Dr Andrew Scott
G7VAV
Senior Lecturer
School of Computing
and Communications
D35 InfoLab21
Lancaster University
Lancaster, LA1 4WA
United Kingdom
School of Computing
and Communications
D35 InfoLab21
Lancaster University
Lancaster, LA1 4WA
United Kingdom
| June 2025 | ||||||
| Mo | Tu | We | Th | Fr | Sa | Su |
| 26 | 27 | 28 | 29 | 30 | 31 | 1 |
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 | 29 |
| 30 | 1 | 2 | 3 | 4 | 5 | 6 |
ip_tables.h
001: /* 002: * 25-Jul-1998 Major changes to allow for ip chain table 003: * 004: * 3-Jan-2000 Named tables to allow packet selection for different uses. 005: */ 006: 007: /* 008: * Format of an IP firewall descriptor 009: * 010: * src, dst, src_mask, dst_mask are always stored in network byte order. 011: * flags are stored in host byte order (of course). 012: * Port numbers are stored in HOST byte order. 013: */ 014: 015: #ifndef _IPTABLES_H 016: #define _IPTABLES_H 017: 018: #include <linux/types.h> 019: 020: #include <linux/netfilter_ipv4.h> 021: 022: #include <linux/netfilter/x_tables.h> 023: 024: #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN 025: #define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN 026: #define ipt_match xt_match 027: #define ipt_target xt_target 028: #define ipt_table xt_table 029: #define ipt_get_revision xt_get_revision 030: #define ipt_entry_match xt_entry_match 031: #define ipt_entry_target xt_entry_target 032: #define ipt_standard_target xt_standard_target 033: #define ipt_error_target xt_error_target 034: #define ipt_counters xt_counters 035: #define IPT_CONTINUE XT_CONTINUE 036: #define IPT_RETURN XT_RETURN 037: 038: /* This group is older than old (iptables < v1.4.0-rc1~89) */ 039: #include <linux/netfilter/xt_tcpudp.h> 040: #define ipt_udp xt_udp 041: #define ipt_tcp xt_tcp 042: #define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT 043: #define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT 044: #define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS 045: #define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION 046: #define IPT_TCP_INV_MASK XT_TCP_INV_MASK 047: #define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT 048: #define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT 049: #define IPT_UDP_INV_MASK XT_UDP_INV_MASK 050: 051: /* The argument to IPT_SO_ADD_COUNTERS. */ 052: #define ipt_counters_info xt_counters_info 053: /* Standard return verdict, or do jump. */ 054: #define IPT_STANDARD_TARGET XT_STANDARD_TARGET 055: /* Error verdict. */ 056: #define IPT_ERROR_TARGET XT_ERROR_TARGET 057: 058: /* fn returns 0 to continue iteration */ 059: #define IPT_MATCH_ITERATE(e, fn, args...) \ 060: XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args) 061: 062: /* fn returns 0 to continue iteration */ 063: #define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ 064: XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args) 065: 066: /* Yes, Virginia, you have to zero the padding. */ 067: struct ipt_ip { 068: /* Source and destination IP addr */ 069: struct in_addr src, dst; 070: /* Mask for src and dest IP addr */ 071: struct in_addr smsk, dmsk; 072: char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; 073: unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; 074: 075: /* Protocol, 0 = ANY */ 076: __u16 proto; 077: 078: /* Flags word */ 079: __u8 flags; 080: /* Inverse flags */ 081: __u8 invflags; 082: }; 083: 084: /* Values for "flag" field in struct ipt_ip (general ip structure). */ 085: #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ 086: #define IPT_F_GOTO 0x02 /* Set if jump is a goto */ 087: #define IPT_F_MASK 0x03 /* All possible flag bits mask. */ 088: 089: /* Values for "inv" field in struct ipt_ip. */ 090: #define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ 091: #define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ 092: #define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */ 093: #define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ 094: #define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ 095: #define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */ 096: #define IPT_INV_PROTO XT_INV_PROTO 097: #define IPT_INV_MASK 0x7F /* All possible flag bits mask. */ 098: 099: /* This structure defines each of the firewall rules. Consists of 3 100: parts which are 1) general IP header stuff 2) match specific 101: stuff 3) the target to perform if the rule matches */ 102: struct ipt_entry { 103: struct ipt_ip ip; 104: 105: /* Mark with fields that we care about. */ 106: unsigned int nfcache; 107: 108: /* Size of ipt_entry + matches */ 109: __u16 target_offset; 110: /* Size of ipt_entry + matches + target */ 111: __u16 next_offset; 112: 113: /* Back pointer */ 114: unsigned int comefrom; 115: 116: /* Packet and byte counters. */ 117: struct xt_counters counters; 118: 119: /* The matches (if any), then the target. */ 120: unsigned char elems[0]; 121: }; 122: 123: /* 124: * New IP firewall options for [gs]etsockopt at the RAW IP level. 125: * Unlike BSD Linux inherits IP options so you don't have to use a raw 126: * socket for this. Instead we check rights in the calls. 127: * 128: * ATTENTION: check linux/in.h before adding new number here. 129: */ 130: #define IPT_BASE_CTL 64 131: 132: #define IPT_SO_SET_REPLACE (IPT_BASE_CTL) 133: #define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) 134: #define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS 135: 136: #define IPT_SO_GET_INFO (IPT_BASE_CTL) 137: #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) 138: #define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2) 139: #define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) 140: #define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET 141: 142: /* ICMP matching stuff */ 143: struct ipt_icmp { 144: __u8 type; /* type to match */ 145: __u8 code[2]; /* range of code */ 146: __u8 invflags; /* Inverse flags */ 147: }; 148: 149: /* Values for "inv" field for struct ipt_icmp. */ 150: #define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */ 151: 152: /* The argument to IPT_SO_GET_INFO */ 153: struct ipt_getinfo { 154: /* Which table: caller fills this in. */ 155: char name[XT_TABLE_MAXNAMELEN]; 156: 157: /* Kernel fills these in. */ 158: /* Which hook entry points are valid: bitmask */ 159: unsigned int valid_hooks; 160: 161: /* Hook entry points: one per netfilter hook. */ 162: unsigned int hook_entry[NF_INET_NUMHOOKS]; 163: 164: /* Underflow points. */ 165: unsigned int underflow[NF_INET_NUMHOOKS]; 166: 167: /* Number of entries */ 168: unsigned int num_entries; 169: 170: /* Size of entries. */ 171: unsigned int size; 172: }; 173: 174: /* The argument to IPT_SO_SET_REPLACE. */ 175: struct ipt_replace { 176: /* Which table. */ 177: char name[XT_TABLE_MAXNAMELEN]; 178: 179: /* Which hook entry points are valid: bitmask. You can't 180: change this. */ 181: unsigned int valid_hooks; 182: 183: /* Number of entries */ 184: unsigned int num_entries; 185: 186: /* Total size of new entries */ 187: unsigned int size; 188: 189: /* Hook entry points. */ 190: unsigned int hook_entry[NF_INET_NUMHOOKS]; 191: 192: /* Underflow points. */ 193: unsigned int underflow[NF_INET_NUMHOOKS]; 194: 195: /* Information about old entries: */ 196: /* Number of counters (must be equal to current number of entries). */ 197: unsigned int num_counters; 198: /* The old entries' counters. */ 199: struct xt_counters *counters; 200: 201: /* The entries (hang off end: not really an array). */ 202: struct ipt_entry entries[0]; 203: }; 204: 205: /* The argument to IPT_SO_GET_ENTRIES. */ 206: struct ipt_get_entries { 207: /* Which table: user fills this in. */ 208: char name[XT_TABLE_MAXNAMELEN]; 209: 210: /* User fills this in: total entry size. */ 211: unsigned int size; 212: 213: /* The entries. */ 214: struct ipt_entry entrytable[0]; 215: }; 216: 217: /* Helper functions */ 218: static __inline__ struct xt_entry_target * 219: ipt_get_target(struct ipt_entry *e) 220: { 221: return (void *)e + e->target_offset; 222: } 223: 224: /* 225: * Main firewall chains definitions and global var's definitions. 226: */ 227: #endif /* _IPTABLES_H */ 228:
for client
(none)
© Andrew Scott 2006 -
2025,
All Rights Reserved
All Rights Reserved
Andrew Scott