Diffstat (limited to 'include/internal.h')
-rw-r--r--include/internal.h64
1 files changed, 64 insertions, 0 deletions
diff --git a/include/internal.h b/include/internal.h
index 6661dbe..33b0dcd 100644
--- a/include/internal.h
+++ b/include/internal.h
@@ -19,6 +19,7 @@
#include <arpa/inet.h>
#include <time.h>
#include <errno.h>
+#include <netinet/in.h>
#include <libnfnetlink/libnfnetlink.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
@@ -31,15 +32,22 @@
#define IPPROTO_UDPLITE 136
#endif
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+
struct nfct_handle;
+struct nfct_filter;
typedef void (*set_attr)(struct nf_conntrack *ct, const void *value);
typedef const void *(*get_attr)(const struct nf_conntrack *ct);
typedef void (*copy_attr)(struct nf_conntrack *d, const struct nf_conntrack *o);
+typedef void (*filter_attr)(struct nfct_filter *filter, const void *value);
extern set_attr set_attr_array[];
extern get_attr get_attr_array[];
extern copy_attr copy_attr_array[];
+extern filter_attr filter_attr_array[];
typedef int (*nfct_handler)(struct nfct_handle *cth, struct nlmsghdr *nlh,
void *arg);
@@ -165,6 +173,50 @@ struct nf_conntrack {
u_int32_t set[2];
};
+struct nfct_filter {
+ /*
+ * As many other objects in this library, the attributes are
+ * private. This gives us the chance to modify the layout and
+ * object size.
+ *
+ * Another observation, although this object might seem too
+ * memory consuming, it is only needed to build the filter. Thus,
+ * once it is attached, you can release this object.
+ */
+
+ /*
+ * This the layer 4 protocol map for filtering.
+ */
+ u_int32_t l4proto_map[IPPROTO_MAX/32];
+
+ struct {
+ /*
+ * No limitations in the protocol filtering. We use a map of
+ * 16 bits per protocol. As for now, DCCP has 10 states, TCP has
+ * 10 states, SCTP has 8 state. Therefore, 16 bits is enough.
+ */
+#define __FILTER_PROTO_MAX 16
+ u_int16_t map;
+ } l4proto_state[IPPROTO_MAX];
+
+#define __FILTER_ADDR_SRC 0
+#define __FILTER_ADDR_DST 1
+
+ /*
+ * FIXME: For IPv4 filtering, up to 256 IPs or masks by now.
+ * This limitation is related to the existing autogenerated BSF code
+ * and the fact that the maximum jump offset if 2^8 = 256.
+ */
+ u_int32_t l3proto_elems[2];
+ struct {
+#define __FILTER_ADDR_MAX 256
+ u_int32_t addr;
+ u_int32_t mask;
+ } l3proto[2][__FILTER_ADDR_MAX];
+
+ u_int32_t set[1];
+};
+
struct nf_expect {
struct nf_conntrack master;
struct nf_conntrack expected;
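Review bot: `u_int32_t l4proto_map[IPPROTO_MAX/32];` only covers every protocol number when IPPROTO_MAX is a multiple of 32; since `set_bit()` indexes `addr[nr >> 5]`, a truncating division would let the highest protocol numbers write one word past the array, so `u_int32_t l4proto_map[(IPPROTO_MAX + 31) / 32];` is the safer declaration. Nothing in this layout bounds the writers either: `l3proto_elems[dir]` appears to be the fill count for `l3proto[dir][__FILTER_ADDR_MAX]`, and `l4proto_state[]` is indexed by a caller-supplied protocol number, so the filter_attr setters (not in this diff) must reject `l3proto_elems[dir] >= __FILTER_ADDR_MAX` and `proto >= IPPROTO_MAX` before storing. I would record that contract next to the fields, e.g. `/* writers must check l3proto_elems[dir] < __FILTER_ADDR_MAX and proto < IPPROTO_MAX before storing */`. The `__FILTER_*` macros are defined inside the struct body but have file scope, which is easy to miss when reading the header.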
@@ -193,6 +245,16 @@ static inline void unset_bit(int nr, u_int32_t *addr)
addr[nr >> 5] &= ~(1UL << (nr & 31));
}
+static inline void set_bit_u16(int nr, u_int16_t *addr)
+{
+ addr[nr >> 4] |= (1UL << (nr & 15));
+}
+
+static inline void unset_bit_u16(int nr, u_int16_t *addr)
+{
+ addr[nr >> 4] &= ~(1UL << (nr & 15));
+}
+
static inline int test_bit(int nr, const u_int32_t *addr)
{
return ((1UL << (nr & 31)) & (addr[nr >> 5])) != 0;
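Review bot: `set_bit_u16()` and `unset_bit_u16()` index `addr[nr >> 4]`, but their presumable target `l4proto_state[proto].map` is a single `u_int16_t`, so any `nr >= 16` (`__FILTER_PROTO_MAX`) silently modifies the neighbouring protocol's map instead of faulting; the callers need an `if (nr >= __FILTER_PROTO_MAX) return;`-style check, or the helpers should state the precondition, e.g. `/* nr is not range-checked: it must be < 16 * (number of u_int16_t words at addr) */`. Also, `1UL` is wider than the `u_int16_t` it is OR'd into and then truncated on store; `1U` expresses the intent and avoids a -Wconversion warning. No `test_bit_u16()` counterpart is added alongside the existing `test_bit()`, so reading a state bit back will need open-coding unless it is defined elsewhere.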
@@ -224,6 +286,8 @@ int __setobjopt(struct nf_conntrack *ct, unsigned int option);
int __getobjopt(const struct nf_conntrack *ct, unsigned int option);
int __compare(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2, unsigned int flags);
+int __setup_netlink_socket_filter(int fd, struct nfct_filter *filter);
+
typedef void (*set_exp_attr)(struct nf_expect *exp, const void *value);
typedef const void *(*get_exp_attr)(const struct nf_expect *exp);