/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
 *                         Patrick Schaaf <bof@bof.de>
 *                         Martin Josefsson <gandalf@wlug.westbo.se>
 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

/* Userspace API of the netfilter ipset subsystem: netlink command and
 * attribute numbers, error codes, flag bits and the socket-option request
 * structures shared between the kernel and iptables/ip6tables/ipset.
 *
 * NOTE(review): everything in this header is kernel/userspace ABI. Numeric
 * values, enum ordering and struct layouts are consumed by both sides, so
 * they must only ever be appended to, never renumbered or reordered (the
 * "Reserve empty slots" and "new revision ... required" comments below show
 * the consequences of changing them).
 */
#ifndef _UAPI_IP_SET_H
#define _UAPI_IP_SET_H

#include <linux/types.h>

/* The protocol versions.
 * IPSET_PROTOCOL is the version this header describes; IPSET_PROTOCOL_MIN
 * is the oldest one still accepted. A userspace tool is expected to query
 * the running kernel (IPSET_CMD_PROTOCOL / IPSET_ATTR_PROTOCOL_MIN below)
 * rather than assume these values match the kernel it talks to.
 */
#define IPSET_PROTOCOL		7
#define IPSET_PROTOCOL_MIN	6

/* The max length of strings including NUL: set and type identifiers.
 * Names carried over netlink or in the request structs below are expected
 * to be NUL-terminated within this bound; longer names must be rejected by
 * the receiver, not silently truncated.
 */
#define IPSET_MAXNAMELEN	32

/* The maximum permissible comment length we will accept over netlink */
#define IPSET_MAX_COMMENT_SIZE	255

/* Message types and commands */
enum ipset_cmd {
	IPSET_CMD_NONE,
	IPSET_CMD_PROTOCOL,	/* 1: Return protocol version */
	IPSET_CMD_CREATE,	/* 2: Create a new (empty) set */
	IPSET_CMD_DESTROY,	/* 3: Destroy an (empty) set */
	IPSET_CMD_FLUSH,	/* 4: Remove all elements from a set */
	IPSET_CMD_RENAME,	/* 5: Rename a set */
	IPSET_CMD_SWAP,		/* 6: Swap two sets */
	IPSET_CMD_LIST,		/* 7: List sets */
	IPSET_CMD_SAVE,		/* 8: Save sets */
	IPSET_CMD_ADD,		/* 9: Add an element to a set */
	IPSET_CMD_DEL,		/* 10: Delete an element from a set */
	IPSET_CMD_TEST,		/* 11: Test an element in a set */
	IPSET_CMD_HEADER,	/* 12: Get set header data only */
	IPSET_CMD_TYPE,		/* 13: Get set type */
	IPSET_CMD_GET_BYNAME,	/* 14: Get set index by name */
	IPSET_CMD_GET_BYINDEX,	/* 15: Get set name by index */
	IPSET_MSG_MAX,		/* Netlink message commands */

	/* Commands in userspace:
	 * These reuse the number space above IPSET_MSG_MAX and are never
	 * sent to the kernel; a receiver on the kernel side should treat any
	 * command >= IPSET_MSG_MAX as invalid.
	 */
	IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 16: Enter restore mode */
	IPSET_CMD_HELP,		/* 17: Get help */
	IPSET_CMD_VERSION,	/* 18: Get program version */
	IPSET_CMD_QUIT,		/* 19: Quit from interactive mode */

	IPSET_CMD_MAX,

	IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 20: Commit buffered commands */
};

/* Attributes at command level.
 * Note the two aliases: IPSET_ATTR_SETNAME2 shares the number of
 * IPSET_ATTR_TYPENAME and IPSET_ATTR_REVISION_MIN that of
 * IPSET_ATTR_PROTOCOL_MIN, so the meaning of attribute 3 and attribute 10
 * depends on which command carries them.
 */
enum {
	IPSET_ATTR_UNSPEC,
	IPSET_ATTR_PROTOCOL,	/* 1: Protocol version */
	IPSET_ATTR_SETNAME,	/* 2: Name of the set */
	IPSET_ATTR_TYPENAME,	/* 3: Typename */
	IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME,	/* Setname at rename/swap */
	IPSET_ATTR_REVISION,	/* 4: Settype revision */
	IPSET_ATTR_FAMILY,	/* 5: Settype family */
	IPSET_ATTR_FLAGS,	/* 6: Flags at command level */
	IPSET_ATTR_DATA,	/* 7: Nested attributes */
	IPSET_ATTR_ADT,		/* 8: Multiple data containers */
	IPSET_ATTR_LINENO,	/* 9: Restore lineno */
	IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
	IPSET_ATTR_REVISION_MIN	= IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
	IPSET_ATTR_INDEX,	/* 11: Kernel index of set */
	__IPSET_ATTR_CMD_MAX,
};
#define IPSET_ATTR_CMD_MAX	(__IPSET_ATTR_CMD_MAX - 1)

/* CADT specific attributes (shared by Create, Add, Del and Test).
 * Numbers 1..IPSET_ATTR_CADT_MAX form the common range. The create-only
 * attributes start right after IPSET_ATTR_CADT_MAX, i.e. at the same
 * number as the first ADT attribute in the next enum (IPSET_ATTR_ETHER), so
 * attribute numbers above IPSET_ATTR_CADT_MAX are only meaningful together
 * with the command they arrive in and must be validated per command.
 */
enum {
	IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
	IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
	IPSET_ATTR_IP_TO,	/* 2 */
	IPSET_ATTR_CIDR,	/* 3 */
	IPSET_ATTR_PORT,	/* 4 */
	IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
	IPSET_ATTR_PORT_TO,	/* 5 */
	IPSET_ATTR_TIMEOUT,	/* 6 */
	IPSET_ATTR_PROTO,	/* 7 */
	IPSET_ATTR_CADT_FLAGS,	/* 8 */
	IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO,	/* 9 */
	IPSET_ATTR_MARK,	/* 10 */
	IPSET_ATTR_MARKMASK,	/* 11 */
	/* Reserve empty slots */
	IPSET_ATTR_CADT_MAX = 16,
	/* Create-only specific attributes */
	IPSET_ATTR_GC,
	IPSET_ATTR_HASHSIZE,
	IPSET_ATTR_MAXELEM,
	IPSET_ATTR_NETMASK,
	IPSET_ATTR_PROBES,
	IPSET_ATTR_RESIZE,
	IPSET_ATTR_SIZE,
	/* Kernel-only: reported by the kernel in listings, not accepted
	 * from userspace.
	 */
	IPSET_ATTR_ELEMENTS,
	IPSET_ATTR_REFERENCES,
	IPSET_ATTR_MEMSIZE,

	__IPSET_ATTR_CREATE_MAX,
};
#define IPSET_ATTR_CREATE_MAX	(__IPSET_ATTR_CREATE_MAX - 1)

/* ADT specific attributes (Add, Del, Test only; numbering continues after
 * the common CADT range, see the note above).
 */
enum {
	IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
	IPSET_ATTR_NAME,
	IPSET_ATTR_NAMEREF,
	IPSET_ATTR_IP2,
	IPSET_ATTR_CIDR2,
	IPSET_ATTR_IP2_TO,
	IPSET_ATTR_IFACE,
	IPSET_ATTR_BYTES,
	IPSET_ATTR_PACKETS,
	IPSET_ATTR_COMMENT,
	IPSET_ATTR_SKBMARK,
	IPSET_ATTR_SKBPRIO,
	IPSET_ATTR_SKBQUEUE,
	IPSET_ATTR_PAD,
	__IPSET_ATTR_ADT_MAX,
};
#define IPSET_ATTR_ADT_MAX	(__IPSET_ATTR_ADT_MAX - 1)

/* IP specific attributes: nested under an address attribute, exactly one
 * of the two is expected to be present.
 */
enum {
	IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
	IPSET_ATTR_IPADDR_IPV6,
	__IPSET_ATTR_IPADDR_MAX,
};
#define IPSET_ATTR_IPADDR_MAX	(__IPSET_ATTR_IPADDR_MAX - 1)

/* Error codes.
 * They start at 4096, well above the standard errno range, presumably so
 * that ipset-specific errors cannot be confused with ordinary errno values
 * returned through the same channel -- confirm against the consumers.
 */
enum ipset_errno {
	IPSET_ERR_PRIVATE = 4096,
	IPSET_ERR_PROTOCOL,
	IPSET_ERR_FIND_TYPE,
	IPSET_ERR_MAX_SETS,
	IPSET_ERR_BUSY,
	IPSET_ERR_EXIST_SETNAME2,
	IPSET_ERR_TYPE_MISMATCH,
	IPSET_ERR_EXIST,
	IPSET_ERR_INVALID_CIDR,
	IPSET_ERR_INVALID_NETMASK,
	IPSET_ERR_INVALID_FAMILY,
	IPSET_ERR_TIMEOUT,
	IPSET_ERR_REFERENCED,
	IPSET_ERR_IPADDR_IPV4,
	IPSET_ERR_IPADDR_IPV6,
	IPSET_ERR_COUNTER,
	IPSET_ERR_COMMENT,
	IPSET_ERR_INVALID_MARKMASK,
	IPSET_ERR_SKBINFO,

	/* Type specific error codes: each set type numbers its own errors
	 * upwards from here.
	 */
	IPSET_ERR_TYPE_SPECIFIC = 4352,
};

/* Flags at command level or match/target flags, lower half of cmdattrs.
 * Bits 0..IPSET_FLAG_CMD_MAX (the low 16 bits) belong to this enum; the
 * high 16 bits are enum ipset_cadt_flags below. Bit 6 is unused and bit 7
 * appears to be chosen so that IPSET_FLAG_BIT_RETURN_NOMATCH lines up with
 * IPSET_BIT_RETURN_NOMATCH in enum ip_set_dim (same value, 7).
 */
enum ipset_cmd_flags {
	IPSET_FLAG_BIT_EXIST	= 0,
	IPSET_FLAG_EXIST	= (1 << IPSET_FLAG_BIT_EXIST),
	IPSET_FLAG_BIT_LIST_SETNAME = 1,
	IPSET_FLAG_LIST_SETNAME	= (1 << IPSET_FLAG_BIT_LIST_SETNAME),
	IPSET_FLAG_BIT_LIST_HEADER = 2,
	IPSET_FLAG_LIST_HEADER	= (1 << IPSET_FLAG_BIT_LIST_HEADER),
	IPSET_FLAG_BIT_SKIP_COUNTER_UPDATE = 3,
	IPSET_FLAG_SKIP_COUNTER_UPDATE =
		(1 << IPSET_FLAG_BIT_SKIP_COUNTER_UPDATE),
	IPSET_FLAG_BIT_SKIP_SUBCOUNTER_UPDATE = 4,
	IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE =
		(1 << IPSET_FLAG_BIT_SKIP_SUBCOUNTER_UPDATE),
	IPSET_FLAG_BIT_MATCH_COUNTERS = 5,
	IPSET_FLAG_MATCH_COUNTERS = (1 << IPSET_FLAG_BIT_MATCH_COUNTERS),
	IPSET_FLAG_BIT_RETURN_NOMATCH = 7,
	IPSET_FLAG_RETURN_NOMATCH = (1 << IPSET_FLAG_BIT_RETURN_NOMATCH),
	IPSET_FLAG_BIT_MAP_SKBMARK = 8,
	IPSET_FLAG_MAP_SKBMARK	= (1 << IPSET_FLAG_BIT_MAP_SKBMARK),
	IPSET_FLAG_BIT_MAP_SKBPRIO = 9,
	IPSET_FLAG_MAP_SKBPRIO	= (1 << IPSET_FLAG_BIT_MAP_SKBPRIO),
	IPSET_FLAG_BIT_MAP_SKBQUEUE = 10,
	IPSET_FLAG_MAP_SKBQUEUE	= (1 << IPSET_FLAG_BIT_MAP_SKBQUEUE),
	IPSET_FLAG_CMD_MAX	= 15,
};

/* Flags at CADT attribute level, upper half of cmdattrs.
 * Bit numbers here are relative to the upper 16-bit half, so they may
 * legitimately collide numerically with enum ipset_cmd_flags; unknown bits
 * in either half should be rejected by the receiver.
 */
enum ipset_cadt_flags {
	IPSET_FLAG_BIT_BEFORE	= 0,
	IPSET_FLAG_BEFORE	= (1 << IPSET_FLAG_BIT_BEFORE),
	IPSET_FLAG_BIT_PHYSDEV	= 1,
	IPSET_FLAG_PHYSDEV	= (1 << IPSET_FLAG_BIT_PHYSDEV),
	IPSET_FLAG_BIT_NOMATCH	= 2,
	IPSET_FLAG_NOMATCH	= (1 << IPSET_FLAG_BIT_NOMATCH),
	IPSET_FLAG_BIT_WITH_COUNTERS = 3,
	IPSET_FLAG_WITH_COUNTERS = (1 << IPSET_FLAG_BIT_WITH_COUNTERS),
	IPSET_FLAG_BIT_WITH_COMMENT = 4,
	IPSET_FLAG_WITH_COMMENT	= (1 << IPSET_FLAG_BIT_WITH_COMMENT),
	IPSET_FLAG_BIT_WITH_FORCEADD = 5,
	IPSET_FLAG_WITH_FORCEADD = (1 << IPSET_FLAG_BIT_WITH_FORCEADD),
	IPSET_FLAG_BIT_WITH_SKBINFO = 6,
	IPSET_FLAG_WITH_SKBINFO	= (1 << IPSET_FLAG_BIT_WITH_SKBINFO),
	IPSET_FLAG_CADT_MAX	= 15,
};

/* The flag bits which correspond to the non-extension create flags */
enum ipset_create_flags {
	IPSET_CREATE_FLAG_BIT_FORCEADD	= 0,
	IPSET_CREATE_FLAG_FORCEADD	= (1 << IPSET_CREATE_FLAG_BIT_FORCEADD),
	IPSET_CREATE_FLAG_BIT_MAX	= 7,
};

/* Commands with settype-specific attributes.
 * IPSET_CREATE shares the value of IPSET_ADT_MAX, so a loop bounded by
 * IPSET_ADT_MAX covers only Add/Del/Test while IPSET_CADT_MAX also covers
 * Create.
 */
enum ipset_adt {
	IPSET_ADD,
	IPSET_DEL,
	IPSET_TEST,
	IPSET_ADT_MAX,
	IPSET_CREATE = IPSET_ADT_MAX,
	IPSET_CADT_MAX,
};

/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
 * and IPSET_INVALID_ID if you want to increase the max number of sets.
 * Also, IPSET_ATTR_INDEX must be changed.
 */
typedef __u16 ip_set_id_t;

/* 65535 is the largest __u16 value, so it can never be a valid index
 * within ip_set_id_t; any index received from userspace must be checked
 * against the actual number of sets, not just against this sentinel.
 */
#define IPSET_INVALID_ID		65535

enum ip_set_dim {
	IPSET_DIM_ZERO = 0,
	IPSET_DIM_ONE,
	IPSET_DIM_TWO,
	IPSET_DIM_THREE,
	/* Max dimension in elements.
	 * If changed, new revision of iptables match/target is required.
	 */
	IPSET_DIM_MAX = 6,
	/* Backward compatibility: set match revision 2 */
	IPSET_BIT_RETURN_NOMATCH = 7,
};

/* Option flags for kernel operations.
 * The per-dimension *_SRC bits reuse the ip_set_dim values as bit
 * positions; bit IPSET_DIM_ZERO doubles as the "invert match" flag.
 */
enum ip_set_kopt {
	IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
	IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
	IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
	IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),
};

/* Comparison operators for counter matching (used in the op field of the
 * ip_set_counter_match structs below).
 */
enum {
	IPSET_COUNTER_NONE = 0,
	IPSET_COUNTER_EQ,
	IPSET_COUNTER_NE,
	IPSET_COUNTER_LT,
	IPSET_COUNTER_GT,
};

/* Backward compatibility for set match v3.
 * NOTE(review): this layout puts a __u8 before a __u64, so its size and the
 * offset of value depend on the ABI's u64 alignment (differs between 32-
 * and 64-bit userspace) -- presumably the reason the newer struct below
 * exists; confirm before touching either.
 */
struct ip_set_counter_match0 {
	__u8 op;
	__u64 value;
};

/* Current counter match: the explicitly aligned 64-bit value comes first
 * so the layout is the same regardless of userspace word size.
 */
struct ip_set_counter_match {
	__aligned_u64 value;
	__u8 op;
};

/* Interface to iptables/ip6tables.
 * The ip_set_req_* structures below are exchanged through the SO_IP_SET
 * socket option; each starts with an op and a version field. NOTE(review):
 * the kernel side is expected to validate op, version and the length of the
 * request before reading the remaining fields -- verify against the
 * implementation.
 */

#define SO_IP_SET		83

/* A set is named either by its string name or by its kernel index;
 * which member is valid depends on the op. The name member must be
 * NUL-terminated within IPSET_MAXNAMELEN by the sender.
 */
union ip_set_name_index {
	char name[IPSET_MAXNAMELEN];
	ip_set_id_t index;
};

#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
struct ip_set_req_get_set {
	unsigned int op;
	unsigned int version;
	union ip_set_name_index set;
};

#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
/* Uses ip_set_req_get_set */

#define IP_SET_OP_GET_FNAME	0x00000008	/* Get set index and family */
struct ip_set_req_get_set_family {
	unsigned int op;
	unsigned int version;
	unsigned int family;
	union ip_set_name_index set;
};

#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
struct ip_set_req_version {
	unsigned int op;
	unsigned int version;
};

#endif /* _UAPI_IP_SET_H */