Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
423 | giacomo | 1 | /* |
2 | * 25-Jul-1998 Major changes to allow for ip chain table |
||
3 | * |
||
4 | * 3-Jan-2000 Named tables to allow packet selection for different uses. |
||
5 | */ |
||
6 | |||
7 | /* |
||
8 | * Format of an IP firewall descriptor |
||
9 | * |
||
10 | * src, dst, src_mask, dst_mask are always stored in network byte order. |
||
11 | * flags are stored in host byte order (of course). |
||
12 | * Port numbers are stored in HOST byte order. |
||
13 | */ |
||
14 | |||
15 | #ifndef _IPTABLES_H |
||
16 | #define _IPTABLES_H |
||
17 | |||
18 | #ifdef __KERNEL__ |
||
19 | #include <linux/if.h> |
||
20 | #include <linux/types.h> |
||
21 | #include <linux/in.h> |
||
22 | #include <linux/ip.h> |
||
23 | #include <linux/skbuff.h> |
||
24 | #endif |
||
25 | #include <linux/netfilter_ipv4.h> |
||
26 | |||
27 | #define IPT_FUNCTION_MAXNAMELEN 30 |
||
28 | #define IPT_TABLE_MAXNAMELEN 32 |
||
29 | |||
30 | /* Yes, Virginia, you have to zero the padding. */ |
||
31 | struct ipt_ip { |
||
32 | /* Source and destination IP addr */ |
||
33 | struct in_addr src, dst; |
||
34 | /* Mask for src and dest IP addr */ |
||
35 | struct in_addr smsk, dmsk; |
||
36 | char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; |
||
37 | unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; |
||
38 | |||
39 | /* Protocol, 0 = ANY */ |
||
40 | u_int16_t proto; |
||
41 | |||
42 | /* Flags word */ |
||
43 | u_int8_t flags; |
||
44 | /* Inverse flags */ |
||
45 | u_int8_t invflags; |
||
46 | }; |
||
47 | |||
48 | struct ipt_entry_match |
||
49 | { |
||
50 | union { |
||
51 | struct { |
||
52 | u_int16_t match_size; |
||
53 | |||
54 | /* Used by userspace */ |
||
55 | char name[IPT_FUNCTION_MAXNAMELEN]; |
||
56 | } user; |
||
57 | struct { |
||
58 | u_int16_t match_size; |
||
59 | |||
60 | /* Used inside the kernel */ |
||
61 | struct ipt_match *match; |
||
62 | } kernel; |
||
63 | |||
64 | /* Total length */ |
||
65 | u_int16_t match_size; |
||
66 | } u; |
||
67 | |||
68 | unsigned char data[0]; |
||
69 | }; |
||
70 | |||
71 | struct ipt_entry_target |
||
72 | { |
||
73 | union { |
||
74 | struct { |
||
75 | u_int16_t target_size; |
||
76 | |||
77 | /* Used by userspace */ |
||
78 | char name[IPT_FUNCTION_MAXNAMELEN]; |
||
79 | } user; |
||
80 | struct { |
||
81 | u_int16_t target_size; |
||
82 | |||
83 | /* Used inside the kernel */ |
||
84 | struct ipt_target *target; |
||
85 | } kernel; |
||
86 | |||
87 | /* Total length */ |
||
88 | u_int16_t target_size; |
||
89 | } u; |
||
90 | |||
91 | unsigned char data[0]; |
||
92 | }; |
||
93 | |||
94 | struct ipt_standard_target |
||
95 | { |
||
96 | struct ipt_entry_target target; |
||
97 | int verdict; |
||
98 | }; |
||
99 | |||
100 | struct ipt_counters |
||
101 | { |
||
102 | u_int64_t pcnt, bcnt; /* Packet and byte counters */ |
||
103 | }; |
||
104 | |||
105 | /* Values for "flag" field in struct ipt_ip (general ip structure). */ |
||
106 | #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ |
||
107 | #define IPT_F_MASK 0x01 /* All possible flag bits mask. */ |
||
108 | |||
109 | /* Values for "inv" field in struct ipt_ip. */ |
||
110 | #define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ |
||
111 | #define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ |
||
112 | #define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */ |
||
113 | #define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ |
||
114 | #define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ |
||
115 | #define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */ |
||
116 | #define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ |
||
117 | #define IPT_INV_MASK 0x7F /* All possible flag bits mask. */ |
||
118 | |||
119 | /* This structure defines each of the firewall rules. Consists of 3 |
||
120 | parts which are 1) general IP header stuff 2) match specific |
||
121 | stuff 3) the target to perform if the rule matches */ |
||
122 | struct ipt_entry |
||
123 | { |
||
124 | struct ipt_ip ip; |
||
125 | |||
126 | /* Mark with fields that we care about. */ |
||
127 | unsigned int nfcache; |
||
128 | |||
129 | /* Size of ipt_entry + matches */ |
||
130 | u_int16_t target_offset; |
||
131 | /* Size of ipt_entry + matches + target */ |
||
132 | u_int16_t next_offset; |
||
133 | |||
134 | /* Back pointer */ |
||
135 | unsigned int comefrom; |
||
136 | |||
137 | /* Packet and byte counters. */ |
||
138 | struct ipt_counters counters; |
||
139 | |||
140 | /* The matches (if any), then the target. */ |
||
141 | unsigned char elems[0]; |
||
142 | }; |
||
143 | |||
144 | /* |
||
145 | * New IP firewall options for [gs]etsockopt at the RAW IP level. |
||
146 | * Unlike BSD Linux inherits IP options so you don't have to use a raw |
||
147 | * socket for this. Instead we check rights in the calls. */ |
||
148 | #define IPT_BASE_CTL 64 /* base for firewall socket options */ |
||
149 | |||
150 | #define IPT_SO_SET_REPLACE (IPT_BASE_CTL) |
||
151 | #define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) |
||
152 | #define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS |
||
153 | |||
154 | #define IPT_SO_GET_INFO (IPT_BASE_CTL) |
||
155 | #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) |
||
156 | #define IPT_SO_GET_MAX IPT_SO_GET_ENTRIES |
||
157 | |||
158 | /* CONTINUE verdict for targets */ |
||
159 | #define IPT_CONTINUE 0xFFFFFFFF |
||
160 | |||
161 | /* For standard target */ |
||
162 | #define IPT_RETURN (-NF_MAX_VERDICT - 1) |
||
163 | |||
164 | /* TCP matching stuff */ |
||
165 | struct ipt_tcp |
||
166 | { |
||
167 | u_int16_t spts[2]; /* Source port range. */ |
||
168 | u_int16_t dpts[2]; /* Destination port range. */ |
||
169 | u_int8_t option; /* TCP Option iff non-zero*/ |
||
170 | u_int8_t flg_mask; /* TCP flags mask byte */ |
||
171 | u_int8_t flg_cmp; /* TCP flags compare byte */ |
||
172 | u_int8_t invflags; /* Inverse flags */ |
||
173 | }; |
||
174 | |||
175 | /* Values for "inv" field in struct ipt_tcp. */ |
||
176 | #define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ |
||
177 | #define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ |
||
178 | #define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */ |
||
179 | #define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */ |
||
180 | #define IPT_TCP_INV_MASK 0x0F /* All possible flags. */ |
||
181 | |||
182 | /* UDP matching stuff */ |
||
183 | struct ipt_udp |
||
184 | { |
||
185 | u_int16_t spts[2]; /* Source port range. */ |
||
186 | u_int16_t dpts[2]; /* Destination port range. */ |
||
187 | u_int8_t invflags; /* Inverse flags */ |
||
188 | }; |
||
189 | |||
190 | /* Values for "invflags" field in struct ipt_udp. */ |
||
191 | #define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ |
||
192 | #define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ |
||
193 | #define IPT_UDP_INV_MASK 0x03 /* All possible flags. */ |
||
194 | |||
195 | /* ICMP matching stuff */ |
||
196 | struct ipt_icmp |
||
197 | { |
||
198 | u_int8_t type; /* type to match */ |
||
199 | u_int8_t code[2]; /* range of code */ |
||
200 | u_int8_t invflags; /* Inverse flags */ |
||
201 | }; |
||
202 | |||
203 | /* Values for "inv" field for struct ipt_icmp. */ |
||
204 | #define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */ |
||
205 | |||
206 | /* The argument to IPT_SO_GET_INFO */ |
||
207 | struct ipt_getinfo |
||
208 | { |
||
209 | /* Which table: caller fills this in. */ |
||
210 | char name[IPT_TABLE_MAXNAMELEN]; |
||
211 | |||
212 | /* Kernel fills these in. */ |
||
213 | /* Which hook entry points are valid: bitmask */ |
||
214 | unsigned int valid_hooks; |
||
215 | |||
216 | /* Hook entry points: one per netfilter hook. */ |
||
217 | unsigned int hook_entry[NF_IP_NUMHOOKS]; |
||
218 | |||
219 | /* Underflow points. */ |
||
220 | unsigned int underflow[NF_IP_NUMHOOKS]; |
||
221 | |||
222 | /* Number of entries */ |
||
223 | unsigned int num_entries; |
||
224 | |||
225 | /* Size of entries. */ |
||
226 | unsigned int size; |
||
227 | }; |
||
228 | |||
229 | /* The argument to IPT_SO_SET_REPLACE. */ |
||
230 | struct ipt_replace |
||
231 | { |
||
232 | /* Which table. */ |
||
233 | char name[IPT_TABLE_MAXNAMELEN]; |
||
234 | |||
235 | /* Which hook entry points are valid: bitmask. You can't |
||
236 | change this. */ |
||
237 | unsigned int valid_hooks; |
||
238 | |||
239 | /* Number of entries */ |
||
240 | unsigned int num_entries; |
||
241 | |||
242 | /* Total size of new entries */ |
||
243 | unsigned int size; |
||
244 | |||
245 | /* Hook entry points. */ |
||
246 | unsigned int hook_entry[NF_IP_NUMHOOKS]; |
||
247 | |||
248 | /* Underflow points. */ |
||
249 | unsigned int underflow[NF_IP_NUMHOOKS]; |
||
250 | |||
251 | /* Information about old entries: */ |
||
252 | /* Number of counters (must be equal to current number of entries). */ |
||
253 | unsigned int num_counters; |
||
254 | /* The old entries' counters. */ |
||
255 | struct ipt_counters *counters; |
||
256 | |||
257 | /* The entries (hang off end: not really an array). */ |
||
258 | struct ipt_entry entries[0]; |
||
259 | }; |
||
260 | |||
261 | /* The argument to IPT_SO_ADD_COUNTERS. */ |
||
262 | struct ipt_counters_info |
||
263 | { |
||
264 | /* Which table. */ |
||
265 | char name[IPT_TABLE_MAXNAMELEN]; |
||
266 | |||
267 | unsigned int num_counters; |
||
268 | |||
269 | /* The counters (actually `number' of these). */ |
||
270 | struct ipt_counters counters[0]; |
||
271 | }; |
||
272 | |||
273 | /* The argument to IPT_SO_GET_ENTRIES. */ |
||
274 | struct ipt_get_entries |
||
275 | { |
||
276 | /* Which table: user fills this in. */ |
||
277 | char name[IPT_TABLE_MAXNAMELEN]; |
||
278 | |||
279 | /* User fills this in: total entry size. */ |
||
280 | unsigned int size; |
||
281 | |||
282 | /* The entries. */ |
||
283 | struct ipt_entry entrytable[0]; |
||
284 | }; |
||
285 | |||
286 | /* Standard return verdict, or do jump. */ |
||
287 | #define IPT_STANDARD_TARGET "" |
||
288 | /* Error verdict. */ |
||
289 | #define IPT_ERROR_TARGET "ERROR" |
||
290 | |||
291 | /* Helper functions */ |
||
292 | static __inline__ struct ipt_entry_target * |
||
293 | ipt_get_target(struct ipt_entry *e) |
||
294 | { |
||
295 | return (void *)e + e->target_offset; |
||
296 | } |
||
297 | |||
298 | /* fn returns 0 to continue iteration */ |
||
299 | #define IPT_MATCH_ITERATE(e, fn, args...) \ |
||
300 | ({ \ |
||
301 | unsigned int __i; \ |
||
302 | int __ret = 0; \ |
||
303 | struct ipt_entry_match *__match; \ |
||
304 | \ |
||
305 | for (__i = sizeof(struct ipt_entry); \ |
||
306 | __i < (e)->target_offset; \ |
||
307 | __i += __match->u.match_size) { \ |
||
308 | __match = (void *)(e) + __i; \ |
||
309 | \ |
||
310 | __ret = fn(__match , ## args); \ |
||
311 | if (__ret != 0) \ |
||
312 | break; \ |
||
313 | } \ |
||
314 | __ret; \ |
||
315 | }) |
||
316 | |||
317 | /* fn returns 0 to continue iteration */ |
||
318 | #define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ |
||
319 | ({ \ |
||
320 | unsigned int __i; \ |
||
321 | int __ret = 0; \ |
||
322 | struct ipt_entry *__entry; \ |
||
323 | \ |
||
324 | for (__i = 0; __i < (size); __i += __entry->next_offset) { \ |
||
325 | __entry = (void *)(entries) + __i; \ |
||
326 | \ |
||
327 | __ret = fn(__entry , ## args); \ |
||
328 | if (__ret != 0) \ |
||
329 | break; \ |
||
330 | } \ |
||
331 | __ret; \ |
||
332 | }) |
||
333 | |||
334 | /* |
||
335 | * Main firewall chains definitions and global var's definitions. |
||
336 | */ |
||
337 | #ifdef __KERNEL__ |
||
338 | |||
339 | #include <linux/init.h> |
||
340 | extern void ipt_init(void) __init; |
||
341 | |||
342 | struct ipt_match |
||
343 | { |
||
344 | struct list_head list; |
||
345 | |||
346 | const char name[IPT_FUNCTION_MAXNAMELEN]; |
||
347 | |||
348 | /* Return true or false: return FALSE and set *hotdrop = 1 to |
||
349 | force immediate packet drop. */ |
||
350 | /* Arguments changed since 2.4, as this must now handle |
||
351 | non-linear skbs, using skb_copy_bits and |
||
352 | skb_ip_make_writable. */ |
||
353 | int (*match)(const struct sk_buff *skb, |
||
354 | const struct net_device *in, |
||
355 | const struct net_device *out, |
||
356 | const void *matchinfo, |
||
357 | int offset, |
||
358 | int *hotdrop); |
||
359 | |||
360 | /* Called when user tries to insert an entry of this type. */ |
||
361 | /* Should return true or false. */ |
||
362 | int (*checkentry)(const char *tablename, |
||
363 | const struct ipt_ip *ip, |
||
364 | void *matchinfo, |
||
365 | unsigned int matchinfosize, |
||
366 | unsigned int hook_mask); |
||
367 | |||
368 | /* Called when entry of this type deleted. */ |
||
369 | void (*destroy)(void *matchinfo, unsigned int matchinfosize); |
||
370 | |||
371 | /* Set this to THIS_MODULE. */ |
||
372 | struct module *me; |
||
373 | }; |
||
374 | |||
375 | /* Registration hooks for targets. */ |
||
376 | struct ipt_target |
||
377 | { |
||
378 | struct list_head list; |
||
379 | |||
380 | const char name[IPT_FUNCTION_MAXNAMELEN]; |
||
381 | |||
382 | /* Called when user tries to insert an entry of this type: |
||
383 | hook_mask is a bitmask of hooks from which it can be |
||
384 | called. */ |
||
385 | /* Should return true or false. */ |
||
386 | int (*checkentry)(const char *tablename, |
||
387 | const struct ipt_entry *e, |
||
388 | void *targinfo, |
||
389 | unsigned int targinfosize, |
||
390 | unsigned int hook_mask); |
||
391 | |||
392 | /* Called when entry of this type deleted. */ |
||
393 | void (*destroy)(void *targinfo, unsigned int targinfosize); |
||
394 | |||
395 | /* Returns verdict. Argument order changed since 2.4, as this |
||
396 | must now handle non-linear skbs, using skb_copy_bits and |
||
397 | skb_ip_make_writable. */ |
||
398 | unsigned int (*target)(struct sk_buff **pskb, |
||
399 | const struct net_device *in, |
||
400 | const struct net_device *out, |
||
401 | unsigned int hooknum, |
||
402 | const void *targinfo, |
||
403 | void *userdata); |
||
404 | |||
405 | /* Set this to THIS_MODULE. */ |
||
406 | struct module *me; |
||
407 | }; |
||
408 | |||
409 | extern int ipt_register_target(struct ipt_target *target); |
||
410 | extern void ipt_unregister_target(struct ipt_target *target); |
||
411 | |||
412 | extern int ipt_register_match(struct ipt_match *match); |
||
413 | extern void ipt_unregister_match(struct ipt_match *match); |
||
414 | |||
415 | /* Furniture shopping... */ |
||
416 | struct ipt_table |
||
417 | { |
||
418 | struct list_head list; |
||
419 | |||
420 | /* A unique name... */ |
||
421 | char name[IPT_TABLE_MAXNAMELEN]; |
||
422 | |||
423 | /* Seed table: copied in register_table */ |
||
424 | struct ipt_replace *table; |
||
425 | |||
426 | /* What hooks you will enter on */ |
||
427 | unsigned int valid_hooks; |
||
428 | |||
429 | /* Lock for the curtain */ |
||
430 | rwlock_t lock; |
||
431 | |||
432 | /* Man behind the curtain... */ |
||
433 | struct ipt_table_info *private; |
||
434 | |||
435 | /* Set to THIS_MODULE. */ |
||
436 | struct module *me; |
||
437 | }; |
||
438 | |||
439 | extern int ipt_register_table(struct ipt_table *table); |
||
440 | extern void ipt_unregister_table(struct ipt_table *table); |
||
441 | extern unsigned int ipt_do_table(struct sk_buff **pskb, |
||
442 | unsigned int hook, |
||
443 | const struct net_device *in, |
||
444 | const struct net_device *out, |
||
445 | struct ipt_table *table, |
||
446 | void *userdata); |
||
447 | |||
448 | #define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1)) |
||
449 | #endif /*__KERNEL__*/ |
||
450 | #endif /* _IPTABLES_H */ |