Warning: This file is not a C or C++ file. It does not have highlighting.
| 1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ |
|---|---|
| 2 | /* |
| 3 | * 25-Jul-1998 Major changes to allow for ip chain table |
| 4 | * |
| 5 | * 3-Jan-2000 Named tables to allow packet selection for different uses. |
| 6 | */ |
| 7 | |
| 8 | /* |
| 9 | * Format of an IP6 firewall descriptor |
| 10 | * |
| 11 | * src, dst, src_mask, dst_mask are always stored in network byte order. |
| 12 | * flags are stored in host byte order (of course). |
| 13 | * Port numbers are stored in HOST byte order. |
| 14 | */ |
| 15 | |
| 16 | #ifndef _UAPI_IP6_TABLES_H |
| 17 | #define _UAPI_IP6_TABLES_H |
| 18 | |
| 19 | #include <linux/types.h> |
| 20 | #include <linux/compiler.h> |
| 21 | #include <linux/if.h> |
| 22 | #include <linux/netfilter_ipv6.h> |
| 23 | |
| 24 | #include <linux/netfilter/x_tables.h> |
| 25 | |
| 26 | #ifndef __KERNEL__ |
| 27 | #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN |
| 28 | #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN |
| 29 | #define ip6t_match xt_match |
| 30 | #define ip6t_target xt_target |
| 31 | #define ip6t_table xt_table |
| 32 | #define ip6t_get_revision xt_get_revision |
| 33 | #define ip6t_entry_match xt_entry_match |
| 34 | #define ip6t_entry_target xt_entry_target |
| 35 | #define ip6t_standard_target xt_standard_target |
| 36 | #define ip6t_error_target xt_error_target |
| 37 | #define ip6t_counters xt_counters |
| 38 | #define IP6T_CONTINUE XT_CONTINUE |
| 39 | #define IP6T_RETURN XT_RETURN |
| 40 | |
| 41 | /* Pre-iptables-1.4.0 */ |
| 42 | #include <linux/netfilter/xt_tcpudp.h> |
| 43 | #define ip6t_tcp xt_tcp |
| 44 | #define ip6t_udp xt_udp |
| 45 | #define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT |
| 46 | #define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT |
| 47 | #define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS |
| 48 | #define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION |
| 49 | #define IP6T_TCP_INV_MASK XT_TCP_INV_MASK |
| 50 | #define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT |
| 51 | #define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT |
| 52 | #define IP6T_UDP_INV_MASK XT_UDP_INV_MASK |
| 53 | |
| 54 | #define ip6t_counters_info xt_counters_info |
| 55 | #define IP6T_STANDARD_TARGET XT_STANDARD_TARGET |
| 56 | #define IP6T_ERROR_TARGET XT_ERROR_TARGET |
| 57 | #define IP6T_MATCH_ITERATE(e, fn, args...) \ |
| 58 | XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args) |
| 59 | #define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \ |
| 60 | XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args) |
| 61 | #endif |
| 62 | |
| 63 | /* Yes, Virginia, you have to zero the padding. */ |
| 64 | struct ip6t_ip6 { |
| 65 | /* Source and destination IP6 addr */ |
| 66 | struct in6_addr src, dst; |
| 67 | /* Mask for src and dest IP6 addr */ |
| 68 | struct in6_addr smsk, dmsk; |
| 69 | char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; |
| 70 | unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; |
| 71 | |
| 72 | /* Upper protocol number |
| 73 | * - The allowed value is 0 (any) or protocol number of last parsable |
| 74 | * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or |
| 75 | * the non IPv6 extension headers. |
| 76 | * - The protocol numbers of IPv6 extension headers except of ESP and |
| 77 | * MH do not match any packets. |
| 78 | * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol. |
| 79 | */ |
| 80 | __u16 proto; |
| 81 | /* TOS to match iff flags & IP6T_F_TOS */ |
| 82 | __u8 tos; |
| 83 | |
| 84 | /* Flags word */ |
| 85 | __u8 flags; |
| 86 | /* Inverse flags */ |
| 87 | __u8 invflags; |
| 88 | }; |
| 89 | |
| 90 | /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ |
| 91 | #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper |
| 92 | protocols */ |
| 93 | #define IP6T_F_TOS 0x02 /* Match the TOS. */ |
| 94 | #define IP6T_F_GOTO 0x04 /* Set if jump is a goto */ |
| 95 | #define IP6T_F_MASK 0x07 /* All possible flag bits mask. */ |
| 96 | |
| 97 | /* Values for "inv" field in struct ip6t_ip6. */ |
| 98 | #define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ |
| 99 | #define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ |
| 100 | #define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */ |
| 101 | #define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ |
| 102 | #define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ |
| 103 | #define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */ |
| 104 | #define IP6T_INV_PROTO XT_INV_PROTO |
| 105 | #define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */ |
| 106 | |
| 107 | /* This structure defines each of the firewall rules. Consists of 3 |
| 108 | parts which are 1) general IP header stuff 2) match specific |
| 109 | stuff 3) the target to perform if the rule matches */ |
| 110 | struct ip6t_entry { |
| 111 | struct ip6t_ip6 ipv6; |
| 112 | |
| 113 | /* Mark with fields that we care about. */ |
| 114 | unsigned int nfcache; |
| 115 | |
| 116 | /* Size of ipt_entry + matches */ |
| 117 | __u16 target_offset; |
| 118 | /* Size of ipt_entry + matches + target */ |
| 119 | __u16 next_offset; |
| 120 | |
| 121 | /* Back pointer */ |
| 122 | unsigned int comefrom; |
| 123 | |
| 124 | /* Packet and byte counters. */ |
| 125 | struct xt_counters counters; |
| 126 | |
| 127 | /* The matches (if any), then the target. */ |
| 128 | unsigned char elems[0]; |
| 129 | }; |
| 130 | |
| 131 | /* Standard entry */ |
| 132 | struct ip6t_standard { |
| 133 | struct ip6t_entry entry; |
| 134 | struct xt_standard_target target; |
| 135 | }; |
| 136 | |
| 137 | struct ip6t_error { |
| 138 | struct ip6t_entry entry; |
| 139 | struct xt_error_target target; |
| 140 | }; |
| 141 | |
| 142 | #define IP6T_ENTRY_INIT(__size) \ |
| 143 | { \ |
| 144 | .target_offset = sizeof(struct ip6t_entry), \ |
| 145 | .next_offset = (__size), \ |
| 146 | } |
| 147 | |
| 148 | #define IP6T_STANDARD_INIT(__verdict) \ |
| 149 | { \ |
| 150 | .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \ |
| 151 | .target = XT_TARGET_INIT(XT_STANDARD_TARGET, \ |
| 152 | sizeof(struct xt_standard_target)), \ |
| 153 | .target.verdict = -(__verdict) - 1, \ |
| 154 | } |
| 155 | |
| 156 | #define IP6T_ERROR_INIT \ |
| 157 | { \ |
| 158 | .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \ |
| 159 | .target = XT_TARGET_INIT(XT_ERROR_TARGET, \ |
| 160 | sizeof(struct xt_error_target)), \ |
| 161 | .target.errorname = "ERROR", \ |
| 162 | } |
| 163 | |
| 164 | /* |
| 165 | * New IP firewall options for [gs]etsockopt at the RAW IP level. |
| 166 | * Unlike BSD Linux inherits IP options so you don't have to use |
| 167 | * a raw socket for this. Instead we check rights in the calls. |
| 168 | * |
| 169 | * ATTENTION: check linux/in6.h before adding new number here. |
| 170 | */ |
| 171 | #define IP6T_BASE_CTL 64 |
| 172 | |
| 173 | #define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL) |
| 174 | #define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1) |
| 175 | #define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS |
| 176 | |
| 177 | #define IP6T_SO_GET_INFO (IP6T_BASE_CTL) |
| 178 | #define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1) |
| 179 | #define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4) |
| 180 | #define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5) |
| 181 | #define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET |
| 182 | |
| 183 | /* obtain original address if REDIRECT'd connection */ |
| 184 | #define IP6T_SO_ORIGINAL_DST 80 |
| 185 | |
| 186 | /* ICMP matching stuff */ |
| 187 | struct ip6t_icmp { |
| 188 | __u8 type; /* type to match */ |
| 189 | __u8 code[2]; /* range of code */ |
| 190 | __u8 invflags; /* Inverse flags */ |
| 191 | }; |
| 192 | |
| 193 | /* Values for "inv" field for struct ipt_icmp. */ |
| 194 | #define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ |
| 195 | |
| 196 | /* The argument to IP6T_SO_GET_INFO */ |
| 197 | struct ip6t_getinfo { |
| 198 | /* Which table: caller fills this in. */ |
| 199 | char name[XT_TABLE_MAXNAMELEN]; |
| 200 | |
| 201 | /* Kernel fills these in. */ |
| 202 | /* Which hook entry points are valid: bitmask */ |
| 203 | unsigned int valid_hooks; |
| 204 | |
| 205 | /* Hook entry points: one per netfilter hook. */ |
| 206 | unsigned int hook_entry[NF_INET_NUMHOOKS]; |
| 207 | |
| 208 | /* Underflow points. */ |
| 209 | unsigned int underflow[NF_INET_NUMHOOKS]; |
| 210 | |
| 211 | /* Number of entries */ |
| 212 | unsigned int num_entries; |
| 213 | |
| 214 | /* Size of entries. */ |
| 215 | unsigned int size; |
| 216 | }; |
| 217 | |
| 218 | /* The argument to IP6T_SO_SET_REPLACE. */ |
| 219 | struct ip6t_replace { |
| 220 | /* Which table. */ |
| 221 | char name[XT_TABLE_MAXNAMELEN]; |
| 222 | |
| 223 | /* Which hook entry points are valid: bitmask. You can't |
| 224 | change this. */ |
| 225 | unsigned int valid_hooks; |
| 226 | |
| 227 | /* Number of entries */ |
| 228 | unsigned int num_entries; |
| 229 | |
| 230 | /* Total size of new entries */ |
| 231 | unsigned int size; |
| 232 | |
| 233 | /* Hook entry points. */ |
| 234 | unsigned int hook_entry[NF_INET_NUMHOOKS]; |
| 235 | |
| 236 | /* Underflow points. */ |
| 237 | unsigned int underflow[NF_INET_NUMHOOKS]; |
| 238 | |
| 239 | /* Information about old entries: */ |
| 240 | /* Number of counters (must be equal to current number of entries). */ |
| 241 | unsigned int num_counters; |
| 242 | /* The old entries' counters. */ |
| 243 | struct xt_counters __user *counters; |
| 244 | |
| 245 | /* The entries (hang off end: not really an array). */ |
| 246 | struct ip6t_entry entries[]; |
| 247 | }; |
| 248 | |
| 249 | /* The argument to IP6T_SO_GET_ENTRIES. */ |
| 250 | struct ip6t_get_entries { |
| 251 | /* Which table: user fills this in. */ |
| 252 | char name[XT_TABLE_MAXNAMELEN]; |
| 253 | |
| 254 | /* User fills this in: total entry size. */ |
| 255 | unsigned int size; |
| 256 | |
| 257 | /* The entries. */ |
| 258 | struct ip6t_entry entrytable[]; |
| 259 | }; |
| 260 | |
| 261 | /* Helper functions */ |
| 262 | static __inline__ struct xt_entry_target * |
| 263 | ip6t_get_target(struct ip6t_entry *e) |
| 264 | { |
| 265 | return (struct xt_entry_target *)((char *)e + e->target_offset); |
| 266 | } |
| 267 | |
| 268 | /* |
| 269 | * Main firewall chains definitions and global var's definitions. |
| 270 | */ |
| 271 | |
| 272 | #endif /* _UAPI_IP6_TABLES_H */ |
| 273 |
Warning: This file is not a C or C++ file. It does not have highlighting.