Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
1#ifndef __LINUX_NETFILTER_H
2#define __LINUX_NETFILTER_H
3
4#ifdef __KERNEL__
5#include <linux/init.h>
6#include <linux/types.h>
7#include <linux/skbuff.h>
8#include <linux/net.h>
9#include <linux/if.h>
10#include <linux/wait.h>
11#include <linux/list.h>
12#endif
13#include <linux/compiler.h>
14
15/* Responses from hook functions. */
16#define NF_DROP 0
17#define NF_ACCEPT 1
18#define NF_STOLEN 2
19#define NF_QUEUE 3
20#define NF_REPEAT 4
21#define NF_STOP 5
22#define NF_MAX_VERDICT NF_STOP
23
24/* Generic cache responses from hook functions.
25 <= 0x2000 is used for protocol-flags. */
26#define NFC_UNKNOWN 0x4000
27#define NFC_ALTERED 0x8000
28
29#ifdef __KERNEL__
30#include <linux/config.h>
31#ifdef CONFIG_NETFILTER
32
33extern void netfilter_init(void);
34
35/* Largest hook number + 1 */
36#define NF_MAX_HOOKS 8
37
38struct sk_buff;
39struct net_device;
40
41typedef unsigned int nf_hookfn(unsigned int hooknum,
42 struct sk_buff **skb,
43 const struct net_device *in,
44 const struct net_device *out,
45 int (*okfn)(struct sk_buff *));
46
47struct nf_hook_ops
48{
49 struct list_head list;
50
51 /* User fills in from here down. */
52 nf_hookfn *hook;
53 struct module *owner;
54 int pf;
55 int hooknum;
56 /* Hooks are ordered in ascending priority. */
57 int priority;
58};
59
60struct nf_sockopt_ops
61{
62 struct list_head list;
63
64 int pf;
65
66 /* Non-inclusive ranges: use 0/0/NULL to never get called. */
67 int set_optmin;
68 int set_optmax;
69 int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len);
70
71 int get_optmin;
72 int get_optmax;
73 int (*get)(struct sock *sk, int optval, void __user *user, int *len);
74
75 /* Number of users inside set() or get(). */
76 unsigned int use;
77 struct task_struct *cleanup_task;
78};
79
80/* Each queued (to userspace) skbuff has one of these. */
81struct nf_info
82{
83 /* The ops struct which sent us to userspace. */
84 struct nf_hook_ops *elem;
85
86 /* If we're sent to userspace, this keeps housekeeping info */
87 int pf;
88 unsigned int hook;
89 struct net_device *indev, *outdev;
90 int (*okfn)(struct sk_buff *);
91};
92
93/* Function to register/unregister hook points. */
94int nf_register_hook(struct nf_hook_ops *reg);
95void nf_unregister_hook(struct nf_hook_ops *reg);
96
97/* Functions to register get/setsockopt ranges (non-inclusive). You
98 need to check permissions yourself! */
99int nf_register_sockopt(struct nf_sockopt_ops *reg);
100void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
101
102extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
103
104typedef void nf_logfn(unsigned int hooknum,
105 const struct sk_buff *skb,
106 const struct net_device *in,
107 const struct net_device *out,
108 const char *prefix);
109
110/* Function to register/unregister log function. */
111int nf_log_register(int pf, nf_logfn *logfn);
112void nf_log_unregister(int pf, nf_logfn *logfn);
113
114/* Calls the registered backend logging function */
115void nf_log_packet(int pf,
116 unsigned int hooknum,
117 const struct sk_buff *skb,
118 const struct net_device *in,
119 const struct net_device *out,
120 const char *fmt, ...);
121
122/* Activate hook; either okfn or kfree_skb called, unless a hook
123 returns NF_STOLEN (in which case, it's up to the hook to deal with
124 the consequences).
125
126 Returns -ERRNO if packet dropped. Zero means queued, stolen or
127 accepted.
128*/
129
130/* RR:
131 > I don't want nf_hook to return anything because people might forget
132 > about async and trust the return value to mean "packet was ok".
133
134 AK:
135 Just document it clearly, then you can expect some sense from kernel
136 coders :)
137*/
138
139/* This is gross, but inline doesn't cut it for avoiding the function
140 call in fast path: gcc doesn't inline (needs value tracking?). --RR */
141#ifdef CONFIG_NETFILTER_DEBUG
142#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
143({int __ret; \
144if ((__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \
145 __ret = (okfn)(skb); \
146__ret;})
147#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
148({int __ret; \
149if ((__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1) \
150 __ret = (okfn)(skb); \
151__ret;})
152#else
153#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
154({int __ret; \
155if (list_empty(&nf_hooks[pf][hook]) || \
156 (__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \
157 __ret = (okfn)(skb); \
158__ret;})
159#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
160({int __ret; \
161if (list_empty(&nf_hooks[pf][hook]) || \
162 (__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1) \
163 __ret = (okfn)(skb); \
164__ret;})
165#endif
166
167int nf_hook_slow(int pf, unsigned int hook, struct sk_buff **pskb,
168 struct net_device *indev, struct net_device *outdev,
169 int (*okfn)(struct sk_buff *), int thresh);
170
171/* Call setsockopt() */
172int nf_setsockopt(struct sock *sk, int pf, int optval, char __user *opt,
173 int len);
174int nf_getsockopt(struct sock *sk, int pf, int optval, char __user *opt,
175 int *len);
176
177/* Packet queuing */
178typedef int (*nf_queue_outfn_t)(struct sk_buff *skb,
179 struct nf_info *info, void *data);
180extern int nf_register_queue_handler(int pf,
181 nf_queue_outfn_t outfn, void *data);
182extern int nf_unregister_queue_handler(int pf);
183extern void nf_reinject(struct sk_buff *skb,
184 struct nf_info *info,
185 unsigned int verdict);
186
187extern void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *);
188extern void nf_ct_attach(struct sk_buff *, struct sk_buff *);
189
190/* FIXME: Before cache is ever used, this must be implemented for real. */
191extern void nf_invalidate_cache(int pf);
192
193#else /* !CONFIG_NETFILTER */
194#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
195static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
196#endif /*CONFIG_NETFILTER*/
197
198#endif /*__KERNEL__*/
199#endif /*__LINUX_NETFILTER_H*/