Loading include/linux/genetlink.h 0 → 100644 +51 −0 Original line number Diff line number Diff line #ifndef __LINUX_GENERIC_NETLINK_H #define __LINUX_GENERIC_NETLINK_H #include <linux/netlink.h> #define GENL_NAMSIZ 16 /* length of family name */ #define GENL_MIN_ID NLMSG_MIN_TYPE #define GENL_MAX_ID 1023 struct genlmsghdr { __u8 cmd; __u8 version; __u16 reserved; }; #define GENL_HDRLEN NLMSG_ALIGN(sizeof(struct genlmsghdr)) /* * List of reserved static generic netlink identifiers: */ #define GENL_ID_GENERATE 0 #define GENL_ID_CTRL NLMSG_MIN_TYPE /************************************************************************** * Controller **************************************************************************/ enum { CTRL_CMD_UNSPEC, CTRL_CMD_NEWFAMILY, CTRL_CMD_DELFAMILY, CTRL_CMD_GETFAMILY, CTRL_CMD_NEWOPS, CTRL_CMD_DELOPS, CTRL_CMD_GETOPS, __CTRL_CMD_MAX, }; #define CTRL_CMD_MAX (__CTRL_CMD_MAX - 1) enum { CTRL_ATTR_UNSPEC, CTRL_ATTR_FAMILY_ID, CTRL_ATTR_FAMILY_NAME, __CTRL_ATTR_MAX, }; #define CTRL_ATTR_MAX (__CTRL_ATTR_MAX - 1) #endif /* __LINUX_GENERIC_NETLINK_H */ include/linux/netfilter/nf_conntrack_common.h 0 → 100644 +159 −0 Original line number Diff line number Diff line #ifndef _NF_CONNTRACK_COMMON_H #define _NF_CONNTRACK_COMMON_H /* Connection state tracking for netfilter. This is separated from, but required by, the NAT layer; it can also be used by an iptables extension. */ enum ip_conntrack_info { /* Part of an established connection (either direction). */ IP_CT_ESTABLISHED, /* Like NEW, but related to an existing connection, or ICMP error (in either direction). */ IP_CT_RELATED, /* Started a new connection to track (only IP_CT_DIR_ORIGINAL); may be a retransmission. */ IP_CT_NEW, /* >= this indicates reply direction */ IP_CT_IS_REPLY, /* Number of distinct IP_CT types (no NEW in reply dirn). */ IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 }; /* Bitset representing status of connection. */ enum ip_conntrack_status { /* It's an expected connection: bit 0 set. This bit never changed */ IPS_EXPECTED_BIT = 0, IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ IPS_SEEN_REPLY_BIT = 1, IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), /* Conntrack should never be early-expired. */ IPS_ASSURED_BIT = 2, IPS_ASSURED = (1 << IPS_ASSURED_BIT), /* Connection is confirmed: originating packet has left box */ IPS_CONFIRMED_BIT = 3, IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), /* Connection needs src nat in orig dir. This bit never changed. */ IPS_SRC_NAT_BIT = 4, IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), /* Connection needs dst nat in orig dir. This bit never changed. */ IPS_DST_NAT_BIT = 5, IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), /* Both together. */ IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), /* Connection needs TCP sequence adjusted. */ IPS_SEQ_ADJUST_BIT = 6, IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), /* NAT initialization bits. */ IPS_SRC_NAT_DONE_BIT = 7, IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), IPS_DST_NAT_DONE_BIT = 8, IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), /* Both together */ IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), /* Connection is dying (removed from lists), can not be unset. */ IPS_DYING_BIT = 9, IPS_DYING = (1 << IPS_DYING_BIT), }; /* Connection tracking event bits */ enum ip_conntrack_events { /* New conntrack */ IPCT_NEW_BIT = 0, IPCT_NEW = (1 << IPCT_NEW_BIT), /* Expected connection */ IPCT_RELATED_BIT = 1, IPCT_RELATED = (1 << IPCT_RELATED_BIT), /* Destroyed conntrack */ IPCT_DESTROY_BIT = 2, IPCT_DESTROY = (1 << IPCT_DESTROY_BIT), /* Timer has been refreshed */ IPCT_REFRESH_BIT = 3, IPCT_REFRESH = (1 << IPCT_REFRESH_BIT), /* Status has changed */ IPCT_STATUS_BIT = 4, IPCT_STATUS = (1 << IPCT_STATUS_BIT), /* Update of protocol info */ IPCT_PROTOINFO_BIT = 5, IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT), /* Volatile protocol info */ IPCT_PROTOINFO_VOLATILE_BIT = 6, IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT), /* New helper for conntrack */ IPCT_HELPER_BIT = 7, IPCT_HELPER = (1 << IPCT_HELPER_BIT), /* Update of helper info */ IPCT_HELPINFO_BIT = 8, IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT), /* Volatile helper info */ IPCT_HELPINFO_VOLATILE_BIT = 9, IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT), /* NAT info */ IPCT_NATINFO_BIT = 10, IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), /* Counter highest bit has been set */ IPCT_COUNTER_FILLING_BIT = 11, IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT), }; enum ip_conntrack_expect_events { IPEXP_NEW_BIT = 0, IPEXP_NEW = (1 << IPEXP_NEW_BIT), }; #ifdef __KERNEL__ struct ip_conntrack_counter { u_int32_t packets; u_int32_t bytes; }; struct ip_conntrack_stat { unsigned int searched; unsigned int found; unsigned int new; unsigned int invalid; unsigned int ignore; unsigned int delete; unsigned int delete_list; unsigned int insert; unsigned int insert_failed; unsigned int drop; unsigned int early_drop; unsigned int error; unsigned int expect_new; unsigned int expect_create; unsigned int expect_delete; }; #endif /* __KERNEL__ */ #endif /* _NF_CONNTRACK_COMMON_H */ include/linux/netfilter/nf_conntrack_ftp.h 0 → 100644 +44 −0 Original line number Diff line number Diff line #ifndef _NF_CONNTRACK_FTP_H #define _NF_CONNTRACK_FTP_H /* FTP tracking. */ /* This enum is exposed to userspace */ enum ip_ct_ftp_type { /* PORT command from client */ IP_CT_FTP_PORT, /* PASV response from server */ IP_CT_FTP_PASV, /* EPRT command from client */ IP_CT_FTP_EPRT, /* EPSV response from server */ IP_CT_FTP_EPSV, }; #ifdef __KERNEL__ #define FTP_PORT 21 #define NUM_SEQ_TO_REMEMBER 2 /* This structure exists only once per master */ struct ip_ct_ftp_master { /* Valid seq positions for cmd matching after newline */ u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; /* 0 means seq_match_aft_nl not set */ int seq_aft_nl_num[IP_CT_DIR_MAX]; }; struct ip_conntrack_expect; /* For NAT to hook in when we find a packet which describes what other * connection we should expect. */ extern unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb, enum ip_conntrack_info ctinfo, enum ip_ct_ftp_type type, unsigned int matchoff, unsigned int matchlen, struct ip_conntrack_expect *exp, u32 *seq); #endif /* __KERNEL__ */ #endif /* _NF_CONNTRACK_FTP_H */ include/linux/netfilter/nf_conntrack_sctp.h 0 → 100644 +27 −0 Original line number Diff line number Diff line #ifndef _NF_CONNTRACK_SCTP_H #define _NF_CONNTRACK_SCTP_H /* SCTP tracking. */ #include <linux/netfilter/nf_conntrack_tuple_common.h> enum sctp_conntrack { SCTP_CONNTRACK_NONE, SCTP_CONNTRACK_CLOSED, SCTP_CONNTRACK_COOKIE_WAIT, SCTP_CONNTRACK_COOKIE_ECHOED, SCTP_CONNTRACK_ESTABLISHED, SCTP_CONNTRACK_SHUTDOWN_SENT, SCTP_CONNTRACK_SHUTDOWN_RECD, SCTP_CONNTRACK_SHUTDOWN_ACK_SENT, SCTP_CONNTRACK_MAX }; struct ip_ct_sctp { enum sctp_conntrack state; u_int32_t vtag[IP_CT_DIR_MAX]; u_int32_t ttag[IP_CT_DIR_MAX]; }; #endif /* _NF_CONNTRACK_SCTP_H */ include/linux/netfilter/nf_conntrack_tcp.h 0 → 100644 +56 −0 Original line number Diff line number Diff line #ifndef _NF_CONNTRACK_TCP_H #define _NF_CONNTRACK_TCP_H /* TCP tracking. */ /* This is exposed to userspace (ctnetlink) */ enum tcp_conntrack { TCP_CONNTRACK_NONE, TCP_CONNTRACK_SYN_SENT, TCP_CONNTRACK_SYN_RECV, TCP_CONNTRACK_ESTABLISHED, TCP_CONNTRACK_FIN_WAIT, TCP_CONNTRACK_CLOSE_WAIT, TCP_CONNTRACK_LAST_ACK, TCP_CONNTRACK_TIME_WAIT, TCP_CONNTRACK_CLOSE, TCP_CONNTRACK_LISTEN, TCP_CONNTRACK_MAX, TCP_CONNTRACK_IGNORE }; /* Window scaling is advertised by the sender */ #define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01 /* SACK is permitted by the sender */ #define IP_CT_TCP_FLAG_SACK_PERM 0x02 /* This sender sent FIN first */ #define IP_CT_TCP_FLAG_CLOSE_INIT 0x03 #ifdef __KERNEL__ struct ip_ct_tcp_state { u_int32_t td_end; /* max of seq + len */ u_int32_t td_maxend; /* max of ack + max(win, 1) */ u_int32_t td_maxwin; /* max(win) */ u_int8_t td_scale; /* window scale factor */ u_int8_t loose; /* used when connection picked up from the middle */ u_int8_t flags; /* per direction options */ }; struct ip_ct_tcp { struct ip_ct_tcp_state seen[2]; /* connection parameters per direction */ u_int8_t state; /* state of the connection (enum tcp_conntrack) */ /* For detecting stale connections */ u_int8_t last_dir; /* Direction of the last packet (enum ip_conntrack_dir) */ u_int8_t retrans; /* Number of retransmitted packets */ u_int8_t last_index; /* Index of the last packet */ u_int32_t last_seq; /* Last sequence number seen in dir */ u_int32_t last_ack; /* Last sequence number seen in opposite dir */ u_int32_t last_end; /* Last seq + len */ }; #endif /* __KERNEL__ */ #endif /* _NF_CONNTRACK_TCP_H */ Loading
include/linux/genetlink.h 0 → 100644 +51 −0 Original line number Diff line number Diff line #ifndef __LINUX_GENERIC_NETLINK_H #define __LINUX_GENERIC_NETLINK_H #include <linux/netlink.h> #define GENL_NAMSIZ 16 /* length of family name */ #define GENL_MIN_ID NLMSG_MIN_TYPE #define GENL_MAX_ID 1023 struct genlmsghdr { __u8 cmd; __u8 version; __u16 reserved; }; #define GENL_HDRLEN NLMSG_ALIGN(sizeof(struct genlmsghdr)) /* * List of reserved static generic netlink identifiers: */ #define GENL_ID_GENERATE 0 #define GENL_ID_CTRL NLMSG_MIN_TYPE /************************************************************************** * Controller **************************************************************************/ enum { CTRL_CMD_UNSPEC, CTRL_CMD_NEWFAMILY, CTRL_CMD_DELFAMILY, CTRL_CMD_GETFAMILY, CTRL_CMD_NEWOPS, CTRL_CMD_DELOPS, CTRL_CMD_GETOPS, __CTRL_CMD_MAX, }; #define CTRL_CMD_MAX (__CTRL_CMD_MAX - 1) enum { CTRL_ATTR_UNSPEC, CTRL_ATTR_FAMILY_ID, CTRL_ATTR_FAMILY_NAME, __CTRL_ATTR_MAX, }; #define CTRL_ATTR_MAX (__CTRL_ATTR_MAX - 1) #endif /* __LINUX_GENERIC_NETLINK_H */
include/linux/netfilter/nf_conntrack_common.h 0 → 100644 +159 −0 Original line number Diff line number Diff line #ifndef _NF_CONNTRACK_COMMON_H #define _NF_CONNTRACK_COMMON_H /* Connection state tracking for netfilter. This is separated from, but required by, the NAT layer; it can also be used by an iptables extension. */ enum ip_conntrack_info { /* Part of an established connection (either direction). */ IP_CT_ESTABLISHED, /* Like NEW, but related to an existing connection, or ICMP error (in either direction). */ IP_CT_RELATED, /* Started a new connection to track (only IP_CT_DIR_ORIGINAL); may be a retransmission. */ IP_CT_NEW, /* >= this indicates reply direction */ IP_CT_IS_REPLY, /* Number of distinct IP_CT types (no NEW in reply dirn). */ IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 }; /* Bitset representing status of connection. */ enum ip_conntrack_status { /* It's an expected connection: bit 0 set. This bit never changed */ IPS_EXPECTED_BIT = 0, IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ IPS_SEEN_REPLY_BIT = 1, IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), /* Conntrack should never be early-expired. */ IPS_ASSURED_BIT = 2, IPS_ASSURED = (1 << IPS_ASSURED_BIT), /* Connection is confirmed: originating packet has left box */ IPS_CONFIRMED_BIT = 3, IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), /* Connection needs src nat in orig dir. This bit never changed. */ IPS_SRC_NAT_BIT = 4, IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), /* Connection needs dst nat in orig dir. This bit never changed. */ IPS_DST_NAT_BIT = 5, IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), /* Both together. */ IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), /* Connection needs TCP sequence adjusted. */ IPS_SEQ_ADJUST_BIT = 6, IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), /* NAT initialization bits. */ IPS_SRC_NAT_DONE_BIT = 7, IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), IPS_DST_NAT_DONE_BIT = 8, IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), /* Both together */ IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), /* Connection is dying (removed from lists), can not be unset. */ IPS_DYING_BIT = 9, IPS_DYING = (1 << IPS_DYING_BIT), }; /* Connection tracking event bits */ enum ip_conntrack_events { /* New conntrack */ IPCT_NEW_BIT = 0, IPCT_NEW = (1 << IPCT_NEW_BIT), /* Expected connection */ IPCT_RELATED_BIT = 1, IPCT_RELATED = (1 << IPCT_RELATED_BIT), /* Destroyed conntrack */ IPCT_DESTROY_BIT = 2, IPCT_DESTROY = (1 << IPCT_DESTROY_BIT), /* Timer has been refreshed */ IPCT_REFRESH_BIT = 3, IPCT_REFRESH = (1 << IPCT_REFRESH_BIT), /* Status has changed */ IPCT_STATUS_BIT = 4, IPCT_STATUS = (1 << IPCT_STATUS_BIT), /* Update of protocol info */ IPCT_PROTOINFO_BIT = 5, IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT), /* Volatile protocol info */ IPCT_PROTOINFO_VOLATILE_BIT = 6, IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT), /* New helper for conntrack */ IPCT_HELPER_BIT = 7, IPCT_HELPER = (1 << IPCT_HELPER_BIT), /* Update of helper info */ IPCT_HELPINFO_BIT = 8, IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT), /* Volatile helper info */ IPCT_HELPINFO_VOLATILE_BIT = 9, IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT), /* NAT info */ IPCT_NATINFO_BIT = 10, IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), /* Counter highest bit has been set */ IPCT_COUNTER_FILLING_BIT = 11, IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT), }; enum ip_conntrack_expect_events { IPEXP_NEW_BIT = 0, IPEXP_NEW = (1 << IPEXP_NEW_BIT), }; #ifdef __KERNEL__ struct ip_conntrack_counter { u_int32_t packets; u_int32_t bytes; }; struct ip_conntrack_stat { unsigned int searched; unsigned int found; unsigned int new; unsigned int invalid; unsigned int ignore; unsigned int delete; unsigned int delete_list; unsigned int insert; unsigned int insert_failed; unsigned int drop; unsigned int early_drop; unsigned int error; unsigned int expect_new; unsigned int expect_create; unsigned int expect_delete; }; #endif /* __KERNEL__ */ #endif /* _NF_CONNTRACK_COMMON_H */
include/linux/netfilter/nf_conntrack_ftp.h 0 → 100644 +44 −0 Original line number Diff line number Diff line #ifndef _NF_CONNTRACK_FTP_H #define _NF_CONNTRACK_FTP_H /* FTP tracking. */ /* This enum is exposed to userspace */ enum ip_ct_ftp_type { /* PORT command from client */ IP_CT_FTP_PORT, /* PASV response from server */ IP_CT_FTP_PASV, /* EPRT command from client */ IP_CT_FTP_EPRT, /* EPSV response from server */ IP_CT_FTP_EPSV, }; #ifdef __KERNEL__ #define FTP_PORT 21 #define NUM_SEQ_TO_REMEMBER 2 /* This structure exists only once per master */ struct ip_ct_ftp_master { /* Valid seq positions for cmd matching after newline */ u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; /* 0 means seq_match_aft_nl not set */ int seq_aft_nl_num[IP_CT_DIR_MAX]; }; struct ip_conntrack_expect; /* For NAT to hook in when we find a packet which describes what other * connection we should expect. */ extern unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb, enum ip_conntrack_info ctinfo, enum ip_ct_ftp_type type, unsigned int matchoff, unsigned int matchlen, struct ip_conntrack_expect *exp, u32 *seq); #endif /* __KERNEL__ */ #endif /* _NF_CONNTRACK_FTP_H */
include/linux/netfilter/nf_conntrack_sctp.h 0 → 100644 +27 −0 Original line number Diff line number Diff line #ifndef _NF_CONNTRACK_SCTP_H #define _NF_CONNTRACK_SCTP_H /* SCTP tracking. */ #include <linux/netfilter/nf_conntrack_tuple_common.h> enum sctp_conntrack { SCTP_CONNTRACK_NONE, SCTP_CONNTRACK_CLOSED, SCTP_CONNTRACK_COOKIE_WAIT, SCTP_CONNTRACK_COOKIE_ECHOED, SCTP_CONNTRACK_ESTABLISHED, SCTP_CONNTRACK_SHUTDOWN_SENT, SCTP_CONNTRACK_SHUTDOWN_RECD, SCTP_CONNTRACK_SHUTDOWN_ACK_SENT, SCTP_CONNTRACK_MAX }; struct ip_ct_sctp { enum sctp_conntrack state; u_int32_t vtag[IP_CT_DIR_MAX]; u_int32_t ttag[IP_CT_DIR_MAX]; }; #endif /* _NF_CONNTRACK_SCTP_H */
include/linux/netfilter/nf_conntrack_tcp.h 0 → 100644 +56 −0 Original line number Diff line number Diff line #ifndef _NF_CONNTRACK_TCP_H #define _NF_CONNTRACK_TCP_H /* TCP tracking. */ /* This is exposed to userspace (ctnetlink) */ enum tcp_conntrack { TCP_CONNTRACK_NONE, TCP_CONNTRACK_SYN_SENT, TCP_CONNTRACK_SYN_RECV, TCP_CONNTRACK_ESTABLISHED, TCP_CONNTRACK_FIN_WAIT, TCP_CONNTRACK_CLOSE_WAIT, TCP_CONNTRACK_LAST_ACK, TCP_CONNTRACK_TIME_WAIT, TCP_CONNTRACK_CLOSE, TCP_CONNTRACK_LISTEN, TCP_CONNTRACK_MAX, TCP_CONNTRACK_IGNORE }; /* Window scaling is advertised by the sender */ #define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01 /* SACK is permitted by the sender */ #define IP_CT_TCP_FLAG_SACK_PERM 0x02 /* This sender sent FIN first */ #define IP_CT_TCP_FLAG_CLOSE_INIT 0x03 #ifdef __KERNEL__ struct ip_ct_tcp_state { u_int32_t td_end; /* max of seq + len */ u_int32_t td_maxend; /* max of ack + max(win, 1) */ u_int32_t td_maxwin; /* max(win) */ u_int8_t td_scale; /* window scale factor */ u_int8_t loose; /* used when connection picked up from the middle */ u_int8_t flags; /* per direction options */ }; struct ip_ct_tcp { struct ip_ct_tcp_state seen[2]; /* connection parameters per direction */ u_int8_t state; /* state of the connection (enum tcp_conntrack) */ /* For detecting stale connections */ u_int8_t last_dir; /* Direction of the last packet (enum ip_conntrack_dir) */ u_int8_t retrans; /* Number of retransmitted packets */ u_int8_t last_index; /* Index of the last packet */ u_int32_t last_seq; /* Last sequence number seen in dir */ u_int32_t last_ack; /* Last sequence number seen in opposite dir */ u_int32_t last_end; /* Last seq + len */ }; #endif /* __KERNEL__ */ #endif /* _NF_CONNTRACK_TCP_H */
