Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
netfilter.h
Go to the documentation of this file.
1 #ifndef __LINUX_NETFILTER_H
2 #define __LINUX_NETFILTER_H
3 
4 #include <linux/init.h>
5 #include <linux/skbuff.h>
6 #include <linux/net.h>
7 #include <linux/if.h>
8 #include <linux/in.h>
9 #include <linux/in6.h>
10 #include <linux/wait.h>
11 #include <linux/list.h>
12 #include <uapi/linux/netfilter.h>
13 #ifdef CONFIG_NETFILTER
14 static inline int NF_DROP_GETERR(int verdict)
15 {
16  return -(verdict >> NF_VERDICT_QBITS);
17 }
18 
19 static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1,
20  const union nf_inet_addr *a2)
21 {
22  return a1->all[0] == a2->all[0] &&
23  a1->all[1] == a2->all[1] &&
24  a1->all[2] == a2->all[2] &&
25  a1->all[3] == a2->all[3];
26 }
27 
28 static inline void nf_inet_addr_mask(const union nf_inet_addr *a1,
29  union nf_inet_addr *result,
30  const union nf_inet_addr *mask)
31 {
32  result->all[0] = a1->all[0] & mask->all[0];
33  result->all[1] = a1->all[1] & mask->all[1];
34  result->all[2] = a1->all[2] & mask->all[2];
35  result->all[3] = a1->all[3] & mask->all[3];
36 }
37 
38 extern void netfilter_init(void);
39 
40 /* Largest hook number + 1 */
41 #define NF_MAX_HOOKS 8
42 
43 struct sk_buff;
44 
45 typedef unsigned int nf_hookfn(unsigned int hooknum,
46  struct sk_buff *skb,
47  const struct net_device *in,
48  const struct net_device *out,
49  int (*okfn)(struct sk_buff *));
50 
51 struct nf_hook_ops {
52  struct list_head list;
53 
54  /* User fills in from here down. */
55  nf_hookfn *hook;
56  struct module *owner;
57  u_int8_t pf;
58  unsigned int hooknum;
59  /* Hooks are ordered in ascending priority. */
60  int priority;
61 };
62 
63 struct nf_sockopt_ops {
64  struct list_head list;
65 
66  u_int8_t pf;
67 
68  /* Non-inclusive ranges: use 0/0/NULL to never get called. */
69  int set_optmin;
70  int set_optmax;
71  int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len);
72 #ifdef CONFIG_COMPAT
73  int (*compat_set)(struct sock *sk, int optval,
74  void __user *user, unsigned int len);
75 #endif
76  int get_optmin;
77  int get_optmax;
78  int (*get)(struct sock *sk, int optval, void __user *user, int *len);
79 #ifdef CONFIG_COMPAT
80  int (*compat_get)(struct sock *sk, int optval,
81  void __user *user, int *len);
82 #endif
83  /* Use the module struct to lock set/get code in place */
84  struct module *owner;
85 };
86 
87 /* Function to register/unregister hook points. */
88 int nf_register_hook(struct nf_hook_ops *reg);
89 void nf_unregister_hook(struct nf_hook_ops *reg);
90 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n);
91 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n);
92 
93 /* Functions to register get/setsockopt ranges (non-inclusive). You
94  need to check permissions yourself! */
95 int nf_register_sockopt(struct nf_sockopt_ops *reg);
96 void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
97 
98 extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
99 
100 #if defined(CONFIG_JUMP_LABEL)
101 #include <linux/static_key.h>
102 extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
103 static inline bool nf_hooks_active(u_int8_t pf, unsigned int hook)
104 {
105  if (__builtin_constant_p(pf) &&
106  __builtin_constant_p(hook))
107  return static_key_false(&nf_hooks_needed[pf][hook]);
108 
109  return !list_empty(&nf_hooks[pf][hook]);
110 }
111 #else
112 static inline bool nf_hooks_active(u_int8_t pf, unsigned int hook)
113 {
114  return !list_empty(&nf_hooks[pf][hook]);
115 }
116 #endif
117 
118 int nf_hook_slow(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
119  struct net_device *indev, struct net_device *outdev,
120  int (*okfn)(struct sk_buff *), int thresh);
121 
129 static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
130  struct sk_buff *skb,
131  struct net_device *indev,
132  struct net_device *outdev,
133  int (*okfn)(struct sk_buff *), int thresh)
134 {
135  if (nf_hooks_active(pf, hook))
136  return nf_hook_slow(pf, hook, skb, indev, outdev, okfn, thresh);
137  return 1;
138 }
139 
140 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
141  struct net_device *indev, struct net_device *outdev,
142  int (*okfn)(struct sk_buff *))
143 {
144  return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN);
145 }
146 
147 /* Activate hook; either okfn or kfree_skb called, unless a hook
148  returns NF_STOLEN (in which case, it's up to the hook to deal with
149  the consequences).
150 
151  Returns -ERRNO if packet dropped. Zero means queued, stolen or
152  accepted.
153 */
154 
155 /* RR:
156  > I don't want nf_hook to return anything because people might forget
157  > about async and trust the return value to mean "packet was ok".
158 
159  AK:
160  Just document it clearly, then you can expect some sense from kernel
161  coders :)
162 */
163 
164 static inline int
165 NF_HOOK_THRESH(uint8_t pf, unsigned int hook, struct sk_buff *skb,
166  struct net_device *in, struct net_device *out,
167  int (*okfn)(struct sk_buff *), int thresh)
168 {
169  int ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, thresh);
170  if (ret == 1)
171  ret = okfn(skb);
172  return ret;
173 }
174 
175 static inline int
176 NF_HOOK_COND(uint8_t pf, unsigned int hook, struct sk_buff *skb,
177  struct net_device *in, struct net_device *out,
178  int (*okfn)(struct sk_buff *), bool cond)
179 {
180  int ret;
181 
182  if (!cond ||
183  ((ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, INT_MIN)) == 1))
184  ret = okfn(skb);
185  return ret;
186 }
187 
188 static inline int
189 NF_HOOK(uint8_t pf, unsigned int hook, struct sk_buff *skb,
190  struct net_device *in, struct net_device *out,
191  int (*okfn)(struct sk_buff *))
192 {
193  return NF_HOOK_THRESH(pf, hook, skb, in, out, okfn, INT_MIN);
194 }
195 
196 /* Call setsockopt() */
197 int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
198  unsigned int len);
199 int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
200  int *len);
201 #ifdef CONFIG_COMPAT
202 int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval,
203  char __user *opt, unsigned int len);
204 int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval,
205  char __user *opt, int *len);
206 #endif
207 
208 /* Call this before modifying an existing packet: ensures it is
209  modifiable and linear to the point you care about (writable_len).
210  Returns true or false. */
211 extern int skb_make_writable(struct sk_buff *skb, unsigned int writable_len);
212 
213 struct flowi;
214 struct nf_queue_entry;
215 
216 struct nf_afinfo {
217  unsigned short family;
218  __sum16 (*checksum)(struct sk_buff *skb, unsigned int hook,
219  unsigned int dataoff, u_int8_t protocol);
220  __sum16 (*checksum_partial)(struct sk_buff *skb,
221  unsigned int hook,
222  unsigned int dataoff,
223  unsigned int len,
224  u_int8_t protocol);
225  int (*route)(struct net *net, struct dst_entry **dst,
226  struct flowi *fl, bool strict);
227  void (*saveroute)(const struct sk_buff *skb,
228  struct nf_queue_entry *entry);
229  int (*reroute)(struct sk_buff *skb,
230  const struct nf_queue_entry *entry);
231  int route_key_size;
232 };
233 
234 extern const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO];
235 static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family)
236 {
237  return rcu_dereference(nf_afinfo[family]);
238 }
239 
240 static inline __sum16
241 nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff,
242  u_int8_t protocol, unsigned short family)
243 {
244  const struct nf_afinfo *afinfo;
245  __sum16 csum = 0;
246 
247  rcu_read_lock();
248  afinfo = nf_get_afinfo(family);
249  if (afinfo)
250  csum = afinfo->checksum(skb, hook, dataoff, protocol);
251  rcu_read_unlock();
252  return csum;
253 }
254 
255 static inline __sum16
256 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
257  unsigned int dataoff, unsigned int len,
258  u_int8_t protocol, unsigned short family)
259 {
260  const struct nf_afinfo *afinfo;
261  __sum16 csum = 0;
262 
263  rcu_read_lock();
264  afinfo = nf_get_afinfo(family);
265  if (afinfo)
266  csum = afinfo->checksum_partial(skb, hook, dataoff, len,
267  protocol);
268  rcu_read_unlock();
269  return csum;
270 }
271 
272 extern int nf_register_afinfo(const struct nf_afinfo *afinfo);
273 extern void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
274 
275 #include <net/flow.h>
276 extern void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
277 
278 static inline void
279 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
280 {
281 #ifdef CONFIG_NF_NAT_NEEDED
282  void (*decodefn)(struct sk_buff *, struct flowi *);
283 
284  rcu_read_lock();
285  decodefn = rcu_dereference(nf_nat_decode_session_hook);
286  if (decodefn)
287  decodefn(skb, fl);
288  rcu_read_unlock();
289 #endif
290 }
291 
292 #ifdef CONFIG_PROC_FS
293 #include <linux/proc_fs.h>
294 extern struct proc_dir_entry *proc_net_netfilter;
295 #endif
296 
297 #else /* !CONFIG_NETFILTER */
298 #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
299 #define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
300 static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
301  struct sk_buff *skb,
302  struct net_device *indev,
303  struct net_device *outdev,
304  int (*okfn)(struct sk_buff *), int thresh)
305 {
306  return okfn(skb);
307 }
308 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
309  struct net_device *indev, struct net_device *outdev,
310  int (*okfn)(struct sk_buff *))
311 {
312  return 1;
313 }
314 struct flowi;
315 static inline void
316 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
317 {
318 }
319 #endif /*CONFIG_NETFILTER*/
320 
321 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
322 extern void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *) __rcu;
323 extern void nf_ct_attach(struct sk_buff *, struct sk_buff *);
324 extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu;
325 
326 struct nf_conn;
327 struct nlattr;
328 
329 struct nfq_ct_hook {
330  size_t (*build_size)(const struct nf_conn *ct);
331  int (*build)(struct sk_buff *skb, struct nf_conn *ct);
332  int (*parse)(const struct nlattr *attr, struct nf_conn *ct);
333 };
334 extern struct nfq_ct_hook __rcu *nfq_ct_hook;
335 
336 struct nfq_ct_nat_hook {
337  void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,
338  u32 ctinfo, int off);
339 };
340 extern struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook;
341 #else
342 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
343 #endif
344 
345 #endif /*__LINUX_NETFILTER_H*/
Generated on Thu Jan 10 2013 14:52:06 for Linux Kernel by   doxygen 1.8.2