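#ifndef _LIBIPTC_H
#define _LIBIPTC_H
/* Library which manipulates filtering rules.
 *
 * Public interface of libiptc.  The model is: iptc_init() takes a
 * snapshot of one ip_tables table into an opaque handle, the functions
 * below inspect and edit that snapshot, and iptc_commit() pushes the
 * result back to the kernel.  Nothing takes effect before iptc_commit().
 *
 * NOTE(review): no function that releases an iptc_handle_t is declared
 * in this header; confirm with the implementation how (and when) the
 * handle is freed before relying on its lifetime. */

#include <libiptc/ipt_kernel_headers.h>
#include <linux/netfilter_ipv4/ip_tables.h>

#ifdef __cplusplus
extern "C" {
#endif

#ifndef IPT_MIN_ALIGN
/* ipt_entry has pointers and u_int64_t's in it, so if you align to
   it, you'll also align to any crazy matches and targets someone
   might write */
#define IPT_MIN_ALIGN (__alignof__(struct ipt_entry))
#endif

/* Round `s' up to the next multiple of IPT_MIN_ALIGN.  The add-and-mask
   form only works when IPT_MIN_ALIGN is a power of two; `s' is
   evaluated exactly once. */
#define IPT_ALIGN(s) (((s) + ((IPT_MIN_ALIGN)-1)) & ~((IPT_MIN_ALIGN)-1))

/* Fixed-size chain name buffer.  When used as a parameter type below it
   decays to `char *', so the 32-byte bound is NOT enforced by the
   compiler: callers must pass a NUL-terminated name that fits in it
   (how an over-long name is handled is up to the implementation). */
typedef char ipt_chainlabel[32];

/* Names of the standard verdicts. */
#define IPTC_LABEL_ACCEPT  "ACCEPT"
#define IPTC_LABEL_DROP    "DROP"
#define IPTC_LABEL_QUEUE   "QUEUE"
#define IPTC_LABEL_RETURN  "RETURN"

/* Transparent handle type.  struct iptc_handle is never defined here;
   only the library looks inside it.  Beware that `const iptc_handle_t'
   qualifies the pointer itself, not the struct it points to. */
typedef struct iptc_handle *iptc_handle_t;

/* Does this chain exist?  Non-zero if `chain' is a chain in the
   snapshot held by `handle', 0 otherwise. */
int iptc_is_chain(const char *chain, const iptc_handle_t handle);

/* Take a snapshot of the rules.  Returns NULL on error.
   `tablename' names the ip_tables table to load (e.g. "filter"). */
iptc_handle_t iptc_init(const char *tablename);

/* Iterator functions to run through the chains.  Returns NULL at end.
   iptc_first_chain() restarts the iteration; iptc_next_chain() yields
   the chain after the one returned by the previous call.  The lifetime
   of the returned name is not stated here; presumably it is only valid
   while `handle' is -- do not free it. */
const char *iptc_first_chain(iptc_handle_t *handle);
const char *iptc_next_chain(iptc_handle_t *handle);

/* Get first rule in the given chain: NULL for empty chain. */
const struct ipt_entry *iptc_first_rule(const char *chain,
					iptc_handle_t *handle);

/* Returns NULL when rules run out.  `prev' is the entry returned by the
   previous iptc_first_rule()/iptc_next_rule() call. */
const struct ipt_entry *iptc_next_rule(const struct ipt_entry *prev,
				       iptc_handle_t *handle);

/* Returns a pointer to the target name of this entry. */
const char *iptc_get_target(const struct ipt_entry *e,
			    iptc_handle_t *handle);

/* Is this a built-in chain?  Non-zero for built-in chains, 0 for
   user-defined ones. */
int iptc_builtin(const char *chain, const iptc_handle_t handle);

/* Get the policy of a given built-in chain.  `counter' is non-const
   and presumably receives the policy's counters (output parameter)
   -- confirm against the implementation. */
const char *iptc_get_policy(const char *chain,
			    struct ipt_counters *counter,
			    iptc_handle_t *handle);

/* The editing functions below return non-zero (TRUE) on success, or 0
   and set errno on failure.  If errno == 0 after a failure, it means
   there was a version error (ie. upgrade libiptc).  Read errno
   immediately after the failing call, before anything else can
   overwrite it. */
/* Rule numbers start at 1 for the first rule. */

/* Insert the entry `e' in chain `chain' into position `rulenum'. */
int iptc_insert_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      unsigned int rulenum,
		      iptc_handle_t *handle);

/* Atomically replace rule `rulenum' in `chain' with `e'. */
int iptc_replace_entry(const ipt_chainlabel chain,
		       const struct ipt_entry *e,
		       unsigned int rulenum,
		       iptc_handle_t *handle);

/* Append entry `e' to chain `chain'.  Equivalent to insert with
   rulenum = length of chain. */
int iptc_append_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      iptc_handle_t *handle);

/* Delete the first rule in `chain' which matches `e', subject to
   matchmask (array of length == origfw).
   NOTE(review): "length == origfw" is presumably the size of the
   `origfw' entry; confirm the exact required length with the
   implementation before sizing `matchmask'. */
int iptc_delete_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *origfw,
		      unsigned char *matchmask,
		      iptc_handle_t *handle);

/* Delete the rule in position `rulenum' in `chain'. */
int iptc_delete_num_entry(const ipt_chainlabel chain,
			  unsigned int rulenum,
			  iptc_handle_t *handle);

/* Check the packet `e' on chain `chain'.  Returns the verdict, or
   NULL and sets errno.  `entry' is taken non-const; whether it is
   modified is not stated here. */
const char *iptc_check_packet(const ipt_chainlabel chain,
			      struct ipt_entry *entry,
			      iptc_handle_t *handle);

/* Flushes the entries in the given chain (ie. empties chain). */
int iptc_flush_entries(const ipt_chainlabel chain,
		       iptc_handle_t *handle);

/* Zeroes the counters in a chain. */
int iptc_zero_entries(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Creates a new chain. */
int iptc_create_chain(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Deletes a chain. */
int iptc_delete_chain(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Renames a chain. */
int iptc_rename_chain(const ipt_chainlabel oldname,
		      const ipt_chainlabel newname,
		      iptc_handle_t *handle);

/* Sets the policy on a built-in chain.  `policy' is presumably one of
   the IPTC_LABEL_* names above; `counters' is non-const and its role
   (input or output) is not stated here. */
int iptc_set_policy(const ipt_chainlabel chain,
		    const ipt_chainlabel policy,
		    struct ipt_counters *counters,
		    iptc_handle_t *handle);

/* Get the number of references to this chain.  The count is stored
   through `ref' (output parameter). */
int iptc_get_references(unsigned int *ref,
			const ipt_chainlabel chain,
			iptc_handle_t *handle);

/* read packet and byte counters for a specific rule.
   NOTE(review): ownership of the returned pointer is not stated;
   presumably it points into `handle' and must not be freed. */
struct ipt_counters *iptc_read_counter(const ipt_chainlabel chain,
				       unsigned int rulenum,
				       iptc_handle_t *handle);

/* zero packet and byte counters for a specific rule */
int iptc_zero_counter(const ipt_chainlabel chain,
		      unsigned int rulenum,
		      iptc_handle_t *handle);

/* set packet and byte counters for a specific rule */
int iptc_set_counter(const ipt_chainlabel chain,
		     unsigned int rulenum,
		     struct ipt_counters *counters,
		     iptc_handle_t *handle);

/* Makes the actual changes.  Until this is called every edit above only
   touches the snapshot in `handle', not the kernel's ruleset. */
int iptc_commit(iptc_handle_t *handle);

/* Get raw socket.  Declared with a proper `(void)' prototype: an empty
   parameter list is a non-prototype (obsolescent) declaration in C.
   NOTE(review): ownership of the returned descriptor is not stated
   here; confirm with the implementation before closing it. */
int iptc_get_raw_socket(void);

/* Translates errno numbers into more human-readable form than strerror. */
const char *iptc_strerror(int err);

#ifdef __cplusplus
}
#endif


#endif /* _LIBIPTC_H */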
164