#ifndef _X_TABLES_H
#define _X_TABLES_H

/* Size bound for match/target names. Note that every name[] array in
 * this header is declared XT_FUNCTION_MAXNAMELEN-1 bytes, so the
 * usable length is one less than this constant. */
#define XT_FUNCTION_MAXNAMELEN 30
/* Size of the name[] arrays used for table names (xt_counters_info,
 * xt_table). */
#define XT_TABLE_MAXNAMELEN 32
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
 * kernel supports, if >= revision.
 *
 * This structure is copied in from userspace through the socket option
 * interface, so its contents are untrusted. name[] is only
 * XT_FUNCTION_MAXNAMELEN-1 bytes and nothing in this header guarantees
 * a NUL terminator. NOTE(review): the consumer must terminate or
 * bound-check name[] before using it as a C string -- confirm where
 * that is done. */
struct xt_get_revision
{
	/* Match/target name being queried (not guaranteed NUL-terminated). */
	char name[XT_FUNCTION_MAXNAMELEN-1];

	/* Revision the caller is asking about; see the comment above. */
	u_int8_t revision;
};
15 | ||
/* CONTINUE verdict for targets */
#define XT_CONTINUE 0xFFFFFFFF

/* For standard target */
/* NF_REPEAT is not defined in this header; it comes from the netfilter
 * core headers, which an includer must provide. */
#define XT_RETURN (-NF_REPEAT - 1)

/* Round s up to a multiple of __alignof__(u_int64_t) so 64-bit fields
 * stay naturally aligned. NOTE(review): the addition wraps for values
 * of s within __alignof__(u_int64_t)-1 of the type's maximum, so a
 * size taken from untrusted input should be range-checked before it is
 * passed through this macro. */
#define XT_ALIGN(s) (((s) + (__alignof__(u_int64_t)-1)) & ~(__alignof__(u_int64_t)-1))
23 | |
/* Standard return verdict, or do jump. */
/* The standard target is identified by the empty name. */
#define XT_STANDARD_TARGET ""
/* Error verdict. */
#define XT_ERROR_TARGET "ERROR"

/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 * socket for this. Instead we check rights in the calls. */
#define XT_BASE_CTL 64 /* base for firewall socket options */

/* setsockopt (write-side) option numbers. */
#define XT_SO_SET_REPLACE (XT_BASE_CTL)
#define XT_SO_SET_ADD_COUNTERS (XT_BASE_CTL + 1)
#define XT_SO_SET_MAX XT_SO_SET_ADD_COUNTERS

/* getsockopt (read-side) option numbers. These deliberately reuse the
 * same numeric values as the XT_SO_SET_* options above (e.g.
 * XT_SO_GET_INFO == XT_SO_SET_REPLACE == 64); they are distinguished
 * only by whether they arrive via getsockopt or setsockopt. */
#define XT_SO_GET_INFO (XT_BASE_CTL)
#define XT_SO_GET_ENTRIES (XT_BASE_CTL + 1)
#define XT_SO_GET_REVISION_MATCH (XT_BASE_CTL + 2)
#define XT_SO_GET_REVISION_TARGET (XT_BASE_CTL + 3)
#define XT_SO_GET_MAX XT_SO_GET_REVISION_TARGET

/* Assign / accumulate a struct xt_counters (declared below).
 * c is an lvalue of struct xt_counters, b the byte count, p the packet
 * count; each argument is evaluated exactly once. */
#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
47 | ||
/* Per-rule traffic counters. The layout (two u_int64_t, packets first)
 * is shared with userspace, so it must not be reordered or padded. */
struct xt_counters
{
	u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
52 | ||
/* The argument to IPT_SO_ADD_COUNTERS.
 *
 * Copied in from userspace, so every field is untrusted: num_counters
 * and the total length supplied with the socket option are the only
 * information about how many struct xt_counters actually follow.
 * NOTE(review): the consumer must check that num_counters *
 * sizeof(struct xt_counters) fits in the copied length (and does not
 * overflow) before touching counters[] -- confirm in the handler. */
struct xt_counters_info
{
	/* Which table. */
	/* Not guaranteed NUL-terminated on arrival from userspace. */
	char name[XT_TABLE_MAXNAMELEN];

	/* Number of elements the caller claims to have placed in counters[]. */
	unsigned int num_counters;

	/* The counters (actually `number' of these). */
	/* Zero-length trailing array (pre-C99 idiom for a flexible array
	 * member); the real storage follows the struct in the same buffer. */
	struct xt_counters counters[0];
};
64 | ||
/* Flag bit (presumably tested against an entry's inversion flags by the
 * per-family code) that inverts the protocol match. */
#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */

/* Everything below is kernel-internal and not part of the userspace ABI. */
#ifdef __KERNEL__

#include <linux/netdevice.h>

/* Lock-assertion hooks expected by listhelp.h; defined empty here, so
 * list helpers perform no locking checks in this header's users. */
#define ASSERT_READ_LOCK(x)
#define ASSERT_WRITE_LOCK(x)
#include <linux/netfilter_ipv4/listhelp.h>
74 | ||
/* A packet-match module as registered with the xtables core via
 * xt_register_match() below. Instances are kernel-owned; userspace
 * refers to a match by its (name, revision) pair. */
struct xt_match
{
	/* Linkage in the match list kept by x_tables (presumably one list
	 * per address family, given the af argument to the register calls). */
	struct list_head list;

	/* Match name, XT_FUNCTION_MAXNAMELEN-1 bytes. */
	const char name[XT_FUNCTION_MAXNAMELEN-1];

	/* Revision of the matchinfo layout this module implements. */
	u_int8_t revision;

	/* Return true or false: return FALSE and set *hotdrop = 1 to
	   force immediate packet drop. */
	/* Arguments changed since 2.6.9, as this must now handle
	   non-linear skb, using skb_header_pointer and
	   skb_ip_make_writable. */
	int (*match)(const struct sk_buff *skb,
		     const struct net_device *in,
		     const struct net_device *out,
		     const void *matchinfo,
		     int offset,
		     unsigned int protoff,
		     int *hotdrop);

	/* Called when user tries to insert an entry of this type. */
	/* Should return true or false. */
	/* matchinfo/matchinfosize describe private data that came from the
	 * userspace rule, so this hook is where a module must validate the
	 * size and contents before relying on them in match(). */
	int (*checkentry)(const char *tablename,
			  const void *ip,
			  void *matchinfo,
			  unsigned int matchinfosize,
			  unsigned int hook_mask);

	/* Called when entry of this type deleted. */
	void (*destroy)(void *matchinfo, unsigned int matchinfosize);

	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
	struct module *me;
};
110 | ||
/* Registration hooks for targets. */
/* A target module as registered with the xtables core via
 * xt_register_target() below; the counterpart of struct xt_match for
 * the action side of a rule. */
struct xt_target
{
	/* Linkage in the target list kept by x_tables. */
	struct list_head list;

	/* Target name, XT_FUNCTION_MAXNAMELEN-1 bytes. The empty name is
	 * XT_STANDARD_TARGET. */
	const char name[XT_FUNCTION_MAXNAMELEN-1];

	/* Revision of the targinfo layout this module implements. */
	u_int8_t revision;

	/* Returns verdict. Argument order changed since 2.6.9, as this
	   must now handle non-linear skbs, using skb_copy_bits and
	   skb_ip_make_writable. */
	/* pskb is a pointer-to-pointer because the target may replace the
	 * skb (e.g. after making it writable). */
	unsigned int (*target)(struct sk_buff **pskb,
			       const struct net_device *in,
			       const struct net_device *out,
			       unsigned int hooknum,
			       const void *targinfo,
			       void *userdata);

	/* Called when user tries to insert an entry of this type:
	   hook_mask is a bitmask of hooks from which it can be
	   called. */
	/* Should return true or false. */
	/* targinfo/targinfosize describe private data that came from the
	 * userspace rule; validate size and contents here before target()
	 * ever sees them. */
	int (*checkentry)(const char *tablename,
			  const void *entry,
			  void *targinfo,
			  unsigned int targinfosize,
			  unsigned int hook_mask);

	/* Called when entry of this type deleted. */
	void (*destroy)(void *targinfo, unsigned int targinfosize);

	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
	struct module *me;
};
146 | ||
/* Furniture shopping... */
/* A registered rule table (e.g. one iptables table). The rules
 * themselves live behind `private'; this struct is the stable handle
 * that modules and the socket-option code look up by name. */
struct xt_table
{
	/* Linkage in the table list kept by x_tables. */
	struct list_head list;

	/* A unique name... */
	char name[XT_TABLE_MAXNAMELEN];

	/* What hooks you will enter on */
	unsigned int valid_hooks;

	/* Lock for the curtain */
	/* Presumably protects `private' against concurrent replacement
	 * (xt_replace_table) and readers (xt_find_table_lock) -- confirm. */
	rwlock_t lock;

	/* Man behind the curtain... */
	/* Opaque to this header; xt_replace_table() below returns a
	 * struct xt_table_info *, which suggests that is what lives here. */
	void *private;

	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
	struct module *me;

	int af; /* address/protocol family */
};
170 | ||
171 | #include <linux/netfilter_ipv4.h> | |
172 | ||
/* The table itself */
/* Backing store for one table's rule set. Allocated and freed via
 * xt_alloc_table_info()/xt_free_table_info() below. */
struct xt_table_info
{
	/* Size per table */
	/* Byte size of one per-CPU entries[] copy. */
	unsigned int size;
	/* Number of entries: FIXME. --RR */
	unsigned int number;
	/* Initial number of entries. Needed for module usage count */
	unsigned int initial_entries;

	/* Entry points and underflows */
	/* Byte offsets into entries[], indexed by hook number
	 * (NF_IP_NUMHOOKS comes from <linux/netfilter_ipv4.h>). These
	 * offsets originate from the userspace replace request and must be
	 * validated against size before use. */
	unsigned int hook_entry[NF_IP_NUMHOOKS];
	unsigned int underflow[NF_IP_NUMHOOKS];

	/* ipt_entry tables: one per CPU */
	/* Each slot is a separate copy of the rule blob, size bytes long. */
	char *entries[NR_CPUS];
};
190 | ||
/* Registration of targets and matches, keyed by address family af.
 * Return 0 on success, negative on failure (convention; verify in the
 * .c). NOTE(review): the xt_*_match prototypes take a struct xt_match
 * but name the parameter `target'. */
extern int xt_register_target(int af, struct xt_target *target);
extern void xt_unregister_target(int af, struct xt_target *target);
extern int xt_register_match(int af, struct xt_match *target);
extern void xt_unregister_match(int af, struct xt_match *target);

/* Table lifecycle. xt_unregister_table() returns a void * -- presumably
 * the table's private info so the caller can release it; confirm
 * ownership against the implementation before freeing. */
extern int xt_register_table(struct xt_table *table,
			     struct xt_table_info *bootstrap,
			     struct xt_table_info *newinfo);
extern void *xt_unregister_table(struct xt_table *table);

/* Swap newinfo into the table and return the previous info. On failure
 * the result is presumably NULL with *error set; num_counters appears
 * to be the count the caller expects to copy out -- verify both. */
extern struct xt_table_info *xt_replace_table(struct xt_table *table,
					      unsigned int num_counters,
					      struct xt_table_info *newinfo,
					      int *error);

/* Lookup by (af, name, revision). The name arrives from userspace
 * through the rule blob, so callers must ensure it is NUL-terminated
 * within XT_FUNCTION_MAXNAMELEN-1 bytes before calling these. */
extern struct xt_match *xt_find_match(int af, const char *name, u8 revision);
extern struct xt_target *xt_find_target(int af, const char *name, u8 revision);
/* Like xt_find_target but may request a module load first (inferred
 * from the name; confirm). */
extern struct xt_target *xt_request_find_target(int af, const char *name,
						u8 revision);
/* Revision query backing XT_SO_GET_REVISION_*; target selects target vs
 * match lookup and *err receives the error code. */
extern int xt_find_revision(int af, const char *name, u8 revision, int target,
			    int *err);

/* Look up a table by name; the name suggests the table is returned with
 * a lock held that xt_table_unlock() releases -- confirm pairing. */
extern struct xt_table *xt_find_table_lock(int af, const char *name);
extern void xt_table_unlock(struct xt_table *t);

/* Per-address-family init/teardown of the xtables core. */
extern int xt_proto_init(int af);
extern void xt_proto_fini(int af);

/* Allocate/free a struct xt_table_info with size bytes of entries.
 * size is taken from the userspace replace request, so the allocator
 * is expected to bound it; returns NULL on failure (convention). */
extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
extern void xt_free_table_info(struct xt_table_info *info);
221 | ||
222 | #endif /* __KERNEL__ */ | |
223 | ||
224 | #endif /* _X_TABLES_H */ |