#ifndef __LINUX_NETFILTER_H
#define __LINUX_NETFILTER_H

#ifdef __KERNEL__
#include <linux/init.h>
#include <linux/types.h>
#include <linux/skbuff.h>
#include <linux/net.h>
#include <linux/if.h>
#include <linux/wait.h>
#include <linux/list.h>
#endif
#include <linux/compiler.h>

/* Responses from hook functions.
 *
 * These numeric values are visible to userspace as well (this header is
 * consumed outside __KERNEL__ too, see the compatibility block below), so
 * they are ABI and must not be renumbered.  Only the low NF_VERDICT_MASK
 * bits carry the verdict; the upper bits may carry auxiliary data such as
 * the queue number (see NF_QUEUE_NR()). */
#define NF_DROP 0		/* packet is discarded (kfree_skb) */
#define NF_ACCEPT 1		/* packet continues: okfn gets invoked */
#define NF_STOLEN 2		/* hook took the skb; core does nothing more with it */
#define NF_QUEUE 3		/* hand the packet to a (userspace) queue handler */
#define NF_REPEAT 4		/* presumably "run this hook again"; semantics live in the core */
#define NF_STOP 5
/* Highest verdict value; use it to range-check verdicts that arrive from
 * outside the core (e.g. via nf_reinject()). */
#define NF_MAX_VERDICT NF_STOP
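/* we overload the higher bits for encoding auxiliary data such as the queue
 * number. Not nice, but better than additional function arguments. */
#define NF_VERDICT_MASK 0x0000ffff	/* low 16 bits: the NF_* verdict itself */
#define NF_VERDICT_BITS 16
#define NF_VERDICT_QMASK 0xffff0000	/* high 16 bits: queue number for NF_QUEUE */
#define NF_VERDICT_QBITS 16

/* Build an NF_QUEUE verdict carrying queue number x in the upper bits.
 *
 * x is parenthesised so that an expression argument (e.g. "a & b") is
 * shifted as a whole instead of being split by operator precedence; a
 * queue number wider than NF_VERDICT_QBITS is silently truncated by the
 * mask.  Shifting a negative or >16-bit signed value is undefined, so pass
 * an unsigned queue number. */
#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_QBITS) & NF_VERDICT_QMASK) | NF_QUEUE)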
/* only for userspace compatibility: these are kept so that old userspace
 * which still references them keeps building.  Kernel code never sees them
 * (they are inside #ifndef __KERNEL__) and must not use them. */
#ifndef __KERNEL__
/* Generic cache responses from hook functions.
   <= 0x2000 is used for protocol-flags. */
#define NFC_UNKNOWN 0x4000
#define NFC_ALTERED 0x8000
#endif
#ifdef __KERNEL__ |
#ifdef CONFIG_NETFILTER
extern void netfilter_init(void);

/* Largest hook number + 1 */
#define NF_MAX_HOOKS 8

struct sk_buff;
struct net_device;

/* Hook callback.  skb is passed by reference, presumably so that a hook can
 * substitute a different buffer (skb_make_writable() below takes the same
 * double pointer).  okfn is the continuation the core runs when the packet is
 * accepted; the hook must not call it itself.  The return value is an NF_*
 * verdict, possibly with auxiliary data in the upper bits (NF_QUEUE_NR()). */
typedef unsigned int nf_hookfn(unsigned int hooknum,
			       struct sk_buff **skb,
			       const struct net_device *in,
			       const struct net_device *out,
			       int (*okfn)(struct sk_buff *));

struct nf_hook_ops
{
	struct list_head list;

	/* User fills in from here down. */
	nf_hookfn *hook;
	struct module *owner;
	/* pf/hooknum select the nf_hooks[pf][hooknum] chain this entry is
	 * linked into (nf_hook_thresh() indexes that array without a range
	 * check, so they must be valid). */
	int pf;
	int hooknum;
	/* Hooks are ordered in ascending priority. */
	int priority;
};

/* Per-protocol-family handler for the netfilter {get,set}sockopt ranges.
 *
 * 'user' is an unchecked userspace pointer (__user) and 'len' is supplied by
 * the caller of the syscall: the set/get callbacks must only access 'user'
 * through the user-copy helpers and must validate 'len' before using it as
 * a size.  See also the permission caveat on nf_register_sockopt() below. */
struct nf_sockopt_ops
{
	struct list_head list;

	int pf;

	/* Non-inclusive ranges: use 0/0/NULL to never get called. */
	int set_optmin;
	int set_optmax;
	int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len);
	int (*compat_set)(struct sock *sk, int optval, void __user *user, unsigned int len);

	int get_optmin;
	int get_optmax;
	int (*get)(struct sock *sk, int optval, void __user *user, int *len);
	int (*compat_get)(struct sock *sk, int optval, void __user *user, int *len);

	/* Number of users inside set() or get(). */
	unsigned int use;
	/* Presumably the task waiting in unregister for 'use' to reach zero;
	 * confirm in the core. */
	struct task_struct *cleanup_task;
};

/* Each queued (to userspace) skbuff has one of these. */
struct nf_info
{
	/* The ops struct which sent us to userspace. */
	struct nf_hook_ops *elem;

	/* If we're sent to userspace, this keeps housekeeping info */
	int pf;
	unsigned int hook;
	struct net_device *indev, *outdev;
	/* Continuation to run when the packet comes back via nf_reinject()
	 * with an accepting verdict (inferred from the signature; confirm in
	 * nf_reinject()). */
	int (*okfn)(struct sk_buff *);
};

/* Function to register/unregister hook points. */
int nf_register_hook(struct nf_hook_ops *reg);
void nf_unregister_hook(struct nf_hook_ops *reg);
/* Batch variants over the n-element array starting at reg. */
int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n);
void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n);

/* Functions to register get/setsockopt ranges (non-inclusive).
   You need to check permissions yourself!  Nothing in the registration or
   dispatch path checks privileges on the handler's behalf: every set()/get()
   callback must verify that the calling task is allowed to read or change
   netfilter state (typically a capability check) before doing anything. */
int nf_register_sockopt(struct nf_sockopt_ops *reg);
void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
#ifdef CONFIG_SYSCTL
/* Sysctl registration: 'path' is one of the nf_net_*_sysctl_path[] tables
   below, 'table' the leaf entries to hang under it. */
struct ctl_table_header *nf_register_sysctl_table(struct ctl_table *path,
						  struct ctl_table *table);
void nf_unregister_sysctl_table(struct ctl_table_header *header,
				struct ctl_table *table);
extern struct ctl_table nf_net_netfilter_sysctl_path[];
extern struct ctl_table nf_net_ipv4_netfilter_sysctl_path[];
#endif /* CONFIG_SYSCTL */

/* Hook chains, indexed [pf][hooknum].  Callers must pass pf < NPROTO and
   hooknum < NF_MAX_HOOKS: nf_hook_thresh() indexes this array without a
   bounds check. */
extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
/* those NF_LOG_* defines and struct nf_loginfo are legacy definitions that will
 * disappear once iptables is replaced with pkttables. Please DO NOT use them
 * for any new code! */
#define NF_LOG_TCPSEQ		0x01	/* Log TCP sequence numbers */
#define NF_LOG_TCPOPT		0x02	/* Log TCP options */
#define NF_LOG_IPOPT		0x04	/* Log IP options */
#define NF_LOG_UID		0x08	/* Log UID owning local socket */
#define NF_LOG_MASK		0x0f	/* union of the flag bits above */

#define NF_LOG_TYPE_LOG		0x01	/* nf_loginfo.u.log is the valid member */
#define NF_LOG_TYPE_ULOG	0x02	/* nf_loginfo.u.ulog is the valid member */

/* Backend-specific logging parameters.  'type' is the discriminator for the
 * union: a backend must check it before reading u.log or u.ulog. */
struct nf_loginfo {
	u_int8_t type;
	union {
		struct {
			u_int32_t copy_len;
			u_int16_t group;
			u_int16_t qthreshold;
		} ulog;
		struct {
			u_int8_t level;
			u_int8_t logflags;	/* NF_LOG_* bits; should stay within NF_LOG_MASK */
		} log;
	} u;
};

/* Backend log function.  'li' carries the per-call parameters above and
 * 'prefix' is presumably emitted in front of the packet description; both are
 * handed in by nf_log_packet(). */
typedef void nf_logfn(unsigned int pf,
		      unsigned int hooknum,
		      const struct sk_buff *skb,
		      const struct net_device *in,
		      const struct net_device *out,
		      const struct nf_loginfo *li,
		      const char *prefix);

struct nf_logger {
	struct module	*me;
	nf_logfn 	*logfn;
	char		*name;
};
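/* Function to register/unregister log function.  nf_log_register() binds
 * logger to protocol family pf; nf_log_unregister() removes it from every
 * family, nf_log_unregister_pf() clears a single family. */
int nf_log_register(int pf, struct nf_logger *logger);
void nf_log_unregister(struct nf_logger *logger);
void nf_log_unregister_pf(int pf);

/* Calls the registered backend logging function.
 *
 * fmt/... are printf-style and are presumably formatted into the 'prefix'
 * string the backend receives.  fmt must be a format string under the
 * caller's control -- never data taken from the packet or from userspace.
 * The format attribute makes the compiler type-check the arguments and
 * warn about non-literal formats (-Wformat-security). */
void nf_log_packet(int pf,
		   unsigned int hooknum,
		   const struct sk_buff *skb,
		   const struct net_device *in,
		   const struct net_device *out,
		   struct nf_loginfo *li,
		   const char *fmt, ...) __attribute__((format(printf, 7, 8)));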
/* Slow path: walks the hooks registered at nf_hooks[pf][hook] (presumably
 * only those whose priority passes thresh; the comparison lives in the
 * definition).  Returns 1 when the caller should run okfn; any other value
 * means the packet was consumed (dropped, queued or stolen). */
int nf_hook_slow(int pf, unsigned int hook, struct sk_buff **pskb,
		 struct net_device *indev, struct net_device *outdev,
		 int (*okfn)(struct sk_buff *), int thresh);

/**
 * nf_hook_thresh - call a netfilter hook
 * @pf: protocol family, first index into nf_hooks[]
 * @hook: hook number, second index into nf_hooks[]
 * @pskb: the packet, by reference so that a hook may replace it
 * @indev: ingress device
 * @outdev: egress device
 * @okfn: continuation; NOT called here, the caller runs it on a 1 return
 * @thresh: priority threshold handed through to nf_hook_slow()
 * @cond: when zero the hooks are skipped entirely and 1 is returned
 *
 * Returns 1 if the hook has allowed the packet to pass. The function
 * okfn must be invoked by the caller in this case. Any other return
 * value indicates the packet has been consumed by the hook.
 *
 * pf and hook index nf_hooks[] without a range check, so they must be
 * valid (pf < NPROTO, hook < NF_MAX_HOOKS).
 */
static inline int nf_hook_thresh(int pf, unsigned int hook,
				 struct sk_buff **pskb,
				 struct net_device *indev,
				 struct net_device *outdev,
				 int (*okfn)(struct sk_buff *), int thresh,
				 int cond)
{
	int run_hooks = cond;

#ifndef CONFIG_NETFILTER_DEBUG
	/* Fast path: an empty chain has nothing to say about the packet.
	 * (Skipped in the debug build so that nf_hook_slow() always runs.) */
	run_hooks = run_hooks && !list_empty(&nf_hooks[pf][hook]);
#endif
	if (!run_hooks)
		return 1;

	return nf_hook_slow(pf, hook, pskb, indev, outdev, okfn, thresh);
}

/* Unconditional variant with no priority threshold (INT_MIN, presumably
 * "no hook is below the threshold"); same return contract as
 * nf_hook_thresh(). */
static inline int nf_hook(int pf, unsigned int hook, struct sk_buff **pskb,
			  struct net_device *indev, struct net_device *outdev,
			  int (*okfn)(struct sk_buff *))
{
	const int no_thresh = INT_MIN;

	return nf_hook_thresh(pf, hook, pskb, indev, outdev, okfn, no_thresh, 1);
}
/* Activate hook; either okfn or kfree_skb called, unless a hook returns
   NF_STOLEN (in which case, it's up to the hook to deal with the
   consequences).

   Returns -ERRNO if packet dropped.  Zero means queued, stolen or
   accepted.  A zero return therefore does NOT mean the packet has been
   handled synchronously -- it may be sitting in a userspace queue.  Do not
   touch skb after NF_HOOK() returns unless you know okfn ran, and never
   read 0 as "packet was ok".

   skb has its address taken and is evaluated more than once, so it must be
   a plain lvalue, not an expression with side effects.
*/

/* RR: > I don't want nf_hook to return anything because people might forget
   > about async and trust the return value to mean "packet was ok".
   AK: Just document it clearly, then you can expect some sense from kernel
   coders :)
*/

/* This is gross, but inline doesn't cut it for avoiding the function call in
   fast path: gcc doesn't inline (needs value tracking?). --RR */
/* HX: It's slightly less gross now. */
#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh)	       \
({int __ret;								       \
if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, thresh, 1)) == 1)\
	__ret = (okfn)(skb);						       \
__ret;})

/* Like NF_HOOK() but the hooks are only traversed when cond is non-zero;
   with cond == 0 nf_hook_thresh() returns 1 and okfn runs directly. */
#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond)		       \
({int __ret;								       \
if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, INT_MIN, cond)) == 1)\
	__ret = (okfn)(skb);						       \
__ret;})

/* The common case: every hook at (pf, hook), INT_MIN threshold (presumably
   "no priority is excluded"). */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
	NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN)
/* Call setsockopt()/getsockopt() on the nf_sockopt_ops registered for pf
   whose range covers optval (the range lookup itself lives in the core).
   opt is an unchecked userspace pointer (__user) and len is whatever the
   caller passed to the syscall, i.e. both are untrusted; the selected
   handler is responsible for copying and bounding them. */
int nf_setsockopt(struct sock *sk, int pf, int optval, char __user *opt,
		  int len);
int nf_getsockopt(struct sock *sk, int pf, int optval, char __user *opt,
		  int *len);

/* compat entry points (presumably for 32-bit callers on a 64-bit kernel);
   they dispatch to the compat_set/compat_get callbacks with the same
   contract as above. */
int compat_nf_setsockopt(struct sock *sk, int pf, int optval,
			 char __user *opt, int len);
int compat_nf_getsockopt(struct sock *sk, int pf, int optval,
			 char __user *opt, int *len);
/* Packet queuing */

/* Backend that receives NF_QUEUE'd packets.  outfn gets the skb together
   with its nf_info housekeeping (needed later for nf_reinject()) and the
   queue number carried in the verdict's upper bits (see NF_QUEUE_NR());
   data is the handler's private cookie, passed back on every call. */
struct nf_queue_handler {
	int			(*outfn)(struct sk_buff *skb,
					 struct nf_info *info,
					 unsigned int queuenum, void *data);
	void			*data;
	char			*name;
};
extern int nf_register_queue_handler(int pf,
				     struct nf_queue_handler *qh);
extern int nf_unregister_queue_handler(int pf);
/* Remove qh from every protocol family it is registered for. */
extern void nf_unregister_queue_handlers(struct nf_queue_handler *qh);

/* Hand a queued packet back together with its final verdict.  verdict uses
   the same encoding as a hook return value (NF_* in the low NF_VERDICT_MASK
   bits, auxiliary data above) and presumably arrives from userspace via the
   queue handler, so the core must treat it as untrusted and range-check it
   (NF_MAX_VERDICT) before acting on it. */
extern void nf_reinject(struct sk_buff *skb,
			struct nf_info *info,
			unsigned int verdict);

/* FIXME: Before cache is ever used, this must be implemented for real. */
extern void nf_invalidate_cache(int pf);
/* Call this before modifying an existing packet: ensures it is modifiable
   and linear to the point you care about (writable_len).  Returns true or
   false.  On success *pskb may have been replaced by a different buffer
   (presumably why it is passed by reference), so re-derive any pointers into
   the packet data afterwards; on failure the packet must not be written. */
extern int skb_make_writable(struct sk_buff **pskb, unsigned int writable_len);
/* Incrementally update a 16-bit ones-complement checksum after a 32-bit
 * field changed from 'from' to 'to': *sum is unfolded, the complement of the
 * old value and the new value are summed in, and the result is folded back.
 * Operands are in network byte order. */
static inline void nf_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
{
	__be32 diff[] = { ~from, to };

	*sum = csum_fold(csum_partial((char *)diff, sizeof(diff), ~csum_unfold(*sum)));
}

/* 16-bit variant.  Zero-extending both halves to 32 bits is sufficient:
 * the extra all-zero 16-bit word does not change a ones-complement sum. */
static inline void nf_csum_replace2(__sum16 *sum, __be16 from, __be16 to)
{
	nf_csum_replace4(sum, (__force __be32)from, (__force __be32)to);
}

/* Same replacement for a checksum that depends on skb (e.g. a transport
 * checksum).  pseudohdr presumably tells whether the changed field is also
 * part of the pseudo header -- confirm in the definition. */
extern void nf_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
				   __be32 from, __be32 to, int pseudohdr);

/* 16-bit variant of nf_proto_csum_replace4(); see nf_csum_replace2() for why
 * zero-extension is enough. */
static inline void nf_proto_csum_replace2(__sum16 *sum, struct sk_buff *skb,
					  __be16 from, __be16 to, int pseudohdr)
{
	nf_proto_csum_replace4(sum, skb, (__force __be32)from, (__force __be32)to, pseudohdr);
}
/* Per-address-family helpers the core dispatches to (see nf_get_afinfo()). */
struct nf_afinfo {
	unsigned short	family;
	/* Checksum over the data of 'protocol' starting at 'dataoff'; what the
	 * returned value means (0 == valid?) is defined by the implementation. */
	__sum16		(*checksum)(struct sk_buff *skb, unsigned int hook,
				    unsigned int dataoff, u_int8_t protocol);
	/* Save/restore routing state around queuing to userspace.  saveroute
	 * stores its data directly behind the nf_info (see nf_info_reroute()),
	 * presumably route_key_size bytes of it. */
	void		(*saveroute)(const struct sk_buff *skb,
				     struct nf_info *info);
	int		(*reroute)(struct sk_buff **skb,
				   const struct nf_info *info);
	int		route_key_size;
};
bce8032ef [NETFILTER]: Intr... |
311 312 313 314 315 |
extern struct nf_afinfo *nf_afinfo[];

/* RCU-protected lookup of the per-family ops; NULL when none is registered
 * (nf_checksum() below tests for that).  The caller must hold
 * rcu_read_lock().  family is used as an array index without a bounds check,
 * so it must be a valid protocol family (presumably < NPROTO -- confirm
 * against the definition of nf_afinfo[]). */
static inline struct nf_afinfo *nf_get_afinfo(unsigned short family)
{
	return rcu_dereference(nf_afinfo[family]);
}
/* Checksum 'protocol' data starting at 'dataoff' via the per-family
 * checksum() op, taking the RCU read lock around the lookup and the call.
 *
 * NOTE(review): when no nf_afinfo is registered for family the result is 0.
 * If callers take 0 to mean "checksum OK", that fails open for an unknown
 * family -- confirm how callers interpret the return value. */
static inline __sum16
nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff,
	    u_int8_t protocol, unsigned short family)
{
	__sum16 result = 0;
	struct nf_afinfo *af;

	rcu_read_lock();
	af = nf_get_afinfo(family);
	if (af != NULL)
		result = af->checksum(skb, hook, dataoff, protocol);
	rcu_read_unlock();

	return result;
}
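/* Register/unregister the per-family ops looked up by nf_get_afinfo(). */
extern int nf_register_afinfo(struct nf_afinfo *afinfo);
extern void nf_unregister_afinfo(struct nf_afinfo *afinfo);

/* Address of the per-family route data that saveroute() keeps directly behind
 * a struct nf_info (presumably route_key_size bytes; confirm against the
 * nf_afinfo users).  x is parenthesised so that the cast applies to the whole
 * argument expression rather than only to its first operand. */
#define nf_info_reroute(x) ((void *)(x) + sizeof(struct nf_info))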
#include <net/flow.h>

/* Presumably assigned by the IPv4 NAT code when it is present and NULL
 * otherwise; always test before calling. */
extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);

/* Let NAT adjust the flow key 'fl' for 'skb'.  Only IPv4 is handled; for
 * any other family, or when no NAT decoder is installed, fl is untouched.
 * Compiled to nothing unless a NAT option that needs it is configured. */
static inline void nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family)
{
#if defined(CONFIG_IP_NF_NAT_NEEDED) || defined(CONFIG_NF_NAT_NEEDED)
	void (*decode)(struct sk_buff *, struct flowi *);

	if (family != AF_INET)
		return;
	/* Snapshot the pointer so the NULL test and the call see the same
	 * value (presumably guards against the NAT module going away). */
	decode = ip_nat_decode_session;
	if (decode)
		decode(skb, fl);
#endif
}
#ifdef CONFIG_PROC_FS
#include <linux/proc_fs.h>
/* Parent procfs directory for netfilter's entries (by name /proc/net/netfilter;
 * confirm where it is created). */
extern struct proc_dir_entry *proc_net_netfilter;
#endif
#else /* !CONFIG_NETFILTER */
/* Netfilter compiled out: the hook macros collapse to calling okfn directly. */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)

/* NOTE(review): this stub calls okfn itself and returns okfn's result,
   whereas the CONFIG_NETFILTER variant returns 1 and expects the CALLER to
   run okfn (nf_hook() below follows that convention and returns 1).  A
   caller written against the "== 1 means call okfn" contract would run okfn
   twice here whenever okfn happens to return 1.  Confirm against the direct
   callers of nf_hook_thresh(). */
static inline int nf_hook_thresh(int pf, unsigned int hook,
				 struct sk_buff **pskb,
				 struct net_device *indev,
				 struct net_device *outdev,
				 int (*okfn)(struct sk_buff *), int thresh,
				 int cond)
{
	return okfn(*pskb);
}

/* Always "passed": the caller is expected to invoke okfn itself. */
static inline int nf_hook(int pf, unsigned int hook, struct sk_buff **pskb,
			  struct net_device *indev, struct net_device *outdev,
			  int (*okfn)(struct sk_buff *))
{
	return 1;
}

struct flowi;
/* No NAT without netfilter: the flow key is left untouched. */
static inline void nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family)
{
}
#endif /*CONFIG_NETFILTER*/
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
/* Conntrack entry points.  ip_ct_attach and nf_ct_destroy are function
   pointers, presumably filled in by the conntrack code when it is loaded and
   NULL otherwise; callers should go through nf_ct_attach(), which is the
   function that is expected to cope with the unloaded case (confirm in its
   definition). */
extern void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *);
extern void nf_ct_attach(struct sk_buff *, struct sk_buff *);
extern void (*nf_ct_destroy)(struct nf_conntrack *);
#else
/* Conntrack compiled out: nothing to attach. */
static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
#endif
#endif /*__KERNEL__*/ #endif /*__LINUX_NETFILTER_H*/ |