/*
 * 25-Jul-1998 Major changes to allow for ip chain table
 *
 * 3-Jan-2000 Named tables to allow packet selection for different uses.
 */

/*
 * Format of an IP6 firewall descriptor
 *
 * src, dst, src_mask, dst_mask are always stored in network byte order.
 * flags are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 */
14
15#ifndef _IP6_TABLES_H
16#define _IP6_TABLES_H
17
18#ifdef __KERNEL__
19#include <linux/if.h>
20#include <linux/types.h>
21#include <linux/in6.h>
22#include <linux/ipv6.h>
23#include <linux/skbuff.h>
24#endif
25#include <linux/compiler.h>
26#include <linux/netfilter_ipv6.h>
27
Harald Welte2e4e6a12006-01-12 13:30:04 -080028#include <linux/netfilter/x_tables.h>
29
/* Name-length limits are inherited from the generic x_tables core. */
#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN

/*
 * Compatibility aliases: the ip6t_* type names used in this header are
 * the shared xt_* types from <linux/netfilter/x_tables.h>, so for example
 * "struct ip6t_match" and "struct xt_match" denote the same type.
 */
#define ip6t_match xt_match
#define ip6t_target xt_target
#define ip6t_table xt_table
#define ip6t_get_revision xt_get_revision
Linus Torvalds1da177e2005-04-16 15:20:36 -070037
/*
 * IPv6-header selector of a rule: the addresses, interfaces and protocol
 * an entry is matched against.
 *
 * This struct is embedded at the start of struct ip6t_entry and so reaches
 * the kernel from userspace inside the IP6T_SO_SET_REPLACE argument
 * (struct ip6t_replace); every field must be treated as untrusted input.
 * Addresses and masks are in network byte order, flags in host byte order
 * (see the file header).
 *
 * Yes, Virginia, you have to zero the padding.
 */
struct ip6t_ip6 {
	/* Source and destination IP6 addr */
	struct in6_addr src, dst;
	/* Mask for src and dest IP6 addr */
	struct in6_addr smsk, dmsk;
	/* Interface names, compared together with the *_mask arrays below. */
	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	/*
	 * Per-byte masks for iniface/outiface.  How a mask is applied is
	 * decided by the matching code in ip6_tables.c, not by this header.
	 */
	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

	/* ARGH, HopByHop uses 0, so can't do 0 = ANY,
	   instead IP6T_F_NOPROTO must be set */
	/*
	 * NOTE(review): no IP6T_F_NOPROTO exists in this header; the flag
	 * actually defined below is IP6T_F_PROTO ("rule cares about upper
	 * protocols"), i.e. the opposite sense -- confirm against the matcher.
	 */
	u_int16_t proto;
	/* TOS to match iff flags & IP6T_F_TOS */
	u_int8_t tos;

	/* Flags word (IP6T_F_* bits; anything outside IP6T_F_MASK is invalid) */
	u_int8_t flags;
	/* Inverse flags (IP6T_INV_* bits; anything outside IP6T_INV_MASK is invalid) */
	u_int8_t invflags;
};
58
/* FIXME: If alignment in kernel different from userspace? --RR */
/*
 * One match record of an entry.  Records are laid out back to back in
 * ip6t_entry::elems and are walked by IP6T_MATCH_ITERATE, which advances
 * by u.match_size.  match_size is therefore the total length of this
 * header plus the trailing data[]; it is supplied by userspace and must be
 * range-checked against the enclosing entry before any record is used.
 *
 * u.user and u.kernel overlay the same bytes: userspace submits a name and
 * revision, the kernel view holds the resolved extension pointer instead
 * (presumably written by the kernel after lookup -- see ip6_tables.c).
 * All three union members share match_size at offset 0.
 */
struct ip6t_entry_match
{
	union {
		struct {
			u_int16_t match_size;

			/* Used by userspace */
			/* name[MAXNAMELEN-1] plus the revision byte keep the user
			   and kernel views the same size.  The kernel should make
			   sure name is NUL-terminated before using it as a key. */
			char name[IP6T_FUNCTION_MAXNAMELEN-1];
			u_int8_t revision;
		} user;
		struct {
			u_int16_t match_size;

			/* Used inside the kernel */
			struct ip6t_match *match;
		} kernel;

		/* Total length */
		u_int16_t match_size;
	} u;

	/* Extension-private data; zero-length trailing array (GNU extension). */
	unsigned char data[0];
};
83
/*
 * The target record that ends an entry, located via ip6t_get_target().
 * Same shape as struct ip6t_entry_match: target_size is the total length
 * (header plus data[]) and sits at offset 0 of every union member; the
 * userspace view carries a name/revision, the kernel view the resolved
 * ip6t_target pointer.  Like match_size, target_size comes from userspace
 * and must be validated against the entry before the record is used.
 */
struct ip6t_entry_target
{
	union {
		struct {
			u_int16_t target_size;

			/* Used by userspace */
			/* name[MAXNAMELEN-1] plus revision keep both views the same
			   size; the kernel should NUL-terminate/validate name before
			   using it as a lookup key. */
			char name[IP6T_FUNCTION_MAXNAMELEN-1];
			u_int8_t revision;
		} user;
		struct {
			u_int16_t target_size;

			/* Used inside the kernel */
			struct ip6t_target *target;
		} kernel;

		/* Total length */
		u_int16_t target_size;
	} u;

	/* Target-private data; zero-length trailing array (GNU extension). */
	unsigned char data[0];
};
107
/*
 * Target record of the built-in standard target (IP6T_STANDARD_TARGET):
 * the generic target header followed by the verdict.  Per the comment on
 * IP6T_STANDARD_TARGET below the verdict is either a return verdict or a
 * jump; IP6T_RETURN/IP6T_CONTINUE are the special values, and how a jump
 * is interpreted is decided by the table walker in ip6_tables.c.
 */
struct ip6t_standard_target
{
	struct ip6t_entry_target target;
	int verdict;
};
113
/* Per-rule packet/byte counters are the generic x_tables ones. */
#define ip6t_counters xt_counters

/* Values for "flags" field in struct ip6t_ip6 (general ip6 structure). */
#define IP6T_F_PROTO		0x01	/* Set if rule cares about upper
					   protocols */
#define IP6T_F_TOS		0x02	/* Match the TOS. */
#define IP6T_F_GOTO		0x04	/* Set if jump is a goto */
#define IP6T_F_MASK		0x07	/* All possible flag bits mask
					   (PROTO|TOS|GOTO); a rule with any
					   other bit set should be rejected. */

/* Values for "invflags" field in struct ip6t_ip6. */
#define IP6T_INV_VIA_IN		0x01	/* Invert the sense of IN IFACE. */
#define IP6T_INV_VIA_OUT	0x02	/* Invert the sense of OUT IFACE */
#define IP6T_INV_TOS		0x04	/* Invert the sense of TOS. */
#define IP6T_INV_SRCIP		0x08	/* Invert the sense of SRC IP. */
#define IP6T_INV_DSTIP		0x10	/* Invert the sense of DST IP. */
#define IP6T_INV_FRAG		0x20	/* Invert the sense of FRAG. */
#define IP6T_INV_PROTO		XT_INV_PROTO
#define IP6T_INV_MASK		0x7F	/* All possible flag bits mask.
					   NOTE(review): 0x7F covers the six
					   bits above plus one more, which
					   presumes XT_INV_PROTO is 0x40 --
					   verify against x_tables.h. */
132
/* This structure defines each of the firewall rules. Consists of 3
   parts which are 1) general IP header stuff 2) match specific
   stuff 3) the target to perform if the rule matches */
/*
 * Memory layout: this header, then the variable-length match records,
 * then the target record; target_offset and next_offset locate the last
 * two.  Entries arrive from userspace as the tail of struct ip6t_replace,
 * and the two offsets are used directly for pointer arithmetic by
 * ip6t_get_target(), IP6T_MATCH_ITERATE and IP6T_ENTRY_ITERATE, so they
 * must be range-checked against the table blob before any of those run.
 */
struct ip6t_entry
{
	struct ip6t_ip6 ipv6;

	/* Mark with fields that we care about. */
	unsigned int nfcache;

	/* Size of ip6t_entry + matches, i.e. offset of the target record */
	u_int16_t target_offset;
	/* Size of ip6t_entry + matches + target, i.e. offset of the next entry */
	u_int16_t next_offset;

	/* Back pointer */
	unsigned int comefrom;

	/* Packet and byte counters. */
	struct xt_counters counters;

	/* The matches (if any), then the target. */
	unsigned char elems[0];
};
157
/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD Linux inherits IP options so you don't have to use
 * a raw socket for this. Instead we check rights in the calls.
 *
 * The option numbers are the generic XT_* ones.  The argument struct for
 * each option is named next to it.
 */
#define IP6T_BASE_CTL			XT_BASE_CTL

#define IP6T_SO_SET_REPLACE		XT_SO_SET_REPLACE	/* arg: struct ip6t_replace */
#define IP6T_SO_SET_ADD_COUNTERS	XT_SO_SET_ADD_COUNTERS	/* arg: struct ip6t_counters_info */
#define IP6T_SO_SET_MAX			XT_SO_SET_MAX

#define IP6T_SO_GET_INFO		XT_SO_GET_INFO		/* arg: struct ip6t_getinfo */
#define IP6T_SO_GET_ENTRIES		XT_SO_GET_ENTRIES	/* arg: struct ip6t_get_entries */
#define IP6T_SO_GET_REVISION_MATCH	XT_SO_GET_REVISION_MATCH	/* arg: presumably struct ip6t_get_revision -- confirm */
#define IP6T_SO_GET_REVISION_TARGET	XT_SO_GET_REVISION_TARGET	/* arg: presumably struct ip6t_get_revision -- confirm */
#define IP6T_SO_GET_MAX			XT_SO_GET_REVISION_TARGET	/* same as the last GET option above */

/* CONTINUE verdict for targets */
#define IP6T_CONTINUE XT_CONTINUE

/* For standard target */
#define IP6T_RETURN XT_RETURN
Linus Torvalds1da177e2005-04-16 15:20:36 -0700179
/* TCP/UDP matching stuff: the match structs and flag bits are the generic
   x_tables ones; the ip6t_* names below are aliases for them. */
#include <linux/netfilter/xt_tcpudp.h>

#define ip6t_tcp xt_tcp
#define ip6t_udp xt_udp

/* Values for "invflags" field in struct ip6t_tcp (alias of struct xt_tcp). */
#define IP6T_TCP_INV_SRCPT	XT_TCP_INV_SRCPT
#define IP6T_TCP_INV_DSTPT	XT_TCP_INV_DSTPT
#define IP6T_TCP_INV_FLAGS	XT_TCP_INV_FLAGS
#define IP6T_TCP_INV_OPTION	XT_TCP_INV_OPTION
#define IP6T_TCP_INV_MASK	XT_TCP_INV_MASK

/* Values for "invflags" field in struct ip6t_udp (alias of struct xt_udp). */
#define IP6T_UDP_INV_SRCPT	XT_UDP_INV_SRCPT
#define IP6T_UDP_INV_DSTPT	XT_UDP_INV_DSTPT
#define IP6T_UDP_INV_MASK	XT_UDP_INV_MASK
Linus Torvalds1da177e2005-04-16 15:20:36 -0700197
/* ICMP matching stuff */
/*
 * Match data for ICMPv6 type/code.  Supplied by userspace as match
 * extension data; the matcher must verify invflags against IP6T_ICMP_INV.
 */
struct ip6t_icmp
{
	u_int8_t type;		/* type to match */
	u_int8_t code[2];	/* range of code: code[0]..code[1]; whether the
				   bounds are inclusive is decided by the matcher */
	u_int8_t invflags;	/* Inverse flags (IP6T_ICMP_INV) */
};

/* Values for "invflags" field of struct ip6t_icmp. */
#define IP6T_ICMP_INV	0x01	/* Invert the sense of type/code test */
208
/* The argument to IP6T_SO_GET_INFO */
/*
 * Userspace passes in a table name and gets back the table's geometry.
 * Only name is input; the kernel overwrites the rest.
 */
struct ip6t_getinfo
{
	/* Which table: caller fills this in.  The kernel should force a NUL
	   terminator within IP6T_TABLE_MAXNAMELEN before using it as a key. */
	char name[IP6T_TABLE_MAXNAMELEN];

	/* Kernel fills these in. */
	/* Which hook entry points are valid: bitmask */
	unsigned int valid_hooks;

	/* Hook entry points: one per netfilter hook. */
	unsigned int hook_entry[NF_IP6_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_IP6_NUMHOOKS];

	/* Number of entries */
	unsigned int num_entries;

	/* Size of entries. */
	unsigned int size;
};
231
/* The argument to IP6T_SO_SET_REPLACE. */
/*
 * Whole-table replacement request.  Everything here is userspace input:
 * num_entries, size, hook_entry[], underflow[] and num_counters are all
 * used to bound the walk over entries[], so the kernel must check them
 * (offsets inside [0, size) and on entry boundaries, counts consistent
 * with the blob) before IP6T_ENTRY_ITERATE or ip6t_get_target() touch it.
 */
struct ip6t_replace
{
	/* Which table. */
	char name[IP6T_TABLE_MAXNAMELEN];

	/* Which hook entry points are valid: bitmask. You can't
	   change this. */
	unsigned int valid_hooks;

	/* Number of entries */
	unsigned int num_entries;

	/* Total size of new entries */
	unsigned int size;

	/* Hook entry points. */
	unsigned int hook_entry[NF_IP6_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_IP6_NUMHOOKS];

	/* Information about old entries: */
	/* Number of counters (must be equal to current number of entries). */
	unsigned int num_counters;
	/* The old entries' counters.  This is a userspace pointer (__user):
	   the kernel writes the outgoing counters through it and must only
	   do so with a checked user-copy, never a direct dereference. */
	struct xt_counters __user *counters;

	/* The entries (hang off end: not really an array). */
	struct ip6t_entry entries[0];
};
263
/* The argument to IP6T_SO_SET_ADD_COUNTERS (generic x_tables struct). */
#define ip6t_counters_info xt_counters_info
Linus Torvalds1da177e2005-04-16 15:20:36 -0700266
/* The argument to IP6T_SO_GET_ENTRIES. */
/*
 * Table dump request: the caller names a table and says how much room it
 * has; the kernel copies the entries out behind the header.
 */
struct ip6t_get_entries
{
	/* Which table: user fills this in. */
	char name[IP6T_TABLE_MAXNAMELEN];

	/* User fills this in: total entry size.  Presumably expected to equal
	   the size reported by IP6T_SO_GET_INFO; the kernel must refuse a
	   mismatch rather than copy more than the caller allotted. */
	unsigned int size;

	/* The entries. */
	struct ip6t_entry entrytable[0];
};
279
/* Names of the two built-in targets (aliases of the x_tables ones). */
/* Standard return verdict, or do jump. */
#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict. */
#define IP6T_ERROR_TARGET XT_ERROR_TARGET
Linus Torvalds1da177e2005-04-16 15:20:36 -0700284
/* Helper functions */

/*
 * ip6t_get_target - locate the target record of an entry.
 * @e: the entry; the target record begins e->target_offset bytes from the
 *     start of the entry (after the match records in e->elems).
 *
 * Returns a pointer into the same memory as @e.  No validation happens
 * here: target_offset is taken from the userspace-supplied table, so the
 * caller must already have range-checked it against next_offset and the
 * table size before trusting the result.
 */
static __inline__ struct ip6t_entry_target *
ip6t_get_target(struct ip6t_entry *e)
{
	unsigned char *base = (unsigned char *)e;

	return (struct ip6t_entry_target *)(base + e->target_offset);
}
291
/*
 * IP6T_MATCH_ITERATE - call fn(match, args...) for every match record of
 * entry @e, in order.
 *
 * Walks from sizeof(struct ip6t_entry) up to (e)->target_offset, stepping
 * by each record's u.match_size.  fn returns 0 to continue iteration; the
 * first non-zero return stops the walk and becomes the value of the whole
 * expression (0 if every call returned 0 or there were no records).
 *
 * No bounds checking is done here: target_offset and every match_size come
 * from the userspace-supplied table, and a match_size of 0 would leave __i
 * unchanged and spin forever.  The table checker in ip6_tables.c is relied
 * on to have validated both before this is used.
 *
 * Implemented with a GNU statement expression and named variadic arguments.
 */
#define IP6T_MATCH_ITERATE(e, fn, args...)	\
({						\
	unsigned int __i;			\
	int __ret = 0;				\
	struct ip6t_entry_match *__m;		\
						\
	for (__i = sizeof(struct ip6t_entry);	\
	     __i < (e)->target_offset;		\
	     __i += __m->u.match_size) {	\
		__m = (void *)(e) + __i;	\
						\
		__ret = fn(__m , ## args);	\
		if (__ret != 0)			\
			break;			\
	}					\
	__ret;					\
})
310
/*
 * IP6T_ENTRY_ITERATE - call fn(entry, args...) for every entry in a table
 * blob of @size bytes starting at @entries.
 *
 * Steps by each entry's next_offset.  fn returns 0 to continue iteration;
 * the first non-zero return stops the walk and is the value of the whole
 * expression (0 if every call returned 0 or @size is 0).
 *
 * As with IP6T_MATCH_ITERATE there is no bounds checking: next_offset is
 * userspace-supplied, a value of 0 would spin in place, and an oversized
 * value would step past @size before the loop condition is rechecked.
 * The table checker is relied on to have validated every next_offset and
 * confirmed that the entries end exactly at @size.
 */
#define IP6T_ENTRY_ITERATE(entries, size, fn, args...)		\
({								\
	unsigned int __i;					\
	int __ret = 0;						\
	struct ip6t_entry *__e;					\
								\
	for (__i = 0; __i < (size); __i += __e->next_offset) {	\
		__e = (void *)(entries) + __i;			\
								\
		__ret = fn(__e , ## args);			\
		if (__ret != 0)					\
			break;					\
	}							\
	__ret;							\
})
327
/*
 * Main firewall chains definitions and global var's definitions.
 */

#ifdef __KERNEL__

#include <linux/init.h>
extern void ip6t_init(void) __init;

/* Extension registration is delegated to the x_tables core, keyed on AF_INET6. */
#define ip6t_register_target(tgt) xt_register_target(AF_INET6, tgt)
#define ip6t_unregister_target(tgt) xt_unregister_target(AF_INET6, tgt)

#define ip6t_register_match(match) xt_register_match(AF_INET6, match)
#define ip6t_unregister_match(match) xt_unregister_match(AF_INET6, match)

/* Install/remove a table; @repl supplies its initial rule set (struct ip6t_replace). */
extern int ip6t_register_table(struct ip6t_table *table,
			       const struct ip6t_replace *repl);
extern void ip6t_unregister_table(struct ip6t_table *table);
/*
 * Run one packet through @table at netfilter hook @hook and return the
 * resulting verdict.  @pskb is a pointer to the skb pointer, presumably so
 * the skb can be replaced during traversal -- confirm in ip6_tables.c.
 */
extern unsigned int ip6t_do_table(struct sk_buff **pskb,
				  unsigned int hook,
				  const struct net_device *in,
				  const struct net_device *out,
				  struct ip6t_table *table,
				  void *userdata);

/* Check for an extension */
extern int ip6t_ext_hdr(u8 nexthdr);
/* find specified header and get offset to it */
extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
			 int target, unsigned short *fragoff);

/* Compare addr1 and addr2 under mask; the return convention is fixed by
   the definition in ip6_tables.c, not here. */
extern int ip6_masked_addrcmp(const struct in6_addr *addr1,
			      const struct in6_addr *mask,
			      const struct in6_addr *addr2);

/*
 * Round @s up to the alignment of struct ip6t_entry (@s is evaluated once).
 * Presumably used when validating match_size/target_offset/next_offset so
 * that walking the table yields aligned records -- confirm in ip6_tables.c.
 */
#define IP6T_ALIGN(s) (((s) + (__alignof__(struct ip6t_entry)-1)) & ~(__alignof__(struct ip6t_entry)-1))

#endif /*__KERNEL__*/
#endif /* _IP6_TABLES_H */
366#endif /* _IP6_TABLES_H */