x_tables.h revision c40bba6922b470c0fd0c7a7b8b09584527c468e9 
1#ifndef _X_TABLES_H
2#define _X_TABLES_H
3
4#include <linux/types.h>
5
6#define XT_FUNCTION_MAXNAMELEN 30
7#define XT_TABLE_MAXNAMELEN 32
8
9struct xt_entry_match
10{
11	union {
12		struct {
13			__u16 match_size;
14
15			/* Used by userspace */
16			char name[XT_FUNCTION_MAXNAMELEN-1];
17
18			__u8 revision;
19		} user;
20		struct {
21			__u16 match_size;
22
23			/* Used inside the kernel */
24			struct xt_match *match;
25		} kernel;
26
27		/* Total length */
28		__u16 match_size;
29	} u;
30
31	unsigned char data[0];
32};
33
34struct xt_entry_target
35{
36	union {
37		struct {
38			__u16 target_size;
39
40			/* Used by userspace */
41			char name[XT_FUNCTION_MAXNAMELEN-1];
42
43			__u8 revision;
44		} user;
45		struct {
46			__u16 target_size;
47
48			/* Used inside the kernel */
49			struct xt_target *target;
50		} kernel;
51
52		/* Total length */
53		__u16 target_size;
54	} u;
55
56	unsigned char data[0];
57};
58
59#define XT_TARGET_INIT(__name, __size)					       \
60{									       \
61	.target.u.user = {						       \
62		.target_size	= XT_ALIGN(__size),			       \
63		.name		= __name,				       \
64	},								       \
65}
66
67struct xt_standard_target
68{
69	struct xt_entry_target target;
70	int verdict;
71};
72
73/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
74 * kernel supports, if >= revision. */
75struct xt_get_revision
76{
77	char name[XT_FUNCTION_MAXNAMELEN-1];
78
79	__u8 revision;
80};
81
82/* CONTINUE verdict for targets */
83#define XT_CONTINUE 0xFFFFFFFF
84
85/* For standard target */
86#define XT_RETURN (-NF_REPEAT - 1)
87
88/* this is a dummy structure to find out the alignment requirement for a struct
89 * containing all the fundamental data types that are used in ipt_entry,
90 * ip6t_entry and arpt_entry.  This sucks, and it is a hack.  It will be my
91 * personal pleasure to remove it -HW
92 */
93struct _xt_align
94{
95	__u8 u8;
96	__u16 u16;
97	__u32 u32;
98	__u64 u64;
99};
100
101#define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) 	\
102			& ~(__alignof__(struct _xt_align)-1))
103
104/* Standard return verdict, or do jump. */
105#define XT_STANDARD_TARGET ""
106/* Error verdict. */
107#define XT_ERROR_TARGET "ERROR"
108
109#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
110#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
111
112struct xt_counters
113{
114	__u64 pcnt, bcnt;			/* Packet and byte counters */
115};
116
117/* The argument to IPT_SO_ADD_COUNTERS. */
118struct xt_counters_info
119{
120	/* Which table. */
121	char name[XT_TABLE_MAXNAMELEN];
122
123	unsigned int num_counters;
124
125	/* The counters (actually `number' of these). */
126	struct xt_counters counters[0];
127};
128
129#define XT_INV_PROTO		0x40	/* Invert the sense of PROTO. */
130
131/* fn returns 0 to continue iteration */
132#define XT_MATCH_ITERATE(type, e, fn, args...)			\
133({								\
134	unsigned int __i;					\
135	int __ret = 0;						\
136	struct xt_entry_match *__m;				\
137								\
138	for (__i = sizeof(type);				\
139	     __i < (e)->target_offset;				\
140	     __i += __m->u.match_size) {			\
141		__m = (void *)e + __i;				\
142								\
143		__ret = fn(__m , ## args);			\
144		if (__ret != 0)					\
145			break;					\
146	}							\
147	__ret;							\
148})
149
150/* fn returns 0 to continue iteration */
151#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
152({								\
153	unsigned int __i, __n;					\
154	int __ret = 0;						\
155	type *__entry;						\
156								\
157	for (__i = 0, __n = 0; __i < (size);			\
158	     __i += __entry->next_offset, __n++) { 		\
159		__entry = (void *)(entries) + __i;		\
160		if (__n < n)					\
161			continue;				\
162								\
163		__ret = fn(__entry , ## args);			\
164		if (__ret != 0)					\
165			break;					\
166	}							\
167	__ret;							\
168})
169
170/* fn returns 0 to continue iteration */
171#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
172	XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
173
174#ifdef __KERNEL__
175
176#include <linux/netdevice.h>
177
178/**
179 * struct xt_match_param - parameters for match extensions' match functions
180 *
181 * @in:		input netdevice
182 * @out:	output netdevice
183 * @match:	struct xt_match through which this function was invoked
184 * @matchinfo:	per-match data
185 * @fragoff:	packet is a fragment, this is the data offset
186 * @thoff:	position of transport header relative to skb->data
187 * @hook:	hook number given packet came from
188 * @family:	Actual NFPROTO_* through which the function is invoked
189 * 		(helpful when match->family == NFPROTO_UNSPEC)
190 * @hotdrop:	drop packet if we had inspection problems
191 */
192struct xt_match_param {
193	const struct net_device *in, *out;
194	const struct xt_match *match;
195	const void *matchinfo;
196	int fragoff;
197	unsigned int thoff;
198	unsigned int hooknum;
199	u_int8_t family;
200	bool *hotdrop;
201};
202
203/**
204 * struct xt_mtchk_param - parameters for match extensions'
205 * checkentry functions
206 *
207 * @table:	table the rule is tried to be inserted into
208 * @entryinfo:	the family-specific rule data
209 * 		(struct ipt_ip, ip6t_ip, ebt_entry)
210 * @match:	struct xt_match through which this function was invoked
211 * @matchinfo:	per-match data
212 * @hook_mask:	via which hooks the new rule is reachable
213 */
214struct xt_mtchk_param {
215	const char *table;
216	const void *entryinfo;
217	const struct xt_match *match;
218	void *matchinfo;
219	unsigned int hook_mask;
220	u_int8_t family;
221};
222
223/* Match destructor parameters */
224struct xt_mtdtor_param {
225	const struct xt_match *match;
226	void *matchinfo;
227	u_int8_t family;
228};
229
230/**
231 * struct xt_target_param - parameters for target extensions' target functions
232 *
233 * @hooknum:	hook through which this target was invoked
234 * @target:	struct xt_target through which this function was invoked
235 * @targinfo:	per-target data
236 *
237 * Other fields see above.
238 */
239struct xt_target_param {
240	const struct net_device *in, *out;
241	unsigned int hooknum;
242	const struct xt_target *target;
243	const void *targinfo;
244	u_int8_t family;
245};
246
247/**
248 * struct xt_tgchk_param - parameters for target extensions'
249 * checkentry functions
250 *
251 * @entryinfo:	the family-specific rule data
252 * 		(struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
253 *
254 * Other fields see above.
255 */
256struct xt_tgchk_param {
257	const char *table;
258	const void *entryinfo;
259	const struct xt_target *target;
260	void *targinfo;
261	unsigned int hook_mask;
262	u_int8_t family;
263};
264
265/* Target destructor parameters */
266struct xt_tgdtor_param {
267	const struct xt_target *target;
268	void *targinfo;
269	u_int8_t family;
270};
271
272struct xt_match
273{
274	struct list_head list;
275
276	const char name[XT_FUNCTION_MAXNAMELEN-1];
277	u_int8_t revision;
278
279	/* Return true or false: return FALSE and set *hotdrop = 1 to
280           force immediate packet drop. */
281	/* Arguments changed since 2.6.9, as this must now handle
282	   non-linear skb, using skb_header_pointer and
283	   skb_ip_make_writable. */
284	bool (*match)(const struct sk_buff *skb,
285		      const struct xt_match_param *);
286
287	/* Called when user tries to insert an entry of this type. */
288	bool (*checkentry)(const struct xt_mtchk_param *);
289
290	/* Called when entry of this type deleted. */
291	void (*destroy)(const struct xt_mtdtor_param *);
292
293	/* Called when userspace align differs from kernel space one */
294	void (*compat_from_user)(void *dst, void *src);
295	int (*compat_to_user)(void __user *dst, void *src);
296
297	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
298	struct module *me;
299
300	/* Free to use by each match */
301	unsigned long data;
302
303	const char *table;
304	unsigned int matchsize;
305	unsigned int compatsize;
306	unsigned int hooks;
307	unsigned short proto;
308
309	unsigned short family;
310};
311
312/* Registration hooks for targets. */
313struct xt_target
314{
315	struct list_head list;
316
317	const char name[XT_FUNCTION_MAXNAMELEN-1];
318
319	/* Returns verdict. Argument order changed since 2.6.9, as this
320	   must now handle non-linear skbs, using skb_copy_bits and
321	   skb_ip_make_writable. */
322	unsigned int (*target)(struct sk_buff *skb,
323			       const struct xt_target_param *);
324
325	/* Called when user tries to insert an entry of this type:
326           hook_mask is a bitmask of hooks from which it can be
327           called. */
328	/* Should return true or false. */
329	bool (*checkentry)(const struct xt_tgchk_param *);
330
331	/* Called when entry of this type deleted. */
332	void (*destroy)(const struct xt_tgdtor_param *);
333
334	/* Called when userspace align differs from kernel space one */
335	void (*compat_from_user)(void *dst, void *src);
336	int (*compat_to_user)(void __user *dst, void *src);
337
338	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
339	struct module *me;
340
341	const char *table;
342	unsigned int targetsize;
343	unsigned int compatsize;
344	unsigned int hooks;
345	unsigned short proto;
346
347	unsigned short family;
348	u_int8_t revision;
349};
350
351/* Furniture shopping... */
352struct xt_table
353{
354	struct list_head list;
355
356	/* What hooks you will enter on */
357	unsigned int valid_hooks;
358
359	/* Man behind the curtain... */
360	struct xt_table_info *private;
361
362	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
363	struct module *me;
364
365	u_int8_t af;		/* address/protocol family */
366
367	/* A unique name... */
368	const char name[XT_TABLE_MAXNAMELEN];
369};
370
371#include <linux/netfilter_ipv4.h>
372
373/* The table itself */
374struct xt_table_info
375{
376	/* Size per table */
377	unsigned int size;
378	/* Number of entries: FIXME. --RR */
379	unsigned int number;
380	/* Initial number of entries. Needed for module usage count */
381	unsigned int initial_entries;
382
383	/* Entry points and underflows */
384	unsigned int hook_entry[NF_INET_NUMHOOKS];
385	unsigned int underflow[NF_INET_NUMHOOKS];
386
387	/* ipt_entry tables: one per CPU */
388	/* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
389	void *entries[1];
390};
391
392#define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
393			  + nr_cpu_ids * sizeof(char *))
394extern int xt_register_target(struct xt_target *target);
395extern void xt_unregister_target(struct xt_target *target);
396extern int xt_register_targets(struct xt_target *target, unsigned int n);
397extern void xt_unregister_targets(struct xt_target *target, unsigned int n);
398
399extern int xt_register_match(struct xt_match *target);
400extern void xt_unregister_match(struct xt_match *target);
401extern int xt_register_matches(struct xt_match *match, unsigned int n);
402extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
403
404extern int xt_check_match(struct xt_mtchk_param *,
405			  unsigned int size, u_int8_t proto, bool inv_proto);
406extern int xt_check_target(struct xt_tgchk_param *,
407			   unsigned int size, u_int8_t proto, bool inv_proto);
408
409extern struct xt_table *xt_register_table(struct net *net,
410					  struct xt_table *table,
411					  struct xt_table_info *bootstrap,
412					  struct xt_table_info *newinfo);
413extern void *xt_unregister_table(struct xt_table *table);
414
415extern struct xt_table_info *xt_replace_table(struct xt_table *table,
416					      unsigned int num_counters,
417					      struct xt_table_info *newinfo,
418					      int *error);
419
420extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
421extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
422extern struct xt_target *xt_request_find_target(u8 af, const char *name,
423						u8 revision);
424extern int xt_find_revision(u8 af, const char *name, u8 revision,
425			    int target, int *err);
426
427extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
428					   const char *name);
429extern void xt_table_unlock(struct xt_table *t);
430
431extern int xt_proto_init(struct net *net, u_int8_t af);
432extern void xt_proto_fini(struct net *net, u_int8_t af);
433
434extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
435extern void xt_free_table_info(struct xt_table_info *info);
436
437/*
438 * Per-CPU spinlock associated with per-cpu table entries, and
439 * with a counter for the "reading" side that allows a recursive
440 * reader to avoid taking the lock and deadlocking.
441 *
442 * "reading" is used by ip/arp/ip6 tables rule processing which runs per-cpu.
443 * It needs to ensure that the rules are not being changed while the packet
444 * is being processed. In some cases, the read lock will be acquired
445 * twice on the same CPU; this is okay because of the count.
446 *
447 * "writing" is used when reading counters.
448 *  During replace any readers that are using the old tables have to complete
449 *  before freeing the old table. This is handled by the write locking
450 *  necessary for reading the counters.
451 */
452struct xt_info_lock {
453	spinlock_t lock;
454	unsigned char readers;
455};
456DECLARE_PER_CPU(struct xt_info_lock, xt_info_locks);
457
458/*
459 * Note: we need to ensure that preemption is disabled before acquiring
460 * the per-cpu-variable, so we do it as a two step process rather than
461 * using "spin_lock_bh()".
462 *
463 * We _also_ need to disable bottom half processing before updating our
464 * nesting count, to make sure that the only kind of re-entrancy is this
465 * code being called by itself: since the count+lock is not an atomic
466 * operation, we can allow no races.
467 *
468 * _Only_ that special combination of being per-cpu and never getting
469 * re-entered asynchronously means that the count is safe.
470 */
471static inline void xt_info_rdlock_bh(void)
472{
473	struct xt_info_lock *lock;
474
475	local_bh_disable();
476	lock = &__get_cpu_var(xt_info_locks);
477	if (likely(!lock->readers++))
478		spin_lock(&lock->lock);
479}
480
481static inline void xt_info_rdunlock_bh(void)
482{
483	struct xt_info_lock *lock = &__get_cpu_var(xt_info_locks);
484
485	if (likely(!--lock->readers))
486		spin_unlock(&lock->lock);
487	local_bh_enable();
488}
489
490/*
491 * The "writer" side needs to get exclusive access to the lock,
492 * regardless of readers.  This must be called with bottom half
493 * processing (and thus also preemption) disabled.
494 */
495static inline void xt_info_wrlock(unsigned int cpu)
496{
497	spin_lock(&per_cpu(xt_info_locks, cpu).lock);
498}
499
500static inline void xt_info_wrunlock(unsigned int cpu)
501{
502	spin_unlock(&per_cpu(xt_info_locks, cpu).lock);
503}
504
505/*
506 * This helper is performance critical and must be inlined
507 */
508static inline unsigned long ifname_compare_aligned(const char *_a,
509						   const char *_b,
510						   const char *_mask)
511{
512	const unsigned long *a = (const unsigned long *)_a;
513	const unsigned long *b = (const unsigned long *)_b;
514	const unsigned long *mask = (const unsigned long *)_mask;
515	unsigned long ret;
516
517	ret = (a[0] ^ b[0]) & mask[0];
518	if (IFNAMSIZ > sizeof(unsigned long))
519		ret |= (a[1] ^ b[1]) & mask[1];
520	if (IFNAMSIZ > 2 * sizeof(unsigned long))
521		ret |= (a[2] ^ b[2]) & mask[2];
522	if (IFNAMSIZ > 3 * sizeof(unsigned long))
523		ret |= (a[3] ^ b[3]) & mask[3];
524	BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
525	return ret;
526}
527
528#ifdef CONFIG_COMPAT
529#include <net/compat.h>
530
531struct compat_xt_entry_match
532{
533	union {
534		struct {
535			u_int16_t match_size;
536			char name[XT_FUNCTION_MAXNAMELEN - 1];
537			u_int8_t revision;
538		} user;
539		struct {
540			u_int16_t match_size;
541			compat_uptr_t match;
542		} kernel;
543		u_int16_t match_size;
544	} u;
545	unsigned char data[0];
546};
547
548struct compat_xt_entry_target
549{
550	union {
551		struct {
552			u_int16_t target_size;
553			char name[XT_FUNCTION_MAXNAMELEN - 1];
554			u_int8_t revision;
555		} user;
556		struct {
557			u_int16_t target_size;
558			compat_uptr_t target;
559		} kernel;
560		u_int16_t target_size;
561	} u;
562	unsigned char data[0];
563};
564
565/* FIXME: this works only on 32 bit tasks
566 * need to change whole approach in order to calculate align as function of
567 * current task alignment */
568
569struct compat_xt_counters
570{
571#if defined(CONFIG_X86_64) || defined(CONFIG_IA64)
572	u_int32_t cnt[4];
573#else
574	u_int64_t cnt[2];
575#endif
576};
577
578struct compat_xt_counters_info
579{
580	char name[XT_TABLE_MAXNAMELEN];
581	compat_uint_t num_counters;
582	struct compat_xt_counters counters[0];
583};
584
585#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
586		& ~(__alignof__(struct compat_xt_counters)-1))
587
588extern void xt_compat_lock(u_int8_t af);
589extern void xt_compat_unlock(u_int8_t af);
590
591extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta);
592extern void xt_compat_flush_offsets(u_int8_t af);
593extern short xt_compat_calc_jump(u_int8_t af, unsigned int offset);
594
595extern int xt_compat_match_offset(const struct xt_match *match);
596extern int xt_compat_match_from_user(struct xt_entry_match *m,
597				     void **dstptr, unsigned int *size);
598extern int xt_compat_match_to_user(struct xt_entry_match *m,
599				   void __user **dstptr, unsigned int *size);
600
601extern int xt_compat_target_offset(const struct xt_target *target);
602extern void xt_compat_target_from_user(struct xt_entry_target *t,
603				       void **dstptr, unsigned int *size);
604extern int xt_compat_target_to_user(struct xt_entry_target *t,
605				    void __user **dstptr, unsigned int *size);
606
607#endif /* CONFIG_COMPAT */
608#endif /* __KERNEL__ */
609
610#endif /* _X_TABLES_H */
611