diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-11-25 23:34:48 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-11-25 23:34:48 +0100 |
| commit | b2edf895af82914ab09a842641a45b7a806e9b1e (patch) | |
| tree | 2b2890418f2f39bd12587288411420e9a0b9b369 /include | |
| parent | 6262a4a7b7139fb5636228cb0f5a1e72f848d871 (diff) | |
| download | conntrack-tools-b2edf895af82914ab09a842641a45b7a806e9b1e.tar.gz conntrack-tools-b2edf895af82914ab09a842641a45b7a806e9b1e.zip | |
filter: CIDR-based filtering support
This patch adds CIDR-based filtering support. The current
implementation is O(n).
This patch also introduces the vector data type which is
used to store the IP address and the network mask.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/Makefile.am | 2 | ||||
| -rw-r--r-- | include/cidr.h | 8 | ||||
| -rw-r--r-- | include/filter.h | 15 | ||||
| -rw-r--r-- | include/vector.h | 13 |
4 files changed, 36 insertions, 2 deletions
diff --git a/include/Makefile.am b/include/Makefile.am index 3287a0c..4d22993 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -2,6 +2,6 @@ noinst_HEADERS = alarm.h jhash.h slist.h cache.h linux_list.h linux_rbtree.h \ sync.h conntrackd.h local.h us-conntrack.h \ debug.h log.h hash.h mcast.h conntrack.h \ - network.h filter.h queue.h \ + network.h filter.h queue.h vector.h \ traffic_stats.h netlink.h fds.h event.h bitops.h diff --git a/include/cidr.h b/include/cidr.h new file mode 100644 index 0000000..f8a4e2a --- /dev/null +++ b/include/cidr.h @@ -0,0 +1,8 @@ +#ifndef _CIDR_H_ + +uint32_t ipv4_cidr2mask_host(uint8_t cidr); +uint32_t ipv4_cidr2mask_net(uint8_t cidr); +void ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res); +void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res); + +#endif diff --git a/include/filter.h b/include/filter.h index de0754e..567be34 100644 --- a/include/filter.h +++ b/include/filter.h @@ -2,11 +2,13 @@ #define _FILTER_H_ #include <stdint.h> +#include <string.h> +#include <netinet/in.h> enum ct_filter_type { CT_FILTER_L4PROTO, CT_FILTER_STATE, - CT_FILTER_ADDRESS, + CT_FILTER_ADDRESS, /* also for netmask */ CT_FILTER_MAX }; @@ -15,12 +17,23 @@ enum ct_filter_logic { CT_FILTER_POSITIVE = 1, }; +struct ct_filter_netmask_ipv4 { + uint32_t ip; + uint32_t mask; +}; + +struct ct_filter_netmask_ipv6 { + uint32_t ip[4]; + uint32_t mask[4]; +}; + struct nf_conntrack; struct ct_filter; struct ct_filter *ct_filter_create(void); void ct_filter_destroy(struct ct_filter *filter); int ct_filter_add_ip(struct ct_filter *filter, void *data, uint8_t family); +int ct_filter_add_netmask(struct ct_filter *filter, void *data, uint8_t family); void ct_filter_add_proto(struct ct_filter *filter, int protonum); void ct_filter_add_state(struct ct_filter *f, int protonum, int state); void ct_filter_set_logic(struct ct_filter *f, diff --git a/include/vector.h b/include/vector.h new file mode 100644 index 0000000..5b05cba --- /dev/null +++ b/include/vector.h @@ -0,0 +1,13 @@ +#ifndef _VECTOR_H_ +#define _VECTOR_H_ + +#include <stdlib.h> + +struct vector; + +struct vector *vector_create(size_t size); +void vector_destroy(struct vector *v); +int vector_add(struct vector *v, void *data); +int vector_iterate(struct vector *v, const void *data, int (*fcn)(const void *a, const void *b)); + +#endif |