LXR linux/include/linux/netfilter/x

   1#ifndef _X_TABLES_H
   2#define _X_TABLES_H
   3
   4
   5#include <linux/netdevice.h>
   6#include <uapi/linux/netfilter/x_tables.h>
   7
   8/**
   9 * struct xt_action_param - parameters for matches/targets
  10 *
  11 * @match:      the match extension
  12 * @target:     the target extension
  13 * @matchinfo:  per-match data
  14 * @targetinfo: per-target data
  15 * @in:         input netdevice
  16 * @out:        output netdevice
  17 * @fragoff:    packet is a fragment, this is the data offset
  18 * @thoff:      position of transport header relative to skb->data
  19 * @hook:       hook number given packet came from
  20 * @family:     Actual NFPROTO_* through which the function is invoked
  21 *              (helpful when match->family == NFPROTO_UNSPEC)
  22 *
  23 * Fields written to by extensions:
  24 *
  25 * @hotdrop:    drop packet if we had inspection problems
  26 * Network namespace obtainable using dev_net(in/out)
  27 */
  28struct xt_action_param {
  29        union {
  30                const struct xt_match *match;
  31                const struct xt_target *target;
  32        };
  33        union {
  34                const void *matchinfo, *targinfo;
  35        };
  36        const struct net_device *in, *out;
  37        int fragoff;
  38        unsigned int thoff;
  39        unsigned int hooknum;
  40        u_int8_t family;
  41        bool hotdrop;
  42};
  43
  44/**
  45 * struct xt_mtchk_param - parameters for match extensions'
  46 * checkentry functions
  47 *
  48 * @net:        network namespace through which the check was invoked
  49 * @table:      table the rule is tried to be inserted into
  50 * @entryinfo:  the family-specific rule data
  51 *              (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
  52 * @match:      struct xt_match through which this function was invoked
  53 * @matchinfo:  per-match data
  54 * @hook_mask:  via which hooks the new rule is reachable
  55 * Other fields as above.
  56 */
  57struct xt_mtchk_param {
  58        struct net *net;
  59        const char *table;
  60        const void *entryinfo;
  61        const struct xt_match *match;
  62        void *matchinfo;
  63        unsigned int hook_mask;
  64        u_int8_t family;
  65};
  66
  67/**
  68 * struct xt_mdtor_param - match destructor parameters
  69 * Fields as above.
  70 */
  71struct xt_mtdtor_param {
  72        struct net *net;
  73        const struct xt_match *match;
  74        void *matchinfo;
  75        u_int8_t family;
  76};
  77
  78/**
  79 * struct xt_tgchk_param - parameters for target extensions'
  80 * checkentry functions
  81 *
  82 * @entryinfo:  the family-specific rule data
  83 *              (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
  84 *
  85 * Other fields see above.
  86 */
  87struct xt_tgchk_param {
  88        struct net *net;
  89        const char *table;
  90        const void *entryinfo;
  91        const struct xt_target *target;
  92        void *targinfo;
  93        unsigned int hook_mask;
  94        u_int8_t family;
  95};
  96
  97/* Target destructor parameters */
  98struct xt_tgdtor_param {
  99        struct net *net;
 100        const struct xt_target *target;
 101        void *targinfo;
 102        u_int8_t family;
 103};
 104
 105struct xt_match {
 106        struct list_head list;
 107
 108        const char name[XT_EXTENSION_MAXNAMELEN];
 109        u_int8_t revision;
 110
 111        /* Return true or false: return FALSE and set *hotdrop = 1 to
 112           force immediate packet drop. */
 113        /* Arguments changed since 2.6.9, as this must now handle
 114           non-linear skb, using skb_header_pointer and
 115           skb_ip_make_writable. */
 116        bool (*match)(const struct sk_buff *skb,
 117                      struct xt_action_param *);
 118
 119        /* Called when user tries to insert an entry of this type. */
 120        int (*checkentry)(const struct xt_mtchk_param *);
 121
 122        /* Called when entry of this type deleted. */
 123        void (*destroy)(const struct xt_mtdtor_param *);
 124#ifdef CONFIG_COMPAT
 125        /* Called when userspace align differs from kernel space one */
 126        void (*compat_from_user)(void *dst, const void *src);
 127        int (*compat_to_user)(void __user *dst, const void *src);
 128#endif
 129        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 130        struct module *me;
 131
 132        const char *table;
 133        unsigned int matchsize;
 134#ifdef CONFIG_COMPAT
 135        unsigned int compatsize;
 136#endif
 137        unsigned int hooks;
 138        unsigned short proto;
 139
 140        unsigned short family;
 141};
 142
 143/* Registration hooks for targets. */
 144struct xt_target {
 145        struct list_head list;
 146
 147        const char name[XT_EXTENSION_MAXNAMELEN];
 148        u_int8_t revision;
 149
 150        /* Returns verdict. Argument order changed since 2.6.9, as this
 151           must now handle non-linear skbs, using skb_copy_bits and
 152           skb_ip_make_writable. */
 153        unsigned int (*target)(struct sk_buff *skb,
 154                               const struct xt_action_param *);
 155
 156        /* Called when user tries to insert an entry of this type:
 157           hook_mask is a bitmask of hooks from which it can be
 158           called. */
 159        /* Should return 0 on success or an error code otherwise (-Exxxx). */
 160        int (*checkentry)(const struct xt_tgchk_param *);
 161
 162        /* Called when entry of this type deleted. */
 163        void (*destroy)(const struct xt_tgdtor_param *);
 164#ifdef CONFIG_COMPAT
 165        /* Called when userspace align differs from kernel space one */
 166        void (*compat_from_user)(void *dst, const void *src);
 167        int (*compat_to_user)(void __user *dst, const void *src);
 168#endif
 169        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 170        struct module *me;
 171
 172        const char *table;
 173        unsigned int targetsize;
 174#ifdef CONFIG_COMPAT
 175        unsigned int compatsize;
 176#endif
 177        unsigned int hooks;
 178        unsigned short proto;
 179
 180        unsigned short family;
 181};
 182
 183/* Furniture shopping... */
 184struct xt_table {
 185        struct list_head list;
 186
 187        /* What hooks you will enter on */
 188        unsigned int valid_hooks;
 189
 190        /* Man behind the curtain... */
 191        struct xt_table_info *private;
 192
 193        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 194        struct module *me;
 195
 196        u_int8_t af;            /* address/protocol family */
 197        int priority;           /* hook order */
 198
 199        /* A unique name... */
 200        const char name[XT_TABLE_MAXNAMELEN];
 201};
 202
 203#include <linux/netfilter_ipv4.h>
 204
 205/* The table itself */
 206struct xt_table_info {
 207        /* Size per table */
 208        unsigned int size;
 209        /* Number of entries: FIXME. --RR */
 210        unsigned int number;
 211        /* Initial number of entries. Needed for module usage count */
 212        unsigned int initial_entries;
 213
 214        /* Entry points and underflows */
 215        unsigned int hook_entry[NF_INET_NUMHOOKS];
 216        unsigned int underflow[NF_INET_NUMHOOKS];
 217
 218        /*
 219         * Number of user chains. Since tables cannot have loops, at most
 220         * @stacksize jumps (number of user chains) can possibly be made.
 221         */
 222        unsigned int stacksize;
 223        unsigned int __percpu *stackptr;
 224        void ***jumpstack;
 225        /* ipt_entry tables: one per CPU */
 226        /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
 227        void *entries[1];
 228};
 229
 230#define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
 231                          + nr_cpu_ids * sizeof(char *))
 232extern int xt_register_target(struct xt_target *target);
 233extern void xt_unregister_target(struct xt_target *target);
 234extern int xt_register_targets(struct xt_target *target, unsigned int n);
 235extern void xt_unregister_targets(struct xt_target *target, unsigned int n);
 236
 237extern int xt_register_match(struct xt_match *target);
 238extern void xt_unregister_match(struct xt_match *target);
 239extern int xt_register_matches(struct xt_match *match, unsigned int n);
 240extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
 241
 242extern int xt_check_match(struct xt_mtchk_param *,
 243                          unsigned int size, u_int8_t proto, bool inv_proto);
 244extern int xt_check_target(struct xt_tgchk_param *,
 245                           unsigned int size, u_int8_t proto, bool inv_proto);
 246
 247extern struct xt_table *xt_register_table(struct net *net,
 248                                          const struct xt_table *table,
 249                                          struct xt_table_info *bootstrap,
 250                                          struct xt_table_info *newinfo);
 251extern void *xt_unregister_table(struct xt_table *table);
 252
 253extern struct xt_table_info *xt_replace_table(struct xt_table *table,
 254                                              unsigned int num_counters,
 255                                              struct xt_table_info *newinfo,
 256                                              int *error);
 257
 258extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
 259extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
 260extern struct xt_match *xt_request_find_match(u8 af, const char *name,
 261                                              u8 revision);
 262extern struct xt_target *xt_request_find_target(u8 af, const char *name,
 263                                                u8 revision);
 264extern int xt_find_revision(u8 af, const char *name, u8 revision,
 265                            int target, int *err);
 266
 267extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
 268                                           const char *name);
 269extern void xt_table_unlock(struct xt_table *t);
 270
 271extern int xt_proto_init(struct net *net, u_int8_t af);
 272extern void xt_proto_fini(struct net *net, u_int8_t af);
 273
 274extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
 275extern void xt_free_table_info(struct xt_table_info *info);
 276
 277/**
 278 * xt_recseq - recursive seqcount for netfilter use
 279 * 
 280 * Packet processing changes the seqcount only if no recursion happened
 281 * get_counters() can use read_seqcount_begin()/read_seqcount_retry(),
 282 * because we use the normal seqcount convention :
 283 * Low order bit set to 1 if a writer is active.
 284 */
 285DECLARE_PER_CPU(seqcount_t, xt_recseq);
 286
 287/**
 288 * xt_write_recseq_begin - start of a write section
 289 *
 290 * Begin packet processing : all readers must wait the end
 291 * 1) Must be called with preemption disabled
 292 * 2) softirqs must be disabled too (or we should use this_cpu_add())
 293 * Returns :
 294 *  1 if no recursion on this cpu
 295 *  0 if recursion detected
 296 */
 297static inline unsigned int xt_write_recseq_begin(void)
 298{
 299        unsigned int addend;
 300
 301        /*
 302         * Low order bit of sequence is set if we already
 303         * called xt_write_recseq_begin().
 304         */
 305        addend = (__this_cpu_read(xt_recseq.sequence) + 1) & 1;
 306
 307        /*
 308         * This is kind of a write_seqcount_begin(), but addend is 0 or 1
 309         * We dont check addend value to avoid a test and conditional jump,
 310         * since addend is most likely 1
 311         */
 312        __this_cpu_add(xt_recseq.sequence, addend);
 313        smp_wmb();
 314
 315        return addend;
 316}
 317
 318/**
 319 * xt_write_recseq_end - end of a write section
 320 * @addend: return value from previous xt_write_recseq_begin()
 321 *
 322 * End packet processing : all readers can proceed
 323 * 1) Must be called with preemption disabled
 324 * 2) softirqs must be disabled too (or we should use this_cpu_add())
 325 */
 326static inline void xt_write_recseq_end(unsigned int addend)
 327{
 328        /* this is kind of a write_seqcount_end(), but addend is 0 or 1 */
 329        smp_wmb();
 330        __this_cpu_add(xt_recseq.sequence, addend);
 331}
 332
 333/*
 334 * This helper is performance critical and must be inlined
 335 */
 336static inline unsigned long ifname_compare_aligned(const char *_a,
 337                                                   const char *_b,
 338                                                   const char *_mask)
 339{
 340        const unsigned long *a = (const unsigned long *)_a;
 341        const unsigned long *b = (const unsigned long *)_b;
 342        const unsigned long *mask = (const unsigned long *)_mask;
 343        unsigned long ret;
 344
 345        ret = (a[0] ^ b[0]) & mask[0];
 346        if (IFNAMSIZ > sizeof(unsigned long))
 347                ret |= (a[1] ^ b[1]) & mask[1];
 348        if (IFNAMSIZ > 2 * sizeof(unsigned long))
 349                ret |= (a[2] ^ b[2]) & mask[2];
 350        if (IFNAMSIZ > 3 * sizeof(unsigned long))
 351                ret |= (a[3] ^ b[3]) & mask[3];
 352        BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
 353        return ret;
 354}
 355
 356extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
 357extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
 358
 359#ifdef CONFIG_COMPAT
 360#include <net/compat.h>
 361
 362struct compat_xt_entry_match {
 363        union {
 364                struct {
 365                        u_int16_t match_size;
 366                        char name[XT_FUNCTION_MAXNAMELEN - 1];
 367                        u_int8_t revision;
 368                } user;
 369                struct {
 370                        u_int16_t match_size;
 371                        compat_uptr_t match;
 372                } kernel;
 373                u_int16_t match_size;
 374        } u;
 375        unsigned char data[0];
 376};
 377
 378struct compat_xt_entry_target {
 379        union {
 380                struct {
 381                        u_int16_t target_size;
 382                        char name[XT_FUNCTION_MAXNAMELEN - 1];
 383                        u_int8_t revision;
 384                } user;
 385                struct {
 386                        u_int16_t target_size;
 387                        compat_uptr_t target;
 388                } kernel;
 389                u_int16_t target_size;
 390        } u;
 391        unsigned char data[0];
 392};
 393
 394/* FIXME: this works only on 32 bit tasks
 395 * need to change whole approach in order to calculate align as function of
 396 * current task alignment */
 397
 398struct compat_xt_counters {
 399        compat_u64 pcnt, bcnt;                  /* Packet and byte counters */
 400};
 401
 402struct compat_xt_counters_info {
 403        char name[XT_TABLE_MAXNAMELEN];
 404        compat_uint_t num_counters;
 405        struct compat_xt_counters counters[0];
 406};
 407
 408struct _compat_xt_align {
 409        __u8 u8;
 410        __u16 u16;
 411        __u32 u32;
 412        compat_u64 u64;
 413};
 414
 415#define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
 416
 417extern void xt_compat_lock(u_int8_t af);
 418extern void xt_compat_unlock(u_int8_t af);
 419
 420extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta);
 421extern void xt_compat_flush_offsets(u_int8_t af);
 422extern void xt_compat_init_offsets(u_int8_t af, unsigned int number);
 423extern int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
 424
 425extern int xt_compat_match_offset(const struct xt_match *match);
 426extern int xt_compat_match_from_user(struct xt_entry_match *m,
 427                                     void **dstptr, unsigned int *size);
 428extern int xt_compat_match_to_user(const struct xt_entry_match *m,
 429                                   void __user **dstptr, unsigned int *size);
 430
 431extern int xt_compat_target_offset(const struct xt_target *target);
 432extern void xt_compat_target_from_user(struct xt_entry_target *t,
 433                                       void **dstptr, unsigned int *size);
 434extern int xt_compat_target_to_user(const struct xt_entry_target *t,
 435                                    void __user **dstptr, unsigned int *size);
 436
 437#endif /* CONFIG_COMPAT */
 438#endif /* _X_TABLES_H */
 439