gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/test/syscalls/linux/iptables.h (about) 1 // Copyright 2019 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // There are a number of structs and values that we can't #include because of a 16 // difference between C and C++ (C++ won't let you implicitly cast from void* to 17 // struct something*). We re-define them here. 18 19 #ifndef GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_ 20 #define GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_ 21 22 // Netfilter headers require some headers to preceed them. 23 // clang-format off 24 #include <netinet/in.h> 25 #include <stddef.h> 26 // clang-format on 27 28 #include <linux/netfilter/x_tables.h> 29 #include <linux/netfilter_ipv4.h> 30 #include <linux/netfilter_ipv6.h> 31 #include <net/if.h> 32 #include <netinet/ip.h> 33 #include <stdint.h> 34 35 // 36 // IPv4 ABI. 37 // 38 39 #define ipt_standard_target xt_standard_target 40 #define ipt_entry_target xt_entry_target 41 #define ipt_error_target xt_error_target 42 43 enum SockOpts { 44 // For setsockopt. 45 IPT_BASE_CTL = 64, 46 IPT_SO_SET_REPLACE = IPT_BASE_CTL, 47 IPT_SO_SET_ADD_COUNTERS = IPT_BASE_CTL + 1, 48 IPT_SO_SET_MAX = IPT_SO_SET_ADD_COUNTERS, 49 50 // For getsockopt. 51 IPT_SO_GET_INFO = IPT_BASE_CTL, 52 IPT_SO_GET_ENTRIES = IPT_BASE_CTL + 1, 53 IPT_SO_GET_REVISION_MATCH = IPT_BASE_CTL + 2, 54 IPT_SO_GET_REVISION_TARGET = IPT_BASE_CTL + 3, 55 IPT_SO_GET_MAX = IPT_SO_GET_REVISION_TARGET 56 }; 57 58 // ipt_ip specifies basic matching criteria that can be applied by examining 59 // only the IP header of a packet. 60 struct ipt_ip { 61 // Source IP address. 62 struct in_addr src; 63 64 // Destination IP address. 65 struct in_addr dst; 66 67 // Source IP address mask. 68 struct in_addr smsk; 69 70 // Destination IP address mask. 71 struct in_addr dmsk; 72 73 // Input interface. 74 char iniface[IFNAMSIZ]; 75 76 // Output interface. 77 char outiface[IFNAMSIZ]; 78 79 // Input interface mask. 80 unsigned char iniface_mask[IFNAMSIZ]; 81 82 // Output interface mask. 83 unsigned char outiface_mask[IFNAMSIZ]; 84 85 // Transport protocol. 86 uint16_t proto; 87 88 // Flags. 89 uint8_t flags; 90 91 // Inverse flags. 92 uint8_t invflags; 93 }; 94 95 // ipt_entry is an iptables rule. It contains information about what packets the 96 // rule matches and what action (target) to perform for matching packets. 97 struct ipt_entry { 98 // Basic matching information used to match a packet's IP header. 99 struct ipt_ip ip; 100 101 // A caching field that isn't used by userspace. 102 unsigned int nfcache; 103 104 // The number of bytes between the start of this ipt_entry struct and the 105 // rule's target. 106 uint16_t target_offset; 107 108 // The total size of this rule, from the beginning of the entry to the end of 109 // the target. 110 uint16_t next_offset; 111 112 // A return pointer not used by userspace. 113 unsigned int comefrom; 114 115 // Counters for packets and bytes, which we don't yet implement. 116 struct xt_counters counters; 117 118 // The data for all this rules matches followed by the target. This runs 119 // beyond the value of sizeof(struct ipt_entry). 120 unsigned char elems[0]; 121 }; 122 123 // Passed to getsockopt(IPT_SO_GET_INFO). 124 struct ipt_getinfo { 125 // The name of the table. The user only fills this in, the rest is filled in 126 // when returning from getsockopt. Currently "nat" and "mangle" are supported. 127 char name[XT_TABLE_MAXNAMELEN]; 128 129 // A bitmap of which hooks apply to the table. For example, a table with hooks 130 // PREROUTING and FORWARD has the value 131 // (1 << NF_IP_PRE_REOUTING) | (1 << NF_IP_FORWARD). 132 unsigned int valid_hooks; 133 134 // The offset into the entry table for each valid hook. The entry table is 135 // returned by getsockopt(IPT_SO_GET_ENTRIES). 136 unsigned int hook_entry[NF_IP_NUMHOOKS]; 137 138 // For each valid hook, the underflow is the offset into the entry table to 139 // jump to in case traversing the table yields no verdict (although I have no 140 // clue how that could happen - builtin chains always end with a policy, and 141 // user-defined chains always end with a RETURN. 142 // 143 // The entry referred to must be an "unconditional" entry, meaning it has no 144 // matches, specifies no IP criteria, and either DROPs or ACCEPTs packets. It 145 // basically has to be capable of making a definitive decision no matter what 146 // it's passed. 147 unsigned int underflow[NF_IP_NUMHOOKS]; 148 149 // The number of entries in the entry table returned by 150 // getsockopt(IPT_SO_GET_ENTRIES). 151 unsigned int num_entries; 152 153 // The size of the entry table returned by getsockopt(IPT_SO_GET_ENTRIES). 154 unsigned int size; 155 }; 156 157 // Passed to getsockopt(IPT_SO_GET_ENTRIES). 158 struct ipt_get_entries { 159 // The name of the table. The user fills this in. Currently "nat" and "mangle" 160 // are supported. 161 char name[XT_TABLE_MAXNAMELEN]; 162 163 // The size of the entry table in bytes. The user fills this in with the value 164 // from struct ipt_getinfo.size. 165 unsigned int size; 166 167 // The entries for the given table. This will run past the size defined by 168 // sizeof(struct ipt_get_entries). 169 struct ipt_entry entrytable[0]; 170 }; 171 172 // Passed to setsockopt(SO_SET_REPLACE). 173 struct ipt_replace { 174 // The name of the table. 175 char name[XT_TABLE_MAXNAMELEN]; 176 177 // The same as struct ipt_getinfo.valid_hooks. Users don't change this. 178 unsigned int valid_hooks; 179 180 // The same as struct ipt_getinfo.num_entries. 181 unsigned int num_entries; 182 183 // The same as struct ipt_getinfo.size. 184 unsigned int size; 185 186 // The same as struct ipt_getinfo.hook_entry. 187 unsigned int hook_entry[NF_IP_NUMHOOKS]; 188 189 // The same as struct ipt_getinfo.underflow. 190 unsigned int underflow[NF_IP_NUMHOOKS]; 191 192 // The number of counters, which should equal the number of entries. 193 unsigned int num_counters; 194 195 // The unchanged values from each ipt_entry's counters. 196 struct xt_counters* counters; 197 198 // The entries to write to the table. This will run past the size defined by 199 // sizeof(srtuct ipt_replace); 200 struct ipt_entry entries[0]; 201 }; 202 203 // 204 // IPv6 ABI. 205 // 206 207 enum SockOpts6 { 208 // For setsockopt. 209 IP6T_BASE_CTL = 64, 210 IP6T_SO_SET_REPLACE = IP6T_BASE_CTL, 211 IP6T_SO_SET_ADD_COUNTERS = IP6T_BASE_CTL + 1, 212 IP6T_SO_SET_MAX = IP6T_SO_SET_ADD_COUNTERS, 213 214 // For getsockopt. 215 IP6T_SO_GET_INFO = IP6T_BASE_CTL, 216 IP6T_SO_GET_ENTRIES = IP6T_BASE_CTL + 1, 217 IP6T_SO_GET_REVISION_MATCH = IP6T_BASE_CTL + 4, 218 IP6T_SO_GET_REVISION_TARGET = IP6T_BASE_CTL + 5, 219 IP6T_SO_GET_MAX = IP6T_SO_GET_REVISION_TARGET 220 }; 221 222 // ip6t_ip6 specifies basic matching criteria that can be applied by examining 223 // only the IP header of a packet. 224 // Must be POD so that it can be zero-initialized using memset() because 225 // initializing by "{}" leaves it partially uninitialized for paddings and 226 // nested unions. 227 struct ip6t_ip6 { 228 // Source IP address. 229 struct in6_addr src; 230 231 // Destination IP address. 232 struct in6_addr dst; 233 234 // Source IP address mask. 235 struct in6_addr smsk; 236 237 // Destination IP address mask. 238 struct in6_addr dmsk; 239 240 // Input interface. 241 char iniface[IFNAMSIZ]; 242 243 // Output interface. 244 char outiface[IFNAMSIZ]; 245 246 // Input interface mask. 247 unsigned char iniface_mask[IFNAMSIZ]; 248 249 // Output interface mask. 250 unsigned char outiface_mask[IFNAMSIZ]; 251 252 // Transport protocol. 253 uint16_t proto; 254 255 // TOS. 256 uint8_t tos; 257 258 // Flags. 259 uint8_t flags; 260 261 // Inverse flags. 262 uint8_t invflags; 263 }; 264 265 // ip6t_entry is an ip6tables rule. 266 struct ip6t_entry { 267 // Basic matching information used to match a packet's IP header. 268 struct ip6t_ip6 ipv6; 269 270 // A caching field that isn't used by userspace. 271 unsigned int nfcache; 272 273 // The number of bytes between the start of this entry and the rule's target. 274 uint16_t target_offset; 275 276 // The total size of this rule, from the beginning of the entry to the end of 277 // the target. 278 uint16_t next_offset; 279 280 // A return pointer not used by userspace. 281 unsigned int comefrom; 282 283 // Counters for packets and bytes, which we don't yet implement. 284 struct xt_counters counters; 285 286 // The data for all this rules matches followed by the target. This runs 287 // beyond the value of sizeof(struct ip6t_entry). 288 unsigned char elems[0]; 289 }; 290 291 // Passed to getsockopt(IP6T_SO_GET_ENTRIES). 292 struct ip6t_get_entries { 293 // The name of the table. 294 char name[XT_TABLE_MAXNAMELEN]; 295 296 // The size of the entry table in bytes. The user fills this in with the value 297 // from struct ipt_getinfo.size. 298 unsigned int size; 299 300 // The entries for the given table. This will run past the size defined by 301 // sizeof(struct ip6t_get_entries). 302 struct ip6t_entry entrytable[0]; 303 }; 304 305 #endif // GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_