1 #ifndef IPTABLES_XSHARED_H
2 #define IPTABLES_XSHARED_H 1
3 
4 #include <limits.h>
5 #include <stdbool.h>
6 #include <stdint.h>
7 #include <netinet/in.h>
8 #include <net/if.h>
9 #include <linux/netfilter_arp/arp_tables.h>
10 #include <linux/netfilter_ipv4/ip_tables.h>
11 #include <linux/netfilter_ipv6/ip6_tables.h>
12 
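#ifdef DEBUG
/*
 * Debug tracing, compiled in only when DEBUG is defined. In non-DEBUG
 * builds both macros expand to nothing, so their arguments are never
 * evaluated: callers must not rely on side effects inside them.
 */
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
/*
 * Hex-dump LEN bytes starting at DATA to stdout, 16 bytes per line, each
 * line prefixed with PFX. Wrapped in do/while(0) so a call followed by ';'
 * is one statement (safe as the unbraced body of an if/else), DATA and LEN
 * are parenthesised and copied into locals so they are evaluated once and
 * not re-associated on expansion.
 */
#define DEBUG_HEXDUMP(pfx, data, len)					\
	do {								\
		const unsigned char *xs_hd_p = (const unsigned char *)(data); \
		int xs_hd_n = (len);					\
		for (int xs_hd_i = 0; xs_hd_i < xs_hd_n; xs_hd_i++) {	\
			if (xs_hd_i % 16 == 0)				\
				printf("%s%s: ", xs_hd_i ? "\n" : "", (pfx)); \
			printf("%02x ", xs_hd_p[xs_hd_i]);		\
		}							\
		printf("\n");						\
	} while (0)
#else
#define DEBUGP(x, args...)
#define DEBUG_HEXDUMP(pfx, data, len)
#endif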
25 
/*
 * Command-line option bits, OR'ed together into
 * iptables_command_state.options (an unsigned int, so all 22 bits fit).
 * The first group is common to every front end; the later groups are
 * only set by the arptables and ebtables front ends, as marked.
 */
enum {
	OPT_NONE        = 0,
	OPT_NUMERIC     = 1 << 0,
	OPT_SOURCE      = 1 << 1,
	OPT_DESTINATION = 1 << 2,
	OPT_PROTOCOL    = 1 << 3,
	OPT_JUMP        = 1 << 4,
	OPT_VERBOSE     = 1 << 5,
	OPT_EXPANDED    = 1 << 6,
	OPT_VIANAMEIN   = 1 << 7,
	OPT_VIANAMEOUT  = 1 << 8,
	OPT_LINENUMBERS = 1 << 9,
	OPT_COUNTERS    = 1 << 10,
	OPT_FRAGMENT	= 1 << 11,
	/* below are for arptables only */
	OPT_S_MAC	= 1 << 12,
	OPT_D_MAC	= 1 << 13,
	OPT_H_LENGTH	= 1 << 14,
	OPT_OPCODE	= 1 << 15,
	OPT_H_TYPE	= 1 << 16,
	OPT_P_TYPE	= 1 << 17,
	/* below are for ebtables only */
	OPT_LOGICALIN	= 1 << 18,
	OPT_LOGICALOUT	= 1 << 19,
	OPT_COMMAND	= 1 << 20,
	OPT_ZERO	= 1 << 21,
};
53 
/*
 * Command bits (one per -A/-D/-I/... style command). They are bit flags so
 * that a parser can detect more than one command on the same line;
 * xt_cmd_parse.command carries the result.
 */
enum {
	CMD_NONE		= 0,
	CMD_INSERT		= 1 << 0,
	CMD_DELETE		= 1 << 1,
	CMD_DELETE_NUM		= 1 << 2,
	CMD_REPLACE		= 1 << 3,
	CMD_APPEND		= 1 << 4,
	CMD_LIST		= 1 << 5,
	CMD_FLUSH		= 1 << 6,
	CMD_ZERO		= 1 << 7,
	CMD_NEW_CHAIN		= 1 << 8,
	CMD_DELETE_CHAIN	= 1 << 9,
	CMD_SET_POLICY		= 1 << 10,
	CMD_RENAME_CHAIN	= 1 << 11,
	CMD_LIST_RULES		= 1 << 12,
	CMD_ZERO_NUM		= 1 << 13,
	CMD_CHECK		= 1 << 14,
};
/*
 * Number of rows in the per-command tables kept in the .c files.
 * NOTE(review): only 15 CMD_* bits (0..14) are defined above, so this is
 * one more than the bit count - confirm against the tables that use it
 * before changing either side.
 */
#define NUMBER_OF_CMD		16
73 
/* Opaque libxtables types; only pointers to them are used in this header. */
struct xtables_globals;
struct xtables_rule_match;
struct xtables_target;
77 
/*
 * getopt() option strings. In the common prefix, the leading "-" makes
 * getopt return non-option arguments in place (as option 1) and the
 * following ":" makes a missing option argument report ':' instead of '?';
 * a letter followed by "::" takes an optional argument, by ":" a required
 * one. Each front end appends its own letters.
 */
#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
#define IPT_OPTSTRING	OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
/* NOTE(review): the commented-out "m:" presumably records an option the
 * arptables front end deliberately does not accept - confirm. */
#define ARPT_OPTSTRING	OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
#define EBT_OPTSTRING	OPTSTRING_COMMON "hv"
82 
/*
 * Inversion flags for the arptables-only matches, chosen so they do not
 * collide with the IPT_INV_* values from linux/netfilter_ipv4/ip_tables.h.
 * They need at least 16 bits: xtables_args.invflags is a uint16_t for that
 * reason. NOTE(review): values >= 0x0100 cannot be stored in an 8-bit
 * invflags field, so they must only ever be copied into the arptables
 * entry - verify where they are assigned.
 */
#define IPT_INV_SRCDEVADDR	0x0080
#define IPT_INV_TGTDEVADDR	0x0100
#define IPT_INV_ARPHLN		0x0200
#define IPT_INV_ARPOP		0x0400
#define IPT_INV_ARPHRD		0x0800
89 
/*
 * Singly-linked list node for ebtables-compat. ebtables "watchers" are
 * implemented as targets, so a node holds either an xtables_match or an
 * xtables_target; ismatch says which union member is live and must be
 * checked before dereferencing u.
 */
struct ebt_match {
	struct ebt_match			*next;
	union {
		struct xtables_match		*match;
		struct xtables_target		*watcher;
	} u;
	bool					ismatch;	/* true: u.match, false: u.watcher */
};
99 
/*
 * Fake ebt_entry: a user-space stand-in for the kernel ebtables entry,
 * used as the ebtables member of the iptables_command_state union.
 * NOTE(review): it shares its tag with the kernel's struct ebt_entry, so
 * this header must not be included together with the kernel ebtables
 * header - confirm the layout matches whatever consumes it.
 */
struct ebt_entry {
	/* this needs to be the first field */
	unsigned int bitmask;
	unsigned int invflags;
	uint16_t ethproto;
	/* the physical in-dev */
	char in[IFNAMSIZ];
	/* the logical in-dev */
	char logical_in[IFNAMSIZ];
	/* the physical out-dev */
	char out[IFNAMSIZ];
	/* the logical out-dev */
	char logical_out[IFNAMSIZ];
	/* MAC address and mask pairs; 6 bytes each (Ethernet address length) */
	unsigned char sourcemac[6];
	unsigned char sourcemsk[6];
	unsigned char destmac[6];
	unsigned char destmsk[6];
};
119 
/*
 * Per-rule parser state shared by all front ends. The anonymous union
 * holds the family-specific entry being built; the family decides which
 * member is live (eb/fw/fw6/arp) and the members must not be mixed.
 */
struct iptables_command_state {
	union {
		struct ebt_entry eb;
		struct ipt_entry fw;
		struct ip6t_entry fw6;
		struct arpt_entry arp;
	};
	int c;				/* current getopt() option character */
	unsigned int options;		/* OPT_* bits seen so far */
	struct xtables_rule_match *matches;
	struct ebt_match *match_list;	/* ebtables-compat matches/watchers */
	struct xtables_target *target;
	struct xt_counters counters;
	char *protocol;
	int proto_used;
	const char *jumpto;		/* -j/-g target or chain name */
	char **argv;
	bool restore;			/* parsing iptables-restore input */
};
139 
/* Release everything cs owns and reset it for the next rule; presumably
 * also frees matches/match_list - confirm in xshared.c. */
void xtables_clear_iptables_command_state(struct iptables_command_state *cs);
141 
/* Entry point of a multi-call subcommand: main(argc, argv). */
typedef int (*mainfunc_t)(int, char **);
143 
/* One entry of the subcommand dispatch table consulted by subcmd_main(). */
struct subcommand {
	const char *name;	/* program/subcommand name to match */
	mainfunc_t main;	/* entry point to run on a match */
};
148 
/* Dispatch to the matching entry of the subcommand table and return its
 * result; how the table is terminated is not visible here - check the
 * definition before building one. */
extern int subcmd_main(int, char **, const struct subcommand *);
/* Reset per-rule state inside a target / match before reuse. */
extern void xs_init_target(struct xtables_target *);
extern void xs_init_match(struct xtables_match *);
152 
153 /**
154  * Values for the iptables lock.
155  *
156  * A value >= 0 indicates the lock filedescriptor. Other values are:
157  *
158  * XT_LOCK_FAILED : The lock could not be acquired.
159  *
160  * XT_LOCK_BUSY : The lock was held by another process. xtables_lock only
161  * returns this value when |wait| == false. If |wait| == true, xtables_lock
162  * will not return unless the lock has been acquired.
163  *
164  * XT_LOCK_NOT_ACQUIRED : We have not yet attempted to acquire the lock.
165  */
166 enum {
167 	XT_LOCK_BUSY = -1,
168 	XT_LOCK_FAILED = -2,
169 	XT_LOCK_NOT_ACQUIRED  = -3,
170 };
/* Release a lock value obtained from xtables_lock_or_exit(). Callers should
 * pass the value back unchanged, negative sentinels included; whether those
 * are ignored is decided by the implementation - confirm. */
extern void xtables_unlock(int lock);
/* Acquire the lock or exit the process. wait is presumably the -w value
 * returned by parse_wait_time(); 0 means do not wait - confirm. */
extern int xtables_lock_or_exit(int wait);
173 
/* Parse the optional argument of -w (lock wait) from argv; return value is
 * the wait to hand to xtables_lock_or_exit(). */
int parse_wait_time(int argc, char *argv[]);
/* Parse the optional argument of -W (lock poll interval). */
void parse_wait_interval(int argc, char *argv[]);
/* Parse a "[pkts:bytes]" counter string into ctr; non-zero return presumably
 * means success - check the implementation, the input comes from restore
 * files. */
int parse_counters(const char *string, struct xt_counters *ctr);
/* Split the leading counter token off a restore line, advancing *bufferp;
 * line is used for error reporting. */
bool tokenize_rule_counters(char **bufferp, char **pcnt, char **bcnt, int line);
/* True if the option currently being parsed has an argument available. */
bool xs_has_arg(int argc, char *argv[]);
179 
/* Upper bound on the argument vector a restore line is split into. */
#define MAX_ARGC	255
/*
 * Argument vector rebuilt from a parsed (restore) line: argc entries in
 * argv, with one attribute per entry in argvattr (presumably the quoted
 * flag given to add_argv()). NOTE(review): no bound check and no reserved
 * slot for a terminating NULL are visible in this header; add_argv() must
 * refuse the MAX_ARGC-th argument rather than write past argv[] - verify
 * in xshared.c, since this input is read from files.
 */
struct argv_store {
	int argc;
	char *argv[MAX_ARGC];
	int argvattr[MAX_ARGC];
};
186 
/* Append a copy of what to store; quoted records whether it was quoted.
 * Ownership of the copy stays with the store (see free_argv). */
void add_argv(struct argv_store *store, const char *what, int quoted);
/* Free every argument held by store. */
void free_argv(struct argv_store *store);
/* Copy src's arguments into dst; whether it moves or duplicates them is not
 * visible here - confirm before freeing src afterwards. */
void save_argv(struct argv_store *dst, struct argv_store *src);
/* Tokenise the rule text at parsestart (quotes honoured) into store; line
 * is used for error messages. */
void add_param_to_argv(struct argv_store *store, char *parsestart, int line);
#ifdef DEBUG
void debug_print_argv(struct argv_store *store);
#else
#  define debug_print_argv(...) /* nothing */
#endif
196 
/* Format addr/mask per the FMT_* bits in format. The returned string is
 * presumably a static buffer overwritten by the next call - do not keep it. */
const char *ipv4_addr_to_string(const struct in_addr *addr,
				const struct in_addr *mask,
				unsigned int format);
/* Print the chain header line of a listing (policy, counters, refs). */
void print_header(unsigned int format, const char *chain, const char *pol,
		  const struct xt_counters *counters,
		  int refs, uint32_t entries);
/* Listing (print_*) and restore-format (save_*) output of the address
 * fields; letter is the option character to emit ('s' or 'd'), invert
 * prefixes it with "!". */
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
void save_ipv4_addr(char letter, const struct in_addr *addr,
		    const struct in_addr *mask, int invert);
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
void save_ipv6_addr(char letter, const struct in6_addr *addr,
		    const struct in6_addr *mask, int invert);
209 
/* Listing output of the in/out interface columns; invflags selects "!". */
void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
		  unsigned int format);
/* Restore-format output of one interface option; mask is the IFNAMSIZ-byte
 * kernel interface mask (a wildcard "+" is derived from it, presumably). */
void save_iface(char letter, const char *iface,
		const unsigned char *mask, int invert);

/* Output of the fragment flag; fake selects the ip6tables spelling where
 * the kernel has no such flag - confirm in the implementation. */
void print_fragment(unsigned int flags, unsigned int invflags,
		    unsigned int format, bool fake);
217 
/* Handle -j/-g: records jumpto in cs and loads the target extension if
 * jumpto names one. */
void command_jump(struct iptables_command_state *cs, const char *jumpto);

/* Validate a user-supplied chain name and abort with an error if it is
 * not acceptable (length and character set checks, presumably); call it
 * on every chain name taken from the command line or a restore file
 * before it is copied into a fixed-size kernel structure. */
void assert_valid_chain_name(const char *chainname);
221 
/* Listing output of the fixed rule columns (line number, counters, target,
 * protocol, options, in/out); proto is the 8-bit IP protocol. */
void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs,
			const char *targname, uint8_t proto, uint8_t flags,
			uint8_t invflags, unsigned int format);
/* Restore-format output of the same fields. proto is 16 bits here, wide
 * enough for the arptables protocol type as well. */
void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
		       const char *outiface, unsigned const char *outiface_mask,
		       uint16_t proto, int frag, uint8_t invflags);

/* Restore-format output of one match; ip is the entry the match belongs
 * to, passed untyped because it may be an ipt_entry or ip6t_entry. */
int print_match_save(const struct xt_entry_match *e, const void *ip);
230 
/* Print the "Try `... -h'" hint and exit with status; line is reported
 * when non-zero (restore input), presumably. Never returns. */
void exit_tryhelp(int status, int line) __attribute__((noreturn));
232 
/*
 * A parsed host/network list: naddrs addresses with, presumably, the same
 * number of parallel masks. Only the v4 or the v6 members are live,
 * according to xtables_args.family. Who allocates and frees the arrays is
 * not visible in this header - confirm before adding an early return in a
 * caller.
 */
struct addr_mask {
	union {
		struct in_addr	*v4;
		struct in6_addr *v6;
		void *ptr;
	} addr;

	unsigned int naddrs;

	union {
		struct in_addr	*v4;
		struct in6_addr *v6;
		void *ptr;
	} mask;
};
248 
/*
 * Family-neutral results of option parsing, filled by do_parse() and then
 * turned into the family-specific entry by the proto_parse/post_parse ops.
 * String members point into argv and are not owned here.
 */
struct xtables_args {
	int		family;		/* NFPROTO_* of the front end */
	uint16_t	proto;		/* 16 bits: arptables uses a ptype here */
	uint8_t		flags;
	uint16_t	invflags;	/* 16 bits to fit the IPT_INV_ARP* values */
	char		iniface[IFNAMSIZ], outiface[IFNAMSIZ];
	unsigned char	iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
	bool		goto_set;	/* -g rather than -j */
	const char	*shostnetworkmask, *dhostnetworkmask;
	const char	*pcnt, *bcnt;	/* counter strings as given on the line */
	struct addr_mask s, d;		/* parsed source / destination lists */
	const char	*src_mac, *dst_mac;
	const char	*arp_hlen, *arp_opcode;
	const char	*arp_htype, *arp_ptype;
	unsigned long long pcnt_cnt, bcnt_cnt;	/* parsed counter values */
	int		wait;		/* -w lock wait */
};
266 
/*
 * Family hooks invoked by do_parse(): proto_parse while options are
 * consumed, post_parse once the command is known. Both must be set;
 * nothing in this header shows a NULL check on them.
 */
struct xt_cmd_parse_ops {
	void	(*proto_parse)(struct iptables_command_state *cs,
			       struct xtables_args *args);
	void	(*post_parse)(int command,
			      struct iptables_command_state *cs,
			      struct xtables_args *args);
};
274 
/*
 * Command-level results of do_parse(). table is non-const because it may
 * be rewritten (a default table name, presumably); chain/newname/policy
 * point into argv and are not owned.
 */
struct xt_cmd_parse {
	unsigned int			command;	/* CMD_* bits */
	unsigned int			rulenum;	/* 1-based rule number, if given */
	char				*table;
	const char			*chain;
	const char			*newname;	/* -E new chain name */
	const char			*policy;	/* -P policy name */
	bool				restore;	/* parsing restore input */
	int				line;		/* restore line, for errors */
	int				verbose;
	bool				xlate;		/* nft translation mode */
	struct xt_cmd_parse_ops		*ops;		/* family hooks, must be set */
};
288 
/* Run getopt over argv, filling p (command), cs (entry/matches/target) and
 * args (raw option values). Errors are reported and the process exits
 * rather than returning a status, as far as this header shows. */
void do_parse(int argc, char *argv[],
	      struct xt_cmd_parse *p, struct iptables_command_state *cs,
	      struct xtables_args *args);

/* Default xt_cmd_parse_ops hooks for the IPv4 and IPv6 front ends. */
void ipv4_proto_parse(struct iptables_command_state *cs,
		      struct xtables_args *args);
void ipv6_proto_parse(struct iptables_command_state *cs,
		      struct xtables_args *args);
void ipv4_post_parse(int command, struct iptables_command_state *cs,
		     struct xtables_args *args);
void ipv6_post_parse(int command, struct iptables_command_state *cs,
		     struct xtables_args *args);
301 
/* ARP opcode names, indexed by opcode value. The definition lives in
 * another file and is expected to hold exactly ARP_NUMOPCODES entries;
 * range-check an opcode against ARP_NUMOPCODES before indexing, since the
 * value may come from the kernel or from user input. */
extern char *arp_opcodes[];
#define ARP_NUMOPCODES 9
304 
/* Build the byte mask used to compare rules on delete: entry_size bytes for
 * the entry followed by one region per match and the target. The buffer is
 * presumably heap-allocated and the caller must free it - confirm. */
unsigned char *make_delete_mask(const struct xtables_rule_match *matches,
				const struct xtables_target *target,
				size_t entry_size);
308 
309 #endif /* IPTABLES_XSHARED_H */