sys/linux/netfilter_ipv4.txt - platform/external/syzkaller - Git at Google

 # Copyright 2018 syzkaller project authors. All rights reserved.
 # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

 include <linux/socket.h>
 include <uapi/linux/netfilter/xt_osf.h>
 include <uapi/linux/netfilter_ipv4/ip_tables.h>
 include <uapi/linux/netfilter_ipv4/ipt_ah.h>
 include <uapi/linux/netfilter_ipv4/ipt_ttl.h>
 include <uapi/linux/netfilter_ipv4/ipt_REJECT.h>
 include <uapi/linux/netfilter_ipv4/ipt_ECN.h>
 include <uapi/linux/netfilter_ipv4/ipt_TTL.h>
 include <uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h>

 setsockopt$IPT_SO_SET_REPLACE(fd sock_in, level const[SOL_IP], opt const[IPT_SO_SET_REPLACE], val ptr[in, ipt_replace], len len[val])
 setsockopt$IPT_SO_SET_ADD_COUNTERS(fd sock_in, level const[SOL_IP], opt const[IPT_SO_SET_ADD_COUNTERS], val ptr[in, ipt_counters_info], len len[val])
 getsockopt$IPT_SO_GET_INFO(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_INFO], val ptr[in, ipt_getinfo], len ptr[in, len[val, int32]])
 getsockopt$IPT_SO_GET_ENTRIES(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_ENTRIES], val ptr[in, ipt_get_entries], len ptr[in, len[val, int32]])
 getsockopt$IPT_SO_GET_REVISION_MATCH(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_REVISION_MATCH], val ptr[in, xt_get_revision], len ptr[in, len[val, int32]])
 getsockopt$IPT_SO_GET_REVISION_TARGET(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_REVISION_TARGET], val ptr[in, xt_get_revision], len ptr[in, len[val, int32]])

 ipt_replace [
 	filter		ipt_replace_t["filter", 3, 4, IPT_FILTER_VALID_HOOKS, ipt_filter_matches, ipt_filter_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
 	nat		ipt_replace_t["nat", 4, 5, IPT_NAT_VALID_HOOKS, ipt_nat_matches, ipt_nat_targets, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook]
 	mangle		ipt_replace_t["mangle", 5, 6, IPT_MANGLE_VALID_HOOKS, ipt_mangle_matches, ipt_mangle_targets, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook]
 	raw		ipt_replace_t["raw", 2, 3, IPT_RAW_VALID_HOOKS, ipt_raw_matches, ipt_raw_targets, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused]
 	security	ipt_replace_t["security", 3, 4, IPT_SECURITY_VALID_HOOKS, ipt_security_matches, ipt_security_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
 ] [varlen]

 type ipt_replace_t[NAME, NENTRIES, NHOOKS, HOOKS, MATCHES, TARGETS, H0, H1, H2, H3, H4, U0, U1, U2, U3, U4] {
 	name			string[NAME, XT_TABLE_MAXNAMELEN]
 	valid_hooks		const[HOOKS, int32]
 	num_entries		const[NHOOKS, int32]
 	size			bytesize[entries, int32]
 	hook_pre_routing	H0
 	hook_local_in		H1
 	hook_forward		H2
 	hook_local_out		H3
 	hook_post_routing	H4
 	underflow_pre_routing	U0
 	underflow_local_in	U1
 	underflow_forward	U2
 	underflow_local_out	U3
 	underflow_post_routing	U4
 	num_counters		const[NHOOKS, int32]
 	counters		ptr[out, array[xt_counters, NHOOKS]]
 	entries			ipt_replace_entries[NENTRIES, MATCHES, TARGETS]
 }

 type ipt_replace_entries[NENTRIES, MATCHES, TARGETS] {
 	entries		array[ipt_entry[MATCHES, TARGETS], NENTRIES]
 	underflow	ipt_entry_underflow
 } [packed, align_ptr]

 type ipt_hook const[0, int32]
 type ipt_unused const[-1, int32]

 type ipt_entry[MATCHES, TARGETS] {
 	matches	ipt_entry_matches[MATCHES]
 	target	TARGETS
 } [packed, align_ptr]

 type ipt_entry_matches[MATCHES] {
 	ip		ipt_ip_or_uncond
 	nfcache		const[0, int32]
 	target_offset	len[parent, int16]
 	next_offset	len[ipt_entry, int16]
 	comefrom	const[0, int32]
 	counters	xt_counters
 	matches		array[MATCHES, 0:2]
 } [align_ptr]

 ipt_entry_underflow {
 	matches	ipt_entry_underflow_matches
 	target	xt_target_t["", const[NF_ACCEPT_VERDICT, int32], 0]
 } [align_ptr]

 ipt_entry_underflow_matches {
 	ip		ipt_ip_uncond
 	nfcache		const[0, int32]
 	target_offset	len[parent, int16]
 	next_offset	len[ipt_entry_underflow, int16]
 	comefrom	const[0, int32]
 	counters	xt_counters
 }

 ipt_ip_or_uncond [
 	ip	ipt_ip
 	uncond	ipt_ip_uncond
 ]

 type ipt_ip_uncond array[const[0, int8], IPT_IP_SIZE]
 define IPT_IP_SIZE	sizeof(struct ipt_ip)

 ipt_ip {
 	src		ipv4_addr
 	dst		ipv4_addr
 	smsk		ipv4_addr_mask
 	dmsk		ipv4_addr_mask
 	iniface		devname
 	outiface	devname
 	iniface_mask	devname_mask
 	outiface_mask	devname_mask
 	proto		flags[ipv4_types, int16]
 	flags		flags[ipt_ip_flags, int8]
 	invflags	flags[ipt_ip_invflags, int8]
 }

 ipt_ip_flags = IPT_F_FRAG, IPT_F_GOTO
 ipt_ip_invflags = IPT_INV_VIA_IN, IPT_INV_VIA_OUT, IPT_INV_TOS, IPT_INV_SRCIP, IPT_INV_DSTIP, IPT_INV_FRAG, IPT_INV_PROTO

 ipt_counters_info {
 	name		string[ipt_tables, XT_TABLE_MAXNAMELEN]
 	num_counters	len[counters, int32]
 	counters	array[xt_counters, 2:5]
 }

 ipt_tables = "filter", "nat", "mangle", "raw", "security"

 ipt_getinfo {
 	name		string[ipt_tables, XT_TABLE_MAXNAMELEN]
 # The rest are output arguments.
 	valid_hooks	const[0, int32]
 	hook_entry	array[const[0, int32], NF_INET_NUMHOOKS]
 	underflow	array[const[0, int32], NF_INET_NUMHOOKS]
 	num_entries	const[0, int32]
 	size		const[0, int32]
 }

 ipt_get_entries {
 	name		string[ipt_tables, XT_TABLE_MAXNAMELEN]
 	size		bytesize[entrytable, int32]
 	entrytable	array[int8]
 }

 # MATCHES:

 ipt_matches [
 	unspec		xt_unspec_matches
 	inet		xt_inet_matches
 	icmp		xt_entry_match["icmp", ipt_icmp, 0]
 	ah		xt_entry_match["ah", ipt_ah, 0]
 	socket0		xt_entry_match["socket", void, 0]
 	set		xt_entry_match["set", xt_set_info_match_v0, 0]
 	addrtype	xt_entry_match["addrtype", xt_addrtype_info, 0]
 	osf		xt_entry_match["osf", xt_osf_info, 0]
 	ttl		xt_entry_match["ttl", ipt_ttl_info, 0]
 ] [varlen]

 ipt_filter_matches [
 	common	ipt_matches
 ] [varlen]

 ipt_nat_matches [
 	common	ipt_matches
 ] [varlen]

 ipt_mangle_matches [
 	common	ipt_matches
 	inet	xt_inet_mangle_matches
 ] [varlen]

 ipt_raw_matches [
 	common	ipt_matches
 	inet	xt_inet_raw_matches
 ] [varlen]

 ipt_security_matches [
 	common	ipt_matches
 ] [varlen]

 ipt_icmp {
 	type		flags[icmp_types, int8]
 	code_min	int8
 	code_max	int8
 	invflags	bool8
 }

 ipt_ah {
 	spi_min		int32
 	spi_max		int32
 	invflags	bool8
 }

 xt_osf_info {
 	genre		string[xt_osf_genre, MAXGENRELEN]
 	len		int32
 	flags		flags[xt_osf_flags, int32]
 	loglevel	int32[0:2]
 	ttl		int32[0:2]
 }

 # TODO: genres are somehow setup via netlink.
 xt_osf_genre = "syz0", "syz1"
 xt_osf_flags = XT_OSF_GENRE, XT_OSF_TTL, XT_OSF_LOG, XT_OSF_INVERT

 ipt_ttl_info {
 	mode	flags[ipt_ttl_mode, int8]
 	ttl	int8
 }

 ipt_ttl_mode = IPT_TTL_EQ, IPT_TTL_NE, IPT_TTL_LT, IPT_TTL_GT

 # TARGETS:

 ipt_targets [
 	unspec		xt_unspec_targets
 	inet		xt_inet_targets
 	SET		xt_target_t["SET", xt_set_info_target_v0, 0]
 	CLUSTERIP	xt_target_t["CLUSTERIP", ipt_clusterip_tgt_info, 0]
 ] [varlen]

 ipt_filter_targets [
 	common	ipt_targets
 	REJECT	xt_target_t["REJECT", ipt_reject_info, 0]
 ] [varlen]

 ipt_nat_targets [
 	common		ipt_targets
 	unspec		xt_unspec_nat_targets
 	NETMAP		xt_target_t["NETMAP", nf_nat_ipv4_multi_range_compat, 0]
 	SNAT0		xt_target_t["SNAT", nf_nat_ipv4_multi_range_compat, 0]
 	DNAT0		xt_target_t["DNAT", nf_nat_ipv4_multi_range_compat, 0]
 	REDIRECT	xt_target_t["REDIRECT", nf_nat_ipv4_multi_range_compat, 0]
 	MASQUERADE	xt_target_t["MASQUERADE", nf_nat_ipv4_multi_range_compat, 0]
 ] [varlen]

 ipt_mangle_targets [
 	common	ipt_targets
 	unspec	xt_unspec_mangle_targets
 	inet	xt_inet_mangle_targets
 	ECN	xt_target_t["ECN", ipt_ECN_info, 0]
 	TPROXY	xt_target_t["TPROXY", xt_tproxy_target_info, 0]
 	TTL	xt_target_t["TTL", ipt_TTL_info, 0]
 ] [varlen]

 ipt_raw_targets [
 	common	ipt_targets
 	unspec	xt_unspec_raw_targets
 ] [varlen]

 ipt_security_targets [
 	common	ipt_targets
 ] [varlen]

 ipt_reject_info {
 	with	flags[ipt_reject_with, int32]
 }

 ipt_reject_with = IPT_ICMP_NET_UNREACHABLE, IPT_ICMP_HOST_UNREACHABLE, IPT_ICMP_PROT_UNREACHABLE, IPT_ICMP_PORT_UNREACHABLE, IPT_ICMP_NET_PROHIBITED, IPT_ICMP_HOST_PROHIBITED, IPT_TCP_RESET, IPT_ICMP_ADMIN_PROHIBITED

 ipt_ECN_info {
 	operation	flags[ipt_ECN_op, int8]
 	ip_ect		int8
 	tcp		int8[0:3]
 }

 ipt_ECN_op = IPT_ECN_OP_SET_IP, IPT_ECN_OP_SET_ECE, IPT_ECN_OP_SET_CWR

 ipt_TTL_info {
 	mode	int8[0:3]
 	ttl	int8
 }

 ipt_clusterip_tgt_info {
 	flags		bool32
 	clustermac	mac_addr
 	num_total_nodes	int16
 	num_local_nodes	int16[0:CLUSTERIP_MAX_NODES]
 	local_nodes	array[int16[0:64], CLUSTERIP_MAX_NODES]
 	hash_mode	flags[ipt_clusterip_hash_mode, int32]
 	hash_initval	int32
 	config		intptr
 }

 ipt_clusterip_hash_mode = CLUSTERIP_HASHMODE_SIP, CLUSTERIP_HASHMODE_SIP_SPT, CLUSTERIP_HASHMODE_SIP_SPT_DPT
	# Copyright 2018 syzkaller project authors. All rights reserved.
	# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

	include <linux/socket.h>
	include <uapi/linux/netfilter/xt_osf.h>
	include <uapi/linux/netfilter_ipv4/ip_tables.h>
	include <uapi/linux/netfilter_ipv4/ipt_ah.h>
	include <uapi/linux/netfilter_ipv4/ipt_ttl.h>
	include <uapi/linux/netfilter_ipv4/ipt_REJECT.h>
	include <uapi/linux/netfilter_ipv4/ipt_ECN.h>
	include <uapi/linux/netfilter_ipv4/ipt_TTL.h>
	include <uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h>

	setsockopt$IPT_SO_SET_REPLACE(fd sock_in, level const[SOL_IP], opt const[IPT_SO_SET_REPLACE], val ptr[in, ipt_replace], len len[val])
	setsockopt$IPT_SO_SET_ADD_COUNTERS(fd sock_in, level const[SOL_IP], opt const[IPT_SO_SET_ADD_COUNTERS], val ptr[in, ipt_counters_info], len len[val])
	getsockopt$IPT_SO_GET_INFO(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_INFO], val ptr[in, ipt_getinfo], len ptr[in, len[val, int32]])
	getsockopt$IPT_SO_GET_ENTRIES(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_ENTRIES], val ptr[in, ipt_get_entries], len ptr[in, len[val, int32]])
	getsockopt$IPT_SO_GET_REVISION_MATCH(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_REVISION_MATCH], val ptr[in, xt_get_revision], len ptr[in, len[val, int32]])
	getsockopt$IPT_SO_GET_REVISION_TARGET(fd sock_in, level const[SOL_IP], opt const[IPT_SO_GET_REVISION_TARGET], val ptr[in, xt_get_revision], len ptr[in, len[val, int32]])

	ipt_replace [
	filter ipt_replace_t["filter", 3, 4, IPT_FILTER_VALID_HOOKS, ipt_filter_matches, ipt_filter_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
	nat ipt_replace_t["nat", 4, 5, IPT_NAT_VALID_HOOKS, ipt_nat_matches, ipt_nat_targets, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook]
	mangle ipt_replace_t["mangle", 5, 6, IPT_MANGLE_VALID_HOOKS, ipt_mangle_matches, ipt_mangle_targets, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook]
	raw ipt_replace_t["raw", 2, 3, IPT_RAW_VALID_HOOKS, ipt_raw_matches, ipt_raw_targets, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused]
	security ipt_replace_t["security", 3, 4, IPT_SECURITY_VALID_HOOKS, ipt_security_matches, ipt_security_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
	] [varlen]

	type ipt_replace_t[NAME, NENTRIES, NHOOKS, HOOKS, MATCHES, TARGETS, H0, H1, H2, H3, H4, U0, U1, U2, U3, U4] {
	name string[NAME, XT_TABLE_MAXNAMELEN]
	valid_hooks const[HOOKS, int32]
	num_entries const[NHOOKS, int32]
	size bytesize[entries, int32]
	hook_pre_routing H0
	hook_local_in H1
	hook_forward H2
	hook_local_out H3
	hook_post_routing H4
	underflow_pre_routing U0
	underflow_local_in U1
	underflow_forward U2
	underflow_local_out U3
	underflow_post_routing U4
	num_counters const[NHOOKS, int32]
	counters ptr[out, array[xt_counters, NHOOKS]]
	entries ipt_replace_entries[NENTRIES, MATCHES, TARGETS]
	}

	type ipt_replace_entries[NENTRIES, MATCHES, TARGETS] {
	entries array[ipt_entry[MATCHES, TARGETS], NENTRIES]
	underflow ipt_entry_underflow
	} [packed, align_ptr]

	type ipt_hook const[0, int32]
	type ipt_unused const[-1, int32]

	type ipt_entry[MATCHES, TARGETS] {
	matches ipt_entry_matches[MATCHES]
	target TARGETS
	} [packed, align_ptr]

	type ipt_entry_matches[MATCHES] {
	ip ipt_ip_or_uncond
	nfcache const[0, int32]
	target_offset len[parent, int16]
	next_offset len[ipt_entry, int16]
	comefrom const[0, int32]
	counters xt_counters
	matches array[MATCHES, 0:2]
	} [align_ptr]

	ipt_entry_underflow {
	matches ipt_entry_underflow_matches
	target xt_target_t["", const[NF_ACCEPT_VERDICT, int32], 0]
	} [align_ptr]

	ipt_entry_underflow_matches {
	ip ipt_ip_uncond
	nfcache const[0, int32]
	target_offset len[parent, int16]
	next_offset len[ipt_entry_underflow, int16]
	comefrom const[0, int32]
	counters xt_counters
	}

	ipt_ip_or_uncond [
	ip ipt_ip
	uncond ipt_ip_uncond
	]

	type ipt_ip_uncond array[const[0, int8], IPT_IP_SIZE]
	define IPT_IP_SIZE sizeof(struct ipt_ip)

	ipt_ip {
	src ipv4_addr
	dst ipv4_addr
	smsk ipv4_addr_mask
	dmsk ipv4_addr_mask
	iniface devname
	outiface devname
	iniface_mask devname_mask
	outiface_mask devname_mask
	proto flags[ipv4_types, int16]
	flags flags[ipt_ip_flags, int8]
	invflags flags[ipt_ip_invflags, int8]
	}

	ipt_ip_flags = IPT_F_FRAG, IPT_F_GOTO
	ipt_ip_invflags = IPT_INV_VIA_IN, IPT_INV_VIA_OUT, IPT_INV_TOS, IPT_INV_SRCIP, IPT_INV_DSTIP, IPT_INV_FRAG, IPT_INV_PROTO

	ipt_counters_info {
	name string[ipt_tables, XT_TABLE_MAXNAMELEN]
	num_counters len[counters, int32]
	counters array[xt_counters, 2:5]
	}

	ipt_tables = "filter", "nat", "mangle", "raw", "security"

	ipt_getinfo {
	name string[ipt_tables, XT_TABLE_MAXNAMELEN]
	# The rest are output arguments.
	valid_hooks const[0, int32]
	hook_entry array[const[0, int32], NF_INET_NUMHOOKS]
	underflow array[const[0, int32], NF_INET_NUMHOOKS]
	num_entries const[0, int32]
	size const[0, int32]
	}

	ipt_get_entries {
	name string[ipt_tables, XT_TABLE_MAXNAMELEN]
	size bytesize[entrytable, int32]
	entrytable array[int8]
	}

	# MATCHES:

	ipt_matches [
	unspec xt_unspec_matches
	inet xt_inet_matches
	icmp xt_entry_match["icmp", ipt_icmp, 0]
	ah xt_entry_match["ah", ipt_ah, 0]
	socket0 xt_entry_match["socket", void, 0]
	set xt_entry_match["set", xt_set_info_match_v0, 0]
	addrtype xt_entry_match["addrtype", xt_addrtype_info, 0]
	osf xt_entry_match["osf", xt_osf_info, 0]
	ttl xt_entry_match["ttl", ipt_ttl_info, 0]
	] [varlen]

	ipt_filter_matches [
	common ipt_matches
	] [varlen]

	ipt_nat_matches [
	common ipt_matches
	] [varlen]

	ipt_mangle_matches [
	common ipt_matches
	inet xt_inet_mangle_matches
	] [varlen]

	ipt_raw_matches [
	common ipt_matches
	inet xt_inet_raw_matches
	] [varlen]

	ipt_security_matches [
	common ipt_matches
	] [varlen]

	ipt_icmp {
	type flags[icmp_types, int8]
	code_min int8
	code_max int8
	invflags bool8
	}

	ipt_ah {
	spi_min int32
	spi_max int32
	invflags bool8
	}

	xt_osf_info {
	genre string[xt_osf_genre, MAXGENRELEN]
	len int32
	flags flags[xt_osf_flags, int32]
	loglevel int32[0:2]
	ttl int32[0:2]
	}

	# TODO: genres are somehow setup via netlink.
	xt_osf_genre = "syz0", "syz1"
	xt_osf_flags = XT_OSF_GENRE, XT_OSF_TTL, XT_OSF_LOG, XT_OSF_INVERT

	ipt_ttl_info {
	mode flags[ipt_ttl_mode, int8]
	ttl int8
	}

	ipt_ttl_mode = IPT_TTL_EQ, IPT_TTL_NE, IPT_TTL_LT, IPT_TTL_GT

	# TARGETS:

	ipt_targets [
	unspec xt_unspec_targets
	inet xt_inet_targets
	SET xt_target_t["SET", xt_set_info_target_v0, 0]
	CLUSTERIP xt_target_t["CLUSTERIP", ipt_clusterip_tgt_info, 0]
	] [varlen]

	ipt_filter_targets [
	common ipt_targets
	REJECT xt_target_t["REJECT", ipt_reject_info, 0]
	] [varlen]

	ipt_nat_targets [
	common ipt_targets
	unspec xt_unspec_nat_targets
	NETMAP xt_target_t["NETMAP", nf_nat_ipv4_multi_range_compat, 0]
	SNAT0 xt_target_t["SNAT", nf_nat_ipv4_multi_range_compat, 0]
	DNAT0 xt_target_t["DNAT", nf_nat_ipv4_multi_range_compat, 0]
	REDIRECT xt_target_t["REDIRECT", nf_nat_ipv4_multi_range_compat, 0]
	MASQUERADE xt_target_t["MASQUERADE", nf_nat_ipv4_multi_range_compat, 0]
	] [varlen]

	ipt_mangle_targets [
	common ipt_targets
	unspec xt_unspec_mangle_targets
	inet xt_inet_mangle_targets
	ECN xt_target_t["ECN", ipt_ECN_info, 0]
	TPROXY xt_target_t["TPROXY", xt_tproxy_target_info, 0]
	TTL xt_target_t["TTL", ipt_TTL_info, 0]
	] [varlen]

	ipt_raw_targets [
	common ipt_targets
	unspec xt_unspec_raw_targets
	] [varlen]

	ipt_security_targets [
	common ipt_targets
	] [varlen]

	ipt_reject_info {
	with flags[ipt_reject_with, int32]
	}

	ipt_reject_with = IPT_ICMP_NET_UNREACHABLE, IPT_ICMP_HOST_UNREACHABLE, IPT_ICMP_PROT_UNREACHABLE, IPT_ICMP_PORT_UNREACHABLE, IPT_ICMP_NET_PROHIBITED, IPT_ICMP_HOST_PROHIBITED, IPT_TCP_RESET, IPT_ICMP_ADMIN_PROHIBITED

	ipt_ECN_info {
	operation flags[ipt_ECN_op, int8]
	ip_ect int8
	tcp int8[0:3]
	}

	ipt_ECN_op = IPT_ECN_OP_SET_IP, IPT_ECN_OP_SET_ECE, IPT_ECN_OP_SET_CWR

	ipt_TTL_info {
	mode int8[0:3]
	ttl int8
	}

	ipt_clusterip_tgt_info {
	flags bool32
	clustermac mac_addr
	num_total_nodes int16
	num_local_nodes int16[0:CLUSTERIP_MAX_NODES]
	local_nodes array[int16[0:64], CLUSTERIP_MAX_NODES]
	hash_mode flags[ipt_clusterip_hash_mode, int32]
	hash_initval int32
	config intptr
	}

	ipt_clusterip_hash_mode = CLUSTERIP_HASHMODE_SIP, CLUSTERIP_HASHMODE_SIP_SPT, CLUSTERIP_HASHMODE_SIP_SPT_DPT