5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex
);
58 static LIST_HEAD(ebt_tables
);
60 static struct xt_target ebt_standard_target
= {
63 .family
= NFPROTO_BRIDGE
,
64 .targetsize
= sizeof(int),
68 ebt_do_watcher(const struct ebt_entry_watcher
*w
, struct sk_buff
*skb
,
69 struct xt_target_param
*par
)
71 par
->target
= w
->u
.watcher
;
72 par
->targinfo
= w
->data
;
73 w
->u
.watcher
->target(skb
, par
);
74 /* watchers don't give a verdict */
78 static inline int ebt_do_match (struct ebt_entry_match
*m
,
79 const struct sk_buff
*skb
, struct xt_match_param
*par
)
81 par
->match
= m
->u
.match
;
82 par
->matchinfo
= m
->data
;
83 return m
->u
.match
->match(skb
, par
);
86 static inline int ebt_dev_check(char *entry
, const struct net_device
*device
)
89 const char *devname
= device
->name
;
95 /* 1 is the wildcard token */
96 while (entry
[i
] != '\0' && entry
[i
] != 1 && entry
[i
] == devname
[i
])
98 return (devname
[i
] != entry
[i
] && entry
[i
] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry
*e
, struct ethhdr
*h
,
104 const struct net_device
*in
, const struct net_device
*out
)
108 if (e
->bitmask
& EBT_802_3
) {
109 if (FWINV2(ntohs(h
->h_proto
) >= 1536, EBT_IPROTO
))
111 } else if (!(e
->bitmask
& EBT_NOPROTO
) &&
112 FWINV2(e
->ethproto
!= h
->h_proto
, EBT_IPROTO
))
115 if (FWINV2(ebt_dev_check(e
->in
, in
), EBT_IIN
))
117 if (FWINV2(ebt_dev_check(e
->out
, out
), EBT_IOUT
))
119 if ((!in
|| !in
->br_port
) ? 0 : FWINV2(ebt_dev_check(
120 e
->logical_in
, in
->br_port
->br
->dev
), EBT_ILOGICALIN
))
122 if ((!out
|| !out
->br_port
) ? 0 : FWINV2(ebt_dev_check(
123 e
->logical_out
, out
->br_port
->br
->dev
), EBT_ILOGICALOUT
))
126 if (e
->bitmask
& EBT_SOURCEMAC
) {
128 for (i
= 0; i
< 6; i
++)
129 verdict
|= (h
->h_source
[i
] ^ e
->sourcemac
[i
]) &
131 if (FWINV2(verdict
!= 0, EBT_ISOURCE
) )
134 if (e
->bitmask
& EBT_DESTMAC
) {
136 for (i
= 0; i
< 6; i
++)
137 verdict
|= (h
->h_dest
[i
] ^ e
->destmac
[i
]) &
139 if (FWINV2(verdict
!= 0, EBT_IDEST
) )
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook
, struct sk_buff
*skb
,
147 const struct net_device
*in
, const struct net_device
*out
,
148 struct ebt_table
*table
)
151 struct ebt_entry
*point
;
152 struct ebt_counter
*counter_base
, *cb_base
;
153 struct ebt_entry_target
*t
;
155 struct ebt_chainstack
*cs
;
156 struct ebt_entries
*chaininfo
;
158 struct ebt_table_info
*private;
159 bool hotdrop
= false;
160 struct xt_match_param mtpar
;
161 struct xt_target_param tgpar
;
163 mtpar
.in
= tgpar
.in
= in
;
164 mtpar
.out
= tgpar
.out
= out
;
165 mtpar
.hotdrop
= &hotdrop
;
166 tgpar
.hooknum
= hook
;
168 read_lock_bh(&table
->lock
);
169 private = table
->private;
170 cb_base
= COUNTER_BASE(private->counters
, private->nentries
,
172 if (private->chainstack
)
173 cs
= private->chainstack
[smp_processor_id()];
176 chaininfo
= private->hook_entry
[hook
];
177 nentries
= private->hook_entry
[hook
]->nentries
;
178 point
= (struct ebt_entry
*)(private->hook_entry
[hook
]->data
);
179 counter_base
= cb_base
+ private->hook_entry
[hook
]->counter_offset
;
180 /* base for chain jumps */
181 base
= private->entries
;
183 while (i
< nentries
) {
184 if (ebt_basic_match(point
, eth_hdr(skb
), in
, out
))
187 if (EBT_MATCH_ITERATE(point
, ebt_do_match
, skb
, &mtpar
) != 0)
190 read_unlock_bh(&table
->lock
);
194 /* increase counter */
195 (*(counter_base
+ i
)).pcnt
++;
196 (*(counter_base
+ i
)).bcnt
+= skb
->len
;
198 /* these should only watch: not modify, nor tell us
199 what to do with the packet */
200 EBT_WATCHER_ITERATE(point
, ebt_do_watcher
, skb
, &tgpar
);
202 t
= (struct ebt_entry_target
*)
203 (((char *)point
) + point
->target_offset
);
204 /* standard target */
205 if (!t
->u
.target
->target
)
206 verdict
= ((struct ebt_standard_target
*)t
)->verdict
;
208 tgpar
.target
= t
->u
.target
;
209 tgpar
.targinfo
= t
->data
;
210 verdict
= t
->u
.target
->target(skb
, &tgpar
);
212 if (verdict
== EBT_ACCEPT
) {
213 read_unlock_bh(&table
->lock
);
216 if (verdict
== EBT_DROP
) {
217 read_unlock_bh(&table
->lock
);
220 if (verdict
== EBT_RETURN
) {
222 #ifdef CONFIG_NETFILTER_DEBUG
224 BUGPRINT("RETURN on base chain");
225 /* act like this is EBT_CONTINUE */
230 /* put all the local variables right */
232 chaininfo
= cs
[sp
].chaininfo
;
233 nentries
= chaininfo
->nentries
;
235 counter_base
= cb_base
+
236 chaininfo
->counter_offset
;
239 if (verdict
== EBT_CONTINUE
)
241 #ifdef CONFIG_NETFILTER_DEBUG
243 BUGPRINT("bogus standard verdict\n");
244 read_unlock_bh(&table
->lock
);
250 cs
[sp
].chaininfo
= chaininfo
;
251 cs
[sp
].e
= (struct ebt_entry
*)
252 (((char *)point
) + point
->next_offset
);
254 chaininfo
= (struct ebt_entries
*) (base
+ verdict
);
255 #ifdef CONFIG_NETFILTER_DEBUG
256 if (chaininfo
->distinguisher
) {
257 BUGPRINT("jump to non-chain\n");
258 read_unlock_bh(&table
->lock
);
262 nentries
= chaininfo
->nentries
;
263 point
= (struct ebt_entry
*)chaininfo
->data
;
264 counter_base
= cb_base
+ chaininfo
->counter_offset
;
268 point
= (struct ebt_entry
*)
269 (((char *)point
) + point
->next_offset
);
273 /* I actually like this :) */
274 if (chaininfo
->policy
== EBT_RETURN
)
276 if (chaininfo
->policy
== EBT_ACCEPT
) {
277 read_unlock_bh(&table
->lock
);
280 read_unlock_bh(&table
->lock
);
284 /* If it succeeds, returns element and locks mutex */
286 find_inlist_lock_noload(struct list_head
*head
, const char *name
, int *error
,
290 struct list_head list
;
291 char name
[EBT_FUNCTION_MAXNAMELEN
];
294 *error
= mutex_lock_interruptible(mutex
);
298 list_for_each_entry(e
, head
, list
) {
299 if (strcmp(e
->name
, name
) == 0)
308 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
311 find_inlist_lock(struct list_head
*head
, const char *name
, const char *prefix
,
312 int *error
, struct mutex
*mutex
)
316 ret
= find_inlist_lock_noload(head
, name
, error
, mutex
);
318 request_module("%s%s", prefix
, name
);
319 ret
= find_inlist_lock_noload(head
, name
, error
, mutex
);
325 static inline struct ebt_table
*
326 find_table_lock(const char *name
, int *error
, struct mutex
*mutex
)
328 return find_inlist_lock(&ebt_tables
, name
, "ebtable_", error
, mutex
);
332 ebt_check_match(struct ebt_entry_match
*m
, struct xt_mtchk_param
*par
,
335 const struct ebt_entry
*e
= par
->entryinfo
;
336 struct xt_match
*match
;
337 size_t left
= ((char *)e
+ e
->watchers_offset
) - (char *)m
;
340 if (left
< sizeof(struct ebt_entry_match
) ||
341 left
- sizeof(struct ebt_entry_match
) < m
->match_size
)
344 match
= try_then_request_module(xt_find_match(NFPROTO_BRIDGE
,
345 m
->u
.name
, 0), "ebt_%s", m
->u
.name
);
347 return PTR_ERR(match
);
353 par
->matchinfo
= m
->data
;
354 ret
= xt_check_match(par
, NFPROTO_BRIDGE
, m
->match_size
,
355 e
->ethproto
, e
->invflags
& EBT_IPROTO
);
357 module_put(match
->me
);
366 ebt_check_watcher(struct ebt_entry_watcher
*w
, struct ebt_entry
*e
,
367 const char *name
, unsigned int hookmask
, unsigned int *cnt
)
369 struct xt_target
*watcher
;
370 size_t left
= ((char *)e
+ e
->target_offset
) - (char *)w
;
373 if (left
< sizeof(struct ebt_entry_watcher
) ||
374 left
- sizeof(struct ebt_entry_watcher
) < w
->watcher_size
)
377 watcher
= try_then_request_module(
378 xt_find_target(NFPROTO_BRIDGE
, w
->u
.name
, 0),
379 "ebt_%s", w
->u
.name
);
381 return PTR_ERR(watcher
);
384 w
->u
.watcher
= watcher
;
386 ret
= xt_check_target(watcher
, NFPROTO_BRIDGE
, w
->watcher_size
,
387 name
, hookmask
, e
->ethproto
, e
->invflags
& EBT_IPROTO
,
390 module_put(watcher
->me
);
398 static int ebt_verify_pointers(struct ebt_replace
*repl
,
399 struct ebt_table_info
*newinfo
)
401 unsigned int limit
= repl
->entries_size
;
402 unsigned int valid_hooks
= repl
->valid_hooks
;
403 unsigned int offset
= 0;
406 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++)
407 newinfo
->hook_entry
[i
] = NULL
;
409 newinfo
->entries_size
= repl
->entries_size
;
410 newinfo
->nentries
= repl
->nentries
;
412 while (offset
< limit
) {
413 size_t left
= limit
- offset
;
414 struct ebt_entry
*e
= (void *)newinfo
->entries
+ offset
;
416 if (left
< sizeof(unsigned int))
419 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
420 if ((valid_hooks
& (1 << i
)) == 0)
422 if ((char __user
*)repl
->hook_entry
[i
] ==
423 repl
->entries
+ offset
)
427 if (i
!= NF_BR_NUMHOOKS
|| !(e
->bitmask
& EBT_ENTRY_OR_ENTRIES
)) {
428 if (e
->bitmask
!= 0) {
429 /* we make userspace set this right,
430 so there is no misunderstanding */
431 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
432 "in distinguisher\n");
435 if (i
!= NF_BR_NUMHOOKS
)
436 newinfo
->hook_entry
[i
] = (struct ebt_entries
*)e
;
437 if (left
< sizeof(struct ebt_entries
))
439 offset
+= sizeof(struct ebt_entries
);
441 if (left
< sizeof(struct ebt_entry
))
443 if (left
< e
->next_offset
)
445 offset
+= e
->next_offset
;
448 if (offset
!= limit
) {
449 BUGPRINT("entries_size too small\n");
453 /* check if all valid hooks have a chain */
454 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
455 if (!newinfo
->hook_entry
[i
] &&
456 (valid_hooks
& (1 << i
))) {
457 BUGPRINT("Valid hook without chain\n");
465 * this one is very careful, as it is the first function
466 * to parse the userspace data
469 ebt_check_entry_size_and_hooks(struct ebt_entry
*e
,
470 struct ebt_table_info
*newinfo
,
471 unsigned int *n
, unsigned int *cnt
,
472 unsigned int *totalcnt
, unsigned int *udc_cnt
)
476 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
477 if ((void *)e
== (void *)newinfo
->hook_entry
[i
])
480 /* beginning of a new chain
481 if i == NF_BR_NUMHOOKS it must be a user defined chain */
482 if (i
!= NF_BR_NUMHOOKS
|| !e
->bitmask
) {
483 /* this checks if the previous chain has as many entries
486 BUGPRINT("nentries does not equal the nr of entries "
490 if (((struct ebt_entries
*)e
)->policy
!= EBT_DROP
&&
491 ((struct ebt_entries
*)e
)->policy
!= EBT_ACCEPT
) {
492 /* only RETURN from udc */
493 if (i
!= NF_BR_NUMHOOKS
||
494 ((struct ebt_entries
*)e
)->policy
!= EBT_RETURN
) {
495 BUGPRINT("bad policy\n");
499 if (i
== NF_BR_NUMHOOKS
) /* it's a user defined chain */
501 if (((struct ebt_entries
*)e
)->counter_offset
!= *totalcnt
) {
502 BUGPRINT("counter_offset != totalcnt");
505 *n
= ((struct ebt_entries
*)e
)->nentries
;
509 /* a plain old entry, heh */
510 if (sizeof(struct ebt_entry
) > e
->watchers_offset
||
511 e
->watchers_offset
> e
->target_offset
||
512 e
->target_offset
>= e
->next_offset
) {
513 BUGPRINT("entry offsets not in right order\n");
516 /* this is not checked anywhere else */
517 if (e
->next_offset
- e
->target_offset
< sizeof(struct ebt_entry_target
)) {
518 BUGPRINT("target size too small\n");
528 struct ebt_chainstack cs
;
530 unsigned int hookmask
;
534 * we need these positions to check that the jumps to a different part of the
535 * entries is a jump to the beginning of a new chain.
538 ebt_get_udc_positions(struct ebt_entry
*e
, struct ebt_table_info
*newinfo
,
539 unsigned int *n
, struct ebt_cl_stack
*udc
)
543 /* we're only interested in chain starts */
546 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
547 if (newinfo
->hook_entry
[i
] == (struct ebt_entries
*)e
)
550 /* only care about udc */
551 if (i
!= NF_BR_NUMHOOKS
)
554 udc
[*n
].cs
.chaininfo
= (struct ebt_entries
*)e
;
555 /* these initialisations are depended on later in check_chainloops() */
557 udc
[*n
].hookmask
= 0;
564 ebt_cleanup_match(struct ebt_entry_match
*m
, unsigned int *i
)
566 struct xt_mtdtor_param par
;
568 if (i
&& (*i
)-- == 0)
571 par
.match
= m
->u
.match
;
572 par
.matchinfo
= m
->data
;
573 if (par
.match
->destroy
!= NULL
)
574 par
.match
->destroy(&par
);
575 module_put(par
.match
->me
);
580 ebt_cleanup_watcher(struct ebt_entry_watcher
*w
, unsigned int *i
)
582 if (i
&& (*i
)-- == 0)
584 if (w
->u
.watcher
->destroy
)
585 w
->u
.watcher
->destroy(w
->u
.watcher
, w
->data
);
586 module_put(w
->u
.watcher
->me
);
592 ebt_cleanup_entry(struct ebt_entry
*e
, unsigned int *cnt
)
594 struct ebt_entry_target
*t
;
599 if (cnt
&& (*cnt
)-- == 0)
601 EBT_WATCHER_ITERATE(e
, ebt_cleanup_watcher
, NULL
);
602 EBT_MATCH_ITERATE(e
, ebt_cleanup_match
, NULL
);
603 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
604 if (t
->u
.target
->destroy
)
605 t
->u
.target
->destroy(t
->u
.target
, t
->data
);
606 module_put(t
->u
.target
->me
);
612 ebt_check_entry(struct ebt_entry
*e
, struct ebt_table_info
*newinfo
,
613 const char *name
, unsigned int *cnt
,
614 struct ebt_cl_stack
*cl_s
, unsigned int udc_cnt
)
616 struct ebt_entry_target
*t
;
617 struct xt_target
*target
;
618 unsigned int i
, j
, hook
= 0, hookmask
= 0;
621 struct xt_mtchk_param mtpar
;
623 /* don't mess with the struct ebt_entries */
627 if (e
->bitmask
& ~EBT_F_MASK
) {
628 BUGPRINT("Unknown flag for bitmask\n");
631 if (e
->invflags
& ~EBT_INV_MASK
) {
632 BUGPRINT("Unknown flag for inv bitmask\n");
635 if ( (e
->bitmask
& EBT_NOPROTO
) && (e
->bitmask
& EBT_802_3
) ) {
636 BUGPRINT("NOPROTO & 802_3 not allowed\n");
639 /* what hook do we belong to? */
640 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
641 if (!newinfo
->hook_entry
[i
])
643 if ((char *)newinfo
->hook_entry
[i
] < (char *)e
)
648 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
650 if (i
< NF_BR_NUMHOOKS
)
651 hookmask
= (1 << hook
) | (1 << NF_BR_NUMHOOKS
);
653 for (i
= 0; i
< udc_cnt
; i
++)
654 if ((char *)(cl_s
[i
].cs
.chaininfo
) > (char *)e
)
657 hookmask
= (1 << hook
) | (1 << NF_BR_NUMHOOKS
);
659 hookmask
= cl_s
[i
- 1].hookmask
;
665 mtpar
.hook_mask
= hookmask
;
666 ret
= EBT_MATCH_ITERATE(e
, ebt_check_match
, &mtpar
, &i
);
668 goto cleanup_matches
;
670 ret
= EBT_WATCHER_ITERATE(e
, ebt_check_watcher
, e
, name
, hookmask
, &j
);
672 goto cleanup_watchers
;
673 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
674 gap
= e
->next_offset
- e
->target_offset
;
676 target
= try_then_request_module(
677 xt_find_target(NFPROTO_BRIDGE
, t
->u
.name
, 0),
678 "ebt_%s", t
->u
.name
);
679 if (IS_ERR(target
)) {
680 ret
= PTR_ERR(target
);
681 goto cleanup_watchers
;
682 } else if (target
== NULL
) {
684 goto cleanup_watchers
;
687 t
->u
.target
= target
;
688 if (t
->u
.target
== &ebt_standard_target
) {
689 if (gap
< sizeof(struct ebt_standard_target
)) {
690 BUGPRINT("Standard target size too big\n");
692 goto cleanup_watchers
;
694 if (((struct ebt_standard_target
*)t
)->verdict
<
695 -NUM_STANDARD_TARGETS
) {
696 BUGPRINT("Invalid standard target\n");
698 goto cleanup_watchers
;
700 } else if (t
->target_size
> gap
- sizeof(struct ebt_entry_target
)) {
701 module_put(t
->u
.target
->me
);
703 goto cleanup_watchers
;
706 ret
= xt_check_target(target
, NFPROTO_BRIDGE
, t
->target_size
,
707 name
, hookmask
, e
->ethproto
, e
->invflags
& EBT_IPROTO
,
710 module_put(target
->me
);
711 goto cleanup_watchers
;
716 EBT_WATCHER_ITERATE(e
, ebt_cleanup_watcher
, &j
);
718 EBT_MATCH_ITERATE(e
, ebt_cleanup_match
, &i
);
723 * checks for loops and sets the hook mask for udc
724 * the hook mask for udc tells us from which base chains the udc can be
725 * accessed. This mask is a parameter to the check() functions of the extensions
727 static int check_chainloops(struct ebt_entries
*chain
, struct ebt_cl_stack
*cl_s
,
728 unsigned int udc_cnt
, unsigned int hooknr
, char *base
)
730 int i
, chain_nr
= -1, pos
= 0, nentries
= chain
->nentries
, verdict
;
731 struct ebt_entry
*e
= (struct ebt_entry
*)chain
->data
;
732 struct ebt_entry_target
*t
;
734 while (pos
< nentries
|| chain_nr
!= -1) {
735 /* end of udc, go back one 'recursion' step */
736 if (pos
== nentries
) {
737 /* put back values of the time when this chain was called */
738 e
= cl_s
[chain_nr
].cs
.e
;
739 if (cl_s
[chain_nr
].from
!= -1)
741 cl_s
[cl_s
[chain_nr
].from
].cs
.chaininfo
->nentries
;
743 nentries
= chain
->nentries
;
744 pos
= cl_s
[chain_nr
].cs
.n
;
745 /* make sure we won't see a loop that isn't one */
746 cl_s
[chain_nr
].cs
.n
= 0;
747 chain_nr
= cl_s
[chain_nr
].from
;
751 t
= (struct ebt_entry_target
*)
752 (((char *)e
) + e
->target_offset
);
753 if (strcmp(t
->u
.name
, EBT_STANDARD_TARGET
))
755 if (e
->target_offset
+ sizeof(struct ebt_standard_target
) >
757 BUGPRINT("Standard target size too big\n");
760 verdict
= ((struct ebt_standard_target
*)t
)->verdict
;
761 if (verdict
>= 0) { /* jump to another chain */
762 struct ebt_entries
*hlp2
=
763 (struct ebt_entries
*)(base
+ verdict
);
764 for (i
= 0; i
< udc_cnt
; i
++)
765 if (hlp2
== cl_s
[i
].cs
.chaininfo
)
767 /* bad destination or loop */
769 BUGPRINT("bad destination\n");
776 if (cl_s
[i
].hookmask
& (1 << hooknr
))
778 /* this can't be 0, so the loop test is correct */
779 cl_s
[i
].cs
.n
= pos
+ 1;
781 cl_s
[i
].cs
.e
= ((void *)e
+ e
->next_offset
);
782 e
= (struct ebt_entry
*)(hlp2
->data
);
783 nentries
= hlp2
->nentries
;
784 cl_s
[i
].from
= chain_nr
;
786 /* this udc is accessible from the base chain for hooknr */
787 cl_s
[i
].hookmask
|= (1 << hooknr
);
791 e
= (void *)e
+ e
->next_offset
;
797 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
798 static int translate_table(char *name
, struct ebt_table_info
*newinfo
)
800 unsigned int i
, j
, k
, udc_cnt
;
802 struct ebt_cl_stack
*cl_s
= NULL
; /* used in the checking for chain loops */
805 while (i
< NF_BR_NUMHOOKS
&& !newinfo
->hook_entry
[i
])
807 if (i
== NF_BR_NUMHOOKS
) {
808 BUGPRINT("No valid hooks specified\n");
811 if (newinfo
->hook_entry
[i
] != (struct ebt_entries
*)newinfo
->entries
) {
812 BUGPRINT("Chains don't start at beginning\n");
815 /* make sure chains are ordered after each other in same order
816 as their corresponding hooks */
817 for (j
= i
+ 1; j
< NF_BR_NUMHOOKS
; j
++) {
818 if (!newinfo
->hook_entry
[j
])
820 if (newinfo
->hook_entry
[j
] <= newinfo
->hook_entry
[i
]) {
821 BUGPRINT("Hook order must be followed\n");
827 /* do some early checkings and initialize some things */
828 i
= 0; /* holds the expected nr. of entries for the chain */
829 j
= 0; /* holds the up to now counted entries for the chain */
830 k
= 0; /* holds the total nr. of entries, should equal
831 newinfo->nentries afterwards */
832 udc_cnt
= 0; /* will hold the nr. of user defined chains (udc) */
833 ret
= EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
834 ebt_check_entry_size_and_hooks
, newinfo
,
835 &i
, &j
, &k
, &udc_cnt
);
841 BUGPRINT("nentries does not equal the nr of entries in the "
845 if (k
!= newinfo
->nentries
) {
846 BUGPRINT("Total nentries is wrong\n");
850 /* get the location of the udc, put them in an array
851 while we're at it, allocate the chainstack */
853 /* this will get free'd in do_replace()/ebt_register_table()
854 if an error occurs */
855 newinfo
->chainstack
=
856 vmalloc(nr_cpu_ids
* sizeof(*(newinfo
->chainstack
)));
857 if (!newinfo
->chainstack
)
859 for_each_possible_cpu(i
) {
860 newinfo
->chainstack
[i
] =
861 vmalloc(udc_cnt
* sizeof(*(newinfo
->chainstack
[0])));
862 if (!newinfo
->chainstack
[i
]) {
864 vfree(newinfo
->chainstack
[--i
]);
865 vfree(newinfo
->chainstack
);
866 newinfo
->chainstack
= NULL
;
871 cl_s
= vmalloc(udc_cnt
* sizeof(*cl_s
));
874 i
= 0; /* the i'th udc */
875 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
876 ebt_get_udc_positions
, newinfo
, &i
, cl_s
);
879 BUGPRINT("i != udc_cnt\n");
885 /* Check for loops */
886 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++)
887 if (newinfo
->hook_entry
[i
])
888 if (check_chainloops(newinfo
->hook_entry
[i
],
889 cl_s
, udc_cnt
, i
, newinfo
->entries
)) {
894 /* we now know the following (along with E=mc²):
895 - the nr of entries in each chain is right
896 - the size of the allocated space is right
897 - all valid hooks have a corresponding chain
899 - wrong data can still be on the level of a single entry
900 - could be there are jumps to places that are not the
901 beginning of a chain. This can only occur in chains that
902 are not accessible from any base chains, so we don't care. */
904 /* used to know what we need to clean up if something goes wrong */
906 ret
= EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
907 ebt_check_entry
, newinfo
, name
, &i
, cl_s
, udc_cnt
);
909 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
910 ebt_cleanup_entry
, &i
);
916 /* called under write_lock */
917 static void get_counters(struct ebt_counter
*oldcounters
,
918 struct ebt_counter
*counters
, unsigned int nentries
)
921 struct ebt_counter
*counter_base
;
923 /* counters of cpu 0 */
924 memcpy(counters
, oldcounters
,
925 sizeof(struct ebt_counter
) * nentries
);
927 /* add other counters to those of cpu 0 */
928 for_each_possible_cpu(cpu
) {
931 counter_base
= COUNTER_BASE(oldcounters
, nentries
, cpu
);
932 for (i
= 0; i
< nentries
; i
++) {
933 counters
[i
].pcnt
+= counter_base
[i
].pcnt
;
934 counters
[i
].bcnt
+= counter_base
[i
].bcnt
;
939 /* replace the table */
940 static int do_replace(void __user
*user
, unsigned int len
)
942 int ret
, i
, countersize
;
943 struct ebt_table_info
*newinfo
;
944 struct ebt_replace tmp
;
946 struct ebt_counter
*counterstmp
= NULL
;
947 /* used to be able to unlock earlier */
948 struct ebt_table_info
*table
;
950 if (copy_from_user(&tmp
, user
, sizeof(tmp
)) != 0)
953 if (len
!= sizeof(tmp
) + tmp
.entries_size
) {
954 BUGPRINT("Wrong len argument\n");
958 if (tmp
.entries_size
== 0) {
959 BUGPRINT("Entries_size never zero\n");
963 if (tmp
.nentries
>= ((INT_MAX
- sizeof(struct ebt_table_info
)) / NR_CPUS
-
964 SMP_CACHE_BYTES
) / sizeof(struct ebt_counter
))
966 if (tmp
.num_counters
>= INT_MAX
/ sizeof(struct ebt_counter
))
969 countersize
= COUNTER_OFFSET(tmp
.nentries
) * nr_cpu_ids
;
970 newinfo
= vmalloc(sizeof(*newinfo
) + countersize
);
975 memset(newinfo
->counters
, 0, countersize
);
977 newinfo
->entries
= vmalloc(tmp
.entries_size
);
978 if (!newinfo
->entries
) {
983 newinfo
->entries
, tmp
.entries
, tmp
.entries_size
) != 0) {
984 BUGPRINT("Couldn't copy entries from userspace\n");
989 /* the user wants counters back
990 the check on the size is done later, when we have the lock */
991 if (tmp
.num_counters
) {
992 counterstmp
= vmalloc(tmp
.num_counters
* sizeof(*counterstmp
));
1001 /* this can get initialized by translate_table() */
1002 newinfo
->chainstack
= NULL
;
1003 ret
= ebt_verify_pointers(&tmp
, newinfo
);
1005 goto free_counterstmp
;
1007 ret
= translate_table(tmp
.name
, newinfo
);
1010 goto free_counterstmp
;
1012 t
= find_table_lock(tmp
.name
, &ret
, &ebt_mutex
);
1018 /* the table doesn't like it */
1019 if (t
->check
&& (ret
= t
->check(newinfo
, tmp
.valid_hooks
)))
1022 if (tmp
.num_counters
&& tmp
.num_counters
!= t
->private->nentries
) {
1023 BUGPRINT("Wrong nr. of counters requested\n");
1028 /* we have the mutex lock, so no danger in reading this pointer */
1030 /* make sure the table can only be rmmod'ed if it contains no rules */
1031 if (!table
->nentries
&& newinfo
->nentries
&& !try_module_get(t
->me
)) {
1034 } else if (table
->nentries
&& !newinfo
->nentries
)
1036 /* we need an atomic snapshot of the counters */
1037 write_lock_bh(&t
->lock
);
1038 if (tmp
.num_counters
)
1039 get_counters(t
->private->counters
, counterstmp
,
1040 t
->private->nentries
);
1042 t
->private = newinfo
;
1043 write_unlock_bh(&t
->lock
);
1044 mutex_unlock(&ebt_mutex
);
1045 /* so, a user can change the chains while having messed up her counter
1046 allocation. Only reason why this is done is because this way the lock
1047 is held only once, while this doesn't bring the kernel into a
1049 if (tmp
.num_counters
&&
1050 copy_to_user(tmp
.counters
, counterstmp
,
1051 tmp
.num_counters
* sizeof(struct ebt_counter
))) {
1052 BUGPRINT("Couldn't copy counters to userspace\n");
1058 /* decrease module count and free resources */
1059 EBT_ENTRY_ITERATE(table
->entries
, table
->entries_size
,
1060 ebt_cleanup_entry
, NULL
);
1062 vfree(table
->entries
);
1063 if (table
->chainstack
) {
1064 for_each_possible_cpu(i
)
1065 vfree(table
->chainstack
[i
]);
1066 vfree(table
->chainstack
);
1074 mutex_unlock(&ebt_mutex
);
1076 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
1077 ebt_cleanup_entry
, NULL
);
1080 /* can be initialized in translate_table() */
1081 if (newinfo
->chainstack
) {
1082 for_each_possible_cpu(i
)
1083 vfree(newinfo
->chainstack
[i
]);
1084 vfree(newinfo
->chainstack
);
1087 vfree(newinfo
->entries
);
1093 int ebt_register_table(struct ebt_table
*table
)
1095 struct ebt_table_info
*newinfo
;
1096 struct ebt_table
*t
;
1097 struct ebt_replace_kernel
*repl
;
1098 int ret
, i
, countersize
;
1101 if (!table
|| !(repl
= table
->table
) || !repl
->entries
||
1102 repl
->entries_size
== 0 ||
1103 repl
->counters
|| table
->private) {
1104 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1108 countersize
= COUNTER_OFFSET(repl
->nentries
) * nr_cpu_ids
;
1109 newinfo
= vmalloc(sizeof(*newinfo
) + countersize
);
1114 p
= vmalloc(repl
->entries_size
);
1118 memcpy(p
, repl
->entries
, repl
->entries_size
);
1119 newinfo
->entries
= p
;
1121 newinfo
->entries_size
= repl
->entries_size
;
1122 newinfo
->nentries
= repl
->nentries
;
1125 memset(newinfo
->counters
, 0, countersize
);
1127 /* fill in newinfo and parse the entries */
1128 newinfo
->chainstack
= NULL
;
1129 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
1130 if ((repl
->valid_hooks
& (1 << i
)) == 0)
1131 newinfo
->hook_entry
[i
] = NULL
;
1133 newinfo
->hook_entry
[i
] = p
+
1134 ((char *)repl
->hook_entry
[i
] - repl
->entries
);
1136 ret
= translate_table(repl
->name
, newinfo
);
1138 BUGPRINT("Translate_table failed\n");
1139 goto free_chainstack
;
1142 if (table
->check
&& table
->check(newinfo
, table
->valid_hooks
)) {
1143 BUGPRINT("The table doesn't like its own initial data, lol\n");
1147 table
->private = newinfo
;
1148 rwlock_init(&table
->lock
);
1149 ret
= mutex_lock_interruptible(&ebt_mutex
);
1151 goto free_chainstack
;
1153 list_for_each_entry(t
, &ebt_tables
, list
) {
1154 if (strcmp(t
->name
, table
->name
) == 0) {
1156 BUGPRINT("Table name already exists\n");
1161 /* Hold a reference count if the chains aren't empty */
1162 if (newinfo
->nentries
&& !try_module_get(table
->me
)) {
1166 list_add(&table
->list
, &ebt_tables
);
1167 mutex_unlock(&ebt_mutex
);
1170 mutex_unlock(&ebt_mutex
);
1172 if (newinfo
->chainstack
) {
1173 for_each_possible_cpu(i
)
1174 vfree(newinfo
->chainstack
[i
]);
1175 vfree(newinfo
->chainstack
);
1177 vfree(newinfo
->entries
);
1183 void ebt_unregister_table(struct ebt_table
*table
)
1188 BUGPRINT("Request to unregister NULL table!!!\n");
1191 mutex_lock(&ebt_mutex
);
1192 list_del(&table
->list
);
1193 mutex_unlock(&ebt_mutex
);
1194 vfree(table
->private->entries
);
1195 if (table
->private->chainstack
) {
1196 for_each_possible_cpu(i
)
1197 vfree(table
->private->chainstack
[i
]);
1198 vfree(table
->private->chainstack
);
1200 vfree(table
->private);
1203 /* userspace just supplied us with counters */
1204 static int update_counters(void __user
*user
, unsigned int len
)
1207 struct ebt_counter
*tmp
;
1208 struct ebt_replace hlp
;
1209 struct ebt_table
*t
;
1211 if (copy_from_user(&hlp
, user
, sizeof(hlp
)))
1214 if (len
!= sizeof(hlp
) + hlp
.num_counters
* sizeof(struct ebt_counter
))
1216 if (hlp
.num_counters
== 0)
1219 if (!(tmp
= vmalloc(hlp
.num_counters
* sizeof(*tmp
)))) {
1220 MEMPRINT("Update_counters && nomemory\n");
1224 t
= find_table_lock(hlp
.name
, &ret
, &ebt_mutex
);
1228 if (hlp
.num_counters
!= t
->private->nentries
) {
1229 BUGPRINT("Wrong nr of counters\n");
1234 if ( copy_from_user(tmp
, hlp
.counters
,
1235 hlp
.num_counters
* sizeof(struct ebt_counter
)) ) {
1236 BUGPRINT("Updata_counters && !cfu\n");
1241 /* we want an atomic add of the counters */
1242 write_lock_bh(&t
->lock
);
1244 /* we add to the counters of the first cpu */
1245 for (i
= 0; i
< hlp
.num_counters
; i
++) {
1246 t
->private->counters
[i
].pcnt
+= tmp
[i
].pcnt
;
1247 t
->private->counters
[i
].bcnt
+= tmp
[i
].bcnt
;
1250 write_unlock_bh(&t
->lock
);
1253 mutex_unlock(&ebt_mutex
);
1259 static inline int ebt_make_matchname(struct ebt_entry_match
*m
,
1260 char *base
, char __user
*ubase
)
1262 char __user
*hlp
= ubase
+ ((char *)m
- base
);
1263 if (copy_to_user(hlp
, m
->u
.match
->name
, EBT_FUNCTION_MAXNAMELEN
))
1268 static inline int ebt_make_watchername(struct ebt_entry_watcher
*w
,
1269 char *base
, char __user
*ubase
)
1271 char __user
*hlp
= ubase
+ ((char *)w
- base
);
1272 if (copy_to_user(hlp
, w
->u
.watcher
->name
, EBT_FUNCTION_MAXNAMELEN
))
1277 static inline int ebt_make_names(struct ebt_entry
*e
, char *base
, char __user
*ubase
)
1281 struct ebt_entry_target
*t
;
1283 if (e
->bitmask
== 0)
1286 hlp
= ubase
+ (((char *)e
+ e
->target_offset
) - base
);
1287 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
1289 ret
= EBT_MATCH_ITERATE(e
, ebt_make_matchname
, base
, ubase
);
1292 ret
= EBT_WATCHER_ITERATE(e
, ebt_make_watchername
, base
, ubase
);
1295 if (copy_to_user(hlp
, t
->u
.target
->name
, EBT_FUNCTION_MAXNAMELEN
))
1300 /* called with ebt_mutex locked */
1301 static int copy_everything_to_user(struct ebt_table
*t
, void __user
*user
,
1304 struct ebt_replace tmp
;
1305 struct ebt_counter
*counterstmp
, *oldcounters
;
1306 unsigned int entries_size
, nentries
;
1309 if (cmd
== EBT_SO_GET_ENTRIES
) {
1310 entries_size
= t
->private->entries_size
;
1311 nentries
= t
->private->nentries
;
1312 entries
= t
->private->entries
;
1313 oldcounters
= t
->private->counters
;
1315 entries_size
= t
->table
->entries_size
;
1316 nentries
= t
->table
->nentries
;
1317 entries
= t
->table
->entries
;
1318 oldcounters
= t
->table
->counters
;
1321 if (copy_from_user(&tmp
, user
, sizeof(tmp
))) {
1322 BUGPRINT("Cfu didn't work\n");
1326 if (*len
!= sizeof(struct ebt_replace
) + entries_size
+
1327 (tmp
.num_counters
? nentries
* sizeof(struct ebt_counter
): 0)) {
1328 BUGPRINT("Wrong size\n");
1332 if (tmp
.nentries
!= nentries
) {
1333 BUGPRINT("Nentries wrong\n");
1337 if (tmp
.entries_size
!= entries_size
) {
1338 BUGPRINT("Wrong size\n");
1342 /* userspace might not need the counters */
1343 if (tmp
.num_counters
) {
1344 if (tmp
.num_counters
!= nentries
) {
1345 BUGPRINT("Num_counters wrong\n");
1348 counterstmp
= vmalloc(nentries
* sizeof(*counterstmp
));
1350 MEMPRINT("Couldn't copy counters, out of memory\n");
1353 write_lock_bh(&t
->lock
);
1354 get_counters(oldcounters
, counterstmp
, nentries
);
1355 write_unlock_bh(&t
->lock
);
1357 if (copy_to_user(tmp
.counters
, counterstmp
,
1358 nentries
* sizeof(struct ebt_counter
))) {
1359 BUGPRINT("Couldn't copy counters to userspace\n");
1366 if (copy_to_user(tmp
.entries
, entries
, entries_size
)) {
1367 BUGPRINT("Couldn't copy entries to userspace\n");
1370 /* set the match/watcher/target names right */
1371 return EBT_ENTRY_ITERATE(entries
, entries_size
,
1372 ebt_make_names
, entries
, tmp
.entries
);
1375 static int do_ebt_set_ctl(struct sock
*sk
,
1376 int cmd
, void __user
*user
, unsigned int len
)
1381 case EBT_SO_SET_ENTRIES
:
1382 ret
= do_replace(user
, len
);
1384 case EBT_SO_SET_COUNTERS
:
1385 ret
= update_counters(user
, len
);
1393 static int do_ebt_get_ctl(struct sock
*sk
, int cmd
, void __user
*user
, int *len
)
1396 struct ebt_replace tmp
;
1397 struct ebt_table
*t
;
1399 if (copy_from_user(&tmp
, user
, sizeof(tmp
)))
1402 t
= find_table_lock(tmp
.name
, &ret
, &ebt_mutex
);
1407 case EBT_SO_GET_INFO
:
1408 case EBT_SO_GET_INIT_INFO
:
1409 if (*len
!= sizeof(struct ebt_replace
)){
1411 mutex_unlock(&ebt_mutex
);
1414 if (cmd
== EBT_SO_GET_INFO
) {
1415 tmp
.nentries
= t
->private->nentries
;
1416 tmp
.entries_size
= t
->private->entries_size
;
1417 tmp
.valid_hooks
= t
->valid_hooks
;
1419 tmp
.nentries
= t
->table
->nentries
;
1420 tmp
.entries_size
= t
->table
->entries_size
;
1421 tmp
.valid_hooks
= t
->table
->valid_hooks
;
1423 mutex_unlock(&ebt_mutex
);
1424 if (copy_to_user(user
, &tmp
, *len
) != 0){
1425 BUGPRINT("c2u Didn't work\n");
1432 case EBT_SO_GET_ENTRIES
:
1433 case EBT_SO_GET_INIT_ENTRIES
:
1434 ret
= copy_everything_to_user(t
, user
, len
, cmd
);
1435 mutex_unlock(&ebt_mutex
);
1439 mutex_unlock(&ebt_mutex
);
1446 static struct nf_sockopt_ops ebt_sockopts
=
1449 .set_optmin
= EBT_BASE_CTL
,
1450 .set_optmax
= EBT_SO_SET_MAX
+ 1,
1451 .set
= do_ebt_set_ctl
,
1452 .get_optmin
= EBT_BASE_CTL
,
1453 .get_optmax
= EBT_SO_GET_MAX
+ 1,
1454 .get
= do_ebt_get_ctl
,
1455 .owner
= THIS_MODULE
,
1458 static int __init
ebtables_init(void)
1462 ret
= xt_register_target(&ebt_standard_target
);
1465 ret
= nf_register_sockopt(&ebt_sockopts
);
1467 xt_unregister_target(&ebt_standard_target
);
1471 printk(KERN_INFO
"Ebtables v2.0 registered\n");
1475 static void __exit
ebtables_fini(void)
1477 nf_unregister_sockopt(&ebt_sockopts
);
1478 xt_unregister_target(&ebt_standard_target
);
1479 printk(KERN_INFO
"Ebtables v2.0 unregistered\n");
1482 EXPORT_SYMBOL(ebt_register_table
);
1483 EXPORT_SYMBOL(ebt_unregister_table
);
1484 EXPORT_SYMBOL(ebt_do_table
);
1485 module_init(ebtables_init
);
1486 module_exit(ebtables_fini
);
1487 MODULE_LICENSE("GPL");