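/// List of denied setsockopt(2) options.
///
/// Each entry is a `(level, optname)` pair exactly as passed to
/// setsockopt(2). Where the `libc` crate exposes no constant, the numeric
/// value from the Linux UAPI headers is used and the symbolic name is kept
/// in a comment next to it.
///
/// Caveats for anyone matching against this table:
///
/// * Several Bluetooth levels share their numeric value with an IP level:
///   `SOL_HCI` (0) == `IPPROTO_IP`, `SOL_L2CAP` (6) == `IPPROTO_TCP` and
///   `SOL_SCO` (17) == `IPPROTO_UDP`. Unless the caller also checks the
///   socket family, the HCI/L2CAP/SCO entries below therefore also match
///   `IP_TOS`/`IP_TTL`/`IP_HDRINCL` (0, 1..3), `TCP_NODELAY`/`TCP_MAXSEG`/
///   `TCP_CORK` (6, 1..3) and `UDP_CORK` (17, 1) on ordinary IP sockets.
/// * The raw `SOL_SOCKET` option numbers follow `asm-generic/socket.h`;
///   some architectures (e.g. SPARC) assign different numbers to the
///   `SO_*` BPF options, so those literals are not portable there.
pub const DENY_SETSOCKOPT: &[(i32, i32)] = &[
    // SOL_SOCKET
    (libc::SOL_SOCKET, libc::SO_DEBUG),
    (libc::SOL_SOCKET, libc::SO_SNDBUFFORCE),
    (libc::SOL_SOCKET, libc::SO_RCVBUFFORCE),
    // IPv4: iptables / arptables and multicast filters
    (libc::IPPROTO_IP, 64),  // IPT_SO_SET_REPLACE
    (libc::IPPROTO_IP, 65),  // IPT_SO_SET_ADD_COUNTERS
    (libc::IPPROTO_IP, 96),  // ARPT_SO_SET_REPLACE
    (libc::IPPROTO_IP, 97),  // ARPT_SO_SET_ADD_COUNTERS
    (libc::IPPROTO_IP, 41),  // IP_MSFILTER
    (libc::IPPROTO_IP, 48),  // MCAST_MSFILTER
    // IPv4 multicast group membership
    (libc::IPPROTO_IP, libc::IP_ADD_MEMBERSHIP),
    (libc::IPPROTO_IP, libc::IP_DROP_MEMBERSHIP),
    (libc::IPPROTO_IP, libc::IP_ADD_SOURCE_MEMBERSHIP),
    (libc::IPPROTO_IP, libc::IP_DROP_SOURCE_MEMBERSHIP),
    (libc::IPPROTO_IP, libc::IP_BLOCK_SOURCE),
    (libc::IPPROTO_IP, libc::IP_UNBLOCK_SOURCE),
    // Protocol-independent multicast API (v4/v6) - advanced membership
    (libc::IPPROTO_IP, libc::MCAST_JOIN_GROUP),
    (libc::IPPROTO_IP, libc::MCAST_LEAVE_GROUP),
    (libc::IPPROTO_IP, libc::MCAST_JOIN_SOURCE_GROUP),
    (libc::IPPROTO_IP, libc::MCAST_LEAVE_SOURCE_GROUP),
    (libc::IPPROTO_IP, libc::MCAST_BLOCK_SOURCE),
    (libc::IPPROTO_IP, libc::MCAST_UNBLOCK_SOURCE),
    // IPv4 multicast routing (mroute): MRT_BASE (200) .. MRT_FLUSH (212)
    (libc::IPPROTO_IP, 200), // MRT_INIT
    (libc::IPPROTO_IP, 201), // MRT_DONE
    (libc::IPPROTO_IP, 202), // MRT_ADD_VIF
    (libc::IPPROTO_IP, 203), // MRT_DEL_VIF
    (libc::IPPROTO_IP, 204), // MRT_ADD_MFC
    (libc::IPPROTO_IP, 205), // MRT_DEL_MFC
    (libc::IPPROTO_IP, 206), // MRT_VERSION
    (libc::IPPROTO_IP, 207), // MRT_ASSERT
    (libc::IPPROTO_IP, 208), // MRT_PIM
    (libc::IPPROTO_IP, 209), // MRT_TABLE
    (libc::IPPROTO_IP, 210), // MRT_ADD_MFC_PROXY
    (libc::IPPROTO_IP, 211), // MRT_DEL_MFC_PROXY
    (libc::IPPROTO_IP, 212), // MRT_FLUSH
    // IPv6: ip6tables and header manipulation
    (libc::IPPROTO_IPV6, 64), // IP6T_SO_SET_REPLACE
    (libc::IPPROTO_IPV6, 65), // IP6T_SO_SET_ADD_COUNTERS
    (libc::IPPROTO_IPV6, libc::IPV6_ADDRFORM),
    (libc::IPPROTO_IPV6, libc::IPV6_RTHDR),
    (libc::IPPROTO_IPV6, libc::IPV6_DSTOPTS),
    // Bridging / ebtables (Netfilter, analogous to IPT_SO_* we already deny)
    (libc::IPPROTO_IP, 128), // EBT_SO_SET_ENTRIES
    (libc::IPPROTO_IP, 129), // EBT_SO_SET_COUNTERS
    // IPv6: DCCP / IPV6_RECVPKTINFO (CVE-2017-6074)
    (libc::IPPROTO_IPV6, libc::IPV6_RECVPKTINFO),
    // IPv6 multicast group membership
    (libc::IPPROTO_IPV6, 20 /* IPV6_JOIN_GROUP */),
    (libc::IPPROTO_IPV6, 21 /* IPV6_LEAVE_GROUP */),
    (libc::IPPROTO_IPV6, 27 /* IPV6_JOIN_ANYCAST */),
    (libc::IPPROTO_IPV6, 28 /* IPV6_LEAVE_ANYCAST */),
    (libc::IPPROTO_IPV6, libc::MCAST_JOIN_GROUP),
    (libc::IPPROTO_IPV6, libc::MCAST_LEAVE_GROUP),
    (libc::IPPROTO_IPV6, libc::MCAST_JOIN_SOURCE_GROUP),
    (libc::IPPROTO_IPV6, libc::MCAST_LEAVE_SOURCE_GROUP),
    (libc::IPPROTO_IPV6, libc::MCAST_BLOCK_SOURCE),
    (libc::IPPROTO_IPV6, libc::MCAST_UNBLOCK_SOURCE),
    // IPv6 multicast routing (mroute6): same numbering as the IPv4 MRT_* set
    (libc::IPPROTO_IPV6, 200), // MRT6_INIT
    (libc::IPPROTO_IPV6, 201), // MRT6_DONE
    (libc::IPPROTO_IPV6, 202), // MRT6_ADD_MIF
    (libc::IPPROTO_IPV6, 203), // MRT6_DEL_MIF
    (libc::IPPROTO_IPV6, 204), // MRT6_ADD_MFC
    (libc::IPPROTO_IPV6, 205), // MRT6_DEL_MFC
    (libc::IPPROTO_IPV6, 206), // MRT6_VERSION
    (libc::IPPROTO_IPV6, 207), // MRT6_ASSERT
    (libc::IPPROTO_IPV6, 208), // MRT6_PIM
    (libc::IPPROTO_IPV6, 209), // MRT6_TABLE
    (libc::IPPROTO_IPV6, 210), // MRT6_ADD_MFC_PROXY
    (libc::IPPROTO_IPV6, 211), // MRT6_DEL_MFC_PROXY
    (libc::IPPROTO_IPV6, 212), // MRT6_FLUSH
    // TCP: repair / ULP
    (libc::IPPROTO_TCP, libc::TCP_REPAIR),
    (libc::IPPROTO_TCP, libc::TCP_REPAIR_QUEUE),
    (libc::IPPROTO_TCP, libc::TCP_QUEUE_SEQ),
    (libc::IPPROTO_TCP, libc::TCP_REPAIR_OPTIONS),
    (libc::IPPROTO_TCP, libc::TCP_REPAIR_WINDOW),
    (libc::IPPROTO_TCP, libc::TCP_ULP),
    // TCP: congestion control selection (used in recent mptcp/tcp_setsockopt CVEs)
    (libc::IPPROTO_TCP, libc::TCP_CONGESTION),
    // UDP: corking (had IPv6/UDP interaction CVEs)
    (libc::IPPROTO_UDP, libc::UDP_CORK),
    // AF_PACKET: tpacket rings / fanout / bypass
    (libc::SOL_PACKET, 5),  // PACKET_RX_RING
    (libc::SOL_PACKET, 10), // PACKET_VERSION
    (libc::SOL_PACKET, 13), // PACKET_TX_RING
    (libc::SOL_PACKET, 18), // PACKET_FANOUT
    (libc::SOL_PACKET, 19), // PACKET_TX_HAS_OFF
    (libc::SOL_PACKET, 20), // PACKET_QDISC_BYPASS
    (libc::SOL_PACKET, 21), // PACKET_ROLLOVER_STATS
    (libc::SOL_PACKET, 22), // PACKET_FANOUT_DATA
    (libc::SOL_PACKET, 23), // PACKET_IGNORE_OUTGOING
    // AF_BLUETOOTH: HCI socket options (level SOL_HCI).
    // SOL_HCI is 0, the same number as IPPROTO_IP - see the type-level doc.
    (0 /* SOL_HCI */, 1 /* HCI_DATA_DIR */),
    (0 /* SOL_HCI */, 2 /* HCI_FILTER */),
    (0 /* SOL_HCI */, 3 /* HCI_TIME_STAMP */),
    // AF_BLUETOOTH: L2CAP socket options (level SOL_L2CAP).
    // SOL_L2CAP is 6, the same number as IPPROTO_TCP - see the type-level doc.
    (6 /* SOL_L2CAP */, 1 /* L2CAP_OPTIONS */),
    (6 /* SOL_L2CAP */, 2 /* L2CAP_CONNINFO */),
    (6 /* SOL_L2CAP */, 3 /* L2CAP_LM */),
    // AF_BLUETOOTH: RFCOMM socket options (level SOL_RFCOMM)
    (18 /* SOL_RFCOMM */, 2 /* RFCOMM_CONNINFO */),
    (18 /* SOL_RFCOMM */, 3 /* RFCOMM_LM */),
    // AF_BLUETOOTH: SCO socket options (level SOL_SCO).
    // SOL_SCO is 17, the same number as IPPROTO_UDP - see the type-level doc.
    (17 /* SOL_SCO */, 1 /* SCO_OPTIONS */),
    (17 /* SOL_SCO */, 2 /* SCO_CONNINFO */),
    // AF_BLUETOOTH: generic options (level SOL_BLUETOOTH)
    (274 /* SOL_BLUETOOTH */, 4 /* BT_SECURITY */),
    (274 /* SOL_BLUETOOTH */, 7 /* BT_DEFER_SETUP */),
    (274 /* SOL_BLUETOOTH */, 8 /* BT_FLUSHABLE */),
    (274 /* SOL_BLUETOOTH */, 9 /* BT_POWER */),
    (274 /* SOL_BLUETOOTH */, 10 /* BT_CHANNEL_POLICY */),
    (274 /* SOL_BLUETOOTH */, 11 /* BT_VOICE */),
    (274 /* SOL_BLUETOOTH */, 12 /* BT_SNDMTU */),
    (274 /* SOL_BLUETOOTH */, 13 /* BT_RCVMTU */),
    (274 /* SOL_BLUETOOTH */, 14 /* BT_PHY */),
    (274 /* SOL_BLUETOOTH */, 15 /* BT_MODE */),
    (274 /* SOL_BLUETOOTH */, 16 /* BT_PKT_STATUS */),
    (274 /* SOL_BLUETOOTH */, 17 /* BT_ISO_QOS */),
    (274 /* SOL_BLUETOOTH */, 19 /* BT_CODEC */),
    (274 /* SOL_BLUETOOTH */, 20 /* BT_ISO_BASE */),
    // BPF-related SOL_SOCKET options: classic/extended filters & reuseport
    // (numbers per asm-generic/socket.h).
    (libc::SOL_SOCKET, 26 /* SO_ATTACH_FILTER */),
    (libc::SOL_SOCKET, 27 /* SO_DETACH_FILTER, SO_DETACH_BPF */),
    (libc::SOL_SOCKET, 44 /* SO_LOCK_FILTER */),
    (libc::SOL_SOCKET, 48 /* SO_BPF_EXTENSIONS */),
    (libc::SOL_SOCKET, 50 /* SO_ATTACH_BPF */),
    (libc::SOL_SOCKET, 51 /* SO_ATTACH_REUSEPORT_CBPF */),
    (libc::SOL_SOCKET, 52 /* SO_ATTACH_REUSEPORT_EBPF */),
    // SO_DETACH_REUSEPORT_BPF is 68 in asm-generic/socket.h; 53 is
    // SO_CNX_ADVICE, which is unrelated to BPF.
    (libc::SOL_SOCKET, 68 /* SO_DETACH_REUSEPORT_BPF */),
    // VSOCK: buffer size controls (CVE-2021-26708 in vsock_stream_setsockopt)
    (libc::AF_VSOCK, 0), // SO_VM_SOCKETS_BUFFER_SIZE
    (libc::AF_VSOCK, 1), // SO_VM_SOCKETS_BUFFER_MIN_SIZE
    (libc::AF_VSOCK, 2), // SO_VM_SOCKETS_BUFFER_MAX_SIZE
];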