Andrew Scott

Dr Andrew Scott G7VAV
MBCS, MIET, Member ACM, Member IEEE
Senior Lecturer
School of Computing
and Communications

D35 InfoLab21
Lancaster University
Lancaster, LA1 4WA
United Kingdom
June 2025
26	27	28	29	30	31	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	1	2	3	4	5	6
ebtables.h
001: /*
002:  *  ebtables
003:  *
004:  *      Authors:
005:  *      Bart De Schuymer                <bdschuym@pandora.be>
006:  *
007:  *  ebtables.c,v 2.0, April, 2002
008:  *
009:  *  This code is stongly inspired on the iptables code which is
010:  *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
011:  */
012: 
013: #ifndef __LINUX_BRIDGE_EFF_H
014: #define __LINUX_BRIDGE_EFF_H
015: #include <linux/if.h>
016: #include <linux/netfilter_bridge.h>
017: #include <linux/if_ether.h>
018: 
019: #define EBT_TABLE_MAXNAMELEN 32
020: #define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
021: #define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
022: 
023: /* verdicts >0 are "branches" */
024: #define EBT_ACCEPT   -1
025: #define EBT_DROP     -2
026: #define EBT_CONTINUE -3
027: #define EBT_RETURN   -4
028: #define NUM_STANDARD_TARGETS   4
029: /* ebtables target modules store the verdict inside an int. We can
030:  * reclaim a part of this int for backwards compatible extensions.
031:  * The 4 lsb are more than enough to store the verdict. */
032: #define EBT_VERDICT_BITS 0x0000000F
033: 
034: struct xt_match;
035: struct xt_target;
036: 
037: struct ebt_counter {
038:         uint64_t pcnt;
039:         uint64_t bcnt;
040: };
041: 
042: struct ebt_replace {
043:         char name[EBT_TABLE_MAXNAMELEN];
044:         unsigned int valid_hooks;
045:         /* nr of rules in the table */
046:         unsigned int nentries;
047:         /* total size of the entries */
048:         unsigned int entries_size;
049:         /* start of the chains */
050:         struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
051:         /* nr of counters userspace expects back */
052:         unsigned int num_counters;
053:         /* where the kernel will put the old counters */
054:         struct ebt_counter *counters;
055:         char *entries;
056: };
057: 
058: struct ebt_replace_kernel {
059:         char name[EBT_TABLE_MAXNAMELEN];
060:         unsigned int valid_hooks;
061:         /* nr of rules in the table */
062:         unsigned int nentries;
063:         /* total size of the entries */
064:         unsigned int entries_size;
065:         /* start of the chains */
066:         struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
067:         /* nr of counters userspace expects back */
068:         unsigned int num_counters;
069:         /* where the kernel will put the old counters */
070:         struct ebt_counter *counters;
071:         char *entries;
072: };
073: 
074: struct ebt_entries {
075:         /* this field is always set to zero
076:          * See EBT_ENTRY_OR_ENTRIES.
077:          * Must be same size as ebt_entry.bitmask */
078:         unsigned int distinguisher;
079:         /* the chain name */
080:         char name[EBT_CHAIN_MAXNAMELEN];
081:         /* counter offset for this chain */
082:         unsigned int counter_offset;
083:         /* one standard (accept, drop, return) per hook */
084:         int policy;
085:         /* nr. of entries */
086:         unsigned int nentries;
087:         /* entry list */
088:         char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
089: };
090: 
091: /* used for the bitmask of struct ebt_entry */
092: 
093: /* This is a hack to make a difference between an ebt_entry struct and an
094:  * ebt_entries struct when traversing the entries from start to end.
095:  * Using this simplifies the code a lot, while still being able to use
096:  * ebt_entries.
097:  * Contrary, iptables doesn't use something like ebt_entries and therefore uses
098:  * different techniques for naming the policy and such. So, iptables doesn't
099:  * need a hack like this.
100:  */
101: #define EBT_ENTRY_OR_ENTRIES 0x01
102: /* these are the normal masks */
103: #define EBT_NOPROTO 0x02
104: #define EBT_802_3 0x04
105: #define EBT_SOURCEMAC 0x08
106: #define EBT_DESTMAC 0x10
107: #define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
108:    | EBT_ENTRY_OR_ENTRIES)
109: 
110: #define EBT_IPROTO 0x01
111: #define EBT_IIN 0x02
112: #define EBT_IOUT 0x04
113: #define EBT_ISOURCE 0x8
114: #define EBT_IDEST 0x10
115: #define EBT_ILOGICALIN 0x20
116: #define EBT_ILOGICALOUT 0x40
117: #define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
118:    | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
119: 
120: struct ebt_entry_match {
121:         union {
122:                 char name[EBT_FUNCTION_MAXNAMELEN];
123:                 struct xt_match *match;
124:         } u;
125:         /* size of data */
126:         unsigned int match_size;
127:         unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
128: };
129: 
130: struct ebt_entry_watcher {
131:         union {
132:                 char name[EBT_FUNCTION_MAXNAMELEN];
133:                 struct xt_target *watcher;
134:         } u;
135:         /* size of data */
136:         unsigned int watcher_size;
137:         unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
138: };
139: 
140: struct ebt_entry_target {
141:         union {
142:                 char name[EBT_FUNCTION_MAXNAMELEN];
143:                 struct xt_target *target;
144:         } u;
145:         /* size of data */
146:         unsigned int target_size;
147:         unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
148: };
149: 
150: #define EBT_STANDARD_TARGET "standard"
151: struct ebt_standard_target {
152:         struct ebt_entry_target target;
153:         int verdict;
154: };
155: 
156: /* one entry */
157: struct ebt_entry {
158:         /* this needs to be the first field */
159:         unsigned int bitmask;
160:         unsigned int invflags;
161:         __be16 ethproto;
162:         /* the physical in-dev */
163:         char in[IFNAMSIZ];
164:         /* the logical in-dev */
165:         char logical_in[IFNAMSIZ];
166:         /* the physical out-dev */
167:         char out[IFNAMSIZ];
168:         /* the logical out-dev */
169:         char logical_out[IFNAMSIZ];
170:         unsigned char sourcemac[ETH_ALEN];
171:         unsigned char sourcemsk[ETH_ALEN];
172:         unsigned char destmac[ETH_ALEN];
173:         unsigned char destmsk[ETH_ALEN];
174:         /* sizeof ebt_entry + matches */
175:         unsigned int watchers_offset;
176:         /* sizeof ebt_entry + matches + watchers */
177:         unsigned int target_offset;
178:         /* sizeof ebt_entry + matches + watchers + target */
179:         unsigned int next_offset;
180:         unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
181: };
182: 
183: /* {g,s}etsockopt numbers */
184: #define EBT_BASE_CTL            128
185: 
186: #define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
187: #define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
188: #define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
189: 
190: #define EBT_SO_GET_INFO         (EBT_BASE_CTL)
191: #define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
192: #define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
193: #define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
194: #define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
195: 
196: 
197: /* blatently stolen from ip_tables.h
198:  * fn returns 0 to continue iteration */
199: #define EBT_MATCH_ITERATE(e, fn, args...)                   \
200: ({                                                          \
201:         unsigned int __i;                                   \
202:         int __ret = 0;                                      \
203:         struct ebt_entry_match *__match;                    \
204:                                                             \
205:         for (__i = sizeof(struct ebt_entry);                \
206:              __i < (e)->watchers_offset;                    \
207:              __i += __match->match_size +                   \
208:              sizeof(struct ebt_entry_match)) {              \
209:                 __match = (void *)(e) + __i;                \
210:                                                             \
211:                 __ret = fn(__match , ## args);              \
212:                 if (__ret != 0)                             \
213:                         break;                              \
214:         }                                                   \
215:         if (__ret == 0) {                                   \
216:                 if (__i != (e)->watchers_offset)            \
217:                         __ret = -EINVAL;                    \
218:         }                                                   \
219:         __ret;                                              \
220: })
221: 
222: #define EBT_WATCHER_ITERATE(e, fn, args...)                 \
223: ({                                                          \
224:         unsigned int __i;                                   \
225:         int __ret = 0;                                      \
226:         struct ebt_entry_watcher *__watcher;                \
227:                                                             \
228:         for (__i = e->watchers_offset;                      \
229:              __i < (e)->target_offset;                      \
230:              __i += __watcher->watcher_size +               \
231:              sizeof(struct ebt_entry_watcher)) {            \
232:                 __watcher = (void *)(e) + __i;              \
233:                                                             \
234:                 __ret = fn(__watcher , ## args);            \
235:                 if (__ret != 0)                             \
236:                         break;                              \
237:         }                                                   \
238:         if (__ret == 0) {                                   \
239:                 if (__i != (e)->target_offset)              \
240:                         __ret = -EINVAL;                    \
241:         }                                                   \
242:         __ret;                                              \
243: })
244: 
245: #define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
246: ({                                                          \
247:         unsigned int __i;                                   \
248:         int __ret = 0;                                      \
249:         struct ebt_entry *__entry;                          \
250:                                                             \
251:         for (__i = 0; __i < (size);) {                      \
252:                 __entry = (void *)(entries) + __i;          \
253:                 __ret = fn(__entry , ## args);              \
254:                 if (__ret != 0)                             \
255:                         break;                              \
256:                 if (__entry->bitmask != 0)                  \
257:                         __i += __entry->next_offset;        \
258:                 else                                        \
259:                         __i += sizeof(struct ebt_entries);  \
260:         }                                                   \
261:         if (__ret == 0) {                                   \
262:                 if (__i != (size))                          \
263:                         __ret = -EINVAL;                    \
264:         }                                                   \
265:         __ret;                                              \
266: })
267: 
268: #endif
269:
for client (none)
http://www.andrew-scott.uk/
Andrew Scott
http://www.andrew-scott.co.uk/