5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
18 /* used for print_string */
19 #include <linux/sched.h>
20 #include <linux/tty.h>
22 #include <linux/kmod.h>
23 #include <linux/module.h>
24 #include <linux/vmalloc.h>
25 #include <linux/netfilter_bridge/ebtables.h>
26 #include <linux/spinlock.h>
27 #include <asm/uaccess.h>
28 #include <linux/smp.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
34 #define ASSERT_READ_LOCK(x)
35 #define ASSERT_WRITE_LOCK(x)
36 #include <linux/netfilter_ipv4/listhelp.h>
39 /* use this for remote debugging
40 * Copyright (C) 1998 by Ori Pomerantz
41 * Print the string to the appropriate tty, the one
42 * the current task uses
44 static void print_string(char *str)
46 struct tty_struct *my_tty;
48 /* The tty for the current task */
49 my_tty = current->signal->tty;
51 my_tty->driver->write(my_tty, 0, str, strlen(str));
52 my_tty->driver->write(my_tty, 0, "\015\012", 2);
56 #define BUGPRINT(args) print_string(args);
58 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
59 "report to author: "format, ## args)
60 /* #define BUGPRINT(format, args...) */
62 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
63 ": out of memory: "format, ## args)
64 /* #define MEMPRINT(format, args...) */
69 * Each cpu has its own set of counters, so there is no need for write_lock in
71 * For reading or updating the counters, the user context needs to
75 /* The size of each set of counters is altered to get cache alignment */
76 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
77 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
78 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
79 COUNTER_OFFSET(n) * cpu))
83 static DECLARE_MUTEX(ebt_mutex);
84 static LIST_HEAD(ebt_tables);
85 static LIST_HEAD(ebt_targets);
86 static LIST_HEAD(ebt_matches);
87 static LIST_HEAD(ebt_watchers);
89 static struct ebt_target ebt_standard_target =
90 { {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL};
92 static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
93 const struct sk_buff *skb, const struct net_device *in,
94 const struct net_device *out)
96 w->u.watcher->watcher(skb, in, out, w->data,
98 /* watchers don't give a verdict */
102 static inline int ebt_do_match (struct ebt_entry_match *m,
103 const struct sk_buff *skb, const struct net_device *in,
104 const struct net_device *out)
106 return m->u.match->match(skb, in, out, m->data,
110 static inline int ebt_dev_check(char *entry, const struct net_device *device)
116 return !!strcmp(entry, device->name);
119 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
120 /* process standard matches */
121 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
122 const struct net_device *in, const struct net_device *out)
126 if (e->bitmask & EBT_802_3) {
127 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
129 } else if (!(e->bitmask & EBT_NOPROTO) &&
130 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
132 if(h->h_proto!=ETH_P_PPP_SES)
135 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
137 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
139 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
140 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
142 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
143 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
146 if (e->bitmask & EBT_SOURCEMAC) {
148 for (i = 0; i < 6; i++)
149 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
151 if (FWINV2(verdict != 0, EBT_ISOURCE) )
154 if (e->bitmask & EBT_DESTMAC) {
156 for (i = 0; i < 6; i++)
157 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
159 if (FWINV2(verdict != 0, EBT_IDEST) )
165 /* Do some firewalling */
166 unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
167 const struct net_device *in, const struct net_device *out,
168 struct ebt_table *table)
171 struct ebt_entry *point;
172 struct ebt_counter *counter_base, *cb_base;
173 struct ebt_entry_target *t;
175 struct ebt_chainstack *cs;
176 struct ebt_entries *chaininfo;
178 struct ebt_table_info *private = table->private;
180 read_lock_bh(&table->lock);
181 cb_base = COUNTER_BASE(private->counters, private->nentries,
183 if (private->chainstack)
184 cs = private->chainstack[smp_processor_id()];
187 chaininfo = private->hook_entry[hook];
188 nentries = private->hook_entry[hook]->nentries;
189 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
190 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
191 /* base for chain jumps */
192 base = private->entries;
194 while (i < nentries) {
195 if (ebt_basic_match(point, (**pskb).mac.ethernet, in, out))
198 if (EBT_MATCH_ITERATE(point, ebt_do_match, *pskb, in, out) != 0)
201 /* increase counter */
202 (*(counter_base + i)).pcnt++;
203 (*(counter_base + i)).bcnt+=(**pskb).len;
205 /* these should only watch: not modify, nor tell us
206 what to do with the packet */
207 EBT_WATCHER_ITERATE(point, ebt_do_watcher, *pskb, in,
210 t = (struct ebt_entry_target *)
211 (((char *)point) + point->target_offset);
212 /* standard target */
213 if (!t->u.target->target)
214 verdict = ((struct ebt_standard_target *)t)->verdict;
216 verdict = t->u.target->target(pskb, hook,
217 in, out, t->data, t->target_size);
218 if (verdict == EBT_ACCEPT) {
219 read_unlock_bh(&table->lock);
222 if (verdict == EBT_DROP) {
223 read_unlock_bh(&table->lock);
226 if (verdict == EBT_RETURN) {
228 #ifdef CONFIG_NETFILTER_DEBUG
230 BUGPRINT("RETURN on base chain");
231 /* act like this is EBT_CONTINUE */
236 /* put all the local variables right */
238 chaininfo = cs[sp].chaininfo;
239 nentries = chaininfo->nentries;
241 counter_base = cb_base +
242 chaininfo->counter_offset;
245 if (verdict == EBT_CONTINUE)
247 #ifdef CONFIG_NETFILTER_DEBUG
249 BUGPRINT("bogus standard verdict\n");
250 read_unlock_bh(&table->lock);
256 cs[sp].chaininfo = chaininfo;
257 cs[sp].e = (struct ebt_entry *)
258 (((char *)point) + point->next_offset);
260 chaininfo = (struct ebt_entries *) (base + verdict);
261 #ifdef CONFIG_NETFILTER_DEBUG
262 if (chaininfo->distinguisher) {
263 BUGPRINT("jump to non-chain\n");
264 read_unlock_bh(&table->lock);
268 nentries = chaininfo->nentries;
269 point = (struct ebt_entry *)chaininfo->data;
270 counter_base = cb_base + chaininfo->counter_offset;
274 point = (struct ebt_entry *)
275 (((char *)point) + point->next_offset);
279 /* I actually like this :) */
280 if (chaininfo->policy == EBT_RETURN)
282 if (chaininfo->policy == EBT_ACCEPT) {
283 read_unlock_bh(&table->lock);
286 read_unlock_bh(&table->lock);
290 /* If it succeeds, returns element and locks mutex */
292 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
293 struct semaphore *mutex)
297 *error = down_interruptible(mutex);
301 ret = list_named_find(head, name);
310 #define find_inlist_lock(h,n,p,e,m) find_inlist_lock_noload((h),(n),(e),(m))
313 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
314 int *error, struct semaphore *mutex)
318 ret = find_inlist_lock_noload(head, name, error, mutex);
320 request_module("%s%s", prefix, name);
321 ret = find_inlist_lock_noload(head, name, error, mutex);
327 static inline struct ebt_table *
328 find_table_lock(const char *name, int *error, struct semaphore *mutex)
330 return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex);
333 static inline struct ebt_match *
334 find_match_lock(const char *name, int *error, struct semaphore *mutex)
336 return find_inlist_lock(&ebt_matches, name, "ebt_", error, mutex);
339 static inline struct ebt_watcher *
340 find_watcher_lock(const char *name, int *error, struct semaphore *mutex)
342 return find_inlist_lock(&ebt_watchers, name, "ebt_", error, mutex);
345 static inline struct ebt_target *
346 find_target_lock(const char *name, int *error, struct semaphore *mutex)
348 return find_inlist_lock(&ebt_targets, name, "ebt_", error, mutex);
352 ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
353 const char *name, unsigned int hookmask, unsigned int *cnt)
355 struct ebt_match *match;
358 if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
359 ((char *)e) + e->watchers_offset)
361 match = find_match_lock(m->u.name, &ret, &ebt_mutex);
365 if (!try_module_get(match->me)) {
371 match->check(name, hookmask, e, m->data, m->match_size) != 0) {
372 BUGPRINT("match->check failed\n");
373 module_put(match->me);
381 ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
382 const char *name, unsigned int hookmask, unsigned int *cnt)
384 struct ebt_watcher *watcher;
387 if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
388 ((char *)e) + e->target_offset)
390 watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
393 w->u.watcher = watcher;
394 if (!try_module_get(watcher->me)) {
399 if (watcher->check &&
400 watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
401 BUGPRINT("watcher->check failed\n");
402 module_put(watcher->me);
410 * this one is very careful, as it is the first function
411 * to parse the userspace data
414 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
415 struct ebt_table_info *newinfo, char *base, char *limit,
416 struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
417 unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
421 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
422 if ((valid_hooks & (1 << i)) == 0)
424 if ( (char *)hook_entries[i] - base ==
425 (char *)e - newinfo->entries)
428 /* beginning of a new chain
429 if i == NF_BR_NUMHOOKS it must be a user defined chain */
430 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
431 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) != 0) {
432 /* we make userspace set this right,
433 so there is no misunderstanding */
434 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
435 "in distinguisher\n");
438 /* this checks if the previous chain has as many entries
441 BUGPRINT("nentries does not equal the nr of entries "
445 /* before we look at the struct, be sure it is not too big */
446 if ((char *)hook_entries[i] + sizeof(struct ebt_entries)
448 BUGPRINT("entries_size too small\n");
451 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
452 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
453 /* only RETURN from udc */
454 if (i != NF_BR_NUMHOOKS ||
455 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
456 BUGPRINT("bad policy\n");
460 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
463 newinfo->hook_entry[i] = (struct ebt_entries *)e;
464 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
465 BUGPRINT("counter_offset != totalcnt");
468 *n = ((struct ebt_entries *)e)->nentries;
472 /* a plain old entry, heh */
473 if (sizeof(struct ebt_entry) > e->watchers_offset ||
474 e->watchers_offset > e->target_offset ||
475 e->target_offset >= e->next_offset) {
476 BUGPRINT("entry offsets not in right order\n");
479 /* this is not checked anywhere else */
480 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
481 BUGPRINT("target size too small\n");
492 struct ebt_chainstack cs;
494 unsigned int hookmask;
498 * we need these positions to check that the jumps to a different part of the
499 * entries is a jump to the beginning of a new chain.
502 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
503 struct ebt_entries **hook_entries, unsigned int *n, unsigned int valid_hooks,
504 struct ebt_cl_stack *udc)
508 /* we're only interested in chain starts */
509 if (e->bitmask & EBT_ENTRY_OR_ENTRIES)
511 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
512 if ((valid_hooks & (1 << i)) == 0)
514 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
517 /* only care about udc */
518 if (i != NF_BR_NUMHOOKS)
521 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
522 /* these initialisations are depended on later in check_chainloops() */
524 udc[*n].hookmask = 0;
531 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
533 if (i && (*i)-- == 0)
535 if (m->u.match->destroy)
536 m->u.match->destroy(m->data, m->match_size);
537 module_put(m->u.match->me);
543 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
545 if (i && (*i)-- == 0)
547 if (w->u.watcher->destroy)
548 w->u.watcher->destroy(w->data, w->watcher_size);
549 module_put(w->u.watcher->me);
555 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
557 struct ebt_entry_target *t;
559 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
562 if (cnt && (*cnt)-- == 0)
564 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
565 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
566 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
567 if (t->u.target->destroy)
568 t->u.target->destroy(t->data, t->target_size);
569 module_put(t->u.target->me);
575 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
576 const char *name, unsigned int *cnt, unsigned int valid_hooks,
577 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
579 struct ebt_entry_target *t;
580 struct ebt_target *target;
581 unsigned int i, j, hook = 0, hookmask = 0;
584 /* don't mess with the struct ebt_entries */
585 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
588 if (e->bitmask & ~EBT_F_MASK) {
589 BUGPRINT("Unknown flag for bitmask\n");
592 if (e->invflags & ~EBT_INV_MASK) {
593 BUGPRINT("Unknown flag for inv bitmask\n");
596 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
597 BUGPRINT("NOPROTO & 802_3 not allowed\n");
600 /* what hook do we belong to? */
601 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
602 if ((valid_hooks & (1 << i)) == 0)
604 if ((char *)newinfo->hook_entry[i] < (char *)e)
609 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
611 if (i < NF_BR_NUMHOOKS)
612 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
614 for (i = 0; i < udc_cnt; i++)
615 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
618 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
620 hookmask = cl_s[i - 1].hookmask;
623 ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
625 goto cleanup_matches;
627 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j);
629 goto cleanup_watchers;
630 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
631 target = find_target_lock(t->u.name, &ret, &ebt_mutex);
633 goto cleanup_watchers;
634 if (!try_module_get(target->me)) {
637 goto cleanup_watchers;
641 t->u.target = target;
642 if (t->u.target == &ebt_standard_target) {
643 if (e->target_offset + sizeof(struct ebt_standard_target) >
645 BUGPRINT("Standard target size too big\n");
647 goto cleanup_watchers;
649 if (((struct ebt_standard_target *)t)->verdict <
650 -NUM_STANDARD_TARGETS) {
651 BUGPRINT("Invalid standard target\n");
653 goto cleanup_watchers;
655 } else if ((e->target_offset + t->target_size +
656 sizeof(struct ebt_entry_target) > e->next_offset) ||
657 (t->u.target->check &&
658 t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
659 module_put(t->u.target->me);
661 goto cleanup_watchers;
666 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
668 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
673 * checks for loops and sets the hook mask for udc
674 * the hook mask for udc tells us from which base chains the udc can be
675 * accessed. This mask is a parameter to the check() functions of the extensions
677 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
678 unsigned int udc_cnt, unsigned int hooknr, char *base)
680 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
681 struct ebt_entry *e = (struct ebt_entry *)chain->data;
682 struct ebt_entry_target *t;
684 while (pos < nentries || chain_nr != -1) {
685 /* end of udc, go back one 'recursion' step */
686 if (pos == nentries) {
687 /* put back values of the time when this chain was called */
688 e = cl_s[chain_nr].cs.e;
689 if (cl_s[chain_nr].from != -1)
691 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
693 nentries = chain->nentries;
694 pos = cl_s[chain_nr].cs.n;
695 /* make sure we won't see a loop that isn't one */
696 cl_s[chain_nr].cs.n = 0;
697 chain_nr = cl_s[chain_nr].from;
701 t = (struct ebt_entry_target *)
702 (((char *)e) + e->target_offset);
703 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
705 if (e->target_offset + sizeof(struct ebt_standard_target) >
707 BUGPRINT("Standard target size too big\n");
710 verdict = ((struct ebt_standard_target *)t)->verdict;
711 if (verdict >= 0) { /* jump to another chain */
712 struct ebt_entries *hlp2 =
713 (struct ebt_entries *)(base + verdict);
714 for (i = 0; i < udc_cnt; i++)
715 if (hlp2 == cl_s[i].cs.chaininfo)
717 /* bad destination or loop */
719 BUGPRINT("bad destination\n");
726 /* this can't be 0, so the above test is correct */
727 cl_s[i].cs.n = pos + 1;
729 cl_s[i].cs.e = ((void *)e + e->next_offset);
730 e = (struct ebt_entry *)(hlp2->data);
731 nentries = hlp2->nentries;
732 cl_s[i].from = chain_nr;
734 /* this udc is accessible from the base chain for hooknr */
735 cl_s[i].hookmask |= (1 << hooknr);
739 e = (void *)e + e->next_offset;
745 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
746 static int translate_table(struct ebt_replace *repl,
747 struct ebt_table_info *newinfo)
749 unsigned int i, j, k, udc_cnt;
751 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
754 while (i < NF_BR_NUMHOOKS && !(repl->valid_hooks & (1 << i)))
756 if (i == NF_BR_NUMHOOKS) {
757 BUGPRINT("No valid hooks specified\n");
760 if (repl->hook_entry[i] != (struct ebt_entries *)repl->entries) {
761 BUGPRINT("Chains don't start at beginning\n");
764 /* make sure chains are ordered after each other in same order
765 as their corresponding hooks */
766 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
767 if (!(repl->valid_hooks & (1 << j)))
769 if ( repl->hook_entry[j] <= repl->hook_entry[i] ) {
770 BUGPRINT("Hook order must be followed\n");
776 for (i = 0; i < NF_BR_NUMHOOKS; i++)
777 newinfo->hook_entry[i] = NULL;
779 newinfo->entries_size = repl->entries_size;
780 newinfo->nentries = repl->nentries;
782 /* do some early checkings and initialize some things */
783 i = 0; /* holds the expected nr. of entries for the chain */
784 j = 0; /* holds the up to now counted entries for the chain */
785 k = 0; /* holds the total nr. of entries, should equal
786 newinfo->nentries afterwards */
787 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
788 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
789 ebt_check_entry_size_and_hooks, newinfo, repl->entries,
790 repl->entries + repl->entries_size, repl->hook_entry, &i, &j, &k,
791 &udc_cnt, repl->valid_hooks);
797 BUGPRINT("nentries does not equal the nr of entries in the "
801 if (k != newinfo->nentries) {
802 BUGPRINT("Total nentries is wrong\n");
806 /* check if all valid hooks have a chain */
807 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
808 if (newinfo->hook_entry[i] == NULL &&
809 (repl->valid_hooks & (1 << i))) {
810 BUGPRINT("Valid hook without chain\n");
815 /* get the location of the udc, put them in an array
816 while we're at it, allocate the chainstack */
818 /* this will get free'd in do_replace()/ebt_register_table()
819 if an error occurs */
820 newinfo->chainstack = (struct ebt_chainstack **)
821 vmalloc(NR_CPUS * sizeof(struct ebt_chainstack));
822 if (!newinfo->chainstack)
824 for (i = 0; i < NR_CPUS; i++) {
825 newinfo->chainstack[i] =
826 vmalloc(udc_cnt * sizeof(struct ebt_chainstack));
827 if (!newinfo->chainstack[i]) {
829 vfree(newinfo->chainstack[--i]);
830 vfree(newinfo->chainstack);
831 newinfo->chainstack = NULL;
836 cl_s = (struct ebt_cl_stack *)
837 vmalloc(udc_cnt * sizeof(struct ebt_cl_stack));
840 i = 0; /* the i'th udc */
841 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
842 ebt_get_udc_positions, newinfo, repl->hook_entry, &i,
843 repl->valid_hooks, cl_s);
846 BUGPRINT("i != udc_cnt\n");
852 /* Check for loops */
853 for (i = 0; i < NF_BR_NUMHOOKS; i++)
854 if (repl->valid_hooks & (1 << i))
855 if (check_chainloops(newinfo->hook_entry[i],
856 cl_s, udc_cnt, i, newinfo->entries)) {
862 /* we now know the following (along with E=mc²):
863 - the nr of entries in each chain is right
864 - the size of the allocated space is right
865 - all valid hooks have a corresponding chain
867 - wrong data can still be on the level of a single entry
868 - could be there are jumps to places that are not the
869 beginning of a chain. This can only occur in chains that
870 are not accessible from any base chains, so we don't care. */
872 /* used to know what we need to clean up if something goes wrong */
874 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
875 ebt_check_entry, newinfo, repl->name, &i, repl->valid_hooks,
878 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
879 ebt_cleanup_entry, &i);
886 /* called under write_lock */
887 static void get_counters(struct ebt_counter *oldcounters,
888 struct ebt_counter *counters, unsigned int nentries)
891 struct ebt_counter *counter_base;
893 /* counters of cpu 0 */
894 memcpy(counters, oldcounters,
895 sizeof(struct ebt_counter) * nentries);
896 /* add other counters to those of cpu 0 */
897 for (cpu = 1; cpu < NR_CPUS; cpu++) {
898 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
899 for (i = 0; i < nentries; i++) {
900 counters[i].pcnt += counter_base[i].pcnt;
901 counters[i].bcnt += counter_base[i].bcnt;
906 /* replace the table */
907 static int do_replace(void __user *user, unsigned int len)
909 int ret, i, countersize;
910 struct ebt_table_info *newinfo;
911 struct ebt_replace tmp;
913 struct ebt_counter *counterstmp = NULL;
914 /* used to be able to unlock earlier */
915 struct ebt_table_info *table;
917 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
920 if (len != sizeof(tmp) + tmp.entries_size) {
921 BUGPRINT("Wrong len argument\n");
925 if (tmp.entries_size == 0) {
926 BUGPRINT("Entries_size never zero\n");
929 countersize = COUNTER_OFFSET(tmp.nentries) * NR_CPUS;
930 newinfo = (struct ebt_table_info *)
931 vmalloc(sizeof(struct ebt_table_info) + countersize);
936 memset(newinfo->counters, 0, countersize);
938 newinfo->entries = (char *)vmalloc(tmp.entries_size);
939 if (!newinfo->entries) {
944 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
945 BUGPRINT("Couldn't copy entries from userspace\n");
950 /* the user wants counters back
951 the check on the size is done later, when we have the lock */
952 if (tmp.num_counters) {
953 counterstmp = (struct ebt_counter *)
954 vmalloc(tmp.num_counters * sizeof(struct ebt_counter));
963 /* this can get initialized by translate_table() */
964 newinfo->chainstack = NULL;
965 ret = translate_table(&tmp, newinfo);
968 goto free_counterstmp;
970 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
976 /* the table doesn't like it */
977 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
980 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
981 BUGPRINT("Wrong nr. of counters requested\n");
986 /* we have the mutex lock, so no danger in reading this pointer */
988 /* make sure the table can only be rmmod'ed if it contains no rules */
989 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
992 } else if (table->nentries && !newinfo->nentries)
994 /* we need an atomic snapshot of the counters */
995 write_lock_bh(&t->lock);
996 if (tmp.num_counters)
997 get_counters(t->private->counters, counterstmp,
998 t->private->nentries);
1000 t->private = newinfo;
1001 write_unlock_bh(&t->lock);
1003 /* so, a user can change the chains while having messed up her counter
1004 allocation. Only reason why this is done is because this way the lock
1005 is held only once, while this doesn't bring the kernel into a
1007 if (tmp.num_counters &&
1008 copy_to_user(tmp.counters, counterstmp,
1009 tmp.num_counters * sizeof(struct ebt_counter))) {
1010 BUGPRINT("Couldn't copy counters to userspace\n");
1016 /* decrease module count and free resources */
1017 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1018 ebt_cleanup_entry, NULL);
1020 vfree(table->entries);
1021 if (table->chainstack) {
1022 for (i = 0; i < NR_CPUS; i++)
1023 vfree(table->chainstack[i]);
1024 vfree(table->chainstack);
1035 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1036 ebt_cleanup_entry, NULL);
1040 /* can be initialized in translate_table() */
1041 if (newinfo->chainstack) {
1042 for (i = 0; i < NR_CPUS; i++)
1043 vfree(newinfo->chainstack[i]);
1044 vfree(newinfo->chainstack);
1047 if (newinfo->entries)
1048 vfree(newinfo->entries);
1055 int ebt_register_target(struct ebt_target *target)
1059 ret = down_interruptible(&ebt_mutex);
1062 if (!list_named_insert(&ebt_targets, target)) {
1071 void ebt_unregister_target(struct ebt_target *target)
1074 LIST_DELETE(&ebt_targets, target);
1078 int ebt_register_match(struct ebt_match *match)
1082 ret = down_interruptible(&ebt_mutex);
1085 if (!list_named_insert(&ebt_matches, match)) {
1094 void ebt_unregister_match(struct ebt_match *match)
1097 LIST_DELETE(&ebt_matches, match);
1101 int ebt_register_watcher(struct ebt_watcher *watcher)
1105 ret = down_interruptible(&ebt_mutex);
1108 if (!list_named_insert(&ebt_watchers, watcher)) {
1117 void ebt_unregister_watcher(struct ebt_watcher *watcher)
1120 LIST_DELETE(&ebt_watchers, watcher);
1124 int ebt_register_table(struct ebt_table *table)
1126 struct ebt_table_info *newinfo;
1127 int ret, i, countersize;
1129 if (!table || !table->table ||!table->table->entries ||
1130 table->table->entries_size == 0 ||
1131 table->table->counters || table->private) {
1132 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1136 countersize = COUNTER_OFFSET(table->table->nentries) * NR_CPUS;
1137 newinfo = (struct ebt_table_info *)
1138 vmalloc(sizeof(struct ebt_table_info) + countersize);
1143 newinfo->entries = (char *)vmalloc(table->table->entries_size);
1144 if (!(newinfo->entries))
1147 memcpy(newinfo->entries, table->table->entries,
1148 table->table->entries_size);
1151 memset(newinfo->counters, 0, countersize);
1153 /* fill in newinfo and parse the entries */
1154 newinfo->chainstack = NULL;
1155 ret = translate_table(table->table, newinfo);
1157 BUGPRINT("Translate_table failed\n");
1158 goto free_chainstack;
1161 if (table->check && table->check(newinfo, table->valid_hooks)) {
1162 BUGPRINT("The table doesn't like its own initial data, lol\n");
1166 table->private = newinfo;
1167 table->lock = RW_LOCK_UNLOCKED;
1168 ret = down_interruptible(&ebt_mutex);
1170 goto free_chainstack;
1172 if (list_named_find(&ebt_tables, table->name)) {
1174 BUGPRINT("Table name already exists\n");
1178 /* Hold a reference count if the chains aren't empty */
1179 if (newinfo->nentries && !try_module_get(table->me)) {
1183 list_prepend(&ebt_tables, table);
1189 if (newinfo->chainstack) {
1190 for (i = 0; i < NR_CPUS; i++)
1191 vfree(newinfo->chainstack[i]);
1192 vfree(newinfo->chainstack);
1194 vfree(newinfo->entries);
1200 void ebt_unregister_table(struct ebt_table *table)
1205 BUGPRINT("Request to unregister NULL table!!!\n");
1209 LIST_DELETE(&ebt_tables, table);
1211 if (table->private->entries)
1212 vfree(table->private->entries);
1213 if (table->private->chainstack) {
1214 for (i = 0; i < NR_CPUS; i++)
1215 vfree(table->private->chainstack[i]);
1216 vfree(table->private->chainstack);
1218 vfree(table->private);
1221 /* userspace just supplied us with counters */
1222 static int update_counters(void __user *user, unsigned int len)
1225 struct ebt_counter *tmp;
1226 struct ebt_replace hlp;
1227 struct ebt_table *t;
1229 if (copy_from_user(&hlp, user, sizeof(hlp)))
1232 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1234 if (hlp.num_counters == 0)
1237 if ( !(tmp = (struct ebt_counter *)
1238 vmalloc(hlp.num_counters * sizeof(struct ebt_counter))) ){
1239 MEMPRINT("Update_counters && nomemory\n");
1243 t = find_table_lock(hlp.name, &ret, &ebt_mutex);
1247 if (hlp.num_counters != t->private->nentries) {
1248 BUGPRINT("Wrong nr of counters\n");
1253 if ( copy_from_user(tmp, hlp.counters,
1254 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1255 BUGPRINT("Updata_counters && !cfu\n");
1260 /* we want an atomic add of the counters */
1261 write_lock_bh(&t->lock);
1263 /* we add to the counters of the first cpu */
1264 for (i = 0; i < hlp.num_counters; i++) {
1265 t->private->counters[i].pcnt += tmp[i].pcnt;
1266 t->private->counters[i].bcnt += tmp[i].bcnt;
1269 write_unlock_bh(&t->lock);
1278 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1279 char *base, char *ubase)
1281 char *hlp = ubase - base + (char *)m;
1282 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1287 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1288 char *base, char *ubase)
1290 char *hlp = ubase - base + (char *)w;
1291 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1296 static inline int ebt_make_names(struct ebt_entry *e, char *base, char *ubase)
1300 struct ebt_entry_target *t;
1302 if ((e->bitmask & EBT_ENTRY_OR_ENTRIES) == 0)
1305 hlp = ubase - base + (char *)e + e->target_offset;
1306 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1308 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1311 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1314 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1319 /* called with ebt_mutex down */
1320 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1323 struct ebt_replace tmp;
1324 struct ebt_counter *counterstmp, *oldcounters;
1325 unsigned int entries_size, nentries;
1328 if (cmd == EBT_SO_GET_ENTRIES) {
1329 entries_size = t->private->entries_size;
1330 nentries = t->private->nentries;
1331 entries = t->private->entries;
1332 oldcounters = t->private->counters;
1334 entries_size = t->table->entries_size;
1335 nentries = t->table->nentries;
1336 entries = t->table->entries;
1337 oldcounters = t->table->counters;
1340 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1341 BUGPRINT("Cfu didn't work\n");
1345 if (*len != sizeof(struct ebt_replace) + entries_size +
1346 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1347 BUGPRINT("Wrong size\n");
1351 if (tmp.nentries != nentries) {
1352 BUGPRINT("Nentries wrong\n");
1356 if (tmp.entries_size != entries_size) {
1357 BUGPRINT("Wrong size\n");
1361 /* userspace might not need the counters */
1362 if (tmp.num_counters) {
1363 if (tmp.num_counters != nentries) {
1364 BUGPRINT("Num_counters wrong\n");
1367 counterstmp = (struct ebt_counter *)
1368 vmalloc(nentries * sizeof(struct ebt_counter));
1370 MEMPRINT("Couldn't copy counters, out of memory\n");
1373 write_lock_bh(&t->lock);
1374 get_counters(oldcounters, counterstmp, nentries);
1375 write_unlock_bh(&t->lock);
1377 if (copy_to_user(tmp.counters, counterstmp,
1378 nentries * sizeof(struct ebt_counter))) {
1379 BUGPRINT("Couldn't copy counters to userspace\n");
1386 if (copy_to_user(tmp.entries, entries, entries_size)) {
1387 BUGPRINT("Couldn't copy entries to userspace\n");
1390 /* set the match/watcher/target names right */
1391 return EBT_ENTRY_ITERATE(entries, entries_size,
1392 ebt_make_names, entries, tmp.entries);
1395 static int do_ebt_set_ctl(struct sock *sk,
1396 int cmd, void __user *user, unsigned int len)
1401 case EBT_SO_SET_ENTRIES:
1402 ret = do_replace(user, len);
1404 case EBT_SO_SET_COUNTERS:
1405 ret = update_counters(user, len);
1413 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1416 struct ebt_replace tmp;
1417 struct ebt_table *t;
1419 if (copy_from_user(&tmp, user, sizeof(tmp)))
1422 t = find_table_lock(tmp.name, &ret, &ebt_mutex);
1427 case EBT_SO_GET_INFO:
1428 case EBT_SO_GET_INIT_INFO:
1429 if (*len != sizeof(struct ebt_replace)){
1434 if (cmd == EBT_SO_GET_INFO) {
1435 tmp.nentries = t->private->nentries;
1436 tmp.entries_size = t->private->entries_size;
1437 tmp.valid_hooks = t->valid_hooks;
1439 tmp.nentries = t->table->nentries;
1440 tmp.entries_size = t->table->entries_size;
1441 tmp.valid_hooks = t->table->valid_hooks;
1444 if (copy_to_user(user, &tmp, *len) != 0){
1445 BUGPRINT("c2u Didn't work\n");
1452 case EBT_SO_GET_ENTRIES:
1453 case EBT_SO_GET_INIT_ENTRIES:
1454 ret = copy_everything_to_user(t, user, len, cmd);
1466 static struct nf_sockopt_ops ebt_sockopts =
1467 { { NULL, NULL }, PF_INET, EBT_BASE_CTL, EBT_SO_SET_MAX + 1, do_ebt_set_ctl,
1468 EBT_BASE_CTL, EBT_SO_GET_MAX + 1, do_ebt_get_ctl, 0, NULL
1471 static int __init init(void)
1476 list_named_insert(&ebt_targets, &ebt_standard_target);
1478 if ((ret = nf_register_sockopt(&ebt_sockopts)) < 0)
1481 printk(KERN_NOTICE "Ebtables v2.0 registered\n");
1485 static void __exit fini(void)
1487 nf_unregister_sockopt(&ebt_sockopts);
1488 printk(KERN_NOTICE "Ebtables v2.0 unregistered\n");
1491 EXPORT_SYMBOL(ebt_register_table);
1492 EXPORT_SYMBOL(ebt_unregister_table);
1493 EXPORT_SYMBOL(ebt_register_match);
1494 EXPORT_SYMBOL(ebt_unregister_match);
1495 EXPORT_SYMBOL(ebt_register_watcher);
1496 EXPORT_SYMBOL(ebt_unregister_watcher);
1497 EXPORT_SYMBOL(ebt_register_target);
1498 EXPORT_SYMBOL(ebt_unregister_target);
1499 EXPORT_SYMBOL(ebt_do_table);
1502 MODULE_LICENSE("GPL");