From 902e92ceedba96d3241fa8ff701c061cd53a197d Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 9 Oct 2014 20:11:16 +0200 Subject: ebtables-compat: use ebtables_command_state in bootstrap code And introduce fake ebt_entry. This gets the code in sync in other existing compat tools. This will likely allow to consolidate common infrastructure. This code is still quite experimental. Signed-off-by: Pablo Neira Ayuso --- iptables/nft-bridge.h | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 iptables/nft-bridge.h (limited to 'iptables/nft-bridge.h') diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h new file mode 100644 index 00000000..1e3f0a16 --- /dev/null +++ b/iptables/nft-bridge.h @@ -0,0 +1,98 @@ +#ifndef _NFT_BRIDGE_H_ +#define _NFT_BRIDGE_H_ + +#include +//#include +#include + +/* We use replace->flags, so we can't use the following values: + * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */ +#define LIST_N 0x04 +#define LIST_C 0x08 +#define LIST_X 0x10 +#define LIST_MAC2 0x20 + +/* Be backwards compatible, so don't use '+' in kernel */ +#define IF_WILDCARD 1 + +extern unsigned char eb_mac_type_unicast[ETH_ALEN]; +extern unsigned char eb_msk_type_unicast[ETH_ALEN]; +extern unsigned char eb_mac_type_multicast[ETH_ALEN]; +extern unsigned char eb_msk_type_multicast[ETH_ALEN]; +extern unsigned char eb_mac_type_broadcast[ETH_ALEN]; +extern unsigned char eb_msk_type_broadcast[ETH_ALEN]; +extern unsigned char eb_mac_type_bridge_group[ETH_ALEN]; +extern unsigned char eb_msk_type_bridge_group[ETH_ALEN]; + +int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mask); + +/* From: include/linux/netfilter_bridge/ebtables.h + * + * Adapted for the need of the ebtables-compat. + */ + +#define EBT_TABLE_MAXNAMELEN 32 +#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN +#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN + +/* verdicts >0 are "branches" */ +#define EBT_ACCEPT -1 +#define EBT_DROP -2 +#define EBT_CONTINUE -3 +#define EBT_RETURN -4 +#define NUM_STANDARD_TARGETS 4 + +#define EBT_ENTRY_OR_ENTRIES 0x01 +/* these are the normal masks */ +#define EBT_NOPROTO 0x02 +#define EBT_802_3 0x04 +#define EBT_SOURCEMAC 0x08 +#define EBT_DESTMAC 0x10 +#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \ + | EBT_ENTRY_OR_ENTRIES) + +#define EBT_IPROTO 0x01 +#define EBT_IIN 0x02 +#define EBT_IOUT 0x04 +#define EBT_ISOURCE 0x8 +#define EBT_IDEST 0x10 +#define EBT_ILOGICALIN 0x20 +#define EBT_ILOGICALOUT 0x40 +#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ + | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) + +/* Fake ebt_entry */ +struct ebt_entry { + /* this needs to be the first field */ + unsigned int bitmask; + unsigned int invflags; + uint16_t ethproto; + /* the physical in-dev */ + char in[IFNAMSIZ]; + /* the logical in-dev */ + char logical_in[IFNAMSIZ]; + /* the physical out-dev */ + char out[IFNAMSIZ]; + /* the logical out-dev */ + char logical_out[IFNAMSIZ]; + unsigned char sourcemac[ETH_ALEN]; + unsigned char sourcemsk[ETH_ALEN]; + unsigned char destmac[ETH_ALEN]; + unsigned char destmsk[ETH_ALEN]; + + unsigned char in_mask[IFNAMSIZ]; + unsigned char out_mask[IFNAMSIZ]; +}; + +struct ebtables_command_state { + struct ebt_entry fw; + struct xtables_target *target; + struct xtables_rule_match *matches; + const char *jumpto; + struct xt_counters counters; +}; + +void nft_rule_to_ebtables_command_state(struct nft_rule *r, + struct ebtables_command_state *cs); + +#endif -- cgit v1.2.3 From 6aa7d1c26d0a3b0c909bbf13aa0ef6b179615433 Mon Sep 17 00:00:00 2001 From: Arturo Borrero Date: Wed, 17 Dec 2014 12:06:56 +0100 Subject: extensions: add ebt 802_3 extension This patch adds the first ebtables extension to ebtables-compat. The original 802_3 code is adapted to the xtables environment. I tried to mimic as much as possible the original ebtables code paths. With this patch, ebtables-compat is able to send the 802_3 match to the kernel, but the kernel-to-userspace path is not tested and should be adjusted in follow-up patches. Signed-off-by: Arturo Borrero Gonzalez Signed-off-by: Pablo Neira Ayuso --- iptables/nft-bridge.h | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'iptables/nft-bridge.h') diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h index 1e3f0a16..fd8bc9f1 100644 --- a/iptables/nft-bridge.h +++ b/iptables/nft-bridge.h @@ -90,6 +90,12 @@ struct ebtables_command_state { struct xtables_rule_match *matches; const char *jumpto; struct xt_counters counters; + int invert; + int c; + char **argv; + int proto_used; + char *protocol; + unsigned int options; }; void nft_rule_to_ebtables_command_state(struct nft_rule *r, -- cgit v1.2.3 From 42cfeee024d0ba0c6b15645f829273ee3dcfa5c6 Mon Sep 17 00:00:00 2001 From: Arturo Borrero Date: Fri, 26 Dec 2014 13:49:52 +0100 Subject: ebtables-compat: fix printing of extension This patch fix printing of ebt extensions: % sudo ebtables-compat -L [...] Bridge chain: FORWARD, entries: 1, policy: ACCEPT --802_3-type 0x0012 -j ACCEPT [...] Signed-off-by: Arturo Borrero Gonzalez Signed-off-by: Pablo Neira Ayuso --- iptables/nft-bridge.h | 1 + 1 file changed, 1 insertion(+) (limited to 'iptables/nft-bridge.h') diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h index fd8bc9f1..83575432 100644 --- a/iptables/nft-bridge.h +++ b/iptables/nft-bridge.h @@ -4,6 +4,7 @@ #include //#include #include +#include /* We use replace->flags, so we can't use the following values: * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */ -- cgit v1.2.3 From db0e29a96982806c98eb5525e2b5edf48935c857 Mon Sep 17 00:00:00 2001 From: Arturo Borrero Date: Tue, 3 Feb 2015 17:58:17 +0100 Subject: ebtables-compat: finish target infrastructure Signed-off-by: Arturo Borrero Signed-off-by: Pablo Neira Ayuso --- iptables/nft-bridge.h | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) (limited to 'iptables/nft-bridge.h') diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h index 83575432..cd63c11a 100644 --- a/iptables/nft-bridge.h +++ b/iptables/nft-bridge.h @@ -4,7 +4,9 @@ #include //#include #include +#include #include +#include /* We use replace->flags, so we can't use the following values: * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */ @@ -62,6 +64,12 @@ int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mas #define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) +/* ebtables target modules store the verdict inside an int. We can + * reclaim a part of this int for backwards compatible extensions. + * The 4 lsb are more than enough to store the verdict. + */ +#define EBT_VERDICT_BITS 0x0000000F + /* Fake ebt_entry */ struct ebt_entry { /* this needs to be the first field */ @@ -102,4 +110,49 @@ struct ebtables_command_state { void nft_rule_to_ebtables_command_state(struct nft_rule *r, struct ebtables_command_state *cs); +static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = { + "ACCEPT", + "DROP", + "CONTINUE", + "RETURN", +}; + +static inline const char *nft_ebt_standard_target(unsigned int num) +{ + if (num > NUM_STANDARD_TARGETS) + return NULL; + + return ebt_standard_targets[num]; +} + +static inline int ebt_fill_target(const char *str, unsigned int *verdict) +{ + int i, ret = 0; + + for (i = 0; i < NUM_STANDARD_TARGETS; i++) { + if (!strcmp(str, nft_ebt_standard_target(i))) { + *verdict = -i - 1; + break; + } + } + + if (i == NUM_STANDARD_TARGETS) + ret = 1; + + return ret; +} + +static inline const char *ebt_target_name(unsigned int verdict) +{ + return nft_ebt_standard_target(-verdict - 1); +} + +#define EBT_CHECK_OPTION(flags, mask) ({ \ + if (*flags & mask) \ + xtables_error(PARAMETER_PROBLEM, \ + "Multiple use of same " \ + "option not allowed"); \ + *flags |= mask; \ +}) \ + #endif -- cgit v1.2.3 From fe97f60e5d2a968638286036db67e3a4e17f095d Mon Sep 17 00:00:00 2001 From: Arturo Borrero Date: Mon, 9 Feb 2015 13:16:12 +0100 Subject: ebtables-compat: add watchers support ebtables watchers are targets which always return EBT_CONTINUE. Signed-off-by: Arturo Borrero Gonzalez Signed-off-by: Pablo Neira Ayuso --- iptables/nft-bridge.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'iptables/nft-bridge.h') diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h index cd63c11a..1c4a96ea 100644 --- a/iptables/nft-bridge.h +++ b/iptables/nft-bridge.h @@ -93,10 +93,21 @@ struct ebt_entry { unsigned char out_mask[IFNAMSIZ]; }; +/* trick for ebtables-compat, since watchers are targets */ +struct ebt_match { + struct ebt_match *next; + union { + struct xtables_match *match; + struct xtables_target *watcher; + } u; + bool ismatch; +}; + struct ebtables_command_state { struct ebt_entry fw; struct xtables_target *target; struct xtables_rule_match *matches; + struct ebt_match *match_list; const char *jumpto; struct xt_counters counters; int invert; @@ -155,4 +166,6 @@ static inline const char *ebt_target_name(unsigned int verdict) *flags |= mask; \ }) \ +void ebt_cs_clean(struct ebtables_command_state *cs); + #endif -- cgit v1.2.3