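#ifndef _NFT_BRIDGE_H_
#define _NFT_BRIDGE_H_

/* Standard headers for the types and calls this header itself uses
 * (uint16_t, bool, strcmp()), so it compiles regardless of include order. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#include <netinet/in.h>
/* <linux/netfilter_bridge/ebtables.h> is intentionally not included: the
 * subset of its definitions that ebtables-compat needs is re-declared in
 * this header, adapted to the nftables backend. */
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/nf_tables.h>
#include <net/ethernet.h>
#include <libiptc/libxtc.h>

/* We use replace->flags, so we can't use the following values:
 * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */
#define LIST_N		0x04
#define LIST_C		0x08
#define LIST_X		0x10
#define LIST_MAC2	0x20

/* Be backwards compatible, so don't use '+' in kernel */
#define IF_WILDCARD 1

/* Well-known MAC address / mask pairs (unicast, multicast, broadcast and
 * bridge group address); defined in the .c counterpart of this header. */
extern unsigned char eb_mac_type_unicast[ETH_ALEN];
extern unsigned char eb_msk_type_unicast[ETH_ALEN];
extern unsigned char eb_mac_type_multicast[ETH_ALEN];
extern unsigned char eb_msk_type_multicast[ETH_ALEN];
extern unsigned char eb_mac_type_broadcast[ETH_ALEN];
extern unsigned char eb_msk_type_broadcast[ETH_ALEN];
extern unsigned char eb_mac_type_bridge_group[ETH_ALEN];
extern unsigned char eb_msk_type_bridge_group[ETH_ALEN];

/* Parse the textual MAC specification in `from` into the ETH_ALEN-byte
 * buffers `to` (address) and `mask`. The accepted syntax and the meaning of
 * the return value are documented with the definition. */
int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask);

/* From: include/linux/netfilter_bridge/ebtables.h
 *
 * Adapted for the need of the ebtables-compat.
 */

#define EBT_TABLE_MAXNAMELEN 32
#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN

/* verdicts >0 are "branches"; the four standard verdicts are negative and
 * encoded as -(index) - 1, index being the position in ebt_standard_targets */
#define EBT_ACCEPT   (-1)
#define EBT_DROP     (-2)
#define EBT_CONTINUE (-3)
#define EBT_RETURN   (-4)
#define NUM_STANDARD_TARGETS 4

#define EBT_ENTRY_OR_ENTRIES 0x01
/* these are the normal masks */
#define EBT_NOPROTO 0x02
#define EBT_802_3 0x04
#define EBT_SOURCEMAC 0x08
#define EBT_DESTMAC 0x10
#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
		    | EBT_ENTRY_OR_ENTRIES)

/* inversion flags (ebt_entry.invflags) */
#define EBT_IPROTO 0x01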
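#define EBT_IIN 0x02
#define EBT_IOUT 0x04
#define EBT_ISOURCE 0x08
#define EBT_IDEST 0x10
#define EBT_ILOGICALIN 0x20
#define EBT_ILOGICALOUT 0x40
#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
		      | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)

/* ebtables target modules store the verdict inside an int. We can
 * reclaim a part of this int for backwards compatible extensions.
 * The 4 lsb are more than enough to store the verdict.
 */
#define EBT_VERDICT_BITS 0x0000000F

/* Fake ebt_entry: the rule header as ebtables-compat keeps it in user space.
 * Only the fields needed to build/print a rule are kept. */
struct ebt_entry {
	/* this needs to be the first field */
	unsigned int bitmask;
	/* EBT_I* inversion flags */
	unsigned int invflags;
	uint16_t ethproto;
	/* the physical in-dev */
	char in[IFNAMSIZ];
	/* the logical in-dev */
	char logical_in[IFNAMSIZ];
	/* the physical out-dev */
	char out[IFNAMSIZ];
	/* the logical out-dev */
	char logical_out[IFNAMSIZ];
	unsigned char sourcemac[ETH_ALEN];
	unsigned char sourcemsk[ETH_ALEN];
	unsigned char destmac[ETH_ALEN];
	unsigned char destmsk[ETH_ALEN];

	/* per-byte masks applied to in/out when matching interface names */
	unsigned char in_mask[IFNAMSIZ];
	unsigned char out_mask[IFNAMSIZ];
};

/* trick for ebtables-compat, since watchers are targets: one list node that
 * holds either a match or a watcher (a target), selected by `ismatch` */
struct ebt_match {
	struct ebt_match *next;
	union {
		struct xtables_match *match;
		struct xtables_target *watcher;
	} u;
	bool ismatch;
};

/* Everything parsed from one ebtables command line for a single rule. */
struct ebtables_command_state {
	struct ebt_entry fw;
	struct xtables_target *target;
	struct xtables_rule_match *matches;
	/* matches and watchers in command-line order */
	struct ebt_match *match_list;
	const char *jumpto;
	struct xt_counters counters;
	int invert;
	int c;
	char **argv;
	int proto_used;
	char *protocol;
	/* LIST_* and option flags, see EBT_CHECK_OPTION() */
	unsigned int options;
};

/* Fill `cs` from the nftables rule `r`; implemented in the .c counterpart. */
void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
					struct ebtables_command_state *cs);

/* Names of the standard verdicts. Index i corresponds to the verdict
 * -i - 1, i.e. 0 -> EBT_ACCEPT, 1 -> EBT_DROP, 2 -> EBT_CONTINUE,
 * 3 -> EBT_RETURN. */
static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
	"ACCEPT",
	"DROP",
	"CONTINUE",
	"RETURN",
};

/* Return the name of standard target `num` (an index into
 * ebt_standard_targets), or NULL when `num` is out of range.
 *
 * The bound is `>=`: the table has NUM_STANDARD_TARGETS entries, so
 * num == NUM_STANDARD_TARGETS must be rejected too. ebt_target_name() can
 * produce exactly that index for the verdict (unsigned)-5, which previously
 * read one element past the end of the table. */
static inline const char *nft_ebt_standard_target(unsigned int num)
{
	if (num >= NUM_STANDARD_TARGETS)
		return NULL;

	return ebt_standard_targets[num];
}

/* Look up the standard target named `str`.
 *
 * On success store its verdict encoding (-index - 1, wrapped into the
 * unsigned verdict, so "ACCEPT" yields (unsigned)EBT_ACCEPT and so on)
 * in *verdict and return 0. Return 1, leaving *verdict untouched, when
 * `str` is not a standard target name. */
static inline int ebt_fill_target(const char *str, unsigned int *verdict)
{
	unsigned int i;

	for (i = 0; i < NUM_STANDARD_TARGETS; i++) {
		if (strcmp(str, ebt_standard_targets[i]) == 0) {
			*verdict = (unsigned int)(-(int)i - 1);
			return 0;
		}
	}

	return 1;
}

/* Inverse of ebt_fill_target(): name of the standard verdict `verdict`, or
 * NULL for any value that is not one of the four standard encodings. The
 * unsigned arithmetic wraps (unsigned)EBT_ACCEPT back to index 0; any
 * positive "branch" verdict yields a huge index and therefore NULL. */
static inline const char *ebt_target_name(unsigned int verdict)
{
	return nft_ebt_standard_target(-verdict - 1);
}

/* Reject a command-line option that is given twice: *flags accumulates the
 * options seen so far; if `mask` is already set, abort through
 * xtables_error() (declared in <xtables.h>, which the including file must
 * provide), otherwise record it. Statement expression, GCC/Clang only. */
#define EBT_CHECK_OPTION(flags, mask) ({ \
	if (*(flags) & (mask)) \
		xtables_error(PARAMETER_PROBLEM, \
			      "Multiple use of same " \
			      "option not allowed"); \
	*(flags) |= (mask); \
})

/* Release the resources held by `cs`; implemented in the .c counterpart. */
void ebt_cs_clean(struct ebtables_command_state *cs);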
#endif /* _NFT_BRIDGE_H_ */