1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2 /* 3 * ebtables 4 * 5 * Authors: 6 * Bart De Schuymer <bdschuym@pandora.be> 7 * 8 * ebtables.c,v 2.0, April, 2002 9 * 10 * This code is strongly inspired by the iptables code which is 11 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling 12 */ 13 14 #ifndef _UAPI__LINUX_BRIDGE_EFF_H 15 #define _UAPI__LINUX_BRIDGE_EFF_H 16 #include <linux/types.h> 17 #include <linux/if.h> 18 #include <linux/netfilter_bridge.h> 19 20 #define EBT_TABLE_MAXNAMELEN 32 21 #define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN 22 #define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN 23 24 /* verdicts >0 are "branches" */ 25 #define EBT_ACCEPT -1 26 #define EBT_DROP -2 27 #define EBT_CONTINUE -3 28 #define EBT_RETURN -4 29 #define NUM_STANDARD_TARGETS 4 30 /* ebtables target modules store the verdict inside an int. We can 31 * reclaim a part of this int for backwards compatible extensions. 32 * The 4 lsb are more than enough to store the verdict. */ 33 #define EBT_VERDICT_BITS 0x0000000F 34 35 struct xt_match; 36 struct xt_target; 37 38 struct ebt_counter { 39 __u64 pcnt; 40 __u64 bcnt; 41 }; 42 43 struct ebt_replace { 44 char name[EBT_TABLE_MAXNAMELEN]; 45 unsigned int valid_hooks; 46 /* nr of rules in the table */ 47 unsigned int nentries; 48 /* total size of the entries */ 49 unsigned int entries_size; 50 /* start of the chains */ 51 struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS]; 52 /* nr of counters userspace expects back */ 53 unsigned int num_counters; 54 /* where the kernel will put the old counters */ 55 struct ebt_counter __user *counters; 56 char __user *entries; 57 }; 58 59 struct ebt_replace_kernel { 60 char name[EBT_TABLE_MAXNAMELEN]; 61 unsigned int valid_hooks; 62 /* nr of rules in the table */ 63 unsigned int nentries; 64 /* total size of the entries */ 65 unsigned int entries_size; 66 /* start of the chains */ 67 struct ebt_entries *hook_entry[NF_BR_NUMHOOKS]; 68 /* nr of counters userspace expects back */ 69 unsigned int num_counters; 70 /* where the kernel will put the old counters */ 71 struct ebt_counter *counters; 72 char *entries; 73 }; 74 75 struct ebt_entries { 76 /* this field is always set to zero 77 * See EBT_ENTRY_OR_ENTRIES. 78 * Must be same size as ebt_entry.bitmask */ 79 unsigned int distinguisher; 80 /* the chain name */ 81 char name[EBT_CHAIN_MAXNAMELEN]; 82 /* counter offset for this chain */ 83 unsigned int counter_offset; 84 /* one standard (accept, drop, return) per hook */ 85 int policy; 86 /* nr. of entries */ 87 unsigned int nentries; 88 /* entry list */ 89 char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 90 }; 91 92 /* used for the bitmask of struct ebt_entry */ 93 94 /* This is a hack to make a difference between an ebt_entry struct and an 95 * ebt_entries struct when traversing the entries from start to end. 96 * Using this simplifies the code a lot, while still being able to use 97 * ebt_entries. 98 * Contrary, iptables doesn't use something like ebt_entries and therefore uses 99 * different techniques for naming the policy and such. So, iptables doesn't 100 * need a hack like this. 101 */ 102 #define EBT_ENTRY_OR_ENTRIES 0x01 103 /* these are the normal masks */ 104 #define EBT_NOPROTO 0x02 105 #define EBT_802_3 0x04 106 #define EBT_SOURCEMAC 0x08 107 #define EBT_DESTMAC 0x10 108 #define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \ 109 | EBT_ENTRY_OR_ENTRIES) 110 111 #define EBT_IPROTO 0x01 112 #define EBT_IIN 0x02 113 #define EBT_IOUT 0x04 114 #define EBT_ISOURCE 0x8 115 #define EBT_IDEST 0x10 116 #define EBT_ILOGICALIN 0x20 117 #define EBT_ILOGICALOUT 0x40 118 #define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ 119 | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) 120 121 struct ebt_entry_match { 122 union { 123 char name[EBT_FUNCTION_MAXNAMELEN]; 124 struct xt_match *match; 125 } u; 126 /* size of data */ 127 unsigned int match_size; 128 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 129 }; 130 131 struct ebt_entry_watcher { 132 union { 133 char name[EBT_FUNCTION_MAXNAMELEN]; 134 struct xt_target *watcher; 135 } u; 136 /* size of data */ 137 unsigned int watcher_size; 138 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 139 }; 140 141 struct ebt_entry_target { 142 union { 143 char name[EBT_FUNCTION_MAXNAMELEN]; 144 struct xt_target *target; 145 } u; 146 /* size of data */ 147 unsigned int target_size; 148 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 149 }; 150 151 #define EBT_STANDARD_TARGET "standard" 152 struct ebt_standard_target { 153 struct ebt_entry_target target; 154 int verdict; 155 }; 156 157 /* one entry */ 158 struct ebt_entry { 159 /* this needs to be the first field */ 160 unsigned int bitmask; 161 unsigned int invflags; 162 __be16 ethproto; 163 /* the physical in-dev */ 164 char in[IFNAMSIZ]; 165 /* the logical in-dev */ 166 char logical_in[IFNAMSIZ]; 167 /* the physical out-dev */ 168 char out[IFNAMSIZ]; 169 /* the logical out-dev */ 170 char logical_out[IFNAMSIZ]; 171 unsigned char sourcemac[ETH_ALEN]; 172 unsigned char sourcemsk[ETH_ALEN]; 173 unsigned char destmac[ETH_ALEN]; 174 unsigned char destmsk[ETH_ALEN]; 175 /* sizeof ebt_entry + matches */ 176 unsigned int watchers_offset; 177 /* sizeof ebt_entry + matches + watchers */ 178 unsigned int target_offset; 179 /* sizeof ebt_entry + matches + watchers + target */ 180 unsigned int next_offset; 181 unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 182 }; 183 184 /* {g,s}etsockopt numbers */ 185 #define EBT_BASE_CTL 128 186 187 #define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) 188 #define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1) 189 #define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1) 190 191 #define EBT_SO_GET_INFO (EBT_BASE_CTL) 192 #define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1) 193 #define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1) 194 #define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1) 195 #define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1) 196 197 198 /* blatently stolen from ip_tables.h 199 * fn returns 0 to continue iteration */ 200 #define EBT_MATCH_ITERATE(e, fn, args...) \ 201 ({ \ 202 unsigned int __i; \ 203 int __ret = 0; \ 204 struct ebt_entry_match *__match; \ 205 \ 206 for (__i = sizeof(struct ebt_entry); \ 207 __i < (e)->watchers_offset; \ 208 __i += __match->match_size + \ 209 sizeof(struct ebt_entry_match)) { \ 210 __match = (void *)(e) + __i; \ 211 \ 212 __ret = fn(__match , ## args); \ 213 if (__ret != 0) \ 214 break; \ 215 } \ 216 if (__ret == 0) { \ 217 if (__i != (e)->watchers_offset) \ 218 __ret = -EINVAL; \ 219 } \ 220 __ret; \ 221 }) 222 223 #define EBT_WATCHER_ITERATE(e, fn, args...) \ 224 ({ \ 225 unsigned int __i; \ 226 int __ret = 0; \ 227 struct ebt_entry_watcher *__watcher; \ 228 \ 229 for (__i = e->watchers_offset; \ 230 __i < (e)->target_offset; \ 231 __i += __watcher->watcher_size + \ 232 sizeof(struct ebt_entry_watcher)) { \ 233 __watcher = (void *)(e) + __i; \ 234 \ 235 __ret = fn(__watcher , ## args); \ 236 if (__ret != 0) \ 237 break; \ 238 } \ 239 if (__ret == 0) { \ 240 if (__i != (e)->target_offset) \ 241 __ret = -EINVAL; \ 242 } \ 243 __ret; \ 244 }) 245 246 #define EBT_ENTRY_ITERATE(entries, size, fn, args...) \ 247 ({ \ 248 unsigned int __i; \ 249 int __ret = 0; \ 250 struct ebt_entry *__entry; \ 251 \ 252 for (__i = 0; __i < (size);) { \ 253 __entry = (void *)(entries) + __i; \ 254 __ret = fn(__entry , ## args); \ 255 if (__ret != 0) \ 256 break; \ 257 if (__entry->bitmask != 0) \ 258 __i += __entry->next_offset; \ 259 else \ 260 __i += sizeof(struct ebt_entries); \ 261 } \ 262 if (__ret == 0) { \ 263 if (__i != (size)) \ 264 __ret = -EINVAL; \ 265 } \ 266 __ret; \ 267 }) 268 269 #endif /* _UAPI__LINUX_BRIDGE_EFF_H */ 270