/include/linux/netfilter/x_tables.h

https://bitbucket.org/cyanogenmod/android_kernel_asus_tf300t · C Header · 622 lines · 377 code · 95 blank · 150 comment · 14 complexity · 14ede46ebac3623ec6220067998ab9b3 MD5 · raw file

  1. #ifndef _X_TABLES_H
  2. #define _X_TABLES_H
  3. #include <linux/kernel.h>
  4. #include <linux/types.h>
  5. #define XT_FUNCTION_MAXNAMELEN 30
  6. #define XT_EXTENSION_MAXNAMELEN 29
  7. #define XT_TABLE_MAXNAMELEN 32
  8. struct xt_entry_match {
  9. union {
  10. struct {
  11. __u16 match_size;
  12. /* Used by userspace */
  13. char name[XT_EXTENSION_MAXNAMELEN];
  14. __u8 revision;
  15. } user;
  16. struct {
  17. __u16 match_size;
  18. /* Used inside the kernel */
  19. struct xt_match *match;
  20. } kernel;
  21. /* Total length */
  22. __u16 match_size;
  23. } u;
  24. unsigned char data[0];
  25. };
  26. struct xt_entry_target {
  27. union {
  28. struct {
  29. __u16 target_size;
  30. /* Used by userspace */
  31. char name[XT_EXTENSION_MAXNAMELEN];
  32. __u8 revision;
  33. } user;
  34. struct {
  35. __u16 target_size;
  36. /* Used inside the kernel */
  37. struct xt_target *target;
  38. } kernel;
  39. /* Total length */
  40. __u16 target_size;
  41. } u;
  42. unsigned char data[0];
  43. };
  44. #define XT_TARGET_INIT(__name, __size) \
  45. { \
  46. .target.u.user = { \
  47. .target_size = XT_ALIGN(__size), \
  48. .name = __name, \
  49. }, \
  50. }
  51. struct xt_standard_target {
  52. struct xt_entry_target target;
  53. int verdict;
  54. };
  55. struct xt_error_target {
  56. struct xt_entry_target target;
  57. char errorname[XT_FUNCTION_MAXNAMELEN];
  58. };
  59. /* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
  60. * kernel supports, if >= revision. */
  61. struct xt_get_revision {
  62. char name[XT_EXTENSION_MAXNAMELEN];
  63. __u8 revision;
  64. };
  65. /* CONTINUE verdict for targets */
  66. #define XT_CONTINUE 0xFFFFFFFF
  67. /* For standard target */
  68. #define XT_RETURN (-NF_REPEAT - 1)
  69. /* this is a dummy structure to find out the alignment requirement for a struct
  70. * containing all the fundamental data types that are used in ipt_entry,
  71. * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my
  72. * personal pleasure to remove it -HW
  73. */
  74. struct _xt_align {
  75. __u8 u8;
  76. __u16 u16;
  77. __u32 u32;
  78. __u64 u64;
  79. };
  80. #define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
  81. /* Standard return verdict, or do jump. */
  82. #define XT_STANDARD_TARGET ""
  83. /* Error verdict. */
  84. #define XT_ERROR_TARGET "ERROR"
  85. #define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
  86. #define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
  87. struct xt_counters {
  88. __u64 pcnt, bcnt; /* Packet and byte counters */
  89. };
  90. /* The argument to IPT_SO_ADD_COUNTERS. */
  91. struct xt_counters_info {
  92. /* Which table. */
  93. char name[XT_TABLE_MAXNAMELEN];
  94. unsigned int num_counters;
  95. /* The counters (actually `number' of these). */
  96. struct xt_counters counters[0];
  97. };
  98. #define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
  99. #ifndef __KERNEL__
  100. /* fn returns 0 to continue iteration */
  101. #define XT_MATCH_ITERATE(type, e, fn, args...) \
  102. ({ \
  103. unsigned int __i; \
  104. int __ret = 0; \
  105. struct xt_entry_match *__m; \
  106. \
  107. for (__i = sizeof(type); \
  108. __i < (e)->target_offset; \
  109. __i += __m->u.match_size) { \
  110. __m = (void *)e + __i; \
  111. \
  112. __ret = fn(__m , ## args); \
  113. if (__ret != 0) \
  114. break; \
  115. } \
  116. __ret; \
  117. })
  118. /* fn returns 0 to continue iteration */
  119. #define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
  120. ({ \
  121. unsigned int __i, __n; \
  122. int __ret = 0; \
  123. type *__entry; \
  124. \
  125. for (__i = 0, __n = 0; __i < (size); \
  126. __i += __entry->next_offset, __n++) { \
  127. __entry = (void *)(entries) + __i; \
  128. if (__n < n) \
  129. continue; \
  130. \
  131. __ret = fn(__entry , ## args); \
  132. if (__ret != 0) \
  133. break; \
  134. } \
  135. __ret; \
  136. })
  137. /* fn returns 0 to continue iteration */
  138. #define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
  139. XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
  140. #endif /* !__KERNEL__ */
  141. /* pos is normally a struct ipt_entry/ip6t_entry/etc. */
  142. #define xt_entry_foreach(pos, ehead, esize) \
  143. for ((pos) = (typeof(pos))(ehead); \
  144. (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
  145. (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
  146. /* can only be xt_entry_match, so no use of typeof here */
  147. #define xt_ematch_foreach(pos, entry) \
  148. for ((pos) = (struct xt_entry_match *)entry->elems; \
  149. (pos) < (struct xt_entry_match *)((char *)(entry) + \
  150. (entry)->target_offset); \
  151. (pos) = (struct xt_entry_match *)((char *)(pos) + \
  152. (pos)->u.match_size))
  153. #ifdef __KERNEL__
  154. #include <linux/netdevice.h>
  155. /**
  156. * struct xt_action_param - parameters for matches/targets
  157. *
  158. * @match: the match extension
  159. * @target: the target extension
  160. * @matchinfo: per-match data
  161. * @targetinfo: per-target data
  162. * @in: input netdevice
  163. * @out: output netdevice
  164. * @fragoff: packet is a fragment, this is the data offset
  165. * @thoff: position of transport header relative to skb->data
  166. * @hook: hook number given packet came from
  167. * @family: Actual NFPROTO_* through which the function is invoked
  168. * (helpful when match->family == NFPROTO_UNSPEC)
  169. *
  170. * Fields written to by extensions:
  171. *
  172. * @hotdrop: drop packet if we had inspection problems
  173. * Network namespace obtainable using dev_net(in/out)
  174. */
  175. struct xt_action_param {
  176. union {
  177. const struct xt_match *match;
  178. const struct xt_target *target;
  179. };
  180. union {
  181. const void *matchinfo, *targinfo;
  182. };
  183. const struct net_device *in, *out;
  184. int fragoff;
  185. unsigned int thoff;
  186. unsigned int hooknum;
  187. u_int8_t family;
  188. bool hotdrop;
  189. };
  190. /**
  191. * struct xt_mtchk_param - parameters for match extensions'
  192. * checkentry functions
  193. *
  194. * @net: network namespace through which the check was invoked
  195. * @table: table the rule is tried to be inserted into
  196. * @entryinfo: the family-specific rule data
  197. * (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
  198. * @match: struct xt_match through which this function was invoked
  199. * @matchinfo: per-match data
  200. * @hook_mask: via which hooks the new rule is reachable
  201. * Other fields as above.
  202. */
  203. struct xt_mtchk_param {
  204. struct net *net;
  205. const char *table;
  206. const void *entryinfo;
  207. const struct xt_match *match;
  208. void *matchinfo;
  209. unsigned int hook_mask;
  210. u_int8_t family;
  211. };
  212. /**
  213. * struct xt_mdtor_param - match destructor parameters
  214. * Fields as above.
  215. */
  216. struct xt_mtdtor_param {
  217. struct net *net;
  218. const struct xt_match *match;
  219. void *matchinfo;
  220. u_int8_t family;
  221. };
  222. /**
  223. * struct xt_tgchk_param - parameters for target extensions'
  224. * checkentry functions
  225. *
  226. * @entryinfo: the family-specific rule data
  227. * (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
  228. *
  229. * Other fields see above.
  230. */
  231. struct xt_tgchk_param {
  232. struct net *net;
  233. const char *table;
  234. const void *entryinfo;
  235. const struct xt_target *target;
  236. void *targinfo;
  237. unsigned int hook_mask;
  238. u_int8_t family;
  239. };
  240. /* Target destructor parameters */
  241. struct xt_tgdtor_param {
  242. struct net *net;
  243. const struct xt_target *target;
  244. void *targinfo;
  245. u_int8_t family;
  246. };
  247. struct xt_match {
  248. struct list_head list;
  249. const char name[XT_EXTENSION_MAXNAMELEN];
  250. u_int8_t revision;
  251. /* Return true or false: return FALSE and set *hotdrop = 1 to
  252. force immediate packet drop. */
  253. /* Arguments changed since 2.6.9, as this must now handle
  254. non-linear skb, using skb_header_pointer and
  255. skb_ip_make_writable. */
  256. bool (*match)(const struct sk_buff *skb,
  257. struct xt_action_param *);
  258. /* Called when user tries to insert an entry of this type. */
  259. int (*checkentry)(const struct xt_mtchk_param *);
  260. /* Called when entry of this type deleted. */
  261. void (*destroy)(const struct xt_mtdtor_param *);
  262. #ifdef CONFIG_COMPAT
  263. /* Called when userspace align differs from kernel space one */
  264. void (*compat_from_user)(void *dst, const void *src);
  265. int (*compat_to_user)(void __user *dst, const void *src);
  266. #endif
  267. /* Set this to THIS_MODULE if you are a module, otherwise NULL */
  268. struct module *me;
  269. const char *table;
  270. unsigned int matchsize;
  271. #ifdef CONFIG_COMPAT
  272. unsigned int compatsize;
  273. #endif
  274. unsigned int hooks;
  275. unsigned short proto;
  276. unsigned short family;
  277. };
  278. /* Registration hooks for targets. */
  279. struct xt_target {
  280. struct list_head list;
  281. const char name[XT_EXTENSION_MAXNAMELEN];
  282. u_int8_t revision;
  283. /* Returns verdict. Argument order changed since 2.6.9, as this
  284. must now handle non-linear skbs, using skb_copy_bits and
  285. skb_ip_make_writable. */
  286. unsigned int (*target)(struct sk_buff *skb,
  287. const struct xt_action_param *);
  288. /* Called when user tries to insert an entry of this type:
  289. hook_mask is a bitmask of hooks from which it can be
  290. called. */
  291. /* Should return 0 on success or an error code otherwise (-Exxxx). */
  292. int (*checkentry)(const struct xt_tgchk_param *);
  293. /* Called when entry of this type deleted. */
  294. void (*destroy)(const struct xt_tgdtor_param *);
  295. #ifdef CONFIG_COMPAT
  296. /* Called when userspace align differs from kernel space one */
  297. void (*compat_from_user)(void *dst, const void *src);
  298. int (*compat_to_user)(void __user *dst, const void *src);
  299. #endif
  300. /* Set this to THIS_MODULE if you are a module, otherwise NULL */
  301. struct module *me;
  302. const char *table;
  303. unsigned int targetsize;
  304. #ifdef CONFIG_COMPAT
  305. unsigned int compatsize;
  306. #endif
  307. unsigned int hooks;
  308. unsigned short proto;
  309. unsigned short family;
  310. };
  311. /* Furniture shopping... */
  312. struct xt_table {
  313. struct list_head list;
  314. /* What hooks you will enter on */
  315. unsigned int valid_hooks;
  316. /* Man behind the curtain... */
  317. struct xt_table_info *private;
  318. /* Set this to THIS_MODULE if you are a module, otherwise NULL */
  319. struct module *me;
  320. u_int8_t af; /* address/protocol family */
  321. int priority; /* hook order */
  322. /* A unique name... */
  323. const char name[XT_TABLE_MAXNAMELEN];
  324. };
  325. #include <linux/netfilter_ipv4.h>
  326. /* The table itself */
  327. struct xt_table_info {
  328. /* Size per table */
  329. unsigned int size;
  330. /* Number of entries: FIXME. --RR */
  331. unsigned int number;
  332. /* Initial number of entries. Needed for module usage count */
  333. unsigned int initial_entries;
  334. /* Entry points and underflows */
  335. unsigned int hook_entry[NF_INET_NUMHOOKS];
  336. unsigned int underflow[NF_INET_NUMHOOKS];
  337. /*
  338. * Number of user chains. Since tables cannot have loops, at most
  339. * @stacksize jumps (number of user chains) can possibly be made.
  340. */
  341. unsigned int stacksize;
  342. unsigned int __percpu *stackptr;
  343. void ***jumpstack;
  344. /* ipt_entry tables: one per CPU */
  345. /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
  346. void *entries[1];
  347. };
  348. #define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
  349. + nr_cpu_ids * sizeof(char *))
  350. extern int xt_register_target(struct xt_target *target);
  351. extern void xt_unregister_target(struct xt_target *target);
  352. extern int xt_register_targets(struct xt_target *target, unsigned int n);
  353. extern void xt_unregister_targets(struct xt_target *target, unsigned int n);
  354. extern int xt_register_match(struct xt_match *target);
  355. extern void xt_unregister_match(struct xt_match *target);
  356. extern int xt_register_matches(struct xt_match *match, unsigned int n);
  357. extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
  358. extern int xt_check_match(struct xt_mtchk_param *,
  359. unsigned int size, u_int8_t proto, bool inv_proto);
  360. extern int xt_check_target(struct xt_tgchk_param *,
  361. unsigned int size, u_int8_t proto, bool inv_proto);
  362. extern struct xt_table *xt_register_table(struct net *net,
  363. const struct xt_table *table,
  364. struct xt_table_info *bootstrap,
  365. struct xt_table_info *newinfo);
  366. extern void *xt_unregister_table(struct xt_table *table);
  367. extern struct xt_table_info *xt_replace_table(struct xt_table *table,
  368. unsigned int num_counters,
  369. struct xt_table_info *newinfo,
  370. int *error);
  371. extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
  372. extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
  373. extern struct xt_match *xt_request_find_match(u8 af, const char *name,
  374. u8 revision);
  375. extern struct xt_target *xt_request_find_target(u8 af, const char *name,
  376. u8 revision);
  377. extern int xt_find_revision(u8 af, const char *name, u8 revision,
  378. int target, int *err);
  379. extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
  380. const char *name);
  381. extern void xt_table_unlock(struct xt_table *t);
  382. extern int xt_proto_init(struct net *net, u_int8_t af);
  383. extern void xt_proto_fini(struct net *net, u_int8_t af);
  384. extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
  385. extern void xt_free_table_info(struct xt_table_info *info);
  386. /**
  387. * xt_recseq - recursive seqcount for netfilter use
  388. *
  389. * Packet processing changes the seqcount only if no recursion happened
  390. * get_counters() can use read_seqcount_begin()/read_seqcount_retry(),
  391. * because we use the normal seqcount convention :
  392. * Low order bit set to 1 if a writer is active.
  393. */
  394. DECLARE_PER_CPU(seqcount_t, xt_recseq);
  395. /**
  396. * xt_write_recseq_begin - start of a write section
  397. *
  398. * Begin packet processing : all readers must wait the end
  399. * 1) Must be called with preemption disabled
  400. * 2) softirqs must be disabled too (or we should use irqsafe_cpu_add())
  401. * Returns :
  402. * 1 if no recursion on this cpu
  403. * 0 if recursion detected
  404. */
  405. static inline unsigned int xt_write_recseq_begin(void)
  406. {
  407. unsigned int addend;
  408. /*
  409. * Low order bit of sequence is set if we already
  410. * called xt_write_recseq_begin().
  411. */
  412. addend = (__this_cpu_read(xt_recseq.sequence) + 1) & 1;
  413. /*
  414. * This is kind of a write_seqcount_begin(), but addend is 0 or 1
  415. * We dont check addend value to avoid a test and conditional jump,
  416. * since addend is most likely 1
  417. */
  418. __this_cpu_add(xt_recseq.sequence, addend);
  419. smp_wmb();
  420. return addend;
  421. }
  422. /**
  423. * xt_write_recseq_end - end of a write section
  424. * @addend: return value from previous xt_write_recseq_begin()
  425. *
  426. * End packet processing : all readers can proceed
  427. * 1) Must be called with preemption disabled
  428. * 2) softirqs must be disabled too (or we should use irqsafe_cpu_add())
  429. */
  430. static inline void xt_write_recseq_end(unsigned int addend)
  431. {
  432. /* this is kind of a write_seqcount_end(), but addend is 0 or 1 */
  433. smp_wmb();
  434. __this_cpu_add(xt_recseq.sequence, addend);
  435. }
  436. /*
  437. * This helper is performance critical and must be inlined
  438. */
  439. static inline unsigned long ifname_compare_aligned(const char *_a,
  440. const char *_b,
  441. const char *_mask)
  442. {
  443. const unsigned long *a = (const unsigned long *)_a;
  444. const unsigned long *b = (const unsigned long *)_b;
  445. const unsigned long *mask = (const unsigned long *)_mask;
  446. unsigned long ret;
  447. ret = (a[0] ^ b[0]) & mask[0];
  448. if (IFNAMSIZ > sizeof(unsigned long))
  449. ret |= (a[1] ^ b[1]) & mask[1];
  450. if (IFNAMSIZ > 2 * sizeof(unsigned long))
  451. ret |= (a[2] ^ b[2]) & mask[2];
  452. if (IFNAMSIZ > 3 * sizeof(unsigned long))
  453. ret |= (a[3] ^ b[3]) & mask[3];
  454. BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
  455. return ret;
  456. }
  457. extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
  458. extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
  459. #ifdef CONFIG_COMPAT
  460. #include <net/compat.h>
  461. struct compat_xt_entry_match {
  462. union {
  463. struct {
  464. u_int16_t match_size;
  465. char name[XT_FUNCTION_MAXNAMELEN - 1];
  466. u_int8_t revision;
  467. } user;
  468. struct {
  469. u_int16_t match_size;
  470. compat_uptr_t match;
  471. } kernel;
  472. u_int16_t match_size;
  473. } u;
  474. unsigned char data[0];
  475. };
  476. struct compat_xt_entry_target {
  477. union {
  478. struct {
  479. u_int16_t target_size;
  480. char name[XT_FUNCTION_MAXNAMELEN - 1];
  481. u_int8_t revision;
  482. } user;
  483. struct {
  484. u_int16_t target_size;
  485. compat_uptr_t target;
  486. } kernel;
  487. u_int16_t target_size;
  488. } u;
  489. unsigned char data[0];
  490. };
  491. /* FIXME: this works only on 32 bit tasks
  492. * need to change whole approach in order to calculate align as function of
  493. * current task alignment */
  494. struct compat_xt_counters {
  495. compat_u64 pcnt, bcnt; /* Packet and byte counters */
  496. };
  497. struct compat_xt_counters_info {
  498. char name[XT_TABLE_MAXNAMELEN];
  499. compat_uint_t num_counters;
  500. struct compat_xt_counters counters[0];
  501. };
  502. struct _compat_xt_align {
  503. __u8 u8;
  504. __u16 u16;
  505. __u32 u32;
  506. compat_u64 u64;
  507. };
  508. #define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
  509. extern void xt_compat_lock(u_int8_t af);
  510. extern void xt_compat_unlock(u_int8_t af);
  511. extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta);
  512. extern void xt_compat_flush_offsets(u_int8_t af);
  513. extern void xt_compat_init_offsets(u_int8_t af, unsigned int number);
  514. extern int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
  515. extern int xt_compat_match_offset(const struct xt_match *match);
  516. extern int xt_compat_match_from_user(struct xt_entry_match *m,
  517. void **dstptr, unsigned int *size);
  518. extern int xt_compat_match_to_user(const struct xt_entry_match *m,
  519. void __user **dstptr, unsigned int *size);
  520. extern int xt_compat_target_offset(const struct xt_target *target);
  521. extern void xt_compat_target_from_user(struct xt_entry_target *t,
  522. void **dstptr, unsigned int *size);
  523. extern int xt_compat_target_to_user(const struct xt_entry_target *t,
  524. void __user **dstptr, unsigned int *size);
  525. #endif /* CONFIG_COMPAT */
  526. #endif /* __KERNEL__ */
  527. #endif /* _X_TABLES_H */