LXR linux/include/uapi/linux/netfilter

   1/*
   2 *  ebtables
   3 *
   4 *      Authors:
   5 *      Bart De Schuymer                <bdschuym@pandora.be>
   6 *
   7 *  ebtables.c,v 2.0, April, 2002
   8 *
   9 *  This code is strongly inspired by the iptables code which is
  10 *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
  11 */
  12
  13#ifndef _UAPI__LINUX_BRIDGE_EFF_H
  14#define _UAPI__LINUX_BRIDGE_EFF_H
  15#include <linux/types.h>
  16#include <linux/if.h>
  17#include <linux/netfilter_bridge.h>
  18
  19#define EBT_TABLE_MAXNAMELEN 32
  20#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
  21#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
  22
  23/* verdicts >0 are "branches" */
  24#define EBT_ACCEPT   -1
  25#define EBT_DROP     -2
  26#define EBT_CONTINUE -3
  27#define EBT_RETURN   -4
  28#define NUM_STANDARD_TARGETS   4
  29/* ebtables target modules store the verdict inside an int. We can
  30 * reclaim a part of this int for backwards compatible extensions.
  31 * The 4 lsb are more than enough to store the verdict. */
  32#define EBT_VERDICT_BITS 0x0000000F
  33
  34struct xt_match;
  35struct xt_target;
  36
  37struct ebt_counter {
  38        __u64 pcnt;
  39        __u64 bcnt;
  40};
  41
  42struct ebt_replace {
  43        char name[EBT_TABLE_MAXNAMELEN];
  44        unsigned int valid_hooks;
  45        /* nr of rules in the table */
  46        unsigned int nentries;
  47        /* total size of the entries */
  48        unsigned int entries_size;
  49        /* start of the chains */
  50        struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
  51        /* nr of counters userspace expects back */
  52        unsigned int num_counters;
  53        /* where the kernel will put the old counters */
  54        struct ebt_counter __user *counters;
  55        char __user *entries;
  56};
  57
  58struct ebt_replace_kernel {
  59        char name[EBT_TABLE_MAXNAMELEN];
  60        unsigned int valid_hooks;
  61        /* nr of rules in the table */
  62        unsigned int nentries;
  63        /* total size of the entries */
  64        unsigned int entries_size;
  65        /* start of the chains */
  66        struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
  67        /* nr of counters userspace expects back */
  68        unsigned int num_counters;
  69        /* where the kernel will put the old counters */
  70        struct ebt_counter *counters;
  71        char *entries;
  72};
  73
  74struct ebt_entries {
  75        /* this field is always set to zero
  76         * See EBT_ENTRY_OR_ENTRIES.
  77         * Must be same size as ebt_entry.bitmask */
  78        unsigned int distinguisher;
  79        /* the chain name */
  80        char name[EBT_CHAIN_MAXNAMELEN];
  81        /* counter offset for this chain */
  82        unsigned int counter_offset;
  83        /* one standard (accept, drop, return) per hook */
  84        int policy;
  85        /* nr. of entries */
  86        unsigned int nentries;
  87        /* entry list */
  88        char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
  89};
  90
  91/* used for the bitmask of struct ebt_entry */
  92
  93/* This is a hack to make a difference between an ebt_entry struct and an
  94 * ebt_entries struct when traversing the entries from start to end.
  95 * Using this simplifies the code a lot, while still being able to use
  96 * ebt_entries.
  97 * Contrary, iptables doesn't use something like ebt_entries and therefore uses
  98 * different techniques for naming the policy and such. So, iptables doesn't
  99 * need a hack like this.
 100 */
 101#define EBT_ENTRY_OR_ENTRIES 0x01
 102/* these are the normal masks */
 103#define EBT_NOPROTO 0x02
 104#define EBT_802_3 0x04
 105#define EBT_SOURCEMAC 0x08
 106#define EBT_DESTMAC 0x10
 107#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
 108   | EBT_ENTRY_OR_ENTRIES)
 109
 110#define EBT_IPROTO 0x01
 111#define EBT_IIN 0x02
 112#define EBT_IOUT 0x04
 113#define EBT_ISOURCE 0x8
 114#define EBT_IDEST 0x10
 115#define EBT_ILOGICALIN 0x20
 116#define EBT_ILOGICALOUT 0x40
 117#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
 118   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
 119
 120struct ebt_entry_match {
 121        union {
 122                char name[EBT_FUNCTION_MAXNAMELEN];
 123                struct xt_match *match;
 124        } u;
 125        /* size of data */
 126        unsigned int match_size;
 127        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 128};
 129
 130struct ebt_entry_watcher {
 131        union {
 132                char name[EBT_FUNCTION_MAXNAMELEN];
 133                struct xt_target *watcher;
 134        } u;
 135        /* size of data */
 136        unsigned int watcher_size;
 137        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 138};
 139
 140struct ebt_entry_target {
 141        union {
 142                char name[EBT_FUNCTION_MAXNAMELEN];
 143                struct xt_target *target;
 144        } u;
 145        /* size of data */
 146        unsigned int target_size;
 147        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 148};
 149
 150#define EBT_STANDARD_TARGET "standard"
 151struct ebt_standard_target {
 152        struct ebt_entry_target target;
 153        int verdict;
 154};
 155
 156/* one entry */
 157struct ebt_entry {
 158        /* this needs to be the first field */
 159        unsigned int bitmask;
 160        unsigned int invflags;
 161        __be16 ethproto;
 162        /* the physical in-dev */
 163        char in[IFNAMSIZ];
 164        /* the logical in-dev */
 165        char logical_in[IFNAMSIZ];
 166        /* the physical out-dev */
 167        char out[IFNAMSIZ];
 168        /* the logical out-dev */
 169        char logical_out[IFNAMSIZ];
 170        unsigned char sourcemac[ETH_ALEN];
 171        unsigned char sourcemsk[ETH_ALEN];
 172        unsigned char destmac[ETH_ALEN];
 173        unsigned char destmsk[ETH_ALEN];
 174        /* sizeof ebt_entry + matches */
 175        unsigned int watchers_offset;
 176        /* sizeof ebt_entry + matches + watchers */
 177        unsigned int target_offset;
 178        /* sizeof ebt_entry + matches + watchers + target */
 179        unsigned int next_offset;
 180        unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 181};
 182
 183/* {g,s}etsockopt numbers */
 184#define EBT_BASE_CTL            128
 185
 186#define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
 187#define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
 188#define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
 189
 190#define EBT_SO_GET_INFO         (EBT_BASE_CTL)
 191#define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
 192#define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
 193#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
 194#define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
 195
 196
 197/* blatently stolen from ip_tables.h
 198 * fn returns 0 to continue iteration */
 199#define EBT_MATCH_ITERATE(e, fn, args...)                   \
 200({                                                          \
 201        unsigned int __i;                                   \
 202        int __ret = 0;                                      \
 203        struct ebt_entry_match *__match;                    \
 204                                                            \
 205        for (__i = sizeof(struct ebt_entry);                \
 206             __i < (e)->watchers_offset;                    \
 207             __i += __match->match_size +                   \
 208             sizeof(struct ebt_entry_match)) {              \
 209                __match = (void *)(e) + __i;                \
 210                                                            \
 211                __ret = fn(__match , ## args);              \
 212                if (__ret != 0)                             \
 213                        break;                              \
 214        }                                                   \
 215        if (__ret == 0) {                                   \
 216                if (__i != (e)->watchers_offset)            \
 217                        __ret = -EINVAL;                    \
 218        }                                                   \
 219        __ret;                                              \
 220})
 221
 222#define EBT_WATCHER_ITERATE(e, fn, args...)                 \
 223({                                                          \
 224        unsigned int __i;                                   \
 225        int __ret = 0;                                      \
 226        struct ebt_entry_watcher *__watcher;                \
 227                                                            \
 228        for (__i = e->watchers_offset;                      \
 229             __i < (e)->target_offset;                      \
 230             __i += __watcher->watcher_size +               \
 231             sizeof(struct ebt_entry_watcher)) {            \
 232                __watcher = (void *)(e) + __i;              \
 233                                                            \
 234                __ret = fn(__watcher , ## args);            \
 235                if (__ret != 0)                             \
 236                        break;                              \
 237        }                                                   \
 238        if (__ret == 0) {                                   \
 239                if (__i != (e)->target_offset)              \
 240                        __ret = -EINVAL;                    \
 241        }                                                   \
 242        __ret;                                              \
 243})
 244
 245#define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
 246({                                                          \
 247        unsigned int __i;                                   \
 248        int __ret = 0;                                      \
 249        struct ebt_entry *__entry;                          \
 250                                                            \
 251        for (__i = 0; __i < (size);) {                      \
 252                __entry = (void *)(entries) + __i;          \
 253                __ret = fn(__entry , ## args);              \
 254                if (__ret != 0)                             \
 255                        break;                              \
 256                if (__entry->bitmask != 0)                  \
 257                        __i += __entry->next_offset;        \
 258                else                                        \
 259                        __i += sizeof(struct ebt_entries);  \
 260        }                                                   \
 261        if (__ret == 0) {                                   \
 262                if (__i != (size))                          \
 263                        __ret = -EINVAL;                    \
 264        }                                                   \
 265        __ret;                                              \
 266})
 267
 268#endif /* _UAPI__LINUX_BRIDGE_EFF_H */
 269