author | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-07-25 13:05:12 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-07-25 13:05:12 +0200 |
commit | e5cb42249f7fd5b730667150c9c19f10d2f215fd (patch) | |
tree | 36ddd7112093f6cee0ea09b1bc57848dba42c79d /include | |
parent | 96a2418c082e6ebdf76a3dbf0c277398221c78e3 (diff) |
cleanup: split internal.h into several internal header files
This patch cleans up the internal headers by splitting them into several
logical pieces.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/Makefile.am | 5 | ||||
-rw-r--r-- | include/internal.h | 340 | ||||
-rw-r--r-- | include/internal/Makefile.am | 2 | ||||
-rw-r--r-- | include/internal/bitops.h | 32 | ||||
-rw-r--r-- | include/internal/deprecated.h | 65 | ||||
-rw-r--r-- | include/internal/extern.h | 12 | ||||
-rw-r--r-- | include/internal/internal.h | 75 | ||||
-rw-r--r-- | include/internal/linux_list.h (renamed from include/linux_list.h) | 3 | ||||
-rw-r--r-- | include/internal/object.h | 217 | ||||
-rw-r--r-- | include/internal/prototypes.h | 37 | ||||
-rw-r--r-- | include/internal/types.h | 21 | ||||
-rw-r--r-- | include/libnetfilter_conntrack/Makefile.am | 3 | ||||
-rw-r--r-- | include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h | 38 | ||||
-rw-r--r-- | include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h | 29 |
14 files changed, 465 insertions, 414 deletions
diff --git a/include/Makefile.am b/include/Makefile.am
index 7113c9c..6fb2881 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -1,4 +1 @@
-
-SUBDIRS = libnetfilter_conntrack
-
-noinst_HEADERS = linux_list.h internal.h
+SUBDIRS = libnetfilter_conntrack internal
diff --git a/include/internal.h b/include/internal.h
deleted file mode 100644
index 9dc33f2..0000000
--- a/include/internal.h
+++ /dev/null
@@ -1,340 +0,0 @@
-/*
- * (C) 2006 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This software may be used and distributed according to the terms
- * of the GNU General Public License, incorporated herein by reference.
- *
- * WARNING: Do *NOT* ever include this file, only for internal use!
- * Use the set/get API in order to set/get the conntrack attributes
- */
-
-#ifndef __LIBNETFILTER_CONNTRACK_INTERNAL__
-#define __LIBNETFILTER_CONNTRACK_INTERNAL__
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <sys/types.h>
-#include <arpa/inet.h>
-#include <time.h>
-#include <errno.h>
-#include <netinet/in.h>
-
-#include <libnfnetlink/libnfnetlink.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-
-#ifndef IPPROTO_SCTP
-#define IPPROTO_SCTP 132
-#endif
-
-#ifndef IPPROTO_UDPLITE
-#define IPPROTO_UDPLITE 136
-#endif
-
-#ifndef IPPROTO_DCCP
-#define IPPROTO_DCCP 33
-#endif
-
-struct nfct_handle;
-struct nfct_filter;
-
-typedef void (*set_attr)(struct nf_conntrack *ct, const void *value);
-typedef const void *(*get_attr)(const struct nf_conntrack *ct);
-typedef void (*copy_attr)(struct nf_conntrack *d, const struct nf_conntrack *o);
-typedef void (*filter_attr)(struct nfct_filter *filter, const void *value);
-
-extern set_attr set_attr_array[];
-extern get_attr get_attr_array[];
-extern copy_attr copy_attr_array[];
-extern filter_attr filter_attr_array[];
-
-typedef int (*nfct_handler)(struct nfct_handle *cth, struct nlmsghdr *nlh,
- void *arg);
-
-struct nfct_handle {
- struct nfnl_handle *nfnlh;
- struct nfnl_subsys_handle *nfnlssh_ct;
- struct nfnl_subsys_handle *nfnlssh_exp;
- nfct_callback callback; /* user callback */
- void *callback_data; /* user data for callback */
- nfct_handler handler; /* netlink handler */
-
- /* callback handler for the new API */
- struct nfnl_callback nfnl_cb;
- int(*cb)(enum nf_conntrack_msg_type type,
- struct nf_conntrack *ct,
- void *data);
- int(*expect_cb)(enum nf_conntrack_msg_type type,
- struct nf_expect *exp,
- void *data);
-};
-
-union __nfct_l4_src {
- /* Add other protocols here. */
- u_int16_t all;
- struct {
- u_int16_t port;
- } tcp;
- struct {
- u_int16_t port;
- } udp;
- struct {
- u_int16_t id;
- } icmp;
- struct {
- u_int16_t port;
- } sctp;
-};
-
-union __nfct_l4_dst {
- /* Add other protocols here. */
- u_int16_t all;
- struct {
- u_int16_t port;
- } tcp;
- struct {
- u_int16_t port;
- } udp;
- struct {
- u_int8_t type, code;
- } icmp;
- struct {
- u_int16_t port;
- } sctp;
-};
-
-union __nfct_address {
- u_int32_t v4;
- struct in6_addr v6;
-};
-
-struct __nfct_tuple {
- union __nfct_address src;
- union __nfct_address dst;
-
- u_int8_t l3protonum;
- u_int8_t protonum;
- union __nfct_l4_src l4src;
- union __nfct_l4_dst l4dst;
-
- struct {
- u_int32_t correction_pos;
- u_int32_t offset_before;
- u_int32_t offset_after;
- } natseq;
-};
-
-#define __DIR_ORIG 0
-#define __DIR_REPL 1
-#define __DIR_MASTER 2
-#define __DIR_MAX __DIR_MASTER+1
-
-union __nfct_protoinfo {
- struct {
- u_int8_t state;
- struct {
- u_int8_t value;
- u_int8_t mask;
- } flags[__DIR_MAX];
- } tcp;
- struct {
- u_int8_t state;
- u_int32_t vtag[__DIR_MAX];
- } sctp;
-
-};
-
-struct __nfct_counters {
- u_int64_t packets;
- u_int64_t bytes;
-};
-
-struct __nfct_nat {
- u_int32_t min_ip, max_ip;
- union __nfct_l4_src l4min, l4max;
-};
-
-struct nf_conntrack {
- struct __nfct_tuple tuple[__DIR_MAX];
-
- u_int32_t timeout;
- u_int32_t mark;
- u_int32_t secmark;
- u_int32_t status;
- u_int32_t use;
- u_int32_t id;
-
- union __nfct_protoinfo protoinfo;
- struct __nfct_counters counters[__DIR_MAX];
- struct __nfct_nat snat;
- struct __nfct_nat dnat;
-
- u_int32_t set[2];
-};
-
-struct nfct_filter {
- /*
- * As many other objects in this library, the attributes are
- * private. This gives us the chance to modify the layout and
- * object size.
- *
- * Another observation, although this object might seem too
- * memory consuming, it is only needed to build the filter. Thus,
- * once it is attached, you can release this object.
- */
-
- /*
- * filter logic: use positive or negative logic
- */
- enum nfct_filter_logic logic[NFCT_FILTER_MAX];
-
- /*
- * This the layer 4 protocol map for filtering.
- */
- u_int32_t l4proto_map[IPPROTO_MAX/32];
-
- struct {
- /*
- * No limitations in the protocol filtering. We use a map of
- * 16 bits per protocol. As for now, DCCP has 10 states, TCP has
- * 10 states, SCTP has 8 state. Therefore, 16 bits is enough.
- */
-#define __FILTER_PROTO_MAX 16
- u_int16_t map;
- } l4proto_state[IPPROTO_MAX];
-
-#define __FILTER_ADDR_SRC 0
-#define __FILTER_ADDR_DST 1
-
- /*
- * FIXME: For IPv4 filtering, up to 256 IPs or masks by now.
- * This limitation is related to the existing autogenerated BSF code
- * and the fact that the maximum jump offset if 2^8 = 256.
- */
- u_int32_t l3proto_elems[2];
- struct {
-#define __FILTER_ADDR_MAX 256
- u_int32_t addr;
- u_int32_t mask;
- } l3proto[2][__FILTER_ADDR_MAX];
-
- u_int32_t set[1];
-};
-
-struct nf_expect {
- struct nf_conntrack master;
- struct nf_conntrack expected;
- struct nf_conntrack mask;
- u_int32_t timeout;
- u_int32_t id;
- u_int16_t expectfn_queue_id;
-
- u_int32_t set[1];
-};
-
-/* container used to pass data to nfnl callbacks */
-struct __data_container {
- struct nfct_handle *h;
- enum nf_conntrack_msg_type type;
- void *data;
-};
-
-static inline void set_bit(int nr, u_int32_t *addr)
-{
- addr[nr >> 5] |= (1UL << (nr & 31));
-}
-
-static inline void unset_bit(int nr, u_int32_t *addr)
-{
- addr[nr >> 5] &= ~(1UL << (nr & 31));
-}
-
-static inline void set_bit_u16(int nr, u_int16_t *addr)
-{
- addr[nr >> 4] |= (1UL << (nr & 15));
-}
-
-static inline void unset_bit_u16(int nr, u_int16_t *addr)
-{
- addr[nr >> 4] &= ~(1UL << (nr & 15));
-}
-
-static inline int test_bit(int nr, const u_int32_t *addr)
-{
- return ((1UL << (nr & 31)) & (addr[nr >> 5])) != 0;
-}
-
-#define BUFFER_SIZE(ret, size, len, offset) \
- size += ret; \
- if (ret > len) \
- ret = len; \
- offset += ret; \
- len -= ret;
-
-int __build_conntrack(struct nfnl_subsys_handle *ssh, struct nfnlhdr *req, size_t size, u_int16_t type, u_int16_t flags, const struct nf_conntrack *ct);
-void __build_tuple(struct nfnlhdr *req, size_t size, const struct __nfct_tuple *t, const int type);
-int __parse_message_type(const struct nlmsghdr *nlh);
-void __parse_conntrack(const struct nlmsghdr *nlh, const struct nfattr *cda[], struct nf_conntrack *ct);
-void __parse_tuple(const struct nfattr *attr, struct __nfct_tuple *tuple, int dir, u_int32_t *set);
-int __snprintf_conntrack(char *buf, unsigned int len, const struct nf_conntrack *ct, unsigned int type, unsigned int msg_output, unsigned int flags);
-int __snprintf_address(char *buf, unsigned int len, const struct __nfct_tuple *tuple);
-int __snprintf_protocol(char *buf, unsigned int len, const struct nf_conntrack *ct);
-int __snprintf_proto(char *buf, unsigned int len, const struct __nfct_tuple *tuple);
-int __snprintf_conntrack_default(char *buf, unsigned int len, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int flags);
-int __snprintf_conntrack_xml(char *buf, unsigned int len, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int flags);
-
-
-int __callback(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data);
-
-int __setobjopt(struct nf_conntrack *ct, unsigned int option);
-int __getobjopt(const struct nf_conntrack *ct, unsigned int option);
-int __compare(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2, unsigned int flags);
-
-int __setup_netlink_socket_filter(int fd, struct nfct_filter *filter);
-
-typedef void (*set_exp_attr)(struct nf_expect *exp, const void *value);
-typedef const void *(*get_exp_attr)(const struct nf_expect *exp);
-
-extern set_exp_attr set_exp_attr_array[];
-extern get_exp_attr get_exp_attr_array[];
-
-int __build_expect(struct nfnl_subsys_handle *ssh, struct nfnlhdr *req, size_t size, u_int16_t type, u_int16_t flags, const struct nf_expect *exp);
-int __parse_expect_message_type(const struct nlmsghdr *nlh);
-void __parse_expect(const struct nlmsghdr *nlh, const struct nfattr *cda[], struct nf_expect *exp);
-int __expect_callback(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data);
-int __snprintf_expect(char *buf, unsigned int len, const struct nf_expect *exp, unsigned int type, unsigned int msg_output, unsigned int flags);
-int __snprintf_expect_default(char *buf, unsigned int len, const struct nf_expect *exp, unsigned int msg_type, unsigned int flags);
-
-/* backward compatibility of the deprecated API */
-extern struct nfct_l3proto ipv4;
-extern struct nfct_l3proto ipv6;
-
-extern struct nfct_proto tcp;
-extern struct nfct_proto udp;
-extern struct nfct_proto sctp;
-extern struct nfct_proto icmp;
-
-#define TS_ORIG \
-({ \
- ((1 << ATTR_ORIG_IPV4_SRC) | (1 << ATTR_ORIG_IPV4_DST) | \
- (1 << ATTR_ORIG_IPV6_SRC) | (1 << ATTR_ORIG_IPV6_DST) | \
- (1 << ATTR_ORIG_PORT_SRC) | (1 << ATTR_ORIG_PORT_DST) | \
- (1 << ATTR_ORIG_L3PROTO) | (1 << ATTR_ORIG_L4PROTO) | \
- (1 << ATTR_ICMP_TYPE) | (1 << ATTR_ICMP_CODE) | \
- (1 << ATTR_ICMP_ID)); \
-})
-
-#define TS_REPL \
-({ \
- ((1 << ATTR_REPL_IPV4_SRC) | (1 << ATTR_REPL_IPV4_DST) | \
- (1 << ATTR_REPL_IPV6_SRC) | (1 << ATTR_REPL_IPV6_DST) | \
- (1 << ATTR_REPL_PORT_SRC) | (1 << ATTR_REPL_PORT_DST) | \
- (1 << ATTR_REPL_L3PROTO) | (1 << ATTR_REPL_L4PROTO) | \
- (1 << ATTR_ICMP_TYPE) | (1 << ATTR_ICMP_CODE) | \
- (1 << ATTR_ICMP_ID)); \
-})
-
-#define TUPLE_SET(dir) (dir == __DIR_ORIG ? TS_ORIG : TS_REPL)
-
-#endif
diff --git a/include/internal/Makefile.am b/include/internal/Makefile.am
new file mode 100644
index 0000000..a4fadd5
--- /dev/null
+++ b/include/internal/Makefile.am
@@ -0,0 +1,2 @@
+noinst_HEADERS = bitops.h extern.h linux_list.h prototypes.h \
+ deprecated.h internal.h object.h types.h
diff --git a/include/internal/bitops.h b/include/internal/bitops.h
new file mode 100644
index 0000000..b1bd848
--- /dev/null
+++ b/include/internal/bitops.h
@@ -0,0 +1,32 @@
+/*
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ */
+#ifndef _NFCT_BITOPS_H_
+#define _NFCT_BITOPS_H_
+
+static inline void set_bit(int nr, u_int32_t *addr)
+{
+ addr[nr >> 5] |= (1UL << (nr & 31));
+}
+
+static inline void unset_bit(int nr, u_int32_t *addr)
+{
+ addr[nr >> 5] &= ~(1UL << (nr & 31));
+}
+
+static inline void set_bit_u16(int nr, u_int16_t *addr)
+{
+ addr[nr >> 4] |= (1UL << (nr & 15));
+}
+
+static inline void unset_bit_u16(int nr, u_int16_t *addr)
+{
+ addr[nr >> 4] &= ~(1UL << (nr & 15));
+}
+
+static inline int test_bit(int nr, const u_int32_t *addr)
+{
+ return ((1UL << (nr & 31)) & (addr[nr >> 5])) != 0;
+}
+
+#endif
diff --git a/include/internal/deprecated.h b/include/internal/deprecated.h
new file mode 100644
index 0000000..fe6f890
--- /dev/null
+++ b/include/internal/deprecated.h
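Review bot: bitops.h uses `u_int32_t` and `u_int16_t` but includes nothing, so it only compiles when internal.h has already pulled in `<sys/types.h>` ahead of it; the same include-order dependency holds for the new deprecated.h, extern.h, object.h, prototypes.h and types.h, each of which uses types declared in one of the others. Adding `#include <sys/types.h>` at the top of bitops.h makes it self-contained, and a short comment in internal.h stating that the `internal/*.h` includes are order-sensitive would document the rest. Separately, `nr` is a signed `int` and none of the five helpers bound it against the length of `addr`, so a negative or over-large index reads or writes outside the bitmap; a comment such as `/* nr must be in [0, 32 * nelems) — callers are responsible for range-checking */` on `set_bit` would make that contract explicit.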
@@ -0,0 +1,65 @@
+/*
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ */
+#ifndef _NFCT_DEPRECATED_H_
+#define _NFCT_DEPRECATED_H_
+
+typedef int (*nfct_handler)(struct nfct_handle *cth, struct nlmsghdr *nlh,
+ void *arg);
+
+/* some systems have old libc's */
+#include <netinet/in.h>
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
+
+#include "internal/linux_list.h"
+
+/* extensions */
+struct nfct_proto {
+ struct list_head head;
+
+ char *name;
+ u_int8_t protonum;
+ char *version;
+
+ void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
+ void (*parse_protoinfo)(struct nfattr **, struct nfct_conntrack *);
+ void (*build_tuple_proto)(struct nfnlhdr *, int, struct nfct_tuple *);
+ void (*build_protoinfo)(struct nfnlhdr *, int, struct nfct_conntrack *);
+ int (*print_protoinfo)(char *, union nfct_protoinfo *);
+ int (*print_proto)(char *, struct nfct_tuple *);
+ int (*compare)(struct nfct_conntrack *, struct nfct_conntrack *,
+ unsigned int);
+};
+
+extern void nfct_register_proto(struct nfct_proto *h);
+
+struct nfct_l3proto {
+ struct list_head head;
+
+ char *name;
+ u_int16_t protonum;
+ char *version;
+
+ void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
+ void (*build_tuple_proto)(struct nfnlhdr *, int, struct nfct_tuple *);
+ int (*print_proto)(char *, struct nfct_tuple *);
+ int (*compare)(struct nfct_conntrack *, struct nfct_conntrack *,
+ unsigned int);
+};
+
+extern void nfct_register_l3proto(struct nfct_l3proto *h);
+
+/* backward compatibility of the deprecated API */
+extern struct nfct_l3proto ipv4;
+extern struct nfct_l3proto ipv6;
+
+extern struct nfct_proto tcp;
+extern struct nfct_proto udp;
+extern struct nfct_proto sctp;
+extern struct nfct_proto icmp;
+
+extern void deprecated_backward_support();
+
+#endif
diff --git a/include/internal/extern.h b/include/internal/extern.h
new file mode 100644
index 0000000..a43cde7
--- /dev/null
+++ b/include/internal/extern.h
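Review bot: `extern void deprecated_backward_support();` near the end of the hunk declares a function with an unspecified parameter list, so a call passing arguments is not diagnosed; it should read `extern void deprecated_backward_support(void);`. The `nfct_handler` typedef at the top names `struct nfct_handle` and `struct nlmsghdr` before either is declared, which only works because internal.h includes libnfnetlink and the public header first; a forward declaration `struct nfct_handle;` in this file would remove that ordering dependency. The `parse_proto`/`parse_protoinfo` callbacks take `struct nfattr **` straight from netlink, so a comment noting that implementations must validate attribute lengths before reading would help whoever maintains the legacy extensions.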
@@ -0,0 +1,12 @@
+#ifndef _NFCT_EXTERN_H_
+#define _NFCT_EXTERN_H_
+
+extern set_attr set_attr_array[];
+extern get_attr get_attr_array[];
+extern copy_attr copy_attr_array[];
+extern filter_attr filter_attr_array[];
+
+extern set_exp_attr set_exp_attr_array[];
+extern get_exp_attr get_exp_attr_array[];
+
+#endif
diff --git a/include/internal/internal.h b/include/internal/internal.h
new file mode 100644
index 0000000..e7fc22e
--- /dev/null
+++ b/include/internal/internal.h
@@ -0,0 +1,75 @@
+/*
+ * (C) 2006 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This software may be used and distributed according to the terms
+ * of the GNU General Public License, incorporated herein by reference.
+ *
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ * Use the set/get API in order to set/get the conntrack attributes
+ */
+
+#ifndef __LIBNETFILTER_CONNTRACK_INTERNAL__
+#define __LIBNETFILTER_CONNTRACK_INTERNAL__
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <sys/types.h>
+#include <arpa/inet.h>
+#include <time.h>
+#include <errno.h>
+#include <netinet/in.h>
+
+#include <libnfnetlink/libnfnetlink.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+#include "internal/deprecated.h"
+#include "internal/object.h"
+#include "internal/prototypes.h"
+#include "internal/types.h"
+#include "internal/extern.h"
+#include "internal/bitops.h"
+
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
+
+#ifndef IPPROTO_UDPLITE
+#define IPPROTO_UDPLITE 136
+#endif
+
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+
+#define BUFFER_SIZE(ret, size, len, offset) \
+ size += ret; \
+ if (ret > len) \
+ ret = len; \
+ offset += ret; \
+ len -= ret;
+
+#define TS_ORIG \
+({ \
+ ((1 << ATTR_ORIG_IPV4_SRC) | (1 << ATTR_ORIG_IPV4_DST) | \
+ (1 << ATTR_ORIG_IPV6_SRC) | (1 << ATTR_ORIG_IPV6_DST) | \
+ (1 << ATTR_ORIG_PORT_SRC) | (1 << ATTR_ORIG_PORT_DST) | \
+ (1 << ATTR_ORIG_L3PROTO) | (1 << ATTR_ORIG_L4PROTO) | \
+ (1 << ATTR_ICMP_TYPE) | (1 << ATTR_ICMP_CODE) | \
+ (1 << ATTR_ICMP_ID)); \
+})
+
+#define TS_REPL \
+({ \
+ ((1 << ATTR_REPL_IPV4_SRC) | (1 << ATTR_REPL_IPV4_DST) | \
+ (1 << ATTR_REPL_IPV6_SRC) | (1 << ATTR_REPL_IPV6_DST) | \
+ (1 << ATTR_REPL_PORT_SRC) | (1 << ATTR_REPL_PORT_DST) | \
+ (1 << ATTR_REPL_L3PROTO) | (1 << ATTR_REPL_L4PROTO) | \
+ (1 << ATTR_ICMP_TYPE) | (1 << ATTR_ICMP_CODE) | \
+ (1 << ATTR_ICMP_ID)); \
+})
+
+#define TUPLE_SET(dir) (dir == __DIR_ORIG ? TS_ORIG : TS_REPL)
+
+#endif
diff --git a/include/linux_list.h b/include/internal/linux_list.h
index 57b56d7..7b561c3 100644
--- a/include/linux_list.h
+++ b/include/internal/linux_list.h
@@ -1,3 +1,6 @@
+/*
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ */
 #ifndef _LINUX_LIST_H
 #define _LINUX_LIST_H
diff --git a/include/internal/object.h b/include/internal/object.h
new file mode 100644
index 0000000..e39a576
--- /dev/null
+++ b/include/internal/object.h
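Review bot: `BUFFER_SIZE` in the internal.h hunk expands to five bare statements, so used as the body of an unbraced `if` or `else` only `size += ret;` is conditional and the remaining four always execute; wrapping the body in `do { … } while (0)` and parenthesizing every argument makes it usable as a single statement (assuming the call sites already end with a semicolon, which is not visible here). `TUPLE_SET(dir)` has the same unparenthesized-argument problem and should be `#define TUPLE_SET(dir) ((dir) == __DIR_ORIG ? TS_ORIG : TS_REPL)`. Whether `ret` can be negative (an `snprintf` failure) and whether `len` is unsigned cannot be seen from the macro alone, so the `ret > len` comparison deserves a check for signed/unsigned mixing at the call sites; a comment on the macro stating the expected types of `ret` and `len` would pin that down.
```c
#define BUFFER_SIZE(ret, size, len, offset) \
do { \
	(size) += (ret); \
	if ((ret) > (len)) \
		(ret) = (len); \
	(offset) += (ret); \
	(len) -= (ret); \
} while (0)
```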
@@ -0,0 +1,217 @@
+/*
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ * Use the set/get API in order to set/get the conntrack attributes
+ */
+
+#ifndef _NFCT_OBJECT_H_
+#define _NFCT_OBJECT_H_
+
+/*
+ * nfct callback handler object
+ */
+
+struct nfct_handle {
+ struct nfnl_handle *nfnlh;
+ struct nfnl_subsys_handle *nfnlssh_ct;
+ struct nfnl_subsys_handle *nfnlssh_exp;
+
+ /* deprecated old API */
+ nfct_callback callback;
+ void *callback_data;
+ nfct_handler handler;
+
+ /* callback handler for the new API */
+ struct nfnl_callback nfnl_cb;
+
+ int (*cb)(enum nf_conntrack_msg_type type,
+ struct nf_conntrack *ct,
+ void *data);
+
+ int (*expect_cb)(enum nf_conntrack_msg_type type,
+ struct nf_expect *exp,
+ void *data);
+};
+
+/* container used to pass data to nfnl callbacks */
+struct __data_container {
+ struct nfct_handle *h;
+ enum nf_conntrack_msg_type type;
+ void *data;
+};
+
+/*
+ * conntrack object
+ */
+
+union __nfct_l4_src {
+ /* Add other protocols here. */
+ u_int16_t all;
+ struct {
+ u_int16_t port;
+ } tcp;
+ struct {
+ u_int16_t port;
+ } udp;
+ struct {
+ u_int16_t id;
+ } icmp;
+ struct {
+ u_int16_t port;
+ } sctp;
+};
+
+union __nfct_l4_dst {
+ /* Add other protocols here. */
+ u_int16_t all;
+ struct {
+ u_int16_t port;
+ } tcp;
+ struct {
+ u_int16_t port;
+ } udp;
+ struct {
+ u_int8_t type, code;
+ } icmp;
+ struct {
+ u_int16_t port;
+ } sctp;
+};
+
+union __nfct_address {
+ u_int32_t v4;
+ struct in6_addr v6;
+};
+
+struct __nfct_tuple {
+ union __nfct_address src;
+ union __nfct_address dst;
+
+ u_int8_t l3protonum;
+ u_int8_t protonum;
+ union __nfct_l4_src l4src;
+ union __nfct_l4_dst l4dst;
+
+ struct {
+ u_int32_t correction_pos;
+ u_int32_t offset_before;
+ u_int32_t offset_after;
+ } natseq;
+};
+
+#define __DIR_ORIG 0
+#define __DIR_REPL 1
+#define __DIR_MASTER 2
+#define __DIR_MAX __DIR_MASTER+1
+
+union __nfct_protoinfo {
+ struct {
+ u_int8_t state;
+ struct {
+ u_int8_t value;
+ u_int8_t mask;
+ } flags[__DIR_MAX];
+ } tcp;
+ struct {
+ u_int8_t state;
+ u_int32_t vtag[__DIR_MAX];
+ } sctp;
+
+};
+
+struct __nfct_counters {
+ u_int64_t packets;
+ u_int64_t bytes;
+};
+
+struct __nfct_nat {
+ u_int32_t min_ip, max_ip;
+ union __nfct_l4_src l4min, l4max;
+};
+
+struct nf_conntrack {
+ struct __nfct_tuple tuple[__DIR_MAX];
+
+ u_int32_t timeout;
+ u_int32_t mark;
+ u_int32_t secmark;
+ u_int32_t status;
+ u_int32_t use;
+ u_int32_t id;
+
+ union __nfct_protoinfo protoinfo;
+ struct __nfct_counters counters[__DIR_MAX];
+ struct __nfct_nat snat;
+ struct __nfct_nat dnat;
+
+ u_int32_t set[2];
+};
+
+/*
+ * conntrack filter object
+ */
+
+struct nfct_filter {
+ /*
+ * As many other objects in this library, the attributes are
+ * private. This gives us the chance to modify the layout and
+ * object size.
+ *
+ * Another observation, although this object might seem too
+ * memory consuming, it is only needed to build the filter. Thus,
+ * once it is attached, you can release this object.
+ */
+
+ /*
+ * filter logic: use positive or negative logic
+ */
+ enum nfct_filter_logic logic[NFCT_FILTER_MAX];
+
+ /*
+ * This the layer 4 protocol map for filtering.
+ */
+ u_int32_t l4proto_map[IPPROTO_MAX/32];
+
+ struct {
+ /*
+ * No limitations in the protocol filtering. We use a map of
+ * 16 bits per protocol. As for now, DCCP has 10 states, TCP has
+ * 10 states, SCTP has 8 state. Therefore, 16 bits is enough.
+ */
+#define __FILTER_PROTO_MAX 16
+ u_int16_t map;
+ } l4proto_state[IPPROTO_MAX];
+
+#define __FILTER_ADDR_SRC 0
+#define __FILTER_ADDR_DST 1
+
+ /*
+ * FIXME: For IPv4 filtering, up to 256 IPs or masks by now.
+ * This limitation is related to the existing autogenerated BSF code
+ * and the fact that the maximum jump offset if 2^8 = 256.
+ */
+ u_int32_t l3proto_elems[2];
+ struct {
+#define __FILTER_ADDR_MAX 256
+ u_int32_t addr;
+ u_int32_t mask;
+ } l3proto[2][__FILTER_ADDR_MAX];
+
+ u_int32_t set[1];
+};
+
+/*
+ * expectation object
+ */
+
+struct nf_expect {
+ struct nf_conntrack master;
+ struct nf_conntrack expected;
+ struct nf_conntrack mask;
+ u_int32_t timeout;
+ u_int32_t id;
+ u_int16_t expectfn_queue_id;
+
+ u_int32_t set[1];
+};
+
+#endif
diff --git a/include/internal/prototypes.h b/include/internal/prototypes.h
new file mode 100644
index 0000000..bab9082
--- /dev/null
+++ b/include/internal/prototypes.h
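Review bot: `#define __DIR_MAX __DIR_MASTER+1` in the object.h hunk is unparenthesized; the visible uses are array bounds, where it is harmless, but any `sizeof(x) * __DIR_MAX` or `__DIR_MAX - 1` elsewhere silently miscomputes, so it should be `#define __DIR_MAX (__DIR_MASTER+1)`. The `u_int32_t set[2]` in `struct nf_conntrack` and `set[1]` in `struct nfct_filter` and `struct nf_expect` are attribute bitmaps sized by hand with nothing here tying them to the attribute enumerations they index; a comment on each stating which enum's maximum the array must cover would help, and a compile-time size check would be better where the project's C dialect allows it. The comment `This the layer 4 protocol map for filtering.` in `struct nfct_filter` is missing "is".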
@@ -0,0 +1,37 @@
+#ifndef _NFCT_PROTOTYPES_H_
+#define _NFCT_PROTOTYPES_H_
+
+/*
+ * conntrack internal prototypes
+ */
+int __build_conntrack(struct nfnl_subsys_handle *ssh, struct nfnlhdr *req, size_t size, u_int16_t type, u_int16_t flags, const struct nf_conntrack *ct);
+void __build_tuple(struct nfnlhdr *req, size_t size, const struct __nfct_tuple *t, const int type);
+int __parse_message_type(const struct nlmsghdr *nlh);
+void __parse_conntrack(const struct nlmsghdr *nlh, const struct nfattr *cda[], struct nf_conntrack *ct);
+void __parse_tuple(const struct nfattr *attr, struct __nfct_tuple *tuple, int dir, u_int32_t *set);
+int __snprintf_conntrack(char *buf, unsigned int len, const struct nf_conntrack *ct, unsigned int type, unsigned int msg_output, unsigned int flags);
+int __snprintf_address(char *buf, unsigned int len, const struct __nfct_tuple *tuple);
+int __snprintf_protocol(char *buf, unsigned int len, const struct nf_conntrack *ct);
+int __snprintf_proto(char *buf, unsigned int len, const struct __nfct_tuple *tuple);
+int __snprintf_conntrack_default(char *buf, unsigned int len, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int flags);
+int __snprintf_conntrack_xml(char *buf, unsigned int len, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int flags);
+
+int __callback(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data);
+
+int __setobjopt(struct nf_conntrack *ct, unsigned int option);
+int __getobjopt(const struct nf_conntrack *ct, unsigned int option);
+int __compare(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2, unsigned int flags);
+
+int __setup_netlink_socket_filter(int fd, struct nfct_filter *filter);
+
+/*
+ * expectation internal prototypes
+ */
+int __build_expect(struct nfnl_subsys_handle *ssh, struct nfnlhdr *req, size_t size, u_int16_t type, u_int16_t flags, const struct nf_expect *exp);
+int __parse_expect_message_type(const struct nlmsghdr *nlh);
+void __parse_expect(const struct nlmsghdr *nlh, const struct nfattr *cda[], struct nf_expect *exp);
+int __expect_callback(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data);
+int __snprintf_expect(char *buf, unsigned int len, const struct nf_expect *exp, unsigned int type, unsigned int msg_output, unsigned int flags);
+int __snprintf_expect_default(char *buf, unsigned int len, const struct nf_expect *exp, unsigned int msg_type, unsigned int flags);
+
+#endif
diff --git a/include/internal/types.h b/include/internal/types.h
new file mode 100644
index 0000000..a13722c
--- /dev/null
+++ b/include/internal/types.h
@@ -0,0 +1,21 @@
+/*
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ */
+#ifndef _NFCT_TYPES_H_
+#define _NFCT_TYPES_H_
+
+/*
+ * conntrack types
+ */
+typedef void (*set_attr)(struct nf_conntrack *ct, const void *value);
+typedef const void *(*get_attr)(const struct nf_conntrack *ct);
+typedef void (*copy_attr)(struct nf_conntrack *d, const struct nf_conntrack *o);
+typedef void (*filter_attr)(struct nfct_filter *filter, const void *value);
+
+/*
+ * expectation types
+ */
+typedef void (*set_exp_attr)(struct nf_expect *exp, const void *value);
+typedef const void *(*get_exp_attr)(const struct nf_expect *exp);
+
+#endif
diff --git a/include/libnetfilter_conntrack/Makefile.am b/include/libnetfilter_conntrack/Makefile.am
index 9e4a2d1..c5f762f 100644
--- a/include/libnetfilter_conntrack/Makefile.am
+++ b/include/libnetfilter_conntrack/Makefile.am
@@ -1,5 +1,2 @@
 pkginclude_HEADERS = libnetfilter_conntrack.h linux_nfnetlink_conntrack.h libnetfilter_conntrack_tcp.h libnetfilter_conntrack_udp.h libnetfilter_conntrack_icmp.h libnetfilter_conntrack_sctp.h libnetfilter_conntrack_ipv4.h libnetfilter_conntrack_ipv6.h
-
-noinst_HEADERS = libnetfilter_conntrack_extensions.h \
- libnetfilter_conntrack_l3extensions.h
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
deleted file mode 100644
index db7828d..0000000
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
- *
- * This software may be used and distributed according to the terms
- * of the GNU General Public License, incorporated herein by reference.
- */
-
-#ifndef _LIBNETFILTER_CONNTRACK_EXTENSIONS_H_
-#define _LIBNETFILTER_CONNTRACK_EXTENSIONS_H_
-
-/* some systems have old libc's */
-#include <netinet/in.h>
-#ifndef IPPROTO_SCTP
-#define IPPROTO_SCTP 132
-#endif
-
-#include "linux_list.h"
-
-struct nfct_proto {
- struct list_head head;
-
- char *name;
- u_int8_t protonum;
- char *version;
-
- void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
- void (*parse_protoinfo)(struct nfattr **, struct nfct_conntrack *);
- void (*build_tuple_proto)(struct nfnlhdr *, int, struct nfct_tuple *);
- void (*build_protoinfo)(struct nfnlhdr *, int, struct nfct_conntrack *);
- int (*print_protoinfo)(char *, union nfct_protoinfo *);
- int (*print_proto)(char *, struct nfct_tuple *);
- int (*compare)(struct nfct_conntrack *, struct nfct_conntrack *,
- unsigned int);
-};
-
-extern void nfct_register_proto(struct nfct_proto *h);
-
-#endif
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h
deleted file mode 100644
index 86e002a..0000000
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
- *
- * This software may be used and distributed according to the terms
- * of the GNU General Public License, incorporated herein by reference.
- */
-
-#ifndef _LIBNETFILTER_CONNTRACK_L3EXTENSIONS_H_
-#define _LIBNETFILTER_CONNTRACK_L3EXTENSIONS_H_
-
-#include "linux_list.h"
-
-struct nfct_l3proto {
- struct list_head head;
-
- char *name;
- u_int16_t protonum;
- char *version;
-
- void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
- void (*build_tuple_proto)(struct nfnlhdr *, int, struct nfct_tuple *);
- int (*print_proto)(char *, struct nfct_tuple *);
- int (*compare)(struct nfct_conntrack *, struct nfct_conntrack *,
- unsigned int);
-};
-
-extern void nfct_register_l3proto(struct nfct_l3proto *h);
-
-#endif