# Source: github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/sys/linux/netfilter_ipv4.txt
# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# syzkaller description of the IPv4 iptables (ip_tables) socket-option interface.
# The interface takes a caller-supplied blob of variable-length rule entries that
# carry their own offsets (target_offset, next_offset, hook entry points, underflows).
# The types below are built so that generated blobs are structurally plausible.
# Types not defined here (sock_in, xt_counters, xt_target_t, xt_entry_match_t,
# xt_unspec_*, xt_inet_*, xt_set_*, ipv4_addr, devname, mac_addr, ...) come from
# other description files.
# NOTE(review): the kernel is expected to gate these sockopts on CAP_NET_ADMIN in
# the user namespace owning the socket's netns; coverage then depends on the fuzzing
# sandbox holding that capability - confirm for the sandbox in use.

include <linux/socket.h>
include <uapi/linux/netfilter/xt_osf.h>
include <uapi/linux/netfilter_ipv4/ip_tables.h>
include <uapi/linux/netfilter_ipv4/ipt_ah.h>
include <uapi/linux/netfilter_ipv4/ipt_ttl.h>
include <uapi/linux/netfilter_ipv4/ipt_REJECT.h>
include <uapi/linux/netfilter_ipv4/ipt_ECN.h>
include <uapi/linux/netfilter_ipv4/ipt_TTL.h>
include <uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h>

# Table replacement and counter update. len is the size of the pointed-to value.
setsockopt$IPT_SO_SET_REPLACE(fd sock_in, level const[SOL_IP], opt const[IPT_SO_SET_REPLACE], val ptr[in, ipt_replace], len len[val])
setsockopt$IPT_SO_SET_ADD_COUNTERS(fd sock_in, level const[SOL_IP], opt const[IPT_SO_SET_ADD_COUNTERS], val ptr[in, ipt_counters_info], len len[val])
# Queries. The length is passed by pointer. Both val and len are declared ptr[in],
# so whatever the kernel writes back into them is not modelled by this description.
getsockopt$IPT_SO_GET_INFO(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_INFO], val ptr[in, ipt_getinfo], len ptr[in, len[val, int32]])
getsockopt$IPT_SO_GET_ENTRIES(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_ENTRIES], val ptr[in, ipt_get_entries], len ptr[in, len[val, int32]])
getsockopt$IPT_SO_GET_REVISION_MATCH(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_REVISION_MATCH], val ptr[in, xt_get_revision], len ptr[in, len[val, int32]])
getsockopt$IPT_SO_GET_REVISION_TARGET(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_REVISION_TARGET], val ptr[in, xt_get_revision], len ptr[in, len[val, int32]])

# One variant per built-in table. Template arguments, in order: table name,
# NENTRIES, NHOOKS, valid-hooks constant, match union, target union, then five
# hook entry slots (H0-H4) and five underflow slots (U0-U4), each either ipt_hook
# or ipt_unused. In every variant NHOOKS is NENTRIES+1.
ipt_replace [
	filter	ipt_replace_t["filter", 3, 4, IPT_FILTER_VALID_HOOKS, ipt_filter_matches, ipt_filter_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
	nat	ipt_replace_t["nat", 4, 5, IPT_NAT_VALID_HOOKS, ipt_nat_matches, ipt_nat_targets, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook]
	mangle	ipt_replace_t["mangle", 5, 6, IPT_MANGLE_VALID_HOOKS, ipt_mangle_matches, ipt_mangle_targets, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook]
	raw	ipt_replace_t["raw", 2, 3, IPT_RAW_VALID_HOOKS, ipt_raw_matches, ipt_raw_targets, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused]
	security	ipt_replace_t["security", 3, 4, IPT_SECURITY_VALID_HOOKS, ipt_security_matches, ipt_security_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
] [varlen]

# Layout of the IPT_SO_SET_REPLACE argument for one table.
type ipt_replace_t[NAME, NENTRIES, NHOOKS, HOOKS, MATCHES, TARGETS, H0, H1, H2, H3, H4, U0, U1, U2, U3, U4] {
	name	string[NAME, XT_TABLE_MAXNAMELEN]
	valid_hooks	const[HOOKS, int32]
# NHOOKS here counts the NENTRIES generated entries plus the one trailing
# underflow entry emitted by ipt_replace_entries.
	num_entries	const[NHOOKS, int32]
# Byte size of the trailing entries blob.
	size	bytesize[entries, int32]
	hook_pre_routing	H0
	hook_local_in	H1
	hook_forward	H2
	hook_local_out	H3
	hook_post_routing	H4
	underflow_pre_routing	U0
	underflow_local_in	U1
	underflow_forward	U2
	underflow_local_out	U3
	underflow_post_routing	U4
# num_counters and the length of the out-pointer array are the same constant,
# so the advertised count always matches the buffer actually provided.
	num_counters	const[NHOOKS, int32]
	counters	ptr[out, array[xt_counters, NHOOKS]]
	entries	ipt_replace_entries[NENTRIES, MATCHES, TARGETS]
}

# The rule blob: exactly NENTRIES generated entries followed by one fixed
# unconditional entry (ipt_entry_underflow).
type ipt_replace_entries[NENTRIES, MATCHES, TARGETS] {
	entries	array[ipt_entry[MATCHES, TARGETS], NENTRIES]
	underflow	ipt_entry_underflow
} [packed, align[PTR_SIZE]]

# Values for the hook entry / underflow slots: offset 0, or -1.
# NOTE(review): every slot that is not ipt_unused is the constant 0, so all used
# hook entry points and underflows refer to offset 0 of the entries blob, while the
# fixed unconditional entry is emitted last. Presumably many generated tables are
# therefore rejected by the kernel's offset/underflow validation - confirm this is
# intended.
type ipt_hook const[0, int32]
type ipt_unused const[-1, int32]

# One rule: the fixed header plus matches, immediately followed by its target.
type ipt_entry[MATCHES, TARGETS] {
	matches	ipt_entry_matches[MATCHES]
	target	TARGETS
} [packed, align[PTR_SIZE]]

# Header part of a rule followed by zero to two matches.
type ipt_entry_matches[MATCHES] {
	ip	ipt_ip_or_uncond
	nfcache	const[0, int32]
# Size of this struct (header plus matches). The target follows it directly in
# ipt_entry, so this is where the target starts.
	target_offset	len[parent, int16]
# Size of the whole enclosing ipt_entry, i.e. the distance to the next rule.
	next_offset	len[ipt_entry, int16]
	comefrom	const[0, int32]
	counters	xt_counters
	matches	array[MATCHES, 0:2]
} [align[PTR_SIZE]]

# Fixed final rule: all-zero ip selector, no matches, and a target with an empty
# name carrying the constant NF_ACCEPT_VERDICT.
ipt_entry_underflow {
	matches	ipt_entry_underflow_matches
	target	xt_target_t["", const[NF_ACCEPT_VERDICT, int32], 0]
} [align[PTR_SIZE]]

# Header of the fixed final rule. Same fields as ipt_entry_matches, without matches.
ipt_entry_underflow_matches {
	ip	ipt_ip_uncond
	nfcache	const[0, int32]
	target_offset	len[parent, int16]
	next_offset	len[ipt_entry_underflow, int16]
	comefrom	const[0, int32]
	counters	xt_counters
}

# Either a populated selector or the all-zero one.
ipt_ip_or_uncond [
	ip	ipt_ip
	uncond	ipt_ip_uncond
]

# All-zero image of struct ipt_ip (IPT_IP_SIZE bytes).
type ipt_ip_uncond array[const[0, int8], IPT_IP_SIZE]
define IPT_IP_SIZE	sizeof(struct ipt_ip)

# Packet selector of a rule: addresses and masks, interface names and masks,
# protocol, flags and inversion flags.
ipt_ip {
	src	ipv4_addr
	dst	ipv4_addr
	smsk	ipv4_addr_mask
	dmsk	ipv4_addr_mask
	iniface	devname
	outiface	devname
	iniface_mask	devname_mask
	outiface_mask	devname_mask
	proto	flags[ipv4_types, int16]
	flags	flags[ipt_ip_flags, int8]
	invflags	flags[ipt_ip_invflags, int8]
}

ipt_ip_flags = IPT_F_FRAG, IPT_F_GOTO
ipt_ip_invflags = IPT_INV_VIA_IN, IPT_INV_VIA_OUT, IPT_INV_TOS, IPT_INV_SRCIP, IPT_INV_DSTIP, IPT_INV_FRAG, IPT_INV_PROTO

# Argument of IPT_SO_SET_ADD_COUNTERS: num_counters is the element count of the
# trailing array, which holds between 2 and 5 counters.
ipt_counters_info {
	name	string[ipt_tables, XT_TABLE_MAXNAMELEN]
	num_counters	len[counters, int32]
	counters	array[xt_counters, 2:5]
}

# Table names used by the query and counter calls.
ipt_tables = "filter", "nat", "mangle", "raw", "security"

# Argument of IPT_SO_GET_INFO. Only name is meaningful input.
ipt_getinfo {
	name	string[ipt_tables, XT_TABLE_MAXNAMELEN]
# The rest are output arguments.
	valid_hooks	const[0, int32]
	hook_entry	array[int32, NF_INET_NUMHOOKS]
	underflow	array[const[0, int32], NF_INET_NUMHOOKS]
	num_entries	const[0, int32]
	size	const[0, int32]
}

# Argument of IPT_SO_GET_ENTRIES: size is the byte size of entrytable, an
# arbitrary-length byte buffer.
ipt_get_entries {
	name	string[ipt_tables, XT_TABLE_MAXNAMELEN]
	size	bytesize[entrytable, int32]
	entrytable	array[int8]
}

# MATCHES:

# Matches available to every IPv4 table. Each xt_entry_match_t names the extension
# and its payload type.
# NOTE(review): the third template argument (0) is presumably the extension
# revision - confirm against the xt_entry_match_t definition.
ipt_matches [
	unspec	xt_unspec_matches
	inet	xt_inet_matches
	icmp	xt_entry_match_t["icmp", ipt_icmp, 0]
	ah	xt_entry_match_t["ah", ipt_ah, 0]
	socket0	xt_entry_match_t["socket", void, 0]
	set	xt_entry_match_t["set", xt_set_info_match_v0, 0]
	addrtype	xt_entry_match_t["addrtype", xt_addrtype_info, 0]
	osf	xt_entry_match_t["osf", xt_osf_info, 0]
	ttl	xt_entry_match_t["ttl", ipt_ttl_info, 0]
] [varlen]

# Per-table match unions: the common set, plus table-specific additions for
# mangle and raw.
ipt_filter_matches [
	common	ipt_matches
] [varlen]

ipt_nat_matches [
	common	ipt_matches
] [varlen]

ipt_mangle_matches [
	common	ipt_matches
	inet	xt_inet_mangle_matches
] [varlen]

ipt_raw_matches [
	common	ipt_matches
	inet	xt_inet_raw_matches
] [varlen]

ipt_security_matches [
	common	ipt_matches
] [varlen]

# Payload of the "icmp" match.
ipt_icmp {
	type	flags[icmp_types, int8]
	code	array[int8, 2]
	invflags	bool8
}

# Payload of the "ah" match.
ipt_ah {
	spis	array[int32, 2]
	invflags	bool8
}

# Payload of the "osf" match. genre is one of two fixed strings.
xt_osf_info {
	genre	string[xt_osf_genre, MAXGENRELEN]
# unused?
	len	const[0, int32]
	flags	flags[xt_osf_flags, int32]
	loglevel	int32[0:2]
	ttl	int32[0:2]
}

xt_osf_genre = "syz0", "syz1"
xt_osf_flags = XT_OSF_GENRE, XT_OSF_TTL, XT_OSF_LOG, XT_OSF_INVERT

# Payload of the "ttl" match (comparison mode plus value).
ipt_ttl_info {
	mode	flags[ipt_ttl_mode, int8]
	ttl	int8
}

ipt_ttl_mode = IPT_TTL_EQ, IPT_TTL_NE, IPT_TTL_LT, IPT_TTL_GT

# TARGETS:

# Targets available to every IPv4 table.
ipt_targets [
	unspec	xt_unspec_targets
	inet	xt_inet_targets
	SET	xt_target_t["SET", xt_set_info_target_v0, 0]
# TODO: remove CLUSTERIP once removed from relevant LTS.
# Removed from kernel in 9db5d918e2c07fa09.
	CLUSTERIP	xt_target_t["CLUSTERIP", ipt_clusterip_tgt_info, 0]
] [varlen]

# Per-table target unions: the common set plus the targets listed for that table.
ipt_filter_targets [
	common	ipt_targets
	REJECT	xt_target_t["REJECT", ipt_reject_info, 0]
] [varlen]

# All NAT targets share the nf_nat_ipv4_multi_range_compat payload.
ipt_nat_targets [
	common	ipt_targets
	unspec	xt_unspec_nat_targets
	NETMAP	xt_target_t["NETMAP", nf_nat_ipv4_multi_range_compat, 0]
	SNAT0	xt_target_t["SNAT", nf_nat_ipv4_multi_range_compat, 0]
	DNAT0	xt_target_t["DNAT", nf_nat_ipv4_multi_range_compat, 0]
	REDIRECT	xt_target_t["REDIRECT", nf_nat_ipv4_multi_range_compat, 0]
	MASQUERADE	xt_target_t["MASQUERADE", nf_nat_ipv4_multi_range_compat, 0]
] [varlen]

ipt_mangle_targets [
	common	ipt_targets
	unspec	xt_unspec_mangle_targets
	inet	xt_inet_mangle_targets
	ECN	xt_target_t["ECN", ipt_ECN_info, 0]
	TPROXY	xt_target_t["TPROXY", xt_tproxy_target_info, 0]
	TTL	xt_target_t["TTL", ipt_TTL_info, 0]
] [varlen]

ipt_raw_targets [
	common	ipt_targets
	unspec	xt_unspec_raw_targets
] [varlen]

ipt_security_targets [
	common	ipt_targets
] [varlen]

# Payload of the REJECT target.
ipt_reject_info {
	with	flags[ipt_reject_with, int32]
}

ipt_reject_with = IPT_ICMP_NET_UNREACHABLE, IPT_ICMP_HOST_UNREACHABLE, IPT_ICMP_PROT_UNREACHABLE, IPT_ICMP_PORT_UNREACHABLE, IPT_ICMP_NET_PROHIBITED, IPT_ICMP_HOST_PROHIBITED, IPT_TCP_RESET, IPT_ICMP_ADMIN_PROHIBITED

# Payload of the ECN target.
# NOTE(review): tcp is limited to 0..3, presumably the two one-bit ece/cwr fields
# of the C struct - confirm against ipt_ECN.h.
ipt_ECN_info {
	operation	flags[ipt_ECN_op, int8]
	ip_ect	int8
	tcp	int8[0:3]
}

ipt_ECN_op = IPT_ECN_OP_SET_IP, IPT_ECN_OP_SET_ECE, IPT_ECN_OP_SET_CWR

# Payload of the TTL target. mode is a plain 0..3 range rather than a named flag
# set.
# NOTE(review): the range presumably includes one value past the last defined
# mode - confirm against ipt_TTL.h.
ipt_TTL_info {
	mode	int8[0:3]
	ttl	int8
}

# Payload of the CLUSTERIP target. num_local_nodes is bounded by
# CLUSTERIP_MAX_NODES and local_nodes always has CLUSTERIP_MAX_NODES elements,
# each in 0..64.
ipt_clusterip_tgt_info {
	flags	bool32
	clustermac	mac_addr
	num_total_nodes	int16
	num_local_nodes	int16[0:CLUSTERIP_MAX_NODES]
	local_nodes	array[int16[0:64], CLUSTERIP_MAX_NODES]
	hash_mode	flags[ipt_clusterip_hash_mode, int32]
	hash_initval	int32
	config	intptr
}

ipt_clusterip_hash_mode = CLUSTERIP_HASHMODE_SIP, CLUSTERIP_HASHMODE_SIP_SPT, CLUSTERIP_HASHMODE_SIP_SPT_DPT