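/*
 * ebtables
 *
 * Authors:
 * Bart De Schuymer <bdschuym@pandora.be>
 *
 * ebtables.c,v 2.0, April, 2002
 *
 * This code is strongly inspired by the iptables code which is
 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
 */

/*
 * User/kernel interface of the bridge packet filter: the structures below
 * are exchanged with userspace through the {g,s}etsockopt numbers defined
 * near the end of this file (note the __user pointers in struct ebt_replace).
 * Field order, types and the forced alignments are therefore part of the
 * ABI; only comments and macro hygiene are changed here, not layout.
 */

#ifndef _UAPI__LINUX_BRIDGE_EFF_H
#define _UAPI__LINUX_BRIDGE_EFF_H
#include <linux/netfilter_bridge.h>

/* Maximum name lengths; chain and extension names share the table limit. */
#define EBT_TABLE_MAXNAMELEN 32
#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN

/* verdicts >0 are "branches" */
#define EBT_ACCEPT   -1
#define EBT_DROP     -2
#define EBT_CONTINUE -3
#define EBT_RETURN   -4
#define NUM_STANDARD_TARGETS   4
/* ebtables target modules store the verdict inside an int. We can
 * reclaim a part of this int for backwards compatible extensions.
 * The 4 lsb are more than enough to store the verdict. */
#define EBT_VERDICT_BITS 0x0000000F

/* Opaque to userspace; only the kernel-side unions below carry them. */
struct xt_match;
struct xt_target;

/* Per-rule packet and byte counters. */
struct ebt_counter {
	uint64_t pcnt;
	uint64_t bcnt;
};

/*
 * Table replacement request as handed in by userspace.  Every pointer is a
 * userspace address (__user) and every size/count is supplied by the caller,
 * so none of these fields may be trusted before validation.
 */
struct ebt_replace {
	char name[EBT_TABLE_MAXNAMELEN];
	unsigned int valid_hooks;
	/* nr of rules in the table */
	unsigned int nentries;
	/* total size of the entries */
	unsigned int entries_size;
	/* start of the chains */
	struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
	/* nr of counters userspace expects back */
	unsigned int num_counters;
	/* where the kernel will put the old counters */
	struct ebt_counter __user *counters;
	char __user *entries;
};

/*
 * Same layout as struct ebt_replace, but the pointers are kernel pointers
 * (no __user annotation), for the copy the kernel keeps after the userspace
 * data has been brought in.
 */
struct ebt_replace_kernel {
	char name[EBT_TABLE_MAXNAMELEN];
	unsigned int valid_hooks;
	/* nr of rules in the table */
	unsigned int nentries;
	/* total size of the entries */
	unsigned int entries_size;
	/* start of the chains */
	struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
	/* nr of counters userspace expects back */
	unsigned int num_counters;
	/* where the kernel will put the old counters */
	struct ebt_counter *counters;
	char *entries;
};

/* Chain header; followed in memory by that chain's struct ebt_entry rules. */
struct ebt_entries {
	/* this field is always set to zero
	 * See EBT_ENTRY_OR_ENTRIES.
	 * Must be same size as ebt_entry.bitmask */
	unsigned int distinguisher;
	/* the chain name */
	char name[EBT_CHAIN_MAXNAMELEN];
	/* counter offset for this chain */
	unsigned int counter_offset;
	/* one standard (accept, drop, return) per hook */
	int policy;
	/* nr. of entries */
	unsigned int nentries;
	/* entry list (GNU zero-length array; aligned like struct ebt_replace) */
	char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
};

/* used for the bitmask of struct ebt_entry */

/* This is a hack to make a difference between an ebt_entry struct and an
 * ebt_entries struct when traversing the entries from start to end.
 * Using this simplifies the code a lot, while still being able to use
 * ebt_entries.
 * Contrary, iptables doesn't use something like ebt_entries and therefore uses
 * different techniques for naming the policy and such. So, iptables doesn't
 * need a hack like this.
 *
 * EBT_ENTRY_ITERATE below relies on it: a zero first word is a chain header
 * (ebt_entries.distinguisher), a non-zero one is a rule (ebt_entry.bitmask).
 */
#define EBT_ENTRY_OR_ENTRIES 0x01
/* these are the normal masks */
#define EBT_NOPROTO 0x02
#define EBT_802_3 0x04
#define EBT_SOURCEMAC 0x08
#define EBT_DESTMAC 0x10
#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
   | EBT_ENTRY_OR_ENTRIES)

/* Inversion flags; presumably the bits of ebt_entry.invflags (separate
 * namespace from the bitmask flags above) -- confirm against the users. */
#define EBT_IPROTO 0x01
#define EBT_IIN 0x02
#define EBT_IOUT 0x04
#define EBT_ISOURCE 0x8
#define EBT_IDEST 0x10
#define EBT_ILOGICALIN 0x20
#define EBT_ILOGICALOUT 0x40
#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)

/*
 * Variable-sized match/watcher/target records embedded in an ebt_entry.
 * Userspace fills u.name; the kernel side overlays the resolved pointer in
 * the same union.  The *_size field is the length of the trailing data and
 * is user-supplied, so it must be validated before it is used to walk to
 * the next record (see the *_ITERATE macros).
 */
struct ebt_entry_match {
	union {
		char name[EBT_FUNCTION_MAXNAMELEN];
		struct xt_match *match;
	} u;
	/* size of data */
	unsigned int match_size;
	unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
};

struct ebt_entry_watcher {
	union {
		char name[EBT_FUNCTION_MAXNAMELEN];
		struct xt_target *watcher;
	} u;
	/* size of data */
	unsigned int watcher_size;
	unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
};

struct ebt_entry_target {
	union {
		char name[EBT_FUNCTION_MAXNAMELEN];
		struct xt_target *target;
	} u;
	/* size of data */
	unsigned int target_size;
	unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
};

/* The built-in target: its data is just the verdict (see EBT_VERDICT_BITS). */
#define EBT_STANDARD_TARGET "standard"
struct ebt_standard_target {
	struct ebt_entry_target target;
	int verdict;
};

/* one entry */
struct ebt_entry {
	/* this needs to be the first field */
	unsigned int bitmask;
	unsigned int invflags;
	__be16 ethproto;
	/* the physical in-dev */
	char in[IFNAMSIZ];
	/* the logical in-dev */
	char logical_in[IFNAMSIZ];
	/* the physical out-dev */
	char out[IFNAMSIZ];
	/* the logical out-dev */
	char logical_out[IFNAMSIZ];
	unsigned char sourcemac[ETH_ALEN];
	unsigned char sourcemsk[ETH_ALEN];
	unsigned char destmac[ETH_ALEN];
	unsigned char destmsk[ETH_ALEN];
	/* sizeof ebt_entry + matches */
	unsigned int watchers_offset;
	/* sizeof ebt_entry + matches + watchers */
	unsigned int target_offset;
	/* sizeof ebt_entry + matches + watchers + target */
	unsigned int next_offset;
	/* matches, watchers and target records, back to back */
	unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
};

/* {g,s}etsockopt numbers */
#define EBT_BASE_CTL            128

/* The SET and GET ranges both start at EBT_BASE_CTL; they are distinct
 * namespaces, so EBT_SO_SET_ENTRIES and EBT_SO_GET_INFO share a value. */
#define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
#define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
#define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)

#define EBT_SO_GET_INFO         (EBT_BASE_CTL)
#define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
#define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
#define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)


/* blatently stolen from ip_tables.h
 * fn returns 0 to continue iteration
 *
 * All three *_ITERATE macros are GNU statement expressions with a named
 * variadic argument (args..., ## args).  They evaluate to fn's first
 * non-zero return, or -EINVAL if fn always returned 0 but the walk did not
 * land exactly on the end offset.
 *
 * Ordering matters for validation: fn(elem) runs BEFORE the element's own
 * size field is read to advance __i.  The macro itself never checks that a
 * size stays inside the enclosing range, and __i is an unsigned int that can
 * wrap on an oversized value, so fn (or an earlier pass) is what must reject
 * a bad size; the final equality check only catches an inconsistent total. */
#define EBT_MATCH_ITERATE(e, fn, args...)                   \
({                                                          \
	unsigned int __i;                                   \
	int __ret = 0;                                      \
	struct ebt_entry_match *__match;                    \
	                                                    \
	for (__i = sizeof(struct ebt_entry);                \
	     __i < (e)->watchers_offset;                    \
	     __i += __match->match_size +                   \
	     sizeof(struct ebt_entry_match)) {              \
		__match = (void *)(e) + __i;                \
		                                            \
		__ret = fn(__match , ## args);              \
		if (__ret != 0)                             \
			break;                              \
	}                                                   \
	if (__ret == 0) {                                   \
		if (__i != (e)->watchers_offset)            \
			__ret = -EINVAL;                    \
	}                                                   \
	__ret;                                              \
})

/* Same walk over the watcher records, from watchers_offset to target_offset.
 * (e) is now parenthesized in the loop init as well, matching the other two
 * uses of the argument in this macro and the other iterate macros. */
#define EBT_WATCHER_ITERATE(e, fn, args...)                 \
({                                                          \
	unsigned int __i;                                   \
	int __ret = 0;                                      \
	struct ebt_entry_watcher *__watcher;                \
	                                                    \
	for (__i = (e)->watchers_offset;                    \
	     __i < (e)->target_offset;                      \
	     __i += __watcher->watcher_size +               \
	     sizeof(struct ebt_entry_watcher)) {            \
		__watcher = (void *)(e) + __i;              \
		                                            \
		__ret = fn(__watcher , ## args);            \
		if (__ret != 0)                             \
			break;                              \
	}                                                   \
	if (__ret == 0) {                                   \
		if (__i != (e)->target_offset)              \
			__ret = -EINVAL;                    \
	}                                                   \
	__ret;                                              \
})

/* Walk (size) bytes of mixed chain headers and rules starting at (entries).
 * A zero first word is an ebt_entries header and is stepped over by its
 * fixed size; anything else is an ebt_entry and is stepped by next_offset
 * (user-supplied; see the validation note above). */
#define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
({                                                          \
	unsigned int __i;                                   \
	int __ret = 0;                                      \
	struct ebt_entry *__entry;                          \
	                                                    \
	for (__i = 0; __i < (size);) {                      \
		__entry = (void *)(entries) + __i;          \
		__ret = fn(__entry , ## args);              \
		if (__ret != 0)                             \
			break;                              \
		if (__entry->bitmask != 0)                  \
			__i += __entry->next_offset;        \
		else                                        \
			__i += sizeof(struct ebt_entries);  \
	}                                                   \
	if (__ret == 0) {                                   \
		if (__i != (size))                          \
			__ret = -EINVAL;                    \
	}                                                   \
	__ret;                                              \
})

#endif /* _UAPI__LINUX_BRIDGE_EFF_H */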