/*
|
* (C) 2014 by Giuseppe Longo <giuseppelng@gmail.com>
|
*
|
* This program is free software; you can redistribute it and/or modify
|
* it under the terms of the GNU General Public License as published by
|
* the Free Software Foundation; either version 2 of the License, or
|
* (at your option) any later version.
|
*/
|
|
#include <stdio.h>
|
#include <stdlib.h>
|
#include <string.h>
|
#include <netinet/ether.h>
|
#include <inttypes.h>
|
|
#include <xtables.h>
|
#include <libiptc/libxtc.h>
|
#include <linux/netfilter/nf_tables.h>
|
#include <ebtables/ethernetdb.h>
|
|
#include "nft-shared.h"
|
#include "nft-bridge.h"
|
#include "nft.h"
|
|
void ebt_cs_clean(struct ebtables_command_state *cs)
|
{
|
struct ebt_match *m, *nm;
|
|
xtables_rule_matches_free(&cs->matches);
|
|
for (m = cs->match_list; m;) {
|
nm = m->next;
|
if (!m->ismatch)
|
free(m->u.watcher->t);
|
free(m);
|
m = nm;
|
}
|
}
|
|
/* 0: default, print only 2 digits if necessary
|
* 2: always print 2 digits, a printed mac address
|
* then always has the same length
|
*/
|
int ebt_printstyle_mac;
|
|
static void ebt_print_mac(const unsigned char *mac)
|
{
|
if (ebt_printstyle_mac == 2) {
|
int j;
|
for (j = 0; j < ETH_ALEN; j++)
|
printf("%02x%s", mac[j],
|
(j==ETH_ALEN-1) ? "" : ":");
|
} else
|
printf("%s", ether_ntoa((struct ether_addr *) mac));
|
}
|
|
/* Put the mac address into 6 (ETH_ALEN) bytes returns 0 on success. */
|
static void ebt_print_mac_and_mask(const unsigned char *mac, const unsigned char *mask)
|
{
|
char hlpmsk[6] = {};
|
|
if (!memcmp(mac, eb_mac_type_unicast, 6) &&
|
!memcmp(mask, eb_msk_type_unicast, 6))
|
printf("Unicast");
|
else if (!memcmp(mac, eb_mac_type_multicast, 6) &&
|
!memcmp(mask, eb_msk_type_multicast, 6))
|
printf("Multicast");
|
else if (!memcmp(mac, eb_mac_type_broadcast, 6) &&
|
!memcmp(mask, eb_msk_type_broadcast, 6))
|
printf("Broadcast");
|
else if (!memcmp(mac, eb_mac_type_bridge_group, 6) &&
|
!memcmp(mask, eb_msk_type_bridge_group, 6))
|
printf("BGA");
|
else {
|
ebt_print_mac(mac);
|
if (memcmp(mask, hlpmsk, 6)) {
|
printf("/");
|
ebt_print_mac(mask);
|
}
|
}
|
}
|
|
static uint16_t ipt_to_ebt_flags(uint8_t invflags)
|
{
|
uint16_t result = 0;
|
|
if (invflags & IPT_INV_VIA_IN)
|
result |= EBT_IIN;
|
|
if (invflags & IPT_INV_VIA_OUT)
|
result |= EBT_IOUT;
|
|
if (invflags & IPT_INV_PROTO)
|
result |= EBT_IPROTO;
|
|
return result;
|
}
|
|
static void add_logical_iniface(struct nftnl_rule *r, char *iface, uint32_t op)
|
{
|
int iface_len;
|
|
iface_len = strlen(iface);
|
|
add_meta(r, NFT_META_BRI_IIFNAME);
|
if (iface[iface_len - 1] == '+')
|
add_cmp_ptr(r, op, iface, iface_len - 1);
|
else
|
add_cmp_ptr(r, op, iface, iface_len + 1);
|
}
|
|
static void add_logical_outiface(struct nftnl_rule *r, char *iface, uint32_t op)
|
{
|
int iface_len;
|
|
iface_len = strlen(iface);
|
|
add_meta(r, NFT_META_BRI_OIFNAME);
|
if (iface[iface_len - 1] == '+')
|
add_cmp_ptr(r, op, iface, iface_len - 1);
|
else
|
add_cmp_ptr(r, op, iface, iface_len + 1);
|
}
|
|
/* TODO: Use generic add_action() once we convert this to use
|
* iptables_command_state.
|
*/
|
static int _add_action(struct nftnl_rule *r, struct ebtables_command_state *cs)
|
{
|
int ret = 0;
|
|
if (cs->jumpto == NULL || strcmp(cs->jumpto, "CONTINUE") == 0)
|
return 0;
|
|
/* If no target at all, add nothing (default to continue) */
|
if (cs->target != NULL) {
|
/* Standard target? */
|
if (strcmp(cs->jumpto, XTC_LABEL_ACCEPT) == 0)
|
ret = add_verdict(r, NF_ACCEPT);
|
else if (strcmp(cs->jumpto, XTC_LABEL_DROP) == 0)
|
ret = add_verdict(r, NF_DROP);
|
else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0)
|
ret = add_verdict(r, NFT_RETURN);
|
else
|
ret = add_target(r, cs->target->t);
|
} else if (strlen(cs->jumpto) > 0) {
|
/* Not standard, then it's a jump to chain */
|
ret = add_jumpto(r, cs->jumpto, NFT_JUMP);
|
}
|
|
return ret;
|
}
|
|
static int nft_bridge_add(struct nftnl_rule *r, void *data)
|
{
|
struct ebtables_command_state *cs = data;
|
struct ebt_match *iter;
|
struct ebt_entry *fw = &cs->fw;
|
uint32_t op;
|
char *addr;
|
|
if (fw->in[0] != '\0') {
|
op = nft_invflags2cmp(fw->invflags, EBT_IIN);
|
add_iniface(r, fw->in, op);
|
}
|
|
if (fw->out[0] != '\0') {
|
op = nft_invflags2cmp(fw->invflags, EBT_IOUT);
|
add_outiface(r, fw->out, op);
|
}
|
|
if (fw->logical_in[0] != '\0') {
|
op = nft_invflags2cmp(fw->invflags, EBT_ILOGICALIN);
|
add_logical_iniface(r, fw->logical_in, op);
|
}
|
|
if (fw->logical_out[0] != '\0') {
|
op = nft_invflags2cmp(fw->invflags, EBT_ILOGICALOUT);
|
add_logical_outiface(r, fw->logical_out, op);
|
}
|
|
addr = ether_ntoa((struct ether_addr *) fw->sourcemac);
|
if (strcmp(addr, "0:0:0:0:0:0") != 0) {
|
op = nft_invflags2cmp(fw->invflags, EBT_ISOURCE);
|
add_payload(r, offsetof(struct ethhdr, h_source), 6,
|
NFT_PAYLOAD_LL_HEADER);
|
add_cmp_ptr(r, op, fw->sourcemac, 6);
|
}
|
|
addr = ether_ntoa((struct ether_addr *) fw->destmac);
|
if (strcmp(addr, "0:0:0:0:0:0") != 0) {
|
op = nft_invflags2cmp(fw->invflags, EBT_IDEST);
|
add_payload(r, offsetof(struct ethhdr, h_dest), 6,
|
NFT_PAYLOAD_LL_HEADER);
|
add_cmp_ptr(r, op, fw->destmac, 6);
|
}
|
|
if (fw->ethproto != 0) {
|
op = nft_invflags2cmp(fw->invflags, EBT_IPROTO);
|
add_payload(r, offsetof(struct ethhdr, h_proto), 2,
|
NFT_PAYLOAD_LL_HEADER);
|
add_cmp_u16(r, fw->ethproto, op);
|
}
|
|
add_compat(r, fw->ethproto, fw->invflags);
|
|
for (iter = cs->match_list; iter; iter = iter->next) {
|
if (iter->ismatch) {
|
if (add_match(r, iter->u.match->m))
|
break;
|
} else {
|
if (add_target(r, iter->u.watcher->t))
|
break;
|
}
|
}
|
|
if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
|
return -1;
|
|
return _add_action(r, cs);
|
}
|
|
static void nft_bridge_parse_meta(struct nft_xt_ctx *ctx,
|
struct nftnl_expr *e, void *data)
|
{
|
struct ebtables_command_state *cs = data;
|
struct ebt_entry *fw = &cs->fw;
|
uint8_t flags = 0;
|
int iface = 0;
|
const void *ifname;
|
uint32_t len;
|
|
iface = parse_meta(e, ctx->meta.key, fw->in, fw->in_mask,
|
fw->out, fw->out_mask, &flags);
|
if (!iface)
|
goto out;
|
|
switch (ctx->meta.key) {
|
case NFT_META_BRI_IIFNAME:
|
ifname = nftnl_expr_get(e, NFTNL_EXPR_CMP_DATA, &len);
|
if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ)
|
flags |= IPT_INV_VIA_IN;
|
|
memcpy(fw->logical_in, ifname, len);
|
|
if (fw->logical_in[len] == '\0')
|
memset(fw->in_mask, 0xff, len);
|
else {
|
fw->logical_in[len] = '+';
|
fw->logical_in[len+1] = '\0';
|
memset(fw->in_mask, 0xff, len + 1);
|
}
|
break;
|
case NFT_META_BRI_OIFNAME:
|
ifname = nftnl_expr_get(e, NFTNL_EXPR_CMP_DATA, &len);
|
if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ)
|
flags |= IPT_INV_VIA_OUT;
|
|
memcpy(fw->logical_out, ifname, len);
|
|
if (fw->logical_out[len] == '\0')
|
memset(fw->out_mask, 0xff, len);
|
else {
|
fw->logical_out[len] = '+';
|
fw->logical_out[len+1] = '\0';
|
memset(fw->out_mask, 0xff, len + 1);
|
}
|
break;
|
default:
|
break;
|
}
|
|
out:
|
fw->invflags |= ipt_to_ebt_flags(flags);
|
}
|
|
static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
|
struct nftnl_expr *e, void *data)
|
{
|
struct ebtables_command_state *cs = data;
|
struct ebt_entry *fw = &cs->fw;
|
unsigned char addr[ETH_ALEN];
|
unsigned short int ethproto;
|
bool inv;
|
int i;
|
|
switch (ctx->payload.offset) {
|
case offsetof(struct ethhdr, h_dest):
|
get_cmp_data(e, addr, sizeof(addr), &inv);
|
for (i = 0; i < ETH_ALEN; i++)
|
fw->destmac[i] = addr[i];
|
if (inv)
|
fw->invflags |= EBT_IDEST;
|
break;
|
case offsetof(struct ethhdr, h_source):
|
get_cmp_data(e, addr, sizeof(addr), &inv);
|
for (i = 0; i < ETH_ALEN; i++)
|
fw->sourcemac[i] = addr[i];
|
if (inv)
|
fw->invflags |= EBT_ISOURCE;
|
break;
|
case offsetof(struct ethhdr, h_proto):
|
get_cmp_data(e, ðproto, sizeof(ethproto), &inv);
|
fw->ethproto = ethproto;
|
if (inv)
|
fw->invflags |= EBT_IPROTO;
|
break;
|
}
|
}
|
|
static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto,
|
void *data)
|
{
|
struct ebtables_command_state *cs = data;
|
|
cs->jumpto = jumpto;
|
}
|
|
static void parse_watcher(void *object, struct ebt_match **match_list,
|
bool ismatch)
|
{
|
struct ebt_match *m;
|
|
m = calloc(1, sizeof(struct ebt_match));
|
if (m == NULL)
|
xtables_error(OTHER_PROBLEM, "Can't allocate memory");
|
|
if (ismatch)
|
m->u.match = object;
|
else
|
m->u.watcher = object;
|
|
m->ismatch = ismatch;
|
if (*match_list == NULL)
|
*match_list = m;
|
else
|
(*match_list)->next = m;
|
}
|
|
static void nft_bridge_parse_match(struct xtables_match *m, void *data)
|
{
|
struct ebtables_command_state *cs = data;
|
|
parse_watcher(m, &cs->match_list, true);
|
}
|
|
static void nft_bridge_parse_target(struct xtables_target *t, void *data)
|
{
|
struct ebtables_command_state *cs = data;
|
|
/* harcoded names :-( */
|
if (strcmp(t->name, "log") == 0 ||
|
strcmp(t->name, "nflog") == 0) {
|
parse_watcher(t, &cs->match_list, false);
|
return;
|
}
|
|
cs->target = t;
|
}
|
|
void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
|
struct ebtables_command_state *cs)
|
{
|
struct nftnl_expr_iter *iter;
|
struct nftnl_expr *expr;
|
int family = nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY);
|
struct nft_xt_ctx ctx = {
|
.state.cs_eb = cs,
|
.family = family,
|
};
|
|
iter = nftnl_expr_iter_create(r);
|
if (iter == NULL)
|
return;
|
|
expr = nftnl_expr_iter_next(iter);
|
while (expr != NULL) {
|
const char *name =
|
nftnl_expr_get_str(expr, NFTNL_EXPR_NAME);
|
|
if (strcmp(name, "counter") == 0)
|
nft_parse_counter(expr, &cs->counters);
|
else if (strcmp(name, "payload") == 0)
|
nft_parse_payload(&ctx, expr);
|
else if (strcmp(name, "meta") == 0)
|
nft_parse_meta(&ctx, expr);
|
else if (strcmp(name, "bitwise") == 0)
|
nft_parse_bitwise(&ctx, expr);
|
else if (strcmp(name, "cmp") == 0)
|
nft_parse_cmp(&ctx, expr);
|
else if (strcmp(name, "immediate") == 0)
|
nft_parse_immediate(&ctx, expr);
|
else if (strcmp(name, "match") == 0)
|
nft_parse_match(&ctx, expr);
|
else if (strcmp(name, "target") == 0)
|
nft_parse_target(&ctx, expr);
|
|
expr = nftnl_expr_iter_next(iter);
|
}
|
|
nftnl_expr_iter_destroy(iter);
|
|
if (cs->jumpto != NULL)
|
return;
|
|
if (cs->target != NULL && cs->target->name != NULL)
|
cs->target = xtables_find_target(cs->target->name, XTF_TRY_LOAD);
|
else
|
cs->jumpto = "CONTINUE";
|
}
|
|
static void print_iface(const char *iface)
|
{
|
char *c;
|
|
if ((c = strchr(iface, IF_WILDCARD)))
|
*c = '+';
|
printf("%s ", iface);
|
if (c)
|
*c = IF_WILDCARD;
|
}
|
|
static void nft_bridge_print_table_header(const char *tablename)
|
{
|
printf("Bridge table: %s\n\n", tablename);
|
}
|
|
static void nft_bridge_print_header(unsigned int format, const char *chain,
|
const char *pol,
|
const struct xt_counters *counters,
|
bool basechain, uint32_t refs)
|
{
|
printf("Bridge chain: %s, entries: %u, policy: %s\n",
|
chain, refs, basechain ? pol : "RETURN");
|
}
|
|
static void nft_bridge_print_firewall(struct nftnl_rule *r, unsigned int num,
|
unsigned int format)
|
{
|
struct xtables_match *matchp;
|
struct xtables_target *watcherp;
|
struct ebt_match *m;
|
struct ebtables_command_state cs = {};
|
char *addr;
|
|
nft_rule_to_ebtables_command_state(r, &cs);
|
|
if (format & FMT_LINENUMBERS)
|
printf("%d ", num);
|
|
/* Dont print anything about the protocol if no protocol was
|
* specified, obviously this means any protocol will do. */
|
if (cs.fw.ethproto != 0) {
|
printf("-p ");
|
if (cs.fw.invflags & EBT_IPROTO)
|
printf("! ");
|
if (cs.fw.bitmask & EBT_802_3)
|
printf("Length ");
|
else {
|
struct ethertypeent *ent;
|
|
ent = getethertypebynumber(ntohs(cs.fw.ethproto));
|
if (!ent)
|
printf("0x%x ", ntohs(cs.fw.ethproto));
|
else
|
printf("%s ", ent->e_name);
|
}
|
}
|
|
addr = ether_ntoa((struct ether_addr *) cs.fw.sourcemac);
|
if (strcmp(addr, "0:0:0:0:0:0") != 0) {
|
printf("-s ");
|
if (cs.fw.invflags & EBT_ISOURCE)
|
printf("! ");
|
ebt_print_mac_and_mask(cs.fw.sourcemac, cs.fw.sourcemsk);
|
printf(" ");
|
}
|
|
addr = ether_ntoa((struct ether_addr *) cs.fw.destmac);
|
if (strcmp(addr, "0:0:0:0:0:0") != 0) {
|
printf("-d ");
|
if (cs.fw.invflags & EBT_IDEST)
|
printf("! ");
|
ebt_print_mac_and_mask(cs.fw.destmac, cs.fw.destmsk);
|
printf(" ");
|
}
|
|
if (cs.fw.in[0] != '\0') {
|
printf("-i ");
|
if (cs.fw.invflags & EBT_IIN)
|
printf("! ");
|
print_iface(cs.fw.in);
|
}
|
|
if (cs.fw.logical_in[0] != '\0') {
|
printf("--logical-in ");
|
if (cs.fw.invflags & EBT_ILOGICALIN)
|
printf("! ");
|
print_iface(cs.fw.logical_in);
|
}
|
|
if (cs.fw.logical_out[0] != '\0') {
|
printf("--logical-out ");
|
if (cs.fw.invflags & EBT_ILOGICALOUT)
|
printf("! ");
|
print_iface(cs.fw.logical_out);
|
}
|
|
if (cs.fw.out[0] != '\0') {
|
printf("-o ");
|
if (cs.fw.invflags & EBT_IOUT)
|
printf("! ");
|
print_iface(cs.fw.out);
|
}
|
|
for (m = cs.match_list; m; m = m->next) {
|
if (m->ismatch) {
|
matchp = m->u.match;
|
if (matchp->print != NULL) {
|
matchp->print(&cs.fw, matchp->m,
|
format & FMT_NUMERIC);
|
}
|
} else {
|
watcherp = m->u.watcher;
|
if (watcherp->print != NULL) {
|
watcherp->print(&cs.fw, watcherp->t,
|
format & FMT_NUMERIC);
|
}
|
}
|
}
|
|
printf("-j ");
|
|
if (cs.jumpto != NULL)
|
printf("%s", cs.jumpto);
|
else if (cs.target != NULL && cs.target->print != NULL)
|
cs.target->print(&cs.fw, cs.target->t, format & FMT_NUMERIC);
|
|
if (!(format & FMT_NOCOUNTS))
|
printf(" , pcnt = %"PRIu64" -- bcnt = %"PRIu64"",
|
(uint64_t)cs.counters.pcnt, (uint64_t)cs.counters.bcnt);
|
|
if (!(format & FMT_NONEWLINE))
|
fputc('\n', stdout);
|
|
ebt_cs_clean(&cs);
|
}
|
|
static bool nft_bridge_is_same(const void *data_a, const void *data_b)
|
{
|
const struct ebt_entry *a = data_a;
|
const struct ebt_entry *b = data_b;
|
int i;
|
|
if (a->ethproto != b->ethproto ||
|
/* FIXME: a->flags != b->flags || */
|
a->invflags != b->invflags) {
|
DEBUGP("different proto/flags/invflags\n");
|
return false;
|
}
|
|
for (i = 0; i < ETH_ALEN; i++) {
|
if (a->sourcemac[i] != b->sourcemac[i]) {
|
DEBUGP("different source mac %x, %x (%d)\n",
|
a->sourcemac[i] & 0xff, b->sourcemac[i] & 0xff, i);
|
return false;
|
}
|
|
if (a->destmac[i] != b->destmac[i]) {
|
DEBUGP("different destination mac %x, %x (%d)\n",
|
a->destmac[i] & 0xff, b->destmac[i] & 0xff, i);
|
return false;
|
}
|
}
|
|
for (i = 0; i < IFNAMSIZ; i++) {
|
if (a->logical_in[i] != b->logical_in[i]) {
|
DEBUGP("different logical iniface %x, %x (%d)\n",
|
a->logical_in[i] & 0xff, b->logical_in[i] & 0xff, i);
|
return false;
|
}
|
|
if (a->logical_out[i] != b->logical_out[i]) {
|
DEBUGP("different logical outiface %x, %x (%d)\n",
|
a->logical_out[i] & 0xff, b->logical_out[i] & 0xff, i);
|
return false;
|
}
|
}
|
|
return is_same_interfaces((char *)a->in,
|
(char *)a->out,
|
a->in_mask,
|
a->out_mask,
|
(char *)b->in,
|
(char *)b->out,
|
b->in_mask,
|
b->out_mask);
|
}
|
|
static bool nft_bridge_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
|
void *data)
|
{
|
struct ebtables_command_state *cs = data;
|
struct ebtables_command_state this = {};
|
|
nft_rule_to_ebtables_command_state(r, &this);
|
|
DEBUGP("comparing with... ");
|
|
if (!nft_bridge_is_same(cs, &this))
|
return false;
|
|
if (!compare_matches(cs->matches, this.matches)) {
|
DEBUGP("Different matches\n");
|
return false;
|
}
|
|
if (!compare_targets(cs->target, this.target)) {
|
DEBUGP("Different target\n");
|
return false;
|
}
|
|
if (cs->jumpto != NULL && strcmp(cs->jumpto, this.jumpto) != 0) {
|
DEBUGP("Different verdict\n");
|
return false;
|
}
|
|
return true;
|
}
|
|
struct nft_family_ops nft_family_ops_bridge = {
|
.add = nft_bridge_add,
|
.is_same = nft_bridge_is_same,
|
.print_payload = NULL,
|
.parse_meta = nft_bridge_parse_meta,
|
.parse_payload = nft_bridge_parse_payload,
|
.parse_immediate = nft_bridge_parse_immediate,
|
.parse_match = nft_bridge_parse_match,
|
.parse_target = nft_bridge_parse_target,
|
.print_table_header = nft_bridge_print_table_header,
|
.print_header = nft_bridge_print_header,
|
.print_firewall = nft_bridge_print_firewall,
|
.save_firewall = NULL,
|
.save_counters = NULL,
|
.post_parse = NULL,
|
.rule_find = nft_bridge_rule_find,
|
};
|
