1 /*
2  * (C) 2005-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
3  *
4  * This program is free software; you can redistribute it and/or modify it
5  * under the terms of the GNU General Public License as published by
6  * the Free Software Foundation; either version 2 of the License, or
7  * (at your option) any later version.
8  */
9 
10 #ifndef _LIBNETFILTER_CONNTRACK_H_
11 #define _LIBNETFILTER_CONNTRACK_H_
12 
13 #include <stdbool.h>
14 #include <netinet/in.h>
15 #include <libnfnetlink/linux_nfnetlink.h>
16 #include <libnfnetlink/libnfnetlink.h>
17 #include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h>
18 
19 #ifdef __cplusplus
20 extern "C" {
21 #endif
22 
/*
 * Netfilter-netlink subsystem ids. These are the NFNL_SUBSYS_* values
 * re-exported under the library's own names; presumably they are what
 * callers pass as the uint8_t subsys_id argument of the nfct_open*()
 * constructors declared below — confirm against the implementation.
 */
enum {
	CONNTRACK = NFNL_SUBSYS_CTNETLINK,	/* conntrack table subsystem */
	EXPECT = NFNL_SUBSYS_CTNETLINK_EXP	/* expectation table subsystem */
};
27 
/*
 * Subscribe to all possible conntrack event groups. Use this
 * flag in case that you want to catch up all the possible
 * events. Do not use this flag for dumping or any other
 * similar operation.
 *
 * Expands to the OR of the three NF_NETLINK_CONNTRACK_* group bits
 * (NEW, UPDATE, DESTROY), i.e. a subscriptions mask for nfct_open*().
 */
#define NFCT_ALL_CT_GROUPS (NF_NETLINK_CONNTRACK_NEW|NF_NETLINK_CONNTRACK_UPDATE|NF_NETLINK_CONNTRACK_DESTROY)
35 
/*
 * Opaque library handle. Its definition is private to the library, so
 * callers only ever hold a pointer obtained from one of the nfct_open*()
 * constructors below and release it with nfct_close*().
 */
struct nfct_handle;

/*
 * [Open|close] a conntrack handler
 *
 * nfct_open() and nfct_open2() leave their parameters unnamed; by position
 * they presumably correspond to the subsys_id / subscriptions arguments of
 * nfct_open_nfnl(), with nfct_open2() taking one additional int — confirm
 * against the implementation. nfct_open_nfnl() / nfct_open_nfnl2() instead
 * build the handle on top of an nfnl_handle the caller already created;
 * the extra "bind" flag of nfct_open_nfnl2() is, by its name, presumably
 * whether the netlink socket gets bound — TODO confirm.
 *
 * nfct_close() releases the handle. nfct_close2() additionally takes
 * keep_fd, which by its name presumably leaves the underlying descriptor
 * open for the caller — TODO confirm. Both return int; the error
 * convention is not stated in this header.
 */
extern struct nfct_handle *nfct_open(uint8_t, unsigned);
extern struct nfct_handle *nfct_open2(uint8_t, unsigned, int);
extern struct nfct_handle *nfct_open_nfnl(struct nfnl_handle *nfnlh,
					  uint8_t subsys_id,
					  unsigned int subscriptions);
extern struct nfct_handle *nfct_open_nfnl2(struct nfnl_handle *nfnlh,
					  uint8_t subsys_id,
					  unsigned int subscriptions,
					  bool bind);
extern int nfct_close(struct nfct_handle *cth);
extern int nfct_close2(struct nfct_handle *cth, bool keep_fd);

/*
 * Accessors on an open handle: nfct_fd() returns an int, presumably the
 * descriptor behind cth (usable with poll/select — confirm); nfct_nfnlh()
 * exposes the underlying nfnl_handle as const, so callers cannot mutate
 * it through this accessor.
 */
extern int nfct_fd(struct nfct_handle *cth);
extern const struct nfnl_handle *nfct_nfnlh(struct nfct_handle *cth);
55 
56 /*
57  * NEW libnetfilter_conntrack API
58  */
59 
60 /* high level API */
61 
62 #include <sys/types.h>
63 
/* conntrack object — opaque; allocate with nfct_new(), free with
 * nfct_destroy(), and read/write fields only through the nfct_*_attr*()
 * accessors declared further down. */
struct nf_conntrack;
66 
67 /* conntrack attributes */
/* conntrack attributes
 *
 * Keys taken by the nfct_set_attr*() / nfct_get_attr*() / nfct_attr_is_set()
 * / nfct_attr_unset() accessors declared below. The trailing comment on each
 * enumerator records the width of the value stored under that key; the
 * explicit "= N" on every fourth entry pins the numbering so it cannot drift
 * when entries are edited (the values are part of the library ABI). The
 * ATTR_IPV4_SRC-style names are aliases of the ORIG_ entries, not distinct
 * keys. ATTR_MAX is one past the last valid key and is not a key itself.
 */
enum nf_conntrack_attr {
	ATTR_ORIG_IPV4_SRC = 0,			/* u32 bits */
	ATTR_IPV4_SRC = ATTR_ORIG_IPV4_SRC,	/* alias */
	ATTR_ORIG_IPV4_DST,			/* u32 bits */
	ATTR_IPV4_DST = ATTR_ORIG_IPV4_DST,	/* alias */
	ATTR_REPL_IPV4_SRC,			/* u32 bits */
	ATTR_REPL_IPV4_DST,			/* u32 bits */
	ATTR_ORIG_IPV6_SRC = 4,			/* u128 bits */
	ATTR_IPV6_SRC = ATTR_ORIG_IPV6_SRC,	/* alias */
	ATTR_ORIG_IPV6_DST,			/* u128 bits */
	ATTR_IPV6_DST = ATTR_ORIG_IPV6_DST,	/* alias */
	ATTR_REPL_IPV6_SRC,			/* u128 bits */
	ATTR_REPL_IPV6_DST,			/* u128 bits */
	ATTR_ORIG_PORT_SRC = 8,			/* u16 bits */
	ATTR_PORT_SRC = ATTR_ORIG_PORT_SRC,	/* alias */
	ATTR_ORIG_PORT_DST,			/* u16 bits */
	ATTR_PORT_DST = ATTR_ORIG_PORT_DST,	/* alias */
	ATTR_REPL_PORT_SRC,			/* u16 bits */
	ATTR_REPL_PORT_DST,			/* u16 bits */
	ATTR_ICMP_TYPE = 12,			/* u8 bits */
	ATTR_ICMP_CODE,				/* u8 bits */
	ATTR_ICMP_ID,				/* u16 bits */
	ATTR_ORIG_L3PROTO,			/* u8 bits */
	ATTR_L3PROTO = ATTR_ORIG_L3PROTO,	/* alias */
	ATTR_REPL_L3PROTO = 16,			/* u8 bits */
	ATTR_ORIG_L4PROTO,			/* u8 bits */
	ATTR_L4PROTO = ATTR_ORIG_L4PROTO,	/* alias */
	ATTR_REPL_L4PROTO,			/* u8 bits */
	ATTR_TCP_STATE,				/* u8 bits */
	ATTR_SNAT_IPV4 = 20,			/* u32 bits */
	ATTR_DNAT_IPV4,				/* u32 bits */
	ATTR_SNAT_PORT,				/* u16 bits */
	ATTR_DNAT_PORT,				/* u16 bits */
	ATTR_TIMEOUT = 24,			/* u32 bits */
	ATTR_MARK,				/* u32 bits */
	ATTR_ORIG_COUNTER_PACKETS,		/* u64 bits */
	ATTR_REPL_COUNTER_PACKETS,		/* u64 bits */
	ATTR_ORIG_COUNTER_BYTES = 28,		/* u64 bits */
	ATTR_REPL_COUNTER_BYTES,		/* u64 bits */
	ATTR_USE,				/* u32 bits */
	ATTR_ID,				/* u32 bits */
	ATTR_STATUS = 32,			/* u32 bits; bit values: enum ip_conntrack_status below */
	ATTR_TCP_FLAGS_ORIG,			/* u8 bits; bit values: IP_CT_TCP_FLAG_* below */
	ATTR_TCP_FLAGS_REPL,			/* u8 bits */
	ATTR_TCP_MASK_ORIG,			/* u8 bits */
	ATTR_TCP_MASK_REPL = 36,		/* u8 bits */
	ATTR_MASTER_IPV4_SRC,			/* u32 bits */
	ATTR_MASTER_IPV4_DST,			/* u32 bits */
	ATTR_MASTER_IPV6_SRC,			/* u128 bits */
	ATTR_MASTER_IPV6_DST = 40,		/* u128 bits */
	ATTR_MASTER_PORT_SRC,			/* u16 bits */
	ATTR_MASTER_PORT_DST,			/* u16 bits */
	ATTR_MASTER_L3PROTO,			/* u8 bits */
	ATTR_MASTER_L4PROTO = 44,		/* u8 bits */
	ATTR_SECMARK,				/* u32 bits */
	ATTR_ORIG_NAT_SEQ_CORRECTION_POS,	/* u32 bits */
	ATTR_ORIG_NAT_SEQ_OFFSET_BEFORE,	/* u32 bits */
	ATTR_ORIG_NAT_SEQ_OFFSET_AFTER = 48,	/* u32 bits */
	ATTR_REPL_NAT_SEQ_CORRECTION_POS,	/* u32 bits */
	ATTR_REPL_NAT_SEQ_OFFSET_BEFORE,	/* u32 bits */
	ATTR_REPL_NAT_SEQ_OFFSET_AFTER,		/* u32 bits */
	ATTR_SCTP_STATE = 52,			/* u8 bits */
	ATTR_SCTP_VTAG_ORIG,			/* u32 bits */
	ATTR_SCTP_VTAG_REPL,			/* u32 bits */
	ATTR_HELPER_NAME,			/* string (30 bytes max); NOTE(review): NFCT_HELPER_NAME_MAX at the
						 * end of this header documents a 16-byte kernel limit — size and
						 * validate helper names against the smaller of the two, confirm
						 * which one the accessors enforce */
	ATTR_DCCP_STATE = 56,			/* u8 bits */
	ATTR_DCCP_ROLE,				/* u8 bits */
	ATTR_DCCP_HANDSHAKE_SEQ,		/* u64 bits */
	ATTR_TCP_WSCALE_ORIG,			/* u8 bits */
	ATTR_TCP_WSCALE_REPL = 60,		/* u8 bits */
	ATTR_ZONE,				/* u16 bits */
	ATTR_SECCTX,				/* string; no maximum length stated here */
	ATTR_TIMESTAMP_START,			/* u64 bits, linux >= 2.6.38 */
	ATTR_TIMESTAMP_STOP = 64,		/* u64 bits, linux >= 2.6.38 */
	ATTR_HELPER_INFO,			/* variable length; set with nfct_set_attr_l() which carries a length */
	ATTR_CONNLABELS,			/* variable length */
	ATTR_CONNLABELS_MASK,			/* variable length */
	ATTR_ORIG_ZONE,				/* u16 bits */
	ATTR_REPL_ZONE,				/* u16 bits */
	ATTR_SNAT_IPV6,				/* u128 bits */
	ATTR_DNAT_IPV6,				/* u128 bits */
	ATTR_MAX				/* count sentinel, not a valid key */
};
151 
152 /* conntrack attribute groups */
/* conntrack attribute groups
 *
 * Keys for nfct_set_attr_grp() / nfct_get_attr_grp() / nfct_attr_grp_is_set()
 * / nfct_attr_grp_unset(), which move several related attributes at once.
 * The trailing comment names the struct/union that the void * "value"/"data"
 * argument of those accessors must point to for that key; the caller is
 * responsible for passing an object of that exact type, as nothing in the
 * accessor signature can check it. ATTR_GRP_MAX is a count sentinel.
 */
enum nf_conntrack_attr_grp {
	ATTR_GRP_ORIG_IPV4 = 0,			/* struct nfct_attr_grp_ipv4 */
	ATTR_GRP_REPL_IPV4,			/* struct nfct_attr_grp_ipv4 */
	ATTR_GRP_ORIG_IPV6,			/* struct nfct_attr_grp_ipv6 */
	ATTR_GRP_REPL_IPV6,			/* struct nfct_attr_grp_ipv6 */
	ATTR_GRP_ORIG_PORT = 4,			/* struct nfct_attr_grp_port */
	ATTR_GRP_REPL_PORT,			/* struct nfct_attr_grp_port */
	ATTR_GRP_ICMP,				/* struct nfct_attr_grp_icmp */
	ATTR_GRP_MASTER_IPV4,			/* struct nfct_attr_grp_ipv4 */
	ATTR_GRP_MASTER_IPV6 = 8,		/* struct nfct_attr_grp_ipv6 */
	ATTR_GRP_MASTER_PORT,			/* struct nfct_attr_grp_port */
	ATTR_GRP_ORIG_COUNTERS,			/* struct nfct_attr_grp_ctrs */
	ATTR_GRP_REPL_COUNTERS,			/* struct nfct_attr_grp_ctrs */
	ATTR_GRP_ORIG_ADDR_SRC = 12,		/* union nfct_attr_grp_addr */
	ATTR_GRP_ORIG_ADDR_DST,			/* union nfct_attr_grp_addr */
	ATTR_GRP_REPL_ADDR_SRC,			/* union nfct_attr_grp_addr */
	ATTR_GRP_REPL_ADDR_DST,			/* union nfct_attr_grp_addr */
	ATTR_GRP_MAX				/* count sentinel, not a valid key */
};
172 
/* Value type for the ATTR_GRP_*_IPV4 groups: one IPv4 address per
 * direction end, each as a raw uint32_t (byte order not stated here). */
struct nfct_attr_grp_ipv4 {
	uint32_t src;		/* source address */
	uint32_t dst;		/* destination address */
};
176 
/* Value type for the ATTR_GRP_*_IPV6 groups: one 128-bit address per
 * end, stored as four uint32_t words. */
struct nfct_attr_grp_ipv6 {
	uint32_t src[4];	/* source address, 4 x 32 bits */
	uint32_t dst[4];	/* destination address, 4 x 32 bits */
};
180 
/* Value type for the ATTR_GRP_*_PORT groups: a source/destination
 * port pair, each a raw uint16_t (byte order not stated here). */
struct nfct_attr_grp_port {
	uint16_t sport;		/* source port */
	uint16_t dport;		/* destination port */
};
184 
/* Value type for ATTR_GRP_ICMP: the 16-bit id first, then the two
 * 8-bit code/type fields (field order is part of the ABI). */
struct nfct_attr_grp_icmp {
	uint16_t id;		/* ICMP id */
	uint8_t code;		/* ICMP code */
	uint8_t type;		/* ICMP type */
};
189 
/* Value type for the ATTR_GRP_*_COUNTERS groups: 64-bit packet and
 * byte counters for one direction. */
struct nfct_attr_grp_ctrs {
	uint64_t packets, bytes;
};
194 
/* Value type for the ATTR_GRP_*_ADDR_* groups: an address of either
 * family in one 16-byte union. "ip" overlays the first word of "ip6";
 * "addr" is a family-neutral view of the same four words. The caller
 * must know the L3 protocol (ATTR_*_L3PROTO) to pick the right member. */
union nfct_attr_grp_addr {
	uint32_t ip;		/* IPv4 address */
	uint32_t ip6[4];	/* IPv6 address as four 32-bit words */
	uint32_t addr[4];	/* raw view, same storage as ip6 */
};
200 
/* message type
 *
 * Each kind is given as a bit index (*_BIT) and the corresponding mask
 * (1 << *_BIT); the masks can be OR-ed, as NFCT_T_ALL shows, so a single
 * value can select several kinds when registering a callback. Note that
 * NFCT_T_UNKNOWN and NFCT_T_NEW_BIT are both 0: the former is a mask with
 * no bit set, the latter is a bit index.
 */
enum nf_conntrack_msg_type {
	NFCT_T_UNKNOWN = 0,

	NFCT_T_NEW_BIT = 0,
	NFCT_T_NEW = (1 << NFCT_T_NEW_BIT),

	NFCT_T_UPDATE_BIT = 1,
	NFCT_T_UPDATE = (1 << NFCT_T_UPDATE_BIT),

	NFCT_T_DESTROY_BIT = 2,
	NFCT_T_DESTROY = (1 << NFCT_T_DESTROY_BIT),

	NFCT_T_ALL = NFCT_T_NEW | NFCT_T_UPDATE | NFCT_T_DESTROY,

	NFCT_T_ERROR_BIT = 31,
	/* NOTE(review): 1 << 31 is not representable in int, so this shift is
	 * formally undefined behaviour (C11 6.5.7p4); in practice compilers
	 * typically produce INT_MIN / 0x80000000. Left unchanged because the
	 * value is part of the public ABI. */
	NFCT_T_ERROR = (1 << NFCT_T_ERROR_BIT),
};
219 
/* constructor / destructor
 *
 * nfct_new() allocates a fresh conntrack object (error return convention
 * not stated here — presumably NULL, confirm); nfct_destroy() releases one.
 */
extern struct nf_conntrack *nfct_new(void);
extern void nfct_destroy(struct nf_conntrack *ct);

/* clone: builds a new object from ct, which is const and thus left
 * untouched. The result is a separate object, so presumably the caller
 * owns it and releases it with nfct_destroy() — confirm. (Declared
 * without "extern", unlike its neighbours; the linkage is the same.) */
struct nf_conntrack *nfct_clone(const struct nf_conntrack *ct);

/* object size — marked deprecated: the compiler warns on every use */
extern __attribute__((deprecated)) size_t nfct_sizeof(const struct nf_conntrack *ct);

/* maximum object size — marked deprecated, as above */
extern __attribute__((deprecated)) size_t nfct_maxsize(void);
232 
/* set option
 *
 * Presumably the values accepted by the "option" argument of
 * nfct_setobjopt() below (that argument is a plain unsigned int, so the
 * compiler cannot check it). __NFCT_SOPT_MAX is a count sentinel, not an
 * option; NFCT_SOPT_MAX is the highest valid value.
 * NOTE(review): identifiers beginning with a double underscore are reserved
 * for the implementation (C11 7.1.3); kept as-is since they are exported.
 */
enum {
	NFCT_SOPT_UNDO_SNAT,
	NFCT_SOPT_UNDO_DNAT,
	NFCT_SOPT_UNDO_SPAT,
	NFCT_SOPT_UNDO_DPAT,
	NFCT_SOPT_SETUP_ORIGINAL,
	NFCT_SOPT_SETUP_REPLY,
	__NFCT_SOPT_MAX,
};
#define NFCT_SOPT_MAX (__NFCT_SOPT_MAX - 1)
244 
/* get option
 *
 * Presumably the values accepted by the "option" argument of
 * nfct_getobjopt() below (again an unchecked unsigned int). __NFCT_GOPT_MAX
 * is a count sentinel; NFCT_GOPT_MAX is the highest valid value.
 */
enum {
	NFCT_GOPT_IS_SNAT,
	NFCT_GOPT_IS_DNAT,
	NFCT_GOPT_IS_SPAT,
	NFCT_GOPT_IS_DPAT,
	__NFCT_GOPT_MAX,
};
#define NFCT_GOPT_MAX (__NFCT_GOPT_MAX - 1)
254 
/* Object options: nfct_setobjopt() applies an NFCT_SOPT_* option to ct
 * (it may modify ct); nfct_getobjopt() queries an NFCT_GOPT_* option on a
 * const ct. "option" is an unchecked unsigned int — pass only values
 * from the matching enum. Both return int; the meaning of the return
 * value is not stated in this header. */
extern int nfct_setobjopt(struct nf_conntrack *ct, unsigned int option);
extern int nfct_getobjopt(const struct nf_conntrack *ct, unsigned int option);

/* register / unregister callback
 *
 * Installs cb on handle h for the message kinds selected by "type" (an
 * nf_conntrack_msg_type mask). cb receives the message kind, the parsed
 * conntrack object and the caller's opaque "data" pointer, and returns
 * one of the NFCT_CB_* verdicts declared below. The callback's "ct"
 * parameter is non-const, so cb may modify the object it is handed.
 * nfct_callback_unregister() removes whatever callback is installed on h.
 */

extern int nfct_callback_register(struct nfct_handle *h,
				  enum nf_conntrack_msg_type type,
				  int (*cb)(enum nf_conntrack_msg_type type,
				  	    struct nf_conntrack *ct,
					    void *data),
				  void *data);

extern void nfct_callback_unregister(struct nfct_handle *h);

/* register / unregister callback: extended version including netlink header
 *
 * Same contract as above, except cb additionally receives the raw netlink
 * message header (const) that the object was parsed from.
 */

extern int nfct_callback_register2(struct nfct_handle *h,
				   enum nf_conntrack_msg_type type,
				   int (*cb)(const struct nlmsghdr *nlh,
				   	     enum nf_conntrack_msg_type type,
				  	     struct nf_conntrack *ct,
					     void *data),
				   void *data);

extern void nfct_callback_unregister2(struct nfct_handle *h);
280 
/* callback verdict
 *
 * Return values for the callbacks installed by nfct_callback_register*()
 * and nfexp_callback_register*(). NFCT_CB_STOLEN transfers ownership of
 * the object to the callback: the library will not free it, so the
 * callback must eventually call nfct_destroy()/nfexp_destroy() itself or
 * the object leaks.
 */
enum {
	NFCT_CB_FAILURE = -1,   /* failure */
	NFCT_CB_STOP = 0,       /* stop the query */
	NFCT_CB_CONTINUE = 1,   /* keep iterating through data */
	NFCT_CB_STOLEN = 2,     /* like continue, but ct is not freed */
};
288 
/* bitmask setter/getter
 *
 * Opaque, heap-managed bit set. nfct_bitmask_new(maxbit) sizes it for
 * bits 0..maxbit; nfct_bitmask_maxbit() reads that bound back. The
 * set/test/unset operations take a bit index — the header does not say
 * whether an index above maxbit is rejected, so callers should range
 * check against nfct_bitmask_maxbit() themselves (TODO confirm). Clone
 * returns a new object that must be freed with nfct_bitmask_destroy().
 * Query functions take the bitmask as const; mutators do not.
 */
struct nfct_bitmask;

struct nfct_bitmask *nfct_bitmask_new(unsigned int maxbit);
struct nfct_bitmask *nfct_bitmask_clone(const struct nfct_bitmask *);
unsigned int nfct_bitmask_maxbit(const struct nfct_bitmask *);

void nfct_bitmask_set_bit(struct nfct_bitmask *, unsigned int bit);
int nfct_bitmask_test_bit(const struct nfct_bitmask *, unsigned int bit);
void nfct_bitmask_unset_bit(struct nfct_bitmask *, unsigned int bit);
void nfct_bitmask_destroy(struct nfct_bitmask *);
void nfct_bitmask_clear(struct nfct_bitmask *);
bool nfct_bitmask_equal(const struct nfct_bitmask *, const struct nfct_bitmask *);

/* connlabel name <-> bit translation mapping
 *
 * nfct_labelmap_new(mapfile) builds the mapping from a file; passing a
 * path here means the caller controls which file is parsed, so the path
 * should come from a trusted source. nfct_labels_get_path() returns the
 * library's default path (ownership of the returned string not stated —
 * presumably static, do not free; confirm). Lookups go both ways:
 * bit -> name (nfct_labelmap_get_name, const char * result) and
 * name -> bit (nfct_labelmap_get_bit, int result, error value not stated).
 */
struct nfct_labelmap;

const char *nfct_labels_get_path(void);
struct nfct_labelmap *nfct_labelmap_new(const char *mapfile);
void nfct_labelmap_destroy(struct nfct_labelmap *map);
const char *nfct_labelmap_get_name(struct nfct_labelmap *m, unsigned int bit);
int nfct_labelmap_get_bit(struct nfct_labelmap *m, const char *name);
311 
/* setter
 *
 * Store a value under attribute "type" in ct. The typed variants take
 * the value by width (u8/u16/u32/u64) and should be matched to the width
 * noted in enum nf_conntrack_attr. nfct_set_attr() takes an untyped
 * pointer: the library must infer how many bytes to read from "type", so
 * passing a wrong-sized object for the key is a memory-safety bug on the
 * caller's side. nfct_set_attr_l() is the only form that carries an
 * explicit length and is the one to use for the "variable length" keys.
 * None of these report errors (void return).
 */
extern void nfct_set_attr(struct nf_conntrack *ct,
			  const enum nf_conntrack_attr type,
			  const void *value);

extern void nfct_set_attr_u8(struct nf_conntrack *ct,
			     const enum nf_conntrack_attr type,
			     uint8_t value);

extern void nfct_set_attr_u16(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr type,
			      uint16_t value);

extern void nfct_set_attr_u32(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr type,
			      uint32_t value);

extern void nfct_set_attr_u64(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr type,
			      uint64_t value);

extern void nfct_set_attr_l(struct nf_conntrack *ct,
			    const enum nf_conntrack_attr type,
			    const void *value,
			    size_t len);
337 
/* getter
 *
 * Read the value stored under "type" in ct (ct is const: getters never
 * modify it). nfct_get_attr() returns a const pointer into the object —
 * the header does not state its lifetime, so treat it as valid only while
 * ct is (TODO confirm) and check nfct_attr_is_set() first, since the
 * behaviour for an unset attribute is not stated here. The typed variants
 * return the value by width; use the width noted in enum nf_conntrack_attr.
 */
extern const void *nfct_get_attr(const struct nf_conntrack *ct,
				 const enum nf_conntrack_attr type);

extern uint8_t nfct_get_attr_u8(const struct nf_conntrack *ct,
				 const enum nf_conntrack_attr type);

extern uint16_t nfct_get_attr_u16(const struct nf_conntrack *ct,
				   const enum nf_conntrack_attr type);

extern uint32_t nfct_get_attr_u32(const struct nf_conntrack *ct,
				   const enum nf_conntrack_attr type);

extern uint64_t nfct_get_attr_u64(const struct nf_conntrack *ct,
				   const enum nf_conntrack_attr type);
353 
/* checker
 *
 * nfct_attr_is_set() reports whether "type" is set in ct. The array form
 * checks each of the "size" keys in type_array; note that "size" is a
 * signed int, not size_t, so callers should not pass a negative or
 * unchecked length. Return convention is int — presumably 1/0 with a
 * negative value on error, confirm against the implementation.
 */
extern int nfct_attr_is_set(const struct nf_conntrack *ct,
			    const enum nf_conntrack_attr type);

extern int nfct_attr_is_set_array(const struct nf_conntrack *ct,
				  const enum nf_conntrack_attr *type_array,
				  int size);

/* unsetter: clears attribute "type" in ct; returns int (meaning not
 * stated here). */
extern int nfct_attr_unset(struct nf_conntrack *ct,
			   const enum nf_conntrack_attr type);
365 
/* group setter
 *
 * Stores a whole attribute group at once. "value" must point to the
 * struct/union named for "type" in enum nf_conntrack_attr_grp; the
 * signature cannot enforce this, so a mismatched object is read out of
 * bounds. No error return (void).
 */
extern void nfct_set_attr_grp(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr_grp type,
			      const void *value);
/* group getter
 *
 * Copies the group "type" out of ct into the caller-provided object at
 * "data", which must be of the struct/union type listed for that key.
 * Returns int (meaning not stated here).
 */
extern int nfct_get_attr_grp(const struct nf_conntrack *ct,
			     const enum nf_conntrack_attr_grp type,
			     void *data);

/* group checker: whether every attribute in group "type" is present —
 * presumably, confirm; returns int. */
extern int nfct_attr_grp_is_set(const struct nf_conntrack *ct,
				const enum nf_conntrack_attr_grp type);

/* unsetter: clears the whole group "type" in ct; returns int. */
extern int nfct_attr_grp_unset(struct nf_conntrack *ct,
			       const enum nf_conntrack_attr_grp type);
382 
383 /* print */
384 
/* output type
 *
 * Values for the out_type argument of nfct_snprintf*() / nfexp_snprintf().
 * NFCT_O_DEFAULT is an alias for the plain-text format; NFCT_O_MAX is a
 * count sentinel, not a format.
 */
enum {
	NFCT_O_PLAIN,
	NFCT_O_DEFAULT = NFCT_O_PLAIN,
	NFCT_O_XML,
	NFCT_O_MAX
};
392 
/* output flags
 *
 * Bit masks for the out_flags argument of nfct_snprintf*() /
 * nfexp_snprintf(); each is given as a bit index (*_BIT) plus the
 * corresponding mask so several can be OR-ed together.
 */
enum {
	NFCT_OF_SHOW_LAYER3_BIT = 0,
	NFCT_OF_SHOW_LAYER3 = (1 << NFCT_OF_SHOW_LAYER3_BIT),

	NFCT_OF_TIME_BIT = 1,
	NFCT_OF_TIME = (1 << NFCT_OF_TIME_BIT),

	NFCT_OF_ID_BIT = 2,
	NFCT_OF_ID = (1 << NFCT_OF_ID_BIT),

	NFCT_OF_TIMESTAMP_BIT = 3,
	NFCT_OF_TIMESTAMP = (1 << NFCT_OF_TIMESTAMP_BIT),
};
407 
/*
 * Format ct into buf, writing at most "size" bytes. msg_type is an
 * nf_conntrack_msg_type value, out_type an NFCT_O_* value and out_flags an
 * NFCT_OF_* mask. The return value is an int; whether it follows the C
 * snprintf() convention (length that would have been written, possibly
 * >= size) is not stated in this header — callers should not index buf
 * with the return value without checking it against size (TODO confirm).
 * "size" is unsigned int rather than size_t, so very large buffers are
 * silently truncated in the argument conversion.
 */
extern int nfct_snprintf(char *buf,
			 unsigned int size,
			 const struct nf_conntrack *ct,
			 const unsigned int msg_type,
			 const unsigned int out_type,
			 const unsigned int out_flags);

/*
 * Same as nfct_snprintf(), additionally given a labelmap so that
 * connlabel bits can be rendered by name (map is non-const but is not
 * stated to be modified — confirm).
 */
extern int nfct_snprintf_labels(char *buf,
				unsigned int size,
				const struct nf_conntrack *ct,
				const unsigned int msg_type,
				const unsigned int out_type,
				const unsigned int out_flags,
				struct nfct_labelmap *map);

/* comparison
 *
 * Compares two conntrack objects; neither is modified. The return
 * convention is not stated here (see nfct_cmp() below for the flag-driven
 * variant).
 */
extern int nfct_compare(const struct nf_conntrack *ct1,
			const struct nf_conntrack *ct2);
426 
/*
 * Flags for nfct_cmp(). NFCT_CMP_ALL is 0, i.e. no flag set. The
 * TIMEOUT_GE / TIMEOUT_LE values are ORs of the EQ bit with the GT / LT
 * bit respectively, so testing a flags word for NFCT_CMP_TIMEOUT_EQ also
 * matches GE and LE.
 */
enum {
	NFCT_CMP_ALL = 0,
	NFCT_CMP_ORIG = (1 << 0),
	NFCT_CMP_REPL = (1 << 1),
	NFCT_CMP_TIMEOUT_EQ = (1 << 2),
	NFCT_CMP_TIMEOUT_GT = (1 << 3),
	NFCT_CMP_TIMEOUT_GE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_GT),
	NFCT_CMP_TIMEOUT_LT = (1 << 4),
	NFCT_CMP_TIMEOUT_LE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_LT),
	NFCT_CMP_MASK = (1 << 5),
	NFCT_CMP_STRICT = (1 << 6),
};
439 
/* Flag-driven comparison of ct1 and ct2 (both const); "flags" is an
 * NFCT_CMP_* mask selecting which parts are compared. Return convention
 * not stated here. */
extern int nfct_cmp(const struct nf_conntrack *ct1,
		    const struct nf_conntrack *ct2,
		    unsigned int flags);
443 
444 
/* query
 *
 * Operations accepted by nfct_query()/nfct_send() and nfexp_query()/
 * nfexp_send(). The "data" argument of those calls is a const void *
 * whose expected type depends on the query — which type goes with which
 * query is not stated in this header (TODO document per query). Values
 * are implicit (0..9) and appended in order, so new queries must only be
 * added at the end to keep the ABI.
 */
enum nf_conntrack_query {
	NFCT_Q_CREATE,
	NFCT_Q_UPDATE,
	NFCT_Q_DESTROY,
	NFCT_Q_GET,
	NFCT_Q_FLUSH,
	NFCT_Q_DUMP,
	NFCT_Q_DUMP_RESET,
	NFCT_Q_CREATE_UPDATE,
	NFCT_Q_DUMP_FILTER,
	NFCT_Q_DUMP_FILTER_RESET,
};
458 
/* Issue "query" on handle h with the query-specific object "data"
 * (const; not modified). nfct_query() and nfct_send() have the same
 * signature; by their names nfct_send() presumably only transmits while
 * nfct_query() also waits for and dispatches the reply — confirm. All
 * three return int (error convention not stated here). */
extern int nfct_query(struct nfct_handle *h,
		      const enum nf_conntrack_query query,
		      const void *data);

extern int nfct_send(struct nfct_handle *h,
		     const enum nf_conntrack_query query,
		     const void *data);

/* Receive on h and hand messages to the callback registered with
 * nfct_callback_register*() — presumably, confirm. Returns int. */
extern int nfct_catch(struct nfct_handle *h);
468 
/* copy
 *
 * Flags for nfct_copy(). NFCT_CP_ALL is 0 (no flag); ORIG/REPL/META
 * select which parts are copied and NFCT_CP_OVERRIDE is a modifier —
 * its exact effect is not stated here, presumably whether attributes
 * already set in dest are overwritten (confirm).
 */
enum {
	NFCT_CP_ALL = 0,
	NFCT_CP_ORIG = (1 << 0),
	NFCT_CP_REPL = (1 << 1),
	NFCT_CP_META = (1 << 2),
	NFCT_CP_OVERRIDE = (1 << 3),
};
477 
/* Copy attributes from source (const) into dest, selected by an NFCT_CP_*
 * flags mask. No error return (void). */
extern void nfct_copy(struct nf_conntrack *dest,
		      const struct nf_conntrack *source,
		      unsigned int flags);

/* Copy the single attribute "type" from ct2 (const) into ct1. Note the
 * argument order: destination first, source second, as in nfct_copy(). */
extern void nfct_copy_attr(struct nf_conntrack *ct1,
			   const struct nf_conntrack *ct2,
			   const enum nf_conntrack_attr type);
485 
/* event filtering
 *
 * Opaque filter object: built with nfct_filter_create(), populated with
 * nfct_filter_add_attr*() / nfct_filter_set_logic(), applied to a socket
 * descriptor with nfct_filter_attach() and released with
 * nfct_filter_destroy(). Error return of nfct_filter_create() is not
 * stated here (presumably NULL, confirm).
 */

struct nfct_filter;

extern struct nfct_filter *nfct_filter_create(void);
extern void nfct_filter_destroy(struct nfct_filter *filter);
492 
/* Value for NFCT_FILTER_L4PROTO_STATE: an L4 protocol number paired
 * with a protocol state value. */
struct nfct_filter_proto {
	uint16_t proto, state;
};
/* Value for NFCT_FILTER_SRC_IPV4 / NFCT_FILTER_DST_IPV4: an address and
 * the mask it is matched under. */
struct nfct_filter_ipv4 {
	uint32_t addr, mask;
};
/* Value for NFCT_FILTER_SRC_IPV6 / NFCT_FILTER_DST_IPV6: a 128-bit
 * address and mask, each as four 32-bit words. */
struct nfct_filter_ipv6 {
	uint32_t addr[4], mask[4];
};
505 
/*
 * Keys for nfct_filter_add_attr*() and nfct_filter_set_logic(). The
 * trailing comment names the type the void * "value" must point to for
 * that key (only NFCT_FILTER_L4PROTO fits the u32 convenience setter).
 * NOTE(review): NFCT_FILTER_MARK refers to struct nfct_filter_dump_mark,
 * which is declared further down in the "dump filtering" section.
 * NFCT_FILTER_MAX is a count sentinel.
 */
enum nfct_filter_attr {
	NFCT_FILTER_L4PROTO = 0,	/* uint32_t */
	NFCT_FILTER_L4PROTO_STATE,	/* struct nfct_filter_proto */
	NFCT_FILTER_SRC_IPV4,		/* struct nfct_filter_ipv4 */
	NFCT_FILTER_DST_IPV4,		/* struct nfct_filter_ipv4 */
	NFCT_FILTER_SRC_IPV6,		/* struct nfct_filter_ipv6 */
	NFCT_FILTER_DST_IPV6,		/* struct nfct_filter_ipv6 */
	NFCT_FILTER_MARK,		/* struct nfct_filter_dump_mark */
	NFCT_FILTER_MAX
};
516 
/* Add a match for "attr" to filter. "value" must point to the type
 * listed for attr in enum nfct_filter_attr; the untyped pointer cannot
 * be checked, so a mismatch is an out-of-bounds read. The u32 variant
 * passes the value directly and only fits the uint32_t-typed key(s).
 * Neither reports errors (void). */
extern void nfct_filter_add_attr(struct nfct_filter *filter,
				 const enum nfct_filter_attr attr,
				 const void *value);

extern void nfct_filter_add_attr_u32(struct nfct_filter *filter,
				     const enum nfct_filter_attr attr,
				     const uint32_t value);
524 
/*
 * Polarity for one filter attribute, set with nfct_filter_set_logic():
 * POSITIVE and NEGATIVE are the two choices; NFCT_FILTER_LOGIC_MAX is a
 * count sentinel, not a valid logic.
 */
enum nfct_filter_logic {
	NFCT_FILTER_LOGIC_POSITIVE,
	NFCT_FILTER_LOGIC_NEGATIVE,
	NFCT_FILTER_LOGIC_MAX
};
530 
/* Set whether the matches added for "attr" are positive or negated.
 * Returns int (error convention not stated here). */
extern int nfct_filter_set_logic(struct nfct_filter *filter,
				 const enum nfct_filter_attr attr,
				 const enum nfct_filter_logic logic);

/* Attach filter to / detach from the socket descriptor fd (e.g. the one
 * from nfct_fd()). The mechanism is not stated in this header —
 * presumably a socket filter installed on fd, confirm. Filtering at this
 * level reduces what userspace has to parse; the filter is not modified
 * through the "filter" argument is not guaranteed (it is non-const).
 * Both return int. */
extern int nfct_filter_attach(int fd, struct nfct_filter *filter);
extern int nfct_filter_detach(int fd);
537 
/* dump filtering
 *
 * Opaque object describing a kernel-side filter for NFCT_Q_DUMP_FILTER /
 * NFCT_Q_DUMP_FILTER_RESET; managed by the nfct_filter_dump_*() calls
 * declared after the enum below.
 */

struct nfct_filter_dump;
541 
/* Value for NFCT_FILTER_DUMP_MARK (and NFCT_FILTER_MARK): a mark value
 * together with the mask it is compared under. */
struct nfct_filter_dump_mark {
	uint32_t val, mask;
};
546 
/*
 * Keys for nfct_filter_dump_set_attr*(). The trailing comment names the
 * type the "data" argument must point to (or, for the u8 setter, carry).
 * NFCT_FILTER_DUMP_MAX is a count sentinel.
 */
enum nfct_filter_dump_attr {
	NFCT_FILTER_DUMP_MARK = 0,	/* struct nfct_filter_dump_mark */
	NFCT_FILTER_DUMP_L3NUM,		/* uint8_t */
	NFCT_FILTER_DUMP_MAX
};
552 
/* Allocate an empty dump filter (error return not stated here —
 * presumably NULL, confirm). Release with nfct_filter_dump_destroy(). */
struct nfct_filter_dump *nfct_filter_dump_create(void);

void nfct_filter_dump_destroy(struct nfct_filter_dump *filter);

/* Set attribute "type" on filter_dump. The generic form takes an untyped
 * pointer that must reference the type listed in enum
 * nfct_filter_dump_attr; the u8 form carries the value directly and fits
 * the uint8_t-typed key. No error return (void). */
void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump,
			       const enum nfct_filter_dump_attr type,
			       const void *data);

void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump,
				  const enum nfct_filter_dump_attr type,
				  uint8_t data);
564 
/* low level API: netlink functions
 *
 * All three are marked deprecated (the compiler warns on use); the
 * replacements are nfct_nlmsg_build() / nfct_nlmsg_parse() below.
 */

/* Serialise ct into the caller's request buffer "req" of "size" bytes,
 * with the given netlink message type and flags. Deprecated. */
extern __attribute__((deprecated)) int
nfct_build_conntrack(struct nfnl_subsys_handle *ssh,
				void *req,
				size_t size,
				uint16_t type,
				uint16_t flags,
				const struct nf_conntrack *ct);

/* Fill ct from the netlink message at nlh (const; not modified).
 * Deprecated. */
extern __attribute__((deprecated))
int nfct_parse_conntrack(enum nf_conntrack_msg_type msg,
				const struct nlmsghdr *nlh,
				struct nf_conntrack *ct);

/* Build the request for "query" (with its query-specific "data") into
 * "req" of "size" bytes. Note "size" is unsigned int here, whereas
 * nfct_build_conntrack() takes size_t. Deprecated. */
extern __attribute__((deprecated))
int nfct_build_query(struct nfnl_subsys_handle *ssh,
			    const enum nf_conntrack_query query,
			    const void *data,
			    void *req,
			    unsigned int size);
586 
/* New low level API: netlink functions
 *
 * nfct_nlmsg_build() appends ct's attributes to the netlink message at
 * nlh (which the caller has already sized; no length argument is taken,
 * so the caller's buffer must be large enough — TODO confirm the
 * required size). nfct_nlmsg_parse() fills ct from a complete message.
 * nfct_payload_parse() parses a bare attribute payload of payload_len
 * bytes for address family l3num; the explicit length is the only bound
 * the parser has, so callers must pass the true length of the buffer.
 * All return int (error convention not stated here).
 */

extern int nfct_nlmsg_build(struct nlmsghdr *nlh, const struct nf_conntrack *ct);
extern int nfct_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_conntrack *ct);
extern int nfct_payload_parse(const void *payload, size_t payload_len, uint16_t l3num, struct nf_conntrack *ct);
592 
593 /*
594  * NEW expectation API
595  */
596 
/* expectation object — opaque; allocate with nfexp_new(), free with
 * nfexp_destroy(), access fields through the nfexp_*_attr*() calls. */
struct nf_expect;
599 
/* expect attributes
 *
 * Keys for nfexp_set_attr*() / nfexp_get_attr*(). The trailing comment
 * gives the width or type of the stored value. The "pointer to conntrack
 * object" keys hold a struct nf_conntrack *; the header does not say
 * whether the expectation copies or merely references that object, so
 * treat its lifetime as tied to the expectation until confirmed.
 * ATTR_EXP_MAX is a count sentinel.
 */
enum nf_expect_attr {
	ATTR_EXP_MASTER = 0,	/* pointer to conntrack object */
	ATTR_EXP_EXPECTED,	/* pointer to conntrack object */
	ATTR_EXP_MASK,		/* pointer to conntrack object */
	ATTR_EXP_TIMEOUT,	/* u32 bits */
	ATTR_EXP_ZONE,		/* u16 bits */
	ATTR_EXP_FLAGS,		/* u32 bits; bit values: NF_CT_EXPECT_* below */
	ATTR_EXP_HELPER_NAME,	/* string (16 bytes max) */
	ATTR_EXP_CLASS,		/* u32 bits */
	ATTR_EXP_NAT_TUPLE,	/* pointer to conntrack object */
	ATTR_EXP_NAT_DIR,	/* u8 bits */
	ATTR_EXP_FN,		/* string; no maximum length stated here */
	ATTR_EXP_MAX		/* count sentinel, not a valid key */
};
615 
/* constructor / destructor
 *
 * nfexp_new() allocates a fresh expectation (error return not stated —
 * presumably NULL, confirm); nfexp_destroy() releases one.
 */
extern struct nf_expect *nfexp_new(void);
extern void nfexp_destroy(struct nf_expect *exp);

/* clone: new object built from exp (const, untouched); presumably owned
 * by the caller and freed with nfexp_destroy() — confirm. */
extern struct nf_expect *nfexp_clone(const struct nf_expect *exp);

/* object size (not deprecated, unlike nfct_sizeof()) */
extern size_t nfexp_sizeof(const struct nf_expect *exp);

/* maximum object size (not deprecated, unlike nfct_maxsize()) */
extern size_t nfexp_maxsize(void);
628 
/* register / unregister callback
 *
 * Expectation counterpart of nfct_callback_register(): installs cb on h
 * for the message kinds in "type" (an nf_conntrack_msg_type mask); cb
 * receives the kind, the parsed expectation (non-const, so cb may modify
 * it) and the caller's "data", and returns an NFCT_CB_* verdict.
 */

extern int nfexp_callback_register(struct nfct_handle *h,
				   enum nf_conntrack_msg_type type,
				   int (*cb)(enum nf_conntrack_msg_type type,
				  	     struct nf_expect *exp,
					     void *data),
				   void *data);

extern void nfexp_callback_unregister(struct nfct_handle *h);

/* register / unregister callback: extended version including netlink header
 * (cb additionally gets the const netlink header the object came from) */
extern int nfexp_callback_register2(struct nfct_handle *h,
				    enum nf_conntrack_msg_type type,
				    int (*cb)(const struct nlmsghdr *nlh,
				    	      enum nf_conntrack_msg_type type,
					      struct nf_expect *exp,
					      void *data),
				    void *data);

extern void nfexp_callback_unregister2(struct nfct_handle *h);
650 
/* setter
 *
 * Store a value under "type" in exp. The untyped nfexp_set_attr() relies
 * on "type" to know how much to read from "value", so the pointed-to
 * object must match the width/type listed in enum nf_expect_attr. The
 * u8/u16/u32 variants take the value by width; there is no u64 or
 * length-carrying variant for expectations. No error return (void).
 */
extern void nfexp_set_attr(struct nf_expect *exp,
			   const enum nf_expect_attr type,
			   const void *value);

extern void nfexp_set_attr_u8(struct nf_expect *exp,
			      const enum nf_expect_attr type,
			      uint8_t value);

extern void nfexp_set_attr_u16(struct nf_expect *exp,
			       const enum nf_expect_attr type,
			       uint16_t value);

extern void nfexp_set_attr_u32(struct nf_expect *exp,
			       const enum nf_expect_attr type,
			       uint32_t value);
667 
/* getter
 *
 * Read the value under "type" from exp (const). nfexp_get_attr() returns
 * a const pointer into the object — lifetime not stated, treat as valid
 * only while exp is (TODO confirm) — and callers should check
 * nfexp_attr_is_set() first, since the unset case is not specified here.
 */
extern const void *nfexp_get_attr(const struct nf_expect *exp,
				  const enum nf_expect_attr type);

extern uint8_t nfexp_get_attr_u8(const struct nf_expect *exp,
				  const enum nf_expect_attr type);

extern uint16_t nfexp_get_attr_u16(const struct nf_expect *exp,
				    const enum nf_expect_attr type);

extern uint32_t nfexp_get_attr_u32(const struct nf_expect *exp,
				    const enum nf_expect_attr type);
680 
/* checker: whether "type" is set in exp; returns int (presumably 1/0,
 * confirm). */
extern int nfexp_attr_is_set(const struct nf_expect *exp,
			     const enum nf_expect_attr type);

/* unsetter: clears "type" in exp; returns int (meaning not stated). */
extern int nfexp_attr_unset(struct nf_expect *exp,
			    const enum nf_expect_attr type);

/* query: issue "qt" on h with query-specific "data" (const). The same
 * enum nf_conntrack_query is used as for conntrack queries; which of its
 * values apply to expectations is not stated here. Returns int. */
extern int nfexp_query(struct nfct_handle *h,
		       const enum nf_conntrack_query qt,
		       const void *data);
693 
/* print
 *
 * Format exp into buf, at most "size" bytes (unsigned int, not size_t).
 * msg_type / out_type / out_flags follow the same conventions as
 * nfct_snprintf(). Whether the int result follows the C snprintf()
 * convention is not stated here; check it against size before using it
 * as an index (TODO confirm).
 */
extern int nfexp_snprintf(char *buf,
			  unsigned int size,
			  const struct nf_expect *exp,
			  const unsigned int msg_type,
			  const unsigned int out_type,
			  const unsigned int out_flags);

/* compare: exp1 vs exp2 (both const) under a "flags" mask. Which flag
 * set applies is not stated here (the NFCT_CMP_* values are the only
 * comparison flags declared in this header). Return convention not
 * stated. */
extern int nfexp_cmp(const struct nf_expect *exp1,
		     const struct nf_expect *exp2,
		     unsigned int flags);

/* Transmit-only variant of nfexp_query() (by name; confirm) and the
 * receive loop that dispatches to the nfexp callbacks (by name; confirm).
 * Both return int. */
extern int nfexp_send(struct nfct_handle *h,
		      const enum nf_conntrack_query qt,
		      const void *data);

extern int nfexp_catch(struct nfct_handle *h);
712 
/* low level API
 *
 * Deprecated expectation counterparts of nfct_build_conntrack() /
 * nfct_parse_conntrack() / nfct_build_query(); the compiler warns on use.
 * Replacements: nfexp_nlmsg_build() / nfexp_nlmsg_parse() below.
 */
extern __attribute__((deprecated))
int nfexp_build_expect(struct nfnl_subsys_handle *ssh,
			      void *req,
			      size_t size,
			      uint16_t type,
			      uint16_t flags,
			      const struct nf_expect *exp);

extern __attribute__((deprecated))
int nfexp_parse_expect(enum nf_conntrack_msg_type type,
			      const struct nlmsghdr *nlh,
			      struct nf_expect *exp);

/* Note the output parameter is named "buffer" here and "req" in
 * nfct_build_query(); "size" is unsigned int in both. */
extern __attribute__((deprecated))
int nfexp_build_query(struct nfnl_subsys_handle *ssh,
			     const enum nf_conntrack_query qt,
			     const void *data,
			     void *buffer,
			     unsigned int size);
733 
/* New low level API: netlink functions
 *
 * nfexp_nlmsg_build() appends exp's attributes to the netlink message at
 * nlh — no length argument, so the caller's buffer must already be big
 * enough (TODO confirm required size); nfexp_nlmsg_parse() fills exp from
 * a complete message (const nlh). Both return int. There is no payload-
 * level parser for expectations, unlike nfct_payload_parse().
 */

extern int nfexp_nlmsg_build(struct nlmsghdr *nlh, const struct nf_expect *exp);
extern int nfexp_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_expect *exp);
738 
/* Bitset representing status of connection. Taken from ip_conntrack.h
 *
 * Note: For backward compatibility this shouldn't ever change
 * 	 in kernel space.
 *
 * These are the bit values of the u32 ATTR_STATUS attribute: each flag is
 * given as a bit index (*_BIT) and as the mask (1 << *_BIT); the *_MASK
 * entries OR two related masks together. Bits 0..12 are used, so all
 * shifts here are well within int range.
 */
enum ip_conntrack_status {
	/* It's an expected connection: bit 0 set.  This bit never changed */
	IPS_EXPECTED_BIT = 0,
	IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),

	/* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
	IPS_SEEN_REPLY_BIT = 1,
	IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),

	/* Conntrack should never be early-expired. */
	IPS_ASSURED_BIT = 2,
	IPS_ASSURED = (1 << IPS_ASSURED_BIT),

	/* Connection is confirmed: originating packet has left box */
	IPS_CONFIRMED_BIT = 3,
	IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),

	/* Connection needs src nat in orig dir.  This bit never changed. */
	IPS_SRC_NAT_BIT = 4,
	IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),

	/* Connection needs dst nat in orig dir.  This bit never changed. */
	IPS_DST_NAT_BIT = 5,
	IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),

	/* Both together: IPS_SRC_NAT | IPS_DST_NAT. */
	IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),

	/* Connection needs TCP sequence adjusted. */
	IPS_SEQ_ADJUST_BIT = 6,
	IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),

	/* NAT initialization bits. */
	IPS_SRC_NAT_DONE_BIT = 7,
	IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),

	IPS_DST_NAT_DONE_BIT = 8,
	IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),

	/* Both together: IPS_SRC_NAT_DONE | IPS_DST_NAT_DONE. */
	IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),

	/* Connection is dying (removed from lists), can not be unset. */
	IPS_DYING_BIT = 9,
	IPS_DYING = (1 << IPS_DYING_BIT),

	/* Connection has fixed timeout. */
	IPS_FIXED_TIMEOUT_BIT = 10,
	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),

	/* Conntrack is a template */
	IPS_TEMPLATE_BIT = 11,
	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),

	/* Conntrack is a fake untracked entry */
	IPS_UNTRACKED_BIT = 12,
	IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
};
802 
/* expectation flags — bit values for the u32 ATTR_EXP_FLAGS attribute;
 * they are distinct bits (0x1, 0x2, 0x4) and may be OR-ed together. */
#define NF_CT_EXPECT_PERMANENT          0x1
#define NF_CT_EXPECT_INACTIVE           0x2
#define NF_CT_EXPECT_USERSPACE          0x4
807 
/*
 * TCP flags
 *
 * Bit values for the u8 ATTR_TCP_FLAGS_* and ATTR_TCP_MASK_* attributes
 * (one bit each; may be OR-ed).
 */

/* Window scaling is advertised by the sender */
#define IP_CT_TCP_FLAG_WINDOW_SCALE             0x01

/* SACK is permitted by the sender */
#define IP_CT_TCP_FLAG_SACK_PERM                0x02

/* This sender sent FIN first */
#define IP_CT_TCP_FLAG_CLOSE_INIT               0x04

/* Be liberal in window checking */
#define IP_CT_TCP_FLAG_BE_LIBERAL               0x08
823 
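/* WARNING: do not use these constants in new applications, we keep them here
 * to avoid breaking backward compatibility.
 *
 * Tuple direction indices; NFCT_DIR_MAX is the number of directions (2).
 * Its expansion is parenthesised so that a use inside a larger expression
 * (e.g. "n * NFCT_DIR_MAX") groups as a single value — the earlier
 * unparenthesised "NFCT_DIR_REPLY+1" expanded to "n * 1 + 1" there. */
#define NFCT_DIR_ORIGINAL 0
#define NFCT_DIR_REPLY 1
#define NFCT_DIR_MAX (NFCT_DIR_REPLY+1)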
829 
/* xt_helper uses a length size of 30 bytes, however, no helper name in
 * the tree has exceeded 16 bytes length. Since 2.6.29, the maximum
 * length accepted is 16 bytes, this limit is enforced during module load.
 *
 * Size helper-name buffers from this constant (and, as with any fixed
 * limit, check the length before copying); the "30 bytes max" noted on
 * ATTR_HELPER_NAME above reflects the older, larger xt_helper field. */
#define NFCT_HELPER_NAME_MAX	16
834 
835 #ifdef __cplusplus
836 }
837 #endif
838 
839 #endif	/* _LIBNETFILTER_CONNTRACK_H_ */
840