1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2/*
3 * ebtables
4 *
5 * Authors:
6 * Bart De Schuymer <bdschuym@pandora.be>
7 *
8 * ebtables.c,v 2.0, April, 2002
9 *
10 * This code is strongly inspired by the iptables code which is
11 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
12 */
13
14#ifndef _UAPI__LINUX_BRIDGE_EFF_H
15#define _UAPI__LINUX_BRIDGE_EFF_H
16#include <linux/types.h>
17#include <linux/if.h>
18#include <linux/netfilter_bridge.h>
19
20#define EBT_TABLE_MAXNAMELEN 32
21#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
22#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
23#define EBT_EXTENSION_MAXNAMELEN 31
24
25/* verdicts >0 are "branches" */
26#define EBT_ACCEPT -1
27#define EBT_DROP -2
28#define EBT_CONTINUE -3
29#define EBT_RETURN -4
30#define NUM_STANDARD_TARGETS 4
31/* ebtables target modules store the verdict inside an int. We can
32 * reclaim a part of this int for backwards compatible extensions.
33 * The 4 lsb are more than enough to store the verdict. */
34#define EBT_VERDICT_BITS 0x0000000F
35
36struct xt_match;
37struct xt_target;
38
39struct ebt_counter {
40 __u64 pcnt;
41 __u64 bcnt;
42};
43
44struct ebt_replace {
45 char name[EBT_TABLE_MAXNAMELEN];
46 unsigned int valid_hooks;
47 /* nr of rules in the table */
48 unsigned int nentries;
49 /* total size of the entries */
50 unsigned int entries_size;
51 /* start of the chains */
52 struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
53 /* nr of counters userspace expects back */
54 unsigned int num_counters;
55 /* where the kernel will put the old counters */
56 struct ebt_counter __user *counters;
57 char __user *entries;
58};
59
60struct ebt_replace_kernel {
61 char name[EBT_TABLE_MAXNAMELEN];
62 unsigned int valid_hooks;
63 /* nr of rules in the table */
64 unsigned int nentries;
65 /* total size of the entries */
66 unsigned int entries_size;
67 /* start of the chains */
68 struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
69 /* nr of counters userspace expects back */
70 unsigned int num_counters;
71 /* where the kernel will put the old counters */
72 struct ebt_counter *counters;
73 char *entries;
74};
75
76struct ebt_entries {
77 /* this field is always set to zero
78 * See EBT_ENTRY_OR_ENTRIES.
79 * Must be same size as ebt_entry.bitmask */
80 unsigned int distinguisher;
81 /* the chain name */
82 char name[EBT_CHAIN_MAXNAMELEN];
83 /* counter offset for this chain */
84 unsigned int counter_offset;
85 /* one standard (accept, drop, return) per hook */
86 int policy;
87 /* nr. of entries */
88 unsigned int nentries;
89 /* entry list */
90 char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
91};
92
93/* used for the bitmask of struct ebt_entry */
94
95/* This is a hack to make a difference between an ebt_entry struct and an
96 * ebt_entries struct when traversing the entries from start to end.
97 * Using this simplifies the code a lot, while still being able to use
98 * ebt_entries.
99 * Contrary, iptables doesn't use something like ebt_entries and therefore uses
100 * different techniques for naming the policy and such. So, iptables doesn't
101 * need a hack like this.
102 */
103#define EBT_ENTRY_OR_ENTRIES 0x01
104/* these are the normal masks */
105#define EBT_NOPROTO 0x02
106#define EBT_802_3 0x04
107#define EBT_SOURCEMAC 0x08
108#define EBT_DESTMAC 0x10
109#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
110 | EBT_ENTRY_OR_ENTRIES)
111
112#define EBT_IPROTO 0x01
113#define EBT_IIN 0x02
114#define EBT_IOUT 0x04
115#define EBT_ISOURCE 0x8
116#define EBT_IDEST 0x10
117#define EBT_ILOGICALIN 0x20
118#define EBT_ILOGICALOUT 0x40
119#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
120 | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
121
122struct ebt_entry_match {
123 union {
124 struct {
125 char name[EBT_EXTENSION_MAXNAMELEN];
126 __u8 revision;
127 };
128 struct xt_match *match;
129 } u;
130 /* size of data */
131 unsigned int match_size;
132 unsigned char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
133};
134
135struct ebt_entry_watcher {
136 union {
137 struct {
138 char name[EBT_EXTENSION_MAXNAMELEN];
139 __u8 revision;
140 };
141 struct xt_target *watcher;
142 } u;
143 /* size of data */
144 unsigned int watcher_size;
145 unsigned char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
146};
147
148struct ebt_entry_target {
149 union {
150 struct {
151 char name[EBT_EXTENSION_MAXNAMELEN];
152 __u8 revision;
153 };
154 struct xt_target *target;
155 } u;
156 /* size of data */
157 unsigned int target_size;
158 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
159};
160
161#define EBT_STANDARD_TARGET "standard"
162struct ebt_standard_target {
163 struct ebt_entry_target target;
164 int verdict;
165};
166
167/* one entry */
168struct ebt_entry {
169 /* this needs to be the first field */
170 unsigned int bitmask;
171 unsigned int invflags;
172 __be16 ethproto;
173 /* the physical in-dev */
174 char in[IFNAMSIZ];
175 /* the logical in-dev */
176 char logical_in[IFNAMSIZ];
177 /* the physical out-dev */
178 char out[IFNAMSIZ];
179 /* the logical out-dev */
180 char logical_out[IFNAMSIZ];
181 unsigned char sourcemac[ETH_ALEN];
182 unsigned char sourcemsk[ETH_ALEN];
183 unsigned char destmac[ETH_ALEN];
184 unsigned char destmsk[ETH_ALEN];
185 __struct_group(/* no tag */, offsets, /* no attrs */,
186 /* sizeof ebt_entry + matches */
187 unsigned int watchers_offset;
188 /* sizeof ebt_entry + matches + watchers */
189 unsigned int target_offset;
190 /* sizeof ebt_entry + matches + watchers + target */
191 unsigned int next_offset;
192 );
193 unsigned char elems[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
194};
195
196static __inline__ struct ebt_entry_target *
197ebt_get_target(struct ebt_entry *e)
198{
199 return (struct ebt_entry_target *)((char *)e + e->target_offset);
200}
201
202/* {g,s}etsockopt numbers */
203#define EBT_BASE_CTL 128
204
205#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
206#define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1)
207#define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1)
208
209#define EBT_SO_GET_INFO (EBT_BASE_CTL)
210#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1)
211#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1)
212#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
213#define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1)
214
215
216/* blatently stolen from ip_tables.h
217 * fn returns 0 to continue iteration */
218#define EBT_MATCH_ITERATE(e, fn, args...) \
219({ \
220 unsigned int __i; \
221 int __ret = 0; \
222 struct ebt_entry_match *__match; \
223 \
224 for (__i = sizeof(struct ebt_entry); \
225 __i < (e)->watchers_offset; \
226 __i += __match->match_size + \
227 sizeof(struct ebt_entry_match)) { \
228 __match = (void *)(e) + __i; \
229 \
230 __ret = fn(__match , ## args); \
231 if (__ret != 0) \
232 break; \
233 } \
234 if (__ret == 0) { \
235 if (__i != (e)->watchers_offset) \
236 __ret = -EINVAL; \
237 } \
238 __ret; \
239})
240
241#define EBT_WATCHER_ITERATE(e, fn, args...) \
242({ \
243 unsigned int __i; \
244 int __ret = 0; \
245 struct ebt_entry_watcher *__watcher; \
246 \
247 for (__i = e->watchers_offset; \
248 __i < (e)->target_offset; \
249 __i += __watcher->watcher_size + \
250 sizeof(struct ebt_entry_watcher)) { \
251 __watcher = (void *)(e) + __i; \
252 \
253 __ret = fn(__watcher , ## args); \
254 if (__ret != 0) \
255 break; \
256 } \
257 if (__ret == 0) { \
258 if (__i != (e)->target_offset) \
259 __ret = -EINVAL; \
260 } \
261 __ret; \
262})
263
264#define EBT_ENTRY_ITERATE(entries, size, fn, args...) \
265({ \
266 unsigned int __i; \
267 int __ret = 0; \
268 struct ebt_entry *__entry; \
269 \
270 for (__i = 0; __i < (size);) { \
271 __entry = (void *)(entries) + __i; \
272 __ret = fn(__entry , ## args); \
273 if (__ret != 0) \
274 break; \
275 if (__entry->bitmask != 0) \
276 __i += __entry->next_offset; \
277 else \
278 __i += sizeof(struct ebt_entries); \
279 } \
280 if (__ret == 0) { \
281 if (__i != (size)) \
282 __ret = -EINVAL; \
283 } \
284 __ret; \
285})
286
287#endif /* _UAPI__LINUX_BRIDGE_EFF_H */
288

source code of linux/include/uapi/linux/netfilter_bridge/ebtables.h