LXR linux/include/linux/netfilter_ipv4/ip

   1/*
   2 * 25-Jul-1998 Major changes to allow for ip chain table
   3 *
   4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
   5 */
   6
   7/*
   8 *      Format of an IP firewall descriptor
   9 *
  10 *      src, dst, src_mask, dst_mask are always stored in network byte order.
  11 *      flags are stored in host byte order (of course).
  12 *      Port numbers are stored in HOST byte order.
  13 */
  14
  15#ifndef _IPTABLES_H
  16#define _IPTABLES_H
  17
  18#ifdef __KERNEL__
  19#include <linux/if.h>
  20#include <linux/in.h>
  21#include <linux/ip.h>
  22#include <linux/skbuff.h>
  23#endif
  24#include <linux/types.h>
  25#include <linux/compiler.h>
  26#include <linux/netfilter_ipv4.h>
  27
  28#include <linux/netfilter/x_tables.h>
  29
  30#ifndef __KERNEL__
  31#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
  32#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
  33#define ipt_match xt_match
  34#define ipt_target xt_target
  35#define ipt_table xt_table
  36#define ipt_get_revision xt_get_revision
  37#define ipt_entry_match xt_entry_match
  38#define ipt_entry_target xt_entry_target
  39#define ipt_standard_target xt_standard_target
  40#define ipt_error_target xt_error_target
  41#define ipt_counters xt_counters
  42#define IPT_CONTINUE XT_CONTINUE
  43#define IPT_RETURN XT_RETURN
  44
  45/* This group is older than old (iptables < v1.4.0-rc1~89) */
  46#include <linux/netfilter/xt_tcpudp.h>
  47#define ipt_udp xt_udp
  48#define ipt_tcp xt_tcp
  49#define IPT_TCP_INV_SRCPT       XT_TCP_INV_SRCPT
  50#define IPT_TCP_INV_DSTPT       XT_TCP_INV_DSTPT
  51#define IPT_TCP_INV_FLAGS       XT_TCP_INV_FLAGS
  52#define IPT_TCP_INV_OPTION      XT_TCP_INV_OPTION
  53#define IPT_TCP_INV_MASK        XT_TCP_INV_MASK
  54#define IPT_UDP_INV_SRCPT       XT_UDP_INV_SRCPT
  55#define IPT_UDP_INV_DSTPT       XT_UDP_INV_DSTPT
  56#define IPT_UDP_INV_MASK        XT_UDP_INV_MASK
  57
  58/* The argument to IPT_SO_ADD_COUNTERS. */
  59#define ipt_counters_info xt_counters_info
  60/* Standard return verdict, or do jump. */
  61#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
  62/* Error verdict. */
  63#define IPT_ERROR_TARGET XT_ERROR_TARGET
  64
  65/* fn returns 0 to continue iteration */
  66#define IPT_MATCH_ITERATE(e, fn, args...) \
  67        XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
  68
  69/* fn returns 0 to continue iteration */
  70#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
  71        XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
  72#endif
  73
  74/* Yes, Virginia, you have to zero the padding. */
  75struct ipt_ip {
  76        /* Source and destination IP addr */
  77        struct in_addr src, dst;
  78        /* Mask for src and dest IP addr */
  79        struct in_addr smsk, dmsk;
  80        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
  81        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
  82
  83        /* Protocol, 0 = ANY */
  84        u_int16_t proto;
  85
  86        /* Flags word */
  87        u_int8_t flags;
  88        /* Inverse flags */
  89        u_int8_t invflags;
  90};
  91
  92/* Values for "flag" field in struct ipt_ip (general ip structure). */
  93#define IPT_F_FRAG              0x01    /* Set if rule is a fragment rule */
  94#define IPT_F_GOTO              0x02    /* Set if jump is a goto */
  95#define IPT_F_MASK              0x03    /* All possible flag bits mask. */
  96
  97/* Values for "inv" field in struct ipt_ip. */
  98#define IPT_INV_VIA_IN          0x01    /* Invert the sense of IN IFACE. */
  99#define IPT_INV_VIA_OUT         0x02    /* Invert the sense of OUT IFACE */
 100#define IPT_INV_TOS             0x04    /* Invert the sense of TOS. */
 101#define IPT_INV_SRCIP           0x08    /* Invert the sense of SRC IP. */
 102#define IPT_INV_DSTIP           0x10    /* Invert the sense of DST OP. */
 103#define IPT_INV_FRAG            0x20    /* Invert the sense of FRAG. */
 104#define IPT_INV_PROTO           XT_INV_PROTO
 105#define IPT_INV_MASK            0x7F    /* All possible flag bits mask. */
 106
 107/* This structure defines each of the firewall rules.  Consists of 3
 108   parts which are 1) general IP header stuff 2) match specific
 109   stuff 3) the target to perform if the rule matches */
 110struct ipt_entry {
 111        struct ipt_ip ip;
 112
 113        /* Mark with fields that we care about. */
 114        unsigned int nfcache;
 115
 116        /* Size of ipt_entry + matches */
 117        u_int16_t target_offset;
 118        /* Size of ipt_entry + matches + target */
 119        u_int16_t next_offset;
 120
 121        /* Back pointer */
 122        unsigned int comefrom;
 123
 124        /* Packet and byte counters. */
 125        struct xt_counters counters;
 126
 127        /* The matches (if any), then the target. */
 128        unsigned char elems[0];
 129};
 130
 131/*
 132 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 133 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 134 * socket for this. Instead we check rights in the calls.
 135 *
 136 * ATTENTION: check linux/in.h before adding new number here.
 137 */
 138#define IPT_BASE_CTL            64
 139
 140#define IPT_SO_SET_REPLACE      (IPT_BASE_CTL)
 141#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
 142#define IPT_SO_SET_MAX          IPT_SO_SET_ADD_COUNTERS
 143
 144#define IPT_SO_GET_INFO                 (IPT_BASE_CTL)
 145#define IPT_SO_GET_ENTRIES              (IPT_BASE_CTL + 1)
 146#define IPT_SO_GET_REVISION_MATCH       (IPT_BASE_CTL + 2)
 147#define IPT_SO_GET_REVISION_TARGET      (IPT_BASE_CTL + 3)
 148#define IPT_SO_GET_MAX                  IPT_SO_GET_REVISION_TARGET
 149
 150/* ICMP matching stuff */
 151struct ipt_icmp {
 152        u_int8_t type;                          /* type to match */
 153        u_int8_t code[2];                       /* range of code */
 154        u_int8_t invflags;                      /* Inverse flags */
 155};
 156
 157/* Values for "inv" field for struct ipt_icmp. */
 158#define IPT_ICMP_INV    0x01    /* Invert the sense of type/code test */
 159
 160/* The argument to IPT_SO_GET_INFO */
 161struct ipt_getinfo {
 162        /* Which table: caller fills this in. */
 163        char name[XT_TABLE_MAXNAMELEN];
 164
 165        /* Kernel fills these in. */
 166        /* Which hook entry points are valid: bitmask */
 167        unsigned int valid_hooks;
 168
 169        /* Hook entry points: one per netfilter hook. */
 170        unsigned int hook_entry[NF_INET_NUMHOOKS];
 171
 172        /* Underflow points. */
 173        unsigned int underflow[NF_INET_NUMHOOKS];
 174
 175        /* Number of entries */
 176        unsigned int num_entries;
 177
 178        /* Size of entries. */
 179        unsigned int size;
 180};
 181
 182/* The argument to IPT_SO_SET_REPLACE. */
 183struct ipt_replace {
 184        /* Which table. */
 185        char name[XT_TABLE_MAXNAMELEN];
 186
 187        /* Which hook entry points are valid: bitmask.  You can't
 188           change this. */
 189        unsigned int valid_hooks;
 190
 191        /* Number of entries */
 192        unsigned int num_entries;
 193
 194        /* Total size of new entries */
 195        unsigned int size;
 196
 197        /* Hook entry points. */
 198        unsigned int hook_entry[NF_INET_NUMHOOKS];
 199
 200        /* Underflow points. */
 201        unsigned int underflow[NF_INET_NUMHOOKS];
 202
 203        /* Information about old entries: */
 204        /* Number of counters (must be equal to current number of entries). */
 205        unsigned int num_counters;
 206        /* The old entries' counters. */
 207        struct xt_counters __user *counters;
 208
 209        /* The entries (hang off end: not really an array). */
 210        struct ipt_entry entries[0];
 211};
 212
 213/* The argument to IPT_SO_GET_ENTRIES. */
 214struct ipt_get_entries {
 215        /* Which table: user fills this in. */
 216        char name[XT_TABLE_MAXNAMELEN];
 217
 218        /* User fills this in: total entry size. */
 219        unsigned int size;
 220
 221        /* The entries. */
 222        struct ipt_entry entrytable[0];
 223};
 224
 225/* Helper functions */
 226static __inline__ struct xt_entry_target *
 227ipt_get_target(struct ipt_entry *e)
 228{
 229        return (void *)e + e->target_offset;
 230}
 231
 232/*
 233 *      Main firewall chains definitions and global var's definitions.
 234 */
 235#ifdef __KERNEL__
 236
 237#include <linux/init.h>
 238extern void ipt_init(void) __init;
 239
 240extern struct xt_table *ipt_register_table(struct net *net,
 241                                           const struct xt_table *table,
 242                                           const struct ipt_replace *repl);
 243extern void ipt_unregister_table(struct net *net, struct xt_table *table);
 244
 245/* Standard entry. */
 246struct ipt_standard {
 247        struct ipt_entry entry;
 248        struct xt_standard_target target;
 249};
 250
 251struct ipt_error {
 252        struct ipt_entry entry;
 253        struct xt_error_target target;
 254};
 255
 256#define IPT_ENTRY_INIT(__size)                                                 \
 257{                                                                              \
 258        .target_offset  = sizeof(struct ipt_entry),                            \
 259        .next_offset    = (__size),                                            \
 260}
 261
 262#define IPT_STANDARD_INIT(__verdict)                                           \
 263{                                                                              \
 264        .entry          = IPT_ENTRY_INIT(sizeof(struct ipt_standard)),         \
 265        .target         = XT_TARGET_INIT(XT_STANDARD_TARGET,                   \
 266                                         sizeof(struct xt_standard_target)),   \
 267        .target.verdict = -(__verdict) - 1,                                    \
 268}
 269
 270#define IPT_ERROR_INIT                                                         \
 271{                                                                              \
 272        .entry          = IPT_ENTRY_INIT(sizeof(struct ipt_error)),            \
 273        .target         = XT_TARGET_INIT(XT_ERROR_TARGET,                      \
 274                                         sizeof(struct xt_error_target)),      \
 275        .target.errorname = "ERROR",                                           \
 276}
 277
 278extern void *ipt_alloc_initial_table(const struct xt_table *);
 279extern unsigned int ipt_do_table(struct sk_buff *skb,
 280                                 unsigned int hook,
 281                                 const struct net_device *in,
 282                                 const struct net_device *out,
 283                                 struct xt_table *table);
 284
 285#ifdef CONFIG_COMPAT
 286#include <net/compat.h>
 287
 288struct compat_ipt_entry {
 289        struct ipt_ip ip;
 290        compat_uint_t nfcache;
 291        u_int16_t target_offset;
 292        u_int16_t next_offset;
 293        compat_uint_t comefrom;
 294        struct compat_xt_counters counters;
 295        unsigned char elems[0];
 296};
 297
 298/* Helper functions */
 299static inline struct xt_entry_target *
 300compat_ipt_get_target(struct compat_ipt_entry *e)
 301{
 302        return (void *)e + e->target_offset;
 303}
 304
 305#endif /* CONFIG_COMPAT */
 306#endif /*__KERNEL__*/
 307#endif /* _IPTABLES_H */
 308