1 /* 2 * WARNING: Do *NOT* ever include this file, only for internal use! 3 * Use the set/get API in order to set/get the conntrack attributes 4 */ 5 6 #ifndef _NFCT_OBJECT_H_ 7 #define _NFCT_OBJECT_H_ 8 9 #include <libnetfilter_conntrack/libnetfilter_conntrack.h> 10 11 /* 12 * nfct callback handler object 13 */ 14 15 struct nfct_handle { 16 struct nfnl_handle *nfnlh; 17 struct nfnl_subsys_handle *nfnlssh_ct; 18 struct nfnl_subsys_handle *nfnlssh_exp; 19 20 /* callback handler for the new API */ 21 struct nfnl_callback nfnl_cb_ct; 22 struct nfnl_callback nfnl_cb_exp; 23 24 int (*cb)(enum nf_conntrack_msg_type type, 25 struct nf_conntrack *ct, 26 void *data); 27 28 /* This is the second version of the callback that includes 29 * the Netlink header. This is the result of an early design 30 * error, hiding Netlink details is evil. You end needing some 31 * internal information at some point like the Netlink PortID. */ 32 int (*cb2)(const struct nlmsghdr *nlh, 33 enum nf_conntrack_msg_type type, 34 struct nf_conntrack *ct, 35 void *data); 36 37 int (*expect_cb)(enum nf_conntrack_msg_type type, 38 struct nf_expect *exp, 39 void *data); 40 41 /* second version of the expect callback: it includes netlink header */ 42 int (*expect_cb2)(const struct nlmsghdr *nlh, 43 enum nf_conntrack_msg_type type, 44 struct nf_expect *exp, 45 void *data); 46 }; 47 48 /* container used to pass data to nfnl callbacks */ 49 struct __data_container { 50 struct nfct_handle *h; 51 enum nf_conntrack_msg_type type; 52 void *data; 53 }; 54 55 /* 56 * conntrack object 57 */ 58 59 union __nfct_l4_src { 60 /* Add other protocols here. */ 61 uint16_t all; 62 struct { 63 uint16_t port; 64 } tcp; 65 struct { 66 uint16_t port; 67 } udp; 68 struct { 69 uint16_t id; 70 } icmp; 71 struct { 72 uint16_t port; 73 } sctp; 74 struct { 75 uint16_t port; 76 } dccp; 77 }; 78 79 union __nfct_l4_dst { 80 /* Add other protocols here. */ 81 uint16_t all; 82 struct { 83 uint16_t port; 84 } tcp; 85 struct { 86 uint16_t port; 87 } udp; 88 struct { 89 uint8_t type, code; 90 } icmp; 91 struct { 92 uint16_t port; 93 } sctp; 94 struct { 95 uint16_t port; 96 } dccp; 97 }; 98 99 union __nfct_address { 100 uint32_t v4; 101 struct in6_addr v6; 102 }; 103 104 struct __nfct_tuple { 105 union __nfct_address src; 106 union __nfct_address dst; 107 108 uint8_t l3protonum; 109 uint8_t protonum; 110 uint16_t zone; 111 112 union __nfct_l4_src l4src; 113 union __nfct_l4_dst l4dst; 114 }; 115 116 #define __DIR_ORIG 0 117 #define __DIR_REPL 1 118 #define __DIR_MAX __DIR_REPL+1 119 #define __DIR_MASTER 2 120 121 union __nfct_protoinfo { 122 struct { 123 uint8_t state; 124 struct { 125 uint8_t value; 126 uint8_t mask; 127 } flags[__DIR_MAX]; 128 uint8_t wscale[__DIR_MAX]; 129 } tcp; 130 struct { 131 uint8_t state; 132 uint32_t vtag[__DIR_MAX]; 133 } sctp; 134 struct { 135 uint8_t state; 136 uint8_t role; 137 uint64_t handshake_seq; 138 } dccp; 139 }; 140 141 struct __nfct_counters { 142 uint64_t packets; 143 uint64_t bytes; 144 }; 145 146 struct __nfct_nat { 147 union __nfct_address min_ip, max_ip; 148 union __nfct_l4_src l4min, l4max; 149 }; 150 151 struct nfct_tuple_head { 152 struct __nfct_tuple orig; 153 154 #define __NFCT_BITSET 3 155 uint32_t set[__NFCT_BITSET]; 156 }; 157 158 struct nf_conntrack { 159 struct nfct_tuple_head head; 160 struct __nfct_tuple repl; 161 struct __nfct_tuple master; 162 163 uint32_t timeout; 164 uint32_t mark; 165 uint32_t secmark; 166 uint32_t status; 167 uint32_t use; 168 uint32_t id; 169 uint16_t zone; 170 171 char helper_name[NFCT_HELPER_NAME_MAX]; 172 /* According to Eric Paris <eparis (at) redhat.com> this field can be up to 4096 173 * bytes long. For that reason, we allocate this dynamically. */ 174 char *secctx; 175 176 union __nfct_protoinfo protoinfo; 177 struct __nfct_counters counters[__DIR_MAX]; 178 struct __nfct_nat snat; 179 struct __nfct_nat dnat; 180 181 struct { 182 uint32_t correction_pos; 183 uint32_t offset_before; 184 uint32_t offset_after; 185 } natseq[__DIR_MAX]; 186 187 struct { 188 uint64_t start; 189 uint64_t stop; 190 } timestamp; 191 192 void *helper_info; 193 size_t helper_info_len; 194 195 struct nfct_bitmask *connlabels; 196 struct nfct_bitmask *connlabels_mask; 197 }; 198 199 /* 200 * conntrack filter object 201 */ 202 203 struct nfct_filter { 204 /* 205 * As many other objects in this library, the attributes are 206 * private. This gives us the chance to modify the layout and 207 * object size. 208 * 209 * Another observation, although this object might seem too 210 * memory consuming, it is only needed to build the filter. Thus, 211 * once it is attached, you can release this object. 212 */ 213 214 /* 215 * filter logic: use positive or negative logic 216 */ 217 enum nfct_filter_logic logic[NFCT_FILTER_MAX]; 218 219 /* 220 * This the layer 4 protocol map for filtering. Not more than 221 * 255 protocols (maximum is IPPROTO_MAX which is 256). Actually, 222 * I doubt that anyone can reach such a limit. 223 */ 224 #define __FILTER_L4PROTO_MAX 255 225 uint32_t l4proto_map[IPPROTO_MAX/32]; 226 uint32_t l4proto_len; 227 228 struct { 229 /* 230 * No limitations in the protocol filtering. We use a map of 231 * 16 bits per protocol. As for now, DCCP has 10 states, TCP has 232 * 10 states, SCTP has 8 state. Therefore, 16 bits is enough. 233 */ 234 #define __FILTER_PROTO_MAX 16 235 uint16_t map; 236 uint16_t len; 237 } l4proto_state[IPPROTO_MAX]; 238 239 #define __FILTER_ADDR_SRC 0 240 #define __FILTER_ADDR_DST 1 241 242 /* 243 * FIXME: For IPv4 filtering, up to 127 IPs by now. 244 * This limitation is related to the existing autogenerated BSF code 245 * (two BSF lines per comparison) and the fact that the maximum 246 * jump offset is 0xff which is 255. 247 */ 248 uint32_t l3proto_elems[2]; 249 struct { 250 #define __FILTER_ADDR_MAX 127 251 uint32_t addr; 252 uint32_t mask; 253 } l3proto[2][__FILTER_ADDR_MAX]; 254 255 /* 256 * FIXME: For IPv6 filtering, up to 20 IPs/masks (12 BSF lines 257 * per comparison). I think that it is not worthy to try to support 258 * more than that for performance reasons. It seems that oprofile 259 * shows bad numbers for very large BSF code. 260 */ 261 uint32_t l3proto_elems_ipv6[2]; 262 struct { 263 #define __FILTER_IPV6_MAX 20 264 uint32_t addr[4]; 265 uint32_t mask[4]; 266 } l3proto_ipv6[2][__FILTER_IPV6_MAX]; 267 268 uint32_t mark_elems; 269 struct { 270 #define __FILTER_MARK_MAX 127 271 uint32_t val; 272 uint32_t mask; 273 } mark[__FILTER_MARK_MAX]; 274 275 uint32_t set[1]; 276 }; 277 278 /* 279 * conntrack filter dump object 280 */ 281 282 struct nfct_filter_dump { 283 struct nfct_filter_dump_mark mark; 284 uint8_t l3num; 285 uint32_t set; 286 }; 287 288 /* 289 * expectation object 290 */ 291 292 #define __NFCT_EXPECTFN_MAX 24 /* maximum symbol length. */ 293 294 struct nf_expect { 295 struct nfct_tuple_head master; 296 struct nfct_tuple_head expected; 297 struct nfct_tuple_head mask; 298 struct nfct_tuple_head nat; 299 300 uint32_t timeout; 301 uint32_t id; 302 uint16_t zone; 303 uint32_t flags; 304 uint32_t class; 305 char helper_name[NFCT_HELPER_NAME_MAX]; 306 uint32_t nat_dir; 307 char expectfn[__NFCT_EXPECTFN_MAX]; 308 309 uint32_t set[1]; 310 }; 311 312 /* 313 * bitmask object 314 */ 315 struct nfct_bitmask { 316 unsigned int words; 317 uint32_t bits[]; 318 }; 319 320 struct nfct_labelmap; 321 322 #endif 323
