5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
59 static struct xt_target ebt_standard_target = {
62 .family = NFPROTO_BRIDGE,
63 .targetsize = sizeof(int),
67 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
68 struct xt_target_param *par)
70 par->target = w->u.watcher;
71 par->targinfo = w->data;
72 w->u.watcher->target(skb, par);
73 /* watchers don't give a verdict */
77 static inline int ebt_do_match (struct ebt_entry_match *m,
78 const struct sk_buff *skb, struct xt_match_param *par)
80 par->match = m->u.match;
81 par->matchinfo = m->data;
82 return m->u.match->match(skb, par);
85 static inline int ebt_dev_check(char *entry, const struct net_device *device)
88 const char *devname = device->name;
94 /* 1 is the wildcard token */
95 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
97 return (devname[i] != entry[i] && entry[i] != 1);
100 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
101 /* process standard matches */
102 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
103 const struct net_device *in, const struct net_device *out)
107 if (e->bitmask & EBT_802_3) {
108 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
110 } else if (!(e->bitmask & EBT_NOPROTO) &&
111 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
114 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
116 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
118 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
119 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
121 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
122 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
125 if (e->bitmask & EBT_SOURCEMAC) {
127 for (i = 0; i < 6; i++)
128 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
130 if (FWINV2(verdict != 0, EBT_ISOURCE) )
133 if (e->bitmask & EBT_DESTMAC) {
135 for (i = 0; i < 6; i++)
136 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
138 if (FWINV2(verdict != 0, EBT_IDEST) )
144 /* Do some firewalling */
145 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
146 const struct net_device *in, const struct net_device *out,
147 struct ebt_table *table)
150 struct ebt_entry *point;
151 struct ebt_counter *counter_base, *cb_base;
152 struct ebt_entry_target *t;
154 struct ebt_chainstack *cs;
155 struct ebt_entries *chaininfo;
157 struct ebt_table_info *private;
158 bool hotdrop = false;
159 struct xt_match_param mtpar;
160 struct xt_target_param tgpar;
162 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
163 mtpar.in = tgpar.in = in;
164 mtpar.out = tgpar.out = out;
165 mtpar.hotdrop = &hotdrop;
166 tgpar.hooknum = hook;
168 read_lock_bh(&table->lock);
169 private = table->private;
170 cb_base = COUNTER_BASE(private->counters, private->nentries,
172 if (private->chainstack)
173 cs = private->chainstack[smp_processor_id()];
176 chaininfo = private->hook_entry[hook];
177 nentries = private->hook_entry[hook]->nentries;
178 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
179 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
180 /* base for chain jumps */
181 base = private->entries;
183 while (i < nentries) {
184 if (ebt_basic_match(point, eth_hdr(skb), in, out))
187 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
190 read_unlock_bh(&table->lock);
194 /* increase counter */
195 (*(counter_base + i)).pcnt++;
196 (*(counter_base + i)).bcnt += skb->len;
198 /* these should only watch: not modify, nor tell us
199 what to do with the packet */
200 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
202 t = (struct ebt_entry_target *)
203 (((char *)point) + point->target_offset);
204 /* standard target */
205 if (!t->u.target->target)
206 verdict = ((struct ebt_standard_target *)t)->verdict;
208 tgpar.target = t->u.target;
209 tgpar.targinfo = t->data;
210 verdict = t->u.target->target(skb, &tgpar);
212 if (verdict == EBT_ACCEPT) {
213 read_unlock_bh(&table->lock);
216 if (verdict == EBT_DROP) {
217 read_unlock_bh(&table->lock);
220 if (verdict == EBT_RETURN) {
222 #ifdef CONFIG_NETFILTER_DEBUG
224 BUGPRINT("RETURN on base chain");
225 /* act like this is EBT_CONTINUE */
230 /* put all the local variables right */
232 chaininfo = cs[sp].chaininfo;
233 nentries = chaininfo->nentries;
235 counter_base = cb_base +
236 chaininfo->counter_offset;
239 if (verdict == EBT_CONTINUE)
241 #ifdef CONFIG_NETFILTER_DEBUG
243 BUGPRINT("bogus standard verdict\n");
244 read_unlock_bh(&table->lock);
250 cs[sp].chaininfo = chaininfo;
251 cs[sp].e = (struct ebt_entry *)
252 (((char *)point) + point->next_offset);
254 chaininfo = (struct ebt_entries *) (base + verdict);
255 #ifdef CONFIG_NETFILTER_DEBUG
256 if (chaininfo->distinguisher) {
257 BUGPRINT("jump to non-chain\n");
258 read_unlock_bh(&table->lock);
262 nentries = chaininfo->nentries;
263 point = (struct ebt_entry *)chaininfo->data;
264 counter_base = cb_base + chaininfo->counter_offset;
268 point = (struct ebt_entry *)
269 (((char *)point) + point->next_offset);
273 /* I actually like this :) */
274 if (chaininfo->policy == EBT_RETURN)
276 if (chaininfo->policy == EBT_ACCEPT) {
277 read_unlock_bh(&table->lock);
280 read_unlock_bh(&table->lock);
284 /* If it succeeds, returns element and locks mutex */
286 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
290 struct list_head list;
291 char name[EBT_FUNCTION_MAXNAMELEN];
294 *error = mutex_lock_interruptible(mutex);
298 list_for_each_entry(e, head, list) {
299 if (strcmp(e->name, name) == 0)
308 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
309 int *error, struct mutex *mutex)
311 return try_then_request_module(
312 find_inlist_lock_noload(head, name, error, mutex),
313 "%s%s", prefix, name);
316 static inline struct ebt_table *
317 find_table_lock(struct net *net, const char *name, int *error,
320 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
321 "ebtable_", error, mutex);
325 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
328 const struct ebt_entry *e = par->entryinfo;
329 struct xt_match *match;
330 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
333 if (left < sizeof(struct ebt_entry_match) ||
334 left - sizeof(struct ebt_entry_match) < m->match_size)
337 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
338 m->u.name, 0), "ebt_%s", m->u.name);
340 return PTR_ERR(match);
346 par->matchinfo = m->data;
347 ret = xt_check_match(par, m->match_size,
348 e->ethproto, e->invflags & EBT_IPROTO);
350 module_put(match->me);
359 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
362 const struct ebt_entry *e = par->entryinfo;
363 struct xt_target *watcher;
364 size_t left = ((char *)e + e->target_offset) - (char *)w;
367 if (left < sizeof(struct ebt_entry_watcher) ||
368 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
371 watcher = try_then_request_module(
372 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
373 "ebt_%s", w->u.name);
375 return PTR_ERR(watcher);
378 w->u.watcher = watcher;
380 par->target = watcher;
381 par->targinfo = w->data;
382 ret = xt_check_target(par, w->watcher_size,
383 e->ethproto, e->invflags & EBT_IPROTO);
385 module_put(watcher->me);
393 static int ebt_verify_pointers(struct ebt_replace *repl,
394 struct ebt_table_info *newinfo)
396 unsigned int limit = repl->entries_size;
397 unsigned int valid_hooks = repl->valid_hooks;
398 unsigned int offset = 0;
401 for (i = 0; i < NF_BR_NUMHOOKS; i++)
402 newinfo->hook_entry[i] = NULL;
404 newinfo->entries_size = repl->entries_size;
405 newinfo->nentries = repl->nentries;
407 while (offset < limit) {
408 size_t left = limit - offset;
409 struct ebt_entry *e = (void *)newinfo->entries + offset;
411 if (left < sizeof(unsigned int))
414 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
415 if ((valid_hooks & (1 << i)) == 0)
417 if ((char __user *)repl->hook_entry[i] ==
418 repl->entries + offset)
422 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
423 if (e->bitmask != 0) {
424 /* we make userspace set this right,
425 so there is no misunderstanding */
426 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
427 "in distinguisher\n");
430 if (i != NF_BR_NUMHOOKS)
431 newinfo->hook_entry[i] = (struct ebt_entries *)e;
432 if (left < sizeof(struct ebt_entries))
434 offset += sizeof(struct ebt_entries);
436 if (left < sizeof(struct ebt_entry))
438 if (left < e->next_offset)
440 offset += e->next_offset;
443 if (offset != limit) {
444 BUGPRINT("entries_size too small\n");
448 /* check if all valid hooks have a chain */
449 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
450 if (!newinfo->hook_entry[i] &&
451 (valid_hooks & (1 << i))) {
452 BUGPRINT("Valid hook without chain\n");
460 * this one is very careful, as it is the first function
461 * to parse the userspace data
464 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
465 struct ebt_table_info *newinfo,
466 unsigned int *n, unsigned int *cnt,
467 unsigned int *totalcnt, unsigned int *udc_cnt)
471 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
472 if ((void *)e == (void *)newinfo->hook_entry[i])
475 /* beginning of a new chain
476 if i == NF_BR_NUMHOOKS it must be a user defined chain */
477 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
478 /* this checks if the previous chain has as many entries
481 BUGPRINT("nentries does not equal the nr of entries "
485 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
486 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
487 /* only RETURN from udc */
488 if (i != NF_BR_NUMHOOKS ||
489 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
490 BUGPRINT("bad policy\n");
494 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
496 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
497 BUGPRINT("counter_offset != totalcnt");
500 *n = ((struct ebt_entries *)e)->nentries;
504 /* a plain old entry, heh */
505 if (sizeof(struct ebt_entry) > e->watchers_offset ||
506 e->watchers_offset > e->target_offset ||
507 e->target_offset >= e->next_offset) {
508 BUGPRINT("entry offsets not in right order\n");
511 /* this is not checked anywhere else */
512 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
513 BUGPRINT("target size too small\n");
523 struct ebt_chainstack cs;
525 unsigned int hookmask;
529 * we need these positions to check that the jumps to a different part of the
530 * entries is a jump to the beginning of a new chain.
533 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
534 unsigned int *n, struct ebt_cl_stack *udc)
538 /* we're only interested in chain starts */
541 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
542 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
545 /* only care about udc */
546 if (i != NF_BR_NUMHOOKS)
549 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
550 /* these initialisations are depended on later in check_chainloops() */
552 udc[*n].hookmask = 0;
559 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
561 struct xt_mtdtor_param par;
563 if (i && (*i)-- == 0)
566 par.match = m->u.match;
567 par.matchinfo = m->data;
568 par.family = NFPROTO_BRIDGE;
569 if (par.match->destroy != NULL)
570 par.match->destroy(&par);
571 module_put(par.match->me);
576 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
578 struct xt_tgdtor_param par;
580 if (i && (*i)-- == 0)
583 par.target = w->u.watcher;
584 par.targinfo = w->data;
585 par.family = NFPROTO_BRIDGE;
586 if (par.target->destroy != NULL)
587 par.target->destroy(&par);
588 module_put(par.target->me);
593 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
595 struct xt_tgdtor_param par;
596 struct ebt_entry_target *t;
601 if (cnt && (*cnt)-- == 0)
603 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
604 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
605 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
607 par.target = t->u.target;
608 par.targinfo = t->data;
609 par.family = NFPROTO_BRIDGE;
610 if (par.target->destroy != NULL)
611 par.target->destroy(&par);
612 module_put(par.target->me);
617 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
618 const char *name, unsigned int *cnt,
619 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
621 struct ebt_entry_target *t;
622 struct xt_target *target;
623 unsigned int i, j, hook = 0, hookmask = 0;
626 struct xt_mtchk_param mtpar;
627 struct xt_tgchk_param tgpar;
629 /* don't mess with the struct ebt_entries */
633 if (e->bitmask & ~EBT_F_MASK) {
634 BUGPRINT("Unknown flag for bitmask\n");
637 if (e->invflags & ~EBT_INV_MASK) {
638 BUGPRINT("Unknown flag for inv bitmask\n");
641 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
642 BUGPRINT("NOPROTO & 802_3 not allowed\n");
645 /* what hook do we belong to? */
646 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
647 if (!newinfo->hook_entry[i])
649 if ((char *)newinfo->hook_entry[i] < (char *)e)
654 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
656 if (i < NF_BR_NUMHOOKS)
657 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
659 for (i = 0; i < udc_cnt; i++)
660 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
663 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
665 hookmask = cl_s[i - 1].hookmask;
669 mtpar.table = tgpar.table = name;
670 mtpar.entryinfo = tgpar.entryinfo = e;
671 mtpar.hook_mask = tgpar.hook_mask = hookmask;
672 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
673 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
675 goto cleanup_matches;
677 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
679 goto cleanup_watchers;
680 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
681 gap = e->next_offset - e->target_offset;
683 target = try_then_request_module(
684 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
685 "ebt_%s", t->u.name);
686 if (IS_ERR(target)) {
687 ret = PTR_ERR(target);
688 goto cleanup_watchers;
689 } else if (target == NULL) {
691 goto cleanup_watchers;
694 t->u.target = target;
695 if (t->u.target == &ebt_standard_target) {
696 if (gap < sizeof(struct ebt_standard_target)) {
697 BUGPRINT("Standard target size too big\n");
699 goto cleanup_watchers;
701 if (((struct ebt_standard_target *)t)->verdict <
702 -NUM_STANDARD_TARGETS) {
703 BUGPRINT("Invalid standard target\n");
705 goto cleanup_watchers;
707 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
708 module_put(t->u.target->me);
710 goto cleanup_watchers;
713 tgpar.target = target;
714 tgpar.targinfo = t->data;
715 ret = xt_check_target(&tgpar, t->target_size,
716 e->ethproto, e->invflags & EBT_IPROTO);
718 module_put(target->me);
719 goto cleanup_watchers;
724 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
726 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
731 * checks for loops and sets the hook mask for udc
732 * the hook mask for udc tells us from which base chains the udc can be
733 * accessed. This mask is a parameter to the check() functions of the extensions
735 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
736 unsigned int udc_cnt, unsigned int hooknr, char *base)
738 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
739 struct ebt_entry *e = (struct ebt_entry *)chain->data;
740 struct ebt_entry_target *t;
742 while (pos < nentries || chain_nr != -1) {
743 /* end of udc, go back one 'recursion' step */
744 if (pos == nentries) {
745 /* put back values of the time when this chain was called */
746 e = cl_s[chain_nr].cs.e;
747 if (cl_s[chain_nr].from != -1)
749 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
751 nentries = chain->nentries;
752 pos = cl_s[chain_nr].cs.n;
753 /* make sure we won't see a loop that isn't one */
754 cl_s[chain_nr].cs.n = 0;
755 chain_nr = cl_s[chain_nr].from;
759 t = (struct ebt_entry_target *)
760 (((char *)e) + e->target_offset);
761 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
763 if (e->target_offset + sizeof(struct ebt_standard_target) >
765 BUGPRINT("Standard target size too big\n");
768 verdict = ((struct ebt_standard_target *)t)->verdict;
769 if (verdict >= 0) { /* jump to another chain */
770 struct ebt_entries *hlp2 =
771 (struct ebt_entries *)(base + verdict);
772 for (i = 0; i < udc_cnt; i++)
773 if (hlp2 == cl_s[i].cs.chaininfo)
775 /* bad destination or loop */
777 BUGPRINT("bad destination\n");
784 if (cl_s[i].hookmask & (1 << hooknr))
786 /* this can't be 0, so the loop test is correct */
787 cl_s[i].cs.n = pos + 1;
789 cl_s[i].cs.e = ((void *)e + e->next_offset);
790 e = (struct ebt_entry *)(hlp2->data);
791 nentries = hlp2->nentries;
792 cl_s[i].from = chain_nr;
794 /* this udc is accessible from the base chain for hooknr */
795 cl_s[i].hookmask |= (1 << hooknr);
799 e = (void *)e + e->next_offset;
805 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
806 static int translate_table(char *name, struct ebt_table_info *newinfo)
808 unsigned int i, j, k, udc_cnt;
810 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
813 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
815 if (i == NF_BR_NUMHOOKS) {
816 BUGPRINT("No valid hooks specified\n");
819 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
820 BUGPRINT("Chains don't start at beginning\n");
823 /* make sure chains are ordered after each other in same order
824 as their corresponding hooks */
825 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
826 if (!newinfo->hook_entry[j])
828 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
829 BUGPRINT("Hook order must be followed\n");
835 /* do some early checkings and initialize some things */
836 i = 0; /* holds the expected nr. of entries for the chain */
837 j = 0; /* holds the up to now counted entries for the chain */
838 k = 0; /* holds the total nr. of entries, should equal
839 newinfo->nentries afterwards */
840 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
841 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
842 ebt_check_entry_size_and_hooks, newinfo,
843 &i, &j, &k, &udc_cnt);
849 BUGPRINT("nentries does not equal the nr of entries in the "
853 if (k != newinfo->nentries) {
854 BUGPRINT("Total nentries is wrong\n");
858 /* get the location of the udc, put them in an array
859 while we're at it, allocate the chainstack */
861 /* this will get free'd in do_replace()/ebt_register_table()
862 if an error occurs */
863 newinfo->chainstack =
864 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
865 if (!newinfo->chainstack)
867 for_each_possible_cpu(i) {
868 newinfo->chainstack[i] =
869 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
870 if (!newinfo->chainstack[i]) {
872 vfree(newinfo->chainstack[--i]);
873 vfree(newinfo->chainstack);
874 newinfo->chainstack = NULL;
879 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
882 i = 0; /* the i'th udc */
883 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
884 ebt_get_udc_positions, newinfo, &i, cl_s);
887 BUGPRINT("i != udc_cnt\n");
893 /* Check for loops */
894 for (i = 0; i < NF_BR_NUMHOOKS; i++)
895 if (newinfo->hook_entry[i])
896 if (check_chainloops(newinfo->hook_entry[i],
897 cl_s, udc_cnt, i, newinfo->entries)) {
902 /* we now know the following (along with E=mc²):
903 - the nr of entries in each chain is right
904 - the size of the allocated space is right
905 - all valid hooks have a corresponding chain
907 - wrong data can still be on the level of a single entry
908 - could be there are jumps to places that are not the
909 beginning of a chain. This can only occur in chains that
910 are not accessible from any base chains, so we don't care. */
912 /* used to know what we need to clean up if something goes wrong */
914 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
915 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
917 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
918 ebt_cleanup_entry, &i);
924 /* called under write_lock */
925 static void get_counters(struct ebt_counter *oldcounters,
926 struct ebt_counter *counters, unsigned int nentries)
929 struct ebt_counter *counter_base;
931 /* counters of cpu 0 */
932 memcpy(counters, oldcounters,
933 sizeof(struct ebt_counter) * nentries);
935 /* add other counters to those of cpu 0 */
936 for_each_possible_cpu(cpu) {
939 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
940 for (i = 0; i < nentries; i++) {
941 counters[i].pcnt += counter_base[i].pcnt;
942 counters[i].bcnt += counter_base[i].bcnt;
947 /* replace the table */
948 static int do_replace(struct net *net, void __user *user, unsigned int len)
950 int ret, i, countersize;
951 struct ebt_table_info *newinfo;
952 struct ebt_replace tmp;
954 struct ebt_counter *counterstmp = NULL;
955 /* used to be able to unlock earlier */
956 struct ebt_table_info *table;
958 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
961 if (len != sizeof(tmp) + tmp.entries_size) {
962 BUGPRINT("Wrong len argument\n");
966 if (tmp.entries_size == 0) {
967 BUGPRINT("Entries_size never zero\n");
971 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
972 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
974 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
977 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
978 newinfo = vmalloc(sizeof(*newinfo) + countersize);
983 memset(newinfo->counters, 0, countersize);
985 newinfo->entries = vmalloc(tmp.entries_size);
986 if (!newinfo->entries) {
991 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
992 BUGPRINT("Couldn't copy entries from userspace\n");
997 /* the user wants counters back
998 the check on the size is done later, when we have the lock */
999 if (tmp.num_counters) {
1000 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1009 /* this can get initialized by translate_table() */
1010 newinfo->chainstack = NULL;
1011 ret = ebt_verify_pointers(&tmp, newinfo);
1013 goto free_counterstmp;
1015 ret = translate_table(tmp.name, newinfo);
1018 goto free_counterstmp;
1020 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1026 /* the table doesn't like it */
1027 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1030 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1031 BUGPRINT("Wrong nr. of counters requested\n");
1036 /* we have the mutex lock, so no danger in reading this pointer */
1038 /* make sure the table can only be rmmod'ed if it contains no rules */
1039 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1042 } else if (table->nentries && !newinfo->nentries)
1044 /* we need an atomic snapshot of the counters */
1045 write_lock_bh(&t->lock);
1046 if (tmp.num_counters)
1047 get_counters(t->private->counters, counterstmp,
1048 t->private->nentries);
1050 t->private = newinfo;
1051 write_unlock_bh(&t->lock);
1052 mutex_unlock(&ebt_mutex);
1053 /* so, a user can change the chains while having messed up her counter
1054 allocation. Only reason why this is done is because this way the lock
1055 is held only once, while this doesn't bring the kernel into a
1057 if (tmp.num_counters &&
1058 copy_to_user(tmp.counters, counterstmp,
1059 tmp.num_counters * sizeof(struct ebt_counter))) {
1060 BUGPRINT("Couldn't copy counters to userspace\n");
1066 /* decrease module count and free resources */
1067 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1068 ebt_cleanup_entry, NULL);
1070 vfree(table->entries);
1071 if (table->chainstack) {
1072 for_each_possible_cpu(i)
1073 vfree(table->chainstack[i]);
1074 vfree(table->chainstack);
1082 mutex_unlock(&ebt_mutex);
1084 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1085 ebt_cleanup_entry, NULL);
1088 /* can be initialized in translate_table() */
1089 if (newinfo->chainstack) {
1090 for_each_possible_cpu(i)
1091 vfree(newinfo->chainstack[i]);
1092 vfree(newinfo->chainstack);
1095 vfree(newinfo->entries);
1101 int ebt_register_table(struct net *net, struct ebt_table *table)
1103 struct ebt_table_info *newinfo;
1104 struct ebt_table *t;
1105 struct ebt_replace_kernel *repl;
1106 int ret, i, countersize;
1109 if (!table || !(repl = table->table) || !repl->entries ||
1110 repl->entries_size == 0 ||
1111 repl->counters || table->private) {
1112 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1116 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1117 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1122 p = vmalloc(repl->entries_size);
1126 memcpy(p, repl->entries, repl->entries_size);
1127 newinfo->entries = p;
1129 newinfo->entries_size = repl->entries_size;
1130 newinfo->nentries = repl->nentries;
1133 memset(newinfo->counters, 0, countersize);
1135 /* fill in newinfo and parse the entries */
1136 newinfo->chainstack = NULL;
1137 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1138 if ((repl->valid_hooks & (1 << i)) == 0)
1139 newinfo->hook_entry[i] = NULL;
1141 newinfo->hook_entry[i] = p +
1142 ((char *)repl->hook_entry[i] - repl->entries);
1144 ret = translate_table(repl->name, newinfo);
1146 BUGPRINT("Translate_table failed\n");
1147 goto free_chainstack;
1150 if (table->check && table->check(newinfo, table->valid_hooks)) {
1151 BUGPRINT("The table doesn't like its own initial data, lol\n");
1155 table->private = newinfo;
1156 rwlock_init(&table->lock);
1157 ret = mutex_lock_interruptible(&ebt_mutex);
1159 goto free_chainstack;
1161 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1162 if (strcmp(t->name, table->name) == 0) {
1164 BUGPRINT("Table name already exists\n");
1169 /* Hold a reference count if the chains aren't empty */
1170 if (newinfo->nentries && !try_module_get(table->me)) {
1174 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1175 mutex_unlock(&ebt_mutex);
1178 mutex_unlock(&ebt_mutex);
1180 if (newinfo->chainstack) {
1181 for_each_possible_cpu(i)
1182 vfree(newinfo->chainstack[i]);
1183 vfree(newinfo->chainstack);
1185 vfree(newinfo->entries);
1191 void ebt_unregister_table(struct ebt_table *table)
1196 BUGPRINT("Request to unregister NULL table!!!\n");
1199 mutex_lock(&ebt_mutex);
1200 list_del(&table->list);
1201 mutex_unlock(&ebt_mutex);
1202 vfree(table->private->entries);
1203 if (table->private->chainstack) {
1204 for_each_possible_cpu(i)
1205 vfree(table->private->chainstack[i]);
1206 vfree(table->private->chainstack);
1208 vfree(table->private);
1211 /* userspace just supplied us with counters */
1212 static int update_counters(struct net *net, void __user *user, unsigned int len)
1215 struct ebt_counter *tmp;
1216 struct ebt_replace hlp;
1217 struct ebt_table *t;
1219 if (copy_from_user(&hlp, user, sizeof(hlp)))
1222 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1224 if (hlp.num_counters == 0)
1227 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1228 MEMPRINT("Update_counters && nomemory\n");
1232 t = find_table_lock(net, hlp.name, &ret, &ebt_mutex);
1236 if (hlp.num_counters != t->private->nentries) {
1237 BUGPRINT("Wrong nr of counters\n");
1242 if ( copy_from_user(tmp, hlp.counters,
1243 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1244 BUGPRINT("Updata_counters && !cfu\n");
1249 /* we want an atomic add of the counters */
1250 write_lock_bh(&t->lock);
1252 /* we add to the counters of the first cpu */
1253 for (i = 0; i < hlp.num_counters; i++) {
1254 t->private->counters[i].pcnt += tmp[i].pcnt;
1255 t->private->counters[i].bcnt += tmp[i].bcnt;
1258 write_unlock_bh(&t->lock);
1261 mutex_unlock(&ebt_mutex);
1267 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1268 char *base, char __user *ubase)
1270 char __user *hlp = ubase + ((char *)m - base);
1271 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1276 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1277 char *base, char __user *ubase)
1279 char __user *hlp = ubase + ((char *)w - base);
1280 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1285 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1289 struct ebt_entry_target *t;
1291 if (e->bitmask == 0)
1294 hlp = ubase + (((char *)e + e->target_offset) - base);
1295 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1297 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1300 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1303 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1308 /* called with ebt_mutex locked */
1309 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1312 struct ebt_replace tmp;
1313 struct ebt_counter *counterstmp, *oldcounters;
1314 unsigned int entries_size, nentries;
1317 if (cmd == EBT_SO_GET_ENTRIES) {
1318 entries_size = t->private->entries_size;
1319 nentries = t->private->nentries;
1320 entries = t->private->entries;
1321 oldcounters = t->private->counters;
1323 entries_size = t->table->entries_size;
1324 nentries = t->table->nentries;
1325 entries = t->table->entries;
1326 oldcounters = t->table->counters;
1329 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1330 BUGPRINT("Cfu didn't work\n");
1334 if (*len != sizeof(struct ebt_replace) + entries_size +
1335 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1336 BUGPRINT("Wrong size\n");
1340 if (tmp.nentries != nentries) {
1341 BUGPRINT("Nentries wrong\n");
1345 if (tmp.entries_size != entries_size) {
1346 BUGPRINT("Wrong size\n");
1350 /* userspace might not need the counters */
1351 if (tmp.num_counters) {
1352 if (tmp.num_counters != nentries) {
1353 BUGPRINT("Num_counters wrong\n");
1356 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1358 MEMPRINT("Couldn't copy counters, out of memory\n");
1361 write_lock_bh(&t->lock);
1362 get_counters(oldcounters, counterstmp, nentries);
1363 write_unlock_bh(&t->lock);
1365 if (copy_to_user(tmp.counters, counterstmp,
1366 nentries * sizeof(struct ebt_counter))) {
1367 BUGPRINT("Couldn't copy counters to userspace\n");
1374 if (copy_to_user(tmp.entries, entries, entries_size)) {
1375 BUGPRINT("Couldn't copy entries to userspace\n");
1378 /* set the match/watcher/target names right */
1379 return EBT_ENTRY_ITERATE(entries, entries_size,
1380 ebt_make_names, entries, tmp.entries);
1383 static int do_ebt_set_ctl(struct sock *sk,
1384 int cmd, void __user *user, unsigned int len)
1389 case EBT_SO_SET_ENTRIES:
1390 ret = do_replace(sock_net(sk), user, len);
1392 case EBT_SO_SET_COUNTERS:
1393 ret = update_counters(sock_net(sk), user, len);
1401 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1404 struct ebt_replace tmp;
1405 struct ebt_table *t;
1407 if (copy_from_user(&tmp, user, sizeof(tmp)))
1410 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1415 case EBT_SO_GET_INFO:
1416 case EBT_SO_GET_INIT_INFO:
1417 if (*len != sizeof(struct ebt_replace)){
1419 mutex_unlock(&ebt_mutex);
1422 if (cmd == EBT_SO_GET_INFO) {
1423 tmp.nentries = t->private->nentries;
1424 tmp.entries_size = t->private->entries_size;
1425 tmp.valid_hooks = t->valid_hooks;
1427 tmp.nentries = t->table->nentries;
1428 tmp.entries_size = t->table->entries_size;
1429 tmp.valid_hooks = t->table->valid_hooks;
1431 mutex_unlock(&ebt_mutex);
1432 if (copy_to_user(user, &tmp, *len) != 0){
1433 BUGPRINT("c2u Didn't work\n");
1440 case EBT_SO_GET_ENTRIES:
1441 case EBT_SO_GET_INIT_ENTRIES:
1442 ret = copy_everything_to_user(t, user, len, cmd);
1443 mutex_unlock(&ebt_mutex);
1447 mutex_unlock(&ebt_mutex);
1454 static struct nf_sockopt_ops ebt_sockopts =
1457 .set_optmin = EBT_BASE_CTL,
1458 .set_optmax = EBT_SO_SET_MAX + 1,
1459 .set = do_ebt_set_ctl,
1460 .get_optmin = EBT_BASE_CTL,
1461 .get_optmax = EBT_SO_GET_MAX + 1,
1462 .get = do_ebt_get_ctl,
1463 .owner = THIS_MODULE,
1466 static int __init ebtables_init(void)
1470 ret = xt_register_target(&ebt_standard_target);
1473 ret = nf_register_sockopt(&ebt_sockopts);
1475 xt_unregister_target(&ebt_standard_target);
1479 printk(KERN_INFO "Ebtables v2.0 registered\n");
1483 static void __exit ebtables_fini(void)
1485 nf_unregister_sockopt(&ebt_sockopts);
1486 xt_unregister_target(&ebt_standard_target);
1487 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1490 EXPORT_SYMBOL(ebt_register_table);
1491 EXPORT_SYMBOL(ebt_unregister_table);
1492 EXPORT_SYMBOL(ebt_do_table);
1493 module_init(ebtables_init);
1494 module_exit(ebtables_fini);
1495 MODULE_LICENSE("GPL");