Diffstat (limited to 'test/syscalls/linux/iptables.h')
-rw-r--r--test/syscalls/linux/iptables.h132
1 files changed, 118 insertions, 14 deletions
diff --git a/test/syscalls/linux/iptables.h b/test/syscalls/linux/iptables.h
index 0719c60a4..d0fc10fea 100644
--- a/test/syscalls/linux/iptables.h
+++ b/test/syscalls/linux/iptables.h
@@ -27,27 +27,32 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
#include <net/if.h>
#include <netinet/ip.h>
#include <stdint.h>
+//
+// IPv4 ABI.
+//
+
#define ipt_standard_target xt_standard_target
#define ipt_entry_target xt_entry_target
#define ipt_error_target xt_error_target
enum SockOpts {
// For setsockopt.
- BASE_CTL = 64,
- SO_SET_REPLACE = BASE_CTL,
- SO_SET_ADD_COUNTERS,
- SO_SET_MAX = SO_SET_ADD_COUNTERS,
+ IPT_BASE_CTL = 64,
+ IPT_SO_SET_REPLACE = IPT_BASE_CTL,
+ IPT_SO_SET_ADD_COUNTERS = IPT_BASE_CTL + 1,
+ IPT_SO_SET_MAX = IPT_SO_SET_ADD_COUNTERS,
// For getsockopt.
- SO_GET_INFO = BASE_CTL,
- SO_GET_ENTRIES,
- SO_GET_REVISION_MATCH,
- SO_GET_REVISION_TARGET,
- SO_GET_MAX = SO_GET_REVISION_TARGET
+ IPT_SO_GET_INFO = IPT_BASE_CTL,
+ IPT_SO_GET_ENTRIES = IPT_BASE_CTL + 1,
+ IPT_SO_GET_REVISION_MATCH = IPT_BASE_CTL + 2,
+ IPT_SO_GET_REVISION_TARGET = IPT_BASE_CTL + 3,
+ IPT_SO_GET_MAX = IPT_SO_GET_REVISION_TARGET
};
// ipt_ip specifies basic matching criteria that can be applied by examining
@@ -115,7 +120,7 @@ struct ipt_entry {
unsigned char elems[0];
};
-// Passed to getsockopt(SO_GET_INFO).
+// Passed to getsockopt(IPT_SO_GET_INFO).
struct ipt_getinfo {
// The name of the table. The user only fills this in, the rest is filled in
// when returning from getsockopt. Currently "nat" and "mangle" are supported.
@@ -127,7 +132,7 @@ struct ipt_getinfo {
unsigned int valid_hooks;
// The offset into the entry table for each valid hook. The entry table is
- // returned by getsockopt(SO_GET_ENTRIES).
+ // returned by getsockopt(IPT_SO_GET_ENTRIES).
unsigned int hook_entry[NF_IP_NUMHOOKS];
// For each valid hook, the underflow is the offset into the entry table to
@@ -142,14 +147,14 @@ struct ipt_getinfo {
unsigned int underflow[NF_IP_NUMHOOKS];
// The number of entries in the entry table returned by
- // getsockopt(SO_GET_ENTRIES).
+ // getsockopt(IPT_SO_GET_ENTRIES).
unsigned int num_entries;
- // The size of the entry table returned by getsockopt(SO_GET_ENTRIES).
+ // The size of the entry table returned by getsockopt(IPT_SO_GET_ENTRIES).
unsigned int size;
};
-// Passed to getsockopt(SO_GET_ENTRIES).
+// Passed to getsockopt(IPT_SO_GET_ENTRIES).
struct ipt_get_entries {
// The name of the table. The user fills this in. Currently "nat" and "mangle"
// are supported.
@@ -195,4 +200,103 @@ struct ipt_replace {
struct ipt_entry entries[0];
};
+//
+// IPv6 ABI.
+//
+
+enum SockOpts6 {
+ // For setsockopt.
+ IP6T_BASE_CTL = 64,
+ IP6T_SO_SET_REPLACE = IP6T_BASE_CTL,
+ IP6T_SO_SET_ADD_COUNTERS = IP6T_BASE_CTL + 1,
+ IP6T_SO_SET_MAX = IP6T_SO_SET_ADD_COUNTERS,
+
+ // For getsockopt.
+ IP6T_SO_GET_INFO = IP6T_BASE_CTL,
+ IP6T_SO_GET_ENTRIES = IP6T_BASE_CTL + 1,
+ IP6T_SO_GET_REVISION_MATCH = IP6T_BASE_CTL + 4,
+ IP6T_SO_GET_REVISION_TARGET = IP6T_BASE_CTL + 5,
+ IP6T_SO_GET_MAX = IP6T_SO_GET_REVISION_TARGET
+};
+
+// ip6t_ip6 specifies basic matching criteria that can be applied by examining
+// only the IP header of a packet.
+struct ip6t_ip6 {
+ // Source IP address.
+ struct in6_addr src;
+
+ // Destination IP address.
+ struct in6_addr dst;
+
+ // Source IP address mask.
+ struct in6_addr smsk;
+
+ // Destination IP address mask.
+ struct in6_addr dmsk;
+
+ // Input interface.
+ char iniface[IFNAMSIZ];
+
+ // Output interface.
+ char outiface[IFNAMSIZ];
+
+ // Input interface mask.
+ unsigned char iniface_mask[IFNAMSIZ];
+
+ // Output interface mask.
+ unsigned char outiface_mask[IFNAMSIZ];
+
+ // Transport protocol.
+ uint16_t proto;
+
+ // TOS.
+ uint8_t tos;
+
+ // Flags.
+ uint8_t flags;
+
+ // Inverse flags.
+ uint8_t invflags;
+};
+
+// ip6t_entry is an ip6tables rule.
+struct ip6t_entry {
+ // Basic matching information used to match a packet's IP header.
+ struct ip6t_ip6 ipv6;
+
+ // A caching field that isn't used by userspace.
+ unsigned int nfcache;
+
+ // The number of bytes between the start of this entry and the rule's target.
+ uint16_t target_offset;
+
+ // The total size of this rule, from the beginning of the entry to the end of
+ // the target.
+ uint16_t next_offset;
+
+ // A return pointer not used by userspace.
+ unsigned int comefrom;
+
+ // Counters for packets and bytes, which we don't yet implement.
+ struct xt_counters counters;
+
+ // The data for all this rules matches followed by the target. This runs
+ // beyond the value of sizeof(struct ip6t_entry).
+ unsigned char elems[0];
+};
+
+// Passed to getsockopt(IP6T_SO_GET_ENTRIES).
+struct ip6t_get_entries {
+ // The name of the table.
+ char name[XT_TABLE_MAXNAMELEN];
+
+ // The size of the entry table in bytes. The user fills this in with the value
+ // from struct ipt_getinfo.size.
+ unsigned int size;
+
+ // The entries for the given table. This will run past the size defined by
+ // sizeof(struct ip6t_get_entries).
+ struct ip6t_entry entrytable[0];
+};
+
#endif // GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_
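Review bot: The comment on `size` in `struct ip6t_get_entries` tells the user to copy the value from `struct ipt_getinfo.size`, but that is the IPv4 info struct, and this hunk adds no `ip6t_getinfo` for the `IP6T_SO_GET_INFO` query it introduces; either add the IPv6 info struct or state explicitly that the IPv4 one is reused for IPv6 because the two layouts match (both are sized by NF_IP_NUMHOOKS), so a reader does not hand the wrong struct to getsockopt. These are hand-copied kernel ABI structs that go straight into a setsockopt/getsockopt buffer, so a layout slip is silent at compile time; a `static_assert(sizeof(struct ip6t_entry) == 168, "ip6t_entry ABI mismatch");` next to the definition (168 is the x86-64 size; confirm against the kernel headers for the target) would catch it. The jump to `IP6T_BASE_CTL + 4` for `IP6T_SO_GET_REVISION_MATCH` differs from the IPv4 numbering earlier in the file and is presumably intentional (ip6_tables leaves +2 and +3 unused), so a one-line comment `// Unlike IPT_*, ip6_tables skips +2/+3; these values must not be "fixed" to match.` would prevent a well-meant correction. The `elems` comment should also read "all of this rule's matches" rather than "all this rules matches".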