include/uapi/linux/netfilter_bridge/ebtables.h

   1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
   2 /*
   3  *  ebtables
   4  *
   5  *      Authors:
   6  *      Bart De Schuymer                <bdschuym@pandora.be>
   7  *
   8  *  ebtables.c,v 2.0, April, 2002
   9  *
  10  *  This code is strongly inspired by the iptables code which is
  11  *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
  12  */
  13
  14 #ifndef _UAPI__LINUX_BRIDGE_EFF_H
  15 #define _UAPI__LINUX_BRIDGE_EFF_H
  16 #include <linux/types.h>
  17 #include <linux/if.h>
  18 #include <linux/netfilter_bridge.h>
  19
  20 #define EBT_TABLE_MAXNAMELEN 32
  21 #define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
  22 #define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
  23
  24 /* verdicts >0 are "branches" */
  25 #define EBT_ACCEPT   -1
  26 #define EBT_DROP     -2
  27 #define EBT_CONTINUE -3
  28 #define EBT_RETURN   -4
  29 #define NUM_STANDARD_TARGETS   4
  30 /* ebtables target modules store the verdict inside an int. We can
  31  * reclaim a part of this int for backwards compatible extensions.
  32  * The 4 lsb are more than enough to store the verdict. */
  33 #define EBT_VERDICT_BITS 0x0000000F
  34
  35 struct xt_match;
  36 struct xt_target;
  37
  38 struct ebt_counter {
  39         __u64 pcnt;
  40         __u64 bcnt;
  41 };
  42
  43 struct ebt_replace {
  44         char name[EBT_TABLE_MAXNAMELEN];
  45         unsigned int valid_hooks;
  46         /* nr of rules in the table */
  47         unsigned int nentries;
  48         /* total size of the entries */
  49         unsigned int entries_size;
  50         /* start of the chains */
  51         struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
  52         /* nr of counters userspace expects back */
  53         unsigned int num_counters;
  54         /* where the kernel will put the old counters */
  55         struct ebt_counter __user *counters;
  56         char __user *entries;
  57 };
  58
  59 struct ebt_replace_kernel {
  60         char name[EBT_TABLE_MAXNAMELEN];
  61         unsigned int valid_hooks;
  62         /* nr of rules in the table */
  63         unsigned int nentries;
  64         /* total size of the entries */
  65         unsigned int entries_size;
  66         /* start of the chains */
  67         struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
  68         /* nr of counters userspace expects back */
  69         unsigned int num_counters;
  70         /* where the kernel will put the old counters */
  71         struct ebt_counter *counters;
  72         char *entries;
  73 };
  74
  75 struct ebt_entries {
  76         /* this field is always set to zero
  77          * See EBT_ENTRY_OR_ENTRIES.
  78          * Must be same size as ebt_entry.bitmask */
  79         unsigned int distinguisher;
  80         /* the chain name */
  81         char name[EBT_CHAIN_MAXNAMELEN];
  82         /* counter offset for this chain */
  83         unsigned int counter_offset;
  84         /* one standard (accept, drop, return) per hook */
  85         int policy;
  86         /* nr. of entries */
  87         unsigned int nentries;
  88         /* entry list */
  89         char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
  90 };
  91
  92 /* used for the bitmask of struct ebt_entry */
  93
  94 /* This is a hack to make a difference between an ebt_entry struct and an
  95  * ebt_entries struct when traversing the entries from start to end.
  96  * Using this simplifies the code a lot, while still being able to use
  97  * ebt_entries.
  98  * Contrary, iptables doesn't use something like ebt_entries and therefore uses
  99  * different techniques for naming the policy and such. So, iptables doesn't
 100  * need a hack like this.
 101  */
 102 #define EBT_ENTRY_OR_ENTRIES 0x01
 103 /* these are the normal masks */
 104 #define EBT_NOPROTO 0x02
 105 #define EBT_802_3 0x04
 106 #define EBT_SOURCEMAC 0x08
 107 #define EBT_DESTMAC 0x10
 108 #define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
 109    | EBT_ENTRY_OR_ENTRIES)
 110
 111 #define EBT_IPROTO 0x01
 112 #define EBT_IIN 0x02
 113 #define EBT_IOUT 0x04
 114 #define EBT_ISOURCE 0x8
 115 #define EBT_IDEST 0x10
 116 #define EBT_ILOGICALIN 0x20
 117 #define EBT_ILOGICALOUT 0x40
 118 #define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
 119    | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
 120
 121 struct ebt_entry_match {
 122         union {
 123                 char name[EBT_FUNCTION_MAXNAMELEN];
 124                 struct xt_match *match;
 125         } u;
 126         /* size of data */
 127         unsigned int match_size;
 128         unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 129 };
 130
 131 struct ebt_entry_watcher {
 132         union {
 133                 char name[EBT_FUNCTION_MAXNAMELEN];
 134                 struct xt_target *watcher;
 135         } u;
 136         /* size of data */
 137         unsigned int watcher_size;
 138         unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 139 };
 140
 141 struct ebt_entry_target {
 142         union {
 143                 char name[EBT_FUNCTION_MAXNAMELEN];
 144                 struct xt_target *target;
 145         } u;
 146         /* size of data */
 147         unsigned int target_size;
 148         unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 149 };
 150
 151 #define EBT_STANDARD_TARGET "standard"
 152 struct ebt_standard_target {
 153         struct ebt_entry_target target;
 154         int verdict;
 155 };
 156
 157 /* one entry */
 158 struct ebt_entry {
 159         /* this needs to be the first field */
 160         unsigned int bitmask;
 161         unsigned int invflags;
 162         __be16 ethproto;
 163         /* the physical in-dev */
 164         char in[IFNAMSIZ];
 165         /* the logical in-dev */
 166         char logical_in[IFNAMSIZ];
 167         /* the physical out-dev */
 168         char out[IFNAMSIZ];
 169         /* the logical out-dev */
 170         char logical_out[IFNAMSIZ];
 171         unsigned char sourcemac[ETH_ALEN];
 172         unsigned char sourcemsk[ETH_ALEN];
 173         unsigned char destmac[ETH_ALEN];
 174         unsigned char destmsk[ETH_ALEN];
 175         /* sizeof ebt_entry + matches */
 176         unsigned int watchers_offset;
 177         /* sizeof ebt_entry + matches + watchers */
 178         unsigned int target_offset;
 179         /* sizeof ebt_entry + matches + watchers + target */
 180         unsigned int next_offset;
 181         unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 182 };
 183
 184 /* {g,s}etsockopt numbers */
 185 #define EBT_BASE_CTL            128
 186
 187 #define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
 188 #define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
 189 #define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
 190
 191 #define EBT_SO_GET_INFO         (EBT_BASE_CTL)
 192 #define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
 193 #define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
 194 #define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
 195 #define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
 196
 197
 198 /* blatently stolen from ip_tables.h
 199  * fn returns 0 to continue iteration */
 200 #define EBT_MATCH_ITERATE(e, fn, args...)                   \
 201 ({                                                          \
 202         unsigned int __i;                                   \
 203         int __ret = 0;                                      \
 204         struct ebt_entry_match *__match;                    \
 205                                                             \
 206         for (__i = sizeof(struct ebt_entry);                \
 207              __i < (e)->watchers_offset;                    \
 208              __i += __match->match_size +                   \
 209              sizeof(struct ebt_entry_match)) {              \
 210                 __match = (void *)(e) + __i;                \
 211                                                             \
 212                 __ret = fn(__match , ## args);              \
 213                 if (__ret != 0)                             \
 214                         break;                              \
 215         }                                                   \
 216         if (__ret == 0) {                                   \
 217                 if (__i != (e)->watchers_offset)            \
 218                         __ret = -EINVAL;                    \
 219         }                                                   \
 220         __ret;                                              \
 221 })
 222
 223 #define EBT_WATCHER_ITERATE(e, fn, args...)                 \
 224 ({                                                          \
 225         unsigned int __i;                                   \
 226         int __ret = 0;                                      \
 227         struct ebt_entry_watcher *__watcher;                \
 228                                                             \
 229         for (__i = e->watchers_offset;                      \
 230              __i < (e)->target_offset;                      \
 231              __i += __watcher->watcher_size +               \
 232              sizeof(struct ebt_entry_watcher)) {            \
 233                 __watcher = (void *)(e) + __i;              \
 234                                                             \
 235                 __ret = fn(__watcher , ## args);            \
 236                 if (__ret != 0)                             \
 237                         break;                              \
 238         }                                                   \
 239         if (__ret == 0) {                                   \
 240                 if (__i != (e)->target_offset)              \
 241                         __ret = -EINVAL;                    \
 242         }                                                   \
 243         __ret;                                              \
 244 })
 245
 246 #define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
 247 ({                                                          \
 248         unsigned int __i;                                   \
 249         int __ret = 0;                                      \
 250         struct ebt_entry *__entry;                          \
 251                                                             \
 252         for (__i = 0; __i < (size);) {                      \
 253                 __entry = (void *)(entries) + __i;          \
 254                 __ret = fn(__entry , ## args);              \
 255                 if (__ret != 0)                             \
 256                         break;                              \
 257                 if (__entry->bitmask != 0)                  \
 258                         __i += __entry->next_offset;        \
 259                 else                                        \
 260                         __i += sizeof(struct ebt_entries);  \
 261         }                                                   \
 262         if (__ret == 0) {                                   \
 263                 if (__i != (size))                          \
 264                         __ret = -EINVAL;                    \
 265         }                                                   \
 266         __ret;                                              \
 267 })
 268
 269 #endif /* _UAPI__LINUX_BRIDGE_EFF_H */