From f22c085fe68bb827b15d235fee307f054c4f85a4 Mon Sep 17 00:00:00 2001
From: rusty <rusty>
Date: Tue, 2 May 2000 16:45:16 +0000
Subject: IPv6 enhancements.

---
 include/ip6tables.h        | 107 ++++++++++++++++++++++++++++++++++++
 include/iptables.h         |  28 ++++------
 include/iptables_common.h  |  18 ++++++
 include/libiptc/libip6tc.h | 133 +++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 269 insertions(+), 17 deletions(-)
 create mode 100644 include/ip6tables.h
 create mode 100644 include/iptables_common.h
 create mode 100644 include/libiptc/libip6tc.h

(limited to 'include')

diff --git a/include/ip6tables.h b/include/ip6tables.h
new file mode 100644
index 0000000..7acf800
--- /dev/null
+++ b/include/ip6tables.h
@@ -0,0 +1,107 @@
+#ifndef _IP6TABLES_USER_H
+#define _IP6TABLES_USER_H
+
+#include "iptables_common.h"
+#include "libiptc/libip6tc.h"
+
+/* Include file for additions: new matches and targets. */
+struct ip6tables_match
+{
+	struct ip6tables_match *next;
+
+	ip6t_chainlabel name;
+
+	const char *version;
+
+	/* Size of match data. */
+	size_t size;
+
+	/* Function which prints out usage message. */
+	void (*help)(void);
+
+	/* Initialize the match. */
+	void (*init)(struct ip6t_entry_match *m, unsigned int *nfcache);
+
+	/* Function which parses command options; returns true if it
+	   ate an option */
+	int (*parse)(int c, char **argv, int invert, unsigned int *flags,
+		     const struct ip6t_entry *entry,
+		     unsigned int *nfcache,
+		     struct ip6t_entry_match **match);
+
+	/* Final check; exit if not ok. */
+	void (*final_check)(unsigned int flags);
+
+	/* Prints out the match iff non-NULL: put space at end */
+	void (*print)(const struct ip6t_ip6 *ip,
+		      const struct ip6t_entry_match *match, int numeric);
+
+	/* Saves the union ipt_matchinfo in parsable form to stdout. */
+	void (*save)(const struct ip6t_ip6 *ip,
+		     const struct ip6t_entry_match *match);
+
+	/* Pointer to list of extra command-line options */
+	struct option *extra_opts;
+
+	/* Ignore these men behind the curtain: */
+	unsigned int option_offset;
+	struct ip6t_entry_match *m;
+	unsigned int mflags;
+};
+
+struct ip6tables_target
+{
+	struct ip6tables_target *next;
+	
+	ip6t_chainlabel name;
+
+	const char *version;
+
+	/* Size of target data. */
+	size_t size;
+
+	/* Function which prints out usage message. */
+	void (*help)(void);
+
+	/* Initialize the target. */
+	void (*init)(struct ip6t_entry_target *t, unsigned int *nfcache);
+
+	/* Function which parses command options; returns true if it
+	   ate an option */
+	int (*parse)(int c, char **argv, int invert, unsigned int *flags,
+		     const struct ip6t_entry *entry,
+		     struct ip6t_entry_target **target);
+	
+	/* Final check; exit if not ok. */
+	void (*final_check)(unsigned int flags);
+
+	/* Prints out the target iff non-NULL: put space at end */
+	void (*print)(const struct ip6t_ip6 *ip,
+		      const struct ip6t_entry_target *target, int numeric);
+
+	/* Saves the targinfo in parsable form to stdout. */
+	void (*save)(const struct ip6t_ip6 *ip,
+		     const struct ip6t_entry_target *target);
+
+	/* Pointer to list of extra command-line options */
+	struct option *extra_opts;
+
+	/* Ignore these men behind the curtain: */
+	unsigned int option_offset;
+	struct ip6t_entry_target *t;
+	unsigned int tflags;
+};
+
+/* Your shared library should call one of these. */
+extern void register_match6(struct ip6tables_match *me);
+extern void register_target6(struct ip6tables_target *me);
+
+extern int do_command6(int argc, char *argv[], char **table,
+		       ip6tc_handle_t *handle);
+/* Keeping track of external matches and targets: linked lists. */
+extern struct ip6tables_match *ip6tables_matches;
+extern struct ip6tables_target *ip6tables_targets;
+
+extern struct ip6tables_target *find_target6(const char *name, int tryload);
+extern struct ip6tables_match *find_match6(const char *name, int tryload);
+#endif /*_IP6TABLES_USER_H*/
diff --git a/include/iptables.h b/include/iptables.h
index 1ddd871..886d576 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -1,6 +1,7 @@
 #ifndef _IPTABLES_USER_H
 #define _IPTABLES_USER_H
 
+#include "iptables_common.h"
 #include "libiptc/libiptc.h"
 
 /* Include file for additions: new matches and targets. */
@@ -38,7 +39,7 @@ struct iptables_match
 	void (*print)(const struct ipt_ip *ip,
 		      const struct ipt_entry_match *match, int numeric);
 
-	/* Saves the union ipt_matchinfo in parsable form to stdout. */
+	/* Saves the match info in parsable form to stdout. */
 	void (*save)(const struct ipt_ip *ip,
 		     const struct ipt_entry_match *match);
 
@@ -101,21 +102,8 @@ struct iptables_target
 extern void register_match(struct iptables_match *me);
 extern void register_target(struct iptables_target *me);
 
-/* Functions we share */
-enum exittype {
-	OTHER_PROBLEM = 1,
-	PARAMETER_PROBLEM,
-	VERSION_PROBLEM
-};
-extern void exit_printhelp() __attribute__((noreturn));
-extern void exit_tryhelp(int) __attribute__((noreturn));
-int check_inverse(const char option[], int *invert);
-extern int string_to_number(const char *, int, int);
-void exit_error(enum exittype, char *, ...)__attribute__((noreturn,
-							  format(printf,2,3)));
+extern struct in_addr *dotted_to_addr(const char *dotted);
 extern char *addr_to_dotted(const struct in_addr *addrp);
-struct in_addr *dotted_to_addr(const char *dotted);
-extern const char *program_name, *program_version;
 
 extern int do_command(int argc, char *argv[], char **table,
 		      iptc_handle_t *handle);
@@ -123,6 +111,12 @@ extern int do_command(int argc, char *argv[], char **table,
 extern struct iptables_match *iptables_matches;
 extern struct iptables_target *iptables_targets;
 
-extern struct iptables_target *find_target(const char *name, int tryload);
-extern struct iptables_match *find_match(const char *name, int tryload);
+enum ipt_tryload {
+	DONT_LOAD,
+	TRY_LOAD,
+	LOAD_MUST_SUCCEED
+};
+
+extern struct iptables_target *find_target(const char *name, enum ipt_tryload);
+extern struct iptables_match *find_match(const char *name, enum ipt_tryload);
 #endif /*_IPTABLES_USER_H*/
diff --git a/include/iptables_common.h b/include/iptables_common.h
new file mode 100644
index 0000000..90ca74d
--- /dev/null
+++ b/include/iptables_common.h
@@ -0,0 +1,18 @@
+#ifndef _IPTABLES_COMMON_H
+#define _IPTABLES_COMMON_H
+/* Shared definitions between ipv4 and ipv6. */
+
+enum exittype {
+	OTHER_PROBLEM = 1,
+	PARAMETER_PROBLEM,
+	VERSION_PROBLEM
+};
+extern void exit_printhelp() __attribute__((noreturn));
+extern void exit_tryhelp(int) __attribute__((noreturn));
+int check_inverse(const char option[], int *invert);
+extern int string_to_number(const char *, int, int);
+void exit_error(enum exittype, char *, ...)__attribute__((noreturn,
+							  format(printf,2,3)));
+extern const char *program_name, *program_version;
+
+#endif /*_IPTABLES_COMMON_H*/
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
new file mode 100644
index 0000000..d0b87bd
--- /dev/null
+++ b/include/libiptc/libip6tc.h
@@ -0,0 +1,133 @@
+#ifndef _LIBIP6TC_H
+#define _LIBIP6TC_H
+/* Library which manipulates firewall rules. Version 0.2. */
+
+#include <libiptc/ipt_kernel_headers.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+
+#ifndef IP6T_MIN_ALIGN
+#define IP6T_MIN_ALIGN (__alignof__(struct ip6t_entry_match))
+#endif
+#define IP6T_ALIGN(s) (((s) + (IP6T_MIN_ALIGN-1)) & ~(IP6T_MIN_ALIGN-1))
+
+typedef char ip6t_chainlabel[32];
+
+#define IP6TC_LABEL_ACCEPT "ACCEPT"
+#define IP6TC_LABEL_DROP "DROP"
+#define IP6TC_LABEL_RETURN "RETURN"
+
+/* Transparent handle type. */
+typedef struct ip6tc_handle *ip6tc_handle_t;
+
+/* Does this chain exist? */
+int ip6tc_is_chain(const char *chain, const ip6tc_handle_t handle);
+
+/* Take a snapshot of the rules. Returns NULL on error. */
+ip6tc_handle_t ip6tc_init(const char *tablename);
+
+/* Iterator functions to run through the chains; prev = NULL means
+ first chain. Returns NULL at end. */
+const char *ip6tc_next_chain(const char *prev, ip6tc_handle_t *handle);
+
+/* How many rules in this chain? */
+unsigned int ip6tc_num_rules(const char *chain, ip6tc_handle_t *handle);
+
+/* Get n'th rule in this chain. */
+const struct ip6t_entry *ip6tc_get_rule(const char *chain,
+					unsigned int n,
+					ip6tc_handle_t *handle);
+
+/* Returns a pointer to the target name of this position. */
+const char *ip6tc_get_target(const char *chain,
+			     unsigned int n,
+			     ip6tc_handle_t *handle);
+
+/* Is this a built-in chain? */
+int ip6tc_builtin(const char *chain, const ip6tc_handle_t handle);
+
+/* Get the policy of a given built-in chain */
+const char *ip6tc_get_policy(const char *chain,
+			     struct ip6t_counters *counters,
+			     ip6tc_handle_t *handle);
+
+/* These functions return TRUE for OK or 0 and set errno. If errno ==
+   0, it means there was a version error (ie. upgrade libiptc). */
+/* Rule numbers start at 1 for the first rule. */
+
+/* Insert the entry `fw' in chain `chain' into position `rulenum'. */
+int ip6tc_insert_entry(const ip6t_chainlabel chain,
+		       const struct ip6t_entry *e,
+		       unsigned int rulenum,
+		       ip6tc_handle_t *handle);
+
+/* Atomically replace rule `rulenum' in `chain' with `fw'. */
+int ip6tc_replace_entry(const ip6t_chainlabel chain,
+			const struct ip6t_entry *e,
+			unsigned int rulenum,
+			ip6tc_handle_t *handle);
+
+/* Append entry `fw' to chain `chain'. Equivalent to insert with
+   rulenum = length of chain. */
+int ip6tc_append_entry(const ip6t_chainlabel chain,
+		       const struct ip6t_entry *e,
+		       ip6tc_handle_t *handle);
+
+/* Delete the first rule in `chain' which matches `fw'. */
+int ip6tc_delete_entry(const ip6t_chainlabel chain,
+		       const struct ip6t_entry *origfw,
+		       ip6tc_handle_t *handle);
+
+/* Delete the rule in position `rulenum' in `chain'. */
+int ip6tc_delete_num_entry(const ip6t_chainlabel chain,
+			   unsigned int rulenum,
+			   ip6tc_handle_t *handle);
+
+/* Check the packet `fw' on chain `chain'. Returns the verdict, or
+   NULL and sets errno. */
+const char *ip6tc_check_packet(const ip6t_chainlabel chain,
+			       struct ip6t_entry *,
+			       ip6tc_handle_t *handle);
+
+/* Flushes the entries in the given chain (ie. empties chain). */
+int ip6tc_flush_entries(const ip6t_chainlabel chain,
+			ip6tc_handle_t *handle);
+
+/* Zeroes the counters in a chain. */
+int ip6tc_zero_entries(const ip6t_chainlabel chain,
+		       ip6tc_handle_t *handle);
+
+/* Creates a new chain. */
+int ip6tc_create_chain(const ip6t_chainlabel chain,
+		       ip6tc_handle_t *handle);
+
+/* Deletes a chain. */
+int ip6tc_delete_chain(const ip6t_chainlabel chain,
+		       ip6tc_handle_t *handle);
+
+/* Renames a chain. */
+int ip6tc_rename_chain(const ip6t_chainlabel oldname,
+		       const ip6t_chainlabel newname,
+		       ip6tc_handle_t *handle);
+
+/* Sets the policy on a built-in chain. */
+int ip6tc_set_policy(const ip6t_chainlabel chain,
+		     const ip6t_chainlabel policy,
+		     ip6tc_handle_t *handle);
+
+/* Get the number of references to this chain */
+int ip6tc_get_references(unsigned int *ref, const ip6t_chainlabel chain,
+			 ip6tc_handle_t *handle);
+
+/* Makes the actual changes. */
+int ip6tc_commit(ip6tc_handle_t *handle);
+
+/* Get raw socket. */
+int ip6tc_get_raw_socket();
+
+/* Translates errno numbers into more human-readable form than strerror. */
+const char *ip6tc_strerror(int err);
+
+/* Return prefix length, or -1 if not contiguous */
+int ipv6_prefix_length(const struct in6_addr *a);
+
+#endif /* _LIBIP6TC_H */
-- 
cgit v1.2.3