Linux 2.6.19-rc6
[cris-mirror.git] / net / bridge / netfilter / ebtables.c
blob9f85666f29f75dd322c6672f7e72b8433fbc52d2
1 /*
2 * ebtables
4 * Author:
5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <linux/mutex.h>
28 #include <asm/uaccess.h>
29 #include <linux/smp.h>
30 #include <linux/cpumask.h>
31 #include <net/sock.h>
32 /* needed for logical [in,out]-dev filtering */
33 #include "../br_private.h"
35 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
36 "report to author: "format, ## args)
37 /* #define BUGPRINT(format, args...) */
38 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
39 ": out of memory: "format, ## args)
40 /* #define MEMPRINT(format, args...) */
45 * Each cpu has its own set of counters, so there is no need for write_lock in
46 * the softirq
47 * For reading or updating the counters, the user context needs to
48 * get a write_lock
51 /* The size of each set of counters is altered to get cache alignment */
52 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
53 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
54 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
55 COUNTER_OFFSET(n) * cpu))
59 static DEFINE_MUTEX(ebt_mutex);
60 static LIST_HEAD(ebt_tables);
61 static LIST_HEAD(ebt_targets);
62 static LIST_HEAD(ebt_matches);
63 static LIST_HEAD(ebt_watchers);
65 static struct ebt_target ebt_standard_target =
66 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
68 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
69 const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
70 const struct net_device *out)
72 w->u.watcher->watcher(skb, hooknr, in, out, w->data,
73 w->watcher_size);
74 /* watchers don't give a verdict */
75 return 0;
78 static inline int ebt_do_match (struct ebt_entry_match *m,
79 const struct sk_buff *skb, const struct net_device *in,
80 const struct net_device *out)
82 return m->u.match->match(skb, in, out, m->data,
83 m->match_size);
86 static inline int ebt_dev_check(char *entry, const struct net_device *device)
88 int i = 0;
89 const char *devname = device->name;
91 if (*entry == '\0')
92 return 0;
93 if (!device)
94 return 1;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
97 i++;
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
106 int verdict, i;
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
110 return 1;
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
113 return 1;
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
116 return 1;
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
118 return 1;
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
121 return 1;
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
124 return 1;
126 if (e->bitmask & EBT_SOURCEMAC) {
127 verdict = 0;
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
130 e->sourcemsk[i];
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
132 return 1;
134 if (e->bitmask & EBT_DESTMAC) {
135 verdict = 0;
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
138 e->destmsk[i];
139 if (FWINV2(verdict != 0, EBT_IDEST) )
140 return 1;
142 return 0;
145 /* Do some firewalling */
146 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
147 const struct net_device *in, const struct net_device *out,
148 struct ebt_table *table)
150 int i, nentries;
151 struct ebt_entry *point;
152 struct ebt_counter *counter_base, *cb_base;
153 struct ebt_entry_target *t;
154 int verdict, sp = 0;
155 struct ebt_chainstack *cs;
156 struct ebt_entries *chaininfo;
157 char *base;
158 struct ebt_table_info *private;
160 read_lock_bh(&table->lock);
161 private = table->private;
162 cb_base = COUNTER_BASE(private->counters, private->nentries,
163 smp_processor_id());
164 if (private->chainstack)
165 cs = private->chainstack[smp_processor_id()];
166 else
167 cs = NULL;
168 chaininfo = private->hook_entry[hook];
169 nentries = private->hook_entry[hook]->nentries;
170 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
171 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
172 /* base for chain jumps */
173 base = private->entries;
174 i = 0;
175 while (i < nentries) {
176 if (ebt_basic_match(point, eth_hdr(*pskb), in, out))
177 goto letscontinue;
179 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
180 goto letscontinue;
182 /* increase counter */
183 (*(counter_base + i)).pcnt++;
184 (*(counter_base + i)).bcnt+=(**pskb).len;
186 /* these should only watch: not modify, nor tell us
187 what to do with the packet */
188 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, hook, in,
189 out);
191 t = (struct ebt_entry_target *)
192 (((char *)point) + point->target_offset);
193 /* standard target */
194 if (!t->u.target->target)
195 verdict = ((struct ebt_standard_target *)t)->verdict;
196 else
197 verdict = t->u.target->target(pskb, hook,
198 in, out, t->data, t->target_size);
199 if (verdict == EBT_ACCEPT) {
200 read_unlock_bh(&table->lock);
201 return NF_ACCEPT;
203 if (verdict == EBT_DROP) {
204 read_unlock_bh(&table->lock);
205 return NF_DROP;
207 if (verdict == EBT_RETURN) {
208 letsreturn:
209 #ifdef CONFIG_NETFILTER_DEBUG
210 if (sp == 0) {
211 BUGPRINT("RETURN on base chain");
212 /* act like this is EBT_CONTINUE */
213 goto letscontinue;
215 #endif
216 sp--;
217 /* put all the local variables right */
218 i = cs[sp].n;
219 chaininfo = cs[sp].chaininfo;
220 nentries = chaininfo->nentries;
221 point = cs[sp].e;
222 counter_base = cb_base +
223 chaininfo->counter_offset;
224 continue;
226 if (verdict == EBT_CONTINUE)
227 goto letscontinue;
228 #ifdef CONFIG_NETFILTER_DEBUG
229 if (verdict < 0) {
230 BUGPRINT("bogus standard verdict\n");
231 read_unlock_bh(&table->lock);
232 return NF_DROP;
234 #endif
235 /* jump to a udc */
236 cs[sp].n = i + 1;
237 cs[sp].chaininfo = chaininfo;
238 cs[sp].e = (struct ebt_entry *)
239 (((char *)point) + point->next_offset);
240 i = 0;
241 chaininfo = (struct ebt_entries *) (base + verdict);
242 #ifdef CONFIG_NETFILTER_DEBUG
243 if (chaininfo->distinguisher) {
244 BUGPRINT("jump to non-chain\n");
245 read_unlock_bh(&table->lock);
246 return NF_DROP;
248 #endif
249 nentries = chaininfo->nentries;
250 point = (struct ebt_entry *)chaininfo->data;
251 counter_base = cb_base + chaininfo->counter_offset;
252 sp++;
253 continue;
254 letscontinue:
255 point = (struct ebt_entry *)
256 (((char *)point) + point->next_offset);
257 i++;
260 /* I actually like this :) */
261 if (chaininfo->policy == EBT_RETURN)
262 goto letsreturn;
263 if (chaininfo->policy == EBT_ACCEPT) {
264 read_unlock_bh(&table->lock);
265 return NF_ACCEPT;
267 read_unlock_bh(&table->lock);
268 return NF_DROP;
271 /* If it succeeds, returns element and locks mutex */
272 static inline void *
273 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
274 struct mutex *mutex)
276 struct {
277 struct list_head list;
278 char name[EBT_FUNCTION_MAXNAMELEN];
279 } *e;
281 *error = mutex_lock_interruptible(mutex);
282 if (*error != 0)
283 return NULL;
285 list_for_each_entry(e, head, list) {
286 if (strcmp(e->name, name) == 0)
287 return e;
289 *error = -ENOENT;
290 mutex_unlock(mutex);
291 return NULL;
294 #ifndef CONFIG_KMOD
295 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
296 #else
297 static void *
298 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
299 int *error, struct mutex *mutex)
301 void *ret;
303 ret = find_inlist_lock_noload(head, name, error, mutex);
304 if (!ret) {
305 request_module("%s%s", prefix, name);
306 ret = find_inlist_lock_noload(head, name, error, mutex);
308 return ret;
310 #endif
312 static inline struct ebt_table *
313 find_table_lock(const char *name, int *error, struct mutex *mutex)
315 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
318 static inline struct ebt_match *
319 find_match_lock(const char *name, int *error, struct mutex *mutex)
321 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
324 static inline struct ebt_watcher *
325 find_watcher_lock(const char *name, int *error, struct mutex *mutex)
327 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
330 static inline struct ebt_target *
331 find_target_lock(const char *name, int *error, struct mutex *mutex)
333 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
336 static inline int
337 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
338 const char *name, unsigned int hookmask, unsigned int *cnt)
340 struct ebt_match *match;
341 int ret;
343 if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
344 ((char *)e) + e->watchers_offset)
345 return -EINVAL;
346 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
347 if (!match)
348 return ret;
349 m->u.match = match;
350 if (!try_module_get(match->me)) {
351 mutex_unlock(&ebt_mutex);
352 return -ENOENT;
354 mutex_unlock(&ebt_mutex);
355 if (match->check &&
356 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
357 BUGPRINT("match->check failed\n");
358 module_put(match->me);
359 return -EINVAL;
361 (*cnt)++;
362 return 0;
365 static inline int
366 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
367 const char *name, unsigned int hookmask, unsigned int *cnt)
369 struct ebt_watcher *watcher;
370 int ret;
372 if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
373 ((char *)e) + e->target_offset)
374 return -EINVAL;
375 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
376 if (!watcher)
377 return ret;
378 w->u.watcher = watcher;
379 if (!try_module_get(watcher->me)) {
380 mutex_unlock(&ebt_mutex);
381 return -ENOENT;
383 mutex_unlock(&ebt_mutex);
384 if (watcher->check &&
385 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
386 BUGPRINT("watcher->check failed\n");
387 module_put(watcher->me);
388 return -EINVAL;
390 (*cnt)++;
391 return 0;
395 * this one is very careful, as it is the first function
396 * to parse the userspace data
398 static inline int
399 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
400 struct ebt_table_info *newinfo, char *base, char *limit,
401 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
402 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
404 int i;
406 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
407 if ((valid_hooks & (1 << i)) == 0)
408 continue;
409 if ( (char *)hook_entries[i] - base ==
410 (char *)e - newinfo->entries)
411 break;
413 /* beginning of a new chain
414 if i == NF_BR_NUMHOOKS it must be a user defined chain */
415 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
416 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) != 0) {
417 /* we make userspace set this right,
418 so there is no misunderstanding */
419 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
420 "in distinguisher\n");
421 return -EINVAL;
423 /* this checks if the previous chain has as many entries
424 as it said it has */
425 if (*n != *cnt) {
426 BUGPRINT("nentries does not equal the nr of entries "
427 "in the chain\n");
428 return -EINVAL;
430 /* before we look at the struct, be sure it is not too big */
431 if ((char *)hook_entries[i] + sizeof(struct ebt_entries)
432 > limit) {
433 BUGPRINT("entries_size too small\n");
434 return -EINVAL;
436 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
437 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
438 /* only RETURN from udc */
439 if (i != NF_BR_NUMHOOKS ||
440 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
441 BUGPRINT("bad policy\n");
442 return -EINVAL;
445 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
446 (*udc_cnt)++;
447 else
448 newinfo->hook_entry[i] = (struct ebt_entries *)e;
449 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
450 BUGPRINT("counter_offset != totalcnt");
451 return -EINVAL;
453 *n = ((struct ebt_entries *)e)->nentries;
454 *cnt = 0;
455 return 0;
457 /* a plain old entry, heh */
458 if (sizeof(struct ebt_entry) > e->watchers_offset ||
459 e->watchers_offset > e->target_offset ||
460 e->target_offset >= e->next_offset) {
461 BUGPRINT("entry offsets not in right order\n");
462 return -EINVAL;
464 /* this is not checked anywhere else */
465 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
466 BUGPRINT("target size too small\n");
467 return -EINVAL;
470 (*cnt)++;
471 (*totalcnt)++;
472 return 0;
475 struct ebt_cl_stack
477 struct ebt_chainstack cs;
478 int from;
479 unsigned int hookmask;
483 * we need these positions to check that the jumps to a different part of the
484 * entries is a jump to the beginning of a new chain.
486 static inline int
487 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
488 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
489 struct ebt_cl_stack *udc)
491 int i;
493 /* we're only interested in chain starts */
494 if (e->bitmask & EBT_ENTRY_OR_ENTRIES)
495 return 0;
496 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
497 if ((valid_hooks & (1 << i)) == 0)
498 continue;
499 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
500 break;
502 /* only care about udc */
503 if (i != NF_BR_NUMHOOKS)
504 return 0;
506 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
507 /* these initialisations are depended on later in check_chainloops() */
508 udc[*n].cs.n = 0;
509 udc[*n].hookmask = 0;
511 (*n)++;
512 return 0;
515 static inline int
516 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
518 if (i && (*i)-- == 0)
519 return 1;
520 if (m->u.match->destroy)
521 m->u.match->destroy(m->data, m->match_size);
522 module_put(m->u.match->me);
524 return 0;
527 static inline int
528 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
530 if (i && (*i)-- == 0)
531 return 1;
532 if (w->u.watcher->destroy)
533 w->u.watcher->destroy(w->data, w->watcher_size);
534 module_put(w->u.watcher->me);
536 return 0;
539 static inline int
540 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
542 struct ebt_entry_target *t;
544 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
545 return 0;
546 /* we're done */
547 if (cnt && (*cnt)-- == 0)
548 return 1;
549 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
550 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
551 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
552 if (t->u.target->destroy)
553 t->u.target->destroy(t->data, t->target_size);
554 module_put(t->u.target->me);
556 return 0;
559 static inline int
560 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
561 const char *name, unsigned int *cnt, unsigned int valid_hooks,
562 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
564 struct ebt_entry_target *t;
565 struct ebt_target *target;
566 unsigned int i, j, hook = 0, hookmask = 0;
567 int ret;
569 /* don't mess with the struct ebt_entries */
570 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
571 return 0;
573 if (e->bitmask & ~EBT_F_MASK) {
574 BUGPRINT("Unknown flag for bitmask\n");
575 return -EINVAL;
577 if (e->invflags & ~EBT_INV_MASK) {
578 BUGPRINT("Unknown flag for inv bitmask\n");
579 return -EINVAL;
581 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
582 BUGPRINT("NOPROTO & 802_3 not allowed\n");
583 return -EINVAL;
585 /* what hook do we belong to? */
586 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
587 if ((valid_hooks & (1 << i)) == 0)
588 continue;
589 if ((char *)newinfo->hook_entry[i] < (char *)e)
590 hook = i;
591 else
592 break;
594 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
595 a base chain */
596 if (i < NF_BR_NUMHOOKS)
597 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
598 else {
599 for (i = 0; i < udc_cnt; i++)
600 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
601 break;
602 if (i == 0)
603 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
604 else
605 hookmask = cl_s[i - 1].hookmask;
607 i = 0;
608 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
609 if (ret != 0)
610 goto cleanup_matches;
611 j = 0;
612 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
613 if (ret != 0)
614 goto cleanup_watchers;
615 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
616 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
617 if (!target)
618 goto cleanup_watchers;
619 if (!try_module_get(target->me)) {
620 mutex_unlock(&ebt_mutex);
621 ret = -ENOENT;
622 goto cleanup_watchers;
624 mutex_unlock(&ebt_mutex);
626 t->u.target = target;
627 if (t->u.target == &ebt_standard_target) {
628 if (e->target_offset + sizeof(struct ebt_standard_target) >
629 e->next_offset) {
630 BUGPRINT("Standard target size too big\n");
631 ret = -EFAULT;
632 goto cleanup_watchers;
634 if (((struct ebt_standard_target *)t)->verdict <
635 -NUM_STANDARD_TARGETS) {
636 BUGPRINT("Invalid standard target\n");
637 ret = -EFAULT;
638 goto cleanup_watchers;
640 } else if ((e->target_offset + t->target_size +
641 sizeof(struct ebt_entry_target) > e->next_offset) ||
642 (t->u.target->check &&
643 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
644 module_put(t->u.target->me);
645 ret = -EFAULT;
646 goto cleanup_watchers;
648 (*cnt)++;
649 return 0;
650 cleanup_watchers:
651 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
652 cleanup_matches:
653 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
654 return ret;
658 * checks for loops and sets the hook mask for udc
659 * the hook mask for udc tells us from which base chains the udc can be
660 * accessed. This mask is a parameter to the check() functions of the extensions
662 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
663 unsigned int udc_cnt, unsigned int hooknr, char *base)
665 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
666 struct ebt_entry *e = (struct ebt_entry *)chain->data;
667 struct ebt_entry_target *t;
669 while (pos < nentries || chain_nr != -1) {
670 /* end of udc, go back one 'recursion' step */
671 if (pos == nentries) {
672 /* put back values of the time when this chain was called */
673 e = cl_s[chain_nr].cs.e;
674 if (cl_s[chain_nr].from != -1)
675 nentries =
676 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
677 else
678 nentries = chain->nentries;
679 pos = cl_s[chain_nr].cs.n;
680 /* make sure we won't see a loop that isn't one */
681 cl_s[chain_nr].cs.n = 0;
682 chain_nr = cl_s[chain_nr].from;
683 if (pos == nentries)
684 continue;
686 t = (struct ebt_entry_target *)
687 (((char *)e) + e->target_offset);
688 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
689 goto letscontinue;
690 if (e->target_offset + sizeof(struct ebt_standard_target) >
691 e->next_offset) {
692 BUGPRINT("Standard target size too big\n");
693 return -1;
695 verdict = ((struct ebt_standard_target *)t)->verdict;
696 if (verdict >= 0) { /* jump to another chain */
697 struct ebt_entries *hlp2 =
698 (struct ebt_entries *)(base + verdict);
699 for (i = 0; i < udc_cnt; i++)
700 if (hlp2 == cl_s[i].cs.chaininfo)
701 break;
702 /* bad destination or loop */
703 if (i == udc_cnt) {
704 BUGPRINT("bad destination\n");
705 return -1;
707 if (cl_s[i].cs.n) {
708 BUGPRINT("loop\n");
709 return -1;
711 /* this can't be 0, so the above test is correct */
712 cl_s[i].cs.n = pos + 1;
713 pos = 0;
714 cl_s[i].cs.e = ((void *)e + e->next_offset);
715 e = (struct ebt_entry *)(hlp2->data);
716 nentries = hlp2->nentries;
717 cl_s[i].from = chain_nr;
718 chain_nr = i;
719 /* this udc is accessible from the base chain for hooknr */
720 cl_s[i].hookmask |= (1 << hooknr);
721 continue;
723 letscontinue:
724 e = (void *)e + e->next_offset;
725 pos++;
727 return 0;
730 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
731 static int translate_table(struct ebt_replace *repl,
732 struct ebt_table_info *newinfo)
734 unsigned int i, j, k, udc_cnt;
735 int ret;
736 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
738 i = 0;
739 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
740 i++;
741 if (i == NF_BR_NUMHOOKS) {
742 BUGPRINT("No valid hooks specified\n");
743 return -EINVAL;
745 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
746 BUGPRINT("Chains don't start at beginning\n");
747 return -EINVAL;
749 /* make sure chains are ordered after each other in same order
750 as their corresponding hooks */
751 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
752 if (!(repl->valid_hooks & (1 << j)))
753 continue;
754 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
755 BUGPRINT("Hook order must be followed\n");
756 return -EINVAL;
758 i = j;
761 for (i = 0; i < NF_BR_NUMHOOKS; i++)
762 newinfo->hook_entry[i] = NULL;
764 newinfo->entries_size = repl->entries_size;
765 newinfo->nentries = repl->nentries;
767 /* do some early checkings and initialize some things */
768 i = 0; /* holds the expected nr. of entries for the chain */
769 j = 0; /* holds the up to now counted entries for the chain */
770 k = 0; /* holds the total nr. of entries, should equal
771 newinfo->nentries afterwards */
772 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
773 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
774 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
775 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
776 &udc_cnt, repl->valid_hooks);
778 if (ret != 0)
779 return ret;
781 if (i != j) {
782 BUGPRINT("nentries does not equal the nr of entries in the "
783 "(last) chain\n");
784 return -EINVAL;
786 if (k != newinfo->nentries) {
787 BUGPRINT("Total nentries is wrong\n");
788 return -EINVAL;
791 /* check if all valid hooks have a chain */
792 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
793 if (newinfo->hook_entry[i] == NULL &&
794 (repl->valid_hooks & (1 << i))) {
795 BUGPRINT("Valid hook without chain\n");
796 return -EINVAL;
800 /* get the location of the udc, put them in an array
801 while we're at it, allocate the chainstack */
802 if (udc_cnt) {
803 /* this will get free'd in do_replace()/ebt_register_table()
804 if an error occurs */
805 newinfo->chainstack =
806 vmalloc((highest_possible_processor_id()+1)
807 * sizeof(*(newinfo->chainstack)));
808 if (!newinfo->chainstack)
809 return -ENOMEM;
810 for_each_possible_cpu(i) {
811 newinfo->chainstack[i] =
812 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
813 if (!newinfo->chainstack[i]) {
814 while (i)
815 vfree(newinfo->chainstack[--i]);
816 vfree(newinfo->chainstack);
817 newinfo->chainstack = NULL;
818 return -ENOMEM;
822 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
823 if (!cl_s)
824 return -ENOMEM;
825 i = 0; /* the i'th udc */
826 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
827 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
828 repl->valid_hooks, cl_s);
829 /* sanity check */
830 if (i != udc_cnt) {
831 BUGPRINT("i != udc_cnt\n");
832 vfree(cl_s);
833 return -EFAULT;
837 /* Check for loops */
838 for (i = 0; i < NF_BR_NUMHOOKS; i++)
839 if (repl->valid_hooks & (1 << i))
840 if (check_chainloops(newinfo->hook_entry[i],
841 cl_s, udc_cnt, i, newinfo->entries)) {
842 vfree(cl_s);
843 return -EINVAL;
846 /* we now know the following (along with E=mc²):
847 - the nr of entries in each chain is right
848 - the size of the allocated space is right
849 - all valid hooks have a corresponding chain
850 - there are no loops
851 - wrong data can still be on the level of a single entry
852 - could be there are jumps to places that are not the
853 beginning of a chain. This can only occur in chains that
854 are not accessible from any base chains, so we don't care. */
856 /* used to know what we need to clean up if something goes wrong */
857 i = 0;
858 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
859 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
860 cl_s, udc_cnt);
861 if (ret != 0) {
862 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
863 ebt_cleanup_entry, &i);
865 vfree(cl_s);
866 return ret;
869 /* called under write_lock */
870 static void get_counters(struct ebt_counter *oldcounters,
871 struct ebt_counter *counters, unsigned int nentries)
873 int i, cpu;
874 struct ebt_counter *counter_base;
876 /* counters of cpu 0 */
877 memcpy(counters, oldcounters,
878 sizeof(struct ebt_counter) * nentries);
880 /* add other counters to those of cpu 0 */
881 for_each_possible_cpu(cpu) {
882 if (cpu == 0)
883 continue;
884 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
885 for (i = 0; i < nentries; i++) {
886 counters[i].pcnt += counter_base[i].pcnt;
887 counters[i].bcnt += counter_base[i].bcnt;
892 /* replace the table */
893 static int do_replace(void __user *user, unsigned int len)
895 int ret, i, countersize;
896 struct ebt_table_info *newinfo;
897 struct ebt_replace tmp;
898 struct ebt_table *t;
899 struct ebt_counter *counterstmp = NULL;
900 /* used to be able to unlock earlier */
901 struct ebt_table_info *table;
903 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
904 return -EFAULT;
906 if (len != sizeof(tmp) + tmp.entries_size) {
907 BUGPRINT("Wrong len argument\n");
908 return -EINVAL;
911 if (tmp.entries_size == 0) {
912 BUGPRINT("Entries_size never zero\n");
913 return -EINVAL;
915 /* overflow check */
916 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
917 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
918 return -ENOMEM;
919 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
920 return -ENOMEM;
922 countersize = COUNTER_OFFSET(tmp.nentries) *
923 (highest_possible_processor_id()+1);
924 newinfo = vmalloc(sizeof(*newinfo) + countersize);
925 if (!newinfo)
926 return -ENOMEM;
928 if (countersize)
929 memset(newinfo->counters, 0, countersize);
931 newinfo->entries = vmalloc(tmp.entries_size);
932 if (!newinfo->entries) {
933 ret = -ENOMEM;
934 goto free_newinfo;
936 if (copy_from_user(
937 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
938 BUGPRINT("Couldn't copy entries from userspace\n");
939 ret = -EFAULT;
940 goto free_entries;
943 /* the user wants counters back
944 the check on the size is done later, when we have the lock */
945 if (tmp.num_counters) {
946 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
947 if (!counterstmp) {
948 ret = -ENOMEM;
949 goto free_entries;
952 else
953 counterstmp = NULL;
955 /* this can get initialized by translate_table() */
956 newinfo->chainstack = NULL;
957 ret = translate_table(&tmp, newinfo);
959 if (ret != 0)
960 goto free_counterstmp;
962 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
963 if (!t) {
964 ret = -ENOENT;
965 goto free_iterate;
968 /* the table doesn't like it */
969 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
970 goto free_unlock;
972 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
973 BUGPRINT("Wrong nr. of counters requested\n");
974 ret = -EINVAL;
975 goto free_unlock;
978 /* we have the mutex lock, so no danger in reading this pointer */
979 table = t->private;
980 /* make sure the table can only be rmmod'ed if it contains no rules */
981 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
982 ret = -ENOENT;
983 goto free_unlock;
984 } else if (table->nentries && !newinfo->nentries)
985 module_put(t->me);
986 /* we need an atomic snapshot of the counters */
987 write_lock_bh(&t->lock);
988 if (tmp.num_counters)
989 get_counters(t->private->counters, counterstmp,
990 t->private->nentries);
992 t->private = newinfo;
993 write_unlock_bh(&t->lock);
994 mutex_unlock(&ebt_mutex);
995 /* so, a user can change the chains while having messed up her counter
996 allocation. Only reason why this is done is because this way the lock
997 is held only once, while this doesn't bring the kernel into a
998 dangerous state. */
999 if (tmp.num_counters &&
1000 copy_to_user(tmp.counters, counterstmp,
1001 tmp.num_counters * sizeof(struct ebt_counter))) {
1002 BUGPRINT("Couldn't copy counters to userspace\n");
1003 ret = -EFAULT;
1005 else
1006 ret = 0;
1008 /* decrease module count and free resources */
1009 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1010 ebt_cleanup_entry, NULL);
1012 vfree(table->entries);
1013 if (table->chainstack) {
1014 for_each_possible_cpu(i)
1015 vfree(table->chainstack[i]);
1016 vfree(table->chainstack);
1018 vfree(table);
1020 vfree(counterstmp);
1021 return ret;
1023 free_unlock:
1024 mutex_unlock(&ebt_mutex);
1025 free_iterate:
1026 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1027 ebt_cleanup_entry, NULL);
1028 free_counterstmp:
1029 vfree(counterstmp);
1030 /* can be initialized in translate_table() */
1031 if (newinfo->chainstack) {
1032 for_each_possible_cpu(i)
1033 vfree(newinfo->chainstack[i]);
1034 vfree(newinfo->chainstack);
1036 free_entries:
1037 vfree(newinfo->entries);
1038 free_newinfo:
1039 vfree(newinfo);
1040 return ret;
1043 int ebt_register_target(struct ebt_target *target)
1045 struct ebt_target *t;
1046 int ret;
1048 ret = mutex_lock_interruptible(&ebt_mutex);
1049 if (ret != 0)
1050 return ret;
1051 list_for_each_entry(t, &ebt_targets, list) {
1052 if (strcmp(t->name, target->name) == 0) {
1053 mutex_unlock(&ebt_mutex);
1054 return -EEXIST;
1057 list_add(&target->list, &ebt_targets);
1058 mutex_unlock(&ebt_mutex);
1060 return 0;
1063 void ebt_unregister_target(struct ebt_target *target)
1065 mutex_lock(&ebt_mutex);
1066 list_del(&target->list);
1067 mutex_unlock(&ebt_mutex);
1070 int ebt_register_match(struct ebt_match *match)
1072 struct ebt_match *m;
1073 int ret;
1075 ret = mutex_lock_interruptible(&ebt_mutex);
1076 if (ret != 0)
1077 return ret;
1078 list_for_each_entry(m, &ebt_matches, list) {
1079 if (strcmp(m->name, match->name) == 0) {
1080 mutex_unlock(&ebt_mutex);
1081 return -EEXIST;
1084 list_add(&match->list, &ebt_matches);
1085 mutex_unlock(&ebt_mutex);
1087 return 0;
1090 void ebt_unregister_match(struct ebt_match *match)
1092 mutex_lock(&ebt_mutex);
1093 list_del(&match->list);
1094 mutex_unlock(&ebt_mutex);
1097 int ebt_register_watcher(struct ebt_watcher *watcher)
1099 struct ebt_watcher *w;
1100 int ret;
1102 ret = mutex_lock_interruptible(&ebt_mutex);
1103 if (ret != 0)
1104 return ret;
1105 list_for_each_entry(w, &ebt_watchers, list) {
1106 if (strcmp(w->name, watcher->name) == 0) {
1107 mutex_unlock(&ebt_mutex);
1108 return -EEXIST;
1111 list_add(&watcher->list, &ebt_watchers);
1112 mutex_unlock(&ebt_mutex);
1114 return 0;
1117 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1119 mutex_lock(&ebt_mutex);
1120 list_del(&watcher->list);
1121 mutex_unlock(&ebt_mutex);
1124 int ebt_register_table(struct ebt_table *table)
1126 struct ebt_table_info *newinfo;
1127 struct ebt_table *t;
1128 int ret, i, countersize;
1130 if (!table || !table->table ||!table->table->entries ||
1131 table->table->entries_size == 0 ||
1132 table->table->counters || table->private) {
1133 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1134 return -EINVAL;
1137 countersize = COUNTER_OFFSET(table->table->nentries) *
1138 (highest_possible_processor_id()+1);
1139 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1140 ret = -ENOMEM;
1141 if (!newinfo)
1142 return -ENOMEM;
1144 newinfo->entries = vmalloc(table->table->entries_size);
1145 if (!(newinfo->entries))
1146 goto free_newinfo;
1148 memcpy(newinfo->entries, table->table->entries,
1149 table->table->entries_size);
1151 if (countersize)
1152 memset(newinfo->counters, 0, countersize);
1154 /* fill in newinfo and parse the entries */
1155 newinfo->chainstack = NULL;
1156 ret = translate_table(table->table, newinfo);
1157 if (ret != 0) {
1158 BUGPRINT("Translate_table failed\n");
1159 goto free_chainstack;
1162 if (table->check && table->check(newinfo, table->valid_hooks)) {
1163 BUGPRINT("The table doesn't like its own initial data, lol\n");
1164 return -EINVAL;
1167 table->private = newinfo;
1168 rwlock_init(&table->lock);
1169 ret = mutex_lock_interruptible(&ebt_mutex);
1170 if (ret != 0)
1171 goto free_chainstack;
1173 list_for_each_entry(t, &ebt_tables, list) {
1174 if (strcmp(t->name, table->name) == 0) {
1175 ret = -EEXIST;
1176 BUGPRINT("Table name already exists\n");
1177 goto free_unlock;
1181 /* Hold a reference count if the chains aren't empty */
1182 if (newinfo->nentries && !try_module_get(table->me)) {
1183 ret = -ENOENT;
1184 goto free_unlock;
1186 list_add(&table->list, &ebt_tables);
1187 mutex_unlock(&ebt_mutex);
1188 return 0;
1189 free_unlock:
1190 mutex_unlock(&ebt_mutex);
1191 free_chainstack:
1192 if (newinfo->chainstack) {
1193 for_each_possible_cpu(i)
1194 vfree(newinfo->chainstack[i]);
1195 vfree(newinfo->chainstack);
1197 vfree(newinfo->entries);
1198 free_newinfo:
1199 vfree(newinfo);
1200 return ret;
1203 void ebt_unregister_table(struct ebt_table *table)
1205 int i;
1207 if (!table) {
1208 BUGPRINT("Request to unregister NULL table!!!\n");
1209 return;
1211 mutex_lock(&ebt_mutex);
1212 list_del(&table->list);
1213 mutex_unlock(&ebt_mutex);
1214 vfree(table->private->entries);
1215 if (table->private->chainstack) {
1216 for_each_possible_cpu(i)
1217 vfree(table->private->chainstack[i]);
1218 vfree(table->private->chainstack);
1220 vfree(table->private);
1223 /* userspace just supplied us with counters */
1224 static int update_counters(void __user *user, unsigned int len)
1226 int i, ret;
1227 struct ebt_counter *tmp;
1228 struct ebt_replace hlp;
1229 struct ebt_table *t;
1231 if (copy_from_user(&hlp, user, sizeof(hlp)))
1232 return -EFAULT;
1234 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1235 return -EINVAL;
1236 if (hlp.num_counters == 0)
1237 return -EINVAL;
1239 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1240 MEMPRINT("Update_counters && nomemory\n");
1241 return -ENOMEM;
1244 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1245 if (!t)
1246 goto free_tmp;
1248 if (hlp.num_counters != t->private->nentries) {
1249 BUGPRINT("Wrong nr of counters\n");
1250 ret = -EINVAL;
1251 goto unlock_mutex;
1254 if ( copy_from_user(tmp, hlp.counters,
1255 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1256 BUGPRINT("Updata_counters && !cfu\n");
1257 ret = -EFAULT;
1258 goto unlock_mutex;
1261 /* we want an atomic add of the counters */
1262 write_lock_bh(&t->lock);
1264 /* we add to the counters of the first cpu */
1265 for (i = 0; i < hlp.num_counters; i++) {
1266 t->private->counters[i].pcnt += tmp[i].pcnt;
1267 t->private->counters[i].bcnt += tmp[i].bcnt;
1270 write_unlock_bh(&t->lock);
1271 ret = 0;
1272 unlock_mutex:
1273 mutex_unlock(&ebt_mutex);
1274 free_tmp:
1275 vfree(tmp);
1276 return ret;
1279 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1280 char *base, char *ubase)
1282 char *hlp = ubase - base + (char *)m;
1283 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1284 return -EFAULT;
1285 return 0;
1288 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1289 char *base, char *ubase)
1291 char *hlp = ubase - base + (char *)w;
1292 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1293 return -EFAULT;
1294 return 0;
1297 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1299 int ret;
1300 char *hlp;
1301 struct ebt_entry_target *t;
1303 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
1304 return 0;
1306 hlp = ubase - base + (char *)e + e->target_offset;
1307 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1309 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1310 if (ret != 0)
1311 return ret;
1312 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1313 if (ret != 0)
1314 return ret;
1315 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1316 return -EFAULT;
1317 return 0;
1320 /* called with ebt_mutex locked */
1321 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1322 int *len, int cmd)
1324 struct ebt_replace tmp;
1325 struct ebt_counter *counterstmp, *oldcounters;
1326 unsigned int entries_size, nentries;
1327 char *entries;
1329 if (cmd == EBT_SO_GET_ENTRIES) {
1330 entries_size = t->private->entries_size;
1331 nentries = t->private->nentries;
1332 entries = t->private->entries;
1333 oldcounters = t->private->counters;
1334 } else {
1335 entries_size = t->table->entries_size;
1336 nentries = t->table->nentries;
1337 entries = t->table->entries;
1338 oldcounters = t->table->counters;
1341 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1342 BUGPRINT("Cfu didn't work\n");
1343 return -EFAULT;
1346 if (*len != sizeof(struct ebt_replace) + entries_size +
1347 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1348 BUGPRINT("Wrong size\n");
1349 return -EINVAL;
1352 if (tmp.nentries != nentries) {
1353 BUGPRINT("Nentries wrong\n");
1354 return -EINVAL;
1357 if (tmp.entries_size != entries_size) {
1358 BUGPRINT("Wrong size\n");
1359 return -EINVAL;
1362 /* userspace might not need the counters */
1363 if (tmp.num_counters) {
1364 if (tmp.num_counters != nentries) {
1365 BUGPRINT("Num_counters wrong\n");
1366 return -EINVAL;
1368 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1369 if (!counterstmp) {
1370 MEMPRINT("Couldn't copy counters, out of memory\n");
1371 return -ENOMEM;
1373 write_lock_bh(&t->lock);
1374 get_counters(oldcounters, counterstmp, nentries);
1375 write_unlock_bh(&t->lock);
1377 if (copy_to_user(tmp.counters, counterstmp,
1378 nentries * sizeof(struct ebt_counter))) {
1379 BUGPRINT("Couldn't copy counters to userspace\n");
1380 vfree(counterstmp);
1381 return -EFAULT;
1383 vfree(counterstmp);
1386 if (copy_to_user(tmp.entries, entries, entries_size)) {
1387 BUGPRINT("Couldn't copy entries to userspace\n");
1388 return -EFAULT;
1390 /* set the match/watcher/target names right */
1391 return EBT_ENTRY_ITERATE(entries, entries_size,
1392 ebt_make_names, entries, tmp.entries);
1395 static int do_ebt_set_ctl(struct sock *sk,
1396 int cmd, void __user *user, unsigned int len)
1398 int ret;
1400 switch(cmd) {
1401 case EBT_SO_SET_ENTRIES:
1402 ret = do_replace(user, len);
1403 break;
1404 case EBT_SO_SET_COUNTERS:
1405 ret = update_counters(user, len);
1406 break;
1407 default:
1408 ret = -EINVAL;
1410 return ret;
1413 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1415 int ret;
1416 struct ebt_replace tmp;
1417 struct ebt_table *t;
1419 if (copy_from_user(&tmp, user, sizeof(tmp)))
1420 return -EFAULT;
1422 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1423 if (!t)
1424 return ret;
1426 switch(cmd) {
1427 case EBT_SO_GET_INFO:
1428 case EBT_SO_GET_INIT_INFO:
1429 if (*len != sizeof(struct ebt_replace)){
1430 ret = -EINVAL;
1431 mutex_unlock(&ebt_mutex);
1432 break;
1434 if (cmd == EBT_SO_GET_INFO) {
1435 tmp.nentries = t->private->nentries;
1436 tmp.entries_size = t->private->entries_size;
1437 tmp.valid_hooks = t->valid_hooks;
1438 } else {
1439 tmp.nentries = t->table->nentries;
1440 tmp.entries_size = t->table->entries_size;
1441 tmp.valid_hooks = t->table->valid_hooks;
1443 mutex_unlock(&ebt_mutex);
1444 if (copy_to_user(user, &tmp, *len) != 0){
1445 BUGPRINT("c2u Didn't work\n");
1446 ret = -EFAULT;
1447 break;
1449 ret = 0;
1450 break;
1452 case EBT_SO_GET_ENTRIES:
1453 case EBT_SO_GET_INIT_ENTRIES:
1454 ret = copy_everything_to_user(t, user, len, cmd);
1455 mutex_unlock(&ebt_mutex);
1456 break;
1458 default:
1459 mutex_unlock(&ebt_mutex);
1460 ret = -EINVAL;
1463 return ret;
1466 static struct nf_sockopt_ops ebt_sockopts =
1468 .pf = PF_INET,
1469 .set_optmin = EBT_BASE_CTL,
1470 .set_optmax = EBT_SO_SET_MAX + 1,
1471 .set = do_ebt_set_ctl,
1472 .get_optmin = EBT_BASE_CTL,
1473 .get_optmax = EBT_SO_GET_MAX + 1,
1474 .get = do_ebt_get_ctl,
1477 static int __init ebtables_init(void)
1479 int ret;
1481 mutex_lock(&ebt_mutex);
1482 list_add(&ebt_standard_target.list, &ebt_targets);
1483 mutex_unlock(&ebt_mutex);
1484 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1485 return ret;
1487 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1488 return 0;
1491 static void __exit ebtables_fini(void)
1493 nf_unregister_sockopt(&ebt_sockopts);
1494 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1497 EXPORT_SYMBOL(ebt_register_table);
1498 EXPORT_SYMBOL(ebt_unregister_table);
1499 EXPORT_SYMBOL(ebt_register_match);
1500 EXPORT_SYMBOL(ebt_unregister_match);
1501 EXPORT_SYMBOL(ebt_register_watcher);
1502 EXPORT_SYMBOL(ebt_unregister_watcher);
1503 EXPORT_SYMBOL(ebt_register_target);
1504 EXPORT_SYMBOL(ebt_unregister_target);
1505 EXPORT_SYMBOL(ebt_do_table);
1506 module_init(ebtables_init);
1507 module_exit(ebtables_fini);
1508 MODULE_LICENSE("GPL");