| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_pkttype.h |
|---|
| 0,0 → 1,11 |
| #ifndef __LINUX_BRIDGE_EBT_PKTTYPE_H |
| #define __LINUX_BRIDGE_EBT_PKTTYPE_H |
| struct ebt_pkttype_info |
| { |
| uint8_t pkt_type; |
| uint8_t invert; |
| }; |
| #define EBT_PKTTYPE_MATCH "pkttype" |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_vlan.h |
|---|
| 0,0 → 1,20 |
| #ifndef __LINUX_BRIDGE_EBT_VLAN_H |
| #define __LINUX_BRIDGE_EBT_VLAN_H |
| #define EBT_VLAN_ID 0x01 |
| #define EBT_VLAN_PRIO 0x02 |
| #define EBT_VLAN_ENCAP 0x04 |
| #define EBT_VLAN_MASK (EBT_VLAN_ID | EBT_VLAN_PRIO | EBT_VLAN_ENCAP) |
| #define EBT_VLAN_MATCH "vlan" |
| struct ebt_vlan_info { |
| uint16_t id; /* VLAN ID {1-4095} */ |
| uint8_t prio; /* VLAN User Priority {0-7} */ |
| uint16_t encap; /* VLAN Encapsulated frame code {0-65535} */ |
| uint8_t bitmask; /* Args bitmask bit 1=1 - ID arg, |
| bit 2=1 User-Priority arg, bit 3=1 encap*/ |
| uint8_t invflags; /* Inverse bitmask bit 1=1 - inversed ID arg, |
| bit 2=1 - inversed Pirority arg */ |
| }; |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_log.h |
|---|
| 0,0 → 1,17 |
| #ifndef __LINUX_BRIDGE_EBT_LOG_H |
| #define __LINUX_BRIDGE_EBT_LOG_H |
| #define EBT_LOG_IP 0x01 /* if the frame is made by ip, log the ip information */ |
| #define EBT_LOG_ARP 0x02 |
| #define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP) |
| #define EBT_LOG_PREFIX_SIZE 30 |
| #define EBT_LOG_WATCHER "log" |
| struct ebt_log_info |
| { |
| uint8_t loglevel; |
| uint8_t prefix[EBT_LOG_PREFIX_SIZE]; |
| uint32_t bitmask; |
| }; |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_redirect.h |
|---|
| 0,0 → 1,11 |
| #ifndef __LINUX_BRIDGE_EBT_REDIRECT_H |
| #define __LINUX_BRIDGE_EBT_REDIRECT_H |
| struct ebt_redirect_info |
| { |
| /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ |
| int target; |
| }; |
| #define EBT_REDIRECT_TARGET "redirect" |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_among.h |
|---|
| 0,0 → 1,65 |
| #ifndef __LINUX_BRIDGE_EBT_AMONG_H |
| #define __LINUX_BRIDGE_EBT_AMONG_H |
| #define EBT_AMONG_DST 0x01 |
| #define EBT_AMONG_SRC 0x02 |
| /* Grzegorz Borowiak <grzes@gnu.univ.gda.pl> 2003 |
| * |
| * Write-once-read-many hash table, used for checking if a given |
| * MAC address belongs to a set or not and possibly for checking |
| * if it is related with a given IPv4 address. |
| * |
| * The hash value of an address is its last byte. |
| * |
| * In real-world ethernet addresses, values of the last byte are |
| * evenly distributed and there is no need to consider other bytes. |
| * It would only slow the routines down. |
| * |
| * For MAC address comparison speedup reasons, we introduce a trick. |
| * MAC address is mapped onto an array of two 32-bit integers. |
| * This pair of integers is compared with MAC addresses in the |
| * hash table, which are stored also in form of pairs of integers |
| * (in `cmp' array). This is quick as it requires only two elementary |
| * number comparisons in worst case. Further, we take advantage of |
| * fact that entropy of 3 last bytes of address is larger than entropy |
| * of 3 first bytes. So first we compare 4 last bytes of addresses and |
| * if they are the same we compare 2 first. |
| * |
| * Yes, it is a memory overhead, but in 2003 AD, who cares? |
| */ |
| struct ebt_mac_wormhash_tuple |
| { |
| uint32_t cmp[2]; |
| uint32_t ip; |
| }; |
| struct ebt_mac_wormhash |
| { |
| int table[257]; |
| int poolsize; |
| struct ebt_mac_wormhash_tuple pool[0]; |
| }; |
| #define ebt_mac_wormhash_size(x) ((x) ? sizeof(struct ebt_mac_wormhash) \ |
| + (x)->poolsize * sizeof(struct ebt_mac_wormhash_tuple) : 0) |
| struct ebt_among_info |
| { |
| int wh_dst_ofs; |
| int wh_src_ofs; |
| int bitmask; |
| }; |
| #define EBT_AMONG_DST_NEG 0x1 |
| #define EBT_AMONG_SRC_NEG 0x2 |
| #define ebt_among_wh_dst(x) ((x)->wh_dst_ofs ? \ |
| (struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_dst_ofs) : NULL) |
| #define ebt_among_wh_src(x) ((x)->wh_src_ofs ? \ |
| (struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_src_ofs) : NULL) |
| #define EBT_AMONG_MATCH "among" |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_arp.h |
|---|
| 0,0 → 1,32 |
| #ifndef __LINUX_BRIDGE_EBT_ARP_H |
| #define __LINUX_BRIDGE_EBT_ARP_H |
| #define EBT_ARP_OPCODE 0x01 |
| #define EBT_ARP_HTYPE 0x02 |
| #define EBT_ARP_PTYPE 0x04 |
| #define EBT_ARP_SRC_IP 0x08 |
| #define EBT_ARP_DST_IP 0x10 |
| #define EBT_ARP_SRC_MAC 0x20 |
| #define EBT_ARP_DST_MAC 0x40 |
| #define EBT_ARP_MASK (EBT_ARP_OPCODE | EBT_ARP_HTYPE | EBT_ARP_PTYPE | \ |
| EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC) |
| #define EBT_ARP_MATCH "arp" |
| struct ebt_arp_info |
| { |
| uint16_t htype; |
| uint16_t ptype; |
| uint16_t opcode; |
| uint32_t saddr; |
| uint32_t smsk; |
| uint32_t daddr; |
| uint32_t dmsk; |
| unsigned char smaddr[ETH_ALEN]; |
| unsigned char smmsk[ETH_ALEN]; |
| unsigned char dmaddr[ETH_ALEN]; |
| unsigned char dmmsk[ETH_ALEN]; |
| uint8_t bitmask; |
| uint8_t invflags; |
| }; |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_nat.h |
|---|
| 0,0 → 1,13 |
| #ifndef __LINUX_BRIDGE_EBT_NAT_H |
| #define __LINUX_BRIDGE_EBT_NAT_H |
| struct ebt_nat_info |
| { |
| unsigned char mac[ETH_ALEN]; |
| /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ |
| int target; |
| }; |
| #define EBT_SNAT_TARGET "snat" |
| #define EBT_DNAT_TARGET "dnat" |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_mark_m.h |
|---|
| 0,0 → 1,15 |
| #ifndef __LINUX_BRIDGE_EBT_MARK_M_H |
| #define __LINUX_BRIDGE_EBT_MARK_M_H |
| #define EBT_MARK_AND 0x01 |
| #define EBT_MARK_OR 0x02 |
| #define EBT_MARK_MASK (EBT_MARK_AND | EBT_MARK_OR) |
| struct ebt_mark_m_info |
| { |
| unsigned long mark, mask; |
| uint8_t invert; |
| uint8_t bitmask; |
| }; |
| #define EBT_MARK_MATCH "mark_m" |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_stp.h |
|---|
| 0,0 → 1,46 |
| #ifndef __LINUX_BRIDGE_EBT_STP_H |
| #define __LINUX_BRIDGE_EBT_STP_H |
| #define EBT_STP_TYPE 0x0001 |
| #define EBT_STP_FLAGS 0x0002 |
| #define EBT_STP_ROOTPRIO 0x0004 |
| #define EBT_STP_ROOTADDR 0x0008 |
| #define EBT_STP_ROOTCOST 0x0010 |
| #define EBT_STP_SENDERPRIO 0x0020 |
| #define EBT_STP_SENDERADDR 0x0040 |
| #define EBT_STP_PORT 0x0080 |
| #define EBT_STP_MSGAGE 0x0100 |
| #define EBT_STP_MAXAGE 0x0200 |
| #define EBT_STP_HELLOTIME 0x0400 |
| #define EBT_STP_FWDD 0x0800 |
| #define EBT_STP_MASK 0x0fff |
| #define EBT_STP_CONFIG_MASK 0x0ffe |
| #define EBT_STP_MATCH "stp" |
| struct ebt_stp_config_info |
| { |
| uint8_t flags; |
| uint16_t root_priol, root_priou; |
| char root_addr[6], root_addrmsk[6]; |
| uint32_t root_costl, root_costu; |
| uint16_t sender_priol, sender_priou; |
| char sender_addr[6], sender_addrmsk[6]; |
| uint16_t portl, portu; |
| uint16_t msg_agel, msg_ageu; |
| uint16_t max_agel, max_ageu; |
| uint16_t hello_timel, hello_timeu; |
| uint16_t forward_delayl, forward_delayu; |
| }; |
| struct ebt_stp_info |
| { |
| uint8_t type; |
| struct ebt_stp_config_info config; |
| uint16_t bitmask; |
| uint16_t invflags; |
| }; |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebtables.h |
|---|
| 0,0 → 1,363 |
| /* |
| * ebtables |
| * |
| * Authors: |
| * Bart De Schuymer <bdschuym@pandora.be> |
| * |
| * ebtables.c,v 2.0, April, 2002 |
| * |
| * This code is stongly inspired on the iptables code which is |
| * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling |
| */ |
| #ifndef __LINUX_BRIDGE_EFF_H |
| #define __LINUX_BRIDGE_EFF_H |
| #include <linux/if.h> |
| #include <linux/netfilter_bridge.h> |
| #include <linux/if_ether.h> |
| #define EBT_TABLE_MAXNAMELEN 32 |
| #define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN |
| #define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN |
| /* verdicts >0 are "branches" */ |
| #define EBT_ACCEPT -1 |
| #define EBT_DROP -2 |
| #define EBT_CONTINUE -3 |
| #define EBT_RETURN -4 |
| #define NUM_STANDARD_TARGETS 4 |
| struct ebt_counter |
| { |
| uint64_t pcnt; |
| uint64_t bcnt; |
| }; |
| struct ebt_replace |
| { |
| char name[EBT_TABLE_MAXNAMELEN]; |
| unsigned int valid_hooks; |
| /* nr of rules in the table */ |
| unsigned int nentries; |
| /* total size of the entries */ |
| unsigned int entries_size; |
| /* start of the chains */ |
| struct ebt_entries *hook_entry[NF_BR_NUMHOOKS]; |
| /* nr of counters userspace expects back */ |
| unsigned int num_counters; |
| /* where the kernel will put the old counters */ |
| struct ebt_counter *counters; |
| char *entries; |
| }; |
| struct ebt_entries { |
| /* this field is always set to zero |
| * See EBT_ENTRY_OR_ENTRIES. |
| * Must be same size as ebt_entry.bitmask */ |
| unsigned int distinguisher; |
| /* the chain name */ |
| char name[EBT_CHAIN_MAXNAMELEN]; |
| /* counter offset for this chain */ |
| unsigned int counter_offset; |
| /* one standard (accept, drop, return) per hook */ |
| int policy; |
| /* nr. of entries */ |
| unsigned int nentries; |
| /* entry list */ |
| char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
| }; |
| /* used for the bitmask of struct ebt_entry */ |
| /* This is a hack to make a difference between an ebt_entry struct and an |
| * ebt_entries struct when traversing the entries from start to end. |
| * Using this simplifies the code alot, while still being able to use |
| * ebt_entries. |
| * Contrary, iptables doesn't use something like ebt_entries and therefore uses |
| * different techniques for naming the policy and such. So, iptables doesn't |
| * need a hack like this. |
| */ |
| #define EBT_ENTRY_OR_ENTRIES 0x01 |
| /* these are the normal masks */ |
| #define EBT_NOPROTO 0x02 |
| #define EBT_802_3 0x04 |
| #define EBT_SOURCEMAC 0x08 |
| #define EBT_DESTMAC 0x10 |
| #define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \ |
| | EBT_ENTRY_OR_ENTRIES) |
| #define EBT_IPROTO 0x01 |
| #define EBT_IIN 0x02 |
| #define EBT_IOUT 0x04 |
| #define EBT_ISOURCE 0x8 |
| #define EBT_IDEST 0x10 |
| #define EBT_ILOGICALIN 0x20 |
| #define EBT_ILOGICALOUT 0x40 |
| #define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ |
| | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) |
| struct ebt_entry_match |
| { |
| union { |
| char name[EBT_FUNCTION_MAXNAMELEN]; |
| struct ebt_match *match; |
| } u; |
| /* size of data */ |
| unsigned int match_size; |
| unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
| }; |
| struct ebt_entry_watcher |
| { |
| union { |
| char name[EBT_FUNCTION_MAXNAMELEN]; |
| struct ebt_watcher *watcher; |
| } u; |
| /* size of data */ |
| unsigned int watcher_size; |
| unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
| }; |
| struct ebt_entry_target |
| { |
| union { |
| char name[EBT_FUNCTION_MAXNAMELEN]; |
| struct ebt_target *target; |
| } u; |
| /* size of data */ |
| unsigned int target_size; |
| unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
| }; |
| #define EBT_STANDARD_TARGET "standard" |
| struct ebt_standard_target |
| { |
| struct ebt_entry_target target; |
| int verdict; |
| }; |
| /* one entry */ |
| struct ebt_entry { |
| /* this needs to be the first field */ |
| unsigned int bitmask; |
| unsigned int invflags; |
| uint16_t ethproto; |
| /* the physical in-dev */ |
| char in[IFNAMSIZ]; |
| /* the logical in-dev */ |
| char logical_in[IFNAMSIZ]; |
| /* the physical out-dev */ |
| char out[IFNAMSIZ]; |
| /* the logical out-dev */ |
| char logical_out[IFNAMSIZ]; |
| unsigned char sourcemac[ETH_ALEN]; |
| unsigned char sourcemsk[ETH_ALEN]; |
| unsigned char destmac[ETH_ALEN]; |
| unsigned char destmsk[ETH_ALEN]; |
| /* sizeof ebt_entry + matches */ |
| unsigned int watchers_offset; |
| /* sizeof ebt_entry + matches + watchers */ |
| unsigned int target_offset; |
| /* sizeof ebt_entry + matches + watchers + target */ |
| unsigned int next_offset; |
| unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); |
| }; |
| /* {g,s}etsockopt numbers */ |
| #define EBT_BASE_CTL 128 |
| #define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) |
| #define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1) |
| #define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1) |
| #define EBT_SO_GET_INFO (EBT_BASE_CTL) |
| #define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1) |
| #define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1) |
| #define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1) |
| #define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1) |
| #ifdef __KERNEL__ |
| /* return values for match() functions */ |
| #define EBT_MATCH 0 |
| #define EBT_NOMATCH 1 |
| struct ebt_match |
| { |
| struct list_head list; |
| const char name[EBT_FUNCTION_MAXNAMELEN]; |
| /* 0 == it matches */ |
| int (*match)(const struct sk_buff *skb, const struct net_device *in, |
| const struct net_device *out, const void *matchdata, |
| unsigned int datalen); |
| /* 0 == let it in */ |
| int (*check)(const char *tablename, unsigned int hookmask, |
| const struct ebt_entry *e, void *matchdata, unsigned int datalen); |
| void (*destroy)(void *matchdata, unsigned int datalen); |
| struct module *me; |
| }; |
| struct ebt_watcher |
| { |
| struct list_head list; |
| const char name[EBT_FUNCTION_MAXNAMELEN]; |
| void (*watcher)(const struct sk_buff *skb, const struct net_device *in, |
| const struct net_device *out, const void *watcherdata, |
| unsigned int datalen); |
| /* 0 == let it in */ |
| int (*check)(const char *tablename, unsigned int hookmask, |
| const struct ebt_entry *e, void *watcherdata, unsigned int datalen); |
| void (*destroy)(void *watcherdata, unsigned int datalen); |
| struct module *me; |
| }; |
| struct ebt_target |
| { |
| struct list_head list; |
| const char name[EBT_FUNCTION_MAXNAMELEN]; |
| /* returns one of the standard verdicts */ |
| int (*target)(struct sk_buff **pskb, unsigned int hooknr, |
| const struct net_device *in, const struct net_device *out, |
| const void *targetdata, unsigned int datalen); |
| /* 0 == let it in */ |
| int (*check)(const char *tablename, unsigned int hookmask, |
| const struct ebt_entry *e, void *targetdata, unsigned int datalen); |
| void (*destroy)(void *targetdata, unsigned int datalen); |
| struct module *me; |
| }; |
| /* used for jumping from and into user defined chains (udc) */ |
| struct ebt_chainstack |
| { |
| struct ebt_entries *chaininfo; /* pointer to chain data */ |
| struct ebt_entry *e; /* pointer to entry data */ |
| unsigned int n; /* n'th entry */ |
| }; |
| struct ebt_table_info |
| { |
| /* total size of the entries */ |
| unsigned int entries_size; |
| unsigned int nentries; |
| /* pointers to the start of the chains */ |
| struct ebt_entries *hook_entry[NF_BR_NUMHOOKS]; |
| /* room to maintain the stack used for jumping from and into udc */ |
| struct ebt_chainstack **chainstack; |
| char *entries; |
| struct ebt_counter counters[0] ____cacheline_aligned; |
| }; |
| struct ebt_table |
| { |
| struct list_head list; |
| char name[EBT_TABLE_MAXNAMELEN]; |
| struct ebt_replace *table; |
| unsigned int valid_hooks; |
| rwlock_t lock; |
| /* e.g. could be the table explicitly only allows certain |
| * matches, targets, ... 0 == let it in */ |
| int (*check)(const struct ebt_table_info *info, |
| unsigned int valid_hooks); |
| /* the data used by the kernel */ |
| struct ebt_table_info *private; |
| struct module *me; |
| }; |
| #define EBT_ALIGN(s) (((s) + (__alignof__(struct ebt_replace)-1)) & \ |
| ~(__alignof__(struct ebt_replace)-1)) |
| extern int ebt_register_table(struct ebt_table *table); |
| extern void ebt_unregister_table(struct ebt_table *table); |
| extern int ebt_register_match(struct ebt_match *match); |
| extern void ebt_unregister_match(struct ebt_match *match); |
| extern int ebt_register_watcher(struct ebt_watcher *watcher); |
| extern void ebt_unregister_watcher(struct ebt_watcher *watcher); |
| extern int ebt_register_target(struct ebt_target *target); |
| extern void ebt_unregister_target(struct ebt_target *target); |
| extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff **pskb, |
| const struct net_device *in, const struct net_device *out, |
| struct ebt_table *table); |
| /* Used in the kernel match() functions */ |
| #define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg)) |
| /* True if the hook mask denotes that the rule is in a base chain, |
| * used in the check() functions */ |
| #define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS)) |
| /* Clear the bit in the hook mask that tells if the rule is on a base chain */ |
| #define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS)) |
| /* True if the target is not a standard target */ |
| #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0) |
| #endif /* __KERNEL__ */ |
| /* blatently stolen from ip_tables.h |
| * fn returns 0 to continue iteration */ |
| #define EBT_MATCH_ITERATE(e, fn, args...) \ |
| ({ \ |
| unsigned int __i; \ |
| int __ret = 0; \ |
| struct ebt_entry_match *__match; \ |
| \ |
| for (__i = sizeof(struct ebt_entry); \ |
| __i < (e)->watchers_offset; \ |
| __i += __match->match_size + \ |
| sizeof(struct ebt_entry_match)) { \ |
| __match = (void *)(e) + __i; \ |
| \ |
| __ret = fn(__match , ## args); \ |
| if (__ret != 0) \ |
| break; \ |
| } \ |
| if (__ret == 0) { \ |
| if (__i != (e)->watchers_offset) \ |
| __ret = -EINVAL; \ |
| } \ |
| __ret; \ |
| }) |
| #define EBT_WATCHER_ITERATE(e, fn, args...) \ |
| ({ \ |
| unsigned int __i; \ |
| int __ret = 0; \ |
| struct ebt_entry_watcher *__watcher; \ |
| \ |
| for (__i = e->watchers_offset; \ |
| __i < (e)->target_offset; \ |
| __i += __watcher->watcher_size + \ |
| sizeof(struct ebt_entry_watcher)) { \ |
| __watcher = (void *)(e) + __i; \ |
| \ |
| __ret = fn(__watcher , ## args); \ |
| if (__ret != 0) \ |
| break; \ |
| } \ |
| if (__ret == 0) { \ |
| if (__i != (e)->target_offset) \ |
| __ret = -EINVAL; \ |
| } \ |
| __ret; \ |
| }) |
| #define EBT_ENTRY_ITERATE(entries, size, fn, args...) \ |
| ({ \ |
| unsigned int __i; \ |
| int __ret = 0; \ |
| struct ebt_entry *__entry; \ |
| \ |
| for (__i = 0; __i < (size);) { \ |
| __entry = (void *)(entries) + __i; \ |
| __ret = fn(__entry , ## args); \ |
| if (__ret != 0) \ |
| break; \ |
| if (__entry->bitmask != 0) \ |
| __i += __entry->next_offset; \ |
| else \ |
| __i += sizeof(struct ebt_entries); \ |
| } \ |
| if (__ret == 0) { \ |
| if (__i != (size)) \ |
| __ret = -EINVAL; \ |
| } \ |
| __ret; \ |
| }) |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_ip.h |
|---|
| 0,0 → 1,43 |
| /* |
| * ebt_ip |
| * |
| * Authors: |
| * Bart De Schuymer <bart.de.schuymer@pandora.be> |
| * |
| * April, 2002 |
| * |
| * Changes: |
| * added ip-sport and ip-dport |
| * Innominate Security Technologies AG <mhopf@innominate.com> |
| * September, 2002 |
| */ |
| #ifndef __LINUX_BRIDGE_EBT_IP_H |
| #define __LINUX_BRIDGE_EBT_IP_H |
| #define EBT_IP_SOURCE 0x01 |
| #define EBT_IP_DEST 0x02 |
| #define EBT_IP_TOS 0x04 |
| #define EBT_IP_PROTO 0x08 |
| #define EBT_IP_SPORT 0x10 |
| #define EBT_IP_DPORT 0x20 |
| #define EBT_IP_MASK (EBT_IP_SOURCE | EBT_IP_DEST | EBT_IP_TOS | EBT_IP_PROTO |\ |
| EBT_IP_SPORT | EBT_IP_DPORT ) |
| #define EBT_IP_MATCH "ip" |
| /* the same values are used for the invflags */ |
| struct ebt_ip_info |
| { |
| uint32_t saddr; |
| uint32_t daddr; |
| uint32_t smsk; |
| uint32_t dmsk; |
| uint8_t tos; |
| uint8_t protocol; |
| uint8_t bitmask; |
| uint8_t invflags; |
| uint16_t sport[2]; |
| uint16_t dport[2]; |
| }; |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_802_3.h |
|---|
| 0,0 → 1,60 |
| #ifndef __LINUX_BRIDGE_EBT_802_3_H |
| #define __LINUX_BRIDGE_EBT_802_3_H |
| #define EBT_802_3_SAP 0x01 |
| #define EBT_802_3_TYPE 0x02 |
| #define EBT_802_3_MATCH "802_3" |
| /* |
| * If frame has DSAP/SSAP value 0xaa you must check the SNAP type |
| * to discover what kind of packet we're carrying. |
| */ |
| #define CHECK_TYPE 0xaa |
| /* |
| * Control field may be one or two bytes. If the first byte has |
| * the value 0x03 then the entire length is one byte, otherwise it is two. |
| * One byte controls are used in Unnumbered Information frames. |
| * Two byte controls are used in Numbered Information frames. |
| */ |
| #define IS_UI 0x03 |
| #define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3) |
| /* ui has one byte ctrl, ni has two */ |
| struct hdr_ui { |
| uint8_t dsap; |
| uint8_t ssap; |
| uint8_t ctrl; |
| uint8_t orig[3]; |
| uint16_t type; |
| }; |
| struct hdr_ni { |
| uint8_t dsap; |
| uint8_t ssap; |
| uint16_t ctrl; |
| uint8_t orig[3]; |
| uint16_t type; |
| }; |
| struct ebt_802_3_hdr { |
| uint8_t daddr[6]; |
| uint8_t saddr[6]; |
| uint16_t len; |
| union { |
| struct hdr_ui ui; |
| struct hdr_ni ni; |
| } llc; |
| }; |
| struct ebt_802_3_info |
| { |
| uint8_t sap; |
| uint16_t type; |
| uint8_t bitmask; |
| uint8_t invflags; |
| }; |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_mark_t.h |
|---|
| 0,0 → 1,12 |
| #ifndef __LINUX_BRIDGE_EBT_MARK_T_H |
| #define __LINUX_BRIDGE_EBT_MARK_T_H |
| struct ebt_mark_t_info |
| { |
| unsigned long mark; |
| /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ |
| int target; |
| }; |
| #define EBT_MARK_TARGET "mark" |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_arpreply.h |
|---|
| 0,0 → 1,11 |
| #ifndef __LINUX_BRIDGE_EBT_ARPREPLY_H |
| #define __LINUX_BRIDGE_EBT_ARPREPLY_H |
| struct ebt_arpreply_info |
| { |
| unsigned char mac[ETH_ALEN]; |
| int target; |
| }; |
| #define EBT_ARPREPLY_TARGET "arpreply" |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_bridge/ebt_limit.h |
|---|
| 0,0 → 1,23 |
| #ifndef __LINUX_BRIDGE_EBT_LIMIT_H |
| #define __LINUX_BRIDGE_EBT_LIMIT_H |
| #define EBT_LIMIT_MATCH "limit" |
| /* timings are in milliseconds. */ |
| #define EBT_LIMIT_SCALE 10000 |
| /* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 |
| seconds, or one every 59 hours. */ |
| struct ebt_limit_info |
| { |
| u_int32_t avg; /* Average secs between packets * scale */ |
| u_int32_t burst; /* Period multiplier for upper limit. */ |
| /* Used internally by the kernel */ |
| unsigned long prev; |
| u_int32_t credit; |
| u_int32_t credit_cap, cost; |
| }; |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_esp.h |
|---|
| 0,0 → 1,23 |
| #ifndef _IP6T_ESP_H |
| #define _IP6T_ESP_H |
| struct ip6t_esp |
| { |
| u_int32_t spis[2]; /* Security Parameter Index */ |
| u_int8_t invflags; /* Inverse flags */ |
| }; |
| #define MASK_HOPOPTS 128 |
| #define MASK_DSTOPTS 64 |
| #define MASK_ROUTING 32 |
| #define MASK_FRAGMENT 16 |
| #define MASK_AH 8 |
| #define MASK_ESP 4 |
| #define MASK_NONE 2 |
| #define MASK_PROTO 1 |
| /* Values for "invflags" field in struct ip6t_esp. */ |
| #define IP6T_ESP_INV_SPI 0x01 /* Invert the sense of spi. */ |
| #define IP6T_ESP_INV_MASK 0x01 /* All possible flags. */ |
| #endif /*_IP6T_ESP_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_ah.h |
|---|
| 0,0 → 1,30 |
| #ifndef _IP6T_AH_H |
| #define _IP6T_AH_H |
| struct ip6t_ah |
| { |
| u_int32_t spis[2]; /* Security Parameter Index */ |
| u_int32_t hdrlen; /* Header Length */ |
| u_int8_t hdrres; /* Test of the Reserved Filed */ |
| u_int8_t invflags; /* Inverse flags */ |
| }; |
| #define IP6T_AH_SPI 0x01 |
| #define IP6T_AH_LEN 0x02 |
| #define IP6T_AH_RES 0x04 |
| /* Values for "invflags" field in struct ip6t_ah. */ |
| #define IP6T_AH_INV_SPI 0x01 /* Invert the sense of spi. */ |
| #define IP6T_AH_INV_LEN 0x02 /* Invert the sense of length. */ |
| #define IP6T_AH_INV_MASK 0x03 /* All possible flags. */ |
| #define MASK_HOPOPTS 128 |
| #define MASK_DSTOPTS 64 |
| #define MASK_ROUTING 32 |
| #define MASK_FRAGMENT 16 |
| #define MASK_AH 8 |
| #define MASK_ESP 4 |
| #define MASK_NONE 2 |
| #define MASK_PROTO 1 |
| #endif /*_IP6T_AH_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_mark.h |
|---|
| 0,0 → 1,9 |
| #ifndef _IP6T_MARK_H |
| #define _IP6T_MARK_H |
| struct ip6t_mark_info { |
| unsigned long mark, mask; |
| u_int8_t invert; |
| }; |
| #endif /*_IPT_MARK_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_owner.h |
|---|
| 0,0 → 1,18 |
| #ifndef _IP6T_OWNER_H |
| #define _IP6T_OWNER_H |
| /* match and invert flags */ |
| #define IP6T_OWNER_UID 0x01 |
| #define IP6T_OWNER_GID 0x02 |
| #define IP6T_OWNER_PID 0x04 |
| #define IP6T_OWNER_SID 0x08 |
| struct ip6t_owner_info { |
| uid_t uid; |
| gid_t gid; |
| pid_t pid; |
| pid_t sid; |
| u_int8_t match, invert; /* flags */ |
| }; |
| #endif /*_IPT_OWNER_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_MARK.h |
|---|
| 0,0 → 1,8 |
| #ifndef _IP6T_MARK_H_target |
| #define _IP6T_MARK_H_target |
| struct ip6t_mark_target_info { |
| unsigned long mark; |
| }; |
| #endif /*_IPT_MARK_H_target*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_ipv6header.h |
|---|
| 0,0 → 1,27 |
| /* ipv6header match - matches IPv6 packets based |
| on whether they contain certain headers */ |
| /* Original idea: Brad Chapman |
| * Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */ |
| #ifndef __IPV6HEADER_H |
| #define __IPV6HEADER_H |
| struct ip6t_ipv6header_info |
| { |
| u_int8_t matchflags; |
| u_int8_t invflags; |
| u_int8_t modeflag; |
| }; |
| #define MASK_HOPOPTS 128 |
| #define MASK_DSTOPTS 64 |
| #define MASK_ROUTING 32 |
| #define MASK_FRAGMENT 16 |
| #define MASK_AH 8 |
| #define MASK_ESP 4 |
| #define MASK_NONE 2 |
| #define MASK_PROTO 1 |
| #endif /* __IPV6HEADER_H */ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_multiport.h |
|---|
| 0,0 → 1,21 |
| #ifndef _IP6T_MULTIPORT_H |
| #define _IP6T_MULTIPORT_H |
| #include <linux/netfilter_ipv6/ip6_tables.h> |
| enum ip6t_multiport_flags |
| { |
| IP6T_MULTIPORT_SOURCE, |
| IP6T_MULTIPORT_DESTINATION, |
| IP6T_MULTIPORT_EITHER |
| }; |
| #define IP6T_MULTI_PORTS 15 |
| /* Must fit inside union ip6t_matchinfo: 16 bytes */ |
| struct ip6t_multiport |
| { |
| u_int8_t flags; /* Type of comparison */ |
| u_int8_t count; /* Number of ports */ |
| u_int16_t ports[IP6T_MULTI_PORTS]; /* Ports */ |
| }; |
| #endif /*_IPT_MULTIPORT_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_mac.h |
|---|
| 0,0 → 1,8 |
| #ifndef _IP6T_MAC_H |
| #define _IP6T_MAC_H |
| struct ip6t_mac_info { |
| unsigned char srcaddr[ETH_ALEN]; |
| int invert; |
| }; |
| #endif /*_IPT_MAC_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_hl.h |
|---|
| 0,0 → 1,22 |
| /* ip6tables module for matching the Hop Limit value |
| * Maciej Soltysiak <solt@dns.toxicfilms.tv> |
| * Based on HW's ttl module */ |
| #ifndef _IP6T_HL_H |
| #define _IP6T_HL_H |
| enum { |
| IP6T_HL_EQ = 0, /* equals */ |
| IP6T_HL_NE, /* not equals */ |
| IP6T_HL_LT, /* less than */ |
| IP6T_HL_GT, /* greater than */ |
| }; |
| struct ip6t_hl_info { |
| u_int8_t mode; |
| u_int8_t hop_limit; |
| }; |
| #endif |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_REJECT.h |
|---|
| 0,0 → 1,16 |
| #ifndef _IP6T_REJECT_H |
| #define _IP6T_REJECT_H |
| enum ip6t_reject_with { |
| IP6T_ICMP_NET_UNREACHABLE, |
| IP6T_ICMP_HOST_UNREACHABLE, |
| IP6T_ICMP_PROT_UNREACHABLE, |
| IP6T_ICMP_PORT_UNREACHABLE, |
| IP6T_ICMP_ECHOREPLY |
| }; |
| struct ip6t_reject_info { |
| enum ip6t_reject_with with; /* reject type */ |
| }; |
| #endif /*_IPT_REJECT_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_limit.h |
|---|
| 0,0 → 1,21 |
| #ifndef _IP6T_RATE_H |
| #define _IP6T_RATE_H |
| /* timings are in milliseconds. */ |
| #define IP6T_LIMIT_SCALE 10000 |
| /* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 |
| seconds, or one every 59 hours. */ |
| struct ip6t_rateinfo { |
| u_int32_t avg; /* Average secs between packets * scale */ |
| u_int32_t burst; /* Period multiplier for upper limit. */ |
| /* Used internally by the kernel */ |
| unsigned long prev; |
| u_int32_t credit; |
| u_int32_t credit_cap, cost; |
| /* Ugly, ugly fucker. */ |
| struct ip6t_rateinfo *master; |
| }; |
| #endif /*_IPT_RATE_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_frag.h |
|---|
| 0,0 → 1,33 |
| #ifndef _IP6T_FRAG_H |
| #define _IP6T_FRAG_H |
| struct ip6t_frag |
| { |
| u_int32_t ids[2]; /* Security Parameter Index */ |
| u_int32_t hdrlen; /* Header Length */ |
| u_int8_t flags; /* */ |
| u_int8_t invflags; /* Inverse flags */ |
| }; |
| #define IP6T_FRAG_IDS 0x01 |
| #define IP6T_FRAG_LEN 0x02 |
| #define IP6T_FRAG_RES 0x04 |
| #define IP6T_FRAG_FST 0x08 |
| #define IP6T_FRAG_MF 0x10 |
| #define IP6T_FRAG_NMF 0x20 |
| /* Values for "invflags" field in struct ip6t_frag. */ |
| #define IP6T_FRAG_INV_IDS 0x01 /* Invert the sense of ids. */ |
| #define IP6T_FRAG_INV_LEN 0x02 /* Invert the sense of length. */ |
| #define IP6T_FRAG_INV_MASK 0x03 /* All possible flags. */ |
| #define MASK_HOPOPTS 128 |
| #define MASK_DSTOPTS 64 |
| #define MASK_ROUTING 32 |
| #define MASK_FRAGMENT 16 |
| #define MASK_AH 8 |
| #define MASK_ESP 4 |
| #define MASK_NONE 2 |
| #define MASK_PROTO 1 |
| #endif /*_IP6T_FRAG_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_LOG.h |
|---|
| 0,0 → 1,15 |
| #ifndef _IP6T_LOG_H |
| #define _IP6T_LOG_H |
| #define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ |
| #define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */ |
| #define IP6T_LOG_IPOPT 0x04 /* Log IP options */ |
| #define IP6T_LOG_MASK 0x07 |
| struct ip6t_log_info { |
| unsigned char level; |
| unsigned char logflags; |
| char prefix[30]; |
| }; |
| #endif /*_IPT_LOG_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_length.h |
|---|
| 0,0 → 1,10 |
| #ifndef _IP6T_LENGTH_H |
| #define _IP6T_LENGTH_H |
| struct ip6t_length_info { |
| u_int16_t min, max; |
| u_int8_t invert; |
| }; |
| #endif /*_IP6T_LENGTH_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_rt.h |
|---|
| 0,0 → 1,42 |
| #ifndef _IP6T_RT_H |
| #define _IP6T_RT_H |
| /*#include <linux/in6.h>*/ |
| #define IP6T_RT_HOPS 16 |
| struct ip6t_rt |
| { |
| u_int32_t rt_type; /* Routing Type */ |
| u_int32_t segsleft[2]; /* Segments Left */ |
| u_int32_t hdrlen; /* Header Length */ |
| u_int8_t flags; /* */ |
| u_int8_t invflags; /* Inverse flags */ |
| struct in6_addr addrs[IP6T_RT_HOPS]; /* Hops */ |
| u_int8_t addrnr; /* Nr of Addresses */ |
| }; |
| #define IP6T_RT_TYP 0x01 |
| #define IP6T_RT_SGS 0x02 |
| #define IP6T_RT_LEN 0x04 |
| #define IP6T_RT_RES 0x08 |
| #define IP6T_RT_FST_MASK 0x30 |
| #define IP6T_RT_FST 0x10 |
| #define IP6T_RT_FST_NSTRICT 0x20 |
| /* Values for "invflags" field in struct ip6t_rt. */ |
| #define IP6T_RT_INV_TYP 0x01 /* Invert the sense of type. */ |
| #define IP6T_RT_INV_SGS 0x02 /* Invert the sense of Segments. */ |
| #define IP6T_RT_INV_LEN 0x04 /* Invert the sense of length. */ |
| #define IP6T_RT_INV_MASK 0x07 /* All possible flags. */ |
| #define MASK_HOPOPTS 128 |
| #define MASK_DSTOPTS 64 |
| #define MASK_ROUTING 32 |
| #define MASK_FRAGMENT 16 |
| #define MASK_AH 8 |
| #define MASK_ESP 4 |
| #define MASK_NONE 2 |
| #define MASK_PROTO 1 |
| #endif /*_IP6T_RT_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6t_opts.h |
|---|
| 0,0 → 1,32 |
| #ifndef _IP6T_OPTS_H |
| #define _IP6T_OPTS_H |
| #define IP6T_OPTS_OPTSNR 16 |
| struct ip6t_opts |
| { |
| u_int32_t hdrlen; /* Header Length */ |
| u_int8_t flags; /* */ |
| u_int8_t invflags; /* Inverse flags */ |
| u_int16_t opts[IP6T_OPTS_OPTSNR]; /* opts */ |
| u_int8_t optsnr; /* Nr of OPts */ |
| }; |
| #define IP6T_OPTS_LEN 0x01 |
| #define IP6T_OPTS_OPTS 0x02 |
| #define IP6T_OPTS_NSTRICT 0x04 |
| /* Values for "invflags" field in struct ip6t_rt. */ |
| #define IP6T_OPTS_INV_LEN 0x01 /* Invert the sense of length. */ |
| #define IP6T_OPTS_INV_MASK 0x01 /* All possible flags. */ |
| #define MASK_HOPOPTS 128 |
| #define MASK_DSTOPTS 64 |
| #define MASK_ROUTING 32 |
| #define MASK_FRAGMENT 16 |
| #define MASK_AH 8 |
| #define MASK_ESP 4 |
| #define MASK_NONE 2 |
| #define MASK_PROTO 1 |
| #endif /*_IP6T_OPTS_H*/ |
| /shark/trunk/drivers/linuxc26/include/linux/netfilter_ipv6/ip6_tables.h |
|---|
| 0,0 → 1,458 |
| /* |
| * 25-Jul-1998 Major changes to allow for ip chain table |
| * |
| * 3-Jan-2000 Named tables to allow packet selection for different uses. |
| */ |
| /* |
| * Format of an IP6 firewall descriptor |
| * |
| * src, dst, src_mask, dst_mask are always stored in network byte order. |
| * flags are stored in host byte order (of course). |
| * Port numbers are stored in HOST byte order. |
| */ |
| #ifndef _IP6_TABLES_H |
| #define _IP6_TABLES_H |
| #ifdef __KERNEL__ |
| #include <linux/if.h> |
| #include <linux/types.h> |
| #include <linux/in6.h> |
| #include <linux/ipv6.h> |
| #include <linux/skbuff.h> |
| #endif |
| #include <linux/netfilter_ipv6.h> |
| #define IP6T_FUNCTION_MAXNAMELEN 30 |
| #define IP6T_TABLE_MAXNAMELEN 32 |
| /* Yes, Virginia, you have to zero the padding. */ |
| struct ip6t_ip6 { |
| /* Source and destination IP6 addr */ |
| struct in6_addr src, dst; |
| /* Mask for src and dest IP6 addr */ |
| struct in6_addr smsk, dmsk; |
| char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; |
| unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; |
| /* ARGH, HopByHop uses 0, so can't do 0 = ANY, |
| instead IP6T_F_NOPROTO must be set */ |
| u_int16_t proto; |
| /* TOS to match iff flags & IP6T_F_TOS */ |
| u_int8_t tos; |
| /* Flags word */ |
| u_int8_t flags; |
| /* Inverse flags */ |
| u_int8_t invflags; |
| }; |
| /* FIXME: If alignment in kernel different from userspace? --RR */ |
| struct ip6t_entry_match |
| { |
| union { |
| struct { |
| u_int16_t match_size; |
| /* Used by userspace */ |
| char name[IP6T_FUNCTION_MAXNAMELEN]; |
| } user; |
| struct { |
| u_int16_t match_size; |
| /* Used inside the kernel */ |
| struct ip6t_match *match; |
| } kernel; |
| /* Total length */ |
| u_int16_t match_size; |
| } u; |
| unsigned char data[0]; |
| }; |
| struct ip6t_entry_target |
| { |
| union { |
| struct { |
| u_int16_t target_size; |
| /* Used by userspace */ |
| char name[IP6T_FUNCTION_MAXNAMELEN]; |
| } user; |
| struct { |
| u_int16_t target_size; |
| /* Used inside the kernel */ |
| struct ip6t_target *target; |
| } kernel; |
| /* Total length */ |
| u_int16_t target_size; |
| } u; |
| unsigned char data[0]; |
| }; |
| struct ip6t_standard_target |
| { |
| struct ip6t_entry_target target; |
| int verdict; |
| }; |
| struct ip6t_counters |
| { |
| u_int64_t pcnt, bcnt; /* Packet and byte counters */ |
| }; |
| /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ |
| #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper |
| protocols */ |
| #define IP6T_F_TOS 0x02 /* Match the TOS. */ |
| #define IP6T_F_MASK 0x03 /* All possible flag bits mask. */ |
| /* Values for "inv" field in struct ip6t_ip6. */ |
| #define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ |
| #define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ |
| #define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */ |
| #define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ |
| #define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ |
| #define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */ |
| #define IP6T_INV_PROTO 0x40 /* Invert the sense of PROTO. */ |
| #define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */ |
| /* This structure defines each of the firewall rules. Consists of 3 |
| parts which are 1) general IP header stuff 2) match specific |
| stuff 3) the target to perform if the rule matches */ |
| struct ip6t_entry |
| { |
| struct ip6t_ip6 ipv6; |
| /* Mark with fields that we care about. */ |
| unsigned int nfcache; |
| /* Size of ipt_entry + matches */ |
| u_int16_t target_offset; |
| /* Size of ipt_entry + matches + target */ |
| u_int16_t next_offset; |
| /* Back pointer */ |
| unsigned int comefrom; |
| /* Packet and byte counters. */ |
| struct ip6t_counters counters; |
| /* The matches (if any), then the target. */ |
| unsigned char elems[0]; |
| }; |
| /* |
| * New IP firewall options for [gs]etsockopt at the RAW IP level. |
| * Unlike BSD Linux inherits IP options so you don't have to use |
| * a raw socket for this. Instead we check rights in the calls. */ |
| #define IP6T_BASE_CTL 64 /* base for firewall socket options */ |
| #define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL) |
| #define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1) |
| #define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS |
| #define IP6T_SO_GET_INFO (IP6T_BASE_CTL) |
| #define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1) |
| #define IP6T_SO_GET_MAX IP6T_SO_GET_ENTRIES |
| /* CONTINUE verdict for targets */ |
| #define IP6T_CONTINUE 0xFFFFFFFF |
| /* For standard target */ |
| #define IP6T_RETURN (-NF_MAX_VERDICT - 1) |
| /* TCP matching stuff */ |
| struct ip6t_tcp |
| { |
| u_int16_t spts[2]; /* Source port range. */ |
| u_int16_t dpts[2]; /* Destination port range. */ |
| u_int8_t option; /* TCP Option iff non-zero*/ |
| u_int8_t flg_mask; /* TCP flags mask byte */ |
| u_int8_t flg_cmp; /* TCP flags compare byte */ |
| u_int8_t invflags; /* Inverse flags */ |
| }; |
| /* Values for "inv" field in struct ipt_tcp. */ |
| #define IP6T_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ |
| #define IP6T_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ |
| #define IP6T_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */ |
| #define IP6T_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */ |
| #define IP6T_TCP_INV_MASK 0x0F /* All possible flags. */ |
| /* UDP matching stuff */ |
| struct ip6t_udp |
| { |
| u_int16_t spts[2]; /* Source port range. */ |
| u_int16_t dpts[2]; /* Destination port range. */ |
| u_int8_t invflags; /* Inverse flags */ |
| }; |
| /* Values for "invflags" field in struct ipt_udp. */ |
| #define IP6T_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ |
| #define IP6T_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ |
| #define IP6T_UDP_INV_MASK 0x03 /* All possible flags. */ |
| /* ICMP matching stuff */ |
| struct ip6t_icmp |
| { |
| u_int8_t type; /* type to match */ |
| u_int8_t code[2]; /* range of code */ |
| u_int8_t invflags; /* Inverse flags */ |
| }; |
| /* Values for "inv" field for struct ipt_icmp. */ |
| #define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ |
| /* The argument to IP6T_SO_GET_INFO */ |
| struct ip6t_getinfo |
| { |
| /* Which table: caller fills this in. */ |
| char name[IP6T_TABLE_MAXNAMELEN]; |
| /* Kernel fills these in. */ |
| /* Which hook entry points are valid: bitmask */ |
| unsigned int valid_hooks; |
| /* Hook entry points: one per netfilter hook. */ |
| unsigned int hook_entry[NF_IP6_NUMHOOKS]; |
| /* Underflow points. */ |
| unsigned int underflow[NF_IP6_NUMHOOKS]; |
| /* Number of entries */ |
| unsigned int num_entries; |
| /* Size of entries. */ |
| unsigned int size; |
| }; |
| /* The argument to IP6T_SO_SET_REPLACE. */ |
| struct ip6t_replace |
| { |
| /* Which table. */ |
| char name[IP6T_TABLE_MAXNAMELEN]; |
| /* Which hook entry points are valid: bitmask. You can't |
| change this. */ |
| unsigned int valid_hooks; |
| /* Number of entries */ |
| unsigned int num_entries; |
| /* Total size of new entries */ |
| unsigned int size; |
| /* Hook entry points. */ |
| unsigned int hook_entry[NF_IP6_NUMHOOKS]; |
| /* Underflow points. */ |
| unsigned int underflow[NF_IP6_NUMHOOKS]; |
| /* Information about old entries: */ |
| /* Number of counters (must be equal to current number of entries). */ |
| unsigned int num_counters; |
| /* The old entries' counters. */ |
| struct ip6t_counters *counters; |
| /* The entries (hang off end: not really an array). */ |
| struct ip6t_entry entries[0]; |
| }; |
| /* The argument to IP6T_SO_ADD_COUNTERS. */ |
| struct ip6t_counters_info |
| { |
| /* Which table. */ |
| char name[IP6T_TABLE_MAXNAMELEN]; |
| unsigned int num_counters; |
| /* The counters (actually `number' of these). */ |
| struct ip6t_counters counters[0]; |
| }; |
| /* The argument to IP6T_SO_GET_ENTRIES. */ |
| struct ip6t_get_entries |
| { |
| /* Which table: user fills this in. */ |
| char name[IP6T_TABLE_MAXNAMELEN]; |
| /* User fills this in: total entry size. */ |
| unsigned int size; |
| /* The entries. */ |
| struct ip6t_entry entrytable[0]; |
| }; |
| /* Standard return verdict, or do jump. */ |
| #define IP6T_STANDARD_TARGET "" |
| /* Error verdict. */ |
| #define IP6T_ERROR_TARGET "ERROR" |
| /* Helper functions */ |
| static __inline__ struct ip6t_entry_target * |
| ip6t_get_target(struct ip6t_entry *e) |
| { |
| return (void *)e + e->target_offset; |
| } |
| /* fn returns 0 to continue iteration */ |
| #define IP6T_MATCH_ITERATE(e, fn, args...) \ |
| ({ \ |
| unsigned int __i; \ |
| int __ret = 0; \ |
| struct ip6t_entry_match *__m; \ |
| \ |
| for (__i = sizeof(struct ip6t_entry); \ |
| __i < (e)->target_offset; \ |
| __i += __m->u.match_size) { \ |
| __m = (void *)(e) + __i; \ |
| \ |
| __ret = fn(__m , ## args); \ |
| if (__ret != 0) \ |
| break; \ |
| } \ |
| __ret; \ |
| }) |
| /* fn returns 0 to continue iteration */ |
| #define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \ |
| ({ \ |
| unsigned int __i; \ |
| int __ret = 0; \ |
| struct ip6t_entry *__e; \ |
| \ |
| for (__i = 0; __i < (size); __i += __e->next_offset) { \ |
| __e = (void *)(entries) + __i; \ |
| \ |
| __ret = fn(__e , ## args); \ |
| if (__ret != 0) \ |
| break; \ |
| } \ |
| __ret; \ |
| }) |
| /* |
| * Main firewall chains definitions and global var's definitions. |
| */ |
| #ifdef __KERNEL__ |
| #include <linux/init.h> |
| extern void ip6t_init(void) __init; |
| struct ip6t_match |
| { |
| struct list_head list; |
| const char name[IP6T_FUNCTION_MAXNAMELEN]; |
| /* Return true or false: return FALSE and set *hotdrop = 1 to |
| force immediate packet drop. */ |
| int (*match)(const struct sk_buff *skb, |
| const struct net_device *in, |
| const struct net_device *out, |
| const void *matchinfo, |
| int offset, |
| const void *hdr, |
| u_int16_t datalen, |
| int *hotdrop); |
| /* Called when user tries to insert an entry of this type. */ |
| /* Should return true or false. */ |
| int (*checkentry)(const char *tablename, |
| const struct ip6t_ip6 *ip, |
| void *matchinfo, |
| unsigned int matchinfosize, |
| unsigned int hook_mask); |
| /* Called when entry of this type deleted. */ |
| void (*destroy)(void *matchinfo, unsigned int matchinfosize); |
| /* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
| struct module *me; |
| }; |
| /* Registration hooks for targets. */ |
| struct ip6t_target |
| { |
| struct list_head list; |
| const char name[IP6T_FUNCTION_MAXNAMELEN]; |
| /* Returns verdict. */ |
| unsigned int (*target)(struct sk_buff **pskb, |
| unsigned int hooknum, |
| const struct net_device *in, |
| const struct net_device *out, |
| const void *targinfo, |
| void *userdata); |
| /* Called when user tries to insert an entry of this type: |
| hook_mask is a bitmask of hooks from which it can be |
| called. */ |
| /* Should return true or false. */ |
| int (*checkentry)(const char *tablename, |
| const struct ip6t_entry *e, |
| void *targinfo, |
| unsigned int targinfosize, |
| unsigned int hook_mask); |
| /* Called when entry of this type deleted. */ |
| void (*destroy)(void *targinfo, unsigned int targinfosize); |
| /* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
| struct module *me; |
| }; |
| extern int ip6t_register_target(struct ip6t_target *target); |
| extern void ip6t_unregister_target(struct ip6t_target *target); |
| extern int ip6t_register_match(struct ip6t_match *match); |
| extern void ip6t_unregister_match(struct ip6t_match *match); |
| /* Furniture shopping... */ |
| struct ip6t_table |
| { |
| struct list_head list; |
| /* A unique name... */ |
| char name[IP6T_TABLE_MAXNAMELEN]; |
| /* Seed table: copied in register_table */ |
| struct ip6t_replace *table; |
| /* What hooks you will enter on */ |
| unsigned int valid_hooks; |
| /* Lock for the curtain */ |
| rwlock_t lock; |
| /* Man behind the curtain... */ |
| struct ip6t_table_info *private; |
| /* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
| struct module *me; |
| }; |
| extern int ip6t_register_table(struct ip6t_table *table); |
| extern void ip6t_unregister_table(struct ip6t_table *table); |
| extern unsigned int ip6t_do_table(struct sk_buff **pskb, |
| unsigned int hook, |
| const struct net_device *in, |
| const struct net_device *out, |
| struct ip6t_table *table, |
| void *userdata); |
| /* Check for an extension */ |
| extern int ip6t_ext_hdr(u8 nexthdr); |
| #define IP6T_ALIGN(s) (((s) + (__alignof__(struct ip6t_entry)-1)) & ~(__alignof__(struct ip6t_entry)-1)) |
| #endif /*__KERNEL__*/ |
| #endif /* _IP6_TABLES_H */ |