#ifndef _NFNETLINK_H
#define _NFNETLINK_H
#include <linux/types.h>
-
-#ifndef __KERNEL__
-/* nfnetlink groups: Up to 32 maximum - backwards compatibility for userspace */
-#define NF_NETLINK_CONNTRACK_NEW 0x00000001
-#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002
-#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004
-#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
-#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
-#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
-#endif
+#include <linux/netfilter/nfnetlink_compat.h>
enum nfnetlink_groups {
- NFNLGRP_NONE,
-#define NFNLGRP_NONE NFNLGRP_NONE
- NFNLGRP_CONNTRACK_NEW,
-#define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW
- NFNLGRP_CONNTRACK_UPDATE,
-#define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE
- NFNLGRP_CONNTRACK_DESTROY,
-#define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY
- NFNLGRP_CONNTRACK_EXP_NEW,
-#define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW
- NFNLGRP_CONNTRACK_EXP_UPDATE,
-#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
- NFNLGRP_CONNTRACK_EXP_DESTROY,
-#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
- __NFNLGRP_MAX,
+ NFNLGRP_NONE,
+#define NFNLGRP_NONE NFNLGRP_NONE
+ NFNLGRP_CONNTRACK_NEW,
+#define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW
+ NFNLGRP_CONNTRACK_UPDATE,
+#define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE
+ NFNLGRP_CONNTRACK_DESTROY,
+#define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY
+ NFNLGRP_CONNTRACK_EXP_NEW,
+#define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW
+ NFNLGRP_CONNTRACK_EXP_UPDATE,
+#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
+ NFNLGRP_CONNTRACK_EXP_DESTROY,
+#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
+ __NFNLGRP_MAX,
};
-#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
+#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
/* General form of address family dependent message.
*/
struct nfgenmsg {
- u_int8_t nfgen_family; /* AF_xxx */
- u_int8_t version; /* nfnetlink version */
- __be16 res_id; /* resource id */
+ __u8 nfgen_family; /* AF_xxx */
+ __u8 version; /* nfnetlink version */
+ __be16 res_id; /* resource id */
};
-#define NFNETLINK_V0 0
+#define NFNETLINK_V0 0
/* netfilter netlink message types are split in two pieces:
* 8 bit subsystem, 8bit operation.
*/
-#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8)
-#define NFNL_MSG_TYPE(x) (x & 0x00ff)
+#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8)
+#define NFNL_MSG_TYPE(x) (x & 0x00ff)
/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
* won't work anymore */
-#define NFNL_SUBSYS_NONE 0
-#define NFNL_SUBSYS_CTNETLINK 1
-#define NFNL_SUBSYS_CTNETLINK_EXP 2
-#define NFNL_SUBSYS_QUEUE 3
-#define NFNL_SUBSYS_ULOG 4
-#define NFNL_SUBSYS_COUNT 5
-
-#endif /* _NFNETLINK_H */
+#define NFNL_SUBSYS_NONE 0
+#define NFNL_SUBSYS_CTNETLINK 1
+#define NFNL_SUBSYS_CTNETLINK_EXP 2
+#define NFNL_SUBSYS_QUEUE 3
+#define NFNL_SUBSYS_ULOG 4
+#define NFNL_SUBSYS_OSF 5
+#define NFNL_SUBSYS_IPSET 6
+#define NFNL_SUBSYS_ACCT 7
+#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8
+#define NFNL_SUBSYS_CTHELPER 9
+#define NFNL_SUBSYS_COUNT 10
+
+#ifdef __KERNEL__
+
+#include <linux/netlink.h>
+#include <linux/capability.h>
+#include <net/netlink.h>
+
+struct nfnl_callback {
+ int (*call)(struct sock *nl, struct sk_buff *skb,
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const cda[]);
+ int (*call_rcu)(struct sock *nl, struct sk_buff *skb,
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const cda[]);
+ const struct nla_policy *policy; /* netlink attribute policy */
+ const u_int16_t attr_count; /* number of nlattr's */
+};
+
+struct nfnetlink_subsystem {
+ const char *name;
+ __u8 subsys_id; /* nfnetlink subsystem ID */
+ __u8 cb_count; /* number of callbacks */
+ const struct nfnl_callback *cb; /* callback for individual types */
+};
+
+extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);
+extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n);
+
+extern int nfnetlink_has_listeners(struct net *net, unsigned int group);
+extern int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 pid, unsigned int group,
+ int echo, gfp_t flags);
+extern int nfnetlink_set_err(struct net *net, u32 pid, u32 group, int error);
+extern int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u_int32_t pid, int flags);
+
+extern void nfnl_lock(void);
+extern void nfnl_unlock(void);
+
+#define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
+ MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
+
+#endif /* __KERNEL__ */
+#endif /* _NFNETLINK_H */
#include <linux/netfilter/nfnetlink.h>
enum cntl_msg_types {
- IPCTNL_MSG_CT_NEW,
- IPCTNL_MSG_CT_GET,
- IPCTNL_MSG_CT_DELETE,
- IPCTNL_MSG_CT_GET_CTRZERO,
-
- IPCTNL_MSG_MAX
+ IPCTNL_MSG_CT_NEW,
+ IPCTNL_MSG_CT_GET,
+ IPCTNL_MSG_CT_DELETE,
+ IPCTNL_MSG_CT_GET_CTRZERO,
+ IPCTNL_MSG_CT_GET_STATS_CPU,
+ IPCTNL_MSG_CT_GET_STATS,
+
+ IPCTNL_MSG_MAX
};
enum ctnl_exp_msg_types {
- IPCTNL_MSG_EXP_NEW,
- IPCTNL_MSG_EXP_GET,
- IPCTNL_MSG_EXP_DELETE,
+ IPCTNL_MSG_EXP_NEW,
+ IPCTNL_MSG_EXP_GET,
+ IPCTNL_MSG_EXP_DELETE,
+ IPCTNL_MSG_EXP_GET_STATS_CPU,
- IPCTNL_MSG_EXP_MAX
+ IPCTNL_MSG_EXP_MAX
};
enum ctattr_type {
- CTA_UNSPEC,
- CTA_TUPLE_ORIG,
- CTA_TUPLE_REPLY,
- CTA_STATUS,
- CTA_PROTOINFO,
- CTA_HELP,
- CTA_NAT_SRC,
-#define CTA_NAT CTA_NAT_SRC /* backwards compatibility */
- CTA_TIMEOUT,
- CTA_MARK,
- CTA_COUNTERS_ORIG,
- CTA_COUNTERS_REPLY,
- CTA_USE,
- CTA_ID,
- CTA_NAT_DST,
- __CTA_MAX
+ CTA_UNSPEC,
+ CTA_TUPLE_ORIG,
+ CTA_TUPLE_REPLY,
+ CTA_STATUS,
+ CTA_PROTOINFO,
+ CTA_HELP,
+ CTA_NAT_SRC,
+#define CTA_NAT CTA_NAT_SRC /* backwards compatibility */
+ CTA_TIMEOUT,
+ CTA_MARK,
+ CTA_COUNTERS_ORIG,
+ CTA_COUNTERS_REPLY,
+ CTA_USE,
+ CTA_ID,
+ CTA_NAT_DST,
+ CTA_TUPLE_MASTER,
+ CTA_NAT_SEQ_ADJ_ORIG,
+ CTA_NAT_SEQ_ADJ_REPLY,
+ CTA_SECMARK, /* obsolete */
+ CTA_ZONE,
+ CTA_SECCTX,
+ CTA_TIMESTAMP,
+ CTA_MARK_MASK,
+ __CTA_MAX
};
#define CTA_MAX (__CTA_MAX - 1)
enum ctattr_tuple {
- CTA_TUPLE_UNSPEC,
- CTA_TUPLE_IP,
- CTA_TUPLE_PROTO,
- __CTA_TUPLE_MAX
+ CTA_TUPLE_UNSPEC,
+ CTA_TUPLE_IP,
+ CTA_TUPLE_PROTO,
+ __CTA_TUPLE_MAX
};
#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)
enum ctattr_ip {
- CTA_IP_UNSPEC,
- CTA_IP_V4_SRC,
- CTA_IP_V4_DST,
- CTA_IP_V6_SRC,
- CTA_IP_V6_DST,
- __CTA_IP_MAX
+ CTA_IP_UNSPEC,
+ CTA_IP_V4_SRC,
+ CTA_IP_V4_DST,
+ CTA_IP_V6_SRC,
+ CTA_IP_V6_DST,
+ __CTA_IP_MAX
};
#define CTA_IP_MAX (__CTA_IP_MAX - 1)
enum ctattr_l4proto {
- CTA_PROTO_UNSPEC,
- CTA_PROTO_NUM,
- CTA_PROTO_SRC_PORT,
- CTA_PROTO_DST_PORT,
- CTA_PROTO_ICMP_ID,
- CTA_PROTO_ICMP_TYPE,
- CTA_PROTO_ICMP_CODE,
- CTA_PROTO_ICMPV6_ID,
- CTA_PROTO_ICMPV6_TYPE,
- CTA_PROTO_ICMPV6_CODE,
- __CTA_PROTO_MAX
+ CTA_PROTO_UNSPEC,
+ CTA_PROTO_NUM,
+ CTA_PROTO_SRC_PORT,
+ CTA_PROTO_DST_PORT,
+ CTA_PROTO_ICMP_ID,
+ CTA_PROTO_ICMP_TYPE,
+ CTA_PROTO_ICMP_CODE,
+ CTA_PROTO_ICMPV6_ID,
+ CTA_PROTO_ICMPV6_TYPE,
+ CTA_PROTO_ICMPV6_CODE,
+ __CTA_PROTO_MAX
};
#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)
enum ctattr_protoinfo {
- CTA_PROTOINFO_UNSPEC,
- CTA_PROTOINFO_TCP,
- __CTA_PROTOINFO_MAX
+ CTA_PROTOINFO_UNSPEC,
+ CTA_PROTOINFO_TCP,
+ CTA_PROTOINFO_DCCP,
+ CTA_PROTOINFO_SCTP,
+ __CTA_PROTOINFO_MAX
};
#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
enum ctattr_protoinfo_tcp {
- CTA_PROTOINFO_TCP_UNSPEC,
- CTA_PROTOINFO_TCP_STATE,
- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
- CTA_PROTOINFO_TCP_WSCALE_REPLY,
- CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
- CTA_PROTOINFO_TCP_FLAGS_REPLY,
- __CTA_PROTOINFO_TCP_MAX
+ CTA_PROTOINFO_TCP_UNSPEC,
+ CTA_PROTOINFO_TCP_STATE,
+ CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
+ CTA_PROTOINFO_TCP_WSCALE_REPLY,
+ CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
+ CTA_PROTOINFO_TCP_FLAGS_REPLY,
+ __CTA_PROTOINFO_TCP_MAX
};
#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1)
+enum ctattr_protoinfo_dccp {
+ CTA_PROTOINFO_DCCP_UNSPEC,
+ CTA_PROTOINFO_DCCP_STATE,
+ CTA_PROTOINFO_DCCP_ROLE,
+ CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
+ __CTA_PROTOINFO_DCCP_MAX,
+};
+#define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
+
+enum ctattr_protoinfo_sctp {
+ CTA_PROTOINFO_SCTP_UNSPEC,
+ CTA_PROTOINFO_SCTP_STATE,
+ CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
+ CTA_PROTOINFO_SCTP_VTAG_REPLY,
+ __CTA_PROTOINFO_SCTP_MAX
+};
+#define CTA_PROTOINFO_SCTP_MAX (__CTA_PROTOINFO_SCTP_MAX - 1)
+
enum ctattr_counters {
- CTA_COUNTERS_UNSPEC,
- CTA_COUNTERS_PACKETS, /* old 64bit counters */
- CTA_COUNTERS_BYTES, /* old 64bit counters */
- CTA_COUNTERS32_PACKETS,
- CTA_COUNTERS32_BYTES,
- __CTA_COUNTERS_MAX
+ CTA_COUNTERS_UNSPEC,
+ CTA_COUNTERS_PACKETS, /* 64bit counters */
+ CTA_COUNTERS_BYTES, /* 64bit counters */
+ CTA_COUNTERS32_PACKETS, /* old 32bit counters, unused */
+ CTA_COUNTERS32_BYTES, /* old 32bit counters, unused */
+ __CTA_COUNTERS_MAX
};
#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
+enum ctattr_tstamp {
+ CTA_TIMESTAMP_UNSPEC,
+ CTA_TIMESTAMP_START,
+ CTA_TIMESTAMP_STOP,
+ __CTA_TIMESTAMP_MAX
+};
+#define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1)
+
enum ctattr_nat {
- CTA_NAT_UNSPEC,
- CTA_NAT_MINIP,
- CTA_NAT_MAXIP,
- CTA_NAT_PROTO,
- __CTA_NAT_MAX
+ CTA_NAT_UNSPEC,
+ CTA_NAT_MINIP,
+ CTA_NAT_MAXIP,
+ CTA_NAT_PROTO,
+ __CTA_NAT_MAX
};
#define CTA_NAT_MAX (__CTA_NAT_MAX - 1)
enum ctattr_protonat {
- CTA_PROTONAT_UNSPEC,
- CTA_PROTONAT_PORT_MIN,
- CTA_PROTONAT_PORT_MAX,
- __CTA_PROTONAT_MAX
+ CTA_PROTONAT_UNSPEC,
+ CTA_PROTONAT_PORT_MIN,
+ CTA_PROTONAT_PORT_MAX,
+ __CTA_PROTONAT_MAX
};
#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1)
+enum ctattr_natseq {
+ CTA_NAT_SEQ_UNSPEC,
+ CTA_NAT_SEQ_CORRECTION_POS,
+ CTA_NAT_SEQ_OFFSET_BEFORE,
+ CTA_NAT_SEQ_OFFSET_AFTER,
+ __CTA_NAT_SEQ_MAX
+};
+#define CTA_NAT_SEQ_MAX (__CTA_NAT_SEQ_MAX - 1)
+
enum ctattr_expect {
- CTA_EXPECT_UNSPEC,
- CTA_EXPECT_MASTER,
- CTA_EXPECT_TUPLE,
- CTA_EXPECT_MASK,
- CTA_EXPECT_TIMEOUT,
- CTA_EXPECT_ID,
- CTA_EXPECT_HELP_NAME,
- __CTA_EXPECT_MAX
+ CTA_EXPECT_UNSPEC,
+ CTA_EXPECT_MASTER,
+ CTA_EXPECT_TUPLE,
+ CTA_EXPECT_MASK,
+ CTA_EXPECT_TIMEOUT,
+ CTA_EXPECT_ID,
+ CTA_EXPECT_HELP_NAME,
+ CTA_EXPECT_ZONE,
+ CTA_EXPECT_FLAGS,
+ CTA_EXPECT_CLASS,
+ CTA_EXPECT_NAT,
+ CTA_EXPECT_FN,
+ __CTA_EXPECT_MAX
};
#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
+enum ctattr_expect_nat {
+ CTA_EXPECT_NAT_UNSPEC,
+ CTA_EXPECT_NAT_DIR,
+ CTA_EXPECT_NAT_TUPLE,
+ __CTA_EXPECT_NAT_MAX
+};
+#define CTA_EXPECT_NAT_MAX (__CTA_EXPECT_NAT_MAX - 1)
+
enum ctattr_help {
- CTA_HELP_UNSPEC,
- CTA_HELP_NAME,
- __CTA_HELP_MAX
+ CTA_HELP_UNSPEC,
+ CTA_HELP_NAME,
+ CTA_HELP_INFO,
+ __CTA_HELP_MAX
};
#define CTA_HELP_MAX (__CTA_HELP_MAX - 1)
+enum ctattr_secctx {
+ CTA_SECCTX_UNSPEC,
+ CTA_SECCTX_NAME,
+ __CTA_SECCTX_MAX
+};
+#define CTA_SECCTX_MAX (__CTA_SECCTX_MAX - 1)
+
+enum ctattr_stats_cpu {
+ CTA_STATS_UNSPEC,
+ CTA_STATS_SEARCHED,
+ CTA_STATS_FOUND,
+ CTA_STATS_NEW,
+ CTA_STATS_INVALID,
+ CTA_STATS_IGNORE,
+ CTA_STATS_DELETE,
+ CTA_STATS_DELETE_LIST,
+ CTA_STATS_INSERT,
+ CTA_STATS_INSERT_FAILED,
+ CTA_STATS_DROP,
+ CTA_STATS_EARLY_DROP,
+ CTA_STATS_ERROR,
+ CTA_STATS_SEARCH_RESTART,
+ __CTA_STATS_MAX,
+};
+#define CTA_STATS_MAX (__CTA_STATS_MAX - 1)
+
+enum ctattr_stats_global {
+ CTA_STATS_GLOBAL_UNSPEC,
+ CTA_STATS_GLOBAL_ENTRIES,
+ __CTA_STATS_GLOBAL_MAX,
+};
+#define CTA_STATS_GLOBAL_MAX (__CTA_STATS_GLOBAL_MAX - 1)
+
+enum ctattr_expect_stats {
+ CTA_STATS_EXP_UNSPEC,
+ CTA_STATS_EXP_NEW,
+ CTA_STATS_EXP_CREATE,
+ CTA_STATS_EXP_DELETE,
+ __CTA_STATS_EXP_MAX,
+};
+#define CTA_STATS_EXP_MAX (__CTA_STATS_EXP_MAX - 1)
+
#endif /* _IPCONNTRACK_NETLINK_H */
* and not any kind of function definitions. It is shared between kernel and
* userspace. Don't put kernel specific stuff in here */
-#ifndef aligned_be64
-#define aligned_be64 u_int64_t __attribute__((aligned(8)))
-#endif
-
#include <linux/types.h>
#include <linux/netfilter/nfnetlink.h>
struct nfulnl_msg_packet_hdr {
__be16 hw_protocol; /* hw protocol (network order) */
- u_int8_t hook; /* netfilter hook */
- u_int8_t _pad;
+ __u8 hook; /* netfilter hook */
+ __u8 _pad;
};
struct nfulnl_msg_packet_hw {
__be16 hw_addrlen;
- u_int16_t _pad;
- u_int8_t hw_addr[8];
+ __u16 _pad;
+ __u8 hw_addr[8];
};
struct nfulnl_msg_packet_timestamp {
- aligned_be64 sec;
- aligned_be64 usec;
+ __aligned_be64 sec;
+ __aligned_be64 usec;
};
enum nfulnl_attr_type {
NFULA_UNSPEC,
NFULA_PACKET_HDR,
- NFULA_MARK, /* u_int32_t nfmark */
+ NFULA_MARK, /* __u32 nfmark */
NFULA_TIMESTAMP, /* nfulnl_msg_packet_timestamp */
- NFULA_IFINDEX_INDEV, /* u_int32_t ifindex */
- NFULA_IFINDEX_OUTDEV, /* u_int32_t ifindex */
- NFULA_IFINDEX_PHYSINDEV, /* u_int32_t ifindex */
- NFULA_IFINDEX_PHYSOUTDEV, /* u_int32_t ifindex */
+ NFULA_IFINDEX_INDEV, /* __u32 ifindex */
+ NFULA_IFINDEX_OUTDEV, /* __u32 ifindex */
+ NFULA_IFINDEX_PHYSINDEV, /* __u32 ifindex */
+ NFULA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */
NFULA_HWADDR, /* nfulnl_msg_packet_hw */
NFULA_PAYLOAD, /* opaque data payload */
NFULA_PREFIX, /* string prefix */
NFULA_SEQ, /* instance-local sequence number */
NFULA_SEQ_GLOBAL, /* global sequence number */
NFULA_GID, /* group id of socket */
+ NFULA_HWTYPE, /* hardware type */
+ NFULA_HWHEADER, /* hardware header */
+ NFULA_HWLEN, /* hardware header length */
__NFULA_MAX
};
};
struct nfulnl_msg_config_cmd {
- u_int8_t command; /* nfulnl_msg_config_cmds */
+ __u8 command; /* nfulnl_msg_config_cmds */
} __attribute__ ((packed));
struct nfulnl_msg_config_mode {
__be32 copy_range;
- u_int8_t copy_mode;
- u_int8_t _pad;
+ __u8 copy_mode;
+ __u8 _pad;
} __attribute__ ((packed));
enum nfulnl_attr_config {
NFULA_CFG_UNSPEC,
NFULA_CFG_CMD, /* nfulnl_msg_config_cmd */
NFULA_CFG_MODE, /* nfulnl_msg_config_mode */
- NFULA_CFG_NLBUFSIZ, /* u_int32_t buffer size */
- NFULA_CFG_TIMEOUT, /* u_int32_t in 1/100 s */
- NFULA_CFG_QTHRESH, /* u_int32_t */
- NFULA_CFG_FLAGS, /* u_int16_t */
+ NFULA_CFG_NLBUFSIZ, /* __u32 buffer size */
+ NFULA_CFG_TIMEOUT, /* __u32 in 1/100 s */
+ NFULA_CFG_QTHRESH, /* __u32 */
+ NFULA_CFG_FLAGS, /* __u16 */
__NFULA_CFG_MAX
};
#define NFULA_CFG_MAX (__NFULA_CFG_MAX -1)
#define NFULNL_COPY_NONE 0x00
#define NFULNL_COPY_META 0x01
#define NFULNL_COPY_PACKET 0x02
+/* 0xff is reserved, don't use it for new copy modes. */
#define NFULNL_CFG_F_SEQ 0x0001
#define NFULNL_CFG_F_SEQ_GLOBAL 0x0002
#include <linux/types.h>
#include <linux/netfilter/nfnetlink.h>
-#ifndef aligned_be64
-#define aligned_be64 u_int64_t __attribute__((aligned(8)))
-#endif
-
enum nfqnl_msg_types {
- NFQNL_MSG_PACKET, /* packet from kernel to userspace */
- NFQNL_MSG_VERDICT, /* verdict from userspace to kernel */
- NFQNL_MSG_CONFIG, /* connect to a particular queue */
+ NFQNL_MSG_PACKET, /* packet from kernel to userspace */
+ NFQNL_MSG_VERDICT, /* verdict from userspace to kernel */
+ NFQNL_MSG_CONFIG, /* connect to a particular queue */
+ NFQNL_MSG_VERDICT_BATCH, /* batchv from userspace to kernel */
- NFQNL_MSG_MAX
+ NFQNL_MSG_MAX
};
struct nfqnl_msg_packet_hdr {
- __be32 packet_id; /* unique ID of packet in queue */
- __be16 hw_protocol; /* hw protocol (network order) */
- u_int8_t hook; /* netfilter hook */
+ __be32 packet_id; /* unique ID of packet in queue */
+ __be16 hw_protocol; /* hw protocol (network order) */
+ __u8 hook; /* netfilter hook */
} __attribute__ ((packed));
struct nfqnl_msg_packet_hw {
- __be16 hw_addrlen;
- u_int16_t _pad;
- u_int8_t hw_addr[8];
+ __be16 hw_addrlen;
+ __u16 _pad;
+ __u8 hw_addr[8];
};
struct nfqnl_msg_packet_timestamp {
- aligned_be64 sec;
- aligned_be64 usec;
+ __aligned_be64 sec;
+ __aligned_be64 usec;
};
enum nfqnl_attr_type {
- NFQA_UNSPEC,
- NFQA_PACKET_HDR,
- NFQA_VERDICT_HDR, /* nfqnl_msg_verdict_hrd */
- NFQA_MARK, /* u_int32_t nfmark */
- NFQA_TIMESTAMP, /* nfqnl_msg_packet_timestamp */
- NFQA_IFINDEX_INDEV, /* u_int32_t ifindex */
- NFQA_IFINDEX_OUTDEV, /* u_int32_t ifindex */
- NFQA_IFINDEX_PHYSINDEV, /* u_int32_t ifindex */
- NFQA_IFINDEX_PHYSOUTDEV, /* u_int32_t ifindex */
- NFQA_HWADDR, /* nfqnl_msg_packet_hw */
- NFQA_PAYLOAD, /* opaque data payload */
-
- __NFQA_MAX
+ NFQA_UNSPEC,
+ NFQA_PACKET_HDR,
+ NFQA_VERDICT_HDR, /* nfqnl_msg_verdict_hrd */
+ NFQA_MARK, /* __u32 nfmark */
+ NFQA_TIMESTAMP, /* nfqnl_msg_packet_timestamp */
+ NFQA_IFINDEX_INDEV, /* __u32 ifindex */
+ NFQA_IFINDEX_OUTDEV, /* __u32 ifindex */
+ NFQA_IFINDEX_PHYSINDEV, /* __u32 ifindex */
+ NFQA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */
+ NFQA_HWADDR, /* nfqnl_msg_packet_hw */
+ NFQA_PAYLOAD, /* opaque data payload */
+ NFQA_CT, /* nf_conntrack_netlink.h */
+ NFQA_CT_INFO, /* enum ip_conntrack_info */
+
+ __NFQA_MAX
};
#define NFQA_MAX (__NFQA_MAX - 1)
struct nfqnl_msg_verdict_hdr {
- __be32 verdict;
- __be32 id;
+ __be32 verdict;
+ __be32 id;
};
enum nfqnl_msg_config_cmds {
- NFQNL_CFG_CMD_NONE,
- NFQNL_CFG_CMD_BIND,
- NFQNL_CFG_CMD_UNBIND,
- NFQNL_CFG_CMD_PF_BIND,
- NFQNL_CFG_CMD_PF_UNBIND,
+ NFQNL_CFG_CMD_NONE,
+ NFQNL_CFG_CMD_BIND,
+ NFQNL_CFG_CMD_UNBIND,
+ NFQNL_CFG_CMD_PF_BIND,
+ NFQNL_CFG_CMD_PF_UNBIND,
};
struct nfqnl_msg_config_cmd {
- u_int8_t command; /* nfqnl_msg_config_cmds */
- u_int8_t _pad;
- __be16 pf; /* AF_xxx for PF_[UN]BIND */
+ __u8 command; /* nfqnl_msg_config_cmds */
+ __u8 _pad;
+ __be16 pf; /* AF_xxx for PF_[UN]BIND */
};
enum nfqnl_config_mode {
- NFQNL_COPY_NONE,
- NFQNL_COPY_META,
- NFQNL_COPY_PACKET,
+ NFQNL_COPY_NONE,
+ NFQNL_COPY_META,
+ NFQNL_COPY_PACKET,
};
struct nfqnl_msg_config_params {
- __be32 copy_range;
- u_int8_t copy_mode; /* enum nfqnl_config_mode */
+ __be32 copy_range;
+ __u8 copy_mode; /* enum nfqnl_config_mode */
} __attribute__ ((packed));
enum nfqnl_attr_config {
- NFQA_CFG_UNSPEC,
- NFQA_CFG_CMD, /* nfqnl_msg_config_cmd */
- NFQA_CFG_PARAMS, /* nfqnl_msg_config_params */
- NFQA_CFG_QUEUE_MAXLEN, /* u_int32_t */
- __NFQA_CFG_MAX
+ NFQA_CFG_UNSPEC,
+ NFQA_CFG_CMD, /* nfqnl_msg_config_cmd */
+ NFQA_CFG_PARAMS, /* nfqnl_msg_config_params */
+ NFQA_CFG_QUEUE_MAXLEN, /* __u32 */
+ NFQA_CFG_MASK, /* identify which flags to change */
+ NFQA_CFG_FLAGS, /* value of these flags (__u32) */
+ __NFQA_CFG_MAX
};
#define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
+/* Flags for NFQA_CFG_FLAGS */
+#define NFQA_CFG_F_FAIL_OPEN (1 << 0)
+#define NFQA_CFG_F_CONNTRACK (1 << 1)
+#define NFQA_CFG_F_MAX (1 << 2)
+
#endif /* _NFNETLINK_QUEUE_H */
* of the License.
*
* Copyright (c) 2012 Rich Fought <Rich.Fought@watchguard.com>
+ * Copyright (c) 2008-2009 Thomas Graf <tgraf@suug.ch>
*/
#ifndef __NETLINK_CLI_EXP_H_
extern void nl_cli_exp_parse_timeout(struct nfnl_exp *, char *);
extern void nl_cli_exp_parse_id(struct nfnl_exp *, char *);
extern void nl_cli_exp_parse_helper_name(struct nfnl_exp *, char *);
+extern void nl_cli_exp_parse_zone(struct nfnl_exp *, char *);
+extern void nl_cli_exp_parse_flags(struct nfnl_exp *, char *);
+extern void nl_cli_exp_parse_class(struct nfnl_exp *, char *);
+extern void nl_cli_exp_parse_nat_dir(struct nfnl_exp *, char *);
+extern void nl_cli_exp_parse_fn(struct nfnl_exp *, char *);
+
extern void nl_cli_exp_parse_src(struct nfnl_exp *, int, char *);
extern void nl_cli_exp_parse_dst(struct nfnl_exp *, int, char *);
extern void nl_cli_exp_parse_l4protonum(struct nfnl_exp *, int, char *);
extern void nl_cli_exp_parse_src_port(struct nfnl_exp *, int, char *);
extern void nl_cli_exp_parse_dst_port(struct nfnl_exp *, int, char *);
+extern void nl_cli_exp_parse_icmp_id(struct nfnl_exp *, int, char *);
+extern void nl_cli_exp_parse_icmp_type(struct nfnl_exp *, int, char *);
+extern void nl_cli_exp_parse_icmp_code(struct nfnl_exp *, int, char *);
+
#endif
* Copyright (c) 2003-2008 Thomas Graf <tgraf@suug.ch>
* Copyright (c) 2007 Philip Craig <philipc@snapgear.com>
* Copyright (c) 2007 Secure Computing Corporation
+ * Copyright (c) 2012 Rich Fought <rich.fought@watchguard.com>
*/
#ifndef NETLINK_EXP_H_
#include <linux/version.h>
-#if CTA_EXPECT_MAX > CTA_EXPECT_HELP_NAME
-#define NLE_ZONE
-#elseif CTA_EXPECT_MAX > CTA_EXPECT_ZONE
-#define NLE_ZONE
-#define NLE_FLAGS
-#elseif (CTA_EXPECT_MAX > CTA_EXPECT_FLAGS)
-#define NLE_ZONE
-#define NLE_FLAGS
-#define NLE_NAT_FN_CLASS
-#endif
-
#ifdef __cplusplus
extern "C" {
#endif
NFNL_EXP_TUPLE_EXPECT,
NFNL_EXP_TUPLE_MASTER,
NFNL_EXP_TUPLE_MASK,
-#ifdef NLE_NAT_FN_CLASS
NFNL_EXP_TUPLE_NAT,
-#endif
NFNL_EXP_TUPLE_MAX
};
extern int nfnl_exp_test_helper_name(const struct nfnl_exp *);
extern const char * nfnl_exp_get_helper_name(const struct nfnl_exp *);
-#ifdef NLE_ZONE
extern void nfnl_exp_set_zone(struct nfnl_exp *, uint16_t);
extern int nfnl_exp_test_zone(const struct nfnl_exp *);
extern uint16_t nfnl_exp_get_zone(const struct nfnl_exp *);
-#endif
-#ifdef NLE_FLAGS
extern void nfnl_exp_set_flags(struct nfnl_exp *, uint32_t);
extern int nfnl_exp_test_flags(const struct nfnl_exp *);
extern uint32_t nfnl_exp_get_flags(const struct nfnl_exp *);
-#endif
-#ifdef NLE_NAT_FN_CLASS
extern void nfnl_exp_set_class(struct nfnl_exp *, uint32_t);
extern int nfnl_exp_test_class(const struct nfnl_exp *);
extern uint32_t nfnl_exp_get_class(const struct nfnl_exp *);
extern void nfnl_exp_set_nat_dir(struct nfnl_exp *, uint8_t);
extern int nfnl_exp_test_nat_dir(const struct nfnl_exp *);
extern uint8_t nfnl_exp_get_nat_dir(const struct nfnl_exp *);
-#endif
// The int argument specifies which nfnl_exp_dir (expect, master, mask or nat)
// Expectation objects only use orig, not reply
/*
- * lib/netfilter/ct.c Conntrack Expectation
+ * lib/netfilter/exp.c Conntrack Expectation
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* Copyright (c) 2007 Philip Craig <philipc@snapgear.com>
* Copyright (c) 2007 Secure Computing Corporation
* Copyright (c= 2008 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2012 Rich Fought <rich.fought@watchguard.com>
*/
/**
[CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
[CTA_EXPECT_ID] = { .type = NLA_U32 },
[CTA_EXPECT_HELP_NAME] = { .type = NLA_STRING },
-#ifdef NLE_ZONE
[CTA_EXPECT_ZONE] = { .type = NLA_U16 }, // Added in kernel 2.6.34
-#endif
-#ifdef NLE_FLAGS
[CTA_EXPECT_FLAGS] = { .type = NLA_U32 }, // Added in kernel 2.6.37
-#endif
-#ifdef NLE_NAT_FN_CLASS
[CTA_EXPECT_CLASS] = { .type = NLA_U32 }, // Added in kernel 3.5
[CTA_EXPECT_NAT] = { .type = NLA_NESTED }, // Added in kernel 3.5
[CTA_EXPECT_FN] = { .type = NLA_STRING }, // Added in kernel 3.5
-#endif
};
static struct nla_policy exp_tuple_policy[CTA_TUPLE_MAX+1] = {
[CTA_PROTO_ICMPV6_CODE] = { .type = NLA_U8 },
};
-#ifdef NLE_NAT_FN_CLASS
static struct nla_policy exp_nat_policy[CTA_EXPECT_NAT_MAX+1] = {
[CTA_EXPECT_NAT_DIR] = { .type = NLA_U8 },
[CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
};
-#endif
static int exp_parse_ip(struct nfnl_exp *exp, int tuple, struct nlattr *attr)
{
return 0;
}
-#ifdef NLE_NAT_FN_CLASS
static int exp_parse_nat(struct nfnl_exp *exp, struct nlattr *attr)
{
struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
return 0;
}
-#endif
int nfnlmsg_exp_group(struct nlmsghdr *nlh)
{
goto errout;
}
-#ifdef NLE_NAT_FN_CLASS
if (tb[CTA_EXPECT_NAT])
err = exp_parse_nat(exp, tb[CTA_EXPECT_MASK]);
if (err < 0)
if (tb[CTA_EXPECT_FN])
nfnl_exp_set_fn(exp, nla_data(tb[CTA_EXPECT_FN]));
-#endif
if (tb[CTA_EXPECT_TIMEOUT])
if (tb[CTA_EXPECT_HELP_NAME])
nfnl_exp_set_helper_name(exp, nla_data(tb[CTA_EXPECT_HELP_NAME]));
-#ifdef NLE_ZONE
if (tb[CTA_EXPECT_ZONE])
nfnl_exp_set_zone(exp, ntohs(nla_get_u16(tb[CTA_EXPECT_ZONE])));
-#endif
-#ifdef NLE_FLAGS
if (tb[CTA_EXPECT_FLAGS])
nfnl_exp_set_flags(exp, ntohl(nla_get_u32(tb[CTA_EXPECT_FLAGS])));
-#endif
-
*result = exp;
return 0;
return -NLE_MSGSIZE;
}
-#ifdef NLE_NAT_FN_CLASS
static int nfnl_exp_build_nat(struct nl_msg *msg, const struct nfnl_exp *exp)
{
struct nlattr *nat;
nla_put_failure:
return -NLE_MSGSIZE;
}
-#endif
static int nfnl_exp_build_message(const struct nfnl_exp *exp, int cmd, int flags,
struct nl_msg **result)
if ((err = nfnl_exp_build_tuple(msg, exp, CTA_EXPECT_MASK)) < 0)
goto err_out;
-#ifdef NLE_NAT_FN_CLASS
if (nfnl_exp_test_src(exp, NFNL_EXP_TUPLE_NAT)) {
if ((err = nfnl_exp_build_nat(msg, exp)) < 0)
goto err_out;
if (nfnl_exp_test_fn(exp))
NLA_PUT_STRING(msg, CTA_EXPECT_FN, nfnl_exp_get_fn(exp));
-#endif
if (nfnl_exp_test_id(exp))
NLA_PUT_U32(msg, CTA_EXPECT_ID, htonl(nfnl_exp_get_id(exp)));
if (nfnl_exp_test_helper_name(exp))
NLA_PUT_STRING(msg, CTA_EXPECT_HELP_NAME, nfnl_exp_get_helper_name(exp));
-#ifdef NLE_ZONE
if (nfnl_exp_test_zone(exp))
NLA_PUT_U16(msg, CTA_EXPECT_ZONE, htons(nfnl_exp_get_zone(exp)));
-#endif
-#ifdef NLE_FLAGS
if (nfnl_exp_test_flags(exp))
NLA_PUT_U32(msg, CTA_EXPECT_FLAGS, htonl(nfnl_exp_get_flags(exp)));
-#endif
*result = msg;
return 0;
* Copyright (c) 2003-2008 Thomas Graf <tgraf@suug.ch>
* Copyright (c) 2007 Philip Craig <philipc@snapgear.com>
* Copyright (c) 2007 Secure Computing Corporation
+ * Copyright (c) 2012 Rich Fought <rich.fought@watchguard.com>
*/
#include <sys/types.h>
dump_icmp(p, exp, 0);
}
-#ifdef NLE_NAT_FN_CLASS
if (nfnl_exp_test_nat_dir(exp))
nl_dump(p, "nat dir %s ", exp->exp_nat_dir);
-#endif
}
if (nfnl_exp_test_helper_name(exp))
nl_dump(p, "helper %s ", exp->exp_helper_name);
-#ifdef NLE_NAT_FN_CLASS
if (nfnl_exp_test_fn(exp))
nl_dump(p, "fn %s ", exp->exp_fn);
if (nfnl_exp_test_class(exp))
nl_dump(p, "class %u ", nfnl_exp_get_class(exp));
-#endif
-#ifdef NLE_ZONE
if (nfnl_exp_test_zone(exp))
nl_dump(p, "zone %u ", nfnl_exp_get_zone(exp));
-#endif
-#ifdef NLE_FLAGS
if (nfnl_exp_test_flags(exp))
nl_dump(p, "<");
#define PRINT_FLAG(str) \
if (nfnl_exp_test_flags(exp))
nl_dump(p, ">");
-#endif
nl_dump(p, "\n");
}
return exp->exp_nat_dir;
}
-#ifdef NLE_NAT_FN_CLASS
#define EXP_GET_TUPLE(e, t) \
(t == NFNL_EXP_TUPLE_MASTER) ? \
&(e->exp_master) : \
&(e->exp_mask) : \
(t == NFNL_EXP_TUPLE_NAT) ? \
&(e->exp_nat) : &(exp->exp_expect)
-#else
-#define EXP_GET_TUPLE(e, t) \
- (t == NFNL_EXP_TUPLE_MASTER) ? \
- &(e->exp_master) : \
- (t == NFNL_EXP_TUPLE_MASK) ? \
- &(e->exp_mask) : &(exp->exp_expect)
-#endif
static int exp_get_src_attr(int tuple)
{
case NFNL_EXP_TUPLE_MASK:
attr = EXP_ATTR_MASK_IP_SRC;
break;
-#ifdef NLE_NAT_FN_CLASS
case NFNL_EXP_TUPLE_NAT:
attr = EXP_ATTR_NAT_IP_SRC;
break;
-#endif
case NFNL_EXP_TUPLE_EXPECT:
default :
attr = EXP_ATTR_EXPECT_IP_SRC;
case NFNL_EXP_TUPLE_MASK:
attr = EXP_ATTR_MASK_IP_DST;
break;
-#ifdef NLE_NAT_FN_CLASS
case NFNL_EXP_TUPLE_NAT:
attr = EXP_ATTR_NAT_IP_DST;
break;
-#endif
case NFNL_EXP_TUPLE_EXPECT:
default :
attr = EXP_ATTR_EXPECT_IP_DST;
case NFNL_EXP_TUPLE_MASK:
attr = EXP_ATTR_MASK_L4PROTO_NUM;
break;
-#ifdef NLE_NAT_FN_CLASS
case NFNL_EXP_TUPLE_NAT:
attr = EXP_ATTR_NAT_L4PROTO_NUM;
break;
-#endif
case NFNL_EXP_TUPLE_EXPECT:
default :
attr = EXP_ATTR_EXPECT_L4PROTO_NUM;
case NFNL_EXP_TUPLE_MASK:
attr = EXP_ATTR_MASK_L4PROTO_PORTS;
break;
-#ifdef NLE_NAT_FN_CLASS
case NFNL_EXP_TUPLE_NAT:
attr = EXP_ATTR_NAT_L4PROTO_PORTS;
break;
-#endif
case NFNL_EXP_TUPLE_EXPECT:
default :
attr = EXP_ATTR_EXPECT_L4PROTO_PORTS;
case NFNL_EXP_TUPLE_MASK:
attr = EXP_ATTR_MASK_L4PROTO_ICMP;
break;
-#ifdef NLE_NAT_FN_CLASS
case NFNL_EXP_TUPLE_NAT:
attr = EXP_ATTR_NAT_L4PROTO_ICMP;
break;
-#endif
case NFNL_EXP_TUPLE_EXPECT:
default :
attr = EXP_ATTR_EXPECT_L4PROTO_ICMP;
struct nl_object_ops exp_obj_ops = {
.oo_name = "netfilter/exp",
.oo_size = sizeof(struct nfnl_exp),
- .oo_free_data = exp_free_data,
+ .oo_free_data = exp_free_data,
.oo_clone = exp_clone,
.oo_dump = {
- [NL_DUMP_LINE] = exp_dump_line,
+ [NL_DUMP_LINE] = exp_dump_line,
[NL_DUMP_DETAILS] = exp_dump_details,
},
.oo_compare = exp_compare,
- .oo_attrs2str = exp_attrs2str,
+ .oo_attrs2str = exp_attrs2str,
};
/** @} */
genl-ctrl-list
nf-ct-list
nf-exp-list
-nf-exp-create
+nf-exp-add
+nf-exp-delete
nf-log
nf-monitor
nl-addr-add
noinst_PROGRAMS = \
nf-ct-list nf-log nf-queue nf-monitor \
- nf-exp-list nf-exp-create \
+ nf-exp-list nf-exp-add nf-exp-delete \
nl-addr-add nl-addr-delete nl-addr-list \
nl-link-set nl-link-stats \
nl-link-ifindex2name nl-link-name2ifindex \
nf_queue_SOURCES = nf-queue.c
nf_monitor_SOURCES = nf-monitor.c
+nf_exp_list_SOURCES = nf-exp-list.c
+nf_exp_add_SOURCES = nf-exp-add.c
+nf_exp_delete_SOURCES = nf-exp-delete.c
+
nl_addr_add_SOURCES = nl-addr-add.c
nl_addr_delete_SOURCES = nl-addr-delete.c
nl_addr_list_SOURCES = nl-addr-list.c
* License as published by the Free Software Foundation version 2.1
* of the License.
*
- * Copyright (c) 20012 Rich Fought <Rich.Fought@watchguard.com>
+ * Copyright (c) 2008-2009 Thomas Graf <tgraf@suug.ch>
+ * Copyright (c) 2012 Rich Fought <rich.fought@watchguard.com>
*/
/**
nfnl_exp_set_helper_name(exp, arg);
}
+void nl_cli_exp_parse_zone(struct nfnl_exp *exp, char *arg)
+{
+ uint32_t zone = nl_cli_parse_u32(arg);
+ nfnl_exp_set_zone(exp, zone);
+}
+
+void nl_cli_exp_parse_flags(struct nfnl_exp *exp, char *arg)
+{
+ uint32_t flags = nl_cli_parse_u32(arg);
+ nfnl_exp_set_flags(exp, flags);
+}
+
+void nl_cli_exp_parse_class(struct nfnl_exp *exp, char *arg)
+{
+ uint32_t class = nl_cli_parse_u32(arg);
+ nfnl_exp_set_class(exp, class);
+}
+
+void nl_cli_exp_parse_nat_dir(struct nfnl_exp *exp, char *arg)
+{
+ uint32_t nat_dir = nl_cli_parse_u32(arg);
+ nfnl_exp_set_nat_dir(exp, nat_dir);
+}
+
+void nl_cli_exp_parse_fn(struct nfnl_exp *exp, char *arg)
+{
+ nfnl_exp_set_fn(exp, arg);
+}
+
void nl_cli_exp_parse_src(struct nfnl_exp *exp, int tuple, char *arg)
{
int err;
void nl_cli_exp_parse_src_port(struct nfnl_exp *exp, int tuple, char *arg)
{
uint32_t sport = nl_cli_parse_u32(arg);
- nfnl_exp_set_ports(exp, tuple, sport, 0);
+ uint16_t dport = nfnl_exp_get_dst_port(exp, tuple);
+ nfnl_exp_set_ports(exp, tuple, sport, dport);
}
void nl_cli_exp_parse_dst_port(struct nfnl_exp *exp, int tuple, char *arg)
{
uint32_t dport = nl_cli_parse_u32(arg);
- uint32_t sport = nfnl_exp_get_src_port(exp, tuple);
+ uint16_t sport = nfnl_exp_get_src_port(exp, tuple);
nfnl_exp_set_ports(exp, tuple, sport, dport);
}
+void nl_cli_exp_parse_icmp_id(struct nfnl_exp *exp, int tuple, char *arg)
+{
+ uint32_t id = nl_cli_parse_u32(arg);
+ uint8_t type = nfnl_exp_get_icmp_type(exp, tuple);
+ uint8_t code = nfnl_exp_get_icmp_code(exp, tuple);
+ nfnl_exp_set_icmp(exp, tuple, id, type, code);
+}
+
+void nl_cli_exp_parse_icmp_type(struct nfnl_exp *exp, int tuple, char *arg)
+{
+ uint32_t type = nl_cli_parse_u32(arg);
+ uint16_t id = nfnl_exp_get_icmp_id(exp, tuple);
+ uint8_t code = nfnl_exp_get_icmp_code(exp, tuple);
+ nfnl_exp_set_icmp(exp, tuple, id, type, code);
+}
+
+void nl_cli_exp_parse_icmp_code(struct nfnl_exp *exp, int tuple, char *arg)
+{
+ uint32_t code = nl_cli_parse_u32(arg);
+ uint16_t id = nfnl_exp_get_icmp_id(exp, tuple);
+ uint8_t type = nfnl_exp_get_icmp_type(exp, tuple);
+ nfnl_exp_set_icmp(exp, tuple, id, type, code);
+}
+
/** @} */
/*
- * src/nf-exp-create.c Create an expectation
+ * src/nf-exp-add.c Create an expectation
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation version 2.1
* of the License.
*
- * Copyright (c) 2012 Rich Fought <Rich.Fought@watchguard.com>
+ * Copyright (c) 2003-2009 Thomas Graf <tgraf@suug.ch>
+ * Copyright (c) 2007 Philip Craig <philipc@snapgear.com>
+ * Copyright (c) 2007 Secure Computing Corporation
+ * Copyright (c) 2012 Rich Fought <rich.fought@watchguard.com>
+ *
*/
#include <netlink/cli/utils.h>
" -F, --family=FAMILY Address family\n"
" --timeout=NUM Timeout value\n"
" --helper=STRING Helper Name\n"
- //" --flags Flags\n"
+ " --flags Flags (Kernel 2.6.37)\n"
);
exit(0);
}
ARG_TIMEOUT,
ARG_HELPER_NAME,
ARG_REPLACE,
- //ARG_FLAGS,
+ ARG_FLAGS,
};
static struct option long_opts[] = {
{ "replace", 1, 0, ARG_REPLACE },
{ "family", 1, 0, 'F' },
{ "timeout", 1, 0, ARG_TIMEOUT },
{ "helper", 1, 0, ARG_HELPER_NAME },
- //{ "flags", 1, 0, ARG_FLAGS},
+ { "flags", 1, 0, ARG_FLAGS},
{ 0, 0, 0, 0 }
};
case 'F': nl_cli_exp_parse_family(exp, optarg); break;
case ARG_TIMEOUT: nl_cli_exp_parse_timeout(exp, optarg); break;
case ARG_HELPER_NAME: nl_cli_exp_parse_helper_name(exp, optarg); break;
- //case ARG_FLAGS: nl_cli_exp_parse_flags(exp, optarg); break;
+ case ARG_FLAGS: nl_cli_exp_parse_flags(exp, optarg); break;
}
}
--- /dev/null
+/*
+ * src/nf-exp-delete.c Delete an expectation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation version 2.1
+ * of the License.
+ *
+ * Copyright (c) 2003-2009 Thomas Graf <tgraf@suug.ch>
+ * Copyright (c) 2007 Philip Craig <philipc@snapgear.com>
+ * Copyright (c) 2007 Secure Computing Corporation
+ * Copyright (c) 2012 Rich Fought <rich.fought@watchguard.com>
+ */
+
+#include <netlink/cli/utils.h>
+#include <netlink/cli/exp.h>
+
+static int quiet = 0;
+
+static void print_usage(void)
+{
+ printf(
+ "Usage: nf-exp-list [OPTION]... [CONNTRACK ENTRY]\n"
+ "\n"
+ "Options\n"
+ " --replace Replace the address if it exists.\n"
+ " -q, --quiet Do not print informal notifications.\n"
+ " -h, --help Show this help\n"
+ " -v, --version Show versioning information\n"
+ "\n"
+ "Expectation Selection\n"
+ " -i, --id=NUM Identifier\n"
+ " --expect-proto=PROTOCOL Expectation protocol\n"
+ " --expect-src=ADDR Expectation source address\n"
+ " --expect-sport=PORT Expectation source port\n"
+ " --expect-dst=ADDR Expectation destination address\n"
+ " --expect-dport=PORT Expectation destination port\n"
+ " --master-proto=PROTOCOL Master conntrack protocol\n"
+ " --master-src=ADDR Master conntrack source address\n"
+ " --master-sport=PORT Master conntrack source port\n"
+ " --master-dst=ADDR Master conntrack destination address\n"
+ " --master-dport=PORT Master conntrack destination port\n"
+ " --mask-proto=PROTOCOL Mask protocol\n"
+ " --mask-src=ADDR Mask source address\n"
+ " --mask-sport=PORT Mask source port\n"
+ " --mask-dst=ADDR Mask destination address\n"
+ " --mask-dport=PORT Mask destination port\n"
+ " -F, --family=FAMILY Address family\n"
+ " --timeout=NUM Timeout value\n"
+ " --helper=STRING Helper Name\n"
+ " --flags Flags\n"
+ );
+ exit(0);
+}
+
+int main(int argc, char *argv[])
+{
+ struct nl_sock *sock;
+ struct nfnl_exp *exp;
+ struct nl_dump_params params = {
+ .dp_type = NL_DUMP_LINE,
+ .dp_fd = stdout,
+ };
+ int err, nlflags = 0;
+
+ exp = nl_cli_exp_alloc();
+
+ for (;;) {
+ int c, optidx = 0;
+ enum {
+ ARG_MARK = 270,
+ ARG_TCP_STATE = 271,
+ ARG_EXPECT_PROTO,
+ ARG_EXPECT_SRC,
+ ARG_EXPECT_SPORT,
+ ARG_EXPECT_DST,
+ ARG_EXPECT_DPORT,
+ ARG_MASTER_PROTO,
+ ARG_MASTER_SRC,
+ ARG_MASTER_SPORT,
+ ARG_MASTER_DST,
+ ARG_MASTER_DPORT,
+ ARG_MASK_PROTO,
+ ARG_MASK_SRC,
+ ARG_MASK_SPORT,
+ ARG_MASK_DST,
+ ARG_MASK_DPORT,
+ ARG_TIMEOUT,
+ ARG_HELPER_NAME,
+ ARG_FLAGS,
+ };
+ static struct option long_opts[] = {
+ { "quiet", 0, 0, 'q' },
+ { "help", 0, 0, 'h' },
+ { "version", 0, 0, 'v' },
+ { "id", 1, 0, 'i' },
+ { "expect-proto", 1, 0, ARG_EXPECT_PROTO },
+ { "expect-src", 1, 0, ARG_EXPECT_SRC },
+ { "expect-sport", 1, 0, ARG_EXPECT_SPORT },
+ { "expect-dst", 1, 0, ARG_EXPECT_DST },
+ { "expect-dport", 1, 0, ARG_EXPECT_DPORT },
+ { "master-proto", 1, 0, ARG_MASTER_PROTO },
+ { "master-src", 1, 0, ARG_MASTER_SRC },
+ { "master-sport", 1, 0, ARG_MASTER_SPORT },
+ { "master-dst", 1, 0, ARG_MASTER_DST },
+ { "master-dport", 1, 0, ARG_MASTER_DPORT },
+ { "mask-proto", 1, 0, ARG_MASK_PROTO },
+ { "mask-src", 1, 0, ARG_MASK_SRC },
+ { "mask-sport", 1, 0, ARG_MASK_SPORT },
+ { "mask-dst", 1, 0, ARG_MASK_DST },
+ { "mask-dport", 1, 0, ARG_MASK_DPORT },
+ { "family", 1, 0, 'F' },
+ { "timeout", 1, 0, ARG_TIMEOUT },
+ { "helper", 1, 0, ARG_HELPER_NAME },
+ { "flags", 1, 0, ARG_FLAGS},
+ { 0, 0, 0, 0 }
+ };
+
+ c = getopt_long(argc, argv, "46f:hvi:p:F:", long_opts, &optidx);
+ if (c == -1)
+ break;
+
+ switch (c) {
+ case '?': exit(NLE_INVAL);
+ case 'q': quiet = 1; break;
+ case '4': nfnl_exp_set_family(exp, AF_INET); break;
+ case '6': nfnl_exp_set_family(exp, AF_INET6); break;
+ case 'h': print_usage(); break;
+ case 'v': nl_cli_print_version(); break;
+ case 'i': nl_cli_exp_parse_id(exp, optarg); break;
+ case ARG_EXPECT_PROTO: nl_cli_exp_parse_l4protonum(exp, NFNL_EXP_TUPLE_EXPECT, optarg); break;
+ case ARG_EXPECT_SRC: nl_cli_exp_parse_src(exp, NFNL_EXP_TUPLE_EXPECT, optarg); break;
+ case ARG_EXPECT_SPORT: nl_cli_exp_parse_src_port(exp, NFNL_EXP_TUPLE_EXPECT, optarg); break;
+ case ARG_EXPECT_DST: nl_cli_exp_parse_dst(exp, NFNL_EXP_TUPLE_EXPECT, optarg); break;
+ case ARG_EXPECT_DPORT: nl_cli_exp_parse_dst_port(exp, NFNL_EXP_TUPLE_EXPECT, optarg); break;
+ case ARG_MASTER_PROTO: nl_cli_exp_parse_l4protonum(exp, NFNL_EXP_TUPLE_MASTER, optarg); break;
+ case ARG_MASTER_SRC: nl_cli_exp_parse_src(exp, NFNL_EXP_TUPLE_MASTER, optarg); break;
+ case ARG_MASTER_SPORT: nl_cli_exp_parse_src_port(exp, NFNL_EXP_TUPLE_MASTER, optarg); break;
+ case ARG_MASTER_DST: nl_cli_exp_parse_dst(exp, NFNL_EXP_TUPLE_MASTER, optarg); break;
+ case ARG_MASTER_DPORT: nl_cli_exp_parse_dst_port(exp, NFNL_EXP_TUPLE_MASTER, optarg); break;
+ case ARG_MASK_PROTO: nl_cli_exp_parse_l4protonum(exp, NFNL_EXP_TUPLE_MASK, optarg); break;
+ case ARG_MASK_SRC: nl_cli_exp_parse_src(exp, NFNL_EXP_TUPLE_MASK, optarg); break;
+ case ARG_MASK_SPORT: nl_cli_exp_parse_src_port(exp, NFNL_EXP_TUPLE_MASK, optarg); break;
+ case ARG_MASK_DST: nl_cli_exp_parse_dst(exp, NFNL_EXP_TUPLE_MASK, optarg); break;
+ case ARG_MASK_DPORT: nl_cli_exp_parse_dst_port(exp, NFNL_EXP_TUPLE_MASK, optarg); break;
+ case 'F': nl_cli_exp_parse_family(exp, optarg); break;
+ case ARG_TIMEOUT: nl_cli_exp_parse_timeout(exp, optarg); break;
+ case ARG_HELPER_NAME: nl_cli_exp_parse_helper_name(exp, optarg); break;
+ case ARG_FLAGS: nl_cli_exp_parse_flags(exp, optarg); break;
+ }
+ }
+
+ sock = nl_cli_alloc_socket();
+ nl_cli_connect(sock, NETLINK_NETFILTER);
+
+ if ((err = nfnl_exp_del(sock, exp, nlflags)) < 0)
+ nl_cli_fatal(err, "Unable to delete expectation: %s",
+ nl_geterror(err));
+
+ if (!quiet) {
+ printf("Deleted ");
+ nl_object_dump(OBJ_CAST(exp), ¶ms);
+ }
+
+
+ return 0;
+}
/*
- * src/nf-exp-list.c List Conntrack Entries
+ * src/nf-exp-list.c List Expectation Entries
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation version 2.1
* of the License.
*
- * Copyright (c) 2012 Rich Fought <Rich.Fought@watchguard.com>
+ * Copyright (c) 2003-2009 Thomas Graf <tgraf@suug.ch>
+ * Copyright (c) 2007 Philip Craig <philipc@snapgear.com>
+ * Copyright (c) 2007 Secure Computing Corporation
+ * Copyright (c) 2012 Rich Fought <rich.fought@watchguard.com>
*/
#include <netlink/cli/utils.h>
static void print_usage(void)
{
printf(
- "Usage: nf-exp-list [OPTION]... [CONNTRACK ENTRY]\n"
+ "Usage: nf-exp-list [OPTION]... [EXPECTATION ENTRY]\n"
"\n"
"Options\n"
- " -f, --format=TYPE Output format { brief | details | stats }\n"
+ " -f, --format=TYPE Output format { brief | details }\n"
" -h, --help Show this help\n"
" -v, --version Show versioning information\n"
"\n"
projects / libnl / commitdiff