1 #ifndef __LINUX_NETFILTER_H 2 #define __LINUX_NETFILTER_H 3 4 #ifdef __KERNEL__ 5 #include <linux/init.h> 6 #include <linux/types.h> 7 #include <linux/skbuff.h> 8 #include <linux/net.h> 9 #include <linux/if.h> 10 #include <linux/wait.h> 11 #include <linux/list.h> 12 #endif 13 #include <linux/compiler.h> 14 15 /* Responses from hook functions. */ 16 #define NF_DROP 0 17 #define NF_ACCEPT 1 18 #define NF_STOLEN 2 19 #define NF_QUEUE 3 20 #define NF_REPEAT 4 21 #define NF_STOP 5 22 #define NF_MAX_VERDICT NF_STOP 23 24 /* Generic cache responses from hook functions. 25 <= 0x2000 is used for protocol-flags. */ 26 #define NFC_UNKNOWN 0x4000 27 #define NFC_ALTERED 0x8000 28 29 #ifdef __KERNEL__ 30 #include <linux/config.h> 31 #ifdef CONFIG_NETFILTER 32 33 extern void netfilter_init(void); 34 35 /* Largest hook number + 1 */ 36 #define NF_MAX_HOOKS 8 37 38 struct sk_buff; 39 struct net_device; 40 41 typedef unsigned int nf_hookfn(unsigned int hooknum, 42 struct sk_buff **skb, 43 const struct net_device *in, 44 const struct net_device *out, 45 int (*okfn)(struct sk_buff *)); 46 47 struct nf_hook_ops 48 { 49 struct list_head list; 50 51 /* User fills in from here down. */ 52 nf_hookfn *hook; 53 struct module *owner; 54 int pf; 55 int hooknum; 56 /* Hooks are ordered in ascending priority. */ 57 int priority; 58 }; 59 60 struct nf_sockopt_ops 61 { 62 struct list_head list; 63 64 int pf; 65 66 /* Non-inclusive ranges: use 0/0/NULL to never get called. */ 67 int set_optmin; 68 int set_optmax; 69 int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len); 70 71 int get_optmin; 72 int get_optmax; 73 int (*get)(struct sock *sk, int optval, void __user *user, int *len); 74 75 /* Number of users inside set() or get(). */ 76 unsigned int use; 77 struct task_struct *cleanup_task; 78 }; 79 80 /* Each queued (to userspace) skbuff has one of these. */ 81 struct nf_info 82 { 83 /* The ops struct which sent us to userspace. */ 84 struct nf_hook_ops *elem; 85 86 /* If we're sent to userspace, this keeps housekeeping info */ 87 int pf; 88 unsigned int hook; 89 struct net_device *indev, *outdev; 90 int (*okfn)(struct sk_buff *); 91 }; 92 93 /* Function to register/unregister hook points. */ 94 int nf_register_hook(struct nf_hook_ops *reg); 95 void nf_unregister_hook(struct nf_hook_ops *reg); 96 97 /* Functions to register get/setsockopt ranges (non-inclusive). You 98 need to check permissions yourself! */ 99 int nf_register_sockopt(struct nf_sockopt_ops *reg); 100 void nf_unregister_sockopt(struct nf_sockopt_ops *reg); 101 102 extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS]; 103 104 typedef void nf_logfn(unsigned int hooknum, 105 const struct sk_buff *skb, 106 const struct net_device *in, 107 const struct net_device *out, 108 const char *prefix); 109 110 /* Function to register/unregister log function. */ 111 int nf_log_register(int pf, nf_logfn *logfn); 112 void nf_log_unregister(int pf, nf_logfn *logfn); 113 114 /* Calls the registered backend logging function */ 115 void nf_log_packet(int pf, 116 unsigned int hooknum, 117 const struct sk_buff *skb, 118 const struct net_device *in, 119 const struct net_device *out, 120 const char *fmt, ...); 121 122 /* Activate hook; either okfn or kfree_skb called, unless a hook 123 returns NF_STOLEN (in which case, it's up to the hook to deal with 124 the consequences). 125 126 Returns -ERRNO if packet dropped. Zero means queued, stolen or 127 accepted. 128 */ 129 130 /* RR: 131 > I don't want nf_hook to return anything because people might forget 132 > about async and trust the return value to mean "packet was ok". 133 134 AK: 135 Just document it clearly, then you can expect some sense from kernel 136 coders :) 137 */ 138 139 /* This is gross, but inline doesn't cut it for avoiding the function 140 call in fast path: gcc doesn't inline (needs value tracking?). --RR */ 141 #ifdef CONFIG_NETFILTER_DEBUG 142 #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \ 143 ({int __ret; \ 144 if ((__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \ 145 __ret = (okfn)(skb); \ 146 __ret;}) 147 #define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \ 148 ({int __ret; \ 149 if ((__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1) \ 150 __ret = (okfn)(skb); \ 151 __ret;}) 152 #else 153 #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \ 154 ({int __ret; \ 155 if (list_empty(&nf_hooks[pf][hook]) || \ 156 (__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \ 157 __ret = (okfn)(skb); \ 158 __ret;}) 159 #define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \ 160 ({int __ret; \ 161 if (list_empty(&nf_hooks[pf][hook]) || \ 162 (__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1) \ 163 __ret = (okfn)(skb); \ 164 __ret;}) 165 #endif 166 167 int nf_hook_slow(int pf, unsigned int hook, struct sk_buff **pskb, 168 struct net_device *indev, struct net_device *outdev, 169 int (*okfn)(struct sk_buff *), int thresh); 170 171 /* Call setsockopt() */ 172 int nf_setsockopt(struct sock *sk, int pf, int optval, char __user *opt, 173 int len); 174 int nf_getsockopt(struct sock *sk, int pf, int optval, char __user *opt, 175 int *len); 176 177 /* Packet queuing */ 178 typedef int (*nf_queue_outfn_t)(struct sk_buff *skb, 179 struct nf_info *info, void *data); 180 extern int nf_register_queue_handler(int pf, 181 nf_queue_outfn_t outfn, void *data); 182 extern int nf_unregister_queue_handler(int pf); 183 extern void nf_reinject(struct sk_buff *skb, 184 struct nf_info *info, 185 unsigned int verdict); 186 187 extern void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *); 188 extern void nf_ct_attach(struct sk_buff *, struct sk_buff *); 189 190 /* FIXME: Before cache is ever used, this must be implemented for real. */ 191 extern void nf_invalidate_cache(int pf); 192 193 #else /* !CONFIG_NETFILTER */ 194 #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb) 195 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} 196 #endif /*CONFIG_NETFILTER*/ 197 198 #endif /*__KERNEL__*/ 199 #endif /*__LINUX_NETFILTER_H*/ 200