2 * 25-Jul-1998 Major changes to allow for ip chain table
4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
8 * Format of an IP6 firewall descriptor
10 * src, dst, src_mask, dst_mask are always stored in network byte order.
11 * flags are stored in host byte order (of course).
12 * Port numbers are stored in HOST byte order.
20 #include <linux/in6.h>
21 #include <linux/ipv6.h>
22 #include <linux/skbuff.h>
24 #include <linux/types.h>
25 #include <linux/compiler.h>
26 #include <linux/netfilter_ipv6.h>
28 #include <linux/netfilter/x_tables.h>
31 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
32 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
33 #define ip6t_match xt_match
34 #define ip6t_target xt_target
35 #define ip6t_table xt_table
36 #define ip6t_get_revision xt_get_revision
37 #define ip6t_entry_match xt_entry_match
38 #define ip6t_entry_target xt_entry_target
39 #define ip6t_standard_target xt_standard_target
40 #define ip6t_counters xt_counters
43 /* Yes, Virginia, you have to zero the padding. */
45 /* Source and destination IP6 addr */
46 struct in6_addr src, dst;
47 /* Mask for src and dest IP6 addr */
48 struct in6_addr smsk, dmsk;
49 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
50 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
52 /* Upper protocol number
53 * - The allowed value is 0 (any) or protocol number of last parsable
54 * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
55 * the non IPv6 extension headers.
56 * - The protocol numbers of IPv6 extension headers except of ESP and
57 * MH do not match any packets.
58 * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
61 /* TOS to match iff flags & IP6T_F_TOS */
70 /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
71 #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
73 #define IP6T_F_TOS 0x02 /* Match the TOS. */
74 #define IP6T_F_GOTO 0x04 /* Set if jump is a goto */
75 #define IP6T_F_MASK 0x07 /* All possible flag bits mask. */
77 /* Values for "inv" field in struct ip6t_ip6. */
78 #define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
79 #define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
80 #define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */
81 #define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
82 #define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
83 #define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */
84 #define IP6T_INV_PROTO XT_INV_PROTO
85 #define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */
87 /* This structure defines each of the firewall rules. Consists of 3
88 parts which are 1) general IP header stuff 2) match specific
89 stuff 3) the target to perform if the rule matches */
93 /* Mark with fields that we care about. */
96 /* Size of ipt_entry + matches */
97 u_int16_t target_offset;
98 /* Size of ipt_entry + matches + target */
99 u_int16_t next_offset;
102 unsigned int comefrom;
104 /* Packet and byte counters. */
105 struct xt_counters counters;
107 /* The matches (if any), then the target. */
108 unsigned char elems[0];
112 struct ip6t_standard {
113 struct ip6t_entry entry;
114 struct xt_standard_target target;
117 struct ip6t_error_target {
118 struct xt_entry_target target;
119 char errorname[XT_FUNCTION_MAXNAMELEN];
123 struct ip6t_entry entry;
124 struct ip6t_error_target target;
127 #define IP6T_ENTRY_INIT(__size) \
129 .target_offset = sizeof(struct ip6t_entry), \
130 .next_offset = (__size), \
133 #define IP6T_STANDARD_INIT(__verdict) \
135 .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \
136 .target = XT_TARGET_INIT(IP6T_STANDARD_TARGET, \
137 sizeof(struct xt_standard_target)), \
138 .target.verdict = -(__verdict) - 1, \
141 #define IP6T_ERROR_INIT \
143 .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \
144 .target = XT_TARGET_INIT(IP6T_ERROR_TARGET, \
145 sizeof(struct ip6t_error_target)), \
146 .target.errorname = "ERROR", \
150 * New IP firewall options for [gs]etsockopt at the RAW IP level.
151 * Unlike BSD Linux inherits IP options so you don't have to use
152 * a raw socket for this. Instead we check rights in the calls.
154 * ATTENTION: check linux/in6.h before adding new number here.
156 #define IP6T_BASE_CTL 64
158 #define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL)
159 #define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1)
160 #define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS
162 #define IP6T_SO_GET_INFO (IP6T_BASE_CTL)
163 #define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1)
164 #define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4)
165 #define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5)
166 #define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET
168 /* CONTINUE verdict for targets */
169 #define IP6T_CONTINUE XT_CONTINUE
171 /* For standard target */
172 #define IP6T_RETURN XT_RETURN
174 /* TCP/UDP matching stuff */
175 #include <linux/netfilter/xt_tcpudp.h>
177 #define ip6t_tcp xt_tcp
178 #define ip6t_udp xt_udp
180 /* Values for "inv" field in struct ipt_tcp. */
181 #define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT
182 #define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT
183 #define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS
184 #define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION
185 #define IP6T_TCP_INV_MASK XT_TCP_INV_MASK
187 /* Values for "invflags" field in struct ipt_udp. */
188 #define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT
189 #define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT
190 #define IP6T_UDP_INV_MASK XT_UDP_INV_MASK
192 /* ICMP matching stuff */
194 u_int8_t type; /* type to match */
195 u_int8_t code[2]; /* range of code */
196 u_int8_t invflags; /* Inverse flags */
199 /* Values for "inv" field for struct ipt_icmp. */
200 #define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */
202 /* The argument to IP6T_SO_GET_INFO */
203 struct ip6t_getinfo {
204 /* Which table: caller fills this in. */
205 char name[XT_TABLE_MAXNAMELEN];
207 /* Kernel fills these in. */
208 /* Which hook entry points are valid: bitmask */
209 unsigned int valid_hooks;
211 /* Hook entry points: one per netfilter hook. */
212 unsigned int hook_entry[NF_INET_NUMHOOKS];
214 /* Underflow points. */
215 unsigned int underflow[NF_INET_NUMHOOKS];
217 /* Number of entries */
218 unsigned int num_entries;
220 /* Size of entries. */
224 /* The argument to IP6T_SO_SET_REPLACE. */
225 struct ip6t_replace {
227 char name[XT_TABLE_MAXNAMELEN];
229 /* Which hook entry points are valid: bitmask. You can't
231 unsigned int valid_hooks;
233 /* Number of entries */
234 unsigned int num_entries;
236 /* Total size of new entries */
239 /* Hook entry points. */
240 unsigned int hook_entry[NF_INET_NUMHOOKS];
242 /* Underflow points. */
243 unsigned int underflow[NF_INET_NUMHOOKS];
245 /* Information about old entries: */
246 /* Number of counters (must be equal to current number of entries). */
247 unsigned int num_counters;
248 /* The old entries' counters. */
249 struct xt_counters __user *counters;
251 /* The entries (hang off end: not really an array). */
252 struct ip6t_entry entries[0];
255 /* The argument to IP6T_SO_ADD_COUNTERS. */
256 #define ip6t_counters_info xt_counters_info
258 /* The argument to IP6T_SO_GET_ENTRIES. */
259 struct ip6t_get_entries {
260 /* Which table: user fills this in. */
261 char name[XT_TABLE_MAXNAMELEN];
263 /* User fills this in: total entry size. */
267 struct ip6t_entry entrytable[0];
270 /* Standard return verdict, or do jump. */
271 #define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
273 #define IP6T_ERROR_TARGET XT_ERROR_TARGET
275 /* Helper functions */
276 static __inline__ struct xt_entry_target *
277 ip6t_get_target(struct ip6t_entry *e)
279 return (void *)e + e->target_offset;
283 /* fn returns 0 to continue iteration */
284 #define IP6T_MATCH_ITERATE(e, fn, args...) \
285 XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
287 /* fn returns 0 to continue iteration */
288 #define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
289 XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
293 * Main firewall chains definitions and global var's definitions.
298 #include <linux/init.h>
299 extern void ip6t_init(void) __init;
301 extern void *ip6t_alloc_initial_table(const struct xt_table *);
302 extern struct xt_table *ip6t_register_table(struct net *net,
303 const struct xt_table *table,
304 const struct ip6t_replace *repl);
305 extern void ip6t_unregister_table(struct net *net, struct xt_table *table);
306 extern unsigned int ip6t_do_table(struct sk_buff *skb,
308 const struct net_device *in,
309 const struct net_device *out,
310 struct xt_table *table);
312 /* Check for an extension */
313 extern int ip6t_ext_hdr(u8 nexthdr);
314 /* find specified header and get offset to it */
315 extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
316 int target, unsigned short *fragoff);
318 #define IP6T_ALIGN(s) XT_ALIGN(s)
321 #include <net/compat.h>
323 struct compat_ip6t_entry {
324 struct ip6t_ip6 ipv6;
325 compat_uint_t nfcache;
326 u_int16_t target_offset;
327 u_int16_t next_offset;
328 compat_uint_t comefrom;
329 struct compat_xt_counters counters;
330 unsigned char elems[0];
333 static inline struct xt_entry_target *
334 compat_ip6t_get_target(struct compat_ip6t_entry *e)
336 return (void *)e + e->target_offset;
339 #define COMPAT_IP6T_ALIGN(s) COMPAT_XT_ALIGN(s)
341 #endif /* CONFIG_COMPAT */
342 #endif /*__KERNEL__*/
343 #endif /* _IP6_TABLES_H */