2
* $Id: ebtables.c,v 1.03 2002/01/19
4
* Copyright (C) 2001-2002 Bart De Schuymer
6
* This code is stongly inspired on the iptables code which is
7
* Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
9
* This program is free software; you can redistribute it and/or
10
* modify it under the terms of the GNU General Public License as
11
* published by the Free Software Foundation; either version 2 of the
12
* License, or (at your option) any later version.
14
* This program is distributed in the hope that it will be useful, but
15
* WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17
* General Public License for more details.
19
* You should have received a copy of the GNU General Public License
20
* along with this program; if not, write to the Free Software
21
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26
#include <netinet/in.h>
27
#include <linux/netfilter_bridge/ebtables.h>
28
#include <linux/netfilter/x_tables.h>
31
#define IPPROTO_SCTP 132
34
#define IPPROTO_DCCP 33
37
#define EXEC_STYLE_PRG 0
38
#define EXEC_STYLE_DAEMON 1
41
#define EBT_MIN_ALIGN (__alignof__(struct _xt_align))
43
#define EBT_ALIGN(s) (((s) + (EBT_MIN_ALIGN-1)) & ~(EBT_MIN_ALIGN-1))
44
#define ERRORMSG_MAXLEN 128
49
unsigned int nentries;
50
/* counter offset for this chain */
51
unsigned int counter_offset;
53
unsigned int hook_mask;
55
char name[EBT_CHAIN_MAXNAMELEN];
56
struct ebt_u_entry *entries;
62
unsigned short change; /* determines incremental/decremental/change */
63
struct ebt_cntchanges *prev;
64
struct ebt_cntchanges *next;
67
#define EBT_ORI_MAX_CHAINS 10
70
char name[EBT_TABLE_MAXNAMELEN];
71
unsigned int valid_hooks;
72
/* nr of rules in the table */
73
unsigned int nentries;
74
unsigned int num_chains;
75
unsigned int max_chains;
76
struct ebt_u_entries **chains;
77
/* nr of counters userspace expects back */
78
unsigned int num_counters;
79
/* where the kernel will put the old counters */
80
struct ebt_counter *counters;
82
* can be used e.g. to know if a standard option
83
* has been specified twice
86
/* we stick the specified command (e.g. -A) in here */
89
* here we stick the chain to do our thing on (can be -1 if unspecified)
92
/* used for the atomic option */
94
/* tells what happened to the old rules (counter changes) */
95
struct ebt_cntchanges *cc;
100
char name[EBT_TABLE_MAXNAMELEN];
101
void (*check)(struct ebt_u_replace *repl);
102
void (*help)(const char **);
103
struct ebt_u_table *next;
106
struct ebt_u_match_list
108
struct ebt_u_match_list *next;
109
struct ebt_entry_match *m;
112
struct ebt_u_watcher_list
114
struct ebt_u_watcher_list *next;
115
struct ebt_entry_watcher *w;
120
unsigned int bitmask;
121
unsigned int invflags;
124
char logical_in[IFNAMSIZ];
126
char logical_out[IFNAMSIZ];
127
unsigned char sourcemac[ETH_ALEN];
128
unsigned char sourcemsk[ETH_ALEN];
129
unsigned char destmac[ETH_ALEN];
130
unsigned char destmsk[ETH_ALEN];
131
struct ebt_u_match_list *m_list;
132
struct ebt_u_watcher_list *w_list;
133
struct ebt_entry_target *t;
134
struct ebt_u_entry *prev;
135
struct ebt_u_entry *next;
136
struct ebt_counter cnt;
137
struct ebt_counter cnt_surplus; /* for increasing/decreasing a counter and for option 'C' */
138
struct ebt_cntchanges *cc;
139
/* the standard target needs this to know the name of a udc when
140
* printing out rules. */
141
struct ebt_u_replace *replace;
146
char name[EBT_FUNCTION_MAXNAMELEN];
147
/* size of the real match data */
150
void (*init)(struct ebt_entry_match *m);
151
int (*parse)(int c, char **argv, int argc,
152
const struct ebt_u_entry *entry, unsigned int *flags,
153
struct ebt_entry_match **match);
154
void (*final_check)(const struct ebt_u_entry *entry,
155
const struct ebt_entry_match *match,
156
const char *name, unsigned int hookmask, unsigned int time);
157
void (*print)(const struct ebt_u_entry *entry,
158
const struct ebt_entry_match *match);
159
int (*compare)(const struct ebt_entry_match *m1,
160
const struct ebt_entry_match *m2);
161
const struct option *extra_ops;
163
* can be used e.g. to check for multiple occurance of the same option
166
unsigned int option_offset;
167
struct ebt_entry_match *m;
169
* if used == 1 we no longer have to add it to
170
* the match chain of the new entry
171
* be sure to put it back on 0 when finished
174
struct ebt_u_match *next;
179
char name[EBT_FUNCTION_MAXNAMELEN];
182
void (*init)(struct ebt_entry_watcher *w);
183
int (*parse)(int c, char **argv, int argc,
184
const struct ebt_u_entry *entry, unsigned int *flags,
185
struct ebt_entry_watcher **watcher);
186
void (*final_check)(const struct ebt_u_entry *entry,
187
const struct ebt_entry_watcher *watch, const char *name,
188
unsigned int hookmask, unsigned int time);
189
void (*print)(const struct ebt_u_entry *entry,
190
const struct ebt_entry_watcher *watcher);
191
int (*compare)(const struct ebt_entry_watcher *w1,
192
const struct ebt_entry_watcher *w2);
193
const struct option *extra_ops;
195
unsigned int option_offset;
196
struct ebt_entry_watcher *w;
198
struct ebt_u_watcher *next;
203
char name[EBT_FUNCTION_MAXNAMELEN];
206
void (*init)(struct ebt_entry_target *t);
207
int (*parse)(int c, char **argv, int argc,
208
const struct ebt_u_entry *entry, unsigned int *flags,
209
struct ebt_entry_target **target);
210
void (*final_check)(const struct ebt_u_entry *entry,
211
const struct ebt_entry_target *target, const char *name,
212
unsigned int hookmask, unsigned int time);
213
void (*print)(const struct ebt_u_entry *entry,
214
const struct ebt_entry_target *target);
215
int (*compare)(const struct ebt_entry_target *t1,
216
const struct ebt_entry_target *t2);
217
const struct option *extra_ops;
218
unsigned int option_offset;
220
struct ebt_entry_target *t;
222
struct ebt_u_target *next;
227
extern struct ebt_u_table *ebt_tables;
228
extern struct ebt_u_match *ebt_matches;
229
extern struct ebt_u_watcher *ebt_watchers;
230
extern struct ebt_u_target *ebt_targets;
232
void ebt_register_table(struct ebt_u_table *);
233
void ebt_register_match(struct ebt_u_match *);
234
void ebt_register_watcher(struct ebt_u_watcher *);
235
void ebt_register_target(struct ebt_u_target *t);
236
int ebt_get_kernel_table(struct ebt_u_replace *replace, int init);
237
struct ebt_u_target *ebt_find_target(const char *name);
238
struct ebt_u_match *ebt_find_match(const char *name);
239
struct ebt_u_watcher *ebt_find_watcher(const char *name);
240
struct ebt_u_table *ebt_find_table(const char *name);
241
int ebtables_insmod(const char *modname);
242
void ebt_list_extensions(void);
243
void ebt_initialize_entry(struct ebt_u_entry *e);
244
void ebt_cleanup_replace(struct ebt_u_replace *replace);
245
void ebt_reinit_extensions(void);
246
void ebt_double_chains(struct ebt_u_replace *replace);
247
void ebt_free_u_entry(struct ebt_u_entry *e);
248
struct ebt_u_entries *ebt_name_to_chain(const struct ebt_u_replace *replace,
250
struct ebt_u_entries *ebt_name_to_chain(const struct ebt_u_replace *replace,
252
int ebt_get_chainnr(const struct ebt_u_replace *replace, const char* arg);
254
void ebt_change_policy(struct ebt_u_replace *replace, int policy);
255
void ebt_flush_chains(struct ebt_u_replace *replace);
256
int ebt_check_rule_exists(struct ebt_u_replace *replace,
257
struct ebt_u_entry *new_entry);
258
void ebt_add_rule(struct ebt_u_replace *replace, struct ebt_u_entry *new_entry,
260
void ebt_delete_rule(struct ebt_u_replace *replace,
261
struct ebt_u_entry *new_entry, int begin, int end);
262
void ebt_zero_counters(struct ebt_u_replace *replace);
263
void ebt_change_counters(struct ebt_u_replace *replace,
264
struct ebt_u_entry *new_entry, int begin, int end,
265
struct ebt_counter *cnt, int mask);
266
void ebt_new_chain(struct ebt_u_replace *replace, const char *name, int policy);
267
void ebt_delete_chain(struct ebt_u_replace *replace);
268
void ebt_rename_chain(struct ebt_u_replace *replace, const char *name);
270
void ebt_do_final_checks(struct ebt_u_replace *replace, struct ebt_u_entry *e,
271
struct ebt_u_entries *entries);
272
int ebt_check_for_references(struct ebt_u_replace *replace, int print_err);
273
int ebt_check_for_references2(struct ebt_u_replace *replace, int chain_nr,
275
void ebt_check_for_loops(struct ebt_u_replace *replace);
276
void ebt_add_match(struct ebt_u_entry *new_entry, struct ebt_u_match *m);
277
void ebt_add_watcher(struct ebt_u_entry *new_entry, struct ebt_u_watcher *w);
278
void ebt_iterate_matches(void (*f)(struct ebt_u_match *));
279
void ebt_iterate_watchers(void (*f)(struct ebt_u_watcher *));
280
void ebt_iterate_targets(void (*f)(struct ebt_u_target *));
281
void __ebt_print_bug(char *file, int line, char *format, ...);
282
void __ebt_print_error(char *format, ...);
284
/* communication.c */
286
int ebt_get_table(struct ebt_u_replace *repl, int init);
287
void ebt_deliver_counters(struct ebt_u_replace *repl);
288
void ebt_deliver_table(struct ebt_u_replace *repl);
290
/* useful_functions.c */
292
extern int ebt_invert;
293
void ebt_check_option(unsigned int *flags, unsigned int mask);
294
#define ebt_check_inverse(arg) _ebt_check_inverse(arg, argc, argv)
295
int _ebt_check_inverse(const char option[], int argc, char **argv);
296
void ebt_print_mac(const unsigned char *mac);
297
void ebt_print_mac_and_mask(const unsigned char *mac, const unsigned char *mask);
298
int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask);
299
void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t *msk);
300
char *ebt_mask_to_dotted(uint32_t mask);
301
void ebt_parse_ip6_address(char *address, struct in6_addr *addr,
302
struct in6_addr *msk);
303
char *ebt_ip6_to_numeric(const struct in6_addr *addrp);
306
int do_command(int argc, char *argv[], int exec_style,
307
struct ebt_u_replace *replace_);
309
struct ethertypeent *parseethertypebynumber(int type);
311
#define ebt_to_chain(repl) \
312
({struct ebt_u_entries *_ch = NULL; \
313
if (repl->selected_chain != -1) \
314
_ch = repl->chains[repl->selected_chain]; \
316
#define ebt_print_bug(format, args...) \
317
__ebt_print_bug(__FILE__, __LINE__, format, ##args)
318
#define ebt_print_error(format,args...) __ebt_print_error(format, ##args);
319
#define ebt_print_error2(format, args...) do {__ebt_print_error(format, ##args); \
320
return -1;} while (0)
321
#define ebt_check_option2(flags,mask) \
322
({ebt_check_option(flags,mask); \
323
if (ebt_errormsg[0] != '\0') \
325
#define ebt_check_inverse2(option) \
326
({int __ret = ebt_check_inverse(option); \
327
if (ebt_errormsg[0] != '\0') \
330
__ebt_print_error("Option without (mandatory) argument"); \
334
#define ebt_print_memory() do {printf("Ebtables: " __FILE__ \
335
" %s %d :Out of memory.\n", __FUNCTION__, __LINE__); exit(-1);} while (0)
337
/* used for keeping the rule counters right during rule adds or deletes */
343
extern const char *ebt_hooknames[NF_BR_NUMHOOKS];
344
extern const char *ebt_standard_targets[NUM_STANDARD_TARGETS];
345
extern char ebt_errormsg[ERRORMSG_MAXLEN];
346
extern char *ebt_modprobe;
347
extern int ebt_silent;
348
extern int ebt_printstyle_mac;
351
* Transforms a target string into the right integer,
352
* returns 0 on success.
354
#define FILL_TARGET(_str, _pos) ({ \
356
for (_i = 0; _i < NUM_STANDARD_TARGETS; _i++) \
357
if (!strcmp(_str, ebt_standard_targets[_i])) {\
361
if (_i == NUM_STANDARD_TARGETS) \
366
/* Transforms the target value to an index into standard_targets[] */
367
#define TARGET_INDEX(_value) (-_value - 1)
368
/* Returns a target string corresponding to the value */
369
#define TARGET_NAME(_value) (ebt_standard_targets[TARGET_INDEX(_value)])
370
/* True if the hook mask denotes that the rule is in a base chain */
371
#define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS))
372
/* Clear the bit in the hook_mask that tells if the rule is on a base chain */
373
#define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS))
374
#define PRINT_VERSION printf(PROGNAME" v"PROGVERSION" ("PROGDATE")\n")
375
#ifndef PROC_SYS_MODPROBE
376
#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
378
#define ATOMIC_ENV_VARIABLE "EBTABLES_ATOMIC_FILE"
379
#endif /* EBTABLES_U_H */