LXR linux/include/linux/netfilter.h

   1#ifndef __LINUX_NETFILTER_H
   2#define __LINUX_NETFILTER_H
   3
   4#ifdef __KERNEL__
   5#include <linux/init.h>
   6#include <linux/types.h>
   7#include <linux/skbuff.h>
   8#include <linux/net.h>
   9#include <linux/if.h>
  10#include <linux/wait.h>
  11#include <linux/list.h>
  12#endif
  13#include <linux/compiler.h>
  14
  15/* Responses from hook functions. */
  16#define NF_DROP 0
  17#define NF_ACCEPT 1
  18#define NF_STOLEN 2
  19#define NF_QUEUE 3
  20#define NF_REPEAT 4
  21#define NF_STOP 5
  22#define NF_MAX_VERDICT NF_STOP
  23
  24/* we overload the higher bits for encoding auxiliary data such as the queue
  25 * number. Not nice, but better than additional function arguments. */
  26#define NF_VERDICT_MASK 0x0000ffff
  27#define NF_VERDICT_BITS 16
  28
  29#define NF_VERDICT_QMASK 0xffff0000
  30#define NF_VERDICT_QBITS 16
  31
  32#define NF_QUEUE_NR(x) (((x << NF_VERDICT_QBITS) & NF_VERDICT_QMASK) | NF_QUEUE)
  33
  34/* only for userspace compatibility */
  35#ifndef __KERNEL__
  36/* Generic cache responses from hook functions.
  37   <= 0x2000 is used for protocol-flags. */
  38#define NFC_UNKNOWN 0x4000
  39#define NFC_ALTERED 0x8000
  40#endif
  41
  42#ifdef __KERNEL__
  43#ifdef CONFIG_NETFILTER
  44
  45extern void netfilter_init(void);
  46
  47/* Largest hook number + 1 */
  48#define NF_MAX_HOOKS 8
  49
  50struct sk_buff;
  51struct net_device;
  52
  53typedef unsigned int nf_hookfn(unsigned int hooknum,
  54                               struct sk_buff *skb,
  55                               const struct net_device *in,
  56                               const struct net_device *out,
  57                               int (*okfn)(struct sk_buff *));
  58
  59struct nf_hook_ops
  60{
  61        struct list_head list;
  62
  63        /* User fills in from here down. */
  64        nf_hookfn *hook;
  65        struct module *owner;
  66        int pf;
  67        int hooknum;
  68        /* Hooks are ordered in ascending priority. */
  69        int priority;
  70};
  71
  72struct nf_sockopt_ops
  73{
  74        struct list_head list;
  75
  76        int pf;
  77
  78        /* Non-inclusive ranges: use 0/0/NULL to never get called. */
  79        int set_optmin;
  80        int set_optmax;
  81        int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len);
  82        int (*compat_set)(struct sock *sk, int optval,
  83                        void __user *user, unsigned int len);
  84
  85        int get_optmin;
  86        int get_optmax;
  87        int (*get)(struct sock *sk, int optval, void __user *user, int *len);
  88        int (*compat_get)(struct sock *sk, int optval,
  89                        void __user *user, int *len);
  90
  91        /* Use the module struct to lock set/get code in place */
  92        struct module *owner;
  93};
  94
  95/* Each queued (to userspace) skbuff has one of these. */
  96struct nf_info
  97{
  98        /* The ops struct which sent us to userspace. */
  99        struct nf_hook_ops *elem;
 100        
 101        /* If we're sent to userspace, this keeps housekeeping info */
 102        int pf;
 103        unsigned int hook;
 104        struct net_device *indev, *outdev;
 105        int (*okfn)(struct sk_buff *);
 106};
 107                                                                                
 108/* Function to register/unregister hook points. */
 109int nf_register_hook(struct nf_hook_ops *reg);
 110void nf_unregister_hook(struct nf_hook_ops *reg);
 111int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n);
 112void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n);
 113
 114/* Functions to register get/setsockopt ranges (non-inclusive).  You
 115   need to check permissions yourself! */
 116int nf_register_sockopt(struct nf_sockopt_ops *reg);
 117void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
 118
 119#ifdef CONFIG_SYSCTL
 120/* Sysctl registration */
 121struct ctl_table_header *nf_register_sysctl_table(struct ctl_table *path,
 122                                                  struct ctl_table *table);
 123void nf_unregister_sysctl_table(struct ctl_table_header *header,
 124                                struct ctl_table *table);
 125extern struct ctl_table nf_net_netfilter_sysctl_path[];
 126extern struct ctl_table nf_net_ipv4_netfilter_sysctl_path[];
 127#endif /* CONFIG_SYSCTL */
 128
 129extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
 130
 131/* those NF_LOG_* defines and struct nf_loginfo are legacy definitios that will
 132 * disappear once iptables is replaced with pkttables.  Please DO NOT use them
 133 * for any new code! */
 134#define NF_LOG_TCPSEQ           0x01    /* Log TCP sequence numbers */
 135#define NF_LOG_TCPOPT           0x02    /* Log TCP options */
 136#define NF_LOG_IPOPT            0x04    /* Log IP options */
 137#define NF_LOG_UID              0x08    /* Log UID owning local socket */
 138#define NF_LOG_MASK             0x0f
 139
 140#define NF_LOG_TYPE_LOG         0x01
 141#define NF_LOG_TYPE_ULOG        0x02
 142
 143struct nf_loginfo {
 144        u_int8_t type;
 145        union {
 146                struct {
 147                        u_int32_t copy_len;
 148                        u_int16_t group;
 149                        u_int16_t qthreshold;
 150                } ulog;
 151                struct {
 152                        u_int8_t level;
 153                        u_int8_t logflags;
 154                } log;
 155        } u;
 156};
 157
 158typedef void nf_logfn(unsigned int pf,
 159                      unsigned int hooknum,
 160                      const struct sk_buff *skb,
 161                      const struct net_device *in,
 162                      const struct net_device *out,
 163                      const struct nf_loginfo *li,
 164                      const char *prefix);
 165
 166struct nf_logger {
 167        struct module   *me;
 168        nf_logfn        *logfn;
 169        char            *name;
 170};
 171
 172/* Function to register/unregister log function. */
 173int nf_log_register(int pf, struct nf_logger *logger);
 174void nf_log_unregister(struct nf_logger *logger);
 175void nf_log_unregister_pf(int pf);
 176
 177/* Calls the registered backend logging function */
 178void nf_log_packet(int pf,
 179                   unsigned int hooknum,
 180                   const struct sk_buff *skb,
 181                   const struct net_device *in,
 182                   const struct net_device *out,
 183                   struct nf_loginfo *li,
 184                   const char *fmt, ...);
 185
 186int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
 187                 struct net_device *indev, struct net_device *outdev,
 188                 int (*okfn)(struct sk_buff *), int thresh);
 189
 190/**
 191 *      nf_hook_thresh - call a netfilter hook
 192 *      
 193 *      Returns 1 if the hook has allowed the packet to pass.  The function
 194 *      okfn must be invoked by the caller in this case.  Any other return
 195 *      value indicates the packet has been consumed by the hook.
 196 */
 197static inline int nf_hook_thresh(int pf, unsigned int hook,
 198                                 struct sk_buff *skb,
 199                                 struct net_device *indev,
 200                                 struct net_device *outdev,
 201                                 int (*okfn)(struct sk_buff *), int thresh,
 202                                 int cond)
 203{
 204        if (!cond)
 205                return 1;
 206#ifndef CONFIG_NETFILTER_DEBUG
 207        if (list_empty(&nf_hooks[pf][hook]))
 208                return 1;
 209#endif
 210        return nf_hook_slow(pf, hook, skb, indev, outdev, okfn, thresh);
 211}
 212
 213static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb,
 214                          struct net_device *indev, struct net_device *outdev,
 215                          int (*okfn)(struct sk_buff *))
 216{
 217        return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN, 1);
 218}
 219                   
 220/* Activate hook; either okfn or kfree_skb called, unless a hook
 221   returns NF_STOLEN (in which case, it's up to the hook to deal with
 222   the consequences).
 223
 224   Returns -ERRNO if packet dropped.  Zero means queued, stolen or
 225   accepted.
 226*/
 227
 228/* RR:
 229   > I don't want nf_hook to return anything because people might forget
 230   > about async and trust the return value to mean "packet was ok".
 231
 232   AK:
 233   Just document it clearly, then you can expect some sense from kernel
 234   coders :)
 235*/
 236
 237/* This is gross, but inline doesn't cut it for avoiding the function
 238   call in fast path: gcc doesn't inline (needs value tracking?). --RR */
 239
 240/* HX: It's slightly less gross now. */
 241
 242#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh)             \
 243({int __ret;                                                                   \
 244if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, thresh, 1)) == 1)\
 245        __ret = (okfn)(skb);                                                   \
 246__ret;})
 247
 248#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond)                 \
 249({int __ret;                                                                   \
 250if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, INT_MIN, cond)) == 1)\
 251        __ret = (okfn)(skb);                                                   \
 252__ret;})
 253
 254#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
 255        NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN)
 256
 257/* Call setsockopt() */
 258int nf_setsockopt(struct sock *sk, int pf, int optval, char __user *opt, 
 259                  int len);
 260int nf_getsockopt(struct sock *sk, int pf, int optval, char __user *opt,
 261                  int *len);
 262
 263int compat_nf_setsockopt(struct sock *sk, int pf, int optval,
 264                char __user *opt, int len);
 265int compat_nf_getsockopt(struct sock *sk, int pf, int optval,
 266                char __user *opt, int *len);
 267
 268/* Packet queuing */
 269struct nf_queue_handler {
 270        int (*outfn)(struct sk_buff *skb, struct nf_info *info,
 271                     unsigned int queuenum, void *data);
 272        void *data;
 273        char *name;
 274};
 275extern int nf_register_queue_handler(int pf, 
 276                                     struct nf_queue_handler *qh);
 277extern int nf_unregister_queue_handler(int pf,
 278                                       struct nf_queue_handler *qh);
 279extern void nf_unregister_queue_handlers(struct nf_queue_handler *qh);
 280extern void nf_reinject(struct sk_buff *skb,
 281                        struct nf_info *info,
 282                        unsigned int verdict);
 283
 284/* FIXME: Before cache is ever used, this must be implemented for real. */
 285extern void nf_invalidate_cache(int pf);
 286
 287/* Call this before modifying an existing packet: ensures it is
 288   modifiable and linear to the point you care about (writable_len).
 289   Returns true or false. */
 290extern int skb_make_writable(struct sk_buff *skb, unsigned int writable_len);
 291
 292static inline void nf_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
 293{
 294        __be32 diff[] = { ~from, to };
 295
 296        *sum = csum_fold(csum_partial((char *)diff, sizeof(diff), ~csum_unfold(*sum)));
 297}
 298
 299static inline void nf_csum_replace2(__sum16 *sum, __be16 from, __be16 to)
 300{
 301        nf_csum_replace4(sum, (__force __be32)from, (__force __be32)to);
 302}
 303
 304extern void nf_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
 305                                      __be32 from, __be32 to, int pseudohdr);
 306
 307static inline void nf_proto_csum_replace2(__sum16 *sum, struct sk_buff *skb,
 308                                      __be16 from, __be16 to, int pseudohdr)
 309{
 310        nf_proto_csum_replace4(sum, skb, (__force __be32)from,
 311                                (__force __be32)to, pseudohdr);
 312}
 313
 314struct nf_afinfo {
 315        unsigned short  family;
 316        __sum16         (*checksum)(struct sk_buff *skb, unsigned int hook,
 317                                    unsigned int dataoff, u_int8_t protocol);
 318        void            (*saveroute)(const struct sk_buff *skb,
 319                                     struct nf_info *info);
 320        int             (*reroute)(struct sk_buff *skb,
 321                                   const struct nf_info *info);
 322        int             route_key_size;
 323};
 324
 325extern struct nf_afinfo *nf_afinfo[];
 326static inline struct nf_afinfo *nf_get_afinfo(unsigned short family)
 327{
 328        return rcu_dereference(nf_afinfo[family]);
 329}
 330
 331static inline __sum16
 332nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff,
 333            u_int8_t protocol, unsigned short family)
 334{
 335        struct nf_afinfo *afinfo;
 336        __sum16 csum = 0;
 337
 338        rcu_read_lock();
 339        afinfo = nf_get_afinfo(family);
 340        if (afinfo)
 341                csum = afinfo->checksum(skb, hook, dataoff, protocol);
 342        rcu_read_unlock();
 343        return csum;
 344}
 345
 346extern int nf_register_afinfo(struct nf_afinfo *afinfo);
 347extern void nf_unregister_afinfo(struct nf_afinfo *afinfo);
 348
 349#define nf_info_reroute(x) ((void *)x + sizeof(struct nf_info))
 350
 351#include <net/flow.h>
 352extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
 353
 354static inline void
 355nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family)
 356{
 357#if defined(CONFIG_IP_NF_NAT_NEEDED) || defined(CONFIG_NF_NAT_NEEDED)
 358        void (*decodefn)(struct sk_buff *, struct flowi *);
 359
 360        if (family == AF_INET && (decodefn = ip_nat_decode_session) != NULL)
 361                decodefn(skb, fl);
 362#endif
 363}
 364
 365#ifdef CONFIG_PROC_FS
 366#include <linux/proc_fs.h>
 367extern struct proc_dir_entry *proc_net_netfilter;
 368#endif
 369
 370#else /* !CONFIG_NETFILTER */
 371#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
 372#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
 373static inline int nf_hook_thresh(int pf, unsigned int hook,
 374                                 struct sk_buff *skb,
 375                                 struct net_device *indev,
 376                                 struct net_device *outdev,
 377                                 int (*okfn)(struct sk_buff *), int thresh,
 378                                 int cond)
 379{
 380        return okfn(skb);
 381}
 382static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb,
 383                          struct net_device *indev, struct net_device *outdev,
 384                          int (*okfn)(struct sk_buff *))
 385{
 386        return 1;
 387}
 388struct flowi;
 389static inline void
 390nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family) {}
 391#endif /*CONFIG_NETFILTER*/
 392
 393#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 394extern void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *);
 395extern void nf_ct_attach(struct sk_buff *, struct sk_buff *);
 396extern void (*nf_ct_destroy)(struct nf_conntrack *);
 397#else
 398static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
 399#endif
 400
 401#endif /*__KERNEL__*/
 402#endif /*__LINUX_NETFILTER_H*/
 403