libiptc.h revision 4008138e2b5248940265b160fae001d8954fae21
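#ifndef _LIBIPTC_H
#define _LIBIPTC_H
/* Library which manipulates filtering rules.
 *
 * Life cycle: iptc_init() takes a snapshot of one table into a handle,
 * the iptc_*() functions below inspect or edit that snapshot,
 * iptc_commit() makes the accumulated changes actual, and iptc_free()
 * releases the handle.
 *
 * The include guard name is in the identifier namespace reserved for
 * the implementation (leading underscore + uppercase); it is kept as-is
 * because existing code may test for it. */

#include <libiptc/ipt_kernel_headers.h>
#include <linux/netfilter_ipv4/ip_tables.h>

#ifdef __cplusplus
extern "C" {
#endif

#ifndef IPT_MIN_ALIGN
/* ipt_entry has pointers and u_int64_t's in it, so if you align to
   it, you'll also align to any crazy matches and targets someone
   might write */
#define IPT_MIN_ALIGN (__alignof__(struct ipt_entry))
#endif

/* Round `s' up to the next multiple of IPT_MIN_ALIGN.  The mask trick
   is only correct when IPT_MIN_ALIGN is a power of two, and there is
   no overflow check: an `s' within IPT_MIN_ALIGN-1 of its type's
   maximum wraps around, so validate sizes taken from external data
   before feeding them through this macro. */
#define IPT_ALIGN(s) (((s) + ((IPT_MIN_ALIGN)-1)) & ~((IPT_MIN_ALIGN)-1))

/* Chain name: a fixed 32-byte buffer.  When building one from
   external input, bound the copy and make sure the name is
   NUL-terminated inside the buffer, e.g.
   snprintf(label, sizeof label, "%s", name). */
typedef char ipt_chainlabel[32];

/* Names of the standard verdicts. */
#define IPTC_LABEL_ACCEPT  "ACCEPT"
#define IPTC_LABEL_DROP    "DROP"
#define IPTC_LABEL_QUEUE   "QUEUE"
#define IPTC_LABEL_RETURN  "RETURN"

/* Transparent handle type.  Because this is a typedef of a pointer,
   `const iptc_handle_t' is a constant pointer to a mutable handle,
   not a pointer to a constant handle.  Note also that iptc_is_chain()
   and iptc_builtin() take the handle by value while every other
   function here takes `iptc_handle_t *'. */
typedef struct iptc_handle *iptc_handle_t;

/* Does this chain exist?  Non-zero if `chain' is present in the
   snapshot held by `handle', 0 otherwise. */
int iptc_is_chain(const char *chain, const iptc_handle_t handle);

/* Take a snapshot of the rules of table `tablename'.  Returns NULL on
   error.  The caller owns the returned handle and releases it with
   iptc_free(). */
iptc_handle_t iptc_init(const char *tablename);

/* Cleanup after iptc_init().  Call once per successful iptc_init(). */
void iptc_free(iptc_handle_t *h);

/* Iterator functions to run through the chains.  Returns NULL at end.
   The returned names are read-only; presumably they point into the
   snapshot and stay valid only as long as the handle does. */
const char *iptc_first_chain(iptc_handle_t *handle);
const char *iptc_next_chain(iptc_handle_t *handle);

/* Get first rule in the given chain: NULL for empty chain.  The
   returned entry is const: edit rules through the iptc_*_entry()
   functions below rather than by writing through this pointer. */
const struct ipt_entry *iptc_first_rule(const char *chain,
					iptc_handle_t *handle);

/* Returns NULL when rules run out.  `prev' is a pointer previously
   obtained from iptc_first_rule() or iptc_next_rule(). */
const struct ipt_entry *iptc_next_rule(const struct ipt_entry *prev,
				       iptc_handle_t *handle);

/* Returns a pointer to the target name of this entry. */
const char *iptc_get_target(const struct ipt_entry *e,
			    iptc_handle_t *handle);

/* Is this a built-in chain?  Non-zero for yes, 0 otherwise. */
int iptc_builtin(const char *chain, const iptc_handle_t handle);

/* Get the policy of a given built-in chain.  The chain's counters are
   reported through `counter'. */
const char *iptc_get_policy(const char *chain,
			    struct ipt_counters *counter,
			    iptc_handle_t *handle);

/* These functions return TRUE for OK or 0 and set errno.  If errno ==
   0, it means there was a version error (ie. upgrade libiptc).
   Check every return value: a failed edit leaves the snapshot in
   whatever state it was, and iptc_commit() would then push that. */
/* Rule numbers start at 1 for the first rule. */

/* Insert the entry `e' in chain `chain' into position `rulenum'. */
int iptc_insert_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      unsigned int rulenum,
		      iptc_handle_t *handle);

/* Atomically replace rule `rulenum' in `chain' with `e'. */
int iptc_replace_entry(const ipt_chainlabel chain,
		       const struct ipt_entry *e,
		       unsigned int rulenum,
		       iptc_handle_t *handle);

/* Append entry `e' to chain `chain'.  Equivalent to insert with
   rulenum = length of chain. */
int iptc_append_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      iptc_handle_t *handle);

/* Delete the first rule in `chain' which matches `e', subject to
   matchmask: an array of unsigned char of the same length as `origfw'
   (a mask over its bytes). */
int iptc_delete_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *origfw,
		      unsigned char *matchmask,
		      iptc_handle_t *handle);

/* Delete the rule in position `rulenum' in `chain'. */
int iptc_delete_num_entry(const ipt_chainlabel chain,
			  unsigned int rulenum,
			  iptc_handle_t *handle);

/* Check the packet `e' on chain `chain'.  Returns the verdict, or
   NULL and sets errno. */
const char *iptc_check_packet(const ipt_chainlabel chain,
			      struct ipt_entry *entry,
			      iptc_handle_t *handle);

/* Flushes the entries in the given chain (ie. empties chain). */
int iptc_flush_entries(const ipt_chainlabel chain,
		       iptc_handle_t *handle);

/* Zeroes the counters in a chain. */
int iptc_zero_entries(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Creates a new chain. */
int iptc_create_chain(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Deletes a chain. */
int iptc_delete_chain(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Renames a chain. */
int iptc_rename_chain(const ipt_chainlabel oldname,
		      const ipt_chainlabel newname,
		      iptc_handle_t *handle);

/* Sets the policy on a built-in chain.  `policy' is a verdict name
   (see the IPTC_LABEL_* macros). */
int iptc_set_policy(const ipt_chainlabel chain,
		    const ipt_chainlabel policy,
		    struct ipt_counters *counters,
		    iptc_handle_t *handle);

/* Get the number of references to this chain; the count is written to
   *ref. */
int iptc_get_references(unsigned int *ref,
			const ipt_chainlabel chain,
			iptc_handle_t *handle);

/* read packet and byte counters for a specific rule */
struct ipt_counters *iptc_read_counter(const ipt_chainlabel chain,
				       unsigned int rulenum,
				       iptc_handle_t *handle);

/* zero packet and byte counters for a specific rule */
int iptc_zero_counter(const ipt_chainlabel chain,
		      unsigned int rulenum,
		      iptc_handle_t *handle);

/* set packet and byte counters for a specific rule */
int iptc_set_counter(const ipt_chainlabel chain,
		     unsigned int rulenum,
		     struct ipt_counters *counters,
		     iptc_handle_t *handle);

/* Makes the actual changes. */
int iptc_commit(iptc_handle_t *handle);

/* Get raw socket.  Declared with (void): an empty `()' in a C
   declaration means "unspecified arguments", so the compiler could not
   diagnose a call that passed some. */
int iptc_get_raw_socket(void);

/* Translates errno numbers into more human-readable form than strerror. */
const char *iptc_strerror(int err);

#ifdef __cplusplus
}
#endif


#endif /* _LIBIPTC_H */
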