1 /* 2 * 25-Jul-1998 Major changes to allow for ip chain table 3 * 4 * 3-Jan-2000 Named tables to allow packet selection for different uses. 5 */ 6 7 /* 8 * Format of an IP6 firewall descriptor 9 * 10 * src, dst, src_mask, dst_mask are always stored in network byte order. 11 * flags are stored in host byte order (of course). 12 * Port numbers are stored in HOST byte order. 13 */ 14 15 #ifndef _IP6_TABLES_H 16 #define _IP6_TABLES_H 17 18 #include <linux/netfilter_ipv6.h> 19 20 #include <linux/netfilter/x_tables.h> 21 22 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN 23 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN 24 25 #define ip6t_match xt_match 26 #define ip6t_target xt_target 27 #define ip6t_table xt_table 28 #define ip6t_get_revision xt_get_revision 29 30 /* Yes, Virginia, you have to zero the padding. */ 31 struct ip6t_ip6 { 32 /* Source and destination IP6 addr */ 33 struct in6_addr src, dst; 34 /* Mask for src and dest IP6 addr */ 35 struct in6_addr smsk, dmsk; 36 char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; 37 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; 38 39 /* Upper protocol number 40 * - The allowed value is 0 (any) or protocol number of last parsable 41 * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or 42 * the non IPv6 extension headers. 43 * - The protocol numbers of IPv6 extension headers except of ESP and 44 * MH do not match any packets. 45 * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol. 46 */ 47 u_int16_t proto; 48 /* TOS to match iff flags & IP6T_F_TOS */ 49 u_int8_t tos; 50 51 /* Flags word */ 52 u_int8_t flags; 53 /* Inverse flags */ 54 u_int8_t invflags; 55 }; 56 57 #define ip6t_entry_match xt_entry_match 58 #define ip6t_entry_target xt_entry_target 59 #define ip6t_standard_target xt_standard_target 60 61 #define ip6t_counters xt_counters 62 63 /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ 64 #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper 65 protocols */ 66 #define IP6T_F_TOS 0x02 /* Match the TOS. */ 67 #define IP6T_F_GOTO 0x04 /* Set if jump is a goto */ 68 #define IP6T_F_MASK 0x07 /* All possible flag bits mask. */ 69 70 /* Values for "inv" field in struct ip6t_ip6. */ 71 #define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ 72 #define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ 73 #define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */ 74 #define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ 75 #define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ 76 #define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */ 77 #define IP6T_INV_PROTO XT_INV_PROTO 78 #define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */ 79 80 /* This structure defines each of the firewall rules. Consists of 3 81 parts which are 1) general IP header stuff 2) match specific 82 stuff 3) the target to perform if the rule matches */ 83 struct ip6t_entry 84 { 85 struct ip6t_ip6 ipv6; 86 87 /* Mark with fields that we care about. */ 88 unsigned int nfcache; 89 90 /* Size of ipt_entry + matches */ 91 u_int16_t target_offset; 92 /* Size of ipt_entry + matches + target */ 93 u_int16_t next_offset; 94 95 /* Back pointer */ 96 unsigned int comefrom; 97 98 /* Packet and byte counters. */ 99 struct xt_counters counters; 100 101 /* The matches (if any), then the target. */ 102 unsigned char elems[0]; 103 }; 104 105 /* Standard entry */ 106 struct ip6t_standard 107 { 108 struct ip6t_entry entry; 109 struct ip6t_standard_target target; 110 }; 111 112 struct ip6t_error_target 113 { 114 struct ip6t_entry_target target; 115 char errorname[IP6T_FUNCTION_MAXNAMELEN]; 116 }; 117 118 struct ip6t_error 119 { 120 struct ip6t_entry entry; 121 struct ip6t_error_target target; 122 }; 123 124 #define IP6T_ENTRY_INIT(__size) \ 125 { \ 126 .target_offset = sizeof(struct ip6t_entry), \ 127 .next_offset = (__size), \ 128 } 129 130 #define IP6T_STANDARD_INIT(__verdict) \ 131 { \ 132 .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \ 133 .target = XT_TARGET_INIT(IP6T_STANDARD_TARGET, \ 134 sizeof(struct ip6t_standard_target)), \ 135 .target.verdict = -(__verdict) - 1, \ 136 } 137 138 #define IP6T_ERROR_INIT \ 139 { \ 140 .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \ 141 .target = XT_TARGET_INIT(IP6T_ERROR_TARGET, \ 142 sizeof(struct ip6t_error_target)), \ 143 .target.errorname = "ERROR", \ 144 } 145 146 /* 147 * New IP firewall options for [gs]etsockopt at the RAW IP level. 148 * Unlike BSD Linux inherits IP options so you don't have to use 149 * a raw socket for this. Instead we check rights in the calls. 150 * 151 * ATTENTION: check linux/in6.h before adding new number here. 152 */ 153 #define IP6T_BASE_CTL 64 154 155 #define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL) 156 #define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1) 157 #define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS 158 159 #define IP6T_SO_GET_INFO (IP6T_BASE_CTL) 160 #define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1) 161 #define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4) 162 #define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5) 163 #define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET 164 165 /* CONTINUE verdict for targets */ 166 #define IP6T_CONTINUE XT_CONTINUE 167 168 /* For standard target */ 169 #define IP6T_RETURN XT_RETURN 170 171 /* TCP/UDP matching stuff */ 172 #include <linux/netfilter/xt_tcpudp.h> 173 174 #define ip6t_tcp xt_tcp 175 #define ip6t_udp xt_udp 176 177 /* Values for "inv" field in struct ipt_tcp. */ 178 #define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT 179 #define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT 180 #define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS 181 #define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION 182 #define IP6T_TCP_INV_MASK XT_TCP_INV_MASK 183 184 /* Values for "invflags" field in struct ipt_udp. */ 185 #define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT 186 #define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT 187 #define IP6T_UDP_INV_MASK XT_UDP_INV_MASK 188 189 /* ICMP matching stuff */ 190 struct ip6t_icmp 191 { 192 u_int8_t type; /* type to match */ 193 u_int8_t code[2]; /* range of code */ 194 u_int8_t invflags; /* Inverse flags */ 195 }; 196 197 /* Values for "inv" field for struct ipt_icmp. */ 198 #define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ 199 200 /* The argument to IP6T_SO_GET_INFO */ 201 struct ip6t_getinfo 202 { 203 /* Which table: caller fills this in. */ 204 char name[IP6T_TABLE_MAXNAMELEN]; 205 206 /* Kernel fills these in. */ 207 /* Which hook entry points are valid: bitmask */ 208 unsigned int valid_hooks; 209 210 /* Hook entry points: one per netfilter hook. */ 211 unsigned int hook_entry[NF_IP6_NUMHOOKS]; 212 213 /* Underflow points. */ 214 unsigned int underflow[NF_IP6_NUMHOOKS]; 215 216 /* Number of entries */ 217 unsigned int num_entries; 218 219 /* Size of entries. */ 220 unsigned int size; 221 }; 222 223 /* The argument to IP6T_SO_SET_REPLACE. */ 224 struct ip6t_replace 225 { 226 /* Which table. */ 227 char name[IP6T_TABLE_MAXNAMELEN]; 228 229 /* Which hook entry points are valid: bitmask. You can't 230 change this. */ 231 unsigned int valid_hooks; 232 233 /* Number of entries */ 234 unsigned int num_entries; 235 236 /* Total size of new entries */ 237 unsigned int size; 238 239 /* Hook entry points. */ 240 unsigned int hook_entry[NF_IP6_NUMHOOKS]; 241 242 /* Underflow points. */ 243 unsigned int underflow[NF_IP6_NUMHOOKS]; 244 245 /* Information about old entries: */ 246 /* Number of counters (must be equal to current number of entries). */ 247 unsigned int num_counters; 248 /* The old entries' counters. */ 249 struct xt_counters *counters; 250 251 /* The entries (hang off end: not really an array). */ 252 struct ip6t_entry entries[0]; 253 }; 254 255 /* The argument to IP6T_SO_ADD_COUNTERS. */ 256 #define ip6t_counters_info xt_counters_info 257 258 /* The argument to IP6T_SO_GET_ENTRIES. */ 259 struct ip6t_get_entries 260 { 261 /* Which table: user fills this in. */ 262 char name[IP6T_TABLE_MAXNAMELEN]; 263 264 /* User fills this in: total entry size. */ 265 unsigned int size; 266 267 /* The entries. */ 268 struct ip6t_entry entrytable[0]; 269 }; 270 271 /* Standard return verdict, or do jump. */ 272 #define IP6T_STANDARD_TARGET XT_STANDARD_TARGET 273 /* Error verdict. */ 274 #define IP6T_ERROR_TARGET XT_ERROR_TARGET 275 276 /* Helper functions */ 277 static __inline__ struct ip6t_entry_target * 278 ip6t_get_target(struct ip6t_entry *e) 279 { 280 return (void *)e + e->target_offset; 281 } 282 283 /* fn returns 0 to continue iteration */ 284 #define IP6T_MATCH_ITERATE(e, fn, args...) \ 285 ({ \ 286 unsigned int __i; \ 287 int __ret = 0; \ 288 struct ip6t_entry_match *__m; \ 289 \ 290 for (__i = sizeof(struct ip6t_entry); \ 291 __i < (e)->target_offset; \ 292 __i += __m->u.match_size) { \ 293 __m = (void *)(e) + __i; \ 294 \ 295 __ret = fn(__m , ## args); \ 296 if (__ret != 0) \ 297 break; \ 298 } \ 299 __ret; \ 300 }) 301 302 /* fn returns 0 to continue iteration */ 303 #define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \ 304 ({ \ 305 unsigned int __i; \ 306 int __ret = 0; \ 307 struct ip6t_entry *__e; \ 308 \ 309 for (__i = 0; __i < (size); __i += __e->next_offset) { \ 310 __e = (void *)(entries) + __i; \ 311 \ 312 __ret = fn(__e , ## args); \ 313 if (__ret != 0) \ 314 break; \ 315 } \ 316 __ret; \ 317 }) 318 319 /* 320 * Main firewall chains definitions and global var's definitions. 321 */ 322 323 #endif /* _IP6_TABLES_H */ 324