1 #ifndef _NFT_BRIDGE_H_
2 #define _NFT_BRIDGE_H_
3 
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#include <netinet/in.h>
//#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/nf_tables.h>
#include <net/ethernet.h>
#include <libiptc/libxtc.h>
10 
/* Per-address-class MAC value ("mac") and mask ("msk") arrays, ETH_ALEN
 * bytes each, for the unicast, multicast, broadcast and bridge-group
 * classes (roles inferred from the names; defined in the bridge backend,
 * not in this header). */
extern unsigned char eb_mac_type_unicast[ETH_ALEN];
extern unsigned char eb_msk_type_unicast[ETH_ALEN];
extern unsigned char eb_mac_type_multicast[ETH_ALEN];
extern unsigned char eb_msk_type_multicast[ETH_ALEN];
extern unsigned char eb_mac_type_broadcast[ETH_ALEN];
extern unsigned char eb_msk_type_broadcast[ETH_ALEN];
extern unsigned char eb_mac_type_bridge_group[ETH_ALEN];
extern unsigned char eb_msk_type_bridge_group[ETH_ALEN];

/* Parse the textual MAC specification `from` into the address `to` and the
 * mask `mask` (presumably ETH_ALEN bytes each).  NOTE(review): the return
 * convention is not visible here — treat a non-zero value as a parse
 * failure only after confirming against the definition. */
int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask);
21 
/* From: include/linux/netfilter_bridge/ebtables.h
 *
 * Adapted for the needs of ebtables-compat.
 */

#define EBT_TABLE_MAXNAMELEN 32
#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN

/* verdicts >0 are "branches" */
/* The standard verdicts are encoded as -(index + 1), i.e. ACCEPT is index 0,
 * DROP index 1 and so on in ebt_standard_targets[]; ebt_fill_target() and
 * ebt_target_name() below rely on exactly this encoding. */
#define EBT_ACCEPT   -1
#define EBT_DROP     -2
#define EBT_CONTINUE -3
#define EBT_RETURN   -4
#define NUM_STANDARD_TARGETS   4

#define EBT_ENTRY_OR_ENTRIES 0x01
/* these are the normal masks */
#define EBT_NOPROTO 0x02
#define EBT_802_3 0x04
#define EBT_SOURCEMAC 0x08
#define EBT_DESTMAC 0x10
/* Every bit a valid entry may carry in its flags word. */
#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
   | EBT_ENTRY_OR_ENTRIES)

/* Inversion flag bits (one per negatable match field, as the EBT_I* names
 * suggest), collected in EBT_INV_MASK. */
#define EBT_IPROTO 0x01
#define EBT_IIN 0x02
#define EBT_IOUT 0x04
#define EBT_ISOURCE 0x8
#define EBT_IDEST 0x10
#define EBT_ILOGICALIN 0x20
#define EBT_ILOGICALOUT 0x40
#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)

/* ebtables target modules store the verdict inside an int. We can
 * reclaim a part of this int for backwards compatible extensions.
 * The 4 lsb are more than enough to store the verdict.
 */
#define EBT_VERDICT_BITS 0x0000000F

/* Opaque to this header: only pointers to these are passed around. */
struct nftnl_rule;
struct iptables_command_state;
64 
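/* Names of the standard verdicts, indexed by -(EBT_* verdict) - 1 so that
 * ACCEPT (-1) is element 0, DROP (-2) element 1, and so on.  The pointers
 * are const too: this is a read-only lookup table that every includer gets
 * a private copy of, and nothing should be able to repoint an entry. */
static const char *const ebt_standard_targets[NUM_STANDARD_TARGETS] = {
	"ACCEPT",
	"DROP",
	"CONTINUE",
	"RETURN",
};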
71 
/* Return the name of standard verdict number `num` (0 = ACCEPT, 1 = DROP,
 * 2 = CONTINUE, 3 = RETURN), or NULL for any other value — callers must
 * check the result before using it as a string. */
static inline const char *nft_ebt_standard_target(unsigned int num)
{
	return num < NUM_STANDARD_TARGETS ? ebt_standard_targets[num] : NULL;
}
79 
/* Resolve the standard target name `str` ("ACCEPT", "DROP", "CONTINUE" or
 * "RETURN") and store its verdict in *verdict, encoded as -(index + 1),
 * i.e. EBT_ACCEPT .. EBT_RETURN.  Returns 0 on success and 1 when `str` is
 * not a standard target name, in which case *verdict is left untouched.
 * `str` must be a valid C string: it is handed straight to strcmp(). */
static inline int ebt_fill_target(const char *str, unsigned int *verdict)
{
	int idx;

	for (idx = 0; idx < NUM_STANDARD_TARGETS; idx++) {
		if (strcmp(str, nft_ebt_standard_target(idx)) != 0)
			continue;
		*verdict = -idx - 1;
		return 0;
	}

	return 1;
}
96 
/* Inverse of ebt_fill_target(): map an encoded standard verdict
 * (EBT_ACCEPT .. EBT_RETURN held in an unsigned int) back to its name.
 * The index arithmetic is unsigned and wraps, so any value that is not one
 * of the four standard verdicts lands out of range and yields NULL. */
static inline const char *ebt_target_name(unsigned int verdict)
{
	/* ~verdict == -verdict - 1 in unsigned (modular) arithmetic. */
	const unsigned int idx = ~verdict;

	return nft_ebt_standard_target(idx);
}
101 
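/* Reject an option that is given twice: if the bit(s) in `mask` are already
 * set in *flags, report PARAMETER_PROBLEM via xtables_error(), otherwise
 * record them.  Both arguments are parenthesized so that a compound mask
 * (e.g. two bits OR'ed together) is tested and stored as a whole, and the
 * statement expression ends without a trailing backslash so that the line
 * after the macro can no longer be swallowed into it. */
#define EBT_CHECK_OPTION(flags, mask) ({			\
	if (*(flags) & (mask))					\
		xtables_error(PARAMETER_PROBLEM,		\
			      "Multiple use of same "		\
			      "option not allowed");		\
	*(flags) |= (mask);					\
})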
109 
/* Helpers shared between the ebtables-compat front end and the nft bridge
 * backend; their definitions are not in this header.  NOTE(review):
 * struct xtables_match, struct xtables_target and struct xtables_globals
 * are not declared by the includes above — the header relies on its
 * includer having pulled in <xtables.h> first. */
void ebt_cs_clean(struct iptables_command_state *cs);
/* Presumably attach `m` to the match list of `cs` and return the match the
 * caller should continue with — confirm against the definition. */
struct xtables_match *ebt_add_match(struct xtables_match *m,
				    struct iptables_command_state *cs);
/* Same pattern for a watcher (an ebtables target that does not decide the
 * verdict, by name). */
struct xtables_target *ebt_add_watcher(struct xtables_target *watcher,
				       struct iptables_command_state *cs);
/* The `unused` name suggests the globals argument only exists to satisfy a
 * shared callback signature. */
int ebt_command_default(struct iptables_command_state *cs,
			struct xtables_globals *unused, bool ebt_invert);
117 
/* One element of an "among" list: a MAC address and the IPv4 address
 * paired with it (presumably only meaningful when the list's `ip` flag is
 * set).  `in` is forced to 4-byte alignment, so with a 6-byte ether_addr
 * there are two padding bytes between the members.  nft_among_insert_pair()
 * orders elements with memcmp() over the whole struct, so those padding
 * bytes take part in the comparison — callers should zero-fill a pair
 * before storing it (TODO confirm at the call sites). */
struct nft_among_pair {
	struct ether_addr ether;
	struct in_addr in __attribute__((aligned (4)));
};
122 
/* Presumably the private data of the "among" match.  src and dst each
 * describe one list of pairs: how many are stored (cnt), whether the list
 * is negated (inv — by name, confirm) and whether the pairs carry an IP
 * address as well (ip).  The pairs themselves follow the header back to
 * back, all source pairs first, then all destination pairs; see
 * nft_among_prepare_data() for the bookkeeping.  NOTE(review): pairs[0]
 * is a GNU zero-length array; the C99 flexible array member `pairs[]` is
 * the portable spelling and lets the compiler diagnose misuse. */
struct nft_among_data {
	struct {
		size_t cnt;
		bool inv;
		bool ip;
	} src, dst;
	/* first source, then dest pairs */
	struct nft_among_pair pairs[0];
};
132 
/* Record the parameters of one list (the destination list when `dst` is
 * true, the source list otherwise) in `data` and return the index into
 * data->pairs at which that list's `cnt` pairs are to be written.  Source
 * pairs always come first, so setting up the source list moves any
 * destination pairs already present up by `cnt` slots; data->dst.cnt must
 * therefore be valid (e.g. zero) before the source list is prepared, and
 * the caller must have allocated room for src.cnt + dst.cnt pairs.
 * NOTE(review): nothing here checks capacity — confirm the allocation at
 * the call site. */
static inline size_t
nft_among_prepare_data(struct nft_among_data *data, bool dst,
		       size_t cnt, bool inv, bool ip)
{
	if (!dst) {
		/* Make room in front of the stored destination pairs. */
		memmove(data->pairs + cnt, data->pairs,
			data->dst.cnt * sizeof(*data->pairs));
		data->src.cnt = cnt;
		data->src.inv = inv;
		data->src.ip = ip;
		return 0;
	}

	data->dst.cnt = cnt;
	data->dst.inv = inv;
	data->dst.ip = ip;
	/* Destination pairs are written right after the source pairs. */
	return data->src.cnt;
}
155 
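/* Insert *new into `pairs` (currently *pcount elements), keeping the array
 * sorted in memcmp() order, and bump *pcount.  nftables sorts set elements
 * from smallest to largest, so keeping the same order here is what makes
 * the extension comparison work.
 *
 * The caller must have room for *pcount + 1 elements: there is no capacity
 * argument, so nothing can be checked here.  memcmp() covers the whole
 * struct, padding included (see struct nft_among_pair).  The index is a
 * size_t like *pcount, so the loop bound and the memmove length no longer
 * mix signed and unsigned arithmetic. */
static inline void
nft_among_insert_pair(struct nft_among_pair *pairs,
		      size_t *pcount, const struct nft_among_pair *new)
{
	size_t i;

	/* First stored element larger than *new; the new one goes right in
	 * front of it, or at the end if there is none. */
	for (i = 0; i < *pcount; i++) {
		if (memcmp(new, &pairs[i], sizeof(*new)) < 0)
			break;
	}
	/* Shift the tail up one slot — memmove, the regions overlap. */
	memmove(&pairs[i + 1], &pairs[i], sizeof(*pairs) * (*pcount - i));
	memcpy(&pairs[i], new, sizeof(*new));
	(*pcount)++;
}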
173 
/* from xtables-eb.c: presumably prints the ebtables-compat help text for
 * the command state `cs` (inferred from the name — confirm). */
void nft_bridge_print_help(struct iptables_command_state *cs);
176 
177 #endif