#ifndef _NF_CONNTRACK_COMMON_H
#define _NF_CONNTRACK_COMMON_H

/*
 * Connection state tracking for netfilter.  Kept separate from the NAT
 * layer (which depends on it) so that an iptables extension can use it
 * on its own.
 */

/* Per-packet classification: where a packet sits in a tracked connection. */
enum ip_conntrack_info {
	/* Belongs to an established connection, in either direction. */
	IP_CT_ESTABLISHED,

	/*
	 * As NEW, but tied to an existing connection, or an ICMP error
	 * (either direction).
	 */
	IP_CT_RELATED,

	/*
	 * First packet of a newly tracked connection (IP_CT_DIR_ORIGINAL
	 * only); may turn out to be a retransmission.
	 */
	IP_CT_NEW,

	/* Values >= this one denote the reply direction. */
	IP_CT_IS_REPLY,

	/*
	 * Count of distinct IP_CT states; there is no NEW in the reply
	 * direction, hence the "- 1".
	 */
	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
};

/*
 * Connection status bitset.  Each flag is given both as a bit index
 * (*_BIT) and as the corresponding mask value.  Flags marked "never
 * changes" are fixed when the connection is created; flags marked
 * "set, never cleared" only move in one direction.
 */
enum ip_conntrack_status {
	/* Connection was expected (bit 0); never changes. */
	IPS_EXPECTED_BIT = 0,
	IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),

	/* Packets seen in both directions (bit 1); set, never cleared. */
	IPS_SEEN_REPLY_BIT = 1,
	IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),

	/* Conntrack must never be early-expired. */
	IPS_ASSURED_BIT = 2,
	IPS_ASSURED = (1 << IPS_ASSURED_BIT),

	/* Confirmed: the originating packet has left the box. */
	IPS_CONFIRMED_BIT = 3,
	IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),

	/* Source NAT required in the original direction; never changes. */
	IPS_SRC_NAT_BIT = 4,
	IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),

	/* Destination NAT required in the original direction; never changes. */
	IPS_DST_NAT_BIT = 5,
	IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),

	/* Either kind of NAT. */
	IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),

	/* TCP sequence numbers need adjusting. */
	IPS_SEQ_ADJUST_BIT = 6,
	IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),

	/* NAT setup has completed for the respective direction. */
	IPS_SRC_NAT_DONE_BIT = 7,
	IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),

	IPS_DST_NAT_DONE_BIT = 8,
	IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),

	/* Either NAT direction set up. */
	IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),

	/* Connection is being torn down (removed from lists); set, never cleared. */
	IPS_DYING_BIT = 9,
	IPS_DYING = (1 << IPS_DYING_BIT),

	/* Connection timeout is fixed. */
	IPS_FIXED_TIMEOUT_BIT = 10,
	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
};

/* Connection tracking event bits, again as bit index plus mask. */
enum ip_conntrack_events {
	/* A conntrack was created. */
	IPCT_NEW_BIT = 0,
	IPCT_NEW = (1 << IPCT_NEW_BIT),

	/* An expected connection arrived. */
	IPCT_RELATED_BIT = 1,
	IPCT_RELATED = (1 << IPCT_RELATED_BIT),

	/* A conntrack was destroyed. */
	IPCT_DESTROY_BIT = 2,
	IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),

	/* The timer was refreshed. */
	IPCT_REFRESH_BIT = 3,
	IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),

	/* The status bitset changed. */
	IPCT_STATUS_BIT = 4,
	IPCT_STATUS = (1 << IPCT_STATUS_BIT),

	/* Protocol-specific info was updated. */
	IPCT_PROTOINFO_BIT = 5,
	IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),

	/* Volatile protocol-specific info changed. */
	IPCT_PROTOINFO_VOLATILE_BIT = 6,
	IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),

	/* A helper was attached to the conntrack. */
	IPCT_HELPER_BIT = 7,
	IPCT_HELPER = (1 << IPCT_HELPER_BIT),

	/* Helper info was updated. */
	IPCT_HELPINFO_BIT = 8,
	IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),

	/* Volatile helper info changed. */
	IPCT_HELPINFO_VOLATILE_BIT = 9,
	IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),

	/* NAT info changed. */
	IPCT_NATINFO_BIT = 10,
	IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),

	/* The highest bit of a counter became set. */
	IPCT_COUNTER_FILLING_BIT = 11,
	IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
};

/* Expectation event bits. */
enum ip_conntrack_expect_events {
	IPEXP_NEW_BIT = 0,
	IPEXP_NEW = (1 << IPEXP_NEW_BIT),
};

#ifdef __KERNEL__
/* Per-direction traffic counters. */
struct ip_conntrack_counter {
	u_int32_t packets;
	u_int32_t bytes;
};

/* Per-CPU conntrack statistics. */
struct ip_conntrack_stat {
	unsigned int searched;
	unsigned int found;
	unsigned int new;
	unsigned int invalid;
	unsigned int ignore;
	unsigned int delete;
	unsigned int delete_list;
	unsigned int insert;
	unsigned int insert_failed;
	unsigned int drop;
	unsigned int early_drop;
	unsigned int error;
	unsigned int expect_new;
	unsigned int expect_create;
	unsigned int expect_delete;
};

/* Call this to create an explicit dependency on nf_conntrack. */
extern void need_conntrack(void);

#endif /* __KERNEL__ */

#endif /* _NF_CONNTRACK_COMMON_H */