#ifndef __LINUX_NETFILTER_H
#define __LINUX_NETFILTER_H
#ifdef __KERNEL__
#include <linux/init.h>
#include <linux/types.h>
#include <linux/skbuff.h>
#include <linux/net.h>
#include <linux/if.h>
#include <linux/wait.h>
#include <linux/list.h>
#endif
/* Responses (verdicts) a hook function returns to the netfilter core.
 * What the core does with them is described at NF_HOOK below: NF_DROP
 * frees the skb (kfree_skb) and NF_HOOK reports -ERRNO; NF_STOLEN means
 * the hook has taken ownership of the skb and the core will neither free
 * it nor call okfn; NF_QUEUE hands the skb to the queue handler
 * registered with nf_register_queue_handler() (queued "to userspace",
 * see struct nf_info).  NF_ACCEPT presumably lets traversal continue
 * towards okfn and NF_REPEAT presumably re-runs the hook -- neither is
 * spelled out in this header, confirm in nf_hook_slow(). */
#define NF_DROP 0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE 3
#define NF_REPEAT 4
/* Highest valid verdict.  A verdict that comes back from userspace via
 * nf_reinject() is an unsigned int and is untrusted: anything above
 * NF_MAX_VERDICT should be rejected before it is acted on -- whether
 * nf_reinject() does that is not visible here, confirm. */
#define NF_MAX_VERDICT NF_REPEAT
/* Generic cache responses from hook functions.
   <= 0x2000 is used for protocol-flags, so these two bits sit above the
   protocol flag space.  Presumably NFC_UNKNOWN means "hook cannot
   classify this packet" and NFC_ALTERED means "hook modified it" -- the
   names are all this header gives.  Note the FIXME at
   nf_invalidate_cache() further down: the cache is not implemented for
   real yet, so nothing should rely on these values being honoured. */
#define NFC_UNKNOWN 0x4000
#define NFC_ALTERED 0x8000
#ifdef __KERNEL__
#include <linux/config.h>
#ifdef CONFIG_NETFILTER
/* One-time initialisation of the netfilter core.  Where it is called
 * from is not visible in this header. */
extern void netfilter_init(void);

/* Largest hook number + 1: the second dimension of nf_hooks[][] below.
 * A hooknum handed to nf_register_hook() or NF_HOOK() indexes that
 * array with no check visible in this header, so it must be
 * < NF_MAX_HOOKS; confirm that nf_register_hook() validates it before
 * trusting a hooknum supplied by a module. */
#define NF_MAX_HOOKS 8

/* Forward declarations: the hook API only needs pointers to these. */
struct sk_buff;
struct net_device;
/* Signature of a hook function.
 *   hooknum - which hook point (0 .. NF_MAX_HOOKS-1) is being traversed
 *   skb     - the packet, passed by reference so the hook may substitute
 *             a different sk_buff for the one it was given
 *   in/out  - ingress and egress devices; whether either may be NULL at
 *             a given hook point is not stated here -- confirm per hook
 *   okfn    - the continuation NF_HOOK invokes for an accepted packet
 *             (see the NF_HOOK comment below)
 * Returns one of the NF_* verdicts defined above. */
typedef unsigned int nf_hookfn(unsigned int hooknum,
			       struct sk_buff **skb,
			       const struct net_device *in,
			       const struct net_device *out,
			       int (*okfn)(struct sk_buff *));
/* Registration record for one hook function.  The caller owns this
 * structure and must keep it alive, and leave pf/hooknum/priority
 * unchanged, from nf_register_hook() until nf_unregister_hook()
 * returns: the core links it into nf_hooks[pf][hooknum] through .list
 * (NF_HOOK tests list_empty() on exactly that list). */
struct nf_hook_ops
{
	/* Core-owned link in nf_hooks[pf][hooknum]; do not touch. */
	struct list_head list;

	/* User fills in from here down. */
	nf_hookfn *hook;
	/* Protocol family: first index into nf_hooks[], must be < NPROTO. */
	int pf;
	/* Hook point: second index into nf_hooks[], must be < NF_MAX_HOOKS.
	 * Both indices are plain ints, so a negative value would index
	 * out of bounds; they must be validated at registration time
	 * (not visible in this header -- confirm in nf_register_hook()). */
	int hooknum;
	/* Hooks are ordered in ascending priority. */
	int priority;
};
/* Registration record for a range of get/setsockopt option numbers that
 * netfilter dispatches to a module (via nf_setsockopt()/nf_getsockopt()
 * below).  These handlers are reached from user sockets and, as the
 * comment at nf_register_sockopt() says, nothing here checks
 * permissions for them: each set()/get() must verify the caller is
 * allowed before acting, and must treat `user' as an untrusted
 * userspace pointer -- copy in/out with bounds checking against `len'
 * (presumably copy_from_user()/copy_to_user()), never dereference it
 * directly. */
struct nf_sockopt_ops
{
	/* Core-owned list link. */
	struct list_head list;

	/* Protocol family this range applies to. */
	int pf;

	/* Non-inclusive ranges: use 0/0/NULL to never get called. */
	/* "Non-inclusive" presumably means optmin <= optval < optmax;
	 * confirm against the dispatch in nf_setsockopt(). */
	int set_optmin;
	int set_optmax;
	/* len is unsigned here, but nf_setsockopt() below takes a signed
	 * int len: a negative length must be rejected before it reaches
	 * this call or it arrives as a huge unsigned value. */
	int (*set)(struct sock *sk, int optval, void *user, unsigned int len);

	int get_optmin;
	int get_optmax;
	/* *len is the caller's buffer size on entry (and presumably the
	 * number of bytes written on return); get() must never write more
	 * than the incoming *len through `user'. */
	int (*get)(struct sock *sk, int optval, void *user, int *len);

	/* Number of users inside set() or get(). */
	/* Presumably keeps an unregistering module from being torn down
	 * while a handler is still running, with cleanup_task being the
	 * task sleeping in nf_unregister_sockopt() until use drops to
	 * zero -- confirm in netfilter.c. */
	unsigned int use;
	struct task_struct *cleanup_task;
};
/* Each queued (to userspace) skbuff has one of these.  It records where
 * in hook traversal the packet left the kernel so that nf_reinject()
 * can resume (or drop) it with the verdict it is later given. */
struct nf_info
{
	/* The ops struct which sent us to userspace. */
	/* Points at a registered nf_hook_ops; if that hook is unregistered
	 * while the packet is still queued this pointer dangles.  Whatever
	 * guards against that is not visible in this header -- confirm. */
	struct nf_hook_ops *elem;

	/* If we're sent to userspace, this keeps housekeeping info */
	int pf;
	unsigned int hook;
	/* Devices the packet arrived on / is leaving by.  Same lifetime
	 * concern as elem: a device may disappear while the packet is
	 * queued. */
	struct net_device *indev, *outdev;
	/* Continuation to call if the packet is eventually accepted. */
	int (*okfn)(struct sk_buff *);
};
/* Function to register/unregister hook points. */
/* reg must outlive the registration: it is linked into nf_hooks[] and
 * is not copied.  Only the prototypes are visible here; the return
 * value is presumably 0 on success or a negative errno. */
int nf_register_hook(struct nf_hook_ops *reg);
void nf_unregister_hook(struct nf_hook_ops *reg);

/* Functions to register get/setsockopt ranges (non-inclusive). You
   need to check permissions yourself! */
/* I.e. the set()/get() handlers in reg are called for a socket whose
   family matches reg->pf and whose option number falls in the range,
   and no layer of this API performs a capability check on the caller.
   A handler that changes kernel state must therefore do its own check
   (e.g. capable(CAP_NET_ADMIN)) before touching anything. */
int nf_register_sockopt(struct nf_sockopt_ops *reg);
void nf_unregister_sockopt(struct nf_sockopt_ops *reg);

/* Registered hooks, indexed [protocol family][hook number].  Read by
 * the NF_HOOK fast path below with no locking visible in this header;
 * the rules for modifying it live in netfilter.c. */
extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
/* Activate hook; either okfn or kfree_skb called, unless a hook
|
102 |
|
|
returns NF_STOLEN (in which case, it's up to the hook to deal with
|
103 |
|
|
the consequences).
|
104 |
|
|
|
105 |
|
|
Returns -ERRNO if the packet was dropped.  Zero means it was queued,
stolen or accepted -- so a zero return does NOT mean the packet reached
okfn (it may still be sitting in a userspace queue or be owned by a
hook), and callers must not treat it as "packet delivered"; see the
RR/AK exchange below.
|
107 |
|
|
*/
/* RR:
|
110 |
|
|
> I don't want nf_hook to return anything because people might forget
|
111 |
|
|
> about async and trust the return value to mean "packet was ok".
|
112 |
|
|
|
113 |
|
|
AK:
|
114 |
|
|
Just document it clearly, then you can expect some sense from kernel
|
115 |
|
|
coders :)
|
116 |
|
|
*/
/* This is gross, but inline doesn't cut it for avoiding the function
   call in fast path: gcc doesn't inline (needs value tracking?). --RR */
/* NF_HOOK(pf, hook, skb, indev, outdev, okfn): run the hooks registered
 * in nf_hooks[pf][hook] on skb, or call okfn(skb) directly when none are
 * registered.  Notes for callers:
 *  - pf and hook are expanded twice (in list_empty() and again in the
 *    nf_hook_slow() call), so they must be side-effect free; the other
 *    arguments are expanded once on whichever path is taken.
 *  - pf/hook index nf_hooks[] unchecked; they must be < NPROTO and
 *    < NF_MAX_HOOKS respectively.
 *  - the result is okfn's return value on the fast path and
 *    nf_hook_slow()'s on the slow path; per the comment above, zero does
 *    not mean the packet has been delivered (it may be queued or stolen).
 *  - with CONFIG_NETFILTER_DEBUG the empty-list shortcut is skipped and
 *    every packet goes through nf_hook_slow(). */
#ifdef CONFIG_NETFILTER_DEBUG
#define NF_HOOK nf_hook_slow
#else
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
	(list_empty(&nf_hooks[(pf)][(hook)]) \
	 ? (okfn)(skb) \
	 : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn)))
#endif
/* Slow path behind NF_HOOK(): walks the hooks in nf_hooks[pf][hook]
 * (ordered by ascending priority, see struct nf_hook_ops) and acts on
 * their verdicts.  Return-value semantics are those given in the
 * comment above NF_HOOK: -ERRNO on drop, zero for queued/stolen/
 * accepted.  Note skb is taken by value here while nf_hookfn takes
 * struct sk_buff **; presumably the hooks receive the address of this
 * parameter. */
int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
		 struct net_device *indev, struct net_device *outdev,
		 int (*okfn)(struct sk_buff *));
/* Call setsockopt() */
/* Dispatch a socket option to the nf_sockopt_ops registered for pf whose
 * set range covers optval.  opt is the buffer the socket layer handed in,
 * i.e. presumably a userspace pointer that must not be dereferenced
 * directly.  len is a signed int here but nf_sockopt_ops.set() takes an
 * unsigned int len: a negative len must be rejected before dispatch or
 * it arrives in the handler as a huge unsigned length -- confirm that
 * nf_setsockopt() does this. */
int nf_setsockopt(struct sock *sk, int pf, int optval, char *opt,
		  int len);
/* As above for getsockopt().  *len is the caller's buffer size on entry
 * and the handler must not write more than that through opt. */
int nf_getsockopt(struct sock *sk, int pf, int optval, char *opt,
		  int *len);
/* Packet queuing */
/* Queue handler callback: receives a packet for which a hook returned
 * NF_QUEUE, together with the nf_info needed to nf_reinject() it later
 * and the opaque data given at registration.  The meaning of the return
 * value is not visible in this header. */
typedef int (*nf_queue_outfn_t)(struct sk_buff *skb,
				struct nf_info *info, void *data);
/* One queue handler per protocol family.  Whether registering a second
 * handler for the same pf fails is not visible here (prototype only). */
extern int nf_register_queue_handler(int pf,
				     nf_queue_outfn_t outfn, void *data);
extern int nf_unregister_queue_handler(int pf);
/* Put a queued packet back into hook traversal with the given verdict.
 * Since the queue is "to userspace" (see struct nf_info) the verdict
 * typically originates there and is untrusted: it should be checked
 * against NF_MAX_VERDICT before being acted on -- confirm this happens
 * either here or in the queue handler. */
extern void nf_reinject(struct sk_buff *skb,
			struct nf_info *info,
			unsigned int verdict);

/* Connection-tracking attach hook; presumably set by the conntrack code
 * when it is loaded and NULL otherwise, so callers must test it before
 * calling through it. */
extern void (*ip_ct_attach)(struct sk_buff *, struct nf_ct_info *);

#ifdef CONFIG_NETFILTER_DEBUG
/* Debug-only dump of an skb; not available in non-debug builds. */
extern void nf_dump_skb(int pf, struct sk_buff *skb);
#endif

/* FIXME: Before cache is ever used, this must be implemented for real. */
extern void nf_invalidate_cache(int pf);
#else /* !CONFIG_NETFILTER */
/* Netfilter compiled out: NF_HOOK degenerates to calling okfn(skb)
 * directly.  pf, hook, indev and outdev are not evaluated at all. */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
#endif /*CONFIG_NETFILTER*/
/* From arch/i386/kernel/smp.c:
|
163 |
|
|
*
|
164 |
|
|
* Why isn't this somewhere standard ??
|
165 |
|
|
*
|
166 |
|
|
* Maybe because this procedure is horribly buggy, and does
|
167 |
|
|
* not deserve to live. Think about signedness issues for five
|
168 |
|
|
* seconds to see why. - Linus
|
169 |
|
|
*/
/* Two signed, return a signed. */
/* Both operands are cast to ssize_t before the comparison, so an
 * unsigned argument above SSIZE_MAX is read as a negative number -- this
 * is the signedness trap Linus warns about above.  Every argument is
 * expanded twice; do not pass expressions with side effects. */
#define SMAX(a,b) ((ssize_t)(b)<(ssize_t)(a) ? (ssize_t)(a) : (ssize_t)(b))
#define SMIN(a,b) ((ssize_t)(b)>(ssize_t)(a) ? (ssize_t)(a) : (ssize_t)(b))

/* Two unsigned, return an unsigned. */
/* A negative argument becomes a huge size_t here (e.g. -1 -> SIZE_MAX),
 * which makes UMIN(-1, n) return n and UMAX(-1, n) return SIZE_MAX. */
#define UMAX(a,b) ((size_t)(b)<(size_t)(a) ? (size_t)(a) : (size_t)(b))
#define UMIN(a,b) ((size_t)(b)>(size_t)(a) ? (size_t)(a) : (size_t)(b))

/* Two unsigned, return a signed. */
/* Compared as size_t but returned as ssize_t: a winner above SSIZE_MAX
 * is handed back negative.  Check the result sign before using it as a
 * length. */
#define SUMAX(a,b) ((size_t)(b)<(size_t)(a) ? (ssize_t)(a) : (ssize_t)(b))
#define SUMIN(a,b) ((size_t)(b)>(size_t)(a) ? (ssize_t)(a) : (ssize_t)(b))
#endif /*__KERNEL__*/
#endif /*__LINUX_NETFILTER_H*/