-rw-r--r--extensions/libnetfilter_conntrack_icmp.c1
-rw-r--r--extensions/libnetfilter_conntrack_sctp.c1
-rw-r--r--extensions/libnetfilter_conntrack_tcp.c1
-rw-r--r--extensions/libnetfilter_conntrack_udp.c1
-rw-r--r--include/libnetfilter_conntrack/libnetfilter_conntrack.h78
-rw-r--r--include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h28
-rw-r--r--src/libnetfilter_conntrack.c8
7 files changed, 93 insertions, 25 deletions
diff --git a/extensions/libnetfilter_conntrack_icmp.c b/extensions/libnetfilter_conntrack_icmp.c
index 8f1ccb1..747fedf 100644
--- a/extensions/libnetfilter_conntrack_icmp.c
+++ b/extensions/libnetfilter_conntrack_icmp.c
@@ -14,6 +14,7 @@
#include <netinet/in.h> /* For htons */
#include <linux/netfilter/nfnetlink_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
{
diff --git a/extensions/libnetfilter_conntrack_sctp.c b/extensions/libnetfilter_conntrack_sctp.c
index 5b7f9e0..f533287 100644
--- a/extensions/libnetfilter_conntrack_sctp.c
+++ b/extensions/libnetfilter_conntrack_sctp.c
@@ -14,6 +14,7 @@
#include <netinet/in.h> /* For htons */
#include <linux/netfilter/nfnetlink_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
{
diff --git a/extensions/libnetfilter_conntrack_tcp.c b/extensions/libnetfilter_conntrack_tcp.c
index fe0e632..ecb988f 100644
--- a/extensions/libnetfilter_conntrack_tcp.c
+++ b/extensions/libnetfilter_conntrack_tcp.c
@@ -14,6 +14,7 @@
#include <netinet/in.h> /* For htons */
#include <linux/netfilter/nfnetlink_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
static const char *states[] = {
"NONE",
diff --git a/extensions/libnetfilter_conntrack_udp.c b/extensions/libnetfilter_conntrack_udp.c
index 940bf67..44fd85c 100644
--- a/extensions/libnetfilter_conntrack_udp.c
+++ b/extensions/libnetfilter_conntrack_udp.c
@@ -14,6 +14,7 @@
#include <netinet/in.h> /* For htons */
#include <linux/netfilter/nfnetlink_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
{
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 55391bb..6d28b97 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -9,13 +9,9 @@
#define _LIBNETFILTER_CONNTRACK_H_
#include <netinet/in.h>
-#include <asm/types.h>
-#include <linux/if.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
#include <libnfnetlink/libnfnetlink.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include "linux_list.h"
#define LIBNETFILTER_CONNTRACK_VERSION "0.2.0"
@@ -57,7 +53,7 @@ union nfct_l4 {
struct nfct_tuple {
union {
u_int32_t v4;
- u_int64_t v6;
+ u_int32_t v6[4];
} src;
union {
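Review bot: Replacing `u_int64_t v6` with `u_int32_t v6[4]` widens the `src` union inside the public `struct nfct_tuple` from 8 to 16 bytes (and presumably the `dst` union that this hunk cuts off), so any consumer compiled against the previous header now disagrees with the library on the struct's size and field offsets. The version macro shown as context in the preceding hunk, `LIBNETFILTER_CONNTRACK_VERSION "0.2.0"`, is left untouched; a layout change to an exported struct should go together with a version bump and a one-line note at the struct. Code that copied the address with a fixed 8-byte length (the parse routines are not in this diff) would also need to move to `sizeof tuple->src.v6`. The struct definition continues past the end of the hunk.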
@@ -112,18 +108,6 @@ struct nfct_expect {
unsigned int id;
};
-struct nfct_proto {
- struct list_head head;
-
- char *name;
- u_int8_t protonum;
- char *version;
-
- void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
- void (*parse_protoinfo)(struct nfattr **, struct nfct_conntrack *);
- int (*print_protoinfo)(char *, union nfct_protoinfo *);
- int (*print_proto)(char *, struct nfct_tuple *);
-};
enum {
NFCT_STATUS_BIT = 0,
@@ -151,6 +135,58 @@ enum {
NFCT_ID = (1 << NFCT_ID_BIT)
};
+/* Bitset representing status of connection. Taken from ip_conntrack.h
+ *
+ * Note: For backward compatibility this shouldn't ever change
+ * in kernel space.
+ */
+enum ip_conntrack_status {
+ /* It's an expected connection: bit 0 set. This bit never changed */
+ IPS_EXPECTED_BIT = 0,
+ IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+
+ /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
+ IPS_SEEN_REPLY_BIT = 1,
+ IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+
+ /* Conntrack should never be early-expired. */
+ IPS_ASSURED_BIT = 2,
+ IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+
+ /* Connection is confirmed: originating packet has left box */
+ IPS_CONFIRMED_BIT = 3,
+ IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+
+ /* Connection needs src nat in orig dir. This bit never changed. */
+ IPS_SRC_NAT_BIT = 4,
+ IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+
+ /* Connection needs dst nat in orig dir. This bit never changed. */
+ IPS_DST_NAT_BIT = 5,
+ IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+
+ /* Both together. */
+ IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+
+ /* Connection needs TCP sequence adjusted. */
+ IPS_SEQ_ADJUST_BIT = 6,
+ IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+
+ /* NAT initialization bits. */
+ IPS_SRC_NAT_DONE_BIT = 7,
+ IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+
+ IPS_DST_NAT_DONE_BIT = 8,
+ IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+
+ /* Both together */
+ IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+
+ /* Connection is dying (removed from lists), can not be unset. */
+ IPS_DYING_BIT = 9,
+ IPS_DYING = (1 << IPS_DYING_BIT),
+};
+
enum {
NFCT_MSG_UNKNOWN,
NFCT_MSG_NEW,
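Review bot: The new `enum ip_conntrack_status` reuses the tag and every `IPS_*` enumerator name from the kernel's `<linux/netfilter_ipv4/ip_conntrack.h>`, which the first hunk of this file stops including from the public header; a program that still includes both headers (as existing users built against the previous version may) now gets a redefinition error for the tag and each enumerator. Either wrap the copy so it is skipped when the kernel header's own include guard is already defined (whatever macro that header actually uses needs checking), or give the library its own `NFCT_`-prefixed names and keep the kernel values only as initialisers. Since the comment states these values mirror kernel ABI and must never change, a `/* keep in sync with linux/netfilter_ipv4/ip_conntrack.h */` line on the enum would also help later maintainers. The trailing comma after `IPS_DYING` is C99-only; drop it if the project still builds with `-std=c89`.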
@@ -163,14 +199,6 @@ typedef int (*nfct_callback)(void *arg, unsigned int flags, int);
typedef int (*nfct_handler)(struct nfct_handle *cth, struct nlmsghdr *nlh,
void *arg);
-struct nfct_handle {
- struct nfnl_handle nfnlh;
- nfct_callback callback; /* user callback */
- nfct_handler handler; /* netlink handler */
-};
-
-extern void nfct_register_proto(struct nfct_proto *h);
-
/*
* [Allocate|free] a conntrack
*/
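Review bot: With the definition of `struct nfct_handle` removed from the header, the `nfct_handler` typedef at the top of the hunk names `struct nfct_handle` inside a parameter list; unless a forward declaration precedes it earlier in the header (not visible here), that declares a tag with prototype scope, which compilers warn about and which is a different, incompatible type from the one the library defines in `src/libnetfilter_conntrack.c`. Add `struct nfct_handle;` before the typedefs so the opaque handle has file scope. Making the handle opaque also removes callers' ability to declare one by value or read `nfnlh`; the header should say that handles are only obtained from and released by the library's own routines (not shown in this diff).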
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
new file mode 100644
index 0000000..4900541
--- /dev/null
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
@@ -0,0 +1,28 @@
+/*
+ * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
+ *
+ * This software may be used and distributed according to the terms
+ * of the GNU General Public License, incorporated herein by reference.
+ */
+
+#ifndef _LIBNETFILTER_CONNTRACK_EXTENSIONS_H_
+#define _LIBNETFILTER_CONNTRACK_EXTENSIONS_H_
+
+#include "linux_list.h"
+
+struct nfct_proto {
+ struct list_head head;
+
+ char *name;
+ u_int8_t protonum;
+ char *version;
+
+ void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
+ void (*parse_protoinfo)(struct nfattr **, struct nfct_conntrack *);
+ int (*print_protoinfo)(char *, union nfct_protoinfo *);
+ int (*print_proto)(char *, struct nfct_tuple *);
+};
+
+extern void nfct_register_proto(struct nfct_proto *h);
+
+#endif
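Review bot: The new header is not self-contained: `struct nfct_proto` uses `u_int8_t`, `struct nfattr`, `struct nfct_tuple`, `struct nfct_conntrack` and `union nfct_protoinfo`, but only `linux_list.h` is included, so it compiles only when the including file has already pulled in `libnetfilter_conntrack.h` (which the four extension sources in this commit do, in that order). Add `#include <libnetfilter_conntrack/libnetfilter_conntrack.h>` next to the existing include so the dependency is explicit rather than order-dependent. The quoted `#include "linux_list.h"` also means that file has to be installed beside this header for any out-of-tree plugin to build, which is worth a comment or a move to an angle-bracket path. `name` and `version` presumably point at string literals in each extension and could be `const char *`.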
diff --git a/src/libnetfilter_conntrack.c b/src/libnetfilter_conntrack.c
index 32a3827..6204df9 100644
--- a/src/libnetfilter_conntrack.c
+++ b/src/libnetfilter_conntrack.c
@@ -17,6 +17,7 @@
#include "linux_list.h"
#include <libnfnetlink/libnfnetlink.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_extensions.h>
#define NFCT_BUFSIZE 4096
@@ -26,6 +27,13 @@
((unsigned char *)&addr)[2], \
((unsigned char *)&addr)[3]
+/* Harald says: "better for encapsulation" ;) */
+struct nfct_handle {
+ struct nfnl_handle nfnlh;
+ nfct_callback callback; /* user callback */
+ nfct_handler handler; /* netlink handler */
+};
+
static char *lib_dir = LIBNETFILTER_CONNTRACK_DIR;
static LIST_HEAD(proto_list);
static char *proto2str[IPPROTO_MAX] = {
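Review bot: The comment introducing the now-private `struct nfct_handle` records who suggested the move rather than the contract it creates; a comment such as `/* Opaque to library users: the layout is not part of the public ABI and may change. */` would tell a reader why the definition lives here instead of in the header. The code in this file that allocates, fills and frees the handle is outside the hunk, so whether every external use of the old public fields has been removed cannot be checked from here.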