0001 /* SPDX-License-Identifier: GPL-2.0 */
0002 #ifndef _NF_SYNPROXY_SHARED_H
0003 #define _NF_SYNPROXY_SHARED_H
0004 
0005 #include <linux/module.h>
0006 #include <linux/skbuff.h>
0007 #include <net/ip6_checksum.h>
0008 #include <net/ip6_route.h>
0009 #include <net/tcp.h>
0010 
0011 #include <net/netfilter/nf_conntrack_seqadj.h>
0012 #include <net/netfilter/nf_conntrack_synproxy.h>
0013 
/**
 * struct synproxy_stats - SYNPROXY event counters
 * @syn_received:   by name, SYNs handled by the proxy -- TODO confirm at the
 *                  increment site
 * @cookie_invalid: by name, client ACKs whose cookie failed validation --
 *                  TODO confirm
 * @cookie_valid:   by name, client ACKs whose cookie validated -- TODO confirm
 * @cookie_retrans: by name, retransmitted cookie ACKs -- TODO confirm
 * @conn_reopened:  by name, connections that were reopened -- TODO confirm
 *
 * struct synproxy_net reaches these through a __percpu pointer, so a total
 * presumably has to be summed over CPUs. Every counter is a plain unsigned
 * int and wraps at UINT_MAX; monitoring that watches @syn_received or
 * @cookie_invalid for flood conditions should compare deltas rather than
 * absolute values.
 */
0014 struct synproxy_stats {
0015     unsigned int            syn_received;
0016     unsigned int            cookie_invalid;
0017     unsigned int            cookie_valid;
0018     unsigned int            cookie_retrans;
0019     unsigned int            conn_reopened;
0020 };
0021 
/**
 * struct synproxy_net - SYNPROXY state looked up per struct net
 * @tmpl:      struct nf_conn pointer; presumably the conntrack template
 *             attached to proxied flows -- TODO confirm
 * @stats:     per-CPU struct synproxy_stats
 * @hook_ref4: presumably counts users of the IPv4 hook, paired with
 *             nf_synproxy_ipv4_init()/nf_synproxy_ipv4_fini() -- TODO confirm
 * @hook_ref6: presumably the same for the IPv6 hook -- TODO confirm
 *
 * This is what synproxy_pernet() returns.
 * NOTE(review): @hook_ref4 and @hook_ref6 are plain unsigned ints, not
 * refcount_t or atomic types, and whatever serialises the init/fini callers
 * is not visible in this header -- confirm that they run under a lock.
 */
0022 struct synproxy_net {
0023     struct nf_conn          *tmpl;
0024     struct synproxy_stats __percpu  *stats;
0025     unsigned int            hook_ref4;
0026     unsigned int            hook_ref6;
0027 };
0028 
/* Identifier handed to net_generic() to select SYNPROXY's per-net data. */
extern unsigned int synproxy_net_id;

/**
 * synproxy_pernet - fetch the SYNPROXY state that belongs to a struct net
 * @net: the struct net to look the state up in
 *
 * Return: the result of net_generic(@net, synproxy_net_id), typed as a
 * struct synproxy_net pointer. No NULL check is made here.
 */
static inline struct synproxy_net *synproxy_pernet(struct net *net)
{
	struct synproxy_net *snet = net_generic(net, synproxy_net_id);

	return snet;
}
0034 
/**
 * struct synproxy_options - TCP option values carried through the proxy
 * @options:    u8; presumably a bitmask of which options are present --
 *              TODO confirm against the flag definitions
 * @wscale:     u8; by name, the window-scale shift
 * @mss_option: u16; by name, the MSS taken from the MSS option -- TODO confirm
 * @mss_encode: u16; by name, the MSS value used for cookie encoding --
 *              TODO confirm
 * @tsval:      u32; by name, the TCP timestamp value
 * @tsecr:      u32; by name, the TCP timestamp echo reply
 *
 * synproxy_parse_options(), synproxy_init_timestamp_cookie() and the
 * synproxy_recv_client_ack*() functions take this struct through a non-const
 * pointer; the synproxy_send_client_synack*() functions only read it.
 * NOTE(review): values parsed out of a client segment are chosen by the
 * remote peer. @wscale is a full u8 while RFC 7323 caps the shift at 14 --
 * confirm where it is clamped before it is used or echoed.
 */
0035 struct synproxy_options {
0036     u8              options;
0037     u8              wscale;
0038     u16             mss_option;
0039     u16             mss_encode;
0040     u32             tsval;
0041     u32             tsecr;
0042 };
0043 
/* Forward declaration; only pointers to it are used in this header. */
0044 struct nf_synproxy_info;
/*
 * Parse TCP options into *opts. skb and th are read-only; the bool result
 * presumably reports whether parsing succeeded -- TODO confirm.
 * NOTE(review): doff is a caller-supplied unsigned int and this header does
 * not show how it is checked against the skb length or th->doff; confirm the
 * implementation bounds every option read, since the option bytes come from
 * the remote peer.
 */
0045 bool synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
0046                 const struct tcphdr *th,
0047                 struct synproxy_options *opts);
0048 
/*
 * Updates *opts using the read-only target configuration in info. By name it
 * prepares the timestamp used as a cookie carrier -- TODO confirm what is
 * encoded and in which bits.
 */
0049 void synproxy_init_timestamp_cookie(const struct nf_synproxy_info *info,
0050                     struct synproxy_options *opts);
0051 
/*
 * By name, answers the client's SYN (skb/th, both read-only) with a SYN/ACK
 * built from opts. Returns void, so a failure to build or send the reply is
 * not reported to the caller.
 */
0052 void synproxy_send_client_synack(struct net *net, const struct sk_buff *skb,
0053                  const struct tcphdr *th,
0054                  const struct synproxy_options *opts);
0055 
/*
 * By name, handles the client's ACK. opts is writable and recv_seq is passed
 * by value; the bool result presumably tells the caller whether the ACK was
 * accepted (cookie valid) -- TODO confirm, and confirm that the rejected path
 * is what feeds the cookie_invalid counter.
 */
0056 bool synproxy_recv_client_ack(struct net *net,
0057                   const struct sk_buff *skb,
0058                   const struct tcphdr *th,
0059                   struct synproxy_options *opts, u32 recv_seq);
0060 
/* Forward declaration; only pointers to it are used in this header. */
0061 struct nf_hook_state;
0062 
/*
 * IPv4 entry point taking (priv, skb, hook state) and returning unsigned int;
 * presumably registered as a netfilter hook and returning a verdict --
 * TODO confirm. skb is non-const, so the hook may modify the packet.
 */
0063 unsigned int ipv4_synproxy_hook(void *priv, struct sk_buff *skb,
0064                 const struct nf_hook_state *nhs);
/*
 * Set-up and tear-down for the IPv4 side, operating on the per-net state in
 * snet. init returns int; presumably 0 on success and a negative errno on
 * failure -- TODO confirm. Presumably these maintain snet->hook_ref4.
 */
0065 int nf_synproxy_ipv4_init(struct synproxy_net *snet, struct net *net);
0066 void nf_synproxy_ipv4_fini(struct synproxy_net *snet, struct net *net);
0067 
0068 #if IS_ENABLED(CONFIG_IPV6)
/*
 * IPv6 counterpart of synproxy_send_client_synack(): same parameter list and
 * the same void return, so send failures are not reported to the caller.
 */
0069 void synproxy_send_client_synack_ipv6(struct net *net,
0070                       const struct sk_buff *skb,
0071                       const struct tcphdr *th,
0072                       const struct synproxy_options *opts);
0073 
/*
 * IPv6 counterpart of synproxy_recv_client_ack(): same parameter list; the
 * bool result presumably tells the caller whether the client's ACK was
 * accepted -- TODO confirm.
 */
0074 bool synproxy_recv_client_ack_ipv6(struct net *net, const struct sk_buff *skb,
0075                    const struct tcphdr *th,
0076                    struct synproxy_options *opts, u32 recv_seq);
0077 
/*
 * IPv6 entry point with the same signature as ipv4_synproxy_hook();
 * presumably registered as a netfilter hook and returning a verdict --
 * TODO confirm.
 */
0078 unsigned int ipv6_synproxy_hook(void *priv, struct sk_buff *skb,
0079                 const struct nf_hook_state *nhs);
/*
 * Set-up and tear-down for the IPv6 side. Without CONFIG_IPV6 these are
 * replaced by inline stubs (init returns 0, fini does nothing), so callers
 * can invoke them unconditionally.
 */
0080 int nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net);
0081 void nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net);
0082 #else
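/*
 * Stubs used when the kernel is built without CONFIG_IPV6, so callers can
 * invoke the IPv6 set-up and tear-down without their own #ifdef.
 *
 * nf_synproxy_ipv6_init() reports success (0) without touching snet or net.
 */
static inline int
nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net)
{
	return 0;
}

/*
 * Nothing was set up, so there is nothing to tear down. The stray ';' that
 * followed the body was an empty file-scope declaration, which ISO C does
 * not allow (-Wpedantic warns on it); it is dropped here.
 */
static inline void
nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net)
{
}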
0087 #endif /* CONFIG_IPV6 */
0088 
0089 #endif /* _NF_SYNPROXY_SHARED_H */