NFEXT_RULE

A rule defines the filtering flag that is applied to the network activity described by the other rule fields.

// Port range [from:to] for rules. Port numbers must be in host format!
// Used for NFEXT_RULE::dstPorts and NFEXT_RULE::srcPorts, which are consulted
// only when the matching NFEXT_USE_*_PORTS bit is set in fieldsMask.
// The "[from:to]" notation suggests both bounds are inclusive; whether
// from <= to is validated by the consumer is not visible here — TODO confirm.
typedef struct _NFEXT_PORT_RANGE
{
	unsigned short from;	// First port of the range (host byte order)
	unsigned short to;	// Last port of the range (host byte order)
} NFEXT_PORT_RANGE, *PNFEXT_PORT_RANGE;

// Disposition applied to network activity that matches a rule.
// Stored in NFEXT_RULE::filteringFlag, which is declared as unsigned long
// rather than as this enum type (see the struct below).
typedef enum _NFEXT_FILTERING_FLAG
{
	NFEXT_BYPASS = 0,		// Bypass connection/packet (allow without filtering);
					// per the Remarks this is also the disposition for
					// activity that matches no rule, i.e. the default is allow
	NFEXT_REDIRECT = 1,		// Redirect outgoing TCP connection to local proxy
	NFEXT_BLOCK = 2,		// Block connection/packet
} NFEXT_FILTERING_FLAG;

// Bit flags OR-ed together into NFEXT_RULE::fieldsMask to declare which
// selector fields of the rule are in use; a field whose bit is clear is
// presumably not consulted when matching. ruleType, protocol, direction and
// ip_family have no bit here — per the member docs, zero means "any" for
// protocol and direction.
typedef enum _NFEXT_RULE_FIELDS
{
	NFEXT_USE_DST_IP = 1,		// Use dstIp (and dstIpMask) — bit 0
	NFEXT_USE_DST_PORTS = 2,	// Use dstPorts — bit 1
	NFEXT_USE_SRC_IP = 4,		// Use srcIp (and srcIpMask) — bit 2
	NFEXT_USE_SRC_PORTS = 8,	// Use srcPorts — bit 3
	NFEXT_USE_UID = 16,		// Use uid — bit 4
	NFEXT_USE_GID = 32,		// Use gid — bit 5
} NFEXT_RULE_FIELDS;

// Layer at which a rule is evaluated; stored in NFEXT_RULE::ruleType
// (declared as int, not as this enum type).
typedef enum _NFEXT_RULE_TYPE
{
	NFEXT_REDIRECT_RULE = 0,		// Redirection and access control on mangle level
						// (outgoing TCP connections redirected to a local proxy)
	NFEXT_PACKET_RULE = 1,		// Access control on packet level (allow/block any IP traffic)
} NFEXT_RULE_TYPE;

// A filtering rule: the disposition (filteringFlag) applied to network activity
// that matches the selector fields below. Per the Remarks, IP addresses are in
// network byte order while port ranges (NFEXT_PORT_RANGE) are in host byte
// order; a selector whose NFEXT_RULE_FIELDS bit is not set in fieldsMask is
// presumably not consulted when matching.
typedef struct _NFEXT_RULE
{
	// See NFEXT_RULE_TYPE (NFEXT_REDIRECT_RULE or NFEXT_PACKET_RULE)
	int		ruleType;	
	// Protocol (IPPROTO_TCP, IPPROTO_UDP); zero means any protocol
	int		protocol;	
	// Direction (NF_D_IN, NF_D_OUT, NF_D_BOTH or zero); zero and NF_D_BOTH mean any direction
	int		direction;	
	// AF_INET for IPv4 and AF_INET6 for IPv6
	unsigned short	ip_family;	
	// See NFEXT_RULE_FIELDS: bitmask of which selector fields below are in use
	unsigned int	fieldsMask;	

	// Destination IP or network, in network byte order (per the Remarks), so
	// presumably a binary address rather than a text string — confirm.
	// Zero means any address. Used only when NFEXT_USE_DST_IP is set.
	char	dstIp[NFEXT_MAX_IP_ADDRESS_LENGTH];	
	// Destination IP mask; when non-zero, dstIp and dstIpMask define a network.
	// NOTE(review): an unsigned char suggests a prefix length — confirm the encoding.
	unsigned char	dstIpMask; 
	// Destination ports (host byte order); used only when NFEXT_USE_DST_PORTS is set
	NFEXT_PORT_RANGE	dstPorts;

	// Source IP or network, in network byte order (per the Remarks), so
	// presumably a binary address rather than a text string — confirm.
	// Zero means any address. Used only when NFEXT_USE_SRC_IP is set.
	char	srcIp[NFEXT_MAX_IP_ADDRESS_LENGTH];	
	// Source IP mask; when non-zero, srcIp and srcIpMask define a network.
	// NOTE(review): an unsigned char suggests a prefix length — confirm the encoding.
	unsigned char	srcIpMask; 
	// Source ports (host byte order); used only when NFEXT_USE_SRC_PORTS is set
	NFEXT_PORT_RANGE	srcPorts;

	// User id of the process owner; used only when NFEXT_USE_UID is set.
	// NOTE(review): declared as pid_t rather than uid_t — confirm the width
	// matches what the consumer expects.
	pid_t			uid;

	// Group id of the process owner; used only when NFEXT_USE_GID is set.
	// NOTE(review): declared as pid_t rather than gid_t — confirm the width
	// matches what the consumer expects.
	pid_t			gid;

	// See NFEXT_FILTERING_FLAG. Declared as unsigned long rather than the enum type.
	// NOTE(review): sizeof(unsigned long) differs between 32- and 64-bit ABIs, so
	// confirm the layout if this struct crosses a user/kernel or mixed-width boundary.
	unsigned long	filteringFlag;
} NFEXT_RULE, *PNFEXT_RULE;

Members

ruleType
NFEXT_REDIRECT_RULE (0) filters outgoing TCP connections by redirecting them to a local proxy. NFEXT_PACKET_RULE (1) allows or blocks any IP network traffic at packet level.
protocol
Network protocol (IPPROTO_TCP or IPPROTO_UDP). Zero means any protocol.
direction
The direction of network activity. Specify NF_D_IN for inbound packets/connections, NF_D_OUT for outbound packets/connections. Zero or NF_D_BOTH means any direction.
ip_family
Describes the family of the IP addresses in the rule. Specify AF_INET for IPv4 and AF_INET6 for IPv6.
fieldsMask
Bitmask of the structure fields that are in use, built from the identifiers defined in NFEXT_RULE_FIELDS.
dstIp
Destination IPv4 or IPv6 address. Zero means any address.
dstIpMask
If dstIpMask is not zero, dstIp and dstIpMask define a network.
dstPorts
Destination port range, in host byte order, as an NFEXT_PORT_RANGE structure.
srcIp
Source IPv4 or IPv6 address. Zero means any address.
srcIpMask
If srcIpMask is not zero, srcIp and srcIpMask define a network.
srcPorts
Source port range, in host byte order, as an NFEXT_PORT_RANGE structure.
uid
Process owner user identifier.
gid
Process owner group identifier.
filteringFlag
A value from the NFEXT_FILTERING_FLAG enumeration.
 

Remarks

All IP addresses in the rule must be in network byte order. Use the fieldsMask field to set the bits for the fields of the NFEXT_RULE structure that are in use.

The following values are allowed for filteringFlag:

NFEXT_BYPASS = 0
Allow the activity without filtering the transmitted packets. This flag also applies to all network activity that is not described by any rule, i.e. unmatched traffic is allowed by default.

NFEXT_REDIRECT = 1
Filter outgoing TCP connections by redirecting them to a local proxy. The packets are then indicated via the NF_EventHandler methods.

NFEXT_BLOCK = 2
Block the activity.