-rw-r--r--configure.in2
-rw-r--r--include/Makefile.am5
-rw-r--r--include/internal.h340
-rw-r--r--include/internal/Makefile.am2
-rw-r--r--include/internal/bitops.h32
-rw-r--r--include/internal/deprecated.h65
-rw-r--r--include/internal/extern.h12
-rw-r--r--include/internal/internal.h75
-rw-r--r--include/internal/linux_list.h (renamed from include/linux_list.h)3
-rw-r--r--include/internal/object.h217
-rw-r--r--include/internal/prototypes.h37
-rw-r--r--include/internal/types.h21
-rw-r--r--include/libnetfilter_conntrack/Makefile.am3
-rw-r--r--include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h38
-rw-r--r--include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h29
-rw-r--r--src/conntrack/api.c2
-rw-r--r--src/conntrack/bsf.c2
-rw-r--r--src/conntrack/build.c2
-rw-r--r--src/conntrack/callback.c2
-rw-r--r--src/conntrack/compare.c2
-rw-r--r--src/conntrack/copy.c2
-rw-r--r--src/conntrack/filter.c9
-rw-r--r--src/conntrack/getter.c2
-rw-r--r--src/conntrack/objopt.c2
-rw-r--r--src/conntrack/parse.c2
-rw-r--r--src/conntrack/setter.c2
-rw-r--r--src/conntrack/snprintf.c2
-rw-r--r--src/conntrack/snprintf_default.c2
-rw-r--r--src/conntrack/snprintf_xml.c2
-rw-r--r--src/deprecated.c7
-rw-r--r--src/deprecated/extensions/libnetfilter_conntrack_icmp.c3
-rw-r--r--src/deprecated/extensions/libnetfilter_conntrack_sctp.c3
-rw-r--r--src/deprecated/extensions/libnetfilter_conntrack_tcp.c3
-rw-r--r--src/deprecated/extensions/libnetfilter_conntrack_udp.c3
-rw-r--r--src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c3
-rw-r--r--src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c3
-rw-r--r--src/expect/api.c2
-rw-r--r--src/expect/build.c2
-rw-r--r--src/expect/callback.c2
-rw-r--r--src/expect/getter.c2
-rw-r--r--src/expect/parse.c2
-rw-r--r--src/expect/setter.c2
-rw-r--r--src/expect/snprintf.c2
-rw-r--r--src/expect/snprintf_default.c2
-rw-r--r--src/main.c2
45 files changed, 510 insertions, 449 deletions
diff --git a/configure.in b/configure.in
index 6568334..c95177f 100644
--- a/configure.in
+++ b/configure.in
@@ -78,5 +78,5 @@ LIBNFCONNTRACK_LIBS="$LIBNFNETLINK_LIBS"
AC_SUBST(LIBNFCONNTRACK_LIBS)
dnl Output the makefile
-AC_OUTPUT(Makefile src/Makefile include/Makefile utils/Makefile include/libnetfilter_conntrack/Makefile src/conntrack/Makefile src/expect/Makefile src/deprecated/Makefile src/deprecated/l3extensions/Makefile src/deprecated/extensions/Makefile libnetfilter_conntrack.pc)
+AC_OUTPUT(Makefile src/Makefile include/Makefile utils/Makefile include/libnetfilter_conntrack/Makefile include/internal/Makefile src/conntrack/Makefile src/expect/Makefile src/deprecated/Makefile src/deprecated/l3extensions/Makefile src/deprecated/extensions/Makefile libnetfilter_conntrack.pc)
diff --git a/include/Makefile.am b/include/Makefile.am
index 7113c9c..6fb2881 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -1,4 +1 @@
-
-SUBDIRS = libnetfilter_conntrack
-
-noinst_HEADERS = linux_list.h internal.h
+SUBDIRS = libnetfilter_conntrack internal
diff --git a/include/internal.h b/include/internal.h
deleted file mode 100644
index 9dc33f2..0000000
--- a/include/internal.h
+++ /dev/null
@@ -1,340 +0,0 @@
-/*
- * (C) 2006 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This software may be used and distributed according to the terms
- * of the GNU General Public License, incorporated herein by reference.
- *
- * WARNING: Do *NOT* ever include this file, only for internal use!
- * Use the set/get API in order to set/get the conntrack attributes
- */
-
-#ifndef __LIBNETFILTER_CONNTRACK_INTERNAL__
-#define __LIBNETFILTER_CONNTRACK_INTERNAL__
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <sys/types.h>
-#include <arpa/inet.h>
-#include <time.h>
-#include <errno.h>
-#include <netinet/in.h>
-
-#include <libnfnetlink/libnfnetlink.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-
-#ifndef IPPROTO_SCTP
-#define IPPROTO_SCTP 132
-#endif
-
-#ifndef IPPROTO_UDPLITE
-#define IPPROTO_UDPLITE 136
-#endif
-
-#ifndef IPPROTO_DCCP
-#define IPPROTO_DCCP 33
-#endif
-
-struct nfct_handle;
-struct nfct_filter;
-
-typedef void (*set_attr)(struct nf_conntrack *ct, const void *value);
-typedef const void *(*get_attr)(const struct nf_conntrack *ct);
-typedef void (*copy_attr)(struct nf_conntrack *d, const struct nf_conntrack *o);
-typedef void (*filter_attr)(struct nfct_filter *filter, const void *value);
-
-extern set_attr set_attr_array[];
-extern get_attr get_attr_array[];
-extern copy_attr copy_attr_array[];
-extern filter_attr filter_attr_array[];
-
-typedef int (*nfct_handler)(struct nfct_handle *cth, struct nlmsghdr *nlh,
- void *arg);
-
-struct nfct_handle {
- struct nfnl_handle *nfnlh;
- struct nfnl_subsys_handle *nfnlssh_ct;
- struct nfnl_subsys_handle *nfnlssh_exp;
- nfct_callback callback; /* user callback */
- void *callback_data; /* user data for callback */
- nfct_handler handler; /* netlink handler */
-
- /* callback handler for the new API */
- struct nfnl_callback nfnl_cb;
- int(*cb)(enum nf_conntrack_msg_type type,
- struct nf_conntrack *ct,
- void *data);
- int(*expect_cb)(enum nf_conntrack_msg_type type,
- struct nf_expect *exp,
- void *data);
-};
-
-union __nfct_l4_src {
- /* Add other protocols here. */
- u_int16_t all;
- struct {
- u_int16_t port;
- } tcp;
- struct {
- u_int16_t port;
- } udp;
- struct {
- u_int16_t id;
- } icmp;
- struct {
- u_int16_t port;
- } sctp;
-};
-
-union __nfct_l4_dst {
- /* Add other protocols here. */
- u_int16_t all;
- struct {
- u_int16_t port;
- } tcp;
- struct {
- u_int16_t port;
- } udp;
- struct {
- u_int8_t type, code;
- } icmp;
- struct {
- u_int16_t port;
- } sctp;
-};
-
-union __nfct_address {
- u_int32_t v4;
- struct in6_addr v6;
-};
-
-struct __nfct_tuple {
- union __nfct_address src;
- union __nfct_address dst;
-
- u_int8_t l3protonum;
- u_int8_t protonum;
- union __nfct_l4_src l4src;
- union __nfct_l4_dst l4dst;
-
- struct {
- u_int32_t correction_pos;
- u_int32_t offset_before;
- u_int32_t offset_after;
- } natseq;
-};
-
-#define __DIR_ORIG 0
-#define __DIR_REPL 1
-#define __DIR_MASTER 2
-#define __DIR_MAX __DIR_MASTER+1
-
-union __nfct_protoinfo {
- struct {
- u_int8_t state;
- struct {
- u_int8_t value;
- u_int8_t mask;
- } flags[__DIR_MAX];
- } tcp;
- struct {
- u_int8_t state;
- u_int32_t vtag[__DIR_MAX];
- } sctp;
-
-};
-
-struct __nfct_counters {
- u_int64_t packets;
- u_int64_t bytes;
-};
-
-struct __nfct_nat {
- u_int32_t min_ip, max_ip;
- union __nfct_l4_src l4min, l4max;
-};
-
-struct nf_conntrack {
- struct __nfct_tuple tuple[__DIR_MAX];
-
- u_int32_t timeout;
- u_int32_t mark;
- u_int32_t secmark;
- u_int32_t status;
- u_int32_t use;
- u_int32_t id;
-
- union __nfct_protoinfo protoinfo;
- struct __nfct_counters counters[__DIR_MAX];
- struct __nfct_nat snat;
- struct __nfct_nat dnat;
-
- u_int32_t set[2];
-};
-
-struct nfct_filter {
- /*
- * As many other objects in this library, the attributes are
- * private. This gives us the chance to modify the layout and
- * object size.
- *
- * Another observation, although this object might seem too
- * memory consuming, it is only needed to build the filter. Thus,
- * once it is attached, you can release this object.
- */
-
- /*
- * filter logic: use positive or negative logic
- */
- enum nfct_filter_logic logic[NFCT_FILTER_MAX];
-
- /*
- * This the layer 4 protocol map for filtering.
- */
- u_int32_t l4proto_map[IPPROTO_MAX/32];
-
- struct {
- /*
- * No limitations in the protocol filtering. We use a map of
- * 16 bits per protocol. As for now, DCCP has 10 states, TCP has
- * 10 states, SCTP has 8 state. Therefore, 16 bits is enough.
- */
-#define __FILTER_PROTO_MAX 16
- u_int16_t map;
- } l4proto_state[IPPROTO_MAX];
-
-#define __FILTER_ADDR_SRC 0
-#define __FILTER_ADDR_DST 1
-
- /*
- * FIXME: For IPv4 filtering, up to 256 IPs or masks by now.
- * This limitation is related to the existing autogenerated BSF code
- * and the fact that the maximum jump offset if 2^8 = 256.
- */
- u_int32_t l3proto_elems[2];
- struct {
-#define __FILTER_ADDR_MAX 256
- u_int32_t addr;
- u_int32_t mask;
- } l3proto[2][__FILTER_ADDR_MAX];
-
- u_int32_t set[1];
-};
-
-struct nf_expect {
- struct nf_conntrack master;
- struct nf_conntrack expected;
- struct nf_conntrack mask;
- u_int32_t timeout;
- u_int32_t id;
- u_int16_t expectfn_queue_id;
-
- u_int32_t set[1];
-};
-
-/* container used to pass data to nfnl callbacks */
-struct __data_container {
- struct nfct_handle *h;
- enum nf_conntrack_msg_type type;
- void *data;
-};
-
-static inline void set_bit(int nr, u_int32_t *addr)
-{
- addr[nr >> 5] |= (1UL << (nr & 31));
-}
-
-static inline void unset_bit(int nr, u_int32_t *addr)
-{
- addr[nr >> 5] &= ~(1UL << (nr & 31));
-}
-
-static inline void set_bit_u16(int nr, u_int16_t *addr)
-{
- addr[nr >> 4] |= (1UL << (nr & 15));
-}
-
-static inline void unset_bit_u16(int nr, u_int16_t *addr)
-{
- addr[nr >> 4] &= ~(1UL << (nr & 15));
-}
-
-static inline int test_bit(int nr, const u_int32_t *addr)
-{
- return ((1UL << (nr & 31)) & (addr[nr >> 5])) != 0;
-}
-
-#define BUFFER_SIZE(ret, size, len, offset) \
- size += ret; \
- if (ret > len) \
- ret = len; \
- offset += ret; \
- len -= ret;
-
-int __build_conntrack(struct nfnl_subsys_handle *ssh, struct nfnlhdr *req, size_t size, u_int16_t type, u_int16_t flags, const struct nf_conntrack *ct);
-void __build_tuple(struct nfnlhdr *req, size_t size, const struct __nfct_tuple *t, const int type);
-int __parse_message_type(const struct nlmsghdr *nlh);
-void __parse_conntrack(const struct nlmsghdr *nlh, const struct nfattr *cda[], struct nf_conntrack *ct);
-void __parse_tuple(const struct nfattr *attr, struct __nfct_tuple *tuple, int dir, u_int32_t *set);
-int __snprintf_conntrack(char *buf, unsigned int len, const struct nf_conntrack *ct, unsigned int type, unsigned int msg_output, unsigned int flags);
-int __snprintf_address(char *buf, unsigned int len, const struct __nfct_tuple *tuple);
-int __snprintf_protocol(char *buf, unsigned int len, const struct nf_conntrack *ct);
-int __snprintf_proto(char *buf, unsigned int len, const struct __nfct_tuple *tuple);
-int __snprintf_conntrack_default(char *buf, unsigned int len, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int flags);
-int __snprintf_conntrack_xml(char *buf, unsigned int len, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int flags);
-
-
-int __callback(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data);
-
-int __setobjopt(struct nf_conntrack *ct, unsigned int option);
-int __getobjopt(const struct nf_conntrack *ct, unsigned int option);
-int __compare(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2, unsigned int flags);
-
-int __setup_netlink_socket_filter(int fd, struct nfct_filter *filter);
-
-typedef void (*set_exp_attr)(struct nf_expect *exp, const void *value);
-typedef const void *(*get_exp_attr)(const struct nf_expect *exp);
-
-extern set_exp_attr set_exp_attr_array[];
-extern get_exp_attr get_exp_attr_array[];
-
-int __build_expect(struct nfnl_subsys_handle *ssh, struct nfnlhdr *req, size_t size, u_int16_t type, u_int16_t flags, const struct nf_expect *exp);
-int __parse_expect_message_type(const struct nlmsghdr *nlh);
-void __parse_expect(const struct nlmsghdr *nlh, const struct nfattr *cda[], struct nf_expect *exp);
-int __expect_callback(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data);
-int __snprintf_expect(char *buf, unsigned int len, const struct nf_expect *exp, unsigned int type, unsigned int msg_output, unsigned int flags);
-int __snprintf_expect_default(char *buf, unsigned int len, const struct nf_expect *exp, unsigned int msg_type, unsigned int flags);
-
-/* backward compatibility of the deprecated API */
-extern struct nfct_l3proto ipv4;
-extern struct nfct_l3proto ipv6;
-
-extern struct nfct_proto tcp;
-extern struct nfct_proto udp;
-extern struct nfct_proto sctp;
-extern struct nfct_proto icmp;
-
-#define TS_ORIG \
-({ \
- ((1 << ATTR_ORIG_IPV4_SRC) | (1 << ATTR_ORIG_IPV4_DST) | \
- (1 << ATTR_ORIG_IPV6_SRC) | (1 << ATTR_ORIG_IPV6_DST) | \
- (1 << ATTR_ORIG_PORT_SRC) | (1 << ATTR_ORIG_PORT_DST) | \
- (1 << ATTR_ORIG_L3PROTO) | (1 << ATTR_ORIG_L4PROTO) | \
- (1 << ATTR_ICMP_TYPE) | (1 << ATTR_ICMP_CODE) | \
- (1 << ATTR_ICMP_ID)); \
-})
-
-#define TS_REPL \
-({ \
- ((1 << ATTR_REPL_IPV4_SRC) | (1 << ATTR_REPL_IPV4_DST) | \
- (1 << ATTR_REPL_IPV6_SRC) | (1 << ATTR_REPL_IPV6_DST) | \
- (1 << ATTR_REPL_PORT_SRC) | (1 << ATTR_REPL_PORT_DST) | \
- (1 << ATTR_REPL_L3PROTO) | (1 << ATTR_REPL_L4PROTO) | \
- (1 << ATTR_ICMP_TYPE) | (1 << ATTR_ICMP_CODE) | \
- (1 << ATTR_ICMP_ID)); \
-})
-
-#define TUPLE_SET(dir) (dir == __DIR_ORIG ? TS_ORIG : TS_REPL)
-
-#endif
diff --git a/include/internal/Makefile.am b/include/internal/Makefile.am
new file mode 100644
index 0000000..a4fadd5
--- /dev/null
+++ b/include/internal/Makefile.am
@@ -0,0 +1,2 @@
+noinst_HEADERS = bitops.h extern.h linux_list.h prototypes.h \
+ deprecated.h internal.h object.h types.h
diff --git a/include/internal/bitops.h b/include/internal/bitops.h
new file mode 100644
index 0000000..b1bd848
--- /dev/null
+++ b/include/internal/bitops.h
@@ -0,0 +1,32 @@
+/*
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ */
+#ifndef _NFCT_BITOPS_H_
+#define _NFCT_BITOPS_H_
+
+static inline void set_bit(int nr, u_int32_t *addr)
+{
+ addr[nr >> 5] |= (1UL << (nr & 31));
+}
+
+static inline void unset_bit(int nr, u_int32_t *addr)
+{
+ addr[nr >> 5] &= ~(1UL << (nr & 31));
+}
+
+static inline void set_bit_u16(int nr, u_int16_t *addr)
+{
+ addr[nr >> 4] |= (1UL << (nr & 15));
+}
+
+static inline void unset_bit_u16(int nr, u_int16_t *addr)
+{
+ addr[nr >> 4] &= ~(1UL << (nr & 15));
+}
+
+static inline int test_bit(int nr, const u_int32_t *addr)
+{
+ return ((1UL << (nr & 31)) & (addr[nr >> 5])) != 0;
+}
+
+#endif
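Review bot: set_bit(), unset_bit(), set_bit_u16(), unset_bit_u16() and test_bit() take a signed `int nr` and index `addr[nr >> 5]` (or `addr[nr >> 4]`) with no bound, so a negative or oversized bit number reads or writes outside the caller's bitmap. The header cannot know the bitmap length, so the contract belongs in a comment such as `/* nr must be in [0, bits in addr); callers validate before calling */`, and declaring the parameter `unsigned int nr` takes the implementation-defined right shift of a negative value off the table. The u16 variants deserve the closest look: the per-protocol `map` field in object.h is a single u_int16_t, so if that is their target any nr of 16 or more would land in a neighbouring element. The call sites are outside this hunk, so this needs confirming there.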
diff --git a/include/internal/deprecated.h b/include/internal/deprecated.h
new file mode 100644
index 0000000..fe6f890
--- /dev/null
+++ b/include/internal/deprecated.h
@@ -0,0 +1,65 @@
+/*
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ */
+#ifndef _NFCT_DEPRECATED_H_
+#define _NFCT_DEPRECATED_H_
+
+typedef int (*nfct_handler)(struct nfct_handle *cth, struct nlmsghdr *nlh,
+ void *arg);
+
+/* some systems have old libc's */
+#include <netinet/in.h>
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
+
+#include "internal/linux_list.h"
+
+/* extensions */
+struct nfct_proto {
+ struct list_head head;
+
+ char *name;
+ u_int8_t protonum;
+ char *version;
+
+ void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
+ void (*parse_protoinfo)(struct nfattr **, struct nfct_conntrack *);
+ void (*build_tuple_proto)(struct nfnlhdr *, int, struct nfct_tuple *);
+ void (*build_protoinfo)(struct nfnlhdr *, int, struct nfct_conntrack *);
+ int (*print_protoinfo)(char *, union nfct_protoinfo *);
+ int (*print_proto)(char *, struct nfct_tuple *);
+ int (*compare)(struct nfct_conntrack *, struct nfct_conntrack *,
+ unsigned int);
+};
+
+extern void nfct_register_proto(struct nfct_proto *h);
+
+struct nfct_l3proto {
+ struct list_head head;
+
+ char *name;
+ u_int16_t protonum;
+ char *version;
+
+ void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
+ void (*build_tuple_proto)(struct nfnlhdr *, int, struct nfct_tuple *);
+ int (*print_proto)(char *, struct nfct_tuple *);
+ int (*compare)(struct nfct_conntrack *, struct nfct_conntrack *,
+ unsigned int);
+};
+
+extern void nfct_register_l3proto(struct nfct_l3proto *h);
+
+/* backward compatibility of the deprecated API */
+extern struct nfct_l3proto ipv4;
+extern struct nfct_l3proto ipv6;
+
+extern struct nfct_proto tcp;
+extern struct nfct_proto udp;
+extern struct nfct_proto sctp;
+extern struct nfct_proto icmp;
+
+extern void deprecated_backward_support();
+
+#endif
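Review bot: The `nfct_handler` typedef at the top of the file names `struct nfct_handle` and `struct nlmsghdr` before any include, so this header is only correct when internal.h has already pulled in the libnfnetlink and libnetfilter_conntrack headers; included first, those tags get prototype scope and the typedef no longer matches the real types. Moving the typedef below the `#include` lines and restoring the forward declaration `struct nfct_handle;` that the old internal.h carried removes the ordering dependency. extern.h, prototypes.h and types.h in this commit lean on include order in the same way. Separately, `extern void deprecated_backward_support();` is an old-style declaration without a prototype, so a call with arguments is not diagnosed; `extern void deprecated_backward_support(void);` fixes that.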
diff --git a/include/internal/extern.h b/include/internal/extern.h
new file mode 100644
index 0000000..a43cde7
--- /dev/null
+++ b/include/internal/extern.h
@@ -0,0 +1,12 @@
+#ifndef _NFCT_EXTERN_H_
+#define _NFCT_EXTERN_H_
+
+extern set_attr set_attr_array[];
+extern get_attr get_attr_array[];
+extern copy_attr copy_attr_array[];
+extern filter_attr filter_attr_array[];
+
+extern set_exp_attr set_exp_attr_array[];
+extern get_exp_attr get_exp_attr_array[];
+
+#endif
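Review bot: These function-pointer dispatch tables are declared with no size, so nothing at the point of use ties an index to the table length, and an out-of-range attribute id would fetch and call a pointer from beyond the array. The bound is presumably enforced in the public set/get entry points, which are not part of this hunk. A comment here such as `/* each table is indexed by its attribute enum; callers must range-check the index against that enum's maximum before dispatch */` would record the requirement where the tables are declared. This header also lacks the internal-use warning that bitops.h, deprecated.h and types.h carry.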
diff --git a/include/internal/internal.h b/include/internal/internal.h
new file mode 100644
index 0000000..e7fc22e
--- /dev/null
+++ b/include/internal/internal.h
@@ -0,0 +1,75 @@
+/*
+ * (C) 2006 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This software may be used and distributed according to the terms
+ * of the GNU General Public License, incorporated herein by reference.
+ *
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ * Use the set/get API in order to set/get the conntrack attributes
+ */
+
+#ifndef __LIBNETFILTER_CONNTRACK_INTERNAL__
+#define __LIBNETFILTER_CONNTRACK_INTERNAL__
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <sys/types.h>
+#include <arpa/inet.h>
+#include <time.h>
+#include <errno.h>
+#include <netinet/in.h>
+
+#include <libnfnetlink/libnfnetlink.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+#include "internal/deprecated.h"
+#include "internal/object.h"
+#include "internal/prototypes.h"
+#include "internal/types.h"
+#include "internal/extern.h"
+#include "internal/bitops.h"
+
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
+
+#ifndef IPPROTO_UDPLITE
+#define IPPROTO_UDPLITE 136
+#endif
+
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+
+#define BUFFER_SIZE(ret, size, len, offset) \
+ size += ret; \
+ if (ret > len) \
+ ret = len; \
+ offset += ret; \
+ len -= ret;
+
+#define TS_ORIG \
+({ \
+ ((1 << ATTR_ORIG_IPV4_SRC) | (1 << ATTR_ORIG_IPV4_DST) | \
+ (1 << ATTR_ORIG_IPV6_SRC) | (1 << ATTR_ORIG_IPV6_DST) | \
+ (1 << ATTR_ORIG_PORT_SRC) | (1 << ATTR_ORIG_PORT_DST) | \
+ (1 << ATTR_ORIG_L3PROTO) | (1 << ATTR_ORIG_L4PROTO) | \
+ (1 << ATTR_ICMP_TYPE) | (1 << ATTR_ICMP_CODE) | \
+ (1 << ATTR_ICMP_ID)); \
+})
+
+#define TS_REPL \
+({ \
+ ((1 << ATTR_REPL_IPV4_SRC) | (1 << ATTR_REPL_IPV4_DST) | \
+ (1 << ATTR_REPL_IPV6_SRC) | (1 << ATTR_REPL_IPV6_DST) | \
+ (1 << ATTR_REPL_PORT_SRC) | (1 << ATTR_REPL_PORT_DST) | \
+ (1 << ATTR_REPL_L3PROTO) | (1 << ATTR_REPL_L4PROTO) | \
+ (1 << ATTR_ICMP_TYPE) | (1 << ATTR_ICMP_CODE) | \
+ (1 << ATTR_ICMP_ID)); \
+})
+
+#define TUPLE_SET(dir) (dir == __DIR_ORIG ? TS_ORIG : TS_REPL)
+
+#endif
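Review bot: BUFFER_SIZE expands to four bare statements with an unbraced `if`, so when it is used as the body of an unbraced `if`/`else` or loop only `size += ret` falls under the condition, and its arguments are not parenthesized. The comparison `ret > len` also mixes signedness if `ret` is the int returned by snprintf() and `len` is the `unsigned int len` seen in prototypes.h: a negative return would be converted to a large unsigned value and clamped to `len` instead of being treated as an error. The call sites are outside this hunk, so that part is to be confirmed. Wrapping the body in `do { ... } while (0)` with parenthesized arguments, as below, fixes the first point provided every call site ends with a semicolon.

```c
#define BUFFER_SIZE(ret, size, len, offset)		\
do {							\
	(size) += (ret);				\
	if ((ret) > (len))				\
		(ret) = (len);				\
	(offset) += (ret);				\
	(len) -= (ret);					\
} while (0)
```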
diff --git a/include/linux_list.h b/include/internal/linux_list.h
index 57b56d7..7b561c3 100644
--- a/include/linux_list.h
+++ b/include/internal/linux_list.h
@@ -1,3 +1,6 @@
+/*
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ */
#ifndef _LINUX_LIST_H
#define _LINUX_LIST_H
diff --git a/include/internal/object.h b/include/internal/object.h
new file mode 100644
index 0000000..e39a576
--- /dev/null
+++ b/include/internal/object.h
@@ -0,0 +1,217 @@
+/*
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ * Use the set/get API in order to set/get the conntrack attributes
+ */
+
+#ifndef _NFCT_OBJECT_H_
+#define _NFCT_OBJECT_H_
+
+/*
+ * nfct callback handler object
+ */
+
+struct nfct_handle {
+ struct nfnl_handle *nfnlh;
+ struct nfnl_subsys_handle *nfnlssh_ct;
+ struct nfnl_subsys_handle *nfnlssh_exp;
+
+ /* deprecated old API */
+ nfct_callback callback;
+ void *callback_data;
+ nfct_handler handler;
+
+ /* callback handler for the new API */
+ struct nfnl_callback nfnl_cb;
+
+ int (*cb)(enum nf_conntrack_msg_type type,
+ struct nf_conntrack *ct,
+ void *data);
+
+ int (*expect_cb)(enum nf_conntrack_msg_type type,
+ struct nf_expect *exp,
+ void *data);
+};
+
+/* container used to pass data to nfnl callbacks */
+struct __data_container {
+ struct nfct_handle *h;
+ enum nf_conntrack_msg_type type;
+ void *data;
+};
+
+/*
+ * conntrack object
+ */
+
+union __nfct_l4_src {
+ /* Add other protocols here. */
+ u_int16_t all;
+ struct {
+ u_int16_t port;
+ } tcp;
+ struct {
+ u_int16_t port;
+ } udp;
+ struct {
+ u_int16_t id;
+ } icmp;
+ struct {
+ u_int16_t port;
+ } sctp;
+};
+
+union __nfct_l4_dst {
+ /* Add other protocols here. */
+ u_int16_t all;
+ struct {
+ u_int16_t port;
+ } tcp;
+ struct {
+ u_int16_t port;
+ } udp;
+ struct {
+ u_int8_t type, code;
+ } icmp;
+ struct {
+ u_int16_t port;
+ } sctp;
+};
+
+union __nfct_address {
+ u_int32_t v4;
+ struct in6_addr v6;
+};
+
+struct __nfct_tuple {
+ union __nfct_address src;
+ union __nfct_address dst;
+
+ u_int8_t l3protonum;
+ u_int8_t protonum;
+ union __nfct_l4_src l4src;
+ union __nfct_l4_dst l4dst;
+
+ struct {
+ u_int32_t correction_pos;
+ u_int32_t offset_before;
+ u_int32_t offset_after;
+ } natseq;
+};
+
+#define __DIR_ORIG 0
+#define __DIR_REPL 1
+#define __DIR_MASTER 2
+#define __DIR_MAX __DIR_MASTER+1
+
+union __nfct_protoinfo {
+ struct {
+ u_int8_t state;
+ struct {
+ u_int8_t value;
+ u_int8_t mask;
+ } flags[__DIR_MAX];
+ } tcp;
+ struct {
+ u_int8_t state;
+ u_int32_t vtag[__DIR_MAX];
+ } sctp;
+
+};
+
+struct __nfct_counters {
+ u_int64_t packets;
+ u_int64_t bytes;
+};
+
+struct __nfct_nat {
+ u_int32_t min_ip, max_ip;
+ union __nfct_l4_src l4min, l4max;
+};
+
+struct nf_conntrack {
+ struct __nfct_tuple tuple[__DIR_MAX];
+
+ u_int32_t timeout;
+ u_int32_t mark;
+ u_int32_t secmark;
+ u_int32_t status;
+ u_int32_t use;
+ u_int32_t id;
+
+ union __nfct_protoinfo protoinfo;
+ struct __nfct_counters counters[__DIR_MAX];
+ struct __nfct_nat snat;
+ struct __nfct_nat dnat;
+
+ u_int32_t set[2];
+};
+
+/*
+ * conntrack filter object
+ */
+
+struct nfct_filter {
+ /*
+ * As many other objects in this library, the attributes are
+ * private. This gives us the chance to modify the layout and
+ * object size.
+ *
+ * Another observation, although this object might seem too
+ * memory consuming, it is only needed to build the filter. Thus,
+ * once it is attached, you can release this object.
+ */
+
+ /*
+ * filter logic: use positive or negative logic
+ */
+ enum nfct_filter_logic logic[NFCT_FILTER_MAX];
+
+ /*
+ * This the layer 4 protocol map for filtering.
+ */
+ u_int32_t l4proto_map[IPPROTO_MAX/32];
+
+ struct {
+ /*
+ * No limitations in the protocol filtering. We use a map of
+ * 16 bits per protocol. As for now, DCCP has 10 states, TCP has
+ * 10 states, SCTP has 8 state. Therefore, 16 bits is enough.
+ */
+#define __FILTER_PROTO_MAX 16
+ u_int16_t map;
+ } l4proto_state[IPPROTO_MAX];
+
+#define __FILTER_ADDR_SRC 0
+#define __FILTER_ADDR_DST 1
+
+ /*
+ * FIXME: For IPv4 filtering, up to 256 IPs or masks by now.
+ * This limitation is related to the existing autogenerated BSF code
+ * and the fact that the maximum jump offset if 2^8 = 256.
+ */
+ u_int32_t l3proto_elems[2];
+ struct {
+#define __FILTER_ADDR_MAX 256
+ u_int32_t addr;
+ u_int32_t mask;
+ } l3proto[2][__FILTER_ADDR_MAX];
+
+ u_int32_t set[1];
+};
+
+/*
+ * expectation object
+ */
+
+struct nf_expect {
+ struct nf_conntrack master;
+ struct nf_conntrack expected;
+ struct nf_conntrack mask;
+ u_int32_t timeout;
+ u_int32_t id;
+ u_int16_t expectfn_queue_id;
+
+ u_int32_t set[1];
+};
+
+#endif
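Review bot: `#define __DIR_MAX __DIR_MASTER+1` is unparenthesized, so a use inside an expression such as `n * __DIR_MAX` expands with the wrong precedence; it is harmless here only because every use in this file is an array dimension. `#define __DIR_MAX (__DIR_MASTER + 1)` is the safe form. In struct nfct_filter, `l3proto_elems[2]` appears to count the entries used in `l3proto[2][__FILTER_ADDR_MAX]`, but the invariant that the count never exceeds __FILTER_ADDR_MAX is not stated anywhere in the struct. The code that appends entries is outside this hunk, so a comment like `/* l3proto_elems[i] <= __FILTER_ADDR_MAX, checked before each append */` would make the required check explicit.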
diff --git a/include/internal/prototypes.h b/include/internal/prototypes.h
new file mode 100644
index 0000000..bab9082
--- /dev/null
+++ b/include/internal/prototypes.h
@@ -0,0 +1,37 @@
+#ifndef _NFCT_PROTOTYPES_H_
+#define _NFCT_PROTOTYPES_H_
+
+/*
+ * conntrack internal prototypes
+ */
+int __build_conntrack(struct nfnl_subsys_handle *ssh, struct nfnlhdr *req, size_t size, u_int16_t type, u_int16_t flags, const struct nf_conntrack *ct);
+void __build_tuple(struct nfnlhdr *req, size_t size, const struct __nfct_tuple *t, const int type);
+int __parse_message_type(const struct nlmsghdr *nlh);
+void __parse_conntrack(const struct nlmsghdr *nlh, const struct nfattr *cda[], struct nf_conntrack *ct);
+void __parse_tuple(const struct nfattr *attr, struct __nfct_tuple *tuple, int dir, u_int32_t *set);
+int __snprintf_conntrack(char *buf, unsigned int len, const struct nf_conntrack *ct, unsigned int type, unsigned int msg_output, unsigned int flags);
+int __snprintf_address(char *buf, unsigned int len, const struct __nfct_tuple *tuple);
+int __snprintf_protocol(char *buf, unsigned int len, const struct nf_conntrack *ct);
+int __snprintf_proto(char *buf, unsigned int len, const struct __nfct_tuple *tuple);
+int __snprintf_conntrack_default(char *buf, unsigned int len, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int flags);
+int __snprintf_conntrack_xml(char *buf, unsigned int len, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int flags);
+
+int __callback(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data);
+
+int __setobjopt(struct nf_conntrack *ct, unsigned int option);
+int __getobjopt(const struct nf_conntrack *ct, unsigned int option);
+int __compare(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2, unsigned int flags);
+
+int __setup_netlink_socket_filter(int fd, struct nfct_filter *filter);
+
+/*
+ * expectation internal prototypes
+ */
+int __build_expect(struct nfnl_subsys_handle *ssh, struct nfnlhdr *req, size_t size, u_int16_t type, u_int16_t flags, const struct nf_expect *exp);
+int __parse_expect_message_type(const struct nlmsghdr *nlh);
+void __parse_expect(const struct nlmsghdr *nlh, const struct nfattr *cda[], struct nf_expect *exp);
+int __expect_callback(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data);
+int __snprintf_expect(char *buf, unsigned int len, const struct nf_expect *exp, unsigned int type, unsigned int msg_output, unsigned int flags);
+int __snprintf_expect_default(char *buf, unsigned int len, const struct nf_expect *exp, unsigned int msg_type, unsigned int flags);
+
+#endif
diff --git a/include/internal/types.h b/include/internal/types.h
new file mode 100644
index 0000000..a13722c
--- /dev/null
+++ b/include/internal/types.h
@@ -0,0 +1,21 @@
+/*
+ * WARNING: Do *NOT* ever include this file, only for internal use!
+ */
+#ifndef _NFCT_TYPES_H_
+#define _NFCT_TYPES_H_
+
+/*
+ * conntrack types
+ */
+typedef void (*set_attr)(struct nf_conntrack *ct, const void *value);
+typedef const void *(*get_attr)(const struct nf_conntrack *ct);
+typedef void (*copy_attr)(struct nf_conntrack *d, const struct nf_conntrack *o);
+typedef void (*filter_attr)(struct nfct_filter *filter, const void *value);
+
+/*
+ * expectation types
+ */
+typedef void (*set_exp_attr)(struct nf_expect *exp, const void *value);
+typedef const void *(*get_exp_attr)(const struct nf_expect *exp);
+
+#endif
diff --git a/include/libnetfilter_conntrack/Makefile.am b/include/libnetfilter_conntrack/Makefile.am
index 9e4a2d1..c5f762f 100644
--- a/include/libnetfilter_conntrack/Makefile.am
+++ b/include/libnetfilter_conntrack/Makefile.am
@@ -1,5 +1,2 @@
pkginclude_HEADERS = libnetfilter_conntrack.h linux_nfnetlink_conntrack.h libnetfilter_conntrack_tcp.h libnetfilter_conntrack_udp.h libnetfilter_conntrack_icmp.h libnetfilter_conntrack_sctp.h libnetfilter_conntrack_ipv4.h libnetfilter_conntrack_ipv6.h
-
-noinst_HEADERS = libnetfilter_conntrack_extensions.h \
- libnetfilter_conntrack_l3extensions.h
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
deleted file mode 100644
index db7828d..0000000
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
- *
- * This software may be used and distributed according to the terms
- * of the GNU General Public License, incorporated herein by reference.
- */
-
-#ifndef _LIBNETFILTER_CONNTRACK_EXTENSIONS_H_
-#define _LIBNETFILTER_CONNTRACK_EXTENSIONS_H_
-
-/* some systems have old libc's */
-#include <netinet/in.h>
-#ifndef IPPROTO_SCTP
-#define IPPROTO_SCTP 132
-#endif
-
-#include "linux_list.h"
-
-struct nfct_proto {
- struct list_head head;
-
- char *name;
- u_int8_t protonum;
- char *version;
-
- void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
- void (*parse_protoinfo)(struct nfattr **, struct nfct_conntrack *);
- void (*build_tuple_proto)(struct nfnlhdr *, int, struct nfct_tuple *);
- void (*build_protoinfo)(struct nfnlhdr *, int, struct nfct_conntrack *);
- int (*print_protoinfo)(char *, union nfct_protoinfo *);
- int (*print_proto)(char *, struct nfct_tuple *);
- int (*compare)(struct nfct_conntrack *, struct nfct_conntrack *,
- unsigned int);
-};
-
-extern void nfct_register_proto(struct nfct_proto *h);
-
-#endif
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h
deleted file mode 100644
index 86e002a..0000000
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
- *
- * This software may be used and distributed according to the terms
- * of the GNU General Public License, incorporated herein by reference.
- */
-
-#ifndef _LIBNETFILTER_CONNTRACK_L3EXTENSIONS_H_
-#define _LIBNETFILTER_CONNTRACK_L3EXTENSIONS_H_
-
-#include "linux_list.h"
-
-struct nfct_l3proto {
- struct list_head head;
-
- char *name;
- u_int16_t protonum;
- char *version;
-
- void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
- void (*build_tuple_proto)(struct nfnlhdr *, int, struct nfct_tuple *);
- int (*print_proto)(char *, struct nfct_tuple *);
- int (*compare)(struct nfct_conntrack *, struct nfct_conntrack *,
- unsigned int);
-};
-
-extern void nfct_register_l3proto(struct nfct_l3proto *h);
-
-#endif
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index fcd3fb4..ff8b11f 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -10,7 +10,7 @@
#include <errno.h>
#include <assert.h>
-#include "internal.h"
+#include "internal/internal.h"
/**
* nfct_conntrack_new - allocate a new conntrack
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index cd9e883..0d20949 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
#include <linux/filter.h>
#ifndef SKF_AD_NLATTR
diff --git a/src/conntrack/build.c b/src/conntrack/build.c
index f11af42..1bc87f9 100644
--- a/src/conntrack/build.c
+++ b/src/conntrack/build.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
void __build_tuple_ip(struct nfnlhdr *req,
size_t size,
diff --git a/src/conntrack/callback.c b/src/conntrack/callback.c
index 582dfc4..7faf13a 100644
--- a/src/conntrack/callback.c
+++ b/src/conntrack/callback.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
int __callback(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data)
{
diff --git a/src/conntrack/compare.c b/src/conntrack/compare.c
index b57414b..3dd9e5b 100644
--- a/src/conntrack/compare.c
+++ b/src/conntrack/compare.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
static int cmp_orig(const struct nf_conntrack *ct1,
const struct nf_conntrack *ct2)
diff --git a/src/conntrack/copy.c b/src/conntrack/copy.c
index 562f801..92866fb 100644
--- a/src/conntrack/copy.c
+++ b/src/conntrack/copy.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
static void copy_attr_orig_ipv4_src(struct nf_conntrack *dest,
const struct nf_conntrack *orig)
diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 5ea7d5e..952cbba 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -1,4 +1,11 @@
-#include "internal.h"
+/*
+ * (C) 2008 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This software may be used and distributed according to the terms
+ * of the GNU General Public License, incorporated herein by reference.
+ */
+
+#include "internal/internal.h"
static void filter_attr_l4proto(struct nfct_filter *filter, const void *value)
{
diff --git a/src/conntrack/getter.c b/src/conntrack/getter.c
index 8591f88..20a2a35 100644
--- a/src/conntrack/getter.c
+++ b/src/conntrack/getter.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
static const void *get_attr_orig_ipv4_src(const struct nf_conntrack *ct)
{
diff --git a/src/conntrack/objopt.c b/src/conntrack/objopt.c
index f5692f4..709bd2f 100644
--- a/src/conntrack/objopt.c
+++ b/src/conntrack/objopt.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
static void __autocomplete(struct nf_conntrack *ct, int dir)
{
diff --git a/src/conntrack/parse.c b/src/conntrack/parse.c
index 7b6c0c5..11cf5ff 100644
--- a/src/conntrack/parse.c
+++ b/src/conntrack/parse.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
static void __parse_ip(const struct nfattr *attr,
struct __nfct_tuple *tuple,
diff --git a/src/conntrack/setter.c b/src/conntrack/setter.c
index 6ceab46..6759652 100644
--- a/src/conntrack/setter.c
+++ b/src/conntrack/setter.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
#include <linux/icmp.h>
#include <linux/icmpv6.h>
diff --git a/src/conntrack/snprintf.c b/src/conntrack/snprintf.c
index bcaf2db..cc68293 100644
--- a/src/conntrack/snprintf.c
+++ b/src/conntrack/snprintf.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
int __snprintf_conntrack(char *buf,
unsigned int len,
diff --git a/src/conntrack/snprintf_default.c b/src/conntrack/snprintf_default.c
index e89f2f5..7cf28f8 100644
--- a/src/conntrack/snprintf_default.c
+++ b/src/conntrack/snprintf_default.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
static char *proto2str[IPPROTO_MAX] = {
[IPPROTO_TCP] = "tcp",
diff --git a/src/conntrack/snprintf_xml.c b/src/conntrack/snprintf_xml.c
index bb9bdef..9cd49cf 100644
--- a/src/conntrack/snprintf_xml.c
+++ b/src/conntrack/snprintf_xml.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
/*
* XML output sample:
diff --git a/src/deprecated.c b/src/deprecated.c
index 63a5699..84de04b 100644
--- a/src/deprecated.c
+++ b/src/deprecated.c
@@ -17,17 +17,14 @@
#include <errno.h>
#include <string.h>
#include <arpa/inet.h>
-#include "linux_list.h"
#include <libnfnetlink/libnfnetlink.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
-#include "internal.h"
+#include "internal/linux_list.h"
+#include "internal/internal.h"
#define NFCT_BUFSIZE 4096
-static char *lib_dir = LIBNETFILTER_CONNTRACK_DIR;
static LIST_HEAD(proto_list);
static LIST_HEAD(l3proto_list);
static char *proto2str[IPPROTO_MAX] = {
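Review bot: src/deprecated.c now reaches the deprecated extension declarations only indirectly, whereas the six files under src/deprecated/ changed in this same commit each add an explicit `#include "internal/deprecated.h"`. This hunk drops both `<libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>` and `<libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h>` and adds only `"internal/linux_list.h"` and `"internal/internal.h"`, so the types behind `proto_list` and `l3proto_list` presumably arrive through `internal/internal.h`, which is not visible here. For consistency with the extension files, and so this file keeps building if that umbrella header is later trimmed, I would add `#include "internal/deprecated.h"` directly after the `"internal/internal.h"` line. The `proto2str` initializer that closes the hunk continues outside it.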
diff --git a/src/deprecated/extensions/libnetfilter_conntrack_icmp.c b/src/deprecated/extensions/libnetfilter_conntrack_icmp.c
index ae8470a..d15d7a1 100644
--- a/src/deprecated/extensions/libnetfilter_conntrack_icmp.c
+++ b/src/deprecated/extensions/libnetfilter_conntrack_icmp.c
@@ -14,9 +14,10 @@
#include <netinet/in.h> /* For htons */
#include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack_icmp.h>
+#include "internal/deprecated.h"
+
static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
{
if (cda[CTA_PROTO_ICMP_TYPE-1])
diff --git a/src/deprecated/extensions/libnetfilter_conntrack_sctp.c b/src/deprecated/extensions/libnetfilter_conntrack_sctp.c
index 6225ca1..1fa63a5 100644
--- a/src/deprecated/extensions/libnetfilter_conntrack_sctp.c
+++ b/src/deprecated/extensions/libnetfilter_conntrack_sctp.c
@@ -14,9 +14,10 @@
#include <netinet/in.h> /* For htons */
#include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack_sctp.h>
+#include "internal/deprecated.h"
+
static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
{
if (cda[CTA_PROTO_SRC_PORT-1])
diff --git a/src/deprecated/extensions/libnetfilter_conntrack_tcp.c b/src/deprecated/extensions/libnetfilter_conntrack_tcp.c
index a7ce2ce..60447fe 100644
--- a/src/deprecated/extensions/libnetfilter_conntrack_tcp.c
+++ b/src/deprecated/extensions/libnetfilter_conntrack_tcp.c
@@ -14,9 +14,10 @@
#include <netinet/in.h> /* For htons */
#include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
+#include "internal/deprecated.h"
+
static const char *states[] = {
"NONE",
"SYN_SENT",
diff --git a/src/deprecated/extensions/libnetfilter_conntrack_udp.c b/src/deprecated/extensions/libnetfilter_conntrack_udp.c
index b20ba04..522c0ae 100644
--- a/src/deprecated/extensions/libnetfilter_conntrack_udp.c
+++ b/src/deprecated/extensions/libnetfilter_conntrack_udp.c
@@ -14,9 +14,10 @@
#include <netinet/in.h> /* For htons */
#include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack_udp.h>
+#include "internal/deprecated.h"
+
static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
{
if (cda[CTA_PROTO_SRC_PORT-1])
diff --git a/src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c b/src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c
index 8e8c681..fb84a6f 100644
--- a/src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c
+++ b/src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c
@@ -11,9 +11,10 @@
#include <netinet/in.h> /* For htons */
#include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack_ipv4.h>
+#include "internal/deprecated.h"
+
static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
{
if (cda[CTA_IP_V4_SRC-1])
diff --git a/src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c b/src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c
index 1b6b909..dc13395 100644
--- a/src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c
+++ b/src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c
@@ -14,9 +14,10 @@
#include <arpa/inet.h>
#include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack_ipv6.h>
+#include "internal/deprecated.h"
+
#ifndef HAVE_INET_NTOP_IPV6
#warning "inet_ntop does not support IPv6"
#endif
diff --git a/src/expect/api.c b/src/expect/api.c
index ab804ca..bbf6e30 100644
--- a/src/expect/api.c
+++ b/src/expect/api.c
@@ -10,7 +10,7 @@
#include <errno.h>
#include <assert.h>
-#include "internal.h"
+#include "internal/internal.h"
/**
* nfexp_new - allocate a new expectation
diff --git a/src/expect/build.c b/src/expect/build.c
index dfc5edf..2f9cb84 100644
--- a/src/expect/build.c
+++ b/src/expect/build.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
static void __build_timeout(struct nfnlhdr *req,
size_t size,
diff --git a/src/expect/callback.c b/src/expect/callback.c
index df4ffe7..6a45b0e 100644
--- a/src/expect/callback.c
+++ b/src/expect/callback.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
int __expect_callback(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data)
{
diff --git a/src/expect/getter.c b/src/expect/getter.c
index 2cbebe6..2a622af 100644
--- a/src/expect/getter.c
+++ b/src/expect/getter.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
static const void *get_exp_attr_master(const struct nf_expect *exp)
{
diff --git a/src/expect/parse.c b/src/expect/parse.c
index 5fe0bce..e14890d 100644
--- a/src/expect/parse.c
+++ b/src/expect/parse.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
int __parse_expect_message_type(const struct nlmsghdr *nlh)
{
diff --git a/src/expect/setter.c b/src/expect/setter.c
index ae80ca8..c962bb5 100644
--- a/src/expect/setter.c
+++ b/src/expect/setter.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
static void set_exp_attr_master(struct nf_expect *exp, const void *value)
{
diff --git a/src/expect/snprintf.c b/src/expect/snprintf.c
index 64a6589..9eccfa4 100644
--- a/src/expect/snprintf.c
+++ b/src/expect/snprintf.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
int __snprintf_expect(char *buf,
unsigned int len,
diff --git a/src/expect/snprintf_default.c b/src/expect/snprintf_default.c
index 1014ef0..fec1586 100644
--- a/src/expect/snprintf_default.c
+++ b/src/expect/snprintf_default.c
@@ -5,7 +5,7 @@
* of the GNU General Public License, incorporated herein by reference.
*/
-#include "internal.h"
+#include "internal/internal.h"
static int __snprintf_expect_proto(char *buf,
unsigned int len,
diff --git a/src/main.c b/src/main.c
index 21bcafb..41e4f26 100644
--- a/src/main.c
+++ b/src/main.c
@@ -10,7 +10,7 @@
#include <libnfnetlink/libnfnetlink.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include "internal.h"
+#include "internal/internal.h"
struct nfct_handle *nfct_open_nfnl(struct nfnl_handle *nfnlh,
u_int8_t subsys_id,