#ifndef _NFT_BRIDGE_H_
#define _NFT_BRIDGE_H_
/* NOTE(review): an identifier starting with '_' followed by an uppercase
 * letter is reserved for the implementation (C11 7.1.3); a guard such as
 * NFT_BRIDGE_H would avoid that, but renaming it also needs the closing
 * #endif at the bottom of this file updated. */

4 #include <netinet/in.h>
5 //#include <linux/netfilter_bridge/ebtables.h>
6 #include <linux/netfilter/x_tables.h>
7 #include <linux/netfilter/nf_tables.h>
8 #include <net/ethernet.h>
9 #include <libiptc/libxtc.h>
/* We use replace->flags, so we can't use the following values:
 * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */
/* Listing modifiers kept in the same flag word; presumably the
 * --Ln/--Lc/--Lx/--Lmac2 options -- confirm against the option parser. */
#define LIST_N 0x04
#define LIST_C 0x08
#define LIST_X 0x10
#define LIST_MAC2 0x20

/* Be backwards compatible, so don't use '+' in kernel */
/* Value standing in for the '+' interface-name wildcard when a rule is
 * handed to the kernel; presumably recorded in struct ebt_entry's
 * in_mask/out_mask arrays -- confirm at the users. */
#define IF_WILDCARD 1

/* Well-known MAC address / mask pairs (unicast, multicast, broadcast and
 * bridge-group address).  Each eb_mac_* is the address, the matching
 * eb_msk_* the bits of it that are compared.  Defined in the .c file. */
extern unsigned char eb_mac_type_unicast[ETH_ALEN];
extern unsigned char eb_msk_type_unicast[ETH_ALEN];
extern unsigned char eb_mac_type_multicast[ETH_ALEN];
extern unsigned char eb_msk_type_multicast[ETH_ALEN];
extern unsigned char eb_mac_type_broadcast[ETH_ALEN];
extern unsigned char eb_msk_type_broadcast[ETH_ALEN];
extern unsigned char eb_mac_type_bridge_group[ETH_ALEN];
extern unsigned char eb_msk_type_bridge_group[ETH_ALEN];

/* Parse the textual MAC address in 'from' (presumably address[/mask]
 * form -- confirm) into the ETH_ALEN-byte buffers 'to' and 'mask'.
 * The return value is an error indicator; presumably 0 on success and
 * non-zero on a malformed string -- confirm in the definition. */
int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask);

/* From: include/linux/netfilter_bridge/ebtables.h
 *
 * Adapted to the needs of ebtables-compat.
 */

/* Maximum length of a table name; chain names and extension (function)
 * names share the same limit. */
#define EBT_TABLE_MAXNAMELEN 32
#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN

/* Built-in verdicts.  Verdicts > 0 are "branches"; the built-in ones are
 * encoded as negative numbers, index i of ebt_standard_targets[] mapping
 * to verdict -i - 1 (see ebt_fill_target()).  Parenthesised so the unary
 * minus can never interact with surrounding operators. */
#define EBT_ACCEPT   (-1)
#define EBT_DROP     (-2)
#define EBT_CONTINUE (-3)
#define EBT_RETURN   (-4)
/* Number of built-in verdicts above; also the size of ebt_standard_targets[]. */
#define NUM_STANDARD_TARGETS 4

/* Bits of struct ebt_entry.bitmask: which built-in header fields a rule
 * matches on. */
#define EBT_ENTRY_OR_ENTRIES 0x01
/* these are the normal masks */
#define EBT_NOPROTO 0x02
#define EBT_802_3 0x04
#define EBT_SOURCEMAC 0x08
#define EBT_DESTMAC 0x10
/* Every bitmask bit this header knows about. */
#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
	| EBT_ENTRY_OR_ENTRIES)

/* Bits of struct ebt_entry.invflags: set when the corresponding match is
 * negated.  Note that EBT_ISOURCE is spelled 0x8 (== 0x08). */
#define EBT_IPROTO 0x01
#define EBT_IIN 0x02
#define EBT_IOUT 0x04
#define EBT_ISOURCE 0x8
#define EBT_IDEST 0x10
#define EBT_ILOGICALIN 0x20
#define EBT_ILOGICALOUT 0x40
/* Every invflags bit this header knows about. */
#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
	| EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)

/* ebtables target modules store the verdict inside an int. We can
 * reclaim a part of this int for backwards compatible extensions.
 * The 4 lsb are more than enough to store the verdict.
 */
#define EBT_VERDICT_BITS 0x0000000F

/* Fake ebt_entry: ebtables-compat's private stand-in for the kernel
 * structure of the same name (see the note above), holding one rule's
 * built-in (Ethernet-level) match fields. */
struct ebt_entry {
	/* this needs to be the first field */
	unsigned int bitmask;		/* EBT_* bits, a subset of EBT_F_MASK */
	unsigned int invflags;		/* EBT_I* bits, a subset of EBT_INV_MASK */
	uint16_t ethproto;		/* Ethernet protocol; byte order not fixed here -- confirm at the users */
	/* the physical in-dev */
	char in[IFNAMSIZ];
	/* the logical in-dev */
	char logical_in[IFNAMSIZ];
	/* the physical out-dev */
	char out[IFNAMSIZ];
	/* the logical out-dev */
	char logical_out[IFNAMSIZ];
	/* source / destination MAC and the mask applied to each */
	unsigned char sourcemac[ETH_ALEN];
	unsigned char sourcemsk[ETH_ALEN];
	unsigned char destmac[ETH_ALEN];
	unsigned char destmsk[ETH_ALEN];

	/* NOTE(review): presumably per-byte masks over in[]/out[] used to
	 * carry the IF_WILDCARD marker -- confirm at the users. */
	unsigned char in_mask[IFNAMSIZ];
	unsigned char out_mask[IFNAMSIZ];
};

/* trick for ebtables-compat, since watchers are targets */
/* Singly linked list node that holds either a match or a watcher, so
 * both kinds can live in the one list ebtables_command_state.match_list.
 * NOTE(review): 'bool' needs <stdbool.h>, which this header does not
 * include itself; it relies on an earlier include. */
struct ebt_match {
	struct ebt_match *next;
	union {
		struct xtables_match *match;	/* live when ismatch is true */
		struct xtables_target *watcher;	/* live when ismatch is false */
	} u;
	bool ismatch;	/* selects which member of 'u' is valid */
};

/* Everything accumulated for one rule while it is being parsed or
 * reconstructed from an nftables rule (see
 * nft_rule_to_ebtables_command_state()). */
struct ebtables_command_state {
	struct ebt_entry fw;			/* built-in match fields */
	struct xtables_target *target;		/* target extension, if any */
	struct xtables_rule_match *matches;	/* match extensions */
	struct ebt_match *match_list;		/* matches and watchers in one list */
	const char *jumpto;			/* target or chain name; presumably from -j -- confirm */
	struct xt_counters counters;
	int invert;				/* presumably a pending '!' -- confirm */
	int c;					/* presumably the current option character -- confirm */
	char **argv;
	int proto_used;
	char *protocol;
	unsigned int options;			/* option flag bits; presumably the OPT_*/LIST_* values -- confirm */
};

/* Fill 'cs' from the nftables rule 'r'.  Presumably the caller provides a
 * zeroed 'cs' and releases it with ebt_cs_clean() -- confirm in the
 * definition. */
void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
					struct ebtables_command_state *cs);

/* Names of the built-in verdicts.  Index i holds the name of verdict
 * -i - 1, i.e. 0: ACCEPT, 1: DROP, 2: CONTINUE, 3: RETURN, matching
 * EBT_ACCEPT..EBT_RETURN.  Being 'static' in a header, every translation
 * unit that includes it gets its own copy. */
static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
	"ACCEPT",
	"DROP",
	"CONTINUE",
	"RETURN",
};

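/* Return the name of built-in verdict index 'num'
 * (0 .. NUM_STANDARD_TARGETS - 1), or NULL when 'num' is out of range.
 *
 * The bound check must be '>=': ebt_standard_targets[] has exactly
 * NUM_STANDARD_TARGETS entries, so num == NUM_STANDARD_TARGETS would read
 * one element past the end of the array. */
static inline const char *nft_ebt_standard_target(unsigned int num)
{
	if (num >= NUM_STANDARD_TARGETS)
		return NULL;

	return ebt_standard_targets[num];
}
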
/* Look up the built-in verdict named 'str'.  On a match store its
 * verdict value (-index - 1, i.e. EBT_ACCEPT..EBT_RETURN, as unsigned)
 * in *verdict and return 0; otherwise leave *verdict untouched and
 * return 1.  'str' must be a valid C string.
 * NOTE(review): uses strcmp() but this header does not include
 * <string.h> itself. */
static inline int ebt_fill_target(const char *str, unsigned int *verdict)
{
	for (unsigned int idx = 0; idx < NUM_STANDARD_TARGETS; idx++) {
		if (strcmp(str, nft_ebt_standard_target(idx)) == 0) {
			/* unsigned wrap-around gives the same bits as (int)(-idx - 1) */
			*verdict = -idx - 1;
			return 0;
		}
	}

	return 1;
}

/* Map a built-in verdict value (EBT_ACCEPT..EBT_RETURN, i.e. -1..-4
 * viewed as unsigned) back to its name; for any other value the result
 * is whatever nft_ebt_standard_target() returns for the resulting index.
 * Inverse of ebt_fill_target(). */
static inline const char *ebt_target_name(unsigned int verdict)
{
	/* Undo the -index - 1 encoding.  Unsigned arithmetic wraps, so
	 * (unsigned)-1 yields index 0, (unsigned)-4 yields index 3. */
	unsigned int idx = -verdict - 1;

	return nft_ebt_standard_target(idx);
}

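/* Record option bit 'mask' in *flags, reporting a PARAMETER_PROBLEM via
 * xtables_error() if that bit was already set (option given twice).
 * 'flags' and 'mask' are each expanded twice, so pass side-effect-free
 * arguments.  Written as a GCC statement expression; use as a statement.
 *
 * Both arguments are parenthesised so that e.g. a 'mask' of the form
 * 'A | B' is not mis-parsed as '(*flags & A) | B', and the stray line
 * continuation after the closing '})' is gone: it used to extend the
 * macro onto the following blank line, so deleting that blank line would
 * have silently swallowed the next declaration into the macro. */
#define EBT_CHECK_OPTION(flags, mask) ({ \
	if (*(flags) & (mask)) \
		xtables_error(PARAMETER_PROBLEM, \
			      "Multiple use of same " \
			      "option not allowed"); \
	*(flags) |= (mask); \
})
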
/* Release the resources held by *cs once the rule has been dealt with.
 * Which members are freed is decided in the definition -- confirm there
 * before reusing 'cs' afterwards. */
void ebt_cs_clean(struct ebtables_command_state *cs);

#endif /* _NFT_BRIDGE_H_ */
