199 lines
5.9 KiB
C
199 lines
5.9 KiB
C
// Copyright 2019 The gVisor Authors.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
// There are a number of structs and values that we can't #include because of a
|
|
// difference between C and C++ (C++ won't let you implicitly cast from void* to
|
|
// struct something*). We re-define them here.
|
|
|
|
#ifndef GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_
|
|
#define GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_
|
|
|
|
// Netfilter headers require some headers to preceed them.
|
|
// clang-format off
|
|
#include <netinet/in.h>
|
|
#include <stddef.h>
|
|
// clang-format on
|
|
|
|
#include <linux/netfilter/x_tables.h>
|
|
#include <linux/netfilter_ipv4.h>
|
|
#include <net/if.h>
|
|
#include <netinet/ip.h>
|
|
#include <stdint.h>
|
|
|
|
#define ipt_standard_target xt_standard_target
|
|
#define ipt_entry_target xt_entry_target
|
|
#define ipt_error_target xt_error_target
|
|
|
|
enum SockOpts {
|
|
// For setsockopt.
|
|
BASE_CTL = 64,
|
|
SO_SET_REPLACE = BASE_CTL,
|
|
SO_SET_ADD_COUNTERS,
|
|
SO_SET_MAX = SO_SET_ADD_COUNTERS,
|
|
|
|
// For getsockopt.
|
|
SO_GET_INFO = BASE_CTL,
|
|
SO_GET_ENTRIES,
|
|
SO_GET_REVISION_MATCH,
|
|
SO_GET_REVISION_TARGET,
|
|
SO_GET_MAX = SO_GET_REVISION_TARGET
|
|
};
|
|
|
|
// ipt_ip specifies basic matching criteria that can be applied by examining
|
|
// only the IP header of a packet.
|
|
struct ipt_ip {
|
|
// Source IP address.
|
|
struct in_addr src;
|
|
|
|
// Destination IP address.
|
|
struct in_addr dst;
|
|
|
|
// Source IP address mask.
|
|
struct in_addr smsk;
|
|
|
|
// Destination IP address mask.
|
|
struct in_addr dmsk;
|
|
|
|
// Input interface.
|
|
char iniface[IFNAMSIZ];
|
|
|
|
// Output interface.
|
|
char outiface[IFNAMSIZ];
|
|
|
|
// Input interface mask.
|
|
unsigned char iniface_mask[IFNAMSIZ];
|
|
|
|
// Output interface mask.
|
|
unsigned char outiface_mask[IFNAMSIZ];
|
|
|
|
// Transport protocol.
|
|
uint16_t proto;
|
|
|
|
// Flags.
|
|
uint8_t flags;
|
|
|
|
// Inverse flags.
|
|
uint8_t invflags;
|
|
};
|
|
|
|
// ipt_entry is an iptables rule. It contains information about what packets the
|
|
// rule matches and what action (target) to perform for matching packets.
|
|
struct ipt_entry {
|
|
// Basic matching information used to match a packet's IP header.
|
|
struct ipt_ip ip;
|
|
|
|
// A caching field that isn't used by userspace.
|
|
unsigned int nfcache;
|
|
|
|
// The number of bytes between the start of this ipt_entry struct and the
|
|
// rule's target.
|
|
uint16_t target_offset;
|
|
|
|
// The total size of this rule, from the beginning of the entry to the end of
|
|
// the target.
|
|
uint16_t next_offset;
|
|
|
|
// A return pointer not used by userspace.
|
|
unsigned int comefrom;
|
|
|
|
// Counters for packets and bytes, which we don't yet implement.
|
|
struct xt_counters counters;
|
|
|
|
// The data for all this rules matches followed by the target. This runs
|
|
// beyond the value of sizeof(struct ipt_entry).
|
|
unsigned char elems[0];
|
|
};
|
|
|
|
// Passed to getsockopt(SO_GET_INFO).
|
|
struct ipt_getinfo {
|
|
// The name of the table. The user only fills this in, the rest is filled in
|
|
// when returning from getsockopt. Currently "nat" and "mangle" are supported.
|
|
char name[XT_TABLE_MAXNAMELEN];
|
|
|
|
// A bitmap of which hooks apply to the table. For example, a table with hooks
|
|
// PREROUTING and FORWARD has the value
|
|
// (1 << NF_IP_PRE_REOUTING) | (1 << NF_IP_FORWARD).
|
|
unsigned int valid_hooks;
|
|
|
|
// The offset into the entry table for each valid hook. The entry table is
|
|
// returned by getsockopt(SO_GET_ENTRIES).
|
|
unsigned int hook_entry[NF_IP_NUMHOOKS];
|
|
|
|
// For each valid hook, the underflow is the offset into the entry table to
|
|
// jump to in case traversing the table yields no verdict (although I have no
|
|
// clue how that could happen - builtin chains always end with a policy, and
|
|
// user-defined chains always end with a RETURN.
|
|
//
|
|
// The entry referred to must be an "unconditional" entry, meaning it has no
|
|
// matches, specifies no IP criteria, and either DROPs or ACCEPTs packets. It
|
|
// basically has to be capable of making a definitive decision no matter what
|
|
// it's passed.
|
|
unsigned int underflow[NF_IP_NUMHOOKS];
|
|
|
|
// The number of entries in the entry table returned by
|
|
// getsockopt(SO_GET_ENTRIES).
|
|
unsigned int num_entries;
|
|
|
|
// The size of the entry table returned by getsockopt(SO_GET_ENTRIES).
|
|
unsigned int size;
|
|
};
|
|
|
|
// Passed to getsockopt(SO_GET_ENTRIES).
|
|
struct ipt_get_entries {
|
|
// The name of the table. The user fills this in. Currently "nat" and "mangle"
|
|
// are supported.
|
|
char name[XT_TABLE_MAXNAMELEN];
|
|
|
|
// The size of the entry table in bytes. The user fills this in with the value
|
|
// from struct ipt_getinfo.size.
|
|
unsigned int size;
|
|
|
|
// The entries for the given table. This will run past the size defined by
|
|
// sizeof(struct ipt_get_entries).
|
|
struct ipt_entry entrytable[0];
|
|
};
|
|
|
|
// Passed to setsockopt(SO_SET_REPLACE).
|
|
struct ipt_replace {
|
|
// The name of the table.
|
|
char name[XT_TABLE_MAXNAMELEN];
|
|
|
|
// The same as struct ipt_getinfo.valid_hooks. Users don't change this.
|
|
unsigned int valid_hooks;
|
|
|
|
// The same as struct ipt_getinfo.num_entries.
|
|
unsigned int num_entries;
|
|
|
|
// The same as struct ipt_getinfo.size.
|
|
unsigned int size;
|
|
|
|
// The same as struct ipt_getinfo.hook_entry.
|
|
unsigned int hook_entry[NF_IP_NUMHOOKS];
|
|
|
|
// The same as struct ipt_getinfo.underflow.
|
|
unsigned int underflow[NF_IP_NUMHOOKS];
|
|
|
|
// The number of counters, which should equal the number of entries.
|
|
unsigned int num_counters;
|
|
|
|
// The unchanged values from each ipt_entry's counters.
|
|
struct xt_counters* counters;
|
|
|
|
// The entries to write to the table. This will run past the size defined by
|
|
// sizeof(srtuct ipt_replace);
|
|
struct ipt_entry entries[0];
|
|
};
|
|
|
|
#endif // GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_
|