]>
Commit | Line | Data |
---|---|---|
ae95cca4 PS |
1 | diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h include/linux/netfilter/ipv4/nf_conntrack_icmp.h |
2 | --- include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3 | +++ include/linux/netfilter/ipv4/nf_conntrack_icmp.h 2005-08-02 20:02:17.683251344 +0200 |
014436e1 PS |
4 | @@ -0,0 +1,17 @@ |
5 | +/* | |
6 | + * ICMP tracking. | |
7 | + * | |
8 | + * Derived from include/linux/netfiter_ipv4/ip_conntrack_icmp.h | |
9 | + */ | |
ac0c4b1f | 10 | + |
014436e1 PS |
11 | +#ifndef _NF_CONNTRACK_ICMP_H |
12 | +#define _NF_CONNTRACK_ICMP_H | |
13 | +#include <asm/atomic.h> | |
ac0c4b1f | 14 | + |
014436e1 PS |
15 | +struct nf_ct_icmp |
16 | +{ | |
17 | + /* Optimization: when number in == number out, forget immediately. */ | |
18 | + atomic_t count; | |
19 | +}; | |
ac0c4b1f | 20 | + |
014436e1 | 21 | +#endif /* _NF_CONNTRACK_ICMP_H */ |
ae95cca4 PS |
22 | diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h include/linux/netfilter/ipv4/nf_conntrack_ipv4.h |
23 | --- include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 24 | +++ include/linux/netfilter/ipv4/nf_conntrack_ipv4.h 2005-08-02 20:02:17.684251192 +0200 |
014436e1 PS |
25 | @@ -0,0 +1,40 @@ |
26 | +/* | |
27 | + * IPv4 support for nf_conntrack. | |
28 | + * | |
29 | + * 23 Mar 2004: Yasuyuki Kozakai @ USAGI <yasuyuki.kozakai@toshiba.co.jp> | |
30 | + * - move L3 protocol dependent part from include/linux/netfilter_ipv4/ | |
31 | + * ip_conntarck.h | |
32 | + */ | |
0fc89030 | 33 | + |
014436e1 PS |
34 | +#ifndef _NF_CONNTRACK_IPV4_H |
35 | +#define _NF_CONNTRACK_IPV4_H | |
36 | + | |
37 | +#ifdef CONFIG_IP_NF_NAT_NEEDED | |
38 | +#include <linux/netfilter_ipv4/ip_nat.h> | |
39 | + | |
40 | +/* per conntrack: nat application helper private data */ | |
41 | +union ip_conntrack_nat_help { | |
42 | + /* insert nat helper private data here */ | |
43 | +}; | |
44 | + | |
45 | +struct nf_conntrack_ipv4_nat { | |
46 | + struct ip_nat_info info; | |
47 | + union ip_conntrack_nat_help help; | |
48 | +#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \ | |
49 | + defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE) | |
50 | + int masq_index; | |
51 | +#endif | |
52 | +}; | |
53 | +#endif /* CONFIG_IP_NF_NAT_NEEDED */ | |
54 | + | |
55 | +struct nf_conntrack_ipv4 { | |
56 | +#ifdef CONFIG_IP_NF_NAT_NEEDED | |
57 | + struct nf_conntrack_ipv4_nat *nat; | |
58 | +#endif | |
59 | +}; | |
60 | + | |
61 | +/* Returns new sk_buff, or NULL */ | |
62 | +struct sk_buff * | |
63 | +nf_ct_ipv4_ct_gather_frags(struct sk_buff *skb); | |
64 | + | |
65 | +#endif /*_NF_CONNTRACK_IPV4_H*/ | |
ae95cca4 PS |
66 | diff -uNr include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h |
67 | --- include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 68 | +++ include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 2005-08-02 20:02:17.698249064 +0200 |
014436e1 PS |
69 | @@ -0,0 +1,27 @@ |
70 | +/* | |
71 | + * ICMPv6 tracking. | |
72 | + * | |
73 | + * 21 Apl 2004: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> | |
74 | + * - separated from nf_conntrack_icmp.h | |
75 | + * | |
76 | + * Derived from include/linux/netfiter_ipv4/ip_conntrack_icmp.h | |
77 | + */ | |
78 | + | |
79 | +#ifndef _NF_CONNTRACK_ICMPV6_H | |
80 | +#define _NF_CONNTRACK_ICMPV6_H | |
81 | +#include <asm/atomic.h> | |
82 | + | |
83 | +#ifndef ICMPV6_NI_QUERY | |
84 | +#define ICMPV6_NI_QUERY 139 | |
85 | +#endif | |
86 | +#ifndef ICMPV6_NI_REPLY | |
87 | +#define ICMPV6_NI_REPLY 140 | |
88 | +#endif | |
89 | + | |
90 | +struct nf_ct_icmpv6 | |
91 | +{ | |
92 | + /* Optimization: when number in == number out, forget immediately. */ | |
93 | + atomic_t count; | |
94 | +}; | |
95 | + | |
96 | +#endif /* _NF_CONNTRACK_ICMPV6_H */ | |
ae95cca4 PS |
97 | diff -uNr include.orig/linux/netfilter/nf_conntrack_core.h include/linux/netfilter/nf_conntrack_core.h |
98 | --- include.orig/linux/netfilter/nf_conntrack_core.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
99 | +++ include/linux/netfilter/nf_conntrack_core.h 2005-08-02 20:02:17.687250736 +0200 |
100 | @@ -0,0 +1,72 @@ | |
014436e1 PS |
101 | +/* |
102 | + * This header is used to share core functionality between the | |
103 | + * standalone connection tracking module, and the compatibility layer's use | |
104 | + * of connection tracking. | |
105 | + * | |
106 | + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> | |
107 | + * - generalize L3 protocol dependent part. | |
108 | + * | |
109 | + * Derived from include/linux/netfiter_ipv4/ip_conntrack_core.h | |
110 | + */ | |
111 | + | |
112 | +#ifndef _NF_CONNTRACK_CORE_H | |
113 | +#define _NF_CONNTRACK_CORE_H | |
114 | + | |
115 | +#include <linux/netfilter.h> | |
c558041a | 116 | +#include <linux/netfilter_ipv4/lockhelp.h> |
014436e1 PS |
117 | + |
118 | +/* This header is used to share core functionality between the | |
119 | + standalone connection tracking module, and the compatibility layer's use | |
120 | + of connection tracking. */ | |
121 | +extern unsigned int nf_conntrack_in(int pf, | |
122 | + unsigned int hooknum, | |
123 | + struct sk_buff **pskb); | |
124 | + | |
125 | +extern int nf_conntrack_init(void); | |
126 | +extern void nf_conntrack_cleanup(void); | |
127 | + | |
128 | +struct nf_conntrack_l3proto; | |
129 | +extern struct nf_conntrack_l3proto *nf_ct_find_l3proto(u_int16_t pf); | |
130 | +/* Like above, but you already have conntrack read lock. */ | |
131 | +extern struct nf_conntrack_l3proto *__nf_ct_find_l3proto(u_int16_t l3proto); | |
132 | + | |
133 | +struct nf_conntrack_protocol; | |
134 | + | |
135 | +extern int | |
136 | +nf_ct_get_tuple(const struct sk_buff *skb, | |
137 | + unsigned int nhoff, | |
138 | + unsigned int dataoff, | |
139 | + u_int16_t l3num, | |
140 | + u_int8_t protonum, | |
141 | + struct nf_conntrack_tuple *tuple, | |
142 | + const struct nf_conntrack_l3proto *l3proto, | |
143 | + const struct nf_conntrack_protocol *protocol); | |
144 | + | |
145 | +extern int | |
146 | +nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, | |
147 | + const struct nf_conntrack_tuple *orig, | |
148 | + const struct nf_conntrack_l3proto *l3proto, | |
149 | + const struct nf_conntrack_protocol *protocol); | |
150 | + | |
151 | +/* Find a connection corresponding to a tuple. */ | |
152 | +extern struct nf_conntrack_tuple_hash * | |
153 | +nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple, | |
154 | + const struct nf_conn *ignored_conntrack); | |
155 | + | |
156 | +extern int __nf_conntrack_confirm(struct sk_buff **pskb); | |
157 | + | |
158 | +/* Confirm a connection: returns NF_DROP if packet must be dropped. */ | |
159 | +static inline int nf_conntrack_confirm(struct sk_buff **pskb) | |
160 | +{ | |
161 | + if ((*pskb)->nfct | |
162 | + && !is_confirmed((struct nf_conn *)(*pskb)->nfct)) | |
163 | + return __nf_conntrack_confirm(pskb); | |
164 | + return NF_ACCEPT; | |
165 | +} | |
166 | + | |
167 | +extern void __nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb); | |
168 | + | |
169 | +extern struct list_head *nf_conntrack_hash; | |
170 | +extern struct list_head nf_conntrack_expect_list; | |
171 | +DECLARE_RWLOCK_EXTERN(nf_conntrack_lock); | |
172 | +#endif /* _NF_CONNTRACK_CORE_H */ | |
ae95cca4 PS |
173 | diff -uNr include.orig/linux/netfilter/nf_conntrack_ftp.h include/linux/netfilter/nf_conntrack_ftp.h |
174 | --- include.orig/linux/netfilter/nf_conntrack_ftp.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
175 | +++ include/linux/netfilter/nf_conntrack_ftp.h 2005-08-02 20:02:17.700248760 +0200 |
176 | @@ -0,0 +1,59 @@ | |
014436e1 PS |
177 | +/* |
178 | + * nf_conntrack_ftp.h | |
179 | + * | |
180 | + * Definitions and Declarations for FTP tracking. | |
181 | + * | |
182 | + * Derived from include/linux/netfiter_ipv4/ip_conntrack_ftp.h | |
183 | + * | |
184 | + * 16 Dec 2003: Yasuyuki Kozakai @ USAGI <yasuyuki.kozakai@toshiba.co.jp> | |
185 | + * - IPv6 support. | |
186 | + */ | |
187 | + | |
188 | +#ifndef _NF_CONNTRACK_FTP_H | |
189 | +#define _NF_CONNTRACK_FTP_H | |
190 | +/* FTP tracking. */ | |
191 | + | |
c558041a PS |
192 | +#ifdef __KERNEL__ |
193 | + | |
194 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
195 | + | |
196 | +/* Protects ftp part of conntracks */ | |
197 | +DECLARE_LOCK_EXTERN(ip_ftp_lock); | |
198 | + | |
199 | +#define FTP_PORT 21 | |
200 | + | |
201 | +#endif /* __KERNEL__ */ | |
202 | + | |
014436e1 PS |
203 | +enum nf_ct_ftp_type |
204 | +{ | |
205 | + /* PORT command from client */ | |
206 | + NF_CT_FTP_PORT, | |
207 | + /* PASV response from server */ | |
208 | + NF_CT_FTP_PASV, | |
209 | + /* EPRT command from client */ | |
210 | + NF_CT_FTP_EPRT, | |
211 | + /* EPSV response from server */ | |
212 | + NF_CT_FTP_EPSV, | |
213 | +}; | |
214 | + | |
215 | +#define NUM_SEQ_TO_REMEMBER 2 | |
216 | +/* This structure exists only once per master */ | |
217 | +struct nf_ct_ftp_master { | |
218 | + /* Valid seq positions for cmd matching after newline */ | |
219 | + u_int32_t seq_aft_nl[NF_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; | |
220 | + /* 0 means seq_match_aft_nl not set */ | |
221 | + int seq_aft_nl_num[NF_CT_DIR_MAX]; | |
222 | +}; | |
223 | + | |
224 | +struct nf_conntrack_expect; | |
225 | + | |
226 | +/* For NAT to hook in when we find a packet which describes what other | |
227 | + * connection we should expect. */ | |
228 | +extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb, | |
229 | + enum nf_conntrack_info ctinfo, | |
230 | + enum nf_ct_ftp_type type, | |
231 | + unsigned int matchoff, | |
232 | + unsigned int matchlen, | |
233 | + struct nf_conntrack_expect *exp, | |
234 | + u32 *seq); | |
235 | +#endif /* _NF_CONNTRACK_FTP_H */ | |
ae95cca4 PS |
236 | diff -uNr include.orig/linux/netfilter/nf_conntrack.h include/linux/netfilter/nf_conntrack.h |
237 | --- include.orig/linux/netfilter/nf_conntrack.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
238 | +++ include/linux/netfilter/nf_conntrack.h 2005-08-02 20:02:17.708247544 +0200 |
239 | @@ -0,0 +1,302 @@ | |
014436e1 PS |
240 | +/* |
241 | + * Connection state tracking for netfilter. This is separated from, | |
242 | + * but required by, the (future) NAT layer; it can also be used by an iptables | |
243 | + * extension. | |
244 | + * | |
245 | + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> | |
246 | + * - generalize L3 protocol dependent part. | |
247 | + * | |
248 | + * Derived from include/linux/netfiter_ipv4/ip_conntrack.h | |
249 | + */ | |
250 | + | |
251 | +#ifndef _NF_CONNTRACK_H | |
252 | +#define _NF_CONNTRACK_H | |
253 | + | |
254 | +enum nf_conntrack_info | |
255 | +{ | |
256 | + /* Part of an established connection (either direction). */ | |
257 | + NF_CT_ESTABLISHED, | |
258 | + | |
259 | + /* Like NEW, but related to an existing connection, or ICMP error | |
260 | + (in either direction). */ | |
261 | + NF_CT_RELATED, | |
262 | + | |
263 | + /* Started a new connection to track (only | |
264 | + NF_CT_DIR_ORIGINAL); may be a retransmission. */ | |
265 | + NF_CT_NEW, | |
266 | + | |
267 | + /* >= this indicates reply direction */ | |
268 | + NF_CT_IS_REPLY, | |
269 | + | |
270 | + /* Number of distinct NF_CT types (no NEW in reply dirn). */ | |
271 | + NF_CT_NUMBER = NF_CT_IS_REPLY * 2 - 1 | |
272 | +}; | |
273 | + | |
274 | +/* Bitset representing status of connection. */ | |
275 | +enum nf_conntrack_status { | |
276 | + /* It's an expected connection: bit 0 set. This bit never changed */ | |
277 | + NF_S_EXPECTED_BIT = 0, | |
278 | + NF_S_EXPECTED = (1 << NF_S_EXPECTED_BIT), | |
279 | + | |
280 | + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ | |
281 | + NF_S_SEEN_REPLY_BIT = 1, | |
282 | + NF_S_SEEN_REPLY = (1 << NF_S_SEEN_REPLY_BIT), | |
283 | + | |
284 | + /* Conntrack should never be early-expired. */ | |
285 | + NF_S_ASSURED_BIT = 2, | |
286 | + NF_S_ASSURED = (1 << NF_S_ASSURED_BIT), | |
287 | + | |
288 | + /* Connection is confirmed: originating packet has left box */ | |
289 | + NF_S_CONFIRMED_BIT = 3, | |
290 | + NF_S_CONFIRMED = (1 << NF_S_CONFIRMED_BIT), | |
291 | +}; | |
292 | + | |
c558041a PS |
293 | +#ifdef __KERNEL__ |
294 | +#include <linux/config.h> | |
295 | +#include <linux/netfilter/nf_conntrack_tuple.h> | |
296 | +#include <linux/bitops.h> | |
297 | +#include <linux/compiler.h> | |
298 | +#include <asm/atomic.h> | |
299 | + | |
300 | +#include <linux/netfilter/nf_conntrack_tcp.h> | |
301 | +#include <linux/netfilter/ipv4/nf_conntrack_icmp.h> | |
302 | +#include <linux/netfilter/ipv6/nf_conntrack_icmpv6.h> | |
303 | +#include <linux/netfilter/nf_conntrack_sctp.h> | |
304 | + | |
305 | +/* per conntrack: protocol private data */ | |
306 | +union nf_conntrack_proto { | |
307 | + /* insert conntrack proto private data here */ | |
308 | + struct nf_ct_sctp sctp; | |
309 | + struct nf_ct_tcp tcp; | |
310 | + struct nf_ct_icmp icmp; | |
311 | + struct nf_ct_icmpv6 icmpv6; | |
312 | +}; | |
313 | + | |
314 | +union nf_conntrack_expect_proto { | |
315 | + /* insert expect proto private data here */ | |
316 | +}; | |
317 | + | |
318 | +/* Add protocol helper include file here */ | |
319 | +#include <linux/netfilter/nf_conntrack_ftp.h> | |
320 | + | |
321 | +/* per conntrack: application helper private data */ | |
322 | +union nf_conntrack_help { | |
323 | + /* insert conntrack helper private data (master) here */ | |
324 | + struct nf_ct_ftp_master ct_ftp_info; | |
325 | +}; | |
326 | + | |
327 | +#include <linux/types.h> | |
328 | +#include <linux/skbuff.h> | |
329 | + | |
330 | +#ifdef CONFIG_NETFILTER_DEBUG | |
331 | +#define NF_CT_ASSERT(x) \ | |
332 | +do { \ | |
333 | + if (!(x)) \ | |
334 | + /* Wooah! I'm tripping my conntrack in a frenzy of \ | |
335 | + netplay... */ \ | |
336 | + printk("NF_CT_ASSERT: %s:%i(%s)\n", \ | |
337 | + __FILE__, __LINE__, __FUNCTION__); \ | |
338 | +} while(0) | |
339 | +#else | |
340 | +#define NF_CT_ASSERT(x) | |
341 | +#endif | |
342 | + | |
343 | +struct nf_conntrack_counter | |
344 | +{ | |
345 | + u_int64_t packets; | |
346 | + u_int64_t bytes; | |
347 | +}; | |
348 | + | |
349 | +struct nf_conntrack_helper; | |
350 | + | |
351 | +#include <linux/netfilter/ipv4/nf_conntrack_ipv4.h> | |
352 | +struct nf_conn | |
353 | +{ | |
354 | + /* Usage count in here is 1 for hash table/destruct timer, 1 per skb, | |
355 | + plus 1 for any connection(s) we are `master' for */ | |
356 | + struct nf_conntrack ct_general; | |
357 | + | |
358 | + /* XXX should I move this to the tail ? - Y.K */ | |
359 | + /* These are my tuples; original and reply */ | |
360 | + struct nf_conntrack_tuple_hash tuplehash[NF_CT_DIR_MAX]; | |
361 | + | |
362 | + /* Have we seen traffic both ways yet? (bitset) */ | |
363 | + unsigned long status; | |
364 | + | |
365 | + /* Timer function; drops refcnt when it goes off. */ | |
366 | + struct timer_list timeout; | |
367 | + | |
368 | +#ifdef CONFIG_NF_CT_ACCT | |
369 | + /* Accounting Information (same cache line as other written members) */ | |
370 | + struct nf_conntrack_counter counters[NF_CT_DIR_MAX]; | |
371 | +#endif | |
372 | + /* If we were expected by an expectation, this will be it */ | |
373 | + struct nf_conn *master; | |
374 | + | |
375 | + /* Current number of expected connections */ | |
376 | + unsigned int expecting; | |
377 | + | |
378 | + /* Helper. if any */ | |
379 | + struct nf_conntrack_helper *helper; | |
380 | + | |
381 | + /* features - nat, helper, ... used by allocating system */ | |
382 | + u_int32_t features; | |
383 | + | |
384 | + /* Storage reserved for other modules: */ | |
385 | + | |
386 | + union nf_conntrack_proto proto; | |
387 | + | |
388 | +#if defined(CONFIG_NF_CONNTRACK_MARK) | |
389 | + unsigned long mark; | |
390 | +#endif | |
391 | + | |
392 | + /* These members are dynamically allocated. */ | |
393 | + | |
394 | + union nf_conntrack_help *help; | |
395 | + | |
396 | + /* Layer 3 dependent members. (ex: NAT) */ | |
397 | + union { | |
398 | + struct nf_conntrack_ipv4 *ipv4; | |
399 | + } l3proto; | |
400 | + void *data[0]; | |
401 | +}; | |
402 | + | |
403 | +struct nf_conntrack_expect | |
404 | +{ | |
405 | + /* Internal linked list (global expectation list) */ | |
406 | + struct list_head list; | |
407 | + | |
408 | + /* We expect this tuple, with the following mask */ | |
409 | + struct nf_conntrack_tuple tuple, mask; | |
410 | + | |
411 | + /* Function to call after setup and insertion */ | |
412 | + void (*expectfn)(struct nf_conn *new, | |
413 | + struct nf_conntrack_expect *this); | |
414 | + | |
415 | + /* The conntrack of the master connection */ | |
416 | + struct nf_conn *master; | |
417 | + | |
418 | + /* Timer function; deletes the expectation. */ | |
419 | + struct timer_list timeout; | |
420 | + | |
421 | +#ifdef CONFIG_NF_NAT_NEEDED | |
422 | + /* This is the original per-proto part, used to map the | |
423 | + * expected connection the way the recipient expects. */ | |
424 | + union nf_conntrack_manip_proto saved_proto; | |
425 | + /* Direction relative to the master connection. */ | |
426 | + enum nf_conntrack_dir dir; | |
427 | +#endif | |
428 | +}; | |
429 | + | |
430 | +static inline struct nf_conn * | |
431 | +tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash) | |
432 | +{ | |
433 | + return container_of(hash, struct nf_conn, | |
434 | + tuplehash[hash->tuple.dst.dir]); | |
435 | +} | |
436 | + | |
437 | +/* get master conntrack via master expectation */ | |
438 | +#define master_ct(conntr) (conntr->master) | |
439 | + | |
440 | +/* Alter reply tuple (maybe alter helper). */ | |
441 | +extern void | |
442 | +nf_conntrack_alter_reply(struct nf_conn *conntrack, | |
443 | + const struct nf_conntrack_tuple *newreply); | |
444 | + | |
445 | +/* Is this tuple taken? (ignoring any belonging to the given | |
446 | + conntrack). */ | |
447 | +extern int | |
448 | +nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, | |
449 | + const struct nf_conn *ignored_conntrack); | |
450 | + | |
451 | +/* Return conntrack_info and tuple hash for given skb. */ | |
452 | +static inline struct nf_conn * | |
453 | +nf_ct_get(struct sk_buff *skb, enum nf_conntrack_info *ctinfo) | |
454 | +{ | |
455 | + *ctinfo = skb->nfctinfo; | |
456 | + return (struct nf_conn *)skb->nfct; | |
457 | +} | |
458 | + | |
459 | +/* decrement reference count on a conntrack */ | |
460 | +extern void nf_ct_put(struct nf_conn *ct); | |
461 | + | |
462 | +/* call to create an explicit dependency on nf_conntrack. */ | |
463 | +extern void need_nf_conntrack(void); | |
464 | + | |
465 | +extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, | |
466 | + const struct nf_conntrack_tuple *orig); | |
467 | + | |
468 | +/* Refresh conntrack for this many jiffies */ | |
469 | +extern void nf_ct_refresh_acct(struct nf_conn *ct, | |
470 | + enum nf_conntrack_info ctinfo, | |
471 | + const struct sk_buff *skb, | |
472 | + unsigned long extra_jiffies); | |
473 | + | |
474 | +/* These are for NAT. Icky. */ | |
475 | +/* Call me when a conntrack is destroyed. */ | |
476 | +extern void (*nf_conntrack_destroyed)(struct nf_conn *conntrack); | |
477 | + | |
478 | +/* Fake conntrack entry for untracked connections */ | |
479 | +extern struct nf_conn nf_conntrack_untracked; | |
480 | + | |
481 | +extern int nf_ct_no_defrag; | |
482 | + | |
483 | +/* Iterate over all conntracks: if iter returns true, it's deleted. */ | |
484 | +extern void | |
485 | +nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data); | |
486 | + | |
487 | +/* It's confirmed if it is, or has been in the hash table. */ | |
488 | +static inline int is_confirmed(struct nf_conn *ct) | |
489 | +{ | |
490 | + return test_bit(NF_S_CONFIRMED_BIT, &ct->status); | |
491 | +} | |
492 | + | |
493 | +extern unsigned int nf_conntrack_htable_size; | |
494 | + | |
495 | +struct nf_conntrack_stat | |
496 | +{ | |
497 | + unsigned int searched; | |
498 | + unsigned int found; | |
499 | + unsigned int new; | |
500 | + unsigned int invalid; | |
501 | + unsigned int ignore; | |
502 | + unsigned int delete; | |
503 | + unsigned int delete_list; | |
504 | + unsigned int insert; | |
505 | + unsigned int insert_failed; | |
506 | + unsigned int drop; | |
507 | + unsigned int early_drop; | |
508 | + unsigned int error; | |
509 | + unsigned int expect_new; | |
510 | + unsigned int expect_create; | |
511 | + unsigned int expect_delete; | |
512 | +}; | |
513 | + | |
514 | +#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++) | |
515 | + | |
516 | +/* eg. PROVIDES_CONNTRACK(ftp); */ | |
517 | +#define PROVIDES_CONNTRACK(name) \ | |
518 | + int needs_nf_conntrack_##name; \ | |
519 | + EXPORT_SYMBOL(needs_nf_conntrack_##name) | |
520 | + | |
521 | +/*. eg. NEEDS_CONNTRACK(ftp); */ | |
522 | +#define NEEDS_CONNTRACK(name) \ | |
523 | + extern int needs_nf_conntrack_##name; \ | |
524 | + static int *need_nf_conntrack_##name __attribute_used__ = &needs_nf_conntrack_##name | |
525 | + | |
526 | +/* no helper, no nat */ | |
527 | +#define NF_CT_F_BASIC 0 | |
528 | +/* for helper */ | |
529 | +#define NF_CT_F_HELP 1 | |
530 | +/* for nat. */ | |
531 | +#define NF_CT_F_NAT 2 | |
532 | +#define NF_CT_F_NUM 4 | |
533 | + | |
534 | +extern int | |
535 | +nf_conntrack_register_cache(u_int32_t features, const char *name, size_t size, | |
536 | + int (*init_conntrack)(struct nf_conn *, u_int32_t)); | |
537 | +extern void | |
538 | +nf_conntrack_unregister_cache(u_int32_t features); | |
539 | + | |
540 | +#endif /* __KERNEL__ */ | |
014436e1 | 541 | +#endif /* _NF_CONNTRACK_H */ |
ae95cca4 PS |
542 | diff -uNr include.orig/linux/netfilter/nf_conntrack_helper.h include/linux/netfilter/nf_conntrack_helper.h |
543 | --- include.orig/linux/netfilter/nf_conntrack_helper.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 544 | +++ include/linux/netfilter/nf_conntrack_helper.h 2005-08-02 20:02:17.706247848 +0200 |
014436e1 PS |
545 | @@ -0,0 +1,50 @@ |
546 | +/* | |
547 | + * connection tracking helpers. | |
548 | + * | |
549 | + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> | |
550 | + * - generalize L3 protocol dependent part. | |
551 | + * | |
552 | + * Derived from include/linux/netfiter_ipv4/ip_conntrack_helper.h | |
553 | + */ | |
554 | + | |
555 | +#ifndef _NF_CONNTRACK_HELPER_H | |
556 | +#define _NF_CONNTRACK_HELPER_H | |
557 | +#include <linux/netfilter/nf_conntrack.h> | |
558 | + | |
559 | +struct module; | |
560 | + | |
561 | +struct nf_conntrack_helper | |
562 | +{ | |
563 | + struct list_head list; /* Internal use. */ | |
564 | + | |
565 | + const char *name; /* name of the module */ | |
566 | + struct module *me; /* pointer to self */ | |
567 | + unsigned int max_expected; /* Maximum number of concurrent | |
568 | + * expected connections */ | |
569 | + unsigned int timeout; /* timeout for expecteds */ | |
570 | + | |
571 | + /* Mask of things we will help (compared against server response) */ | |
572 | + struct nf_conntrack_tuple tuple; | |
573 | + struct nf_conntrack_tuple mask; | |
574 | + | |
575 | + /* Function to call when data passes; return verdict, or -1 to | |
576 | + invalidate. */ | |
577 | + int (*help)(struct sk_buff **pskb, | |
578 | + unsigned int protoff, | |
579 | + struct nf_conn *ct, | |
580 | + enum nf_conntrack_info conntrackinfo); | |
581 | +}; | |
582 | + | |
583 | +extern int nf_conntrack_helper_register(struct nf_conntrack_helper *); | |
584 | +extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *); | |
585 | + | |
586 | +/* Allocate space for an expectation: this is mandatory before calling | |
587 | + nf_conntrack_expect_related. */ | |
588 | +extern struct nf_conntrack_expect *nf_conntrack_expect_alloc(void); | |
589 | +extern void nf_conntrack_expect_free(struct nf_conntrack_expect *exp); | |
590 | + | |
591 | +/* Add an expected connection: can have more than one per connection */ | |
592 | +extern int nf_conntrack_expect_related(struct nf_conntrack_expect *exp); | |
593 | +extern void nf_conntrack_unexpect_related(struct nf_conntrack_expect *exp); | |
594 | + | |
595 | +#endif /*_NF_CONNTRACK_HELPER_H*/ | |
ae95cca4 PS |
596 | diff -uNr include.orig/linux/netfilter/nf_conntrack_l3proto.h include/linux/netfilter/nf_conntrack_l3proto.h |
597 | --- include.orig/linux/netfilter/nf_conntrack_l3proto.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
598 | +++ include/linux/netfilter/nf_conntrack_l3proto.h 2005-08-02 20:02:17.713246784 +0200 |
599 | @@ -0,0 +1,93 @@ | |
014436e1 PS |
600 | +/* |
601 | + * Copyright (C)2003,2004 USAGI/WIDE Project | |
602 | + * | |
603 | + * Header for use in defining a given L3 protocol for connection tracking. | |
604 | + * | |
605 | + * Author: | |
606 | + * Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> | |
607 | + * | |
608 | + * Derived from include/netfilter_ipv4/ip_conntrack_protocol.h | |
609 | + */ | |
610 | + | |
611 | +#ifndef _NF_CONNTRACK_L3PROTO_H | |
612 | +#define _NF_CONNTRACK_L3PROTO_H | |
c558041a | 613 | +#include <linux/seq_file.h> |
014436e1 PS |
614 | +#include <linux/netfilter/nf_conntrack.h> |
615 | + | |
616 | +struct nf_conntrack_l3proto | |
617 | +{ | |
618 | + /* Next pointer. */ | |
619 | + struct list_head list; | |
620 | + | |
621 | + /* L3 Protocol Family number. ex) PF_INET */ | |
622 | + u_int16_t l3proto; | |
623 | + | |
624 | + /* Protocol name */ | |
625 | + const char *name; | |
626 | + | |
627 | + /* | |
628 | + * Try to fill in the third arg: nhoff is offset of l3 proto | |
629 | + * hdr. Return true if possible. | |
630 | + */ | |
631 | + int (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int nhoff, | |
632 | + struct nf_conntrack_tuple *tuple); | |
633 | + | |
634 | + /* | |
635 | + * Invert the per-proto part of the tuple: ie. turn xmit into reply. | |
636 | + * Some packets can't be inverted: return 0 in that case. | |
637 | + */ | |
638 | + int (*invert_tuple)(struct nf_conntrack_tuple *inverse, | |
639 | + const struct nf_conntrack_tuple *orig); | |
640 | + | |
641 | + /* Print out the per-protocol part of the tuple. */ | |
642 | + int (*print_tuple)(struct seq_file *s, | |
643 | + const struct nf_conntrack_tuple *); | |
644 | + | |
645 | + /* Print out the private part of the conntrack. */ | |
646 | + int (*print_conntrack)(struct seq_file *s, const struct nf_conn *); | |
647 | + | |
648 | + /* Returns verdict for packet, or -1 for invalid. */ | |
649 | + int (*packet)(struct nf_conn *conntrack, | |
650 | + const struct sk_buff *skb, | |
651 | + enum nf_conntrack_info ctinfo); | |
652 | + | |
653 | + /* | |
654 | + * Called when a new connection for this protocol found; | |
655 | + * returns TRUE if it's OK. If so, packet() called next. | |
656 | + */ | |
657 | + int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb); | |
658 | + | |
659 | + /* Called when a conntrack entry is destroyed */ | |
660 | + void (*destroy)(struct nf_conn *conntrack); | |
661 | + | |
662 | + /* | |
663 | + * Called before tracking. | |
664 | + * *dataoff: offset of protocol header (TCP, UDP,...) in *pskb | |
665 | + * *protonum: protocol number | |
666 | + */ | |
667 | + int (*prepare)(struct sk_buff **pskb, unsigned int hooknum, | |
668 | + unsigned int *dataoff, u_int8_t *protonum, int *ret); | |
669 | + | |
670 | + u_int32_t (*get_features)(const struct nf_conntrack_tuple *tuple); | |
671 | + | |
672 | + /* Module (if any) which this is connected to. */ | |
673 | + struct module *me; | |
674 | +}; | |
675 | + | |
676 | +extern struct nf_conntrack_l3proto *nf_ct_l3protos[AF_MAX]; | |
677 | + | |
678 | +/* Protocol registration. */ | |
679 | +extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto); | |
680 | +extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto); | |
681 | + | |
682 | +static inline struct nf_conntrack_l3proto * | |
683 | +nf_ct_find_l3proto(u_int16_t l3proto) | |
684 | +{ | |
685 | + return nf_ct_l3protos[l3proto]; | |
686 | +} | |
687 | + | |
688 | +/* Existing built-in protocols */ | |
689 | +extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4; | |
690 | +extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6; | |
691 | +extern struct nf_conntrack_l3proto nf_conntrack_generic_l3proto; | |
692 | +#endif /*_NF_CONNTRACK_L3PROTO_H*/ | |
ae95cca4 PS |
693 | diff -uNr include.orig/linux/netfilter/nf_conntrack_protocol.h include/linux/netfilter/nf_conntrack_protocol.h |
694 | --- include.orig/linux/netfilter/nf_conntrack_protocol.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 695 | +++ include/linux/netfilter/nf_conntrack_protocol.h 2005-08-02 20:02:17.710247240 +0200 |
014436e1 PS |
696 | @@ -0,0 +1,105 @@ |
697 | +/* | |
698 | + * Header for use in defining a given protocol for connection tracking. | |
699 | + * | |
700 | + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> | |
701 | + * - generalized L3 protocol dependent part. | |
702 | + * | |
703 | + * Derived from include/linux/netfiter_ipv4/ip_conntrack_protcol.h | |
704 | + */ | |
705 | + | |
706 | +#ifndef _NF_CONNTRACK_PROTOCOL_H | |
707 | +#define _NF_CONNTRACK_PROTOCOL_H | |
708 | +#include <linux/netfilter/nf_conntrack.h> | |
709 | + | |
710 | +struct seq_file; | |
711 | + | |
712 | +struct nf_conntrack_protocol | |
713 | +{ | |
714 | + /* Next pointer. */ | |
715 | + struct list_head list; | |
716 | + | |
717 | + /* L3 Protocol number. */ | |
718 | + u_int16_t l3proto; | |
719 | + | |
720 | + /* Protocol number. */ | |
721 | + u_int8_t proto; | |
722 | + | |
723 | + /* Protocol name */ | |
724 | + const char *name; | |
725 | + | |
726 | + /* Try to fill in the third arg: dataoff is offset past network protocol | |
727 | + hdr. Return true if possible. */ | |
728 | + int (*pkt_to_tuple)(const struct sk_buff *skb, | |
729 | + unsigned int dataoff, | |
730 | + struct nf_conntrack_tuple *tuple); | |
731 | + | |
732 | + /* Invert the per-proto part of the tuple: ie. turn xmit into reply. | |
733 | + * Some packets can't be inverted: return 0 in that case. | |
734 | + */ | |
735 | + int (*invert_tuple)(struct nf_conntrack_tuple *inverse, | |
736 | + const struct nf_conntrack_tuple *orig); | |
737 | + | |
738 | + /* Print out the per-protocol part of the tuple. Return like seq_* */ | |
739 | + int (*print_tuple)(struct seq_file *s, | |
740 | + const struct nf_conntrack_tuple *); | |
741 | + | |
742 | + /* Print out the private part of the conntrack. */ | |
743 | + int (*print_conntrack)(struct seq_file *s, const struct nf_conn *); | |
744 | + | |
745 | + /* Returns verdict for packet, or -1 for invalid. */ | |
746 | + int (*packet)(struct nf_conn *conntrack, | |
747 | + const struct sk_buff *skb, | |
748 | + unsigned int dataoff, | |
749 | + enum nf_conntrack_info ctinfo, | |
750 | + int pf, | |
751 | + unsigned int hooknum); | |
752 | + | |
753 | + /* Called when a new connection for this protocol found; | |
754 | + * returns TRUE if it's OK. If so, packet() called next. */ | |
755 | + int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb, | |
756 | + unsigned int dataoff); | |
757 | + | |
758 | + /* Called when a conntrack entry is destroyed */ | |
759 | + void (*destroy)(struct nf_conn *conntrack); | |
760 | + | |
761 | + int (*error)(struct sk_buff *skb, unsigned int dataoff, | |
762 | + enum nf_conntrack_info *ctinfo, | |
763 | + int pf, unsigned int hooknum); | |
764 | + | |
765 | + /* Module (if any) which this is connected to. */ | |
766 | + struct module *me; | |
767 | +}; | |
768 | + | |
769 | +/* Existing built-in protocols */ | |
770 | +extern struct nf_conntrack_protocol nf_conntrack_protocol_tcp6; | |
771 | +extern struct nf_conntrack_protocol nf_conntrack_protocol_udp4; | |
772 | +extern struct nf_conntrack_protocol nf_conntrack_protocol_udp6; | |
773 | +extern struct nf_conntrack_protocol nf_conntrack_generic_protocol; | |
774 | + | |
775 | +#define MAX_NF_CT_PROTO 256 | |
776 | +extern struct nf_conntrack_protocol **nf_ct_protos[PF_MAX]; | |
777 | + | |
778 | +extern struct nf_conntrack_protocol * | |
779 | +nf_ct_find_proto(u_int16_t l3proto, u_int8_t protocol); | |
780 | + | |
781 | +/* Protocol registration. */ | |
782 | +extern int nf_conntrack_protocol_register(struct nf_conntrack_protocol *proto); | |
783 | +extern void nf_conntrack_protocol_unregister(struct nf_conntrack_protocol *proto); | |
784 | + | |
785 | +/* Log invalid packets */ | |
786 | +extern unsigned int nf_ct_log_invalid; | |
787 | + | |
788 | +#ifdef CONFIG_SYSCTL | |
789 | +#ifdef DEBUG_INVALID_PACKETS | |
790 | +#define LOG_INVALID(proto) \ | |
791 | + (nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW) | |
0fc89030 | 792 | +#else |
014436e1 PS |
793 | +#define LOG_INVALID(proto) \ |
794 | + ((nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW) \ | |
795 | + && net_ratelimit()) | |
0fc89030 | 796 | +#endif |
014436e1 PS |
797 | +#else |
798 | +#define LOG_INVALID(proto) 0 | |
799 | +#endif /* CONFIG_SYSCTL */ | |
800 | + | |
801 | +#endif /*_NF_CONNTRACK_PROTOCOL_H*/ | |
ae95cca4 PS |
802 | diff -uNr include.orig/linux/netfilter/nf_conntrack_sctp.h include/linux/netfilter/nf_conntrack_sctp.h |
803 | --- include.orig/linux/netfilter/nf_conntrack_sctp.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 804 | +++ include/linux/netfilter/nf_conntrack_sctp.h 2005-08-02 20:02:17.701248608 +0200 |
014436e1 PS |
805 | @@ -0,0 +1,30 @@ |
806 | +/* | |
807 | + * SCTP tracking. | |
808 | + * | |
809 | + * Derived from include/linux/netfiter_ipv4/ip_conntrack_tcp.h | |
810 | + */ | |
811 | + | |
812 | +#ifndef _NF_CONNTRACK_SCTP_H | |
813 | +#define _NF_CONNTRACK_SCTP_H | |
814 | + | |
815 | +enum sctp_conntrack { | |
816 | + SCTP_CONNTRACK_NONE, | |
817 | + SCTP_CONNTRACK_CLOSED, | |
818 | + SCTP_CONNTRACK_COOKIE_WAIT, | |
819 | + SCTP_CONNTRACK_COOKIE_ECHOED, | |
820 | + SCTP_CONNTRACK_ESTABLISHED, | |
821 | + SCTP_CONNTRACK_SHUTDOWN_SENT, | |
822 | + SCTP_CONNTRACK_SHUTDOWN_RECD, | |
823 | + SCTP_CONNTRACK_SHUTDOWN_ACK_SENT, | |
824 | + SCTP_CONNTRACK_MAX | |
0fc89030 PS |
825 | +}; |
826 | + | |
014436e1 PS |
827 | +struct nf_ct_sctp |
828 | +{ | |
829 | + enum sctp_conntrack state; | |
830 | + | |
831 | + u_int32_t vtag[NF_CT_DIR_MAX]; | |
832 | + u_int32_t ttag[NF_CT_DIR_MAX]; | |
0fc89030 PS |
833 | +}; |
834 | + | |
014436e1 | 835 | +#endif /* _NF_CONNTRACK_SCTP_H */ |
ae95cca4 PS |
836 | diff -uNr include.orig/linux/netfilter/nf_conntrack_tcp.h include/linux/netfilter/nf_conntrack_tcp.h |
837 | --- include.orig/linux/netfilter/nf_conntrack_tcp.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 838 | +++ include/linux/netfilter/nf_conntrack_tcp.h 2005-08-02 20:02:17.681251648 +0200 |
014436e1 PS |
839 | @@ -0,0 +1,63 @@ |
840 | +/* | |
841 | + * TCP tracking. | |
842 | + * | |
843 | + * Derived from include/linux/netfiter_ipv4/ip_conntrack_tcp.h | |
844 | + */ | |
845 | + | |
846 | +#ifndef _NF_CONNTRACK_TCP_H | |
847 | +#define _NF_CONNTRACK_TCP_H | |
0fc89030 | 848 | + |
014436e1 PS |
849 | +enum tcp_conntrack { |
850 | + TCP_CONNTRACK_NONE, | |
851 | + TCP_CONNTRACK_SYN_SENT, | |
852 | + TCP_CONNTRACK_SYN_RECV, | |
853 | + TCP_CONNTRACK_ESTABLISHED, | |
854 | + TCP_CONNTRACK_FIN_WAIT, | |
855 | + TCP_CONNTRACK_CLOSE_WAIT, | |
856 | + TCP_CONNTRACK_LAST_ACK, | |
857 | + TCP_CONNTRACK_TIME_WAIT, | |
858 | + TCP_CONNTRACK_CLOSE, | |
859 | + TCP_CONNTRACK_LISTEN, | |
860 | + TCP_CONNTRACK_MAX, | |
861 | + TCP_CONNTRACK_IGNORE | |
0fc89030 PS |
862 | +}; |
863 | + | |
014436e1 PS |
864 | +/* Window scaling is advertised by the sender */ |
865 | +#define NF_CT_TCP_FLAG_WINDOW_SCALE 0x01 | |
866 | + | |
867 | +/* SACK is permitted by the sender */ | |
868 | +#define NF_CT_TCP_FLAG_SACK_PERM 0x02 | |
869 | + | |
870 | +struct nf_ct_tcp_state { | |
871 | + u_int32_t td_end; /* max of seq + len */ | |
872 | + u_int32_t td_maxend; /* max of ack + max(win, 1) */ | |
873 | + u_int32_t td_maxwin; /* max(win) */ | |
874 | + u_int8_t td_scale; /* window scale factor */ | |
875 | + u_int8_t loose; /* used when connection picked up from the middle */ | |
876 | + u_int8_t flags; /* per direction state flags */ | |
0fc89030 PS |
877 | +}; |
878 | + | |
014436e1 PS |
879 | +struct nf_ct_tcp |
880 | +{ | |
881 | + struct nf_ct_tcp_state seen[2]; /* connection parameters per direction */ | |
882 | + u_int8_t state; /* state of the connection (enum tcp_conntrack) */ | |
883 | + /* For detecting stale connections */ | |
884 | + u_int8_t last_dir; /* Direction of the last packet (enum nf_conntrack_dir) */ | |
885 | + u_int8_t retrans; /* Number of retransmitted packets */ | |
886 | + u_int8_t last_index; /* Index of the last packet */ | |
887 | + u_int32_t last_seq; /* Last sequence number seen in dir */ | |
888 | + u_int32_t last_ack; /* Last sequence number seen in opposite dir */ | |
889 | + u_int32_t last_end; /* Last seq + len */ | |
890 | +}; | |
891 | + | |
892 | +/* Need this, since this file is included before the nf_conn definition | |
893 | + * in nf_conntrack.h */ | |
894 | +struct nf_conn; | |
895 | + | |
896 | +/* Update TCP window tracking data when NAT mangles the packet */ | |
897 | +extern void nf_conntrack_tcp_update(struct sk_buff *skb, | |
898 | + unsigned int dataoff, | |
899 | + struct nf_conn *conntrack, | |
900 | + int dir); | |
901 | + | |
902 | +#endif /* _NF_CONNTRACK_TCP_H */ | |
ae95cca4 PS |
903 | diff -uNr include.orig/linux/netfilter/nf_conntrack_tuple.h include/linux/netfilter/nf_conntrack_tuple.h |
904 | --- include.orig/linux/netfilter/nf_conntrack_tuple.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
905 | +++ include/linux/netfilter/nf_conntrack_tuple.h 2005-08-02 20:02:17.704248152 +0200 |
906 | @@ -0,0 +1,201 @@ | |
014436e1 PS |
907 | +/* |
908 | + * Definitions and Declarations for tuple. | |
909 | + * | |
910 | + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> | |
911 | + * - generalize L3 protocol dependent part. | |
912 | + * | |
913 | + * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h | |
914 | + */ | |
0fc89030 | 915 | + |
014436e1 PS |
916 | +#ifndef _NF_CONNTRACK_TUPLE_H |
917 | +#define _NF_CONNTRACK_TUPLE_H | |
0fc89030 | 918 | + |
014436e1 PS |
919 | +/* A `tuple' is a structure containing the information to uniquely |
920 | + identify a connection. ie. if two packets have the same tuple, they | |
921 | + are in the same connection; if not, they are not. | |
922 | + | |
923 | + We divide the structure along "manipulatable" and | |
924 | + "non-manipulatable" lines, for the benefit of the NAT code. | |
925 | +*/ | |
0fc89030 | 926 | + |
014436e1 PS |
927 | +#define NF_CT_TUPLE_L3SIZE 4 |
928 | + | |
929 | +/* The l3 protocol-specific manipulable parts of the tuple: always in | |
930 | + network order! */ | |
931 | +union nf_conntrack_man_l3proto { | |
932 | + u_int32_t all[NF_CT_TUPLE_L3SIZE]; | |
933 | + u_int32_t ip; | |
934 | + u_int32_t ip6[4]; | |
0fc89030 PS |
935 | +}; |
936 | + | |
014436e1 PS |
937 | +/* The protocol-specific manipulable parts of the tuple: always in |
938 | + network order! */ | |
939 | +union nf_conntrack_man_proto | |
940 | +{ | |
941 | + /* Add other protocols here. */ | |
942 | + u_int16_t all; | |
943 | + | |
0fc89030 | 944 | + struct { |
014436e1 PS |
945 | + u_int16_t port; |
946 | + } tcp; | |
947 | + struct { | |
948 | + u_int16_t port; | |
949 | + } udp; | |
950 | + struct { | |
951 | + u_int16_t id; | |
952 | + } icmp; | |
953 | + struct { | |
954 | + u_int16_t port; | |
955 | + } sctp; | |
956 | +}; | |
957 | + | |
958 | +/* The manipulable part of the tuple. */ | |
959 | +struct nf_conntrack_man | |
960 | +{ | |
961 | + union nf_conntrack_man_l3proto u3; | |
962 | + union nf_conntrack_man_proto u; | |
963 | + /* Layer 3 protocol */ | |
964 | + u_int16_t l3num; | |
965 | +}; | |
966 | + | |
967 | +/* This contains the information to distinguish a connection. */ | |
968 | +struct nf_conntrack_tuple | |
969 | +{ | |
970 | + struct nf_conntrack_man src; | |
971 | + | |
972 | + /* These are the parts of the tuple which are fixed. */ | |
973 | + struct { | |
974 | + union { | |
975 | + u_int32_t all[NF_CT_TUPLE_L3SIZE]; | |
976 | + u_int32_t ip; | |
977 | + u_int32_t ip6[4]; | |
978 | + } u3; | |
979 | + union { | |
980 | + /* Add other protocols here. */ | |
981 | + u_int16_t all; | |
982 | + | |
0fc89030 | 983 | + struct { |
014436e1 PS |
984 | + u_int16_t port; |
985 | + } tcp; | |
986 | + struct { | |
987 | + u_int16_t port; | |
988 | + } udp; | |
989 | + struct { | |
990 | + u_int8_t type, code; | |
991 | + } icmp; | |
992 | + struct { | |
993 | + u_int16_t port; | |
994 | + } sctp; | |
995 | + } u; | |
996 | + | |
997 | + /* The protocol. */ | |
998 | + u_int8_t protonum; | |
999 | + | |
1000 | + /* The direction (for tuplehash) */ | |
1001 | + u_int8_t dir; | |
1002 | + } dst; | |
1003 | +}; | |
1004 | + | |
1005 | +/* This is optimized opposed to a memset of the whole structure. Everything we | |
1006 | + * really care about is the source/destination unions */ | |
1007 | +#define NF_CT_TUPLE_U_BLANK(tuple) \ | |
1008 | + do { \ | |
1009 | + (tuple)->src.u.all = 0; \ | |
1010 | + (tuple)->dst.u.all = 0; \ | |
1011 | + memset((tuple)->src.u3.all, 0, \ | |
1012 | + sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \ | |
1013 | + memset((tuple)->dst.u3.all, 0, \ | |
1014 | + sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \ | |
1015 | + } while (0) | |
1016 | + | |
1017 | +enum nf_conntrack_dir | |
1018 | +{ | |
1019 | + NF_CT_DIR_ORIGINAL, | |
1020 | + NF_CT_DIR_REPLY, | |
1021 | + NF_CT_DIR_MAX | |
1022 | +}; | |
1023 | + | |
c558041a PS |
1024 | +#ifdef __KERNEL__ |
1025 | + | |
1026 | +#define NF_CT_DUMP_TUPLE(tp) \ | |
1027 | +DEBUGP("tuple %p: %u %u %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu -> %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu\n", \ | |
1028 | + (tp), (tp)->src.l3num, (tp)->dst.protonum, \ | |
1029 | + NIP6(*(struct in6_addr *)(tp)->src.u3.all), ntohs((tp)->src.u.all), \ | |
1030 | + NIP6(*(struct in6_addr *)(tp)->dst.u3.all), ntohs((tp)->dst.u.all)) | |
1031 | + | |
1032 | +#define NFCTINFO2DIR(ctinfo) ((ctinfo) >= NF_CT_IS_REPLY ? NF_CT_DIR_REPLY : NF_CT_DIR_ORIGINAL) | |
1033 | + | |
1034 | +/* If we're the first tuple, it's the original dir. */ | |
1035 | +#define NF_CT_DIRECTION(h) \ | |
1036 | + ((enum nf_conntrack_dir)(h)->tuple.dst.dir) | |
1037 | + | |
1038 | +/* Connections have two entries in the hash table: one for each way */ | |
1039 | +struct nf_conntrack_tuple_hash | |
1040 | +{ | |
1041 | + struct list_head list; | |
1042 | + | |
1043 | + struct nf_conntrack_tuple tuple; | |
1044 | +}; | |
1045 | + | |
1046 | +#endif /* __KERNEL__ */ | |
1047 | + | |
014436e1 PS |
1048 | +static inline int nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1, |
1049 | + const struct nf_conntrack_tuple *t2) | |
1050 | +{ | |
1051 | + return (t1->src.u3.all[0] == t2->src.u3.all[0] && | |
1052 | + t1->src.u3.all[1] == t2->src.u3.all[1] && | |
1053 | + t1->src.u3.all[2] == t2->src.u3.all[2] && | |
1054 | + t1->src.u3.all[3] == t2->src.u3.all[3] && | |
1055 | + t1->src.u.all == t2->src.u.all && | |
1056 | + t1->src.l3num == t2->src.l3num && | |
1057 | + t1->dst.protonum == t2->dst.protonum); | |
1058 | +} | |
1059 | + | |
1060 | +static inline int nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1, | |
1061 | + const struct nf_conntrack_tuple *t2) | |
1062 | +{ | |
1063 | + return (t1->dst.u3.all[0] == t2->dst.u3.all[0] && | |
1064 | + t1->dst.u3.all[1] == t2->dst.u3.all[1] && | |
1065 | + t1->dst.u3.all[2] == t2->dst.u3.all[2] && | |
1066 | + t1->dst.u3.all[3] == t2->dst.u3.all[3] && | |
1067 | + t1->dst.u.all == t2->dst.u.all && | |
1068 | + t1->src.l3num == t2->src.l3num && | |
1069 | + t1->dst.protonum == t2->dst.protonum); | |
1070 | +} | |
1071 | + | |
1072 | +static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1, | |
1073 | + const struct nf_conntrack_tuple *t2) | |
1074 | +{ | |
1075 | + return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2); | |
1076 | +} | |
1077 | + | |
1078 | +static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t, | |
1079 | + const struct nf_conntrack_tuple *tuple, | |
1080 | + const struct nf_conntrack_tuple *mask) | |
1081 | +{ | |
1082 | + int count = 0; | |
1083 | + | |
1084 | + for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){ | |
1085 | + if ((ntohs(t->src.u3.all[count]) ^ | |
1086 | + ntohs(tuple->src.u3.all[count])) & | |
1087 | + ntohs(mask->src.u3.all[count])) | |
1088 | + return 0; | |
1089 | + } | |
1090 | + | |
1091 | + for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){ | |
1092 | + if ((ntohs(t->dst.u3.all[count]) ^ | |
1093 | + ntohs(tuple->dst.u3.all[count])) & | |
1094 | + ntohs(mask->dst.u3.all[count])) | |
1095 | + return 0; | |
1096 | + } | |
1097 | + | |
1098 | + if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all || | |
1099 | + (t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all || | |
1100 | + (t->src.l3num ^ tuple->src.l3num) & mask->src.l3num || | |
1101 | + (t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum) | |
1102 | + return 0; | |
1103 | + | |
1104 | + return 1; | |
1105 | +} | |
1106 | + | |
1107 | +#endif /* _NF_CONNTRACK_TUPLE_H */ | |
ae95cca4 PS |
1108 | diff -uNr include.orig/linux/netfilter/nfnetlink.h include/linux/netfilter/nfnetlink.h |
1109 | --- include.orig/linux/netfilter/nfnetlink.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
1110 | +++ include/linux/netfilter/nfnetlink.h 2005-08-02 20:02:17.715246480 +0200 |
1111 | @@ -0,0 +1,145 @@ | |
ae95cca4 PS |
1112 | +#ifndef _NFNETLINK_H |
1113 | +#define _NFNETLINK_H | |
1114 | +#include <linux/types.h> | |
1115 | + | |
c558041a PS |
1116 | +/* nfnetlink groups: Up to 32 maximum */ |
1117 | +#define NF_NETLINK_CONNTRACK_NEW 0x00000001 | |
1118 | +#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002 | |
1119 | +#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004 | |
1120 | +#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008 | |
1121 | +#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010 | |
1122 | +#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020 | |
1123 | + | |
ae95cca4 PS |
1124 | +/* Generic structure for encapsulation optional netfilter information. |
1125 | + * It is reminiscent of sockaddr, but with sa_family replaced | |
1126 | + * with attribute type. | |
1127 | + * ! This should someday be put somewhere generic as now rtnetlink and | |
1128 | + * ! nfnetlink use the same attributes methods. - J. Schulist. | |
1129 | + */ | |
1130 | + | |
1131 | +struct nfattr | |
1132 | +{ | |
c558041a PS |
1133 | + u_int16_t nfa_len __attribute__ ((packed)); |
1134 | + u_int16_t nfa_type __attribute__ ((packed)); | |
ae95cca4 PS |
1135 | +}; |
1136 | + | |
c558041a PS |
1137 | +/* FIXME: Shamelessly copy and pasted from rtnetlink.h, it's time |
1138 | + * to put this in a generic file */ | |
1139 | + | |
ae95cca4 PS |
1140 | +#define NFA_ALIGNTO 4 |
1141 | +#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1)) | |
1142 | +#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \ | |
1143 | + && (nfa)->nfa_len <= (len)) | |
1144 | +#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \ | |
1145 | + (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len))) | |
1146 | +#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len)) | |
1147 | +#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len)) | |
1148 | +#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0))) | |
1149 | +#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0)) | |
c558041a PS |
1150 | +#define NFA_NEST(skb, type) \ |
1151 | +({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \ | |
1152 | + NFA_PUT(skb, type, 0, NULL); \ | |
1153 | + __start; }) | |
1154 | +#define NFA_NEST_END(skb, start) \ | |
1155 | +({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \ | |
1156 | + (skb)->len; }) | |
1157 | +#define NFA_NEST_CANCEL(skb, start) \ | |
1158 | +({ if (start) \ | |
1159 | + skb_trim(skb, (unsigned char *) (start) - (skb)->data); \ | |
1160 | + -1; }) | |
ae95cca4 PS |
1161 | + |
1162 | +/* General form of address family dependent message. | |
1163 | + */ | |
1164 | +struct nfgenmsg { | |
c558041a PS |
1165 | + u_int8_t nfgen_family __attribute__ ((packed)); /* AF_xxx */ |
1166 | + u_int8_t version __attribute__ ((packed)); /* nfnetlink version */ | |
1167 | + u_int16_t res_id __attribute__ ((packed)); /* resource id */ | |
ae95cca4 PS |
1168 | +}; |
1169 | + | |
c558041a PS |
1170 | +#define NFNETLINK_V1 1 |
1171 | + | |
ae95cca4 PS |
1172 | +#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \ |
1173 | + + NLMSG_ALIGN(sizeof(struct nfgenmsg)))) | |
1174 | +#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg)) | |
1175 | + | |
ae95cca4 PS |
1176 | +/* netfilter netlink message types are split in two pieces: |
1177 | + * 8 bit subsystem, 8bit operation. | |
1178 | + */ | |
1179 | + | |
1180 | +#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8) | |
1181 | +#define NFNL_MSG_TYPE(x) (x & 0x00ff) | |
1182 | + | |
1183 | +enum nfnl_subsys_id { | |
1184 | + NFNL_SUBSYS_NONE = 0, | |
1185 | + NFNL_SUBSYS_CTNETLINK, | |
1186 | + NFNL_SUBSYS_CTNETLINK_EXP, | |
1187 | + NFNL_SUBSYS_IPTNETLINK, | |
1188 | + NFNL_SUBSYS_QUEUE, | |
1189 | + NFNL_SUBSYS_ULOG, | |
1190 | + NFNL_SUBSYS_COUNT, | |
1191 | +}; | |
1192 | + | |
c558041a PS |
1193 | +#ifdef __KERNEL__ |
1194 | + | |
1195 | +#include <linux/capability.h> | |
1196 | + | |
1197 | +struct nfnl_callback | |
1198 | +{ | |
1199 | + kernel_cap_t cap_required; /* capabilities required for this msg */ | |
1200 | + int (*call)(struct sock *nl, struct sk_buff *skb, | |
1201 | + struct nlmsghdr *nlh, struct nfattr *cda[], int *errp); | |
1202 | +}; | |
1203 | + | |
1204 | +struct nfnetlink_subsystem | |
1205 | +{ | |
1206 | + const char *name; | |
1207 | + __u8 subsys_id; /* nfnetlink subsystem ID */ | |
1208 | + __u8 cb_count; /* number of callbacks */ | |
1209 | + u_int32_t attr_count; /* number of nfattr's */ | |
1210 | + struct nfnl_callback *cb; /* callback for individual types */ | |
1211 | +}; | |
1212 | + | |
1213 | +extern void __nfa_fill(struct sk_buff *skb, int attrtype, | |
1214 | + int attrlen, const void *data); | |
1215 | +#define NFA_PUT(skb, attrtype, attrlen, data) \ | |
1216 | +({ if (skb_tailroom(skb) < (int)NFA_SPACE(attrlen)) goto nfattr_failure; \ | |
1217 | + __nfa_fill(skb, attrtype, attrlen, data); }) | |
1218 | + | |
1219 | +extern struct semaphore nfnl_sem; | |
1220 | + | |
1221 | +#define nfnl_shlock() down(&nfnl_sem) | |
1222 | +#define nfnl_shlock_nowait() down_trylock(&nfnl_sem) | |
1223 | + | |
1224 | +#define nfnl_shunlock() do { up(&nfnl_sem); \ | |
1225 | + if(nfnl && nfnl->sk_receive_queue.qlen) \ | |
1226 | + nfnl->sk_data_ready(nfnl, 0); \ | |
1227 | + } while(0) | |
1228 | + | |
1229 | +extern void nfnl_lock(void); | |
1230 | +extern void nfnl_unlock(void); | |
1231 | + | |
1232 | +extern int nfnetlink_subsys_register(struct nfnetlink_subsystem *n); | |
1233 | +extern int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n); | |
1234 | + | |
1235 | +extern int nfattr_parse(struct nfattr *tb[], int maxattr, | |
1236 | + struct nfattr *nfa, int len); | |
1237 | + | |
1238 | +#define nfattr_parse_nested(tb, max, nfa) \ | |
1239 | + nfattr_parse((tb), (max), NFA_DATA((nfa)), NFA_PAYLOAD((nfa))) | |
1240 | + | |
1241 | +#define nfattr_bad_size(tb, max, cta_min) \ | |
1242 | +({ int __i, __res = 0; \ | |
1243 | + for (__i=0; __i<max; __i++) \ | |
1244 | + if (tb[__i] && NFA_PAYLOAD(tb[__i]) < cta_min[__i]){ \ | |
1245 | + __res = 1; \ | |
1246 | + break; \ | |
1247 | + } \ | |
1248 | + __res; \ | |
1249 | +}) | |
1250 | + | |
1251 | +extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, | |
1252 | + int echo); | |
1253 | +extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags); | |
1254 | + | |
1255 | +#endif /* __KERNEL__ */ | |
ae95cca4 | 1256 | +#endif /* _NFNETLINK_H */ |
c558041a PS |
1257 | diff -uNr include.orig/linux/netfilter.h include/linux/netfilter.h |
1258 | --- include.orig/linux/netfilter.h 2005-07-06 02:17:21.000000000 +0200 | |
1259 | +++ include/linux/netfilter.h 2005-08-02 20:02:17.658255144 +0200 | |
1260 | @@ -11,7 +11,7 @@ | |
1261 | #define NF_MAX_VERDICT NF_STOP | |
1262 | ||
1263 | /* Generic cache responses from hook functions. | |
1264 | - <= 0x2000 is used for protocol-flags. */ | |
1265 | + <= 0x2000 is reserved for conntrack event cache. */ | |
1266 | #define NFC_UNKNOWN 0x4000 | |
1267 | #define NFC_ALTERED 0x8000 | |
ae95cca4 | 1268 | |
ae95cca4 PS |
1269 | diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_core.h include/linux/netfilter_ipv4/ip_conntrack_core.h |
1270 | --- include.orig/linux/netfilter_ipv4/ip_conntrack_core.h 2005-03-13 21:53:55.000000000 +0100 | |
c558041a PS |
1271 | +++ include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-08-02 20:02:17.749241312 +0200 |
1272 | @@ -34,15 +34,26 @@ | |
1273 | ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple, | |
1274 | const struct ip_conntrack *ignored_conntrack); | |
1275 | ||
1276 | +struct ip_conntrack_tuple_hash * | |
1277 | +__ip_conntrack_find(const struct ip_conntrack_tuple *tuple, | |
1278 | + const struct ip_conntrack *ignored_conntrack); | |
1279 | + | |
1280 | +struct ip_conntrack_expect * | |
1281 | +__ip_conntrack_exp_find(const struct ip_conntrack_tuple *tuple); | |
1282 | + | |
1283 | extern int __ip_conntrack_confirm(struct sk_buff **pskb); | |
ae95cca4 | 1284 | |
ae95cca4 PS |
1285 | /* Confirm a connection: returns NF_DROP if packet must be dropped. */ |
1286 | static inline int ip_conntrack_confirm(struct sk_buff **pskb) | |
1287 | { | |
1288 | + int ret = NF_ACCEPT; | |
1289 | + | |
1290 | if ((*pskb)->nfct | |
1291 | && !is_confirmed((struct ip_conntrack *)(*pskb)->nfct)) | |
1292 | - return __ip_conntrack_confirm(pskb); | |
1293 | - return NF_ACCEPT; | |
1294 | + ret = __ip_conntrack_confirm(pskb); | |
1295 | + ip_conntrack_deliver_cached_events(*pskb); | |
1296 | + | |
1297 | + return ret; | |
1298 | } | |
1299 | ||
1300 | extern struct list_head *ip_conntrack_hash; | |
ae95cca4 PS |
1301 | diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack.h include/linux/netfilter_ipv4/ip_conntrack.h |
1302 | --- include.orig/linux/netfilter_ipv4/ip_conntrack.h 2005-03-13 21:53:55.000000000 +0100 | |
c558041a PS |
1303 | +++ include/linux/netfilter_ipv4/ip_conntrack.h 2005-08-02 20:05:38.525718648 +0200 |
1304 | @@ -65,6 +65,63 @@ | |
ae95cca4 PS |
1305 | |
1306 | /* Both together */ | |
1307 | IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), | |
1308 | + | |
1309 | + /* Connection is destroyed (removed from lists), can not be unset. */ | |
1310 | + IPS_DESTROYED_BIT = 9, | |
1311 | + IPS_DESTROYED = (1 << IPS_DESTROYED_BIT), | |
1312 | +}; | |
1313 | + | |
1314 | +/* Connection tracking event bits */ | |
1315 | +enum ip_conntrack_events | |
1316 | +{ | |
1317 | + /* New conntrack */ | |
1318 | + IPCT_NEW_BIT = 0, | |
1319 | + IPCT_NEW = (1 << IPCT_NEW_BIT), | |
1320 | + | |
1321 | + /* Expected connection */ | |
1322 | + IPCT_RELATED_BIT = 1, | |
1323 | + IPCT_RELATED = (1 << IPCT_RELATED_BIT), | |
1324 | + | |
1325 | + /* Destroyed conntrack */ | |
1326 | + IPCT_DESTROY_BIT = 2, | |
1327 | + IPCT_DESTROY = (1 << IPCT_DESTROY_BIT), | |
1328 | + | |
1329 | + /* Timer has been refreshed */ | |
1330 | + IPCT_REFRESH_BIT = 3, | |
1331 | + IPCT_REFRESH = (1 << IPCT_REFRESH_BIT), | |
1332 | + | |
1333 | + /* Status has changed */ | |
1334 | + IPCT_STATUS_BIT = 4, | |
1335 | + IPCT_STATUS = (1 << IPCT_STATUS_BIT), | |
1336 | + | |
1337 | + /* Update of protocol info */ | |
1338 | + IPCT_PROTOINFO_BIT = 5, | |
1339 | + IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT), | |
1340 | + | |
1341 | + /* Volatile protocol info */ | |
1342 | + IPCT_PROTOINFO_VOLATILE_BIT = 6, | |
1343 | + IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT), | |
1344 | + | |
1345 | + /* New helper for conntrack */ | |
1346 | + IPCT_HELPER_BIT = 7, | |
1347 | + IPCT_HELPER = (1 << IPCT_HELPER_BIT), | |
1348 | + | |
1349 | + /* Update of helper info */ | |
1350 | + IPCT_HELPINFO_BIT = 8, | |
1351 | + IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT), | |
1352 | + | |
1353 | + /* Volatile helper info */ | |
1354 | + IPCT_HELPINFO_VOLATILE_BIT = 9, | |
1355 | + IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT), | |
1356 | + | |
1357 | + /* NAT info */ | |
1358 | + IPCT_NATINFO_BIT = 10, | |
1359 | + IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), | |
1360 | +}; | |
1361 | + | |
1362 | +enum ip_conntrack_expect_events { | |
1363 | + IPEXP_NEW_BIT = 0, | |
1364 | + IPEXP_NEW = (1 << IPEXP_NEW_BIT), | |
ae95cca4 PS |
1365 | }; |
1366 | ||
1367 | #endif /* _IP_CONNTRACK_H */ | |
1368 | diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h include/linux/netfilter_ipv4/ip_conntrack_h323.h | |
1369 | --- include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
1370 | +++ include/linux/netfilter_ipv4/ip_conntrack_h323.h 2005-08-02 20:02:17.725244960 +0200 |
1371 | @@ -0,0 +1,38 @@ | |
ae95cca4 PS |
1372 | +#ifndef _IP_CONNTRACK_H323_H |
1373 | +#define _IP_CONNTRACK_H323_H | |
1374 | +/* H.323 connection tracking. */ | |
1375 | + | |
c558041a | 1376 | +#ifdef __KERNEL__ |
ae95cca4 | 1377 | + |
c558041a PS |
1378 | +/* Default H.225 port */ |
1379 | +#define H225_PORT 1720 | |
ae95cca4 | 1380 | + |
c558041a PS |
1381 | +struct ip_conntrack_expect; |
1382 | +struct ip_conntrack; | |
1383 | +struct ip_conntrack_helper; | |
ae95cca4 | 1384 | + |
c558041a PS |
1385 | +extern int (*ip_nat_h245_hook)(struct sk_buff **pskb, |
1386 | + enum ip_conntrack_info ctinfo, | |
1387 | + unsigned int offset, | |
1388 | + struct ip_conntrack_expect *exp); | |
ae95cca4 | 1389 | + |
c558041a PS |
1390 | +extern int (*ip_nat_h225_hook)(struct sk_buff **pskb, |
1391 | + enum ip_conntrack_info ctinfo, | |
1392 | + unsigned int offset, | |
1393 | + struct ip_conntrack_expect *exp); | |
ae95cca4 | 1394 | + |
c558041a PS |
1395 | +extern void (*ip_nat_h225_signal_hook)(struct sk_buff **pskb, |
1396 | + struct ip_conntrack *ct, | |
1397 | + enum ip_conntrack_info ctinfo, | |
1398 | + unsigned int offset, | |
1399 | + int dir, | |
1400 | + int orig_dir); | |
ae95cca4 | 1401 | + |
c558041a | 1402 | +extern struct ip_conntrack_helper ip_conntrack_helper_h225; |
ae95cca4 | 1403 | + |
c558041a PS |
1404 | +void ip_conntrack_h245_expect(struct ip_conntrack *new, |
1405 | + struct ip_conntrack_expect *this); | |
ae95cca4 | 1406 | + |
c558041a | 1407 | +#endif /* __KERNEL__ */ |
ae95cca4 | 1408 | + |
c558041a PS |
1409 | +#endif /* _IP_CONNTRACK_H323_H */ |
1410 | diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h include/linux/netfilter_ipv4/ip_conntrack_mms.h | |
1411 | --- include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h 1970-01-01 01:00:00.000000000 +0100 | |
1412 | +++ include/linux/netfilter_ipv4/ip_conntrack_mms.h 2005-08-02 20:02:17.774237512 +0200 | |
1413 | @@ -0,0 +1,36 @@ | |
1414 | +#ifndef _IP_CONNTRACK_MMS_H | |
1415 | +#define _IP_CONNTRACK_MMS_H | |
1416 | +/* MMS tracking. */ | |
ae95cca4 | 1417 | + |
c558041a | 1418 | +#ifdef __KERNEL__ |
ae95cca4 | 1419 | + |
c558041a | 1420 | +extern spinlock_t ip_mms_lock; |
ae95cca4 | 1421 | + |
c558041a PS |
1422 | +#define MMS_PORT 1755 |
1423 | +#define MMS_SRV_MSG_ID 196610 | |
ae95cca4 | 1424 | + |
c558041a PS |
1425 | +#define MMS_SRV_MSG_OFFSET 36 |
1426 | +#define MMS_SRV_UNICODE_STRING_OFFSET 60 | |
1427 | +#define MMS_SRV_CHUNKLENLV_OFFSET 16 | |
1428 | +#define MMS_SRV_CHUNKLENLM_OFFSET 32 | |
1429 | +#define MMS_SRV_MESSAGELENGTH_OFFSET 8 | |
ae95cca4 | 1430 | + |
c558041a PS |
1431 | +/* This structure is per expected connection */ |
1432 | +struct ip_ct_mms_expect { | |
1433 | + u_int32_t offset; | |
1434 | + u_int32_t len; | |
1435 | + u_int32_t padding; | |
1436 | + u_int16_t port; | |
1437 | +}; | |
ae95cca4 | 1438 | + |
c558041a PS |
1439 | +/* This structure exists only once per master */ |
1440 | +struct ip_ct_mms_master { | |
ae95cca4 PS |
1441 | +}; |
1442 | + | |
c558041a PS |
1443 | +struct ip_conntrack_expect; |
1444 | +extern unsigned int (*ip_nat_mms_hook)(struct sk_buff **pskb, | |
1445 | + enum ip_conntrack_info ctinfo, | |
1446 | + const struct ip_ct_mms_expect *exp_mms_info, | |
1447 | + struct ip_conntrack_expect *exp); | |
1448 | +#endif | |
1449 | +#endif /* _IP_CONNTRACK_MMS_H */ | |
1450 | diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h include/linux/netfilter_ipv4/ip_conntrack_pptp.h | |
1451 | --- include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h 1970-01-01 01:00:00.000000000 +0100 | |
1452 | +++ include/linux/netfilter_ipv4/ip_conntrack_pptp.h 2005-08-02 20:02:17.800233560 +0200 | |
1453 | @@ -0,0 +1,336 @@ | |
1454 | +/* PPTP constants and structs */ | |
1455 | +#ifndef _CONNTRACK_PPTP_H | |
1456 | +#define _CONNTRACK_PPTP_H | |
ae95cca4 | 1457 | + |
c558041a PS |
1458 | +/* state of the control session */ |
1459 | +enum pptp_ctrlsess_state { | |
1460 | + PPTP_SESSION_NONE, /* no session present */ | |
1461 | + PPTP_SESSION_ERROR, /* some session error */ | |
1462 | + PPTP_SESSION_STOPREQ, /* stop_sess request seen */ | |
1463 | + PPTP_SESSION_REQUESTED, /* start_sess request seen */ | |
1464 | + PPTP_SESSION_CONFIRMED, /* session established */ | |
ae95cca4 PS |
1465 | +}; |
1466 | + | |
c558041a PS |
1467 | +/* state of the call inside the control session */ |
1468 | +enum pptp_ctrlcall_state { | |
1469 | + PPTP_CALL_NONE, | |
1470 | + PPTP_CALL_ERROR, | |
1471 | + PPTP_CALL_OUT_REQ, | |
1472 | + PPTP_CALL_OUT_CONF, | |
1473 | + PPTP_CALL_IN_REQ, | |
1474 | + PPTP_CALL_IN_REP, | |
1475 | + PPTP_CALL_IN_CONF, | |
1476 | + PPTP_CALL_CLEAR_REQ, | |
1477 | +}; | |
1478 | + | |
1479 | + | |
1480 | +/* conntrack private data */ | |
1481 | +struct ip_ct_pptp_master { | |
1482 | + enum pptp_ctrlsess_state sstate; /* session state */ | |
1483 | + | |
1484 | + /* everything below is going to be per-expectation in newnat, | |
1485 | + * since there could be more than one call within one session */ | |
1486 | + enum pptp_ctrlcall_state cstate; /* call state */ | |
1487 | + u_int16_t pac_call_id; /* call id of PAC, host byte order */ | |
1488 | + u_int16_t pns_call_id; /* call id of PNS, host byte order */ | |
1489 | + | |
1490 | + /* in pre-2.6.11 this used to be per-expect. Now it is per-conntrack | |
1491 | + * and therefore imposes a fixed limit on the number of maps */ | |
1492 | + struct ip_ct_gre_keymap *keymap_orig, *keymap_reply; | |
1493 | +}; | |
1494 | + | |
1495 | +/* conntrack_expect private member */ | |
1496 | +struct ip_ct_pptp_expect { | |
1497 | + enum pptp_ctrlcall_state cstate; /* call state */ | |
1498 | + u_int16_t pac_call_id; /* call id of PAC */ | |
1499 | + u_int16_t pns_call_id; /* call id of PNS */ | |
1500 | +}; | |
1501 | + | |
1502 | + | |
1503 | +#ifdef __KERNEL__ | |
1504 | + | |
1505 | + | |
1506 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
1507 | +DECLARE_LOCK_EXTERN(ip_pptp_lock); | |
1508 | + | |
1509 | +#define IP_CONNTR_PPTP PPTP_CONTROL_PORT | |
1510 | + | |
1511 | +#define PPTP_CONTROL_PORT 1723 | |
1512 | + | |
1513 | +#define PPTP_PACKET_CONTROL 1 | |
1514 | +#define PPTP_PACKET_MGMT 2 | |
1515 | + | |
1516 | +#define PPTP_MAGIC_COOKIE 0x1a2b3c4d | |
ae95cca4 | 1517 | + |
c558041a PS |
1518 | +struct pptp_pkt_hdr { |
1519 | + __u16 packetLength; | |
1520 | + __u16 packetType; | |
1521 | + __u32 magicCookie; | |
ae95cca4 PS |
1522 | +}; |
1523 | + | |
c558041a PS |
1524 | +/* PptpControlMessageType values */ |
1525 | +#define PPTP_START_SESSION_REQUEST 1 | |
1526 | +#define PPTP_START_SESSION_REPLY 2 | |
1527 | +#define PPTP_STOP_SESSION_REQUEST 3 | |
1528 | +#define PPTP_STOP_SESSION_REPLY 4 | |
1529 | +#define PPTP_ECHO_REQUEST 5 | |
1530 | +#define PPTP_ECHO_REPLY 6 | |
1531 | +#define PPTP_OUT_CALL_REQUEST 7 | |
1532 | +#define PPTP_OUT_CALL_REPLY 8 | |
1533 | +#define PPTP_IN_CALL_REQUEST 9 | |
1534 | +#define PPTP_IN_CALL_REPLY 10 | |
1535 | +#define PPTP_IN_CALL_CONNECT 11 | |
1536 | +#define PPTP_CALL_CLEAR_REQUEST 12 | |
1537 | +#define PPTP_CALL_DISCONNECT_NOTIFY 13 | |
1538 | +#define PPTP_WAN_ERROR_NOTIFY 14 | |
1539 | +#define PPTP_SET_LINK_INFO 15 | |
ae95cca4 | 1540 | + |
c558041a PS |
1541 | +#define PPTP_MSG_MAX 15 |
1542 | + | |
1543 | +/* PptpGeneralError values */ | |
1544 | +#define PPTP_ERROR_CODE_NONE 0 | |
1545 | +#define PPTP_NOT_CONNECTED 1 | |
1546 | +#define PPTP_BAD_FORMAT 2 | |
1547 | +#define PPTP_BAD_VALUE 3 | |
1548 | +#define PPTP_NO_RESOURCE 4 | |
1549 | +#define PPTP_BAD_CALLID 5 | |
1550 | +#define PPTP_REMOVE_DEVICE_ERROR 6 | |
1551 | + | |
1552 | +struct PptpControlHeader { | |
1553 | + __u16 messageType; | |
1554 | + __u16 reserved; | |
1555 | +}; | |
1556 | + | |
1557 | +/* FramingCapability Bitmap Values */ | |
1558 | +#define PPTP_FRAME_CAP_ASYNC 0x1 | |
1559 | +#define PPTP_FRAME_CAP_SYNC 0x2 | |
1560 | + | |
1561 | +/* BearerCapability Bitmap Values */ | |
1562 | +#define PPTP_BEARER_CAP_ANALOG 0x1 | |
1563 | +#define PPTP_BEARER_CAP_DIGITAL 0x2 | |
1564 | + | |
1565 | +struct PptpStartSessionRequest { | |
1566 | + __u16 protocolVersion; | |
1567 | + __u8 reserved1; | |
1568 | + __u8 reserved2; | |
1569 | + __u32 framingCapability; | |
1570 | + __u32 bearerCapability; | |
1571 | + __u16 maxChannels; | |
1572 | + __u16 firmwareRevision; | |
1573 | + __u8 hostName[64]; | |
1574 | + __u8 vendorString[64]; | |
1575 | +}; | |
1576 | + | |
1577 | +/* PptpStartSessionResultCode Values */ | |
1578 | +#define PPTP_START_OK 1 | |
1579 | +#define PPTP_START_GENERAL_ERROR 2 | |
1580 | +#define PPTP_START_ALREADY_CONNECTED 3 | |
1581 | +#define PPTP_START_NOT_AUTHORIZED 4 | |
1582 | +#define PPTP_START_UNKNOWN_PROTOCOL 5 | |
1583 | + | |
1584 | +struct PptpStartSessionReply { | |
1585 | + __u16 protocolVersion; | |
1586 | + __u8 resultCode; | |
1587 | + __u8 generalErrorCode; | |
1588 | + __u32 framingCapability; | |
1589 | + __u32 bearerCapability; | |
1590 | + __u16 maxChannels; | |
1591 | + __u16 firmwareRevision; | |
1592 | + __u8 hostName[64]; | |
1593 | + __u8 vendorString[64]; | |
1594 | +}; | |
1595 | + | |
1596 | +/* PptpStopReasons */ | |
1597 | +#define PPTP_STOP_NONE 1 | |
1598 | +#define PPTP_STOP_PROTOCOL 2 | |
1599 | +#define PPTP_STOP_LOCAL_SHUTDOWN 3 | |
1600 | + | |
1601 | +struct PptpStopSessionRequest { | |
1602 | + __u8 reason; | |
1603 | +}; | |
1604 | + | |
1605 | +/* PptpStopSessionResultCode */ | |
1606 | +#define PPTP_STOP_OK 1 | |
1607 | +#define PPTP_STOP_GENERAL_ERROR 2 | |
1608 | + | |
1609 | +struct PptpStopSessionReply { | |
1610 | + __u8 resultCode; | |
1611 | + __u8 generalErrorCode; | |
1612 | +}; | |
1613 | + | |
1614 | +struct PptpEchoRequest { | |
1615 | + __u32 identNumber; | |
1616 | +}; | |
1617 | + | |
1618 | +/* PptpEchoReplyResultCode */ | |
1619 | +#define PPTP_ECHO_OK 1 | |
1620 | +#define PPTP_ECHO_GENERAL_ERROR 2 | |
1621 | + | |
1622 | +struct PptpEchoReply { | |
1623 | + __u32 identNumber; | |
1624 | + __u8 resultCode; | |
1625 | + __u8 generalErrorCode; | |
1626 | + __u16 reserved; | |
1627 | +}; | |
1628 | + | |
1629 | +/* PptpFramingType */ | |
1630 | +#define PPTP_ASYNC_FRAMING 1 | |
1631 | +#define PPTP_SYNC_FRAMING 2 | |
1632 | +#define PPTP_DONT_CARE_FRAMING 3 | |
1633 | + | |
1634 | +/* PptpCallBearerType */ | |
1635 | +#define PPTP_ANALOG_TYPE 1 | |
1636 | +#define PPTP_DIGITAL_TYPE 2 | |
1637 | +#define PPTP_DONT_CARE_BEARER_TYPE 3 | |
1638 | + | |
1639 | +struct PptpOutCallRequest { | |
1640 | + __u16 callID; | |
1641 | + __u16 callSerialNumber; | |
1642 | + __u32 minBPS; | |
1643 | + __u32 maxBPS; | |
1644 | + __u32 bearerType; | |
1645 | + __u32 framingType; | |
1646 | + __u16 packetWindow; | |
1647 | + __u16 packetProcDelay; | |
1648 | + __u16 reserved1; | |
1649 | + __u16 phoneNumberLength; | |
1650 | + __u16 reserved2; | |
1651 | + __u8 phoneNumber[64]; | |
1652 | + __u8 subAddress[64]; | |
1653 | +}; | |
1654 | + | |
1655 | +/* PptpCallResultCode */ | |
1656 | +#define PPTP_OUTCALL_CONNECT 1 | |
1657 | +#define PPTP_OUTCALL_GENERAL_ERROR 2 | |
1658 | +#define PPTP_OUTCALL_NO_CARRIER 3 | |
1659 | +#define PPTP_OUTCALL_BUSY 4 | |
1660 | +#define PPTP_OUTCALL_NO_DIAL_TONE 5 | |
1661 | +#define PPTP_OUTCALL_TIMEOUT 6 | |
1662 | +#define PPTP_OUTCALL_DONT_ACCEPT 7 | |
1663 | + | |
1664 | +struct PptpOutCallReply { | |
1665 | + __u16 callID; | |
1666 | + __u16 peersCallID; | |
1667 | + __u8 resultCode; | |
1668 | + __u8 generalErrorCode; | |
1669 | + __u16 causeCode; | |
1670 | + __u32 connectSpeed; | |
1671 | + __u16 packetWindow; | |
1672 | + __u16 packetProcDelay; | |
1673 | + __u32 physChannelID; | |
1674 | +}; | |
1675 | + | |
1676 | +struct PptpInCallRequest { | |
1677 | + __u16 callID; | |
1678 | + __u16 callSerialNumber; | |
1679 | + __u32 callBearerType; | |
1680 | + __u32 physChannelID; | |
1681 | + __u16 dialedNumberLength; | |
1682 | + __u16 dialingNumberLength; | |
1683 | + __u8 dialedNumber[64]; | |
1684 | + __u8 dialingNumber[64]; | |
1685 | + __u8 subAddress[64]; | |
1686 | +}; | |
1687 | + | |
1688 | +/* PptpInCallResultCode */ | |
1689 | +#define PPTP_INCALL_ACCEPT 1 | |
1690 | +#define PPTP_INCALL_GENERAL_ERROR 2 | |
1691 | +#define PPTP_INCALL_DONT_ACCEPT 3 | |
1692 | + | |
1693 | +struct PptpInCallReply { | |
1694 | + __u16 callID; | |
1695 | + __u16 peersCallID; | |
1696 | + __u8 resultCode; | |
1697 | + __u8 generalErrorCode; | |
1698 | + __u16 packetWindow; | |
1699 | + __u16 packetProcDelay; | |
1700 | + __u16 reserved; | |
1701 | +}; | |
1702 | + | |
1703 | +struct PptpInCallConnected { | |
1704 | + __u16 peersCallID; | |
1705 | + __u16 reserved; | |
1706 | + __u32 connectSpeed; | |
1707 | + __u16 packetWindow; | |
1708 | + __u16 packetProcDelay; | |
1709 | + __u32 callFramingType; | |
1710 | +}; | |
1711 | + | |
1712 | +struct PptpClearCallRequest { | |
1713 | + __u16 callID; | |
1714 | + __u16 reserved; | |
1715 | +}; | |
1716 | + | |
1717 | +struct PptpCallDisconnectNotify { | |
1718 | + __u16 callID; | |
1719 | + __u8 resultCode; | |
1720 | + __u8 generalErrorCode; | |
1721 | + __u16 causeCode; | |
1722 | + __u16 reserved; | |
1723 | + __u8 callStatistics[128]; | |
1724 | +}; | |
1725 | + | |
1726 | +struct PptpWanErrorNotify { | |
1727 | + __u16 peersCallID; | |
1728 | + __u16 reserved; | |
1729 | + __u32 crcErrors; | |
1730 | + __u32 framingErrors; | |
1731 | + __u32 hardwareOverRuns; | |
1732 | + __u32 bufferOverRuns; | |
1733 | + __u32 timeoutErrors; | |
1734 | + __u32 alignmentErrors; | |
1735 | +}; | |
1736 | + | |
1737 | +struct PptpSetLinkInfo { | |
1738 | + __u16 peersCallID; | |
1739 | + __u16 reserved; | |
1740 | + __u32 sendAccm; | |
1741 | + __u32 recvAccm; | |
1742 | +}; | |
1743 | + | |
1744 | + | |
1745 | +struct pptp_priv_data { | |
1746 | + __u16 call_id; | |
1747 | + __u16 mcall_id; | |
1748 | + __u16 pcall_id; | |
1749 | +}; | |
1750 | + | |
1751 | +union pptp_ctrl_union { | |
1752 | + struct PptpStartSessionRequest sreq; | |
1753 | + struct PptpStartSessionReply srep; | |
1754 | + struct PptpStopSessionRequest streq; | |
1755 | + struct PptpStopSessionReply strep; | |
1756 | + struct PptpOutCallRequest ocreq; | |
1757 | + struct PptpOutCallReply ocack; | |
1758 | + struct PptpInCallRequest icreq; | |
1759 | + struct PptpInCallReply icack; | |
1760 | + struct PptpInCallConnected iccon; | |
1761 | + struct PptpClearCallRequest clrreq; | |
1762 | + struct PptpCallDisconnectNotify disc; | |
1763 | + struct PptpWanErrorNotify wanerr; | |
1764 | + struct PptpSetLinkInfo setlink; | |
ae95cca4 PS |
1765 | +}; |
1766 | + | |
c558041a PS |
1767 | +extern int |
1768 | +(*ip_nat_pptp_hook_outbound)(struct sk_buff **pskb, | |
1769 | + struct ip_conntrack *ct, | |
1770 | + enum ip_conntrack_info ctinfo, | |
1771 | + struct PptpControlHeader *ctlh, | |
1772 | + union pptp_ctrl_union *pptpReq); | |
ae95cca4 | 1773 | + |
c558041a PS |
1774 | +extern int |
1775 | +(*ip_nat_pptp_hook_inbound)(struct sk_buff **pskb, | |
1776 | + struct ip_conntrack *ct, | |
1777 | + enum ip_conntrack_info ctinfo, | |
1778 | + struct PptpControlHeader *ctlh, | |
1779 | + union pptp_ctrl_union *pptpReq); | |
ae95cca4 | 1780 | + |
c558041a PS |
1781 | +extern int |
1782 | +(*ip_nat_pptp_hook_exp_gre)(struct ip_conntrack_expect *exp_orig, | |
1783 | + struct ip_conntrack_expect *exp_reply); | |
1784 | + | |
1785 | +extern void | |
1786 | +(*ip_nat_pptp_hook_expectfn)(struct ip_conntrack *ct, | |
1787 | + struct ip_conntrack_expect *exp); | |
1788 | +#endif /* __KERNEL__ */ | |
1789 | +#endif /* _CONNTRACK_PPTP_H */ | |
ae95cca4 PS |
1790 | diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h include/linux/netfilter_ipv4/ip_conntrack_protocol.h |
1791 | --- include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-03-13 21:53:55.000000000 +0100 | |
c558041a PS |
1792 | +++ include/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-08-02 20:02:17.753240704 +0200 |
1793 | @@ -34,7 +34,7 @@ | |
ae95cca4 PS |
1794 | |
1795 | /* Returns verdict for packet, or -1 for invalid. */ | |
1796 | int (*packet)(struct ip_conntrack *conntrack, | |
1797 | - const struct sk_buff *skb, | |
1798 | + struct sk_buff *skb, | |
1799 | enum ip_conntrack_info ctinfo); | |
1800 | ||
1801 | /* Called when a new connection for this protocol found; | |
c558041a PS |
1802 | diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h |
1803 | --- include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 1970-01-01 01:00:00.000000000 +0100 | |
1804 | +++ include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2005-08-02 20:02:17.718246024 +0200 | |
1805 | @@ -0,0 +1,114 @@ | |
1806 | +#ifndef _CONNTRACK_PROTO_GRE_H | |
1807 | +#define _CONNTRACK_PROTO_GRE_H | |
1808 | +#include <asm/byteorder.h> | |
1809 | + | |
1810 | +/* GRE PROTOCOL HEADER */ | |
1811 | + | |
1812 | +/* GRE Version field */ | |
1813 | +#define GRE_VERSION_1701 0x0 | |
1814 | +#define GRE_VERSION_PPTP 0x1 | |
1815 | + | |
1816 | +/* GRE Protocol field */ | |
1817 | +#define GRE_PROTOCOL_PPTP 0x880B | |
1818 | + | |
1819 | +/* GRE Flags */ | |
1820 | +#define GRE_FLAG_C 0x80 | |
1821 | +#define GRE_FLAG_R 0x40 | |
1822 | +#define GRE_FLAG_K 0x20 | |
1823 | +#define GRE_FLAG_S 0x10 | |
1824 | +#define GRE_FLAG_A 0x80 | |
1825 | + | |
1826 | +#define GRE_IS_C(f) ((f)&GRE_FLAG_C) | |
1827 | +#define GRE_IS_R(f) ((f)&GRE_FLAG_R) | |
1828 | +#define GRE_IS_K(f) ((f)&GRE_FLAG_K) | |
1829 | +#define GRE_IS_S(f) ((f)&GRE_FLAG_S) | |
1830 | +#define GRE_IS_A(f) ((f)&GRE_FLAG_A) | |
1831 | + | |
1832 | +/* GRE is a mess: Four different standards */ | |
1833 | +struct gre_hdr { | |
1834 | +#if defined(__LITTLE_ENDIAN_BITFIELD) | |
1835 | + __u16 rec:3, | |
1836 | + srr:1, | |
1837 | + seq:1, | |
1838 | + key:1, | |
1839 | + routing:1, | |
1840 | + csum:1, | |
1841 | + version:3, | |
1842 | + reserved:4, | |
1843 | + ack:1; | |
1844 | +#elif defined(__BIG_ENDIAN_BITFIELD) | |
1845 | + __u16 csum:1, | |
1846 | + routing:1, | |
1847 | + key:1, | |
1848 | + seq:1, | |
1849 | + srr:1, | |
1850 | + rec:3, | |
1851 | + ack:1, | |
1852 | + reserved:4, | |
1853 | + version:3; | |
1854 | +#else | |
1855 | +#error "Adjust your <asm/byteorder.h> defines" | |
1856 | +#endif | |
1857 | + __u16 protocol; | |
1858 | +}; | |
ae95cca4 | 1859 | + |
c558041a PS |
1860 | +/* modified GRE header for PPTP */ |
1861 | +struct gre_hdr_pptp { | |
1862 | + __u8 flags; /* bitfield */ | |
1863 | + __u8 version; /* should be GRE_VERSION_PPTP */ | |
1864 | + __u16 protocol; /* should be GRE_PROTOCOL_PPTP */ | |
1865 | + __u16 payload_len; /* size of ppp payload, not inc. gre header */ | |
1866 | + __u16 call_id; /* peer's call_id for this session */ | |
1867 | + __u32 seq; /* sequence number. Present if S==1 */ | |
1868 | + __u32 ack; /* seq number of highest packet recieved by */ | |
1869 | + /* sender in this session */ | |
1870 | +}; | |
ae95cca4 | 1871 | + |
c558041a PS |
1872 | + |
1873 | +/* this is part of ip_conntrack */ | |
1874 | +struct ip_ct_gre { | |
1875 | + unsigned int stream_timeout; | |
1876 | + unsigned int timeout; | |
1877 | +}; | |
1878 | + | |
1879 | +#ifdef __KERNEL__ | |
1880 | +struct ip_conntrack_expect; | |
1881 | +struct ip_conntrack; | |
1882 | + | |
1883 | +/* structure for original <-> reply keymap */ | |
1884 | +struct ip_ct_gre_keymap { | |
1885 | + struct list_head list; | |
1886 | + | |
1887 | + struct ip_conntrack_tuple tuple; | |
1888 | +}; | |
1889 | + | |
1890 | +/* add new tuple->key_reply pair to keymap */ | |
1891 | +int ip_ct_gre_keymap_add(struct ip_conntrack *ct, | |
1892 | + struct ip_conntrack_tuple *t, | |
1893 | + int reply); | |
1894 | + | |
1895 | +/* delete keymap entries */ | |
1896 | +void ip_ct_gre_keymap_destroy(struct ip_conntrack *ct); | |
1897 | + | |
1898 | + | |
1899 | +/* get pointer to gre key, if present */ | |
1900 | +static inline u_int32_t *gre_key(struct gre_hdr *greh) | |
1901 | +{ | |
1902 | + if (!greh->key) | |
1903 | + return NULL; | |
1904 | + if (greh->csum || greh->routing) | |
1905 | + return (u_int32_t *) (greh+sizeof(*greh)+4); | |
1906 | + return (u_int32_t *) (greh+sizeof(*greh)); | |
1907 | +} | |
1908 | + | |
1909 | +/* get pointer ot gre csum, if present */ | |
1910 | +static inline u_int16_t *gre_csum(struct gre_hdr *greh) | |
1911 | +{ | |
1912 | + if (!greh->csum) | |
1913 | + return NULL; | |
1914 | + return (u_int16_t *) (greh+sizeof(*greh)); | |
1915 | +} | |
1916 | + | |
1917 | +#endif /* __KERNEL__ */ | |
1918 | + | |
1919 | +#endif /* _CONNTRACK_PROTO_GRE_H */ | |
1920 | diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h include/linux/netfilter_ipv4/ip_conntrack_quake3.h | |
1921 | --- include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h 1970-01-01 01:00:00.000000000 +0100 | |
1922 | +++ include/linux/netfilter_ipv4/ip_conntrack_quake3.h 2005-08-02 20:02:17.771237968 +0200 | |
1923 | @@ -0,0 +1,22 @@ | |
1924 | +#ifndef _IP_CT_QUAKE3 | |
1925 | +#define _IP_CT_QUAKE3 | |
1926 | + | |
1927 | +/* Don't confuse with 27960, often used as the Server Port */ | |
1928 | +#define QUAKE3_MASTER_PORT 27950 | |
1929 | + | |
1930 | +struct quake3_search { | |
1931 | + const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */ | |
1932 | + const char *pattern; | |
1933 | + size_t plen; | |
1934 | +}; | |
1935 | + | |
1936 | +/* This structure is per expected connection */ | |
1937 | +struct ip_ct_quake3_expect { | |
1938 | +}; | |
1939 | + | |
1940 | +/* This structure exists only once per master */ | |
1941 | +struct ip_ct_quake3_master { | |
1942 | +}; | |
1943 | + | |
1944 | +extern unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp); | |
1945 | +#endif /* _IP_CT_QUAKE3 */ | |
1946 | diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h include/linux/netfilter_ipv4/ip_conntrack_tuple.h | |
1947 | --- include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-03-13 21:53:55.000000000 +0100 | |
1948 | +++ include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-08-02 20:02:17.807232496 +0200 | |
1949 | @@ -28,6 +28,9 @@ | |
1950 | struct { | |
1951 | u_int16_t port; | |
1952 | } sctp; | |
1953 | + struct { | |
1954 | + u_int16_t key; /* key is 32bit, pptp onky uses 16 */ | |
1955 | + } gre; | |
014436e1 PS |
1956 | }; |
1957 | ||
c558041a PS |
1958 | /* The manipulable part of the tuple. */ |
1959 | @@ -61,6 +64,9 @@ | |
1960 | struct { | |
1961 | u_int16_t port; | |
1962 | } sctp; | |
1963 | + struct { | |
1964 | + u_int16_t key; | |
1965 | + } gre; | |
1966 | } u; | |
ae95cca4 | 1967 | |
c558041a PS |
1968 | /* The protocol. */ |
1969 | diff -uNr include.orig/linux/netfilter_ipv4/ip_nat_pptp.h include/linux/netfilter_ipv4/ip_nat_pptp.h | |
1970 | --- include.orig/linux/netfilter_ipv4/ip_nat_pptp.h 1970-01-01 01:00:00.000000000 +0100 | |
1971 | +++ include/linux/netfilter_ipv4/ip_nat_pptp.h 2005-08-02 20:02:17.767238576 +0200 | |
1972 | @@ -0,0 +1,11 @@ | |
1973 | +/* PPTP constants and structs */ | |
1974 | +#ifndef _NAT_PPTP_H | |
1975 | +#define _NAT_PPTP_H | |
1976 | + | |
1977 | +/* conntrack private data */ | |
1978 | +struct ip_nat_pptp { | |
1979 | + u_int16_t pns_call_id; /* NAT'ed PNS call id */ | |
1980 | + u_int16_t pac_call_id; /* NAT'ed PAC call id */ | |
1981 | +}; | |
1982 | + | |
1983 | +#endif /* _NAT_PPTP_H */ | |
ae95cca4 PS |
1984 | diff -uNr include.orig/linux/netfilter_ipv4/ip_queue.h include/linux/netfilter_ipv4/ip_queue.h |
1985 | --- include.orig/linux/netfilter_ipv4/ip_queue.h 2004-10-31 20:56:03.000000000 +0100 | |
c558041a | 1986 | +++ include/linux/netfilter_ipv4/ip_queue.h 2005-08-02 20:02:17.823230064 +0200 |
ae95cca4 PS |
1987 | @@ -39,10 +39,20 @@ |
1988 | unsigned char payload[0]; /* Optional replacement packet */ | |
1989 | } ipq_verdict_msg_t; | |
1990 | ||
1991 | +typedef struct ipq_vwmark_msg { | |
1992 | + unsigned int value; /* Verdict to hand to netfilter */ | |
1993 | + unsigned long id; /* Packet ID for this verdict */ | |
1994 | + size_t data_len; /* Length of replacement data */ | |
1995 | + unsigned char payload[0]; /* Optional replacement packet */ | |
1996 | + unsigned long nfmark; /* Mark for the Packet */ | |
1997 | +} ipq_vwmark_msg_t; | |
1998 | + | |
1999 | + | |
2000 | typedef struct ipq_peer_msg { | |
2001 | union { | |
2002 | ipq_verdict_msg_t verdict; | |
2003 | ipq_mode_msg_t mode; | |
c558041a | 2004 | + ipq_vwmark_msg_t vwmark; |
ae95cca4 PS |
2005 | } msg; |
2006 | } ipq_peer_msg_t; | |
2007 | ||
2008 | @@ -59,6 +69,7 @@ | |
2009 | #define IPQM_MODE (IPQM_BASE + 1) /* Mode request from peer */ | |
2010 | #define IPQM_VERDICT (IPQM_BASE + 2) /* Verdict from peer */ | |
2011 | #define IPQM_PACKET (IPQM_BASE + 3) /* Packet from kernel */ | |
2012 | -#define IPQM_MAX (IPQM_BASE + 4) | |
2013 | +#define IPQM_VWMARK (IPQM_BASE + 4) /* Verdict and mark from peer */ | |
2014 | +#define IPQM_MAX (IPQM_BASE + 5) | |
2015 | ||
2016 | #endif /*_IP_QUEUE_H*/ | |
2017 | diff -uNr include.orig/linux/netfilter_ipv4/ip_set.h include/linux/netfilter_ipv4/ip_set.h | |
2018 | --- include.orig/linux/netfilter_ipv4/ip_set.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
2019 | +++ include/linux/netfilter_ipv4/ip_set.h 2005-08-02 20:02:17.828229304 +0200 |
2020 | @@ -0,0 +1,489 @@ | |
014436e1 PS |
2021 | +#ifndef _IP_SET_H |
2022 | +#define _IP_SET_H | |
2023 | + | |
2024 | +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> | |
2025 | + * Patrick Schaaf <bof@bof.de> | |
2026 | + * Martin Josefsson <gandalf@wlug.westbo.se> | |
2027 | + * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
2028 | + * | |
2029 | + * This program is free software; you can redistribute it and/or modify | |
2030 | + * it under the terms of the GNU General Public License version 2 as | |
2031 | + * published by the Free Software Foundation. | |
2032 | + */ | |
2033 | + | |
2034 | +/* | |
2035 | + * A sockopt of such quality has hardly ever been seen before on the open | |
2036 | + * market! This little beauty, hardly ever used: above 64, so it's | |
2037 | + * traditionally used for firewalling, not touched (even once!) by the | |
2038 | + * 2.0, 2.2 and 2.4 kernels! | |
2039 | + * | |
2040 | + * Comes with its own certificate of authenticity, valid anywhere in the | |
2041 | + * Free world! | |
2042 | + * | |
2043 | + * Rusty, 19.4.2000 | |
2044 | + */ | |
2045 | +#define SO_IP_SET 83 | |
2046 | + | |
2047 | +/* | |
2048 | + * Heavily modify by Joakim Axelsson 08.03.2002 | |
2049 | + * - Made it more modulebased | |
2050 | + * | |
2051 | + * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004 | |
2052 | + * - bindings added | |
2053 | + * - in order to "deal with" backward compatibility, renamed to ipset | |
2054 | + */ | |
2055 | + | |
2056 | +/* | |
2057 | + * Used so that the kernel module and ipset-binary can match their versions | |
2058 | + */ | |
2059 | +#define IP_SET_PROTOCOL_VERSION 2 | |
2060 | + | |
2061 | +#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */ | |
2062 | + | |
2063 | +/* Lets work with our own typedef for representing an IP address. | |
2064 | + * We hope to make the code more portable, possibly to IPv6... | |
2065 | + * | |
2066 | + * The representation works in HOST byte order, because most set types | |
2067 | + * will perform arithmetic operations and compare operations. | |
2068 | + * | |
2069 | + * For now the type is an uint32_t. | |
2070 | + * | |
2071 | + * Make sure to ONLY use the functions when translating and parsing | |
2072 | + * in order to keep the host byte order and make it more portable: | |
2073 | + * parse_ip() | |
2074 | + * parse_mask() | |
2075 | + * parse_ipandmask() | |
2076 | + * ip_tostring() | |
2077 | + * (Joakim: where are they???) | |
2078 | + */ | |
2079 | + | |
2080 | +typedef uint32_t ip_set_ip_t; | |
2081 | + | |
2082 | +/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t | |
2083 | + * and IP_SET_INVALID_ID if you want to increase the max number of sets. | |
2084 | + */ | |
2085 | +typedef uint16_t ip_set_id_t; | |
2086 | + | |
2087 | +#define IP_SET_INVALID_ID 65535 | |
2088 | + | |
2089 | +/* How deep we follow bindings */ | |
2090 | +#define IP_SET_MAX_BINDINGS 6 | |
2091 | + | |
2092 | +/* | |
2093 | + * Option flags for kernel operations (ipt_set_info) | |
2094 | + */ | |
2095 | +#define IPSET_SRC 0x01 /* Source match/add */ | |
2096 | +#define IPSET_DST 0x02 /* Destination match/add */ | |
2097 | +#define IPSET_MATCH_INV 0x04 /* Inverse matching */ | |
2098 | + | |
2099 | +/* | |
2100 | + * Set types (flavours) | |
2101 | + */ | |
2102 | +#define IPSET_TYPE_IP 0 /* IP address type of set */ | |
2103 | +#define IPSET_TYPE_PORT 1 /* Port type of set */ | |
2104 | + | |
2105 | +/* Reserved keywords */ | |
2106 | +#define IPSET_TOKEN_DEFAULT ":default:" | |
2107 | +#define IPSET_TOKEN_ALL ":all:" | |
2108 | + | |
2109 | +/* SO_IP_SET operation constants, and their request struct types. | |
2110 | + * | |
2111 | + * Operation ids: | |
2112 | + * 0-99: commands with version checking | |
2113 | + * 100-199: add/del/test/bind/unbind | |
2114 | + * 200-299: list, save, restore | |
2115 | + */ | |
2116 | + | |
2117 | +/* Single shot operations: | |
2118 | + * version, create, destroy, flush, rename and swap | |
2119 | + * | |
2120 | + * Sets are identified by name. | |
2121 | + */ | |
2122 | + | |
2123 | +#define IP_SET_REQ_STD \ | |
2124 | + unsigned op; \ | |
2125 | + unsigned version; \ | |
2126 | + char name[IP_SET_MAXNAMELEN] | |
2127 | + | |
2128 | +#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */ | |
2129 | +struct ip_set_req_create { | |
2130 | + IP_SET_REQ_STD; | |
2131 | + char typename[IP_SET_MAXNAMELEN]; | |
2132 | +}; | |
2133 | + | |
2134 | +#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */ | |
2135 | +struct ip_set_req_std { | |
2136 | + IP_SET_REQ_STD; | |
2137 | +}; | |
2138 | + | |
2139 | +#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */ | |
2140 | +/* Uses ip_set_req_std */ | |
2141 | + | |
2142 | +#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */ | |
2143 | +/* Uses ip_set_req_create */ | |
2144 | + | |
2145 | +#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */ | |
2146 | +/* Uses ip_set_req_create */ | |
2147 | + | |
2148 | +union ip_set_name_index { | |
2149 | + char name[IP_SET_MAXNAMELEN]; | |
2150 | + ip_set_id_t index; | |
2151 | +}; | |
2152 | + | |
2153 | +#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ | |
2154 | +struct ip_set_req_get_set { | |
2155 | + unsigned op; | |
2156 | + unsigned version; | |
2157 | + union ip_set_name_index set; | |
2158 | +}; | |
2159 | + | |
2160 | +#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ | |
2161 | +/* Uses ip_set_req_get_set */ | |
2162 | + | |
2163 | +#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ | |
2164 | +struct ip_set_req_version { | |
2165 | + unsigned op; | |
2166 | + unsigned version; | |
2167 | +}; | |
2168 | + | |
2169 | +/* Double shots operations: | |
2170 | + * add, del, test, bind and unbind. | |
2171 | + * | |
2172 | + * First we query the kernel to get the index and type of the target set, | |
2173 | + * then issue the command. Validity of IP is checked in kernel in order | |
2174 | + * to minimalize sockopt operations. | |
2175 | + */ | |
2176 | + | |
2177 | +/* Get minimal set data for add/del/test/bind/unbind IP */ | |
2178 | +#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */ | |
2179 | +struct ip_set_req_adt_get { | |
2180 | + unsigned op; | |
2181 | + unsigned version; | |
2182 | + union ip_set_name_index set; | |
2183 | + char typename[IP_SET_MAXNAMELEN]; | |
2184 | +}; | |
2185 | + | |
2186 | +#define IP_SET_REQ_BYINDEX \ | |
2187 | + unsigned op; \ | |
2188 | + ip_set_id_t index; | |
2189 | + | |
2190 | +struct ip_set_req_adt { | |
2191 | + IP_SET_REQ_BYINDEX; | |
2192 | +}; | |
2193 | + | |
2194 | +#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */ | |
2195 | +/* Uses ip_set_req_adt, with type specific addage */ | |
2196 | + | |
2197 | +#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */ | |
2198 | +/* Uses ip_set_req_adt, with type specific addage */ | |
2199 | + | |
2200 | +#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */ | |
2201 | +/* Uses ip_set_req_adt, with type specific addage */ | |
2202 | + | |
2203 | +#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */ | |
2204 | +/* Uses ip_set_req_bind, with type specific addage */ | |
2205 | +struct ip_set_req_bind { | |
2206 | + IP_SET_REQ_BYINDEX; | |
2207 | + char binding[IP_SET_MAXNAMELEN]; | |
2208 | +}; | |
2209 | + | |
2210 | +#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */ | |
2211 | +/* Uses ip_set_req_bind, with type speficic addage | |
2212 | + * index = 0 means unbinding for all sets */ | |
2213 | + | |
2214 | +#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */ | |
2215 | +/* Uses ip_set_req_bind, with type specific addage */ | |
2216 | + | |
2217 | +/* Multiple shots operations: list, save, restore. | |
2218 | + * | |
2219 | + * - check kernel version and query the max number of sets | |
2220 | + * - get the basic information on all sets | |
2221 | + * and size required for the next step | |
2222 | + * - get actual set data: header, data, bindings | |
2223 | + */ | |
2224 | + | |
2225 | +/* Get max_sets and the index of a queried set | |
2226 | + */ | |
2227 | +#define IP_SET_OP_MAX_SETS 0x00000020 | |
2228 | +struct ip_set_req_max_sets { | |
2229 | + unsigned op; | |
2230 | + unsigned version; | |
2231 | + ip_set_id_t max_sets; /* max_sets */ | |
2232 | + ip_set_id_t sets; /* real number of sets */ | |
2233 | + union ip_set_name_index set; /* index of set if name used */ | |
2234 | +}; | |
2235 | + | |
2236 | +/* Get the id and name of the sets plus size for next step */ | |
2237 | +#define IP_SET_OP_LIST_SIZE 0x00000201 | |
2238 | +#define IP_SET_OP_SAVE_SIZE 0x00000202 | |
2239 | +struct ip_set_req_setnames { | |
2240 | + unsigned op; | |
2241 | + ip_set_id_t index; /* set to list/save */ | |
2242 | + size_t size; /* size to get setdata/bindings */ | |
2243 | + /* followed by sets number of struct ip_set_name_list */ | |
2244 | +}; | |
2245 | + | |
2246 | +struct ip_set_name_list { | |
2247 | + char name[IP_SET_MAXNAMELEN]; | |
2248 | + char typename[IP_SET_MAXNAMELEN]; | |
2249 | + ip_set_id_t index; | |
2250 | + ip_set_id_t id; | |
2251 | +}; | |
2252 | + | |
2253 | +/* The actual list operation */ | |
2254 | +#define IP_SET_OP_LIST 0x00000203 | |
2255 | +struct ip_set_req_list { | |
2256 | + IP_SET_REQ_BYINDEX; | |
2257 | + /* sets number of struct ip_set_list in reply */ | |
2258 | +}; | |
2259 | + | |
2260 | +struct ip_set_list { | |
2261 | + ip_set_id_t index; | |
2262 | + ip_set_id_t binding; | |
2263 | + u_int32_t ref; | |
2264 | + size_t header_size; /* Set header data of header_size */ | |
2265 | + size_t members_size; /* Set members data of members_size */ | |
2266 | + size_t bindings_size; /* Set bindings data of bindings_size */ | |
2267 | +}; | |
2268 | + | |
2269 | +struct ip_set_hash_list { | |
2270 | + ip_set_ip_t ip; | |
2271 | + ip_set_id_t binding; | |
2272 | +}; | |
2273 | + | |
2274 | +/* The save operation */ | |
2275 | +#define IP_SET_OP_SAVE 0x00000204 | |
2276 | +/* Uses ip_set_req_list, in the reply replaced by | |
2277 | + * sets number of struct ip_set_save plus a marker | |
2278 | + * ip_set_save followed by ip_set_hash_save structures. | |
2279 | + */ | |
2280 | +struct ip_set_save { | |
2281 | + ip_set_id_t index; | |
2282 | + ip_set_id_t binding; | |
2283 | + size_t header_size; /* Set header data of header_size */ | |
2284 | + size_t members_size; /* Set members data of members_size */ | |
2285 | +}; | |
2286 | + | |
2287 | +/* At restoring, ip == 0 means default binding for the given set: */ | |
2288 | +struct ip_set_hash_save { | |
2289 | + ip_set_ip_t ip; | |
2290 | + ip_set_id_t id; | |
2291 | + ip_set_id_t binding; | |
2292 | +}; | |
2293 | + | |
2294 | +/* The restore operation */ | |
2295 | +#define IP_SET_OP_RESTORE 0x00000205 | |
2296 | +/* Uses ip_set_req_setnames followed by ip_set_restore structures | |
2297 | + * plus a marker ip_set_restore, followed by ip_set_hash_save | |
2298 | + * structures. | |
2299 | + */ | |
2300 | +struct ip_set_restore { | |
2301 | + char name[IP_SET_MAXNAMELEN]; | |
2302 | + char typename[IP_SET_MAXNAMELEN]; | |
2303 | + ip_set_id_t index; | |
2304 | + size_t header_size; /* Create data of header_size */ | |
2305 | + size_t members_size; /* Set members data of members_size */ | |
2306 | +}; | |
2307 | + | |
2308 | +static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b) | |
2309 | +{ | |
2310 | + return 4 * ((((b - a + 8) / 8) + 3) / 4); | |
2311 | +} | |
2312 | + | |
c558041a PS |
2313 | +#ifdef __KERNEL__ |
2314 | + | |
2315 | +#define ip_set_printk(format, args...) \ | |
2316 | + do { \ | |
2317 | + printk("%s: %s: ", __FILE__, __FUNCTION__); \ | |
2318 | + printk(format "\n" , ## args); \ | |
2319 | + } while (0) | |
2320 | + | |
2321 | +#if defined(IP_SET_DEBUG) | |
2322 | +#define DP(format, args...) \ | |
2323 | + do { \ | |
2324 | + printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\ | |
2325 | + printk(format "\n" , ## args); \ | |
2326 | + } while (0) | |
2327 | +#define IP_SET_ASSERT(x) \ | |
2328 | + do { \ | |
2329 | + if (!(x)) \ | |
2330 | + printk("IP_SET_ASSERT: %s:%i(%s)\n", \ | |
2331 | + __FILE__, __LINE__, __FUNCTION__); \ | |
2332 | + } while (0) | |
2333 | +#else | |
2334 | +#define DP(format, args...) | |
2335 | +#define IP_SET_ASSERT(x) | |
2336 | +#endif | |
2337 | + | |
2338 | +struct ip_set; | |
2339 | + | |
2340 | +/* | |
2341 | + * The ip_set_type definition - one per set type, e.g. "ipmap". | |
2342 | + * | |
2343 | + * Each individual set has a pointer, set->type, going to one | |
2344 | + * of these structures. Function pointers inside the structure implement | |
2345 | + * the real behaviour of the sets. | |
2346 | + * | |
2347 | + * If not mentioned differently, the implementation behind the function | |
2348 | + * pointers of a set_type, is expected to return 0 if ok, and a negative | |
2349 | + * errno (e.g. -EINVAL) on error. | |
2350 | + */ | |
2351 | +struct ip_set_type { | |
2352 | + struct list_head list; /* next in list of set types */ | |
2353 | + | |
2354 | + /* test for IP in set (kernel: iptables -m set src|dst) | |
2355 | + * return 0 if not in set, 1 if in set. | |
2356 | + */ | |
2357 | + int (*testip_kernel) (struct ip_set *set, | |
2358 | + const struct sk_buff * skb, | |
2359 | + u_int32_t flags, | |
2360 | + ip_set_ip_t *ip); | |
2361 | + | |
2362 | + /* test for IP in set (userspace: ipset -T set IP) | |
2363 | + * return 0 if not in set, 1 if in set. | |
2364 | + */ | |
2365 | + int (*testip) (struct ip_set *set, | |
2366 | + const void *data, size_t size, | |
2367 | + ip_set_ip_t *ip); | |
2368 | + | |
2369 | + /* | |
2370 | + * Size of the data structure passed by when | |
2371 | + * adding/deletin/testing an entry. | |
2372 | + */ | |
2373 | + size_t reqsize; | |
2374 | + | |
2375 | + /* Add IP into set (userspace: ipset -A set IP) | |
2376 | + * Return -EEXIST if the address is already in the set, | |
2377 | + * and -ERANGE if the address lies outside the set bounds. | |
2378 | + * If the address was not already in the set, 0 is returned. | |
2379 | + */ | |
2380 | + int (*addip) (struct ip_set *set, | |
2381 | + const void *data, size_t size, | |
2382 | + ip_set_ip_t *ip); | |
2383 | + | |
2384 | + /* Add IP into set (kernel: iptables ... -j SET set src|dst) | |
2385 | + * Return -EEXIST if the address is already in the set, | |
2386 | + * and -ERANGE if the address lies outside the set bounds. | |
2387 | + * If the address was not already in the set, 0 is returned. | |
2388 | + */ | |
2389 | + int (*addip_kernel) (struct ip_set *set, | |
2390 | + const struct sk_buff * skb, | |
2391 | + u_int32_t flags, | |
2392 | + ip_set_ip_t *ip); | |
2393 | + | |
2394 | + /* remove IP from set (userspace: ipset -D set --entry x) | |
2395 | + * Return -EEXIST if the address is NOT in the set, | |
2396 | + * and -ERANGE if the address lies outside the set bounds. | |
2397 | + * If the address really was in the set, 0 is returned. | |
2398 | + */ | |
2399 | + int (*delip) (struct ip_set *set, | |
2400 | + const void *data, size_t size, | |
2401 | + ip_set_ip_t *ip); | |
2402 | + | |
2403 | + /* remove IP from set (kernel: iptables ... -j SET --entry x) | |
2404 | + * Return -EEXIST if the address is NOT in the set, | |
2405 | + * and -ERANGE if the address lies outside the set bounds. | |
2406 | + * If the address really was in the set, 0 is returned. | |
2407 | + */ | |
2408 | + int (*delip_kernel) (struct ip_set *set, | |
2409 | + const struct sk_buff * skb, | |
2410 | + u_int32_t flags, | |
2411 | + ip_set_ip_t *ip); | |
2412 | + | |
2413 | + /* new set creation - allocated type specific items | |
2414 | + */ | |
2415 | + int (*create) (struct ip_set *set, | |
2416 | + const void *data, size_t size); | |
2417 | + | |
2418 | + /* retry the operation after successfully tweaking the set | |
2419 | + */ | |
2420 | + int (*retry) (struct ip_set *set); | |
2421 | + | |
2422 | + /* set destruction - free type specific items | |
2423 | + * There is no return value. | |
2424 | + * Can be called only when child sets are destroyed. | |
2425 | + */ | |
2426 | + void (*destroy) (struct ip_set *set); | |
2427 | + | |
2428 | + /* set flushing - reset all bits in the set, or something similar. | |
2429 | + * There is no return value. | |
2430 | + */ | |
2431 | + void (*flush) (struct ip_set *set); | |
2432 | + | |
2433 | + /* Listing: size needed for header | |
2434 | + */ | |
2435 | + size_t header_size; | |
2436 | + | |
2437 | + /* Listing: Get the header | |
2438 | + * | |
2439 | + * Fill in the information in "data". | |
2440 | + * This function is always run after list_header_size() under a | |
2441 | + * writelock on the set. Therefor is the length of "data" always | |
2442 | + * correct. | |
2443 | + */ | |
2444 | + void (*list_header) (const struct ip_set *set, | |
2445 | + void *data); | |
2446 | + | |
2447 | + /* Listing: Get the size for the set members | |
2448 | + */ | |
2449 | + int (*list_members_size) (const struct ip_set *set); | |
2450 | + | |
2451 | + /* Listing: Get the set members | |
2452 | + * | |
2453 | + * Fill in the information in "data". | |
2454 | + * This function is always run after list_member_size() under a | |
2455 | + * writelock on the set. Therefor is the length of "data" always | |
2456 | + * correct. | |
2457 | + */ | |
2458 | + void (*list_members) (const struct ip_set *set, | |
2459 | + void *data); | |
2460 | + | |
2461 | + char typename[IP_SET_MAXNAMELEN]; | |
2462 | + char typecode; | |
2463 | + int protocol_version; | |
2464 | + | |
2465 | + /* Set this to THIS_MODULE if you are a module, otherwise NULL */ | |
2466 | + struct module *me; | |
2467 | +}; | |
2468 | + | |
2469 | +extern int ip_set_register_set_type(struct ip_set_type *set_type); | |
2470 | +extern void ip_set_unregister_set_type(struct ip_set_type *set_type); | |
2471 | + | |
2472 | +/* A generic ipset */ | |
2473 | +struct ip_set { | |
2474 | + char name[IP_SET_MAXNAMELEN]; /* the name of the set */ | |
2475 | + rwlock_t lock; /* lock for concurrency control */ | |
2476 | + ip_set_id_t id; /* set id for swapping */ | |
2477 | + ip_set_id_t binding; /* default binding for the set */ | |
2478 | + atomic_t ref; /* in kernel and in hash references */ | |
2479 | + struct ip_set_type *type; /* the set types */ | |
2480 | + void *data; /* pooltype specific data */ | |
2481 | +}; | |
2482 | + | |
2483 | +/* Structure to bind set elements to sets */ | |
2484 | +struct ip_set_hash { | |
2485 | + struct list_head list; /* list of clashing entries in hash */ | |
2486 | + ip_set_ip_t ip; /* ip from set */ | |
2487 | + ip_set_id_t id; /* set id */ | |
2488 | + ip_set_id_t binding; /* set we bind the element to */ | |
2489 | +}; | |
2490 | + | |
2491 | +/* register and unregister set references */ | |
2492 | +extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]); | |
2493 | +extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id); | |
2494 | +extern void ip_set_put(ip_set_id_t id); | |
2495 | + | |
2496 | +/* API for iptables set match, and SET target */ | |
2497 | +extern void ip_set_addip_kernel(ip_set_id_t id, | |
2498 | + const struct sk_buff *skb, | |
2499 | + const u_int32_t *flags); | |
2500 | +extern void ip_set_delip_kernel(ip_set_id_t id, | |
2501 | + const struct sk_buff *skb, | |
2502 | + const u_int32_t *flags); | |
2503 | +extern int ip_set_testip_kernel(ip_set_id_t id, | |
2504 | + const struct sk_buff *skb, | |
2505 | + const u_int32_t *flags); | |
2506 | + | |
2507 | +#endif /* __KERNEL__ */ | |
2508 | + | |
014436e1 | 2509 | +#endif /*_IP_SET_H*/ |
ae95cca4 PS |
2510 | diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iphash.h include/linux/netfilter_ipv4/ip_set_iphash.h |
2511 | --- include.orig/linux/netfilter_ipv4/ip_set_iphash.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 2512 | +++ include/linux/netfilter_ipv4/ip_set_iphash.h 2005-08-02 20:02:17.803233104 +0200 |
014436e1 PS |
2513 | @@ -0,0 +1,30 @@ |
2514 | +#ifndef __IP_SET_IPHASH_H | |
2515 | +#define __IP_SET_IPHASH_H | |
2516 | + | |
2517 | +#include <linux/netfilter_ipv4/ip_set.h> | |
2518 | + | |
2519 | +#define SETTYPE_NAME "iphash" | |
2520 | +#define MAX_RANGE 0x0000FFFF | |
2521 | + | |
2522 | +struct ip_set_iphash { | |
2523 | + ip_set_ip_t *members; /* the iphash proper */ | |
2524 | + uint32_t initval; /* initval for jhash_1word */ | |
2525 | + uint32_t prime; /* prime for double hashing */ | |
2526 | + uint32_t hashsize; /* hash size */ | |
2527 | + uint16_t probes; /* max number of probes */ | |
2528 | + uint16_t resize; /* resize factor in percent */ | |
2529 | + ip_set_ip_t netmask; /* netmask */ | |
2530 | +}; | |
2531 | + | |
2532 | +struct ip_set_req_iphash_create { | |
2533 | + uint32_t hashsize; | |
2534 | + uint16_t probes; | |
2535 | + uint16_t resize; | |
2536 | + ip_set_ip_t netmask; | |
2537 | +}; | |
2538 | + | |
2539 | +struct ip_set_req_iphash { | |
2540 | + ip_set_ip_t ip; | |
2541 | +}; | |
2542 | + | |
2543 | +#endif /* __IP_SET_IPHASH_H */ | |
ae95cca4 PS |
2544 | diff -uNr include.orig/linux/netfilter_ipv4/ip_set_ipmap.h include/linux/netfilter_ipv4/ip_set_ipmap.h |
2545 | --- include.orig/linux/netfilter_ipv4/ip_set_ipmap.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 2546 | +++ include/linux/netfilter_ipv4/ip_set_ipmap.h 2005-08-02 20:02:17.763239184 +0200 |
014436e1 PS |
2547 | @@ -0,0 +1,56 @@ |
2548 | +#ifndef __IP_SET_IPMAP_H | |
2549 | +#define __IP_SET_IPMAP_H | |
2550 | + | |
2551 | +#include <linux/netfilter_ipv4/ip_set.h> | |
2552 | + | |
2553 | +#define SETTYPE_NAME "ipmap" | |
2554 | +#define MAX_RANGE 0x0000FFFF | |
2555 | + | |
2556 | +struct ip_set_ipmap { | |
2557 | + void *members; /* the ipmap proper */ | |
2558 | + ip_set_ip_t first_ip; /* host byte order, included in range */ | |
2559 | + ip_set_ip_t last_ip; /* host byte order, included in range */ | |
2560 | + ip_set_ip_t netmask; /* subnet netmask */ | |
2561 | + ip_set_ip_t sizeid; /* size of set in IPs */ | |
2562 | + u_int16_t hosts; /* number of hosts in a subnet */ | |
2563 | +}; | |
2564 | + | |
2565 | +struct ip_set_req_ipmap_create { | |
2566 | + ip_set_ip_t from; | |
2567 | + ip_set_ip_t to; | |
2568 | + ip_set_ip_t netmask; | |
2569 | +}; | |
2570 | + | |
2571 | +struct ip_set_req_ipmap { | |
2572 | + ip_set_ip_t ip; | |
2573 | +}; | |
2574 | + | |
2575 | +unsigned int | |
2576 | +mask_to_bits(ip_set_ip_t mask) | |
2577 | +{ | |
2578 | + unsigned int bits = 32; | |
2579 | + ip_set_ip_t maskaddr; | |
2580 | + | |
2581 | + if (mask == 0xFFFFFFFF) | |
2582 | + return bits; | |
2583 | + | |
2584 | + maskaddr = 0xFFFFFFFE; | |
2585 | + while (--bits >= 0 && maskaddr != mask) | |
2586 | + maskaddr <<= 1; | |
2587 | + | |
2588 | + return bits; | |
2589 | +} | |
2590 | + | |
2591 | +ip_set_ip_t | |
2592 | +range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits) | |
2593 | +{ | |
2594 | + ip_set_ip_t mask = 0xFFFFFFFE; | |
2595 | + | |
2596 | + *bits = 32; | |
2597 | + while (--(*bits) >= 0 && mask && (to & mask) != from) | |
2598 | + mask <<= 1; | |
2599 | + | |
2600 | + return mask; | |
2601 | +} | |
2602 | + | |
2603 | +#endif /* __IP_SET_IPMAP_H */ | |
ae95cca4 PS |
2604 | diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iptree.h include/linux/netfilter_ipv4/ip_set_iptree.h |
2605 | --- include.orig/linux/netfilter_ipv4/ip_set_iptree.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
2606 | +++ include/linux/netfilter_ipv4/ip_set_iptree.h 2005-08-02 20:02:17.810232040 +0200 |
2607 | @@ -0,0 +1,39 @@ | |
ae95cca4 PS |
2608 | +#ifndef __IP_SET_IPTREE_H |
2609 | +#define __IP_SET_IPTREE_H | |
2610 | + | |
2611 | +#include <linux/netfilter_ipv4/ip_set.h> | |
2612 | + | |
2613 | +#define SETTYPE_NAME "iptree" | |
2614 | +#define MAX_RANGE 0x0000FFFF | |
2615 | + | |
2616 | +struct ip_set_iptreed { | |
2617 | + unsigned long expires[255]; /* x.x.x.ADDR */ | |
2618 | +}; | |
2619 | + | |
2620 | +struct ip_set_iptreec { | |
2621 | + struct ip_set_iptreed *tree[255]; /* x.x.ADDR.* */ | |
2622 | +}; | |
2623 | + | |
2624 | +struct ip_set_iptreeb { | |
2625 | + struct ip_set_iptreec *tree[255]; /* x.ADDR.*.* */ | |
2626 | +}; | |
2627 | + | |
2628 | +struct ip_set_iptree { | |
2629 | + unsigned int timeout; | |
2630 | + unsigned int gc_interval; | |
c558041a PS |
2631 | +#ifdef __KERNEL__ |
2632 | + struct timer_list gc; | |
2633 | + struct ip_set_iptreeb *tree[255]; /* ADDR.*.*.* */ | |
2634 | +#endif | |
ae95cca4 PS |
2635 | +}; |
2636 | + | |
2637 | +struct ip_set_req_iptree_create { | |
2638 | + unsigned int timeout; | |
2639 | +}; | |
2640 | + | |
2641 | +struct ip_set_req_iptree { | |
2642 | + ip_set_ip_t ip; | |
2643 | + unsigned int timeout; | |
2644 | +}; | |
2645 | + | |
2646 | +#endif /* __IP_SET_IPTREE_H */ | |
2647 | diff -uNr include.orig/linux/netfilter_ipv4/ip_set_jhash.h include/linux/netfilter_ipv4/ip_set_jhash.h | |
2648 | --- include.orig/linux/netfilter_ipv4/ip_set_jhash.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 2649 | +++ include/linux/netfilter_ipv4/ip_set_jhash.h 2005-08-02 20:02:17.758239944 +0200 |
014436e1 PS |
2650 | @@ -0,0 +1,148 @@ |
2651 | +#ifndef _LINUX_IPSET_JHASH_H | |
2652 | +#define _LINUX_IPSET_JHASH_H | |
2653 | + | |
2654 | +/* This is a copy of linux/jhash.h but the types u32/u8 are changed | |
2655 | + * to __u32/__u8 so that the header file can be included into | |
2656 | + * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu) | |
2657 | + */ | |
2658 | + | |
2659 | +/* jhash.h: Jenkins hash support. | |
2660 | + * | |
2661 | + * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net) | |
2662 | + * | |
2663 | + * http://burtleburtle.net/bob/hash/ | |
2664 | + * | |
2665 | + * These are the credits from Bob's sources: | |
2666 | + * | |
2667 | + * lookup2.c, by Bob Jenkins, December 1996, Public Domain. | |
2668 | + * hash(), hash2(), hash3, and mix() are externally useful functions. | |
2669 | + * Routines to test the hash are included if SELF_TEST is defined. | |
2670 | + * You can use this free for any purpose. It has no warranty. | |
2671 | + * | |
2672 | + * Copyright (C) 2003 David S. Miller (davem@redhat.com) | |
2673 | + * | |
2674 | + * I've modified Bob's hash to be useful in the Linux kernel, and | |
2675 | + * any bugs present are surely my fault. -DaveM | |
2676 | + */ | |
2677 | + | |
2678 | +/* NOTE: Arguments are modified. */ | |
2679 | +#define __jhash_mix(a, b, c) \ | |
2680 | +{ \ | |
2681 | + a -= b; a -= c; a ^= (c>>13); \ | |
2682 | + b -= c; b -= a; b ^= (a<<8); \ | |
2683 | + c -= a; c -= b; c ^= (b>>13); \ | |
2684 | + a -= b; a -= c; a ^= (c>>12); \ | |
2685 | + b -= c; b -= a; b ^= (a<<16); \ | |
2686 | + c -= a; c -= b; c ^= (b>>5); \ | |
2687 | + a -= b; a -= c; a ^= (c>>3); \ | |
2688 | + b -= c; b -= a; b ^= (a<<10); \ | |
2689 | + c -= a; c -= b; c ^= (b>>15); \ | |
2690 | +} | |
2691 | + | |
2692 | +/* The golden ration: an arbitrary value */ | |
2693 | +#define JHASH_GOLDEN_RATIO 0x9e3779b9 | |
2694 | + | |
2695 | +/* The most generic version, hashes an arbitrary sequence | |
2696 | + * of bytes. No alignment or length assumptions are made about | |
2697 | + * the input key. | |
2698 | + */ | |
2699 | +static inline __u32 jhash(void *key, __u32 length, __u32 initval) | |
2700 | +{ | |
2701 | + __u32 a, b, c, len; | |
2702 | + __u8 *k = key; | |
2703 | + | |
2704 | + len = length; | |
2705 | + a = b = JHASH_GOLDEN_RATIO; | |
2706 | + c = initval; | |
2707 | + | |
2708 | + while (len >= 12) { | |
2709 | + a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24)); | |
2710 | + b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24)); | |
2711 | + c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24)); | |
2712 | + | |
2713 | + __jhash_mix(a,b,c); | |
2714 | + | |
2715 | + k += 12; | |
2716 | + len -= 12; | |
2717 | + } | |
2718 | + | |
2719 | + c += length; | |
2720 | + switch (len) { | |
2721 | + case 11: c += ((__u32)k[10]<<24); | |
2722 | + case 10: c += ((__u32)k[9]<<16); | |
2723 | + case 9 : c += ((__u32)k[8]<<8); | |
2724 | + case 8 : b += ((__u32)k[7]<<24); | |
2725 | + case 7 : b += ((__u32)k[6]<<16); | |
2726 | + case 6 : b += ((__u32)k[5]<<8); | |
2727 | + case 5 : b += k[4]; | |
2728 | + case 4 : a += ((__u32)k[3]<<24); | |
2729 | + case 3 : a += ((__u32)k[2]<<16); | |
2730 | + case 2 : a += ((__u32)k[1]<<8); | |
2731 | + case 1 : a += k[0]; | |
2732 | + }; | |
2733 | + | |
2734 | + __jhash_mix(a,b,c); | |
2735 | + | |
2736 | + return c; | |
2737 | +} | |
2738 | + | |
2739 | +/* A special optimized version that handles 1 or more of __u32s. | |
2740 | + * The length parameter here is the number of __u32s in the key. | |
2741 | + */ | |
2742 | +static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval) | |
2743 | +{ | |
2744 | + __u32 a, b, c, len; | |
2745 | + | |
2746 | + a = b = JHASH_GOLDEN_RATIO; | |
2747 | + c = initval; | |
2748 | + len = length; | |
2749 | + | |
2750 | + while (len >= 3) { | |
2751 | + a += k[0]; | |
2752 | + b += k[1]; | |
2753 | + c += k[2]; | |
2754 | + __jhash_mix(a, b, c); | |
2755 | + k += 3; len -= 3; | |
2756 | + } | |
2757 | + | |
2758 | + c += length * 4; | |
2759 | + | |
2760 | + switch (len) { | |
2761 | + case 2 : b += k[1]; | |
2762 | + case 1 : a += k[0]; | |
2763 | + }; | |
2764 | + | |
2765 | + __jhash_mix(a,b,c); | |
2766 | + | |
2767 | + return c; | |
2768 | +} | |
2769 | + | |
2770 | + | |
2771 | +/* A special ultra-optimized versions that knows they are hashing exactly | |
2772 | + * 3, 2 or 1 word(s). | |
2773 | + * | |
2774 | + * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally | |
2775 | + * done at the end is not done here. | |
2776 | + */ | |
2777 | +static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval) | |
2778 | +{ | |
2779 | + a += JHASH_GOLDEN_RATIO; | |
2780 | + b += JHASH_GOLDEN_RATIO; | |
2781 | + c += initval; | |
2782 | + | |
2783 | + __jhash_mix(a, b, c); | |
2784 | + | |
2785 | + return c; | |
2786 | +} | |
2787 | + | |
2788 | +static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval) | |
2789 | +{ | |
2790 | + return jhash_3words(a, b, 0, initval); | |
2791 | +} | |
2792 | + | |
2793 | +static inline __u32 jhash_1word(__u32 a, __u32 initval) | |
2794 | +{ | |
2795 | + return jhash_3words(a, 0, 0, initval); | |
2796 | +} | |
2797 | + | |
2798 | +#endif /* _LINUX_IPSET_JHASH_H */ | |
ae95cca4 PS |
2799 | diff -uNr include.orig/linux/netfilter_ipv4/ip_set_macipmap.h include/linux/netfilter_ipv4/ip_set_macipmap.h |
2800 | --- include.orig/linux/netfilter_ipv4/ip_set_macipmap.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 2801 | +++ include/linux/netfilter_ipv4/ip_set_macipmap.h 2005-08-02 20:02:17.776237208 +0200 |
014436e1 PS |
2802 | @@ -0,0 +1,38 @@ |
2803 | +#ifndef __IP_SET_MACIPMAP_H | |
2804 | +#define __IP_SET_MACIPMAP_H | |
2805 | + | |
2806 | +#include <linux/netfilter_ipv4/ip_set.h> | |
2807 | + | |
2808 | +#define SETTYPE_NAME "macipmap" | |
2809 | +#define MAX_RANGE 0x0000FFFF | |
2810 | + | |
2811 | +/* general flags */ | |
2812 | +#define IPSET_MACIP_MATCHUNSET 1 | |
2813 | + | |
2814 | +/* per ip flags */ | |
2815 | +#define IPSET_MACIP_ISSET 1 | |
2816 | + | |
2817 | +struct ip_set_macipmap { | |
2818 | + void *members; /* the macipmap proper */ | |
2819 | + ip_set_ip_t first_ip; /* host byte order, included in range */ | |
2820 | + ip_set_ip_t last_ip; /* host byte order, included in range */ | |
2821 | + u_int32_t flags; | |
2822 | +}; | |
2823 | + | |
2824 | +struct ip_set_req_macipmap_create { | |
2825 | + ip_set_ip_t from; | |
2826 | + ip_set_ip_t to; | |
2827 | + u_int32_t flags; | |
2828 | +}; | |
2829 | + | |
2830 | +struct ip_set_req_macipmap { | |
2831 | + ip_set_ip_t ip; | |
2832 | + unsigned char ethernet[ETH_ALEN]; | |
2833 | +}; | |
2834 | + | |
2835 | +struct ip_set_macip { | |
2836 | + unsigned short flags; | |
2837 | + unsigned char ethernet[ETH_ALEN]; | |
2838 | +}; | |
2839 | + | |
2840 | +#endif /* __IP_SET_MACIPMAP_H */ | |
ae95cca4 PS |
2841 | diff -uNr include.orig/linux/netfilter_ipv4/ip_set_malloc.h include/linux/netfilter_ipv4/ip_set_malloc.h |
2842 | --- include.orig/linux/netfilter_ipv4/ip_set_malloc.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
2843 | +++ include/linux/netfilter_ipv4/ip_set_malloc.h 2005-08-02 20:02:17.788235384 +0200 |
2844 | @@ -0,0 +1,34 @@ | |
014436e1 PS |
2845 | +#ifndef _IP_SET_MALLOC_H |
2846 | +#define _IP_SET_MALLOC_H | |
2847 | + | |
c558041a PS |
2848 | +#ifdef __KERNEL__ |
2849 | + | |
2850 | +/* Memory allocation and deallocation */ | |
2851 | +static size_t max_malloc_size = 0; | |
2852 | + | |
2853 | +static inline void init_max_malloc_size(void) | |
2854 | +{ | |
2855 | +#define CACHE(x) max_malloc_size = x; | |
2856 | +#include <linux/kmalloc_sizes.h> | |
2857 | +#undef CACHE | |
2858 | +} | |
2859 | + | |
2860 | +static inline void * ip_set_malloc(size_t bytes) | |
2861 | +{ | |
2862 | + if (bytes > max_malloc_size) | |
2863 | + return vmalloc(bytes); | |
2864 | + else | |
2865 | + return kmalloc(bytes, GFP_KERNEL); | |
2866 | +} | |
2867 | + | |
2868 | +static inline void ip_set_free(void * data, size_t bytes) | |
2869 | +{ | |
2870 | + if (bytes > max_malloc_size) | |
2871 | + vfree(data); | |
2872 | + else | |
2873 | + kfree(data); | |
2874 | +} | |
2875 | + | |
2876 | +#endif /* __KERNEL__ */ | |
2877 | + | |
014436e1 | 2878 | +#endif /*_IP_SET_MALLOC_H*/ |
ae95cca4 PS |
2879 | diff -uNr include.orig/linux/netfilter_ipv4/ip_set_nethash.h include/linux/netfilter_ipv4/ip_set_nethash.h |
2880 | --- include.orig/linux/netfilter_ipv4/ip_set_nethash.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
2881 | +++ include/linux/netfilter_ipv4/ip_set_nethash.h 2005-08-02 20:02:17.755240400 +0200 |
2882 | @@ -0,0 +1,55 @@ | |
014436e1 PS |
2883 | +#ifndef __IP_SET_NETHASH_H |
2884 | +#define __IP_SET_NETHASH_H | |
2885 | + | |
2886 | +#include <linux/netfilter_ipv4/ip_set.h> | |
2887 | + | |
2888 | +#define SETTYPE_NAME "nethash" | |
2889 | +#define MAX_RANGE 0x0000FFFF | |
2890 | + | |
2891 | +struct ip_set_nethash { | |
2892 | + ip_set_ip_t *members; /* the nethash proper */ | |
2893 | + uint32_t initval; /* initval for jhash_1word */ | |
2894 | + uint32_t prime; /* prime for double hashing */ | |
2895 | + uint32_t hashsize; /* hash size */ | |
2896 | + uint16_t probes; /* max number of probes */ | |
2897 | + uint16_t resize; /* resize factor in percent */ | |
2898 | + unsigned char cidr[30]; /* CIDR sizes */ | |
2899 | +}; | |
2900 | + | |
2901 | +struct ip_set_req_nethash_create { | |
2902 | + uint32_t hashsize; | |
2903 | + uint16_t probes; | |
2904 | + uint16_t resize; | |
2905 | +}; | |
2906 | + | |
2907 | +struct ip_set_req_nethash { | |
2908 | + ip_set_ip_t ip; | |
2909 | + unsigned char cidr; | |
2910 | +}; | |
2911 | + | |
ae95cca4 | 2912 | +static unsigned char shifts[] = {255, 253, 249, 241, 225, 193, 129, 1}; |
014436e1 PS |
2913 | + |
2914 | +static inline ip_set_ip_t | |
2915 | +pack(ip_set_ip_t ip, unsigned char cidr) | |
2916 | +{ | |
2917 | + ip_set_ip_t addr, *paddr = &addr; | |
2918 | + unsigned char n, t, *a; | |
2919 | + | |
2920 | + addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr)))); | |
c558041a PS |
2921 | +#ifdef __KERNEL__ |
2922 | + DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr); | |
2923 | +#endif | |
014436e1 PS |
2924 | + n = cidr / 8; |
2925 | + t = cidr % 8; | |
2926 | + a = &((unsigned char *)paddr)[n]; | |
2927 | + *a = *a /(1 << (8 - t)) + shifts[t]; | |
c558041a PS |
2928 | +#ifdef __KERNEL__ |
2929 | + DP("n: %u, t: %u, a: %u", n, t, *a); | |
2930 | + DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u", | |
2931 | + HIPQUAD(ip), cidr, NIPQUAD(addr)); | |
2932 | +#endif | |
014436e1 PS |
2933 | + |
2934 | + return ntohl(addr); | |
2935 | +} | |
2936 | + | |
2937 | +#endif /* __IP_SET_NETHASH_H */ | |
ae95cca4 PS |
2938 | diff -uNr include.orig/linux/netfilter_ipv4/ip_set_portmap.h include/linux/netfilter_ipv4/ip_set_portmap.h |
2939 | --- include.orig/linux/netfilter_ipv4/ip_set_portmap.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 2940 | +++ include/linux/netfilter_ipv4/ip_set_portmap.h 2005-08-02 20:02:17.772237816 +0200 |
014436e1 PS |
2941 | @@ -0,0 +1,25 @@ |
2942 | +#ifndef __IP_SET_PORTMAP_H | |
2943 | +#define __IP_SET_PORTMAP_H | |
2944 | + | |
2945 | +#include <linux/netfilter_ipv4/ip_set.h> | |
2946 | + | |
2947 | +#define SETTYPE_NAME "portmap" | |
2948 | +#define MAX_RANGE 0x0000FFFF | |
2949 | +#define INVALID_PORT (MAX_RANGE + 1) | |
2950 | + | |
2951 | +struct ip_set_portmap { | |
2952 | + void *members; /* the portmap proper */ | |
2953 | + ip_set_ip_t first_port; /* host byte order, included in range */ | |
2954 | + ip_set_ip_t last_port; /* host byte order, included in range */ | |
2955 | +}; | |
2956 | + | |
2957 | +struct ip_set_req_portmap_create { | |
2958 | + ip_set_ip_t from; | |
2959 | + ip_set_ip_t to; | |
2960 | +}; | |
2961 | + | |
2962 | +struct ip_set_req_portmap { | |
2963 | + ip_set_ip_t port; | |
2964 | +}; | |
2965 | + | |
2966 | +#endif /* __IP_SET_PORTMAP_H */ | |
ae95cca4 PS |
2967 | diff -uNr include.orig/linux/netfilter_ipv4/ip_set_prime.h include/linux/netfilter_ipv4/ip_set_prime.h |
2968 | --- include.orig/linux/netfilter_ipv4/ip_set_prime.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 2969 | +++ include/linux/netfilter_ipv4/ip_set_prime.h 2005-08-02 20:02:17.825229760 +0200 |
014436e1 PS |
2970 | @@ -0,0 +1,34 @@ |
2971 | +#ifndef __IP_SET_PRIME_H | |
2972 | +#define __IP_SET_PRIME_H | |
2973 | + | |
2974 | +static inline unsigned make_prime_bound(unsigned nr) | |
2975 | +{ | |
2976 | + unsigned long long nr64 = nr; | |
2977 | + unsigned long long x = 1; | |
2978 | + nr = 1; | |
2979 | + while (x <= nr64) { x <<= 2; nr <<= 1; } | |
2980 | + return nr; | |
2981 | +} | |
2982 | + | |
2983 | +static inline int make_prime_check(unsigned nr) | |
2984 | +{ | |
2985 | + unsigned x = 3; | |
2986 | + unsigned b = make_prime_bound(nr); | |
2987 | + while (x <= b) { | |
2988 | + if (0 == (nr % x)) return 0; | |
2989 | + x += 2; | |
2990 | + } | |
2991 | + return 1; | |
2992 | +} | |
2993 | + | |
2994 | +static unsigned make_prime(unsigned nr) | |
2995 | +{ | |
2996 | + if (0 == (nr & 1)) nr--; | |
2997 | + while (nr > 1) { | |
2998 | + if (make_prime_check(nr)) return nr; | |
2999 | + nr -= 2; | |
3000 | + } | |
3001 | + return 2; | |
3002 | +} | |
3003 | + | |
3004 | +#endif /* __IP_SET_PRIME_H */ | |
ae95cca4 | 3005 | diff -uNr include.orig/linux/netfilter_ipv4/ip_tables.h include/linux/netfilter_ipv4/ip_tables.h |
c558041a PS |
3006 | --- include.orig/linux/netfilter_ipv4/ip_tables.h 2005-07-06 02:17:20.000000000 +0200 |
3007 | +++ include/linux/netfilter_ipv4/ip_tables.h 2005-08-02 20:02:17.815231280 +0200 | |
ae95cca4 | 3008 | @@ -101,7 +101,8 @@ |
0fc89030 PS |
3009 | |
3010 | /* Values for "flag" field in struct ipt_ip (general ip structure). */ | |
3011 | #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ | |
3012 | -#define IPT_F_MASK 0x01 /* All possible flag bits mask. */ | |
3013 | +#define IPT_F_GOTO 0x02 /* Set if jump is a goto */ | |
3014 | +#define IPT_F_MASK 0x03 /* All possible flag bits mask. */ | |
3015 | ||
3016 | /* Values for "inv" field in struct ipt_ip. */ | |
3017 | #define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ | |
ae95cca4 PS |
3018 | @@ -148,12 +149,23 @@ |
3019 | #define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) | |
3020 | #define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS | |
3021 | ||
c558041a PS |
3022 | +#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (IPT_BASE_CTL + 3) |
3023 | +#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (IPT_BASE_CTL + 4) | |
3024 | +#define IPT_SO_SET_ACCOUNT_MAX IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL | |
ae95cca4 PS |
3025 | + |
3026 | #define IPT_SO_GET_INFO (IPT_BASE_CTL) | |
3027 | #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) | |
3028 | #define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2) | |
3029 | #define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) | |
3030 | #define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET | |
3031 | ||
c558041a PS |
3032 | +#define IPT_SO_GET_ACCOUNT_PREPARE_READ (IPT_BASE_CTL + 3) |
3033 | +#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (IPT_BASE_CTL + 4) | |
3034 | +#define IPT_SO_GET_ACCOUNT_GET_DATA (IPT_BASE_CTL + 5) | |
3035 | +#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (IPT_BASE_CTL + 6) | |
3036 | +#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (IPT_BASE_CTL + 7) | |
3037 | +#define IPT_SO_GET_ACCOUNT_MAX IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES | |
ae95cca4 PS |
3038 | + |
3039 | /* CONTINUE verdict for targets */ | |
3040 | #define IPT_CONTINUE 0xFFFFFFFF | |
3041 | ||
3042 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_account.h include/linux/netfilter_ipv4/ipt_account.h | |
3043 | --- include.orig/linux/netfilter_ipv4/ipt_account.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3044 | +++ include/linux/netfilter_ipv4/ipt_account.h 2005-08-02 20:02:17.786235688 +0200 |
0fc89030 | 3045 | @@ -0,0 +1,26 @@ |
4f894449 PS |
3046 | +/* |
3047 | + * accounting match (ipt_account.c) | |
0fc89030 | 3048 | + * (C) 2003,2004 by Piotr Gasidlo (quaker@barbara.eu.org) |
4f894449 | 3049 | + * |
0fc89030 | 3050 | + * Version: 0.1.7 |
4f894449 PS |
3051 | + * |
3052 | + * This software is distributed under the terms of GNU GPL | |
3053 | + */ | |
3054 | + | |
3055 | +#ifndef _IPT_ACCOUNT_H_ | |
3056 | +#define _IPT_ACCOUNT_H_ | |
3057 | + | |
3058 | +#define IPT_ACCOUNT_NAME_LEN 64 | |
3059 | + | |
0fc89030 PS |
3060 | +#define IPT_ACCOUNT_NAME "ipt_account" |
3061 | +#define IPT_ACCOUNT_VERSION "0.1.7" | |
3062 | + | |
4f894449 PS |
3063 | +struct t_ipt_account_info { |
3064 | + char name[IPT_ACCOUNT_NAME_LEN]; | |
3065 | + u_int32_t network; | |
3066 | + u_int32_t netmask; | |
0fc89030 | 3067 | + int shortlisting:1; |
4f894449 PS |
3068 | +}; |
3069 | + | |
3070 | +#endif | |
0fc89030 | 3071 | + |
ae95cca4 PS |
3072 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h include/linux/netfilter_ipv4/ipt_ACCOUNT.h |
3073 | --- include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3074 | +++ include/linux/netfilter_ipv4/ipt_ACCOUNT.h 2005-08-02 20:02:17.817230976 +0200 |
ae95cca4 PS |
3075 | @@ -0,0 +1,100 @@ |
3076 | +/*************************************************************************** | |
3077 | + * Copyright (C) 2004 by Intra2net AG * | |
3078 | + * opensource@intra2net.com * | |
3079 | + * * | |
3080 | + * This program is free software; you can redistribute it and/or modify * | |
3081 | + * it under the terms of the GNU General Public License * | |
3082 | + * version 2 as published by the Free Software Foundation; * | |
3083 | + * * | |
3084 | + ***************************************************************************/ | |
3085 | + | |
3086 | +#ifndef _IPT_ACCOUNT_H | |
3087 | +#define _IPT_ACCOUNT_H | |
3088 | + | |
3089 | +#define ACCOUNT_MAX_TABLES 32 | |
3090 | +#define ACCOUNT_TABLE_NAME_LEN 32 | |
3091 | +#define ACCOUNT_MAX_HANDLES 10 | |
3092 | + | |
3093 | +/* Structure for the userspace part of ipt_ACCOUNT */ | |
3094 | +struct ipt_acc_info { | |
3095 | + u_int32_t net_ip; | |
3096 | + u_int32_t net_mask; | |
3097 | + char table_name[ACCOUNT_TABLE_NAME_LEN]; | |
3098 | + int32_t table_nr; | |
3099 | +}; | |
3100 | + | |
3101 | +/* Internal table structure, generated by check_entry() */ | |
3102 | +struct ipt_acc_table { | |
3103 | + char name[ACCOUNT_TABLE_NAME_LEN]; /* name of the table */ | |
3104 | + u_int32_t ip; /* base IP of network */ | |
3105 | + u_int32_t netmask; /* netmask of the network */ | |
3106 | + unsigned char depth; /* size of network: | |
3107 | + 0: 8 bit, 1: 16bit, 2: 24 bit */ | |
3108 | + u_int32_t refcount; /* refcount of this table. | |
3109 | + if zero, destroy it */ | |
3110 | + u_int32_t itemcount; /* number of IPs in this table */ | |
3111 | + void *data; /* pointer to the actual data, | |
3112 | + depending on netmask */ | |
3113 | +}; | |
3114 | + | |
3115 | +/* Internal handle structure */ | |
3116 | +struct ipt_acc_handle { | |
3117 | + u_int32_t ip; /* base IP of network. Used for | |
3118 | + caculating the final IP during | |
3119 | + get_data() */ | |
3120 | + unsigned char depth; /* size of network. See above for | |
3121 | + details */ | |
3122 | + u_int32_t itemcount; /* number of IPs in this table */ | |
3123 | + void *data; /* pointer to the actual data, | |
3124 | + depending on size */ | |
3125 | +}; | |
3126 | + | |
3127 | +/* Handle structure for communication with the userspace library */ | |
3128 | +struct ipt_acc_handle_sockopt { | |
3129 | + u_int32_t handle_nr; /* Used for HANDLE_FREE */ | |
3130 | + char name[ACCOUNT_TABLE_NAME_LEN]; /* Used for HANDLE_PREPARE_READ/ | |
3131 | + HANDLE_READ_FLUSH */ | |
3132 | + u_int32_t itemcount; /* Used for HANDLE_PREPARE_READ/ | |
3133 | + HANDLE_READ_FLUSH */ | |
3134 | +}; | |
3135 | + | |
3136 | +/* Used for every IP entry | |
3137 | + Size is 16 bytes so that 256 (class C network) * 16 | |
3138 | + fits in one kernel (zero) page */ | |
3139 | +struct ipt_acc_ip { | |
3140 | + u_int32_t src_packets; | |
3141 | + u_int32_t src_bytes; | |
3142 | + u_int32_t dst_packets; | |
3143 | + u_int32_t dst_bytes; | |
3144 | +}; | |
3145 | + | |
3146 | +/* | |
3147 | + Used for every IP when returning data | |
3148 | +*/ | |
3149 | +struct ipt_acc_handle_ip { | |
3150 | + u_int32_t ip; | |
3151 | + u_int32_t src_packets; | |
3152 | + u_int32_t src_bytes; | |
3153 | + u_int32_t dst_packets; | |
3154 | + u_int32_t dst_bytes; | |
3155 | +}; | |
3156 | + | |
3157 | +/* | |
3158 | + The IPs are organized as an array so that direct slot | |
3159 | + calculations are possible. | |
3160 | + Only 8 bit networks are preallocated, 16/24 bit networks | |
3161 | + allocate their slots when needed -> very efficent. | |
3162 | +*/ | |
3163 | +struct ipt_acc_mask_24 { | |
3164 | + struct ipt_acc_ip ip[256]; | |
3165 | +}; | |
3166 | + | |
3167 | +struct ipt_acc_mask_16 { | |
3168 | + struct ipt_acc_mask_24 *mask_24[256]; | |
3169 | +}; | |
3170 | + | |
3171 | +struct ipt_acc_mask_8 { | |
3172 | + struct ipt_acc_mask_16 *mask_16[256]; | |
3173 | +}; | |
3174 | + | |
3175 | +#endif /*_IPT_ACCOUNT_H*/ | |
3176 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_addrtype.h include/linux/netfilter_ipv4/ipt_addrtype.h | |
3177 | --- include.orig/linux/netfilter_ipv4/ipt_addrtype.h 2004-10-31 20:56:02.000000000 +0100 | |
c558041a | 3178 | +++ include/linux/netfilter_ipv4/ipt_addrtype.h 2005-08-02 20:02:17.751241008 +0200 |
ae95cca4 PS |
3179 | @@ -4,8 +4,8 @@ |
3180 | struct ipt_addrtype_info { | |
3181 | u_int16_t source; /* source-type mask */ | |
3182 | u_int16_t dest; /* dest-type mask */ | |
3183 | - u_int32_t invert_source; | |
3184 | - u_int32_t invert_dest; | |
3185 | + int invert_source; | |
3186 | + int invert_dest; | |
3187 | }; | |
3188 | ||
3189 | #endif | |
3190 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h include/linux/netfilter_ipv4/ipt_CLUSTERIP.h | |
3191 | --- include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-01-08 15:03:55.000000000 +0100 | |
c558041a | 3192 | +++ include/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-08-02 20:02:17.832228696 +0200 |
ae95cca4 PS |
3193 | @@ -9,7 +9,7 @@ |
3194 | ||
3195 | #define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT | |
3196 | ||
3197 | -#define CLUSTERIP_MAX_NODES 16 | |
3198 | +#define CLUSTERIP_MAX_NODES 8 | |
3199 | ||
3200 | #define CLUSTERIP_FLAG_NEW 0x00000001 | |
3201 | ||
3202 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_connlimit.h include/linux/netfilter_ipv4/ipt_connlimit.h | |
3203 | --- include.orig/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3204 | +++ include/linux/netfilter_ipv4/ipt_connlimit.h 2005-08-02 20:02:17.723245264 +0200 |
ab88a259 PS |
3205 | @@ -0,0 +1,12 @@ |
3206 | +#ifndef _IPT_CONNLIMIT_H | |
3207 | +#define _IPT_CONNLIMIT_H | |
3208 | + | |
3209 | +struct ipt_connlimit_data; | |
3210 | + | |
3211 | +struct ipt_connlimit_info { | |
3212 | + int limit; | |
3213 | + int inverse; | |
3214 | + u_int32_t mask; | |
3215 | + struct ipt_connlimit_data *data; | |
3216 | +}; | |
3217 | +#endif /* _IPT_CONNLIMIT_H */ | |
ae95cca4 PS |
3218 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_fuzzy.h include/linux/netfilter_ipv4/ipt_fuzzy.h |
3219 | --- include.orig/linux/netfilter_ipv4/ipt_fuzzy.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3220 | +++ include/linux/netfilter_ipv4/ipt_fuzzy.h 2005-08-02 20:02:17.781236448 +0200 |
bab37e86 PS |
3221 | @@ -0,0 +1,21 @@ |
3222 | +#ifndef _IPT_FUZZY_H | |
3223 | +#define _IPT_FUZZY_H | |
3224 | + | |
3225 | +#include <linux/param.h> | |
3226 | +#include <linux/types.h> | |
3227 | + | |
3228 | +#define MAXFUZZYRATE 10000000 | |
3229 | +#define MINFUZZYRATE 3 | |
3230 | + | |
3231 | +struct ipt_fuzzy_info { | |
3232 | + u_int32_t minimum_rate; | |
3233 | + u_int32_t maximum_rate; | |
3234 | + u_int32_t packets_total; | |
3235 | + u_int32_t bytes_total; | |
3236 | + u_int32_t previous_time; | |
3237 | + u_int32_t present_time; | |
3238 | + u_int32_t mean_rate; | |
3239 | + u_int8_t acceptance_rate; | |
3240 | +}; | |
3241 | + | |
3242 | +#endif /*_IPT_FUZZY_H*/ | |
ae95cca4 PS |
3243 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_geoip.h include/linux/netfilter_ipv4/ipt_geoip.h |
3244 | --- include.orig/linux/netfilter_ipv4/ipt_geoip.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3245 | +++ include/linux/netfilter_ipv4/ipt_geoip.h 2005-08-02 20:02:17.769238272 +0200 |
014436e1 PS |
3246 | @@ -0,0 +1,50 @@ |
3247 | +/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c | |
3248 | + * | |
3249 | + * This program is free software; you can redistribute it and/or modify | |
3250 | + * it under the terms of the GNU General Public License as published by | |
3251 | + * the Free Software Foundation; either version 2 of the License, or | |
3252 | + * (at your option) any later version. | |
3253 | + * | |
3254 | + * Copyright (c) 2004 Cookinglinux | |
3255 | + */ | |
3256 | +#ifndef _IPT_GEOIP_H | |
3257 | +#define _IPT_GEOIP_H | |
3258 | + | |
3259 | +#define IPT_GEOIP_SRC 0x01 /* Perform check on Source IP */ | |
3260 | +#define IPT_GEOIP_DST 0x02 /* Perform check on Destination IP */ | |
3261 | +#define IPT_GEOIP_INV 0x04 /* Negate the condition */ | |
3262 | + | |
3263 | +#define IPT_GEOIP_MAX 15 /* Maximum of countries */ | |
3264 | + | |
3265 | +struct geoip_subnet { | |
3266 | + u_int32_t begin; | |
3267 | + u_int32_t end; | |
3268 | +}; | |
3269 | + | |
3270 | +struct geoip_info { | |
3271 | + struct geoip_subnet *subnets; | |
3272 | + u_int32_t count; | |
3273 | + u_int32_t ref; | |
3274 | + u_int16_t cc; | |
3275 | + struct geoip_info *next; | |
3276 | + struct geoip_info *prev; | |
3277 | +}; | |
3278 | + | |
3279 | +struct ipt_geoip_info { | |
3280 | + u_int8_t flags; | |
3281 | + u_int8_t count; | |
3282 | + u_int16_t cc[IPT_GEOIP_MAX]; | |
3283 | + | |
3284 | + /* Used internally by the kernel */ | |
3285 | + struct geoip_info *mem[IPT_GEOIP_MAX]; | |
3286 | + u_int8_t *refcount; | |
3287 | + | |
3288 | + /* not implemented yet: | |
3289 | + void *fini; | |
3290 | + */ | |
3291 | +}; | |
3292 | + | |
3293 | +#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF) | |
3294 | + | |
3295 | +#endif | |
3296 | + | |
ae95cca4 PS |
3297 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_IPMARK.h include/linux/netfilter_ipv4/ipt_IPMARK.h |
3298 | --- include.orig/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3299 | +++ include/linux/netfilter_ipv4/ipt_IPMARK.h 2005-08-02 20:02:17.756240248 +0200 |
bab37e86 PS |
3300 | @@ -0,0 +1,13 @@ |
3301 | +#ifndef _IPT_IPMARK_H_target | |
3302 | +#define _IPT_IPMARK_H_target | |
3303 | + | |
3304 | +struct ipt_ipmark_target_info { | |
3305 | + unsigned long andmask; | |
3306 | + unsigned long ormask; | |
3307 | + unsigned int addr; | |
3308 | +}; | |
3309 | + | |
3310 | +#define IPT_IPMARK_SRC 0 | |
3311 | +#define IPT_IPMARK_DST 1 | |
3312 | + | |
3313 | +#endif /*_IPT_IPMARK_H_target*/ | |
ae95cca4 PS |
3314 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipp2p.h include/linux/netfilter_ipv4/ipt_ipp2p.h |
3315 | --- include.orig/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3316 | +++ include/linux/netfilter_ipv4/ipt_ipp2p.h 2005-08-02 20:02:17.784235992 +0200 |
014436e1 PS |
3317 | @@ -0,0 +1,29 @@ |
3318 | +#ifndef __IPT_IPP2P_H | |
3319 | +#define __IPT_IPP2P_H | |
c558041a | 3320 | +#define IPP2P_VERSION "0.7.4" |
014436e1 PS |
3321 | + |
3322 | +struct ipt_p2p_info { | |
3323 | + int cmd; | |
3324 | + int debug; | |
3325 | +}; | |
3326 | + | |
3327 | +#endif //__IPT_IPP2P_H | |
3328 | + | |
3329 | +#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/ | |
3330 | +#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/ | |
3331 | +#define SHORT_HAND_NONE 5 /* no short hand*/ | |
3332 | + | |
3333 | +#define IPP2P_EDK 2 | |
3334 | +#define IPP2P_DATA_KAZAA 8 | |
3335 | +#define IPP2P_DATA_EDK 16 | |
3336 | +#define IPP2P_DATA_DC 32 | |
3337 | +#define IPP2P_DC 64 | |
3338 | +#define IPP2P_DATA_GNU 128 | |
3339 | +#define IPP2P_GNU 256 | |
3340 | +#define IPP2P_KAZAA 512 | |
3341 | +#define IPP2P_BIT 1024 | |
3342 | +#define IPP2P_APPLE 2048 | |
3343 | +#define IPP2P_SOUL 4096 | |
3344 | +#define IPP2P_WINMX 8192 | |
3345 | +#define IPP2P_ARES 16384 | |
3346 | + | |
ae95cca4 PS |
3347 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipv4options.h include/linux/netfilter_ipv4/ipt_ipv4options.h |
3348 | --- include.orig/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3349 | +++ include/linux/netfilter_ipv4/ipt_ipv4options.h 2005-08-02 20:02:17.733243744 +0200 |
bab37e86 PS |
3350 | @@ -0,0 +1,21 @@ |
3351 | +#ifndef __ipt_ipv4options_h_included__ | |
3352 | +#define __ipt_ipv4options_h_included__ | |
3353 | + | |
3354 | +#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */ | |
3355 | +#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */ | |
3356 | +#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */ | |
3357 | +#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */ | |
3358 | +#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10 | |
3359 | +#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */ | |
3360 | +#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40 | |
3361 | +#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */ | |
3362 | +#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100 | |
3363 | +#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */ | |
3364 | +#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */ | |
3365 | + | |
3366 | +struct ipt_ipv4options_info { | |
3367 | + u_int16_t options; | |
3368 | +}; | |
3369 | + | |
3370 | + | |
3371 | +#endif /* __ipt_ipv4options_h_included__ */ | |
ae95cca4 PS |
3372 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_layer7.h include/linux/netfilter_ipv4/ipt_layer7.h |
3373 | --- include.orig/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3374 | +++ include/linux/netfilter_ipv4/ipt_layer7.h 2005-08-02 20:02:17.736243288 +0200 |
ae95cca4 PS |
3375 | @@ -0,0 +1,26 @@ |
3376 | +/* | |
3377 | + By Matthew Strait <quadong@users.sf.net>, Dec 2003. | |
3378 | + http://l7-filter.sf.net | |
3379 | + | |
3380 | + This program is free software; you can redistribute it and/or | |
3381 | + modify it under the terms of the GNU General Public License | |
3382 | + as published by the Free Software Foundation; either version | |
3383 | + 2 of the License, or (at your option) any later version. | |
3384 | + http://www.gnu.org/licenses/gpl.txt | |
3385 | +*/ | |
3386 | + | |
3387 | +#ifndef _IPT_LAYER7_H | |
3388 | +#define _IPT_LAYER7_H | |
3389 | + | |
3390 | +#define MAX_PATTERN_LEN 8192 | |
3391 | +#define MAX_PROTOCOL_LEN 256 | |
3392 | + | |
3393 | +typedef char *(*proc_ipt_search) (char *, char, char *); | |
3394 | + | |
3395 | +struct ipt_layer7_info { | |
3396 | + char protocol[MAX_PROTOCOL_LEN]; | |
3397 | + char invert:1; | |
3398 | + char pattern[MAX_PATTERN_LEN]; | |
3399 | +}; | |
3400 | + | |
3401 | +#endif /* _IPT_LAYER7_H */ | |
3402 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_nth.h include/linux/netfilter_ipv4/ipt_nth.h | |
3403 | --- include.orig/linux/netfilter_ipv4/ipt_nth.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3404 | +++ include/linux/netfilter_ipv4/ipt_nth.h 2005-08-02 20:02:17.760239640 +0200 |
bab37e86 PS |
3405 | @@ -0,0 +1,19 @@ |
3406 | +#ifndef _IPT_NTH_H | |
3407 | +#define _IPT_NTH_H | |
3408 | + | |
3409 | +#include <linux/param.h> | |
3410 | +#include <linux/types.h> | |
3411 | + | |
3412 | +#ifndef IPT_NTH_NUM_COUNTERS | |
3413 | +#define IPT_NTH_NUM_COUNTERS 16 | |
3414 | +#endif | |
3415 | + | |
3416 | +struct ipt_nth_info { | |
3417 | + u_int8_t every; | |
3418 | + u_int8_t not; | |
3419 | + u_int8_t startat; | |
3420 | + u_int8_t counter; | |
3421 | + u_int8_t packet; | |
3422 | +}; | |
3423 | + | |
3424 | +#endif /*_IPT_NTH_H*/ | |
ae95cca4 PS |
3425 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_osf.h include/linux/netfilter_ipv4/ipt_osf.h |
3426 | --- include.orig/linux/netfilter_ipv4/ipt_osf.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a PS |
3427 | +++ include/linux/netfilter_ipv4/ipt_osf.h 2005-08-02 20:02:17.783236144 +0200 |
3428 | @@ -0,0 +1,151 @@ | |
0fc89030 PS |
3429 | +/* |
3430 | + * ipt_osf.h | |
3431 | + * | |
3432 | + * Copyright (c) 2003 Evgeniy Polyakov <johnpol@2ka.mipt.ru> | |
3433 | + * | |
3434 | + * | |
3435 | + * This program is free software; you can redistribute it and/or modify | |
3436 | + * it under the terms of the GNU General Public License as published by | |
3437 | + * the Free Software Foundation; either version 2 of the License, or | |
3438 | + * (at your option) any later version. | |
3439 | + * | |
3440 | + * This program is distributed in the hope that it will be useful, | |
3441 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
3442 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
3443 | + * GNU General Public License for more details. | |
3444 | + * | |
3445 | + * You should have received a copy of the GNU General Public License | |
3446 | + * along with this program; if not, write to the Free Software | |
3447 | + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
3448 | + */ | |
3449 | + | |
3450 | +#ifndef _IPT_OSF_H | |
3451 | +#define _IPT_OSF_H | |
3452 | + | |
3453 | +#define MAXGENRELEN 32 | |
3454 | +#define MAXDETLEN 64 | |
3455 | + | |
3456 | +#define IPT_OSF_GENRE 1 | |
3457 | +#define IPT_OSF_SMART 2 | |
3458 | +#define IPT_OSF_LOG 4 | |
3459 | +#define IPT_OSF_NETLINK 8 | |
c558041a | 3460 | +#define IPT_OSF_CONNECTOR 16 |
0fc89030 PS |
3461 | + |
3462 | +#define IPT_OSF_LOGLEVEL_ALL 0 | |
3463 | +#define IPT_OSF_LOGLEVEL_FIRST 1 | |
3464 | + | |
c558041a | 3465 | +#ifndef __KERNEL__ |
ae95cca4 PS |
3466 | +#include <netinet/ip.h> |
3467 | +#include <netinet/tcp.h> | |
3468 | + | |
3469 | +struct list_head | |
3470 | +{ | |
3471 | + struct list_head *prev, *next; | |
3472 | +}; | |
c558041a | 3473 | +#endif |
ae95cca4 | 3474 | + |
0fc89030 PS |
3475 | +struct ipt_osf_info |
3476 | +{ | |
3477 | + char genre[MAXGENRELEN]; | |
3478 | + int len; | |
3479 | + unsigned long flags; | |
3480 | + int loglevel; | |
3481 | + int invert; /* UNSUPPORTED */ | |
3482 | +}; | |
3483 | + | |
3484 | +struct osf_wc | |
3485 | +{ | |
3486 | + char wc; | |
3487 | + unsigned long val; | |
3488 | +}; | |
3489 | + | |
3490 | +/* This struct represents IANA options | |
3491 | + * http://www.iana.org/assignments/tcp-parameters | |
3492 | + */ | |
3493 | +struct osf_opt | |
3494 | +{ | |
3495 | + unsigned char kind; | |
3496 | + unsigned char length; | |
3497 | + struct osf_wc wc; | |
3498 | +}; | |
3499 | + | |
3500 | +struct osf_finger | |
3501 | +{ | |
ae95cca4 | 3502 | + struct list_head flist; |
0fc89030 PS |
3503 | + struct osf_wc wss; |
3504 | + unsigned char ttl; | |
3505 | + unsigned char df; | |
3506 | + unsigned long ss; | |
3507 | + unsigned char genre[MAXGENRELEN]; | |
3508 | + unsigned char version[MAXGENRELEN], subtype[MAXGENRELEN]; | |
3509 | + | |
3510 | + /* Not needed, but for consistency with original table from Michal Zalewski */ | |
3511 | + unsigned char details[MAXDETLEN]; | |
3512 | + | |
3513 | + int opt_num; | |
3514 | + struct osf_opt opt[MAX_IPOPTLEN]; /* In case it is all NOP or EOL */ | |
3515 | + | |
3516 | +}; | |
3517 | + | |
3518 | +struct ipt_osf_nlmsg | |
3519 | +{ | |
3520 | + struct osf_finger f; | |
3521 | + struct iphdr ip; | |
3522 | + struct tcphdr tcp; | |
3523 | +}; | |
3524 | + | |
c558041a PS |
3525 | +#ifdef __KERNEL__ |
3526 | + | |
3527 | +#include <linux/list.h> | |
3528 | +#include <net/tcp.h> | |
3529 | + | |
3530 | + | |
3531 | +/* Defines for IANA option kinds */ | |
3532 | + | |
3533 | +#define OSFOPT_EOL 0 /* End of options */ | |
3534 | +#define OSFOPT_NOP 1 /* NOP */ | |
3535 | +#define OSFOPT_MSS 2 /* Maximum segment size */ | |
3536 | +#define OSFOPT_WSO 3 /* Window scale option */ | |
3537 | +#define OSFOPT_SACKP 4 /* SACK permitted */ | |
3538 | +#define OSFOPT_SACK 5 /* SACK */ | |
3539 | +#define OSFOPT_ECHO 6 | |
3540 | +#define OSFOPT_ECHOREPLY 7 | |
3541 | +#define OSFOPT_TS 8 /* Timestamp option */ | |
3542 | +#define OSFOPT_POCP 9 /* Partial Order Connection Permitted */ | |
3543 | +#define OSFOPT_POSP 10 /* Partial Order Service Profile */ | |
3544 | +/* Others are not used in current OSF */ | |
3545 | + | |
3546 | +static struct osf_opt IANA_opts[] = | |
3547 | +{ | |
3548 | + {0, 1,}, | |
3549 | + {1, 1,}, | |
3550 | + {2, 4,}, | |
3551 | + {3, 3,}, | |
3552 | + {4, 2,}, | |
3553 | + {5, 1 ,}, /* SACK length is not defined */ | |
3554 | + {6, 6,}, | |
3555 | + {7, 6,}, | |
3556 | + {8, 10,}, | |
3557 | + {9, 2,}, | |
3558 | + {10, 3,}, | |
3559 | + {11, 1,}, /* CC: Suppose 1 */ | |
3560 | + {12, 1,}, /* the same */ | |
3561 | + {13, 1,}, /* and here too */ | |
3562 | + {14, 3,}, | |
3563 | + {15, 1,}, /* TCP Alternate Checksum Data. Length is not defined */ | |
3564 | + {16, 1,}, | |
3565 | + {17, 1,}, | |
3566 | + {18, 3,}, | |
3567 | + {19, 18,}, | |
3568 | + {20, 1,}, | |
3569 | + {21, 1,}, | |
3570 | + {22, 1,}, | |
3571 | + {23, 1,}, | |
3572 | + {24, 1,}, | |
3573 | + {25, 1,}, | |
3574 | + {26, 1,}, | |
3575 | +}; | |
3576 | + | |
3577 | +#endif /* __KERNEL__ */ | |
3578 | + | |
0fc89030 | 3579 | +#endif /* _IPT_OSF_H */ |
ae95cca4 PS |
3580 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_policy.h include/linux/netfilter_ipv4/ipt_policy.h |
3581 | --- include.orig/linux/netfilter_ipv4/ipt_policy.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3582 | +++ include/linux/netfilter_ipv4/ipt_policy.h 2005-08-02 20:02:17.735243440 +0200 |
bab37e86 PS |
3583 | @@ -0,0 +1,52 @@ |
3584 | +#ifndef _IPT_POLICY_H | |
3585 | +#define _IPT_POLICY_H | |
3586 | + | |
3587 | +#define POLICY_MAX_ELEM 4 | |
3588 | + | |
3589 | +enum ipt_policy_flags | |
3590 | +{ | |
3591 | + POLICY_MATCH_IN = 0x1, | |
3592 | + POLICY_MATCH_OUT = 0x2, | |
3593 | + POLICY_MATCH_NONE = 0x4, | |
3594 | + POLICY_MATCH_STRICT = 0x8, | |
3595 | +}; | |
3596 | + | |
3597 | +enum ipt_policy_modes | |
3598 | +{ | |
3599 | + POLICY_MODE_TRANSPORT, | |
3600 | + POLICY_MODE_TUNNEL | |
3601 | +}; | |
3602 | + | |
3603 | +struct ipt_policy_spec | |
3604 | +{ | |
3605 | + u_int8_t saddr:1, | |
3606 | + daddr:1, | |
3607 | + proto:1, | |
3608 | + mode:1, | |
3609 | + spi:1, | |
3610 | + reqid:1; | |
3611 | +}; | |
3612 | + | |
3613 | +struct ipt_policy_elem | |
3614 | +{ | |
3615 | + u_int32_t saddr; | |
3616 | + u_int32_t smask; | |
3617 | + u_int32_t daddr; | |
3618 | + u_int32_t dmask; | |
3619 | + u_int32_t spi; | |
3620 | + u_int32_t reqid; | |
3621 | + u_int8_t proto; | |
3622 | + u_int8_t mode; | |
3623 | + | |
3624 | + struct ipt_policy_spec match; | |
3625 | + struct ipt_policy_spec invert; | |
3626 | +}; | |
3627 | + | |
3628 | +struct ipt_policy_info | |
3629 | +{ | |
3630 | + struct ipt_policy_elem pol[POLICY_MAX_ELEM]; | |
3631 | + u_int16_t flags; | |
3632 | + u_int16_t len; | |
3633 | +}; | |
3634 | + | |
3635 | +#endif /* _IPT_POLICY_H */ | |
ae95cca4 PS |
3636 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_psd.h include/linux/netfilter_ipv4/ipt_psd.h |
3637 | --- include.orig/linux/netfilter_ipv4/ipt_psd.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3638 | +++ include/linux/netfilter_ipv4/ipt_psd.h 2005-08-02 20:02:17.778236904 +0200 |
ae95cca4 PS |
3639 | @@ -0,0 +1,40 @@ |
3640 | +#ifndef _IPT_PSD_H | |
3641 | +#define _IPT_PSD_H | |
3642 | + | |
3643 | +#include <linux/param.h> | |
3644 | +#include <linux/types.h> | |
3645 | + | |
3646 | +/* | |
3647 | + * High port numbers have a lower weight to reduce the frequency of false | |
3648 | + * positives, such as from passive mode FTP transfers. | |
3649 | + */ | |
3650 | +#define PORT_WEIGHT_PRIV 3 | |
3651 | +#define PORT_WEIGHT_HIGH 1 | |
3652 | + | |
3653 | +/* | |
3654 | + * Port scan detection thresholds: at least COUNT ports need to be scanned | |
3655 | + * from the same source, with no longer than DELAY ticks between ports. | |
3656 | + */ | |
3657 | +#define SCAN_MIN_COUNT 7 | |
3658 | +#define SCAN_MAX_COUNT (SCAN_MIN_COUNT * PORT_WEIGHT_PRIV) | |
3659 | +#define SCAN_WEIGHT_THRESHOLD SCAN_MAX_COUNT | |
3660 | +#define SCAN_DELAY_THRESHOLD (300) /* old usage of HZ here was erroneously and broke under uml */ | |
3661 | + | |
3662 | +/* | |
3663 | + * Keep track of up to LIST_SIZE source addresses, using a hash table of | |
3664 | + * HASH_SIZE entries for faster lookups, but limiting hash collisions to | |
3665 | + * HASH_MAX source addresses per the same hash value. | |
3666 | + */ | |
3667 | +#define LIST_SIZE 0x100 | |
3668 | +#define HASH_LOG 9 | |
3669 | +#define HASH_SIZE (1 << HASH_LOG) | |
3670 | +#define HASH_MAX 0x10 | |
3671 | + | |
3672 | +struct ipt_psd_info { | |
3673 | + unsigned int weight_threshold; | |
3674 | + unsigned int delay_threshold; | |
3675 | + unsigned short lo_ports_weight; | |
3676 | + unsigned short hi_ports_weight; | |
3677 | +}; | |
3678 | + | |
3679 | +#endif /*_IPT_PSD_H*/ | |
3680 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_quota.h include/linux/netfilter_ipv4/ipt_quota.h | |
3681 | --- include.orig/linux/netfilter_ipv4/ipt_quota.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3682 | +++ include/linux/netfilter_ipv4/ipt_quota.h 2005-08-02 20:02:17.762239336 +0200 |
ae95cca4 PS |
3683 | @@ -0,0 +1,12 @@ |
3684 | +#ifndef _IPT_QUOTA_H | |
3685 | +#define _IPT_QUOTA_H | |
3686 | + | |
3687 | +/* print debug info in both kernel/netfilter module & iptable library */ | |
3688 | +//#define DEBUG_IPT_QUOTA | |
3689 | + | |
3690 | +struct ipt_quota_info { | |
3691 | + u_int64_t quota; | |
3692 | + struct ipt_quota_info *master; | |
3693 | +}; | |
3694 | + | |
3695 | +#endif /*_IPT_QUOTA_H*/ | |
c558041a PS |
3696 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_recent.h include/linux/netfilter_ipv4/ipt_recent.h |
3697 | --- include.orig/linux/netfilter_ipv4/ipt_recent.h 2004-10-31 20:56:00.000000000 +0100 | |
3698 | +++ include/linux/netfilter_ipv4/ipt_recent.h 2005-08-02 20:02:17.720245720 +0200 | |
3699 | @@ -2,7 +2,7 @@ | |
3700 | #define _IPT_RECENT_H | |
3701 | ||
3702 | #define RECENT_NAME "ipt_recent" | |
3703 | -#define RECENT_VER "v0.3.1" | |
3704 | +#define RECENT_VER "v0.3.2" | |
3705 | ||
3706 | #define IPT_RECENT_CHECK 1 | |
3707 | #define IPT_RECENT_SET 2 | |
ae95cca4 PS |
3708 | diff -uNr include.orig/linux/netfilter_ipv4/ipt_ROUTE.h include/linux/netfilter_ipv4/ipt_ROUTE.h |
3709 | --- include.orig/linux/netfilter_ipv4/ipt_ROUTE.h 1970-01-01 01:00:00.000000000 +0100 | |
c558041a | 3710 | +++ include/linux/netfilter_ipv4/ipt_ROUTE.h 2005-08-02 20:02:17.726244808 +0200 |
ae95cca4 PS |
3711 | @@ -0,0 +1,23 @@ |
3712 | +/* Header file for iptables ipt_ROUTE target | |
3713 | + * | |
3714 |