2 * 25-Jul-1998 Major changes to allow for ip chain table
4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
8 * Format of an IP6 firewall descriptor
10 * src, dst, src_mask, dst_mask are always stored in network byte order.
11 * flags are stored in host byte order (of course).
12 * Port numbers are stored in HOST byte order.
15 #ifndef _UAPI_IP6_TABLES_H
16 #define _UAPI_IP6_TABLES_H
18 #include <linux/types.h>
19 #include <linux/compiler.h>
20 #include <linux/netfilter_ipv6.h>
22 #include <linux/netfilter/x_tables.h>
25 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
26 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
27 #define ip6t_match xt_match
28 #define ip6t_target xt_target
29 #define ip6t_table xt_table
30 #define ip6t_get_revision xt_get_revision
31 #define ip6t_entry_match xt_entry_match
32 #define ip6t_entry_target xt_entry_target
33 #define ip6t_standard_target xt_standard_target
34 #define ip6t_error_target xt_error_target
35 #define ip6t_counters xt_counters
36 #define IP6T_CONTINUE XT_CONTINUE
37 #define IP6T_RETURN XT_RETURN
39 /* Pre-iptables-1.4.0 */
40 #include <linux/netfilter/xt_tcpudp.h>
41 #define ip6t_tcp xt_tcp
42 #define ip6t_udp xt_udp
43 #define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT
44 #define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT
45 #define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS
46 #define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION
47 #define IP6T_TCP_INV_MASK XT_TCP_INV_MASK
48 #define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT
49 #define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT
50 #define IP6T_UDP_INV_MASK XT_UDP_INV_MASK
52 #define ip6t_counters_info xt_counters_info
53 #define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
54 #define IP6T_ERROR_TARGET XT_ERROR_TARGET
55 #define IP6T_MATCH_ITERATE(e, fn, args...) \
56 XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
57 #define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
58 XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
61 /* Yes, Virginia, you have to zero the padding. */
63 /* Source and destination IP6 addr */
64 struct in6_addr src, dst;
65 /* Mask for src and dest IP6 addr */
66 struct in6_addr smsk, dmsk;
67 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
68 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
70 /* Upper protocol number
71 * - The allowed value is 0 (any) or protocol number of last parsable
72 * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
73 * the non IPv6 extension headers.
74 * - The protocol numbers of IPv6 extension headers except of ESP and
75 * MH do not match any packets.
76 * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
79 /* TOS to match iff flags & IP6T_F_TOS */
88 /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
89 #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
91 #define IP6T_F_TOS 0x02 /* Match the TOS. */
92 #define IP6T_F_GOTO 0x04 /* Set if jump is a goto */
93 #define IP6T_F_MASK 0x07 /* All possible flag bits mask. */
95 /* Values for "inv" field in struct ip6t_ip6. */
96 #define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
97 #define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
98 #define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */
99 #define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
100 #define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
101 #define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */
102 #define IP6T_INV_PROTO XT_INV_PROTO
103 #define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */
105 /* This structure defines each of the firewall rules. Consists of 3
106 parts which are 1) general IP header stuff 2) match specific
107 stuff 3) the target to perform if the rule matches */
109 struct ip6t_ip6 ipv6;
111 /* Mark with fields that we care about. */
112 unsigned int nfcache;
114 /* Size of ipt_entry + matches */
116 /* Size of ipt_entry + matches + target */
120 unsigned int comefrom;
122 /* Packet and byte counters. */
123 struct xt_counters counters;
125 /* The matches (if any), then the target. */
126 unsigned char elems[0];
130 struct ip6t_standard {
131 struct ip6t_entry entry;
132 struct xt_standard_target target;
136 struct ip6t_entry entry;
137 struct xt_error_target target;
140 #define IP6T_ENTRY_INIT(__size) \
142 .target_offset = sizeof(struct ip6t_entry), \
143 .next_offset = (__size), \
146 #define IP6T_STANDARD_INIT(__verdict) \
148 .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \
149 .target = XT_TARGET_INIT(XT_STANDARD_TARGET, \
150 sizeof(struct xt_standard_target)), \
151 .target.verdict = -(__verdict) - 1, \
154 #define IP6T_ERROR_INIT \
156 .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \
157 .target = XT_TARGET_INIT(XT_ERROR_TARGET, \
158 sizeof(struct xt_error_target)), \
159 .target.errorname = "ERROR", \
163 * New IP firewall options for [gs]etsockopt at the RAW IP level.
164 * Unlike BSD Linux inherits IP options so you don't have to use
165 * a raw socket for this. Instead we check rights in the calls.
167 * ATTENTION: check linux/in6.h before adding new number here.
169 #define IP6T_BASE_CTL 64
171 #define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL)
172 #define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1)
173 #define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS
175 #define IP6T_SO_GET_INFO (IP6T_BASE_CTL)
176 #define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1)
177 #define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4)
178 #define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5)
179 #define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET
181 /* obtain original address if REDIRECT'd connection */
182 #define IP6T_SO_ORIGINAL_DST 80
184 /* ICMP matching stuff */
186 __u8 type; /* type to match */
187 __u8 code[2]; /* range of code */
188 __u8 invflags; /* Inverse flags */
191 /* Values for "inv" field for struct ipt_icmp. */
192 #define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */
194 /* The argument to IP6T_SO_GET_INFO */
195 struct ip6t_getinfo {
196 /* Which table: caller fills this in. */
197 char name[XT_TABLE_MAXNAMELEN];
199 /* Kernel fills these in. */
200 /* Which hook entry points are valid: bitmask */
201 unsigned int valid_hooks;
203 /* Hook entry points: one per netfilter hook. */
204 unsigned int hook_entry[NF_INET_NUMHOOKS];
206 /* Underflow points. */
207 unsigned int underflow[NF_INET_NUMHOOKS];
209 /* Number of entries */
210 unsigned int num_entries;
212 /* Size of entries. */
216 /* The argument to IP6T_SO_SET_REPLACE. */
217 struct ip6t_replace {
219 char name[XT_TABLE_MAXNAMELEN];
221 /* Which hook entry points are valid: bitmask. You can't
223 unsigned int valid_hooks;
225 /* Number of entries */
226 unsigned int num_entries;
228 /* Total size of new entries */
231 /* Hook entry points. */
232 unsigned int hook_entry[NF_INET_NUMHOOKS];
234 /* Underflow points. */
235 unsigned int underflow[NF_INET_NUMHOOKS];
237 /* Information about old entries: */
238 /* Number of counters (must be equal to current number of entries). */
239 unsigned int num_counters;
240 /* The old entries' counters. */
241 struct xt_counters __user *counters;
243 /* The entries (hang off end: not really an array). */
244 struct ip6t_entry entries[0];
247 /* The argument to IP6T_SO_GET_ENTRIES. */
248 struct ip6t_get_entries {
249 /* Which table: user fills this in. */
250 char name[XT_TABLE_MAXNAMELEN];
252 /* User fills this in: total entry size. */
256 struct ip6t_entry entrytable[0];
259 /* Helper functions */
260 static __inline__ struct xt_entry_target *
261 ip6t_get_target(struct ip6t_entry *e)
263 return (void *)e + e->target_offset;
267 * Main firewall chains definitions and global var's definitions.
270 #endif /* _UAPI_IP6_TABLES_H */