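# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

include <linux/socket.h>
include <uapi/linux/limits.h>
include <uapi/linux/ip_vs.h>
include <uapi/linux/netfilter/x_tables.h>
include <uapi/linux/netfilter/xt_rpfilter.h>
include <uapi/linux/netfilter/xt_cgroup.h>
include <uapi/linux/netfilter/xt_rateest.h>
include <uapi/linux/netfilter/xt_l2tp.h>
include <uapi/linux/netfilter/xt_time.h>
include <uapi/linux/netfilter/xt_bpf.h>
include <uapi/linux/netfilter/xt_socket.h>
include <uapi/linux/netfilter/xt_connlimit.h>
include <uapi/linux/netfilter/xt_conntrack.h>
include <uapi/linux/netfilter/xt_tcpudp.h>
include <uapi/linux/netfilter/xt_set.h>
include <uapi/linux/netfilter/xt_mark.h>
include <uapi/linux/netfilter/xt_connmark.h>
include <uapi/linux/netfilter/xt_realm.h>
include <uapi/linux/netfilter/xt_connbytes.h>
include <uapi/linux/netfilter/xt_quota.h>
include <uapi/linux/netfilter/xt_sctp.h>
include <uapi/linux/netfilter/xt_limit.h>
include <uapi/linux/netfilter/xt_addrtype.h>
include <uapi/linux/netfilter/xt_ipvs.h>
include <uapi/linux/netfilter/xt_dccp.h>
include <uapi/linux/netfilter/xt_hashlimit.h>
include <uapi/linux/netfilter/xt_nfacct.h>
include <uapi/linux/netfilter/xt_length.h>
include <uapi/linux/netfilter/xt_mac.h>
include <uapi/linux/netfilter/xt_comment.h>
include <uapi/linux/netfilter/xt_ipcomp.h>
include <uapi/linux/netfilter/xt_statistic.h>
include <uapi/linux/netfilter/xt_recent.h>
include <uapi/linux/netfilter/xt_dscp.h>
include <uapi/linux/netfilter/xt_policy.h>
include <uapi/linux/netfilter/xt_tcpmss.h>
include <uapi/linux/netfilter/xt_string.h>
include <uapi/linux/netfilter/xt_physdev.h>
include <uapi/linux/netfilter/xt_connlabel.h>
include <uapi/linux/netfilter/xt_devgroup.h>
include <uapi/linux/netfilter/xt_multiport.h>
include <uapi/linux/netfilter/xt_cluster.h>
include <uapi/linux/netfilter/xt_ecn.h>
include <uapi/linux/netfilter/xt_owner.h>
include <uapi/linux/netfilter/xt_pkttype.h>
include <uapi/linux/netfilter/xt_u32.h>
include <uapi/linux/netfilter/xt_iprange.h>
include <uapi/linux/netfilter/xt_esp.h>
include <uapi/linux/netfilter/xt_cpu.h>
include <uapi/linux/netfilter/xt_state.h>

# Netfilter matches shared between ipv4/ipv6.

# TODO: add CONFIG_NF_FLOW_TABLE* support.

# Per-table hook bitmasks, built from the NF_INET_*_BIT values defined below.
define IPT_FILTER_VALID_HOOKS	NF_INET_LOCAL_IN_BIT | NF_INET_FORWARD_BIT | NF_INET_LOCAL_OUT_BIT
define IPT_NAT_VALID_HOOKS	NF_INET_PRE_ROUTING_BIT | NF_INET_POST_ROUTING_BIT | NF_INET_LOCAL_OUT_BIT | NF_INET_LOCAL_IN_BIT
define IPT_MANGLE_VALID_HOOKS	NF_INET_PRE_ROUTING_BIT | NF_INET_POST_ROUTING_BIT | NF_INET_FORWARD_BIT | NF_INET_LOCAL_OUT_BIT | NF_INET_LOCAL_IN_BIT
define IPT_RAW_VALID_HOOKS	NF_INET_PRE_ROUTING_BIT | NF_INET_LOCAL_OUT_BIT
define IPT_SECURITY_VALID_HOOKS	NF_INET_LOCAL_IN_BIT | NF_INET_FORWARD_BIT | NF_INET_LOCAL_OUT_BIT

# One bit per hook number.
define NF_INET_PRE_ROUTING_BIT	1 << NF_INET_PRE_ROUTING
define NF_INET_LOCAL_IN_BIT	1 << NF_INET_LOCAL_IN
define NF_INET_FORWARD_BIT	1 << NF_INET_FORWARD
define NF_INET_LOCAL_OUT_BIT	1 << NF_INET_LOCAL_OUT
define NF_INET_POST_ROUTING_BIT	1 << NF_INET_POST_ROUTING

# Both counters are pinned to zero, so generated programs never vary them.
xt_counters {
	pcnt	const[0, int64]
	bcnt	const[0, int64]
}

# The revision is always 0 here; only the extension name varies.
xt_get_revision {
	name		string[xt_get_revision_strings, XT_EXTENSION_MAXNAMELEN]
	revision	const[0, int8]
}

xt_get_revision_strings = "icmp", "ah", "NETMAP", "TPROXY", "ipvs", "IDLETIMER", "icmp6", "HL"

nf_inet_addr [
	ipv4	ipv4_addr
	ipv6	ipv6_addr
]

nf_conntrack_man_proto [
	port	sock_port
	icmp_id	icmp_id
# TODO: what is gre key? do we have it already in gre descriptions in vnet.txt?
	gre_key	int16
]

# Match header. match_size is computed as the length of the enclosing
# xt_entry_match_t (header plus payload), so the size always agrees with the
# payload chosen below. NAME and REV are fixed per instantiation.
type xt_entry_match[NAME, REV] {
	match_size	len[xt_entry_match_t, int16]
	name		string[NAME, XT_EXTENSION_MAXNAMELEN]
	revision	const[REV, int8]
}

# Header followed by the match-specific payload DATA, aligned to pointer size.
type xt_entry_match_t[NAME, DATA, REV] {
	header	xt_entry_match[NAME, REV]
	data	DATA
} [align[PTR_SIZE]]

# Each union arm binds a match name to one payload layout and one revision.
# Because name, revision and size are all constants, an arm whose revision does
# not pair with its payload can only ever exercise the rejection path for that
# match, never its checkentry or match code.
xt_unspec_matches [
	cgroup0		xt_entry_match_t["cgroup", xt_cgroup_info_v0, 0]
	cgroup1		xt_entry_match_t["cgroup", xt_cgroup_info_v1, 1]
	helper		xt_entry_match_t["helper", xt_helper_info, 0]
	rateest		xt_entry_match_t["rateest", xt_rateest_match_info, 0]
	time		xt_entry_match_t["time", xt_time_info, 0]
	bpf0		xt_entry_match_t["bpf", xt_bpf_info, 0]
	bpf1		xt_entry_match_t["bpf", xt_bpf_info_v1, 1]
	connlimit	xt_entry_match_t["connlimit", xt_connlimit_info, 1]
	conntrack1	xt_entry_match_t["conntrack", xt_conntrack_mtinfo1, 1]
	conntrack2	xt_entry_match_t["conntrack", xt_conntrack_mtinfo2, 2]
	conntrack3	xt_entry_match_t["conntrack", xt_conntrack_mtinfo3, 3]
	mark		xt_entry_match_t["mark", xt_mark_mtinfo1, 1]
	connmark	xt_entry_match_t["connmark", xt_connmark_mtinfo1, 1]
	realm		xt_entry_match_t["realm", xt_realm_info, 0]
	connbytes	xt_entry_match_t["connbytes", xt_connbytes_info, 0]
	quota		xt_entry_match_t["quota", xt_quota_info, 0]
	limit		xt_entry_match_t["limit", xt_rateinfo, 0]
	addrtype1	xt_entry_match_t["addrtype", xt_addrtype_info_v1, 1]
	ipvs		xt_entry_match_t["ipvs", xt_ipvs_mtinfo, 0]
	nfacct		xt_entry_match_t["nfacct", xt_nfacct_match_info, 0]
	mac		xt_entry_match_t["mac", xt_mac_info, 0]
	comment		xt_entry_match_t["comment", xt_comment_info, 0]
	statistic	xt_entry_match_t["statistic", xt_statistic_info, 0]
	string		xt_entry_match_t["string", xt_string_info, 1]
	physdev		xt_entry_match_t["physdev", xt_physdev_info, 0]
	connlabel	xt_entry_match_t["connlabel", xt_connlabel_mtinfo, 0]
	devgroup	xt_entry_match_t["devgroup", xt_devgroup_info, 0]
	cluster		xt_entry_match_t["cluster", xt_cluster_match_info, 0]
# NOTE(review): confirm the revision the kernel registers for "owner"; if it is
# only registered at revision 1, this arm never gets past match lookup.
	owner		xt_entry_match_t["owner", xt_owner_match_info, 0]
	pkttype		xt_entry_match_t["pkttype", xt_pkttype_info, 0]
	u32		xt_entry_match_t["u32", xt_u32, 0]
	cpu		xt_entry_match_t["cpu", xt_cpu_info, 0]
	state		xt_entry_match_t["state", xt_state_info, 0]
] [varlen]

xt_inet_matches [
	l2tp		xt_entry_match_t["l2tp", xt_l2tp_info, 0]
	socket1		xt_entry_match_t["socket", flags[xt_socket_flags_v1, int8], 1]
	socket2		xt_entry_match_t["socket", flags[xt_socket_flags_v2, int8], 2]
	socket3		xt_entry_match_t["socket", flags[xt_socket_flags_v3, int8], 3]
	tcp		xt_entry_match_t["tcp", xt_tcp, 0]
	udp		xt_entry_match_t["udp", xt_udp, 0]
	udplite		xt_entry_match_t["udplite", xt_udp, 0]
	set1		xt_entry_match_t["set", xt_set_info_match_v1, 1]
	set2		xt_entry_match_t["set", xt_set_info_match_v1, 2]
	set3		xt_entry_match_t["set", xt_set_info_match_v3, 3]
	set4		xt_entry_match_t["set", xt_set_info_match_v4, 4]
	sctp		xt_entry_match_t["sctp", xt_sctp_info, 0]
	dccp		xt_entry_match_t["dccp", xt_dccp_info, 0]
	hashlimit1	xt_entry_match_t["hashlimit", xt_hashlimit_mtinfo1, 1]
	hashlimit2	xt_entry_match_t["hashlimit", xt_hashlimit_mtinfo2, 2]
	hashlimit3	xt_entry_match_t["hashlimit", xt_hashlimit_mtinfo3, 3]
	length		xt_entry_match_t["length", xt_length_info, 0]
	ipcomp		xt_entry_match_t["ipcomp", xt_ipcomp, 0]
	recent0		xt_entry_match_t["recent", xt_recent_mtinfo, 0]
# The _v1 payload is paired with revision 1. This arm previously repeated
# revision 0, i.e. the same name/revision key as recent0 but with a differently
# sized payload, which left the revision-1 code path of "recent" undescribed.
	recent1		xt_entry_match_t["recent", xt_recent_mtinfo_v1, 1]
	dscp		xt_entry_match_t["dscp", xt_dscp_info, 0]
# NOTE(review): confirm the revision the kernel registers for "tos" with
# xt_tos_match_info; if it is only registered at revision 1, this arm never
# gets past match lookup.
	tos		xt_entry_match_t["tos", xt_tos_match_info, 0]
	policy		xt_entry_match_t["policy", xt_policy_info, 0]
	tcpmss		xt_entry_match_t["tcpmss", xt_tcpmss_match_info, 0]
	multiport	xt_entry_match_t["multiport", xt_multiport_v1, 1]
	ecn		xt_entry_match_t["ecn", xt_ecn_info, 0]
	iprange		xt_entry_match_t["iprange", xt_iprange_mtinfo, 1]
	esp		xt_entry_match_t["esp", xt_esp, 0]
] [varlen]
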
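# rpfilter is listed separately for the mangle and raw tables.
xt_inet_mangle_matches [
	rpfilter	xt_entry_match_t["rpfilter", xt_rpfilter_info, 0]
] [varlen]

xt_inet_raw_matches [
	rpfilter	xt_entry_match_t["rpfilter", xt_rpfilter_info, 0]
] [varlen]

# Each later revision's flag set includes the previous one.
xt_socket_flags_v1 = XT_SOCKET_TRANSPARENT
xt_socket_flags_v2 = XT_SOCKET_NOWILDCARD, xt_socket_flags_v1
xt_socket_flags_v3 = XT_SOCKET_RESTORESKMARK, xt_socket_flags_v2

xt_rpfilter_info {
	flags	flags[xt_rpfilter_flags, int8]
}

xt_rpfilter_flags = XT_RPFILTER_LOOSE, XT_RPFILTER_VALID_MARK, XT_RPFILTER_ACCEPT_LOCAL, XT_RPFILTER_INVERT

xt_cgroup_info_v0 {
# TODO: this is some "cgroup classid", what's this?
	id	int32
	invert	bool32
}

# NOTE(review): the trailing align64[intptr] fields in this file (priv, est1,
# filter, data, master, hinfo, ...) look like the kernel-private pointer slots
# of the uapi structs. The fuzzer fills them with arbitrary values, so the
# kernel must not trust whatever userspace supplied there - confirm against
# the headers.
xt_cgroup_info_v1 {
	has_path	bool8
	has_classid	bool8
	invert_path	bool8
	invert_classid	bool8
	path		string[cgroup_dirs, PATH_MAX]
# TODO: again "cgroup classid"
	classid		int32
	priv		align64[intptr]
}

xt_helper_info {
	invert	bool32
	name	string[xt_helper_names, 30]
}

xt_helper_names = "", "ftp-20000", "tftp-20000", "sip-20000", "irc-20000", "sane-20000", "amanda", "RAS", "Q.931", "H.245", "netbios-ns", "snmp", "snmp_trap", "pptp", "syz0", "syz1"

xt_rateest_match_info {
	name1	devname
	name2	devname
	flags	flags[xt_rateest_match_flags, int16]
	mode	flags[xt_rateest_match_mode, int16]
	bps1	int32
	pps1	int32
	bps2	int32
	pps2	int32
	est1	align64[intptr]
	est2	align64[intptr]
}

xt_rateest_match_flags = XT_RATEEST_MATCH_INVERT, XT_RATEEST_MATCH_ABS, XT_RATEEST_MATCH_REL, XT_RATEEST_MATCH_DELTA, XT_RATEEST_MATCH_BPS, XT_RATEEST_MATCH_PPS
xt_rateest_match_mode = XT_RATEEST_MATCH_NONE, XT_RATEEST_MATCH_EQ, XT_RATEEST_MATCH_LT, XT_RATEEST_MATCH_GT

xt_l2tp_info {
	tid	l2tp_tunnel[int32]
	sid	l2tp_session[int32]
	version	int8[2:3]
	type	flags[xt_l2tp_type, int8]
	flags	flags[xt_l2tp_flags, int8]
}

xt_l2tp_type = XT_L2TP_TYPE_CONTROL, XT_L2TP_TYPE_DATA
xt_l2tp_flags = XT_L2TP_TID, XT_L2TP_SID, XT_L2TP_VERSION, XT_L2TP_TYPE

xt_time_info {
	date_start	int32
	date_stop	int32
	daytime_start	int32[0:XT_TIME_MAX_DAYTIME]
	daytime_stop	int32[0:XT_TIME_MAX_DAYTIME]
	monthdays_match	int32
	weekdays_match	int8
	flags		flags[xt_time_flags, int8]
}

xt_time_flags = XT_TIME_LOCAL_TZ, XT_TIME_CONTIGUOUS

# The instruction count is generated independently of the fixed-size program
# array, within 0..XT_BPF_MAX_NUM_INSTR inclusive.
xt_bpf_info {
	bpf_program_num_elem	int16[0:XT_BPF_MAX_NUM_INSTR]
	bpf_program		array[sock_filter, XT_BPF_MAX_NUM_INSTR]
	filter			align64[intptr]
}

# Revision 1 selects one of three layouts through the constant mode field.
xt_bpf_info_v1 [
	bytecode	xt_bpf_info_bytecode
	pinned		xt_bpf_info_pinned
	fd		xt_bpf_info_fd
]

xt_bpf_info_bytecode {
	mode			const[XT_BPF_MODE_BYTECODE, int16]
	bpf_program_num_elem	int16[0:XT_BPF_MAX_NUM_INSTR]
	fd			const[0, int32]
	bpf_program		array[sock_filter, XT_BPF_MAX_NUM_INSTR]
	filter			align64[intptr]
}

xt_bpf_info_pinned {
	mode			const[XT_BPF_MODE_FD_PINNED, int16]
	bpf_program_num_elem	const[0, int16]
	fd			const[0, int32]
	path			string[filename, XT_BPF_PATH_MAX]
	filter			align64[intptr]
}

xt_bpf_info_fd {
	mode			const[XT_BPF_MODE_FD_ELF, int16]
	bpf_program_num_elem	const[0, int16]
	fd			fd_bpf_prog
}

xt_connlimit_info {
	mask	ipv6_addr_mask
	limit	int32
	flags	flags[xt_connlimit_flags, int32]
	data	align64[intptr]
}

xt_connlimit_flags = XT_CONNLIMIT_INVERT, XT_CONNLIMIT_DADDR

# Fields shared by all three conntrack match revisions; packed, with the
# per-revision wrappers below re-aligning to 4 bytes.
xt_conntrack_mtinfo_common {
	origsrc_addr	nf_inet_addr
	origsrc_mask	ipv6_addr_mask
	origdst_addr	nf_inet_addr
	origdst_mask	ipv6_addr_mask
	replsrc_addr	nf_inet_addr
	replsrc_mask	ipv6_addr_mask
	repldst_addr	nf_inet_addr
	repldst_mask	ipv6_addr_mask
	expires_min	int32
	expires_max	int32
	l4proto		flags[ipv6_types, int16]
	origsrc_port	sock_port
	origdst_port	sock_port
	replsrc_port	sock_port
	repldst_port	sock_port
	match_flags	flags[xt_conntrack_flags, int16]
	invert_flags	flags[xt_conntrack_flags, int16]
} [packed]

# Revision 1 uses 8-bit state/status masks, hence the *8 flag subsets.
xt_conntrack_mtinfo1 {
	common		xt_conntrack_mtinfo_common
	state_mask	flags[xt_conntrack_state8, int8]
	status_mask	flags[xt_conntrack_status8, int8]
} [align[4]]

xt_conntrack_mtinfo2 {
	common		xt_conntrack_mtinfo_common
	state_mask	flags[xt_conntrack_state, int16]
	status_mask	flags[xt_conntrack_status, int16]
} [align[4]]

xt_conntrack_mtinfo3 {
	common			xt_conntrack_mtinfo_common
	state_mask		flags[xt_conntrack_state, int16]
	status_mask		flags[xt_conntrack_status, int16]
	origsrc_port_high	sock_port
	origdst_port_high	sock_port
	replsrc_port_high	sock_port
	repldst_port_high	sock_port
} [align[4]]

xt_conntrack_flags = XT_CONNTRACK_STATE, XT_CONNTRACK_PROTO, XT_CONNTRACK_ORIGSRC, XT_CONNTRACK_ORIGDST, XT_CONNTRACK_REPLSRC, XT_CONNTRACK_REPLDST, XT_CONNTRACK_STATUS, XT_CONNTRACK_EXPIRES, XT_CONNTRACK_ORIGSRC_PORT, XT_CONNTRACK_ORIGDST_PORT, XT_CONNTRACK_REPLSRC_PORT, XT_CONNTRACK_REPLDST_PORT, XT_CONNTRACK_DIRECTION, XT_CONNTRACK_STATE_ALIAS
xt_conntrack_state8 = XT_CONNTRACK_STATE_INVALID, XT_CONNTRACK_STATE_SNAT, XT_CONNTRACK_STATE_DNAT
xt_conntrack_state = XT_CONNTRACK_STATE_UNTRACKED, xt_conntrack_state8
xt_conntrack_status8 = IPS_EXPECTED, IPS_SEEN_REPLY, IPS_ASSURED, IPS_CONFIRMED, IPS_SRC_NAT, IPS_DST_NAT, IPS_SEQ_ADJUST, IPS_SRC_NAT_DONE
xt_conntrack_status = IPS_DST_NAT_DONE, IPS_DYING, IPS_FIXED_TIMEOUT, IPS_TEMPLATE, IPS_UNTRACKED, IPS_HELPER, xt_conntrack_status8

xt_tcp {
	spts		array[sock_port, 2]
	dpts		array[sock_port, 2]
	option		flags[tcp_option_types, int8]
	flg_mask	flags[tcp_flags, int8]
	flg_cmp		flags[tcp_flags, int8]
	invflags	flags[xt_tcp_inv_flags, int8]
}

xt_tcp_inv_flags = XT_TCP_INV_SRCPT, XT_TCP_INV_DSTPT, XT_TCP_INV_FLAGS, XT_TCP_INV_OPTION

xt_udp {
	spts		array[sock_port, 2]
	dpts		array[sock_port, 2]
	invflags	flags[xt_udp_inv_flags, int8]
}

xt_udp_inv_flags = XT_UDP_INV_SRCPT, XT_UDP_INV_DSTPT

# NOTE(review): no match union visible in this file references the v0 layout,
# so revision 0 of "set" appears to be undescribed here - confirm it is not
# used elsewhere before treating that as a coverage gap.
xt_set_info_match_v0 {
	match_set	xt_set_info_v0
}

xt_set_info_match_v1 {
	match_set	xt_set_info
}

xt_set_info_match_v3 {
	match_set	xt_set_info
	packets		ip_set_counter_match0
	bytes		ip_set_counter_match0
	flags		int32
}

xt_set_info_match_v4 {
	match_set	xt_set_info
	packets		ip_set_counter_match
	bytes		ip_set_counter_match
	flags		int32
}

xt_mark_mtinfo1 {
	mark	int32
	mask	int32
	invert	bool8
}

xt_connmark_mtinfo1 {
	mark	int32
	mask	int32
	invert	bool8
}

xt_realm_info {
	id	int32
	mask	int32
	invert	bool8
}

xt_connbytes_info {
	count		array[align64[int64], 2]
	what		flags[xt_connbytes_what, int8]
	direction	flags[xt_connbytes_direction, int8]
}

xt_connbytes_what = XT_CONNBYTES_PKTS, XT_CONNBYTES_BYTES, XT_CONNBYTES_AVGPKT
xt_connbytes_direction = XT_CONNBYTES_DIR_ORIGINAL, XT_CONNBYTES_DIR_REPLY, XT_CONNBYTES_DIR_BOTH

xt_quota_info {
	flags	bool32
	pad	const[0, int32]
	quota	int64
	master	align64[intptr]
}

# flag_count is generated independently of the fixed-size flag_info array,
# within 0..XT_NUM_SCTP_FLAGS inclusive.
xt_sctp_info {
	dpts			array[sock_port, 2]
	spts			array[sock_port, 2]
	chunkmap		array[int32, 64]
	chunk_match_type	flags[xt_sctp_match_type, int32]
	flag_info		array[xt_sctp_flag_info, XT_NUM_SCTP_FLAGS]
	flag_count		int32[0:XT_NUM_SCTP_FLAGS]
	flags			flags[xt_sctp_flags, int32]
	invflags		flags[xt_sctp_flags, int32]
}

xt_sctp_match_type = SCTP_CHUNK_MATCH_ANY, SCTP_CHUNK_MATCH_ALL, SCTP_CHUNK_MATCH_ONLY
xt_sctp_flags = XT_SCTP_SRC_PORTS, XT_SCTP_DEST_PORTS, XT_SCTP_CHUNK_TYPES

xt_sctp_flag_info {
	chunktype	int8
	flag		int8
	flag_mask	int8
}

xt_rateinfo {
	avg		int32
	burst		int32
	prev		intptr
	credit		int32
	credit_cap	int32
	cost		int32
	master		intptr
}

# NOTE(review): only the _v1 layout is referenced by a match union visible in
# this file (addrtype1); confirm whether revision 0 is described elsewhere.
xt_addrtype_info {
	source		flags[xt_addrtype_type, int16]
	dest		flags[xt_addrtype_type, int16]
	invert_source	bool32
	invert_dest	bool32
}

xt_addrtype_info_v1 {
	source	flags[xt_addrtype_type, int16]
	dest	flags[xt_addrtype_type, int16]
	flags	flags[xt_addrtype_flags, int32]
}

xt_addrtype_type = XT_ADDRTYPE_UNSPEC, XT_ADDRTYPE_UNICAST, XT_ADDRTYPE_LOCAL, XT_ADDRTYPE_BROADCAST, XT_ADDRTYPE_ANYCAST, XT_ADDRTYPE_MULTICAST, XT_ADDRTYPE_BLACKHOLE, XT_ADDRTYPE_UNREACHABLE, XT_ADDRTYPE_PROHIBIT, XT_ADDRTYPE_THROW, XT_ADDRTYPE_NAT, XT_ADDRTYPE_XRESOLVE
xt_addrtype_flags = XT_ADDRTYPE_INVERT_SOURCE, XT_ADDRTYPE_INVERT_DEST, XT_ADDRTYPE_LIMIT_IFACE_IN, XT_ADDRTYPE_LIMIT_IFACE_OUT

xt_ipvs_mtinfo {
	vaddr		nf_inet_addr
	vmask		ipv6_addr_mask
	vport		sock_port
	l4proto		flags[ipv6_types, int8]
	fwd_method	int8[0:IP_VS_CONN_F_FWD_MASK]
	vportctl	sock_port
	invert		flags[xt_ipvs_flags, int8]
	bitmask		flags[xt_ipvs_flags, int8]
}

# The last entry used to be a second XT_IPVS_VPORT, which left the bit that
# selects the vportctl field above out of the generated invert/bitmask values.
# XT_IPVS_VPORTCTL is new to this file, so the extracted constants need to be
# regenerated (make extract) before the descriptions compile.
xt_ipvs_flags = XT_IPVS_IPVS_PROPERTY, XT_IPVS_PROTO, XT_IPVS_VADDR, XT_IPVS_VPORT, XT_IPVS_DIR, XT_IPVS_METHOD, XT_IPVS_VPORTCTL

xt_dccp_info {
	dpts		array[sock_port, 2]
	spts		array[sock_port, 2]
	flags		flags[xt_dccp_flags, int16]
	invflags	flags[xt_dccp_flags, int16]
	typemask	int16
	option		int8
}

xt_dccp_flags = XT_DCCP_SRC_PORTS, XT_DCCP_DEST_PORTS, XT_DCCP_TYPE, XT_DCCP_OPTION

xt_hashlimit_mtinfo1 {
	name	devname
	cfg	hashlimit_cfg1
	hinfo	align64[intptr]
}

xt_hashlimit_mtinfo2 {
	name	string[devnames, NAME_MAX]
	cfg	hashlimit_cfg2
	hinfo	align64[intptr]
}

xt_hashlimit_mtinfo3 {
	name	string[devnames, NAME_MAX]
	cfg	hashlimit_cfg3
	hinfo	align64[intptr]
}

hashlimit_cfg1 {
	mode		flags[xt_hashlimit_modes, int32]
	avg		int32
	burst		int32
	size		int32
	max		int32
	gc_interval	int32
	expire		int32
	srcmask		flags[xt_hashlimit_mask, int8]
	dstmask		flags[xt_hashlimit_mask, int8]
}

hashlimit_cfg2 {
	avg		int64
	burst		int64
	mode		flags[xt_hashlimit_modes, int32]
	size		int32
	max		int32
	gc_interval	int32
	expire		int32
	srcmask		flags[xt_hashlimit_mask, int8]
	dstmask		flags[xt_hashlimit_mask, int8]
}

hashlimit_cfg3 {
	avg		int64
	burst		int64
	mode		flags[xt_hashlimit_modes, int32]
	size		int32
	max		int32
	gc_interval	int32
	expire		int32
	interval	int32
	srcmask		flags[xt_hashlimit_mask, int8]
	dstmask		flags[xt_hashlimit_mask, int8]
}

xt_hashlimit_modes = XT_HASHLIMIT_HASH_DIP, XT_HASHLIMIT_HASH_DPT, XT_HASHLIMIT_HASH_SIP, XT_HASHLIMIT_HASH_SPT, XT_HASHLIMIT_INVERT, XT_HASHLIMIT_BYTES, XT_HASHLIMIT_RATE_MATCH
# Candidate prefix lengths for srcmask/dstmask.
xt_hashlimit_mask = 0, 8, 24, 32, 64, 120, 128

xt_nfacct_match_info {
	name	string[xt_nfacct_match_names, NFACCT_NAME_MAX]
	nfacct	intptr
}

xt_nfacct_match_names = "syz0", "syz1"

xt_length_info {
	min	int16
	max	int16
	invert	bool8
}

xt_mac_info {
	srcaddr	mac_addr
	invert	bool32
}

# The comment text is always all zero bytes.
xt_comment_info {
	comment	array[const[0, int8], XT_MAX_COMMENT_LEN]
}

xt_ipcomp {
	spis		array[xfrm_spi, 2]
	invflags	flags[xt_ipcomp_flags, int8]
	hdrres		const[0, int8]
}

xt_ipcomp_flags = XT_IPCOMP_INV_SPI

xt_statistic_info {
	mode	bool16
	flags	bool16
	every	int32
	packet	int32
	count	int32
	master	align64[intptr]
}

xt_recent_mtinfo {
	seconds		int32
	hit_count	int32
	check_set	flags[xt_recent_check_set, int8]
	invert		bool8
	name		string[xt_recent_names, XT_RECENT_NAME_LEN]
	side		int8
}

# Same fields as xt_recent_mtinfo plus a trailing address mask.
xt_recent_mtinfo_v1 {
	seconds		int32
	hit_count	int32
	check_set	flags[xt_recent_check_set, int8]
	invert		bool8
	name		string[xt_recent_names, XT_RECENT_NAME_LEN]
	side		int8
	mask		ipv6_addr_mask
}

xt_recent_names = "syz0", "syz1"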
xt_recent_check_set = XT_RECENT_CHECK, XT_RECENT_SET, XT_RECENT_UPDATE, XT_RECENT_REMOVE, XT_RECENT_TTL, XT_RECENT_REAP, XT_RECENT_SOURCE, XT_RECENT_DEST

xt_dscp_info {
	dscp	int8
	invert	bool8
}

xt_tos_match_info {
	tos_mask	int8
	tos_value	int8
	invert		bool8
}

# len is generated independently of the fixed-size pol array, within
# 0..XT_POLICY_MAX_ELEM inclusive.
xt_policy_info {
	pol	array[xt_policy_elem, XT_POLICY_MAX_ELEM]
	flags	flags[xt_policy_flags, int16]
	len	int16[0:XT_POLICY_MAX_ELEM]
}

xt_policy_elem {
	saddr	nf_inet_addr
	smask	ipv6_addr_mask
	daddr	nf_inet_addr
	dmask	ipv6_addr_mask
	spi	xfrm_spi
	reqid	xfrm_req_id
	proto	flags[ipv6_types, int8]
	mode	flags[xt_policy_mode, int8]
	match	flags[xt_policy_spec, int8]
	invert	flags[xt_policy_spec, int8]
}

xt_policy_flags = XT_POLICY_MATCH_IN, XT_POLICY_MATCH_OUT, XT_POLICY_MATCH_NONE, XT_POLICY_MATCH_STRICT
xt_policy_mode = XT_POLICY_MODE_TRANSPORT, XT_POLICY_MODE_TUNNEL
# Raw bit values rather than named constants.
# NOTE(review): presumably the bitfield members of the uapi xt_policy_spec - confirm.
xt_policy_spec = 1, 2, 4, 8, 16

xt_tcpmss_match_info {
	mss_min	int16
	mss_max	int16
	invert	bool8
}

# pattern is arbitrary bytes; patlen is generated independently of it, within
# 0..XT_STRING_MAX_PATTERN_SIZE inclusive. algo is limited to the names in
# textsearch_algos.
xt_string_info {
	from_offset	int16
	to_offset	int16
	algo		string[textsearch_algos, XT_STRING_MAX_ALGO_NAME_SIZE]
	pattern		array[int8, XT_STRING_MAX_PATTERN_SIZE]
	patlen		int8[0:XT_STRING_MAX_PATTERN_SIZE]
	flags		flags[xt_string_flags, int8]
	config		align64[intptr]
}

textsearch_algos = "bm", "fsm", "kmp"
xt_string_flags = XT_STRING_FLAG_INVERT, XT_STRING_FLAG_IGNORECASE

xt_physdev_info {
	physindev	devname
	in_mask		devname_mask
	physoutdev	devname
	out_mask	devname_mask
	invert		flags[xt_physdev_flags, int8]
	bitmask		flags[xt_physdev_flags, int8]
}

xt_physdev_flags = XT_PHYSDEV_OP_IN, XT_PHYSDEV_OP_OUT, XT_PHYSDEV_OP_BRIDGED, XT_PHYSDEV_OP_ISIN, XT_PHYSDEV_OP_ISOUT

# bit is an unconstrained 16-bit value, so out-of-range label indexes are
# generated as well.
xt_connlabel_mtinfo {
	bit	int16
	options	flags[xt_connlabel_mtopts, int16]
}

xt_connlabel_mtopts = XT_CONNLABEL_OP_INVERT, XT_CONNLABEL_OP_SET

xt_devgroup_info {
	flags		flags[xt_devgroup_flags, int32]
	src_group	int32
	src_mask	int32
	dst_group	int32
	dst_mask	int32
}

xt_devgroup_flags = XT_DEVGROUP_MATCH_SRC, XT_DEVGROUP_INVERT_SRC, XT_DEVGROUP_MATCH_DST, XT_DEVGROUP_INVERT_DST

# count is generated independently of the fixed-size ports/pflags arrays,
# within 0..XT_MULTI_PORTS inclusive.
xt_multiport_v1 {
	flags	int8[0:2]
	count	int8[0:XT_MULTI_PORTS]
	ports	array[sock_port, XT_MULTI_PORTS]
	pflags	array[bool8, XT_MULTI_PORTS]
	invert	bool8
}

xt_cluster_match_info {
	total_nodes	int32
	node_mask	int32
	hash_seed	int32
	flags		bool32
}

xt_ecn_info {
	operation	flags[xt_ecn_operation, int8]
	invert		flags[xt_ecn_operation, int8]
	ip_ect		int8
	ect		int8
}

xt_ecn_operation = XT_ECN_OP_MATCH_IP, XT_ECN_OP_MATCH_ECE, XT_ECN_OP_MATCH_CWR

# The min/max pairs are generated independently, so inverted ranges
# (min greater than max) are produced too.
xt_owner_match_info {
	uid_min	uid
	uid_max	uid
	gid_min	gid
	gid_max	gid
	match	flags[xt_owner_match_flags, int8]
	invert	flags[xt_owner_match_flags, int8]
}

xt_owner_match_flags = XT_OWNER_UID, XT_OWNER_GID, XT_OWNER_SOCKET

xt_pkttype_info {
	pkttype	int32
	invert	int32
}

# Arrays are sized XT_U32_REAL_MAXSIZE (XT_U32_MAXSIZE + 1, see the define
# below) and every count ranges over 0..XT_U32_REAL_MAXSIZE inclusive.
# NOTE(review): presumably the extra slot mirrors the uapi array size, so the
# generated counts can exceed XT_U32_MAXSIZE and reach the kernel's bound
# check - confirm against xt_u32.h.
xt_u32 {
	tests	array[xt_u32_test, XT_U32_REAL_MAXSIZE]
	ntests	int8[0:XT_U32_REAL_MAXSIZE]
	invert	bool8
}

xt_u32_test {
	location	array[xt_u32_location_element, XT_U32_REAL_MAXSIZE]
	value		array[xt_u32_value_element, XT_U32_REAL_MAXSIZE]
	nnums		int8[0:XT_U32_REAL_MAXSIZE]
	nvalues		int8[0:XT_U32_REAL_MAXSIZE]
}

xt_u32_location_element {
	number	int32
	nextop	flags[xt_u32_ops, int8]
}

xt_u32_value_element {
	min	int32
	max	int32
}

xt_u32_ops = XT_U32_AND, XT_U32_LEFTSH, XT_U32_RIGHTSH, XT_U32_AT
define XT_U32_REAL_MAXSIZE	XT_U32_MAXSIZE + 1

xt_iprange_mtinfo {
	src_min	nf_inet_addr
	src_max	nf_inet_addr
	dst_min	nf_inet_addr
	dst_max	nf_inet_addr
	flags	flags[xt_iprange_flags, int8]
}

xt_iprange_flags = IPRANGE_SRC, IPRANGE_DST, IPRANGE_SRC_INV, IPRANGE_DST_INV

xt_esp {
	spis		array[xfrm_spi, 2]
	invflags	flags[xt_esp_flags, int8]
}

xt_esp_flags = XT_ESP_INV_SPI

# cpu is an unconstrained 32-bit value, not limited to CPUs that exist.
xt_cpu_info {
	cpu	int32
	invert	bool32
}

xt_state_info {
	statemask	int32
}