Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/netfilter_bridge/Kbuild | 18 | ||||
| -rw-r--r-- | include/linux/netfilter_bridge/ebt_802_3.h | 61 | ||||
| -rw-r--r-- | include/linux/netfilter_bridge/ebtables.h | 255 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/Kbuild | 18 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_802_3.h | 62 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_among.h (renamed from include/linux/netfilter_bridge/ebt_among.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_arp.h (renamed from include/linux/netfilter_bridge/ebt_arp.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_arpreply.h (renamed from include/linux/netfilter_bridge/ebt_arpreply.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_ip.h (renamed from include/linux/netfilter_bridge/ebt_ip.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_ip6.h (renamed from include/linux/netfilter_bridge/ebt_ip6.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_limit.h (renamed from include/linux/netfilter_bridge/ebt_limit.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_log.h (renamed from include/linux/netfilter_bridge/ebt_log.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_mark_m.h (renamed from include/linux/netfilter_bridge/ebt_mark_m.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_mark_t.h (renamed from include/linux/netfilter_bridge/ebt_mark_t.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_nat.h (renamed from include/linux/netfilter_bridge/ebt_nat.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_nflog.h (renamed from include/linux/netfilter_bridge/ebt_nflog.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_pkttype.h (renamed from include/linux/netfilter_bridge/ebt_pkttype.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_redirect.h (renamed from include/linux/netfilter_bridge/ebt_redirect.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_stp.h (renamed from include/linux/netfilter_bridge/ebt_stp.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_ulog.h (renamed from include/linux/netfilter_bridge/ebt_ulog.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebt_vlan.h (renamed from include/linux/netfilter_bridge/ebt_vlan.h) | 0 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_bridge/ebtables.h | 268 |
22 files changed, 350 insertions, 332 deletions
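--- a/include/linux/netfilter_bridge/Kbuild
+++ b/include/linux/netfilter_bridge/Kbuild
@@ -1,18 +0,0 @@
-header-y += ebt_802_3.h
-header-y += ebt_among.h
-header-y += ebt_arp.h
-header-y += ebt_arpreply.h
-header-y += ebt_ip.h
-header-y += ebt_ip6.h
-header-y += ebt_limit.h
-header-y += ebt_log.h
-header-y += ebt_mark_m.h
-header-y += ebt_mark_t.h
-header-y += ebt_nat.h
-header-y += ebt_nflog.h
-header-y += ebt_pkttype.h
-header-y += ebt_redirect.h
-header-y += ebt_stp.h
-header-y += ebt_ulog.h
-header-y += ebt_vlan.h
-header-y += ebtables.h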
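--- a/include/linux/netfilter_bridge/ebt_802_3.h
+++ b/include/linux/netfilter_bridge/ebt_802_3.h
@@ -1,70 +1,11 @@
 #ifndef __LINUX_BRIDGE_EBT_802_3_H
 #define __LINUX_BRIDGE_EBT_802_3_H
 
-#include <linux/types.h>
-
-#define EBT_802_3_SAP 0x01
-#define EBT_802_3_TYPE 0x02
-
-#define EBT_802_3_MATCH "802_3"
-
-/*
-* If frame has DSAP/SSAP value 0xaa you must check the SNAP type
-* to discover what kind of packet we're carrying.
-*/
-#define CHECK_TYPE 0xaa
-
-/*
-* Control field may be one or two bytes. If the first byte has
-* the value 0x03 then the entire length is one byte, otherwise it is two.
-* One byte controls are used in Unnumbered Information frames.
-* Two byte controls are used in Numbered Information frames.
-*/
-#define IS_UI 0x03
-
-#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
-
-/* ui has one byte ctrl, ni has two */
-struct hdr_ui {
-__u8 dsap;
-__u8 ssap;
-__u8 ctrl;
-__u8 orig[3];
-__be16 type;
-};
-
-struct hdr_ni {
-__u8 dsap;
-__u8 ssap;
-__be16 ctrl;
-__u8 orig[3];
-__be16 type;
-};
-
-struct ebt_802_3_hdr {
-__u8 daddr[6];
-__u8 saddr[6];
-__be16 len;
-union {
-struct hdr_ui ui;
-struct hdr_ni ni;
-} llc;
-};
-
-#ifdef __KERNEL__
 #include <linux/skbuff.h>
+#include <uapi/linux/netfilter_bridge/ebt_802_3.h>
 
 static inline struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb)
 {
 return (struct ebt_802_3_hdr *)skb_mac_header(skb);
 }
 #endif
-
-struct ebt_802_3_info {
-__u8 sap;
-__be16 type;
-__u8 bitmask;
-__u8 invflags;
-};
-
-#endif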
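--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -9,191 +9,11 @@
 * This code is stongly inspired on the iptables code which is
 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
 */
-
 #ifndef __LINUX_BRIDGE_EFF_H
 #define __LINUX_BRIDGE_EFF_H
-#include <linux/if.h>
-#include <linux/netfilter_bridge.h>
-#include <linux/if_ether.h>
-
-#define EBT_TABLE_MAXNAMELEN 32
-#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
-#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
-
-/* verdicts >0 are "branches" */
-#define EBT_ACCEPT -1
-#define EBT_DROP -2
-#define EBT_CONTINUE -3
-#define EBT_RETURN -4
-#define NUM_STANDARD_TARGETS 4
-/* ebtables target modules store the verdict inside an int. We can
-* reclaim a part of this int for backwards compatible extensions.
-* The 4 lsb are more than enough to store the verdict. */
-#define EBT_VERDICT_BITS 0x0000000F
-
-struct xt_match;
-struct xt_target;
-
-struct ebt_counter {
-uint64_t pcnt;
-uint64_t bcnt;
-};
 
-struct ebt_replace {
-char name[EBT_TABLE_MAXNAMELEN];
-unsigned int valid_hooks;
-/* nr of rules in the table */
-unsigned int nentries;
-/* total size of the entries */
-unsigned int entries_size;
-/* start of the chains */
-struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
-/* nr of counters userspace expects back */
-unsigned int num_counters;
-/* where the kernel will put the old counters */
-struct ebt_counter __user *counters;
-char __user *entries;
-};
+#include <uapi/linux/netfilter_bridge/ebtables.h>
 
-struct ebt_replace_kernel {
-char name[EBT_TABLE_MAXNAMELEN];
-unsigned int valid_hooks;
-/* nr of rules in the table */
-unsigned int nentries;
-/* total size of the entries */
-unsigned int entries_size;
-/* start of the chains */
-struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
-/* nr of counters userspace expects back */
-unsigned int num_counters;
-/* where the kernel will put the old counters */
-struct ebt_counter *counters;
-char *entries;
-};
-
-struct ebt_entries {
-/* this field is always set to zero
-* See EBT_ENTRY_OR_ENTRIES.
-* Must be same size as ebt_entry.bitmask */
-unsigned int distinguisher;
-/* the chain name */
-char name[EBT_CHAIN_MAXNAMELEN];
-/* counter offset for this chain */
-unsigned int counter_offset;
-/* one standard (accept, drop, return) per hook */
-int policy;
-/* nr. of entries */
-unsigned int nentries;
-/* entry list */
-char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-/* used for the bitmask of struct ebt_entry */
-
-/* This is a hack to make a difference between an ebt_entry struct and an
-* ebt_entries struct when traversing the entries from start to end.
-* Using this simplifies the code a lot, while still being able to use
-* ebt_entries.
-* Contrary, iptables doesn't use something like ebt_entries and therefore uses
-* different techniques for naming the policy and such. So, iptables doesn't
-* need a hack like this.
-*/
-#define EBT_ENTRY_OR_ENTRIES 0x01
-/* these are the normal masks */
-#define EBT_NOPROTO 0x02
-#define EBT_802_3 0x04
-#define EBT_SOURCEMAC 0x08
-#define EBT_DESTMAC 0x10
-#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
-| EBT_ENTRY_OR_ENTRIES)
-
-#define EBT_IPROTO 0x01
-#define EBT_IIN 0x02
-#define EBT_IOUT 0x04
-#define EBT_ISOURCE 0x8
-#define EBT_IDEST 0x10
-#define EBT_ILOGICALIN 0x20
-#define EBT_ILOGICALOUT 0x40
-#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
-| EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
-
-struct ebt_entry_match {
-union {
-char name[EBT_FUNCTION_MAXNAMELEN];
-struct xt_match *match;
-} u;
-/* size of data */
-unsigned int match_size;
-unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-struct ebt_entry_watcher {
-union {
-char name[EBT_FUNCTION_MAXNAMELEN];
-struct xt_target *watcher;
-} u;
-/* size of data */
-unsigned int watcher_size;
-unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-struct ebt_entry_target {
-union {
-char name[EBT_FUNCTION_MAXNAMELEN];
-struct xt_target *target;
-} u;
-/* size of data */
-unsigned int target_size;
-unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-#define EBT_STANDARD_TARGET "standard"
-struct ebt_standard_target {
-struct ebt_entry_target target;
-int verdict;
-};
-
-/* one entry */
-struct ebt_entry {
-/* this needs to be the first field */
-unsigned int bitmask;
-unsigned int invflags;
-__be16 ethproto;
-/* the physical in-dev */
-char in[IFNAMSIZ];
-/* the logical in-dev */
-char logical_in[IFNAMSIZ];
-/* the physical out-dev */
-char out[IFNAMSIZ];
-/* the logical out-dev */
-char logical_out[IFNAMSIZ];
-unsigned char sourcemac[ETH_ALEN];
-unsigned char sourcemsk[ETH_ALEN];
-unsigned char destmac[ETH_ALEN];
-unsigned char destmsk[ETH_ALEN];
-/* sizeof ebt_entry + matches */
-unsigned int watchers_offset;
-/* sizeof ebt_entry + matches + watchers */
-unsigned int target_offset;
-/* sizeof ebt_entry + matches + watchers + target */
-unsigned int next_offset;
-unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-/* {g,s}etsockopt numbers */
-#define EBT_BASE_CTL 128
-
-#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
-#define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1)
-#define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1)
-
-#define EBT_SO_GET_INFO (EBT_BASE_CTL)
-#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1)
-#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1)
-#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
-#define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1)
-
-#ifdef __KERNEL__
 
 /* return values for match() functions */
 #define EBT_MATCH 0
@@ -304,77 +124,4 @@ extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
 /* True if the target is not a standard target */
 #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
 
-#endif /* __KERNEL__ */
-
-/* blatently stolen from ip_tables.h
-* fn returns 0 to continue iteration */
-#define EBT_MATCH_ITERATE(e, fn, args...) \
-({ \
-unsigned int __i; \
-int __ret = 0; \
-struct ebt_entry_match *__match; \
-\
-for (__i = sizeof(struct ebt_entry); \
-__i < (e)->watchers_offset; \
-__i += __match->match_size + \
-sizeof(struct ebt_entry_match)) { \
-__match = (void *)(e) + __i; \
-\
-__ret = fn(__match , ## args); \
-if (__ret != 0) \
-break; \
-} \
-if (__ret == 0) { \
-if (__i != (e)->watchers_offset) \
-__ret = -EINVAL; \
-} \
-__ret; \
-})
-
-#define EBT_WATCHER_ITERATE(e, fn, args...) \
-({ \
-unsigned int __i; \
-int __ret = 0; \
-struct ebt_entry_watcher *__watcher; \
-\
-for (__i = e->watchers_offset; \
-__i < (e)->target_offset; \
-__i += __watcher->watcher_size + \
-sizeof(struct ebt_entry_watcher)) { \
-__watcher = (void *)(e) + __i; \
-\
-__ret = fn(__watcher , ## args); \
-if (__ret != 0) \
-break; \
-} \
-if (__ret == 0) { \
-if (__i != (e)->target_offset) \
-__ret = -EINVAL; \
-} \
-__ret; \
-})
-
-#define EBT_ENTRY_ITERATE(entries, size, fn, args...) \
-({ \
-unsigned int __i; \
-int __ret = 0; \
-struct ebt_entry *__entry; \
-\
-for (__i = 0; __i < (size);) { \
-__entry = (void *)(entries) + __i; \
-__ret = fn(__entry , ## args); \
-if (__ret != 0) \
-break; \
-if (__entry->bitmask != 0) \
-__i += __entry->next_offset; \
-else \
-__i += sizeof(struct ebt_entries); \
-} \
-if (__ret == 0) { \
-if (__i != (size)) \
-__ret = -EINVAL; \
-} \
-__ret; \
-})
-
 #endif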
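--- a/include/uapi/linux/netfilter_bridge/Kbuild
+++ b/include/uapi/linux/netfilter_bridge/Kbuild
@@ -1 +1,19 @@
 # UAPI Header export list
+header-y += ebt_802_3.h
+header-y += ebt_among.h
+header-y += ebt_arp.h
+header-y += ebt_arpreply.h
+header-y += ebt_ip.h
+header-y += ebt_ip6.h
+header-y += ebt_limit.h
+header-y += ebt_log.h
+header-y += ebt_mark_m.h
+header-y += ebt_mark_t.h
+header-y += ebt_nat.h
+header-y += ebt_nflog.h
+header-y += ebt_pkttype.h
+header-y += ebt_redirect.h
+header-y += ebt_stp.h
+header-y += ebt_ulog.h
+header-y += ebt_vlan.h
+header-y += ebtables.h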
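--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
@@ -0,0 +1,62 @@
+#ifndef _UAPI__LINUX_BRIDGE_EBT_802_3_H
+#define _UAPI__LINUX_BRIDGE_EBT_802_3_H
+
+#include <linux/types.h>
+
+#define EBT_802_3_SAP 0x01
+#define EBT_802_3_TYPE 0x02
+
+#define EBT_802_3_MATCH "802_3"
+
+/*
+* If frame has DSAP/SSAP value 0xaa you must check the SNAP type
+* to discover what kind of packet we're carrying.
+*/
+#define CHECK_TYPE 0xaa
+
+/*
+* Control field may be one or two bytes. If the first byte has
+* the value 0x03 then the entire length is one byte, otherwise it is two.
+* One byte controls are used in Unnumbered Information frames.
+* Two byte controls are used in Numbered Information frames.
+*/
+#define IS_UI 0x03
+
+#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
+
+/* ui has one byte ctrl, ni has two */
+struct hdr_ui {
+__u8 dsap;
+__u8 ssap;
+__u8 ctrl;
+__u8 orig[3];
+__be16 type;
+};
+
+struct hdr_ni {
+__u8 dsap;
+__u8 ssap;
+__be16 ctrl;
+__u8 orig[3];
+__be16 type;
+};
+
+struct ebt_802_3_hdr {
+__u8 daddr[6];
+__u8 saddr[6];
+__be16 len;
+union {
+struct hdr_ui ui;
+struct hdr_ni ni;
+} llc;
+};
+
+
+struct ebt_802_3_info {
+__u8 sap;
+__be16 type;
+__u8 bitmask;
+__u8 invflags;
+};
+
+#endif /* _UAPI__LINUX_BRIDGE_EBT_802_3_H */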
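Review bot: `EBT_802_3_MASK` in this new exported header expands to `EBT_802_3`, which the header neither defines nor includes — it only pulls in `<linux/types.h>`, while `EBT_802_3` is defined in the new uapi ebtables.h of the same commit. A userspace program that includes only this header and uses the mask therefore fails with an undefined identifier; either add `#include <linux/netfilter_bridge/ebtables.h>` after the types include, or put a one-line comment above the mask stating that ebtables.h must be included first. The unprefixed `CHECK_TYPE` and `IS_UI` macros are also part of the user-visible namespace now that this file lives under uapi, so a short comment noting they are kept as-is for compatibility would help the next reader who is tempted to rename them.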
diff --git a/include/linux/netfilter_bridge/ebt_among.h b/include/uapi/linux/netfilter_bridge/ebt_among.h index bd4e3ad0b706..bd4e3ad0b706 100644 --- a/include/linux/netfilter_bridge/ebt_among.h +++ b/include/uapi/linux/netfilter_bridge/ebt_among.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_arp.h b/include/uapi/linux/netfilter_bridge/ebt_arp.h index 522f3e427f49..522f3e427f49 100644 --- a/include/linux/netfilter_bridge/ebt_arp.h +++ b/include/uapi/linux/netfilter_bridge/ebt_arp.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_arpreply.h b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h index 7e77896e1fbf..7e77896e1fbf 100644 --- a/include/linux/netfilter_bridge/ebt_arpreply.h +++ b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_ip.h b/include/uapi/linux/netfilter_bridge/ebt_ip.h index c4bbc41b0ea4..c4bbc41b0ea4 100644 --- a/include/linux/netfilter_bridge/ebt_ip.h +++ b/include/uapi/linux/netfilter_bridge/ebt_ip.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_ip6.h b/include/uapi/linux/netfilter_bridge/ebt_ip6.h index 42b889682721..42b889682721 100644 --- a/include/linux/netfilter_bridge/ebt_ip6.h +++ b/include/uapi/linux/netfilter_bridge/ebt_ip6.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_limit.h b/include/uapi/linux/netfilter_bridge/ebt_limit.h index 66d80b30ba0e..66d80b30ba0e 100644 --- a/include/linux/netfilter_bridge/ebt_limit.h +++ b/include/uapi/linux/netfilter_bridge/ebt_limit.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_log.h b/include/uapi/linux/netfilter_bridge/ebt_log.h index 7e7f1d1fe494..7e7f1d1fe494 100644 --- a/include/linux/netfilter_bridge/ebt_log.h +++ b/include/uapi/linux/netfilter_bridge/ebt_log.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_mark_m.h b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h index 410f9e5a71d4..410f9e5a71d4 100644 --- a/include/linux/netfilter_bridge/ebt_mark_m.h +++ b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_mark_t.h b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h index 7d5a268a4311..7d5a268a4311 100644 --- a/include/linux/netfilter_bridge/ebt_mark_t.h +++ b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_nat.h b/include/uapi/linux/netfilter_bridge/ebt_nat.h index 5e74e3b03bd6..5e74e3b03bd6 100644 --- a/include/linux/netfilter_bridge/ebt_nat.h +++ b/include/uapi/linux/netfilter_bridge/ebt_nat.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_nflog.h b/include/uapi/linux/netfilter_bridge/ebt_nflog.h index df829fce9125..df829fce9125 100644 --- a/include/linux/netfilter_bridge/ebt_nflog.h +++ b/include/uapi/linux/netfilter_bridge/ebt_nflog.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_pkttype.h b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h index c241badcd036..c241badcd036 100644 --- a/include/linux/netfilter_bridge/ebt_pkttype.h +++ b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_redirect.h b/include/uapi/linux/netfilter_bridge/ebt_redirect.h index dd9622ce8488..dd9622ce8488 100644 --- a/include/linux/netfilter_bridge/ebt_redirect.h +++ b/include/uapi/linux/netfilter_bridge/ebt_redirect.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_stp.h b/include/uapi/linux/netfilter_bridge/ebt_stp.h index 1025b9f5fb7d..1025b9f5fb7d 100644 --- a/include/linux/netfilter_bridge/ebt_stp.h +++ b/include/uapi/linux/netfilter_bridge/ebt_stp.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_ulog.h b/include/uapi/linux/netfilter_bridge/ebt_ulog.h index 89a6becb5269..89a6becb5269 100644 --- a/include/linux/netfilter_bridge/ebt_ulog.h +++ b/include/uapi/linux/netfilter_bridge/ebt_ulog.h | |||
diff --git a/include/linux/netfilter_bridge/ebt_vlan.h b/include/uapi/linux/netfilter_bridge/ebt_vlan.h index 967d1d5cf98d..967d1d5cf98d 100644 --- a/include/linux/netfilter_bridge/ebt_vlan.h +++ b/include/uapi/linux/netfilter_bridge/ebt_vlan.h | |||
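--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebtables.h
@@ -0,0 +1,268 @@
+/*
+* ebtables
+*
+* Authors:
+* Bart De Schuymer <bdschuym@pandora.be>
+*
+* ebtables.c,v 2.0, April, 2002
+*
+* This code is stongly inspired on the iptables code which is
+* Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
+*/
+
+#ifndef _UAPI__LINUX_BRIDGE_EFF_H
+#define _UAPI__LINUX_BRIDGE_EFF_H
+#include <linux/if.h>
+#include <linux/netfilter_bridge.h>
+#include <linux/if_ether.h>
+
+#define EBT_TABLE_MAXNAMELEN 32
+#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
+#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
+
+/* verdicts >0 are "branches" */
+#define EBT_ACCEPT -1
+#define EBT_DROP -2
+#define EBT_CONTINUE -3
+#define EBT_RETURN -4
+#define NUM_STANDARD_TARGETS 4
+/* ebtables target modules store the verdict inside an int. We can
+* reclaim a part of this int for backwards compatible extensions.
+* The 4 lsb are more than enough to store the verdict. */
+#define EBT_VERDICT_BITS 0x0000000F
+
+struct xt_match;
+struct xt_target;
+
+struct ebt_counter {
+uint64_t pcnt;
+uint64_t bcnt;
+};
+
+struct ebt_replace {
+char name[EBT_TABLE_MAXNAMELEN];
+unsigned int valid_hooks;
+/* nr of rules in the table */
+unsigned int nentries;
+/* total size of the entries */
+unsigned int entries_size;
+/* start of the chains */
+struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
+/* nr of counters userspace expects back */
+unsigned int num_counters;
+/* where the kernel will put the old counters */
+struct ebt_counter __user *counters;
+char __user *entries;
+};
+
+struct ebt_replace_kernel {
+char name[EBT_TABLE_MAXNAMELEN];
+unsigned int valid_hooks;
+/* nr of rules in the table */
+unsigned int nentries;
+/* total size of the entries */
+unsigned int entries_size;
+/* start of the chains */
+struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
+/* nr of counters userspace expects back */
+unsigned int num_counters;
+/* where the kernel will put the old counters */
+struct ebt_counter *counters;
+char *entries;
+};
+
+struct ebt_entries {
+/* this field is always set to zero
+* See EBT_ENTRY_OR_ENTRIES.
+* Must be same size as ebt_entry.bitmask */
+unsigned int distinguisher;
+/* the chain name */
+char name[EBT_CHAIN_MAXNAMELEN];
+/* counter offset for this chain */
+unsigned int counter_offset;
+/* one standard (accept, drop, return) per hook */
+int policy;
+/* nr. of entries */
+unsigned int nentries;
+/* entry list */
+char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+/* used for the bitmask of struct ebt_entry */
+
+/* This is a hack to make a difference between an ebt_entry struct and an
+* ebt_entries struct when traversing the entries from start to end.
+* Using this simplifies the code a lot, while still being able to use
+* ebt_entries.
+* Contrary, iptables doesn't use something like ebt_entries and therefore uses
+* different techniques for naming the policy and such. So, iptables doesn't
+* need a hack like this.
+*/
+#define EBT_ENTRY_OR_ENTRIES 0x01
+/* these are the normal masks */
+#define EBT_NOPROTO 0x02
+#define EBT_802_3 0x04
+#define EBT_SOURCEMAC 0x08
+#define EBT_DESTMAC 0x10
+#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
+| EBT_ENTRY_OR_ENTRIES)
+
+#define EBT_IPROTO 0x01
+#define EBT_IIN 0x02
+#define EBT_IOUT 0x04
+#define EBT_ISOURCE 0x8
+#define EBT_IDEST 0x10
+#define EBT_ILOGICALIN 0x20
+#define EBT_ILOGICALOUT 0x40
+#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
+| EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
+
+struct ebt_entry_match {
+union {
+char name[EBT_FUNCTION_MAXNAMELEN];
+struct xt_match *match;
+} u;
+/* size of data */
+unsigned int match_size;
+unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+struct ebt_entry_watcher {
+union {
+char name[EBT_FUNCTION_MAXNAMELEN];
+struct xt_target *watcher;
+} u;
+/* size of data */
+unsigned int watcher_size;
+unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+struct ebt_entry_target {
+union {
+char name[EBT_FUNCTION_MAXNAMELEN];
+struct xt_target *target;
+} u;
+/* size of data */
+unsigned int target_size;
+unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+#define EBT_STANDARD_TARGET "standard"
+struct ebt_standard_target {
+struct ebt_entry_target target;
+int verdict;
+};
+
+/* one entry */
+struct ebt_entry {
+/* this needs to be the first field */
+unsigned int bitmask;
+unsigned int invflags;
+__be16 ethproto;
+/* the physical in-dev */
+char in[IFNAMSIZ];
+/* the logical in-dev */
+char logical_in[IFNAMSIZ];
+/* the physical out-dev */
+char out[IFNAMSIZ];
+/* the logical out-dev */
+char logical_out[IFNAMSIZ];
+unsigned char sourcemac[ETH_ALEN];
+unsigned char sourcemsk[ETH_ALEN];
+unsigned char destmac[ETH_ALEN];
+unsigned char destmsk[ETH_ALEN];
+/* sizeof ebt_entry + matches */
+unsigned int watchers_offset;
+/* sizeof ebt_entry + matches + watchers */
+unsigned int target_offset;
+/* sizeof ebt_entry + matches + watchers + target */
+unsigned int next_offset;
+unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+/* {g,s}etsockopt numbers */
+#define EBT_BASE_CTL 128
+
+#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
+#define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1)
+#define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1)
+
+#define EBT_SO_GET_INFO (EBT_BASE_CTL)
+#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1)
+#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1)
+#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
+#define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1)
+
+
+/* blatently stolen from ip_tables.h
+* fn returns 0 to continue iteration */
+#define EBT_MATCH_ITERATE(e, fn, args...) \
+({ \
+unsigned int __i; \
+int __ret = 0; \
+struct ebt_entry_match *__match; \
+\
+for (__i = sizeof(struct ebt_entry); \
+__i < (e)->watchers_offset; \
+__i += __match->match_size + \
+sizeof(struct ebt_entry_match)) { \
+__match = (void *)(e) + __i; \
+\
+__ret = fn(__match , ## args); \
+if (__ret != 0) \
+break; \
+} \
+if (__ret == 0) { \
+if (__i != (e)->watchers_offset) \
+__ret = -EINVAL; \
+} \
+__ret; \
+})
+
+#define EBT_WATCHER_ITERATE(e, fn, args...) \
+({ \
+unsigned int __i; \
+int __ret = 0; \
+struct ebt_entry_watcher *__watcher; \
+\
+for (__i = e->watchers_offset; \
+__i < (e)->target_offset; \
+__i += __watcher->watcher_size + \
+sizeof(struct ebt_entry_watcher)) { \
+__watcher = (void *)(e) + __i; \
+\
+__ret = fn(__watcher , ## args); \
+if (__ret != 0) \
+break; \
+} \
+if (__ret == 0) { \
+if (__i != (e)->target_offset) \
+__ret = -EINVAL; \
+} \
+__ret; \
+})
+
+#define EBT_ENTRY_ITERATE(entries, size, fn, args...) \
+({ \
+unsigned int __i; \
+int __ret = 0; \
+struct ebt_entry *__entry; \
+\
+for (__i = 0; __i < (size);) { \
+__entry = (void *)(entries) + __i; \
+__ret = fn(__entry , ## args); \
+if (__ret != 0) \
+break; \
+if (__entry->bitmask != 0) \
+__i += __entry->next_offset; \
+else \
+__i += sizeof(struct ebt_entries); \
+} \
+if (__ret == 0) { \
+if (__i != (size)) \
+__ret = -EINVAL; \
+} \
+__ret; \
+})
+
+#endif /* _UAPI__LINUX_BRIDGE_EFF_H */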
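Review bot: `struct ebt_counter` in this new exported header declares its fields as `uint64_t pcnt;` / `uint64_t bcnt;`, but `uint64_t` is not a kernel UAPI type and none of the three includes at the top (`<linux/if.h>`, `<linux/netfilter_bridge.h>`, `<linux/if_ether.h>`) is guaranteed to provide it for userspace; since this layout is the user/kernel ABI for the counter socket options, the fields should be `__u64 pcnt;` / `__u64 bcnt;` with `<linux/types.h>` included explicitly, so that consumers are not required to include `<stdint.h>` first. Separately, `struct ebt_replace_kernel` carries plain kernel pointers rather than `__user` ones and looks kernel-internal, so it probably belongs in the include/linux side of this split rather than in the exported header; the three `EBT_*_ITERATE` macros are in the same position, as they depend on GCC statement expressions, `void *` arithmetic and `EINVAL` without including `<errno.h>`. The `__user` annotations on `struct ebt_replace` presumably get stripped by the header-install step, which is worth confirming for this newly exported path.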
