1*a71a9546SAutomerger Merge Worker #ifndef _NFT_BRIDGE_H_
2*a71a9546SAutomerger Merge Worker #define _NFT_BRIDGE_H_
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <netinet/in.h>
//#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/nf_tables.h>
#include <net/ethernet.h>
#include <libiptc/libxtc.h>
/* We use replace->flags, so we can't use the following values:
 * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */
/* Listing modifiers (presumably for the -L variants of ebtables-compat).
 * Each one is a single bit chosen not to collide with the OPT_* bits that
 * already live in the same replace->flags word. */
#define LIST_N	  0x04
#define LIST_C	  0x08
#define LIST_X	  0x10
#define LIST_MAC2 0x20

/* MAC address / mask pairs, ETH_ALEN bytes each, backing the symbolic
 * address-type keywords (unicast, multicast, broadcast, bridge group).
 * Declared only; the definitions live in the implementing .c file. */
extern unsigned char eb_mac_type_unicast[ETH_ALEN];
extern unsigned char eb_msk_type_unicast[ETH_ALEN];
extern unsigned char eb_mac_type_multicast[ETH_ALEN];
extern unsigned char eb_msk_type_multicast[ETH_ALEN];
extern unsigned char eb_mac_type_broadcast[ETH_ALEN];
extern unsigned char eb_msk_type_broadcast[ETH_ALEN];
extern unsigned char eb_mac_type_bridge_group[ETH_ALEN];
extern unsigned char eb_msk_type_bridge_group[ETH_ALEN];

/* Parse the textual MAC (optionally with a mask) in `from` into `to` and
 * `mask`; by analogy with the tables above both are presumably ETH_ALEN
 * bytes.  The meaning of the int return value is not visible in this
 * header -- check the definition before relying on it. */
int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask);
/* From: include/linux/netfilter_bridge/ebtables.h
 *
 * Adapted for the need of the ebtables-compat.
 */

/* Maximum length of a table name and of an extension ("function") name,
 * copied from the kernel uapi header named above. */
#define EBT_TABLE_MAXNAMELEN 32
#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN

/* verdicts >0 are "branches" */
/* The built-in verdicts are small negative numbers; (-verdict - 1) is the
 * index into ebt_standard_targets[] below (ACCEPT -> 0 ... RETURN -> 3).
 * Note the values are not parenthesised, so only use them where a bare
 * negative literal is safe. */
#define EBT_ACCEPT   -1
#define EBT_DROP     -2
#define EBT_CONTINUE -3
#define EBT_RETURN   -4
/* Number of built-in verdicts, i.e. the size of ebt_standard_targets[]. */
#define NUM_STANDARD_TARGETS   4
/* Bit 0 of an entry's bitmask; by its name it presumably distinguishes a
 * single entry from an "entries" chain header, as in the kernel header. */
#define EBT_ENTRY_OR_ENTRIES 0x01
/* these are the normal masks */
/* Bitmask flags: which parts of the entry carry a match. */
#define EBT_NOPROTO 0x02
#define EBT_802_3 0x04
#define EBT_SOURCEMAC 0x08
#define EBT_DESTMAC 0x10
/* Every bit that may legitimately appear in the bitmask word. */
#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
   | EBT_ENTRY_OR_ENTRIES)

/* Invert flags ("!" on the corresponding match).  These live in a separate
 * invflags word: the values deliberately reuse 0x01..0x40 and overlap the
 * EBT_* bitmask values above, so never OR the two sets into one word. */
#define EBT_IPROTO 0x01
#define EBT_IIN 0x02
#define EBT_IOUT 0x04
#define EBT_ISOURCE 0x8
#define EBT_IDEST 0x10
#define EBT_ILOGICALIN 0x20
#define EBT_ILOGICALOUT 0x40
/* Every bit that may legitimately appear in the invflags word. */
#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
/* ebtables target modules store the verdict inside an int. We can
 * reclaim a part of this int for backwards compatible extensions.
 * The 4 lsb are more than enough to store the verdict.
 */
/* With the encoding above EBT_ACCEPT..EBT_RETURN occupy 0xF..0xC in the low
 * nibble.  A chain jump (verdict > 0) is truncated by this mask, so only
 * apply it where a built-in verdict is expected. */
#define EBT_VERDICT_BITS 0x0000000F

/* Opaque here; presumably defined by libnftnl and the iptables nft front
 * end respectively.  Only pointers to them are used in this header. */
struct nftnl_rule;
struct iptables_command_state;
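/* Names of the built-in verdicts, indexed by (-verdict - 1): EBT_ACCEPT (-1)
 * maps to slot 0, EBT_DROP to 1, EBT_CONTINUE to 2, EBT_RETURN to 3.
 * The element pointers are const as well as the strings, so nothing in a
 * translation unit that includes this header can rebind an entry. */
static const char *const ebt_standard_targets[NUM_STANDARD_TARGETS] = {
	"ACCEPT",
	"DROP",
	"CONTINUE",
	"RETURN",
};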
/* Look up the name of built-in verdict slot `num` (0 .. NUM_STANDARD_TARGETS-1).
 * Returns NULL for any out-of-range slot instead of reading past the table,
 * so callers may pass untrusted or wrapped indices (see ebt_target_name). */
static inline const char *nft_ebt_standard_target(unsigned int num)
{
	return num < NUM_STANDARD_TARGETS ? ebt_standard_targets[num] : NULL;
}
/* Translate a built-in target name ("ACCEPT", "DROP", "CONTINUE", "RETURN")
 * into its verdict.  On a match *verdict receives the negative encoding
 * (-1 for ACCEPT ... -4 for RETURN, stored in the unsigned word) and 0 is
 * returned; if `str` is not a built-in name *verdict is left untouched and
 * 1 is returned.  `str` must be a valid NUL-terminated string. */
static inline int ebt_fill_target(const char *str, unsigned int *verdict)
{
	int slot;

	for (slot = 0; slot < NUM_STANDARD_TARGETS; slot++) {
		if (strcmp(str, nft_ebt_standard_target(slot)) != 0)
			continue;
		/* slot n is the name of verdict -(n + 1) */
		*verdict = -slot - 1;
		return 0;
	}

	return 1;
}
/* Inverse of ebt_fill_target(): the name of a built-in verdict, or NULL when
 * `verdict` is not one of EBT_ACCEPT..EBT_RETURN.  The index arithmetic is
 * done in unsigned, so a positive (jump) verdict wraps to a huge slot number
 * and is rejected by the bounds check in nft_ebt_standard_target(). */
static inline const char *ebt_target_name(unsigned int verdict)
{
	unsigned int slot = -verdict - 1;	/* undo the -slot - 1 encoding */

	return nft_ebt_standard_target(slot);
}
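/* Mark option bit `mask` as seen in the flags word that `flags` points to,
 * aborting through xtables_error() if the bit was already set (the same
 * option given twice on the command line).  Both arguments are evaluated
 * exactly once, so expressions with side effects are safe here.  GNU
 * statement expression, as used elsewhere in this tree. */
#define EBT_CHECK_OPTION(flags, mask) ({			\
	__typeof__(flags) _ebt_flags = (flags);			\
	__typeof__(mask) _ebt_mask = (mask);			\
	if (*_ebt_flags & _ebt_mask)				\
		xtables_error(PARAMETER_PROBLEM,		\
			      "Multiple use of same "		\
			      "option not allowed");		\
	*_ebt_flags |= _ebt_mask;				\
})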
/* Hooks used by the nft compat command loop for the bridge family.  All are
 * implemented outside this header; the one-line summaries below are inferred
 * from the names only -- confirm against the definitions. */
/* Release whatever ebt_add_match()/ebt_add_watcher() attached to cs. */
void ebt_cs_clean(struct iptables_command_state *cs);
/* Register the ebtables-specific match extensions with libxtables. */
void ebt_load_match_extensions(void);
/* Attach match m to the rule being built in cs. */
void ebt_add_match(struct xtables_match *m,
			  struct iptables_command_state *cs);
/* Attach a watcher (a target that does not end rule evaluation) to cs. */
void ebt_add_watcher(struct xtables_target *watcher,
                     struct iptables_command_state *cs);
/* Fallback handler for command-line options no extension claimed. */
int ebt_command_default(struct iptables_command_state *cs);
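/* One element of an `among` list: a MAC address plus an IPv4 address (used,
 * presumably, only when the list was given as MAC=IP pairs).  `in` is forced
 * to 4-byte alignment; with the 6-byte ether_addr of glibc that leaves two
 * padding bytes between the members.  Zero the whole struct before filling
 * it in: nft_among_insert_pair() orders and compares elements with memcmp()
 * over every byte, padding included, and stale padding would make that
 * ordering non-deterministic. */
struct nft_among_pair {
	struct ether_addr ether;
	struct in_addr in __attribute__((aligned (4)));
};

/* Private data of the `among` match.  The trailing array holds src.cnt
 * source pairs followed by dst.cnt destination pairs; the allocation must
 * provide room for src.cnt + dst.cnt elements after the fixed header.
 * A C99 flexible array member (rather than the GNU [0] form) so the
 * compiler and sanitizers know the array is the variable tail. */
struct nft_among_data {
	struct {
		size_t cnt;	/* number of pairs on this side */
		bool inv;	/* side is negated ("!"), presumably */
		bool ip;	/* pairs carry an IP as well as a MAC, presumably */
	} src, dst;
	/* first source, then dest pairs */
	struct nft_among_pair pairs[];
};

/* Record the parameters of one side (source when dst is false, destination
 * when dst is true) and return the index in data->pairs at which that side's
 * pairs must be written.
 *
 * Source pairs always precede destination pairs, so setting the source side
 * shifts any destination pairs already present up by cnt slots; the buffer
 * must already have room for cnt + data->dst.cnt pairs.  Because the counts
 * of the other side are read here, `data` has to be zeroed before the first
 * call (the caller's responsibility -- not enforced in this header).
 */
static inline size_t
nft_among_prepare_data(struct nft_among_data *data, bool dst,
		       size_t cnt, bool inv, bool ip)
{
	if (dst) {
		data->dst.cnt = cnt;
		data->dst.inv = inv;
		data->dst.ip = ip;
		/* destination pairs follow the source ones */
		return data->src.cnt;
	}

	data->src.cnt = cnt;
	data->src.inv = inv;
	data->src.ip = ip;
	/* make room in front of the destination pairs; regions overlap */
	memmove(data->pairs + cnt, data->pairs,
		data->dst.cnt * sizeof(*data->pairs));
	return 0;
}

/* Insert *new into the sorted array pairs[0 .. *pcount) and bump *pcount.
 *
 * nftables automatically sorts set elements from smallest to largest, so the
 * array is kept in memcmp() order to make the later extension comparison
 * agree with what comes back from the kernel.  The array must have room for
 * *pcount + 1 elements (caller's responsibility).  The index is a size_t to
 * match *pcount, avoiding the signed/unsigned comparison of the int version.
 */
static inline void
nft_among_insert_pair(struct nft_among_pair *pairs,
		      size_t *pcount, const struct nft_among_pair *new)
{
	size_t i;

	for (i = 0; i < *pcount; i++) {
		if (memcmp(new, &pairs[i], sizeof(*new)) < 0)
			break;
	}
	/* open a slot at i (overlapping move of the tail), then drop new in */
	memmove(&pairs[i + 1], &pairs[i], sizeof(*pairs) * (*pcount - i));
	memcpy(&pairs[i], new, sizeof(*new));
	(*pcount)++;
}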
181*a71a9546SAutomerger Merge Worker #endif