From 62b2c282232df3407b966198a3cbd1292edb4913 Mon Sep 17 00:00:00 2001 From: "/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org" Date: Sat, 29 Oct 2005 12:49:38 +0000 Subject: Thanks to Harald for all the comments. o libnetfilter_conntrack.h splitted into two parts: what is visible to application programs and what is visible to extensions. o Killed includes asm/types.h and linux/if.h o Fixed nasty wrong ipv6 definition o Stolen the status bits from ip_conntrack.h, we don't include ip_conntrack.h anymore. o move nfct_handle to libnetfilter_conntrack.c: better for encapsulation --- extensions/libnetfilter_conntrack_icmp.c | 1 + extensions/libnetfilter_conntrack_sctp.c | 1 + extensions/libnetfilter_conntrack_tcp.c | 1 + extensions/libnetfilter_conntrack_udp.c | 1 + .../libnetfilter_conntrack.h | 78 +++++++++++++++------- .../libnetfilter_conntrack_extensions.h | 28 ++++++++ src/libnetfilter_conntrack.c | 8 +++ 7 files changed, 93 insertions(+), 25 deletions(-) create mode 100644 include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h diff --git a/extensions/libnetfilter_conntrack_icmp.c b/extensions/libnetfilter_conntrack_icmp.c index 8f1ccb1..747fedf 100644 --- a/extensions/libnetfilter_conntrack_icmp.c +++ b/extensions/libnetfilter_conntrack_icmp.c @@ -14,6 +14,7 @@ #include /* For htons */ #include #include +#include void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) { diff --git a/extensions/libnetfilter_conntrack_sctp.c b/extensions/libnetfilter_conntrack_sctp.c index 5b7f9e0..f533287 100644 --- a/extensions/libnetfilter_conntrack_sctp.c +++ b/extensions/libnetfilter_conntrack_sctp.c @@ -14,6 +14,7 @@ #include /* For htons */ #include #include +#include void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) { diff --git a/extensions/libnetfilter_conntrack_tcp.c b/extensions/libnetfilter_conntrack_tcp.c index fe0e632..ecb988f 100644 --- a/extensions/libnetfilter_conntrack_tcp.c 
+++ b/extensions/libnetfilter_conntrack_tcp.c @@ -14,6 +14,7 @@ #include /* For htons */ #include #include +#include static const char *states[] = { "NONE", diff --git a/extensions/libnetfilter_conntrack_udp.c b/extensions/libnetfilter_conntrack_udp.c index 940bf67..44fd85c 100644 --- a/extensions/libnetfilter_conntrack_udp.c +++ b/extensions/libnetfilter_conntrack_udp.c @@ -14,6 +14,7 @@ #include /* For htons */ #include #include +#include void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) { diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h index 55391bb..6d28b97 100644 --- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h +++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h @@ -9,13 +9,9 @@ #define _LIBNETFILTER_CONNTRACK_H_ #include -#include -#include #include #include #include -#include -#include "linux_list.h" #define LIBNETFILTER_CONNTRACK_VERSION "0.2.0" @@ -57,7 +53,7 @@ union nfct_l4 { struct nfct_tuple { union { u_int32_t v4; - u_int64_t v6; + u_int32_t v6[4]; } src; union { @@ -112,18 +108,6 @@ struct nfct_expect { unsigned int id; }; -struct nfct_proto { - struct list_head head; - - char *name; - u_int8_t protonum; - char *version; - - void (*parse_proto)(struct nfattr **, struct nfct_tuple *); - void (*parse_protoinfo)(struct nfattr **, struct nfct_conntrack *); - int (*print_protoinfo)(char *, union nfct_protoinfo *); - int (*print_proto)(char *, struct nfct_tuple *); -}; enum { NFCT_STATUS_BIT = 0, 
@@ -151,6 +135,58 @@ enum {
 	NFCT_ID = (1 << NFCT_ID_BIT)
 };
 
+/* Bitset representing status of connection. Taken from ip_conntrack.h
+ *
+ * Note: For backward compatibility this shouldn't ever change
+ * in kernel space.
+ */
+enum ip_conntrack_status {
+	/* It's an expected connection: bit 0 set. This bit never changed */
+	IPS_EXPECTED_BIT = 0,
+	IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+
+	/* We've seen packets both ways: bit 1 set. Can be set, not unset. */
+	IPS_SEEN_REPLY_BIT = 1,
+	IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+
+	/* Conntrack should never be early-expired. */
+	IPS_ASSURED_BIT = 2,
+	IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+
+	/* Connection is confirmed: originating packet has left box */
+	IPS_CONFIRMED_BIT = 3,
+	IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+
+	/* Connection needs src nat in orig dir. This bit never changed. */
+	IPS_SRC_NAT_BIT = 4,
+	IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+
+	/* Connection needs dst nat in orig dir. This bit never changed. */
+	IPS_DST_NAT_BIT = 5,
+	IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+
+	/* Both together. */
+	IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+
+	/* Connection needs TCP sequence adjusted. */
+	IPS_SEQ_ADJUST_BIT = 6,
+	IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+
+	/* NAT initialization bits. */
+	IPS_SRC_NAT_DONE_BIT = 7,
+	IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+
+	IPS_DST_NAT_DONE_BIT = 8,
+	IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+
+	/* Both together */
+	IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+
+	/* Connection is dying (removed from lists), can not be unset. */
+	IPS_DYING_BIT = 9,
+	IPS_DYING = (1 << IPS_DYING_BIT),
+};
+
 enum {
 	NFCT_MSG_UNKNOWN,
 	NFCT_MSG_NEW,
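Review bot: The copied `enum ip_conntrack_status` keeps the kernel's tag and `IPS_*` enumerator names, so a translation unit that includes both this header and the kernel's ip_conntrack.h will fail with a redefinition error rather than a silent mismatch; the header comment should state that explicitly, e.g. `/* Copied from the kernel's ip_conntrack.h: these values are kernel ABI and must not change. Do not include both headers in one translation unit. */`. The trailing comma after `IPS_DYING` is C99-only and trips `-pedantic` C89 builds, which is worth avoiding in a header installed for third-party applications. The enum is complete within the hunk.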
@@ -163,14 +199,6 @@ typedef int (*nfct_callback)(void *arg, unsigned int flags, int); typedef int (*nfct_handler)(struct nfct_handle *cth, struct nlmsghdr *nlh, void *arg); -struct nfct_handle { - struct nfnl_handle nfnlh; - nfct_callback callback; /* user callback */ - nfct_handler handler; /* netlink handler */ -}; - -extern void nfct_register_proto(struct nfct_proto *h); - /* * [Allocate|free] a conntrack */ diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h new file mode 100644 index 0000000..4900541 --- /dev/null +++ b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h @@ -0,0 +1,28 @@ +/* + * (C) 2005 by Pablo Neira Ayuso + * + * This software may be used and distributed according to the terms + * of the GNU General Public License, incorporated herein by reference. + */ + +#ifndef _LIBNETFILTER_CONNTRACK_EXTENSIONS_H_ +#define _LIBNETFILTER_CONNTRACK_EXTENSIONS_H_ + +#include "linux_list.h" + +struct nfct_proto { + struct list_head head; + + char *name; + u_int8_t protonum; + char *version; + + void (*parse_proto)(struct nfattr **, struct nfct_tuple *); + void (*parse_protoinfo)(struct nfattr **, struct nfct_conntrack *); + int (*print_protoinfo)(char *, union nfct_protoinfo *); + int (*print_proto)(char *, struct nfct_tuple *); +}; + +extern void nfct_register_proto(struct nfct_proto *h); + +#endif diff --git a/src/libnetfilter_conntrack.c b/src/libnetfilter_conntrack.c index 32a3827..6204df9 100644 --- a/src/libnetfilter_conntrack.c +++ b/src/libnetfilter_conntrack.c @@ -17,6 +17,7 @@ #include "linux_list.h" #include #include +#include #define NFCT_BUFSIZE 4096 
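Review bot: With the definition of `struct nfct_handle` removed from the public header, the `nfct_handler` typedef shown as context in this hunk now refers to a type that is never completed in the header; unless a `struct nfct_handle;` forward declaration precedes the typedef (none is visible in this diff), the tag is declared at prototype scope, GCC warns that it is declared inside a parameter list, and the handle type in the callback signature is a different incomplete type from the one the library's other prototypes use. Add `struct nfct_handle;` at file scope above the `nfct_callback` typedef so the opaque handle has one declaration. The typedef itself is unchanged by the commit, so the problem may predate it, but the removal is what makes the forward declaration mandatory.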
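Review bot: The new libnetfilter_conntrack_extensions.h is not self-contained: `struct nfct_proto` refers to `struct nfattr`, `struct nfct_tuple`, `struct nfct_conntrack` and `union nfct_protoinfo`, but its only include is `linux_list.h`, so it compiles only when the including extension has already pulled in the public conntrack header, which is exactly the ordering the four extension hunks rely on. Either include the public header here, `#include "libnetfilter_conntrack.h"`, or state the ordering requirement in the header comment. If `name` and `version` are only ever pointed at string literals, `const char *` would also be more accurate, though the extensions' definitions are outside this diff.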
@@ -26,6 +27,13 @@
 	((unsigned char *)&addr)[2], \
 	((unsigned char *)&addr)[3]
 
+/* Harald says: "better for encapsulation" ;) */
+struct nfct_handle {
+	struct nfnl_handle nfnlh;
+	nfct_callback callback; /* user callback */
+	nfct_handler handler; /* netlink handler */
+};
+
 static char *lib_dir = LIBNETFILTER_CONNTRACK_DIR;
 static LIST_HEAD(proto_list);
 static char *proto2str[IPPROTO_MAX] = {
-- 
cgit v1.2.3
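Review bot: The comment above the moved `struct nfct_handle` definition records who suggested the move rather than what the next reader needs, namely that the layout is now private to the library and applications only ever hold an opaque pointer to it. Replace it with `/* Private: applications only see an opaque struct nfct_handle pointer; the layout is not part of the installed header. */`. The member comments (`user callback`, `netlink handler`) carry over from the header and are fine as they are.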