[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data structures and backend interfaces for the three evil clones ip_tables, ip6_tables and arp_tables. In an ideal world we would never have allowed this kind of copy+paste programming... but well, our world isn't (yet?) ideal. o introduce a new x_tables module o {ip,arp,ip6}_tables depend on this x_tables module o registration functions for tables, matches and targets are only wrappers around x_tables provided functions o all matches/targets that are used from ip_tables and ip6_tables are now implemented as xt_FOOBAR.c files and provide module aliases to ipt_FOOBAR and ip6t_FOOBAR o header files for xt_matches are in include/linux/netfilter/, include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers around the xt_FOOBAR.h headers Based on this patchset we're going to further unify the code, gradually getting rid of all the layer 3 specific assumptions. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing
154 changed files
with
3,615 additions
and
4,149 deletions.
@@ -0,0 +1,224 @@ | ||
#ifndef _X_TABLES_H | ||
#define _X_TABLES_H | ||
|
||
#define XT_FUNCTION_MAXNAMELEN 30 | ||
#define XT_TABLE_MAXNAMELEN 32 | ||
|
||
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision | ||
* kernel supports, if >= revision. */ | ||
struct xt_get_revision | ||
{ | ||
char name[XT_FUNCTION_MAXNAMELEN-1]; | ||
|
||
u_int8_t revision; | ||
}; | ||
|
||
/* CONTINUE verdict for targets */ | ||
#define XT_CONTINUE 0xFFFFFFFF | ||
|
||
/* For standard target */ | ||
#define XT_RETURN (-NF_REPEAT - 1) | ||
|
||
#define XT_ALIGN(s) (((s) + (__alignof__(void *)-1)) & ~(__alignof__(void *)-1)) | ||
|
||
/* Standard return verdict, or do jump. */ | ||
#define XT_STANDARD_TARGET "" | ||
/* Error verdict. */ | ||
#define XT_ERROR_TARGET "ERROR" | ||
|
||
/* | ||
* New IP firewall options for [gs]etsockopt at the RAW IP level. | ||
* Unlike BSD Linux inherits IP options so you don't have to use a raw | ||
* socket for this. Instead we check rights in the calls. */ | ||
#define XT_BASE_CTL 64 /* base for firewall socket options */ | ||
|
||
#define XT_SO_SET_REPLACE (XT_BASE_CTL) | ||
#define XT_SO_SET_ADD_COUNTERS (XT_BASE_CTL + 1) | ||
#define XT_SO_SET_MAX XT_SO_SET_ADD_COUNTERS | ||
|
||
#define XT_SO_GET_INFO (XT_BASE_CTL) | ||
#define XT_SO_GET_ENTRIES (XT_BASE_CTL + 1) | ||
#define XT_SO_GET_REVISION_MATCH (XT_BASE_CTL + 2) | ||
#define XT_SO_GET_REVISION_TARGET (XT_BASE_CTL + 3) | ||
#define XT_SO_GET_MAX XT_SO_GET_REVISION_TARGET | ||
|
||
#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) | ||
#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) | ||
|
||
struct xt_counters | ||
{ | ||
u_int64_t pcnt, bcnt; /* Packet and byte counters */ | ||
}; | ||
|
||
/* The argument to IPT_SO_ADD_COUNTERS. */ | ||
struct xt_counters_info | ||
{ | ||
/* Which table. */ | ||
char name[XT_TABLE_MAXNAMELEN]; | ||
|
||
unsigned int num_counters; | ||
|
||
/* The counters (actually `number' of these). */ | ||
struct xt_counters counters[0]; | ||
}; | ||
|
||
#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ | ||
|
||
#ifdef __KERNEL__ | ||
|
||
#include <linux/netdevice.h> | ||
|
||
#define ASSERT_READ_LOCK(x) | ||
#define ASSERT_WRITE_LOCK(x) | ||
#include <linux/netfilter_ipv4/listhelp.h> | ||
|
||
struct xt_match | ||
{ | ||
struct list_head list; | ||
|
||
const char name[XT_FUNCTION_MAXNAMELEN-1]; | ||
|
||
u_int8_t revision; | ||
|
||
/* Return true or false: return FALSE and set *hotdrop = 1 to | ||
force immediate packet drop. */ | ||
/* Arguments changed since 2.6.9, as this must now handle | ||
non-linear skb, using skb_header_pointer and | ||
skb_ip_make_writable. */ | ||
int (*match)(const struct sk_buff *skb, | ||
const struct net_device *in, | ||
const struct net_device *out, | ||
const void *matchinfo, | ||
int offset, | ||
unsigned int protoff, | ||
int *hotdrop); | ||
|
||
/* Called when user tries to insert an entry of this type. */ | ||
/* Should return true or false. */ | ||
int (*checkentry)(const char *tablename, | ||
const void *ip, | ||
void *matchinfo, | ||
unsigned int matchinfosize, | ||
unsigned int hook_mask); | ||
|
||
/* Called when entry of this type deleted. */ | ||
void (*destroy)(void *matchinfo, unsigned int matchinfosize); | ||
|
||
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ | ||
struct module *me; | ||
}; | ||
|
||
/* Registration hooks for targets. */ | ||
struct xt_target | ||
{ | ||
struct list_head list; | ||
|
||
const char name[XT_FUNCTION_MAXNAMELEN-1]; | ||
|
||
u_int8_t revision; | ||
|
||
/* Returns verdict. Argument order changed since 2.6.9, as this | ||
must now handle non-linear skbs, using skb_copy_bits and | ||
skb_ip_make_writable. */ | ||
unsigned int (*target)(struct sk_buff **pskb, | ||
const struct net_device *in, | ||
const struct net_device *out, | ||
unsigned int hooknum, | ||
const void *targinfo, | ||
void *userdata); | ||
|
||
/* Called when user tries to insert an entry of this type: | ||
hook_mask is a bitmask of hooks from which it can be | ||
called. */ | ||
/* Should return true or false. */ | ||
int (*checkentry)(const char *tablename, | ||
const void *entry, | ||
void *targinfo, | ||
unsigned int targinfosize, | ||
unsigned int hook_mask); | ||
|
||
/* Called when entry of this type deleted. */ | ||
void (*destroy)(void *targinfo, unsigned int targinfosize); | ||
|
||
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ | ||
struct module *me; | ||
}; | ||
|
||
/* Furniture shopping... */ | ||
struct xt_table | ||
{ | ||
struct list_head list; | ||
|
||
/* A unique name... */ | ||
char name[XT_TABLE_MAXNAMELEN]; | ||
|
||
/* What hooks you will enter on */ | ||
unsigned int valid_hooks; | ||
|
||
/* Lock for the curtain */ | ||
rwlock_t lock; | ||
|
||
/* Man behind the curtain... */ | ||
//struct ip6t_table_info *private; | ||
void *private; | ||
|
||
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ | ||
struct module *me; | ||
|
||
int af; /* address/protocol family */ | ||
}; | ||
|
||
#include <linux/netfilter_ipv4.h> | ||
|
||
/* The table itself */ | ||
struct xt_table_info | ||
{ | ||
/* Size per table */ | ||
unsigned int size; | ||
/* Number of entries: FIXME. --RR */ | ||
unsigned int number; | ||
/* Initial number of entries. Needed for module usage count */ | ||
unsigned int initial_entries; | ||
|
||
/* Entry points and underflows */ | ||
unsigned int hook_entry[NF_IP_NUMHOOKS]; | ||
unsigned int underflow[NF_IP_NUMHOOKS]; | ||
|
||
/* ipt_entry tables: one per CPU */ | ||
char *entries[NR_CPUS]; | ||
}; | ||
|
||
extern int xt_register_target(int af, struct xt_target *target); | ||
extern void xt_unregister_target(int af, struct xt_target *target); | ||
extern int xt_register_match(int af, struct xt_match *target); | ||
extern void xt_unregister_match(int af, struct xt_match *target); | ||
|
||
extern int xt_register_table(struct xt_table *table, | ||
struct xt_table_info *bootstrap, | ||
struct xt_table_info *newinfo); | ||
extern void *xt_unregister_table(struct xt_table *table); | ||
|
||
extern struct xt_table_info *xt_replace_table(struct xt_table *table, | ||
unsigned int num_counters, | ||
struct xt_table_info *newinfo, | ||
int *error); | ||
|
||
extern struct xt_match *xt_find_match(int af, const char *name, u8 revision); | ||
extern struct xt_target *xt_find_target(int af, const char *name, u8 revision); | ||
extern struct xt_target *xt_request_find_target(int af, const char *name, | ||
u8 revision); | ||
extern int xt_find_revision(int af, const char *name, u8 revision, int target, | ||
int *err); | ||
|
||
extern struct xt_table *xt_find_table_lock(int af, const char *name); | ||
extern void xt_table_unlock(struct xt_table *t); | ||
|
||
extern int xt_proto_init(int af); | ||
extern void xt_proto_fini(int af); | ||
|
||
extern struct xt_table_info *xt_alloc_table_info(unsigned int size); | ||
extern void xt_free_table_info(struct xt_table_info *info); | ||
|
||
#endif /* __KERNEL__ */ | ||
|
||
#endif /* _X_TABLES_H */ |
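Review bot: `struct xt_counters_info` declares its trailing array as `struct xt_counters counters[0];`, a GNU zero-length array where the C99 flexible array member `struct xt_counters counters[];` expresses the same layout without the extension. The comment above the struct says it is the argument to the add-counters setsockopt, so `num_counters` is user-controlled; a header comment such as `/* num_counters is user-supplied: validate it against the option length before sizing counters[] */` would record the contract the consumers (which live outside this diff) must honour, and the same goes for the user-supplied `name` fields in `xt_get_revision` and `xt_counters_info`, which the header does not state are NUL-terminated on arrival. Separately, the commented-out `//struct ip6t_table_info *private;` in `struct xt_table` is dead text and should be dropped.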
@@ -0,0 +1,8 @@ | ||
#ifndef _XT_CLASSIFY_H | ||
#define _XT_CLASSIFY_H | ||
|
||
struct xt_classify_target_info { | ||
u_int32_t priority; | ||
}; | ||
|
||
#endif /*_XT_CLASSIFY_H */ |
@@ -0,0 +1,25 @@ | ||
#ifndef _XT_CONNMARK_H_target | ||
#define _XT_CONNMARK_H_target | ||
|
||
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> | ||
* by Henrik Nordstrom <hno@marasystems.com> | ||
* | ||
* This program is free software; you can redistribute it and/or modify | ||
* it under the terms of the GNU General Public License as published by | ||
* the Free Software Foundation; either version 2 of the License, or | ||
* (at your option) any later version. | ||
*/ | ||
|
||
enum { | ||
XT_CONNMARK_SET = 0, | ||
XT_CONNMARK_SAVE, | ||
XT_CONNMARK_RESTORE | ||
}; | ||
|
||
struct xt_connmark_target_info { | ||
unsigned long mark; | ||
unsigned long mask; | ||
u_int8_t mode; | ||
}; | ||
|
||
#endif /*_XT_CONNMARK_H_target*/ |
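Review bot: `struct xt_connmark_target_info` carries `mark` and `mask` as `unsigned long`, which is 4 bytes for a 32-bit userspace and 8 bytes for a 64-bit kernel, so a structure handed in by a 32-bit iptables to a 64-bit kernel would have a different size and field offsets than the kernel-side definition; fixed-width `u_int32_t` fields would keep the layout identical across ABIs. Since this file appears to be a relocation of an existing userspace-visible header, changing the field types is an ABI change and would need a new target revision rather than an in-place edit, so the practical step for this commit is a comment recording the limitation, e.g. `/* unsigned long differs in size between 32-bit and 64-bit ABIs; fix in a later revision */`. The same `unsigned long` layout appears in `xt_mark_target_info` and `xt_mark_target_info_v1` (the `_XT_MARK_H_target` file) and in `xt_connmark_info` (the `_XT_CONNMARK_H` file).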
@@ -0,0 +1,21 @@ | ||
#ifndef _XT_MARK_H_target | ||
#define _XT_MARK_H_target | ||
|
||
/* Version 0 */ | ||
struct xt_mark_target_info { | ||
unsigned long mark; | ||
}; | ||
|
||
/* Version 1 */ | ||
enum { | ||
XT_MARK_SET=0, | ||
XT_MARK_AND, | ||
XT_MARK_OR, | ||
}; | ||
|
||
struct xt_mark_target_info_v1 { | ||
unsigned long mark; | ||
u_int8_t mode; | ||
}; | ||
|
||
#endif /*_XT_MARK_H_target */ |
@@ -0,0 +1,16 @@ | ||
/* iptables module for using NFQUEUE mechanism | ||
* | ||
* (C) 2005 Harald Welte <laforge@netfilter.org> | ||
* | ||
* This software is distributed under GNU GPL v2, 1991 | ||
* | ||
*/ | ||
#ifndef _XT_NFQ_TARGET_H | ||
#define _XT_NFQ_TARGET_H | ||
|
||
/* target info */ | ||
struct xt_NFQ_info { | ||
u_int16_t queuenum; | ||
}; | ||
|
||
#endif /* _XT_NFQ_TARGET_H */ |
@@ -0,0 +1,10 @@ | ||
#ifndef _XT_COMMENT_H | ||
#define _XT_COMMENT_H | ||
|
||
#define XT_MAX_COMMENT_LEN 256 | ||
|
||
struct xt_comment_info { | ||
unsigned char comment[XT_MAX_COMMENT_LEN]; | ||
}; | ||
|
||
#endif /* XT_COMMENT_H */ |
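Review bot: The closing guard comment `#endif /* XT_COMMENT_H */` does not match the guard macro `_XT_COMMENT_H` defined at the top of the file; `#endif /* _XT_COMMENT_H */` keeps them in sync. The `comment` buffer is a fixed `unsigned char` array of `XT_MAX_COMMENT_LEN` bytes with no note on whether it is expected to be NUL-terminated or is simply opaque to the kernel; a one-line comment stating which would spare the next reader from checking the consumer.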
@@ -0,0 +1,25 @@ | ||
#ifndef _XT_CONNBYTES_H | ||
#define _XT_CONNBYTES_H | ||
|
||
enum xt_connbytes_what { | ||
XT_CONNBYTES_PKTS, | ||
XT_CONNBYTES_BYTES, | ||
XT_CONNBYTES_AVGPKT, | ||
}; | ||
|
||
enum xt_connbytes_direction { | ||
XT_CONNBYTES_DIR_ORIGINAL, | ||
XT_CONNBYTES_DIR_REPLY, | ||
XT_CONNBYTES_DIR_BOTH, | ||
}; | ||
|
||
struct xt_connbytes_info | ||
{ | ||
struct { | ||
aligned_u64 from; /* count to be matched */ | ||
aligned_u64 to; /* count to be matched */ | ||
} count; | ||
u_int8_t what; /* ipt_connbytes_what */ | ||
u_int8_t direction; /* ipt_connbytes_direction */ | ||
}; | ||
#endif |
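Review bot: The field comments `/* ipt_connbytes_what */` and `/* ipt_connbytes_direction */` on `what` and `direction` still name the old `ipt_` enums, although the enums declared in this file are `xt_connbytes_what` and `xt_connbytes_direction`; update them to `/* enum xt_connbytes_what */` and `/* enum xt_connbytes_direction */`. The trailing `#endif` also lacks the guard comment the other new headers carry, `#endif /* _XT_CONNBYTES_H */`.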
@@ -0,0 +1,18 @@ | ||
#ifndef _XT_CONNMARK_H | ||
#define _XT_CONNMARK_H | ||
|
||
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> | ||
* by Henrik Nordstrom <hno@marasystems.com> | ||
* | ||
* This program is free software; you can redistribute it and/or modify | ||
* it under the terms of the GNU General Public License as published by | ||
* the Free Software Foundation; either version 2 of the License, or | ||
* (at your option) any later version. | ||
*/ | ||
|
||
struct xt_connmark_info { | ||
unsigned long mark, mask; | ||
u_int8_t invert; | ||
}; | ||
|
||
#endif /*_XT_CONNMARK_H*/ |