diff options
Diffstat (limited to 'include/linux/netfilter/x_tables.h')
| -rw-r--r-- | include/linux/netfilter/x_tables.h | 50 |
1 files changed, 30 insertions, 20 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 84c7c92..eeb4884 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -1,9 +1,10 @@ #ifndef _X_TABLES_H #define _X_TABLES_H - +#include <linux/kernel.h> #include <linux/types.h> #define XT_FUNCTION_MAXNAMELEN 30 +#define XT_EXTENSION_MAXNAMELEN 29 #define XT_TABLE_MAXNAMELEN 32 struct xt_entry_match { @@ -12,8 +13,7 @@ struct xt_entry_match { __u16 match_size; /* Used by userspace */ - char name[XT_FUNCTION_MAXNAMELEN-1]; - + char name[XT_EXTENSION_MAXNAMELEN]; __u8 revision; } user; struct { @@ -36,8 +36,7 @@ struct xt_entry_target { __u16 target_size; /* Used by userspace */ - char name[XT_FUNCTION_MAXNAMELEN-1]; - + char name[XT_EXTENSION_MAXNAMELEN]; __u8 revision; } user; struct { @@ -70,8 +69,7 @@ struct xt_standard_target { /* The argument to IPT_SO_GET_REVISION_*. Returns highest revision * kernel supports, if >= revision. */ struct xt_get_revision { - char name[XT_FUNCTION_MAXNAMELEN-1]; - + char name[XT_EXTENSION_MAXNAMELEN]; __u8 revision; }; @@ -93,7 +91,7 @@ struct _xt_align { __u64 u64; }; -#define XT_ALIGN(s) ALIGN((s), __alignof__(struct _xt_align)) +#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) /* Standard return verdict, or do jump. */ #define XT_STANDARD_TARGET "" @@ -197,6 +195,7 @@ struct xt_counters_info { * @family: Actual NFPROTO_* through which the function is invoked * (helpful when match->family == NFPROTO_UNSPEC) * @hotdrop: drop packet if we had inspection problems + * Network namespace obtainable using dev_net(in/out) */ struct xt_match_param { const struct net_device *in, *out; @@ -213,12 +212,14 @@ struct xt_match_param { * struct xt_mtchk_param - parameters for match extensions' * checkentry functions * + * @net: network namespace through which the check was invoked * @table: table the rule is tried to be inserted into * @entryinfo: the family-specific rule data - * (struct ipt_ip, ip6t_ip, ebt_entry) + * (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry) * @match: struct xt_match through which this function was invoked * @matchinfo: per-match data * @hook_mask: via which hooks the new rule is reachable + * Other fields as above. */ struct xt_mtchk_param { struct net *net; @@ -230,7 +231,10 @@ struct xt_mtchk_param { u_int8_t family; }; -/* Match destructor parameters */ +/** + * struct xt_mdtor_param - match destructor parameters + * Fields as above. + */ struct xt_mtdtor_param { struct net *net; const struct xt_match *match; @@ -285,7 +289,7 @@ struct xt_tgdtor_param { struct xt_match { struct list_head list; - const char name[XT_FUNCTION_MAXNAMELEN-1]; + const char name[XT_EXTENSION_MAXNAMELEN]; u_int8_t revision; /* Return true or false: return FALSE and set *hotdrop = 1 to @@ -297,7 +301,7 @@ struct xt_match { const struct xt_match_param *); /* Called when user tries to insert an entry of this type. */ - bool (*checkentry)(const struct xt_mtchk_param *); + int (*checkentry)(const struct xt_mtchk_param *); /* Called when entry of this type deleted. */ void (*destroy)(const struct xt_mtdtor_param *); @@ -309,9 +313,6 @@ struct xt_match { /* Set this to THIS_MODULE if you are a module, otherwise NULL */ struct module *me; - /* Free to use by each match */ - unsigned long data; - const char *table; unsigned int matchsize; #ifdef CONFIG_COMPAT @@ -327,7 +328,8 @@ struct xt_match { struct xt_target { struct list_head list; - const char name[XT_FUNCTION_MAXNAMELEN-1]; + const char name[XT_EXTENSION_MAXNAMELEN]; + u_int8_t revision; /* Returns verdict. Argument order changed since 2.6.9, as this must now handle non-linear skbs, using skb_copy_bits and @@ -338,8 +340,8 @@ struct xt_target { /* Called when user tries to insert an entry of this type: hook_mask is a bitmask of hooks from which it can be called. */ - /* Should return true or false. */ - bool (*checkentry)(const struct xt_tgchk_param *); + /* Should return true or false, or an error code (-Exxxx). */ + int (*checkentry)(const struct xt_tgchk_param *); /* Called when entry of this type deleted. */ void (*destroy)(const struct xt_tgdtor_param *); @@ -360,7 +362,6 @@ struct xt_target { unsigned short proto; unsigned short family; - u_int8_t revision; }; /* Furniture shopping... */ @@ -398,6 +399,13 @@ struct xt_table_info { unsigned int hook_entry[NF_INET_NUMHOOKS]; unsigned int underflow[NF_INET_NUMHOOKS]; + /* + * Number of user chains. Since tables cannot have loops, at most + * @stacksize jumps (number of user chains) can possibly be made. + */ + unsigned int stacksize; + unsigned int *stackptr; + void ***jumpstack; /* ipt_entry tables: one per CPU */ /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */ void *entries[1]; @@ -433,6 +441,8 @@ extern struct xt_table_info *xt_replace_table(struct xt_table *table, extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision); extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision); +extern struct xt_match *xt_request_find_match(u8 af, const char *name, + u8 revision); extern struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision); extern int xt_find_revision(u8 af, const char *name, u8 revision, @@ -598,7 +608,7 @@ struct _compat_xt_align { compat_u64 u64; }; -#define COMPAT_XT_ALIGN(s) ALIGN((s), __alignof__(struct _compat_xt_align)) +#define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align)) extern void xt_compat_lock(u_int8_t af); extern void xt_compat_unlock(u_int8_t af); |
