]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - include/linux/netfilter_ipv6/ip6_tables.h
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Linux-2.6.12-rc2
[mirror_ubuntu-artful-kernel.git] / include / linux / netfilter_ipv6 / ip6_tables.h
1 /*
2 * 25-Jul-1998 Major changes to allow for ip chain table
3 *
4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
5 */
6
7 /*
8 * Format of an IP6 firewall descriptor
9 *
10 * src, dst, src_mask, dst_mask are always stored in network byte order.
11 * flags are stored in host byte order (of course).
12 * Port numbers are stored in HOST byte order.
13 */
14
15 #ifndef _IP6_TABLES_H
16 #define _IP6_TABLES_H
17
18 #ifdef __KERNEL__
19 #include <linux/if.h>
20 #include <linux/types.h>
21 #include <linux/in6.h>
22 #include <linux/ipv6.h>
23 #include <linux/skbuff.h>
24 #endif
25 #include <linux/compiler.h>
26 #include <linux/netfilter_ipv6.h>
27
28 #define IP6T_FUNCTION_MAXNAMELEN 30
29 #define IP6T_TABLE_MAXNAMELEN 32
30
31 /* Yes, Virginia, you have to zero the padding. */
32 struct ip6t_ip6 {
33 /* Source and destination IP6 addr */
34 struct in6_addr src, dst;
35 /* Mask for src and dest IP6 addr */
36 struct in6_addr smsk, dmsk;
37 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
38 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
39
40 /* ARGH, HopByHop uses 0, so can't do 0 = ANY,
41 instead IP6T_F_NOPROTO must be set */
42 u_int16_t proto;
43 /* TOS to match iff flags & IP6T_F_TOS */
44 u_int8_t tos;
45
46 /* Flags word */
47 u_int8_t flags;
48 /* Inverse flags */
49 u_int8_t invflags;
50 };
51
52 /* FIXME: If alignment in kernel different from userspace? --RR */
53 struct ip6t_entry_match
54 {
55 union {
56 struct {
57 u_int16_t match_size;
58
59 /* Used by userspace */
60 char name[IP6T_FUNCTION_MAXNAMELEN];
61 } user;
62 struct {
63 u_int16_t match_size;
64
65 /* Used inside the kernel */
66 struct ip6t_match *match;
67 } kernel;
68
69 /* Total length */
70 u_int16_t match_size;
71 } u;
72
73 unsigned char data[0];
74 };
75
76 struct ip6t_entry_target
77 {
78 union {
79 struct {
80 u_int16_t target_size;
81
82 /* Used by userspace */
83 char name[IP6T_FUNCTION_MAXNAMELEN];
84 } user;
85 struct {
86 u_int16_t target_size;
87
88 /* Used inside the kernel */
89 struct ip6t_target *target;
90 } kernel;
91
92 /* Total length */
93 u_int16_t target_size;
94 } u;
95
96 unsigned char data[0];
97 };
98
99 struct ip6t_standard_target
100 {
101 struct ip6t_entry_target target;
102 int verdict;
103 };
104
105 struct ip6t_counters
106 {
107 u_int64_t pcnt, bcnt; /* Packet and byte counters */
108 };
109
110 /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
111 #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
112 protocols */
113 #define IP6T_F_TOS 0x02 /* Match the TOS. */
114 #define IP6T_F_MASK 0x03 /* All possible flag bits mask. */
115
116 /* Values for "inv" field in struct ip6t_ip6. */
117 #define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
118 #define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
119 #define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */
120 #define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
121 #define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
122 #define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */
123 #define IP6T_INV_PROTO 0x40 /* Invert the sense of PROTO. */
124 #define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */
125
126 /* This structure defines each of the firewall rules. Consists of 3
127 parts which are 1) general IP header stuff 2) match specific
128 stuff 3) the target to perform if the rule matches */
129 struct ip6t_entry
130 {
131 struct ip6t_ip6 ipv6;
132
133 /* Mark with fields that we care about. */
134 unsigned int nfcache;
135
136 /* Size of ipt_entry + matches */
137 u_int16_t target_offset;
138 /* Size of ipt_entry + matches + target */
139 u_int16_t next_offset;
140
141 /* Back pointer */
142 unsigned int comefrom;
143
144 /* Packet and byte counters. */
145 struct ip6t_counters counters;
146
147 /* The matches (if any), then the target. */
148 unsigned char elems[0];
149 };
150
151 /*
152 * New IP firewall options for [gs]etsockopt at the RAW IP level.
153 * Unlike BSD Linux inherits IP options so you don't have to use
154 * a raw socket for this. Instead we check rights in the calls. */
155 #define IP6T_BASE_CTL 64 /* base for firewall socket options */
156
157 #define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL)
158 #define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1)
159 #define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS
160
161 #define IP6T_SO_GET_INFO (IP6T_BASE_CTL)
162 #define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1)
163 #define IP6T_SO_GET_MAX IP6T_SO_GET_ENTRIES
164
165 /* CONTINUE verdict for targets */
166 #define IP6T_CONTINUE 0xFFFFFFFF
167
168 /* For standard target */
169 #define IP6T_RETURN (-NF_REPEAT - 1)
170
171 /* TCP matching stuff */
172 struct ip6t_tcp
173 {
174 u_int16_t spts[2]; /* Source port range. */
175 u_int16_t dpts[2]; /* Destination port range. */
176 u_int8_t option; /* TCP Option iff non-zero*/
177 u_int8_t flg_mask; /* TCP flags mask byte */
178 u_int8_t flg_cmp; /* TCP flags compare byte */
179 u_int8_t invflags; /* Inverse flags */
180 };
181
182 /* Values for "inv" field in struct ipt_tcp. */
183 #define IP6T_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
184 #define IP6T_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
185 #define IP6T_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
186 #define IP6T_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
187 #define IP6T_TCP_INV_MASK 0x0F /* All possible flags. */
188
189 /* UDP matching stuff */
190 struct ip6t_udp
191 {
192 u_int16_t spts[2]; /* Source port range. */
193 u_int16_t dpts[2]; /* Destination port range. */
194 u_int8_t invflags; /* Inverse flags */
195 };
196
197 /* Values for "invflags" field in struct ipt_udp. */
198 #define IP6T_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
199 #define IP6T_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
200 #define IP6T_UDP_INV_MASK 0x03 /* All possible flags. */
201
202 /* ICMP matching stuff */
203 struct ip6t_icmp
204 {
205 u_int8_t type; /* type to match */
206 u_int8_t code[2]; /* range of code */
207 u_int8_t invflags; /* Inverse flags */
208 };
209
210 /* Values for "inv" field for struct ipt_icmp. */
211 #define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */
212
213 /* The argument to IP6T_SO_GET_INFO */
214 struct ip6t_getinfo
215 {
216 /* Which table: caller fills this in. */
217 char name[IP6T_TABLE_MAXNAMELEN];
218
219 /* Kernel fills these in. */
220 /* Which hook entry points are valid: bitmask */
221 unsigned int valid_hooks;
222
223 /* Hook entry points: one per netfilter hook. */
224 unsigned int hook_entry[NF_IP6_NUMHOOKS];
225
226 /* Underflow points. */
227 unsigned int underflow[NF_IP6_NUMHOOKS];
228
229 /* Number of entries */
230 unsigned int num_entries;
231
232 /* Size of entries. */
233 unsigned int size;
234 };
235
236 /* The argument to IP6T_SO_SET_REPLACE. */
237 struct ip6t_replace
238 {
239 /* Which table. */
240 char name[IP6T_TABLE_MAXNAMELEN];
241
242 /* Which hook entry points are valid: bitmask. You can't
243 change this. */
244 unsigned int valid_hooks;
245
246 /* Number of entries */
247 unsigned int num_entries;
248
249 /* Total size of new entries */
250 unsigned int size;
251
252 /* Hook entry points. */
253 unsigned int hook_entry[NF_IP6_NUMHOOKS];
254
255 /* Underflow points. */
256 unsigned int underflow[NF_IP6_NUMHOOKS];
257
258 /* Information about old entries: */
259 /* Number of counters (must be equal to current number of entries). */
260 unsigned int num_counters;
261 /* The old entries' counters. */
262 struct ip6t_counters __user *counters;
263
264 /* The entries (hang off end: not really an array). */
265 struct ip6t_entry entries[0];
266 };
267
268 /* The argument to IP6T_SO_ADD_COUNTERS. */
269 struct ip6t_counters_info
270 {
271 /* Which table. */
272 char name[IP6T_TABLE_MAXNAMELEN];
273
274 unsigned int num_counters;
275
276 /* The counters (actually `number' of these). */
277 struct ip6t_counters counters[0];
278 };
279
280 /* The argument to IP6T_SO_GET_ENTRIES. */
281 struct ip6t_get_entries
282 {
283 /* Which table: user fills this in. */
284 char name[IP6T_TABLE_MAXNAMELEN];
285
286 /* User fills this in: total entry size. */
287 unsigned int size;
288
289 /* The entries. */
290 struct ip6t_entry entrytable[0];
291 };
292
293 /* Standard return verdict, or do jump. */
294 #define IP6T_STANDARD_TARGET ""
295 /* Error verdict. */
296 #define IP6T_ERROR_TARGET "ERROR"
297
298 /* Helper functions */
299 static __inline__ struct ip6t_entry_target *
300 ip6t_get_target(struct ip6t_entry *e)
301 {
302 return (void *)e + e->target_offset;
303 }
304
305 /* fn returns 0 to continue iteration */
306 #define IP6T_MATCH_ITERATE(e, fn, args...) \
307 ({ \
308 unsigned int __i; \
309 int __ret = 0; \
310 struct ip6t_entry_match *__m; \
311 \
312 for (__i = sizeof(struct ip6t_entry); \
313 __i < (e)->target_offset; \
314 __i += __m->u.match_size) { \
315 __m = (void *)(e) + __i; \
316 \
317 __ret = fn(__m , ## args); \
318 if (__ret != 0) \
319 break; \
320 } \
321 __ret; \
322 })
323
324 /* fn returns 0 to continue iteration */
325 #define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
326 ({ \
327 unsigned int __i; \
328 int __ret = 0; \
329 struct ip6t_entry *__e; \
330 \
331 for (__i = 0; __i < (size); __i += __e->next_offset) { \
332 __e = (void *)(entries) + __i; \
333 \
334 __ret = fn(__e , ## args); \
335 if (__ret != 0) \
336 break; \
337 } \
338 __ret; \
339 })
340
341 /*
342 * Main firewall chains definitions and global var's definitions.
343 */
344
345 #ifdef __KERNEL__
346
347 #include <linux/init.h>
348 extern void ip6t_init(void) __init;
349
350 struct ip6t_match
351 {
352 struct list_head list;
353
354 const char name[IP6T_FUNCTION_MAXNAMELEN];
355
356 /* Return true or false: return FALSE and set *hotdrop = 1 to
357 force immediate packet drop. */
358 /* Arguments changed since 2.6.9, as this must now handle
359 non-linear skb, using skb_header_pointer and
360 skb_ip_make_writable. */
361 int (*match)(const struct sk_buff *skb,
362 const struct net_device *in,
363 const struct net_device *out,
364 const void *matchinfo,
365 int offset,
366 unsigned int protoff,
367 int *hotdrop);
368
369 /* Called when user tries to insert an entry of this type. */
370 /* Should return true or false. */
371 int (*checkentry)(const char *tablename,
372 const struct ip6t_ip6 *ip,
373 void *matchinfo,
374 unsigned int matchinfosize,
375 unsigned int hook_mask);
376
377 /* Called when entry of this type deleted. */
378 void (*destroy)(void *matchinfo, unsigned int matchinfosize);
379
380 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
381 struct module *me;
382 };
383
384 /* Registration hooks for targets. */
385 struct ip6t_target
386 {
387 struct list_head list;
388
389 const char name[IP6T_FUNCTION_MAXNAMELEN];
390
391 /* Returns verdict. Argument order changed since 2.6.9, as this
392 must now handle non-linear skbs, using skb_copy_bits and
393 skb_ip_make_writable. */
394 unsigned int (*target)(struct sk_buff **pskb,
395 const struct net_device *in,
396 const struct net_device *out,
397 unsigned int hooknum,
398 const void *targinfo,
399 void *userdata);
400
401 /* Called when user tries to insert an entry of this type:
402 hook_mask is a bitmask of hooks from which it can be
403 called. */
404 /* Should return true or false. */
405 int (*checkentry)(const char *tablename,
406 const struct ip6t_entry *e,
407 void *targinfo,
408 unsigned int targinfosize,
409 unsigned int hook_mask);
410
411 /* Called when entry of this type deleted. */
412 void (*destroy)(void *targinfo, unsigned int targinfosize);
413
414 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
415 struct module *me;
416 };
417
418 extern int ip6t_register_target(struct ip6t_target *target);
419 extern void ip6t_unregister_target(struct ip6t_target *target);
420
421 extern int ip6t_register_match(struct ip6t_match *match);
422 extern void ip6t_unregister_match(struct ip6t_match *match);
423
424 /* Furniture shopping... */
425 struct ip6t_table
426 {
427 struct list_head list;
428
429 /* A unique name... */
430 char name[IP6T_TABLE_MAXNAMELEN];
431
432 /* What hooks you will enter on */
433 unsigned int valid_hooks;
434
435 /* Lock for the curtain */
436 rwlock_t lock;
437
438 /* Man behind the curtain... */
439 struct ip6t_table_info *private;
440
441 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
442 struct module *me;
443 };
444
445 extern int ip6t_register_table(struct ip6t_table *table,
446 const struct ip6t_replace *repl);
447 extern void ip6t_unregister_table(struct ip6t_table *table);
448 extern unsigned int ip6t_do_table(struct sk_buff **pskb,
449 unsigned int hook,
450 const struct net_device *in,
451 const struct net_device *out,
452 struct ip6t_table *table,
453 void *userdata);
454
455 /* Check for an extension */
456 extern int ip6t_ext_hdr(u8 nexthdr);
457
458 #define IP6T_ALIGN(s) (((s) + (__alignof__(struct ip6t_entry)-1)) & ~(__alignof__(struct ip6t_entry)-1))
459
460 #endif /*__KERNEL__*/
461 #endif /* _IP6_TABLES_H */
Ubuntu Artful kernel mirror