LXR linux/include/uapi/linux/netfilter

   1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
   2/*
   3 *  ebtables
   4 *
   5 *      Authors:
   6 *      Bart De Schuymer                <bdschuym@pandora.be>
   7 *
   8 *  ebtables.c,v 2.0, April, 2002
   9 *
  10 *  This code is strongly inspired by the iptables code which is
  11 *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
  12 */
  13
  14#ifndef _UAPI__LINUX_BRIDGE_EFF_H
  15#define _UAPI__LINUX_BRIDGE_EFF_H
  16#include <linux/types.h>
  17#include <linux/if.h>
  18#include <linux/netfilter_bridge.h>
  19
  20#define EBT_TABLE_MAXNAMELEN 32
  21#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
  22#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
  23#define EBT_EXTENSION_MAXNAMELEN 31
  24
  25/* verdicts >0 are "branches" */
  26#define EBT_ACCEPT   -1
  27#define EBT_DROP     -2
  28#define EBT_CONTINUE -3
  29#define EBT_RETURN   -4
  30#define NUM_STANDARD_TARGETS   4
  31/* ebtables target modules store the verdict inside an int. We can
  32 * reclaim a part of this int for backwards compatible extensions.
  33 * The 4 lsb are more than enough to store the verdict. */
  34#define EBT_VERDICT_BITS 0x0000000F
  35
  36struct xt_match;
  37struct xt_target;
  38
  39struct ebt_counter {
  40        __u64 pcnt;
  41        __u64 bcnt;
  42};
  43
  44struct ebt_replace {
  45        char name[EBT_TABLE_MAXNAMELEN];
  46        unsigned int valid_hooks;
  47        /* nr of rules in the table */
  48        unsigned int nentries;
  49        /* total size of the entries */
  50        unsigned int entries_size;
  51        /* start of the chains */
  52        struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
  53        /* nr of counters userspace expects back */
  54        unsigned int num_counters;
  55        /* where the kernel will put the old counters */
  56        struct ebt_counter __user *counters;
  57        char __user *entries;
  58};
  59
  60struct ebt_replace_kernel {
  61        char name[EBT_TABLE_MAXNAMELEN];
  62        unsigned int valid_hooks;
  63        /* nr of rules in the table */
  64        unsigned int nentries;
  65        /* total size of the entries */
  66        unsigned int entries_size;
  67        /* start of the chains */
  68        struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
  69        /* nr of counters userspace expects back */
  70        unsigned int num_counters;
  71        /* where the kernel will put the old counters */
  72        struct ebt_counter *counters;
  73        char *entries;
  74};
  75
  76struct ebt_entries {
  77        /* this field is always set to zero
  78         * See EBT_ENTRY_OR_ENTRIES.
  79         * Must be same size as ebt_entry.bitmask */
  80        unsigned int distinguisher;
  81        /* the chain name */
  82        char name[EBT_CHAIN_MAXNAMELEN];
  83        /* counter offset for this chain */
  84        unsigned int counter_offset;
  85        /* one standard (accept, drop, return) per hook */
  86        int policy;
  87        /* nr. of entries */
  88        unsigned int nentries;
  89        /* entry list */
  90        char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
  91};
  92
  93/* used for the bitmask of struct ebt_entry */
  94
  95/* This is a hack to make a difference between an ebt_entry struct and an
  96 * ebt_entries struct when traversing the entries from start to end.
  97 * Using this simplifies the code a lot, while still being able to use
  98 * ebt_entries.
  99 * Contrary, iptables doesn't use something like ebt_entries and therefore uses
 100 * different techniques for naming the policy and such. So, iptables doesn't
 101 * need a hack like this.
 102 */
 103#define EBT_ENTRY_OR_ENTRIES 0x01
 104/* these are the normal masks */
 105#define EBT_NOPROTO 0x02
 106#define EBT_802_3 0x04
 107#define EBT_SOURCEMAC 0x08
 108#define EBT_DESTMAC 0x10
 109#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
 110   | EBT_ENTRY_OR_ENTRIES)
 111
 112#define EBT_IPROTO 0x01
 113#define EBT_IIN 0x02
 114#define EBT_IOUT 0x04
 115#define EBT_ISOURCE 0x8
 116#define EBT_IDEST 0x10
 117#define EBT_ILOGICALIN 0x20
 118#define EBT_ILOGICALOUT 0x40
 119#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
 120   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
 121
 122struct ebt_entry_match {
 123        union {
 124                struct {
 125                        char name[EBT_EXTENSION_MAXNAMELEN];
 126                        __u8 revision;
 127                };
 128                struct xt_match *match;
 129        } u;
 130        /* size of data */
 131        unsigned int match_size;
 132        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 133};
 134
 135struct ebt_entry_watcher {
 136        union {
 137                struct {
 138                        char name[EBT_EXTENSION_MAXNAMELEN];
 139                        __u8 revision;
 140                };
 141                struct xt_target *watcher;
 142        } u;
 143        /* size of data */
 144        unsigned int watcher_size;
 145        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 146};
 147
 148struct ebt_entry_target {
 149        union {
 150                struct {
 151                        char name[EBT_EXTENSION_MAXNAMELEN];
 152                        __u8 revision;
 153                };
 154                struct xt_target *target;
 155        } u;
 156        /* size of data */
 157        unsigned int target_size;
 158        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 159};
 160
 161#define EBT_STANDARD_TARGET "standard"
 162struct ebt_standard_target {
 163        struct ebt_entry_target target;
 164        int verdict;
 165};
 166
 167/* one entry */
 168struct ebt_entry {
 169        /* this needs to be the first field */
 170        unsigned int bitmask;
 171        unsigned int invflags;
 172        __be16 ethproto;
 173        /* the physical in-dev */
 174        char in[IFNAMSIZ];
 175        /* the logical in-dev */
 176        char logical_in[IFNAMSIZ];
 177        /* the physical out-dev */
 178        char out[IFNAMSIZ];
 179        /* the logical out-dev */
 180        char logical_out[IFNAMSIZ];
 181        unsigned char sourcemac[ETH_ALEN];
 182        unsigned char sourcemsk[ETH_ALEN];
 183        unsigned char destmac[ETH_ALEN];
 184        unsigned char destmsk[ETH_ALEN];
 185        /* sizeof ebt_entry + matches */
 186        unsigned int watchers_offset;
 187        /* sizeof ebt_entry + matches + watchers */
 188        unsigned int target_offset;
 189        /* sizeof ebt_entry + matches + watchers + target */
 190        unsigned int next_offset;
 191        unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 192};
 193
 194static __inline__ struct ebt_entry_target *
 195ebt_get_target(struct ebt_entry *e)
 196{
 197        return (struct ebt_entry_target *)((char *)e + e->target_offset);
 198}
 199
 200/* {g,s}etsockopt numbers */
 201#define EBT_BASE_CTL            128
 202
 203#define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
 204#define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
 205#define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
 206
 207#define EBT_SO_GET_INFO         (EBT_BASE_CTL)
 208#define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
 209#define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
 210#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
 211#define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
 212
 213
 214/* blatently stolen from ip_tables.h
 215 * fn returns 0 to continue iteration */
 216#define EBT_MATCH_ITERATE(e, fn, args...)                   \
 217({                                                          \
 218        unsigned int __i;                                   \
 219        int __ret = 0;                                      \
 220        struct ebt_entry_match *__match;                    \
 221                                                            \
 222        for (__i = sizeof(struct ebt_entry);                \
 223             __i < (e)->watchers_offset;                    \
 224             __i += __match->match_size +                   \
 225             sizeof(struct ebt_entry_match)) {              \
 226                __match = (void *)(e) + __i;                \
 227                                                            \
 228                __ret = fn(__match , ## args);              \
 229                if (__ret != 0)                             \
 230                        break;                              \
 231        }                                                   \
 232        if (__ret == 0) {                                   \
 233                if (__i != (e)->watchers_offset)            \
 234                        __ret = -EINVAL;                    \
 235        }                                                   \
 236        __ret;                                              \
 237})
 238
 239#define EBT_WATCHER_ITERATE(e, fn, args...)                 \
 240({                                                          \
 241        unsigned int __i;                                   \
 242        int __ret = 0;                                      \
 243        struct ebt_entry_watcher *__watcher;                \
 244                                                            \
 245        for (__i = e->watchers_offset;                      \
 246             __i < (e)->target_offset;                      \
 247             __i += __watcher->watcher_size +               \
 248             sizeof(struct ebt_entry_watcher)) {            \
 249                __watcher = (void *)(e) + __i;              \
 250                                                            \
 251                __ret = fn(__watcher , ## args);            \
 252                if (__ret != 0)                             \
 253                        break;                              \
 254        }                                                   \
 255        if (__ret == 0) {                                   \
 256                if (__i != (e)->target_offset)              \
 257                        __ret = -EINVAL;                    \
 258        }                                                   \
 259        __ret;                                              \
 260})
 261
 262#define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
 263({                                                          \
 264        unsigned int __i;                                   \
 265        int __ret = 0;                                      \
 266        struct ebt_entry *__entry;                          \
 267                                                            \
 268        for (__i = 0; __i < (size);) {                      \
 269                __entry = (void *)(entries) + __i;          \
 270                __ret = fn(__entry , ## args);              \
 271                if (__ret != 0)                             \
 272                        break;                              \
 273                if (__entry->bitmask != 0)                  \
 274                        __i += __entry->next_offset;        \
 275                else                                        \
 276                        __i += sizeof(struct ebt_entries);  \
 277        }                                                   \
 278        if (__ret == 0) {                                   \
 279                if (__i != (size))                          \
 280                        __ret = -EINVAL;                    \
 281        }                                                   \
 282        __ret;                                              \
 283})
 284
 285#endif /* _UAPI__LINUX_BRIDGE_EFF_H */
 286