/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _UAPI_NF_CONNTRACK_COMMON_H
#define _UAPI_NF_CONNTRACK_COMMON_H

/*
 * Connection state tracking for netfilter.  Kept separate from the NAT
 * layer, which depends on it; an iptables extension may use it as well.
 *
 * This header is part of the kernel/userspace ABI: every enumerator value
 * below is fixed.  Values are spelled out explicitly so that inserting a
 * new entry cannot silently renumber the ones after it.
 */

/* Per-packet conntrack state. */
enum ip_conntrack_info {
	/* Packet belongs to an established connection (either direction). */
	IP_CT_ESTABLISHED = 0,

	/* Like NEW, but related to an existing connection, or an ICMP error
	 * (either direction). */
	IP_CT_RELATED = 1,

	/* First packet of a connection being tracked (IP_CT_DIR_ORIGINAL
	 * only); may be a retransmission. */
	IP_CT_NEW = 2,

	/* Threshold: any value >= this denotes the reply direction. */
	IP_CT_IS_REPLY = 3,

	/* Reply-direction variants, offset by IP_CT_IS_REPLY.  There is no
	 * NEW in the reply direction. */
	IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,	/* 3 */
	IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,		/* 4 */

	/* Number of distinct IP_CT values. */
	IP_CT_NUMBER = 5,

#ifndef __KERNEL__
	/* Kept only for userspace compatibility. */
	IP_CT_NEW_REPLY = IP_CT_NUMBER,
#else
	/* Kernel-internal value; not exported to userspace. */
	IP_CT_UNTRACKED = 7,
#endif
};

/*
 * Packet-state bitmask used by rules that match on conntrack state.
 * Bit 0 is INVALID; bits 1..3 are ESTABLISHED/RELATED/NEW; bit 6 is
 * UNTRACKED.  NF_CT_STATE_BIT() reduces ctinfo modulo IP_CT_IS_REPLY, so a
 * reply-direction state lands on the same bit as its original-direction
 * counterpart (e.g. IP_CT_ESTABLISHED_REPLY -> bit 1, like IP_CT_ESTABLISHED).
 */
#define NF_CT_STATE_INVALID_BIT		(1 << 0)
#define NF_CT_STATE_BIT(ctinfo)		(1 << ((ctinfo) % IP_CT_IS_REPLY + 1))
#define NF_CT_STATE_UNTRACKED_BIT	(1 << 6)

/*
 * Connection status bitset.  IPS_*_BIT is the bit number, IPS_* the
 * corresponding mask.  Bits 0-15 are defined; __IPS_MAX_BIT is one past
 * the highest valid bit.
 */
enum ip_conntrack_status {
	/* Expected connection.  Never changes once set. */
	IPS_EXPECTED_BIT = 0,
	IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),

	/* Packets seen in both directions.  Can be set, never cleared. */
	IPS_SEEN_REPLY_BIT = 1,
	IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),

	/* Must never be early-expired. */
	IPS_ASSURED_BIT = 2,
	IPS_ASSURED = (1 << IPS_ASSURED_BIT),

	/* Confirmed: the originating packet has left the box. */
	IPS_CONFIRMED_BIT = 3,
	IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),

	/* Source NAT needed in the original direction.  Never changes. */
	IPS_SRC_NAT_BIT = 4,
	IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),

	/* Destination NAT needed in the original direction.  Never changes. */
	IPS_DST_NAT_BIT = 5,
	IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),

	/* Either kind of NAT. */
	IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),

	/* TCP sequence numbers need adjusting. */
	IPS_SEQ_ADJUST_BIT = 6,
	IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),

	/* NAT initialization completed for the respective direction. */
	IPS_SRC_NAT_DONE_BIT = 7,
	IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),

	IPS_DST_NAT_DONE_BIT = 8,
	IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),

	/* Both NAT-done bits. */
	IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),

	/* Dying: removed from the lists.  Cannot be cleared. */
	IPS_DYING_BIT = 9,
	IPS_DYING = (1 << IPS_DYING_BIT),

	/* Timeout is fixed. */
	IPS_FIXED_TIMEOUT_BIT = 10,
	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),

	/* Conntrack is a template. */
	IPS_TEMPLATE_BIT = 11,
	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),

	/* Historical "fake untracked entry" bit.  Obsolete and no longer used
	 * with that meaning; the bit number is reused in-kernel (below), so
	 * userspace must not read bit 12 as "untracked". */
	IPS_UNTRACKED_BIT = 12,
	IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),

#ifdef __KERNEL__
	/* Repurposed in-kernel: tags a conntrack entry that clashed with an
	 * existing entry on insert.  Same bit as IPS_UNTRACKED. */
	IPS_NAT_CLASH_BIT = IPS_UNTRACKED_BIT,
	IPS_NAT_CLASH = IPS_UNTRACKED,
#endif

	/* A helper was explicitly attached (ruleset or ctnetlink). */
	IPS_HELPER_BIT = 13,
	IPS_HELPER = (1 << IPS_HELPER_BIT),

	/* Offloaded to a flow table. */
	IPS_OFFLOAD_BIT = 14,
	IPS_OFFLOAD = (1 << IPS_OFFLOAD_BIT),

	/* Offloaded to hardware. */
	IPS_HW_OFFLOAD_BIT = 15,
	IPS_HW_OFFLOAD = (1 << IPS_HW_OFFLOAD_BIT),

	/* Bits that only the kernel may change.  Flipping any of these from
	 * outside (e.g. a status word supplied by userspace) can leave the
	 * entry in an inconsistent state, so interfaces that accept a status
	 * from users must mask these out rather than apply them directly. */
	IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
				 IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
				 IPS_SEQ_ADJUST | IPS_TEMPLATE | IPS_UNTRACKED |
				 IPS_OFFLOAD | IPS_HW_OFFLOAD),

	/* One past the highest defined bit. */
	__IPS_MAX_BIT = 16,
};

/* Connection tracking event types. */
enum ip_conntrack_events {
	IPCT_NEW = 0,		/* new conntrack */
	IPCT_RELATED = 1,	/* related conntrack */
	IPCT_DESTROY = 2,	/* conntrack destroyed */
	IPCT_REPLY = 3,		/* two-way traffic seen */
	IPCT_ASSURED = 4,	/* status changed to assured */
	IPCT_PROTOINFO = 5,	/* protocol information changed */
	IPCT_HELPER = 6,	/* new helper set */
	IPCT_MARK = 7,		/* new mark set */
	IPCT_SEQADJ = 8,	/* sequence adjustment changed */
	IPCT_NATSEQADJ = IPCT_SEQADJ,	/* alias for IPCT_SEQADJ */
	IPCT_SECMARK = 9,	/* new security mark set */
	IPCT_LABEL = 10,	/* new connlabel set */
	IPCT_SYNPROXY = 11,	/* synproxy set */
#ifdef __KERNEL__
	__IPCT_MAX		/* kernel-only: one past the last event */
#endif
};

/* Expectation event types. */
enum ip_conntrack_expect_events {
	IPEXP_NEW = 0,		/* new expectation */
	IPEXP_DESTROY = 1,	/* expectation destroyed */
};

/* Expectation flags (bitmask). */
#define NF_CT_EXPECT_PERMANENT	0x1
#define NF_CT_EXPECT_INACTIVE	0x2
#define NF_CT_EXPECT_USERSPACE	0x4

#endif /* _UAPI_NF_CONNTRACK_COMMON_H */