
libnetfilter_conntrack.h

00001 /*
00002  * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
00003  *
00004  * This software may be used and distributed according to the terms
00005  * of the GNU General Public License, incorporated herein by reference.
00006  */
00007 
00008 #ifndef _LIBNETFILTER_CONNTRACK_H_
00009 #define _LIBNETFILTER_CONNTRACK_H_
00010 
00011 #include <netinet/in.h>
00012 #include <libnfnetlink/linux_nfnetlink.h>
00013 #include <libnfnetlink/libnfnetlink.h>
00014 #include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h> 
00015 
00016 #ifdef __cplusplus
00017 extern "C" {
00018 #endif
00019 
/* Netfilter-netlink subsystem identifiers.  Pass one of these as the
 * subsys_id argument of nfct_open()/nfct_open_nfnl() to select the
 * conntrack table or the expectation table.  The numeric values come from
 * libnfnetlink and are part of the kernel ABI. */
enum {
        CONNTRACK = NFNL_SUBSYS_CTNETLINK,      /* conntrack subsystem */
        EXPECT = NFNL_SUBSYS_CTNETLINK_EXP      /* expectation subsystem */
};
00024 
/*
 * Subscribe to all possible conntrack event groups (NEW, UPDATE and
 * DESTROY).  Use this flag as the subscriptions argument of nfct_open()
 * when you want to receive every possible event.  Do not use this flag
 * for dumping or any other similar (query-only) operation.
 */
#define NFCT_ALL_CT_GROUPS (NF_NETLINK_CONNTRACK_NEW|NF_NETLINK_CONNTRACK_UPDATE|NF_NETLINK_CONNTRACK_DESTROY)
00032 
/* Opaque library handle wrapping a netfilter-netlink socket.  Created by
 * nfct_open()/nfct_open_nfnl(), released with nfct_close(). */
struct nfct_handle;

/*
 * [Open|close] a conntrack handler
 */
/* nfct_open(subsys_id, subscriptions): subsys_id is CONNTRACK or EXPECT,
 * subscriptions is a bitmask of event groups (see NFCT_ALL_CT_GROUPS).
 * NOTE(review): the failure convention is not stated here — presumably a
 * NULL return with errno set; confirm against the implementation. */
extern struct nfct_handle *nfct_open(u_int8_t, unsigned);
/* Variant of nfct_open() that takes an existing libnfnetlink handle
 * (presumably reusing its socket rather than opening a new one). */
extern struct nfct_handle *nfct_open_nfnl(struct nfnl_handle *nfnlh,
                                          u_int8_t subsys_id,
                                          unsigned int subscriptions);
/* Close the handle and release its resources; cth is invalid afterwards. */
extern int nfct_close(struct nfct_handle *cth);

/* File descriptor of the underlying netlink socket, usable with
 * poll()/select() to wait for events before calling nfct_catch(). */
extern int nfct_fd(struct nfct_handle *cth);
/* Read-only access to the underlying libnfnetlink handle. */
extern const struct nfnl_handle *nfct_nfnlh(struct nfct_handle *cth);
00046 
00047 /* 
00048  * NEW libnetfilter_conntrack API 
00049  */
00050 
00051 /* high level API */
00052 
00053 #include <sys/types.h>
00054 
/* conntrack object: opaque, allocated by nfct_new()/nfct_clone() and freed
 * with nfct_destroy().  Attributes are accessed through nfct_set_attr*()
 * and nfct_get_attr*(). */
struct nf_conntrack;
00057 
/* conntrack attributes
 *
 * Selector for nfct_set_attr*()/nfct_get_attr*()/nfct_attr_is_set().  The
 * trailing comment on each entry gives the width of the value stored, which
 * also tells the caller which typed accessor (u8/u16/u32/u64) applies and
 * how many bytes the untyped nfct_set_attr() is expected to read from
 * *value.  The numeric values are explicit because they are part of the
 * library ABI: append new attributes before ATTR_MAX, never renumber.
 * ATTR_*_SRC/DST without a direction prefix are aliases of the ORIG ones. */
enum nf_conntrack_attr {
        ATTR_ORIG_IPV4_SRC = 0,                 /* u32 bits */
        ATTR_IPV4_SRC = ATTR_ORIG_IPV4_SRC,     /* alias */
        ATTR_ORIG_IPV4_DST,                     /* u32 bits */
        ATTR_IPV4_DST = ATTR_ORIG_IPV4_DST,     /* alias */
        ATTR_REPL_IPV4_SRC,                     /* u32 bits */
        ATTR_REPL_IPV4_DST,                     /* u32 bits */
        ATTR_ORIG_IPV6_SRC = 4,                 /* u128 bits */
        ATTR_IPV6_SRC = ATTR_ORIG_IPV6_SRC,     /* alias */
        ATTR_ORIG_IPV6_DST,                     /* u128 bits */
        ATTR_IPV6_DST = ATTR_ORIG_IPV6_DST,     /* alias */
        ATTR_REPL_IPV6_SRC,                     /* u128 bits */
        ATTR_REPL_IPV6_DST,                     /* u128 bits */
        ATTR_ORIG_PORT_SRC = 8,                 /* u16 bits */
        ATTR_PORT_SRC = ATTR_ORIG_PORT_SRC,     /* alias */
        ATTR_ORIG_PORT_DST,                     /* u16 bits */
        ATTR_PORT_DST = ATTR_ORIG_PORT_DST,     /* alias */
        ATTR_REPL_PORT_SRC,                     /* u16 bits */
        ATTR_REPL_PORT_DST,                     /* u16 bits */
        ATTR_ICMP_TYPE = 12,                    /* u8 bits */
        ATTR_ICMP_CODE,                         /* u8 bits */
        ATTR_ICMP_ID,                           /* u16 bits */
        ATTR_ORIG_L3PROTO,                      /* u8 bits */
        ATTR_L3PROTO = ATTR_ORIG_L3PROTO,       /* alias */
        ATTR_REPL_L3PROTO = 16,                 /* u8 bits */
        ATTR_ORIG_L4PROTO,                      /* u8 bits */
        ATTR_L4PROTO = ATTR_ORIG_L4PROTO,       /* alias */
        ATTR_REPL_L4PROTO,                      /* u8 bits */
        ATTR_TCP_STATE,                         /* u8 bits */
        ATTR_SNAT_IPV4 = 20,                    /* u32 bits */
        ATTR_DNAT_IPV4,                         /* u32 bits */
        ATTR_SNAT_PORT,                         /* u16 bits */
        ATTR_DNAT_PORT,                         /* u16 bits */
        ATTR_TIMEOUT = 24,                      /* u32 bits */
        ATTR_MARK,                              /* u32 bits */
        ATTR_ORIG_COUNTER_PACKETS,              /* u64 bits */
        ATTR_REPL_COUNTER_PACKETS,              /* u64 bits */
        ATTR_ORIG_COUNTER_BYTES = 28,           /* u64 bits */
        ATTR_REPL_COUNTER_BYTES,                /* u64 bits */
        ATTR_USE,                               /* u32 bits */
        ATTR_ID,                                /* u32 bits */
        ATTR_STATUS = 32,                       /* u32 bits, bitset of enum ip_conntrack_status */
        ATTR_TCP_FLAGS_ORIG,                    /* u8 bits */
        ATTR_TCP_FLAGS_REPL,                    /* u8 bits */
        ATTR_TCP_MASK_ORIG,                     /* u8 bits */
        ATTR_TCP_MASK_REPL = 36,                /* u8 bits */
        ATTR_MASTER_IPV4_SRC,                   /* u32 bits */
        ATTR_MASTER_IPV4_DST,                   /* u32 bits */
        ATTR_MASTER_IPV6_SRC,                   /* u128 bits */
        ATTR_MASTER_IPV6_DST = 40,              /* u128 bits */
        ATTR_MASTER_PORT_SRC,                   /* u16 bits */
        ATTR_MASTER_PORT_DST,                   /* u16 bits */
        ATTR_MASTER_L3PROTO,                    /* u8 bits */
        ATTR_MASTER_L4PROTO = 44,               /* u8 bits */
        ATTR_SECMARK,                           /* u32 bits */
        ATTR_ORIG_NAT_SEQ_CORRECTION_POS,       /* u32 bits */
        ATTR_ORIG_NAT_SEQ_OFFSET_BEFORE,        /* u32 bits */
        ATTR_ORIG_NAT_SEQ_OFFSET_AFTER = 48,    /* u32 bits */
        ATTR_REPL_NAT_SEQ_CORRECTION_POS,       /* u32 bits */
        ATTR_REPL_NAT_SEQ_OFFSET_BEFORE,        /* u32 bits */
        ATTR_REPL_NAT_SEQ_OFFSET_AFTER,         /* u32 bits */
        ATTR_SCTP_STATE = 52,                   /* u8 bits */
        ATTR_SCTP_VTAG_ORIG,                    /* u32 bits */
        ATTR_SCTP_VTAG_REPL,                    /* u32 bits */
        ATTR_HELPER_NAME,                       /* string (30 bytes max) — use only the untyped accessors */
        ATTR_DCCP_STATE = 56,                   /* u8 bits */
        ATTR_DCCP_ROLE,                         /* u8 bits */
        ATTR_DCCP_HANDSHAKE_SEQ,                /* u64 bits */
        ATTR_TCP_WSCALE_ORIG,                   /* u8 bits */
        ATTR_TCP_WSCALE_REPL = 60,              /* u8 bits */
        ATTR_ZONE,                              /* u16 bits */
        ATTR_SECCTX,                            /* string — use only the untyped accessors */
        ATTR_MAX                                /* number of attributes, not a valid selector */
};
00133 
/* conntrack attribute groups
 *
 * Selector for nfct_set_attr_grp()/nfct_get_attr_grp(): each group bundles
 * several related attributes into one of the struct nfct_attr_grp_* types
 * named in the trailing comment, which is the type the group setter reads
 * from *value and the group getter writes to *data.  Values are explicit
 * because they are part of the library ABI. */
enum nf_conntrack_attr_grp {
        ATTR_GRP_ORIG_IPV4 = 0,                 /* struct nfct_attr_grp_ipv4 */
        ATTR_GRP_REPL_IPV4,                     /* struct nfct_attr_grp_ipv4 */
        ATTR_GRP_ORIG_IPV6,                     /* struct nfct_attr_grp_ipv6 */
        ATTR_GRP_REPL_IPV6,                     /* struct nfct_attr_grp_ipv6 */
        ATTR_GRP_ORIG_PORT = 4,                 /* struct nfct_attr_grp_port */
        ATTR_GRP_REPL_PORT,                     /* struct nfct_attr_grp_port */
        ATTR_GRP_ICMP,                          /* struct nfct_attr_grp_icmp */
        ATTR_GRP_MASTER_IPV4,                   /* struct nfct_attr_grp_ipv4 */
        ATTR_GRP_MASTER_IPV6 = 8,               /* struct nfct_attr_grp_ipv6 */
        ATTR_GRP_MASTER_PORT,                   /* struct nfct_attr_grp_port */
        ATTR_GRP_ORIG_COUNTERS,                 /* struct nfct_attr_grp_ctrs */
        ATTR_GRP_REPL_COUNTERS,                 /* struct nfct_attr_grp_ctrs */
        ATTR_GRP_MAX                            /* number of groups, not a valid selector */
};
00150 
/* IPv4 address pair for the ATTR_GRP_*_IPV4 groups.
 * NOTE(review): byte order is not stated here; the single-attribute IPv4
 * setters presumably expect network byte order — confirm before use. */
struct nfct_attr_grp_ipv4 {
        u_int32_t src, dst;
};
00154 
/* IPv6 address pair for the ATTR_GRP_*_IPV6 groups; each address is
 * 128 bits stored as four 32-bit words. */
struct nfct_attr_grp_ipv6 {
        u_int32_t src[4], dst[4];
};
00158 
/* Layer-4 port pair for the ATTR_GRP_*_PORT groups (source, destination). */
struct nfct_attr_grp_port {
        u_int16_t sport, dport;
};
00162 
/* ICMP identifier, code and type for the ATTR_GRP_ICMP group. */
struct nfct_attr_grp_icmp {
        u_int16_t id;
        u_int8_t code, type;
};
00167 
/* Per-direction packet/byte counters for the ATTR_GRP_*_COUNTERS groups. */
struct nfct_attr_grp_ctrs {
        u_int64_t packets;
        u_int64_t bytes;
};
00172 
/* message type
 *
 * Bitmask describing which kind of netlink message a callback is interested
 * in (nfct_callback_register()) or which kind it received.  The *_BIT
 * entries are bit positions, the others are the corresponding masks, so
 * they can be OR-ed together (NFCT_T_ALL is the OR of the three event
 * types). */
enum nf_conntrack_msg_type {
        NFCT_T_UNKNOWN = 0,

        NFCT_T_NEW_BIT = 0,
        NFCT_T_NEW = (1 << NFCT_T_NEW_BIT),

        NFCT_T_UPDATE_BIT = 1,
        NFCT_T_UPDATE = (1 << NFCT_T_UPDATE_BIT),

        NFCT_T_DESTROY_BIT = 2,
        NFCT_T_DESTROY = (1 << NFCT_T_DESTROY_BIT),

        NFCT_T_ALL = NFCT_T_NEW | NFCT_T_UPDATE | NFCT_T_DESTROY,

        /* NOTE(review): 1 << 31 is not representable as a (32-bit) int, so
         * standard C does not define this shift; compilers accept it and it
         * is kept unchanged for ABI compatibility, but callers should test
         * it with a mask (`type & NFCT_T_ERROR`), not with ordering
         * comparisons. */
        NFCT_T_ERROR_BIT = 31,
        NFCT_T_ERROR = (1 << NFCT_T_ERROR_BIT),
};
00191 
/* constructor / destructor */
/* Allocate an empty conntrack object; the caller owns it and must release it
 * with nfct_destroy().  NOTE(review): presumably returns NULL on allocation
 * failure — confirm against the implementation. */
extern struct nf_conntrack *nfct_new(void);
extern void nfct_destroy(struct nf_conntrack *ct);

/* clone: deep copy of ct; the returned object is owned by the caller and
 * must be released with nfct_destroy(). */
struct nf_conntrack *nfct_clone(const struct nf_conntrack *ct);

/* object size: size in bytes of the object ct points to. */
extern size_t nfct_sizeof(const struct nf_conntrack *ct);

/* maximum object size: upper bound on nfct_sizeof(), e.g. for callers that
 * want to reserve storage for a conntrack object up front. */
extern size_t nfct_maxsize(void);
00204 
/* set option
 *
 * Operations accepted by nfct_setobjopt(): undo a NAT mapping on the object
 * (SNAT/DNAT = address, SPAT/DPAT = port), or derive one tuple from the
 * other (SETUP_ORIGINAL / SETUP_REPLY).  __NFCT_SOPT_MAX is an internal
 * sentinel; NFCT_SOPT_MAX is the highest valid option. */
enum {
        NFCT_SOPT_UNDO_SNAT,
        NFCT_SOPT_UNDO_DNAT,
        NFCT_SOPT_UNDO_SPAT,
        NFCT_SOPT_UNDO_DPAT,
        NFCT_SOPT_SETUP_ORIGINAL,
        NFCT_SOPT_SETUP_REPLY,
        __NFCT_SOPT_MAX,
};
#define NFCT_SOPT_MAX (__NFCT_SOPT_MAX - 1)
00216 
/* get option
 *
 * Queries accepted by nfct_getobjopt(): whether the object has source /
 * destination address NAT (SNAT/DNAT) or port NAT (SPAT/DPAT) applied.
 * __NFCT_GOPT_MAX is an internal sentinel; NFCT_GOPT_MAX is the highest
 * valid option. */
enum {
        NFCT_GOPT_IS_SNAT,
        NFCT_GOPT_IS_DNAT,
        NFCT_GOPT_IS_SPAT,
        NFCT_GOPT_IS_DPAT,
        __NFCT_GOPT_MAX,
};
#define NFCT_GOPT_MAX (__NFCT_GOPT_MAX - 1)
00226 
/* Apply one of the NFCT_SOPT_* operations to ct / evaluate one of the
 * NFCT_GOPT_* queries on ct.  option must not exceed NFCT_SOPT_MAX /
 * NFCT_GOPT_MAX respectively.  NOTE(review): the error convention is not
 * stated here — presumably a negative return with errno set; confirm. */
extern int nfct_setobjopt(struct nf_conntrack *ct, unsigned int option);
extern int nfct_getobjopt(const struct nf_conntrack *ct, unsigned int option);
00229 
/* register / unregister callback */

/* Register cb on handle h for the message types in the bitmask type (see
 * enum nf_conntrack_msg_type).  data is passed back to cb unchanged.  cb
 * must return one of the NFCT_CB_* verdicts; unless it returns
 * NFCT_CB_STOLEN the library releases ct after cb returns, so a callback
 * that keeps ct beyond its own execution must return NFCT_CB_STOLEN and
 * presumably free it later with nfct_destroy(). */
extern int nfct_callback_register(struct nfct_handle *h,
                                  enum nf_conntrack_msg_type type,
                                  int (*cb)(enum nf_conntrack_msg_type type,
                                            struct nf_conntrack *ct,
                                            void *data),
                                  void *data);

/* Remove the callback previously installed with nfct_callback_register(). */
extern void nfct_callback_unregister(struct nfct_handle *h);
00240 
/* register / unregister callback: extended version including netlink header */

/* Same contract as nfct_callback_register(), but cb additionally receives
 * the raw netlink message header nlh (read-only, valid only for the
 * duration of the callback). */
extern int nfct_callback_register2(struct nfct_handle *h,
                                   enum nf_conntrack_msg_type type,
                                   int (*cb)(const struct nlmsghdr *nlh,
                                             enum nf_conntrack_msg_type type,
                                             struct nf_conntrack *ct,
                                             void *data),
                                   void *data);

/* Remove the callback previously installed with nfct_callback_register2(). */
extern void nfct_callback_unregister2(struct nfct_handle *h);
00252 
/* callback verdict: return values expected from the callbacks installed by
 * nfct_callback_register*() and nfexp_callback_register*(). */
enum {
        NFCT_CB_FAILURE = -1,   /* failure: abort the query with an error */
        NFCT_CB_STOP = 0,       /* stop the query */
        NFCT_CB_CONTINUE = 1,   /* keep iterating through data */
        NFCT_CB_STOLEN = 2,     /* like continue, but ct is not freed: the
                                 * callback takes ownership of the object */
};
00260 
/* setter */
/* Untyped setter: copies the attribute from *value into ct.  The number of
 * bytes read is fixed by type (see the width comments in enum
 * nf_conntrack_attr), so value must point to an object of at least that
 * size — e.g. 16 bytes for the IPv6 attributes, a NUL-terminated string for
 * ATTR_HELPER_NAME / ATTR_SECCTX.  Prefer the typed variants below for
 * integer attributes. */
extern void nfct_set_attr(struct nf_conntrack *ct,
                          const enum nf_conntrack_attr type,
                          const void *value);

/* Typed setters for 8/16/32/64-bit attributes.  Use the variant matching
 * the attribute width listed in enum nf_conntrack_attr. */
extern void nfct_set_attr_u8(struct nf_conntrack *ct,
                             const enum nf_conntrack_attr type,
                             u_int8_t value);

extern void nfct_set_attr_u16(struct nf_conntrack *ct,
                              const enum nf_conntrack_attr type,
                              u_int16_t value);

extern void nfct_set_attr_u32(struct nf_conntrack *ct,
                              const enum nf_conntrack_attr type,
                              u_int32_t value);

extern void nfct_set_attr_u64(struct nf_conntrack *ct,
                              const enum nf_conntrack_attr type,
                              u_int64_t value);
00281 
/* getter */
/* Untyped getter: returns a read-only pointer to the attribute storage
 * inside ct (so it is presumably invalidated by nfct_destroy()/nfct_copy()
 * — do not cache it across those calls).  Check nfct_attr_is_set() first;
 * the value returned for an unset attribute is not documented here. */
extern const void *nfct_get_attr(const struct nf_conntrack *ct,
                                 const enum nf_conntrack_attr type);

/* Typed getters for 8/16/32/64-bit attributes, returning the value by copy.
 * Use the variant matching the width listed in enum nf_conntrack_attr. */
extern u_int8_t nfct_get_attr_u8(const struct nf_conntrack *ct,
                                 const enum nf_conntrack_attr type);

extern u_int16_t nfct_get_attr_u16(const struct nf_conntrack *ct,
                                   const enum nf_conntrack_attr type);

extern u_int32_t nfct_get_attr_u32(const struct nf_conntrack *ct,
                                   const enum nf_conntrack_attr type);

extern u_int64_t nfct_get_attr_u64(const struct nf_conntrack *ct,
                                   const enum nf_conntrack_attr type);
00297 
/* checker */
/* Whether attribute type has been set on ct.  NOTE(review): the result
 * convention is not stated here — presumably 1 = set, 0 = unset and a
 * negative value for an invalid type; confirm against the implementation. */
extern int nfct_attr_is_set(const struct nf_conntrack *ct,
                            const enum nf_conntrack_attr type);

/* Same check for every attribute in type_array; size is the number of
 * entries in the array (it is an int, so never pass a negative count). */
extern int nfct_attr_is_set_array(const struct nf_conntrack *ct,
                                  const enum nf_conntrack_attr *type_array,
                                  int size);

/* unsetter: clear attribute type on ct so nfct_attr_is_set() reports it
 * as unset. */
extern int nfct_attr_unset(struct nf_conntrack *ct,
                           const enum nf_conntrack_attr type);
00309 
/* group setter: copies the whole group from *value, which must point to the
 * struct nfct_attr_grp_* type listed for type in enum nf_conntrack_attr_grp. */
extern void nfct_set_attr_grp(struct nf_conntrack *ct,
                              const enum nf_conntrack_attr_grp type,
                              const void *value);
/* group getter: fills *data, which must point to the struct nfct_attr_grp_*
 * type listed for type in enum nf_conntrack_attr_grp (the library cannot
 * check the size of the destination). */
extern int nfct_get_attr_grp(const struct nf_conntrack *ct,
                             const enum nf_conntrack_attr_grp type,
                             void *data);

/* group checker: whether every attribute of the group is set on ct. */
extern int nfct_attr_grp_is_set(const struct nf_conntrack *ct,
                                const enum nf_conntrack_attr_grp type);

/* unsetter: clear every attribute of the group on ct. */
extern int nfct_attr_grp_unset(struct nf_conntrack *ct,
                               const enum nf_conntrack_attr_grp type);
00326 
/* print */

/* output type: out_type argument of nfct_snprintf()/nfexp_snprintf(). */
enum {
        NFCT_O_PLAIN,                   /* one-line plain text */
        NFCT_O_DEFAULT = NFCT_O_PLAIN,
        NFCT_O_XML,                     /* XML fragment */
        NFCT_O_MAX                      /* sentinel, not a valid type */
};
00336 
/* output flags: bitmask for the out_flags argument of nfct_snprintf() /
 * nfexp_snprintf().  *_BIT entries are bit positions, the others are the
 * masks to OR together. */
enum {
        NFCT_OF_SHOW_LAYER3_BIT = 0,
        NFCT_OF_SHOW_LAYER3 = (1 << NFCT_OF_SHOW_LAYER3_BIT),   /* include the layer-3 protocol */

        NFCT_OF_TIME_BIT = 1,
        NFCT_OF_TIME = (1 << NFCT_OF_TIME_BIT),                 /* include a timestamp */

        NFCT_OF_ID_BIT = 2,
        NFCT_OF_ID = (1 << NFCT_OF_ID_BIT),                     /* include the conntrack id */
};
00348 
/* Format ct into buf (at most size bytes) as out_type (NFCT_O_*) with the
 * NFCT_OF_* flags in out_flags; msg_type is the enum nf_conntrack_msg_type
 * value to print as the event kind (e.g. NFCT_T_UNKNOWN for a dump).
 * NOTE(review): the return value and truncation behaviour are not stated
 * here — treat it like snprintf() and compare the result with size before
 * trusting the contents of buf; confirm against the implementation. */
extern int nfct_snprintf(char *buf, 
                         unsigned int size,
                         const struct nf_conntrack *ct,
                         const unsigned int msg_type,
                         const unsigned int out_type,
                         const unsigned int out_flags);
00355 
/* comparison: legacy whole-object comparison of ct1 and ct2.  See nfct_cmp()
 * below for the version with selectable comparison flags. */
extern int nfct_compare(const struct nf_conntrack *ct1,
                        const struct nf_conntrack *ct2);
00359 
/* Flags for nfct_cmp(): which parts of the objects to compare (ORIG / REPL
 * tuples, or ALL when no selector is given), how to compare timeouts
 * (EQ / GT / GE / LT / LE), and whether to use MASK / STRICT semantics. */
enum {
        NFCT_CMP_ALL = 0,
        NFCT_CMP_ORIG = (1 << 0),
        NFCT_CMP_REPL = (1 << 1),
        NFCT_CMP_TIMEOUT_EQ = (1 << 2),
        NFCT_CMP_TIMEOUT_GT = (1 << 3),
        NFCT_CMP_TIMEOUT_GE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_GT),
        NFCT_CMP_TIMEOUT_LT = (1 << 4),
        NFCT_CMP_TIMEOUT_LE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_LT),
        NFCT_CMP_MASK = (1 << 5),
        NFCT_CMP_STRICT = (1 << 6),
};
00372 
/* Compare ct1 and ct2 according to the NFCT_CMP_* bitmask in flags.
 * NOTE(review): the return convention is not stated here — presumably
 * non-zero when the objects match; confirm against the implementation. */
extern int nfct_cmp(const struct nf_conntrack *ct1,
                    const struct nf_conntrack *ct2,
                    unsigned int flags);
00376 
00377 
/* query: operation selector for nfct_query()/nfct_send()/nfexp_query().
 * DUMP_RESET dumps and resets the counters; CREATE_UPDATE creates the entry
 * or updates it if it already exists.  FLUSH and DUMP* operate on the whole
 * table and need no object in data. */
enum nf_conntrack_query {
        NFCT_Q_CREATE,
        NFCT_Q_UPDATE,
        NFCT_Q_DESTROY,
        NFCT_Q_GET,
        NFCT_Q_FLUSH,
        NFCT_Q_DUMP,
        NFCT_Q_DUMP_RESET,
        NFCT_Q_CREATE_UPDATE,
};
00389 
/* Send query to the kernel through h and process the reply, invoking the
 * registered callback for each returned object.  data is the argument of
 * the query (for the object-based queries a struct nf_conntrack *; for
 * NFCT_Q_FLUSH/DUMP* presumably a pointer to the layer-3 protocol family —
 * confirm against the implementation). */
extern int nfct_query(struct nfct_handle *h,
                      const enum nf_conntrack_query query,
                      const void *data);

/* Like nfct_query() but only sends the request; pair it with nfct_catch()
 * to receive the replies. */
extern int nfct_send(struct nfct_handle *h,
                     const enum nf_conntrack_query query,
                     const void *data);

/* Receive messages on h (events or pending replies) and dispatch them to
 * the registered callback; blocks until data is available. */
extern int nfct_catch(struct nfct_handle *h);
00399 
00400 /* copy */
00401 enum {
00402         NFCT_CP_ALL = 0,
00403         NFCT_CP_ORIG = (1 << 0),
00404         NFCT_CP_REPL = (1 << 1),
00405         NFCT_CP_META = (1 << 2),
00406 };
00407 
/* Copy the parts of source selected by the NFCT_CP_* bitmask flags into
 * dest; both objects must already be allocated (see nfct_new()). */
extern void nfct_copy(struct nf_conntrack *dest,
                      const struct nf_conntrack *source,
                      unsigned int flags);

/* Copy a single attribute type from ct2 into ct1. */
extern void nfct_copy_attr(struct nf_conntrack *ct1,
                           const struct nf_conntrack *ct2,
                           const enum nf_conntrack_attr type);
00415 
/* filter */

/* Opaque event filter.  Built with nfct_filter_add_attr*() and
 * nfct_filter_set_logic(), installed on a socket with nfct_filter_attach()
 * so that unwanted events are dropped before reaching user space. */
struct nfct_filter;

/* Allocate / free a filter; the caller owns the returned object. */
extern struct nfct_filter *nfct_filter_create(void);
extern void nfct_filter_destroy(struct nfct_filter *filter);
00422 
/* Value for NFCT_FILTER_L4PROTO_STATE: layer-4 protocol number and the
 * protocol state to match. */
struct nfct_filter_proto {
        u_int16_t proto;
        u_int16_t state;
};
/* Value for NFCT_FILTER_SRC_IPV4 / NFCT_FILTER_DST_IPV4: address and
 * netmask (an address matches when it equals addr under mask). */
struct nfct_filter_ipv4 {
        u_int32_t addr;
        u_int32_t mask;
};
/* Value for NFCT_FILTER_SRC_IPV6 / NFCT_FILTER_DST_IPV6: 128-bit address
 * and netmask, each as four 32-bit words. */
struct nfct_filter_ipv6 {
        u_int32_t addr[4];
        u_int32_t mask[4];
};
00435 
/* Filter attributes for nfct_filter_add_attr*(); the trailing comment gives
 * the type that value must point to (or the typed setter to use). */
enum nfct_filter_attr {
        NFCT_FILTER_L4PROTO = 0,        /* u_int32_t */
        NFCT_FILTER_L4PROTO_STATE,      /* struct nfct_filter_proto */
        NFCT_FILTER_SRC_IPV4,           /* struct nfct_filter_ipv4 */
        NFCT_FILTER_DST_IPV4,           /* struct nfct_filter_ipv4 */
        NFCT_FILTER_SRC_IPV6,           /* struct nfct_filter_ipv6 */
        NFCT_FILTER_DST_IPV6,           /* struct nfct_filter_ipv6 */
        NFCT_FILTER_MAX                 /* sentinel, not a valid attribute */
};
00445 
/* Add a match for attr to filter; value must point to the type listed for
 * attr in enum nfct_filter_attr.  Adding several values for one attribute
 * presumably ORs them — confirm against the implementation. */
extern void nfct_filter_add_attr(struct nfct_filter *filter,
                                 const enum nfct_filter_attr attr,
                                 const void *value);

/* Typed variant for the u_int32_t attributes (NFCT_FILTER_L4PROTO). */
extern void nfct_filter_add_attr_u32(struct nfct_filter *filter,
                                     const enum nfct_filter_attr attr,
                                     const u_int32_t value);
00453 
/* Match logic for one filter attribute: POSITIVE accepts events that match
 * the added values, NEGATIVE accepts events that do not. */
enum nfct_filter_logic {
        NFCT_FILTER_LOGIC_POSITIVE,
        NFCT_FILTER_LOGIC_NEGATIVE,
        NFCT_FILTER_LOGIC_MAX           /* sentinel, not a valid logic */
};
00459 
/* Select the NFCT_FILTER_LOGIC_* applied to attr in filter. */
extern int nfct_filter_set_logic(struct nfct_filter *filter,
                                 const enum nfct_filter_attr attr,
                                 const enum nfct_filter_logic logic);

/* Install filter on the netlink socket fd (see nfct_fd()) / remove any
 * filter installed on it.  NOTE(review): a filter only reduces the events
 * delivered to this socket; it is not an access control and the callback
 * must still validate what it receives. */
extern int nfct_filter_attach(int fd, struct nfct_filter *filter);
extern int nfct_filter_detach(int fd);
00466 
/* low level API: netlink functions */

/* Serialise ct into a netlink request in the caller-provided buffer req of
 * size bytes, with netlink message type and flags; ssh is the subsystem
 * handle the message belongs to.  Callers must size req from
 * nfct_maxsize()-class bounds rather than guessing, since the message grows
 * with the number of attributes set. */
extern int nfct_build_conntrack(struct nfnl_subsys_handle *ssh,
                                void *req,
                                size_t size,
                                u_int16_t type,
                                u_int16_t flags,
                                const struct nf_conntrack *ct);

/* Parse the netlink message nlh (of kind msg) into the caller-allocated ct.
 * NOTE(review): nlh normally comes straight from the kernel socket, but any
 * caller feeding it from another source must have validated the netlink
 * length fields first. */
extern int nfct_parse_conntrack(enum nf_conntrack_msg_type msg,
                                const struct nlmsghdr *nlh, 
                                struct nf_conntrack *ct);

/* Build the netlink request for query (with argument data, as for
 * nfct_query()) into the caller-provided buffer req of size bytes. */
extern int nfct_build_query(struct nfnl_subsys_handle *ssh,
                            const enum nf_conntrack_query query,
                            const void *data,
                            void *req,
                            unsigned int size);
00485 
00486 /*
00487  * NEW expectation API
00488  */
00489 
/* expectation object: opaque, allocated by nfexp_new()/nfexp_clone() and
 * freed with nfexp_destroy().  Attributes are accessed through
 * nfexp_set_attr*() and nfexp_get_attr*(). */
struct nf_expect;
00492 
/* expect attributes
 *
 * Selector for nfexp_set_attr*()/nfexp_get_attr*().  The first three hold
 * conntrack objects (value is a struct nf_conntrack *), the rest are
 * integers of the width given; ATTR_EXP_FLAGS is a bitmask of the
 * NF_CT_EXPECT_* flags defined below. */
enum nf_expect_attr {
        ATTR_EXP_MASTER = 0,    /* pointer to conntrack object */
        ATTR_EXP_EXPECTED,      /* pointer to conntrack object */
        ATTR_EXP_MASK,          /* pointer to conntrack object */
        ATTR_EXP_TIMEOUT,       /* u32 bits */
        ATTR_EXP_ZONE,          /* u16 bits */
        ATTR_EXP_FLAGS,         /* u32 bits */
        ATTR_EXP_MAX            /* number of attributes, not a valid selector */
};
00503 
/* constructor / destructor */
/* Allocate an empty expectation object owned by the caller; release it with
 * nfexp_destroy().  NOTE(review): presumably returns NULL on allocation
 * failure — confirm against the implementation. */
extern struct nf_expect *nfexp_new(void);
extern void nfexp_destroy(struct nf_expect *exp);

/* clone: deep copy of exp, owned by the caller (nfexp_destroy() to free). */
extern struct nf_expect *nfexp_clone(const struct nf_expect *exp);

/* object size: size in bytes of the object exp points to. */
extern size_t nfexp_sizeof(const struct nf_expect *exp);

/* maximum object size: upper bound on nfexp_sizeof(). */
extern size_t nfexp_maxsize(void);
00516 
/* register / unregister callback */

/* Expectation counterpart of nfct_callback_register(): cb is invoked for
 * messages matching the type bitmask with the parsed exp and data.  cb
 * returns an NFCT_CB_* verdict; exp is released after cb returns unless it
 * returns NFCT_CB_STOLEN. */
extern int nfexp_callback_register(struct nfct_handle *h,
                                   enum nf_conntrack_msg_type type,
                                   int (*cb)(enum nf_conntrack_msg_type type,
                                             struct nf_expect *exp,
                                             void *data),
                                   void *data);

/* Remove the callback installed with nfexp_callback_register(). */
extern void nfexp_callback_unregister(struct nfct_handle *h);
00527 
/* register / unregister callback: extended version including netlink header */
/* Same contract as nfexp_callback_register(), but cb additionally receives
 * the raw netlink header nlh (read-only, valid only during the callback). */
extern int nfexp_callback_register2(struct nfct_handle *h,
                                    enum nf_conntrack_msg_type type,
                                    int (*cb)(const struct nlmsghdr *nlh,
                                              enum nf_conntrack_msg_type type,
                                              struct nf_expect *exp,
                                              void *data),
                                    void *data);

/* Remove the callback installed with nfexp_callback_register2(). */
extern void nfexp_callback_unregister2(struct nfct_handle *h);
00538 
/* setter */
/* Untyped setter: value must point to the type listed for type in enum
 * nf_expect_attr (a struct nf_conntrack * for the three tuple attributes,
 * an integer of the given width otherwise). */
extern void nfexp_set_attr(struct nf_expect *exp,
                           const enum nf_expect_attr type,
                           const void *value);

/* Typed setters for the 8/16/32-bit expectation attributes. */
extern void nfexp_set_attr_u8(struct nf_expect *exp,
                              const enum nf_expect_attr type,
                              u_int8_t value);

extern void nfexp_set_attr_u16(struct nf_expect *exp,
                               const enum nf_expect_attr type,
                               u_int16_t value);

extern void nfexp_set_attr_u32(struct nf_expect *exp,
                               const enum nf_expect_attr type,
                               u_int32_t value);
00555 
/* getter */
/* Untyped getter: read-only pointer into exp (presumably invalidated by
 * nfexp_destroy()); check nfexp_attr_is_set() before relying on it. */
extern const void *nfexp_get_attr(const struct nf_expect *exp,
                                  const enum nf_expect_attr type);

/* Typed getters for the 8/16/32-bit expectation attributes. */
extern u_int8_t nfexp_get_attr_u8(const struct nf_expect *exp,
                                  const enum nf_expect_attr type);

extern u_int16_t nfexp_get_attr_u16(const struct nf_expect *exp,
                                    const enum nf_expect_attr type);

extern u_int32_t nfexp_get_attr_u32(const struct nf_expect *exp,
                                    const enum nf_expect_attr type);
00568 
/* checker: whether attribute type has been set on exp (result convention
 * as for nfct_attr_is_set()). */
extern int nfexp_attr_is_set(const struct nf_expect *exp,
                             const enum nf_expect_attr type);

/* unsetter: clear attribute type on exp. */
extern int nfexp_attr_unset(struct nf_expect *exp,
                            const enum nf_expect_attr type);
00576 
/* query: expectation counterpart of nfct_query(); qt is the operation and
 * data its argument (a struct nf_expect * for the object-based queries). */
extern int nfexp_query(struct nfct_handle *h,
                       const enum nf_conntrack_query qt,
                       const void *data);

/* print: format exp into buf (at most size bytes) as out_type with
 * out_flags; msg_type is the event kind to print.  Same caveat as
 * nfct_snprintf(): compare the result with size before using buf. */
extern int nfexp_snprintf(char *buf, 
                          unsigned int size,
                          const struct nf_expect *exp,
                          const unsigned int msg_type,
                          const unsigned int out_type,
                          const unsigned int out_flags);

/* Receive expectation messages on h and dispatch them to the registered
 * callback; blocks until data is available. */
extern int nfexp_catch(struct nfct_handle *h);
00591 
/* low level API */
/* Serialise exp into a netlink request in the caller-provided buffer req of
 * size bytes (netlink message type/flags as given); see
 * nfct_build_conntrack(). */
extern int nfexp_build_expect(struct nfnl_subsys_handle *ssh,
                              void *req,
                              size_t size,
                              u_int16_t type,
                              u_int16_t flags,
                              const struct nf_expect *exp);

/* Parse the netlink message nlh (of kind type) into the caller-allocated
 * exp; the same input-validation caveat as nfct_parse_conntrack() applies. */
extern int nfexp_parse_expect(enum nf_conntrack_msg_type type,
                              const struct nlmsghdr *nlh,
                              struct nf_expect *exp);

/* Build the netlink request for qt (argument data) into buffer, which holds
 * size bytes. */
extern int nfexp_build_query(struct nfnl_subsys_handle *ssh,
                             const enum nf_conntrack_query qt,
                             const void *data,
                             void *buffer,
                             unsigned int size);
00609 
/* Bitset representing status of connection. Taken from ip_conntrack.h
 *
 * This is the value carried by ATTR_STATUS; test individual bits with the
 * IPS_* masks.
 *
 * Note: For backward compatibility this shouldn't ever change
 *       in kernel space.
 */
enum ip_conntrack_status {
        /* It's an expected connection: bit 0 set.  This bit never changed */
        IPS_EXPECTED_BIT = 0,
        IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),

        /* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
        IPS_SEEN_REPLY_BIT = 1,
        IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),

        /* Conntrack should never be early-expired. */
        IPS_ASSURED_BIT = 2,
        IPS_ASSURED = (1 << IPS_ASSURED_BIT),

        /* Connection is confirmed: originating packet has left box */
        IPS_CONFIRMED_BIT = 3,
        IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),

        /* Connection needs src nat in orig dir.  This bit never changed. */
        IPS_SRC_NAT_BIT = 4,
        IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),

        /* Connection needs dst nat in orig dir.  This bit never changed. */
        IPS_DST_NAT_BIT = 5,
        IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),

        /* Both together. */
        IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),

        /* Connection needs TCP sequence adjusted. */
        IPS_SEQ_ADJUST_BIT = 6,
        IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),

        /* NAT initialization bits. */
        IPS_SRC_NAT_DONE_BIT = 7,
        IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),

        IPS_DST_NAT_DONE_BIT = 8,
        IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),

        /* Both together */
        IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),

        /* Connection is dying (removed from lists), can not be unset. */
        IPS_DYING_BIT = 9,
        IPS_DYING = (1 << IPS_DYING_BIT),

        /* Connection has fixed timeout. */
        IPS_FIXED_TIMEOUT_BIT = 10,
        IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
};
00665 
/* expectation flags: bitmask values for ATTR_EXP_FLAGS.  PERMANENT keeps the
 * expectation after it has been matched once, INACTIVE marks it as not yet
 * active, USERSPACE marks it as created from user space. */
#define NF_CT_EXPECT_PERMANENT          0x1
#define NF_CT_EXPECT_INACTIVE           0x2
#define NF_CT_EXPECT_USERSPACE          0x4
00670 
/*
 * TCP flags: bitmask values carried by ATTR_TCP_FLAGS_ORIG/REPL (and the
 * matching ATTR_TCP_MASK_ORIG/REPL), one set per direction.
 */

/* Window scaling is advertised by the sender */
#define IP_CT_TCP_FLAG_WINDOW_SCALE             0x01

/* SACK is permitted by the sender */
#define IP_CT_TCP_FLAG_SACK_PERM                0x02

/* This sender sent FIN first */
#define IP_CT_TCP_FLAG_CLOSE_INIT               0x04

/* Be liberal in window checking */
#define IP_CT_TCP_FLAG_BE_LIBERAL               0x08
00686 
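/* WARNING: do not use these constants in new applications, we keep them here
 * to avoid breaking backward compatibility. */
#define NFCT_DIR_ORIGINAL 0
#define NFCT_DIR_REPLY 1
/* Parenthesised so the expansion is safe inside a larger expression: the
 * unparenthesised form made e.g. `2 * NFCT_DIR_MAX` expand to `2 * 1 + 1`
 * and yield 3 instead of 4.  The value (2) is unchanged. */
#define NFCT_DIR_MAX (NFCT_DIR_REPLY + 1)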
00692 
00693 #ifdef __cplusplus
00694 }
00695 #endif
00696 
00697 #endif  /* _LIBNETFILTER_CONNTRACK_H_ */
