[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 21:30:04 +00:00
/* Header file for kernel module to match connection tracking information.
* GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
*/
#ifndef _XT_CONNTRACK_H
#define _XT_CONNTRACK_H
#include <linux/types.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
/*
 * Bits of the state mask (statemask in struct xt_conntrack_info,
 * state_mask in struct xt_conntrack_mtinfo1 below).
 *
 * XT_CONNTRACK_STATE_BIT() maps a ctinfo value onto a bit in the range
 * 1..IP_CT_IS_REPLY. Note the operator precedence: '%' binds tighter than
 * '+', so the expression is ((ctinfo) % IP_CT_IS_REPLY) + 1. Presumably
 * IP_CT_IS_REPLY is the reply-direction offset of the ctinfo values, so a
 * reply-direction ctinfo lands on the same bit as its original-direction
 * counterpart — confirm against the conntrack header that defines it.
 * Bit 0 is never produced here; it is reserved for INVALID.
 */
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
/* Bit 0: packet has no valid conntrack state. */
#define XT_CONNTRACK_STATE_INVALID (1 << 0)

/*
 * Bits above the per-ctinfo range, placed relative to IP_CT_NUMBER (defined
 * outside this header).
 * NOTE(review): struct xt_conntrack_mtinfo1 stores state_mask as u_int8_t,
 * so these three bits are only representable there if IP_CT_NUMBER + 3 < 8;
 * verify that against the current IP_CT_NUMBER. The unsigned int statemask
 * of struct xt_conntrack_info has no such limit.
 */
#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
/* flags, invflags: which criteria the rule enables, and which of the
 * enabled criteria are negated. The first eight values fit the u_int8_t
 * flags/invflags of struct xt_conntrack_info; the full set needs the
 * u_int16_t match_flags/invert_flags of struct xt_conntrack_mtinfo1
 * (field correspondence by name — confirm in the match module). */
enum {
	XT_CONNTRACK_STATE        = 1 << 0,	/* state mask */
	XT_CONNTRACK_PROTO        = 1 << 1,	/* layer-4 protocol */
	/* Address criteria; mtinfo1 carries a matching *_addr/*_mask pair
	 * for each of these four. */
	XT_CONNTRACK_ORIGSRC      = 1 << 2,
	XT_CONNTRACK_ORIGDST      = 1 << 3,
	XT_CONNTRACK_REPLSRC      = 1 << 4,
	XT_CONNTRACK_REPLDST      = 1 << 5,
	XT_CONNTRACK_STATUS       = 1 << 6,	/* status mask */
	XT_CONNTRACK_EXPIRES      = 1 << 7,	/* expires_min..expires_max */
	/* From here on the values exceed an 8-bit flags word. Port criteria;
	 * mtinfo1 carries a matching __be16 *_port field for each. */
	XT_CONNTRACK_ORIGSRC_PORT = 1 << 8,
	XT_CONNTRACK_ORIGDST_PORT = 1 << 9,
	XT_CONNTRACK_REPLSRC_PORT = 1 << 10,
	XT_CONNTRACK_REPLDST_PORT = 1 << 11,
	/* No dedicated field in struct xt_conntrack_mtinfo1 — presumably
	 * evaluated from the packet's ctinfo direction; confirm in the
	 * match module. */
	XT_CONNTRACK_DIRECTION    = 1 << 12,
};
/* This is exposed to userspace, so remains frozen in time.
 * Older, IPv4-only tuple as embedded in struct xt_conntrack_info below:
 * src and dst each carry a 32-bit address and a single 16-bit layer-4
 * value; the protocol number is kept in dst only. The single-member
 * unions are part of the frozen layout — do not add, reorder or resize
 * members. */
struct ip_conntrack_old_tuple
{
	struct {
		/* IPv4 address; __be32 marks it as network byte order. */
		__be32 ip;
		union {
			/* Raw 16-bit layer-4 value (port, presumably — confirm
			 * against the match module). */
			__u16 all;
		} u;
	} src;

	struct {
		/* IPv4 address, network byte order. */
		__be32 ip;
		union {
			__u16 all;
		} u;

		/* The protocol. Layer-4 protocol number, widened to 16 bits
		 * here; struct xt_conntrack_mtinfo1 uses u_int16_t l4proto
		 * for the same purpose. */
		__u16 protonum;
	} dst;
};
/* Match data in the older, IPv4-only form: tuple[] uses
 * struct ip_conntrack_old_tuple and the netmasks are struct in_addr.
 * It embeds the tuple marked frozen above, so its layout is presumably
 * user-visible as well.
 * NOTE(review): expires_min/expires_max are unsigned long, whose width
 * differs between 32-bit and 64-bit builds, so this layout is not stable
 * across a 32-bit userspace / 64-bit kernel pair; struct
 * xt_conntrack_mtinfo1 below uses u_int32_t for the same fields. */
struct xt_conntrack_info
{
	/* statemask: XT_CONNTRACK_STATE_* bits (wide enough for all of them).
	 * statusmask: conntrack status bits, defined outside this header. */
	unsigned int statemask, statusmask;

	/* One tuple per conntrack direction (IP_CT_DIR_MAX entries). */
	struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
	/* Per-direction source/destination netmasks — presumably applied to
	 * the addresses before comparing with tuple[]; confirm in the match
	 * module. */
	struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];

	/* Bounds for the XT_CONNTRACK_EXPIRES criterion. */
	unsigned long expires_min, expires_max;

	/* Flags word: XT_CONNTRACK_* enum bits; 8 bits, so only the first
	 * eight enum values can be expressed here. */
	u_int8_t flags;
	/* Inverse flags: same bit layout, negates the corresponding criterion. */
	u_int8_t invflags;
};
/* Match data in the address-family-independent form (union nf_inet_addr
 * instead of struct in_addr) with fixed-width integer fields throughout,
 * so the layout does not depend on the word size.
 * NOTE(review): state_mask is 8 bits wide, but XT_CONNTRACK_STATE_SNAT,
 * _DNAT and _UNTRACKED above are 1 << (IP_CT_NUMBER + 1..3); unless
 * IP_CT_NUMBER + 3 < 8 those bits cannot be expressed through this struct.
 * Confirm against the current IP_CT_NUMBER.
 * NOTE(review): u_int8_t/u_int16_t/u_int32_t are the BSD-style typedefs;
 * struct ip_conntrack_old_tuple above uses the kernel's __u16/__be32 forms
 * from the included <linux/types.h>. */
struct xt_conntrack_mtinfo1 {
	/* Address/netmask pairs, one per XT_CONNTRACK_ORIGSRC,
	 * XT_CONNTRACK_ORIGDST, XT_CONNTRACK_REPLSRC and XT_CONNTRACK_REPLDST
	 * criterion (correspondence by name). */
	union nf_inet_addr origsrc_addr, origsrc_mask;
	union nf_inet_addr origdst_addr, origdst_mask;
	union nf_inet_addr replsrc_addr, replsrc_mask;
	union nf_inet_addr repldst_addr, repldst_mask;
	/* Bounds for XT_CONNTRACK_EXPIRES; fixed 32-bit, unlike the
	 * unsigned long fields of struct xt_conntrack_info. */
	u_int32_t expires_min, expires_max;
	/* Layer-4 protocol number for XT_CONNTRACK_PROTO. */
	u_int16_t l4proto;
	/* Ports for the XT_CONNTRACK_*_PORT criteria; __be16 marks them as
	 * network byte order. */
	__be16 origsrc_port, origdst_port;
	__be16 replsrc_port, repldst_port;
	/* match_flags: XT_CONNTRACK_* enum bits (16 bits, so the *_PORT and
	 * DIRECTION values fit). invert_flags: same layout, negates the
	 * corresponding criterion. */
	u_int16_t match_flags, invert_flags;
	/* state_mask: XT_CONNTRACK_STATE_* bits — see the width NOTE above.
	 * status_mask: conntrack status bits, defined outside this header. */
	u_int8_t state_mask, status_mask;
};
#endif /*_XT_CONNTRACK_H*/