NFEXT_RULE

A rule describes a class of network activity (remote address or network, remote ports, owning process) by its fields and assigns the filtering flag that is applied to activity matching those fields.

// Port range [from:to] for rules. Port numbers must be in host format!
typedef struct _NFEXT_PORT_RANGE
{
	unsigned short from;
	unsigned short to;
} NFEXT_PORT_RANGE, *PNFEXT_PORT_RANGE;

typedef enum _NFEXT_FILTERING_FLAG
{
	NFEXT_BYPASS = 0,		// Bypass connection/packet
	NFEXT_REDIRECT = 1,		// Redirect connection
	NFEXT_BLOCK = 2,		// Block connection/packet
} NFEXT_FILTERING_FLAG;

typedef enum _NFEXT_RULE_FIELDS
{
	NFEXT_USE_REMOTE_IP = 1,		// Use remoteIp
	NFEXT_USE_REMOTE_IP_MASK = 2,	// Use remoteIpMask
	NFEXT_USE_REMOTE_PORTS = 4,		// Use remotePorts
	NFEXT_USE_PID = 8,				// Use pid
	NFEXT_USE_UID = 16,				// Use uid
	NFEXT_USE_PROCESS_NAME = 32,	// Use processName
} NFEXT_RULE_FIELDS;

typedef struct _NFEXT_RULE
{
	// See NFEXT_RULE_FIELDS
	unsigned int	fieldsMask;	
	// AF_INET for IPv4 and AF_INET6 for IPv6
	unsigned short	ip_family;	
	// Remote IP or network 
	char	remoteIp[NFEXT_MAX_IP_ADDRESS_LENGTH];	
	// Remote IP mask
	char	remoteIpMask[NFEXT_MAX_IP_ADDRESS_LENGTH]; 
	// Remote ports
	NFEXT_PORT_RANGE	remotePorts;

	// Where to redirect the connection
	union 
	{
		struct sockaddr_in	addr4;		// ipv4 remote addr
		struct sockaddr_in6	addr6;		// ipv6 remote addr
	} redirectTo;
	
	// Process id
	pid_t			pid;
	// User id
	pid_t			uid;
	// Process name mask
	char			processName[NFEXT_MAX_PATH];
	// See NFEXT_FILTERING_FLAG
	unsigned long	filteringFlag;
} NFEXT_RULE, *PNFEXT_RULE;


Members

fieldsMask
Specifies which structure fields are used, as a bitmask of the identifiers defined in NFEXT_RULE_FIELDS. Fields whose bit is not set are ignored when matching.
ip_family
Describes the family of IP addresses in rule. Specify AF_INET for IPv4 and AF_INET6 for IPv6.
remoteIp
Destination IPv4 or IPv6 address. Zero means any address.
remoteIpMask
If remoteIpMask is not zero, remoteIp and remoteIpMask together define a network; otherwise remoteIp is matched as a single address.
remotePorts
Destination ports range in host format as NFEXT_PORT_RANGE structure.
redirectTo
IPv4 or IPv6 address to which TCP connections are redirected. It is assigned automatically by the API when redirecting to the local proxy.
pid
Process identifier.
uid
Process owner user identifier.
processName
Process name mask. The * wildcard matches zero or more characters.
filteringFlag
A value from the NFEXT_FILTERING_FLAG enumeration.
 

Remarks

All IP addresses in a rule must be in network byte order (as produced by inet_pton), whereas the port numbers in remotePorts are in host byte order. Use the fieldsMask field to set the bits for the fields of the NFEXT_RULE structure that are in use.

The following values are allowed for filteringFlag:

NFEXT_BYPASS = 0
Allow the activity without filtering the transmitted packets. This flag applies to all network activity that is not matched by any rule.

NFEXT_REDIRECT = 1
Filter outgoing TCP connections by redirecting them to a local proxy. The packets will be indicated via NF_EventHandler methods.

NFEXT_BLOCK = 2
Block the activity.
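The following is an added example, not code from the nfext SDK or from this page. It builds an NFEXT_RULE from textual addresses with the byte-order conventions described above (addresses via inet_pton in network byte order, ports in host byte order) and then evaluates a connection against the rule the way fieldsMask gates each comparison: an unset bit means the field is ignored, an all-zero remoteIp means any address, remoteIpMask turns remoteIp into a network, and * in processName matches zero or more characters. The sizes NFEXT_MAX_IP_ADDRESS_LENGTH and NFEXT_MAX_PATH, the helper names nfext_rule_build, nfext_rule_matches and demo_redirect_rule_matches, and the sample rule (redirect TCP from any process whose path ends in /curl to 10.0.0.0/8, ports 80 to 443) are assumptions made for this example; the matching function illustrates the documented semantics and is not the driver's own implementation.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Assumed sizes for this stand-alone example; real code takes them from the nfext SDK header. */
#define NFEXT_MAX_IP_ADDRESS_LENGTH 16
#define NFEXT_MAX_PATH 260

typedef struct { unsigned short from, to; } NFEXT_PORT_RANGE;
enum { NFEXT_BYPASS = 0, NFEXT_REDIRECT = 1, NFEXT_BLOCK = 2 };
enum { NFEXT_USE_REMOTE_IP = 1, NFEXT_USE_REMOTE_IP_MASK = 2, NFEXT_USE_REMOTE_PORTS = 4,
       NFEXT_USE_PID = 8, NFEXT_USE_UID = 16, NFEXT_USE_PROCESS_NAME = 32 };

typedef struct {
    unsigned int fieldsMask;
    unsigned short ip_family;
    char remoteIp[NFEXT_MAX_IP_ADDRESS_LENGTH];      /* network byte order */
    char remoteIpMask[NFEXT_MAX_IP_ADDRESS_LENGTH];  /* network byte order */
    NFEXT_PORT_RANGE remotePorts;                    /* host byte order */
    union { struct sockaddr_in addr4; struct sockaddr_in6 addr6; } redirectTo;
    pid_t pid;
    pid_t uid;
    char processName[NFEXT_MAX_PATH];
    unsigned long filteringFlag;
} NFEXT_RULE;

/* Process-name mask: '*' matches zero or more characters, everything else matches literally. */
static bool mask_match(const char *mask, const char *s)
{
    if (*mask == '\0') return *s == '\0';
    if (*mask == '*') {
        for (;; s++) {
            if (mask_match(mask + 1, s)) return true;
            if (*s == '\0') return false;
        }
    }
    return *mask == *s && mask_match(mask + 1, s + 1);
}

/* Fill a rule from textual addresses, setting the fieldsMask bit for every field supplied.
 * Returns 0 on success, -1 if an address does not parse for the given family. */
int nfext_rule_build(NFEXT_RULE *r, unsigned short family, const char *ip, const char *mask,
                     unsigned short port_from, unsigned short port_to,
                     const char *proc_mask, unsigned long flag)
{
    memset(r, 0, sizeof *r);
    r->ip_family = family;
    r->filteringFlag = flag;
    if (ip) {                          /* inet_pton stores the address in network byte order */
        if (inet_pton(family, ip, r->remoteIp) != 1) return -1;
        r->fieldsMask |= NFEXT_USE_REMOTE_IP;
    }
    if (mask) {
        if (inet_pton(family, mask, r->remoteIpMask) != 1) return -1;
        r->fieldsMask |= NFEXT_USE_REMOTE_IP_MASK;
    }
    if (port_from || port_to) {        /* ports stay in host byte order, as the SDK requires */
        r->remotePorts.from = port_from;
        r->remotePorts.to = port_to;
        r->fieldsMask |= NFEXT_USE_REMOTE_PORTS;
    }
    if (proc_mask) {
        strncpy(r->processName, proc_mask, NFEXT_MAX_PATH - 1);
        r->fieldsMask |= NFEXT_USE_PROCESS_NAME;
    }
    return 0;
}

/* Match one connection against a rule, honouring fieldsMask. addr is the remote address in
 * network byte order (4 bytes for AF_INET, 16 for AF_INET6); port is in host byte order. */
bool nfext_rule_matches(const NFEXT_RULE *r, unsigned short family, const unsigned char *addr,
                        unsigned short port, pid_t pid, pid_t uid, const char *proc)
{
    size_t n = (family == AF_INET6) ? 16 : 4;
    if (r->ip_family != family) return false;
    if (r->fieldsMask & NFEXT_USE_REMOTE_IP) {
        bool any = true;               /* an all-zero remoteIp means "any address" */
        for (size_t i = 0; i < n; i++) if (r->remoteIp[i]) any = false;
        for (size_t i = 0; !any && i < n; i++) {
            unsigned char m = (r->fieldsMask & NFEXT_USE_REMOTE_IP_MASK)
                              ? (unsigned char)r->remoteIpMask[i] : 0xff;
            if (((unsigned char)r->remoteIp[i] & m) != (addr[i] & m)) return false;
        }
    }
    if ((r->fieldsMask & NFEXT_USE_REMOTE_PORTS) &&
        (port < r->remotePorts.from || port > r->remotePorts.to)) return false;
    if ((r->fieldsMask & NFEXT_USE_PID) && r->pid != pid) return false;
    if ((r->fieldsMask & NFEXT_USE_UID) && r->uid != uid) return false;
    if ((r->fieldsMask & NFEXT_USE_PROCESS_NAME) && !mask_match(r->processName, proc)) return false;
    return true;
}

/* Constructed sample rule: redirect TCP from any process whose path ends in "/curl" to
 * 10.0.0.0/8, ports 80..443. Returns 1 on match, 0 on no match, -1 on unparsable input. */
int demo_redirect_rule_matches(const char *ip, unsigned short port, const char *proc)
{
    NFEXT_RULE rule;
    unsigned char addr[4];
    if (nfext_rule_build(&rule, AF_INET, "10.0.0.0", "255.0.0.0", 80, 443,
                         "*/curl", NFEXT_REDIRECT) != 0) return -1;
    if (inet_pton(AF_INET, ip, addr) != 1) return -1;
    return nfext_rule_matches(&rule, AF_INET, addr, port, 1234, 1000, proc) ? 1 : 0;
}
```

Note that pid and uid are never compared for the sample rule because their bits in fieldsMask are not set, which is the documented meaning of the mask: a field left at zero but flagged as used would match only pid 0 or uid 0, so always set the bit and the value together.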