5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
59 static struct xt_target ebt_standard_target = {
62 .family = NFPROTO_BRIDGE,
63 .targetsize = sizeof(int),
67 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
68 struct xt_target_param *par)
70 par->target = w->u.watcher;
71 par->targinfo = w->data;
72 w->u.watcher->target(skb, par);
73 /* watchers don't give a verdict */
77 static inline int ebt_do_match (struct ebt_entry_match *m,
78 const struct sk_buff *skb, struct xt_match_param *par)
80 par->match = m->u.match;
81 par->matchinfo = m->data;
82 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
86 ebt_dev_check(const char *entry, const struct net_device *device)
95 devname = device->name;
96 /* 1 is the wildcard token */
97 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
99 return (devname[i] != entry[i] && entry[i] != 1);
102 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
103 /* process standard matches */
105 ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
106 const struct net_device *in, const struct net_device *out)
110 if (e->bitmask & EBT_802_3) {
111 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
113 } else if (!(e->bitmask & EBT_NOPROTO) &&
114 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
117 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
119 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
121 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
122 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
124 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
125 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
128 if (e->bitmask & EBT_SOURCEMAC) {
130 for (i = 0; i < 6; i++)
131 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
133 if (FWINV2(verdict != 0, EBT_ISOURCE) )
136 if (e->bitmask & EBT_DESTMAC) {
138 for (i = 0; i < 6; i++)
139 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
141 if (FWINV2(verdict != 0, EBT_IDEST) )
148 struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
150 return (void *)entry + entry->next_offset;
153 /* Do some firewalling */
154 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
155 const struct net_device *in, const struct net_device *out,
156 struct ebt_table *table)
159 struct ebt_entry *point;
160 struct ebt_counter *counter_base, *cb_base;
161 const struct ebt_entry_target *t;
163 struct ebt_chainstack *cs;
164 struct ebt_entries *chaininfo;
166 const struct ebt_table_info *private;
167 bool hotdrop = false;
168 struct xt_match_param mtpar;
169 struct xt_target_param tgpar;
171 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
172 mtpar.in = tgpar.in = in;
173 mtpar.out = tgpar.out = out;
174 mtpar.hotdrop = &hotdrop;
175 mtpar.hooknum = tgpar.hooknum = hook;
177 read_lock_bh(&table->lock);
178 private = table->private;
179 cb_base = COUNTER_BASE(private->counters, private->nentries,
181 if (private->chainstack)
182 cs = private->chainstack[smp_processor_id()];
185 chaininfo = private->hook_entry[hook];
186 nentries = private->hook_entry[hook]->nentries;
187 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
188 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
189 /* base for chain jumps */
190 base = private->entries;
192 while (i < nentries) {
193 if (ebt_basic_match(point, eth_hdr(skb), in, out))
196 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
199 read_unlock_bh(&table->lock);
203 /* increase counter */
204 (*(counter_base + i)).pcnt++;
205 (*(counter_base + i)).bcnt += skb->len;
207 /* these should only watch: not modify, nor tell us
208 what to do with the packet */
209 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
211 t = (struct ebt_entry_target *)
212 (((char *)point) + point->target_offset);
213 /* standard target */
214 if (!t->u.target->target)
215 verdict = ((struct ebt_standard_target *)t)->verdict;
217 tgpar.target = t->u.target;
218 tgpar.targinfo = t->data;
219 verdict = t->u.target->target(skb, &tgpar);
221 if (verdict == EBT_ACCEPT) {
222 read_unlock_bh(&table->lock);
225 if (verdict == EBT_DROP) {
226 read_unlock_bh(&table->lock);
229 if (verdict == EBT_RETURN) {
231 #ifdef CONFIG_NETFILTER_DEBUG
233 BUGPRINT("RETURN on base chain");
234 /* act like this is EBT_CONTINUE */
239 /* put all the local variables right */
241 chaininfo = cs[sp].chaininfo;
242 nentries = chaininfo->nentries;
244 counter_base = cb_base +
245 chaininfo->counter_offset;
248 if (verdict == EBT_CONTINUE)
250 #ifdef CONFIG_NETFILTER_DEBUG
252 BUGPRINT("bogus standard verdict\n");
253 read_unlock_bh(&table->lock);
259 cs[sp].chaininfo = chaininfo;
260 cs[sp].e = ebt_next_entry(point);
262 chaininfo = (struct ebt_entries *) (base + verdict);
263 #ifdef CONFIG_NETFILTER_DEBUG
264 if (chaininfo->distinguisher) {
265 BUGPRINT("jump to non-chain\n");
266 read_unlock_bh(&table->lock);
270 nentries = chaininfo->nentries;
271 point = (struct ebt_entry *)chaininfo->data;
272 counter_base = cb_base + chaininfo->counter_offset;
276 point = ebt_next_entry(point);
280 /* I actually like this :) */
281 if (chaininfo->policy == EBT_RETURN)
283 if (chaininfo->policy == EBT_ACCEPT) {
284 read_unlock_bh(&table->lock);
287 read_unlock_bh(&table->lock);
291 /* If it succeeds, returns element and locks mutex */
293 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
297 struct list_head list;
298 char name[EBT_FUNCTION_MAXNAMELEN];
301 *error = mutex_lock_interruptible(mutex);
305 list_for_each_entry(e, head, list) {
306 if (strcmp(e->name, name) == 0)
315 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
316 int *error, struct mutex *mutex)
318 return try_then_request_module(
319 find_inlist_lock_noload(head, name, error, mutex),
320 "%s%s", prefix, name);
323 static inline struct ebt_table *
324 find_table_lock(struct net *net, const char *name, int *error,
327 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
328 "ebtable_", error, mutex);
332 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
335 const struct ebt_entry *e = par->entryinfo;
336 struct xt_match *match;
337 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
340 if (left < sizeof(struct ebt_entry_match) ||
341 left - sizeof(struct ebt_entry_match) < m->match_size)
344 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
345 m->u.name, 0), "ebt_%s", m->u.name);
347 return PTR_ERR(match);
353 par->matchinfo = m->data;
354 ret = xt_check_match(par, m->match_size,
355 e->ethproto, e->invflags & EBT_IPROTO);
357 module_put(match->me);
366 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
369 const struct ebt_entry *e = par->entryinfo;
370 struct xt_target *watcher;
371 size_t left = ((char *)e + e->target_offset) - (char *)w;
374 if (left < sizeof(struct ebt_entry_watcher) ||
375 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
378 watcher = try_then_request_module(
379 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
380 "ebt_%s", w->u.name);
382 return PTR_ERR(watcher);
385 w->u.watcher = watcher;
387 par->target = watcher;
388 par->targinfo = w->data;
389 ret = xt_check_target(par, w->watcher_size,
390 e->ethproto, e->invflags & EBT_IPROTO);
392 module_put(watcher->me);
400 static int ebt_verify_pointers(const struct ebt_replace *repl,
401 struct ebt_table_info *newinfo)
403 unsigned int limit = repl->entries_size;
404 unsigned int valid_hooks = repl->valid_hooks;
405 unsigned int offset = 0;
408 for (i = 0; i < NF_BR_NUMHOOKS; i++)
409 newinfo->hook_entry[i] = NULL;
411 newinfo->entries_size = repl->entries_size;
412 newinfo->nentries = repl->nentries;
414 while (offset < limit) {
415 size_t left = limit - offset;
416 struct ebt_entry *e = (void *)newinfo->entries + offset;
418 if (left < sizeof(unsigned int))
421 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
422 if ((valid_hooks & (1 << i)) == 0)
424 if ((char __user *)repl->hook_entry[i] ==
425 repl->entries + offset)
429 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
430 if (e->bitmask != 0) {
431 /* we make userspace set this right,
432 so there is no misunderstanding */
433 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
434 "in distinguisher\n");
437 if (i != NF_BR_NUMHOOKS)
438 newinfo->hook_entry[i] = (struct ebt_entries *)e;
439 if (left < sizeof(struct ebt_entries))
441 offset += sizeof(struct ebt_entries);
443 if (left < sizeof(struct ebt_entry))
445 if (left < e->next_offset)
447 if (e->next_offset < sizeof(struct ebt_entry))
449 offset += e->next_offset;
452 if (offset != limit) {
453 BUGPRINT("entries_size too small\n");
457 /* check if all valid hooks have a chain */
458 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
459 if (!newinfo->hook_entry[i] &&
460 (valid_hooks & (1 << i))) {
461 BUGPRINT("Valid hook without chain\n");
469 * this one is very careful, as it is the first function
470 * to parse the userspace data
473 ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
474 const struct ebt_table_info *newinfo,
475 unsigned int *n, unsigned int *cnt,
476 unsigned int *totalcnt, unsigned int *udc_cnt)
480 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
481 if ((void *)e == (void *)newinfo->hook_entry[i])
484 /* beginning of a new chain
485 if i == NF_BR_NUMHOOKS it must be a user defined chain */
486 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
487 /* this checks if the previous chain has as many entries
490 BUGPRINT("nentries does not equal the nr of entries "
494 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
495 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
496 /* only RETURN from udc */
497 if (i != NF_BR_NUMHOOKS ||
498 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
499 BUGPRINT("bad policy\n");
503 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
505 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
506 BUGPRINT("counter_offset != totalcnt");
509 *n = ((struct ebt_entries *)e)->nentries;
513 /* a plain old entry, heh */
514 if (sizeof(struct ebt_entry) > e->watchers_offset ||
515 e->watchers_offset > e->target_offset ||
516 e->target_offset >= e->next_offset) {
517 BUGPRINT("entry offsets not in right order\n");
520 /* this is not checked anywhere else */
521 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
522 BUGPRINT("target size too small\n");
532 struct ebt_chainstack cs;
534 unsigned int hookmask;
538 * we need these positions to check that the jumps to a different part of the
539 * entries is a jump to the beginning of a new chain.
542 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
543 unsigned int *n, struct ebt_cl_stack *udc)
547 /* we're only interested in chain starts */
550 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
551 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
554 /* only care about udc */
555 if (i != NF_BR_NUMHOOKS)
558 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
559 /* these initialisations are depended on later in check_chainloops() */
561 udc[*n].hookmask = 0;
568 ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
570 struct xt_mtdtor_param par;
572 if (i && (*i)-- == 0)
576 par.match = m->u.match;
577 par.matchinfo = m->data;
578 par.family = NFPROTO_BRIDGE;
579 if (par.match->destroy != NULL)
580 par.match->destroy(&par);
581 module_put(par.match->me);
586 ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
588 struct xt_tgdtor_param par;
590 if (i && (*i)-- == 0)
594 par.target = w->u.watcher;
595 par.targinfo = w->data;
596 par.family = NFPROTO_BRIDGE;
597 if (par.target->destroy != NULL)
598 par.target->destroy(&par);
599 module_put(par.target->me);
604 ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
606 struct xt_tgdtor_param par;
607 struct ebt_entry_target *t;
612 if (cnt && (*cnt)-- == 0)
614 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
615 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
616 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
619 par.target = t->u.target;
620 par.targinfo = t->data;
621 par.family = NFPROTO_BRIDGE;
622 if (par.target->destroy != NULL)
623 par.target->destroy(&par);
624 module_put(par.target->me);
629 ebt_check_entry(struct ebt_entry *e, struct net *net,
630 const struct ebt_table_info *newinfo,
631 const char *name, unsigned int *cnt,
632 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
634 struct ebt_entry_target *t;
635 struct xt_target *target;
636 unsigned int i, j, hook = 0, hookmask = 0;
639 struct xt_mtchk_param mtpar;
640 struct xt_tgchk_param tgpar;
642 /* don't mess with the struct ebt_entries */
646 if (e->bitmask & ~EBT_F_MASK) {
647 BUGPRINT("Unknown flag for bitmask\n");
650 if (e->invflags & ~EBT_INV_MASK) {
651 BUGPRINT("Unknown flag for inv bitmask\n");
654 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
655 BUGPRINT("NOPROTO & 802_3 not allowed\n");
658 /* what hook do we belong to? */
659 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
660 if (!newinfo->hook_entry[i])
662 if ((char *)newinfo->hook_entry[i] < (char *)e)
667 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
669 if (i < NF_BR_NUMHOOKS)
670 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
672 for (i = 0; i < udc_cnt; i++)
673 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
676 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
678 hookmask = cl_s[i - 1].hookmask;
682 mtpar.net = tgpar.net = net;
683 mtpar.table = tgpar.table = name;
684 mtpar.entryinfo = tgpar.entryinfo = e;
685 mtpar.hook_mask = tgpar.hook_mask = hookmask;
686 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
687 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
689 goto cleanup_matches;
691 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
693 goto cleanup_watchers;
694 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
695 gap = e->next_offset - e->target_offset;
697 target = try_then_request_module(
698 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
699 "ebt_%s", t->u.name);
700 if (IS_ERR(target)) {
701 ret = PTR_ERR(target);
702 goto cleanup_watchers;
703 } else if (target == NULL) {
705 goto cleanup_watchers;
708 t->u.target = target;
709 if (t->u.target == &ebt_standard_target) {
710 if (gap < sizeof(struct ebt_standard_target)) {
711 BUGPRINT("Standard target size too big\n");
713 goto cleanup_watchers;
715 if (((struct ebt_standard_target *)t)->verdict <
716 -NUM_STANDARD_TARGETS) {
717 BUGPRINT("Invalid standard target\n");
719 goto cleanup_watchers;
721 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
722 module_put(t->u.target->me);
724 goto cleanup_watchers;
727 tgpar.target = target;
728 tgpar.targinfo = t->data;
729 ret = xt_check_target(&tgpar, t->target_size,
730 e->ethproto, e->invflags & EBT_IPROTO);
732 module_put(target->me);
733 goto cleanup_watchers;
738 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
740 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
745 * checks for loops and sets the hook mask for udc
746 * the hook mask for udc tells us from which base chains the udc can be
747 * accessed. This mask is a parameter to the check() functions of the extensions
749 static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
750 unsigned int udc_cnt, unsigned int hooknr, char *base)
752 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
753 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
754 const struct ebt_entry_target *t;
756 while (pos < nentries || chain_nr != -1) {
757 /* end of udc, go back one 'recursion' step */
758 if (pos == nentries) {
759 /* put back values of the time when this chain was called */
760 e = cl_s[chain_nr].cs.e;
761 if (cl_s[chain_nr].from != -1)
763 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
765 nentries = chain->nentries;
766 pos = cl_s[chain_nr].cs.n;
767 /* make sure we won't see a loop that isn't one */
768 cl_s[chain_nr].cs.n = 0;
769 chain_nr = cl_s[chain_nr].from;
773 t = (struct ebt_entry_target *)
774 (((char *)e) + e->target_offset);
775 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
777 if (e->target_offset + sizeof(struct ebt_standard_target) >
779 BUGPRINT("Standard target size too big\n");
782 verdict = ((struct ebt_standard_target *)t)->verdict;
783 if (verdict >= 0) { /* jump to another chain */
784 struct ebt_entries *hlp2 =
785 (struct ebt_entries *)(base + verdict);
786 for (i = 0; i < udc_cnt; i++)
787 if (hlp2 == cl_s[i].cs.chaininfo)
789 /* bad destination or loop */
791 BUGPRINT("bad destination\n");
798 if (cl_s[i].hookmask & (1 << hooknr))
800 /* this can't be 0, so the loop test is correct */
801 cl_s[i].cs.n = pos + 1;
803 cl_s[i].cs.e = ebt_next_entry(e);
804 e = (struct ebt_entry *)(hlp2->data);
805 nentries = hlp2->nentries;
806 cl_s[i].from = chain_nr;
808 /* this udc is accessible from the base chain for hooknr */
809 cl_s[i].hookmask |= (1 << hooknr);
813 e = ebt_next_entry(e);
819 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
820 static int translate_table(struct net *net, const char *name,
821 struct ebt_table_info *newinfo)
823 unsigned int i, j, k, udc_cnt;
825 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
828 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
830 if (i == NF_BR_NUMHOOKS) {
831 BUGPRINT("No valid hooks specified\n");
834 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
835 BUGPRINT("Chains don't start at beginning\n");
838 /* make sure chains are ordered after each other in same order
839 as their corresponding hooks */
840 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
841 if (!newinfo->hook_entry[j])
843 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
844 BUGPRINT("Hook order must be followed\n");
850 /* do some early checkings and initialize some things */
851 i = 0; /* holds the expected nr. of entries for the chain */
852 j = 0; /* holds the up to now counted entries for the chain */
853 k = 0; /* holds the total nr. of entries, should equal
854 newinfo->nentries afterwards */
855 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
856 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
857 ebt_check_entry_size_and_hooks, newinfo,
858 &i, &j, &k, &udc_cnt);
864 BUGPRINT("nentries does not equal the nr of entries in the "
868 if (k != newinfo->nentries) {
869 BUGPRINT("Total nentries is wrong\n");
873 /* get the location of the udc, put them in an array
874 while we're at it, allocate the chainstack */
876 /* this will get free'd in do_replace()/ebt_register_table()
877 if an error occurs */
878 newinfo->chainstack =
879 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
880 if (!newinfo->chainstack)
882 for_each_possible_cpu(i) {
883 newinfo->chainstack[i] =
884 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
885 if (!newinfo->chainstack[i]) {
887 vfree(newinfo->chainstack[--i]);
888 vfree(newinfo->chainstack);
889 newinfo->chainstack = NULL;
894 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
897 i = 0; /* the i'th udc */
898 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
899 ebt_get_udc_positions, newinfo, &i, cl_s);
902 BUGPRINT("i != udc_cnt\n");
908 /* Check for loops */
909 for (i = 0; i < NF_BR_NUMHOOKS; i++)
910 if (newinfo->hook_entry[i])
911 if (check_chainloops(newinfo->hook_entry[i],
912 cl_s, udc_cnt, i, newinfo->entries)) {
917 /* we now know the following (along with E=mc²):
918 - the nr of entries in each chain is right
919 - the size of the allocated space is right
920 - all valid hooks have a corresponding chain
922 - wrong data can still be on the level of a single entry
923 - could be there are jumps to places that are not the
924 beginning of a chain. This can only occur in chains that
925 are not accessible from any base chains, so we don't care. */
927 /* used to know what we need to clean up if something goes wrong */
929 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
930 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
932 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
933 ebt_cleanup_entry, net, &i);
939 /* called under write_lock */
940 static void get_counters(const struct ebt_counter *oldcounters,
941 struct ebt_counter *counters, unsigned int nentries)
944 struct ebt_counter *counter_base;
946 /* counters of cpu 0 */
947 memcpy(counters, oldcounters,
948 sizeof(struct ebt_counter) * nentries);
950 /* add other counters to those of cpu 0 */
951 for_each_possible_cpu(cpu) {
954 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
955 for (i = 0; i < nentries; i++) {
956 counters[i].pcnt += counter_base[i].pcnt;
957 counters[i].bcnt += counter_base[i].bcnt;
962 /* replace the table */
963 static int do_replace(struct net *net, const void __user *user,
966 int ret, i, countersize;
967 struct ebt_table_info *newinfo;
968 struct ebt_replace tmp;
970 struct ebt_counter *counterstmp = NULL;
971 /* used to be able to unlock earlier */
972 struct ebt_table_info *table;
974 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
977 if (len != sizeof(tmp) + tmp.entries_size) {
978 BUGPRINT("Wrong len argument\n");
982 if (tmp.entries_size == 0) {
983 BUGPRINT("Entries_size never zero\n");
987 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
988 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
990 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
993 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
994 newinfo = vmalloc(sizeof(*newinfo) + countersize);
999 memset(newinfo->counters, 0, countersize);
1001 newinfo->entries = vmalloc(tmp.entries_size);
1002 if (!newinfo->entries) {
1007 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1008 BUGPRINT("Couldn't copy entries from userspace\n");
1013 /* the user wants counters back
1014 the check on the size is done later, when we have the lock */
1015 if (tmp.num_counters) {
1016 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1025 /* this can get initialized by translate_table() */
1026 newinfo->chainstack = NULL;
1027 ret = ebt_verify_pointers(&tmp, newinfo);
1029 goto free_counterstmp;
1031 ret = translate_table(net, tmp.name, newinfo);
1034 goto free_counterstmp;
1036 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1042 /* the table doesn't like it */
1043 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1046 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1047 BUGPRINT("Wrong nr. of counters requested\n");
1052 /* we have the mutex lock, so no danger in reading this pointer */
1054 /* make sure the table can only be rmmod'ed if it contains no rules */
1055 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1058 } else if (table->nentries && !newinfo->nentries)
1060 /* we need an atomic snapshot of the counters */
1061 write_lock_bh(&t->lock);
1062 if (tmp.num_counters)
1063 get_counters(t->private->counters, counterstmp,
1064 t->private->nentries);
1066 t->private = newinfo;
1067 write_unlock_bh(&t->lock);
1068 mutex_unlock(&ebt_mutex);
1069 /* so, a user can change the chains while having messed up her counter
1070 allocation. Only reason why this is done is because this way the lock
1071 is held only once, while this doesn't bring the kernel into a
1073 if (tmp.num_counters &&
1074 copy_to_user(tmp.counters, counterstmp,
1075 tmp.num_counters * sizeof(struct ebt_counter))) {
1076 BUGPRINT("Couldn't copy counters to userspace\n");
1082 /* decrease module count and free resources */
1083 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1084 ebt_cleanup_entry, net, NULL);
1086 vfree(table->entries);
1087 if (table->chainstack) {
1088 for_each_possible_cpu(i)
1089 vfree(table->chainstack[i]);
1090 vfree(table->chainstack);
1098 mutex_unlock(&ebt_mutex);
1100 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1101 ebt_cleanup_entry, net, NULL);
1104 /* can be initialized in translate_table() */
1105 if (newinfo->chainstack) {
1106 for_each_possible_cpu(i)
1107 vfree(newinfo->chainstack[i]);
1108 vfree(newinfo->chainstack);
1111 vfree(newinfo->entries);
1118 ebt_register_table(struct net *net, const struct ebt_table *input_table)
1120 struct ebt_table_info *newinfo;
1121 struct ebt_table *t, *table;
1122 struct ebt_replace_kernel *repl;
1123 int ret, i, countersize;
1126 if (input_table == NULL || (repl = input_table->table) == NULL ||
1127 repl->entries == 0 || repl->entries_size == 0 ||
1128 repl->counters != NULL || input_table->private != NULL) {
1129 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1130 return ERR_PTR(-EINVAL);
1133 /* Don't add one table to multiple lists. */
1134 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1140 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1141 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1146 p = vmalloc(repl->entries_size);
1150 memcpy(p, repl->entries, repl->entries_size);
1151 newinfo->entries = p;
1153 newinfo->entries_size = repl->entries_size;
1154 newinfo->nentries = repl->nentries;
1157 memset(newinfo->counters, 0, countersize);
1159 /* fill in newinfo and parse the entries */
1160 newinfo->chainstack = NULL;
1161 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1162 if ((repl->valid_hooks & (1 << i)) == 0)
1163 newinfo->hook_entry[i] = NULL;
1165 newinfo->hook_entry[i] = p +
1166 ((char *)repl->hook_entry[i] - repl->entries);
1168 ret = translate_table(net, repl->name, newinfo);
1170 BUGPRINT("Translate_table failed\n");
1171 goto free_chainstack;
1174 if (table->check && table->check(newinfo, table->valid_hooks)) {
1175 BUGPRINT("The table doesn't like its own initial data, lol\n");
1176 return ERR_PTR(-EINVAL);
1179 table->private = newinfo;
1180 rwlock_init(&table->lock);
1181 ret = mutex_lock_interruptible(&ebt_mutex);
1183 goto free_chainstack;
1185 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1186 if (strcmp(t->name, table->name) == 0) {
1188 BUGPRINT("Table name already exists\n");
1193 /* Hold a reference count if the chains aren't empty */
1194 if (newinfo->nentries && !try_module_get(table->me)) {
1198 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1199 mutex_unlock(&ebt_mutex);
1202 mutex_unlock(&ebt_mutex);
1204 if (newinfo->chainstack) {
1205 for_each_possible_cpu(i)
1206 vfree(newinfo->chainstack[i]);
1207 vfree(newinfo->chainstack);
1209 vfree(newinfo->entries);
1215 return ERR_PTR(ret);
1218 void ebt_unregister_table(struct net *net, struct ebt_table *table)
1223 BUGPRINT("Request to unregister NULL table!!!\n");
1226 mutex_lock(&ebt_mutex);
1227 list_del(&table->list);
1228 mutex_unlock(&ebt_mutex);
1229 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1230 ebt_cleanup_entry, net, NULL);
1231 if (table->private->nentries)
1232 module_put(table->me);
1233 vfree(table->private->entries);
1234 if (table->private->chainstack) {
1235 for_each_possible_cpu(i)
1236 vfree(table->private->chainstack[i]);
1237 vfree(table->private->chainstack);
1239 vfree(table->private);
1243 /* userspace just supplied us with counters */
1244 static int update_counters(struct net *net, const void __user *user,
1248 struct ebt_counter *tmp;
1249 struct ebt_replace hlp;
1250 struct ebt_table *t;
1252 if (copy_from_user(&hlp, user, sizeof(hlp)))
1255 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1257 if (hlp.num_counters == 0)
1260 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1261 MEMPRINT("Update_counters && nomemory\n");
1265 t = find_table_lock(net, hlp.name, &ret, &ebt_mutex);
1269 if (hlp.num_counters != t->private->nentries) {
1270 BUGPRINT("Wrong nr of counters\n");
1275 if ( copy_from_user(tmp, hlp.counters,
1276 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1277 BUGPRINT("Updata_counters && !cfu\n");
1282 /* we want an atomic add of the counters */
1283 write_lock_bh(&t->lock);
1285 /* we add to the counters of the first cpu */
1286 for (i = 0; i < hlp.num_counters; i++) {
1287 t->private->counters[i].pcnt += tmp[i].pcnt;
1288 t->private->counters[i].bcnt += tmp[i].bcnt;
1291 write_unlock_bh(&t->lock);
1294 mutex_unlock(&ebt_mutex);
1300 static inline int ebt_make_matchname(const struct ebt_entry_match *m,
1301 const char *base, char __user *ubase)
1303 char __user *hlp = ubase + ((char *)m - base);
1304 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1309 static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
1310 const char *base, char __user *ubase)
1312 char __user *hlp = ubase + ((char *)w - base);
1313 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1319 ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
1323 const struct ebt_entry_target *t;
1325 if (e->bitmask == 0)
1328 hlp = ubase + (((char *)e + e->target_offset) - base);
1329 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1331 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1334 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1337 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1342 /* called with ebt_mutex locked */
1343 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1344 const int *len, int cmd)
1346 struct ebt_replace tmp;
1347 struct ebt_counter *counterstmp;
1348 const struct ebt_counter *oldcounters;
1349 unsigned int entries_size, nentries;
1352 if (cmd == EBT_SO_GET_ENTRIES) {
1353 entries_size = t->private->entries_size;
1354 nentries = t->private->nentries;
1355 entries = t->private->entries;
1356 oldcounters = t->private->counters;
1358 entries_size = t->table->entries_size;
1359 nentries = t->table->nentries;
1360 entries = t->table->entries;
1361 oldcounters = t->table->counters;
1364 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1365 BUGPRINT("Cfu didn't work\n");
1369 if (*len != sizeof(struct ebt_replace) + entries_size +
1370 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1371 BUGPRINT("Wrong size\n");
1375 if (tmp.nentries != nentries) {
1376 BUGPRINT("Nentries wrong\n");
1380 if (tmp.entries_size != entries_size) {
1381 BUGPRINT("Wrong size\n");
1385 /* userspace might not need the counters */
1386 if (tmp.num_counters) {
1387 if (tmp.num_counters != nentries) {
1388 BUGPRINT("Num_counters wrong\n");
1391 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1393 MEMPRINT("Couldn't copy counters, out of memory\n");
1396 write_lock_bh(&t->lock);
1397 get_counters(oldcounters, counterstmp, nentries);
1398 write_unlock_bh(&t->lock);
1400 if (copy_to_user(tmp.counters, counterstmp,
1401 nentries * sizeof(struct ebt_counter))) {
1402 BUGPRINT("Couldn't copy counters to userspace\n");
1409 if (copy_to_user(tmp.entries, entries, entries_size)) {
1410 BUGPRINT("Couldn't copy entries to userspace\n");
1413 /* set the match/watcher/target names right */
1414 return EBT_ENTRY_ITERATE(entries, entries_size,
1415 ebt_make_names, entries, tmp.entries);
1418 static int do_ebt_set_ctl(struct sock *sk,
1419 int cmd, void __user *user, unsigned int len)
1423 if (!capable(CAP_NET_ADMIN))
1427 case EBT_SO_SET_ENTRIES:
1428 ret = do_replace(sock_net(sk), user, len);
1430 case EBT_SO_SET_COUNTERS:
1431 ret = update_counters(sock_net(sk), user, len);
1439 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1442 struct ebt_replace tmp;
1443 struct ebt_table *t;
1445 if (!capable(CAP_NET_ADMIN))
1448 if (copy_from_user(&tmp, user, sizeof(tmp)))
1451 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1456 case EBT_SO_GET_INFO:
1457 case EBT_SO_GET_INIT_INFO:
1458 if (*len != sizeof(struct ebt_replace)){
1460 mutex_unlock(&ebt_mutex);
1463 if (cmd == EBT_SO_GET_INFO) {
1464 tmp.nentries = t->private->nentries;
1465 tmp.entries_size = t->private->entries_size;
1466 tmp.valid_hooks = t->valid_hooks;
1468 tmp.nentries = t->table->nentries;
1469 tmp.entries_size = t->table->entries_size;
1470 tmp.valid_hooks = t->table->valid_hooks;
1472 mutex_unlock(&ebt_mutex);
1473 if (copy_to_user(user, &tmp, *len) != 0){
1474 BUGPRINT("c2u Didn't work\n");
1481 case EBT_SO_GET_ENTRIES:
1482 case EBT_SO_GET_INIT_ENTRIES:
1483 ret = copy_everything_to_user(t, user, len, cmd);
1484 mutex_unlock(&ebt_mutex);
1488 mutex_unlock(&ebt_mutex);
1495 static struct nf_sockopt_ops ebt_sockopts =
1498 .set_optmin = EBT_BASE_CTL,
1499 .set_optmax = EBT_SO_SET_MAX + 1,
1500 .set = do_ebt_set_ctl,
1501 .get_optmin = EBT_BASE_CTL,
1502 .get_optmax = EBT_SO_GET_MAX + 1,
1503 .get = do_ebt_get_ctl,
1504 .owner = THIS_MODULE,
1507 static int __init ebtables_init(void)
1511 ret = xt_register_target(&ebt_standard_target);
1514 ret = nf_register_sockopt(&ebt_sockopts);
1516 xt_unregister_target(&ebt_standard_target);
1520 printk(KERN_INFO "Ebtables v2.0 registered\n");
1524 static void __exit ebtables_fini(void)
1526 nf_unregister_sockopt(&ebt_sockopts);
1527 xt_unregister_target(&ebt_standard_target);
1528 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1531 EXPORT_SYMBOL(ebt_register_table);
1532 EXPORT_SYMBOL(ebt_unregister_table);
1533 EXPORT_SYMBOL(ebt_do_table);
1534 module_init(ebtables_init);
1535 module_exit(ebtables_fini);
1536 MODULE_LICENSE("GPL");