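#ifndef _LIBIP6TC_H
#define _LIBIP6TC_H
/* Library which manipulates IPv6 firewall (ip6_tables) rules. Version 0.2.
 *
 * Usage model: ip6tc_init() takes a snapshot of one table; the edit functions
 * below operate on that snapshot, and nothing reaches the kernel until
 * ip6tc_commit(). Between init and commit this API does not coordinate with
 * other writers of the same table, so presumably a concurrent change made by
 * another process can be overwritten at commit time -- serialise callers
 * externally if that matters.
 */

#include <linux/types.h>
#include <libiptc/ipt_kernel_headers.h>
#include <linux/netfilter_ipv6/ip6_tables.h>

#ifdef __cplusplus
extern "C" {
#endif

#ifndef IP6T_MIN_ALIGN
#define IP6T_MIN_ALIGN (__alignof__(struct ip6t_entry))
#endif
/* Round `s' up to a multiple of IP6T_MIN_ALIGN (a power of two).
 * The addition wraps for values within IP6T_MIN_ALIGN-1 of the type's
 * maximum; callers deriving sizes from kernel-supplied offsets should
 * range-check them before aligning. */
#define IP6T_ALIGN(s) (((s) + (IP6T_MIN_ALIGN-1)) & ~(IP6T_MIN_ALIGN-1))

/* Chain name as a NUL-terminated string. The array is 32 bytes, so a name
 * may be at most 31 characters plus the terminator; longer input must be
 * rejected by the caller, not truncated. */
typedef char ip6t_chainlabel[32];

/* Names of the special (non-chain) verdicts. */
#define IP6TC_LABEL_ACCEPT "ACCEPT"
#define IP6TC_LABEL_DROP "DROP"
#define IP6TC_LABEL_QUEUE "QUEUE"
#define IP6TC_LABEL_RETURN "RETURN"

/* Transparent handle type: a pointer to the private snapshot state.
 * Note the inconsistency preserved for compatibility: ip6tc_is_chain() and
 * ip6tc_builtin() take the handle by value, every other function takes a
 * pointer to it. */
typedef struct ip6tc_handle *ip6tc_handle_t;

/* Does this chain exist? Returns non-zero if so. */
int ip6tc_is_chain(const char *chain, const ip6tc_handle_t handle);

/* Take a snapshot of the rules of table `tablename'.
 * Returns NULL on error (and sets errno). The returned handle must be
 * released with ip6tc_free() -- NOTE(review): confirm whether ip6tc_commit()
 * already releases it, as older libiptc did. */
ip6tc_handle_t ip6tc_init(const char *tablename);

/* Cleanup after ip6tc_init(). */
void ip6tc_free(ip6tc_handle_t *h);

/* Iterator functions to run through the chains. Returns NULL at end. */
const char *ip6tc_first_chain(ip6tc_handle_t *handle);
const char *ip6tc_next_chain(ip6tc_handle_t *handle);

/* Get first rule in the given chain: NULL for empty chain. */
const struct ip6t_entry *ip6tc_first_rule(const char *chain,
					  ip6tc_handle_t *handle);

/* Returns the rule after `prev', or NULL when rules run out. */
const struct ip6t_entry *ip6tc_next_rule(const struct ip6t_entry *prev,
					 ip6tc_handle_t *handle);

/* Returns a pointer to the target name of this position.
 * The string belongs to the snapshot; do not free it. */
const char *ip6tc_get_target(const struct ip6t_entry *e,
			     ip6tc_handle_t *handle);

/* Is this a built-in chain? Returns non-zero if so. */
int ip6tc_builtin(const char *chain, const ip6tc_handle_t handle);

/* Get the policy of a given built-in chain; the chain's counters are
 * copied into `counters'. */
const char *ip6tc_get_policy(const char *chain,
			     struct ip6t_counters *counters,
			     ip6tc_handle_t *handle);

/* These functions return TRUE for OK or 0 and set errno. If errno ==
   0, it means there was a version error (ie. upgrade libiptc). */
/* Rule numbers start at 1 for the first rule. */

/* Insert the entry `e' in chain `chain' into position `rulenum'. */
int ip6tc_insert_entry(const ip6t_chainlabel chain,
		       const struct ip6t_entry *e,
		       unsigned int rulenum,
		       ip6tc_handle_t *handle);

/* Atomically replace rule `rulenum' in `chain' with `e'. */
int ip6tc_replace_entry(const ip6t_chainlabel chain,
			const struct ip6t_entry *e,
			unsigned int rulenum,
			ip6tc_handle_t *handle);

/* Append entry `e' to chain `chain'. Equivalent to insert with
   rulenum = length of chain. */
int ip6tc_append_entry(const ip6t_chainlabel chain,
		       const struct ip6t_entry *e,
		       ip6tc_handle_t *handle);

/* Delete the first rule in `chain' which matches `origfw'.
 * `matchmask' selects which bytes of the entry take part in the comparison.
 * NOTE(review): it must cover the whole entry (origfw->next_offset bytes);
 * a shorter buffer would be read out of bounds -- confirm against the
 * implementation. */
int ip6tc_delete_entry(const ip6t_chainlabel chain,
		       const struct ip6t_entry *origfw,
		       unsigned char *matchmask,
		       ip6tc_handle_t *handle);

/* Delete the rule in position `rulenum' in `chain'. */
int ip6tc_delete_num_entry(const ip6t_chainlabel chain,
			   unsigned int rulenum,
			   ip6tc_handle_t *handle);

/* Check the packet `entry' on chain `chain'. Returns the verdict, or
   NULL and sets errno. */
const char *ip6tc_check_packet(const ip6t_chainlabel chain,
			       struct ip6t_entry *entry,
			       ip6tc_handle_t *handle);

/* Flushes the entries in the given chain (ie. empties chain). */
int ip6tc_flush_entries(const ip6t_chainlabel chain,
			ip6tc_handle_t *handle);

/* Zeroes the counters in a chain. */
int ip6tc_zero_entries(const ip6t_chainlabel chain,
		       ip6tc_handle_t *handle);

/* Creates a new chain. */
int ip6tc_create_chain(const ip6t_chainlabel chain,
		       ip6tc_handle_t *handle);

/* Deletes a chain. */
int ip6tc_delete_chain(const ip6t_chainlabel chain,
		       ip6tc_handle_t *handle);

/* Renames a chain. */
int ip6tc_rename_chain(const ip6t_chainlabel oldname,
		       const ip6t_chainlabel newname,
		       ip6tc_handle_t *handle);

/* Sets the policy on a built-in chain. `counters', when non-NULL, gives
 * the counter values to install with the new policy. */
int ip6tc_set_policy(const ip6t_chainlabel chain,
		     const ip6t_chainlabel policy,
		     struct ip6t_counters *counters,
		     ip6tc_handle_t *handle);

/* Get the number of references to this chain, stored in `*ref'. */
int ip6tc_get_references(unsigned int *ref, const ip6t_chainlabel chain,
			 ip6tc_handle_t *handle);

/* Read packet and byte counters for a specific rule.
 * Returns NULL on error; the pointer refers into the snapshot. */
struct ip6t_counters *ip6tc_read_counter(const ip6t_chainlabel chain,
					 unsigned int rulenum,
					 ip6tc_handle_t *handle);

/* Zero packet and byte counters for a specific rule. */
int ip6tc_zero_counter(const ip6t_chainlabel chain,
		       unsigned int rulenum,
		       ip6tc_handle_t *handle);

/* Set packet and byte counters for a specific rule. */
int ip6tc_set_counter(const ip6t_chainlabel chain,
		      unsigned int rulenum,
		      struct ip6t_counters *counters,
		      ip6tc_handle_t *handle);

/* Makes the actual changes: pushes the edited snapshot to the kernel. */
int ip6tc_commit(ip6tc_handle_t *handle);

/* Get the raw socket used to talk to the kernel. Declared with an explicit
 * (void) parameter list so the compiler rejects stray arguments; the old
 * empty-parenthesis form disabled that check. The descriptor is privileged
 * -- do not hand it to less-trusted code. */
int ip6tc_get_raw_socket(void);

/* Translates errno numbers into more human-readable form than strerror. */
const char *ip6tc_strerror(int err);

/* Return prefix length of netmask `a', or -1 if its set bits are not
   contiguous from the top. */
int ipv6_prefix_length(const struct in6_addr *a);

#ifdef __cplusplus
}
#endif

#endif /* _LIBIP6TC_H */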