LXR linux/include/linux/netfilter/x

   1#ifndef _X_TABLES_H
   2#define _X_TABLES_H
   3
   4#define XT_FUNCTION_MAXNAMELEN 30
   5#define XT_TABLE_MAXNAMELEN 32
   6
   7struct xt_entry_match
   8{
   9        union {
  10                struct {
  11                        u_int16_t match_size;
  12
  13                        /* Used by userspace */
  14                        char name[XT_FUNCTION_MAXNAMELEN-1];
  15
  16                        u_int8_t revision;
  17                } user;
  18                struct {
  19                        u_int16_t match_size;
  20
  21                        /* Used inside the kernel */
  22                        struct xt_match *match;
  23                } kernel;
  24
  25                /* Total length */
  26                u_int16_t match_size;
  27        } u;
  28
  29        unsigned char data[0];
  30};
  31
  32struct xt_entry_target
  33{
  34        union {
  35                struct {
  36                        u_int16_t target_size;
  37
  38                        /* Used by userspace */
  39                        char name[XT_FUNCTION_MAXNAMELEN-1];
  40
  41                        u_int8_t revision;
  42                } user;
  43                struct {
  44                        u_int16_t target_size;
  45
  46                        /* Used inside the kernel */
  47                        struct xt_target *target;
  48                } kernel;
  49
  50                /* Total length */
  51                u_int16_t target_size;
  52        } u;
  53
  54        unsigned char data[0];
  55};
  56
  57#define XT_TARGET_INIT(__name, __size)                                         \
  58{                                                                              \
  59        .target.u.user = {                                                     \
  60                .target_size    = XT_ALIGN(__size),                            \
  61                .name           = __name,                                      \
  62        },                                                                     \
  63}
  64
  65struct xt_standard_target
  66{
  67        struct xt_entry_target target;
  68        int verdict;
  69};
  70
  71/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
  72 * kernel supports, if >= revision. */
  73struct xt_get_revision
  74{
  75        char name[XT_FUNCTION_MAXNAMELEN-1];
  76
  77        u_int8_t revision;
  78};
  79
  80/* CONTINUE verdict for targets */
  81#define XT_CONTINUE 0xFFFFFFFF
  82
  83/* For standard target */
  84#define XT_RETURN (-NF_REPEAT - 1)
  85
  86/* this is a dummy structure to find out the alignment requirement for a struct
  87 * containing all the fundamental data types that are used in ipt_entry,
  88 * ip6t_entry and arpt_entry.  This sucks, and it is a hack.  It will be my
  89 * personal pleasure to remove it -HW
  90 */
  91struct _xt_align
  92{
  93        u_int8_t u8;
  94        u_int16_t u16;
  95        u_int32_t u32;
  96        u_int64_t u64;
  97};
  98
  99#define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1))  \
 100                        & ~(__alignof__(struct _xt_align)-1))
 101
 102/* Standard return verdict, or do jump. */
 103#define XT_STANDARD_TARGET ""
 104/* Error verdict. */
 105#define XT_ERROR_TARGET "ERROR"
 106
 107#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
 108#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
 109
 110struct xt_counters
 111{
 112        u_int64_t pcnt, bcnt;                   /* Packet and byte counters */
 113};
 114
 115/* The argument to IPT_SO_ADD_COUNTERS. */
 116struct xt_counters_info
 117{
 118        /* Which table. */
 119        char name[XT_TABLE_MAXNAMELEN];
 120
 121        unsigned int num_counters;
 122
 123        /* The counters (actually `number' of these). */
 124        struct xt_counters counters[0];
 125};
 126
 127#define XT_INV_PROTO            0x40    /* Invert the sense of PROTO. */
 128
 129/* fn returns 0 to continue iteration */
 130#define XT_MATCH_ITERATE(type, e, fn, args...)                  \
 131({                                                              \
 132        unsigned int __i;                                       \
 133        int __ret = 0;                                          \
 134        struct xt_entry_match *__m;                             \
 135                                                                \
 136        for (__i = sizeof(type);                                \
 137             __i < (e)->target_offset;                          \
 138             __i += __m->u.match_size) {                        \
 139                __m = (void *)e + __i;                          \
 140                                                                \
 141                __ret = fn(__m , ## args);                      \
 142                if (__ret != 0)                                 \
 143                        break;                                  \
 144        }                                                       \
 145        __ret;                                                  \
 146})
 147
 148/* fn returns 0 to continue iteration */
 149#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
 150({                                                              \
 151        unsigned int __i, __n;                                  \
 152        int __ret = 0;                                          \
 153        type *__entry;                                          \
 154                                                                \
 155        for (__i = 0, __n = 0; __i < (size);                    \
 156             __i += __entry->next_offset, __n++) {              \
 157                __entry = (void *)(entries) + __i;              \
 158                if (__n < n)                                    \
 159                        continue;                               \
 160                                                                \
 161                __ret = fn(__entry , ## args);                  \
 162                if (__ret != 0)                                 \
 163                        break;                                  \
 164        }                                                       \
 165        __ret;                                                  \
 166})
 167
 168/* fn returns 0 to continue iteration */
 169#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
 170        XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
 171
 172#ifdef __KERNEL__
 173
 174#include <linux/netdevice.h>
 175
 176/**
 177 * struct xt_match_param - parameters for match extensions' match functions
 178 *
 179 * @in:         input netdevice
 180 * @out:        output netdevice
 181 * @match:      struct xt_match through which this function was invoked
 182 * @matchinfo:  per-match data
 183 * @fragoff:    packet is a fragment, this is the data offset
 184 * @thoff:      position of transport header relative to skb->data
 185 * @hotdrop:    drop packet if we had inspection problems
 186 * @family:     Actual NFPROTO_* through which the function is invoked
 187 *              (helpful when match->family == NFPROTO_UNSPEC)
 188 */
 189struct xt_match_param {
 190        const struct net_device *in, *out;
 191        const struct xt_match *match;
 192        const void *matchinfo;
 193        int fragoff;
 194        unsigned int thoff;
 195        bool *hotdrop;
 196        u_int8_t family;
 197};
 198
 199/**
 200 * struct xt_mtchk_param - parameters for match extensions'
 201 * checkentry functions
 202 *
 203 * @table:      table the rule is tried to be inserted into
 204 * @entryinfo:  the family-specific rule data
 205 *              (struct ipt_ip, ip6t_ip, ebt_entry)
 206 * @match:      struct xt_match through which this function was invoked
 207 * @matchinfo:  per-match data
 208 * @hook_mask:  via which hooks the new rule is reachable
 209 */
 210struct xt_mtchk_param {
 211        const char *table;
 212        const void *entryinfo;
 213        const struct xt_match *match;
 214        void *matchinfo;
 215        unsigned int hook_mask;
 216        u_int8_t family;
 217};
 218
 219/* Match destructor parameters */
 220struct xt_mtdtor_param {
 221        const struct xt_match *match;
 222        void *matchinfo;
 223        u_int8_t family;
 224};
 225
 226/**
 227 * struct xt_target_param - parameters for target extensions' target functions
 228 *
 229 * @hooknum:    hook through which this target was invoked
 230 * @target:     struct xt_target through which this function was invoked
 231 * @targinfo:   per-target data
 232 *
 233 * Other fields see above.
 234 */
 235struct xt_target_param {
 236        const struct net_device *in, *out;
 237        unsigned int hooknum;
 238        const struct xt_target *target;
 239        const void *targinfo;
 240        u_int8_t family;
 241};
 242
 243/**
 244 * struct xt_tgchk_param - parameters for target extensions'
 245 * checkentry functions
 246 *
 247 * @entryinfo:  the family-specific rule data
 248 *              (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
 249 *
 250 * Other fields see above.
 251 */
 252struct xt_tgchk_param {
 253        const char *table;
 254        const void *entryinfo;
 255        const struct xt_target *target;
 256        void *targinfo;
 257        unsigned int hook_mask;
 258        u_int8_t family;
 259};
 260
 261/* Target destructor parameters */
 262struct xt_tgdtor_param {
 263        const struct xt_target *target;
 264        void *targinfo;
 265        u_int8_t family;
 266};
 267
 268struct xt_match
 269{
 270        struct list_head list;
 271
 272        const char name[XT_FUNCTION_MAXNAMELEN-1];
 273
 274        /* Return true or false: return FALSE and set *hotdrop = 1 to
 275           force immediate packet drop. */
 276        /* Arguments changed since 2.6.9, as this must now handle
 277           non-linear skb, using skb_header_pointer and
 278           skb_ip_make_writable. */
 279        bool (*match)(const struct sk_buff *skb,
 280                      const struct xt_match_param *);
 281
 282        /* Called when user tries to insert an entry of this type. */
 283        bool (*checkentry)(const struct xt_mtchk_param *);
 284
 285        /* Called when entry of this type deleted. */
 286        void (*destroy)(const struct xt_mtdtor_param *);
 287
 288        /* Called when userspace align differs from kernel space one */
 289        void (*compat_from_user)(void *dst, void *src);
 290        int (*compat_to_user)(void __user *dst, void *src);
 291
 292        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 293        struct module *me;
 294
 295        /* Free to use by each match */
 296        unsigned long data;
 297
 298        const char *table;
 299        unsigned int matchsize;
 300        unsigned int compatsize;
 301        unsigned int hooks;
 302        unsigned short proto;
 303
 304        unsigned short family;
 305        u_int8_t revision;
 306};
 307
 308/* Registration hooks for targets. */
 309struct xt_target
 310{
 311        struct list_head list;
 312
 313        const char name[XT_FUNCTION_MAXNAMELEN-1];
 314
 315        /* Returns verdict. Argument order changed since 2.6.9, as this
 316           must now handle non-linear skbs, using skb_copy_bits and
 317           skb_ip_make_writable. */
 318        unsigned int (*target)(struct sk_buff *skb,
 319                               const struct xt_target_param *);
 320
 321        /* Called when user tries to insert an entry of this type:
 322           hook_mask is a bitmask of hooks from which it can be
 323           called. */
 324        /* Should return true or false. */
 325        bool (*checkentry)(const struct xt_tgchk_param *);
 326
 327        /* Called when entry of this type deleted. */
 328        void (*destroy)(const struct xt_tgdtor_param *);
 329
 330        /* Called when userspace align differs from kernel space one */
 331        void (*compat_from_user)(void *dst, void *src);
 332        int (*compat_to_user)(void __user *dst, void *src);
 333
 334        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 335        struct module *me;
 336
 337        const char *table;
 338        unsigned int targetsize;
 339        unsigned int compatsize;
 340        unsigned int hooks;
 341        unsigned short proto;
 342
 343        unsigned short family;
 344        u_int8_t revision;
 345};
 346
 347/* Furniture shopping... */
 348struct xt_table
 349{
 350        struct list_head list;
 351
 352        /* A unique name... */
 353        const char name[XT_TABLE_MAXNAMELEN];
 354
 355        /* What hooks you will enter on */
 356        unsigned int valid_hooks;
 357
 358        /* Lock for the curtain */
 359        rwlock_t lock;
 360
 361        /* Man behind the curtain... */
 362        //struct ip6t_table_info *private;
 363        void *private;
 364
 365        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 366        struct module *me;
 367
 368        u_int8_t af;            /* address/protocol family */
 369};
 370
 371#include <linux/netfilter_ipv4.h>
 372
 373/* The table itself */
 374struct xt_table_info
 375{
 376        /* Size per table */
 377        unsigned int size;
 378        /* Number of entries: FIXME. --RR */
 379        unsigned int number;
 380        /* Initial number of entries. Needed for module usage count */
 381        unsigned int initial_entries;
 382
 383        /* Entry points and underflows */
 384        unsigned int hook_entry[NF_INET_NUMHOOKS];
 385        unsigned int underflow[NF_INET_NUMHOOKS];
 386
 387        /* ipt_entry tables: one per CPU */
 388        /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
 389        char *entries[1];
 390};
 391
 392#define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
 393                          + nr_cpu_ids * sizeof(char *))
 394extern int xt_register_target(struct xt_target *target);
 395extern void xt_unregister_target(struct xt_target *target);
 396extern int xt_register_targets(struct xt_target *target, unsigned int n);
 397extern void xt_unregister_targets(struct xt_target *target, unsigned int n);
 398
 399extern int xt_register_match(struct xt_match *target);
 400extern void xt_unregister_match(struct xt_match *target);
 401extern int xt_register_matches(struct xt_match *match, unsigned int n);
 402extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
 403
 404extern int xt_check_match(struct xt_mtchk_param *,
 405                          unsigned int size, u_int8_t proto, bool inv_proto);
 406extern int xt_check_target(struct xt_tgchk_param *,
 407                           unsigned int size, u_int8_t proto, bool inv_proto);
 408
 409extern struct xt_table *xt_register_table(struct net *net,
 410                                          struct xt_table *table,
 411                                          struct xt_table_info *bootstrap,
 412                                          struct xt_table_info *newinfo);
 413extern void *xt_unregister_table(struct xt_table *table);
 414
 415extern struct xt_table_info *xt_replace_table(struct xt_table *table,
 416                                              unsigned int num_counters,
 417                                              struct xt_table_info *newinfo,
 418                                              int *error);
 419
 420extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
 421extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
 422extern struct xt_target *xt_request_find_target(u8 af, const char *name,
 423                                                u8 revision);
 424extern int xt_find_revision(u8 af, const char *name, u8 revision,
 425                            int target, int *err);
 426
 427extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
 428                                           const char *name);
 429extern void xt_table_unlock(struct xt_table *t);
 430
 431extern int xt_proto_init(struct net *net, u_int8_t af);
 432extern void xt_proto_fini(struct net *net, u_int8_t af);
 433
 434extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
 435extern void xt_free_table_info(struct xt_table_info *info);
 436
 437#ifdef CONFIG_COMPAT
 438#include <net/compat.h>
 439
 440struct compat_xt_entry_match
 441{
 442        union {
 443                struct {
 444                        u_int16_t match_size;
 445                        char name[XT_FUNCTION_MAXNAMELEN - 1];
 446                        u_int8_t revision;
 447                } user;
 448                struct {
 449                        u_int16_t match_size;
 450                        compat_uptr_t match;
 451                } kernel;
 452                u_int16_t match_size;
 453        } u;
 454        unsigned char data[0];
 455};
 456
 457struct compat_xt_entry_target
 458{
 459        union {
 460                struct {
 461                        u_int16_t target_size;
 462                        char name[XT_FUNCTION_MAXNAMELEN - 1];
 463                        u_int8_t revision;
 464                } user;
 465                struct {
 466                        u_int16_t target_size;
 467                        compat_uptr_t target;
 468                } kernel;
 469                u_int16_t target_size;
 470        } u;
 471        unsigned char data[0];
 472};
 473
 474/* FIXME: this works only on 32 bit tasks
 475 * need to change whole approach in order to calculate align as function of
 476 * current task alignment */
 477
 478struct compat_xt_counters
 479{
 480#if defined(CONFIG_X86_64) || defined(CONFIG_IA64)
 481        u_int32_t cnt[4];
 482#else
 483        u_int64_t cnt[2];
 484#endif
 485};
 486
 487struct compat_xt_counters_info
 488{
 489        char name[XT_TABLE_MAXNAMELEN];
 490        compat_uint_t num_counters;
 491        struct compat_xt_counters counters[0];
 492};
 493
 494#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
 495                & ~(__alignof__(struct compat_xt_counters)-1))
 496
 497extern void xt_compat_lock(u_int8_t af);
 498extern void xt_compat_unlock(u_int8_t af);
 499
 500extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta);
 501extern void xt_compat_flush_offsets(u_int8_t af);
 502extern short xt_compat_calc_jump(u_int8_t af, unsigned int offset);
 503
 504extern int xt_compat_match_offset(const struct xt_match *match);
 505extern int xt_compat_match_from_user(struct xt_entry_match *m,
 506                                     void **dstptr, unsigned int *size);
 507extern int xt_compat_match_to_user(struct xt_entry_match *m,
 508                                   void __user **dstptr, unsigned int *size);
 509
 510extern int xt_compat_target_offset(const struct xt_target *target);
 511extern void xt_compat_target_from_user(struct xt_entry_target *t,
 512                                       void **dstptr, unsigned int *size);
 513extern int xt_compat_target_to_user(struct xt_entry_target *t,
 514                                    void __user **dstptr, unsigned int *size);
 515
 516#endif /* CONFIG_COMPAT */
 517#endif /* __KERNEL__ */
 518
 519#endif /* _X_TABLES_H */
 520