PageRenderTime 41ms CodeModel.GetById 19ms app.highlight 18ms RepoModel.GetById 0ms app.codeStats 0ms

/include/linux/netfilter/x_tables.h

https://bitbucket.org/cyanogenmod/android_kernel_asus_tf300t
C Header | 622 lines | 377 code | 95 blank | 150 comment | 12 complexity | 14ede46ebac3623ec6220067998ab9b3 MD5 | raw file
Possible License(s): LGPL-2.0, AGPL-1.0, GPL-2.0
  1#ifndef _X_TABLES_H
  2#define _X_TABLES_H
  3#include <linux/kernel.h>
  4#include <linux/types.h>
  5
  6#define XT_FUNCTION_MAXNAMELEN 30
  7#define XT_EXTENSION_MAXNAMELEN 29
  8#define XT_TABLE_MAXNAMELEN 32
  9
 10struct xt_entry_match {
 11	union {
 12		struct {
 13			__u16 match_size;
 14
 15			/* Used by userspace */
 16			char name[XT_EXTENSION_MAXNAMELEN];
 17			__u8 revision;
 18		} user;
 19		struct {
 20			__u16 match_size;
 21
 22			/* Used inside the kernel */
 23			struct xt_match *match;
 24		} kernel;
 25
 26		/* Total length */
 27		__u16 match_size;
 28	} u;
 29
 30	unsigned char data[0];
 31};
 32
 33struct xt_entry_target {
 34	union {
 35		struct {
 36			__u16 target_size;
 37
 38			/* Used by userspace */
 39			char name[XT_EXTENSION_MAXNAMELEN];
 40			__u8 revision;
 41		} user;
 42		struct {
 43			__u16 target_size;
 44
 45			/* Used inside the kernel */
 46			struct xt_target *target;
 47		} kernel;
 48
 49		/* Total length */
 50		__u16 target_size;
 51	} u;
 52
 53	unsigned char data[0];
 54};
 55
 56#define XT_TARGET_INIT(__name, __size)					       \
 57{									       \
 58	.target.u.user = {						       \
 59		.target_size	= XT_ALIGN(__size),			       \
 60		.name		= __name,				       \
 61	},								       \
 62}
 63
 64struct xt_standard_target {
 65	struct xt_entry_target target;
 66	int verdict;
 67};
 68
 69struct xt_error_target {
 70	struct xt_entry_target target;
 71	char errorname[XT_FUNCTION_MAXNAMELEN];
 72};
 73
 74/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
 75 * kernel supports, if >= revision. */
 76struct xt_get_revision {
 77	char name[XT_EXTENSION_MAXNAMELEN];
 78	__u8 revision;
 79};
 80
 81/* CONTINUE verdict for targets */
 82#define XT_CONTINUE 0xFFFFFFFF
 83
 84/* For standard target */
 85#define XT_RETURN (-NF_REPEAT - 1)
 86
 87/* this is a dummy structure to find out the alignment requirement for a struct
 88 * containing all the fundamental data types that are used in ipt_entry,
 89 * ip6t_entry and arpt_entry.  This sucks, and it is a hack.  It will be my
 90 * personal pleasure to remove it -HW
 91 */
 92struct _xt_align {
 93	__u8 u8;
 94	__u16 u16;
 95	__u32 u32;
 96	__u64 u64;
 97};
 98
 99#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
100
101/* Standard return verdict, or do jump. */
102#define XT_STANDARD_TARGET ""
103/* Error verdict. */
104#define XT_ERROR_TARGET "ERROR"
105
106#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
107#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
108
109struct xt_counters {
110	__u64 pcnt, bcnt;			/* Packet and byte counters */
111};
112
113/* The argument to IPT_SO_ADD_COUNTERS. */
114struct xt_counters_info {
115	/* Which table. */
116	char name[XT_TABLE_MAXNAMELEN];
117
118	unsigned int num_counters;
119
120	/* The counters (actually `number' of these). */
121	struct xt_counters counters[0];
122};
123
124#define XT_INV_PROTO		0x40	/* Invert the sense of PROTO. */
125
126#ifndef __KERNEL__
127/* fn returns 0 to continue iteration */
128#define XT_MATCH_ITERATE(type, e, fn, args...)			\
129({								\
130	unsigned int __i;					\
131	int __ret = 0;						\
132	struct xt_entry_match *__m;				\
133								\
134	for (__i = sizeof(type);				\
135	     __i < (e)->target_offset;				\
136	     __i += __m->u.match_size) {			\
137		__m = (void *)e + __i;				\
138								\
139		__ret = fn(__m , ## args);			\
140		if (__ret != 0)					\
141			break;					\
142	}							\
143	__ret;							\
144})
145
146/* fn returns 0 to continue iteration */
147#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
148({								\
149	unsigned int __i, __n;					\
150	int __ret = 0;						\
151	type *__entry;						\
152								\
153	for (__i = 0, __n = 0; __i < (size);			\
154	     __i += __entry->next_offset, __n++) { 		\
155		__entry = (void *)(entries) + __i;		\
156		if (__n < n)					\
157			continue;				\
158								\
159		__ret = fn(__entry , ## args);			\
160		if (__ret != 0)					\
161			break;					\
162	}							\
163	__ret;							\
164})
165
166/* fn returns 0 to continue iteration */
167#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
168	XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
169
170#endif /* !__KERNEL__ */
171
172/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
173#define xt_entry_foreach(pos, ehead, esize) \
174	for ((pos) = (typeof(pos))(ehead); \
175	     (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
176	     (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
177
178/* can only be xt_entry_match, so no use of typeof here */
179#define xt_ematch_foreach(pos, entry) \
180	for ((pos) = (struct xt_entry_match *)entry->elems; \
181	     (pos) < (struct xt_entry_match *)((char *)(entry) + \
182	             (entry)->target_offset); \
183	     (pos) = (struct xt_entry_match *)((char *)(pos) + \
184	             (pos)->u.match_size))
185
186#ifdef __KERNEL__
187
188#include <linux/netdevice.h>
189
190/**
191 * struct xt_action_param - parameters for matches/targets
192 *
193 * @match:	the match extension
194 * @target:	the target extension
195 * @matchinfo:	per-match data
196 * @targetinfo:	per-target data
197 * @in:		input netdevice
198 * @out:	output netdevice
199 * @fragoff:	packet is a fragment, this is the data offset
200 * @thoff:	position of transport header relative to skb->data
201 * @hook:	hook number given packet came from
202 * @family:	Actual NFPROTO_* through which the function is invoked
203 * 		(helpful when match->family == NFPROTO_UNSPEC)
204 *
205 * Fields written to by extensions:
206 *
207 * @hotdrop:	drop packet if we had inspection problems
208 * Network namespace obtainable using dev_net(in/out)
209 */
210struct xt_action_param {
211	union {
212		const struct xt_match *match;
213		const struct xt_target *target;
214	};
215	union {
216		const void *matchinfo, *targinfo;
217	};
218	const struct net_device *in, *out;
219	int fragoff;
220	unsigned int thoff;
221	unsigned int hooknum;
222	u_int8_t family;
223	bool hotdrop;
224};
225
226/**
227 * struct xt_mtchk_param - parameters for match extensions'
228 * checkentry functions
229 *
230 * @net:	network namespace through which the check was invoked
231 * @table:	table the rule is tried to be inserted into
232 * @entryinfo:	the family-specific rule data
233 * 		(struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
234 * @match:	struct xt_match through which this function was invoked
235 * @matchinfo:	per-match data
236 * @hook_mask:	via which hooks the new rule is reachable
237 * Other fields as above.
238 */
239struct xt_mtchk_param {
240	struct net *net;
241	const char *table;
242	const void *entryinfo;
243	const struct xt_match *match;
244	void *matchinfo;
245	unsigned int hook_mask;
246	u_int8_t family;
247};
248
249/**
250 * struct xt_mdtor_param - match destructor parameters
251 * Fields as above.
252 */
253struct xt_mtdtor_param {
254	struct net *net;
255	const struct xt_match *match;
256	void *matchinfo;
257	u_int8_t family;
258};
259
260/**
261 * struct xt_tgchk_param - parameters for target extensions'
262 * checkentry functions
263 *
264 * @entryinfo:	the family-specific rule data
265 * 		(struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
266 *
267 * Other fields see above.
268 */
269struct xt_tgchk_param {
270	struct net *net;
271	const char *table;
272	const void *entryinfo;
273	const struct xt_target *target;
274	void *targinfo;
275	unsigned int hook_mask;
276	u_int8_t family;
277};
278
279/* Target destructor parameters */
280struct xt_tgdtor_param {
281	struct net *net;
282	const struct xt_target *target;
283	void *targinfo;
284	u_int8_t family;
285};
286
287struct xt_match {
288	struct list_head list;
289
290	const char name[XT_EXTENSION_MAXNAMELEN];
291	u_int8_t revision;
292
293	/* Return true or false: return FALSE and set *hotdrop = 1 to
294           force immediate packet drop. */
295	/* Arguments changed since 2.6.9, as this must now handle
296	   non-linear skb, using skb_header_pointer and
297	   skb_ip_make_writable. */
298	bool (*match)(const struct sk_buff *skb,
299		      struct xt_action_param *);
300
301	/* Called when user tries to insert an entry of this type. */
302	int (*checkentry)(const struct xt_mtchk_param *);
303
304	/* Called when entry of this type deleted. */
305	void (*destroy)(const struct xt_mtdtor_param *);
306#ifdef CONFIG_COMPAT
307	/* Called when userspace align differs from kernel space one */
308	void (*compat_from_user)(void *dst, const void *src);
309	int (*compat_to_user)(void __user *dst, const void *src);
310#endif
311	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
312	struct module *me;
313
314	const char *table;
315	unsigned int matchsize;
316#ifdef CONFIG_COMPAT
317	unsigned int compatsize;
318#endif
319	unsigned int hooks;
320	unsigned short proto;
321
322	unsigned short family;
323};
324
325/* Registration hooks for targets. */
326struct xt_target {
327	struct list_head list;
328
329	const char name[XT_EXTENSION_MAXNAMELEN];
330	u_int8_t revision;
331
332	/* Returns verdict. Argument order changed since 2.6.9, as this
333	   must now handle non-linear skbs, using skb_copy_bits and
334	   skb_ip_make_writable. */
335	unsigned int (*target)(struct sk_buff *skb,
336			       const struct xt_action_param *);
337
338	/* Called when user tries to insert an entry of this type:
339           hook_mask is a bitmask of hooks from which it can be
340           called. */
341	/* Should return 0 on success or an error code otherwise (-Exxxx). */
342	int (*checkentry)(const struct xt_tgchk_param *);
343
344	/* Called when entry of this type deleted. */
345	void (*destroy)(const struct xt_tgdtor_param *);
346#ifdef CONFIG_COMPAT
347	/* Called when userspace align differs from kernel space one */
348	void (*compat_from_user)(void *dst, const void *src);
349	int (*compat_to_user)(void __user *dst, const void *src);
350#endif
351	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
352	struct module *me;
353
354	const char *table;
355	unsigned int targetsize;
356#ifdef CONFIG_COMPAT
357	unsigned int compatsize;
358#endif
359	unsigned int hooks;
360	unsigned short proto;
361
362	unsigned short family;
363};
364
365/* Furniture shopping... */
366struct xt_table {
367	struct list_head list;
368
369	/* What hooks you will enter on */
370	unsigned int valid_hooks;
371
372	/* Man behind the curtain... */
373	struct xt_table_info *private;
374
375	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
376	struct module *me;
377
378	u_int8_t af;		/* address/protocol family */
379	int priority;		/* hook order */
380
381	/* A unique name... */
382	const char name[XT_TABLE_MAXNAMELEN];
383};
384
385#include <linux/netfilter_ipv4.h>
386
387/* The table itself */
388struct xt_table_info {
389	/* Size per table */
390	unsigned int size;
391	/* Number of entries: FIXME. --RR */
392	unsigned int number;
393	/* Initial number of entries. Needed for module usage count */
394	unsigned int initial_entries;
395
396	/* Entry points and underflows */
397	unsigned int hook_entry[NF_INET_NUMHOOKS];
398	unsigned int underflow[NF_INET_NUMHOOKS];
399
400	/*
401	 * Number of user chains. Since tables cannot have loops, at most
402	 * @stacksize jumps (number of user chains) can possibly be made.
403	 */
404	unsigned int stacksize;
405	unsigned int __percpu *stackptr;
406	void ***jumpstack;
407	/* ipt_entry tables: one per CPU */
408	/* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
409	void *entries[1];
410};
411
412#define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
413			  + nr_cpu_ids * sizeof(char *))
414extern int xt_register_target(struct xt_target *target);
415extern void xt_unregister_target(struct xt_target *target);
416extern int xt_register_targets(struct xt_target *target, unsigned int n);
417extern void xt_unregister_targets(struct xt_target *target, unsigned int n);
418
419extern int xt_register_match(struct xt_match *target);
420extern void xt_unregister_match(struct xt_match *target);
421extern int xt_register_matches(struct xt_match *match, unsigned int n);
422extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
423
424extern int xt_check_match(struct xt_mtchk_param *,
425			  unsigned int size, u_int8_t proto, bool inv_proto);
426extern int xt_check_target(struct xt_tgchk_param *,
427			   unsigned int size, u_int8_t proto, bool inv_proto);
428
429extern struct xt_table *xt_register_table(struct net *net,
430					  const struct xt_table *table,
431					  struct xt_table_info *bootstrap,
432					  struct xt_table_info *newinfo);
433extern void *xt_unregister_table(struct xt_table *table);
434
435extern struct xt_table_info *xt_replace_table(struct xt_table *table,
436					      unsigned int num_counters,
437					      struct xt_table_info *newinfo,
438					      int *error);
439
440extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
441extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
442extern struct xt_match *xt_request_find_match(u8 af, const char *name,
443					      u8 revision);
444extern struct xt_target *xt_request_find_target(u8 af, const char *name,
445						u8 revision);
446extern int xt_find_revision(u8 af, const char *name, u8 revision,
447			    int target, int *err);
448
449extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
450					   const char *name);
451extern void xt_table_unlock(struct xt_table *t);
452
453extern int xt_proto_init(struct net *net, u_int8_t af);
454extern void xt_proto_fini(struct net *net, u_int8_t af);
455
456extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
457extern void xt_free_table_info(struct xt_table_info *info);
458
459/**
460 * xt_recseq - recursive seqcount for netfilter use
461 * 
462 * Packet processing changes the seqcount only if no recursion happened
463 * get_counters() can use read_seqcount_begin()/read_seqcount_retry(),
464 * because we use the normal seqcount convention :
465 * Low order bit set to 1 if a writer is active.
466 */
467DECLARE_PER_CPU(seqcount_t, xt_recseq);
468
469/**
470 * xt_write_recseq_begin - start of a write section
471 *
472 * Begin packet processing : all readers must wait the end
473 * 1) Must be called with preemption disabled
474 * 2) softirqs must be disabled too (or we should use irqsafe_cpu_add())
475 * Returns :
476 *  1 if no recursion on this cpu
477 *  0 if recursion detected
478 */
479static inline unsigned int xt_write_recseq_begin(void)
480{
481	unsigned int addend;
482
483	/*
484	 * Low order bit of sequence is set if we already
485	 * called xt_write_recseq_begin().
486	 */
487	addend = (__this_cpu_read(xt_recseq.sequence) + 1) & 1;
488
489	/*
490	 * This is kind of a write_seqcount_begin(), but addend is 0 or 1
491	 * We dont check addend value to avoid a test and conditional jump,
492	 * since addend is most likely 1
493	 */
494	__this_cpu_add(xt_recseq.sequence, addend);
495	smp_wmb();
496
497	return addend;
498}
499
500/**
501 * xt_write_recseq_end - end of a write section
502 * @addend: return value from previous xt_write_recseq_begin()
503 *
504 * End packet processing : all readers can proceed
505 * 1) Must be called with preemption disabled
506 * 2) softirqs must be disabled too (or we should use irqsafe_cpu_add())
507 */
508static inline void xt_write_recseq_end(unsigned int addend)
509{
510	/* this is kind of a write_seqcount_end(), but addend is 0 or 1 */
511	smp_wmb();
512	__this_cpu_add(xt_recseq.sequence, addend);
513}
514
515/*
516 * This helper is performance critical and must be inlined
517 */
518static inline unsigned long ifname_compare_aligned(const char *_a,
519						   const char *_b,
520						   const char *_mask)
521{
522	const unsigned long *a = (const unsigned long *)_a;
523	const unsigned long *b = (const unsigned long *)_b;
524	const unsigned long *mask = (const unsigned long *)_mask;
525	unsigned long ret;
526
527	ret = (a[0] ^ b[0]) & mask[0];
528	if (IFNAMSIZ > sizeof(unsigned long))
529		ret |= (a[1] ^ b[1]) & mask[1];
530	if (IFNAMSIZ > 2 * sizeof(unsigned long))
531		ret |= (a[2] ^ b[2]) & mask[2];
532	if (IFNAMSIZ > 3 * sizeof(unsigned long))
533		ret |= (a[3] ^ b[3]) & mask[3];
534	BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
535	return ret;
536}
537
538extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
539extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
540
541#ifdef CONFIG_COMPAT
542#include <net/compat.h>
543
544struct compat_xt_entry_match {
545	union {
546		struct {
547			u_int16_t match_size;
548			char name[XT_FUNCTION_MAXNAMELEN - 1];
549			u_int8_t revision;
550		} user;
551		struct {
552			u_int16_t match_size;
553			compat_uptr_t match;
554		} kernel;
555		u_int16_t match_size;
556	} u;
557	unsigned char data[0];
558};
559
560struct compat_xt_entry_target {
561	union {
562		struct {
563			u_int16_t target_size;
564			char name[XT_FUNCTION_MAXNAMELEN - 1];
565			u_int8_t revision;
566		} user;
567		struct {
568			u_int16_t target_size;
569			compat_uptr_t target;
570		} kernel;
571		u_int16_t target_size;
572	} u;
573	unsigned char data[0];
574};
575
576/* FIXME: this works only on 32 bit tasks
577 * need to change whole approach in order to calculate align as function of
578 * current task alignment */
579
580struct compat_xt_counters {
581	compat_u64 pcnt, bcnt;			/* Packet and byte counters */
582};
583
584struct compat_xt_counters_info {
585	char name[XT_TABLE_MAXNAMELEN];
586	compat_uint_t num_counters;
587	struct compat_xt_counters counters[0];
588};
589
590struct _compat_xt_align {
591	__u8 u8;
592	__u16 u16;
593	__u32 u32;
594	compat_u64 u64;
595};
596
597#define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
598
599extern void xt_compat_lock(u_int8_t af);
600extern void xt_compat_unlock(u_int8_t af);
601
602extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta);
603extern void xt_compat_flush_offsets(u_int8_t af);
604extern void xt_compat_init_offsets(u_int8_t af, unsigned int number);
605extern int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
606
607extern int xt_compat_match_offset(const struct xt_match *match);
608extern int xt_compat_match_from_user(struct xt_entry_match *m,
609				     void **dstptr, unsigned int *size);
610extern int xt_compat_match_to_user(const struct xt_entry_match *m,
611				   void __user **dstptr, unsigned int *size);
612
613extern int xt_compat_target_offset(const struct xt_target *target);
614extern void xt_compat_target_from_user(struct xt_entry_target *t,
615				       void **dstptr, unsigned int *size);
616extern int xt_compat_target_to_user(const struct xt_entry_target *t,
617				    void __user **dstptr, unsigned int *size);
618
619#endif /* CONFIG_COMPAT */
620#endif /* __KERNEL__ */
621
622#endif /* _X_TABLES_H */