Blame view
include/net/netfilter/nf_conntrack.h
9.48 KB
9fb9cbb10
[NETFILTER]: Add ...
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
/* * Connection state tracking for netfilter. This is separated from, * but required by, the (future) NAT layer; it can also be used by an iptables * extension. * * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> * - generalize L3 protocol dependent part. * * Derived from include/linux/netfiter_ipv4/ip_conntrack.h */ #ifndef _NF_CONNTRACK_H #define _NF_CONNTRACK_H #include <linux/netfilter/nf_conntrack_common.h> |
|
9fb9cbb10
[NETFILTER]: Add ...
|
16 17 |
#include <linux/bitops.h> #include <linux/compiler.h> |
60063497a
atomic: use <linu...
|
18 |
#include <linux/atomic.h> |
|
9fb9cbb10
[NETFILTER]: Add ...
|
19 20 |
#include <linux/netfilter/nf_conntrack_tcp.h> |
2bc780499
[NETFILTER]: nf_c...
|
21 |
#include <linux/netfilter/nf_conntrack_dccp.h> |
|
9fb9cbb10
[NETFILTER]: Add ...
|
22 |
#include <linux/netfilter/nf_conntrack_sctp.h> |
|
f09943fef
[NETFILTER]: nf_c...
|
23 |
#include <linux/netfilter/nf_conntrack_proto_gre.h> |
|
9fb9cbb10
[NETFILTER]: Add ...
|
24 25 26 27 28 29 30 |
#include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
#include <net/netfilter/nf_conntrack_tuple.h>
/* per conntrack: protocol private data */
union nf_conntrack_proto {
/* insert conntrack proto private data here */
|
|
2bc780499
[NETFILTER]: nf_c...
|
31 |
struct nf_ct_dccp dccp; |
|
9fb9cbb10
[NETFILTER]: Add ...
|
32 33 |
struct ip_ct_sctp sctp; struct ip_ct_tcp tcp; |
|
f09943fef
[NETFILTER]: nf_c...
|
34 |
struct nf_ct_gre gre; |
|
9fb9cbb10
[NETFILTER]: Add ...
|
35 36 37 38 39 40 41 42 |
};
union nf_conntrack_expect_proto {
/* insert expect proto private data here */
};
/* Add protocol helper include file here */
#include <linux/netfilter/nf_conntrack_ftp.h>
|
|
f09943fef
[NETFILTER]: nf_c...
|
43 |
#include <linux/netfilter/nf_conntrack_pptp.h> |
|
f587de0e2
[NETFILTER]: nf_c...
|
44 |
#include <linux/netfilter/nf_conntrack_h323.h> |
6fecd1985
[NETFILTER]: Add ...
|
45 |
#include <linux/netfilter/nf_conntrack_sane.h> |
|
0f32a40fc
[NETFILTER]: nf_c...
|
46 |
#include <linux/netfilter/nf_conntrack_sip.h> |
|
9fb9cbb10
[NETFILTER]: Add ...
|
47 48 49 50 |
/* per conntrack: application helper private data */
union nf_conntrack_help {
/* insert conntrack helper private data (master) here */
|
0f8e80044
netfilter: nf_con...
|
51 |
#if defined(CONFIG_NF_CONNTRACK_FTP) || defined(CONFIG_NF_CONNTRACK_FTP_MODULE) |
55a733247
[NETFILTER]: nf_n...
|
52 |
struct nf_ct_ftp_master ct_ftp_info; |
|
0f8e80044
netfilter: nf_con...
|
53 54 55 |
#endif
#if defined(CONFIG_NF_CONNTRACK_PPTP) || \
defined(CONFIG_NF_CONNTRACK_PPTP_MODULE)
|
|
f09943fef
[NETFILTER]: nf_c...
|
56 |
struct nf_ct_pptp_master ct_pptp_info; |
|
0f8e80044
netfilter: nf_con...
|
57 58 59 |
#endif
#if defined(CONFIG_NF_CONNTRACK_H323) || \
defined(CONFIG_NF_CONNTRACK_H323_MODULE)
|
|
f587de0e2
[NETFILTER]: nf_c...
|
60 |
struct nf_ct_h323_master ct_h323_info; |
|
0f8e80044
netfilter: nf_con...
|
61 62 63 |
#endif
#if defined(CONFIG_NF_CONNTRACK_SANE) || \
defined(CONFIG_NF_CONNTRACK_SANE_MODULE)
|
|
6fecd1985
[NETFILTER]: Add ...
|
64 |
struct nf_ct_sane_master ct_sane_info; |
|
0f8e80044
netfilter: nf_con...
|
65 66 |
#endif #if defined(CONFIG_NF_CONNTRACK_SIP) || defined(CONFIG_NF_CONNTRACK_SIP_MODULE) |
|
0f32a40fc
[NETFILTER]: nf_c...
|
67 |
struct nf_ct_sip_master ct_sip_info; |
|
0f8e80044
netfilter: nf_con...
|
68 |
#endif |
|
9fb9cbb10
[NETFILTER]: Add ...
|
69 70 71 72 |
}; #include <linux/types.h> #include <linux/skbuff.h> |
d7fe0f241
[PATCH] severing ...
|
73 |
#include <linux/timer.h> |
|
9fb9cbb10
[NETFILTER]: Add ...
|
74 75 |
#ifdef CONFIG_NETFILTER_DEBUG |
|
55871d047
[NETFILTER]: nf_c...
|
76 |
#define NF_CT_ASSERT(x) WARN_ON(!(x)) |
|
9fb9cbb10
[NETFILTER]: Add ...
|
77 78 79 80 81 |
#else #define NF_CT_ASSERT(x) #endif struct nf_conntrack_helper; |
|
6002f266b
[NETFILTER]: nf_c...
|
82 |
/* Must be kept in sync with the classes defined by helpers */ |
|
9d288dffe
netfilter: nf_con...
|
83 |
#define NF_CT_MAX_EXPECT_CLASSES 4 |
|
6002f266b
[NETFILTER]: nf_c...
|
84 |
|
dc808fe28
[NETFILTER] nf_co...
|
85 86 87 |
/* nf_conn feature for connections that have a helper */
struct nf_conn_help {
/* Helper. if any */
|
0906a372f
net/netfilter: __...
|
88 |
struct nf_conntrack_helper __rcu *helper; |
|
dc808fe28
[NETFILTER] nf_co...
|
89 90 |
union nf_conntrack_help help; |
|
b560580a1
[NETFILTER]: nf_c...
|
91 |
struct hlist_head expectations; |
|
dc808fe28
[NETFILTER] nf_co...
|
92 |
/* Current number of expected connections */ |
|
6002f266b
[NETFILTER]: nf_c...
|
93 |
u8 expecting[NF_CT_MAX_EXPECT_CLASSES]; |
|
dc808fe28
[NETFILTER] nf_co...
|
94 |
}; |
|
9fb9cbb10
[NETFILTER]: Add ...
|
95 |
#include <net/netfilter/ipv4/nf_conntrack_ipv4.h> |
|
f8eb24a89
[NETFILTER]: nf_c...
|
96 |
#include <net/netfilter/ipv6/nf_conntrack_ipv6.h> |
ea781f197
netfilter: nf_con...
|
97 |
struct nf_conn {
|
|
9fb9cbb10
[NETFILTER]: Add ...
|
98 99 100 |
/* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
plus 1 for any connection(s) we are `master' for */
struct nf_conntrack ct_general;
|
|
440f0d588
netfilter: nf_con...
|
101 |
spinlock_t lock; |
|
9fb9cbb10
[NETFILTER]: Add ...
|
102 103 104 105 106 107 |
/* XXX should I move this to the tail ? - Y.K */ /* These are my tuples; original and reply */ struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; /* Have we seen traffic both ways yet? (bitset) */ unsigned long status; |
|
dc808fe28
[NETFILTER] nf_co...
|
108 109 |
/* If we were expected by an expectation, this will be it */ struct nf_conn *master; |
|
9fb9cbb10
[NETFILTER]: Add ...
|
110 111 |
/* Timer function; drops refcnt when it goes off. */ struct timer_list timeout; |
|
9fb9cbb10
[NETFILTER]: Add ...
|
112 113 114 |
#if defined(CONFIG_NF_CONNTRACK_MARK) u_int32_t mark; #endif |
7c9728c39
[SECMARK]: Add se...
|
115 116 117 |
#ifdef CONFIG_NF_CONNTRACK_SECMARK u_int32_t secmark; #endif |
|
ecfab2c9f
[NETFILTER]: nf_c...
|
118 119 |
/* Extensions */ struct nf_ct_ext *ext; |
5a1fb391d
netfilter: netns ...
|
120 121 122 |
#ifdef CONFIG_NET_NS struct net *ct_net; #endif |
|
e5fc9e7a6
netfilter: nf_con...
|
123 124 125 |
/* Storage reserved for other modules, must be the last member */ union nf_conntrack_proto proto; |
|
9fb9cbb10
[NETFILTER]: Add ...
|
126 |
}; |
|
9fb9cbb10
[NETFILTER]: Add ...
|
127 128 129 130 131 132 |
static inline struct nf_conn *
nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
{
return container_of(hash, struct nf_conn,
tuplehash[hash->tuple.dst.dir]);
}
|
|
5e8fbe2ac
[NETFILTER]: nf_c...
|
133 134 135 136 137 138 139 140 141 |
static inline u_int16_t nf_ct_l3num(const struct nf_conn *ct)
{
return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
}
static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct)
{
return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
}
|
f2f3e38c6
netfilter: ctnetl...
|
142 |
#define nf_ct_tuple(ct, dir) (&(ct)->tuplehash[dir].tuple) |
|
9fb9cbb10
[NETFILTER]: Add ...
|
143 144 |
/* get master conntrack via master expectation */ #define master_ct(conntr) (conntr->master) |
|
5a1fb391d
netfilter: netns ...
|
145 146 147 148 |
extern struct net init_net;
static inline struct net *nf_ct_net(const struct nf_conn *ct)
{
|
c2d9ba9bc
net: CONFIG_NET_N...
|
149 |
return read_pnet(&ct->ct_net); |
|
5a1fb391d
netfilter: netns ...
|
150 |
} |
|
9fb9cbb10
[NETFILTER]: Add ...
|
151 152 |
/* Alter reply tuple (maybe alter helper). */ extern void |
|
c88130bcd
[NETFILTER]: nf_c...
|
153 |
nf_conntrack_alter_reply(struct nf_conn *ct, |
|
9fb9cbb10
[NETFILTER]: Add ...
|
154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 |
const struct nf_conntrack_tuple *newreply);
/* Is this tuple taken? (ignoring any belonging to the given
conntrack). */
extern int
nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
const struct nf_conn *ignored_conntrack);
/* Return conntrack_info and tuple hash for given skb. */
static inline struct nf_conn *
nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
{
*ctinfo = skb->nfctinfo;
return (struct nf_conn *)skb->nfct;
}
/* decrement reference count on a conntrack */
static inline void nf_ct_put(struct nf_conn *ct)
{
NF_CT_ASSERT(ct);
nf_conntrack_put(&ct->ct_general);
}
|
|
b9f78f9fc
[NETFILTER]: nf_c...
|
176 177 178 |
/* Protocol module loading */ extern int nf_ct_l3proto_try_module_get(unsigned short l3proto); extern void nf_ct_l3proto_module_put(unsigned short l3proto); |
|
ea781f197
netfilter: nf_con...
|
179 180 181 182 |
/* * Allocate a hashtable of hlist_head (if nulls == 0), * or hlist_nulls_head (if nulls == 1) */ |
|
d862a6622
netfilter: nf_con...
|
183 |
extern void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls); |
|
ea781f197
netfilter: nf_con...
|
184 |
|
|
d862a6622
netfilter: nf_con...
|
185 |
extern void nf_ct_free_hashtable(void *hash, unsigned int size); |
|
ac565e5fc
[NETFILTER]: nf_c...
|
186 |
|
|
c1d10adb4
[NETFILTER]: Add ...
|
187 |
extern struct nf_conntrack_tuple_hash * |
|
5d0aa2ccd
netfilter: nf_con...
|
188 189 |
__nf_conntrack_find(struct net *net, u16 zone, const struct nf_conntrack_tuple *tuple); |
|
c1d10adb4
[NETFILTER]: Add ...
|
190 191 |
extern void nf_conntrack_hash_insert(struct nf_conn *ct); |
|
dd7669a92
netfilter: conntr...
|
192 193 |
extern void nf_ct_delete_from_lists(struct nf_conn *ct); extern void nf_ct_insert_dying_list(struct nf_conn *ct); |
|
c1d10adb4
[NETFILTER]: Add ...
|
194 |
|
|
274d383b9
netfilter: conntr...
|
195 |
extern void nf_conntrack_flush_report(struct net *net, u32 pid, int report); |
|
c1d10adb4
[NETFILTER]: Add ...
|
196 |
|
5f2b4c900
[NETFILTER]: nf_c...
|
197 198 199 200 201 |
extern bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff, u_int16_t l3num, struct nf_conntrack_tuple *tuple); extern bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, const struct nf_conntrack_tuple *orig); |
|
9fb9cbb10
[NETFILTER]: Add ...
|
202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 |
extern void __nf_ct_refresh_acct(struct nf_conn *ct,
enum ip_conntrack_info ctinfo,
const struct sk_buff *skb,
unsigned long extra_jiffies,
int do_acct);
/* Refresh conntrack for this many jiffies and do accounting */
static inline void nf_ct_refresh_acct(struct nf_conn *ct,
enum ip_conntrack_info ctinfo,
const struct sk_buff *skb,
unsigned long extra_jiffies)
{
__nf_ct_refresh_acct(ct, ctinfo, skb, extra_jiffies, 1);
}
/* Refresh conntrack for this many jiffies */
static inline void nf_ct_refresh(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned long extra_jiffies)
{
__nf_ct_refresh_acct(ct, 0, skb, extra_jiffies, 0);
}
|
4c8894980
netfilter: Let nf...
|
225 226 227 228 |
extern bool __nf_ct_kill_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo, const struct sk_buff *skb, int do_acct); |
718d4ad98
netfilter: nf_con...
|
229 230 |
/* kill conntrack and do accounting */ |
|
4c8894980
netfilter: Let nf...
|
231 232 233 |
static inline bool nf_ct_kill_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo, const struct sk_buff *skb) |
|
718d4ad98
netfilter: nf_con...
|
234 |
{
|
|
4c8894980
netfilter: Let nf...
|
235 |
return __nf_ct_kill_acct(ct, ctinfo, skb, 1); |
|
718d4ad98
netfilter: nf_con...
|
236 237 238 |
} /* kill conntrack without accounting */ |
|
4c8894980
netfilter: Let nf...
|
239 |
static inline bool nf_ct_kill(struct nf_conn *ct) |
|
718d4ad98
netfilter: nf_con...
|
240 |
{
|
|
4c8894980
netfilter: Let nf...
|
241 |
return __nf_ct_kill_acct(ct, 0, NULL, 0); |
|
718d4ad98
netfilter: nf_con...
|
242 |
} |
|
51091764f
netfilter: nf_con...
|
243 |
|
|
9fb9cbb10
[NETFILTER]: Add ...
|
244 |
/* These are for NAT. Icky. */ |
|
f9dd09c7f
netfilter: nf_nat...
|
245 246 247 |
extern s16 (*nf_ct_nat_offset)(const struct nf_conn *ct, enum ip_conntrack_dir dir, u32 seq); |
|
9fb9cbb10
[NETFILTER]: Add ...
|
248 |
|
|
9fb9cbb10
[NETFILTER]: Add ...
|
249 |
/* Fake conntrack entry for untracked connections */ |
|
b3c5163fe
netfilter: nf_con...
|
250 |
DECLARE_PER_CPU(struct nf_conn, nf_conntrack_untracked); |
|
5bfddbd46
netfilter: nf_con...
|
251 252 |
static inline struct nf_conn *nf_ct_untracked_get(void)
{
|
|
b3c5163fe
netfilter: nf_con...
|
253 |
return &__raw_get_cpu_var(nf_conntrack_untracked); |
|
5bfddbd46
netfilter: nf_con...
|
254 255 |
} extern void nf_ct_untracked_status_or(unsigned long bits); |
|
9fb9cbb10
[NETFILTER]: Add ...
|
256 |
|
|
9fb9cbb10
[NETFILTER]: Add ...
|
257 258 |
/* Iterate over all conntracks: if iter returns true, it's deleted. */ extern void |
|
400dad39d
netfilter: netns ...
|
259 |
nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data); |
|
9fb9cbb10
[NETFILTER]: Add ...
|
260 261 |
extern void nf_conntrack_free(struct nf_conn *ct); extern struct nf_conn * |
|
5d0aa2ccd
netfilter: nf_con...
|
262 |
nf_conntrack_alloc(struct net *net, u16 zone, |
|
5a1fb391d
netfilter: netns ...
|
263 |
const struct nf_conntrack_tuple *orig, |
|
b891c5a83
netfilter: nf_con...
|
264 265 |
const struct nf_conntrack_tuple *repl, gfp_t gfp); |
|
9fb9cbb10
[NETFILTER]: Add ...
|
266 |
|
|
b2a15a604
netfilter: nf_con...
|
267 268 269 270 |
static inline int nf_ct_is_template(const struct nf_conn *ct)
{
return test_bit(IPS_TEMPLATE_BIT, &ct->status);
}
|
|
9fb9cbb10
[NETFILTER]: Add ...
|
271 272 273 274 275 276 277 278 279 280 |
/* It's confirmed if it is, or has been in the hash table. */
static inline int nf_ct_is_confirmed(struct nf_conn *ct)
{
return test_bit(IPS_CONFIRMED_BIT, &ct->status);
}
static inline int nf_ct_is_dying(struct nf_conn *ct)
{
return test_bit(IPS_DYING_BIT, &ct->status);
}
|
|
5bfddbd46
netfilter: nf_con...
|
281 |
static inline int nf_ct_is_untracked(const struct nf_conn *ct) |
|
587aa6416
[NETFILTER]: Remo...
|
282 |
{
|
|
5bfddbd46
netfilter: nf_con...
|
283 |
return test_bit(IPS_UNTRACKED_BIT, &ct->status); |
|
587aa6416
[NETFILTER]: Remo...
|
284 |
} |
42c1edd34
netfilter: nf_nat...
|
285 286 287 288 289 |
/* Packet is received from loopback */
static inline bool nf_is_loopback_packet(const struct sk_buff *skb)
{
return skb->dev && skb->skb_iif && skb->dev->flags & IFF_LOOPBACK;
}
|
34641c6d0
nf_conntrack.h: f...
|
290 |
struct kernel_param; |
|
fae718dda
[NETFILTER]: nf_c...
|
291 |
extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp); |
|
9fb9cbb10
[NETFILTER]: Add ...
|
292 |
extern unsigned int nf_conntrack_htable_size; |
e478075c6
netfilter: nf_con...
|
293 |
extern unsigned int nf_conntrack_max; |
|
f682cefa5
netfilter: fix th...
|
294 295 |
extern unsigned int nf_conntrack_hash_rnd; void init_nf_conntrack_hash_rnd(void); |
|
9fb9cbb10
[NETFILTER]: Add ...
|
296 |
|
|
0d55af879
netfilter: netns ...
|
297 |
#define NF_CT_STAT_INC(net, count) \ |
4ea7334b6
this_cpu: Use thi...
|
298 |
__this_cpu_inc((net)->ct.stat->count) |
|
0d55af879
netfilter: netns ...
|
299 |
#define NF_CT_STAT_INC_ATOMIC(net, count) \ |
|
c0e912d7e
[NETFILTER]: nf_c...
|
300 301 |
do { \
local_bh_disable(); \
|
|
4ea7334b6
this_cpu: Use thi...
|
302 |
__this_cpu_inc((net)->ct.stat->count); \ |
|
c0e912d7e
[NETFILTER]: nf_c...
|
303 304 |
local_bh_enable(); \ } while (0) |
|
9fb9cbb10
[NETFILTER]: Add ...
|
305 |
|
|
4dc06f963
netfilter: nf_con...
|
306 307 |
#define MODULE_ALIAS_NFCT_HELPER(helper) \
MODULE_ALIAS("nfct-helper-" helper)
|
|
9fb9cbb10
[NETFILTER]: Add ...
|
308 |
#endif /* _NF_CONNTRACK_H */ |