#define XT_FUNCTION_MAXNAMELEN 30
#define XT_TABLE_MAXNAMELEN 32
+struct xt_entry_match
+{
+ union {
+ struct {
+ u_int16_t match_size;
+
+ /* Used by userspace */
+ char name[XT_FUNCTION_MAXNAMELEN-1];
+
+ u_int8_t revision;
+ } user;
+ struct {
+ u_int16_t match_size;
+
+ /* Used inside the kernel */
+ struct xt_match *match;
+ } kernel;
+
+ /* Total length */
+ u_int16_t match_size;
+ } u;
+
+ unsigned char data[0];
+};
+
+struct xt_entry_target
+{
+ union {
+ struct {
+ u_int16_t target_size;
+
+ /* Used by userspace */
+ char name[XT_FUNCTION_MAXNAMELEN-1];
+
+ u_int8_t revision;
+ } user;
+ struct {
+ u_int16_t target_size;
+
+ /* Used inside the kernel */
+ struct xt_target *target;
+ } kernel;
+
+ /* Total length */
+ u_int16_t target_size;
+ } u;
+
+ unsigned char data[0];
+};
+
+struct xt_standard_target
+{
+ struct xt_entry_target target;
+ int verdict;
+};
+
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct xt_get_revision
/* Error verdict. */
#define XT_ERROR_TARGET "ERROR"
-/*
- * New IP firewall options for [gs]etsockopt at the RAW IP level.
- * Unlike BSD Linux inherits IP options so you don't have to use a raw
- * socket for this. Instead we check rights in the calls. */
-#define XT_BASE_CTL 64 /* base for firewall socket options */
-
-#define XT_SO_SET_REPLACE (XT_BASE_CTL)
-#define XT_SO_SET_ADD_COUNTERS (XT_BASE_CTL + 1)
-#define XT_SO_SET_MAX XT_SO_SET_ADD_COUNTERS
-
-#define XT_SO_GET_INFO (XT_BASE_CTL)
-#define XT_SO_GET_ENTRIES (XT_BASE_CTL + 1)
-#define XT_SO_GET_REVISION_MATCH (XT_BASE_CTL + 2)
-#define XT_SO_GET_REVISION_TARGET (XT_BASE_CTL + 3)
-#define XT_SO_GET_MAX XT_SO_GET_REVISION_TARGET
-
#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
#include <linux/netdevice.h>
-#define ASSERT_READ_LOCK(x)
-#define ASSERT_WRITE_LOCK(x)
-#include <linux/netfilter_ipv4/listhelp.h>
-
struct xt_match
{
struct list_head list;
const char name[XT_FUNCTION_MAXNAMELEN-1];
- u_int8_t revision;
-
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.6.9, as this must now handle
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
- unsigned int matchinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
- void (*destroy)(void *matchinfo, unsigned int matchinfosize);
+ void (*destroy)(const struct xt_match *match, void *matchinfo);
+
+ /* Called when userspace align differs from kernel space one */
+ void (*compat_from_user)(void *dst, void *src);
+ int (*compat_to_user)(void __user *dst, void *src);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
+
+ /* Free to use by each match */
+ unsigned long data;
+
+ char *table;
+ unsigned int matchsize;
+ unsigned int compatsize;
+ unsigned int hooks;
+ unsigned short proto;
+
+ unsigned short family;
+ u_int8_t revision;
};
/* Registration hooks for targets. */
const char name[XT_FUNCTION_MAXNAMELEN-1];
- u_int8_t revision;
-
/* Returns verdict. Argument order changed since 2.6.9, as this
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
- const void *targinfo,
- void *userdata);
+ const struct xt_target *target,
+ const void *targinfo);
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const void *entry,
+ const struct xt_target *target,
void *targinfo,
- unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
- void (*destroy)(void *targinfo, unsigned int targinfosize);
+ void (*destroy)(const struct xt_target *target, void *targinfo);
+
+ /* Called when userspace align differs from kernel space one */
+ void (*compat_from_user)(void *dst, void *src);
+ int (*compat_to_user)(void __user *dst, void *src);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
+
+ char *table;
+ unsigned int targetsize;
+ unsigned int compatsize;
+ unsigned int hooks;
+ unsigned short proto;
+
+ unsigned short family;
+ u_int8_t revision;
};
/* Furniture shopping... */
char *entries[NR_CPUS];
};
-extern int xt_register_target(int af, struct xt_target *target);
-extern void xt_unregister_target(int af, struct xt_target *target);
-extern int xt_register_match(int af, struct xt_match *target);
-extern void xt_unregister_match(int af, struct xt_match *target);
+extern int xt_register_target(struct xt_target *target);
+extern void xt_unregister_target(struct xt_target *target);
+extern int xt_register_targets(struct xt_target *target, unsigned int n);
+extern void xt_unregister_targets(struct xt_target *target, unsigned int n);
+
+extern int xt_register_match(struct xt_match *target);
+extern void xt_unregister_match(struct xt_match *target);
+extern int xt_register_matches(struct xt_match *match, unsigned int n);
+extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
+
+extern int xt_check_match(const struct xt_match *match, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook,
+ unsigned short proto, int inv_proto);
+extern int xt_check_target(const struct xt_target *target, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook,
+ unsigned short proto, int inv_proto);
extern int xt_register_table(struct xt_table *table,
struct xt_table_info *bootstrap,
extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
extern void xt_free_table_info(struct xt_table_info *info);
+#ifdef CONFIG_COMPAT
+#include <net/compat.h>
+
+struct compat_xt_entry_match
+{
+ union {
+ struct {
+ u_int16_t match_size;
+ char name[XT_FUNCTION_MAXNAMELEN - 1];
+ u_int8_t revision;
+ } user;
+ struct {
+ u_int16_t match_size;
+ compat_uptr_t match;
+ } kernel;
+ u_int16_t match_size;
+ } u;
+ unsigned char data[0];
+};
+
+struct compat_xt_entry_target
+{
+ union {
+ struct {
+ u_int16_t target_size;
+ char name[XT_FUNCTION_MAXNAMELEN - 1];
+ u_int8_t revision;
+ } user;
+ struct {
+ u_int16_t target_size;
+ compat_uptr_t target;
+ } kernel;
+ u_int16_t target_size;
+ } u;
+ unsigned char data[0];
+};
+
+/* FIXME: this works only on 32 bit tasks
+ * need to change whole approach in order to calculate align as function of
+ * current task alignment */
+
+struct compat_xt_counters
+{
+#if defined(CONFIG_X86_64) || defined(CONFIG_IA64)
+ u_int32_t cnt[4];
+#else
+ u_int64_t cnt[2];
+#endif
+};
+
+struct compat_xt_counters_info
+{
+ char name[XT_TABLE_MAXNAMELEN];
+ compat_uint_t num_counters;
+ struct compat_xt_counters counters[0];
+};
+
+#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
+ & ~(__alignof__(struct compat_xt_counters)-1))
+
+extern void xt_compat_lock(int af);
+extern void xt_compat_unlock(int af);
+
+extern int xt_compat_match_offset(struct xt_match *match);
+extern void xt_compat_match_from_user(struct xt_entry_match *m,
+ void **dstptr, int *size);
+extern int xt_compat_match_to_user(struct xt_entry_match *m,
+ void __user **dstptr, int *size);
+
+extern int xt_compat_target_offset(struct xt_target *target);
+extern void xt_compat_target_from_user(struct xt_entry_target *t,
+ void **dstptr, int *size);
+extern int xt_compat_target_to_user(struct xt_entry_target *t,
+ void __user **dstptr, int *size);
+
+#endif /* CONFIG_COMPAT */
#endif /* __KERNEL__ */
#endif /* _X_TABLES_H */