1 /*
2  * (C) 2005-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
3  *
4  * This program is free software; you can redistribute it and/or modify it
5  * under the terms of the GNU General Public License as published by
6  * the Free Software Foundation; either version 2 of the License, or
7  * (at your option) any later version.
8  */
9 
10 #ifndef _LIBNETFILTER_CONNTRACK_H_
11 #define _LIBNETFILTER_CONNTRACK_H_
12 
13 #include <stdbool.h>
14 #include <netinet/in.h>
15 #include <libnfnetlink/linux_nfnetlink.h>
16 #include <libnfnetlink/libnfnetlink.h>
17 #include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h>
18 #include <libnetfilter_conntrack/linux_nf_conntrack_common.h>
19 
20 #ifdef __cplusplus
21 extern "C" {
22 #endif
23 
/*
 * Netfilter-netlink subsystem identifiers accepted as the subsys_id
 * argument of nfct_open()/nfct_open_nfnl(): CONNTRACK selects the
 * conntrack table, EXPECT the expectation table.
 */
enum {
	CONNTRACK = NFNL_SUBSYS_CTNETLINK,
	EXPECT = NFNL_SUBSYS_CTNETLINK_EXP
};
28 
/*
 * Subscription mask covering every conntrack event group (NEW, UPDATE
 * and DESTROY). Pass it as the subscriptions argument of nfct_open()
 * when the handle is meant to receive events. Do not use it for a
 * handle that only issues dumps or other queries; pass 0 there.
 */
#define NFCT_ALL_CT_GROUPS (NF_NETLINK_CONNTRACK_NEW|NF_NETLINK_CONNTRACK_UPDATE|NF_NETLINK_CONNTRACK_DESTROY)
36 
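struct nfct_handle;

/*
 * Open / close a conntrack handle.
 *
 * nfct_open() creates a new netlink socket for the given subsystem;
 * nfct_open_nfnl() wraps an nfnl_handle the caller already opened.
 *
 * subsys_id      CONNTRACK or EXPECT.
 * subscriptions  bitmask of NF_NETLINK_CONNTRACK_* event groups to
 *                listen on (NFCT_ALL_CT_GROUPS for every conntrack
 *                event, 0 for a query/dump-only handle).
 *
 * The failure indication is not visible in this header; treat a NULL
 * return as failure and check it before use (review: confirm in main.c).
 * Parameter names on nfct_open() match nfct_open_nfnl() so the two
 * prototypes document the same contract.
 */
extern struct nfct_handle *nfct_open(uint8_t subsys_id,
				     unsigned int subscriptions);
extern struct nfct_handle *nfct_open_nfnl(struct nfnl_handle *nfnlh,
					  uint8_t subsys_id,
					  unsigned int subscriptions);
extern int nfct_close(struct nfct_handle *cth);

/* File descriptor behind the handle (e.g. for poll()/select()). */
extern int nfct_fd(struct nfct_handle *cth);
/* Read-only access to the underlying libnfnetlink handle. */
extern const struct nfnl_handle *nfct_nfnlh(struct nfct_handle *cth);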
50 
51 /*
52  * NEW libnetfilter_conntrack API
53  */
54 
55 /* high level API */
56 
57 #include <sys/types.h>
58 
/* conntrack object (opaque; create with nfct_new(), free with nfct_destroy()) */
struct nf_conntrack;

/*
 * Conntrack attributes.
 *
 * Each entry's trailing comment gives the width of the value that the
 * typed accessors (nfct_set_attr_u8/u16/u32/u64, nfct_get_attr_u*)
 * expect, or "string"/"variable length" for the untyped ones. The
 * numeric values are fixed (explicit anchors every fourth entry) and
 * form part of the library ABI; append new attributes before ATTR_MAX
 * only.
 */
enum nf_conntrack_attr {
	ATTR_ORIG_IPV4_SRC = 0, /* u32 bits */
	ATTR_IPV4_SRC = ATTR_ORIG_IPV4_SRC, /* alias */
	ATTR_ORIG_IPV4_DST, /* u32 bits */
	ATTR_IPV4_DST = ATTR_ORIG_IPV4_DST, /* alias */
	ATTR_REPL_IPV4_SRC, /* u32 bits */
	ATTR_REPL_IPV4_DST, /* u32 bits */
	ATTR_ORIG_IPV6_SRC = 4, /* u128 bits */
	ATTR_IPV6_SRC = ATTR_ORIG_IPV6_SRC, /* alias */
	ATTR_ORIG_IPV6_DST, /* u128 bits */
	ATTR_IPV6_DST = ATTR_ORIG_IPV6_DST, /* alias */
	ATTR_REPL_IPV6_SRC, /* u128 bits */
	ATTR_REPL_IPV6_DST, /* u128 bits */
	ATTR_ORIG_PORT_SRC = 8, /* u16 bits */
	ATTR_PORT_SRC = ATTR_ORIG_PORT_SRC, /* alias */
	ATTR_ORIG_PORT_DST, /* u16 bits */
	ATTR_PORT_DST = ATTR_ORIG_PORT_DST, /* alias */
	ATTR_REPL_PORT_SRC, /* u16 bits */
	ATTR_REPL_PORT_DST, /* u16 bits */
	ATTR_ICMP_TYPE = 12, /* u8 bits */
	ATTR_ICMP_CODE, /* u8 bits */
	ATTR_ICMP_ID, /* u16 bits */
	ATTR_ORIG_L3PROTO, /* u8 bits */
	ATTR_L3PROTO = ATTR_ORIG_L3PROTO, /* alias */
	ATTR_REPL_L3PROTO = 16, /* u8 bits */
	ATTR_ORIG_L4PROTO, /* u8 bits */
	ATTR_L4PROTO = ATTR_ORIG_L4PROTO, /* alias */
	ATTR_REPL_L4PROTO, /* u8 bits */
	ATTR_TCP_STATE, /* u8 bits */
	ATTR_SNAT_IPV4 = 20, /* u32 bits */
	ATTR_DNAT_IPV4, /* u32 bits */
	ATTR_SNAT_PORT, /* u16 bits */
	ATTR_DNAT_PORT, /* u16 bits */
	ATTR_TIMEOUT = 24, /* u32 bits */
	ATTR_MARK, /* u32 bits */
	ATTR_ORIG_COUNTER_PACKETS, /* u64 bits */
	ATTR_REPL_COUNTER_PACKETS, /* u64 bits */
	ATTR_ORIG_COUNTER_BYTES = 28, /* u64 bits */
	ATTR_REPL_COUNTER_BYTES, /* u64 bits */
	ATTR_USE, /* u32 bits */
	ATTR_ID, /* u32 bits */
	ATTR_STATUS = 32, /* u32 bits */
	ATTR_TCP_FLAGS_ORIG, /* u8 bits */
	ATTR_TCP_FLAGS_REPL, /* u8 bits */
	ATTR_TCP_MASK_ORIG, /* u8 bits */
	ATTR_TCP_MASK_REPL = 36, /* u8 bits */
	ATTR_MASTER_IPV4_SRC, /* u32 bits */
	ATTR_MASTER_IPV4_DST, /* u32 bits */
	ATTR_MASTER_IPV6_SRC, /* u128 bits */
	ATTR_MASTER_IPV6_DST = 40, /* u128 bits */
	ATTR_MASTER_PORT_SRC, /* u16 bits */
	ATTR_MASTER_PORT_DST, /* u16 bits */
	ATTR_MASTER_L3PROTO, /* u8 bits */
	ATTR_MASTER_L4PROTO = 44, /* u8 bits */
	ATTR_SECMARK, /* u32 bits */
	ATTR_ORIG_NAT_SEQ_CORRECTION_POS, /* u32 bits */
	ATTR_ORIG_NAT_SEQ_OFFSET_BEFORE, /* u32 bits */
	ATTR_ORIG_NAT_SEQ_OFFSET_AFTER = 48, /* u32 bits */
	ATTR_REPL_NAT_SEQ_CORRECTION_POS, /* u32 bits */
	ATTR_REPL_NAT_SEQ_OFFSET_BEFORE, /* u32 bits */
	ATTR_REPL_NAT_SEQ_OFFSET_AFTER, /* u32 bits */
	ATTR_SCTP_STATE = 52, /* u8 bits */
	ATTR_SCTP_VTAG_ORIG, /* u32 bits */
	ATTR_SCTP_VTAG_REPL, /* u32 bits */
	ATTR_HELPER_NAME, /* string; 30 bytes is the historic xt_helper buffer, the kernel accepts at most NFCT_HELPER_NAME_MAX (16) — see the note at the end of this header */
	ATTR_DCCP_STATE = 56, /* u8 bits */
	ATTR_DCCP_ROLE, /* u8 bits */
	ATTR_DCCP_HANDSHAKE_SEQ, /* u64 bits */
	ATTR_TCP_WSCALE_ORIG, /* u8 bits */
	ATTR_TCP_WSCALE_REPL = 60, /* u8 bits */
	ATTR_ZONE, /* u16 bits */
	ATTR_SECCTX, /* string */
	ATTR_TIMESTAMP_START, /* u64 bits, linux >= 2.6.38 */
	ATTR_TIMESTAMP_STOP = 64, /* u64 bits, linux >= 2.6.38 */
	ATTR_HELPER_INFO, /* variable length; set with nfct_set_attr_l() so the length is explicit */
	ATTR_CONNLABELS, /* variable length; see struct nfct_bitmask / nfct_labelmap */
	ATTR_CONNLABELS_MASK, /* variable length */
	ATTR_ORIG_ZONE, /* u16 bits */
	ATTR_REPL_ZONE, /* u16 bits */
	ATTR_SNAT_IPV6, /* u128 bits */
	ATTR_DNAT_IPV6, /* u128 bits */
	ATTR_MAX /* number of attributes; not a valid attribute itself */
};
146 
147 /* conntrack attribute groups */
/*
 * Conntrack attribute groups, for nfct_set_attr_grp()/nfct_get_attr_grp().
 * Each group is read or written as a whole through the struct/union
 * named in its trailing comment; the pointer passed to the group
 * accessors must reference an object of exactly that type.
 */
enum nf_conntrack_attr_grp {
	ATTR_GRP_ORIG_IPV4 = 0, /* struct nfct_attr_grp_ipv4 */
	ATTR_GRP_REPL_IPV4, /* struct nfct_attr_grp_ipv4 */
	ATTR_GRP_ORIG_IPV6, /* struct nfct_attr_grp_ipv6 */
	ATTR_GRP_REPL_IPV6, /* struct nfct_attr_grp_ipv6 */
	ATTR_GRP_ORIG_PORT = 4, /* struct nfct_attr_grp_port */
	ATTR_GRP_REPL_PORT, /* struct nfct_attr_grp_port */
	ATTR_GRP_ICMP, /* struct nfct_attr_grp_icmp */
	ATTR_GRP_MASTER_IPV4, /* struct nfct_attr_grp_ipv4 */
	ATTR_GRP_MASTER_IPV6 = 8, /* struct nfct_attr_grp_ipv6 */
	ATTR_GRP_MASTER_PORT, /* struct nfct_attr_grp_port */
	ATTR_GRP_ORIG_COUNTERS, /* struct nfct_attr_grp_ctrs */
	ATTR_GRP_REPL_COUNTERS, /* struct nfct_attr_grp_ctrs */
	ATTR_GRP_ORIG_ADDR_SRC = 12, /* union nfct_attr_grp_addr */
	ATTR_GRP_ORIG_ADDR_DST, /* union nfct_attr_grp_addr */
	ATTR_GRP_REPL_ADDR_SRC, /* union nfct_attr_grp_addr */
	ATTR_GRP_REPL_ADDR_DST, /* union nfct_attr_grp_addr */
	ATTR_GRP_MAX /* number of groups; not a valid group itself */
};
167 
169  uint32_t src, dst;
170 };
171 
173  uint32_t src[4], dst[4];
174 };
175 
177  uint16_t sport, dport;
178 };
179 
181  uint16_t id;
182  uint8_t code, type;
183 };
184 
186  uint64_t packets;
187  uint64_t bytes;
188 };
189 
191  uint32_t ip;
192  uint32_t ip6[4];
193  uint32_t addr[4];
194 };
195 
196 /* message type */
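/*
 * Message type, as passed to nfct_callback_register() and handed to the
 * callback. NEW/UPDATE/DESTROY are single bits so they can be OR-ed into
 * a mask; NFCT_T_ALL is the union of the three.
 *
 * NFCT_T_ERROR lives in bit 31. It is built from an unsigned shift:
 * `1 << 31` overflows a signed int, which is undefined behaviour in C.
 * The cast back to int keeps the value existing binaries already use
 * (INT_MIN on two's-complement targets), so the ABI is unchanged.
 */
enum nf_conntrack_msg_type {
	NFCT_T_UNKNOWN = 0,

	NFCT_T_NEW_BIT = 0,
	NFCT_T_NEW = (1 << NFCT_T_NEW_BIT),

	NFCT_T_UPDATE_BIT = 1,
	NFCT_T_UPDATE = (1 << NFCT_T_UPDATE_BIT),

	NFCT_T_DESTROY_BIT = 2,
	NFCT_T_DESTROY = (1 << NFCT_T_DESTROY_BIT),

	NFCT_T_ALL = NFCT_T_NEW | NFCT_T_UPDATE | NFCT_T_DESTROY,

	NFCT_T_ERROR_BIT = 31,
	NFCT_T_ERROR = (int)(1U << NFCT_T_ERROR_BIT),
};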
214 
215 /* constructor / destructor */
/*
 * Constructor / destructor. Every object returned by nfct_new() or
 * nfct_clone() is owned by the caller and must be released with
 * nfct_destroy() (also the case for objects kept via NFCT_CB_STOLEN).
 * Check the returned pointer before use; the failure indication is not
 * visible in this header (review: confirm NULL-on-failure in api.c).
 */
extern struct nf_conntrack *nfct_new(void);
extern void nfct_destroy(struct nf_conntrack *ct);

/* Deep copy of ct; the copy is an independent object with its own lifetime. */
struct nf_conntrack *nfct_clone(const struct nf_conntrack *ct);

/* object size — deprecated; the object layout is private, do not rely on it */
extern __attribute__((deprecated)) size_t nfct_sizeof(const struct nf_conntrack *ct);

/* maximum object size — deprecated; see nfct_sizeof() */
extern __attribute__((deprecated)) size_t nfct_maxsize(void);
227 
228 /* set option */
/*
 * Object options for nfct_setobjopt(). The UNDO_* options rewrite the
 * tuple to remove one kind of NAT translation; the SETUP_* options
 * derive one direction's tuple from the other. Valid options are
 * 0 .. NFCT_SOPT_MAX.
 */
enum {
	NFCT_SOPT_UNDO_SNAT,
	NFCT_SOPT_UNDO_DNAT,
	NFCT_SOPT_UNDO_SPAT,
	NFCT_SOPT_UNDO_DPAT,
	NFCT_SOPT_SETUP_ORIGINAL,
	NFCT_SOPT_SETUP_REPLY,
	__NFCT_SOPT_MAX,
};
#define NFCT_SOPT_MAX (__NFCT_SOPT_MAX - 1)
239 
240 /* get option */
/*
 * Object queries for nfct_getobjopt(): whether the object carries the
 * given kind of NAT translation. Valid options are 0 .. NFCT_GOPT_MAX.
 */
enum {
	NFCT_GOPT_IS_SNAT,
	NFCT_GOPT_IS_DNAT,
	NFCT_GOPT_IS_SPAT,
	NFCT_GOPT_IS_DPAT,
	__NFCT_GOPT_MAX,
};
#define NFCT_GOPT_MAX (__NFCT_GOPT_MAX - 1)
249 
/*
 * Apply an NFCT_SOPT_* option to ct / evaluate an NFCT_GOPT_* query on ct.
 * Both take the option as a plain unsigned int, so the caller is
 * responsible for passing a value within the respective *_MAX bound.
 */
extern int nfct_setobjopt(struct nf_conntrack *ct, unsigned int option);
extern int nfct_getobjopt(const struct nf_conntrack *ct, unsigned int option);
252 
253 /* register / unregister callback */
254 
/*
 * Register / unregister the callback invoked by nfct_query() and
 * nfct_catch() for each conntrack message matching `type` (a mask of
 * NFCT_T_* bits). `data` is passed back untouched. The callback must
 * return one of the NFCT_CB_* verdicts below; in particular it must not
 * keep `ct` beyond its return unless it answers NFCT_CB_STOLEN.
 */
extern int nfct_callback_register(struct nfct_handle *h,
				  enum nf_conntrack_msg_type type,
				  int (*cb)(enum nf_conntrack_msg_type type,
					    struct nf_conntrack *ct,
					    void *data),
				  void *data);

extern void nfct_callback_unregister(struct nfct_handle *h);

/*
 * Extended variant: the callback also receives the raw netlink header
 * of the message the object was parsed from (e.g. to inspect nlmsg_seq
 * or nlmsg_pid). The verdict rules are the same as above.
 */
extern int nfct_callback_register2(struct nfct_handle *h,
				   enum nf_conntrack_msg_type type,
				   int (*cb)(const struct nlmsghdr *nlh,
					     enum nf_conntrack_msg_type type,
					     struct nf_conntrack *ct,
					     void *data),
				   void *data);

extern void nfct_callback_unregister2(struct nfct_handle *h);
275 
276 /* callback verdict */
/*
 * Callback verdicts. With NFCT_CB_STOLEN ownership of the ct object
 * passes to the callback, which then has to release it with
 * nfct_destroy() — otherwise every stolen object is leaked.
 */
enum {
	NFCT_CB_FAILURE = -1, /* failure */
	NFCT_CB_STOP = 0, /* stop the query */
	NFCT_CB_CONTINUE = 1, /* keep iterating through data */
	NFCT_CB_STOLEN = 2, /* like continue, but ct is not freed */
};
283 
284 /* bitmask setter/getter */
/*
 * Bitmask helper (used for connection labels). A bitmask is sized at
 * creation for bits 0 .. maxbit; nfct_bitmask_maxbit() reports that
 * bound. Whether the bit accessors range-check `bit` against it is not
 * visible here, so keep `bit` within 0 .. maxbit on the caller side.
 * Objects from _new()/_clone() are owned by the caller and released
 * with nfct_bitmask_destroy().
 */
struct nfct_bitmask;

struct nfct_bitmask *nfct_bitmask_new(unsigned int maxbit);
struct nfct_bitmask *nfct_bitmask_clone(const struct nfct_bitmask *);
unsigned int nfct_bitmask_maxbit(const struct nfct_bitmask *);

void nfct_bitmask_set_bit(struct nfct_bitmask *, unsigned int bit);
int nfct_bitmask_test_bit(const struct nfct_bitmask *, unsigned int bit);
void nfct_bitmask_unset_bit(struct nfct_bitmask *, unsigned int bit);
void nfct_bitmask_destroy(struct nfct_bitmask *);
void nfct_bitmask_clear(struct nfct_bitmask *);
bool nfct_bitmask_equal(const struct nfct_bitmask *, const struct nfct_bitmask *);
297 
298 /* connlabel name <-> bit translation mapping */
/*
 * Connection-label name <-> bit mapping, loaded from a text file.
 * nfct_labels_get_path() returns the default file location;
 * nfct_labelmap_new() parses `mapfile` (what a NULL argument means is
 * not visible here — review: confirm whether it selects the default
 * path). The file is configuration, so it must only be writable by the
 * administrator: its contents decide which label bit a name maps to.
 * nfct_labelmap_get_bit() returns the bit for a name; a negative return
 * is presumably "unknown name" — check it before using the value as a
 * bit index.
 */
struct nfct_labelmap;

const char *nfct_labels_get_path(void);
struct nfct_labelmap *nfct_labelmap_new(const char *mapfile);
void nfct_labelmap_destroy(struct nfct_labelmap *map);
const char *nfct_labelmap_get_name(struct nfct_labelmap *m, unsigned int bit);
int nfct_labelmap_get_bit(struct nfct_labelmap *m, const char *name);
306 
307 /* setter */
/*
 * Attribute setters.
 *
 * nfct_set_attr() is untyped: `value` must point to an object of the
 * width listed for `type` in enum nf_conntrack_attr (u8/u16/u32/u128,
 * or a NUL-terminated string for the string attributes); a narrower
 * object is read past its end. Prefer the typed u8/u16/u32/u64 variants
 * whenever one matches, and nfct_set_attr_l() for the variable-length
 * attributes, where `len` bounds what is copied from `value`.
 * These functions return void, so an out-of-range `type` cannot be
 * reported back; validate it before calling.
 */
extern void nfct_set_attr(struct nf_conntrack *ct,
			  const enum nf_conntrack_attr type,
			  const void *value);

extern void nfct_set_attr_u8(struct nf_conntrack *ct,
			     const enum nf_conntrack_attr type,
			     uint8_t value);

extern void nfct_set_attr_u16(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr type,
			      uint16_t value);

extern void nfct_set_attr_u32(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr type,
			      uint32_t value);

extern void nfct_set_attr_u64(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr type,
			      uint64_t value);

/* Length-bounded setter for the variable-length attributes. */
extern void nfct_set_attr_l(struct nf_conntrack *ct,
			    const enum nf_conntrack_attr type,
			    const void *value,
			    size_t len);
332 
333 /* getter */
/*
 * Attribute getters.
 *
 * nfct_get_attr() returns a pointer to the stored value; its width is
 * the one listed for `type` in enum nf_conntrack_attr. The pointer
 * presumably refers into `ct` itself, so do not use it after
 * nfct_destroy(ct) or after the attribute is overwritten. Check
 * nfct_attr_is_set() first: what an unset attribute yields (NULL, or
 * zero from the typed getters) is not visible in this header.
 */
extern const void *nfct_get_attr(const struct nf_conntrack *ct,
				 const enum nf_conntrack_attr type);

extern uint8_t nfct_get_attr_u8(const struct nf_conntrack *ct,
				const enum nf_conntrack_attr type);

extern uint16_t nfct_get_attr_u16(const struct nf_conntrack *ct,
				  const enum nf_conntrack_attr type);

extern uint32_t nfct_get_attr_u32(const struct nf_conntrack *ct,
				  const enum nf_conntrack_attr type);

extern uint64_t nfct_get_attr_u64(const struct nf_conntrack *ct,
				  const enum nf_conntrack_attr type);
348 
349 /* checker */
/*
 * Presence checks. nfct_attr_is_set_array() takes `size` attributes from
 * `type_array`; `size` is a signed int, so pass the real element count
 * (e.g. sizeof(arr) / sizeof(arr[0])) and never a negative value.
 */
extern int nfct_attr_is_set(const struct nf_conntrack *ct,
			    const enum nf_conntrack_attr type);

extern int nfct_attr_is_set_array(const struct nf_conntrack *ct,
				  const enum nf_conntrack_attr *type_array,
				  int size);

/* Clear one attribute so it is no longer considered set. */
extern int nfct_attr_unset(struct nf_conntrack *ct,
			   const enum nf_conntrack_attr type);

/*
 * Group setter: `value` must point to the struct/union named for `type`
 * in enum nf_conntrack_attr_grp; the whole group is read from it.
 */
extern void nfct_set_attr_grp(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr_grp type,
			      const void *value);
/*
 * Group getter: `data` must point to writable storage of the matching
 * group struct/union; the whole group is written into it.
 */
extern int nfct_get_attr_grp(const struct nf_conntrack *ct,
			     const enum nf_conntrack_attr_grp type,
			     void *data);

/* Whether every attribute of the group is set. */
extern int nfct_attr_grp_is_set(const struct nf_conntrack *ct,
				const enum nf_conntrack_attr_grp type);

/* Clear every attribute of the group. */
extern int nfct_attr_grp_unset(struct nf_conntrack *ct,
			       const enum nf_conntrack_attr_grp type);
377 
378 /* print */
379 
380 /* output type */
/* Output format selector for nfct_snprintf()/nfexp_snprintf(). */
enum {
	NFCT_O_PLAIN, /* one-line text, the default */
	NFCT_O_DEFAULT = NFCT_O_PLAIN,
	NFCT_O_XML, /* XML element per object */
	NFCT_O_MAX /* bound; not a valid format */
};
387 
388 /* output flags */
/*
 * Output flags for nfct_snprintf()/nfexp_snprintf(); OR them into
 * out_flags to include the corresponding extra fields.
 */
enum {
	NFCT_OF_SHOW_LAYER3_BIT = 0,
	NFCT_OF_SHOW_LAYER3 = (1 << NFCT_OF_SHOW_LAYER3_BIT), /* print the layer-3 protocol */

	NFCT_OF_TIME_BIT = 1,
	NFCT_OF_TIME = (1 << NFCT_OF_TIME_BIT), /* print the current time */

	NFCT_OF_ID_BIT = 2,
	NFCT_OF_ID = (1 << NFCT_OF_ID_BIT), /* print ATTR_ID */

	NFCT_OF_TIMESTAMP_BIT = 3,
	NFCT_OF_TIMESTAMP = (1 << NFCT_OF_TIMESTAMP_BIT), /* print ATTR_TIMESTAMP_START/STOP */
};
402 
/*
 * Format a conntrack object into buf.
 *
 * `size` is the capacity of `buf`, which is the only thing that bounds
 * the write. msg_type is an NFCT_T_* value, out_type an NFCT_O_* value
 * and out_flags a mask of NFCT_OF_* bits. The return convention is not
 * visible in this header; if it follows snprintf() the value can exceed
 * `size` on truncation, so compare it against `size` before treating
 * buf as complete (review: confirm against conntrack/api.c).
 */
extern int nfct_snprintf(char *buf,
			 unsigned int size,
			 const struct nf_conntrack *ct,
			 const unsigned int msg_type,
			 const unsigned int out_type,
			 const unsigned int out_flags);

/*
 * Same as nfct_snprintf(), additionally resolving connection-label bits
 * to names through `map` (see nfct_labelmap_new()).
 */
extern int nfct_snprintf_labels(char *buf,
				unsigned int size,
				const struct nf_conntrack *ct,
				const unsigned int msg_type,
				const unsigned int out_type,
				const unsigned int out_flags,
				struct nfct_labelmap *map);
417 
418 /* comparison */
/*
 * Comparison.
 *
 * nfct_compare() is the older, flag-less form; nfct_cmp() takes a mask
 * of NFCT_CMP_* flags selecting which parts of the two objects take part
 * in the comparison. The exact meaning of the return value (equality
 * flag vs. ordering) is not visible here — check api.c before using it
 * as a sort key.
 */
extern int nfct_compare(const struct nf_conntrack *ct1,
			const struct nf_conntrack *ct2);

enum {
	NFCT_CMP_ALL = 0, /* compare everything */
	NFCT_CMP_ORIG = (1 << 0), /* original-direction tuple */
	NFCT_CMP_REPL = (1 << 1), /* reply-direction tuple */
	NFCT_CMP_TIMEOUT_EQ = (1 << 2), /* timeout relation: equal */
	NFCT_CMP_TIMEOUT_GT = (1 << 3), /* timeout relation: greater than */
	NFCT_CMP_TIMEOUT_GE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_GT),
	NFCT_CMP_TIMEOUT_LT = (1 << 4), /* timeout relation: less than */
	NFCT_CMP_TIMEOUT_LE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_LT),
	NFCT_CMP_MASK = (1 << 5), /* treat ct2 as a mask (name-based reading; confirm in api.c) */
	NFCT_CMP_STRICT = (1 << 6), /* require attributes to be set on both sides (name-based reading; confirm) */
};

extern int nfct_cmp(const struct nf_conntrack *ct1,
		    const struct nf_conntrack *ct2,
		    unsigned int flags);
438 
439 
440 /* query */
/*
 * Query types for nfct_query()/nfct_send() and nfexp_query()/nfexp_send().
 * The object expected behind the `data` argument depends on the query:
 * a conntrack/expect object for CREATE, UPDATE, DESTROY, GET and
 * CREATE_UPDATE, and (by name) a struct nfct_filter_dump for the
 * DUMP_FILTER variants. The *_RESET variants also zero the kernel
 * counters while dumping. FLUSH empties the whole table and therefore
 * needs the same privilege as any other write to it.
 */
enum nf_conntrack_query {
	NFCT_Q_CREATE,
	NFCT_Q_UPDATE,
	NFCT_Q_DESTROY,
	NFCT_Q_GET,
	NFCT_Q_FLUSH,
	NFCT_Q_DUMP,
	NFCT_Q_DUMP_RESET,
	NFCT_Q_CREATE_UPDATE,
	NFCT_Q_DUMP_FILTER,
	NFCT_Q_DUMP_FILTER_RESET,
};
453 
/*
 * nfct_query() sends the request and processes the reply through the
 * registered callback; nfct_send() only sends it, leaving the reply to
 * be collected by a later nfct_catch(). nfct_catch() receives messages
 * (events or pending replies) from the handle and dispatches them to
 * the callback. `data` is the query-specific object described at
 * enum nf_conntrack_query. Check the int result of all three: a
 * failure means the kernel rejected or never saw the request.
 */
extern int nfct_query(struct nfct_handle *h,
		      const enum nf_conntrack_query query,
		      const void *data);

extern int nfct_send(struct nfct_handle *h,
		     const enum nf_conntrack_query query,
		     const void *data);

extern int nfct_catch(struct nfct_handle *h);
463 
464 /* copy */
/*
 * Copy selectors for nfct_copy(): which parts of `source` are copied
 * into `dest`. NFCT_CP_OVERRIDE (by name) allows attributes already set
 * in dest to be replaced — confirm in api.c before relying on the
 * non-override default.
 */
enum {
	NFCT_CP_ALL = 0,
	NFCT_CP_ORIG = (1 << 0), /* original-direction tuple */
	NFCT_CP_REPL = (1 << 1), /* reply-direction tuple */
	NFCT_CP_META = (1 << 2), /* non-tuple attributes */
	NFCT_CP_OVERRIDE = (1 << 3),
};

/* Copy the selected parts of source into dest (both caller-owned). */
extern void nfct_copy(struct nf_conntrack *dest,
		      const struct nf_conntrack *source,
		      unsigned int flags);

/* Copy a single attribute from ct2 into ct1. */
extern void nfct_copy_attr(struct nf_conntrack *ct1,
			   const struct nf_conntrack *ct2,
			   const enum nf_conntrack_attr type);
480 
481 /* event filtering */
482 
/*
 * Event filter: built with nfct_filter_add_attr*() and installed on a
 * handle's socket with nfct_filter_attach(). Caller-owned; release with
 * nfct_filter_destroy().
 */
struct nfct_filter;

extern struct nfct_filter *nfct_filter_create(void);
extern void nfct_filter_destroy(struct nfct_filter *filter);
487 
489  uint16_t proto;
490  uint16_t state;
491 };
493  uint32_t addr;
494  uint32_t mask;
495 };
497  uint32_t addr[4];
498  uint32_t mask[4];
499 };
500 
/*
 * Event-filter attributes. The trailing comment names the type of the
 * object `value` must point to when passed to nfct_filter_add_attr();
 * NFCT_FILTER_L4PROTO has the typed nfct_filter_add_attr_u32() form.
 */
enum nfct_filter_attr {
	NFCT_FILTER_L4PROTO = 0, /* uint32_t */
	NFCT_FILTER_L4PROTO_STATE, /* struct nfct_filter_proto */
	NFCT_FILTER_SRC_IPV4, /* struct nfct_filter_ipv4 */
	NFCT_FILTER_DST_IPV4, /* struct nfct_filter_ipv4 */
	NFCT_FILTER_SRC_IPV6, /* struct nfct_filter_ipv6 */
	NFCT_FILTER_DST_IPV6, /* struct nfct_filter_ipv6 */
	NFCT_FILTER_MARK, /* struct nfct_filter_dump_mark */
	NFCT_FILTER_MAX /* bound; not a valid attribute */
};
511 
/*
 * Add a match to the filter. nfct_filter_add_attr() is untyped: `value`
 * must point to the object type listed for `attr` in
 * enum nfct_filter_attr. Both return void, so an invalid `attr` cannot
 * be reported; keep it below NFCT_FILTER_MAX.
 */
extern void nfct_filter_add_attr(struct nfct_filter *filter,
				 const enum nfct_filter_attr attr,
				 const void *value);

extern void nfct_filter_add_attr_u32(struct nfct_filter *filter,
				     const enum nfct_filter_attr attr,
				     const uint32_t value);
519 
/*
 * Per-attribute filter logic: POSITIVE keeps events that match the
 * attribute's values, NEGATIVE drops them.
 */
enum nfct_filter_logic {
	NFCT_FILTER_LOGIC_POSITIVE,
	NFCT_FILTER_LOGIC_NEGATIVE,
	NFCT_FILTER_LOGIC_MAX /* bound; not a valid logic */
};
525 
/*
 * Select the logic applied to one filter attribute; returns non-zero on
 * an invalid attr/logic pair (exact convention not visible here).
 */
extern int nfct_filter_set_logic(struct nfct_filter *filter,
				 const enum nfct_filter_attr attr,
				 const enum nfct_filter_logic logic);

/*
 * Install / remove the filter on the socket `fd` (as returned by
 * nfct_fd()). This is a receive-side optimisation for the event stream:
 * it only controls which events reach this process, it does not change
 * what the kernel tracks. Check the return value — if attaching fails
 * the socket keeps delivering unfiltered events.
 */
extern int nfct_filter_attach(int fd, struct nfct_filter *filter);
extern int nfct_filter_detach(int fd);
532 
/*
 * Dump filter: restricts an NFCT_Q_DUMP_FILTER / NFCT_Q_DUMP_FILTER_RESET
 * query to entries matching the attributes set on it. Opaque; created
 * with nfct_filter_dump_create() and released with
 * nfct_filter_dump_destroy().
 */
struct nfct_filter_dump;
536 
538  uint32_t val;
539  uint32_t mask;
540 };
541 
/*
 * Dump-filter attributes; the trailing comment names the type `data`
 * must point to for nfct_filter_dump_set_attr(). L3NUM has the typed
 * nfct_filter_dump_set_attr_u8() form.
 */
enum nfct_filter_dump_attr {
	NFCT_FILTER_DUMP_MARK = 0, /* struct nfct_filter_dump_mark */
	NFCT_FILTER_DUMP_L3NUM, /* uint8_t */
	NFCT_FILTER_DUMP_MAX /* bound; not a valid attribute */
};
547 
/* Allocate an empty dump filter; check the result before use. */
struct nfct_filter_dump *nfct_filter_dump_create(void);

/* Release a dump filter created by nfct_filter_dump_create(). */
void nfct_filter_dump_destroy(struct nfct_filter_dump *filter);

/*
 * Set one attribute on the dump filter. The untyped form reads `data`
 * as the type listed for `type` in enum nfct_filter_dump_attr.
 */
void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump,
			       const enum nfct_filter_dump_attr type,
			       const void *data);

void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump,
				  const enum nfct_filter_dump_attr type,
				  uint8_t data);
559 
560 /* low level API: netlink functions */
561 
/*
 * Deprecated low-level netlink helpers. They build into / parse from
 * caller-supplied request buffers (`req`/`size`) using libnfnetlink
 * subsystem handles. New code should use nfct_nlmsg_build()/
 * nfct_nlmsg_parse() below, which work on a struct nlmsghdr directly.
 */
extern __attribute__((deprecated)) int
nfct_build_conntrack(struct nfnl_subsys_handle *ssh,
		     void *req,
		     size_t size,
		     uint16_t type,
		     uint16_t flags,
		     const struct nf_conntrack *ct);

extern __attribute__((deprecated))
int nfct_parse_conntrack(enum nf_conntrack_msg_type msg,
			 const struct nlmsghdr *nlh,
			 struct nf_conntrack *ct);

extern __attribute__((deprecated))
int nfct_build_query(struct nfnl_subsys_handle *ssh,
		     const enum nf_conntrack_query query,
		     const void *data,
		     void *req,
		     unsigned int size);
581 
582 /* New low level API: netlink functions */
583 
/*
 * Serialize ct as netlink attributes appended to the message at nlh
 * (the caller allocates the buffer; this header does not show how the
 * capacity is communicated, so size it generously), or parse a received
 * message into ct.
 *
 * nfct_payload_parse() parses a bare attribute payload of exactly
 * `payload_len` bytes for address family `l3num`. Netlink data comes
 * from the kernel, but when a payload is obtained from any other
 * source (e.g. an on-wire replication protocol) `payload_len` must be
 * the true length of the buffer, since it is the only bound the parser
 * receives.
 */
extern int nfct_nlmsg_build(struct nlmsghdr *nlh, const struct nf_conntrack *ct);
extern int nfct_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_conntrack *ct);
extern int nfct_payload_parse(const void *payload, size_t payload_len, uint16_t l3num, struct nf_conntrack *ct);
587 
588 /*
589  * NEW expectation API
590  */
591 
/* expectation object (opaque; create with nfexp_new(), free with nfexp_destroy()) */
struct nf_expect;

/*
 * Expectation attributes. The trailing comment gives the type the
 * untyped nfexp_set_attr()/nfexp_get_attr() work with; "pointer to
 * conntrack object" attributes take a struct nf_conntrack *. The
 * helper-name limit matches NFCT_HELPER_NAME_MAX.
 */
enum nf_expect_attr {
	ATTR_EXP_MASTER = 0, /* pointer to conntrack object */
	ATTR_EXP_EXPECTED, /* pointer to conntrack object */
	ATTR_EXP_MASK, /* pointer to conntrack object */
	ATTR_EXP_TIMEOUT, /* u32 bits */
	ATTR_EXP_ZONE, /* u16 bits */
	ATTR_EXP_FLAGS, /* u32 bits */
	ATTR_EXP_HELPER_NAME, /* string (16 bytes max) */
	ATTR_EXP_CLASS, /* u32 bits */
	ATTR_EXP_NAT_TUPLE, /* pointer to conntrack object */
	ATTR_EXP_NAT_DIR, /* u8 bits */
	ATTR_EXP_FN, /* string */
	ATTR_EXP_MAX /* number of attributes; not a valid attribute */
};
610 
611 /* constructor / destructor */
/*
 * Constructor / destructor. Objects from nfexp_new()/nfexp_clone() are
 * caller-owned and released with nfexp_destroy(). Check the returned
 * pointer before use (failure convention not visible here).
 */
extern struct nf_expect *nfexp_new(void);
extern void nfexp_destroy(struct nf_expect *exp);

/* Deep copy of exp with its own lifetime. */
extern struct nf_expect *nfexp_clone(const struct nf_expect *exp);

/* object size — unlike nfct_sizeof() this one is not marked deprecated */
extern size_t nfexp_sizeof(const struct nf_expect *exp);

/* maximum object size */
extern size_t nfexp_maxsize(void);
623 
624 /* register / unregister callback */
625 
/*
 * Register / unregister the expectation callback, invoked by
 * nfexp_query()/nfexp_catch() for messages matching `type` (NFCT_T_*
 * mask). The callback returns an NFCT_CB_* verdict; with
 * NFCT_CB_STOLEN it owns `exp` and must nfexp_destroy() it.
 */
extern int nfexp_callback_register(struct nfct_handle *h,
				   enum nf_conntrack_msg_type type,
				   int (*cb)(enum nf_conntrack_msg_type type,
					     struct nf_expect *exp,
					     void *data),
				   void *data);

extern void nfexp_callback_unregister(struct nfct_handle *h);

/* Extended variant that also passes the raw netlink header. */
extern int nfexp_callback_register2(struct nfct_handle *h,
				    enum nf_conntrack_msg_type type,
				    int (*cb)(const struct nlmsghdr *nlh,
					      enum nf_conntrack_msg_type type,
					      struct nf_expect *exp,
					      void *data),
				    void *data);

extern void nfexp_callback_unregister2(struct nfct_handle *h);
645 
646 /* setter */
/*
 * Expectation setters. nfexp_set_attr() is untyped: `value` must point
 * to the type listed for `type` in enum nf_expect_attr. Prefer the
 * typed u8/u16/u32 variants where one matches. All return void, so an
 * out-of-range `type` cannot be reported.
 */
extern void nfexp_set_attr(struct nf_expect *exp,
			   const enum nf_expect_attr type,
			   const void *value);

extern void nfexp_set_attr_u8(struct nf_expect *exp,
			      const enum nf_expect_attr type,
			      uint8_t value);

extern void nfexp_set_attr_u16(struct nf_expect *exp,
			       const enum nf_expect_attr type,
			       uint16_t value);

extern void nfexp_set_attr_u32(struct nf_expect *exp,
			       const enum nf_expect_attr type,
			       uint32_t value);
662 
663 /* getter */
/*
 * Expectation getters. The pointer from nfexp_get_attr() presumably
 * refers into `exp`; do not use it after nfexp_destroy(exp). Check
 * nfexp_attr_is_set() first — the value returned for an unset attribute
 * is not visible in this header.
 */
extern const void *nfexp_get_attr(const struct nf_expect *exp,
				  const enum nf_expect_attr type);

extern uint8_t nfexp_get_attr_u8(const struct nf_expect *exp,
				 const enum nf_expect_attr type);

extern uint16_t nfexp_get_attr_u16(const struct nf_expect *exp,
				   const enum nf_expect_attr type);

extern uint32_t nfexp_get_attr_u32(const struct nf_expect *exp,
				   const enum nf_expect_attr type);

/* Whether the attribute has been set. */
extern int nfexp_attr_is_set(const struct nf_expect *exp,
			     const enum nf_expect_attr type);

/* Clear the attribute. */
extern int nfexp_attr_unset(struct nf_expect *exp,
			    const enum nf_expect_attr type);
683 
684 /* query */
/*
 * Expectation-table counterparts of nfct_query()/nfct_send()/
 * nfct_catch(): `qt` is an enum nf_conntrack_query value and `data`
 * the matching nf_expect object. Check the int results.
 */
extern int nfexp_query(struct nfct_handle *h,
		       const enum nf_conntrack_query qt,
		       const void *data);

/*
 * Format exp into buf; `size` is the capacity of buf and the only
 * bound on the write. Compare the return value against `size` before
 * treating buf as complete (return convention not visible here).
 */
extern int nfexp_snprintf(char *buf,
			  unsigned int size,
			  const struct nf_expect *exp,
			  const unsigned int msg_type,
			  const unsigned int out_type,
			  const unsigned int out_flags);

/* Compare two expectations under a mask of NFCT_CMP_* flags. */
extern int nfexp_cmp(const struct nf_expect *exp1,
		     const struct nf_expect *exp2,
		     unsigned int flags);

extern int nfexp_send(struct nfct_handle *h,
		      const enum nf_conntrack_query qt,
		      const void *data);

extern int nfexp_catch(struct nfct_handle *h);
707 
708 /* low level API */
/*
 * Deprecated low-level expectation helpers; see the conntrack
 * counterparts above. New code should use nfexp_nlmsg_build()/
 * nfexp_nlmsg_parse().
 */
extern __attribute__((deprecated))
int nfexp_build_expect(struct nfnl_subsys_handle *ssh,
		       void *req,
		       size_t size,
		       uint16_t type,
		       uint16_t flags,
		       const struct nf_expect *exp);

extern __attribute__((deprecated))
int nfexp_parse_expect(enum nf_conntrack_msg_type type,
		       const struct nlmsghdr *nlh,
		       struct nf_expect *exp);

extern __attribute__((deprecated))
int nfexp_build_query(struct nfnl_subsys_handle *ssh,
		      const enum nf_conntrack_query qt,
		      const void *data,
		      void *buffer,
		      unsigned int size);
728 
729 /* New low level API: netlink functions */
730 
/*
 * Serialize exp into the netlink message at nlh (caller-allocated; size
 * it generously, the capacity is not passed here) / parse a received
 * message into exp.
 */
extern int nfexp_nlmsg_build(struct nlmsghdr *nlh, const struct nf_expect *exp);
extern int nfexp_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_expect *exp);
733 
734 /*
735  * TCP flags
736  */
737 
/*
 * Bits of ATTR_TCP_FLAGS_ORIG/REPL (and the corresponding
 * ATTR_TCP_MASK_* attributes), one per TCP conntrack flag.
 */

/* Window scaling is advertised by the sender */
#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01

/* SACK is permitted by the sender */
#define IP_CT_TCP_FLAG_SACK_PERM 0x02

/* This sender sent FIN first */
#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04

/* Be liberal in window checking (relaxes the sequence-number
 * validation the tracker does on this flow) */
#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08
749 
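/* WARNING: do not use these constants in new applications, we keep them here
 * to avoid breaking backward compatibility. */
#define NFCT_DIR_ORIGINAL 0
#define NFCT_DIR_REPLY 1
/* Parenthesized: the bare `NFCT_DIR_REPLY+1` expansion silently
 * mis-evaluates inside a larger expression (e.g. `n * NFCT_DIR_MAX`
 * became `n * 1 + 1`, and `sizeof(x) * NFCT_DIR_MAX` under-sized
 * an allocation by one element). The value is unchanged. */
#define NFCT_DIR_MAX (NFCT_DIR_REPLY + 1)

/* xt_helper uses a length size of 30 bytes, however, no helper name in
 * the tree has exceeded 16 bytes length. Since 2.6.29, the maximum
 * length accepted is 16 bytes, this limit is enforced during module load.
 * This is the bound to apply to ATTR_HELPER_NAME / ATTR_EXP_HELPER_NAME. */
#define NFCT_HELPER_NAME_MAX 16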
760 
761 #ifdef __cplusplus
762 }
763 #endif
764 
765 #endif /* _LIBNETFILTER_CONNTRACK_H_ */