libiptc.h revision d59b9db031abee37a9aa9776662dd15370faabf4
#ifndef _LIBIPTC_H
#define _LIBIPTC_H
/* Library which manipulates filtering rules.
 *
 * Public interface of libiptc.  An opaque struct iptc_handle wraps a
 * snapshot of one table (see iptc_init()); the chain and rule functions
 * below edit that snapshot, and iptc_commit() makes the edits take
 * effect.  NOTE(review): because edits are applied to a snapshot, a
 * commit presumably overwrites any change another process made to the
 * same table after this handle's iptc_init() -- confirm against the
 * implementation before relying on it for concurrent administration. */

#include <linux/types.h>
#include <libiptc/ipt_kernel_headers.h>
#ifdef __cplusplus
# include <climits>
#else
# include <limits.h> /* INT_MAX in ip_tables.h */
#endif
#include <linux/netfilter_ipv4/ip_tables.h>

#ifdef __cplusplus
extern "C" {
#endif

#ifndef IPT_MIN_ALIGN
/* ipt_entry has pointers and u_int64_t's in it, so if you align to
   it, you'll also align to any crazy matches and targets someone
   might write */
#define IPT_MIN_ALIGN (__alignof__(struct ipt_entry))
#endif

/* Round `s' up to the next multiple of IPT_MIN_ALIGN.  The mask
   arithmetic is only correct when IPT_MIN_ALIGN is a power of two,
   which __alignof__ normally yields.  `s' is evaluated twice, so do
   not pass an expression with side effects. */
#define IPT_ALIGN(s) (((s) + ((IPT_MIN_ALIGN)-1)) & ~((IPT_MIN_ALIGN)-1))

/* Opaque handle: callers only ever hold a pointer obtained from
   iptc_init() and release it with iptc_free(). */
struct iptc_handle;

/* Fixed-size chain name buffer (32 bytes).  The library presumably
   treats it as a C string, so a name must be NUL-terminated within
   those 32 bytes -- confirm against the implementation before passing
   names of 31 characters or more. */
typedef char ipt_chainlabel[32];

/* Names of the standard built-in verdicts/targets. */
#define IPTC_LABEL_ACCEPT "ACCEPT"
#define IPTC_LABEL_DROP "DROP"
#define IPTC_LABEL_QUEUE "QUEUE"
#define IPTC_LABEL_RETURN "RETURN"

/* Does this chain exist?  Returns non-zero when `chain' is present in
   the table behind `handle', 0 otherwise. */
int iptc_is_chain(const char *chain, struct iptc_handle *const handle);

/* Take a snapshot of the rules. Returns NULL on error.
   The returned handle is owned by the caller and must be released
   with iptc_free(). */
struct iptc_handle *iptc_init(const char *tablename);

/* Cleanup after iptc_init().  Releases the handle and its snapshot;
   call iptc_commit() first if pending edits are meant to take effect. */
void iptc_free(struct iptc_handle *h);

/* Iterator functions to run through the chains. Returns NULL at end.
   iptc_first_chain() (re)starts the iteration; iptc_next_chain()
   continues it.  The returned strings are presumably owned by the
   handle and valid only while it lives -- confirm. */
const char *iptc_first_chain(struct iptc_handle *handle);
const char *iptc_next_chain(struct iptc_handle *handle);

/* Get first rule in the given chain: NULL for empty chain. */
const struct ipt_entry *iptc_first_rule(const char *chain,
					struct iptc_handle *handle);

/* Returns NULL when rules run out.  `prev' is the entry returned by
   the previous iptc_first_rule()/iptc_next_rule() call. */
const struct ipt_entry *iptc_next_rule(const struct ipt_entry *prev,
				       struct iptc_handle *handle);

/* Returns a pointer to the target name of this entry. */
const char *iptc_get_target(const struct ipt_entry *e,
			    struct iptc_handle *handle);

/* Is this a built-in chain?  Returns non-zero for a built-in chain,
   0 otherwise. */
int iptc_builtin(const char *chain, struct iptc_handle *const handle);

/* Get the policy of a given built-in chain.  Returns the policy name
   (e.g. one of the IPTC_LABEL_* strings); if `counter' is non-NULL it
   presumably receives the chain's policy counters -- confirm whether
   NULL is accepted. */
const char *iptc_get_policy(const char *chain,
			    struct ipt_counters *counter,
			    struct iptc_handle *handle);

/* Unless stated otherwise, the functions below return TRUE (non-zero)
   for OK, or 0 and set errno on failure. If errno == 0 after a
   failure, it means there was a version error (ie. upgrade libiptc).
   Use iptc_strerror() rather than strerror() to describe errno. */
/* Rule numbers start at 1 for the first rule. */

/* Insert the entry `e' in chain `chain' into position `rulenum'. */
int iptc_insert_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      unsigned int rulenum,
		      struct iptc_handle *handle);

/* Atomically replace rule `rulenum' in `chain' with `e'. */
int iptc_replace_entry(const ipt_chainlabel chain,
		       const struct ipt_entry *e,
		       unsigned int rulenum,
		       struct iptc_handle *handle);

/* Append entry `e' to chain `chain'. Equivalent to insert with
   rulenum = length of chain. */
int iptc_append_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      struct iptc_handle *handle);

/* Check whether a matching rule exists.  `matchmask' has the same
   meaning as for iptc_delete_entry(): one byte per byte of *origfw
   (presumably origfw->next_offset bytes -- confirm), selecting which
   bytes of the entry must match.  The caller must size it accordingly;
   a shorter array is read out of bounds. */
int iptc_check_entry(const ipt_chainlabel chain,
		     const struct ipt_entry *origfw,
		     unsigned char *matchmask,
		     struct iptc_handle *handle);

/* Delete the first rule in `chain' which matches `origfw', subject to
   matchmask (array of length == the size of *origfw, presumably its
   next_offset -- confirm).  Only the first match is removed; call
   again to remove further matching rules. */
int iptc_delete_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *origfw,
		      unsigned char *matchmask,
		      struct iptc_handle *handle);

/* Delete the rule in position `rulenum' in `chain'. */
int iptc_delete_num_entry(const ipt_chainlabel chain,
			  unsigned int rulenum,
			  struct iptc_handle *handle);

/* Check the packet `entry' on chain `chain'. Returns the verdict, or
   NULL and sets errno.  Note that `entry' is not const: the call may
   modify the caller's entry. */
const char *iptc_check_packet(const ipt_chainlabel chain,
			      struct ipt_entry *entry,
			      struct iptc_handle *handle);

/* Flushes the entries in the given chain (ie. empties chain). */
int iptc_flush_entries(const ipt_chainlabel chain,
		       struct iptc_handle *handle);

/* Zeroes the counters in a chain. */
int iptc_zero_entries(const ipt_chainlabel chain,
		      struct iptc_handle *handle);

/* Creates a new chain. */
int iptc_create_chain(const ipt_chainlabel chain,
		      struct iptc_handle *handle);

/* Deletes a chain.  Whether a non-empty or still-referenced chain can
   be deleted is not documented here -- see iptc_get_references(). */
int iptc_delete_chain(const ipt_chainlabel chain,
		      struct iptc_handle *handle);

/* Renames a chain. */
int iptc_rename_chain(const ipt_chainlabel oldname,
		      const ipt_chainlabel newname,
		      struct iptc_handle *handle);

/* Sets the policy on a built-in chain.  `policy' is a verdict name
   (e.g. IPTC_LABEL_ACCEPT or IPTC_LABEL_DROP); `counters' presumably
   sets the policy counters -- confirm whether NULL is accepted. */
int iptc_set_policy(const ipt_chainlabel chain,
		    const ipt_chainlabel policy,
		    struct ipt_counters *counters,
		    struct iptc_handle *handle);

/* Get the number of references to this chain.  The count is stored
   through `ref'; the return value follows the error convention above. */
int iptc_get_references(unsigned int *ref,
			const ipt_chainlabel chain,
			struct iptc_handle *handle);

/* read packet and byte counters for a specific rule.  Returns NULL
   on failure (see the error convention above); the returned pointer
   is presumably owned by the handle -- do not free it. */
struct ipt_counters *iptc_read_counter(const ipt_chainlabel chain,
				       unsigned int rulenum,
				       struct iptc_handle *handle);

/* zero packet and byte counters for a specific rule */
int iptc_zero_counter(const ipt_chainlabel chain,
		      unsigned int rulenum,
		      struct iptc_handle *handle);

/* set packet and byte counters for a specific rule */
int iptc_set_counter(const ipt_chainlabel chain,
		     unsigned int rulenum,
		     struct ipt_counters *counters,
		     struct iptc_handle *handle);

/* Makes the actual changes.  Edits made through the functions above
   only affect the snapshot in `handle' until this is called. */
int iptc_commit(struct iptc_handle *handle);

/* Get raw socket.  Returns the library's raw socket file descriptor;
   the failure value is not documented here -- check the implementation
   before relying on it. */
int iptc_get_raw_socket(void);

/* Translates errno numbers into more human-readable form than strerror. */
const char *iptc_strerror(int err);

/* Presumably a debugging aid that prints the entries held by the
   handle -- confirm.  The parameter is declared without a name; it is
   the handle. */
extern void dump_entries(struct iptc_handle *const);

#ifdef __cplusplus
}
#endif


#endif /* _LIBIPTC_H */