[NETFILTER]: Add ctnetlink subsystem

Add ctnetlink subsystem for userspace-access to ip_conntrack table. This allows reading and updating of existing entries, as well as creating new ones (and new expect's) via nfnetlink. Please note the 'strange' byte order: nfattr (tag+length) are in host byte order, while the payload is always guaranteed to be in network byte order. This allows a simple userspace process to encapsulate netlink messages into arch-independent udp packets by just processing/swapping the headers and not knowing anything about the actual payload. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Harald Welte <laforge@netfilter.org> 2005-08-09 22:32:58 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2005-08-29 18:31:49 -0400
commit: 080774a243f56ce2195ace96fba3d18548ee48ce (patch)
tree: 2065041cb2b85891ca45648122122796122c38dc /include
parent: 6f1cf16582160c4839f05007c978743911aa022b (diff)
7 files changed, 210 insertions, 18 deletions
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 8f1bfb8d650b..ace7a7be0742 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -56,7 +56,7 @@ struct nfgenmsg {
        u_int16_t res_id;               /* resource id */
 } __attribute__ ((packed));
-#define NFNETLINK_V1    1
+#define NFNETLINK_V0    0
 #define NFM_NFA(n)      ((struct nfattr *)(((char *)(n)) \
        + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
@@ -81,6 +81,7 @@ enum nfnl_subsys_id {
 #ifdef __KERNEL__
+#include <linux/netlink.h>
 #include <linux/capability.h>
 struct nfnl_callback
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
new file mode 100644
index 000000000000..fb528e0e3bd9
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -0,0 +1,123 @@
+#ifndef _IPCONNTRACK_NETLINK_H
+#define _IPCONNTRACK_NETLINK_H
+#include <linux/netfilter/nfnetlink.h>
+enum cntl_msg_types {
+        IPCTNL_MSG_CT_NEW,
+        IPCTNL_MSG_CT_GET,
+        IPCTNL_MSG_CT_DELETE,
+        IPCTNL_MSG_CT_GET_CTRZERO,
+        IPCTNL_MSG_MAX
+};
+enum ctnl_exp_msg_types {
+        IPCTNL_MSG_EXP_NEW,
+        IPCTNL_MSG_EXP_GET,
+        IPCTNL_MSG_EXP_DELETE,
+        IPCTNL_MSG_EXP_MAX
+};
+enum ctattr_type {
+        CTA_UNSPEC,
+        CTA_TUPLE_ORIG,
+        CTA_TUPLE_REPLY,
+        CTA_STATUS,
+        CTA_PROTOINFO,
+        CTA_HELP,
+        CTA_NAT,
+        CTA_TIMEOUT,
+        CTA_MARK,
+        CTA_COUNTERS_ORIG,
+        CTA_COUNTERS_REPLY,
+        CTA_USE,
+        CTA_EXPECT,
+        CTA_ID,
+        __CTA_MAX
+};
+#define CTA_MAX (__CTA_MAX - 1)
+enum ctattr_tuple {
+        CTA_TUPLE_UNSPEC,
+        CTA_TUPLE_IP,
+        CTA_TUPLE_PROTO,
+        __CTA_TUPLE_MAX
+};
+#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)
+enum ctattr_ip {
+        CTA_IP_UNSPEC,
+        CTA_IP_V4_SRC,
+        CTA_IP_V4_DST,
+        CTA_IP_V6_SRC,
+        CTA_IP_V6_DST,
+        __CTA_IP_MAX
+};
+#define CTA_IP_MAX (__CTA_IP_MAX - 1)
+enum ctattr_l4proto {
+        CTA_PROTO_UNSPEC,
+        CTA_PROTO_NUM,
+        CTA_PROTO_SRC_PORT,
+        CTA_PROTO_DST_PORT,
+        CTA_PROTO_ICMP_ID,
+        CTA_PROTO_ICMP_TYPE,
+        CTA_PROTO_ICMP_CODE,
+        __CTA_PROTO_MAX
+};
+#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)
+enum ctattr_protoinfo {
+        CTA_PROTOINFO_UNSPEC,
+        CTA_PROTOINFO_TCP_STATE,
+        __CTA_PROTOINFO_MAX
+};
+#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
+enum ctattr_counters {
+        CTA_COUNTERS_UNSPEC,
+        CTA_COUNTERS_PACKETS,
+        CTA_COUNTERS_BYTES,
+        __CTA_COUNTERS_MAX
+};
+#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
+enum ctattr_nat {
+        CTA_NAT_UNSPEC,
+        CTA_NAT_MINIP,
+        CTA_NAT_MAXIP,
+        CTA_NAT_PROTO,
+        __CTA_NAT_MAX
+};
+#define CTA_NAT_MAX (__CTA_NAT_MAX - 1)
+enum ctattr_protonat {
+        CTA_PROTONAT_UNSPEC,
+        CTA_PROTONAT_PORT_MIN,
+        CTA_PROTONAT_PORT_MAX,
+        __CTA_PROTONAT_MAX
+};
+#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1)
+enum ctattr_expect {
+        CTA_EXPECT_UNSPEC,
+        CTA_EXPECT_TUPLE,
+        CTA_EXPECT_MASK,
+        CTA_EXPECT_TIMEOUT,
+        CTA_EXPECT_ID,
+        __CTA_EXPECT_MAX
+};
+#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
+enum ctattr_help {
+        CTA_HELP_UNSPEC,
+        CTA_HELP_NAME,
+        __CTA_HELP_MAX
+};
+#define CTA_HELP_MAX (__CTA_HELP_MAX - 1)
+#define CTA_HELP_MAXNAMESIZE    32
+#endif /* _IPCONNTRACK_NETLINK_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index ae1270c97b50..ff2c1c6001f9 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -209,6 +209,9 @@ struct ip_conntrack
        /* Current number of expected connections */
        unsigned int expecting;
+        /* Unique ID that identifies this conntrack*/
+        unsigned int id;
        /* Helper, if any. */
        struct ip_conntrack_helper *helper;
@@ -257,6 +260,9 @@ struct ip_conntrack_expect
        /* Usage count. */
        atomic_t use;
+        /* Unique ID */
+        unsigned int id;
 #ifdef CONFIG_IP_NF_NAT_NEEDED
        /* This is the original per-proto part, used to map the
         * expected connection the way the recipient expects. */
@@ -296,7 +302,12 @@ ip_conntrack_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
 }
 /* decrement reference count on a conntrack */
-extern void ip_conntrack_put(struct ip_conntrack *ct);
+static inline void
+ip_conntrack_put(struct ip_conntrack *ct)
+{
+        IP_NF_ASSERT(ct);
+        nf_conntrack_put(&ct->ct_general);
+}
 /* call to create an explicit dependency on ip_conntrack. */
 extern void need_ip_conntrack(void);
@@ -331,6 +342,39 @@ extern void
 ip_ct_iterate_cleanup(int (*iter)(struct ip_conntrack *i, void *data),
                      void *data);
+extern struct ip_conntrack_helper *
+__ip_conntrack_helper_find_byname(const char *);
+extern struct ip_conntrack_helper *
+ip_conntrack_helper_find_get(const struct ip_conntrack_tuple *tuple);
+extern void ip_conntrack_helper_put(struct ip_conntrack_helper *helper);
+extern struct ip_conntrack_protocol *
+__ip_conntrack_proto_find(u_int8_t protocol);
+extern struct ip_conntrack_protocol *
+ip_conntrack_proto_find_get(u_int8_t protocol);
+extern void ip_conntrack_proto_put(struct ip_conntrack_protocol *proto);
+extern void ip_ct_remove_expectations(struct ip_conntrack *ct);
+extern struct ip_conntrack *ip_conntrack_alloc(struct ip_conntrack_tuple *,
+                                               struct ip_conntrack_tuple *);
+extern void ip_conntrack_free(struct ip_conntrack *ct);
+extern void ip_conntrack_hash_insert(struct ip_conntrack *ct);
+extern struct ip_conntrack_expect *
+__ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple);
+extern struct ip_conntrack_expect *
+ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple);
+extern struct ip_conntrack_tuple_hash *
+__ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
+                    const struct ip_conntrack *ignored_conntrack);
+extern void ip_conntrack_flush(void);
 /* It's confirmed if it is, or has been in the hash table. */
 static inline int is_confirmed(struct ip_conntrack *ct)
 {
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h b/include/linux/netfilter_ipv4/ip_conntrack_core.h
index 46eeea1e2733..fbf6c3e41647 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_core.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h
@@ -2,6 +2,9 @@
 #define _IP_CONNTRACK_CORE_H
 #include <linux/netfilter.h>
+#define MAX_IP_CT_PROTO 256
+extern struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO];
 /* This header is used to share core functionality between the
   standalone connection tracking module, and the compatibility layer's use
   of connection tracking. */
@@ -53,6 +56,8 @@ struct ip_conntrack_ecache;
 extern void __ip_ct_deliver_cached_events(struct ip_conntrack_ecache *ec);
 #endif
+extern void __ip_ct_expect_unlink_destroy(struct ip_conntrack_expect *exp);
 extern struct list_head *ip_conntrack_hash;
 extern struct list_head ip_conntrack_expect_list;
 extern rwlock_t ip_conntrack_lock;
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_helper.h b/include/linux/netfilter_ipv4/ip_conntrack_helper.h
index 3692daa93dec..8d69279ccfe4 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_helper.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_helper.h
@@ -24,6 +24,8 @@ struct ip_conntrack_helper
        int (*help)(struct sk_buff **pskb,
                    struct ip_conntrack *ct,
                    enum ip_conntrack_info conntrackinfo);
+        int (*to_nfattr)(struct sk_buff *skb, const struct ip_conntrack *ct);
 };
 extern int ip_conntrack_helper_register(struct ip_conntrack_helper *);
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
index e20b57c5e1b7..b6b99be8632a 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
@@ -2,6 +2,7 @@
 #ifndef _IP_CONNTRACK_PROTOCOL_H
 #define _IP_CONNTRACK_PROTOCOL_H
 #include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nfnetlink_conntrack.h>
 struct seq_file;
@@ -47,22 +48,22 @@ struct ip_conntrack_protocol
        int (*error)(struct sk_buff *skb, enum ip_conntrack_info *ctinfo,
                     unsigned int hooknum);
+        /* convert protoinfo to nfnetink attributes */
+        int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa,
+                         const struct ip_conntrack *ct);
+        int (*tuple_to_nfattr)(struct sk_buff *skb,
+                               const struct ip_conntrack_tuple *t);
+        int (*nfattr_to_tuple)(struct nfattr *tb[],
+                               struct ip_conntrack_tuple *t);
        /* Module (if any) which this is connected to. */
        struct module *me;
 };
-#define MAX_IP_CT_PROTO 256
-extern struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO];
 /* Protocol registration. */
 extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto);
 extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto);
-static inline struct ip_conntrack_protocol *ip_ct_find_proto(u_int8_t protocol)
-{
-        return ip_ct_protos[protocol];
-}
 /* Existing built-in protocols */
 extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp;
 extern struct ip_conntrack_protocol ip_conntrack_protocol_udp;
@@ -73,6 +74,11 @@ extern int ip_conntrack_protocol_tcp_init(void);
 /* Log invalid packets */
 extern unsigned int ip_ct_log_invalid;
+extern int ip_ct_port_tuple_to_nfattr(struct sk_buff *,
+                                      const struct ip_conntrack_tuple *);
+extern int ip_ct_port_nfattr_to_tuple(struct nfattr *tb[],
+                                      struct ip_conntrack_tuple *);
 #ifdef CONFIG_SYSCTL
 #ifdef DEBUG_INVALID_PACKETS
 #define LOG_INVALID(proto) \
diff --git a/include/linux/netfilter_ipv4/ip_nat_protocol.h b/include/linux/netfilter_ipv4/ip_nat_protocol.h
index 129708c22386..ef63aa991a06 100644
--- a/include/linux/netfilter_ipv4/ip_nat_protocol.h
+++ b/include/linux/netfilter_ipv4/ip_nat_protocol.h
@@ -4,6 +4,9 @@
 #include <linux/init.h>
 #include <linux/list.h>
+#include <linux/netfilter_ipv4/ip_nat.h>
+#include <linux/netfilter/nfnetlink_conntrack.h>
 struct iphdr;
 struct ip_nat_range;
@@ -15,6 +18,8 @@ struct ip_nat_protocol
        /* Protocol number. */
        unsigned int protonum;
+        struct module *me;
        /* Translate a packet to the target according to manip type.
           Return true if succeeded. */
        int (*manip_pkt)(struct sk_buff **pskb,
@@ -43,19 +48,20 @@ struct ip_nat_protocol
        unsigned int (*print_range)(char *buffer,
                                    const struct ip_nat_range *range);
-};
-#define MAX_IP_NAT_PROTO 256
+        int (*range_to_nfattr)(struct sk_buff *skb,
-extern struct ip_nat_protocol *ip_nat_protos[MAX_IP_NAT_PROTO];
+                               const struct ip_nat_range *range);
+        int (*nfattr_to_range)(struct nfattr *tb[],
+                               struct ip_nat_range *range);
+};
 /* Protocol registration. */
 extern int ip_nat_protocol_register(struct ip_nat_protocol *proto);
 extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto);
-static inline struct ip_nat_protocol *ip_nat_find_proto(u_int8_t protocol)
+extern struct ip_nat_protocol *ip_nat_proto_find_get(u_int8_t protocol);
-{
+extern void ip_nat_proto_put(struct ip_nat_protocol *proto);
-        return ip_nat_protos[protocol];
-}
 /* Built-in protocols. */
 extern struct ip_nat_protocol ip_nat_protocol_tcp;
@@ -67,4 +73,9 @@ extern int init_protocols(void) __init;
 extern void cleanup_protocols(void);
 extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum);
+extern int ip_nat_port_range_to_nfattr(struct sk_buff *skb,
+                                       const struct ip_nat_range *range);
+extern int ip_nat_port_nfattr_to_range(struct nfattr *tb[],
+                                       struct ip_nat_range *range);
 #endif /*_IP_NAT_PROTO_H*/
author	Harald Welte <laforge@netfilter.org>	2005-08-09 22:32:58 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2005-08-29 18:31:49 -0400
commit	080774a243f56ce2195ace96fba3d18548ee48ce (patch)
tree	2065041cb2b85891ca45648122122796122c38dc /include
parent	6f1cf16582160c4839f05007c978743911aa022b (diff)

diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 8f1bfb8d650b..ace7a7be0742 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h
@@ -56,7 +56,7 @@ struct nfgenmsg {
56	u_int16_t res_id; /* resource id */	56	u_int16_t res_id; /* resource id */
57	} __attribute__ ((packed));	57	} __attribute__ ((packed));
58		58
59	#define NFNETLINK_V1 1	59	#define NFNETLINK_V0 0
60		60
61	#define NFM_NFA(n) ((struct nfattr )(((char )(n)) \	61	#define NFM_NFA(n) ((struct nfattr )(((char )(n)) \
62	+ NLMSG_ALIGN(sizeof(struct nfgenmsg))))	62	+ NLMSG_ALIGN(sizeof(struct nfgenmsg))))
@@ -81,6 +81,7 @@ enum nfnl_subsys_id {
81		81
82	#ifdef __KERNEL__	82	#ifdef __KERNEL__
83		83
		84	#include <linux/netlink.h>
84	#include <linux/capability.h>	85	#include <linux/capability.h>
85		86
86	struct nfnl_callback	87	struct nfnl_callback


diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h new file mode 100644 index 000000000000..fb528e0e3bd9 --- /dev/null +++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -0,0 +1,123 @@
		1	#ifndef _IPCONNTRACK_NETLINK_H
		2	#define _IPCONNTRACK_NETLINK_H
		3	#include <linux/netfilter/nfnetlink.h>
		4
		5	enum cntl_msg_types {
		6	IPCTNL_MSG_CT_NEW,
		7	IPCTNL_MSG_CT_GET,
		8	IPCTNL_MSG_CT_DELETE,
		9	IPCTNL_MSG_CT_GET_CTRZERO,
		10
		11	IPCTNL_MSG_MAX
		12	};
		13
		14	enum ctnl_exp_msg_types {
		15	IPCTNL_MSG_EXP_NEW,
		16	IPCTNL_MSG_EXP_GET,
		17	IPCTNL_MSG_EXP_DELETE,
		18
		19	IPCTNL_MSG_EXP_MAX
		20	};
		21
		22
		23	enum ctattr_type {
		24	CTA_UNSPEC,
		25	CTA_TUPLE_ORIG,
		26	CTA_TUPLE_REPLY,
		27	CTA_STATUS,
		28	CTA_PROTOINFO,
		29	CTA_HELP,
		30	CTA_NAT,
		31	CTA_TIMEOUT,
		32	CTA_MARK,
		33	CTA_COUNTERS_ORIG,
		34	CTA_COUNTERS_REPLY,
		35	CTA_USE,
		36	CTA_EXPECT,
		37	CTA_ID,
		38	__CTA_MAX
		39	};
		40	#define CTA_MAX (__CTA_MAX - 1)
		41
		42	enum ctattr_tuple {
		43	CTA_TUPLE_UNSPEC,
		44	CTA_TUPLE_IP,
		45	CTA_TUPLE_PROTO,
		46	__CTA_TUPLE_MAX
		47	};
		48	#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)
		49
		50	enum ctattr_ip {
		51	CTA_IP_UNSPEC,
		52	CTA_IP_V4_SRC,
		53	CTA_IP_V4_DST,
		54	CTA_IP_V6_SRC,
		55	CTA_IP_V6_DST,
		56	__CTA_IP_MAX
		57	};
		58	#define CTA_IP_MAX (__CTA_IP_MAX - 1)
		59
		60	enum ctattr_l4proto {
		61	CTA_PROTO_UNSPEC,
		62	CTA_PROTO_NUM,
		63	CTA_PROTO_SRC_PORT,
		64	CTA_PROTO_DST_PORT,
		65	CTA_PROTO_ICMP_ID,
		66	CTA_PROTO_ICMP_TYPE,
		67	CTA_PROTO_ICMP_CODE,
		68	__CTA_PROTO_MAX
		69	};
		70	#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)
		71
		72	enum ctattr_protoinfo {
		73	CTA_PROTOINFO_UNSPEC,
		74	CTA_PROTOINFO_TCP_STATE,
		75	__CTA_PROTOINFO_MAX
		76	};
		77	#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
		78
		79	enum ctattr_counters {
		80	CTA_COUNTERS_UNSPEC,
		81	CTA_COUNTERS_PACKETS,
		82	CTA_COUNTERS_BYTES,
		83	__CTA_COUNTERS_MAX
		84	};
		85	#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
		86
		87	enum ctattr_nat {
		88	CTA_NAT_UNSPEC,
		89	CTA_NAT_MINIP,
		90	CTA_NAT_MAXIP,
		91	CTA_NAT_PROTO,
		92	__CTA_NAT_MAX
		93	};
		94	#define CTA_NAT_MAX (__CTA_NAT_MAX - 1)
		95
		96	enum ctattr_protonat {
		97	CTA_PROTONAT_UNSPEC,
		98	CTA_PROTONAT_PORT_MIN,
		99	CTA_PROTONAT_PORT_MAX,
		100	__CTA_PROTONAT_MAX
		101	};
		102	#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1)
		103
		104	enum ctattr_expect {
		105	CTA_EXPECT_UNSPEC,
		106	CTA_EXPECT_TUPLE,
		107	CTA_EXPECT_MASK,
		108	CTA_EXPECT_TIMEOUT,
		109	CTA_EXPECT_ID,
		110	__CTA_EXPECT_MAX
		111	};
		112	#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
		113
		114	enum ctattr_help {
		115	CTA_HELP_UNSPEC,
		116	CTA_HELP_NAME,
		117	__CTA_HELP_MAX
		118	};
		119	#define CTA_HELP_MAX (__CTA_HELP_MAX - 1)
		120
		121	#define CTA_HELP_MAXNAMESIZE 32
		122
		123	#endif /* _IPCONNTRACK_NETLINK_H */


diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h index ae1270c97b50..ff2c1c6001f9 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack.h +++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -209,6 +209,9 @@ struct ip_conntrack
209	/* Current number of expected connections */	209	/* Current number of expected connections */
210	unsigned int expecting;	210	unsigned int expecting;
211		211
		212	/* Unique ID that identifies this conntrack*/
		213	unsigned int id;
		214
212	/* Helper, if any. */	215	/* Helper, if any. */
213	struct ip_conntrack_helper *helper;	216	struct ip_conntrack_helper *helper;
214		217
@@ -257,6 +260,9 @@ struct ip_conntrack_expect
257	/* Usage count. */	260	/* Usage count. */
258	atomic_t use;	261	atomic_t use;
259		262
		263	/* Unique ID */
		264	unsigned int id;
		265
260	#ifdef CONFIG_IP_NF_NAT_NEEDED	266	#ifdef CONFIG_IP_NF_NAT_NEEDED
261	/* This is the original per-proto part, used to map the	267	/* This is the original per-proto part, used to map the
262	* expected connection the way the recipient expects. */	268	* expected connection the way the recipient expects. */
@@ -296,7 +302,12 @@ ip_conntrack_get(const struct sk_buff skb, enum ip_conntrack_info ctinfo)
296	}	302	}
297		303
298	/* decrement reference count on a conntrack */	304	/* decrement reference count on a conntrack */
299	extern void ip_conntrack_put(struct ip_conntrack *ct);	305	static inline void
		306	ip_conntrack_put(struct ip_conntrack *ct)
		307	{
		308	IP_NF_ASSERT(ct);
		309	nf_conntrack_put(&ct->ct_general);
		310	}
300		311
301	/* call to create an explicit dependency on ip_conntrack. */	312	/* call to create an explicit dependency on ip_conntrack. */
302	extern void need_ip_conntrack(void);	313	extern void need_ip_conntrack(void);
@@ -331,6 +342,39 @@ extern void
331	ip_ct_iterate_cleanup(int (iter)(struct ip_conntrack i, void *data),	342	ip_ct_iterate_cleanup(int (iter)(struct ip_conntrack i, void *data),
332	void *data);	343	void *data);
333		344
		345	extern struct ip_conntrack_helper *
		346	__ip_conntrack_helper_find_byname(const char *);
		347	extern struct ip_conntrack_helper *
		348	ip_conntrack_helper_find_get(const struct ip_conntrack_tuple *tuple);
		349	extern void ip_conntrack_helper_put(struct ip_conntrack_helper *helper);
		350
		351	extern struct ip_conntrack_protocol *
		352	__ip_conntrack_proto_find(u_int8_t protocol);
		353	extern struct ip_conntrack_protocol *
		354	ip_conntrack_proto_find_get(u_int8_t protocol);
		355	extern void ip_conntrack_proto_put(struct ip_conntrack_protocol *proto);
		356
		357	extern void ip_ct_remove_expectations(struct ip_conntrack *ct);
		358
		359	extern struct ip_conntrack ip_conntrack_alloc(struct ip_conntrack_tuple ,
		360	struct ip_conntrack_tuple *);
		361
		362	extern void ip_conntrack_free(struct ip_conntrack *ct);
		363
		364	extern void ip_conntrack_hash_insert(struct ip_conntrack *ct);
		365
		366	extern struct ip_conntrack_expect *
		367	__ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple);
		368
		369	extern struct ip_conntrack_expect *
		370	ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple);
		371
		372	extern struct ip_conntrack_tuple_hash *
		373	__ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
		374	const struct ip_conntrack *ignored_conntrack);
		375
		376	extern void ip_conntrack_flush(void);
		377
334	/* It's confirmed if it is, or has been in the hash table. */	378	/* It's confirmed if it is, or has been in the hash table. */
335	static inline int is_confirmed(struct ip_conntrack *ct)	379	static inline int is_confirmed(struct ip_conntrack *ct)
336	{	380	{


diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h b/include/linux/netfilter_ipv4/ip_conntrack_core.h index 46eeea1e2733..fbf6c3e41647 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack_core.h +++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h
@@ -2,6 +2,9 @@
2	#define _IP_CONNTRACK_CORE_H	2	#define _IP_CONNTRACK_CORE_H
3	#include <linux/netfilter.h>	3	#include <linux/netfilter.h>
4		4
		5	#define MAX_IP_CT_PROTO 256
		6	extern struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO];
		7
5	/* This header is used to share core functionality between the	8	/* This header is used to share core functionality between the
6	standalone connection tracking module, and the compatibility layer's use	9	standalone connection tracking module, and the compatibility layer's use
7	of connection tracking. */	10	of connection tracking. */
@@ -53,6 +56,8 @@ struct ip_conntrack_ecache;
53	extern void __ip_ct_deliver_cached_events(struct ip_conntrack_ecache *ec);	56	extern void __ip_ct_deliver_cached_events(struct ip_conntrack_ecache *ec);
54	#endif	57	#endif
55		58
		59	extern void __ip_ct_expect_unlink_destroy(struct ip_conntrack_expect *exp);
		60
56	extern struct list_head *ip_conntrack_hash;	61	extern struct list_head *ip_conntrack_hash;
57	extern struct list_head ip_conntrack_expect_list;	62	extern struct list_head ip_conntrack_expect_list;
58	extern rwlock_t ip_conntrack_lock;	63	extern rwlock_t ip_conntrack_lock;


diff --git a/include/linux/netfilter_ipv4/ip_conntrack_helper.h b/include/linux/netfilter_ipv4/ip_conntrack_helper.h index 3692daa93dec..8d69279ccfe4 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack_helper.h +++ b/include/linux/netfilter_ipv4/ip_conntrack_helper.h
@@ -24,6 +24,8 @@ struct ip_conntrack_helper
24	int (help)(struct sk_buff *pskb,	24	int (help)(struct sk_buff *pskb,
25	struct ip_conntrack *ct,	25	struct ip_conntrack *ct,
26	enum ip_conntrack_info conntrackinfo);	26	enum ip_conntrack_info conntrackinfo);
		27
		28	int (to_nfattr)(struct sk_buff skb, const struct ip_conntrack *ct);
27	};	29	};
28		30
29	extern int ip_conntrack_helper_register(struct ip_conntrack_helper *);	31	extern int ip_conntrack_helper_register(struct ip_conntrack_helper *);


diff --git a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h index e20b57c5e1b7..b6b99be8632a 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h +++ b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
@@ -2,6 +2,7 @@
2	#ifndef _IP_CONNTRACK_PROTOCOL_H	2	#ifndef _IP_CONNTRACK_PROTOCOL_H
3	#define _IP_CONNTRACK_PROTOCOL_H	3	#define _IP_CONNTRACK_PROTOCOL_H
4	#include <linux/netfilter_ipv4/ip_conntrack.h>	4	#include <linux/netfilter_ipv4/ip_conntrack.h>
		5	#include <linux/netfilter/nfnetlink_conntrack.h>
5		6
6	struct seq_file;	7	struct seq_file;
7		8
@@ -47,22 +48,22 @@ struct ip_conntrack_protocol
47	int (error)(struct sk_buff skb, enum ip_conntrack_info *ctinfo,	48	int (error)(struct sk_buff skb, enum ip_conntrack_info *ctinfo,
48	unsigned int hooknum);	49	unsigned int hooknum);
49		50
		51	/* convert protoinfo to nfnetink attributes */
		52	int (to_nfattr)(struct sk_buff skb, struct nfattr *nfa,
		53	const struct ip_conntrack *ct);
		54
		55	int (tuple_to_nfattr)(struct sk_buff skb,
		56	const struct ip_conntrack_tuple *t);
		57	int (nfattr_to_tuple)(struct nfattr tb[],
		58	struct ip_conntrack_tuple *t);
		59
50	/* Module (if any) which this is connected to. */	60	/* Module (if any) which this is connected to. */
51	struct module *me;	61	struct module *me;
52	};	62	};
53		63
54	#define MAX_IP_CT_PROTO 256
55	extern struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO];
56
57	/* Protocol registration. */	64	/* Protocol registration. */
58	extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto);	65	extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto);
59	extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto);	66	extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto);
60
61	static inline struct ip_conntrack_protocol *ip_ct_find_proto(u_int8_t protocol)
62	{
63	return ip_ct_protos[protocol];
64	}
65
66	/* Existing built-in protocols */	67	/* Existing built-in protocols */
67	extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp;	68	extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp;
68	extern struct ip_conntrack_protocol ip_conntrack_protocol_udp;	69	extern struct ip_conntrack_protocol ip_conntrack_protocol_udp;
@@ -73,6 +74,11 @@ extern int ip_conntrack_protocol_tcp_init(void);
73	/* Log invalid packets */	74	/* Log invalid packets */
74	extern unsigned int ip_ct_log_invalid;	75	extern unsigned int ip_ct_log_invalid;
75		76
		77	extern int ip_ct_port_tuple_to_nfattr(struct sk_buff *,
		78	const struct ip_conntrack_tuple *);
		79	extern int ip_ct_port_nfattr_to_tuple(struct nfattr *tb[],
		80	struct ip_conntrack_tuple *);
		81
76	#ifdef CONFIG_SYSCTL	82	#ifdef CONFIG_SYSCTL
77	#ifdef DEBUG_INVALID_PACKETS	83	#ifdef DEBUG_INVALID_PACKETS
78	#define LOG_INVALID(proto) \	84	#define LOG_INVALID(proto) \


diff --git a/include/linux/netfilter_ipv4/ip_nat_protocol.h b/include/linux/netfilter_ipv4/ip_nat_protocol.h index 129708c22386..ef63aa991a06 100644 --- a/include/linux/netfilter_ipv4/ip_nat_protocol.h +++ b/include/linux/netfilter_ipv4/ip_nat_protocol.h
@@ -4,6 +4,9 @@
4	#include <linux/init.h>	4	#include <linux/init.h>
5	#include <linux/list.h>	5	#include <linux/list.h>
6		6
		7	#include <linux/netfilter_ipv4/ip_nat.h>
		8	#include <linux/netfilter/nfnetlink_conntrack.h>
		9
7	struct iphdr;	10	struct iphdr;
8	struct ip_nat_range;	11	struct ip_nat_range;
9		12
@@ -15,6 +18,8 @@ struct ip_nat_protocol
15	/* Protocol number. */	18	/* Protocol number. */
16	unsigned int protonum;	19	unsigned int protonum;
17		20
		21	struct module *me;
		22
18	/* Translate a packet to the target according to manip type.	23	/* Translate a packet to the target according to manip type.
19	Return true if succeeded. */	24	Return true if succeeded. */
20	int (manip_pkt)(struct sk_buff *pskb,	25	int (manip_pkt)(struct sk_buff *pskb,
@@ -43,19 +48,20 @@ struct ip_nat_protocol
43		48
44	unsigned int (print_range)(char buffer,	49	unsigned int (print_range)(char buffer,
45	const struct ip_nat_range *range);	50	const struct ip_nat_range *range);
46	};
47		51
48	#define MAX_IP_NAT_PROTO 256	52	int (range_to_nfattr)(struct sk_buff skb,
49	extern struct ip_nat_protocol *ip_nat_protos[MAX_IP_NAT_PROTO];	53	const struct ip_nat_range *range);
		54
		55	int (nfattr_to_range)(struct nfattr tb[],
		56	struct ip_nat_range *range);
		57	};
50		58
51	/* Protocol registration. */	59	/* Protocol registration. */
52	extern int ip_nat_protocol_register(struct ip_nat_protocol *proto);	60	extern int ip_nat_protocol_register(struct ip_nat_protocol *proto);
53	extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto);	61	extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto);
54		62
55	static inline struct ip_nat_protocol *ip_nat_find_proto(u_int8_t protocol)	63	extern struct ip_nat_protocol *ip_nat_proto_find_get(u_int8_t protocol);
56	{	64	extern void ip_nat_proto_put(struct ip_nat_protocol *proto);
57	return ip_nat_protos[protocol];
58	}
59		65
60	/* Built-in protocols. */	66	/* Built-in protocols. */
61	extern struct ip_nat_protocol ip_nat_protocol_tcp;	67	extern struct ip_nat_protocol ip_nat_protocol_tcp;
@@ -67,4 +73,9 @@ extern int init_protocols(void) __init;
67	extern void cleanup_protocols(void);	73	extern void cleanup_protocols(void);
68	extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum);	74	extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum);
69		75
		76	extern int ip_nat_port_range_to_nfattr(struct sk_buff *skb,
		77	const struct ip_nat_range *range);
		78	extern int ip_nat_port_nfattr_to_range(struct nfattr *tb[],
		79	struct ip_nat_range *range);
		80
70	#endif /_IP_NAT_PROTO_H/	81	#endif /_IP_NAT_PROTO_H/