1/*
2 * WARNING: Do *NOT* ever include this file, only for internal use!
3 * 	    Use the set/get API in order to set/get the conntrack attributes
4 */
5
6#ifndef _NFCT_OBJECT_H_
7#define _NFCT_OBJECT_H_
8
9#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
10
11/*
12 * nfct callback handler object
13 */
14
15struct nfct_handle {
16	struct nfnl_handle		*nfnlh;
17	struct nfnl_subsys_handle	*nfnlssh_ct;
18	struct nfnl_subsys_handle	*nfnlssh_exp;
19
20	/* callback handler for the new API */
21	struct nfnl_callback		nfnl_cb_ct;
22	struct nfnl_callback		nfnl_cb_exp;
23
24	int			(*cb)(enum nf_conntrack_msg_type type,
25				      struct nf_conntrack *ct,
26				      void *data);
27
28	/* This is the second version of the callback that includes
29	 * the Netlink header. This is the result of an early design
30	 * error, hiding Netlink details is evil. You end needing some
31	 * internal information at some point like the Netlink PortID. */
32	int			(*cb2)(const struct nlmsghdr *nlh,
33				       enum nf_conntrack_msg_type type,
34				       struct nf_conntrack *ct,
35				       void *data);
36
37	int			(*expect_cb)(enum nf_conntrack_msg_type type,
38					     struct nf_expect *exp,
39					     void *data);
40
41	/* second version of the expect callback: it includes netlink header */
42	int			(*expect_cb2)(const struct nlmsghdr *nlh,
43					      enum nf_conntrack_msg_type type,
44					      struct nf_expect *exp,
45					      void *data);
46};
47
48/* container used to pass data to nfnl callbacks */
49struct __data_container {
50	struct nfct_handle *h;
51	enum nf_conntrack_msg_type type;
52	void *data;
53};
54
55/*
56 * conntrack object
57 */
58
59union __nfct_l4_src {
60	/* Add other protocols here. */
61	uint16_t 		all;
62	struct {
63		uint16_t 	port;
64	} tcp;
65	struct {
66		uint16_t 	port;
67	} udp;
68	struct {
69		uint16_t 	id;
70	} icmp;
71	struct {
72		uint16_t 	port;
73	} sctp;
74	struct {
75		uint16_t 	port;
76	} dccp;
77};
78
79union __nfct_l4_dst {
80	/* Add other protocols here. */
81	uint16_t 		all;
82	struct {
83		uint16_t 	port;
84	} tcp;
85	struct {
86		uint16_t 	port;
87	} udp;
88	struct {
89		uint8_t 	type, code;
90	} icmp;
91	struct {
92		uint16_t 	port;
93	} sctp;
94	struct {
95		uint16_t 	port;
96	} dccp;
97};
98
99union __nfct_address {
100	uint32_t 		v4;
101	struct in6_addr 	v6;
102};
103
104struct __nfct_tuple {
105	union __nfct_address	src;
106	union __nfct_address 	dst;
107
108	uint8_t			l3protonum;
109	uint8_t			protonum;
110	uint16_t		zone;
111
112	union __nfct_l4_src	l4src;
113	union __nfct_l4_dst	l4dst;
114};
115
116#define __DIR_ORIG 		0
117#define __DIR_REPL 		1
118#define __DIR_MAX		__DIR_REPL+1
119#define __DIR_MASTER 		2
120
121union __nfct_protoinfo {
122	struct {
123		uint8_t 		state;
124		struct {
125			uint8_t 	value;
126			uint8_t 	mask;
127		} flags[__DIR_MAX];
128		uint8_t			wscale[__DIR_MAX];
129	} tcp;
130	struct {
131		uint8_t 		state;
132		uint32_t 		vtag[__DIR_MAX];
133	} sctp;
134	struct {
135		uint8_t 		state;
136		uint8_t			role;
137		uint64_t		handshake_seq;
138	} dccp;
139};
140
141struct __nfct_counters {
142	uint64_t 	packets;
143	uint64_t 	bytes;
144};
145
146struct __nfct_nat {
147	union __nfct_address	min_ip, max_ip;
148	union __nfct_l4_src 	l4min, l4max;
149};
150
151struct nfct_tuple_head {
152	struct __nfct_tuple 	orig;
153
154#define __NFCT_BITSET			3
155	uint32_t               set[__NFCT_BITSET];
156};
157
158struct nf_conntrack {
159	struct nfct_tuple_head 	head;
160	struct __nfct_tuple	repl;
161	struct __nfct_tuple	master;
162
163	uint32_t 	timeout;
164	uint32_t	mark;
165	uint32_t	secmark;
166	uint32_t 	status;
167	uint32_t	use;
168	uint32_t	id;
169	uint16_t	zone;
170
171	char 		helper_name[NFCT_HELPER_NAME_MAX];
172/* According to Eric Paris <eparis@redhat.com> this field can be up to 4096
173 * bytes long. For that reason, we allocate this dynamically. */
174	char		*secctx;
175
176	union __nfct_protoinfo 	protoinfo;
177	struct __nfct_counters 	counters[__DIR_MAX];
178	struct __nfct_nat 	snat;
179	struct __nfct_nat 	dnat;
180
181	struct {
182		uint32_t 	correction_pos;
183		uint32_t 	offset_before;
184		uint32_t 	offset_after;
185	} natseq[__DIR_MAX];
186
187	struct {
188		uint64_t	start;
189		uint64_t	stop;
190	} timestamp;
191
192	void *helper_info;
193	size_t helper_info_len;
194
195	struct nfct_bitmask *connlabels;
196	struct nfct_bitmask *connlabels_mask;
197};
198
199/*
200 * conntrack filter object
201 */
202
203struct nfct_filter {
204	/*
205	 * As many other objects in this library, the attributes are
206	 * private. This gives us the chance to modify the layout and
207	 * object size.
208	 *
209	 * Another observation, although this object might seem too
210	 * memory consuming, it is only needed to build the filter. Thus,
211	 * once it is attached, you can release this object.
212	 */
213
214	/*
215	 * filter logic: use positive or negative logic
216	 */
217	enum nfct_filter_logic 	logic[NFCT_FILTER_MAX];
218
219	/*
220	 * This the layer 4 protocol map for filtering. Not more than
221	 * 255 protocols (maximum is IPPROTO_MAX which is 256). Actually,
222	 * I doubt that anyone can reach such a limit.
223	 */
224#define __FILTER_L4PROTO_MAX	255
225	uint32_t 		l4proto_map[IPPROTO_MAX/32];
226	uint32_t		l4proto_len;
227
228	struct {
229	/*
230	 * No limitations in the protocol filtering. We use a map of
231	 * 16 bits per protocol. As for now, DCCP has 10 states, TCP has
232	 * 10 states, SCTP has 8 state. Therefore, 16 bits is enough.
233	 */
234#define __FILTER_PROTO_MAX	16
235		uint16_t 	map;
236		uint16_t	len;
237	} l4proto_state[IPPROTO_MAX];
238
239#define __FILTER_ADDR_SRC 0
240#define __FILTER_ADDR_DST 1
241
242	/*
243	 * FIXME: For IPv4 filtering, up to 127 IPs by now.
244	 * This limitation is related to the existing autogenerated BSF code
245	 * (two BSF lines per comparison) and the fact that the maximum
246	 * jump offset is 0xff which is 255.
247	 */
248	uint32_t 		l3proto_elems[2];
249	struct {
250#define __FILTER_ADDR_MAX	127
251		uint32_t 	addr;
252		uint32_t 	mask;
253	} l3proto[2][__FILTER_ADDR_MAX];
254
255	/*
256	 * FIXME: For IPv6 filtering, up to 20 IPs/masks (12 BSF lines
257	 * per comparison). I think that it is not worthy to try to support
258	 * more than that for performance reasons. It seems that oprofile
259	 * shows bad numbers for very large BSF code.
260	 */
261	uint32_t 		l3proto_elems_ipv6[2];
262	struct {
263#define __FILTER_IPV6_MAX	20
264		uint32_t 	addr[4];
265		uint32_t 	mask[4];
266	} l3proto_ipv6[2][__FILTER_IPV6_MAX];
267
268	uint32_t 		mark_elems;
269	struct {
270#define __FILTER_MARK_MAX	127
271		uint32_t 	val;
272		uint32_t 	mask;
273	} mark[__FILTER_MARK_MAX];
274
275	uint32_t 		set[1];
276};
277
278/*
279 * conntrack filter dump object
280 */
281
282struct nfct_filter_dump {
283	struct nfct_filter_dump_mark	mark;
284	uint8_t				l3num;
285	uint32_t			set;
286};
287
288/*
289 * expectation object
290 */
291
292#define __NFCT_EXPECTFN_MAX	24	/* maximum symbol length. */
293
294struct nf_expect {
295	struct nfct_tuple_head	master;
296	struct nfct_tuple_head	expected;
297	struct nfct_tuple_head	mask;
298	struct nfct_tuple_head	nat;
299
300	uint32_t 		timeout;
301	uint32_t 		id;
302	uint16_t		zone;
303	uint32_t		flags;
304	uint32_t		class;
305	char 			helper_name[NFCT_HELPER_NAME_MAX];
306	uint32_t		nat_dir;
307	char			expectfn[__NFCT_EXPECTFN_MAX];
308
309	uint32_t 		set[1];
310};
311
312/*
313 * bitmask object
314 */
315struct nfct_bitmask {
316	unsigned int words;
317	uint32_t bits[];
318};
319
320struct nfct_labelmap;
321
322#endif
323