Google Git
Sign in
android / platform / external / syzkaller / 3e1cf9ad8a569844caebca4ce63759f15324c422 / . / sys / linux / netfilter.txt
blob: 1687b6dba69bfdb8fb9a5a90508af0997d5181fa [file] [log] [blame]
# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
include <linux/socket.h>
include <uapi/linux/limits.h>
include <uapi/linux/ip_vs.h>
include <uapi/linux/netfilter/x_tables.h>
include <uapi/linux/netfilter/xt_rpfilter.h>
include <uapi/linux/netfilter/xt_cgroup.h>
include <uapi/linux/netfilter/xt_rateest.h>
include <uapi/linux/netfilter/xt_l2tp.h>
include <uapi/linux/netfilter/xt_time.h>
include <uapi/linux/netfilter/xt_bpf.h>
include <uapi/linux/netfilter/xt_socket.h>
include <uapi/linux/netfilter/xt_connlimit.h>
include <uapi/linux/netfilter/xt_conntrack.h>
include <uapi/linux/netfilter/xt_tcpudp.h>
include <uapi/linux/netfilter/xt_set.h>
include <uapi/linux/netfilter/xt_mark.h>
include <uapi/linux/netfilter/xt_connmark.h>
include <uapi/linux/netfilter/xt_realm.h>
include <uapi/linux/netfilter/xt_connbytes.h>
include <uapi/linux/netfilter/xt_quota.h>
include <uapi/linux/netfilter/xt_sctp.h>
include <uapi/linux/netfilter/xt_limit.h>
include <uapi/linux/netfilter/xt_addrtype.h>
include <uapi/linux/netfilter/xt_ipvs.h>
include <uapi/linux/netfilter/xt_dccp.h>
include <uapi/linux/netfilter/xt_hashlimit.h>
include <uapi/linux/netfilter/xt_nfacct.h>
include <uapi/linux/netfilter/xt_length.h>
include <uapi/linux/netfilter/xt_mac.h>
include <uapi/linux/netfilter/xt_comment.h>
include <uapi/linux/netfilter/xt_ipcomp.h>
include <uapi/linux/netfilter/xt_statistic.h>
include <uapi/linux/netfilter/xt_recent.h>
include <uapi/linux/netfilter/xt_dscp.h>
include <uapi/linux/netfilter/xt_policy.h>
include <uapi/linux/netfilter/xt_tcpmss.h>
include <uapi/linux/netfilter/xt_string.h>
include <uapi/linux/netfilter/xt_physdev.h>
include <uapi/linux/netfilter/xt_connlabel.h>
include <uapi/linux/netfilter/xt_devgroup.h>
include <uapi/linux/netfilter/xt_multiport.h>
include <uapi/linux/netfilter/xt_cluster.h>
include <uapi/linux/netfilter/xt_ecn.h>
include <uapi/linux/netfilter/xt_owner.h>
include <uapi/linux/netfilter/xt_pkttype.h>
include <uapi/linux/netfilter/xt_u32.h>
include <uapi/linux/netfilter/xt_iprange.h>
include <uapi/linux/netfilter/xt_esp.h>
include <uapi/linux/netfilter/xt_cpu.h>
include <uapi/linux/netfilter/xt_state.h>
# Netfilter matches shared between ipv6/ipv6.
# TODO: add CONFIG_NF_FLOW_TABLE* support.
define IPT_FILTER_VALID_HOOKS NF_INET_LOCAL_IN_BIT | NF_INET_FORWARD_BIT | NF_INET_LOCAL_OUT_BIT
define IPT_NAT_VALID_HOOKS NF_INET_PRE_ROUTING_BIT | NF_INET_POST_ROUTING_BIT | NF_INET_LOCAL_OUT_BIT | NF_INET_LOCAL_IN_BIT
define IPT_MANGLE_VALID_HOOKS NF_INET_PRE_ROUTING_BIT | NF_INET_POST_ROUTING_BIT | NF_INET_FORWARD_BIT |NF_INET_LOCAL_OUT_BIT | NF_INET_LOCAL_IN_BIT
define IPT_RAW_VALID_HOOKS NF_INET_PRE_ROUTING_BIT | NF_INET_LOCAL_OUT_BIT
define IPT_SECURITY_VALID_HOOKS NF_INET_LOCAL_IN_BIT | NF_INET_FORWARD_BIT | NF_INET_LOCAL_OUT_BIT
define NF_INET_PRE_ROUTING_BIT 1 << NF_INET_PRE_ROUTING
define NF_INET_LOCAL_IN_BIT 1 << NF_INET_LOCAL_IN
define NF_INET_FORWARD_BIT 1 << NF_INET_FORWARD
define NF_INET_LOCAL_OUT_BIT 1 << NF_INET_LOCAL_OUT
define NF_INET_POST_ROUTING_BIT 1 << NF_INET_POST_ROUTING
xt_counters {
pcnt const[0, int64]
bcnt const[0, int64]
}
xt_get_revision {
name string[xt_get_revision_strings, XT_EXTENSION_MAXNAMELEN]
revision const[0, int8]
}
xt_get_revision_strings = "icmp", "ah", "NETMAP", "TPROXY", "ipvs", "IDLETIMER", "icmp6", "HL"
nf_inet_addr [
ipv4 ipv4_addr
ipv6 ipv6_addr
]
nf_conntrack_man_proto [
port sock_port
icmp_id icmp_id
# TODO: what is gre key? do we have it already in gre descriptions in vnet.txt?
gre_key int16
]
type xt_entry_match[NAME, DATA, REV] {
match_size len[parent, int16]
name string[NAME, XT_EXTENSION_MAXNAMELEN]
revision const[REV, int8]
data DATA
} [align_ptr]
xt_unspec_matches [
cgroup0 xt_entry_match["cgroup", xt_cgroup_info_v0, 0]
cgroup1 xt_entry_match["cgroup", xt_cgroup_info_v1, 1]
helper xt_entry_match["helper", xt_helper_info, 0]
rateest xt_entry_match["rateest", xt_rateest_match_info, 0]
time xt_entry_match["time", xt_time_info, 0]
bpf0 xt_entry_match["bpf", xt_bpf_info, 0]
bpf1 xt_entry_match["bpf", xt_bpf_info_v1, 1]
connlimit xt_entry_match["connlimit", xt_connlimit_info, 1]
conntrack1 xt_entry_match["conntrack", xt_conntrack_mtinfo1, 1]
conntrack2 xt_entry_match["conntrack", xt_conntrack_mtinfo2, 2]
conntrack3 xt_entry_match["conntrack", xt_conntrack_mtinfo3, 3]
mark xt_entry_match["mark", xt_mark_mtinfo1, 1]
connmark xt_entry_match["connmark", xt_connmark_mtinfo1, 1]
realm xt_entry_match["realm", xt_realm_info, 0]
connbytes xt_entry_match["connbytes", xt_connbytes_info, 0]
quota xt_entry_match["quota", xt_quota_info, 0]
limit xt_entry_match["limit", xt_rateinfo, 0]
addrtype1 xt_entry_match["addrtype", xt_addrtype_info_v1, 1]
ipvs xt_entry_match["ipvs", xt_ipvs_mtinfo, 0]
nfacct xt_entry_match["nfacct", xt_nfacct_match_info, 0]
mac xt_entry_match["mac", xt_mac_info, 0]
comment xt_entry_match["comment", xt_comment_info, 0]
statistic xt_entry_match["statistic", xt_statistic_info, 0]
string xt_entry_match["string", xt_string_info, 1]
physdev xt_entry_match["physdev", xt_physdev_info, 0]
connlabel xt_entry_match["connlabel", xt_connlabel_mtinfo, 0]
devgroup xt_entry_match["devgroup", xt_devgroup_info, 0]
cluster xt_entry_match["cluster", xt_cluster_match_info, 0]
owner xt_entry_match["owner", xt_owner_match_info, 0]
pkttype xt_entry_match["pkttype", xt_pkttype_info, 0]
u32 xt_entry_match["u32", xt_u32, 0]
cpu xt_entry_match["cpu", xt_cpu_info, 0]
state xt_entry_match["state", xt_state_info, 0]
] [varlen]
xt_inet_matches [
l2tp xt_entry_match["l2tp", xt_l2tp_info, 0]
socket1 xt_entry_match["socket", flags[xt_socket_flags_v1, int8], 1]
socket2 xt_entry_match["socket", flags[xt_socket_flags_v2, int8], 2]
socket3 xt_entry_match["socket", flags[xt_socket_flags_v3, int8], 3]
tcp xt_entry_match["tcp", xt_tcp, 0]
udp xt_entry_match["udp", xt_udp, 0]
udplite xt_entry_match["udplite", xt_udp, 0]
set1 xt_entry_match["set", xt_set_info_match_v1, 1]
set2 xt_entry_match["set", xt_set_info_match_v1, 2]
set3 xt_entry_match["set", xt_set_info_match_v3, 3]
set4 xt_entry_match["set", xt_set_info_match_v4, 4]
sctp xt_entry_match["sctp", xt_sctp_info, 0]
dccp xt_entry_match["dccp", xt_dccp_info, 0]
hashlimit1 xt_entry_match["hashlimit", xt_hashlimit_mtinfo1, 1]
hashlimit2 xt_entry_match["hashlimit", xt_hashlimit_mtinfo2, 2]
hashlimit3 xt_entry_match["hashlimit", xt_hashlimit_mtinfo3, 3]
length xt_entry_match["length", xt_length_info, 0]
ipcomp xt_entry_match["ipcomp", xt_ipcomp, 0]
recent0 xt_entry_match["recent", xt_recent_mtinfo, 0]
recent1 xt_entry_match["recent", xt_recent_mtinfo_v1, 0]
dscp xt_entry_match["dscp", xt_dscp_info, 0]
tos xt_entry_match["tos", xt_tos_match_info, 0]
policy xt_entry_match["policy", xt_policy_info, 0]
tcpmss xt_entry_match["tcpmss", xt_tcpmss_match_info, 0]
multiport xt_entry_match["multiport", xt_multiport_v1, 1]
ecn xt_entry_match["ecn", xt_ecn_info, 0]
iprange xt_entry_match["iprange", xt_iprange_mtinfo, 1]
esp xt_entry_match["esp", xt_esp, 0]
] [varlen]
xt_inet_mangle_matches [
rpfilter xt_entry_match["rpfilter", xt_rpfilter_info, 0]
] [varlen]
xt_inet_raw_matches [
rpfilter xt_entry_match["rpfilter", xt_rpfilter_info, 0]
] [varlen]
xt_socket_flags_v1 = XT_SOCKET_TRANSPARENT
xt_socket_flags_v2 = XT_SOCKET_TRANSPARENT, XT_SOCKET_NOWILDCARD
xt_socket_flags_v3 = XT_SOCKET_TRANSPARENT, XT_SOCKET_NOWILDCARD, XT_SOCKET_RESTORESKMARK
xt_rpfilter_info {
flags flags[xt_rpfilter_flags, int8]
}
xt_rpfilter_flags = XT_RPFILTER_LOOSE, XT_RPFILTER_VALID_MARK, XT_RPFILTER_ACCEPT_LOCAL, XT_RPFILTER_INVERT
xt_cgroup_info_v0 {
# TODO: this is some "cgroup classid", what's this?
id int32
invert bool32
}
xt_cgroup_info_v1 {
has_path bool8
has_classid bool8
invert_path bool8
invert_classid bool8
path string[cgroup_paths, PATH_MAX]
# TODO: again "cgroup classid"
classid int32
priv intptr
}
xt_helper_info {
invert bool32
name string[xt_helper_names, 30]
}
xt_helper_names = "ftp-20000", "tftp-20000", "sip-20000", "irc-20000", "sane-20000", "amanda", "RAS", "Q.931", "H.245"
xt_rateest_match_info {
name1 devname
name2 devname
flags flags[xt_rateest_match_flags, int16]
mode flags[xt_rateest_match_mode, int16]
bps1 int32
pps1 int32
bps2 int32
pps2 int32
est1 intptr
est2 intptr
}
xt_rateest_match_flags = XT_RATEEST_MATCH_INVERT, XT_RATEEST_MATCH_ABS, XT_RATEEST_MATCH_REL, XT_RATEEST_MATCH_DELTA, XT_RATEEST_MATCH_BPS, XT_RATEEST_MATCH_PPS
xt_rateest_match_mode = XT_RATEEST_MATCH_NONE, XT_RATEEST_MATCH_EQ, XT_RATEEST_MATCH_LT, XT_RATEEST_MATCH_GT
xt_l2tp_info {
tid l2tp_tunnel32
sid l2tp_session32
version int8[2:3]
type flags[xt_l2tp_type, int8]
flags flags[xt_l2tp_flags, int8]
}
xt_l2tp_type = XT_L2TP_TYPE_CONTROL, XT_L2TP_TYPE_DATA
xt_l2tp_flags = XT_L2TP_TID, XT_L2TP_SID, XT_L2TP_VERSION, XT_L2TP_TYPE
xt_time_info {
date_start int32
date_stop int32
daytime_start int32[0:XT_TIME_MAX_DAYTIME]
daytime_stop int32[0:XT_TIME_MAX_DAYTIME]
monthdays_match int32
weekdays_match int8
flags flags[xt_time_flags, int8]
}
xt_time_flags = XT_TIME_LOCAL_TZ, XT_TIME_CONTIGUOUS
xt_bpf_info {
bpf_program_num_elem int16[0:XT_BPF_MAX_NUM_INSTR]
bpf_program array[sock_filter, XT_BPF_MAX_NUM_INSTR]
filter intptr
}
xt_bpf_info_v1 [
bytecode xt_bpf_info_bytecode
pinned xt_bpf_info_pinned
fd xt_bpf_info_fd
]
xt_bpf_info_bytecode {
mode const[XT_BPF_MODE_BYTECODE, int16]
bpf_program_num_elem int16[0:XT_BPF_MAX_NUM_INSTR]
fd const[0, int32]
bpf_program array[sock_filter, XT_BPF_MAX_NUM_INSTR]
filter intptr
}
xt_bpf_info_pinned {
mode const[XT_BPF_MODE_FD_PINNED, int16]
bpf_program_num_elem const[0, int16]
fd const[0, int32]
path string[filename, XT_BPF_PATH_MAX]
filter intptr
}
xt_bpf_info_fd {
mode const[XT_BPF_MODE_FD_ELF, int16]
bpf_program_num_elem const[0, int16]
fd fd_bpf_prog
}
xt_connlimit_info {
mask ipv6_addr_mask
limit int32
flags flags[xt_connlimit_flags, int32]
data intptr
}
xt_connlimit_flags = XT_CONNLIMIT_INVERT, XT_CONNLIMIT_DADDR
xt_conntrack_mtinfo_common {
origsrc_addr nf_inet_addr
origsrc_mask ipv6_addr_mask
origdst_addr nf_inet_addr
origdst_mask ipv6_addr_mask
replsrc_addr nf_inet_addr
replsrc_mask ipv6_addr_mask
repldst_addr nf_inet_addr
repldst_mask ipv6_addr_mask
expires_min int32
expires_max int32
l4proto flags[ipv6_types, int16]
origsrc_port sock_port
origdst_port sock_port
replsrc_port sock_port
repldst_port sock_port
match_flags flags[xt_conntrack_flags, int16]
invert_flags flags[xt_conntrack_flags, int16]
}
xt_conntrack_mtinfo1 {
common xt_conntrack_mtinfo_common
state_mask flags[xt_conntrack_state, int8]
status_mask flags[xt_conntrack_status, int8]
}
xt_conntrack_mtinfo2 {
common xt_conntrack_mtinfo_common
state_mask flags[xt_conntrack_state, int16]
status_mask flags[xt_conntrack_status, int16]
}
xt_conntrack_mtinfo3 {
common xt_conntrack_mtinfo_common
state_mask flags[xt_conntrack_state, int16]
status_mask flags[xt_conntrack_status, int16]
origsrc_port_high sock_port
origdst_port_high sock_port
replsrc_port_high sock_port
repldst_port_high sock_port
}
xt_conntrack_flags = XT_CONNTRACK_STATE, XT_CONNTRACK_PROTO, XT_CONNTRACK_ORIGSRC, XT_CONNTRACK_ORIGDST, XT_CONNTRACK_REPLSRC, XT_CONNTRACK_REPLDST, XT_CONNTRACK_STATUS, XT_CONNTRACK_EXPIRES, XT_CONNTRACK_ORIGSRC_PORT, XT_CONNTRACK_ORIGDST_PORT, XT_CONNTRACK_REPLSRC_PORT, XT_CONNTRACK_REPLDST_PORT, XT_CONNTRACK_DIRECTION, XT_CONNTRACK_STATE_ALIAS
xt_conntrack_state = XT_CONNTRACK_STATE_INVALID, XT_CONNTRACK_STATE_SNAT, XT_CONNTRACK_STATE_DNAT, XT_CONNTRACK_STATE_UNTRACKED
xt_conntrack_status = IPS_EXPECTED, IPS_SEEN_REPLY, IPS_ASSURED, IPS_CONFIRMED, IPS_SRC_NAT, IPS_DST_NAT, IPS_SEQ_ADJUST, IPS_SRC_NAT_DONE, IPS_DST_NAT_DONE, IPS_DYING, IPS_FIXED_TIMEOUT, IPS_TEMPLATE, IPS_UNTRACKED, IPS_HELPER
xt_tcp {
spts_min sock_port
spts_max sock_port
dpts_min sock_port
dpts_max sock_port
option flags[tcp_option_types, int8]
flg_mask flags[tcp_flags, int8]
flg_cmp flags[tcp_flags, int8]
invflags flags[xt_tcp_inv_flags, int8]
}
xt_tcp_inv_flags = XT_TCP_INV_SRCPT, XT_TCP_INV_DSTPT, XT_TCP_INV_FLAGS, XT_TCP_INV_OPTION
xt_udp {
spts_min sock_port
spts_max sock_port
dpts_min sock_port
dpts_max sock_port
invflags flags[xt_udp_inv_flags, int8]
}
xt_udp_inv_flags = XT_UDP_INV_SRCPT, XT_UDP_INV_DSTPT
xt_set_info_match_v0 {
match_set xt_set_info_v0
}
xt_set_info_match_v1 {
match_set xt_set_info
}
xt_set_info_match_v3 {
match_set xt_set_info
packets ip_set_counter_match0
bytes ip_set_counter_match0
flags int32
}
xt_set_info_match_v4 {
match_set xt_set_info
packets ip_set_counter_match
bytes ip_set_counter_match
flags int32
}
xt_mark_mtinfo1 {
mark int32
mask int32
invert bool8
}
xt_connmark_mtinfo1 {
mark int32
mask int32
invert bool32
}
xt_realm_info {
id int32
mask int32
invert bool8
}
xt_connbytes_info {
count_from int64
count_to int64
what flags[xt_connbytes_what, int8]
direction flags[xt_connbytes_direction, int8]
}
xt_connbytes_what = XT_CONNBYTES_PKTS, XT_CONNBYTES_BYTES, XT_CONNBYTES_AVGPKT
xt_connbytes_direction = XT_CONNBYTES_DIR_ORIGINAL, XT_CONNBYTES_DIR_REPLY, XT_CONNBYTES_DIR_BOTH
xt_quota_info {
flags bool32
pad const[0, int32]
quota int64
master intptr
}
xt_sctp_info {
dpts_min sock_port
dpts_max sock_port
spts_min sock_port
spts_max sock_port
chunkmap array[int32, 64]
chunk_match_type flags[xt_sctp_match_type, int32]
flag_info array[xt_sctp_flag_info, XT_NUM_SCTP_FLAGS]
flag_count int32[0:XT_NUM_SCTP_FLAGS]
flags flags[xt_sctp_flags, int32]
invflags flags[xt_sctp_flags, int32]
}
xt_sctp_match_type = SCTP_CHUNK_MATCH_ANY, SCTP_CHUNK_MATCH_ALL, SCTP_CHUNK_MATCH_ONLY
xt_sctp_flags = XT_SCTP_SRC_PORTS, XT_SCTP_DEST_PORTS, XT_SCTP_CHUNK_TYPES
xt_sctp_flag_info {
chunktype int8
flag int8
flag_mask int8
}
xt_rateinfo {
avg int32
burst int32
prev intptr
credit int32
credit_cap int32
cost int32
master intptr
}
xt_addrtype_info {
source flags[xt_addrtype_type, int16]
dest flags[xt_addrtype_type, int16]
invert_source bool32
invert_dest bool32
}
xt_addrtype_info_v1 {
source flags[xt_addrtype_type, int16]
dest flags[xt_addrtype_type, int16]
flags flags[xt_addrtype_flags, int32]
}
xt_addrtype_type = XT_ADDRTYPE_UNSPEC, XT_ADDRTYPE_UNICAST, XT_ADDRTYPE_LOCAL, XT_ADDRTYPE_BROADCAST, XT_ADDRTYPE_ANYCAST, XT_ADDRTYPE_MULTICAST, XT_ADDRTYPE_BLACKHOLE, XT_ADDRTYPE_UNREACHABLE, XT_ADDRTYPE_PROHIBIT, XT_ADDRTYPE_THROW, XT_ADDRTYPE_NAT, XT_ADDRTYPE_XRESOLVE
xt_addrtype_flags = XT_ADDRTYPE_INVERT_SOURCE, XT_ADDRTYPE_INVERT_DEST, XT_ADDRTYPE_LIMIT_IFACE_IN, XT_ADDRTYPE_LIMIT_IFACE_OUT
xt_ipvs_mtinfo {
vaddr nf_inet_addr
vmask ipv6_addr_mask
vport sock_port
l4proto flags[ipv6_types, int8]
fwd_method int8[0:IP_VS_CONN_F_FWD_MASK]
vportctl sock_port
invert flags[xt_ipvs_flags, int8]
bitmask flags[xt_ipvs_flags, int8]
}
xt_ipvs_flags = XT_IPVS_IPVS_PROPERTY, XT_IPVS_PROTO, XT_IPVS_VADDR, XT_IPVS_VPORT, XT_IPVS_DIR, XT_IPVS_METHOD, XT_IPVS_VPORT
xt_dccp_info {
dpts_min sock_port
dpts_max sock_port
spts_min sock_port
spts_max sock_port
flags flags[xt_dccp_flags, int16]
invflags flags[xt_dccp_flags, int16]
typemask int16
option int8
}
xt_dccp_flags = XT_DCCP_SRC_PORTS, XT_DCCP_DEST_PORTS, XT_DCCP_TYPE, XT_DCCP_OPTION
xt_hashlimit_mtinfo1 {
name devname
cfg hashlimit_cfg1
hinfo intptr
}
xt_hashlimit_mtinfo2 {
name string[devnames, NAME_MAX]
cfg hashlimit_cfg2
hinfo intptr
}
xt_hashlimit_mtinfo3 {
name string[devnames, NAME_MAX]
cfg hashlimit_cfg3
hinfo intptr
}
hashlimit_cfg1 {
mode flags[xt_hashlimit_modes, int32]
avg int32
burst int32
size int32
max int32
gc_interval int32
expire int32
srcmask flags[xt_hashlimit_mask, int8]
dstmask flags[xt_hashlimit_mask, int8]
}
hashlimit_cfg2 {
avg int64
burst int64
mode flags[xt_hashlimit_modes, int32]
size int32
max int32
gc_interval int32
expire int32
srcmask flags[xt_hashlimit_mask, int8]
dstmask flags[xt_hashlimit_mask, int8]
}
hashlimit_cfg3 {
avg int64
burst int64
mode flags[xt_hashlimit_modes, int32]
size int32
max int32
gc_interval int32
expire int32
interval int32
srcmask flags[xt_hashlimit_mask, int8]
dstmask flags[xt_hashlimit_mask, int8]
}
xt_hashlimit_modes = XT_HASHLIMIT_HASH_DIP, XT_HASHLIMIT_HASH_DPT, XT_HASHLIMIT_HASH_SIP, XT_HASHLIMIT_HASH_SPT, XT_HASHLIMIT_INVERT, XT_HASHLIMIT_BYTES, XT_HASHLIMIT_RATE_MATCH
xt_hashlimit_mask = 0, 8, 24, 32, 64, 120, 128
xt_nfacct_match_info {
name string[xt_nfacct_match_names, NFACCT_NAME_MAX]
nfacct intptr
}
xt_nfacct_match_names = "syz0", "syz1"
xt_length_info {
min int16
max int16
invert bool8
}
xt_mac_info {
srcaddr mac_addr
invert bool32
}
xt_comment_info {
comment array[const[0, int8], XT_MAX_COMMENT_LEN]
}
xt_ipcomp {
spis_min xfrm_spi
spis_max xfrm_spi
invflags flags[xt_ipcomp_flags, int8]
hdrres const[0, int8]
}
xt_ipcomp_flags = XT_IPCOMP_INV_SPI, XT_IPCOMP_INV_MASK
xt_statistic_info {
mode bool16
flags bool16
every int32
packet int32
count int32
master intptr
}
xt_recent_mtinfo {
seconds int32
hit_count int32
check_set flags[xt_recent_check_set, int8]
invert bool8
name string[xt_recent_names, XT_RECENT_NAME_LEN]
side int8
}
xt_recent_mtinfo_v1 {
seconds int32
hit_count int32
check_set flags[xt_recent_check_set, int8]
invert bool8
name string[xt_recent_names, XT_RECENT_NAME_LEN]
side int8
mask ipv6_addr_mask
}
xt_recent_names = "syz0", "syz1"
xt_recent_check_set = XT_RECENT_CHECK, XT_RECENT_SET, XT_RECENT_UPDATE, XT_RECENT_REMOVE, XT_RECENT_TTL, XT_RECENT_REAP, XT_RECENT_SOURCE, XT_RECENT_DEST
xt_dscp_info {
dscp int8
invert bool8
}
xt_tos_match_info {
tos_mask int8
tos_value int8
invert bool8
}
xt_policy_info {
pol array[xt_policy_elem, XT_POLICY_MAX_ELEM]
flags flags[xt_policy_flags, int16]
len int16[0:XT_POLICY_MAX_ELEM]
}
xt_policy_elem {
saddr nf_inet_addr
smask ipv6_addr_mask
daddr nf_inet_addr
dmask ipv6_addr_mask
spi xfrm_spi
reqid xfrm_req_id
proto flags[ipv6_types, int8]
mode flags[xt_policy_mode, int8]
match flags[xt_policy_spec, int8]
invert flags[xt_policy_spec, int8]
}
xt_policy_flags = XT_POLICY_MATCH_IN, XT_POLICY_MATCH_OUT, XT_POLICY_MATCH_NONE, XT_POLICY_MATCH_STRICT
xt_policy_mode = XT_POLICY_MODE_TRANSPORT, XT_POLICY_MODE_TUNNEL
xt_policy_spec = 1, 2, 4, 8, 16
xt_tcpmss_match_info {
mss_min int16
mss_max int16
invert bool8
}
xt_string_info {
from_offset int16
to_offset int16
algo string[textsearch_algos, XT_STRING_MAX_ALGO_NAME_SIZE]
pattern array[int8, XT_STRING_MAX_PATTERN_SIZE]
patlen int8[0:XT_STRING_MAX_PATTERN_SIZE]
flags flags[xt_string_flags, int8]
config intptr
}
textsearch_algos = "bm", "fsm", "kmp"
xt_string_flags = XT_STRING_FLAG_INVERT, XT_STRING_FLAG_IGNORECASE
xt_physdev_info {
physindev devname
in_mask devname_mask
physoutdev devname
out_mask devname_mask
invert flags[xt_physdev_flags, int8]
bitmask flags[xt_physdev_flags, int8]
}
xt_physdev_flags = XT_PHYSDEV_OP_IN, XT_PHYSDEV_OP_OUT, XT_PHYSDEV_OP_BRIDGED, XT_PHYSDEV_OP_ISIN, XT_PHYSDEV_OP_ISOUT
xt_connlabel_mtinfo {
bit int16
options flags[xt_connlabel_mtopts, int16]
}
xt_connlabel_mtopts = XT_CONNLABEL_OP_INVERT, XT_CONNLABEL_OP_SET
xt_devgroup_info {
flags flags[xt_devgroup_flags, int32]
src_group int32
src_mask int32
dst_group int32
dst_mask int32
}
xt_devgroup_flags = XT_DEVGROUP_MATCH_SRC, XT_DEVGROUP_INVERT_SRC, XT_DEVGROUP_MATCH_DST, XT_DEVGROUP_INVERT_DST
xt_multiport_v1 {
flags int8[0:2]
count int8[0:XT_MULTI_PORTS]
ports array[sock_port, XT_MULTI_PORTS]
pflags array[bool8, XT_MULTI_PORTS]
invert bool8
}
xt_cluster_match_info {
total_nodes int32
node_mask int32
hash_seed int32
flags bool32
}
xt_ecn_info {
operation flags[xt_ecn_operation, int8]
invert flags[xt_ecn_operation, int8]
ip_ect int8
ect int8
}
xt_ecn_operation = XT_ECN_OP_MATCH_IP, XT_ECN_OP_MATCH_ECE, XT_ECN_OP_MATCH_CWR
xt_owner_match_info {
uid_min uid
uid_max uid
gid_min gid
gid_max gid
match flags[xt_owner_match_flags, int8]
invert flags[xt_owner_match_flags, int8]
}
xt_owner_match_flags = XT_OWNER_UID, XT_OWNER_GID, XT_OWNER_SOCKET
xt_pkttype_info {
pkttype int32
invert int32
}
xt_u32 {
tests array[xt_u32_test, XT_U32_REAL_MAXSIZE]
ntests int8[0:XT_U32_REAL_MAXSIZE]
invert bool8
}
xt_u32_test {
location array[xt_u32_location_element, XT_U32_REAL_MAXSIZE]
value array[xt_u32_value_element, XT_U32_REAL_MAXSIZE]
nnums int8[0:XT_U32_REAL_MAXSIZE]
nvalues int8[0:XT_U32_REAL_MAXSIZE]
}
xt_u32_location_element {
number int32
nextop flags[xt_u32_ops, int8]
}
xt_u32_value_element {
min int32
max int32
}
xt_u32_ops = XT_U32_AND, XT_U32_LEFTSH, XT_U32_RIGHTSH, XT_U32_AT
define XT_U32_REAL_MAXSIZE XT_U32_MAXSIZE + 1
xt_iprange_mtinfo {
src_min nf_inet_addr
src_max nf_inet_addr
dst_min nf_inet_addr
dst_max nf_inet_addr
flags flags[xt_iprange_flags, int8]
}
xt_iprange_flags = IPRANGE_SRC, IPRANGE_DST, IPRANGE_SRC_INV, IPRANGE_DST_INV
xt_esp {
spis_min xfrm_spi
spis_max xfrm_spi
invflags flags[xt_esp_flags, int8]
}
xt_esp_flags = XT_ESP_INV_SPI, XT_ESP_INV_MASK
xt_cpu_info {
cpu int32
invert bool32
}
xt_state_info {
statemask int32
}