include/linux/netfilter_ipv4/ip_tables.h
/*
 * 25-Jul-1998 Major changes to allow for ip chain table
 *
 * 3-Jan-2000 Named tables to allow packet selection for different uses.
 */

/*
 * Format of an IP firewall descriptor
 *
 * src, dst, src_mask, dst_mask are always stored in network byte order.
 * flags are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 *
 * This header is shared between the kernel and userspace: the structures
 * below are copied across the user/kernel boundary by the IPT_SO_* socket
 * options, so their layout is ABI and must not be reordered or resized.
 */
#ifndef _IPTABLES_H
#define _IPTABLES_H

/* Internal networking headers are only available to the kernel build. */
#ifdef __KERNEL__
#include <linux/if.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
#endif
#include <linux/types.h>
#include <linux/compiler.h>
#include <linux/netfilter_ipv4.h>

/* ip_tables is a thin IPv4-specific layer over the generic x_tables core. */
#include <linux/netfilter/x_tables.h>
/*
 * Userspace-only backwards compatibility: the legacy ipt_* / IPT_* spellings
 * map directly onto their x_tables equivalents.  The kernel build uses the
 * xt_* names itself and does not see this section.
 */
#ifndef __KERNEL__
#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define ipt_match xt_match
#define ipt_target xt_target
#define ipt_table xt_table
#define ipt_get_revision xt_get_revision
#define ipt_entry_match xt_entry_match
#define ipt_entry_target xt_entry_target
#define ipt_standard_target xt_standard_target
#define ipt_error_target xt_error_target
#define ipt_counters xt_counters
#define IPT_CONTINUE XT_CONTINUE
#define IPT_RETURN XT_RETURN

/* This group is older than old (iptables < v1.4.0-rc1~89) */
#include <linux/netfilter/xt_tcpudp.h>
#define ipt_udp xt_udp
#define ipt_tcp xt_tcp
#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT
#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT
#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS
#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION
#define IPT_TCP_INV_MASK XT_TCP_INV_MASK
#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT
#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT
#define IPT_UDP_INV_MASK XT_UDP_INV_MASK

/* The argument to IPT_SO_ADD_COUNTERS. */
#define ipt_counters_info xt_counters_info

/* Standard return verdict, or do jump. */
#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict. */
#define IPT_ERROR_TARGET XT_ERROR_TARGET

/*
 * Iteration helpers.  Both walk variable-length records using the offsets
 * stored inside each entry, so the blob must have been size-checked before
 * they are applied to untrusted data.
 */
/* fn returns 0 to continue iteration */
#define IPT_MATCH_ITERATE(e, fn, args...) \
	XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)

/* fn returns 0 to continue iteration */
#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
	XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
#endif
/*
 * IP-header part of a rule.  This is the first member of struct ipt_entry
 * and travels inside the entry blob exchanged with userspace, so the padding
 * bytes are part of what gets copied.
 *
 * Yes, Virginia, you have to zero the padding.
 */
struct ipt_ip {
	/* Source and destination IP addr */
	struct in_addr src, dst;
	/* Mask for src and dest IP addr */
	struct in_addr smsk, dmsk;
	/*
	 * Interface names and their per-character masks.  Both are fixed-width
	 * fields supplied by userspace; NUL termination is not guaranteed by
	 * the layout itself.
	 */
	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];

	/* Protocol, 0 = ANY */
	__u16 proto;

	/* Flags word: IPT_F_* bits, see below */
	__u8 flags;
	/* Inverse flags: IPT_INV_* bits, see below */
	__u8 invflags;
};
/* Values for "flag" field in struct ipt_ip (general ip structure). */
#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
#define IPT_F_GOTO 0x02 /* Set if jump is a goto */
#define IPT_F_MASK 0x03 /* All possible flag bits mask. */

/* Values for "inv" field in struct ipt_ip. */
#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */
#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST IP. */
#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */
/* Shared with x_tables; presumably the remaining 0x40 bit - verify against x_tables.h. */
#define IPT_INV_PROTO XT_INV_PROTO
/*
 * All possible flag bits mask.  The *_MASK values are the natural check for
 * rejecting user-supplied flag words that set bits this kernel does not
 * understand.
 */
#define IPT_INV_MASK 0x7F

/*
 * This structure defines each of the firewall rules.  Consists of 3 parts
 * which are
 *	1) general IP header stuff
 *	2) match specific stuff
 *	3) the target to perform if the rule matches
 */
struct ipt_entry {
	struct ipt_ip ip;

	/* Mark with fields that we care about. */
	unsigned int nfcache;

	/*
	 * Size of ipt_entry + matches.  Byte offset from the start of this
	 * entry to its target record; ipt_get_target() adds it without any
	 * check, so it must be validated against next_offset and the size of
	 * the enclosing blob before an entry received from userspace is used.
	 */
	__u16 target_offset;
	/* Size of ipt_entry + matches + target: offset to the next entry. */
	__u16 next_offset;

	/* Back pointer */
	unsigned int comefrom;

	/* Packet and byte counters. */
	struct xt_counters counters;

	/* The matches (if any), then the target. */
	unsigned char elems[0];
};

/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * Unlike BSD Linux inherits IP options so you don't have to use a raw
 * socket for this. Instead we check rights in the calls.
 *
 * ATTENTION: check linux/in.h before adding new number here.
 *
 * The SET and GET numbers are independent ranges that both start at
 * IPT_BASE_CTL; the *_MAX values bound what the handlers accept.
 */
#define IPT_BASE_CTL 64

#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS

#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
|
/* ICMP matching stuff: match data for the builtin icmp match. */
struct ipt_icmp {
	__u8 type; /* type to match */
	__u8 code[2]; /* range of code; presumably inclusive [code[0], code[1]] - confirm in the match */
	__u8 invflags; /* Inverse flags: IPT_ICMP_INV */
};

/* Values for "inv" field for struct ipt_icmp. */
#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */

/* The argument to IPT_SO_GET_INFO */
struct ipt_getinfo {
	/*
	 * Which table: caller fills this in.  Caller-controlled and not
	 * guaranteed to be NUL-terminated; consumers should terminate it
	 * before treating it as a C string.
	 */
	char name[XT_TABLE_MAXNAMELEN];

	/* Kernel fills these in. */
	/* Which hook entry points are valid: bitmask */
	unsigned int valid_hooks;

	/* Hook entry points: one per netfilter hook. */
	unsigned int hook_entry[NF_INET_NUMHOOKS];

	/* Underflow points. */
	unsigned int underflow[NF_INET_NUMHOOKS];

	/* Number of entries */
	unsigned int num_entries;

	/* Size of entries. */
	unsigned int size;
};

/* The argument to IPT_SO_SET_REPLACE. */
/*
 * Every field of this structure arrives from userspace.  size, num_entries,
 * hook_entry[] and underflow[] describe the entry blob that follows and
 * need to be checked against each other and against the real blob length
 * before any entry is walked.
 */
struct ipt_replace {
	/* Which table. */
	char name[XT_TABLE_MAXNAMELEN];

	/* Which hook entry points are valid: bitmask. You can't change this. */
	unsigned int valid_hooks;

	/* Number of entries */
	unsigned int num_entries;

	/* Total size of new entries */
	unsigned int size;

	/* Hook entry points: byte offsets into the entry blob. */
	unsigned int hook_entry[NF_INET_NUMHOOKS];

	/* Underflow points: byte offsets into the entry blob. */
	unsigned int underflow[NF_INET_NUMHOOKS];

	/* Information about old entries: */
	/* Number of counters (must be equal to current number of entries). */
	unsigned int num_counters;
	/*
	 * The old entries' counters.  A userspace address (note __user): only
	 * to be written through the copy-to-user helpers, never dereferenced.
	 */
	struct xt_counters __user *counters;

	/*
	 * The entries (hang off end: not really an array).  Records are
	 * variable-length and are chained via each entry's next_offset.
	 */
	struct ipt_entry entries[0];
};
/* The argument to IPT_SO_GET_ENTRIES. */
struct ipt_get_entries {
	/* Which table: user fills this in. */
	char name[XT_TABLE_MAXNAMELEN];

	/*
	 * User fills this in: total entry size.  This is the caller's claim of
	 * how much room follows; it bounds what the kernel may copy out.
	 */
	unsigned int size;

	/* The entries: variable-length records, chained via next_offset. */
	struct ipt_entry entrytable[0];
};
/* Helper functions */ |
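/**
 * ipt_get_target - locate the target record of a rule
 * @e: rule entry; its matches (if any) and then its target follow it in memory
 *
 * Returns a pointer to the xt_entry_target that sits e->target_offset bytes
 * past the start of @e.  No validation happens here: target_offset is a
 * 16-bit value that originates in the userspace rule blob, so the entry
 * must already have been bounds-checked by the caller before the result is
 * dereferenced.
 *
 * The offset is applied to a char pointer rather than a void pointer: byte
 * arithmetic on void * is a GNU extension, and this helper is outside the
 * __KERNEL__ section, so it is also compiled by userspace tools.
 */
static __inline__ struct xt_entry_target *
ipt_get_target(struct ipt_entry *e)
{
	return (struct xt_entry_target *)((char *)e + e->target_offset);
}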
/*
 * Main firewall chains definitions and global var's definitions.
 */
#ifdef __KERNEL__

#include <linux/init.h>
extern void ipt_init(void) __init;

/*
 * Register @table in namespace @net, seeding it from the rule blob in
 * @repl.  Returns the live xt_table on success; the failure encoding is not
 * visible in this header, so callers must check the result per ip_tables.c.
 */
extern struct xt_table *ipt_register_table(struct net *net,
					   const struct xt_table *table,
					   const struct ipt_replace *repl);
extern void ipt_unregister_table(struct net *net, struct xt_table *table);
|
/*
 * Standard entry: a rule with no matches whose target is the builtin
 * verdict/jump target.  IPT_STANDARD_INIT below produces this layout, with
 * entry.target_offset == sizeof(struct ipt_entry) and
 * entry.next_offset == sizeof(struct ipt_standard).
 */
struct ipt_standard {
	struct ipt_entry entry;
	struct xt_standard_target target;
};
/*
 * Error entry: a rule with no matches whose target is the builtin error
 * target.  IPT_ERROR_INIT below produces this layout.
 */
struct ipt_error {
	struct ipt_entry entry;
	struct xt_error_target target;
};
/*
 * Designated initialisers for the kernel's built-in rules.  Each one sets
 * the two offsets so that the target immediately follows the ipt_entry
 * header (no matches) and the next entry follows at __size.
 */
#define IPT_ENTRY_INIT(__size) \
{ \
	.target_offset = sizeof(struct ipt_entry), \
	.next_offset = (__size), \
}

/*
 * Standard rule returning __verdict.  The verdict is stored as
 * -(__verdict) - 1; presumably so that non-negative values stay free for
 * use as jump offsets - confirm against the standard-target handling.
 */
#define IPT_STANDARD_INIT(__verdict) \
{ \
	.entry = IPT_ENTRY_INIT(sizeof(struct ipt_standard)), \
	.target = XT_TARGET_INIT(XT_STANDARD_TARGET, \
				 sizeof(struct xt_standard_target)), \
	.target.verdict = -(__verdict) - 1, \
}

/* Error rule; the errorname string is part of the target record. */
#define IPT_ERROR_INIT \
{ \
	.entry = IPT_ENTRY_INIT(sizeof(struct ipt_error)), \
	.target = XT_TARGET_INIT(XT_ERROR_TARGET, \
				 sizeof(struct xt_error_target)), \
	.target.errorname = "ERROR", \
}
/*
 * Build the initial replace blob for a table.  Returns an allocation that
 * the caller owns; whether NULL or an error pointer signals failure is not
 * visible here - check ip_tables.c before relying on either.
 */
extern void *ipt_alloc_initial_table(const struct xt_table *);

/*
 * Packet path: evaluate @table for @skb at netfilter hook @hook and return
 * the verdict.  @in / @out are the ingress / egress devices, either of
 * which may be absent depending on the hook.
 */
extern unsigned int ipt_do_table(struct sk_buff *skb,
				 unsigned int hook,
				 const struct net_device *in,
				 const struct net_device *out,
				 struct xt_table *table);
|
#ifdef CONFIG_COMPAT
#include <net/compat.h>

/*
 * Layout of struct ipt_entry as seen by 32-bit userspace on a 64-bit
 * kernel.  Field order mirrors struct ipt_entry, with the integer and
 * counter members in their compat sizes; offsets therefore differ from the
 * native layout and the two must never be mixed on the same blob.
 */
struct compat_ipt_entry {
	struct ipt_ip ip;
	compat_uint_t nfcache;
	/* Same meaning as in struct ipt_entry: user-supplied, validate before use. */
	__u16 target_offset;
	__u16 next_offset;
	compat_uint_t comefrom;
	struct compat_xt_counters counters;
	unsigned char elems[0];
};
/* Helper functions */ |
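/**
 * compat_ipt_get_target - locate the target record of a compat rule
 * @e: compat-layout rule entry
 *
 * Compat counterpart of ipt_get_target(): returns the xt_entry_target
 * e->target_offset bytes past the start of @e.  Performs no validation;
 * target_offset comes from the 32-bit userspace blob and must have been
 * bounds-checked before the result is dereferenced.
 *
 * Uses char-pointer arithmetic rather than the GNU void-pointer extension,
 * matching ipt_get_target().
 */
static inline struct xt_entry_target *
compat_ipt_get_target(struct compat_ipt_entry *e)
{
	return (struct xt_entry_target *)((char *)e + e->target_offset);
}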
#endif /* CONFIG_COMPAT */ |
#endif /*__KERNEL__*/ #endif /* _IPTABLES_H */ |