1/* 2 * 25-Jul-1998 Major changes to allow for ip chain table 3 * 4 * 3-Jan-2000 Named tables to allow packet selection for different uses. 5 */ 6 7/* 8 * Format of an IP6 firewall descriptor 9 * 10 * src, dst, src_mask, dst_mask are always stored in network byte order. 11 * flags are stored in host byte order (of course). 12 * Port numbers are stored in HOST byte order. 13 */ 14 15#ifndef _IP6_TABLES_H 16#define _IP6_TABLES_H 17 18#include <linux/types.h> 19 20#include <linux/netfilter_ipv6.h> 21 22#include <linux/netfilter/x_tables.h> 23 24#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN 25#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN 26 27#define ip6t_match xt_match 28#define ip6t_target xt_target 29#define ip6t_table xt_table 30#define ip6t_get_revision xt_get_revision 31 32/* Yes, Virginia, you have to zero the padding. */ 33struct ip6t_ip6 { 34 /* Source and destination IP6 addr */ 35 struct in6_addr src, dst; 36 /* Mask for src and dest IP6 addr */ 37 struct in6_addr smsk, dmsk; 38 char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; 39 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; 40 41 /* Upper protocol number 42 * - The allowed value is 0 (any) or protocol number of last parsable 43 * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or 44 * the non IPv6 extension headers. 45 * - The protocol numbers of IPv6 extension headers except of ESP and 46 * MH do not match any packets. 47 * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol. 48 */ 49 u_int16_t proto; 50 /* TOS to match iff flags & IP6T_F_TOS */ 51 u_int8_t tos; 52 53 /* Flags word */ 54 u_int8_t flags; 55 /* Inverse flags */ 56 u_int8_t invflags; 57}; 58 59#define ip6t_entry_match xt_entry_match 60#define ip6t_entry_target xt_entry_target 61#define ip6t_standard_target xt_standard_target 62 63#define ip6t_counters xt_counters 64 65/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ 66#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper 67 protocols */ 68#define IP6T_F_TOS 0x02 /* Match the TOS. */ 69#define IP6T_F_GOTO 0x04 /* Set if jump is a goto */ 70#define IP6T_F_MASK 0x07 /* All possible flag bits mask. */ 71 72/* Values for "inv" field in struct ip6t_ip6. */ 73#define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ 74#define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ 75#define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */ 76#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ 77#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ 78#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */ 79#define IP6T_INV_PROTO XT_INV_PROTO 80#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */ 81 82/* This structure defines each of the firewall rules. Consists of 3 83 parts which are 1) general IP header stuff 2) match specific 84 stuff 3) the target to perform if the rule matches */ 85struct ip6t_entry { 86 struct ip6t_ip6 ipv6; 87 88 /* Mark with fields that we care about. */ 89 unsigned int nfcache; 90 91 /* Size of ipt_entry + matches */ 92 u_int16_t target_offset; 93 /* Size of ipt_entry + matches + target */ 94 u_int16_t next_offset; 95 96 /* Back pointer */ 97 unsigned int comefrom; 98 99 /* Packet and byte counters. */ 100 struct xt_counters counters; 101 102 /* The matches (if any), then the target. */ 103 unsigned char elems[0]; 104}; 105 106/* Standard entry */ 107struct ip6t_standard { 108 struct ip6t_entry entry; 109 struct ip6t_standard_target target; 110}; 111 112struct ip6t_error_target { 113 struct ip6t_entry_target target; 114 char errorname[IP6T_FUNCTION_MAXNAMELEN]; 115}; 116 117struct ip6t_error { 118 struct ip6t_entry entry; 119 struct ip6t_error_target target; 120}; 121 122#define IP6T_ENTRY_INIT(__size) \ 123{ \ 124 .target_offset = sizeof(struct ip6t_entry), \ 125 .next_offset = (__size), \ 126} 127 128#define IP6T_STANDARD_INIT(__verdict) \ 129{ \ 130 .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \ 131 .target = XT_TARGET_INIT(IP6T_STANDARD_TARGET, \ 132 sizeof(struct ip6t_standard_target)), \ 133 .target.verdict = -(__verdict) - 1, \ 134} 135 136#define IP6T_ERROR_INIT \ 137{ \ 138 .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \ 139 .target = XT_TARGET_INIT(IP6T_ERROR_TARGET, \ 140 sizeof(struct ip6t_error_target)), \ 141 .target.errorname = "ERROR", \ 142} 143 144/* 145 * New IP firewall options for [gs]etsockopt at the RAW IP level. 146 * Unlike BSD Linux inherits IP options so you don't have to use 147 * a raw socket for this. Instead we check rights in the calls. 148 * 149 * ATTENTION: check linux/in6.h before adding new number here. 150 */ 151#define IP6T_BASE_CTL 64 152 153#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL) 154#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1) 155#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS 156 157#define IP6T_SO_GET_INFO (IP6T_BASE_CTL) 158#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1) 159#define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4) 160#define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5) 161#define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET 162 163/* CONTINUE verdict for targets */ 164#define IP6T_CONTINUE XT_CONTINUE 165 166/* For standard target */ 167#define IP6T_RETURN XT_RETURN 168 169/* TCP/UDP matching stuff */ 170#include <linux/netfilter/xt_tcpudp.h> 171 172#define ip6t_tcp xt_tcp 173#define ip6t_udp xt_udp 174 175/* Values for "inv" field in struct ipt_tcp. */ 176#define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT 177#define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT 178#define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS 179#define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION 180#define IP6T_TCP_INV_MASK XT_TCP_INV_MASK 181 182/* Values for "invflags" field in struct ipt_udp. */ 183#define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT 184#define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT 185#define IP6T_UDP_INV_MASK XT_UDP_INV_MASK 186 187/* ICMP matching stuff */ 188struct ip6t_icmp { 189 u_int8_t type; /* type to match */ 190 u_int8_t code[2]; /* range of code */ 191 u_int8_t invflags; /* Inverse flags */ 192}; 193 194/* Values for "inv" field for struct ipt_icmp. */ 195#define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ 196 197/* The argument to IP6T_SO_GET_INFO */ 198struct ip6t_getinfo { 199 /* Which table: caller fills this in. */ 200 char name[IP6T_TABLE_MAXNAMELEN]; 201 202 /* Kernel fills these in. */ 203 /* Which hook entry points are valid: bitmask */ 204 unsigned int valid_hooks; 205 206 /* Hook entry points: one per netfilter hook. */ 207 unsigned int hook_entry[NF_INET_NUMHOOKS]; 208 209 /* Underflow points. */ 210 unsigned int underflow[NF_INET_NUMHOOKS]; 211 212 /* Number of entries */ 213 unsigned int num_entries; 214 215 /* Size of entries. */ 216 unsigned int size; 217}; 218 219/* The argument to IP6T_SO_SET_REPLACE. */ 220struct ip6t_replace { 221 /* Which table. */ 222 char name[IP6T_TABLE_MAXNAMELEN]; 223 224 /* Which hook entry points are valid: bitmask. You can't 225 change this. */ 226 unsigned int valid_hooks; 227 228 /* Number of entries */ 229 unsigned int num_entries; 230 231 /* Total size of new entries */ 232 unsigned int size; 233 234 /* Hook entry points. */ 235 unsigned int hook_entry[NF_INET_NUMHOOKS]; 236 237 /* Underflow points. */ 238 unsigned int underflow[NF_INET_NUMHOOKS]; 239 240 /* Information about old entries: */ 241 /* Number of counters (must be equal to current number of entries). */ 242 unsigned int num_counters; 243 /* The old entries' counters. */ 244 struct xt_counters *counters; 245 246 /* The entries (hang off end: not really an array). */ 247 struct ip6t_entry entries[0]; 248}; 249 250/* The argument to IP6T_SO_ADD_COUNTERS. */ 251#define ip6t_counters_info xt_counters_info 252 253/* The argument to IP6T_SO_GET_ENTRIES. */ 254struct ip6t_get_entries { 255 /* Which table: user fills this in. */ 256 char name[IP6T_TABLE_MAXNAMELEN]; 257 258 /* User fills this in: total entry size. */ 259 unsigned int size; 260 261 /* The entries. */ 262 struct ip6t_entry entrytable[0]; 263}; 264 265/* Standard return verdict, or do jump. */ 266#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET 267/* Error verdict. */ 268#define IP6T_ERROR_TARGET XT_ERROR_TARGET 269 270/* Helper functions */ 271static __inline__ struct ip6t_entry_target * 272ip6t_get_target(struct ip6t_entry *e) 273{ 274 return (void *)e + e->target_offset; 275} 276 277/* fn returns 0 to continue iteration */ 278#define IP6T_MATCH_ITERATE(e, fn, args...) \ 279 XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args) 280 281/* fn returns 0 to continue iteration */ 282#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \ 283 XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args) 284 285/* 286 * Main firewall chains definitions and global var's definitions. 287 */ 288 289#endif /* _IP6_TABLES_H */ 290