linux-bk/include/linux/netfilter_bridge/ebtables.h
<<
>>
Prefs 
   1/*
   2 *  ebtables
   3 *
   4 *      Authors:
   5 *      Bart De Schuymer                <bdschuym@pandora.be>
   6 *
   7 *  ebtables.c,v 2.0, April, 2002
   8 *
   9 *  This code is stongly inspired on the iptables code which is
  10 *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
  11 */
  12
  13#ifndef __LINUX_BRIDGE_EFF_H
  14#define __LINUX_BRIDGE_EFF_H
  15#include <linux/if.h>
  16#include <linux/netfilter_bridge.h>
  17#include <linux/if_ether.h>
  18
  19#define EBT_TABLE_MAXNAMELEN 32
  20#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
  21#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
  22
  23/* verdicts >0 are "branches" */
  24#define EBT_ACCEPT   -1
  25#define EBT_DROP     -2
  26#define EBT_CONTINUE -3
  27#define EBT_RETURN   -4
  28#define NUM_STANDARD_TARGETS   4
  29
  30struct ebt_counter
  31{
  32        uint64_t pcnt;
  33        uint64_t bcnt;
  34};
  35
  36struct ebt_replace
  37{
  38        char name[EBT_TABLE_MAXNAMELEN];
  39        unsigned int valid_hooks;
  40        /* nr of rules in the table */
  41        unsigned int nentries;
  42        /* total size of the entries */
  43        unsigned int entries_size;
  44        /* start of the chains */
  45        struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
  46        /* nr of counters userspace expects back */
  47        unsigned int num_counters;
  48        /* where the kernel will put the old counters */
  49        struct ebt_counter *counters;
  50        char *entries;
  51};
  52
  53struct ebt_entries {
  54        /* this field is always set to zero
  55         * See EBT_ENTRY_OR_ENTRIES.
  56         * Must be same size as ebt_entry.bitmask */
  57        unsigned int distinguisher;
  58        /* the chain name */
  59        char name[EBT_CHAIN_MAXNAMELEN];
  60        /* counter offset for this chain */
  61        unsigned int counter_offset;
  62        /* one standard (accept, drop, return) per hook */
  63        int policy;
  64        /* nr. of entries */
  65        unsigned int nentries;
  66        /* entry list */
  67        char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
  68};
  69
  70/* used for the bitmask of struct ebt_entry */
  71
  72/* This is a hack to make a difference between an ebt_entry struct and an
  73 * ebt_entries struct when traversing the entries from start to end.
  74 * Using this simplifies the code alot, while still being able to use
  75 * ebt_entries.
  76 * Contrary, iptables doesn't use something like ebt_entries and therefore uses
  77 * different techniques for naming the policy and such. So, iptables doesn't
  78 * need a hack like this.
  79 */
  80#define EBT_ENTRY_OR_ENTRIES 0x01
  81/* these are the normal masks */
  82#define EBT_NOPROTO 0x02
  83#define EBT_802_3 0x04
  84#define EBT_SOURCEMAC 0x08
  85#define EBT_DESTMAC 0x10
  86#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
  87   | EBT_ENTRY_OR_ENTRIES)
  88
  89#define EBT_IPROTO 0x01
  90#define EBT_IIN 0x02
  91#define EBT_IOUT 0x04
  92#define EBT_ISOURCE 0x8
  93#define EBT_IDEST 0x10
  94#define EBT_ILOGICALIN 0x20
  95#define EBT_ILOGICALOUT 0x40
  96#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
  97   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
  98
  99struct ebt_entry_match
 100{
 101        union {
 102                char name[EBT_FUNCTION_MAXNAMELEN];
 103                struct ebt_match *match;
 104        } u;
 105        /* size of data */
 106        unsigned int match_size;
 107        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 108};
 109
 110struct ebt_entry_watcher
 111{
 112        union {
 113                char name[EBT_FUNCTION_MAXNAMELEN];
 114                struct ebt_watcher *watcher;
 115        } u;
 116        /* size of data */
 117        unsigned int watcher_size;
 118        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 119};
 120
 121struct ebt_entry_target
 122{
 123        union {
 124                char name[EBT_FUNCTION_MAXNAMELEN];
 125                struct ebt_target *target;
 126        } u;
 127        /* size of data */
 128        unsigned int target_size;
 129        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 130};
 131
 132#define EBT_STANDARD_TARGET "standard"
 133struct ebt_standard_target
 134{
 135        struct ebt_entry_target target;
 136        int verdict;
 137};
 138
 139/* one entry */
 140struct ebt_entry {
 141        /* this needs to be the first field */
 142        unsigned int bitmask;
 143        unsigned int invflags;
 144        uint16_t ethproto;
 145        /* the physical in-dev */
 146        char in[IFNAMSIZ];
 147        /* the logical in-dev */
 148        char logical_in[IFNAMSIZ];
 149        /* the physical out-dev */
 150        char out[IFNAMSIZ];
 151        /* the logical out-dev */
 152        char logical_out[IFNAMSIZ];
 153        unsigned char sourcemac[ETH_ALEN];
 154        unsigned char sourcemsk[ETH_ALEN];
 155        unsigned char destmac[ETH_ALEN];
 156        unsigned char destmsk[ETH_ALEN];
 157        /* sizeof ebt_entry + matches */
 158        unsigned int watchers_offset;
 159        /* sizeof ebt_entry + matches + watchers */
 160        unsigned int target_offset;
 161        /* sizeof ebt_entry + matches + watchers + target */
 162        unsigned int next_offset;
 163        unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 164};
 165
 166/* {g,s}etsockopt numbers */
 167#define EBT_BASE_CTL            128
 168
 169#define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
 170#define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
 171#define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
 172
 173#define EBT_SO_GET_INFO         (EBT_BASE_CTL)
 174#define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
 175#define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
 176#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
 177#define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
 178
 179#ifdef __KERNEL__
 180
 181/* return values for match() functions */
 182#define EBT_MATCH 0
 183#define EBT_NOMATCH 1
 184
 185struct ebt_match
 186{
 187        struct list_head list;
 188        const char name[EBT_FUNCTION_MAXNAMELEN];
 189        /* 0 == it matches */
 190        int (*match)(const struct sk_buff *skb, const struct net_device *in,
 191           const struct net_device *out, const void *matchdata,
 192           unsigned int datalen);
 193        /* 0 == let it in */
 194        int (*check)(const char *tablename, unsigned int hookmask,
 195           const struct ebt_entry *e, void *matchdata, unsigned int datalen);
 196        void (*destroy)(void *matchdata, unsigned int datalen);
 197        struct module *me;
 198};
 199
 200struct ebt_watcher
 201{
 202        struct list_head list;
 203        const char name[EBT_FUNCTION_MAXNAMELEN];
 204        void (*watcher)(const struct sk_buff *skb, unsigned int hooknr,
 205           const struct net_device *in, const struct net_device *out,
 206           const void *watcherdata, unsigned int datalen);
 207        /* 0 == let it in */
 208        int (*check)(const char *tablename, unsigned int hookmask,
 209           const struct ebt_entry *e, void *watcherdata, unsigned int datalen);
 210        void (*destroy)(void *watcherdata, unsigned int datalen);
 211        struct module *me;
 212};
 213
 214struct ebt_target
 215{
 216        struct list_head list;
 217        const char name[EBT_FUNCTION_MAXNAMELEN];
 218        /* returns one of the standard verdicts */
 219        int (*target)(struct sk_buff **pskb, unsigned int hooknr,
 220           const struct net_device *in, const struct net_device *out,
 221           const void *targetdata, unsigned int datalen);
 222        /* 0 == let it in */
 223        int (*check)(const char *tablename, unsigned int hookmask,
 224           const struct ebt_entry *e, void *targetdata, unsigned int datalen);
 225        void (*destroy)(void *targetdata, unsigned int datalen);
 226        struct module *me;
 227};
 228
 229/* used for jumping from and into user defined chains (udc) */
 230struct ebt_chainstack
 231{
 232        struct ebt_entries *chaininfo; /* pointer to chain data */
 233        struct ebt_entry *e; /* pointer to entry data */
 234        unsigned int n; /* n'th entry */
 235};
 236
 237struct ebt_table_info
 238{
 239        /* total size of the entries */
 240        unsigned int entries_size;
 241        unsigned int nentries;
 242        /* pointers to the start of the chains */
 243        struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
 244        /* room to maintain the stack used for jumping from and into udc */
 245        struct ebt_chainstack **chainstack;
 246        char *entries;
 247        struct ebt_counter counters[0] ____cacheline_aligned;
 248};
 249
 250struct ebt_table
 251{
 252        struct list_head list;
 253        char name[EBT_TABLE_MAXNAMELEN];
 254        struct ebt_replace *table;
 255        unsigned int valid_hooks;
 256        rwlock_t lock;
 257        /* e.g. could be the table explicitly only allows certain
 258         * matches, targets, ... 0 == let it in */
 259        int (*check)(const struct ebt_table_info *info,
 260           unsigned int valid_hooks);
 261        /* the data used by the kernel */
 262        struct ebt_table_info *private;
 263        struct module *me;
 264};
 265
 266#define EBT_ALIGN(s) (((s) + (__alignof__(struct ebt_replace)-1)) & \
 267                     ~(__alignof__(struct ebt_replace)-1))
 268extern int ebt_register_table(struct ebt_table *table);
 269extern void ebt_unregister_table(struct ebt_table *table);
 270extern int ebt_register_match(struct ebt_match *match);
 271extern void ebt_unregister_match(struct ebt_match *match);
 272extern int ebt_register_watcher(struct ebt_watcher *watcher);
 273extern void ebt_unregister_watcher(struct ebt_watcher *watcher);
 274extern int ebt_register_target(struct ebt_target *target);
 275extern void ebt_unregister_target(struct ebt_target *target);
 276extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff **pskb,
 277   const struct net_device *in, const struct net_device *out,
 278   struct ebt_table *table);
 279
 280/* Used in the kernel match() functions */
 281#define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg))
 282/* True if the hook mask denotes that the rule is in a base chain,
 283 * used in the check() functions */
 284#define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS))
 285/* Clear the bit in the hook mask that tells if the rule is on a base chain */
 286#define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS))
 287/* True if the target is not a standard target */
 288#define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
 289
 290#endif /* __KERNEL__ */
 291
 292/* blatently stolen from ip_tables.h
 293 * fn returns 0 to continue iteration */
 294#define EBT_MATCH_ITERATE(e, fn, args...)                   \
 295({                                                          \
 296        unsigned int __i;                                   \
 297        int __ret = 0;                                      \
 298        struct ebt_entry_match *__match;                    \
 299                                                            \
 300        for (__i = sizeof(struct ebt_entry);                \
 301             __i < (e)->watchers_offset;                    \
 302             __i += __match->match_size +                   \
 303             sizeof(struct ebt_entry_match)) {              \
 304                __match = (void *)(e) + __i;                \
 305                                                            \
 306                __ret = fn(__match , ## args);              \
 307                if (__ret != 0)                             \
 308                        break;                              \
 309        }                                                   \
 310        if (__ret == 0) {                                   \
 311                if (__i != (e)->watchers_offset)            \
 312                        __ret = -EINVAL;                    \
 313        }                                                   \
 314        __ret;                                              \
 315})
 316
 317#define EBT_WATCHER_ITERATE(e, fn, args...)                 \
 318({                                                          \
 319        unsigned int __i;                                   \
 320        int __ret = 0;                                      \
 321        struct ebt_entry_watcher *__watcher;                \
 322                                                            \
 323        for (__i = e->watchers_offset;                      \
 324             __i < (e)->target_offset;                      \
 325             __i += __watcher->watcher_size +               \
 326             sizeof(struct ebt_entry_watcher)) {            \
 327                __watcher = (void *)(e) + __i;              \
 328                                                            \
 329                __ret = fn(__watcher , ## args);            \
 330                if (__ret != 0)                             \
 331                        break;                              \
 332        }                                                   \
 333        if (__ret == 0) {                                   \
 334                if (__i != (e)->target_offset)              \
 335                        __ret = -EINVAL;                    \
 336        }                                                   \
 337        __ret;                                              \
 338})
 339
 340#define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
 341({                                                          \
 342        unsigned int __i;                                   \
 343        int __ret = 0;                                      \
 344        struct ebt_entry *__entry;                          \
 345                                                            \
 346        for (__i = 0; __i < (size);) {                      \
 347                __entry = (void *)(entries) + __i;          \
 348                __ret = fn(__entry , ## args);              \
 349                if (__ret != 0)                             \
 350                        break;                              \
 351                if (__entry->bitmask != 0)                  \
 352                        __i += __entry->next_offset;        \
 353                else                                        \
 354                        __i += sizeof(struct ebt_entries);  \
 355        }                                                   \
 356        if (__ret == 0) {                                   \
 357                if (__i != (size))                          \
 358                        __ret = -EINVAL;                    \
 359        }                                                   \
 360        __ret;                                              \
 361})
 362
 363#endif
 364
The original LXR software by the LXR community, this experimental version by lxr@linux.no.
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.