1/*
2 * 25-Jul-1998 Major changes to allow for ip chain table
3 *
4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
5 */
6
7/*
8 * 	Format of an IP firewall descriptor
9 *
10 * 	src, dst, src_mask, dst_mask are always stored in network byte order.
11 * 	flags are stored in host byte order (of course).
12 * 	Port numbers are stored in HOST byte order.
13 */
14
15#ifndef _IPTABLES_H
16#define _IPTABLES_H
17
18#include <linux/netfilter_ipv4.h>
19
/* Maximum length of a match/target name and of a table name.  The name
 * arrays below are sized IPT_FUNCTION_MAXNAMELEN-1 and IPT_TABLE_MAXNAMELEN
 * respectively, so both values are ABI: changing either changes the layout
 * of every struct exchanged with userspace through the socket options. */
#define IPT_FUNCTION_MAXNAMELEN 30
#define IPT_TABLE_MAXNAMELEN 32
22
/* Yes, Virginia, you have to zero the padding.
 *
 * IP-header part of a rule: addresses and masks, interface names and their
 * masks, the protocol, a flags word and an inversion word.  This sits at the
 * start of every struct ipt_entry that userspace hands to the kernel via
 * IPT_SO_SET_REPLACE, so its layout is ABI: do not reorder, resize or retype
 * fields.  Nothing in this header masks the padding out, so the producer
 * must zero it (NOTE(review): presumably because rules are compared
 * bytewise -- confirm against the consumer before relying on that). */
struct ipt_ip {
	/* Source and destination IP addr (network byte order, see file header) */
	struct in_addr src, dst;
	/* Mask for src and dest IP addr (network byte order) */
	struct in_addr smsk, dmsk;
	/* Interface names.  This declaration does not guarantee NUL
	 * termination, so consumers must bound reads at IFNAMSIZ. */
	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	/* Masks for the interface names above (how they are applied lives in
	 * the match code, not here). */
	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

	/* Protocol, 0 = ANY */
	u_int16_t proto;

	/* Flags word: IPT_F_* bits; IPT_F_MASK covers every defined bit. */
	u_int8_t flags;
	/* Inverse flags: IPT_INV_* bits; IPT_INV_MASK covers every defined bit. */
	u_int8_t invflags;
};
40
/* Header of one match inside an ipt_entry's elems[] area (walked by
 * IPT_MATCH_ITERATE).  The union overlays two views of the same bytes: the
 * userspace view (size + name + revision) that arrives on IPT_SO_SET_REPLACE,
 * and the kernel view (size + ipt_match pointer), presumably filled in once
 * the kernel has resolved the name.  match_size is the total length of the
 * match including data[]; it is what advances iteration over the matches,
 * and it is user-controlled until validated (a value of 0 would never
 * advance IPT_MATCH_ITERATE).  The user view (2 + 29 + 1 = 32 bytes) sets
 * the union's size on both 32- and 64-bit ABIs. */
struct ipt_entry_match
{
	union {
		struct {
			/* Total length of this match: header plus data[]. */
			u_int16_t match_size;

			/* Used by userspace.  Not guaranteed NUL-terminated by this
			 * declaration; bound reads at sizeof(name). */
			char name[IPT_FUNCTION_MAXNAMELEN-1];

			u_int8_t revision;
		} user;
		struct {
			u_int16_t match_size;

			/* Used inside the kernel */
			struct ipt_match *match;
		} kernel;

		/* Total length; aliases both match_size fields above. */
		u_int16_t match_size;
	} u;

	/* Match-specific payload (presumably e.g. struct ipt_tcp for the tcp
	 * match).  Zero-length array (GNU extension); the real length is
	 * match_size minus the header. */
	unsigned char data[0];
};
65
/* Header of the target that follows an entry's matches (located via
 * ipt_get_target()).  Same shape as struct ipt_entry_match: a union of the
 * userspace view (size + name + revision) received on IPT_SO_SET_REPLACE and
 * the kernel view (size + ipt_target pointer), presumably filled in after
 * name lookup.  target_size is the total length including data[] and is
 * user-controlled until validated. */
struct ipt_entry_target
{
	union {
		struct {
			/* Total length of this target: header plus data[]. */
			u_int16_t target_size;

			/* Used by userspace.  Not guaranteed NUL-terminated by this
			 * declaration; bound reads at sizeof(name).  Compared against
			 * IPT_STANDARD_TARGET / IPT_ERROR_TARGET below. */
			char name[IPT_FUNCTION_MAXNAMELEN-1];

			u_int8_t revision;
		} user;
		struct {
			u_int16_t target_size;

			/* Used inside the kernel */
			struct ipt_target *target;
		} kernel;

		/* Total length; aliases both target_size fields above. */
		u_int16_t target_size;
	} u;

	/* Target-specific payload (for the standard target, the verdict in
	 * struct ipt_standard_target).  Zero-length array (GNU extension). */
	unsigned char data[0];
};
90
/* The standard target: an ipt_entry_target header followed by a verdict.
 * Per the IPT_STANDARD_TARGET comment below the verdict is either a return
 * verdict or a jump.  IPT_RETURN is defined as a negative value while
 * IPT_CONTINUE is 0xFFFFFFFF, so consumers must be deliberate about the
 * signed/unsigned interpretation of this int.  NOTE(review): which
 * non-negative values are valid jump destinations is not established by
 * this header -- validate in the implementation before following one. */
struct ipt_standard_target
{
	struct ipt_entry_target target;
	int verdict;
};
96
/* Per-rule traffic counters; also the element type of the counter arrays
 * exchanged with userspace (struct ipt_replace, struct ipt_counters_info).
 * NOTE(review): the alignment of u_int64_t is ABI-dependent (commonly 4 on
 * i386, 8 on x86-64), so a 64-bit kernel serving 32-bit userspace cannot
 * assume both sides agree on the layout of structs embedding this --
 * confirm compat handling in the implementation. */
struct ipt_counters
{
	u_int64_t pcnt, bcnt;			/* Packet and byte counters */
};
101
/* Values for the "flags" field in struct ipt_ip (general ip structure). */
#define IPT_F_FRAG		0x01	/* Set if rule is a fragment rule */
#define IPT_F_MASK		0x01	/* All possible flag bits mask; bits outside it are undefined and should be rejected on input. */

/* Values for the "invflags" field in struct ipt_ip.  Each bit inverts the
 * sense of the corresponding test. */
#define IPT_INV_VIA_IN		0x01	/* Invert the sense of IN IFACE. */
#define IPT_INV_VIA_OUT		0x02	/* Invert the sense of OUT IFACE */
#define IPT_INV_TOS		0x04	/* Invert the sense of TOS.  NOTE(review): struct ipt_ip in this header has no TOS field. */
#define IPT_INV_SRCIP		0x08	/* Invert the sense of SRC IP. */
#define IPT_INV_DSTIP		0x10	/* Invert the sense of DST IP. */
#define IPT_INV_FRAG		0x20	/* Invert the sense of FRAG. */
#define IPT_INV_PROTO		0x40	/* Invert the sense of PROTO. */
#define IPT_INV_MASK		0x7F	/* All possible flag bits mask; bits outside it are undefined and should be rejected on input. */
115
116/* This structure defines each of the firewall rules.  Consists of 3
117   parts which are 1) general IP header stuff 2) match specific
118   stuff 3) the target to perform if the rule matches */
119struct ipt_entry
120{
121	struct ipt_ip ip;
122
123	/* Mark with fields that we care about. */
124	unsigned int nfcache;
125
126	/* Size of ipt_entry + matches */
127	u_int16_t target_offset;
128	/* Size of ipt_entry + matches + target */
129	u_int16_t next_offset;
130
131	/* Back pointer */
132	unsigned int comefrom;
133
134	/* Packet and byte counters. */
135	struct ipt_counters counters;
136
137	/* The matches (if any), then the target. */
138	unsigned char elems[0];
139};
140
141/*
142 * New IP firewall options for [gs]etsockopt at the RAW IP level.
143 * Unlike BSD Linux inherits IP options so you don't have to use a raw
144 * socket for this. Instead we check rights in the calls. */
/* Socket-option numbers.  SET and GET options share the same base, so the
 * two namespaces overlap numerically (IPT_SO_SET_REPLACE == IPT_SO_GET_INFO
 * == 64); they are told apart only by being passed to setsockopt vs
 * getsockopt.  NOTE(review): presumably 64 was chosen to sit clear of the
 * other IP-level option numbers -- verify against the included netfilter
 * headers before adding values here. */
#define IPT_BASE_CTL		64	/* base for firewall socket options */

#define IPT_SO_SET_REPLACE	(IPT_BASE_CTL)		/* struct ipt_replace */
#define IPT_SO_SET_ADD_COUNTERS	(IPT_BASE_CTL + 1)	/* struct ipt_counters_info */
#define IPT_SO_SET_MAX		IPT_SO_SET_ADD_COUNTERS

#define IPT_SO_GET_INFO			(IPT_BASE_CTL)		/* struct ipt_getinfo */
#define IPT_SO_GET_ENTRIES		(IPT_BASE_CTL + 1)	/* struct ipt_get_entries */
#define IPT_SO_GET_REVISION_MATCH	(IPT_BASE_CTL + 2)	/* struct ipt_get_revision */
#define IPT_SO_GET_REVISION_TARGET	(IPT_BASE_CTL + 3)	/* struct ipt_get_revision */
#define IPT_SO_GET_MAX			IPT_SO_GET_REVISION_TARGET

/* CONTINUE verdict for targets.  Unsigned 0xFFFFFFFF; equals -1 if read
 * through a plain int such as ipt_standard_target.verdict. */
#define IPT_CONTINUE 0xFFFFFFFF

/* For standard target: a negative value one below the lowest netfilter
 * verdict.  NF_MAX_VERDICT is not defined in this header; it is expected
 * from the netfilter headers included above. */
#define IPT_RETURN (-NF_MAX_VERDICT - 1)
162
/* TCP matching stuff: payload of the tcp match, carried in
 * ipt_entry_match.data[] and therefore user-supplied.  Port numbers are in
 * HOST byte order (see file header).  Each [2] array is an inclusive range
 * low..high (presumably; the range semantics live in the match code). */
struct ipt_tcp
{
	u_int16_t spts[2];			/* Source port range. */
	u_int16_t dpts[2];			/* Destination port range. */
	u_int8_t option;			/* TCP Option iff non-zero*/
	u_int8_t flg_mask;			/* TCP flags mask byte */
	u_int8_t flg_cmp;			/* TCP flags compare byte; presumably (flags & flg_mask) == flg_cmp */
	u_int8_t invflags;			/* Inverse flags: IPT_TCP_INV_* bits */
};
173
/* Values for the "invflags" field in struct ipt_tcp.  Each bit inverts the
 * sense of the corresponding test. */
#define IPT_TCP_INV_SRCPT	0x01	/* Invert the sense of source ports. */
#define IPT_TCP_INV_DSTPT	0x02	/* Invert the sense of dest ports. */
#define IPT_TCP_INV_FLAGS	0x04	/* Invert the sense of TCP flags. */
#define IPT_TCP_INV_OPTION	0x08	/* Invert the sense of option test. */
#define IPT_TCP_INV_MASK	0x0F	/* All possible flags; bits outside it are undefined and should be rejected on input. */
180
/* UDP matching stuff: payload of the udp match, carried in
 * ipt_entry_match.data[] and therefore user-supplied.  Port numbers are in
 * HOST byte order (see file header). */
struct ipt_udp
{
	u_int16_t spts[2];			/* Source port range. */
	u_int16_t dpts[2];			/* Destination port range. */
	u_int8_t invflags;			/* Inverse flags: IPT_UDP_INV_* bits */
};
188
/* Values for the "invflags" field in struct ipt_udp.  Each bit inverts the
 * sense of the corresponding test. */
#define IPT_UDP_INV_SRCPT	0x01	/* Invert the sense of source ports. */
#define IPT_UDP_INV_DSTPT	0x02	/* Invert the sense of dest ports. */
#define IPT_UDP_INV_MASK	0x03	/* All possible flags; bits outside it are undefined and should be rejected on input. */
193
/* ICMP matching stuff: payload of the icmp match, carried in
 * ipt_entry_match.data[] and therefore user-supplied. */
struct ipt_icmp
{
	u_int8_t type;				/* type to match */
	u_int8_t code[2];			/* range of code (low, high) */
	u_int8_t invflags;			/* Inverse flags: IPT_ICMP_INV */
};
201
/* Values for the "invflags" field of struct ipt_icmp.  Only one bit is
 * defined; anything else set in invflags is undefined and should be
 * rejected on input. */
#define IPT_ICMP_INV	0x01	/* Invert the sense of type/code test */
204
/* The argument to IPT_SO_GET_INFO.  Used in both directions: the caller
 * supplies name, the kernel fills in everything else.  The returned size
 * and num_entries are presumably what a caller then uses to size its
 * buffer for IPT_SO_GET_ENTRIES. */
struct ipt_getinfo
{
	/* Which table: caller fills this in.  Not guaranteed NUL-terminated
	 * by this declaration; the kernel must bound its read. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* Kernel fills these in. */
	/* Which hook entry points are valid: bitmask */
	unsigned int valid_hooks;

	/* Hook entry points: one per netfilter hook. */
	unsigned int hook_entry[NF_IP_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_IP_NUMHOOKS];

	/* Number of entries */
	unsigned int num_entries;

	/* Size of entries. */
	unsigned int size;
};
227
/* The argument to IPT_SO_SET_REPLACE: a complete replacement table.
 * Everything here is copied in from userspace, so every count, size and
 * offset is untrusted until checked against the length actually passed to
 * setsockopt.  Note that `counters' is a pointer field: it carries a
 * userspace address (the kernel must not dereference it directly), and it
 * makes sizeof(struct ipt_replace) differ between 32- and 64-bit callers,
 * so a 64-bit kernel serving 32-bit userspace needs a compat layout. */
struct ipt_replace
{
	/* Which table.  Not guaranteed NUL-terminated by this declaration. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* Which hook entry points are valid: bitmask.  You can't
           change this. */
	unsigned int valid_hooks;

	/* Number of entries (untrusted; must agree with a walk of entries[]). */
	unsigned int num_entries;

	/* Total size of new entries, in bytes (untrusted; must not exceed the
	 * bytes actually supplied after this header). */
	unsigned int size;

	/* Hook entry points, one per hook (presumably byte offsets into
	 * entries[], so each must land on an entry boundary inside `size'). */
	unsigned int hook_entry[NF_IP_NUMHOOKS];

	/* Underflow points (same shape and constraints as hook_entry). */
	unsigned int underflow[NF_IP_NUMHOOKS];

	/* Information about old entries: */
	/* Number of counters (must be equal to current number of entries). */
	unsigned int num_counters;

	/* The old entries' counters: a userspace buffer, presumably where the
	 * kernel returns the replaced table's counters -- confirm. */
	struct ipt_counters  *counters;

	/* The entries (hang off end: not really an array). */
	struct ipt_entry entries[0];
};
260
/* The argument to IPT_SO_SET_ADD_COUNTERS: a table name followed by
 * num_counters counters.  num_counters is user-controlled, so the kernel
 * must check that num_counters * sizeof(struct ipt_counters) neither
 * overflows nor exceeds the setsockopt length (and presumably that it
 * equals the table's entry count, as for ipt_replace) before reading
 * counters[]. */
struct ipt_counters_info
{
	/* Which table.  Not guaranteed NUL-terminated by this declaration. */
	char name[IPT_TABLE_MAXNAMELEN];

	unsigned int num_counters;

	/* The counters (actually `number' of these). */
	struct ipt_counters counters[0];
};
272
/* The argument to IPT_SO_GET_ENTRIES.  Userspace supplies name and size;
 * entrytable[] hangs off the end and receives the table.  Because size is
 * user-supplied, the kernel must cross-check it against the real table size
 * before copying out, and the getsockopt length must cover this header plus
 * size bytes. */
struct ipt_get_entries
{
	/* Which table: user fills this in.  Not guaranteed NUL-terminated by
	 * this declaration. */
	char name[IPT_TABLE_MAXNAMELEN];

	/* User fills this in: total entry size. */
	unsigned int size;

	/* The entries. */
	struct ipt_entry entrytable[0];
};
285
/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
 * kernel supports, if >= revision.  Same 29-byte name + 1-byte revision
 * layout as the user view of ipt_entry_match / ipt_entry_target. */
struct ipt_get_revision
{
	/* Match/target name.  Not guaranteed NUL-terminated by this
	 * declaration; the kernel must bound its read. */
	char name[IPT_FUNCTION_MAXNAMELEN-1];

	u_int8_t revision;
};
294
/* Target names, presumably matched against ipt_entry_target.u.user.name.
 * Standard return verdict, or do jump: the empty name. */
#define IPT_STANDARD_TARGET ""
/* Error verdict. */
#define IPT_ERROR_TARGET "ERROR"
299
/* Helper functions */

/* Return the target header of entry e, which lives target_offset bytes
 * past the start of the entry (after struct ipt_entry and its matches).
 * No validation is done here: target_offset is taken at face value, so for
 * entries received from userspace the caller must already have checked
 * that sizeof(struct ipt_entry) <= target_offset and that a whole
 * ipt_entry_target fits before next_offset. */
static __inline__ struct ipt_entry_target *
ipt_get_target(struct ipt_entry *e)
{
	unsigned char *base = (unsigned char *)e;

	return (struct ipt_entry_target *)(base + e->target_offset);
}
306
/* Walk the matches of entry e, calling fn(match, args...) on each.  fn
 * returns 0 to continue iteration; the first non-zero return stops the
 * walk and becomes the value of the expression (0 if every match was
 * visited).
 *
 * Security note: the walk advances by each match's own match_size and
 * only checks the *start* of a match against target_offset, not whether a
 * whole header fits.  Both fields are user-supplied for tables received
 * via IPT_SO_SET_REPLACE; a match_size of 0 never advances, so callers
 * must have validated every match's size before iterating. */
#define IPT_MATCH_ITERATE(e, fn, args...)			\
({								\
	struct ipt_entry_match *__m;				\
	unsigned int __off = sizeof(struct ipt_entry);		\
	int __rc = 0;						\
								\
	while (__off < (e)->target_offset) {			\
		__m = (void *)(e) + __off;			\
		__rc = fn(__m , ## args);			\
		if (__rc != 0)					\
			break;					\
		__off += __m->u.match_size;			\
	}							\
	__rc;							\
})
325
/* Walk the entries in a table blob of `size' bytes starting at `entries',
 * calling fn(entry, args...) on each.  fn returns 0 to continue iteration;
 * the first non-zero return stops the walk and becomes the value of the
 * expression (0 if every entry was visited).
 *
 * Security note: the walk advances by each entry's own next_offset and
 * only checks that an entry *starts* below `size', not that a whole
 * struct ipt_entry fits.  For tables received via IPT_SO_SET_REPLACE that
 * field is user-supplied; a next_offset of 0 never advances, so callers
 * must have validated every entry's offsets against `size' before
 * iterating. */
#define IPT_ENTRY_ITERATE(entries, size, fn, args...)		\
({								\
	struct ipt_entry *__ent;				\
	unsigned int __pos = 0;					\
	int __rc = 0;						\
								\
	while (__pos < (size)) {				\
		__ent = (void *)(entries) + __pos;		\
		__rc = fn(__ent , ## args);			\
		if (__rc != 0)					\
			break;					\
		__pos += __ent->next_offset;			\
	}							\
	__rc;							\
})
342
343/*
344 *	Main firewall chains definitions and global var's definitions.
345 */
346#endif /* _IPTABLES_H */
347