
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables

This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables.  In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.

o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
  wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
  are now implemented as xt_FOOBAR.c files and provide module aliases
  to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
  include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
  around the xt_FOOBAR.h headers

Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
laf0rge authored and David S. Miller committed Jan 12, 2006
1 parent 880b005 commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc
Showing with 3,615 additions and 4,149 deletions.
  1. +3 −0 include/linux/netfilter/nf_conntrack_common.h
  2. +224 −0 include/linux/netfilter/x_tables.h
  3. +8 −0 include/linux/netfilter/xt_CLASSIFY.h
  4. +25 −0 include/linux/netfilter/xt_CONNMARK.h
  5. +21 −0 include/linux/netfilter/xt_MARK.h
  6. +16 −0 include/linux/netfilter/xt_NFQUEUE.h
  7. +10 −0 include/linux/netfilter/xt_comment.h
  8. +25 −0 include/linux/netfilter/xt_connbytes.h
  9. +18 −0 include/linux/netfilter/xt_connmark.h
  10. +63 −0 include/linux/netfilter/xt_conntrack.h
  11. +23 −0 include/linux/netfilter/xt_dccp.h
  12. +8 −0 include/linux/netfilter/xt_helper.h
  13. +9 −0 include/linux/netfilter/xt_length.h
  14. +21 −0 include/linux/netfilter/xt_limit.h
  15. +8 −0 include/linux/netfilter/xt_mac.h
  16. +9 −0 include/linux/netfilter/xt_mark.h
  17. +24 −0 include/linux/netfilter/xt_physdev.h
  18. +8 −0 include/linux/netfilter/xt_pkttype.h
  19. +10 −0 include/linux/netfilter/xt_realm.h
  20. +107 −0 include/linux/netfilter/xt_sctp.h
  21. +13 −0 include/linux/netfilter/xt_state.h
  22. +18 −0 include/linux/netfilter/xt_string.h
  23. +9 −0 include/linux/netfilter/xt_tcpmss.h
  24. +36 −0 include/linux/netfilter/xt_tcpudp.h
  25. +25 −98 include/linux/netfilter_arp/arp_tables.h
  26. +0 −3 include/linux/netfilter_ipv4/ip_conntrack.h
  27. +47 −170 include/linux/netfilter_ipv4/ip_tables.h
  28. +2 −3 include/linux/netfilter_ipv4/ipt_CLASSIFY.h
  29. +5 −11 include/linux/netfilter_ipv4/ipt_CONNMARK.h
  30. +10 −12 include/linux/netfilter_ipv4/ipt_MARK.h
  31. +4 −4 include/linux/netfilter_ipv4/ipt_NFQUEUE.h
  32. +4 −4 include/linux/netfilter_ipv4/ipt_comment.h
  33. +12 −19 include/linux/netfilter_ipv4/ipt_connbytes.h
  34. +2 −13 include/linux/netfilter_ipv4/ipt_connmark.h
  35. +17 −49 include/linux/netfilter_ipv4/ipt_conntrack.h
  36. +7 −15 include/linux/netfilter_ipv4/ipt_dccp.h
  37. +3 −4 include/linux/netfilter_ipv4/ipt_helper.h
  38. +2 −4 include/linux/netfilter_ipv4/ipt_length.h
  39. +3 −16 include/linux/netfilter_ipv4/ipt_limit.h
  40. +3 −4 include/linux/netfilter_ipv4/ipt_mac.h
  41. +4 −4 include/linux/netfilter_ipv4/ipt_mark.h
  42. +10 −17 include/linux/netfilter_ipv4/ipt_physdev.h
  43. +3 −4 include/linux/netfilter_ipv4/ipt_pkttype.h
  44. +2 −5 include/linux/netfilter_ipv4/ipt_realm.h
  45. +9 −7 include/linux/netfilter_ipv4/ipt_state.h
  46. +4 −12 include/linux/netfilter_ipv4/ipt_string.h
  47. +2 −4 include/linux/netfilter_ipv4/ipt_tcpmss.h
  48. +44 −164 include/linux/netfilter_ipv6/ip6_tables.h
  49. +5 −4 include/linux/netfilter_ipv6/ip6t_MARK.h
  50. +2 −4 include/linux/netfilter_ipv6/ip6t_length.h
  51. +4 −17 include/linux/netfilter_ipv6/ip6t_limit.h
  52. +4 −5 include/linux/netfilter_ipv6/ip6t_mac.h
  53. +4 −4 include/linux/netfilter_ipv6/ip6t_mark.h
  54. +10 −17 include/linux/netfilter_ipv6/ip6t_physdev.h
  55. +0 −3 include/net/netfilter/ipv4/nf_conntrack_ipv4.h
  56. +0 −3 include/net/netfilter/nf_conntrack.h
  57. +1 −0 net/bridge/netfilter/ebt_log.c
  58. +2 −248 net/ipv4/netfilter/Kconfig
  59. +0 −21 net/ipv4/netfilter/Makefile
  60. +79 −365 net/ipv4/netfilter/arp_tables.c
  61. +4 −3 net/ipv4/netfilter/arpt_mangle.c
  62. +1 −0 net/ipv4/netfilter/arptable_filter.c
  63. +2 −2 net/ipv4/netfilter/ip_conntrack_standalone.c
  64. +3 −2 net/ipv4/netfilter/ip_nat_rule.c
  65. +1 −1 net/ipv4/netfilter/ip_nat_standalone.c
  66. +95 −747 net/ipv4/netfilter/ip_tables.c
  67. +2 −1 net/ipv4/netfilter/ipt_CLUSTERIP.c
  68. +1 −1 net/ipv4/netfilter/ipt_DSCP.c
  69. +2 −1 net/ipv4/netfilter/ipt_ECN.c
  70. +1 −1 net/ipv4/netfilter/ipt_LOG.c
  71. +1 −1 net/ipv4/netfilter/ipt_MASQUERADE.c
  72. +1 −1 net/ipv4/netfilter/ipt_NETMAP.c
  73. +0 −70 net/ipv4/netfilter/ipt_NFQUEUE.c
  74. +1 −1 net/ipv4/netfilter/ipt_REDIRECT.c
  75. +2 −1 net/ipv4/netfilter/ipt_REJECT.c
  76. +1 −1 net/ipv4/netfilter/ipt_SAME.c
  77. +2 −1 net/ipv4/netfilter/ipt_TCPMSS.c
  78. +1 −1 net/ipv4/netfilter/ipt_TOS.c
  79. +1 −1 net/ipv4/netfilter/ipt_TTL.c
  80. +1 −1 net/ipv4/netfilter/ipt_ULOG.c
  81. +2 −2 net/ipv4/netfilter/ipt_addrtype.c
  82. +4 −2 net/ipv4/netfilter/ipt_ah.c
  83. +2 −2 net/ipv4/netfilter/ipt_dscp.c
  84. +3 −2 net/ipv4/netfilter/ipt_ecn.c
  85. +4 −2 net/ipv4/netfilter/ipt_esp.c
  86. +2 −1 net/ipv4/netfilter/ipt_hashlimit.c
  87. +2 −2 net/ipv4/netfilter/ipt_iprange.c
  88. +0 −64 net/ipv4/netfilter/ipt_length.c
  89. +6 −4 net/ipv4/netfilter/ipt_multiport.c
  90. +2 −1 net/ipv4/netfilter/ipt_owner.c
  91. +0 −135 net/ipv4/netfilter/ipt_physdev.c
  92. +4 −2 net/ipv4/netfilter/ipt_recent.c
  93. +2 −1 net/ipv4/netfilter/ipt_tos.c
  94. +2 −2 net/ipv4/netfilter/ipt_ttl.c
  95. +2 −1 net/ipv4/netfilter/iptable_filter.c
  96. +1 −0 net/ipv4/netfilter/iptable_mangle.c
  97. +2 −1 net/ipv4/netfilter/iptable_raw.c
  98. +1 −6 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
  99. +1 −71 net/ipv6/netfilter/Kconfig
  100. +0 −6 net/ipv6/netfilter/Makefile
  101. +101 −727 net/ipv6/netfilter/ip6_tables.c
  102. +1 −1 net/ipv6/netfilter/ip6t_HL.c
  103. +1 −1 net/ipv6/netfilter/ip6t_LOG.c
  104. +0 −81 net/ipv6/netfilter/ip6t_MARK.c
  105. +0 −70 net/ipv6/netfilter/ip6t_NFQUEUE.c
  106. +2 −1 net/ipv6/netfilter/ip6t_REJECT.c
  107. +1 −1 net/ipv6/netfilter/ip6t_ah.c
  108. +1 −1 net/ipv6/netfilter/ip6t_dst.c
  109. +1 −1 net/ipv6/netfilter/ip6t_esp.c
  110. +1 −1 net/ipv6/netfilter/ip6t_eui64.c
  111. +1 −1 net/ipv6/netfilter/ip6t_frag.c
  112. +1 −1 net/ipv6/netfilter/ip6t_hbh.c
  113. +1 −1 net/ipv6/netfilter/ip6t_hl.c
  114. +1 −1 net/ipv6/netfilter/ip6t_ipv6header.c
  115. +0 −66 net/ipv6/netfilter/ip6t_length.c
  116. +0 −147 net/ipv6/netfilter/ip6t_limit.c
  117. +0 −81 net/ipv6/netfilter/ip6t_mac.c
  118. +0 −66 net/ipv6/netfilter/ip6t_mark.c
  119. +2 −1 net/ipv6/netfilter/ip6t_multiport.c
  120. +1 −1 net/ipv6/netfilter/ip6t_owner.c
  121. +1 −1 net/ipv6/netfilter/ip6t_rt.c
  122. +1 −0 net/ipv6/netfilter/ip6table_filter.c
  123. +1 −0 net/ipv6/netfilter/ip6table_mangle.c
  124. +3 −2 net/ipv6/netfilter/ip6table_raw.c
  125. +1 −7 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
  126. +16 −29 net/ipv6/netfilter/nf_conntrack_reasm.c
  127. +258 −0 net/netfilter/Kconfig
  128. +34 −3 net/netfilter/Makefile
  129. +2 −2 net/netfilter/nf_conntrack_standalone.c
  130. +624 −0 net/netfilter/x_tables.c
  131. +30 −11 net/{ipv4/netfilter/ipt_CLASSIFY.c → netfilter/xt_CLASSIFY.c}
  132. +35 −16 net/{ipv4/netfilter/ipt_CONNMARK.c → netfilter/xt_CONNMARK.c}
  133. +49 −30 net/{ipv4/netfilter/ipt_MARK.c → netfilter/xt_MARK.c}
  134. +107 −0 net/netfilter/xt_NFQUEUE.c
  135. +27 −11 net/{ipv4/netfilter/ipt_NOTRACK.c → netfilter/xt_NOTRACK.c}
  136. +28 −7 net/{ipv4/netfilter/ipt_comment.c → netfilter/xt_comment.c}
  137. +46 −27 net/{ipv4/netfilter/ipt_connbytes.c → netfilter/xt_connbytes.c}
  138. +31 −10 net/{ipv4/netfilter/ipt_connmark.c → netfilter/xt_connmark.c}
  139. +58 −52 net/{ipv4/netfilter/ipt_conntrack.c → netfilter/xt_conntrack.c}
  140. +75 −30 net/{ipv4/netfilter/ipt_dccp.c → netfilter/xt_dccp.c}
  141. +38 −18 net/{ipv4/netfilter/ipt_helper.c → netfilter/xt_helper.c}
  142. +98 −0 net/netfilter/xt_length.c
  143. +33 −15 net/{ipv4/netfilter/ipt_limit.c → netfilter/xt_limit.c}
  144. +29 −9 net/{ipv4/netfilter/ipt_mac.c → netfilter/xt_mac.c}
  145. +29 −9 net/{ipv4/netfilter/ipt_mark.c → netfilter/xt_mark.c}
  146. +51 −31 net/{ipv6/netfilter/ip6t_physdev.c → netfilter/xt_physdev.c}
  147. +29 −17 net/{ipv4/netfilter/ipt_pkttype.c → netfilter/xt_pkttype.c}
  148. +14 −11 net/{ipv4/netfilter/ipt_realm.c → netfilter/xt_realm.c}
  149. +78 −31 net/{ipv4/netfilter/ipt_sctp.c → netfilter/xt_sctp.c}
  150. +36 −14 net/{ipv4/netfilter/ipt_state.c → netfilter/xt_state.c}
  151. +30 −10 net/{ipv4/netfilter/ipt_string.c → netfilter/xt_string.c}
  152. +57 −12 net/{ipv4/netfilter/ipt_tcpmss.c → netfilter/xt_tcpmss.c}
  153. +333 −0 net/netfilter/xt_tcpudp.c
  154. +1 −1 net/sched/act_ipt.c
@@ -154,6 +154,9 @@ struct ip_conntrack_stat
unsigned int expect_delete;
};

/* call to create an explicit dependency on nf_conntrack. */
extern void need_conntrack(void);

#endif /* __KERNEL__ */

#endif /* _NF_CONNTRACK_COMMON_H */
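--- /dev/null
+++ b/include/linux/netfilter/x_tables.h
@@ -0,0 +1,224 @@
+#ifndef _X_TABLES_H
+#define _X_TABLES_H
+
+#define XT_FUNCTION_MAXNAMELEN 30
+#define XT_TABLE_MAXNAMELEN 32
+
+/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
+* kernel supports, if >= revision. */
+struct xt_get_revision
+{
+char name[XT_FUNCTION_MAXNAMELEN-1];
+
+u_int8_t revision;
+};
+
+/* CONTINUE verdict for targets */
+#define XT_CONTINUE 0xFFFFFFFF
+
+/* For standard target */
+#define XT_RETURN (-NF_REPEAT - 1)
+
+#define XT_ALIGN(s) (((s) + (__alignof__(void *)-1)) & ~(__alignof__(void *)-1))
+
+/* Standard return verdict, or do jump. */
+#define XT_STANDARD_TARGET ""
+/* Error verdict. */
+#define XT_ERROR_TARGET "ERROR"
+
+/*
+* New IP firewall options for [gs]etsockopt at the RAW IP level.
+* Unlike BSD Linux inherits IP options so you don't have to use a raw
+* socket for this. Instead we check rights in the calls. */
+#define XT_BASE_CTL 64 /* base for firewall socket options */
+
+#define XT_SO_SET_REPLACE (XT_BASE_CTL)
+#define XT_SO_SET_ADD_COUNTERS (XT_BASE_CTL + 1)
+#define XT_SO_SET_MAX XT_SO_SET_ADD_COUNTERS
+
+#define XT_SO_GET_INFO (XT_BASE_CTL)
+#define XT_SO_GET_ENTRIES (XT_BASE_CTL + 1)
+#define XT_SO_GET_REVISION_MATCH (XT_BASE_CTL + 2)
+#define XT_SO_GET_REVISION_TARGET (XT_BASE_CTL + 3)
+#define XT_SO_GET_MAX XT_SO_GET_REVISION_TARGET
+
+#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
+#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
+
+struct xt_counters
+{
+u_int64_t pcnt, bcnt; /* Packet and byte counters */
+};
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+struct xt_counters_info
+{
+/* Which table. */
+char name[XT_TABLE_MAXNAMELEN];
+
+unsigned int num_counters;
+
+/* The counters (actually `number' of these). */
+struct xt_counters counters[0];
+};
+
+#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
+
+#ifdef __KERNEL__
+
+#include <linux/netdevice.h>
+
+#define ASSERT_READ_LOCK(x)
+#define ASSERT_WRITE_LOCK(x)
+#include <linux/netfilter_ipv4/listhelp.h>
+
+struct xt_match
+{
+struct list_head list;
+
+const char name[XT_FUNCTION_MAXNAMELEN-1];
+
+u_int8_t revision;
+
+/* Return true or false: return FALSE and set *hotdrop = 1 to
+force immediate packet drop. */
+/* Arguments changed since 2.6.9, as this must now handle
+non-linear skb, using skb_header_pointer and
+skb_ip_make_writable. */
+int (*match)(const struct sk_buff *skb,
+const struct net_device *in,
+const struct net_device *out,
+const void *matchinfo,
+int offset,
+unsigned int protoff,
+int *hotdrop);
+
+/* Called when user tries to insert an entry of this type. */
+/* Should return true or false. */
+int (*checkentry)(const char *tablename,
+const void *ip,
+void *matchinfo,
+unsigned int matchinfosize,
+unsigned int hook_mask);
+
+/* Called when entry of this type deleted. */
+void (*destroy)(void *matchinfo, unsigned int matchinfosize);
+
+/* Set this to THIS_MODULE if you are a module, otherwise NULL */
+struct module *me;
+};
+
+/* Registration hooks for targets. */
+struct xt_target
+{
+struct list_head list;
+
+const char name[XT_FUNCTION_MAXNAMELEN-1];
+
+u_int8_t revision;
+
+/* Returns verdict. Argument order changed since 2.6.9, as this
+must now handle non-linear skbs, using skb_copy_bits and
+skb_ip_make_writable. */
+unsigned int (*target)(struct sk_buff **pskb,
+const struct net_device *in,
+const struct net_device *out,
+unsigned int hooknum,
+const void *targinfo,
+void *userdata);
+
+/* Called when user tries to insert an entry of this type:
+hook_mask is a bitmask of hooks from which it can be
+called. */
+/* Should return true or false. */
+int (*checkentry)(const char *tablename,
+const void *entry,
+void *targinfo,
+unsigned int targinfosize,
+unsigned int hook_mask);
+
+/* Called when entry of this type deleted. */
+void (*destroy)(void *targinfo, unsigned int targinfosize);
+
+/* Set this to THIS_MODULE if you are a module, otherwise NULL */
+struct module *me;
+};
+
+/* Furniture shopping... */
+struct xt_table
+{
+struct list_head list;
+
+/* A unique name... */
+char name[XT_TABLE_MAXNAMELEN];
+
+/* What hooks you will enter on */
+unsigned int valid_hooks;
+
+/* Lock for the curtain */
+rwlock_t lock;
+
+/* Man behind the curtain... */
+//struct ip6t_table_info *private;
+void *private;
+
+/* Set this to THIS_MODULE if you are a module, otherwise NULL */
+struct module *me;
+
+int af; /* address/protocol family */
+};
+
+#include <linux/netfilter_ipv4.h>
+
+/* The table itself */
+struct xt_table_info
+{
+/* Size per table */
+unsigned int size;
+/* Number of entries: FIXME. --RR */
+unsigned int number;
+/* Initial number of entries. Needed for module usage count */
+unsigned int initial_entries;
+
+/* Entry points and underflows */
+unsigned int hook_entry[NF_IP_NUMHOOKS];
+unsigned int underflow[NF_IP_NUMHOOKS];
+
+/* ipt_entry tables: one per CPU */
+char *entries[NR_CPUS];
+};
+
+extern int xt_register_target(int af, struct xt_target *target);
+extern void xt_unregister_target(int af, struct xt_target *target);
+extern int xt_register_match(int af, struct xt_match *target);
+extern void xt_unregister_match(int af, struct xt_match *target);
+
+extern int xt_register_table(struct xt_table *table,
+struct xt_table_info *bootstrap,
+struct xt_table_info *newinfo);
+extern void *xt_unregister_table(struct xt_table *table);
+
+extern struct xt_table_info *xt_replace_table(struct xt_table *table,
+unsigned int num_counters,
+struct xt_table_info *newinfo,
+int *error);
+
+extern struct xt_match *xt_find_match(int af, const char *name, u8 revision);
+extern struct xt_target *xt_find_target(int af, const char *name, u8 revision);
+extern struct xt_target *xt_request_find_target(int af, const char *name,
+u8 revision);
+extern int xt_find_revision(int af, const char *name, u8 revision, int target,
+int *err);
+
+extern struct xt_table *xt_find_table_lock(int af, const char *name);
+extern void xt_table_unlock(struct xt_table *t);
+
+extern int xt_proto_init(int af);
+extern void xt_proto_fini(int af);
+
+extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
+extern void xt_free_table_info(struct xt_table_info *info);
+
+#endif /* __KERNEL__ */
+
+#endif /* _X_TABLES_H */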
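Review bot: `struct xt_get_revision` and `struct xt_counters_info` are the userspace-supplied arguments of the XT_SO_GET_REVISION_* and XT_SO_SET_ADD_COUNTERS socket options (their own comments say so), yet the header states neither that `name` arrives without a guaranteed NUL terminator nor that `num_counters` is an unchecked count; a comment on each struct such as `/* Copied verbatim from userspace: the consumer must force name[sizeof(name)-1] = '\0' before any string compare, and must bound num_counters against the table before multiplying it into an allocation size */` would pin those obligations for the ip_tables, ip6_tables and arp_tables callers this header now serves. Those same comments still reference `IPT_SO_GET_REVISION_*` and `IPT_SO_ADD_COUNTERS` instead of the XT_SO_* constants defined a few lines below. `struct xt_counters counters[0];` is the GCC zero-length extension; the C99 flexible array member `struct xt_counters counters[];` expresses the same layout portably. The commented-out `//struct ip6t_table_info *private;` above `void *private;` is dead text and should be dropped. `xt_register_match`/`xt_unregister_match` name their `struct xt_match *` parameter `target`, which reads as a copy-paste slip from the target variants.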
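--- /dev/null
+++ b/include/linux/netfilter/xt_CLASSIFY.h
@@ -0,0 +1,8 @@
+#ifndef _XT_CLASSIFY_H
+#define _XT_CLASSIFY_H
+
+struct xt_classify_target_info {
+u_int32_t priority;
+};
+
+#endif /*_XT_CLASSIFY_H */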
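--- /dev/null
+++ b/include/linux/netfilter/xt_CONNMARK.h
@@ -0,0 +1,25 @@
+#ifndef _XT_CONNMARK_H_target
+#define _XT_CONNMARK_H_target
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+* by Henrik Nordstrom <hno@marasystems.com>
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*/
+
+enum {
+XT_CONNMARK_SET = 0,
+XT_CONNMARK_SAVE,
+XT_CONNMARK_RESTORE
+};
+
+struct xt_connmark_target_info {
+unsigned long mark;
+unsigned long mask;
+u_int8_t mode;
+};
+
+#endif /*_XT_CONNMARK_H_target*/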
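Review bot: `struct xt_connmark_target_info` is a userspace-facing ABI struct, but `mark` and `mask` are `unsigned long`, whose size differs between 32-bit and 64-bit userspace, so a 32-bit iptables talking to a 64-bit kernel passes a struct of a different size and layout than the kernel expects; the same issue is in `struct xt_mark_target_info`/`xt_mark_target_info_v1` in xt_MARK.h and `struct xt_connmark_info` in xt_connmark.h. The `mode` field next to it already uses a fixed-width `u_int8_t`, so the inconsistency is visible within the struct itself. Since this header presumably keeps the layout of the ipt_CONNMARK.h it replaces for compatibility with existing iptables binaries, the immediate fix is a comment such as `/* ABI: unsigned long differs between 32- and 64-bit userspace; needs a compat layer or a fixed-width (u_int32_t) revision */` on each of these fields, with the fixed-width revision as a follow-up.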
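--- /dev/null
+++ b/include/linux/netfilter/xt_MARK.h
@@ -0,0 +1,21 @@
+#ifndef _XT_MARK_H_target
+#define _XT_MARK_H_target
+
+/* Version 0 */
+struct xt_mark_target_info {
+unsigned long mark;
+};
+
+/* Version 1 */
+enum {
+XT_MARK_SET=0,
+XT_MARK_AND,
+XT_MARK_OR,
+};
+
+struct xt_mark_target_info_v1 {
+unsigned long mark;
+u_int8_t mode;
+};
+
+#endif /*_XT_MARK_H_target */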
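--- /dev/null
+++ b/include/linux/netfilter/xt_NFQUEUE.h
@@ -0,0 +1,16 @@
+/* iptables module for using NFQUEUE mechanism
+*
+* (C) 2005 Harald Welte <laforge@netfilter.org>
+*
+* This software is distributed under GNU GPL v2, 1991
+*
+*/
+#ifndef _XT_NFQ_TARGET_H
+#define _XT_NFQ_TARGET_H
+
+/* target info */
+struct xt_NFQ_info {
+u_int16_t queuenum;
+};
+
+#endif /* _XT_NFQ_TARGET_H */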
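Review bot: The file header still describes this as an `iptables module`, although the header now lives under include/linux/netfilter/ and, per the commit description, serves ip_tables and ip6_tables alike; `/* x_tables module for using NFQUEUE mechanism */` would match the move. The `/* target info */` comment could also say what `queuenum` is, e.g. `/* nfnetlink_queue number the packet is enqueued to; supplied by userspace */`, since it is the only field of a userspace-facing struct.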
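--- /dev/null
+++ b/include/linux/netfilter/xt_comment.h
@@ -0,0 +1,10 @@
+#ifndef _XT_COMMENT_H
+#define _XT_COMMENT_H
+
+#define XT_MAX_COMMENT_LEN 256
+
+struct xt_comment_info {
+unsigned char comment[XT_MAX_COMMENT_LEN];
+};
+
+#endif /* XT_COMMENT_H */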
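Review bot: The closing guard comment `#endif /* XT_COMMENT_H */` does not match the guard macro `_XT_COMMENT_H` opened at the top; it should read `#endif /* _XT_COMMENT_H */`. The `comment` array is filled by userspace and nothing here says whether it is NUL-terminated, so a field comment such as `/* opaque user text; not guaranteed NUL-terminated, never print as a C string without bounding */` would keep consumers from treating it as one.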
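--- /dev/null
+++ b/include/linux/netfilter/xt_connbytes.h
@@ -0,0 +1,25 @@
+#ifndef _XT_CONNBYTES_H
+#define _XT_CONNBYTES_H
+
+enum xt_connbytes_what {
+XT_CONNBYTES_PKTS,
+XT_CONNBYTES_BYTES,
+XT_CONNBYTES_AVGPKT,
+};
+
+enum xt_connbytes_direction {
+XT_CONNBYTES_DIR_ORIGINAL,
+XT_CONNBYTES_DIR_REPLY,
+XT_CONNBYTES_DIR_BOTH,
+};
+
+struct xt_connbytes_info
+{
+struct {
+aligned_u64 from; /* count to be matched */
+aligned_u64 to; /* count to be matched */
+} count;
+u_int8_t what; /* ipt_connbytes_what */
+u_int8_t direction; /* ipt_connbytes_direction */
+};
+#endif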
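Review bot: The field comments on `what` and `direction` still name `ipt_connbytes_what` and `ipt_connbytes_direction`, but the enums defined above in this same file are `xt_connbytes_what` and `xt_connbytes_direction`; the comments should be `/* enum xt_connbytes_what */` and `/* enum xt_connbytes_direction */`. Both fields are `u_int8_t` copies of enum values supplied by userspace, so a note that the checkentry side must range-check them against the enums would be useful here. The closing `#endif` is also the only one in this series of headers without a `/* _XT_CONNBYTES_H */` guard comment.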
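--- /dev/null
+++ b/include/linux/netfilter/xt_connmark.h
@@ -0,0 +1,18 @@
+#ifndef _XT_CONNMARK_H
+#define _XT_CONNMARK_H
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+* by Henrik Nordstrom <hno@marasystems.com>
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*/
+
+struct xt_connmark_info {
+unsigned long mark, mask;
+u_int8_t invert;
+};
+
+#endif /*_XT_CONNMARK_H*/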
