1 #ifndef _X_TABLES_H 2 #define _X_TABLES_H 3 4 #define XT_FUNCTION_MAXNAMELEN 30 5 #define XT_TABLE_MAXNAMELEN 32 6 7 struct xt_entry_match 8 { 9 union { 10 struct { 11 u_int16_t match_size; 12 13 /* Used by userspace */ 14 char name[XT_FUNCTION_MAXNAMELEN-1]; 15 16 u_int8_t revision; 17 } user; 18 struct { 19 u_int16_t match_size; 20 21 /* Used inside the kernel */ 22 struct xt_match *match; 23 } kernel; 24 25 /* Total length */ 26 u_int16_t match_size; 27 } u; 28 29 unsigned char data[0]; 30 }; 31 32 struct xt_entry_target 33 { 34 union { 35 struct { 36 u_int16_t target_size; 37 38 /* Used by userspace */ 39 char name[XT_FUNCTION_MAXNAMELEN-1]; 40 41 u_int8_t revision; 42 } user; 43 struct { 44 u_int16_t target_size; 45 46 /* Used inside the kernel */ 47 struct xt_target *target; 48 } kernel; 49 50 /* Total length */ 51 u_int16_t target_size; 52 } u; 53 54 unsigned char data[0]; 55 }; 56 57 #define XT_TARGET_INIT(__name, __size) \ 58 { \ 59 .target.u.user = { \ 60 .target_size = XT_ALIGN(__size), \ 61 .name = __name, \ 62 }, \ 63 } 64 65 struct xt_standard_target 66 { 67 struct xt_entry_target target; 68 int verdict; 69 }; 70 71 /* The argument to IPT_SO_GET_REVISION_*. Returns highest revision 72 * kernel supports, if >= revision. */ 73 struct xt_get_revision 74 { 75 char name[XT_FUNCTION_MAXNAMELEN-1]; 76 77 u_int8_t revision; 78 }; 79 80 /* CONTINUE verdict for targets */ 81 #define XT_CONTINUE 0xFFFFFFFF 82 83 /* For standard target */ 84 #define XT_RETURN (-NF_REPEAT - 1) 85 86 /* this is a dummy structure to find out the alignment requirement for a struct 87 * containing all the fundamental data types that are used in ipt_entry, 88 * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my 89 * personal pleasure to remove it -HW 90 */ 91 struct _xt_align 92 { 93 u_int8_t u8; 94 u_int16_t u16; 95 u_int32_t u32; 96 u_int64_t u64; 97 }; 98 99 #define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) \ 100 & ~(__alignof__(struct _xt_align)-1)) 101 102 /* Standard return verdict, or do jump. */ 103 #define XT_STANDARD_TARGET "" 104 /* Error verdict. */ 105 #define XT_ERROR_TARGET "ERROR" 106 107 #define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) 108 #define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) 109 110 struct xt_counters 111 { 112 u_int64_t pcnt, bcnt; /* Packet and byte counters */ 113 }; 114 115 /* The argument to IPT_SO_ADD_COUNTERS. */ 116 struct xt_counters_info 117 { 118 /* Which table. */ 119 char name[XT_TABLE_MAXNAMELEN]; 120 121 unsigned int num_counters; 122 123 /* The counters (actually `number' of these). */ 124 struct xt_counters counters[0]; 125 }; 126 127 #define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ 128 129 /* fn returns 0 to continue iteration */ 130 #define XT_MATCH_ITERATE(type, e, fn, args...) \ 131 ({ \ 132 unsigned int __i; \ 133 int __ret = 0; \ 134 struct xt_entry_match *__m; \ 135 \ 136 for (__i = sizeof(type); \ 137 __i < (e)->target_offset; \ 138 __i += __m->u.match_size) { \ 139 __m = (void *)e + __i; \ 140 \ 141 __ret = fn(__m , ## args); \ 142 if (__ret != 0) \ 143 break; \ 144 } \ 145 __ret; \ 146 }) 147 148 /* fn returns 0 to continue iteration */ 149 #define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ 150 ({ \ 151 unsigned int __i, __n; \ 152 int __ret = 0; \ 153 type *__entry; \ 154 \ 155 for (__i = 0, __n = 0; __i < (size); \ 156 __i += __entry->next_offset, __n++) { \ 157 __entry = (void *)(entries) + __i; \ 158 if (__n < n) \ 159 continue; \ 160 \ 161 __ret = fn(__entry , ## args); \ 162 if (__ret != 0) \ 163 break; \ 164 } \ 165 __ret; \ 166 }) 167 168 /* fn returns 0 to continue iteration */ 169 #define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ 170 XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) 171 172 #ifdef __KERNEL__ 173 174 #include <linux/netdevice.h> 175 176 /** 177 * struct xt_match_param - parameters for match extensions' match functions 178 * 179 * @in: input netdevice 180 * @out: output netdevice 181 * @match: struct xt_match through which this function was invoked 182 * @matchinfo: per-match data 183 * @fragoff: packet is a fragment, this is the data offset 184 * @thoff: position of transport header relative to skb->data 185 * @hotdrop: drop packet if we had inspection problems 186 * @family: Actual NFPROTO_* through which the function is invoked 187 * (helpful when match->family == NFPROTO_UNSPEC) 188 */ 189 struct xt_match_param { 190 const struct net_device *in, *out; 191 const struct xt_match *match; 192 const void *matchinfo; 193 int fragoff; 194 unsigned int thoff; 195 bool *hotdrop; 196 u_int8_t family; 197 }; 198 199 /** 200 * struct xt_mtchk_param - parameters for match extensions' 201 * checkentry functions 202 * 203 * @table: table the rule is tried to be inserted into 204 * @entryinfo: the family-specific rule data 205 * (struct ipt_ip, ip6t_ip, ebt_entry) 206 * @match: struct xt_match through which this function was invoked 207 * @matchinfo: per-match data 208 * @hook_mask: via which hooks the new rule is reachable 209 */ 210 struct xt_mtchk_param { 211 const char *table; 212 const void *entryinfo; 213 const struct xt_match *match; 214 void *matchinfo; 215 unsigned int hook_mask; 216 u_int8_t family; 217 }; 218 219 /* Match destructor parameters */ 220 struct xt_mtdtor_param { 221 const struct xt_match *match; 222 void *matchinfo; 223 u_int8_t family; 224 }; 225 226 /** 227 * struct xt_target_param - parameters for target extensions' target functions 228 * 229 * @hooknum: hook through which this target was invoked 230 * @target: struct xt_target through which this function was invoked 231 * @targinfo: per-target data 232 * 233 * Other fields see above. 234 */ 235 struct xt_target_param { 236 const struct net_device *in, *out; 237 unsigned int hooknum; 238 const struct xt_target *target; 239 const void *targinfo; 240 u_int8_t family; 241 }; 242 243 /** 244 * struct xt_tgchk_param - parameters for target extensions' 245 * checkentry functions 246 * 247 * @entryinfo: the family-specific rule data 248 * (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry) 249 * 250 * Other fields see above. 251 */ 252 struct xt_tgchk_param { 253 const char *table; 254 const void *entryinfo; 255 const struct xt_target *target; 256 void *targinfo; 257 unsigned int hook_mask; 258 u_int8_t family; 259 }; 260 261 /* Target destructor parameters */ 262 struct xt_tgdtor_param { 263 const struct xt_target *target; 264 void *targinfo; 265 u_int8_t family; 266 }; 267 268 struct xt_match 269 { 270 struct list_head list; 271 272 const char name[XT_FUNCTION_MAXNAMELEN-1]; 273 u_int8_t revision; 274 275 /* Return true or false: return FALSE and set *hotdrop = 1 to 276 force immediate packet drop. */ 277 /* Arguments changed since 2.6.9, as this must now handle 278 non-linear skb, using skb_header_pointer and 279 skb_ip_make_writable. */ 280 bool (*match)(const struct sk_buff *skb, 281 const struct xt_match_param *); 282 283 /* Called when user tries to insert an entry of this type. */ 284 bool (*checkentry)(const struct xt_mtchk_param *); 285 286 /* Called when entry of this type deleted. */ 287 void (*destroy)(const struct xt_mtdtor_param *); 288 289 /* Called when userspace align differs from kernel space one */ 290 void (*compat_from_user)(void *dst, void *src); 291 int (*compat_to_user)(void __user *dst, void *src); 292 293 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 294 struct module *me; 295 296 /* Free to use by each match */ 297 unsigned long data; 298 299 const char *table; 300 unsigned int matchsize; 301 unsigned int compatsize; 302 unsigned int hooks; 303 unsigned short proto; 304 305 unsigned short family; 306 }; 307 308 /* Registration hooks for targets. */ 309 struct xt_target 310 { 311 struct list_head list; 312 313 const char name[XT_FUNCTION_MAXNAMELEN-1]; 314 315 /* Returns verdict. Argument order changed since 2.6.9, as this 316 must now handle non-linear skbs, using skb_copy_bits and 317 skb_ip_make_writable. */ 318 unsigned int (*target)(struct sk_buff *skb, 319 const struct xt_target_param *); 320 321 /* Called when user tries to insert an entry of this type: 322 hook_mask is a bitmask of hooks from which it can be 323 called. */ 324 /* Should return true or false. */ 325 bool (*checkentry)(const struct xt_tgchk_param *); 326 327 /* Called when entry of this type deleted. */ 328 void (*destroy)(const struct xt_tgdtor_param *); 329 330 /* Called when userspace align differs from kernel space one */ 331 void (*compat_from_user)(void *dst, void *src); 332 int (*compat_to_user)(void __user *dst, void *src); 333 334 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 335 struct module *me; 336 337 const char *table; 338 unsigned int targetsize; 339 unsigned int compatsize; 340 unsigned int hooks; 341 unsigned short proto; 342 343 unsigned short family; 344 u_int8_t revision; 345 }; 346 347 /* Furniture shopping... */ 348 struct xt_table 349 { 350 struct list_head list; 351 352 /* A unique name... */ 353 const char name[XT_TABLE_MAXNAMELEN]; 354 355 /* What hooks you will enter on */ 356 unsigned int valid_hooks; 357 358 /* Lock for the curtain */ 359 rwlock_t lock; 360 361 /* Man behind the curtain... */ 362 //struct ip6t_table_info *private; 363 void *private; 364 365 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 366 struct module *me; 367 368 u_int8_t af; /* address/protocol family */ 369 }; 370 371 #include <linux/netfilter_ipv4.h> 372 373 /* The table itself */ 374 struct xt_table_info 375 { 376 /* Size per table */ 377 unsigned int size; 378 /* Number of entries: FIXME. --RR */ 379 unsigned int number; 380 /* Initial number of entries. Needed for module usage count */ 381 unsigned int initial_entries; 382 383 /* Entry points and underflows */ 384 unsigned int hook_entry[NF_INET_NUMHOOKS]; 385 unsigned int underflow[NF_INET_NUMHOOKS]; 386 387 /* ipt_entry tables: one per CPU */ 388 /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */ 389 char *entries[1]; 390 }; 391 392 #define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \ 393 + nr_cpu_ids * sizeof(char *)) 394 extern int xt_register_target(struct xt_target *target); 395 extern void xt_unregister_target(struct xt_target *target); 396 extern int xt_register_targets(struct xt_target *target, unsigned int n); 397 extern void xt_unregister_targets(struct xt_target *target, unsigned int n); 398 399 extern int xt_register_match(struct xt_match *target); 400 extern void xt_unregister_match(struct xt_match *target); 401 extern int xt_register_matches(struct xt_match *match, unsigned int n); 402 extern void xt_unregister_matches(struct xt_match *match, unsigned int n); 403 404 extern int xt_check_match(struct xt_mtchk_param *, 405 unsigned int size, u_int8_t proto, bool inv_proto); 406 extern int xt_check_target(struct xt_tgchk_param *, 407 unsigned int size, u_int8_t proto, bool inv_proto); 408 409 extern struct xt_table *xt_register_table(struct net *net, 410 struct xt_table *table, 411 struct xt_table_info *bootstrap, 412 struct xt_table_info *newinfo); 413 extern void *xt_unregister_table(struct xt_table *table); 414 415 extern struct xt_table_info *xt_replace_table(struct xt_table *table, 416 unsigned int num_counters, 417 struct xt_table_info *newinfo, 418 int *error); 419 420 extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision); 421 extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision); 422 extern struct xt_target *xt_request_find_target(u8 af, const char *name, 423 u8 revision); 424 extern int xt_find_revision(u8 af, const char *name, u8 revision, 425 int target, int *err); 426 427 extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af, 428 const char *name); 429 extern void xt_table_unlock(struct xt_table *t); 430 431 extern int xt_proto_init(struct net *net, u_int8_t af); 432 extern void xt_proto_fini(struct net *net, u_int8_t af); 433 434 extern struct xt_table_info *xt_alloc_table_info(unsigned int size); 435 extern void xt_free_table_info(struct xt_table_info *info); 436 437 #ifdef CONFIG_COMPAT 438 #include <net/compat.h> 439 440 struct compat_xt_entry_match 441 { 442 union { 443 struct { 444 u_int16_t match_size; 445 char name[XT_FUNCTION_MAXNAMELEN - 1]; 446 u_int8_t revision; 447 } user; 448 struct { 449 u_int16_t match_size; 450 compat_uptr_t match; 451 } kernel; 452 u_int16_t match_size; 453 } u; 454 unsigned char data[0]; 455 }; 456 457 struct compat_xt_entry_target 458 { 459 union { 460 struct { 461 u_int16_t target_size; 462 char name[XT_FUNCTION_MAXNAMELEN - 1]; 463 u_int8_t revision; 464 } user; 465 struct { 466 u_int16_t target_size; 467 compat_uptr_t target; 468 } kernel; 469 u_int16_t target_size; 470 } u; 471 unsigned char data[0]; 472 }; 473 474 /* FIXME: this works only on 32 bit tasks 475 * need to change whole approach in order to calculate align as function of 476 * current task alignment */ 477 478 struct compat_xt_counters 479 { 480 #if defined(CONFIG_X86_64) || defined(CONFIG_IA64) 481 u_int32_t cnt[4]; 482 #else 483 u_int64_t cnt[2]; 484 #endif 485 }; 486 487 struct compat_xt_counters_info 488 { 489 char name[XT_TABLE_MAXNAMELEN]; 490 compat_uint_t num_counters; 491 struct compat_xt_counters counters[0]; 492 }; 493 494 #define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \ 495 & ~(__alignof__(struct compat_xt_counters)-1)) 496 497 extern void xt_compat_lock(u_int8_t af); 498 extern void xt_compat_unlock(u_int8_t af); 499 500 extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta); 501 extern void xt_compat_flush_offsets(u_int8_t af); 502 extern short xt_compat_calc_jump(u_int8_t af, unsigned int offset); 503 504 extern int xt_compat_match_offset(const struct xt_match *match); 505 extern int xt_compat_match_from_user(struct xt_entry_match *m, 506 void **dstptr, unsigned int *size); 507 extern int xt_compat_match_to_user(struct xt_entry_match *m, 508 void __user **dstptr, unsigned int *size); 509 510 extern int xt_compat_target_offset(const struct xt_target *target); 511 extern void xt_compat_target_from_user(struct xt_entry_target *t, 512 void **dstptr, unsigned int *size); 513 extern int xt_compat_target_to_user(struct xt_entry_target *t, 514 void __user **dstptr, unsigned int *size); 515 516 #endif /* CONFIG_COMPAT */ 517 #endif /* __KERNEL__ */ 518 519 #endif /* _X_TABLES_H */ 520