author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-02-29 02:55:00 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-02-29 03:27:49 +0100 |
commit | f3d2a5ee1af6fc4e548f02e4bc4e143d7d0c8d90 (patch) | |
tree | 0b9505f57ca42303a80e0d827897823ae07c6977 /include |
initial commit
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/Makefile.am | 1 | ||||
-rw-r--r-- | include/libnetfilter_cttimeout/Makefile.am | 1 | ||||
-rw-r--r-- | include/libnetfilter_cttimeout/libnetfilter_cttimeout.h | 106 | ||||
-rw-r--r-- | include/linux/Makefile.am | 1 | ||||
-rw-r--r-- | include/linux/netfilter/Makefile.am | 1 | ||||
-rw-r--r-- | include/linux/netfilter/nf_conntrack_tcp.h | 79 | ||||
-rw-r--r-- | include/linux/netfilter/nfnetlink.h | 95 | ||||
-rw-r--r-- | include/linux/netfilter/nfnetlink_cttimeout.h | 114 |
8 files changed, 398 insertions, 0 deletions
diff --git a/include/Makefile.am b/include/Makefile.am
new file mode 100644
index 0000000..d502177
--- /dev/null
+++ b/include/Makefile.am
@@ -0,0 +1 @@
+SUBDIRS = libnetfilter_cttimeout linux
diff --git a/include/libnetfilter_cttimeout/Makefile.am b/include/libnetfilter_cttimeout/Makefile.am
new file mode 100644
index 0000000..63c9eea
--- /dev/null
+++ b/include/libnetfilter_cttimeout/Makefile.am
@@ -0,0 +1 @@
+pkginclude_HEADERS = libnetfilter_cttimeout.h
diff --git a/include/libnetfilter_cttimeout/libnetfilter_cttimeout.h b/include/libnetfilter_cttimeout/libnetfilter_cttimeout.h
new file mode 100644
index 0000000..be37636
--- /dev/null
+++ b/include/libnetfilter_cttimeout/libnetfilter_cttimeout.h
@@ -0,0 +1,106 @@
+#ifndef _LIBNETFILTER_CTTIMEOUT_H_
+#define _LIBNETFILTER_CTTIMEOUT_H_
+
+#include <sys/types.h>
+#include <linux/netfilter/nfnetlink_conntrack.h>
+
+struct nfct_timeout;
+
+struct nfct_timeout *nfct_timeout_alloc(void);
+void nfct_timeout_free(struct nfct_timeout *);
+
+enum nfct_timeout_attr {
+ NFCT_TIMEOUT_ATTR_NAME= 0,
+ NFCT_TIMEOUT_ATTR_L3PROTO,
+ NFCT_TIMEOUT_ATTR_L4PROTO,
+ NFCT_TIMEOUT_ATTR_POLICY,
+ NFCT_TIMEOUT_ATTR_MAX
+};
+
+enum nfct_timeout_tcp_attr {
+ NFCT_TIMEOUT_ATTR_TCP_SYN_SENT = 0,
+ NFCT_TIMEOUT_ATTR_TCP_SYN_RECV,
+ NFCT_TIMEOUT_ATTR_TCP_ESTABLISHED,
+ NFCT_TIMEOUT_ATTR_TCP_FIN_WAIT,
+ NFCT_TIMEOUT_ATTR_TCP_CLOSE_WAIT,
+ NFCT_TIMEOUT_ATTR_TCP_LAST_ACK,
+ NFCT_TIMEOUT_ATTR_TCP_TIME_WAIT,
+ NFCT_TIMEOUT_ATTR_TCP_CLOSE,
+ NFCT_TIMEOUT_ATTR_TCP_SYN_SENT2,
+ NFCT_TIMEOUT_ATTR_TCP_RETRANS,
+ NFCT_TIMEOUT_ATTR_TCP_UNACK,
+ NFCT_TIMEOUT_ATTR_TCP_MAX
+};
+
+enum nfct_timeout_udp_attr {
+ NFCT_TIMEOUT_ATTR_UDP_UNREPLIED = 0,
+ NFCT_TIMEOUT_ATTR_UDP_REPLIED,
+ NFCT_TIMEOUT_ATTR_UDP_MAX
+};
+
+enum nfct_timeout_udplite_attr {
+ NFCT_TIMEOUT_ATTR_UDPLITE_UNREPLIED = 0,
+ NFCT_TIMEOUT_ATTR_UDPLITE_REPLIED,
+ NFCT_TIMEOUT_ATTR_UDPLITE_MAX
+};
+
+enum nfct_timeout_dccp_attr {
+ NFCT_TIMEOUT_ATTR_DCCP_REQUEST,
+ NFCT_TIMEOUT_ATTR_DCCP_RESPOND,
+ NFCT_TIMEOUT_ATTR_DCCP_PARTOPEN,
+ NFCT_TIMEOUT_ATTR_DCCP_OPEN,
+ NFCT_TIMEOUT_ATTR_DCCP_CLOSEREQ,
+ NFCT_TIMEOUT_ATTR_DCCP_CLOSING,
+ NFCT_TIMEOUT_ATTR_DCCP_TIMEWAIT,
+ NFCT_TIMEOUT_ATTR_DCCP_MAX
+};
+
+enum nfct_timeout_sctp_attr {
+ NFCT_TIMEOUT_ATTR_SCTP_CLOSED = 0,
+ NFCT_TIMEOUT_ATTR_SCTP_COOKIE_WAIT,
+ NFCT_TIMEOUT_ATTR_SCTP_COOKIE_ECHOED,
+ NFCT_TIMEOUT_ATTR_SCTP_ESTABLISHED,
+ NFCT_TIMEOUT_ATTR_SCTP_SHUTDOWN_SENT,
+ NFCT_TIMEOUT_ATTR_SCTP_SHUTDOWN_RECD,
+ NFCT_TIMEOUT_ATTR_SCTP_SHUTDOWN_ACK_SENT,
+ NFCT_TIMEOUT_ATTR_SCTP_MAX
+};
+
+enum nfct_timeout_icmp_attr {
+ NFCT_TIMEOUT_ATTR_ICMP = 0,
+ NFCT_TIMEOUT_ATTR_ICMP_MAX
+};
+
+enum nfct_timeout_icmpv6_attr {
+ NFCT_TIMEOUT_ATTR_ICMPV6 = 0,
+ NFCT_TIMEOUT_ATTR_ICMPV6_MAX
+};
+
+enum nfct_timeout_gre_attr {
+ NFCT_TIMEOUT_ATTR_GRE_UNREPLIED = 0,
+ NFCT_TIMEOUT_ATTR_GRE_REPLIED,
+ NFCT_TIMEOUT_ATTR_GRE_MAX
+};
+
+enum nfct_timeout_generic_attr {
+ NFCT_TIMEOUT_ATTR_GENERIC = 0,
+ NFCT_TIMEOUT_ATTR_GENERIC_MAX
+};
+
+int nfct_timeout_attr_set(struct nfct_timeout *t, uint32_t type, const void *data);
+int nfct_timeout_attr_set_u8(struct nfct_timeout *t, uint32_t type, uint8_t data);
+int nfct_timeout_attr_set_u16(struct nfct_timeout *t, uint32_t type, uint16_t data);
+void nfct_timeout_attr_unset(struct nfct_timeout *t, uint32_t type);
+
+int nfct_timeout_policy_attr_set_u32(struct nfct_timeout *, uint32_t type, uint32_t data);
+void nfct_timeout_policy_attr_unset(struct nfct_timeout *t, uint32_t type);
+
+struct nlmsghdr;
+
+struct nlmsghdr *nfct_timeout_nlmsg_build_hdr(char *buf, uint8_t cmd, uint16_t flags, uint32_t seq);
+void nfct_timeout_nlmsg_build_payload(struct nlmsghdr *, struct nfct_timeout *);
+int nfct_timeout_nlmsg_parse_payload(const struct nlmsghdr *nlh, struct nfct_timeout *);
+
+int nfct_timeout_snprintf(char *buf, size_t size, struct nfct_timeout *, unsigned int flags);
+
+#endif
diff --git a/include/linux/Makefile.am b/include/linux/Makefile.am
new file mode 100644
index 0000000..78be976
--- /dev/null
+++ b/include/linux/Makefile.am
@@ -0,0 +1 @@
+SUBDIR = netfilter
diff --git a/include/linux/netfilter/Makefile.am b/include/linux/netfilter/Makefile.am
new file mode 100644
index 0000000..998489a
--- /dev/null
+++ b/include/linux/netfilter/Makefile.am
@@ -0,0 +1 @@
+noinst_HEADERS = nfnetlink.h nfnetlink_cttimeout.h nf_conntrack_tcp.h
diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
new file mode 100644
index 0000000..e59868a
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
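Review bot: The public header uses `uint8_t`, `uint16_t` and `uint32_t` in the `nfct_timeout_attr_set*`, `nfct_timeout_policy_attr_set_u32` and `nfct_timeout_nlmsg_build_hdr` prototypes but only includes `<sys/types.h>`, which is not guaranteed to define those names, so a consumer that includes this header first may fail to compile; add `#include <stdint.h>` next to the existing include. `nfct_timeout_nlmsg_build_hdr(char *buf, ...)` and `nfct_timeout_nlmsg_build_payload` take a caller-supplied buffer with no length parameter, so the header should state in a comment on each prototype the minimum capacity the caller must provide and that the functions do not bound-check it. Two smaller consistency points: `NFCT_TIMEOUT_ATTR_NAME= 0,` is missing the space before `=`, and `nfct_timeout_dccp_attr` is the only per-protocol enum whose first member lacks an explicit `= 0`.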
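Review bot: `SUBDIR = netfilter` in include/linux/Makefile.am is not an automake recursion variable; automake only descends into directories listed in `SUBDIRS`, so the netfilter subdirectory and its `noinst_HEADERS` list would never be processed by the generated Makefile and the three kernel headers would presumably be missing from the distribution tarball. Change the line to `SUBDIRS = netfilter`, matching the top-level include/Makefile.am in this commit.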
@@ -0,0 +1,79 @@
+#ifndef _NF_CONNTRACK_TCP_H
+#define _NF_CONNTRACK_TCP_H
+/* TCP tracking. */
+
+#include <linux/types.h>
+
+/* This is exposed to userspace (ctnetlink) */
+enum tcp_conntrack {
+ TCP_CONNTRACK_NONE,
+ TCP_CONNTRACK_SYN_SENT,
+ TCP_CONNTRACK_SYN_RECV,
+ TCP_CONNTRACK_ESTABLISHED,
+ TCP_CONNTRACK_FIN_WAIT,
+ TCP_CONNTRACK_CLOSE_WAIT,
+ TCP_CONNTRACK_LAST_ACK,
+ TCP_CONNTRACK_TIME_WAIT,
+ TCP_CONNTRACK_CLOSE,
+ TCP_CONNTRACK_LISTEN, /* obsolete */
+#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN
+ TCP_CONNTRACK_MAX,
+ TCP_CONNTRACK_IGNORE,
+ TCP_CONNTRACK_RETRANS,
+ TCP_CONNTRACK_UNACK,
+ TCP_CONNTRACK_TIMEOUT_MAX
+};
+
+/* Window scaling is advertised by the sender */
+#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01
+
+/* SACK is permitted by the sender */
+#define IP_CT_TCP_FLAG_SACK_PERM 0x02
+
+/* This sender sent FIN first */
+#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04
+
+/* Be liberal in window checking */
+#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08
+
+/* Has unacknowledged data */
+#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10
+
+/* The field td_maxack has been set */
+#define IP_CT_TCP_FLAG_MAXACK_SET 0x20
+
+struct nf_ct_tcp_flags {
+ __u8 flags;
+ __u8 mask;
+};
+
+#ifdef __KERNEL__
+
+struct ip_ct_tcp_state {
+ u_int32_t td_end; /* max of seq + len */
+ u_int32_t td_maxend; /* max of ack + max(win, 1) */
+ u_int32_t td_maxwin; /* max(win) */
+ u_int32_t td_maxack; /* max of ack */
+ u_int8_t td_scale; /* window scale factor */
+ u_int8_t flags; /* per direction options */
+};
+
+struct ip_ct_tcp {
+ struct ip_ct_tcp_state seen[2]; /* connection parameters per direction */
+ u_int8_t state; /* state of the connection (enum tcp_conntrack) */
+ /* For detecting stale connections */
+ u_int8_t last_dir; /* Direction of the last packet (enum ip_conntrack_dir) */
+ u_int8_t retrans; /* Number of retransmitted packets */
+ u_int8_t last_index; /* Index of the last packet */
+ u_int32_t last_seq; /* Last sequence number seen in dir */
+ u_int32_t last_ack; /* Last sequence number seen in opposite dir */
+ u_int32_t last_end; /* Last seq + len */
+ u_int16_t last_win; /* Last window advertisement seen in dir */
+ /* For SYN packets while we may be out-of-sync */
+ u_int8_t last_wscale; /* Last window scaling factor seen */
+ u_int8_t last_flags; /* Last flags set */
+};
+
+#endif /* __KERNEL__ */
+
+#endif /* _NF_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
new file mode 100644
index 0000000..6fd1f0d
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink.h
@@ -0,0 +1,95 @@
+#ifndef _NFNETLINK_H
+#define _NFNETLINK_H
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink_compat.h>
+
+enum nfnetlink_groups {
+ NFNLGRP_NONE,
+#define NFNLGRP_NONE NFNLGRP_NONE
+ NFNLGRP_CONNTRACK_NEW,
+#define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW
+ NFNLGRP_CONNTRACK_UPDATE,
+#define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE
+ NFNLGRP_CONNTRACK_DESTROY,
+#define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY
+ NFNLGRP_CONNTRACK_EXP_NEW,
+#define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW
+ NFNLGRP_CONNTRACK_EXP_UPDATE,
+#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
+ NFNLGRP_CONNTRACK_EXP_DESTROY,
+#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
+ __NFNLGRP_MAX,
+};
+#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
+
+/* General form of address family dependent message.
+ */
+struct nfgenmsg {
+ __u8 nfgen_family; /* AF_xxx */
+ __u8 version; /* nfnetlink version */
+ __be16 res_id; /* resource id */
+};
+
+#define NFNETLINK_V0 0
+
+/* netfilter netlink message types are split in two pieces:
+ * 8 bit subsystem, 8bit operation.
+ */
+
+#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8)
+#define NFNL_MSG_TYPE(x) (x & 0x00ff)
+
+/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
+ * won't work anymore */
+#define NFNL_SUBSYS_NONE 0
+#define NFNL_SUBSYS_CTNETLINK 1
+#define NFNL_SUBSYS_CTNETLINK_EXP 2
+#define NFNL_SUBSYS_QUEUE 3
+#define NFNL_SUBSYS_ULOG 4
+#define NFNL_SUBSYS_OSF 5
+#define NFNL_SUBSYS_IPSET 6
+#define NFNL_SUBSYS_ACCT 7
+#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8
+#define NFNL_SUBSYS_COUNT 9
+
+#ifdef __KERNEL__
+
+#include <linux/netlink.h>
+#include <linux/capability.h>
+#include <net/netlink.h>
+
+struct nfnl_callback {
+ int (*call)(struct sock *nl, struct sk_buff *skb,
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const cda[]);
+ int (*call_rcu)(struct sock *nl, struct sk_buff *skb,
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const cda[]);
+ const struct nla_policy *policy; /* netlink attribute policy */
+ const u_int16_t attr_count; /* number of nlattr's */
+};
+
+struct nfnetlink_subsystem {
+ const char *name;
+ __u8 subsys_id; /* nfnetlink subsystem ID */
+ __u8 cb_count; /* number of callbacks */
+ const struct nfnl_callback *cb; /* callback for individual types */
+};
+
+extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);
+extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n);
+
+extern int nfnetlink_has_listeners(struct net *net, unsigned int group);
+extern int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 pid, unsigned group,
+ int echo, gfp_t flags);
+extern int nfnetlink_set_err(struct net *net, u32 pid, u32 group, int error);
+extern int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u_int32_t pid, int flags);
+
+extern void nfnl_lock(void);
+extern void nfnl_unlock(void);
+
+#define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
+ MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
+
+#endif /* __KERNEL__ */
+#endif /* _NFNETLINK_H */
diff --git a/include/linux/netfilter/nfnetlink_cttimeout.h b/include/linux/netfilter/nfnetlink_cttimeout.h
new file mode 100644
index 0000000..a2810a7
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_cttimeout.h
@@ -0,0 +1,114 @@
+#ifndef _CTTIMEOUT_NETLINK_H
+#define _CTTIMEOUT_NETLINK_H
+#include <linux/netfilter/nfnetlink.h>
+
+enum ctnl_timeout_msg_types {
+ IPCTNL_MSG_TIMEOUT_NEW,
+ IPCTNL_MSG_TIMEOUT_GET,
+ IPCTNL_MSG_TIMEOUT_DELETE,
+
+ IPCTNL_MSG_TIMEOUT_MAX
+};
+
+enum ctattr_timeout {
+ CTA_TIMEOUT_UNSPEC,
+ CTA_TIMEOUT_NAME,
+ CTA_TIMEOUT_L3PROTO,
+ CTA_TIMEOUT_L4PROTO,
+ CTA_TIMEOUT_DATA,
+ CTA_TIMEOUT_USE,
+ __CTA_TIMEOUT_MAX
+};
+#define CTA_TIMEOUT_MAX (__CTA_TIMEOUT_MAX - 1)
+
+enum ctattr_timeout_generic {
+ CTA_TIMEOUT_GENERIC_UNSPEC,
+ CTA_TIMEOUT_GENERIC_TIMEOUT,
+ __CTA_TIMEOUT_GENERIC_MAX
+};
+#define CTA_TIMEOUT_GENERIC_MAX (__CTA_TIMEOUT_GENERIC_MAX - 1)
+
+enum ctattr_timeout_tcp {
+ CTA_TIMEOUT_TCP_UNSPEC,
+ CTA_TIMEOUT_TCP_SYN_SENT,
+ CTA_TIMEOUT_TCP_SYN_RECV,
+ CTA_TIMEOUT_TCP_ESTABLISHED,
+ CTA_TIMEOUT_TCP_FIN_WAIT,
+ CTA_TIMEOUT_TCP_CLOSE_WAIT,
+ CTA_TIMEOUT_TCP_LAST_ACK,
+ CTA_TIMEOUT_TCP_TIME_WAIT,
+ CTA_TIMEOUT_TCP_CLOSE,
+ CTA_TIMEOUT_TCP_SYN_SENT2,
+ CTA_TIMEOUT_TCP_RETRANS,
+ CTA_TIMEOUT_TCP_UNACK,
+ __CTA_TIMEOUT_TCP_MAX
+};
+#define CTA_TIMEOUT_TCP_MAX (__CTA_TIMEOUT_TCP_MAX - 1)
+
+enum ctattr_timeout_udp {
+ CTA_TIMEOUT_UDP_UNSPEC,
+ CTA_TIMEOUT_UDP_UNREPLIED,
+ CTA_TIMEOUT_UDP_REPLIED,
+ __CTA_TIMEOUT_UDP_MAX
+};
+#define CTA_TIMEOUT_UDP_MAX (__CTA_TIMEOUT_UDP_MAX - 1)
+
+enum ctattr_timeout_udplite {
+ CTA_TIMEOUT_UDPLITE_UNSPEC,
+ CTA_TIMEOUT_UDPLITE_UNREPLIED,
+ CTA_TIMEOUT_UDPLITE_REPLIED,
+ __CTA_TIMEOUT_UDPLITE_MAX
+};
+#define CTA_TIMEOUT_UDPLITE_MAX (__CTA_TIMEOUT_UDPLITE_MAX - 1)
+
+enum ctattr_timeout_icmp {
+ CTA_TIMEOUT_ICMP_UNSPEC,
+ CTA_TIMEOUT_ICMP_TIMEOUT,
+ __CTA_TIMEOUT_ICMP_MAX
+};
+#define CTA_TIMEOUT_ICMP_MAX (__CTA_TIMEOUT_ICMP_MAX - 1)
+
+enum ctattr_timeout_dccp {
+ CTA_TIMEOUT_DCCP_UNSPEC,
+ CTA_TIMEOUT_DCCP_REQUEST,
+ CTA_TIMEOUT_DCCP_RESPOND,
+ CTA_TIMEOUT_DCCP_PARTOPEN,
+ CTA_TIMEOUT_DCCP_OPEN,
+ CTA_TIMEOUT_DCCP_CLOSEREQ,
+ CTA_TIMEOUT_DCCP_CLOSING,
+ CTA_TIMEOUT_DCCP_TIMEWAIT,
+ __CTA_TIMEOUT_DCCP_MAX
+};
+#define CTA_TIMEOUT_DCCP_MAX (__CTA_TIMEOUT_DCCP_MAX - 1)
+
+enum ctattr_timeout_sctp {
+ CTA_TIMEOUT_SCTP_UNSPEC,
+ CTA_TIMEOUT_SCTP_CLOSED,
+ CTA_TIMEOUT_SCTP_COOKIE_WAIT,
+ CTA_TIMEOUT_SCTP_COOKIE_ECHOED,
+ CTA_TIMEOUT_SCTP_ESTABLISHED,
+ CTA_TIMEOUT_SCTP_SHUTDOWN_SENT,
+ CTA_TIMEOUT_SCTP_SHUTDOWN_RECD,
+ CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
+ __CTA_TIMEOUT_SCTP_MAX
+};
+#define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1)
+
+enum ctattr_timeout_icmpv6 {
+ CTA_TIMEOUT_ICMPV6_UNSPEC,
+ CTA_TIMEOUT_ICMPV6_TIMEOUT,
+ __CTA_TIMEOUT_ICMPV6_MAX
+};
+#define CTA_TIMEOUT_ICMPV6_MAX (__CTA_TIMEOUT_ICMPV6_MAX - 1)
+
+enum ctattr_timeout_gre {
+ CTA_TIMEOUT_GRE_UNSPEC,
+ CTA_TIMEOUT_GRE_UNREPLIED,
+ CTA_TIMEOUT_GRE_REPLIED,
+ __CTA_TIMEOUT_GRE_MAX
+};
+#define CTA_TIMEOUT_GRE_MAX (__CTA_TIMEOUT_GRE_MAX - 1)
+
+#define CTNL_TIMEOUT_NAME_MAX 32
+
+#endif |