/* * (C) 2005-2011 by Pablo Neira Ayuso * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. */ #ifndef _LIBNETFILTER_CONNTRACK_H_ #define _LIBNETFILTER_CONNTRACK_H_ #include #include #include #include #ifdef __cplusplus extern "C" { #endif enum { CONNTRACK = NFNL_SUBSYS_CTNETLINK, EXPECT = NFNL_SUBSYS_CTNETLINK_EXP }; /* * Subscribe to all possible conntrack event groups. Use this * flag in case that you want to catch up all the possible * events. Do not use this flag for dumping or any other * similar operation. */ #define NFCT_ALL_CT_GROUPS (NF_NETLINK_CONNTRACK_NEW|NF_NETLINK_CONNTRACK_UPDATE|NF_NETLINK_CONNTRACK_DESTROY) struct nfct_handle; /* * [Open|close] a conntrack handler */ extern struct nfct_handle *nfct_open(u_int8_t, unsigned); extern struct nfct_handle *nfct_open_nfnl(struct nfnl_handle *nfnlh, u_int8_t subsys_id, unsigned int subscriptions); extern int nfct_close(struct nfct_handle *cth); extern int nfct_fd(struct nfct_handle *cth); extern const struct nfnl_handle *nfct_nfnlh(struct nfct_handle *cth); /* * NEW libnetfilter_conntrack API */ /* high level API */ #include /* conntrack object */ struct nf_conntrack; /* conntrack attributes */ enum nf_conntrack_attr { ATTR_ORIG_IPV4_SRC = 0, /* u32 bits */ ATTR_IPV4_SRC = ATTR_ORIG_IPV4_SRC, /* alias */ ATTR_ORIG_IPV4_DST, /* u32 bits */ ATTR_IPV4_DST = ATTR_ORIG_IPV4_DST, /* alias */ ATTR_REPL_IPV4_SRC, /* u32 bits */ ATTR_REPL_IPV4_DST, /* u32 bits */ ATTR_ORIG_IPV6_SRC = 4, /* u128 bits */ ATTR_IPV6_SRC = ATTR_ORIG_IPV6_SRC, /* alias */ ATTR_ORIG_IPV6_DST, /* u128 bits */ ATTR_IPV6_DST = ATTR_ORIG_IPV6_DST, /* alias */ ATTR_REPL_IPV6_SRC, /* u128 bits */ ATTR_REPL_IPV6_DST, /* u128 bits */ ATTR_ORIG_PORT_SRC = 8, /* u16 bits */ ATTR_PORT_SRC = ATTR_ORIG_PORT_SRC, /* alias */ ATTR_ORIG_PORT_DST, /* u16 bits */ ATTR_PORT_DST = ATTR_ORIG_PORT_DST, /* alias */ ATTR_REPL_PORT_SRC, /* u16 bits */ ATTR_REPL_PORT_DST, /* u16 bits */ ATTR_ICMP_TYPE = 12, /* u8 bits */ ATTR_ICMP_CODE, /* u8 bits */ ATTR_ICMP_ID, /* u16 bits */ ATTR_ORIG_L3PROTO, /* u8 bits */ ATTR_L3PROTO = ATTR_ORIG_L3PROTO, /* alias */ ATTR_REPL_L3PROTO = 16, /* u8 bits */ ATTR_ORIG_L4PROTO, /* u8 bits */ ATTR_L4PROTO = ATTR_ORIG_L4PROTO, /* alias */ ATTR_REPL_L4PROTO, /* u8 bits */ ATTR_TCP_STATE, /* u8 bits */ ATTR_SNAT_IPV4 = 20, /* u32 bits */ ATTR_DNAT_IPV4, /* u32 bits */ ATTR_SNAT_PORT, /* u16 bits */ ATTR_DNAT_PORT, /* u16 bits */ ATTR_TIMEOUT = 24, /* u32 bits */ ATTR_MARK, /* u32 bits */ ATTR_ORIG_COUNTER_PACKETS, /* u64 bits */ ATTR_REPL_COUNTER_PACKETS, /* u64 bits */ ATTR_ORIG_COUNTER_BYTES = 28, /* u64 bits */ ATTR_REPL_COUNTER_BYTES, /* u64 bits */ ATTR_USE, /* u32 bits */ ATTR_ID, /* u32 bits */ ATTR_STATUS = 32, /* u32 bits */ ATTR_TCP_FLAGS_ORIG, /* u8 bits */ ATTR_TCP_FLAGS_REPL, /* u8 bits */ ATTR_TCP_MASK_ORIG, /* u8 bits */ ATTR_TCP_MASK_REPL = 36, /* u8 bits */ ATTR_MASTER_IPV4_SRC, /* u32 bits */ ATTR_MASTER_IPV4_DST, /* u32 bits */ ATTR_MASTER_IPV6_SRC, /* u128 bits */ ATTR_MASTER_IPV6_DST = 40, /* u128 bits */ ATTR_MASTER_PORT_SRC, /* u16 bits */ ATTR_MASTER_PORT_DST, /* u16 bits */ ATTR_MASTER_L3PROTO, /* u8 bits */ ATTR_MASTER_L4PROTO = 44, /* u8 bits */ ATTR_SECMARK, /* u32 bits */ ATTR_ORIG_NAT_SEQ_CORRECTION_POS, /* u32 bits */ ATTR_ORIG_NAT_SEQ_OFFSET_BEFORE, /* u32 bits */ ATTR_ORIG_NAT_SEQ_OFFSET_AFTER = 48, /* u32 bits */ ATTR_REPL_NAT_SEQ_CORRECTION_POS, /* u32 bits */ ATTR_REPL_NAT_SEQ_OFFSET_BEFORE, /* u32 bits */ ATTR_REPL_NAT_SEQ_OFFSET_AFTER, /* u32 bits */ ATTR_SCTP_STATE = 52, /* u8 bits */ ATTR_SCTP_VTAG_ORIG, /* u32 bits */ ATTR_SCTP_VTAG_REPL, /* u32 bits */ ATTR_HELPER_NAME, /* string (30 bytes max) */ ATTR_DCCP_STATE = 56, /* u8 bits */ ATTR_DCCP_ROLE, /* u8 bits */ ATTR_DCCP_HANDSHAKE_SEQ, /* u64 bits */ ATTR_TCP_WSCALE_ORIG, /* u8 bits */ ATTR_TCP_WSCALE_REPL = 60, /* u8 bits */ ATTR_ZONE, /* u16 bits */ ATTR_SECCTX, /* string */ ATTR_TIMESTAMP_START, /* u64 bits, linux >= 2.6.38 */ ATTR_TIMESTAMP_STOP = 64, /* u64 bits, linux >= 2.6.38 */ ATTR_HELPER_INFO, /* variable length */ ATTR_CONNLABELS, /* variable length */ ATTR_MAX }; /* conntrack attribute groups */ enum nf_conntrack_attr_grp { ATTR_GRP_ORIG_IPV4 = 0, /* struct nfct_attr_grp_ipv4 */ ATTR_GRP_REPL_IPV4, /* struct nfct_attr_grp_ipv4 */ ATTR_GRP_ORIG_IPV6, /* struct nfct_attr_grp_ipv6 */ ATTR_GRP_REPL_IPV6, /* struct nfct_attr_grp_ipv6 */ ATTR_GRP_ORIG_PORT = 4, /* struct nfct_attr_grp_port */ ATTR_GRP_REPL_PORT, /* struct nfct_attr_grp_port */ ATTR_GRP_ICMP, /* struct nfct_attr_grp_icmp */ ATTR_GRP_MASTER_IPV4, /* struct nfct_attr_grp_ipv4 */ ATTR_GRP_MASTER_IPV6 = 8, /* struct nfct_attr_grp_ipv6 */ ATTR_GRP_MASTER_PORT, /* struct nfct_attr_grp_port */ ATTR_GRP_ORIG_COUNTERS, /* struct nfct_attr_grp_ctrs */ ATTR_GRP_REPL_COUNTERS, /* struct nfct_attr_grp_ctrs */ ATTR_GRP_ORIG_ADDR_SRC = 12, /* union nfct_attr_grp_addr */ ATTR_GRP_ORIG_ADDR_DST, /* union nfct_attr_grp_addr */ ATTR_GRP_REPL_ADDR_SRC, /* union nfct_attr_grp_addr */ ATTR_GRP_REPL_ADDR_DST, /* union nfct_attr_grp_addr */ ATTR_GRP_MAX }; struct nfct_attr_grp_ipv4 { u_int32_t src, dst; }; struct nfct_attr_grp_ipv6 { u_int32_t src[4], dst[4]; }; struct nfct_attr_grp_port { u_int16_t sport, dport; }; struct nfct_attr_grp_icmp { u_int16_t id; u_int8_t code, type; }; struct nfct_attr_grp_ctrs { u_int64_t packets; u_int64_t bytes; }; union nfct_attr_grp_addr { u_int32_t ip; u_int32_t ip6[4]; u_int32_t addr[4]; }; /* message type */ enum nf_conntrack_msg_type { NFCT_T_UNKNOWN = 0, NFCT_T_NEW_BIT = 0, NFCT_T_NEW = (1 << NFCT_T_NEW_BIT), NFCT_T_UPDATE_BIT = 1, NFCT_T_UPDATE = (1 << NFCT_T_UPDATE_BIT), NFCT_T_DESTROY_BIT = 2, NFCT_T_DESTROY = (1 << NFCT_T_DESTROY_BIT), NFCT_T_ALL = NFCT_T_NEW | NFCT_T_UPDATE | NFCT_T_DESTROY, NFCT_T_ERROR_BIT = 31, NFCT_T_ERROR = (1 << NFCT_T_ERROR_BIT), }; /* constructor / destructor */ extern struct nf_conntrack *nfct_new(void); extern void nfct_destroy(struct nf_conntrack *ct); /* clone */ struct nf_conntrack *nfct_clone(const struct nf_conntrack *ct); /* object size */ extern __attribute__((deprecated)) size_t nfct_sizeof(const struct nf_conntrack *ct); /* maximum object size */ extern __attribute__((deprecated)) size_t nfct_maxsize(void); /* set option */ enum { NFCT_SOPT_UNDO_SNAT, NFCT_SOPT_UNDO_DNAT, NFCT_SOPT_UNDO_SPAT, NFCT_SOPT_UNDO_DPAT, NFCT_SOPT_SETUP_ORIGINAL, NFCT_SOPT_SETUP_REPLY, __NFCT_SOPT_MAX, }; #define NFCT_SOPT_MAX (__NFCT_SOPT_MAX - 1) /* get option */ enum { NFCT_GOPT_IS_SNAT, NFCT_GOPT_IS_DNAT, NFCT_GOPT_IS_SPAT, NFCT_GOPT_IS_DPAT, __NFCT_GOPT_MAX, }; #define NFCT_GOPT_MAX (__NFCT_GOPT_MAX - 1) extern int nfct_setobjopt(struct nf_conntrack *ct, unsigned int option); extern int nfct_getobjopt(const struct nf_conntrack *ct, unsigned int option); /* register / unregister callback */ extern int nfct_callback_register(struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data); extern void nfct_callback_unregister(struct nfct_handle *h); /* register / unregister callback: extended version including netlink header */ extern int nfct_callback_register2(struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data); extern void nfct_callback_unregister2(struct nfct_handle *h); /* callback verdict */ enum { NFCT_CB_FAILURE = -1, /* failure */ NFCT_CB_STOP = 0, /* stop the query */ NFCT_CB_CONTINUE = 1, /* keep iterating through data */ NFCT_CB_STOLEN = 2, /* like continue, but ct is not freed */ }; /* bitmask setter/getter */ struct nfct_bitmask; struct nfct_bitmask *nfct_bitmask_new(unsigned int maxbit); struct nfct_bitmask *nfct_bitmask_clone(const struct nfct_bitmask *); unsigned int nfct_bitmask_maxbit(const struct nfct_bitmask *); void nfct_bitmask_set_bit(struct nfct_bitmask *, unsigned int bit); int nfct_bitmask_test_bit(const struct nfct_bitmask *, unsigned int bit); void nfct_bitmask_unset_bit(struct nfct_bitmask *, unsigned int bit); void nfct_bitmask_destroy(struct nfct_bitmask *); /* connlabel name <-> bit translation mapping */ struct nfct_labelmap; struct nfct_labelmap *nfct_labelmap_new(const char *mapfile); void nfct_labelmap_destroy(struct nfct_labelmap *map); const char *nfct_labelmap_get_name(struct nfct_labelmap *m, unsigned int bit); int nfct_labelmap_get_bit(struct nfct_labelmap *m, const char *name); /* setter */ extern void nfct_set_attr(struct nf_conntrack *ct, const enum nf_conntrack_attr type, const void *value); extern void nfct_set_attr_u8(struct nf_conntrack *ct, const enum nf_conntrack_attr type, u_int8_t value); extern void nfct_set_attr_u16(struct nf_conntrack *ct, const enum nf_conntrack_attr type, u_int16_t value); extern void nfct_set_attr_u32(struct nf_conntrack *ct, const enum nf_conntrack_attr type, u_int32_t value); extern void nfct_set_attr_u64(struct nf_conntrack *ct, const enum nf_conntrack_attr type, u_int64_t value); extern void nfct_set_attr_l(struct nf_conntrack *ct, const enum nf_conntrack_attr type, const void *value, size_t len); /* getter */ extern const void *nfct_get_attr(const struct nf_conntrack *ct, const enum nf_conntrack_attr type); extern u_int8_t nfct_get_attr_u8(const struct nf_conntrack *ct, const enum nf_conntrack_attr type); extern u_int16_t nfct_get_attr_u16(const struct nf_conntrack *ct, const enum nf_conntrack_attr type); extern u_int32_t nfct_get_attr_u32(const struct nf_conntrack *ct, const enum nf_conntrack_attr type); extern u_int64_t nfct_get_attr_u64(const struct nf_conntrack *ct, const enum nf_conntrack_attr type); /* checker */ extern int nfct_attr_is_set(const struct nf_conntrack *ct, const enum nf_conntrack_attr type); extern int nfct_attr_is_set_array(const struct nf_conntrack *ct, const enum nf_conntrack_attr *type_array, int size); /* unsetter */ extern int nfct_attr_unset(struct nf_conntrack *ct, const enum nf_conntrack_attr type); /* group setter */ extern void nfct_set_attr_grp(struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type, const void *value); /* group getter */ extern int nfct_get_attr_grp(const struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type, void *data); /* group checker */ extern int nfct_attr_grp_is_set(const struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type); /* unsetter */ extern int nfct_attr_grp_unset(struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type); /* print */ /* output type */ enum { NFCT_O_PLAIN, NFCT_O_DEFAULT = NFCT_O_PLAIN, NFCT_O_XML, NFCT_O_MAX }; /* output flags */ enum { NFCT_OF_SHOW_LAYER3_BIT = 0, NFCT_OF_SHOW_LAYER3 = (1 << NFCT_OF_SHOW_LAYER3_BIT), NFCT_OF_TIME_BIT = 1, NFCT_OF_TIME = (1 << NFCT_OF_TIME_BIT), NFCT_OF_ID_BIT = 2, NFCT_OF_ID = (1 << NFCT_OF_ID_BIT), NFCT_OF_TIMESTAMP_BIT = 3, NFCT_OF_TIMESTAMP = (1 << NFCT_OF_TIMESTAMP_BIT), }; extern int nfct_snprintf(char *buf, unsigned int size, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int out_type, const unsigned int out_flags); /* comparison */ extern int nfct_compare(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2); enum { NFCT_CMP_ALL = 0, NFCT_CMP_ORIG = (1 << 0), NFCT_CMP_REPL = (1 << 1), NFCT_CMP_TIMEOUT_EQ = (1 << 2), NFCT_CMP_TIMEOUT_GT = (1 << 3), NFCT_CMP_TIMEOUT_GE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_GT), NFCT_CMP_TIMEOUT_LT = (1 << 4), NFCT_CMP_TIMEOUT_LE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_LT), NFCT_CMP_MASK = (1 << 5), NFCT_CMP_STRICT = (1 << 6), }; extern int nfct_cmp(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2, unsigned int flags); /* query */ enum nf_conntrack_query { NFCT_Q_CREATE, NFCT_Q_UPDATE, NFCT_Q_DESTROY, NFCT_Q_GET, NFCT_Q_FLUSH, NFCT_Q_DUMP, NFCT_Q_DUMP_RESET, NFCT_Q_CREATE_UPDATE, NFCT_Q_DUMP_FILTER, NFCT_Q_DUMP_FILTER_RESET, }; extern int nfct_query(struct nfct_handle *h, const enum nf_conntrack_query query, const void *data); extern int nfct_send(struct nfct_handle *h, const enum nf_conntrack_query query, const void *data); extern int nfct_catch(struct nfct_handle *h); /* copy */ enum { NFCT_CP_ALL = 0, NFCT_CP_ORIG = (1 << 0), NFCT_CP_REPL = (1 << 1), NFCT_CP_META = (1 << 2), NFCT_CP_OVERRIDE = (1 << 3), }; extern void nfct_copy(struct nf_conntrack *dest, const struct nf_conntrack *source, unsigned int flags); extern void nfct_copy_attr(struct nf_conntrack *ct1, const struct nf_conntrack *ct2, const enum nf_conntrack_attr type); /* event filtering */ struct nfct_filter; extern struct nfct_filter *nfct_filter_create(void); extern void nfct_filter_destroy(struct nfct_filter *filter); struct nfct_filter_proto { u_int16_t proto; u_int16_t state; }; struct nfct_filter_ipv4 { u_int32_t addr; u_int32_t mask; }; struct nfct_filter_ipv6 { u_int32_t addr[4]; u_int32_t mask[4]; }; enum nfct_filter_attr { NFCT_FILTER_L4PROTO = 0, /* u_int32_t */ NFCT_FILTER_L4PROTO_STATE, /* struct nfct_filter_proto */ NFCT_FILTER_SRC_IPV4, /* struct nfct_filter_ipv4 */ NFCT_FILTER_DST_IPV4, /* struct nfct_filter_ipv4 */ NFCT_FILTER_SRC_IPV6, /* struct nfct_filter_ipv6 */ NFCT_FILTER_DST_IPV6, /* struct nfct_filter_ipv6 */ NFCT_FILTER_MAX }; extern void nfct_filter_add_attr(struct nfct_filter *filter, const enum nfct_filter_attr attr, const void *value); extern void nfct_filter_add_attr_u32(struct nfct_filter *filter, const enum nfct_filter_attr attr, const u_int32_t value); enum nfct_filter_logic { NFCT_FILTER_LOGIC_POSITIVE, NFCT_FILTER_LOGIC_NEGATIVE, NFCT_FILTER_LOGIC_MAX }; extern int nfct_filter_set_logic(struct nfct_filter *filter, const enum nfct_filter_attr attr, const enum nfct_filter_logic logic); extern int nfct_filter_attach(int fd, struct nfct_filter *filter); extern int nfct_filter_detach(int fd); /* dump filtering */ struct nfct_filter_dump; struct nfct_filter_dump_mark { u_int32_t val; u_int32_t mask; }; enum nfct_filter_dump_attr { NFCT_FILTER_DUMP_MARK = 0, /* struct nfct_filter_dump_mark */ NFCT_FILTER_DUMP_L3NUM, /* u_int8_t */ NFCT_FILTER_DUMP_MAX }; struct nfct_filter_dump *nfct_filter_dump_create(void); void nfct_filter_dump_destroy(struct nfct_filter_dump *filter); void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump, const enum nfct_filter_dump_attr type, const void *data); void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump, const enum nfct_filter_dump_attr type, u_int8_t data); /* low level API: netlink functions */ extern __attribute__((deprecated)) int nfct_build_conntrack(struct nfnl_subsys_handle *ssh, void *req, size_t size, u_int16_t type, u_int16_t flags, const struct nf_conntrack *ct); extern __attribute__((deprecated)) int nfct_parse_conntrack(enum nf_conntrack_msg_type msg, const struct nlmsghdr *nlh, struct nf_conntrack *ct); extern __attribute__((deprecated)) int nfct_build_query(struct nfnl_subsys_handle *ssh, const enum nf_conntrack_query query, const void *data, void *req, unsigned int size); /* New low level API: netlink functions */ extern int nfct_nlmsg_build(struct nlmsghdr *nlh, const struct nf_conntrack *ct); extern int nfct_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_conntrack *ct); extern int nfct_payload_parse(const void *payload, size_t payload_len, uint16_t l3num, struct nf_conntrack *ct); /* * NEW expectation API */ /* expectation object */ struct nf_expect; /* expect attributes */ enum nf_expect_attr { ATTR_EXP_MASTER = 0, /* pointer to conntrack object */ ATTR_EXP_EXPECTED, /* pointer to conntrack object */ ATTR_EXP_MASK, /* pointer to conntrack object */ ATTR_EXP_TIMEOUT, /* u32 bits */ ATTR_EXP_ZONE, /* u16 bits */ ATTR_EXP_FLAGS, /* u32 bits */ ATTR_EXP_HELPER_NAME, /* string (16 bytes max) */ ATTR_EXP_CLASS, /* u32 bits */ ATTR_EXP_NAT_TUPLE, /* pointer to conntrack object */ ATTR_EXP_NAT_DIR, /* u8 bits */ ATTR_EXP_FN, /* string */ ATTR_EXP_MAX }; /* constructor / destructor */ extern struct nf_expect *nfexp_new(void); extern void nfexp_destroy(struct nf_expect *exp); /* clone */ extern struct nf_expect *nfexp_clone(const struct nf_expect *exp); /* object size */ extern size_t nfexp_sizeof(const struct nf_expect *exp); /* maximum object size */ extern size_t nfexp_maxsize(void); /* register / unregister callback */ extern int nfexp_callback_register(struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data); extern void nfexp_callback_unregister(struct nfct_handle *h); /* register / unregister callback: extended version including netlink header */ extern int nfexp_callback_register2(struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data); extern void nfexp_callback_unregister2(struct nfct_handle *h); /* setter */ extern void nfexp_set_attr(struct nf_expect *exp, const enum nf_expect_attr type, const void *value); extern void nfexp_set_attr_u8(struct nf_expect *exp, const enum nf_expect_attr type, u_int8_t value); extern void nfexp_set_attr_u16(struct nf_expect *exp, const enum nf_expect_attr type, u_int16_t value); extern void nfexp_set_attr_u32(struct nf_expect *exp, const enum nf_expect_attr type, u_int32_t value); /* getter */ extern const void *nfexp_get_attr(const struct nf_expect *exp, const enum nf_expect_attr type); extern u_int8_t nfexp_get_attr_u8(const struct nf_expect *exp, const enum nf_expect_attr type); extern u_int16_t nfexp_get_attr_u16(const struct nf_expect *exp, const enum nf_expect_attr type); extern u_int32_t nfexp_get_attr_u32(const struct nf_expect *exp, const enum nf_expect_attr type); /* checker */ extern int nfexp_attr_is_set(const struct nf_expect *exp, const enum nf_expect_attr type); /* unsetter */ extern int nfexp_attr_unset(struct nf_expect *exp, const enum nf_expect_attr type); /* query */ extern int nfexp_query(struct nfct_handle *h, const enum nf_conntrack_query qt, const void *data); /* print */ extern int nfexp_snprintf(char *buf, unsigned int size, const struct nf_expect *exp, const unsigned int msg_type, const unsigned int out_type, const unsigned int out_flags); /* compare */ extern int nfexp_cmp(const struct nf_expect *exp1, const struct nf_expect *exp2, unsigned int flags); extern int nfexp_send(struct nfct_handle *h, const enum nf_conntrack_query qt, const void *data); extern int nfexp_catch(struct nfct_handle *h); /* low level API */ extern __attribute__((deprecated)) int nfexp_build_expect(struct nfnl_subsys_handle *ssh, void *req, size_t size, u_int16_t type, u_int16_t flags, const struct nf_expect *exp); extern __attribute__((deprecated)) int nfexp_parse_expect(enum nf_conntrack_msg_type type, const struct nlmsghdr *nlh, struct nf_expect *exp); extern __attribute__((deprecated)) int nfexp_build_query(struct nfnl_subsys_handle *ssh, const enum nf_conntrack_query qt, const void *data, void *buffer, unsigned int size); /* New low level API: netlink functions */ extern int nfexp_nlmsg_build(struct nlmsghdr *nlh, const struct nf_expect *exp); extern int nfexp_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_expect *exp); /* Bitset representing status of connection. Taken from ip_conntrack.h * * Note: For backward compatibility this shouldn't ever change * in kernel space. */ enum ip_conntrack_status { /* It's an expected connection: bit 0 set. This bit never changed */ IPS_EXPECTED_BIT = 0, IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ IPS_SEEN_REPLY_BIT = 1, IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), /* Conntrack should never be early-expired. */ IPS_ASSURED_BIT = 2, IPS_ASSURED = (1 << IPS_ASSURED_BIT), /* Connection is confirmed: originating packet has left box */ IPS_CONFIRMED_BIT = 3, IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), /* Connection needs src nat in orig dir. This bit never changed. */ IPS_SRC_NAT_BIT = 4, IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), /* Connection needs dst nat in orig dir. This bit never changed. */ IPS_DST_NAT_BIT = 5, IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), /* Both together. */ IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), /* Connection needs TCP sequence adjusted. */ IPS_SEQ_ADJUST_BIT = 6, IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), /* NAT initialization bits. */ IPS_SRC_NAT_DONE_BIT = 7, IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), IPS_DST_NAT_DONE_BIT = 8, IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), /* Both together */ IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), /* Connection is dying (removed from lists), can not be unset. */ IPS_DYING_BIT = 9, IPS_DYING = (1 << IPS_DYING_BIT), /* Connection has fixed timeout. */ IPS_FIXED_TIMEOUT_BIT = 10, IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), /* Conntrack is a template */ IPS_TEMPLATE_BIT = 11, IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT), /* Conntrack is a fake untracked entry */ IPS_UNTRACKED_BIT = 12, IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT), }; /* expectation flags */ #define NF_CT_EXPECT_PERMANENT 0x1 #define NF_CT_EXPECT_INACTIVE 0x2 #define NF_CT_EXPECT_USERSPACE 0x4 /* * TCP flags */ /* Window scaling is advertised by the sender */ #define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01 /* SACK is permitted by the sender */ #define IP_CT_TCP_FLAG_SACK_PERM 0x02 /* This sender sent FIN first */ #define IP_CT_TCP_FLAG_CLOSE_INIT 0x04 /* Be liberal in window checking */ #define IP_CT_TCP_FLAG_BE_LIBERAL 0x08 /* WARNING: do not use these constants in new applications, we keep them here * to avoid breaking backward compatibility. */ #define NFCT_DIR_ORIGINAL 0 #define NFCT_DIR_REPLY 1 #define NFCT_DIR_MAX NFCT_DIR_REPLY+1 /* xt_helper uses a length size of 30 bytes, however, no helper name in * the tree has exceeded 16 bytes length. Since 2.6.29, the maximum * length accepted is 16 bytes, this limit is enforced during module load. */ #define NFCT_HELPER_NAME_MAX 16 #ifdef __cplusplus } #endif #endif /* _LIBNETFILTER_CONNTRACK_H_ */