16f52b16cSGreg Kroah-Hartman /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2607ca46eSDavid Howells #ifndef _UAPI__LINUX_NETFILTER_H 3607ca46eSDavid Howells #define _UAPI__LINUX_NETFILTER_H 4607ca46eSDavid Howells 5607ca46eSDavid Howells #include <linux/types.h> 6607ca46eSDavid Howells #include <linux/compiler.h> 7a263653eSPablo Neira Ayuso #include <linux/in.h> 8a263653eSPablo Neira Ayuso #include <linux/in6.h> 9607ca46eSDavid Howells 10607ca46eSDavid Howells /* Responses from hook functions. */ 11607ca46eSDavid Howells #define NF_DROP 0 12607ca46eSDavid Howells #define NF_ACCEPT 1 13607ca46eSDavid Howells #define NF_STOLEN 2 14607ca46eSDavid Howells #define NF_QUEUE 3 15607ca46eSDavid Howells #define NF_REPEAT 4 1606fd3a39SPablo Neira Ayuso #define NF_STOP 5 /* Deprecated, for userspace nf_queue compatibility. */ 17607ca46eSDavid Howells #define NF_MAX_VERDICT NF_STOP 18607ca46eSDavid Howells 19607ca46eSDavid Howells /* we overload the higher bits for encoding auxiliary data such as the queue 20607ca46eSDavid Howells * number or errno values. Not nice, but better than additional function 21607ca46eSDavid Howells * arguments. */ 22607ca46eSDavid Howells #define NF_VERDICT_MASK 0x000000ff 23607ca46eSDavid Howells 24607ca46eSDavid Howells /* extra verdict flags have mask 0x0000ff00 */ 25607ca46eSDavid Howells #define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000 26607ca46eSDavid Howells 27607ca46eSDavid Howells /* queue number (NF_QUEUE) or errno (NF_DROP) */ 28607ca46eSDavid Howells #define NF_VERDICT_QMASK 0xffff0000 29607ca46eSDavid Howells #define NF_VERDICT_QBITS 16 30607ca46eSDavid Howells 31607ca46eSDavid Howells #define NF_QUEUE_NR(x) ((((x) << 16) & NF_VERDICT_QMASK) | NF_QUEUE) 32607ca46eSDavid Howells 33607ca46eSDavid Howells #define NF_DROP_ERR(x) (((-x) << 16) | NF_DROP) 34607ca46eSDavid Howells 35607ca46eSDavid Howells /* only for userspace compatibility */ 36607ca46eSDavid Howells #ifndef __KERNEL__ 37607ca46eSDavid Howells 38607ca46eSDavid Howells /* NF_VERDICT_BITS should be 8 now, but userspace might break if this changes */ 39607ca46eSDavid Howells #define NF_VERDICT_BITS 16 40607ca46eSDavid Howells #endif 41607ca46eSDavid Howells 42607ca46eSDavid Howells enum nf_inet_hooks { 43607ca46eSDavid Howells NF_INET_PRE_ROUTING, 44607ca46eSDavid Howells NF_INET_LOCAL_IN, 45607ca46eSDavid Howells NF_INET_FORWARD, 46607ca46eSDavid Howells NF_INET_LOCAL_OUT, 47607ca46eSDavid Howells NF_INET_POST_ROUTING, 48d25e2e93SPablo Neira Ayuso NF_INET_NUMHOOKS, 49d25e2e93SPablo Neira Ayuso NF_INET_INGRESS = NF_INET_NUMHOOKS, 50607ca46eSDavid Howells }; 51607ca46eSDavid Howells 52e687ad60SPablo Neira enum nf_dev_hooks { 53e687ad60SPablo Neira NF_NETDEV_INGRESS, 5442df6e1dSLukas Wunner NF_NETDEV_EGRESS, 55e687ad60SPablo Neira NF_NETDEV_NUMHOOKS 56e687ad60SPablo Neira }; 57e687ad60SPablo Neira 58607ca46eSDavid Howells enum { 59607ca46eSDavid Howells NFPROTO_UNSPEC = 0, 601d49144cSPatrick McHardy NFPROTO_INET = 1, 61607ca46eSDavid Howells NFPROTO_IPV4 = 2, 62607ca46eSDavid Howells NFPROTO_ARP = 3, 63e687ad60SPablo Neira NFPROTO_NETDEV = 5, 64607ca46eSDavid Howells NFPROTO_BRIDGE = 7, 65607ca46eSDavid Howells NFPROTO_IPV6 = 10, 66*a0a4de4dSFlorian Westphal #ifndef __KERNEL__ /* no longer supported by kernel */ 67607ca46eSDavid Howells NFPROTO_DECNET = 12, 68*a0a4de4dSFlorian Westphal #endif 69607ca46eSDavid Howells NFPROTO_NUMPROTO, 70607ca46eSDavid Howells }; 71607ca46eSDavid Howells 72607ca46eSDavid Howells union nf_inet_addr { 73607ca46eSDavid Howells __u32 all[4]; 74607ca46eSDavid Howells __be32 ip; 75607ca46eSDavid Howells __be32 ip6[4]; 76607ca46eSDavid Howells struct in_addr in; 77607ca46eSDavid Howells struct in6_addr in6; 78607ca46eSDavid Howells }; 79607ca46eSDavid Howells 80607ca46eSDavid Howells #endif /* _UAPI__LINUX_NETFILTER_H */ 81