5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
59 static struct xt_target ebt_standard_target = {
62 .family = NFPROTO_BRIDGE,
63 .targetsize = sizeof(int),
67 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
68 struct xt_target_param *par)
70 par->target = w->u.watcher;
71 par->targinfo = w->data;
72 w->u.watcher->target(skb, par);
73 /* watchers don't give a verdict */
77 static inline int ebt_do_match (struct ebt_entry_match *m,
78 const struct sk_buff *skb, struct xt_match_param *par)
80 par->match = m->u.match;
81 par->matchinfo = m->data;
82 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
85 static inline int ebt_dev_check(char *entry, const struct net_device *device)
94 devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
146 struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
148 return (void *)entry + entry->next_offset;
151 /* Do some firewalling */
152 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
153 const struct net_device *in, const struct net_device *out,
154 struct ebt_table *table)
157 struct ebt_entry *point;
158 struct ebt_counter *counter_base, *cb_base;
159 struct ebt_entry_target *t;
161 struct ebt_chainstack *cs;
162 struct ebt_entries *chaininfo;
164 struct ebt_table_info *private;
165 bool hotdrop = false;
166 struct xt_match_param mtpar;
167 struct xt_target_param tgpar;
169 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
170 mtpar.in = tgpar.in = in;
171 mtpar.out = tgpar.out = out;
172 mtpar.hotdrop = &hotdrop;
173 mtpar.hooknum = tgpar.hooknum = hook;
175 read_lock_bh(&table->lock);
176 private = table->private;
177 cb_base = COUNTER_BASE(private->counters, private->nentries,
179 if (private->chainstack)
180 cs = private->chainstack[smp_processor_id()];
183 chaininfo = private->hook_entry[hook];
184 nentries = private->hook_entry[hook]->nentries;
185 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
186 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
187 /* base for chain jumps */
188 base = private->entries;
190 while (i < nentries) {
191 if (ebt_basic_match(point, eth_hdr(skb), in, out))
194 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
197 read_unlock_bh(&table->lock);
201 /* increase counter */
202 (*(counter_base + i)).pcnt++;
203 (*(counter_base + i)).bcnt += skb->len;
205 /* these should only watch: not modify, nor tell us
206 what to do with the packet */
207 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
209 t = (struct ebt_entry_target *)
210 (((char *)point) + point->target_offset);
211 /* standard target */
212 if (!t->u.target->target)
213 verdict = ((struct ebt_standard_target *)t)->verdict;
215 tgpar.target = t->u.target;
216 tgpar.targinfo = t->data;
217 verdict = t->u.target->target(skb, &tgpar);
219 if (verdict == EBT_ACCEPT) {
220 read_unlock_bh(&table->lock);
223 if (verdict == EBT_DROP) {
224 read_unlock_bh(&table->lock);
227 if (verdict == EBT_RETURN) {
229 #ifdef CONFIG_NETFILTER_DEBUG
231 BUGPRINT("RETURN on base chain");
232 /* act like this is EBT_CONTINUE */
237 /* put all the local variables right */
239 chaininfo = cs[sp].chaininfo;
240 nentries = chaininfo->nentries;
242 counter_base = cb_base +
243 chaininfo->counter_offset;
246 if (verdict == EBT_CONTINUE)
248 #ifdef CONFIG_NETFILTER_DEBUG
250 BUGPRINT("bogus standard verdict\n");
251 read_unlock_bh(&table->lock);
257 cs[sp].chaininfo = chaininfo;
258 cs[sp].e = ebt_next_entry(point);
260 chaininfo = (struct ebt_entries *) (base + verdict);
261 #ifdef CONFIG_NETFILTER_DEBUG
262 if (chaininfo->distinguisher) {
263 BUGPRINT("jump to non-chain\n");
264 read_unlock_bh(&table->lock);
268 nentries = chaininfo->nentries;
269 point = (struct ebt_entry *)chaininfo->data;
270 counter_base = cb_base + chaininfo->counter_offset;
274 point = ebt_next_entry(point);
278 /* I actually like this :) */
279 if (chaininfo->policy == EBT_RETURN)
281 if (chaininfo->policy == EBT_ACCEPT) {
282 read_unlock_bh(&table->lock);
285 read_unlock_bh(&table->lock);
289 /* If it succeeds, returns element and locks mutex */
291 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
295 struct list_head list;
296 char name[EBT_FUNCTION_MAXNAMELEN];
299 *error = mutex_lock_interruptible(mutex);
303 list_for_each_entry(e, head, list) {
304 if (strcmp(e->name, name) == 0)
313 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
314 int *error, struct mutex *mutex)
316 return try_then_request_module(
317 find_inlist_lock_noload(head, name, error, mutex),
318 "%s%s", prefix, name);
321 static inline struct ebt_table *
322 find_table_lock(struct net *net, const char *name, int *error,
325 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
326 "ebtable_", error, mutex);
330 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
333 const struct ebt_entry *e = par->entryinfo;
334 struct xt_match *match;
335 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
338 if (left < sizeof(struct ebt_entry_match) ||
339 left - sizeof(struct ebt_entry_match) < m->match_size)
342 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
343 m->u.name, 0), "ebt_%s", m->u.name);
345 return PTR_ERR(match);
351 par->matchinfo = m->data;
352 ret = xt_check_match(par, m->match_size,
353 e->ethproto, e->invflags & EBT_IPROTO);
355 module_put(match->me);
364 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
367 const struct ebt_entry *e = par->entryinfo;
368 struct xt_target *watcher;
369 size_t left = ((char *)e + e->target_offset) - (char *)w;
372 if (left < sizeof(struct ebt_entry_watcher) ||
373 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
376 watcher = try_then_request_module(
377 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
378 "ebt_%s", w->u.name);
380 return PTR_ERR(watcher);
383 w->u.watcher = watcher;
385 par->target = watcher;
386 par->targinfo = w->data;
387 ret = xt_check_target(par, w->watcher_size,
388 e->ethproto, e->invflags & EBT_IPROTO);
390 module_put(watcher->me);
398 static int ebt_verify_pointers(struct ebt_replace *repl,
399 struct ebt_table_info *newinfo)
401 unsigned int limit = repl->entries_size;
402 unsigned int valid_hooks = repl->valid_hooks;
403 unsigned int offset = 0;
406 for (i = 0; i < NF_BR_NUMHOOKS; i++)
407 newinfo->hook_entry[i] = NULL;
409 newinfo->entries_size = repl->entries_size;
410 newinfo->nentries = repl->nentries;
412 while (offset < limit) {
413 size_t left = limit - offset;
414 struct ebt_entry *e = (void *)newinfo->entries + offset;
416 if (left < sizeof(unsigned int))
419 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
420 if ((valid_hooks & (1 << i)) == 0)
422 if ((char __user *)repl->hook_entry[i] ==
423 repl->entries + offset)
427 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
428 if (e->bitmask != 0) {
429 /* we make userspace set this right,
430 so there is no misunderstanding */
431 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
432 "in distinguisher\n");
435 if (i != NF_BR_NUMHOOKS)
436 newinfo->hook_entry[i] = (struct ebt_entries *)e;
437 if (left < sizeof(struct ebt_entries))
439 offset += sizeof(struct ebt_entries);
441 if (left < sizeof(struct ebt_entry))
443 if (left < e->next_offset)
445 offset += e->next_offset;
448 if (offset != limit) {
449 BUGPRINT("entries_size too small\n");
453 /* check if all valid hooks have a chain */
454 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
455 if (!newinfo->hook_entry[i] &&
456 (valid_hooks & (1 << i))) {
457 BUGPRINT("Valid hook without chain\n");
465 * this one is very careful, as it is the first function
466 * to parse the userspace data
469 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
470 struct ebt_table_info *newinfo,
471 unsigned int *n, unsigned int *cnt,
472 unsigned int *totalcnt, unsigned int *udc_cnt)
476 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
477 if ((void *)e == (void *)newinfo->hook_entry[i])
480 /* beginning of a new chain
481 if i == NF_BR_NUMHOOKS it must be a user defined chain */
482 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
483 /* this checks if the previous chain has as many entries
486 BUGPRINT("nentries does not equal the nr of entries "
490 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
491 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
492 /* only RETURN from udc */
493 if (i != NF_BR_NUMHOOKS ||
494 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
495 BUGPRINT("bad policy\n");
499 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
501 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
502 BUGPRINT("counter_offset != totalcnt");
505 *n = ((struct ebt_entries *)e)->nentries;
509 /* a plain old entry, heh */
510 if (sizeof(struct ebt_entry) > e->watchers_offset ||
511 e->watchers_offset > e->target_offset ||
512 e->target_offset >= e->next_offset) {
513 BUGPRINT("entry offsets not in right order\n");
516 /* this is not checked anywhere else */
517 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
518 BUGPRINT("target size too small\n");
528 struct ebt_chainstack cs;
530 unsigned int hookmask;
534 * we need these positions to check that the jumps to a different part of the
535 * entries is a jump to the beginning of a new chain.
538 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
539 unsigned int *n, struct ebt_cl_stack *udc)
543 /* we're only interested in chain starts */
546 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
547 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
550 /* only care about udc */
551 if (i != NF_BR_NUMHOOKS)
554 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
555 /* these initialisations are depended on later in check_chainloops() */
557 udc[*n].hookmask = 0;
564 ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
566 struct xt_mtdtor_param par;
568 if (i && (*i)-- == 0)
572 par.match = m->u.match;
573 par.matchinfo = m->data;
574 par.family = NFPROTO_BRIDGE;
575 if (par.match->destroy != NULL)
576 par.match->destroy(&par);
577 module_put(par.match->me);
582 ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
584 struct xt_tgdtor_param par;
586 if (i && (*i)-- == 0)
590 par.target = w->u.watcher;
591 par.targinfo = w->data;
592 par.family = NFPROTO_BRIDGE;
593 if (par.target->destroy != NULL)
594 par.target->destroy(&par);
595 module_put(par.target->me);
600 ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
602 struct xt_tgdtor_param par;
603 struct ebt_entry_target *t;
608 if (cnt && (*cnt)-- == 0)
610 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
611 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
612 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
615 par.target = t->u.target;
616 par.targinfo = t->data;
617 par.family = NFPROTO_BRIDGE;
618 if (par.target->destroy != NULL)
619 par.target->destroy(&par);
620 module_put(par.target->me);
625 ebt_check_entry(struct ebt_entry *e,
627 struct ebt_table_info *newinfo,
628 const char *name, unsigned int *cnt,
629 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
631 struct ebt_entry_target *t;
632 struct xt_target *target;
633 unsigned int i, j, hook = 0, hookmask = 0;
636 struct xt_mtchk_param mtpar;
637 struct xt_tgchk_param tgpar;
639 /* don't mess with the struct ebt_entries */
643 if (e->bitmask & ~EBT_F_MASK) {
644 BUGPRINT("Unknown flag for bitmask\n");
647 if (e->invflags & ~EBT_INV_MASK) {
648 BUGPRINT("Unknown flag for inv bitmask\n");
651 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
652 BUGPRINT("NOPROTO & 802_3 not allowed\n");
655 /* what hook do we belong to? */
656 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
657 if (!newinfo->hook_entry[i])
659 if ((char *)newinfo->hook_entry[i] < (char *)e)
664 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
666 if (i < NF_BR_NUMHOOKS)
667 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
669 for (i = 0; i < udc_cnt; i++)
670 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
673 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
675 hookmask = cl_s[i - 1].hookmask;
679 mtpar.net = tgpar.net = net;
680 mtpar.table = tgpar.table = name;
681 mtpar.entryinfo = tgpar.entryinfo = e;
682 mtpar.hook_mask = tgpar.hook_mask = hookmask;
683 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
684 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
686 goto cleanup_matches;
688 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
690 goto cleanup_watchers;
691 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
692 gap = e->next_offset - e->target_offset;
694 target = try_then_request_module(
695 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
696 "ebt_%s", t->u.name);
697 if (IS_ERR(target)) {
698 ret = PTR_ERR(target);
699 goto cleanup_watchers;
700 } else if (target == NULL) {
702 goto cleanup_watchers;
705 t->u.target = target;
706 if (t->u.target == &ebt_standard_target) {
707 if (gap < sizeof(struct ebt_standard_target)) {
708 BUGPRINT("Standard target size too big\n");
710 goto cleanup_watchers;
712 if (((struct ebt_standard_target *)t)->verdict <
713 -NUM_STANDARD_TARGETS) {
714 BUGPRINT("Invalid standard target\n");
716 goto cleanup_watchers;
718 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
719 module_put(t->u.target->me);
721 goto cleanup_watchers;
724 tgpar.target = target;
725 tgpar.targinfo = t->data;
726 ret = xt_check_target(&tgpar, t->target_size,
727 e->ethproto, e->invflags & EBT_IPROTO);
729 module_put(target->me);
730 goto cleanup_watchers;
735 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
737 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
742 * checks for loops and sets the hook mask for udc
743 * the hook mask for udc tells us from which base chains the udc can be
744 * accessed. This mask is a parameter to the check() functions of the extensions
746 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
747 unsigned int udc_cnt, unsigned int hooknr, char *base)
749 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
750 struct ebt_entry *e = (struct ebt_entry *)chain->data;
751 struct ebt_entry_target *t;
753 while (pos < nentries || chain_nr != -1) {
754 /* end of udc, go back one 'recursion' step */
755 if (pos == nentries) {
756 /* put back values of the time when this chain was called */
757 e = cl_s[chain_nr].cs.e;
758 if (cl_s[chain_nr].from != -1)
760 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
762 nentries = chain->nentries;
763 pos = cl_s[chain_nr].cs.n;
764 /* make sure we won't see a loop that isn't one */
765 cl_s[chain_nr].cs.n = 0;
766 chain_nr = cl_s[chain_nr].from;
770 t = (struct ebt_entry_target *)
771 (((char *)e) + e->target_offset);
772 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
774 if (e->target_offset + sizeof(struct ebt_standard_target) >
776 BUGPRINT("Standard target size too big\n");
779 verdict = ((struct ebt_standard_target *)t)->verdict;
780 if (verdict >= 0) { /* jump to another chain */
781 struct ebt_entries *hlp2 =
782 (struct ebt_entries *)(base + verdict);
783 for (i = 0; i < udc_cnt; i++)
784 if (hlp2 == cl_s[i].cs.chaininfo)
786 /* bad destination or loop */
788 BUGPRINT("bad destination\n");
795 if (cl_s[i].hookmask & (1 << hooknr))
797 /* this can't be 0, so the loop test is correct */
798 cl_s[i].cs.n = pos + 1;
800 cl_s[i].cs.e = ebt_next_entry(e);
801 e = (struct ebt_entry *)(hlp2->data);
802 nentries = hlp2->nentries;
803 cl_s[i].from = chain_nr;
805 /* this udc is accessible from the base chain for hooknr */
806 cl_s[i].hookmask |= (1 << hooknr);
810 e = ebt_next_entry(e);
816 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
817 static int translate_table(struct net *net, char *name,
818 struct ebt_table_info *newinfo)
820 unsigned int i, j, k, udc_cnt;
822 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
825 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
827 if (i == NF_BR_NUMHOOKS) {
828 BUGPRINT("No valid hooks specified\n");
831 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
832 BUGPRINT("Chains don't start at beginning\n");
835 /* make sure chains are ordered after each other in same order
836 as their corresponding hooks */
837 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
838 if (!newinfo->hook_entry[j])
840 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
841 BUGPRINT("Hook order must be followed\n");
847 /* do some early checkings and initialize some things */
848 i = 0; /* holds the expected nr. of entries for the chain */
849 j = 0; /* holds the up to now counted entries for the chain */
850 k = 0; /* holds the total nr. of entries, should equal
851 newinfo->nentries afterwards */
852 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
853 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
854 ebt_check_entry_size_and_hooks, newinfo,
855 &i, &j, &k, &udc_cnt);
861 BUGPRINT("nentries does not equal the nr of entries in the "
865 if (k != newinfo->nentries) {
866 BUGPRINT("Total nentries is wrong\n");
870 /* get the location of the udc, put them in an array
871 while we're at it, allocate the chainstack */
873 /* this will get free'd in do_replace()/ebt_register_table()
874 if an error occurs */
875 newinfo->chainstack =
876 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
877 if (!newinfo->chainstack)
879 for_each_possible_cpu(i) {
880 newinfo->chainstack[i] =
881 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
882 if (!newinfo->chainstack[i]) {
884 vfree(newinfo->chainstack[--i]);
885 vfree(newinfo->chainstack);
886 newinfo->chainstack = NULL;
891 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
894 i = 0; /* the i'th udc */
895 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
896 ebt_get_udc_positions, newinfo, &i, cl_s);
899 BUGPRINT("i != udc_cnt\n");
905 /* Check for loops */
906 for (i = 0; i < NF_BR_NUMHOOKS; i++)
907 if (newinfo->hook_entry[i])
908 if (check_chainloops(newinfo->hook_entry[i],
909 cl_s, udc_cnt, i, newinfo->entries)) {
914 /* we now know the following (along with E=mc²):
915 - the nr of entries in each chain is right
916 - the size of the allocated space is right
917 - all valid hooks have a corresponding chain
919 - wrong data can still be on the level of a single entry
920 - could be there are jumps to places that are not the
921 beginning of a chain. This can only occur in chains that
922 are not accessible from any base chains, so we don't care. */
924 /* used to know what we need to clean up if something goes wrong */
926 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
927 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
929 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
930 ebt_cleanup_entry, net, &i);
936 /* called under write_lock */
937 static void get_counters(struct ebt_counter *oldcounters,
938 struct ebt_counter *counters, unsigned int nentries)
941 struct ebt_counter *counter_base;
943 /* counters of cpu 0 */
944 memcpy(counters, oldcounters,
945 sizeof(struct ebt_counter) * nentries);
947 /* add other counters to those of cpu 0 */
948 for_each_possible_cpu(cpu) {
951 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
952 for (i = 0; i < nentries; i++) {
953 counters[i].pcnt += counter_base[i].pcnt;
954 counters[i].bcnt += counter_base[i].bcnt;
959 /* replace the table */
960 static int do_replace(struct net *net, void __user *user, unsigned int len)
962 int ret, i, countersize;
963 struct ebt_table_info *newinfo;
964 struct ebt_replace tmp;
966 struct ebt_counter *counterstmp = NULL;
967 /* used to be able to unlock earlier */
968 struct ebt_table_info *table;
970 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
973 if (len != sizeof(tmp) + tmp.entries_size) {
974 BUGPRINT("Wrong len argument\n");
978 if (tmp.entries_size == 0) {
979 BUGPRINT("Entries_size never zero\n");
983 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
984 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
986 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
989 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
990 newinfo = vmalloc(sizeof(*newinfo) + countersize);
995 memset(newinfo->counters, 0, countersize);
997 newinfo->entries = vmalloc(tmp.entries_size);
998 if (!newinfo->entries) {
1003 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1004 BUGPRINT("Couldn't copy entries from userspace\n");
1009 /* the user wants counters back
1010 the check on the size is done later, when we have the lock */
1011 if (tmp.num_counters) {
1012 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1021 /* this can get initialized by translate_table() */
1022 newinfo->chainstack = NULL;
1023 ret = ebt_verify_pointers(&tmp, newinfo);
1025 goto free_counterstmp;
1027 ret = translate_table(net, tmp.name, newinfo);
1030 goto free_counterstmp;
1032 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1038 /* the table doesn't like it */
1039 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1042 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1043 BUGPRINT("Wrong nr. of counters requested\n");
1048 /* we have the mutex lock, so no danger in reading this pointer */
1050 /* make sure the table can only be rmmod'ed if it contains no rules */
1051 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1054 } else if (table->nentries && !newinfo->nentries)
1056 /* we need an atomic snapshot of the counters */
1057 write_lock_bh(&t->lock);
1058 if (tmp.num_counters)
1059 get_counters(t->private->counters, counterstmp,
1060 t->private->nentries);
1062 t->private = newinfo;
1063 write_unlock_bh(&t->lock);
1064 mutex_unlock(&ebt_mutex);
1065 /* so, a user can change the chains while having messed up her counter
1066 allocation. Only reason why this is done is because this way the lock
1067 is held only once, while this doesn't bring the kernel into a
1069 if (tmp.num_counters &&
1070 copy_to_user(tmp.counters, counterstmp,
1071 tmp.num_counters * sizeof(struct ebt_counter))) {
1072 BUGPRINT("Couldn't copy counters to userspace\n");
1078 /* decrease module count and free resources */
1079 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1080 ebt_cleanup_entry, net, NULL);
1082 vfree(table->entries);
1083 if (table->chainstack) {
1084 for_each_possible_cpu(i)
1085 vfree(table->chainstack[i]);
1086 vfree(table->chainstack);
1094 mutex_unlock(&ebt_mutex);
1096 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1097 ebt_cleanup_entry, net, NULL);
1100 /* can be initialized in translate_table() */
1101 if (newinfo->chainstack) {
1102 for_each_possible_cpu(i)
1103 vfree(newinfo->chainstack[i]);
1104 vfree(newinfo->chainstack);
1107 vfree(newinfo->entries);
1114 ebt_register_table(struct net *net, const struct ebt_table *input_table)
1116 struct ebt_table_info *newinfo;
1117 struct ebt_table *t, *table;
1118 struct ebt_replace_kernel *repl;
1119 int ret, i, countersize;
1122 if (input_table == NULL || (repl = input_table->table) == NULL ||
1123 repl->entries == 0 || repl->entries_size == 0 ||
1124 repl->counters != NULL || input_table->private != NULL) {
1125 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1126 return ERR_PTR(-EINVAL);
1129 /* Don't add one table to multiple lists. */
1130 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1136 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1137 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1142 p = vmalloc(repl->entries_size);
1146 memcpy(p, repl->entries, repl->entries_size);
1147 newinfo->entries = p;
1149 newinfo->entries_size = repl->entries_size;
1150 newinfo->nentries = repl->nentries;
1153 memset(newinfo->counters, 0, countersize);
1155 /* fill in newinfo and parse the entries */
1156 newinfo->chainstack = NULL;
1157 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1158 if ((repl->valid_hooks & (1 << i)) == 0)
1159 newinfo->hook_entry[i] = NULL;
1161 newinfo->hook_entry[i] = p +
1162 ((char *)repl->hook_entry[i] - repl->entries);
1164 ret = translate_table(net, repl->name, newinfo);
1166 BUGPRINT("Translate_table failed\n");
1167 goto free_chainstack;
1170 if (table->check && table->check(newinfo, table->valid_hooks)) {
1171 BUGPRINT("The table doesn't like its own initial data, lol\n");
1172 return ERR_PTR(-EINVAL);
1175 table->private = newinfo;
1176 rwlock_init(&table->lock);
1177 ret = mutex_lock_interruptible(&ebt_mutex);
1179 goto free_chainstack;
1181 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1182 if (strcmp(t->name, table->name) == 0) {
1184 BUGPRINT("Table name already exists\n");
1189 /* Hold a reference count if the chains aren't empty */
1190 if (newinfo->nentries && !try_module_get(table->me)) {
1194 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1195 mutex_unlock(&ebt_mutex);
1198 mutex_unlock(&ebt_mutex);
1200 if (newinfo->chainstack) {
1201 for_each_possible_cpu(i)
1202 vfree(newinfo->chainstack[i]);
1203 vfree(newinfo->chainstack);
1205 vfree(newinfo->entries);
1211 return ERR_PTR(ret);
1214 void ebt_unregister_table(struct net *net, struct ebt_table *table)
1219 BUGPRINT("Request to unregister NULL table!!!\n");
1222 mutex_lock(&ebt_mutex);
1223 list_del(&table->list);
1224 mutex_unlock(&ebt_mutex);
1225 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1226 ebt_cleanup_entry, net, NULL);
1227 if (table->private->nentries)
1228 module_put(table->me);
1229 vfree(table->private->entries);
1230 if (table->private->chainstack) {
1231 for_each_possible_cpu(i)
1232 vfree(table->private->chainstack[i]);
1233 vfree(table->private->chainstack);
1235 vfree(table->private);
1239 /* userspace just supplied us with counters */
1240 static int update_counters(struct net *net, void __user *user, unsigned int len)
1243 struct ebt_counter *tmp;
1244 struct ebt_replace hlp;
1245 struct ebt_table *t;
1247 if (copy_from_user(&hlp, user, sizeof(hlp)))
1250 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1252 if (hlp.num_counters == 0)
1255 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1256 MEMPRINT("Update_counters && nomemory\n");
1260 t = find_table_lock(net, hlp.name, &ret, &ebt_mutex);
1264 if (hlp.num_counters != t->private->nentries) {
1265 BUGPRINT("Wrong nr of counters\n");
1270 if ( copy_from_user(tmp, hlp.counters,
1271 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1272 BUGPRINT("Updata_counters && !cfu\n");
1277 /* we want an atomic add of the counters */
1278 write_lock_bh(&t->lock);
1280 /* we add to the counters of the first cpu */
1281 for (i = 0; i < hlp.num_counters; i++) {
1282 t->private->counters[i].pcnt += tmp[i].pcnt;
1283 t->private->counters[i].bcnt += tmp[i].bcnt;
1286 write_unlock_bh(&t->lock);
1289 mutex_unlock(&ebt_mutex);
1295 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1296 char *base, char __user *ubase)
1298 char __user *hlp = ubase + ((char *)m - base);
1299 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1304 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1305 char *base, char __user *ubase)
1307 char __user *hlp = ubase + ((char *)w - base);
1308 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1313 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1317 struct ebt_entry_target *t;
1319 if (e->bitmask == 0)
1322 hlp = ubase + (((char *)e + e->target_offset) - base);
1323 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1325 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1328 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1331 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1336 /* called with ebt_mutex locked */
1337 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1340 struct ebt_replace tmp;
1341 struct ebt_counter *counterstmp, *oldcounters;
1342 unsigned int entries_size, nentries;
1345 if (cmd == EBT_SO_GET_ENTRIES) {
1346 entries_size = t->private->entries_size;
1347 nentries = t->private->nentries;
1348 entries = t->private->entries;
1349 oldcounters = t->private->counters;
1351 entries_size = t->table->entries_size;
1352 nentries = t->table->nentries;
1353 entries = t->table->entries;
1354 oldcounters = t->table->counters;
1357 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1358 BUGPRINT("Cfu didn't work\n");
1362 if (*len != sizeof(struct ebt_replace) + entries_size +
1363 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1364 BUGPRINT("Wrong size\n");
1368 if (tmp.nentries != nentries) {
1369 BUGPRINT("Nentries wrong\n");
1373 if (tmp.entries_size != entries_size) {
1374 BUGPRINT("Wrong size\n");
1378 /* userspace might not need the counters */
1379 if (tmp.num_counters) {
1380 if (tmp.num_counters != nentries) {
1381 BUGPRINT("Num_counters wrong\n");
1384 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1386 MEMPRINT("Couldn't copy counters, out of memory\n");
1389 write_lock_bh(&t->lock);
1390 get_counters(oldcounters, counterstmp, nentries);
1391 write_unlock_bh(&t->lock);
1393 if (copy_to_user(tmp.counters, counterstmp,
1394 nentries * sizeof(struct ebt_counter))) {
1395 BUGPRINT("Couldn't copy counters to userspace\n");
1402 if (copy_to_user(tmp.entries, entries, entries_size)) {
1403 BUGPRINT("Couldn't copy entries to userspace\n");
1406 /* set the match/watcher/target names right */
1407 return EBT_ENTRY_ITERATE(entries, entries_size,
1408 ebt_make_names, entries, tmp.entries);
1411 static int do_ebt_set_ctl(struct sock *sk,
1412 int cmd, void __user *user, unsigned int len)
1416 if (!capable(CAP_NET_ADMIN))
1420 case EBT_SO_SET_ENTRIES:
1421 ret = do_replace(sock_net(sk), user, len);
1423 case EBT_SO_SET_COUNTERS:
1424 ret = update_counters(sock_net(sk), user, len);
1432 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1435 struct ebt_replace tmp;
1436 struct ebt_table *t;
1438 if (!capable(CAP_NET_ADMIN))
1441 if (copy_from_user(&tmp, user, sizeof(tmp)))
1444 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1449 case EBT_SO_GET_INFO:
1450 case EBT_SO_GET_INIT_INFO:
1451 if (*len != sizeof(struct ebt_replace)){
1453 mutex_unlock(&ebt_mutex);
1456 if (cmd == EBT_SO_GET_INFO) {
1457 tmp.nentries = t->private->nentries;
1458 tmp.entries_size = t->private->entries_size;
1459 tmp.valid_hooks = t->valid_hooks;
1461 tmp.nentries = t->table->nentries;
1462 tmp.entries_size = t->table->entries_size;
1463 tmp.valid_hooks = t->table->valid_hooks;
1465 mutex_unlock(&ebt_mutex);
1466 if (copy_to_user(user, &tmp, *len) != 0){
1467 BUGPRINT("c2u Didn't work\n");
1474 case EBT_SO_GET_ENTRIES:
1475 case EBT_SO_GET_INIT_ENTRIES:
1476 ret = copy_everything_to_user(t, user, len, cmd);
1477 mutex_unlock(&ebt_mutex);
1481 mutex_unlock(&ebt_mutex);
1488 static struct nf_sockopt_ops ebt_sockopts =
1491 .set_optmin = EBT_BASE_CTL,
1492 .set_optmax = EBT_SO_SET_MAX + 1,
1493 .set = do_ebt_set_ctl,
1494 .get_optmin = EBT_BASE_CTL,
1495 .get_optmax = EBT_SO_GET_MAX + 1,
1496 .get = do_ebt_get_ctl,
1497 .owner = THIS_MODULE,
1500 static int __init ebtables_init(void)
1504 ret = xt_register_target(&ebt_standard_target);
1507 ret = nf_register_sockopt(&ebt_sockopts);
1509 xt_unregister_target(&ebt_standard_target);
1513 printk(KERN_INFO "Ebtables v2.0 registered\n");
1517 static void __exit ebtables_fini(void)
1519 nf_unregister_sockopt(&ebt_sockopts);
1520 xt_unregister_target(&ebt_standard_target);
1521 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1524 EXPORT_SYMBOL(ebt_register_table);
1525 EXPORT_SYMBOL(ebt_unregister_table);
1526 EXPORT_SYMBOL(ebt_do_table);
1527 module_init(ebtables_init);
1528 module_exit(ebtables_fini);
1529 MODULE_LICENSE("GPL");