diff options
| author | Scott Wood <scottwood@freescale.com> | 2014-04-07 23:49:35 (GMT) |
|---|---|---|
| committer | Scott Wood <scottwood@freescale.com> | 2014-04-07 23:49:35 (GMT) |
| commit | 62b8c978ee6b8d135d9e7953221de58000dba986 (patch) | |
| tree | 683b04b2e627f6710c22c151b23c8cc9a165315e /include/net/netfilter | |
| parent | 78fd82238d0e5716578c326404184a27ba67fd6e (diff) | |
| download | linux-fsl-qoriq-62b8c978ee6b8d135d9e7953221de58000dba986.tar.xz | |
Rewind v3.13-rc3+ (78fd82238d0e5716) to v3.12
Diffstat (limited to 'include/net/netfilter')
26 files changed, 249 insertions, 839 deletions
diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h index 6c3d12e..7573d52 100644 --- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h +++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h @@ -16,9 +16,9 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4; extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4; extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp; -int nf_conntrack_ipv4_compat_init(void); -void nf_conntrack_ipv4_compat_fini(void); +extern int nf_conntrack_ipv4_compat_init(void); +extern void nf_conntrack_ipv4_compat_fini(void); -void need_ipv4_conntrack(void); +extern void need_ipv4_conntrack(void); #endif /*_NF_CONNTRACK_IPV4_H*/ diff --git a/include/net/netfilter/ipv4/nf_defrag_ipv4.h b/include/net/netfilter/ipv4/nf_defrag_ipv4.h index f01ef20..6b00ea3 100644 --- a/include/net/netfilter/ipv4/nf_defrag_ipv4.h +++ b/include/net/netfilter/ipv4/nf_defrag_ipv4.h @@ -1,6 +1,6 @@ #ifndef _NF_DEFRAG_IPV4_H #define _NF_DEFRAG_IPV4_H -void nf_defrag_ipv4_enable(void); +extern void nf_defrag_ipv4_enable(void); #endif /* _NF_DEFRAG_IPV4_H */ diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h index 27666d8..fd79c9a 100644 --- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h +++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h @@ -1,12 +1,15 @@ #ifndef _NF_DEFRAG_IPV6_H #define _NF_DEFRAG_IPV6_H -void nf_defrag_ipv6_enable(void); +extern void nf_defrag_ipv6_enable(void); -int nf_ct_frag6_init(void); -void nf_ct_frag6_cleanup(void); -struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user); -void nf_ct_frag6_consume_orig(struct sk_buff *skb); +extern int nf_ct_frag6_init(void); +extern void nf_ct_frag6_cleanup(void); +extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user); +extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, + struct net_device *in, + struct net_device *out, + int (*okfn)(struct sk_buff *)); struct inet_frags_ctl; diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 01ea6ee..0c1288a 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -139,13 +139,15 @@ static inline struct net *nf_ct_net(const struct nf_conn *ct) } /* Alter reply tuple (maybe alter helper). */ -void nf_conntrack_alter_reply(struct nf_conn *ct, - const struct nf_conntrack_tuple *newreply); +extern void +nf_conntrack_alter_reply(struct nf_conn *ct, + const struct nf_conntrack_tuple *newreply); /* Is this tuple taken? (ignoring any belonging to the given conntrack). */ -int nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, - const struct nf_conn *ignored_conntrack); +extern int +nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, + const struct nf_conn *ignored_conntrack); /* Return conntrack_info and tuple hash for given skb. */ static inline struct nf_conn * @@ -163,34 +165,37 @@ static inline void nf_ct_put(struct nf_conn *ct) } /* Protocol module loading */ -int nf_ct_l3proto_try_module_get(unsigned short l3proto); -void nf_ct_l3proto_module_put(unsigned short l3proto); +extern int nf_ct_l3proto_try_module_get(unsigned short l3proto); +extern void nf_ct_l3proto_module_put(unsigned short l3proto); /* * Allocate a hashtable of hlist_head (if nulls == 0), * or hlist_nulls_head (if nulls == 1) */ -void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls); +extern void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls); -void nf_ct_free_hashtable(void *hash, unsigned int size); +extern void nf_ct_free_hashtable(void *hash, unsigned int size); -struct nf_conntrack_tuple_hash * +extern struct nf_conntrack_tuple_hash * __nf_conntrack_find(struct net *net, u16 zone, const struct nf_conntrack_tuple *tuple); -int nf_conntrack_hash_check_insert(struct nf_conn *ct); +extern int nf_conntrack_hash_check_insert(struct nf_conn *ct); bool nf_ct_delete(struct nf_conn *ct, u32 pid, int report); -void nf_conntrack_flush_report(struct net *net, u32 portid, int report); +extern void nf_conntrack_flush_report(struct net *net, u32 portid, int report); -bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff, - u_int16_t l3num, struct nf_conntrack_tuple *tuple); -bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, - const struct nf_conntrack_tuple *orig); +extern bool nf_ct_get_tuplepr(const struct sk_buff *skb, + unsigned int nhoff, u_int16_t l3num, + struct nf_conntrack_tuple *tuple); +extern bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, + const struct nf_conntrack_tuple *orig); -void __nf_ct_refresh_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo, - const struct sk_buff *skb, - unsigned long extra_jiffies, int do_acct); +extern void __nf_ct_refresh_acct(struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + const struct sk_buff *skb, + unsigned long extra_jiffies, + int do_acct); /* Refresh conntrack for this many jiffies and do accounting */ static inline void nf_ct_refresh_acct(struct nf_conn *ct, @@ -209,8 +214,10 @@ static inline void nf_ct_refresh(struct nf_conn *ct, __nf_ct_refresh_acct(ct, 0, skb, extra_jiffies, 0); } -bool __nf_ct_kill_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo, - const struct sk_buff *skb, int do_acct); +extern bool __nf_ct_kill_acct(struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + const struct sk_buff *skb, + int do_acct); /* kill conntrack and do accounting */ static inline bool nf_ct_kill_acct(struct nf_conn *ct, @@ -237,17 +244,19 @@ static inline struct nf_conn *nf_ct_untracked_get(void) { return &__raw_get_cpu_var(nf_conntrack_untracked); } -void nf_ct_untracked_status_or(unsigned long bits); +extern void nf_ct_untracked_status_or(unsigned long bits); /* Iterate over all conntracks: if iter returns true, it's deleted. */ -void nf_ct_iterate_cleanup(struct net *net, - int (*iter)(struct nf_conn *i, void *data), - void *data, u32 portid, int report); -void nf_conntrack_free(struct nf_conn *ct); -struct nf_conn *nf_conntrack_alloc(struct net *net, u16 zone, - const struct nf_conntrack_tuple *orig, - const struct nf_conntrack_tuple *repl, - gfp_t gfp); +extern void +nf_ct_iterate_cleanup(struct net *net, + int (*iter)(struct nf_conn *i, void *data), + void *data, u32 portid, int report); +extern void nf_conntrack_free(struct nf_conn *ct); +extern struct nf_conn * +nf_conntrack_alloc(struct net *net, u16 zone, + const struct nf_conntrack_tuple *orig, + const struct nf_conntrack_tuple *repl, + gfp_t gfp); static inline int nf_ct_is_template(const struct nf_conn *ct) { @@ -278,7 +287,7 @@ static inline bool nf_is_loopback_packet(const struct sk_buff *skb) struct kernel_param; -int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp); +extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp); extern unsigned int nf_conntrack_htable_size; extern unsigned int nf_conntrack_max; extern unsigned int nf_conntrack_hash_rnd; diff --git a/include/net/netfilter/nf_conntrack_acct.h b/include/net/netfilter/nf_conntrack_acct.h index 79d8d16..2bdb7a1 100644 --- a/include/net/netfilter/nf_conntrack_acct.h +++ b/include/net/netfilter/nf_conntrack_acct.h @@ -19,21 +19,17 @@ struct nf_conn_counter { atomic64_t bytes; }; -struct nf_conn_acct { - struct nf_conn_counter counter[IP_CT_DIR_MAX]; -}; - static inline -struct nf_conn_acct *nf_conn_acct_find(const struct nf_conn *ct) +struct nf_conn_counter *nf_conn_acct_find(const struct nf_conn *ct) { return nf_ct_ext_find(ct, NF_CT_EXT_ACCT); } static inline -struct nf_conn_acct *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp) +struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp) { struct net *net = nf_ct_net(ct); - struct nf_conn_acct *acct; + struct nf_conn_counter *acct; if (!net->ct.sysctl_acct) return NULL; @@ -46,8 +42,8 @@ struct nf_conn_acct *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp) return acct; }; -unsigned int seq_print_acct(struct seq_file *s, const struct nf_conn *ct, - int dir); +extern unsigned int +seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir); /* Check if connection tracking accounting is enabled */ static inline bool nf_ct_acct_enabled(struct net *net) @@ -61,9 +57,9 @@ static inline void nf_ct_set_acct(struct net *net, bool enable) net->ct.sysctl_acct = enable; } -int nf_conntrack_acct_pernet_init(struct net *net); -void nf_conntrack_acct_pernet_fini(struct net *net); +extern int nf_conntrack_acct_pernet_init(struct net *net); +extern void nf_conntrack_acct_pernet_fini(struct net *net); -int nf_conntrack_acct_init(void); -void nf_conntrack_acct_fini(void); +extern int nf_conntrack_acct_init(void); +extern void nf_conntrack_acct_fini(void); #endif /* _NF_CONNTRACK_ACCT_H */ diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h index 15308b8..fb2b623 100644 --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h @@ -20,42 +20,49 @@ /* This header is used to share core functionality between the standalone connection tracking module, and the compatibility layer's use of connection tracking. */ -unsigned int nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, - struct sk_buff *skb); - -int nf_conntrack_init_net(struct net *net); -void nf_conntrack_cleanup_net(struct net *net); -void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list); - -int nf_conntrack_proto_pernet_init(struct net *net); -void nf_conntrack_proto_pernet_fini(struct net *net); - -int nf_conntrack_proto_init(void); -void nf_conntrack_proto_fini(void); - -int nf_conntrack_init_start(void); -void nf_conntrack_cleanup_start(void); - -void nf_conntrack_init_end(void); -void nf_conntrack_cleanup_end(void); - -bool nf_ct_get_tuple(const struct sk_buff *skb, unsigned int nhoff, - unsigned int dataoff, u_int16_t l3num, u_int8_t protonum, - struct nf_conntrack_tuple *tuple, - const struct nf_conntrack_l3proto *l3proto, - const struct nf_conntrack_l4proto *l4proto); - -bool nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, - const struct nf_conntrack_tuple *orig, - const struct nf_conntrack_l3proto *l3proto, - const struct nf_conntrack_l4proto *l4proto); +extern unsigned int nf_conntrack_in(struct net *net, + u_int8_t pf, + unsigned int hooknum, + struct sk_buff *skb); + +extern int nf_conntrack_init_net(struct net *net); +extern void nf_conntrack_cleanup_net(struct net *net); +extern void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list); + +extern int nf_conntrack_proto_pernet_init(struct net *net); +extern void nf_conntrack_proto_pernet_fini(struct net *net); + +extern int nf_conntrack_proto_init(void); +extern void nf_conntrack_proto_fini(void); + +extern int nf_conntrack_init_start(void); +extern void nf_conntrack_cleanup_start(void); + +extern void nf_conntrack_init_end(void); +extern void nf_conntrack_cleanup_end(void); + +extern bool +nf_ct_get_tuple(const struct sk_buff *skb, + unsigned int nhoff, + unsigned int dataoff, + u_int16_t l3num, + u_int8_t protonum, + struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_l3proto *l3proto, + const struct nf_conntrack_l4proto *l4proto); + +extern bool +nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, + const struct nf_conntrack_tuple *orig, + const struct nf_conntrack_l3proto *l3proto, + const struct nf_conntrack_l4proto *l4proto); /* Find a connection corresponding to a tuple. */ -struct nf_conntrack_tuple_hash * +extern struct nf_conntrack_tuple_hash * nf_conntrack_find_get(struct net *net, u16 zone, const struct nf_conntrack_tuple *tuple); -int __nf_conntrack_confirm(struct sk_buff *skb); +extern int __nf_conntrack_confirm(struct sk_buff *skb); /* Confirm a connection: returns NF_DROP if packet must be dropped. */ static inline int nf_conntrack_confirm(struct sk_buff *skb) diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h index 0e3d08e..092dc65 100644 --- a/include/net/netfilter/nf_conntrack_ecache.h +++ b/include/net/netfilter/nf_conntrack_ecache.h @@ -68,12 +68,10 @@ struct nf_ct_event_notifier { int (*fcn)(unsigned int events, struct nf_ct_event *item); }; -int nf_conntrack_register_notifier(struct net *net, - struct nf_ct_event_notifier *nb); -void nf_conntrack_unregister_notifier(struct net *net, - struct nf_ct_event_notifier *nb); +extern int nf_conntrack_register_notifier(struct net *net, struct nf_ct_event_notifier *nb); +extern void nf_conntrack_unregister_notifier(struct net *net, struct nf_ct_event_notifier *nb); -void nf_ct_deliver_cached_events(struct nf_conn *ct); +extern void nf_ct_deliver_cached_events(struct nf_conn *ct); static inline void nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct) @@ -168,10 +166,8 @@ struct nf_exp_event_notifier { int (*fcn)(unsigned int events, struct nf_exp_event *item); }; -int nf_ct_expect_register_notifier(struct net *net, - struct nf_exp_event_notifier *nb); -void nf_ct_expect_unregister_notifier(struct net *net, - struct nf_exp_event_notifier *nb); +extern int nf_ct_expect_register_notifier(struct net *net, struct nf_exp_event_notifier *nb); +extern void nf_ct_expect_unregister_notifier(struct net *net, struct nf_exp_event_notifier *nb); static inline void nf_ct_expect_event_report(enum ip_conntrack_expect_events event, @@ -211,11 +207,11 @@ nf_ct_expect_event(enum ip_conntrack_expect_events event, nf_ct_expect_event_report(event, exp, 0, 0); } -int nf_conntrack_ecache_pernet_init(struct net *net); -void nf_conntrack_ecache_pernet_fini(struct net *net); +extern int nf_conntrack_ecache_pernet_init(struct net *net); +extern void nf_conntrack_ecache_pernet_fini(struct net *net); -int nf_conntrack_ecache_init(void); -void nf_conntrack_ecache_fini(void); +extern int nf_conntrack_ecache_init(void); +extern void nf_conntrack_ecache_fini(void); #else /* CONFIG_NF_CONNTRACK_EVENTS */ static inline void nf_conntrack_event_cache(enum ip_conntrack_events event, diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h index 956b175..88a1d40 100644 --- a/include/net/netfilter/nf_conntrack_extend.h +++ b/include/net/netfilter/nf_conntrack_extend.h @@ -36,7 +36,7 @@ enum nf_ct_ext_id { #define NF_CT_EXT_HELPER_TYPE struct nf_conn_help #define NF_CT_EXT_NAT_TYPE struct nf_conn_nat #define NF_CT_EXT_SEQADJ_TYPE struct nf_conn_seqadj -#define NF_CT_EXT_ACCT_TYPE struct nf_conn_acct +#define NF_CT_EXT_ACCT_TYPE struct nf_conn_counter #define NF_CT_EXT_ECACHE_TYPE struct nf_conntrack_ecache #define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone #define NF_CT_EXT_TSTAMP_TYPE struct nf_conn_tstamp @@ -73,7 +73,7 @@ static inline void *__nf_ct_ext_find(const struct nf_conn *ct, u8 id) ((id##_TYPE *)__nf_ct_ext_find((ext), (id))) /* Destroy all relationships */ -void __nf_ct_ext_destroy(struct nf_conn *ct); +extern void __nf_ct_ext_destroy(struct nf_conn *ct); static inline void nf_ct_ext_destroy(struct nf_conn *ct) { if (ct->ext) diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index 6cf614bc..26c4ae5 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h @@ -52,24 +52,21 @@ struct nf_conntrack_helper { unsigned int queue_num; /* For user-space helpers. */ }; -struct nf_conntrack_helper *__nf_conntrack_helper_find(const char *name, - u16 l3num, u8 protonum); +extern struct nf_conntrack_helper * +__nf_conntrack_helper_find(const char *name, u16 l3num, u8 protonum); -struct nf_conntrack_helper *nf_conntrack_helper_try_module_get(const char *name, - u16 l3num, - u8 protonum); +extern struct nf_conntrack_helper * +nf_conntrack_helper_try_module_get(const char *name, u16 l3num, u8 protonum); -int nf_conntrack_helper_register(struct nf_conntrack_helper *); -void nf_conntrack_helper_unregister(struct nf_conntrack_helper *); +extern int nf_conntrack_helper_register(struct nf_conntrack_helper *); +extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *); -struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, - struct nf_conntrack_helper *helper, - gfp_t gfp); +extern struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, struct nf_conntrack_helper *helper, gfp_t gfp); -int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, - gfp_t flags); +extern int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, + gfp_t flags); -void nf_ct_helper_destroy(struct nf_conn *ct); +extern void nf_ct_helper_destroy(struct nf_conn *ct); static inline struct nf_conn_help *nfct_help(const struct nf_conn *ct) { @@ -85,16 +82,17 @@ static inline void *nfct_help_data(const struct nf_conn *ct) return (void *)help->data; } -int nf_conntrack_helper_pernet_init(struct net *net); -void nf_conntrack_helper_pernet_fini(struct net *net); +extern int nf_conntrack_helper_pernet_init(struct net *net); +extern void nf_conntrack_helper_pernet_fini(struct net *net); -int nf_conntrack_helper_init(void); -void nf_conntrack_helper_fini(void); +extern int nf_conntrack_helper_init(void); +extern void nf_conntrack_helper_fini(void); -int nf_conntrack_broadcast_help(struct sk_buff *skb, unsigned int protoff, - struct nf_conn *ct, - enum ip_conntrack_info ctinfo, - unsigned int timeout); +extern int nf_conntrack_broadcast_help(struct sk_buff *skb, + unsigned int protoff, + struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + unsigned int timeout); struct nf_ct_helper_expectfn { struct list_head head; diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h index 3efab70..3bb89ea 100644 --- a/include/net/netfilter/nf_conntrack_l3proto.h +++ b/include/net/netfilter/nf_conntrack_l3proto.h @@ -77,17 +77,17 @@ struct nf_conntrack_l3proto { extern struct nf_conntrack_l3proto __rcu *nf_ct_l3protos[AF_MAX]; /* Protocol pernet registration. */ -int nf_ct_l3proto_pernet_register(struct net *net, - struct nf_conntrack_l3proto *proto); -void nf_ct_l3proto_pernet_unregister(struct net *net, - struct nf_conntrack_l3proto *proto); +extern int nf_ct_l3proto_pernet_register(struct net *net, + struct nf_conntrack_l3proto *proto); +extern void nf_ct_l3proto_pernet_unregister(struct net *net, + struct nf_conntrack_l3proto *proto); /* Protocol global registration. */ -int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto); -void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto); +extern int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto); +extern void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto); -struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto); -void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p); +extern struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto); +extern void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p); /* Existing built-in protocols */ extern struct nf_conntrack_l3proto nf_conntrack_l3proto_generic; diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h index 4c8d573..b411d7b 100644 --- a/include/net/netfilter/nf_conntrack_l4proto.h +++ b/include/net/netfilter/nf_conntrack_l4proto.h @@ -114,22 +114,22 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_generic; #define MAX_NF_CT_PROTO 256 -struct nf_conntrack_l4proto *__nf_ct_l4proto_find(u_int16_t l3proto, - u_int8_t l4proto); +extern struct nf_conntrack_l4proto * +__nf_ct_l4proto_find(u_int16_t l3proto, u_int8_t l4proto); -struct nf_conntrack_l4proto *nf_ct_l4proto_find_get(u_int16_t l3proto, - u_int8_t l4proto); -void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p); +extern struct nf_conntrack_l4proto * +nf_ct_l4proto_find_get(u_int16_t l3proto, u_int8_t l4proto); +extern void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p); /* Protocol pernet registration. */ -int nf_ct_l4proto_pernet_register(struct net *net, - struct nf_conntrack_l4proto *proto); -void nf_ct_l4proto_pernet_unregister(struct net *net, - struct nf_conntrack_l4proto *proto); +extern int nf_ct_l4proto_pernet_register(struct net *net, + struct nf_conntrack_l4proto *proto); +extern void nf_ct_l4proto_pernet_unregister(struct net *net, + struct nf_conntrack_l4proto *proto); /* Protocol global registration. */ -int nf_ct_l4proto_register(struct nf_conntrack_l4proto *proto); -void nf_ct_l4proto_unregister(struct nf_conntrack_l4proto *proto); +extern int nf_ct_l4proto_register(struct nf_conntrack_l4proto *proto); +extern void nf_ct_l4proto_unregister(struct nf_conntrack_l4proto *proto); static inline void nf_ct_kfree_compat_sysctl_table(struct nf_proto_net *pn) { @@ -140,11 +140,11 @@ static inline void nf_ct_kfree_compat_sysctl_table(struct nf_proto_net *pn) } /* Generic netlink helpers */ -int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb, - const struct nf_conntrack_tuple *tuple); -int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[], - struct nf_conntrack_tuple *t); -int nf_ct_port_nlattr_tuple_size(void); +extern int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb, + const struct nf_conntrack_tuple *tuple); +extern int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[], + struct nf_conntrack_tuple *t); +extern int nf_ct_port_nlattr_tuple_size(void); extern const struct nla_policy nf_ct_port_nla_policy[]; #ifdef CONFIG_SYSCTL diff --git a/include/net/netfilter/nf_conntrack_seqadj.h b/include/net/netfilter/nf_conntrack_seqadj.h index 4b33629..f6177a5 100644 --- a/include/net/netfilter/nf_conntrack_seqadj.h +++ b/include/net/netfilter/nf_conntrack_seqadj.h @@ -30,18 +30,22 @@ static inline struct nf_conn_seqadj *nfct_seqadj_ext_add(struct nf_conn *ct) return nf_ct_ext_add(ct, NF_CT_EXT_SEQADJ, GFP_ATOMIC); } -int nf_ct_seqadj_init(struct nf_conn *ct, enum ip_conntrack_info ctinfo, - s32 off); -int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo, - __be32 seq, s32 off); -void nf_ct_tcp_seqadj_set(struct sk_buff *skb, struct nf_conn *ct, - enum ip_conntrack_info ctinfo, s32 off); - -int nf_ct_seq_adjust(struct sk_buff *skb, struct nf_conn *ct, - enum ip_conntrack_info ctinfo, unsigned int protoff); -s32 nf_ct_seq_offset(const struct nf_conn *ct, enum ip_conntrack_dir, u32 seq); - -int nf_conntrack_seqadj_init(void); -void nf_conntrack_seqadj_fini(void); +extern int nf_ct_seqadj_init(struct nf_conn *ct, enum ip_conntrack_info ctinfo, + s32 off); +extern int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo, + __be32 seq, s32 off); +extern void nf_ct_tcp_seqadj_set(struct sk_buff *skb, + struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + s32 off); + +extern int nf_ct_seq_adjust(struct sk_buff *skb, + struct nf_conn *ct, enum ip_conntrack_info ctinfo, + unsigned int protoff); +extern s32 nf_ct_seq_offset(const struct nf_conn *ct, enum ip_conntrack_dir, + u32 seq); + +extern int nf_conntrack_seqadj_init(void); +extern void nf_conntrack_seqadj_fini(void); #endif /* _NF_CONNTRACK_SEQADJ_H */ diff --git a/include/net/netfilter/nf_conntrack_synproxy.h b/include/net/netfilter/nf_conntrack_synproxy.h index 6793614..f572f31 100644 --- a/include/net/netfilter/nf_conntrack_synproxy.h +++ b/include/net/netfilter/nf_conntrack_synproxy.h @@ -56,20 +56,22 @@ struct synproxy_options { struct tcphdr; struct xt_synproxy_info; -bool synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, - const struct tcphdr *th, - struct synproxy_options *opts); -unsigned int synproxy_options_size(const struct synproxy_options *opts); -void synproxy_build_options(struct tcphdr *th, - const struct synproxy_options *opts); +extern bool synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, + const struct tcphdr *th, + struct synproxy_options *opts); +extern unsigned int synproxy_options_size(const struct synproxy_options *opts); +extern void synproxy_build_options(struct tcphdr *th, + const struct synproxy_options *opts); -void synproxy_init_timestamp_cookie(const struct xt_synproxy_info *info, - struct synproxy_options *opts); -void synproxy_check_timestamp_cookie(struct synproxy_options *opts); +extern void synproxy_init_timestamp_cookie(const struct xt_synproxy_info *info, + struct synproxy_options *opts); +extern void synproxy_check_timestamp_cookie(struct synproxy_options *opts); -unsigned int synproxy_tstamp_adjust(struct sk_buff *skb, unsigned int protoff, - struct tcphdr *th, struct nf_conn *ct, - enum ip_conntrack_info ctinfo, - const struct nf_conn_synproxy *synproxy); +extern unsigned int synproxy_tstamp_adjust(struct sk_buff *skb, + unsigned int protoff, + struct tcphdr *th, + struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + const struct nf_conn_synproxy *synproxy); #endif /* _NF_CONNTRACK_SYNPROXY_H */ diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h index 6230871..d23aceb 100644 --- a/include/net/netfilter/nf_conntrack_timeout.h +++ b/include/net/netfilter/nf_conntrack_timeout.h @@ -76,8 +76,8 @@ nf_ct_timeout_lookup(struct net *net, struct nf_conn *ct, } #ifdef CONFIG_NF_CONNTRACK_TIMEOUT -int nf_conntrack_timeout_init(void); -void nf_conntrack_timeout_fini(void); +extern int nf_conntrack_timeout_init(void); +extern void nf_conntrack_timeout_fini(void); #else static inline int nf_conntrack_timeout_init(void) { diff --git a/include/net/netfilter/nf_conntrack_timestamp.h b/include/net/netfilter/nf_conntrack_timestamp.h index 300ae22..b004614 100644 --- a/include/net/netfilter/nf_conntrack_timestamp.h +++ b/include/net/netfilter/nf_conntrack_timestamp.h @@ -48,11 +48,11 @@ static inline void nf_ct_set_tstamp(struct net *net, bool enable) } #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP -int nf_conntrack_tstamp_pernet_init(struct net *net); -void nf_conntrack_tstamp_pernet_fini(struct net *net); +extern int nf_conntrack_tstamp_pernet_init(struct net *net); +extern void nf_conntrack_tstamp_pernet_fini(struct net *net); -int nf_conntrack_tstamp_init(void); -void nf_conntrack_tstamp_fini(void); +extern int nf_conntrack_tstamp_init(void); +extern void nf_conntrack_tstamp_fini(void); #else static inline int nf_conntrack_tstamp_pernet_init(struct net *net) { diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h index 07eaaf6..59a1924 100644 --- a/include/net/netfilter/nf_nat.h +++ b/include/net/netfilter/nf_nat.h @@ -41,16 +41,13 @@ struct nf_conn_nat { }; /* Set up the info structure to map into this range. */ -unsigned int nf_nat_setup_info(struct nf_conn *ct, - const struct nf_nat_range *range, - enum nf_nat_manip_type maniptype); - -extern unsigned int nf_nat_alloc_null_binding(struct nf_conn *ct, - unsigned int hooknum); +extern unsigned int nf_nat_setup_info(struct nf_conn *ct, + const struct nf_nat_range *range, + enum nf_nat_manip_type maniptype); /* Is this tuple already taken? (not by us)*/ -int nf_nat_used_tuple(const struct nf_conntrack_tuple *tuple, - const struct nf_conn *ignored_conntrack); +extern int nf_nat_used_tuple(const struct nf_conntrack_tuple *tuple, + const struct nf_conn *ignored_conntrack); static inline struct nf_conn_nat *nfct_nat(const struct nf_conn *ct) { diff --git a/include/net/netfilter/nf_nat_core.h b/include/net/netfilter/nf_nat_core.h index fbfd1ba..972e1e4 100644 --- a/include/net/netfilter/nf_nat_core.h +++ b/include/net/netfilter/nf_nat_core.h @@ -7,10 +7,12 @@ /* This header used to share core functionality between the standalone NAT module, and the compatibility layer's use of NAT for masquerading. */ -unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo, - unsigned int hooknum, struct sk_buff *skb); +extern unsigned int nf_nat_packet(struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + unsigned int hooknum, + struct sk_buff *skb); -int nf_xfrm_me_harder(struct sk_buff *skb, unsigned int family); +extern int nf_xfrm_me_harder(struct sk_buff *skb, unsigned int family); static inline int nf_nat_initialized(struct nf_conn *ct, enum nf_nat_manip_type manip) diff --git a/include/net/netfilter/nf_nat_helper.h b/include/net/netfilter/nf_nat_helper.h index 01bcc6b..404324d 100644 --- a/include/net/netfilter/nf_nat_helper.h +++ b/include/net/netfilter/nf_nat_helper.h @@ -7,11 +7,14 @@ struct sk_buff; /* These return true or false. */ -int __nf_nat_mangle_tcp_packet(struct sk_buff *skb, struct nf_conn *ct, - enum ip_conntrack_info ctinfo, - unsigned int protoff, unsigned int match_offset, - unsigned int match_len, const char *rep_buffer, - unsigned int rep_len, bool adjust); +extern int __nf_nat_mangle_tcp_packet(struct sk_buff *skb, + struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + unsigned int protoff, + unsigned int match_offset, + unsigned int match_len, + const char *rep_buffer, + unsigned int rep_len, bool adjust); static inline int nf_nat_mangle_tcp_packet(struct sk_buff *skb, struct nf_conn *ct, @@ -27,14 +30,18 @@ static inline int nf_nat_mangle_tcp_packet(struct sk_buff *skb, rep_buffer, rep_len, true); } -int nf_nat_mangle_udp_packet(struct sk_buff *skb, struct nf_conn *ct, - enum ip_conntrack_info ctinfo, - unsigned int protoff, unsigned int match_offset, - unsigned int match_len, const char *rep_buffer, - unsigned int rep_len); +extern int nf_nat_mangle_udp_packet(struct sk_buff *skb, + struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + unsigned int protoff, + unsigned int match_offset, + unsigned int match_len, + const char *rep_buffer, + unsigned int rep_len); /* Setup NAT on this expected conntrack so it follows master, but goes * to port ct->master->saved_proto. */ -void nf_nat_follow_master(struct nf_conn *ct, struct nf_conntrack_expect *this); +extern void nf_nat_follow_master(struct nf_conn *ct, + struct nf_conntrack_expect *this); #endif diff --git a/include/net/netfilter/nf_nat_l3proto.h b/include/net/netfilter/nf_nat_l3proto.h index 5a2919b..bd3b97e 100644 --- a/include/net/netfilter/nf_nat_l3proto.h +++ b/include/net/netfilter/nf_nat_l3proto.h @@ -35,15 +35,18 @@ struct nf_nat_l3proto { struct nf_nat_range *range); }; -int nf_nat_l3proto_register(const struct nf_nat_l3proto *); -void nf_nat_l3proto_unregister(const struct nf_nat_l3proto *); -const struct nf_nat_l3proto *__nf_nat_l3proto_find(u8 l3proto); - -int nf_nat_icmp_reply_translation(struct sk_buff *skb, struct nf_conn *ct, - enum ip_conntrack_info ctinfo, - unsigned int hooknum); -int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, struct nf_conn *ct, - enum ip_conntrack_info ctinfo, - unsigned int hooknum, unsigned int hdrlen); +extern int nf_nat_l3proto_register(const struct nf_nat_l3proto *); +extern void nf_nat_l3proto_unregister(const struct nf_nat_l3proto *); +extern const struct nf_nat_l3proto *__nf_nat_l3proto_find(u8 l3proto); + +extern int nf_nat_icmp_reply_translation(struct sk_buff *skb, + struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + unsigned int hooknum); +extern int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, + struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + unsigned int hooknum, + unsigned int hdrlen); #endif /* _NF_NAT_L3PROTO_H */ diff --git a/include/net/netfilter/nf_nat_l4proto.h b/include/net/netfilter/nf_nat_l4proto.h index 12f4cc8..24feb68 100644 --- a/include/net/netfilter/nf_nat_l4proto.h +++ b/include/net/netfilter/nf_nat_l4proto.h @@ -42,11 +42,10 @@ struct nf_nat_l4proto { }; /* Protocol registration. */ -int nf_nat_l4proto_register(u8 l3proto, const struct nf_nat_l4proto *l4proto); -void nf_nat_l4proto_unregister(u8 l3proto, - const struct nf_nat_l4proto *l4proto); +extern int nf_nat_l4proto_register(u8 l3proto, const struct nf_nat_l4proto *l4proto); +extern void nf_nat_l4proto_unregister(u8 l3proto, const struct nf_nat_l4proto *l4proto); -const struct nf_nat_l4proto *__nf_nat_l4proto_find(u8 l3proto, u8 l4proto); +extern const struct nf_nat_l4proto *__nf_nat_l4proto_find(u8 l3proto, u8 l4proto); /* Built-in protocols. */ extern const struct nf_nat_l4proto nf_nat_l4proto_tcp; @@ -55,18 +54,19 @@ extern const struct nf_nat_l4proto nf_nat_l4proto_icmp; extern const struct nf_nat_l4proto nf_nat_l4proto_icmpv6; extern const struct nf_nat_l4proto nf_nat_l4proto_unknown; -bool nf_nat_l4proto_in_range(const struct nf_conntrack_tuple *tuple, - enum nf_nat_manip_type maniptype, - const union nf_conntrack_man_proto *min, - const union nf_conntrack_man_proto *max); +extern bool nf_nat_l4proto_in_range(const struct nf_conntrack_tuple *tuple, + enum nf_nat_manip_type maniptype, + const union nf_conntrack_man_proto *min, + const union nf_conntrack_man_proto *max); -void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, - struct nf_conntrack_tuple *tuple, - const struct nf_nat_range *range, - enum nf_nat_manip_type maniptype, - const struct nf_conn *ct, u16 *rover); +extern void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, + struct nf_conntrack_tuple *tuple, + const struct nf_nat_range *range, + enum nf_nat_manip_type maniptype, + const struct nf_conn *ct, + u16 *rover); -int nf_nat_l4proto_nlattr_to_range(struct nlattr *tb[], - struct nf_nat_range *range); +extern int nf_nat_l4proto_nlattr_to_range(struct nlattr *tb[], + struct nf_nat_range *range); #endif /*_NF_NAT_L4PROTO_H*/ diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h index c1d5b3e..aaba4bb 100644 --- a/include/net/netfilter/nf_queue.h +++ b/include/net/netfilter/nf_queue.h @@ -28,7 +28,7 @@ struct nf_queue_handler { void nf_register_queue_handler(const struct nf_queue_handler *qh); void nf_unregister_queue_handler(void); -void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict); +extern void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict); bool nf_queue_entry_get_refs(struct nf_queue_entry *entry); void nf_queue_entry_release_refs(struct nf_queue_entry *entry); diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h deleted file mode 100644 index 5a91abf..0000000 --- a/include/net/netfilter/nf_tables.h +++ /dev/null @@ -1,519 +0,0 @@ -#ifndef _NET_NF_TABLES_H -#define _NET_NF_TABLES_H - -#include <linux/list.h> -#include <linux/netfilter.h> -#include <linux/netfilter/x_tables.h> -#include <linux/netfilter/nf_tables.h> -#include <net/netlink.h> - -#define NFT_JUMP_STACK_SIZE 16 - -struct nft_pktinfo { - struct sk_buff *skb; - const struct net_device *in; - const struct net_device *out; - u8 hooknum; - u8 nhoff; - u8 thoff; - /* for x_tables compatibility */ - struct xt_action_param xt; -}; - -static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, - const struct nf_hook_ops *ops, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out) -{ - pkt->skb = skb; - pkt->in = pkt->xt.in = in; - pkt->out = pkt->xt.out = out; - pkt->hooknum = pkt->xt.hooknum = ops->hooknum; - pkt->xt.family = ops->pf; -} - -struct nft_data { - union { - u32 data[4]; - struct { - u32 verdict; - struct nft_chain *chain; - }; - }; -} __attribute__((aligned(__alignof__(u64)))); - -static inline int nft_data_cmp(const struct nft_data *d1, - const struct nft_data *d2, - unsigned int len) -{ - return memcmp(d1->data, d2->data, len); -} - -static inline void nft_data_copy(struct nft_data *dst, - const struct nft_data *src) -{ - BUILD_BUG_ON(__alignof__(*dst) != __alignof__(u64)); - *(u64 *)&dst->data[0] = *(u64 *)&src->data[0]; - *(u64 *)&dst->data[2] = *(u64 *)&src->data[2]; -} - -static inline void nft_data_debug(const struct nft_data *data) -{ - pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n", - data->data[0], data->data[1], - data->data[2], data->data[3]); -} - -/** - * struct nft_ctx - nf_tables rule/set context - * - * @net: net namespace - * @skb: netlink skb - * @nlh: netlink message header - * @afi: address family info - * @table: the table the chain is contained in - * @chain: the chain the rule is contained in - * @nla: netlink attributes - */ -struct nft_ctx { - struct net *net; - const struct sk_buff *skb; - const struct nlmsghdr *nlh; - const struct nft_af_info *afi; - const struct nft_table *table; - const struct nft_chain *chain; - const struct nlattr * const *nla; -}; - -struct nft_data_desc { - enum nft_data_types type; - unsigned int len; -}; - -int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, - struct nft_data_desc *desc, const struct nlattr *nla); -void nft_data_uninit(const struct nft_data *data, enum nft_data_types type); -int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, - enum nft_data_types type, unsigned int len); - -static inline enum nft_data_types nft_dreg_to_type(enum nft_registers reg) -{ - return reg == NFT_REG_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE; -} - -static inline enum nft_registers nft_type_to_reg(enum nft_data_types type) -{ - return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1; -} - -int nft_validate_input_register(enum nft_registers reg); -int nft_validate_output_register(enum nft_registers reg); -int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg, - const struct nft_data *data, - enum nft_data_types type); - -/** - * struct nft_set_elem - generic representation of set elements - * - * @cookie: implementation specific element cookie - * @key: element key - * @data: element data (maps only) - * @flags: element flags (end of interval) - * - * The cookie can be used to store a handle to the element for subsequent - * removal. - */ -struct nft_set_elem { - void *cookie; - struct nft_data key; - struct nft_data data; - u32 flags; -}; - -struct nft_set; -struct nft_set_iter { - unsigned int count; - unsigned int skip; - int err; - int (*fn)(const struct nft_ctx *ctx, - const struct nft_set *set, - const struct nft_set_iter *iter, - const struct nft_set_elem *elem); -}; - -/** - * struct nft_set_ops - nf_tables set operations - * - * @lookup: look up an element within the set - * @insert: insert new element into set - * @remove: remove element from set - * @walk: iterate over all set elemeennts - * @privsize: function to return size of set private data - * @init: initialize private data of new set instance - * @destroy: destroy private data of set instance - * @list: nf_tables_set_ops list node - * @owner: module reference - * @features: features supported by the implementation - */ -struct nft_set_ops { - bool (*lookup)(const struct nft_set *set, - const struct nft_data *key, - struct nft_data *data); - int (*get)(const struct nft_set *set, - struct nft_set_elem *elem); - int (*insert)(const struct nft_set *set, - const struct nft_set_elem *elem); - void (*remove)(const struct nft_set *set, - const struct nft_set_elem *elem); - void (*walk)(const struct nft_ctx *ctx, - const struct nft_set *set, - struct nft_set_iter *iter); - - unsigned int (*privsize)(const struct nlattr * const nla[]); - int (*init)(const struct nft_set *set, - const struct nlattr * const nla[]); - void (*destroy)(const struct nft_set *set); - - struct list_head list; - struct module *owner; - u32 features; -}; - -int nft_register_set(struct nft_set_ops *ops); -void nft_unregister_set(struct nft_set_ops *ops); - -/** - * struct nft_set - nf_tables set instance - * - * @list: table set list node - * @bindings: list of set bindings - * @name: name of the set - * @ktype: key type (numeric type defined by userspace, not used in the kernel) - * @dtype: data type (verdict or numeric type defined by userspace) - * @ops: set ops - * @flags: set flags - * @klen: key length - * @dlen: data length - * @data: private set data - */ -struct nft_set { - struct list_head list; - struct list_head bindings; - char name[IFNAMSIZ]; - u32 ktype; - u32 dtype; - /* runtime data below here */ - const struct nft_set_ops *ops ____cacheline_aligned; - u16 flags; - u8 klen; - u8 dlen; - unsigned char data[] - __attribute__((aligned(__alignof__(u64)))); -}; - -static inline void *nft_set_priv(const struct nft_set *set) -{ - return (void *)set->data; -} - -struct nft_set *nf_tables_set_lookup(const struct nft_table *table, - const struct nlattr *nla); - -/** - * struct nft_set_binding - nf_tables set binding - * - * @list: set bindings list node - * @chain: chain containing the rule bound to the set - * - * A set binding contains all information necessary for validation - * of new elements added to a bound set. - */ -struct nft_set_binding { - struct list_head list; - const struct nft_chain *chain; -}; - -int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, - struct nft_set_binding *binding); -void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, - struct nft_set_binding *binding); - - -/** - * struct nft_expr_type - nf_tables expression type - * - * @select_ops: function to select nft_expr_ops - * @ops: default ops, used when no select_ops functions is present - * @list: used internally - * @name: Identifier - * @owner: module reference - * @policy: netlink attribute policy - * @maxattr: highest netlink attribute number - */ -struct nft_expr_type { - const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *, - const struct nlattr * const tb[]); - const struct nft_expr_ops *ops; - struct list_head list; - const char *name; - struct module *owner; - const struct nla_policy *policy; - unsigned int maxattr; -}; - -/** - * struct nft_expr_ops - nf_tables expression operations - * - * @eval: Expression evaluation function - * @size: full expression size, including private data size - * @init: initialization function - * @destroy: destruction function - * @dump: function to dump parameters - * @type: expression type - * @validate: validate expression, called during loop detection - * @data: extra data to attach to this expression operation - */ -struct nft_expr; -struct nft_expr_ops { - void (*eval)(const struct nft_expr *expr, - struct nft_data data[NFT_REG_MAX + 1], - const struct nft_pktinfo *pkt); - unsigned int size; - - int (*init)(const struct nft_ctx *ctx, - const struct nft_expr *expr, - const struct nlattr * const tb[]); - void (*destroy)(const struct nft_expr *expr); - int (*dump)(struct sk_buff *skb, - const struct nft_expr *expr); - int (*validate)(const struct nft_ctx *ctx, - const struct nft_expr *expr, - const struct nft_data **data); - const struct nft_expr_type *type; - void *data; -}; - -#define NFT_EXPR_MAXATTR 16 -#define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ - ALIGN(size, __alignof__(struct nft_expr))) - -/** - * struct nft_expr - nf_tables expression - * - * @ops: expression ops - * @data: expression private data - */ -struct nft_expr { - const struct nft_expr_ops *ops; - unsigned char data[]; -}; - -static inline void *nft_expr_priv(const struct nft_expr *expr) -{ - return (void *)expr->data; -} - -/** - * struct nft_rule - nf_tables rule - * - * @list: used internally - * @rcu_head: used internally for rcu - * @handle: rule handle - * @genmask: generation mask - * @dlen: length of expression data - * @data: expression data - */ -struct nft_rule { - struct list_head list; - struct rcu_head rcu_head; - u64 handle:46, - genmask:2, - dlen:16; - unsigned char data[] - __attribute__((aligned(__alignof__(struct nft_expr)))); -}; - -/** - * struct nft_rule_trans - nf_tables rule update in transaction - * - * @list: used internally - * @rule: rule that needs to be updated - * @chain: chain that this rule belongs to - * @table: table for which this chain applies - * @nlh: netlink header of the message that contain this update - * @family: family expressesed as AF_* - */ -struct nft_rule_trans { - struct list_head list; - struct nft_rule *rule; - const struct nft_chain *chain; - const struct nft_table *table; - const struct nlmsghdr *nlh; - u8 family; -}; - -static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule) -{ - return (struct nft_expr *)&rule->data[0]; -} - -static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr) -{ - return ((void *)expr) + expr->ops->size; -} - -static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule) -{ - return (struct nft_expr *)&rule->data[rule->dlen]; -} - -/* - * The last pointer isn't really necessary, but the compiler isn't able to - * determine that the result of nft_expr_last() is always the same since it - * can't assume that the dlen value wasn't changed within calls in the loop. - */ -#define nft_rule_for_each_expr(expr, last, rule) \ - for ((expr) = nft_expr_first(rule), (last) = nft_expr_last(rule); \ - (expr) != (last); \ - (expr) = nft_expr_next(expr)) - -enum nft_chain_flags { - NFT_BASE_CHAIN = 0x1, -}; - -/** - * struct nft_chain - nf_tables chain - * - * @rules: list of rules in the chain - * @list: used internally - * @rcu_head: used internally - * @net: net namespace that this chain belongs to - * @table: table that this chain belongs to - * @handle: chain handle - * @flags: bitmask of enum nft_chain_flags - * @use: number of jump references to this chain - * @level: length of longest path to this chain - * @name: name of the chain - */ -struct nft_chain { - struct list_head rules; - struct list_head list; - struct rcu_head rcu_head; - struct net *net; - struct nft_table *table; - u64 handle; - u8 flags; - u16 use; - u16 level; - char name[NFT_CHAIN_MAXNAMELEN]; -}; - -enum nft_chain_type { - NFT_CHAIN_T_DEFAULT = 0, - NFT_CHAIN_T_ROUTE, - NFT_CHAIN_T_NAT, - NFT_CHAIN_T_MAX -}; - -struct nft_stats { - u64 bytes; - u64 pkts; -}; - -/** - * struct nft_base_chain - nf_tables base chain - * - * @ops: netfilter hook ops - * @type: chain type - * @policy: default policy - * @stats: per-cpu chain stats - * @chain: the chain - */ -struct nft_base_chain { - struct nf_hook_ops ops; - enum nft_chain_type type; - u8 policy; - struct nft_stats __percpu *stats; - struct nft_chain chain; -}; - -static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chain) -{ - return container_of(chain, struct nft_base_chain, chain); -} - -unsigned int nft_do_chain_pktinfo(struct nft_pktinfo *pkt, - const struct nf_hook_ops *ops); - -/** - * struct nft_table - nf_tables table - * - * @list: used internally - * @chains: chains in the table - * @sets: sets in the table - * @hgenerator: handle generator state - * @use: number of chain references to this table - * @flags: table flag (see enum nft_table_flags) - * @name: name of the table - */ -struct nft_table { - struct list_head list; - struct list_head chains; - struct list_head sets; - u64 hgenerator; - u32 use; - u16 flags; - char name[]; -}; - -/** - * struct nft_af_info - nf_tables address family info - * - * @list: used internally - * @family: address family - * @nhooks: number of hooks in this family - * @owner: module owner - * @tables: used internally - * @hooks: hookfn overrides for packet validation - */ -struct nft_af_info { - struct list_head list; - int family; - unsigned int nhooks; - struct module *owner; - struct list_head tables; - nf_hookfn *hooks[NF_MAX_HOOKS]; -}; - -int nft_register_afinfo(struct net *, struct nft_af_info *); -void nft_unregister_afinfo(struct nft_af_info *); - -struct nf_chain_type { - unsigned int hook_mask; - const char *name; - enum nft_chain_type type; - nf_hookfn *fn[NF_MAX_HOOKS]; - struct module *me; - int family; -}; - -int nft_register_chain_type(struct nf_chain_type *); -void nft_unregister_chain_type(struct nf_chain_type *); - -int nft_register_expr(struct nft_expr_type *); -void nft_unregister_expr(struct nft_expr_type *); - -#define MODULE_ALIAS_NFT_FAMILY(family) \ - MODULE_ALIAS("nft-afinfo-" __stringify(family)) - -#define MODULE_ALIAS_NFT_CHAIN(family, name) \ - MODULE_ALIAS("nft-chain-" __stringify(family) "-" name) - -#define MODULE_ALIAS_NFT_EXPR(name) \ - MODULE_ALIAS("nft-expr-" name) - -#define MODULE_ALIAS_NFT_SET() \ - MODULE_ALIAS("nft-set") - -#endif /* _NET_NF_TABLES_H */ diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h deleted file mode 100644 index cf2b7ae..0000000 --- a/include/net/netfilter/nf_tables_core.h +++ /dev/null @@ -1,42 +0,0 @@ -#ifndef _NET_NF_TABLES_CORE_H -#define _NET_NF_TABLES_CORE_H - -int nf_tables_core_module_init(void); -void nf_tables_core_module_exit(void); - -int nft_immediate_module_init(void); -void nft_immediate_module_exit(void); - -struct nft_cmp_fast_expr { - u32 data; - enum nft_registers sreg:8; - u8 len; -}; - -extern const struct nft_expr_ops nft_cmp_fast_ops; - -int nft_cmp_module_init(void); -void nft_cmp_module_exit(void); - -int nft_lookup_module_init(void); -void nft_lookup_module_exit(void); - -int nft_bitwise_module_init(void); -void nft_bitwise_module_exit(void); - -int nft_byteorder_module_init(void); -void nft_byteorder_module_exit(void); - -struct nft_payload { - enum nft_payload_bases base:8; - u8 offset; - u8 len; - enum nft_registers dreg:8; -}; - -extern const struct nft_expr_ops nft_payload_fast_ops; - -int nft_payload_module_init(void); -void nft_payload_module_exit(void); - -#endif /* _NET_NF_TABLES_CORE_H */ diff --git a/include/net/netfilter/nf_tables_ipv4.h b/include/net/netfilter/nf_tables_ipv4.h deleted file mode 100644 index 1be1c2c..0000000 --- a/include/net/netfilter/nf_tables_ipv4.h +++ /dev/null @@ -1,23 +0,0 @@ -#ifndef _NF_TABLES_IPV4_H_ -#define _NF_TABLES_IPV4_H_ - -#include <net/netfilter/nf_tables.h> -#include <net/ip.h> - -static inline void -nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt, - const struct nf_hook_ops *ops, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out) -{ - struct iphdr *ip; - - nft_set_pktinfo(pkt, ops, skb, in, out); - - pkt->xt.thoff = ip_hdrlen(pkt->skb); - ip = ip_hdr(pkt->skb); - pkt->xt.fragoff = ntohs(ip->frag_off) & IP_OFFSET; -} - -#endif diff --git a/include/net/netfilter/nf_tables_ipv6.h b/include/net/netfilter/nf_tables_ipv6.h deleted file mode 100644 index 4a9b88a..0000000 --- a/include/net/netfilter/nf_tables_ipv6.h +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef _NF_TABLES_IPV6_H_ -#define _NF_TABLES_IPV6_H_ - -#include <linux/netfilter_ipv6/ip6_tables.h> -#include <net/ipv6.h> - -static inline int -nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt, - const struct nf_hook_ops *ops, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out) -{ - int protohdr, thoff = 0; - unsigned short frag_off; - - nft_set_pktinfo(pkt, ops, skb, in, out); - - protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, NULL); - /* If malformed, drop it */ - if (protohdr < 0) - return -1; - - pkt->xt.thoff = thoff; - pkt->xt.fragoff = frag_off; - - return 0; -} - -#endif diff --git a/include/net/netfilter/xt_rateest.h b/include/net/netfilter/xt_rateest.h index 79f45e1..495c71f 100644 --- a/include/net/netfilter/xt_rateest.h +++ b/include/net/netfilter/xt_rateest.h @@ -16,7 +16,7 @@ struct xt_rateest { struct rcu_head rcu; }; -struct xt_rateest *xt_rateest_lookup(const char *name); -void xt_rateest_put(struct xt_rateest *est); +extern struct xt_rateest *xt_rateest_lookup(const char *name); +extern void xt_rateest_put(struct xt_rateest *est); #endif /* _XT_RATEEST_H */ |