1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ |
2 | /* |
3 | * 25-Jul-1998 Major changes to allow for ip chain table |
4 | * |
5 | * 3-Jan-2000 Named tables to allow packet selection for different uses. |
6 | */ |
7 | |
8 | /* |
9 | * Format of an IP6 firewall descriptor |
10 | * |
11 | * src, dst, src_mask, dst_mask are always stored in network byte order. |
12 | * flags are stored in host byte order (of course). |
13 | * Port numbers are stored in HOST byte order. |
14 | */ |
15 | |
16 | #ifndef _UAPI_IP6_TABLES_H |
17 | #define _UAPI_IP6_TABLES_H |
18 | |
19 | #include <linux/types.h> |
20 | #include <linux/compiler.h> |
21 | #include <linux/if.h> |
22 | #include <linux/netfilter_ipv6.h> |
23 | |
24 | #include <linux/netfilter/x_tables.h> |
25 | |
26 | #ifndef __KERNEL__ |
27 | #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN |
28 | #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN |
29 | #define ip6t_match xt_match |
30 | #define ip6t_target xt_target |
31 | #define ip6t_table xt_table |
32 | #define ip6t_get_revision xt_get_revision |
33 | #define ip6t_entry_match xt_entry_match |
34 | #define ip6t_entry_target xt_entry_target |
35 | #define ip6t_standard_target xt_standard_target |
36 | #define ip6t_error_target xt_error_target |
37 | #define ip6t_counters xt_counters |
38 | #define IP6T_CONTINUE XT_CONTINUE |
39 | #define IP6T_RETURN XT_RETURN |
40 | |
41 | /* Pre-iptables-1.4.0 */ |
42 | #include <linux/netfilter/xt_tcpudp.h> |
43 | #define ip6t_tcp xt_tcp |
44 | #define ip6t_udp xt_udp |
45 | #define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT |
46 | #define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT |
47 | #define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS |
48 | #define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION |
49 | #define IP6T_TCP_INV_MASK XT_TCP_INV_MASK |
50 | #define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT |
51 | #define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT |
52 | #define IP6T_UDP_INV_MASK XT_UDP_INV_MASK |
53 | |
54 | #define ip6t_counters_info xt_counters_info |
55 | #define IP6T_STANDARD_TARGET XT_STANDARD_TARGET |
56 | #define IP6T_ERROR_TARGET XT_ERROR_TARGET |
57 | #define IP6T_MATCH_ITERATE(e, fn, args...) \ |
58 | XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args) |
59 | #define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \ |
60 | XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args) |
61 | #endif |
62 | |
63 | /* Yes, Virginia, you have to zero the padding. */ |
64 | struct ip6t_ip6 { |
65 | /* Source and destination IP6 addr */ |
66 | struct in6_addr src, dst; |
67 | /* Mask for src and dest IP6 addr */ |
68 | struct in6_addr smsk, dmsk; |
69 | char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; |
70 | unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; |
71 | |
72 | /* Upper protocol number |
73 | * - The allowed value is 0 (any) or protocol number of last parsable |
74 | * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or |
75 | * the non IPv6 extension headers. |
76 | * - The protocol numbers of IPv6 extension headers except of ESP and |
77 | * MH do not match any packets. |
78 | * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol. |
79 | */ |
80 | __u16 proto; |
81 | /* TOS to match iff flags & IP6T_F_TOS */ |
82 | __u8 tos; |
83 | |
84 | /* Flags word */ |
85 | __u8 flags; |
86 | /* Inverse flags */ |
87 | __u8 invflags; |
88 | }; |
89 | |
90 | /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ |
91 | #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper |
92 | protocols */ |
93 | #define IP6T_F_TOS 0x02 /* Match the TOS. */ |
94 | #define IP6T_F_GOTO 0x04 /* Set if jump is a goto */ |
95 | #define IP6T_F_MASK 0x07 /* All possible flag bits mask. */ |
96 | |
97 | /* Values for "inv" field in struct ip6t_ip6. */ |
98 | #define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ |
99 | #define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ |
100 | #define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */ |
101 | #define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ |
102 | #define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ |
103 | #define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */ |
104 | #define IP6T_INV_PROTO XT_INV_PROTO |
105 | #define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */ |
106 | |
107 | /* This structure defines each of the firewall rules. Consists of 3 |
108 | parts which are 1) general IP header stuff 2) match specific |
109 | stuff 3) the target to perform if the rule matches */ |
110 | struct ip6t_entry { |
111 | struct ip6t_ip6 ipv6; |
112 | |
113 | /* Mark with fields that we care about. */ |
114 | unsigned int nfcache; |
115 | |
116 | /* Size of ipt_entry + matches */ |
117 | __u16 target_offset; |
118 | /* Size of ipt_entry + matches + target */ |
119 | __u16 next_offset; |
120 | |
121 | /* Back pointer */ |
122 | unsigned int comefrom; |
123 | |
124 | /* Packet and byte counters. */ |
125 | struct xt_counters counters; |
126 | |
127 | /* The matches (if any), then the target. */ |
128 | unsigned char elems[0]; |
129 | }; |
130 | |
131 | /* Standard entry */ |
132 | struct ip6t_standard { |
133 | struct ip6t_entry entry; |
134 | struct xt_standard_target target; |
135 | }; |
136 | |
137 | struct ip6t_error { |
138 | struct ip6t_entry entry; |
139 | struct xt_error_target target; |
140 | }; |
141 | |
142 | #define IP6T_ENTRY_INIT(__size) \ |
143 | { \ |
144 | .target_offset = sizeof(struct ip6t_entry), \ |
145 | .next_offset = (__size), \ |
146 | } |
147 | |
148 | #define IP6T_STANDARD_INIT(__verdict) \ |
149 | { \ |
150 | .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \ |
151 | .target = XT_TARGET_INIT(XT_STANDARD_TARGET, \ |
152 | sizeof(struct xt_standard_target)), \ |
153 | .target.verdict = -(__verdict) - 1, \ |
154 | } |
155 | |
156 | #define IP6T_ERROR_INIT \ |
157 | { \ |
158 | .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \ |
159 | .target = XT_TARGET_INIT(XT_ERROR_TARGET, \ |
160 | sizeof(struct xt_error_target)), \ |
161 | .target.errorname = "ERROR", \ |
162 | } |
163 | |
164 | /* |
165 | * New IP firewall options for [gs]etsockopt at the RAW IP level. |
166 | * Unlike BSD Linux inherits IP options so you don't have to use |
167 | * a raw socket for this. Instead we check rights in the calls. |
168 | * |
169 | * ATTENTION: check linux/in6.h before adding new number here. |
170 | */ |
171 | #define IP6T_BASE_CTL 64 |
172 | |
173 | #define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL) |
174 | #define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1) |
175 | #define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS |
176 | |
177 | #define IP6T_SO_GET_INFO (IP6T_BASE_CTL) |
178 | #define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1) |
179 | #define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4) |
180 | #define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5) |
181 | #define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET |
182 | |
183 | /* obtain original address if REDIRECT'd connection */ |
184 | #define IP6T_SO_ORIGINAL_DST 80 |
185 | |
186 | /* ICMP matching stuff */ |
187 | struct ip6t_icmp { |
188 | __u8 type; /* type to match */ |
189 | __u8 code[2]; /* range of code */ |
190 | __u8 invflags; /* Inverse flags */ |
191 | }; |
192 | |
193 | /* Values for "inv" field for struct ipt_icmp. */ |
194 | #define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ |
195 | |
196 | /* The argument to IP6T_SO_GET_INFO */ |
197 | struct ip6t_getinfo { |
198 | /* Which table: caller fills this in. */ |
199 | char name[XT_TABLE_MAXNAMELEN]; |
200 | |
201 | /* Kernel fills these in. */ |
202 | /* Which hook entry points are valid: bitmask */ |
203 | unsigned int valid_hooks; |
204 | |
205 | /* Hook entry points: one per netfilter hook. */ |
206 | unsigned int hook_entry[NF_INET_NUMHOOKS]; |
207 | |
208 | /* Underflow points. */ |
209 | unsigned int underflow[NF_INET_NUMHOOKS]; |
210 | |
211 | /* Number of entries */ |
212 | unsigned int num_entries; |
213 | |
214 | /* Size of entries. */ |
215 | unsigned int size; |
216 | }; |
217 | |
218 | /* The argument to IP6T_SO_SET_REPLACE. */ |
219 | struct ip6t_replace { |
220 | /* Which table. */ |
221 | char name[XT_TABLE_MAXNAMELEN]; |
222 | |
223 | /* Which hook entry points are valid: bitmask. You can't |
224 | change this. */ |
225 | unsigned int valid_hooks; |
226 | |
227 | /* Number of entries */ |
228 | unsigned int num_entries; |
229 | |
230 | /* Total size of new entries */ |
231 | unsigned int size; |
232 | |
233 | /* Hook entry points. */ |
234 | unsigned int hook_entry[NF_INET_NUMHOOKS]; |
235 | |
236 | /* Underflow points. */ |
237 | unsigned int underflow[NF_INET_NUMHOOKS]; |
238 | |
239 | /* Information about old entries: */ |
240 | /* Number of counters (must be equal to current number of entries). */ |
241 | unsigned int num_counters; |
242 | /* The old entries' counters. */ |
243 | struct xt_counters __user *counters; |
244 | |
245 | /* The entries (hang off end: not really an array). */ |
246 | struct ip6t_entry entries[]; |
247 | }; |
248 | |
249 | /* The argument to IP6T_SO_GET_ENTRIES. */ |
250 | struct ip6t_get_entries { |
251 | /* Which table: user fills this in. */ |
252 | char name[XT_TABLE_MAXNAMELEN]; |
253 | |
254 | /* User fills this in: total entry size. */ |
255 | unsigned int size; |
256 | |
257 | /* The entries. */ |
258 | struct ip6t_entry entrytable[]; |
259 | }; |
260 | |
261 | /* Helper functions */ |
262 | static __inline__ struct xt_entry_target * |
263 | ip6t_get_target(struct ip6t_entry *e) |
264 | { |
265 | return (struct xt_entry_target *)((char *)e + e->target_offset); |
266 | } |
267 | |
268 | /* |
269 | * Main firewall chains definitions and global var's definitions. |
270 | */ |
271 | |
272 | #endif /* _UAPI_IP6_TABLES_H */ |
273 | |