LXR linux/include/uapi/linux/netfilter

   1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
   2/*
   3 *  ebtables
   4 *
   5 *      Authors:
   6 *      Bart De Schuymer                <bdschuym@pandora.be>
   7 *
   8 *  ebtables.c,v 2.0, April, 2002
   9 *
  10 *  This code is strongly inspired by the iptables code which is
  11 *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
  12 */
  13
  14#ifndef _UAPI__LINUX_BRIDGE_EFF_H
  15#define _UAPI__LINUX_BRIDGE_EFF_H
  16#include <linux/types.h>
  17#include <linux/if.h>
  18#include <linux/netfilter_bridge.h>
  19
  20#define EBT_TABLE_MAXNAMELEN 32
  21#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
  22#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
  23
  24/* verdicts >0 are "branches" */
  25#define EBT_ACCEPT   -1
  26#define EBT_DROP     -2
  27#define EBT_CONTINUE -3
  28#define EBT_RETURN   -4
  29#define NUM_STANDARD_TARGETS   4
  30/* ebtables target modules store the verdict inside an int. We can
  31 * reclaim a part of this int for backwards compatible extensions.
  32 * The 4 lsb are more than enough to store the verdict. */
  33#define EBT_VERDICT_BITS 0x0000000F
  34
  35struct xt_match;
  36struct xt_target;
  37
  38struct ebt_counter {
  39        __u64 pcnt;
  40        __u64 bcnt;
  41};
  42
  43struct ebt_replace {
  44        char name[EBT_TABLE_MAXNAMELEN];
  45        unsigned int valid_hooks;
  46        /* nr of rules in the table */
  47        unsigned int nentries;
  48        /* total size of the entries */
  49        unsigned int entries_size;
  50        /* start of the chains */
  51        struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
  52        /* nr of counters userspace expects back */
  53        unsigned int num_counters;
  54        /* where the kernel will put the old counters */
  55        struct ebt_counter __user *counters;
  56        char __user *entries;
  57};
  58
  59struct ebt_replace_kernel {
  60        char name[EBT_TABLE_MAXNAMELEN];
  61        unsigned int valid_hooks;
  62        /* nr of rules in the table */
  63        unsigned int nentries;
  64        /* total size of the entries */
  65        unsigned int entries_size;
  66        /* start of the chains */
  67        struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
  68        /* nr of counters userspace expects back */
  69        unsigned int num_counters;
  70        /* where the kernel will put the old counters */
  71        struct ebt_counter *counters;
  72        char *entries;
  73};
  74
  75struct ebt_entries {
  76        /* this field is always set to zero
  77         * See EBT_ENTRY_OR_ENTRIES.
  78         * Must be same size as ebt_entry.bitmask */
  79        unsigned int distinguisher;
  80        /* the chain name */
  81        char name[EBT_CHAIN_MAXNAMELEN];
  82        /* counter offset for this chain */
  83        unsigned int counter_offset;
  84        /* one standard (accept, drop, return) per hook */
  85        int policy;
  86        /* nr. of entries */
  87        unsigned int nentries;
  88        /* entry list */
  89        char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
  90};
  91
  92/* used for the bitmask of struct ebt_entry */
  93
  94/* This is a hack to make a difference between an ebt_entry struct and an
  95 * ebt_entries struct when traversing the entries from start to end.
  96 * Using this simplifies the code a lot, while still being able to use
  97 * ebt_entries.
  98 * Contrary, iptables doesn't use something like ebt_entries and therefore uses
  99 * different techniques for naming the policy and such. So, iptables doesn't
 100 * need a hack like this.
 101 */
 102#define EBT_ENTRY_OR_ENTRIES 0x01
 103/* these are the normal masks */
 104#define EBT_NOPROTO 0x02
 105#define EBT_802_3 0x04
 106#define EBT_SOURCEMAC 0x08
 107#define EBT_DESTMAC 0x10
 108#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
 109   | EBT_ENTRY_OR_ENTRIES)
 110
 111#define EBT_IPROTO 0x01
 112#define EBT_IIN 0x02
 113#define EBT_IOUT 0x04
 114#define EBT_ISOURCE 0x8
 115#define EBT_IDEST 0x10
 116#define EBT_ILOGICALIN 0x20
 117#define EBT_ILOGICALOUT 0x40
 118#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
 119   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
 120
 121struct ebt_entry_match {
 122        union {
 123                char name[EBT_FUNCTION_MAXNAMELEN];
 124                struct xt_match *match;
 125        } u;
 126        /* size of data */
 127        unsigned int match_size;
 128        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 129};
 130
 131struct ebt_entry_watcher {
 132        union {
 133                char name[EBT_FUNCTION_MAXNAMELEN];
 134                struct xt_target *watcher;
 135        } u;
 136        /* size of data */
 137        unsigned int watcher_size;
 138        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 139};
 140
 141struct ebt_entry_target {
 142        union {
 143                char name[EBT_FUNCTION_MAXNAMELEN];
 144                struct xt_target *target;
 145        } u;
 146        /* size of data */
 147        unsigned int target_size;
 148        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 149};
 150
 151#define EBT_STANDARD_TARGET "standard"
 152struct ebt_standard_target {
 153        struct ebt_entry_target target;
 154        int verdict;
 155};
 156
 157/* one entry */
 158struct ebt_entry {
 159        /* this needs to be the first field */
 160        unsigned int bitmask;
 161        unsigned int invflags;
 162        __be16 ethproto;
 163        /* the physical in-dev */
 164        char in[IFNAMSIZ];
 165        /* the logical in-dev */
 166        char logical_in[IFNAMSIZ];
 167        /* the physical out-dev */
 168        char out[IFNAMSIZ];
 169        /* the logical out-dev */
 170        char logical_out[IFNAMSIZ];
 171        unsigned char sourcemac[ETH_ALEN];
 172        unsigned char sourcemsk[ETH_ALEN];
 173        unsigned char destmac[ETH_ALEN];
 174        unsigned char destmsk[ETH_ALEN];
 175        /* sizeof ebt_entry + matches */
 176        unsigned int watchers_offset;
 177        /* sizeof ebt_entry + matches + watchers */
 178        unsigned int target_offset;
 179        /* sizeof ebt_entry + matches + watchers + target */
 180        unsigned int next_offset;
 181        unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 182};
 183
 184/* {g,s}etsockopt numbers */
 185#define EBT_BASE_CTL            128
 186
 187#define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
 188#define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
 189#define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
 190
 191#define EBT_SO_GET_INFO         (EBT_BASE_CTL)
 192#define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
 193#define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
 194#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
 195#define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
 196
 197
 198/* blatently stolen from ip_tables.h
 199 * fn returns 0 to continue iteration */
 200#define EBT_MATCH_ITERATE(e, fn, args...)                   \
 201({                                                          \
 202        unsigned int __i;                                   \
 203        int __ret = 0;                                      \
 204        struct ebt_entry_match *__match;                    \
 205                                                            \
 206        for (__i = sizeof(struct ebt_entry);                \
 207             __i < (e)->watchers_offset;                    \
 208             __i += __match->match_size +                   \
 209             sizeof(struct ebt_entry_match)) {              \
 210                __match = (void *)(e) + __i;                \
 211                                                            \
 212                __ret = fn(__match , ## args);              \
 213                if (__ret != 0)                             \
 214                        break;                              \
 215        }                                                   \
 216        if (__ret == 0) {                                   \
 217                if (__i != (e)->watchers_offset)            \
 218                        __ret = -EINVAL;                    \
 219        }                                                   \
 220        __ret;                                              \
 221})
 222
 223#define EBT_WATCHER_ITERATE(e, fn, args...)                 \
 224({                                                          \
 225        unsigned int __i;                                   \
 226        int __ret = 0;                                      \
 227        struct ebt_entry_watcher *__watcher;                \
 228                                                            \
 229        for (__i = e->watchers_offset;                      \
 230             __i < (e)->target_offset;                      \
 231             __i += __watcher->watcher_size +               \
 232             sizeof(struct ebt_entry_watcher)) {            \
 233                __watcher = (void *)(e) + __i;              \
 234                                                            \
 235                __ret = fn(__watcher , ## args);            \
 236                if (__ret != 0)                             \
 237                        break;                              \
 238        }                                                   \
 239        if (__ret == 0) {                                   \
 240                if (__i != (e)->target_offset)              \
 241                        __ret = -EINVAL;                    \
 242        }                                                   \
 243        __ret;                                              \
 244})
 245
 246#define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
 247({                                                          \
 248        unsigned int __i;                                   \
 249        int __ret = 0;                                      \
 250        struct ebt_entry *__entry;                          \
 251                                                            \
 252        for (__i = 0; __i < (size);) {                      \
 253                __entry = (void *)(entries) + __i;          \
 254                __ret = fn(__entry , ## args);              \
 255                if (__ret != 0)                             \
 256                        break;                              \
 257                if (__entry->bitmask != 0)                  \
 258                        __i += __entry->next_offset;        \
 259                else                                        \
 260                        __i += sizeof(struct ebt_entries);  \
 261        }                                                   \
 262        if (__ret == 0) {                                   \
 263                if (__i != (size))                          \
 264                        __ret = -EINVAL;                    \
 265        }                                                   \
 266        __ret;                                              \
 267})
 268
 269#endif /* _UAPI__LINUX_BRIDGE_EFF_H */
 270