rsmnl_linux/netfilter/
mod.rs

1use libc::{c_int, c_uint};
2
3pub mod nf_conntrack_common;
4pub mod nf_conntrack_tcp;
5pub mod nfnetlink;
6pub mod nfnetlink_conntrack;
7pub mod nfnetlink_log;
8pub mod nfnetlink_queue;
9
// Responses from hook functions.
//
// A verdict word is layered: the low byte (`NF_VERDICT_MASK`) holds one of the
// verdicts below, bits 8..=15 hold extra flags, and bits 16..=31 hold a queue
// number (with `NF_QUEUE`) or an errno (with `NF_DROP`). Code that inspects a
// raw verdict word should mask it first; comparing the whole word against
// `NF_ACCEPT` or `NF_DROP` misreads any verdict that carries flags or a queue
// number.

/// Verdict value 0. Being zero, an all-zero verdict word decodes as a drop.
pub const NF_DROP: c_uint = 0;
/// Verdict value 1.
pub const NF_ACCEPT: c_uint = 1;
/// Verdict value 2.
pub const NF_STOLEN: c_uint = 2;
/// Verdict value 3; the queue number travels in the upper 16 bits.
pub const NF_QUEUE: c_uint = 3;
/// Verdict value 4.
pub const NF_REPEAT: c_uint = 4;
/// Verdict value 5. Deprecated, for userspace nf_queue compatibility.
pub const NF_STOP: c_uint = 5;
/// Largest defined verdict value (an alias of `NF_STOP`).
pub const NF_MAX_VERDICT: c_uint = NF_STOP;

/// Selects the verdict proper from a verdict word.
///
/// The higher bits are overloaded to encode auxiliary data such as the queue
/// number or errno values. Not nice, but better than additional function
/// arguments.
pub const NF_VERDICT_MASK: u32 = 0x0000_00ff;

/// Extra verdict flag; the extra verdict flags have mask `0x0000ff00`.
///
/// NOTE(review): in the kernel this flag is understood to let a queued packet
/// continue as if accepted when no userspace listener is bound to the queue,
/// i.e. the queue fails open. Confirm against the kernel documentation before
/// setting it on a queue that is meant to enforce policy.
pub const NF_VERDICT_FLAG_QUEUE_BYPASS: u32 = 0x0000_8000;

/// Selects the queue number (`NF_QUEUE`) or errno (`NF_DROP`) from a verdict word.
pub const NF_VERDICT_QMASK: u32 = 0xffff_0000;
/// Width in bits of the queue-number / errno field.
pub const NF_VERDICT_QBITS: u8 = 16;
30
/// Builds an `NF_QUEUE` verdict word that carries queue number `x`.
///
/// The queue number is shifted into bits 16..=31 and OR-ed with `NF_QUEUE`.
/// Only the low 16 bits of `x` fit in that field: anything above them is
/// shifted out without an error, so a value of 65536 or more silently selects
/// a different queue. Callers that take the queue number from configuration
/// or another external source should range-check it first.
#[allow(non_snake_case)]
pub fn NF_QUEUE_NR(x: u32) -> u32 {
    let queue_field = (x << 16) & NF_VERDICT_QMASK;
    queue_field | NF_QUEUE
}
35
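/// Builds an `NF_DROP` verdict word that carries the errno `x`.
///
/// `x` is negated, shifted into bits 16..=31 and OR-ed with `NF_DROP`. Only
/// the low 16 bits of the negated value fit in that field; larger magnitudes
/// are truncated without an error.
///
/// The negation wraps rather than overflowing, so `i32::MIN` does not panic
/// in builds with overflow checks enabled. It yields plain `NF_DROP`, the
/// same bits the unchecked arithmetic produces.
#[allow(non_snake_case)]
pub fn NF_DROP_ERR(x: i32) -> u32 {
    // Reinterpret as u32 before shifting: the bit pattern is the same as
    // shifting the i32 and casting afterwards, and the high bits just fall off.
    ((x.wrapping_neg() as u32) << 16) | NF_DROP
}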
40
/// Legacy verdict width, kept only for userspace compatibility.
///
/// `NF_VERDICT_BITS` should be 8 now (the verdict mask is `0x000000ff`), but
/// userspace might break if this changes, so it stays at 16. Do not use it to
/// derive the verdict mask.
pub const NF_VERDICT_BITS: u8 = 16;
45// #endif
46
/// Hook points of the `NF_INET_` family, numbered from 0.
///
/// `Numhooks` is the count of hook points, not a hook itself. The enum is
/// `repr(u32)` with discriminants 0..=5 only, so a raw integer received from
/// outside the program must be matched against the `NF_INET_*` constants (or
/// converted with an explicit `match`) rather than transmuted into this type.
// Open question from the original author: bitop? or u32
#[repr(u32)] // c_uint
#[derive(Debug, Copy, Clone)]
pub enum NfInetHooks {
    PreRouting = 0,
    LocalIn = 1,
    Forward = 2,
    LocalOut = 3,
    PostRouting = 4,
    Numhooks = 5,
}

// `c_uint` aliases for the variants above, under their C names.
pub const NF_INET_PRE_ROUTING: c_uint = NfInetHooks::PreRouting as c_uint;
pub const NF_INET_LOCAL_IN: c_uint = NfInetHooks::LocalIn as c_uint;
pub const NF_INET_FORWARD: c_uint = NfInetHooks::Forward as c_uint;
pub const NF_INET_LOCAL_OUT: c_uint = NfInetHooks::LocalOut as c_uint;
pub const NF_INET_POST_ROUTING: c_uint = NfInetHooks::PostRouting as c_uint;
pub const NF_INET_NUMHOOKS: c_uint = NfInetHooks::Numhooks as c_uint;
65
/// Hook points of the `NF_NETDEV_` family.
///
/// `Numhooks` is the count of hook points, not a hook itself. Only the
/// discriminants 0 and 1 are valid, so raw integers from outside the program
/// must be compared against the `NF_NETDEV_*` constants rather than
/// transmuted into this type.
#[repr(u32)] // c_uint
#[derive(Debug, Copy, Clone)]
pub enum NfDevHooks {
    Ingress = 0,
    Numhooks = 1,
}

// `c_uint` aliases for the variants above, under their C names.
pub const NF_NETDEV_INGRESS: c_uint = NfDevHooks::Ingress as c_uint;
pub const NF_NETDEV_NUMHOOKS: c_uint = NfDevHooks::Numhooks as c_uint;
75
/// Protocol families of the `NFPROTO_` namespace.
///
/// The numbering is sparse: 4, 6, 8, 9 and 11 are not variants, and
/// `Numproto` (13) is a count rather than a protocol. A raw family value read
/// from a message must therefore be checked against the `NFPROTO_*` constants
/// (or converted with an explicit `match`) and never transmuted into this
/// type, since an unlisted discriminant is not a valid `NfProto`.
#[repr(C)] // c_int
#[derive(Debug, Copy, Clone)]
pub enum NfProto {
    Unspec = 0,
    Inet = 1,
    Ipv4 = 2,
    Arp = 3,
    // 4 is unassigned here.
    Netdev = 5,
    // 6 is unassigned here.
    Bridge = 7,
    // 8 and 9 are unassigned here.
    Ipv6 = 10,
    // 11 is unassigned here.
    Decnet = 12,
    Numproto = 13,
}

// `c_int` aliases for the variants above, under their C names.
pub const NFPROTO_UNSPEC: c_int = NfProto::Unspec as c_int;
pub const NFPROTO_INET: c_int = NfProto::Inet as c_int;
pub const NFPROTO_IPV4: c_int = NfProto::Ipv4 as c_int;
pub const NFPROTO_ARP: c_int = NfProto::Arp as c_int;
pub const NFPROTO_NETDEV: c_int = NfProto::Netdev as c_int;
pub const NFPROTO_BRIDGE: c_int = NfProto::Bridge as c_int;
pub const NFPROTO_IPV6: c_int = NfProto::Ipv6 as c_int;
pub const NFPROTO_DECNET: c_int = NfProto::Decnet as c_int;
pub const NFPROTO_NUMPROTO: c_int = NfProto::Numproto as c_int;
99
100// XXX: not implemented yet
101// union nf_inet_addr {
102// 	__u32		all[4];
103// 	__be32		ip;
104// 	__be32		ip6[4];
105// 	struct in_addr	in;
106// 	struct in6_addr	in6;
107// };