libnetfilter_conntrack 1.1.1
libnetfilter_conntrack.h
1/*
2 * (C) 2005-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
8 */
9
10#ifndef _LIBNETFILTER_CONNTRACK_H_
11#define _LIBNETFILTER_CONNTRACK_H_
12
13#include <stdbool.h>
14#include <netinet/in.h>
15#include <libnfnetlink/linux_nfnetlink.h>
16#include <libnfnetlink/libnfnetlink.h>
17#include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h>
18#include <libnetfilter_conntrack/linux_nf_conntrack_common.h>
19
20#ifdef __cplusplus
21extern "C" {
22#endif
23
24enum {
25 CONNTRACK = NFNL_SUBSYS_CTNETLINK,
26 EXPECT = NFNL_SUBSYS_CTNETLINK_EXP
27};
28
29/*
30 * Subscribe to all possible conntrack event groups. Use this
31 * flag in case that you want to catch up all the possible
32 * events. Do not use this flag for dumping or any other
33 * similar operation.
34 */
35#define NFCT_ALL_CT_GROUPS (NF_NETLINK_CONNTRACK_NEW|NF_NETLINK_CONNTRACK_UPDATE|NF_NETLINK_CONNTRACK_DESTROY)
36
37struct nfct_handle;
38
39/*
40 * [Open|close] a conntrack handler
41 */
42extern struct nfct_handle *nfct_open(uint8_t, unsigned);
43extern struct nfct_handle *nfct_open_nfnl(struct nfnl_handle *nfnlh,
44 uint8_t subsys_id,
45 unsigned int subscriptions);
46extern int nfct_close(struct nfct_handle *cth);
47
48extern int nfct_fd(struct nfct_handle *cth);
49extern const struct nfnl_handle *nfct_nfnlh(struct nfct_handle *cth);
50
51/*
52 * NEW libnetfilter_conntrack API
53 */
54
55/* high level API */
56
57#include <sys/types.h>
58
59/* conntrack object */
60struct nf_conntrack;
61
62/* conntrack attributes */
63enum nf_conntrack_attr {
64 ATTR_ORIG_IPV4_SRC = 0, /* u32 bits */
65 ATTR_IPV4_SRC = ATTR_ORIG_IPV4_SRC, /* alias */
66 ATTR_ORIG_IPV4_DST, /* u32 bits */
67 ATTR_IPV4_DST = ATTR_ORIG_IPV4_DST, /* alias */
68 ATTR_REPL_IPV4_SRC, /* u32 bits */
69 ATTR_REPL_IPV4_DST, /* u32 bits */
70 ATTR_ORIG_IPV6_SRC = 4, /* u128 bits */
71 ATTR_IPV6_SRC = ATTR_ORIG_IPV6_SRC, /* alias */
72 ATTR_ORIG_IPV6_DST, /* u128 bits */
73 ATTR_IPV6_DST = ATTR_ORIG_IPV6_DST, /* alias */
74 ATTR_REPL_IPV6_SRC, /* u128 bits */
75 ATTR_REPL_IPV6_DST, /* u128 bits */
76 ATTR_ORIG_PORT_SRC = 8, /* u16 bits */
77 ATTR_PORT_SRC = ATTR_ORIG_PORT_SRC, /* alias */
78 ATTR_ORIG_PORT_DST, /* u16 bits */
79 ATTR_PORT_DST = ATTR_ORIG_PORT_DST, /* alias */
80 ATTR_REPL_PORT_SRC, /* u16 bits */
81 ATTR_REPL_PORT_DST, /* u16 bits */
82 ATTR_ICMP_TYPE = 12, /* u8 bits */
83 ATTR_ICMP_CODE, /* u8 bits */
84 ATTR_ICMP_ID, /* u16 bits */
85 ATTR_ORIG_L3PROTO, /* u8 bits */
86 ATTR_L3PROTO = ATTR_ORIG_L3PROTO, /* alias */
87 ATTR_REPL_L3PROTO = 16, /* u8 bits */
88 ATTR_ORIG_L4PROTO, /* u8 bits */
89 ATTR_L4PROTO = ATTR_ORIG_L4PROTO, /* alias */
90 ATTR_REPL_L4PROTO, /* u8 bits */
91 ATTR_TCP_STATE, /* u8 bits */
92 ATTR_SNAT_IPV4 = 20, /* u32 bits */
93 ATTR_DNAT_IPV4, /* u32 bits */
94 ATTR_SNAT_PORT, /* u16 bits */
95 ATTR_DNAT_PORT, /* u16 bits */
96 ATTR_TIMEOUT = 24, /* u32 bits */
97 ATTR_MARK, /* u32 bits */
98 ATTR_ORIG_COUNTER_PACKETS, /* u64 bits */
99 ATTR_REPL_COUNTER_PACKETS, /* u64 bits */
100 ATTR_ORIG_COUNTER_BYTES = 28, /* u64 bits */
101 ATTR_REPL_COUNTER_BYTES, /* u64 bits */
102 ATTR_USE, /* u32 bits */
103 ATTR_ID, /* u32 bits */
104 ATTR_STATUS = 32, /* u32 bits */
105 ATTR_TCP_FLAGS_ORIG, /* u8 bits */
106 ATTR_TCP_FLAGS_REPL, /* u8 bits */
107 ATTR_TCP_MASK_ORIG, /* u8 bits */
108 ATTR_TCP_MASK_REPL = 36, /* u8 bits */
109 ATTR_MASTER_IPV4_SRC, /* u32 bits */
110 ATTR_MASTER_IPV4_DST, /* u32 bits */
111 ATTR_MASTER_IPV6_SRC, /* u128 bits */
112 ATTR_MASTER_IPV6_DST = 40, /* u128 bits */
113 ATTR_MASTER_PORT_SRC, /* u16 bits */
114 ATTR_MASTER_PORT_DST, /* u16 bits */
115 ATTR_MASTER_L3PROTO, /* u8 bits */
116 ATTR_MASTER_L4PROTO = 44, /* u8 bits */
117 ATTR_SECMARK, /* u32 bits */
118 ATTR_ORIG_NAT_SEQ_CORRECTION_POS, /* u32 bits */
119 ATTR_ORIG_NAT_SEQ_OFFSET_BEFORE, /* u32 bits */
120 ATTR_ORIG_NAT_SEQ_OFFSET_AFTER = 48, /* u32 bits */
121 ATTR_REPL_NAT_SEQ_CORRECTION_POS, /* u32 bits */
122 ATTR_REPL_NAT_SEQ_OFFSET_BEFORE, /* u32 bits */
123 ATTR_REPL_NAT_SEQ_OFFSET_AFTER, /* u32 bits */
124 ATTR_SCTP_STATE = 52, /* u8 bits */
125 ATTR_SCTP_VTAG_ORIG, /* u32 bits */
126 ATTR_SCTP_VTAG_REPL, /* u32 bits */
127 ATTR_HELPER_NAME, /* string (30 bytes max) */
128 ATTR_DCCP_STATE = 56, /* u8 bits */
129 ATTR_DCCP_ROLE, /* u8 bits */
130 ATTR_DCCP_HANDSHAKE_SEQ, /* u64 bits */
131 ATTR_TCP_WSCALE_ORIG, /* u8 bits */
132 ATTR_TCP_WSCALE_REPL = 60, /* u8 bits */
133 ATTR_ZONE, /* u16 bits */
134 ATTR_SECCTX, /* string */
135 ATTR_TIMESTAMP_START, /* u64 bits, linux >= 2.6.38 */
136 ATTR_TIMESTAMP_STOP = 64, /* u64 bits, linux >= 2.6.38 */
137 ATTR_HELPER_INFO, /* variable length */
138 ATTR_CONNLABELS, /* variable length */
139 ATTR_CONNLABELS_MASK, /* variable length */
140 ATTR_ORIG_ZONE = 68, /* u16 bits */
141 ATTR_REPL_ZONE, /* u16 bits */
142 ATTR_SNAT_IPV6, /* u128 bits */
143 ATTR_DNAT_IPV6, /* u128 bits */
144 ATTR_SYNPROXY_ISN = 72, /* u32 bits */
145 ATTR_SYNPROXY_ITS, /* u32 bits */
146 ATTR_SYNPROXY_TSOFF, /* u32 bits */
147 ATTR_TIMESTAMP_EVENT, /* u64 bits */
148 ATTR_MAX
149};
150
151/* conntrack attribute groups */
152enum nf_conntrack_attr_grp {
153 ATTR_GRP_ORIG_IPV4 = 0, /* struct nfct_attr_grp_ipv4 */
154 ATTR_GRP_REPL_IPV4, /* struct nfct_attr_grp_ipv4 */
155 ATTR_GRP_ORIG_IPV6, /* struct nfct_attr_grp_ipv6 */
156 ATTR_GRP_REPL_IPV6, /* struct nfct_attr_grp_ipv6 */
157 ATTR_GRP_ORIG_PORT = 4, /* struct nfct_attr_grp_port */
158 ATTR_GRP_REPL_PORT, /* struct nfct_attr_grp_port */
159 ATTR_GRP_ICMP, /* struct nfct_attr_grp_icmp */
160 ATTR_GRP_MASTER_IPV4, /* struct nfct_attr_grp_ipv4 */
161 ATTR_GRP_MASTER_IPV6 = 8, /* struct nfct_attr_grp_ipv6 */
162 ATTR_GRP_MASTER_PORT, /* struct nfct_attr_grp_port */
163 ATTR_GRP_ORIG_COUNTERS, /* struct nfct_attr_grp_ctrs */
164 ATTR_GRP_REPL_COUNTERS, /* struct nfct_attr_grp_ctrs */
165 ATTR_GRP_ORIG_ADDR_SRC = 12, /* union nfct_attr_grp_addr */
166 ATTR_GRP_ORIG_ADDR_DST, /* union nfct_attr_grp_addr */
167 ATTR_GRP_REPL_ADDR_SRC, /* union nfct_attr_grp_addr */
168 ATTR_GRP_REPL_ADDR_DST, /* union nfct_attr_grp_addr */
169 ATTR_GRP_MAX
170};
171
172struct nfct_attr_grp_ipv4 {
173 uint32_t src, dst;
174};
175
176struct nfct_attr_grp_ipv6 {
177 uint32_t src[4], dst[4];
178};
179
180struct nfct_attr_grp_port {
181 uint16_t sport, dport;
182};
183
184struct nfct_attr_grp_icmp {
185 uint16_t id;
186 uint8_t code, type;
187};
188
189struct nfct_attr_grp_ctrs {
190 uint64_t packets;
191 uint64_t bytes;
192};
193
194union nfct_attr_grp_addr {
195 uint32_t ip;
196 uint32_t ip6[4];
197 uint32_t addr[4];
198};
199
200/* message type */
201enum nf_conntrack_msg_type {
202 NFCT_T_UNKNOWN = 0,
203
204 NFCT_T_NEW_BIT = 0,
205 NFCT_T_NEW = (1 << NFCT_T_NEW_BIT),
206
207 NFCT_T_UPDATE_BIT = 1,
208 NFCT_T_UPDATE = (1 << NFCT_T_UPDATE_BIT),
209
210 NFCT_T_DESTROY_BIT = 2,
211 NFCT_T_DESTROY = (1 << NFCT_T_DESTROY_BIT),
212
213 NFCT_T_ALL = NFCT_T_NEW | NFCT_T_UPDATE | NFCT_T_DESTROY,
214
215 NFCT_T_ERROR_BIT = 31,
216 NFCT_T_ERROR = (1 << NFCT_T_ERROR_BIT),
217};
218
219/* constructor / destructor */
220extern struct nf_conntrack *nfct_new(void);
221extern void nfct_destroy(struct nf_conntrack *ct);
222
223/* clone */
224struct nf_conntrack *nfct_clone(const struct nf_conntrack *ct);
225
226/* object size */
227extern __attribute__((deprecated)) size_t nfct_sizeof(const struct nf_conntrack *ct);
228
229/* maximum object size */
230extern __attribute__((deprecated)) size_t nfct_maxsize(void);
231
232/* set option */
233enum {
234 NFCT_SOPT_UNDO_SNAT,
235 NFCT_SOPT_UNDO_DNAT,
236 NFCT_SOPT_UNDO_SPAT,
237 NFCT_SOPT_UNDO_DPAT,
238 NFCT_SOPT_SETUP_ORIGINAL,
239 NFCT_SOPT_SETUP_REPLY,
240 __NFCT_SOPT_MAX,
241};
242#define NFCT_SOPT_MAX (__NFCT_SOPT_MAX - 1)
243
244/* get option */
245enum {
246 NFCT_GOPT_IS_SNAT,
247 NFCT_GOPT_IS_DNAT,
248 NFCT_GOPT_IS_SPAT,
249 NFCT_GOPT_IS_DPAT,
250 __NFCT_GOPT_MAX,
251};
252#define NFCT_GOPT_MAX (__NFCT_GOPT_MAX - 1)
253
254extern int nfct_setobjopt(struct nf_conntrack *ct, unsigned int option);
255extern int nfct_getobjopt(const struct nf_conntrack *ct, unsigned int option);
256
257/* register / unregister callback */
258
259extern int nfct_callback_register(struct nfct_handle *h,
260 enum nf_conntrack_msg_type type,
261 int (*cb)(enum nf_conntrack_msg_type type,
262 struct nf_conntrack *ct,
263 void *data),
264 void *data);
265
266extern void nfct_callback_unregister(struct nfct_handle *h);
267
268/* register / unregister callback: extended version including netlink header */
269
270extern int nfct_callback_register2(struct nfct_handle *h,
271 enum nf_conntrack_msg_type type,
272 int (*cb)(const struct nlmsghdr *nlh,
273 enum nf_conntrack_msg_type type,
274 struct nf_conntrack *ct,
275 void *data),
276 void *data);
277
278extern void nfct_callback_unregister2(struct nfct_handle *h);
279
280/* callback verdict */
281enum {
282 NFCT_CB_FAILURE = -1, /* failure */
283 NFCT_CB_STOP = 0, /* stop the query */
284 NFCT_CB_CONTINUE = 1, /* keep iterating through data */
285 NFCT_CB_STOLEN = 2, /* like continue, but ct is not freed */
286};
287
288/* bitmask setter/getter */
289struct nfct_bitmask;
290
291struct nfct_bitmask *nfct_bitmask_new(unsigned int maxbit);
292struct nfct_bitmask *nfct_bitmask_clone(const struct nfct_bitmask *);
293unsigned int nfct_bitmask_maxbit(const struct nfct_bitmask *);
294
295void nfct_bitmask_set_bit(struct nfct_bitmask *, unsigned int bit);
296int nfct_bitmask_test_bit(const struct nfct_bitmask *, unsigned int bit);
297void nfct_bitmask_unset_bit(struct nfct_bitmask *, unsigned int bit);
298void nfct_bitmask_destroy(struct nfct_bitmask *);
299void nfct_bitmask_clear(struct nfct_bitmask *);
300bool nfct_bitmask_equal(const struct nfct_bitmask *, const struct nfct_bitmask *);
301
302/* connlabel name <-> bit translation mapping */
303struct nfct_labelmap;
304
305const char *nfct_labels_get_path(void);
306struct nfct_labelmap *nfct_labelmap_new(const char *mapfile);
307void nfct_labelmap_destroy(struct nfct_labelmap *map);
308const char *nfct_labelmap_get_name(struct nfct_labelmap *m, unsigned int bit);
309int nfct_labelmap_get_bit(struct nfct_labelmap *m, const char *name);
310
311/* setter */
312extern void nfct_set_attr(struct nf_conntrack *ct,
313 const enum nf_conntrack_attr type,
314 const void *value);
315
316extern void nfct_set_attr_u8(struct nf_conntrack *ct,
317 const enum nf_conntrack_attr type,
318 uint8_t value);
319
320extern void nfct_set_attr_u16(struct nf_conntrack *ct,
321 const enum nf_conntrack_attr type,
322 uint16_t value);
323
324extern void nfct_set_attr_u32(struct nf_conntrack *ct,
325 const enum nf_conntrack_attr type,
326 uint32_t value);
327
328extern void nfct_set_attr_u64(struct nf_conntrack *ct,
329 const enum nf_conntrack_attr type,
330 uint64_t value);
331
332extern void nfct_set_attr_l(struct nf_conntrack *ct,
333 const enum nf_conntrack_attr type,
334 const void *value,
335 size_t len);
336
337/* getter */
338extern const void *nfct_get_attr(const struct nf_conntrack *ct,
339 const enum nf_conntrack_attr type);
340
341extern uint8_t nfct_get_attr_u8(const struct nf_conntrack *ct,
342 const enum nf_conntrack_attr type);
343
344extern uint16_t nfct_get_attr_u16(const struct nf_conntrack *ct,
345 const enum nf_conntrack_attr type);
346
347extern uint32_t nfct_get_attr_u32(const struct nf_conntrack *ct,
348 const enum nf_conntrack_attr type);
349
350extern uint64_t nfct_get_attr_u64(const struct nf_conntrack *ct,
351 const enum nf_conntrack_attr type);
352
353/* checker */
354extern int nfct_attr_is_set(const struct nf_conntrack *ct,
355 const enum nf_conntrack_attr type);
356
357extern int nfct_attr_is_set_array(const struct nf_conntrack *ct,
358 const enum nf_conntrack_attr *type_array,
359 int size);
360
361/* unsetter */
362extern int nfct_attr_unset(struct nf_conntrack *ct,
363 const enum nf_conntrack_attr type);
364
365/* group setter */
366extern void nfct_set_attr_grp(struct nf_conntrack *ct,
367 const enum nf_conntrack_attr_grp type,
368 const void *value);
369/* group getter */
370extern int nfct_get_attr_grp(const struct nf_conntrack *ct,
371 const enum nf_conntrack_attr_grp type,
372 void *data);
373
374/* group checker */
375extern int nfct_attr_grp_is_set(const struct nf_conntrack *ct,
376 const enum nf_conntrack_attr_grp type);
377
378/* unsetter */
379extern int nfct_attr_grp_unset(struct nf_conntrack *ct,
380 const enum nf_conntrack_attr_grp type);
381
382/* print */
383
384/* output type */
385enum {
386 NFCT_O_PLAIN,
387 NFCT_O_DEFAULT = NFCT_O_PLAIN,
388 NFCT_O_XML,
389 NFCT_O_MAX
390};
391
392/* output flags */
393enum {
394 NFCT_OF_SHOW_LAYER3_BIT = 0,
395 NFCT_OF_SHOW_LAYER3 = (1 << NFCT_OF_SHOW_LAYER3_BIT),
396
397 NFCT_OF_TIME_BIT = 1,
398 NFCT_OF_TIME = (1 << NFCT_OF_TIME_BIT),
399
400 NFCT_OF_ID_BIT = 2,
401 NFCT_OF_ID = (1 << NFCT_OF_ID_BIT),
402
403 NFCT_OF_TIMESTAMP_BIT = 3,
404 NFCT_OF_TIMESTAMP = (1 << NFCT_OF_TIMESTAMP_BIT),
405};
406
407extern int nfct_snprintf(char *buf,
408 unsigned int size,
409 const struct nf_conntrack *ct,
410 const unsigned int msg_type,
411 const unsigned int out_type,
412 const unsigned int out_flags);
413
414extern int nfct_snprintf_labels(char *buf,
415 unsigned int size,
416 const struct nf_conntrack *ct,
417 const unsigned int msg_type,
418 const unsigned int out_type,
419 const unsigned int out_flags,
420 struct nfct_labelmap *map);
421
422/* comparison */
423extern int nfct_compare(const struct nf_conntrack *ct1,
424 const struct nf_conntrack *ct2);
425
426enum {
427 NFCT_CMP_ALL = 0,
428 NFCT_CMP_ORIG = (1 << 0),
429 NFCT_CMP_REPL = (1 << 1),
430 NFCT_CMP_TIMEOUT_EQ = (1 << 2),
431 NFCT_CMP_TIMEOUT_GT = (1 << 3),
432 NFCT_CMP_TIMEOUT_GE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_GT),
433 NFCT_CMP_TIMEOUT_LT = (1 << 4),
434 NFCT_CMP_TIMEOUT_LE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_LT),
435 NFCT_CMP_MASK = (1 << 5),
436 NFCT_CMP_STRICT = (1 << 6),
437};
438
439extern int nfct_cmp(const struct nf_conntrack *ct1,
440 const struct nf_conntrack *ct2,
441 unsigned int flags);
442
443
444/* query */
445enum nf_conntrack_query {
446 NFCT_Q_CREATE,
447 NFCT_Q_UPDATE,
448 NFCT_Q_DESTROY,
449 NFCT_Q_GET,
450 NFCT_Q_FLUSH,
451 NFCT_Q_DUMP,
452 NFCT_Q_DUMP_RESET,
453 NFCT_Q_CREATE_UPDATE,
454 NFCT_Q_DUMP_FILTER,
455 NFCT_Q_DUMP_FILTER_RESET,
456 NFCT_Q_FLUSH_FILTER,
457};
458
459extern int nfct_query(struct nfct_handle *h,
460 const enum nf_conntrack_query query,
461 const void *data);
462
463extern int nfct_send(struct nfct_handle *h,
464 const enum nf_conntrack_query query,
465 const void *data);
466
467extern int nfct_catch(struct nfct_handle *h);
468
469/* copy */
470enum {
471 NFCT_CP_ALL = 0,
472 NFCT_CP_ORIG = (1 << 0),
473 NFCT_CP_REPL = (1 << 1),
474 NFCT_CP_META = (1 << 2),
475 NFCT_CP_OVERRIDE = (1 << 3),
476};
477
478extern void nfct_copy(struct nf_conntrack *dest,
479 const struct nf_conntrack *source,
480 unsigned int flags);
481
482extern void nfct_copy_attr(struct nf_conntrack *ct1,
483 const struct nf_conntrack *ct2,
484 const enum nf_conntrack_attr type);
485
486/* event filtering */
487
488struct nfct_filter;
489
490extern struct nfct_filter *nfct_filter_create(void);
491extern void nfct_filter_destroy(struct nfct_filter *filter);
492
493struct nfct_filter_proto {
494 uint16_t proto;
495 uint16_t state;
496};
497struct nfct_filter_ipv4 {
498 uint32_t addr;
499 uint32_t mask;
500};
501struct nfct_filter_ipv6 {
502 uint32_t addr[4];
503 uint32_t mask[4];
504};
505
506enum nfct_filter_attr {
507 NFCT_FILTER_L4PROTO = 0, /* uint32_t */
508 NFCT_FILTER_L4PROTO_STATE, /* struct nfct_filter_proto */
509 NFCT_FILTER_SRC_IPV4, /* struct nfct_filter_ipv4 */
510 NFCT_FILTER_DST_IPV4, /* struct nfct_filter_ipv4 */
511 NFCT_FILTER_SRC_IPV6, /* struct nfct_filter_ipv6 */
512 NFCT_FILTER_DST_IPV6, /* struct nfct_filter_ipv6 */
513 NFCT_FILTER_MARK, /* struct nfct_filter_dump_mark */
514 NFCT_FILTER_ZONE, /* uint16_t */
515 NFCT_FILTER_MAX
516};
517
518extern void nfct_filter_add_attr(struct nfct_filter *filter,
519 const enum nfct_filter_attr attr,
520 const void *value);
521
522extern void nfct_filter_add_attr_u32(struct nfct_filter *filter,
523 const enum nfct_filter_attr attr,
524 const uint32_t value);
525
526enum nfct_filter_logic {
527 NFCT_FILTER_LOGIC_POSITIVE,
528 NFCT_FILTER_LOGIC_NEGATIVE,
529 NFCT_FILTER_LOGIC_MAX
530};
531
532extern int nfct_filter_set_logic(struct nfct_filter *filter,
533 const enum nfct_filter_attr attr,
534 const enum nfct_filter_logic logic);
535
536extern int nfct_filter_attach(int fd, struct nfct_filter *filter);
537extern int nfct_filter_detach(int fd);
538
539/* dump filtering */
540
541struct nfct_filter_dump;
542
543struct nfct_filter_dump_mark {
544 uint32_t val;
545 uint32_t mask;
546};
547
548enum nfct_filter_dump_attr {
549 NFCT_FILTER_DUMP_MARK = 0, /* struct nfct_filter_dump_mark */
550 NFCT_FILTER_DUMP_L3NUM, /* uint8_t */
551 NFCT_FILTER_DUMP_STATUS, /* struct nfct_filter_dump_mark */
552 NFCT_FILTER_DUMP_ZONE, /* uint16_t */
553 NFCT_FILTER_DUMP_TUPLE,
554 NFCT_FILTER_DUMP_MAX
555};
556
557struct nfct_filter_dump *nfct_filter_dump_create(void);
558
559void nfct_filter_dump_destroy(struct nfct_filter_dump *filter);
560
561void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump,
562 const enum nfct_filter_dump_attr type,
563 const void *data);
564
565void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump,
566 const enum nfct_filter_dump_attr type,
567 uint8_t data);
568
569void nfct_filter_dump_set_attr_u16(struct nfct_filter_dump *filter_dump,
570 const enum nfct_filter_dump_attr type,
571 uint16_t data);
572
573/* low level API: netlink functions */
574
575extern __attribute__((deprecated)) int
576nfct_build_conntrack(struct nfnl_subsys_handle *ssh,
577 void *req,
578 size_t size,
579 uint16_t type,
580 uint16_t flags,
581 const struct nf_conntrack *ct);
582
583extern __attribute__((deprecated))
584int nfct_parse_conntrack(enum nf_conntrack_msg_type msg,
585 const struct nlmsghdr *nlh,
586 struct nf_conntrack *ct);
587
588extern __attribute__((deprecated))
589int nfct_build_query(struct nfnl_subsys_handle *ssh,
590 const enum nf_conntrack_query query,
591 const void *data,
592 void *req,
593 unsigned int size);
594
595/* New low level API: netlink functions */
596
597extern int nfct_nlmsg_build(struct nlmsghdr *nlh, const struct nf_conntrack *ct);
598extern int nfct_nlmsg_build_filter(struct nlmsghdr *nlh, const struct nfct_filter_dump *filter_dump);
599extern int nfct_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_conntrack *ct);
600extern int nfct_payload_parse(const void *payload, size_t payload_len, uint16_t l3num, struct nf_conntrack *ct);
601
602/*
603 * NEW expectation API
604 */
605
606/* expectation object */
607struct nf_expect;
608
609/* expect attributes */
610enum nf_expect_attr {
611 ATTR_EXP_MASTER = 0, /* pointer to conntrack object */
612 ATTR_EXP_EXPECTED, /* pointer to conntrack object */
613 ATTR_EXP_MASK, /* pointer to conntrack object */
614 ATTR_EXP_TIMEOUT, /* u32 bits */
615 ATTR_EXP_ZONE, /* u16 bits */
616 ATTR_EXP_FLAGS, /* u32 bits */
617 ATTR_EXP_HELPER_NAME, /* string (16 bytes max) */
618 ATTR_EXP_CLASS, /* u32 bits */
619 ATTR_EXP_NAT_TUPLE, /* pointer to conntrack object */
620 ATTR_EXP_NAT_DIR, /* u8 bits */
621 ATTR_EXP_FN, /* string */
622 ATTR_EXP_MAX
623};
624
625/* constructor / destructor */
626extern struct nf_expect *nfexp_new(void);
627extern void nfexp_destroy(struct nf_expect *exp);
628
629/* clone */
630extern struct nf_expect *nfexp_clone(const struct nf_expect *exp);
631
632/* object size */
633extern size_t nfexp_sizeof(const struct nf_expect *exp);
634
635/* maximum object size */
636extern size_t nfexp_maxsize(void);
637
638/* register / unregister callback */
639
640extern int nfexp_callback_register(struct nfct_handle *h,
641 enum nf_conntrack_msg_type type,
642 int (*cb)(enum nf_conntrack_msg_type type,
643 struct nf_expect *exp,
644 void *data),
645 void *data);
646
647extern void nfexp_callback_unregister(struct nfct_handle *h);
648
649/* register / unregister callback: extended version including netlink header */
650extern int nfexp_callback_register2(struct nfct_handle *h,
651 enum nf_conntrack_msg_type type,
652 int (*cb)(const struct nlmsghdr *nlh,
653 enum nf_conntrack_msg_type type,
654 struct nf_expect *exp,
655 void *data),
656 void *data);
657
658extern void nfexp_callback_unregister2(struct nfct_handle *h);
659
660/* setter */
661extern void nfexp_set_attr(struct nf_expect *exp,
662 const enum nf_expect_attr type,
663 const void *value);
664
665extern void nfexp_set_attr_u8(struct nf_expect *exp,
666 const enum nf_expect_attr type,
667 uint8_t value);
668
669extern void nfexp_set_attr_u16(struct nf_expect *exp,
670 const enum nf_expect_attr type,
671 uint16_t value);
672
673extern void nfexp_set_attr_u32(struct nf_expect *exp,
674 const enum nf_expect_attr type,
675 uint32_t value);
676
677/* getter */
678extern const void *nfexp_get_attr(const struct nf_expect *exp,
679 const enum nf_expect_attr type);
680
681extern uint8_t nfexp_get_attr_u8(const struct nf_expect *exp,
682 const enum nf_expect_attr type);
683
684extern uint16_t nfexp_get_attr_u16(const struct nf_expect *exp,
685 const enum nf_expect_attr type);
686
687extern uint32_t nfexp_get_attr_u32(const struct nf_expect *exp,
688 const enum nf_expect_attr type);
689
690/* checker */
691extern int nfexp_attr_is_set(const struct nf_expect *exp,
692 const enum nf_expect_attr type);
693
694/* unsetter */
695extern int nfexp_attr_unset(struct nf_expect *exp,
696 const enum nf_expect_attr type);
697
698/* query */
699extern int nfexp_query(struct nfct_handle *h,
700 const enum nf_conntrack_query qt,
701 const void *data);
702
703/* print */
704extern int nfexp_snprintf(char *buf,
705 unsigned int size,
706 const struct nf_expect *exp,
707 const unsigned int msg_type,
708 const unsigned int out_type,
709 const unsigned int out_flags);
710
711/* compare */
712extern int nfexp_cmp(const struct nf_expect *exp1,
713 const struct nf_expect *exp2,
714 unsigned int flags);
715
716extern int nfexp_send(struct nfct_handle *h,
717 const enum nf_conntrack_query qt,
718 const void *data);
719
720extern int nfexp_catch(struct nfct_handle *h);
721
722/* low level API */
723extern __attribute__((deprecated))
724int nfexp_build_expect(struct nfnl_subsys_handle *ssh,
725 void *req,
726 size_t size,
727 uint16_t type,
728 uint16_t flags,
729 const struct nf_expect *exp);
730
731extern __attribute__((deprecated))
732int nfexp_parse_expect(enum nf_conntrack_msg_type type,
733 const struct nlmsghdr *nlh,
734 struct nf_expect *exp);
735
736extern __attribute__((deprecated))
737int nfexp_build_query(struct nfnl_subsys_handle *ssh,
738 const enum nf_conntrack_query qt,
739 const void *data,
740 void *buffer,
741 unsigned int size);
742
743/* New low level API: netlink functions */
744
745extern int nfexp_nlmsg_build(struct nlmsghdr *nlh, const struct nf_expect *exp);
746extern int nfexp_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_expect *exp);
747
748/*
749 * TCP flags
750 */
751
752/* Window scaling is advertised by the sender */
753#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01
754
755/* SACK is permitted by the sender */
756#define IP_CT_TCP_FLAG_SACK_PERM 0x02
757
758/* This sender sent FIN first */
759#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04
760
761/* Be liberal in window checking */
762#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08
763
764/* WARNING: do not use these constants in new applications, we keep them here
765 * to avoid breaking backward compatibility. */
766#define NFCT_DIR_ORIGINAL 0
767#define NFCT_DIR_REPLY 1
768#define NFCT_DIR_MAX NFCT_DIR_REPLY+1
769
770/* xt_helper uses a length size of 30 bytes, however, no helper name in
771 * the tree has exceeded 16 bytes length. Since 2.6.29, the maximum
772 * length accepted is 16 bytes, this limit is enforced during module load. */
773#define NFCT_HELPER_NAME_MAX 16
774
775#ifdef __cplusplus
776}
777#endif
778
779#endif /* _LIBNETFILTER_CONNTRACK_H_ */
nfexp_callback_unregister
void nfexp_callback_unregister(struct nfct_handle *h)
Definition expect/api.c:198
nfexp_callback_unregister2
void nfexp_callback_unregister2(struct nfct_handle *h)
Definition expect/api.c:273
nfct_callback_register
int nfct_callback_register(struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data)
Definition conntrack/api.c:224
nfexp_callback_register2
int nfexp_callback_register2(struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data)
Definition expect/api.c:232
nfct_open
struct nfct_handle * nfct_open(uint8_t, unsigned)
Definition main.c:84
nfct_callback_unregister2
void nfct_callback_unregister2(struct nfct_handle *h)
Definition conntrack/api.c:338
nfct_close
int nfct_close(struct nfct_handle *cth)
Definition main.c:105
nfct_callback_unregister
void nfct_callback_unregister(struct nfct_handle *h)
Definition conntrack/api.c:264
nfct_callback_register2
int nfct_callback_register2(struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data)
Definition conntrack/api.c:298
nfexp_callback_register
int nfexp_callback_register(struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data)
Definition expect/api.c:158
nfct_fd
int nfct_fd(struct nfct_handle *cth)
Definition main.c:144
nfct_filter_destroy
void nfct_filter_destroy(struct nfct_filter *filter)
Definition conntrack/api.c:1377
nfct_filter_detach
int nfct_filter_detach(int fd)
Definition conntrack/api.c:1480
nfct_filter_set_logic
int nfct_filter_set_logic(struct nfct_filter *filter, const enum nfct_filter_attr attr, const enum nfct_filter_logic logic)
Definition conntrack/api.c:1439
nfct_filter_attach
int nfct_filter_attach(int fd, struct nfct_filter *filter)
Definition conntrack/api.c:1467
nfct_filter_add_attr_u32
void nfct_filter_add_attr_u32(struct nfct_filter *filter, const enum nfct_filter_attr attr, const uint32_t value)
Definition conntrack/api.c:1417
nfct_filter_add_attr
void nfct_filter_add_attr(struct nfct_filter *filter, const enum nfct_filter_attr attr, const void *value)
Definition conntrack/api.c:1393
nfct_filter_create
struct nfct_filter * nfct_filter_create(void)
Definition conntrack/api.c:1364
nfexp_catch
int nfexp_catch(struct nfct_handle *h)
Definition expect/api.c:760
nfct_send
int nfct_send(struct nfct_handle *h, const enum nf_conntrack_query query, const void *data)
Definition conntrack/api.c:1023
nfct_catch
int nfct_catch(struct nfct_handle *h)
Definition conntrack/api.c:1057
nfexp_send
int nfexp_send(struct nfct_handle *h, const enum nf_conntrack_query qt, const void *data)
Definition expect/api.c:727
nfexp_query
int nfexp_query(struct nfct_handle *h, const enum nf_conntrack_query qt, const void *data)
Definition expect/api.c:695
nfct_query
int nfct_query(struct nfct_handle *h, const enum nf_conntrack_query query, const void *data)
Definition conntrack/api.c:991
nfct_sizeof
size_t nfct_sizeof(const struct nf_conntrack *ct)
Definition conntrack/api.c:114
nfct_snprintf_labels
int nfct_snprintf_labels(char *buf, unsigned int size, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int out_type, const unsigned int out_flags, struct nfct_labelmap *map)
Definition conntrack/api.c:1141
nfct_set_attr_u32
void nfct_set_attr_u32(struct nf_conntrack *ct, const enum nf_conntrack_attr type, uint32_t value)
Definition conntrack/api.c:439
nfct_destroy
void nfct_destroy(struct nf_conntrack *ct)
Definition conntrack/api.c:93
nfct_copy_attr
void nfct_copy_attr(struct nf_conntrack *ct1, const struct nf_conntrack *ct2, const enum nf_conntrack_attr type)
Definition conntrack/api.c:1337
nfct_set_attr
void nfct_set_attr(struct nf_conntrack *ct, const enum nf_conntrack_attr type, const void *value)
Definition conntrack/api.c:399
nfct_attr_grp_unset
int nfct_attr_grp_unset(struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type)
Definition conntrack/api.c:731
nfct_get_attr_u64
uint64_t nfct_get_attr_u64(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
Definition conntrack/api.c:544
nfct_setobjopt
int nfct_setobjopt(struct nf_conntrack *ct, unsigned int option)
Definition conntrack/api.c:169
nfct_get_attr_grp
int nfct_get_attr_grp(const struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type, void *data)
Definition conntrack/api.c:655
nfct_set_attr_grp
void nfct_set_attr_grp(struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type, const void *value)
Definition conntrack/api.c:630
nfct_get_attr
const void * nfct_get_attr(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
Definition conntrack/api.c:467
nfct_attr_is_set_array
int nfct_attr_is_set_array(const struct nf_conntrack *ct, const enum nf_conntrack_attr *type_array, int size)
Definition conntrack/api.c:580
nfct_attr_unset
int nfct_attr_unset(struct nf_conntrack *ct, const enum nf_conntrack_attr type)
Definition conntrack/api.c:607
nfct_copy
void nfct_copy(struct nf_conntrack *dest, const struct nf_conntrack *source, unsigned int flags)
Definition conntrack/api.c:1247
nfct_get_attr_u16
uint16_t nfct_get_attr_u16(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
Definition conntrack/api.c:512
nfct_attr_grp_is_set
int nfct_attr_grp_is_set(const struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type)
Definition conntrack/api.c:695
nfct_cmp
int nfct_cmp(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2, unsigned int flags)
Definition conntrack/api.c:1212
nfct_set_attr_u16
void nfct_set_attr_u16(struct nf_conntrack *ct, const enum nf_conntrack_attr type, uint16_t value)
Definition conntrack/api.c:426
nfct_get_attr_u32
uint32_t nfct_get_attr_u32(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
Definition conntrack/api.c:528
nfct_set_attr_u8
void nfct_set_attr_u8(struct nf_conntrack *ct, const enum nf_conntrack_attr type, uint8_t value)
Definition conntrack/api.c:413
nfct_set_attr_u64
void nfct_set_attr_u64(struct nf_conntrack *ct, const enum nf_conntrack_attr type, uint64_t value)
Definition conntrack/api.c:452
nfct_set_attr_l
void nfct_set_attr_l(struct nf_conntrack *ct, const enum nf_conntrack_attr type, const void *value, size_t len)
Definition conntrack/api.c:370
nfct_snprintf
int nfct_snprintf(char *buf, unsigned int size, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int out_type, const unsigned int out_flags)
Definition conntrack/api.c:1113
nfct_maxsize
size_t nfct_maxsize(void)
Definition conntrack/api.c:136
nfct_attr_is_set
int nfct_attr_is_set(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
Definition conntrack/api.c:559
nfct_getobjopt
int nfct_getobjopt(const struct nf_conntrack *ct, unsigned int option)
Definition conntrack/api.c:189
nfct_compare
int nfct_compare(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2)
Definition conntrack/api.c:1166
nfct_get_attr_u8
uint8_t nfct_get_attr_u8(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
Definition conntrack/api.c:496
nfct_new
struct nf_conntrack * nfct_new(void)
Definition conntrack/api.c:76
nfct_clone
struct nf_conntrack * nfct_clone(const struct nf_conntrack *ct)
Definition conntrack/api.c:148
nfct_filter_dump_set_attr_u8
void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump, const enum nfct_filter_dump_attr type, uint8_t data)
Definition conntrack/api.c:1549
nfct_filter_dump_create
struct nfct_filter_dump * nfct_filter_dump_create(void)
Definition conntrack/api.c:1503
nfct_filter_dump_destroy
void nfct_filter_dump_destroy(struct nfct_filter_dump *filter)
Definition conntrack/api.c:1514
nfct_filter_dump_set_attr_u16
void nfct_filter_dump_set_attr_u16(struct nfct_filter_dump *filter_dump, const enum nfct_filter_dump_attr type, uint16_t data)
Definition conntrack/api.c:1562
nfct_filter_dump_set_attr
void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump, const enum nfct_filter_dump_attr type, const void *data)
Definition conntrack/api.c:1527
nfexp_set_attr_u32
void nfexp_set_attr_u32(struct nf_expect *exp, const enum nf_expect_attr type, uint32_t value)
Definition expect/api.c:357
nfexp_new
struct nf_expect * nfexp_new(void)
Definition expect/api.c:29
nfexp_get_attr_u32
uint32_t nfexp_get_attr_u32(const struct nf_expect *exp, const enum nf_expect_attr type)
Definition expect/api.c:431
nfexp_sizeof
size_t nfexp_sizeof(const struct nf_expect *exp)
Definition expect/api.c:57
nfexp_get_attr
const void * nfexp_get_attr(const struct nf_expect *exp, const enum nf_expect_attr type)
Definition expect/api.c:372
nfexp_set_attr_u16
void nfexp_set_attr_u16(struct nf_expect *exp, const enum nf_expect_attr type, uint16_t value)
Definition expect/api.c:344
nfexp_set_attr
void nfexp_set_attr(struct nf_expect *exp, const enum nf_expect_attr type, const void *value)
Definition expect/api.c:309
nfexp_cmp
int nfexp_cmp(const struct nf_expect *exp1, const struct nf_expect *exp2, unsigned int flags)
Definition expect/api.c:127
nfexp_get_attr_u16
uint16_t nfexp_get_attr_u16(const struct nf_expect *exp, const enum nf_expect_attr type)
Definition expect/api.c:415
nfexp_set_attr_u8
void nfexp_set_attr_u8(struct nf_expect *exp, const enum nf_expect_attr type, uint8_t value)
Definition expect/api.c:331
nfexp_get_attr_u8
uint8_t nfexp_get_attr_u8(const struct nf_expect *exp, const enum nf_expect_attr type)
Definition expect/api.c:399
nfexp_snprintf
int nfexp_snprintf(char *buf, unsigned int size, const struct nf_expect *exp, const unsigned int msg_type, const unsigned int out_type, const unsigned int out_flags)
Definition expect/api.c:802
nfexp_destroy
void nfexp_destroy(struct nf_expect *exp)
Definition expect/api.c:46
nfexp_attr_unset
int nfexp_attr_unset(struct nf_expect *exp, const enum nf_expect_attr type)
Definition expect/api.c:466
nfexp_clone
struct nf_expect * nfexp_clone(const struct nf_expect *exp)
Definition expect/api.c:89
nfexp_attr_is_set
int nfexp_attr_is_set(const struct nf_expect *exp, const enum nf_expect_attr type)
Definition expect/api.c:446
nfexp_maxsize
size_t nfexp_maxsize(void)
Definition expect/api.c:77
nfct_labels_get_path
const char * nfct_labels_get_path(void)
Definition conntrack/api.c:1585
nfct_labelmap_destroy
void nfct_labelmap_destroy(struct nfct_labelmap *map)
Definition conntrack/api.c:1638
nfct_labelmap_get_name
const char * nfct_labelmap_get_name(struct nfct_labelmap *m, unsigned int bit)
Definition conntrack/api.c:1600
nfct_labelmap_new
struct nfct_labelmap * nfct_labelmap_new(const char *mapfile)
Definition conntrack/api.c:1626
nfct_labelmap_get_bit
int nfct_labelmap_get_bit(struct nfct_labelmap *m, const char *name)
Definition conntrack/api.c:1613
nfexp_build_query
int nfexp_build_query(struct nfnl_subsys_handle *ssh, const enum nf_conntrack_query qt, const void *data, void *buffer, unsigned int size)
Definition expect/api.c:609
nfct_parse_conntrack
int nfct_parse_conntrack(enum nf_conntrack_msg_type type, const struct nlmsghdr *nlh, struct nf_conntrack *ct)
Definition conntrack/api.c:955
nfexp_build_expect
int nfexp_build_expect(struct nfnl_subsys_handle *ssh, void *req, size_t size, uint16_t type, uint16_t flags, const struct nf_expect *exp)
Definition expect/api.c:505
nfct_build_conntrack
int nfct_build_conntrack(struct nfnl_subsys_handle *ssh, void *req, size_t size, uint16_t type, uint16_t flags, const struct nf_conntrack *ct)
Definition conntrack/api.c:771
nfexp_parse_expect
int nfexp_parse_expect(enum nf_conntrack_msg_type type, const struct nlmsghdr *nlh, struct nf_expect *exp)
Definition expect/api.c:659
nfct_build_query
int nfct_build_query(struct nfnl_subsys_handle *ssh, const enum nf_conntrack_query qt, const void *data, void *buffer, unsigned int size)
Definition conntrack/api.c:905
nfct_attr_grp_ctrs
Definition libnetfilter_conntrack.h:189
nfct_attr_grp_icmp
Definition libnetfilter_conntrack.h:184
nfct_attr_grp_ipv4
Definition libnetfilter_conntrack.h:172
nfct_attr_grp_ipv6
Definition libnetfilter_conntrack.h:176
nfct_attr_grp_port
Definition libnetfilter_conntrack.h:180
nfct_filter_dump_mark
Definition libnetfilter_conntrack.h:543
nfct_filter_ipv4
Definition libnetfilter_conntrack.h:497
nfct_filter_ipv6
Definition libnetfilter_conntrack.h:501
nfct_filter_proto
Definition libnetfilter_conntrack.h:493
nfct_labelmap
Definition labels.c:17
nfct_attr_grp_addr
Definition libnetfilter_conntrack.h:194
Generated by doxygen 1.15.0