Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / e674d0f38de6109b59dbe30fba8b296a03229b8e / . / include / linux / netfilter_ipv6 / ip6_tables.h
blob: 59f70b34e02925568c18c9c3f2dd0a6b7c294156 [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1/*
2 * 25-Jul-1998 Major changes to allow for ip chain table
3 *
4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
5 */
6
7/*
8 * Format of an IP6 firewall descriptor
9 *
10 * src, dst, src_mask, dst_mask are always stored in network byte order.
11 * flags are stored in host byte order (of course).
12 * Port numbers are stored in HOST byte order.
13 */
14
15#ifndef _IP6_TABLES_H
16#define _IP6_TABLES_H
17
18#ifdef __KERNEL__
19#include <linux/if.h>
20#include <linux/types.h>
21#include <linux/in6.h>
22#include <linux/ipv6.h>
23#include <linux/skbuff.h>
24#endif
25#include <linux/compiler.h>
26#include <linux/netfilter_ipv6.h>
27
28#define IP6T_FUNCTION_MAXNAMELEN 30
29#define IP6T_TABLE_MAXNAMELEN 32
30
31/* Yes, Virginia, you have to zero the padding. */
32struct ip6t_ip6 {
33 /* Source and destination IP6 addr */
34 struct in6_addr src, dst;
35 /* Mask for src and dest IP6 addr */
36 struct in6_addr smsk, dmsk;
37 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
38 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
39
40 /* ARGH, HopByHop uses 0, so can't do 0 = ANY,
41 instead IP6T_F_NOPROTO must be set */
42 u_int16_t proto;
43 /* TOS to match iff flags & IP6T_F_TOS */
44 u_int8_t tos;
45
46 /* Flags word */
47 u_int8_t flags;
48 /* Inverse flags */
49 u_int8_t invflags;
50};
51
52/* FIXME: If alignment in kernel different from userspace? --RR */
53struct ip6t_entry_match
54{
55 union {
56 struct {
57 u_int16_t match_size;
58
59 /* Used by userspace */
60 char name[IP6T_FUNCTION_MAXNAMELEN];
61 } user;
62 struct {
63 u_int16_t match_size;
64
65 /* Used inside the kernel */
66 struct ip6t_match *match;
67 } kernel;
68
69 /* Total length */
70 u_int16_t match_size;
71 } u;
72
73 unsigned char data[0];
74};
75
76struct ip6t_entry_target
77{
78 union {
79 struct {
80 u_int16_t target_size;
81
82 /* Used by userspace */
83 char name[IP6T_FUNCTION_MAXNAMELEN];
84 } user;
85 struct {
86 u_int16_t target_size;
87
88 /* Used inside the kernel */
89 struct ip6t_target *target;
90 } kernel;
91
92 /* Total length */
93 u_int16_t target_size;
94 } u;
95
96 unsigned char data[0];
97};
98
99struct ip6t_standard_target
100{
101 struct ip6t_entry_target target;
102 int verdict;
103};
104
105struct ip6t_counters
106{
107 u_int64_t pcnt, bcnt; /* Packet and byte counters */
108};
109
110/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
111#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
112 protocols */
113#define IP6T_F_TOS 0x02 /* Match the TOS. */
Patrick McHardy05465342005-08-21 23:31:43 -0700[diff] [blame]114#define IP6T_F_GOTO 0x04 /* Set if jump is a goto */
115#define IP6T_F_MASK 0x07 /* All possible flag bits mask. */
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]116
117/* Values for "inv" field in struct ip6t_ip6. */
118#define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
119#define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
120#define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */
121#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
122#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
123#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */
124#define IP6T_INV_PROTO 0x40 /* Invert the sense of PROTO. */
125#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */
126
127/* This structure defines each of the firewall rules. Consists of 3
128 parts which are 1) general IP header stuff 2) match specific
129 stuff 3) the target to perform if the rule matches */
130struct ip6t_entry
131{
132 struct ip6t_ip6 ipv6;
133
134 /* Mark with fields that we care about. */
135 unsigned int nfcache;
136
137 /* Size of ipt_entry + matches */
138 u_int16_t target_offset;
139 /* Size of ipt_entry + matches + target */
140 u_int16_t next_offset;
141
142 /* Back pointer */
143 unsigned int comefrom;
144
145 /* Packet and byte counters. */
146 struct ip6t_counters counters;
147
148 /* The matches (if any), then the target. */
149 unsigned char elems[0];
150};
151
152/*
153 * New IP firewall options for [gs]etsockopt at the RAW IP level.
154 * Unlike BSD Linux inherits IP options so you don't have to use
155 * a raw socket for this. Instead we check rights in the calls. */
156#define IP6T_BASE_CTL 64 /* base for firewall socket options */
157
158#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL)
159#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1)
160#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS
161
162#define IP6T_SO_GET_INFO (IP6T_BASE_CTL)
163#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1)
164#define IP6T_SO_GET_MAX IP6T_SO_GET_ENTRIES
165
166/* CONTINUE verdict for targets */
167#define IP6T_CONTINUE 0xFFFFFFFF
168
169/* For standard target */
170#define IP6T_RETURN (-NF_REPEAT - 1)
171
172/* TCP matching stuff */
173struct ip6t_tcp
174{
175 u_int16_t spts[2]; /* Source port range. */
176 u_int16_t dpts[2]; /* Destination port range. */
177 u_int8_t option; /* TCP Option iff non-zero*/
178 u_int8_t flg_mask; /* TCP flags mask byte */
179 u_int8_t flg_cmp; /* TCP flags compare byte */
180 u_int8_t invflags; /* Inverse flags */
181};
182
183/* Values for "inv" field in struct ipt_tcp. */
184#define IP6T_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
185#define IP6T_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
186#define IP6T_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
187#define IP6T_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
188#define IP6T_TCP_INV_MASK 0x0F /* All possible flags. */
189
190/* UDP matching stuff */
191struct ip6t_udp
192{
193 u_int16_t spts[2]; /* Source port range. */
194 u_int16_t dpts[2]; /* Destination port range. */
195 u_int8_t invflags; /* Inverse flags */
196};
197
198/* Values for "invflags" field in struct ipt_udp. */
199#define IP6T_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
200#define IP6T_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
201#define IP6T_UDP_INV_MASK 0x03 /* All possible flags. */
202
203/* ICMP matching stuff */
204struct ip6t_icmp
205{
206 u_int8_t type; /* type to match */
207 u_int8_t code[2]; /* range of code */
208 u_int8_t invflags; /* Inverse flags */
209};
210
211/* Values for "inv" field for struct ipt_icmp. */
212#define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */
213
214/* The argument to IP6T_SO_GET_INFO */
215struct ip6t_getinfo
216{
217 /* Which table: caller fills this in. */
218 char name[IP6T_TABLE_MAXNAMELEN];
219
220 /* Kernel fills these in. */
221 /* Which hook entry points are valid: bitmask */
222 unsigned int valid_hooks;
223
224 /* Hook entry points: one per netfilter hook. */
225 unsigned int hook_entry[NF_IP6_NUMHOOKS];
226
227 /* Underflow points. */
228 unsigned int underflow[NF_IP6_NUMHOOKS];
229
230 /* Number of entries */
231 unsigned int num_entries;
232
233 /* Size of entries. */
234 unsigned int size;
235};
236
237/* The argument to IP6T_SO_SET_REPLACE. */
238struct ip6t_replace
239{
240 /* Which table. */
241 char name[IP6T_TABLE_MAXNAMELEN];
242
243 /* Which hook entry points are valid: bitmask. You can't
244 change this. */
245 unsigned int valid_hooks;
246
247 /* Number of entries */
248 unsigned int num_entries;
249
250 /* Total size of new entries */
251 unsigned int size;
252
253 /* Hook entry points. */
254 unsigned int hook_entry[NF_IP6_NUMHOOKS];
255
256 /* Underflow points. */
257 unsigned int underflow[NF_IP6_NUMHOOKS];
258
259 /* Information about old entries: */
260 /* Number of counters (must be equal to current number of entries). */
261 unsigned int num_counters;
262 /* The old entries' counters. */
263 struct ip6t_counters __user *counters;
264
265 /* The entries (hang off end: not really an array). */
266 struct ip6t_entry entries[0];
267};
268
269/* The argument to IP6T_SO_ADD_COUNTERS. */
270struct ip6t_counters_info
271{
272 /* Which table. */
273 char name[IP6T_TABLE_MAXNAMELEN];
274
275 unsigned int num_counters;
276
277 /* The counters (actually `number' of these). */
278 struct ip6t_counters counters[0];
279};
280
281/* The argument to IP6T_SO_GET_ENTRIES. */
282struct ip6t_get_entries
283{
284 /* Which table: user fills this in. */
285 char name[IP6T_TABLE_MAXNAMELEN];
286
287 /* User fills this in: total entry size. */
288 unsigned int size;
289
290 /* The entries. */
291 struct ip6t_entry entrytable[0];
292};
293
294/* Standard return verdict, or do jump. */
295#define IP6T_STANDARD_TARGET ""
296/* Error verdict. */
297#define IP6T_ERROR_TARGET "ERROR"
298
299/* Helper functions */
300static __inline__ struct ip6t_entry_target *
301ip6t_get_target(struct ip6t_entry *e)
302{
303 return (void *)e + e->target_offset;
304}
305
306/* fn returns 0 to continue iteration */
307#define IP6T_MATCH_ITERATE(e, fn, args...) \
308({ \
309 unsigned int __i; \
310 int __ret = 0; \
311 struct ip6t_entry_match *__m; \
312 \
313 for (__i = sizeof(struct ip6t_entry); \
314 __i < (e)->target_offset; \
315 __i += __m->u.match_size) { \
316 __m = (void *)(e) + __i; \
317 \
318 __ret = fn(__m , ## args); \
319 if (__ret != 0) \
320 break; \
321 } \
322 __ret; \
323})
324
325/* fn returns 0 to continue iteration */
326#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
327({ \
328 unsigned int __i; \
329 int __ret = 0; \
330 struct ip6t_entry *__e; \
331 \
332 for (__i = 0; __i < (size); __i += __e->next_offset) { \
333 __e = (void *)(entries) + __i; \
334 \
335 __ret = fn(__e , ## args); \
336 if (__ret != 0) \
337 break; \
338 } \
339 __ret; \
340})
341
342/*
343 * Main firewall chains definitions and global var's definitions.
344 */
345
346#ifdef __KERNEL__
347
348#include <linux/init.h>
349extern void ip6t_init(void) __init;
350
351struct ip6t_match
352{
353 struct list_head list;
354
355 const char name[IP6T_FUNCTION_MAXNAMELEN];
356
357 /* Return true or false: return FALSE and set *hotdrop = 1 to
358 force immediate packet drop. */
359 /* Arguments changed since 2.6.9, as this must now handle
360 non-linear skb, using skb_header_pointer and
361 skb_ip_make_writable. */
362 int (*match)(const struct sk_buff *skb,
363 const struct net_device *in,
364 const struct net_device *out,
365 const void *matchinfo,
366 int offset,
367 unsigned int protoff,
368 int *hotdrop);
369
370 /* Called when user tries to insert an entry of this type. */
371 /* Should return true or false. */
372 int (*checkentry)(const char *tablename,
373 const struct ip6t_ip6 *ip,
374 void *matchinfo,
375 unsigned int matchinfosize,
376 unsigned int hook_mask);
377
378 /* Called when entry of this type deleted. */
379 void (*destroy)(void *matchinfo, unsigned int matchinfosize);
380
381 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
382 struct module *me;
383};
384
385/* Registration hooks for targets. */
386struct ip6t_target
387{
388 struct list_head list;
389
390 const char name[IP6T_FUNCTION_MAXNAMELEN];
391
392 /* Returns verdict. Argument order changed since 2.6.9, as this
393 must now handle non-linear skbs, using skb_copy_bits and
394 skb_ip_make_writable. */
395 unsigned int (*target)(struct sk_buff **pskb,
396 const struct net_device *in,
397 const struct net_device *out,
398 unsigned int hooknum,
399 const void *targinfo,
400 void *userdata);
401
402 /* Called when user tries to insert an entry of this type:
403 hook_mask is a bitmask of hooks from which it can be
404 called. */
405 /* Should return true or false. */
406 int (*checkentry)(const char *tablename,
407 const struct ip6t_entry *e,
408 void *targinfo,
409 unsigned int targinfosize,
410 unsigned int hook_mask);
411
412 /* Called when entry of this type deleted. */
413 void (*destroy)(void *targinfo, unsigned int targinfosize);
414
415 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
416 struct module *me;
417};
418
419extern int ip6t_register_target(struct ip6t_target *target);
420extern void ip6t_unregister_target(struct ip6t_target *target);
421
422extern int ip6t_register_match(struct ip6t_match *match);
423extern void ip6t_unregister_match(struct ip6t_match *match);
424
425/* Furniture shopping... */
426struct ip6t_table
427{
428 struct list_head list;
429
430 /* A unique name... */
431 char name[IP6T_TABLE_MAXNAMELEN];
432
433 /* What hooks you will enter on */
434 unsigned int valid_hooks;
435
436 /* Lock for the curtain */
437 rwlock_t lock;
438
439 /* Man behind the curtain... */
440 struct ip6t_table_info *private;
441
442 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
443 struct module *me;
444};
445
446extern int ip6t_register_table(struct ip6t_table *table,
447 const struct ip6t_replace *repl);
448extern void ip6t_unregister_table(struct ip6t_table *table);
449extern unsigned int ip6t_do_table(struct sk_buff **pskb,
450 unsigned int hook,
451 const struct net_device *in,
452 const struct net_device *out,
453 struct ip6t_table *table,
454 void *userdata);
455
456/* Check for an extension */
457extern int ip6t_ext_hdr(u8 nexthdr);
Yasuyuki Kozakaie674d0f2005-09-19 15:34:40 -0700[diff] [blame^]458/* find specified header and get offset to it */
459extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
460 u8 target);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]461
462#define IP6T_ALIGN(s) (((s) + (__alignof__(struct ip6t_entry)-1)) & ~(__alignof__(struct ip6t_entry)-1))
463
464#endif /*__KERNEL__*/
465#endif /* _IP6_TABLES_H */