|
1 #ifndef __LINUX_NETFILTER_H |
|
2 #define __LINUX_NETFILTER_H |
|
3 |
|
4 #ifdef __KERNEL__ |
|
5 #include <linux/init.h> |
|
6 #include <linux/skbuff.h> |
|
7 #include <linux/net.h> |
|
8 #include <linux/if.h> |
|
9 #include <linux/in.h> |
|
10 #include <linux/in6.h> |
|
11 #include <linux/wait.h> |
|
12 #include <linux/list.h> |
|
13 #endif |
|
14 #include <linux/types.h> |
|
15 #include <linux/compiler.h> |
|
16 |
|
17 /* Responses from hook functions. */ |
|
18 #define NF_DROP 0 |
|
19 #define NF_ACCEPT 1 |
|
20 #define NF_STOLEN 2 |
|
21 #define NF_QUEUE 3 |
|
22 #define NF_REPEAT 4 |
|
23 #define NF_STOP 5 |
|
24 #define NF_MAX_VERDICT NF_STOP |
|
25 |
|
26 /* we overload the higher bits for encoding auxiliary data such as the queue |
|
27 * number. Not nice, but better than additional function arguments. */ |
|
28 #define NF_VERDICT_MASK 0x0000ffff |
|
29 #define NF_VERDICT_BITS 16 |
|
30 |
|
31 #define NF_VERDICT_QMASK 0xffff0000 |
|
32 #define NF_VERDICT_QBITS 16 |
|
33 |
|
34 #define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE) |
|
35 |
|
36 /* only for userspace compatibility */ |
|
37 #ifndef __KERNEL__ |
|
38 /* Generic cache responses from hook functions. |
|
39 <= 0x2000 is used for protocol-flags. */ |
|
40 #define NFC_UNKNOWN 0x4000 |
|
41 #define NFC_ALTERED 0x8000 |
|
42 #endif |
|
43 |
|
44 enum nf_inet_hooks { |
|
45 NF_INET_PRE_ROUTING, |
|
46 NF_INET_LOCAL_IN, |
|
47 NF_INET_FORWARD, |
|
48 NF_INET_LOCAL_OUT, |
|
49 NF_INET_POST_ROUTING, |
|
50 NF_INET_NUMHOOKS |
|
51 }; |
|
52 |
|
53 enum { |
|
54 NFPROTO_UNSPEC = 0, |
|
55 NFPROTO_IPV4 = 2, |
|
56 NFPROTO_ARP = 3, |
|
57 NFPROTO_BRIDGE = 7, |
|
58 NFPROTO_IPV6 = 10, |
|
59 NFPROTO_DECNET = 12, |
|
60 NFPROTO_NUMPROTO, |
|
61 }; |
|
62 |
|
63 union nf_inet_addr { |
|
64 __u32 all[4]; |
|
65 __be32 ip; |
|
66 __be32 ip6[4]; |
|
67 struct in_addr in; |
|
68 struct in6_addr in6; |
|
69 }; |
|
70 |
|
71 #ifdef __KERNEL__ |
|
72 #ifdef CONFIG_NETFILTER |
|
73 |
|
74 static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1, |
|
75 const union nf_inet_addr *a2) |
|
76 { |
|
77 return a1->all[0] == a2->all[0] && |
|
78 a1->all[1] == a2->all[1] && |
|
79 a1->all[2] == a2->all[2] && |
|
80 a1->all[3] == a2->all[3]; |
|
81 } |
|
82 |
|
83 extern void netfilter_init(void); |
|
84 |
|
85 /* Largest hook number + 1 */ |
|
86 #define NF_MAX_HOOKS 8 |
|
87 |
|
88 struct sk_buff; |
|
89 |
|
90 typedef unsigned int nf_hookfn(unsigned int hooknum, |
|
91 struct sk_buff *skb, |
|
92 const struct net_device *in, |
|
93 const struct net_device *out, |
|
94 int (*okfn)(struct sk_buff *)); |
|
95 |
|
96 struct nf_hook_ops |
|
97 { |
|
98 struct list_head list; |
|
99 |
|
100 /* User fills in from here down. */ |
|
101 nf_hookfn *hook; |
|
102 struct module *owner; |
|
103 u_int8_t pf; |
|
104 unsigned int hooknum; |
|
105 /* Hooks are ordered in ascending priority. */ |
|
106 int priority; |
|
107 }; |
|
108 |
|
109 struct nf_sockopt_ops |
|
110 { |
|
111 struct list_head list; |
|
112 |
|
113 u_int8_t pf; |
|
114 |
|
115 /* Non-inclusive ranges: use 0/0/NULL to never get called. */ |
|
116 int set_optmin; |
|
117 int set_optmax; |
|
118 int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len); |
|
119 int (*compat_set)(struct sock *sk, int optval, |
|
120 void __user *user, unsigned int len); |
|
121 |
|
122 int get_optmin; |
|
123 int get_optmax; |
|
124 int (*get)(struct sock *sk, int optval, void __user *user, int *len); |
|
125 int (*compat_get)(struct sock *sk, int optval, |
|
126 void __user *user, int *len); |
|
127 |
|
128 /* Use the module struct to lock set/get code in place */ |
|
129 struct module *owner; |
|
130 }; |
|
131 |
|
132 /* Function to register/unregister hook points. */ |
|
133 int nf_register_hook(struct nf_hook_ops *reg); |
|
134 void nf_unregister_hook(struct nf_hook_ops *reg); |
|
135 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n); |
|
136 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n); |
|
137 |
|
138 /* Functions to register get/setsockopt ranges (non-inclusive). You |
|
139 need to check permissions yourself! */ |
|
140 int nf_register_sockopt(struct nf_sockopt_ops *reg); |
|
141 void nf_unregister_sockopt(struct nf_sockopt_ops *reg); |
|
142 |
|
143 #ifdef CONFIG_SYSCTL |
|
144 /* Sysctl registration */ |
|
145 extern struct ctl_path nf_net_netfilter_sysctl_path[]; |
|
146 extern struct ctl_path nf_net_ipv4_netfilter_sysctl_path[]; |
|
147 #endif /* CONFIG_SYSCTL */ |
|
148 |
|
149 extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; |
|
150 |
|
151 int nf_hook_slow(u_int8_t pf, unsigned int hook, struct sk_buff *skb, |
|
152 struct net_device *indev, struct net_device *outdev, |
|
153 int (*okfn)(struct sk_buff *), int thresh); |
|
154 |
|
155 /** |
|
156 * nf_hook_thresh - call a netfilter hook |
|
157 * |
|
158 * Returns 1 if the hook has allowed the packet to pass. The function |
|
159 * okfn must be invoked by the caller in this case. Any other return |
|
160 * value indicates the packet has been consumed by the hook. |
|
161 */ |
|
162 static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, |
|
163 struct sk_buff *skb, |
|
164 struct net_device *indev, |
|
165 struct net_device *outdev, |
|
166 int (*okfn)(struct sk_buff *), int thresh, |
|
167 int cond) |
|
168 { |
|
169 if (!cond) |
|
170 return 1; |
|
171 #ifndef CONFIG_NETFILTER_DEBUG |
|
172 if (list_empty(&nf_hooks[pf][hook])) |
|
173 return 1; |
|
174 #endif |
|
175 return nf_hook_slow(pf, hook, skb, indev, outdev, okfn, thresh); |
|
176 } |
|
177 |
|
178 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb, |
|
179 struct net_device *indev, struct net_device *outdev, |
|
180 int (*okfn)(struct sk_buff *)) |
|
181 { |
|
182 return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN, 1); |
|
183 } |
|
184 |
|
185 /* Activate hook; either okfn or kfree_skb called, unless a hook |
|
186 returns NF_STOLEN (in which case, it's up to the hook to deal with |
|
187 the consequences). |
|
188 |
|
189 Returns -ERRNO if packet dropped. Zero means queued, stolen or |
|
190 accepted. |
|
191 */ |
|
192 |
|
193 /* RR: |
|
194 > I don't want nf_hook to return anything because people might forget |
|
195 > about async and trust the return value to mean "packet was ok". |
|
196 |
|
197 AK: |
|
198 Just document it clearly, then you can expect some sense from kernel |
|
199 coders :) |
|
200 */ |
|
201 |
|
202 /* This is gross, but inline doesn't cut it for avoiding the function |
|
203 call in fast path: gcc doesn't inline (needs value tracking?). --RR */ |
|
204 |
|
205 /* HX: It's slightly less gross now. */ |
|
206 |
|
207 #define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \ |
|
208 ({int __ret; \ |
|
209 if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, thresh, 1)) == 1)\ |
|
210 __ret = (okfn)(skb); \ |
|
211 __ret;}) |
|
212 |
|
213 #define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \ |
|
214 ({int __ret; \ |
|
215 if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, INT_MIN, cond)) == 1)\ |
|
216 __ret = (okfn)(skb); \ |
|
217 __ret;}) |
|
218 |
|
219 #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \ |
|
220 NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN) |
|
221 |
|
222 /* Call setsockopt() */ |
|
223 int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, |
|
224 int len); |
|
225 int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, |
|
226 int *len); |
|
227 |
|
228 int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, |
|
229 char __user *opt, int len); |
|
230 int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, |
|
231 char __user *opt, int *len); |
|
232 |
|
233 /* Call this before modifying an existing packet: ensures it is |
|
234 modifiable and linear to the point you care about (writable_len). |
|
235 Returns true or false. */ |
|
236 extern int skb_make_writable(struct sk_buff *skb, unsigned int writable_len); |
|
237 |
|
238 struct flowi; |
|
239 struct nf_queue_entry; |
|
240 |
|
241 struct nf_afinfo { |
|
242 unsigned short family; |
|
243 __sum16 (*checksum)(struct sk_buff *skb, unsigned int hook, |
|
244 unsigned int dataoff, u_int8_t protocol); |
|
245 __sum16 (*checksum_partial)(struct sk_buff *skb, |
|
246 unsigned int hook, |
|
247 unsigned int dataoff, |
|
248 unsigned int len, |
|
249 u_int8_t protocol); |
|
250 int (*route)(struct dst_entry **dst, struct flowi *fl); |
|
251 void (*saveroute)(const struct sk_buff *skb, |
|
252 struct nf_queue_entry *entry); |
|
253 int (*reroute)(struct sk_buff *skb, |
|
254 const struct nf_queue_entry *entry); |
|
255 int route_key_size; |
|
256 }; |
|
257 |
|
258 extern const struct nf_afinfo *nf_afinfo[NFPROTO_NUMPROTO]; |
|
259 static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family) |
|
260 { |
|
261 return rcu_dereference(nf_afinfo[family]); |
|
262 } |
|
263 |
|
264 static inline __sum16 |
|
265 nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, |
|
266 u_int8_t protocol, unsigned short family) |
|
267 { |
|
268 const struct nf_afinfo *afinfo; |
|
269 __sum16 csum = 0; |
|
270 |
|
271 rcu_read_lock(); |
|
272 afinfo = nf_get_afinfo(family); |
|
273 if (afinfo) |
|
274 csum = afinfo->checksum(skb, hook, dataoff, protocol); |
|
275 rcu_read_unlock(); |
|
276 return csum; |
|
277 } |
|
278 |
|
279 static inline __sum16 |
|
280 nf_checksum_partial(struct sk_buff *skb, unsigned int hook, |
|
281 unsigned int dataoff, unsigned int len, |
|
282 u_int8_t protocol, unsigned short family) |
|
283 { |
|
284 const struct nf_afinfo *afinfo; |
|
285 __sum16 csum = 0; |
|
286 |
|
287 rcu_read_lock(); |
|
288 afinfo = nf_get_afinfo(family); |
|
289 if (afinfo) |
|
290 csum = afinfo->checksum_partial(skb, hook, dataoff, len, |
|
291 protocol); |
|
292 rcu_read_unlock(); |
|
293 return csum; |
|
294 } |
|
295 |
|
296 extern int nf_register_afinfo(const struct nf_afinfo *afinfo); |
|
297 extern void nf_unregister_afinfo(const struct nf_afinfo *afinfo); |
|
298 |
|
299 #include <net/flow.h> |
|
300 extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *); |
|
301 |
|
302 static inline void |
|
303 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) |
|
304 { |
|
305 #ifdef CONFIG_NF_NAT_NEEDED |
|
306 void (*decodefn)(struct sk_buff *, struct flowi *); |
|
307 |
|
308 if (family == AF_INET) { |
|
309 rcu_read_lock(); |
|
310 decodefn = rcu_dereference(ip_nat_decode_session); |
|
311 if (decodefn) |
|
312 decodefn(skb, fl); |
|
313 rcu_read_unlock(); |
|
314 } |
|
315 #endif |
|
316 } |
|
317 |
|
318 #ifdef CONFIG_PROC_FS |
|
319 #include <linux/proc_fs.h> |
|
320 extern struct proc_dir_entry *proc_net_netfilter; |
|
321 #endif |
|
322 |
|
323 #else /* !CONFIG_NETFILTER */ |
|
324 #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb) |
|
325 #define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb) |
|
326 static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, |
|
327 struct sk_buff *skb, |
|
328 struct net_device *indev, |
|
329 struct net_device *outdev, |
|
330 int (*okfn)(struct sk_buff *), int thresh, |
|
331 int cond) |
|
332 { |
|
333 return okfn(skb); |
|
334 } |
|
335 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb, |
|
336 struct net_device *indev, struct net_device *outdev, |
|
337 int (*okfn)(struct sk_buff *)) |
|
338 { |
|
339 return 1; |
|
340 } |
|
341 struct flowi; |
|
342 static inline void |
|
343 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) |
|
344 { |
|
345 } |
|
346 #endif /*CONFIG_NETFILTER*/ |
|
347 |
|
348 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) |
|
349 extern void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *); |
|
350 extern void nf_ct_attach(struct sk_buff *, struct sk_buff *); |
|
351 extern void (*nf_ct_destroy)(struct nf_conntrack *); |
|
352 #else |
|
353 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} |
|
354 #endif |
|
355 |
|
356 #endif /*__KERNEL__*/ |
|
357 #endif /*__LINUX_NETFILTER_H*/ |