patch-2.3.99-pre2 linux/include/linux/netfilter_ipv4/ip_conntrack.h
Next file: linux/include/linux/netfilter_ipv4/ip_conntrack_core.h
Previous file: linux/include/linux/netfilter_ipv4/compat_firewall.h
Back to the patch index
Back to the overall index
- Lines: 178
- Date:
Sat Mar 18 16:51:35 2000
- Orig file:
v2.3.99-pre1/linux/include/linux/netfilter_ipv4/ip_conntrack.h
- Orig date:
Wed Dec 31 16:00:00 1969
diff -u --recursive --new-file v2.3.99-pre1/linux/include/linux/netfilter_ipv4/ip_conntrack.h linux/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -0,0 +1,177 @@
+#ifndef _IP_CONNTRACK_H
+#define _IP_CONNTRACK_H
+/* Connection state tracking for netfilter. This is separated from,
+ but required by, the NAT layer; it can also be used by an iptables
+ extension. */
+
+#include <linux/config.h>
+#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
+
+enum ip_conntrack_info
+{
+ /* Part of an established connection (either direction). */
+ IP_CT_ESTABLISHED,
+
+ /* Like NEW, but related to an existing connection, or ICMP error
+ (in either direction). */
+ IP_CT_RELATED,
+
+ /* Started a new connection to track (only
+ IP_CT_DIR_ORIGINAL); may be a retransmission. */
+ IP_CT_NEW,
+
+ /* >= this indicates reply direction */
+ IP_CT_IS_REPLY,
+
+ /* Number of distinct IP_CT types (no NEW in reply dirn). */
+ IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+
+#ifdef __KERNEL__
+
+#include <linux/types.h>
+#include <linux/skbuff.h>
+
+#ifdef CONFIG_NF_DEBUG
+#define IP_NF_ASSERT(x) \
+do { \
+ if (!(x)) \
+ /* Wooah! I'm tripping my conntrack in a frenzy of \
+ netplay... */ \
+ printk("NF_IP_ASSERT: %s:%i(%s)\n", \
+ __FILE__, __LINE__, __FUNCTION__); \
+} while(0)
+#else
+#define IP_NF_ASSERT(x)
+#endif
+
+/* Bitset representing status of connection. */
+enum ip_conntrack_status {
+ /* It's an expected connection: bit 0 set. This bit never changed */
+ IPS_EXPECTED = 0x01,
+
+ /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
+ IPS_SEEN_REPLY = 0x02
+};
+
+struct ip_conntrack_expect
+{
+ /* Internal linked list */
+ struct list_head list;
+
+ /* We expect this tuple, but DON'T CARE ABOUT THE SOURCE
+ per-protocol part. */
+ struct ip_conntrack_tuple tuple;
+
+ /* The conntrack we are part of (set iff we're live) */
+ struct ip_conntrack *expectant;
+};
+
+#if defined(CONFIG_IP_NF_NAT) || defined(CONFIG_IP_NF_NAT_MODULE)
+#include <linux/netfilter_ipv4/ip_nat.h>
+#endif
+
+#if defined(CONFIG_IP_NF_FTP) || defined(CONFIG_IP_NF_FTP_MODULE)
+#include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
+#if defined(CONFIG_IP_NF_NAT) || defined(CONFIG_IP_NF_NAT_MODULE)
+#include <linux/netfilter_ipv4/ip_nat_ftp.h>
+#endif
+#endif
+
+struct ip_conntrack
+{
+ /* Usage count in here is 1 for destruct timer, 1 per skb,
+ plus 1 for any connection(s) we are `master' for */
+ struct nf_conntrack ct_general;
+
+ /* These are my tuples; original and reply */
+ struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
+
+ /* Have we seen traffic both ways yet? (bitset) */
+ unsigned int status;
+
+ /* Timer function; drops refcnt when it goes off. */
+ struct timer_list timeout;
+
+ /* If we're expecting another related connection, this will be
+ in expected linked list */
+ struct ip_conntrack_expect expected;
+
+ /* If we were expected by another connection, this will be it */
+ struct nf_ct_info master;
+
+ /* Helper, if any. */
+ struct ip_conntrack_helper *helper;
+
+ /* Our various nf_ct_info structs specify *what* relation this
+ packet has to the conntrack */
+ struct nf_ct_info infos[IP_CT_NUMBER];
+
+ /* Storage reserved for other modules: */
+
+ union {
+ int /*enum tcp_conntrack*/ tcp_state;
+ } proto;
+
+ union {
+#if defined(CONFIG_IP_NF_FTP) || defined(CONFIG_IP_NF_FTP_MODULE)
+ struct ip_ct_ftp ct_ftp_info;
+#endif
+ } help;
+
+#if defined(CONFIG_IP_NF_NAT) || defined(CONFIG_IP_NF_NAT_MODULE)
+ struct {
+ struct ip_nat_info info;
+ union {
+#if defined(CONFIG_IP_NF_FTP) || defined(CONFIG_IP_NF_FTP_MODULE)
+ struct ip_nat_ftp_info ftp_info[IP_CT_DIR_MAX];
+#endif
+ } help;
+#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
+ defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
+ int masq_index;
+#endif
+ } nat;
+#endif /* CONFIG_IP_NF_NAT || CONFIG_IP_NF_NAT_MODULE */
+
+};
+
+/* Alter reply tuple (maybe alter helper). If it's already taken,
+ return 0 and don't do alteration. */
+extern int
+ip_conntrack_alter_reply(struct ip_conntrack *conntrack,
+ const struct ip_conntrack_tuple *newreply);
+
+/* Is this tuple taken? (ignoring any belonging to the given
+ conntrack). */
+extern int
+ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple,
+ const struct ip_conntrack *ignored_conntrack);
+
+/* Return conntrack_info and tuple hash for given skb. */
+extern struct ip_conntrack *
+ip_conntrack_get(struct sk_buff *skb, enum ip_conntrack_info *ctinfo);
+
+extern struct module *ip_conntrack_module;
+
+extern int invert_tuplepr(struct ip_conntrack_tuple *inverse,
+ const struct ip_conntrack_tuple *orig);
+
+/* Refresh conntrack for this many jiffies */
+extern void ip_ct_refresh(struct ip_conntrack *ct,
+ unsigned long extra_jiffies);
+
+/* These are for NAT. Icky. */
+/* Call me when a conntrack is destroyed. */
+extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
+
+/* Returns new sk_buff, or NULL */
+struct sk_buff *
+ip_ct_gather_frags(struct sk_buff *skb);
+
+/* Delete all conntracks which match. */
+extern void
+ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data),
+ void *data);
+#endif /* __KERNEL__ */
+#endif /* _IP_CONNTRACK_H */
FUNET's LINUX-ADM group, linux-adm@nic.funet.fi
TCL-scripts by Sam Shen (who was at: slshen@lbl.gov)