-rw-r--r-- | include/libnetfilter_conntrack/libnetfilter_conntrack.h | 595 |
1 files changed, 302 insertions, 293 deletions
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h index 3beeef6..6031417 100644 --- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h +++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h @@ -23,12 +23,6 @@ enum { }; /* - * In case that the user doesn't want to do some kind - * of action against a conntrack based on its ID - */ -#define NFCT_ANY_ID 0 - -/* * Subscribe to all possible conntrack event groups. Use this * flag in case that you want to catch up all the possible * events. Do not use this flag for dumping or any other 
@@ -36,200 +30,7 @@ enum { */ #define NFCT_ALL_CT_GROUPS (NF_NETLINK_CONNTRACK_NEW|NF_NETLINK_CONNTRACK_UPDATE|NF_NETLINK_CONNTRACK_DESTROY) -union nfct_l4 { - /* Add other protocols here. */ - u_int16_t all; - struct { - u_int16_t port; - } tcp; - struct { - u_int16_t port; - } udp; - struct { - u_int8_t type, code; - u_int16_t id; - } icmp; - struct { - u_int16_t port; - } sctp; -}; - -union nfct_address { - u_int32_t v4; - u_int32_t v6[4]; -}; - -struct nfct_tuple { - union nfct_address src; - union nfct_address dst; - - u_int8_t l3protonum; - u_int8_t protonum; - union nfct_l4 l4src; - union nfct_l4 l4dst; -}; - -union nfct_protoinfo { - struct { - u_int8_t state; - } tcp; -}; - -struct nfct_counters { - u_int64_t packets; - u_int64_t bytes; -}; - -struct nfct_nat { - u_int32_t min_ip, max_ip; - union nfct_l4 l4min, l4max; -}; - -#define NFCT_DIR_ORIGINAL 0 -#define NFCT_DIR_REPLY 1 -#define NFCT_DIR_MAX NFCT_DIR_REPLY+1 - -struct nfct_conntrack { - struct nfct_tuple tuple[NFCT_DIR_MAX]; - - u_int32_t timeout; - u_int32_t mark; - u_int32_t status; - u_int32_t use; - u_int32_t id; - - union nfct_protoinfo protoinfo; - struct nfct_counters counters[NFCT_DIR_MAX]; - struct nfct_nat nat; -}; - -struct nfct_expect { - struct nfct_tuple master; - struct nfct_tuple tuple; - struct nfct_tuple mask; - u_int32_t timeout; - u_int32_t id; - u_int16_t expectfn_queue_id; -}; - -struct nfct_conntrack_compare { - struct nfct_conntrack *ct; - unsigned int flags; - unsigned int l3flags; - unsigned int l4flags; -}; - -enum { - NFCT_STATUS_BIT = 0, - NFCT_STATUS = (1 << NFCT_STATUS_BIT), - - NFCT_PROTOINFO_BIT = 1, - NFCT_PROTOINFO = (1 << NFCT_PROTOINFO_BIT), - - NFCT_TIMEOUT_BIT = 2, - NFCT_TIMEOUT = (1 << NFCT_TIMEOUT_BIT), - - NFCT_MARK_BIT = 3, - NFCT_MARK = (1 << NFCT_MARK_BIT), - - NFCT_COUNTERS_ORIG_BIT = 4, - NFCT_COUNTERS_ORIG = (1 << NFCT_COUNTERS_ORIG_BIT), - - NFCT_COUNTERS_RPLY_BIT = 5, - NFCT_COUNTERS_RPLY = (1 << NFCT_COUNTERS_RPLY_BIT), - - NFCT_USE_BIT = 6, - 
NFCT_USE = (1 << NFCT_USE_BIT), - - NFCT_ID_BIT = 7, - NFCT_ID = (1 << NFCT_ID_BIT) -}; - -/* Bitset representing status of connection. Taken from ip_conntrack.h - * - * Note: For backward compatibility this shouldn't ever change - * in kernel space. - */ -enum ip_conntrack_status { - /* It's an expected connection: bit 0 set. This bit never changed */ - IPS_EXPECTED_BIT = 0, - IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), - - /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ - IPS_SEEN_REPLY_BIT = 1, - IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), - - /* Conntrack should never be early-expired. */ - IPS_ASSURED_BIT = 2, - IPS_ASSURED = (1 << IPS_ASSURED_BIT), - - /* Connection is confirmed: originating packet has left box */ - IPS_CONFIRMED_BIT = 3, - IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), - - /* Connection needs src nat in orig dir. This bit never changed. */ - IPS_SRC_NAT_BIT = 4, - IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), - - /* Connection needs dst nat in orig dir. This bit never changed. */ - IPS_DST_NAT_BIT = 5, - IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), - - /* Both together. */ - IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), - - /* Connection needs TCP sequence adjusted. */ - IPS_SEQ_ADJUST_BIT = 6, - IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), - - /* NAT initialization bits. */ - IPS_SRC_NAT_DONE_BIT = 7, - IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), - - IPS_DST_NAT_DONE_BIT = 8, - IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), - - /* Both together */ - IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), - - /* Connection is dying (removed from lists), can not be unset. */ - IPS_DYING_BIT = 9, - IPS_DYING = (1 << IPS_DYING_BIT), - - /* Connection has fixed timeout. 
*/ - IPS_FIXED_TIMEOUT_BIT = 10, - IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), - -}; - -enum { - NFCT_MSG_UNKNOWN, - NFCT_MSG_NEW, - NFCT_MSG_UPDATE, - NFCT_MSG_DESTROY -}; - struct nfct_handle; -typedef int (*nfct_callback)(void *arg, unsigned int flags, int, void *data); - -/* - * [Allocate|free] a conntrack - */ -extern struct nfct_conntrack * -nfct_conntrack_alloc(struct nfct_tuple *orig, struct nfct_tuple *reply, - u_int32_t timeout, union nfct_protoinfo *proto, - u_int32_t status, u_int32_t mark, - u_int32_t id, struct nfct_nat *range); -extern void nfct_conntrack_free(struct nfct_conntrack *ct); - -/* - * [Allocate|free] an expectation - */ -extern struct nfct_expect * -nfct_expect_alloc(struct nfct_tuple *master, struct nfct_tuple *tuple, - struct nfct_tuple *mask, u_int32_t timeout, - u_int32_t id); -extern void nfct_expect_free(struct nfct_expect *exp); /* * [Open|close] a conntrack handler 
@@ -242,100 +43,6 @@ extern int nfct_close(struct nfct_handle *cth); extern int nfct_fd(struct nfct_handle *cth); -/* - * [Register|unregister] callbacks - */ -extern void nfct_register_callback(struct nfct_handle *cth, - nfct_callback callback, void *data); -extern void nfct_unregister_callback(struct nfct_handle *cth); - -/* - * callback displayers - */ -extern int nfct_default_conntrack_display(void *, unsigned int, int, void *); -extern int nfct_default_conntrack_display_id(void *, unsigned int, int, void *); -extern int nfct_default_expect_display(void *, unsigned int, int, void *); -extern int nfct_default_expect_display_id(void *, unsigned int, int, void *); -extern int nfct_default_conntrack_event_display(void *, unsigned int, int, - void *); - -/* - * [Create|update|get|destroy] conntracks - */ -extern int nfct_create_conntrack(struct nfct_handle *cth, - struct nfct_conntrack *ct); -extern int nfct_update_conntrack(struct nfct_handle *cth, - struct nfct_conntrack *ct); -extern int nfct_delete_conntrack(struct nfct_handle *cth, - struct nfct_tuple *tuple, int dir, - u_int32_t id); -extern int nfct_get_conntrack(struct nfct_handle *cth, - struct nfct_tuple *tuple, int dir, - u_int32_t id); -/* - * Conntrack table dumping & zeroing - */ -extern int nfct_dump_conntrack_table(struct nfct_handle *cth, int family); -extern int nfct_dump_conntrack_table_reset_counters(struct nfct_handle *cth, - int family); - -/* - * Conntrack event notification - */ -extern int nfct_event_conntrack(struct nfct_handle *cth); - -/* - * Conntrack printing functions - */ -extern int nfct_sprintf_conntrack(char *buf, struct nfct_conntrack *ct, - unsigned int flags); -extern int nfct_sprintf_conntrack_id(char *buf, struct nfct_conntrack *ct, - unsigned int flags); -extern int nfct_sprintf_address(char *buf, struct nfct_tuple *t); -extern int nfct_sprintf_proto(char *buf, struct nfct_tuple *t); -extern int nfct_sprintf_protoinfo(char *buf, struct nfct_conntrack *ct); -extern int 
nfct_sprintf_timeout(char *buf, struct nfct_conntrack *ct); -extern int nfct_sprintf_protocol(char *buf, struct nfct_conntrack *ct); -extern int nfct_sprintf_status_assured(char *buf, struct nfct_conntrack *ct); -extern int nfct_sprintf_status_seen_reply(char *buf, struct nfct_conntrack *ct); -extern int nfct_sprintf_counters(char *buf, struct nfct_conntrack *ct, int dir); -extern int nfct_sprintf_mark(char *buf, struct nfct_conntrack *ct); -extern int nfct_sprintf_use(char *buf, struct nfct_conntrack *ct); -extern int nfct_sprintf_id(char *buf, u_int32_t id); - -/* - * Conntrack comparison - */ -extern int nfct_conntrack_compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - struct nfct_conntrack_compare *cmp); - -/* - * Expectations - */ -extern int nfct_dump_expect_list(struct nfct_handle *cth, int family); -extern int nfct_flush_conntrack_table(struct nfct_handle *cth, int family); -extern int nfct_get_expectation(struct nfct_handle *cth, - struct nfct_tuple *tuple, - u_int32_t id); -extern int nfct_create_expectation(struct nfct_handle *cth, struct nfct_expect *); -extern int nfct_delete_expectation(struct nfct_handle *cth, - struct nfct_tuple *tuple, u_int32_t id); -extern int nfct_event_expectation(struct nfct_handle *cth); -extern int nfct_flush_expectation_table(struct nfct_handle *cth, int family); - -/* - * expectation printing functions - */ -extern int nfct_sprintf_expect(char *buf, struct nfct_expect *exp); -extern int nfct_sprintf_expect_id(char *buf, struct nfct_expect *exp); - -/* - * low-level functions for libnetfilter_cthelper - */ -extern void nfct_build_tuple(struct nfnlhdr *req, int size, - struct nfct_tuple *t, int type); - /* * NEW libnetfilter_conntrack API */ @@ -559,6 +266,10 @@ extern int nfct_build_query(struct nfnl_subsys_handle *ssh, void *req, unsigned int size); +/* + * NEW expectation API + */ + /* expectation object */ struct nf_expect; 
@@ -642,6 +353,304 @@ extern int nfexp_snprintf(char *buf, extern int nfexp_catch(struct nfct_handle *h); +/* Bitset representing status of connection. Taken from ip_conntrack.h + * + * Note: For backward compatibility this shouldn't ever change + * in kernel space. + */ +enum ip_conntrack_status { + /* It's an expected connection: bit 0 set. This bit never changed */ + IPS_EXPECTED_BIT = 0, + IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), + + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ + IPS_SEEN_REPLY_BIT = 1, + IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), + + /* Conntrack should never be early-expired. */ + IPS_ASSURED_BIT = 2, + IPS_ASSURED = (1 << IPS_ASSURED_BIT), + + /* Connection is confirmed: originating packet has left box */ + IPS_CONFIRMED_BIT = 3, + IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), + + /* Connection needs src nat in orig dir. This bit never changed. */ + IPS_SRC_NAT_BIT = 4, + IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), + + /* Connection needs dst nat in orig dir. This bit never changed. */ + IPS_DST_NAT_BIT = 5, + IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), + + /* Both together. */ + IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), + + /* Connection needs TCP sequence adjusted. */ + IPS_SEQ_ADJUST_BIT = 6, + IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), + + /* NAT initialization bits. */ + IPS_SRC_NAT_DONE_BIT = 7, + IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), + + IPS_DST_NAT_DONE_BIT = 8, + IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), + + /* Both together */ + IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), + + /* Connection is dying (removed from lists), can not be unset. */ + IPS_DYING_BIT = 9, + IPS_DYING = (1 << IPS_DYING_BIT), + + /* Connection has fixed timeout. 
*/ + IPS_FIXED_TIMEOUT_BIT = 10, + IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), +}; + +/* + * Old deprecated API, its use for new applications is *strongly discouraged* + */ + +/* + * In case that the user doesn't want to do some kind + * of action against a conntrack based on its ID + */ +#define NFCT_ANY_ID 0 + +union nfct_l4 { + /* Add other protocols here. */ + u_int16_t all; + struct { + u_int16_t port; + } tcp; + struct { + u_int16_t port; + } udp; + struct { + u_int8_t type, code; + u_int16_t id; + } icmp; + struct { + u_int16_t port; + } sctp; +}; + +union nfct_address { + u_int32_t v4; + u_int32_t v6[4]; +}; + +struct nfct_tuple { + union nfct_address src; + union nfct_address dst; + + u_int8_t l3protonum; + u_int8_t protonum; + union nfct_l4 l4src; + union nfct_l4 l4dst; +}; + +union nfct_protoinfo { + struct { + u_int8_t state; + } tcp; +}; + +struct nfct_counters { + u_int64_t packets; + u_int64_t bytes; +}; + +struct nfct_nat { + u_int32_t min_ip, max_ip; + union nfct_l4 l4min, l4max; +}; + +#define NFCT_DIR_ORIGINAL 0 +#define NFCT_DIR_REPLY 1 +#define NFCT_DIR_MAX NFCT_DIR_REPLY+1 + +struct nfct_conntrack { + struct nfct_tuple tuple[NFCT_DIR_MAX]; + + u_int32_t timeout; + u_int32_t mark; + u_int32_t status; + u_int32_t use; + u_int32_t id; + + union nfct_protoinfo protoinfo; + struct nfct_counters counters[NFCT_DIR_MAX]; + struct nfct_nat nat; +}; + +struct nfct_expect { + struct nfct_tuple master; + struct nfct_tuple tuple; + struct nfct_tuple mask; + u_int32_t timeout; + u_int32_t id; + u_int16_t expectfn_queue_id; +}; + +struct nfct_conntrack_compare { + struct nfct_conntrack *ct; + unsigned int flags; + unsigned int l3flags; + unsigned int l4flags; +}; + +enum { + NFCT_STATUS_BIT = 0, + NFCT_STATUS = (1 << NFCT_STATUS_BIT), + + NFCT_PROTOINFO_BIT = 1, + NFCT_PROTOINFO = (1 << NFCT_PROTOINFO_BIT), + + NFCT_TIMEOUT_BIT = 2, + NFCT_TIMEOUT = (1 << NFCT_TIMEOUT_BIT), + + NFCT_MARK_BIT = 3, + NFCT_MARK = (1 << NFCT_MARK_BIT), + + 
NFCT_COUNTERS_ORIG_BIT = 4, + NFCT_COUNTERS_ORIG = (1 << NFCT_COUNTERS_ORIG_BIT), + + NFCT_COUNTERS_RPLY_BIT = 5, + NFCT_COUNTERS_RPLY = (1 << NFCT_COUNTERS_RPLY_BIT), + + NFCT_USE_BIT = 6, + NFCT_USE = (1 << NFCT_USE_BIT), + + NFCT_ID_BIT = 7, + NFCT_ID = (1 << NFCT_ID_BIT) +}; + +enum { + NFCT_MSG_UNKNOWN, + NFCT_MSG_NEW, + NFCT_MSG_UPDATE, + NFCT_MSG_DESTROY +}; + +typedef int (*nfct_callback)(void *arg, unsigned int flags, int, void *data); + +/* + * [Allocate|free] a conntrack + */ +extern struct nfct_conntrack * +nfct_conntrack_alloc(struct nfct_tuple *orig, struct nfct_tuple *reply, + u_int32_t timeout, union nfct_protoinfo *proto, + u_int32_t status, u_int32_t mark, + u_int32_t id, struct nfct_nat *range); +extern void nfct_conntrack_free(struct nfct_conntrack *ct); + +/* + * [Allocate|free] an expectation + */ +extern struct nfct_expect * +nfct_expect_alloc(struct nfct_tuple *master, struct nfct_tuple *tuple, + struct nfct_tuple *mask, u_int32_t timeout, + u_int32_t id); +extern void nfct_expect_free(struct nfct_expect *exp); + + +/* + * [Register|unregister] callbacks + */ +extern void nfct_register_callback(struct nfct_handle *cth, + nfct_callback callback, void *data); +extern void nfct_unregister_callback(struct nfct_handle *cth); + +/* + * callback displayers + */ +extern int nfct_default_conntrack_display(void *, unsigned int, int, void *); +extern int nfct_default_conntrack_display_id(void *, unsigned int, int, void *); +extern int nfct_default_expect_display(void *, unsigned int, int, void *); +extern int nfct_default_expect_display_id(void *, unsigned int, int, void *); +extern int nfct_default_conntrack_event_display(void *, unsigned int, int, + void *); + +/* + * [Create|update|get|destroy] conntracks + */ +extern int nfct_create_conntrack(struct nfct_handle *cth, + struct nfct_conntrack *ct); +extern int nfct_update_conntrack(struct nfct_handle *cth, + struct nfct_conntrack *ct); +extern int nfct_delete_conntrack(struct nfct_handle *cth, + 
struct nfct_tuple *tuple, int dir, + u_int32_t id); +extern int nfct_get_conntrack(struct nfct_handle *cth, + struct nfct_tuple *tuple, int dir, + u_int32_t id); +/* + * Conntrack table dumping & zeroing + */ +extern int nfct_dump_conntrack_table(struct nfct_handle *cth, int family); +extern int nfct_dump_conntrack_table_reset_counters(struct nfct_handle *cth, + int family); + +/* + * Conntrack event notification + */ +extern int nfct_event_conntrack(struct nfct_handle *cth); + +/* + * Conntrack printing functions + */ +extern int nfct_sprintf_conntrack(char *buf, struct nfct_conntrack *ct, + unsigned int flags); +extern int nfct_sprintf_conntrack_id(char *buf, struct nfct_conntrack *ct, + unsigned int flags); +extern int nfct_sprintf_address(char *buf, struct nfct_tuple *t); +extern int nfct_sprintf_proto(char *buf, struct nfct_tuple *t); +extern int nfct_sprintf_protoinfo(char *buf, struct nfct_conntrack *ct); +extern int nfct_sprintf_timeout(char *buf, struct nfct_conntrack *ct); +extern int nfct_sprintf_protocol(char *buf, struct nfct_conntrack *ct); +extern int nfct_sprintf_status_assured(char *buf, struct nfct_conntrack *ct); +extern int nfct_sprintf_status_seen_reply(char *buf, struct nfct_conntrack *ct); +extern int nfct_sprintf_counters(char *buf, struct nfct_conntrack *ct, int dir); +extern int nfct_sprintf_mark(char *buf, struct nfct_conntrack *ct); +extern int nfct_sprintf_use(char *buf, struct nfct_conntrack *ct); +extern int nfct_sprintf_id(char *buf, u_int32_t id); + +/* + * Conntrack comparison + */ +extern int nfct_conntrack_compare(struct nfct_conntrack *ct1, + struct nfct_conntrack *ct2, + struct nfct_conntrack_compare *cmp); + +/* + * Expectations + */ +extern int nfct_dump_expect_list(struct nfct_handle *cth, int family); +extern int nfct_flush_conntrack_table(struct nfct_handle *cth, int family); +extern int nfct_get_expectation(struct nfct_handle *cth, + struct nfct_tuple *tuple, + u_int32_t id); +extern int nfct_create_expectation(struct 
nfct_handle *cth, struct nfct_expect *); +extern int nfct_delete_expectation(struct nfct_handle *cth, + struct nfct_tuple *tuple, u_int32_t id); +extern int nfct_event_expectation(struct nfct_handle *cth); +extern int nfct_flush_expectation_table(struct nfct_handle *cth, int family); + +/* + * expectation printing functions + */ +extern int nfct_sprintf_expect(char *buf, struct nfct_expect *exp); +extern int nfct_sprintf_expect_id(char *buf, struct nfct_expect *exp); + +/* + * low-level functions for libnetfilter_cthelper + */ +extern void nfct_build_tuple(struct nfnlhdr *req, int size, + struct nfct_tuple *t, int type); + #ifdef __cplusplus } #endif |
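Review bot: `#define NFCT_DIR_MAX NFCT_DIR_REPLY+1`, carried over verbatim into the new deprecated section of this hunk, is an unparenthesized expression macro, so a use such as `2*NFCT_DIR_MAX` or `NFCT_DIR_MAX-1` expands to the wrong value; it should read `#define NFCT_DIR_MAX (NFCT_DIR_REPLY+1)`. Since the whole block is now headed "strongly discouraged", consider backing that comment with a compiler warning, e.g. `__attribute__((deprecated))` on the old prototypes under a GCC check, so callers actually see the message at build time rather than only when reading the header. The comment would also be more useful if it said why the old API is discouraged: the moved `nfct_sprintf_*` declarations take an unsized `char *buf`, whereas the `nfexp_snprintf` family visible in the hunk context takes a buffer length, which is the practical reason new code should migrate.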