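#ifndef _NFT_BRIDGE_H_
#define _NFT_BRIDGE_H_

/* Standard headers for the names this file uses itself (bool, uint16_t,
 * strcmp), so the header is self-contained regardless of include order. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#include <netinet/in.h>
//#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/nf_tables.h>
#include <net/ethernet.h>
#include <libiptc/libxtc.h>

/* We use replace->flags, so we can't use the following values:
 * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */
#define LIST_N		0x04
#define LIST_C		0x08
#define LIST_X		0x10
#define LIST_MAC2	0x20

/* Be backwards compatible, so don't use '+' in kernel */
#define IF_WILDCARD	1

/* MAC address / mask pairs, one per address class named in the identifier.
 * Defined in the corresponding .c file. */
extern unsigned char eb_mac_type_unicast[ETH_ALEN];
extern unsigned char eb_msk_type_unicast[ETH_ALEN];
extern unsigned char eb_mac_type_multicast[ETH_ALEN];
extern unsigned char eb_msk_type_multicast[ETH_ALEN];
extern unsigned char eb_mac_type_broadcast[ETH_ALEN];
extern unsigned char eb_msk_type_broadcast[ETH_ALEN];
extern unsigned char eb_mac_type_bridge_group[ETH_ALEN];
extern unsigned char eb_msk_type_bridge_group[ETH_ALEN];

/* Parses the MAC (and, presumably, an optional mask) given as text in @from
 * into @to and @mask. Implemented elsewhere; the return-value convention is
 * not visible from this header — check the definition before relying on it. */
int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask);

/* From: include/linux/netfilter_bridge/ebtables.h
 *
 * Adapted for the need of the ebtables-compat.
 */

#define EBT_TABLE_MAXNAMELEN	32
#define EBT_CHAIN_MAXNAMELEN	EBT_TABLE_MAXNAMELEN
#define EBT_FUNCTION_MAXNAMELEN	EBT_TABLE_MAXNAMELEN

/* verdicts >0 are "branches" */
#define EBT_ACCEPT		-1
#define EBT_DROP		-2
#define EBT_CONTINUE		-3
#define EBT_RETURN		-4
/* Number of entries in ebt_standard_targets below; standard verdict v maps
 * to table index -v - 1. */
#define NUM_STANDARD_TARGETS	4

#define EBT_ENTRY_OR_ENTRIES	0x01
/* these are the normal masks */
#define EBT_NOPROTO		0x02
#define EBT_802_3		0x04
#define EBT_SOURCEMAC		0x08
#define EBT_DESTMAC		0x10
#define EBT_F_MASK		(EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
				 | EBT_ENTRY_OR_ENTRIES)

/* inversion flags, one bit per invertible field */
#define EBT_IPROTO		0x01
#define EBT_IIN			0x02
#define EBT_IOUT		0x04
#define EBT_ISOURCE		0x8
#define EBT_IDEST		0x10
#define EBT_ILOGICALIN		0x20
#define EBT_ILOGICALOUT		0x40
#define EBT_INV_MASK		(EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
				 | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)

/* ebtables target modules store the verdict inside an int. We can
 * reclaim a part of this int for backwards compatible extensions.
 * The 4 lsb are more than enough to store the verdict.
 */
#define EBT_VERDICT_BITS	0x0000000F

/* Fake ebt_entry */
struct ebt_entry {
	/* this needs to be the first field */
	unsigned int bitmask;
	/* EBT_I* bits, see EBT_INV_MASK */
	unsigned int invflags;
	uint16_t ethproto;
	/* the physical in-dev */
	char in[IFNAMSIZ];
	/* the logical in-dev */
	char logical_in[IFNAMSIZ];
	/* the physical out-dev */
	char out[IFNAMSIZ];
	/* the logical out-dev */
	char logical_out[IFNAMSIZ];
	unsigned char sourcemac[ETH_ALEN];
	unsigned char sourcemsk[ETH_ALEN];
	unsigned char destmac[ETH_ALEN];
	unsigned char destmsk[ETH_ALEN];

	unsigned char in_mask[IFNAMSIZ];
	unsigned char out_mask[IFNAMSIZ];
};

/* trick for ebtables-compat, since watchers are targets */
struct ebt_match {
	struct ebt_match *next;
	union {
		struct xtables_match *match;
		struct xtables_target *watcher;
	} u;
	/* true: u.match is valid; false: u.watcher is valid */
	bool ismatch;
};

/* Parser state for one ebtables rule being built or printed. */
struct ebtables_command_state {
	struct ebt_entry fw;
	struct xtables_target *target;
	struct xtables_rule_match *matches;
	struct ebt_match *match_list;
	const char *jumpto;
	struct xt_counters counters;
	int invert;
	int c;
	char **argv;
	int proto_used;
	char *protocol;
	unsigned int options;
};

/* Fills @cs from the nftnl rule @r. Defined elsewhere. */
void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
					struct ebtables_command_state *cs);

/* Names of the standard targets, indexed so that entry i is the target with
 * verdict -(i + 1): ACCEPT = -1, DROP = -2, CONTINUE = -3, RETURN = -4. */
static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
	"ACCEPT",
	"DROP",
	"CONTINUE",
	"RETURN",
};

/* Returns the name of standard target number @num (0 .. NUM_STANDARD_TARGETS
 * - 1), or NULL for any other value. The bound check must be >=: with a
 * plain > an index equal to NUM_STANDARD_TARGETS would read one pointer past
 * the end of ebt_standard_targets. */
static inline const char *nft_ebt_standard_target(unsigned int num)
{
	if (num >= NUM_STANDARD_TARGETS)
		return NULL;

	return ebt_standard_targets[num];
}

/* Looks @str up among the standard target names. On a match, stores the
 * encoded verdict (-1 for ACCEPT .. -4 for RETURN, converted to unsigned) in
 * @verdict and returns 0. Returns 1 and leaves @verdict untouched when @str
 * is NULL or not a standard target name. */
static inline int ebt_fill_target(const char *str, unsigned int *verdict)
{
	int i;

	/* strcmp() on NULL is undefined; treat it as "not a standard target" */
	if (str == NULL)
		return 1;

	for (i = 0; i < NUM_STANDARD_TARGETS; i++) {
		if (strcmp(str, nft_ebt_standard_target(i)) == 0) {
			/* table index i encodes verdict -(i + 1); the
			 * negative value wraps into the unsigned slot */
			*verdict = -i - 1;
			return 0;
		}
	}

	return 1;
}

/* Inverse of ebt_fill_target(): returns the name for an encoded standard
 * verdict (EBT_ACCEPT .. EBT_RETURN stored as unsigned), or NULL for any
 * other value — including 0 and the positive "branch" verdicts, for which
 * -verdict - 1 wraps to an index outside the table. */
static inline const char *ebt_target_name(unsigned int verdict)
{
	return nft_ebt_standard_target(-verdict - 1);
}

/* Records option bit @mask in *@flags, reporting PARAMETER_PROBLEM through
 * xtables_error() if that bit was already set (each option may be given only
 * once). GNU statement expression; both arguments are parenthesized so a
 * compound @mask such as (A | B) is tested as a whole. Use as a statement. */
#define EBT_CHECK_OPTION(flags, mask) ({				\
	if (*(flags) & (mask))						\
		xtables_error(PARAMETER_PROBLEM,			\
			      "Multiple use of same "			\
			      "option not allowed");			\
	*(flags) |= (mask);						\
})

/* Cleanup hook for a command state; defined elsewhere. */
void ebt_cs_clean(struct ebtables_command_state *cs);

#endif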