1 #ifndef _X_TABLES_H 2 #define _X_TABLES_H 3 4 #define XT_FUNCTION_MAXNAMELEN 30 5 #define XT_TABLE_MAXNAMELEN 32 6 7 struct xt_entry_match 8 { 9 union { 10 struct { 11 u_int16_t match_size; 12 13 /* Used by userspace */ 14 char name[XT_FUNCTION_MAXNAMELEN-1]; 15 16 u_int8_t revision; 17 } user; 18 struct { 19 u_int16_t match_size; 20 21 /* Used inside the kernel */ 22 struct xt_match *match; 23 } kernel; 24 25 /* Total length */ 26 u_int16_t match_size; 27 } u; 28 29 unsigned char data[0]; 30 }; 31 32 struct xt_entry_target 33 { 34 union { 35 struct { 36 u_int16_t target_size; 37 38 /* Used by userspace */ 39 char name[XT_FUNCTION_MAXNAMELEN-1]; 40 41 u_int8_t revision; 42 } user; 43 struct { 44 u_int16_t target_size; 45 46 /* Used inside the kernel */ 47 struct xt_target *target; 48 } kernel; 49 50 /* Total length */ 51 u_int16_t target_size; 52 } u; 53 54 unsigned char data[0]; 55 }; 56 57 struct xt_standard_target 58 { 59 struct xt_entry_target target; 60 int verdict; 61 }; 62 63 /* The argument to IPT_SO_GET_REVISION_*. Returns highest revision 64 * kernel supports, if >= revision. */ 65 struct xt_get_revision 66 { 67 char name[XT_FUNCTION_MAXNAMELEN-1]; 68 69 u_int8_t revision; 70 }; 71 72 /* CONTINUE verdict for targets */ 73 #define XT_CONTINUE 0xFFFFFFFF 74 75 /* For standard target */ 76 #define XT_RETURN (-NF_REPEAT - 1) 77 78 /* this is a dummy structure to find out the alignment requirement for a struct 79 * containing all the fundamental data types that are used in ipt_entry, 80 * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my 81 * personal pleasure to remove it -HW 82 */ 83 struct _xt_align 84 { 85 u_int8_t u8; 86 u_int16_t u16; 87 u_int32_t u32; 88 u_int64_t u64; 89 }; 90 91 #define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) \ 92 & ~(__alignof__(struct _xt_align)-1)) 93 94 /* Standard return verdict, or do jump. */ 95 #define XT_STANDARD_TARGET "" 96 /* Error verdict. */ 97 #define XT_ERROR_TARGET "ERROR" 98 99 /* 100 * New IP firewall options for [gs]etsockopt at the RAW IP level. 101 * Unlike BSD Linux inherits IP options so you don't have to use a raw 102 * socket for this. Instead we check rights in the calls. */ 103 #define XT_BASE_CTL 64 /* base for firewall socket options */ 104 105 #define XT_SO_SET_REPLACE (XT_BASE_CTL) 106 #define XT_SO_SET_ADD_COUNTERS (XT_BASE_CTL + 1) 107 #define XT_SO_SET_MAX XT_SO_SET_ADD_COUNTERS 108 109 #define XT_SO_GET_INFO (XT_BASE_CTL) 110 #define XT_SO_GET_ENTRIES (XT_BASE_CTL + 1) 111 #define XT_SO_GET_REVISION_MATCH (XT_BASE_CTL + 2) 112 #define XT_SO_GET_REVISION_TARGET (XT_BASE_CTL + 3) 113 #define XT_SO_GET_MAX XT_SO_GET_REVISION_TARGET 114 115 #define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) 116 #define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) 117 118 struct xt_counters 119 { 120 u_int64_t pcnt, bcnt; /* Packet and byte counters */ 121 }; 122 123 /* The argument to IPT_SO_ADD_COUNTERS. */ 124 struct xt_counters_info 125 { 126 /* Which table. */ 127 char name[XT_TABLE_MAXNAMELEN]; 128 129 unsigned int num_counters; 130 131 /* The counters (actually `number' of these). */ 132 struct xt_counters counters[0]; 133 }; 134 135 #define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ 136 137 #ifdef __KERNEL__ 138 139 #include <linux/netdevice.h> 140 141 #define ASSERT_READ_LOCK(x) 142 #define ASSERT_WRITE_LOCK(x) 143 #include <linux/netfilter_ipv4/listhelp.h> 144 145 #ifdef CONFIG_COMPAT 146 #define COMPAT_TO_USER 1 147 #define COMPAT_FROM_USER -1 148 #define COMPAT_CALC_SIZE 0 149 #endif 150 151 struct xt_match 152 { 153 struct list_head list; 154 155 const char name[XT_FUNCTION_MAXNAMELEN-1]; 156 157 /* Return true or false: return FALSE and set *hotdrop = 1 to 158 force immediate packet drop. */ 159 /* Arguments changed since 2.6.9, as this must now handle 160 non-linear skb, using skb_header_pointer and 161 skb_ip_make_writable. */ 162 int (*match)(const struct sk_buff *skb, 163 const struct net_device *in, 164 const struct net_device *out, 165 const struct xt_match *match, 166 const void *matchinfo, 167 int offset, 168 unsigned int protoff, 169 int *hotdrop); 170 171 /* Called when user tries to insert an entry of this type. */ 172 /* Should return true or false. */ 173 int (*checkentry)(const char *tablename, 174 const void *ip, 175 const struct xt_match *match, 176 void *matchinfo, 177 unsigned int matchinfosize, 178 unsigned int hook_mask); 179 180 /* Called when entry of this type deleted. */ 181 void (*destroy)(const struct xt_match *match, void *matchinfo, 182 unsigned int matchinfosize); 183 184 /* Called when userspace align differs from kernel space one */ 185 int (*compat)(void *match, void **dstptr, int *size, int convert); 186 187 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 188 struct module *me; 189 190 char *table; 191 unsigned int matchsize; 192 unsigned int hooks; 193 unsigned short proto; 194 195 unsigned short family; 196 u_int8_t revision; 197 }; 198 199 /* Registration hooks for targets. */ 200 struct xt_target 201 { 202 struct list_head list; 203 204 const char name[XT_FUNCTION_MAXNAMELEN-1]; 205 206 /* Returns verdict. Argument order changed since 2.6.9, as this 207 must now handle non-linear skbs, using skb_copy_bits and 208 skb_ip_make_writable. */ 209 unsigned int (*target)(struct sk_buff **pskb, 210 const struct net_device *in, 211 const struct net_device *out, 212 unsigned int hooknum, 213 const struct xt_target *target, 214 const void *targinfo, 215 void *userdata); 216 217 /* Called when user tries to insert an entry of this type: 218 hook_mask is a bitmask of hooks from which it can be 219 called. */ 220 /* Should return true or false. */ 221 int (*checkentry)(const char *tablename, 222 const void *entry, 223 const struct xt_target *target, 224 void *targinfo, 225 unsigned int targinfosize, 226 unsigned int hook_mask); 227 228 /* Called when entry of this type deleted. */ 229 void (*destroy)(const struct xt_target *target, void *targinfo, 230 unsigned int targinfosize); 231 232 /* Called when userspace align differs from kernel space one */ 233 int (*compat)(void *target, void **dstptr, int *size, int convert); 234 235 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 236 struct module *me; 237 238 char *table; 239 unsigned int targetsize; 240 unsigned int hooks; 241 unsigned short proto; 242 243 unsigned short family; 244 u_int8_t revision; 245 }; 246 247 /* Furniture shopping... */ 248 struct xt_table 249 { 250 struct list_head list; 251 252 /* A unique name... */ 253 char name[XT_TABLE_MAXNAMELEN]; 254 255 /* What hooks you will enter on */ 256 unsigned int valid_hooks; 257 258 /* Lock for the curtain */ 259 rwlock_t lock; 260 261 /* Man behind the curtain... */ 262 //struct ip6t_table_info *private; 263 void *private; 264 265 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 266 struct module *me; 267 268 int af; /* address/protocol family */ 269 }; 270 271 #include <linux/netfilter_ipv4.h> 272 273 /* The table itself */ 274 struct xt_table_info 275 { 276 /* Size per table */ 277 unsigned int size; 278 /* Number of entries: FIXME. --RR */ 279 unsigned int number; 280 /* Initial number of entries. Needed for module usage count */ 281 unsigned int initial_entries; 282 283 /* Entry points and underflows */ 284 unsigned int hook_entry[NF_IP_NUMHOOKS]; 285 unsigned int underflow[NF_IP_NUMHOOKS]; 286 287 /* ipt_entry tables: one per CPU */ 288 char *entries[NR_CPUS]; 289 }; 290 291 extern int xt_register_target(struct xt_target *target); 292 extern void xt_unregister_target(struct xt_target *target); 293 extern int xt_register_match(struct xt_match *target); 294 extern void xt_unregister_match(struct xt_match *target); 295 296 extern int xt_check_match(const struct xt_match *match, unsigned short family, 297 unsigned int size, const char *table, unsigned int hook, 298 unsigned short proto, int inv_proto); 299 extern int xt_check_target(const struct xt_target *target, unsigned short family, 300 unsigned int size, const char *table, unsigned int hook, 301 unsigned short proto, int inv_proto); 302 303 extern int xt_register_table(struct xt_table *table, 304 struct xt_table_info *bootstrap, 305 struct xt_table_info *newinfo); 306 extern void *xt_unregister_table(struct xt_table *table); 307 308 extern struct xt_table_info *xt_replace_table(struct xt_table *table, 309 unsigned int num_counters, 310 struct xt_table_info *newinfo, 311 int *error); 312 313 extern struct xt_match *xt_find_match(int af, const char *name, u8 revision); 314 extern struct xt_target *xt_find_target(int af, const char *name, u8 revision); 315 extern struct xt_target *xt_request_find_target(int af, const char *name, 316 u8 revision); 317 extern int xt_find_revision(int af, const char *name, u8 revision, int target, 318 int *err); 319 320 extern struct xt_table *xt_find_table_lock(int af, const char *name); 321 extern void xt_table_unlock(struct xt_table *t); 322 323 extern int xt_proto_init(int af); 324 extern void xt_proto_fini(int af); 325 326 extern struct xt_table_info *xt_alloc_table_info(unsigned int size); 327 extern void xt_free_table_info(struct xt_table_info *info); 328 329 #ifdef CONFIG_COMPAT 330 #include <net/compat.h> 331 332 struct compat_xt_entry_match 333 { 334 union { 335 struct { 336 u_int16_t match_size; 337 char name[XT_FUNCTION_MAXNAMELEN - 1]; 338 u_int8_t revision; 339 } user; 340 struct { 341 u_int16_t match_size; 342 compat_uptr_t match; 343 } kernel; 344 u_int16_t match_size; 345 } u; 346 unsigned char data[0]; 347 }; 348 349 struct compat_xt_entry_target 350 { 351 union { 352 struct { 353 u_int16_t target_size; 354 char name[XT_FUNCTION_MAXNAMELEN - 1]; 355 u_int8_t revision; 356 } user; 357 struct { 358 u_int16_t target_size; 359 compat_uptr_t target; 360 } kernel; 361 u_int16_t target_size; 362 } u; 363 unsigned char data[0]; 364 }; 365 366 /* FIXME: this works only on 32 bit tasks 367 * need to change whole approach in order to calculate align as function of 368 * current task alignment */ 369 370 struct compat_xt_counters 371 { 372 #if defined(CONFIG_X86_64) || defined(CONFIG_IA64) 373 u_int32_t cnt[4]; 374 #else 375 u_int64_t cnt[2]; 376 #endif 377 }; 378 379 struct compat_xt_counters_info 380 { 381 char name[XT_TABLE_MAXNAMELEN]; 382 compat_uint_t num_counters; 383 struct compat_xt_counters counters[0]; 384 }; 385 386 #define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \ 387 & ~(__alignof__(struct compat_xt_counters)-1)) 388 389 extern void xt_compat_lock(int af); 390 extern void xt_compat_unlock(int af); 391 extern int xt_compat_match(void *match, void **dstptr, int *size, int convert); 392 extern int xt_compat_target(void *target, void **dstptr, int *size, 393 int convert); 394 395 #endif /* CONFIG_COMPAT */ 396 #endif /* __KERNEL__ */ 397 398 #endif /* _X_TABLES_H */ 399
