License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 08:07:57 -06:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
#ifndef _X_TABLES_H
|
|
|
|
|
#define _X_TABLES_H
|
2009-02-25 16:51:43 -07:00
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
|
#include <linux/netdevice.h>
|
2015-07-14 09:51:09 -06:00
|
|
|
#include <linux/static_key.h>
|
2016-11-03 03:56:21 -06:00
|
|
|
#include <linux/netfilter.h>
|
2012-10-09 02:48:54 -06:00
|
|
|
#include <uapi/linux/netfilter/x_tables.h>
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2016-06-24 14:25:22 -06:00
|
|
|
/* Test a struct->invflags and a boolean for inequality */
|
|
|
|
|
#define NF_INVF(ptr, flag, boolean) \
|
|
|
|
|
((boolean) ^ !!((ptr)->invflags & (flag)))
|
|
|
|
|
|
2008-10-08 03:35:18 -06:00
|
|
|
/**
|
2009-07-05 10:26:37 -06:00
|
|
|
* struct xt_action_param - parameters for matches/targets
|
2008-10-08 03:35:18 -06:00
|
|
|
*
|
2009-07-05 10:26:37 -06:00
|
|
|
* @match: the match extension
|
|
|
|
|
* @target: the target extension
|
|
|
|
|
* @matchinfo: per-match data
|
|
|
|
|
* @targetinfo: per-target data
|
2016-11-03 03:56:21 -06:00
|
|
|
* @state: pointer to hook state this packet came from
|
2008-10-08 03:35:18 -06:00
|
|
|
* @fragoff: packet is a fragment, this is the data offset
|
|
|
|
|
* @thoff: position of transport header relative to skb->data
|
2009-07-07 12:54:30 -06:00
|
|
|
*
|
|
|
|
|
* Fields written to by extensions:
|
|
|
|
|
*
|
2009-06-04 08:54:42 -06:00
|
|
|
* @hotdrop: drop packet if we had inspection problems
|
2008-10-08 03:35:18 -06:00
|
|
|
*/
|
2009-07-05 10:26:37 -06:00
|
|
|
struct xt_action_param {
|
|
|
|
|
union {
|
|
|
|
|
const struct xt_match *match;
|
|
|
|
|
const struct xt_target *target;
|
|
|
|
|
};
|
|
|
|
|
union {
|
|
|
|
|
const void *matchinfo, *targinfo;
|
|
|
|
|
};
|
2016-11-03 03:56:21 -06:00
|
|
|
const struct nf_hook_state *state;
|
2008-10-08 03:35:18 -06:00
|
|
|
int fragoff;
|
|
|
|
|
unsigned int thoff;
|
2009-07-07 12:54:30 -06:00
|
|
|
bool hotdrop;
|
2008-10-08 03:35:18 -06:00
|
|
|
};
|
|
|
|
|
|
2016-11-03 03:56:21 -06:00
|
|
|
static inline struct net *xt_net(const struct xt_action_param *par)
|
|
|
|
|
{
|
|
|
|
|
return par->state->net;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct net_device *xt_in(const struct xt_action_param *par)
|
|
|
|
|
{
|
|
|
|
|
return par->state->in;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline const char *xt_inname(const struct xt_action_param *par)
|
|
|
|
|
{
|
|
|
|
|
return par->state->in->name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct net_device *xt_out(const struct xt_action_param *par)
|
|
|
|
|
{
|
|
|
|
|
return par->state->out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline const char *xt_outname(const struct xt_action_param *par)
|
|
|
|
|
{
|
|
|
|
|
return par->state->out->name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline unsigned int xt_hooknum(const struct xt_action_param *par)
|
|
|
|
|
{
|
|
|
|
|
return par->state->hook;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline u_int8_t xt_family(const struct xt_action_param *par)
|
|
|
|
|
{
|
|
|
|
|
return par->state->pf;
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-08 03:35:18 -06:00
|
|
|
/**
|
|
|
|
|
* struct xt_mtchk_param - parameters for match extensions'
|
|
|
|
|
* checkentry functions
|
|
|
|
|
*
|
2010-03-18 03:30:44 -06:00
|
|
|
* @net: network namespace through which the check was invoked
|
2008-10-08 03:35:18 -06:00
|
|
|
* @table: table the rule is tried to be inserted into
|
|
|
|
|
* @entryinfo: the family-specific rule data
|
2010-03-18 03:30:44 -06:00
|
|
|
* (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
|
2008-10-08 03:35:18 -06:00
|
|
|
* @match: struct xt_match through which this function was invoked
|
|
|
|
|
* @matchinfo: per-match data
|
|
|
|
|
* @hook_mask: via which hooks the new rule is reachable
|
2010-03-18 03:30:44 -06:00
|
|
|
* Other fields as above.
|
2008-10-08 03:35:18 -06:00
|
|
|
*/
|
|
|
|
|
struct xt_mtchk_param {
|
2010-01-18 00:21:13 -07:00
|
|
|
struct net *net;
|
2008-10-08 03:35:18 -06:00
|
|
|
const char *table;
|
|
|
|
|
const void *entryinfo;
|
|
|
|
|
const struct xt_match *match;
|
|
|
|
|
void *matchinfo;
|
|
|
|
|
unsigned int hook_mask;
|
2008-10-08 03:35:20 -06:00
|
|
|
u_int8_t family;
|
2015-05-14 06:57:23 -06:00
|
|
|
bool nft_compat;
|
2008-10-08 03:35:18 -06:00
|
|
|
};
|
|
|
|
|
|
2010-03-18 03:30:44 -06:00
|
|
|
/**
|
|
|
|
|
* struct xt_mdtor_param - match destructor parameters
|
|
|
|
|
* Fields as above.
|
|
|
|
|
*/
|
2008-10-08 03:35:19 -06:00
|
|
|
struct xt_mtdtor_param {
|
2010-01-18 00:25:47 -07:00
|
|
|
struct net *net;
|
2008-10-08 03:35:19 -06:00
|
|
|
const struct xt_match *match;
|
|
|
|
|
void *matchinfo;
|
2008-10-08 03:35:20 -06:00
|
|
|
u_int8_t family;
|
2008-10-08 03:35:19 -06:00
|
|
|
};
|
|
|
|
|
|
2008-10-08 03:35:19 -06:00
|
|
|
/**
|
|
|
|
|
* struct xt_tgchk_param - parameters for target extensions'
|
|
|
|
|
* checkentry functions
|
|
|
|
|
*
|
|
|
|
|
* @entryinfo: the family-specific rule data
|
|
|
|
|
* (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
|
|
|
|
|
*
|
|
|
|
|
* Other fields see above.
|
|
|
|
|
*/
|
|
|
|
|
struct xt_tgchk_param {
|
2010-02-03 05:45:12 -07:00
|
|
|
struct net *net;
|
2008-10-08 03:35:19 -06:00
|
|
|
const char *table;
|
2008-11-24 17:06:17 -07:00
|
|
|
const void *entryinfo;
|
2008-10-08 03:35:19 -06:00
|
|
|
const struct xt_target *target;
|
|
|
|
|
void *targinfo;
|
|
|
|
|
unsigned int hook_mask;
|
2008-10-08 03:35:20 -06:00
|
|
|
u_int8_t family;
|
2015-05-14 06:57:23 -06:00
|
|
|
bool nft_compat;
|
2008-10-08 03:35:19 -06:00
|
|
|
};
|
|
|
|
|
|
2008-10-08 03:35:19 -06:00
|
|
|
/* Target destructor parameters */
|
|
|
|
|
struct xt_tgdtor_param {
|
2010-02-03 05:45:12 -07:00
|
|
|
struct net *net;
|
2008-10-08 03:35:19 -06:00
|
|
|
const struct xt_target *target;
|
|
|
|
|
void *targinfo;
|
2008-10-08 03:35:20 -06:00
|
|
|
u_int8_t family;
|
2008-10-08 03:35:19 -06:00
|
|
|
};
|
|
|
|
|
|
2009-11-04 10:50:58 -07:00
|
|
|
struct xt_match {
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
struct list_head list;
|
|
|
|
|
|
2010-04-27 07:34:34 -06:00
|
|
|
const char name[XT_EXTENSION_MAXNAMELEN];
|
2009-01-11 17:06:11 -07:00
|
|
|
u_int8_t revision;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
|
/* Return true or false: return FALSE and set *hotdrop = 1 to
|
|
|
|
|
force immediate packet drop. */
|
|
|
|
|
/* Arguments changed since 2.6.9, as this must now handle
|
|
|
|
|
non-linear skb, using skb_header_pointer and
|
|
|
|
|
skb_ip_make_writable. */
|
2007-07-07 23:15:35 -06:00
|
|
|
bool (*match)(const struct sk_buff *skb,
|
2009-07-07 12:42:08 -06:00
|
|
|
struct xt_action_param *);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
|
/* Called when user tries to insert an entry of this type. */
|
2010-03-19 10:16:42 -06:00
|
|
|
int (*checkentry)(const struct xt_mtchk_param *);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
|
/* Called when entry of this type deleted. */
|
2008-10-08 03:35:19 -06:00
|
|
|
void (*destroy)(const struct xt_mtdtor_param *);
|
2010-02-02 07:03:24 -07:00
|
|
|
#ifdef CONFIG_COMPAT
|
2006-04-01 03:25:19 -07:00
|
|
|
/* Called when userspace align differs from kernel space one */
|
2009-06-26 00:23:19 -06:00
|
|
|
void (*compat_from_user)(void *dst, const void *src);
|
|
|
|
|
int (*compat_to_user)(void __user *dst, const void *src);
|
2010-02-02 07:03:24 -07:00
|
|
|
#endif
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
|
|
|
|
|
struct module *me;
|
2006-03-20 18:59:06 -07:00
|
|
|
|
2008-01-31 04:54:47 -07:00
|
|
|
const char *table;
|
2006-03-20 18:59:06 -07:00
|
|
|
unsigned int matchsize;
|
2017-01-02 15:19:40 -07:00
|
|
|
unsigned int usersize;
|
2010-02-02 07:03:24 -07:00
|
|
|
#ifdef CONFIG_COMPAT
|
2006-09-20 13:05:37 -06:00
|
|
|
unsigned int compatsize;
|
2010-02-02 07:03:24 -07:00
|
|
|
#endif
|
2006-03-20 18:59:06 -07:00
|
|
|
unsigned int hooks;
|
|
|
|
|
unsigned short proto;
|
2006-03-20 19:03:40 -07:00
|
|
|
|
|
|
|
|
unsigned short family;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* Registration hooks for targets. */
|
2009-11-04 10:50:58 -07:00
|
|
|
struct xt_target {
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
struct list_head list;
|
|
|
|
|
|
2010-04-27 07:34:34 -06:00
|
|
|
const char name[XT_EXTENSION_MAXNAMELEN];
|
2010-03-18 07:02:10 -06:00
|
|
|
u_int8_t revision;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
|
/* Returns verdict. Argument order changed since 2.6.9, as this
|
|
|
|
|
must now handle non-linear skbs, using skb_copy_bits and
|
|
|
|
|
skb_ip_make_writable. */
|
2007-10-15 01:53:15 -06:00
|
|
|
unsigned int (*target)(struct sk_buff *skb,
|
2009-07-05 10:26:37 -06:00
|
|
|
const struct xt_action_param *);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
|
/* Called when user tries to insert an entry of this type:
|
|
|
|
|
hook_mask is a bitmask of hooks from which it can be
|
|
|
|
|
called. */
|
2010-05-20 07:59:16 -06:00
|
|
|
/* Should return 0 on success or an error code otherwise (-Exxxx). */
|
2010-03-19 10:16:42 -06:00
|
|
|
int (*checkentry)(const struct xt_tgchk_param *);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
|
/* Called when entry of this type deleted. */
|
2008-10-08 03:35:19 -06:00
|
|
|
void (*destroy)(const struct xt_tgdtor_param *);
|
2010-02-02 07:03:24 -07:00
|
|
|
#ifdef CONFIG_COMPAT
|
2006-04-01 03:25:19 -07:00
|
|
|
/* Called when userspace align differs from kernel space one */
|
2009-06-26 00:23:19 -06:00
|
|
|
void (*compat_from_user)(void *dst, const void *src);
|
|
|
|
|
int (*compat_to_user)(void __user *dst, const void *src);
|
2010-02-02 07:03:24 -07:00
|
|
|
#endif
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
|
|
|
|
|
struct module *me;
|
2006-03-20 18:59:06 -07:00
|
|
|
|
2008-01-31 04:54:47 -07:00
|
|
|
const char *table;
|
2006-03-20 18:59:06 -07:00
|
|
|
unsigned int targetsize;
|
2017-01-02 15:19:40 -07:00
|
|
|
unsigned int usersize;
|
2010-02-02 07:03:24 -07:00
|
|
|
#ifdef CONFIG_COMPAT
|
2006-09-20 13:05:37 -06:00
|
|
|
unsigned int compatsize;
|
2010-02-02 07:03:24 -07:00
|
|
|
#endif
|
2006-03-20 18:59:06 -07:00
|
|
|
unsigned int hooks;
|
|
|
|
|
unsigned short proto;
|
2006-03-20 19:03:40 -07:00
|
|
|
|
|
|
|
|
unsigned short family;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* Furniture shopping... */
|
2009-11-04 10:50:58 -07:00
|
|
|
struct xt_table {
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
struct list_head list;
|
|
|
|
|
|
|
|
|
|
/* What hooks you will enter on */
|
|
|
|
|
unsigned int valid_hooks;
|
|
|
|
|
|
|
|
|
|
/* Man behind the curtain... */
|
2021-03-07 18:24:12 -07:00
|
|
|
struct xt_table_info *private;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
|
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
|
|
|
|
|
struct module *me;
|
|
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
u_int8_t af; /* address/protocol family */
|
2009-06-17 05:57:48 -06:00
|
|
|
int priority; /* hook order */
|
2009-02-18 08:29:44 -07:00
|
|
|
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
/* called when table is needed in the given netns */
|
|
|
|
|
int (*table_init)(struct net *net);
|
|
|
|
|
|
2009-02-18 08:29:44 -07:00
|
|
|
/* A unique name... */
|
|
|
|
|
const char name[XT_TABLE_MAXNAMELEN];
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#include <linux/netfilter_ipv4.h>
|
|
|
|
|
|
|
|
|
|
/* The table itself */
|
2009-11-04 10:50:58 -07:00
|
|
|
struct xt_table_info {
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
/* Size per table */
|
|
|
|
|
unsigned int size;
|
|
|
|
|
/* Number of entries: FIXME. --RR */
|
|
|
|
|
unsigned int number;
|
|
|
|
|
/* Initial number of entries. Needed for module usage count */
|
|
|
|
|
unsigned int initial_entries;
|
|
|
|
|
|
|
|
|
|
/* Entry points and underflows */
|
2007-11-19 19:53:30 -07:00
|
|
|
unsigned int hook_entry[NF_INET_NUMHOOKS];
|
|
|
|
|
unsigned int underflow[NF_INET_NUMHOOKS];
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2010-04-19 08:05:10 -06:00
|
|
|
/*
|
|
|
|
|
* Number of user chains. Since tables cannot have loops, at most
|
|
|
|
|
* @stacksize jumps (number of user chains) can possibly be made.
|
|
|
|
|
*/
|
|
|
|
|
unsigned int stacksize;
|
|
|
|
|
void ***jumpstack;
|
2015-06-10 17:34:55 -06:00
|
|
|
|
2020-02-20 06:59:14 -07:00
|
|
|
unsigned char entries[] __aligned(8);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
};
|
|
|
|
|
|
2013-09-26 15:48:15 -06:00
|
|
|
int xt_register_target(struct xt_target *target);
|
|
|
|
|
void xt_unregister_target(struct xt_target *target);
|
|
|
|
|
int xt_register_targets(struct xt_target *target, unsigned int n);
|
|
|
|
|
void xt_unregister_targets(struct xt_target *target, unsigned int n);
|
|
|
|
|
|
|
|
|
|
int xt_register_match(struct xt_match *target);
|
|
|
|
|
void xt_unregister_match(struct xt_match *target);
|
|
|
|
|
int xt_register_matches(struct xt_match *match, unsigned int n);
|
|
|
|
|
void xt_unregister_matches(struct xt_match *match, unsigned int n);
|
|
|
|
|
|
2016-04-01 06:17:28 -06:00
|
|
|
int xt_check_entry_offsets(const void *base, const char *elems,
|
2016-04-01 06:17:23 -06:00
|
|
|
unsigned int target_offset,
|
|
|
|
|
unsigned int next_offset);
|
|
|
|
|
|
2018-02-27 11:42:29 -07:00
|
|
|
int xt_check_table_hooks(const struct xt_table_info *info, unsigned int valid_hooks);
|
|
|
|
|
|
2016-07-14 09:51:26 -06:00
|
|
|
unsigned int *xt_alloc_entry_offsets(unsigned int size);
|
|
|
|
|
bool xt_find_jump_offset(const unsigned int *offsets,
|
|
|
|
|
unsigned int target, unsigned int size);
|
|
|
|
|
|
2018-03-09 17:15:45 -07:00
|
|
|
int xt_check_proc_name(const char *name, unsigned int size);
|
|
|
|
|
|
2019-02-22 06:45:52 -07:00
|
|
|
int xt_check_match(struct xt_mtchk_param *, unsigned int size, u16 proto,
|
2013-09-26 15:48:15 -06:00
|
|
|
bool inv_proto);
|
2019-02-22 06:45:52 -07:00
|
|
|
int xt_check_target(struct xt_tgchk_param *, unsigned int size, u16 proto,
|
2013-09-26 15:48:15 -06:00
|
|
|
bool inv_proto);
|
|
|
|
|
|
2017-01-02 15:19:40 -07:00
|
|
|
int xt_match_to_user(const struct xt_entry_match *m,
|
|
|
|
|
struct xt_entry_match __user *u);
|
|
|
|
|
int xt_target_to_user(const struct xt_entry_target *t,
|
|
|
|
|
struct xt_entry_target __user *u);
|
|
|
|
|
int xt_data_to_user(void __user *dst, const void *src,
|
2017-05-09 14:17:37 -06:00
|
|
|
int usersize, int size, int aligned_size);
|
2017-01-02 15:19:40 -07:00
|
|
|
|
2020-07-23 00:08:53 -06:00
|
|
|
void *xt_copy_counters(sockptr_t arg, unsigned int len,
|
|
|
|
|
struct xt_counters_info *info);
|
2018-02-27 11:42:33 -07:00
|
|
|
struct xt_counters *xt_counters_alloc(unsigned int counters);
|
2016-04-01 07:37:59 -06:00
|
|
|
|
2013-09-26 15:48:15 -06:00
|
|
|
struct xt_table *xt_register_table(struct net *net,
|
|
|
|
|
const struct xt_table *table,
|
|
|
|
|
struct xt_table_info *bootstrap,
|
|
|
|
|
struct xt_table_info *newinfo);
|
|
|
|
|
void *xt_unregister_table(struct xt_table *table);
|
|
|
|
|
|
|
|
|
|
struct xt_table_info *xt_replace_table(struct xt_table *table,
|
|
|
|
|
unsigned int num_counters,
|
|
|
|
|
struct xt_table_info *newinfo,
|
|
|
|
|
int *error);
|
|
|
|
|
|
|
|
|
|
struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
|
|
|
|
|
struct xt_match *xt_request_find_match(u8 af, const char *name, u8 revision);
|
|
|
|
|
struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision);
|
|
|
|
|
int xt_find_revision(u8 af, const char *name, u8 revision, int target,
|
|
|
|
|
int *err);
|
|
|
|
|
|
|
|
|
|
struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
|
|
|
|
|
const char *name);
|
2017-12-08 09:01:53 -07:00
|
|
|
struct xt_table *xt_request_find_table_lock(struct net *net, u_int8_t af,
|
|
|
|
|
const char *name);
|
2013-09-26 15:48:15 -06:00
|
|
|
void xt_table_unlock(struct xt_table *t);
|
|
|
|
|
|
|
|
|
|
int xt_proto_init(struct net *net, u_int8_t af);
|
|
|
|
|
void xt_proto_fini(struct net *net, u_int8_t af);
|
|
|
|
|
|
|
|
|
|
struct xt_table_info *xt_alloc_table_info(unsigned int size);
|
|
|
|
|
void xt_free_table_info(struct xt_table_info *info);
|
2009-04-28 23:36:33 -06:00
|
|
|
|
2011-04-04 09:04:03 -06:00
|
|
|
/**
|
|
|
|
|
* xt_recseq - recursive seqcount for netfilter use
|
2019-09-13 02:13:02 -06:00
|
|
|
*
|
2011-04-04 09:04:03 -06:00
|
|
|
* Packet processing changes the seqcount only if no recursion happened
|
|
|
|
|
* get_counters() can use read_seqcount_begin()/read_seqcount_retry(),
|
|
|
|
|
* because we use the normal seqcount convention :
|
|
|
|
|
* Low order bit set to 1 if a writer is active.
|
2009-04-28 23:36:33 -06:00
|
|
|
*/
|
2011-04-04 09:04:03 -06:00
|
|
|
DECLARE_PER_CPU(seqcount_t, xt_recseq);
|
2009-04-28 23:36:33 -06:00
|
|
|
|
2015-07-14 09:51:09 -06:00
|
|
|
/* xt_tee_enabled - true if x_tables needs to handle reentrancy
|
|
|
|
|
*
|
|
|
|
|
* Enabled if current ip(6)tables ruleset has at least one -j TEE rule.
|
|
|
|
|
*/
|
|
|
|
|
extern struct static_key xt_tee_enabled;
|
|
|
|
|
|
2011-04-04 09:04:03 -06:00
|
|
|
/**
|
|
|
|
|
* xt_write_recseq_begin - start of a write section
|
2009-04-28 23:36:33 -06:00
|
|
|
*
|
2011-04-04 09:04:03 -06:00
|
|
|
* Begin packet processing : all readers must wait the end
|
|
|
|
|
* 1) Must be called with preemption disabled
|
2011-12-22 10:58:51 -07:00
|
|
|
* 2) softirqs must be disabled too (or we should use this_cpu_add())
|
2011-04-04 09:04:03 -06:00
|
|
|
* Returns :
|
|
|
|
|
* 1 if no recursion on this cpu
|
|
|
|
|
* 0 if recursion detected
|
2009-04-28 23:36:33 -06:00
|
|
|
*/
|
2011-04-04 09:04:03 -06:00
|
|
|
static inline unsigned int xt_write_recseq_begin(void)
|
2009-04-28 23:36:33 -06:00
|
|
|
{
|
2011-04-04 09:04:03 -06:00
|
|
|
unsigned int addend;
|
2009-04-28 23:36:33 -06:00
|
|
|
|
2011-04-04 09:04:03 -06:00
|
|
|
/*
|
|
|
|
|
* Low order bit of sequence is set if we already
|
|
|
|
|
* called xt_write_recseq_begin().
|
|
|
|
|
*/
|
|
|
|
|
addend = (__this_cpu_read(xt_recseq.sequence) + 1) & 1;
|
2009-04-28 23:36:33 -06:00
|
|
|
|
2011-04-04 09:04:03 -06:00
|
|
|
/*
|
|
|
|
|
* This is kind of a write_seqcount_begin(), but addend is 0 or 1
|
|
|
|
|
* We dont check addend value to avoid a test and conditional jump,
|
|
|
|
|
* since addend is most likely 1
|
|
|
|
|
*/
|
|
|
|
|
__this_cpu_add(xt_recseq.sequence, addend);
|
2021-03-07 18:24:13 -07:00
|
|
|
smp_mb();
|
2009-04-28 23:36:33 -06:00
|
|
|
|
2011-04-04 09:04:03 -06:00
|
|
|
return addend;
|
2009-04-28 23:36:33 -06:00
|
|
|
}
|
|
|
|
|
|
2011-04-04 09:04:03 -06:00
|
|
|
/**
|
|
|
|
|
* xt_write_recseq_end - end of a write section
|
|
|
|
|
* @addend: return value from previous xt_write_recseq_begin()
|
|
|
|
|
*
|
|
|
|
|
* End packet processing : all readers can proceed
|
|
|
|
|
* 1) Must be called with preemption disabled
|
2011-12-22 10:58:51 -07:00
|
|
|
* 2) softirqs must be disabled too (or we should use this_cpu_add())
|
2009-04-28 23:36:33 -06:00
|
|
|
*/
|
2011-04-04 09:04:03 -06:00
|
|
|
static inline void xt_write_recseq_end(unsigned int addend)
|
2009-04-28 23:36:33 -06:00
|
|
|
{
|
2011-04-04 09:04:03 -06:00
|
|
|
/* this is kind of a write_seqcount_end(), but addend is 0 or 1 */
|
|
|
|
|
smp_wmb();
|
|
|
|
|
__this_cpu_add(xt_recseq.sequence, addend);
|
2009-04-28 23:36:33 -06:00
|
|
|
}
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2009-03-25 10:31:52 -06:00
|
|
|
/*
|
|
|
|
|
* This helper is performance critical and must be inlined
|
|
|
|
|
*/
|
|
|
|
|
static inline unsigned long ifname_compare_aligned(const char *_a,
|
|
|
|
|
const char *_b,
|
|
|
|
|
const char *_mask)
|
|
|
|
|
{
|
|
|
|
|
const unsigned long *a = (const unsigned long *)_a;
|
|
|
|
|
const unsigned long *b = (const unsigned long *)_b;
|
|
|
|
|
const unsigned long *mask = (const unsigned long *)_mask;
|
|
|
|
|
unsigned long ret;
|
|
|
|
|
|
|
|
|
|
ret = (a[0] ^ b[0]) & mask[0];
|
|
|
|
|
if (IFNAMSIZ > sizeof(unsigned long))
|
|
|
|
|
ret |= (a[1] ^ b[1]) & mask[1];
|
|
|
|
|
if (IFNAMSIZ > 2 * sizeof(unsigned long))
|
|
|
|
|
ret |= (a[2] ^ b[2]) & mask[2];
|
|
|
|
|
if (IFNAMSIZ > 3 * sizeof(unsigned long))
|
|
|
|
|
ret |= (a[3] ^ b[3]) & mask[3];
|
|
|
|
|
BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-22 06:44:19 -07:00
|
|
|
struct xt_percpu_counter_alloc_state {
|
|
|
|
|
unsigned int off;
|
|
|
|
|
const char __percpu *mem;
|
|
|
|
|
};
|
2015-06-10 17:34:54 -06:00
|
|
|
|
2016-11-22 06:44:19 -07:00
|
|
|
bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
|
|
|
|
|
struct xt_counters *counter);
|
2016-11-22 06:44:17 -07:00
|
|
|
void xt_percpu_counter_free(struct xt_counters *cnt);
|
2015-06-10 17:34:54 -06:00
|
|
|
|
|
|
|
|
static inline struct xt_counters *
|
|
|
|
|
xt_get_this_cpu_counter(struct xt_counters *cnt)
|
|
|
|
|
{
|
|
|
|
|
if (nr_cpu_ids > 1)
|
2015-06-17 15:58:28 -06:00
|
|
|
return this_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt);
|
2015-06-10 17:34:54 -06:00
|
|
|
|
|
|
|
|
return cnt;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct xt_counters *
|
|
|
|
|
xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
|
|
|
|
|
{
|
|
|
|
|
if (nr_cpu_ids > 1)
|
2015-06-17 15:58:28 -06:00
|
|
|
return per_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt, cpu);
|
2015-06-10 17:34:54 -06:00
|
|
|
|
|
|
|
|
return cnt;
|
|
|
|
|
}
|
|
|
|
|
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);
|
2009-06-17 05:57:48 -06:00
|
|
|
|
2006-04-01 03:25:19 -07:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
|
#include <net/compat.h>
|
|
|
|
|
|
2009-11-04 10:50:58 -07:00
|
|
|
struct compat_xt_entry_match {
|
2006-04-01 03:25:19 -07:00
|
|
|
union {
|
|
|
|
|
struct {
|
|
|
|
|
u_int16_t match_size;
|
|
|
|
|
char name[XT_FUNCTION_MAXNAMELEN - 1];
|
|
|
|
|
u_int8_t revision;
|
|
|
|
|
} user;
|
2006-05-01 21:12:22 -06:00
|
|
|
struct {
|
|
|
|
|
u_int16_t match_size;
|
|
|
|
|
compat_uptr_t match;
|
|
|
|
|
} kernel;
|
2006-04-01 03:25:19 -07:00
|
|
|
u_int16_t match_size;
|
|
|
|
|
} u;
|
2020-02-20 06:59:14 -07:00
|
|
|
unsigned char data[];
|
2006-04-01 03:25:19 -07:00
|
|
|
};
|
|
|
|
|
|
2009-11-04 10:50:58 -07:00
|
|
|
struct compat_xt_entry_target {
|
2006-04-01 03:25:19 -07:00
|
|
|
union {
|
|
|
|
|
struct {
|
|
|
|
|
u_int16_t target_size;
|
|
|
|
|
char name[XT_FUNCTION_MAXNAMELEN - 1];
|
|
|
|
|
u_int8_t revision;
|
|
|
|
|
} user;
|
2006-05-01 21:12:22 -06:00
|
|
|
struct {
|
|
|
|
|
u_int16_t target_size;
|
|
|
|
|
compat_uptr_t target;
|
|
|
|
|
} kernel;
|
2006-04-01 03:25:19 -07:00
|
|
|
u_int16_t target_size;
|
|
|
|
|
} u;
|
2020-02-20 06:59:14 -07:00
|
|
|
unsigned char data[];
|
2006-04-01 03:25:19 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* FIXME: this works only on 32 bit tasks
|
|
|
|
|
* need to change whole approach in order to calculate align as function of
|
|
|
|
|
* current task alignment */
|
|
|
|
|
|
2009-11-04 10:50:58 -07:00
|
|
|
struct compat_xt_counters {
|
2010-02-10 07:00:32 -07:00
|
|
|
compat_u64 pcnt, bcnt; /* Packet and byte counters */
|
2006-04-01 03:25:19 -07:00
|
|
|
};
|
|
|
|
|
|
2009-11-04 10:50:58 -07:00
|
|
|
struct compat_xt_counters_info {
|
2006-04-01 03:25:19 -07:00
|
|
|
char name[XT_TABLE_MAXNAMELEN];
|
|
|
|
|
compat_uint_t num_counters;
|
2020-02-20 06:59:14 -07:00
|
|
|
struct compat_xt_counters counters[];
|
2006-04-01 03:25:19 -07:00
|
|
|
};
|
|
|
|
|
|
2010-02-10 07:03:27 -07:00
|
|
|
struct _compat_xt_align {
|
|
|
|
|
__u8 u8;
|
|
|
|
|
__u16 u16;
|
|
|
|
|
__u32 u32;
|
|
|
|
|
compat_u64 u64;
|
|
|
|
|
};
|
|
|
|
|
|
2010-04-13 03:21:46 -06:00
|
|
|
#define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
|
2006-04-01 03:25:19 -07:00
|
|
|
|
2013-09-26 15:48:15 -06:00
|
|
|
void xt_compat_lock(u_int8_t af);
|
|
|
|
|
void xt_compat_unlock(u_int8_t af);
|
|
|
|
|
|
|
|
|
|
int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta);
|
|
|
|
|
void xt_compat_flush_offsets(u_int8_t af);
|
2018-02-27 11:42:34 -07:00
|
|
|
int xt_compat_init_offsets(u8 af, unsigned int number);
|
2013-09-26 15:48:15 -06:00
|
|
|
int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
|
|
|
|
|
|
|
|
|
|
int xt_compat_match_offset(const struct xt_match *match);
|
2016-04-01 06:17:33 -06:00
|
|
|
void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
|
2013-09-26 15:48:15 -06:00
|
|
|
unsigned int *size);
|
|
|
|
|
int xt_compat_match_to_user(const struct xt_entry_match *m,
|
|
|
|
|
void __user **dstptr, unsigned int *size);
|
|
|
|
|
|
|
|
|
|
int xt_compat_target_offset(const struct xt_target *target);
|
|
|
|
|
void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
|
|
|
|
|
unsigned int *size);
|
|
|
|
|
int xt_compat_target_to_user(const struct xt_entry_target *t,
|
|
|
|
|
void __user **dstptr, unsigned int *size);
|
2016-04-01 06:17:28 -06:00
|
|
|
int xt_compat_check_entry_offsets(const void *base, const char *elems,
|
2016-04-01 06:17:26 -06:00
|
|
|
unsigned int target_offset,
|
|
|
|
|
unsigned int next_offset);
|
2006-04-01 03:25:19 -07:00
|
|
|
|
|
|
|
|
#endif /* CONFIG_COMPAT */
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
#endif /* _X_TABLES_H */
|