5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <asm/uaccess.h>
28 #include <linux/smp.h>
29 #include <linux/cpumask.h>
31 /* needed for logical [in,out]-dev filtering */
32 #include "../br_private.h"
35 #define ASSERT_READ_LOCK(x)
36 #define ASSERT_WRITE_LOCK(x)
37 #include <linux/netfilter_ipv4/listhelp.h>
40 /* use this for remote debugging
41 * Copyright (C) 1998 by Ori Pomerantz
42 * Print the string to the appropriate tty, the one
43 * the current task uses
45 static void print_string(char *str
)
47 struct tty_struct
*my_tty
;
49 /* The tty for the current task */
50 my_tty
= current
->signal
->tty
;
52 my_tty
->driver
->write(my_tty
, 0, str
, strlen(str
));
53 my_tty
->driver
->write(my_tty
, 0, "\015\012", 2);
57 #define BUGPRINT(args) print_string(args);
59 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
60 "report to author: "format, ## args)
61 /* #define BUGPRINT(format, args...) */
63 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
64 ": out of memory: "format, ## args)
65 /* #define MEMPRINT(format, args...) */
70 * Each cpu has its own set of counters, so there is no need for write_lock in
72 * For reading or updating the counters, the user context needs to
76 /* The size of each set of counters is altered to get cache alignment */
77 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
78 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
79 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
80 COUNTER_OFFSET(n) * cpu))
84 static DECLARE_MUTEX(ebt_mutex
);
85 static LIST_HEAD(ebt_tables
);
86 static LIST_HEAD(ebt_targets
);
87 static LIST_HEAD(ebt_matches
);
88 static LIST_HEAD(ebt_watchers
);
90 static struct ebt_target ebt_standard_target
=
91 { {NULL
, NULL
}, EBT_STANDARD_TARGET
, NULL
, NULL
, NULL
, NULL
};
93 static inline int ebt_do_watcher (struct ebt_entry_watcher
*w
,
94 const struct sk_buff
*skb
, unsigned int hooknr
, const struct net_device
*in
,
95 const struct net_device
*out
)
97 w
->u
.watcher
->watcher(skb
, hooknr
, in
, out
, w
->data
,
99 /* watchers don't give a verdict */
103 static inline int ebt_do_match (struct ebt_entry_match
*m
,
104 const struct sk_buff
*skb
, const struct net_device
*in
,
105 const struct net_device
*out
)
107 return m
->u
.match
->match(skb
, in
, out
, m
->data
,
111 static inline int ebt_dev_check(char *entry
, const struct net_device
*device
)
114 char *devname
= device
->name
;
120 /* 1 is the wildcard token */
121 while (entry
[i
] != '\0' && entry
[i
] != 1 && entry
[i
] == devname
[i
])
123 return (devname
[i
] != entry
[i
] && entry
[i
] != 1);
126 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
127 /* process standard matches */
128 static inline int ebt_basic_match(struct ebt_entry
*e
, struct ethhdr
*h
,
129 const struct net_device
*in
, const struct net_device
*out
)
133 if (e
->bitmask
& EBT_802_3
) {
134 if (FWINV2(ntohs(h
->h_proto
) >= 1536, EBT_IPROTO
))
136 } else if (!(e
->bitmask
& EBT_NOPROTO
) &&
137 FWINV2(e
->ethproto
!= h
->h_proto
, EBT_IPROTO
))
140 if (FWINV2(ebt_dev_check(e
->in
, in
), EBT_IIN
))
142 if (FWINV2(ebt_dev_check(e
->out
, out
), EBT_IOUT
))
144 if ((!in
|| !in
->br_port
) ? 0 : FWINV2(ebt_dev_check(
145 e
->logical_in
, in
->br_port
->br
->dev
), EBT_ILOGICALIN
))
147 if ((!out
|| !out
->br_port
) ? 0 : FWINV2(ebt_dev_check(
148 e
->logical_out
, out
->br_port
->br
->dev
), EBT_ILOGICALOUT
))
151 if (e
->bitmask
& EBT_SOURCEMAC
) {
153 for (i
= 0; i
< 6; i
++)
154 verdict
|= (h
->h_source
[i
] ^ e
->sourcemac
[i
]) &
156 if (FWINV2(verdict
!= 0, EBT_ISOURCE
) )
159 if (e
->bitmask
& EBT_DESTMAC
) {
161 for (i
= 0; i
< 6; i
++)
162 verdict
|= (h
->h_dest
[i
] ^ e
->destmac
[i
]) &
164 if (FWINV2(verdict
!= 0, EBT_IDEST
) )
170 /* Do some firewalling */
171 unsigned int ebt_do_table (unsigned int hook
, struct sk_buff
**pskb
,
172 const struct net_device
*in
, const struct net_device
*out
,
173 struct ebt_table
*table
)
176 struct ebt_entry
*point
;
177 struct ebt_counter
*counter_base
, *cb_base
;
178 struct ebt_entry_target
*t
;
180 struct ebt_chainstack
*cs
;
181 struct ebt_entries
*chaininfo
;
183 struct ebt_table_info
*private;
185 read_lock_bh(&table
->lock
);
186 private = table
->private;
187 cb_base
= COUNTER_BASE(private->counters
, private->nentries
,
189 if (private->chainstack
)
190 cs
= private->chainstack
[smp_processor_id()];
193 chaininfo
= private->hook_entry
[hook
];
194 nentries
= private->hook_entry
[hook
]->nentries
;
195 point
= (struct ebt_entry
*)(private->hook_entry
[hook
]->data
);
196 counter_base
= cb_base
+ private->hook_entry
[hook
]->counter_offset
;
197 /* base for chain jumps */
198 base
= private->entries
;
200 while (i
< nentries
) {
201 if (ebt_basic_match(point
, eth_hdr(*pskb
), in
, out
))
204 if (EBT_MATCH_ITERATE(point
, ebt_do_match
, *pskb
, in
, out
) != 0)
207 /* increase counter */
208 (*(counter_base
+ i
)).pcnt
++;
209 (*(counter_base
+ i
)).bcnt
+=(**pskb
).len
;
211 /* these should only watch: not modify, nor tell us
212 what to do with the packet */
213 EBT_WATCHER_ITERATE(point
, ebt_do_watcher
, *pskb
, hook
, in
,
216 t
= (struct ebt_entry_target
*)
217 (((char *)point
) + point
->target_offset
);
218 /* standard target */
219 if (!t
->u
.target
->target
)
220 verdict
= ((struct ebt_standard_target
*)t
)->verdict
;
222 verdict
= t
->u
.target
->target(pskb
, hook
,
223 in
, out
, t
->data
, t
->target_size
);
224 if (verdict
== EBT_ACCEPT
) {
225 read_unlock_bh(&table
->lock
);
228 if (verdict
== EBT_DROP
) {
229 read_unlock_bh(&table
->lock
);
232 if (verdict
== EBT_RETURN
) {
234 #ifdef CONFIG_NETFILTER_DEBUG
236 BUGPRINT("RETURN on base chain");
237 /* act like this is EBT_CONTINUE */
242 /* put all the local variables right */
244 chaininfo
= cs
[sp
].chaininfo
;
245 nentries
= chaininfo
->nentries
;
247 counter_base
= cb_base
+
248 chaininfo
->counter_offset
;
251 if (verdict
== EBT_CONTINUE
)
253 #ifdef CONFIG_NETFILTER_DEBUG
255 BUGPRINT("bogus standard verdict\n");
256 read_unlock_bh(&table
->lock
);
262 cs
[sp
].chaininfo
= chaininfo
;
263 cs
[sp
].e
= (struct ebt_entry
*)
264 (((char *)point
) + point
->next_offset
);
266 chaininfo
= (struct ebt_entries
*) (base
+ verdict
);
267 #ifdef CONFIG_NETFILTER_DEBUG
268 if (chaininfo
->distinguisher
) {
269 BUGPRINT("jump to non-chain\n");
270 read_unlock_bh(&table
->lock
);
274 nentries
= chaininfo
->nentries
;
275 point
= (struct ebt_entry
*)chaininfo
->data
;
276 counter_base
= cb_base
+ chaininfo
->counter_offset
;
280 point
= (struct ebt_entry
*)
281 (((char *)point
) + point
->next_offset
);
285 /* I actually like this :) */
286 if (chaininfo
->policy
== EBT_RETURN
)
288 if (chaininfo
->policy
== EBT_ACCEPT
) {
289 read_unlock_bh(&table
->lock
);
292 read_unlock_bh(&table
->lock
);
296 /* If it succeeds, returns element and locks mutex */
298 find_inlist_lock_noload(struct list_head
*head
, const char *name
, int *error
,
299 struct semaphore
*mutex
)
303 *error
= down_interruptible(mutex
);
307 ret
= list_named_find(head
, name
);
316 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
319 find_inlist_lock(struct list_head
*head
, const char *name
, const char *prefix
,
320 int *error
, struct semaphore
*mutex
)
324 ret
= find_inlist_lock_noload(head
, name
, error
, mutex
);
326 request_module("%s%s", prefix
, name
);
327 ret
= find_inlist_lock_noload(head
, name
, error
, mutex
);
333 static inline struct ebt_table
*
334 find_table_lock(const char *name
, int *error
, struct semaphore
*mutex
)
336 return find_inlist_lock(&ebt_tables
, name
, "ebtable_", error
, mutex
);
339 static inline struct ebt_match
*
340 find_match_lock(const char *name
, int *error
, struct semaphore
*mutex
)
342 return find_inlist_lock(&ebt_matches
, name
, "ebt_", error
, mutex
);
345 static inline struct ebt_watcher
*
346 find_watcher_lock(const char *name
, int *error
, struct semaphore
*mutex
)
348 return find_inlist_lock(&ebt_watchers
, name
, "ebt_", error
, mutex
);
351 static inline struct ebt_target
*
352 find_target_lock(const char *name
, int *error
, struct semaphore
*mutex
)
354 return find_inlist_lock(&ebt_targets
, name
, "ebt_", error
, mutex
);
358 ebt_check_match(struct ebt_entry_match
*m
, struct ebt_entry
*e
,
359 const char *name
, unsigned int hookmask
, unsigned int *cnt
)
361 struct ebt_match
*match
;
364 if (((char *)m
) + m
->match_size
+ sizeof(struct ebt_entry_match
) >
365 ((char *)e
) + e
->watchers_offset
)
367 match
= find_match_lock(m
->u
.name
, &ret
, &ebt_mutex
);
371 if (!try_module_get(match
->me
)) {
377 match
->check(name
, hookmask
, e
, m
->data
, m
->match_size
) != 0) {
378 BUGPRINT("match->check failed\n");
379 module_put(match
->me
);
387 ebt_check_watcher(struct ebt_entry_watcher
*w
, struct ebt_entry
*e
,
388 const char *name
, unsigned int hookmask
, unsigned int *cnt
)
390 struct ebt_watcher
*watcher
;
393 if (((char *)w
) + w
->watcher_size
+ sizeof(struct ebt_entry_watcher
) >
394 ((char *)e
) + e
->target_offset
)
396 watcher
= find_watcher_lock(w
->u
.name
, &ret
, &ebt_mutex
);
399 w
->u
.watcher
= watcher
;
400 if (!try_module_get(watcher
->me
)) {
405 if (watcher
->check
&&
406 watcher
->check(name
, hookmask
, e
, w
->data
, w
->watcher_size
) != 0) {
407 BUGPRINT("watcher->check failed\n");
408 module_put(watcher
->me
);
416 * this one is very careful, as it is the first function
417 * to parse the userspace data
420 ebt_check_entry_size_and_hooks(struct ebt_entry
*e
,
421 struct ebt_table_info
*newinfo
, char *base
, char *limit
,
422 struct ebt_entries
**hook_entries
, unsigned int *n
, unsigned int *cnt
,
423 unsigned int *totalcnt
, unsigned int *udc_cnt
, unsigned int valid_hooks
)
425 unsigned int offset
= (char *)e
- newinfo
->entries
;
426 size_t left
= (limit
- base
) - offset
;
429 if (left
< sizeof(unsigned int))
432 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
433 if ((valid_hooks
& (1 << i
)) == 0)
435 if ((char *)hook_entries
[i
] == base
+ offset
)
438 /* beginning of a new chain
439 if i == NF_BR_NUMHOOKS it must be a user defined chain */
440 if (i
!= NF_BR_NUMHOOKS
|| !(e
->bitmask
& EBT_ENTRY_OR_ENTRIES
)) {
441 if (e
->bitmask
!= 0) {
442 /* we make userspace set this right,
443 so there is no misunderstanding */
444 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
445 "in distinguisher\n");
448 /* this checks if the previous chain has as many entries
451 BUGPRINT("nentries does not equal the nr of entries "
455 /* before we look at the struct, be sure it is not too big */
456 if (left
< sizeof(struct ebt_entries
))
458 if (((struct ebt_entries
*)e
)->policy
!= EBT_DROP
&&
459 ((struct ebt_entries
*)e
)->policy
!= EBT_ACCEPT
) {
460 /* only RETURN from udc */
461 if (i
!= NF_BR_NUMHOOKS
||
462 ((struct ebt_entries
*)e
)->policy
!= EBT_RETURN
) {
463 BUGPRINT("bad policy\n");
467 if (i
== NF_BR_NUMHOOKS
) /* it's a user defined chain */
470 newinfo
->hook_entry
[i
] = (struct ebt_entries
*)e
;
471 if (((struct ebt_entries
*)e
)->counter_offset
!= *totalcnt
) {
472 BUGPRINT("counter_offset != totalcnt");
475 *n
= ((struct ebt_entries
*)e
)->nentries
;
479 /* a plain old entry, heh */
480 if (left
< sizeof(struct ebt_entry
))
482 if (sizeof(struct ebt_entry
) > e
->watchers_offset
||
483 e
->watchers_offset
> e
->target_offset
||
484 e
->target_offset
>= e
->next_offset
) {
485 BUGPRINT("entry offsets not in right order\n");
488 /* this is not checked anywhere else */
489 if (e
->next_offset
- e
->target_offset
< sizeof(struct ebt_entry_target
)) {
490 BUGPRINT("target size too small\n");
493 if (left
< e
->next_offset
)
501 BUGPRINT("entries_size too small\n");
507 struct ebt_chainstack cs
;
509 unsigned int hookmask
;
513 * we need these positions to check that the jumps to a different part of the
514 * entries is a jump to the beginning of a new chain.
517 ebt_get_udc_positions(struct ebt_entry
*e
, struct ebt_table_info
*newinfo
,
518 struct ebt_entries
**hook_entries
, unsigned int *n
, unsigned int valid_hooks
,
519 struct ebt_cl_stack
*udc
)
523 /* we're only interested in chain starts */
526 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
527 if ((valid_hooks
& (1 << i
)) == 0)
529 if (newinfo
->hook_entry
[i
] == (struct ebt_entries
*)e
)
532 /* only care about udc */
533 if (i
!= NF_BR_NUMHOOKS
)
536 udc
[*n
].cs
.chaininfo
= (struct ebt_entries
*)e
;
537 /* these initialisations are depended on later in check_chainloops() */
539 udc
[*n
].hookmask
= 0;
546 ebt_cleanup_match(struct ebt_entry_match
*m
, unsigned int *i
)
548 if (i
&& (*i
)-- == 0)
550 if (m
->u
.match
->destroy
)
551 m
->u
.match
->destroy(m
->data
, m
->match_size
);
552 module_put(m
->u
.match
->me
);
558 ebt_cleanup_watcher(struct ebt_entry_watcher
*w
, unsigned int *i
)
560 if (i
&& (*i
)-- == 0)
562 if (w
->u
.watcher
->destroy
)
563 w
->u
.watcher
->destroy(w
->data
, w
->watcher_size
);
564 module_put(w
->u
.watcher
->me
);
570 ebt_cleanup_entry(struct ebt_entry
*e
, unsigned int *cnt
)
572 struct ebt_entry_target
*t
;
577 if (cnt
&& (*cnt
)-- == 0)
579 EBT_WATCHER_ITERATE(e
, ebt_cleanup_watcher
, NULL
);
580 EBT_MATCH_ITERATE(e
, ebt_cleanup_match
, NULL
);
581 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
582 if (t
->u
.target
->destroy
)
583 t
->u
.target
->destroy(t
->data
, t
->target_size
);
584 module_put(t
->u
.target
->me
);
590 ebt_check_entry(struct ebt_entry
*e
, struct ebt_table_info
*newinfo
,
591 const char *name
, unsigned int *cnt
, unsigned int valid_hooks
,
592 struct ebt_cl_stack
*cl_s
, unsigned int udc_cnt
)
594 struct ebt_entry_target
*t
;
595 struct ebt_target
*target
;
596 unsigned int i
, j
, hook
= 0, hookmask
= 0;
599 /* don't mess with the struct ebt_entries */
603 if (e
->bitmask
& ~EBT_F_MASK
) {
604 BUGPRINT("Unknown flag for bitmask\n");
607 if (e
->invflags
& ~EBT_INV_MASK
) {
608 BUGPRINT("Unknown flag for inv bitmask\n");
611 if ( (e
->bitmask
& EBT_NOPROTO
) && (e
->bitmask
& EBT_802_3
) ) {
612 BUGPRINT("NOPROTO & 802_3 not allowed\n");
615 /* what hook do we belong to? */
616 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
617 if ((valid_hooks
& (1 << i
)) == 0)
619 if ((char *)newinfo
->hook_entry
[i
] < (char *)e
)
624 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
626 if (i
< NF_BR_NUMHOOKS
)
627 hookmask
= (1 << hook
) | (1 << NF_BR_NUMHOOKS
);
629 for (i
= 0; i
< udc_cnt
; i
++)
630 if ((char *)(cl_s
[i
].cs
.chaininfo
) > (char *)e
)
633 hookmask
= (1 << hook
) | (1 << NF_BR_NUMHOOKS
);
635 hookmask
= cl_s
[i
- 1].hookmask
;
638 ret
= EBT_MATCH_ITERATE(e
, ebt_check_match
, e
, name
, hookmask
, &i
);
640 goto cleanup_matches
;
642 ret
= EBT_WATCHER_ITERATE(e
, ebt_check_watcher
, e
, name
, hookmask
, &j
);
644 goto cleanup_watchers
;
645 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
646 target
= find_target_lock(t
->u
.name
, &ret
, &ebt_mutex
);
648 goto cleanup_watchers
;
649 if (!try_module_get(target
->me
)) {
652 goto cleanup_watchers
;
656 t
->u
.target
= target
;
657 if (t
->u
.target
== &ebt_standard_target
) {
658 if (e
->target_offset
+ sizeof(struct ebt_standard_target
) >
660 BUGPRINT("Standard target size too big\n");
662 goto cleanup_watchers
;
664 if (((struct ebt_standard_target
*)t
)->verdict
<
665 -NUM_STANDARD_TARGETS
) {
666 BUGPRINT("Invalid standard target\n");
668 goto cleanup_watchers
;
670 } else if ((e
->target_offset
+ t
->target_size
+
671 sizeof(struct ebt_entry_target
) > e
->next_offset
) ||
672 (t
->u
.target
->check
&&
673 t
->u
.target
->check(name
, hookmask
, e
, t
->data
, t
->target_size
) != 0)){
674 module_put(t
->u
.target
->me
);
676 goto cleanup_watchers
;
681 EBT_WATCHER_ITERATE(e
, ebt_cleanup_watcher
, &j
);
683 EBT_MATCH_ITERATE(e
, ebt_cleanup_match
, &i
);
688 * checks for loops and sets the hook mask for udc
689 * the hook mask for udc tells us from which base chains the udc can be
690 * accessed. This mask is a parameter to the check() functions of the extensions
692 static int check_chainloops(struct ebt_entries
*chain
, struct ebt_cl_stack
*cl_s
,
693 unsigned int udc_cnt
, unsigned int hooknr
, char *base
)
695 int i
, chain_nr
= -1, pos
= 0, nentries
= chain
->nentries
, verdict
;
696 struct ebt_entry
*e
= (struct ebt_entry
*)chain
->data
;
697 struct ebt_entry_target
*t
;
699 while (pos
< nentries
|| chain_nr
!= -1) {
700 /* end of udc, go back one 'recursion' step */
701 if (pos
== nentries
) {
702 /* put back values of the time when this chain was called */
703 e
= cl_s
[chain_nr
].cs
.e
;
704 if (cl_s
[chain_nr
].from
!= -1)
706 cl_s
[cl_s
[chain_nr
].from
].cs
.chaininfo
->nentries
;
708 nentries
= chain
->nentries
;
709 pos
= cl_s
[chain_nr
].cs
.n
;
710 /* make sure we won't see a loop that isn't one */
711 cl_s
[chain_nr
].cs
.n
= 0;
712 chain_nr
= cl_s
[chain_nr
].from
;
716 t
= (struct ebt_entry_target
*)
717 (((char *)e
) + e
->target_offset
);
718 if (strcmp(t
->u
.name
, EBT_STANDARD_TARGET
))
720 if (e
->target_offset
+ sizeof(struct ebt_standard_target
) >
722 BUGPRINT("Standard target size too big\n");
725 verdict
= ((struct ebt_standard_target
*)t
)->verdict
;
726 if (verdict
>= 0) { /* jump to another chain */
727 struct ebt_entries
*hlp2
=
728 (struct ebt_entries
*)(base
+ verdict
);
729 for (i
= 0; i
< udc_cnt
; i
++)
730 if (hlp2
== cl_s
[i
].cs
.chaininfo
)
732 /* bad destination or loop */
734 BUGPRINT("bad destination\n");
741 /* this can't be 0, so the above test is correct */
742 cl_s
[i
].cs
.n
= pos
+ 1;
744 cl_s
[i
].cs
.e
= ((void *)e
+ e
->next_offset
);
745 e
= (struct ebt_entry
*)(hlp2
->data
);
746 nentries
= hlp2
->nentries
;
747 cl_s
[i
].from
= chain_nr
;
749 /* this udc is accessible from the base chain for hooknr */
750 cl_s
[i
].hookmask
|= (1 << hooknr
);
754 e
= (void *)e
+ e
->next_offset
;
760 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
761 static int translate_table(struct ebt_replace
*repl
,
762 struct ebt_table_info
*newinfo
)
764 unsigned int i
, j
, k
, udc_cnt
;
766 struct ebt_cl_stack
*cl_s
= NULL
; /* used in the checking for chain loops */
769 while (i
< NF_BR_NUMHOOKS
&& !(repl
->valid_hooks
& (1 << i
)))
771 if (i
== NF_BR_NUMHOOKS
) {
772 BUGPRINT("No valid hooks specified\n");
775 if (repl
->hook_entry
[i
] != (struct ebt_entries
*)repl
->entries
) {
776 BUGPRINT("Chains don't start at beginning\n");
779 /* make sure chains are ordered after each other in same order
780 as their corresponding hooks */
781 for (j
= i
+ 1; j
< NF_BR_NUMHOOKS
; j
++) {
782 if (!(repl
->valid_hooks
& (1 << j
)))
784 if ( repl
->hook_entry
[j
] <= repl
->hook_entry
[i
] ) {
785 BUGPRINT("Hook order must be followed\n");
791 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++)
792 newinfo
->hook_entry
[i
] = NULL
;
794 newinfo
->entries_size
= repl
->entries_size
;
795 newinfo
->nentries
= repl
->nentries
;
797 /* do some early checkings and initialize some things */
798 i
= 0; /* holds the expected nr. of entries for the chain */
799 j
= 0; /* holds the up to now counted entries for the chain */
800 k
= 0; /* holds the total nr. of entries, should equal
801 newinfo->nentries afterwards */
802 udc_cnt
= 0; /* will hold the nr. of user defined chains (udc) */
803 ret
= EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
804 ebt_check_entry_size_and_hooks
, newinfo
, repl
->entries
,
805 repl
->entries
+ repl
->entries_size
, repl
->hook_entry
, &i
, &j
, &k
,
806 &udc_cnt
, repl
->valid_hooks
);
812 BUGPRINT("nentries does not equal the nr of entries in the "
816 if (k
!= newinfo
->nentries
) {
817 BUGPRINT("Total nentries is wrong\n");
821 /* check if all valid hooks have a chain */
822 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
823 if (newinfo
->hook_entry
[i
] == NULL
&&
824 (repl
->valid_hooks
& (1 << i
))) {
825 BUGPRINT("Valid hook without chain\n");
830 /* get the location of the udc, put them in an array
831 while we're at it, allocate the chainstack */
833 /* this will get free'd in do_replace()/ebt_register_table()
834 if an error occurs */
835 newinfo
->chainstack
= (struct ebt_chainstack
**)
836 vmalloc((highest_possible_processor_id()+1)
837 * sizeof(struct ebt_chainstack
));
838 if (!newinfo
->chainstack
)
841 newinfo
->chainstack
[i
] =
842 vmalloc(udc_cnt
* sizeof(struct ebt_chainstack
));
843 if (!newinfo
->chainstack
[i
]) {
845 vfree(newinfo
->chainstack
[--i
]);
846 vfree(newinfo
->chainstack
);
847 newinfo
->chainstack
= NULL
;
852 cl_s
= (struct ebt_cl_stack
*)
853 vmalloc(udc_cnt
* sizeof(struct ebt_cl_stack
));
856 i
= 0; /* the i'th udc */
857 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
858 ebt_get_udc_positions
, newinfo
, repl
->hook_entry
, &i
,
859 repl
->valid_hooks
, cl_s
);
862 BUGPRINT("i != udc_cnt\n");
868 /* Check for loops */
869 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++)
870 if (repl
->valid_hooks
& (1 << i
))
871 if (check_chainloops(newinfo
->hook_entry
[i
],
872 cl_s
, udc_cnt
, i
, newinfo
->entries
)) {
877 /* we now know the following (along with E=mc²):
878 - the nr of entries in each chain is right
879 - the size of the allocated space is right
880 - all valid hooks have a corresponding chain
882 - wrong data can still be on the level of a single entry
883 - could be there are jumps to places that are not the
884 beginning of a chain. This can only occur in chains that
885 are not accessible from any base chains, so we don't care. */
887 /* used to know what we need to clean up if something goes wrong */
889 ret
= EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
890 ebt_check_entry
, newinfo
, repl
->name
, &i
, repl
->valid_hooks
,
893 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
894 ebt_cleanup_entry
, &i
);
900 /* called under write_lock */
901 static void get_counters(struct ebt_counter
*oldcounters
,
902 struct ebt_counter
*counters
, unsigned int nentries
)
905 struct ebt_counter
*counter_base
;
907 /* counters of cpu 0 */
908 memcpy(counters
, oldcounters
,
909 sizeof(struct ebt_counter
) * nentries
);
911 /* add other counters to those of cpu 0 */
915 counter_base
= COUNTER_BASE(oldcounters
, nentries
, cpu
);
916 for (i
= 0; i
< nentries
; i
++) {
917 counters
[i
].pcnt
+= counter_base
[i
].pcnt
;
918 counters
[i
].bcnt
+= counter_base
[i
].bcnt
;
923 /* replace the table */
924 static int do_replace(void __user
*user
, unsigned int len
)
926 int ret
, i
, countersize
;
927 struct ebt_table_info
*newinfo
;
928 struct ebt_replace tmp
;
930 struct ebt_counter
*counterstmp
= NULL
;
931 /* used to be able to unlock earlier */
932 struct ebt_table_info
*table
;
934 if (copy_from_user(&tmp
, user
, sizeof(tmp
)) != 0)
937 if (len
!= sizeof(tmp
) + tmp
.entries_size
) {
938 BUGPRINT("Wrong len argument\n");
942 if (tmp
.entries_size
== 0) {
943 BUGPRINT("Entries_size never zero\n");
947 if (tmp
.nentries
>= ((INT_MAX
- sizeof(struct ebt_table_info
)) / NR_CPUS
-
948 SMP_CACHE_BYTES
) / sizeof(struct ebt_counter
))
950 if (tmp
.num_counters
>= INT_MAX
/ sizeof(struct ebt_counter
))
953 countersize
= COUNTER_OFFSET(tmp
.nentries
) *
954 (highest_possible_processor_id()+1);
955 newinfo
= (struct ebt_table_info
*)
956 vmalloc(sizeof(struct ebt_table_info
) + countersize
);
961 memset(newinfo
->counters
, 0, countersize
);
963 newinfo
->entries
= vmalloc(tmp
.entries_size
);
964 if (!newinfo
->entries
) {
969 newinfo
->entries
, tmp
.entries
, tmp
.entries_size
) != 0) {
970 BUGPRINT("Couldn't copy entries from userspace\n");
975 /* the user wants counters back
976 the check on the size is done later, when we have the lock */
977 if (tmp
.num_counters
) {
978 counterstmp
= (struct ebt_counter
*)
979 vmalloc(tmp
.num_counters
* sizeof(struct ebt_counter
));
988 /* this can get initialized by translate_table() */
989 newinfo
->chainstack
= NULL
;
990 ret
= translate_table(&tmp
, newinfo
);
993 goto free_counterstmp
;
995 t
= find_table_lock(tmp
.name
, &ret
, &ebt_mutex
);
1001 /* the table doesn't like it */
1002 if (t
->check
&& (ret
= t
->check(newinfo
, tmp
.valid_hooks
)))
1005 if (tmp
.num_counters
&& tmp
.num_counters
!= t
->private->nentries
) {
1006 BUGPRINT("Wrong nr. of counters requested\n");
1011 /* we have the mutex lock, so no danger in reading this pointer */
1013 /* make sure the table can only be rmmod'ed if it contains no rules */
1014 if (!table
->nentries
&& newinfo
->nentries
&& !try_module_get(t
->me
)) {
1017 } else if (table
->nentries
&& !newinfo
->nentries
)
1019 /* we need an atomic snapshot of the counters */
1020 write_lock_bh(&t
->lock
);
1021 if (tmp
.num_counters
)
1022 get_counters(t
->private->counters
, counterstmp
,
1023 t
->private->nentries
);
1025 t
->private = newinfo
;
1026 write_unlock_bh(&t
->lock
);
1028 /* so, a user can change the chains while having messed up her counter
1029 allocation. Only reason why this is done is because this way the lock
1030 is held only once, while this doesn't bring the kernel into a
1032 if (tmp
.num_counters
&&
1033 copy_to_user(tmp
.counters
, counterstmp
,
1034 tmp
.num_counters
* sizeof(struct ebt_counter
))) {
1035 BUGPRINT("Couldn't copy counters to userspace\n");
1041 /* decrease module count and free resources */
1042 EBT_ENTRY_ITERATE(table
->entries
, table
->entries_size
,
1043 ebt_cleanup_entry
, NULL
);
1045 vfree(table
->entries
);
1046 if (table
->chainstack
) {
1048 vfree(table
->chainstack
[i
]);
1049 vfree(table
->chainstack
);
1059 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
1060 ebt_cleanup_entry
, NULL
);
1063 /* can be initialized in translate_table() */
1064 if (newinfo
->chainstack
) {
1066 vfree(newinfo
->chainstack
[i
]);
1067 vfree(newinfo
->chainstack
);
1070 vfree(newinfo
->entries
);
1076 int ebt_register_target(struct ebt_target
*target
)
1080 ret
= down_interruptible(&ebt_mutex
);
1083 if (!list_named_insert(&ebt_targets
, target
)) {
1092 void ebt_unregister_target(struct ebt_target
*target
)
1095 LIST_DELETE(&ebt_targets
, target
);
1099 int ebt_register_match(struct ebt_match
*match
)
1103 ret
= down_interruptible(&ebt_mutex
);
1106 if (!list_named_insert(&ebt_matches
, match
)) {
1115 void ebt_unregister_match(struct ebt_match
*match
)
1118 LIST_DELETE(&ebt_matches
, match
);
1122 int ebt_register_watcher(struct ebt_watcher
*watcher
)
1126 ret
= down_interruptible(&ebt_mutex
);
1129 if (!list_named_insert(&ebt_watchers
, watcher
)) {
1138 void ebt_unregister_watcher(struct ebt_watcher
*watcher
)
1141 LIST_DELETE(&ebt_watchers
, watcher
);
1145 int ebt_register_table(struct ebt_table
*table
)
1147 struct ebt_table_info
*newinfo
;
1148 int ret
, i
, countersize
;
1150 if (!table
|| !table
->table
||!table
->table
->entries
||
1151 table
->table
->entries_size
== 0 ||
1152 table
->table
->counters
|| table
->private) {
1153 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1157 countersize
= COUNTER_OFFSET(table
->table
->nentries
) *
1158 (highest_possible_processor_id()+1);
1159 newinfo
= (struct ebt_table_info
*)
1160 vmalloc(sizeof(struct ebt_table_info
) + countersize
);
1165 newinfo
->entries
= vmalloc(table
->table
->entries_size
);
1166 if (!(newinfo
->entries
))
1169 memcpy(newinfo
->entries
, table
->table
->entries
,
1170 table
->table
->entries_size
);
1173 memset(newinfo
->counters
, 0, countersize
);
1175 /* fill in newinfo and parse the entries */
1176 newinfo
->chainstack
= NULL
;
1177 ret
= translate_table(table
->table
, newinfo
);
1179 BUGPRINT("Translate_table failed\n");
1180 goto free_chainstack
;
1183 if (table
->check
&& table
->check(newinfo
, table
->valid_hooks
)) {
1184 BUGPRINT("The table doesn't like its own initial data, lol\n");
1188 table
->private = newinfo
;
1189 rwlock_init(&table
->lock
);
1190 ret
= down_interruptible(&ebt_mutex
);
1192 goto free_chainstack
;
1194 if (list_named_find(&ebt_tables
, table
->name
)) {
1196 BUGPRINT("Table name already exists\n");
1200 /* Hold a reference count if the chains aren't empty */
1201 if (newinfo
->nentries
&& !try_module_get(table
->me
)) {
1205 list_prepend(&ebt_tables
, table
);
1211 if (newinfo
->chainstack
) {
1213 vfree(newinfo
->chainstack
[i
]);
1214 vfree(newinfo
->chainstack
);
1216 vfree(newinfo
->entries
);
1222 void ebt_unregister_table(struct ebt_table
*table
)
1227 BUGPRINT("Request to unregister NULL table!!!\n");
1231 LIST_DELETE(&ebt_tables
, table
);
1233 vfree(table
->private->entries
);
1234 if (table
->private->chainstack
) {
1236 vfree(table
->private->chainstack
[i
]);
1237 vfree(table
->private->chainstack
);
1239 vfree(table
->private);
1242 /* userspace just supplied us with counters */
1243 static int update_counters(void __user
*user
, unsigned int len
)
1246 struct ebt_counter
*tmp
;
1247 struct ebt_replace hlp
;
1248 struct ebt_table
*t
;
1250 if (copy_from_user(&hlp
, user
, sizeof(hlp
)))
1253 if (len
!= sizeof(hlp
) + hlp
.num_counters
* sizeof(struct ebt_counter
))
1255 if (hlp
.num_counters
== 0)
1258 if ( !(tmp
= (struct ebt_counter
*)
1259 vmalloc(hlp
.num_counters
* sizeof(struct ebt_counter
))) ){
1260 MEMPRINT("Update_counters && nomemory\n");
1264 t
= find_table_lock(hlp
.name
, &ret
, &ebt_mutex
);
1268 if (hlp
.num_counters
!= t
->private->nentries
) {
1269 BUGPRINT("Wrong nr of counters\n");
1274 if ( copy_from_user(tmp
, hlp
.counters
,
1275 hlp
.num_counters
* sizeof(struct ebt_counter
)) ) {
1276 BUGPRINT("Updata_counters && !cfu\n");
1281 /* we want an atomic add of the counters */
1282 write_lock_bh(&t
->lock
);
1284 /* we add to the counters of the first cpu */
1285 for (i
= 0; i
< hlp
.num_counters
; i
++) {
1286 t
->private->counters
[i
].pcnt
+= tmp
[i
].pcnt
;
1287 t
->private->counters
[i
].bcnt
+= tmp
[i
].bcnt
;
1290 write_unlock_bh(&t
->lock
);
1299 static inline int ebt_make_matchname(struct ebt_entry_match
*m
,
1300 char *base
, char *ubase
)
1302 char *hlp
= ubase
- base
+ (char *)m
;
1303 if (copy_to_user(hlp
, m
->u
.match
->name
, EBT_FUNCTION_MAXNAMELEN
))
1308 static inline int ebt_make_watchername(struct ebt_entry_watcher
*w
,
1309 char *base
, char *ubase
)
1311 char *hlp
= ubase
- base
+ (char *)w
;
1312 if (copy_to_user(hlp
, w
->u
.watcher
->name
, EBT_FUNCTION_MAXNAMELEN
))
1317 static inline int ebt_make_names(struct ebt_entry
*e
, char *base
, char *ubase
)
1321 struct ebt_entry_target
*t
;
1323 if (e
->bitmask
== 0)
1326 hlp
= ubase
- base
+ (char *)e
+ e
->target_offset
;
1327 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
1329 ret
= EBT_MATCH_ITERATE(e
, ebt_make_matchname
, base
, ubase
);
1332 ret
= EBT_WATCHER_ITERATE(e
, ebt_make_watchername
, base
, ubase
);
1335 if (copy_to_user(hlp
, t
->u
.target
->name
, EBT_FUNCTION_MAXNAMELEN
))
1340 /* called with ebt_mutex down */
1341 static int copy_everything_to_user(struct ebt_table
*t
, void __user
*user
,
1344 struct ebt_replace tmp
;
1345 struct ebt_counter
*counterstmp
, *oldcounters
;
1346 unsigned int entries_size
, nentries
;
1349 if (cmd
== EBT_SO_GET_ENTRIES
) {
1350 entries_size
= t
->private->entries_size
;
1351 nentries
= t
->private->nentries
;
1352 entries
= t
->private->entries
;
1353 oldcounters
= t
->private->counters
;
1355 entries_size
= t
->table
->entries_size
;
1356 nentries
= t
->table
->nentries
;
1357 entries
= t
->table
->entries
;
1358 oldcounters
= t
->table
->counters
;
1361 if (copy_from_user(&tmp
, user
, sizeof(tmp
))) {
1362 BUGPRINT("Cfu didn't work\n");
1366 if (*len
!= sizeof(struct ebt_replace
) + entries_size
+
1367 (tmp
.num_counters
? nentries
* sizeof(struct ebt_counter
): 0)) {
1368 BUGPRINT("Wrong size\n");
1372 if (tmp
.nentries
!= nentries
) {
1373 BUGPRINT("Nentries wrong\n");
1377 if (tmp
.entries_size
!= entries_size
) {
1378 BUGPRINT("Wrong size\n");
1382 /* userspace might not need the counters */
1383 if (tmp
.num_counters
) {
1384 if (tmp
.num_counters
!= nentries
) {
1385 BUGPRINT("Num_counters wrong\n");
1388 counterstmp
= (struct ebt_counter
*)
1389 vmalloc(nentries
* sizeof(struct ebt_counter
));
1391 MEMPRINT("Couldn't copy counters, out of memory\n");
1394 write_lock_bh(&t
->lock
);
1395 get_counters(oldcounters
, counterstmp
, nentries
);
1396 write_unlock_bh(&t
->lock
);
1398 if (copy_to_user(tmp
.counters
, counterstmp
,
1399 nentries
* sizeof(struct ebt_counter
))) {
1400 BUGPRINT("Couldn't copy counters to userspace\n");
1407 if (copy_to_user(tmp
.entries
, entries
, entries_size
)) {
1408 BUGPRINT("Couldn't copy entries to userspace\n");
1411 /* set the match/watcher/target names right */
1412 return EBT_ENTRY_ITERATE(entries
, entries_size
,
1413 ebt_make_names
, entries
, tmp
.entries
);
1416 static int do_ebt_set_ctl(struct sock
*sk
,
1417 int cmd
, void __user
*user
, unsigned int len
)
1422 case EBT_SO_SET_ENTRIES
:
1423 ret
= do_replace(user
, len
);
1425 case EBT_SO_SET_COUNTERS
:
1426 ret
= update_counters(user
, len
);
1434 static int do_ebt_get_ctl(struct sock
*sk
, int cmd
, void __user
*user
, int *len
)
1437 struct ebt_replace tmp
;
1438 struct ebt_table
*t
;
1440 if (copy_from_user(&tmp
, user
, sizeof(tmp
)))
1443 t
= find_table_lock(tmp
.name
, &ret
, &ebt_mutex
);
1448 case EBT_SO_GET_INFO
:
1449 case EBT_SO_GET_INIT_INFO
:
1450 if (*len
!= sizeof(struct ebt_replace
)){
1455 if (cmd
== EBT_SO_GET_INFO
) {
1456 tmp
.nentries
= t
->private->nentries
;
1457 tmp
.entries_size
= t
->private->entries_size
;
1458 tmp
.valid_hooks
= t
->valid_hooks
;
1460 tmp
.nentries
= t
->table
->nentries
;
1461 tmp
.entries_size
= t
->table
->entries_size
;
1462 tmp
.valid_hooks
= t
->table
->valid_hooks
;
1465 if (copy_to_user(user
, &tmp
, *len
) != 0){
1466 BUGPRINT("c2u Didn't work\n");
1473 case EBT_SO_GET_ENTRIES
:
1474 case EBT_SO_GET_INIT_ENTRIES
:
1475 ret
= copy_everything_to_user(t
, user
, len
, cmd
);
1487 static struct nf_sockopt_ops ebt_sockopts
=
1488 { { NULL
, NULL
}, PF_INET
, EBT_BASE_CTL
, EBT_SO_SET_MAX
+ 1, do_ebt_set_ctl
,
1489 EBT_BASE_CTL
, EBT_SO_GET_MAX
+ 1, do_ebt_get_ctl
, 0, NULL
1492 static int __init
init(void)
1497 list_named_insert(&ebt_targets
, &ebt_standard_target
);
1499 if ((ret
= nf_register_sockopt(&ebt_sockopts
)) < 0)
1502 printk(KERN_NOTICE
"Ebtables v2.0 registered\n");
1506 static void __exit
fini(void)
1508 nf_unregister_sockopt(&ebt_sockopts
);
1509 printk(KERN_NOTICE
"Ebtables v2.0 unregistered\n");
1512 EXPORT_SYMBOL(ebt_register_table
);
1513 EXPORT_SYMBOL(ebt_unregister_table
);
1514 EXPORT_SYMBOL(ebt_register_match
);
1515 EXPORT_SYMBOL(ebt_unregister_match
);
1516 EXPORT_SYMBOL(ebt_register_watcher
);
1517 EXPORT_SYMBOL(ebt_unregister_watcher
);
1518 EXPORT_SYMBOL(ebt_register_target
);
1519 EXPORT_SYMBOL(ebt_unregister_target
);
1520 EXPORT_SYMBOL(ebt_do_table
);
1523 MODULE_LICENSE("GPL");