go
/
gvisor
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
gvisor/test/syscalls/linux/iptables.h

199 lines
5.9 KiB
C
Raw Blame History

// Copyright 2019 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// There are a number of structs and values that we can't #include because of a
// difference between C and C++ (C++ won't let you implicitly cast from void* to
// struct something*). We re-define them here.
#ifndef GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_
#define GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_
// Netfilter headers require some headers to preceed them.
// clang-format off
#include <netinet/in.h>
#include <stddef.h>
// clang-format on
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4.h>
#include <net/if.h>
#include <netinet/ip.h>
#include <stdint.h>
#define ipt_standard_target xt_standard_target
#define ipt_entry_target xt_entry_target
#define ipt_error_target xt_error_target
enum SockOpts {
// For setsockopt.
BASE_CTL = 64,
SO_SET_REPLACE = BASE_CTL,
SO_SET_ADD_COUNTERS,
SO_SET_MAX = SO_SET_ADD_COUNTERS,
// For getsockopt.
SO_GET_INFO = BASE_CTL,
SO_GET_ENTRIES,
SO_GET_REVISION_MATCH,
SO_GET_REVISION_TARGET,
SO_GET_MAX = SO_GET_REVISION_TARGET
};
// ipt_ip specifies basic matching criteria that can be applied by examining
// only the IP header of a packet.
struct ipt_ip {
// Source IP address.
struct in_addr src;
// Destination IP address.
struct in_addr dst;
// Source IP address mask.
struct in_addr smsk;
// Destination IP address mask.
struct in_addr dmsk;
// Input interface.
char iniface[IFNAMSIZ];
// Output interface.
char outiface[IFNAMSIZ];
// Input interface mask.
unsigned char iniface_mask[IFNAMSIZ];
// Output interface mask.
unsigned char outiface_mask[IFNAMSIZ];
// Transport protocol.
uint16_t proto;
// Flags.
uint8_t flags;
// Inverse flags.
uint8_t invflags;
};
// ipt_entry is an iptables rule. It contains information about what packets the
// rule matches and what action (target) to perform for matching packets.
struct ipt_entry {
// Basic matching information used to match a packet's IP header.
struct ipt_ip ip;
// A caching field that isn't used by userspace.
unsigned int nfcache;
// The number of bytes between the start of this ipt_entry struct and the
// rule's target.
uint16_t target_offset;
// The total size of this rule, from the beginning of the entry to the end of
// the target.
uint16_t next_offset;
// A return pointer not used by userspace.
unsigned int comefrom;
// Counters for packets and bytes, which we don't yet implement.
struct xt_counters counters;
// The data for all this rules matches followed by the target. This runs
// beyond the value of sizeof(struct ipt_entry).
unsigned char elems[0];
};
// Passed to getsockopt(SO_GET_INFO).
struct ipt_getinfo {
// The name of the table. The user only fills this in, the rest is filled in
// when returning from getsockopt. Currently "nat" and "mangle" are supported.
char name[XT_TABLE_MAXNAMELEN];
// A bitmap of which hooks apply to the table. For example, a table with hooks
// PREROUTING and FORWARD has the value
// (1 << NF_IP_PRE_REOUTING) | (1 << NF_IP_FORWARD).
unsigned int valid_hooks;
// The offset into the entry table for each valid hook. The entry table is
// returned by getsockopt(SO_GET_ENTRIES).
unsigned int hook_entry[NF_IP_NUMHOOKS];
// For each valid hook, the underflow is the offset into the entry table to
// jump to in case traversing the table yields no verdict (although I have no
// clue how that could happen - builtin chains always end with a policy, and
// user-defined chains always end with a RETURN.
//
// The entry referred to must be an "unconditional" entry, meaning it has no
// matches, specifies no IP criteria, and either DROPs or ACCEPTs packets. It
// basically has to be capable of making a definitive decision no matter what
// it's passed.
unsigned int underflow[NF_IP_NUMHOOKS];
// The number of entries in the entry table returned by
// getsockopt(SO_GET_ENTRIES).
unsigned int num_entries;
// The size of the entry table returned by getsockopt(SO_GET_ENTRIES).
unsigned int size;
};
// Passed to getsockopt(SO_GET_ENTRIES).
struct ipt_get_entries {
// The name of the table. The user fills this in. Currently "nat" and "mangle"
// are supported.
char name[XT_TABLE_MAXNAMELEN];
// The size of the entry table in bytes. The user fills this in with the value
// from struct ipt_getinfo.size.
unsigned int size;
// The entries for the given table. This will run past the size defined by
// sizeof(struct ipt_get_entries).
struct ipt_entry entrytable[0];
};
// Passed to setsockopt(SO_SET_REPLACE).
struct ipt_replace {
// The name of the table.
char name[XT_TABLE_MAXNAMELEN];
// The same as struct ipt_getinfo.valid_hooks. Users don't change this.
unsigned int valid_hooks;
// The same as struct ipt_getinfo.num_entries.
unsigned int num_entries;
// The same as struct ipt_getinfo.size.
unsigned int size;
// The same as struct ipt_getinfo.hook_entry.
unsigned int hook_entry[NF_IP_NUMHOOKS];
// The same as struct ipt_getinfo.underflow.
unsigned int underflow[NF_IP_NUMHOOKS];
// The number of counters, which should equal the number of entries.
unsigned int num_counters;
// The unchanged values from each ipt_entry's counters.
struct xt_counters* counters;
// The entries to write to the table. This will run past the size defined by
// sizeof(srtuct ipt_replace);
struct ipt_entry entries[0];
};
#endif // GVISOR_TEST_SYSCALLS_IPTABLES_TYPES_H_
Reference in New Issue View Git Blame Copy Permalink