Commit 2e4e6a17 authored by Harald Welte, committed by David S. Miller

[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables

This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables.  In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.

o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
  wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
  are now implemented as xt_FOOBAR.c files and provide module aliases
  to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
  include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
  around the xt_FOOBAR.h headers

Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 880b005f
...@@ -154,6 +154,9 @@ struct ip_conntrack_stat ...@@ -154,6 +154,9 @@ struct ip_conntrack_stat
unsigned int expect_delete; unsigned int expect_delete;
}; };
/* call to create an explicit dependency on nf_conntrack. */
extern void need_conntrack(void);
#endif /* __KERNEL__ */ #endif /* __KERNEL__ */
#endif /* _NF_CONNTRACK_COMMON_H */ #endif /* _NF_CONNTRACK_COMMON_H */
#ifndef _X_TABLES_H
#define _X_TABLES_H
#define XT_FUNCTION_MAXNAMELEN 30
#define XT_TABLE_MAXNAMELEN 32
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct xt_get_revision
{
char name[XT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* CONTINUE verdict for targets */
#define XT_CONTINUE 0xFFFFFFFF
/* For standard target */
#define XT_RETURN (-NF_REPEAT - 1)
#define XT_ALIGN(s) (((s) + (__alignof__(void *)-1)) & ~(__alignof__(void *)-1))
/* Standard return verdict, or do jump. */
#define XT_STANDARD_TARGET ""
/* Error verdict. */
#define XT_ERROR_TARGET "ERROR"
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use a raw
* socket for this. Instead we check rights in the calls. */
#define XT_BASE_CTL 64 /* base for firewall socket options */
#define XT_SO_SET_REPLACE (XT_BASE_CTL)
#define XT_SO_SET_ADD_COUNTERS (XT_BASE_CTL + 1)
#define XT_SO_SET_MAX XT_SO_SET_ADD_COUNTERS
#define XT_SO_GET_INFO (XT_BASE_CTL)
#define XT_SO_GET_ENTRIES (XT_BASE_CTL + 1)
#define XT_SO_GET_REVISION_MATCH (XT_BASE_CTL + 2)
#define XT_SO_GET_REVISION_TARGET (XT_BASE_CTL + 3)
#define XT_SO_GET_MAX XT_SO_GET_REVISION_TARGET
#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
struct xt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
/* The argument to IPT_SO_ADD_COUNTERS. */
struct xt_counters_info
{
/* Which table. */
char name[XT_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct xt_counters counters[0];
};
#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
#ifdef __KERNEL__
#include <linux/netdevice.h>
#define ASSERT_READ_LOCK(x)
#define ASSERT_WRITE_LOCK(x)
#include <linux/netfilter_ipv4/listhelp.h>
struct xt_match
{
struct list_head list;
const char name[XT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.6.9, as this must now handle
non-linear skb, using skb_header_pointer and
skb_ip_make_writable. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop);
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const void *ip,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *matchinfo, unsigned int matchinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
/* Registration hooks for targets. */
struct xt_target
{
struct list_head list;
const char name[XT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Returns verdict. Argument order changed since 2.6.9, as this
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
unsigned int (*target)(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userdata);
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const void *entry,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
/* Furniture shopping... */
struct xt_table
{
struct list_head list;
/* A unique name... */
char name[XT_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
//struct ip6t_table_info *private;
void *private;
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
int af; /* address/protocol family */
};
#include <linux/netfilter_ipv4.h>
/* The table itself */
struct xt_table_info
{
/* Size per table */
unsigned int size;
/* Number of entries: FIXME. --RR */
unsigned int number;
/* Initial number of entries. Needed for module usage count */
unsigned int initial_entries;
/* Entry points and underflows */
unsigned int hook_entry[NF_IP_NUMHOOKS];
unsigned int underflow[NF_IP_NUMHOOKS];
/* ipt_entry tables: one per CPU */
char *entries[NR_CPUS];
};
extern int xt_register_target(int af, struct xt_target *target);
extern void xt_unregister_target(int af, struct xt_target *target);
extern int xt_register_match(int af, struct xt_match *target);
extern void xt_unregister_match(int af, struct xt_match *target);
extern int xt_register_table(struct xt_table *table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
extern void *xt_unregister_table(struct xt_table *table);
extern struct xt_table_info *xt_replace_table(struct xt_table *table,
unsigned int num_counters,
struct xt_table_info *newinfo,
int *error);
extern struct xt_match *xt_find_match(int af, const char *name, u8 revision);
extern struct xt_target *xt_find_target(int af, const char *name, u8 revision);
extern struct xt_target *xt_request_find_target(int af, const char *name,
u8 revision);
extern int xt_find_revision(int af, const char *name, u8 revision, int target,
int *err);
extern struct xt_table *xt_find_table_lock(int af, const char *name);
extern void xt_table_unlock(struct xt_table *t);
extern int xt_proto_init(int af);
extern void xt_proto_fini(int af);
extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
extern void xt_free_table_info(struct xt_table_info *info);
#endif /* __KERNEL__ */
#endif /* _X_TABLES_H */
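Review bot: The comments on `struct xt_get_revision` and `struct xt_counters_info` still name the ipt_ socket options (`IPT_SO_GET_REVISION_*`, `IPT_SO_ADD_COUNTERS`) although this header defines the family-neutral `XT_SO_GET_REVISION_MATCH`/`XT_SO_GET_REVISION_TARGET` and `XT_SO_SET_ADD_COUNTERS`; `/* The argument to XT_SO_GET_REVISION_*. Returns highest revision kernel supports, if >= revision. */` and `/* The argument to XT_SO_SET_ADD_COUNTERS. */` keep the new header self-describing. Likewise `xt_register_match`/`xt_unregister_match` name their `struct xt_match *` parameter `target`, `xt_find_revision` takes `u8` where the rest of the file spells it `u_int8_t`, and the commented-out `//struct ip6t_table_info *private;` above `void *private` should be dropped now that the field is intentionally untyped. `XT_FUNCTION_MAXNAMELEN` (30) and `XT_TABLE_MAXNAMELEN` (32) are different sizes, so each per-family wrapper must alias its own counterpart: arp_tables.h does (`ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN`), but the ip_tables.h hunk defines `IPT_TABLE_MAXNAMELEN XT_FUNCTION_MAXNAMELEN`, which silently changes that constant from 32 to 30 for every remaining user of it in the userspace-visible ip_tables.h structures; it should read `#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN`. `struct xt_table_info` still sizes `hook_entry`/`underflow` with `NF_IP_NUMHOOKS` and includes `<linux/netfilter_ipv4.h>` to get it, so the layer-3 assumption the description promises to remove later is baked into the one structure shared by all three families; a `/* FIXME: hook count is IPv4-specific */` on those two arrays would flag it for the follow-up.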
#ifndef _XT_CLASSIFY_H
#define _XT_CLASSIFY_H
struct xt_classify_target_info {
u_int32_t priority;
};
#endif /*_XT_CLASSIFY_H */
#ifndef _XT_CONNMARK_H_target
#define _XT_CONNMARK_H_target
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
enum {
XT_CONNMARK_SET = 0,
XT_CONNMARK_SAVE,
XT_CONNMARK_RESTORE
};
struct xt_connmark_target_info {
unsigned long mark;
unsigned long mask;
u_int8_t mode;
};
#endif /*_XT_CONNMARK_H_target*/
#ifndef _XT_MARK_H_target
#define _XT_MARK_H_target
/* Version 0 */
struct xt_mark_target_info {
unsigned long mark;
};
/* Version 1 */
enum {
XT_MARK_SET=0,
XT_MARK_AND,
XT_MARK_OR,
};
struct xt_mark_target_info_v1 {
unsigned long mark;
u_int8_t mode;
};
#endif /*_XT_MARK_H_target */
/* iptables module for using NFQUEUE mechanism
*
* (C) 2005 Harald Welte <laforge@netfilter.org>
*
* This software is distributed under GNU GPL v2, 1991
*
*/
#ifndef _XT_NFQ_TARGET_H
#define _XT_NFQ_TARGET_H
/* target info */
struct xt_NFQ_info {
u_int16_t queuenum;
};
#endif /* _XT_NFQ_TARGET_H */
#ifndef _XT_COMMENT_H
#define _XT_COMMENT_H
#define XT_MAX_COMMENT_LEN 256
struct xt_comment_info {
unsigned char comment[XT_MAX_COMMENT_LEN];
};
#endif /* XT_COMMENT_H */
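Review bot: The closing guard comment does not match the guard macro defined at the top of xt_comment.h (`_XT_COMMENT_H`); `#endif /* _XT_COMMENT_H */` keeps the pair grep-consistent with the other xt_*.h headers in this commit. The struct itself looks like a straight rename of the ipt_ version and needs nothing else.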
#ifndef _XT_CONNBYTES_H
#define _XT_CONNBYTES_H
enum xt_connbytes_what {
XT_CONNBYTES_PKTS,
XT_CONNBYTES_BYTES,
XT_CONNBYTES_AVGPKT,
};
enum xt_connbytes_direction {
XT_CONNBYTES_DIR_ORIGINAL,
XT_CONNBYTES_DIR_REPLY,
XT_CONNBYTES_DIR_BOTH,
};
struct xt_connbytes_info
{
struct {
aligned_u64 from; /* count to be matched */
aligned_u64 to; /* count to be matched */
} count;
u_int8_t what; /* ipt_connbytes_what */
u_int8_t direction; /* ipt_connbytes_direction */
};
#endif
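Review bot: The field comments on `what` and `direction` still point at `ipt_connbytes_what` and `ipt_connbytes_direction`, but the enums this header declares are `xt_connbytes_what` and `xt_connbytes_direction`; `u_int8_t what; /* xt_connbytes_what */` and `u_int8_t direction; /* xt_connbytes_direction */` keep the cross-reference valid. The bare `#endif` here (and at the end of xt_tcpudp.h) would read better as `#endif /* _XT_CONNBYTES_H */`, matching the rest of the new headers.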
#ifndef _XT_CONNMARK_H
#define _XT_CONNMARK_H
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
struct xt_connmark_info {
unsigned long mark, mask;
u_int8_t invert;
};
#endif /*_XT_CONNMARK_H*/
/* Header file for kernel module to match connection tracking information.
* GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
*/
#ifndef _XT_CONNTRACK_H
#define _XT_CONNTRACK_H
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <linux/in.h>
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_CONNTRACK_STATE_INVALID (1 << 0)
#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
/* flags, invflags: */
#define XT_CONNTRACK_STATE 0x01
#define XT_CONNTRACK_PROTO 0x02
#define XT_CONNTRACK_ORIGSRC 0x04
#define XT_CONNTRACK_ORIGDST 0x08
#define XT_CONNTRACK_REPLSRC 0x10
#define XT_CONNTRACK_REPLDST 0x20
#define XT_CONNTRACK_STATUS 0x40
#define XT_CONNTRACK_EXPIRES 0x80
/* This is exposed to userspace, so remains frozen in time. */
struct ip_conntrack_old_tuple
{
struct {
__u32 ip;
union {
__u16 all;
} u;
} src;
struct {
__u32 ip;
union {
__u16 all;
} u;
/* The protocol. */
u16 protonum;
} dst;
};
struct xt_conntrack_info
{
unsigned int statemask, statusmask;
struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
unsigned long expires_min, expires_max;
/* Flags word */
u_int8_t flags;
/* Inverse flags */
u_int8_t invflags;
};
#endif /*_XT_CONNTRACK_H*/
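Review bot: `struct ip_conntrack_old_tuple` is annotated as exposed to userspace and uses `__u32`/`__u16` for its other fields, but `protonum` is declared with the kernel-internal `u16`; `__u16 protonum;` keeps the struct compilable from a userspace include. The width is the same, so the change is ABI-neutral.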
#ifndef _XT_DCCP_H_
#define _XT_DCCP_H_
#define XT_DCCP_SRC_PORTS 0x01
#define XT_DCCP_DEST_PORTS 0x02
#define XT_DCCP_TYPE 0x04
#define XT_DCCP_OPTION 0x08
#define XT_DCCP_VALID_FLAGS 0x0f
struct xt_dccp_info {
u_int16_t dpts[2]; /* Min, Max */
u_int16_t spts[2]; /* Min, Max */
u_int16_t flags;
u_int16_t invflags;
u_int16_t typemask;
u_int8_t option;
};
#endif /* _XT_DCCP_H_ */
#ifndef _XT_HELPER_H
#define _XT_HELPER_H
struct xt_helper_info {
int invert;
char name[30];
};
#endif /* _XT_HELPER_H */
#ifndef _XT_LENGTH_H
#define _XT_LENGTH_H
struct xt_length_info {
u_int16_t min, max;
u_int8_t invert;
};
#endif /*_XT_LENGTH_H*/
#ifndef _XT_RATE_H
#define _XT_RATE_H
/* timings are in milliseconds. */
#define XT_LIMIT_SCALE 10000
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
struct xt_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* Used internally by the kernel */
unsigned long prev;
u_int32_t credit;
u_int32_t credit_cap, cost;
/* Ugly, ugly fucker. */
struct xt_rateinfo *master;
};
#endif /*_XT_RATE_H*/
#ifndef _XT_MAC_H
#define _XT_MAC_H
struct xt_mac_info {
unsigned char srcaddr[ETH_ALEN];
int invert;
};
#endif /*_XT_MAC_H*/
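Review bot: `xt_mac_info` uses `ETH_ALEN` without any include, so the header only compiles when the includer has already pulled in `<linux/if_ether.h>`; adding `#include <linux/if_ether.h>` before the struct makes it self-contained. xt_physdev.h has the same shape: `IFNAMSIZ` is used unconditionally while `<linux/if.h>` is included only under `__KERNEL__`, so a userspace includer must supply the definition itself; if that is intended, a one-line comment on the `#ifdef` saying so would save the next reader the question.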
#ifndef _XT_MARK_H
#define _XT_MARK_H
struct xt_mark_info {
unsigned long mark, mask;
u_int8_t invert;
};
#endif /*_XT_MARK_H*/
#ifndef _XT_PHYSDEV_H
#define _XT_PHYSDEV_H
#ifdef __KERNEL__
#include <linux/if.h>
#endif
#define XT_PHYSDEV_OP_IN 0x01
#define XT_PHYSDEV_OP_OUT 0x02
#define XT_PHYSDEV_OP_BRIDGED 0x04
#define XT_PHYSDEV_OP_ISIN 0x08
#define XT_PHYSDEV_OP_ISOUT 0x10
#define XT_PHYSDEV_OP_MASK (0x20 - 1)
struct xt_physdev_info {
char physindev[IFNAMSIZ];
char in_mask[IFNAMSIZ];
char physoutdev[IFNAMSIZ];
char out_mask[IFNAMSIZ];
u_int8_t invert;
u_int8_t bitmask;
};
#endif /*_XT_PHYSDEV_H*/
#ifndef _XT_PKTTYPE_H
#define _XT_PKTTYPE_H
struct xt_pkttype_info {
int pkttype;
int invert;
};
#endif /*_XT_PKTTYPE_H*/
#ifndef _XT_REALM_H
#define _XT_REALM_H
struct xt_realm_info {
u_int32_t id;
u_int32_t mask;
u_int8_t invert;
};
#endif /* _XT_REALM_H */
#ifndef _XT_SCTP_H_
#define _XT_SCTP_H_
#define XT_SCTP_SRC_PORTS 0x01
#define XT_SCTP_DEST_PORTS 0x02
#define XT_SCTP_CHUNK_TYPES 0x04
#define XT_SCTP_VALID_FLAGS 0x07
#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
struct xt_sctp_flag_info {
u_int8_t chunktype;
u_int8_t flag;
u_int8_t flag_mask;
};
#define XT_NUM_SCTP_FLAGS 4
struct xt_sctp_info {
u_int16_t dpts[2]; /* Min, Max */
u_int16_t spts[2]; /* Min, Max */
u_int32_t chunkmap[256 / sizeof (u_int32_t)]; /* Bit mask of chunks to be matched according to RFC 2960 */
#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */
#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */
#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */
u_int32_t chunk_match_type;
struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS];
int flag_count;
u_int32_t flags;
u_int32_t invflags;
};
#define bytes(type) (sizeof(type) * 8)
#define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \
chunkmap[type / bytes(u_int32_t)] |= \
1 << (type % bytes(u_int32_t)); \
} while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \
chunkmap[type / bytes(u_int32_t)] &= \
~(1 << (type % bytes(u_int32_t))); \
} while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \
(chunkmap[type / bytes (u_int32_t)] & \
(1 << (type % bytes (u_int32_t)))) ? 1: 0; \
})
#define SCTP_CHUNKMAP_RESET(chunkmap) \
do { \
int i; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
chunkmap[i] = 0; \
} while (0)
#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
do { \
int i; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
chunkmap[i] = ~0; \
} while (0)
#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
do { \
int i; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
destmap[i] = srcmap[i]; \
} while (0)
#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
({ \
int i; \
int flag = 1; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
if (chunkmap[i]) { \
flag = 0; \
break; \
} \
} \
flag; \
})
#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
({ \
int i; \
int flag = 1; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
if (chunkmap[i] != ~0) { \
flag = 0; \
break; \
} \
} \
flag; \
})
#endif /* _XT_SCTP_H_ */
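Review bot: `SCTP_CHUNKMAP_COPY(destmap, srcmap)` bounds its loop with `ELEMCOUNT(chunkmap)`, which is not one of the macro's parameters, so it only expands if the caller happens to have a variable named `chunkmap` in scope and then copies that many elements regardless of `destmap`'s size; `for (i = 0; i < ELEMCOUNT(destmap); i++)` is what was meant. The shift in `SCTP_CHUNKMAP_SET`/`CLEAR`/`IS_SET` is done on a signed `1`, so a chunk type whose `type % 32` is 31 left-shifts into the sign bit, which is undefined behaviour in C; `1U << (type % bytes(u_int32_t))` avoids it and matches the `u_int32_t` chunkmap elements. `bytes(type)` and `ELEMCOUNT(x)` are very generic names for a header userspace includes; an `XT_SCTP_` prefix would keep them from colliding with an includer's own macros.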
#ifndef _XT_STATE_H
#define _XT_STATE_H
#define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_STATE_INVALID (1 << 0)
#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
struct xt_state_info
{
unsigned int statemask;
};
#endif /*_XT_STATE_H*/
#ifndef _XT_STRING_H
#define _XT_STRING_H
#define XT_STRING_MAX_PATTERN_SIZE 128
#define XT_STRING_MAX_ALGO_NAME_SIZE 16
struct xt_string_info
{
u_int16_t from_offset;
u_int16_t to_offset;
char algo[XT_STRING_MAX_ALGO_NAME_SIZE];
char pattern[XT_STRING_MAX_PATTERN_SIZE];
u_int8_t patlen;
u_int8_t invert;
struct ts_config __attribute__((aligned(8))) *config;
};
#endif /*_XT_STRING_H*/
#ifndef _XT_TCPMSS_MATCH_H
#define _XT_TCPMSS_MATCH_H
struct xt_tcpmss_match_info {
u_int16_t mss_min, mss_max;
u_int8_t invert;
};
#endif /*_XT_TCPMSS_MATCH_H*/
#ifndef _XT_TCPUDP_H
#define _XT_TCPUDP_H
/* TCP matching stuff */
struct xt_tcp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t option; /* TCP Option iff non-zero*/
u_int8_t flg_mask; /* TCP flags mask byte */
u_int8_t flg_cmp; /* TCP flags compare byte */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "inv" field in struct ipt_tcp. */
#define XT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define XT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define XT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
#define XT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
#define XT_TCP_INV_MASK 0x0F /* All possible flags. */
/* UDP matching stuff */
struct xt_udp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "invflags" field in struct ipt_udp. */
#define XT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define XT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define XT_UDP_INV_MASK 0x03 /* All possible flags. */
#endif
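Review bot: The two comments introducing the inversion flags still refer to `struct ipt_tcp` and `struct ipt_udp` (and to an "inv" field that is actually `invflags`), while this header defines `struct xt_tcp` and `struct xt_udp`; `/* Values for "invflags" field in struct xt_tcp. */` and `/* Values for "invflags" field in struct xt_udp. */` point at the right types. The closing `#endif` would also benefit from a `/* _XT_TCPUDP_H */` comment as in the other new headers.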
...@@ -19,8 +19,12 @@ ...@@ -19,8 +19,12 @@
#include <linux/compiler.h> #include <linux/compiler.h>
#include <linux/netfilter_arp.h> #include <linux/netfilter_arp.h>
#define ARPT_FUNCTION_MAXNAMELEN 30 #include <linux/netfilter/x_tables.h>
#define ARPT_TABLE_MAXNAMELEN 32
#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define arpt_target xt_target
#define arpt_table xt_table
#define ARPT_DEV_ADDR_LEN_MAX 16 #define ARPT_DEV_ADDR_LEN_MAX 16
...@@ -91,11 +95,6 @@ struct arpt_standard_target ...@@ -91,11 +95,6 @@ struct arpt_standard_target
int verdict; int verdict;
}; };
struct arpt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
/* Values for "flag" field in struct arpt_ip (general arp structure). /* Values for "flag" field in struct arpt_ip (general arp structure).
* No flags defined yet. * No flags defined yet.
*/ */
...@@ -130,7 +129,7 @@ struct arpt_entry ...@@ -130,7 +129,7 @@ struct arpt_entry
unsigned int comefrom; unsigned int comefrom;
/* Packet and byte counters. */ /* Packet and byte counters. */
struct arpt_counters counters; struct xt_counters counters;
/* The matches (if any), then the target. */ /* The matches (if any), then the target. */
unsigned char elems[0]; unsigned char elems[0];
...@@ -141,23 +140,24 @@ struct arpt_entry ...@@ -141,23 +140,24 @@ struct arpt_entry
* Unlike BSD Linux inherits IP options so you don't have to use a raw * Unlike BSD Linux inherits IP options so you don't have to use a raw
* socket for this. Instead we check rights in the calls. * socket for this. Instead we check rights in the calls.
*/ */
#define ARPT_BASE_CTL 96 /* base for firewall socket options */ #define ARPT_CTL_OFFSET 32
#define ARPT_BASE_CTL (XT_BASE_CTL+ARPT_CTL_OFFSET)
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) #define ARPT_SO_SET_REPLACE (XT_SO_SET_REPLACE+ARPT_CTL_OFFSET)
#define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1) #define ARPT_SO_SET_ADD_COUNTERS (XT_SO_SET_ADD_COUNTERS+ARPT_CTL_OFFSET)
#define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS #define ARPT_SO_SET_MAX (XT_SO_SET_MAX+ARPT_CTL_OFFSET)
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL) #define ARPT_SO_GET_INFO (XT_SO_GET_INFO+ARPT_CTL_OFFSET)
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) #define ARPT_SO_GET_ENTRIES (XT_SO_GET_ENTRIES+ARPT_CTL_OFFSET)
/* #define ARPT_SO_GET_REVISION_MATCH (ARPT_BASE_CTL + 2)*/ /* #define ARPT_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH */
#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3) #define ARPT_SO_GET_REVISION_TARGET (XT_SO_GET_REVISION_TARGET+ARPT_CTL_OFFSET)
#define ARPT_SO_GET_MAX ARPT_SO_GET_REVISION_TARGET #define ARPT_SO_GET_MAX (XT_SO_GET_REVISION_TARGET+ARPT_CTL_OFFSET)
/* CONTINUE verdict for targets */ /* CONTINUE verdict for targets */
#define ARPT_CONTINUE 0xFFFFFFFF #define ARPT_CONTINUE XT_CONTINUE
/* For standard target */ /* For standard target */
#define ARPT_RETURN (-NF_REPEAT - 1) #define ARPT_RETURN XT_RETURN
/* The argument to ARPT_SO_GET_INFO */ /* The argument to ARPT_SO_GET_INFO */
struct arpt_getinfo struct arpt_getinfo
...@@ -208,23 +208,14 @@ struct arpt_replace ...@@ -208,23 +208,14 @@ struct arpt_replace
/* Number of counters (must be equal to current number of entries). */ /* Number of counters (must be equal to current number of entries). */
unsigned int num_counters; unsigned int num_counters;
/* The old entries' counters. */ /* The old entries' counters. */
struct arpt_counters __user *counters; struct xt_counters __user *counters;
/* The entries (hang off end: not really an array). */ /* The entries (hang off end: not really an array). */
struct arpt_entry entries[0]; struct arpt_entry entries[0];
}; };
/* The argument to ARPT_SO_ADD_COUNTERS. */ /* The argument to ARPT_SO_ADD_COUNTERS. */
struct arpt_counters_info #define arpt_counters_info xt_counters_info
{
/* Which table. */
char name[ARPT_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct arpt_counters counters[0];
};
/* The argument to ARPT_SO_GET_ENTRIES. */ /* The argument to ARPT_SO_GET_ENTRIES. */
struct arpt_get_entries struct arpt_get_entries
...@@ -239,19 +230,10 @@ struct arpt_get_entries ...@@ -239,19 +230,10 @@ struct arpt_get_entries
struct arpt_entry entrytable[0]; struct arpt_entry entrytable[0];
}; };
/* The argument to ARPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct arpt_get_revision
{
char name[ARPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* Standard return verdict, or do jump. */ /* Standard return verdict, or do jump. */
#define ARPT_STANDARD_TARGET "" #define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict. */ /* Error verdict. */
#define ARPT_ERROR_TARGET "ERROR" #define ARPT_ERROR_TARGET XT_ERROR_TARGET
/* Helper functions */ /* Helper functions */
static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e) static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e)
...@@ -281,63 +263,8 @@ static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e ...@@ -281,63 +263,8 @@ static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e
*/ */
#ifdef __KERNEL__ #ifdef __KERNEL__
/* Registration hooks for targets. */ #define arpt_register_target(tgt) xt_register_target(NF_ARP, tgt)
struct arpt_target #define arpt_unregister_target(tgt) xt_unregister_target(NF_ARP, tgt)
{
struct list_head list;
const char name[ARPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Returns verdict. */
unsigned int (*target)(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in,
const struct net_device *out,
const void *targinfo,
void *userdata);
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct arpt_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
extern int arpt_register_target(struct arpt_target *target);
extern void arpt_unregister_target(struct arpt_target *target);
/* Furniture shopping... */
struct arpt_table
{
struct list_head list;
/* A unique name... */
char name[ARPT_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
struct arpt_table_info *private;
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
extern int arpt_register_table(struct arpt_table *table, extern int arpt_register_table(struct arpt_table *table,
const struct arpt_replace *repl); const struct arpt_replace *repl);
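Review bot: `ARPT_SO_GET_MAX` is defined as `(XT_SO_GET_REVISION_TARGET+ARPT_CTL_OFFSET)` while `ARPT_SO_SET_MAX` goes through `XT_SO_SET_MAX`; `#define ARPT_SO_GET_MAX (XT_SO_GET_MAX+ARPT_CTL_OFFSET)` keeps the two symmetric and follows x_tables.h if further GET options are added there. The commented-out `ARPT_SO_GET_REVISION_MATCH` is the only option in the block without `+ARPT_CTL_OFFSET`, so if it is ever enabled it would take the same value as `IPT_SO_GET_REVISION_MATCH`; either add the offset now or drop the dead line. The `#define arpt_target xt_target` alias replaces the removed struct, whose `checkentry` took a typed `const struct arpt_entry *e`, with one taking `const void *entry`, so the compiler no longer checks that arp targets dereference the right entry type; a one-line comment next to the alias telling implementers they must cast `entry` themselves would make that visible.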
...@@ -199,9 +199,6 @@ ip_conntrack_put(struct ip_conntrack *ct) ...@@ -199,9 +199,6 @@ ip_conntrack_put(struct ip_conntrack *ct)
nf_conntrack_put(&ct->ct_general); nf_conntrack_put(&ct->ct_general);
} }
/* call to create an explicit dependency on ip_conntrack. */
extern void need_ip_conntrack(void);
extern int invert_tuplepr(struct ip_conntrack_tuple *inverse, extern int invert_tuplepr(struct ip_conntrack_tuple *inverse,
const struct ip_conntrack_tuple *orig); const struct ip_conntrack_tuple *orig);
...@@ -25,8 +25,14 @@ ...@@ -25,8 +25,14 @@
#include <linux/compiler.h> #include <linux/compiler.h>
#include <linux/netfilter_ipv4.h> #include <linux/netfilter_ipv4.h>
#define IPT_FUNCTION_MAXNAMELEN 30 #include <linux/netfilter/x_tables.h>
#define IPT_TABLE_MAXNAMELEN 32
#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define IPT_TABLE_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ipt_match xt_match
#define ipt_target xt_target
#define ipt_table xt_table
#define ipt_get_revision xt_get_revision
/* Yes, Virginia, you have to zero the padding. */ /* Yes, Virginia, you have to zero the padding. */
struct ipt_ip { struct ipt_ip {
...@@ -102,10 +108,7 @@ struct ipt_standard_target ...@@ -102,10 +108,7 @@ struct ipt_standard_target
int verdict; int verdict;
}; };
struct ipt_counters #define ipt_counters xt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
/* Values for "flag" field in struct ipt_ip (general ip structure). */ /* Values for "flag" field in struct ipt_ip (general ip structure). */
#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
...@@ -119,7 +122,7 @@ struct ipt_counters ...@@ -119,7 +122,7 @@ struct ipt_counters
#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ #define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ #define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */ #define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */
#define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ #define IPT_INV_PROTO XT_INV_PROTO
#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */ #define IPT_INV_MASK 0x7F /* All possible flag bits mask. */
/* This structure defines each of the firewall rules. Consists of 3 /* This structure defines each of the firewall rules. Consists of 3
...@@ -141,7 +144,7 @@ struct ipt_entry ...@@ -141,7 +144,7 @@ struct ipt_entry
unsigned int comefrom; unsigned int comefrom;
/* Packet and byte counters. */ /* Packet and byte counters. */
struct ipt_counters counters; struct xt_counters counters;
/* The matches (if any), then the target. */ /* The matches (if any), then the target. */
unsigned char elems[0]; unsigned char elems[0];
...@@ -151,54 +154,34 @@ struct ipt_entry ...@@ -151,54 +154,34 @@ struct ipt_entry
* New IP firewall options for [gs]etsockopt at the RAW IP level. * New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use a raw * Unlike BSD Linux inherits IP options so you don't have to use a raw
* socket for this. Instead we check rights in the calls. */ * socket for this. Instead we check rights in the calls. */
#define IPT_BASE_CTL 64 /* base for firewall socket options */ #define IPT_BASE_CTL XT_BASE_CTL
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL) #define IPT_SO_SET_REPLACE XT_SO_SET_REPLACE
#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) #define IPT_SO_SET_ADD_COUNTERS XT_SO_SET_ADD_COUNTERS
#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS #define IPT_SO_SET_MAX XT_SO_SET_MAX
#define IPT_SO_GET_INFO (IPT_BASE_CTL) #define IPT_SO_GET_INFO XT_SO_GET_INFO
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) #define IPT_SO_GET_ENTRIES XT_SO_GET_ENTRIES
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2) #define IPT_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) #define IPT_SO_GET_REVISION_TARGET XT_SO_GET_REVISION_TARGET
#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET #define IPT_SO_GET_MAX XT_SO_GET_REVISION_TARGET
/* CONTINUE verdict for targets */ #define IPT_CONTINUE XT_CONTINUE
#define IPT_CONTINUE 0xFFFFFFFF #define IPT_RETURN XT_RETURN
/* For standard target */ #include <linux/netfilter/xt_tcpudp.h>
#define IPT_RETURN (-NF_REPEAT - 1) #define ipt_udp xt_udp
#define ipt_tcp xt_tcp
/* TCP matching stuff */ #define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT
struct ipt_tcp #define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT
{ #define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS
u_int16_t spts[2]; /* Source port range. */ #define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION
u_int16_t dpts[2]; /* Destination port range. */ #define IPT_TCP_INV_MASK XT_TCP_INV_MASK
u_int8_t option; /* TCP Option iff non-zero*/
u_int8_t flg_mask; /* TCP flags mask byte */
u_int8_t flg_cmp; /* TCP flags compare byte */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "inv" field in struct ipt_tcp. */ #define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT
#define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ #define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT
#define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ #define IPT_UDP_INV_MASK XT_UDP_INV_MASK
#define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
#define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
#define IPT_TCP_INV_MASK 0x0F /* All possible flags. */
/* UDP matching stuff */
struct ipt_udp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "invflags" field in struct ipt_udp. */
#define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define IPT_UDP_INV_MASK 0x03 /* All possible flags. */
/* ICMP matching stuff */ /* ICMP matching stuff */
struct ipt_icmp struct ipt_icmp
...@@ -260,23 +243,14 @@ struct ipt_replace ...@@ -260,23 +243,14 @@ struct ipt_replace
/* Number of counters (must be equal to current number of entries). */ /* Number of counters (must be equal to current number of entries). */
unsigned int num_counters; unsigned int num_counters;
/* The old entries' counters. */ /* The old entries' counters. */
struct ipt_counters __user *counters; struct xt_counters __user *counters;
/* The entries (hang off end: not really an array). */ /* The entries (hang off end: not really an array). */
struct ipt_entry entries[0]; struct ipt_entry entries[0];
}; };
/* The argument to IPT_SO_ADD_COUNTERS. */ /* The argument to IPT_SO_ADD_COUNTERS. */
struct ipt_counters_info #define ipt_counters_info xt_counters_info
{
/* Which table. */
char name[IPT_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct ipt_counters counters[0];
};
/* The argument to IPT_SO_GET_ENTRIES. */ /* The argument to IPT_SO_GET_ENTRIES. */
struct ipt_get_entries struct ipt_get_entries
...@@ -291,19 +265,10 @@ struct ipt_get_entries ...@@ -291,19 +265,10 @@ struct ipt_get_entries
struct ipt_entry entrytable[0]; struct ipt_entry entrytable[0];
}; };
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct ipt_get_revision
{
char name[IPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* Standard return verdict, or do jump. */ /* Standard return verdict, or do jump. */
#define IPT_STANDARD_TARGET "" #define IPT_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict. */ /* Error verdict. */
#define IPT_ERROR_TARGET "ERROR" #define IPT_ERROR_TARGET XT_ERROR_TARGET
/* Helper functions */ /* Helper functions */
static __inline__ struct ipt_entry_target * static __inline__ struct ipt_entry_target *
...@@ -356,103 +321,18 @@ ipt_get_target(struct ipt_entry *e) ...@@ -356,103 +321,18 @@ ipt_get_target(struct ipt_entry *e)
#include <linux/init.h> #include <linux/init.h>
extern void ipt_init(void) __init; extern void ipt_init(void) __init;
struct ipt_match #define ipt_register_target(tgt) xt_register_target(AF_INET, tgt)
{ #define ipt_unregister_target(tgt) xt_unregister_target(AF_INET, tgt)
struct list_head list;
const char name[IPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.4, as this must now handle
non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
int *hotdrop);
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ipt_ip *ip,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *matchinfo, unsigned int matchinfosize);
/* Set this to THIS_MODULE. */
struct module *me;
};
/* Registration hooks for targets. */
struct ipt_target
{
struct list_head list;
const char name[IPT_FUNCTION_MAXNAMELEN-1]; #define ipt_register_match(mtch) xt_register_match(AF_INET, mtch)
#define ipt_unregister_match(mtch) xt_unregister_match(AF_INET, mtch)
u_int8_t revision; //#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
//#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
/* Called when user tries to insert an entry of this type: extern int ipt_register_table(struct ipt_table *table,
hook_mask is a bitmask of hooks from which it can be const struct ipt_replace *repl);
called. */ extern void ipt_unregister_table(struct ipt_table *table);
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ipt_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Returns verdict. Argument order changed since 2.4, as this
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
unsigned int (*target)(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userdata);
/* Set this to THIS_MODULE. */
struct module *me;
};
extern int ipt_register_target(struct ipt_target *target);
extern void ipt_unregister_target(struct ipt_target *target);
extern int ipt_register_match(struct ipt_match *match);
extern void ipt_unregister_match(struct ipt_match *match);
/* Furniture shopping... */
struct ipt_table
{
struct list_head list;
/* A unique name... */
char name[IPT_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
struct ipt_table_info *private;
/* Set to THIS_MODULE. */
struct module *me;
};
/* net/sched/ipt.c: Gimme access to your targets! Gets target->me. */ /* net/sched/ipt.c: Gimme access to your targets! Gets target->me. */
extern struct ipt_target *ipt_find_target(const char *name, u8 revision); extern struct ipt_target *ipt_find_target(const char *name, u8 revision);
...@@ -476,9 +356,6 @@ struct ipt_error ...@@ -476,9 +356,6 @@ struct ipt_error
struct ipt_error_target target; struct ipt_error_target target;
}; };
extern int ipt_register_table(struct ipt_table *table,
const struct ipt_replace *repl);
extern void ipt_unregister_table(struct ipt_table *table);
extern unsigned int ipt_do_table(struct sk_buff **pskb, extern unsigned int ipt_do_table(struct sk_buff **pskb,
unsigned int hook, unsigned int hook,
const struct net_device *in, const struct net_device *in,
...@@ -486,6 +363,6 @@ extern unsigned int ipt_do_table(struct sk_buff **pskb, ...@@ -486,6 +363,6 @@ extern unsigned int ipt_do_table(struct sk_buff **pskb,
struct ipt_table *table, struct ipt_table *table,
void *userdata); void *userdata);
#define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1)) #define IPT_ALIGN(s) XT_ALIGN(s)
#endif /*__KERNEL__*/ #endif /*__KERNEL__*/
#endif /* _IPTABLES_H */ #endif /* _IPTABLES_H */
#ifndef _IPT_CLASSIFY_H #ifndef _IPT_CLASSIFY_H
#define _IPT_CLASSIFY_H #define _IPT_CLASSIFY_H
struct ipt_classify_target_info { #include <linux/netfilter/xt_CLASSIFY.h>
u_int32_t priority; #define ipt_classify_target_info xt_classify_target_info
};
#endif /*_IPT_CLASSIFY_H */ #endif /*_IPT_CLASSIFY_H */
...@@ -9,17 +9,11 @@ ...@@ -9,17 +9,11 @@
* the Free Software Foundation; either version 2 of the License, or * the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version. * (at your option) any later version.
*/ */
#include <linux/netfilter/xt_CONNMARK.h>
#define IPT_CONNMARK_SET XT_CONNMARK_SET
#define IPT_CONNMARK_SAVE XT_CONNMARK_SAVE
#define IPT_CONNMARK_RESTORE XT_CONNMARK_RESTORE
enum { #define ipt_connmark_target_info xt_connmark_target_info
IPT_CONNMARK_SET = 0,
IPT_CONNMARK_SAVE,
IPT_CONNMARK_RESTORE
};
struct ipt_connmark_target_info {
unsigned long mark;
unsigned long mask;
u_int8_t mode;
};
#endif /*_IPT_CONNMARK_H_target*/ #endif /*_IPT_CONNMARK_H_target*/
#ifndef _IPT_MARK_H_target #ifndef _IPT_MARK_H_target
#define _IPT_MARK_H_target #define _IPT_MARK_H_target
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_MARK.h>
/* Version 0 */ /* Version 0 */
struct ipt_mark_target_info { #define ipt_mark_target_info xt_mark_target_info
unsigned long mark;
};
/* Version 1 */ /* Version 1 */
enum { #define IPT_MARK_SET XT_MARK_SET
IPT_MARK_SET=0, #define IPT_MARK_AND XT_MARK_AND
IPT_MARK_AND, #define IPT_MARK_OR XT_MARK_OR
IPT_MARK_OR
}; #define ipt_mark_target_info_v1 xt_mark_target_info_v1
struct ipt_mark_target_info_v1 {
unsigned long mark;
u_int8_t mode;
};
#endif /*_IPT_MARK_H_target*/ #endif /*_IPT_MARK_H_target*/
...@@ -8,9 +8,9 @@ ...@@ -8,9 +8,9 @@
#ifndef _IPT_NFQ_TARGET_H #ifndef _IPT_NFQ_TARGET_H
#define _IPT_NFQ_TARGET_H #define _IPT_NFQ_TARGET_H
/* target info */ /* Backwards compatibility for old userspace */
struct ipt_NFQ_info { #include <linux/netfilter/xt_NFQUEUE.h>
u_int16_t queuenum;
}; #define ipt_NFQ_info xt_NFQ_info
#endif /* _IPT_DSCP_TARGET_H */ #endif /* _IPT_DSCP_TARGET_H */
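Review bot: The closing guard comment on the last line still reads `#endif /* _IPT_DSCP_TARGET_H */` although the guard opened at the top of this header is `_IPT_NFQ_TARGET_H`. The mismatch is harmless to the preprocessor but misleads anyone checking that guards pair up, and the ip6t_limit.h wrapper in this same commit fixes the analogous stale comment, so this one should be brought in line too: `#endif /* _IPT_NFQ_TARGET_H */`.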
#ifndef _IPT_COMMENT_H #ifndef _IPT_COMMENT_H
#define _IPT_COMMENT_H #define _IPT_COMMENT_H
#define IPT_MAX_COMMENT_LEN 256 #include <linux/netfilter/xt_comment.h>
struct ipt_comment_info { #define IPT_MAX_COMMENT_LEN XT_MAX_COMMENT_LEN
unsigned char comment[IPT_MAX_COMMENT_LEN];
}; #define ipt_comment_info xt_comment_info
#endif /* _IPT_COMMENT_H */ #endif /* _IPT_COMMENT_H */
#ifndef _IPT_CONNBYTES_H #ifndef _IPT_CONNBYTES_H
#define _IPT_CONNBYTES_H #define _IPT_CONNBYTES_H
enum ipt_connbytes_what { #include <net/netfilter/xt_connbytes.h>
IPT_CONNBYTES_PKTS, #define ipt_connbytes_what xt_connbytes_what
IPT_CONNBYTES_BYTES,
IPT_CONNBYTES_AVGPKT,
};
enum ipt_connbytes_direction { #define IPT_CONNBYTES_PKTS XT_CONNBYTES_PACKETS
IPT_CONNBYTES_DIR_ORIGINAL, #define IPT_CONNBYTES_BYTES XT_CONNBYTES_BYTES
IPT_CONNBYTES_DIR_REPLY, #define IPT_CONNBYTES_AVGPKT XT_CONNBYTES_AVGPKT
IPT_CONNBYTES_DIR_BOTH,
}; #define ipt_connbytes_direction xt_connbytes_direction
#define IPT_CONNBYTES_DIR_ORIGINAL XT_CONNBYTES_DIR_ORIGINAL
#define IPT_CONNBYTES_DIR_REPLY XT_CONNBYTES_DIR_REPLY
#define IPT_CONNBYTES_DIR_BOTH XT_CONNBYTES_DIR_BOTH
#define ipt_connbytes_info xt_connbytes_info
struct ipt_connbytes_info
{
struct {
aligned_u64 from; /* count to be matched */
aligned_u64 to; /* count to be matched */
} count;
u_int8_t what; /* ipt_connbytes_what */
u_int8_t direction; /* ipt_connbytes_direction */
};
#endif #endif
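Review bot: The include at the top of this section is `#include <net/netfilter/xt_connbytes.h>`, while every other compatibility wrapper in this commit — and the commit message itself — places the xt_* headers under include/linux/netfilter/. Unless xt_connbytes.h is deliberately installed under include/net, this path will not resolve for userspace builds that only see the linux/ header tree, and it should read `#include <linux/netfilter/xt_connbytes.h>`. The alias `#define IPT_CONNBYTES_PKTS XT_CONNBYTES_PACKETS` is the one place in these wrappers where the old and new suffixes differ, so a short comment such as `/* xt_ name spells out PACKETS */` would stop the next reader from treating it as a typo.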
#ifndef _IPT_CONNMARK_H #ifndef _IPT_CONNMARK_H
#define _IPT_CONNMARK_H #define _IPT_CONNMARK_H
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> #include <linux/netfilter/xt_connmark.h>
* by Henrik Nordstrom <hno@marasystems.com> #define ipt_connmark_info xt_connmark_info
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
struct ipt_connmark_info {
unsigned long mark, mask;
u_int8_t invert;
};
#endif /*_IPT_CONNMARK_H*/ #endif /*_IPT_CONNMARK_H*/
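Review bot: The copyright and GPL notice for MARA Systems / Henrik Nordstrom disappears from this header along with the struct it covered, leaving the wrapper with no attribution at all. If the notice was carried over into xt_connmark.h together with the struct definition that is acceptable, but that is not visible from this page, so it is worth confirming; otherwise the notice should be kept in this file above the `#include` line.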
...@@ -5,56 +5,24 @@ ...@@ -5,56 +5,24 @@
#ifndef _IPT_CONNTRACK_H #ifndef _IPT_CONNTRACK_H
#define _IPT_CONNTRACK_H #define _IPT_CONNTRACK_H
#define IPT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) #include <linux/netfilter/xt_conntrack.h>
#define IPT_CONNTRACK_STATE_INVALID (1 << 0)
#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1)) #define IPT_CONNTRACK_STATE_BIT(ctinfo) XT_CONNTRACK_STATE_BIT(ctinfo)
#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2)) #define IPT_CONNTRACK_STATE_INVALID XT_CONNTRACK_STATE_INVALID
#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
/* flags, invflags: */ #define IPT_CONNTRACK_STATE_SNAT XT_CONNTRACK_STATE_SNAT
#define IPT_CONNTRACK_STATE 0x01 #define IPT_CONNTRACK_STATE_DNAT XT_CONNTRACK_STATE_DNAT
#define IPT_CONNTRACK_PROTO 0x02 #define IPT_CONNTRACK_STATE_UNTRACKED XT_CONNTRACK_STATE_UNTRACKED
#define IPT_CONNTRACK_ORIGSRC 0x04
#define IPT_CONNTRACK_ORIGDST 0x08
#define IPT_CONNTRACK_REPLSRC 0x10
#define IPT_CONNTRACK_REPLDST 0x20
#define IPT_CONNTRACK_STATUS 0x40
#define IPT_CONNTRACK_EXPIRES 0x80
/* This is exposed to userspace, so remains frozen in time. */
struct ip_conntrack_old_tuple
{
struct {
__u32 ip;
union {
__u16 all;
} u;
} src;
struct {
__u32 ip;
union {
__u16 all;
} u;
/* The protocol. */
u16 protonum;
} dst;
};
struct ipt_conntrack_info /* flags, invflags: */
{ #define IPT_CONNTRACK_STATE XT_CONNTRACK_STATE
unsigned int statemask, statusmask; #define IPT_CONNTRACK_PROTO XT_CONNTRACK_PROTO
#define IPT_CONNTRACK_ORIGSRC XT_CONNTRACK_ORIGSRC
struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX]; #define IPT_CONNTRACK_ORIGDST XT_CONNTRACK_ORIGDST
struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX]; #define IPT_CONNTRACK_REPLSRC XT_CONNTRACK_REPLSRC
#define IPT_CONNTRACK_REPLDST XT_CONNTRACK_REPLDST
unsigned long expires_min, expires_max; #define IPT_CONNTRACK_STATUS XT_CONNTRACK_STATUS
#define IPT_CONNTRACK_EXPIRES XT_CONNTRACK_EXPIRES
/* Flags word */
u_int8_t flags; #define ipt_conntrack_info xt_conntrack_info
/* Inverse flags */
u_int8_t invflags;
};
#endif /*_IPT_CONNTRACK_H*/ #endif /*_IPT_CONNTRACK_H*/
#ifndef _IPT_DCCP_H_ #ifndef _IPT_DCCP_H_
#define _IPT_DCCP_H_ #define _IPT_DCCP_H_
#define IPT_DCCP_SRC_PORTS 0x01 #include <linux/netfilter/xt_dccp.h>
#define IPT_DCCP_DEST_PORTS 0x02 #define IPT_DCCP_SRC_PORTS XT_DCCP_SRC_PORTS
#define IPT_DCCP_TYPE 0x04 #define IPT_DCCP_DEST_PORTS XT_DCCP_DEST_PORTS
#define IPT_DCCP_OPTION 0x08 #define IPT_DCCP_TYPE XT_DCCP_TYPE
#define IPT_DCCP_OPTION XT_DCCP_OPTION
#define IPT_DCCP_VALID_FLAGS 0x0f #define IPT_DCCP_VALID_FLAGS XT_DCCP_VALID_FLAGS
struct ipt_dccp_info { #define ipt_dccp_info xt_dccp_info
u_int16_t dpts[2]; /* Min, Max */
u_int16_t spts[2]; /* Min, Max */
u_int16_t flags;
u_int16_t invflags;
u_int16_t typemask;
u_int8_t option;
};
#endif /* _IPT_DCCP_H_ */ #endif /* _IPT_DCCP_H_ */
#ifndef _IPT_HELPER_H #ifndef _IPT_HELPER_H
#define _IPT_HELPER_H #define _IPT_HELPER_H
struct ipt_helper_info { #include <linux/netfilter/xt_helper.h>
int invert; #define ipt_helper_info xt_helper_info
char name[30];
};
#endif /* _IPT_HELPER_H */ #endif /* _IPT_HELPER_H */
#ifndef _IPT_LENGTH_H #ifndef _IPT_LENGTH_H
#define _IPT_LENGTH_H #define _IPT_LENGTH_H
struct ipt_length_info { #include <linux/netfilter/xt_length.h>
u_int16_t min, max; #define ipt_length_info xt_length_info
u_int8_t invert;
};
#endif /*_IPT_LENGTH_H*/ #endif /*_IPT_LENGTH_H*/
#ifndef _IPT_RATE_H #ifndef _IPT_RATE_H
#define _IPT_RATE_H #define _IPT_RATE_H
/* timings are in milliseconds. */ #include <linux/netfilter/xt_limit.h>
#define IPT_LIMIT_SCALE 10000 #define IPT_LIMIT_SCALE XT_LIMIT_SCALE
#define ipt_rateinfo xt_rateinfo
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
struct ipt_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* Used internally by the kernel */
unsigned long prev;
u_int32_t credit;
u_int32_t credit_cap, cost;
/* Ugly, ugly fucker. */
struct ipt_rateinfo *master;
};
#endif /*_IPT_RATE_H*/ #endif /*_IPT_RATE_H*/
#ifndef _IPT_MAC_H #ifndef _IPT_MAC_H
#define _IPT_MAC_H #define _IPT_MAC_H
struct ipt_mac_info { #include <linux/netfilter/xt_mac.h>
unsigned char srcaddr[ETH_ALEN]; #define ipt_mac_info xt_mac_info
int invert;
};
#endif /*_IPT_MAC_H*/ #endif /*_IPT_MAC_H*/
#ifndef _IPT_MARK_H #ifndef _IPT_MARK_H
#define _IPT_MARK_H #define _IPT_MARK_H
struct ipt_mark_info { /* Backwards compatibility for old userspace */
unsigned long mark, mask; #include <linux/netfilter/xt_mark.h>
u_int8_t invert;
}; #define ipt_mark_info xt_mark_info
#endif /*_IPT_MARK_H*/ #endif /*_IPT_MARK_H*/
#ifndef _IPT_PHYSDEV_H #ifndef _IPT_PHYSDEV_H
#define _IPT_PHYSDEV_H #define _IPT_PHYSDEV_H
#ifdef __KERNEL__ /* Backwards compatibility for old userspace */
#include <linux/if.h>
#endif
#define IPT_PHYSDEV_OP_IN 0x01 #include <linux/netfilter/xt_physdev.h>
#define IPT_PHYSDEV_OP_OUT 0x02
#define IPT_PHYSDEV_OP_BRIDGED 0x04
#define IPT_PHYSDEV_OP_ISIN 0x08
#define IPT_PHYSDEV_OP_ISOUT 0x10
#define IPT_PHYSDEV_OP_MASK (0x20 - 1)
struct ipt_physdev_info { #define IPT_PHYSDEV_OP_IN XT_PHYSDEV_OP_IN
char physindev[IFNAMSIZ]; #define IPT_PHYSDEV_OP_OUT XT_PHYSDEV_OP_OUT
char in_mask[IFNAMSIZ]; #define IPT_PHYSDEV_OP_BRIDGED XT_PHYSDEV_OP_BRIDGED
char physoutdev[IFNAMSIZ]; #define IPT_PHYSDEV_OP_ISIN XT_PHYSDEV_OP_ISIN
char out_mask[IFNAMSIZ]; #define IPT_PHYSDEV_OP_ISOUT XT_PHYSDEV_OP_ISOUT
u_int8_t invert; #define IPT_PHYSDEV_OP_MASK XT_PHYSDEV_OP_MASK
u_int8_t bitmask;
}; #define ipt_physdev_info xt_physdev_info
#endif /*_IPT_PHYSDEV_H*/ #endif /*_IPT_PHYSDEV_H*/
#ifndef _IPT_PKTTYPE_H #ifndef _IPT_PKTTYPE_H
#define _IPT_PKTTYPE_H #define _IPT_PKTTYPE_H
struct ipt_pkttype_info { #include <linux/netfilter/xt_pkttype.h>
int pkttype; #define ipt_pkttype_info xt_pkttype_info
int invert;
};
#endif /*_IPT_PKTTYPE_H*/ #endif /*_IPT_PKTTYPE_H*/
#ifndef _IPT_REALM_H #ifndef _IPT_REALM_H
#define _IPT_REALM_H #define _IPT_REALM_H
struct ipt_realm_info { #include <linux/netfilter/xt_realm.h>
u_int32_t id; #define ipt_realm_info xt_realm_info
u_int32_t mask;
u_int8_t invert;
};
#endif /* _IPT_REALM_H */ #endif /* _IPT_REALM_H */
#ifndef _IPT_STATE_H #ifndef _IPT_STATE_H
#define _IPT_STATE_H #define _IPT_STATE_H
#define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) /* Backwards compatibility for old userspace */
#define IPT_STATE_INVALID (1 << 0)
#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1)) #include <linux/netfilter/xt_state.h>
#define IPT_STATE_BIT XT_STATE_BIT
#define IPT_STATE_INVALID XT_STATE_INVALID
#define IPT_STATE_UNTRACKED XT_STATE_UNTRACKED
#define ipt_state_info xt_state_info
struct ipt_state_info
{
unsigned int statemask;
};
#endif /*_IPT_STATE_H*/ #endif /*_IPT_STATE_H*/
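Review bot: `#define IPT_STATE_BIT XT_STATE_BIT` aliases a function-like macro as an object-like one, whereas the ipt_conntrack.h wrapper in this commit spells out the parameter as `IPT_CONNTRACK_STATE_BIT(ctinfo) XT_CONNTRACK_STATE_BIT(ctinfo)`. Both forms expand the same way when invoked with an argument, but the two wrappers should use one style; the explicit form `#define IPT_STATE_BIT(ctinfo) XT_STATE_BIT(ctinfo)` also documents that a parameter is expected.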
#ifndef _IPT_STRING_H #ifndef _IPT_STRING_H
#define _IPT_STRING_H #define _IPT_STRING_H
#define IPT_STRING_MAX_PATTERN_SIZE 128 #include <linux/netfilter/xt_string.h>
#define IPT_STRING_MAX_ALGO_NAME_SIZE 16
struct ipt_string_info #define IPT_STRING_MAX_PATTERN_SIZE XT_STRING_MAX_PATTERN_SIZE
{ #define IPT_STRING_MAX_ALGO_NAME_SIZE XT_STRING_MAX_ALGO_NAME_SIZE
u_int16_t from_offset; #define ipt_string_info xt_string_info
u_int16_t to_offset;
char algo[IPT_STRING_MAX_ALGO_NAME_SIZE];
char pattern[IPT_STRING_MAX_PATTERN_SIZE];
u_int8_t patlen;
u_int8_t invert;
struct ts_config __attribute__((aligned(8))) *config;
};
#endif /*_IPT_STRING_H*/ #endif /*_IPT_STRING_H*/
#ifndef _IPT_TCPMSS_MATCH_H #ifndef _IPT_TCPMSS_MATCH_H
#define _IPT_TCPMSS_MATCH_H #define _IPT_TCPMSS_MATCH_H
struct ipt_tcpmss_match_info { #include <linux/netfilter/xt_tcpmss.h>
u_int16_t mss_min, mss_max; #define ipt_tcpmss_match_info xt_tcpmss_match_info
u_int8_t invert;
};
#endif /*_IPT_TCPMSS_MATCH_H*/ #endif /*_IPT_TCPMSS_MATCH_H*/
...@@ -25,8 +25,15 @@ ...@@ -25,8 +25,15 @@
#include <linux/compiler.h> #include <linux/compiler.h>
#include <linux/netfilter_ipv6.h> #include <linux/netfilter_ipv6.h>
#define IP6T_FUNCTION_MAXNAMELEN 30 #include <linux/netfilter/x_tables.h>
#define IP6T_TABLE_MAXNAMELEN 32
#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define ip6t_match xt_match
#define ip6t_target xt_target
#define ip6t_table xt_table
#define ip6t_get_revision xt_get_revision
/* Yes, Virginia, you have to zero the padding. */ /* Yes, Virginia, you have to zero the padding. */
struct ip6t_ip6 { struct ip6t_ip6 {
...@@ -104,10 +111,7 @@ struct ip6t_standard_target ...@@ -104,10 +111,7 @@ struct ip6t_standard_target
int verdict; int verdict;
}; };
struct ip6t_counters #define ip6t_counters xt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
...@@ -123,7 +127,7 @@ struct ip6t_counters ...@@ -123,7 +127,7 @@ struct ip6t_counters
#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ #define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ #define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */ #define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */
#define IP6T_INV_PROTO 0x40 /* Invert the sense of PROTO. */ #define IP6T_INV_PROTO XT_INV_PROTO
#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */ #define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */
/* This structure defines each of the firewall rules. Consists of 3 /* This structure defines each of the firewall rules. Consists of 3
...@@ -145,7 +149,7 @@ struct ip6t_entry ...@@ -145,7 +149,7 @@ struct ip6t_entry
unsigned int comefrom; unsigned int comefrom;
/* Packet and byte counters. */ /* Packet and byte counters. */
struct ip6t_counters counters; struct xt_counters counters;
/* The matches (if any), then the target. */ /* The matches (if any), then the target. */
unsigned char elems[0]; unsigned char elems[0];
...@@ -155,54 +159,41 @@ struct ip6t_entry ...@@ -155,54 +159,41 @@ struct ip6t_entry
* New IP firewall options for [gs]etsockopt at the RAW IP level. * New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use * Unlike BSD Linux inherits IP options so you don't have to use
* a raw socket for this. Instead we check rights in the calls. */ * a raw socket for this. Instead we check rights in the calls. */
#define IP6T_BASE_CTL 64 /* base for firewall socket options */ #define IP6T_BASE_CTL XT_BASE_CTL
#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL) #define IP6T_SO_SET_REPLACE XT_SO_SET_REPLACE
#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1) #define IP6T_SO_SET_ADD_COUNTERS XT_SO_SET_ADD_COUNTERS
#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS #define IP6T_SO_SET_MAX XT_SO_SET_MAX
#define IP6T_SO_GET_INFO (IP6T_BASE_CTL) #define IP6T_SO_GET_INFO XT_SO_GET_INFO
#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1) #define IP6T_SO_GET_ENTRIES XT_SO_GET_ENTRIES
#define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 2) #define IP6T_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH
#define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 3) #define IP6T_SO_GET_REVISION_TARGET XT_SO_GET_REVISION_TARGET
#define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET #define IP6T_SO_GET_MAX XT_SO_GET_REVISION_TARGET
/* CONTINUE verdict for targets */ /* CONTINUE verdict for targets */
#define IP6T_CONTINUE 0xFFFFFFFF #define IP6T_CONTINUE XT_CONTINUE
/* For standard target */ /* For standard target */
#define IP6T_RETURN (-NF_REPEAT - 1) #define IP6T_RETURN XT_RETURN
/* TCP matching stuff */ /* TCP/UDP matching stuff */
struct ip6t_tcp #include <linux/netfilter/xt_tcpudp.h>
{
u_int16_t spts[2]; /* Source port range. */ #define ip6t_tcp xt_tcp
u_int16_t dpts[2]; /* Destination port range. */ #define ip6t_udp xt_udp
u_int8_t option; /* TCP Option iff non-zero*/
u_int8_t flg_mask; /* TCP flags mask byte */
u_int8_t flg_cmp; /* TCP flags compare byte */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "inv" field in struct ipt_tcp. */ /* Values for "inv" field in struct ipt_tcp. */
#define IP6T_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ #define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT
#define IP6T_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ #define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT
#define IP6T_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */ #define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS
#define IP6T_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */ #define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION
#define IP6T_TCP_INV_MASK 0x0F /* All possible flags. */ #define IP6T_TCP_INV_MASK XT_TCP_INV_MASK
/* UDP matching stuff */
struct ip6t_udp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "invflags" field in struct ipt_udp. */ /* Values for "invflags" field in struct ipt_udp. */
#define IP6T_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ #define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT
#define IP6T_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ #define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT
#define IP6T_UDP_INV_MASK 0x03 /* All possible flags. */ #define IP6T_UDP_INV_MASK XT_UDP_INV_MASK
/* ICMP matching stuff */ /* ICMP matching stuff */
struct ip6t_icmp struct ip6t_icmp
...@@ -264,23 +255,14 @@ struct ip6t_replace ...@@ -264,23 +255,14 @@ struct ip6t_replace
/* Number of counters (must be equal to current number of entries). */ /* Number of counters (must be equal to current number of entries). */
unsigned int num_counters; unsigned int num_counters;
/* The old entries' counters. */ /* The old entries' counters. */
struct ip6t_counters __user *counters; struct xt_counters __user *counters;
/* The entries (hang off end: not really an array). */ /* The entries (hang off end: not really an array). */
struct ip6t_entry entries[0]; struct ip6t_entry entries[0];
}; };
/* The argument to IP6T_SO_ADD_COUNTERS. */ /* The argument to IP6T_SO_ADD_COUNTERS. */
struct ip6t_counters_info #define ip6t_counters_info xt_counters_info
{
/* Which table. */
char name[IP6T_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct ip6t_counters counters[0];
};
/* The argument to IP6T_SO_GET_ENTRIES. */ /* The argument to IP6T_SO_GET_ENTRIES. */
struct ip6t_get_entries struct ip6t_get_entries
...@@ -295,19 +277,10 @@ struct ip6t_get_entries ...@@ -295,19 +277,10 @@ struct ip6t_get_entries
struct ip6t_entry entrytable[0]; struct ip6t_entry entrytable[0];
}; };
/* The argument to IP6T_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct ip6t_get_revision
{
char name[IP6T_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* Standard return verdict, or do jump. */ /* Standard return verdict, or do jump. */
#define IP6T_STANDARD_TARGET "" #define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict. */ /* Error verdict. */
#define IP6T_ERROR_TARGET "ERROR" #define IP6T_ERROR_TARGET XT_ERROR_TARGET
/* Helper functions */ /* Helper functions */
static __inline__ struct ip6t_entry_target * static __inline__ struct ip6t_entry_target *
...@@ -361,104 +334,11 @@ ip6t_get_target(struct ip6t_entry *e) ...@@ -361,104 +334,11 @@ ip6t_get_target(struct ip6t_entry *e)
#include <linux/init.h> #include <linux/init.h>
extern void ip6t_init(void) __init; extern void ip6t_init(void) __init;
struct ip6t_match #define ip6t_register_target(tgt) xt_register_target(AF_INET6, tgt)
{ #define ip6t_unregister_target(tgt) xt_unregister_target(AF_INET6, tgt)
struct list_head list;
const char name[IP6T_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.6.9, as this must now handle
non-linear skb, using skb_header_pointer and
skb_ip_make_writable. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop);
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ip6t_ip6 *ip,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *matchinfo, unsigned int matchinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
/* Registration hooks for targets. */
struct ip6t_target
{
struct list_head list;
const char name[IP6T_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Returns verdict. Argument order changed since 2.6.9, as this
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
unsigned int (*target)(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userdata);
/* Called when user tries to insert an entry of this type: #define ip6t_register_match(match) xt_register_match(AF_INET6, match)
hook_mask is a bitmask of hooks from which it can be #define ip6t_unregister_match(match) xt_unregister_match(AF_INET6, match)
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ip6t_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
extern int ip6t_register_target(struct ip6t_target *target);
extern void ip6t_unregister_target(struct ip6t_target *target);
extern int ip6t_register_match(struct ip6t_match *match);
extern void ip6t_unregister_match(struct ip6t_match *match);
/* Furniture shopping... */
struct ip6t_table
{
struct list_head list;
/* A unique name... */
char name[IP6T_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
struct ip6t_table_info *private;
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
extern int ip6t_register_table(struct ip6t_table *table, extern int ip6t_register_table(struct ip6t_table *table,
const struct ip6t_replace *repl); const struct ip6t_replace *repl);
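Review bot: `IP6T_INV_MASK` keeps its literal `0x7F` while `IP6T_INV_PROTO` on the line above it now resolves to `XT_INV_PROTO`; if the xt_ value ever differs from the old 0x40 the mask silently stops covering the proto bit, so the coupling should be made explicit, e.g. `#define IP6T_INV_MASK 0x7F /* must cover XT_INV_PROTO */`. The socket-option block is also inconsistent with itself: `IP6T_SO_SET_MAX` maps to `XT_SO_SET_MAX`, but `IP6T_SO_GET_MAX` maps to `XT_SO_GET_REVISION_TARGET` rather than the parallel `XT_SO_GET_MAX` (assuming x_tables.h defines it alongside `XT_SO_SET_MAX`, which this page does not show). The comments `/* Values for "inv" field in struct ipt_tcp. */` and `/* Values for "invflags" field in struct ipt_udp. */` still name the IPv4 structs inside the IPv6 header; now that both headers alias `xt_tcp`/`xt_udp` they should refer to those. The remainder of this file section is collapsed on the page and was not reviewed.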
#ifndef _IP6T_MARK_H_target #ifndef _IP6T_MARK_H_target
#define _IP6T_MARK_H_target #define _IP6T_MARK_H_target
struct ip6t_mark_target_info { /* Backwards compatibility for old userspace */
unsigned long mark; #include <linux/netfilter/xt_MARK.h>
};
#endif /*_IPT_MARK_H_target*/ #define ip6t_mark_target_info xt_mark_target_info
#endif /*_IP6T_MARK_H_target*/
#ifndef _IP6T_LENGTH_H #ifndef _IP6T_LENGTH_H
#define _IP6T_LENGTH_H #define _IP6T_LENGTH_H
struct ip6t_length_info { #include <linux/netfilter/xt_length.h>
u_int16_t min, max; #define ip6t_length_info xt_length_info
u_int8_t invert;
};
#endif /*_IP6T_LENGTH_H*/ #endif /*_IP6T_LENGTH_H*/
#ifndef _IP6T_RATE_H #ifndef _IP6T_RATE_H
#define _IP6T_RATE_H #define _IP6T_RATE_H
/* timings are in milliseconds. */ #include <linux/netfilter/xt_limit.h>
#define IP6T_LIMIT_SCALE 10000 #define IP6T_LIMIT_SCALE XT_LIMIT_SCALE
#define ip6t_rateinfo xt_rateinfo
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 #endif /*_IP6T_RATE_H*/
seconds, or one every 59 hours. */
struct ip6t_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* Used internally by the kernel */
unsigned long prev;
u_int32_t credit;
u_int32_t credit_cap, cost;
/* Ugly, ugly fucker. */
struct ip6t_rateinfo *master;
};
#endif /*_IPT_RATE_H*/
#ifndef _IP6T_MAC_H #ifndef _IP6T_MAC_H
#define _IP6T_MAC_H #define _IP6T_MAC_H
struct ip6t_mac_info { #include <linux/netfilter/xt_mac.h>
unsigned char srcaddr[ETH_ALEN]; #define ip6t_mac_info xt_mac_info
int invert;
}; #endif /*_IP6T_MAC_H*/
#endif /*_IPT_MAC_H*/
#ifndef _IP6T_MARK_H #ifndef _IP6T_MARK_H
#define _IP6T_MARK_H #define _IP6T_MARK_H
struct ip6t_mark_info { /* Backwards compatibility for old userspace */
unsigned long mark, mask; #include <linux/netfilter/xt_mark.h>
u_int8_t invert;
}; #define ip6t_mark_info xt_mark_info
#endif /*_IPT_MARK_H*/ #endif /*_IPT_MARK_H*/
#ifndef _IP6T_PHYSDEV_H #ifndef _IP6T_PHYSDEV_H
#define _IP6T_PHYSDEV_H #define _IP6T_PHYSDEV_H
#ifdef __KERNEL__ /* Backwards compatibility for old userspace */
#include <linux/if.h>
#endif
#define IP6T_PHYSDEV_OP_IN 0x01 #include <linux/netfilter/xt_physdev.h>
#define IP6T_PHYSDEV_OP_OUT 0x02
#define IP6T_PHYSDEV_OP_BRIDGED 0x04
#define IP6T_PHYSDEV_OP_ISIN 0x08
#define IP6T_PHYSDEV_OP_ISOUT 0x10
#define IP6T_PHYSDEV_OP_MASK (0x20 - 1)
struct ip6t_physdev_info { #define IP6T_PHYSDEV_OP_IN XT_PHYSDEV_OP_IN
char physindev[IFNAMSIZ]; #define IP6T_PHYSDEV_OP_OUT XT_PHYSDEV_OP_OUT
char in_mask[IFNAMSIZ]; #define IP6T_PHYSDEV_OP_BRIDGED XT_PHYSDEV_OP_BRIDGED
char physoutdev[IFNAMSIZ]; #define IP6T_PHYSDEV_OP_ISIN XT_PHYSDEV_OP_ISIN
char out_mask[IFNAMSIZ]; #define IP6T_PHYSDEV_OP_ISOUT XT_PHYSDEV_OP_ISOUT
u_int8_t invert; #define IP6T_PHYSDEV_OP_MASK XT_PHYSDEV_OP_MASK
u_int8_t bitmask;
}; #define ip6t_physdev_info xt_physdev_info
#endif /*_IP6T_PHYSDEV_H*/ #endif /*_IP6T_PHYSDEV_H*/
...@@ -37,7 +37,4 @@ struct nf_conntrack_ipv4 { ...@@ -37,7 +37,4 @@ struct nf_conntrack_ipv4 {
struct sk_buff * struct sk_buff *
nf_ct_ipv4_ct_gather_frags(struct sk_buff *skb); nf_ct_ipv4_ct_gather_frags(struct sk_buff *skb);
/* call to create an explicit dependency on nf_conntrack_l3proto_ipv4. */
extern void need_ip_conntrack(void);
#endif /*_NF_CONNTRACK_IPV4_H*/ #endif /*_NF_CONNTRACK_IPV4_H*/
...@@ -221,9 +221,6 @@ extern void nf_ct_helper_put(struct nf_conntrack_helper *helper); ...@@ -221,9 +221,6 @@ extern void nf_ct_helper_put(struct nf_conntrack_helper *helper);
extern struct nf_conntrack_helper * extern struct nf_conntrack_helper *
__nf_conntrack_helper_find_byname(const char *name); __nf_conntrack_helper_find_byname(const char *name);
/* call to create an explicit dependency on nf_conntrack. */
extern void need_nf_conntrack(void);
extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
const struct nf_conntrack_tuple *orig); const struct nf_conntrack_tuple *orig);
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
#include <linux/netfilter.h> #include <linux/netfilter.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/ip.h> #include <linux/ip.h>
#include <linux/in.h>
#include <linux/if_arp.h> #include <linux/if_arp.h>
#include <linux/spinlock.h> #include <linux/spinlock.h>
......
...@@ -47,14 +47,8 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o ...@@ -47,14 +47,8 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
# matches # matches
obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
obj-$(CONFIG_IP_NF_MATCH_HASHLIMIT) += ipt_hashlimit.o obj-$(CONFIG_IP_NF_MATCH_HASHLIMIT) += ipt_hashlimit.o
obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
obj-$(CONFIG_IP_NF_MATCH_DCCP) += ipt_dccp.o
obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
obj-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype.o
obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o
obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
...@@ -62,40 +56,25 @@ obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o ...@@ -62,40 +56,25 @@ obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o
obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o
obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_CONNBYTES) += ipt_connbytes.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o
obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o
obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o
# targets # targets
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
obj-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP.o obj-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP.o
obj-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK.o
obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o
obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o
obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
obj-$(CONFIG_IP_NF_TARGET_NOTRACK) += ipt_NOTRACK.o
obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
obj-$(CONFIG_IP_NF_TARGET_NFQUEUE) += ipt_NFQUEUE.o
# generic ARP tables # generic ARP tables
obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
......
...@@ -8,8 +8,9 @@ MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>"); ...@@ -8,8 +8,9 @@ MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
MODULE_DESCRIPTION("arptables arp payload mangle target"); MODULE_DESCRIPTION("arptables arp payload mangle target");
static unsigned int static unsigned int
target(struct sk_buff **pskb, unsigned int hooknum, const struct net_device *in, target(struct sk_buff **pskb, const struct net_device *in,
const struct net_device *out, const void *targinfo, void *userinfo) const struct net_device *out, unsigned int hooknum, const void *targinfo,
void *userinfo)
{ {
const struct arpt_mangle *mangle = targinfo; const struct arpt_mangle *mangle = targinfo;
struct arphdr *arp; struct arphdr *arp;
...@@ -64,7 +65,7 @@ target(struct sk_buff **pskb, unsigned int hooknum, const struct net_device *in, ...@@ -64,7 +65,7 @@ target(struct sk_buff **pskb, unsigned int hooknum, const struct net_device *in,
} }
static int static int
checkentry(const char *tablename, const struct arpt_entry *e, void *targinfo, checkentry(const char *tablename, const void *e, void *targinfo,
unsigned int targinfosize, unsigned int hook_mask) unsigned int targinfosize, unsigned int hook_mask)
{ {
const struct arpt_mangle *mangle = targinfo; const struct arpt_mangle *mangle = targinfo;
......
...@@ -145,6 +145,7 @@ static struct arpt_table packet_filter = { ...@@ -145,6 +145,7 @@ static struct arpt_table packet_filter = {
.lock = RW_LOCK_UNLOCKED, .lock = RW_LOCK_UNLOCKED,
.private = NULL, .private = NULL,
.me = THIS_MODULE, .me = THIS_MODULE,
.af = NF_ARP,
}; };
/* The work comes in here from netfilter.c */ /* The work comes in here from netfilter.c */
......
...@@ -944,7 +944,7 @@ module_exit(fini); ...@@ -944,7 +944,7 @@ module_exit(fini);
/* Some modules need us, but don't depend directly on any symbol. /* Some modules need us, but don't depend directly on any symbol.
They should call this. */ They should call this. */
void need_ip_conntrack(void) void need_conntrack(void)
{ {
} }
...@@ -962,7 +962,7 @@ EXPORT_SYMBOL(ip_ct_get_tuple); ...@@ -962,7 +962,7 @@ EXPORT_SYMBOL(ip_ct_get_tuple);
EXPORT_SYMBOL(invert_tuplepr); EXPORT_SYMBOL(invert_tuplepr);
EXPORT_SYMBOL(ip_conntrack_alter_reply); EXPORT_SYMBOL(ip_conntrack_alter_reply);
EXPORT_SYMBOL(ip_conntrack_destroyed); EXPORT_SYMBOL(ip_conntrack_destroyed);
EXPORT_SYMBOL(need_ip_conntrack); EXPORT_SYMBOL(need_conntrack);
EXPORT_SYMBOL(ip_conntrack_helper_register); EXPORT_SYMBOL(ip_conntrack_helper_register);
EXPORT_SYMBOL(ip_conntrack_helper_unregister); EXPORT_SYMBOL(ip_conntrack_helper_unregister);
EXPORT_SYMBOL(ip_ct_iterate_cleanup); EXPORT_SYMBOL(ip_ct_iterate_cleanup);
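Review bot: The renamed `need_conntrack` is an exported, empty symbol whose only purpose (per the comment above it) is to force a module dependency, and the new header in this commit declares the same name for the nf_conntrack side; if nf_conntrack_core.c also defines and exports `need_conntrack` (not visible in this hunk), the two trackers can no longer be built into one kernel or loaded together without a duplicate-symbol failure. That mutual exclusion may well be intended, but nothing here records it, and a silent link error is a poor way for a distro builder to discover it. I would add above the definition `/* Also defined by nf_conntrack: the two trackers are mutually exclusive and must never both be built in. */`, or point to the Kconfig rule that enforces the exclusion. Any remaining in-tree caller of the old `need_ip_conntrack` now fails to link, which the commit should state explicitly.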
......
...@@ -95,6 +95,7 @@ static struct ipt_table nat_table = { ...@@ -95,6 +95,7 @@ static struct ipt_table nat_table = {
.valid_hooks = NAT_VALID_HOOKS, .valid_hooks = NAT_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED, .lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE, .me = THIS_MODULE,
.af = AF_INET,
}; };
/* Source NAT */ /* Source NAT */
...@@ -168,7 +169,7 @@ static unsigned int ipt_dnat_target(struct sk_buff **pskb, ...@@ -168,7 +169,7 @@ static unsigned int ipt_dnat_target(struct sk_buff **pskb,
} }
static int ipt_snat_checkentry(const char *tablename, static int ipt_snat_checkentry(const char *tablename,
const struct ipt_entry *e, const void *entry,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
...@@ -201,7 +202,7 @@ static int ipt_snat_checkentry(const char *tablename, ...@@ -201,7 +202,7 @@ static int ipt_snat_checkentry(const char *tablename,
} }
static int ipt_dnat_checkentry(const char *tablename, static int ipt_dnat_checkentry(const char *tablename,
const struct ipt_entry *e, const void *entry,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -364,7 +364,7 @@ static int init_or_cleanup(int init) ...@@ -364,7 +364,7 @@ static int init_or_cleanup(int init)
{ {
int ret = 0; int ret = 0;
need_ip_conntrack(); need_conntrack();
if (!init) goto cleanup; if (!init) goto cleanup;
......
...@@ -379,12 +379,13 @@ target(struct sk_buff **pskb, ...@@ -379,12 +379,13 @@ target(struct sk_buff **pskb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
struct ipt_clusterip_tgt_info *cipinfo = targinfo; struct ipt_clusterip_tgt_info *cipinfo = targinfo;
const struct ipt_entry *e = e_void;
struct clusterip_config *config; struct clusterip_config *config;
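Review bot: `const struct ipt_entry *e = e_void;` is an unchecked cast: now that the parameter is `const void *`, nothing in this function verifies that the entry really is an IPv4 `ipt_entry` before the body (which continues outside this hunk) reads its address fields, so the guarantee rests entirely on this target being registered for AF_INET only, and that registration is not visible here. A wrong-family registration would turn into an out-of-bounds kernel read at rule-insertion time, reachable by any CAP_NET_ADMIN process, so the invariant deserves to be written down next to the cast. I would add `/* e_void is a struct ipt_entry: this target is only reachable via the AF_INET (ipt_register_target) path. */`, or, if the x_tables core makes the family available to checkentry, reject anything other than AF_INET.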
......
...@@ -57,7 +57,7 @@ target(struct sk_buff **pskb, ...@@ -57,7 +57,7 @@ target(struct sk_buff **pskb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -113,12 +113,13 @@ target(struct sk_buff **pskb, ...@@ -113,12 +113,13 @@ target(struct sk_buff **pskb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo; const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
const struct ipt_entry *e = e_void;
if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ECN_info))) { if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ECN_info))) {
printk(KERN_WARNING "ECN: targinfosize %u != %Zu\n", printk(KERN_WARNING "ECN: targinfosize %u != %Zu\n",
......
...@@ -431,7 +431,7 @@ ipt_log_target(struct sk_buff **pskb, ...@@ -431,7 +431,7 @@ ipt_log_target(struct sk_buff **pskb,
} }
static int ipt_log_checkentry(const char *tablename, static int ipt_log_checkentry(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -40,7 +40,7 @@ static DEFINE_RWLOCK(masq_lock); ...@@ -40,7 +40,7 @@ static DEFINE_RWLOCK(masq_lock);
/* FIXME: Multiple targets. --RR */ /* FIXME: Multiple targets. --RR */
static int static int
masquerade_check(const char *tablename, masquerade_check(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -31,7 +31,7 @@ MODULE_DESCRIPTION("iptables 1:1 NAT mapping of IP networks target"); ...@@ -31,7 +31,7 @@ MODULE_DESCRIPTION("iptables 1:1 NAT mapping of IP networks target");
static int static int
check(const char *tablename, check(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -33,7 +33,7 @@ MODULE_DESCRIPTION("iptables REDIRECT target module"); ...@@ -33,7 +33,7 @@ MODULE_DESCRIPTION("iptables REDIRECT target module");
/* FIXME: Take multiple ranges --RR */ /* FIXME: Take multiple ranges --RR */
static int static int
redirect_check(const char *tablename, redirect_check(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -282,12 +282,13 @@ static unsigned int reject(struct sk_buff **pskb, ...@@ -282,12 +282,13 @@ static unsigned int reject(struct sk_buff **pskb,
} }
static int check(const char *tablename, static int check(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_reject_info *rejinfo = targinfo; const struct ipt_reject_info *rejinfo = targinfo;
const struct ipt_entry *e = e_void;
if (targinfosize != IPT_ALIGN(sizeof(struct ipt_reject_info))) { if (targinfosize != IPT_ALIGN(sizeof(struct ipt_reject_info))) {
DEBUGP("REJECT: targinfosize %u != 0\n", targinfosize); DEBUGP("REJECT: targinfosize %u != 0\n", targinfosize);
......
...@@ -49,7 +49,7 @@ MODULE_DESCRIPTION("iptables special SNAT module for consistent sourceip"); ...@@ -49,7 +49,7 @@ MODULE_DESCRIPTION("iptables special SNAT module for consistent sourceip");
static int static int
same_check(const char *tablename, same_check(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -210,12 +210,13 @@ static inline int find_syn_match(const struct ipt_entry_match *m) ...@@ -210,12 +210,13 @@ static inline int find_syn_match(const struct ipt_entry_match *m)
/* Must specify -p tcp --syn/--tcp-flags SYN */ /* Must specify -p tcp --syn/--tcp-flags SYN */
static int static int
ipt_tcpmss_checkentry(const char *tablename, ipt_tcpmss_checkentry(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_tcpmss_info *tcpmssinfo = targinfo; const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
const struct ipt_entry *e = e_void;
if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tcpmss_info))) { if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tcpmss_info))) {
DEBUGP("ipt_tcpmss_checkentry: targinfosize %u != %u\n", DEBUGP("ipt_tcpmss_checkentry: targinfosize %u != %u\n",
......
...@@ -52,7 +52,7 @@ target(struct sk_buff **pskb, ...@@ -52,7 +52,7 @@ target(struct sk_buff **pskb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -66,7 +66,7 @@ ipt_ttl_target(struct sk_buff **pskb, const struct net_device *in, ...@@ -66,7 +66,7 @@ ipt_ttl_target(struct sk_buff **pskb, const struct net_device *in,
} }
static int ipt_ttl_checkentry(const char *tablename, static int ipt_ttl_checkentry(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -330,7 +330,7 @@ static void ipt_logfn(unsigned int pf, ...@@ -330,7 +330,7 @@ static void ipt_logfn(unsigned int pf,
} }
static int ipt_ulog_checkentry(const char *tablename, static int ipt_ulog_checkentry(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hookmask) unsigned int hookmask)
......
...@@ -29,7 +29,7 @@ static inline int match_type(u_int32_t addr, u_int16_t mask) ...@@ -29,7 +29,7 @@ static inline int match_type(u_int32_t addr, u_int16_t mask)
static int match(const struct sk_buff *skb, const struct net_device *in, static int match(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *matchinfo, const struct net_device *out, const void *matchinfo,
int offset, int *hotdrop) int offset, unsigned int protoff, int *hotdrop)
{ {
const struct ipt_addrtype_info *info = matchinfo; const struct ipt_addrtype_info *info = matchinfo;
const struct iphdr *iph = skb->nh.iph; const struct iphdr *iph = skb->nh.iph;
...@@ -43,7 +43,7 @@ static int match(const struct sk_buff *skb, const struct net_device *in, ...@@ -43,7 +43,7 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
return ret; return ret;
} }
static int checkentry(const char *tablename, const struct ipt_ip *ip, static int checkentry(const char *tablename, const void *ip,
void *matchinfo, unsigned int matchsize, void *matchinfo, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
......
...@@ -41,6 +41,7 @@ match(const struct sk_buff *skb, ...@@ -41,6 +41,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
struct ip_auth_hdr _ahdr, *ah; struct ip_auth_hdr _ahdr, *ah;
...@@ -50,7 +51,7 @@ match(const struct sk_buff *skb, ...@@ -50,7 +51,7 @@ match(const struct sk_buff *skb,
if (offset) if (offset)
return 0; return 0;
ah = skb_header_pointer(skb, skb->nh.iph->ihl * 4, ah = skb_header_pointer(skb, protoff,
sizeof(_ahdr), &_ahdr); sizeof(_ahdr), &_ahdr);
if (ah == NULL) { if (ah == NULL) {
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
...@@ -69,12 +70,13 @@ match(const struct sk_buff *skb, ...@@ -69,12 +70,13 @@ match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */ /* Called when user tries to insert an entry of this type. */
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip_void,
void *matchinfo, void *matchinfo,
unsigned int matchinfosize, unsigned int matchinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_ah *ahinfo = matchinfo; const struct ipt_ah *ahinfo = matchinfo;
const struct ipt_ip *ip = ip_void;
/* Must specify proto == AH, and no unknown invflags */ /* Must specify proto == AH, and no unknown invflags */
if (ip->proto != IPPROTO_AH || (ip->invflags & IPT_INV_PROTO)) { if (ip->proto != IPPROTO_AH || (ip->invflags & IPT_INV_PROTO)) {
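Review bot: The AH header is now located via the caller-supplied `protoff` instead of `skb->nh.iph->ihl * 4`, so the match trusts the L3 backend to hand it the transport-header offset; the preceding `if (offset) return 0;` guard and the bounds-checked `skb_header_pointer()` still protect against an over-read, so a wrong offset degrades to a mis-match rather than a memory-safety bug, but the contract is no longer visible in this file. I would document it on the parameter: `/* protoff: transport-header offset computed by the L3 backend (ihl*4 for ip_tables) */`. The same applies to `const struct ipt_ip *ip = ip_void;` in checkentry, which is an unchecked cast that only holds because this match is registered for AF_INET; a one-line comment stating that next to the cast would help whoever adds an IPv6 alias later. The checkentry body continues past the end of this hunk.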
......
...@@ -21,7 +21,7 @@ MODULE_LICENSE("GPL"); ...@@ -21,7 +21,7 @@ MODULE_LICENSE("GPL");
static int match(const struct sk_buff *skb, const struct net_device *in, static int match(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *matchinfo, const struct net_device *out, const void *matchinfo,
int offset, int *hotdrop) int offset, unsigned int protoff, int *hotdrop)
{ {
const struct ipt_dscp_info *info = matchinfo; const struct ipt_dscp_info *info = matchinfo;
const struct iphdr *iph = skb->nh.iph; const struct iphdr *iph = skb->nh.iph;
...@@ -31,7 +31,7 @@ static int match(const struct sk_buff *skb, const struct net_device *in, ...@@ -31,7 +31,7 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
return ((iph->tos&IPT_DSCP_MASK) == sh_dscp) ^ info->invert; return ((iph->tos&IPT_DSCP_MASK) == sh_dscp) ^ info->invert;
} }
static int checkentry(const char *tablename, const struct ipt_ip *ip, static int checkentry(const char *tablename, const void *ip,
void *matchinfo, unsigned int matchsize, void *matchinfo, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
......
...@@ -67,7 +67,7 @@ static inline int match_tcp(const struct sk_buff *skb, ...@@ -67,7 +67,7 @@ static inline int match_tcp(const struct sk_buff *skb,
static int match(const struct sk_buff *skb, const struct net_device *in, static int match(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *matchinfo, const struct net_device *out, const void *matchinfo,
int offset, int *hotdrop) int offset, unsigned int protoff, int *hotdrop)
{ {
const struct ipt_ecn_info *info = matchinfo; const struct ipt_ecn_info *info = matchinfo;
...@@ -85,11 +85,12 @@ static int match(const struct sk_buff *skb, const struct net_device *in, ...@@ -85,11 +85,12 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
return 1; return 1;
} }
static int checkentry(const char *tablename, const struct ipt_ip *ip, static int checkentry(const char *tablename, const void *ip_void,
void *matchinfo, unsigned int matchsize, void *matchinfo, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_ecn_info *info = matchinfo; const struct ipt_ecn_info *info = matchinfo;
const struct ipt_ip *ip = ip_void;
if (matchsize != IPT_ALIGN(sizeof(struct ipt_ecn_info))) if (matchsize != IPT_ALIGN(sizeof(struct ipt_ecn_info)))
return 0; return 0;
......
...@@ -42,6 +42,7 @@ match(const struct sk_buff *skb, ...@@ -42,6 +42,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
struct ip_esp_hdr _esp, *eh; struct ip_esp_hdr _esp, *eh;
...@@ -51,7 +52,7 @@ match(const struct sk_buff *skb, ...@@ -51,7 +52,7 @@ match(const struct sk_buff *skb,
if (offset) if (offset)
return 0; return 0;
eh = skb_header_pointer(skb, skb->nh.iph->ihl * 4, eh = skb_header_pointer(skb, protoff,
sizeof(_esp), &_esp); sizeof(_esp), &_esp);
if (eh == NULL) { if (eh == NULL) {
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
...@@ -70,12 +71,13 @@ match(const struct sk_buff *skb, ...@@ -70,12 +71,13 @@ match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */ /* Called when user tries to insert an entry of this type. */
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip_void,
void *matchinfo, void *matchinfo,
unsigned int matchinfosize, unsigned int matchinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_esp *espinfo = matchinfo; const struct ipt_esp *espinfo = matchinfo;
const struct ipt_ip *ip = ip_void;
/* Must specify proto == ESP, and no unknown invflags */ /* Must specify proto == ESP, and no unknown invflags */
if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) { if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) {
......
...@@ -429,6 +429,7 @@ hashlimit_match(const struct sk_buff *skb, ...@@ -429,6 +429,7 @@ hashlimit_match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
struct ipt_hashlimit_info *r = struct ipt_hashlimit_info *r =
...@@ -504,7 +505,7 @@ hashlimit_match(const struct sk_buff *skb, ...@@ -504,7 +505,7 @@ hashlimit_match(const struct sk_buff *skb,
static int static int
hashlimit_checkentry(const char *tablename, hashlimit_checkentry(const char *tablename,
const struct ipt_ip *ip, const void *inf,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -28,7 +28,7 @@ match(const struct sk_buff *skb, ...@@ -28,7 +28,7 @@ match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *in,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int *hotdrop) int offset, unsigned int protoff, int *hotdrop)
{ {
const struct ipt_iprange_info *info = matchinfo; const struct ipt_iprange_info *info = matchinfo;
const struct iphdr *iph = skb->nh.iph; const struct iphdr *iph = skb->nh.iph;
...@@ -63,7 +63,7 @@ match(const struct sk_buff *skb, ...@@ -63,7 +63,7 @@ match(const struct sk_buff *skb,
} }
static int check(const char *tablename, static int check(const char *tablename,
const struct ipt_ip *ip, const void *inf,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -97,6 +97,7 @@ match(const struct sk_buff *skb, ...@@ -97,6 +97,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
u16 _ports[2], *pptr; u16 _ports[2], *pptr;
...@@ -105,7 +106,7 @@ match(const struct sk_buff *skb, ...@@ -105,7 +106,7 @@ match(const struct sk_buff *skb,
if (offset) if (offset)
return 0; return 0;
pptr = skb_header_pointer(skb, skb->nh.iph->ihl * 4, pptr = skb_header_pointer(skb, protoff,
sizeof(_ports), _ports); sizeof(_ports), _ports);
if (pptr == NULL) { if (pptr == NULL) {
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
...@@ -128,6 +129,7 @@ match_v1(const struct sk_buff *skb, ...@@ -128,6 +129,7 @@ match_v1(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
u16 _ports[2], *pptr; u16 _ports[2], *pptr;
...@@ -136,7 +138,7 @@ match_v1(const struct sk_buff *skb, ...@@ -136,7 +138,7 @@ match_v1(const struct sk_buff *skb,
if (offset) if (offset)
return 0; return 0;
pptr = skb_header_pointer(skb, skb->nh.iph->ihl * 4, pptr = skb_header_pointer(skb, protoff,
sizeof(_ports), _ports); sizeof(_ports), _ports);
if (pptr == NULL) { if (pptr == NULL) {
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
...@@ -154,7 +156,7 @@ match_v1(const struct sk_buff *skb, ...@@ -154,7 +156,7 @@ match_v1(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */ /* Called when user tries to insert an entry of this type. */
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
...@@ -164,7 +166,7 @@ checkentry(const char *tablename, ...@@ -164,7 +166,7 @@ checkentry(const char *tablename,
static int static int
checkentry_v1(const char *tablename, checkentry_v1(const char *tablename,
const struct ipt_ip *ip, const void *ip,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -27,6 +27,7 @@ match(const struct sk_buff *skb, ...@@ -27,6 +27,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
const struct ipt_owner_info *info = matchinfo; const struct ipt_owner_info *info = matchinfo;
...@@ -51,7 +52,7 @@ match(const struct sk_buff *skb, ...@@ -51,7 +52,7 @@ match(const struct sk_buff *skb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
......
/* Kernel module to match the bridge port in and
* out device for IP packets coming into contact with a bridge. */
/* (C) 2001-2003 Bart De Schuymer <bdschuym@pandora.be>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4/ipt_physdev.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_bridge.h>
#define MATCH 1
#define NOMATCH 0
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
MODULE_DESCRIPTION("iptables bridge physical device match module");
static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
int *hotdrop)
{
int i;
static const char nulldevname[IFNAMSIZ];
const struct ipt_physdev_info *info = matchinfo;
unsigned int ret;
const char *indev, *outdev;
struct nf_bridge_info *nf_bridge;
/* Not a bridged IP packet or no info available yet:
* LOCAL_OUT/mangle and LOCAL_OUT/nat don't know if
* the destination device will be a bridge. */
if (!(nf_bridge = skb->nf_bridge)) {
/* Return MATCH if the invert flags of the used options are on */
if ((info->bitmask & IPT_PHYSDEV_OP_BRIDGED) &&
!(info->invert & IPT_PHYSDEV_OP_BRIDGED))
return NOMATCH;
if ((info->bitmask & IPT_PHYSDEV_OP_ISIN) &&
!(info->invert & IPT_PHYSDEV_OP_ISIN))
return NOMATCH;
if ((info->bitmask & IPT_PHYSDEV_OP_ISOUT) &&
!(info->invert & IPT_PHYSDEV_OP_ISOUT))
return NOMATCH;
if ((info->bitmask & IPT_PHYSDEV_OP_IN) &&
!(info->invert & IPT_PHYSDEV_OP_IN))
return NOMATCH;
if ((info->bitmask & IPT_PHYSDEV_OP_OUT) &&
!(info->invert & IPT_PHYSDEV_OP_OUT))
return NOMATCH;
return MATCH;
}
/* This only makes sense in the FORWARD and POSTROUTING chains */
if ((info->bitmask & IPT_PHYSDEV_OP_BRIDGED) &&
(!!(nf_bridge->mask & BRNF_BRIDGED) ^
!(info->invert & IPT_PHYSDEV_OP_BRIDGED)))
return NOMATCH;
if ((info->bitmask & IPT_PHYSDEV_OP_ISIN &&
(!nf_bridge->physindev ^ !!(info->invert & IPT_PHYSDEV_OP_ISIN))) ||
(info->bitmask & IPT_PHYSDEV_OP_ISOUT &&
(!nf_bridge->physoutdev ^ !!(info->invert & IPT_PHYSDEV_OP_ISOUT))))
return NOMATCH;
if (!(info->bitmask & IPT_PHYSDEV_OP_IN))
goto match_outdev;
indev = nf_bridge->physindev ? nf_bridge->physindev->name : nulldevname;
for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned int); i++) {
ret |= (((const unsigned int *)indev)[i]
^ ((const unsigned int *)info->physindev)[i])
& ((const unsigned int *)info->in_mask)[i];
}
if ((ret == 0) ^ !(info->invert & IPT_PHYSDEV_OP_IN))
return NOMATCH;
match_outdev:
if (!(info->bitmask & IPT_PHYSDEV_OP_OUT))
return MATCH;
outdev = nf_bridge->physoutdev ?
nf_bridge->physoutdev->name : nulldevname;
for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned int); i++) {
ret |= (((const unsigned int *)outdev)[i]
^ ((const unsigned int *)info->physoutdev)[i])
& ((const unsigned int *)info->out_mask)[i];
}
return (ret != 0) ^ !(info->invert & IPT_PHYSDEV_OP_OUT);
}
static int
checkentry(const char *tablename,
const struct ipt_ip *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
const struct ipt_physdev_info *info = matchinfo;
if (matchsize != IPT_ALIGN(sizeof(struct ipt_physdev_info)))
return 0;
if (!(info->bitmask & IPT_PHYSDEV_OP_MASK) ||
info->bitmask & ~IPT_PHYSDEV_OP_MASK)
return 0;
return 1;
}
static struct ipt_match physdev_match = {
.name = "physdev",
.match = &match,
.checkentry = &checkentry,
.me = THIS_MODULE,
};
static int __init init(void)
{
return ipt_register_match(&physdev_match);
}
static void __exit fini(void)
{
ipt_unregister_match(&physdev_match);
}
module_init(init);
module_exit(fini);
...@@ -104,6 +104,7 @@ match(const struct sk_buff *skb, ...@@ -104,6 +104,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop); int *hotdrop);
/* Function to hash a given address into the hash table of table_size size */ /* Function to hash a given address into the hash table of table_size size */
...@@ -317,7 +318,7 @@ static int ip_recent_ctrl(struct file *file, const char __user *input, unsigned ...@@ -317,7 +318,7 @@ static int ip_recent_ctrl(struct file *file, const char __user *input, unsigned
skb->nh.iph->daddr = 0; skb->nh.iph->daddr = 0;
/* Clear ttl since we have no way of knowing it */ /* Clear ttl since we have no way of knowing it */
skb->nh.iph->ttl = 0; skb->nh.iph->ttl = 0;
match(skb,NULL,NULL,info,0,NULL); match(skb,NULL,NULL,info,0,0,NULL);
kfree(skb->nh.iph); kfree(skb->nh.iph);
out_free_skb: out_free_skb:
...@@ -357,6 +358,7 @@ match(const struct sk_buff *skb, ...@@ -357,6 +358,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
int pkt_count, hits_found, ans; int pkt_count, hits_found, ans;
...@@ -654,7 +656,7 @@ match(const struct sk_buff *skb, ...@@ -654,7 +656,7 @@ match(const struct sk_buff *skb,
*/ */
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
......
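Review bot: The updated call in ip_recent_ctrl, `match(skb,NULL,NULL,info,0,0,NULL);`, hands the matcher a synthetic skb whose IP header has daddr and ttl zeroed, NULL in/out devices, a protoff of 0 that points at the IP header rather than any transport header, and a NULL hotdrop pointer, yet nothing at the call site states that the callee must neither use protoff nor write `*hotdrop`. Whether match() dereferences hotdrop or reads protoff is not visible here, since its body starts at the next hunk and runs outside it, so this is a contract worth pinning rather than a confirmed defect. A comment on the call would do: `/* synthetic skb from /proc: no in/out dev, protoff meaningless, hotdrop is NULL */`. ip_recent_ctrl itself begins before this hunk.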
...@@ -23,6 +23,7 @@ match(const struct sk_buff *skb, ...@@ -23,6 +23,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
const struct ipt_tos_info *info = matchinfo; const struct ipt_tos_info *info = matchinfo;
...@@ -32,7 +33,7 @@ match(const struct sk_buff *skb, ...@@ -32,7 +33,7 @@ match(const struct sk_buff *skb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
......
...@@ -78,7 +78,8 @@ static struct ipt_table packet_filter = { ...@@ -78,7 +78,8 @@ static struct ipt_table packet_filter = {
.name = "filter", .name = "filter",
.valid_hooks = FILTER_VALID_HOOKS, .valid_hooks = FILTER_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED, .lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE .me = THIS_MODULE,
.af = AF_INET,
}; };
/* The work comes in here from netfilter.c. */ /* The work comes in here from netfilter.c. */
......