URL https://opencores.org/ocsvn/or1k/or1k/trunk

Subversion Repositories or1k

[/] [or1k/] [tags/] [LINUX_2_4_26_OR32/] [linux/] [linux-2.4/] [include/] [linux/] [netfilter_ipv4/] [ip_tables.h] - Blame information for rev 1765

Details | Compare with Previous | View Log


/*
 * 25-Jul-1998 Major changes to allow for ip chain table
 *
 * 3-Jan-2000 Named tables to allow packet selection for different uses.
 */
 
/*
 *      Format of an IP firewall descriptor
 *
 *      src, dst, src_mask, dst_mask are always stored in network byte order.
 *      flags are stored in host byte order (of course).
 *      Port numbers are stored in HOST byte order.
 */
 
#ifndef _IPTABLES_H
#define _IPTABLES_H
 
#ifdef __KERNEL__
#include <linux/if.h>
#include <linux/types.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
#endif
#include <linux/netfilter_ipv4.h>
 
#define IPT_FUNCTION_MAXNAMELEN 30
#define IPT_TABLE_MAXNAMELEN 32
 
/* Yes, Virginia, you have to zero the padding. */
struct ipt_ip {
        /* Source and destination IP addr */
        struct in_addr src, dst;
        /* Mask for src and dest IP addr */
        struct in_addr smsk, dmsk;
        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
 
        /* Protocol, 0 = ANY */
        u_int16_t proto;
 
        /* Flags word */
        u_int8_t flags;
        /* Inverse flags */
        u_int8_t invflags;
};
 
struct ipt_entry_match
{
        union {
                struct {
                        u_int16_t match_size;
 
                        /* Used by userspace */
                        char name[IPT_FUNCTION_MAXNAMELEN];
                } user;
                struct {
                        u_int16_t match_size;
 
                        /* Used inside the kernel */
                        struct ipt_match *match;
                } kernel;
 
                /* Total length */
                u_int16_t match_size;
        } u;
 
        unsigned char data[0];
};
 
struct ipt_entry_target
{
        union {
                struct {
                        u_int16_t target_size;
 
                        /* Used by userspace */
                        char name[IPT_FUNCTION_MAXNAMELEN];
                } user;
                struct {
                        u_int16_t target_size;
 
                        /* Used inside the kernel */
                        struct ipt_target *target;
                } kernel;
 
                /* Total length */
                u_int16_t target_size;
        } u;
 
        unsigned char data[0];
};
 
struct ipt_standard_target
{
        struct ipt_entry_target target;
        int verdict;
};
 
struct ipt_counters
{
        u_int64_t pcnt, bcnt;                   /* Packet and byte counters */
};
 
/* Values for "flag" field in struct ipt_ip (general ip structure). */
#define IPT_F_FRAG              0x01    /* Set if rule is a fragment rule */
#define IPT_F_MASK              0x01    /* All possible flag bits mask. */
 
/* Values for "inv" field in struct ipt_ip. */
#define IPT_INV_VIA_IN          0x01    /* Invert the sense of IN IFACE. */
#define IPT_INV_VIA_OUT         0x02    /* Invert the sense of OUT IFACE */
#define IPT_INV_TOS             0x04    /* Invert the sense of TOS. */
#define IPT_INV_SRCIP           0x08    /* Invert the sense of SRC IP. */
#define IPT_INV_DSTIP           0x10    /* Invert the sense of DST OP. */
#define IPT_INV_FRAG            0x20    /* Invert the sense of FRAG. */
#define IPT_INV_PROTO           0x40    /* Invert the sense of PROTO. */
#define IPT_INV_MASK            0x7F    /* All possible flag bits mask. */
 
/* This structure defines each of the firewall rules.  Consists of 3
   parts which are 1) general IP header stuff 2) match specific
   stuff 3) the target to perform if the rule matches */
struct ipt_entry
{
        struct ipt_ip ip;
 
        /* Mark with fields that we care about. */
        unsigned int nfcache;
 
        /* Size of ipt_entry + matches */
        u_int16_t target_offset;
        /* Size of ipt_entry + matches + target */
        u_int16_t next_offset;
 
        /* Back pointer */
        unsigned int comefrom;
 
        /* Packet and byte counters. */
        struct ipt_counters counters;
 
        /* The matches (if any), then the target. */
        unsigned char elems[0];
};
 
/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 * socket for this. Instead we check rights in the calls. */
#define IPT_BASE_CTL            64      /* base for firewall socket options */
 
#define IPT_SO_SET_REPLACE      (IPT_BASE_CTL)
#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
#define IPT_SO_SET_MAX          IPT_SO_SET_ADD_COUNTERS
 
#define IPT_SO_GET_INFO         (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES      (IPT_BASE_CTL + 1)
#define IPT_SO_GET_MAX          IPT_SO_GET_ENTRIES
 
/* CONTINUE verdict for targets */
#define IPT_CONTINUE 0xFFFFFFFF
 
/* For standard target */
#define IPT_RETURN (-NF_MAX_VERDICT - 1)
 
/* TCP matching stuff */
struct ipt_tcp
{
        u_int16_t spts[2];                      /* Source port range. */
        u_int16_t dpts[2];                      /* Destination port range. */
        u_int8_t option;                        /* TCP Option iff non-zero*/
        u_int8_t flg_mask;                      /* TCP flags mask byte */
        u_int8_t flg_cmp;                       /* TCP flags compare byte */
        u_int8_t invflags;                      /* Inverse flags */
};
 
/* Values for "inv" field in struct ipt_tcp. */
#define IPT_TCP_INV_SRCPT       0x01    /* Invert the sense of source ports. */
#define IPT_TCP_INV_DSTPT       0x02    /* Invert the sense of dest ports. */
#define IPT_TCP_INV_FLAGS       0x04    /* Invert the sense of TCP flags. */
#define IPT_TCP_INV_OPTION      0x08    /* Invert the sense of option test. */
#define IPT_TCP_INV_MASK        0x0F    /* All possible flags. */
 
/* UDP matching stuff */
struct ipt_udp
{
        u_int16_t spts[2];                      /* Source port range. */
        u_int16_t dpts[2];                      /* Destination port range. */
        u_int8_t invflags;                      /* Inverse flags */
};
 
/* Values for "invflags" field in struct ipt_udp. */
#define IPT_UDP_INV_SRCPT       0x01    /* Invert the sense of source ports. */
#define IPT_UDP_INV_DSTPT       0x02    /* Invert the sense of dest ports. */
#define IPT_UDP_INV_MASK        0x03    /* All possible flags. */
 
/* ICMP matching stuff */
struct ipt_icmp
{
        u_int8_t type;                          /* type to match */
        u_int8_t code[2];                       /* range of code */
        u_int8_t invflags;                      /* Inverse flags */
};
 
/* Values for "inv" field for struct ipt_icmp. */
#define IPT_ICMP_INV    0x01    /* Invert the sense of type/code test */
 
/* The argument to IPT_SO_GET_INFO */
struct ipt_getinfo
{
        /* Which table: caller fills this in. */
        char name[IPT_TABLE_MAXNAMELEN];
 
        /* Kernel fills these in. */
        /* Which hook entry points are valid: bitmask */
        unsigned int valid_hooks;
 
        /* Hook entry points: one per netfilter hook. */
        unsigned int hook_entry[NF_IP_NUMHOOKS];
 
        /* Underflow points. */
        unsigned int underflow[NF_IP_NUMHOOKS];
 
        /* Number of entries */
        unsigned int num_entries;
 
        /* Size of entries. */
        unsigned int size;
};
 
/* The argument to IPT_SO_SET_REPLACE. */
struct ipt_replace
{
        /* Which table. */
        char name[IPT_TABLE_MAXNAMELEN];
 
        /* Which hook entry points are valid: bitmask.  You can't
           change this. */
        unsigned int valid_hooks;
 
        /* Number of entries */
        unsigned int num_entries;
 
        /* Total size of new entries */
        unsigned int size;
 
        /* Hook entry points. */
        unsigned int hook_entry[NF_IP_NUMHOOKS];
 
        /* Underflow points. */
        unsigned int underflow[NF_IP_NUMHOOKS];
 
        /* Information about old entries: */
        /* Number of counters (must be equal to current number of entries). */
        unsigned int num_counters;
        /* The old entries' counters. */
        struct ipt_counters *counters;
 
        /* The entries (hang off end: not really an array). */
        struct ipt_entry entries[0];
};
 
/* The argument to IPT_SO_ADD_COUNTERS. */
struct ipt_counters_info
{
        /* Which table. */
        char name[IPT_TABLE_MAXNAMELEN];
 
        unsigned int num_counters;
 
        /* The counters (actually `number' of these). */
        struct ipt_counters counters[0];
};
 
/* The argument to IPT_SO_GET_ENTRIES. */
struct ipt_get_entries
{
        /* Which table: user fills this in. */
        char name[IPT_TABLE_MAXNAMELEN];
 
        /* User fills this in: total entry size. */
        unsigned int size;
 
        /* The entries. */
        struct ipt_entry entrytable[0];
};
 
/* Standard return verdict, or do jump. */
#define IPT_STANDARD_TARGET ""
/* Error verdict. */
#define IPT_ERROR_TARGET "ERROR"
 
/* Helper functions */
static __inline__ struct ipt_entry_target *
ipt_get_target(struct ipt_entry *e)
{
        return (void *)e + e->target_offset;
}
 
/* fn returns 0 to continue iteration */
#define IPT_MATCH_ITERATE(e, fn, args...)       \
({                                              \
        unsigned int __i;                       \
        int __ret = 0;                           \
        struct ipt_entry_match *__match;        \
                                                \
        for (__i = sizeof(struct ipt_entry);    \
             __i < (e)->target_offset;          \
             __i += __match->u.match_size) {    \
                __match = (void *)(e) + __i;    \
                                                \
                __ret = fn(__match , ## args);  \
                if (__ret != 0)                  \
                        break;                  \
        }                                       \
        __ret;                                  \
})
 
/* fn returns 0 to continue iteration */
#define IPT_ENTRY_ITERATE(entries, size, fn, args...)           \
({                                                              \
        unsigned int __i;                                       \
        int __ret = 0;                                           \
        struct ipt_entry *__entry;                              \
                                                                \
        for (__i = 0; __i < (size); __i += __entry->next_offset) { \
                __entry = (void *)(entries) + __i;              \
                                                                \
                __ret = fn(__entry , ## args);                  \
                if (__ret != 0)                                  \
                        break;                                  \
        }                                                       \
        __ret;                                                  \
})
 
/*
 *      Main firewall chains definitions and global var's definitions.
 */
#ifdef __KERNEL__
 
#include <linux/init.h>
extern void ipt_init(void) __init;
 
struct ipt_match
{
        struct list_head list;
 
        const char name[IPT_FUNCTION_MAXNAMELEN];
 
        /* Return true or false: return FALSE and set *hotdrop = 1 to
           force immediate packet drop. */
        int (*match)(const struct sk_buff *skb,
                     const struct net_device *in,
                     const struct net_device *out,
                     const void *matchinfo,
                     int offset,
                     const void *hdr,
                     u_int16_t datalen,
                     int *hotdrop);
 
        /* Called when user tries to insert an entry of this type. */
        /* Should return true or false. */
        int (*checkentry)(const char *tablename,
                          const struct ipt_ip *ip,
                          void *matchinfo,
                          unsigned int matchinfosize,
                          unsigned int hook_mask);
 
        /* Called when entry of this type deleted. */
        void (*destroy)(void *matchinfo, unsigned int matchinfosize);
 
        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
        struct module *me;
};
 
/* Registration hooks for targets. */
struct ipt_target
{
        struct list_head list;
 
        const char name[IPT_FUNCTION_MAXNAMELEN];
 
        /* Returns verdict. */
        unsigned int (*target)(struct sk_buff **pskb,
                               unsigned int hooknum,
                               const struct net_device *in,
                               const struct net_device *out,
                               const void *targinfo,
                               void *userdata);
 
        /* Called when user tries to insert an entry of this type:
           hook_mask is a bitmask of hooks from which it can be
           called. */
        /* Should return true or false. */
        int (*checkentry)(const char *tablename,
                          const struct ipt_entry *e,
                          void *targinfo,
                          unsigned int targinfosize,
                          unsigned int hook_mask);
 
        /* Called when entry of this type deleted. */
        void (*destroy)(void *targinfo, unsigned int targinfosize);
 
        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
        struct module *me;
};
 
extern int ipt_register_target(struct ipt_target *target);
extern void ipt_unregister_target(struct ipt_target *target);
 
extern int ipt_register_match(struct ipt_match *match);
extern void ipt_unregister_match(struct ipt_match *match);
 
/* Furniture shopping... */
struct ipt_table
{
        struct list_head list;
 
        /* A unique name... */
        char name[IPT_TABLE_MAXNAMELEN];
 
        /* Seed table: copied in register_table */
        struct ipt_replace *table;
 
        /* What hooks you will enter on */
        unsigned int valid_hooks;
 
        /* Lock for the curtain */
        rwlock_t lock;
 
        /* Man behind the curtain... */
        struct ipt_table_info *private;
 
        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
        struct module *me;
};
 
extern int ipt_register_table(struct ipt_table *table);
extern void ipt_unregister_table(struct ipt_table *table);
extern unsigned int ipt_do_table(struct sk_buff **pskb,
                                 unsigned int hook,
                                 const struct net_device *in,
                                 const struct net_device *out,
                                 struct ipt_table *table,
                                 void *userdata);
 
#define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1))
#endif /*__KERNEL__*/
#endif /* _IPTABLES_H */

Browse

Tools

Subversion Repositories or1k

[/] [or1k/] [tags/] [LINUX_2_4_26_OR32/] [linux/] [linux-2.4/] [include/] [linux/] [netfilter_ipv4/] [ip_tables.h] - Blame information for rev 1765

Line No.	Rev	Author	Line
1	1275	phoenix	`/*`
2			`* 25-Jul-1998 Major changes to allow for ip chain table`
3			`*`
4			`* 3-Jan-2000 Named tables to allow packet selection for different uses.`
5			`*/`
6
7			`/*`
8			`* Format of an IP firewall descriptor`
9			`*`
10			`* src, dst, src_mask, dst_mask are always stored in network byte order.`
11			`* flags are stored in host byte order (of course).`
12			`* Port numbers are stored in HOST byte order.`
13			`*/`
14
15			`#ifndef _IPTABLES_H`
16			`#define _IPTABLES_H`
17
18			`#ifdef __KERNEL__`
19			`#include <linux/if.h>`
20			`#include <linux/types.h>`
21			`#include <linux/in.h>`
22			`#include <linux/ip.h>`
23			`#include <linux/skbuff.h>`
24			`#endif`
25			`#include <linux/netfilter_ipv4.h>`
26
27			`#define IPT_FUNCTION_MAXNAMELEN 30`
28			`#define IPT_TABLE_MAXNAMELEN 32`
29
30			`/* Yes, Virginia, you have to zero the padding. */`
31			`struct ipt_ip {`
32			`/* Source and destination IP addr */`
33			`struct in_addr src, dst;`
34			`/* Mask for src and dest IP addr */`
35			`struct in_addr smsk, dmsk;`
36			`char iniface[IFNAMSIZ], outiface[IFNAMSIZ];`
37			`unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];`
38
39			`/* Protocol, 0 = ANY */`
40			`u_int16_t proto;`
41
42			`/* Flags word */`
43			`u_int8_t flags;`
44			`/* Inverse flags */`
45			`u_int8_t invflags;`
46			`};`
47
48			`struct ipt_entry_match`
49			`{`
50			`union {`
51			`struct {`
52			`u_int16_t match_size;`
53
54			`/* Used by userspace */`
55			`char name[IPT_FUNCTION_MAXNAMELEN];`
56			`} user;`
57			`struct {`
58			`u_int16_t match_size;`
59
60			`/* Used inside the kernel */`
61			`struct ipt_match *match;`
62			`} kernel;`
63
64			`/* Total length */`
65			`u_int16_t match_size;`
66			`} u;`
67
68			`unsigned char data[0];`
69			`};`
70
71			`struct ipt_entry_target`
72			`{`
73			`union {`
74			`struct {`
75			`u_int16_t target_size;`
76
77			`/* Used by userspace */`
78			`char name[IPT_FUNCTION_MAXNAMELEN];`
79			`} user;`
80			`struct {`
81			`u_int16_t target_size;`
82
83			`/* Used inside the kernel */`
84			`struct ipt_target *target;`
85			`} kernel;`
86
87			`/* Total length */`
88			`u_int16_t target_size;`
89			`} u;`
90
91			`unsigned char data[0];`
92			`};`
93
94			`struct ipt_standard_target`
95			`{`
96			`struct ipt_entry_target target;`
97			`int verdict;`
98			`};`
99
100			`struct ipt_counters`
101			`{`
102			`u_int64_t pcnt, bcnt; /* Packet and byte counters */`
103			`};`
104
105			`/* Values for "flag" field in struct ipt_ip (general ip structure). */`
106			`#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */`
107			`#define IPT_F_MASK 0x01 /* All possible flag bits mask. */`
108
109			`/* Values for "inv" field in struct ipt_ip. */`
110			`#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */`
111			`#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */`
112			`#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */`
113			`#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */`
114			`#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */`
115			`#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */`
116			`#define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */`
117			`#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */`
118
119			`/* This structure defines each of the firewall rules. Consists of 3`
120			`parts which are 1) general IP header stuff 2) match specific`
121			`stuff 3) the target to perform if the rule matches */`
122			`struct ipt_entry`
123			`{`
124			`struct ipt_ip ip;`
125
126			`/* Mark with fields that we care about. */`
127			`unsigned int nfcache;`
128
129			`/* Size of ipt_entry + matches */`
130			`u_int16_t target_offset;`
131			`/* Size of ipt_entry + matches + target */`
132			`u_int16_t next_offset;`
133
134			`/* Back pointer */`
135			`unsigned int comefrom;`
136
137			`/* Packet and byte counters. */`
138			`struct ipt_counters counters;`
139
140			`/* The matches (if any), then the target. */`
141			`unsigned char elems[0];`
142			`};`
143
144			`/*`
145			`* New IP firewall options for [gs]etsockopt at the RAW IP level.`
146			`* Unlike BSD Linux inherits IP options so you don't have to use a raw`
147			`* socket for this. Instead we check rights in the calls. */`
148			`#define IPT_BASE_CTL 64 /* base for firewall socket options */`
149
150			`#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)`
151			`#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)`
152			`#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS`
153
154			`#define IPT_SO_GET_INFO (IPT_BASE_CTL)`
155			`#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)`
156			`#define IPT_SO_GET_MAX IPT_SO_GET_ENTRIES`
157
158			`/* CONTINUE verdict for targets */`
159			`#define IPT_CONTINUE 0xFFFFFFFF`
160
161			`/* For standard target */`
162			`#define IPT_RETURN (-NF_MAX_VERDICT - 1)`
163
164			`/* TCP matching stuff */`
165			`struct ipt_tcp`
166			`{`
167			`u_int16_t spts[2]; /* Source port range. */`
168			`u_int16_t dpts[2]; /* Destination port range. */`
169			`u_int8_t option; /* TCP Option iff non-zero*/`
170			`u_int8_t flg_mask; /* TCP flags mask byte */`
171			`u_int8_t flg_cmp; /* TCP flags compare byte */`
172			`u_int8_t invflags; /* Inverse flags */`
173			`};`
174
175			`/* Values for "inv" field in struct ipt_tcp. */`
176			`#define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */`
177			`#define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */`
178			`#define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */`
179			`#define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */`
180			`#define IPT_TCP_INV_MASK 0x0F /* All possible flags. */`
181
182			`/* UDP matching stuff */`
183			`struct ipt_udp`
184			`{`
185			`u_int16_t spts[2]; /* Source port range. */`
186			`u_int16_t dpts[2]; /* Destination port range. */`
187			`u_int8_t invflags; /* Inverse flags */`
188			`};`
189
190			`/* Values for "invflags" field in struct ipt_udp. */`
191			`#define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */`
192			`#define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */`
193			`#define IPT_UDP_INV_MASK 0x03 /* All possible flags. */`
194
195			`/* ICMP matching stuff */`
196			`struct ipt_icmp`
197			`{`
198			`u_int8_t type; /* type to match */`
199			`u_int8_t code[2]; /* range of code */`
200			`u_int8_t invflags; /* Inverse flags */`
201			`};`
202
203			`/* Values for "inv" field for struct ipt_icmp. */`
204			`#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */`
205
206			`/* The argument to IPT_SO_GET_INFO */`
207			`struct ipt_getinfo`
208			`{`
209			`/* Which table: caller fills this in. */`
210			`char name[IPT_TABLE_MAXNAMELEN];`
211
212			`/* Kernel fills these in. */`
213			`/* Which hook entry points are valid: bitmask */`
214			`unsigned int valid_hooks;`
215
216			`/* Hook entry points: one per netfilter hook. */`
217			`unsigned int hook_entry[NF_IP_NUMHOOKS];`
218
219			`/* Underflow points. */`
220			`unsigned int underflow[NF_IP_NUMHOOKS];`
221
222			`/* Number of entries */`
223			`unsigned int num_entries;`
224
225			`/* Size of entries. */`
226			`unsigned int size;`
227			`};`
228
229			`/* The argument to IPT_SO_SET_REPLACE. */`
230			`struct ipt_replace`
231			`{`
232			`/* Which table. */`
233			`char name[IPT_TABLE_MAXNAMELEN];`
234
235			`/* Which hook entry points are valid: bitmask. You can't`
236			`change this. */`
237			`unsigned int valid_hooks;`
238
239			`/* Number of entries */`
240			`unsigned int num_entries;`
241
242			`/* Total size of new entries */`
243			`unsigned int size;`
244
245			`/* Hook entry points. */`
246			`unsigned int hook_entry[NF_IP_NUMHOOKS];`
247
248			`/* Underflow points. */`
249			`unsigned int underflow[NF_IP_NUMHOOKS];`
250
251			`/* Information about old entries: */`
252			`/* Number of counters (must be equal to current number of entries). */`
253			`unsigned int num_counters;`
254			`/* The old entries' counters. */`
255			`struct ipt_counters *counters;`
256
257			`/* The entries (hang off end: not really an array). */`
258			`struct ipt_entry entries[0];`
259			`};`
260
261			`/* The argument to IPT_SO_ADD_COUNTERS. */`
262			`struct ipt_counters_info`
263			`{`
264			`/* Which table. */`
265			`char name[IPT_TABLE_MAXNAMELEN];`
266
267			`unsigned int num_counters;`
268
269			/* The counters (actually `number' of these). */
270			`struct ipt_counters counters[0];`
271			`};`
272
273			`/* The argument to IPT_SO_GET_ENTRIES. */`
274			`struct ipt_get_entries`
275			`{`
276			`/* Which table: user fills this in. */`
277			`char name[IPT_TABLE_MAXNAMELEN];`
278
279			`/* User fills this in: total entry size. */`
280			`unsigned int size;`
281
282			`/* The entries. */`
283			`struct ipt_entry entrytable[0];`
284			`};`
285
286			`/* Standard return verdict, or do jump. */`
287			`#define IPT_STANDARD_TARGET ""`
288			`/* Error verdict. */`
289			`#define IPT_ERROR_TARGET "ERROR"`
290
291			`/* Helper functions */`
292			`static __inline__ struct ipt_entry_target *`
293			`ipt_get_target(struct ipt_entry *e)`
294			`{`
295			`return (void *)e + e->target_offset;`
296			`}`
297
298			`/* fn returns 0 to continue iteration */`
299			`#define IPT_MATCH_ITERATE(e, fn, args...) \`
300			`({ \`
301			`unsigned int __i; \`
302			`int __ret = 0; \`
303			`struct ipt_entry_match *__match; \`
304			`\`
305			`for (__i = sizeof(struct ipt_entry); \`
306			`__i < (e)->target_offset; \`
307			`__i += __match->u.match_size) { \`
308			`__match = (void *)(e) + __i; \`
309			`\`
310			`__ret = fn(__match , ## args); \`
311			`if (__ret != 0) \`
312			`break; \`
313			`} \`
314			`__ret; \`
315			`})`
316
317			`/* fn returns 0 to continue iteration */`
318			`#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \`
319			`({ \`
320			`unsigned int __i; \`
321			`int __ret = 0; \`
322			`struct ipt_entry *__entry; \`
323			`\`
324			`for (__i = 0; __i < (size); __i += __entry->next_offset) { \`
325			`__entry = (void *)(entries) + __i; \`
326			`\`
327			`__ret = fn(__entry , ## args); \`
328			`if (__ret != 0) \`
329			`break; \`
330			`} \`
331			`__ret; \`
332			`})`
333
334			`/*`
335			`* Main firewall chains definitions and global var's definitions.`
336			`*/`
337			`#ifdef __KERNEL__`
338
339			`#include <linux/init.h>`
340			`extern void ipt_init(void) __init;`
341
342			`struct ipt_match`
343			`{`
344			`struct list_head list;`
345
346			`const char name[IPT_FUNCTION_MAXNAMELEN];`
347
348			`/* Return true or false: return FALSE and set *hotdrop = 1 to`
349			`force immediate packet drop. */`
350			`int (match)(const struct sk_buff skb,`
351			`const struct net_device *in,`
352			`const struct net_device *out,`
353			`const void *matchinfo,`
354			`int offset,`
355			`const void *hdr,`
356			`u_int16_t datalen,`
357			`int *hotdrop);`
358
359			`/* Called when user tries to insert an entry of this type. */`
360			`/* Should return true or false. */`
361			`int (checkentry)(const char tablename,`
362			`const struct ipt_ip *ip,`
363			`void *matchinfo,`
364			`unsigned int matchinfosize,`
365			`unsigned int hook_mask);`
366
367			`/* Called when entry of this type deleted. */`
368			`void (destroy)(void matchinfo, unsigned int matchinfosize);`
369
370			`/* Set this to THIS_MODULE if you are a module, otherwise NULL */`
371			`struct module *me;`
372			`};`
373
374			`/* Registration hooks for targets. */`
375			`struct ipt_target`
376			`{`
377			`struct list_head list;`
378
379			`const char name[IPT_FUNCTION_MAXNAMELEN];`
380
381			`/* Returns verdict. */`
382			`unsigned int (target)(struct sk_buff *pskb,`
383			`unsigned int hooknum,`
384			`const struct net_device *in,`
385			`const struct net_device *out,`
386			`const void *targinfo,`
387			`void *userdata);`
388
389			`/* Called when user tries to insert an entry of this type:`
390			`hook_mask is a bitmask of hooks from which it can be`
391			`called. */`
392			`/* Should return true or false. */`
393			`int (checkentry)(const char tablename,`
394			`const struct ipt_entry *e,`
395			`void *targinfo,`
396			`unsigned int targinfosize,`
397			`unsigned int hook_mask);`
398
399			`/* Called when entry of this type deleted. */`
400			`void (destroy)(void targinfo, unsigned int targinfosize);`
401
402			`/* Set this to THIS_MODULE if you are a module, otherwise NULL */`
403			`struct module *me;`
404			`};`
405
406			`extern int ipt_register_target(struct ipt_target *target);`
407			`extern void ipt_unregister_target(struct ipt_target *target);`
408
409			`extern int ipt_register_match(struct ipt_match *match);`
410			`extern void ipt_unregister_match(struct ipt_match *match);`
411
412			`/* Furniture shopping... */`
413			`struct ipt_table`
414			`{`
415			`struct list_head list;`
416
417			`/* A unique name... */`
418			`char name[IPT_TABLE_MAXNAMELEN];`
419
420			`/* Seed table: copied in register_table */`
421			`struct ipt_replace *table;`
422
423			`/* What hooks you will enter on */`
424			`unsigned int valid_hooks;`
425
426			`/* Lock for the curtain */`
427			`rwlock_t lock;`
428
429			`/* Man behind the curtain... */`
430			`struct ipt_table_info *private;`
431
432			`/* Set this to THIS_MODULE if you are a module, otherwise NULL */`
433			`struct module *me;`
434			`};`
435
436			`extern int ipt_register_table(struct ipt_table *table);`
437			`extern void ipt_unregister_table(struct ipt_table *table);`
438			`extern unsigned int ipt_do_table(struct sk_buff **pskb,`
439			`unsigned int hook,`
440			`const struct net_device *in,`
441			`const struct net_device *out,`
442			`struct ipt_table *table,`
443			`void *userdata);`
444
445			`#define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1))`
446			`#endif /__KERNEL__/`
447			`#endif /* _IPTABLES_H */`