Dr Andrew Scott
G7VAV
Senior Lecturer
School of Computing
and Communications
D35 InfoLab21
Lancaster University
Lancaster, LA1 4WA
United Kingdom
School of Computing
and Communications
D35 InfoLab21
Lancaster University
Lancaster, LA1 4WA
United Kingdom
| June 2025 | ||||||
| Mo | Tu | We | Th | Fr | Sa | Su |
| 26 | 27 | 28 | 29 | 30 | 31 | 1 |
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 | 29 |
| 30 | 1 | 2 | 3 | 4 | 5 | 6 |
ip6_tables.h
001: /* 002: * 25-Jul-1998 Major changes to allow for ip chain table 003: * 004: * 3-Jan-2000 Named tables to allow packet selection for different uses. 005: */ 006: 007: /* 008: * Format of an IP6 firewall descriptor 009: * 010: * src, dst, src_mask, dst_mask are always stored in network byte order. 011: * flags are stored in host byte order (of course). 012: * Port numbers are stored in HOST byte order. 013: */ 014: 015: #ifndef _IP6_TABLES_H 016: #define _IP6_TABLES_H 017: 018: #include <linux/types.h> 019: 020: #include <linux/netfilter_ipv6.h> 021: 022: #include <linux/netfilter/x_tables.h> 023: 024: #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN 025: #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN 026: #define ip6t_match xt_match 027: #define ip6t_target xt_target 028: #define ip6t_table xt_table 029: #define ip6t_get_revision xt_get_revision 030: #define ip6t_entry_match xt_entry_match 031: #define ip6t_entry_target xt_entry_target 032: #define ip6t_standard_target xt_standard_target 033: #define ip6t_error_target xt_error_target 034: #define ip6t_counters xt_counters 035: #define IP6T_CONTINUE XT_CONTINUE 036: #define IP6T_RETURN XT_RETURN 037: 038: /* Pre-iptables-1.4.0 */ 039: #include <linux/netfilter/xt_tcpudp.h> 040: #define ip6t_tcp xt_tcp 041: #define ip6t_udp xt_udp 042: #define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT 043: #define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT 044: #define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS 045: #define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION 046: #define IP6T_TCP_INV_MASK XT_TCP_INV_MASK 047: #define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT 048: #define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT 049: #define IP6T_UDP_INV_MASK XT_UDP_INV_MASK 050: 051: #define ip6t_counters_info xt_counters_info 052: #define IP6T_STANDARD_TARGET XT_STANDARD_TARGET 053: #define IP6T_ERROR_TARGET XT_ERROR_TARGET 054: #define IP6T_MATCH_ITERATE(e, fn, args...) \ 055: XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args) 056: #define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \ 057: XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args) 058: 059: /* Yes, Virginia, you have to zero the padding. */ 060: struct ip6t_ip6 { 061: /* Source and destination IP6 addr */ 062: struct in6_addr src, dst; 063: /* Mask for src and dest IP6 addr */ 064: struct in6_addr smsk, dmsk; 065: char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; 066: unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; 067: 068: /* Upper protocol number 069: * - The allowed value is 0 (any) or protocol number of last parsable 070: * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or 071: * the non IPv6 extension headers. 072: * - The protocol numbers of IPv6 extension headers except of ESP and 073: * MH do not match any packets. 074: * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol. 075: */ 076: __u16 proto; 077: /* TOS to match iff flags & IP6T_F_TOS */ 078: __u8 tos; 079: 080: /* Flags word */ 081: __u8 flags; 082: /* Inverse flags */ 083: __u8 invflags; 084: }; 085: 086: /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ 087: #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper 088: protocols */ 089: #define IP6T_F_TOS 0x02 /* Match the TOS. */ 090: #define IP6T_F_GOTO 0x04 /* Set if jump is a goto */ 091: #define IP6T_F_MASK 0x07 /* All possible flag bits mask. */ 092: 093: /* Values for "inv" field in struct ip6t_ip6. */ 094: #define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ 095: #define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ 096: #define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */ 097: #define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ 098: #define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ 099: #define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */ 100: #define IP6T_INV_PROTO XT_INV_PROTO 101: #define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */ 102: 103: /* This structure defines each of the firewall rules. Consists of 3 104: parts which are 1) general IP header stuff 2) match specific 105: stuff 3) the target to perform if the rule matches */ 106: struct ip6t_entry { 107: struct ip6t_ip6 ipv6; 108: 109: /* Mark with fields that we care about. */ 110: unsigned int nfcache; 111: 112: /* Size of ipt_entry + matches */ 113: __u16 target_offset; 114: /* Size of ipt_entry + matches + target */ 115: __u16 next_offset; 116: 117: /* Back pointer */ 118: unsigned int comefrom; 119: 120: /* Packet and byte counters. */ 121: struct xt_counters counters; 122: 123: /* The matches (if any), then the target. */ 124: unsigned char elems[0]; 125: }; 126: 127: /* Standard entry */ 128: struct ip6t_standard { 129: struct ip6t_entry entry; 130: struct xt_standard_target target; 131: }; 132: 133: struct ip6t_error { 134: struct ip6t_entry entry; 135: struct xt_error_target target; 136: }; 137: 138: #define IP6T_ENTRY_INIT(__size) \ 139: { \ 140: .target_offset = sizeof(struct ip6t_entry), \ 141: .next_offset = (__size), \ 142: } 143: 144: #define IP6T_STANDARD_INIT(__verdict) \ 145: { \ 146: .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \ 147: .target = XT_TARGET_INIT(XT_STANDARD_TARGET, \ 148: sizeof(struct xt_standard_target)), \ 149: .target.verdict = -(__verdict) - 1, \ 150: } 151: 152: #define IP6T_ERROR_INIT \ 153: { \ 154: .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \ 155: .target = XT_TARGET_INIT(XT_ERROR_TARGET, \ 156: sizeof(struct xt_error_target)), \ 157: .target.errorname = "ERROR", \ 158: } 159: 160: /* 161: * New IP firewall options for [gs]etsockopt at the RAW IP level. 162: * Unlike BSD Linux inherits IP options so you don't have to use 163: * a raw socket for this. Instead we check rights in the calls. 164: * 165: * ATTENTION: check linux/in6.h before adding new number here. 166: */ 167: #define IP6T_BASE_CTL 64 168: 169: #define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL) 170: #define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1) 171: #define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS 172: 173: #define IP6T_SO_GET_INFO (IP6T_BASE_CTL) 174: #define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1) 175: #define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4) 176: #define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5) 177: #define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET 178: 179: /* ICMP matching stuff */ 180: struct ip6t_icmp { 181: __u8 type; /* type to match */ 182: __u8 code[2]; /* range of code */ 183: __u8 invflags; /* Inverse flags */ 184: }; 185: 186: /* Values for "inv" field for struct ipt_icmp. */ 187: #define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ 188: 189: /* The argument to IP6T_SO_GET_INFO */ 190: struct ip6t_getinfo { 191: /* Which table: caller fills this in. */ 192: char name[XT_TABLE_MAXNAMELEN]; 193: 194: /* Kernel fills these in. */ 195: /* Which hook entry points are valid: bitmask */ 196: unsigned int valid_hooks; 197: 198: /* Hook entry points: one per netfilter hook. */ 199: unsigned int hook_entry[NF_INET_NUMHOOKS]; 200: 201: /* Underflow points. */ 202: unsigned int underflow[NF_INET_NUMHOOKS]; 203: 204: /* Number of entries */ 205: unsigned int num_entries; 206: 207: /* Size of entries. */ 208: unsigned int size; 209: }; 210: 211: /* The argument to IP6T_SO_SET_REPLACE. */ 212: struct ip6t_replace { 213: /* Which table. */ 214: char name[XT_TABLE_MAXNAMELEN]; 215: 216: /* Which hook entry points are valid: bitmask. You can't 217: change this. */ 218: unsigned int valid_hooks; 219: 220: /* Number of entries */ 221: unsigned int num_entries; 222: 223: /* Total size of new entries */ 224: unsigned int size; 225: 226: /* Hook entry points. */ 227: unsigned int hook_entry[NF_INET_NUMHOOKS]; 228: 229: /* Underflow points. */ 230: unsigned int underflow[NF_INET_NUMHOOKS]; 231: 232: /* Information about old entries: */ 233: /* Number of counters (must be equal to current number of entries). */ 234: unsigned int num_counters; 235: /* The old entries' counters. */ 236: struct xt_counters *counters; 237: 238: /* The entries (hang off end: not really an array). */ 239: struct ip6t_entry entries[0]; 240: }; 241: 242: /* The argument to IP6T_SO_GET_ENTRIES. */ 243: struct ip6t_get_entries { 244: /* Which table: user fills this in. */ 245: char name[XT_TABLE_MAXNAMELEN]; 246: 247: /* User fills this in: total entry size. */ 248: unsigned int size; 249: 250: /* The entries. */ 251: struct ip6t_entry entrytable[0]; 252: }; 253: 254: /* Helper functions */ 255: static __inline__ struct xt_entry_target * 256: ip6t_get_target(struct ip6t_entry *e) 257: { 258: return (void *)e + e->target_offset; 259: } 260: 261: /* 262: * Main firewall chains definitions and global var's definitions. 263: */ 264: 265: #endif /* _IP6_TABLES_H */ 266:
for client
(none)
© Andrew Scott 2006 -
2025,
All Rights Reserved
All Rights Reserved
Andrew Scott