#ifndef _NFT_BRIDGE_H_
#define _NFT_BRIDGE_H_
#include <netinet/in.h>
//#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/nf_tables.h>
#include <net/ethernet.h>
#include <libiptc/libxtc.h>
/* We use replace->flags, so we can't use the following values:
* 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */
#define LIST_N 0x04
#define LIST_C 0x08
#define LIST_X 0x10
#define LIST_MAC2 0x20
extern unsigned char eb_mac_type_unicast[ETH_ALEN];
extern unsigned char eb_msk_type_unicast[ETH_ALEN];
extern unsigned char eb_mac_type_multicast[ETH_ALEN];
extern unsigned char eb_msk_type_multicast[ETH_ALEN];
extern unsigned char eb_mac_type_broadcast[ETH_ALEN];
extern unsigned char eb_msk_type_broadcast[ETH_ALEN];
extern unsigned char eb_mac_type_bridge_group[ETH_ALEN];
extern unsigned char eb_msk_type_bridge_group[ETH_ALEN];
int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask);
/* From: include/linux/netfilter_bridge/ebtables.h
*
* Adapted for the need of the ebtables-compat.
*/
#define EBT_TABLE_MAXNAMELEN 32
#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
/* verdicts >0 are "branches" */
#define EBT_ACCEPT -1
#define EBT_DROP -2
#define EBT_CONTINUE -3
#define EBT_RETURN -4
#define NUM_STANDARD_TARGETS 4
#define EBT_ENTRY_OR_ENTRIES 0x01
/* these are the normal masks */
#define EBT_NOPROTO 0x02
#define EBT_802_3 0x04
#define EBT_SOURCEMAC 0x08
#define EBT_DESTMAC 0x10
#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
| EBT_ENTRY_OR_ENTRIES)
#define EBT_IPROTO 0x01
#define EBT_IIN 0x02
#define EBT_IOUT 0x04
#define EBT_ISOURCE 0x8
#define EBT_IDEST 0x10
#define EBT_ILOGICALIN 0x20
#define EBT_ILOGICALOUT 0x40
#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
| EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
/* ebtables target modules store the verdict inside an int. We can
* reclaim a part of this int for backwards compatible extensions.
* The 4 lsb are more than enough to store the verdict.
*/
#define EBT_VERDICT_BITS 0x0000000F
struct nftnl_rule;
struct iptables_command_state;
/* Names of the standard ebtables targets.  Entry i corresponds to the
 * verdict -i - 1 (EBT_ACCEPT == -1 -> "ACCEPT", EBT_DROP == -2 -> "DROP",
 * and so on); ebt_fill_target() and ebt_target_name() rely on that order.
 * Being a static definition in a header, every translation unit that
 * includes this file gets its own copy of the table. */
static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
	"ACCEPT",
	"DROP",
	"CONTINUE",
	"RETURN",
};
/*
 * Map a standard-target index to its name.
 *
 * @num: index into ebt_standard_targets (0 == "ACCEPT", 1 == "DROP", ...)
 *
 * Returns the target name, or NULL when @num is out of range.  The bounds
 * check is what lets ebt_target_name() pass an arbitrary verdict through.
 */
static inline const char *nft_ebt_standard_target(unsigned int num)
{
	return num < NUM_STANDARD_TARGETS ? ebt_standard_targets[num] : NULL;
}
/*
 * Look up a standard target by name and encode it as an ebtables verdict.
 *
 * @str:     target name to match ("ACCEPT", "DROP", "CONTINUE", "RETURN");
 *           must be a valid NUL-terminated string
 * @verdict: receives the verdict on success, left untouched otherwise
 *
 * The verdict stored is -i - 1 for table index i, which reproduces the
 * EBT_ACCEPT (-1) .. EBT_RETURN (-4) values; the negative int is deliberately
 * stored into the unsigned verdict word.
 *
 * Returns 0 when @str named a standard target, 1 when it did not.
 */
static inline int ebt_fill_target(const char *str, unsigned int *verdict)
{
	int idx;

	for (idx = 0; idx < NUM_STANDARD_TARGETS; idx++) {
		if (strcmp(str, nft_ebt_standard_target(idx)) != 0)
			continue;
		*verdict = -idx - 1;
		return 0;
	}

	/* no standard target of that name */
	return 1;
}
/*
 * Inverse of ebt_fill_target(): recover the name of a standard verdict.
 *
 * @verdict: verdict word as produced by ebt_fill_target()
 *
 * Returns the target name, or NULL when @verdict is not one of the four
 * standard verdicts (-1 .. -4).
 */
static inline const char *ebt_target_name(unsigned int verdict)
{
	/* Undo the -i - 1 encoding.  The unsigned wraparound is intended:
	 * any verdict outside -1 .. -4 yields an index of at least
	 * NUM_STANDARD_TARGETS, which the lookup rejects with NULL. */
	unsigned int idx = -verdict - 1;

	return nft_ebt_standard_target(idx);
}
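/*
 * Reject a command-line option that was already seen.
 *
 * @flags: pointer to the bitmask of options parsed so far
 * @mask:  bit of the option being parsed
 *
 * Reports a PARAMETER_PROBLEM through xtables_error() when @mask is already
 * set in *@flags, otherwise records it.  Both macro arguments are
 * parenthesised so that a compound expression (for example a | b) can be
 * passed as @mask without being mis-parsed by the & and |= operators.
 */
#define EBT_CHECK_OPTION(flags, mask) ({ \
	if (*(flags) & (mask)) \
		xtables_error(PARAMETER_PROBLEM, \
			      "Multiple use of same " \
			      "option not allowed"); \
	*(flags) |= (mask); \
})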
void ebt_cs_clean(struct iptables_command_state *cs);
void ebt_load_match_extensions(void);
void ebt_add_match(struct xtables_match *m,
struct iptables_command_state *cs);
void ebt_add_watcher(struct xtables_target *watcher,
struct iptables_command_state *cs);
int ebt_command_default(struct iptables_command_state *cs);
/* One element of an "among" list: a MAC address plus an IPv4 address (the
 * ip flag in struct nft_among_data says whether the latter is significant).
 * The aligned(4) attribute puts @in on a 4-byte boundary, so the struct may
 * contain padding after @ether.  nft_among_insert_pair() orders elements
 * with a bytewise memcmp() over the whole struct, so callers should zero a
 * pair before filling it in; otherwise unset padding bytes take part in the
 * comparison. */
struct nft_among_pair {
	struct ether_addr ether;
	struct in_addr in __attribute__((aligned (4)));
};
/* Per-match state of the "among" extension: a source list and a destination
 * list of MAC(+IP) pairs, followed by the pairs themselves.  Zero the header
 * before the first nft_among_prepare_data() call, which reads dst.cnt when
 * the source list is prepared. */
struct nft_among_data {
	struct {
		size_t cnt;	/* number of pairs in this list */
		bool inv;	/* presumably negates the match; confirm in the match code */
		bool ip;	/* pairs carry an IP address as well as a MAC */
	} src, dst;
	/* first source, then dest pairs */
	/* GNU zero-length array standing in for a C99 flexible array member
	 * (pairs[]); the trailing storage is sized by whoever allocates the
	 * object and is not bounds-checked by the helpers below. */
	struct nft_among_pair pairs[0];
};
/*
 * Record the parameters of one "among" address list and return the index
 * in data->pairs at which that list's entries start.
 *
 * @data: match data; its src/dst headers must be zeroed before the first
 *        call, because data->dst.cnt is read when the source list is set up
 * @dst:  true to describe the destination list, false for the source list
 * @cnt:  number of pairs the list will hold
 * @inv:  stored in the list's inv flag (presumably negates the match)
 * @ip:   stored in the list's ip flag (pairs carry an IP address too)
 *
 * Source pairs are stored first, destination pairs after them.  Preparing
 * the source list after the destination list therefore shifts the existing
 * destination pairs up by @cnt slots; the caller must already have
 * allocated room for both lists, as nothing here checks capacity.
 *
 * Returns the offset into data->pairs to write this list's pairs to.
 */
static inline size_t
nft_among_prepare_data(struct nft_among_data *data, bool dst,
		       size_t cnt, bool inv, bool ip)
{
	if (dst) {
		data->dst.cnt = cnt;
		data->dst.inv = inv;
		data->dst.ip = ip;
		/* destination entries follow the source entries */
		return data->src.cnt;
	}

	data->src.cnt = cnt;
	data->src.inv = inv;
	data->src.ip = ip;
	/* open a gap of @cnt slots at the front for the source entries */
	memmove(data->pairs + cnt, data->pairs,
		data->dst.cnt * sizeof(*data->pairs));
	return 0;
}
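/*
 * Insert @new into @pairs, keeping the array sorted.
 *
 * @pairs:  array with room for at least *@pcount + 1 elements
 * @pcount: number of valid elements in @pairs; incremented on return
 * @new:    element to insert (copied into the array)
 *
 * nftables automatically sorts set elements from smallest to largest, so
 * elements are inserted in sorted order here to make extension comparison
 * work.  The order is a bytewise memcmp() over the whole struct; since
 * struct nft_among_pair may contain padding (its in member is 4-byte
 * aligned), callers should zero each pair before filling it in so that
 * stale padding bytes do not influence the ordering.
 *
 * The caller guarantees capacity; no bounds check is performed.
 */
static inline void
nft_among_insert_pair(struct nft_among_pair *pairs,
		      size_t *pcount, const struct nft_among_pair *new)
{
	/* size_t, not int: *pcount is a size_t, so the loop bound no longer
	 * mixes signed and unsigned arithmetic */
	size_t i;

	/* find the first element that sorts after @new */
	for (i = 0; i < *pcount; i++) {
		if (memcmp(new, &pairs[i], sizeof(*new)) < 0)
			break;
	}
	/* shift the tail up one slot and drop @new into the gap */
	memmove(&pairs[i + 1], &pairs[i], sizeof(*pairs) * (*pcount - i));
	memcpy(&pairs[i], new, sizeof(*new));
	(*pcount)++;
}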
#endif