// Copyright 2019 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// There are a number of structs and values that we can't #include because of a
// difference between C and C++ (C++ won't let you implicitly cast from void* to
// struct something*). We re-define them here.

#ifndef GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_
#define GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_

// Netfilter headers require some headers to preceed them.
// clang-format off
#include <netinet/in.h>
#include <stddef.h>
// clang-format on

#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4.h>
#include <net/if.h>
#include <netinet/ip.h>
#include <stdint.h>

#define ipt_standard_target xt_standard_target
#define ipt_entry_target xt_entry_target
#define ipt_error_target xt_error_target

enum SockOpts {
  // For setsockopt.
  BASE_CTL = 64,
  SO_SET_REPLACE = BASE_CTL,
  SO_SET_ADD_COUNTERS,
  SO_SET_MAX = SO_SET_ADD_COUNTERS,

  // For getsockopt.
  SO_GET_INFO = BASE_CTL,
  SO_GET_ENTRIES,
  SO_GET_REVISION_MATCH,
  SO_GET_REVISION_TARGET,
  SO_GET_MAX = SO_GET_REVISION_TARGET
};

// ipt_ip specifies basic matching criteria that can be applied by examining
// only the IP header of a packet.
struct ipt_ip {
  // Source IP address.
  struct in_addr src;

  // Destination IP address.
  struct in_addr dst;

  // Source IP address mask.
  struct in_addr smsk;

  // Destination IP address mask.
  struct in_addr dmsk;

  // Input interface.
  char iniface[IFNAMSIZ];

  // Output interface.
  char outiface[IFNAMSIZ];

  // Input interface mask.
  unsigned char iniface_mask[IFNAMSIZ];

  // Output interface mask.
  unsigned char outiface_mask[IFNAMSIZ];

  // Transport protocol.
  uint16_t proto;

  // Flags.
  uint8_t flags;

  // Inverse flags.
  uint8_t invflags;
};

// ipt_entry is an iptables rule. It contains information about what packets the
// rule matches and what action (target) to perform for matching packets.
struct ipt_entry {
  // Basic matching information used to match a packet's IP header.
  struct ipt_ip ip;

  // A caching field that isn't used by userspace.
  unsigned int nfcache;

  // The number of bytes between the start of this ipt_entry struct and the
  // rule's target.
  uint16_t target_offset;

  // The total size of this rule, from the beginning of the entry to the end of
  // the target.
  uint16_t next_offset;

  // A return pointer not used by userspace.
  unsigned int comefrom;

  // Counters for packets and bytes, which we don't yet implement.
  struct xt_counters counters;

  // The data for all this rules matches followed by the target. This runs
  // beyond the value of sizeof(struct ipt_entry).
  unsigned char elems[0];
};

// Passed to getsockopt(SO_GET_INFO).
struct ipt_getinfo {
  // The name of the table. The user only fills this in, the rest is filled in
  // when returning from getsockopt. Currently "nat" and "mangle" are supported.
  char name[XT_TABLE_MAXNAMELEN];

  // A bitmap of which hooks apply to the table. For example, a table with hooks
  // PREROUTING and FORWARD has the value
  // (1 << NF_IP_PRE_REOUTING) | (1 << NF_IP_FORWARD).
  unsigned int valid_hooks;

  // The offset into the entry table for each valid hook. The entry table is
  // returned by getsockopt(SO_GET_ENTRIES).
  unsigned int hook_entry[NF_IP_NUMHOOKS];

  // For each valid hook, the underflow is the offset into the entry table to
  // jump to in case traversing the table yields no verdict (although I have no
  // clue how that could happen - builtin chains always end with a policy, and
  // user-defined chains always end with a RETURN.
  //
  // The entry referred to must be an "unconditional" entry, meaning it has no
  // matches, specifies no IP criteria, and either DROPs or ACCEPTs packets.  It
  // basically has to be capable of making a definitive decision no matter what
  // it's passed.
  unsigned int underflow[NF_IP_NUMHOOKS];

  // The number of entries in the entry table returned by
  // getsockopt(SO_GET_ENTRIES).
  unsigned int num_entries;

  // The size of the entry table returned by getsockopt(SO_GET_ENTRIES).
  unsigned int size;
};

// Passed to getsockopt(SO_GET_ENTRIES).
struct ipt_get_entries {
  // The name of the table. The user fills this in. Currently "nat" and "mangle"
  // are supported.
  char name[XT_TABLE_MAXNAMELEN];

  // The size of the entry table in bytes. The user fills this in with the value
  // from struct ipt_getinfo.size.
  unsigned int size;

  // The entries for the given table. This will run past the size defined by
  // sizeof(struct ipt_get_entries).
  struct ipt_entry entrytable[0];
};

// Passed to setsockopt(SO_SET_REPLACE).
struct ipt_replace {
  // The name of the table.
  char name[XT_TABLE_MAXNAMELEN];

  // The same as struct ipt_getinfo.valid_hooks. Users don't change this.
  unsigned int valid_hooks;

  // The same as struct ipt_getinfo.num_entries.
  unsigned int num_entries;

  // The same as struct ipt_getinfo.size.
  unsigned int size;

  // The same as struct ipt_getinfo.hook_entry.
  unsigned int hook_entry[NF_IP_NUMHOOKS];

  // The same as struct ipt_getinfo.underflow.
  unsigned int underflow[NF_IP_NUMHOOKS];

  // The number of counters, which should equal the number of entries.
  unsigned int num_counters;

  // The unchanged values from each ipt_entry's counters.
  struct xt_counters* counters;

  // The entries to write to the table. This will run past the size defined by
  // sizeof(srtuct ipt_replace);
  struct ipt_entry entries[0];
};

#endif  // GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_