root/include/uapi/linux/netfilter_ipv6/ip6_tables.h


   1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
   2 /*
   3  * 25-Jul-1998 Major changes to allow for ip chain table
   4  *
   5  * 3-Jan-2000 Named tables to allow packet selection for different uses.
   6  */
   7 
   8 /*
   9  *      Format of an IP6 firewall descriptor
  10  *
  11  *      src, dst, src_mask, dst_mask are always stored in network byte order.
  12  *      flags are stored in host byte order (of course).
  13  *      Port numbers are stored in HOST byte order.
  14  */
  15 
  16 #ifndef _UAPI_IP6_TABLES_H
  17 #define _UAPI_IP6_TABLES_H
  18 
  19 #include <linux/types.h>
  20 #include <linux/compiler.h>
  21 #include <linux/if.h>
  22 #include <linux/netfilter_ipv6.h>
  23 
  24 #include <linux/netfilter/x_tables.h>
  25 
  26 #ifndef __KERNEL__
  27 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
  28 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
  29 #define ip6t_match xt_match
  30 #define ip6t_target xt_target
  31 #define ip6t_table xt_table
  32 #define ip6t_get_revision xt_get_revision
  33 #define ip6t_entry_match xt_entry_match
  34 #define ip6t_entry_target xt_entry_target
  35 #define ip6t_standard_target xt_standard_target
  36 #define ip6t_error_target xt_error_target
  37 #define ip6t_counters xt_counters
  38 #define IP6T_CONTINUE XT_CONTINUE
  39 #define IP6T_RETURN XT_RETURN
  40 
  41 /* Pre-iptables-1.4.0 */
  42 #include <linux/netfilter/xt_tcpudp.h>
  43 #define ip6t_tcp xt_tcp
  44 #define ip6t_udp xt_udp
  45 #define IP6T_TCP_INV_SRCPT      XT_TCP_INV_SRCPT
  46 #define IP6T_TCP_INV_DSTPT      XT_TCP_INV_DSTPT
  47 #define IP6T_TCP_INV_FLAGS      XT_TCP_INV_FLAGS
  48 #define IP6T_TCP_INV_OPTION     XT_TCP_INV_OPTION
  49 #define IP6T_TCP_INV_MASK       XT_TCP_INV_MASK
  50 #define IP6T_UDP_INV_SRCPT      XT_UDP_INV_SRCPT
  51 #define IP6T_UDP_INV_DSTPT      XT_UDP_INV_DSTPT
  52 #define IP6T_UDP_INV_MASK       XT_UDP_INV_MASK
  53 
  54 #define ip6t_counters_info xt_counters_info
  55 #define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
  56 #define IP6T_ERROR_TARGET XT_ERROR_TARGET
  57 #define IP6T_MATCH_ITERATE(e, fn, args...) \
  58         XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
  59 #define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
  60         XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
  61 #endif
  62 
  63 /* Yes, Virginia, you have to zero the padding. */
struct ip6t_ip6 {
        /* Source and destination IP6 addr (network byte order, see file header) */
        struct in6_addr src, dst;
        /* Mask for src and dest IP6 addr (network byte order) */
        struct in6_addr smsk, dmsk;
        /* Input and output interface names the rule applies to */
        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
        /* Per-byte masks applied to iniface/outiface when comparing
         * (presumably to allow wildcard matching; confirm against the
         * kernel's packet-match code). */
        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

        /* Upper protocol number
         * - The allowed value is 0 (any) or protocol number of last parsable
         *   header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
         *   the non IPv6 extension headers.
         * - The protocol numbers of IPv6 extension headers except of ESP and
         *   MH do not match any packets.
         * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
         */
        __u16 proto;
        /* TOS to match iff flags & IP6T_F_TOS */
        __u8 tos;

        /* Flags word: bitwise OR of the IP6T_F_* values defined below. */
        __u8 flags;
        /* Inverse flags: bitwise OR of the IP6T_INV_* values defined below;
         * each set bit inverts the sense of the corresponding test. */
        __u8 invflags;
};
  89 
  90 /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
  91 #define IP6T_F_PROTO            0x01    /* Set if rule cares about upper 
  92                                            protocols */
  93 #define IP6T_F_TOS              0x02    /* Match the TOS. */
  94 #define IP6T_F_GOTO             0x04    /* Set if jump is a goto */
  95 #define IP6T_F_MASK             0x07    /* All possible flag bits mask. */
  96 
  97 /* Values for "inv" field in struct ip6t_ip6. */
  98 #define IP6T_INV_VIA_IN         0x01    /* Invert the sense of IN IFACE. */
  99 #define IP6T_INV_VIA_OUT                0x02    /* Invert the sense of OUT IFACE */
 100 #define IP6T_INV_TOS            0x04    /* Invert the sense of TOS. */
 101 #define IP6T_INV_SRCIP          0x08    /* Invert the sense of SRC IP. */
  102 #define IP6T_INV_DSTIP          0x10    /* Invert the sense of DST IP. */
 103 #define IP6T_INV_FRAG           0x20    /* Invert the sense of FRAG. */
 104 #define IP6T_INV_PROTO          XT_INV_PROTO
 105 #define IP6T_INV_MASK           0x7F    /* All possible flag bits mask. */
 106 
 107 /* This structure defines each of the firewall rules.  Consists of 3
 108    parts which are 1) general IP header stuff 2) match specific
 109    stuff 3) the target to perform if the rule matches */
struct ip6t_entry {
        /* IPv6 header match for this rule (see struct ip6t_ip6 above). */
        struct ip6t_ip6 ipv6;

        /* Mark with fields that we care about. */
        unsigned int nfcache;

        /* Size of ip6t_entry + matches, i.e. the byte offset from the start
         * of this entry to its target.  ip6t_get_target() below adds it to
         * the entry address without any range check; tables supplied from
         * user space via struct ip6t_replace carry this value, so it is
         * expected to be validated by the kernel's table checking before
         * use (confirm against the kernel side). */
        __u16 target_offset;
        /* Size of ip6t_entry + matches + target, i.e. the byte offset from
         * the start of this entry to the next entry.  Same validation
         * caveat as target_offset. */
        __u16 next_offset;

        /* Back pointer */
        unsigned int comefrom;

        /* Packet and byte counters. */
        struct xt_counters counters;

        /* The matches (if any), then the target.  Zero-length array: the
         * variable-sized data hangs off the end of the struct. */
        unsigned char elems[0];
};
 130 
 131 /* Standard entry */
struct ip6t_standard {
        /* Rule header; IP6T_STANDARD_INIT() below sets its offsets. */
        struct ip6t_entry entry;
        /* Standard verdict target placed directly after the entry. */
        struct xt_standard_target target;
};
 136 
/* Error entry: an ip6t_entry followed by an error target; IP6T_ERROR_INIT
 * below initializes it with the errorname "ERROR". */
struct ip6t_error {
        struct ip6t_entry entry;
        struct xt_error_target target;
};
 141 
 142 #define IP6T_ENTRY_INIT(__size)                                                \
 143 {                                                                              \
 144         .target_offset  = sizeof(struct ip6t_entry),                           \
 145         .next_offset    = (__size),                                            \
 146 }
 147 
 148 #define IP6T_STANDARD_INIT(__verdict)                                          \
 149 {                                                                              \
 150         .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
 151         .target         = XT_TARGET_INIT(XT_STANDARD_TARGET,                   \
 152                                          sizeof(struct xt_standard_target)),   \
 153         .target.verdict = -(__verdict) - 1,                                    \
 154 }
 155 
 156 #define IP6T_ERROR_INIT                                                        \
 157 {                                                                              \
 158         .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),          \
 159         .target         = XT_TARGET_INIT(XT_ERROR_TARGET,                      \
 160                                          sizeof(struct xt_error_target)),      \
 161         .target.errorname = "ERROR",                                           \
 162 }
 163 
 164 /*
 165  * New IP firewall options for [gs]etsockopt at the RAW IP level.
 166  * Unlike BSD Linux inherits IP options so you don't have to use
 167  * a raw socket for this. Instead we check rights in the calls.
 168  *
 169  * ATTENTION: check linux/in6.h before adding new number here.
 170  */
 171 #define IP6T_BASE_CTL                   64
 172 
 173 #define IP6T_SO_SET_REPLACE             (IP6T_BASE_CTL)
 174 #define IP6T_SO_SET_ADD_COUNTERS        (IP6T_BASE_CTL + 1)
 175 #define IP6T_SO_SET_MAX                 IP6T_SO_SET_ADD_COUNTERS
 176 
 177 #define IP6T_SO_GET_INFO                (IP6T_BASE_CTL)
 178 #define IP6T_SO_GET_ENTRIES             (IP6T_BASE_CTL + 1)
 179 #define IP6T_SO_GET_REVISION_MATCH      (IP6T_BASE_CTL + 4)
 180 #define IP6T_SO_GET_REVISION_TARGET     (IP6T_BASE_CTL + 5)
 181 #define IP6T_SO_GET_MAX                 IP6T_SO_GET_REVISION_TARGET
 182 
 183 /* obtain original address if REDIRECT'd connection */
 184 #define IP6T_SO_ORIGINAL_DST            80
 185 
 186 /* ICMP matching stuff */
struct ip6t_icmp {
        __u8 type;                              /* type to match */
        __u8 code[2];                           /* range of code */
        __u8 invflags;                          /* Inverse flags: IP6T_ICMP_INV below */
};
 192 
  193 /* Values for "inv" field for struct ip6t_icmp. */
 194 #define IP6T_ICMP_INV   0x01    /* Invert the sense of type/code test */
 195 
 196 /* The argument to IP6T_SO_GET_INFO */
struct ip6t_getinfo {
        /* Which table: caller fills this in. */
        char name[XT_TABLE_MAXNAMELEN];

        /* Kernel fills these in. */
        /* Which hook entry points are valid: bitmask */
        unsigned int valid_hooks;

        /* Hook entry points: one per netfilter hook (byte offsets into the
         * table, indexed by hook number). */
        unsigned int hook_entry[NF_INET_NUMHOOKS];

        /* Underflow points, one per netfilter hook. */
        unsigned int underflow[NF_INET_NUMHOOKS];

        /* Number of entries */
        unsigned int num_entries;

        /* Size of entries (total bytes; a caller uses it to size the
         * buffer passed with IP6T_SO_GET_ENTRIES). */
        unsigned int size;
};
 217 
 218 /* The argument to IP6T_SO_SET_REPLACE. */
struct ip6t_replace {
        /* Which table. */
        char name[XT_TABLE_MAXNAMELEN];

        /* Which hook entry points are valid: bitmask.  You can't
           change this. */
        unsigned int valid_hooks;

        /* Number of entries */
        unsigned int num_entries;

        /* Total size of new entries (bytes of the entries[] data that
         * follows this header). */
        unsigned int size;

        /* Hook entry points. */
        unsigned int hook_entry[NF_INET_NUMHOOKS];

        /* Underflow points. */
        unsigned int underflow[NF_INET_NUMHOOKS];

        /* Information about old entries: */
        /* Number of counters (must be equal to current number of entries). */
        unsigned int num_counters;
        /* The old entries' counters.  User-space pointer (__user): the
         * kernel writes num_counters entries back through it. */
        struct xt_counters __user *counters;

        /* The entries (hang off end: not really an array).  Each entry's
         * target_offset/next_offset is user-supplied here and must be
         * validated kernel-side before being followed. */
        struct ip6t_entry entries[0];
};
 248 
 249 /* The argument to IP6T_SO_GET_ENTRIES. */
struct ip6t_get_entries {
        /* Which table: user fills this in. */
        char name[XT_TABLE_MAXNAMELEN];

        /* User fills this in: total entry size (the "size" returned by
         * IP6T_SO_GET_INFO). */
        unsigned int size;

        /* The entries, filled in by the kernel; hang off the end. */
        struct ip6t_entry entrytable[0];
};
 260 
 261 /* Helper functions */
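/*
 * ip6t_get_target - locate the target that follows an entry's matches.
 * @e: the rule entry.
 *
 * Returns a pointer e->target_offset bytes past the start of @e.  The
 * arithmetic is done on an unsigned char * rather than a void *: pointer
 * arithmetic on void * is a GNU extension, and this header is also consumed
 * by user space built with other compilers.
 *
 * No validation is performed here.  target_offset comes from the table
 * supplied in struct ip6t_replace, so it must already have been checked to
 * lie within the entry before this helper is used (the kernel's table
 * checking is expected to do this; confirm against the kernel side).
 */
static __inline__ struct xt_entry_target *
ip6t_get_target(struct ip6t_entry *e)
{
        return (struct xt_entry_target *)((unsigned char *)e + e->target_offset);
}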
 267 
 268 /*
 269  *      Main firewall chains definitions and global var's definitions.
 270  */
 271 
 272 #endif /* _UAPI_IP6_TABLES_H */
