1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
6 * Bart De Schuymer <bdschuym@pandora.be>
8 * ebtables.c,v 2.0, April, 2002
10 * This code is strongly inspired by the iptables code which is
11 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
14 #ifndef _UAPI__LINUX_BRIDGE_EFF_H
15 #define _UAPI__LINUX_BRIDGE_EFF_H
16 #include <linux/types.h>
18 #include <linux/netfilter_bridge.h>
20 #define EBT_TABLE_MAXNAMELEN 32
21 #define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
22 #define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
24 /* verdicts >0 are "branches" */
27 #define EBT_CONTINUE -3
29 #define NUM_STANDARD_TARGETS 4
30 /* ebtables target modules store the verdict inside an int. We can
31 * reclaim a part of this int for backwards compatible extensions.
32 * The 4 lsb are more than enough to store the verdict. */
33 #define EBT_VERDICT_BITS 0x0000000F
44 char name[EBT_TABLE_MAXNAMELEN];
45 unsigned int valid_hooks;
46 /* nr of rules in the table */
47 unsigned int nentries;
48 /* total size of the entries */
49 unsigned int entries_size;
50 /* start of the chains */
51 struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
52 /* nr of counters userspace expects back */
53 unsigned int num_counters;
54 /* where the kernel will put the old counters */
55 struct ebt_counter __user *counters;
59 struct ebt_replace_kernel {
60 char name[EBT_TABLE_MAXNAMELEN];
61 unsigned int valid_hooks;
62 /* nr of rules in the table */
63 unsigned int nentries;
64 /* total size of the entries */
65 unsigned int entries_size;
66 /* start of the chains */
67 struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
68 /* nr of counters userspace expects back */
69 unsigned int num_counters;
70 /* where the kernel will put the old counters */
71 struct ebt_counter *counters;
76 /* this field is always set to zero
77 * See EBT_ENTRY_OR_ENTRIES.
78 * Must be same size as ebt_entry.bitmask */
79 unsigned int distinguisher;
81 char name[EBT_CHAIN_MAXNAMELEN];
82 /* counter offset for this chain */
83 unsigned int counter_offset;
84 /* one standard (accept, drop, return) per hook */
87 unsigned int nentries;
89 char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
92 /* used for the bitmask of struct ebt_entry */
94 /* This is a hack to make a difference between an ebt_entry struct and an
95 * ebt_entries struct when traversing the entries from start to end.
96 * Using this simplifies the code a lot, while still being able to use
98 * Contrary, iptables doesn't use something like ebt_entries and therefore uses
99 * different techniques for naming the policy and such. So, iptables doesn't
100 * need a hack like this.
102 #define EBT_ENTRY_OR_ENTRIES 0x01
103 /* these are the normal masks */
104 #define EBT_NOPROTO 0x02
105 #define EBT_802_3 0x04
106 #define EBT_SOURCEMAC 0x08
107 #define EBT_DESTMAC 0x10
108 #define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
109 | EBT_ENTRY_OR_ENTRIES)
111 #define EBT_IPROTO 0x01
113 #define EBT_IOUT 0x04
114 #define EBT_ISOURCE 0x8
115 #define EBT_IDEST 0x10
116 #define EBT_ILOGICALIN 0x20
117 #define EBT_ILOGICALOUT 0x40
118 #define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
119 | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
121 struct ebt_entry_match {
123 char name[EBT_FUNCTION_MAXNAMELEN];
124 struct xt_match *match;
127 unsigned int match_size;
128 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
131 struct ebt_entry_watcher {
133 char name[EBT_FUNCTION_MAXNAMELEN];
134 struct xt_target *watcher;
137 unsigned int watcher_size;
138 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
141 struct ebt_entry_target {
143 char name[EBT_FUNCTION_MAXNAMELEN];
144 struct xt_target *target;
147 unsigned int target_size;
148 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
151 #define EBT_STANDARD_TARGET "standard"
152 struct ebt_standard_target {
153 struct ebt_entry_target target;
159 /* this needs to be the first field */
160 unsigned int bitmask;
161 unsigned int invflags;
163 /* the physical in-dev */
165 /* the logical in-dev */
166 char logical_in[IFNAMSIZ];
167 /* the physical out-dev */
169 /* the logical out-dev */
170 char logical_out[IFNAMSIZ];
171 unsigned char sourcemac[ETH_ALEN];
172 unsigned char sourcemsk[ETH_ALEN];
173 unsigned char destmac[ETH_ALEN];
174 unsigned char destmsk[ETH_ALEN];
175 /* sizeof ebt_entry + matches */
176 unsigned int watchers_offset;
177 /* sizeof ebt_entry + matches + watchers */
178 unsigned int target_offset;
179 /* sizeof ebt_entry + matches + watchers + target */
180 unsigned int next_offset;
181 unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
184 /* {g,s}etsockopt numbers */
185 #define EBT_BASE_CTL 128
187 #define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
188 #define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1)
189 #define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1)
191 #define EBT_SO_GET_INFO (EBT_BASE_CTL)
192 #define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1)
193 #define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1)
194 #define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
195 #define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1)
198 /* blatently stolen from ip_tables.h
199 * fn returns 0 to continue iteration */
200 #define EBT_MATCH_ITERATE(e, fn, args...) \
204 struct ebt_entry_match *__match; \
206 for (__i = sizeof(struct ebt_entry); \
207 __i < (e)->watchers_offset; \
208 __i += __match->match_size + \
209 sizeof(struct ebt_entry_match)) { \
210 __match = (void *)(e) + __i; \
212 __ret = fn(__match , ## args); \
217 if (__i != (e)->watchers_offset) \
223 #define EBT_WATCHER_ITERATE(e, fn, args...) \
227 struct ebt_entry_watcher *__watcher; \
229 for (__i = e->watchers_offset; \
230 __i < (e)->target_offset; \
231 __i += __watcher->watcher_size + \
232 sizeof(struct ebt_entry_watcher)) { \
233 __watcher = (void *)(e) + __i; \
235 __ret = fn(__watcher , ## args); \
240 if (__i != (e)->target_offset) \
246 #define EBT_ENTRY_ITERATE(entries, size, fn, args...) \
250 struct ebt_entry *__entry; \
252 for (__i = 0; __i < (size);) { \
253 __entry = (void *)(entries) + __i; \
254 __ret = fn(__entry , ## args); \
257 if (__entry->bitmask != 0) \
258 __i += __entry->next_offset; \
260 __i += sizeof(struct ebt_entries); \
269 #endif /* _UAPI__LINUX_BRIDGE_EFF_H */