1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
|
# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
include <linux/socket.h>
include <uapi/linux/netfilter_ipv6/ip6_tables.h>
include <uapi/linux/netfilter_ipv6/ip6t_rt.h>
include <uapi/linux/netfilter_ipv6/ip6t_mh.h>
include <uapi/linux/netfilter_ipv6/ip6t_opts.h>
include <uapi/linux/netfilter_ipv6/ip6t_frag.h>
include <uapi/linux/netfilter_ipv6/ip6t_ipv6header.h>
include <uapi/linux/netfilter_ipv6/ip6t_ah.h>
include <uapi/linux/netfilter_ipv6/ip6t_srh.h>
include <uapi/linux/netfilter_ipv6/ip6t_REJECT.h>
include <uapi/linux/netfilter_ipv6/ip6t_NPT.h>
include <uapi/linux/netfilter_ipv6/ip6t_HL.h>
setsockopt$IP6T_SO_SET_REPLACE(fd sock_in6, level const[SOL_IPV6], opt const[IP6T_SO_SET_REPLACE], val ptr[in, ip6t_replace], len len[val])
setsockopt$IP6T_SO_SET_ADD_COUNTERS(fd sock_in6, level const[SOL_IPV6], opt const[IP6T_SO_SET_ADD_COUNTERS], val ptr[in, ipt_counters_info], len len[val])
getsockopt$IP6T_SO_GET_INFO(fd sock_in6, level const[SOL_IPV6], opt const[IP6T_SO_GET_INFO], val ptr[in, ipt_getinfo], len ptr[in, len[val, int32]])
getsockopt$IP6T_SO_GET_ENTRIES(fd sock_in6, level const[SOL_IPV6], opt const[IP6T_SO_GET_ENTRIES], val ptr[in, ipt_get_entries], len ptr[in, len[val, int32]])
getsockopt$IP6T_SO_GET_REVISION_MATCH(fd sock_in6, level const[SOL_IPV6], opt const[IP6T_SO_GET_REVISION_MATCH], val ptr[in, xt_get_revision], len ptr[in, len[val, int32]])
getsockopt$IP6T_SO_GET_REVISION_TARGET(fd sock_in6, level const[SOL_IPV6], opt const[IP6T_SO_GET_REVISION_TARGET], val ptr[in, xt_get_revision], len ptr[in, len[val, int32]])
ip6t_replace [
filter ip6t_replace_t["filter", 3, 4, IPT_FILTER_VALID_HOOKS, ip6t_filter_matches, ip6t_filter_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
nat ip6t_replace_t["nat", 4, 5, IPT_NAT_VALID_HOOKS, ip6t_nat_matches, ip6t_nat_targets, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook]
mangle ip6t_replace_t["mangle", 5, 6, IPT_MANGLE_VALID_HOOKS, ip6t_mangle_matches, ip6t_mangle_targets, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook]
raw ip6t_replace_t["raw", 2, 3, IPT_RAW_VALID_HOOKS, ip6t_raw_matches, ip6t_raw_targets, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused]
security ip6t_replace_t["security", 3, 4, IPT_SECURITY_VALID_HOOKS, ip6t_security_matches, ip6t_security_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
] [varlen]
type ip6t_replace_t[NAME, NENTRIES, NHOOKS, HOOKS, MATCHES, TARGETS, H0, H1, H2, H3, H4, U0, U1, U2, U3, U4] {
name string[NAME, XT_TABLE_MAXNAMELEN]
valid_hooks const[HOOKS, int32]
num_entries const[NHOOKS, int32]
size bytesize[entries, int32]
hook_pre_routing H0
hook_local_in H1
hook_forward H2
hook_local_out H3
hook_post_routing H4
underflow_pre_routing U0
underflow_local_in U1
underflow_forward U2
underflow_local_out U3
underflow_post_routing U4
num_counters const[NHOOKS, int32]
counters ptr[out, array[xt_counters, NHOOKS]]
entries ip6t_replace_entries[NENTRIES, MATCHES, TARGETS]
}
type ip6t_replace_entries[NENTRIES, MATCHES, TARGETS] {
entries array[ip6t_entry[MATCHES, TARGETS], NENTRIES]
underflow ip6t_entry_underflow
} [packed, align[PTR_SIZE]]
type ip6t_entry[MATCHES, TARGETS] {
matches ip6t_entry_matches[MATCHES]
target TARGETS
} [packed, align[PTR_SIZE]]
type ip6t_entry_matches[MATCHES] {
ipv6 ip6t_ip6_or_uncond
nfcache const[0, int32]
target_offset len[parent, int16]
next_offset len[ip6t_entry, int16]
comefrom const[0, int32]
counters xt_counters
matches array[MATCHES, 0:2]
} [align[PTR_SIZE]]
ip6t_entry_underflow {
matches ip6t_entry_underflow_matches
target xt_target_t["", const[NF_ACCEPT_VERDICT, int32], 0]
} [align[PTR_SIZE]]
ip6t_entry_underflow_matches {
ipv6 ip6t_ip6_uncond
nfcache const[0, int32]
target_offset len[parent, int16]
next_offset len[ip6t_entry_underflow, int16]
comefrom const[0, int32]
counters xt_counters
}
ip6t_ip6_or_uncond [
ipv6 ip6t_ip6
uncond ip6t_ip6_uncond
]
type ip6t_ip6_uncond array[const[0, int8], IP6T_IP6_SIZE]
define IP6T_IP6_SIZE sizeof(struct ip6t_ip6)
ip6t_ip6 {
src ipv6_addr
dst ipv6_addr
smsk ipv6_addr_mask
dmsk ipv6_addr_mask
iniface devname
outiface devname
iniface_mask devname_mask
outiface_mask devname_mask
proto flags[ipv6_types, int16]
tos int8
flags flags[ip6t_ip6_flags, int8]
invflags flags[ip6t_ip6_invflags, int8]
}
ip6t_ip6_flags = IP6T_F_PROTO, IP6T_F_TOS, IP6T_F_GOTO
ip6t_ip6_invflags = IP6T_INV_VIA_IN, IP6T_INV_VIA_OUT, IP6T_INV_TOS, IP6T_INV_SRCIP, IP6T_INV_DSTIP, IP6T_INV_FRAG, IP6T_INV_PROTO
# MATCHES:
ipt6_matches [
unspec xt_unspec_matches
inet xt_inet_matches
icmp6 xt_entry_match_t["icmp6", ip6t_icmp, 0]
rt xt_entry_match_t["rt", ip6t_rt, 0]
mh xt_entry_match_t["mh", ip6t_mh, 0]
hbh xt_entry_match_t["hbh", ip6t_opts, 0]
dst xt_entry_match_t["dst", ip6t_opts, 0]
frag xt_entry_match_t["frag", ip6t_frag, 0]
eui64 xt_entry_match_t["eui64", const[0, int32], 0]
ah xt_entry_match_t["ah", ip6t_ah, 0]
ipv6header xt_entry_match_t["ipv6header", ip6t_ipv6header_info, 0]
hl xt_entry_match_t["hl", ipt_ttl_info, 0]
srh xt_entry_match_t["srh", ip6t_srh, 0]
srh1 xt_entry_match_t["srh", ip6t_srh1, 1]
] [varlen]
ip6t_filter_matches [
common ipt6_matches
] [varlen]
ip6t_nat_matches [
common ipt6_matches
] [varlen]
ip6t_mangle_matches [
common ipt6_matches
inet xt_inet_mangle_matches
] [varlen]
ip6t_raw_matches [
common ipt6_matches
inet xt_inet_raw_matches
] [varlen]
ip6t_security_matches [
common ipt6_matches
] [varlen]
ip6t_icmp {
type flags[icmp_types, int8]
code array[int8, 2]
invflags bool8
}
ip6t_rt {
rt_type int32
segsleft array[int32, 2]
hdrlen int32
flags flags[ip6t_rt_flags, int8]
invflags flags[ip6t_rt_invflags, int8]
addrs array[ipv6_addr, IP6T_RT_HOPS]
addrnr int8[0:IP6T_RT_HOPS]
}
ip6t_rt_flags = IP6T_RT_TYP, IP6T_RT_SGS, IP6T_RT_LEN, IP6T_RT_RES, IP6T_RT_FST_MASK, IP6T_RT_FST, IP6T_RT_FST_NSTRICT
ip6t_rt_invflags = IP6T_RT_INV_TYP, IP6T_RT_INV_SGS, IP6T_RT_INV_LEN
ip6t_mh {
types array[int8, 2]
invflags bool8
}
ip6t_opts {
hdrlen int32
flags flags[ip6t_opts_flags, int8]
invflags flags[ip6t_opts_invflags, int8]
opts array[int16, IP6T_OPTS_OPTSNR]
optsnr int8[0:IP6T_OPTS_OPTSNR]
}
ip6t_opts_flags = IP6T_OPTS_LEN, IP6T_OPTS_OPTS, IP6T_OPTS_NSTRICT
ip6t_opts_invflags = IP6T_OPTS_INV_LEN
ip6t_frag {
ids array[int32, 2]
hdrlen int32
flags flags[ip6t_frag_flags, int8]
invflags flags[ip6t_frag_invflags, int8]
}
ip6t_frag_flags = IP6T_FRAG_IDS, IP6T_FRAG_LEN, IP6T_FRAG_RES, IP6T_FRAG_FST, IP6T_FRAG_MF, IP6T_FRAG_NMF
ip6t_frag_invflags = IP6T_FRAG_INV_IDS, IP6T_FRAG_INV_LEN
ip6t_ipv6header_info {
matchflags flags[ip6t_ipv6header_flags, int8]
invflags flags[ip6t_ipv6header_flags, int8]
modeflag bool8
}
ip6t_ipv6header_flags = MASK_HOPOPTS, MASK_DSTOPTS, MASK_ROUTING, MASK_FRAGMENT, MASK_AH, MASK_ESP, MASK_NONE, MASK_PROTO
ip6t_ah {
spis array[xfrm_spi, 2]
hdrlen int32
hdrres int8
invflags flags[ip6t_ah_flags, int8]
}
ip6t_ah_flags = IP6T_AH_INV_SPI, IP6T_AH_INV_LEN
ip6t_srh {
next_hdr flags[ipv6_types, int8]
hdr_len int8
segs_left int8
last_entry int8
tag int16
mt_flags flags[ip6t_srh_flags, int16]
mt_invflags flags[ip6t_srh_flags, int16]
}
ip6t_srh1 {
next_hdr flags[ipv6_types, int8]
hdr_len int8
segs_left int8
last_entry int8
tag int16
psid_addr ipv6_addr
nsid_addr ipv6_addr
lsid_addr ipv6_addr
psid_msk ipv6_addr_mask
nsid_msk ipv6_addr_mask
lsid_msk ipv6_addr_mask
mt_flags flags[ip6t_srh_flags, int16]
mt_invflags flags[ip6t_srh_flags, int16]
}
ip6t_srh_flags = IP6T_SRH_NEXTHDR, IP6T_SRH_LEN_EQ, IP6T_SRH_LEN_GT, IP6T_SRH_LEN_LT, IP6T_SRH_SEGS_EQ, IP6T_SRH_SEGS_GT, IP6T_SRH_SEGS_LT, IP6T_SRH_LAST_EQ, IP6T_SRH_LAST_GT, IP6T_SRH_LAST_LT, IP6T_SRH_TAG, IP6T_SRH_PSID, IP6T_SRH_NSID, IP6T_SRH_LSID
# TARGETS:
ip6t_targets [
unspec xt_unspec_targets
inet xt_inet_targets
] [varlen]
ip6t_filter_targets [
common ip6t_targets
REJECT xt_target_t["REJECT", ip6t_reject_info, 0]
] [varlen]
ip6t_nat_targets [
common ip6t_targets
unspec xt_unspec_nat_targets
NETMAP xt_target_t["NETMAP", nf_nat_range, 0]
REDIRECT xt_target_t["REDIRECT", nf_nat_range, 0]
MASQUERADE xt_target_t["MASQUERADE", nf_nat_range, 0]
] [varlen]
ip6t_mangle_targets [
common ip6t_targets
unspec xt_unspec_mangle_targets
inet xt_inet_mangle_targets
SNPT xt_target_t["SNPT", ip6t_npt_tginfo, 0]
DNPT xt_target_t["DNPT", ip6t_npt_tginfo, 0]
HL xt_target_t["HL", ipt_TTL_info, 0]
] [varlen]
ip6t_raw_targets [
common ip6t_targets
unspec xt_unspec_raw_targets
] [varlen]
ip6t_security_targets [
common ip6t_targets
] [varlen]
ip6t_reject_info {
with flags[ip6t_reject_with, int32]
}
ip6t_reject_with = IP6T_ICMP6_NO_ROUTE, IP6T_ICMP6_ADM_PROHIBITED, IP6T_ICMP6_NOT_NEIGHBOUR, IP6T_ICMP6_ADDR_UNREACH, IP6T_ICMP6_PORT_UNREACH, IP6T_ICMP6_ECHOREPLY, IP6T_TCP_RESET, IP6T_ICMP6_POLICY_FAIL, IP6T_ICMP6_REJECT_ROUTE
ip6t_npt_tginfo {
src_pfx nf_inet_addr
dst_pfx nf_inet_addr
src_pfx_len int8[0:64]
dst_pfx_len int8[0:64]
adjustment int16
}
|
