1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2 /*
3  * 25-Jul-1998 Major changes to allow for ip chain table
4  *
5  * 3-Jan-2000 Named tables to allow packet selection for different uses.
6  */
7 
8 /*
9  * 	Format of an IP6 firewall descriptor
10  *
11  * 	src, dst, src_mask, dst_mask are always stored in network byte order.
12  * 	flags are stored in host byte order (of course).
13  * 	Port numbers are stored in HOST byte order.
14  */
15 
16 #ifndef _UAPI_IP6_TABLES_H
17 #define _UAPI_IP6_TABLES_H
18 
19 #include <linux/types.h>
20 #include <linux/compiler.h>
21 #include <linux/if.h>
22 #include <linux/netfilter_ipv6.h>
23 
24 #include <linux/netfilter/x_tables.h>
25 
26 #ifndef __KERNEL__
27 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
28 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
29 #define ip6t_match xt_match
30 #define ip6t_target xt_target
31 #define ip6t_table xt_table
32 #define ip6t_get_revision xt_get_revision
33 #define ip6t_entry_match xt_entry_match
34 #define ip6t_entry_target xt_entry_target
35 #define ip6t_standard_target xt_standard_target
36 #define ip6t_error_target xt_error_target
37 #define ip6t_counters xt_counters
38 #define IP6T_CONTINUE XT_CONTINUE
39 #define IP6T_RETURN XT_RETURN
40 
41 /* Pre-iptables-1.4.0 */
42 #include <linux/netfilter/xt_tcpudp.h>
43 #define ip6t_tcp xt_tcp
44 #define ip6t_udp xt_udp
45 #define IP6T_TCP_INV_SRCPT	XT_TCP_INV_SRCPT
46 #define IP6T_TCP_INV_DSTPT	XT_TCP_INV_DSTPT
47 #define IP6T_TCP_INV_FLAGS	XT_TCP_INV_FLAGS
48 #define IP6T_TCP_INV_OPTION	XT_TCP_INV_OPTION
49 #define IP6T_TCP_INV_MASK	XT_TCP_INV_MASK
50 #define IP6T_UDP_INV_SRCPT	XT_UDP_INV_SRCPT
51 #define IP6T_UDP_INV_DSTPT	XT_UDP_INV_DSTPT
52 #define IP6T_UDP_INV_MASK	XT_UDP_INV_MASK
53 
54 #define ip6t_counters_info xt_counters_info
55 #define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
56 #define IP6T_ERROR_TARGET XT_ERROR_TARGET
57 #define IP6T_MATCH_ITERATE(e, fn, args...) \
58 	XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
59 #define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
60 	XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
61 #endif
62 
63 /* Yes, Virginia, you have to zero the padding. */
64 struct ip6t_ip6 {
65 	/* Source and destination IP6 addr */
66 	struct in6_addr src, dst;
67 	/* Mask for src and dest IP6 addr */
68 	struct in6_addr smsk, dmsk;
69 	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
70 	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
71 
72 	/* Upper protocol number
73 	 * - The allowed value is 0 (any) or protocol number of last parsable
74 	 *   header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
75 	 *   the non IPv6 extension headers.
76 	 * - The protocol numbers of IPv6 extension headers except of ESP and
77 	 *   MH do not match any packets.
78 	 * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
79 	 */
80 	__u16 proto;
81 	/* TOS to match iff flags & IP6T_F_TOS */
82 	__u8 tos;
83 
84 	/* Flags word */
85 	__u8 flags;
86 	/* Inverse flags */
87 	__u8 invflags;
88 };
89 
90 /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
91 #define IP6T_F_PROTO		0x01	/* Set if rule cares about upper
92 					   protocols */
93 #define IP6T_F_TOS		0x02	/* Match the TOS. */
94 #define IP6T_F_GOTO		0x04	/* Set if jump is a goto */
95 #define IP6T_F_MASK		0x07	/* All possible flag bits mask. */
96 
97 /* Values for "inv" field in struct ip6t_ip6. */
98 #define IP6T_INV_VIA_IN		0x01	/* Invert the sense of IN IFACE. */
99 #define IP6T_INV_VIA_OUT		0x02	/* Invert the sense of OUT IFACE */
100 #define IP6T_INV_TOS		0x04	/* Invert the sense of TOS. */
101 #define IP6T_INV_SRCIP		0x08	/* Invert the sense of SRC IP. */
102 #define IP6T_INV_DSTIP		0x10	/* Invert the sense of DST OP. */
103 #define IP6T_INV_FRAG		0x20	/* Invert the sense of FRAG. */
104 #define IP6T_INV_PROTO		XT_INV_PROTO
105 #define IP6T_INV_MASK		0x7F	/* All possible flag bits mask. */
106 
107 /* This structure defines each of the firewall rules.  Consists of 3
108    parts which are 1) general IP header stuff 2) match specific
109    stuff 3) the target to perform if the rule matches */
110 struct ip6t_entry {
111 	struct ip6t_ip6 ipv6;
112 
113 	/* Mark with fields that we care about. */
114 	unsigned int nfcache;
115 
116 	/* Size of ipt_entry + matches */
117 	__u16 target_offset;
118 	/* Size of ipt_entry + matches + target */
119 	__u16 next_offset;
120 
121 	/* Back pointer */
122 	unsigned int comefrom;
123 
124 	/* Packet and byte counters. */
125 	struct xt_counters counters;
126 
127 	/* The matches (if any), then the target. */
128 	unsigned char elems[0];
129 };
130 
131 /* Standard entry */
132 struct ip6t_standard {
133 	struct ip6t_entry entry;
134 	struct xt_standard_target target;
135 };
136 
137 struct ip6t_error {
138 	struct ip6t_entry entry;
139 	struct xt_error_target target;
140 };
141 
142 #define IP6T_ENTRY_INIT(__size)						       \
143 {									       \
144 	.target_offset	= sizeof(struct ip6t_entry),			       \
145 	.next_offset	= (__size),					       \
146 }
147 
148 #define IP6T_STANDARD_INIT(__verdict)					       \
149 {									       \
150 	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
151 	.target		= XT_TARGET_INIT(XT_STANDARD_TARGET,		       \
152 					 sizeof(struct xt_standard_target)),   \
153 	.target.verdict	= -(__verdict) - 1,				       \
154 }
155 
156 #define IP6T_ERROR_INIT							       \
157 {									       \
158 	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),	       \
159 	.target		= XT_TARGET_INIT(XT_ERROR_TARGET,		       \
160 					 sizeof(struct xt_error_target)),      \
161 	.target.errorname = "ERROR",					       \
162 }
163 
164 /*
165  * New IP firewall options for [gs]etsockopt at the RAW IP level.
166  * Unlike BSD Linux inherits IP options so you don't have to use
167  * a raw socket for this. Instead we check rights in the calls.
168  *
169  * ATTENTION: check linux/in6.h before adding new number here.
170  */
171 #define IP6T_BASE_CTL			64
172 
173 #define IP6T_SO_SET_REPLACE		(IP6T_BASE_CTL)
174 #define IP6T_SO_SET_ADD_COUNTERS	(IP6T_BASE_CTL + 1)
175 #define IP6T_SO_SET_MAX			IP6T_SO_SET_ADD_COUNTERS
176 
177 #define IP6T_SO_GET_INFO		(IP6T_BASE_CTL)
178 #define IP6T_SO_GET_ENTRIES		(IP6T_BASE_CTL + 1)
179 #define IP6T_SO_GET_REVISION_MATCH	(IP6T_BASE_CTL + 4)
180 #define IP6T_SO_GET_REVISION_TARGET	(IP6T_BASE_CTL + 5)
181 #define IP6T_SO_GET_MAX			IP6T_SO_GET_REVISION_TARGET
182 
183 /* obtain original address if REDIRECT'd connection */
184 #define IP6T_SO_ORIGINAL_DST            80
185 
186 /* ICMP matching stuff */
187 struct ip6t_icmp {
188 	__u8 type;				/* type to match */
189 	__u8 code[2];				/* range of code */
190 	__u8 invflags;				/* Inverse flags */
191 };
192 
193 /* Values for "inv" field for struct ipt_icmp. */
194 #define IP6T_ICMP_INV	0x01	/* Invert the sense of type/code test */
195 
196 /* The argument to IP6T_SO_GET_INFO */
197 struct ip6t_getinfo {
198 	/* Which table: caller fills this in. */
199 	char name[XT_TABLE_MAXNAMELEN];
200 
201 	/* Kernel fills these in. */
202 	/* Which hook entry points are valid: bitmask */
203 	unsigned int valid_hooks;
204 
205 	/* Hook entry points: one per netfilter hook. */
206 	unsigned int hook_entry[NF_INET_NUMHOOKS];
207 
208 	/* Underflow points. */
209 	unsigned int underflow[NF_INET_NUMHOOKS];
210 
211 	/* Number of entries */
212 	unsigned int num_entries;
213 
214 	/* Size of entries. */
215 	unsigned int size;
216 };
217 
218 /* The argument to IP6T_SO_SET_REPLACE. */
219 struct ip6t_replace {
220 	/* Which table. */
221 	char name[XT_TABLE_MAXNAMELEN];
222 
223 	/* Which hook entry points are valid: bitmask.  You can't
224            change this. */
225 	unsigned int valid_hooks;
226 
227 	/* Number of entries */
228 	unsigned int num_entries;
229 
230 	/* Total size of new entries */
231 	unsigned int size;
232 
233 	/* Hook entry points. */
234 	unsigned int hook_entry[NF_INET_NUMHOOKS];
235 
236 	/* Underflow points. */
237 	unsigned int underflow[NF_INET_NUMHOOKS];
238 
239 	/* Information about old entries: */
240 	/* Number of counters (must be equal to current number of entries). */
241 	unsigned int num_counters;
242 	/* The old entries' counters. */
243 	struct xt_counters __user *counters;
244 
245 	/* The entries (hang off end: not really an array). */
246 	struct ip6t_entry entries[0];
247 };
248 
249 /* The argument to IP6T_SO_GET_ENTRIES. */
250 struct ip6t_get_entries {
251 	/* Which table: user fills this in. */
252 	char name[XT_TABLE_MAXNAMELEN];
253 
254 	/* User fills this in: total entry size. */
255 	unsigned int size;
256 
257 	/* The entries. */
258 	struct ip6t_entry entrytable[0];
259 };
260 
261 /* Helper functions */
262 static __inline__ struct xt_entry_target *
ip6t_get_target(struct ip6t_entry * e)263 ip6t_get_target(struct ip6t_entry *e)
264 {
265 	return (struct xt_entry_target *)((char *)e + e->target_offset);
266 }
267 
268 /*
269  *	Main firewall chains definitions and global var's definitions.
270  */
271 
272 #endif /* _UAPI_IP6_TABLES_H */
273