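#ifndef _LIBIP6TC_H
#define _LIBIP6TC_H
/* Library which manipulates firewall rules. Version 0.2. */

#include <linux/types.h>
#include <libiptc/ipt_kernel_headers.h>
#ifdef __cplusplus
# include <climits>
#else
# include <limits.h> /* INT_MAX in ip6_tables.h */
#endif
#include <linux/netfilter_ipv6/ip6_tables.h>

/* Every symbol below is defined in C; give C++ consumers C linkage so
 * the declarations match the library's actual symbol names. */
#ifdef __cplusplus
extern "C" {
#endif

/* Opaque table snapshot; obtained from ip6tc_init(), released with
 * ip6tc_free(). */
struct ip6tc_handle;

/* Fixed 32-byte buffer for a chain name (the terminating NUL is
 * presumably counted within those 32 bytes — confirm against the
 * implementation before passing a 32-character name). */
typedef char ip6t_chainlabel[32];

/* Names of the standard verdicts usable as chain policies / targets. */
#define IP6TC_LABEL_ACCEPT "ACCEPT"
#define IP6TC_LABEL_DROP "DROP"
#define IP6TC_LABEL_QUEUE "QUEUE"
#define IP6TC_LABEL_RETURN "RETURN"

/* Does this chain exist? */
int ip6tc_is_chain(const char *chain, struct ip6tc_handle *const handle);

/* Take a snapshot of the rules of table `tablename'. Returns NULL on
 * error. The caller owns the returned handle and must release it with
 * ip6tc_free(). */
struct ip6tc_handle *ip6tc_init(const char *tablename);

/* Cleanup after ip6tc_init(). */
void ip6tc_free(struct ip6tc_handle *h);

/* Iterator functions to run through the chains. Returns NULL at end. */
const char *ip6tc_first_chain(struct ip6tc_handle *handle);
const char *ip6tc_next_chain(struct ip6tc_handle *handle);

/* Get first rule in the given chain: NULL for empty chain. */
const struct ip6t_entry *ip6tc_first_rule(const char *chain,
					  struct ip6tc_handle *handle);

/* Get the rule following `prev'. Returns NULL when rules run out. */
const struct ip6t_entry *ip6tc_next_rule(const struct ip6t_entry *prev,
					 struct ip6tc_handle *handle);

/* Returns a pointer to the target name of this position. */
const char *ip6tc_get_target(const struct ip6t_entry *e,
			     struct ip6tc_handle *handle);

/* Is this a built-in chain? */
int ip6tc_builtin(const char *chain, struct ip6tc_handle *const handle);

/* Get the policy of a given built-in chain. `counters' receives the
 * policy's counters. */
const char *ip6tc_get_policy(const char *chain,
			     struct ip6t_counters *counters,
			     struct ip6tc_handle *handle);

/* The functions below return TRUE for OK, or 0 and set errno. If errno
 * == 0, it means there was a version error (ie. upgrade libiptc).
 * Modifications are applied to the snapshot in `handle' only; nothing
 * reaches the kernel until ip6tc_commit(). */
/* Rule numbers start at 1 for the first rule. */

/* Insert the entry `e' in chain `chain' into position `rulenum'. */
int ip6tc_insert_entry(const ip6t_chainlabel chain,
		       const struct ip6t_entry *e,
		       unsigned int rulenum,
		       struct ip6tc_handle *handle);

/* Atomically replace rule `rulenum' in `chain' with `e'. */
int ip6tc_replace_entry(const ip6t_chainlabel chain,
			const struct ip6t_entry *e,
			unsigned int rulenum,
			struct ip6tc_handle *handle);

/* Append entry `e' to chain `chain'. Equivalent to insert with
 * rulenum = length of chain. */
int ip6tc_append_entry(const ip6t_chainlabel chain,
		       const struct ip6t_entry *e,
		       struct ip6tc_handle *handle);

/* Check whether a rule matching `origfw' (compared under `matchmask')
 * exists in `chain'. The expected length and layout of `matchmask' are
 * not specified here — confirm against the implementation. */
int ip6tc_check_entry(const ip6t_chainlabel chain,
		      const struct ip6t_entry *origfw,
		      unsigned char *matchmask,
		      struct ip6tc_handle *handle);

/* Delete the first rule in `chain' which matches `origfw' (compared
 * under `matchmask', as for ip6tc_check_entry()). */
int ip6tc_delete_entry(const ip6t_chainlabel chain,
		       const struct ip6t_entry *origfw,
		       unsigned char *matchmask,
		       struct ip6tc_handle *handle);

/* Delete the rule in position `rulenum' in `chain'. */
int ip6tc_delete_num_entry(const ip6t_chainlabel chain,
			   unsigned int rulenum,
			   struct ip6tc_handle *handle);

/* Check the packet `fw' on chain `chain'. Returns the verdict, or
 * NULL and sets errno. */
const char *ip6tc_check_packet(const ip6t_chainlabel chain,
			       struct ip6t_entry *fw,
			       struct ip6tc_handle *handle);

/* Flushes the entries in the given chain (ie. empties chain). */
int ip6tc_flush_entries(const ip6t_chainlabel chain,
			struct ip6tc_handle *handle);

/* Zeroes the counters in a chain. */
int ip6tc_zero_entries(const ip6t_chainlabel chain,
		       struct ip6tc_handle *handle);

/* Creates a new chain. */
int ip6tc_create_chain(const ip6t_chainlabel chain,
		       struct ip6tc_handle *handle);

/* Deletes a chain. */
int ip6tc_delete_chain(const ip6t_chainlabel chain,
		       struct ip6tc_handle *handle);

/* Renames chain `oldname' to `newname'. */
int ip6tc_rename_chain(const ip6t_chainlabel oldname,
		       const ip6t_chainlabel newname,
		       struct ip6tc_handle *handle);

/* Sets the policy on a built-in chain, together with its counters. */
int ip6tc_set_policy(const ip6t_chainlabel chain,
		     const ip6t_chainlabel policy,
		     struct ip6t_counters *counters,
		     struct ip6tc_handle *handle);

/* Get the number of references to this chain; stored through `ref'. */
int ip6tc_get_references(unsigned int *ref, const ip6t_chainlabel chain,
			 struct ip6tc_handle *handle);

/* read packet and byte counters for a specific rule */
struct ip6t_counters *ip6tc_read_counter(const ip6t_chainlabel chain,
					 unsigned int rulenum,
					 struct ip6tc_handle *handle);

/* zero packet and byte counters for a specific rule */
int ip6tc_zero_counter(const ip6t_chainlabel chain,
		       unsigned int rulenum,
		       struct ip6tc_handle *handle);

/* set packet and byte counters for a specific rule */
int ip6tc_set_counter(const ip6t_chainlabel chain,
		      unsigned int rulenum,
		      struct ip6t_counters *counters,
		      struct ip6tc_handle *handle);

/* Makes the actual changes: pushes the modified snapshot to the kernel. */
int ip6tc_commit(struct ip6tc_handle *handle);

/* Get raw socket. */
int ip6tc_get_raw_socket(void);

/* Translates errno numbers (`err') into more human-readable form than
 * strerror. */
const char *ip6tc_strerror(int err);

/* Return prefix length of netmask `a', or -1 if not contiguous */
int ipv6_prefix_length(const struct in6_addr *a);

/* Debugging aid: dump every entry of the snapshot in `handle'. */
extern void dump_entries6(struct ip6tc_handle *const handle);

#ifdef __cplusplus
}
#endif

#endif /* _LIBIP6TC_H */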