/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_pkttype.h |
---|
0,0 → 1,11 |
#ifndef __LINUX_BRIDGE_EBT_PKTTYPE_H |
#define __LINUX_BRIDGE_EBT_PKTTYPE_H |
struct ebt_pkttype_info |
{ |
uint8_t pkt_type; |
uint8_t invert; |
}; |
#define EBT_PKTTYPE_MATCH "pkttype" |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_vlan.h |
---|
0,0 → 1,20 |
#ifndef __LINUX_BRIDGE_EBT_VLAN_H |
#define __LINUX_BRIDGE_EBT_VLAN_H |
#define EBT_VLAN_ID 0x01 |
#define EBT_VLAN_PRIO 0x02 |
#define EBT_VLAN_ENCAP 0x04 |
#define EBT_VLAN_MASK (EBT_VLAN_ID | EBT_VLAN_PRIO | EBT_VLAN_ENCAP) |
#define EBT_VLAN_MATCH "vlan" |
struct ebt_vlan_info { |
uint16_t id; /* VLAN ID {1-4095} */ |
uint8_t prio; /* VLAN User Priority {0-7} */ |
uint16_t encap; /* VLAN Encapsulated frame code {0-65535} */ |
uint8_t bitmask; /* Args bitmask bit 1=1 - ID arg, |
bit 2=1 User-Priority arg, bit 3=1 encap*/ |
uint8_t invflags; /* Inverse bitmask bit 1=1 - inversed ID arg, |
bit 2=1 - inversed Pirority arg */ |
}; |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_log.h |
---|
0,0 → 1,17 |
#ifndef __LINUX_BRIDGE_EBT_LOG_H |
#define __LINUX_BRIDGE_EBT_LOG_H |
#define EBT_LOG_IP 0x01 /* if the frame is made by ip, log the ip information */ |
#define EBT_LOG_ARP 0x02 |
#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP) |
#define EBT_LOG_PREFIX_SIZE 30 |
#define EBT_LOG_WATCHER "log" |
struct ebt_log_info |
{ |
uint8_t loglevel; |
uint8_t prefix[EBT_LOG_PREFIX_SIZE]; |
uint32_t bitmask; |
}; |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_redirect.h |
---|
0,0 → 1,11 |
#ifndef __LINUX_BRIDGE_EBT_REDIRECT_H |
#define __LINUX_BRIDGE_EBT_REDIRECT_H |
struct ebt_redirect_info |
{ |
/* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ |
int target; |
}; |
#define EBT_REDIRECT_TARGET "redirect" |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_among.h |
---|
0,0 → 1,65 |
#ifndef __LINUX_BRIDGE_EBT_AMONG_H |
#define __LINUX_BRIDGE_EBT_AMONG_H |
#define EBT_AMONG_DST 0x01 |
#define EBT_AMONG_SRC 0x02 |
/* Grzegorz Borowiak <grzes@gnu.univ.gda.pl> 2003 |
* |
* Write-once-read-many hash table, used for checking if a given |
* MAC address belongs to a set or not and possibly for checking |
* if it is related with a given IPv4 address. |
* |
* The hash value of an address is its last byte. |
* |
* In real-world ethernet addresses, values of the last byte are |
* evenly distributed and there is no need to consider other bytes. |
* It would only slow the routines down. |
* |
* For MAC address comparison speedup reasons, we introduce a trick. |
* MAC address is mapped onto an array of two 32-bit integers. |
* This pair of integers is compared with MAC addresses in the |
* hash table, which are stored also in form of pairs of integers |
* (in `cmp' array). This is quick as it requires only two elementary |
* number comparisons in worst case. Further, we take advantage of |
* fact that entropy of 3 last bytes of address is larger than entropy |
* of 3 first bytes. So first we compare 4 last bytes of addresses and |
* if they are the same we compare 2 first. |
* |
* Yes, it is a memory overhead, but in 2003 AD, who cares? |
*/ |
struct ebt_mac_wormhash_tuple |
{ |
uint32_t cmp[2]; |
uint32_t ip; |
}; |
struct ebt_mac_wormhash |
{ |
int table[257]; |
int poolsize; |
struct ebt_mac_wormhash_tuple pool[0]; |
}; |
#define ebt_mac_wormhash_size(x) ((x) ? sizeof(struct ebt_mac_wormhash) \ |
+ (x)->poolsize * sizeof(struct ebt_mac_wormhash_tuple) : 0) |
struct ebt_among_info |
{ |
int wh_dst_ofs; |
int wh_src_ofs; |
int bitmask; |
}; |
#define EBT_AMONG_DST_NEG 0x1 |
#define EBT_AMONG_SRC_NEG 0x2 |
#define ebt_among_wh_dst(x) ((x)->wh_dst_ofs ? \ |
(struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_dst_ofs) : NULL) |
#define ebt_among_wh_src(x) ((x)->wh_src_ofs ? \ |
(struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_src_ofs) : NULL) |
#define EBT_AMONG_MATCH "among" |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_arp.h |
---|
0,0 → 1,32 |
#ifndef __LINUX_BRIDGE_EBT_ARP_H |
#define __LINUX_BRIDGE_EBT_ARP_H |
#define EBT_ARP_OPCODE 0x01 |
#define EBT_ARP_HTYPE 0x02 |
#define EBT_ARP_PTYPE 0x04 |
#define EBT_ARP_SRC_IP 0x08 |
#define EBT_ARP_DST_IP 0x10 |
#define EBT_ARP_SRC_MAC 0x20 |
#define EBT_ARP_DST_MAC 0x40 |
#define EBT_ARP_MASK (EBT_ARP_OPCODE | EBT_ARP_HTYPE | EBT_ARP_PTYPE | \ |
EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC) |
#define EBT_ARP_MATCH "arp" |
struct ebt_arp_info |
{ |
uint16_t htype; |
uint16_t ptype; |
uint16_t opcode; |
uint32_t saddr; |
uint32_t smsk; |
uint32_t daddr; |
uint32_t dmsk; |
unsigned char smaddr[ETH_ALEN]; |
unsigned char smmsk[ETH_ALEN]; |
unsigned char dmaddr[ETH_ALEN]; |
unsigned char dmmsk[ETH_ALEN]; |
uint8_t bitmask; |
uint8_t invflags; |
}; |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_nat.h |
---|
0,0 → 1,13 |
#ifndef __LINUX_BRIDGE_EBT_NAT_H |
#define __LINUX_BRIDGE_EBT_NAT_H |
struct ebt_nat_info |
{ |
unsigned char mac[ETH_ALEN]; |
/* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ |
int target; |
}; |
#define EBT_SNAT_TARGET "snat" |
#define EBT_DNAT_TARGET "dnat" |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_mark_m.h |
---|
0,0 → 1,15 |
#ifndef __LINUX_BRIDGE_EBT_MARK_M_H |
#define __LINUX_BRIDGE_EBT_MARK_M_H |
#define EBT_MARK_AND 0x01 |
#define EBT_MARK_OR 0x02 |
#define EBT_MARK_MASK (EBT_MARK_AND | EBT_MARK_OR) |
struct ebt_mark_m_info |
{ |
unsigned long mark, mask; |
uint8_t invert; |
uint8_t bitmask; |
}; |
#define EBT_MARK_MATCH "mark_m" |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_stp.h |
---|
0,0 → 1,46 |
#ifndef __LINUX_BRIDGE_EBT_STP_H |
#define __LINUX_BRIDGE_EBT_STP_H |
#define EBT_STP_TYPE 0x0001 |
#define EBT_STP_FLAGS 0x0002 |
#define EBT_STP_ROOTPRIO 0x0004 |
#define EBT_STP_ROOTADDR 0x0008 |
#define EBT_STP_ROOTCOST 0x0010 |
#define EBT_STP_SENDERPRIO 0x0020 |
#define EBT_STP_SENDERADDR 0x0040 |
#define EBT_STP_PORT 0x0080 |
#define EBT_STP_MSGAGE 0x0100 |
#define EBT_STP_MAXAGE 0x0200 |
#define EBT_STP_HELLOTIME 0x0400 |
#define EBT_STP_FWDD 0x0800 |
#define EBT_STP_MASK 0x0fff |
#define EBT_STP_CONFIG_MASK 0x0ffe |
#define EBT_STP_MATCH "stp" |
struct ebt_stp_config_info |
{ |
uint8_t flags; |
uint16_t root_priol, root_priou; |
char root_addr[6], root_addrmsk[6]; |
uint32_t root_costl, root_costu; |
uint16_t sender_priol, sender_priou; |
char sender_addr[6], sender_addrmsk[6]; |
uint16_t portl, portu; |
uint16_t msg_agel, msg_ageu; |
uint16_t max_agel, max_ageu; |
uint16_t hello_timel, hello_timeu; |
uint16_t forward_delayl, forward_delayu; |
}; |
struct ebt_stp_info |
{ |
uint8_t type; |
struct ebt_stp_config_info config; |
uint16_t bitmask; |
uint16_t invflags; |
}; |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebtables.h |
---|
0,0 → 1,363 |
/* |
* ebtables |
* |
* Authors: |
* Bart De Schuymer <bdschuym@pandora.be> |
* |
* ebtables.c,v 2.0, April, 2002 |
* |
* This code is stongly inspired on the iptables code which is |
* Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling |
*/ |
#ifndef __LINUX_BRIDGE_EFF_H |
#define __LINUX_BRIDGE_EFF_H |
#include <linux/if.h> |
#include <linux/netfilter_bridge.h> |
#include <linux/if_ether.h> |
#define EBT_TABLE_MAXNAMELEN 32 |
#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN |
#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN |
/* verdicts >0 are "branches" */ |
#define EBT_ACCEPT -1 |
#define EBT_DROP -2 |
#define EBT_CONTINUE -3 |
#define EBT_RETURN -4 |
#define NUM_STANDARD_TARGETS 4 |
struct ebt_counter |
{ |
uint64_t pcnt; |
uint64_t bcnt; |
}; |
struct ebt_replace |
{ |
char name[EBT_TABLE_MAXNAMELEN]; |
unsigned int valid_hooks; |
/* nr of rules in the table */ |
unsigned int nentries; |
/* total size of the entries */ |
unsigned int entries_size; |
/* start of the chains */ |
struct ebt_entries *hook_entry[NF_BR_NUMHOOKS]; |
/* nr of counters userspace expects back */ |
unsigned int num_counters; |
/* where the kernel will put the old counters */ |
struct ebt_counter *counters; |
char *entries; |
}; |
struct ebt_entries { |
/* this field is always set to zero |
* See EBT_ENTRY_OR_ENTRIES. |
* Must be same size as ebt_entry.bitmask */ |
unsigned int distinguisher; |
/* the chain name */ |
char name[EBT_CHAIN_MAXNAMELEN]; |
/* counter offset for this chain */ |
unsigned int counter_offset; |
/* one standard (accept, drop, return) per hook */ |
int policy; |
/* nr. of entries */ |
unsigned int nentries; |
/* entry list */ |
char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
}; |
/* used for the bitmask of struct ebt_entry */ |
/* This is a hack to make a difference between an ebt_entry struct and an |
* ebt_entries struct when traversing the entries from start to end. |
* Using this simplifies the code alot, while still being able to use |
* ebt_entries. |
* Contrary, iptables doesn't use something like ebt_entries and therefore uses |
* different techniques for naming the policy and such. So, iptables doesn't |
* need a hack like this. |
*/ |
#define EBT_ENTRY_OR_ENTRIES 0x01 |
/* these are the normal masks */ |
#define EBT_NOPROTO 0x02 |
#define EBT_802_3 0x04 |
#define EBT_SOURCEMAC 0x08 |
#define EBT_DESTMAC 0x10 |
#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \ |
| EBT_ENTRY_OR_ENTRIES) |
#define EBT_IPROTO 0x01 |
#define EBT_IIN 0x02 |
#define EBT_IOUT 0x04 |
#define EBT_ISOURCE 0x8 |
#define EBT_IDEST 0x10 |
#define EBT_ILOGICALIN 0x20 |
#define EBT_ILOGICALOUT 0x40 |
#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ |
| EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) |
struct ebt_entry_match |
{ |
union { |
char name[EBT_FUNCTION_MAXNAMELEN]; |
struct ebt_match *match; |
} u; |
/* size of data */ |
unsigned int match_size; |
unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
}; |
struct ebt_entry_watcher |
{ |
union { |
char name[EBT_FUNCTION_MAXNAMELEN]; |
struct ebt_watcher *watcher; |
} u; |
/* size of data */ |
unsigned int watcher_size; |
unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
}; |
struct ebt_entry_target |
{ |
union { |
char name[EBT_FUNCTION_MAXNAMELEN]; |
struct ebt_target *target; |
} u; |
/* size of data */ |
unsigned int target_size; |
unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
}; |
#define EBT_STANDARD_TARGET "standard" |
struct ebt_standard_target |
{ |
struct ebt_entry_target target; |
int verdict; |
}; |
/* one entry */ |
struct ebt_entry { |
/* this needs to be the first field */ |
unsigned int bitmask; |
unsigned int invflags; |
uint16_t ethproto; |
/* the physical in-dev */ |
char in[IFNAMSIZ]; |
/* the logical in-dev */ |
char logical_in[IFNAMSIZ]; |
/* the physical out-dev */ |
char out[IFNAMSIZ]; |
/* the logical out-dev */ |
char logical_out[IFNAMSIZ]; |
unsigned char sourcemac[ETH_ALEN]; |
unsigned char sourcemsk[ETH_ALEN]; |
unsigned char destmac[ETH_ALEN]; |
unsigned char destmsk[ETH_ALEN]; |
/* sizeof ebt_entry + matches */ |
unsigned int watchers_offset; |
/* sizeof ebt_entry + matches + watchers */ |
unsigned int target_offset; |
/* sizeof ebt_entry + matches + watchers + target */ |
unsigned int next_offset; |
unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
}; |
/* {g,s}etsockopt numbers */ |
#define EBT_BASE_CTL 128 |
#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) |
#define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1) |
#define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1) |
#define EBT_SO_GET_INFO (EBT_BASE_CTL) |
#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1) |
#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1) |
#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1) |
#define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1) |
#ifdef __KERNEL__ |
/* return values for match() functions */ |
#define EBT_MATCH 0 |
#define EBT_NOMATCH 1 |
struct ebt_match |
{ |
struct list_head list; |
const char name[EBT_FUNCTION_MAXNAMELEN]; |
/* 0 == it matches */ |
int (*match)(const struct sk_buff *skb, const struct net_device *in, |
const struct net_device *out, const void *matchdata, |
unsigned int datalen); |
/* 0 == let it in */ |
int (*check)(const char *tablename, unsigned int hookmask, |
const struct ebt_entry *e, void *matchdata, unsigned int datalen); |
void (*destroy)(void *matchdata, unsigned int datalen); |
struct module *me; |
}; |
struct ebt_watcher |
{ |
struct list_head list; |
const char name[EBT_FUNCTION_MAXNAMELEN]; |
void (*watcher)(const struct sk_buff *skb, const struct net_device *in, |
const struct net_device *out, const void *watcherdata, |
unsigned int datalen); |
/* 0 == let it in */ |
int (*check)(const char *tablename, unsigned int hookmask, |
const struct ebt_entry *e, void *watcherdata, unsigned int datalen); |
void (*destroy)(void *watcherdata, unsigned int datalen); |
struct module *me; |
}; |
struct ebt_target |
{ |
struct list_head list; |
const char name[EBT_FUNCTION_MAXNAMELEN]; |
/* returns one of the standard verdicts */ |
int (*target)(struct sk_buff **pskb, unsigned int hooknr, |
const struct net_device *in, const struct net_device *out, |
const void *targetdata, unsigned int datalen); |
/* 0 == let it in */ |
int (*check)(const char *tablename, unsigned int hookmask, |
const struct ebt_entry *e, void *targetdata, unsigned int datalen); |
void (*destroy)(void *targetdata, unsigned int datalen); |
struct module *me; |
}; |
/* used for jumping from and into user defined chains (udc) */ |
struct ebt_chainstack |
{ |
struct ebt_entries *chaininfo; /* pointer to chain data */ |
struct ebt_entry *e; /* pointer to entry data */ |
unsigned int n; /* n'th entry */ |
}; |
struct ebt_table_info |
{ |
/* total size of the entries */ |
unsigned int entries_size; |
unsigned int nentries; |
/* pointers to the start of the chains */ |
struct ebt_entries *hook_entry[NF_BR_NUMHOOKS]; |
/* room to maintain the stack used for jumping from and into udc */ |
struct ebt_chainstack **chainstack; |
char *entries; |
struct ebt_counter counters[0] ____cacheline_aligned; |
}; |
struct ebt_table |
{ |
struct list_head list; |
char name[EBT_TABLE_MAXNAMELEN]; |
struct ebt_replace *table; |
unsigned int valid_hooks; |
rwlock_t lock; |
/* e.g. could be the table explicitly only allows certain |
* matches, targets, ... 0 == let it in */ |
int (*check)(const struct ebt_table_info *info, |
unsigned int valid_hooks); |
/* the data used by the kernel */ |
struct ebt_table_info *private; |
struct module *me; |
}; |
#define EBT_ALIGN(s) (((s) + (__alignof__(struct ebt_replace)-1)) & \ |
~(__alignof__(struct ebt_replace)-1)) |
extern int ebt_register_table(struct ebt_table *table); |
extern void ebt_unregister_table(struct ebt_table *table); |
extern int ebt_register_match(struct ebt_match *match); |
extern void ebt_unregister_match(struct ebt_match *match); |
extern int ebt_register_watcher(struct ebt_watcher *watcher); |
extern void ebt_unregister_watcher(struct ebt_watcher *watcher); |
extern int ebt_register_target(struct ebt_target *target); |
extern void ebt_unregister_target(struct ebt_target *target); |
extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff **pskb, |
const struct net_device *in, const struct net_device *out, |
struct ebt_table *table); |
/* Used in the kernel match() functions */ |
#define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg)) |
/* True if the hook mask denotes that the rule is in a base chain, |
* used in the check() functions */ |
#define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS)) |
/* Clear the bit in the hook mask that tells if the rule is on a base chain */ |
#define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS)) |
/* True if the target is not a standard target */ |
#define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0) |
#endif /* __KERNEL__ */ |
/* blatently stolen from ip_tables.h |
* fn returns 0 to continue iteration */ |
#define EBT_MATCH_ITERATE(e, fn, args...) \ |
({ \ |
unsigned int __i; \ |
int __ret = 0; \ |
struct ebt_entry_match *__match; \ |
\ |
for (__i = sizeof(struct ebt_entry); \ |
__i < (e)->watchers_offset; \ |
__i += __match->match_size + \ |
sizeof(struct ebt_entry_match)) { \ |
__match = (void *)(e) + __i; \ |
\ |
__ret = fn(__match , ## args); \ |
if (__ret != 0) \ |
break; \ |
} \ |
if (__ret == 0) { \ |
if (__i != (e)->watchers_offset) \ |
__ret = -EINVAL; \ |
} \ |
__ret; \ |
}) |
#define EBT_WATCHER_ITERATE(e, fn, args...) \ |
({ \ |
unsigned int __i; \ |
int __ret = 0; \ |
struct ebt_entry_watcher *__watcher; \ |
\ |
for (__i = e->watchers_offset; \ |
__i < (e)->target_offset; \ |
__i += __watcher->watcher_size + \ |
sizeof(struct ebt_entry_watcher)) { \ |
__watcher = (void *)(e) + __i; \ |
\ |
__ret = fn(__watcher , ## args); \ |
if (__ret != 0) \ |
break; \ |
} \ |
if (__ret == 0) { \ |
if (__i != (e)->target_offset) \ |
__ret = -EINVAL; \ |
} \ |
__ret; \ |
}) |
#define EBT_ENTRY_ITERATE(entries, size, fn, args...) \ |
({ \ |
unsigned int __i; \ |
int __ret = 0; \ |
struct ebt_entry *__entry; \ |
\ |
for (__i = 0; __i < (size);) { \ |
__entry = (void *)(entries) + __i; \ |
__ret = fn(__entry , ## args); \ |
if (__ret != 0) \ |
break; \ |
if (__entry->bitmask != 0) \ |
__i += __entry->next_offset; \ |
else \ |
__i += sizeof(struct ebt_entries); \ |
} \ |
if (__ret == 0) { \ |
if (__i != (size)) \ |
__ret = -EINVAL; \ |
} \ |
__ret; \ |
}) |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_ip.h |
---|
0,0 → 1,43 |
/* |
* ebt_ip |
* |
* Authors: |
* Bart De Schuymer <bart.de.schuymer@pandora.be> |
* |
* April, 2002 |
* |
* Changes: |
* added ip-sport and ip-dport |
* Innominate Security Technologies AG <mhopf@innominate.com> |
* September, 2002 |
*/ |
#ifndef __LINUX_BRIDGE_EBT_IP_H |
#define __LINUX_BRIDGE_EBT_IP_H |
#define EBT_IP_SOURCE 0x01 |
#define EBT_IP_DEST 0x02 |
#define EBT_IP_TOS 0x04 |
#define EBT_IP_PROTO 0x08 |
#define EBT_IP_SPORT 0x10 |
#define EBT_IP_DPORT 0x20 |
#define EBT_IP_MASK (EBT_IP_SOURCE | EBT_IP_DEST | EBT_IP_TOS | EBT_IP_PROTO |\ |
EBT_IP_SPORT | EBT_IP_DPORT ) |
#define EBT_IP_MATCH "ip" |
/* the same values are used for the invflags */ |
struct ebt_ip_info |
{ |
uint32_t saddr; |
uint32_t daddr; |
uint32_t smsk; |
uint32_t dmsk; |
uint8_t tos; |
uint8_t protocol; |
uint8_t bitmask; |
uint8_t invflags; |
uint16_t sport[2]; |
uint16_t dport[2]; |
}; |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_802_3.h |
---|
0,0 → 1,60 |
#ifndef __LINUX_BRIDGE_EBT_802_3_H |
#define __LINUX_BRIDGE_EBT_802_3_H |
#define EBT_802_3_SAP 0x01 |
#define EBT_802_3_TYPE 0x02 |
#define EBT_802_3_MATCH "802_3" |
/* |
* If frame has DSAP/SSAP value 0xaa you must check the SNAP type |
* to discover what kind of packet we're carrying. |
*/ |
#define CHECK_TYPE 0xaa |
/* |
* Control field may be one or two bytes. If the first byte has |
* the value 0x03 then the entire length is one byte, otherwise it is two. |
* One byte controls are used in Unnumbered Information frames. |
* Two byte controls are used in Numbered Information frames. |
*/ |
#define IS_UI 0x03 |
#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3) |
/* ui has one byte ctrl, ni has two */ |
struct hdr_ui { |
uint8_t dsap; |
uint8_t ssap; |
uint8_t ctrl; |
uint8_t orig[3]; |
uint16_t type; |
}; |
struct hdr_ni { |
uint8_t dsap; |
uint8_t ssap; |
uint16_t ctrl; |
uint8_t orig[3]; |
uint16_t type; |
}; |
struct ebt_802_3_hdr { |
uint8_t daddr[6]; |
uint8_t saddr[6]; |
uint16_t len; |
union { |
struct hdr_ui ui; |
struct hdr_ni ni; |
} llc; |
}; |
struct ebt_802_3_info |
{ |
uint8_t sap; |
uint16_t type; |
uint8_t bitmask; |
uint8_t invflags; |
}; |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_mark_t.h |
---|
0,0 → 1,12 |
#ifndef __LINUX_BRIDGE_EBT_MARK_T_H |
#define __LINUX_BRIDGE_EBT_MARK_T_H |
struct ebt_mark_t_info |
{ |
unsigned long mark; |
/* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ |
int target; |
}; |
#define EBT_MARK_TARGET "mark" |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_arpreply.h |
---|
0,0 → 1,11 |
#ifndef __LINUX_BRIDGE_EBT_ARPREPLY_H |
#define __LINUX_BRIDGE_EBT_ARPREPLY_H |
struct ebt_arpreply_info |
{ |
unsigned char mac[ETH_ALEN]; |
int target; |
}; |
#define EBT_ARPREPLY_TARGET "arpreply" |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_limit.h |
---|
0,0 → 1,23 |
#ifndef __LINUX_BRIDGE_EBT_LIMIT_H |
#define __LINUX_BRIDGE_EBT_LIMIT_H |
#define EBT_LIMIT_MATCH "limit" |
/* timings are in milliseconds. */ |
#define EBT_LIMIT_SCALE 10000 |
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 |
seconds, or one every 59 hours. */ |
struct ebt_limit_info |
{ |
u_int32_t avg; /* Average secs between packets * scale */ |
u_int32_t burst; /* Period multiplier for upper limit. */ |
/* Used internally by the kernel */ |
unsigned long prev; |
u_int32_t credit; |
u_int32_t credit_cap, cost; |
}; |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_esp.h |
---|
0,0 → 1,23 |
#ifndef _IP6T_ESP_H |
#define _IP6T_ESP_H |
struct ip6t_esp |
{ |
u_int32_t spis[2]; /* Security Parameter Index */ |
u_int8_t invflags; /* Inverse flags */ |
}; |
#define MASK_HOPOPTS 128 |
#define MASK_DSTOPTS 64 |
#define MASK_ROUTING 32 |
#define MASK_FRAGMENT 16 |
#define MASK_AH 8 |
#define MASK_ESP 4 |
#define MASK_NONE 2 |
#define MASK_PROTO 1 |
/* Values for "invflags" field in struct ip6t_esp. */ |
#define IP6T_ESP_INV_SPI 0x01 /* Invert the sense of spi. */ |
#define IP6T_ESP_INV_MASK 0x01 /* All possible flags. */ |
#endif /*_IP6T_ESP_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_ah.h |
---|
0,0 → 1,30 |
#ifndef _IP6T_AH_H |
#define _IP6T_AH_H |
struct ip6t_ah |
{ |
u_int32_t spis[2]; /* Security Parameter Index */ |
u_int32_t hdrlen; /* Header Length */ |
u_int8_t hdrres; /* Test of the Reserved Filed */ |
u_int8_t invflags; /* Inverse flags */ |
}; |
#define IP6T_AH_SPI 0x01 |
#define IP6T_AH_LEN 0x02 |
#define IP6T_AH_RES 0x04 |
/* Values for "invflags" field in struct ip6t_ah. */ |
#define IP6T_AH_INV_SPI 0x01 /* Invert the sense of spi. */ |
#define IP6T_AH_INV_LEN 0x02 /* Invert the sense of length. */ |
#define IP6T_AH_INV_MASK 0x03 /* All possible flags. */ |
#define MASK_HOPOPTS 128 |
#define MASK_DSTOPTS 64 |
#define MASK_ROUTING 32 |
#define MASK_FRAGMENT 16 |
#define MASK_AH 8 |
#define MASK_ESP 4 |
#define MASK_NONE 2 |
#define MASK_PROTO 1 |
#endif /*_IP6T_AH_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_mark.h |
---|
0,0 → 1,9 |
#ifndef _IP6T_MARK_H |
#define _IP6T_MARK_H |
struct ip6t_mark_info { |
unsigned long mark, mask; |
u_int8_t invert; |
}; |
#endif /*_IPT_MARK_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_owner.h |
---|
0,0 → 1,18 |
#ifndef _IP6T_OWNER_H |
#define _IP6T_OWNER_H |
/* match and invert flags */ |
#define IP6T_OWNER_UID 0x01 |
#define IP6T_OWNER_GID 0x02 |
#define IP6T_OWNER_PID 0x04 |
#define IP6T_OWNER_SID 0x08 |
struct ip6t_owner_info { |
uid_t uid; |
gid_t gid; |
pid_t pid; |
pid_t sid; |
u_int8_t match, invert; /* flags */ |
}; |
#endif /*_IPT_OWNER_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_MARK.h |
---|
0,0 → 1,8 |
#ifndef _IP6T_MARK_H_target |
#define _IP6T_MARK_H_target |
struct ip6t_mark_target_info { |
unsigned long mark; |
}; |
#endif /*_IPT_MARK_H_target*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_ipv6header.h |
---|
0,0 → 1,27 |
/* ipv6header match - matches IPv6 packets based |
on whether they contain certain headers */ |
/* Original idea: Brad Chapman |
* Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */ |
#ifndef __IPV6HEADER_H |
#define __IPV6HEADER_H |
struct ip6t_ipv6header_info |
{ |
u_int8_t matchflags; |
u_int8_t invflags; |
u_int8_t modeflag; |
}; |
#define MASK_HOPOPTS 128 |
#define MASK_DSTOPTS 64 |
#define MASK_ROUTING 32 |
#define MASK_FRAGMENT 16 |
#define MASK_AH 8 |
#define MASK_ESP 4 |
#define MASK_NONE 2 |
#define MASK_PROTO 1 |
#endif /* __IPV6HEADER_H */ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_multiport.h |
---|
0,0 → 1,21 |
#ifndef _IP6T_MULTIPORT_H |
#define _IP6T_MULTIPORT_H |
#include <linux/netfilter_ipv6/ip6_tables.h> |
enum ip6t_multiport_flags |
{ |
IP6T_MULTIPORT_SOURCE, |
IP6T_MULTIPORT_DESTINATION, |
IP6T_MULTIPORT_EITHER |
}; |
#define IP6T_MULTI_PORTS 15 |
/* Must fit inside union ip6t_matchinfo: 16 bytes */ |
struct ip6t_multiport |
{ |
u_int8_t flags; /* Type of comparison */ |
u_int8_t count; /* Number of ports */ |
u_int16_t ports[IP6T_MULTI_PORTS]; /* Ports */ |
}; |
#endif /*_IPT_MULTIPORT_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_mac.h |
---|
0,0 → 1,8 |
#ifndef _IP6T_MAC_H |
#define _IP6T_MAC_H |
struct ip6t_mac_info { |
unsigned char srcaddr[ETH_ALEN]; |
int invert; |
}; |
#endif /*_IPT_MAC_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_hl.h |
---|
0,0 → 1,22 |
/* ip6tables module for matching the Hop Limit value |
* Maciej Soltysiak <solt@dns.toxicfilms.tv> |
* Based on HW's ttl module */ |
#ifndef _IP6T_HL_H |
#define _IP6T_HL_H |
enum { |
IP6T_HL_EQ = 0, /* equals */ |
IP6T_HL_NE, /* not equals */ |
IP6T_HL_LT, /* less than */ |
IP6T_HL_GT, /* greater than */ |
}; |
struct ip6t_hl_info { |
u_int8_t mode; |
u_int8_t hop_limit; |
}; |
#endif |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_REJECT.h |
---|
0,0 → 1,16 |
#ifndef _IP6T_REJECT_H |
#define _IP6T_REJECT_H |
enum ip6t_reject_with { |
IP6T_ICMP_NET_UNREACHABLE, |
IP6T_ICMP_HOST_UNREACHABLE, |
IP6T_ICMP_PROT_UNREACHABLE, |
IP6T_ICMP_PORT_UNREACHABLE, |
IP6T_ICMP_ECHOREPLY |
}; |
struct ip6t_reject_info { |
enum ip6t_reject_with with; /* reject type */ |
}; |
#endif /*_IPT_REJECT_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_limit.h |
---|
0,0 → 1,21 |
#ifndef _IP6T_RATE_H |
#define _IP6T_RATE_H |
/* timings are in milliseconds. */ |
#define IP6T_LIMIT_SCALE 10000 |
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 |
seconds, or one every 59 hours. */ |
struct ip6t_rateinfo { |
u_int32_t avg; /* Average secs between packets * scale */ |
u_int32_t burst; /* Period multiplier for upper limit. */ |
/* Used internally by the kernel */ |
unsigned long prev; |
u_int32_t credit; |
u_int32_t credit_cap, cost; |
/* Ugly, ugly fucker. */ |
struct ip6t_rateinfo *master; |
}; |
#endif /*_IPT_RATE_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_frag.h |
---|
0,0 → 1,33 |
#ifndef _IP6T_FRAG_H |
#define _IP6T_FRAG_H |
struct ip6t_frag |
{ |
u_int32_t ids[2]; /* Security Parameter Index */ |
u_int32_t hdrlen; /* Header Length */ |
u_int8_t flags; /* */ |
u_int8_t invflags; /* Inverse flags */ |
}; |
#define IP6T_FRAG_IDS 0x01 |
#define IP6T_FRAG_LEN 0x02 |
#define IP6T_FRAG_RES 0x04 |
#define IP6T_FRAG_FST 0x08 |
#define IP6T_FRAG_MF 0x10 |
#define IP6T_FRAG_NMF 0x20 |
/* Values for "invflags" field in struct ip6t_frag. */ |
#define IP6T_FRAG_INV_IDS 0x01 /* Invert the sense of ids. */ |
#define IP6T_FRAG_INV_LEN 0x02 /* Invert the sense of length. */ |
#define IP6T_FRAG_INV_MASK 0x03 /* All possible flags. */ |
#define MASK_HOPOPTS 128 |
#define MASK_DSTOPTS 64 |
#define MASK_ROUTING 32 |
#define MASK_FRAGMENT 16 |
#define MASK_AH 8 |
#define MASK_ESP 4 |
#define MASK_NONE 2 |
#define MASK_PROTO 1 |
#endif /*_IP6T_FRAG_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_LOG.h |
---|
0,0 → 1,15 |
#ifndef _IP6T_LOG_H |
#define _IP6T_LOG_H |
#define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ |
#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */ |
#define IP6T_LOG_IPOPT 0x04 /* Log IP options */ |
#define IP6T_LOG_MASK 0x07 |
struct ip6t_log_info { |
unsigned char level; |
unsigned char logflags; |
char prefix[30]; |
}; |
#endif /*_IPT_LOG_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_length.h |
---|
0,0 → 1,10 |
#ifndef _IP6T_LENGTH_H |
#define _IP6T_LENGTH_H |
struct ip6t_length_info { |
u_int16_t min, max; |
u_int8_t invert; |
}; |
#endif /*_IP6T_LENGTH_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_rt.h |
---|
0,0 → 1,42 |
#ifndef _IP6T_RT_H |
#define _IP6T_RT_H |
/*#include <linux/in6.h>*/ |
#define IP6T_RT_HOPS 16 |
struct ip6t_rt |
{ |
u_int32_t rt_type; /* Routing Type */ |
u_int32_t segsleft[2]; /* Segments Left */ |
u_int32_t hdrlen; /* Header Length */ |
u_int8_t flags; /* */ |
u_int8_t invflags; /* Inverse flags */ |
struct in6_addr addrs[IP6T_RT_HOPS]; /* Hops */ |
u_int8_t addrnr; /* Nr of Addresses */ |
}; |
#define IP6T_RT_TYP 0x01 |
#define IP6T_RT_SGS 0x02 |
#define IP6T_RT_LEN 0x04 |
#define IP6T_RT_RES 0x08 |
#define IP6T_RT_FST_MASK 0x30 |
#define IP6T_RT_FST 0x10 |
#define IP6T_RT_FST_NSTRICT 0x20 |
/* Values for "invflags" field in struct ip6t_rt. */ |
#define IP6T_RT_INV_TYP 0x01 /* Invert the sense of type. */ |
#define IP6T_RT_INV_SGS 0x02 /* Invert the sense of Segments. */ |
#define IP6T_RT_INV_LEN 0x04 /* Invert the sense of length. */ |
#define IP6T_RT_INV_MASK 0x07 /* All possible flags. */ |
#define MASK_HOPOPTS 128 |
#define MASK_DSTOPTS 64 |
#define MASK_ROUTING 32 |
#define MASK_FRAGMENT 16 |
#define MASK_AH 8 |
#define MASK_ESP 4 |
#define MASK_NONE 2 |
#define MASK_PROTO 1 |
#endif /*_IP6T_RT_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_opts.h |
---|
0,0 → 1,32 |
#ifndef _IP6T_OPTS_H |
#define _IP6T_OPTS_H |
#define IP6T_OPTS_OPTSNR 16 |
struct ip6t_opts |
{ |
u_int32_t hdrlen; /* Header Length */ |
u_int8_t flags; /* */ |
u_int8_t invflags; /* Inverse flags */ |
u_int16_t opts[IP6T_OPTS_OPTSNR]; /* opts */ |
u_int8_t optsnr; /* Nr of OPts */ |
}; |
#define IP6T_OPTS_LEN 0x01 |
#define IP6T_OPTS_OPTS 0x02 |
#define IP6T_OPTS_NSTRICT 0x04 |
/* Values for "invflags" field in struct ip6t_rt. */ |
#define IP6T_OPTS_INV_LEN 0x01 /* Invert the sense of length. */ |
#define IP6T_OPTS_INV_MASK 0x01 /* All possible flags. */ |
#define MASK_HOPOPTS 128 |
#define MASK_DSTOPTS 64 |
#define MASK_ROUTING 32 |
#define MASK_FRAGMENT 16 |
#define MASK_AH 8 |
#define MASK_ESP 4 |
#define MASK_NONE 2 |
#define MASK_PROTO 1 |
#endif /*_IP6T_OPTS_H*/ |
/shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6_tables.h |
---|
0,0 → 1,458 |
/* |
* 25-Jul-1998 Major changes to allow for ip chain table |
* |
* 3-Jan-2000 Named tables to allow packet selection for different uses. |
*/ |
/* |
* Format of an IP6 firewall descriptor |
* |
* src, dst, src_mask, dst_mask are always stored in network byte order. |
* flags are stored in host byte order (of course). |
* Port numbers are stored in HOST byte order. |
*/ |
#ifndef _IP6_TABLES_H |
#define _IP6_TABLES_H |
#ifdef __KERNEL__ |
#include <linux/if.h> |
#include <linux/types.h> |
#include <linux/in6.h> |
#include <linux/ipv6.h> |
#include <linux/skbuff.h> |
#endif |
#include <linux/netfilter_ipv6.h> |
#define IP6T_FUNCTION_MAXNAMELEN 30 |
#define IP6T_TABLE_MAXNAMELEN 32 |
/* Yes, Virginia, you have to zero the padding. */ |
struct ip6t_ip6 { |
/* Source and destination IP6 addr */ |
struct in6_addr src, dst; |
/* Mask for src and dest IP6 addr */ |
struct in6_addr smsk, dmsk; |
char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; |
unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; |
/* ARGH, HopByHop uses 0, so can't do 0 = ANY, |
instead IP6T_F_NOPROTO must be set */ |
u_int16_t proto; |
/* TOS to match iff flags & IP6T_F_TOS */ |
u_int8_t tos; |
/* Flags word */ |
u_int8_t flags; |
/* Inverse flags */ |
u_int8_t invflags; |
}; |
/* FIXME: If alignment in kernel different from userspace? --RR */ |
struct ip6t_entry_match |
{ |
union { |
struct { |
u_int16_t match_size; |
/* Used by userspace */ |
char name[IP6T_FUNCTION_MAXNAMELEN]; |
} user; |
struct { |
u_int16_t match_size; |
/* Used inside the kernel */ |
struct ip6t_match *match; |
} kernel; |
/* Total length */ |
u_int16_t match_size; |
} u; |
unsigned char data[0]; |
}; |
struct ip6t_entry_target |
{ |
union { |
struct { |
u_int16_t target_size; |
/* Used by userspace */ |
char name[IP6T_FUNCTION_MAXNAMELEN]; |
} user; |
struct { |
u_int16_t target_size; |
/* Used inside the kernel */ |
struct ip6t_target *target; |
} kernel; |
/* Total length */ |
u_int16_t target_size; |
} u; |
unsigned char data[0]; |
}; |
struct ip6t_standard_target |
{ |
struct ip6t_entry_target target; |
int verdict; |
}; |
struct ip6t_counters |
{ |
u_int64_t pcnt, bcnt; /* Packet and byte counters */ |
}; |
/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ |
#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper |
protocols */ |
#define IP6T_F_TOS 0x02 /* Match the TOS. */ |
#define IP6T_F_MASK 0x03 /* All possible flag bits mask. */ |
/* Values for "inv" field in struct ip6t_ip6. */ |
#define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ |
#define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ |
#define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */ |
#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ |
#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ |
#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */ |
#define IP6T_INV_PROTO 0x40 /* Invert the sense of PROTO. */ |
#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */ |
/* This structure defines each of the firewall rules. Consists of 3 |
parts which are 1) general IP header stuff 2) match specific |
stuff 3) the target to perform if the rule matches */ |
struct ip6t_entry |
{ |
struct ip6t_ip6 ipv6; |
/* Mark with fields that we care about. */ |
unsigned int nfcache; |
/* Size of ipt_entry + matches */ |
u_int16_t target_offset; |
/* Size of ipt_entry + matches + target */ |
u_int16_t next_offset; |
/* Back pointer */ |
unsigned int comefrom; |
/* Packet and byte counters. */ |
struct ip6t_counters counters; |
/* The matches (if any), then the target. */ |
unsigned char elems[0]; |
}; |
/* |
* New IP firewall options for [gs]etsockopt at the RAW IP level. |
* Unlike BSD Linux inherits IP options so you don't have to use |
* a raw socket for this. Instead we check rights in the calls. */ |
#define IP6T_BASE_CTL 64 /* base for firewall socket options */ |
#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL) |
#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1) |
#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS |
#define IP6T_SO_GET_INFO (IP6T_BASE_CTL) |
#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1) |
#define IP6T_SO_GET_MAX IP6T_SO_GET_ENTRIES |
/* CONTINUE verdict for targets */ |
#define IP6T_CONTINUE 0xFFFFFFFF |
/* For standard target */ |
#define IP6T_RETURN (-NF_MAX_VERDICT - 1) |
/* TCP matching stuff */ |
struct ip6t_tcp |
{ |
u_int16_t spts[2]; /* Source port range. */ |
u_int16_t dpts[2]; /* Destination port range. */ |
u_int8_t option; /* TCP Option iff non-zero*/ |
u_int8_t flg_mask; /* TCP flags mask byte */ |
u_int8_t flg_cmp; /* TCP flags compare byte */ |
u_int8_t invflags; /* Inverse flags */ |
}; |
/* Values for "inv" field in struct ipt_tcp. */ |
#define IP6T_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ |
#define IP6T_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ |
#define IP6T_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */ |
#define IP6T_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */ |
#define IP6T_TCP_INV_MASK 0x0F /* All possible flags. */ |
/* UDP matching stuff */ |
struct ip6t_udp |
{ |
u_int16_t spts[2]; /* Source port range. */ |
u_int16_t dpts[2]; /* Destination port range. */ |
u_int8_t invflags; /* Inverse flags */ |
}; |
/* Values for "invflags" field in struct ipt_udp. */ |
#define IP6T_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ |
#define IP6T_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ |
#define IP6T_UDP_INV_MASK 0x03 /* All possible flags. */ |
/* ICMP matching stuff */ |
struct ip6t_icmp |
{ |
u_int8_t type; /* type to match */ |
u_int8_t code[2]; /* range of code */ |
u_int8_t invflags; /* Inverse flags */ |
}; |
/* Values for "inv" field for struct ipt_icmp. */ |
#define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ |
/* The argument to IP6T_SO_GET_INFO */ |
struct ip6t_getinfo |
{ |
/* Which table: caller fills this in. */ |
char name[IP6T_TABLE_MAXNAMELEN]; |
/* Kernel fills these in. */ |
/* Which hook entry points are valid: bitmask */ |
unsigned int valid_hooks; |
/* Hook entry points: one per netfilter hook. */ |
unsigned int hook_entry[NF_IP6_NUMHOOKS]; |
/* Underflow points. */ |
unsigned int underflow[NF_IP6_NUMHOOKS]; |
/* Number of entries */ |
unsigned int num_entries; |
/* Size of entries. */ |
unsigned int size; |
}; |
/* The argument to IP6T_SO_SET_REPLACE. */ |
struct ip6t_replace |
{ |
/* Which table. */ |
char name[IP6T_TABLE_MAXNAMELEN]; |
/* Which hook entry points are valid: bitmask. You can't |
change this. */ |
unsigned int valid_hooks; |
/* Number of entries */ |
unsigned int num_entries; |
/* Total size of new entries */ |
unsigned int size; |
/* Hook entry points. */ |
unsigned int hook_entry[NF_IP6_NUMHOOKS]; |
/* Underflow points. */ |
unsigned int underflow[NF_IP6_NUMHOOKS]; |
/* Information about old entries: */ |
/* Number of counters (must be equal to current number of entries). */ |
unsigned int num_counters; |
/* The old entries' counters. */ |
struct ip6t_counters *counters; |
/* The entries (hang off end: not really an array). */ |
struct ip6t_entry entries[0]; |
}; |
/* The argument to IP6T_SO_ADD_COUNTERS. */ |
struct ip6t_counters_info |
{ |
/* Which table. */ |
char name[IP6T_TABLE_MAXNAMELEN]; |
unsigned int num_counters; |
/* The counters (actually `number' of these). */ |
struct ip6t_counters counters[0]; |
}; |
/* The argument to IP6T_SO_GET_ENTRIES. */ |
struct ip6t_get_entries |
{ |
/* Which table: user fills this in. */ |
char name[IP6T_TABLE_MAXNAMELEN]; |
/* User fills this in: total entry size. */ |
unsigned int size; |
/* The entries. */ |
struct ip6t_entry entrytable[0]; |
}; |
/* Standard return verdict, or do jump. */ |
#define IP6T_STANDARD_TARGET "" |
/* Error verdict. */ |
#define IP6T_ERROR_TARGET "ERROR" |
/* Helper functions */ |
static __inline__ struct ip6t_entry_target * |
ip6t_get_target(struct ip6t_entry *e) |
{ |
return (void *)e + e->target_offset; |
} |
/* fn returns 0 to continue iteration */ |
#define IP6T_MATCH_ITERATE(e, fn, args...) \ |
({ \ |
unsigned int __i; \ |
int __ret = 0; \ |
struct ip6t_entry_match *__m; \ |
\ |
for (__i = sizeof(struct ip6t_entry); \ |
__i < (e)->target_offset; \ |
__i += __m->u.match_size) { \ |
__m = (void *)(e) + __i; \ |
\ |
__ret = fn(__m , ## args); \ |
if (__ret != 0) \ |
break; \ |
} \ |
__ret; \ |
}) |
/* fn returns 0 to continue iteration */ |
#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \ |
({ \ |
unsigned int __i; \ |
int __ret = 0; \ |
struct ip6t_entry *__e; \ |
\ |
for (__i = 0; __i < (size); __i += __e->next_offset) { \ |
__e = (void *)(entries) + __i; \ |
\ |
__ret = fn(__e , ## args); \ |
if (__ret != 0) \ |
break; \ |
} \ |
__ret; \ |
}) |
/* |
* Main firewall chains definitions and global var's definitions. |
*/ |
#ifdef __KERNEL__ |
#include <linux/init.h> |
extern void ip6t_init(void) __init; |
struct ip6t_match |
{ |
struct list_head list; |
const char name[IP6T_FUNCTION_MAXNAMELEN]; |
/* Return true or false: return FALSE and set *hotdrop = 1 to |
force immediate packet drop. */ |
int (*match)(const struct sk_buff *skb, |
const struct net_device *in, |
const struct net_device *out, |
const void *matchinfo, |
int offset, |
const void *hdr, |
u_int16_t datalen, |
int *hotdrop); |
/* Called when user tries to insert an entry of this type. */ |
/* Should return true or false. */ |
int (*checkentry)(const char *tablename, |
const struct ip6t_ip6 *ip, |
void *matchinfo, |
unsigned int matchinfosize, |
unsigned int hook_mask); |
/* Called when entry of this type deleted. */ |
void (*destroy)(void *matchinfo, unsigned int matchinfosize); |
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
struct module *me; |
}; |
/* Registration hooks for targets. */ |
struct ip6t_target |
{ |
struct list_head list; |
const char name[IP6T_FUNCTION_MAXNAMELEN]; |
/* Returns verdict. */ |
unsigned int (*target)(struct sk_buff **pskb, |
unsigned int hooknum, |
const struct net_device *in, |
const struct net_device *out, |
const void *targinfo, |
void *userdata); |
/* Called when user tries to insert an entry of this type: |
hook_mask is a bitmask of hooks from which it can be |
called. */ |
/* Should return true or false. */ |
int (*checkentry)(const char *tablename, |
const struct ip6t_entry *e, |
void *targinfo, |
unsigned int targinfosize, |
unsigned int hook_mask); |
/* Called when entry of this type deleted. */ |
void (*destroy)(void *targinfo, unsigned int targinfosize); |
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
struct module *me; |
}; |
extern int ip6t_register_target(struct ip6t_target *target); |
extern void ip6t_unregister_target(struct ip6t_target *target); |
extern int ip6t_register_match(struct ip6t_match *match); |
extern void ip6t_unregister_match(struct ip6t_match *match); |
/* Furniture shopping... */ |
struct ip6t_table |
{ |
struct list_head list; |
/* A unique name... */ |
char name[IP6T_TABLE_MAXNAMELEN]; |
/* Seed table: copied in register_table */ |
struct ip6t_replace *table; |
/* What hooks you will enter on */ |
unsigned int valid_hooks; |
/* Lock for the curtain */ |
rwlock_t lock; |
/* Man behind the curtain... */ |
struct ip6t_table_info *private; |
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
struct module *me; |
}; |
extern int ip6t_register_table(struct ip6t_table *table); |
extern void ip6t_unregister_table(struct ip6t_table *table); |
extern unsigned int ip6t_do_table(struct sk_buff **pskb, |
unsigned int hook, |
const struct net_device *in, |
const struct net_device *out, |
struct ip6t_table *table, |
void *userdata); |
/* Check for an extension */ |
extern int ip6t_ext_hdr(u8 nexthdr); |
#define IP6T_ALIGN(s) (((s) + (__alignof__(struct ip6t_entry)-1)) & ~(__alignof__(struct ip6t_entry)-1)) |
#endif /*__KERNEL__*/ |
#endif /* _IP6_TABLES_H */ |