Diffstat (limited to 'iptables/nft-bridge.h')
-rw-r--r--iptables/nft-bridge.h53
1 files changed, 53 insertions, 0 deletions
diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
index 83575432..cd63c11a 100644
--- a/iptables/nft-bridge.h
+++ b/iptables/nft-bridge.h
@@ -4,7 +4,9 @@
#include <netinet/in.h>
//#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/nf_tables.h>
#include <net/ethernet.h>
+#include <libiptc/libxtc.h>
/* We use replace->flags, so we can't use the following values:
* 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */
@@ -62,6 +64,12 @@ int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mas
#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
| EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
+/* ebtables target modules store the verdict inside an int. We can
+ * reclaim a part of this int for backwards compatible extensions.
+ * The 4 lsb are more than enough to store the verdict.
+ */
+#define EBT_VERDICT_BITS 0x0000000F
+
/* Fake ebt_entry */
struct ebt_entry {
/* this needs to be the first field */
@@ -102,4 +110,49 @@ struct ebtables_command_state {
void nft_rule_to_ebtables_command_state(struct nft_rule *r,
struct ebtables_command_state *cs);
+static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
+ "ACCEPT",
+ "DROP",
+ "CONTINUE",
+ "RETURN",
+};
+
+static inline const char *nft_ebt_standard_target(unsigned int num)
+{
+ if (num > NUM_STANDARD_TARGETS)
+ return NULL;
+
+ return ebt_standard_targets[num];
+}
+
+static inline int ebt_fill_target(const char *str, unsigned int *verdict)
+{
+ int i, ret = 0;
+
+ for (i = 0; i < NUM_STANDARD_TARGETS; i++) {
+ if (!strcmp(str, nft_ebt_standard_target(i))) {
+ *verdict = -i - 1;
+ break;
+ }
+ }
+
+ if (i == NUM_STANDARD_TARGETS)
+ ret = 1;
+
+ return ret;
+}
+
+static inline const char *ebt_target_name(unsigned int verdict)
+{
+ return nft_ebt_standard_target(-verdict - 1);
+}
+
+#define EBT_CHECK_OPTION(flags, mask) ({ \
+ if (*flags & mask) \
+ xtables_error(PARAMETER_PROBLEM, \
+ "Multiple use of same " \
+ "option not allowed"); \
+ *flags |= mask; \
+}) \
+
#endif
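Review bot: The bounds check in `nft_ebt_standard_target` is off by one: `if (num > NUM_STANDARD_TARGETS)` lets `num == NUM_STANDARD_TARGETS` through, so `ebt_standard_targets[num]` reads one slot past the end of the array. It should be `if (num >= NUM_STANDARD_TARGETS)`. `ebt_target_name` reaches this path with `-verdict - 1` computed on an unsigned value, so a verdict that does not name a standard target (for example one read back from a rule, or one carrying the extension bits that `EBT_VERDICT_BITS` reserves) depends entirely on this check. Callers also have to handle the NULL return before printing or comparing the name. Separately, `EBT_CHECK_OPTION` uses its arguments unparenthesized; `if (*(flags) & (mask))` and `*(flags) |= (mask);` would be safer, and the trailing backslash after `})` should go, since the macro now silently continues onto the following blank line.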