
UAPI: (Scripted) Disintegrate include/linux/netfilter_ipv4

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Dave Jones <davej@redhat.com>

+241 -226
-10
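--- a/include/linux/netfilter_ipv4/Kbuild
+++ b/include/linux/netfilter_ipv4/Kbuild
@@ -1,10 +0,0 @@
-header-y += ip_tables.h
-header-y += ipt_CLUSTERIP.h
-header-y += ipt_ECN.h
-header-y += ipt_LOG.h
-header-y += ipt_REJECT.h
-header-y += ipt_TTL.h
-header-y += ipt_ULOG.h
-header-y += ipt_ah.h
-header-y += ipt_ecn.h
-header-y += ipt_ttl.h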
+2 -216
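--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -11,230 +11,17 @@
 * flags are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 */
-
 #ifndef _IPTABLES_H
 #define _IPTABLES_H
 
-#ifdef __KERNEL__
 #include <linux/if.h>
 #include <linux/in.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#endif
-#include <linux/types.h>
-#include <linux/compiler.h>
-#include <linux/netfilter_ipv4.h>
-
-#include <linux/netfilter/x_tables.h>
-
-#ifndef __KERNEL__
-#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
-#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define ipt_match xt_match
-#define ipt_target xt_target
-#define ipt_table xt_table
-#define ipt_get_revision xt_get_revision
-#define ipt_entry_match xt_entry_match
-#define ipt_entry_target xt_entry_target
-#define ipt_standard_target xt_standard_target
-#define ipt_error_target xt_error_target
-#define ipt_counters xt_counters
-#define IPT_CONTINUE XT_CONTINUE
-#define IPT_RETURN XT_RETURN
-
-/* This group is older than old (iptables < v1.4.0-rc1~89) */
-#include <linux/netfilter/xt_tcpudp.h>
-#define ipt_udp xt_udp
-#define ipt_tcp xt_tcp
-#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT
-#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT
-#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS
-#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION
-#define IPT_TCP_INV_MASK XT_TCP_INV_MASK
-#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT
-#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT
-#define IPT_UDP_INV_MASK XT_UDP_INV_MASK
-
-/* The argument to IPT_SO_ADD_COUNTERS. */
-#define ipt_counters_info xt_counters_info
-/* Standard return verdict, or do jump. */
-#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define IPT_ERROR_TARGET XT_ERROR_TARGET
-
-/* fn returns 0 to continue iteration */
-#define IPT_MATCH_ITERATE(e, fn, args...) \
-XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
-
-/* fn returns 0 to continue iteration */
-#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
-XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
-#endif
-
-/* Yes, Virginia, you have to zero the padding. */
-struct ipt_ip {
-/* Source and destination IP addr */
-struct in_addr src, dst;
-/* Mask for src and dest IP addr */
-struct in_addr smsk, dmsk;
-char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
-unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
-
-/* Protocol, 0 = ANY */
-__u16 proto;
-
-/* Flags word */
-__u8 flags;
-/* Inverse flags */
-__u8 invflags;
-};
-
-/* Values for "flag" field in struct ipt_ip (general ip structure). */
-#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
-#define IPT_F_GOTO 0x02 /* Set if jump is a goto */
-#define IPT_F_MASK 0x03 /* All possible flag bits mask. */
-
-/* Values for "inv" field in struct ipt_ip. */
-#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
-#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
-#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */
-#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
-#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
-#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */
-#define IPT_INV_PROTO XT_INV_PROTO
-#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */
-
-/* This structure defines each of the firewall rules. Consists of 3
-parts which are 1) general IP header stuff 2) match specific
-stuff 3) the target to perform if the rule matches */
-struct ipt_entry {
-struct ipt_ip ip;
-
-/* Mark with fields that we care about. */
-unsigned int nfcache;
-
-/* Size of ipt_entry + matches */
-__u16 target_offset;
-/* Size of ipt_entry + matches + target */
-__u16 next_offset;
-
-/* Back pointer */
-unsigned int comefrom;
-
-/* Packet and byte counters. */
-struct xt_counters counters;
-
-/* The matches (if any), then the target. */
-unsigned char elems[0];
-};
-
-/*
-* New IP firewall options for [gs]etsockopt at the RAW IP level.
-* Unlike BSD Linux inherits IP options so you don't have to use a raw
-* socket for this. Instead we check rights in the calls.
-*
-* ATTENTION: check linux/in.h before adding new number here.
-*/
-#define IPT_BASE_CTL 64
-
-#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
-#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
-#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS
-
-#define IPT_SO_GET_INFO (IPT_BASE_CTL)
-#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
-#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
-#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
-#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
-
-/* ICMP matching stuff */
-struct ipt_icmp {
-__u8 type; /* type to match */
-__u8 code[2]; /* range of code */
-__u8 invflags; /* Inverse flags */
-};
-
-/* Values for "inv" field for struct ipt_icmp. */
-#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */
-
-/* The argument to IPT_SO_GET_INFO */
-struct ipt_getinfo {
-/* Which table: caller fills this in. */
-char name[XT_TABLE_MAXNAMELEN];
-
-/* Kernel fills these in. */
-/* Which hook entry points are valid: bitmask */
-unsigned int valid_hooks;
-
-/* Hook entry points: one per netfilter hook. */
-unsigned int hook_entry[NF_INET_NUMHOOKS];
-
-/* Underflow points. */
-unsigned int underflow[NF_INET_NUMHOOKS];
-
-/* Number of entries */
-unsigned int num_entries;
-
-/* Size of entries. */
-unsigned int size;
-};
-
-/* The argument to IPT_SO_SET_REPLACE. */
-struct ipt_replace {
-/* Which table. */
-char name[XT_TABLE_MAXNAMELEN];
-
-/* Which hook entry points are valid: bitmask. You can't
-change this. */
-unsigned int valid_hooks;
-
-/* Number of entries */
-unsigned int num_entries;
-
-/* Total size of new entries */
-unsigned int size;
-
-/* Hook entry points. */
-unsigned int hook_entry[NF_INET_NUMHOOKS];
-
-/* Underflow points. */
-unsigned int underflow[NF_INET_NUMHOOKS];
-
-/* Information about old entries: */
-/* Number of counters (must be equal to current number of entries). */
-unsigned int num_counters;
-/* The old entries' counters. */
-struct xt_counters __user *counters;
-
-/* The entries (hang off end: not really an array). */
-struct ipt_entry entries[0];
-};
-
-/* The argument to IPT_SO_GET_ENTRIES. */
-struct ipt_get_entries {
-/* Which table: user fills this in. */
-char name[XT_TABLE_MAXNAMELEN];
-
-/* User fills this in: total entry size. */
-unsigned int size;
-
-/* The entries. */
-struct ipt_entry entrytable[0];
-};
-
-/* Helper functions */
-static __inline__ struct xt_entry_target *
-ipt_get_target(struct ipt_entry *e)
-{
-return (void *)e + e->target_offset;
-}
-
-/*
-* Main firewall chains definitions and global var's definitions.
-*/
-#ifdef __KERNEL__
 
 #include <linux/init.h>
+#include <uapi/linux/netfilter_ipv4/ip_tables.h>
+
 extern void ipt_init(void) __init;
 
 extern struct xt_table *ipt_register_table(struct net *net,
@@ -303,5 +90,4 @@
 }
 
 #endif /* CONFIG_COMPAT */
-#endif /*__KERNEL__*/
 #endif /* _IPTABLES_H */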
include/linux/netfilter_ipv4/ipt_CLUSTERIP.h include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h
include/linux/netfilter_ipv4/ipt_ECN.h include/uapi/linux/netfilter_ipv4/ipt_ECN.h
include/linux/netfilter_ipv4/ipt_LOG.h include/uapi/linux/netfilter_ipv4/ipt_LOG.h
include/linux/netfilter_ipv4/ipt_REJECT.h include/uapi/linux/netfilter_ipv4/ipt_REJECT.h
include/linux/netfilter_ipv4/ipt_TTL.h include/uapi/linux/netfilter_ipv4/ipt_TTL.h
include/linux/netfilter_ipv4/ipt_ULOG.h include/uapi/linux/netfilter_ipv4/ipt_ULOG.h
include/linux/netfilter_ipv4/ipt_ah.h include/uapi/linux/netfilter_ipv4/ipt_ah.h
include/linux/netfilter_ipv4/ipt_ecn.h include/uapi/linux/netfilter_ipv4/ipt_ecn.h
include/linux/netfilter_ipv4/ipt_ttl.h include/uapi/linux/netfilter_ipv4/ipt_ttl.h
+10
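--- a/include/uapi/linux/netfilter_ipv4/Kbuild
+++ b/include/uapi/linux/netfilter_ipv4/Kbuild
@@ -1 +1,11 @@
 # UAPI Header export list
+header-y += ip_tables.h
+header-y += ipt_CLUSTERIP.h
+header-y += ipt_ECN.h
+header-y += ipt_LOG.h
+header-y += ipt_REJECT.h
+header-y += ipt_TTL.h
+header-y += ipt_ULOG.h
+header-y += ipt_ah.h
+header-y += ipt_ecn.h
+header-y += ipt_ttl.h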
+229
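--- a/include/uapi/linux/netfilter_ipv4/ip_tables.h
+++ b/include/uapi/linux/netfilter_ipv4/ip_tables.h
@@ -0,0 +1,229 @@
+/*
+* 25-Jul-1998 Major changes to allow for ip chain table
+*
+* 3-Jan-2000 Named tables to allow packet selection for different uses.
+*/
+
+/*
+* Format of an IP firewall descriptor
+*
+* src, dst, src_mask, dst_mask are always stored in network byte order.
+* flags are stored in host byte order (of course).
+* Port numbers are stored in HOST byte order.
+*/
+
+#ifndef _UAPI_IPTABLES_H
+#define _UAPI_IPTABLES_H
+
+#include <linux/types.h>
+#include <linux/compiler.h>
+#include <linux/netfilter_ipv4.h>
+
+#include <linux/netfilter/x_tables.h>
+
+#ifndef __KERNEL__
+#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define ipt_match xt_match
+#define ipt_target xt_target
+#define ipt_table xt_table
+#define ipt_get_revision xt_get_revision
+#define ipt_entry_match xt_entry_match
+#define ipt_entry_target xt_entry_target
+#define ipt_standard_target xt_standard_target
+#define ipt_error_target xt_error_target
+#define ipt_counters xt_counters
+#define IPT_CONTINUE XT_CONTINUE
+#define IPT_RETURN XT_RETURN
+
+/* This group is older than old (iptables < v1.4.0-rc1~89) */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ipt_udp xt_udp
+#define ipt_tcp xt_tcp
+#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT
+#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT
+#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS
+#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION
+#define IPT_TCP_INV_MASK XT_TCP_INV_MASK
+#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT
+#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT
+#define IPT_UDP_INV_MASK XT_UDP_INV_MASK
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+#define ipt_counters_info xt_counters_info
+/* Standard return verdict, or do jump. */
+#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
+/* Error verdict. */
+#define IPT_ERROR_TARGET XT_ERROR_TARGET
+
+/* fn returns 0 to continue iteration */
+#define IPT_MATCH_ITERATE(e, fn, args...) \
+XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
+
+/* fn returns 0 to continue iteration */
+#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
+XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
+#endif
+
+/* Yes, Virginia, you have to zero the padding. */
+struct ipt_ip {
+/* Source and destination IP addr */
+struct in_addr src, dst;
+/* Mask for src and dest IP addr */
+struct in_addr smsk, dmsk;
+char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+
+/* Protocol, 0 = ANY */
+__u16 proto;
+
+/* Flags word */
+__u8 flags;
+/* Inverse flags */
+__u8 invflags;
+};
+
+/* Values for "flag" field in struct ipt_ip (general ip structure). */
+#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
+#define IPT_F_GOTO 0x02 /* Set if jump is a goto */
+#define IPT_F_MASK 0x03 /* All possible flag bits mask. */
+
+/* Values for "inv" field in struct ipt_ip. */
+#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
+#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
+#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */
+#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
+#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
+#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */
+#define IPT_INV_PROTO XT_INV_PROTO
+#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */
+
+/* This structure defines each of the firewall rules. Consists of 3
+parts which are 1) general IP header stuff 2) match specific
+stuff 3) the target to perform if the rule matches */
+struct ipt_entry {
+struct ipt_ip ip;
+
+/* Mark with fields that we care about. */
+unsigned int nfcache;
+
+/* Size of ipt_entry + matches */
+__u16 target_offset;
+/* Size of ipt_entry + matches + target */
+__u16 next_offset;
+
+/* Back pointer */
+unsigned int comefrom;
+
+/* Packet and byte counters. */
+struct xt_counters counters;
+
+/* The matches (if any), then the target. */
+unsigned char elems[0];
+};
+
+/*
+* New IP firewall options for [gs]etsockopt at the RAW IP level.
+* Unlike BSD Linux inherits IP options so you don't have to use a raw
+* socket for this. Instead we check rights in the calls.
+*
+* ATTENTION: check linux/in.h before adding new number here.
+*/
+#define IPT_BASE_CTL 64
+
+#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
+#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
+#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS
+
+#define IPT_SO_GET_INFO (IPT_BASE_CTL)
+#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
+#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
+#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
+#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
+
+/* ICMP matching stuff */
+struct ipt_icmp {
+__u8 type; /* type to match */
+__u8 code[2]; /* range of code */
+__u8 invflags; /* Inverse flags */
+};
+
+/* Values for "inv" field for struct ipt_icmp. */
+#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */
+
+/* The argument to IPT_SO_GET_INFO */
+struct ipt_getinfo {
+/* Which table: caller fills this in. */
+char name[XT_TABLE_MAXNAMELEN];
+
+/* Kernel fills these in. */
+/* Which hook entry points are valid: bitmask */
+unsigned int valid_hooks;
+
+/* Hook entry points: one per netfilter hook. */
+unsigned int hook_entry[NF_INET_NUMHOOKS];
+
+/* Underflow points. */
+unsigned int underflow[NF_INET_NUMHOOKS];
+
+/* Number of entries */
+unsigned int num_entries;
+
+/* Size of entries. */
+unsigned int size;
+};
+
+/* The argument to IPT_SO_SET_REPLACE. */
+struct ipt_replace {
+/* Which table. */
+char name[XT_TABLE_MAXNAMELEN];
+
+/* Which hook entry points are valid: bitmask. You can't
+change this. */
+unsigned int valid_hooks;
+
+/* Number of entries */
+unsigned int num_entries;
+
+/* Total size of new entries */
+unsigned int size;
+
+/* Hook entry points. */
+unsigned int hook_entry[NF_INET_NUMHOOKS];
+
+/* Underflow points. */
+unsigned int underflow[NF_INET_NUMHOOKS];
+
+/* Information about old entries: */
+/* Number of counters (must be equal to current number of entries). */
+unsigned int num_counters;
+/* The old entries' counters. */
+struct xt_counters __user *counters;
+
+/* The entries (hang off end: not really an array). */
+struct ipt_entry entries[0];
+};
+
+/* The argument to IPT_SO_GET_ENTRIES. */
+struct ipt_get_entries {
+/* Which table: user fills this in. */
+char name[XT_TABLE_MAXNAMELEN];
+
+/* User fills this in: total entry size. */
+unsigned int size;
+
+/* The entries. */
+struct ipt_entry entrytable[0];
+};
+
+/* Helper functions */
+static __inline__ struct xt_entry_target *
+ipt_get_target(struct ipt_entry *e)
+{
+return (void *)e + e->target_offset;
+}
+
+/*
+* Main firewall chains definitions and global var's definitions.
+*/
+#endif /* _UAPI_IPTABLES_H */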
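Review bot: `ipt_get_target()` near the end of the new UAPI header computes `(void *)e + e->target_offset` with no bound, and nothing in the header says that the caller has to validate the offset first. `target_offset` is a `__u16` inside entries that `struct ipt_replace` carries as the argument to `IPT_SO_SET_REPLACE`, so the contract belongs in a comment above the helper, for example `/* Caller must already have checked that target_offset >= sizeof(struct ipt_entry) and that the target header fits before next_offset. */`. Because this file is exported to user space, the arithmetic on `void *` also depends on a GNU extension; `return (struct xt_entry_target *)((char *)e + e->target_offset);` is equivalent and builds under strict ISO C. The function appears to be moved unchanged from the old header, so this fits better as a follow-up than as part of the scripted split.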