1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2#ifndef _UAPI__LINUX_NETFILTER_H
3#define _UAPI__LINUX_NETFILTER_H
4
5#include <linux/types.h>
6#include <linux/compiler.h>
7#include <linux/in.h>
8#include <linux/in6.h>
9
10/* Responses from hook functions. */
11#define NF_DROP 0
12#define NF_ACCEPT 1
13#define NF_STOLEN 2
14#define NF_QUEUE 3
15#define NF_REPEAT 4
16#define NF_STOP 5 /* Deprecated, for userspace nf_queue compatibility. */
17#define NF_MAX_VERDICT NF_STOP
18
19/* we overload the higher bits for encoding auxiliary data such as the queue
20 * number or errno values. Not nice, but better than additional function
21 * arguments. */
22#define NF_VERDICT_MASK 0x000000ff
23
24/* extra verdict flags have mask 0x0000ff00 */
25#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000
26
27/* queue number (NF_QUEUE) or errno (NF_DROP) */
28#define NF_VERDICT_QMASK 0xffff0000
29#define NF_VERDICT_QBITS 16
30
31#define NF_QUEUE_NR(x) ((((x) << 16) & NF_VERDICT_QMASK) | NF_QUEUE)
32
33#define NF_DROP_ERR(x) (((-x) << 16) | NF_DROP)
34
35/* only for userspace compatibility */
36#ifndef __KERNEL__
37
38/* NF_VERDICT_BITS should be 8 now, but userspace might break if this changes */
39#define NF_VERDICT_BITS 16
40#endif
41
42enum nf_inet_hooks {
43 NF_INET_PRE_ROUTING,
44 NF_INET_LOCAL_IN,
45 NF_INET_FORWARD,
46 NF_INET_LOCAL_OUT,
47 NF_INET_POST_ROUTING,
48 NF_INET_NUMHOOKS,
49 NF_INET_INGRESS = NF_INET_NUMHOOKS,
50};
51
52enum nf_dev_hooks {
53 NF_NETDEV_INGRESS,
54 NF_NETDEV_EGRESS,
55 NF_NETDEV_NUMHOOKS
56};
57
58enum {
59 NFPROTO_UNSPEC = 0,
60 NFPROTO_INET = 1,
61 NFPROTO_IPV4 = 2,
62 NFPROTO_ARP = 3,
63 NFPROTO_NETDEV = 5,
64 NFPROTO_BRIDGE = 7,
65 NFPROTO_IPV6 = 10,
66#ifndef __KERNEL__ /* no longer supported by kernel */
67 NFPROTO_DECNET = 12,
68#endif
69 NFPROTO_NUMPROTO,
70};
71
72union nf_inet_addr {
73 __u32 all[4];
74 __be32 ip;
75 __be32 ip6[4];
76 struct in_addr in;
77 struct in6_addr in6;
78};
79
80#endif /* _UAPI__LINUX_NETFILTER_H */
81