/*
 *  ebtables
 *
 *	Authors:
 *	Bart De Schuymer		<bdschuym@pandora.be>
 *
 *  ebtables.c,v 2.0, April, 2002
 *
 *  This code is strongly inspired by the iptables code which is
 *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
 */
12#ifndef __LINUX_BRIDGE_EFF_H
13#define __LINUX_BRIDGE_EFF_H
14
15#include <linux/if.h>
16#include <linux/if_ether.h>
17#include <uapi/linux/netfilter_bridge/ebtables.h>
18
/*
 * Return values for match() functions.
 *
 * Polarity: a match is 0 and a non-match is 1, the opposite of a C truth
 * value, so these must be compared explicitly and never used as a condition.
 * NOTE(review): the match() callback in struct ebt_match returns bool, not
 * one of these values; confirm which convention each caller expects, since
 * mixing the two inverts a rule's meaning.
 */
#define EBT_MATCH	0
#define EBT_NOMATCH	1
22
/*
 * Descriptor for an ebtables match extension: a name, three callbacks and
 * the bookkeeping fields that go with them.
 *
 * match() receives matchinfo as const; checkentry() and destroy() receive it
 * writable.
 * NOTE(review): matchinfo presumably comes from a rule blob supplied by
 * userspace, which would make checkentry() the place where it is validated
 * and matchsize the size it is checked against -- confirm in the code that
 * registers and invokes these callbacks.
 */
struct ebt_match {
	/* list linkage */
	struct list_head list;
	/* extension name, stored in a const array of EBT_FUNCTION_MAXNAMELEN */
	const char name[EBT_FUNCTION_MAXNAMELEN];
	/* per-packet callback; hotdrop is a bool the callback can write to */
	bool (*match)(const struct sk_buff *skb,
		      const struct net_device *in,
		      const struct net_device *out,
		      const struct xt_match *match,
		      const void *matchinfo,
		      int offset,
		      unsigned int protoff,
		      bool *hotdrop);
	/* rule-check callback; gets the table name, the entry and hook_mask */
	bool (*checkentry)(const char *table,
			   const void *entry,
			   const struct xt_match *match,
			   void *matchinfo,
			   unsigned int hook_mask);
	/* teardown callback for matchinfo */
	void (*destroy)(const struct xt_match *match,
			void *matchinfo);
	unsigned int matchsize;
	u_int8_t revision;
	u_int8_t family;
	/* module associated with this extension */
	struct module *me;
};
39
/*
 * Descriptor for an ebtables watcher extension. The layout and callback
 * signatures are the same as struct ebt_target; the per-packet callback is
 * named target() here as well.
 *
 * NOTE(review): targinfo is handed to checkentry() and destroy() as a
 * writable pointer and presumably originates from a userspace rule blob;
 * confirm that checkentry() validates it against targetsize before target()
 * ever sees it.
 */
struct ebt_watcher {
	/* list linkage */
	struct list_head list;
	/* extension name, stored in a const array of EBT_FUNCTION_MAXNAMELEN */
	const char name[EBT_FUNCTION_MAXNAMELEN];
	/* per-packet callback; skb is passed non-const */
	unsigned int (*target)(struct sk_buff *skb,
			       const struct net_device *in,
			       const struct net_device *out,
			       unsigned int hook_num,
			       const struct xt_target *target,
			       const void *targinfo);
	/* rule-check callback; gets the table name, the entry and hook_mask */
	bool (*checkentry)(const char *table,
			   const void *entry,
			   const struct xt_target *target,
			   void *targinfo,
			   unsigned int hook_mask);
	/* teardown callback for targinfo */
	void (*destroy)(const struct xt_target *target,
			void *targinfo);
	unsigned int targetsize;
	u_int8_t revision;
	u_int8_t family;
	/* module associated with this extension */
	struct module *me;
};
56
/*
 * Descriptor for an ebtables target extension.
 *
 * NOTE(review): targinfo is handed to checkentry() and destroy() as a
 * writable pointer and presumably originates from a userspace rule blob;
 * confirm that checkentry() validates it against targetsize before target()
 * ever sees it.
 */
struct ebt_target {
	/* list linkage */
	struct list_head list;
	/* extension name, stored in a const array of EBT_FUNCTION_MAXNAMELEN */
	const char name[EBT_FUNCTION_MAXNAMELEN];
	/* returns one of the standard EBT_* verdicts */
	unsigned int (*target)(struct sk_buff *skb,
			       const struct net_device *in,
			       const struct net_device *out,
			       unsigned int hook_num,
			       const struct xt_target *target,
			       const void *targinfo);
	/* rule-check callback; gets the table name, the entry and hook_mask */
	bool (*checkentry)(const char *table,
			   const void *entry,
			   const struct xt_target *target,
			   void *targinfo,
			   unsigned int hook_mask);
	/* teardown callback for targinfo */
	void (*destroy)(const struct xt_target *target,
			void *targinfo);
	unsigned int targetsize;
	u_int8_t revision;
	u_int8_t family;
	/* module associated with this extension */
	struct module *me;
};
74
/*
 * One saved position, used for jumping from and into user defined
 * chains (udc).
 */
struct ebt_chainstack {
	/* pointer to chain data */
	struct ebt_entries *chaininfo;
	/* pointer to entry data */
	struct ebt_entry *e;
	/* n'th entry */
	unsigned int n;
};
81
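/*
 * Kernel-side bookkeeping for one table's rule data: the size and count of
 * the entries, the per-hook chain starts, the udc jump stack, the entry
 * storage and the trailing counters.
 *
 * NOTE(review): if entries_size and nentries are filled in from a
 * userspace-supplied request, they have to be validated against the real
 * size of the entries buffer before hook_entry[] or entries is walked --
 * confirm in the code that builds this structure.
 */
struct ebt_table_info {
	/* total size of the entries */
	unsigned int entries_size;
	unsigned int nentries;
	/* pointers to the start of the chains */
	struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
	/* room to maintain the stack used for jumping from and into udc */
	struct ebt_chainstack **chainstack;
	char *entries;
	/*
	 * Trailing counter storage, declared as a C99 flexible array member
	 * instead of a zero-length array. sizeof(struct ebt_table_info) is
	 * the same either way, but the flexible form is standard C and lets
	 * the compiler reject misuse (such as placing the member anywhere
	 * but last) that a [0] array silently accepts. The element count is
	 * not part of the type, so whoever allocates this structure must add
	 * room for the counters explicitly.
	 */
	struct ebt_counter counters[] ____cacheline_aligned;
};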
93
/*
 * One ebtables table: its name, the hooks it is valid for, an optional
 * policy callback and a pointer to the data the kernel works on.
 */
struct ebt_table {
	/* list linkage */
	struct list_head list;
	/* table name, at most EBT_TABLE_MAXNAMELEN bytes */
	char name[EBT_TABLE_MAXNAMELEN];
	struct ebt_replace_kernel *table;
	unsigned int valid_hooks;
	/* NOTE(review): presumably guards `private`; confirm at the users */
	rwlock_t lock;
	/*
	 * e.g. could be the table explicitly only allows certain
	 * matches, targets, ... 0 == let it in
	 */
	int (*check)(const struct ebt_table_info *info,
		     unsigned int valid_hooks);
	/* the data used by the kernel */
	struct ebt_table_info *private;
	/* module associated with this table */
	struct module *me;
};
108
/*
 * Round s up to the next multiple of the alignment of struct _xt_align.
 *
 * The addition s + (alignment - 1) is not checked for wrap-around, so a size
 * that comes from an untrusted source has to be range-checked before it is
 * passed here; a wrapped result would be smaller than s.
 */
#define EBT_ALIGN(s) \
	(((s) + (__alignof__(struct _xt_align) - 1)) & \
	 ~(__alignof__(struct _xt_align) - 1))

/*
 * Table registration for a network namespace.
 * NOTE(review): how ebt_register_table() reports failure (NULL or an encoded
 * error pointer) is not visible in this header; check the definition before
 * testing the returned pointer.
 */
extern struct ebt_table *
ebt_register_table(struct net *net, const struct ebt_table *table);

extern void
ebt_unregister_table(struct net *net, struct ebt_table *table);

/* Run skb through table for the given hook; the result is an unsigned int. */
extern unsigned int
ebt_do_table(unsigned int hook, struct sk_buff *skb,
	     const struct net_device *in, const struct net_device *out,
	     struct ebt_table *table);
117
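/*
 * Used in the kernel match() functions: XOR a comparison result with the
 * rule's inversion bit for invflg.
 *
 * The macro reads `info->invflags`, so a variable named `info` with that
 * member must be in scope where it is used. cond must already be 0 or 1;
 * any other non-zero value stays non-zero after the XOR and the inversion
 * is lost.
 *
 * invflg is parenthesized in the expansion so that a compound argument such
 * as (A | B) is masked as a whole. Without the parentheses `&` binds tighter
 * than `|`, the test becomes (invflags & A) | B, and the result is inverted
 * whenever B is non-zero -- for a filter rule that means matching the wrong
 * frames.
 */
#define FWINV(cond, invflg) ((cond) ^ !!(info->invflags & (invflg)))
/*
 * True if the hook mask denotes that the rule is in a base chain,
 * used in the check() functions. Reads `par->hook_mask`, so a variable named
 * `par` must be in scope.
 */
#define BASE_CHAIN (par->hook_mask & (1 << NF_BR_NUMHOOKS))
/*
 * Clear the bit in the hook mask that tells if the rule is on a base chain.
 * Writes to `par->hook_mask` of the `par` in scope.
 */
#define CLEAR_BASE_CHAIN_BIT (par->hook_mask &= ~(1 << NF_BR_NUMHOOKS))
/*
 * True if the target is not a standard target, i.e. info->target is below
 * -NUM_STANDARD_TARGETS or is >= 0. Reads `info->target` of the `info` in
 * scope.
 * NOTE(review): the range test only works if info->target has a signed type;
 * confirm at the declaration, since the value is presumably rule data that
 * userspace controls.
 */
#define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)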
127
128#endif
129