From 40d54756cd8a2705e22b36f7aef03bb2c472a10b Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Wed, 18 Apr 2007 07:00:36 +0000
Subject: Use nf_conntrack headers instead of ip_conntrack ones and add sanitized versions.
---
 extensions/libip6t_state.c | 2 +-
 extensions/libipt_DNAT.c | 2 +-
 extensions/libipt_MASQUERADE.c | 2 +-
 extensions/libipt_NETMAP.c | 2 +-
 extensions/libipt_REDIRECT.c | 2 +-
 extensions/libipt_SAME.c | 2 +-
 extensions/libipt_SNAT.c | 2 +-
 extensions/libipt_connbytes.c | 2 +-
 extensions/libipt_connrate.c | 2 +-
 extensions/libipt_conntrack.c | 2 +-
 extensions/libipt_state.c | 2 +-
 include/linux/netfilter/nf_conntrack_common.h | 135 +++++++++++++++++++++
 include/linux/netfilter/nf_conntrack_tuple.h | 103 ++++++++++++++++
 .../linux/netfilter/nf_conntrack_tuple_common.h | 13 ++
 include/linux/netfilter/nf_nat.h | 45 +++++++
 include/linux/netfilter_ipv4/ipt_conntrack.h | 2 +-
 16 files changed, 308 insertions(+), 12 deletions(-)
 create mode 100644 include/linux/netfilter/nf_conntrack_common.h
 create mode 100644 include/linux/netfilter/nf_conntrack_tuple.h
 create mode 100644 include/linux/netfilter/nf_conntrack_tuple_common.h
 create mode 100644 include/linux/netfilter/nf_nat.h
diff --git a/extensions/libip6t_state.c b/extensions/libip6t_state.c
index 84fd1a43..a4477cec 100644
--- a/extensions/libip6t_state.c
+++ b/extensions/libip6t_state.c
@@ -5,7 +5,7 @@
 #include
 #include
 #include
-#include
+#include
 #include
 #ifndef IPT_STATE_UNTRACKED
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index bdc15eb8..3cf839e6 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -6,7 +6,7 @@
 #include
 #include
 #include
-#include
+#include
 /* Dest NAT data consists of a multi-range, indicating where to map to. */
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index e06333ab..48cff9a8 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -6,7 +6,7 @@
 #include
 #include
 #include
-#include
+#include
 /* Function which prints out usage message. */
 static void
diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c
index 8cecb4d3..4b4b14dd 100644
--- a/extensions/libipt_NETMAP.c
+++ b/extensions/libipt_NETMAP.c
@@ -9,7 +9,7 @@
 #include
 #include
 #include
-#include
+#include
 #define MODULENAME "NETMAP"
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 13195b0c..c94bb592 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -6,7 +6,7 @@
 #include
 #include
 #include
-#include
+#include
 /* Function which prints out usage message. */
 static void
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index 625a78a7..4bbed908 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -6,7 +6,7 @@
 #include
 #include
 #include
-#include
+#include
 /* For 64bit kernel / 32bit userspace */
 #include "../include/linux/netfilter_ipv4/ipt_SAME.h"
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 36147397..d52c1810 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -6,7 +6,7 @@
 #include
 #include
 #include
-#include
+#include
 #define IPT_SNAT_OPT_SOURCE 0x01
 #ifdef IP_NAT_RANGE_PROTO_RANDOM
diff --git a/extensions/libipt_connbytes.c b/extensions/libipt_connbytes.c
index 42e1ab57..f6439c2d 100644
--- a/extensions/libipt_connbytes.c
+++ b/extensions/libipt_connbytes.c
@@ -5,7 +5,7 @@
 #include
 #include
 #include
-#include
+#include
 #include
 /* Function which prints out usage message. */
diff --git a/extensions/libipt_connrate.c b/extensions/libipt_connrate.c
index 47c5fcbb..5abe3c4d 100644
--- a/extensions/libipt_connrate.c
+++ b/extensions/libipt_connrate.c
@@ -13,7 +13,7 @@
 #include
 #include
 #include
-#include
+#include
 #include
 /* Function which prints out usage message. */
diff --git a/extensions/libipt_conntrack.c b/extensions/libipt_conntrack.c
index cdb86c4e..f187e41d 100644
--- a/extensions/libipt_conntrack.c
+++ b/extensions/libipt_conntrack.c
@@ -9,7 +9,7 @@
 #include
 #include
 #include
-#include
+#include
 #include
 /* For 64bit kernel / 32bit userspace */
 #include "../include/linux/netfilter_ipv4/ipt_conntrack.h"
diff --git a/extensions/libipt_state.c b/extensions/libipt_state.c
index acafe9a7..6a784ffc 100644
--- a/extensions/libipt_state.c
+++ b/extensions/libipt_state.c
@@ -5,7 +5,7 @@
 #include
 #include
 #include
-#include
+#include
 #include
 #ifndef IPT_STATE_UNTRACKED
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
new file mode 100644
index 00000000..3b452a64
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -0,0 +1,135 @@
+#ifndef _NF_CONNTRACK_COMMON_H
+#define _NF_CONNTRACK_COMMON_H
+/* Connection state tracking for netfilter. This is separated from,
+ but required by, the NAT layer; it can also be used by an iptables
+ extension. */
+enum ip_conntrack_info
+{
+ /* Part of an established connection (either direction). */
+ IP_CT_ESTABLISHED,
+
+ /* Like NEW, but related to an existing connection, or ICMP error
+ (in either direction). */
+ IP_CT_RELATED,
+
+ /* Started a new connection to track (only
+ IP_CT_DIR_ORIGINAL); may be a retransmission. */
+ IP_CT_NEW,
+
+ /* >= this indicates reply direction */
+ IP_CT_IS_REPLY,
+
+ /* Number of distinct IP_CT types (no NEW in reply dirn). */
+ IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+
+/* Bitset representing status of connection. */
+enum ip_conntrack_status {
+ /* It's an expected connection: bit 0 set. This bit never changed */
+ IPS_EXPECTED_BIT = 0,
+ IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+
+ /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
+ IPS_SEEN_REPLY_BIT = 1,
+ IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+
+ /* Conntrack should never be early-expired. */
+ IPS_ASSURED_BIT = 2,
+ IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+
+ /* Connection is confirmed: originating packet has left box */
+ IPS_CONFIRMED_BIT = 3,
+ IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+
+ /* Connection needs src nat in orig dir. This bit never changed. */
+ IPS_SRC_NAT_BIT = 4,
+ IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+
+ /* Connection needs dst nat in orig dir. This bit never changed. */
+ IPS_DST_NAT_BIT = 5,
+ IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+
+ /* Both together. */
+ IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+
+ /* Connection needs TCP sequence adjusted. */
+ IPS_SEQ_ADJUST_BIT = 6,
+ IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+
+ /* NAT initialization bits. */
+ IPS_SRC_NAT_DONE_BIT = 7,
+ IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+
+ IPS_DST_NAT_DONE_BIT = 8,
+ IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+
+ /* Both together */
+ IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+
+ /* Connection is dying (removed from lists), can not be unset. */
+ IPS_DYING_BIT = 9,
+ IPS_DYING = (1 << IPS_DYING_BIT),
+
+ /* Connection has fixed timeout. */
+ IPS_FIXED_TIMEOUT_BIT = 10,
+ IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+};
+
+/* Connection tracking event bits */
+enum ip_conntrack_events
+{
+ /* New conntrack */
+ IPCT_NEW_BIT = 0,
+ IPCT_NEW = (1 << IPCT_NEW_BIT),
+
+ /* Expected connection */
+ IPCT_RELATED_BIT = 1,
+ IPCT_RELATED = (1 << IPCT_RELATED_BIT),
+
+ /* Destroyed conntrack */
+ IPCT_DESTROY_BIT = 2,
+ IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
+
+ /* Timer has been refreshed */
+ IPCT_REFRESH_BIT = 3,
+ IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
+
+ /* Status has changed */
+ IPCT_STATUS_BIT = 4,
+ IPCT_STATUS = (1 << IPCT_STATUS_BIT),
+
+ /* Update of protocol info */
+ IPCT_PROTOINFO_BIT = 5,
+ IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
+
+ /* Volatile protocol info */
+ IPCT_PROTOINFO_VOLATILE_BIT = 6,
+ IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
+
+ /* New helper for conntrack */
+ IPCT_HELPER_BIT = 7,
+ IPCT_HELPER = (1 << IPCT_HELPER_BIT),
+
+ /* Update of helper info */
+ IPCT_HELPINFO_BIT = 8,
+ IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
+
+ /* Volatile helper info */
+ IPCT_HELPINFO_VOLATILE_BIT = 9,
+ IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
+
+ /* NAT info */
+ IPCT_NATINFO_BIT = 10,
+ IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
+
+ /* Counter highest bit has been set */
+ IPCT_COUNTER_FILLING_BIT = 11,
+ IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
+};
+
+enum ip_conntrack_expect_events {
+ IPEXP_NEW_BIT = 0,
+ IPEXP_NEW = (1 << IPEXP_NEW_BIT),
+};
+
+#endif /* _NF_CONNTRACK_COMMON_H */
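Review bot: The header carries no note of which kernel header it mirrors, whereas nf_conntrack_tuple.h in this same commit records its origin in its head comment; every enumerator here is a value shared with the kernel across the user/kernel boundary, so a maintainer changing one needs to know what to diff against. A one-line comment after the include guard such as `/* Userspace copy of the kernel's nf_conntrack_common.h: enumerator values are kernel ABI, keep them in sync. */` would cover it. The trailing commas after the last enumerators of ip_conntrack_status and ip_conntrack_events are a C99 feature, fine unless the tree is built as strict C89, which I cannot tell from the hunk.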
diff --git a/include/linux/netfilter/nf_conntrack_tuple.h b/include/linux/netfilter/nf_conntrack_tuple.h
new file mode 100644
index 00000000..cd5044e2
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_tuple.h
@@ -0,0 +1,103 @@
+/*
+ * Definitions and Declarations for tuple.
+ *
+ * 16 Dec 2003: Yasuyuki Kozakai @USAGI
+ * - generalize L3 protocol dependent part.
+ *
+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h
+ */
+
+#ifndef _NF_CONNTRACK_TUPLE_H
+#define _NF_CONNTRACK_TUPLE_H
+
+#include
+
+/* A `tuple' is a structure containing the information to uniquely
+ identify a connection. ie. if two packets have the same tuple, they
+ are in the same connection; if not, they are not.
+
+ We divide the structure along "manipulatable" and
+ "non-manipulatable" lines, for the benefit of the NAT code.
+*/
+
+#define NF_CT_TUPLE_L3SIZE 4
+
+/* The l3 protocol-specific manipulable parts of the tuple: always in
+ network order! */
+union nf_conntrack_address {
+ u_int32_t all[NF_CT_TUPLE_L3SIZE];
+ __be32 ip;
+ __be32 ip6[4];
+};
+
+/* The protocol-specific manipulable parts of the tuple: always in
+ network order! */
+union nf_conntrack_man_proto
+{
+ /* Add other protocols here. */
+ u_int16_t all;
+
+ struct {
+ __be16 port;
+ } tcp;
+ struct {
+ __be16 port;
+ } udp;
+ struct {
+ __be16 id;
+ } icmp;
+ struct {
+ __be16 port;
+ } sctp;
+ struct {
+ __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
+ } gre;
+};
+
+/* The manipulable part of the tuple. */
+struct nf_conntrack_man
+{
+ union nf_conntrack_address u3;
+ union nf_conntrack_man_proto u;
+ /* Layer 3 protocol */
+ u_int16_t l3num;
+};
+
+/* This contains the information to distinguish a connection. */
+struct nf_conntrack_tuple
+{
+ struct nf_conntrack_man src;
+
+ /* These are the parts of the tuple which are fixed. */
+ struct {
+ union nf_conntrack_address u3;
+ union {
+ /* Add other protocols here. */
+ u_int16_t all;
+
+ struct {
+ __be16 port;
+ } tcp;
+ struct {
+ __be16 port;
+ } udp;
+ struct {
+ u_int8_t type, code;
+ } icmp;
+ struct {
+ __be16 port;
+ } sctp;
+ struct {
+ __be16 key;
+ } gre;
+ } u;
+
+ /* The protocol. */
+ u_int8_t protonum;
+
+ /* The direction (for tuplehash) */
+ u_int8_t dir;
+ } dst;
+};
+
+#endif /* _NF_CONNTRACK_TUPLE_H */
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h
new file mode 100644
index 00000000..8e145f0d
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
@@ -0,0 +1,13 @@
+#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
+#define _NF_CONNTRACK_TUPLE_COMMON_H
+
+enum ip_conntrack_dir
+{
+ IP_CT_DIR_ORIGINAL,
+ IP_CT_DIR_REPLY,
+ IP_CT_DIR_MAX
+};
+
+#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
+
+#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
diff --git a/include/linux/netfilter/nf_nat.h b/include/linux/netfilter/nf_nat.h
new file mode 100644
index 00000000..5d3b5e0d
--- /dev/null
+++ b/include/linux/netfilter/nf_nat.h
@@ -0,0 +1,45 @@
+#ifndef _NF_NAT_H
+#define _NF_NAT_H
+#include
+#include
+
+#define NF_NAT_MAPPING_TYPE_MAX_NAMELEN 16
+
+enum nf_nat_manip_type
+{
+ IP_NAT_MANIP_SRC,
+ IP_NAT_MANIP_DST
+};
+
+/* SRC manip occurs POST_ROUTING or LOCAL_IN */
+#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN)
+
+#define IP_NAT_RANGE_MAP_IPS 1
+#define IP_NAT_RANGE_PROTO_SPECIFIED 2
+#define IP_NAT_RANGE_PROTO_RANDOM 4
+
+/* Single range specification. */
+struct nf_nat_range
+{
+ /* Set to OR of flags above. */
+ unsigned int flags;
+
+ /* Inclusive: network order. */
+ __be32 min_ip, max_ip;
+
+ /* Inclusive: network order */
+ union nf_conntrack_man_proto min, max;
+};
+
+/* For backwards compat: don't use in modern code. */
+struct nf_nat_multi_range_compat
+{
+ unsigned int rangesize; /* Must be 1. */
+
+ /* hangs off end. */
+ struct nf_nat_range range[1];
+};
+
+#define ip_nat_range nf_nat_range
+#define ip_nat_multi_range nf_nat_multi_range_compat
+#endif
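Review bot: The unions use `__be32`/`__be16` and `u_int32_t`/`u_int16_t`/`u_int8_t`, but the only `#include` in the hunk has its target stripped in this rendering, so nothing visible here provides those types; if it does not pull in the sanitized linux/types.h and sys/types.h, the header compiles only when the includer already did, which defeats the point of a self-contained sanitized copy. Consider an explicit `#include <linux/types.h>` (and `<sys/types.h>` for the u_int*_t names) ahead of the union definitions, or a comment naming what the includer must provide. Separately, the head comment spells the origin as `netfiter_ipv4`; `netfilter_ipv4` is meant.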
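Review bot: `CTINFO2DIR` expands to `IP_CT_IS_REPLY`, an enumerator of ip_conntrack_info defined in nf_conntrack_common.h, yet this header includes nothing, so the macro only works when the includer has already pulled that header in. Adding `#include <linux/netfilter/nf_conntrack_common.h>` after the include guard makes the header self-contained; that is the path this commit creates. The enum `ip_conntrack_dir` itself has no such dependency and is fine as written.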
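Review bot: `HOOK2MANIP` yields a 0/1 boolean rather than an enumerator, and it is only correct because IP_NAT_MANIP_SRC is 0 and IP_NAT_MANIP_DST is 1 in the enum just above it; a comment on the define, e.g. `/* Yields IP_NAT_MANIP_SRC (0) or IP_NAT_MANIP_DST (1): relies on that enum order. */`, would stop a reorder from silently flipping the mapping. The macro also refers to `NF_IP_POST_ROUTING` and `NF_IP_LOCAL_IN`, and both includes at the top have their targets stripped in this rendering, so I cannot confirm the header defining them is among them. The final `#endif` lacks the `/* _NF_NAT_H */` tag the sibling headers use. `struct nf_nat_multi_range_compat` states that `rangesize` must be 1 and relies on the `range[1]` trailing-array idiom; since this layout is kernel ABI it cannot change here, but code that reads such a struct back from the kernel should treat rangesize as untrusted and check it before indexing range.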
diff --git a/include/linux/netfilter_ipv4/ipt_conntrack.h b/include/linux/netfilter_ipv4/ipt_conntrack.h
index 9f074c6d..c8661b88 100644
--- a/include/linux/netfilter_ipv4/ipt_conntrack.h
+++ b/include/linux/netfilter_ipv4/ipt_conntrack.h
@@ -5,7 +5,7 @@
 #ifndef _IPT_CONNTRACK_H
 #define _IPT_CONNTRACK_H
-#include
+#include
 /* backwards compatibility crap. only exists in userspace - HW */
 #include
--
cgit v1.2.3