author | David Howells <dhowells@redhat.com> | 2012-10-09 04:48:58 -0400 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2012-10-09 04:48:58 -0400 |
commit | 55c5cd3cc179eb87faa9cc2d9741047dd1642aaf (patch) | |
tree | 1f63053791d51ce418359f2f83dafcac195671ec | |
parent | 8922082ae6cd2783789e83ae9c67ffcbe5a2f4e1 (diff) |
UAPI: (Scripted) Disintegrate include/linux/netfilter_bridge
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Dave Jones <davej@redhat.com>
-rw-r--r-- | include/linux/netfilter_bridge/Kbuild | 18 | ||||
-rw-r--r-- | include/linux/netfilter_bridge/ebt_802_3.h | 61 | ||||
-rw-r--r-- | include/linux/netfilter_bridge/ebtables.h | 255 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/Kbuild | 18 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_802_3.h | 62 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_among.h (renamed from include/linux/netfilter_bridge/ebt_among.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_arp.h (renamed from include/linux/netfilter_bridge/ebt_arp.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_arpreply.h (renamed from include/linux/netfilter_bridge/ebt_arpreply.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_ip.h (renamed from include/linux/netfilter_bridge/ebt_ip.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_ip6.h (renamed from include/linux/netfilter_bridge/ebt_ip6.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_limit.h (renamed from include/linux/netfilter_bridge/ebt_limit.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_log.h (renamed from include/linux/netfilter_bridge/ebt_log.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_mark_m.h (renamed from include/linux/netfilter_bridge/ebt_mark_m.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_mark_t.h (renamed from include/linux/netfilter_bridge/ebt_mark_t.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_nat.h (renamed from include/linux/netfilter_bridge/ebt_nat.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_nflog.h (renamed from include/linux/netfilter_bridge/ebt_nflog.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_pkttype.h (renamed from include/linux/netfilter_bridge/ebt_pkttype.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_redirect.h (renamed from include/linux/netfilter_bridge/ebt_redirect.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_stp.h (renamed from include/linux/netfilter_bridge/ebt_stp.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_ulog.h (renamed from include/linux/netfilter_bridge/ebt_ulog.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_vlan.h (renamed from include/linux/netfilter_bridge/ebt_vlan.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter_bridge/ebtables.h | 268 |
22 files changed, 350 insertions, 332 deletions
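--- a/include/linux/netfilter_bridge/Kbuild
+++ b/include/linux/netfilter_bridge/Kbuild
@@ -1,18 +0,0 @@
-header-y += ebt_802_3.h
-header-y += ebt_among.h
-header-y += ebt_arp.h
-header-y += ebt_arpreply.h
-header-y += ebt_ip.h
-header-y += ebt_ip6.h
-header-y += ebt_limit.h
-header-y += ebt_log.h
-header-y += ebt_mark_m.h
-header-y += ebt_mark_t.h
-header-y += ebt_nat.h
-header-y += ebt_nflog.h
-header-y += ebt_pkttype.h
-header-y += ebt_redirect.h
-header-y += ebt_stp.h
-header-y += ebt_ulog.h
-header-y += ebt_vlan.h
-header-y += ebtables.h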
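--- a/include/linux/netfilter_bridge/ebt_802_3.h
+++ b/include/linux/netfilter_bridge/ebt_802_3.h
@@ -1,70 +1,11 @@
 #ifndef __LINUX_BRIDGE_EBT_802_3_H
 #define __LINUX_BRIDGE_EBT_802_3_H
 
-#include <linux/types.h>
-
-#define EBT_802_3_SAP 0x01
-#define EBT_802_3_TYPE 0x02
-
-#define EBT_802_3_MATCH "802_3"
-
-/*
-* If frame has DSAP/SSAP value 0xaa you must check the SNAP type
-* to discover what kind of packet we're carrying.
-*/
-#define CHECK_TYPE 0xaa
-
-/*
-* Control field may be one or two bytes. If the first byte has
-* the value 0x03 then the entire length is one byte, otherwise it is two.
-* One byte controls are used in Unnumbered Information frames.
-* Two byte controls are used in Numbered Information frames.
-*/
-#define IS_UI 0x03
-
-#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
-
-/* ui has one byte ctrl, ni has two */
-struct hdr_ui {
-__u8 dsap;
-__u8 ssap;
-__u8 ctrl;
-__u8 orig[3];
-__be16 type;
-};
-
-struct hdr_ni {
-__u8 dsap;
-__u8 ssap;
-__be16 ctrl;
-__u8 orig[3];
-__be16 type;
-};
-
-struct ebt_802_3_hdr {
-__u8 daddr[6];
-__u8 saddr[6];
-__be16 len;
-union {
-struct hdr_ui ui;
-struct hdr_ni ni;
-} llc;
-};
-
-#ifdef __KERNEL__
 #include <linux/skbuff.h>
+#include <uapi/linux/netfilter_bridge/ebt_802_3.h>
 
 static inline struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb)
 {
 return (struct ebt_802_3_hdr *)skb_mac_header(skb);
 }
 #endif
-
-struct ebt_802_3_info {
-__u8 sap;
-__be16 type;
-__u8 bitmask;
-__u8 invflags;
-};
-
-#endif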
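Review bot: `ebt_802_3_hdr()` on new lines 7-10 carries no comment about what the caller must guarantee before dereferencing the result; it casts `skb_mac_header(skb)` directly to `struct ebt_802_3_hdr *` and performs no length check of its own. The helper is unchanged by this commit, but it is now the only content of the kernel-side header, so this is the natural place for the contract: `/* Caller must ensure the MAC header is set and that sizeof(struct ebt_802_3_hdr) bytes of it are readable. */`. Whether the existing callers already validate the frame length is not visible on this page.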
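--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -9,191 +9,11 @@
 * This code is stongly inspired on the iptables code which is
 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
 */
-
 #ifndef __LINUX_BRIDGE_EFF_H
 #define __LINUX_BRIDGE_EFF_H
-#include <linux/if.h>
-#include <linux/netfilter_bridge.h>
-#include <linux/if_ether.h>
-
-#define EBT_TABLE_MAXNAMELEN 32
-#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
-#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
-
-/* verdicts >0 are "branches" */
-#define EBT_ACCEPT -1
-#define EBT_DROP -2
-#define EBT_CONTINUE -3
-#define EBT_RETURN -4
-#define NUM_STANDARD_TARGETS 4
-/* ebtables target modules store the verdict inside an int. We can
-* reclaim a part of this int for backwards compatible extensions.
-* The 4 lsb are more than enough to store the verdict. */
-#define EBT_VERDICT_BITS 0x0000000F
-
-struct xt_match;
-struct xt_target;
-
-struct ebt_counter {
-uint64_t pcnt;
-uint64_t bcnt;
-};
 
-struct ebt_replace {
-char name[EBT_TABLE_MAXNAMELEN];
-unsigned int valid_hooks;
-/* nr of rules in the table */
-unsigned int nentries;
-/* total size of the entries */
-unsigned int entries_size;
-/* start of the chains */
-struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
-/* nr of counters userspace expects back */
-unsigned int num_counters;
-/* where the kernel will put the old counters */
-struct ebt_counter __user *counters;
-char __user *entries;
-};
+#include <uapi/linux/netfilter_bridge/ebtables.h>
 
-struct ebt_replace_kernel {
-char name[EBT_TABLE_MAXNAMELEN];
-unsigned int valid_hooks;
-/* nr of rules in the table */
-unsigned int nentries;
-/* total size of the entries */
-unsigned int entries_size;
-/* start of the chains */
-struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
-/* nr of counters userspace expects back */
-unsigned int num_counters;
-/* where the kernel will put the old counters */
-struct ebt_counter *counters;
-char *entries;
-};
-
-struct ebt_entries {
-/* this field is always set to zero
-* See EBT_ENTRY_OR_ENTRIES.
-* Must be same size as ebt_entry.bitmask */
-unsigned int distinguisher;
-/* the chain name */
-char name[EBT_CHAIN_MAXNAMELEN];
-/* counter offset for this chain */
-unsigned int counter_offset;
-/* one standard (accept, drop, return) per hook */
-int policy;
-/* nr. of entries */
-unsigned int nentries;
-/* entry list */
-char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-/* used for the bitmask of struct ebt_entry */
-
-/* This is a hack to make a difference between an ebt_entry struct and an
-* ebt_entries struct when traversing the entries from start to end.
-* Using this simplifies the code a lot, while still being able to use
-* ebt_entries.
-* Contrary, iptables doesn't use something like ebt_entries and therefore uses
-* different techniques for naming the policy and such. So, iptables doesn't
-* need a hack like this.
-*/
-#define EBT_ENTRY_OR_ENTRIES 0x01
-/* these are the normal masks */
-#define EBT_NOPROTO 0x02
-#define EBT_802_3 0x04
-#define EBT_SOURCEMAC 0x08
-#define EBT_DESTMAC 0x10
-#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
-| EBT_ENTRY_OR_ENTRIES)
-
-#define EBT_IPROTO 0x01
-#define EBT_IIN 0x02
-#define EBT_IOUT 0x04
-#define EBT_ISOURCE 0x8
-#define EBT_IDEST 0x10
-#define EBT_ILOGICALIN 0x20
-#define EBT_ILOGICALOUT 0x40
-#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
-| EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
-
-struct ebt_entry_match {
-union {
-char name[EBT_FUNCTION_MAXNAMELEN];
-struct xt_match *match;
-} u;
-/* size of data */
-unsigned int match_size;
-unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-struct ebt_entry_watcher {
-union {
-char name[EBT_FUNCTION_MAXNAMELEN];
-struct xt_target *watcher;
-} u;
-/* size of data */
-unsigned int watcher_size;
-unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-struct ebt_entry_target {
-union {
-char name[EBT_FUNCTION_MAXNAMELEN];
-struct xt_target *target;
-} u;
-/* size of data */
-unsigned int target_size;
-unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-#define EBT_STANDARD_TARGET "standard"
-struct ebt_standard_target {
-struct ebt_entry_target target;
-int verdict;
-};
-
-/* one entry */
-struct ebt_entry {
-/* this needs to be the first field */
-unsigned int bitmask;
-unsigned int invflags;
-__be16 ethproto;
-/* the physical in-dev */
-char in[IFNAMSIZ];
-/* the logical in-dev */
-char logical_in[IFNAMSIZ];
-/* the physical out-dev */
-char out[IFNAMSIZ];
-/* the logical out-dev */
-char logical_out[IFNAMSIZ];
-unsigned char sourcemac[ETH_ALEN];
-unsigned char sourcemsk[ETH_ALEN];
-unsigned char destmac[ETH_ALEN];
-unsigned char destmsk[ETH_ALEN];
-/* sizeof ebt_entry + matches */
-unsigned int watchers_offset;
-/* sizeof ebt_entry + matches + watchers */
-unsigned int target_offset;
-/* sizeof ebt_entry + matches + watchers + target */
-unsigned int next_offset;
-unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-/* {g,s}etsockopt numbers */
-#define EBT_BASE_CTL 128
-
-#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
-#define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1)
-#define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1)
-
-#define EBT_SO_GET_INFO (EBT_BASE_CTL)
-#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1)
-#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1)
-#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
-#define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1)
-
-#ifdef __KERNEL__
 
 /* return values for match() functions */
 #define EBT_MATCH 0
@@ -304,77 +124,4 @@ extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
 /* True if the target is not a standard target */
 #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
 
-#endif /* __KERNEL__ */
-
-/* blatently stolen from ip_tables.h
-* fn returns 0 to continue iteration */
-#define EBT_MATCH_ITERATE(e, fn, args...) \
-({ \
-unsigned int __i; \
-int __ret = 0; \
-struct ebt_entry_match *__match; \
-\
-for (__i = sizeof(struct ebt_entry); \
-__i < (e)->watchers_offset; \
-__i += __match->match_size + \
-sizeof(struct ebt_entry_match)) { \
-__match = (void *)(e) + __i; \
-\
-__ret = fn(__match , ## args); \
-if (__ret != 0) \
-break; \
-} \
-if (__ret == 0) { \
-if (__i != (e)->watchers_offset) \
-__ret = -EINVAL; \
-} \
-__ret; \
-})
-
-#define EBT_WATCHER_ITERATE(e, fn, args...) \
-({ \
-unsigned int __i; \
-int __ret = 0; \
-struct ebt_entry_watcher *__watcher; \
-\
-for (__i = e->watchers_offset; \
-__i < (e)->target_offset; \
-__i += __watcher->watcher_size + \
-sizeof(struct ebt_entry_watcher)) { \
-__watcher = (void *)(e) + __i; \
-\
-__ret = fn(__watcher , ## args); \
-if (__ret != 0) \
-break; \
-} \
-if (__ret == 0) { \
-if (__i != (e)->target_offset) \
-__ret = -EINVAL; \
-} \
-__ret; \
-})
-
-#define EBT_ENTRY_ITERATE(entries, size, fn, args...) \
-({ \
-unsigned int __i; \
-int __ret = 0; \
-struct ebt_entry *__entry; \
-\
-for (__i = 0; __i < (size);) { \
-__entry = (void *)(entries) + __i; \
-__ret = fn(__entry , ## args); \
-if (__ret != 0) \
-break; \
-if (__entry->bitmask != 0) \
-__i += __entry->next_offset; \
-else \
-__i += sizeof(struct ebt_entries); \
-} \
-if (__ret == 0) { \
-if (__i != (size)) \
-__ret = -EINVAL; \
-} \
-__ret; \
-})
-
 #endif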
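Review bot: `INVALID_TARGET` on new line 125 expands to an expression over a variable named `info` that must already exist in the caller's scope, and the existing one-line comment does not say so. Because this check decides whether a verdict value counts as a standard target, the dependency deserves a comment such as `/* Expects a local 'info' whose ->target holds the verdict to validate. */`; taking the pointer as a macro parameter would be cleaner but would touch every user, which are not shown here. `NUM_STANDARD_TARGETS` is now supplied by the UAPI header included at new line 15. The macro is context in the second hunk, and the kernel-only block around it continues outside the hunks.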
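--- a/include/uapi/linux/netfilter_bridge/Kbuild
+++ b/include/uapi/linux/netfilter_bridge/Kbuild
@@ -1 +1,19 @@
 # UAPI Header export list
+header-y += ebt_802_3.h
+header-y += ebt_among.h
+header-y += ebt_arp.h
+header-y += ebt_arpreply.h
+header-y += ebt_ip.h
+header-y += ebt_ip6.h
+header-y += ebt_limit.h
+header-y += ebt_log.h
+header-y += ebt_mark_m.h
+header-y += ebt_mark_t.h
+header-y += ebt_nat.h
+header-y += ebt_nflog.h
+header-y += ebt_pkttype.h
+header-y += ebt_redirect.h
+header-y += ebt_stp.h
+header-y += ebt_ulog.h
+header-y += ebt_vlan.h
+header-y += ebtables.h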
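--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
@@ -0,0 +1,62 @@
+#ifndef _UAPI__LINUX_BRIDGE_EBT_802_3_H
+#define _UAPI__LINUX_BRIDGE_EBT_802_3_H
+
+#include <linux/types.h>
+
+#define EBT_802_3_SAP 0x01
+#define EBT_802_3_TYPE 0x02
+
+#define EBT_802_3_MATCH "802_3"
+
+/*
+* If frame has DSAP/SSAP value 0xaa you must check the SNAP type
+* to discover what kind of packet we're carrying.
+*/
+#define CHECK_TYPE 0xaa
+
+/*
+* Control field may be one or two bytes. If the first byte has
+* the value 0x03 then the entire length is one byte, otherwise it is two.
+* One byte controls are used in Unnumbered Information frames.
+* Two byte controls are used in Numbered Information frames.
+*/
+#define IS_UI 0x03
+
+#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
+
+/* ui has one byte ctrl, ni has two */
+struct hdr_ui {
+__u8 dsap;
+__u8 ssap;
+__u8 ctrl;
+__u8 orig[3];
+__be16 type;
+};
+
+struct hdr_ni {
+__u8 dsap;
+__u8 ssap;
+__be16 ctrl;
+__u8 orig[3];
+__be16 type;
+};
+
+struct ebt_802_3_hdr {
+__u8 daddr[6];
+__u8 saddr[6];
+__be16 len;
+union {
+struct hdr_ui ui;
+struct hdr_ni ni;
+} llc;
+};
+
+
+struct ebt_802_3_info {
+__u8 sap;
+__be16 type;
+__u8 bitmask;
+__u8 invflags;
+};
+
+#endif /* _UAPI__LINUX_BRIDGE_EBT_802_3_H */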
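Review bot: `EBT_802_3_MASK` on new line 25 uses `EBT_802_3`, which this header never defines; in this commit it is defined in the UAPI `ebtables.h`, while the only include here is `<linux/types.h>`. A program that includes this header on its own and uses the mask will not compile, so the header is not self-contained; adding `#include <linux/netfilter_bridge/ebtables.h>` after the `<linux/types.h>` line would fix that. The two consecutive blank lines at 53-54 appear to be what remains of the removed `#ifdef __KERNEL__` block and could be collapsed to one.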
diff --git a/include/linux/netfilter_bridge/ebt_among.h b/include/uapi/linux/netfilter_bridge/ebt_among.h index bd4e3ad0b706..bd4e3ad0b706 100644 --- a/include/linux/netfilter_bridge/ebt_among.h +++ b/include/uapi/linux/netfilter_bridge/ebt_among.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_arp.h b/include/uapi/linux/netfilter_bridge/ebt_arp.h index 522f3e427f49..522f3e427f49 100644 --- a/include/linux/netfilter_bridge/ebt_arp.h +++ b/include/uapi/linux/netfilter_bridge/ebt_arp.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_arpreply.h b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h index 7e77896e1fbf..7e77896e1fbf 100644 --- a/include/linux/netfilter_bridge/ebt_arpreply.h +++ b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_ip.h b/include/uapi/linux/netfilter_bridge/ebt_ip.h index c4bbc41b0ea4..c4bbc41b0ea4 100644 --- a/include/linux/netfilter_bridge/ebt_ip.h +++ b/include/uapi/linux/netfilter_bridge/ebt_ip.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_ip6.h b/include/uapi/linux/netfilter_bridge/ebt_ip6.h index 42b889682721..42b889682721 100644 --- a/include/linux/netfilter_bridge/ebt_ip6.h +++ b/include/uapi/linux/netfilter_bridge/ebt_ip6.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_limit.h b/include/uapi/linux/netfilter_bridge/ebt_limit.h index 66d80b30ba0e..66d80b30ba0e 100644 --- a/include/linux/netfilter_bridge/ebt_limit.h +++ b/include/uapi/linux/netfilter_bridge/ebt_limit.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_log.h b/include/uapi/linux/netfilter_bridge/ebt_log.h index 7e7f1d1fe494..7e7f1d1fe494 100644 --- a/include/linux/netfilter_bridge/ebt_log.h +++ b/include/uapi/linux/netfilter_bridge/ebt_log.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_mark_m.h b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h index 410f9e5a71d4..410f9e5a71d4 100644 --- a/include/linux/netfilter_bridge/ebt_mark_m.h +++ b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_mark_t.h b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h index 7d5a268a4311..7d5a268a4311 100644 --- a/include/linux/netfilter_bridge/ebt_mark_t.h +++ b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_nat.h b/include/uapi/linux/netfilter_bridge/ebt_nat.h index 5e74e3b03bd6..5e74e3b03bd6 100644 --- a/include/linux/netfilter_bridge/ebt_nat.h +++ b/include/uapi/linux/netfilter_bridge/ebt_nat.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_nflog.h b/include/uapi/linux/netfilter_bridge/ebt_nflog.h index df829fce9125..df829fce9125 100644 --- a/include/linux/netfilter_bridge/ebt_nflog.h +++ b/include/uapi/linux/netfilter_bridge/ebt_nflog.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_pkttype.h b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h index c241badcd036..c241badcd036 100644 --- a/include/linux/netfilter_bridge/ebt_pkttype.h +++ b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_redirect.h b/include/uapi/linux/netfilter_bridge/ebt_redirect.h index dd9622ce8488..dd9622ce8488 100644 --- a/include/linux/netfilter_bridge/ebt_redirect.h +++ b/include/uapi/linux/netfilter_bridge/ebt_redirect.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_stp.h b/include/uapi/linux/netfilter_bridge/ebt_stp.h index 1025b9f5fb7d..1025b9f5fb7d 100644 --- a/include/linux/netfilter_bridge/ebt_stp.h +++ b/include/uapi/linux/netfilter_bridge/ebt_stp.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_ulog.h b/include/uapi/linux/netfilter_bridge/ebt_ulog.h index 89a6becb5269..89a6becb5269 100644 --- a/include/linux/netfilter_bridge/ebt_ulog.h +++ b/include/uapi/linux/netfilter_bridge/ebt_ulog.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_vlan.h b/include/uapi/linux/netfilter_bridge/ebt_vlan.h index 967d1d5cf98d..967d1d5cf98d 100644 --- a/include/linux/netfilter_bridge/ebt_vlan.h +++ b/include/uapi/linux/netfilter_bridge/ebt_vlan.h | |||
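--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebtables.h
@@ -0,0 +1,268 @@
+/*
+* ebtables
+*
+* Authors:
+* Bart De Schuymer <bdschuym@pandora.be>
+*
+* ebtables.c,v 2.0, April, 2002
+*
+* This code is stongly inspired on the iptables code which is
+* Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
+*/
+
+#ifndef _UAPI__LINUX_BRIDGE_EFF_H
+#define _UAPI__LINUX_BRIDGE_EFF_H
+#include <linux/if.h>
+#include <linux/netfilter_bridge.h>
+#include <linux/if_ether.h>
+
+#define EBT_TABLE_MAXNAMELEN 32
+#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
+#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
+
+/* verdicts >0 are "branches" */
+#define EBT_ACCEPT -1
+#define EBT_DROP -2
+#define EBT_CONTINUE -3
+#define EBT_RETURN -4
+#define NUM_STANDARD_TARGETS 4
+/* ebtables target modules store the verdict inside an int. We can
+* reclaim a part of this int for backwards compatible extensions.
+* The 4 lsb are more than enough to store the verdict. */
+#define EBT_VERDICT_BITS 0x0000000F
+
+struct xt_match;
+struct xt_target;
+
+struct ebt_counter {
+uint64_t pcnt;
+uint64_t bcnt;
+};
+
+struct ebt_replace {
+char name[EBT_TABLE_MAXNAMELEN];
+unsigned int valid_hooks;
+/* nr of rules in the table */
+unsigned int nentries;
+/* total size of the entries */
+unsigned int entries_size;
+/* start of the chains */
+struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
+/* nr of counters userspace expects back */
+unsigned int num_counters;
+/* where the kernel will put the old counters */
+struct ebt_counter __user *counters;
+char __user *entries;
+};
+
+struct ebt_replace_kernel {
+char name[EBT_TABLE_MAXNAMELEN];
+unsigned int valid_hooks;
+/* nr of rules in the table */
+unsigned int nentries;
+/* total size of the entries */
+unsigned int entries_size;
+/* start of the chains */
+struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
+/* nr of counters userspace expects back */
+unsigned int num_counters;
+/* where the kernel will put the old counters */
+struct ebt_counter *counters;
+char *entries;
+};
+
+struct ebt_entries {
+/* this field is always set to zero
+* See EBT_ENTRY_OR_ENTRIES.
+* Must be same size as ebt_entry.bitmask */
+unsigned int distinguisher;
+/* the chain name */
+char name[EBT_CHAIN_MAXNAMELEN];
+/* counter offset for this chain */
+unsigned int counter_offset;
+/* one standard (accept, drop, return) per hook */
+int policy;
+/* nr. of entries */
+unsigned int nentries;
+/* entry list */
+char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+/* used for the bitmask of struct ebt_entry */
+
+/* This is a hack to make a difference between an ebt_entry struct and an
+* ebt_entries struct when traversing the entries from start to end.
+* Using this simplifies the code a lot, while still being able to use
+* ebt_entries.
+* Contrary, iptables doesn't use something like ebt_entries and therefore uses
+* different techniques for naming the policy and such. So, iptables doesn't
+* need a hack like this.
+*/
+#define EBT_ENTRY_OR_ENTRIES 0x01
+/* these are the normal masks */
+#define EBT_NOPROTO 0x02
+#define EBT_802_3 0x04
+#define EBT_SOURCEMAC 0x08
+#define EBT_DESTMAC 0x10
+#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
+| EBT_ENTRY_OR_ENTRIES)
+
+#define EBT_IPROTO 0x01
+#define EBT_IIN 0x02
+#define EBT_IOUT 0x04
+#define EBT_ISOURCE 0x8
+#define EBT_IDEST 0x10
+#define EBT_ILOGICALIN 0x20
+#define EBT_ILOGICALOUT 0x40
+#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
+| EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
+
+struct ebt_entry_match {
+union {
+char name[EBT_FUNCTION_MAXNAMELEN];
+struct xt_match *match;
+} u;
+/* size of data */
+unsigned int match_size;
+unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+struct ebt_entry_watcher {
+union {
+char name[EBT_FUNCTION_MAXNAMELEN];
+struct xt_target *watcher;
+} u;
+/* size of data */
+unsigned int watcher_size;
+unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+struct ebt_entry_target {
+union {
+char name[EBT_FUNCTION_MAXNAMELEN];
+struct xt_target *target;
+} u;
+/* size of data */
+unsigned int target_size;
+unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+#define EBT_STANDARD_TARGET "standard"
+struct ebt_standard_target {
+struct ebt_entry_target target;
+int verdict;
+};
+
+/* one entry */
+struct ebt_entry {
+/* this needs to be the first field */
+unsigned int bitmask;
+unsigned int invflags;
+__be16 ethproto;
+/* the physical in-dev */
+char in[IFNAMSIZ];
+/* the logical in-dev */
+char logical_in[IFNAMSIZ];
+/* the physical out-dev */
+char out[IFNAMSIZ];
+/* the logical out-dev */
+char logical_out[IFNAMSIZ];
+unsigned char sourcemac[ETH_ALEN];
+unsigned char sourcemsk[ETH_ALEN];
+unsigned char destmac[ETH_ALEN];
+unsigned char destmsk[ETH_ALEN];
+/* sizeof ebt_entry + matches */
+unsigned int watchers_offset;
+/* sizeof ebt_entry + matches + watchers */
+unsigned int target_offset;
+/* sizeof ebt_entry + matches + watchers + target */
+unsigned int next_offset;
+unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+/* {g,s}etsockopt numbers */
+#define EBT_BASE_CTL 128
+
+#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
+#define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1)
+#define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1)
+
+#define EBT_SO_GET_INFO (EBT_BASE_CTL)
+#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1)
+#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1)
+#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
+#define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1)
+
+
+/* blatently stolen from ip_tables.h
+* fn returns 0 to continue iteration */
+#define EBT_MATCH_ITERATE(e, fn, args...) \
+({ \
+unsigned int __i; \
+int __ret = 0; \
+struct ebt_entry_match *__match; \
+\
+for (__i = sizeof(struct ebt_entry); \
+__i < (e)->watchers_offset; \
+__i += __match->match_size + \
+sizeof(struct ebt_entry_match)) { \
+__match = (void *)(e) + __i; \
+\
+__ret = fn(__match , ## args); \
+if (__ret != 0) \
+break; \
+} \
+if (__ret == 0) { \
+if (__i != (e)->watchers_offset) \
+__ret = -EINVAL; \
+} \
+__ret; \
+})
+
+#define EBT_WATCHER_ITERATE(e, fn, args...) \
+({ \
+unsigned int __i; \
+int __ret = 0; \
+struct ebt_entry_watcher *__watcher; \
+\
+for (__i = e->watchers_offset; \
+__i < (e)->target_offset; \
+__i += __watcher->watcher_size + \
+sizeof(struct ebt_entry_watcher)) { \
+__watcher = (void *)(e) + __i; \
+\
+__ret = fn(__watcher , ## args); \
+if (__ret != 0) \
+break; \
+} \
+if (__ret == 0) { \
+if (__i != (e)->target_offset) \
+__ret = -EINVAL; \
+} \
+__ret; \
+})
+
+#define EBT_ENTRY_ITERATE(entries, size, fn, args...) \
+({ \
+unsigned int __i; \
+int __ret = 0; \
+struct ebt_entry *__entry; \
+\
+for (__i = 0; __i < (size);) { \
+__entry = (void *)(entries) + __i; \
+__ret = fn(__entry , ## args); \
+if (__ret != 0) \
+break; \
+if (__entry->bitmask != 0) \
+__i += __entry->next_offset; \
+else \
+__i += sizeof(struct ebt_entries); \
+} \
+if (__ret == 0) { \
+if (__i != (size)) \
+__ret = -EINVAL; \
+} \
+__ret; \
+})
+
+#endif /* _UAPI__LINUX_BRIDGE_EFF_H */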
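Review bot: `EBT_MATCH_ITERATE`, `EBT_WATCHER_ITERATE` and `EBT_ENTRY_ITERATE` (new lines 199-266) step through the entry blob using `match_size`, `watcher_size` and `next_offset` read from the blob itself and only compare the final offset with the expected end, so they are safe only on a table whose sizes and offsets were already checked against the buffer length. The comment at line 197 should state that precondition, for example `/* These iterators do no bounds checking: validate every offset and size against the blob length first. */`. Line 228 also writes `e->watchers_offset` where every other use is `(e)->...`, and should read `for (__i = (e)->watchers_offset; \`. The macros rely on `EINVAL` and `struct ebt_counter` on `uint64_t`; whether the three includes at lines 15-17 provide both to a userspace build is not visible here and is worth confirming.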