/*
 *  ebtables
 *
 *	Authors:
 *	Bart De Schuymer		<bdschuym@pandora.be>
 *
 *  ebtables.c,v 2.0, April, 2002
 *
 *  This code is strongly inspired by the iptables code which is
 *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
 */
#ifndef __LINUX_BRIDGE_EFF_H
#define __LINUX_BRIDGE_EFF_H

#include <uapi/linux/netfilter_bridge/ebtables.h>

/*
 * Result codes for match() functions.
 * Mind the polarity: a successful match is 0 and a failed match is 1, so
 * the value must not be tested as a plain truth value.
 */
#define EBT_MATCH 0
#define EBT_NOMATCH 1

/*
 * Description of one ebtables match: its name, the callbacks that evaluate,
 * check and tear down a rule's match data, and the size of that data.
 */
struct ebt_match {
	struct list_head list;
	const char name[EBT_FUNCTION_MAXNAMELEN];

	/*
	 * Evaluation callback, handed the packet, both devices and the
	 * rule's matchinfo.
	 * NOTE(review): declared to return bool, while EBT_MATCH (0) and
	 * EBT_NOMATCH (1) encode a match as 0 -- confirm which convention
	 * the implementation and its caller share, because mixing the two
	 * inverts the rule.
	 */
	bool (*match)(const struct sk_buff *skb,
		      const struct net_device *in,
		      const struct net_device *out,
		      const struct xt_match *match,
		      const void *matchinfo,
		      int offset,
		      unsigned int protoff,
		      bool *hotdrop);

	/*
	 * Check callback; unlike match() it receives matchinfo writable,
	 * together with the table name, the entry and the hook mask.
	 * Presumably this is where matchinfo is validated before a rule is
	 * accepted -- the meaning of the bool result is not visible in this
	 * header, confirm against the caller.
	 */
	bool (*checkentry)(const char *table,
			   const void *entry,
			   const struct xt_match *match,
			   void *matchinfo,
			   unsigned int hook_mask);

	/* presumably releases whatever checkentry() set up -- TODO confirm */
	void (*destroy)(const struct xt_match *match, void *matchinfo);

	/*
	 * presumably the size in bytes of matchinfo -- TODO confirm.
	 * NOTE(review): if the rule loader compares rule data against this
	 * value, it has to equal what match() actually reads.
	 */
	unsigned int matchsize;
	u_int8_t revision;
	u_int8_t family;
	/* presumably the module that provides this match -- TODO confirm */
	struct module *me;
};

/*
 * Description of one ebtables watcher.  The layout mirrors struct ebt_target:
 * a name, three callbacks operating on the rule's targinfo, and its size.
 */
struct ebt_watcher {
	struct list_head list;
	const char name[EBT_FUNCTION_MAXNAMELEN];

	/*
	 * Per-packet callback; the skb is passed non-const.  What the
	 * unsigned int result means for a watcher is not stated in this
	 * header -- confirm against the caller.
	 */
	unsigned int (*target)(struct sk_buff *skb,
			       const struct net_device *in,
			       const struct net_device *out,
			       unsigned int hook_num,
			       const struct xt_target *target,
			       const void *targinfo);

	/*
	 * Check callback with writable targinfo.  Presumably the place
	 * where targinfo is validated before a rule is accepted -- the
	 * meaning of the bool result is not visible here, confirm.
	 */
	bool (*checkentry)(const char *table,
			   const void *entry,
			   const struct xt_target *target,
			   void *targinfo,
			   unsigned int hook_mask);

	/* presumably releases whatever checkentry() set up -- TODO confirm */
	void (*destroy)(const struct xt_target *target, void *targinfo);

	/* presumably the size in bytes of targinfo -- TODO confirm */
	unsigned int targetsize;
	u_int8_t revision;
	u_int8_t family;
	/* presumably the module that provides this watcher -- TODO confirm */
	struct module *me;
};

/*
 * Description of one ebtables target: a name, the callbacks that run, check
 * and tear down a rule's targinfo, and the size of that data.
 */
struct ebt_target {
	struct list_head list;
	const char name[EBT_FUNCTION_MAXNAMELEN];

	/*
	 * Per-packet callback; returns one of the standard EBT_* verdicts.
	 * The skb is passed non-const.
	 */
	unsigned int (*target)(struct sk_buff *skb,
			       const struct net_device *in,
			       const struct net_device *out,
			       unsigned int hook_num,
			       const struct xt_target *target,
			       const void *targinfo);

	/*
	 * Check callback with writable targinfo.  Presumably the place
	 * where targinfo is validated before a rule is accepted -- the
	 * meaning of the bool result is not visible here, confirm.
	 */
	bool (*checkentry)(const char *table,
			   const void *entry,
			   const struct xt_target *target,
			   void *targinfo,
			   unsigned int hook_mask);

	/* presumably releases whatever checkentry() set up -- TODO confirm */
	void (*destroy)(const struct xt_target *target, void *targinfo);

	/* presumably the size in bytes of targinfo -- TODO confirm */
	unsigned int targetsize;
	u_int8_t revision;
	u_int8_t family;
	/* presumably the module that provides this target -- TODO confirm */
	struct module *me;
};

/*
 * One saved position, used for jumping from and into user defined chains
 * (udc).
 */
struct ebt_chainstack {
	/* pointer to chain data */
	struct ebt_entries *chaininfo;
	/* pointer to entry data */
	struct ebt_entry *e;
	/* n'th entry */
	unsigned int n;
};

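/*
 * Rule data of one table (struct ebt_table points at it as "the data used
 * by the kernel"), with the counters stored directly behind the struct.
 */
struct ebt_table_info {
	/*
	 * total size of the entries
	 * NOTE(review): presumably the byte length of the blob behind
	 * `entries`; code walking that blob should bound itself by this
	 * value -- confirm.
	 */
	unsigned int entries_size;
	unsigned int nentries;
	/* pointers to the start of the chains */
	struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
	/* room to maintain the stack used for jumping from and into udc */
	struct ebt_chainstack **chainstack;
	char *entries;
	/*
	 * Trailing counters, declared as a C99 flexible array member instead
	 * of the GNU zero-length form: the compiler then enforces that it
	 * stays the last member and bounds-checking tooling can treat it as
	 * variable-length.  The element count is not recorded in this struct,
	 * so whoever allocates it must size the allocation accordingly.
	 */
	struct ebt_counter counters[] ____cacheline_aligned;
};
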
/*
 * One table: its name, the hooks it is valid for, a lock, an optional
 * policy callback and the rule data used by the kernel.
 */
struct ebt_table {
	struct list_head list;
	char name[EBT_TABLE_MAXNAMELEN];
	struct ebt_replace_kernel *table;
	unsigned int valid_hooks;
	/* NOTE(review): what exactly this lock covers is not stated here */
	rwlock_t lock;

	/*
	 * Lets a table restrict what it accepts, e.g. only certain matches
	 * or targets.  A return value of 0 means "let it in".
	 */
	int (*check)(const struct ebt_table_info *info,
		     unsigned int valid_hooks);

	/* the data used by the kernel */
	struct ebt_table_info *private;
	struct module *me;
};

/*
 * Round s up to the next multiple of the alignment of struct _xt_align.
 * NOTE(review): the addition is unchecked, so a size close to the maximum
 * of its type can wrap to a small aligned value; sizes taken from rule data
 * should be bounded before they are aligned.
 */
#define EBT_ALIGN(s) \
	(((s) + (__alignof__(struct _xt_align)-1)) & \
	 ~(__alignof__(struct _xt_align)-1))

/*
 * Table registration and removal.
 * NOTE(review): whether a failed registration is reported as NULL or as an
 * error pointer is not visible in this header -- confirm before testing the
 * result.
 */
struct ebt_table *ebt_register_table(struct net *net,
				     const struct ebt_table *table);
void ebt_unregister_table(struct net *net, struct ebt_table *table);

/* presumably runs `skb` through `table` for the given hook -- TODO confirm */
unsigned int ebt_do_table(unsigned int hook,
			  struct sk_buff *skb,
			  const struct net_device *in,
			  const struct net_device *out,
			  struct ebt_table *table);

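/*
 * Used in the kernel match() functions: XOR a comparison result with the
 * rule's inversion flag.  Expands in the caller's scope and needs a local
 * `info` that has an `invflags` member.  The flag argument is parenthesized
 * so that a compound argument such as (A | B) is masked as a whole instead
 * of being split by operator precedence.
 */
#define FWINV(cond, invflg) ((cond) ^ !!(info->invflags & (invflg)))
/*
 * True if the hook mask denotes that the rule is in a base chain,
 * used in the check() functions.  Needs a local `par` with a `hook_mask`
 * member; the marker is the bit just above the per-hook bits.
 */
#define BASE_CHAIN (par->hook_mask & (1 << NF_BR_NUMHOOKS))
/*
 * Clear the bit in the hook mask that tells if the rule is on a base chain.
 * This writes to par->hook_mask.
 */
#define CLEAR_BASE_CHAIN_BIT (par->hook_mask &= ~(1 << NF_BR_NUMHOOKS))
/*
 * True if the target is not a standard target, i.e. info->target lies
 * outside the range -NUM_STANDARD_TARGETS .. -1.  Needs a local `info` with
 * a signed `target` member.
 */
#define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
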
#endif