Gitiles
Code Review Sign In
android-review.linaro.org / kernel / hikey-linaro / 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 / . / include / linux / netfilter_ipv6 / ip6_tables.h
blob: f1ce3b009853b0fe8d87b2c2a563d31d9d3e6e15 [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame^]1/*
2 * 25-Jul-1998 Major changes to allow for ip chain table
3 *
4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
5 */
6
7/*
8 * Format of an IP6 firewall descriptor
9 *
10 * src, dst, src_mask, dst_mask are always stored in network byte order.
11 * flags are stored in host byte order (of course).
12 * Port numbers are stored in HOST byte order.
13 */
14
15#ifndef _IP6_TABLES_H
16#define _IP6_TABLES_H
17
18#ifdef __KERNEL__
19#include <linux/if.h>
20#include <linux/types.h>
21#include <linux/in6.h>
22#include <linux/ipv6.h>
23#include <linux/skbuff.h>
24#endif
25#include <linux/compiler.h>
26#include <linux/netfilter_ipv6.h>
27
28#define IP6T_FUNCTION_MAXNAMELEN 30
29#define IP6T_TABLE_MAXNAMELEN 32
30
31/* Yes, Virginia, you have to zero the padding. */
32struct ip6t_ip6 {
33 /* Source and destination IP6 addr */
34 struct in6_addr src, dst;
35 /* Mask for src and dest IP6 addr */
36 struct in6_addr smsk, dmsk;
37 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
38 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
39
40 /* ARGH, HopByHop uses 0, so can't do 0 = ANY,
41 instead IP6T_F_NOPROTO must be set */
42 u_int16_t proto;
43 /* TOS to match iff flags & IP6T_F_TOS */
44 u_int8_t tos;
45
46 /* Flags word */
47 u_int8_t flags;
48 /* Inverse flags */
49 u_int8_t invflags;
50};
51
52/* FIXME: If alignment in kernel different from userspace? --RR */
53struct ip6t_entry_match
54{
55 union {
56 struct {
57 u_int16_t match_size;
58
59 /* Used by userspace */
60 char name[IP6T_FUNCTION_MAXNAMELEN];
61 } user;
62 struct {
63 u_int16_t match_size;
64
65 /* Used inside the kernel */
66 struct ip6t_match *match;
67 } kernel;
68
69 /* Total length */
70 u_int16_t match_size;
71 } u;
72
73 unsigned char data[0];
74};
75
76struct ip6t_entry_target
77{
78 union {
79 struct {
80 u_int16_t target_size;
81
82 /* Used by userspace */
83 char name[IP6T_FUNCTION_MAXNAMELEN];
84 } user;
85 struct {
86 u_int16_t target_size;
87
88 /* Used inside the kernel */
89 struct ip6t_target *target;
90 } kernel;
91
92 /* Total length */
93 u_int16_t target_size;
94 } u;
95
96 unsigned char data[0];
97};
98
99struct ip6t_standard_target
100{
101 struct ip6t_entry_target target;
102 int verdict;
103};
104
105struct ip6t_counters
106{
107 u_int64_t pcnt, bcnt; /* Packet and byte counters */
108};
109
110/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
111#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
112 protocols */
113#define IP6T_F_TOS 0x02 /* Match the TOS. */
114#define IP6T_F_MASK 0x03 /* All possible flag bits mask. */
115
116/* Values for "inv" field in struct ip6t_ip6. */
117#define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
118#define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
119#define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */
120#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
121#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
122#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */
123#define IP6T_INV_PROTO 0x40 /* Invert the sense of PROTO. */
124#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */
125
126/* This structure defines each of the firewall rules. Consists of 3
127 parts which are 1) general IP header stuff 2) match specific
128 stuff 3) the target to perform if the rule matches */
129struct ip6t_entry
130{
131 struct ip6t_ip6 ipv6;
132
133 /* Mark with fields that we care about. */
134 unsigned int nfcache;
135
136 /* Size of ipt_entry + matches */
137 u_int16_t target_offset;
138 /* Size of ipt_entry + matches + target */
139 u_int16_t next_offset;
140
141 /* Back pointer */
142 unsigned int comefrom;
143
144 /* Packet and byte counters. */
145 struct ip6t_counters counters;
146
147 /* The matches (if any), then the target. */
148 unsigned char elems[0];
149};
150
151/*
152 * New IP firewall options for [gs]etsockopt at the RAW IP level.
153 * Unlike BSD Linux inherits IP options so you don't have to use
154 * a raw socket for this. Instead we check rights in the calls. */
155#define IP6T_BASE_CTL 64 /* base for firewall socket options */
156
157#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL)
158#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1)
159#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS
160
161#define IP6T_SO_GET_INFO (IP6T_BASE_CTL)
162#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1)
163#define IP6T_SO_GET_MAX IP6T_SO_GET_ENTRIES
164
165/* CONTINUE verdict for targets */
166#define IP6T_CONTINUE 0xFFFFFFFF
167
168/* For standard target */
169#define IP6T_RETURN (-NF_REPEAT - 1)
170
171/* TCP matching stuff */
172struct ip6t_tcp
173{
174 u_int16_t spts[2]; /* Source port range. */
175 u_int16_t dpts[2]; /* Destination port range. */
176 u_int8_t option; /* TCP Option iff non-zero*/
177 u_int8_t flg_mask; /* TCP flags mask byte */
178 u_int8_t flg_cmp; /* TCP flags compare byte */
179 u_int8_t invflags; /* Inverse flags */
180};
181
182/* Values for "inv" field in struct ipt_tcp. */
183#define IP6T_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
184#define IP6T_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
185#define IP6T_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
186#define IP6T_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
187#define IP6T_TCP_INV_MASK 0x0F /* All possible flags. */
188
189/* UDP matching stuff */
190struct ip6t_udp
191{
192 u_int16_t spts[2]; /* Source port range. */
193 u_int16_t dpts[2]; /* Destination port range. */
194 u_int8_t invflags; /* Inverse flags */
195};
196
197/* Values for "invflags" field in struct ipt_udp. */
198#define IP6T_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
199#define IP6T_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
200#define IP6T_UDP_INV_MASK 0x03 /* All possible flags. */
201
202/* ICMP matching stuff */
203struct ip6t_icmp
204{
205 u_int8_t type; /* type to match */
206 u_int8_t code[2]; /* range of code */
207 u_int8_t invflags; /* Inverse flags */
208};
209
210/* Values for "inv" field for struct ipt_icmp. */
211#define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */
212
213/* The argument to IP6T_SO_GET_INFO */
214struct ip6t_getinfo
215{
216 /* Which table: caller fills this in. */
217 char name[IP6T_TABLE_MAXNAMELEN];
218
219 /* Kernel fills these in. */
220 /* Which hook entry points are valid: bitmask */
221 unsigned int valid_hooks;
222
223 /* Hook entry points: one per netfilter hook. */
224 unsigned int hook_entry[NF_IP6_NUMHOOKS];
225
226 /* Underflow points. */
227 unsigned int underflow[NF_IP6_NUMHOOKS];
228
229 /* Number of entries */
230 unsigned int num_entries;
231
232 /* Size of entries. */
233 unsigned int size;
234};
235
236/* The argument to IP6T_SO_SET_REPLACE. */
237struct ip6t_replace
238{
239 /* Which table. */
240 char name[IP6T_TABLE_MAXNAMELEN];
241
242 /* Which hook entry points are valid: bitmask. You can't
243 change this. */
244 unsigned int valid_hooks;
245
246 /* Number of entries */
247 unsigned int num_entries;
248
249 /* Total size of new entries */
250 unsigned int size;
251
252 /* Hook entry points. */
253 unsigned int hook_entry[NF_IP6_NUMHOOKS];
254
255 /* Underflow points. */
256 unsigned int underflow[NF_IP6_NUMHOOKS];
257
258 /* Information about old entries: */
259 /* Number of counters (must be equal to current number of entries). */
260 unsigned int num_counters;
261 /* The old entries' counters. */
262 struct ip6t_counters __user *counters;
263
264 /* The entries (hang off end: not really an array). */
265 struct ip6t_entry entries[0];
266};
267
268/* The argument to IP6T_SO_ADD_COUNTERS. */
269struct ip6t_counters_info
270{
271 /* Which table. */
272 char name[IP6T_TABLE_MAXNAMELEN];
273
274 unsigned int num_counters;
275
276 /* The counters (actually `number' of these). */
277 struct ip6t_counters counters[0];
278};
279
280/* The argument to IP6T_SO_GET_ENTRIES. */
281struct ip6t_get_entries
282{
283 /* Which table: user fills this in. */
284 char name[IP6T_TABLE_MAXNAMELEN];
285
286 /* User fills this in: total entry size. */
287 unsigned int size;
288
289 /* The entries. */
290 struct ip6t_entry entrytable[0];
291};
292
293/* Standard return verdict, or do jump. */
294#define IP6T_STANDARD_TARGET ""
295/* Error verdict. */
296#define IP6T_ERROR_TARGET "ERROR"
297
298/* Helper functions */
299static __inline__ struct ip6t_entry_target *
300ip6t_get_target(struct ip6t_entry *e)
301{
302 return (void *)e + e->target_offset;
303}
304
305/* fn returns 0 to continue iteration */
306#define IP6T_MATCH_ITERATE(e, fn, args...) \
307({ \
308 unsigned int __i; \
309 int __ret = 0; \
310 struct ip6t_entry_match *__m; \
311 \
312 for (__i = sizeof(struct ip6t_entry); \
313 __i < (e)->target_offset; \
314 __i += __m->u.match_size) { \
315 __m = (void *)(e) + __i; \
316 \
317 __ret = fn(__m , ## args); \
318 if (__ret != 0) \
319 break; \
320 } \
321 __ret; \
322})
323
324/* fn returns 0 to continue iteration */
325#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
326({ \
327 unsigned int __i; \
328 int __ret = 0; \
329 struct ip6t_entry *__e; \
330 \
331 for (__i = 0; __i < (size); __i += __e->next_offset) { \
332 __e = (void *)(entries) + __i; \
333 \
334 __ret = fn(__e , ## args); \
335 if (__ret != 0) \
336 break; \
337 } \
338 __ret; \
339})
340
341/*
342 * Main firewall chains definitions and global var's definitions.
343 */
344
345#ifdef __KERNEL__
346
347#include <linux/init.h>
348extern void ip6t_init(void) __init;
349
350struct ip6t_match
351{
352 struct list_head list;
353
354 const char name[IP6T_FUNCTION_MAXNAMELEN];
355
356 /* Return true or false: return FALSE and set *hotdrop = 1 to
357 force immediate packet drop. */
358 /* Arguments changed since 2.6.9, as this must now handle
359 non-linear skb, using skb_header_pointer and
360 skb_ip_make_writable. */
361 int (*match)(const struct sk_buff *skb,
362 const struct net_device *in,
363 const struct net_device *out,
364 const void *matchinfo,
365 int offset,
366 unsigned int protoff,
367 int *hotdrop);
368
369 /* Called when user tries to insert an entry of this type. */
370 /* Should return true or false. */
371 int (*checkentry)(const char *tablename,
372 const struct ip6t_ip6 *ip,
373 void *matchinfo,
374 unsigned int matchinfosize,
375 unsigned int hook_mask);
376
377 /* Called when entry of this type deleted. */
378 void (*destroy)(void *matchinfo, unsigned int matchinfosize);
379
380 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
381 struct module *me;
382};
383
384/* Registration hooks for targets. */
385struct ip6t_target
386{
387 struct list_head list;
388
389 const char name[IP6T_FUNCTION_MAXNAMELEN];
390
391 /* Returns verdict. Argument order changed since 2.6.9, as this
392 must now handle non-linear skbs, using skb_copy_bits and
393 skb_ip_make_writable. */
394 unsigned int (*target)(struct sk_buff **pskb,
395 const struct net_device *in,
396 const struct net_device *out,
397 unsigned int hooknum,
398 const void *targinfo,
399 void *userdata);
400
401 /* Called when user tries to insert an entry of this type:
402 hook_mask is a bitmask of hooks from which it can be
403 called. */
404 /* Should return true or false. */
405 int (*checkentry)(const char *tablename,
406 const struct ip6t_entry *e,
407 void *targinfo,
408 unsigned int targinfosize,
409 unsigned int hook_mask);
410
411 /* Called when entry of this type deleted. */
412 void (*destroy)(void *targinfo, unsigned int targinfosize);
413
414 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
415 struct module *me;
416};
417
418extern int ip6t_register_target(struct ip6t_target *target);
419extern void ip6t_unregister_target(struct ip6t_target *target);
420
421extern int ip6t_register_match(struct ip6t_match *match);
422extern void ip6t_unregister_match(struct ip6t_match *match);
423
424/* Furniture shopping... */
425struct ip6t_table
426{
427 struct list_head list;
428
429 /* A unique name... */
430 char name[IP6T_TABLE_MAXNAMELEN];
431
432 /* What hooks you will enter on */
433 unsigned int valid_hooks;
434
435 /* Lock for the curtain */
436 rwlock_t lock;
437
438 /* Man behind the curtain... */
439 struct ip6t_table_info *private;
440
441 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
442 struct module *me;
443};
444
445extern int ip6t_register_table(struct ip6t_table *table,
446 const struct ip6t_replace *repl);
447extern void ip6t_unregister_table(struct ip6t_table *table);
448extern unsigned int ip6t_do_table(struct sk_buff **pskb,
449 unsigned int hook,
450 const struct net_device *in,
451 const struct net_device *out,
452 struct ip6t_table *table,
453 void *userdata);
454
455/* Check for an extension */
456extern int ip6t_ext_hdr(u8 nexthdr);
457
458#define IP6T_ALIGN(s) (((s) + (__alignof__(struct ip6t_entry)-1)) & ~(__alignof__(struct ip6t_entry)-1))
459
460#endif /*__KERNEL__*/
461#endif /* _IP6_TABLES_H */