# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# syzkaller descriptions of the ebtables (bridge netfilter) socket-option interface:
# the table-replace blob, counter updates, the info/entries queries, and the layout of
# the match, watcher and target extensions carried inside each rule.

include <linux/socket.h>
include <uapi/linux/netfilter/x_tables.h>
include <uapi/linux/netfilter_bridge.h>
include <uapi/linux/netfilter_bridge/ebtables.h>
include <uapi/linux/netfilter_bridge/ebt_802_3.h>
include <uapi/linux/netfilter_bridge/ebt_among.h>
include <uapi/linux/netfilter_bridge/ebt_arp.h>
include <uapi/linux/netfilter_bridge/ebt_ip.h>
include <uapi/linux/netfilter_bridge/ebt_ip6.h>
include <uapi/linux/netfilter_bridge/ebt_limit.h>
include <uapi/linux/netfilter_bridge/ebt_mark_m.h>
include <uapi/linux/netfilter_bridge/ebt_pkttype.h>
include <uapi/linux/netfilter_bridge/ebt_stp.h>
include <uapi/linux/netfilter_bridge/ebt_vlan.h>
include <uapi/linux/netfilter_bridge/ebt_arpreply.h>
include <uapi/linux/netfilter_bridge/ebt_nat.h>
include <uapi/linux/netfilter_bridge/ebt_log.h>
include <uapi/linux/netfilter_bridge/ebt_mark_t.h>
include <uapi/linux/netfilter_bridge/ebt_nflog.h>
include <uapi/linux/netfilter_bridge/ebt_redirect.h>

# Every ebtables option below is issued at level SOL_IP on a sock_in descriptor.
# NOTE(review): EBT_SO_SET_ENTRIES passes len as const[0], unlike the len[val] used by
# EBT_SO_SET_COUNTERS; presumably the real length is filled in outside this file - confirm.
setsockopt$EBT_SO_SET_ENTRIES(fd sock_in, level const[SOL_IP], opt const[EBT_SO_SET_ENTRIES], val ptr[in, ebt_replace], len const[0])
setsockopt$EBT_SO_SET_COUNTERS(fd sock_in, level const[SOL_IP], opt const[EBT_SO_SET_COUNTERS], val ptr[in, ebt_counters_info], len len[val])
# The getsockopt variants pass the request struct as an input buffer and the length
# through a pointer to an int32 holding the size of val.
getsockopt$EBT_SO_GET_INFO(fd sock_in, level const[SOL_IP], opt const[EBT_SO_GET_INFO], val ptr[in, ebt_getinfo], len ptr[in, len[val, int32]])
getsockopt$EBT_SO_GET_INIT_INFO(fd sock_in, level const[SOL_IP], opt const[EBT_SO_GET_INIT_INFO], val ptr[in, ebt_getinfo], len ptr[in, len[val, int32]])
getsockopt$EBT_SO_GET_ENTRIES(fd sock_in, level const[SOL_IP], opt const[EBT_SO_GET_ENTRIES], val ptr[in, ebt_get_entries], len ptr[in, len[val, int32]])
getsockopt$EBT_SO_GET_INIT_ENTRIES(fd sock_in, level const[SOL_IP], opt const[EBT_SO_GET_INIT_ENTRIES], val ptr[in, ebt_get_entries], len ptr[in, len[val, int32]])

# One variant per table name. Each variant pins the table's valid-hook mask and the
# set of targets/watchers that may appear in its rules.
ebt_replace [
	filter	ebt_replace_t["filter", EBT_FILTER_VALID_HOOKS, ebt_filter_targets]
	nat	ebt_replace_t["nat", EBT_NAT_VALID_HOOKS, ebt_nat_targets]
	broute	ebt_replace_t["broute", EBT_BROUTE_VALID_HOOKS, ebt_broute_targets]
] [varlen]

# Hook numbers turned into single-bit masks; combined below into the per-table masks
# that are placed in valid_hooks.
define NF_BR_PRE_ROUTING_BIT	1 << NF_BR_PRE_ROUTING
define NF_BR_LOCAL_IN_BIT	1 << NF_BR_LOCAL_IN
define NF_BR_FORWARD_BIT	1 << NF_BR_FORWARD
define NF_BR_LOCAL_OUT_BIT	1 << NF_BR_LOCAL_OUT
define NF_BR_POST_ROUTING_BIT	1 << NF_BR_POST_ROUTING
define NF_BR_BROUTING_BIT	1 << NF_BR_BROUTING

define EBT_FILTER_VALID_HOOKS	NF_BR_LOCAL_IN_BIT | NF_BR_FORWARD_BIT | NF_BR_LOCAL_OUT_BIT
define EBT_NAT_VALID_HOOKS	NF_BR_PRE_ROUTING_BIT | NF_BR_LOCAL_OUT_BIT | NF_BR_POST_ROUTING_BIT
define EBT_BROUTE_VALID_HOOKS	NF_BR_BROUTING_BIT

# Template for the table-replace request. entries_size is the byte size of the
# pointed-to entries buffer, which holds 3 to 4 chains; counters is an out buffer of
# one xt_counters.
# NOTE(review): nentries and num_counters are const 0 and hook_entry is an array of
# unconstrained intptr values even though entries carries chains; presumably these are
# fixed up by generator code outside this file - confirm.
type ebt_replace_t[NAME, HOOKS, TARGETS] {
	name	string[NAME, XT_TABLE_MAXNAMELEN]
	valid_hooks	const[HOOKS, int32]
	nentries	const[0, int32]
	entries_size	bytesize[entries, int32]
	hook_entry	array[intptr, NF_BR_NUMHOOKS]
	num_counters	const[0, int32]
	counters	ptr[out, array[xt_counters, 1]]
	entries	ptr[in, array[ebt_entries[TARGETS], 3:4]]
}

# Chain header followed by 0 to 2 rules. The first field is const 0, whereas every
# ebt_entry_bitmask value (the first field of ebt_entry) has EBT_ENTRY_OR_ENTRIES set,
# so the two record kinds differ in their first word. nentries is the element count of
# the inline entries array.
type ebt_entries[TARGETS] {
	distinguisher	const[0, int32]
	name	string["", EBT_CHAIN_MAXNAMELEN]
	counter_offset	const[0, int32]
	policy	flags[ebt_entries_policy, int32]
	nentries	len[entries, int32]
	entries	array[ebt_entry[TARGETS], 0:2]
}

# Chain policies exclude EBT_CONTINUE; target verdicts include it.
ebt_entries_policy = EBT_DROP, EBT_ACCEPT, EBT_RETURN
ebt_verdicts = EBT_DROP, EBT_ACCEPT, EBT_RETURN, EBT_CONTINUE

# One rule: fixed header, then 0 to 2 matches, 0 to 2 watchers and exactly one target.
# watchers_offset and target_offset are the byte offsets of those fields within this
# struct and next_offset is the byte size of the whole struct, so the offsets in a
# freshly generated rule agree with its actual layout. Watchers are drawn from the
# same TARGETS union as the target.
type ebt_entry[TARGETS] {
	bitmask	flags[ebt_entry_bitmask, int32]
	invflags	flags[ebt_entry_invflags, int32]
	ethproto	flags[ether_types, int16be]
	in	devname
	logical_in	devname
	out	devname
	logical_out	devname
	sourcemac	mac_addr
	sourcemsk	mac_addr_mask
	destmac	mac_addr
	destmsk	mac_addr_mask
	watchers_offset	offsetof[watchers, int32]
	target_offset	offsetof[target, int32]
	next_offset	bytesize[parent, int32]
	matches	array[ebt_matches, 0:2]
	watchers	array[TARGETS, 0:2]
	target	TARGETS
} [packed]

ebt_entry_bitmask = EBT_NOPROTO_F, EBT_802_3_F, EBT_SOURCEMAC_F, EBT_DESTMAC_F
ebt_entry_invflags = EBT_IPROTO, EBT_IIN, EBT_IOUT, EBT_ISOURCE, EBT_IDEST, EBT_ILOGICALIN, EBT_ILOGICALOUT

# Each rule bitmask value carries EBT_ENTRY_OR_ENTRIES in addition to its own flag.
define EBT_NOPROTO_F	EBT_ENTRY_OR_ENTRIES | EBT_NOPROTO
define EBT_802_3_F	EBT_ENTRY_OR_ENTRIES | EBT_802_3
define EBT_SOURCEMAC_F	EBT_ENTRY_OR_ENTRIES | EBT_SOURCEMAC
define EBT_DESTMAC_F	EBT_ENTRY_OR_ENTRIES | EBT_DESTMAC

# Table names accepted by the counter and query requests below.
ebt_tables = "filter", "nat", "broute"

# Request for EBT_SO_SET_COUNTERS. num_counters is the element count of the inline
# counters1 array; the counters pointer refers to a separate out buffer. The remaining
# size fields and the entries pointer are fixed to 0.
ebt_counters_info {
	name	string[ebt_tables, XT_TABLE_MAXNAMELEN]
	valid_hooks	const[0, int32]
	nentries	const[0, int32]
	entries_size	const[0, int32]
	hook_entry	array[intptr, NF_BR_NUMHOOKS]
	num_counters	len[counters1, int32]
	counters	ptr[out, array[xt_counters]]
	entries	const[0, intptr]
	counters1	array[xt_counters]
}

# Request for EBT_SO_GET_INFO / EBT_SO_GET_INIT_INFO: only the table name and
# hook_entry vary, every other field is const 0.
ebt_getinfo {
	name	string[ebt_tables, XT_TABLE_MAXNAMELEN]
	valid_hooks	const[0, int32]
	nentries	const[0, int32]
	entries_size	const[0, int32]
	hook_entry	array[intptr, NF_BR_NUMHOOKS]
	num_counters	const[0, int32]
	counters	const[0, intptr]
	entries	const[0, intptr]
}

# Request for EBT_SO_GET_ENTRIES / EBT_SO_GET_INIT_ENTRIES. entries and counters are
# out buffers; entries_size and num_counters describe the sizes of those buffers, and
# nentries is limited to 3..4.
ebt_get_entries {
	name	string[ebt_tables, XT_TABLE_MAXNAMELEN]
	valid_hooks	const[0, int32]
	nentries	int32[3:4]
	entries_size	bytesize[entries, int32]
	hook_entry	array[intptr, NF_BR_NUMHOOKS]
	num_counters	len[counters, int32]
	counters	ptr[out, array[xt_counters]]
	entries	ptr[out, array[int8]]
}

# MATCHES:

# Match header: extension name, revision fixed to 0, and match_size set to the byte
# size of the data field of the enclosing ebt_entry_match_t.
type ebt_entry_match[NAME] {
	name	string[NAME, EBT_EXTENSION_MAXNAMELEN]
	revision	const[0, int8]
	match_size	bytesize[ebt_entry_match_t:data, int32]
} [align[PTR_SIZE]]

# A complete match: header followed by the extension payload.
type ebt_entry_match_t[NAME, DATA] {
	header	ebt_entry_match[NAME]
	data	xt_padded[DATA]
}

# Wraps a payload in a struct aligned to PTR_SIZE.
type xt_padded[TYPE] {
	data	TYPE
} [align[PTR_SIZE]]

# All match extensions that may appear in a rule. The ebt_*_info payloads are
# described in this file; the xt_* payload types are not defined here.
ebt_matches [
	m802_3	ebt_entry_match_t["802_3", ebt_802_3_info]
	among	ebt_entry_match_t["among", ebt_among_info]
	arp	ebt_entry_match_t["arp", ebt_arp_info]
	ip	ebt_entry_match_t["ip", ebt_ip_info]
	ip6	ebt_entry_match_t["ip6", ebt_ip6_info]
	limit	ebt_entry_match_t["limit", ebt_limit_info]
	mark_m	ebt_entry_match_t["mark_m", ebt_mark_m_info]
	pkttype	ebt_entry_match_t["pkttype", ebt_pkttype_info]
	stp	ebt_entry_match_t["stp", ebt_stp_info]
	vlan	ebt_entry_match_t["vlan", ebt_vlan_info]
# AF_UNSPEC matches (only version 0 and not overridden by AF_BRIDGE).
	cgroup0	ebt_entry_match_t["cgroup", xt_cgroup_info_v0]
	helper	ebt_entry_match_t["helper", xt_helper_info]
	rateest	ebt_entry_match_t["rateest", xt_rateest_match_info]
	time	ebt_entry_match_t["time", xt_time_info]
	bpf0	ebt_entry_match_t["bpf", xt_bpf_info]
	realm	ebt_entry_match_t["realm", xt_realm_info]
	connbytes	ebt_entry_match_t["connbytes", xt_connbytes_info]
	quota	ebt_entry_match_t["quota", xt_quota_info]
	ipvs	ebt_entry_match_t["ipvs", xt_ipvs_mtinfo]
	nfacct	ebt_entry_match_t["nfacct", xt_nfacct_match_info]
	mac	ebt_entry_match_t["mac", xt_mac_info]
	comment	ebt_entry_match_t["comment", xt_comment_info]
	statistic	ebt_entry_match_t["statistic", xt_statistic_info]
	physdev	ebt_entry_match_t["physdev", xt_physdev_info]
	connlabel	ebt_entry_match_t["connlabel", xt_connlabel_mtinfo]
	devgroup	ebt_entry_match_t["devgroup", xt_devgroup_info]
	cluster	ebt_entry_match_t["cluster", xt_cluster_match_info]
	owner	ebt_entry_match_t["owner", xt_owner_match_info]
	u32	ebt_entry_match_t["u32", xt_u32]
	cpu	ebt_entry_match_t["cpu", xt_cpu_info]
	state	ebt_entry_match_t["state", xt_state_info]
] [varlen]
# Payload of the "802_3" match. bitmask and invflags draw from the same flag set.
ebt_802_3_info {
	sap	flags[sap_values, int8]
	type	int16be
	bitmask	flags[ebt_802_3_flags, int8]
	invflags	flags[ebt_802_3_flags, int8]
}

ebt_802_3_flags = EBT_802_3_SAP, EBT_802_3_TYPE, EBT_802_3

# Payload of the "among" match: two offset words followed by the destination and
# source hash structures they refer to.
ebt_among_info {
	wh_dst_ofs	ebt_among_info_offset[dst]
	wh_src_ofs	ebt_among_info_offset[src]
	bitmask	flags[ebt_among_flags, int32]
	dst	ebt_mac_wormhash
	src	ebt_mac_wormhash
} [packed]

# Either the actual byte offset of FIELD inside ebt_among_info, or 0.
type ebt_among_info_offset[FIELD] [
	offset	offsetof[ebt_among_info:FIELD, int32]
	zero	const[0, int32]
]

# Fixed 257-word table followed by a variable-length pool; poolsize is the element
# count of pool, so the generated count matches the data that follows it.
ebt_mac_wormhash {
	table	array[int32, 257]
	poolsize	len[pool, int32]
	pool	array[ebt_mac_wormhash_tuple]
}

ebt_mac_wormhash_tuple {
	cmp	array[int32, 2]
	ip	ipv4_addr
}

ebt_among_flags = EBT_AMONG_DST_NEG, EBT_AMONG_SRC_NEG

# Payload of the "arp" match. bitmask and invflags draw from the same flag set.
ebt_arp_info {
	htype	flags[arp_htypes, int16be]
	ptype	flags[ether_types, int16be]
	op	flags[arp_ops, int16be]
	saddr	ipv4_addr
	smsk	ipv4_addr_mask
	daddr	ipv4_addr
	dmsk	ipv4_addr_mask
	smaddr	mac_addr
	smmsk	mac_addr_mask
	dmaddr	mac_addr
	dmmsk	mac_addr_mask
	bitmask	flags[ebt_arp_flags, int8]
	invflags	flags[ebt_arp_flags, int8]
}

ebt_arp_flags = EBT_ARP_OPCODE, EBT_ARP_HTYPE, EBT_ARP_PTYPE, EBT_ARP_SRC_IP, EBT_ARP_DST_IP, EBT_ARP_SRC_MAC, EBT_ARP_DST_MAC, EBT_ARP_GRAT

# Payload of the "ip" match: addresses and masks, tos, protocol, and a min/max pair
# for each of the source and destination ports.
ebt_ip_info {
	saddr	ipv4_addr
	daddr	ipv4_addr
	smsk	ipv4_addr_mask
	dmsk	ipv4_addr_mask
	tos	int8
	protocol	flags[ipv4_types, int8]
	bitmask	flags[ebt_ip_flags, int8]
	invflags	flags[ebt_ip_flags, int8]
	sport_min	sock_port
	sport_max	sock_port
	dport_min	sock_port
	dport_max	sock_port
}

ebt_ip_flags = EBT_IP_SOURCE, EBT_IP_DEST, EBT_IP_TOS, EBT_IP_PROTO, EBT_IP_SPORT, EBT_IP_DPORT

# Payload of the "ip6" match; same shape as ebt_ip_info with IPv6 addresses and a
# traffic class in place of tos.
ebt_ip6_info {
	saddr	ipv6_addr
	daddr	ipv6_addr
	smsk	ipv6_addr_mask
	dmsk	ipv6_addr_mask
	tclass	int8
	protocol	flags[ipv6_types, int8]
	bitmask	flags[ebt_ip6_flags, int8]
	invflags	flags[ebt_ip6_flags, int8]
	sport_min	sock_port
	sport_max	sock_port
	dport_min	sock_port
	dport_max	sock_port
}

ebt_ip6_flags = EBT_IP6_SOURCE, EBT_IP6_DEST, EBT_IP6_TCLASS, EBT_IP6_PROTO, EBT_IP6_SPORT, EBT_IP6_DPORT, EBT_IP6_ICMP6

# Payload of the "limit" match; every field is left unconstrained.
ebt_limit_info {
	avg	int32
	burst	int32
	prev	intptr
	credit	int32
	credit_cap	int32
	cost	int32
}

# Payload of the "mark_m" match. invert and bitmask draw from the same flag set.
ebt_mark_m_info {
	mark	intptr
	mask	intptr
	invert	flags[ebt_mark_m_flags, int8]
	bitmask	flags[ebt_mark_m_flags, int8]
}

ebt_mark_m_flags = EBT_MARK_AND, EBT_MARK_OR

# Payload of the "pkttype" match; pkt_type is restricted to 0..7.
ebt_pkttype_info {
	pkt_type	int8[0:7]
	invert	bool8
}

# Payload of the "stp" match.
ebt_stp_info {
	type	int8
	config	ebt_stp_config_info
	bitmask	flags[ebt_stp_flags, int16]
	invflags	flags[ebt_stp_flags, int16]
}

# Most fields come in l/u pairs (presumably lower and upper bounds of a range -
# confirm against the kernel header).
ebt_stp_config_info {
	flags	int8
	root_priol	int16
	root_priou	int16
	root_addr	mac_addr
	root_addrmsk	mac_addr_mask
	root_costl	int32
	root_costu	int32
	sender_priol	int16
	sender_priou	int16
	sender_addr	mac_addr
	sender_addrmsk	mac_addr_mask
	portl	sock_port
	portu	sock_port
	msg_agel	int16
	msg_ageu	int16
	max_agel	int16
	max_ageu	int16
	hello_timel	int16
	hello_timeu	int16
	forward_delayl	int16
	forward_delayu	int16
}

ebt_stp_flags = EBT_STP_TYPE, EBT_STP_FLAGS, EBT_STP_ROOTPRIO, EBT_STP_ROOTADDR, EBT_STP_ROOTCOST, EBT_STP_SENDERPRIO, EBT_STP_SENDERADDR, EBT_STP_PORT, EBT_STP_MSGAGE, EBT_STP_MAXAGE, EBT_STP_HELLOTIME, EBT_STP_FWDD

# Payload of the "vlan" match; id is restricted to 0..4 and prio to 0..7.
ebt_vlan_info {
	id	int16[0:4]
	prio	int8[0:7]
	encap	flags[ether_types, int16be]
	bitmask	flags[ebt_vlan_flags, int8]
	invflags	flags[ebt_vlan_flags, int8]
}

ebt_vlan_flags = EBT_VLAN_ID, EBT_VLAN_PRIO, EBT_VLAN_ENCAP

# TARGETS:

# A target (also used for watchers): extension name, target_size set to the byte size
# of the data field, then the payload aligned to PTR_SIZE.
type ebt_entry_target[NAME, DATA] {
	name	string[NAME, EBT_FUNCTION_MAXNAMELEN]
	target_size	bytesize[data, int32]
	data	xt_padded[DATA]
}

# Targets shared by all three tables. STANDARD has an empty name and carries a verdict
# from nf_verdicts; the xt_* and idletimer payload types are not defined in this file.
ebt_targets [
	dnat	ebt_entry_target["dnat", ebt_nat_info]
	log	ebt_entry_target["log", ebt_log_info]
	mark	ebt_entry_target["mark", ebt_mark_t_info]
	nflog	ebt_entry_target["nflog", ebt_nflog_info]
	redirect	ebt_entry_target["redirect", ebt_redirect_info]
# AF_UNSPEC targets (only version 0).
	STANDARD	ebt_entry_target["", flags[nf_verdicts, int32]]
	ERROR	ebt_entry_target["ERROR", array[int8, XT_FUNCTION_MAXNAMELEN]]
	LED	ebt_entry_target["LED", xt_led_info]
	RATEEST	ebt_entry_target["RATEEST", xt_rateest_target_info]
	NFQUEUE0	ebt_entry_target["NFQUEUE", xt_NFQ_info]
	CLASSIFY	ebt_entry_target["CLASSIFY", xt_classify_target_info]
	IDLETIMER	ebt_entry_target["IDLETIMER", idletimer_tg_info]
	AUDIT	ebt_entry_target["AUDIT", xt_audit_info]
	CONNSECMARK	ebt_entry_target["CONNSECMARK", xt_connsecmark_target_info]
	SECMARK	ebt_entry_target["SECMARK", xt_secmark_target_info]
	NFLOG	ebt_entry_target["NFLOG", xt_nflog_info]
] [varlen]

# Per-table target sets. filter and broute allow only the common targets; nat adds
# arpreply and snat.
ebt_filter_targets [
	common	ebt_targets
] [varlen]

ebt_nat_targets [
	common	ebt_targets
	arpreply	ebt_entry_target["arpreply", ebt_arpreply_info]
	snat	ebt_entry_target["snat", ebt_nat_info]
] [varlen]

ebt_broute_targets [
	common	ebt_targets
] [varlen]

# Payload of the "arpreply" target: a MAC address and a verdict.
ebt_arpreply_info {
	mac	mac_addr
# TODO: can also be jump target
	target	flags[ebt_verdicts, int32]
}

# Payload of the "dnat" and "snat" targets; the verdict field may additionally carry
# NAT_ARP_BIT.
ebt_nat_info {
	mac	mac_addr
# TODO: can also be jump target
	target	flags[ebt_nat_verdicts, int32]
}

ebt_nat_verdicts = NAT_ARP_BIT, ebt_verdicts

# Payload of the "log" target/watcher; prefix is a fixed-size byte array of
# unconstrained bytes.
ebt_log_info {
	loglevel	int8
	prefix	array[int8, EBT_LOG_PREFIX_SIZE]
	bitmask	flags[ebt_log_bitmask, int32]
}

ebt_log_bitmask = EBT_LOG_IP, EBT_LOG_ARP, EBT_LOG_NFLOG, EBT_LOG_IP6

# Payload of the "mark" target: mark takes one of the ebt_mark_marks values, followed
# by a verdict.
ebt_mark_t_info {
	mark	flags[ebt_mark_marks, intptr]
# TODO: can also be jump target
	target	flags[ebt_verdicts, int32]
}
# Values allowed in the mark field of ebt_mark_t_info.
ebt_mark_marks = MARK_SET_VALUE, MARK_OR_VALUE, MARK_AND_VALUE, MARK_XOR_VALUE

# Payload of the "nflog" target/watcher. flags and pad are fixed to 0; prefix is a
# fixed-size byte array of unconstrained bytes.
ebt_nflog_info {
	len	int32
	group	int16
	threshold	int16
	flags	const[0, int16]
	pad	const[0, int16]
	prefix	array[int8, EBT_NFLOG_PREFIX_SIZE]
}

# Payload of the "redirect" target: a single verdict.
ebt_redirect_info {
# TODO: can also be jump target
	target	flags[ebt_verdicts, int32]
}