From 0d502bcdbc97ed359e84f6a21dfa0049b3b60a6c Mon Sep 17 00:00:00 2001 From: Yasuyuki KOZAKAI Date: Tue, 24 Jul 2007 05:52:07 +0000 Subject: Introduces xtables match/target registration - moves lib_dir to xtables.c - introduces struct pfinfo which has protocol family dependent infomations. - unifies load_ip[6]tables_ko() and moves them as load_xtables_ko() - introduces xt_{match,match_rule,target,tryload} and replaces ip[6]t_* with them - unifies following functions and move them to xtables.c - find_{match,find_target} - compatible_revision, compatible_{match,target}_revision - introduces xtables_register_{match,target} and make register_{match,target}[6] call them. xtables_register_* register ONLY matches/targets matched protocol family Some concepts: - source compatibility for libip[6]t_xxx.c with warning on compilation not binary compatibility. - binary compatibility between 2.4/2.6 kernel and iptables/ip6tables, of cause. - xtables is enough to support only one address family at runtime. Then xtables keeps infomations of only the focused address famiy in struct afinfo. --- include/ip6tables.h | 142 ++---------------------------- include/iptables.h | 143 ++---------------------------- include/iptables_common.h | 2 - include/libiptc/libxtc.h | 35 ++++++++ include/linux/netfilter/x_tables.h | 123 ++++++++++++++++++++++++++ include/xtables.h | 173 +++++++++++++++++++++++++++++++++++++ 6 files changed, 342 insertions(+), 276 deletions(-) create mode 100644 include/libiptc/libxtc.h create mode 100644 include/linux/netfilter/x_tables.h (limited to 'include') diff --git a/include/ip6tables.h b/include/ip6tables.h index b6757a32..b9e364e9 100644 --- a/include/ip6tables.h +++ b/include/ip6tables.h @@ -1,6 +1,8 @@ #ifndef _IP6TABLES_USER_H #define _IP6TABLES_USER_H +#include + #include "iptables_common.h" #include "libiptc/libip6tc.h" @@ -21,129 +23,12 @@ #ifndef IP6T_SO_GET_REVISION_MATCH /* Old kernel source. */ #define IP6T_SO_GET_REVISION_MATCH 68 #define IP6T_SO_GET_REVISION_TARGET 69 - -struct ip6t_get_revision -{ - char name[IP6T_FUNCTION_MAXNAMELEN-1]; - - u_int8_t revision; -}; #endif /* IP6T_SO_GET_REVISION_MATCH Old kernel source */ -struct ip6tables_rule_match -{ - struct ip6tables_rule_match *next; - - struct ip6tables_match *match; - - /* Multiple matches of the same type: the ones before - the current one are completed from parsing point of view */ - unsigned int completed; -}; - -/* Include file for additions: new matches and targets. */ -struct ip6tables_match -{ - struct ip6tables_match *next; - - ip6t_chainlabel name; - - /* Revision of match (0 by default). */ - u_int8_t revision; - - const char *version; - - /* Size of match data. */ - size_t size; - - /* Size of match data relevent for userspace comparison purposes */ - size_t userspacesize; - - /* Function which prints out usage message. */ - void (*help)(void); - - /* Initialize the match. */ - void (*init)(struct ip6t_entry_match *m, unsigned int *nfcache); - - /* Function which parses command options; returns true if it - ate an option */ - int (*parse)(int c, char **argv, int invert, unsigned int *flags, - const struct ip6t_entry *entry, - unsigned int *nfcache, - struct ip6t_entry_match **match); - - /* Final check; exit if not ok. */ - void (*final_check)(unsigned int flags); - - /* Prints out the match iff non-NULL: put space at end */ - void (*print)(const struct ip6t_ip6 *ip, - const struct ip6t_entry_match *match, int numeric); - - /* Saves the union ipt_matchinfo in parsable form to stdout. */ - void (*save)(const struct ip6t_ip6 *ip, - const struct ip6t_entry_match *match); - - /* Pointer to list of extra command-line options */ - const struct option *extra_opts; - - /* Ignore these men behind the curtain: */ - unsigned int option_offset; - struct ip6t_entry_match *m; - unsigned int mflags; -#ifdef NO_SHARED_LIBS - unsigned int loaded; /* simulate loading so options are merged properly */ -#endif -}; - -struct ip6tables_target -{ - struct ip6tables_target *next; - - ip6t_chainlabel name; - - const char *version; - - /* Size of target data. */ - size_t size; - - /* Size of target data relevent for userspace comparison purposes */ - size_t userspacesize; - - /* Function which prints out usage message. */ - void (*help)(void); - - /* Initialize the target. */ - void (*init)(struct ip6t_entry_target *t, unsigned int *nfcache); - - /* Function which parses command options; returns true if it - ate an option */ - int (*parse)(int c, char **argv, int invert, unsigned int *flags, - const struct ip6t_entry *entry, - struct ip6t_entry_target **target); - - /* Final check; exit if not ok. */ - void (*final_check)(unsigned int flags); - - /* Prints out the target iff non-NULL: put space at end */ - void (*print)(const struct ip6t_ip6 *ip, - const struct ip6t_entry_target *target, int numeric); - - /* Saves the targinfo in parsable form to stdout. */ - void (*save)(const struct ip6t_ip6 *ip, - const struct ip6t_entry_target *target); - - /* Pointer to list of extra command-line options */ - struct option *extra_opts; - - /* Ignore these men behind the curtain: */ - unsigned int option_offset; - struct ip6t_entry_target *t; - unsigned int tflags; - unsigned int used; -#ifdef NO_SHARED_LIBS - unsigned int loaded; /* simulate loading so options are merged properly */ -#endif -}; +#define ip6tables_rule_match xtables_rule_match +#define ip6tables_match xtables_match +#define ip6tables_target xtables_target +#define ip6t_tryload xt_tryload extern int line; @@ -155,25 +40,10 @@ extern int service_to_port(const char *name, const char *proto); extern u_int16_t parse_port(const char *port, const char *proto); extern int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle); -/* Keeping track of external matches and targets: linked lists. */ -extern struct ip6tables_match *ip6tables_matches; -extern struct ip6tables_target *ip6tables_targets; - -enum ip6t_tryload { - DONT_LOAD, - DURING_LOAD, - TRY_LOAD, - LOAD_MUST_SUCCEED -}; - -extern struct ip6tables_target *find_target(const char *name, enum ip6t_tryload); -extern struct ip6tables_match *find_match(const char *name, enum ip6t_tryload, struct ip6tables_rule_match **match); - extern void parse_interface(const char *arg, char *vianame, unsigned char *mask); extern int for_each_chain(int (*fn)(const ip6t_chainlabel, int, ip6tc_handle_t *), int verbose, int builtinstoo, ip6tc_handle_t *handle); extern int flush_entries(const ip6t_chainlabel chain, int verbose, ip6tc_handle_t *handle); extern int delete_chain(const ip6t_chainlabel chain, int verbose, ip6tc_handle_t *handle); -extern int load_ip6tables_ko(const char *modprobe, int quiet); #endif /*_IP6TABLES_USER_H*/ diff --git a/include/iptables.h b/include/iptables.h index cd514284..9df1a297 100644 --- a/include/iptables.h +++ b/include/iptables.h @@ -1,6 +1,7 @@ #ifndef _IPTABLES_USER_H #define _IPTABLES_USER_H +#include "xtables.h" #include "iptables_common.h" #include "libiptc/libiptc.h" @@ -21,132 +22,12 @@ #ifndef IPT_SO_GET_REVISION_MATCH /* Old kernel source. */ #define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2) #define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) - -struct ipt_get_revision -{ - char name[IPT_FUNCTION_MAXNAMELEN-1]; - - u_int8_t revision; -}; #endif /* IPT_SO_GET_REVISION_MATCH Old kernel source */ -struct iptables_rule_match -{ - struct iptables_rule_match *next; - - struct iptables_match *match; - - /* Multiple matches of the same type: the ones before - the current one are completed from parsing point of view */ - unsigned int completed; -}; - -/* Include file for additions: new matches and targets. */ -struct iptables_match -{ - struct iptables_match *next; - - ipt_chainlabel name; - - /* Revision of match (0 by default). */ - u_int8_t revision; - - const char *version; - - /* Size of match data. */ - size_t size; - - /* Size of match data relevent for userspace comparison purposes */ - size_t userspacesize; - - /* Function which prints out usage message. */ - void (*help)(void); - - /* Initialize the match. */ - void (*init)(struct ipt_entry_match *m, unsigned int *nfcache); - - /* Function which parses command options; returns true if it - ate an option */ - int (*parse)(int c, char **argv, int invert, unsigned int *flags, - const struct ipt_entry *entry, - unsigned int *nfcache, - struct ipt_entry_match **match); - - /* Final check; exit if not ok. */ - void (*final_check)(unsigned int flags); - - /* Prints out the match iff non-NULL: put space at end */ - void (*print)(const struct ipt_ip *ip, - const struct ipt_entry_match *match, int numeric); - - /* Saves the match info in parsable form to stdout. */ - void (*save)(const struct ipt_ip *ip, - const struct ipt_entry_match *match); - - /* Pointer to list of extra command-line options */ - const struct option *extra_opts; - - /* Ignore these men behind the curtain: */ - unsigned int option_offset; - struct ipt_entry_match *m; - unsigned int mflags; -#ifdef NO_SHARED_LIBS - unsigned int loaded; /* simulate loading so options are merged properly */ -#endif -}; - -struct iptables_target -{ - struct iptables_target *next; - - ipt_chainlabel name; - - /* Revision of target (0 by default). */ - u_int8_t revision; - - const char *version; - - /* Size of target data. */ - size_t size; - - /* Size of target data relevent for userspace comparison purposes */ - size_t userspacesize; - - /* Function which prints out usage message. */ - void (*help)(void); - - /* Initialize the target. */ - void (*init)(struct ipt_entry_target *t, unsigned int *nfcache); - - /* Function which parses command options; returns true if it - ate an option */ - int (*parse)(int c, char **argv, int invert, unsigned int *flags, - const struct ipt_entry *entry, - struct ipt_entry_target **target); - - /* Final check; exit if not ok. */ - void (*final_check)(unsigned int flags); - - /* Prints out the target iff non-NULL: put space at end */ - void (*print)(const struct ipt_ip *ip, - const struct ipt_entry_target *target, int numeric); - - /* Saves the targinfo in parsable form to stdout. */ - void (*save)(const struct ipt_ip *ip, - const struct ipt_entry_target *target); - - /* Pointer to list of extra command-line options */ - struct option *extra_opts; - - /* Ignore these men behind the curtain: */ - unsigned int option_offset; - struct ipt_entry_target *t; - unsigned int tflags; - unsigned int used; -#ifdef NO_SHARED_LIBS - unsigned int loaded; /* simulate loading so options are merged properly */ -#endif -}; +#define iptables_rule_match xtables_rule_match +#define iptables_match xtables_match +#define iptables_target xtables_target +#define ipt_tryload xt_tryload extern int line; @@ -169,20 +50,6 @@ extern void parse_interface(const char *arg, char *vianame, unsigned char *mask) extern int do_command(int argc, char *argv[], char **table, iptc_handle_t *handle); -/* Keeping track of external matches and targets: linked lists. */ -extern struct iptables_match *iptables_matches; -extern struct iptables_target *iptables_targets; - -enum ipt_tryload { - DONT_LOAD, - DURING_LOAD, - TRY_LOAD, - LOAD_MUST_SUCCEED -}; - -extern struct iptables_target *find_target(const char *name, enum ipt_tryload); -extern struct iptables_match *find_match(const char *name, enum ipt_tryload, struct iptables_rule_match **match); - extern int delete_chain(const ipt_chainlabel chain, int verbose, iptc_handle_t *handle); extern int flush_entries(const ipt_chainlabel chain, int verbose, diff --git a/include/iptables_common.h b/include/iptables_common.h index 3b61e72d..3e190805 100644 --- a/include/iptables_common.h +++ b/include/iptables_common.h @@ -27,11 +27,9 @@ extern int string_to_number_ll(const char *, unsigned long long int, unsigned long long int, unsigned long long *); -extern int load_iptables_ko(const char *modprobe, int quiet); void exit_error(enum exittype, char *, ...)__attribute__((noreturn, format(printf,2,3))); extern const char *program_name, *program_version; -extern char *lib_dir; #define _init __attribute__((constructor)) my_init #ifdef NO_SHARED_LIBS diff --git a/include/libiptc/libxtc.h b/include/libiptc/libxtc.h new file mode 100644 index 00000000..031afb54 --- /dev/null +++ b/include/libiptc/libxtc.h @@ -0,0 +1,35 @@ +#ifndef _LIBXTC_H +#define _LIBXTC_H +/* Library which manipulates filtering rules. */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#ifndef XT_MIN_ALIGN +/* xt_entry has pointers and u_int64_t's in it, so if you align to + it, you'll also align to any crazy matches and targets someone + might write */ +#define XT_MIN_ALIGN (__alignof__(struct xt_entry)) +#endif + +#ifndef XT_ALIGN +#define XT_ALIGN(s) (((s) + ((XT_MIN_ALIGN)-1)) & ~((XT_MIN_ALIGN)-1)) +#endif + +typedef char xt_chainlabel[32]; + +#define XTC_LABEL_ACCEPT "ACCEPT" +#define XTC_LABEL_DROP "DROP" +#define XTC_LABEL_QUEUE "QUEUE" +#define XTC_LABEL_RETURN "RETURN" + + +#ifdef __cplusplus +} +#endif + +#endif /* _LIBXTC_H */ diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h new file mode 100644 index 00000000..69ec8aea --- /dev/null +++ b/include/linux/netfilter/x_tables.h @@ -0,0 +1,123 @@ +#ifndef _X_TABLES_H +#define _X_TABLES_H + +#include + +#define XT_FUNCTION_MAXNAMELEN 30 +#define XT_TABLE_MAXNAMELEN 32 + +struct xt_entry_match +{ + union { + struct { + u_int16_t match_size; + + /* Used by userspace */ + char name[XT_FUNCTION_MAXNAMELEN-1]; + + u_int8_t revision; + } user; + struct { + u_int16_t match_size; + + /* Used inside the kernel */ + struct xt_match *match; + } kernel; + + /* Total length */ + u_int16_t match_size; + } u; + + unsigned char data[0]; +}; + +struct xt_entry_target +{ + union { + struct { + u_int16_t target_size; + + /* Used by userspace */ + char name[XT_FUNCTION_MAXNAMELEN-1]; + + u_int8_t revision; + } user; + struct { + u_int16_t target_size; + + /* Used inside the kernel */ + struct xt_target *target; + } kernel; + + /* Total length */ + u_int16_t target_size; + } u; + + unsigned char data[0]; +}; + +struct xt_standard_target +{ + struct xt_entry_target target; + int verdict; +}; + +/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision + * kernel supports, if >= revision. */ +struct xt_get_revision +{ + char name[XT_FUNCTION_MAXNAMELEN-1]; + + u_int8_t revision; +}; + +/* CONTINUE verdict for targets */ +#define XT_CONTINUE 0xFFFFFFFF + +/* For standard target */ +#define XT_RETURN (-NF_REPEAT - 1) + +/* this is a dummy structure to find out the alignment requirement for a struct + * containing all the fundamental data types that are used in ipt_entry, + * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my + * personal pleasure to remove it -HW + */ +struct _xt_align +{ + u_int8_t u8; + u_int16_t u16; + u_int32_t u32; + u_int64_t u64; +}; + +#define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) \ + & ~(__alignof__(struct _xt_align)-1)) + +/* Standard return verdict, or do jump. */ +#define XT_STANDARD_TARGET "" +/* Error verdict. */ +#define XT_ERROR_TARGET "ERROR" + +#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) +#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) + +struct xt_counters +{ + u_int64_t pcnt, bcnt; /* Packet and byte counters */ +}; + +/* The argument to IPT_SO_ADD_COUNTERS. */ +struct xt_counters_info +{ + /* Which table. */ + char name[XT_TABLE_MAXNAMELEN]; + + unsigned int num_counters; + + /* The counters (actually `number' of these). */ + struct xt_counters counters[0]; +}; + +#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ + +#endif /* _X_TABLES_H */ diff --git a/include/xtables.h b/include/xtables.h index 97395f3f..89b92c36 100644 --- a/include/xtables.h +++ b/include/xtables.h @@ -1,10 +1,183 @@ #ifndef _XTABLES_H #define _XTABLES_H +#include +#include +#include + +/* protocol family dependent informations */ +struct afinfo { + /* protocol family */ + int family; + + /* prefix of library name (ex "libipt_" */ + char *libprefix; + + /* used by setsockopt (ex IPPROTO_IP */ + int ipproto; + + /* kernel module (ex "ip_tables" */ + char *kmod; + + /* optname to check revision support of match */ + int so_rev_match; + + /* optname to check revision support of match */ + int so_rev_target; +}; + +enum xt_tryload { + DONT_LOAD, + DURING_LOAD, + TRY_LOAD, + LOAD_MUST_SUCCEED +}; + +struct xtables_rule_match +{ + struct xtables_rule_match *next; + struct xtables_match *match; + /* Multiple matches of the same type: the ones before + the current one are completed from parsing point of view */ + unsigned int completed; +}; + +/* Include file for additions: new matches and targets. */ +struct xtables_match +{ + struct xtables_match *next; + + xt_chainlabel name; + + /* Revision of match (0 by default). */ + u_int8_t revision; + + u_int16_t family; + + const char *version; + + /* Size of match data. */ + size_t size; + + /* Size of match data relevent for userspace comparison purposes */ + size_t userspacesize; + + /* Function which prints out usage message. */ + void (*help)(void); + + /* Initialize the match. */ + void (*init)(struct xt_entry_match *m, unsigned int *nfcache); + + /* Function which parses command options; returns true if it + ate an option */ + /* entry is struct ipt_entry for example */ + int (*parse)(int c, char **argv, int invert, unsigned int *flags, + const void *entry, + unsigned int *nfcache, + struct xt_entry_match **match); + + /* Final check; exit if not ok. */ + void (*final_check)(unsigned int flags); + + /* Prints out the match iff non-NULL: put space at end */ + /* ip is struct ipt_ip * for example */ + void (*print)(const void *ip, + const struct xt_entry_match *match, int numeric); + + /* Saves the match info in parsable form to stdout. */ + /* ip is struct ipt_ip * for example */ + void (*save)(const void *ip, const struct xt_entry_match *match); + + /* Pointer to list of extra command-line options */ + const struct option *extra_opts; + + /* Ignore these men behind the curtain: */ + unsigned int option_offset; + struct xt_entry_match *m; + unsigned int mflags; +#ifdef NO_SHARED_LIBS + unsigned int loaded; /* simulate loading so options are merged properly */ +#endif +}; + +struct xtables_target +{ + struct xtables_target *next; + + xt_chainlabel name; + + /* Revision of target (0 by default). */ + u_int8_t revision; + + u_int16_t family; + + const char *version; + + /* Size of target data. */ + size_t size; + + /* Size of target data relevent for userspace comparison purposes */ + size_t userspacesize; + + /* Function which prints out usage message. */ + void (*help)(void); + + /* Initialize the target. */ + void (*init)(struct xt_entry_target *t, unsigned int *nfcache); + + /* Function which parses command options; returns true if it + ate an option */ + /* entry is struct ipt_entry for example */ + int (*parse)(int c, char **argv, int invert, unsigned int *flags, + const void *entry, + struct xt_entry_target **targetinfo); + + /* Final check; exit if not ok. */ + void (*final_check)(unsigned int flags); + + /* Prints out the target iff non-NULL: put space at end */ + void (*print)(const void *ip, + const struct xt_entry_target *target, int numeric); + + /* Saves the targinfo in parsable form to stdout. */ + void (*save)(const void *ip, + const struct xt_entry_target *target); + + /* Pointer to list of extra command-line options */ + struct option *extra_opts; + + /* Ignore these men behind the curtain: */ + unsigned int option_offset; + struct xt_entry_target *t; + unsigned int tflags; + unsigned int used; +#ifdef NO_SHARED_LIBS + unsigned int loaded; /* simulate loading so options are merged properly */ +#endif +}; + +extern char *lib_dir; + extern void *fw_calloc(size_t count, size_t size); extern void *fw_malloc(size_t size); extern const char *modprobe; extern int xtables_insmod(const char *modname, const char *modprobe, int quiet); +extern int load_xtables_ko(const char *modprobe, int quiet); + +/* This is decleared in ip[6]tables.c */ +extern struct afinfo afinfo; + +/* Keeping track of external matches and targets: linked lists. */ +extern struct xtables_match *xtables_matches; +extern struct xtables_target *xtables_targets; + +/* Your shared library should call one of these. */ +extern void xtables_register_match(struct xtables_match *me); +extern void xtables_register_target(struct xtables_target *me); + +extern struct xtables_match *find_match(const char *name, enum xt_tryload, + struct xtables_rule_match **match); +extern struct xtables_target *find_target(const char *name, enum xt_tryload); #endif /* _XTABLES_H */ -- cgit v1.2.3