5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
38 * Each cpu has its own set of counters, so there is no need for write_lock in
40 * For reading or updating the counters, the user context needs to
44 /* The size of each set of counters is altered to get cache alignment */
45 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
46 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
47 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
48 COUNTER_OFFSET(n) * cpu))
52 static DEFINE_MUTEX(ebt_mutex);
54 static struct xt_target ebt_standard_target = {
57 .family = NFPROTO_BRIDGE,
58 .targetsize = sizeof(int),
62 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
63 struct xt_target_param *par)
65 par->target = w->u.watcher;
66 par->targinfo = w->data;
67 w->u.watcher->target(skb, par);
68 /* watchers don't give a verdict */
72 static inline int ebt_do_match (struct ebt_entry_match *m,
73 const struct sk_buff *skb, struct xt_match_param *par)
75 par->match = m->u.match;
76 par->matchinfo = m->data;
77 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
81 ebt_dev_check(const char *entry, const struct net_device *device)
90 devname = device->name;
91 /* 1 is the wildcard token */
92 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
94 return (devname[i] != entry[i] && entry[i] != 1);
97 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
98 /* process standard matches */
100 ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
101 const struct net_device *in, const struct net_device *out)
105 if (e->bitmask & EBT_802_3) {
106 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
108 } else if (!(e->bitmask & EBT_NOPROTO) &&
109 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
112 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
114 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
116 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
117 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
119 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
123 if (e->bitmask & EBT_SOURCEMAC) {
125 for (i = 0; i < 6; i++)
126 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
128 if (FWINV2(verdict != 0, EBT_ISOURCE) )
131 if (e->bitmask & EBT_DESTMAC) {
133 for (i = 0; i < 6; i++)
134 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
136 if (FWINV2(verdict != 0, EBT_IDEST) )
143 struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
145 return (void *)entry + entry->next_offset;
148 /* Do some firewalling */
149 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
150 const struct net_device *in, const struct net_device *out,
151 struct ebt_table *table)
154 struct ebt_entry *point;
155 struct ebt_counter *counter_base, *cb_base;
156 const struct ebt_entry_target *t;
158 struct ebt_chainstack *cs;
159 struct ebt_entries *chaininfo;
161 const struct ebt_table_info *private;
162 bool hotdrop = false;
163 struct xt_match_param mtpar;
164 struct xt_target_param tgpar;
166 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
167 mtpar.in = tgpar.in = in;
168 mtpar.out = tgpar.out = out;
169 mtpar.hotdrop = &hotdrop;
170 mtpar.hooknum = tgpar.hooknum = hook;
172 read_lock_bh(&table->lock);
173 private = table->private;
174 cb_base = COUNTER_BASE(private->counters, private->nentries,
176 if (private->chainstack)
177 cs = private->chainstack[smp_processor_id()];
180 chaininfo = private->hook_entry[hook];
181 nentries = private->hook_entry[hook]->nentries;
182 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
183 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
184 /* base for chain jumps */
185 base = private->entries;
187 while (i < nentries) {
188 if (ebt_basic_match(point, eth_hdr(skb), in, out))
191 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
194 read_unlock_bh(&table->lock);
198 /* increase counter */
199 (*(counter_base + i)).pcnt++;
200 (*(counter_base + i)).bcnt += skb->len;
202 /* these should only watch: not modify, nor tell us
203 what to do with the packet */
204 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
206 t = (struct ebt_entry_target *)
207 (((char *)point) + point->target_offset);
208 /* standard target */
209 if (!t->u.target->target)
210 verdict = ((struct ebt_standard_target *)t)->verdict;
212 tgpar.target = t->u.target;
213 tgpar.targinfo = t->data;
214 verdict = t->u.target->target(skb, &tgpar);
216 if (verdict == EBT_ACCEPT) {
217 read_unlock_bh(&table->lock);
220 if (verdict == EBT_DROP) {
221 read_unlock_bh(&table->lock);
224 if (verdict == EBT_RETURN) {
226 #ifdef CONFIG_NETFILTER_DEBUG
228 BUGPRINT("RETURN on base chain");
229 /* act like this is EBT_CONTINUE */
234 /* put all the local variables right */
236 chaininfo = cs[sp].chaininfo;
237 nentries = chaininfo->nentries;
239 counter_base = cb_base +
240 chaininfo->counter_offset;
243 if (verdict == EBT_CONTINUE)
245 #ifdef CONFIG_NETFILTER_DEBUG
247 BUGPRINT("bogus standard verdict\n");
248 read_unlock_bh(&table->lock);
254 cs[sp].chaininfo = chaininfo;
255 cs[sp].e = ebt_next_entry(point);
257 chaininfo = (struct ebt_entries *) (base + verdict);
258 #ifdef CONFIG_NETFILTER_DEBUG
259 if (chaininfo->distinguisher) {
260 BUGPRINT("jump to non-chain\n");
261 read_unlock_bh(&table->lock);
265 nentries = chaininfo->nentries;
266 point = (struct ebt_entry *)chaininfo->data;
267 counter_base = cb_base + chaininfo->counter_offset;
271 point = ebt_next_entry(point);
275 /* I actually like this :) */
276 if (chaininfo->policy == EBT_RETURN)
278 if (chaininfo->policy == EBT_ACCEPT) {
279 read_unlock_bh(&table->lock);
282 read_unlock_bh(&table->lock);
286 /* If it succeeds, returns element and locks mutex */
288 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
292 struct list_head list;
293 char name[EBT_FUNCTION_MAXNAMELEN];
296 *error = mutex_lock_interruptible(mutex);
300 list_for_each_entry(e, head, list) {
301 if (strcmp(e->name, name) == 0)
310 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
311 int *error, struct mutex *mutex)
313 return try_then_request_module(
314 find_inlist_lock_noload(head, name, error, mutex),
315 "%s%s", prefix, name);
318 static inline struct ebt_table *
319 find_table_lock(struct net *net, const char *name, int *error,
322 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
323 "ebtable_", error, mutex);
327 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
330 const struct ebt_entry *e = par->entryinfo;
331 struct xt_match *match;
332 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
335 if (left < sizeof(struct ebt_entry_match) ||
336 left - sizeof(struct ebt_entry_match) < m->match_size)
339 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
340 m->u.name, 0), "ebt_%s", m->u.name);
342 return PTR_ERR(match);
348 par->matchinfo = m->data;
349 ret = xt_check_match(par, m->match_size,
350 e->ethproto, e->invflags & EBT_IPROTO);
352 module_put(match->me);
361 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
364 const struct ebt_entry *e = par->entryinfo;
365 struct xt_target *watcher;
366 size_t left = ((char *)e + e->target_offset) - (char *)w;
369 if (left < sizeof(struct ebt_entry_watcher) ||
370 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
373 watcher = try_then_request_module(
374 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
375 "ebt_%s", w->u.name);
377 return PTR_ERR(watcher);
380 w->u.watcher = watcher;
382 par->target = watcher;
383 par->targinfo = w->data;
384 ret = xt_check_target(par, w->watcher_size,
385 e->ethproto, e->invflags & EBT_IPROTO);
387 module_put(watcher->me);
395 static int ebt_verify_pointers(const struct ebt_replace *repl,
396 struct ebt_table_info *newinfo)
398 unsigned int limit = repl->entries_size;
399 unsigned int valid_hooks = repl->valid_hooks;
400 unsigned int offset = 0;
403 for (i = 0; i < NF_BR_NUMHOOKS; i++)
404 newinfo->hook_entry[i] = NULL;
406 newinfo->entries_size = repl->entries_size;
407 newinfo->nentries = repl->nentries;
409 while (offset < limit) {
410 size_t left = limit - offset;
411 struct ebt_entry *e = (void *)newinfo->entries + offset;
413 if (left < sizeof(unsigned int))
416 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
417 if ((valid_hooks & (1 << i)) == 0)
419 if ((char __user *)repl->hook_entry[i] ==
420 repl->entries + offset)
424 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
425 if (e->bitmask != 0) {
426 /* we make userspace set this right,
427 so there is no misunderstanding */
428 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
429 "in distinguisher\n");
432 if (i != NF_BR_NUMHOOKS)
433 newinfo->hook_entry[i] = (struct ebt_entries *)e;
434 if (left < sizeof(struct ebt_entries))
436 offset += sizeof(struct ebt_entries);
438 if (left < sizeof(struct ebt_entry))
440 if (left < e->next_offset)
442 if (e->next_offset < sizeof(struct ebt_entry))
444 offset += e->next_offset;
447 if (offset != limit) {
448 BUGPRINT("entries_size too small\n");
452 /* check if all valid hooks have a chain */
453 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
454 if (!newinfo->hook_entry[i] &&
455 (valid_hooks & (1 << i))) {
456 BUGPRINT("Valid hook without chain\n");
464 * this one is very careful, as it is the first function
465 * to parse the userspace data
468 ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
469 const struct ebt_table_info *newinfo,
470 unsigned int *n, unsigned int *cnt,
471 unsigned int *totalcnt, unsigned int *udc_cnt)
475 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
476 if ((void *)e == (void *)newinfo->hook_entry[i])
479 /* beginning of a new chain
480 if i == NF_BR_NUMHOOKS it must be a user defined chain */
481 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
482 /* this checks if the previous chain has as many entries
485 BUGPRINT("nentries does not equal the nr of entries "
489 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
490 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
491 /* only RETURN from udc */
492 if (i != NF_BR_NUMHOOKS ||
493 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
494 BUGPRINT("bad policy\n");
498 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
500 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
501 BUGPRINT("counter_offset != totalcnt");
504 *n = ((struct ebt_entries *)e)->nentries;
508 /* a plain old entry, heh */
509 if (sizeof(struct ebt_entry) > e->watchers_offset ||
510 e->watchers_offset > e->target_offset ||
511 e->target_offset >= e->next_offset) {
512 BUGPRINT("entry offsets not in right order\n");
515 /* this is not checked anywhere else */
516 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
517 BUGPRINT("target size too small\n");
527 struct ebt_chainstack cs;
529 unsigned int hookmask;
533 * we need these positions to check that the jumps to a different part of the
534 * entries is a jump to the beginning of a new chain.
537 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
538 unsigned int *n, struct ebt_cl_stack *udc)
542 /* we're only interested in chain starts */
545 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
546 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
549 /* only care about udc */
550 if (i != NF_BR_NUMHOOKS)
553 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
554 /* these initialisations are depended on later in check_chainloops() */
556 udc[*n].hookmask = 0;
563 ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
565 struct xt_mtdtor_param par;
567 if (i && (*i)-- == 0)
571 par.match = m->u.match;
572 par.matchinfo = m->data;
573 par.family = NFPROTO_BRIDGE;
574 if (par.match->destroy != NULL)
575 par.match->destroy(&par);
576 module_put(par.match->me);
581 ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
583 struct xt_tgdtor_param par;
585 if (i && (*i)-- == 0)
589 par.target = w->u.watcher;
590 par.targinfo = w->data;
591 par.family = NFPROTO_BRIDGE;
592 if (par.target->destroy != NULL)
593 par.target->destroy(&par);
594 module_put(par.target->me);
599 ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
601 struct xt_tgdtor_param par;
602 struct ebt_entry_target *t;
607 if (cnt && (*cnt)-- == 0)
609 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
610 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
611 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
614 par.target = t->u.target;
615 par.targinfo = t->data;
616 par.family = NFPROTO_BRIDGE;
617 if (par.target->destroy != NULL)
618 par.target->destroy(&par);
619 module_put(par.target->me);
624 ebt_check_entry(struct ebt_entry *e, struct net *net,
625 const struct ebt_table_info *newinfo,
626 const char *name, unsigned int *cnt,
627 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
629 struct ebt_entry_target *t;
630 struct xt_target *target;
631 unsigned int i, j, hook = 0, hookmask = 0;
634 struct xt_mtchk_param mtpar;
635 struct xt_tgchk_param tgpar;
637 /* don't mess with the struct ebt_entries */
641 if (e->bitmask & ~EBT_F_MASK) {
642 BUGPRINT("Unknown flag for bitmask\n");
645 if (e->invflags & ~EBT_INV_MASK) {
646 BUGPRINT("Unknown flag for inv bitmask\n");
649 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
650 BUGPRINT("NOPROTO & 802_3 not allowed\n");
653 /* what hook do we belong to? */
654 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
655 if (!newinfo->hook_entry[i])
657 if ((char *)newinfo->hook_entry[i] < (char *)e)
662 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
664 if (i < NF_BR_NUMHOOKS)
665 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
667 for (i = 0; i < udc_cnt; i++)
668 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
671 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
673 hookmask = cl_s[i - 1].hookmask;
677 mtpar.net = tgpar.net = net;
678 mtpar.table = tgpar.table = name;
679 mtpar.entryinfo = tgpar.entryinfo = e;
680 mtpar.hook_mask = tgpar.hook_mask = hookmask;
681 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
682 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
684 goto cleanup_matches;
686 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
688 goto cleanup_watchers;
689 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
690 gap = e->next_offset - e->target_offset;
692 target = try_then_request_module(
693 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
694 "ebt_%s", t->u.name);
695 if (IS_ERR(target)) {
696 ret = PTR_ERR(target);
697 goto cleanup_watchers;
698 } else if (target == NULL) {
700 goto cleanup_watchers;
703 t->u.target = target;
704 if (t->u.target == &ebt_standard_target) {
705 if (gap < sizeof(struct ebt_standard_target)) {
706 BUGPRINT("Standard target size too big\n");
708 goto cleanup_watchers;
710 if (((struct ebt_standard_target *)t)->verdict <
711 -NUM_STANDARD_TARGETS) {
712 BUGPRINT("Invalid standard target\n");
714 goto cleanup_watchers;
716 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
717 module_put(t->u.target->me);
719 goto cleanup_watchers;
722 tgpar.target = target;
723 tgpar.targinfo = t->data;
724 ret = xt_check_target(&tgpar, t->target_size,
725 e->ethproto, e->invflags & EBT_IPROTO);
727 module_put(target->me);
728 goto cleanup_watchers;
733 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
735 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
740 * checks for loops and sets the hook mask for udc
741 * the hook mask for udc tells us from which base chains the udc can be
742 * accessed. This mask is a parameter to the check() functions of the extensions
744 static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
745 unsigned int udc_cnt, unsigned int hooknr, char *base)
747 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
748 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
749 const struct ebt_entry_target *t;
751 while (pos < nentries || chain_nr != -1) {
752 /* end of udc, go back one 'recursion' step */
753 if (pos == nentries) {
754 /* put back values of the time when this chain was called */
755 e = cl_s[chain_nr].cs.e;
756 if (cl_s[chain_nr].from != -1)
758 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
760 nentries = chain->nentries;
761 pos = cl_s[chain_nr].cs.n;
762 /* make sure we won't see a loop that isn't one */
763 cl_s[chain_nr].cs.n = 0;
764 chain_nr = cl_s[chain_nr].from;
768 t = (struct ebt_entry_target *)
769 (((char *)e) + e->target_offset);
770 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
772 if (e->target_offset + sizeof(struct ebt_standard_target) >
774 BUGPRINT("Standard target size too big\n");
777 verdict = ((struct ebt_standard_target *)t)->verdict;
778 if (verdict >= 0) { /* jump to another chain */
779 struct ebt_entries *hlp2 =
780 (struct ebt_entries *)(base + verdict);
781 for (i = 0; i < udc_cnt; i++)
782 if (hlp2 == cl_s[i].cs.chaininfo)
784 /* bad destination or loop */
786 BUGPRINT("bad destination\n");
793 if (cl_s[i].hookmask & (1 << hooknr))
795 /* this can't be 0, so the loop test is correct */
796 cl_s[i].cs.n = pos + 1;
798 cl_s[i].cs.e = ebt_next_entry(e);
799 e = (struct ebt_entry *)(hlp2->data);
800 nentries = hlp2->nentries;
801 cl_s[i].from = chain_nr;
803 /* this udc is accessible from the base chain for hooknr */
804 cl_s[i].hookmask |= (1 << hooknr);
808 e = ebt_next_entry(e);
814 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
815 static int translate_table(struct net *net, const char *name,
816 struct ebt_table_info *newinfo)
818 unsigned int i, j, k, udc_cnt;
820 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
823 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
825 if (i == NF_BR_NUMHOOKS) {
826 BUGPRINT("No valid hooks specified\n");
829 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
830 BUGPRINT("Chains don't start at beginning\n");
833 /* make sure chains are ordered after each other in same order
834 as their corresponding hooks */
835 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
836 if (!newinfo->hook_entry[j])
838 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
839 BUGPRINT("Hook order must be followed\n");
845 /* do some early checkings and initialize some things */
846 i = 0; /* holds the expected nr. of entries for the chain */
847 j = 0; /* holds the up to now counted entries for the chain */
848 k = 0; /* holds the total nr. of entries, should equal
849 newinfo->nentries afterwards */
850 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
851 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
852 ebt_check_entry_size_and_hooks, newinfo,
853 &i, &j, &k, &udc_cnt);
859 BUGPRINT("nentries does not equal the nr of entries in the "
863 if (k != newinfo->nentries) {
864 BUGPRINT("Total nentries is wrong\n");
868 /* get the location of the udc, put them in an array
869 while we're at it, allocate the chainstack */
871 /* this will get free'd in do_replace()/ebt_register_table()
872 if an error occurs */
873 newinfo->chainstack =
874 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
875 if (!newinfo->chainstack)
877 for_each_possible_cpu(i) {
878 newinfo->chainstack[i] =
879 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
880 if (!newinfo->chainstack[i]) {
882 vfree(newinfo->chainstack[--i]);
883 vfree(newinfo->chainstack);
884 newinfo->chainstack = NULL;
889 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
892 i = 0; /* the i'th udc */
893 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
894 ebt_get_udc_positions, newinfo, &i, cl_s);
897 BUGPRINT("i != udc_cnt\n");
903 /* Check for loops */
904 for (i = 0; i < NF_BR_NUMHOOKS; i++)
905 if (newinfo->hook_entry[i])
906 if (check_chainloops(newinfo->hook_entry[i],
907 cl_s, udc_cnt, i, newinfo->entries)) {
912 /* we now know the following (along with E=mc²):
913 - the nr of entries in each chain is right
914 - the size of the allocated space is right
915 - all valid hooks have a corresponding chain
917 - wrong data can still be on the level of a single entry
918 - could be there are jumps to places that are not the
919 beginning of a chain. This can only occur in chains that
920 are not accessible from any base chains, so we don't care. */
922 /* used to know what we need to clean up if something goes wrong */
924 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
925 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
927 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
928 ebt_cleanup_entry, net, &i);
934 /* called under write_lock */
935 static void get_counters(const struct ebt_counter *oldcounters,
936 struct ebt_counter *counters, unsigned int nentries)
939 struct ebt_counter *counter_base;
941 /* counters of cpu 0 */
942 memcpy(counters, oldcounters,
943 sizeof(struct ebt_counter) * nentries);
945 /* add other counters to those of cpu 0 */
946 for_each_possible_cpu(cpu) {
949 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
950 for (i = 0; i < nentries; i++) {
951 counters[i].pcnt += counter_base[i].pcnt;
952 counters[i].bcnt += counter_base[i].bcnt;
957 static int do_replace_finish(struct net *net, struct ebt_replace *repl,
958 struct ebt_table_info *newinfo)
961 struct ebt_counter *counterstmp = NULL;
962 /* used to be able to unlock earlier */
963 struct ebt_table_info *table;
966 /* the user wants counters back
967 the check on the size is done later, when we have the lock */
968 if (repl->num_counters) {
969 unsigned long size = repl->num_counters * sizeof(*counterstmp);
970 counterstmp = vmalloc(size);
975 newinfo->chainstack = NULL;
976 ret = ebt_verify_pointers(repl, newinfo);
978 goto free_counterstmp;
980 ret = translate_table(net, repl->name, newinfo);
983 goto free_counterstmp;
985 t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
991 /* the table doesn't like it */
992 if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
995 if (repl->num_counters && repl->num_counters != t->private->nentries) {
996 BUGPRINT("Wrong nr. of counters requested\n");
1001 /* we have the mutex lock, so no danger in reading this pointer */
1003 /* make sure the table can only be rmmod'ed if it contains no rules */
1004 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1007 } else if (table->nentries && !newinfo->nentries)
1009 /* we need an atomic snapshot of the counters */
1010 write_lock_bh(&t->lock);
1011 if (repl->num_counters)
1012 get_counters(t->private->counters, counterstmp,
1013 t->private->nentries);
1015 t->private = newinfo;
1016 write_unlock_bh(&t->lock);
1017 mutex_unlock(&ebt_mutex);
1018 /* so, a user can change the chains while having messed up her counter
1019 allocation. Only reason why this is done is because this way the lock
1020 is held only once, while this doesn't bring the kernel into a
1022 if (repl->num_counters &&
1023 copy_to_user(repl->counters, counterstmp,
1024 repl->num_counters * sizeof(struct ebt_counter))) {
1030 /* decrease module count and free resources */
1031 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1032 ebt_cleanup_entry, net, NULL);
1034 vfree(table->entries);
1035 if (table->chainstack) {
1036 for_each_possible_cpu(i)
1037 vfree(table->chainstack[i]);
1038 vfree(table->chainstack);
1046 mutex_unlock(&ebt_mutex);
1048 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1049 ebt_cleanup_entry, net, NULL);
1052 /* can be initialized in translate_table() */
1053 if (newinfo->chainstack) {
1054 for_each_possible_cpu(i)
1055 vfree(newinfo->chainstack[i]);
1056 vfree(newinfo->chainstack);
1061 /* replace the table */
1062 static int do_replace(struct net *net, const void __user *user,
1065 int ret, countersize;
1066 struct ebt_table_info *newinfo;
1067 struct ebt_replace tmp;
1069 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1072 if (len != sizeof(tmp) + tmp.entries_size) {
1073 BUGPRINT("Wrong len argument\n");
1077 if (tmp.entries_size == 0) {
1078 BUGPRINT("Entries_size never zero\n");
1081 /* overflow check */
1082 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
1083 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1085 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1088 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1089 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1094 memset(newinfo->counters, 0, countersize);
1096 newinfo->entries = vmalloc(tmp.entries_size);
1097 if (!newinfo->entries) {
1102 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1103 BUGPRINT("Couldn't copy entries from userspace\n");
1108 ret = do_replace_finish(net, &tmp, newinfo);
1112 vfree(newinfo->entries);
1119 ebt_register_table(struct net *net, const struct ebt_table *input_table)
1121 struct ebt_table_info *newinfo;
1122 struct ebt_table *t, *table;
1123 struct ebt_replace_kernel *repl;
1124 int ret, i, countersize;
1127 if (input_table == NULL || (repl = input_table->table) == NULL ||
1128 repl->entries == 0 || repl->entries_size == 0 ||
1129 repl->counters != NULL || input_table->private != NULL) {
1130 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1131 return ERR_PTR(-EINVAL);
1134 /* Don't add one table to multiple lists. */
1135 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1141 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1142 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1147 p = vmalloc(repl->entries_size);
1151 memcpy(p, repl->entries, repl->entries_size);
1152 newinfo->entries = p;
1154 newinfo->entries_size = repl->entries_size;
1155 newinfo->nentries = repl->nentries;
1158 memset(newinfo->counters, 0, countersize);
1160 /* fill in newinfo and parse the entries */
1161 newinfo->chainstack = NULL;
1162 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1163 if ((repl->valid_hooks & (1 << i)) == 0)
1164 newinfo->hook_entry[i] = NULL;
1166 newinfo->hook_entry[i] = p +
1167 ((char *)repl->hook_entry[i] - repl->entries);
1169 ret = translate_table(net, repl->name, newinfo);
1171 BUGPRINT("Translate_table failed\n");
1172 goto free_chainstack;
1175 if (table->check && table->check(newinfo, table->valid_hooks)) {
1176 BUGPRINT("The table doesn't like its own initial data, lol\n");
1177 return ERR_PTR(-EINVAL);
1180 table->private = newinfo;
1181 rwlock_init(&table->lock);
1182 ret = mutex_lock_interruptible(&ebt_mutex);
1184 goto free_chainstack;
1186 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1187 if (strcmp(t->name, table->name) == 0) {
1189 BUGPRINT("Table name already exists\n");
1194 /* Hold a reference count if the chains aren't empty */
1195 if (newinfo->nentries && !try_module_get(table->me)) {
1199 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1200 mutex_unlock(&ebt_mutex);
1203 mutex_unlock(&ebt_mutex);
1205 if (newinfo->chainstack) {
1206 for_each_possible_cpu(i)
1207 vfree(newinfo->chainstack[i]);
1208 vfree(newinfo->chainstack);
1210 vfree(newinfo->entries);
1216 return ERR_PTR(ret);
1219 void ebt_unregister_table(struct net *net, struct ebt_table *table)
1224 BUGPRINT("Request to unregister NULL table!!!\n");
1227 mutex_lock(&ebt_mutex);
1228 list_del(&table->list);
1229 mutex_unlock(&ebt_mutex);
1230 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1231 ebt_cleanup_entry, net, NULL);
1232 if (table->private->nentries)
1233 module_put(table->me);
1234 vfree(table->private->entries);
1235 if (table->private->chainstack) {
1236 for_each_possible_cpu(i)
1237 vfree(table->private->chainstack[i]);
1238 vfree(table->private->chainstack);
1240 vfree(table->private);
1244 /* userspace just supplied us with counters */
1245 static int update_counters(struct net *net, const void __user *user,
1249 struct ebt_counter *tmp;
1250 struct ebt_replace hlp;
1251 struct ebt_table *t;
1253 if (copy_from_user(&hlp, user, sizeof(hlp)))
1256 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1258 if (hlp.num_counters == 0)
1261 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp))))
1264 t = find_table_lock(net, hlp.name, &ret, &ebt_mutex);
1268 if (hlp.num_counters != t->private->nentries) {
1269 BUGPRINT("Wrong nr of counters\n");
1274 if ( copy_from_user(tmp, hlp.counters,
1275 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1276 BUGPRINT("Updata_counters && !cfu\n");
1281 /* we want an atomic add of the counters */
1282 write_lock_bh(&t->lock);
1284 /* we add to the counters of the first cpu */
1285 for (i = 0; i < hlp.num_counters; i++) {
1286 t->private->counters[i].pcnt += tmp[i].pcnt;
1287 t->private->counters[i].bcnt += tmp[i].bcnt;
1290 write_unlock_bh(&t->lock);
1293 mutex_unlock(&ebt_mutex);
1299 static inline int ebt_make_matchname(const struct ebt_entry_match *m,
1300 const char *base, char __user *ubase)
1302 char __user *hlp = ubase + ((char *)m - base);
1303 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1308 static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
1309 const char *base, char __user *ubase)
1311 char __user *hlp = ubase + ((char *)w - base);
1312 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1318 ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
1322 const struct ebt_entry_target *t;
1324 if (e->bitmask == 0)
1327 hlp = ubase + (((char *)e + e->target_offset) - base);
1328 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1330 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1333 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1336 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1341 static int copy_counters_to_user(struct ebt_table *t,
1342 const struct ebt_counter *oldcounters,
1343 void __user *user, unsigned int num_counters,
1344 unsigned int nentries)
1346 struct ebt_counter *counterstmp;
1349 /* userspace might not need the counters */
1350 if (num_counters == 0)
1353 if (num_counters != nentries) {
1354 BUGPRINT("Num_counters wrong\n");
1358 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1362 write_lock_bh(&t->lock);
1363 get_counters(oldcounters, counterstmp, nentries);
1364 write_unlock_bh(&t->lock);
1366 if (copy_to_user(user, counterstmp,
1367 nentries * sizeof(struct ebt_counter)))
1373 /* called with ebt_mutex locked */
1374 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1375 const int *len, int cmd)
1377 struct ebt_replace tmp;
1378 const struct ebt_counter *oldcounters;
1379 unsigned int entries_size, nentries;
1383 if (cmd == EBT_SO_GET_ENTRIES) {
1384 entries_size = t->private->entries_size;
1385 nentries = t->private->nentries;
1386 entries = t->private->entries;
1387 oldcounters = t->private->counters;
1389 entries_size = t->table->entries_size;
1390 nentries = t->table->nentries;
1391 entries = t->table->entries;
1392 oldcounters = t->table->counters;
1395 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1396 BUGPRINT("Cfu didn't work\n");
1400 if (*len != sizeof(struct ebt_replace) + entries_size +
1401 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1402 BUGPRINT("Wrong size\n");
1406 if (tmp.nentries != nentries) {
1407 BUGPRINT("Nentries wrong\n");
1411 if (tmp.entries_size != entries_size) {
1412 BUGPRINT("Wrong size\n");
1416 ret = copy_counters_to_user(t, oldcounters, tmp.counters,
1417 tmp.num_counters, nentries);
1421 if (copy_to_user(tmp.entries, entries, entries_size)) {
1422 BUGPRINT("Couldn't copy entries to userspace\n");
1425 /* set the match/watcher/target names right */
1426 return EBT_ENTRY_ITERATE(entries, entries_size,
1427 ebt_make_names, entries, tmp.entries);
1430 static int do_ebt_set_ctl(struct sock *sk,
1431 int cmd, void __user *user, unsigned int len)
1435 if (!capable(CAP_NET_ADMIN))
1439 case EBT_SO_SET_ENTRIES:
1440 ret = do_replace(sock_net(sk), user, len);
1442 case EBT_SO_SET_COUNTERS:
1443 ret = update_counters(sock_net(sk), user, len);
1451 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1454 struct ebt_replace tmp;
1455 struct ebt_table *t;
1457 if (!capable(CAP_NET_ADMIN))
1460 if (copy_from_user(&tmp, user, sizeof(tmp)))
1463 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1468 case EBT_SO_GET_INFO:
1469 case EBT_SO_GET_INIT_INFO:
1470 if (*len != sizeof(struct ebt_replace)){
1472 mutex_unlock(&ebt_mutex);
1475 if (cmd == EBT_SO_GET_INFO) {
1476 tmp.nentries = t->private->nentries;
1477 tmp.entries_size = t->private->entries_size;
1478 tmp.valid_hooks = t->valid_hooks;
1480 tmp.nentries = t->table->nentries;
1481 tmp.entries_size = t->table->entries_size;
1482 tmp.valid_hooks = t->table->valid_hooks;
1484 mutex_unlock(&ebt_mutex);
1485 if (copy_to_user(user, &tmp, *len) != 0){
1486 BUGPRINT("c2u Didn't work\n");
1493 case EBT_SO_GET_ENTRIES:
1494 case EBT_SO_GET_INIT_ENTRIES:
1495 ret = copy_everything_to_user(t, user, len, cmd);
1496 mutex_unlock(&ebt_mutex);
1500 mutex_unlock(&ebt_mutex);
1507 static struct nf_sockopt_ops ebt_sockopts =
1510 .set_optmin = EBT_BASE_CTL,
1511 .set_optmax = EBT_SO_SET_MAX + 1,
1512 .set = do_ebt_set_ctl,
1513 .get_optmin = EBT_BASE_CTL,
1514 .get_optmax = EBT_SO_GET_MAX + 1,
1515 .get = do_ebt_get_ctl,
1516 .owner = THIS_MODULE,
1519 static int __init ebtables_init(void)
1523 ret = xt_register_target(&ebt_standard_target);
1526 ret = nf_register_sockopt(&ebt_sockopts);
1528 xt_unregister_target(&ebt_standard_target);
1532 printk(KERN_INFO "Ebtables v2.0 registered\n");
1536 static void __exit ebtables_fini(void)
1538 nf_unregister_sockopt(&ebt_sockopts);
1539 xt_unregister_target(&ebt_standard_target);
1540 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1543 EXPORT_SYMBOL(ebt_register_table);
1544 EXPORT_SYMBOL(ebt_unregister_table);
1545 EXPORT_SYMBOL(ebt_do_table);
1546 module_init(ebtables_init);
1547 module_exit(ebtables_fini);
1548 MODULE_LICENSE("GPL");