ip_tables.h revision aa88498f180a1cd9659ba21bceaec7063a8b36fe
/*
 * ip_tables.h - kernel/userspace ABI for the IPv4 packet filter (iptables).
 *
 * Everything below is shared with userspace through [gs]etsockopt, so the
 * struct layouts are binary interface: field order, types and the trailing
 * zero-length arrays must not change.
 *
 * 25-Jul-1998 Major changes to allow for ip chain table
 *
 * 3-Jan-2000 Named tables to allow packet selection for different uses.
 */

/*
 * Format of an IP firewall descriptor
 *
 * src, dst, src_mask, dst_mask are always stored in network byte order.
 * flags are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 */

#ifndef _IPTABLES_H
#define _IPTABLES_H

#include <linux/compiler.h>
#include <linux/netfilter_ipv4.h>

/* Maximum length of a match/target function name (see the name[] fields
 * below, which are sized IPT_FUNCTION_MAXNAMELEN-1 and followed by a
 * one-byte revision). */
#define IPT_FUNCTION_MAXNAMELEN 30
/* Maximum length of a table name, including the terminating NUL. */
#define IPT_TABLE_MAXNAMELEN 32

/*
 * Generic IP-header part of a rule: address/mask pairs, interface names
 * with their match masks, protocol, and the flag/inverse-flag bytes whose
 * bit values are the IPT_F_* and IPT_INV_* defines below.
 *
 * Yes, Virginia, you have to zero the padding.
 */
struct ipt_ip {
	/* Source and destination IP addr */
	struct in_addr src, dst;
	/* Mask for src and dest IP addr */
	struct in_addr smsk, dmsk;
	/* Interface names and per-byte masks applied when comparing them. */
	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

	/* Protocol, 0 = ANY */
	u_int16_t proto;

	/* Flags word (IPT_F_*) */
	u_int8_t flags;
	/* Inverse flags (IPT_INV_*) */
	u_int8_t invflags;
};

/*
 * One match attached to a rule.  The three views of the union all start
 * with match_size, so the total length can be read regardless of which
 * view filled it in; `user' carries the name+revision (29+1 bytes =
 * IPT_FUNCTION_MAXNAMELEN) and `kernel' carries the resolved match
 * pointer, which therefore overlaps the name storage.  Match-specific
 * data follows immediately in data[] and is included in match_size.
 */
struct ipt_entry_match
{
	union {
		struct {
			u_int16_t match_size;

			/* Used by userspace */
			char name[IPT_FUNCTION_MAXNAMELEN-1];

			u_int8_t revision;
		} user;
		struct {
			u_int16_t match_size;

			/* Used inside the kernel */
			struct ipt_match *match;
		} kernel;

		/* Total length */
		u_int16_t match_size;
	} u;

	/* Zero-length array (GNU extension): trailing match-specific data. */
	unsigned char data[0];
};

/*
 * The target of a rule.  Same layout scheme as struct ipt_entry_match:
 * target_size is at the same offset in every view, `user' holds the
 * name+revision and `kernel' the resolved target pointer, and the
 * target-specific data follows in data[].
 */
struct ipt_entry_target
{
	union {
		struct {
			u_int16_t target_size;

			/* Used by userspace */
			char name[IPT_FUNCTION_MAXNAMELEN-1];

			u_int8_t revision;
		} user;
		struct {
			u_int16_t target_size;

			/* Used inside the kernel */
			struct ipt_target *target;
		} kernel;

		/* Total length */
		u_int16_t target_size;
	} u;

	/* Zero-length array (GNU extension): trailing target-specific data. */
	unsigned char data[0];
};

/*
 * The built-in "standard" target (name IPT_STANDARD_TARGET): its data is
 * a single verdict, either a netfilter verdict, IPT_RETURN, or a jump
 * offset (see "Standard return verdict, or do jump" below).
 */
struct ipt_standard_target
{
	struct ipt_entry_target target;
	int verdict;
};

/* Per-rule packet and byte counters, also used standalone by
 * IPT_SO_SET_ADD_COUNTERS and ipt_replace. */
struct ipt_counters
{
	u_int64_t pcnt, bcnt; /* Packet and byte counters */
};

/* Values for "flag" field in struct ipt_ip (general ip structure). */
#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
#define IPT_F_MASK 0x01 /* All possible flag bits mask. */

/* Values for "inv" field in struct ipt_ip. */
#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */
#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST IP. */
#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */
#define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */

/* This structure defines each of the firewall rules. Consists of 3
   parts which are 1) general IP header stuff 2) match specific
   stuff 3) the target to perform if the rule matches.

   Entries are packed back to back in a byte array: the matches start at
   sizeof(struct ipt_entry), the target starts at target_offset, and the
   next entry starts at next_offset (see IPT_MATCH_ITERATE,
   IPT_ENTRY_ITERATE and ipt_get_target below, which rely on exactly
   these offsets). */
struct ipt_entry
{
	struct ipt_ip ip;

	/* Mark with fields that we care about. */
	unsigned int nfcache;

	/* Size of ipt_entry + matches */
	u_int16_t target_offset;
	/* Size of ipt_entry + matches + target */
	u_int16_t next_offset;

	/* Back pointer */
	unsigned int comefrom;

	/* Packet and byte counters. */
	struct ipt_counters counters;

	/* The matches (if any), then the target. */
	unsigned char elems[0];
};

/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 * socket for this. Instead we check rights in the calls.
 *
 * Note that the SET and GET numbers overlap (both start at IPT_BASE_CTL);
 * they are distinguished by which of setsockopt/getsockopt is called.
 */
#define IPT_BASE_CTL 64 /* base for firewall socket options */

#define IPT_SO_SET_REPLACE (IPT_BASE_CTL) /* arg: struct ipt_replace */
#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) /* arg: struct ipt_counters_info */
#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS

#define IPT_SO_GET_INFO (IPT_BASE_CTL) /* arg: struct ipt_getinfo */
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) /* arg: struct ipt_get_entries */
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2) /* arg: struct ipt_get_revision */
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) /* arg: struct ipt_get_revision */
#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET

/* CONTINUE verdict for targets */
#define IPT_CONTINUE 0xFFFFFFFF

/* For standard target: a negative verdict value below every NF_* verdict,
 * so it cannot collide with them. */
#define IPT_RETURN (-NF_MAX_VERDICT - 1)

/* TCP matching stuff */
struct ipt_tcp
{
	u_int16_t spts[2]; /* Source port range. */
	u_int16_t dpts[2]; /* Destination port range. */
	u_int8_t option; /* TCP Option iff non-zero*/
	u_int8_t flg_mask; /* TCP flags mask byte */
	u_int8_t flg_cmp; /* TCP flags compare byte */
	u_int8_t invflags; /* Inverse flags (IPT_TCP_INV_*) */
};

/* Values for "inv" field in struct ipt_tcp. */
#define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
#define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
#define IPT_TCP_INV_MASK 0x0F /* All possible flags. */

/* UDP matching stuff */
struct ipt_udp
{
	u_int16_t spts[2]; /* Source port range. */
	u_int16_t dpts[2]; /* Destination port range. */
	u_int8_t invflags; /* Inverse flags (IPT_UDP_INV_*) */
};

/* Values for "invflags" field in struct ipt_udp. */
#define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define IPT_UDP_INV_MASK 0x03 /* All possible flags. */

/* ICMP matching stuff */
struct ipt_icmp
{
	u_int8_t type; /* type to match */
	u_int8_t code[2]; /* range of code */
	u_int8_t invflags; /* Inverse flags (IPT_ICMP_INV) */
};

/* Values for "inv" field for struct ipt_icmp. */
#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */

/* The argument to IPT_SO_GET_INFO.
 * NOTE(review): nothing in this header guarantees that name[] is
 * NUL-terminated within IPT_TABLE_MAXNAMELEN; presumably the kernel
 * enforces that on input -- confirm in the setsockopt/getsockopt handlers. */
struct ipt_getinfo
{
	/* Which table: caller fills this in. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* Kernel fills these in. */
	/* Which hook entry points are valid: bitmask */
	unsigned int valid_hooks;

	/* Hook entry points: one per netfilter hook. */
	unsigned int hook_entry[NF_IP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_IP_NUMHOOKS];

	/* Number of entries */
	unsigned int num_entries;

	/* Size of entries. */
	unsigned int size;
};

/* The argument to IPT_SO_SET_REPLACE: a complete new table, with the
 * entries appended after the header and a pointer to where the counters
 * of the entries being replaced should be delivered. */
struct ipt_replace
{
	/* Which table. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* Which hook entry points are valid: bitmask. You can't
	   change this. */
	unsigned int valid_hooks;

	/* Number of entries */
	unsigned int num_entries;

	/* Total size of new entries */
	unsigned int size;

	/* Hook entry points. */
	unsigned int hook_entry[NF_IP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_IP_NUMHOOKS];

	/* Information about old entries: */
	/* Number of counters (must be equal to current number of entries). */
	unsigned int num_counters;

	/* The old entries' counters.  This is a pointer supplied by the
	 * caller, not data embedded in the structure; it is presumably a
	 * userspace address the kernel writes to -- verify in the handler. */
	struct ipt_counters *counters;

	/* The entries (hang off end: not really an array). */
	struct ipt_entry entries[0];
};

/* The argument to IPT_SO_SET_ADD_COUNTERS. */
struct ipt_counters_info
{
	/* Which table. */
	char name[IPT_TABLE_MAXNAMELEN];

	unsigned int num_counters;

	/* The counters (actually `num_counters' of these). */
	struct ipt_counters counters[0];
};

/* The argument to IPT_SO_GET_ENTRIES. */
struct ipt_get_entries
{
	/* Which table: user fills this in. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* User fills this in: total entry size. */
	unsigned int size;

	/* The entries. */
	struct ipt_entry entrytable[0];
};

/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
 * kernel supports, if >= revision.  Same name/revision layout as the
 * `user' view of ipt_entry_match/ipt_entry_target. */
struct ipt_get_revision
{
	char name[IPT_FUNCTION_MAXNAMELEN-1];

	u_int8_t revision;
};

/* Standard return verdict, or do jump. */
#define IPT_STANDARD_TARGET ""
/* Error verdict. */
#define IPT_ERROR_TARGET "ERROR"

/* Helper functions */

/*
 * Return the target of entry e, located target_offset bytes past e.
 * Relies on byte arithmetic on void * (GNU extension).  Performs no
 * validation: e->target_offset must already be known to lie within the
 * entry (presumably checked when the table was loaded -- confirm).
 */
static __inline__ struct ipt_entry_target *
ipt_get_target(struct ipt_entry *e)
{
	return (void *)e + e->target_offset;
}

/*
 * Iterate over the matches of entry e: walks from sizeof(struct ipt_entry)
 * up to (e)->target_offset, advancing by each match's u.match_size, and
 * calls fn(match, args...) on each.  Stops at the first non-zero return;
 * the macro evaluates to that value, or 0 if every call returned 0.
 *
 * NOTE(review): no bounds or size checks are done here -- a match_size of
 * 0 would never advance __i, and a target_offset larger than the entry
 * walks past it.  Presumably callers only pass already-validated entries;
 * confirm before using this on fresh userspace input.
 */
/* fn returns 0 to continue iteration */
#define IPT_MATCH_ITERATE(e, fn, args...) \
({ \
	unsigned int __i; \
	int __ret = 0; \
	struct ipt_entry_match *__match; \
	\
	for (__i = sizeof(struct ipt_entry); \
	     __i < (e)->target_offset; \
	     __i += __match->u.match_size) { \
		__match = (void *)(e) + __i; \
		\
		__ret = fn(__match , ## args); \
		if (__ret != 0) \
			break; \
	} \
	__ret; \
})

/*
 * Iterate over the entries in a byte array of the given size: walks from
 * offset 0 while __i < (size), advancing by each entry's next_offset, and
 * calls fn(entry, args...) on each.  Stops at the first non-zero return;
 * the macro evaluates to that value, or 0 if every call returned 0.
 *
 * NOTE(review): same caveat as IPT_MATCH_ITERATE -- a next_offset of 0
 * would never advance __i, and nothing here checks that an entry fits
 * inside (size).  Presumably callers validate first; confirm.
 */
/* fn returns 0 to continue iteration */
#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
({ \
	unsigned int __i; \
	int __ret = 0; \
	struct ipt_entry *__entry; \
	\
	for (__i = 0; __i < (size); __i += __entry->next_offset) { \
		__entry = (void *)(entries) + __i; \
		\
		__ret = fn(__entry , ## args); \
		if (__ret != 0) \
			break; \
	} \
	__ret; \
})

/*
 * Main firewall chains definitions and global var's definitions.
 */
#endif /* _IPTABLES_H */