2 * 25-Jul-1998 Major changes to allow for ip chain table
4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
8 * Format of an IP firewall descriptor
10 * src, dst, src_mask, dst_mask are always stored in network byte order.
11 * flags are stored in host byte order (of course).
12 * Port numbers are stored in HOST byte order.
18 #include <linux/netfilter_ipv4.h>
20 #define IPT_FUNCTION_MAXNAMELEN 30
21 #define IPT_TABLE_MAXNAMELEN 32
23 /* Yes, Virginia, you have to zero the padding. */
25 /* Source and destination IP addr */
26 struct in_addr src, dst;
27 /* Mask for src and dest IP addr */
28 struct in_addr smsk, dmsk;
29 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
30 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
32 /* Protocol, 0 = ANY */
41 struct ipt_entry_match
47 /* Used by userspace */
48 char name[IPT_FUNCTION_MAXNAMELEN-1];
55 /* Used inside the kernel */
56 struct ipt_match *match;
63 unsigned char data[0];
66 struct ipt_entry_target
70 u_int16_t target_size;
72 /* Used by userspace */
73 char name[IPT_FUNCTION_MAXNAMELEN-1];
78 u_int16_t target_size;
80 /* Used inside the kernel */
81 struct ipt_target *target;
85 u_int16_t target_size;
88 unsigned char data[0];
91 struct ipt_standard_target
93 struct ipt_entry_target target;
99 u_int64_t pcnt, bcnt; /* Packet and byte counters */
102 /* Values for "flag" field in struct ipt_ip (general ip structure). */
103 #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
104 #define IPT_F_MASK 0x01 /* All possible flag bits mask. */
106 /* Values for "inv" field in struct ipt_ip. */
107 #define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
108 #define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
109 #define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */
110 #define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
111 #define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
112 #define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */
113 #define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
114 #define IPT_INV_MASK 0x7F /* All possible flag bits mask. */
116 /* This structure defines each of the firewall rules. Consists of 3
117 parts which are 1) general IP header stuff 2) match specific
118 stuff 3) the target to perform if the rule matches */
123 /* Mark with fields that we care about. */
124 unsigned int nfcache;
126 /* Size of ipt_entry + matches */
127 u_int16_t target_offset;
128 /* Size of ipt_entry + matches + target */
129 u_int16_t next_offset;
132 unsigned int comefrom;
134 /* Packet and byte counters. */
135 struct ipt_counters counters;
137 /* The matches (if any), then the target. */
138 unsigned char elems[0];
142 * New IP firewall options for [gs]etsockopt at the RAW IP level.
143 * Unlike BSD Linux inherits IP options so you don't have to use a raw
144 * socket for this. Instead we check rights in the calls. */
145 #define IPT_BASE_CTL 64 /* base for firewall socket options */
147 #define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
148 #define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
149 #define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS
151 #define IPT_SO_GET_INFO (IPT_BASE_CTL)
152 #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
153 #define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
154 #define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
155 #define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
157 /* CONTINUE verdict for targets */
158 #define IPT_CONTINUE 0xFFFFFFFF
160 /* For standard target */
161 #define IPT_RETURN (-NF_MAX_VERDICT - 1)
163 /* TCP matching stuff */
166 u_int16_t spts[2]; /* Source port range. */
167 u_int16_t dpts[2]; /* Destination port range. */
168 u_int8_t option; /* TCP Option iff non-zero*/
169 u_int8_t flg_mask; /* TCP flags mask byte */
170 u_int8_t flg_cmp; /* TCP flags compare byte */
171 u_int8_t invflags; /* Inverse flags */
174 /* Values for "inv" field in struct ipt_tcp. */
175 #define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
176 #define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
177 #define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
178 #define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
179 #define IPT_TCP_INV_MASK 0x0F /* All possible flags. */
181 /* UDP matching stuff */
184 u_int16_t spts[2]; /* Source port range. */
185 u_int16_t dpts[2]; /* Destination port range. */
186 u_int8_t invflags; /* Inverse flags */
189 /* Values for "invflags" field in struct ipt_udp. */
190 #define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
191 #define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
192 #define IPT_UDP_INV_MASK 0x03 /* All possible flags. */
194 /* ICMP matching stuff */
197 u_int8_t type; /* type to match */
198 u_int8_t code[2]; /* range of code */
199 u_int8_t invflags; /* Inverse flags */
202 /* Values for "inv" field for struct ipt_icmp. */
203 #define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */
205 /* The argument to IPT_SO_GET_INFO */
208 /* Which table: caller fills this in. */
209 char name[IPT_TABLE_MAXNAMELEN];
211 /* Kernel fills these in. */
212 /* Which hook entry points are valid: bitmask */
213 unsigned int valid_hooks;
215 /* Hook entry points: one per netfilter hook. */
216 unsigned int hook_entry[NF_IP_NUMHOOKS];
218 /* Underflow points. */
219 unsigned int underflow[NF_IP_NUMHOOKS];
221 /* Number of entries */
222 unsigned int num_entries;
224 /* Size of entries. */
228 /* The argument to IPT_SO_SET_REPLACE. */
232 char name[IPT_TABLE_MAXNAMELEN];
234 /* Which hook entry points are valid: bitmask. You can't
236 unsigned int valid_hooks;
238 /* Number of entries */
239 unsigned int num_entries;
241 /* Total size of new entries */
244 /* Hook entry points. */
245 unsigned int hook_entry[NF_IP_NUMHOOKS];
247 /* Underflow points. */
248 unsigned int underflow[NF_IP_NUMHOOKS];
250 /* Information about old entries: */
251 /* Number of counters (must be equal to current number of entries). */
252 unsigned int num_counters;
254 /* The old entries' counters. */
255 struct ipt_counters *counters;
257 /* The entries (hang off end: not really an array). */
258 struct ipt_entry entries[0];
261 /* The argument to IPT_SO_ADD_COUNTERS. */
262 struct ipt_counters_info
265 char name[IPT_TABLE_MAXNAMELEN];
267 unsigned int num_counters;
269 /* The counters (actually `number' of these). */
270 struct ipt_counters counters[0];
273 /* The argument to IPT_SO_GET_ENTRIES. */
274 struct ipt_get_entries
276 /* Which table: user fills this in. */
277 char name[IPT_TABLE_MAXNAMELEN];
279 /* User fills this in: total entry size. */
283 struct ipt_entry entrytable[0];
286 /* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
287 * kernel supports, if >= revision. */
288 struct ipt_get_revision
290 char name[IPT_FUNCTION_MAXNAMELEN-1];
295 /* Standard return verdict, or do jump. */
296 #define IPT_STANDARD_TARGET ""
298 #define IPT_ERROR_TARGET "ERROR"
300 /* Helper functions */
301 static __inline__ struct ipt_entry_target *
302 ipt_get_target(struct ipt_entry *e)
304 return (void *)e + e->target_offset;
307 /* fn returns 0 to continue iteration */
308 #define IPT_MATCH_ITERATE(e, fn, args...) \
312 struct ipt_entry_match *__match; \
314 for (__i = sizeof(struct ipt_entry); \
315 __i < (e)->target_offset; \
316 __i += __match->u.match_size) { \
317 __match = (void *)(e) + __i; \
319 __ret = fn(__match , ## args); \
326 /* fn returns 0 to continue iteration */
327 #define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
331 struct ipt_entry *__entry; \
333 for (__i = 0; __i < (size); __i += __entry->next_offset) { \
334 __entry = (void *)(entries) + __i; \
336 __ret = fn(__entry , ## args); \
344 * Main firewall chains definitions and global var's definitions.
346 #endif /* _IPTABLES_H */
git://git.onelab.eu / iproute2.git / blob