Commit | Line | Data |
---|---|---|
6f52b16c | 1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ |
55c5cd3c DH |
2 | /* |
3 | * ebtables | |
4 | * | |
5 | * Authors: | |
6 | * Bart De Schuymer <bdschuym@pandora.be> | |
7 | * | |
8 | * ebtables.c,v 2.0, April, 2002 | |
9 | * | |
069d4a7b | 10 | * This code is strongly inspired by the iptables code which is |
55c5cd3c DH |
11 | * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling |
12 | */ | |
13 | ||
14 | #ifndef _UAPI__LINUX_BRIDGE_EFF_H | |
15 | #define _UAPI__LINUX_BRIDGE_EFF_H | |
dad15819 MR |
16 | #include <linux/types.h> |
17 | #include <linux/if.h> | |
55c5cd3c | 18 | #include <linux/netfilter_bridge.h> |
55c5cd3c DH |
19 | |
20 | #define EBT_TABLE_MAXNAMELEN 32 | |
21 | #define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN | |
22 | #define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN | |
39c202d2 | 23 | #define EBT_EXTENSION_MAXNAMELEN 31 |
55c5cd3c DH |
24 | |
25 | /* verdicts >0 are "branches" */ | |
26 | #define EBT_ACCEPT -1 | |
27 | #define EBT_DROP -2 | |
28 | #define EBT_CONTINUE -3 | |
29 | #define EBT_RETURN -4 | |
30 | #define NUM_STANDARD_TARGETS 4 | |
31 | /* ebtables target modules store the verdict inside an int. We can | |
32 | * reclaim a part of this int for backwards compatible extensions. | |
33 | * The 4 lsb are more than enough to store the verdict. */ | |
34 | #define EBT_VERDICT_BITS 0x0000000F | |
35 | ||
36 | struct xt_match; | |
37 | struct xt_target; | |
38 | ||
39 | struct ebt_counter { | |
dad15819 MR |
40 | __u64 pcnt; |
41 | __u64 bcnt; | |
55c5cd3c DH |
42 | }; |
43 | ||
44 | struct ebt_replace { | |
45 | char name[EBT_TABLE_MAXNAMELEN]; | |
46 | unsigned int valid_hooks; | |
47 | /* nr of rules in the table */ | |
48 | unsigned int nentries; | |
49 | /* total size of the entries */ | |
50 | unsigned int entries_size; | |
51 | /* start of the chains */ | |
52 | struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS]; | |
53 | /* nr of counters userspace expects back */ | |
54 | unsigned int num_counters; | |
55 | /* where the kernel will put the old counters */ | |
56 | struct ebt_counter __user *counters; | |
57 | char __user *entries; | |
58 | }; | |
59 | ||
60 | struct ebt_replace_kernel { | |
61 | char name[EBT_TABLE_MAXNAMELEN]; | |
62 | unsigned int valid_hooks; | |
63 | /* nr of rules in the table */ | |
64 | unsigned int nentries; | |
65 | /* total size of the entries */ | |
66 | unsigned int entries_size; | |
67 | /* start of the chains */ | |
68 | struct ebt_entries *hook_entry[NF_BR_NUMHOOKS]; | |
69 | /* nr of counters userspace expects back */ | |
70 | unsigned int num_counters; | |
71 | /* where the kernel will put the old counters */ | |
72 | struct ebt_counter *counters; | |
73 | char *entries; | |
74 | }; | |
75 | ||
76 | struct ebt_entries { | |
77 | /* this field is always set to zero | |
78 | * See EBT_ENTRY_OR_ENTRIES. | |
79 | * Must be same size as ebt_entry.bitmask */ | |
80 | unsigned int distinguisher; | |
81 | /* the chain name */ | |
82 | char name[EBT_CHAIN_MAXNAMELEN]; | |
83 | /* counter offset for this chain */ | |
84 | unsigned int counter_offset; | |
85 | /* one standard (accept, drop, return) per hook */ | |
86 | int policy; | |
87 | /* nr. of entries */ | |
88 | unsigned int nentries; | |
89 | /* entry list */ | |
90 | char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); | |
91 | }; | |
92 | ||
93 | /* used for the bitmask of struct ebt_entry */ | |
94 | ||
95 | /* This is a hack to make a difference between an ebt_entry struct and an | |
96 | * ebt_entries struct when traversing the entries from start to end. | |
97 | * Using this simplifies the code a lot, while still being able to use | |
98 | * ebt_entries. | |
99 | * Contrary, iptables doesn't use something like ebt_entries and therefore uses | |
100 | * different techniques for naming the policy and such. So, iptables doesn't | |
101 | * need a hack like this. | |
102 | */ | |
103 | #define EBT_ENTRY_OR_ENTRIES 0x01 | |
104 | /* these are the normal masks */ | |
105 | #define EBT_NOPROTO 0x02 | |
106 | #define EBT_802_3 0x04 | |
107 | #define EBT_SOURCEMAC 0x08 | |
108 | #define EBT_DESTMAC 0x10 | |
109 | #define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \ | |
110 | | EBT_ENTRY_OR_ENTRIES) | |
111 | ||
112 | #define EBT_IPROTO 0x01 | |
113 | #define EBT_IIN 0x02 | |
114 | #define EBT_IOUT 0x04 | |
115 | #define EBT_ISOURCE 0x8 | |
116 | #define EBT_IDEST 0x10 | |
117 | #define EBT_ILOGICALIN 0x20 | |
118 | #define EBT_ILOGICALOUT 0x40 | |
119 | #define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ | |
120 | | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) | |
121 | ||
122 | struct ebt_entry_match { | |
123 | union { | |
39c202d2 BH |
124 | struct { |
125 | char name[EBT_EXTENSION_MAXNAMELEN]; | |
20ff1cb5 | 126 | __u8 revision; |
39c202d2 | 127 | }; |
55c5cd3c DH |
128 | struct xt_match *match; |
129 | } u; | |
130 | /* size of data */ | |
131 | unsigned int match_size; | |
132 | unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); | |
133 | }; | |
134 | ||
135 | struct ebt_entry_watcher { | |
136 | union { | |
39c202d2 BH |
137 | struct { |
138 | char name[EBT_EXTENSION_MAXNAMELEN]; | |
20ff1cb5 | 139 | __u8 revision; |
39c202d2 | 140 | }; |
55c5cd3c DH |
141 | struct xt_target *watcher; |
142 | } u; | |
143 | /* size of data */ | |
144 | unsigned int watcher_size; | |
145 | unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); | |
146 | }; | |
147 | ||
148 | struct ebt_entry_target { | |
149 | union { | |
39c202d2 BH |
150 | struct { |
151 | char name[EBT_EXTENSION_MAXNAMELEN]; | |
20ff1cb5 | 152 | __u8 revision; |
39c202d2 | 153 | }; |
55c5cd3c DH |
154 | struct xt_target *target; |
155 | } u; | |
156 | /* size of data */ | |
157 | unsigned int target_size; | |
158 | unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); | |
159 | }; | |
160 | ||
161 | #define EBT_STANDARD_TARGET "standard" | |
162 | struct ebt_standard_target { | |
163 | struct ebt_entry_target target; | |
164 | int verdict; | |
165 | }; | |
166 | ||
167 | /* one entry */ | |
168 | struct ebt_entry { | |
169 | /* this needs to be the first field */ | |
170 | unsigned int bitmask; | |
171 | unsigned int invflags; | |
172 | __be16 ethproto; | |
173 | /* the physical in-dev */ | |
174 | char in[IFNAMSIZ]; | |
175 | /* the logical in-dev */ | |
176 | char logical_in[IFNAMSIZ]; | |
177 | /* the physical out-dev */ | |
178 | char out[IFNAMSIZ]; | |
179 | /* the logical out-dev */ | |
180 | char logical_out[IFNAMSIZ]; | |
181 | unsigned char sourcemac[ETH_ALEN]; | |
182 | unsigned char sourcemsk[ETH_ALEN]; | |
183 | unsigned char destmac[ETH_ALEN]; | |
184 | unsigned char destmsk[ETH_ALEN]; | |
185 | /* sizeof ebt_entry + matches */ | |
186 | unsigned int watchers_offset; | |
187 | /* sizeof ebt_entry + matches + watchers */ | |
188 | unsigned int target_offset; | |
189 | /* sizeof ebt_entry + matches + watchers + target */ | |
190 | unsigned int next_offset; | |
191 | unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); | |
192 | }; | |
193 | ||
a1d768f1 TY |
194 | static __inline__ struct ebt_entry_target * |
195 | ebt_get_target(struct ebt_entry *e) | |
196 | { | |
197 | return (void *)e + e->target_offset; | |
198 | } | |
199 | ||
55c5cd3c DH |
200 | /* {g,s}etsockopt numbers */ |
201 | #define EBT_BASE_CTL 128 | |
202 | ||
203 | #define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) | |
204 | #define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1) | |
205 | #define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1) | |
206 | ||
207 | #define EBT_SO_GET_INFO (EBT_BASE_CTL) | |
208 | #define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1) | |
209 | #define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1) | |
210 | #define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1) | |
211 | #define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1) | |
212 | ||
213 | ||
214 | /* blatently stolen from ip_tables.h | |
215 | * fn returns 0 to continue iteration */ | |
216 | #define EBT_MATCH_ITERATE(e, fn, args...) \ | |
217 | ({ \ | |
218 | unsigned int __i; \ | |
219 | int __ret = 0; \ | |
220 | struct ebt_entry_match *__match; \ | |
221 | \ | |
222 | for (__i = sizeof(struct ebt_entry); \ | |
223 | __i < (e)->watchers_offset; \ | |
224 | __i += __match->match_size + \ | |
225 | sizeof(struct ebt_entry_match)) { \ | |
226 | __match = (void *)(e) + __i; \ | |
227 | \ | |
228 | __ret = fn(__match , ## args); \ | |
229 | if (__ret != 0) \ | |
230 | break; \ | |
231 | } \ | |
232 | if (__ret == 0) { \ | |
233 | if (__i != (e)->watchers_offset) \ | |
234 | __ret = -EINVAL; \ | |
235 | } \ | |
236 | __ret; \ | |
237 | }) | |
238 | ||
239 | #define EBT_WATCHER_ITERATE(e, fn, args...) \ | |
240 | ({ \ | |
241 | unsigned int __i; \ | |
242 | int __ret = 0; \ | |
243 | struct ebt_entry_watcher *__watcher; \ | |
244 | \ | |
245 | for (__i = e->watchers_offset; \ | |
246 | __i < (e)->target_offset; \ | |
247 | __i += __watcher->watcher_size + \ | |
248 | sizeof(struct ebt_entry_watcher)) { \ | |
249 | __watcher = (void *)(e) + __i; \ | |
250 | \ | |
251 | __ret = fn(__watcher , ## args); \ | |
252 | if (__ret != 0) \ | |
253 | break; \ | |
254 | } \ | |
255 | if (__ret == 0) { \ | |
256 | if (__i != (e)->target_offset) \ | |
257 | __ret = -EINVAL; \ | |
258 | } \ | |
259 | __ret; \ | |
260 | }) | |
261 | ||
262 | #define EBT_ENTRY_ITERATE(entries, size, fn, args...) \ | |
263 | ({ \ | |
264 | unsigned int __i; \ | |
265 | int __ret = 0; \ | |
266 | struct ebt_entry *__entry; \ | |
267 | \ | |
268 | for (__i = 0; __i < (size);) { \ | |
269 | __entry = (void *)(entries) + __i; \ | |
270 | __ret = fn(__entry , ## args); \ | |
271 | if (__ret != 0) \ | |
272 | break; \ | |
273 | if (__entry->bitmask != 0) \ | |
274 | __i += __entry->next_offset; \ | |
275 | else \ | |
276 | __i += sizeof(struct ebt_entries); \ | |
277 | } \ | |
278 | if (__ret == 0) { \ | |
279 | if (__i != (size)) \ | |
280 | __ret = -EINVAL; \ | |
281 | } \ | |
282 | __ret; \ | |
283 | }) | |
284 | ||
285 | #endif /* _UAPI__LINUX_BRIDGE_EFF_H */ |