author | /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org> | 2005-10-29 12:49:38 +0000 |
---|---|---|
committer | /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org> | 2005-10-29 12:49:38 +0000 |
commit | 62b2c282232df3407b966198a3cbd1292edb4913 (patch) | |
tree | 4c4f2493b70d81ade7df2b9c325ed57aeb77d2f1 | |
parent | e0fb5af798a1b7723e228ffc7c67e38babc883c6 (diff) |
Thanks to Harald for all the comments.
o libnetfilter_conntrack.h split into two parts: what is visible to
application programs and what is visible to extensions.
o Killed includes asm/types.h and linux/if.h
o Fixed nasty wrong ipv6 definition
o Stolen the status bits from ip_conntrack.h, we don't include ip_conntrack.h
anymore.
o move nfct_handle to libnetfilter_conntrack.c: better for encapsulation
-rw-r--r-- | extensions/libnetfilter_conntrack_icmp.c | 1 | ||||
-rw-r--r-- | extensions/libnetfilter_conntrack_sctp.c | 1 | ||||
-rw-r--r-- | extensions/libnetfilter_conntrack_tcp.c | 1 | ||||
-rw-r--r-- | extensions/libnetfilter_conntrack_udp.c | 1 | ||||
-rw-r--r-- | include/libnetfilter_conntrack/libnetfilter_conntrack.h | 78 | ||||
-rw-r--r-- | include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h | 28 | ||||
-rw-r--r-- | src/libnetfilter_conntrack.c | 8 |
7 files changed, 93 insertions, 25 deletions
diff --git a/extensions/libnetfilter_conntrack_icmp.c b/extensions/libnetfilter_conntrack_icmp.c
index 8f1ccb1..747fedf 100644
--- a/extensions/libnetfilter_conntrack_icmp.c
+++ b/extensions/libnetfilter_conntrack_icmp.c
@@ -14,6 +14,7 @@
 #include <netinet/in.h> /* For htons */
 #include <linux/netfilter/nfnetlink_conntrack.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
 void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
 {
diff --git a/extensions/libnetfilter_conntrack_sctp.c b/extensions/libnetfilter_conntrack_sctp.c
index 5b7f9e0..f533287 100644
--- a/extensions/libnetfilter_conntrack_sctp.c
+++ b/extensions/libnetfilter_conntrack_sctp.c
@@ -14,6 +14,7 @@
 #include <netinet/in.h> /* For htons */
 #include <linux/netfilter/nfnetlink_conntrack.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
 void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
 {
diff --git a/extensions/libnetfilter_conntrack_tcp.c b/extensions/libnetfilter_conntrack_tcp.c
index fe0e632..ecb988f 100644
--- a/extensions/libnetfilter_conntrack_tcp.c
+++ b/extensions/libnetfilter_conntrack_tcp.c
@@ -14,6 +14,7 @@
 #include <netinet/in.h> /* For htons */
 #include <linux/netfilter/nfnetlink_conntrack.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
 static const char *states[] = {
 "NONE",
diff --git a/extensions/libnetfilter_conntrack_udp.c b/extensions/libnetfilter_conntrack_udp.c
index 940bf67..44fd85c 100644
--- a/extensions/libnetfilter_conntrack_udp.c
+++ b/extensions/libnetfilter_conntrack_udp.c
@@ -14,6 +14,7 @@
 #include <netinet/in.h> /* For htons */
 #include <linux/netfilter/nfnetlink_conntrack.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
 void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
 {
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 55391bb..6d28b97 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -9,13 +9,9 @@
 #define _LIBNETFILTER_CONNTRACK_H_
 #include <netinet/in.h>
-#include <asm/types.h>
-#include <linux/if.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_conntrack.h>
 #include <libnfnetlink/libnfnetlink.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include "linux_list.h"
 #define LIBNETFILTER_CONNTRACK_VERSION "0.2.0"
@@ -57,7 +53,7 @@ union nfct_l4 {
 struct nfct_tuple {
 union {
 u_int32_t v4;
- u_int64_t v6;
+ u_int32_t v6[4];
 } src;
 union {
@@ -112,18 +108,6 @@ struct nfct_expect {
 unsigned int id;
 };
-struct nfct_proto {
- struct list_head head;
- char *name;
- u_int8_t protonum;
- char *version;
- void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
- void (*parse_protoinfo)(struct nfattr **, struct nfct_conntrack *);
- int (*print_protoinfo)(char *, union nfct_protoinfo *);
- int (*print_proto)(char *, struct nfct_tuple *);
-};
 enum {
 NFCT_STATUS_BIT = 0,
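Review bot: Replacing `u_int64_t v6` with `u_int32_t v6[4]` in the `src` union of `struct nfct_tuple` doubles that union and shifts every member after it, so the layout handed to applications changes while `LIBNETFILTER_CONNTRACK_VERSION` in the preceding hunk stays at `"0.2.0"`; a binary built against the old header will read `dst` and whatever follows at the wrong offsets. I would bump the version string, or at least state in the commit message that this is an ABI break. The new line also deserves a comment such as `/* 16 bytes, compare with memcmp(), not == */`, since an array can no longer be compared or assigned with a scalar operator and any such code elsewhere now fails to compile. The `dst` union begins on the hunk's last line and continues outside it; it presumably needs the same change, which is worth confirming.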
@@ -151,6 +135,58 @@ enum {
 NFCT_ID = (1 << NFCT_ID_BIT)
 };
+/* Bitset representing status of connection. Taken from ip_conntrack.h
+ *
+ * Note: For backward compatibility this shouldn't ever change
+ * in kernel space.
+ */
+enum ip_conntrack_status {
+ /* It's an expected connection: bit 0 set. This bit never changed */
+ IPS_EXPECTED_BIT = 0,
+ IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+
+ /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
+ IPS_SEEN_REPLY_BIT = 1,
+ IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+
+ /* Conntrack should never be early-expired. */
+ IPS_ASSURED_BIT = 2,
+ IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+
+ /* Connection is confirmed: originating packet has left box */
+ IPS_CONFIRMED_BIT = 3,
+ IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+
+ /* Connection needs src nat in orig dir. This bit never changed. */
+ IPS_SRC_NAT_BIT = 4,
+ IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+
+ /* Connection needs dst nat in orig dir. This bit never changed. */
+ IPS_DST_NAT_BIT = 5,
+ IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+
+ /* Both together. */
+ IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+
+ /* Connection needs TCP sequence adjusted. */
+ IPS_SEQ_ADJUST_BIT = 6,
+ IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+
+ /* NAT initialization bits. */
+ IPS_SRC_NAT_DONE_BIT = 7,
+ IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+
+ IPS_DST_NAT_DONE_BIT = 8,
+ IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+
+ /* Both together */
+ IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+
+ /* Connection is dying (removed from lists), can not be unset. */
+ IPS_DYING_BIT = 9,
+ IPS_DYING = (1 << IPS_DYING_BIT),
+};
+
 enum {
 NFCT_MSG_UNKNOWN,
 NFCT_MSG_NEW,
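Review bot: `enum ip_conntrack_status` reuses the exact tag and enumerator names of the kernel definition in `<linux/netfilter_ipv4/ip_conntrack.h>`; the library no longer includes that header, but an application that includes both gets a redefinition error, and enum tags and enumerators cannot be protected with `#ifndef`. Either give the userspace copy its own names (an `NFCT_` prefix, which the neighbouring `NFCT_*` enums already use) or wrap the block in the kernel header's include guard (`_IP_CONNTRACK_H` in the 2.6 tree, if I recall correctly). The header comment's promise that this "shouldn't ever change in kernel space" covers only the bits listed here; a status word received over netlink may carry bits this copy does not know, so consumers should mask with these values and ignore unknown higher bits rather than reject the record, and a one-line note to that effect at the top of the enum, e.g. `/* Userspace snapshot; bits above IPS_DYING may appear and must be tolerated. */`, would set that expectation.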
@@ -163,14 +199,6 @@ typedef int (*nfct_callback)(void *arg, unsigned int flags, int);
 typedef int (*nfct_handler)(struct nfct_handle *cth, struct nlmsghdr *nlh, void *arg);
-struct nfct_handle {
- struct nfnl_handle nfnlh;
- nfct_callback callback; /* user callback */
- nfct_handler handler; /* netlink handler */
-};
-
-extern void nfct_register_proto(struct nfct_proto *h);
-
 /*
 * [Allocate|free] a conntrack
 */
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
new file mode 100644
index 0000000..4900541
--- /dev/null
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
@@ -0,0 +1,28 @@
+/*
+ * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
+ *
+ * This software may be used and distributed according to the terms
+ * of the GNU General Public License, incorporated herein by reference.
+ */
+
+#ifndef _LIBNETFILTER_CONNTRACK_EXTENSIONS_H_
+#define _LIBNETFILTER_CONNTRACK_EXTENSIONS_H_
+
+#include "linux_list.h"
+
+struct nfct_proto {
+ struct list_head head;
+
+ char *name;
+ u_int8_t protonum;
+ char *version;
+
+ void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
+ void (*parse_protoinfo)(struct nfattr **, struct nfct_conntrack *);
+ int (*print_protoinfo)(char *, union nfct_protoinfo *);
+ int (*print_proto)(char *, struct nfct_tuple *);
+};
+
+extern void nfct_register_proto(struct nfct_proto *h);
+
+#endif
diff --git a/src/libnetfilter_conntrack.c b/src/libnetfilter_conntrack.c
index 32a3827..6204df9 100644
--- a/src/libnetfilter_conntrack.c
+++ b/src/libnetfilter_conntrack.c
@@ -17,6 +17,7 @@
 #include "linux_list.h"
 #include <libnfnetlink/libnfnetlink.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
 #define NFCT_BUFSIZE 4096
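Review bot: The new `libnetfilter_conntrack_extensions.h` is not self-contained: it uses `struct nfattr`, `struct nfct_tuple`, `struct nfct_conntrack`, `union nfct_protoinfo` and `u_int8_t` but includes only `"linux_list.h"`, so it compiles only when `libnetfilter_conntrack.h` was already included, which the four extension files in this commit happen to do. Add `#include <libnetfilter_conntrack/libnetfilter_conntrack.h>` after the include guard so the dependency is explicit. Nothing in the header suggests `name` or `version` are written, so `const char *name;` and `const char *version;` would let extensions point them at string literals without a warning. Including `"linux_list.h"` with quotes from a header under `include/libnetfilter_conntrack/` only works for out-of-tree extensions if that file is installed next to it; I cannot tell from the diff whether it is.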
@@ -26,6 +27,13 @@
 ((unsigned char *)&addr)[2], \
 ((unsigned char *)&addr)[3]
+/* Harald says: "better for encapsulation" ;) */
+struct nfct_handle {
+ struct nfnl_handle nfnlh;
+ nfct_callback callback; /* user callback */
+ nfct_handler handler; /* netlink handler */
+};
+
 static char *lib_dir = LIBNETFILTER_CONNTRACK_DIR;
 static LIST_HEAD(proto_list);
 static char *proto2str[IPPROTO_MAX] = {
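Review bot: With `struct nfct_handle` now defined only in `libnetfilter_conntrack.c`, applications can no longer reach `nfnlh`, and through it the netlink socket descriptor, via the handle; unless an accessor already exists outside this diff, a program that integrates the library into a `select()`/`poll()` loop has just lost the only way to do so. Making the handle opaque is the right direction, but the comment above the struct should state the contract rather than the joke, e.g. `/* Opaque to applications: reachable only through the nfct_* API. */`, and the commit should confirm that a descriptor accessor exists or is added. The two member comments are kept, which is good; the struct itself is what lacks one.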