LXR linux/include/linux/netfilter/x

   1#ifndef _X_TABLES_H
   2#define _X_TABLES_H
   3
   4#include <linux/types.h>
   5
   6#define XT_FUNCTION_MAXNAMELEN 30
   7#define XT_TABLE_MAXNAMELEN 32
   8
   9struct xt_entry_match
  10{
  11        union {
  12                struct {
  13                        __u16 match_size;
  14
  15                        /* Used by userspace */
  16                        char name[XT_FUNCTION_MAXNAMELEN-1];
  17
  18                        __u8 revision;
  19                } user;
  20                struct {
  21                        __u16 match_size;
  22
  23                        /* Used inside the kernel */
  24                        struct xt_match *match;
  25                } kernel;
  26
  27                /* Total length */
  28                __u16 match_size;
  29        } u;
  30
  31        unsigned char data[0];
  32};
  33
  34struct xt_entry_target
  35{
  36        union {
  37                struct {
  38                        __u16 target_size;
  39
  40                        /* Used by userspace */
  41                        char name[XT_FUNCTION_MAXNAMELEN-1];
  42
  43                        __u8 revision;
  44                } user;
  45                struct {
  46                        __u16 target_size;
  47
  48                        /* Used inside the kernel */
  49                        struct xt_target *target;
  50                } kernel;
  51
  52                /* Total length */
  53                __u16 target_size;
  54        } u;
  55
  56        unsigned char data[0];
  57};
  58
  59#define XT_TARGET_INIT(__name, __size)                                         \
  60{                                                                              \
  61        .target.u.user = {                                                     \
  62                .target_size    = XT_ALIGN(__size),                            \
  63                .name           = __name,                                      \
  64        },                                                                     \
  65}
  66
  67struct xt_standard_target
  68{
  69        struct xt_entry_target target;
  70        int verdict;
  71};
  72
  73/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
  74 * kernel supports, if >= revision. */
  75struct xt_get_revision
  76{
  77        char name[XT_FUNCTION_MAXNAMELEN-1];
  78
  79        __u8 revision;
  80};
  81
  82/* CONTINUE verdict for targets */
  83#define XT_CONTINUE 0xFFFFFFFF
  84
  85/* For standard target */
  86#define XT_RETURN (-NF_REPEAT - 1)
  87
  88/* this is a dummy structure to find out the alignment requirement for a struct
  89 * containing all the fundamental data types that are used in ipt_entry,
  90 * ip6t_entry and arpt_entry.  This sucks, and it is a hack.  It will be my
  91 * personal pleasure to remove it -HW
  92 */
  93struct _xt_align
  94{
  95        __u8 u8;
  96        __u16 u16;
  97        __u32 u32;
  98        __u64 u64;
  99};
 100
 101#define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1))  \
 102                        & ~(__alignof__(struct _xt_align)-1))
 103
 104/* Standard return verdict, or do jump. */
 105#define XT_STANDARD_TARGET ""
 106/* Error verdict. */
 107#define XT_ERROR_TARGET "ERROR"
 108
 109#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
 110#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
 111
 112struct xt_counters
 113{
 114        __u64 pcnt, bcnt;                       /* Packet and byte counters */
 115};
 116
 117/* The argument to IPT_SO_ADD_COUNTERS. */
 118struct xt_counters_info
 119{
 120        /* Which table. */
 121        char name[XT_TABLE_MAXNAMELEN];
 122
 123        unsigned int num_counters;
 124
 125        /* The counters (actually `number' of these). */
 126        struct xt_counters counters[0];
 127};
 128
 129#define XT_INV_PROTO            0x40    /* Invert the sense of PROTO. */
 130
 131/* fn returns 0 to continue iteration */
 132#define XT_MATCH_ITERATE(type, e, fn, args...)                  \
 133({                                                              \
 134        unsigned int __i;                                       \
 135        int __ret = 0;                                          \
 136        struct xt_entry_match *__m;                             \
 137                                                                \
 138        for (__i = sizeof(type);                                \
 139             __i < (e)->target_offset;                          \
 140             __i += __m->u.match_size) {                        \
 141                __m = (void *)e + __i;                          \
 142                                                                \
 143                __ret = fn(__m , ## args);                      \
 144                if (__ret != 0)                                 \
 145                        break;                                  \
 146        }                                                       \
 147        __ret;                                                  \
 148})
 149
 150/* fn returns 0 to continue iteration */
 151#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
 152({                                                              \
 153        unsigned int __i, __n;                                  \
 154        int __ret = 0;                                          \
 155        type *__entry;                                          \
 156                                                                \
 157        for (__i = 0, __n = 0; __i < (size);                    \
 158             __i += __entry->next_offset, __n++) {              \
 159                __entry = (void *)(entries) + __i;              \
 160                if (__n < n)                                    \
 161                        continue;                               \
 162                                                                \
 163                __ret = fn(__entry , ## args);                  \
 164                if (__ret != 0)                                 \
 165                        break;                                  \
 166        }                                                       \
 167        __ret;                                                  \
 168})
 169
 170/* fn returns 0 to continue iteration */
 171#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
 172        XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
 173
 174#ifdef __KERNEL__
 175
 176#include <linux/netdevice.h>
 177
 178/**
 179 * struct xt_match_param - parameters for match extensions' match functions
 180 *
 181 * @in:         input netdevice
 182 * @out:        output netdevice
 183 * @match:      struct xt_match through which this function was invoked
 184 * @matchinfo:  per-match data
 185 * @fragoff:    packet is a fragment, this is the data offset
 186 * @thoff:      position of transport header relative to skb->data
 187 * @hook:       hook number given packet came from
 188 * @family:     Actual NFPROTO_* through which the function is invoked
 189 *              (helpful when match->family == NFPROTO_UNSPEC)
 190 * @hotdrop:    drop packet if we had inspection problems
 191 */
 192struct xt_match_param {
 193        const struct net_device *in, *out;
 194        const struct xt_match *match;
 195        const void *matchinfo;
 196        int fragoff;
 197        unsigned int thoff;
 198        unsigned int hooknum;
 199        u_int8_t family;
 200        bool *hotdrop;
 201};
 202
 203/**
 204 * struct xt_mtchk_param - parameters for match extensions'
 205 * checkentry functions
 206 *
 207 * @table:      table the rule is tried to be inserted into
 208 * @entryinfo:  the family-specific rule data
 209 *              (struct ipt_ip, ip6t_ip, ebt_entry)
 210 * @match:      struct xt_match through which this function was invoked
 211 * @matchinfo:  per-match data
 212 * @hook_mask:  via which hooks the new rule is reachable
 213 */
 214struct xt_mtchk_param {
 215        const char *table;
 216        const void *entryinfo;
 217        const struct xt_match *match;
 218        void *matchinfo;
 219        unsigned int hook_mask;
 220        u_int8_t family;
 221};
 222
 223/* Match destructor parameters */
 224struct xt_mtdtor_param {
 225        const struct xt_match *match;
 226        void *matchinfo;
 227        u_int8_t family;
 228};
 229
 230/**
 231 * struct xt_target_param - parameters for target extensions' target functions
 232 *
 233 * @hooknum:    hook through which this target was invoked
 234 * @target:     struct xt_target through which this function was invoked
 235 * @targinfo:   per-target data
 236 *
 237 * Other fields see above.
 238 */
 239struct xt_target_param {
 240        const struct net_device *in, *out;
 241        const struct xt_target *target;
 242        const void *targinfo;
 243        unsigned int hooknum;
 244        u_int8_t family;
 245};
 246
 247/**
 248 * struct xt_tgchk_param - parameters for target extensions'
 249 * checkentry functions
 250 *
 251 * @entryinfo:  the family-specific rule data
 252 *              (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
 253 *
 254 * Other fields see above.
 255 */
 256struct xt_tgchk_param {
 257        const char *table;
 258        const void *entryinfo;
 259        const struct xt_target *target;
 260        void *targinfo;
 261        unsigned int hook_mask;
 262        u_int8_t family;
 263};
 264
 265/* Target destructor parameters */
 266struct xt_tgdtor_param {
 267        const struct xt_target *target;
 268        void *targinfo;
 269        u_int8_t family;
 270};
 271
 272struct xt_match
 273{
 274        struct list_head list;
 275
 276        const char name[XT_FUNCTION_MAXNAMELEN-1];
 277        u_int8_t revision;
 278
 279        /* Return true or false: return FALSE and set *hotdrop = 1 to
 280           force immediate packet drop. */
 281        /* Arguments changed since 2.6.9, as this must now handle
 282           non-linear skb, using skb_header_pointer and
 283           skb_ip_make_writable. */
 284        bool (*match)(const struct sk_buff *skb,
 285                      const struct xt_match_param *);
 286
 287        /* Called when user tries to insert an entry of this type. */
 288        bool (*checkentry)(const struct xt_mtchk_param *);
 289
 290        /* Called when entry of this type deleted. */
 291        void (*destroy)(const struct xt_mtdtor_param *);
 292
 293        /* Called when userspace align differs from kernel space one */
 294        void (*compat_from_user)(void *dst, void *src);
 295        int (*compat_to_user)(void __user *dst, void *src);
 296
 297        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 298        struct module *me;
 299
 300        /* Free to use by each match */
 301        unsigned long data;
 302
 303        const char *table;
 304        unsigned int matchsize;
 305        unsigned int compatsize;
 306        unsigned int hooks;
 307        unsigned short proto;
 308
 309        unsigned short family;
 310};
 311
 312/* Registration hooks for targets. */
 313struct xt_target
 314{
 315        struct list_head list;
 316
 317        const char name[XT_FUNCTION_MAXNAMELEN-1];
 318
 319        /* Returns verdict. Argument order changed since 2.6.9, as this
 320           must now handle non-linear skbs, using skb_copy_bits and
 321           skb_ip_make_writable. */
 322        unsigned int (*target)(struct sk_buff *skb,
 323                               const struct xt_target_param *);
 324
 325        /* Called when user tries to insert an entry of this type:
 326           hook_mask is a bitmask of hooks from which it can be
 327           called. */
 328        /* Should return true or false. */
 329        bool (*checkentry)(const struct xt_tgchk_param *);
 330
 331        /* Called when entry of this type deleted. */
 332        void (*destroy)(const struct xt_tgdtor_param *);
 333
 334        /* Called when userspace align differs from kernel space one */
 335        void (*compat_from_user)(void *dst, void *src);
 336        int (*compat_to_user)(void __user *dst, void *src);
 337
 338        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 339        struct module *me;
 340
 341        const char *table;
 342        unsigned int targetsize;
 343        unsigned int compatsize;
 344        unsigned int hooks;
 345        unsigned short proto;
 346
 347        unsigned short family;
 348        u_int8_t revision;
 349};
 350
 351/* Furniture shopping... */
 352struct xt_table
 353{
 354        struct list_head list;
 355
 356        /* What hooks you will enter on */
 357        unsigned int valid_hooks;
 358
 359        /* Man behind the curtain... */
 360        struct xt_table_info *private;
 361
 362        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 363        struct module *me;
 364
 365        u_int8_t af;            /* address/protocol family */
 366
 367        /* A unique name... */
 368        const char name[XT_TABLE_MAXNAMELEN];
 369};
 370
 371#include <linux/netfilter_ipv4.h>
 372
 373/* The table itself */
 374struct xt_table_info
 375{
 376        /* Size per table */
 377        unsigned int size;
 378        /* Number of entries: FIXME. --RR */
 379        unsigned int number;
 380        /* Initial number of entries. Needed for module usage count */
 381        unsigned int initial_entries;
 382
 383        /* Entry points and underflows */
 384        unsigned int hook_entry[NF_INET_NUMHOOKS];
 385        unsigned int underflow[NF_INET_NUMHOOKS];
 386
 387        /* ipt_entry tables: one per CPU */
 388        /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
 389        void *entries[1];
 390};
 391
 392#define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
 393                          + nr_cpu_ids * sizeof(char *))
 394extern int xt_register_target(struct xt_target *target);
 395extern void xt_unregister_target(struct xt_target *target);
 396extern int xt_register_targets(struct xt_target *target, unsigned int n);
 397extern void xt_unregister_targets(struct xt_target *target, unsigned int n);
 398
 399extern int xt_register_match(struct xt_match *target);
 400extern void xt_unregister_match(struct xt_match *target);
 401extern int xt_register_matches(struct xt_match *match, unsigned int n);
 402extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
 403
 404extern int xt_check_match(struct xt_mtchk_param *,
 405                          unsigned int size, u_int8_t proto, bool inv_proto);
 406extern int xt_check_target(struct xt_tgchk_param *,
 407                           unsigned int size, u_int8_t proto, bool inv_proto);
 408
 409extern struct xt_table *xt_register_table(struct net *net,
 410                                          const struct xt_table *table,
 411                                          struct xt_table_info *bootstrap,
 412                                          struct xt_table_info *newinfo);
 413extern void *xt_unregister_table(struct xt_table *table);
 414
 415extern struct xt_table_info *xt_replace_table(struct xt_table *table,
 416                                              unsigned int num_counters,
 417                                              struct xt_table_info *newinfo,
 418                                              int *error);
 419
 420extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
 421extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
 422extern struct xt_target *xt_request_find_target(u8 af, const char *name,
 423                                                u8 revision);
 424extern int xt_find_revision(u8 af, const char *name, u8 revision,
 425                            int target, int *err);
 426
 427extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
 428                                           const char *name);
 429extern void xt_table_unlock(struct xt_table *t);
 430
 431extern int xt_proto_init(struct net *net, u_int8_t af);
 432extern void xt_proto_fini(struct net *net, u_int8_t af);
 433
 434extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
 435extern void xt_free_table_info(struct xt_table_info *info);
 436
 437/*
 438 * Per-CPU spinlock associated with per-cpu table entries, and
 439 * with a counter for the "reading" side that allows a recursive
 440 * reader to avoid taking the lock and deadlocking.
 441 *
 442 * "reading" is used by ip/arp/ip6 tables rule processing which runs per-cpu.
 443 * It needs to ensure that the rules are not being changed while the packet
 444 * is being processed. In some cases, the read lock will be acquired
 445 * twice on the same CPU; this is okay because of the count.
 446 *
 447 * "writing" is used when reading counters.
 448 *  During replace any readers that are using the old tables have to complete
 449 *  before freeing the old table. This is handled by the write locking
 450 *  necessary for reading the counters.
 451 */
 452struct xt_info_lock {
 453        spinlock_t lock;
 454        unsigned char readers;
 455};
 456DECLARE_PER_CPU(struct xt_info_lock, xt_info_locks);
 457
 458/*
 459 * Note: we need to ensure that preemption is disabled before acquiring
 460 * the per-cpu-variable, so we do it as a two step process rather than
 461 * using "spin_lock_bh()".
 462 *
 463 * We _also_ need to disable bottom half processing before updating our
 464 * nesting count, to make sure that the only kind of re-entrancy is this
 465 * code being called by itself: since the count+lock is not an atomic
 466 * operation, we can allow no races.
 467 *
 468 * _Only_ that special combination of being per-cpu and never getting
 469 * re-entered asynchronously means that the count is safe.
 470 */
 471static inline void xt_info_rdlock_bh(void)
 472{
 473        struct xt_info_lock *lock;
 474
 475        local_bh_disable();
 476        lock = &__get_cpu_var(xt_info_locks);
 477        if (likely(!lock->readers++))
 478                spin_lock(&lock->lock);
 479}
 480
 481static inline void xt_info_rdunlock_bh(void)
 482{
 483        struct xt_info_lock *lock = &__get_cpu_var(xt_info_locks);
 484
 485        if (likely(!--lock->readers))
 486                spin_unlock(&lock->lock);
 487        local_bh_enable();
 488}
 489
 490/*
 491 * The "writer" side needs to get exclusive access to the lock,
 492 * regardless of readers.  This must be called with bottom half
 493 * processing (and thus also preemption) disabled.
 494 */
 495static inline void xt_info_wrlock(unsigned int cpu)
 496{
 497        spin_lock(&per_cpu(xt_info_locks, cpu).lock);
 498}
 499
 500static inline void xt_info_wrunlock(unsigned int cpu)
 501{
 502        spin_unlock(&per_cpu(xt_info_locks, cpu).lock);
 503}
 504
 505/*
 506 * This helper is performance critical and must be inlined
 507 */
 508static inline unsigned long ifname_compare_aligned(const char *_a,
 509                                                   const char *_b,
 510                                                   const char *_mask)
 511{
 512        const unsigned long *a = (const unsigned long *)_a;
 513        const unsigned long *b = (const unsigned long *)_b;
 514        const unsigned long *mask = (const unsigned long *)_mask;
 515        unsigned long ret;
 516
 517        ret = (a[0] ^ b[0]) & mask[0];
 518        if (IFNAMSIZ > sizeof(unsigned long))
 519                ret |= (a[1] ^ b[1]) & mask[1];
 520        if (IFNAMSIZ > 2 * sizeof(unsigned long))
 521                ret |= (a[2] ^ b[2]) & mask[2];
 522        if (IFNAMSIZ > 3 * sizeof(unsigned long))
 523                ret |= (a[3] ^ b[3]) & mask[3];
 524        BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
 525        return ret;
 526}
 527
 528#ifdef CONFIG_COMPAT
 529#include <net/compat.h>
 530
 531struct compat_xt_entry_match
 532{
 533        union {
 534                struct {
 535                        u_int16_t match_size;
 536                        char name[XT_FUNCTION_MAXNAMELEN - 1];
 537                        u_int8_t revision;
 538                } user;
 539                struct {
 540                        u_int16_t match_size;
 541                        compat_uptr_t match;
 542                } kernel;
 543                u_int16_t match_size;
 544        } u;
 545        unsigned char data[0];
 546};
 547
 548struct compat_xt_entry_target
 549{
 550        union {
 551                struct {
 552                        u_int16_t target_size;
 553                        char name[XT_FUNCTION_MAXNAMELEN - 1];
 554                        u_int8_t revision;
 555                } user;
 556                struct {
 557                        u_int16_t target_size;
 558                        compat_uptr_t target;
 559                } kernel;
 560                u_int16_t target_size;
 561        } u;
 562        unsigned char data[0];
 563};
 564
 565/* FIXME: this works only on 32 bit tasks
 566 * need to change whole approach in order to calculate align as function of
 567 * current task alignment */
 568
 569struct compat_xt_counters
 570{
 571#if defined(CONFIG_X86_64) || defined(CONFIG_IA64)
 572        u_int32_t cnt[4];
 573#else
 574        u_int64_t cnt[2];
 575#endif
 576};
 577
 578struct compat_xt_counters_info
 579{
 580        char name[XT_TABLE_MAXNAMELEN];
 581        compat_uint_t num_counters;
 582        struct compat_xt_counters counters[0];
 583};
 584
 585#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
 586                & ~(__alignof__(struct compat_xt_counters)-1))
 587
 588extern void xt_compat_lock(u_int8_t af);
 589extern void xt_compat_unlock(u_int8_t af);
 590
 591extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta);
 592extern void xt_compat_flush_offsets(u_int8_t af);
 593extern short xt_compat_calc_jump(u_int8_t af, unsigned int offset);
 594
 595extern int xt_compat_match_offset(const struct xt_match *match);
 596extern int xt_compat_match_from_user(struct xt_entry_match *m,
 597                                     void **dstptr, unsigned int *size);
 598extern int xt_compat_match_to_user(struct xt_entry_match *m,
 599                                   void __user **dstptr, unsigned int *size);
 600
 601extern int xt_compat_target_offset(const struct xt_target *target);
 602extern void xt_compat_target_from_user(struct xt_entry_target *t,
 603                                       void **dstptr, unsigned int *size);
 604extern int xt_compat_target_to_user(struct xt_entry_target *t,
 605                                    void __user **dstptr, unsigned int *size);
 606
 607#endif /* CONFIG_COMPAT */
 608#endif /* __KERNEL__ */
 609
 610#endif /* _X_TABLES_H */
 611