#ifdef __KERNEL__
#include <linux/if.h>
-#include <linux/types.h>
#include <linux/in6.h>
#include <linux/ipv6.h>
#include <linux/skbuff.h>
#endif
+#include <linux/types.h>
#include <linux/compiler.h>
#include <linux/netfilter_ipv6.h>
char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
- /* ARGH, HopByHop uses 0, so can't do 0 = ANY,
- instead IP6T_F_NOPROTO must be set */
+ /* Upper protocol number
+ * - The allowed value is 0 (any) or protocol number of last parsable
+ * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
+ * the non IPv6 extension headers.
+ * - The protocol numbers of IPv6 extension headers except of ESP and
+ * MH do not match any packets.
+ * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
+ */
u_int16_t proto;
/* TOS to match iff flags & IP6T_F_TOS */
u_int8_t tos;
struct ip6t_error_target target;
};
+#define IP6T_ENTRY_INIT(__size) \
+{ \
+ .target_offset = sizeof(struct ip6t_entry), \
+ .next_offset = (__size), \
+}
+
+#define IP6T_STANDARD_INIT(__verdict) \
+{ \
+ .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \
+ .target = XT_TARGET_INIT(IP6T_STANDARD_TARGET, \
+ sizeof(struct ip6t_standard_target)), \
+ .target.verdict = -(__verdict) - 1, \
+}
+
+#define IP6T_ERROR_INIT \
+{ \
+ .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \
+ .target = XT_TARGET_INIT(IP6T_ERROR_TARGET, \
+ sizeof(struct ip6t_error_target)), \
+ .target.errorname = "ERROR", \
+}
+
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use
unsigned int valid_hooks;
/* Hook entry points: one per netfilter hook. */
- unsigned int hook_entry[NF_IP6_NUMHOOKS];
+ unsigned int hook_entry[NF_INET_NUMHOOKS];
/* Underflow points. */
- unsigned int underflow[NF_IP6_NUMHOOKS];
+ unsigned int underflow[NF_INET_NUMHOOKS];
/* Number of entries */
unsigned int num_entries;
unsigned int size;
/* Hook entry points. */
- unsigned int hook_entry[NF_IP6_NUMHOOKS];
+ unsigned int hook_entry[NF_INET_NUMHOOKS];
/* Underflow points. */
- unsigned int underflow[NF_IP6_NUMHOOKS];
+ unsigned int underflow[NF_INET_NUMHOOKS];
/* Information about old entries: */
/* Number of counters (must be equal to current number of entries). */
}
/* fn returns 0 to continue iteration */
-#define IP6T_MATCH_ITERATE(e, fn, args...) \
-({ \
- unsigned int __i; \
- int __ret = 0; \
- struct ip6t_entry_match *__m; \
- \
- for (__i = sizeof(struct ip6t_entry); \
- __i < (e)->target_offset; \
- __i += __m->u.match_size) { \
- __m = (void *)(e) + __i; \
- \
- __ret = fn(__m , ## args); \
- if (__ret != 0) \
- break; \
- } \
- __ret; \
-})
+#define IP6T_MATCH_ITERATE(e, fn, args...) \
+ XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
/* fn returns 0 to continue iteration */
-#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
-({ \
- unsigned int __i; \
- int __ret = 0; \
- struct ip6t_entry *__e; \
- \
- for (__i = 0; __i < (size); __i += __e->next_offset) { \
- __e = (void *)(entries) + __i; \
- \
- __ret = fn(__e , ## args); \
- if (__ret != 0) \
- break; \
- } \
- __ret; \
-})
+#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
+ XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
/*
* Main firewall chains definitions and global var's definitions.
#include <linux/init.h>
extern void ip6t_init(void) __init;
-extern int ip6t_register_table(struct xt_table *table,
- const struct ip6t_replace *repl);
+extern struct xt_table *ip6t_register_table(struct net *net,
+ struct xt_table *table,
+ const struct ip6t_replace *repl);
extern void ip6t_unregister_table(struct xt_table *table);
-extern unsigned int ip6t_do_table(struct sk_buff **pskb,
+extern unsigned int ip6t_do_table(struct sk_buff *skb,
unsigned int hook,
const struct net_device *in,
const struct net_device *out,
const struct in6_addr *mask,
const struct in6_addr *addr2);
-#define IP6T_ALIGN(s) (((s) + (__alignof__(struct ip6t_entry)-1)) & ~(__alignof__(struct ip6t_entry)-1))
+#define IP6T_ALIGN(s) XT_ALIGN(s)
+
+#ifdef CONFIG_COMPAT
+#include <net/compat.h>
+
+struct compat_ip6t_entry
+{
+ struct ip6t_ip6 ipv6;
+ compat_uint_t nfcache;
+ u_int16_t target_offset;
+ u_int16_t next_offset;
+ compat_uint_t comefrom;
+ struct compat_xt_counters counters;
+ unsigned char elems[0];
+};
+
+static inline struct ip6t_entry_target *
+compat_ip6t_get_target(struct compat_ip6t_entry *e)
+{
+ return (void *)e + e->target_offset;
+}
+
+#define COMPAT_IP6T_ALIGN(s) COMPAT_XT_ALIGN(s)
+
+/* fn returns 0 to continue iteration */
+#define COMPAT_IP6T_MATCH_ITERATE(e, fn, args...) \
+ XT_MATCH_ITERATE(struct compat_ip6t_entry, e, fn, ## args)
+
+/* fn returns 0 to continue iteration */
+#define COMPAT_IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
+ XT_ENTRY_ITERATE(struct compat_ip6t_entry, entries, size, fn, ## args)
+
+#define COMPAT_IP6T_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \
+ XT_ENTRY_ITERATE_CONTINUE(struct compat_ip6t_entry, entries, size, n, \
+ fn, ## args)
+#endif /* CONFIG_COMPAT */
#endif /*__KERNEL__*/
#endif /* _IP6_TABLES_H */