libiptc.h revision 4008138e2b5248940265b160fae001d8954fae21
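#ifndef _LIBIPTC_H
#define _LIBIPTC_H
/* Library which manipulates filtering rules.
 *
 * Public interface of libiptc.  The usual life cycle is:
 *   1. iptc_init()      - take a snapshot of one table into a handle;
 *   2. iptc_*()         - inspect or edit the snapshot through that handle;
 *   3. iptc_commit()    - make the accumulated changes;
 *   4. iptc_free()      - release the handle.
 * Until iptc_commit() is called the edits exist only inside the handle.
 */

#include <libiptc/ipt_kernel_headers.h>
#include <linux/netfilter_ipv4/ip_tables.h>

#ifdef __cplusplus
extern "C" {
#endif

#ifndef IPT_MIN_ALIGN
/* ipt_entry has pointers and u_int64_t's in it, so if you align to
   it, you'll also align to any crazy matches and targets someone
   might write */
#define IPT_MIN_ALIGN (__alignof__(struct ipt_entry))
#endif

/* Round `s' up to the next multiple of IPT_MIN_ALIGN.  The mask trick
   below is only correct when IPT_MIN_ALIGN is a power of two, which
   holds for an alignment value. */
#define IPT_ALIGN(s) (((s) + ((IPT_MIN_ALIGN)-1)) & ~((IPT_MIN_ALIGN)-1))

/* Fixed-size buffer for a chain name.  Names are handled as C strings
   elsewhere in this API (see iptc_is_chain), so the terminating NUL
   presumably has to fit inside the 32 bytes. */
typedef char ipt_chainlabel[32];

/* Names of the standard verdicts, usable as a target or as a policy. */
#define IPTC_LABEL_ACCEPT "ACCEPT"
#define IPTC_LABEL_DROP "DROP"
#define IPTC_LABEL_QUEUE "QUEUE"
#define IPTC_LABEL_RETURN "RETURN"

/* Transparent handle type.  struct iptc_handle is never defined for
   callers; they only ever hold the pointer.  Note that a parameter
   declared `const iptc_handle_t' makes the pointer itself const, not
   the handle it points to. */
typedef struct iptc_handle *iptc_handle_t;

/* Does this chain exist? */
int iptc_is_chain(const char *chain, const iptc_handle_t handle);

/* Take a snapshot of the rules.  Returns NULL on error.
   `tablename' selects the table (for example "filter").  The returned
   handle is owned by the caller and must be released with iptc_free(). */
iptc_handle_t iptc_init(const char *tablename);

/* Cleanup after iptc_init(). */
void iptc_free(iptc_handle_t *h);

/* Iterator functions to run through the chains.  Returns NULL at end.
   The returned strings belong to the handle; do not free them. */
const char *iptc_first_chain(iptc_handle_t *handle);
const char *iptc_next_chain(iptc_handle_t *handle);

/* Get first rule in the given chain: NULL for empty chain. */
const struct ipt_entry *iptc_first_rule(const char *chain,
					iptc_handle_t *handle);

/* Returns NULL when rules run out. */
const struct ipt_entry *iptc_next_rule(const struct ipt_entry *prev,
				       iptc_handle_t *handle);

/* Returns a pointer to the target name of this entry. */
const char *iptc_get_target(const struct ipt_entry *e,
			    iptc_handle_t *handle);

/* Is this a built-in chain? */
int iptc_builtin(const char *chain, const iptc_handle_t handle);

/* Get the policy of a given built-in chain.  If `counter' is
   non-NULL it receives the policy's packet/byte counters. */
const char *iptc_get_policy(const char *chain,
			    struct ipt_counters *counter,
			    iptc_handle_t *handle);

/* These functions return TRUE for OK or 0 and set errno.  If errno ==
   0, it means there was a version error (ie. upgrade libiptc).
   Use iptc_strerror() to turn the errno value into a message. */
/* Rule numbers start at 1 for the first rule. */

/* Insert the entry `e' in chain `chain' into position `rulenum'. */
int iptc_insert_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      unsigned int rulenum,
		      iptc_handle_t *handle);

/* Atomically replace rule `rulenum' in `chain' with `e'. */
int iptc_replace_entry(const ipt_chainlabel chain,
		       const struct ipt_entry *e,
		       unsigned int rulenum,
		       iptc_handle_t *handle);

/* Append entry `e' to chain `chain'.  Equivalent to insert with
   rulenum = length of chain. */
int iptc_append_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      iptc_handle_t *handle);

/* Delete the first rule in `chain' which matches `e', subject to
   matchmask (array of length == origfw).  `matchmask' is a byte mask
   laid over the whole entry `origfw'; bytes that are zero in the mask
   are ignored when comparing, so its length must cover the entry. */
int iptc_delete_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *origfw,
		      unsigned char *matchmask,
		      iptc_handle_t *handle);

/* Delete the rule in position `rulenum' in `chain'. */
int iptc_delete_num_entry(const ipt_chainlabel chain,
			  unsigned int rulenum,
			  iptc_handle_t *handle);

/* Check the packet `e' on chain `chain'.  Returns the verdict, or
   NULL and sets errno. */
const char *iptc_check_packet(const ipt_chainlabel chain,
			      struct ipt_entry *entry,
			      iptc_handle_t *handle);

/* Flushes the entries in the given chain (ie. empties chain). */
int iptc_flush_entries(const ipt_chainlabel chain,
		       iptc_handle_t *handle);

/* Zeroes the counters in a chain. */
int iptc_zero_entries(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Creates a new chain. */
int iptc_create_chain(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Deletes a chain. */
int iptc_delete_chain(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Renames a chain. */
int iptc_rename_chain(const ipt_chainlabel oldname,
		      const ipt_chainlabel newname,
		      iptc_handle_t *handle);

/* Sets the policy on a built-in chain.  `policy' is one of the
   IPTC_LABEL_* names; `counters', if non-NULL, become the policy's
   new counters. */
int iptc_set_policy(const ipt_chainlabel chain,
		    const ipt_chainlabel policy,
		    struct ipt_counters *counters,
		    iptc_handle_t *handle);

/* Get the number of references to this chain.  The count is stored
   through `ref'; the return value follows the OK/0 convention above. */
int iptc_get_references(unsigned int *ref,
			const ipt_chainlabel chain,
			iptc_handle_t *handle);

/* read packet and byte counters for a specific rule */
struct ipt_counters *iptc_read_counter(const ipt_chainlabel chain,
				       unsigned int rulenum,
				       iptc_handle_t *handle);

/* zero packet and byte counters for a specific rule */
int iptc_zero_counter(const ipt_chainlabel chain,
		      unsigned int rulenum,
		      iptc_handle_t *handle);

/* set packet and byte counters for a specific rule */
int iptc_set_counter(const ipt_chainlabel chain,
		     unsigned int rulenum,
		     struct ipt_counters *counters,
		     iptc_handle_t *handle);

/* Makes the actual changes. */
int iptc_commit(iptc_handle_t *handle);

/* Get raw socket.  Declared with (void): an empty parameter list in a
   C prototype means "unspecified arguments", not "no arguments".
   NOTE(review): the failure value is not documented here; presumably
   -1 as for socket(2) -- confirm against the implementation before
   relying on it. */
int iptc_get_raw_socket(void);

/* Translates errno numbers into more human-readable form than strerror. */
const char *iptc_strerror(int err);

#ifdef __cplusplus
}
#endif


#endif /* _LIBIPTC_H */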