1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ |
2 | /* |
3 | * ebtables |
4 | * |
5 | * Authors: |
6 | * Bart De Schuymer <bdschuym@pandora.be> |
7 | * |
8 | * ebtables.c,v 2.0, April, 2002 |
9 | * |
10 | * This code is strongly inspired by the iptables code which is |
11 | * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling |
12 | */ |
13 | |
14 | #ifndef _UAPI__LINUX_BRIDGE_EFF_H |
15 | #define _UAPI__LINUX_BRIDGE_EFF_H |
16 | #include <linux/types.h> |
17 | #include <linux/if.h> |
18 | #include <linux/netfilter_bridge.h> |
19 | |
20 | #define EBT_TABLE_MAXNAMELEN 32 |
21 | #define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN |
22 | #define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN |
23 | #define EBT_EXTENSION_MAXNAMELEN 31 |
24 | |
25 | /* verdicts >0 are "branches" */ |
26 | #define EBT_ACCEPT -1 |
27 | #define EBT_DROP -2 |
28 | #define EBT_CONTINUE -3 |
29 | #define EBT_RETURN -4 |
30 | #define NUM_STANDARD_TARGETS 4 |
31 | /* ebtables target modules store the verdict inside an int. We can |
32 | * reclaim a part of this int for backwards compatible extensions. |
33 | * The 4 lsb are more than enough to store the verdict. */ |
34 | #define EBT_VERDICT_BITS 0x0000000F |
35 | |
36 | struct xt_match; |
37 | struct xt_target; |
38 | |
39 | struct ebt_counter { |
40 | __u64 pcnt; |
41 | __u64 bcnt; |
42 | }; |
43 | |
44 | struct ebt_replace { |
45 | char name[EBT_TABLE_MAXNAMELEN]; |
46 | unsigned int valid_hooks; |
47 | /* nr of rules in the table */ |
48 | unsigned int nentries; |
49 | /* total size of the entries */ |
50 | unsigned int entries_size; |
51 | /* start of the chains */ |
52 | struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS]; |
53 | /* nr of counters userspace expects back */ |
54 | unsigned int num_counters; |
55 | /* where the kernel will put the old counters */ |
56 | struct ebt_counter __user *counters; |
57 | char __user *entries; |
58 | }; |
59 | |
60 | struct ebt_replace_kernel { |
61 | char name[EBT_TABLE_MAXNAMELEN]; |
62 | unsigned int valid_hooks; |
63 | /* nr of rules in the table */ |
64 | unsigned int nentries; |
65 | /* total size of the entries */ |
66 | unsigned int entries_size; |
67 | /* start of the chains */ |
68 | struct ebt_entries *hook_entry[NF_BR_NUMHOOKS]; |
69 | /* nr of counters userspace expects back */ |
70 | unsigned int num_counters; |
71 | /* where the kernel will put the old counters */ |
72 | struct ebt_counter *counters; |
73 | char *entries; |
74 | }; |
75 | |
76 | struct ebt_entries { |
77 | /* this field is always set to zero |
78 | * See EBT_ENTRY_OR_ENTRIES. |
79 | * Must be same size as ebt_entry.bitmask */ |
80 | unsigned int distinguisher; |
81 | /* the chain name */ |
82 | char name[EBT_CHAIN_MAXNAMELEN]; |
83 | /* counter offset for this chain */ |
84 | unsigned int counter_offset; |
85 | /* one standard (accept, drop, return) per hook */ |
86 | int policy; |
87 | /* nr. of entries */ |
88 | unsigned int nentries; |
89 | /* entry list */ |
90 | char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
91 | }; |
92 | |
93 | /* used for the bitmask of struct ebt_entry */ |
94 | |
95 | /* This is a hack to make a difference between an ebt_entry struct and an |
96 | * ebt_entries struct when traversing the entries from start to end. |
97 | * Using this simplifies the code a lot, while still being able to use |
98 | * ebt_entries. |
99 | * Contrary, iptables doesn't use something like ebt_entries and therefore uses |
100 | * different techniques for naming the policy and such. So, iptables doesn't |
101 | * need a hack like this. |
102 | */ |
103 | #define EBT_ENTRY_OR_ENTRIES 0x01 |
104 | /* these are the normal masks */ |
105 | #define EBT_NOPROTO 0x02 |
106 | #define EBT_802_3 0x04 |
107 | #define EBT_SOURCEMAC 0x08 |
108 | #define EBT_DESTMAC 0x10 |
109 | #define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \ |
110 | | EBT_ENTRY_OR_ENTRIES) |
111 | |
112 | #define EBT_IPROTO 0x01 |
113 | #define EBT_IIN 0x02 |
114 | #define EBT_IOUT 0x04 |
115 | #define EBT_ISOURCE 0x8 |
116 | #define EBT_IDEST 0x10 |
117 | #define EBT_ILOGICALIN 0x20 |
118 | #define EBT_ILOGICALOUT 0x40 |
119 | #define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ |
120 | | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) |
121 | |
122 | struct ebt_entry_match { |
123 | union { |
124 | struct { |
125 | char name[EBT_EXTENSION_MAXNAMELEN]; |
126 | __u8 revision; |
127 | }; |
128 | struct xt_match *match; |
129 | } u; |
130 | /* size of data */ |
131 | unsigned int match_size; |
132 | unsigned char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
133 | }; |
134 | |
135 | struct ebt_entry_watcher { |
136 | union { |
137 | struct { |
138 | char name[EBT_EXTENSION_MAXNAMELEN]; |
139 | __u8 revision; |
140 | }; |
141 | struct xt_target *watcher; |
142 | } u; |
143 | /* size of data */ |
144 | unsigned int watcher_size; |
145 | unsigned char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
146 | }; |
147 | |
148 | struct ebt_entry_target { |
149 | union { |
150 | struct { |
151 | char name[EBT_EXTENSION_MAXNAMELEN]; |
152 | __u8 revision; |
153 | }; |
154 | struct xt_target *target; |
155 | } u; |
156 | /* size of data */ |
157 | unsigned int target_size; |
158 | unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
159 | }; |
160 | |
161 | #define EBT_STANDARD_TARGET "standard" |
162 | struct ebt_standard_target { |
163 | struct ebt_entry_target target; |
164 | int verdict; |
165 | }; |
166 | |
167 | /* one entry */ |
168 | struct ebt_entry { |
169 | /* this needs to be the first field */ |
170 | unsigned int bitmask; |
171 | unsigned int invflags; |
172 | __be16 ethproto; |
173 | /* the physical in-dev */ |
174 | char in[IFNAMSIZ]; |
175 | /* the logical in-dev */ |
176 | char logical_in[IFNAMSIZ]; |
177 | /* the physical out-dev */ |
178 | char out[IFNAMSIZ]; |
179 | /* the logical out-dev */ |
180 | char logical_out[IFNAMSIZ]; |
181 | unsigned char sourcemac[ETH_ALEN]; |
182 | unsigned char sourcemsk[ETH_ALEN]; |
183 | unsigned char destmac[ETH_ALEN]; |
184 | unsigned char destmsk[ETH_ALEN]; |
185 | __struct_group(/* no tag */, offsets, /* no attrs */, |
186 | /* sizeof ebt_entry + matches */ |
187 | unsigned int watchers_offset; |
188 | /* sizeof ebt_entry + matches + watchers */ |
189 | unsigned int target_offset; |
190 | /* sizeof ebt_entry + matches + watchers + target */ |
191 | unsigned int next_offset; |
192 | ); |
193 | unsigned char elems[] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
194 | }; |
195 | |
196 | static __inline__ struct ebt_entry_target * |
197 | ebt_get_target(struct ebt_entry *e) |
198 | { |
199 | return (struct ebt_entry_target *)((char *)e + e->target_offset); |
200 | } |
201 | |
202 | /* {g,s}etsockopt numbers */ |
203 | #define EBT_BASE_CTL 128 |
204 | |
205 | #define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) |
206 | #define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1) |
207 | #define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1) |
208 | |
209 | #define EBT_SO_GET_INFO (EBT_BASE_CTL) |
210 | #define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1) |
211 | #define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1) |
212 | #define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1) |
213 | #define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1) |
214 | |
215 | |
216 | /* blatently stolen from ip_tables.h |
217 | * fn returns 0 to continue iteration */ |
218 | #define EBT_MATCH_ITERATE(e, fn, args...) \ |
219 | ({ \ |
220 | unsigned int __i; \ |
221 | int __ret = 0; \ |
222 | struct ebt_entry_match *__match; \ |
223 | \ |
224 | for (__i = sizeof(struct ebt_entry); \ |
225 | __i < (e)->watchers_offset; \ |
226 | __i += __match->match_size + \ |
227 | sizeof(struct ebt_entry_match)) { \ |
228 | __match = (void *)(e) + __i; \ |
229 | \ |
230 | __ret = fn(__match , ## args); \ |
231 | if (__ret != 0) \ |
232 | break; \ |
233 | } \ |
234 | if (__ret == 0) { \ |
235 | if (__i != (e)->watchers_offset) \ |
236 | __ret = -EINVAL; \ |
237 | } \ |
238 | __ret; \ |
239 | }) |
240 | |
241 | #define EBT_WATCHER_ITERATE(e, fn, args...) \ |
242 | ({ \ |
243 | unsigned int __i; \ |
244 | int __ret = 0; \ |
245 | struct ebt_entry_watcher *__watcher; \ |
246 | \ |
247 | for (__i = e->watchers_offset; \ |
248 | __i < (e)->target_offset; \ |
249 | __i += __watcher->watcher_size + \ |
250 | sizeof(struct ebt_entry_watcher)) { \ |
251 | __watcher = (void *)(e) + __i; \ |
252 | \ |
253 | __ret = fn(__watcher , ## args); \ |
254 | if (__ret != 0) \ |
255 | break; \ |
256 | } \ |
257 | if (__ret == 0) { \ |
258 | if (__i != (e)->target_offset) \ |
259 | __ret = -EINVAL; \ |
260 | } \ |
261 | __ret; \ |
262 | }) |
263 | |
264 | #define EBT_ENTRY_ITERATE(entries, size, fn, args...) \ |
265 | ({ \ |
266 | unsigned int __i; \ |
267 | int __ret = 0; \ |
268 | struct ebt_entry *__entry; \ |
269 | \ |
270 | for (__i = 0; __i < (size);) { \ |
271 | __entry = (void *)(entries) + __i; \ |
272 | __ret = fn(__entry , ## args); \ |
273 | if (__ret != 0) \ |
274 | break; \ |
275 | if (__entry->bitmask != 0) \ |
276 | __i += __entry->next_offset; \ |
277 | else \ |
278 | __i += sizeof(struct ebt_entries); \ |
279 | } \ |
280 | if (__ret == 0) { \ |
281 | if (__i != (size)) \ |
282 | __ret = -EINVAL; \ |
283 | } \ |
284 | __ret; \ |
285 | }) |
286 | |
287 | #endif /* _UAPI__LINUX_BRIDGE_EFF_H */ |
288 | |