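/*
 * 25-Jul-1998 Major changes to allow for ip chain table
 *
 * 3-Jan-2000 Named tables to allow packet selection for different uses.
 */

/*
 * Format of an IP firewall descriptor
 *
 * src, dst, src_mask, dst_mask are always stored in network byte order.
 * flags are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 *
 * NOTE(review): struct in_addr, IFNAMSIZ and the u_intN_t types are not
 * defined here; they must come from <linux/netfilter_ipv4.h> or from the
 * including translation unit.
 */

#ifndef _IPTABLES_H
#define _IPTABLES_H

#include <linux/netfilter_ipv4.h>

/* Size bound for match/target names (name fields are one byte shorter). */
#define IPT_FUNCTION_MAXNAMELEN 30
/* Size bound for table names. */
#define IPT_TABLE_MAXNAMELEN 32

/* Yes, Virginia, you have to zero the padding. */
struct ipt_ip {
	/* Source and destination IP addr */
	struct in_addr src, dst;
	/* Mask for src and dest IP addr */
	struct in_addr smsk, dmsk;
	/* Interface name patterns; the *_mask arrays select which bytes
	 * of the name are significant. */
	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

	/* Protocol, 0 = ANY */
	u_int16_t proto;

	/* Flags word (IPT_F_*) */
	u_int8_t flags;
	/* Inverse flags (IPT_INV_*) */
	u_int8_t invflags;
};

/*
 * Header of one match inside an ipt_entry.  The user and kernel views
 * share the leading match_size so either side can walk the entry.
 */
struct ipt_entry_match
{
	union {
		struct {
			u_int16_t match_size;

			/* Used by userspace */
			char name[IPT_FUNCTION_MAXNAMELEN-1];

			u_int8_t revision;
		} user;
		struct {
			u_int16_t match_size;

			/* Used inside the kernel */
			struct ipt_match *match;
		} kernel;

		/* Total length */
		u_int16_t match_size;
	} u;

	/* Match-specific payload.  Kept as a zero-length array rather than
	 * a C99 flexible array member because this struct is embedded as a
	 * non-final member elsewhere (see ipt_standard_target), which C11
	 * does not permit for structs ending in a flexible array. */
	unsigned char data[0];
};

/*
 * Header of the target that ends an ipt_entry; same layout scheme as
 * ipt_entry_match.
 */
struct ipt_entry_target
{
	union {
		struct {
			u_int16_t target_size;

			/* Used by userspace */
			char name[IPT_FUNCTION_MAXNAMELEN-1];

			u_int8_t revision;
		} user;
		struct {
			u_int16_t target_size;

			/* Used inside the kernel */
			struct ipt_target *target;
		} kernel;

		/* Total length */
		u_int16_t target_size;
	} u;

	/* Target-specific payload; zero-length for the same reason as
	 * ipt_entry_match.data (embedded in ipt_standard_target below). */
	unsigned char data[0];
};

/* The built-in target: carries only a verdict (or a jump offset). */
struct ipt_standard_target
{
	struct ipt_entry_target target;
	int verdict;
};

struct ipt_counters
{
	u_int64_t pcnt, bcnt;			/* Packet and byte counters */
};

/* Values for "flag" field in struct ipt_ip (general ip structure). */
#define IPT_F_FRAG			0x01	/* Set if rule is a fragment rule */
#define IPT_F_MASK			0x01	/* All possible flag bits mask. */

/* Values for "inv" field in struct ipt_ip. */
#define IPT_INV_VIA_IN			0x01	/* Invert the sense of IN IFACE. */
#define IPT_INV_VIA_OUT			0x02	/* Invert the sense of OUT IFACE */
#define IPT_INV_TOS			0x04	/* Invert the sense of TOS. */
#define IPT_INV_SRCIP			0x08	/* Invert the sense of SRC IP. */
#define IPT_INV_DSTIP			0x10	/* Invert the sense of DST IP. */
#define IPT_INV_FRAG			0x20	/* Invert the sense of FRAG. */
#define IPT_INV_PROTO			0x40	/* Invert the sense of PROTO. */
#define IPT_INV_MASK			0x7F	/* All possible flag bits mask. */

/* This structure defines each of the firewall rules.  Consists of 3
   parts which are 1) general IP header stuff 2) match specific
   stuff 3) the target to perform if the rule matches */
struct ipt_entry
{
	struct ipt_ip ip;

	/* Mark with fields that we care about. */
	unsigned int nfcache;

	/* Size of ipt_entry + matches */
	u_int16_t target_offset;
	/* Size of ipt_entry + matches + target */
	u_int16_t next_offset;

	/* Back pointer */
	unsigned int comefrom;

	/* Packet and byte counters. */
	struct ipt_counters counters;

	/* The matches (if any), then the target.  Flexible array member:
	 * same layout as the former elems[0]. */
	unsigned char elems[];
};

/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 * socket for this.  Instead we check rights in the calls.
 */
#define IPT_BASE_CTL		64	/* base for firewall socket options */

#define IPT_SO_SET_REPLACE		(IPT_BASE_CTL)
#define IPT_SO_SET_ADD_COUNTERS		(IPT_BASE_CTL + 1)
#define IPT_SO_SET_MAX			IPT_SO_SET_ADD_COUNTERS

#define IPT_SO_GET_INFO			(IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES		(IPT_BASE_CTL + 1)
#define IPT_SO_GET_REVISION_MATCH	(IPT_BASE_CTL + 2)
#define IPT_SO_GET_REVISION_TARGET	(IPT_BASE_CTL + 3)
#define IPT_SO_GET_MAX			IPT_SO_GET_REVISION_TARGET

/* CONTINUE verdict for targets */
#define IPT_CONTINUE 0xFFFFFFFF

/* For standard target */
#define IPT_RETURN (-NF_MAX_VERDICT - 1)

/* TCP matching stuff */
struct ipt_tcp
{
	u_int16_t spts[2];			/* Source port range. */
	u_int16_t dpts[2];			/* Destination port range. */
	u_int8_t option;			/* TCP Option iff non-zero */
	u_int8_t flg_mask;			/* TCP flags mask byte */
	u_int8_t flg_cmp;			/* TCP flags compare byte */
	u_int8_t invflags;			/* Inverse flags */
};

/* Values for "inv" field in struct ipt_tcp. */
#define IPT_TCP_INV_SRCPT	0x01	/* Invert the sense of source ports. */
#define IPT_TCP_INV_DSTPT	0x02	/* Invert the sense of dest ports. */
#define IPT_TCP_INV_FLAGS	0x04	/* Invert the sense of TCP flags. */
#define IPT_TCP_INV_OPTION	0x08	/* Invert the sense of option test. */
#define IPT_TCP_INV_MASK	0x0F	/* All possible flags. */

/* UDP matching stuff */
struct ipt_udp
{
	u_int16_t spts[2];			/* Source port range. */
	u_int16_t dpts[2];			/* Destination port range. */
	u_int8_t invflags;			/* Inverse flags */
};

/* Values for "invflags" field in struct ipt_udp. */
#define IPT_UDP_INV_SRCPT	0x01	/* Invert the sense of source ports. */
#define IPT_UDP_INV_DSTPT	0x02	/* Invert the sense of dest ports. */
#define IPT_UDP_INV_MASK	0x03	/* All possible flags. */

/* ICMP matching stuff */
struct ipt_icmp
{
	u_int8_t type;				/* type to match */
	u_int8_t code[2];			/* range of code */
	u_int8_t invflags;			/* Inverse flags */
};

/* Values for "inv" field for struct ipt_icmp. */
#define IPT_ICMP_INV	0x01	/* Invert the sense of type/code test */

/* The argument to IPT_SO_GET_INFO */
struct ipt_getinfo
{
	/* Which table: caller fills this in. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* Kernel fills these in. */
	/* Which hook entry points are valid: bitmask */
	unsigned int valid_hooks;

	/* Hook entry points: one per netfilter hook. */
	unsigned int hook_entry[NF_IP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_IP_NUMHOOKS];

	/* Number of entries */
	unsigned int num_entries;

	/* Size of entries. */
	unsigned int size;
};

/* The argument to IPT_SO_SET_REPLACE. */
struct ipt_replace
{
	/* Which table. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* Which hook entry points are valid: bitmask.  You can't
	   change this. */
	unsigned int valid_hooks;

	/* Number of entries */
	unsigned int num_entries;

	/* Total size of new entries */
	unsigned int size;

	/* Hook entry points. */
	unsigned int hook_entry[NF_IP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_IP_NUMHOOKS];

	/* Information about old entries: */
	/* Number of counters (must be equal to current number of entries). */
	unsigned int num_counters;

	/* The old entries' counters. */
	struct ipt_counters *counters;

	/* The entries (hang off end: not really an array). */
	struct ipt_entry entries[];
};

/* The argument to IPT_SO_SET_ADD_COUNTERS. */
struct ipt_counters_info
{
	/* Which table. */
	char name[IPT_TABLE_MAXNAMELEN];

	unsigned int num_counters;

	/* The counters (actually num_counters of these). */
	struct ipt_counters counters[];
};

/* The argument to IPT_SO_GET_ENTRIES. */
struct ipt_get_entries
{
	/* Which table: user fills this in. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* User fills this in: total entry size. */
	unsigned int size;

	/* The entries. */
	struct ipt_entry entrytable[];
};

/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
 * kernel supports, if >= revision. */
struct ipt_get_revision
{
	char name[IPT_FUNCTION_MAXNAMELEN-1];

	u_int8_t revision;
};

/* Standard return verdict, or do jump. */
#define IPT_STANDARD_TARGET ""
/* Error verdict. */
#define IPT_ERROR_TARGET "ERROR"

/* Helper functions */

/*
 * Return the target that follows the matches of entry e.
 *
 * Performs no bounds check: e->target_offset must already have been
 * validated against the size of the memory holding e, otherwise the
 * returned pointer may lie outside it.  Arithmetic is done on an
 * unsigned char pointer (standard C) instead of on void * (GNU extension).
 */
static __inline__ struct ipt_entry_target *
ipt_get_target(struct ipt_entry *e)
{
	return (struct ipt_entry_target *)((unsigned char *)e + e->target_offset);
}

/*
 * Call fn(match, args...) for each match of entry e; fn returns 0 to
 * continue iteration, and the first non-zero return is the macro's value.
 *
 * The walk trusts each match's u.match_size: a zero size never advances
 * __i and the loop does not terminate, so sizes must be validated before
 * iterating over data from an untrusted source.
 */
#define IPT_MATCH_ITERATE(e, fn, args...)	\
({						\
	unsigned int __i;			\
	int __ret = 0;				\
	struct ipt_entry_match *__match;	\
						\
	for (__i = sizeof(struct ipt_entry);	\
	     __i < (e)->target_offset;		\
	     __i += __match->u.match_size) {	\
		__match = (struct ipt_entry_match *)	\
			((unsigned char *)(e) + __i);	\
						\
		__ret = fn(__match , ## args);	\
		if (__ret != 0)			\
			break;			\
	}					\
	__ret;					\
})

/*
 * Call fn(entry, args...) for each entry in the size bytes at entries;
 * fn returns 0 to continue iteration, and the first non-zero return is
 * the macro's value.
 *
 * As with IPT_MATCH_ITERATE, a zero next_offset never advances __i;
 * validate entry sizes before walking an untrusted table.
 */
#define IPT_ENTRY_ITERATE(entries, size, fn, args...)		\
({								\
	unsigned int __i;					\
	int __ret = 0;						\
	struct ipt_entry *__entry;				\
								\
	for (__i = 0; __i < (size); __i += __entry->next_offset) { \
		__entry = (struct ipt_entry *)			\
			((unsigned char *)(entries) + __i);	\
								\
		__ret = fn(__entry , ## args);			\
		if (__ret != 0)					\
			break;					\
	}							\
	__ret;							\
})

/*
 * Main firewall chains definitions and global var's definitions.
 */
#endif /* _IPTABLES_H */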