# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# Netfilter targets shared between ipv6/ipv6.

include <linux/socket.h>
include <uapi/linux/netfilter/ipset/ip_set.h>
include <uapi/linux/netfilter/x_tables.h>
include <uapi/linux/netfilter/xt_connmark.h>
include <uapi/linux/netfilter/nf_nat.h>
include <uapi/linux/netfilter/xt_set.h>
include <uapi/linux/netfilter/xt_mark.h>
include <uapi/linux/netfilter/xt_TEE.h>
include <uapi/linux/netfilter/xt_LED.h>
include <uapi/linux/netfilter/xt_TCPMSS.h>
include <uapi/linux/netfilter/xt_RATEEST.h>
include <uapi/linux/netfilter/xt_DSCP.h>
include <uapi/linux/netfilter/xt_CLASSIFY.h>
include <uapi/linux/netfilter/xt_IDLETIMER.h>
include <uapi/linux/netfilter/xt_TCPOPTSTRIP.h>
include <uapi/linux/netfilter/xt_NFQUEUE.h>
include <uapi/linux/netfilter/xt_CT.h>
include <uapi/linux/netfilter/xt_AUDIT.h>
include <uapi/linux/netfilter/xt_HMARK.h>
include <uapi/linux/netfilter/xt_TPROXY.h>
include <uapi/linux/netfilter/xt_CHECKSUM.h>
include <uapi/linux/netfilter/xt_CONNSECMARK.h>
include <uapi/linux/netfilter/xt_SECMARK.h>
include <uapi/linux/netfilter/xt_NFLOG.h>
include <uapi/linux/netfilter/xt_LOG.h>
include <uapi/linux/netfilter/xt_SYNPROXY.h>

type xt_target_t[NAME, DATA, REV] {
	target_size	len[parent, int16]
	name		string[NAME, XT_EXTENSION_MAXNAMELEN]
	revision	const[REV, int8]
	data		DATA
} [align_ptr]

xt_unspec_targets [
	STANDARD	xt_target_t["", flags[nf_verdicts, int32], 0]
	ERROR		xt_target_t["ERROR", array[int8, XT_FUNCTION_MAXNAMELEN], 0]
	LED		xt_target_t["LED", xt_led_info, 0]
	RATEEST		xt_target_t["RATEEST", xt_rateest_target_info, 0]
	NFQUEUE0	xt_target_t["NFQUEUE", xt_NFQ_info, 0]
	NFQUEUE1	xt_target_t["NFQUEUE", xt_NFQ_info_v1, 1]
	NFQUEUE2	xt_target_t["NFQUEUE", xt_NFQ_info_v3, 2]
	NFQUEUE3	xt_target_t["NFQUEUE", xt_NFQ_info_v3, 3]
	CLASSIFY	xt_target_t["CLASSIFY", xt_classify_target_info, 0]
	IDLETIMER	xt_target_t["IDLETIMER", idletimer_tg_info, 0]
	AUDIT		xt_target_t["AUDIT", xt_audit_info, 0]
	MARK		xt_target_t["MARK", xt_mark_tginfo2, 2]
	CONNSECMARK	xt_target_t["CONNSECMARK", xt_connsecmark_target_info, 0]
	SECMARK		xt_target_t["SECMARK", xt_secmark_target_info, 0]
	NFLOG		xt_target_t["NFLOG", xt_nflog_info, 0]
	CONNMARK	xt_target_t["CONNMARK", xt_connmark_tginfo1, 1]
] [varlen]

nf_verdicts = 0, NF_DROP_VERDICT, NF_ACCEPT_VERDICT, NF_STOLEN_VERDICT, NF_QUEUE_VERDICT, NF_REPEAT_VERDICT

define NF_DROP_VERDICT	-NF_DROP - 1
define NF_ACCEPT_VERDICT	-NF_ACCEPT - 1
define NF_STOLEN_VERDICT	-NF_STOLEN - 1
define NF_QUEUE_VERDICT	-NF_QUEUE - 1
define NF_REPEAT_VERDICT	-NF_REPEAT - 1

xt_unspec_mangle_targets [
	CHECKSUM	xt_target_t["CHECKSUM", xt_CHECKSUM_info, 0]
] [varlen]

xt_unspec_nat_targets [
	SNAT1	xt_target_t["SNAT", nf_nat_range, 1]
	DNAT1	xt_target_t["DNAT", nf_nat_range, 1]
] [varlen]

xt_unspec_raw_targets [
	TRACE	xt_target_t["TRACE", void, 0]
	CT0	xt_target_t["CT", xt_ct_target_info, 0]
	CT1	xt_target_t["CT", xt_ct_target_info_v1, 1]
	CT2	xt_target_t["CT", xt_ct_target_info_v1, 2]
	NOTRACK	xt_target_t["NOTRACK", void, 0]
] [varlen]

xt_inet_targets [
	TEE		xt_target_t["TEE", xt_tee_tginfo, 1]
	TCPMSS		xt_target_t["TCPMSS", xt_tcpmss_info, 0]
	TCPOPTSTRIP	xt_target_t["TCPOPTSTRIP", xt_tcpoptstrip_target_info, 0]
	HMARK		xt_target_t["HMARK", xt_hmark_info, 0]
	SET1		xt_target_t["SET", xt_set_info_target_v1, 1]
	SET2		xt_target_t["SET", xt_set_info_target_v2, 2]
	SET3		xt_target_t["SET", xt_set_info_target_v3, 3]
	LOG		xt_target_t["LOG", xt_log_info, 0]
	SYNPROXY	xt_target_t["SYNPROXY", xt_synproxy_info, 0]
] [varlen]

xt_inet_mangle_targets [
	DSCP	xt_target_t["DSCP", xt_DSCP_info, 0]
	TOS	xt_target_t["TOS", xt_tos_target_info, 0]
	TPROXY1	xt_target_t["TPROXY", xt_tproxy_target_info_v1, 1]
] [varlen]

xt_tee_tginfo {
	gw	nf_inet_addr
	oif	devname
	priv	intptr
}

xt_led_info {
	id		string[xt_led_names, 27]
	always_blink	bool8
	delay		int32
	internal_data	intptr
}

xt_led_names = "syz0", "syz1"

xt_tcpmss_info {
	mss	int16
}

xt_rateest_target_info {
	name		string[xt_rateest_names, IFNAMSIZ]
	interval	int8
	ewma_log	int8
	est		intptr
}

xt_rateest_names = "syz0", "syz1"

nf_nat_range {
	flags		flags[nf_nat_flags, int32]
	min_addr	nf_inet_addr
	max_addr	nf_inet_addr
	min_proto	nf_conntrack_man_proto
	max_proto	nf_conntrack_man_proto
}

nf_nat_ipv4_multi_range_compat {
	rangesize	const[1, int32]
	range		nf_nat_ipv4_range
}

nf_nat_ipv4_range {
	flags	flags[nf_nat_flags, int32]
	min_ip	ipv4_addr
	max_ip	ipv4_addr
	min	nf_conntrack_man_proto
	max	nf_conntrack_man_proto
}

nf_nat_flags = NF_NAT_RANGE_MAP_IPS, NF_NAT_RANGE_PROTO_SPECIFIED, NF_NAT_RANGE_PROTO_RANDOM, NF_NAT_RANGE_PERSISTENT, NF_NAT_RANGE_PROTO_RANDOM_FULLY

xt_NFQ_info {
	queuenum	int16
}

xt_NFQ_info_v1 {
	queuenum	int16
	queues_total	int16
}

xt_NFQ_info_v3 {
	queuenum	int16
	queues_total	int16
	flags		flags[xt_NFQ_flags, int16]
}

xt_NFQ_flags = NFQ_FLAG_BYPASS, NFQ_FLAG_CPU_FANOUT

xt_DSCP_info {
	dscp	int8[0:XT_DSCP_MAX]
}

xt_tos_target_info {
	tos_value	int8
	tos_mask	int8
}

xt_classify_target_info {
	priority	int32
}

idletimer_tg_info {
	timeout	int32
	label	string[idletimer_tg_names, MAX_IDLETIMER_LABEL_SIZE]
	timer	intptr
}

idletimer_tg_names = "syz0", "syz1"

xt_tcpoptstrip_target_info {
	strip_bmap	array[int32, 8]
}

xt_ct_target_info {
	flags		bool16
	zone		int16
	ct_events	int32
	exp_events	int32
	helper		string[xt_ct_helpers, 16]
	ct		intptr
}

xt_ct_target_info_v1 {
	flags		flags[xt_ct_flags, int16]
	zone		int16
	ct_events	int32
	exp_events	int32
	helper		string[xt_ct_helpers, 16]
# TODO: these names must be registered somewhere from netlink.
	timeout		string[xt_ct_timeouts, 32]
	ct		intptr
}

xt_ct_flags = XT_CT_NOTRACK, XT_CT_NOTRACK_ALIAS, XT_CT_ZONE_DIR_ORIG, XT_CT_ZONE_DIR_REPL, XT_CT_ZONE_MARK
xt_ct_helpers = "", "snmp_trap", "netbios-ns", "pptp", "snmp"
xt_ct_timeouts = "syz0", "syz1"

xt_audit_info {
	type	flags[xt_audit_flags, int8]
}

xt_audit_flags = XT_AUDIT_TYPE_ACCEPT, XT_AUDIT_TYPE_DROP, XT_AUDIT_TYPE_REJECT

xt_hmark_info {
	src_mask	nf_inet_addr
	dst_mask	ipv6_addr_mask
	src_port_mask	sock_port
	dst_port_mask	sock_port
	src_port_set	sock_port
	dst_port_set	sock_port
	flags		int32
	proto_mask	int16
	hashrnd		int32
	hmodulus	int32
	hoffset		int32
}

xt_tproxy_target_info {
	mark_mask	int32
	mark_value	int32
	laddr		ipv4_addr
	lport		sock_port
}

xt_tproxy_target_info_v1 {
	mark_mask	int32
	mark_value	int32
	laddr		nf_inet_addr
	lport		sock_port
}

xt_set_info_target_v0 {
	add_set	xt_set_info_v0
	del_set	xt_set_info_v0
}

xt_set_info_target_v1 {
	add_set	xt_set_info
	del_set	xt_set_info
}

xt_set_info_target_v2 {
	add_set	xt_set_info
	del_set	xt_set_info
	flags	int32
	timeout	int32
}

xt_set_info_target_v3 {
	add_set	xt_set_info
	del_set	xt_set_info
	map_set	xt_set_info
	flags	int32
	timeout	int32
}

type ip_set_id_t int16

xt_set_info_v0 {
	index	ip_set_id_t
	flags	array[int32, IPSET_DIM_MAX]
	dim	int8
	flags2	int8
	pad	const[0, int16]
}

xt_set_info {
	index	ip_set_id_t
	dim	int8
	flags	int8
}

ip_set_counter_match0 {
	op	int8
	value	int64
}

ip_set_counter_match {
	value	int64
	op	int8
}

xt_mark_tginfo2 {
	mark	int32
	mask	int32
}

xt_CHECKSUM_info {
	operation	const[XT_CHECKSUM_OP_FILL, int8]
}

xt_log_info {
	level		int8
	logflags	flags[xt_log_flags, int8]
	prefix		array[int8, 30]
}

xt_log_flags = XT_LOG_TCPSEQ, XT_LOG_TCPOPT, XT_LOG_IPOPT, XT_LOG_UID, XT_LOG_NFLOG, XT_LOG_MACDECODE

xt_connsecmark_target_info {
	mode	int8[1:2]
}

xt_secmark_target_info {
	mode	int8[1:1]
	secid	int32
	secctx	string[selinux_security_context, SECMARK_SECCTX_MAX]
}

xt_nflog_info {
	len		int32
	group		int16
	threshold	int16
	flags		bool16
	pad		const[0, int16]
	prefix		array[int8, 64]
}

xt_connmark_tginfo1 {
	ctmark	int32
	ctmask	int32
	nfmask	int32
	mode	flags[xt_connmark_mode, int8]
}

xt_connmark_mode = XT_CONNMARK_SET, XT_CONNMARK_SAVE, XT_CONNMARK_RESTORE

xt_synproxy_info {
	options	flags[xt_synproxy_options, int8]
	wscale	int8
	mss	int16
}

xt_synproxy_options = XT_SYNPROXY_OPT_MSS, XT_SYNPROXY_OPT_WSCALE, XT_SYNPROXY_OPT_SACK_PERM, XT_SYNPROXY_OPT_TIMESTAMP, XT_SYNPROXY_OPT_ECN