5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <asm/uaccess.h>
28 #include <linux/smp.h>
29 #include <linux/cpumask.h>
31 /* needed for logical [in,out]-dev filtering */
32 #include "../br_private.h"
35 #define ASSERT_READ_LOCK(x)
36 #define ASSERT_WRITE_LOCK(x)
37 #include <linux/netfilter_ipv4/listhelp.h>
38 #include <linux/mutex.h>
41 /* use this for remote debugging
42 * Copyright (C) 1998 by Ori Pomerantz
43 * Print the string to the appropriate tty, the one
44 * the current task uses
46 static void print_string(char *str
)
48 struct tty_struct
*my_tty
;
50 /* The tty for the current task */
51 my_tty
= current
->signal
->tty
;
53 my_tty
->driver
->write(my_tty
, 0, str
, strlen(str
));
54 my_tty
->driver
->write(my_tty
, 0, "\015\012", 2);
58 #define BUGPRINT(args) print_string(args);
60 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
61 "report to author: "format, ## args)
62 /* #define BUGPRINT(format, args...) */
64 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
65 ": out of memory: "format, ## args)
66 /* #define MEMPRINT(format, args...) */
71 * Each cpu has its own set of counters, so there is no need for write_lock in
73 * For reading or updating the counters, the user context needs to
77 /* The size of each set of counters is altered to get cache alignment */
78 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
79 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
80 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
81 COUNTER_OFFSET(n) * cpu))
85 static DEFINE_MUTEX(ebt_mutex
);
86 static LIST_HEAD(ebt_tables
);
87 static LIST_HEAD(ebt_targets
);
88 static LIST_HEAD(ebt_matches
);
89 static LIST_HEAD(ebt_watchers
);
91 static struct ebt_target ebt_standard_target
=
92 { {NULL
, NULL
}, EBT_STANDARD_TARGET
, NULL
, NULL
, NULL
, NULL
};
94 static inline int ebt_do_watcher (struct ebt_entry_watcher
*w
,
95 const struct sk_buff
*skb
, unsigned int hooknr
, const struct net_device
*in
,
96 const struct net_device
*out
)
98 w
->u
.watcher
->watcher(skb
, hooknr
, in
, out
, w
->data
,
100 /* watchers don't give a verdict */
104 static inline int ebt_do_match (struct ebt_entry_match
*m
,
105 const struct sk_buff
*skb
, const struct net_device
*in
,
106 const struct net_device
*out
)
108 return m
->u
.match
->match(skb
, in
, out
, m
->data
,
112 static inline int ebt_dev_check(char *entry
, const struct net_device
*device
)
115 char *devname
= device
->name
;
121 /* 1 is the wildcard token */
122 while (entry
[i
] != '\0' && entry
[i
] != 1 && entry
[i
] == devname
[i
])
124 return (devname
[i
] != entry
[i
] && entry
[i
] != 1);
127 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
128 /* process standard matches */
129 static inline int ebt_basic_match(struct ebt_entry
*e
, struct ethhdr
*h
,
130 const struct net_device
*in
, const struct net_device
*out
)
134 if (e
->bitmask
& EBT_802_3
) {
135 if (FWINV2(ntohs(h
->h_proto
) >= 1536, EBT_IPROTO
))
137 } else if (!(e
->bitmask
& EBT_NOPROTO
) &&
138 FWINV2(e
->ethproto
!= h
->h_proto
, EBT_IPROTO
))
141 if (FWINV2(ebt_dev_check(e
->in
, in
), EBT_IIN
))
143 if (FWINV2(ebt_dev_check(e
->out
, out
), EBT_IOUT
))
145 if ((!in
|| !in
->br_port
) ? 0 : FWINV2(ebt_dev_check(
146 e
->logical_in
, in
->br_port
->br
->dev
), EBT_ILOGICALIN
))
148 if ((!out
|| !out
->br_port
) ? 0 : FWINV2(ebt_dev_check(
149 e
->logical_out
, out
->br_port
->br
->dev
), EBT_ILOGICALOUT
))
152 if (e
->bitmask
& EBT_SOURCEMAC
) {
154 for (i
= 0; i
< 6; i
++)
155 verdict
|= (h
->h_source
[i
] ^ e
->sourcemac
[i
]) &
157 if (FWINV2(verdict
!= 0, EBT_ISOURCE
) )
160 if (e
->bitmask
& EBT_DESTMAC
) {
162 for (i
= 0; i
< 6; i
++)
163 verdict
|= (h
->h_dest
[i
] ^ e
->destmac
[i
]) &
165 if (FWINV2(verdict
!= 0, EBT_IDEST
) )
171 /* Do some firewalling */
172 unsigned int ebt_do_table (unsigned int hook
, struct sk_buff
**pskb
,
173 const struct net_device
*in
, const struct net_device
*out
,
174 struct ebt_table
*table
)
177 struct ebt_entry
*point
;
178 struct ebt_counter
*counter_base
, *cb_base
;
179 struct ebt_entry_target
*t
;
181 struct ebt_chainstack
*cs
;
182 struct ebt_entries
*chaininfo
;
184 struct ebt_table_info
*private;
186 read_lock_bh(&table
->lock
);
187 private = table
->private;
188 cb_base
= COUNTER_BASE(private->counters
, private->nentries
,
190 if (private->chainstack
)
191 cs
= private->chainstack
[smp_processor_id()];
194 chaininfo
= private->hook_entry
[hook
];
195 nentries
= private->hook_entry
[hook
]->nentries
;
196 point
= (struct ebt_entry
*)(private->hook_entry
[hook
]->data
);
197 counter_base
= cb_base
+ private->hook_entry
[hook
]->counter_offset
;
198 /* base for chain jumps */
199 base
= private->entries
;
201 while (i
< nentries
) {
202 if (ebt_basic_match(point
, eth_hdr(*pskb
), in
, out
))
205 if (EBT_MATCH_ITERATE(point
, ebt_do_match
, *pskb
, in
, out
) != 0)
208 /* increase counter */
209 (*(counter_base
+ i
)).pcnt
++;
210 (*(counter_base
+ i
)).bcnt
+=(**pskb
).len
;
212 /* these should only watch: not modify, nor tell us
213 what to do with the packet */
214 EBT_WATCHER_ITERATE(point
, ebt_do_watcher
, *pskb
, hook
, in
,
217 t
= (struct ebt_entry_target
*)
218 (((char *)point
) + point
->target_offset
);
219 /* standard target */
220 if (!t
->u
.target
->target
)
221 verdict
= ((struct ebt_standard_target
*)t
)->verdict
;
223 verdict
= t
->u
.target
->target(pskb
, hook
,
224 in
, out
, t
->data
, t
->target_size
);
225 if (verdict
== EBT_ACCEPT
) {
226 read_unlock_bh(&table
->lock
);
229 if (verdict
== EBT_DROP
) {
230 read_unlock_bh(&table
->lock
);
233 if (verdict
== EBT_RETURN
) {
235 #ifdef CONFIG_NETFILTER_DEBUG
237 BUGPRINT("RETURN on base chain");
238 /* act like this is EBT_CONTINUE */
243 /* put all the local variables right */
245 chaininfo
= cs
[sp
].chaininfo
;
246 nentries
= chaininfo
->nentries
;
248 counter_base
= cb_base
+
249 chaininfo
->counter_offset
;
252 if (verdict
== EBT_CONTINUE
)
254 #ifdef CONFIG_NETFILTER_DEBUG
256 BUGPRINT("bogus standard verdict\n");
257 read_unlock_bh(&table
->lock
);
263 cs
[sp
].chaininfo
= chaininfo
;
264 cs
[sp
].e
= (struct ebt_entry
*)
265 (((char *)point
) + point
->next_offset
);
267 chaininfo
= (struct ebt_entries
*) (base
+ verdict
);
268 #ifdef CONFIG_NETFILTER_DEBUG
269 if (chaininfo
->distinguisher
) {
270 BUGPRINT("jump to non-chain\n");
271 read_unlock_bh(&table
->lock
);
275 nentries
= chaininfo
->nentries
;
276 point
= (struct ebt_entry
*)chaininfo
->data
;
277 counter_base
= cb_base
+ chaininfo
->counter_offset
;
281 point
= (struct ebt_entry
*)
282 (((char *)point
) + point
->next_offset
);
286 /* I actually like this :) */
287 if (chaininfo
->policy
== EBT_RETURN
)
289 if (chaininfo
->policy
== EBT_ACCEPT
) {
290 read_unlock_bh(&table
->lock
);
293 read_unlock_bh(&table
->lock
);
297 /* If it succeeds, returns element and locks mutex */
299 find_inlist_lock_noload(struct list_head
*head
, const char *name
, int *error
,
304 *error
= mutex_lock_interruptible(mutex
);
308 ret
= list_named_find(head
, name
);
317 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
320 find_inlist_lock(struct list_head
*head
, const char *name
, const char *prefix
,
321 int *error
, struct mutex
*mutex
)
325 ret
= find_inlist_lock_noload(head
, name
, error
, mutex
);
327 request_module("%s%s", prefix
, name
);
328 ret
= find_inlist_lock_noload(head
, name
, error
, mutex
);
334 static inline struct ebt_table
*
335 find_table_lock(const char *name
, int *error
, struct mutex
*mutex
)
337 return find_inlist_lock(&ebt_tables
, name
, "ebtable_", error
, mutex
);
340 static inline struct ebt_match
*
341 find_match_lock(const char *name
, int *error
, struct mutex
*mutex
)
343 return find_inlist_lock(&ebt_matches
, name
, "ebt_", error
, mutex
);
346 static inline struct ebt_watcher
*
347 find_watcher_lock(const char *name
, int *error
, struct mutex
*mutex
)
349 return find_inlist_lock(&ebt_watchers
, name
, "ebt_", error
, mutex
);
352 static inline struct ebt_target
*
353 find_target_lock(const char *name
, int *error
, struct mutex
*mutex
)
355 return find_inlist_lock(&ebt_targets
, name
, "ebt_", error
, mutex
);
359 ebt_check_match(struct ebt_entry_match
*m
, struct ebt_entry
*e
,
360 const char *name
, unsigned int hookmask
, unsigned int *cnt
)
362 struct ebt_match
*match
;
365 if (((char *)m
) + m
->match_size
+ sizeof(struct ebt_entry_match
) >
366 ((char *)e
) + e
->watchers_offset
)
368 match
= find_match_lock(m
->u
.name
, &ret
, &ebt_mutex
);
372 if (!try_module_get(match
->me
)) {
373 mutex_unlock(&ebt_mutex
);
376 mutex_unlock(&ebt_mutex
);
378 match
->check(name
, hookmask
, e
, m
->data
, m
->match_size
) != 0) {
379 BUGPRINT("match->check failed\n");
380 module_put(match
->me
);
388 ebt_check_watcher(struct ebt_entry_watcher
*w
, struct ebt_entry
*e
,
389 const char *name
, unsigned int hookmask
, unsigned int *cnt
)
391 struct ebt_watcher
*watcher
;
394 if (((char *)w
) + w
->watcher_size
+ sizeof(struct ebt_entry_watcher
) >
395 ((char *)e
) + e
->target_offset
)
397 watcher
= find_watcher_lock(w
->u
.name
, &ret
, &ebt_mutex
);
400 w
->u
.watcher
= watcher
;
401 if (!try_module_get(watcher
->me
)) {
402 mutex_unlock(&ebt_mutex
);
405 mutex_unlock(&ebt_mutex
);
406 if (watcher
->check
&&
407 watcher
->check(name
, hookmask
, e
, w
->data
, w
->watcher_size
) != 0) {
408 BUGPRINT("watcher->check failed\n");
409 module_put(watcher
->me
);
417 * this one is very careful, as it is the first function
418 * to parse the userspace data
421 ebt_check_entry_size_and_hooks(struct ebt_entry
*e
,
422 struct ebt_table_info
*newinfo
, char *base
, char *limit
,
423 struct ebt_entries
**hook_entries
, unsigned int *n
, unsigned int *cnt
,
424 unsigned int *totalcnt
, unsigned int *udc_cnt
, unsigned int valid_hooks
)
428 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
429 if ((valid_hooks
& (1 << i
)) == 0)
431 if ( (char *)hook_entries
[i
] - base
==
432 (char *)e
- newinfo
->entries
)
435 /* beginning of a new chain
436 if i == NF_BR_NUMHOOKS it must be a user defined chain */
437 if (i
!= NF_BR_NUMHOOKS
|| !(e
->bitmask
& EBT_ENTRY_OR_ENTRIES
)) {
438 if ((e
->bitmask
& EBT_ENTRY_OR_ENTRIES
) != 0) {
439 /* we make userspace set this right,
440 so there is no misunderstanding */
441 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
442 "in distinguisher\n");
445 /* this checks if the previous chain has as many entries
448 BUGPRINT("nentries does not equal the nr of entries "
452 /* before we look at the struct, be sure it is not too big */
453 if ((char *)hook_entries
[i
] + sizeof(struct ebt_entries
)
455 BUGPRINT("entries_size too small\n");
458 if (((struct ebt_entries
*)e
)->policy
!= EBT_DROP
&&
459 ((struct ebt_entries
*)e
)->policy
!= EBT_ACCEPT
) {
460 /* only RETURN from udc */
461 if (i
!= NF_BR_NUMHOOKS
||
462 ((struct ebt_entries
*)e
)->policy
!= EBT_RETURN
) {
463 BUGPRINT("bad policy\n");
467 if (i
== NF_BR_NUMHOOKS
) /* it's a user defined chain */
470 newinfo
->hook_entry
[i
] = (struct ebt_entries
*)e
;
471 if (((struct ebt_entries
*)e
)->counter_offset
!= *totalcnt
) {
472 BUGPRINT("counter_offset != totalcnt");
475 *n
= ((struct ebt_entries
*)e
)->nentries
;
479 /* a plain old entry, heh */
480 if (sizeof(struct ebt_entry
) > e
->watchers_offset
||
481 e
->watchers_offset
> e
->target_offset
||
482 e
->target_offset
>= e
->next_offset
) {
483 BUGPRINT("entry offsets not in right order\n");
486 /* this is not checked anywhere else */
487 if (e
->next_offset
- e
->target_offset
< sizeof(struct ebt_entry_target
)) {
488 BUGPRINT("target size too small\n");
499 struct ebt_chainstack cs
;
501 unsigned int hookmask
;
505 * we need these positions to check that the jumps to a different part of the
506 * entries is a jump to the beginning of a new chain.
509 ebt_get_udc_positions(struct ebt_entry
*e
, struct ebt_table_info
*newinfo
,
510 struct ebt_entries
**hook_entries
, unsigned int *n
, unsigned int valid_hooks
,
511 struct ebt_cl_stack
*udc
)
515 /* we're only interested in chain starts */
516 if (e
->bitmask
& EBT_ENTRY_OR_ENTRIES
)
518 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
519 if ((valid_hooks
& (1 << i
)) == 0)
521 if (newinfo
->hook_entry
[i
] == (struct ebt_entries
*)e
)
524 /* only care about udc */
525 if (i
!= NF_BR_NUMHOOKS
)
528 udc
[*n
].cs
.chaininfo
= (struct ebt_entries
*)e
;
529 /* these initialisations are depended on later in check_chainloops() */
531 udc
[*n
].hookmask
= 0;
538 ebt_cleanup_match(struct ebt_entry_match
*m
, unsigned int *i
)
540 if (i
&& (*i
)-- == 0)
542 if (m
->u
.match
->destroy
)
543 m
->u
.match
->destroy(m
->data
, m
->match_size
);
544 module_put(m
->u
.match
->me
);
550 ebt_cleanup_watcher(struct ebt_entry_watcher
*w
, unsigned int *i
)
552 if (i
&& (*i
)-- == 0)
554 if (w
->u
.watcher
->destroy
)
555 w
->u
.watcher
->destroy(w
->data
, w
->watcher_size
);
556 module_put(w
->u
.watcher
->me
);
562 ebt_cleanup_entry(struct ebt_entry
*e
, unsigned int *cnt
)
564 struct ebt_entry_target
*t
;
566 if ((e
->bitmask
& EBT_ENTRY_OR_ENTRIES
) == 0)
569 if (cnt
&& (*cnt
)-- == 0)
571 EBT_WATCHER_ITERATE(e
, ebt_cleanup_watcher
, NULL
);
572 EBT_MATCH_ITERATE(e
, ebt_cleanup_match
, NULL
);
573 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
574 if (t
->u
.target
->destroy
)
575 t
->u
.target
->destroy(t
->data
, t
->target_size
);
576 module_put(t
->u
.target
->me
);
582 ebt_check_entry(struct ebt_entry
*e
, struct ebt_table_info
*newinfo
,
583 const char *name
, unsigned int *cnt
, unsigned int valid_hooks
,
584 struct ebt_cl_stack
*cl_s
, unsigned int udc_cnt
)
586 struct ebt_entry_target
*t
;
587 struct ebt_target
*target
;
588 unsigned int i
, j
, hook
= 0, hookmask
= 0;
591 /* don't mess with the struct ebt_entries */
592 if ((e
->bitmask
& EBT_ENTRY_OR_ENTRIES
) == 0)
595 if (e
->bitmask
& ~EBT_F_MASK
) {
596 BUGPRINT("Unknown flag for bitmask\n");
599 if (e
->invflags
& ~EBT_INV_MASK
) {
600 BUGPRINT("Unknown flag for inv bitmask\n");
603 if ( (e
->bitmask
& EBT_NOPROTO
) && (e
->bitmask
& EBT_802_3
) ) {
604 BUGPRINT("NOPROTO & 802_3 not allowed\n");
607 /* what hook do we belong to? */
608 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
609 if ((valid_hooks
& (1 << i
)) == 0)
611 if ((char *)newinfo
->hook_entry
[i
] < (char *)e
)
616 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
618 if (i
< NF_BR_NUMHOOKS
)
619 hookmask
= (1 << hook
) | (1 << NF_BR_NUMHOOKS
);
621 for (i
= 0; i
< udc_cnt
; i
++)
622 if ((char *)(cl_s
[i
].cs
.chaininfo
) > (char *)e
)
625 hookmask
= (1 << hook
) | (1 << NF_BR_NUMHOOKS
);
627 hookmask
= cl_s
[i
- 1].hookmask
;
630 ret
= EBT_MATCH_ITERATE(e
, ebt_check_match
, e
, name
, hookmask
, &i
);
632 goto cleanup_matches
;
634 ret
= EBT_WATCHER_ITERATE(e
, ebt_check_watcher
, e
, name
, hookmask
, &j
);
636 goto cleanup_watchers
;
637 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
638 target
= find_target_lock(t
->u
.name
, &ret
, &ebt_mutex
);
640 goto cleanup_watchers
;
641 if (!try_module_get(target
->me
)) {
642 mutex_unlock(&ebt_mutex
);
644 goto cleanup_watchers
;
646 mutex_unlock(&ebt_mutex
);
648 t
->u
.target
= target
;
649 if (t
->u
.target
== &ebt_standard_target
) {
650 if (e
->target_offset
+ sizeof(struct ebt_standard_target
) >
652 BUGPRINT("Standard target size too big\n");
654 goto cleanup_watchers
;
656 if (((struct ebt_standard_target
*)t
)->verdict
<
657 -NUM_STANDARD_TARGETS
) {
658 BUGPRINT("Invalid standard target\n");
660 goto cleanup_watchers
;
662 } else if ((e
->target_offset
+ t
->target_size
+
663 sizeof(struct ebt_entry_target
) > e
->next_offset
) ||
664 (t
->u
.target
->check
&&
665 t
->u
.target
->check(name
, hookmask
, e
, t
->data
, t
->target_size
) != 0)){
666 module_put(t
->u
.target
->me
);
668 goto cleanup_watchers
;
673 EBT_WATCHER_ITERATE(e
, ebt_cleanup_watcher
, &j
);
675 EBT_MATCH_ITERATE(e
, ebt_cleanup_match
, &i
);
680 * checks for loops and sets the hook mask for udc
681 * the hook mask for udc tells us from which base chains the udc can be
682 * accessed. This mask is a parameter to the check() functions of the extensions
684 static int check_chainloops(struct ebt_entries
*chain
, struct ebt_cl_stack
*cl_s
,
685 unsigned int udc_cnt
, unsigned int hooknr
, char *base
)
687 int i
, chain_nr
= -1, pos
= 0, nentries
= chain
->nentries
, verdict
;
688 struct ebt_entry
*e
= (struct ebt_entry
*)chain
->data
;
689 struct ebt_entry_target
*t
;
691 while (pos
< nentries
|| chain_nr
!= -1) {
692 /* end of udc, go back one 'recursion' step */
693 if (pos
== nentries
) {
694 /* put back values of the time when this chain was called */
695 e
= cl_s
[chain_nr
].cs
.e
;
696 if (cl_s
[chain_nr
].from
!= -1)
698 cl_s
[cl_s
[chain_nr
].from
].cs
.chaininfo
->nentries
;
700 nentries
= chain
->nentries
;
701 pos
= cl_s
[chain_nr
].cs
.n
;
702 /* make sure we won't see a loop that isn't one */
703 cl_s
[chain_nr
].cs
.n
= 0;
704 chain_nr
= cl_s
[chain_nr
].from
;
708 t
= (struct ebt_entry_target
*)
709 (((char *)e
) + e
->target_offset
);
710 if (strcmp(t
->u
.name
, EBT_STANDARD_TARGET
))
712 if (e
->target_offset
+ sizeof(struct ebt_standard_target
) >
714 BUGPRINT("Standard target size too big\n");
717 verdict
= ((struct ebt_standard_target
*)t
)->verdict
;
718 if (verdict
>= 0) { /* jump to another chain */
719 struct ebt_entries
*hlp2
=
720 (struct ebt_entries
*)(base
+ verdict
);
721 for (i
= 0; i
< udc_cnt
; i
++)
722 if (hlp2
== cl_s
[i
].cs
.chaininfo
)
724 /* bad destination or loop */
726 BUGPRINT("bad destination\n");
733 /* this can't be 0, so the above test is correct */
734 cl_s
[i
].cs
.n
= pos
+ 1;
736 cl_s
[i
].cs
.e
= ((void *)e
+ e
->next_offset
);
737 e
= (struct ebt_entry
*)(hlp2
->data
);
738 nentries
= hlp2
->nentries
;
739 cl_s
[i
].from
= chain_nr
;
741 /* this udc is accessible from the base chain for hooknr */
742 cl_s
[i
].hookmask
|= (1 << hooknr
);
746 e
= (void *)e
+ e
->next_offset
;
752 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
753 static int translate_table(struct ebt_replace
*repl
,
754 struct ebt_table_info
*newinfo
)
756 unsigned int i
, j
, k
, udc_cnt
;
758 struct ebt_cl_stack
*cl_s
= NULL
; /* used in the checking for chain loops */
761 while (i
< NF_BR_NUMHOOKS
&& !(repl
->valid_hooks
& (1 << i
)))
763 if (i
== NF_BR_NUMHOOKS
) {
764 BUGPRINT("No valid hooks specified\n");
767 if (repl
->hook_entry
[i
] != (struct ebt_entries
*)repl
->entries
) {
768 BUGPRINT("Chains don't start at beginning\n");
771 /* make sure chains are ordered after each other in same order
772 as their corresponding hooks */
773 for (j
= i
+ 1; j
< NF_BR_NUMHOOKS
; j
++) {
774 if (!(repl
->valid_hooks
& (1 << j
)))
776 if ( repl
->hook_entry
[j
] <= repl
->hook_entry
[i
] ) {
777 BUGPRINT("Hook order must be followed\n");
783 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++)
784 newinfo
->hook_entry
[i
] = NULL
;
786 newinfo
->entries_size
= repl
->entries_size
;
787 newinfo
->nentries
= repl
->nentries
;
789 /* do some early checkings and initialize some things */
790 i
= 0; /* holds the expected nr. of entries for the chain */
791 j
= 0; /* holds the up to now counted entries for the chain */
792 k
= 0; /* holds the total nr. of entries, should equal
793 newinfo->nentries afterwards */
794 udc_cnt
= 0; /* will hold the nr. of user defined chains (udc) */
795 ret
= EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
796 ebt_check_entry_size_and_hooks
, newinfo
, repl
->entries
,
797 repl
->entries
+ repl
->entries_size
, repl
->hook_entry
, &i
, &j
, &k
,
798 &udc_cnt
, repl
->valid_hooks
);
804 BUGPRINT("nentries does not equal the nr of entries in the "
808 if (k
!= newinfo
->nentries
) {
809 BUGPRINT("Total nentries is wrong\n");
813 /* check if all valid hooks have a chain */
814 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++) {
815 if (newinfo
->hook_entry
[i
] == NULL
&&
816 (repl
->valid_hooks
& (1 << i
))) {
817 BUGPRINT("Valid hook without chain\n");
822 /* get the location of the udc, put them in an array
823 while we're at it, allocate the chainstack */
825 /* this will get free'd in do_replace()/ebt_register_table()
826 if an error occurs */
827 newinfo
->chainstack
=
828 vmalloc((highest_possible_processor_id()+1)
829 * sizeof(*(newinfo
->chainstack
)));
830 if (!newinfo
->chainstack
)
832 for_each_possible_cpu(i
) {
833 newinfo
->chainstack
[i
] =
834 vmalloc(udc_cnt
* sizeof(*(newinfo
->chainstack
[0])));
835 if (!newinfo
->chainstack
[i
]) {
837 vfree(newinfo
->chainstack
[--i
]);
838 vfree(newinfo
->chainstack
);
839 newinfo
->chainstack
= NULL
;
844 cl_s
= vmalloc(udc_cnt
* sizeof(*cl_s
));
847 i
= 0; /* the i'th udc */
848 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
849 ebt_get_udc_positions
, newinfo
, repl
->hook_entry
, &i
,
850 repl
->valid_hooks
, cl_s
);
853 BUGPRINT("i != udc_cnt\n");
859 /* Check for loops */
860 for (i
= 0; i
< NF_BR_NUMHOOKS
; i
++)
861 if (repl
->valid_hooks
& (1 << i
))
862 if (check_chainloops(newinfo
->hook_entry
[i
],
863 cl_s
, udc_cnt
, i
, newinfo
->entries
)) {
868 /* we now know the following (along with E=mc²):
869 - the nr of entries in each chain is right
870 - the size of the allocated space is right
871 - all valid hooks have a corresponding chain
873 - wrong data can still be on the level of a single entry
874 - could be there are jumps to places that are not the
875 beginning of a chain. This can only occur in chains that
876 are not accessible from any base chains, so we don't care. */
878 /* used to know what we need to clean up if something goes wrong */
880 ret
= EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
881 ebt_check_entry
, newinfo
, repl
->name
, &i
, repl
->valid_hooks
,
884 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
885 ebt_cleanup_entry
, &i
);
891 /* called under write_lock */
892 static void get_counters(struct ebt_counter
*oldcounters
,
893 struct ebt_counter
*counters
, unsigned int nentries
)
896 struct ebt_counter
*counter_base
;
898 /* counters of cpu 0 */
899 memcpy(counters
, oldcounters
,
900 sizeof(struct ebt_counter
) * nentries
);
902 /* add other counters to those of cpu 0 */
903 for_each_possible_cpu(cpu
) {
906 counter_base
= COUNTER_BASE(oldcounters
, nentries
, cpu
);
907 for (i
= 0; i
< nentries
; i
++) {
908 counters
[i
].pcnt
+= counter_base
[i
].pcnt
;
909 counters
[i
].bcnt
+= counter_base
[i
].bcnt
;
914 /* replace the table */
915 static int do_replace(void __user
*user
, unsigned int len
)
917 int ret
, i
, countersize
;
918 struct ebt_table_info
*newinfo
;
919 struct ebt_replace tmp
;
921 struct ebt_counter
*counterstmp
= NULL
;
922 /* used to be able to unlock earlier */
923 struct ebt_table_info
*table
;
925 if (copy_from_user(&tmp
, user
, sizeof(tmp
)) != 0)
928 if (len
!= sizeof(tmp
) + tmp
.entries_size
) {
929 BUGPRINT("Wrong len argument\n");
933 if (tmp
.entries_size
== 0) {
934 BUGPRINT("Entries_size never zero\n");
938 if (tmp
.nentries
>= ((INT_MAX
- sizeof(struct ebt_table_info
)) / NR_CPUS
-
939 SMP_CACHE_BYTES
) / sizeof(struct ebt_counter
))
941 if (tmp
.num_counters
>= INT_MAX
/ sizeof(struct ebt_counter
))
944 countersize
= COUNTER_OFFSET(tmp
.nentries
) *
945 (highest_possible_processor_id()+1);
946 newinfo
= vmalloc(sizeof(*newinfo
) + countersize
);
951 memset(newinfo
->counters
, 0, countersize
);
953 newinfo
->entries
= vmalloc(tmp
.entries_size
);
954 if (!newinfo
->entries
) {
959 newinfo
->entries
, tmp
.entries
, tmp
.entries_size
) != 0) {
960 BUGPRINT("Couldn't copy entries from userspace\n");
965 /* the user wants counters back
966 the check on the size is done later, when we have the lock */
967 if (tmp
.num_counters
) {
968 counterstmp
= vmalloc(tmp
.num_counters
* sizeof(*counterstmp
));
977 /* this can get initialized by translate_table() */
978 newinfo
->chainstack
= NULL
;
979 ret
= translate_table(&tmp
, newinfo
);
982 goto free_counterstmp
;
984 t
= find_table_lock(tmp
.name
, &ret
, &ebt_mutex
);
990 /* the table doesn't like it */
991 if (t
->check
&& (ret
= t
->check(newinfo
, tmp
.valid_hooks
)))
994 if (tmp
.num_counters
&& tmp
.num_counters
!= t
->private->nentries
) {
995 BUGPRINT("Wrong nr. of counters requested\n");
1000 /* we have the mutex lock, so no danger in reading this pointer */
1002 /* make sure the table can only be rmmod'ed if it contains no rules */
1003 if (!table
->nentries
&& newinfo
->nentries
&& !try_module_get(t
->me
)) {
1006 } else if (table
->nentries
&& !newinfo
->nentries
)
1008 /* we need an atomic snapshot of the counters */
1009 write_lock_bh(&t
->lock
);
1010 if (tmp
.num_counters
)
1011 get_counters(t
->private->counters
, counterstmp
,
1012 t
->private->nentries
);
1014 t
->private = newinfo
;
1015 write_unlock_bh(&t
->lock
);
1016 mutex_unlock(&ebt_mutex
);
1017 /* so, a user can change the chains while having messed up her counter
1018 allocation. Only reason why this is done is because this way the lock
1019 is held only once, while this doesn't bring the kernel into a
1021 if (tmp
.num_counters
&&
1022 copy_to_user(tmp
.counters
, counterstmp
,
1023 tmp
.num_counters
* sizeof(struct ebt_counter
))) {
1024 BUGPRINT("Couldn't copy counters to userspace\n");
1030 /* decrease module count and free resources */
1031 EBT_ENTRY_ITERATE(table
->entries
, table
->entries_size
,
1032 ebt_cleanup_entry
, NULL
);
1034 vfree(table
->entries
);
1035 if (table
->chainstack
) {
1036 for_each_possible_cpu(i
)
1037 vfree(table
->chainstack
[i
]);
1038 vfree(table
->chainstack
);
1046 mutex_unlock(&ebt_mutex
);
1048 EBT_ENTRY_ITERATE(newinfo
->entries
, newinfo
->entries_size
,
1049 ebt_cleanup_entry
, NULL
);
1052 /* can be initialized in translate_table() */
1053 if (newinfo
->chainstack
) {
1054 for_each_possible_cpu(i
)
1055 vfree(newinfo
->chainstack
[i
]);
1056 vfree(newinfo
->chainstack
);
1059 vfree(newinfo
->entries
);
1065 int ebt_register_target(struct ebt_target
*target
)
1069 ret
= mutex_lock_interruptible(&ebt_mutex
);
1072 if (!list_named_insert(&ebt_targets
, target
)) {
1073 mutex_unlock(&ebt_mutex
);
1076 mutex_unlock(&ebt_mutex
);
1081 void ebt_unregister_target(struct ebt_target
*target
)
1083 mutex_lock(&ebt_mutex
);
1084 LIST_DELETE(&ebt_targets
, target
);
1085 mutex_unlock(&ebt_mutex
);
1088 int ebt_register_match(struct ebt_match
*match
)
1092 ret
= mutex_lock_interruptible(&ebt_mutex
);
1095 if (!list_named_insert(&ebt_matches
, match
)) {
1096 mutex_unlock(&ebt_mutex
);
1099 mutex_unlock(&ebt_mutex
);
1104 void ebt_unregister_match(struct ebt_match
*match
)
1106 mutex_lock(&ebt_mutex
);
1107 LIST_DELETE(&ebt_matches
, match
);
1108 mutex_unlock(&ebt_mutex
);
1111 int ebt_register_watcher(struct ebt_watcher
*watcher
)
1115 ret
= mutex_lock_interruptible(&ebt_mutex
);
1118 if (!list_named_insert(&ebt_watchers
, watcher
)) {
1119 mutex_unlock(&ebt_mutex
);
1122 mutex_unlock(&ebt_mutex
);
1127 void ebt_unregister_watcher(struct ebt_watcher
*watcher
)
1129 mutex_lock(&ebt_mutex
);
1130 LIST_DELETE(&ebt_watchers
, watcher
);
1131 mutex_unlock(&ebt_mutex
);
1134 int ebt_register_table(struct ebt_table
*table
)
1136 struct ebt_table_info
*newinfo
;
1137 int ret
, i
, countersize
;
1139 if (!table
|| !table
->table
||!table
->table
->entries
||
1140 table
->table
->entries_size
== 0 ||
1141 table
->table
->counters
|| table
->private) {
1142 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1146 countersize
= COUNTER_OFFSET(table
->table
->nentries
) *
1147 (highest_possible_processor_id()+1);
1148 newinfo
= vmalloc(sizeof(*newinfo
) + countersize
);
1153 newinfo
->entries
= vmalloc(table
->table
->entries_size
);
1154 if (!(newinfo
->entries
))
1157 memcpy(newinfo
->entries
, table
->table
->entries
,
1158 table
->table
->entries_size
);
1161 memset(newinfo
->counters
, 0, countersize
);
1163 /* fill in newinfo and parse the entries */
1164 newinfo
->chainstack
= NULL
;
1165 ret
= translate_table(table
->table
, newinfo
);
1167 BUGPRINT("Translate_table failed\n");
1168 goto free_chainstack
;
1171 if (table
->check
&& table
->check(newinfo
, table
->valid_hooks
)) {
1172 BUGPRINT("The table doesn't like its own initial data, lol\n");
1176 table
->private = newinfo
;
1177 rwlock_init(&table
->lock
);
1178 ret
= mutex_lock_interruptible(&ebt_mutex
);
1180 goto free_chainstack
;
1182 if (list_named_find(&ebt_tables
, table
->name
)) {
1184 BUGPRINT("Table name already exists\n");
1188 /* Hold a reference count if the chains aren't empty */
1189 if (newinfo
->nentries
&& !try_module_get(table
->me
)) {
1193 list_prepend(&ebt_tables
, table
);
1194 mutex_unlock(&ebt_mutex
);
1197 mutex_unlock(&ebt_mutex
);
1199 if (newinfo
->chainstack
) {
1200 for_each_possible_cpu(i
)
1201 vfree(newinfo
->chainstack
[i
]);
1202 vfree(newinfo
->chainstack
);
1204 vfree(newinfo
->entries
);
1210 void ebt_unregister_table(struct ebt_table
*table
)
1215 BUGPRINT("Request to unregister NULL table!!!\n");
1218 mutex_lock(&ebt_mutex
);
1219 LIST_DELETE(&ebt_tables
, table
);
1220 mutex_unlock(&ebt_mutex
);
1221 vfree(table
->private->entries
);
1222 if (table
->private->chainstack
) {
1223 for_each_possible_cpu(i
)
1224 vfree(table
->private->chainstack
[i
]);
1225 vfree(table
->private->chainstack
);
1227 vfree(table
->private);
1230 /* userspace just supplied us with counters */
1231 static int update_counters(void __user
*user
, unsigned int len
)
1234 struct ebt_counter
*tmp
;
1235 struct ebt_replace hlp
;
1236 struct ebt_table
*t
;
1238 if (copy_from_user(&hlp
, user
, sizeof(hlp
)))
1241 if (len
!= sizeof(hlp
) + hlp
.num_counters
* sizeof(struct ebt_counter
))
1243 if (hlp
.num_counters
== 0)
1246 if (!(tmp
= vmalloc(hlp
.num_counters
* sizeof(*tmp
)))) {
1247 MEMPRINT("Update_counters && nomemory\n");
1251 t
= find_table_lock(hlp
.name
, &ret
, &ebt_mutex
);
1255 if (hlp
.num_counters
!= t
->private->nentries
) {
1256 BUGPRINT("Wrong nr of counters\n");
1261 if ( copy_from_user(tmp
, hlp
.counters
,
1262 hlp
.num_counters
* sizeof(struct ebt_counter
)) ) {
1263 BUGPRINT("Updata_counters && !cfu\n");
1268 /* we want an atomic add of the counters */
1269 write_lock_bh(&t
->lock
);
1271 /* we add to the counters of the first cpu */
1272 for (i
= 0; i
< hlp
.num_counters
; i
++) {
1273 t
->private->counters
[i
].pcnt
+= tmp
[i
].pcnt
;
1274 t
->private->counters
[i
].bcnt
+= tmp
[i
].bcnt
;
1277 write_unlock_bh(&t
->lock
);
1280 mutex_unlock(&ebt_mutex
);
1286 static inline int ebt_make_matchname(struct ebt_entry_match
*m
,
1287 char *base
, char *ubase
)
1289 char *hlp
= ubase
- base
+ (char *)m
;
1290 if (copy_to_user(hlp
, m
->u
.match
->name
, EBT_FUNCTION_MAXNAMELEN
))
1295 static inline int ebt_make_watchername(struct ebt_entry_watcher
*w
,
1296 char *base
, char *ubase
)
1298 char *hlp
= ubase
- base
+ (char *)w
;
1299 if (copy_to_user(hlp
, w
->u
.watcher
->name
, EBT_FUNCTION_MAXNAMELEN
))
1304 static inline int ebt_make_names(struct ebt_entry
*e
, char *base
, char *ubase
)
1308 struct ebt_entry_target
*t
;
1310 if ((e
->bitmask
& EBT_ENTRY_OR_ENTRIES
) == 0)
1313 hlp
= ubase
- base
+ (char *)e
+ e
->target_offset
;
1314 t
= (struct ebt_entry_target
*)(((char *)e
) + e
->target_offset
);
1316 ret
= EBT_MATCH_ITERATE(e
, ebt_make_matchname
, base
, ubase
);
1319 ret
= EBT_WATCHER_ITERATE(e
, ebt_make_watchername
, base
, ubase
);
1322 if (copy_to_user(hlp
, t
->u
.target
->name
, EBT_FUNCTION_MAXNAMELEN
))
1327 /* called with ebt_mutex locked */
1328 static int copy_everything_to_user(struct ebt_table
*t
, void __user
*user
,
1331 struct ebt_replace tmp
;
1332 struct ebt_counter
*counterstmp
, *oldcounters
;
1333 unsigned int entries_size
, nentries
;
1336 if (cmd
== EBT_SO_GET_ENTRIES
) {
1337 entries_size
= t
->private->entries_size
;
1338 nentries
= t
->private->nentries
;
1339 entries
= t
->private->entries
;
1340 oldcounters
= t
->private->counters
;
1342 entries_size
= t
->table
->entries_size
;
1343 nentries
= t
->table
->nentries
;
1344 entries
= t
->table
->entries
;
1345 oldcounters
= t
->table
->counters
;
1348 if (copy_from_user(&tmp
, user
, sizeof(tmp
))) {
1349 BUGPRINT("Cfu didn't work\n");
1353 if (*len
!= sizeof(struct ebt_replace
) + entries_size
+
1354 (tmp
.num_counters
? nentries
* sizeof(struct ebt_counter
): 0)) {
1355 BUGPRINT("Wrong size\n");
1359 if (tmp
.nentries
!= nentries
) {
1360 BUGPRINT("Nentries wrong\n");
1364 if (tmp
.entries_size
!= entries_size
) {
1365 BUGPRINT("Wrong size\n");
1369 /* userspace might not need the counters */
1370 if (tmp
.num_counters
) {
1371 if (tmp
.num_counters
!= nentries
) {
1372 BUGPRINT("Num_counters wrong\n");
1375 counterstmp
= vmalloc(nentries
* sizeof(*counterstmp
));
1377 MEMPRINT("Couldn't copy counters, out of memory\n");
1380 write_lock_bh(&t
->lock
);
1381 get_counters(oldcounters
, counterstmp
, nentries
);
1382 write_unlock_bh(&t
->lock
);
1384 if (copy_to_user(tmp
.counters
, counterstmp
,
1385 nentries
* sizeof(struct ebt_counter
))) {
1386 BUGPRINT("Couldn't copy counters to userspace\n");
1393 if (copy_to_user(tmp
.entries
, entries
, entries_size
)) {
1394 BUGPRINT("Couldn't copy entries to userspace\n");
1397 /* set the match/watcher/target names right */
1398 return EBT_ENTRY_ITERATE(entries
, entries_size
,
1399 ebt_make_names
, entries
, tmp
.entries
);
1402 static int do_ebt_set_ctl(struct sock
*sk
,
1403 int cmd
, void __user
*user
, unsigned int len
)
1408 case EBT_SO_SET_ENTRIES
:
1409 ret
= do_replace(user
, len
);
1411 case EBT_SO_SET_COUNTERS
:
1412 ret
= update_counters(user
, len
);
1420 static int do_ebt_get_ctl(struct sock
*sk
, int cmd
, void __user
*user
, int *len
)
1423 struct ebt_replace tmp
;
1424 struct ebt_table
*t
;
1426 if (copy_from_user(&tmp
, user
, sizeof(tmp
)))
1429 t
= find_table_lock(tmp
.name
, &ret
, &ebt_mutex
);
1434 case EBT_SO_GET_INFO
:
1435 case EBT_SO_GET_INIT_INFO
:
1436 if (*len
!= sizeof(struct ebt_replace
)){
1438 mutex_unlock(&ebt_mutex
);
1441 if (cmd
== EBT_SO_GET_INFO
) {
1442 tmp
.nentries
= t
->private->nentries
;
1443 tmp
.entries_size
= t
->private->entries_size
;
1444 tmp
.valid_hooks
= t
->valid_hooks
;
1446 tmp
.nentries
= t
->table
->nentries
;
1447 tmp
.entries_size
= t
->table
->entries_size
;
1448 tmp
.valid_hooks
= t
->table
->valid_hooks
;
1450 mutex_unlock(&ebt_mutex
);
1451 if (copy_to_user(user
, &tmp
, *len
) != 0){
1452 BUGPRINT("c2u Didn't work\n");
1459 case EBT_SO_GET_ENTRIES
:
1460 case EBT_SO_GET_INIT_ENTRIES
:
1461 ret
= copy_everything_to_user(t
, user
, len
, cmd
);
1462 mutex_unlock(&ebt_mutex
);
1466 mutex_unlock(&ebt_mutex
);
1473 static struct nf_sockopt_ops ebt_sockopts
=
1476 .set_optmin
= EBT_BASE_CTL
,
1477 .set_optmax
= EBT_SO_SET_MAX
+ 1,
1478 .set
= do_ebt_set_ctl
,
1479 .get_optmin
= EBT_BASE_CTL
,
1480 .get_optmax
= EBT_SO_GET_MAX
+ 1,
1481 .get
= do_ebt_get_ctl
,
1484 static int __init
ebtables_init(void)
1488 mutex_lock(&ebt_mutex
);
1489 list_named_insert(&ebt_targets
, &ebt_standard_target
);
1490 mutex_unlock(&ebt_mutex
);
1491 if ((ret
= nf_register_sockopt(&ebt_sockopts
)) < 0)
1494 printk(KERN_NOTICE
"Ebtables v2.0 registered\n");
1498 static void __exit
ebtables_fini(void)
1500 nf_unregister_sockopt(&ebt_sockopts
);
1501 printk(KERN_NOTICE
"Ebtables v2.0 unregistered\n");
1504 EXPORT_SYMBOL(ebt_register_table
);
1505 EXPORT_SYMBOL(ebt_unregister_table
);
1506 EXPORT_SYMBOL(ebt_register_match
);
1507 EXPORT_SYMBOL(ebt_unregister_match
);
1508 EXPORT_SYMBOL(ebt_register_watcher
);
1509 EXPORT_SYMBOL(ebt_unregister_watcher
);
1510 EXPORT_SYMBOL(ebt_register_target
);
1511 EXPORT_SYMBOL(ebt_unregister_target
);
1512 EXPORT_SYMBOL(ebt_do_table
);
1513 module_init(ebtables_init
);
1514 module_exit(ebtables_fini
);
1515 MODULE_LICENSE("GPL");