UAPI: (Scripted) Disintegrate include/linux/netfilter_bridge

tjh.dev / kernel

fork atom

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

fork atom

UAPI: (Scripted) Disintegrate include/linux/netfilter_bridge

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Dave Jones <davej@redhat.com>

David Howells 13 years ago 55c5cd3c 8922082a

+350 -332

22 changed files

expand all collapse all

include

linux

netfilter_bridge

Kbuild

ebt_802_3.h

ebtables.h

uapi

linux

netfilter_bridge

Kbuild

ebt_802_3.h

ebt_among.h

ebt_arp.h

ebt_arpreply.h

ebt_ip.h

ebt_ip6.h

ebt_limit.h

ebt_log.h

ebt_mark_m.h

ebt_mark_t.h

ebt_nat.h

ebt_nflog.h

ebt_pkttype.h

ebt_redirect.h

ebt_stp.h

ebt_ulog.h

ebt_vlan.h

ebtables.h

-18

include/linux/netfilter_bridge/Kbuild

reviewed

··· 1 1 - header-y += ebt_802_3.h 2 2 - header-y += ebt_among.h 3 3 - header-y += ebt_arp.h 4 4 - header-y += ebt_arpreply.h 5 5 - header-y += ebt_ip.h 6 6 - header-y += ebt_ip6.h 7 7 - header-y += ebt_limit.h 8 8 - header-y += ebt_log.h 9 9 - header-y += ebt_mark_m.h 10 10 - header-y += ebt_mark_t.h 11 11 - header-y += ebt_nat.h 12 12 - header-y += ebt_nflog.h 13 13 - header-y += ebt_pkttype.h 14 14 - header-y += ebt_redirect.h 15 15 - header-y += ebt_stp.h 16 16 - header-y += ebt_ulog.h 17 17 - header-y += ebt_vlan.h 18 18 - header-y += ebtables.h

+1 -60

include/linux/netfilter_bridge/ebt_802_3.h

reviewed

··· 1 1 #ifndef __LINUX_BRIDGE_EBT_802_3_H 2 2 #define __LINUX_BRIDGE_EBT_802_3_H 3 3 4 4 - #include <linux/types.h> 5 5 - 6 6 - #define EBT_802_3_SAP 0x01 7 7 - #define EBT_802_3_TYPE 0x02 8 8 - 9 9 - #define EBT_802_3_MATCH "802_3" 10 10 - 11 11 - /* 12 12 - * If frame has DSAP/SSAP value 0xaa you must check the SNAP type 13 13 - * to discover what kind of packet we're carrying. 14 14 - */ 15 15 - #define CHECK_TYPE 0xaa 16 16 - 17 17 - /* 18 18 - * Control field may be one or two bytes. If the first byte has 19 19 - * the value 0x03 then the entire length is one byte, otherwise it is two. 20 20 - * One byte controls are used in Unnumbered Information frames. 21 21 - * Two byte controls are used in Numbered Information frames. 22 22 - */ 23 23 - #define IS_UI 0x03 24 24 - 25 25 - #define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3) 26 26 - 27 27 - /* ui has one byte ctrl, ni has two */ 28 28 - struct hdr_ui { 29 29 - __u8 dsap; 30 30 - __u8 ssap; 31 31 - __u8 ctrl; 32 32 - __u8 orig[3]; 33 33 - __be16 type; 34 34 - }; 35 35 - 36 36 - struct hdr_ni { 37 37 - __u8 dsap; 38 38 - __u8 ssap; 39 39 - __be16 ctrl; 40 40 - __u8 orig[3]; 41 41 - __be16 type; 42 42 - }; 43 43 - 44 44 - struct ebt_802_3_hdr { 45 45 - __u8 daddr[6]; 46 46 - __u8 saddr[6]; 47 47 - __be16 len; 48 48 - union { 49 49 - struct hdr_ui ui; 50 50 - struct hdr_ni ni; 51 51 - } llc; 52 52 - }; 53 53 - 54 54 - #ifdef __KERNEL__ 55 4 #include <linux/skbuff.h> 5 5 + #include <uapi/linux/netfilter_bridge/ebt_802_3.h> 56 6 57 7 static inline struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb) 58 8 { 59 9 return (struct ebt_802_3_hdr *)skb_mac_header(skb); 60 10 } 61 61 - #endif 62 62 - 63 63 - struct ebt_802_3_info { 64 64 - __u8 sap; 65 65 - __be16 type; 66 66 - __u8 bitmask; 67 67 - __u8 invflags; 68 68 - }; 69 69 - 70 11 #endif

include/linux/netfilter_bridge/ebt_among.h include/uapi/linux/netfilter_bridge/ebt_among.h

reviewed

include/linux/netfilter_bridge/ebt_arp.h include/uapi/linux/netfilter_bridge/ebt_arp.h

reviewed

include/linux/netfilter_bridge/ebt_arpreply.h include/uapi/linux/netfilter_bridge/ebt_arpreply.h

reviewed

include/linux/netfilter_bridge/ebt_ip.h include/uapi/linux/netfilter_bridge/ebt_ip.h

reviewed

include/linux/netfilter_bridge/ebt_ip6.h include/uapi/linux/netfilter_bridge/ebt_ip6.h

reviewed

include/linux/netfilter_bridge/ebt_limit.h include/uapi/linux/netfilter_bridge/ebt_limit.h

reviewed

include/linux/netfilter_bridge/ebt_log.h include/uapi/linux/netfilter_bridge/ebt_log.h

reviewed

include/linux/netfilter_bridge/ebt_mark_m.h include/uapi/linux/netfilter_bridge/ebt_mark_m.h

reviewed

include/linux/netfilter_bridge/ebt_mark_t.h include/uapi/linux/netfilter_bridge/ebt_mark_t.h

reviewed

include/linux/netfilter_bridge/ebt_nat.h include/uapi/linux/netfilter_bridge/ebt_nat.h

reviewed

include/linux/netfilter_bridge/ebt_nflog.h include/uapi/linux/netfilter_bridge/ebt_nflog.h

reviewed

include/linux/netfilter_bridge/ebt_pkttype.h include/uapi/linux/netfilter_bridge/ebt_pkttype.h

reviewed

include/linux/netfilter_bridge/ebt_redirect.h include/uapi/linux/netfilter_bridge/ebt_redirect.h

reviewed

include/linux/netfilter_bridge/ebt_stp.h include/uapi/linux/netfilter_bridge/ebt_stp.h

reviewed

include/linux/netfilter_bridge/ebt_ulog.h include/uapi/linux/netfilter_bridge/ebt_ulog.h

reviewed

include/linux/netfilter_bridge/ebt_vlan.h include/uapi/linux/netfilter_bridge/ebt_vlan.h

reviewed

+1 -254

include/linux/netfilter_bridge/ebtables.h

reviewed

··· 9 9 * This code is stongly inspired on the iptables code which is 10 10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling 11 11 */ 12 12 - 13 12 #ifndef __LINUX_BRIDGE_EFF_H 14 13 #define __LINUX_BRIDGE_EFF_H 15 15 - #include <linux/if.h> 16 16 - #include <linux/netfilter_bridge.h> 17 17 - #include <linux/if_ether.h> 18 14 19 19 - #define EBT_TABLE_MAXNAMELEN 32 20 20 - #define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN 21 21 - #define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN 15 15 + #include <uapi/linux/netfilter_bridge/ebtables.h> 22 16 23 23 - /* verdicts >0 are "branches" */ 24 24 - #define EBT_ACCEPT -1 25 25 - #define EBT_DROP -2 26 26 - #define EBT_CONTINUE -3 27 27 - #define EBT_RETURN -4 28 28 - #define NUM_STANDARD_TARGETS 4 29 29 - /* ebtables target modules store the verdict inside an int. We can 30 30 - * reclaim a part of this int for backwards compatible extensions. 31 31 - * The 4 lsb are more than enough to store the verdict. */ 32 32 - #define EBT_VERDICT_BITS 0x0000000F 33 33 - 34 34 - struct xt_match; 35 35 - struct xt_target; 36 36 - 37 37 - struct ebt_counter { 38 38 - uint64_t pcnt; 39 39 - uint64_t bcnt; 40 40 - }; 41 41 - 42 42 - struct ebt_replace { 43 43 - char name[EBT_TABLE_MAXNAMELEN]; 44 44 - unsigned int valid_hooks; 45 45 - /* nr of rules in the table */ 46 46 - unsigned int nentries; 47 47 - /* total size of the entries */ 48 48 - unsigned int entries_size; 49 49 - /* start of the chains */ 50 50 - struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS]; 51 51 - /* nr of counters userspace expects back */ 52 52 - unsigned int num_counters; 53 53 - /* where the kernel will put the old counters */ 54 54 - struct ebt_counter __user *counters; 55 55 - char __user *entries; 56 56 - }; 57 57 - 58 58 - struct ebt_replace_kernel { 59 59 - char name[EBT_TABLE_MAXNAMELEN]; 60 60 - unsigned int valid_hooks; 61 61 - /* nr of rules in the table */ 62 62 - unsigned int nentries; 63 63 - /* total size of the entries */ 64 64 - unsigned int entries_size; 65 65 - /* start of the chains */ 66 66 - struct ebt_entries *hook_entry[NF_BR_NUMHOOKS]; 67 67 - /* nr of counters userspace expects back */ 68 68 - unsigned int num_counters; 69 69 - /* where the kernel will put the old counters */ 70 70 - struct ebt_counter *counters; 71 71 - char *entries; 72 72 - }; 73 73 - 74 74 - struct ebt_entries { 75 75 - /* this field is always set to zero 76 76 - * See EBT_ENTRY_OR_ENTRIES. 77 77 - * Must be same size as ebt_entry.bitmask */ 78 78 - unsigned int distinguisher; 79 79 - /* the chain name */ 80 80 - char name[EBT_CHAIN_MAXNAMELEN]; 81 81 - /* counter offset for this chain */ 82 82 - unsigned int counter_offset; 83 83 - /* one standard (accept, drop, return) per hook */ 84 84 - int policy; 85 85 - /* nr. of entries */ 86 86 - unsigned int nentries; 87 87 - /* entry list */ 88 88 - char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 89 89 - }; 90 90 - 91 91 - /* used for the bitmask of struct ebt_entry */ 92 92 - 93 93 - /* This is a hack to make a difference between an ebt_entry struct and an 94 94 - * ebt_entries struct when traversing the entries from start to end. 95 95 - * Using this simplifies the code a lot, while still being able to use 96 96 - * ebt_entries. 97 97 - * Contrary, iptables doesn't use something like ebt_entries and therefore uses 98 98 - * different techniques for naming the policy and such. So, iptables doesn't 99 99 - * need a hack like this. 100 100 - */ 101 101 - #define EBT_ENTRY_OR_ENTRIES 0x01 102 102 - /* these are the normal masks */ 103 103 - #define EBT_NOPROTO 0x02 104 104 - #define EBT_802_3 0x04 105 105 - #define EBT_SOURCEMAC 0x08 106 106 - #define EBT_DESTMAC 0x10 107 107 - #define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \ 108 108 - | EBT_ENTRY_OR_ENTRIES) 109 109 - 110 110 - #define EBT_IPROTO 0x01 111 111 - #define EBT_IIN 0x02 112 112 - #define EBT_IOUT 0x04 113 113 - #define EBT_ISOURCE 0x8 114 114 - #define EBT_IDEST 0x10 115 115 - #define EBT_ILOGICALIN 0x20 116 116 - #define EBT_ILOGICALOUT 0x40 117 117 - #define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ 118 118 - | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) 119 119 - 120 120 - struct ebt_entry_match { 121 121 - union { 122 122 - char name[EBT_FUNCTION_MAXNAMELEN]; 123 123 - struct xt_match *match; 124 124 - } u; 125 125 - /* size of data */ 126 126 - unsigned int match_size; 127 127 - unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 128 128 - }; 129 129 - 130 130 - struct ebt_entry_watcher { 131 131 - union { 132 132 - char name[EBT_FUNCTION_MAXNAMELEN]; 133 133 - struct xt_target *watcher; 134 134 - } u; 135 135 - /* size of data */ 136 136 - unsigned int watcher_size; 137 137 - unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 138 138 - }; 139 139 - 140 140 - struct ebt_entry_target { 141 141 - union { 142 142 - char name[EBT_FUNCTION_MAXNAMELEN]; 143 143 - struct xt_target *target; 144 144 - } u; 145 145 - /* size of data */ 146 146 - unsigned int target_size; 147 147 - unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 148 148 - }; 149 149 - 150 150 - #define EBT_STANDARD_TARGET "standard" 151 151 - struct ebt_standard_target { 152 152 - struct ebt_entry_target target; 153 153 - int verdict; 154 154 - }; 155 155 - 156 156 - /* one entry */ 157 157 - struct ebt_entry { 158 158 - /* this needs to be the first field */ 159 159 - unsigned int bitmask; 160 160 - unsigned int invflags; 161 161 - __be16 ethproto; 162 162 - /* the physical in-dev */ 163 163 - char in[IFNAMSIZ]; 164 164 - /* the logical in-dev */ 165 165 - char logical_in[IFNAMSIZ]; 166 166 - /* the physical out-dev */ 167 167 - char out[IFNAMSIZ]; 168 168 - /* the logical out-dev */ 169 169 - char logical_out[IFNAMSIZ]; 170 170 - unsigned char sourcemac[ETH_ALEN]; 171 171 - unsigned char sourcemsk[ETH_ALEN]; 172 172 - unsigned char destmac[ETH_ALEN]; 173 173 - unsigned char destmsk[ETH_ALEN]; 174 174 - /* sizeof ebt_entry + matches */ 175 175 - unsigned int watchers_offset; 176 176 - /* sizeof ebt_entry + matches + watchers */ 177 177 - unsigned int target_offset; 178 178 - /* sizeof ebt_entry + matches + watchers + target */ 179 179 - unsigned int next_offset; 180 180 - unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 181 181 - }; 182 182 - 183 183 - /* {g,s}etsockopt numbers */ 184 184 - #define EBT_BASE_CTL 128 185 185 - 186 186 - #define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) 187 187 - #define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1) 188 188 - #define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1) 189 189 - 190 190 - #define EBT_SO_GET_INFO (EBT_BASE_CTL) 191 191 - #define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1) 192 192 - #define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1) 193 193 - #define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1) 194 194 - #define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1) 195 195 - 196 196 - #ifdef __KERNEL__ 197 17 198 18 /* return values for match() functions */ 199 19 #define EBT_MATCH 0 ··· 123 303 #define CLEAR_BASE_CHAIN_BIT (par->hook_mask &= ~(1 << NF_BR_NUMHOOKS)) 124 304 /* True if the target is not a standard target */ 125 305 #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0) 126 126 - 127 127 - #endif /* __KERNEL__ */ 128 128 - 129 129 - /* blatently stolen from ip_tables.h 130 130 - * fn returns 0 to continue iteration */ 131 131 - #define EBT_MATCH_ITERATE(e, fn, args...) \ 132 132 - ({ \ 133 133 - unsigned int __i; \ 134 134 - int __ret = 0; \ 135 135 - struct ebt_entry_match *__match; \ 136 136 - \ 137 137 - for (__i = sizeof(struct ebt_entry); \ 138 138 - __i < (e)->watchers_offset; \ 139 139 - __i += __match->match_size + \ 140 140 - sizeof(struct ebt_entry_match)) { \ 141 141 - __match = (void *)(e) + __i; \ 142 142 - \ 143 143 - __ret = fn(__match , ## args); \ 144 144 - if (__ret != 0) \ 145 145 - break; \ 146 146 - } \ 147 147 - if (__ret == 0) { \ 148 148 - if (__i != (e)->watchers_offset) \ 149 149 - __ret = -EINVAL; \ 150 150 - } \ 151 151 - __ret; \ 152 152 - }) 153 153 - 154 154 - #define EBT_WATCHER_ITERATE(e, fn, args...) \ 155 155 - ({ \ 156 156 - unsigned int __i; \ 157 157 - int __ret = 0; \ 158 158 - struct ebt_entry_watcher *__watcher; \ 159 159 - \ 160 160 - for (__i = e->watchers_offset; \ 161 161 - __i < (e)->target_offset; \ 162 162 - __i += __watcher->watcher_size + \ 163 163 - sizeof(struct ebt_entry_watcher)) { \ 164 164 - __watcher = (void *)(e) + __i; \ 165 165 - \ 166 166 - __ret = fn(__watcher , ## args); \ 167 167 - if (__ret != 0) \ 168 168 - break; \ 169 169 - } \ 170 170 - if (__ret == 0) { \ 171 171 - if (__i != (e)->target_offset) \ 172 172 - __ret = -EINVAL; \ 173 173 - } \ 174 174 - __ret; \ 175 175 - }) 176 176 - 177 177 - #define EBT_ENTRY_ITERATE(entries, size, fn, args...) \ 178 178 - ({ \ 179 179 - unsigned int __i; \ 180 180 - int __ret = 0; \ 181 181 - struct ebt_entry *__entry; \ 182 182 - \ 183 183 - for (__i = 0; __i < (size);) { \ 184 184 - __entry = (void *)(entries) + __i; \ 185 185 - __ret = fn(__entry , ## args); \ 186 186 - if (__ret != 0) \ 187 187 - break; \ 188 188 - if (__entry->bitmask != 0) \ 189 189 - __i += __entry->next_offset; \ 190 190 - else \ 191 191 - __i += sizeof(struct ebt_entries); \ 192 192 - } \ 193 193 - if (__ret == 0) { \ 194 194 - if (__i != (size)) \ 195 195 - __ret = -EINVAL; \ 196 196 - } \ 197 197 - __ret; \ 198 198 - }) 199 306 200 307 #endif

+18

include/uapi/linux/netfilter_bridge/Kbuild

reviewed

··· 1 1 # UAPI Header export list 2 2 + header-y += ebt_802_3.h 3 3 + header-y += ebt_among.h 4 4 + header-y += ebt_arp.h 5 5 + header-y += ebt_arpreply.h 6 6 + header-y += ebt_ip.h 7 7 + header-y += ebt_ip6.h 8 8 + header-y += ebt_limit.h 9 9 + header-y += ebt_log.h 10 10 + header-y += ebt_mark_m.h 11 11 + header-y += ebt_mark_t.h 12 12 + header-y += ebt_nat.h 13 13 + header-y += ebt_nflog.h 14 14 + header-y += ebt_pkttype.h 15 15 + header-y += ebt_redirect.h 16 16 + header-y += ebt_stp.h 17 17 + header-y += ebt_ulog.h 18 18 + header-y += ebt_vlan.h 19 19 + header-y += ebtables.h

+62

include/uapi/linux/netfilter_bridge/ebt_802_3.h

reviewed

··· 1 1 + #ifndef _UAPI__LINUX_BRIDGE_EBT_802_3_H 2 2 + #define _UAPI__LINUX_BRIDGE_EBT_802_3_H 3 3 + 4 4 + #include <linux/types.h> 5 5 + 6 6 + #define EBT_802_3_SAP 0x01 7 7 + #define EBT_802_3_TYPE 0x02 8 8 + 9 9 + #define EBT_802_3_MATCH "802_3" 10 10 + 11 11 + /* 12 12 + * If frame has DSAP/SSAP value 0xaa you must check the SNAP type 13 13 + * to discover what kind of packet we're carrying. 14 14 + */ 15 15 + #define CHECK_TYPE 0xaa 16 16 + 17 17 + /* 18 18 + * Control field may be one or two bytes. If the first byte has 19 19 + * the value 0x03 then the entire length is one byte, otherwise it is two. 20 20 + * One byte controls are used in Unnumbered Information frames. 21 21 + * Two byte controls are used in Numbered Information frames. 22 22 + */ 23 23 + #define IS_UI 0x03 24 24 + 25 25 + #define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3) 26 26 + 27 27 + /* ui has one byte ctrl, ni has two */ 28 28 + struct hdr_ui { 29 29 + __u8 dsap; 30 30 + __u8 ssap; 31 31 + __u8 ctrl; 32 32 + __u8 orig[3]; 33 33 + __be16 type; 34 34 + }; 35 35 + 36 36 + struct hdr_ni { 37 37 + __u8 dsap; 38 38 + __u8 ssap; 39 39 + __be16 ctrl; 40 40 + __u8 orig[3]; 41 41 + __be16 type; 42 42 + }; 43 43 + 44 44 + struct ebt_802_3_hdr { 45 45 + __u8 daddr[6]; 46 46 + __u8 saddr[6]; 47 47 + __be16 len; 48 48 + union { 49 49 + struct hdr_ui ui; 50 50 + struct hdr_ni ni; 51 51 + } llc; 52 52 + }; 53 53 + 54 54 + 55 55 + struct ebt_802_3_info { 56 56 + __u8 sap; 57 57 + __be16 type; 58 58 + __u8 bitmask; 59 59 + __u8 invflags; 60 60 + }; 61 61 + 62 62 + #endif /* _UAPI__LINUX_BRIDGE_EBT_802_3_H */

+268

include/uapi/linux/netfilter_bridge/ebtables.h

reviewed

··· 1 1 + /* 2 2 + * ebtables 3 3 + * 4 4 + * Authors: 5 5 + * Bart De Schuymer <bdschuym@pandora.be> 6 6 + * 7 7 + * ebtables.c,v 2.0, April, 2002 8 8 + * 9 9 + * This code is stongly inspired on the iptables code which is 10 10 + * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling 11 11 + */ 12 12 + 13 13 + #ifndef _UAPI__LINUX_BRIDGE_EFF_H 14 14 + #define _UAPI__LINUX_BRIDGE_EFF_H 15 15 + #include <linux/if.h> 16 16 + #include <linux/netfilter_bridge.h> 17 17 + #include <linux/if_ether.h> 18 18 + 19 19 + #define EBT_TABLE_MAXNAMELEN 32 20 20 + #define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN 21 21 + #define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN 22 22 + 23 23 + /* verdicts >0 are "branches" */ 24 24 + #define EBT_ACCEPT -1 25 25 + #define EBT_DROP -2 26 26 + #define EBT_CONTINUE -3 27 27 + #define EBT_RETURN -4 28 28 + #define NUM_STANDARD_TARGETS 4 29 29 + /* ebtables target modules store the verdict inside an int. We can 30 30 + * reclaim a part of this int for backwards compatible extensions. 31 31 + * The 4 lsb are more than enough to store the verdict. */ 32 32 + #define EBT_VERDICT_BITS 0x0000000F 33 33 + 34 34 + struct xt_match; 35 35 + struct xt_target; 36 36 + 37 37 + struct ebt_counter { 38 38 + uint64_t pcnt; 39 39 + uint64_t bcnt; 40 40 + }; 41 41 + 42 42 + struct ebt_replace { 43 43 + char name[EBT_TABLE_MAXNAMELEN]; 44 44 + unsigned int valid_hooks; 45 45 + /* nr of rules in the table */ 46 46 + unsigned int nentries; 47 47 + /* total size of the entries */ 48 48 + unsigned int entries_size; 49 49 + /* start of the chains */ 50 50 + struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS]; 51 51 + /* nr of counters userspace expects back */ 52 52 + unsigned int num_counters; 53 53 + /* where the kernel will put the old counters */ 54 54 + struct ebt_counter __user *counters; 55 55 + char __user *entries; 56 56 + }; 57 57 + 58 58 + struct ebt_replace_kernel { 59 59 + char name[EBT_TABLE_MAXNAMELEN]; 60 60 + unsigned int valid_hooks; 61 61 + /* nr of rules in the table */ 62 62 + unsigned int nentries; 63 63 + /* total size of the entries */ 64 64 + unsigned int entries_size; 65 65 + /* start of the chains */ 66 66 + struct ebt_entries *hook_entry[NF_BR_NUMHOOKS]; 67 67 + /* nr of counters userspace expects back */ 68 68 + unsigned int num_counters; 69 69 + /* where the kernel will put the old counters */ 70 70 + struct ebt_counter *counters; 71 71 + char *entries; 72 72 + }; 73 73 + 74 74 + struct ebt_entries { 75 75 + /* this field is always set to zero 76 76 + * See EBT_ENTRY_OR_ENTRIES. 77 77 + * Must be same size as ebt_entry.bitmask */ 78 78 + unsigned int distinguisher; 79 79 + /* the chain name */ 80 80 + char name[EBT_CHAIN_MAXNAMELEN]; 81 81 + /* counter offset for this chain */ 82 82 + unsigned int counter_offset; 83 83 + /* one standard (accept, drop, return) per hook */ 84 84 + int policy; 85 85 + /* nr. of entries */ 86 86 + unsigned int nentries; 87 87 + /* entry list */ 88 88 + char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 89 89 + }; 90 90 + 91 91 + /* used for the bitmask of struct ebt_entry */ 92 92 + 93 93 + /* This is a hack to make a difference between an ebt_entry struct and an 94 94 + * ebt_entries struct when traversing the entries from start to end. 95 95 + * Using this simplifies the code a lot, while still being able to use 96 96 + * ebt_entries. 97 97 + * Contrary, iptables doesn't use something like ebt_entries and therefore uses 98 98 + * different techniques for naming the policy and such. So, iptables doesn't 99 99 + * need a hack like this. 100 100 + */ 101 101 + #define EBT_ENTRY_OR_ENTRIES 0x01 102 102 + /* these are the normal masks */ 103 103 + #define EBT_NOPROTO 0x02 104 104 + #define EBT_802_3 0x04 105 105 + #define EBT_SOURCEMAC 0x08 106 106 + #define EBT_DESTMAC 0x10 107 107 + #define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \ 108 108 + | EBT_ENTRY_OR_ENTRIES) 109 109 + 110 110 + #define EBT_IPROTO 0x01 111 111 + #define EBT_IIN 0x02 112 112 + #define EBT_IOUT 0x04 113 113 + #define EBT_ISOURCE 0x8 114 114 + #define EBT_IDEST 0x10 115 115 + #define EBT_ILOGICALIN 0x20 116 116 + #define EBT_ILOGICALOUT 0x40 117 117 + #define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ 118 118 + | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) 119 119 + 120 120 + struct ebt_entry_match { 121 121 + union { 122 122 + char name[EBT_FUNCTION_MAXNAMELEN]; 123 123 + struct xt_match *match; 124 124 + } u; 125 125 + /* size of data */ 126 126 + unsigned int match_size; 127 127 + unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 128 128 + }; 129 129 + 130 130 + struct ebt_entry_watcher { 131 131 + union { 132 132 + char name[EBT_FUNCTION_MAXNAMELEN]; 133 133 + struct xt_target *watcher; 134 134 + } u; 135 135 + /* size of data */ 136 136 + unsigned int watcher_size; 137 137 + unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 138 138 + }; 139 139 + 140 140 + struct ebt_entry_target { 141 141 + union { 142 142 + char name[EBT_FUNCTION_MAXNAMELEN]; 143 143 + struct xt_target *target; 144 144 + } u; 145 145 + /* size of data */ 146 146 + unsigned int target_size; 147 147 + unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 148 148 + }; 149 149 + 150 150 + #define EBT_STANDARD_TARGET "standard" 151 151 + struct ebt_standard_target { 152 152 + struct ebt_entry_target target; 153 153 + int verdict; 154 154 + }; 155 155 + 156 156 + /* one entry */ 157 157 + struct ebt_entry { 158 158 + /* this needs to be the first field */ 159 159 + unsigned int bitmask; 160 160 + unsigned int invflags; 161 161 + __be16 ethproto; 162 162 + /* the physical in-dev */ 163 163 + char in[IFNAMSIZ]; 164 164 + /* the logical in-dev */ 165 165 + char logical_in[IFNAMSIZ]; 166 166 + /* the physical out-dev */ 167 167 + char out[IFNAMSIZ]; 168 168 + /* the logical out-dev */ 169 169 + char logical_out[IFNAMSIZ]; 170 170 + unsigned char sourcemac[ETH_ALEN]; 171 171 + unsigned char sourcemsk[ETH_ALEN]; 172 172 + unsigned char destmac[ETH_ALEN]; 173 173 + unsigned char destmsk[ETH_ALEN]; 174 174 + /* sizeof ebt_entry + matches */ 175 175 + unsigned int watchers_offset; 176 176 + /* sizeof ebt_entry + matches + watchers */ 177 177 + unsigned int target_offset; 178 178 + /* sizeof ebt_entry + matches + watchers + target */ 179 179 + unsigned int next_offset; 180 180 + unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); 181 181 + }; 182 182 + 183 183 + /* {g,s}etsockopt numbers */ 184 184 + #define EBT_BASE_CTL 128 185 185 + 186 186 + #define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) 187 187 + #define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1) 188 188 + #define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1) 189 189 + 190 190 + #define EBT_SO_GET_INFO (EBT_BASE_CTL) 191 191 + #define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1) 192 192 + #define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1) 193 193 + #define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1) 194 194 + #define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1) 195 195 + 196 196 + 197 197 + /* blatently stolen from ip_tables.h 198 198 + * fn returns 0 to continue iteration */ 199 199 + #define EBT_MATCH_ITERATE(e, fn, args...) \ 200 200 + ({ \ 201 201 + unsigned int __i; \ 202 202 + int __ret = 0; \ 203 203 + struct ebt_entry_match *__match; \ 204 204 + \ 205 205 + for (__i = sizeof(struct ebt_entry); \ 206 206 + __i < (e)->watchers_offset; \ 207 207 + __i += __match->match_size + \ 208 208 + sizeof(struct ebt_entry_match)) { \ 209 209 + __match = (void *)(e) + __i; \ 210 210 + \ 211 211 + __ret = fn(__match , ## args); \ 212 212 + if (__ret != 0) \ 213 213 + break; \ 214 214 + } \ 215 215 + if (__ret == 0) { \ 216 216 + if (__i != (e)->watchers_offset) \ 217 217 + __ret = -EINVAL; \ 218 218 + } \ 219 219 + __ret; \ 220 220 + }) 221 221 + 222 222 + #define EBT_WATCHER_ITERATE(e, fn, args...) \ 223 223 + ({ \ 224 224 + unsigned int __i; \ 225 225 + int __ret = 0; \ 226 226 + struct ebt_entry_watcher *__watcher; \ 227 227 + \ 228 228 + for (__i = e->watchers_offset; \ 229 229 + __i < (e)->target_offset; \ 230 230 + __i += __watcher->watcher_size + \ 231 231 + sizeof(struct ebt_entry_watcher)) { \ 232 232 + __watcher = (void *)(e) + __i; \ 233 233 + \ 234 234 + __ret = fn(__watcher , ## args); \ 235 235 + if (__ret != 0) \ 236 236 + break; \ 237 237 + } \ 238 238 + if (__ret == 0) { \ 239 239 + if (__i != (e)->target_offset) \ 240 240 + __ret = -EINVAL; \ 241 241 + } \ 242 242 + __ret; \ 243 243 + }) 244 244 + 245 245 + #define EBT_ENTRY_ITERATE(entries, size, fn, args...) \ 246 246 + ({ \ 247 247 + unsigned int __i; \ 248 248 + int __ret = 0; \ 249 249 + struct ebt_entry *__entry; \ 250 250 + \ 251 251 + for (__i = 0; __i < (size);) { \ 252 252 + __entry = (void *)(entries) + __i; \ 253 253 + __ret = fn(__entry , ## args); \ 254 254 + if (__ret != 0) \ 255 255 + break; \ 256 256 + if (__entry->bitmask != 0) \ 257 257 + __i += __entry->next_offset; \ 258 258 + else \ 259 259 + __i += sizeof(struct ebt_entries); \ 260 260 + } \ 261 261 + if (__ret == 0) { \ 262 262 + if (__i != (size)) \ 263 263 + __ret = -EINVAL; \ 264 264 + } \ 265 265 + __ret; \ 266 266 + }) 267 267 + 268 268 + #endif /* _UAPI__LINUX_BRIDGE_EFF_H */