netfilter.h (1799B)
1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2#ifndef _UAPI__LINUX_NETFILTER_H 3#define _UAPI__LINUX_NETFILTER_H 4 5#include <linux/types.h> 6#include <linux/compiler.h> 7#include <linux/in.h> 8#include <linux/in6.h> 9 10/* Responses from hook functions. */ 11#define NF_DROP 0 12#define NF_ACCEPT 1 13#define NF_STOLEN 2 14#define NF_QUEUE 3 15#define NF_REPEAT 4 16#define NF_STOP 5 /* Deprecated, for userspace nf_queue compatibility. */ 17#define NF_MAX_VERDICT NF_STOP 18 19/* we overload the higher bits for encoding auxiliary data such as the queue 20 * number or errno values. Not nice, but better than additional function 21 * arguments. */ 22#define NF_VERDICT_MASK 0x000000ff 23 24/* extra verdict flags have mask 0x0000ff00 */ 25#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000 26 27/* queue number (NF_QUEUE) or errno (NF_DROP) */ 28#define NF_VERDICT_QMASK 0xffff0000 29#define NF_VERDICT_QBITS 16 30 31#define NF_QUEUE_NR(x) ((((x) << 16) & NF_VERDICT_QMASK) | NF_QUEUE) 32 33#define NF_DROP_ERR(x) (((-x) << 16) | NF_DROP) 34 35/* only for userspace compatibility */ 36#ifndef __KERNEL__ 37 38/* NF_VERDICT_BITS should be 8 now, but userspace might break if this changes */ 39#define NF_VERDICT_BITS 16 40#endif 41 42enum nf_inet_hooks { 43 NF_INET_PRE_ROUTING, 44 NF_INET_LOCAL_IN, 45 NF_INET_FORWARD, 46 NF_INET_LOCAL_OUT, 47 NF_INET_POST_ROUTING, 48 NF_INET_NUMHOOKS, 49 NF_INET_INGRESS = NF_INET_NUMHOOKS, 50}; 51 52enum nf_dev_hooks { 53 NF_NETDEV_INGRESS, 54 NF_NETDEV_EGRESS, 55 NF_NETDEV_NUMHOOKS 56}; 57 58enum { 59 NFPROTO_UNSPEC = 0, 60 NFPROTO_INET = 1, 61 NFPROTO_IPV4 = 2, 62 NFPROTO_ARP = 3, 63 NFPROTO_NETDEV = 5, 64 NFPROTO_BRIDGE = 7, 65 NFPROTO_IPV6 = 10, 66 NFPROTO_DECNET = 12, 67 NFPROTO_NUMPROTO, 68}; 69 70union nf_inet_addr { 71 __u32 all[4]; 72 __be32 ip; 73 __be32 ip6[4]; 74 struct in_addr in; 75 struct in6_addr in6; 76}; 77 78#endif /* _UAPI__LINUX_NETFILTER_H */