libip6tc.h revision 8c700900e2a0cf87d7917cb62578583a60ad1210
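#ifndef _LIBIP6TC_H
#define _LIBIP6TC_H
/* Library which manipulates firewall rules. Version 0.2. */

#include <libiptc/ipt_kernel_headers.h>
#include <linux/netfilter_ipv6/ip6_tables.h>

/* Minimum alignment used when laying out match/target data.  It defaults
   to the alignment of struct ip6t_entry_match unless defined earlier. */
#ifndef IP6T_MIN_ALIGN
#define IP6T_MIN_ALIGN (__alignof__(struct ip6t_entry_match))
#endif
/* Round `s' up to the next multiple of IP6T_MIN_ALIGN.  The mask
   arithmetic is only correct when IP6T_MIN_ALIGN is a power of two, so
   any override must keep that property.  The addition is not checked for
   overflow: a value of `s' within IP6T_MIN_ALIGN-1 of its type's maximum
   wraps around, so bound sizes derived from untrusted rule data before
   aligning them. */
#define IP6T_ALIGN(s) (((s) + (IP6T_MIN_ALIGN-1)) & ~(IP6T_MIN_ALIGN-1))

/* Fixed 32-byte buffer type for chain names.  When used as a function
   parameter below it decays to a plain pointer, so the compiler does NOT
   enforce the 32-byte bound; callers must check the length themselves.
   NOTE(review): presumably the name must be NUL-terminated within the 32
   bytes -- confirm against the implementation. */
typedef char ip6t_chainlabel[32];

/* Names of the standard verdicts. */
#define IP6TC_LABEL_ACCEPT "ACCEPT"
#define IP6TC_LABEL_DROP "DROP"
#define IP6TC_LABEL_QUEUE "QUEUE"
#define IP6TC_LABEL_RETURN "RETURN"

/* Handle type.  struct ip6tc_handle is not defined in this header, so
   users of the header can only pass the pointer around.  Because the
   typedef is a pointer, `const ip6tc_handle_t' below makes the pointer
   itself const, not the handle it points to. */
typedef struct ip6tc_handle *ip6tc_handle_t;

/* Does this chain exist? */
int ip6tc_is_chain(const char *chain, const ip6tc_handle_t handle);

/* Take a snapshot of the rules.  Returns NULL on error; check the result
   before passing the handle to any other function. */
ip6tc_handle_t ip6tc_init(const char *tablename);

/* Iterator functions to run through the chains.  Returns NULL at end.
   NOTE(review): the lifetime of the returned string is not stated here;
   presumably it is tied to the handle -- confirm before keeping it. */
const char *ip6tc_first_chain(ip6tc_handle_t *handle);
const char *ip6tc_next_chain(ip6tc_handle_t *handle);

/* Get first rule in the given chain: NULL for empty chain. */
const struct ip6t_entry *ip6tc_first_rule(const char *chain,
					   ip6tc_handle_t *handle);

/* Returns NULL when rules run out. */
const struct ip6t_entry *ip6tc_next_rule(const struct ip6t_entry *prev,
					  ip6tc_handle_t *handle);

/* Returns a pointer to the target name of this position. */
const char *ip6tc_get_target(const struct ip6t_entry *e,
			     ip6tc_handle_t *handle);

/* Is this a built-in chain? */
int ip6tc_builtin(const char *chain, const ip6tc_handle_t handle);

/* Get the policy of a given built-in chain.
   NOTE(review): `counters' looks like an output parameter (it is not
   const) -- confirm whether NULL is accepted. */
const char *ip6tc_get_policy(const char *chain,
			     struct ip6t_counters *counters,
			     ip6tc_handle_t *handle);

/* These functions return TRUE for OK, or 0 and set errno.  If errno ==
   0, it means there was a version error (ie. upgrade libiptc).  A
   firewall change whose return value is ignored may silently not have
   been made, so every caller should test the result. */
/* Rule numbers start at 1 for the first rule. */

/* Insert the entry `e' in chain `chain' into position `rulenum'. */
int ip6tc_insert_entry(const ip6t_chainlabel chain,
		       const struct ip6t_entry *e,
		       unsigned int rulenum,
		       ip6tc_handle_t *handle);

/* Atomically replace rule `rulenum' in `chain' with `e'. */
int ip6tc_replace_entry(const ip6t_chainlabel chain,
			const struct ip6t_entry *e,
			unsigned int rulenum,
			ip6tc_handle_t *handle);

/* Append entry `e' to chain `chain'.  Equivalent to insert with
   rulenum = length of chain. */
int ip6tc_append_entry(const ip6t_chainlabel chain,
		       const struct ip6t_entry *e,
		       ip6tc_handle_t *handle);

/* Delete the first rule in `chain' which matches `origfw'.
   NOTE(review): the required size and layout of `matchmask' are not
   given in this header; confirm them against the implementation before
   sizing the buffer. */
int ip6tc_delete_entry(const ip6t_chainlabel chain,
		       const struct ip6t_entry *origfw,
		       unsigned char *matchmask,
		       ip6tc_handle_t *handle);

/* Delete the rule in position `rulenum' in `chain'. */
int ip6tc_delete_num_entry(const ip6t_chainlabel chain,
			   unsigned int rulenum,
			   ip6tc_handle_t *handle);

/* Check the packet `e' on chain `chain'.  Returns the verdict, or
   NULL and sets errno.  Unlike the other entry functions, the entry
   pointer here is not const. */
const char *ip6tc_check_packet(const ip6t_chainlabel chain,
			       struct ip6t_entry *e,
			       ip6tc_handle_t *handle);

/* Flushes the entries in the given chain (ie. empties chain). */
int ip6tc_flush_entries(const ip6t_chainlabel chain,
			ip6tc_handle_t *handle);

/* Zeroes the counters in a chain. */
int ip6tc_zero_entries(const ip6t_chainlabel chain,
		       ip6tc_handle_t *handle);

/* Creates a new chain. */
int ip6tc_create_chain(const ip6t_chainlabel chain,
		       ip6tc_handle_t *handle);

/* Deletes a chain. */
int ip6tc_delete_chain(const ip6t_chainlabel chain,
		       ip6tc_handle_t *handle);

/* Renames a chain. */
int ip6tc_rename_chain(const ip6t_chainlabel oldname,
		       const ip6t_chainlabel newname,
		       ip6tc_handle_t *handle);

/* Sets the policy on a built-in chain. */
int ip6tc_set_policy(const ip6t_chainlabel chain,
		     const ip6t_chainlabel policy,
		     ip6tc_handle_t *handle);

/* Get the number of references to this chain */
int ip6tc_get_references(unsigned int *ref, const ip6t_chainlabel chain,
			 ip6tc_handle_t *handle);

/* Makes the actual changes.
   NOTE(review): presumably the edits above only touch the snapshot taken
   by ip6tc_init() until this is called, and the handle may not be usable
   afterwards -- confirm both against the implementation. */
int ip6tc_commit(ip6tc_handle_t *handle);

/* Get raw socket.  Declared with (void) so that a call with arguments is
   rejected at compile time; an empty parameter list is not a prototype
   in C.
   NOTE(review): ownership of the descriptor is not stated here; do not
   close it or let it be inherited by other programs without confirming. */
int ip6tc_get_raw_socket(void);

/* Translates errno numbers into more human-readable form than strerror. */
const char *ip6tc_strerror(int err);

/* Return prefix length, or -1 if not contiguous.  Test for -1 before
   using the result as a length or shift count. */
int ipv6_prefix_length(const struct in6_addr *a);

#endif /* _LIBIP6TC_H */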