~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/include/linux/netfilter/x_tables.h

Version: ~ [ linux-5.15-rc7 ] ~ [ linux-5.14.14 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.75 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.155 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.213 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.252 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.287 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.289 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 #ifndef _X_TABLES_H
  2 #define _X_TABLES_H
  3 
  4 
  5 #include <linux/netdevice.h>
  6 #include <uapi/linux/netfilter/x_tables.h>
  7 
  8 /**
  9  * struct xt_action_param - parameters for matches/targets
 10  *
 11  * @match:      the match extension
 12  * @target:     the target extension
 13  * @matchinfo:  per-match data
 14  * @targetinfo: per-target data
 15  * @in:         input netdevice
 16  * @out:        output netdevice
 17  * @fragoff:    packet is a fragment, this is the data offset
 18  * @thoff:      position of transport header relative to skb->data
 19  * @hook:       hook number given packet came from
 20  * @family:     Actual NFPROTO_* through which the function is invoked
 21  *              (helpful when match->family == NFPROTO_UNSPEC)
 22  *
 23  * Fields written to by extensions:
 24  *
 25  * @hotdrop:    drop packet if we had inspection problems
 26  * Network namespace obtainable using dev_net(in/out)
 27  */
 28 struct xt_action_param {
 29         union {
 30                 const struct xt_match *match;
 31                 const struct xt_target *target;
 32         };
 33         union {
 34                 const void *matchinfo, *targinfo;
 35         };
 36         const struct net_device *in, *out;
 37         int fragoff;
 38         unsigned int thoff;
 39         unsigned int hooknum;
 40         u_int8_t family;
 41         bool hotdrop;
 42 };
 43 
 44 /**
 45  * struct xt_mtchk_param - parameters for match extensions'
 46  * checkentry functions
 47  *
 48  * @net:        network namespace through which the check was invoked
 49  * @table:      table the rule is tried to be inserted into
 50  * @entryinfo:  the family-specific rule data
 51  *              (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
 52  * @match:      struct xt_match through which this function was invoked
 53  * @matchinfo:  per-match data
 54  * @hook_mask:  via which hooks the new rule is reachable
 55  * Other fields as above.
 56  */
 57 struct xt_mtchk_param {
 58         struct net *net;
 59         const char *table;
 60         const void *entryinfo;
 61         const struct xt_match *match;
 62         void *matchinfo;
 63         unsigned int hook_mask;
 64         u_int8_t family;
 65 };
 66 
 67 /**
 68  * struct xt_mdtor_param - match destructor parameters
 69  * Fields as above.
 70  */
 71 struct xt_mtdtor_param {
 72         struct net *net;
 73         const struct xt_match *match;
 74         void *matchinfo;
 75         u_int8_t family;
 76 };
 77 
 78 /**
 79  * struct xt_tgchk_param - parameters for target extensions'
 80  * checkentry functions
 81  *
 82  * @entryinfo:  the family-specific rule data
 83  *              (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
 84  *
 85  * Other fields see above.
 86  */
 87 struct xt_tgchk_param {
 88         struct net *net;
 89         const char *table;
 90         const void *entryinfo;
 91         const struct xt_target *target;
 92         void *targinfo;
 93         unsigned int hook_mask;
 94         u_int8_t family;
 95 };
 96 
 97 /* Target destructor parameters */
 98 struct xt_tgdtor_param {
 99         struct net *net;
100         const struct xt_target *target;
101         void *targinfo;
102         u_int8_t family;
103 };
104 
105 struct xt_match {
106         struct list_head list;
107 
108         const char name[XT_EXTENSION_MAXNAMELEN];
109         u_int8_t revision;
110 
111         /* Return true or false: return FALSE and set *hotdrop = 1 to
112            force immediate packet drop. */
113         /* Arguments changed since 2.6.9, as this must now handle
114            non-linear skb, using skb_header_pointer and
115            skb_ip_make_writable. */
116         bool (*match)(const struct sk_buff *skb,
117                       struct xt_action_param *);
118 
119         /* Called when user tries to insert an entry of this type. */
120         int (*checkentry)(const struct xt_mtchk_param *);
121 
122         /* Called when entry of this type deleted. */
123         void (*destroy)(const struct xt_mtdtor_param *);
124 #ifdef CONFIG_COMPAT
125         /* Called when userspace align differs from kernel space one */
126         void (*compat_from_user)(void *dst, const void *src);
127         int (*compat_to_user)(void __user *dst, const void *src);
128 #endif
129         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
130         struct module *me;
131 
132         const char *table;
133         unsigned int matchsize;
134 #ifdef CONFIG_COMPAT
135         unsigned int compatsize;
136 #endif
137         unsigned int hooks;
138         unsigned short proto;
139 
140         unsigned short family;
141 };
142 
143 /* Registration hooks for targets. */
144 struct xt_target {
145         struct list_head list;
146 
147         const char name[XT_EXTENSION_MAXNAMELEN];
148         u_int8_t revision;
149 
150         /* Returns verdict. Argument order changed since 2.6.9, as this
151            must now handle non-linear skbs, using skb_copy_bits and
152            skb_ip_make_writable. */
153         unsigned int (*target)(struct sk_buff *skb,
154                                const struct xt_action_param *);
155 
156         /* Called when user tries to insert an entry of this type:
157            hook_mask is a bitmask of hooks from which it can be
158            called. */
159         /* Should return 0 on success or an error code otherwise (-Exxxx). */
160         int (*checkentry)(const struct xt_tgchk_param *);
161 
162         /* Called when entry of this type deleted. */
163         void (*destroy)(const struct xt_tgdtor_param *);
164 #ifdef CONFIG_COMPAT
165         /* Called when userspace align differs from kernel space one */
166         void (*compat_from_user)(void *dst, const void *src);
167         int (*compat_to_user)(void __user *dst, const void *src);
168 #endif
169         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
170         struct module *me;
171 
172         const char *table;
173         unsigned int targetsize;
174 #ifdef CONFIG_COMPAT
175         unsigned int compatsize;
176 #endif
177         unsigned int hooks;
178         unsigned short proto;
179 
180         unsigned short family;
181 };
182 
183 /* Furniture shopping... */
184 struct xt_table {
185         struct list_head list;
186 
187         /* What hooks you will enter on */
188         unsigned int valid_hooks;
189 
190         /* Man behind the curtain... */
191         struct xt_table_info *private;
192 
193         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
194         struct module *me;
195 
196         u_int8_t af;            /* address/protocol family */
197         int priority;           /* hook order */
198 
199         /* A unique name... */
200         const char name[XT_TABLE_MAXNAMELEN];
201 };
202 
203 #include <linux/netfilter_ipv4.h>
204 
205 /* The table itself */
206 struct xt_table_info {
207         /* Size per table */
208         unsigned int size;
209         /* Number of entries: FIXME. --RR */
210         unsigned int number;
211         /* Initial number of entries. Needed for module usage count */
212         unsigned int initial_entries;
213 
214         /* Entry points and underflows */
215         unsigned int hook_entry[NF_INET_NUMHOOKS];
216         unsigned int underflow[NF_INET_NUMHOOKS];
217 
218         /*
219          * Number of user chains. Since tables cannot have loops, at most
220          * @stacksize jumps (number of user chains) can possibly be made.
221          */
222         unsigned int stacksize;
223         unsigned int __percpu *stackptr;
224         void ***jumpstack;
225         /* ipt_entry tables: one per CPU */
226         /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
227         void *entries[1];
228 };
229 
230 #define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
231                           + nr_cpu_ids * sizeof(char *))
232 extern int xt_register_target(struct xt_target *target);
233 extern void xt_unregister_target(struct xt_target *target);
234 extern int xt_register_targets(struct xt_target *target, unsigned int n);
235 extern void xt_unregister_targets(struct xt_target *target, unsigned int n);
236 
237 extern int xt_register_match(struct xt_match *target);
238 extern void xt_unregister_match(struct xt_match *target);
239 extern int xt_register_matches(struct xt_match *match, unsigned int n);
240 extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
241 
242 int xt_check_entry_offsets(const void *base, const char *elems,
243                            unsigned int target_offset,
244                            unsigned int next_offset);
245 
246 extern int xt_check_match(struct xt_mtchk_param *,
247                           unsigned int size, u_int8_t proto, bool inv_proto);
248 extern int xt_check_target(struct xt_tgchk_param *,
249                            unsigned int size, u_int8_t proto, bool inv_proto);
250 
251 void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
252                                  struct xt_counters_info *info, bool compat);
253 
254 extern struct xt_table *xt_register_table(struct net *net,
255                                           const struct xt_table *table,
256                                           struct xt_table_info *bootstrap,
257                                           struct xt_table_info *newinfo);
258 extern void *xt_unregister_table(struct xt_table *table);
259 
260 extern struct xt_table_info *xt_replace_table(struct xt_table *table,
261                                               unsigned int num_counters,
262                                               struct xt_table_info *newinfo,
263                                               int *error);
264 
265 extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
266 extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
267 extern struct xt_match *xt_request_find_match(u8 af, const char *name,
268                                               u8 revision);
269 extern struct xt_target *xt_request_find_target(u8 af, const char *name,
270                                                 u8 revision);
271 extern int xt_find_revision(u8 af, const char *name, u8 revision,
272                             int target, int *err);
273 
274 extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
275                                            const char *name);
276 extern void xt_table_unlock(struct xt_table *t);
277 
278 extern int xt_proto_init(struct net *net, u_int8_t af);
279 extern void xt_proto_fini(struct net *net, u_int8_t af);
280 
281 extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
282 extern void xt_free_table_info(struct xt_table_info *info);
283 
284 /**
285  * xt_recseq - recursive seqcount for netfilter use
286  * 
287  * Packet processing changes the seqcount only if no recursion happened
288  * get_counters() can use read_seqcount_begin()/read_seqcount_retry(),
289  * because we use the normal seqcount convention :
290  * Low order bit set to 1 if a writer is active.
291  */
292 DECLARE_PER_CPU(seqcount_t, xt_recseq);
293 
294 /**
295  * xt_write_recseq_begin - start of a write section
296  *
297  * Begin packet processing : all readers must wait the end
298  * 1) Must be called with preemption disabled
299  * 2) softirqs must be disabled too (or we should use this_cpu_add())
300  * Returns :
301  *  1 if no recursion on this cpu
302  *  0 if recursion detected
303  */
304 static inline unsigned int xt_write_recseq_begin(void)
305 {
306         unsigned int addend;
307 
308         /*
309          * Low order bit of sequence is set if we already
310          * called xt_write_recseq_begin().
311          */
312         addend = (__this_cpu_read(xt_recseq.sequence) + 1) & 1;
313 
314         /*
315          * This is kind of a write_seqcount_begin(), but addend is 0 or 1
316          * We dont check addend value to avoid a test and conditional jump,
317          * since addend is most likely 1
318          */
319         __this_cpu_add(xt_recseq.sequence, addend);
320         smp_wmb();
321 
322         return addend;
323 }
324 
325 /**
326  * xt_write_recseq_end - end of a write section
327  * @addend: return value from previous xt_write_recseq_begin()
328  *
329  * End packet processing : all readers can proceed
330  * 1) Must be called with preemption disabled
331  * 2) softirqs must be disabled too (or we should use this_cpu_add())
332  */
333 static inline void xt_write_recseq_end(unsigned int addend)
334 {
335         /* this is kind of a write_seqcount_end(), but addend is 0 or 1 */
336         smp_wmb();
337         __this_cpu_add(xt_recseq.sequence, addend);
338 }
339 
340 /*
341  * This helper is performance critical and must be inlined
342  */
343 static inline unsigned long ifname_compare_aligned(const char *_a,
344                                                    const char *_b,
345                                                    const char *_mask)
346 {
347         const unsigned long *a = (const unsigned long *)_a;
348         const unsigned long *b = (const unsigned long *)_b;
349         const unsigned long *mask = (const unsigned long *)_mask;
350         unsigned long ret;
351 
352         ret = (a[0] ^ b[0]) & mask[0];
353         if (IFNAMSIZ > sizeof(unsigned long))
354                 ret |= (a[1] ^ b[1]) & mask[1];
355         if (IFNAMSIZ > 2 * sizeof(unsigned long))
356                 ret |= (a[2] ^ b[2]) & mask[2];
357         if (IFNAMSIZ > 3 * sizeof(unsigned long))
358                 ret |= (a[3] ^ b[3]) & mask[3];
359         BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
360         return ret;
361 }
362 
363 extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
364 extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
365 
366 #ifdef CONFIG_COMPAT
367 #include <net/compat.h>
368 
369 struct compat_xt_entry_match {
370         union {
371                 struct {
372                         u_int16_t match_size;
373                         char name[XT_FUNCTION_MAXNAMELEN - 1];
374                         u_int8_t revision;
375                 } user;
376                 struct {
377                         u_int16_t match_size;
378                         compat_uptr_t match;
379                 } kernel;
380                 u_int16_t match_size;
381         } u;
382         unsigned char data[0];
383 };
384 
385 struct compat_xt_entry_target {
386         union {
387                 struct {
388                         u_int16_t target_size;
389                         char name[XT_FUNCTION_MAXNAMELEN - 1];
390                         u_int8_t revision;
391                 } user;
392                 struct {
393                         u_int16_t target_size;
394                         compat_uptr_t target;
395                 } kernel;
396                 u_int16_t target_size;
397         } u;
398         unsigned char data[0];
399 };
400 
401 /* FIXME: this works only on 32 bit tasks
402  * need to change whole approach in order to calculate align as function of
403  * current task alignment */
404 
405 struct compat_xt_counters {
406         compat_u64 pcnt, bcnt;                  /* Packet and byte counters */
407 };
408 
409 struct compat_xt_counters_info {
410         char name[XT_TABLE_MAXNAMELEN];
411         compat_uint_t num_counters;
412         struct compat_xt_counters counters[0];
413 };
414 
415 struct _compat_xt_align {
416         __u8 u8;
417         __u16 u16;
418         __u32 u32;
419         compat_u64 u64;
420 };
421 
422 #define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
423 
424 extern void xt_compat_lock(u_int8_t af);
425 extern void xt_compat_unlock(u_int8_t af);
426 
427 extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta);
428 extern void xt_compat_flush_offsets(u_int8_t af);
429 extern void xt_compat_init_offsets(u_int8_t af, unsigned int number);
430 extern int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
431 
432 extern int xt_compat_match_offset(const struct xt_match *match);
433 extern void xt_compat_match_from_user(struct xt_entry_match *m,
434                                      void **dstptr, unsigned int *size);
435 extern int xt_compat_match_to_user(const struct xt_entry_match *m,
436                                    void __user **dstptr, unsigned int *size);
437 
438 extern int xt_compat_target_offset(const struct xt_target *target);
439 extern void xt_compat_target_from_user(struct xt_entry_target *t,
440                                        void **dstptr, unsigned int *size);
441 extern int xt_compat_target_to_user(const struct xt_entry_target *t,
442                                     void __user **dstptr, unsigned int *size);
443 int xt_compat_check_entry_offsets(const void *base, const char *elems,
444                                   unsigned int target_offset,
445                                   unsigned int next_offset);
446 
447 #endif /* CONFIG_COMPAT */
448 #endif /* _X_TABLES_H */
449 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp