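#ifndef _LIBIPTC_H
#define _LIBIPTC_H
/* Library which manipulates filtering rules.
 *
 * Public libiptc API: iptc_init() takes a snapshot of one table into an
 * opaque handle, the iterator functions walk its chains and rules, and the
 * modifying functions edit the snapshot; nothing reaches the kernel until
 * iptc_commit() is called.
 *
 * NOTE(review): the guard name _LIBIPTC_H is in the implementation-reserved
 * namespace (leading underscore + capital).  It is kept unchanged here
 * because external code may test for it.
 */

#include <libiptc/ipt_kernel_headers.h>
#include <linux/netfilter_ipv4/ip_tables.h>

#ifdef __cplusplus
extern "C" {
#endif

#ifndef IPT_MIN_ALIGN
/* ipt_entry has pointers and u_int64_t's in it, so if you align to
   it, you'll also align to any crazy matches and targets someone
   might write */
#define IPT_MIN_ALIGN (__alignof__(struct ipt_entry))
#endif

/* Round `s' up to the next multiple of IPT_MIN_ALIGN.  The mask arithmetic
   is only correct when IPT_MIN_ALIGN is a power of two (__alignof__ of a
   struct always is); anyone pre-defining IPT_MIN_ALIGN must keep it one,
   otherwise entry sizes computed with this macro are silently wrong. */
#define IPT_ALIGN(s) (((s) + ((IPT_MIN_ALIGN)-1)) & ~((IPT_MIN_ALIGN)-1))

/* Fixed-size chain name.  None of the functions below take a length for a
   chain name, and the `const char *chain' forms treat it as a C string, so
   a label must be NUL-terminated within its 32 bytes. */
typedef char ipt_chainlabel[32];

#define IPTC_LABEL_ACCEPT "ACCEPT"
#define IPTC_LABEL_DROP "DROP"
#define IPTC_LABEL_QUEUE "QUEUE"
#define IPTC_LABEL_RETURN "RETURN"

/* Transparent handle type.
   Note that iptc_handle_t is itself a pointer, so a parameter declared
   `const iptc_handle_t' is a const pointer to a mutable handle, not a
   pointer to a read-only handle. */
typedef struct iptc_handle *iptc_handle_t;

/* Does this chain exist?  Returns non-zero if `chain' is present in the
   snapshot held by `handle', 0 otherwise. */
int iptc_is_chain(const char *chain, const iptc_handle_t handle);

/* Take a snapshot of the rules of table `tablename'.
   Returns NULL on error. */
iptc_handle_t iptc_init(const char *tablename);

/* Iterator functions to run through the chains.  Returns NULL at end. */
const char *iptc_first_chain(iptc_handle_t *handle);
const char *iptc_next_chain(iptc_handle_t *handle);

/* Get first rule in the given chain: NULL for empty chain. */
const struct ipt_entry *iptc_first_rule(const char *chain,
					iptc_handle_t *handle);

/* Returns NULL when rules run out. */
const struct ipt_entry *iptc_next_rule(const struct ipt_entry *prev,
				       iptc_handle_t *handle);

/* Returns a pointer to the target name of this entry. */
const char *iptc_get_target(const struct ipt_entry *e,
			    iptc_handle_t *handle);

/* Is this a built-in chain? */
int iptc_builtin(const char *chain, const iptc_handle_t handle);

/* Get the policy of a given built-in chain.  The chain's counters are
   written to `counter'. */
const char *iptc_get_policy(const char *chain,
			    struct ipt_counters *counter,
			    iptc_handle_t *handle);

/* The modifying functions below return TRUE (non-zero) on success.  On
   failure they return 0 and set errno; if errno == 0 after a failure, it
   means there was a version error (ie. upgrade libiptc).  Callers should
   check the return value rather than errno alone. */
/* Rule numbers start at 1 for the first rule. */

/* Insert the entry `e' in chain `chain' into position `rulenum'. */
int iptc_insert_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      unsigned int rulenum,
		      iptc_handle_t *handle);

/* Atomically replace rule `rulenum' in `chain' with `e'. */
int iptc_replace_entry(const ipt_chainlabel chain,
		       const struct ipt_entry *e,
		       unsigned int rulenum,
		       iptc_handle_t *handle);

/* Append entry `e' to chain `chain'.  Equivalent to insert with
   rulenum = length of chain. */
int iptc_append_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *e,
		      iptc_handle_t *handle);

/* Delete the first rule in `chain' which matches `e', subject to
   matchmask (array of length == origfw).  `matchmask' is a byte mask
   applied when comparing candidate rules against `origfw'; the caller is
   responsible for sizing it to the full length of `origfw' — presumably
   its total entry size including matches and target; confirm against the
   implementation. */
int iptc_delete_entry(const ipt_chainlabel chain,
		      const struct ipt_entry *origfw,
		      unsigned char *matchmask,
		      iptc_handle_t *handle);

/* Delete the rule in position `rulenum' in `chain'. */
int iptc_delete_num_entry(const ipt_chainlabel chain,
			  unsigned int rulenum,
			  iptc_handle_t *handle);

/* Check the packet `e' on chain `chain'.  Returns the verdict, or
   NULL and sets errno. */
const char *iptc_check_packet(const ipt_chainlabel chain,
			      struct ipt_entry *entry,
			      iptc_handle_t *handle);

/* Flushes the entries in the given chain (ie. empties chain). */
int iptc_flush_entries(const ipt_chainlabel chain,
		       iptc_handle_t *handle);

/* Zeroes the counters in a chain. */
int iptc_zero_entries(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Creates a new chain. */
int iptc_create_chain(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Deletes a chain. */
int iptc_delete_chain(const ipt_chainlabel chain,
		      iptc_handle_t *handle);

/* Renames a chain. */
int iptc_rename_chain(const ipt_chainlabel oldname,
		      const ipt_chainlabel newname,
		      iptc_handle_t *handle);

/* Sets the policy on a built-in chain.  `counters' supplies the counters
   to install along with the policy. */
int iptc_set_policy(const ipt_chainlabel chain,
		    const ipt_chainlabel policy,
		    struct ipt_counters *counters,
		    iptc_handle_t *handle);

/* Get the number of references to this chain; the count is written to
   `*ref'. */
int iptc_get_references(unsigned int *ref,
			const ipt_chainlabel chain,
			iptc_handle_t *handle);

/* Read packet and byte counters for a specific rule.
   Returns NULL on failure (see the errno convention above). */
struct ipt_counters *iptc_read_counter(const ipt_chainlabel chain,
				       unsigned int rulenum,
				       iptc_handle_t *handle);

/* Zero packet and byte counters for a specific rule. */
int iptc_zero_counter(const ipt_chainlabel chain,
		      unsigned int rulenum,
		      iptc_handle_t *handle);

/* Set packet and byte counters for a specific rule. */
int iptc_set_counter(const ipt_chainlabel chain,
		     unsigned int rulenum,
		     struct ipt_counters *counters,
		     iptc_handle_t *handle);

/* Makes the actual changes: pushes the modified snapshot in `handle' to
   the kernel. */
int iptc_commit(iptc_handle_t *handle);

/* Get raw socket.
   Declared with an explicit (void) parameter list: an empty list `()' is
   an unprototyped declaration in C and disables argument checking. */
int iptc_get_raw_socket(void);

/* Translates errno numbers into more human-readable form than strerror. */
const char *iptc_strerror(int err);

#ifdef __cplusplus
}
#endif


#endif /* _LIBIPTC_H */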