1 /*
2  * WARNING: Do *NOT* ever include this file, only for internal use!
3  * 	    Use the set/get API in order to set/get the conntrack attributes
4  */
5 
6 #ifndef _NFCT_OBJECT_H_
7 #define _NFCT_OBJECT_H_
8 
9 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
10 
11 /*
12  * nfct callback handler object
13  */
14 
15 struct nfct_handle {
16 	struct nfnl_handle		*nfnlh;
17 	struct nfnl_subsys_handle	*nfnlssh_ct;
18 	struct nfnl_subsys_handle	*nfnlssh_exp;
19 
20 	/* callback handler for the new API */
21 	struct nfnl_callback		nfnl_cb_ct;
22 	struct nfnl_callback		nfnl_cb_exp;
23 
24 	int			(*cb)(enum nf_conntrack_msg_type type,
25 				      struct nf_conntrack *ct,
26 				      void *data);
27 
28 	/* This is the second version of the callback that includes
29 	 * the Netlink header. This is the result of an early design
30 	 * error, hiding Netlink details is evil. You end needing some
31 	 * internal information at some point like the Netlink PortID. */
32 	int			(*cb2)(const struct nlmsghdr *nlh,
33 				       enum nf_conntrack_msg_type type,
34 				       struct nf_conntrack *ct,
35 				       void *data);
36 
37 	int			(*expect_cb)(enum nf_conntrack_msg_type type,
38 					     struct nf_expect *exp,
39 					     void *data);
40 
41 	/* second version of the expect callback: it includes netlink header */
42 	int			(*expect_cb2)(const struct nlmsghdr *nlh,
43 					      enum nf_conntrack_msg_type type,
44 					      struct nf_expect *exp,
45 					      void *data);
46 };
47 
48 /* container used to pass data to nfnl callbacks */
49 struct __data_container {
50 	struct nfct_handle *h;
51 	enum nf_conntrack_msg_type type;
52 	void *data;
53 };
54 
55 /*
56  * conntrack object
57  */
58 
59 union __nfct_l4_src {
60 	/* Add other protocols here. */
61 	uint16_t 		all;
62 	struct {
63 		uint16_t 	port;
64 	} tcp;
65 	struct {
66 		uint16_t 	port;
67 	} udp;
68 	struct {
69 		uint16_t 	id;
70 	} icmp;
71 	struct {
72 		uint16_t 	port;
73 	} sctp;
74 	struct {
75 		uint16_t 	port;
76 	} dccp;
77 };
78 
79 union __nfct_l4_dst {
80 	/* Add other protocols here. */
81 	uint16_t 		all;
82 	struct {
83 		uint16_t 	port;
84 	} tcp;
85 	struct {
86 		uint16_t 	port;
87 	} udp;
88 	struct {
89 		uint8_t 	type, code;
90 	} icmp;
91 	struct {
92 		uint16_t 	port;
93 	} sctp;
94 	struct {
95 		uint16_t 	port;
96 	} dccp;
97 };
98 
99 union __nfct_address {
100 	uint32_t 		v4;
101 	struct in6_addr 	v6;
102 };
103 
104 struct __nfct_tuple {
105 	union __nfct_address	src;
106 	union __nfct_address 	dst;
107 
108 	uint8_t			l3protonum;
109 	uint8_t			protonum;
110 	uint16_t		zone;
111 
112 	union __nfct_l4_src	l4src;
113 	union __nfct_l4_dst	l4dst;
114 };
115 
116 #define __DIR_ORIG 		0
117 #define __DIR_REPL 		1
118 #define __DIR_MAX		__DIR_REPL+1
119 #define __DIR_MASTER 		2
120 
121 union __nfct_protoinfo {
122 	struct {
123 		uint8_t 		state;
124 		struct {
125 			uint8_t 	value;
126 			uint8_t 	mask;
127 		} flags[__DIR_MAX];
128 		uint8_t			wscale[__DIR_MAX];
129 	} tcp;
130 	struct {
131 		uint8_t 		state;
132 		uint32_t 		vtag[__DIR_MAX];
133 	} sctp;
134 	struct {
135 		uint8_t 		state;
136 		uint8_t			role;
137 		uint64_t		handshake_seq;
138 	} dccp;
139 };
140 
141 struct __nfct_counters {
142 	uint64_t 	packets;
143 	uint64_t 	bytes;
144 };
145 
146 struct __nfct_nat {
147 	union __nfct_address	min_ip, max_ip;
148 	union __nfct_l4_src 	l4min, l4max;
149 };
150 
151 struct nfct_tuple_head {
152 	struct __nfct_tuple 	orig;
153 
154 #define __NFCT_BITSET			3
155 	uint32_t               set[__NFCT_BITSET];
156 };
157 
158 struct nf_conntrack {
159 	struct nfct_tuple_head 	head;
160 	struct __nfct_tuple	repl;
161 	struct __nfct_tuple	master;
162 
163 	uint32_t 	timeout;
164 	uint32_t	mark;
165 	uint32_t	secmark;
166 	uint32_t 	status;
167 	uint32_t	use;
168 	uint32_t	id;
169 	uint16_t	zone;
170 
171 	char 		helper_name[NFCT_HELPER_NAME_MAX];
172 /* According to Eric Paris <eparis@redhat.com> this field can be up to 4096
173  * bytes long. For that reason, we allocate this dynamically. */
174 	char		*secctx;
175 
176 	union __nfct_protoinfo 	protoinfo;
177 	struct __nfct_counters 	counters[__DIR_MAX];
178 	struct __nfct_nat 	snat;
179 	struct __nfct_nat 	dnat;
180 
181 	struct {
182 		uint32_t 	correction_pos;
183 		uint32_t 	offset_before;
184 		uint32_t 	offset_after;
185 	} natseq[__DIR_MAX];
186 
187 	struct {
188 		uint64_t	start;
189 		uint64_t	stop;
190 	} timestamp;
191 
192 	void *helper_info;
193 	size_t helper_info_len;
194 
195 	struct nfct_bitmask *connlabels;
196 	struct nfct_bitmask *connlabels_mask;
197 };
198 
199 /*
200  * conntrack filter object
201  */
202 
203 struct nfct_filter {
204 	/*
205 	 * As many other objects in this library, the attributes are
206 	 * private. This gives us the chance to modify the layout and
207 	 * object size.
208 	 *
209 	 * Another observation, although this object might seem too
210 	 * memory consuming, it is only needed to build the filter. Thus,
211 	 * once it is attached, you can release this object.
212 	 */
213 
214 	/*
215 	 * filter logic: use positive or negative logic
216 	 */
217 	enum nfct_filter_logic 	logic[NFCT_FILTER_MAX];
218 
219 	/*
220 	 * This the layer 4 protocol map for filtering. Not more than
221 	 * 255 protocols (maximum is IPPROTO_MAX which is 256). Actually,
222 	 * I doubt that anyone can reach such a limit.
223 	 */
224 #define __FILTER_L4PROTO_MAX	255
225 	uint32_t 		l4proto_map[IPPROTO_MAX/32];
226 	uint32_t		l4proto_len;
227 
228 	struct {
229 	/*
230 	 * No limitations in the protocol filtering. We use a map of
231 	 * 16 bits per protocol. As for now, DCCP has 10 states, TCP has
232 	 * 10 states, SCTP has 8 state. Therefore, 16 bits is enough.
233 	 */
234 #define __FILTER_PROTO_MAX	16
235 		uint16_t 	map;
236 		uint16_t	len;
237 	} l4proto_state[IPPROTO_MAX];
238 
239 #define __FILTER_ADDR_SRC 0
240 #define __FILTER_ADDR_DST 1
241 
242 	/*
243 	 * FIXME: For IPv4 filtering, up to 127 IPs by now.
244 	 * This limitation is related to the existing autogenerated BSF code
245 	 * (two BSF lines per comparison) and the fact that the maximum
246 	 * jump offset is 0xff which is 255.
247 	 */
248 	uint32_t 		l3proto_elems[2];
249 	struct {
250 #define __FILTER_ADDR_MAX	127
251 		uint32_t 	addr;
252 		uint32_t 	mask;
253 	} l3proto[2][__FILTER_ADDR_MAX];
254 
255 	/*
256 	 * FIXME: For IPv6 filtering, up to 20 IPs/masks (12 BSF lines
257 	 * per comparison). I think that it is not worthy to try to support
258 	 * more than that for performance reasons. It seems that oprofile
259 	 * shows bad numbers for very large BSF code.
260 	 */
261 	uint32_t 		l3proto_elems_ipv6[2];
262 	struct {
263 #define __FILTER_IPV6_MAX	20
264 		uint32_t 	addr[4];
265 		uint32_t 	mask[4];
266 	} l3proto_ipv6[2][__FILTER_IPV6_MAX];
267 
268 	uint32_t 		mark_elems;
269 	struct {
270 #define __FILTER_MARK_MAX	127
271 		uint32_t 	val;
272 		uint32_t 	mask;
273 	} mark[__FILTER_MARK_MAX];
274 
275 	uint32_t 		set[1];
276 };
277 
278 /*
279  * conntrack filter dump object
280  */
281 
282 struct nfct_filter_dump {
283 	struct nfct_filter_dump_mark	mark;
284 	uint8_t				l3num;
285 	uint32_t			set;
286 };
287 
288 /*
289  * expectation object
290  */
291 
292 #define __NFCT_EXPECTFN_MAX	24	/* maximum symbol length. */
293 
294 struct nf_expect {
295 	struct nfct_tuple_head	master;
296 	struct nfct_tuple_head	expected;
297 	struct nfct_tuple_head	mask;
298 	struct nfct_tuple_head	nat;
299 
300 	uint32_t 		timeout;
301 	uint32_t 		id;
302 	uint16_t		zone;
303 	uint32_t		flags;
304 	uint32_t		class;
305 	char 			helper_name[NFCT_HELPER_NAME_MAX];
306 	uint32_t		nat_dir;
307 	char			expectfn[__NFCT_EXPECTFN_MAX];
308 
309 	uint32_t 		set[1];
310 };
311 
312 /*
313  * bitmask object
314  */
315 struct nfct_bitmask {
316 	unsigned int words;
317 	uint32_t bits[];
318 };
319 
320 struct nfct_labelmap;
321 
322 #endif
323