#ifndef _LIBIPTC_H
#define _LIBIPTC_H
/* Library which manipulates filtering rules.
 *
 * Usage model, as far as this header shows it: iptc_init() takes a
 * snapshot of one table, the chain/rule functions below inspect or edit
 * that snapshot through the handle, and iptc_commit() "makes the actual
 * changes".  Whether iptc_commit() detects that the kernel table was
 * modified by someone else in the meantime is not visible here.
 *
 * NOTE(review): the guard name _LIBIPTC_H (leading underscore + capital)
 * is in the implementation-reserved identifier space; it is kept as-is
 * because other code may test for it. */

#include <libiptc/ipt_kernel_headers.h>
#include <linux/netfilter_ipv4/ip_tables.h>

#ifdef __cplusplus
extern "C" {
#endif

#ifndef IPT_MIN_ALIGN
/* ipt_entry has pointers and u_int64_t's in it, so if you align to
   it, you'll also align to any crazy matches and targets someone
   might write.  Can be overridden by defining IPT_MIN_ALIGN before
   including this header.  __alignof__ is a GCC/Clang extension. */
#define IPT_MIN_ALIGN (__alignof__(struct ipt_entry))
#endif

/* Round `s' up to the next multiple of IPT_MIN_ALIGN.  The add-and-mask
   form is only correct when IPT_MIN_ALIGN is a power of two, which an
   alignment value always is.  `s' is expanded exactly once. */
#define IPT_ALIGN(s) (((s) + ((IPT_MIN_ALIGN)-1)) & ~((IPT_MIN_ALIGN)-1))

/* Fixed-size chain name buffer.  Callers must keep names within 32
   bytes; whether the terminating NUL has to fit inside those 32 bytes
   is not shown here (presumably yes, as for the table name limit in
   ip_tables.h — confirm). */
typedef char ipt_chainlabel[32];

/* Names of the built-in verdicts, as returned by iptc_get_policy() /
   iptc_check_packet() and accepted by iptc_set_policy(). */
#define IPTC_LABEL_ACCEPT "ACCEPT"
#define IPTC_LABEL_DROP "DROP"
#define IPTC_LABEL_QUEUE "QUEUE"
#define IPTC_LABEL_RETURN "RETURN"

/* Transparent handle type.  struct iptc_handle is never defined in this
   header, so callers cannot dereference it; it is only passed back into
   the functions below.  Obtained from iptc_init(), released with
   iptc_free(). */
typedef struct iptc_handle *iptc_handle_t;

/* Does this chain exist?  Note: unlike most functions below, the
   handle is passed by value, not by pointer. */
int iptc_is_chain(const char *chain, const iptc_handle_t handle);

/* Take a snapshot of the rules. Returns NULL on error.  The caller owns
   the returned handle and must release it with iptc_free(). */
iptc_handle_t iptc_init(const char *tablename);

/* Cleanup after iptc_init().  Takes the address of the handle; whether
   *h is reset to NULL afterwards is not shown here — do not reuse it. */
void iptc_free(iptc_handle_t *h);

/* Iterator functions to run through the chains. Returns NULL at end.
   NOTE(review): the returned name is presumably storage owned by the
   handle — do not free it and do not use it after iptc_free() or after
   a call that modifies the handle (confirm against the implementation). */
const char *iptc_first_chain(iptc_handle_t *handle);
const char *iptc_next_chain(iptc_handle_t *handle);

/* Get first rule in the given chain: NULL for empty chain.  Same
   lifetime caveat as for the chain iterators: the entry pointer is
   presumably into handle-owned memory. */
const struct ipt_entry *iptc_first_rule(const char *chain,
					iptc_handle_t *handle);

/* Returns NULL when rules run out.  `prev' must be a pointer previously
   returned by iptc_first_rule()/iptc_next_rule() on the same handle. */
const struct ipt_entry *iptc_next_rule(const struct ipt_entry *prev,
				       iptc_handle_t *handle);

/* Returns a pointer to the target name of this entry.  `e' is expected
   to be an entry obtained from this handle's iterators. */
const char *iptc_get_target(const struct ipt_entry *e,
			    iptc_handle_t *handle);

/* Is this a built-in chain?  Handle is passed by value, as in
   iptc_is_chain(). */
int iptc_builtin(const char *chain, const iptc_handle_t handle);

/* Get the policy of a given built-in chain.  Returns the policy name
   (one of the IPTC_LABEL_* strings, presumably); `counter', when
   non-NULL, receives the policy rule's counters — confirm whether NULL
   is accepted. */
const char *iptc_get_policy(const char *chain,
			    struct ipt_counters *counter,
			    iptc_handle_t *handle);

/* These functions return TRUE for OK or 0 and set errno. If errno ==
   0, it means there was a version error (ie. upgrade libiptc).
   Use iptc_strerror(errno) for a message specific to this library. */
/* Rule numbers start at 1 for the first rule. */

/* Insert the entry `e' in chain `chain' into position `rulenum'
   (1-based, see above).  `e' is only read; the handle presumably
   copies it, so the caller keeps ownership. */
int iptc_insert_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      unsigned int rulenum,
		      iptc_handle_t *handle);

/* Atomically replace rule `rulenum' in `chain' with `e'. */
int iptc_replace_entry(const ipt_chainlabel chain,
		       const struct ipt_entry *e,
		       unsigned int rulenum,
		       iptc_handle_t *handle);

/* Append entry `e' to chain `chain'. Equivalent to insert with
   rulenum = length of chain. */
int iptc_append_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      iptc_handle_t *handle);

/* Delete the first rule in `chain' which matches `e', subject to
   matchmask (array of length == origfw).
   NOTE(review): "length == origfw" presumably means one mask byte per
   byte of the `origfw' entry; the caller must size `matchmask' to the
   full entry length or the library reads past it — confirm against
   the implementation.  `matchmask' is not const-qualified here even
   though it is only a mask; treat it as read-only input anyway. */
int iptc_delete_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *origfw,
		      unsigned char *matchmask,
		      iptc_handle_t *handle);

/* Delete the rule in position `rulenum' in `chain' (1-based). */
int iptc_delete_num_entry(const ipt_chainlabel chain,
			  unsigned int rulenum,
			  iptc_handle_t *handle);

/* Check the packet described by `entry' on chain `chain'. Returns the
   verdict, or NULL and sets errno.  The parameter is not const: the
   library may write into it, so do not pass shared read-only data. */
const char *iptc_check_packet(const ipt_chainlabel chain,
			      struct ipt_entry *entry,
			      iptc_handle_t *handle);

/* Flushes the entries in the given chain (ie. empties chain). */
int iptc_flush_entries(const ipt_chainlabel chain,
		       iptc_handle_t *handle);

/* Zeroes the counters in a chain. */
int iptc_zero_entries(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Creates a new chain. */
int iptc_create_chain(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Deletes a chain. */
int iptc_delete_chain(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Renames a chain. */
int iptc_rename_chain(const ipt_chainlabel oldname,
		      const ipt_chainlabel newname,
		      iptc_handle_t *handle);

/* Sets the policy on a built-in chain.  `policy' is a verdict name
   (see IPTC_LABEL_*); `counters' presumably sets the policy rule's
   counters when non-NULL — confirm. */
int iptc_set_policy(const ipt_chainlabel chain,
		    const ipt_chainlabel policy,
		    struct ipt_counters *counters,
		    iptc_handle_t *handle);

/* Get the number of references to this chain.  The count is written
   through `ref'; the int return follows the OK/0+errno convention. */
int iptc_get_references(unsigned int *ref,
			const ipt_chainlabel chain,
			iptc_handle_t *handle);

/* read packet and byte counters for a specific rule.
   The returned pointer is presumably into handle-owned memory: do not
   free it, and do not use it after the handle changes — confirm. */
struct ipt_counters *iptc_read_counter(const ipt_chainlabel chain,
				       unsigned int rulenum,
				       iptc_handle_t *handle);

/* zero packet and byte counters for a specific rule */
int iptc_zero_counter(const ipt_chainlabel chain,
		      unsigned int rulenum,
		      iptc_handle_t *handle);

/* set packet and byte counters for a specific rule */
int iptc_set_counter(const ipt_chainlabel chain,
		     unsigned int rulenum,
		     struct ipt_counters *counters,
		     iptc_handle_t *handle);

/* Makes the actual changes.  Until this is called the edits above only
   exist in the snapshot held by the handle; a process that edits and
   then exits without committing changes nothing.  Return convention as
   above (TRUE for OK, 0 and errno on failure). */
int iptc_commit(iptc_handle_t *handle);

/* Get raw socket.  Presumably the descriptor the library uses to talk
   to the kernel; its lifetime and whether the caller may close it are
   not documented here — confirm before using it directly. */
int iptc_get_raw_socket(void);

/* Translates errno numbers into more human-readable form than strerror.
   Intended for the errno left behind by the functions above. */
const char *iptc_strerror(int err);

#ifdef __cplusplus
}
#endif


#endif /* _LIBIPTC_H */