1/*
2 * 25-Jul-1998 Major changes to allow for ip chain table
3 *
4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
5 */
6
7/*
8 * 	Format of an IP6 firewall descriptor
9 *
10 * 	src, dst, src_mask, dst_mask are always stored in network byte order.
11 * 	flags are stored in host byte order (of course).
12 * 	Port numbers are stored in HOST byte order.
13 */
14
15#ifndef _IP6_TABLES_H
16#define _IP6_TABLES_H
17
18#include <linux/types.h>
19
20#include <linux/netfilter_ipv6.h>
21
22#include <linux/netfilter/x_tables.h>
23
/*
 * ip6_tables is a thin layer over the generic xtables core: the name
 * limits and the match/target/table/revision types are the x_tables.h
 * ones re-exported under IP6T_/ip6t_ names (presumably kept so code
 * written against the older ip6-specific API keeps compiling).
 */
#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN

#define ip6t_match xt_match
#define ip6t_target xt_target
#define ip6t_table xt_table
#define ip6t_get_revision xt_get_revision
31
/*
 * IPv6-header part of a rule: the fields the core matcher compares before
 * any extension matches run.
 *
 * Yes, Virginia, you have to zero the padding.  The structure ends with a
 * u16 and three u8s, so the compiler leaves tail padding after invflags;
 * memset() the whole structure before filling it in.  Presumably this is
 * because rules are compared bytewise (e.g. delete-by-specification) and
 * because the structure is copied to the kernel: uninitialised padding
 * would leak stack bytes and make otherwise equal rules compare unequal.
 * Confirm against the users of this structure.
 */
struct ip6t_ip6 {
	/* Source and destination IP6 addr (network byte order, see top of file) */
	struct in6_addr src, dst;
	/* Mask for src and dest IP6 addr (network byte order) */
	struct in6_addr smsk, dmsk;
	/* Interface names plus per-byte masks saying which bytes of the name
	 * are significant.  NOTE(review): the conventional reading is that an
	 * all-zero mask means "any interface"; this header does not establish
	 * that — confirm in the matcher. */
	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

	/* Upper protocol number
	 * - The allowed value is 0 (any) or protocol number of last parsable
	 *   header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
	 *   the non IPv6 extension headers.
	 * - The protocol numbers of IPv6 extension headers except of ESP and
	 *   MH do not match any packets.
	 * - You also need to set IP6T_F_PROTO in "flags" to check protocol;
	 *   without that bit proto is not consulted.
	 */
	u_int16_t proto;
	/* TOS to match iff flags & IP6T_F_TOS (for IPv6 this is presumably
	 * the traffic-class byte) */
	u_int8_t tos;

	/* Flags word: IP6T_F_* bits; IP6T_F_MASK covers every defined bit */
	u_int8_t flags;
	/* Inverse flags: IP6T_INV_* bits, each negating one comparison */
	u_int8_t invflags;
};
58
/* Per-rule match, target and counter records are the generic xtables ones. */
#define ip6t_entry_match xt_entry_match
#define ip6t_entry_target xt_entry_target
#define ip6t_standard_target xt_standard_target

#define ip6t_counters	xt_counters
64
/* Values for the "flags" field in struct ip6t_ip6 (general ip6 structure).
 * IP6T_F_MASK is the union of all defined bits; a rule with bits outside
 * it is presumably rejected when the kernel checks the entry — confirm in
 * the entry checker. */
#define IP6T_F_PROTO		0x01	/* Set if rule cares about upper
					   protocols */
#define IP6T_F_TOS		0x02	/* Match the TOS. */
#define IP6T_F_GOTO		0x04	/* Set if jump is a goto */
#define IP6T_F_MASK		0x07	/* All possible flag bits mask. */
71
/* Values for the "invflags" field in struct ip6t_ip6.  Each bit inverts
 * the sense of one test.  IP6T_INV_PROTO is the shared xtables value
 * (presumably 0x40, the only bit left under IP6T_INV_MASK).  Note there
 * is no IP6T_F_FRAG counterpart for IP6T_INV_FRAG in this header. */
#define IP6T_INV_VIA_IN		0x01	/* Invert the sense of IN IFACE. */
#define IP6T_INV_VIA_OUT		0x02	/* Invert the sense of OUT IFACE */
#define IP6T_INV_TOS		0x04	/* Invert the sense of TOS. */
#define IP6T_INV_SRCIP		0x08	/* Invert the sense of SRC IP. */
#define IP6T_INV_DSTIP		0x10	/* Invert the sense of DST IP. */
#define IP6T_INV_FRAG		0x20	/* Invert the sense of FRAG. */
#define IP6T_INV_PROTO		XT_INV_PROTO
#define IP6T_INV_MASK		0x7F	/* All possible flag bits mask. */
81
/* This structure defines each of the firewall rules.  Consists of 3
   parts which are 1) general IP header stuff 2) match specific
   stuff 3) the target to perform if the rule matches.

   Parts 2 and 3 are variable length and live in elems[]; target_offset
   and next_offset locate them.  Both offsets arrive from userspace (via
   IP6T_SO_SET_REPLACE) and are what every walk over a table trusts, so
   they must be range-checked against the table blob before use —
   nothing in this header does that. */
struct ip6t_entry {
	struct ip6t_ip6 ipv6;

	/* Mark with fields that we care about. */
	unsigned int nfcache;

	/* Size of ip6t_entry + matches, i.e. byte offset of the target */
	u_int16_t target_offset;
	/* Size of ip6t_entry + matches + target, i.e. byte offset of the
	   next entry */
	u_int16_t next_offset;

	/* Back pointer (kernel bookkeeping, presumably used while checking
	   chains; userspace should leave it zero — confirm) */
	unsigned int comefrom;

	/* Packet and byte counters. */
	struct xt_counters counters;

	/* The matches (if any), then the target. */
	unsigned char elems[0];
};
105
/* Standard entry: a rule with no matches whose target is the built-in
   standard target (a verdict or a jump).  Built by IP6T_STANDARD_INIT. */
struct ip6t_standard {
	struct ip6t_entry entry;
	struct ip6t_standard_target target;
};
111
/* Error target: carries a name in errorname.  The name must fit in
   IP6T_FUNCTION_MAXNAMELEN including its NUL terminator; the kernel
   presumably rejects an unterminated one — confirm in the target check. */
struct ip6t_error_target {
	struct ip6t_entry_target target;
	char errorname[IP6T_FUNCTION_MAXNAMELEN];
};
116
/* Error entry: a rule with no matches whose target is an error target.
   IP6T_ERROR_INIT builds the one named "ERROR" (presumably the entry that
   terminates a table). */
struct ip6t_error {
	struct ip6t_entry entry;
	struct ip6t_error_target target;
};
121
/* Initialiser for the fixed part of an entry with no matches: the target
 * starts right after struct ip6t_entry and the entry is __size bytes. */
#define IP6T_ENTRY_INIT(__size)						       \
{									       \
	.target_offset	= sizeof(struct ip6t_entry),			       \
	.next_offset	= (__size),					       \
}

/* A complete standard entry.  The verdict is stored as -(__verdict) - 1,
 * keeping stored verdicts negative and distinct from non-negative jump
 * offsets (presumably the standard-target encoding behind XT_RETURN and
 * XT_CONTINUE — confirm in x_tables.h). */
#define IP6T_STANDARD_INIT(__verdict)					       \
{									       \
	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
	.target		= XT_TARGET_INIT(IP6T_STANDARD_TARGET,		       \
					 sizeof(struct ip6t_standard_target)), \
	.target.verdict	= -(__verdict) - 1,				       \
}

/* A complete error entry whose errorname is the literal "ERROR". */
#define IP6T_ERROR_INIT							       \
{									       \
	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),	       \
	.target		= XT_TARGET_INIT(IP6T_ERROR_TARGET,		       \
					 sizeof(struct ip6t_error_target)),    \
	.target.errorname = "ERROR",					       \
}
143
/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD, Linux inherits IP options, so you don't have to use
 * a raw socket for this.  Instead we check rights in the calls: the
 * kernel checks the caller's privilege on every call (presumably
 * CAP_NET_ADMIN — confirm in the sockopt handlers).
 *
 * The SET and GET series reuse the same numbers: IP6T_SO_SET_REPLACE and
 * IP6T_SO_GET_INFO are both IP6T_BASE_CTL and are told apart only by
 * whether setsockopt() or getsockopt() is used.  GET skips +2 and +3
 * (presumably retired values; do not reuse them).
 *
 * ATTENTION: check linux/in6.h before adding new number here.
 */
#define IP6T_BASE_CTL			64

#define IP6T_SO_SET_REPLACE		(IP6T_BASE_CTL)
#define IP6T_SO_SET_ADD_COUNTERS	(IP6T_BASE_CTL + 1)
#define IP6T_SO_SET_MAX			IP6T_SO_SET_ADD_COUNTERS

#define IP6T_SO_GET_INFO		(IP6T_BASE_CTL)
#define IP6T_SO_GET_ENTRIES		(IP6T_BASE_CTL + 1)
#define IP6T_SO_GET_REVISION_MATCH	(IP6T_BASE_CTL + 4)
#define IP6T_SO_GET_REVISION_TARGET	(IP6T_BASE_CTL + 5)
#define IP6T_SO_GET_MAX			IP6T_SO_GET_REVISION_TARGET
162
/* CONTINUE verdict for targets (generic xtables value) */
#define IP6T_CONTINUE XT_CONTINUE

/* For standard target: return from the current chain (generic xtables value) */
#define IP6T_RETURN XT_RETURN
168
169/* TCP/UDP matching stuff */
170#include <linux/netfilter/xt_tcpudp.h>
171
/* TCP and UDP match structures are the shared xt_tcpudp.h ones. */
#define ip6t_tcp xt_tcp
#define ip6t_udp xt_udp

/* Values for the inverse-flags field in struct ip6t_tcp (alias of xt_tcp). */
#define IP6T_TCP_INV_SRCPT	XT_TCP_INV_SRCPT
#define IP6T_TCP_INV_DSTPT	XT_TCP_INV_DSTPT
#define IP6T_TCP_INV_FLAGS	XT_TCP_INV_FLAGS
#define IP6T_TCP_INV_OPTION	XT_TCP_INV_OPTION
#define IP6T_TCP_INV_MASK	XT_TCP_INV_MASK

/* Values for the inverse-flags field in struct ip6t_udp (alias of xt_udp). */
#define IP6T_UDP_INV_SRCPT	XT_UDP_INV_SRCPT
#define IP6T_UDP_INV_DSTPT	XT_UDP_INV_DSTPT
#define IP6T_UDP_INV_MASK	XT_UDP_INV_MASK
186
/* ICMP matching stuff: match on a type and a range of codes; the whole
 * test is negated when IP6T_ICMP_INV is set in invflags. */
struct ip6t_icmp {
	u_int8_t type;				/* type to match */
	u_int8_t code[2];			/* range of code: code[0]..code[1]
						   (presumably inclusive; confirm) */
	u_int8_t invflags;			/* Inverse flags (IP6T_ICMP_INV) */
};

/* Values for "invflags" field for struct ip6t_icmp. */
#define IP6T_ICMP_INV	0x01	/* Invert the sense of type/code test */
196
/* The argument to IP6T_SO_GET_INFO: ask the kernel to describe a table.
 * Only name is input; NUL-terminate it within IP6T_TABLE_MAXNAMELEN (the
 * kernel presumably forces termination itself, but do not rely on it).
 * The returned size and num_entries are what a following
 * IP6T_SO_GET_ENTRIES has to pass back and size its buffer by. */
struct ip6t_getinfo {
	/* Which table: caller fills this in. */
	char name[IP6T_TABLE_MAXNAMELEN];

	/* Kernel fills these in. */
	/* Which hook entry points are valid: bitmask */
	unsigned int valid_hooks;

	/* Hook entry points: one per netfilter hook (presumably byte offsets
	 * into the entry blob; only those in valid_hooks are meaningful). */
	unsigned int hook_entry[NF_INET_NUMHOOKS];

	/* Underflow points (presumably the entry reached when a built-in
	 * chain runs off its end, i.e. its policy). */
	unsigned int underflow[NF_INET_NUMHOOKS];

	/* Number of entries */
	unsigned int num_entries;

	/* Size of entries, in bytes. */
	unsigned int size;
};
218
/* The argument to IP6T_SO_SET_REPLACE: swap in a whole new table.
 *
 * Everything here is untrusted input to the kernel.  num_entries, size,
 * hook_entry[] and underflow[] describe the entries[] blob that follows
 * the structure, and each entry's own target_offset/next_offset chain
 * through it; all of them have to be checked against size before the
 * blob is walked.  counters points back into the caller's memory and must
 * have room for num_counters struct xt_counters.  Because of that pointer
 * the structure's layout depends on pointer width, so 32-bit callers on a
 * 64-bit kernel presumably need a compat translation — confirm. */
struct ip6t_replace {
	/* Which table. */
	char name[IP6T_TABLE_MAXNAMELEN];

	/* Which hook entry points are valid: bitmask.  You can't
	   change this. */
	unsigned int valid_hooks;

	/* Number of entries */
	unsigned int num_entries;

	/* Total size of new entries, in bytes */
	unsigned int size;

	/* Hook entry points. */
	unsigned int hook_entry[NF_INET_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_INET_NUMHOOKS];

	/* Information about old entries: */
	/* Number of counters (must be equal to current number of entries). */
	unsigned int num_counters;
	/* The old entries' counters (user-space buffer; presumably the kernel
	   writes the replaced table's counters into it). */
	struct xt_counters *counters;

	/* The entries (hang off end: not really an array). */
	struct ip6t_entry entries[0];
};
249
/* The argument to IP6T_SO_SET_ADD_COUNTERS (generic xtables layout). */
#define ip6t_counters_info xt_counters_info
252
/* The argument to IP6T_SO_GET_ENTRIES: dump a table's entries.
 * The caller allocates sizeof(struct ip6t_get_entries) + size bytes, with
 * size taken from a preceding IP6T_SO_GET_INFO.  The table can change
 * between the two calls; the kernel presumably rejects a size that no
 * longer matches, so callers should be prepared to retry. */
struct ip6t_get_entries {
	/* Which table: user fills this in. */
	char name[IP6T_TABLE_MAXNAMELEN];

	/* User fills this in: total entry size, in bytes. */
	unsigned int size;

	/* The entries. */
	struct ip6t_entry entrytable[0];
};
264
/* Standard return verdict, or do jump (generic xtables value). */
#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict (generic xtables value). */
#define IP6T_ERROR_TARGET XT_ERROR_TARGET
269
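/* Helper functions */

/*
 * Locate the target record that follows an entry's matches.
 *
 * Returns e + e->target_offset.  Nothing here checks that target_offset
 * lies inside the entry (below next_offset, with room for a
 * struct ip6t_entry_target): target_offset comes from userspace via
 * IP6T_SO_SET_REPLACE, so only call this on entries that have already
 * been validated — presumably the kernel's table-replace path does that
 * before any walk; confirm.
 *
 * The byte arithmetic is done on an unsigned char pointer rather than on
 * void * (arithmetic on void * is a GNU extension, not ISO C).
 */
static __inline__ struct ip6t_entry_target *
ip6t_get_target(struct ip6t_entry *e)
{
	return (struct ip6t_entry_target *)
		((unsigned char *)e + e->target_offset);
}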
276
/* Walk the matches of one entry: fn(match, args...) is called for each
 * match in order and returns 0 to continue iteration.  Presumably a
 * non-zero return stops the walk and becomes the macro's value (the
 * XT_MATCH_ITERATE contract in x_tables.h — confirm there).  Trusts the
 * entry's target_offset, see ip6t_get_target. */
#define IP6T_MATCH_ITERATE(e, fn, args...) \
	XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)

/* Walk every entry in the size-byte blob starting at entries; fn returns
 * 0 to continue iteration.  Presumably advances by each entry's
 * next_offset, so the blob must already have been range-checked. */
#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
	XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
284
/*
 *	Main firewall chain definitions and global variable definitions:
 *	nothing follows this comment in the header any more — presumably a
 *	leftover from an older layout of the file.
 */
288
289#endif /* _IP6_TABLES_H */