aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux
diff options
context:
space:
mode:
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/netfilter/nf_conntrack_common.h159
-rw-r--r--include/linux/netfilter/nf_conntrack_ftp.h44
-rw-r--r--include/linux/netfilter/nf_conntrack_sctp.h27
-rw-r--r--include/linux/netfilter/nf_conntrack_tcp.h56
-rw-r--r--include/linux/netfilter/nf_conntrack_tuple_common.h13
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack.h152
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_ftp.h39
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_icmp.h9
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_sctp.h21
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_tcp.h47
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_tuple.h10
-rw-r--r--include/linux/netfilter_ipv6.h1
-rw-r--r--include/linux/skbuff.h19
-rw-r--r--include/linux/sysctl.h37
14 files changed, 363 insertions, 271 deletions
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
new file mode 100644
index 000000000000..6d39b518486b
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -0,0 +1,159 @@
1#ifndef _NF_CONNTRACK_COMMON_H
2#define _NF_CONNTRACK_COMMON_H
3/* Connection state tracking for netfilter. This is separated from,
4 but required by, the NAT layer; it can also be used by an iptables
5 extension. */
6enum ip_conntrack_info
7{
8 /* Part of an established connection (either direction). */
9 IP_CT_ESTABLISHED,
10
11 /* Like NEW, but related to an existing connection, or ICMP error
12 (in either direction). */
13 IP_CT_RELATED,
14
15 /* Started a new connection to track (only
16 IP_CT_DIR_ORIGINAL); may be a retransmission. */
17 IP_CT_NEW,
18
19 /* >= this indicates reply direction */
20 IP_CT_IS_REPLY,
21
22 /* Number of distinct IP_CT types (no NEW in reply dirn). */
23 IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
24};
25
26/* Bitset representing status of connection. */
27enum ip_conntrack_status {
28 /* It's an expected connection: bit 0 set. This bit never changed */
29 IPS_EXPECTED_BIT = 0,
30 IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
31
32 /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
33 IPS_SEEN_REPLY_BIT = 1,
34 IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
35
36 /* Conntrack should never be early-expired. */
37 IPS_ASSURED_BIT = 2,
38 IPS_ASSURED = (1 << IPS_ASSURED_BIT),
39
40 /* Connection is confirmed: originating packet has left box */
41 IPS_CONFIRMED_BIT = 3,
42 IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
43
44 /* Connection needs src nat in orig dir. This bit never changed. */
45 IPS_SRC_NAT_BIT = 4,
46 IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
47
48 /* Connection needs dst nat in orig dir. This bit never changed. */
49 IPS_DST_NAT_BIT = 5,
50 IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
51
52 /* Both together. */
53 IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
54
55 /* Connection needs TCP sequence adjusted. */
56 IPS_SEQ_ADJUST_BIT = 6,
57 IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
58
59 /* NAT initialization bits. */
60 IPS_SRC_NAT_DONE_BIT = 7,
61 IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
62
63 IPS_DST_NAT_DONE_BIT = 8,
64 IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
65
66 /* Both together */
67 IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
68
69 /* Connection is dying (removed from lists), can not be unset. */
70 IPS_DYING_BIT = 9,
71 IPS_DYING = (1 << IPS_DYING_BIT),
72};
73
74/* Connection tracking event bits */
75enum ip_conntrack_events
76{
77 /* New conntrack */
78 IPCT_NEW_BIT = 0,
79 IPCT_NEW = (1 << IPCT_NEW_BIT),
80
81 /* Expected connection */
82 IPCT_RELATED_BIT = 1,
83 IPCT_RELATED = (1 << IPCT_RELATED_BIT),
84
85 /* Destroyed conntrack */
86 IPCT_DESTROY_BIT = 2,
87 IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
88
89 /* Timer has been refreshed */
90 IPCT_REFRESH_BIT = 3,
91 IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
92
93 /* Status has changed */
94 IPCT_STATUS_BIT = 4,
95 IPCT_STATUS = (1 << IPCT_STATUS_BIT),
96
97 /* Update of protocol info */
98 IPCT_PROTOINFO_BIT = 5,
99 IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
100
101 /* Volatile protocol info */
102 IPCT_PROTOINFO_VOLATILE_BIT = 6,
103 IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
104
105 /* New helper for conntrack */
106 IPCT_HELPER_BIT = 7,
107 IPCT_HELPER = (1 << IPCT_HELPER_BIT),
108
109 /* Update of helper info */
110 IPCT_HELPINFO_BIT = 8,
111 IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
112
113 /* Volatile helper info */
114 IPCT_HELPINFO_VOLATILE_BIT = 9,
115 IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
116
117 /* NAT info */
118 IPCT_NATINFO_BIT = 10,
119 IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
120
121 /* Counter highest bit has been set */
122 IPCT_COUNTER_FILLING_BIT = 11,
123 IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
124};
125
126enum ip_conntrack_expect_events {
127 IPEXP_NEW_BIT = 0,
128 IPEXP_NEW = (1 << IPEXP_NEW_BIT),
129};
130
131#ifdef __KERNEL__
132struct ip_conntrack_counter
133{
134 u_int32_t packets;
135 u_int32_t bytes;
136};
137
138struct ip_conntrack_stat
139{
140 unsigned int searched;
141 unsigned int found;
142 unsigned int new;
143 unsigned int invalid;
144 unsigned int ignore;
145 unsigned int delete;
146 unsigned int delete_list;
147 unsigned int insert;
148 unsigned int insert_failed;
149 unsigned int drop;
150 unsigned int early_drop;
151 unsigned int error;
152 unsigned int expect_new;
153 unsigned int expect_create;
154 unsigned int expect_delete;
155};
156
157#endif /* __KERNEL__ */
158
159#endif /* _NF_CONNTRACK_COMMON_H */
diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h
new file mode 100644
index 000000000000..ad4a41c9ce93
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_ftp.h
@@ -0,0 +1,44 @@
1#ifndef _NF_CONNTRACK_FTP_H
2#define _NF_CONNTRACK_FTP_H
3/* FTP tracking. */
4
5/* This enum is exposed to userspace */
6enum ip_ct_ftp_type
7{
8 /* PORT command from client */
9 IP_CT_FTP_PORT,
10 /* PASV response from server */
11 IP_CT_FTP_PASV,
12 /* EPRT command from client */
13 IP_CT_FTP_EPRT,
14 /* EPSV response from server */
15 IP_CT_FTP_EPSV,
16};
17
18#ifdef __KERNEL__
19
20#define FTP_PORT 21
21
22#define NUM_SEQ_TO_REMEMBER 2
23/* This structure exists only once per master */
24struct ip_ct_ftp_master {
25 /* Valid seq positions for cmd matching after newline */
26 u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
27 /* 0 means seq_match_aft_nl not set */
28 int seq_aft_nl_num[IP_CT_DIR_MAX];
29};
30
31struct ip_conntrack_expect;
32
33/* For NAT to hook in when we find a packet which describes what other
34 * connection we should expect. */
35extern unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb,
36 enum ip_conntrack_info ctinfo,
37 enum ip_ct_ftp_type type,
38 unsigned int matchoff,
39 unsigned int matchlen,
40 struct ip_conntrack_expect *exp,
41 u32 *seq);
42#endif /* __KERNEL__ */
43
44#endif /* _NF_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h
new file mode 100644
index 000000000000..b8994d9fd1a9
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_sctp.h
@@ -0,0 +1,27 @@
1#ifndef _NF_CONNTRACK_SCTP_H
2#define _NF_CONNTRACK_SCTP_H
3/* SCTP tracking. */
4
5#include <linux/netfilter/nf_conntrack_tuple_common.h>
6
7enum sctp_conntrack {
8 SCTP_CONNTRACK_NONE,
9 SCTP_CONNTRACK_CLOSED,
10 SCTP_CONNTRACK_COOKIE_WAIT,
11 SCTP_CONNTRACK_COOKIE_ECHOED,
12 SCTP_CONNTRACK_ESTABLISHED,
13 SCTP_CONNTRACK_SHUTDOWN_SENT,
14 SCTP_CONNTRACK_SHUTDOWN_RECD,
15 SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
16 SCTP_CONNTRACK_MAX
17};
18
19struct ip_ct_sctp
20{
21 enum sctp_conntrack state;
22
23 u_int32_t vtag[IP_CT_DIR_MAX];
24 u_int32_t ttag[IP_CT_DIR_MAX];
25};
26
27#endif /* _NF_CONNTRACK_SCTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
new file mode 100644
index 000000000000..b2feeffde384
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -0,0 +1,56 @@
1#ifndef _NF_CONNTRACK_TCP_H
2#define _NF_CONNTRACK_TCP_H
3/* TCP tracking. */
4
5/* This is exposed to userspace (ctnetlink) */
6enum tcp_conntrack {
7 TCP_CONNTRACK_NONE,
8 TCP_CONNTRACK_SYN_SENT,
9 TCP_CONNTRACK_SYN_RECV,
10 TCP_CONNTRACK_ESTABLISHED,
11 TCP_CONNTRACK_FIN_WAIT,
12 TCP_CONNTRACK_CLOSE_WAIT,
13 TCP_CONNTRACK_LAST_ACK,
14 TCP_CONNTRACK_TIME_WAIT,
15 TCP_CONNTRACK_CLOSE,
16 TCP_CONNTRACK_LISTEN,
17 TCP_CONNTRACK_MAX,
18 TCP_CONNTRACK_IGNORE
19};
20
21/* Window scaling is advertised by the sender */
22#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01
23
24/* SACK is permitted by the sender */
25#define IP_CT_TCP_FLAG_SACK_PERM 0x02
26
27/* This sender sent FIN first */
28#define IP_CT_TCP_FLAG_CLOSE_INIT 0x03
29
30#ifdef __KERNEL__
31
32struct ip_ct_tcp_state {
33 u_int32_t td_end; /* max of seq + len */
34 u_int32_t td_maxend; /* max of ack + max(win, 1) */
35 u_int32_t td_maxwin; /* max(win) */
36 u_int8_t td_scale; /* window scale factor */
37 u_int8_t loose; /* used when connection picked up from the middle */
38 u_int8_t flags; /* per direction options */
39};
40
41struct ip_ct_tcp
42{
43 struct ip_ct_tcp_state seen[2]; /* connection parameters per direction */
44 u_int8_t state; /* state of the connection (enum tcp_conntrack) */
45 /* For detecting stale connections */
46 u_int8_t last_dir; /* Direction of the last packet (enum ip_conntrack_dir) */
47 u_int8_t retrans; /* Number of retransmitted packets */
48 u_int8_t last_index; /* Index of the last packet */
49 u_int32_t last_seq; /* Last sequence number seen in dir */
50 u_int32_t last_ack; /* Last sequence number seen in opposite dir */
51 u_int32_t last_end; /* Last seq + len */
52};
53
54#endif /* __KERNEL__ */
55
56#endif /* _NF_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h
new file mode 100644
index 000000000000..8e145f0d61cb
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
@@ -0,0 +1,13 @@
1#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
2#define _NF_CONNTRACK_TUPLE_COMMON_H
3
4enum ip_conntrack_dir
5{
6 IP_CT_DIR_ORIGINAL,
7 IP_CT_DIR_REPLY,
8 IP_CT_DIR_MAX
9};
10
11#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
12
13#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index d078bb91d9e5..b3432ab59a17 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -1,132 +1,7 @@
1#ifndef _IP_CONNTRACK_H 1#ifndef _IP_CONNTRACK_H
2#define _IP_CONNTRACK_H 2#define _IP_CONNTRACK_H
3/* Connection state tracking for netfilter. This is separated from,
4 but required by, the NAT layer; it can also be used by an iptables
5 extension. */
6enum ip_conntrack_info
7{
8 /* Part of an established connection (either direction). */
9 IP_CT_ESTABLISHED,
10
11 /* Like NEW, but related to an existing connection, or ICMP error
12 (in either direction). */
13 IP_CT_RELATED,
14
15 /* Started a new connection to track (only
16 IP_CT_DIR_ORIGINAL); may be a retransmission. */
17 IP_CT_NEW,
18
19 /* >= this indicates reply direction */
20 IP_CT_IS_REPLY,
21
22 /* Number of distinct IP_CT types (no NEW in reply dirn). */
23 IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
24};
25
26/* Bitset representing status of connection. */
27enum ip_conntrack_status {
28 /* It's an expected connection: bit 0 set. This bit never changed */
29 IPS_EXPECTED_BIT = 0,
30 IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
31
32 /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
33 IPS_SEEN_REPLY_BIT = 1,
34 IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
35
36 /* Conntrack should never be early-expired. */
37 IPS_ASSURED_BIT = 2,
38 IPS_ASSURED = (1 << IPS_ASSURED_BIT),
39
40 /* Connection is confirmed: originating packet has left box */
41 IPS_CONFIRMED_BIT = 3,
42 IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
43
44 /* Connection needs src nat in orig dir. This bit never changed. */
45 IPS_SRC_NAT_BIT = 4,
46 IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
47
48 /* Connection needs dst nat in orig dir. This bit never changed. */
49 IPS_DST_NAT_BIT = 5,
50 IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
51
52 /* Both together. */
53 IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
54
55 /* Connection needs TCP sequence adjusted. */
56 IPS_SEQ_ADJUST_BIT = 6,
57 IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
58
59 /* NAT initialization bits. */
60 IPS_SRC_NAT_DONE_BIT = 7,
61 IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
62
63 IPS_DST_NAT_DONE_BIT = 8,
64 IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
65
66 /* Both together */
67 IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
68
69 /* Connection is dying (removed from lists), can not be unset. */
70 IPS_DYING_BIT = 9,
71 IPS_DYING = (1 << IPS_DYING_BIT),
72};
73
74/* Connection tracking event bits */
75enum ip_conntrack_events
76{
77 /* New conntrack */
78 IPCT_NEW_BIT = 0,
79 IPCT_NEW = (1 << IPCT_NEW_BIT),
80
81 /* Expected connection */
82 IPCT_RELATED_BIT = 1,
83 IPCT_RELATED = (1 << IPCT_RELATED_BIT),
84
85 /* Destroyed conntrack */
86 IPCT_DESTROY_BIT = 2,
87 IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
88
89 /* Timer has been refreshed */
90 IPCT_REFRESH_BIT = 3,
91 IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
92
93 /* Status has changed */
94 IPCT_STATUS_BIT = 4,
95 IPCT_STATUS = (1 << IPCT_STATUS_BIT),
96
97 /* Update of protocol info */
98 IPCT_PROTOINFO_BIT = 5,
99 IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
100
101 /* Volatile protocol info */
102 IPCT_PROTOINFO_VOLATILE_BIT = 6,
103 IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
104
105 /* New helper for conntrack */
106 IPCT_HELPER_BIT = 7,
107 IPCT_HELPER = (1 << IPCT_HELPER_BIT),
108
109 /* Update of helper info */
110 IPCT_HELPINFO_BIT = 8,
111 IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
112
113 /* Volatile helper info */
114 IPCT_HELPINFO_VOLATILE_BIT = 9,
115 IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
116 3
117 /* NAT info */ 4#include <linux/netfilter/nf_conntrack_common.h>
118 IPCT_NATINFO_BIT = 10,
119 IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
120
121 /* Counter highest bit has been set */
122 IPCT_COUNTER_FILLING_BIT = 11,
123 IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
124};
125
126enum ip_conntrack_expect_events {
127 IPEXP_NEW_BIT = 0,
128 IPEXP_NEW = (1 << IPEXP_NEW_BIT),
129};
130 5
131#ifdef __KERNEL__ 6#ifdef __KERNEL__
132#include <linux/config.h> 7#include <linux/config.h>
@@ -194,12 +69,6 @@ do { \
194#define IP_NF_ASSERT(x) 69#define IP_NF_ASSERT(x)
195#endif 70#endif
196 71
197struct ip_conntrack_counter
198{
199 u_int32_t packets;
200 u_int32_t bytes;
201};
202
203struct ip_conntrack_helper; 72struct ip_conntrack_helper;
204 73
205struct ip_conntrack 74struct ip_conntrack
@@ -426,25 +295,6 @@ static inline int is_dying(struct ip_conntrack *ct)
426 295
427extern unsigned int ip_conntrack_htable_size; 296extern unsigned int ip_conntrack_htable_size;
428 297
429struct ip_conntrack_stat
430{
431 unsigned int searched;
432 unsigned int found;
433 unsigned int new;
434 unsigned int invalid;
435 unsigned int ignore;
436 unsigned int delete;
437 unsigned int delete_list;
438 unsigned int insert;
439 unsigned int insert_failed;
440 unsigned int drop;
441 unsigned int early_drop;
442 unsigned int error;
443 unsigned int expect_new;
444 unsigned int expect_create;
445 unsigned int expect_delete;
446};
447
448#define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++) 298#define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)
449 299
450#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS 300#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_ftp.h b/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
index 5f06429b9047..63811934de4d 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
@@ -1,43 +1,6 @@
1#ifndef _IP_CONNTRACK_FTP_H 1#ifndef _IP_CONNTRACK_FTP_H
2#define _IP_CONNTRACK_FTP_H 2#define _IP_CONNTRACK_FTP_H
3/* FTP tracking. */
4 3
5#ifdef __KERNEL__ 4#include <linux/netfilter/nf_conntrack_ftp.h>
6 5
7#define FTP_PORT 21
8
9#endif /* __KERNEL__ */
10
11enum ip_ct_ftp_type
12{
13 /* PORT command from client */
14 IP_CT_FTP_PORT,
15 /* PASV response from server */
16 IP_CT_FTP_PASV,
17 /* EPRT command from client */
18 IP_CT_FTP_EPRT,
19 /* EPSV response from server */
20 IP_CT_FTP_EPSV,
21};
22
23#define NUM_SEQ_TO_REMEMBER 2
24/* This structure exists only once per master */
25struct ip_ct_ftp_master {
26 /* Valid seq positions for cmd matching after newline */
27 u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
28 /* 0 means seq_match_aft_nl not set */
29 int seq_aft_nl_num[IP_CT_DIR_MAX];
30};
31
32struct ip_conntrack_expect;
33
34/* For NAT to hook in when we find a packet which describes what other
35 * connection we should expect. */
36extern unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb,
37 enum ip_conntrack_info ctinfo,
38 enum ip_ct_ftp_type type,
39 unsigned int matchoff,
40 unsigned int matchlen,
41 struct ip_conntrack_expect *exp,
42 u32 *seq);
43#endif /* _IP_CONNTRACK_FTP_H */ 6#endif /* _IP_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_icmp.h b/include/linux/netfilter_ipv4/ip_conntrack_icmp.h
index f1664abbe392..eed5ee3e4744 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_icmp.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_icmp.h
@@ -1,11 +1,6 @@
1#ifndef _IP_CONNTRACK_ICMP_H 1#ifndef _IP_CONNTRACK_ICMP_H
2#define _IP_CONNTRACK_ICMP_H 2#define _IP_CONNTRACK_ICMP_H
3/* ICMP tracking. */
4#include <asm/atomic.h>
5 3
6struct ip_ct_icmp 4#include <net/netfilter/ipv4/nf_conntrack_icmp.h>
7{ 5
8 /* Optimization: when number in == number out, forget immediately. */
9 atomic_t count;
10};
11#endif /* _IP_CONNTRACK_ICMP_H */ 6#endif /* _IP_CONNTRACK_ICMP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_sctp.h b/include/linux/netfilter_ipv4/ip_conntrack_sctp.h
index 7a8d869321f7..4099a041a32a 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_sctp.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_sctp.h
@@ -1,25 +1,6 @@
1#ifndef _IP_CONNTRACK_SCTP_H 1#ifndef _IP_CONNTRACK_SCTP_H
2#define _IP_CONNTRACK_SCTP_H 2#define _IP_CONNTRACK_SCTP_H
3/* SCTP tracking. */
4 3
5enum sctp_conntrack { 4#include <linux/netfilter/nf_conntrack_sctp.h>
6 SCTP_CONNTRACK_NONE,
7 SCTP_CONNTRACK_CLOSED,
8 SCTP_CONNTRACK_COOKIE_WAIT,
9 SCTP_CONNTRACK_COOKIE_ECHOED,
10 SCTP_CONNTRACK_ESTABLISHED,
11 SCTP_CONNTRACK_SHUTDOWN_SENT,
12 SCTP_CONNTRACK_SHUTDOWN_RECD,
13 SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
14 SCTP_CONNTRACK_MAX
15};
16
17struct ip_ct_sctp
18{
19 enum sctp_conntrack state;
20
21 u_int32_t vtag[IP_CT_DIR_MAX];
22 u_int32_t ttag[IP_CT_DIR_MAX];
23};
24 5
25#endif /* _IP_CONNTRACK_SCTP_H */ 6#endif /* _IP_CONNTRACK_SCTP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_tcp.h b/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
index 16da044d97a7..876b8fb17e68 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
@@ -1,51 +1,6 @@
1#ifndef _IP_CONNTRACK_TCP_H 1#ifndef _IP_CONNTRACK_TCP_H
2#define _IP_CONNTRACK_TCP_H 2#define _IP_CONNTRACK_TCP_H
3/* TCP tracking. */
4 3
5enum tcp_conntrack { 4#include <linux/netfilter/nf_conntrack_tcp.h>
6 TCP_CONNTRACK_NONE,
7 TCP_CONNTRACK_SYN_SENT,
8 TCP_CONNTRACK_SYN_RECV,
9 TCP_CONNTRACK_ESTABLISHED,
10 TCP_CONNTRACK_FIN_WAIT,
11 TCP_CONNTRACK_CLOSE_WAIT,
12 TCP_CONNTRACK_LAST_ACK,
13 TCP_CONNTRACK_TIME_WAIT,
14 TCP_CONNTRACK_CLOSE,
15 TCP_CONNTRACK_LISTEN,
16 TCP_CONNTRACK_MAX,
17 TCP_CONNTRACK_IGNORE
18};
19
20/* Window scaling is advertised by the sender */
21#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01
22
23/* SACK is permitted by the sender */
24#define IP_CT_TCP_FLAG_SACK_PERM 0x02
25
26/* This sender sent FIN first */
27#define IP_CT_TCP_FLAG_CLOSE_INIT 0x03
28
29struct ip_ct_tcp_state {
30 u_int32_t td_end; /* max of seq + len */
31 u_int32_t td_maxend; /* max of ack + max(win, 1) */
32 u_int32_t td_maxwin; /* max(win) */
33 u_int8_t td_scale; /* window scale factor */
34 u_int8_t loose; /* used when connection picked up from the middle */
35 u_int8_t flags; /* per direction options */
36};
37
38struct ip_ct_tcp
39{
40 struct ip_ct_tcp_state seen[2]; /* connection parameters per direction */
41 u_int8_t state; /* state of the connection (enum tcp_conntrack) */
42 /* For detecting stale connections */
43 u_int8_t last_dir; /* Direction of the last packet (enum ip_conntrack_dir) */
44 u_int8_t retrans; /* Number of retransmitted packets */
45 u_int8_t last_index; /* Index of the last packet */
46 u_int32_t last_seq; /* Last sequence number seen in dir */
47 u_int32_t last_ack; /* Last sequence number seen in opposite dir */
48 u_int32_t last_end; /* Last seq + len */
49};
50 5
51#endif /* _IP_CONNTRACK_TCP_H */ 6#endif /* _IP_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
index 3232db11a4e5..2fdabdb4c0ef 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
@@ -2,6 +2,7 @@
2#define _IP_CONNTRACK_TUPLE_H 2#define _IP_CONNTRACK_TUPLE_H
3 3
4#include <linux/types.h> 4#include <linux/types.h>
5#include <linux/netfilter/nf_conntrack_tuple_common.h>
5 6
6/* A `tuple' is a structure containing the information to uniquely 7/* A `tuple' is a structure containing the information to uniquely
7 identify a connection. ie. if two packets have the same tuple, they 8 identify a connection. ie. if two packets have the same tuple, they
@@ -88,13 +89,6 @@ struct ip_conntrack_tuple
88 (tuple)->dst.u.all = 0; \ 89 (tuple)->dst.u.all = 0; \
89 } while (0) 90 } while (0)
90 91
91enum ip_conntrack_dir
92{
93 IP_CT_DIR_ORIGINAL,
94 IP_CT_DIR_REPLY,
95 IP_CT_DIR_MAX
96};
97
98#ifdef __KERNEL__ 92#ifdef __KERNEL__
99 93
100#define DUMP_TUPLE(tp) \ 94#define DUMP_TUPLE(tp) \
@@ -103,8 +97,6 @@ DEBUGP("tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n", \
103 NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all), \ 97 NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all), \
104 NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all)) 98 NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all))
105 99
106#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
107
108/* If we're the first tuple, it's the original dir. */ 100/* If we're the first tuple, it's the original dir. */
109#define DIRECTION(h) ((enum ip_conntrack_dir)(h)->tuple.dst.dir) 101#define DIRECTION(h) ((enum ip_conntrack_dir)(h)->tuple.dst.dir)
110 102
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index edcc2c6eb5c7..53b2983f6278 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -59,6 +59,7 @@
59 59
60enum nf_ip6_hook_priorities { 60enum nf_ip6_hook_priorities {
61 NF_IP6_PRI_FIRST = INT_MIN, 61 NF_IP6_PRI_FIRST = INT_MIN,
62 NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
62 NF_IP6_PRI_SELINUX_FIRST = -225, 63 NF_IP6_PRI_SELINUX_FIRST = -225,
63 NF_IP6_PRI_CONNTRACK = -200, 64 NF_IP6_PRI_CONNTRACK = -200,
64 NF_IP6_PRI_BRIDGE_SABOTAGE_FORWARD = -175, 65 NF_IP6_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index fdfb8fe8c38c..83010231db99 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -274,6 +274,9 @@ struct sk_buff {
274#if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE) 274#if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE)
275 __u8 ipvs_property:1; 275 __u8 ipvs_property:1;
276#endif 276#endif
277#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
278 struct sk_buff *nfct_reasm;
279#endif
277#ifdef CONFIG_BRIDGE_NETFILTER 280#ifdef CONFIG_BRIDGE_NETFILTER
278 struct nf_bridge_info *nf_bridge; 281 struct nf_bridge_info *nf_bridge;
279#endif 282#endif
@@ -1313,10 +1316,26 @@ static inline void nf_conntrack_get(struct nf_conntrack *nfct)
1313 if (nfct) 1316 if (nfct)
1314 atomic_inc(&nfct->use); 1317 atomic_inc(&nfct->use);
1315} 1318}
1319#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
1320static inline void nf_conntrack_get_reasm(struct sk_buff *skb)
1321{
1322 if (skb)
1323 atomic_inc(&skb->users);
1324}
1325static inline void nf_conntrack_put_reasm(struct sk_buff *skb)
1326{
1327 if (skb)
1328 kfree_skb(skb);
1329}
1330#endif
1316static inline void nf_reset(struct sk_buff *skb) 1331static inline void nf_reset(struct sk_buff *skb)
1317{ 1332{
1318 nf_conntrack_put(skb->nfct); 1333 nf_conntrack_put(skb->nfct);
1319 skb->nfct = NULL; 1334 skb->nfct = NULL;
1335#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
1336 nf_conntrack_put_reasm(skb->nfct_reasm);
1337 skb->nfct_reasm = NULL;
1338#endif
1320} 1339}
1321 1340
1322#ifdef CONFIG_BRIDGE_NETFILTER 1341#ifdef CONFIG_BRIDGE_NETFILTER
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index fc131d6602b9..22cf5e1ac987 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -205,6 +205,7 @@ enum
205 NET_ECONET=16, 205 NET_ECONET=16,
206 NET_SCTP=17, 206 NET_SCTP=17,
207 NET_LLC=18, 207 NET_LLC=18,
208 NET_NETFILTER=19,
208}; 209};
209 210
210/* /proc/sys/kernel/random */ 211/* /proc/sys/kernel/random */
@@ -270,6 +271,42 @@ enum
270 NET_UNIX_MAX_DGRAM_QLEN=3, 271 NET_UNIX_MAX_DGRAM_QLEN=3,
271}; 272};
272 273
274/* /proc/sys/net/netfilter */
275enum
276{
277 NET_NF_CONNTRACK_MAX=1,
278 NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT=2,
279 NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV=3,
280 NET_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED=4,
281 NET_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT=5,
282 NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT=6,
283 NET_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK=7,
284 NET_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT=8,
285 NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE=9,
286 NET_NF_CONNTRACK_UDP_TIMEOUT=10,
287 NET_NF_CONNTRACK_UDP_TIMEOUT_STREAM=11,
288 NET_NF_CONNTRACK_ICMP_TIMEOUT=12,
289 NET_NF_CONNTRACK_GENERIC_TIMEOUT=13,
290 NET_NF_CONNTRACK_BUCKETS=14,
291 NET_NF_CONNTRACK_LOG_INVALID=15,
292 NET_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS=16,
293 NET_NF_CONNTRACK_TCP_LOOSE=17,
294 NET_NF_CONNTRACK_TCP_BE_LIBERAL=18,
295 NET_NF_CONNTRACK_TCP_MAX_RETRANS=19,
296 NET_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED=20,
297 NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT=21,
298 NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED=22,
299 NET_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED=23,
300 NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT=24,
301 NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD=25,
302 NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT=26,
303 NET_NF_CONNTRACK_COUNT=27,
304 NET_NF_CONNTRACK_ICMPV6_TIMEOUT=28,
305 NET_NF_CONNTRACK_FRAG6_TIMEOUT=29,
306 NET_NF_CONNTRACK_FRAG6_LOW_THRESH=30,
307 NET_NF_CONNTRACK_FRAG6_HIGH_THRESH=31,
308};
309
273/* /proc/sys/net/ipv4 */ 310/* /proc/sys/net/ipv4 */
274enum 311enum
275{ 312{
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-28 02:05:20 -0500