1082 ebt_cleanup_entry
, net
, NULL
);
1084 vfree(table
->entries
);
1085 if (table
->chainstack
) {
1086 for_each_possible_cpu(i
)
1087 vfree(table
->chainstack
[i
]);
1088 vfree(table
->chainstack
);
1096 mutex_unlock(&ebt_mutex
);
1098 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
1099 ebt_cleanup_entry
, net
, NULL
);
1102 /* can be initialized in translate_table() */
1103 if (newinfo
->chainstack
) {
1104 for_each_possible_cpu(i
)
1105 vfree(newinfo
->chainstack
[i
]);
1106 vfree(newinfo
->chainstack
);
1109 vfree(newinfo
->entries
);
1116 ebt_register_table(struct net
*net
, const struct ebt_table
*input_table
)
1118 struct ebt_table_info
*newinfo
;
1119 struct ebt_table
*t
, *table
;
1120 struct ebt_replace_kernel
*repl
;
1121 int ret
, i
, countersize
;
1124 if (input_table
== NULL
|| (repl
= input_table
->table
) == NULL
||
1125 repl
->entries
== 0 || repl
->entries_size
== 0 ||
1126 repl
->counters
!= NULL
|| input_table
->private != NULL
) {
1127 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1128 return ERR_PTR(-EINVAL
);
1131 /* Don't add one table to multiple lists. */
1132 table
= kmemdup(input_table
, sizeof(struct ebt_table
), GFP_KERNEL
);
1138 countersize
= COUNTER_OFFSET(repl
->nentries
) * nr_cpu_ids
;
1139 newinfo
= vmalloc(sizeof(*newinfo
) + countersize
);
1144 p
= vmalloc(repl
->entries_size
);
1148 memcpy(p
, repl
->entries
, repl
->entries_size
);
1149 newinfo
->entries
= p
;
1151 newinfo
->entries_size
= repl
->entries_size
;
1152 newinfo
->nentries
= repl
->nentries
;
1155 memset(newinfo
->counters
, 0, countersize
);
1157 /* fill in newinfo and parse the entries */
1158 newinfo
->chainstack
= NULL
;
1159 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
1160 if ((repl
->valid_hooks
& (1 << i
)) == 0)
1161 newinfo
->hook_entry
[i
] = NULL
;
1163 newinfo
->hook_entry
[i
] = p
+
1164 ((char *)repl
->hook_entry
[i
] - repl
->entries
);
1166 ret
= translate_table(net
, repl
->name
, newinfo
);
1168 BUGPRINT("Translate_table failed\n");
1169 goto free_chainstack
;
1172 if (table
->check
&& table
->check(newinfo
, table
->valid_hooks
)) {
1173 BUGPRINT("The table doesn't like its own initial data, lol\n");
1174 return ERR_PTR(-EINVAL
);
1177 table
->private = newinfo
;
1178 rwlock_init(&table
->lock
);
1179 ret
= mutex_lock_interruptible(&ebt_mutex
);
1181 goto free_chainstack
;
1183 list_for_each_entry(t
, &net
->xt
.tables
[NFPROTO_BRIDGE
], list
) {
1184 if (strcmp(t
->name
, table
->name
) == 0) {
1186 BUGPRINT("Table name already exists\n");
1191 /* Hold a reference count if the chains aren't empty */
1192 if (newinfo
->nentries
&& !try_module_get(table
->me
)) {
1196 list_add(&table
->list
, &net
->xt
.tables
[NFPROTO_BRIDGE
]);
1197 mutex_unlock(&ebt_mutex
);
1200 mutex_unlock(&ebt_mutex
);
1202 if (newinfo
->chainstack
) {
1203 for_each_possible_cpu(i
)
1204 vfree(newinfo
->chainstack
[i
]);
1205 vfree(newinfo
->chainstack
);
1207 vfree(newinfo
->entries
);
1213 return ERR_PTR(ret
);
1216 void ebt_unregister_table(struct net
*net
, struct ebt_table
*table
)
1221 BUGPRINT("Request to unregister NULL table!!!\n");
1224 mutex_lock(&ebt_mutex
);
1225 list_del(&table
->list
);
1226 mutex_unlock(&ebt_mutex
);
1227 EBT_ENTRY_ITERATE(table
->private->entries
, table
->private->entries_size
,
1228 ebt_cleanup_entry
, net
, NULL
);
1229 if (table
->private->nentries
)
1230 module_put(table
->me
);
1231 vfree(table
->private->entries
);
1232 if (table
->private->chainstack
) {
1233 for_each_possible_cpu(i
)
1234 vfree(table
->private->chainstack
[i
]);
1235 vfree(table
->private->chainstack
);
1237 vfree(table
->private);
1241 /* userspace just supplied us with counters */
1242 static int update_counters(struct net
*net
, const void __user
*user
,
1246 struct ebt_counter
*tmp
;
1247 struct ebt_replace hlp
;
1248 struct ebt_table
*t
;
1250 if (copy_from_user(&hlp
, user
, sizeof(hlp
)))
1253 if (len
!= sizeof(hlp
) + hlp
.num_counters
* sizeof(struct ebt_counter
))
1255 if (hlp
.num_counters
== 0)
1258 if (!(tmp
= vmalloc(hlp
.num_counters
* sizeof(*tmp
)))) {
1259 MEMPRINT("Update_counters && nomemory\n");
1263 t
= find_table_lock(net
, hlp
.name
, &ret
, &ebt_mutex
);
1267 if (hlp
.num_counters
!= t
->private->nentries
) {
1268 BUGPRINT("Wrong nr of counters\n");
1273 if ( copy_from_user(tmp
, hlp
.counters
,
1274 hlp
.num_counters
* sizeof(struct ebt_counter
)) ) {
1275 BUGPRINT("Updata_counters && !cfu\n");
1280 /* we want an atomic add of the counters */
1281 write_lock_bh(&t
->lock
);
1283 /* we add to the counters of the first cpu */
1284 for (i
= 0; i
< hlp
.num_counters
; i
++) {
1285 t
->private->counters
[i
].pcnt
+= tmp
[i
].pcnt
;
1286 t
->private->counters
[i
].bcnt
+= tmp
[i
].bcnt
;
1289 write_unlock_bh(&t
->lock
);
1292 mutex_unlock(&ebt_mutex
);
1298 static inline int ebt_make_matchname(const struct ebt_entry_match
*m
,
1299 const char *base
, char __user
*ubase
)
1301 char __user
*hlp
= ubase
+ ((char *)m
- base
);
1302 if (copy_to_user(hlp
, m
->u
.match
->name
, EBT_FUNCTION_MAXNAMELEN
))
1307 static inline int ebt_make_watchername(const struct ebt_entry_watcher
*w
,
1308 const char *base
, char __user
*ubase
)
1310 char __user
*hlp
= ubase
+ ((char *)w
- base
);
1311 if (copy_to_user(hlp
, w
->u
.watcher
->name
, EBT_FUNCTION_MAXNAMELEN
))
1317 ebt_make_names(struct ebt_entry
*e
, const char *base
, char __user
*ubase
)
1321 const struct ebt_entry_target
*t
;
1323 if (e
->bitmask
== 0)
1326 hlp
= ubase
+ (((char *)e
+ e
->target_offset
) - base
);
1327 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
1329 ret
= EBT_MATCH_ITERATE(e
, ebt_make_matchname
, base
, ubase
);
1332 ret
= EBT_WATCHER_ITERATE(e
, ebt_make_watchername
, base
, ubase
);
1335 if (copy_to_user(hlp
, t
->u
.target
->name
, EBT_FUNCTION_MAXNAMELEN
))
1340 /* called with ebt_mutex locked */
1341 static int copy_everything_to_user(struct ebt_table
*t
, void __user
*user
,
1342 const int *len
, int cmd
)
1344 struct ebt_replace tmp
;
1345 struct ebt_counter
*counterstmp
;
1346 const struct ebt_counter
*oldcounters
;
1347 unsigned int entries_size
, nentries
;
1350 if (cmd
== EBT_SO_GET_ENTRIES
) {
1351 entries_size
= t
->private->entries_size
;
1352 nentries
= t
->private->nentries
;
1353 entries
= t
->private->entries
;
1354 oldcounters
= t
->private->counters
;
1356 entries_size
= t
->table
->entries_size
;
1357 nentries
= t
->table
->nentries
;
1358 entries
= t
->table
->entries
;
1359 oldcounters
= t
->table
->counters
;
1362 if (copy_from_user(&tmp
, user
, sizeof(tmp
))) {
1363 BUGPRINT("Cfu didn't work\n");
1367 if (*len
!= sizeof(struct ebt_replace
) + entries_size
+
1368 (tmp
.num_counters
? nentries
* sizeof(struct ebt_counter
): 0)) {
1369 BUGPRINT("Wrong size\n");
1373 if (tmp
.nentries
!= nentries
) {
1374 BUGPRINT("Nentries wrong\n");
1378 if (tmp
.entries_size
!= entries_size
) {
1379 BUGPRINT("Wrong size\n");
1383 /* userspace might not need the counters */
1384 if (tmp
.num_counters
) {
1385 if (tmp
.num_counters
!= nentries
) {
1386 BUGPRINT("Num_counters wrong\n");
1389 counterstmp
= vmalloc(nentries
* sizeof(*counterstmp
));
1391 MEMPRINT("Couldn't copy counters, out of memory\n");
1394 write_lock_bh(&t
->lock
);
1395 get_counters(oldcounters
, counterstmp
, nentries
);
1396 write_unlock_bh(&t
->lock
);
1398 if (copy_to_user(tmp
.counters
, counterstmp
,
1399 nentries
* sizeof(struct ebt_counter
))) {
1400 BUGPRINT("Couldn't copy counters to userspace\n");
1407 if (copy_to_user(tmp
.entries
, entries
, entries_size
)) {
1408 BUGPRINT("Couldn't copy entries to userspace\n");
1411 /* set the match/watcher/target names right */
1412 return EBT_ENTRY_ITERATE(entries
, entries_size
,
1413 ebt_make_names
, entries
, tmp
.entries
);
1416 static int do_ebt_set_ctl(struct sock
*sk
,
1417 int cmd
, void __user
*user
, unsigned int len
)
1421 if (!capable(CAP_NET_ADMIN
))
1425 case EBT_SO_SET_ENTRIES
:
1426 ret
= do_replace(sock_net(sk
), user
, len
);
1428 case EBT_SO_SET_COUNTERS
:
1429 ret
= update_counters(sock_net(sk
), user
, len
);
1437 static int do_ebt_get_ctl(struct sock
*sk
, int cmd
, void __user
*user
, int *len
)
1440 struct ebt_replace tmp
;
1441 struct ebt_table
*t
;
1443 if (!capable(CAP_NET_ADMIN
))
1446 if (copy_from_user(&tmp
, user
, sizeof(tmp
)))
1449 t
= find_table_lock(sock_net(sk
), tmp
.name
, &ret
, &ebt_mutex
);
1454 case EBT_SO_GET_INFO
:
1455 case EBT_SO_GET_INIT_INFO
:
1456 if (*len
!= sizeof(struct ebt_replace
)){
1458 mutex_unlock(&ebt_mutex
);
1461 if (cmd
== EBT_SO_GET_INFO
) {
1462 tmp
.nentries
= t
->private->nentries
;
1463 tmp
.entries_size
= t
->private->entries_size
;
1464 tmp
.valid_hooks
= t
->valid_hooks
;
1466 tmp
.nentries
= t
->table
->nentries
;
1467 tmp
.entries_size
= t
->table
->entries_size
;
1468 tmp
.valid_hooks
= t
->table
->valid_hooks
;
1470 mutex_unlock(&ebt_mutex
);
1471 if (copy_to_user(user
, &tmp
, *len
) != 0){
1472 BUGPRINT("c2u Didn't work\n");
1479 case EBT_SO_GET_ENTRIES
:
1480 case EBT_SO_GET_INIT_ENTRIES
:
1481 ret
= copy_everything_to_user(t
, user
, len
, cmd
);
1482 mutex_unlock(&ebt_mutex
);
1486 mutex_unlock(&ebt_mutex
);
1493 static struct nf_sockopt_ops ebt_sockopts
=
1496 .set_optmin
= EBT_BASE_CTL
,
1497 .set_optmax
= EBT_SO_SET_MAX
+ 1,
1498 .set
= do_ebt_set_ctl
,
1499 .get_optmin
= EBT_BASE_CTL
,
1500 .get_optmax
= EBT_SO_GET_MAX
+ 1,
1501 .get
= do_ebt_get_ctl
,
1502 .owner
= THIS_MODULE
,
1505 static int __init
ebtables_init(void)
1509 ret
= xt_register_target(&ebt_standard_target
);
1512 ret
= nf_register_sockopt(&ebt_sockopts
);
1514 xt_unregister_target(&ebt_standard_target
);
1518 printk(KERN_INFO
"Ebtables v2.0 registered\n");
1522 static void __exit
ebtables_fini(void)
1524 nf_unregister_sockopt(&ebt_sockopts
);
1525 xt_unregister_target(&ebt_standard_target
);
1526 printk(KERN_INFO
"Ebtables v2.0 unregistered\n");
1529 EXPORT_SYMBOL(ebt_register_table
);
1530 EXPORT_SYMBOL(ebt_unregister_table
);
1531 EXPORT_SYMBOL(ebt_do_table
);
1532 module_init(ebtables_init
);
1533 module_exit(ebtables_fini
);
1534 MODULE_LICENSE("GPL");