inet.af/netstack@v0.0.0-20220214151720-7585b01ddccf/abi/linux/netfilter_ipv6.go (about) 1 // Copyright 2020 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package linux 16 17 import ( 18 "inet.af/netstack/marshal" 19 "inet.af/netstack/marshal/primitive" 20 ) 21 22 // This file contains structures required to support IPv6 netfilter and 23 // ip6tables. Some constants and structs are equal to their IPv4 analogues, and 24 // are only distinguished by context (e.g. whether used on an IPv4 of IPv6 25 // socket). 26 27 // Socket options for SOL_SOCLET. These correspond to values in 28 // include/uapi/linux/netfilter_ipv6/ip6_tables.h. 29 const ( 30 IP6T_BASE_CTL = 64 31 IP6T_SO_SET_REPLACE = IPT_BASE_CTL 32 IP6T_SO_SET_ADD_COUNTERS = IPT_BASE_CTL + 1 33 IP6T_SO_SET_MAX = IPT_SO_SET_ADD_COUNTERS 34 35 IP6T_SO_GET_INFO = IPT_BASE_CTL 36 IP6T_SO_GET_ENTRIES = IPT_BASE_CTL + 1 37 IP6T_SO_GET_REVISION_MATCH = IPT_BASE_CTL + 4 38 IP6T_SO_GET_REVISION_TARGET = IPT_BASE_CTL + 5 39 IP6T_SO_GET_MAX = IP6T_SO_GET_REVISION_TARGET 40 ) 41 42 // IP6T_ORIGINAL_DST is the ip6tables SOL_IPV6 socket option. Corresponds to 43 // the value in include/uapi/linux/netfilter_ipv6/ip6_tables.h. 44 const IP6T_ORIGINAL_DST = 80 45 46 // IP6TReplace is the argument for the IP6T_SO_SET_REPLACE sockopt. It 47 // corresponds to struct ip6t_replace in 48 // include/uapi/linux/netfilter_ipv6/ip6_tables.h. 49 // 50 // +marshal 51 type IP6TReplace struct { 52 Name TableName 53 ValidHooks uint32 54 NumEntries uint32 55 Size uint32 56 HookEntry [NF_INET_NUMHOOKS]uint32 57 Underflow [NF_INET_NUMHOOKS]uint32 58 NumCounters uint32 59 Counters uint64 // This is really a *XTCounters. 60 // Entries is omitted here because it would cause IP6TReplace to be an 61 // extra byte longer (see http://www.catb.org/esr/structure-packing/). 62 // Entries [0]IP6TEntry 63 } 64 65 // SizeOfIP6TReplace is the size of an IP6TReplace. 66 const SizeOfIP6TReplace = 96 67 68 // KernelIP6TGetEntries is identical to IP6TGetEntries, but includes the 69 // Entrytable field. 70 // 71 // +marshal dynamic 72 type KernelIP6TGetEntries struct { 73 IPTGetEntries 74 Entrytable []KernelIP6TEntry 75 } 76 77 // SizeBytes implements marshal.Marshallable.SizeBytes. 78 func (ke *KernelIP6TGetEntries) SizeBytes() int { 79 res := ke.IPTGetEntries.SizeBytes() 80 for _, entry := range ke.Entrytable { 81 res += entry.SizeBytes() 82 } 83 return res 84 } 85 86 // MarshalBytes implements marshal.Marshallable.MarshalBytes. 87 func (ke *KernelIP6TGetEntries) MarshalBytes(dst []byte) []byte { 88 dst = ke.IPTGetEntries.MarshalUnsafe(dst) 89 for i := range ke.Entrytable { 90 dst = ke.Entrytable[i].MarshalBytes(dst) 91 } 92 return dst 93 } 94 95 // UnmarshalBytes implements marshal.Marshallable.UnmarshalBytes. 96 func (ke *KernelIP6TGetEntries) UnmarshalBytes(src []byte) []byte { 97 src = ke.IPTGetEntries.UnmarshalUnsafe(src) 98 for i := range ke.Entrytable { 99 src = ke.Entrytable[i].UnmarshalBytes(src) 100 } 101 return src 102 } 103 104 var _ marshal.Marshallable = (*KernelIP6TGetEntries)(nil) 105 106 // IP6TEntry is an iptables rule. It corresponds to struct ip6t_entry in 107 // include/uapi/linux/netfilter_ipv6/ip6_tables.h. 108 // 109 // +marshal 110 type IP6TEntry struct { 111 // IPv6 is used to filter packets based on the IPv6 header. 112 IPv6 IP6TIP 113 114 // NFCache relates to kernel-internal caching and isn't used by 115 // userspace. 116 NFCache uint32 117 118 // TargetOffset is the byte offset from the beginning of this IPTEntry 119 // to the start of the entry's target. 120 TargetOffset uint16 121 122 // NextOffset is the byte offset from the beginning of this IPTEntry to 123 // the start of the next entry. It is thus also the size of the entry. 124 NextOffset uint16 125 126 // Comeback is a return pointer. It is not used by userspace. 127 Comeback uint32 128 129 _ [4]byte 130 131 // Counters holds the packet and byte counts for this rule. 132 Counters XTCounters 133 134 // Elems holds the data for all this rule's matches followed by the 135 // target. It is variable length -- users have to iterate over any 136 // matches and use TargetOffset and NextOffset to make sense of the 137 // data. 138 // 139 // Elems is omitted here because it would cause IPTEntry to be an extra 140 // byte larger (see http://www.catb.org/esr/structure-packing/). 141 // 142 // Elems [0]byte 143 } 144 145 // SizeOfIP6TEntry is the size of an IP6TEntry. 146 const SizeOfIP6TEntry = 168 147 148 // KernelIP6TEntry is identical to IP6TEntry, but includes the Elems field. 149 // 150 // +marshal dynamic 151 type KernelIP6TEntry struct { 152 Entry IP6TEntry 153 154 // Elems holds the data for all this rule's matches followed by the 155 // target. It is variable length -- users have to iterate over any 156 // matches and use TargetOffset and NextOffset to make sense of the 157 // data. 158 Elems primitive.ByteSlice 159 } 160 161 // SizeBytes implements marshal.Marshallable.SizeBytes. 162 func (ke *KernelIP6TEntry) SizeBytes() int { 163 return ke.Entry.SizeBytes() + ke.Elems.SizeBytes() 164 } 165 166 // MarshalBytes implements marshal.Marshallable.MarshalBytes. 167 func (ke *KernelIP6TEntry) MarshalBytes(dst []byte) []byte { 168 dst = ke.Entry.MarshalUnsafe(dst) 169 return ke.Elems.MarshalBytes(dst) 170 } 171 172 // UnmarshalBytes implements marshal.Marshallable.UnmarshalBytes. 173 func (ke *KernelIP6TEntry) UnmarshalBytes(src []byte) []byte { 174 src = ke.Entry.UnmarshalUnsafe(src) 175 return ke.Elems.UnmarshalBytes(src) 176 } 177 178 var _ marshal.Marshallable = (*KernelIP6TEntry)(nil) 179 180 // IP6TIP contains information for matching a packet's IP header. 181 // It corresponds to struct ip6t_ip6 in 182 // include/uapi/linux/netfilter_ipv6/ip6_tables.h. 183 // 184 // +marshal 185 type IP6TIP struct { 186 // Src is the source IP address. 187 Src Inet6Addr 188 189 // Dst is the destination IP address. 190 Dst Inet6Addr 191 192 // SrcMask is the source IP mask. 193 SrcMask Inet6Addr 194 195 // DstMask is the destination IP mask. 196 DstMask Inet6Addr 197 198 // InputInterface is the input network interface. 199 InputInterface [IFNAMSIZ]byte 200 201 // OutputInterface is the output network interface. 202 OutputInterface [IFNAMSIZ]byte 203 204 // InputInterfaceMask is the input interface mask. 205 InputInterfaceMask [IFNAMSIZ]byte 206 207 // OuputInterfaceMask is the output interface mask. 208 OutputInterfaceMask [IFNAMSIZ]byte 209 210 // Protocol is the transport protocol. 211 Protocol uint16 212 213 // TOS matches TOS flags when Flags indicates filtering by TOS. 214 TOS uint8 215 216 // Flags define matching behavior for the IP header. 217 Flags uint8 218 219 // InverseFlags invert the meaning of fields in struct IPTIP. See the 220 // IP6T_INV_* flags. 221 InverseFlags uint8 222 223 // Linux defines in6_addr (Inet6Addr for us) as the union of a 224 // 16-element byte array and a 4-element 32-bit integer array, so the 225 // whole struct is 4-byte aligned. 226 _ [3]byte 227 } 228 229 // SizeOfIP6TIP is the size of an IP6 header. 230 const SizeOfIP6TIP = 136 231 232 // Flags in IP6TIP.Flags. Corresponding constants are in 233 // include/uapi/linux/netfilter_ipv6/ip6_tables.h. 234 const ( 235 // Whether to check the Protocol field. 236 IP6T_F_PROTO = 0x01 237 // Whether to match the TOS field. 238 IP6T_F_TOS = 0x02 239 // Indicates that the jump target is an aboslute GOTO, not an offset. 240 IP6T_F_GOTO = 0x04 241 // Enables all flags. 242 IP6T_F_MASK = 0x07 243 ) 244 245 // Flags in IP6TIP.InverseFlags. Corresponding constants are in 246 // include/uapi/linux/netfilter_ipv6/ip6_tables.h. 247 const ( 248 // Invert the meaning of InputInterface. 249 IP6T_INV_VIA_IN = 0x01 250 // Invert the meaning of OutputInterface. 251 IP6T_INV_VIA_OUT = 0x02 252 // Invert the meaning of TOS. 253 IP6T_INV_TOS = 0x04 254 // Invert the meaning of Src. 255 IP6T_INV_SRCIP = 0x08 256 // Invert the meaning of Dst. 257 IP6T_INV_DSTIP = 0x10 258 // Invert the meaning of the IPT_F_FRAG flag. 259 IP6T_INV_FRAG = 0x20 260 // Enable all flags. 261 IP6T_INV_MASK = 0x7F 262 ) 263 264 // NFNATRange corresponds to struct nf_nat_range in 265 // include/uapi/linux/netfilter/nf_nat.h. 266 // 267 // +marshal 268 type NFNATRange struct { 269 Flags uint32 270 MinAddr Inet6Addr 271 MaxAddr Inet6Addr 272 MinProto uint16 // Network byte order. 273 MaxProto uint16 // Network byte order. 274 } 275 276 // SizeOfNFNATRange is the size of NFNATRange. 277 const SizeOfNFNATRange = 40