]> git.pld-linux.org Git - packages/linux-libc-headers.git/blame - linux-libc-headers-netfilter.patch
- rel 5
[packages/linux-libc-headers.git] / linux-libc-headers-netfilter.patch
CommitLineData
ae95cca4
PS
1diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h include/linux/netfilter/ipv4/nf_conntrack_icmp.h
2--- include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3+++ include/linux/netfilter/ipv4/nf_conntrack_icmp.h 2005-08-02 20:02:17.683251344 +0200
014436e1
PS
4@@ -0,0 +1,17 @@
5+/*
6+ * ICMP tracking.
7+ *
8+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_icmp.h
9+ */
ac0c4b1f 10+
014436e1
PS
11+#ifndef _NF_CONNTRACK_ICMP_H
12+#define _NF_CONNTRACK_ICMP_H
13+#include <asm/atomic.h>
ac0c4b1f 14+
014436e1
PS
15+struct nf_ct_icmp
16+{
17+ /* Optimization: when number in == number out, forget immediately. */
18+ atomic_t count;
19+};
ac0c4b1f 20+
014436e1 21+#endif /* _NF_CONNTRACK_ICMP_H */
ae95cca4
PS
22diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h include/linux/netfilter/ipv4/nf_conntrack_ipv4.h
23--- include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h 1970-01-01 01:00:00.000000000 +0100
c558041a 24+++ include/linux/netfilter/ipv4/nf_conntrack_ipv4.h 2005-08-02 20:02:17.684251192 +0200
014436e1
PS
25@@ -0,0 +1,40 @@
26+/*
27+ * IPv4 support for nf_conntrack.
28+ *
29+ * 23 Mar 2004: Yasuyuki Kozakai @ USAGI <yasuyuki.kozakai@toshiba.co.jp>
30+ * - move L3 protocol dependent part from include/linux/netfilter_ipv4/
31+ * ip_conntarck.h
32+ */
0fc89030 33+
014436e1
PS
34+#ifndef _NF_CONNTRACK_IPV4_H
35+#define _NF_CONNTRACK_IPV4_H
36+
37+#ifdef CONFIG_IP_NF_NAT_NEEDED
38+#include <linux/netfilter_ipv4/ip_nat.h>
39+
40+/* per conntrack: nat application helper private data */
41+union ip_conntrack_nat_help {
42+ /* insert nat helper private data here */
43+};
44+
45+struct nf_conntrack_ipv4_nat {
46+ struct ip_nat_info info;
47+ union ip_conntrack_nat_help help;
48+#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
49+ defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
50+ int masq_index;
51+#endif
52+};
53+#endif /* CONFIG_IP_NF_NAT_NEEDED */
54+
55+struct nf_conntrack_ipv4 {
56+#ifdef CONFIG_IP_NF_NAT_NEEDED
57+ struct nf_conntrack_ipv4_nat *nat;
58+#endif
59+};
60+
61+/* Returns new sk_buff, or NULL */
62+struct sk_buff *
63+nf_ct_ipv4_ct_gather_frags(struct sk_buff *skb);
64+
65+#endif /*_NF_CONNTRACK_IPV4_H*/
ae95cca4
PS
66diff -uNr include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h
67--- include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 1970-01-01 01:00:00.000000000 +0100
c558041a 68+++ include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 2005-08-02 20:02:17.698249064 +0200
014436e1
PS
69@@ -0,0 +1,27 @@
70+/*
71+ * ICMPv6 tracking.
72+ *
73+ * 21 Apl 2004: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
74+ * - separated from nf_conntrack_icmp.h
75+ *
76+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_icmp.h
77+ */
78+
79+#ifndef _NF_CONNTRACK_ICMPV6_H
80+#define _NF_CONNTRACK_ICMPV6_H
81+#include <asm/atomic.h>
82+
83+#ifndef ICMPV6_NI_QUERY
84+#define ICMPV6_NI_QUERY 139
85+#endif
86+#ifndef ICMPV6_NI_REPLY
87+#define ICMPV6_NI_REPLY 140
88+#endif
89+
90+struct nf_ct_icmpv6
91+{
92+ /* Optimization: when number in == number out, forget immediately. */
93+ atomic_t count;
94+};
95+
96+#endif /* _NF_CONNTRACK_ICMPV6_H */
ae95cca4
PS
97diff -uNr include.orig/linux/netfilter/nf_conntrack_core.h include/linux/netfilter/nf_conntrack_core.h
98--- include.orig/linux/netfilter/nf_conntrack_core.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
99+++ include/linux/netfilter/nf_conntrack_core.h 2005-08-02 20:02:17.687250736 +0200
100@@ -0,0 +1,72 @@
014436e1
PS
101+/*
102+ * This header is used to share core functionality between the
103+ * standalone connection tracking module, and the compatibility layer's use
104+ * of connection tracking.
105+ *
106+ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
107+ * - generalize L3 protocol dependent part.
108+ *
109+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_core.h
110+ */
111+
112+#ifndef _NF_CONNTRACK_CORE_H
113+#define _NF_CONNTRACK_CORE_H
114+
115+#include <linux/netfilter.h>
c558041a 116+#include <linux/netfilter_ipv4/lockhelp.h>
014436e1
PS
117+
118+/* This header is used to share core functionality between the
119+ standalone connection tracking module, and the compatibility layer's use
120+ of connection tracking. */
121+extern unsigned int nf_conntrack_in(int pf,
122+ unsigned int hooknum,
123+ struct sk_buff **pskb);
124+
125+extern int nf_conntrack_init(void);
126+extern void nf_conntrack_cleanup(void);
127+
128+struct nf_conntrack_l3proto;
129+extern struct nf_conntrack_l3proto *nf_ct_find_l3proto(u_int16_t pf);
130+/* Like above, but you already have conntrack read lock. */
131+extern struct nf_conntrack_l3proto *__nf_ct_find_l3proto(u_int16_t l3proto);
132+
133+struct nf_conntrack_protocol;
134+
135+extern int
136+nf_ct_get_tuple(const struct sk_buff *skb,
137+ unsigned int nhoff,
138+ unsigned int dataoff,
139+ u_int16_t l3num,
140+ u_int8_t protonum,
141+ struct nf_conntrack_tuple *tuple,
142+ const struct nf_conntrack_l3proto *l3proto,
143+ const struct nf_conntrack_protocol *protocol);
144+
145+extern int
146+nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
147+ const struct nf_conntrack_tuple *orig,
148+ const struct nf_conntrack_l3proto *l3proto,
149+ const struct nf_conntrack_protocol *protocol);
150+
151+/* Find a connection corresponding to a tuple. */
152+extern struct nf_conntrack_tuple_hash *
153+nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple,
154+ const struct nf_conn *ignored_conntrack);
155+
156+extern int __nf_conntrack_confirm(struct sk_buff **pskb);
157+
158+/* Confirm a connection: returns NF_DROP if packet must be dropped. */
159+static inline int nf_conntrack_confirm(struct sk_buff **pskb)
160+{
161+ if ((*pskb)->nfct
162+ && !is_confirmed((struct nf_conn *)(*pskb)->nfct))
163+ return __nf_conntrack_confirm(pskb);
164+ return NF_ACCEPT;
165+}
166+
167+extern void __nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb);
168+
169+extern struct list_head *nf_conntrack_hash;
170+extern struct list_head nf_conntrack_expect_list;
171+DECLARE_RWLOCK_EXTERN(nf_conntrack_lock);
172+#endif /* _NF_CONNTRACK_CORE_H */
ae95cca4
PS
173diff -uNr include.orig/linux/netfilter/nf_conntrack_ftp.h include/linux/netfilter/nf_conntrack_ftp.h
174--- include.orig/linux/netfilter/nf_conntrack_ftp.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
175+++ include/linux/netfilter/nf_conntrack_ftp.h 2005-08-02 20:02:17.700248760 +0200
176@@ -0,0 +1,59 @@
014436e1
PS
177+/*
178+ * nf_conntrack_ftp.h
179+ *
180+ * Definitions and Declarations for FTP tracking.
181+ *
182+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_ftp.h
183+ *
184+ * 16 Dec 2003: Yasuyuki Kozakai @ USAGI <yasuyuki.kozakai@toshiba.co.jp>
185+ * - IPv6 support.
186+ */
187+
188+#ifndef _NF_CONNTRACK_FTP_H
189+#define _NF_CONNTRACK_FTP_H
190+/* FTP tracking. */
191+
c558041a
PS
192+#ifdef __KERNEL__
193+
194+#include <linux/netfilter_ipv4/lockhelp.h>
195+
196+/* Protects ftp part of conntracks */
197+DECLARE_LOCK_EXTERN(ip_ftp_lock);
198+
199+#define FTP_PORT 21
200+
201+#endif /* __KERNEL__ */
202+
014436e1
PS
203+enum nf_ct_ftp_type
204+{
205+ /* PORT command from client */
206+ NF_CT_FTP_PORT,
207+ /* PASV response from server */
208+ NF_CT_FTP_PASV,
209+ /* EPRT command from client */
210+ NF_CT_FTP_EPRT,
211+ /* EPSV response from server */
212+ NF_CT_FTP_EPSV,
213+};
214+
215+#define NUM_SEQ_TO_REMEMBER 2
216+/* This structure exists only once per master */
217+struct nf_ct_ftp_master {
218+ /* Valid seq positions for cmd matching after newline */
219+ u_int32_t seq_aft_nl[NF_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
220+ /* 0 means seq_match_aft_nl not set */
221+ int seq_aft_nl_num[NF_CT_DIR_MAX];
222+};
223+
224+struct nf_conntrack_expect;
225+
226+/* For NAT to hook in when we find a packet which describes what other
227+ * connection we should expect. */
228+extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
229+ enum nf_conntrack_info ctinfo,
230+ enum nf_ct_ftp_type type,
231+ unsigned int matchoff,
232+ unsigned int matchlen,
233+ struct nf_conntrack_expect *exp,
234+ u32 *seq);
235+#endif /* _NF_CONNTRACK_FTP_H */
ae95cca4
PS
236diff -uNr include.orig/linux/netfilter/nf_conntrack.h include/linux/netfilter/nf_conntrack.h
237--- include.orig/linux/netfilter/nf_conntrack.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
238+++ include/linux/netfilter/nf_conntrack.h 2005-08-02 20:02:17.708247544 +0200
239@@ -0,0 +1,302 @@
014436e1
PS
240+/*
241+ * Connection state tracking for netfilter. This is separated from,
242+ * but required by, the (future) NAT layer; it can also be used by an iptables
243+ * extension.
244+ *
245+ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
246+ * - generalize L3 protocol dependent part.
247+ *
248+ * Derived from include/linux/netfiter_ipv4/ip_conntrack.h
249+ */
250+
251+#ifndef _NF_CONNTRACK_H
252+#define _NF_CONNTRACK_H
253+
254+enum nf_conntrack_info
255+{
256+ /* Part of an established connection (either direction). */
257+ NF_CT_ESTABLISHED,
258+
259+ /* Like NEW, but related to an existing connection, or ICMP error
260+ (in either direction). */
261+ NF_CT_RELATED,
262+
263+ /* Started a new connection to track (only
264+ NF_CT_DIR_ORIGINAL); may be a retransmission. */
265+ NF_CT_NEW,
266+
267+ /* >= this indicates reply direction */
268+ NF_CT_IS_REPLY,
269+
270+ /* Number of distinct NF_CT types (no NEW in reply dirn). */
271+ NF_CT_NUMBER = NF_CT_IS_REPLY * 2 - 1
272+};
273+
274+/* Bitset representing status of connection. */
275+enum nf_conntrack_status {
276+ /* It's an expected connection: bit 0 set. This bit never changed */
277+ NF_S_EXPECTED_BIT = 0,
278+ NF_S_EXPECTED = (1 << NF_S_EXPECTED_BIT),
279+
280+ /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
281+ NF_S_SEEN_REPLY_BIT = 1,
282+ NF_S_SEEN_REPLY = (1 << NF_S_SEEN_REPLY_BIT),
283+
284+ /* Conntrack should never be early-expired. */
285+ NF_S_ASSURED_BIT = 2,
286+ NF_S_ASSURED = (1 << NF_S_ASSURED_BIT),
287+
288+ /* Connection is confirmed: originating packet has left box */
289+ NF_S_CONFIRMED_BIT = 3,
290+ NF_S_CONFIRMED = (1 << NF_S_CONFIRMED_BIT),
291+};
292+
c558041a
PS
293+#ifdef __KERNEL__
294+#include <linux/config.h>
295+#include <linux/netfilter/nf_conntrack_tuple.h>
296+#include <linux/bitops.h>
297+#include <linux/compiler.h>
298+#include <asm/atomic.h>
299+
300+#include <linux/netfilter/nf_conntrack_tcp.h>
301+#include <linux/netfilter/ipv4/nf_conntrack_icmp.h>
302+#include <linux/netfilter/ipv6/nf_conntrack_icmpv6.h>
303+#include <linux/netfilter/nf_conntrack_sctp.h>
304+
305+/* per conntrack: protocol private data */
306+union nf_conntrack_proto {
307+ /* insert conntrack proto private data here */
308+ struct nf_ct_sctp sctp;
309+ struct nf_ct_tcp tcp;
310+ struct nf_ct_icmp icmp;
311+ struct nf_ct_icmpv6 icmpv6;
312+};
313+
314+union nf_conntrack_expect_proto {
315+ /* insert expect proto private data here */
316+};
317+
318+/* Add protocol helper include file here */
319+#include <linux/netfilter/nf_conntrack_ftp.h>
320+
321+/* per conntrack: application helper private data */
322+union nf_conntrack_help {
323+ /* insert conntrack helper private data (master) here */
324+ struct nf_ct_ftp_master ct_ftp_info;
325+};
326+
327+#include <linux/types.h>
328+#include <linux/skbuff.h>
329+
330+#ifdef CONFIG_NETFILTER_DEBUG
331+#define NF_CT_ASSERT(x) \
332+do { \
333+ if (!(x)) \
334+ /* Wooah! I'm tripping my conntrack in a frenzy of \
335+ netplay... */ \
336+ printk("NF_CT_ASSERT: %s:%i(%s)\n", \
337+ __FILE__, __LINE__, __FUNCTION__); \
338+} while(0)
339+#else
340+#define NF_CT_ASSERT(x)
341+#endif
342+
343+struct nf_conntrack_counter
344+{
345+ u_int64_t packets;
346+ u_int64_t bytes;
347+};
348+
349+struct nf_conntrack_helper;
350+
351+#include <linux/netfilter/ipv4/nf_conntrack_ipv4.h>
352+struct nf_conn
353+{
354+ /* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
355+ plus 1 for any connection(s) we are `master' for */
356+ struct nf_conntrack ct_general;
357+
358+ /* XXX should I move this to the tail ? - Y.K */
359+ /* These are my tuples; original and reply */
360+ struct nf_conntrack_tuple_hash tuplehash[NF_CT_DIR_MAX];
361+
362+ /* Have we seen traffic both ways yet? (bitset) */
363+ unsigned long status;
364+
365+ /* Timer function; drops refcnt when it goes off. */
366+ struct timer_list timeout;
367+
368+#ifdef CONFIG_NF_CT_ACCT
369+ /* Accounting Information (same cache line as other written members) */
370+ struct nf_conntrack_counter counters[NF_CT_DIR_MAX];
371+#endif
372+ /* If we were expected by an expectation, this will be it */
373+ struct nf_conn *master;
374+
375+ /* Current number of expected connections */
376+ unsigned int expecting;
377+
378+ /* Helper. if any */
379+ struct nf_conntrack_helper *helper;
380+
381+ /* features - nat, helper, ... used by allocating system */
382+ u_int32_t features;
383+
384+ /* Storage reserved for other modules: */
385+
386+ union nf_conntrack_proto proto;
387+
388+#if defined(CONFIG_NF_CONNTRACK_MARK)
389+ unsigned long mark;
390+#endif
391+
392+ /* These members are dynamically allocated. */
393+
394+ union nf_conntrack_help *help;
395+
396+ /* Layer 3 dependent members. (ex: NAT) */
397+ union {
398+ struct nf_conntrack_ipv4 *ipv4;
399+ } l3proto;
400+ void *data[0];
401+};
402+
403+struct nf_conntrack_expect
404+{
405+ /* Internal linked list (global expectation list) */
406+ struct list_head list;
407+
408+ /* We expect this tuple, with the following mask */
409+ struct nf_conntrack_tuple tuple, mask;
410+
411+ /* Function to call after setup and insertion */
412+ void (*expectfn)(struct nf_conn *new,
413+ struct nf_conntrack_expect *this);
414+
415+ /* The conntrack of the master connection */
416+ struct nf_conn *master;
417+
418+ /* Timer function; deletes the expectation. */
419+ struct timer_list timeout;
420+
421+#ifdef CONFIG_NF_NAT_NEEDED
422+ /* This is the original per-proto part, used to map the
423+ * expected connection the way the recipient expects. */
424+ union nf_conntrack_manip_proto saved_proto;
425+ /* Direction relative to the master connection. */
426+ enum nf_conntrack_dir dir;
427+#endif
428+};
429+
430+static inline struct nf_conn *
431+tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
432+{
433+ return container_of(hash, struct nf_conn,
434+ tuplehash[hash->tuple.dst.dir]);
435+}
436+
437+/* get master conntrack via master expectation */
438+#define master_ct(conntr) (conntr->master)
439+
440+/* Alter reply tuple (maybe alter helper). */
441+extern void
442+nf_conntrack_alter_reply(struct nf_conn *conntrack,
443+ const struct nf_conntrack_tuple *newreply);
444+
445+/* Is this tuple taken? (ignoring any belonging to the given
446+ conntrack). */
447+extern int
448+nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
449+ const struct nf_conn *ignored_conntrack);
450+
451+/* Return conntrack_info and tuple hash for given skb. */
452+static inline struct nf_conn *
453+nf_ct_get(struct sk_buff *skb, enum nf_conntrack_info *ctinfo)
454+{
455+ *ctinfo = skb->nfctinfo;
456+ return (struct nf_conn *)skb->nfct;
457+}
458+
459+/* decrement reference count on a conntrack */
460+extern void nf_ct_put(struct nf_conn *ct);
461+
462+/* call to create an explicit dependency on nf_conntrack. */
463+extern void need_nf_conntrack(void);
464+
465+extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
466+ const struct nf_conntrack_tuple *orig);
467+
468+/* Refresh conntrack for this many jiffies */
469+extern void nf_ct_refresh_acct(struct nf_conn *ct,
470+ enum nf_conntrack_info ctinfo,
471+ const struct sk_buff *skb,
472+ unsigned long extra_jiffies);
473+
474+/* These are for NAT. Icky. */
475+/* Call me when a conntrack is destroyed. */
476+extern void (*nf_conntrack_destroyed)(struct nf_conn *conntrack);
477+
478+/* Fake conntrack entry for untracked connections */
479+extern struct nf_conn nf_conntrack_untracked;
480+
481+extern int nf_ct_no_defrag;
482+
483+/* Iterate over all conntracks: if iter returns true, it's deleted. */
484+extern void
485+nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data);
486+
487+/* It's confirmed if it is, or has been in the hash table. */
488+static inline int is_confirmed(struct nf_conn *ct)
489+{
490+ return test_bit(NF_S_CONFIRMED_BIT, &ct->status);
491+}
492+
493+extern unsigned int nf_conntrack_htable_size;
494+
495+struct nf_conntrack_stat
496+{
497+ unsigned int searched;
498+ unsigned int found;
499+ unsigned int new;
500+ unsigned int invalid;
501+ unsigned int ignore;
502+ unsigned int delete;
503+ unsigned int delete_list;
504+ unsigned int insert;
505+ unsigned int insert_failed;
506+ unsigned int drop;
507+ unsigned int early_drop;
508+ unsigned int error;
509+ unsigned int expect_new;
510+ unsigned int expect_create;
511+ unsigned int expect_delete;
512+};
513+
514+#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++)
515+
516+/* eg. PROVIDES_CONNTRACK(ftp); */
517+#define PROVIDES_CONNTRACK(name) \
518+ int needs_nf_conntrack_##name; \
519+ EXPORT_SYMBOL(needs_nf_conntrack_##name)
520+
521+/*. eg. NEEDS_CONNTRACK(ftp); */
522+#define NEEDS_CONNTRACK(name) \
523+ extern int needs_nf_conntrack_##name; \
524+ static int *need_nf_conntrack_##name __attribute_used__ = &needs_nf_conntrack_##name
525+
526+/* no helper, no nat */
527+#define NF_CT_F_BASIC 0
528+/* for helper */
529+#define NF_CT_F_HELP 1
530+/* for nat. */
531+#define NF_CT_F_NAT 2
532+#define NF_CT_F_NUM 4
533+
534+extern int
535+nf_conntrack_register_cache(u_int32_t features, const char *name, size_t size,
536+ int (*init_conntrack)(struct nf_conn *, u_int32_t));
537+extern void
538+nf_conntrack_unregister_cache(u_int32_t features);
539+
540+#endif /* __KERNEL__ */
014436e1 541+#endif /* _NF_CONNTRACK_H */
ae95cca4
PS
542diff -uNr include.orig/linux/netfilter/nf_conntrack_helper.h include/linux/netfilter/nf_conntrack_helper.h
543--- include.orig/linux/netfilter/nf_conntrack_helper.h 1970-01-01 01:00:00.000000000 +0100
c558041a 544+++ include/linux/netfilter/nf_conntrack_helper.h 2005-08-02 20:02:17.706247848 +0200
014436e1
PS
545@@ -0,0 +1,50 @@
546+/*
547+ * connection tracking helpers.
548+ *
549+ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
550+ * - generalize L3 protocol dependent part.
551+ *
552+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_helper.h
553+ */
554+
555+#ifndef _NF_CONNTRACK_HELPER_H
556+#define _NF_CONNTRACK_HELPER_H
557+#include <linux/netfilter/nf_conntrack.h>
558+
559+struct module;
560+
561+struct nf_conntrack_helper
562+{
563+ struct list_head list; /* Internal use. */
564+
565+ const char *name; /* name of the module */
566+ struct module *me; /* pointer to self */
567+ unsigned int max_expected; /* Maximum number of concurrent
568+ * expected connections */
569+ unsigned int timeout; /* timeout for expecteds */
570+
571+ /* Mask of things we will help (compared against server response) */
572+ struct nf_conntrack_tuple tuple;
573+ struct nf_conntrack_tuple mask;
574+
575+ /* Function to call when data passes; return verdict, or -1 to
576+ invalidate. */
577+ int (*help)(struct sk_buff **pskb,
578+ unsigned int protoff,
579+ struct nf_conn *ct,
580+ enum nf_conntrack_info conntrackinfo);
581+};
582+
583+extern int nf_conntrack_helper_register(struct nf_conntrack_helper *);
584+extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *);
585+
586+/* Allocate space for an expectation: this is mandatory before calling
587+ nf_conntrack_expect_related. */
588+extern struct nf_conntrack_expect *nf_conntrack_expect_alloc(void);
589+extern void nf_conntrack_expect_free(struct nf_conntrack_expect *exp);
590+
591+/* Add an expected connection: can have more than one per connection */
592+extern int nf_conntrack_expect_related(struct nf_conntrack_expect *exp);
593+extern void nf_conntrack_unexpect_related(struct nf_conntrack_expect *exp);
594+
595+#endif /*_NF_CONNTRACK_HELPER_H*/
ae95cca4
PS
596diff -uNr include.orig/linux/netfilter/nf_conntrack_l3proto.h include/linux/netfilter/nf_conntrack_l3proto.h
597--- include.orig/linux/netfilter/nf_conntrack_l3proto.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
598+++ include/linux/netfilter/nf_conntrack_l3proto.h 2005-08-02 20:02:17.713246784 +0200
599@@ -0,0 +1,93 @@
014436e1
PS
600+/*
601+ * Copyright (C)2003,2004 USAGI/WIDE Project
602+ *
603+ * Header for use in defining a given L3 protocol for connection tracking.
604+ *
605+ * Author:
606+ * Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
607+ *
608+ * Derived from include/netfilter_ipv4/ip_conntrack_protocol.h
609+ */
610+
611+#ifndef _NF_CONNTRACK_L3PROTO_H
612+#define _NF_CONNTRACK_L3PROTO_H
c558041a 613+#include <linux/seq_file.h>
014436e1
PS
614+#include <linux/netfilter/nf_conntrack.h>
615+
616+struct nf_conntrack_l3proto
617+{
618+ /* Next pointer. */
619+ struct list_head list;
620+
621+ /* L3 Protocol Family number. ex) PF_INET */
622+ u_int16_t l3proto;
623+
624+ /* Protocol name */
625+ const char *name;
626+
627+ /*
628+ * Try to fill in the third arg: nhoff is offset of l3 proto
629+ * hdr. Return true if possible.
630+ */
631+ int (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int nhoff,
632+ struct nf_conntrack_tuple *tuple);
633+
634+ /*
635+ * Invert the per-proto part of the tuple: ie. turn xmit into reply.
636+ * Some packets can't be inverted: return 0 in that case.
637+ */
638+ int (*invert_tuple)(struct nf_conntrack_tuple *inverse,
639+ const struct nf_conntrack_tuple *orig);
640+
641+ /* Print out the per-protocol part of the tuple. */
642+ int (*print_tuple)(struct seq_file *s,
643+ const struct nf_conntrack_tuple *);
644+
645+ /* Print out the private part of the conntrack. */
646+ int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
647+
648+ /* Returns verdict for packet, or -1 for invalid. */
649+ int (*packet)(struct nf_conn *conntrack,
650+ const struct sk_buff *skb,
651+ enum nf_conntrack_info ctinfo);
652+
653+ /*
654+ * Called when a new connection for this protocol found;
655+ * returns TRUE if it's OK. If so, packet() called next.
656+ */
657+ int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb);
658+
659+ /* Called when a conntrack entry is destroyed */
660+ void (*destroy)(struct nf_conn *conntrack);
661+
662+ /*
663+ * Called before tracking.
664+ * *dataoff: offset of protocol header (TCP, UDP,...) in *pskb
665+ * *protonum: protocol number
666+ */
667+ int (*prepare)(struct sk_buff **pskb, unsigned int hooknum,
668+ unsigned int *dataoff, u_int8_t *protonum, int *ret);
669+
670+ u_int32_t (*get_features)(const struct nf_conntrack_tuple *tuple);
671+
672+ /* Module (if any) which this is connected to. */
673+ struct module *me;
674+};
675+
676+extern struct nf_conntrack_l3proto *nf_ct_l3protos[AF_MAX];
677+
678+/* Protocol registration. */
679+extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto);
680+extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto);
681+
682+static inline struct nf_conntrack_l3proto *
683+nf_ct_find_l3proto(u_int16_t l3proto)
684+{
685+ return nf_ct_l3protos[l3proto];
686+}
687+
688+/* Existing built-in protocols */
689+extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4;
690+extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6;
691+extern struct nf_conntrack_l3proto nf_conntrack_generic_l3proto;
692+#endif /*_NF_CONNTRACK_L3PROTO_H*/
ae95cca4
PS
693diff -uNr include.orig/linux/netfilter/nf_conntrack_protocol.h include/linux/netfilter/nf_conntrack_protocol.h
694--- include.orig/linux/netfilter/nf_conntrack_protocol.h 1970-01-01 01:00:00.000000000 +0100
c558041a 695+++ include/linux/netfilter/nf_conntrack_protocol.h 2005-08-02 20:02:17.710247240 +0200
014436e1
PS
696@@ -0,0 +1,105 @@
697+/*
698+ * Header for use in defining a given protocol for connection tracking.
699+ *
700+ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
701+ * - generalized L3 protocol dependent part.
702+ *
703+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_protcol.h
704+ */
705+
706+#ifndef _NF_CONNTRACK_PROTOCOL_H
707+#define _NF_CONNTRACK_PROTOCOL_H
708+#include <linux/netfilter/nf_conntrack.h>
709+
710+struct seq_file;
711+
712+struct nf_conntrack_protocol
713+{
714+ /* Next pointer. */
715+ struct list_head list;
716+
717+ /* L3 Protocol number. */
718+ u_int16_t l3proto;
719+
720+ /* Protocol number. */
721+ u_int8_t proto;
722+
723+ /* Protocol name */
724+ const char *name;
725+
726+ /* Try to fill in the third arg: dataoff is offset past network protocol
727+ hdr. Return true if possible. */
728+ int (*pkt_to_tuple)(const struct sk_buff *skb,
729+ unsigned int dataoff,
730+ struct nf_conntrack_tuple *tuple);
731+
732+ /* Invert the per-proto part of the tuple: ie. turn xmit into reply.
733+ * Some packets can't be inverted: return 0 in that case.
734+ */
735+ int (*invert_tuple)(struct nf_conntrack_tuple *inverse,
736+ const struct nf_conntrack_tuple *orig);
737+
738+ /* Print out the per-protocol part of the tuple. Return like seq_* */
739+ int (*print_tuple)(struct seq_file *s,
740+ const struct nf_conntrack_tuple *);
741+
742+ /* Print out the private part of the conntrack. */
743+ int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
744+
745+ /* Returns verdict for packet, or -1 for invalid. */
746+ int (*packet)(struct nf_conn *conntrack,
747+ const struct sk_buff *skb,
748+ unsigned int dataoff,
749+ enum nf_conntrack_info ctinfo,
750+ int pf,
751+ unsigned int hooknum);
752+
753+ /* Called when a new connection for this protocol found;
754+ * returns TRUE if it's OK. If so, packet() called next. */
755+ int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb,
756+ unsigned int dataoff);
757+
758+ /* Called when a conntrack entry is destroyed */
759+ void (*destroy)(struct nf_conn *conntrack);
760+
761+ int (*error)(struct sk_buff *skb, unsigned int dataoff,
762+ enum nf_conntrack_info *ctinfo,
763+ int pf, unsigned int hooknum);
764+
765+ /* Module (if any) which this is connected to. */
766+ struct module *me;
767+};
768+
769+/* Existing built-in protocols */
770+extern struct nf_conntrack_protocol nf_conntrack_protocol_tcp6;
771+extern struct nf_conntrack_protocol nf_conntrack_protocol_udp4;
772+extern struct nf_conntrack_protocol nf_conntrack_protocol_udp6;
773+extern struct nf_conntrack_protocol nf_conntrack_generic_protocol;
774+
775+#define MAX_NF_CT_PROTO 256
776+extern struct nf_conntrack_protocol **nf_ct_protos[PF_MAX];
777+
778+extern struct nf_conntrack_protocol *
779+nf_ct_find_proto(u_int16_t l3proto, u_int8_t protocol);
780+
781+/* Protocol registration. */
782+extern int nf_conntrack_protocol_register(struct nf_conntrack_protocol *proto);
783+extern void nf_conntrack_protocol_unregister(struct nf_conntrack_protocol *proto);
784+
785+/* Log invalid packets */
786+extern unsigned int nf_ct_log_invalid;
787+
788+#ifdef CONFIG_SYSCTL
789+#ifdef DEBUG_INVALID_PACKETS
790+#define LOG_INVALID(proto) \
791+ (nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW)
0fc89030 792+#else
014436e1
PS
793+#define LOG_INVALID(proto) \
794+ ((nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW) \
795+ && net_ratelimit())
0fc89030 796+#endif
014436e1
PS
797+#else
798+#define LOG_INVALID(proto) 0
799+#endif /* CONFIG_SYSCTL */
800+
801+#endif /*_NF_CONNTRACK_PROTOCOL_H*/
ae95cca4
PS
802diff -uNr include.orig/linux/netfilter/nf_conntrack_sctp.h include/linux/netfilter/nf_conntrack_sctp.h
803--- include.orig/linux/netfilter/nf_conntrack_sctp.h 1970-01-01 01:00:00.000000000 +0100
c558041a 804+++ include/linux/netfilter/nf_conntrack_sctp.h 2005-08-02 20:02:17.701248608 +0200
014436e1
PS
805@@ -0,0 +1,30 @@
806+/*
807+ * SCTP tracking.
808+ *
809+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_tcp.h
810+ */
811+
812+#ifndef _NF_CONNTRACK_SCTP_H
813+#define _NF_CONNTRACK_SCTP_H
814+
815+enum sctp_conntrack {
816+ SCTP_CONNTRACK_NONE,
817+ SCTP_CONNTRACK_CLOSED,
818+ SCTP_CONNTRACK_COOKIE_WAIT,
819+ SCTP_CONNTRACK_COOKIE_ECHOED,
820+ SCTP_CONNTRACK_ESTABLISHED,
821+ SCTP_CONNTRACK_SHUTDOWN_SENT,
822+ SCTP_CONNTRACK_SHUTDOWN_RECD,
823+ SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
824+ SCTP_CONNTRACK_MAX
0fc89030
PS
825+};
826+
014436e1
PS
827+struct nf_ct_sctp
828+{
829+ enum sctp_conntrack state;
830+
831+ u_int32_t vtag[NF_CT_DIR_MAX];
832+ u_int32_t ttag[NF_CT_DIR_MAX];
0fc89030
PS
833+};
834+
014436e1 835+#endif /* _NF_CONNTRACK_SCTP_H */
ae95cca4
PS
836diff -uNr include.orig/linux/netfilter/nf_conntrack_tcp.h include/linux/netfilter/nf_conntrack_tcp.h
837--- include.orig/linux/netfilter/nf_conntrack_tcp.h 1970-01-01 01:00:00.000000000 +0100
c558041a 838+++ include/linux/netfilter/nf_conntrack_tcp.h 2005-08-02 20:02:17.681251648 +0200
014436e1
PS
839@@ -0,0 +1,63 @@
840+/*
841+ * TCP tracking.
842+ *
843+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_tcp.h
844+ */
845+
846+#ifndef _NF_CONNTRACK_TCP_H
847+#define _NF_CONNTRACK_TCP_H
0fc89030 848+
014436e1
PS
849+enum tcp_conntrack {
850+ TCP_CONNTRACK_NONE,
851+ TCP_CONNTRACK_SYN_SENT,
852+ TCP_CONNTRACK_SYN_RECV,
853+ TCP_CONNTRACK_ESTABLISHED,
854+ TCP_CONNTRACK_FIN_WAIT,
855+ TCP_CONNTRACK_CLOSE_WAIT,
856+ TCP_CONNTRACK_LAST_ACK,
857+ TCP_CONNTRACK_TIME_WAIT,
858+ TCP_CONNTRACK_CLOSE,
859+ TCP_CONNTRACK_LISTEN,
860+ TCP_CONNTRACK_MAX,
861+ TCP_CONNTRACK_IGNORE
0fc89030
PS
862+};
863+
014436e1
PS
864+/* Window scaling is advertised by the sender */
865+#define NF_CT_TCP_FLAG_WINDOW_SCALE 0x01
866+
867+/* SACK is permitted by the sender */
868+#define NF_CT_TCP_FLAG_SACK_PERM 0x02
869+
870+struct nf_ct_tcp_state {
871+ u_int32_t td_end; /* max of seq + len */
872+ u_int32_t td_maxend; /* max of ack + max(win, 1) */
873+ u_int32_t td_maxwin; /* max(win) */
874+ u_int8_t td_scale; /* window scale factor */
875+ u_int8_t loose; /* used when connection picked up from the middle */
876+ u_int8_t flags; /* per direction state flags */
0fc89030
PS
877+};
878+
014436e1
PS
879+struct nf_ct_tcp
880+{
881+ struct nf_ct_tcp_state seen[2]; /* connection parameters per direction */
882+ u_int8_t state; /* state of the connection (enum tcp_conntrack) */
883+ /* For detecting stale connections */
884+ u_int8_t last_dir; /* Direction of the last packet (enum nf_conntrack_dir) */
885+ u_int8_t retrans; /* Number of retransmitted packets */
886+ u_int8_t last_index; /* Index of the last packet */
887+ u_int32_t last_seq; /* Last sequence number seen in dir */
888+ u_int32_t last_ack; /* Last sequence number seen in opposite dir */
889+ u_int32_t last_end; /* Last seq + len */
890+};
891+
892+/* Need this, since this file is included before the nf_conn definition
893+ * in nf_conntrack.h */
894+struct nf_conn;
895+
896+/* Update TCP window tracking data when NAT mangles the packet */
897+extern void nf_conntrack_tcp_update(struct sk_buff *skb,
898+ unsigned int dataoff,
899+ struct nf_conn *conntrack,
900+ int dir);
901+
902+#endif /* _NF_CONNTRACK_TCP_H */
ae95cca4
PS
903diff -uNr include.orig/linux/netfilter/nf_conntrack_tuple.h include/linux/netfilter/nf_conntrack_tuple.h
904--- include.orig/linux/netfilter/nf_conntrack_tuple.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
905+++ include/linux/netfilter/nf_conntrack_tuple.h 2005-08-02 20:02:17.704248152 +0200
906@@ -0,0 +1,201 @@
014436e1
PS
907+/*
908+ * Definitions and Declarations for tuple.
909+ *
910+ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
911+ * - generalize L3 protocol dependent part.
912+ *
913+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h
914+ */
0fc89030 915+
014436e1
PS
916+#ifndef _NF_CONNTRACK_TUPLE_H
917+#define _NF_CONNTRACK_TUPLE_H
0fc89030 918+
014436e1
PS
919+/* A `tuple' is a structure containing the information to uniquely
920+ identify a connection. ie. if two packets have the same tuple, they
921+ are in the same connection; if not, they are not.
922+
923+ We divide the structure along "manipulatable" and
924+ "non-manipulatable" lines, for the benefit of the NAT code.
925+*/
0fc89030 926+
014436e1
PS
927+#define NF_CT_TUPLE_L3SIZE 4
928+
929+/* The l3 protocol-specific manipulable parts of the tuple: always in
930+ network order! */
931+union nf_conntrack_man_l3proto {
932+ u_int32_t all[NF_CT_TUPLE_L3SIZE];
933+ u_int32_t ip;
934+ u_int32_t ip6[4];
0fc89030
PS
935+};
936+
014436e1
PS
937+/* The protocol-specific manipulable parts of the tuple: always in
938+ network order! */
939+union nf_conntrack_man_proto
940+{
941+ /* Add other protocols here. */
942+ u_int16_t all;
943+
0fc89030 944+ struct {
014436e1
PS
945+ u_int16_t port;
946+ } tcp;
947+ struct {
948+ u_int16_t port;
949+ } udp;
950+ struct {
951+ u_int16_t id;
952+ } icmp;
953+ struct {
954+ u_int16_t port;
955+ } sctp;
956+};
957+
958+/* The manipulable part of the tuple. */
959+struct nf_conntrack_man
960+{
961+ union nf_conntrack_man_l3proto u3;
962+ union nf_conntrack_man_proto u;
963+ /* Layer 3 protocol */
964+ u_int16_t l3num;
965+};
966+
967+/* This contains the information to distinguish a connection. */
968+struct nf_conntrack_tuple
969+{
970+ struct nf_conntrack_man src;
971+
972+ /* These are the parts of the tuple which are fixed. */
973+ struct {
974+ union {
975+ u_int32_t all[NF_CT_TUPLE_L3SIZE];
976+ u_int32_t ip;
977+ u_int32_t ip6[4];
978+ } u3;
979+ union {
980+ /* Add other protocols here. */
981+ u_int16_t all;
982+
0fc89030 983+ struct {
014436e1
PS
984+ u_int16_t port;
985+ } tcp;
986+ struct {
987+ u_int16_t port;
988+ } udp;
989+ struct {
990+ u_int8_t type, code;
991+ } icmp;
992+ struct {
993+ u_int16_t port;
994+ } sctp;
995+ } u;
996+
997+ /* The protocol. */
998+ u_int8_t protonum;
999+
1000+ /* The direction (for tuplehash) */
1001+ u_int8_t dir;
1002+ } dst;
1003+};
1004+
1005+/* This is optimized opposed to a memset of the whole structure. Everything we
1006+ * really care about is the source/destination unions */
1007+#define NF_CT_TUPLE_U_BLANK(tuple) \
1008+ do { \
1009+ (tuple)->src.u.all = 0; \
1010+ (tuple)->dst.u.all = 0; \
1011+ memset((tuple)->src.u3.all, 0, \
1012+ sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \
1013+ memset((tuple)->dst.u3.all, 0, \
1014+ sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \
1015+ } while (0)
1016+
1017+enum nf_conntrack_dir
1018+{
1019+ NF_CT_DIR_ORIGINAL,
1020+ NF_CT_DIR_REPLY,
1021+ NF_CT_DIR_MAX
1022+};
1023+
c558041a
PS
1024+#ifdef __KERNEL__
1025+
1026+#define NF_CT_DUMP_TUPLE(tp) \
1027+DEBUGP("tuple %p: %u %u %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu -> %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu\n", \
1028+ (tp), (tp)->src.l3num, (tp)->dst.protonum, \
1029+ NIP6(*(struct in6_addr *)(tp)->src.u3.all), ntohs((tp)->src.u.all), \
1030+ NIP6(*(struct in6_addr *)(tp)->dst.u3.all), ntohs((tp)->dst.u.all))
1031+
1032+#define NFCTINFO2DIR(ctinfo) ((ctinfo) >= NF_CT_IS_REPLY ? NF_CT_DIR_REPLY : NF_CT_DIR_ORIGINAL)
1033+
1034+/* If we're the first tuple, it's the original dir. */
1035+#define NF_CT_DIRECTION(h) \
1036+ ((enum nf_conntrack_dir)(h)->tuple.dst.dir)
1037+
1038+/* Connections have two entries in the hash table: one for each way */
1039+struct nf_conntrack_tuple_hash
1040+{
1041+ struct list_head list;
1042+
1043+ struct nf_conntrack_tuple tuple;
1044+};
1045+
1046+#endif /* __KERNEL__ */
1047+
014436e1
PS
1048+static inline int nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
1049+ const struct nf_conntrack_tuple *t2)
1050+{
1051+ return (t1->src.u3.all[0] == t2->src.u3.all[0] &&
1052+ t1->src.u3.all[1] == t2->src.u3.all[1] &&
1053+ t1->src.u3.all[2] == t2->src.u3.all[2] &&
1054+ t1->src.u3.all[3] == t2->src.u3.all[3] &&
1055+ t1->src.u.all == t2->src.u.all &&
1056+ t1->src.l3num == t2->src.l3num &&
1057+ t1->dst.protonum == t2->dst.protonum);
1058+}
1059+
1060+static inline int nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
1061+ const struct nf_conntrack_tuple *t2)
1062+{
1063+ return (t1->dst.u3.all[0] == t2->dst.u3.all[0] &&
1064+ t1->dst.u3.all[1] == t2->dst.u3.all[1] &&
1065+ t1->dst.u3.all[2] == t2->dst.u3.all[2] &&
1066+ t1->dst.u3.all[3] == t2->dst.u3.all[3] &&
1067+ t1->dst.u.all == t2->dst.u.all &&
1068+ t1->src.l3num == t2->src.l3num &&
1069+ t1->dst.protonum == t2->dst.protonum);
1070+}
1071+
1072+static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
1073+ const struct nf_conntrack_tuple *t2)
1074+{
1075+ return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);
1076+}
1077+
1078+static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
1079+ const struct nf_conntrack_tuple *tuple,
1080+ const struct nf_conntrack_tuple *mask)
1081+{
1082+ int count = 0;
1083+
1084+ for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
1085+ if ((ntohs(t->src.u3.all[count]) ^
1086+ ntohs(tuple->src.u3.all[count])) &
1087+ ntohs(mask->src.u3.all[count]))
1088+ return 0;
1089+ }
1090+
1091+ for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
1092+ if ((ntohs(t->dst.u3.all[count]) ^
1093+ ntohs(tuple->dst.u3.all[count])) &
1094+ ntohs(mask->dst.u3.all[count]))
1095+ return 0;
1096+ }
1097+
1098+ if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all ||
1099+ (t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all ||
1100+ (t->src.l3num ^ tuple->src.l3num) & mask->src.l3num ||
1101+ (t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum)
1102+ return 0;
1103+
1104+ return 1;
1105+}
1106+
1107+#endif /* _NF_CONNTRACK_TUPLE_H */
ae95cca4
PS
1108diff -uNr include.orig/linux/netfilter/nfnetlink.h include/linux/netfilter/nfnetlink.h
1109--- include.orig/linux/netfilter/nfnetlink.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
1110+++ include/linux/netfilter/nfnetlink.h 2005-08-02 20:02:17.715246480 +0200
1111@@ -0,0 +1,145 @@
ae95cca4
PS
1112+#ifndef _NFNETLINK_H
1113+#define _NFNETLINK_H
1114+#include <linux/types.h>
1115+
c558041a
PS
1116+/* nfnetlink groups: Up to 32 maximum */
1117+#define NF_NETLINK_CONNTRACK_NEW 0x00000001
1118+#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002
1119+#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004
1120+#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
1121+#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
1122+#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
1123+
ae95cca4
PS
1124+/* Generic structure for encapsulation optional netfilter information.
1125+ * It is reminiscent of sockaddr, but with sa_family replaced
1126+ * with attribute type.
1127+ * ! This should someday be put somewhere generic as now rtnetlink and
1128+ * ! nfnetlink use the same attributes methods. - J. Schulist.
1129+ */
1130+
1131+struct nfattr
1132+{
c558041a
PS
1133+ u_int16_t nfa_len __attribute__ ((packed));
1134+ u_int16_t nfa_type __attribute__ ((packed));
ae95cca4
PS
1135+};
1136+
c558041a
PS
1137+/* FIXME: Shamelessly copy and pasted from rtnetlink.h, it's time
1138+ * to put this in a generic file */
1139+
ae95cca4
PS
1140+#define NFA_ALIGNTO 4
1141+#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
1142+#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
1143+ && (nfa)->nfa_len <= (len))
1144+#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
1145+ (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
1146+#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len))
1147+#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
1148+#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
1149+#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
c558041a
PS
1150+#define NFA_NEST(skb, type) \
1151+({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \
1152+ NFA_PUT(skb, type, 0, NULL); \
1153+ __start; })
1154+#define NFA_NEST_END(skb, start) \
1155+({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \
1156+ (skb)->len; })
1157+#define NFA_NEST_CANCEL(skb, start) \
1158+({ if (start) \
1159+ skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
1160+ -1; })
ae95cca4
PS
1161+
1162+/* General form of address family dependent message.
1163+ */
1164+struct nfgenmsg {
c558041a
PS
1165+ u_int8_t nfgen_family __attribute__ ((packed)); /* AF_xxx */
1166+ u_int8_t version __attribute__ ((packed)); /* nfnetlink version */
1167+ u_int16_t res_id __attribute__ ((packed)); /* resource id */
ae95cca4
PS
1168+};
1169+
c558041a
PS
1170+#define NFNETLINK_V1 1
1171+
ae95cca4
PS
1172+#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \
1173+ + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
1174+#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
1175+
ae95cca4
PS
1176+/* netfilter netlink message types are split in two pieces:
1177+ * 8 bit subsystem, 8bit operation.
1178+ */
1179+
1180+#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8)
1181+#define NFNL_MSG_TYPE(x) (x & 0x00ff)
1182+
1183+enum nfnl_subsys_id {
1184+ NFNL_SUBSYS_NONE = 0,
1185+ NFNL_SUBSYS_CTNETLINK,
1186+ NFNL_SUBSYS_CTNETLINK_EXP,
1187+ NFNL_SUBSYS_IPTNETLINK,
1188+ NFNL_SUBSYS_QUEUE,
1189+ NFNL_SUBSYS_ULOG,
1190+ NFNL_SUBSYS_COUNT,
1191+};
1192+
c558041a
PS
1193+#ifdef __KERNEL__
1194+
1195+#include <linux/capability.h>
1196+
1197+struct nfnl_callback
1198+{
1199+ kernel_cap_t cap_required; /* capabilities required for this msg */
1200+ int (*call)(struct sock *nl, struct sk_buff *skb,
1201+ struct nlmsghdr *nlh, struct nfattr *cda[], int *errp);
1202+};
1203+
1204+struct nfnetlink_subsystem
1205+{
1206+ const char *name;
1207+ __u8 subsys_id; /* nfnetlink subsystem ID */
1208+ __u8 cb_count; /* number of callbacks */
1209+ u_int32_t attr_count; /* number of nfattr's */
1210+ struct nfnl_callback *cb; /* callback for individual types */
1211+};
1212+
1213+extern void __nfa_fill(struct sk_buff *skb, int attrtype,
1214+ int attrlen, const void *data);
1215+#define NFA_PUT(skb, attrtype, attrlen, data) \
1216+({ if (skb_tailroom(skb) < (int)NFA_SPACE(attrlen)) goto nfattr_failure; \
1217+ __nfa_fill(skb, attrtype, attrlen, data); })
1218+
1219+extern struct semaphore nfnl_sem;
1220+
1221+#define nfnl_shlock() down(&nfnl_sem)
1222+#define nfnl_shlock_nowait() down_trylock(&nfnl_sem)
1223+
1224+#define nfnl_shunlock() do { up(&nfnl_sem); \
1225+ if(nfnl && nfnl->sk_receive_queue.qlen) \
1226+ nfnl->sk_data_ready(nfnl, 0); \
1227+ } while(0)
1228+
1229+extern void nfnl_lock(void);
1230+extern void nfnl_unlock(void);
1231+
1232+extern int nfnetlink_subsys_register(struct nfnetlink_subsystem *n);
1233+extern int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n);
1234+
1235+extern int nfattr_parse(struct nfattr *tb[], int maxattr,
1236+ struct nfattr *nfa, int len);
1237+
1238+#define nfattr_parse_nested(tb, max, nfa) \
1239+ nfattr_parse((tb), (max), NFA_DATA((nfa)), NFA_PAYLOAD((nfa)))
1240+
1241+#define nfattr_bad_size(tb, max, cta_min) \
1242+({ int __i, __res = 0; \
1243+ for (__i=0; __i<max; __i++) \
1244+ if (tb[__i] && NFA_PAYLOAD(tb[__i]) < cta_min[__i]){ \
1245+ __res = 1; \
1246+ break; \
1247+ } \
1248+ __res; \
1249+})
1250+
1251+extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group,
1252+ int echo);
1253+extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags);
1254+
1255+#endif /* __KERNEL__ */
ae95cca4 1256+#endif /* _NFNETLINK_H */
c558041a
PS
1257diff -uNr include.orig/linux/netfilter.h include/linux/netfilter.h
1258--- include.orig/linux/netfilter.h 2005-07-06 02:17:21.000000000 +0200
1259+++ include/linux/netfilter.h 2005-08-02 20:02:17.658255144 +0200
1260@@ -11,7 +11,7 @@
1261 #define NF_MAX_VERDICT NF_STOP
1262
1263 /* Generic cache responses from hook functions.
1264- <= 0x2000 is used for protocol-flags. */
1265+ <= 0x2000 is reserved for conntrack event cache. */
1266 #define NFC_UNKNOWN 0x4000
1267 #define NFC_ALTERED 0x8000
ae95cca4 1268
ae95cca4
PS
1269diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_core.h include/linux/netfilter_ipv4/ip_conntrack_core.h
1270--- include.orig/linux/netfilter_ipv4/ip_conntrack_core.h 2005-03-13 21:53:55.000000000 +0100
c558041a
PS
1271+++ include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-08-02 20:02:17.749241312 +0200
1272@@ -34,15 +34,26 @@
1273 ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
1274 const struct ip_conntrack *ignored_conntrack);
1275
1276+struct ip_conntrack_tuple_hash *
1277+__ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
1278+ const struct ip_conntrack *ignored_conntrack);
1279+
1280+struct ip_conntrack_expect *
1281+__ip_conntrack_exp_find(const struct ip_conntrack_tuple *tuple);
1282+
1283 extern int __ip_conntrack_confirm(struct sk_buff **pskb);
ae95cca4 1284
ae95cca4
PS
1285 /* Confirm a connection: returns NF_DROP if packet must be dropped. */
1286 static inline int ip_conntrack_confirm(struct sk_buff **pskb)
1287 {
1288+ int ret = NF_ACCEPT;
1289+
1290 if ((*pskb)->nfct
1291 && !is_confirmed((struct ip_conntrack *)(*pskb)->nfct))
1292- return __ip_conntrack_confirm(pskb);
1293- return NF_ACCEPT;
1294+ ret = __ip_conntrack_confirm(pskb);
1295+ ip_conntrack_deliver_cached_events(*pskb);
1296+
1297+ return ret;
1298 }
1299
1300 extern struct list_head *ip_conntrack_hash;
ae95cca4
PS
1301diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack.h include/linux/netfilter_ipv4/ip_conntrack.h
1302--- include.orig/linux/netfilter_ipv4/ip_conntrack.h 2005-03-13 21:53:55.000000000 +0100
c558041a
PS
1303+++ include/linux/netfilter_ipv4/ip_conntrack.h 2005-08-02 20:05:38.525718648 +0200
1304@@ -65,6 +65,63 @@
ae95cca4
PS
1305
1306 /* Both together */
1307 IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
1308+
1309+ /* Connection is destroyed (removed from lists), can not be unset. */
1310+ IPS_DESTROYED_BIT = 9,
1311+ IPS_DESTROYED = (1 << IPS_DESTROYED_BIT),
1312+};
1313+
1314+/* Connection tracking event bits */
1315+enum ip_conntrack_events
1316+{
1317+ /* New conntrack */
1318+ IPCT_NEW_BIT = 0,
1319+ IPCT_NEW = (1 << IPCT_NEW_BIT),
1320+
1321+ /* Expected connection */
1322+ IPCT_RELATED_BIT = 1,
1323+ IPCT_RELATED = (1 << IPCT_RELATED_BIT),
1324+
1325+ /* Destroyed conntrack */
1326+ IPCT_DESTROY_BIT = 2,
1327+ IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
1328+
1329+ /* Timer has been refreshed */
1330+ IPCT_REFRESH_BIT = 3,
1331+ IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
1332+
1333+ /* Status has changed */
1334+ IPCT_STATUS_BIT = 4,
1335+ IPCT_STATUS = (1 << IPCT_STATUS_BIT),
1336+
1337+ /* Update of protocol info */
1338+ IPCT_PROTOINFO_BIT = 5,
1339+ IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
1340+
1341+ /* Volatile protocol info */
1342+ IPCT_PROTOINFO_VOLATILE_BIT = 6,
1343+ IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
1344+
1345+ /* New helper for conntrack */
1346+ IPCT_HELPER_BIT = 7,
1347+ IPCT_HELPER = (1 << IPCT_HELPER_BIT),
1348+
1349+ /* Update of helper info */
1350+ IPCT_HELPINFO_BIT = 8,
1351+ IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
1352+
1353+ /* Volatile helper info */
1354+ IPCT_HELPINFO_VOLATILE_BIT = 9,
1355+ IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
1356+
1357+ /* NAT info */
1358+ IPCT_NATINFO_BIT = 10,
1359+ IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
1360+};
1361+
1362+enum ip_conntrack_expect_events {
1363+ IPEXP_NEW_BIT = 0,
1364+ IPEXP_NEW = (1 << IPEXP_NEW_BIT),
ae95cca4
PS
1365 };
1366
1367 #endif /* _IP_CONNTRACK_H */
1368diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h include/linux/netfilter_ipv4/ip_conntrack_h323.h
1369--- include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
1370+++ include/linux/netfilter_ipv4/ip_conntrack_h323.h 2005-08-02 20:02:17.725244960 +0200
1371@@ -0,0 +1,38 @@
ae95cca4
PS
1372+#ifndef _IP_CONNTRACK_H323_H
1373+#define _IP_CONNTRACK_H323_H
1374+/* H.323 connection tracking. */
1375+
c558041a 1376+#ifdef __KERNEL__
ae95cca4 1377+
c558041a
PS
1378+/* Default H.225 port */
1379+#define H225_PORT 1720
ae95cca4 1380+
c558041a
PS
1381+struct ip_conntrack_expect;
1382+struct ip_conntrack;
1383+struct ip_conntrack_helper;
ae95cca4 1384+
c558041a
PS
1385+extern int (*ip_nat_h245_hook)(struct sk_buff **pskb,
1386+ enum ip_conntrack_info ctinfo,
1387+ unsigned int offset,
1388+ struct ip_conntrack_expect *exp);
ae95cca4 1389+
c558041a
PS
1390+extern int (*ip_nat_h225_hook)(struct sk_buff **pskb,
1391+ enum ip_conntrack_info ctinfo,
1392+ unsigned int offset,
1393+ struct ip_conntrack_expect *exp);
ae95cca4 1394+
c558041a
PS
1395+extern void (*ip_nat_h225_signal_hook)(struct sk_buff **pskb,
1396+ struct ip_conntrack *ct,
1397+ enum ip_conntrack_info ctinfo,
1398+ unsigned int offset,
1399+ int dir,
1400+ int orig_dir);
ae95cca4 1401+
c558041a 1402+extern struct ip_conntrack_helper ip_conntrack_helper_h225;
ae95cca4 1403+
c558041a
PS
1404+void ip_conntrack_h245_expect(struct ip_conntrack *new,
1405+ struct ip_conntrack_expect *this);
ae95cca4 1406+
c558041a 1407+#endif /* __KERNEL__ */
ae95cca4 1408+
c558041a
PS
1409+#endif /* _IP_CONNTRACK_H323_H */
1410diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h include/linux/netfilter_ipv4/ip_conntrack_mms.h
1411--- include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h 1970-01-01 01:00:00.000000000 +0100
1412+++ include/linux/netfilter_ipv4/ip_conntrack_mms.h 2005-08-02 20:02:17.774237512 +0200
1413@@ -0,0 +1,36 @@
1414+#ifndef _IP_CONNTRACK_MMS_H
1415+#define _IP_CONNTRACK_MMS_H
1416+/* MMS tracking. */
ae95cca4 1417+
c558041a 1418+#ifdef __KERNEL__
ae95cca4 1419+
c558041a 1420+extern spinlock_t ip_mms_lock;
ae95cca4 1421+
c558041a
PS
1422+#define MMS_PORT 1755
1423+#define MMS_SRV_MSG_ID 196610
ae95cca4 1424+
c558041a
PS
1425+#define MMS_SRV_MSG_OFFSET 36
1426+#define MMS_SRV_UNICODE_STRING_OFFSET 60
1427+#define MMS_SRV_CHUNKLENLV_OFFSET 16
1428+#define MMS_SRV_CHUNKLENLM_OFFSET 32
1429+#define MMS_SRV_MESSAGELENGTH_OFFSET 8
ae95cca4 1430+
c558041a
PS
1431+/* This structure is per expected connection */
1432+struct ip_ct_mms_expect {
1433+ u_int32_t offset;
1434+ u_int32_t len;
1435+ u_int32_t padding;
1436+ u_int16_t port;
1437+};
ae95cca4 1438+
c558041a
PS
1439+/* This structure exists only once per master */
1440+struct ip_ct_mms_master {
ae95cca4
PS
1441+};
1442+
c558041a
PS
1443+struct ip_conntrack_expect;
1444+extern unsigned int (*ip_nat_mms_hook)(struct sk_buff **pskb,
1445+ enum ip_conntrack_info ctinfo,
1446+ const struct ip_ct_mms_expect *exp_mms_info,
1447+ struct ip_conntrack_expect *exp);
1448+#endif
1449+#endif /* _IP_CONNTRACK_MMS_H */
1450diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h include/linux/netfilter_ipv4/ip_conntrack_pptp.h
1451--- include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h 1970-01-01 01:00:00.000000000 +0100
1452+++ include/linux/netfilter_ipv4/ip_conntrack_pptp.h 2005-08-02 20:02:17.800233560 +0200
1453@@ -0,0 +1,336 @@
1454+/* PPTP constants and structs */
1455+#ifndef _CONNTRACK_PPTP_H
1456+#define _CONNTRACK_PPTP_H
ae95cca4 1457+
c558041a
PS
1458+/* state of the control session */
1459+enum pptp_ctrlsess_state {
1460+ PPTP_SESSION_NONE, /* no session present */
1461+ PPTP_SESSION_ERROR, /* some session error */
1462+ PPTP_SESSION_STOPREQ, /* stop_sess request seen */
1463+ PPTP_SESSION_REQUESTED, /* start_sess request seen */
1464+ PPTP_SESSION_CONFIRMED, /* session established */
ae95cca4
PS
1465+};
1466+
c558041a
PS
1467+/* state of the call inside the control session */
1468+enum pptp_ctrlcall_state {
1469+ PPTP_CALL_NONE,
1470+ PPTP_CALL_ERROR,
1471+ PPTP_CALL_OUT_REQ,
1472+ PPTP_CALL_OUT_CONF,
1473+ PPTP_CALL_IN_REQ,
1474+ PPTP_CALL_IN_REP,
1475+ PPTP_CALL_IN_CONF,
1476+ PPTP_CALL_CLEAR_REQ,
1477+};
1478+
1479+
1480+/* conntrack private data */
1481+struct ip_ct_pptp_master {
1482+ enum pptp_ctrlsess_state sstate; /* session state */
1483+
1484+ /* everything below is going to be per-expectation in newnat,
1485+ * since there could be more than one call within one session */
1486+ enum pptp_ctrlcall_state cstate; /* call state */
1487+ u_int16_t pac_call_id; /* call id of PAC, host byte order */
1488+ u_int16_t pns_call_id; /* call id of PNS, host byte order */
1489+
1490+ /* in pre-2.6.11 this used to be per-expect. Now it is per-conntrack
1491+ * and therefore imposes a fixed limit on the number of maps */
1492+ struct ip_ct_gre_keymap *keymap_orig, *keymap_reply;
1493+};
1494+
1495+/* conntrack_expect private member */
1496+struct ip_ct_pptp_expect {
1497+ enum pptp_ctrlcall_state cstate; /* call state */
1498+ u_int16_t pac_call_id; /* call id of PAC */
1499+ u_int16_t pns_call_id; /* call id of PNS */
1500+};
1501+
1502+
1503+#ifdef __KERNEL__
1504+
1505+
1506+#include <linux/netfilter_ipv4/lockhelp.h>
1507+DECLARE_LOCK_EXTERN(ip_pptp_lock);
1508+
1509+#define IP_CONNTR_PPTP PPTP_CONTROL_PORT
1510+
1511+#define PPTP_CONTROL_PORT 1723
1512+
1513+#define PPTP_PACKET_CONTROL 1
1514+#define PPTP_PACKET_MGMT 2
1515+
1516+#define PPTP_MAGIC_COOKIE 0x1a2b3c4d
ae95cca4 1517+
c558041a
PS
1518+struct pptp_pkt_hdr {
1519+ __u16 packetLength;
1520+ __u16 packetType;
1521+ __u32 magicCookie;
ae95cca4
PS
1522+};
1523+
c558041a
PS
1524+/* PptpControlMessageType values */
1525+#define PPTP_START_SESSION_REQUEST 1
1526+#define PPTP_START_SESSION_REPLY 2
1527+#define PPTP_STOP_SESSION_REQUEST 3
1528+#define PPTP_STOP_SESSION_REPLY 4
1529+#define PPTP_ECHO_REQUEST 5
1530+#define PPTP_ECHO_REPLY 6
1531+#define PPTP_OUT_CALL_REQUEST 7
1532+#define PPTP_OUT_CALL_REPLY 8
1533+#define PPTP_IN_CALL_REQUEST 9
1534+#define PPTP_IN_CALL_REPLY 10
1535+#define PPTP_IN_CALL_CONNECT 11
1536+#define PPTP_CALL_CLEAR_REQUEST 12
1537+#define PPTP_CALL_DISCONNECT_NOTIFY 13
1538+#define PPTP_WAN_ERROR_NOTIFY 14
1539+#define PPTP_SET_LINK_INFO 15
ae95cca4 1540+
c558041a
PS
1541+#define PPTP_MSG_MAX 15
1542+
1543+/* PptpGeneralError values */
1544+#define PPTP_ERROR_CODE_NONE 0
1545+#define PPTP_NOT_CONNECTED 1
1546+#define PPTP_BAD_FORMAT 2
1547+#define PPTP_BAD_VALUE 3
1548+#define PPTP_NO_RESOURCE 4
1549+#define PPTP_BAD_CALLID 5
1550+#define PPTP_REMOVE_DEVICE_ERROR 6
1551+
1552+struct PptpControlHeader {
1553+ __u16 messageType;
1554+ __u16 reserved;
1555+};
1556+
1557+/* FramingCapability Bitmap Values */
1558+#define PPTP_FRAME_CAP_ASYNC 0x1
1559+#define PPTP_FRAME_CAP_SYNC 0x2
1560+
1561+/* BearerCapability Bitmap Values */
1562+#define PPTP_BEARER_CAP_ANALOG 0x1
1563+#define PPTP_BEARER_CAP_DIGITAL 0x2
1564+
1565+struct PptpStartSessionRequest {
1566+ __u16 protocolVersion;
1567+ __u8 reserved1;
1568+ __u8 reserved2;
1569+ __u32 framingCapability;
1570+ __u32 bearerCapability;
1571+ __u16 maxChannels;
1572+ __u16 firmwareRevision;
1573+ __u8 hostName[64];
1574+ __u8 vendorString[64];
1575+};
1576+
1577+/* PptpStartSessionResultCode Values */
1578+#define PPTP_START_OK 1
1579+#define PPTP_START_GENERAL_ERROR 2
1580+#define PPTP_START_ALREADY_CONNECTED 3
1581+#define PPTP_START_NOT_AUTHORIZED 4
1582+#define PPTP_START_UNKNOWN_PROTOCOL 5
1583+
1584+struct PptpStartSessionReply {
1585+ __u16 protocolVersion;
1586+ __u8 resultCode;
1587+ __u8 generalErrorCode;
1588+ __u32 framingCapability;
1589+ __u32 bearerCapability;
1590+ __u16 maxChannels;
1591+ __u16 firmwareRevision;
1592+ __u8 hostName[64];
1593+ __u8 vendorString[64];
1594+};
1595+
1596+/* PptpStopReasons */
1597+#define PPTP_STOP_NONE 1
1598+#define PPTP_STOP_PROTOCOL 2
1599+#define PPTP_STOP_LOCAL_SHUTDOWN 3
1600+
1601+struct PptpStopSessionRequest {
1602+ __u8 reason;
1603+};
1604+
1605+/* PptpStopSessionResultCode */
1606+#define PPTP_STOP_OK 1
1607+#define PPTP_STOP_GENERAL_ERROR 2
1608+
1609+struct PptpStopSessionReply {
1610+ __u8 resultCode;
1611+ __u8 generalErrorCode;
1612+};
1613+
1614+struct PptpEchoRequest {
1615+ __u32 identNumber;
1616+};
1617+
1618+/* PptpEchoReplyResultCode */
1619+#define PPTP_ECHO_OK 1
1620+#define PPTP_ECHO_GENERAL_ERROR 2
1621+
1622+struct PptpEchoReply {
1623+ __u32 identNumber;
1624+ __u8 resultCode;
1625+ __u8 generalErrorCode;
1626+ __u16 reserved;
1627+};
1628+
1629+/* PptpFramingType */
1630+#define PPTP_ASYNC_FRAMING 1
1631+#define PPTP_SYNC_FRAMING 2
1632+#define PPTP_DONT_CARE_FRAMING 3
1633+
1634+/* PptpCallBearerType */
1635+#define PPTP_ANALOG_TYPE 1
1636+#define PPTP_DIGITAL_TYPE 2
1637+#define PPTP_DONT_CARE_BEARER_TYPE 3
1638+
1639+struct PptpOutCallRequest {
1640+ __u16 callID;
1641+ __u16 callSerialNumber;
1642+ __u32 minBPS;
1643+ __u32 maxBPS;
1644+ __u32 bearerType;
1645+ __u32 framingType;
1646+ __u16 packetWindow;
1647+ __u16 packetProcDelay;
1648+ __u16 reserved1;
1649+ __u16 phoneNumberLength;
1650+ __u16 reserved2;
1651+ __u8 phoneNumber[64];
1652+ __u8 subAddress[64];
1653+};
1654+
1655+/* PptpCallResultCode */
1656+#define PPTP_OUTCALL_CONNECT 1
1657+#define PPTP_OUTCALL_GENERAL_ERROR 2
1658+#define PPTP_OUTCALL_NO_CARRIER 3
1659+#define PPTP_OUTCALL_BUSY 4
1660+#define PPTP_OUTCALL_NO_DIAL_TONE 5
1661+#define PPTP_OUTCALL_TIMEOUT 6
1662+#define PPTP_OUTCALL_DONT_ACCEPT 7
1663+
1664+struct PptpOutCallReply {
1665+ __u16 callID;
1666+ __u16 peersCallID;
1667+ __u8 resultCode;
1668+ __u8 generalErrorCode;
1669+ __u16 causeCode;
1670+ __u32 connectSpeed;
1671+ __u16 packetWindow;
1672+ __u16 packetProcDelay;
1673+ __u32 physChannelID;
1674+};
1675+
1676+struct PptpInCallRequest {
1677+ __u16 callID;
1678+ __u16 callSerialNumber;
1679+ __u32 callBearerType;
1680+ __u32 physChannelID;
1681+ __u16 dialedNumberLength;
1682+ __u16 dialingNumberLength;
1683+ __u8 dialedNumber[64];
1684+ __u8 dialingNumber[64];
1685+ __u8 subAddress[64];
1686+};
1687+
1688+/* PptpInCallResultCode */
1689+#define PPTP_INCALL_ACCEPT 1
1690+#define PPTP_INCALL_GENERAL_ERROR 2
1691+#define PPTP_INCALL_DONT_ACCEPT 3
1692+
1693+struct PptpInCallReply {
1694+ __u16 callID;
1695+ __u16 peersCallID;
1696+ __u8 resultCode;
1697+ __u8 generalErrorCode;
1698+ __u16 packetWindow;
1699+ __u16 packetProcDelay;
1700+ __u16 reserved;
1701+};
1702+
1703+struct PptpInCallConnected {
1704+ __u16 peersCallID;
1705+ __u16 reserved;
1706+ __u32 connectSpeed;
1707+ __u16 packetWindow;
1708+ __u16 packetProcDelay;
1709+ __u32 callFramingType;
1710+};
1711+
1712+struct PptpClearCallRequest {
1713+ __u16 callID;
1714+ __u16 reserved;
1715+};
1716+
1717+struct PptpCallDisconnectNotify {
1718+ __u16 callID;
1719+ __u8 resultCode;
1720+ __u8 generalErrorCode;
1721+ __u16 causeCode;
1722+ __u16 reserved;
1723+ __u8 callStatistics[128];
1724+};
1725+
1726+struct PptpWanErrorNotify {
1727+ __u16 peersCallID;
1728+ __u16 reserved;
1729+ __u32 crcErrors;
1730+ __u32 framingErrors;
1731+ __u32 hardwareOverRuns;
1732+ __u32 bufferOverRuns;
1733+ __u32 timeoutErrors;
1734+ __u32 alignmentErrors;
1735+};
1736+
1737+struct PptpSetLinkInfo {
1738+ __u16 peersCallID;
1739+ __u16 reserved;
1740+ __u32 sendAccm;
1741+ __u32 recvAccm;
1742+};
1743+
1744+
1745+struct pptp_priv_data {
1746+ __u16 call_id;
1747+ __u16 mcall_id;
1748+ __u16 pcall_id;
1749+};
1750+
1751+union pptp_ctrl_union {
1752+ struct PptpStartSessionRequest sreq;
1753+ struct PptpStartSessionReply srep;
1754+ struct PptpStopSessionRequest streq;
1755+ struct PptpStopSessionReply strep;
1756+ struct PptpOutCallRequest ocreq;
1757+ struct PptpOutCallReply ocack;
1758+ struct PptpInCallRequest icreq;
1759+ struct PptpInCallReply icack;
1760+ struct PptpInCallConnected iccon;
1761+ struct PptpClearCallRequest clrreq;
1762+ struct PptpCallDisconnectNotify disc;
1763+ struct PptpWanErrorNotify wanerr;
1764+ struct PptpSetLinkInfo setlink;
ae95cca4
PS
1765+};
1766+
c558041a
PS
1767+extern int
1768+(*ip_nat_pptp_hook_outbound)(struct sk_buff **pskb,
1769+ struct ip_conntrack *ct,
1770+ enum ip_conntrack_info ctinfo,
1771+ struct PptpControlHeader *ctlh,
1772+ union pptp_ctrl_union *pptpReq);
ae95cca4 1773+
c558041a
PS
1774+extern int
1775+(*ip_nat_pptp_hook_inbound)(struct sk_buff **pskb,
1776+ struct ip_conntrack *ct,
1777+ enum ip_conntrack_info ctinfo,
1778+ struct PptpControlHeader *ctlh,
1779+ union pptp_ctrl_union *pptpReq);
ae95cca4 1780+
c558041a
PS
1781+extern int
1782+(*ip_nat_pptp_hook_exp_gre)(struct ip_conntrack_expect *exp_orig,
1783+ struct ip_conntrack_expect *exp_reply);
1784+
1785+extern void
1786+(*ip_nat_pptp_hook_expectfn)(struct ip_conntrack *ct,
1787+ struct ip_conntrack_expect *exp);
1788+#endif /* __KERNEL__ */
1789+#endif /* _CONNTRACK_PPTP_H */
ae95cca4
PS
1790diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h include/linux/netfilter_ipv4/ip_conntrack_protocol.h
1791--- include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-03-13 21:53:55.000000000 +0100
c558041a
PS
1792+++ include/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-08-02 20:02:17.753240704 +0200
1793@@ -34,7 +34,7 @@
ae95cca4
PS
1794
1795 /* Returns verdict for packet, or -1 for invalid. */
1796 int (*packet)(struct ip_conntrack *conntrack,
1797- const struct sk_buff *skb,
1798+ struct sk_buff *skb,
1799 enum ip_conntrack_info ctinfo);
1800
1801 /* Called when a new connection for this protocol found;
c558041a
PS
1802diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
1803--- include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 1970-01-01 01:00:00.000000000 +0100
1804+++ include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2005-08-02 20:02:17.718246024 +0200
1805@@ -0,0 +1,114 @@
1806+#ifndef _CONNTRACK_PROTO_GRE_H
1807+#define _CONNTRACK_PROTO_GRE_H
1808+#include <asm/byteorder.h>
1809+
1810+/* GRE PROTOCOL HEADER */
1811+
1812+/* GRE Version field */
1813+#define GRE_VERSION_1701 0x0
1814+#define GRE_VERSION_PPTP 0x1
1815+
1816+/* GRE Protocol field */
1817+#define GRE_PROTOCOL_PPTP 0x880B
1818+
1819+/* GRE Flags */
1820+#define GRE_FLAG_C 0x80
1821+#define GRE_FLAG_R 0x40
1822+#define GRE_FLAG_K 0x20
1823+#define GRE_FLAG_S 0x10
1824+#define GRE_FLAG_A 0x80
1825+
1826+#define GRE_IS_C(f) ((f)&GRE_FLAG_C)
1827+#define GRE_IS_R(f) ((f)&GRE_FLAG_R)
1828+#define GRE_IS_K(f) ((f)&GRE_FLAG_K)
1829+#define GRE_IS_S(f) ((f)&GRE_FLAG_S)
1830+#define GRE_IS_A(f) ((f)&GRE_FLAG_A)
1831+
1832+/* GRE is a mess: Four different standards */
1833+struct gre_hdr {
1834+#if defined(__LITTLE_ENDIAN_BITFIELD)
1835+ __u16 rec:3,
1836+ srr:1,
1837+ seq:1,
1838+ key:1,
1839+ routing:1,
1840+ csum:1,
1841+ version:3,
1842+ reserved:4,
1843+ ack:1;
1844+#elif defined(__BIG_ENDIAN_BITFIELD)
1845+ __u16 csum:1,
1846+ routing:1,
1847+ key:1,
1848+ seq:1,
1849+ srr:1,
1850+ rec:3,
1851+ ack:1,
1852+ reserved:4,
1853+ version:3;
1854+#else
1855+#error "Adjust your <asm/byteorder.h> defines"
1856+#endif
1857+ __u16 protocol;
1858+};
ae95cca4 1859+
c558041a
PS
1860+/* modified GRE header for PPTP */
1861+struct gre_hdr_pptp {
1862+ __u8 flags; /* bitfield */
1863+ __u8 version; /* should be GRE_VERSION_PPTP */
1864+ __u16 protocol; /* should be GRE_PROTOCOL_PPTP */
1865+ __u16 payload_len; /* size of ppp payload, not inc. gre header */
1866+ __u16 call_id; /* peer's call_id for this session */
1867+ __u32 seq; /* sequence number. Present if S==1 */
1868+ __u32 ack; /* seq number of highest packet recieved by */
1869+ /* sender in this session */
1870+};
ae95cca4 1871+
c558041a
PS
1872+
1873+/* this is part of ip_conntrack */
1874+struct ip_ct_gre {
1875+ unsigned int stream_timeout;
1876+ unsigned int timeout;
1877+};
1878+
1879+#ifdef __KERNEL__
1880+struct ip_conntrack_expect;
1881+struct ip_conntrack;
1882+
1883+/* structure for original <-> reply keymap */
1884+struct ip_ct_gre_keymap {
1885+ struct list_head list;
1886+
1887+ struct ip_conntrack_tuple tuple;
1888+};
1889+
1890+/* add new tuple->key_reply pair to keymap */
1891+int ip_ct_gre_keymap_add(struct ip_conntrack *ct,
1892+ struct ip_conntrack_tuple *t,
1893+ int reply);
1894+
1895+/* delete keymap entries */
1896+void ip_ct_gre_keymap_destroy(struct ip_conntrack *ct);
1897+
1898+
1899+/* get pointer to gre key, if present */
1900+static inline u_int32_t *gre_key(struct gre_hdr *greh)
1901+{
1902+ if (!greh->key)
1903+ return NULL;
1904+ if (greh->csum || greh->routing)
1905+ return (u_int32_t *) (greh+sizeof(*greh)+4);
1906+ return (u_int32_t *) (greh+sizeof(*greh));
1907+}
1908+
1909+/* get pointer ot gre csum, if present */
1910+static inline u_int16_t *gre_csum(struct gre_hdr *greh)
1911+{
1912+ if (!greh->csum)
1913+ return NULL;
1914+ return (u_int16_t *) (greh+sizeof(*greh));
1915+}
1916+
1917+#endif /* __KERNEL__ */
1918+
1919+#endif /* _CONNTRACK_PROTO_GRE_H */
1920diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h include/linux/netfilter_ipv4/ip_conntrack_quake3.h
1921--- include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h 1970-01-01 01:00:00.000000000 +0100
1922+++ include/linux/netfilter_ipv4/ip_conntrack_quake3.h 2005-08-02 20:02:17.771237968 +0200
1923@@ -0,0 +1,22 @@
1924+#ifndef _IP_CT_QUAKE3
1925+#define _IP_CT_QUAKE3
1926+
1927+/* Don't confuse with 27960, often used as the Server Port */
1928+#define QUAKE3_MASTER_PORT 27950
1929+
1930+struct quake3_search {
1931+ const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */
1932+ const char *pattern;
1933+ size_t plen;
1934+};
1935+
1936+/* This structure is per expected connection */
1937+struct ip_ct_quake3_expect {
1938+};
1939+
1940+/* This structure exists only once per master */
1941+struct ip_ct_quake3_master {
1942+};
1943+
1944+extern unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
1945+#endif /* _IP_CT_QUAKE3 */
1946diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h include/linux/netfilter_ipv4/ip_conntrack_tuple.h
1947--- include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-03-13 21:53:55.000000000 +0100
1948+++ include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-08-02 20:02:17.807232496 +0200
1949@@ -28,6 +28,9 @@
1950 struct {
1951 u_int16_t port;
1952 } sctp;
1953+ struct {
1954+ u_int16_t key; /* key is 32bit, pptp onky uses 16 */
1955+ } gre;
014436e1
PS
1956 };
1957
c558041a
PS
1958 /* The manipulable part of the tuple. */
1959@@ -61,6 +64,9 @@
1960 struct {
1961 u_int16_t port;
1962 } sctp;
1963+ struct {
1964+ u_int16_t key;
1965+ } gre;
1966 } u;
ae95cca4 1967
c558041a
PS
1968 /* The protocol. */
1969diff -uNr include.orig/linux/netfilter_ipv4/ip_nat_pptp.h include/linux/netfilter_ipv4/ip_nat_pptp.h
1970--- include.orig/linux/netfilter_ipv4/ip_nat_pptp.h 1970-01-01 01:00:00.000000000 +0100
1971+++ include/linux/netfilter_ipv4/ip_nat_pptp.h 2005-08-02 20:02:17.767238576 +0200
1972@@ -0,0 +1,11 @@
1973+/* PPTP constants and structs */
1974+#ifndef _NAT_PPTP_H
1975+#define _NAT_PPTP_H
1976+
1977+/* conntrack private data */
1978+struct ip_nat_pptp {
1979+ u_int16_t pns_call_id; /* NAT'ed PNS call id */
1980+ u_int16_t pac_call_id; /* NAT'ed PAC call id */
1981+};
1982+
1983+#endif /* _NAT_PPTP_H */
ae95cca4
PS
1984diff -uNr include.orig/linux/netfilter_ipv4/ip_queue.h include/linux/netfilter_ipv4/ip_queue.h
1985--- include.orig/linux/netfilter_ipv4/ip_queue.h 2004-10-31 20:56:03.000000000 +0100
c558041a 1986+++ include/linux/netfilter_ipv4/ip_queue.h 2005-08-02 20:02:17.823230064 +0200
ae95cca4
PS
1987@@ -39,10 +39,20 @@
1988 unsigned char payload[0]; /* Optional replacement packet */
1989 } ipq_verdict_msg_t;
1990
1991+typedef struct ipq_vwmark_msg {
1992+ unsigned int value; /* Verdict to hand to netfilter */
1993+ unsigned long id; /* Packet ID for this verdict */
1994+ size_t data_len; /* Length of replacement data */
1995+ unsigned char payload[0]; /* Optional replacement packet */
1996+ unsigned long nfmark; /* Mark for the Packet */
1997+} ipq_vwmark_msg_t;
1998+
1999+
2000 typedef struct ipq_peer_msg {
2001 union {
2002 ipq_verdict_msg_t verdict;
2003 ipq_mode_msg_t mode;
c558041a 2004+ ipq_vwmark_msg_t vwmark;
ae95cca4
PS
2005 } msg;
2006 } ipq_peer_msg_t;
2007
2008@@ -59,6 +69,7 @@
2009 #define IPQM_MODE (IPQM_BASE + 1) /* Mode request from peer */
2010 #define IPQM_VERDICT (IPQM_BASE + 2) /* Verdict from peer */
2011 #define IPQM_PACKET (IPQM_BASE + 3) /* Packet from kernel */
2012-#define IPQM_MAX (IPQM_BASE + 4)
2013+#define IPQM_VWMARK (IPQM_BASE + 4) /* Verdict and mark from peer */
2014+#define IPQM_MAX (IPQM_BASE + 5)
2015
2016 #endif /*_IP_QUEUE_H*/
2017diff -uNr include.orig/linux/netfilter_ipv4/ip_set.h include/linux/netfilter_ipv4/ip_set.h
2018--- include.orig/linux/netfilter_ipv4/ip_set.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
2019+++ include/linux/netfilter_ipv4/ip_set.h 2005-08-02 20:02:17.828229304 +0200
2020@@ -0,0 +1,489 @@
014436e1
PS
2021+#ifndef _IP_SET_H
2022+#define _IP_SET_H
2023+
2024+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2025+ * Patrick Schaaf <bof@bof.de>
2026+ * Martin Josefsson <gandalf@wlug.westbo.se>
2027+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2028+ *
2029+ * This program is free software; you can redistribute it and/or modify
2030+ * it under the terms of the GNU General Public License version 2 as
2031+ * published by the Free Software Foundation.
2032+ */
2033+
2034+/*
2035+ * A sockopt of such quality has hardly ever been seen before on the open
2036+ * market! This little beauty, hardly ever used: above 64, so it's
2037+ * traditionally used for firewalling, not touched (even once!) by the
2038+ * 2.0, 2.2 and 2.4 kernels!
2039+ *
2040+ * Comes with its own certificate of authenticity, valid anywhere in the
2041+ * Free world!
2042+ *
2043+ * Rusty, 19.4.2000
2044+ */
2045+#define SO_IP_SET 83
2046+
2047+/*
2048+ * Heavily modify by Joakim Axelsson 08.03.2002
2049+ * - Made it more modulebased
2050+ *
2051+ * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
2052+ * - bindings added
2053+ * - in order to "deal with" backward compatibility, renamed to ipset
2054+ */
2055+
2056+/*
2057+ * Used so that the kernel module and ipset-binary can match their versions
2058+ */
2059+#define IP_SET_PROTOCOL_VERSION 2
2060+
2061+#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */
2062+
2063+/* Lets work with our own typedef for representing an IP address.
2064+ * We hope to make the code more portable, possibly to IPv6...
2065+ *
2066+ * The representation works in HOST byte order, because most set types
2067+ * will perform arithmetic operations and compare operations.
2068+ *
2069+ * For now the type is an uint32_t.
2070+ *
2071+ * Make sure to ONLY use the functions when translating and parsing
2072+ * in order to keep the host byte order and make it more portable:
2073+ * parse_ip()
2074+ * parse_mask()
2075+ * parse_ipandmask()
2076+ * ip_tostring()
2077+ * (Joakim: where are they???)
2078+ */
2079+
2080+typedef uint32_t ip_set_ip_t;
2081+
2082+/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
2083+ * and IP_SET_INVALID_ID if you want to increase the max number of sets.
2084+ */
2085+typedef uint16_t ip_set_id_t;
2086+
2087+#define IP_SET_INVALID_ID 65535
2088+
2089+/* How deep we follow bindings */
2090+#define IP_SET_MAX_BINDINGS 6
2091+
2092+/*
2093+ * Option flags for kernel operations (ipt_set_info)
2094+ */
2095+#define IPSET_SRC 0x01 /* Source match/add */
2096+#define IPSET_DST 0x02 /* Destination match/add */
2097+#define IPSET_MATCH_INV 0x04 /* Inverse matching */
2098+
2099+/*
2100+ * Set types (flavours)
2101+ */
2102+#define IPSET_TYPE_IP 0 /* IP address type of set */
2103+#define IPSET_TYPE_PORT 1 /* Port type of set */
2104+
2105+/* Reserved keywords */
2106+#define IPSET_TOKEN_DEFAULT ":default:"
2107+#define IPSET_TOKEN_ALL ":all:"
2108+
2109+/* SO_IP_SET operation constants, and their request struct types.
2110+ *
2111+ * Operation ids:
2112+ * 0-99: commands with version checking
2113+ * 100-199: add/del/test/bind/unbind
2114+ * 200-299: list, save, restore
2115+ */
2116+
2117+/* Single shot operations:
2118+ * version, create, destroy, flush, rename and swap
2119+ *
2120+ * Sets are identified by name.
2121+ */
2122+
2123+#define IP_SET_REQ_STD \
2124+ unsigned op; \
2125+ unsigned version; \
2126+ char name[IP_SET_MAXNAMELEN]
2127+
2128+#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */
2129+struct ip_set_req_create {
2130+ IP_SET_REQ_STD;
2131+ char typename[IP_SET_MAXNAMELEN];
2132+};
2133+
2134+#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */
2135+struct ip_set_req_std {
2136+ IP_SET_REQ_STD;
2137+};
2138+
2139+#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */
2140+/* Uses ip_set_req_std */
2141+
2142+#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */
2143+/* Uses ip_set_req_create */
2144+
2145+#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */
2146+/* Uses ip_set_req_create */
2147+
2148+union ip_set_name_index {
2149+ char name[IP_SET_MAXNAMELEN];
2150+ ip_set_id_t index;
2151+};
2152+
2153+#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
2154+struct ip_set_req_get_set {
2155+ unsigned op;
2156+ unsigned version;
2157+ union ip_set_name_index set;
2158+};
2159+
2160+#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
2161+/* Uses ip_set_req_get_set */
2162+
2163+#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
2164+struct ip_set_req_version {
2165+ unsigned op;
2166+ unsigned version;
2167+};
2168+
2169+/* Double shots operations:
2170+ * add, del, test, bind and unbind.
2171+ *
2172+ * First we query the kernel to get the index and type of the target set,
2173+ * then issue the command. Validity of IP is checked in kernel in order
2174+ * to minimalize sockopt operations.
2175+ */
2176+
2177+/* Get minimal set data for add/del/test/bind/unbind IP */
2178+#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */
2179+struct ip_set_req_adt_get {
2180+ unsigned op;
2181+ unsigned version;
2182+ union ip_set_name_index set;
2183+ char typename[IP_SET_MAXNAMELEN];
2184+};
2185+
2186+#define IP_SET_REQ_BYINDEX \
2187+ unsigned op; \
2188+ ip_set_id_t index;
2189+
2190+struct ip_set_req_adt {
2191+ IP_SET_REQ_BYINDEX;
2192+};
2193+
2194+#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */
2195+/* Uses ip_set_req_adt, with type specific addage */
2196+
2197+#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */
2198+/* Uses ip_set_req_adt, with type specific addage */
2199+
2200+#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */
2201+/* Uses ip_set_req_adt, with type specific addage */
2202+
2203+#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */
2204+/* Uses ip_set_req_bind, with type specific addage */
2205+struct ip_set_req_bind {
2206+ IP_SET_REQ_BYINDEX;
2207+ char binding[IP_SET_MAXNAMELEN];
2208+};
2209+
2210+#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */
2211+/* Uses ip_set_req_bind, with type speficic addage
2212+ * index = 0 means unbinding for all sets */
2213+
2214+#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */
2215+/* Uses ip_set_req_bind, with type specific addage */
2216+
2217+/* Multiple shots operations: list, save, restore.
2218+ *
2219+ * - check kernel version and query the max number of sets
2220+ * - get the basic information on all sets
2221+ * and size required for the next step
2222+ * - get actual set data: header, data, bindings
2223+ */
2224+
2225+/* Get max_sets and the index of a queried set
2226+ */
2227+#define IP_SET_OP_MAX_SETS 0x00000020
2228+struct ip_set_req_max_sets {
2229+ unsigned op;
2230+ unsigned version;
2231+ ip_set_id_t max_sets; /* max_sets */
2232+ ip_set_id_t sets; /* real number of sets */
2233+ union ip_set_name_index set; /* index of set if name used */
2234+};
2235+
2236+/* Get the id and name of the sets plus size for next step */
2237+#define IP_SET_OP_LIST_SIZE 0x00000201
2238+#define IP_SET_OP_SAVE_SIZE 0x00000202
2239+struct ip_set_req_setnames {
2240+ unsigned op;
2241+ ip_set_id_t index; /* set to list/save */
2242+ size_t size; /* size to get setdata/bindings */
2243+ /* followed by sets number of struct ip_set_name_list */
2244+};
2245+
2246+struct ip_set_name_list {
2247+ char name[IP_SET_MAXNAMELEN];
2248+ char typename[IP_SET_MAXNAMELEN];
2249+ ip_set_id_t index;
2250+ ip_set_id_t id;
2251+};
2252+
2253+/* The actual list operation */
2254+#define IP_SET_OP_LIST 0x00000203
2255+struct ip_set_req_list {
2256+ IP_SET_REQ_BYINDEX;
2257+ /* sets number of struct ip_set_list in reply */
2258+};
2259+
2260+struct ip_set_list {
2261+ ip_set_id_t index;
2262+ ip_set_id_t binding;
2263+ u_int32_t ref;
2264+ size_t header_size; /* Set header data of header_size */
2265+ size_t members_size; /* Set members data of members_size */
2266+ size_t bindings_size; /* Set bindings data of bindings_size */
2267+};
2268+
2269+struct ip_set_hash_list {
2270+ ip_set_ip_t ip;
2271+ ip_set_id_t binding;
2272+};
2273+
2274+/* The save operation */
2275+#define IP_SET_OP_SAVE 0x00000204
2276+/* Uses ip_set_req_list, in the reply replaced by
2277+ * sets number of struct ip_set_save plus a marker
2278+ * ip_set_save followed by ip_set_hash_save structures.
2279+ */
2280+struct ip_set_save {
2281+ ip_set_id_t index;
2282+ ip_set_id_t binding;
2283+ size_t header_size; /* Set header data of header_size */
2284+ size_t members_size; /* Set members data of members_size */
2285+};
2286+
2287+/* At restoring, ip == 0 means default binding for the given set: */
2288+struct ip_set_hash_save {
2289+ ip_set_ip_t ip;
2290+ ip_set_id_t id;
2291+ ip_set_id_t binding;
2292+};
2293+
2294+/* The restore operation */
2295+#define IP_SET_OP_RESTORE 0x00000205
2296+/* Uses ip_set_req_setnames followed by ip_set_restore structures
2297+ * plus a marker ip_set_restore, followed by ip_set_hash_save
2298+ * structures.
2299+ */
2300+struct ip_set_restore {
2301+ char name[IP_SET_MAXNAMELEN];
2302+ char typename[IP_SET_MAXNAMELEN];
2303+ ip_set_id_t index;
2304+ size_t header_size; /* Create data of header_size */
2305+ size_t members_size; /* Set members data of members_size */
2306+};
2307+
2308+static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
2309+{
2310+ return 4 * ((((b - a + 8) / 8) + 3) / 4);
2311+}
2312+
c558041a
PS
2313+#ifdef __KERNEL__
2314+
2315+#define ip_set_printk(format, args...) \
2316+ do { \
2317+ printk("%s: %s: ", __FILE__, __FUNCTION__); \
2318+ printk(format "\n" , ## args); \
2319+ } while (0)
2320+
2321+#if defined(IP_SET_DEBUG)
2322+#define DP(format, args...) \
2323+ do { \
2324+ printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
2325+ printk(format "\n" , ## args); \
2326+ } while (0)
2327+#define IP_SET_ASSERT(x) \
2328+ do { \
2329+ if (!(x)) \
2330+ printk("IP_SET_ASSERT: %s:%i(%s)\n", \
2331+ __FILE__, __LINE__, __FUNCTION__); \
2332+ } while (0)
2333+#else
2334+#define DP(format, args...)
2335+#define IP_SET_ASSERT(x)
2336+#endif
2337+
2338+struct ip_set;
2339+
2340+/*
2341+ * The ip_set_type definition - one per set type, e.g. "ipmap".
2342+ *
2343+ * Each individual set has a pointer, set->type, going to one
2344+ * of these structures. Function pointers inside the structure implement
2345+ * the real behaviour of the sets.
2346+ *
2347+ * If not mentioned differently, the implementation behind the function
2348+ * pointers of a set_type, is expected to return 0 if ok, and a negative
2349+ * errno (e.g. -EINVAL) on error.
2350+ */
2351+struct ip_set_type {
2352+ struct list_head list; /* next in list of set types */
2353+
2354+ /* test for IP in set (kernel: iptables -m set src|dst)
2355+ * return 0 if not in set, 1 if in set.
2356+ */
2357+ int (*testip_kernel) (struct ip_set *set,
2358+ const struct sk_buff * skb,
2359+ u_int32_t flags,
2360+ ip_set_ip_t *ip);
2361+
2362+ /* test for IP in set (userspace: ipset -T set IP)
2363+ * return 0 if not in set, 1 if in set.
2364+ */
2365+ int (*testip) (struct ip_set *set,
2366+ const void *data, size_t size,
2367+ ip_set_ip_t *ip);
2368+
2369+ /*
2370+ * Size of the data structure passed by when
2371+ * adding/deletin/testing an entry.
2372+ */
2373+ size_t reqsize;
2374+
2375+ /* Add IP into set (userspace: ipset -A set IP)
2376+ * Return -EEXIST if the address is already in the set,
2377+ * and -ERANGE if the address lies outside the set bounds.
2378+ * If the address was not already in the set, 0 is returned.
2379+ */
2380+ int (*addip) (struct ip_set *set,
2381+ const void *data, size_t size,
2382+ ip_set_ip_t *ip);
2383+
2384+ /* Add IP into set (kernel: iptables ... -j SET set src|dst)
2385+ * Return -EEXIST if the address is already in the set,
2386+ * and -ERANGE if the address lies outside the set bounds.
2387+ * If the address was not already in the set, 0 is returned.
2388+ */
2389+ int (*addip_kernel) (struct ip_set *set,
2390+ const struct sk_buff * skb,
2391+ u_int32_t flags,
2392+ ip_set_ip_t *ip);
2393+
2394+ /* remove IP from set (userspace: ipset -D set --entry x)
2395+ * Return -EEXIST if the address is NOT in the set,
2396+ * and -ERANGE if the address lies outside the set bounds.
2397+ * If the address really was in the set, 0 is returned.
2398+ */
2399+ int (*delip) (struct ip_set *set,
2400+ const void *data, size_t size,
2401+ ip_set_ip_t *ip);
2402+
2403+ /* remove IP from set (kernel: iptables ... -j SET --entry x)
2404+ * Return -EEXIST if the address is NOT in the set,
2405+ * and -ERANGE if the address lies outside the set bounds.
2406+ * If the address really was in the set, 0 is returned.
2407+ */
2408+ int (*delip_kernel) (struct ip_set *set,
2409+ const struct sk_buff * skb,
2410+ u_int32_t flags,
2411+ ip_set_ip_t *ip);
2412+
2413+ /* new set creation - allocated type specific items
2414+ */
2415+ int (*create) (struct ip_set *set,
2416+ const void *data, size_t size);
2417+
2418+ /* retry the operation after successfully tweaking the set
2419+ */
2420+ int (*retry) (struct ip_set *set);
2421+
2422+ /* set destruction - free type specific items
2423+ * There is no return value.
2424+ * Can be called only when child sets are destroyed.
2425+ */
2426+ void (*destroy) (struct ip_set *set);
2427+
2428+ /* set flushing - reset all bits in the set, or something similar.
2429+ * There is no return value.
2430+ */
2431+ void (*flush) (struct ip_set *set);
2432+
2433+ /* Listing: size needed for header
2434+ */
2435+ size_t header_size;
2436+
2437+ /* Listing: Get the header
2438+ *
2439+ * Fill in the information in "data".
2440+ * This function is always run after list_header_size() under a
2441+ * writelock on the set. Therefor is the length of "data" always
2442+ * correct.
2443+ */
2444+ void (*list_header) (const struct ip_set *set,
2445+ void *data);
2446+
2447+ /* Listing: Get the size for the set members
2448+ */
2449+ int (*list_members_size) (const struct ip_set *set);
2450+
2451+ /* Listing: Get the set members
2452+ *
2453+ * Fill in the information in "data".
2454+ * This function is always run after list_member_size() under a
2455+ * writelock on the set. Therefor is the length of "data" always
2456+ * correct.
2457+ */
2458+ void (*list_members) (const struct ip_set *set,
2459+ void *data);
2460+
2461+ char typename[IP_SET_MAXNAMELEN];
2462+ char typecode;
2463+ int protocol_version;
2464+
2465+ /* Set this to THIS_MODULE if you are a module, otherwise NULL */
2466+ struct module *me;
2467+};
2468+
2469+extern int ip_set_register_set_type(struct ip_set_type *set_type);
2470+extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
2471+
2472+/* A generic ipset */
2473+struct ip_set {
2474+ char name[IP_SET_MAXNAMELEN]; /* the name of the set */
2475+ rwlock_t lock; /* lock for concurrency control */
2476+ ip_set_id_t id; /* set id for swapping */
2477+ ip_set_id_t binding; /* default binding for the set */
2478+ atomic_t ref; /* in kernel and in hash references */
2479+ struct ip_set_type *type; /* the set types */
2480+ void *data; /* pooltype specific data */
2481+};
2482+
2483+/* Structure to bind set elements to sets */
2484+struct ip_set_hash {
2485+ struct list_head list; /* list of clashing entries in hash */
2486+ ip_set_ip_t ip; /* ip from set */
2487+ ip_set_id_t id; /* set id */
2488+ ip_set_id_t binding; /* set we bind the element to */
2489+};
2490+
2491+/* register and unregister set references */
2492+extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
2493+extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
2494+extern void ip_set_put(ip_set_id_t id);
2495+
2496+/* API for iptables set match, and SET target */
2497+extern void ip_set_addip_kernel(ip_set_id_t id,
2498+ const struct sk_buff *skb,
2499+ const u_int32_t *flags);
2500+extern void ip_set_delip_kernel(ip_set_id_t id,
2501+ const struct sk_buff *skb,
2502+ const u_int32_t *flags);
2503+extern int ip_set_testip_kernel(ip_set_id_t id,
2504+ const struct sk_buff *skb,
2505+ const u_int32_t *flags);
2506+
2507+#endif /* __KERNEL__ */
2508+
014436e1 2509+#endif /*_IP_SET_H*/
ae95cca4
PS
2510diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iphash.h include/linux/netfilter_ipv4/ip_set_iphash.h
2511--- include.orig/linux/netfilter_ipv4/ip_set_iphash.h 1970-01-01 01:00:00.000000000 +0100
c558041a 2512+++ include/linux/netfilter_ipv4/ip_set_iphash.h 2005-08-02 20:02:17.803233104 +0200
014436e1
PS
2513@@ -0,0 +1,30 @@
2514+#ifndef __IP_SET_IPHASH_H
2515+#define __IP_SET_IPHASH_H
2516+
2517+#include <linux/netfilter_ipv4/ip_set.h>
2518+
2519+#define SETTYPE_NAME "iphash"
2520+#define MAX_RANGE 0x0000FFFF
2521+
2522+struct ip_set_iphash {
2523+ ip_set_ip_t *members; /* the iphash proper */
2524+ uint32_t initval; /* initval for jhash_1word */
2525+ uint32_t prime; /* prime for double hashing */
2526+ uint32_t hashsize; /* hash size */
2527+ uint16_t probes; /* max number of probes */
2528+ uint16_t resize; /* resize factor in percent */
2529+ ip_set_ip_t netmask; /* netmask */
2530+};
2531+
2532+struct ip_set_req_iphash_create {
2533+ uint32_t hashsize;
2534+ uint16_t probes;
2535+ uint16_t resize;
2536+ ip_set_ip_t netmask;
2537+};
2538+
2539+struct ip_set_req_iphash {
2540+ ip_set_ip_t ip;
2541+};
2542+
2543+#endif /* __IP_SET_IPHASH_H */
ae95cca4
PS
2544diff -uNr include.orig/linux/netfilter_ipv4/ip_set_ipmap.h include/linux/netfilter_ipv4/ip_set_ipmap.h
2545--- include.orig/linux/netfilter_ipv4/ip_set_ipmap.h 1970-01-01 01:00:00.000000000 +0100
c558041a 2546+++ include/linux/netfilter_ipv4/ip_set_ipmap.h 2005-08-02 20:02:17.763239184 +0200
014436e1
PS
2547@@ -0,0 +1,56 @@
2548+#ifndef __IP_SET_IPMAP_H
2549+#define __IP_SET_IPMAP_H
2550+
2551+#include <linux/netfilter_ipv4/ip_set.h>
2552+
2553+#define SETTYPE_NAME "ipmap"
2554+#define MAX_RANGE 0x0000FFFF
2555+
2556+struct ip_set_ipmap {
2557+ void *members; /* the ipmap proper */
2558+ ip_set_ip_t first_ip; /* host byte order, included in range */
2559+ ip_set_ip_t last_ip; /* host byte order, included in range */
2560+ ip_set_ip_t netmask; /* subnet netmask */
2561+ ip_set_ip_t sizeid; /* size of set in IPs */
2562+ u_int16_t hosts; /* number of hosts in a subnet */
2563+};
2564+
2565+struct ip_set_req_ipmap_create {
2566+ ip_set_ip_t from;
2567+ ip_set_ip_t to;
2568+ ip_set_ip_t netmask;
2569+};
2570+
2571+struct ip_set_req_ipmap {
2572+ ip_set_ip_t ip;
2573+};
2574+
2575+unsigned int
2576+mask_to_bits(ip_set_ip_t mask)
2577+{
2578+ unsigned int bits = 32;
2579+ ip_set_ip_t maskaddr;
2580+
2581+ if (mask == 0xFFFFFFFF)
2582+ return bits;
2583+
2584+ maskaddr = 0xFFFFFFFE;
2585+ while (--bits >= 0 && maskaddr != mask)
2586+ maskaddr <<= 1;
2587+
2588+ return bits;
2589+}
2590+
2591+ip_set_ip_t
2592+range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits)
2593+{
2594+ ip_set_ip_t mask = 0xFFFFFFFE;
2595+
2596+ *bits = 32;
2597+ while (--(*bits) >= 0 && mask && (to & mask) != from)
2598+ mask <<= 1;
2599+
2600+ return mask;
2601+}
2602+
2603+#endif /* __IP_SET_IPMAP_H */
ae95cca4
PS
2604diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iptree.h include/linux/netfilter_ipv4/ip_set_iptree.h
2605--- include.orig/linux/netfilter_ipv4/ip_set_iptree.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
2606+++ include/linux/netfilter_ipv4/ip_set_iptree.h 2005-08-02 20:02:17.810232040 +0200
2607@@ -0,0 +1,39 @@
ae95cca4
PS
2608+#ifndef __IP_SET_IPTREE_H
2609+#define __IP_SET_IPTREE_H
2610+
2611+#include <linux/netfilter_ipv4/ip_set.h>
2612+
2613+#define SETTYPE_NAME "iptree"
2614+#define MAX_RANGE 0x0000FFFF
2615+
2616+struct ip_set_iptreed {
2617+ unsigned long expires[255]; /* x.x.x.ADDR */
2618+};
2619+
2620+struct ip_set_iptreec {
2621+ struct ip_set_iptreed *tree[255]; /* x.x.ADDR.* */
2622+};
2623+
2624+struct ip_set_iptreeb {
2625+ struct ip_set_iptreec *tree[255]; /* x.ADDR.*.* */
2626+};
2627+
2628+struct ip_set_iptree {
2629+ unsigned int timeout;
2630+ unsigned int gc_interval;
c558041a
PS
2631+#ifdef __KERNEL__
2632+ struct timer_list gc;
2633+ struct ip_set_iptreeb *tree[255]; /* ADDR.*.*.* */
2634+#endif
ae95cca4
PS
2635+};
2636+
2637+struct ip_set_req_iptree_create {
2638+ unsigned int timeout;
2639+};
2640+
2641+struct ip_set_req_iptree {
2642+ ip_set_ip_t ip;
2643+ unsigned int timeout;
2644+};
2645+
2646+#endif /* __IP_SET_IPTREE_H */
2647diff -uNr include.orig/linux/netfilter_ipv4/ip_set_jhash.h include/linux/netfilter_ipv4/ip_set_jhash.h
2648--- include.orig/linux/netfilter_ipv4/ip_set_jhash.h 1970-01-01 01:00:00.000000000 +0100
c558041a 2649+++ include/linux/netfilter_ipv4/ip_set_jhash.h 2005-08-02 20:02:17.758239944 +0200
014436e1
PS
2650@@ -0,0 +1,148 @@
2651+#ifndef _LINUX_IPSET_JHASH_H
2652+#define _LINUX_IPSET_JHASH_H
2653+
2654+/* This is a copy of linux/jhash.h but the types u32/u8 are changed
2655+ * to __u32/__u8 so that the header file can be included into
2656+ * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
2657+ */
2658+
2659+/* jhash.h: Jenkins hash support.
2660+ *
2661+ * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
2662+ *
2663+ * http://burtleburtle.net/bob/hash/
2664+ *
2665+ * These are the credits from Bob's sources:
2666+ *
2667+ * lookup2.c, by Bob Jenkins, December 1996, Public Domain.
2668+ * hash(), hash2(), hash3, and mix() are externally useful functions.
2669+ * Routines to test the hash are included if SELF_TEST is defined.
2670+ * You can use this free for any purpose. It has no warranty.
2671+ *
2672+ * Copyright (C) 2003 David S. Miller (davem@redhat.com)
2673+ *
2674+ * I've modified Bob's hash to be useful in the Linux kernel, and
2675+ * any bugs present are surely my fault. -DaveM
2676+ */
2677+
2678+/* NOTE: Arguments are modified. */
2679+#define __jhash_mix(a, b, c) \
2680+{ \
2681+ a -= b; a -= c; a ^= (c>>13); \
2682+ b -= c; b -= a; b ^= (a<<8); \
2683+ c -= a; c -= b; c ^= (b>>13); \
2684+ a -= b; a -= c; a ^= (c>>12); \
2685+ b -= c; b -= a; b ^= (a<<16); \
2686+ c -= a; c -= b; c ^= (b>>5); \
2687+ a -= b; a -= c; a ^= (c>>3); \
2688+ b -= c; b -= a; b ^= (a<<10); \
2689+ c -= a; c -= b; c ^= (b>>15); \
2690+}
2691+
2692+/* The golden ration: an arbitrary value */
2693+#define JHASH_GOLDEN_RATIO 0x9e3779b9
2694+
2695+/* The most generic version, hashes an arbitrary sequence
2696+ * of bytes. No alignment or length assumptions are made about
2697+ * the input key.
2698+ */
2699+static inline __u32 jhash(void *key, __u32 length, __u32 initval)
2700+{
2701+ __u32 a, b, c, len;
2702+ __u8 *k = key;
2703+
2704+ len = length;
2705+ a = b = JHASH_GOLDEN_RATIO;
2706+ c = initval;
2707+
2708+ while (len >= 12) {
2709+ a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24));
2710+ b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24));
2711+ c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24));
2712+
2713+ __jhash_mix(a,b,c);
2714+
2715+ k += 12;
2716+ len -= 12;
2717+ }
2718+
2719+ c += length;
2720+ switch (len) {
2721+ case 11: c += ((__u32)k[10]<<24);
2722+ case 10: c += ((__u32)k[9]<<16);
2723+ case 9 : c += ((__u32)k[8]<<8);
2724+ case 8 : b += ((__u32)k[7]<<24);
2725+ case 7 : b += ((__u32)k[6]<<16);
2726+ case 6 : b += ((__u32)k[5]<<8);
2727+ case 5 : b += k[4];
2728+ case 4 : a += ((__u32)k[3]<<24);
2729+ case 3 : a += ((__u32)k[2]<<16);
2730+ case 2 : a += ((__u32)k[1]<<8);
2731+ case 1 : a += k[0];
2732+ };
2733+
2734+ __jhash_mix(a,b,c);
2735+
2736+ return c;
2737+}
2738+
2739+/* A special optimized version that handles 1 or more of __u32s.
2740+ * The length parameter here is the number of __u32s in the key.
2741+ */
2742+static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval)
2743+{
2744+ __u32 a, b, c, len;
2745+
2746+ a = b = JHASH_GOLDEN_RATIO;
2747+ c = initval;
2748+ len = length;
2749+
2750+ while (len >= 3) {
2751+ a += k[0];
2752+ b += k[1];
2753+ c += k[2];
2754+ __jhash_mix(a, b, c);
2755+ k += 3; len -= 3;
2756+ }
2757+
2758+ c += length * 4;
2759+
2760+ switch (len) {
2761+ case 2 : b += k[1];
2762+ case 1 : a += k[0];
2763+ };
2764+
2765+ __jhash_mix(a,b,c);
2766+
2767+ return c;
2768+}
2769+
2770+
2771+/* A special ultra-optimized versions that knows they are hashing exactly
2772+ * 3, 2 or 1 word(s).
2773+ *
2774+ * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
2775+ * done at the end is not done here.
2776+ */
2777+static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval)
2778+{
2779+ a += JHASH_GOLDEN_RATIO;
2780+ b += JHASH_GOLDEN_RATIO;
2781+ c += initval;
2782+
2783+ __jhash_mix(a, b, c);
2784+
2785+ return c;
2786+}
2787+
2788+static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval)
2789+{
2790+ return jhash_3words(a, b, 0, initval);
2791+}
2792+
2793+static inline __u32 jhash_1word(__u32 a, __u32 initval)
2794+{
2795+ return jhash_3words(a, 0, 0, initval);
2796+}
2797+
2798+#endif /* _LINUX_IPSET_JHASH_H */
ae95cca4
PS
2799diff -uNr include.orig/linux/netfilter_ipv4/ip_set_macipmap.h include/linux/netfilter_ipv4/ip_set_macipmap.h
2800--- include.orig/linux/netfilter_ipv4/ip_set_macipmap.h 1970-01-01 01:00:00.000000000 +0100
c558041a 2801+++ include/linux/netfilter_ipv4/ip_set_macipmap.h 2005-08-02 20:02:17.776237208 +0200
014436e1
PS
2802@@ -0,0 +1,38 @@
2803+#ifndef __IP_SET_MACIPMAP_H
2804+#define __IP_SET_MACIPMAP_H
2805+
2806+#include <linux/netfilter_ipv4/ip_set.h>
2807+
2808+#define SETTYPE_NAME "macipmap"
2809+#define MAX_RANGE 0x0000FFFF
2810+
2811+/* general flags */
2812+#define IPSET_MACIP_MATCHUNSET 1
2813+
2814+/* per ip flags */
2815+#define IPSET_MACIP_ISSET 1
2816+
2817+struct ip_set_macipmap {
2818+ void *members; /* the macipmap proper */
2819+ ip_set_ip_t first_ip; /* host byte order, included in range */
2820+ ip_set_ip_t last_ip; /* host byte order, included in range */
2821+ u_int32_t flags;
2822+};
2823+
2824+struct ip_set_req_macipmap_create {
2825+ ip_set_ip_t from;
2826+ ip_set_ip_t to;
2827+ u_int32_t flags;
2828+};
2829+
2830+struct ip_set_req_macipmap {
2831+ ip_set_ip_t ip;
2832+ unsigned char ethernet[ETH_ALEN];
2833+};
2834+
2835+struct ip_set_macip {
2836+ unsigned short flags;
2837+ unsigned char ethernet[ETH_ALEN];
2838+};
2839+
2840+#endif /* __IP_SET_MACIPMAP_H */
ae95cca4
PS
2841diff -uNr include.orig/linux/netfilter_ipv4/ip_set_malloc.h include/linux/netfilter_ipv4/ip_set_malloc.h
2842--- include.orig/linux/netfilter_ipv4/ip_set_malloc.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
2843+++ include/linux/netfilter_ipv4/ip_set_malloc.h 2005-08-02 20:02:17.788235384 +0200
2844@@ -0,0 +1,34 @@
014436e1
PS
2845+#ifndef _IP_SET_MALLOC_H
2846+#define _IP_SET_MALLOC_H
2847+
c558041a
PS
2848+#ifdef __KERNEL__
2849+
2850+/* Memory allocation and deallocation */
2851+static size_t max_malloc_size = 0;
2852+
2853+static inline void init_max_malloc_size(void)
2854+{
2855+#define CACHE(x) max_malloc_size = x;
2856+#include <linux/kmalloc_sizes.h>
2857+#undef CACHE
2858+}
2859+
2860+static inline void * ip_set_malloc(size_t bytes)
2861+{
2862+ if (bytes > max_malloc_size)
2863+ return vmalloc(bytes);
2864+ else
2865+ return kmalloc(bytes, GFP_KERNEL);
2866+}
2867+
2868+static inline void ip_set_free(void * data, size_t bytes)
2869+{
2870+ if (bytes > max_malloc_size)
2871+ vfree(data);
2872+ else
2873+ kfree(data);
2874+}
2875+
2876+#endif /* __KERNEL__ */
2877+
014436e1 2878+#endif /*_IP_SET_MALLOC_H*/
ae95cca4
PS
2879diff -uNr include.orig/linux/netfilter_ipv4/ip_set_nethash.h include/linux/netfilter_ipv4/ip_set_nethash.h
2880--- include.orig/linux/netfilter_ipv4/ip_set_nethash.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
2881+++ include/linux/netfilter_ipv4/ip_set_nethash.h 2005-08-02 20:02:17.755240400 +0200
2882@@ -0,0 +1,55 @@
014436e1
PS
2883+#ifndef __IP_SET_NETHASH_H
2884+#define __IP_SET_NETHASH_H
2885+
2886+#include <linux/netfilter_ipv4/ip_set.h>
2887+
2888+#define SETTYPE_NAME "nethash"
2889+#define MAX_RANGE 0x0000FFFF
2890+
2891+struct ip_set_nethash {
2892+ ip_set_ip_t *members; /* the nethash proper */
2893+ uint32_t initval; /* initval for jhash_1word */
2894+ uint32_t prime; /* prime for double hashing */
2895+ uint32_t hashsize; /* hash size */
2896+ uint16_t probes; /* max number of probes */
2897+ uint16_t resize; /* resize factor in percent */
2898+ unsigned char cidr[30]; /* CIDR sizes */
2899+};
2900+
2901+struct ip_set_req_nethash_create {
2902+ uint32_t hashsize;
2903+ uint16_t probes;
2904+ uint16_t resize;
2905+};
2906+
2907+struct ip_set_req_nethash {
2908+ ip_set_ip_t ip;
2909+ unsigned char cidr;
2910+};
2911+
ae95cca4 2912+static unsigned char shifts[] = {255, 253, 249, 241, 225, 193, 129, 1};
014436e1
PS
2913+
2914+static inline ip_set_ip_t
2915+pack(ip_set_ip_t ip, unsigned char cidr)
2916+{
2917+ ip_set_ip_t addr, *paddr = &addr;
2918+ unsigned char n, t, *a;
2919+
2920+ addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr))));
c558041a
PS
2921+#ifdef __KERNEL__
2922+ DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr);
2923+#endif
014436e1
PS
2924+ n = cidr / 8;
2925+ t = cidr % 8;
2926+ a = &((unsigned char *)paddr)[n];
2927+ *a = *a /(1 << (8 - t)) + shifts[t];
c558041a
PS
2928+#ifdef __KERNEL__
2929+ DP("n: %u, t: %u, a: %u", n, t, *a);
2930+ DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u",
2931+ HIPQUAD(ip), cidr, NIPQUAD(addr));
2932+#endif
014436e1
PS
2933+
2934+ return ntohl(addr);
2935+}
2936+
2937+#endif /* __IP_SET_NETHASH_H */
ae95cca4
PS
2938diff -uNr include.orig/linux/netfilter_ipv4/ip_set_portmap.h include/linux/netfilter_ipv4/ip_set_portmap.h
2939--- include.orig/linux/netfilter_ipv4/ip_set_portmap.h 1970-01-01 01:00:00.000000000 +0100
c558041a 2940+++ include/linux/netfilter_ipv4/ip_set_portmap.h 2005-08-02 20:02:17.772237816 +0200
014436e1
PS
2941@@ -0,0 +1,25 @@
2942+#ifndef __IP_SET_PORTMAP_H
2943+#define __IP_SET_PORTMAP_H
2944+
2945+#include <linux/netfilter_ipv4/ip_set.h>
2946+
2947+#define SETTYPE_NAME "portmap"
2948+#define MAX_RANGE 0x0000FFFF
2949+#define INVALID_PORT (MAX_RANGE + 1)
2950+
2951+struct ip_set_portmap {
2952+ void *members; /* the portmap proper */
2953+ ip_set_ip_t first_port; /* host byte order, included in range */
2954+ ip_set_ip_t last_port; /* host byte order, included in range */
2955+};
2956+
2957+struct ip_set_req_portmap_create {
2958+ ip_set_ip_t from;
2959+ ip_set_ip_t to;
2960+};
2961+
2962+struct ip_set_req_portmap {
2963+ ip_set_ip_t port;
2964+};
2965+
2966+#endif /* __IP_SET_PORTMAP_H */
ae95cca4
PS
2967diff -uNr include.orig/linux/netfilter_ipv4/ip_set_prime.h include/linux/netfilter_ipv4/ip_set_prime.h
2968--- include.orig/linux/netfilter_ipv4/ip_set_prime.h 1970-01-01 01:00:00.000000000 +0100
c558041a 2969+++ include/linux/netfilter_ipv4/ip_set_prime.h 2005-08-02 20:02:17.825229760 +0200
014436e1
PS
2970@@ -0,0 +1,34 @@
2971+#ifndef __IP_SET_PRIME_H
2972+#define __IP_SET_PRIME_H
2973+
2974+static inline unsigned make_prime_bound(unsigned nr)
2975+{
2976+ unsigned long long nr64 = nr;
2977+ unsigned long long x = 1;
2978+ nr = 1;
2979+ while (x <= nr64) { x <<= 2; nr <<= 1; }
2980+ return nr;
2981+}
2982+
2983+static inline int make_prime_check(unsigned nr)
2984+{
2985+ unsigned x = 3;
2986+ unsigned b = make_prime_bound(nr);
2987+ while (x <= b) {
2988+ if (0 == (nr % x)) return 0;
2989+ x += 2;
2990+ }
2991+ return 1;
2992+}
2993+
2994+static unsigned make_prime(unsigned nr)
2995+{
2996+ if (0 == (nr & 1)) nr--;
2997+ while (nr > 1) {
2998+ if (make_prime_check(nr)) return nr;
2999+ nr -= 2;
3000+ }
3001+ return 2;
3002+}
3003+
3004+#endif /* __IP_SET_PRIME_H */
ae95cca4 3005diff -uNr include.orig/linux/netfilter_ipv4/ip_tables.h include/linux/netfilter_ipv4/ip_tables.h
c558041a
PS
3006--- include.orig/linux/netfilter_ipv4/ip_tables.h 2005-07-06 02:17:20.000000000 +0200
3007+++ include/linux/netfilter_ipv4/ip_tables.h 2005-08-02 20:02:17.815231280 +0200
ae95cca4 3008@@ -101,7 +101,8 @@
0fc89030
PS
3009
3010 /* Values for "flag" field in struct ipt_ip (general ip structure). */
3011 #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
3012-#define IPT_F_MASK 0x01 /* All possible flag bits mask. */
3013+#define IPT_F_GOTO 0x02 /* Set if jump is a goto */
3014+#define IPT_F_MASK 0x03 /* All possible flag bits mask. */
3015
3016 /* Values for "inv" field in struct ipt_ip. */
3017 #define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
ae95cca4
PS
3018@@ -148,12 +149,23 @@
3019 #define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
3020 #define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS
3021
c558041a
PS
3022+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (IPT_BASE_CTL + 3)
3023+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (IPT_BASE_CTL + 4)
3024+#define IPT_SO_SET_ACCOUNT_MAX IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL
ae95cca4
PS
3025+
3026 #define IPT_SO_GET_INFO (IPT_BASE_CTL)
3027 #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
3028 #define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
3029 #define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
3030 #define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
3031
c558041a
PS
3032+#define IPT_SO_GET_ACCOUNT_PREPARE_READ (IPT_BASE_CTL + 3)
3033+#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (IPT_BASE_CTL + 4)
3034+#define IPT_SO_GET_ACCOUNT_GET_DATA (IPT_BASE_CTL + 5)
3035+#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (IPT_BASE_CTL + 6)
3036+#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (IPT_BASE_CTL + 7)
3037+#define IPT_SO_GET_ACCOUNT_MAX IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
ae95cca4
PS
3038+
3039 /* CONTINUE verdict for targets */
3040 #define IPT_CONTINUE 0xFFFFFFFF
3041
3042diff -uNr include.orig/linux/netfilter_ipv4/ipt_account.h include/linux/netfilter_ipv4/ipt_account.h
3043--- include.orig/linux/netfilter_ipv4/ipt_account.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3044+++ include/linux/netfilter_ipv4/ipt_account.h 2005-08-02 20:02:17.786235688 +0200
0fc89030 3045@@ -0,0 +1,26 @@
4f894449
PS
3046+/*
3047+ * accounting match (ipt_account.c)
0fc89030 3048+ * (C) 2003,2004 by Piotr Gasidlo (quaker@barbara.eu.org)
4f894449 3049+ *
0fc89030 3050+ * Version: 0.1.7
4f894449
PS
3051+ *
3052+ * This software is distributed under the terms of GNU GPL
3053+ */
3054+
3055+#ifndef _IPT_ACCOUNT_H_
3056+#define _IPT_ACCOUNT_H_
3057+
3058+#define IPT_ACCOUNT_NAME_LEN 64
3059+
0fc89030
PS
3060+#define IPT_ACCOUNT_NAME "ipt_account"
3061+#define IPT_ACCOUNT_VERSION "0.1.7"
3062+
4f894449
PS
3063+struct t_ipt_account_info {
3064+ char name[IPT_ACCOUNT_NAME_LEN];
3065+ u_int32_t network;
3066+ u_int32_t netmask;
0fc89030 3067+ int shortlisting:1;
4f894449
PS
3068+};
3069+
3070+#endif
0fc89030 3071+
ae95cca4
PS
3072diff -uNr include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h include/linux/netfilter_ipv4/ipt_ACCOUNT.h
3073--- include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3074+++ include/linux/netfilter_ipv4/ipt_ACCOUNT.h 2005-08-02 20:02:17.817230976 +0200
ae95cca4
PS
3075@@ -0,0 +1,100 @@
3076+/***************************************************************************
3077+ * Copyright (C) 2004 by Intra2net AG *
3078+ * opensource@intra2net.com *
3079+ * *
3080+ * This program is free software; you can redistribute it and/or modify *
3081+ * it under the terms of the GNU General Public License *
3082+ * version 2 as published by the Free Software Foundation; *
3083+ * *
3084+ ***************************************************************************/
3085+
3086+#ifndef _IPT_ACCOUNT_H
3087+#define _IPT_ACCOUNT_H
3088+
3089+#define ACCOUNT_MAX_TABLES 32
3090+#define ACCOUNT_TABLE_NAME_LEN 32
3091+#define ACCOUNT_MAX_HANDLES 10
3092+
3093+/* Structure for the userspace part of ipt_ACCOUNT */
3094+struct ipt_acc_info {
3095+ u_int32_t net_ip;
3096+ u_int32_t net_mask;
3097+ char table_name[ACCOUNT_TABLE_NAME_LEN];
3098+ int32_t table_nr;
3099+};
3100+
3101+/* Internal table structure, generated by check_entry() */
3102+struct ipt_acc_table {
3103+ char name[ACCOUNT_TABLE_NAME_LEN]; /* name of the table */
3104+ u_int32_t ip; /* base IP of network */
3105+ u_int32_t netmask; /* netmask of the network */
3106+ unsigned char depth; /* size of network:
3107+ 0: 8 bit, 1: 16bit, 2: 24 bit */
3108+ u_int32_t refcount; /* refcount of this table.
3109+ if zero, destroy it */
3110+ u_int32_t itemcount; /* number of IPs in this table */
3111+ void *data; /* pointer to the actual data,
3112+ depending on netmask */
3113+};
3114+
3115+/* Internal handle structure */
3116+struct ipt_acc_handle {
3117+ u_int32_t ip; /* base IP of network. Used for
3118+ caculating the final IP during
3119+ get_data() */
3120+ unsigned char depth; /* size of network. See above for
3121+ details */
3122+ u_int32_t itemcount; /* number of IPs in this table */
3123+ void *data; /* pointer to the actual data,
3124+ depending on size */
3125+};
3126+
3127+/* Handle structure for communication with the userspace library */
3128+struct ipt_acc_handle_sockopt {
3129+ u_int32_t handle_nr; /* Used for HANDLE_FREE */
3130+ char name[ACCOUNT_TABLE_NAME_LEN]; /* Used for HANDLE_PREPARE_READ/
3131+ HANDLE_READ_FLUSH */
3132+ u_int32_t itemcount; /* Used for HANDLE_PREPARE_READ/
3133+ HANDLE_READ_FLUSH */
3134+};
3135+
3136+/* Used for every IP entry
3137+ Size is 16 bytes so that 256 (class C network) * 16
3138+ fits in one kernel (zero) page */
3139+struct ipt_acc_ip {
3140+ u_int32_t src_packets;
3141+ u_int32_t src_bytes;
3142+ u_int32_t dst_packets;
3143+ u_int32_t dst_bytes;
3144+};
3145+
3146+/*
3147+ Used for every IP when returning data
3148+*/
3149+struct ipt_acc_handle_ip {
3150+ u_int32_t ip;
3151+ u_int32_t src_packets;
3152+ u_int32_t src_bytes;
3153+ u_int32_t dst_packets;
3154+ u_int32_t dst_bytes;
3155+};
3156+
3157+/*
3158+ The IPs are organized as an array so that direct slot
3159+ calculations are possible.
3160+ Only 8 bit networks are preallocated, 16/24 bit networks
3161+ allocate their slots when needed -> very efficent.
3162+*/
3163+struct ipt_acc_mask_24 {
3164+ struct ipt_acc_ip ip[256];
3165+};
3166+
3167+struct ipt_acc_mask_16 {
3168+ struct ipt_acc_mask_24 *mask_24[256];
3169+};
3170+
3171+struct ipt_acc_mask_8 {
3172+ struct ipt_acc_mask_16 *mask_16[256];
3173+};
3174+
3175+#endif /*_IPT_ACCOUNT_H*/
3176diff -uNr include.orig/linux/netfilter_ipv4/ipt_addrtype.h include/linux/netfilter_ipv4/ipt_addrtype.h
3177--- include.orig/linux/netfilter_ipv4/ipt_addrtype.h 2004-10-31 20:56:02.000000000 +0100
c558041a 3178+++ include/linux/netfilter_ipv4/ipt_addrtype.h 2005-08-02 20:02:17.751241008 +0200
ae95cca4
PS
3179@@ -4,8 +4,8 @@
3180 struct ipt_addrtype_info {
3181 u_int16_t source; /* source-type mask */
3182 u_int16_t dest; /* dest-type mask */
3183- u_int32_t invert_source;
3184- u_int32_t invert_dest;
3185+ int invert_source;
3186+ int invert_dest;
3187 };
3188
3189 #endif
3190diff -uNr include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
3191--- include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-01-08 15:03:55.000000000 +0100
c558041a 3192+++ include/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-08-02 20:02:17.832228696 +0200
ae95cca4
PS
3193@@ -9,7 +9,7 @@
3194
3195 #define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT
3196
3197-#define CLUSTERIP_MAX_NODES 16
3198+#define CLUSTERIP_MAX_NODES 8
3199
3200 #define CLUSTERIP_FLAG_NEW 0x00000001
3201
3202diff -uNr include.orig/linux/netfilter_ipv4/ipt_connlimit.h include/linux/netfilter_ipv4/ipt_connlimit.h
3203--- include.orig/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3204+++ include/linux/netfilter_ipv4/ipt_connlimit.h 2005-08-02 20:02:17.723245264 +0200
ab88a259
PS
3205@@ -0,0 +1,12 @@
3206+#ifndef _IPT_CONNLIMIT_H
3207+#define _IPT_CONNLIMIT_H
3208+
3209+struct ipt_connlimit_data;
3210+
3211+struct ipt_connlimit_info {
3212+ int limit;
3213+ int inverse;
3214+ u_int32_t mask;
3215+ struct ipt_connlimit_data *data;
3216+};
3217+#endif /* _IPT_CONNLIMIT_H */
ae95cca4
PS
3218diff -uNr include.orig/linux/netfilter_ipv4/ipt_fuzzy.h include/linux/netfilter_ipv4/ipt_fuzzy.h
3219--- include.orig/linux/netfilter_ipv4/ipt_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3220+++ include/linux/netfilter_ipv4/ipt_fuzzy.h 2005-08-02 20:02:17.781236448 +0200
bab37e86
PS
3221@@ -0,0 +1,21 @@
3222+#ifndef _IPT_FUZZY_H
3223+#define _IPT_FUZZY_H
3224+
3225+#include <linux/param.h>
3226+#include <linux/types.h>
3227+
3228+#define MAXFUZZYRATE 10000000
3229+#define MINFUZZYRATE 3
3230+
3231+struct ipt_fuzzy_info {
3232+ u_int32_t minimum_rate;
3233+ u_int32_t maximum_rate;
3234+ u_int32_t packets_total;
3235+ u_int32_t bytes_total;
3236+ u_int32_t previous_time;
3237+ u_int32_t present_time;
3238+ u_int32_t mean_rate;
3239+ u_int8_t acceptance_rate;
3240+};
3241+
3242+#endif /*_IPT_FUZZY_H*/
ae95cca4
PS
3243diff -uNr include.orig/linux/netfilter_ipv4/ipt_geoip.h include/linux/netfilter_ipv4/ipt_geoip.h
3244--- include.orig/linux/netfilter_ipv4/ipt_geoip.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3245+++ include/linux/netfilter_ipv4/ipt_geoip.h 2005-08-02 20:02:17.769238272 +0200
014436e1
PS
3246@@ -0,0 +1,50 @@
3247+/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c
3248+ *
3249+ * This program is free software; you can redistribute it and/or modify
3250+ * it under the terms of the GNU General Public License as published by
3251+ * the Free Software Foundation; either version 2 of the License, or
3252+ * (at your option) any later version.
3253+ *
3254+ * Copyright (c) 2004 Cookinglinux
3255+ */
3256+#ifndef _IPT_GEOIP_H
3257+#define _IPT_GEOIP_H
3258+
3259+#define IPT_GEOIP_SRC 0x01 /* Perform check on Source IP */
3260+#define IPT_GEOIP_DST 0x02 /* Perform check on Destination IP */
3261+#define IPT_GEOIP_INV 0x04 /* Negate the condition */
3262+
3263+#define IPT_GEOIP_MAX 15 /* Maximum of countries */
3264+
3265+struct geoip_subnet {
3266+ u_int32_t begin;
3267+ u_int32_t end;
3268+};
3269+
3270+struct geoip_info {
3271+ struct geoip_subnet *subnets;
3272+ u_int32_t count;
3273+ u_int32_t ref;
3274+ u_int16_t cc;
3275+ struct geoip_info *next;
3276+ struct geoip_info *prev;
3277+};
3278+
3279+struct ipt_geoip_info {
3280+ u_int8_t flags;
3281+ u_int8_t count;
3282+ u_int16_t cc[IPT_GEOIP_MAX];
3283+
3284+ /* Used internally by the kernel */
3285+ struct geoip_info *mem[IPT_GEOIP_MAX];
3286+ u_int8_t *refcount;
3287+
3288+ /* not implemented yet:
3289+ void *fini;
3290+ */
3291+};
3292+
3293+#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF)
3294+
3295+#endif
3296+
ae95cca4
PS
3297diff -uNr include.orig/linux/netfilter_ipv4/ipt_IPMARK.h include/linux/netfilter_ipv4/ipt_IPMARK.h
3298--- include.orig/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3299+++ include/linux/netfilter_ipv4/ipt_IPMARK.h 2005-08-02 20:02:17.756240248 +0200
bab37e86
PS
3300@@ -0,0 +1,13 @@
3301+#ifndef _IPT_IPMARK_H_target
3302+#define _IPT_IPMARK_H_target
3303+
3304+struct ipt_ipmark_target_info {
3305+ unsigned long andmask;
3306+ unsigned long ormask;
3307+ unsigned int addr;
3308+};
3309+
3310+#define IPT_IPMARK_SRC 0
3311+#define IPT_IPMARK_DST 1
3312+
3313+#endif /*_IPT_IPMARK_H_target*/
ae95cca4
PS
3314diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipp2p.h include/linux/netfilter_ipv4/ipt_ipp2p.h
3315--- include.orig/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3316+++ include/linux/netfilter_ipv4/ipt_ipp2p.h 2005-08-02 20:02:17.784235992 +0200
014436e1
PS
3317@@ -0,0 +1,29 @@
3318+#ifndef __IPT_IPP2P_H
3319+#define __IPT_IPP2P_H
c558041a 3320+#define IPP2P_VERSION "0.7.4"
014436e1
PS
3321+
3322+struct ipt_p2p_info {
3323+ int cmd;
3324+ int debug;
3325+};
3326+
3327+#endif //__IPT_IPP2P_H
3328+
3329+#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/
3330+#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/
3331+#define SHORT_HAND_NONE 5 /* no short hand*/
3332+
3333+#define IPP2P_EDK 2
3334+#define IPP2P_DATA_KAZAA 8
3335+#define IPP2P_DATA_EDK 16
3336+#define IPP2P_DATA_DC 32
3337+#define IPP2P_DC 64
3338+#define IPP2P_DATA_GNU 128
3339+#define IPP2P_GNU 256
3340+#define IPP2P_KAZAA 512
3341+#define IPP2P_BIT 1024
3342+#define IPP2P_APPLE 2048
3343+#define IPP2P_SOUL 4096
3344+#define IPP2P_WINMX 8192
3345+#define IPP2P_ARES 16384
3346+
ae95cca4
PS
3347diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipv4options.h include/linux/netfilter_ipv4/ipt_ipv4options.h
3348--- include.orig/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3349+++ include/linux/netfilter_ipv4/ipt_ipv4options.h 2005-08-02 20:02:17.733243744 +0200
bab37e86
PS
3350@@ -0,0 +1,21 @@
3351+#ifndef __ipt_ipv4options_h_included__
3352+#define __ipt_ipv4options_h_included__
3353+
3354+#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
3355+#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
3356+#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
3357+#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
3358+#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
3359+#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
3360+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
3361+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
3362+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
3363+#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
3364+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
3365+
3366+struct ipt_ipv4options_info {
3367+ u_int16_t options;
3368+};
3369+
3370+
3371+#endif /* __ipt_ipv4options_h_included__ */
ae95cca4
PS
3372diff -uNr include.orig/linux/netfilter_ipv4/ipt_layer7.h include/linux/netfilter_ipv4/ipt_layer7.h
3373--- include.orig/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3374+++ include/linux/netfilter_ipv4/ipt_layer7.h 2005-08-02 20:02:17.736243288 +0200
ae95cca4
PS
3375@@ -0,0 +1,26 @@
3376+/*
3377+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
3378+ http://l7-filter.sf.net
3379+
3380+ This program is free software; you can redistribute it and/or
3381+ modify it under the terms of the GNU General Public License
3382+ as published by the Free Software Foundation; either version
3383+ 2 of the License, or (at your option) any later version.
3384+ http://www.gnu.org/licenses/gpl.txt
3385+*/
3386+
3387+#ifndef _IPT_LAYER7_H
3388+#define _IPT_LAYER7_H
3389+
3390+#define MAX_PATTERN_LEN 8192
3391+#define MAX_PROTOCOL_LEN 256
3392+
3393+typedef char *(*proc_ipt_search) (char *, char, char *);
3394+
3395+struct ipt_layer7_info {
3396+ char protocol[MAX_PROTOCOL_LEN];
3397+ char invert:1;
3398+ char pattern[MAX_PATTERN_LEN];
3399+};
3400+
3401+#endif /* _IPT_LAYER7_H */
3402diff -uNr include.orig/linux/netfilter_ipv4/ipt_nth.h include/linux/netfilter_ipv4/ipt_nth.h
3403--- include.orig/linux/netfilter_ipv4/ipt_nth.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3404+++ include/linux/netfilter_ipv4/ipt_nth.h 2005-08-02 20:02:17.760239640 +0200
bab37e86
PS
3405@@ -0,0 +1,19 @@
3406+#ifndef _IPT_NTH_H
3407+#define _IPT_NTH_H
3408+
3409+#include <linux/param.h>
3410+#include <linux/types.h>
3411+
3412+#ifndef IPT_NTH_NUM_COUNTERS
3413+#define IPT_NTH_NUM_COUNTERS 16
3414+#endif
3415+
3416+struct ipt_nth_info {
3417+ u_int8_t every;
3418+ u_int8_t not;
3419+ u_int8_t startat;
3420+ u_int8_t counter;
3421+ u_int8_t packet;
3422+};
3423+
3424+#endif /*_IPT_NTH_H*/
ae95cca4
PS
3425diff -uNr include.orig/linux/netfilter_ipv4/ipt_osf.h include/linux/netfilter_ipv4/ipt_osf.h
3426--- include.orig/linux/netfilter_ipv4/ipt_osf.h 1970-01-01 01:00:00.000000000 +0100
c558041a
PS
3427+++ include/linux/netfilter_ipv4/ipt_osf.h 2005-08-02 20:02:17.783236144 +0200
3428@@ -0,0 +1,151 @@
0fc89030
PS
3429+/*
3430+ * ipt_osf.h
3431+ *
3432+ * Copyright (c) 2003 Evgeniy Polyakov <johnpol@2ka.mipt.ru>
3433+ *
3434+ *
3435+ * This program is free software; you can redistribute it and/or modify
3436+ * it under the terms of the GNU General Public License as published by
3437+ * the Free Software Foundation; either version 2 of the License, or
3438+ * (at your option) any later version.
3439+ *
3440+ * This program is distributed in the hope that it will be useful,
3441+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
3442+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3443+ * GNU General Public License for more details.
3444+ *
3445+ * You should have received a copy of the GNU General Public License
3446+ * along with this program; if not, write to the Free Software
3447+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
3448+ */
3449+
3450+#ifndef _IPT_OSF_H
3451+#define _IPT_OSF_H
3452+
3453+#define MAXGENRELEN 32
3454+#define MAXDETLEN 64
3455+
3456+#define IPT_OSF_GENRE 1
3457+#define IPT_OSF_SMART 2
3458+#define IPT_OSF_LOG 4
3459+#define IPT_OSF_NETLINK 8
c558041a 3460+#define IPT_OSF_CONNECTOR 16
0fc89030
PS
3461+
3462+#define IPT_OSF_LOGLEVEL_ALL 0
3463+#define IPT_OSF_LOGLEVEL_FIRST 1
3464+
c558041a 3465+#ifndef __KERNEL__
ae95cca4
PS
3466+#include <netinet/ip.h>
3467+#include <netinet/tcp.h>
3468+
3469+struct list_head
3470+{
3471+ struct list_head *prev, *next;
3472+};
c558041a 3473+#endif
ae95cca4 3474+
0fc89030
PS
3475+struct ipt_osf_info
3476+{
3477+ char genre[MAXGENRELEN];
3478+ int len;
3479+ unsigned long flags;
3480+ int loglevel;
3481+ int invert; /* UNSUPPORTED */
3482+};
3483+
3484+struct osf_wc
3485+{
3486+ char wc;
3487+ unsigned long val;
3488+};
3489+
3490+/* This struct represents IANA options
3491+ * http://www.iana.org/assignments/tcp-parameters
3492+ */
3493+struct osf_opt
3494+{
3495+ unsigned char kind;
3496+ unsigned char length;
3497+ struct osf_wc wc;
3498+};
3499+
3500+struct osf_finger
3501+{
ae95cca4 3502+ struct list_head flist;
0fc89030
PS
3503+ struct osf_wc wss;
3504+ unsigned char ttl;
3505+ unsigned char df;
3506+ unsigned long ss;
3507+ unsigned char genre[MAXGENRELEN];
3508+ unsigned char version[MAXGENRELEN], subtype[MAXGENRELEN];
3509+
3510+ /* Not needed, but for consistency with original table from Michal Zalewski */
3511+ unsigned char details[MAXDETLEN];
3512+
3513+ int opt_num;
3514+ struct osf_opt opt[MAX_IPOPTLEN]; /* In case it is all NOP or EOL */
3515+
3516+};
3517+
3518+struct ipt_osf_nlmsg
3519+{
3520+ struct osf_finger f;
3521+ struct iphdr ip;
3522+ struct tcphdr tcp;
3523+};
3524+
c558041a
PS
3525+#ifdef __KERNEL__
3526+
3527+#include <linux/list.h>
3528+#include <net/tcp.h>
3529+
3530+
3531+/* Defines for IANA option kinds */
3532+
3533+#define OSFOPT_EOL 0 /* End of options */
3534+#define OSFOPT_NOP 1 /* NOP */
3535+#define OSFOPT_MSS 2 /* Maximum segment size */
3536+#define OSFOPT_WSO 3 /* Window scale option */
3537+#define OSFOPT_SACKP 4 /* SACK permitted */
3538+#define OSFOPT_SACK 5 /* SACK */
3539+#define OSFOPT_ECHO 6
3540+#define OSFOPT_ECHOREPLY 7
3541+#define OSFOPT_TS 8 /* Timestamp option */
3542+#define OSFOPT_POCP 9 /* Partial Order Connection Permitted */
3543+#define OSFOPT_POSP 10 /* Partial Order Service Profile */
3544+/* Others are not used in current OSF */
3545+
3546+static struct osf_opt IANA_opts[] =
3547+{
3548+ {0, 1,},
3549+ {1, 1,},
3550+ {2, 4,},
3551+ {3, 3,},
3552+ {4, 2,},
3553+ {5, 1 ,}, /* SACK length is not defined */
3554+ {6, 6,},
3555+ {7, 6,},
3556+ {8, 10,},
3557+ {9, 2,},
3558+ {10, 3,},
3559+ {11, 1,}, /* CC: Suppose 1 */
3560+ {12, 1,}, /* the same */
3561+ {13, 1,}, /* and here too */
3562+ {14, 3,},
3563+ {15, 1,}, /* TCP Alternate Checksum Data. Length is not defined */
3564+ {16, 1,},
3565+ {17, 1,},
3566+ {18, 3,},
3567+ {19, 18,},
3568+ {20, 1,},
3569+ {21, 1,},
3570+ {22, 1,},
3571+ {23, 1,},
3572+ {24, 1,},
3573+ {25, 1,},
3574+ {26, 1,},
3575+};
3576+
3577+#endif /* __KERNEL__ */
3578+
0fc89030 3579+#endif /* _IPT_OSF_H */
ae95cca4
PS
3580diff -uNr include.orig/linux/netfilter_ipv4/ipt_policy.h include/linux/netfilter_ipv4/ipt_policy.h
3581--- include.orig/linux/netfilter_ipv4/ipt_policy.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3582+++ include/linux/netfilter_ipv4/ipt_policy.h 2005-08-02 20:02:17.735243440 +0200
bab37e86
PS
3583@@ -0,0 +1,52 @@
3584+#ifndef _IPT_POLICY_H
3585+#define _IPT_POLICY_H
3586+
3587+#define POLICY_MAX_ELEM 4
3588+
3589+enum ipt_policy_flags
3590+{
3591+ POLICY_MATCH_IN = 0x1,
3592+ POLICY_MATCH_OUT = 0x2,
3593+ POLICY_MATCH_NONE = 0x4,
3594+ POLICY_MATCH_STRICT = 0x8,
3595+};
3596+
3597+enum ipt_policy_modes
3598+{
3599+ POLICY_MODE_TRANSPORT,
3600+ POLICY_MODE_TUNNEL
3601+};
3602+
3603+struct ipt_policy_spec
3604+{
3605+ u_int8_t saddr:1,
3606+ daddr:1,
3607+ proto:1,
3608+ mode:1,
3609+ spi:1,
3610+ reqid:1;
3611+};
3612+
3613+struct ipt_policy_elem
3614+{
3615+ u_int32_t saddr;
3616+ u_int32_t smask;
3617+ u_int32_t daddr;
3618+ u_int32_t dmask;
3619+ u_int32_t spi;
3620+ u_int32_t reqid;
3621+ u_int8_t proto;
3622+ u_int8_t mode;
3623+
3624+ struct ipt_policy_spec match;
3625+ struct ipt_policy_spec invert;
3626+};
3627+
3628+struct ipt_policy_info
3629+{
3630+ struct ipt_policy_elem pol[POLICY_MAX_ELEM];
3631+ u_int16_t flags;
3632+ u_int16_t len;
3633+};
3634+
3635+#endif /* _IPT_POLICY_H */
ae95cca4
PS
3636diff -uNr include.orig/linux/netfilter_ipv4/ipt_psd.h include/linux/netfilter_ipv4/ipt_psd.h
3637--- include.orig/linux/netfilter_ipv4/ipt_psd.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3638+++ include/linux/netfilter_ipv4/ipt_psd.h 2005-08-02 20:02:17.778236904 +0200
ae95cca4
PS
3639@@ -0,0 +1,40 @@
3640+#ifndef _IPT_PSD_H
3641+#define _IPT_PSD_H
3642+
3643+#include <linux/param.h>
3644+#include <linux/types.h>
3645+
3646+/*
3647+ * High port numbers have a lower weight to reduce the frequency of false
3648+ * positives, such as from passive mode FTP transfers.
3649+ */
3650+#define PORT_WEIGHT_PRIV 3
3651+#define PORT_WEIGHT_HIGH 1
3652+
3653+/*
3654+ * Port scan detection thresholds: at least COUNT ports need to be scanned
3655+ * from the same source, with no longer than DELAY ticks between ports.
3656+ */
3657+#define SCAN_MIN_COUNT 7
3658+#define SCAN_MAX_COUNT (SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
3659+#define SCAN_WEIGHT_THRESHOLD SCAN_MAX_COUNT
3660+#define SCAN_DELAY_THRESHOLD (300) /* old usage of HZ here was erroneously and broke under uml */
3661+
3662+/*
3663+ * Keep track of up to LIST_SIZE source addresses, using a hash table of
3664+ * HASH_SIZE entries for faster lookups, but limiting hash collisions to
3665+ * HASH_MAX source addresses per the same hash value.
3666+ */
3667+#define LIST_SIZE 0x100
3668+#define HASH_LOG 9
3669+#define HASH_SIZE (1 << HASH_LOG)
3670+#define HASH_MAX 0x10
3671+
3672+struct ipt_psd_info {
3673+ unsigned int weight_threshold;
3674+ unsigned int delay_threshold;
3675+ unsigned short lo_ports_weight;
3676+ unsigned short hi_ports_weight;
3677+};
3678+
3679+#endif /*_IPT_PSD_H*/
3680diff -uNr include.orig/linux/netfilter_ipv4/ipt_quota.h include/linux/netfilter_ipv4/ipt_quota.h
3681--- include.orig/linux/netfilter_ipv4/ipt_quota.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3682+++ include/linux/netfilter_ipv4/ipt_quota.h 2005-08-02 20:02:17.762239336 +0200
ae95cca4
PS
3683@@ -0,0 +1,12 @@
3684+#ifndef _IPT_QUOTA_H
3685+#define _IPT_QUOTA_H
3686+
3687+/* print debug info in both kernel/netfilter module & iptable library */
3688+//#define DEBUG_IPT_QUOTA
3689+
3690+struct ipt_quota_info {
3691+ u_int64_t quota;
3692+ struct ipt_quota_info *master;
3693+};
3694+
3695+#endif /*_IPT_QUOTA_H*/
c558041a
PS
3696diff -uNr include.orig/linux/netfilter_ipv4/ipt_recent.h include/linux/netfilter_ipv4/ipt_recent.h
3697--- include.orig/linux/netfilter_ipv4/ipt_recent.h 2004-10-31 20:56:00.000000000 +0100
3698+++ include/linux/netfilter_ipv4/ipt_recent.h 2005-08-02 20:02:17.720245720 +0200
3699@@ -2,7 +2,7 @@
3700 #define _IPT_RECENT_H
3701
3702 #define RECENT_NAME "ipt_recent"
3703-#define RECENT_VER "v0.3.1"
3704+#define RECENT_VER "v0.3.2"
3705
3706 #define IPT_RECENT_CHECK 1
3707 #define IPT_RECENT_SET 2
ae95cca4
PS
3708diff -uNr include.orig/linux/netfilter_ipv4/ipt_ROUTE.h include/linux/netfilter_ipv4/ipt_ROUTE.h
3709--- include.orig/linux/netfilter_ipv4/ipt_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
c558041a 3710+++ include/linux/netfilter_ipv4/ipt_ROUTE.h 2005-08-02 20:02:17.726244808 +0200
ae95cca4
PS
3711@@ -0,0 +1,23 @@
3712+/* Header file for iptables ipt_ROUTE target
3713+ *
3714