10 #ifndef _LIBNETFILTER_CONNTRACK_H_
11 #define _LIBNETFILTER_CONNTRACK_H_
14 #include <netinet/in.h>
15 #include <libnfnetlink/linux_nfnetlink.h>
16 #include <libnfnetlink/libnfnetlink.h>
17 #include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h>
18 #include <libnetfilter_conntrack/linux_nf_conntrack_common.h>
25 CONNTRACK = NFNL_SUBSYS_CTNETLINK,
26 EXPECT = NFNL_SUBSYS_CTNETLINK_EXP
35 #define NFCT_ALL_CT_GROUPS (NF_NETLINK_CONNTRACK_NEW|NF_NETLINK_CONNTRACK_UPDATE|NF_NETLINK_CONNTRACK_DESTROY)
42 extern struct nfct_handle *
nfct_open(uint8_t,
unsigned);
43 extern struct nfct_handle *nfct_open_nfnl(
struct nfnl_handle *nfnlh,
45 unsigned int subscriptions);
46 extern int nfct_close(
struct nfct_handle *cth);
48 extern int nfct_fd(
struct nfct_handle *cth);
49 extern const struct nfnl_handle *nfct_nfnlh(
struct nfct_handle *cth);
57 #include <sys/types.h>
63 enum nf_conntrack_attr {
64 ATTR_ORIG_IPV4_SRC = 0,
65 ATTR_IPV4_SRC = ATTR_ORIG_IPV4_SRC,
67 ATTR_IPV4_DST = ATTR_ORIG_IPV4_DST,
70 ATTR_ORIG_IPV6_SRC = 4,
71 ATTR_IPV6_SRC = ATTR_ORIG_IPV6_SRC,
73 ATTR_IPV6_DST = ATTR_ORIG_IPV6_DST,
76 ATTR_ORIG_PORT_SRC = 8,
77 ATTR_PORT_SRC = ATTR_ORIG_PORT_SRC,
79 ATTR_PORT_DST = ATTR_ORIG_PORT_DST,
86 ATTR_L3PROTO = ATTR_ORIG_L3PROTO,
87 ATTR_REPL_L3PROTO = 16,
89 ATTR_L4PROTO = ATTR_ORIG_L4PROTO,
98 ATTR_ORIG_COUNTER_PACKETS,
99 ATTR_REPL_COUNTER_PACKETS,
100 ATTR_ORIG_COUNTER_BYTES = 28,
101 ATTR_REPL_COUNTER_BYTES,
108 ATTR_TCP_MASK_REPL = 36,
109 ATTR_MASTER_IPV4_SRC,
110 ATTR_MASTER_IPV4_DST,
111 ATTR_MASTER_IPV6_SRC,
112 ATTR_MASTER_IPV6_DST = 40,
113 ATTR_MASTER_PORT_SRC,
114 ATTR_MASTER_PORT_DST,
116 ATTR_MASTER_L4PROTO = 44,
118 ATTR_ORIG_NAT_SEQ_CORRECTION_POS,
119 ATTR_ORIG_NAT_SEQ_OFFSET_BEFORE,
120 ATTR_ORIG_NAT_SEQ_OFFSET_AFTER = 48,
121 ATTR_REPL_NAT_SEQ_CORRECTION_POS,
122 ATTR_REPL_NAT_SEQ_OFFSET_BEFORE,
123 ATTR_REPL_NAT_SEQ_OFFSET_AFTER,
124 ATTR_SCTP_STATE = 52,
128 ATTR_DCCP_STATE = 56,
130 ATTR_DCCP_HANDSHAKE_SEQ,
131 ATTR_TCP_WSCALE_ORIG,
132 ATTR_TCP_WSCALE_REPL = 60,
135 ATTR_TIMESTAMP_START,
136 ATTR_TIMESTAMP_STOP = 64,
139 ATTR_CONNLABELS_MASK,
148 enum nf_conntrack_attr_grp {
149 ATTR_GRP_ORIG_IPV4 = 0,
153 ATTR_GRP_ORIG_PORT = 4,
156 ATTR_GRP_MASTER_IPV4,
157 ATTR_GRP_MASTER_IPV6 = 8,
158 ATTR_GRP_MASTER_PORT,
159 ATTR_GRP_ORIG_COUNTERS,
160 ATTR_GRP_REPL_COUNTERS,
161 ATTR_GRP_ORIG_ADDR_SRC = 12,
162 ATTR_GRP_ORIG_ADDR_DST,
163 ATTR_GRP_REPL_ADDR_SRC,
164 ATTR_GRP_REPL_ADDR_DST,
173 uint32_t src[4], dst[4];
177 uint16_t sport, dport;
197 enum nf_conntrack_msg_type {
201 NFCT_T_NEW = (1 << NFCT_T_NEW_BIT),
203 NFCT_T_UPDATE_BIT = 1,
204 NFCT_T_UPDATE = (1 << NFCT_T_UPDATE_BIT),
206 NFCT_T_DESTROY_BIT = 2,
207 NFCT_T_DESTROY = (1 << NFCT_T_DESTROY_BIT),
209 NFCT_T_ALL = NFCT_T_NEW | NFCT_T_UPDATE | NFCT_T_DESTROY,
211 NFCT_T_ERROR_BIT = 31,
212 NFCT_T_ERROR = (1 << NFCT_T_ERROR_BIT),
216 extern struct nf_conntrack *
nfct_new(
void);
220 struct nf_conntrack *
nfct_clone(
const struct nf_conntrack *ct);
223 extern __attribute__((deprecated)) size_t
nfct_sizeof(const struct nf_conntrack *ct);
226 extern __attribute__((deprecated))
size_t nfct_maxsize(
void);
234 NFCT_SOPT_SETUP_ORIGINAL,
235 NFCT_SOPT_SETUP_REPLY,
238 #define NFCT_SOPT_MAX (__NFCT_SOPT_MAX - 1)
248 #define NFCT_GOPT_MAX (__NFCT_GOPT_MAX - 1)
250 extern int nfct_setobjopt(
struct nf_conntrack *ct,
unsigned int option);
251 extern int nfct_getobjopt(
const struct nf_conntrack *ct,
unsigned int option);
256 enum nf_conntrack_msg_type type,
257 int (*cb)(
enum nf_conntrack_msg_type type,
258 struct nf_conntrack *ct,
267 enum nf_conntrack_msg_type type,
268 int (*cb)(
const struct nlmsghdr *nlh,
269 enum nf_conntrack_msg_type type,
270 struct nf_conntrack *ct,
278 NFCT_CB_FAILURE = -1,
280 NFCT_CB_CONTINUE = 1,
287 struct nfct_bitmask *nfct_bitmask_new(
unsigned int maxbit);
288 struct nfct_bitmask *nfct_bitmask_clone(
const struct nfct_bitmask *);
289 unsigned int nfct_bitmask_maxbit(
const struct nfct_bitmask *);
291 void nfct_bitmask_set_bit(
struct nfct_bitmask *,
unsigned int bit);
292 int nfct_bitmask_test_bit(
const struct nfct_bitmask *,
unsigned int bit);
293 void nfct_bitmask_unset_bit(
struct nfct_bitmask *,
unsigned int bit);
294 void nfct_bitmask_destroy(
struct nfct_bitmask *);
295 void nfct_bitmask_clear(
struct nfct_bitmask *);
296 bool nfct_bitmask_equal(
const struct nfct_bitmask *,
const struct nfct_bitmask *);
309 const enum nf_conntrack_attr type,
313 const enum nf_conntrack_attr type,
317 const enum nf_conntrack_attr type,
321 const enum nf_conntrack_attr type,
325 const enum nf_conntrack_attr type,
329 const enum nf_conntrack_attr type,
334 extern const void *
nfct_get_attr(
const struct nf_conntrack *ct,
335 const enum nf_conntrack_attr type);
338 const enum nf_conntrack_attr type);
341 const enum nf_conntrack_attr type);
344 const enum nf_conntrack_attr type);
347 const enum nf_conntrack_attr type);
351 const enum nf_conntrack_attr type);
354 const enum nf_conntrack_attr *type_array,
359 const enum nf_conntrack_attr type);
363 const enum nf_conntrack_attr_grp type,
367 const enum nf_conntrack_attr_grp type,
372 const enum nf_conntrack_attr_grp type);
376 const enum nf_conntrack_attr_grp type);
383 NFCT_O_DEFAULT = NFCT_O_PLAIN,
390 NFCT_OF_SHOW_LAYER3_BIT = 0,
391 NFCT_OF_SHOW_LAYER3 = (1 << NFCT_OF_SHOW_LAYER3_BIT),
393 NFCT_OF_TIME_BIT = 1,
394 NFCT_OF_TIME = (1 << NFCT_OF_TIME_BIT),
397 NFCT_OF_ID = (1 << NFCT_OF_ID_BIT),
399 NFCT_OF_TIMESTAMP_BIT = 3,
400 NFCT_OF_TIMESTAMP = (1 << NFCT_OF_TIMESTAMP_BIT),
405 const struct nf_conntrack *ct,
406 const unsigned int msg_type,
407 const unsigned int out_type,
408 const unsigned int out_flags);
412 const struct nf_conntrack *ct,
413 const unsigned int msg_type,
414 const unsigned int out_type,
415 const unsigned int out_flags,
420 const struct nf_conntrack *ct2);
424 NFCT_CMP_ORIG = (1 << 0),
425 NFCT_CMP_REPL = (1 << 1),
426 NFCT_CMP_TIMEOUT_EQ = (1 << 2),
427 NFCT_CMP_TIMEOUT_GT = (1 << 3),
428 NFCT_CMP_TIMEOUT_GE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_GT),
429 NFCT_CMP_TIMEOUT_LT = (1 << 4),
430 NFCT_CMP_TIMEOUT_LE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_LT),
431 NFCT_CMP_MASK = (1 << 5),
432 NFCT_CMP_STRICT = (1 << 6),
435 extern int nfct_cmp(
const struct nf_conntrack *ct1,
436 const struct nf_conntrack *ct2,
441 enum nf_conntrack_query {
449 NFCT_Q_CREATE_UPDATE,
451 NFCT_Q_DUMP_FILTER_RESET,
455 const enum nf_conntrack_query query,
458 extern int nfct_send(
struct nfct_handle *h,
459 const enum nf_conntrack_query query,
467 NFCT_CP_ORIG = (1 << 0),
468 NFCT_CP_REPL = (1 << 1),
469 NFCT_CP_META = (1 << 2),
470 NFCT_CP_OVERRIDE = (1 << 3),
473 extern void nfct_copy(
struct nf_conntrack *dest,
474 const struct nf_conntrack *source,
478 const struct nf_conntrack *ct2,
479 const enum nf_conntrack_attr type);
501 enum nfct_filter_attr {
502 NFCT_FILTER_L4PROTO = 0,
503 NFCT_FILTER_L4PROTO_STATE,
504 NFCT_FILTER_SRC_IPV4,
505 NFCT_FILTER_DST_IPV4,
506 NFCT_FILTER_SRC_IPV6,
507 NFCT_FILTER_DST_IPV6,
513 const enum nfct_filter_attr attr,
517 const enum nfct_filter_attr attr,
518 const uint32_t value);
520 enum nfct_filter_logic {
521 NFCT_FILTER_LOGIC_POSITIVE,
522 NFCT_FILTER_LOGIC_NEGATIVE,
523 NFCT_FILTER_LOGIC_MAX
527 const enum nfct_filter_attr attr,
528 const enum nfct_filter_logic logic);
535 struct nfct_filter_dump;
542 enum nfct_filter_dump_attr {
543 NFCT_FILTER_DUMP_MARK = 0,
544 NFCT_FILTER_DUMP_L3NUM,
553 const enum nfct_filter_dump_attr type,
557 const enum nfct_filter_dump_attr type,
562 extern __attribute__((deprecated)) int
568 const struct nf_conntrack *ct);
570 extern __attribute__((deprecated))
572 const struct nlmsghdr *nlh,
573 struct nf_conntrack *ct);
575 extern __attribute__((deprecated))
577 const enum nf_conntrack_query query,
584 extern
int nfct_nlmsg_build(struct nlmsghdr *nlh, const struct nf_conntrack *ct);
585 extern
int nfct_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_conntrack *ct);
586 extern
int nfct_payload_parse(const
void *payload,
size_t payload_len, uint16_t l3num, struct nf_conntrack *ct);
596 enum nf_expect_attr {
603 ATTR_EXP_HELPER_NAME,
612 extern struct nf_expect *
nfexp_new(
void);
616 extern struct nf_expect *
nfexp_clone(
const struct nf_expect *exp);
619 extern size_t nfexp_sizeof(
const struct nf_expect *exp);
627 enum nf_conntrack_msg_type type,
628 int (*cb)(
enum nf_conntrack_msg_type type,
629 struct nf_expect *exp,
637 enum nf_conntrack_msg_type type,
638 int (*cb)(
const struct nlmsghdr *nlh,
639 enum nf_conntrack_msg_type type,
640 struct nf_expect *exp,
648 const enum nf_expect_attr type,
652 const enum nf_expect_attr type,
656 const enum nf_expect_attr type,
660 const enum nf_expect_attr type,
665 const enum nf_expect_attr type);
668 const enum nf_expect_attr type);
671 const enum nf_expect_attr type);
674 const enum nf_expect_attr type);
678 const enum nf_expect_attr type);
682 const enum nf_expect_attr type);
686 const enum nf_conntrack_query qt,
692 const struct nf_expect *exp,
693 const unsigned int msg_type,
694 const unsigned int out_type,
695 const unsigned int out_flags);
698 extern int nfexp_cmp(
const struct nf_expect *exp1,
699 const struct nf_expect *exp2,
703 const enum nf_conntrack_query qt,
709 extern __attribute__((deprecated))
715 const struct nf_expect *exp);
717 extern __attribute__((deprecated))
719 const struct nlmsghdr *nlh,
720 struct nf_expect *exp);
722 extern __attribute__((deprecated))
724 const enum nf_conntrack_query qt,
731 extern
int nfexp_nlmsg_build(struct nlmsghdr *nlh, const struct nf_expect *exp);
732 extern
int nfexp_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_expect *exp);
739 #define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01
742 #define IP_CT_TCP_FLAG_SACK_PERM 0x02
745 #define IP_CT_TCP_FLAG_CLOSE_INIT 0x04
748 #define IP_CT_TCP_FLAG_BE_LIBERAL 0x08
752 #define NFCT_DIR_ORIGINAL 0
753 #define NFCT_DIR_REPLY 1
754 #define NFCT_DIR_MAX NFCT_DIR_REPLY+1
759 #define NFCT_HELPER_NAME_MAX 16
void nfct_filter_destroy(struct nfct_filter *filter)
void nfexp_set_attr(struct nf_expect *exp, const enum nf_expect_attr type, const void *value)
size_t nfexp_maxsize(void)
void nfct_set_attr_l(struct nf_conntrack *ct, const enum nf_conntrack_attr type, const void *value, size_t len)
int nfct_send(struct nfct_handle *h, const enum nf_conntrack_query query, const void *data)
uint16_t nfct_get_attr_u16(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
void nfct_set_attr_u64(struct nf_conntrack *ct, const enum nf_conntrack_attr type, uint64_t value)
void nfct_set_attr_u32(struct nf_conntrack *ct, const enum nf_conntrack_attr type, uint32_t value)
uint8_t nfct_get_attr_u8(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
const char * nfct_labelmap_get_name(struct nfct_labelmap *m, unsigned int bit)
int nfexp_callback_register2(struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data)
void nfct_filter_add_attr_u32(struct nfct_filter *filter, const enum nfct_filter_attr attr, const uint32_t value)
int nfct_query(struct nfct_handle *h, const enum nf_conntrack_query query, const void *data)
void nfct_set_attr(struct nf_conntrack *ct, const enum nf_conntrack_attr type, const void *value)
void nfexp_set_attr_u32(struct nf_expect *exp, const enum nf_expect_attr type, uint32_t value)
void nfct_copy_attr(struct nf_conntrack *ct1, const struct nf_conntrack *ct2, const enum nf_conntrack_attr type)
uint32_t nfexp_get_attr_u32(const struct nf_expect *exp, const enum nf_expect_attr type)
void nfexp_callback_unregister2(struct nfct_handle *h)
void nfexp_set_attr_u16(struct nf_expect *exp, const enum nf_expect_attr type, uint16_t value)
const char * nfct_labels_get_path(void)
int nfexp_build_expect(struct nfnl_subsys_handle *ssh, void *req, size_t size, uint16_t type, uint16_t flags, const struct nf_expect *exp)
int nfct_close(struct nfct_handle *cth)
void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump, const enum nfct_filter_dump_attr type, const void *data)
int nfexp_query(struct nfct_handle *h, const enum nf_conntrack_query qt, const void *data)
struct nf_expect * nfexp_clone(const struct nf_expect *exp)
int nfct_build_conntrack(struct nfnl_subsys_handle *ssh, void *req, size_t size, uint16_t type, uint16_t flags, const struct nf_conntrack *ct)
void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump, const enum nfct_filter_dump_attr type, uint8_t data)
int nfexp_cmp(const struct nf_expect *exp1, const struct nf_expect *exp2, unsigned int flags)
int nfct_get_attr_grp(const struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type, void *data)
void nfct_copy(struct nf_conntrack *dest, const struct nf_conntrack *source, unsigned int flags)
void nfct_destroy(struct nf_conntrack *ct)
int nfct_fd(struct nfct_handle *cth)
int nfct_snprintf(char *buf, unsigned int size, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int out_type, const unsigned int out_flags)
void nfct_set_attr_grp(struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type, const void *value)
int nfct_attr_is_set_array(const struct nf_conntrack *ct, const enum nf_conntrack_attr *type_array, int size)
int nfexp_send(struct nfct_handle *h, const enum nf_conntrack_query qt, const void *data)
void nfct_filter_add_attr(struct nfct_filter *filter, const enum nfct_filter_attr attr, const void *value)
uint16_t nfexp_get_attr_u16(const struct nf_expect *exp, const enum nf_expect_attr type)
struct nfct_filter * nfct_filter_create(void)
int nfct_callback_register(struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data)
struct nfct_labelmap * nfct_labelmap_new(const char *mapfile)
int nfct_setobjopt(struct nf_conntrack *ct, unsigned int option)
struct nf_expect * nfexp_new(void)
int nfexp_attr_unset(struct nf_expect *exp, const enum nf_expect_attr type)
uint32_t nfct_get_attr_u32(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
int nfct_parse_conntrack(enum nf_conntrack_msg_type type, const struct nlmsghdr *nlh, struct nf_conntrack *ct)
int nfexp_parse_expect(enum nf_conntrack_msg_type type, const struct nlmsghdr *nlh, struct nf_expect *exp)
struct nf_conntrack * nfct_clone(const struct nf_conntrack *ct)
void nfct_callback_unregister(struct nfct_handle *h)
void nfct_callback_unregister2(struct nfct_handle *h)
int nfct_filter_set_logic(struct nfct_filter *filter, const enum nfct_filter_attr attr, const enum nfct_filter_logic logic)
uint64_t nfct_get_attr_u64(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
int nfexp_snprintf(char *buf, unsigned int size, const struct nf_expect *exp, const unsigned int msg_type, const unsigned int out_type, const unsigned int out_flags)
int nfct_callback_register2(struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data)
void nfct_set_attr_u16(struct nf_conntrack *ct, const enum nf_conntrack_attr type, uint16_t value)
struct nf_conntrack * nfct_new(void)
int nfct_build_query(struct nfnl_subsys_handle *ssh, const enum nf_conntrack_query qt, const void *data, void *buffer, unsigned int size)
int nfct_compare(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2)
int nfexp_build_query(struct nfnl_subsys_handle *ssh, const enum nf_conntrack_query qt, const void *data, void *buffer, unsigned int size)
int nfct_cmp(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2, unsigned int flags)
int nfct_filter_attach(int fd, struct nfct_filter *filter)
void nfexp_set_attr_u8(struct nf_expect *exp, const enum nf_expect_attr type, uint8_t value)
int nfct_getobjopt(const struct nf_conntrack *ct, unsigned int option)
int nfct_catch(struct nfct_handle *h)
int nfct_filter_detach(int fd)
void nfct_set_attr_u8(struct nf_conntrack *ct, const enum nf_conntrack_attr type, uint8_t value)
void nfct_filter_dump_destroy(struct nfct_filter_dump *filter)
const void * nfct_get_attr(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
int nfexp_callback_register(struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data)
int nfct_labelmap_get_bit(struct nfct_labelmap *m, const char *name)
int nfexp_attr_is_set(const struct nf_expect *exp, const enum nf_expect_attr type)
size_t nfct_sizeof(const struct nf_conntrack *ct)
int nfct_attr_grp_unset(struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type)
size_t nfct_maxsize(void)
int nfexp_catch(struct nfct_handle *h)
int nfct_attr_is_set(const struct nf_conntrack *ct, const enum nf_conntrack_attr type)
uint8_t nfexp_get_attr_u8(const struct nf_expect *exp, const enum nf_expect_attr type)
void nfexp_callback_unregister(struct nfct_handle *h)
size_t nfexp_sizeof(const struct nf_expect *exp)
void nfexp_destroy(struct nf_expect *exp)
int nfct_attr_grp_is_set(const struct nf_conntrack *ct, const enum nf_conntrack_attr_grp type)
void nfct_labelmap_destroy(struct nfct_labelmap *map)
const void * nfexp_get_attr(const struct nf_expect *exp, const enum nf_expect_attr type)
int nfct_attr_unset(struct nf_conntrack *ct, const enum nf_conntrack_attr type)
struct nfct_handle * nfct_open(uint8_t, unsigned)
struct nfct_filter_dump * nfct_filter_dump_create(void)
int nfct_snprintf_labels(char *buf, unsigned int size, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int out_type, const unsigned int out_flags, struct nfct_labelmap *map)