X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=include%2Flinux%2Fnetfilter_ipv4%2Fip_tables.h;h=c0dac16e1902d97809398ac858fe36768feb9547;hb=43bc926fffd92024b46cafaf7350d669ba9ca884;hp=12ce47808e7d24c3d734e3619d40d9994ee38c71;hpb=cee37fe97739d85991964371c1f3a745c00dd236;p=linux-2.6.git diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index 12ce47808..c0dac16e1 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -25,8 +25,14 @@ #include #include -#define IPT_FUNCTION_MAXNAMELEN 30 -#define IPT_TABLE_MAXNAMELEN 32 +#include + +#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN +#define IPT_TABLE_MAXNAMELEN XT_FUNCTION_MAXNAMELEN +#define ipt_match xt_match +#define ipt_target xt_target +#define ipt_table xt_table +#define ipt_get_revision xt_get_revision /* Yes, Virginia, you have to zero the padding. */ struct ipt_ip { @@ -46,70 +52,16 @@ struct ipt_ip { u_int8_t invflags; }; -struct ipt_entry_match -{ - union { - struct { - u_int16_t match_size; - - /* Used by userspace */ - char name[IPT_FUNCTION_MAXNAMELEN-1]; - - u_int8_t revision; - } user; - struct { - u_int16_t match_size; - - /* Used inside the kernel */ - struct ipt_match *match; - } kernel; - - /* Total length */ - u_int16_t match_size; - } u; - - unsigned char data[0]; -}; - -struct ipt_entry_target -{ - union { - struct { - u_int16_t target_size; - - /* Used by userspace */ - char name[IPT_FUNCTION_MAXNAMELEN-1]; - - u_int8_t revision; - } user; - struct { - u_int16_t target_size; - - /* Used inside the kernel */ - struct ipt_target *target; - } kernel; - - /* Total length */ - u_int16_t target_size; - } u; - - unsigned char data[0]; -}; - -struct ipt_standard_target -{ - struct ipt_entry_target target; - int verdict; -}; +#define ipt_entry_match xt_entry_match +#define ipt_entry_target xt_entry_target +#define ipt_standard_target xt_standard_target -struct ipt_counters -{ - u_int64_t pcnt, bcnt; /* Packet and byte counters */ -}; +#define ipt_counters xt_counters /* Values for "flag" field in struct ipt_ip (general ip structure). */ #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ -#define IPT_F_MASK 0x01 /* All possible flag bits mask. */ +#define IPT_F_GOTO 0x02 /* Set if jump is a goto */ +#define IPT_F_MASK 0x03 /* All possible flag bits mask. */ /* Values for "inv" field in struct ipt_ip. */ #define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ @@ -118,7 +70,7 @@ struct ipt_counters #define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ #define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ #define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */ -#define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ +#define IPT_INV_PROTO XT_INV_PROTO #define IPT_INV_MASK 0x7F /* All possible flag bits mask. */ /* This structure defines each of the firewall rules. Consists of 3 @@ -140,7 +92,7 @@ struct ipt_entry unsigned int comefrom; /* Packet and byte counters. */ - struct ipt_counters counters; + struct xt_counters counters; /* The matches (if any), then the target. */ unsigned char elems[0]; @@ -150,54 +102,34 @@ struct ipt_entry * New IP firewall options for [gs]etsockopt at the RAW IP level. * Unlike BSD Linux inherits IP options so you don't have to use a raw * socket for this. Instead we check rights in the calls. */ -#define IPT_BASE_CTL 64 /* base for firewall socket options */ - -#define IPT_SO_SET_REPLACE (IPT_BASE_CTL) -#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) -#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS +#define IPT_BASE_CTL XT_BASE_CTL -#define IPT_SO_GET_INFO (IPT_BASE_CTL) -#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) -#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2) -#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) -#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET +#define IPT_SO_SET_REPLACE XT_SO_SET_REPLACE +#define IPT_SO_SET_ADD_COUNTERS XT_SO_SET_ADD_COUNTERS +#define IPT_SO_SET_MAX XT_SO_SET_MAX -/* CONTINUE verdict for targets */ -#define IPT_CONTINUE 0xFFFFFFFF +#define IPT_SO_GET_INFO XT_SO_GET_INFO +#define IPT_SO_GET_ENTRIES XT_SO_GET_ENTRIES +#define IPT_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH +#define IPT_SO_GET_REVISION_TARGET XT_SO_GET_REVISION_TARGET +#define IPT_SO_GET_MAX XT_SO_GET_REVISION_TARGET -/* For standard target */ -#define IPT_RETURN (-NF_REPEAT - 1) - -/* TCP matching stuff */ -struct ipt_tcp -{ - u_int16_t spts[2]; /* Source port range. */ - u_int16_t dpts[2]; /* Destination port range. */ - u_int8_t option; /* TCP Option iff non-zero*/ - u_int8_t flg_mask; /* TCP flags mask byte */ - u_int8_t flg_cmp; /* TCP flags compare byte */ - u_int8_t invflags; /* Inverse flags */ -}; +#define IPT_CONTINUE XT_CONTINUE +#define IPT_RETURN XT_RETURN -/* Values for "inv" field in struct ipt_tcp. */ -#define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ -#define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ -#define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */ -#define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */ -#define IPT_TCP_INV_MASK 0x0F /* All possible flags. */ +#include +#define ipt_udp xt_udp +#define ipt_tcp xt_tcp -/* UDP matching stuff */ -struct ipt_udp -{ - u_int16_t spts[2]; /* Source port range. */ - u_int16_t dpts[2]; /* Destination port range. */ - u_int8_t invflags; /* Inverse flags */ -}; +#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT +#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT +#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS +#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION +#define IPT_TCP_INV_MASK XT_TCP_INV_MASK -/* Values for "invflags" field in struct ipt_udp. */ -#define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ -#define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ -#define IPT_UDP_INV_MASK 0x03 /* All possible flags. */ +#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT +#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT +#define IPT_UDP_INV_MASK XT_UDP_INV_MASK /* ICMP matching stuff */ struct ipt_icmp @@ -259,23 +191,14 @@ struct ipt_replace /* Number of counters (must be equal to current number of entries). */ unsigned int num_counters; /* The old entries' counters. */ - struct ipt_counters __user *counters; + struct xt_counters __user *counters; /* The entries (hang off end: not really an array). */ struct ipt_entry entries[0]; }; /* The argument to IPT_SO_ADD_COUNTERS. */ -struct ipt_counters_info -{ - /* Which table. */ - char name[IPT_TABLE_MAXNAMELEN]; - - unsigned int num_counters; - - /* The counters (actually `number' of these). */ - struct ipt_counters counters[0]; -}; +#define ipt_counters_info xt_counters_info /* The argument to IPT_SO_GET_ENTRIES. */ struct ipt_get_entries @@ -290,19 +213,10 @@ struct ipt_get_entries struct ipt_entry entrytable[0]; }; -/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision - * kernel supports, if >= revision. */ -struct ipt_get_revision -{ - char name[IPT_FUNCTION_MAXNAMELEN-1]; - - u_int8_t revision; -}; - /* Standard return verdict, or do jump. */ -#define IPT_STANDARD_TARGET "" +#define IPT_STANDARD_TARGET XT_STANDARD_TARGET /* Error verdict. */ -#define IPT_ERROR_TARGET "ERROR" +#define IPT_ERROR_TARGET XT_ERROR_TARGET /* Helper functions */ static __inline__ struct ipt_entry_target * @@ -355,103 +269,22 @@ ipt_get_target(struct ipt_entry *e) #include extern void ipt_init(void) __init; -struct ipt_match -{ - struct list_head list; - - const char name[IPT_FUNCTION_MAXNAMELEN-1]; - - u_int8_t revision; - - /* Return true or false: return FALSE and set *hotdrop = 1 to - force immediate packet drop. */ - /* Arguments changed since 2.4, as this must now handle - non-linear skbs, using skb_copy_bits and - skb_ip_make_writable. */ - int (*match)(const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const void *matchinfo, - int offset, - int *hotdrop); - - /* Called when user tries to insert an entry of this type. */ - /* Should return true or false. */ - int (*checkentry)(const char *tablename, - const struct ipt_ip *ip, - void *matchinfo, - unsigned int matchinfosize, - unsigned int hook_mask); - - /* Called when entry of this type deleted. */ - void (*destroy)(void *matchinfo, unsigned int matchinfosize); - - /* Set this to THIS_MODULE. */ - struct module *me; -}; - -/* Registration hooks for targets. */ -struct ipt_target -{ - struct list_head list; - - const char name[IPT_FUNCTION_MAXNAMELEN-1]; - - u_int8_t revision; - - /* Called when user tries to insert an entry of this type: - hook_mask is a bitmask of hooks from which it can be - called. */ - /* Should return true or false. */ - int (*checkentry)(const char *tablename, - const struct ipt_entry *e, - void *targinfo, - unsigned int targinfosize, - unsigned int hook_mask); - - /* Called when entry of this type deleted. */ - void (*destroy)(void *targinfo, unsigned int targinfosize); - - /* Returns verdict. Argument order changed since 2.4, as this - must now handle non-linear skbs, using skb_copy_bits and - skb_ip_make_writable. */ - unsigned int (*target)(struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - unsigned int hooknum, - const void *targinfo, - void *userdata); - - /* Set this to THIS_MODULE. */ - struct module *me; -}; - -extern int ipt_register_target(struct ipt_target *target); -extern void ipt_unregister_target(struct ipt_target *target); - -extern int ipt_register_match(struct ipt_match *match); -extern void ipt_unregister_match(struct ipt_match *match); - -/* Furniture shopping... */ -struct ipt_table -{ - struct list_head list; - - /* A unique name... */ - char name[IPT_TABLE_MAXNAMELEN]; - - /* What hooks you will enter on */ - unsigned int valid_hooks; +#define ipt_register_target(tgt) \ +({ (tgt)->family = AF_INET; \ + xt_register_target(tgt); }) +#define ipt_unregister_target(tgt) xt_unregister_target(tgt) - /* Lock for the curtain */ - rwlock_t lock; +#define ipt_register_match(mtch) \ +({ (mtch)->family = AF_INET; \ + xt_register_match(mtch); }) +#define ipt_unregister_match(mtch) xt_unregister_match(mtch) - /* Man behind the curtain... */ - struct ipt_table_info *private; +//#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl) +//#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl) - /* Set to THIS_MODULE. */ - struct module *me; -}; +extern int ipt_register_table(struct ipt_table *table, + const struct ipt_replace *repl); +extern void ipt_unregister_table(struct ipt_table *table); /* net/sched/ipt.c: Gimme access to your targets! Gets target->me. */ extern struct ipt_target *ipt_find_target(const char *name, u8 revision); @@ -475,9 +308,6 @@ struct ipt_error struct ipt_error_target target; }; -extern int ipt_register_table(struct ipt_table *table, - const struct ipt_replace *repl); -extern void ipt_unregister_table(struct ipt_table *table); extern unsigned int ipt_do_table(struct sk_buff **pskb, unsigned int hook, const struct net_device *in, @@ -485,6 +315,24 @@ extern unsigned int ipt_do_table(struct sk_buff **pskb, struct ipt_table *table, void *userdata); -#define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1)) +#define IPT_ALIGN(s) XT_ALIGN(s) + +#ifdef CONFIG_COMPAT +#include + +struct compat_ipt_entry +{ + struct ipt_ip ip; + compat_uint_t nfcache; + u_int16_t target_offset; + u_int16_t next_offset; + compat_uint_t comefrom; + struct compat_xt_counters counters; + unsigned char elems[0]; +}; + +#define COMPAT_IPT_ALIGN(s) COMPAT_XT_ALIGN(s) + +#endif /* CONFIG_COMPAT */ #endif /*__KERNEL__*/ #endif /* _IPTABLES_H */