blob: 640a1d09690c29c83f4b307a984bf8818f8b2c1f [file] [log] [blame] [edit]
/*
* 25-Jul-1998 Major changes to allow for ip chain table
*
* 3-Jan-2000 Named tables to allow packet selection for different uses.
*/
/*
* Format of an IP6 firewall descriptor
*
* src, dst, src_mask, dst_mask are always stored in network byte order.
* flags are stored in host byte order (of course).
* Port numbers are stored in HOST byte order.
*/
#ifndef _IP6_TABLES_H
#define _IP6_TABLES_H
#include <linux/types.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netfilter/x_tables.h>
#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define ip6t_match xt_match
#define ip6t_target xt_target
#define ip6t_table xt_table
#define ip6t_get_revision xt_get_revision
#define ip6t_entry_match xt_entry_match
#define ip6t_entry_target xt_entry_target
#define ip6t_standard_target xt_standard_target
#define ip6t_error_target xt_error_target
#define ip6t_counters xt_counters
#define IP6T_CONTINUE XT_CONTINUE
#define IP6T_RETURN XT_RETURN
/* Pre-iptables-1.4.0 */
#include <linux/netfilter/xt_tcpudp.h>
#define ip6t_tcp xt_tcp
#define ip6t_udp xt_udp
#define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT
#define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT
#define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS
#define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION
#define IP6T_TCP_INV_MASK XT_TCP_INV_MASK
#define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT
#define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT
#define IP6T_UDP_INV_MASK XT_UDP_INV_MASK
#define ip6t_counters_info xt_counters_info
#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
#define IP6T_ERROR_TARGET XT_ERROR_TARGET
#define IP6T_MATCH_ITERATE(e, fn, args...) \
XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
/* Yes, Virginia, you have to zero the padding. */
struct ip6t_ip6 {
/* Source and destination IP6 addr */
struct in6_addr src, dst;
/* Mask for src and dest IP6 addr */
struct in6_addr smsk, dmsk;
char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
/* Upper protocol number
* - The allowed value is 0 (any) or protocol number of last parsable
* header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
* the non IPv6 extension headers.
* - The protocol numbers of IPv6 extension headers except of ESP and
* MH do not match any packets.
* - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
*/
__u16 proto;
/* TOS to match iff flags & IP6T_F_TOS */
__u8 tos;
/* Flags word */
__u8 flags;
/* Inverse flags */
__u8 invflags;
};
/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
protocols */
#define IP6T_F_TOS 0x02 /* Match the TOS. */
#define IP6T_F_GOTO 0x04 /* Set if jump is a goto */
#define IP6T_F_MASK 0x07 /* All possible flag bits mask. */
/* Values for "inv" field in struct ip6t_ip6. */
#define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
#define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
#define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */
#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */
#define IP6T_INV_PROTO XT_INV_PROTO
#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */
/* This structure defines each of the firewall rules. Consists of 3
parts which are 1) general IP header stuff 2) match specific
stuff 3) the target to perform if the rule matches */
struct ip6t_entry {
struct ip6t_ip6 ipv6;
/* Mark with fields that we care about. */
unsigned int nfcache;
/* Size of ipt_entry + matches */
__u16 target_offset;
/* Size of ipt_entry + matches + target */
__u16 next_offset;
/* Back pointer */
unsigned int comefrom;
/* Packet and byte counters. */
struct xt_counters counters;
/* The matches (if any), then the target. */
unsigned char elems[0];
};
/* Standard entry */
struct ip6t_standard {
struct ip6t_entry entry;
struct xt_standard_target target;
};
struct ip6t_error {
struct ip6t_entry entry;
struct xt_error_target target;
};
#define IP6T_ENTRY_INIT(__size) \
{ \
.target_offset = sizeof(struct ip6t_entry), \
.next_offset = (__size), \
}
#define IP6T_STANDARD_INIT(__verdict) \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \
.target = XT_TARGET_INIT(XT_STANDARD_TARGET, \
sizeof(struct xt_standard_target)), \
.target.verdict = -(__verdict) - 1, \
}
#define IP6T_ERROR_INIT \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \
.target = XT_TARGET_INIT(XT_ERROR_TARGET, \
sizeof(struct xt_error_target)), \
.target.errorname = "ERROR", \
}
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use
* a raw socket for this. Instead we check rights in the calls.
*
* ATTENTION: check linux/in6.h before adding new number here.
*/
#define IP6T_BASE_CTL 64
#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL)
#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1)
#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS
#define IP6T_SO_GET_INFO (IP6T_BASE_CTL)
#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1)
#define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4)
#define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5)
#define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET
/* obtain original address if REDIRECT'd connection */
#define IP6T_SO_ORIGINAL_DST 80
/* ICMP matching stuff */
struct ip6t_icmp {
__u8 type; /* type to match */
__u8 code[2]; /* range of code */
__u8 invflags; /* Inverse flags */
};
/* Values for "inv" field for struct ipt_icmp. */
#define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */
/* The argument to IP6T_SO_GET_INFO */
struct ip6t_getinfo {
/* Which table: caller fills this in. */
char name[XT_TABLE_MAXNAMELEN];
/* Kernel fills these in. */
/* Which hook entry points are valid: bitmask */
unsigned int valid_hooks;
/* Hook entry points: one per netfilter hook. */
unsigned int hook_entry[NF_INET_NUMHOOKS];
/* Underflow points. */
unsigned int underflow[NF_INET_NUMHOOKS];
/* Number of entries */
unsigned int num_entries;
/* Size of entries. */
unsigned int size;
};
/* The argument to IP6T_SO_SET_REPLACE. */
struct ip6t_replace {
/* Which table. */
char name[XT_TABLE_MAXNAMELEN];
/* Which hook entry points are valid: bitmask. You can't
change this. */
unsigned int valid_hooks;
/* Number of entries */
unsigned int num_entries;
/* Total size of new entries */
unsigned int size;
/* Hook entry points. */
unsigned int hook_entry[NF_INET_NUMHOOKS];
/* Underflow points. */
unsigned int underflow[NF_INET_NUMHOOKS];
/* Information about old entries: */
/* Number of counters (must be equal to current number of entries). */
unsigned int num_counters;
/* The old entries' counters. */
struct xt_counters *counters;
/* The entries (hang off end: not really an array). */
struct ip6t_entry entries[0];
};
/* The argument to IP6T_SO_GET_ENTRIES. */
struct ip6t_get_entries {
/* Which table: user fills this in. */
char name[XT_TABLE_MAXNAMELEN];
/* User fills this in: total entry size. */
unsigned int size;
/* The entries. */
struct ip6t_entry entrytable[0];
};
/* Helper functions */
static __inline__ struct xt_entry_target *
ip6t_get_target(struct ip6t_entry *e)
{
return (void *)e + e->target_offset;
}
/*
* Main firewall chains definitions and global var's definitions.
*/
#endif /* _IP6_TABLES_H */