Use nf_conntrack headers instead of ip_conntrack ones and add sanitized versions.

author Patrick McHardy <kaber@trash.net>

Wed, 18 Apr 2007 07:00:36 +0000 (07:00 +0000)

committer Patrick McHardy <kaber@trash.net>

Wed, 18 Apr 2007 07:00:36 +0000 (07:00 +0000)
author Patrick McHardy <kaber@trash.net>
Wed, 18 Apr 2007 07:00:36 +0000 (07:00 +0000)
committer Patrick McHardy <kaber@trash.net>
Wed, 18 Apr 2007 07:00:36 +0000 (07:00 +0000)
diff --git a/extensions/libip6t_state.c b/extensions/libip6t_state.c

index 84fd1a4343e7914c6cb09ae57ed985c529c621f9..a4477cecddbb25d35787498b1cdb9ed5bedaf53b 100644 (file)
--- a/extensions/libip6t_state.c
+++ b/extensions/libip6t_state.c
@@ -5,7 +5,7 @@
  #include <stdlib.h>
  #include <getopt.h>
  #include <ip6tables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
  #include <linux/netfilter_ipv4/ipt_state.h>
  
  #ifndef IPT_STATE_UNTRACKED
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c

index bdc15eb836cefbea2f9afa4afc308e3e381e3193..3cf839e6721e81ae616b3dd453ca970f01bc86e3 100644 (file)
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -6,7 +6,7 @@
  #include <getopt.h>
  #include <iptables.h>
  #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
  
  /* Dest NAT data consists of a multi-range, indicating where to map
     to. */
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c

index e06333abae821cc5c69d7e3c69184bee0b45b591..48cff9a8412fa477e3998dba77f55f11829bad9c 100644 (file)
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -6,7 +6,7 @@
  #include <getopt.h>
  #include <iptables.h>
  #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
  
  /* Function which prints out usage message. */
  static void
diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c

index 8cecb4d35e5cd3894bf0eaccd2abf268c8f510af..4b4b14dd075c31219f78386d04545c1fe4ef1c29 100644 (file)
--- a/extensions/libipt_NETMAP.c
+++ b/extensions/libipt_NETMAP.c
@@ -9,7 +9,7 @@
  #include <getopt.h>
  #include <iptables.h>
  #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
  
  #define MODULENAME "NETMAP"
  
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c

index 13195b0c000d60c45f0f14dccfc93d86b82e573c..c94bb592e570be628dcfa52f02cf7415a4afc9da 100644 (file)
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -6,7 +6,7 @@
  #include <getopt.h>
  #include <iptables.h>
  #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
  
  /* Function which prints out usage message. */
  static void
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c

index 625a78a74f06b15775baf285b43c181f2129a739..4bbed90865dffc724ddbcea3de5d6386f5369a08 100644 (file)
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -6,7 +6,7 @@
  #include <getopt.h>
  #include <iptables.h>
  #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
  /* For 64bit kernel / 32bit userspace */
  #include "../include/linux/netfilter_ipv4/ipt_SAME.h"
  
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c

index 36147397a71b16ff1260108421839f27abee58fb..d52c1810c772d824975946fb986b188d489f0d3b 100644 (file)
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -6,7 +6,7 @@
  #include <getopt.h>
  #include <iptables.h>
  #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
  
  #define IPT_SNAT_OPT_SOURCE 0x01
  #ifdef IP_NAT_RANGE_PROTO_RANDOM
diff --git a/extensions/libipt_connbytes.c b/extensions/libipt_connbytes.c

index 42e1ab5794865625e46dc5f0d58fb941cd80cc54..f6439c2d1835ad2c5fee7f1a6a4a8667f34fa10e 100644 (file)
--- a/extensions/libipt_connbytes.c
+++ b/extensions/libipt_connbytes.c
@@ -5,7 +5,7 @@
  #include <stdlib.h>
  #include <getopt.h>
  #include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
  #include <linux/netfilter_ipv4/ipt_connbytes.h>
  
  /* Function which prints out usage message. */
diff --git a/extensions/libipt_connrate.c b/extensions/libipt_connrate.c

index 47c5fcbb55d85397c6705afd59bf3153ffe5892a..5abe3c4d4fa4b58134319708b48550f8105201e3 100644 (file)
--- a/extensions/libipt_connrate.c
+++ b/extensions/libipt_connrate.c
@@ -13,7 +13,7 @@
  #include <stdlib.h>
  #include <getopt.h>
  #include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
  #include <linux/netfilter_ipv4/ipt_connrate.h>
  
  /* Function which prints out usage message. */
diff --git a/extensions/libipt_conntrack.c b/extensions/libipt_conntrack.c

index cdb86c4eeb7051bbe135e85b67427515731195ab..f187e41d9409b83b58a373a0e3df359fc57b1875 100644 (file)
--- a/extensions/libipt_conntrack.c
+++ b/extensions/libipt_conntrack.c
@@ -9,7 +9,7 @@
  #include <getopt.h>
  #include <ctype.h>
  #include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
  #include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
  /* For 64bit kernel / 32bit userspace */
  #include "../include/linux/netfilter_ipv4/ipt_conntrack.h"
diff --git a/extensions/libipt_state.c b/extensions/libipt_state.c

index acafe9a79709c5a6718cf49695e27bfc8ae44216..6a784ffce1abf4d97da83bc1fced160b22e6dc12 100644 (file)
--- a/extensions/libipt_state.c
+++ b/extensions/libipt_state.c
@@ -5,7 +5,7 @@
  #include <stdlib.h>
  #include <getopt.h>
  #include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
  #include <linux/netfilter_ipv4/ipt_state.h>
  
  #ifndef IPT_STATE_UNTRACKED
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h

new file mode 100644 (file)

index 0000000..3b452a6
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -0,0 +1,135 @@
+#ifndef _NF_CONNTRACK_COMMON_H
+#define _NF_CONNTRACK_COMMON_H
+/* Connection state tracking for netfilter.  This is separated from,
+   but required by, the NAT layer; it can also be used by an iptables
+   extension. */
+enum ip_conntrack_info
+{
+       /* Part of an established connection (either direction). */
+       IP_CT_ESTABLISHED,
+
+       /* Like NEW, but related to an existing connection, or ICMP error
+          (in either direction). */
+       IP_CT_RELATED,
+
+       /* Started a new connection to track (only
+           IP_CT_DIR_ORIGINAL); may be a retransmission. */
+       IP_CT_NEW,
+
+       /* >= this indicates reply direction */
+       IP_CT_IS_REPLY,
+
+       /* Number of distinct IP_CT types (no NEW in reply dirn). */
+       IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+
+/* Bitset representing status of connection. */
+enum ip_conntrack_status {
+       /* It's an expected connection: bit 0 set.  This bit never changed */
+       IPS_EXPECTED_BIT = 0,
+       IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+
+       /* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
+       IPS_SEEN_REPLY_BIT = 1,
+       IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+
+       /* Conntrack should never be early-expired. */
+       IPS_ASSURED_BIT = 2,
+       IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+
+       /* Connection is confirmed: originating packet has left box */
+       IPS_CONFIRMED_BIT = 3,
+       IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+
+       /* Connection needs src nat in orig dir.  This bit never changed. */
+       IPS_SRC_NAT_BIT = 4,
+       IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+
+       /* Connection needs dst nat in orig dir.  This bit never changed. */
+       IPS_DST_NAT_BIT = 5,
+       IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+
+       /* Both together. */
+       IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+
+       /* Connection needs TCP sequence adjusted. */
+       IPS_SEQ_ADJUST_BIT = 6,
+       IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+
+       /* NAT initialization bits. */
+       IPS_SRC_NAT_DONE_BIT = 7,
+       IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+
+       IPS_DST_NAT_DONE_BIT = 8,
+       IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+
+       /* Both together */
+       IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+
+       /* Connection is dying (removed from lists), can not be unset. */
+       IPS_DYING_BIT = 9,
+       IPS_DYING = (1 << IPS_DYING_BIT),
+
+       /* Connection has fixed timeout. */
+       IPS_FIXED_TIMEOUT_BIT = 10,
+       IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+};
+
+/* Connection tracking event bits */
+enum ip_conntrack_events
+{
+       /* New conntrack */
+       IPCT_NEW_BIT = 0,
+       IPCT_NEW = (1 << IPCT_NEW_BIT),
+
+       /* Expected connection */
+       IPCT_RELATED_BIT = 1,
+       IPCT_RELATED = (1 << IPCT_RELATED_BIT),
+
+       /* Destroyed conntrack */
+       IPCT_DESTROY_BIT = 2,
+       IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
+
+       /* Timer has been refreshed */
+       IPCT_REFRESH_BIT = 3,
+       IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
+
+       /* Status has changed */
+       IPCT_STATUS_BIT = 4,
+       IPCT_STATUS = (1 << IPCT_STATUS_BIT),
+
+       /* Update of protocol info */
+       IPCT_PROTOINFO_BIT = 5,
+       IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
+
+       /* Volatile protocol info */
+       IPCT_PROTOINFO_VOLATILE_BIT = 6,
+       IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
+
+       /* New helper for conntrack */
+       IPCT_HELPER_BIT = 7,
+       IPCT_HELPER = (1 << IPCT_HELPER_BIT),
+
+       /* Update of helper info */
+       IPCT_HELPINFO_BIT = 8,
+       IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
+
+       /* Volatile helper info */
+       IPCT_HELPINFO_VOLATILE_BIT = 9,
+       IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
+
+       /* NAT info */
+       IPCT_NATINFO_BIT = 10,
+       IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
+
+       /* Counter highest bit has been set */
+       IPCT_COUNTER_FILLING_BIT = 11,
+       IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
+};
+
+enum ip_conntrack_expect_events {
+       IPEXP_NEW_BIT = 0,
+       IPEXP_NEW = (1 << IPEXP_NEW_BIT),
+};
+
+#endif /* _NF_CONNTRACK_COMMON_H */
diff --git a/include/linux/netfilter/nf_conntrack_tuple.h b/include/linux/netfilter/nf_conntrack_tuple.h

new file mode 100644 (file)

index 0000000..cd5044e
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_tuple.h
@@ -0,0 +1,103 @@
+/*
+ * Definitions and Declarations for tuple.
+ *
+ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
+ *     - generalize L3 protocol dependent part.
+ *
+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h
+ */
+
+#ifndef _NF_CONNTRACK_TUPLE_H
+#define _NF_CONNTRACK_TUPLE_H
+
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+/* A `tuple' is a structure containing the information to uniquely
+  identify a connection.  ie. if two packets have the same tuple, they
+  are in the same connection; if not, they are not.
+
+  We divide the structure along "manipulatable" and
+  "non-manipulatable" lines, for the benefit of the NAT code.
+*/
+
+#define NF_CT_TUPLE_L3SIZE     4
+
+/* The l3 protocol-specific manipulable parts of the tuple: always in
+   network order! */
+union nf_conntrack_address {
+       u_int32_t all[NF_CT_TUPLE_L3SIZE];
+       __be32 ip;
+       __be32 ip6[4];
+};
+
+/* The protocol-specific manipulable parts of the tuple: always in
+   network order! */
+union nf_conntrack_man_proto
+{
+       /* Add other protocols here. */
+       u_int16_t all;
+
+       struct {
+               __be16 port;
+       } tcp;
+       struct {
+               __be16 port;
+       } udp;
+       struct {
+               __be16 id;
+       } icmp;
+       struct {
+               __be16 port;
+       } sctp;
+       struct {
+               __be16 key;     /* GRE key is 32bit, PPtP only uses 16bit */
+       } gre;
+};
+
+/* The manipulable part of the tuple. */
+struct nf_conntrack_man
+{
+       union nf_conntrack_address u3;
+       union nf_conntrack_man_proto u;
+       /* Layer 3 protocol */
+       u_int16_t l3num;
+};
+
+/* This contains the information to distinguish a connection. */
+struct nf_conntrack_tuple
+{
+       struct nf_conntrack_man src;
+
+       /* These are the parts of the tuple which are fixed. */
+       struct {
+               union nf_conntrack_address u3;
+               union {
+                       /* Add other protocols here. */
+                       u_int16_t all;
+
+                       struct {
+                               __be16 port;
+                       } tcp;
+                       struct {
+                               __be16 port;
+                       } udp;
+                       struct {
+                               u_int8_t type, code;
+                       } icmp;
+                       struct {
+                               __be16 port;
+                       } sctp;
+                       struct {
+                               __be16 key;
+                       } gre;
+               } u;
+
+               /* The protocol. */
+               u_int8_t protonum;
+
+               /* The direction (for tuplehash) */
+               u_int8_t dir;
+       } dst;
+};
+
+#endif /* _NF_CONNTRACK_TUPLE_H */
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h

new file mode 100644 (file)

index 0000000..8e145f0
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
@@ -0,0 +1,13 @@
+#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
+#define _NF_CONNTRACK_TUPLE_COMMON_H
+
+enum ip_conntrack_dir
+{
+       IP_CT_DIR_ORIGINAL,
+       IP_CT_DIR_REPLY,
+       IP_CT_DIR_MAX
+};
+
+#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
+
+#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
diff --git a/include/linux/netfilter/nf_nat.h b/include/linux/netfilter/nf_nat.h

new file mode 100644 (file)

index 0000000..5d3b5e0
--- /dev/null
+++ b/include/linux/netfilter/nf_nat.h
@@ -0,0 +1,45 @@
+#ifndef _NF_NAT_H
+#define _NF_NAT_H
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/nf_conntrack_tuple.h>
+
+#define NF_NAT_MAPPING_TYPE_MAX_NAMELEN 16
+
+enum nf_nat_manip_type
+{
+       IP_NAT_MANIP_SRC,
+       IP_NAT_MANIP_DST
+};
+
+/* SRC manip occurs POST_ROUTING or LOCAL_IN */
+#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN)
+
+#define IP_NAT_RANGE_MAP_IPS 1
+#define IP_NAT_RANGE_PROTO_SPECIFIED 2
+#define IP_NAT_RANGE_PROTO_RANDOM 4
+
+/* Single range specification. */
+struct nf_nat_range
+{
+       /* Set to OR of flags above. */
+       unsigned int flags;
+
+       /* Inclusive: network order. */
+       __be32 min_ip, max_ip;
+
+       /* Inclusive: network order */
+       union nf_conntrack_man_proto min, max;
+};
+
+/* For backwards compat: don't use in modern code. */
+struct nf_nat_multi_range_compat
+{
+       unsigned int rangesize; /* Must be 1. */
+
+       /* hangs off end. */
+       struct nf_nat_range range[1];
+};
+
+#define ip_nat_range nf_nat_range
+#define ip_nat_multi_range nf_nat_multi_range_compat
+#endif
diff --git a/include/linux/netfilter_ipv4/ipt_conntrack.h b/include/linux/netfilter_ipv4/ipt_conntrack.h

index 9f074c6d43452c909e1a1a864417c3fee48bd6ff..c8661b88b0be1b7048d9ab3ba1dd440523114aac 100644 (file)
--- a/include/linux/netfilter_ipv4/ipt_conntrack.h
+++ b/include/linux/netfilter_ipv4/ipt_conntrack.h
@@ -5,7 +5,7 @@
  #ifndef _IPT_CONNTRACK_H
  #define _IPT_CONNTRACK_H
  
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
  
  /* backwards compatibility crap. only exists in userspace - HW */
  #include <linux/version.h>
author	Patrick McHardy <kaber@trash.net>
	Wed, 18 Apr 2007 07:00:36 +0000 (07:00 +0000)
committer	Patrick McHardy <kaber@trash.net>
	Wed, 18 Apr 2007 07:00:36 +0000 (07:00 +0000)
extensions/libip6t_state.c		patch \| blob \| blame \| history
extensions/libipt_DNAT.c		patch \| blob \| blame \| history
extensions/libipt_MASQUERADE.c		patch \| blob \| blame \| history
extensions/libipt_NETMAP.c		patch \| blob \| blame \| history
extensions/libipt_REDIRECT.c		patch \| blob \| blame \| history
extensions/libipt_SAME.c		patch \| blob \| blame \| history
extensions/libipt_SNAT.c		patch \| blob \| blame \| history
extensions/libipt_connbytes.c		patch \| blob \| blame \| history
extensions/libipt_connrate.c		patch \| blob \| blame \| history
extensions/libipt_conntrack.c		patch \| blob \| blame \| history
extensions/libipt_state.c		patch \| blob \| blame \| history
include/linux/netfilter/nf_conntrack_common.h	[new file with mode: 0644]	patch \| blob
include/linux/netfilter/nf_conntrack_tuple.h	[new file with mode: 0644]	patch \| blob
include/linux/netfilter/nf_conntrack_tuple_common.h	[new file with mode: 0644]	patch \| blob
include/linux/netfilter/nf_nat.h	[new file with mode: 0644]	patch \| blob
include/linux/netfilter_ipv4/ipt_conntrack.h		patch \| blob \| blame \| history