UAPI: (Scripted) Disintegrate include/linux/netfilter_bridge

Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Dave Jones <davej@redhat.com>
author: David Howells <dhowells@redhat.com> 2012-10-09 04:48:58 -0400
committer: David Howells <dhowells@redhat.com> 2012-10-09 04:48:58 -0400
commit: 55c5cd3cc179eb87faa9cc2d9741047dd1642aaf (patch)
tree: 1f63053791d51ce418359f2f83dafcac195671ec
parent: 8922082ae6cd2783789e83ae9c67ffcbe5a2f4e1 (diff)
22 files changed, 350 insertions, 332 deletions
diff --git a/include/linux/netfilter_bridge/Kbuild b/include/linux/netfilter_bridge/Kbuild
index e48f1a3f5a4a..e69de29bb2d1 100644
--- a/include/linux/netfilter_bridge/Kbuild
+++ b/include/linux/netfilter_bridge/Kbuild
@@ -1,18 +0,0 @@
-header-y += ebt_802_3.h
-header-y += ebt_among.h
-header-y += ebt_arp.h
-header-y += ebt_arpreply.h
-header-y += ebt_ip.h
-header-y += ebt_ip6.h
-header-y += ebt_limit.h
-header-y += ebt_log.h
-header-y += ebt_mark_m.h
-header-y += ebt_mark_t.h
-header-y += ebt_nat.h
-header-y += ebt_nflog.h
-header-y += ebt_pkttype.h
-header-y += ebt_redirect.h
-header-y += ebt_stp.h
-header-y += ebt_ulog.h
-header-y += ebt_vlan.h
-header-y += ebtables.h
diff --git a/include/linux/netfilter_bridge/ebt_802_3.h b/include/linux/netfilter_bridge/ebt_802_3.h
index be5be1577a56..e17e8bfb4e8b 100644
--- a/include/linux/netfilter_bridge/ebt_802_3.h
+++ b/include/linux/netfilter_bridge/ebt_802_3.h
@@ -1,70 +1,11 @@
 #ifndef __LINUX_BRIDGE_EBT_802_3_H
 #define __LINUX_BRIDGE_EBT_802_3_H
-#include <linux/types.h>
-#define EBT_802_3_SAP 0x01
-#define EBT_802_3_TYPE 0x02
-#define EBT_802_3_MATCH "802_3"
-/*
- * If frame has DSAP/SSAP value 0xaa you must check the SNAP type
- * to discover what kind of packet we're carrying. 
- */
-#define CHECK_TYPE 0xaa
-/*
- * Control field may be one or two bytes.  If the first byte has
- * the value 0x03 then the entire length is one byte, otherwise it is two.
- * One byte controls are used in Unnumbered Information frames.
- * Two byte controls are used in Numbered Information frames.
- */
-#define IS_UI 0x03
-#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
-/* ui has one byte ctrl, ni has two */
-struct hdr_ui {
-        __u8 dsap;
-        __u8 ssap;
-        __u8 ctrl;
-        __u8 orig[3];
-        __be16 type;
-};
-struct hdr_ni {
-        __u8 dsap;
-        __u8 ssap;
-        __be16 ctrl;
-        __u8  orig[3];
-        __be16 type;
-};
-struct ebt_802_3_hdr {
-        __u8  daddr[6];
-        __u8  saddr[6];
-        __be16 len;
-        union {
-                struct hdr_ui ui;
-                struct hdr_ni ni;
-        } llc;
-};
-#ifdef __KERNEL__
 #include <linux/skbuff.h>
+#include <uapi/linux/netfilter_bridge/ebt_802_3.h>
 static inline struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb)
 {
        return (struct ebt_802_3_hdr *)skb_mac_header(skb);
 }
 #endif
-struct ebt_802_3_info {
-        __u8  sap;
-        __be16 type;
-        __u8  bitmask;
-        __u8  invflags;
-};
-#endif
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index 4dd5bd6994a8..34e7a2b7f867 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -9,191 +9,11 @@
 *  This code is stongly inspired on the iptables code which is
 *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
 */
 #ifndef __LINUX_BRIDGE_EFF_H
 #define __LINUX_BRIDGE_EFF_H
-#include <linux/if.h>
-#include <linux/netfilter_bridge.h>
-#include <linux/if_ether.h>
-#define EBT_TABLE_MAXNAMELEN 32
-#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
-#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
-/* verdicts >0 are "branches" */
-#define EBT_ACCEPT   -1
-#define EBT_DROP     -2
-#define EBT_CONTINUE -3
-#define EBT_RETURN   -4
-#define NUM_STANDARD_TARGETS   4
-/* ebtables target modules store the verdict inside an int. We can
- * reclaim a part of this int for backwards compatible extensions.
- * The 4 lsb are more than enough to store the verdict. */
-#define EBT_VERDICT_BITS 0x0000000F
-struct xt_match;
-struct xt_target;
-struct ebt_counter {
-        uint64_t pcnt;
-        uint64_t bcnt;
-};
-struct ebt_replace {
+#include <uapi/linux/netfilter_bridge/ebtables.h>
-        char name[EBT_TABLE_MAXNAMELEN];
-        unsigned int valid_hooks;
-        /* nr of rules in the table */
-        unsigned int nentries;
-        /* total size of the entries */
-        unsigned int entries_size;
-        /* start of the chains */
-        struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
-        /* nr of counters userspace expects back */
-        unsigned int num_counters;
-        /* where the kernel will put the old counters */
-        struct ebt_counter __user *counters;
-        char __user *entries;
-};
-struct ebt_replace_kernel {
-        char name[EBT_TABLE_MAXNAMELEN];
-        unsigned int valid_hooks;
-        /* nr of rules in the table */
-        unsigned int nentries;
-        /* total size of the entries */
-        unsigned int entries_size;
-        /* start of the chains */
-        struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
-        /* nr of counters userspace expects back */
-        unsigned int num_counters;
-        /* where the kernel will put the old counters */
-        struct ebt_counter *counters;
-        char *entries;
-};
-struct ebt_entries {
-        /* this field is always set to zero
-         * See EBT_ENTRY_OR_ENTRIES.
-         * Must be same size as ebt_entry.bitmask */
-        unsigned int distinguisher;
-        /* the chain name */
-        char name[EBT_CHAIN_MAXNAMELEN];
-        /* counter offset for this chain */
-        unsigned int counter_offset;
-        /* one standard (accept, drop, return) per hook */
-        int policy;
-        /* nr. of entries */
-        unsigned int nentries;
-        /* entry list */
-        char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-/* used for the bitmask of struct ebt_entry */
-/* This is a hack to make a difference between an ebt_entry struct and an
- * ebt_entries struct when traversing the entries from start to end.
- * Using this simplifies the code a lot, while still being able to use
- * ebt_entries.
- * Contrary, iptables doesn't use something like ebt_entries and therefore uses
- * different techniques for naming the policy and such. So, iptables doesn't
- * need a hack like this.
- */
-#define EBT_ENTRY_OR_ENTRIES 0x01
-/* these are the normal masks */
-#define EBT_NOPROTO 0x02
-#define EBT_802_3 0x04
-#define EBT_SOURCEMAC 0x08
-#define EBT_DESTMAC 0x10
-#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
-   | EBT_ENTRY_OR_ENTRIES)
-#define EBT_IPROTO 0x01
-#define EBT_IIN 0x02
-#define EBT_IOUT 0x04
-#define EBT_ISOURCE 0x8
-#define EBT_IDEST 0x10
-#define EBT_ILOGICALIN 0x20
-#define EBT_ILOGICALOUT 0x40
-#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
-   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
-struct ebt_entry_match {
-        union {
-                char name[EBT_FUNCTION_MAXNAMELEN];
-                struct xt_match *match;
-        } u;
-        /* size of data */
-        unsigned int match_size;
-        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-struct ebt_entry_watcher {
-        union {
-                char name[EBT_FUNCTION_MAXNAMELEN];
-                struct xt_target *watcher;
-        } u;
-        /* size of data */
-        unsigned int watcher_size;
-        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-struct ebt_entry_target {
-        union {
-                char name[EBT_FUNCTION_MAXNAMELEN];
-                struct xt_target *target;
-        } u;
-        /* size of data */
-        unsigned int target_size;
-        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-#define EBT_STANDARD_TARGET "standard"
-struct ebt_standard_target {
-        struct ebt_entry_target target;
-        int verdict;
-};
-/* one entry */
-struct ebt_entry {
-        /* this needs to be the first field */
-        unsigned int bitmask;
-        unsigned int invflags;
-        __be16 ethproto;
-        /* the physical in-dev */
-        char in[IFNAMSIZ];
-        /* the logical in-dev */
-        char logical_in[IFNAMSIZ];
-        /* the physical out-dev */
-        char out[IFNAMSIZ];
-        /* the logical out-dev */
-        char logical_out[IFNAMSIZ];
-        unsigned char sourcemac[ETH_ALEN];
-        unsigned char sourcemsk[ETH_ALEN];
-        unsigned char destmac[ETH_ALEN];
-        unsigned char destmsk[ETH_ALEN];
-        /* sizeof ebt_entry + matches */
-        unsigned int watchers_offset;
-        /* sizeof ebt_entry + matches + watchers */
-        unsigned int target_offset;
-        /* sizeof ebt_entry + matches + watchers + target */
-        unsigned int next_offset;
-        unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-/* {g,s}etsockopt numbers */
-#define EBT_BASE_CTL            128
-#define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
-#define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
-#define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
-#define EBT_SO_GET_INFO         (EBT_BASE_CTL)
-#define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
-#define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
-#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
-#define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
-#ifdef __KERNEL__
 /* return values for match() functions */
 #define EBT_MATCH 0
@@ -304,77 +124,4 @@ extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
 /* True if the target is not a standard target */
 #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
-#endif /* __KERNEL__ */
-/* blatently stolen from ip_tables.h
- * fn returns 0 to continue iteration */
-#define EBT_MATCH_ITERATE(e, fn, args...)                   \
-({                                                          \
-        unsigned int __i;                                   \
-        int __ret = 0;                                      \
-        struct ebt_entry_match *__match;                    \
-                                                            \
-        for (__i = sizeof(struct ebt_entry);                \
-             __i < (e)->watchers_offset;                    \
-             __i += __match->match_size +                   \
-             sizeof(struct ebt_entry_match)) {              \
-                __match = (void *)(e) + __i;                \
-                                                            \
-                __ret = fn(__match , ## args);              \
-                if (__ret != 0)                             \
-                        break;                              \
-        }                                                   \
-        if (__ret == 0) {                                   \
-                if (__i != (e)->watchers_offset)            \
-                        __ret = -EINVAL;                    \
-        }                                                   \
-        __ret;                                              \
-})
-#define EBT_WATCHER_ITERATE(e, fn, args...)                 \
-({                                                          \
-        unsigned int __i;                                   \
-        int __ret = 0;                                      \
-        struct ebt_entry_watcher *__watcher;                \
-                                                            \
-        for (__i = e->watchers_offset;                      \
-             __i < (e)->target_offset;                      \
-             __i += __watcher->watcher_size +               \
-             sizeof(struct ebt_entry_watcher)) {            \
-                __watcher = (void *)(e) + __i;              \
-                                                            \
-                __ret = fn(__watcher , ## args);            \
-                if (__ret != 0)                             \
-                        break;                              \
-        }                                                   \
-        if (__ret == 0) {                                   \
-                if (__i != (e)->target_offset)              \
-                        __ret = -EINVAL;                    \
-        }                                                   \
-        __ret;                                              \
-})
-#define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
-({                                                          \
-        unsigned int __i;                                   \
-        int __ret = 0;                                      \
-        struct ebt_entry *__entry;                          \
-                                                            \
-        for (__i = 0; __i < (size);) {                      \
-                __entry = (void *)(entries) + __i;          \
-                __ret = fn(__entry , ## args);              \
-                if (__ret != 0)                             \
-                        break;                              \
-                if (__entry->bitmask != 0)                  \
-                        __i += __entry->next_offset;        \
-                else                                        \
-                        __i += sizeof(struct ebt_entries);  \
-        }                                                   \
-        if (__ret == 0) {                                   \
-                if (__i != (size))                          \
-                        __ret = -EINVAL;                    \
-        }                                                   \
-        __ret;                                              \
-})
 #endif
diff --git a/include/uapi/linux/netfilter_bridge/Kbuild b/include/uapi/linux/netfilter_bridge/Kbuild
index aafaa5aa54d4..348717c3a22f 100644
--- a/include/uapi/linux/netfilter_bridge/Kbuild
+++ b/include/uapi/linux/netfilter_bridge/Kbuild
@@ -1 +1,19 @@
 # UAPI Header export list
+header-y += ebt_802_3.h
+header-y += ebt_among.h
+header-y += ebt_arp.h
+header-y += ebt_arpreply.h
+header-y += ebt_ip.h
+header-y += ebt_ip6.h
+header-y += ebt_limit.h
+header-y += ebt_log.h
+header-y += ebt_mark_m.h
+header-y += ebt_mark_t.h
+header-y += ebt_nat.h
+header-y += ebt_nflog.h
+header-y += ebt_pkttype.h
+header-y += ebt_redirect.h
+header-y += ebt_stp.h
+header-y += ebt_ulog.h
+header-y += ebt_vlan.h
+header-y += ebtables.h
diff --git a/include/uapi/linux/netfilter_bridge/ebt_802_3.h b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
new file mode 100644
index 000000000000..5bf84912a082
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
@@ -0,0 +1,62 @@
+#ifndef _UAPI__LINUX_BRIDGE_EBT_802_3_H
+#define _UAPI__LINUX_BRIDGE_EBT_802_3_H
+#include <linux/types.h>
+#define EBT_802_3_SAP 0x01
+#define EBT_802_3_TYPE 0x02
+#define EBT_802_3_MATCH "802_3"
+/*
+ * If frame has DSAP/SSAP value 0xaa you must check the SNAP type
+ * to discover what kind of packet we're carrying. 
+ */
+#define CHECK_TYPE 0xaa
+/*
+ * Control field may be one or two bytes.  If the first byte has
+ * the value 0x03 then the entire length is one byte, otherwise it is two.
+ * One byte controls are used in Unnumbered Information frames.
+ * Two byte controls are used in Numbered Information frames.
+ */
+#define IS_UI 0x03
+#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
+/* ui has one byte ctrl, ni has two */
+struct hdr_ui {
+        __u8 dsap;
+        __u8 ssap;
+        __u8 ctrl;
+        __u8 orig[3];
+        __be16 type;
+};
+struct hdr_ni {
+        __u8 dsap;
+        __u8 ssap;
+        __be16 ctrl;
+        __u8  orig[3];
+        __be16 type;
+};
+struct ebt_802_3_hdr {
+        __u8  daddr[6];
+        __u8  saddr[6];
+        __be16 len;
+        union {
+                struct hdr_ui ui;
+                struct hdr_ni ni;
+        } llc;
+};
+struct ebt_802_3_info {
+        __u8  sap;
+        __be16 type;
+        __u8  bitmask;
+        __u8  invflags;
+};
+#endif /* _UAPI__LINUX_BRIDGE_EBT_802_3_H */
diff --git a/include/linux/netfilter_bridge/ebt_among.h b/include/uapi/linux/netfilter_bridge/ebt_among.h
index bd4e3ad0b706..bd4e3ad0b706 100644
--- a/include/linux/netfilter_bridge/ebt_among.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_among.h
diff --git a/include/linux/netfilter_bridge/ebt_arp.h b/include/uapi/linux/netfilter_bridge/ebt_arp.h
index 522f3e427f49..522f3e427f49 100644
--- a/include/linux/netfilter_bridge/ebt_arp.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_arp.h
diff --git a/include/linux/netfilter_bridge/ebt_arpreply.h b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h
index 7e77896e1fbf..7e77896e1fbf 100644
--- a/include/linux/netfilter_bridge/ebt_arpreply.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h
diff --git a/include/linux/netfilter_bridge/ebt_ip.h b/include/uapi/linux/netfilter_bridge/ebt_ip.h
index c4bbc41b0ea4..c4bbc41b0ea4 100644
--- a/include/linux/netfilter_bridge/ebt_ip.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_ip.h
diff --git a/include/linux/netfilter_bridge/ebt_ip6.h b/include/uapi/linux/netfilter_bridge/ebt_ip6.h
index 42b889682721..42b889682721 100644
--- a/include/linux/netfilter_bridge/ebt_ip6.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_ip6.h
diff --git a/include/linux/netfilter_bridge/ebt_limit.h b/include/uapi/linux/netfilter_bridge/ebt_limit.h
index 66d80b30ba0e..66d80b30ba0e 100644
--- a/include/linux/netfilter_bridge/ebt_limit.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_limit.h
diff --git a/include/linux/netfilter_bridge/ebt_log.h b/include/uapi/linux/netfilter_bridge/ebt_log.h
index 7e7f1d1fe494..7e7f1d1fe494 100644
--- a/include/linux/netfilter_bridge/ebt_log.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_log.h
diff --git a/include/linux/netfilter_bridge/ebt_mark_m.h b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h
index 410f9e5a71d4..410f9e5a71d4 100644
--- a/include/linux/netfilter_bridge/ebt_mark_m.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h
diff --git a/include/linux/netfilter_bridge/ebt_mark_t.h b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h
index 7d5a268a4311..7d5a268a4311 100644
--- a/include/linux/netfilter_bridge/ebt_mark_t.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h
diff --git a/include/linux/netfilter_bridge/ebt_nat.h b/include/uapi/linux/netfilter_bridge/ebt_nat.h
index 5e74e3b03bd6..5e74e3b03bd6 100644
--- a/include/linux/netfilter_bridge/ebt_nat.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_nat.h
diff --git a/include/linux/netfilter_bridge/ebt_nflog.h b/include/uapi/linux/netfilter_bridge/ebt_nflog.h
index df829fce9125..df829fce9125 100644
--- a/include/linux/netfilter_bridge/ebt_nflog.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_nflog.h
diff --git a/include/linux/netfilter_bridge/ebt_pkttype.h b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h
index c241badcd036..c241badcd036 100644
--- a/include/linux/netfilter_bridge/ebt_pkttype.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h
diff --git a/include/linux/netfilter_bridge/ebt_redirect.h b/include/uapi/linux/netfilter_bridge/ebt_redirect.h
index dd9622ce8488..dd9622ce8488 100644
--- a/include/linux/netfilter_bridge/ebt_redirect.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_redirect.h
diff --git a/include/linux/netfilter_bridge/ebt_stp.h b/include/uapi/linux/netfilter_bridge/ebt_stp.h
index 1025b9f5fb7d..1025b9f5fb7d 100644
--- a/include/linux/netfilter_bridge/ebt_stp.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_stp.h
diff --git a/include/linux/netfilter_bridge/ebt_ulog.h b/include/uapi/linux/netfilter_bridge/ebt_ulog.h
index 89a6becb5269..89a6becb5269 100644
--- a/include/linux/netfilter_bridge/ebt_ulog.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_ulog.h
diff --git a/include/linux/netfilter_bridge/ebt_vlan.h b/include/uapi/linux/netfilter_bridge/ebt_vlan.h
index 967d1d5cf98d..967d1d5cf98d 100644
--- a/include/linux/netfilter_bridge/ebt_vlan.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_vlan.h
diff --git a/include/uapi/linux/netfilter_bridge/ebtables.h b/include/uapi/linux/netfilter_bridge/ebtables.h
new file mode 100644
index 000000000000..ba993360dbe9
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebtables.h
@@ -0,0 +1,268 @@
+/*
+ *  ebtables
+ *
+ *      Authors:
+ *      Bart De Schuymer                <bdschuym@pandora.be>
+ *
+ *  ebtables.c,v 2.0, April, 2002
+ *
+ *  This code is stongly inspired on the iptables code which is
+ *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
+ */
+#ifndef _UAPI__LINUX_BRIDGE_EFF_H
+#define _UAPI__LINUX_BRIDGE_EFF_H
+#include <linux/if.h>
+#include <linux/netfilter_bridge.h>
+#include <linux/if_ether.h>
+#define EBT_TABLE_MAXNAMELEN 32
+#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
+#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
+/* verdicts >0 are "branches" */
+#define EBT_ACCEPT   -1
+#define EBT_DROP     -2
+#define EBT_CONTINUE -3
+#define EBT_RETURN   -4
+#define NUM_STANDARD_TARGETS   4
+/* ebtables target modules store the verdict inside an int. We can
+ * reclaim a part of this int for backwards compatible extensions.
+ * The 4 lsb are more than enough to store the verdict. */
+#define EBT_VERDICT_BITS 0x0000000F
+struct xt_match;
+struct xt_target;
+struct ebt_counter {
+        uint64_t pcnt;
+        uint64_t bcnt;
+};
+struct ebt_replace {
+        char name[EBT_TABLE_MAXNAMELEN];
+        unsigned int valid_hooks;
+        /* nr of rules in the table */
+        unsigned int nentries;
+        /* total size of the entries */
+        unsigned int entries_size;
+        /* start of the chains */
+        struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
+        /* nr of counters userspace expects back */
+        unsigned int num_counters;
+        /* where the kernel will put the old counters */
+        struct ebt_counter __user *counters;
+        char __user *entries;
+};
+struct ebt_replace_kernel {
+        char name[EBT_TABLE_MAXNAMELEN];
+        unsigned int valid_hooks;
+        /* nr of rules in the table */
+        unsigned int nentries;
+        /* total size of the entries */
+        unsigned int entries_size;
+        /* start of the chains */
+        struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
+        /* nr of counters userspace expects back */
+        unsigned int num_counters;
+        /* where the kernel will put the old counters */
+        struct ebt_counter *counters;
+        char *entries;
+};
+struct ebt_entries {
+        /* this field is always set to zero
+         * See EBT_ENTRY_OR_ENTRIES.
+         * Must be same size as ebt_entry.bitmask */
+        unsigned int distinguisher;
+        /* the chain name */
+        char name[EBT_CHAIN_MAXNAMELEN];
+        /* counter offset for this chain */
+        unsigned int counter_offset;
+        /* one standard (accept, drop, return) per hook */
+        int policy;
+        /* nr. of entries */
+        unsigned int nentries;
+        /* entry list */
+        char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+/* used for the bitmask of struct ebt_entry */
+/* This is a hack to make a difference between an ebt_entry struct and an
+ * ebt_entries struct when traversing the entries from start to end.
+ * Using this simplifies the code a lot, while still being able to use
+ * ebt_entries.
+ * Contrary, iptables doesn't use something like ebt_entries and therefore uses
+ * different techniques for naming the policy and such. So, iptables doesn't
+ * need a hack like this.
+ */
+#define EBT_ENTRY_OR_ENTRIES 0x01
+/* these are the normal masks */
+#define EBT_NOPROTO 0x02
+#define EBT_802_3 0x04
+#define EBT_SOURCEMAC 0x08
+#define EBT_DESTMAC 0x10
+#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
+   | EBT_ENTRY_OR_ENTRIES)
+#define EBT_IPROTO 0x01
+#define EBT_IIN 0x02
+#define EBT_IOUT 0x04
+#define EBT_ISOURCE 0x8
+#define EBT_IDEST 0x10
+#define EBT_ILOGICALIN 0x20
+#define EBT_ILOGICALOUT 0x40
+#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
+   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
+struct ebt_entry_match {
+        union {
+                char name[EBT_FUNCTION_MAXNAMELEN];
+                struct xt_match *match;
+        } u;
+        /* size of data */
+        unsigned int match_size;
+        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+struct ebt_entry_watcher {
+        union {
+                char name[EBT_FUNCTION_MAXNAMELEN];
+                struct xt_target *watcher;
+        } u;
+        /* size of data */
+        unsigned int watcher_size;
+        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+struct ebt_entry_target {
+        union {
+                char name[EBT_FUNCTION_MAXNAMELEN];
+                struct xt_target *target;
+        } u;
+        /* size of data */
+        unsigned int target_size;
+        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+#define EBT_STANDARD_TARGET "standard"
+struct ebt_standard_target {
+        struct ebt_entry_target target;
+        int verdict;
+};
+/* one entry */
+struct ebt_entry {
+        /* this needs to be the first field */
+        unsigned int bitmask;
+        unsigned int invflags;
+        __be16 ethproto;
+        /* the physical in-dev */
+        char in[IFNAMSIZ];
+        /* the logical in-dev */
+        char logical_in[IFNAMSIZ];
+        /* the physical out-dev */
+        char out[IFNAMSIZ];
+        /* the logical out-dev */
+        char logical_out[IFNAMSIZ];
+        unsigned char sourcemac[ETH_ALEN];
+        unsigned char sourcemsk[ETH_ALEN];
+        unsigned char destmac[ETH_ALEN];
+        unsigned char destmsk[ETH_ALEN];
+        /* sizeof ebt_entry + matches */
+        unsigned int watchers_offset;
+        /* sizeof ebt_entry + matches + watchers */
+        unsigned int target_offset;
+        /* sizeof ebt_entry + matches + watchers + target */
+        unsigned int next_offset;
+        unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+/* {g,s}etsockopt numbers */
+#define EBT_BASE_CTL            128
+#define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
+#define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
+#define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
+#define EBT_SO_GET_INFO         (EBT_BASE_CTL)
+#define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
+#define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
+#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
+#define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
+/* blatently stolen from ip_tables.h
+ * fn returns 0 to continue iteration */
+#define EBT_MATCH_ITERATE(e, fn, args...)                   \
+({                                                          \
+        unsigned int __i;                                   \
+        int __ret = 0;                                      \
+        struct ebt_entry_match *__match;                    \
+                                                            \
+        for (__i = sizeof(struct ebt_entry);                \
+             __i < (e)->watchers_offset;                    \
+             __i += __match->match_size +                   \
+             sizeof(struct ebt_entry_match)) {              \
+                __match = (void *)(e) + __i;                \
+                                                            \
+                __ret = fn(__match , ## args);              \
+                if (__ret != 0)                             \
+                        break;                              \
+        }                                                   \
+        if (__ret == 0) {                                   \
+                if (__i != (e)->watchers_offset)            \
+                        __ret = -EINVAL;                    \
+        }                                                   \
+        __ret;                                              \
+})
+#define EBT_WATCHER_ITERATE(e, fn, args...)                 \
+({                                                          \
+        unsigned int __i;                                   \
+        int __ret = 0;                                      \
+        struct ebt_entry_watcher *__watcher;                \
+                                                            \
+        for (__i = e->watchers_offset;                      \
+             __i < (e)->target_offset;                      \
+             __i += __watcher->watcher_size +               \
+             sizeof(struct ebt_entry_watcher)) {            \
+                __watcher = (void *)(e) + __i;              \
+                                                            \
+                __ret = fn(__watcher , ## args);            \
+                if (__ret != 0)                             \
+                        break;                              \
+        }                                                   \
+        if (__ret == 0) {                                   \
+                if (__i != (e)->target_offset)              \
+                        __ret = -EINVAL;                    \
+        }                                                   \
+        __ret;                                              \
+})
+#define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
+({                                                          \
+        unsigned int __i;                                   \
+        int __ret = 0;                                      \
+        struct ebt_entry *__entry;                          \
+                                                            \
+        for (__i = 0; __i < (size);) {                      \
+                __entry = (void *)(entries) + __i;          \
+                __ret = fn(__entry , ## args);              \
+                if (__ret != 0)                             \
+                        break;                              \
+                if (__entry->bitmask != 0)                  \
+                        __i += __entry->next_offset;        \
+                else                                        \
+                        __i += sizeof(struct ebt_entries);  \
+        }                                                   \
+        if (__ret == 0) {                                   \
+                if (__i != (size))                          \
+                        __ret = -EINVAL;                    \
+        }                                                   \
+        __ret;                                              \
+})
+#endif /* _UAPI__LINUX_BRIDGE_EFF_H */
author	David Howells <dhowells@redhat.com>	2012-10-09 04:48:58 -0400
committer	David Howells <dhowells@redhat.com>	2012-10-09 04:48:58 -0400
commit	55c5cd3cc179eb87faa9cc2d9741047dd1642aaf (patch)
tree	1f63053791d51ce418359f2f83dafcac195671ec
parent	8922082ae6cd2783789e83ae9c67ffcbe5a2f4e1 (diff)