1#ifndef _NFT_BRIDGE_H_
2#define _NFT_BRIDGE_H_
3
4#include <netinet/in.h>
5//#include <linux/netfilter_bridge/ebtables.h>
6#include <linux/netfilter/x_tables.h>
7#include <linux/netfilter/nf_tables.h>
8#include <net/ethernet.h>
9#include <libiptc/libxtc.h>
10
11/* We use replace->flags, so we can't use the following values:
12 * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */
13#define LIST_N	  0x04
14#define LIST_C	  0x08
15#define LIST_X	  0x10
16#define LIST_MAC2 0x20
17
18/* Be backwards compatible, so don't use '+' in kernel */
19#define IF_WILDCARD 1
20
/*
 * Well-known MAC address classes, each given as an address/mask pair
 * (definitions live in the corresponding .c file).  Presumably what
 * ebt_get_mac_and_mask() substitutes for symbolic address names -
 * confirm against the definitions.
 */
extern unsigned char eb_mac_type_unicast[ETH_ALEN];
extern unsigned char eb_msk_type_unicast[ETH_ALEN];
extern unsigned char eb_mac_type_multicast[ETH_ALEN];
extern unsigned char eb_msk_type_multicast[ETH_ALEN];
extern unsigned char eb_mac_type_broadcast[ETH_ALEN];
extern unsigned char eb_msk_type_broadcast[ETH_ALEN];
extern unsigned char eb_mac_type_bridge_group[ETH_ALEN];
extern unsigned char eb_msk_type_bridge_group[ETH_ALEN];
29
/*
 * Parse the MAC address text in `from` into the ETH_ALEN-byte buffers
 * `to` (address) and `mask`.  The return convention is not visible in
 * this header - presumably 0 on success and non-zero on a parse error;
 * confirm against the definition.  `to` and `mask` must each have room
 * for ETH_ALEN bytes.
 */
int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask);
31
32/* From: include/linux/netfilter_bridge/ebtables.h
33 *
34 * Adapted for the need of the ebtables-compat.
35 */
36
37#define EBT_TABLE_MAXNAMELEN 32
38#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
39#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
40
41/* verdicts >0 are "branches" */
42#define EBT_ACCEPT   -1
43#define EBT_DROP     -2
44#define EBT_CONTINUE -3
45#define EBT_RETURN   -4
46#define NUM_STANDARD_TARGETS   4
47
48#define EBT_ENTRY_OR_ENTRIES 0x01
49/* these are the normal masks */
50#define EBT_NOPROTO 0x02
51#define EBT_802_3 0x04
52#define EBT_SOURCEMAC 0x08
53#define EBT_DESTMAC 0x10
54#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
55   | EBT_ENTRY_OR_ENTRIES)
56
57#define EBT_IPROTO 0x01
58#define EBT_IIN 0x02
59#define EBT_IOUT 0x04
60#define EBT_ISOURCE 0x8
61#define EBT_IDEST 0x10
62#define EBT_ILOGICALIN 0x20
63#define EBT_ILOGICALOUT 0x40
64#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
65   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
66
67/* ebtables target modules store the verdict inside an int. We can
68 * reclaim a part of this int for backwards compatible extensions.
69 * The 4 lsb are more than enough to store the verdict.
70 */
71#define EBT_VERDICT_BITS 0x0000000F
72
73/* Fake ebt_entry */
/*
 * User-space stand-in for the kernel's struct ebt_entry, adapted from
 * include/linux/netfilter_bridge/ebtables.h for ebtables-compat (see the
 * note above).  Holds the Ethernet-level match fields of one rule.
 */
struct ebt_entry {
	/* this needs to be the first field */
	unsigned int bitmask;		/* match flag bits - presumably those collected in EBT_F_MASK above; confirm */
	unsigned int invflags;		/* inversion bits - presumably those collected in EBT_INV_MASK above; confirm */
	uint16_t ethproto;		/* Ethernet protocol to match; byte order is not established in this header */
	/* the physical in-dev */
	char in[IFNAMSIZ];
	/* the logical in-dev */
	char logical_in[IFNAMSIZ];
	/* the physical out-dev */
	char out[IFNAMSIZ];
	/* the logical out-dev */
	char logical_out[IFNAMSIZ];
	unsigned char sourcemac[ETH_ALEN];	/* source MAC and the mask applied to it */
	unsigned char sourcemsk[ETH_ALEN];
	unsigned char destmac[ETH_ALEN];	/* destination MAC and the mask applied to it */
	unsigned char destmsk[ETH_ALEN];

	/* presumably per-byte masks over `in`/`out` for wildcard interface
	 * names (cf. the IF_WILDCARD note above) - confirm against the users */
	unsigned char in_mask[IFNAMSIZ];
	unsigned char out_mask[IFNAMSIZ];
};
95
96/* trick for ebtables-compat, since watchers are targets */
/*
 * One node of a rule's match list.  Because ebtables "watchers" are
 * implemented as xtables targets, the node holds either a match or a
 * watcher; `ismatch` tells which union member is the live one
 * (presumably - confirm against the code that builds the list).
 */
struct ebt_match {
	struct ebt_match				*next;	/* singly linked, NULL-terminated presumably */
	union {
		struct xtables_match		*match;		/* valid when ismatch is true */
		struct xtables_target		*watcher;	/* valid when ismatch is false */
	} u;
	bool					ismatch;
};
105
/*
 * State accumulated for one ebtables rule/command: the Ethernet-level
 * match (`fw`), the extensions attached to it, counters and the
 * option-parsing bookkeeping.  Presumably filled by
 * nft_rule_to_ebtables_command_state() on the listing path and torn
 * down by ebt_cs_clean() (see the prototypes below) - confirm.
 */
struct ebtables_command_state {
	struct ebt_entry fw;			/* Ethernet-level match fields */
	struct xtables_target *target;		/* target extension chosen for the rule */
	struct xtables_rule_match *matches;	/* xtables match extensions */
	struct ebt_match *match_list;		/* matches and watchers in order (struct ebt_match above) */
	const char *jumpto;			/* presumably the target / user chain name; confirm */
	struct xt_counters counters;		/* packet/byte counters */
	int invert;				/* option parsing: current '!' state, presumably */
	int c;					/* option parsing: current option character, presumably */
	char **argv;				/* option parsing: argument vector being walked */
	int proto_used;				/* whether a protocol was given, presumably; confirm */
	char *protocol;				/* textual protocol, presumably; confirm */
	unsigned int options;			/* option bitmask - presumably the *flags passed to EBT_CHECK_OPTION(); confirm */
};
120
/*
 * Presumably decodes the nftnl rule `r` into the ebtables command state
 * `cs` (the reverse direction of rule building) - confirm against the
 * definition.  The caller is responsible for releasing `cs` afterwards,
 * presumably via ebt_cs_clean().
 */
void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
					struct ebtables_command_state *cs);
123
/*
 * Names of the four standard ebtables verdicts, laid out so that entry i
 * corresponds to verdict -(i + 1): "ACCEPT" is EBT_ACCEPT (-1), "DROP" is
 * EBT_DROP (-2) and so on; ebt_fill_target() and ebt_target_name() rely
 * on that mapping.  Being `static const` in a header, every including
 * translation unit gets its own copy.
 */
static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
	[0] = "ACCEPT",		/* EBT_ACCEPT   = -1 */
	[1] = "DROP",		/* EBT_DROP     = -2 */
	[2] = "CONTINUE",	/* EBT_CONTINUE = -3 */
	[3] = "RETURN",		/* EBT_RETURN   = -4 */
};
130
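/*
 * Map a standard-target index (0 .. NUM_STANDARD_TARGETS - 1) to its name.
 *
 * Returns the entry of ebt_standard_targets[], or NULL when `num` is out
 * of range.  The bound must be `>=`: the table has exactly
 * NUM_STANDARD_TARGETS entries, so num == NUM_STANDARD_TARGETS would
 * otherwise read one element past its end.  Out-of-range indices can
 * arrive here from ebt_target_name(), which derives `num` from an
 * arbitrary verdict, so callers must be prepared for NULL.
 */
static inline const char *nft_ebt_standard_target(unsigned int num)
{
	if (num >= NUM_STANDARD_TARGETS)
		return NULL;

	return ebt_standard_targets[num];
}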
138
/*
 * Translate a standard-target name ("ACCEPT", "DROP", "CONTINUE",
 * "RETURN") into its ebtables verdict.
 *
 * On a match, *verdict is set to -(index + 1) - i.e. EBT_ACCEPT ..
 * EBT_RETURN stored in an unsigned int - and 0 is returned.  If `str`
 * names none of the standard targets, *verdict is left untouched and 1
 * is returned.  `str` must be a valid NUL-terminated string.
 */
static inline int ebt_fill_target(const char *str, unsigned int *verdict)
{
	int idx;

	for (idx = 0; idx < NUM_STANDARD_TARGETS; idx++) {
		if (strcmp(str, nft_ebt_standard_target(idx)) != 0)
			continue;

		/* standard verdicts are negative: index 0 -> -1 (EBT_ACCEPT) */
		*verdict = -idx - 1;
		return 0;
	}

	return 1;
}
155
/*
 * Name of a standard verdict, or NULL if `verdict` is not one.
 *
 * Standard verdicts are EBT_ACCEPT (-1) .. EBT_RETURN (-4) held in an
 * unsigned int; -verdict - 1 turns them back into the table index 0..3.
 * Any other value (including the positive "branch" verdicts) yields an
 * index outside the table, which nft_ebt_standard_target() reports as
 * NULL.
 */
static inline const char *ebt_target_name(unsigned int verdict)
{
	unsigned int idx = -verdict - 1;

	return nft_ebt_standard_target(idx);
}
160
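/*
 * Record option bit `mask` in *flags, rejecting a repeated option.
 *
 * `flags` points at the option bitmask being accumulated; `mask` is the
 * bit of the option just parsed.  If the bit is already set this calls
 * xtables_error(PARAMETER_PROBLEM, ...), which exits; otherwise the bit
 * is set.  Written as a GNU statement expression so it can be used
 * where an expression is expected; its value is the updated *flags.
 * Both arguments are parenthesised so compound expressions expand
 * correctly, but `mask` is still evaluated twice - pass a side-effect
 * free expression.  (The stray trailing backslash that used to glue the
 * following blank line onto the macro is gone.)
 */
#define EBT_CHECK_OPTION(flags, mask) ({			\
	if (*(flags) & (mask))					\
		xtables_error(PARAMETER_PROBLEM,		\
			      "Multiple use of same "		\
			      "option not allowed");		\
	*(flags) |= (mask);					\
})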
168
/*
 * Release whatever `cs` owns (presumably the match list and extension
 * data filled in by nft_rule_to_ebtables_command_state()) - confirm
 * against the definition.  Does not free `cs` itself.
 */
void ebt_cs_clean(struct ebtables_command_state *cs);
170
171#endif
172