diff options
author | David Howells <dhowells@redhat.com> | 2012-10-09 09:48:59 +0100 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2012-10-09 09:48:59 +0100 |
commit | 17c075923da59c217155d0758ee0715641ebc152 (patch) | |
tree | 25c7c5c9a38e4be68ea7d3d8859bb55474199143 /include/linux | |
parent | 55c5cd3cc179eb87faa9cc2d9741047dd1642aaf (diff) |
UAPI: (Scripted) Disintegrate include/linux/netfilter_ipv4
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Dave Jones <davej@redhat.com>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/netfilter_ipv4/Kbuild | 10 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ip_tables.h | 218 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_CLUSTERIP.h | 36 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_ECN.h | 33 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_LOG.h | 21 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_REJECT.h | 20 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_TTL.h | 23 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_ULOG.h | 49 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_ah.h | 17 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_ecn.h | 15 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_ttl.h | 23 |
11 files changed, 2 insertions, 463 deletions
diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild index 8ba0c5b72ea9..e69de29bb2d1 100644 --- a/include/linux/netfilter_ipv4/Kbuild +++ b/include/linux/netfilter_ipv4/Kbuild @@ -1,10 +0,0 @@ -header-y += ip_tables.h -header-y += ipt_CLUSTERIP.h -header-y += ipt_ECN.h -header-y += ipt_LOG.h -header-y += ipt_REJECT.h -header-y += ipt_TTL.h -header-y += ipt_ULOG.h -header-y += ipt_ah.h -header-y += ipt_ecn.h -header-y += ipt_ttl.h diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index db79231914ce..901e84db847d 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -11,230 +11,17 @@ * flags are stored in host byte order (of course). * Port numbers are stored in HOST byte order. */ - #ifndef _IPTABLES_H #define _IPTABLES_H -#ifdef __KERNEL__ #include <linux/if.h> #include <linux/in.h> #include <linux/ip.h> #include <linux/skbuff.h> -#endif -#include <linux/types.h> -#include <linux/compiler.h> -#include <linux/netfilter_ipv4.h> - -#include <linux/netfilter/x_tables.h> - -#ifndef __KERNEL__ -#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN -#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN -#define ipt_match xt_match -#define ipt_target xt_target -#define ipt_table xt_table -#define ipt_get_revision xt_get_revision -#define ipt_entry_match xt_entry_match -#define ipt_entry_target xt_entry_target -#define ipt_standard_target xt_standard_target -#define ipt_error_target xt_error_target -#define ipt_counters xt_counters -#define IPT_CONTINUE XT_CONTINUE -#define IPT_RETURN XT_RETURN - -/* This group is older than old (iptables < v1.4.0-rc1~89) */ -#include <linux/netfilter/xt_tcpudp.h> -#define ipt_udp xt_udp -#define ipt_tcp xt_tcp -#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT -#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT -#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS -#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION -#define IPT_TCP_INV_MASK XT_TCP_INV_MASK -#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT -#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT -#define IPT_UDP_INV_MASK XT_UDP_INV_MASK - -/* The argument to IPT_SO_ADD_COUNTERS. */ -#define ipt_counters_info xt_counters_info -/* Standard return verdict, or do jump. */ -#define IPT_STANDARD_TARGET XT_STANDARD_TARGET -/* Error verdict. */ -#define IPT_ERROR_TARGET XT_ERROR_TARGET - -/* fn returns 0 to continue iteration */ -#define IPT_MATCH_ITERATE(e, fn, args...) \ - XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args) - -/* fn returns 0 to continue iteration */ -#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ - XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args) -#endif - -/* Yes, Virginia, you have to zero the padding. */ -struct ipt_ip { - /* Source and destination IP addr */ - struct in_addr src, dst; - /* Mask for src and dest IP addr */ - struct in_addr smsk, dmsk; - char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; - unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; - - /* Protocol, 0 = ANY */ - __u16 proto; - - /* Flags word */ - __u8 flags; - /* Inverse flags */ - __u8 invflags; -}; - -/* Values for "flag" field in struct ipt_ip (general ip structure). */ -#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ -#define IPT_F_GOTO 0x02 /* Set if jump is a goto */ -#define IPT_F_MASK 0x03 /* All possible flag bits mask. */ - -/* Values for "inv" field in struct ipt_ip. */ -#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ -#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ -#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */ -#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ -#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ -#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */ -#define IPT_INV_PROTO XT_INV_PROTO -#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */ - -/* This structure defines each of the firewall rules. Consists of 3 - parts which are 1) general IP header stuff 2) match specific - stuff 3) the target to perform if the rule matches */ -struct ipt_entry { - struct ipt_ip ip; - - /* Mark with fields that we care about. */ - unsigned int nfcache; - - /* Size of ipt_entry + matches */ - __u16 target_offset; - /* Size of ipt_entry + matches + target */ - __u16 next_offset; - - /* Back pointer */ - unsigned int comefrom; - - /* Packet and byte counters. */ - struct xt_counters counters; - - /* The matches (if any), then the target. */ - unsigned char elems[0]; -}; - -/* - * New IP firewall options for [gs]etsockopt at the RAW IP level. - * Unlike BSD Linux inherits IP options so you don't have to use a raw - * socket for this. Instead we check rights in the calls. - * - * ATTENTION: check linux/in.h before adding new number here. - */ -#define IPT_BASE_CTL 64 - -#define IPT_SO_SET_REPLACE (IPT_BASE_CTL) -#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) -#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS - -#define IPT_SO_GET_INFO (IPT_BASE_CTL) -#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) -#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2) -#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) -#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET - -/* ICMP matching stuff */ -struct ipt_icmp { - __u8 type; /* type to match */ - __u8 code[2]; /* range of code */ - __u8 invflags; /* Inverse flags */ -}; - -/* Values for "inv" field for struct ipt_icmp. */ -#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */ - -/* The argument to IPT_SO_GET_INFO */ -struct ipt_getinfo { - /* Which table: caller fills this in. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* Kernel fills these in. */ - /* Which hook entry points are valid: bitmask */ - unsigned int valid_hooks; - - /* Hook entry points: one per netfilter hook. */ - unsigned int hook_entry[NF_INET_NUMHOOKS]; - - /* Underflow points. */ - unsigned int underflow[NF_INET_NUMHOOKS]; - - /* Number of entries */ - unsigned int num_entries; - - /* Size of entries. */ - unsigned int size; -}; - -/* The argument to IPT_SO_SET_REPLACE. */ -struct ipt_replace { - /* Which table. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* Which hook entry points are valid: bitmask. You can't - change this. */ - unsigned int valid_hooks; - - /* Number of entries */ - unsigned int num_entries; - - /* Total size of new entries */ - unsigned int size; - - /* Hook entry points. */ - unsigned int hook_entry[NF_INET_NUMHOOKS]; - - /* Underflow points. */ - unsigned int underflow[NF_INET_NUMHOOKS]; - - /* Information about old entries: */ - /* Number of counters (must be equal to current number of entries). */ - unsigned int num_counters; - /* The old entries' counters. */ - struct xt_counters __user *counters; - - /* The entries (hang off end: not really an array). */ - struct ipt_entry entries[0]; -}; - -/* The argument to IPT_SO_GET_ENTRIES. */ -struct ipt_get_entries { - /* Which table: user fills this in. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* User fills this in: total entry size. */ - unsigned int size; - - /* The entries. */ - struct ipt_entry entrytable[0]; -}; - -/* Helper functions */ -static __inline__ struct xt_entry_target * -ipt_get_target(struct ipt_entry *e) -{ - return (void *)e + e->target_offset; -} - -/* - * Main firewall chains definitions and global var's definitions. - */ -#ifdef __KERNEL__ #include <linux/init.h> +#include <uapi/linux/netfilter_ipv4/ip_tables.h> + extern void ipt_init(void) __init; extern struct xt_table *ipt_register_table(struct net *net, @@ -303,5 +90,4 @@ compat_ipt_get_target(struct compat_ipt_entry *e) } #endif /* CONFIG_COMPAT */ -#endif /*__KERNEL__*/ #endif /* _IPTABLES_H */ diff --git a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h deleted file mode 100644 index c6a204c97047..000000000000 --- a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h +++ /dev/null @@ -1,36 +0,0 @@ -#ifndef _IPT_CLUSTERIP_H_target -#define _IPT_CLUSTERIP_H_target - -#include <linux/types.h> - -enum clusterip_hashmode { - CLUSTERIP_HASHMODE_SIP = 0, - CLUSTERIP_HASHMODE_SIP_SPT, - CLUSTERIP_HASHMODE_SIP_SPT_DPT, -}; - -#define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT - -#define CLUSTERIP_MAX_NODES 16 - -#define CLUSTERIP_FLAG_NEW 0x00000001 - -struct clusterip_config; - -struct ipt_clusterip_tgt_info { - - __u32 flags; - - /* only relevant for new ones */ - __u8 clustermac[6]; - __u16 num_total_nodes; - __u16 num_local_nodes; - __u16 local_nodes[CLUSTERIP_MAX_NODES]; - __u32 hash_mode; - __u32 hash_initval; - - /* Used internally by the kernel */ - struct clusterip_config *config; -}; - -#endif /*_IPT_CLUSTERIP_H_target*/ diff --git a/include/linux/netfilter_ipv4/ipt_ECN.h b/include/linux/netfilter_ipv4/ipt_ECN.h deleted file mode 100644 index bb88d5315a4d..000000000000 --- a/include/linux/netfilter_ipv4/ipt_ECN.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Header file for iptables ipt_ECN target - * - * (C) 2002 by Harald Welte <laforge@gnumonks.org> - * - * This software is distributed under GNU GPL v2, 1991 - * - * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp -*/ -#ifndef _IPT_ECN_TARGET_H -#define _IPT_ECN_TARGET_H - -#include <linux/types.h> -#include <linux/netfilter/xt_DSCP.h> - -#define IPT_ECN_IP_MASK (~XT_DSCP_MASK) - -#define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */ -#define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */ -#define IPT_ECN_OP_SET_CWR 0x20 /* set CWR bit of TCP header */ - -#define IPT_ECN_OP_MASK 0xce - -struct ipt_ECN_info { - __u8 operation; /* bitset of operations */ - __u8 ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */ - union { - struct { - __u8 ece:1, cwr:1; /* TCP ECT bits */ - } tcp; - } proto; -}; - -#endif /* _IPT_ECN_TARGET_H */ diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h deleted file mode 100644 index 5d8152077d71..000000000000 --- a/include/linux/netfilter_ipv4/ipt_LOG.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef _IPT_LOG_H -#define _IPT_LOG_H - -#warning "Please update iptables, this file will be removed soon!" - -/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */ -#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ -#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */ -#define IPT_LOG_IPOPT 0x04 /* Log IP options */ -#define IPT_LOG_UID 0x08 /* Log UID owning local socket */ -#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ -#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */ -#define IPT_LOG_MASK 0x2f - -struct ipt_log_info { - unsigned char level; - unsigned char logflags; - char prefix[30]; -}; - -#endif /*_IPT_LOG_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_REJECT.h b/include/linux/netfilter_ipv4/ipt_REJECT.h deleted file mode 100644 index 4293a1ad1b01..000000000000 --- a/include/linux/netfilter_ipv4/ipt_REJECT.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef _IPT_REJECT_H -#define _IPT_REJECT_H - -enum ipt_reject_with { - IPT_ICMP_NET_UNREACHABLE, - IPT_ICMP_HOST_UNREACHABLE, - IPT_ICMP_PROT_UNREACHABLE, - IPT_ICMP_PORT_UNREACHABLE, - IPT_ICMP_ECHOREPLY, - IPT_ICMP_NET_PROHIBITED, - IPT_ICMP_HOST_PROHIBITED, - IPT_TCP_RESET, - IPT_ICMP_ADMIN_PROHIBITED -}; - -struct ipt_reject_info { - enum ipt_reject_with with; /* reject type */ -}; - -#endif /*_IPT_REJECT_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_TTL.h b/include/linux/netfilter_ipv4/ipt_TTL.h deleted file mode 100644 index f6ac169d92f9..000000000000 --- a/include/linux/netfilter_ipv4/ipt_TTL.h +++ /dev/null @@ -1,23 +0,0 @@ -/* TTL modification module for IP tables - * (C) 2000 by Harald Welte <laforge@netfilter.org> */ - -#ifndef _IPT_TTL_H -#define _IPT_TTL_H - -#include <linux/types.h> - -enum { - IPT_TTL_SET = 0, - IPT_TTL_INC, - IPT_TTL_DEC -}; - -#define IPT_TTL_MAXMODE IPT_TTL_DEC - -struct ipt_TTL_info { - __u8 mode; - __u8 ttl; -}; - - -#endif diff --git a/include/linux/netfilter_ipv4/ipt_ULOG.h b/include/linux/netfilter_ipv4/ipt_ULOG.h deleted file mode 100644 index 417aad280bcc..000000000000 --- a/include/linux/netfilter_ipv4/ipt_ULOG.h +++ /dev/null @@ -1,49 +0,0 @@ -/* Header file for IP tables userspace logging, Version 1.8 - * - * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org> - * - * Distributed under the terms of GNU GPL */ - -#ifndef _IPT_ULOG_H -#define _IPT_ULOG_H - -#ifndef NETLINK_NFLOG -#define NETLINK_NFLOG 5 -#endif - -#define ULOG_DEFAULT_NLGROUP 1 -#define ULOG_DEFAULT_QTHRESHOLD 1 - -#define ULOG_MAC_LEN 80 -#define ULOG_PREFIX_LEN 32 - -#define ULOG_MAX_QLEN 50 -/* Why 50? Well... there is a limit imposed by the slab cache 131000 - * bytes. So the multipart netlink-message has to be < 131000 bytes. - * Assuming a standard ethernet-mtu of 1500, we could define this up - * to 80... but even 50 seems to be big enough. */ - -/* private data structure for each rule with a ULOG target */ -struct ipt_ulog_info { - unsigned int nl_group; - size_t copy_range; - size_t qthreshold; - char prefix[ULOG_PREFIX_LEN]; -}; - -/* Format of the ULOG packets passed through netlink */ -typedef struct ulog_packet_msg { - unsigned long mark; - long timestamp_sec; - long timestamp_usec; - unsigned int hook; - char indev_name[IFNAMSIZ]; - char outdev_name[IFNAMSIZ]; - size_t data_len; - char prefix[ULOG_PREFIX_LEN]; - unsigned char mac_len; - unsigned char mac[ULOG_MAC_LEN]; - unsigned char payload[0]; -} ulog_packet_msg_t; - -#endif /*_IPT_ULOG_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_ah.h b/include/linux/netfilter_ipv4/ipt_ah.h deleted file mode 100644 index 4e02bb0119e3..000000000000 --- a/include/linux/netfilter_ipv4/ipt_ah.h +++ /dev/null @@ -1,17 +0,0 @@ -#ifndef _IPT_AH_H -#define _IPT_AH_H - -#include <linux/types.h> - -struct ipt_ah { - __u32 spis[2]; /* Security Parameter Index */ - __u8 invflags; /* Inverse flags */ -}; - - - -/* Values for "invflags" field in struct ipt_ah. */ -#define IPT_AH_INV_SPI 0x01 /* Invert the sense of spi. */ -#define IPT_AH_INV_MASK 0x01 /* All possible flags. */ - -#endif /*_IPT_AH_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h deleted file mode 100644 index 0e0c063dbf60..000000000000 --- a/include/linux/netfilter_ipv4/ipt_ecn.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef _IPT_ECN_H -#define _IPT_ECN_H - -#include <linux/netfilter/xt_ecn.h> -#define ipt_ecn_info xt_ecn_info - -enum { - IPT_ECN_IP_MASK = XT_ECN_IP_MASK, - IPT_ECN_OP_MATCH_IP = XT_ECN_OP_MATCH_IP, - IPT_ECN_OP_MATCH_ECE = XT_ECN_OP_MATCH_ECE, - IPT_ECN_OP_MATCH_CWR = XT_ECN_OP_MATCH_CWR, - IPT_ECN_OP_MATCH_MASK = XT_ECN_OP_MATCH_MASK, -}; - -#endif /* IPT_ECN_H */ diff --git a/include/linux/netfilter_ipv4/ipt_ttl.h b/include/linux/netfilter_ipv4/ipt_ttl.h deleted file mode 100644 index 37bee4442486..000000000000 --- a/include/linux/netfilter_ipv4/ipt_ttl.h +++ /dev/null @@ -1,23 +0,0 @@ -/* IP tables module for matching the value of the TTL - * (C) 2000 by Harald Welte <laforge@gnumonks.org> */ - -#ifndef _IPT_TTL_H -#define _IPT_TTL_H - -#include <linux/types.h> - -enum { - IPT_TTL_EQ = 0, /* equals */ - IPT_TTL_NE, /* not equals */ - IPT_TTL_LT, /* less than */ - IPT_TTL_GT, /* greater than */ -}; - - -struct ipt_ttl_info { - __u8 mode; - __u8 ttl; -}; - - -#endif |