aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2012-10-09 04:48:58 -0400
committerDavid Howells <dhowells@redhat.com>2012-10-09 04:48:58 -0400
commit55c5cd3cc179eb87faa9cc2d9741047dd1642aaf (patch)
tree1f63053791d51ce418359f2f83dafcac195671ec
parent8922082ae6cd2783789e83ae9c67ffcbe5a2f4e1 (diff)
UAPI: (Scripted) Disintegrate include/linux/netfilter_bridge
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Dave Jones <davej@redhat.com>
-rw-r--r--include/linux/netfilter_bridge/Kbuild18
-rw-r--r--include/linux/netfilter_bridge/ebt_802_3.h61
-rw-r--r--include/linux/netfilter_bridge/ebtables.h255
-rw-r--r--include/uapi/linux/netfilter_bridge/Kbuild18
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_802_3.h62
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_among.h (renamed from include/linux/netfilter_bridge/ebt_among.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_arp.h (renamed from include/linux/netfilter_bridge/ebt_arp.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_arpreply.h (renamed from include/linux/netfilter_bridge/ebt_arpreply.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_ip.h (renamed from include/linux/netfilter_bridge/ebt_ip.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_ip6.h (renamed from include/linux/netfilter_bridge/ebt_ip6.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_limit.h (renamed from include/linux/netfilter_bridge/ebt_limit.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_log.h (renamed from include/linux/netfilter_bridge/ebt_log.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_mark_m.h (renamed from include/linux/netfilter_bridge/ebt_mark_m.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_mark_t.h (renamed from include/linux/netfilter_bridge/ebt_mark_t.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_nat.h (renamed from include/linux/netfilter_bridge/ebt_nat.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_nflog.h (renamed from include/linux/netfilter_bridge/ebt_nflog.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_pkttype.h (renamed from include/linux/netfilter_bridge/ebt_pkttype.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_redirect.h (renamed from include/linux/netfilter_bridge/ebt_redirect.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_stp.h (renamed from include/linux/netfilter_bridge/ebt_stp.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_ulog.h (renamed from include/linux/netfilter_bridge/ebt_ulog.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_vlan.h (renamed from include/linux/netfilter_bridge/ebt_vlan.h)0
-rw-r--r--include/uapi/linux/netfilter_bridge/ebtables.h268
22 files changed, 350 insertions, 332 deletions
diff --git a/include/linux/netfilter_bridge/Kbuild b/include/linux/netfilter_bridge/Kbuild
index e48f1a3f5a4a..e69de29bb2d1 100644
--- a/include/linux/netfilter_bridge/Kbuild
+++ b/include/linux/netfilter_bridge/Kbuild
@@ -1,18 +0,0 @@
1header-y += ebt_802_3.h
2header-y += ebt_among.h
3header-y += ebt_arp.h
4header-y += ebt_arpreply.h
5header-y += ebt_ip.h
6header-y += ebt_ip6.h
7header-y += ebt_limit.h
8header-y += ebt_log.h
9header-y += ebt_mark_m.h
10header-y += ebt_mark_t.h
11header-y += ebt_nat.h
12header-y += ebt_nflog.h
13header-y += ebt_pkttype.h
14header-y += ebt_redirect.h
15header-y += ebt_stp.h
16header-y += ebt_ulog.h
17header-y += ebt_vlan.h
18header-y += ebtables.h
diff --git a/include/linux/netfilter_bridge/ebt_802_3.h b/include/linux/netfilter_bridge/ebt_802_3.h
index be5be1577a56..e17e8bfb4e8b 100644
--- a/include/linux/netfilter_bridge/ebt_802_3.h
+++ b/include/linux/netfilter_bridge/ebt_802_3.h
@@ -1,70 +1,11 @@
1#ifndef __LINUX_BRIDGE_EBT_802_3_H 1#ifndef __LINUX_BRIDGE_EBT_802_3_H
2#define __LINUX_BRIDGE_EBT_802_3_H 2#define __LINUX_BRIDGE_EBT_802_3_H
3 3
4#include <linux/types.h>
5
6#define EBT_802_3_SAP 0x01
7#define EBT_802_3_TYPE 0x02
8
9#define EBT_802_3_MATCH "802_3"
10
11/*
12 * If frame has DSAP/SSAP value 0xaa you must check the SNAP type
13 * to discover what kind of packet we're carrying.
14 */
15#define CHECK_TYPE 0xaa
16
17/*
18 * Control field may be one or two bytes. If the first byte has
19 * the value 0x03 then the entire length is one byte, otherwise it is two.
20 * One byte controls are used in Unnumbered Information frames.
21 * Two byte controls are used in Numbered Information frames.
22 */
23#define IS_UI 0x03
24
25#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
26
27/* ui has one byte ctrl, ni has two */
28struct hdr_ui {
29 __u8 dsap;
30 __u8 ssap;
31 __u8 ctrl;
32 __u8 orig[3];
33 __be16 type;
34};
35
36struct hdr_ni {
37 __u8 dsap;
38 __u8 ssap;
39 __be16 ctrl;
40 __u8 orig[3];
41 __be16 type;
42};
43
44struct ebt_802_3_hdr {
45 __u8 daddr[6];
46 __u8 saddr[6];
47 __be16 len;
48 union {
49 struct hdr_ui ui;
50 struct hdr_ni ni;
51 } llc;
52};
53
54#ifdef __KERNEL__
55#include <linux/skbuff.h> 4#include <linux/skbuff.h>
5#include <uapi/linux/netfilter_bridge/ebt_802_3.h>
56 6
57static inline struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb) 7static inline struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb)
58{ 8{
59 return (struct ebt_802_3_hdr *)skb_mac_header(skb); 9 return (struct ebt_802_3_hdr *)skb_mac_header(skb);
60} 10}
61#endif 11#endif
62
63struct ebt_802_3_info {
64 __u8 sap;
65 __be16 type;
66 __u8 bitmask;
67 __u8 invflags;
68};
69
70#endif
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index 4dd5bd6994a8..34e7a2b7f867 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -9,191 +9,11 @@
9 * This code is stongly inspired on the iptables code which is 9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling 10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11 */ 11 */
12
13#ifndef __LINUX_BRIDGE_EFF_H 12#ifndef __LINUX_BRIDGE_EFF_H
14#define __LINUX_BRIDGE_EFF_H 13#define __LINUX_BRIDGE_EFF_H
15#include <linux/if.h>
16#include <linux/netfilter_bridge.h>
17#include <linux/if_ether.h>
18
19#define EBT_TABLE_MAXNAMELEN 32
20#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
21#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
22
23/* verdicts >0 are "branches" */
24#define EBT_ACCEPT -1
25#define EBT_DROP -2
26#define EBT_CONTINUE -3
27#define EBT_RETURN -4
28#define NUM_STANDARD_TARGETS 4
29/* ebtables target modules store the verdict inside an int. We can
30 * reclaim a part of this int for backwards compatible extensions.
31 * The 4 lsb are more than enough to store the verdict. */
32#define EBT_VERDICT_BITS 0x0000000F
33
34struct xt_match;
35struct xt_target;
36
37struct ebt_counter {
38 uint64_t pcnt;
39 uint64_t bcnt;
40};
41 14
42struct ebt_replace { 15#include <uapi/linux/netfilter_bridge/ebtables.h>
43 char name[EBT_TABLE_MAXNAMELEN];
44 unsigned int valid_hooks;
45 /* nr of rules in the table */
46 unsigned int nentries;
47 /* total size of the entries */
48 unsigned int entries_size;
49 /* start of the chains */
50 struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
51 /* nr of counters userspace expects back */
52 unsigned int num_counters;
53 /* where the kernel will put the old counters */
54 struct ebt_counter __user *counters;
55 char __user *entries;
56};
57 16
58struct ebt_replace_kernel {
59 char name[EBT_TABLE_MAXNAMELEN];
60 unsigned int valid_hooks;
61 /* nr of rules in the table */
62 unsigned int nentries;
63 /* total size of the entries */
64 unsigned int entries_size;
65 /* start of the chains */
66 struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
67 /* nr of counters userspace expects back */
68 unsigned int num_counters;
69 /* where the kernel will put the old counters */
70 struct ebt_counter *counters;
71 char *entries;
72};
73
74struct ebt_entries {
75 /* this field is always set to zero
76 * See EBT_ENTRY_OR_ENTRIES.
77 * Must be same size as ebt_entry.bitmask */
78 unsigned int distinguisher;
79 /* the chain name */
80 char name[EBT_CHAIN_MAXNAMELEN];
81 /* counter offset for this chain */
82 unsigned int counter_offset;
83 /* one standard (accept, drop, return) per hook */
84 int policy;
85 /* nr. of entries */
86 unsigned int nentries;
87 /* entry list */
88 char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
89};
90
91/* used for the bitmask of struct ebt_entry */
92
93/* This is a hack to make a difference between an ebt_entry struct and an
94 * ebt_entries struct when traversing the entries from start to end.
95 * Using this simplifies the code a lot, while still being able to use
96 * ebt_entries.
97 * Contrary, iptables doesn't use something like ebt_entries and therefore uses
98 * different techniques for naming the policy and such. So, iptables doesn't
99 * need a hack like this.
100 */
101#define EBT_ENTRY_OR_ENTRIES 0x01
102/* these are the normal masks */
103#define EBT_NOPROTO 0x02
104#define EBT_802_3 0x04
105#define EBT_SOURCEMAC 0x08
106#define EBT_DESTMAC 0x10
107#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
108 | EBT_ENTRY_OR_ENTRIES)
109
110#define EBT_IPROTO 0x01
111#define EBT_IIN 0x02
112#define EBT_IOUT 0x04
113#define EBT_ISOURCE 0x8
114#define EBT_IDEST 0x10
115#define EBT_ILOGICALIN 0x20
116#define EBT_ILOGICALOUT 0x40
117#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
118 | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
119
120struct ebt_entry_match {
121 union {
122 char name[EBT_FUNCTION_MAXNAMELEN];
123 struct xt_match *match;
124 } u;
125 /* size of data */
126 unsigned int match_size;
127 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
128};
129
130struct ebt_entry_watcher {
131 union {
132 char name[EBT_FUNCTION_MAXNAMELEN];
133 struct xt_target *watcher;
134 } u;
135 /* size of data */
136 unsigned int watcher_size;
137 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
138};
139
140struct ebt_entry_target {
141 union {
142 char name[EBT_FUNCTION_MAXNAMELEN];
143 struct xt_target *target;
144 } u;
145 /* size of data */
146 unsigned int target_size;
147 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
148};
149
150#define EBT_STANDARD_TARGET "standard"
151struct ebt_standard_target {
152 struct ebt_entry_target target;
153 int verdict;
154};
155
156/* one entry */
157struct ebt_entry {
158 /* this needs to be the first field */
159 unsigned int bitmask;
160 unsigned int invflags;
161 __be16 ethproto;
162 /* the physical in-dev */
163 char in[IFNAMSIZ];
164 /* the logical in-dev */
165 char logical_in[IFNAMSIZ];
166 /* the physical out-dev */
167 char out[IFNAMSIZ];
168 /* the logical out-dev */
169 char logical_out[IFNAMSIZ];
170 unsigned char sourcemac[ETH_ALEN];
171 unsigned char sourcemsk[ETH_ALEN];
172 unsigned char destmac[ETH_ALEN];
173 unsigned char destmsk[ETH_ALEN];
174 /* sizeof ebt_entry + matches */
175 unsigned int watchers_offset;
176 /* sizeof ebt_entry + matches + watchers */
177 unsigned int target_offset;
178 /* sizeof ebt_entry + matches + watchers + target */
179 unsigned int next_offset;
180 unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
181};
182
183/* {g,s}etsockopt numbers */
184#define EBT_BASE_CTL 128
185
186#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
187#define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1)
188#define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1)
189
190#define EBT_SO_GET_INFO (EBT_BASE_CTL)
191#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1)
192#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1)
193#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
194#define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1)
195
196#ifdef __KERNEL__
197 17
198/* return values for match() functions */ 18/* return values for match() functions */
199#define EBT_MATCH 0 19#define EBT_MATCH 0
@@ -304,77 +124,4 @@ extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
304/* True if the target is not a standard target */ 124/* True if the target is not a standard target */
305#define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0) 125#define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
306 126
307#endif /* __KERNEL__ */
308
309/* blatently stolen from ip_tables.h
310 * fn returns 0 to continue iteration */
311#define EBT_MATCH_ITERATE(e, fn, args...) \
312({ \
313 unsigned int __i; \
314 int __ret = 0; \
315 struct ebt_entry_match *__match; \
316 \
317 for (__i = sizeof(struct ebt_entry); \
318 __i < (e)->watchers_offset; \
319 __i += __match->match_size + \
320 sizeof(struct ebt_entry_match)) { \
321 __match = (void *)(e) + __i; \
322 \
323 __ret = fn(__match , ## args); \
324 if (__ret != 0) \
325 break; \
326 } \
327 if (__ret == 0) { \
328 if (__i != (e)->watchers_offset) \
329 __ret = -EINVAL; \
330 } \
331 __ret; \
332})
333
334#define EBT_WATCHER_ITERATE(e, fn, args...) \
335({ \
336 unsigned int __i; \
337 int __ret = 0; \
338 struct ebt_entry_watcher *__watcher; \
339 \
340 for (__i = e->watchers_offset; \
341 __i < (e)->target_offset; \
342 __i += __watcher->watcher_size + \
343 sizeof(struct ebt_entry_watcher)) { \
344 __watcher = (void *)(e) + __i; \
345 \
346 __ret = fn(__watcher , ## args); \
347 if (__ret != 0) \
348 break; \
349 } \
350 if (__ret == 0) { \
351 if (__i != (e)->target_offset) \
352 __ret = -EINVAL; \
353 } \
354 __ret; \
355})
356
357#define EBT_ENTRY_ITERATE(entries, size, fn, args...) \
358({ \
359 unsigned int __i; \
360 int __ret = 0; \
361 struct ebt_entry *__entry; \
362 \
363 for (__i = 0; __i < (size);) { \
364 __entry = (void *)(entries) + __i; \
365 __ret = fn(__entry , ## args); \
366 if (__ret != 0) \
367 break; \
368 if (__entry->bitmask != 0) \
369 __i += __entry->next_offset; \
370 else \
371 __i += sizeof(struct ebt_entries); \
372 } \
373 if (__ret == 0) { \
374 if (__i != (size)) \
375 __ret = -EINVAL; \
376 } \
377 __ret; \
378})
379
380#endif 127#endif
diff --git a/include/uapi/linux/netfilter_bridge/Kbuild b/include/uapi/linux/netfilter_bridge/Kbuild
index aafaa5aa54d4..348717c3a22f 100644
--- a/include/uapi/linux/netfilter_bridge/Kbuild
+++ b/include/uapi/linux/netfilter_bridge/Kbuild
@@ -1 +1,19 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += ebt_802_3.h
3header-y += ebt_among.h
4header-y += ebt_arp.h
5header-y += ebt_arpreply.h
6header-y += ebt_ip.h
7header-y += ebt_ip6.h
8header-y += ebt_limit.h
9header-y += ebt_log.h
10header-y += ebt_mark_m.h
11header-y += ebt_mark_t.h
12header-y += ebt_nat.h
13header-y += ebt_nflog.h
14header-y += ebt_pkttype.h
15header-y += ebt_redirect.h
16header-y += ebt_stp.h
17header-y += ebt_ulog.h
18header-y += ebt_vlan.h
19header-y += ebtables.h
diff --git a/include/uapi/linux/netfilter_bridge/ebt_802_3.h b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
new file mode 100644
index 000000000000..5bf84912a082
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
@@ -0,0 +1,62 @@
1#ifndef _UAPI__LINUX_BRIDGE_EBT_802_3_H
2#define _UAPI__LINUX_BRIDGE_EBT_802_3_H
3
4#include <linux/types.h>
5
6#define EBT_802_3_SAP 0x01
7#define EBT_802_3_TYPE 0x02
8
9#define EBT_802_3_MATCH "802_3"
10
11/*
12 * If frame has DSAP/SSAP value 0xaa you must check the SNAP type
13 * to discover what kind of packet we're carrying.
14 */
15#define CHECK_TYPE 0xaa
16
17/*
18 * Control field may be one or two bytes. If the first byte has
19 * the value 0x03 then the entire length is one byte, otherwise it is two.
20 * One byte controls are used in Unnumbered Information frames.
21 * Two byte controls are used in Numbered Information frames.
22 */
23#define IS_UI 0x03
24
25#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
26
27/* ui has one byte ctrl, ni has two */
28struct hdr_ui {
29 __u8 dsap;
30 __u8 ssap;
31 __u8 ctrl;
32 __u8 orig[3];
33 __be16 type;
34};
35
36struct hdr_ni {
37 __u8 dsap;
38 __u8 ssap;
39 __be16 ctrl;
40 __u8 orig[3];
41 __be16 type;
42};
43
44struct ebt_802_3_hdr {
45 __u8 daddr[6];
46 __u8 saddr[6];
47 __be16 len;
48 union {
49 struct hdr_ui ui;
50 struct hdr_ni ni;
51 } llc;
52};
53
54
55struct ebt_802_3_info {
56 __u8 sap;
57 __be16 type;
58 __u8 bitmask;
59 __u8 invflags;
60};
61
62#endif /* _UAPI__LINUX_BRIDGE_EBT_802_3_H */
diff --git a/include/linux/netfilter_bridge/ebt_among.h b/include/uapi/linux/netfilter_bridge/ebt_among.h
index bd4e3ad0b706..bd4e3ad0b706 100644
--- a/include/linux/netfilter_bridge/ebt_among.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_among.h
diff --git a/include/linux/netfilter_bridge/ebt_arp.h b/include/uapi/linux/netfilter_bridge/ebt_arp.h
index 522f3e427f49..522f3e427f49 100644
--- a/include/linux/netfilter_bridge/ebt_arp.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_arp.h
diff --git a/include/linux/netfilter_bridge/ebt_arpreply.h b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h
index 7e77896e1fbf..7e77896e1fbf 100644
--- a/include/linux/netfilter_bridge/ebt_arpreply.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h
diff --git a/include/linux/netfilter_bridge/ebt_ip.h b/include/uapi/linux/netfilter_bridge/ebt_ip.h
index c4bbc41b0ea4..c4bbc41b0ea4 100644
--- a/include/linux/netfilter_bridge/ebt_ip.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_ip.h
diff --git a/include/linux/netfilter_bridge/ebt_ip6.h b/include/uapi/linux/netfilter_bridge/ebt_ip6.h
index 42b889682721..42b889682721 100644
--- a/include/linux/netfilter_bridge/ebt_ip6.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_ip6.h
diff --git a/include/linux/netfilter_bridge/ebt_limit.h b/include/uapi/linux/netfilter_bridge/ebt_limit.h
index 66d80b30ba0e..66d80b30ba0e 100644
--- a/include/linux/netfilter_bridge/ebt_limit.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_limit.h
diff --git a/include/linux/netfilter_bridge/ebt_log.h b/include/uapi/linux/netfilter_bridge/ebt_log.h
index 7e7f1d1fe494..7e7f1d1fe494 100644
--- a/include/linux/netfilter_bridge/ebt_log.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_log.h
diff --git a/include/linux/netfilter_bridge/ebt_mark_m.h b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h
index 410f9e5a71d4..410f9e5a71d4 100644
--- a/include/linux/netfilter_bridge/ebt_mark_m.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h
diff --git a/include/linux/netfilter_bridge/ebt_mark_t.h b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h
index 7d5a268a4311..7d5a268a4311 100644
--- a/include/linux/netfilter_bridge/ebt_mark_t.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h
diff --git a/include/linux/netfilter_bridge/ebt_nat.h b/include/uapi/linux/netfilter_bridge/ebt_nat.h
index 5e74e3b03bd6..5e74e3b03bd6 100644
--- a/include/linux/netfilter_bridge/ebt_nat.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_nat.h
diff --git a/include/linux/netfilter_bridge/ebt_nflog.h b/include/uapi/linux/netfilter_bridge/ebt_nflog.h
index df829fce9125..df829fce9125 100644
--- a/include/linux/netfilter_bridge/ebt_nflog.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_nflog.h
diff --git a/include/linux/netfilter_bridge/ebt_pkttype.h b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h
index c241badcd036..c241badcd036 100644
--- a/include/linux/netfilter_bridge/ebt_pkttype.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h
diff --git a/include/linux/netfilter_bridge/ebt_redirect.h b/include/uapi/linux/netfilter_bridge/ebt_redirect.h
index dd9622ce8488..dd9622ce8488 100644
--- a/include/linux/netfilter_bridge/ebt_redirect.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_redirect.h
diff --git a/include/linux/netfilter_bridge/ebt_stp.h b/include/uapi/linux/netfilter_bridge/ebt_stp.h
index 1025b9f5fb7d..1025b9f5fb7d 100644
--- a/include/linux/netfilter_bridge/ebt_stp.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_stp.h
diff --git a/include/linux/netfilter_bridge/ebt_ulog.h b/include/uapi/linux/netfilter_bridge/ebt_ulog.h
index 89a6becb5269..89a6becb5269 100644
--- a/include/linux/netfilter_bridge/ebt_ulog.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_ulog.h
diff --git a/include/linux/netfilter_bridge/ebt_vlan.h b/include/uapi/linux/netfilter_bridge/ebt_vlan.h
index 967d1d5cf98d..967d1d5cf98d 100644
--- a/include/linux/netfilter_bridge/ebt_vlan.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_vlan.h
diff --git a/include/uapi/linux/netfilter_bridge/ebtables.h b/include/uapi/linux/netfilter_bridge/ebtables.h
new file mode 100644
index 000000000000..ba993360dbe9
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebtables.h
@@ -0,0 +1,268 @@
1/*
2 * ebtables
3 *
4 * Authors:
5 * Bart De Schuymer <bdschuym@pandora.be>
6 *
7 * ebtables.c,v 2.0, April, 2002
8 *
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11 */
12
13#ifndef _UAPI__LINUX_BRIDGE_EFF_H
14#define _UAPI__LINUX_BRIDGE_EFF_H
15#include <linux/if.h>
16#include <linux/netfilter_bridge.h>
17#include <linux/if_ether.h>
18
19#define EBT_TABLE_MAXNAMELEN 32
20#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
21#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
22
23/* verdicts >0 are "branches" */
24#define EBT_ACCEPT -1
25#define EBT_DROP -2
26#define EBT_CONTINUE -3
27#define EBT_RETURN -4
28#define NUM_STANDARD_TARGETS 4
29/* ebtables target modules store the verdict inside an int. We can
30 * reclaim a part of this int for backwards compatible extensions.
31 * The 4 lsb are more than enough to store the verdict. */
32#define EBT_VERDICT_BITS 0x0000000F
33
34struct xt_match;
35struct xt_target;
36
37struct ebt_counter {
38 uint64_t pcnt;
39 uint64_t bcnt;
40};
41
42struct ebt_replace {
43 char name[EBT_TABLE_MAXNAMELEN];
44 unsigned int valid_hooks;
45 /* nr of rules in the table */
46 unsigned int nentries;
47 /* total size of the entries */
48 unsigned int entries_size;
49 /* start of the chains */
50 struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
51 /* nr of counters userspace expects back */
52 unsigned int num_counters;
53 /* where the kernel will put the old counters */
54 struct ebt_counter __user *counters;
55 char __user *entries;
56};
57
58struct ebt_replace_kernel {
59 char name[EBT_TABLE_MAXNAMELEN];
60 unsigned int valid_hooks;
61 /* nr of rules in the table */
62 unsigned int nentries;
63 /* total size of the entries */
64 unsigned int entries_size;
65 /* start of the chains */
66 struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
67 /* nr of counters userspace expects back */
68 unsigned int num_counters;
69 /* where the kernel will put the old counters */
70 struct ebt_counter *counters;
71 char *entries;
72};
73
74struct ebt_entries {
75 /* this field is always set to zero
76 * See EBT_ENTRY_OR_ENTRIES.
77 * Must be same size as ebt_entry.bitmask */
78 unsigned int distinguisher;
79 /* the chain name */
80 char name[EBT_CHAIN_MAXNAMELEN];
81 /* counter offset for this chain */
82 unsigned int counter_offset;
83 /* one standard (accept, drop, return) per hook */
84 int policy;
85 /* nr. of entries */
86 unsigned int nentries;
87 /* entry list */
88 char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
89};
90
91/* used for the bitmask of struct ebt_entry */
92
93/* This is a hack to make a difference between an ebt_entry struct and an
94 * ebt_entries struct when traversing the entries from start to end.
95 * Using this simplifies the code a lot, while still being able to use
96 * ebt_entries.
97 * Contrary, iptables doesn't use something like ebt_entries and therefore uses
98 * different techniques for naming the policy and such. So, iptables doesn't
99 * need a hack like this.
100 */
101#define EBT_ENTRY_OR_ENTRIES 0x01
102/* these are the normal masks */
103#define EBT_NOPROTO 0x02
104#define EBT_802_3 0x04
105#define EBT_SOURCEMAC 0x08
106#define EBT_DESTMAC 0x10
107#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
108 | EBT_ENTRY_OR_ENTRIES)
109
110#define EBT_IPROTO 0x01
111#define EBT_IIN 0x02
112#define EBT_IOUT 0x04
113#define EBT_ISOURCE 0x8
114#define EBT_IDEST 0x10
115#define EBT_ILOGICALIN 0x20
116#define EBT_ILOGICALOUT 0x40
117#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
118 | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
119
120struct ebt_entry_match {
121 union {
122 char name[EBT_FUNCTION_MAXNAMELEN];
123 struct xt_match *match;
124 } u;
125 /* size of data */
126 unsigned int match_size;
127 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
128};
129
130struct ebt_entry_watcher {
131 union {
132 char name[EBT_FUNCTION_MAXNAMELEN];
133 struct xt_target *watcher;
134 } u;
135 /* size of data */
136 unsigned int watcher_size;
137 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
138};
139
140struct ebt_entry_target {
141 union {
142 char name[EBT_FUNCTION_MAXNAMELEN];
143 struct xt_target *target;
144 } u;
145 /* size of data */
146 unsigned int target_size;
147 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
148};
149
150#define EBT_STANDARD_TARGET "standard"
151struct ebt_standard_target {
152 struct ebt_entry_target target;
153 int verdict;
154};
155
156/* one entry */
157struct ebt_entry {
158 /* this needs to be the first field */
159 unsigned int bitmask;
160 unsigned int invflags;
161 __be16 ethproto;
162 /* the physical in-dev */
163 char in[IFNAMSIZ];
164 /* the logical in-dev */
165 char logical_in[IFNAMSIZ];
166 /* the physical out-dev */
167 char out[IFNAMSIZ];
168 /* the logical out-dev */
169 char logical_out[IFNAMSIZ];
170 unsigned char sourcemac[ETH_ALEN];
171 unsigned char sourcemsk[ETH_ALEN];
172 unsigned char destmac[ETH_ALEN];
173 unsigned char destmsk[ETH_ALEN];
174 /* sizeof ebt_entry + matches */
175 unsigned int watchers_offset;
176 /* sizeof ebt_entry + matches + watchers */
177 unsigned int target_offset;
178 /* sizeof ebt_entry + matches + watchers + target */
179 unsigned int next_offset;
180 unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
181};
182
183/* {g,s}etsockopt numbers */
184#define EBT_BASE_CTL 128
185
186#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
187#define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1)
188#define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1)
189
190#define EBT_SO_GET_INFO (EBT_BASE_CTL)
191#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1)
192#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1)
193#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
194#define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1)
195
196
197/* blatently stolen from ip_tables.h
198 * fn returns 0 to continue iteration */
199#define EBT_MATCH_ITERATE(e, fn, args...) \
200({ \
201 unsigned int __i; \
202 int __ret = 0; \
203 struct ebt_entry_match *__match; \
204 \
205 for (__i = sizeof(struct ebt_entry); \
206 __i < (e)->watchers_offset; \
207 __i += __match->match_size + \
208 sizeof(struct ebt_entry_match)) { \
209 __match = (void *)(e) + __i; \
210 \
211 __ret = fn(__match , ## args); \
212 if (__ret != 0) \
213 break; \
214 } \
215 if (__ret == 0) { \
216 if (__i != (e)->watchers_offset) \
217 __ret = -EINVAL; \
218 } \
219 __ret; \
220})
221
222#define EBT_WATCHER_ITERATE(e, fn, args...) \
223({ \
224 unsigned int __i; \
225 int __ret = 0; \
226 struct ebt_entry_watcher *__watcher; \
227 \
228 for (__i = e->watchers_offset; \
229 __i < (e)->target_offset; \
230 __i += __watcher->watcher_size + \
231 sizeof(struct ebt_entry_watcher)) { \
232 __watcher = (void *)(e) + __i; \
233 \
234 __ret = fn(__watcher , ## args); \
235 if (__ret != 0) \
236 break; \
237 } \
238 if (__ret == 0) { \
239 if (__i != (e)->target_offset) \
240 __ret = -EINVAL; \
241 } \
242 __ret; \
243})
244
245#define EBT_ENTRY_ITERATE(entries, size, fn, args...) \
246({ \
247 unsigned int __i; \
248 int __ret = 0; \
249 struct ebt_entry *__entry; \
250 \
251 for (__i = 0; __i < (size);) { \
252 __entry = (void *)(entries) + __i; \
253 __ret = fn(__entry , ## args); \
254 if (__ret != 0) \
255 break; \
256 if (__entry->bitmask != 0) \
257 __i += __entry->next_offset; \
258 else \
259 __i += sizeof(struct ebt_entries); \
260 } \
261 if (__ret == 0) { \
262 if (__i != (size)) \
263 __ret = -EINVAL; \
264 } \
265 __ret; \
266})
267
268#endif /* _UAPI__LINUX_BRIDGE_EFF_H */