5 * Bart De Schuymer <bdschuym@pandora.be>
7 * ebtables.c,v 2.0, July, 2002
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36 #define MEMPRINT(format, args...) printk("kernel msg: ebtables "\
37 ": out of memory: "format, ## args)
38 /* #define MEMPRINT(format, args...) */
43 * Each cpu has its own set of counters, so there is no need for write_lock in
45 * For reading or updating the counters, the user context needs to
49 /* The size of each set of counters is altered to get cache alignment */
50 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
51 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
52 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
53 COUNTER_OFFSET(n) * cpu))
57 static DEFINE_MUTEX(ebt_mutex);
59 static struct xt_target ebt_standard_target = {
62 .family = NFPROTO_BRIDGE,
63 .targetsize = sizeof(int),
67 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
68 struct xt_target_param *par)
70 par->target = w->u.watcher;
71 par->targinfo = w->data;
72 w->u.watcher->target(skb, par);
73 /* watchers don't give a verdict */
77 static inline int ebt_do_match (struct ebt_entry_match *m,
78 const struct sk_buff *skb, struct xt_match_param *par)
80 par->match = m->u.match;
81 par->matchinfo = m->data;
82 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
85 static inline int ebt_dev_check(char *entry, const struct net_device *device)
94 devname = device->name;
95 /* 1 is the wildcard token */
96 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
98 return (devname[i] != entry[i] && entry[i] != 1);
101 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102 /* process standard matches */
103 static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
104 const struct net_device *in, const struct net_device *out)
108 if (e->bitmask & EBT_802_3) {
109 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
111 } else if (!(e->bitmask & EBT_NOPROTO) &&
112 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
115 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
117 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
119 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
120 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
122 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
123 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
126 if (e->bitmask & EBT_SOURCEMAC) {
128 for (i = 0; i < 6; i++)
129 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
131 if (FWINV2(verdict != 0, EBT_ISOURCE) )
134 if (e->bitmask & EBT_DESTMAC) {
136 for (i = 0; i < 6; i++)
137 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
139 if (FWINV2(verdict != 0, EBT_IDEST) )
146 struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
148 return (void *)entry + entry->next_offset;
151 /* Do some firewalling */
152 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
153 const struct net_device *in, const struct net_device *out,
154 struct ebt_table *table)
157 struct ebt_entry *point;
158 struct ebt_counter *counter_base, *cb_base;
159 struct ebt_entry_target *t;
161 struct ebt_chainstack *cs;
162 struct ebt_entries *chaininfo;
164 struct ebt_table_info *private;
165 bool hotdrop = false;
166 struct xt_match_param mtpar;
167 struct xt_target_param tgpar;
169 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
170 mtpar.in = tgpar.in = in;
171 mtpar.out = tgpar.out = out;
172 mtpar.hotdrop = &hotdrop;
173 mtpar.hooknum = tgpar.hooknum = hook;
175 read_lock_bh(&table->lock);
176 private = table->private;
177 cb_base = COUNTER_BASE(private->counters, private->nentries,
179 if (private->chainstack)
180 cs = private->chainstack[smp_processor_id()];
183 chaininfo = private->hook_entry[hook];
184 nentries = private->hook_entry[hook]->nentries;
185 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
186 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
187 /* base for chain jumps */
188 base = private->entries;
190 while (i < nentries) {
191 if (ebt_basic_match(point, eth_hdr(skb), in, out))
194 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
197 read_unlock_bh(&table->lock);
201 /* increase counter */
202 (*(counter_base + i)).pcnt++;
203 (*(counter_base + i)).bcnt += skb->len;
205 /* these should only watch: not modify, nor tell us
206 what to do with the packet */
207 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
209 t = (struct ebt_entry_target *)
210 (((char *)point) + point->target_offset);
211 /* standard target */
212 if (!t->u.target->target)
213 verdict = ((struct ebt_standard_target *)t)->verdict;
215 tgpar.target = t->u.target;
216 tgpar.targinfo = t->data;
217 verdict = t->u.target->target(skb, &tgpar);
219 if (verdict == EBT_ACCEPT) {
220 read_unlock_bh(&table->lock);
223 if (verdict == EBT_DROP) {
224 read_unlock_bh(&table->lock);
227 if (verdict == EBT_RETURN) {
229 #ifdef CONFIG_NETFILTER_DEBUG
231 BUGPRINT("RETURN on base chain");
232 /* act like this is EBT_CONTINUE */
237 /* put all the local variables right */
239 chaininfo = cs[sp].chaininfo;
240 nentries = chaininfo->nentries;
242 counter_base = cb_base +
243 chaininfo->counter_offset;
246 if (verdict == EBT_CONTINUE)
248 #ifdef CONFIG_NETFILTER_DEBUG
250 BUGPRINT("bogus standard verdict\n");
251 read_unlock_bh(&table->lock);
257 cs[sp].chaininfo = chaininfo;
258 cs[sp].e = ebt_next_entry(point);
260 chaininfo = (struct ebt_entries *) (base + verdict);
261 #ifdef CONFIG_NETFILTER_DEBUG
262 if (chaininfo->distinguisher) {
263 BUGPRINT("jump to non-chain\n");
264 read_unlock_bh(&table->lock);
268 nentries = chaininfo->nentries;
269 point = (struct ebt_entry *)chaininfo->data;
270 counter_base = cb_base + chaininfo->counter_offset;
274 point = ebt_next_entry(point);
278 /* I actually like this :) */
279 if (chaininfo->policy == EBT_RETURN)
281 if (chaininfo->policy == EBT_ACCEPT) {
282 read_unlock_bh(&table->lock);
285 read_unlock_bh(&table->lock);
289 /* If it succeeds, returns element and locks mutex */
291 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
295 struct list_head list;
296 char name[EBT_FUNCTION_MAXNAMELEN];
299 *error = mutex_lock_interruptible(mutex);
303 list_for_each_entry(e, head, list) {
304 if (strcmp(e->name, name) == 0)
313 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
314 int *error, struct mutex *mutex)
316 return try_then_request_module(
317 find_inlist_lock_noload(head, name, error, mutex),
318 "%s%s", prefix, name);
321 static inline struct ebt_table *
322 find_table_lock(struct net *net, const char *name, int *error,
325 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
326 "ebtable_", error, mutex);
330 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
333 const struct ebt_entry *e = par->entryinfo;
334 struct xt_match *match;
335 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
338 if (left < sizeof(struct ebt_entry_match) ||
339 left - sizeof(struct ebt_entry_match) < m->match_size)
342 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
343 m->u.name, 0), "ebt_%s", m->u.name);
345 return PTR_ERR(match);
351 par->matchinfo = m->data;
352 ret = xt_check_match(par, m->match_size,
353 e->ethproto, e->invflags & EBT_IPROTO);
355 module_put(match->me);
364 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
367 const struct ebt_entry *e = par->entryinfo;
368 struct xt_target *watcher;
369 size_t left = ((char *)e + e->target_offset) - (char *)w;
372 if (left < sizeof(struct ebt_entry_watcher) ||
373 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
376 watcher = try_then_request_module(
377 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
378 "ebt_%s", w->u.name);
380 return PTR_ERR(watcher);
383 w->u.watcher = watcher;
385 par->target = watcher;
386 par->targinfo = w->data;
387 ret = xt_check_target(par, w->watcher_size,
388 e->ethproto, e->invflags & EBT_IPROTO);
390 module_put(watcher->me);
398 static int ebt_verify_pointers(struct ebt_replace *repl,
399 struct ebt_table_info *newinfo)
401 unsigned int limit = repl->entries_size;
402 unsigned int valid_hooks = repl->valid_hooks;
403 unsigned int offset = 0;
406 for (i = 0; i < NF_BR_NUMHOOKS; i++)
407 newinfo->hook_entry[i] = NULL;
409 newinfo->entries_size = repl->entries_size;
410 newinfo->nentries = repl->nentries;
412 while (offset < limit) {
413 size_t left = limit - offset;
414 struct ebt_entry *e = (void *)newinfo->entries + offset;
416 if (left < sizeof(unsigned int))
419 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
420 if ((valid_hooks & (1 << i)) == 0)
422 if ((char __user *)repl->hook_entry[i] ==
423 repl->entries + offset)
427 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
428 if (e->bitmask != 0) {
429 /* we make userspace set this right,
430 so there is no misunderstanding */
431 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
432 "in distinguisher\n");
435 if (i != NF_BR_NUMHOOKS)
436 newinfo->hook_entry[i] = (struct ebt_entries *)e;
437 if (left < sizeof(struct ebt_entries))
439 offset += sizeof(struct ebt_entries);
441 if (left < sizeof(struct ebt_entry))
443 if (left < e->next_offset)
445 offset += e->next_offset;
448 if (offset != limit) {
449 BUGPRINT("entries_size too small\n");
453 /* check if all valid hooks have a chain */
454 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
455 if (!newinfo->hook_entry[i] &&
456 (valid_hooks & (1 << i))) {
457 BUGPRINT("Valid hook without chain\n");
465 * this one is very careful, as it is the first function
466 * to parse the userspace data
469 ebt_check_entry_size_and_hooks(struct ebt_entry *e,
470 struct ebt_table_info *newinfo,
471 unsigned int *n, unsigned int *cnt,
472 unsigned int *totalcnt, unsigned int *udc_cnt)
476 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
477 if ((void *)e == (void *)newinfo->hook_entry[i])
480 /* beginning of a new chain
481 if i == NF_BR_NUMHOOKS it must be a user defined chain */
482 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
483 /* this checks if the previous chain has as many entries
486 BUGPRINT("nentries does not equal the nr of entries "
490 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
491 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
492 /* only RETURN from udc */
493 if (i != NF_BR_NUMHOOKS ||
494 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
495 BUGPRINT("bad policy\n");
499 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
501 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
502 BUGPRINT("counter_offset != totalcnt");
505 *n = ((struct ebt_entries *)e)->nentries;
509 /* a plain old entry, heh */
510 if (sizeof(struct ebt_entry) > e->watchers_offset ||
511 e->watchers_offset > e->target_offset ||
512 e->target_offset >= e->next_offset) {
513 BUGPRINT("entry offsets not in right order\n");
516 /* this is not checked anywhere else */
517 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
518 BUGPRINT("target size too small\n");
528 struct ebt_chainstack cs;
530 unsigned int hookmask;
534 * we need these positions to check that the jumps to a different part of the
535 * entries is a jump to the beginning of a new chain.
538 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
539 unsigned int *n, struct ebt_cl_stack *udc)
543 /* we're only interested in chain starts */
546 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
547 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
550 /* only care about udc */
551 if (i != NF_BR_NUMHOOKS)
554 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
555 /* these initialisations are depended on later in check_chainloops() */
557 udc[*n].hookmask = 0;
564 ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i)
566 struct xt_mtdtor_param par;
568 if (i && (*i)-- == 0)
571 par.match = m->u.match;
572 par.matchinfo = m->data;
573 par.family = NFPROTO_BRIDGE;
574 if (par.match->destroy != NULL)
575 par.match->destroy(&par);
576 module_put(par.match->me);
581 ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i)
583 struct xt_tgdtor_param par;
585 if (i && (*i)-- == 0)
588 par.target = w->u.watcher;
589 par.targinfo = w->data;
590 par.family = NFPROTO_BRIDGE;
591 if (par.target->destroy != NULL)
592 par.target->destroy(&par);
593 module_put(par.target->me);
598 ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
600 struct xt_tgdtor_param par;
601 struct ebt_entry_target *t;
606 if (cnt && (*cnt)-- == 0)
608 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL);
609 EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL);
610 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
612 par.target = t->u.target;
613 par.targinfo = t->data;
614 par.family = NFPROTO_BRIDGE;
615 if (par.target->destroy != NULL)
616 par.target->destroy(&par);
617 module_put(par.target->me);
622 ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
623 const char *name, unsigned int *cnt,
624 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
626 struct ebt_entry_target *t;
627 struct xt_target *target;
628 unsigned int i, j, hook = 0, hookmask = 0;
631 struct xt_mtchk_param mtpar;
632 struct xt_tgchk_param tgpar;
634 /* don't mess with the struct ebt_entries */
638 if (e->bitmask & ~EBT_F_MASK) {
639 BUGPRINT("Unknown flag for bitmask\n");
642 if (e->invflags & ~EBT_INV_MASK) {
643 BUGPRINT("Unknown flag for inv bitmask\n");
646 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
647 BUGPRINT("NOPROTO & 802_3 not allowed\n");
650 /* what hook do we belong to? */
651 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
652 if (!newinfo->hook_entry[i])
654 if ((char *)newinfo->hook_entry[i] < (char *)e)
659 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
661 if (i < NF_BR_NUMHOOKS)
662 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
664 for (i = 0; i < udc_cnt; i++)
665 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
668 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
670 hookmask = cl_s[i - 1].hookmask;
674 mtpar.table = tgpar.table = name;
675 mtpar.entryinfo = tgpar.entryinfo = e;
676 mtpar.hook_mask = tgpar.hook_mask = hookmask;
677 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
678 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
680 goto cleanup_matches;
682 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
684 goto cleanup_watchers;
685 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
686 gap = e->next_offset - e->target_offset;
688 target = try_then_request_module(
689 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
690 "ebt_%s", t->u.name);
691 if (IS_ERR(target)) {
692 ret = PTR_ERR(target);
693 goto cleanup_watchers;
694 } else if (target == NULL) {
696 goto cleanup_watchers;
699 t->u.target = target;
700 if (t->u.target == &ebt_standard_target) {
701 if (gap < sizeof(struct ebt_standard_target)) {
702 BUGPRINT("Standard target size too big\n");
704 goto cleanup_watchers;
706 if (((struct ebt_standard_target *)t)->verdict <
707 -NUM_STANDARD_TARGETS) {
708 BUGPRINT("Invalid standard target\n");
710 goto cleanup_watchers;
712 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
713 module_put(t->u.target->me);
715 goto cleanup_watchers;
718 tgpar.target = target;
719 tgpar.targinfo = t->data;
720 ret = xt_check_target(&tgpar, t->target_size,
721 e->ethproto, e->invflags & EBT_IPROTO);
723 module_put(target->me);
724 goto cleanup_watchers;
729 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j);
731 EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i);
736 * checks for loops and sets the hook mask for udc
737 * the hook mask for udc tells us from which base chains the udc can be
738 * accessed. This mask is a parameter to the check() functions of the extensions
740 static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
741 unsigned int udc_cnt, unsigned int hooknr, char *base)
743 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
744 struct ebt_entry *e = (struct ebt_entry *)chain->data;
745 struct ebt_entry_target *t;
747 while (pos < nentries || chain_nr != -1) {
748 /* end of udc, go back one 'recursion' step */
749 if (pos == nentries) {
750 /* put back values of the time when this chain was called */
751 e = cl_s[chain_nr].cs.e;
752 if (cl_s[chain_nr].from != -1)
754 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
756 nentries = chain->nentries;
757 pos = cl_s[chain_nr].cs.n;
758 /* make sure we won't see a loop that isn't one */
759 cl_s[chain_nr].cs.n = 0;
760 chain_nr = cl_s[chain_nr].from;
764 t = (struct ebt_entry_target *)
765 (((char *)e) + e->target_offset);
766 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
768 if (e->target_offset + sizeof(struct ebt_standard_target) >
770 BUGPRINT("Standard target size too big\n");
773 verdict = ((struct ebt_standard_target *)t)->verdict;
774 if (verdict >= 0) { /* jump to another chain */
775 struct ebt_entries *hlp2 =
776 (struct ebt_entries *)(base + verdict);
777 for (i = 0; i < udc_cnt; i++)
778 if (hlp2 == cl_s[i].cs.chaininfo)
780 /* bad destination or loop */
782 BUGPRINT("bad destination\n");
789 if (cl_s[i].hookmask & (1 << hooknr))
791 /* this can't be 0, so the loop test is correct */
792 cl_s[i].cs.n = pos + 1;
794 cl_s[i].cs.e = ebt_next_entry(e);
795 e = (struct ebt_entry *)(hlp2->data);
796 nentries = hlp2->nentries;
797 cl_s[i].from = chain_nr;
799 /* this udc is accessible from the base chain for hooknr */
800 cl_s[i].hookmask |= (1 << hooknr);
804 e = ebt_next_entry(e);
810 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
811 static int translate_table(char *name, struct ebt_table_info *newinfo)
813 unsigned int i, j, k, udc_cnt;
815 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
818 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
820 if (i == NF_BR_NUMHOOKS) {
821 BUGPRINT("No valid hooks specified\n");
824 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
825 BUGPRINT("Chains don't start at beginning\n");
828 /* make sure chains are ordered after each other in same order
829 as their corresponding hooks */
830 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
831 if (!newinfo->hook_entry[j])
833 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
834 BUGPRINT("Hook order must be followed\n");
840 /* do some early checkings and initialize some things */
841 i = 0; /* holds the expected nr. of entries for the chain */
842 j = 0; /* holds the up to now counted entries for the chain */
843 k = 0; /* holds the total nr. of entries, should equal
844 newinfo->nentries afterwards */
845 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
846 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
847 ebt_check_entry_size_and_hooks, newinfo,
848 &i, &j, &k, &udc_cnt);
854 BUGPRINT("nentries does not equal the nr of entries in the "
858 if (k != newinfo->nentries) {
859 BUGPRINT("Total nentries is wrong\n");
863 /* get the location of the udc, put them in an array
864 while we're at it, allocate the chainstack */
866 /* this will get free'd in do_replace()/ebt_register_table()
867 if an error occurs */
868 newinfo->chainstack =
869 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
870 if (!newinfo->chainstack)
872 for_each_possible_cpu(i) {
873 newinfo->chainstack[i] =
874 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
875 if (!newinfo->chainstack[i]) {
877 vfree(newinfo->chainstack[--i]);
878 vfree(newinfo->chainstack);
879 newinfo->chainstack = NULL;
884 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
887 i = 0; /* the i'th udc */
888 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
889 ebt_get_udc_positions, newinfo, &i, cl_s);
892 BUGPRINT("i != udc_cnt\n");
898 /* Check for loops */
899 for (i = 0; i < NF_BR_NUMHOOKS; i++)
900 if (newinfo->hook_entry[i])
901 if (check_chainloops(newinfo->hook_entry[i],
902 cl_s, udc_cnt, i, newinfo->entries)) {
907 /* we now know the following (along with E=mc²):
908 - the nr of entries in each chain is right
909 - the size of the allocated space is right
910 - all valid hooks have a corresponding chain
912 - wrong data can still be on the level of a single entry
913 - could be there are jumps to places that are not the
914 beginning of a chain. This can only occur in chains that
915 are not accessible from any base chains, so we don't care. */
917 /* used to know what we need to clean up if something goes wrong */
919 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
920 ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt);
922 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
923 ebt_cleanup_entry, &i);
929 /* called under write_lock */
930 static void get_counters(struct ebt_counter *oldcounters,
931 struct ebt_counter *counters, unsigned int nentries)
934 struct ebt_counter *counter_base;
936 /* counters of cpu 0 */
937 memcpy(counters, oldcounters,
938 sizeof(struct ebt_counter) * nentries);
940 /* add other counters to those of cpu 0 */
941 for_each_possible_cpu(cpu) {
944 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
945 for (i = 0; i < nentries; i++) {
946 counters[i].pcnt += counter_base[i].pcnt;
947 counters[i].bcnt += counter_base[i].bcnt;
952 /* replace the table */
953 static int do_replace(struct net *net, void __user *user, unsigned int len)
955 int ret, i, countersize;
956 struct ebt_table_info *newinfo;
957 struct ebt_replace tmp;
959 struct ebt_counter *counterstmp = NULL;
960 /* used to be able to unlock earlier */
961 struct ebt_table_info *table;
963 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
966 if (len != sizeof(tmp) + tmp.entries_size) {
967 BUGPRINT("Wrong len argument\n");
971 if (tmp.entries_size == 0) {
972 BUGPRINT("Entries_size never zero\n");
976 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
977 SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
979 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
982 tmp.name[sizeof(tmp.name) - 1] = 0;
984 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
985 newinfo = vmalloc(sizeof(*newinfo) + countersize);
990 memset(newinfo->counters, 0, countersize);
992 newinfo->entries = vmalloc(tmp.entries_size);
993 if (!newinfo->entries) {
998 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
999 BUGPRINT("Couldn't copy entries from userspace\n");
1004 /* the user wants counters back
1005 the check on the size is done later, when we have the lock */
1006 if (tmp.num_counters) {
1007 counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
1016 /* this can get initialized by translate_table() */
1017 newinfo->chainstack = NULL;
1018 ret = ebt_verify_pointers(&tmp, newinfo);
1020 goto free_counterstmp;
1022 ret = translate_table(tmp.name, newinfo);
1025 goto free_counterstmp;
1027 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1033 /* the table doesn't like it */
1034 if (t->check && (ret = t->check(newinfo, tmp.valid_hooks)))
1037 if (tmp.num_counters && tmp.num_counters != t->private->nentries) {
1038 BUGPRINT("Wrong nr. of counters requested\n");
1043 /* we have the mutex lock, so no danger in reading this pointer */
1045 /* make sure the table can only be rmmod'ed if it contains no rules */
1046 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1049 } else if (table->nentries && !newinfo->nentries)
1051 /* we need an atomic snapshot of the counters */
1052 write_lock_bh(&t->lock);
1053 if (tmp.num_counters)
1054 get_counters(t->private->counters, counterstmp,
1055 t->private->nentries);
1057 t->private = newinfo;
1058 write_unlock_bh(&t->lock);
1059 mutex_unlock(&ebt_mutex);
1060 /* so, a user can change the chains while having messed up her counter
1061 allocation. Only reason why this is done is because this way the lock
1062 is held only once, while this doesn't bring the kernel into a
1064 if (tmp.num_counters &&
1065 copy_to_user(tmp.counters, counterstmp,
1066 tmp.num_counters * sizeof(struct ebt_counter))) {
1067 BUGPRINT("Couldn't copy counters to userspace\n");
1073 /* decrease module count and free resources */
1074 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1075 ebt_cleanup_entry, NULL);
1077 vfree(table->entries);
1078 if (table->chainstack) {
1079 for_each_possible_cpu(i)
1080 vfree(table->chainstack[i]);
1081 vfree(table->chainstack);
1089 mutex_unlock(&ebt_mutex);
1091 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1092 ebt_cleanup_entry, NULL);
1095 /* can be initialized in translate_table() */
1096 if (newinfo->chainstack) {
1097 for_each_possible_cpu(i)
1098 vfree(newinfo->chainstack[i]);
1099 vfree(newinfo->chainstack);
1102 vfree(newinfo->entries);
1109 ebt_register_table(struct net *net, const struct ebt_table *input_table)
1111 struct ebt_table_info *newinfo;
1112 struct ebt_table *t, *table;
1113 struct ebt_replace_kernel *repl;
1114 int ret, i, countersize;
1117 if (input_table == NULL || (repl = input_table->table) == NULL ||
1118 repl->entries == 0 || repl->entries_size == 0 ||
1119 repl->counters != NULL || input_table->private != NULL) {
1120 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1121 return ERR_PTR(-EINVAL);
1124 /* Don't add one table to multiple lists. */
1125 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1131 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1132 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1137 p = vmalloc(repl->entries_size);
1141 memcpy(p, repl->entries, repl->entries_size);
1142 newinfo->entries = p;
1144 newinfo->entries_size = repl->entries_size;
1145 newinfo->nentries = repl->nentries;
1148 memset(newinfo->counters, 0, countersize);
1150 /* fill in newinfo and parse the entries */
1151 newinfo->chainstack = NULL;
1152 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1153 if ((repl->valid_hooks & (1 << i)) == 0)
1154 newinfo->hook_entry[i] = NULL;
1156 newinfo->hook_entry[i] = p +
1157 ((char *)repl->hook_entry[i] - repl->entries);
1159 ret = translate_table(repl->name, newinfo);
1161 BUGPRINT("Translate_table failed\n");
1162 goto free_chainstack;
1165 if (table->check && table->check(newinfo, table->valid_hooks)) {
1166 BUGPRINT("The table doesn't like its own initial data, lol\n");
1167 return ERR_PTR(-EINVAL);
1170 table->private = newinfo;
1171 rwlock_init(&table->lock);
1172 ret = mutex_lock_interruptible(&ebt_mutex);
1174 goto free_chainstack;
1176 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1177 if (strcmp(t->name, table->name) == 0) {
1179 BUGPRINT("Table name already exists\n");
1184 /* Hold a reference count if the chains aren't empty */
1185 if (newinfo->nentries && !try_module_get(table->me)) {
1189 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1190 mutex_unlock(&ebt_mutex);
1193 mutex_unlock(&ebt_mutex);
1195 if (newinfo->chainstack) {
1196 for_each_possible_cpu(i)
1197 vfree(newinfo->chainstack[i]);
1198 vfree(newinfo->chainstack);
1200 vfree(newinfo->entries);
1206 return ERR_PTR(ret);
1209 void ebt_unregister_table(struct ebt_table *table)
1214 BUGPRINT("Request to unregister NULL table!!!\n");
1217 mutex_lock(&ebt_mutex);
1218 list_del(&table->list);
1219 mutex_unlock(&ebt_mutex);
1220 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1221 ebt_cleanup_entry, NULL);
1222 if (table->private->nentries)
1223 module_put(table->me);
1224 vfree(table->private->entries);
1225 if (table->private->chainstack) {
1226 for_each_possible_cpu(i)
1227 vfree(table->private->chainstack[i]);
1228 vfree(table->private->chainstack);
1230 vfree(table->private);
1234 /* userspace just supplied us with counters */
1235 static int update_counters(struct net *net, void __user *user, unsigned int len)
1238 struct ebt_counter *tmp;
1239 struct ebt_replace hlp;
1240 struct ebt_table *t;
1242 if (copy_from_user(&hlp, user, sizeof(hlp)))
1245 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1247 if (hlp.num_counters == 0)
1250 if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
1251 MEMPRINT("Update_counters && nomemory\n");
1255 t = find_table_lock(net, hlp.name, &ret, &ebt_mutex);
1259 if (hlp.num_counters != t->private->nentries) {
1260 BUGPRINT("Wrong nr of counters\n");
1265 if ( copy_from_user(tmp, hlp.counters,
1266 hlp.num_counters * sizeof(struct ebt_counter)) ) {
1267 BUGPRINT("Updata_counters && !cfu\n");
1272 /* we want an atomic add of the counters */
1273 write_lock_bh(&t->lock);
1275 /* we add to the counters of the first cpu */
1276 for (i = 0; i < hlp.num_counters; i++) {
1277 t->private->counters[i].pcnt += tmp[i].pcnt;
1278 t->private->counters[i].bcnt += tmp[i].bcnt;
1281 write_unlock_bh(&t->lock);
1284 mutex_unlock(&ebt_mutex);
1290 static inline int ebt_make_matchname(struct ebt_entry_match *m,
1291 char *base, char __user *ubase)
1293 char __user *hlp = ubase + ((char *)m - base);
1294 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1299 static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1300 char *base, char __user *ubase)
1302 char __user *hlp = ubase + ((char *)w - base);
1303 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1308 static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
1312 struct ebt_entry_target *t;
1314 if (e->bitmask == 0)
1317 hlp = ubase + (((char *)e + e->target_offset) - base);
1318 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1320 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1323 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1326 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1331 /* called with ebt_mutex locked */
1332 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1335 struct ebt_replace tmp;
1336 struct ebt_counter *counterstmp, *oldcounters;
1337 unsigned int entries_size, nentries;
1340 if (cmd == EBT_SO_GET_ENTRIES) {
1341 entries_size = t->private->entries_size;
1342 nentries = t->private->nentries;
1343 entries = t->private->entries;
1344 oldcounters = t->private->counters;
1346 entries_size = t->table->entries_size;
1347 nentries = t->table->nentries;
1348 entries = t->table->entries;
1349 oldcounters = t->table->counters;
1352 if (copy_from_user(&tmp, user, sizeof(tmp))) {
1353 BUGPRINT("Cfu didn't work\n");
1357 if (*len != sizeof(struct ebt_replace) + entries_size +
1358 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) {
1359 BUGPRINT("Wrong size\n");
1363 if (tmp.nentries != nentries) {
1364 BUGPRINT("Nentries wrong\n");
1368 if (tmp.entries_size != entries_size) {
1369 BUGPRINT("Wrong size\n");
1373 /* userspace might not need the counters */
1374 if (tmp.num_counters) {
1375 if (tmp.num_counters != nentries) {
1376 BUGPRINT("Num_counters wrong\n");
1379 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1381 MEMPRINT("Couldn't copy counters, out of memory\n");
1384 write_lock_bh(&t->lock);
1385 get_counters(oldcounters, counterstmp, nentries);
1386 write_unlock_bh(&t->lock);
1388 if (copy_to_user(tmp.counters, counterstmp,
1389 nentries * sizeof(struct ebt_counter))) {
1390 BUGPRINT("Couldn't copy counters to userspace\n");
1397 if (copy_to_user(tmp.entries, entries, entries_size)) {
1398 BUGPRINT("Couldn't copy entries to userspace\n");
1401 /* set the match/watcher/target names right */
1402 return EBT_ENTRY_ITERATE(entries, entries_size,
1403 ebt_make_names, entries, tmp.entries);
1406 static int do_ebt_set_ctl(struct sock *sk,
1407 int cmd, void __user *user, unsigned int len)
1411 if (!capable(CAP_NET_ADMIN))
1415 case EBT_SO_SET_ENTRIES:
1416 ret = do_replace(sock_net(sk), user, len);
1418 case EBT_SO_SET_COUNTERS:
1419 ret = update_counters(sock_net(sk), user, len);
1427 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1430 struct ebt_replace tmp;
1431 struct ebt_table *t;
1433 if (!capable(CAP_NET_ADMIN))
1436 if (copy_from_user(&tmp, user, sizeof(tmp)))
1439 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1444 case EBT_SO_GET_INFO:
1445 case EBT_SO_GET_INIT_INFO:
1446 if (*len != sizeof(struct ebt_replace)){
1448 mutex_unlock(&ebt_mutex);
1451 if (cmd == EBT_SO_GET_INFO) {
1452 tmp.nentries = t->private->nentries;
1453 tmp.entries_size = t->private->entries_size;
1454 tmp.valid_hooks = t->valid_hooks;
1456 tmp.nentries = t->table->nentries;
1457 tmp.entries_size = t->table->entries_size;
1458 tmp.valid_hooks = t->table->valid_hooks;
1460 mutex_unlock(&ebt_mutex);
1461 if (copy_to_user(user, &tmp, *len) != 0){
1462 BUGPRINT("c2u Didn't work\n");
1469 case EBT_SO_GET_ENTRIES:
1470 case EBT_SO_GET_INIT_ENTRIES:
1471 ret = copy_everything_to_user(t, user, len, cmd);
1472 mutex_unlock(&ebt_mutex);
1476 mutex_unlock(&ebt_mutex);
1483 static struct nf_sockopt_ops ebt_sockopts =
1486 .set_optmin = EBT_BASE_CTL,
1487 .set_optmax = EBT_SO_SET_MAX + 1,
1488 .set = do_ebt_set_ctl,
1489 .get_optmin = EBT_BASE_CTL,
1490 .get_optmax = EBT_SO_GET_MAX + 1,
1491 .get = do_ebt_get_ctl,
1492 .owner = THIS_MODULE,
1495 static int __init ebtables_init(void)
1499 ret = xt_register_target(&ebt_standard_target);
1502 ret = nf_register_sockopt(&ebt_sockopts);
1504 xt_unregister_target(&ebt_standard_target);
1508 printk(KERN_INFO "Ebtables v2.0 registered\n");
1512 static void __exit ebtables_fini(void)
1514 nf_unregister_sockopt(&ebt_sockopts);
1515 xt_unregister_target(&ebt_standard_target);
1516 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1519 EXPORT_SYMBOL(ebt_register_table);
1520 EXPORT_SYMBOL(ebt_unregister_table);
1521 EXPORT_SYMBOL(ebt_do_table);
1522 module_init(ebtables_init);
1523 module_exit(ebtables_fini);
1524 MODULE_LICENSE("GPL");
projects / librecmc / linux-libre.git / blob