LXR linux/include/linux/netfilter/nf_conntrack

   1#ifndef _NF_CONNTRACK_COMMON_H
   2#define _NF_CONNTRACK_COMMON_H
   3/* Connection state tracking for netfilter.  This is separated from,
   4   but required by, the NAT layer; it can also be used by an iptables
   5   extension. */
   6enum ip_conntrack_info {
   7        /* Part of an established connection (either direction). */
   8        IP_CT_ESTABLISHED,
   9
  10        /* Like NEW, but related to an existing connection, or ICMP error
  11           (in either direction). */
  12        IP_CT_RELATED,
  13
  14        /* Started a new connection to track (only
  15           IP_CT_DIR_ORIGINAL); may be a retransmission. */
  16        IP_CT_NEW,
  17
  18        /* >= this indicates reply direction */
  19        IP_CT_IS_REPLY,
  20
  21        IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
  22        IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
  23        IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,   
  24        /* Number of distinct IP_CT types (no NEW in reply dirn). */
  25        IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
  26};
  27
  28/* Bitset representing status of connection. */
  29enum ip_conntrack_status {
  30        /* It's an expected connection: bit 0 set.  This bit never changed */
  31        IPS_EXPECTED_BIT = 0,
  32        IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
  33
  34        /* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
  35        IPS_SEEN_REPLY_BIT = 1,
  36        IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
  37
  38        /* Conntrack should never be early-expired. */
  39        IPS_ASSURED_BIT = 2,
  40        IPS_ASSURED = (1 << IPS_ASSURED_BIT),
  41
  42        /* Connection is confirmed: originating packet has left box */
  43        IPS_CONFIRMED_BIT = 3,
  44        IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
  45
  46        /* Connection needs src nat in orig dir.  This bit never changed. */
  47        IPS_SRC_NAT_BIT = 4,
  48        IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
  49
  50        /* Connection needs dst nat in orig dir.  This bit never changed. */
  51        IPS_DST_NAT_BIT = 5,
  52        IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
  53
  54        /* Both together. */
  55        IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
  56
  57        /* Connection needs TCP sequence adjusted. */
  58        IPS_SEQ_ADJUST_BIT = 6,
  59        IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
  60
  61        /* NAT initialization bits. */
  62        IPS_SRC_NAT_DONE_BIT = 7,
  63        IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
  64
  65        IPS_DST_NAT_DONE_BIT = 8,
  66        IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
  67
  68        /* Both together */
  69        IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
  70
  71        /* Connection is dying (removed from lists), can not be unset. */
  72        IPS_DYING_BIT = 9,
  73        IPS_DYING = (1 << IPS_DYING_BIT),
  74
  75        /* Connection has fixed timeout. */
  76        IPS_FIXED_TIMEOUT_BIT = 10,
  77        IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
  78
  79        /* Conntrack is a template */
  80        IPS_TEMPLATE_BIT = 11,
  81        IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
  82
  83        /* Conntrack is a fake untracked entry */
  84        IPS_UNTRACKED_BIT = 12,
  85        IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
  86};
  87
  88/* Connection tracking event types */
  89enum ip_conntrack_events {
  90        IPCT_NEW,               /* new conntrack */
  91        IPCT_RELATED,           /* related conntrack */
  92        IPCT_DESTROY,           /* destroyed conntrack */
  93        IPCT_REPLY,             /* connection has seen two-way traffic */
  94        IPCT_ASSURED,           /* connection status has changed to assured */
  95        IPCT_PROTOINFO,         /* protocol information has changed */
  96        IPCT_HELPER,            /* new helper has been set */
  97        IPCT_MARK,              /* new mark has been set */
  98        IPCT_NATSEQADJ,         /* NAT is doing sequence adjustment */
  99        IPCT_SECMARK,           /* new security mark has been set */
 100};
 101
 102enum ip_conntrack_expect_events {
 103        IPEXP_NEW,              /* new expectation */
 104        IPEXP_DESTROY,          /* destroyed expectation */
 105};
 106
 107/* expectation flags */
 108#define NF_CT_EXPECT_PERMANENT          0x1
 109#define NF_CT_EXPECT_INACTIVE           0x2
 110#define NF_CT_EXPECT_USERSPACE          0x4
 111
 112#ifdef __KERNEL__
 113struct ip_conntrack_stat {
 114        unsigned int searched;
 115        unsigned int found;
 116        unsigned int new;
 117        unsigned int invalid;
 118        unsigned int ignore;
 119        unsigned int delete;
 120        unsigned int delete_list;
 121        unsigned int insert;
 122        unsigned int insert_failed;
 123        unsigned int drop;
 124        unsigned int early_drop;
 125        unsigned int error;
 126        unsigned int expect_new;
 127        unsigned int expect_create;
 128        unsigned int expect_delete;
 129        unsigned int search_restart;
 130};
 131
 132/* call to create an explicit dependency on nf_conntrack. */
 133extern void need_conntrack(void);
 134
 135#endif /* __KERNEL__ */
 136
 137#endif /* _NF_CONNTRACK_COMMON_H */
 138