3 #include <linux/kernel.h>
4 #include <linux/types.h>
6 #define XT_FUNCTION_MAXNAMELEN 30
7 #define XT_EXTENSION_MAXNAMELEN 29
8 #define XT_TABLE_MAXNAMELEN 32
10 struct xt_entry_match {
15 /* Used by userspace */
16 char name[XT_EXTENSION_MAXNAMELEN];
22 /* Used inside the kernel */
23 struct xt_match *match;
30 unsigned char data[0];
33 struct xt_entry_target {
38 /* Used by userspace */
39 char name[XT_EXTENSION_MAXNAMELEN];
45 /* Used inside the kernel */
46 struct xt_target *target;
53 unsigned char data[0];
56 #define XT_TARGET_INIT(__name, __size) \
59 .target_size = XT_ALIGN(__size), \
64 struct xt_standard_target {
65 struct xt_entry_target target;
69 /* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
70 * kernel supports, if >= revision. */
71 struct xt_get_revision {
72 char name[XT_EXTENSION_MAXNAMELEN];
76 /* CONTINUE verdict for targets */
77 #define XT_CONTINUE 0xFFFFFFFF
79 /* For standard target */
80 #define XT_RETURN (-NF_REPEAT - 1)
82 /* this is a dummy structure to find out the alignment requirement for a struct
83 * containing all the fundamental data types that are used in ipt_entry,
84 * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my
85 * personal pleasure to remove it -HW
94 #define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
96 /* Standard return verdict, or do jump. */
97 #define XT_STANDARD_TARGET ""
99 #define XT_ERROR_TARGET "ERROR"
101 #define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
102 #define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
105 __u64 pcnt, bcnt; /* Packet and byte counters */
108 /* The argument to IPT_SO_ADD_COUNTERS. */
109 struct xt_counters_info {
111 char name[XT_TABLE_MAXNAMELEN];
113 unsigned int num_counters;
115 /* The counters (actually `number' of these). */
116 struct xt_counters counters[0];
119 #define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
122 /* fn returns 0 to continue iteration */
123 #define XT_MATCH_ITERATE(type, e, fn, args...) \
127 struct xt_entry_match *__m; \
129 for (__i = sizeof(type); \
130 __i < (e)->target_offset; \
131 __i += __m->u.match_size) { \
132 __m = (void *)e + __i; \
134 __ret = fn(__m , ## args); \
141 /* fn returns 0 to continue iteration */
142 #define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
144 unsigned int __i, __n; \
148 for (__i = 0, __n = 0; __i < (size); \
149 __i += __entry->next_offset, __n++) { \
150 __entry = (void *)(entries) + __i; \
154 __ret = fn(__entry , ## args); \
161 /* fn returns 0 to continue iteration */
162 #define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
163 XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
165 #endif /* !__KERNEL__ */
167 /* pos is normally a struct ipt_entry/ip6t_entry/etc. */
168 #define xt_entry_foreach(pos, ehead, esize) \
169 for ((pos) = (typeof(pos))(ehead); \
170 (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
171 (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
173 /* can only be xt_entry_match, so no use of typeof here */
174 #define xt_ematch_foreach(pos, entry) \
175 for ((pos) = (struct xt_entry_match *)entry->elems; \
176 (pos) < (struct xt_entry_match *)((char *)(entry) + \
177 (entry)->target_offset); \
178 (pos) = (struct xt_entry_match *)((char *)(pos) + \
179 (pos)->u.match_size))
183 #include <linux/netdevice.h>
186 * struct xt_action_param - parameters for matches/targets
188 * @match: the match extension
189 * @target: the target extension
190 * @matchinfo: per-match data
191 * @targetinfo: per-target data
192 * @in: input netdevice
193 * @out: output netdevice
194 * @fragoff: packet is a fragment, this is the data offset
195 * @thoff: position of transport header relative to skb->data
196 * @hook: hook number given packet came from
197 * @family: Actual NFPROTO_* through which the function is invoked
198 * (helpful when match->family == NFPROTO_UNSPEC)
199 * @hotdrop: drop packet if we had inspection problems
200 * Network namespace obtainable using dev_net(in/out)
202 struct xt_action_param {
204 const struct xt_match *match;
205 const struct xt_target *target;
208 const void *matchinfo, *targinfo;
210 const struct net_device *in, *out;
213 unsigned int hooknum;
219 * struct xt_mtchk_param - parameters for match extensions'
220 * checkentry functions
222 * @net: network namespace through which the check was invoked
223 * @table: table the rule is tried to be inserted into
224 * @entryinfo: the family-specific rule data
225 * (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
226 * @match: struct xt_match through which this function was invoked
227 * @matchinfo: per-match data
228 * @hook_mask: via which hooks the new rule is reachable
229 * Other fields as above.
231 struct xt_mtchk_param {
234 const void *entryinfo;
235 const struct xt_match *match;
237 unsigned int hook_mask;
242 * struct xt_mdtor_param - match destructor parameters
245 struct xt_mtdtor_param {
247 const struct xt_match *match;
253 * struct xt_tgchk_param - parameters for target extensions'
254 * checkentry functions
256 * @entryinfo: the family-specific rule data
257 * (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
259 * Other fields see above.
261 struct xt_tgchk_param {
264 const void *entryinfo;
265 const struct xt_target *target;
267 unsigned int hook_mask;
271 /* Target destructor parameters */
272 struct xt_tgdtor_param {
274 const struct xt_target *target;
280 struct list_head list;
282 const char name[XT_EXTENSION_MAXNAMELEN];
285 /* Return true or false: return FALSE and set *hotdrop = 1 to
286 force immediate packet drop. */
287 /* Arguments changed since 2.6.9, as this must now handle
288 non-linear skb, using skb_header_pointer and
289 skb_ip_make_writable. */
290 bool (*match)(const struct sk_buff *skb,
291 struct xt_action_param *);
293 /* Called when user tries to insert an entry of this type. */
294 int (*checkentry)(const struct xt_mtchk_param *);
296 /* Called when entry of this type deleted. */
297 void (*destroy)(const struct xt_mtdtor_param *);
299 /* Called when userspace align differs from kernel space one */
300 void (*compat_from_user)(void *dst, const void *src);
301 int (*compat_to_user)(void __user *dst, const void *src);
303 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
307 unsigned int matchsize;
309 unsigned int compatsize;
312 unsigned short proto;
314 unsigned short family;
317 /* Registration hooks for targets. */
319 struct list_head list;
321 const char name[XT_EXTENSION_MAXNAMELEN];
324 /* Returns verdict. Argument order changed since 2.6.9, as this
325 must now handle non-linear skbs, using skb_copy_bits and
326 skb_ip_make_writable. */
327 unsigned int (*target)(struct sk_buff *skb,
328 const struct xt_action_param *);
330 /* Called when user tries to insert an entry of this type:
331 hook_mask is a bitmask of hooks from which it can be
333 /* Should return true or false, or an error code (-Exxxx). */
334 int (*checkentry)(const struct xt_tgchk_param *);
336 /* Called when entry of this type deleted. */
337 void (*destroy)(const struct xt_tgdtor_param *);
339 /* Called when userspace align differs from kernel space one */
340 void (*compat_from_user)(void *dst, const void *src);
341 int (*compat_to_user)(void __user *dst, const void *src);
343 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
347 unsigned int targetsize;
349 unsigned int compatsize;
352 unsigned short proto;
354 unsigned short family;
357 /* Furniture shopping... */
359 struct list_head list;
361 /* What hooks you will enter on */
362 unsigned int valid_hooks;
364 /* Man behind the curtain... */
365 struct xt_table_info *private;
367 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
370 u_int8_t af; /* address/protocol family */
371 int priority; /* hook order */
373 /* A unique name... */
374 const char name[XT_TABLE_MAXNAMELEN];
377 #include <linux/netfilter_ipv4.h>
379 /* The table itself */
380 struct xt_table_info {
383 /* Number of entries: FIXME. --RR */
385 /* Initial number of entries. Needed for module usage count */
386 unsigned int initial_entries;
388 /* Entry points and underflows */
389 unsigned int hook_entry[NF_INET_NUMHOOKS];
390 unsigned int underflow[NF_INET_NUMHOOKS];
393 * Number of user chains. Since tables cannot have loops, at most
394 * @stacksize jumps (number of user chains) can possibly be made.
396 unsigned int stacksize;
397 unsigned int *stackptr;
399 /* ipt_entry tables: one per CPU */
400 /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
404 #define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
405 + nr_cpu_ids * sizeof(char *))
406 extern int xt_register_target(struct xt_target *target);
407 extern void xt_unregister_target(struct xt_target *target);
408 extern int xt_register_targets(struct xt_target *target, unsigned int n);
409 extern void xt_unregister_targets(struct xt_target *target, unsigned int n);
411 extern int xt_register_match(struct xt_match *target);
412 extern void xt_unregister_match(struct xt_match *target);
413 extern int xt_register_matches(struct xt_match *match, unsigned int n);
414 extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
416 extern int xt_check_match(struct xt_mtchk_param *,
417 unsigned int size, u_int8_t proto, bool inv_proto);
418 extern int xt_check_target(struct xt_tgchk_param *,
419 unsigned int size, u_int8_t proto, bool inv_proto);
421 extern struct xt_table *xt_register_table(struct net *net,
422 const struct xt_table *table,
423 struct xt_table_info *bootstrap,
424 struct xt_table_info *newinfo);
425 extern void *xt_unregister_table(struct xt_table *table);
427 extern struct xt_table_info *xt_replace_table(struct xt_table *table,
428 unsigned int num_counters,
429 struct xt_table_info *newinfo,
432 extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
433 extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
434 extern struct xt_match *xt_request_find_match(u8 af, const char *name,
436 extern struct xt_target *xt_request_find_target(u8 af, const char *name,
438 extern int xt_find_revision(u8 af, const char *name, u8 revision,
439 int target, int *err);
441 extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
443 extern void xt_table_unlock(struct xt_table *t);
445 extern int xt_proto_init(struct net *net, u_int8_t af);
446 extern void xt_proto_fini(struct net *net, u_int8_t af);
448 extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
449 extern void xt_free_table_info(struct xt_table_info *info);
452 * Per-CPU spinlock associated with per-cpu table entries, and
453 * with a counter for the "reading" side that allows a recursive
454 * reader to avoid taking the lock and deadlocking.
456 * "reading" is used by ip/arp/ip6 tables rule processing which runs per-cpu.
457 * It needs to ensure that the rules are not being changed while the packet
458 * is being processed. In some cases, the read lock will be acquired
459 * twice on the same CPU; this is okay because of the count.
461 * "writing" is used when reading counters.
462 * During replace any readers that are using the old tables have to complete
463 * before freeing the old table. This is handled by the write locking
464 * necessary for reading the counters.
466 struct xt_info_lock {
468 unsigned char readers;
470 DECLARE_PER_CPU(struct xt_info_lock, xt_info_locks);
473 * Note: we need to ensure that preemption is disabled before acquiring
474 * the per-cpu-variable, so we do it as a two step process rather than
475 * using "spin_lock_bh()".
477 * We _also_ need to disable bottom half processing before updating our
478 * nesting count, to make sure that the only kind of re-entrancy is this
479 * code being called by itself: since the count+lock is not an atomic
480 * operation, we can allow no races.
482 * _Only_ that special combination of being per-cpu and never getting
483 * re-entered asynchronously means that the count is safe.
485 static inline void xt_info_rdlock_bh(void)
487 struct xt_info_lock *lock;
490 lock = &__get_cpu_var(xt_info_locks);
491 if (likely(!lock->readers++))
492 spin_lock(&lock->lock);
495 static inline void xt_info_rdunlock_bh(void)
497 struct xt_info_lock *lock = &__get_cpu_var(xt_info_locks);
499 if (likely(!--lock->readers))
500 spin_unlock(&lock->lock);
505 * The "writer" side needs to get exclusive access to the lock,
506 * regardless of readers. This must be called with bottom half
507 * processing (and thus also preemption) disabled.
509 static inline void xt_info_wrlock(unsigned int cpu)
511 spin_lock(&per_cpu(xt_info_locks, cpu).lock);
514 static inline void xt_info_wrunlock(unsigned int cpu)
516 spin_unlock(&per_cpu(xt_info_locks, cpu).lock);
520 * This helper is performance critical and must be inlined
522 static inline unsigned long ifname_compare_aligned(const char *_a,
526 const unsigned long *a = (const unsigned long *)_a;
527 const unsigned long *b = (const unsigned long *)_b;
528 const unsigned long *mask = (const unsigned long *)_mask;
531 ret = (a[0] ^ b[0]) & mask[0];
532 if (IFNAMSIZ > sizeof(unsigned long))
533 ret |= (a[1] ^ b[1]) & mask[1];
534 if (IFNAMSIZ > 2 * sizeof(unsigned long))
535 ret |= (a[2] ^ b[2]) & mask[2];
536 if (IFNAMSIZ > 3 * sizeof(unsigned long))
537 ret |= (a[3] ^ b[3]) & mask[3];
538 BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
542 extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
543 extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
546 #include <net/compat.h>
548 struct compat_xt_entry_match {
551 u_int16_t match_size;
552 char name[XT_FUNCTION_MAXNAMELEN - 1];
556 u_int16_t match_size;
559 u_int16_t match_size;
561 unsigned char data[0];
564 struct compat_xt_entry_target {
567 u_int16_t target_size;
568 char name[XT_FUNCTION_MAXNAMELEN - 1];
572 u_int16_t target_size;
573 compat_uptr_t target;
575 u_int16_t target_size;
577 unsigned char data[0];
580 /* FIXME: this works only on 32 bit tasks
581 * need to change whole approach in order to calculate align as function of
582 * current task alignment */
584 struct compat_xt_counters {
585 compat_u64 pcnt, bcnt; /* Packet and byte counters */
588 struct compat_xt_counters_info {
589 char name[XT_TABLE_MAXNAMELEN];
590 compat_uint_t num_counters;
591 struct compat_xt_counters counters[0];
594 struct _compat_xt_align {
601 #define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
603 extern void xt_compat_lock(u_int8_t af);
604 extern void xt_compat_unlock(u_int8_t af);
606 extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta);
607 extern void xt_compat_flush_offsets(u_int8_t af);
608 extern int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
610 extern int xt_compat_match_offset(const struct xt_match *match);
611 extern int xt_compat_match_from_user(struct xt_entry_match *m,
612 void **dstptr, unsigned int *size);
613 extern int xt_compat_match_to_user(const struct xt_entry_match *m,
614 void __user **dstptr, unsigned int *size);
616 extern int xt_compat_target_offset(const struct xt_target *target);
617 extern void xt_compat_target_from_user(struct xt_entry_target *t,
618 void **dstptr, unsigned int *size);
619 extern int xt_compat_target_to_user(const struct xt_entry_target *t,
620 void __user **dstptr, unsigned int *size);
622 #endif /* CONFIG_COMPAT */
623 #endif /* __KERNEL__ */
625 #endif /* _X_TABLES_H */
git://bbs.cooldavid.org / net-next-2.6.git / blob