ip_tables.h revision aa88498f180a1cd9659ba21bceaec7063a8b36fe
1/*
2 * 25-Jul-1998 Major changes to allow for ip chain table
3 *
4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
5 */
6
7/*
8 * 	Format of an IP firewall descriptor
9 *
10 * 	src, dst, src_mask, dst_mask are always stored in network byte order.
11 * 	flags are stored in host byte order (of course).
12 * 	Port numbers are stored in HOST byte order.
13 */
14
15#ifndef _IPTABLES_H
16#define _IPTABLES_H
17
18#include <linux/compiler.h>
19#include <linux/netfilter_ipv4.h>
20
/* Upper bound on a match/target (extension) name.  Note that the name
 * arrays declared with it below (struct ipt_entry_match,
 * struct ipt_entry_target, struct ipt_get_revision) are
 * IPT_FUNCTION_MAXNAMELEN-1 bytes long, i.e. 29 bytes, so code that
 * bounds a name lookup must use the array size, not this macro.
 * NOTE(review): whether the name is required to be NUL-terminated is
 * not stated here -- confirm in the table code. */
#define IPT_FUNCTION_MAXNAMELEN 30
/* Upper bound on a table name (struct ipt_getinfo.name and the other
 * setsockopt/getsockopt argument structures below). */
#define IPT_TABLE_MAXNAMELEN 32
23
/* Yes, Virginia, you have to zero the padding. */
/*
 * The IP-header part of a rule; the first member of struct ipt_entry.
 * src, dst, smsk and dmsk are stored in network byte order (see the
 * file header).  NOTE(review): the padding rule above suggests rules are
 * compared bytewise somewhere (userspace and/or kernel) -- confirm
 * before treating any byte of this structure as "don't care".
 */
struct ipt_ip {
	/* Source and destination IP addr */
	struct in_addr src, dst;
	/* Mask for src and dest IP addr */
	struct in_addr smsk, dmsk;
	/* Input and output interface names, plus companion masks for the
	 * name comparison (presumably one mask byte per character -- the
	 * exact semantics live in the matching code, not here). */
	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

	/* Protocol, 0 = ANY */
	u_int16_t proto;

	/* Flags word: IPT_F_* bits (see below) */
	u_int8_t flags;
	/* Inverse flags: IPT_INV_* bits (see below) */
	u_int8_t invflags;
};
41
/*
 * Header of one match inside a rule.  The matches (if any) follow the
 * struct ipt_entry in its elems[] and precede the target;
 * IPT_MATCH_ITERATE walks them by stepping u.match_size bytes at a time
 * from the start of each header, so match_size covers header plus data.
 */
struct ipt_entry_match
{
	union {
		struct {
			u_int16_t match_size;

			/* Used by userspace */
			/* Extension name, IPT_FUNCTION_MAXNAMELEN-1 bytes. */
			char name[IPT_FUNCTION_MAXNAMELEN-1];

			u_int8_t revision;
		} user;
		struct {
			u_int16_t match_size;

			/* Used inside the kernel */
			/* Resolved extension (struct ipt_match is declared
			 * elsewhere).  Presumably overwrites the name once
			 * the kernel has looked it up -- confirm. */
			struct ipt_match *match;
		} kernel;

		/* Total length */
		/* All three views begin with match_size, so u.match_size is
		 * valid whichever view is current.  It arrives from
		 * userspace with the rule: a value of 0 would stop
		 * IPT_MATCH_ITERATE from advancing, and a value running past
		 * the entry's target_offset would overlap the target, so it
		 * must be validated before the matches are walked. */
		u_int16_t match_size;
	} u;

	/* Match-specific data (GNU zero-length array idiom: the bytes
	 * follow this header inline, match_size - sizeof(header) of them). */
	unsigned char data[0];
};
66
/*
 * Header of the target at the end of a rule, located via
 * ipt_get_target() (struct ipt_entry.target_offset).  Same scheme as
 * struct ipt_entry_match: a userspace view (name) and a kernel view
 * (resolved pointer) overlay one another, both starting with the size.
 */
struct ipt_entry_target
{
	union {
		struct {
			u_int16_t target_size;

			/* Used by userspace */
			/* Extension name, IPT_FUNCTION_MAXNAMELEN-1 bytes;
			 * "" is the standard target (IPT_STANDARD_TARGET). */
			char name[IPT_FUNCTION_MAXNAMELEN-1];

			u_int8_t revision;
		} user;
		struct {
			u_int16_t target_size;

			/* Used inside the kernel */
			/* Resolved extension (struct ipt_target is declared
			 * elsewhere).  Presumably overwrites the name once
			 * the kernel has looked it up -- confirm. */
			struct ipt_target *target;
		} kernel;

		/* Total length */
		/* Total length of the target (presumably header plus data,
		 * as for match_size), valid through either view.  Supplied
		 * by userspace with the rule; the rule ends at
		 * struct ipt_entry.next_offset, so the target must be
		 * checked to fit before it. */
		u_int16_t target_size;
	} u;

	/* Target-specific data following this header inline (GNU
	 * zero-length array idiom). */
	unsigned char data[0];
};
91
/*
 * The built-in target (name IPT_STANDARD_TARGET, ""): a header plus a
 * verdict.  verdict is either a return verdict (an NF_* value or
 * IPT_RETURN, see below) or a jump; how a jump is encoded is not
 * defined in this header -- see the table code.
 */
struct ipt_standard_target
{
	struct ipt_entry_target target;
	int verdict;
};
97
/* Per-rule packet and byte counters.  Also the element type of the
 * counter arrays exchanged through IPT_SO_SET_REPLACE
 * (struct ipt_replace.counters) and IPT_SO_SET_ADD_COUNTERS
 * (struct ipt_counters_info.counters). */
struct ipt_counters
{
	u_int64_t pcnt, bcnt;			/* Packet and byte counters */
};
102
/* Values for the "flags" field in struct ipt_ip (general ip structure).
 * IPT_F_MASK covers every defined bit; any bit outside it is undefined
 * and should be rejected when a rule is loaded (NOTE(review): confirm
 * the table code does so). */
#define IPT_F_FRAG		0x01	/* Set if rule is a fragment rule */
#define IPT_F_MASK		0x01	/* All possible flag bits mask. */

/* Values for the "invflags" field in struct ipt_ip.  Each bit inverts
 * the sense of the corresponding test.  IPT_INV_MASK covers every
 * defined bit. */
#define IPT_INV_VIA_IN		0x01	/* Invert the sense of IN IFACE. */
#define IPT_INV_VIA_OUT		0x02	/* Invert the sense of OUT IFACE */
#define IPT_INV_TOS		0x04	/* Invert the sense of TOS.  (struct ipt_ip has no TOS field in this revision; presumably kept for compatibility.) */
#define IPT_INV_SRCIP		0x08	/* Invert the sense of SRC IP. */
#define IPT_INV_DSTIP		0x10	/* Invert the sense of DST IP. */
#define IPT_INV_FRAG		0x20	/* Invert the sense of FRAG. */
#define IPT_INV_PROTO		0x40	/* Invert the sense of PROTO. */
#define IPT_INV_MASK		0x7F	/* All possible flag bits mask. */
116
/* This structure defines each of the firewall rules.  Consists of 3
   parts which are 1) general IP header stuff 2) match specific
   stuff 3) the target to perform if the rule matches.

   Rules are variable-length: the matches and the target live in
   elems[] and are located by target_offset / next_offset.  Both
   offsets come from userspace with the rule (IPT_SO_SET_REPLACE), and
   neither ipt_get_target() nor the *_ITERATE macros below check them,
   so they must be range-checked before a table is walked. */
struct ipt_entry
{
	struct ipt_ip ip;

	/* Mark with fields that we care about. */
	unsigned int nfcache;

	/* Size of ipt_entry + matches */
	/* i.e. the offset of the struct ipt_entry_target from the start of
	 * this entry, and the bound IPT_MATCH_ITERATE walks up to. */
	u_int16_t target_offset;
	/* Size of ipt_entry + matches + target */
	/* i.e. the offset of the next rule.  IPT_ENTRY_ITERATE advances by
	 * it, so a value of 0 would never advance. */
	u_int16_t next_offset;

	/* Back pointer */
	/* Its meaning is defined by the table-checking code, not here. */
	unsigned int comefrom;

	/* Packet and byte counters. */
	struct ipt_counters counters;

	/* The matches (if any), then the target. */
	/* GNU zero-length array: the bytes follow this header inline. */
	unsigned char elems[0];
};
141
/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 * socket for this. Instead we check rights in the calls.
 *
 * The SET and GET option numbers overlap (both start at IPT_BASE_CTL);
 * they are told apart by whether setsockopt or getsockopt is used.
 * The argument structure for each option is defined further down. */
#define IPT_BASE_CTL		64	/* base for firewall socket options */

#define IPT_SO_SET_REPLACE	(IPT_BASE_CTL)		/* arg: struct ipt_replace */
#define IPT_SO_SET_ADD_COUNTERS	(IPT_BASE_CTL + 1)	/* arg: struct ipt_counters_info */
#define IPT_SO_SET_MAX		IPT_SO_SET_ADD_COUNTERS

#define IPT_SO_GET_INFO			(IPT_BASE_CTL)		/* arg: struct ipt_getinfo */
#define IPT_SO_GET_ENTRIES		(IPT_BASE_CTL + 1)	/* arg: struct ipt_get_entries */
#define IPT_SO_GET_REVISION_MATCH	(IPT_BASE_CTL + 2)	/* arg: struct ipt_get_revision */
#define IPT_SO_GET_REVISION_TARGET	(IPT_BASE_CTL + 3)	/* arg: struct ipt_get_revision */
#define IPT_SO_GET_MAX			IPT_SO_GET_REVISION_TARGET

/* CONTINUE verdict for targets */
/* Not an NF_* verdict: a target returns it to keep evaluating the chain
 * instead of deciding the packet's fate. */
#define IPT_CONTINUE 0xFFFFFFFF

/* For standard target */
/* Verdict value for struct ipt_standard_target.verdict, placed just
 * beyond the NF_* verdict range so it cannot collide with one
 * (NF_MAX_VERDICT presumably comes via <linux/netfilter_ipv4.h>).
 * Presumably "return to the calling chain" -- confirm in the table code. */
#define IPT_RETURN (-NF_MAX_VERDICT - 1)
163
/* TCP matching stuff */
/* Match data for the TCP match.  Port numbers are in host byte order
 * (see the file header); each [2] array is a [low, high] pair whose
 * exact bound semantics are defined by the match code. */
struct ipt_tcp
{
	u_int16_t spts[2];			/* Source port range. */
	u_int16_t dpts[2];			/* Destination port range. */
	u_int8_t option;			/* TCP Option iff non-zero*/
	u_int8_t flg_mask;			/* TCP flags mask byte */
	u_int8_t flg_cmp;			/* TCP flags compare byte */
						/* presumably matches when (flags & flg_mask) == flg_cmp -- confirm */
	u_int8_t invflags;			/* Inverse flags: IPT_TCP_INV_* */
};
174
/* Values for the "invflags" field in struct ipt_tcp.  IPT_TCP_INV_MASK
 * covers every defined bit; anything outside it is undefined. */
#define IPT_TCP_INV_SRCPT	0x01	/* Invert the sense of source ports. */
#define IPT_TCP_INV_DSTPT	0x02	/* Invert the sense of dest ports. */
#define IPT_TCP_INV_FLAGS	0x04	/* Invert the sense of TCP flags. */
#define IPT_TCP_INV_OPTION	0x08	/* Invert the sense of option test. */
#define IPT_TCP_INV_MASK	0x0F	/* All possible flags. */
181
/* UDP matching stuff */
/* Match data for the UDP match.  Port numbers are in host byte order
 * (see the file header); each [2] array is a [low, high] pair. */
struct ipt_udp
{
	u_int16_t spts[2];			/* Source port range. */
	u_int16_t dpts[2];			/* Destination port range. */
	u_int8_t invflags;			/* Inverse flags: IPT_UDP_INV_* */
};
189
/* Values for the "invflags" field in struct ipt_udp.  IPT_UDP_INV_MASK
 * covers every defined bit; anything outside it is undefined. */
#define IPT_UDP_INV_SRCPT	0x01	/* Invert the sense of source ports. */
#define IPT_UDP_INV_DSTPT	0x02	/* Invert the sense of dest ports. */
#define IPT_UDP_INV_MASK	0x03	/* All possible flags. */
194
/* ICMP matching stuff */
/* Match data for the ICMP match: one type and a [low, high] code range. */
struct ipt_icmp
{
	u_int8_t type;				/* type to match */
	u_int8_t code[2];			/* range of code */
	u_int8_t invflags;			/* Inverse flags: IPT_ICMP_INV */
};
202
/* Values for the "invflags" field in struct ipt_icmp.  Only one bit is
 * defined; anything outside it is undefined. */
#define IPT_ICMP_INV	0x01	/* Invert the sense of type/code test */
205
/* The argument to IPT_SO_GET_INFO */
/* Userspace supplies name; the kernel fills in everything else.
 * Since name arrives from userspace the kernel side must not assume it
 * is NUL-terminated within IPT_TABLE_MAXNAMELEN bytes. */
struct ipt_getinfo
{
	/* Which table: caller fills this in. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* Kernel fills these in. */
	/* Which hook entry points are valid: bitmask */
	unsigned int valid_hooks;

	/* Hook entry points: one per netfilter hook. */
	unsigned int hook_entry[NF_IP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_IP_NUMHOOKS];

	/* Number of entries */
	unsigned int num_entries;

	/* Size of entries. */
	/* Presumably the total byte size of the entry table, i.e. what
	 * struct ipt_get_entries.size should be set to -- confirm. */
	unsigned int size;
};
228
/* The argument to IPT_SO_SET_REPLACE. */
/* Whole-table replacement.  Since this structure is passed in through
 * setsockopt, every field is caller-supplied: num_entries, size,
 * hook_entry[] and underflow[] describe the entry blob in entries[] and
 * must be validated before any entry is walked (the *_ITERATE macros
 * below trust the offsets they are handed).  counters is a pointer in
 * the caller's address space, not kernel memory, so it must be
 * accessed through the kernel's user-copy helpers rather than
 * dereferenced directly. */
struct ipt_replace
{
	/* Which table. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* Which hook entry points are valid: bitmask.  You can't
	 * change this. */
	unsigned int valid_hooks;

	/* Number of entries */
	unsigned int num_entries;

	/* Total size of new entries */
	unsigned int size;

	/* Hook entry points. */
	/* Byte offsets into entries[], one per netfilter hook. */
	unsigned int hook_entry[NF_IP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_IP_NUMHOOKS];

	/* Information about old entries: */
	/* Number of counters (must be equal to current number of entries). */
	unsigned int num_counters;

	/* The old entries' counters. */
	/* Userspace buffer the old table's counters are written to;
	 * num_counters elements. */
	struct ipt_counters  *counters;

	/* The entries (hang off end: not really an array). */
	/* GNU zero-length array: `size' bytes of struct ipt_entry records
	 * follow this header inline. */
	struct ipt_entry entries[0];
};
261
/* The argument to IPT_SO_SET_ADD_COUNTERS. */
/* Adds the supplied counters to a table's rule counters.  Caller-
 * supplied via setsockopt: num_counters must be checked against the
 * table's actual entry count before the array is used (presumably it
 * must match, as for struct ipt_replace.num_counters -- confirm). */
struct ipt_counters_info
{
	/* Which table. */
	char name[IPT_TABLE_MAXNAMELEN];

	unsigned int num_counters;

	/* The counters (actually num_counters of these, following this
	 * header inline; GNU zero-length array idiom). */
	struct ipt_counters counters[0];
};
273
/* The argument to IPT_SO_GET_ENTRIES. */
/* Userspace supplies name and size (the room it has for entrytable);
 * the kernel presumably copies the table's entries back into
 * entrytable on return.  NOTE(review): the kernel side must treat
 * `size' as a hard upper bound on what it writes back. */
struct ipt_get_entries
{
	/* Which table: user fills this in. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* User fills this in: total entry size. */
	unsigned int size;

	/* The entries. */
	/* GNU zero-length array: the entry records follow inline. */
	struct ipt_entry entrytable[0];
};
286
/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
 * kernel supports, if >= revision. */
/* Userspace supplies the extension name and the minimum revision it
 * needs; the kernel answers with the highest revision it has for that
 * name, provided it is at least `revision'. */
struct ipt_get_revision
{
	/* Extension name, IPT_FUNCTION_MAXNAMELEN-1 bytes, caller-supplied
	 * (so not to be assumed NUL-terminated by the kernel side). */
	char name[IPT_FUNCTION_MAXNAMELEN-1];

	u_int8_t revision;
};
295
/* Standard return verdict, or do jump. */
/* The built-in target has the empty name; its payload is
 * struct ipt_standard_target. */
#define IPT_STANDARD_TARGET ""
/* Error verdict. */
/* Name of the error pseudo-target. */
#define IPT_ERROR_TARGET "ERROR"
300
/* Helper functions */
/*
 * ipt_get_target - locate the target header of a rule.
 * @e: the rule.
 *
 * Returns the struct ipt_entry_target that sits e->target_offset bytes
 * past the start of @e (i.e. after the matches in e->elems).  No
 * checking is done here: target_offset comes from userspace with the
 * rule (IPT_SO_SET_REPLACE) and must already have been validated to
 * lie inside the entry.
 */
static __inline__ struct ipt_entry_target *
ipt_get_target(struct ipt_entry *e)
{
	unsigned char *base = (unsigned char *)e;

	return (struct ipt_entry_target *)(base + e->target_offset);
}
307
/* fn returns 0 to continue iteration */
/*
 * IPT_MATCH_ITERATE(e, fn, args...) - call fn(match, args...) for each
 * match in rule e, stopping at the first non-zero return.  The whole
 * expression evaluates to that return value, or 0 if every match was
 * visited.  The walk starts at sizeof(struct ipt_entry) (e->elems) and
 * advances by each match's u.match_size until it reaches
 * e->target_offset.
 *
 * Nothing is checked here, so the caller must have validated the rule:
 *  - e is evaluated more than once; pass a plain variable.
 *  - a u.match_size of 0 never advances __i (the loop does not end).
 *  - a match whose match_size runs past target_offset is still handed
 *    to fn before the loop condition notices.
 * Uses GNU extensions (statement expression, named variadic args).
 */
#define IPT_MATCH_ITERATE(e, fn, args...)	\
({						\
	unsigned int __i;			\
	int __ret = 0;				\
	struct ipt_entry_match *__match;	\
						\
	for (__i = sizeof(struct ipt_entry);	\
	     __i < (e)->target_offset;		\
	     __i += __match->u.match_size) {	\
		__match = (void *)(e) + __i;	\
						\
		__ret = fn(__match , ## args);	\
		if (__ret != 0)			\
			break;			\
	}					\
	__ret;					\
})
326
/* fn returns 0 to continue iteration */
/*
 * IPT_ENTRY_ITERATE(entries, size, fn, args...) - call fn(entry, args...)
 * for each rule in the `size'-byte blob at entries, stopping at the
 * first non-zero return.  The whole expression evaluates to that return
 * value, or 0 if every entry was visited.  The walk starts at offset 0
 * and advances by each entry's next_offset while the offset is < size.
 *
 * Nothing is checked here, so the caller must have validated the blob
 * (it arrives from userspace via struct ipt_replace):
 *  - entries and size are evaluated more than once; pass plain variables.
 *  - a next_offset of 0 never advances __i (the loop does not end).
 *  - an entry whose next_offset runs past size is still handed to fn
 *    before the loop condition notices.
 * Uses GNU extensions (statement expression, named variadic args).
 */
#define IPT_ENTRY_ITERATE(entries, size, fn, args...)		\
({								\
	unsigned int __i;					\
	int __ret = 0;						\
	struct ipt_entry *__entry;				\
								\
	for (__i = 0; __i < (size); __i += __entry->next_offset) { \
		__entry = (void *)(entries) + __i;		\
								\
		__ret = fn(__entry , ## args);			\
		if (__ret != 0)					\
			break;					\
	}							\
	__ret;							\
})
343
/*
 *	Main firewall chain definitions and global variable definitions.
 */
347#endif /* _IPTABLES_H */
348