Skip to content
Navigation Menu
Toggle navigation
Sign in
In this repository
All GitHub Enterprise
↵
Jump to
↵
No suggested jump to results
In this repository
All GitHub Enterprise
↵
Jump to
↵
In this organization
All GitHub Enterprise
↵
Jump to
↵
In this repository
All GitHub Enterprise
↵
Jump to
↵
Sign in
Reseting focus
You signed in with another tab or window.
Reload
to refresh your session.
You signed out in another tab or window.
Reload
to refresh your session.
You switched accounts on another tab or window.
Reload
to refresh your session.
Dismiss alert
{{ message }}
mariux64
/
linux
Public
Notifications
You must be signed in to change notification settings
Fork
0
Star
0
Code
Issues
2
Pull requests
0
Actions
Projects
0
Wiki
Security
Insights
Additional navigation options
Code
Issues
Pull requests
Actions
Projects
Wiki
Security
Insights
Files
4b1f5dd
Documentation
LICENSES
arch
block
certs
crypto
drivers
fs
include
acpi
asm-generic
clocksource
crypto
drm
dt-bindings
keys
kvm
linux
amba
avf
bcma
byteorder
can
ceph
clk
crush
decompress
dma
dsa
extcon
firmware
fpga
fsl
gpio
greybus
hsi
i3c
iio
input
irqchip
isdn
lockd
mailbox
mfd
mlx4
mlx5
mmc
mtd
mux
netfilter
netfilter_arp
netfilter_bridge
netfilter_ipv4
netfilter_ipv6
perf
phy
pinctrl
platform_data
power
qed
raid
regulator
remoteproc
reset
rpmsg
rtc
sched
8250_pci.h
a.out.h
acct.h
acpi.h
acpi_dma.h
acpi_iort.h
acpi_pmtmr.h
adb.h
adfs_fs.h
adxl.h
aer.h
agp_backend.h
agpgart.h
ahci-remap.h
ahci_platform.h
aio.h
alarmtimer.h
alcor_pci.h
altera_jtaguart.h
altera_uart.h
amd-iommu.h
anon_inodes.h
apm-emulation.h
apm_bios.h
apple-gmux.h
apple_bl.h
arch_topology.h
arm-cci.h
arm-smccc.h
arm_sdei.h
armada-37xx-rwtm-mailbox.h
ascii85.h
asn1.h
asn1_ber_bytecode.h
asn1_decoder.h
assoc_array.h
assoc_array_priv.h
async.h
async_tx.h
ata.h
ata_platform.h
atalk.h
ath9k_platform.h
atm.h
atm_suni.h
atm_tcp.h
atmdev.h
atmel-mci.h
atmel-ssc.h
atmel_pdc.h
atomic-fallback.h
atomic.h
attribute_container.h
audit.h
auto_dev-ioctl.h
auto_fs.h
auxvec.h
average.h
b1pcmcia.h
backing-dev-defs.h
backing-dev.h
backlight.h
badblocks.h
balloon_compaction.h
bcd.h
bch.h
bcm47xx_nvram.h
bcm47xx_sprom.h
bcm47xx_wdt.h
bcm963xx_nvram.h
bcm963xx_tag.h
binfmts.h
bio.h
bit_spinlock.h
bitfield.h
bitmap.h
bitops.h
bitrev.h
bits.h
blk-cgroup.h
blk-mq-pci.h
blk-mq-rdma.h
blk-mq-virtio.h
blk-mq.h
blk-pm.h
blk_types.h
blkdev.h
blkpg.h
blktrace_api.h
blockgroup_lock.h
bma150.h
bottom_half.h
bpf-cgroup.h
bpf.h
bpf_lirc.h
bpf_trace.h
bpf_types.h
bpf_verifier.h
bpfilter.h
brcmphy.h
bsearch.h
bsg-lib.h
bsg.h
btf.h
btree-128.h
btree-type.h
btree.h
btrfs.h
buffer_head.h
bug.h
build-salt.h
build_bug.h
bvec.h
c2port.h
cache.h
cacheinfo.h
capability.h
cb710.h
cciss_ioctl.h
ccp.h
cdev.h
cdrom.h
cfag12864b.h
cgroup-defs.h
cgroup.h
cgroup_rdma.h
cgroup_subsys.h
circ_buf.h
cleancache.h
clk-provider.h
clk.h
clkdev.h
clock_cooling.h
clockchips.h
clocksource.h
cm4000_cs.h
cma.h
cmdline-parser.h
cn_proc.h
cnt32_to_63.h
coda.h
compaction.h
compat.h
compiler-clang.h
compiler-gcc.h
compiler-intel.h
compiler.h
compiler_attributes.h
compiler_types.h
completion.h
component.h
configfs.h
connector.h
console.h
console_struct.h
consolemap.h
const.h
container.h
context_tracking.h
context_tracking_state.h
cordic.h
coredump.h
coresight-pmu.h
coresight-stm.h
coresight.h
count_zeros.h
counter.h
counter_enum.h
cper.h
cpu.h
cpu_cooling.h
cpu_pm.h
cpu_rmap.h
cpufeature.h
cpufreq.h
cpuhotplug.h
cpuidle.h
cpuidle_haltpoll.h
cpumask.h
cpuset.h
crash_core.h
crash_dump.h
crc-ccitt.h
crc-itu-t.h
crc-t10dif.h
crc16.h
crc32.h
crc32c.h
crc32poly.h
crc4.h
crc64.h
crc7.h
crc8.h
cred.h
crypto.h
cryptohash.h
cs5535.h
ctype.h
cuda.h
cyclades.h
davinci_emac.h
dax.h
dca.h
dcache.h
dccp.h
dcookies.h
debug_locks.h
debugfs.h
debugobjects.h
delay.h
delayacct.h
delayed_call.h
devcoredump.h
devfreq-event.h
devfreq.h
devfreq_cooling.h
device-mapper.h
device.h
device_cgroup.h
devpts_fs.h
digsig.h
dim.h
dio.h
dirent.h
dlm.h
dlm_plock.h
dm-bufio.h
dm-dirty-log.h
dm-io.h
dm-kcopyd.h
dm-region-hash.h
dm9000.h
dma-buf.h
dma-contiguous.h
dma-debug.h
dma-direct.h
dma-direction.h
dma-fence-array.h
dma-fence-chain.h
dma-fence.h
dma-iommu.h
dma-mapping.h
dma-noncoherent.h
dma-resv.h
dmaengine.h
dmapool.h
dmar.h
dmi.h
dnotify.h
dns_resolver.h
dqblk_qtree.h
dqblk_v1.h
dqblk_v2.h
drbd.h
drbd_genl.h
drbd_genl_api.h
drbd_limits.h
ds2782_battery.h
dtlk.h
dw_apb_timer.h
dynamic_debug.h
dynamic_queue_limits.h
earlycpio.h
ecryptfs.h
edac.h
edd.h
eeprom_93cx6.h
eeprom_93xx46.h
efi-bgrt.h
efi.h
efs_vh.h
eisa.h
elevator.h
elf-fdpic.h
elf-randomize.h
elf.h
elfcore-compat.h
elfcore.h
elfnote.h
enclosure.h
energy_model.h
err.h
errno.h
error-injection.h
errqueue.h
errseq.h
etherdevice.h
ethtool.h
eventfd.h
eventpoll.h
evm.h
export.h
exportfs.h
ext2_fs.h
extable.h
extcon-provider.h
extcon.h
f2fs_fs.h
f75375s.h
falloc.h
fanotify.h
fault-inject.h
fb.h
fbcon.h
fcdevice.h
fcntl.h
fd.h
fddidevice.h
fdtable.h
fec.h
file.h
filter.h
fips.h
firewire.h
firmware-map.h
firmware.h
fixp-arith.h
flat.h
flex_proportions.h
font.h
frame.h
freezer.h
frontswap.h
fs.h
fs_context.h
fs_enet_pd.h
fs_parser.h
fs_pin.h
fs_stack.h
fs_struct.h
fs_types.h
fs_uart_pd.h
fscache-cache.h
fscache.h
fscrypt.h
fsi-occ.h
fsi-sbefifo.h
fsi.h
fsl-diu-fb.h
fsl_devices.h
fsl_hypervisor.h
fsl_ifc.h
fsldma.h
fsnotify.h
fsnotify_backend.h
fsverity.h
ftrace.h
ftrace_irq.h
futex.h
fwnode.h
gameport.h
gcd.h
genalloc.h
generic-radix-tree.h
genetlink.h
genhd.h
genl_magic_func.h
genl_magic_struct.h
getcpu.h
gfp.h
glob.h
gnss.h
goldfish.h
gpio-pxa.h
gpio.h
gpio_keys.h
greybus.h
hardirq.h
hash.h
hashtable.h
hdlc.h
hdlcdrv.h
hdmi.h
hid-debug.h
hid-roccat.h
hid-sensor-hub.h
hid-sensor-ids.h
hid.h
hiddev.h
hidraw.h
highmem.h
highuid.h
hil.h
hil_mlc.h
hippidevice.h
hmm.h
host1x.h
hp_sdc.h
hpet.h
hrtimer.h
hrtimer_defs.h
htcpld.h
huge_mm.h
hugetlb.h
hugetlb_cgroup.h
hugetlb_inline.h
hw_breakpoint.h
hw_random.h
hwmon-sysfs.h
hwmon-vid.h
hwmon.h
hwspinlock.h
hyperv.h
hypervisor.h
i2c-algo-bit.h
i2c-algo-pca.h
i2c-algo-pcf.h
i2c-dev.h
i2c-mux.h
i2c-pxa.h
i2c-smbus.h
i2c.h
i8042.h
i8253.h
icmp.h
icmpv6.h
ide.h
idle_inject.h
idr.h
ieee80211.h
ieee802154.h
if_arp.h
if_bridge.h
if_eql.h
if_ether.h
if_fddi.h
if_frad.h
if_link.h
if_ltalk.h
if_macvlan.h
if_phonet.h
if_pppol2tp.h
if_pppox.h
if_rmnet.h
if_tap.h
if_team.h
if_tun.h
if_tunnel.h
if_vlan.h
igmp.h
ihex.h
ima.h
imx-media.h
in.h
in6.h
indirect_call_wrapper.h
inet.h
inet_diag.h
inetdevice.h
init.h
init_ohci1394_dma.h
init_task.h
initrd.h
inotify.h
input-polldev.h
input.h
integrity.h
intel-iommu.h
intel-ish-client-if.h
intel-pti.h
intel-svm.h
intel_rapl.h
intel_th.h
interconnect-provider.h
interconnect.h
interrupt.h
interval_tree.h
interval_tree_generic.h
io-64-nonatomic-hi-lo.h
io-64-nonatomic-lo-hi.h
io-mapping.h
io-pgtable.h
io.h
ioc3.h
iocontext.h
iomap.h
iommu-helper.h
iommu.h
iopoll.h
ioport.h
ioprio.h
iova.h
ip.h
ipack.h
ipc.h
ipc_namespace.h
ipmi-fru.h
ipmi.h
ipmi_smi.h
ipv6.h
ipv6_route.h
irq.h
irq_cpustat.h
irq_poll.h
irq_sim.h
irq_work.h
irqbypass.h
irqchip.h
irqdesc.h
irqdomain.h
irqflags.h
irqhandler.h
irqnr.h
irqreturn.h
isa.h
isapnp.h
iscsi_boot_sysfs.h
iscsi_ibft.h
isicom.h
iversion.h
jbd2.h
jhash.h
jiffies.h
journal-head.h
joystick.h
jump_label.h
jump_label_ratelimit.h
jz4740-adc.h
jz4780-nemc.h
kallsyms.h
kasan-checks.h
kasan.h
kbd_diacr.h
kbd_kern.h
kbuild.h
kconfig.h
kcore.h
kcov.h
kd.h
kdb.h
kdebug.h
kdev_t.h
kern_levels.h
kernel-page-flags.h
kernel.h
kernel_stat.h
kernelcapi.h
kernfs.h
kexec.h
key-type.h
key.h
keyboard.h
keyctl.h
kfifo.h
kgdb.h
khugepaged.h
klist.h
kmemleak.h
kmod.h
kmsg_dump.h
kobj_map.h
kobject.h
kobject_ns.h
kprobes.h
kref.h
ks0108.h
ks8842.h
ks8851_mll.h
ksm.h
kthread.h
ktime.h
kvm_host.h
kvm_irqfd.h
kvm_para.h
kvm_types.h
l2tp.h
lantiq.h
lapb.h
latencytop.h
lcd.h
lcm.h
led-class-flash.h
led-lm3530.h
leds-bd2802.h
leds-lp3944.h
leds-lp3952.h
leds-pca9532.h
leds-regulator.h
leds-tca6507.h
leds-ti-lmu-common.h
leds.h
leds_pwm.h
libata.h
libfdt.h
libfdt_env.h
libgcc.h
libnvdimm.h
libps2.h
license.h
lightnvm.h
limits.h
linkage.h
linkmode.h
linux_logo.h
lis3lv02d.h
list.h
list_bl.h
list_lru.h
list_nulls.h
list_sort.h
livepatch.h
llc.h
llist.h
lockdep.h
lockref.h
log2.h
logic_pio.h
lp.h
lru_cache.h
lsm_audit.h
lsm_hooks.h
lz4.h
lzo.h
mISDNdsp.h
mISDNhw.h
mISDNif.h
mailbox_client.h
mailbox_controller.h
maple.h
marvell_phy.h
math64.h
max17040_battery.h
mbcache.h
mbus.h
mc146818rtc.h
mc6821.h
mcb.h
mdev.h
mdio-bitbang.h
mdio-gpio.h
mdio-mux.h
mdio.h
mei_cl_bus.h
mem_encrypt.h
memblock.h
memcontrol.h
memfd.h
memory.h
memory_hotplug.h
mempolicy.h
mempool.h
memremap.h
memstick.h
mic_bus.h
micrel_phy.h
microchipphy.h
migrate.h
migrate_mode.h
mii.h
miscdevice.h
mm-arch-hooks.h
mm.h
mm_inline.h
mm_types.h
mm_types_task.h
mman.h
mmdebug.h
mmiotrace.h
mmu_context.h
mmu_notifier.h
mmzone.h
mnt_namespace.h
mod_devicetable.h
module.h
module_signature.h
moduleloader.h
moduleparam.h
mount.h
moxtet.h
mpage.h
mpi.h
mpls.h
mpls_iptunnel.h
mroute.h
mroute6.h
mroute_base.h
msdos_fs.h
msg.h
msi.h
mutex.h
mv643xx.h
mv643xx_eth.h
mv643xx_i2c.h
mvebu-pmsu.h
mxm-wmi.h
n_r3964.h
namei.h
nd.h
ndctl.h
net.h
netdev_features.h
netdevice.h
netfilter.h
netfilter_bridge.h
netfilter_defs.h
netfilter_ingress.h
netfilter_ipv4.h
netfilter_ipv6.h
netlink.h
netpoll.h
nfs.h
nfs3.h
nfs4.h
nfs_fs.h
nfs_fs_i.h
nfs_fs_sb.h
nfs_iostat.h
nfs_page.h
nfs_xdr.h
nfsacl.h
nl802154.h
nls.h
nmi.h
node.h
nodemask.h
nospec.h
notifier.h
ns_common.h
nsc_gpio.h
nsproxy.h
ntb.h
ntb_transport.h
nubus.h
numa.h
nvme-fc-driver.h
nvme-fc.h
nvme-rdma.h
nvme-tcp.h
nvme.h
nvmem-consumer.h
nvmem-provider.h
nvram.h
objagg.h
of.h
of_address.h
of_clk.h
of_device.h
of_dma.h
of_fdt.h
of_gpio.h
of_graph.h
of_iommu.h
of_irq.h
of_mdio.h
of_net.h
of_pci.h
of_pdt.h
of_platform.h
of_reserved_mem.h
oid_registry.h
olpc-ec.h
omap-dma.h
omap-gpmc.h
omap-iommu.h
omap-mailbox.h
omapfb.h
once.h
oom.h
openvswitch.h
oprofile.h
osq_lock.h
overflow.h
packing.h
padata.h
page-flags-layout.h
page-flags.h
page-isolation.h
page_counter.h
page_ext.h
page_idle.h
page_owner.h
page_ref.h
pageblock-flags.h
pagemap.h
pagevec.h
pagewalk.h
parman.h
parport.h
parport_pc.h
parser.h
pata_arasan_cf_data.h
patchkey.h
path.h
pch_dma.h
pci-acpi.h
pci-ats.h
pci-dma-compat.h
pci-ecam.h
pci-ep-cfs.h
pci-epc.h
pci-epf.h
pci-p2pdma.h
pci.h
pci_hotplug.h
pci_ids.h
pda_power.h
pe.h
percpu-defs.h
percpu-refcount.h
percpu-rwsem.h
percpu.h
percpu_counter.h
perf_event.h
perf_regs.h
personality.h
pfn.h
pfn_t.h
phonet.h
phy.h
phy_fixed.h
phy_led_triggers.h
phylink.h
pid.h
pid_namespace.h
pim.h
pipe_fs_i.h
pkeys.h
pktcdvd.h
pl320-ipc.h
pl353-smc.h
platform_device.h
plist.h
pm-trace.h
pm.h
pm2301_charger.h
pm_clock.h
pm_domain.h
pm_opp.h
pm_qos.h
pm_runtime.h
pm_wakeirq.h
pm_wakeup.h
pmbus.h
pmu.h
pnfs_osd_xdr.h
pnp.h
poison.h
poll.h
posix-clock.h
posix-timers.h
posix_acl.h
posix_acl_xattr.h
power_supply.h
powercap.h
ppp-comp.h
ppp_channel.h
ppp_defs.h
pps-gpio.h
pps_kernel.h
pr.h
preempt.h
prefetch.h
prime_numbers.h
printk.h
proc_fs.h
proc_ns.h
processor.h
profile.h
projid.h
property.h
psci.h
pseudo_fs.h
psi.h
psi_types.h
psp-sev.h
pstore.h
pstore_ram.h
pti.h
ptp_classify.h
ptp_clock_kernel.h
ptr_ring.h
ptrace.h
purgatory.h
pvclock_gtod.h
pwm.h
pwm_backlight.h
pxa168_eth.h
pxa2xx_ssp.h
qcom-geni-se.h
qcom_scm.h
qnx6_fs.h
quota.h
quotaops.h
radix-tree.h
raid_class.h
ramfs.h
random.h
range.h
ras.h
ratelimit.h
rational.h
rbtree.h
rbtree_augmented.h
rbtree_latch.h
rcu_node_tree.h
rcu_segcblist.h
rcu_sync.h
rculist.h
rculist_bl.h
rculist_nulls.h
rcupdate.h
rcupdate_wait.h
rcutiny.h
rcutree.h
rcuwait.h
reboot-mode.h
reboot.h
reciprocal_div.h
refcount.h
regmap.h
regset.h
relay.h
remoteproc.h
reset-controller.h
reset.h
resource.h
resource_ext.h
restart_block.h
rfkill.h
rhashtable-types.h
rhashtable.h
ring_buffer.h
rio.h
rio_drv.h
rio_ids.h
rio_regs.h
rmap.h
rmi.h
rndis.h
rodata_test.h
root_dev.h
rpmsg.h
rslib.h
rtc.h
rtmutex.h
rtnetlink.h
rtsx_common.h
rtsx_pci.h
rtsx_usb.h
rwlock.h
rwlock_api_smp.h
rwlock_types.h
rwsem.h
s3c_adc_battery.h
sbitmap.h
scatterlist.h
scc.h
sched.h
sched_clock.h
scif.h
scmi_protocol.h
292 entries not shown
math-emu
media
misc
net
pcmcia
ras
rdma
scsi
soc
sound
target
trace
uapi
vdso
video
xen
Kbuild
init
ipc
kernel
lib
mm
net
samples
scripts
security
sound
tools
usr
virt
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS
Makefile
README
Breadcrumbs
linux
/
include
/
linux
/
netfilter.h
Copy path
Blame
Blame
Latest commit
History
History
503 lines (431 loc) · 13.9 KB
Breadcrumbs
linux
/
include
/
linux
/
netfilter.h
Top
File metadata and controls
Code
Blame
503 lines (431 loc) · 13.9 KB
Raw
/* SPDX-License-Identifier: GPL-2.0 */ #ifndef __LINUX_NETFILTER_H #define __LINUX_NETFILTER_H #include <linux/init.h> #include <linux/skbuff.h> #include <linux/net.h> #include <linux/if.h> #include <linux/in.h> #include <linux/in6.h> #include <linux/wait.h> #include <linux/list.h> #include <linux/static_key.h> #include <linux/netfilter_defs.h> #include <linux/netdevice.h> #include <net/net_namespace.h> static inline int NF_DROP_GETERR(int verdict) { return -(verdict >> NF_VERDICT_QBITS); } static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1, const union nf_inet_addr *a2) { #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64 const unsigned long *ul1 = (const unsigned long *)a1; const unsigned long *ul2 = (const unsigned long *)a2; return ((ul1[0] ^ ul2[0]) | (ul1[1] ^ ul2[1])) == 0UL; #else return a1->all[0] == a2->all[0] && a1->all[1] == a2->all[1] && a1->all[2] == a2->all[2] && a1->all[3] == a2->all[3]; #endif } static inline void nf_inet_addr_mask(const union nf_inet_addr *a1, union nf_inet_addr *result, const union nf_inet_addr *mask) { #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64 const unsigned long *ua = (const unsigned long *)a1; unsigned long *ur = (unsigned long *)result; const unsigned long *um = (const unsigned long *)mask; ur[0] = ua[0] & um[0]; ur[1] = ua[1] & um[1]; #else result->all[0] = a1->all[0] & mask->all[0]; result->all[1] = a1->all[1] & mask->all[1]; result->all[2] = a1->all[2] & mask->all[2]; result->all[3] = a1->all[3] & mask->all[3]; #endif } int netfilter_init(void); struct sk_buff; struct nf_hook_ops; struct sock; struct nf_hook_state { unsigned int hook; u_int8_t pf; struct net_device *in; struct net_device *out; struct sock *sk; struct net *net; int (*okfn)(struct net *, struct sock *, struct sk_buff *); }; typedef unsigned int nf_hookfn(void *priv, struct sk_buff *skb, const struct nf_hook_state *state); struct nf_hook_ops { /* User fills in from here down. */ nf_hookfn *hook; struct net_device *dev; void *priv; u_int8_t pf; unsigned int hooknum; /* Hooks are ordered in ascending priority. */ int priority; }; struct nf_hook_entry { nf_hookfn *hook; void *priv; }; struct nf_hook_entries_rcu_head { struct rcu_head head; void *allocation; }; struct nf_hook_entries { u16 num_hook_entries; /* padding */ struct nf_hook_entry hooks[]; /* trailer: pointers to original orig_ops of each hook, * followed by rcu_head and scratch space used for freeing * the structure via call_rcu. * * This is not part of struct nf_hook_entry since its only * needed in slow path (hook register/unregister): * const struct nf_hook_ops *orig_ops[] * * For the same reason, we store this at end -- its * only needed when a hook is deleted, not during * packet path processing: * struct nf_hook_entries_rcu_head head */ }; #ifdef CONFIG_NETFILTER static inline struct nf_hook_ops **nf_hook_entries_get_hook_ops(const struct nf_hook_entries *e) { unsigned int n = e->num_hook_entries; const void *hook_end; hook_end = &e->hooks[n]; /* this is *past* ->hooks[]! */ return (struct nf_hook_ops **)hook_end; } static inline int nf_hook_entry_hookfn(const struct nf_hook_entry *entry, struct sk_buff *skb, struct nf_hook_state *state) { return entry->hook(entry->priv, skb, state); } static inline void nf_hook_state_init(struct nf_hook_state *p, unsigned int hook, u_int8_t pf, struct net_device *indev, struct net_device *outdev, struct sock *sk, struct net *net, int (*okfn)(struct net *, struct sock *, struct sk_buff *)) { p->hook = hook; p->pf = pf; p->in = indev; p->out = outdev; p->sk = sk; p->net = net; p->okfn = okfn; } struct nf_sockopt_ops { struct list_head list; u_int8_t pf; /* Non-inclusive ranges: use 0/0/NULL to never get called. */ int set_optmin; int set_optmax; int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len); #ifdef CONFIG_COMPAT int (*compat_set)(struct sock *sk, int optval, void __user *user, unsigned int len); #endif int get_optmin; int get_optmax; int (*get)(struct sock *sk, int optval, void __user *user, int *len); #ifdef CONFIG_COMPAT int (*compat_get)(struct sock *sk, int optval, void __user *user, int *len); #endif /* Use the module struct to lock set/get code in place */ struct module *owner; }; /* Function to register/unregister hook points. */ int nf_register_net_hook(struct net *net, const struct nf_hook_ops *ops); void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *ops); int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, unsigned int n); void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, unsigned int n); /* Functions to register get/setsockopt ranges (non-inclusive). You need to check permissions yourself! */ int nf_register_sockopt(struct nf_sockopt_ops *reg); void nf_unregister_sockopt(struct nf_sockopt_ops *reg); #ifdef CONFIG_JUMP_LABEL extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; #endif int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state, const struct nf_hook_entries *e, unsigned int i); void nf_hook_slow_list(struct list_head *head, struct nf_hook_state *state, const struct nf_hook_entries *e); /** * nf_hook - call a netfilter hook * * Returns 1 if the hook has allowed the packet to pass. The function * okfn must be invoked by the caller in this case. Any other return * value indicates the packet has been consumed by the hook. */ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb, struct net_device *indev, struct net_device *outdev, int (*okfn)(struct net *, struct sock *, struct sk_buff *)) { struct nf_hook_entries *hook_head = NULL; int ret = 1; #ifdef CONFIG_JUMP_LABEL if (__builtin_constant_p(pf) && __builtin_constant_p(hook) && !static_key_false(&nf_hooks_needed[pf][hook])) return 1; #endif rcu_read_lock(); switch (pf) { case NFPROTO_IPV4: hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]); break; case NFPROTO_IPV6: hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]); break; case NFPROTO_ARP: #ifdef CONFIG_NETFILTER_FAMILY_ARP if (WARN_ON_ONCE(hook >= ARRAY_SIZE(net->nf.hooks_arp))) break; hook_head = rcu_dereference(net->nf.hooks_arp[hook]); #endif break; case NFPROTO_BRIDGE: #ifdef CONFIG_NETFILTER_FAMILY_BRIDGE hook_head = rcu_dereference(net->nf.hooks_bridge[hook]); #endif break; #if IS_ENABLED(CONFIG_DECNET) case NFPROTO_DECNET: hook_head = rcu_dereference(net->nf.hooks_decnet[hook]); break; #endif default: WARN_ON_ONCE(1); break; } if (hook_head) { struct nf_hook_state state; nf_hook_state_init(&state, hook, pf, indev, outdev, sk, net, okfn); ret = nf_hook_slow(skb, &state, hook_head, 0); } rcu_read_unlock(); return ret; } /* Activate hook; either okfn or kfree_skb called, unless a hook returns NF_STOLEN (in which case, it's up to the hook to deal with the consequences). Returns -ERRNO if packet dropped. Zero means queued, stolen or accepted. */ /* RR: > I don't want nf_hook to return anything because people might forget > about async and trust the return value to mean "packet was ok". AK: Just document it clearly, then you can expect some sense from kernel coders :) */ static inline int NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb, struct net_device *in, struct net_device *out, int (*okfn)(struct net *, struct sock *, struct sk_buff *), bool cond) { int ret; if (!cond || ((ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn)) == 1)) ret = okfn(net, sk, skb); return ret; } static inline int NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb, struct net_device *in, struct net_device *out, int (*okfn)(struct net *, struct sock *, struct sk_buff *)) { int ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn); if (ret == 1) ret = okfn(net, sk, skb); return ret; } static inline void NF_HOOK_LIST(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct list_head *head, struct net_device *in, struct net_device *out, int (*okfn)(struct net *, struct sock *, struct sk_buff *)) { struct nf_hook_entries *hook_head = NULL; #ifdef CONFIG_JUMP_LABEL if (__builtin_constant_p(pf) && __builtin_constant_p(hook) && !static_key_false(&nf_hooks_needed[pf][hook])) return; #endif rcu_read_lock(); switch (pf) { case NFPROTO_IPV4: hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]); break; case NFPROTO_IPV6: hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]); break; default: WARN_ON_ONCE(1); break; } if (hook_head) { struct nf_hook_state state; nf_hook_state_init(&state, hook, pf, in, out, sk, net, okfn); nf_hook_slow_list(head, &state, hook_head); } rcu_read_unlock(); } /* Call setsockopt() */ int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, unsigned int len); int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, int *len); #ifdef CONFIG_COMPAT int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, unsigned int len); int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, int *len); #endif struct flowi; struct nf_queue_entry; __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, u_int8_t protocol, unsigned short family); __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, unsigned int len, u_int8_t protocol, unsigned short family); int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl, bool strict, unsigned short family); int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry); #include <net/flow.h> struct nf_conn; enum nf_nat_manip_type; struct nlattr; enum ip_conntrack_dir; struct nf_nat_hook { int (*parse_nat_setup)(struct nf_conn *ct, enum nf_nat_manip_type manip, const struct nlattr *attr); void (*decode_session)(struct sk_buff *skb, struct flowi *fl); unsigned int (*manip_pkt)(struct sk_buff *skb, struct nf_conn *ct, enum nf_nat_manip_type mtype, enum ip_conntrack_dir dir); }; extern struct nf_nat_hook __rcu *nf_nat_hook; static inline void nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) { #if IS_ENABLED(CONFIG_NF_NAT) struct nf_nat_hook *nat_hook; rcu_read_lock(); nat_hook = rcu_dereference(nf_nat_hook); if (nat_hook && nat_hook->decode_session) nat_hook->decode_session(skb, fl); rcu_read_unlock(); #endif } #else /* !CONFIG_NETFILTER */ static inline int NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb, struct net_device *in, struct net_device *out, int (*okfn)(struct net *, struct sock *, struct sk_buff *), bool cond) { return okfn(net, sk, skb); } static inline int NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb, struct net_device *in, struct net_device *out, int (*okfn)(struct net *, struct sock *, struct sk_buff *)) { return okfn(net, sk, skb); } static inline void NF_HOOK_LIST(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct list_head *head, struct net_device *in, struct net_device *out, int (*okfn)(struct net *, struct sock *, struct sk_buff *)) { /* nothing to do */ } static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb, struct net_device *indev, struct net_device *outdev, int (*okfn)(struct net *, struct sock *, struct sk_buff *)) { return 1; } struct flowi; static inline void nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) { } #endif /*CONFIG_NETFILTER*/ #if IS_ENABLED(CONFIG_NF_CONNTRACK) #include <linux/netfilter/nf_conntrack_zones_common.h> extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu; void nf_ct_attach(struct sk_buff *, const struct sk_buff *); struct nf_conntrack_tuple; bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple, const struct sk_buff *skb); #else static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} struct nf_conntrack_tuple; static inline bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple, const struct sk_buff *skb) { return false; } #endif struct nf_conn; enum ip_conntrack_info; struct nf_ct_hook { int (*update)(struct net *net, struct sk_buff *skb); void (*destroy)(struct nf_conntrack *); bool (*get_tuple_skb)(struct nf_conntrack_tuple *, const struct sk_buff *); }; extern struct nf_ct_hook __rcu *nf_ct_hook; struct nlattr; struct nfnl_ct_hook { struct nf_conn *(*get_ct)(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo); size_t (*build_size)(const struct nf_conn *ct); int (*build)(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo, u_int16_t ct_attr, u_int16_t ct_info_attr); int (*parse)(const struct nlattr *attr, struct nf_conn *ct); int (*attach_expect)(const struct nlattr *attr, struct nf_conn *ct, u32 portid, u32 report); void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo, s32 off); }; extern struct nfnl_ct_hook __rcu *nfnl_ct_hook; /** * nf_skb_duplicated - TEE target has sent a packet * * When a xtables target sends a packet, the OUTPUT and POSTROUTING * hooks are traversed again, i.e. nft and xtables are invoked recursively. * * This is used by xtables TEE target to prevent the duplicated skb from * being duplicated again. */ DECLARE_PER_CPU(bool, nf_skb_duplicated); #endif /*__LINUX_NETFILTER_H*/
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
You can’t perform that action at this time.