1 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/ipv4/nf_conntrack_icmp.h linux-libc-headers-2.6.11.0/include/linux/netfilter/ipv4/nf_conntrack_icmp.h
2 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/ipv4/nf_conntrack_icmp.h 1970-01-01 01:00:00.000000000 +0100
3 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/ipv4/nf_conntrack_icmp.h 2005-03-13 13:50:15.000000000 +0100
8 + * Derived from include/linux/netfiter_ipv4/ip_conntrack_icmp.h
11 +#ifndef _NF_CONNTRACK_ICMP_H
12 +#define _NF_CONNTRACK_ICMP_H
13 +#include <asm/atomic.h>
17 + /* Optimization: when number in == number out, forget immediately. */
21 +#endif /* _NF_CONNTRACK_ICMP_H */
22 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/ipv4/nf_conntrack_ipv4.h linux-libc-headers-2.6.11.0/include/linux/netfilter/ipv4/nf_conntrack_ipv4.h
23 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/ipv4/nf_conntrack_ipv4.h 1970-01-01 01:00:00.000000000 +0100
24 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/ipv4/nf_conntrack_ipv4.h 2005-03-13 13:50:15.000000000 +0100
27 + * IPv4 support for nf_conntrack.
29 + * 23 Mar 2004: Yasuyuki Kozakai @ USAGI <yasuyuki.kozakai@toshiba.co.jp>
30 + * - move L3 protocol dependent part from include/linux/netfilter_ipv4/
34 +#ifndef _NF_CONNTRACK_IPV4_H
35 +#define _NF_CONNTRACK_IPV4_H
37 +#ifdef CONFIG_IP_NF_NAT_NEEDED
38 +#include <linux/netfilter_ipv4/ip_nat.h>
40 +/* per conntrack: nat application helper private data */
41 +union ip_conntrack_nat_help {
42 + /* insert nat helper private data here */
45 +struct nf_conntrack_ipv4_nat {
46 + struct ip_nat_info info;
47 + union ip_conntrack_nat_help help;
48 +#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
49 + defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
53 +#endif /* CONFIG_IP_NF_NAT_NEEDED */
55 +struct nf_conntrack_ipv4 {
56 +#ifdef CONFIG_IP_NF_NAT_NEEDED
57 + struct nf_conntrack_ipv4_nat *nat;
61 +/* Returns new sk_buff, or NULL */
63 +nf_ct_ipv4_ct_gather_frags(struct sk_buff *skb);
65 +#endif /*_NF_CONNTRACK_IPV4_H*/
66 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h linux-libc-headers-2.6.11.0/include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h
67 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 1970-01-01 01:00:00.000000000 +0100
68 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 2005-03-13 13:50:15.000000000 +0100
73 + * 21 Apl 2004: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
74 + * - separated from nf_conntrack_icmp.h
76 + * Derived from include/linux/netfiter_ipv4/ip_conntrack_icmp.h
79 +#ifndef _NF_CONNTRACK_ICMPV6_H
80 +#define _NF_CONNTRACK_ICMPV6_H
81 +#include <asm/atomic.h>
83 +#ifndef ICMPV6_NI_QUERY
84 +#define ICMPV6_NI_QUERY 139
86 +#ifndef ICMPV6_NI_REPLY
87 +#define ICMPV6_NI_REPLY 140
92 + /* Optimization: when number in == number out, forget immediately. */
96 +#endif /* _NF_CONNTRACK_ICMPV6_H */
97 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_core.h linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_core.h
98 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_core.h 1970-01-01 01:00:00.000000000 +0100
99 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_core.h 2005-03-13 13:50:15.000000000 +0100
102 + * This header is used to share core functionality between the
103 + * standalone connection tracking module, and the compatibility layer's use
104 + * of connection tracking.
106 + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
107 + * - generalize L3 protocol dependent part.
109 + * Derived from include/linux/netfiter_ipv4/ip_conntrack_core.h
112 +#ifndef _NF_CONNTRACK_CORE_H
113 +#define _NF_CONNTRACK_CORE_H
115 +#include <linux/netfilter.h>
116 +#include <linux/netfilter_ipv4/lockhelp.h>
118 +/* This header is used to share core functionality between the
119 + standalone connection tracking module, and the compatibility layer's use
120 + of connection tracking. */
121 +extern unsigned int nf_conntrack_in(int pf,
122 + unsigned int hooknum,
123 + struct sk_buff **pskb);
125 +extern int nf_conntrack_init(void);
126 +extern void nf_conntrack_cleanup(void);
128 +struct nf_conntrack_l3proto;
129 +extern struct nf_conntrack_l3proto *nf_ct_find_l3proto(u_int16_t pf);
130 +/* Like above, but you already have conntrack read lock. */
131 +extern struct nf_conntrack_l3proto *__nf_ct_find_l3proto(u_int16_t l3proto);
133 +struct nf_conntrack_protocol;
136 +nf_ct_get_tuple(const struct sk_buff *skb,
137 + unsigned int nhoff,
138 + unsigned int dataoff,
141 + struct nf_conntrack_tuple *tuple,
142 + const struct nf_conntrack_l3proto *l3proto,
143 + const struct nf_conntrack_protocol *protocol);
146 +nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
147 + const struct nf_conntrack_tuple *orig,
148 + const struct nf_conntrack_l3proto *l3proto,
149 + const struct nf_conntrack_protocol *protocol);
151 +/* Find a connection corresponding to a tuple. */
152 +extern struct nf_conntrack_tuple_hash *
153 +nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple,
154 + const struct nf_conn *ignored_conntrack);
156 +extern int __nf_conntrack_confirm(struct sk_buff **pskb);
158 +/* Confirm a connection: returns NF_DROP if packet must be dropped. */
159 +static inline int nf_conntrack_confirm(struct sk_buff **pskb)
162 + && !is_confirmed((struct nf_conn *)(*pskb)->nfct))
163 + return __nf_conntrack_confirm(pskb);
167 +extern void __nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb);
169 +extern struct list_head *nf_conntrack_hash;
170 +extern struct list_head nf_conntrack_expect_list;
171 +DECLARE_RWLOCK_EXTERN(nf_conntrack_lock);
172 +#endif /* _NF_CONNTRACK_CORE_H */
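Review bot: The `extern` prototype `nf_ct_find_l3proto(u_int16_t pf)` (listing line 129) clashes with the `static inline` definition of the same name that this patch adds in nf_conntrack_l3proto.h (listing lines 423-426). A translation unit that includes this header first and nf_conntrack_l3proto.h second sees a static declaration after a non-static one, which the compiler rejects; in the other order it compiles, but this header still advertises an out-of-line symbol that may not exist. The comment on `__nf_ct_find_l3proto` ("you already have conntrack read lock") also implies that the plain variant takes the lock, which the inline version, a bare array lookup, does not do. Keep a single form, for example by dropping the prototype here in favour of `#include <linux/netfilter/nf_conntrack_l3proto.h>`, and state the locking rule next to whichever one remains.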
173 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_ftp.h linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_ftp.h
174 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_ftp.h 1970-01-01 01:00:00.000000000 +0100
175 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_ftp.h 2005-03-13 23:01:16.000000000 +0100
178 + * nf_conntrack_ftp.h
180 + * Definitions and Declarations for FTP tracking.
182 + * Derived from include/linux/netfiter_ipv4/ip_conntrack_ftp.h
184 + * 16 Dec 2003: Yasuyuki Kozakai @ USAGI <yasuyuki.kozakai@toshiba.co.jp>
188 +#ifndef _NF_CONNTRACK_FTP_H
189 +#define _NF_CONNTRACK_FTP_H
194 + /* PORT command from client */
196 + /* PASV response from server */
198 + /* EPRT command from client */
200 + /* EPSV response from server */
204 +#define NUM_SEQ_TO_REMEMBER 2
205 +/* This structure exists only once per master */
206 +struct nf_ct_ftp_master {
207 + /* Valid seq positions for cmd matching after newline */
208 + u_int32_t seq_aft_nl[NF_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
209 + /* 0 means seq_match_aft_nl not set */
210 + int seq_aft_nl_num[NF_CT_DIR_MAX];
213 +struct nf_conntrack_expect;
215 +/* For NAT to hook in when we find a packet which describes what other
216 + * connection we should expect. */
217 +extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
218 + enum nf_conntrack_info ctinfo,
219 + enum nf_ct_ftp_type type,
220 + unsigned int matchoff,
221 + unsigned int matchlen,
222 + struct nf_conntrack_expect *exp,
224 +#endif /* _NF_CONNTRACK_FTP_H */
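Review bot: The comment on `seq_aft_nl_num` (listing line 209) names `seq_match_aft_nl`, a field that does not exist in the visible struct; the array is called `seq_aft_nl`. The counter is a signed `int` that presumably indexes `seq_aft_nl[dir][...]`, so the bound deserves to be written down where the field is declared. Suggested comment: `/* Number of valid entries in seq_aft_nl[dir]; 0 means none recorded, never more than NUM_SEQ_TO_REMEMBER */`. The code that updates the counter is not part of this header, so whether it clamps to that bound has to be checked in the FTP helper itself.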
225 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack.h linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack.h
226 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack.h 1970-01-01 01:00:00.000000000 +0100
227 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack.h 2005-03-13 23:01:06.000000000 +0100
230 + * Connection state tracking for netfilter. This is separated from,
231 + * but required by, the (future) NAT layer; it can also be used by an iptables
234 + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
235 + * - generalize L3 protocol dependent part.
237 + * Derived from include/linux/netfiter_ipv4/ip_conntrack.h
240 +#ifndef _NF_CONNTRACK_H
241 +#define _NF_CONNTRACK_H
243 +enum nf_conntrack_info
245 + /* Part of an established connection (either direction). */
248 + /* Like NEW, but related to an existing connection, or ICMP error
249 + (in either direction). */
252 + /* Started a new connection to track (only
253 + NF_CT_DIR_ORIGINAL); may be a retransmission. */
256 + /* >= this indicates reply direction */
259 + /* Number of distinct NF_CT types (no NEW in reply dirn). */
260 + NF_CT_NUMBER = NF_CT_IS_REPLY * 2 - 1
263 +/* Bitset representing status of connection. */
264 +enum nf_conntrack_status {
265 + /* It's an expected connection: bit 0 set. This bit never changed */
266 + NF_S_EXPECTED_BIT = 0,
267 + NF_S_EXPECTED = (1 << NF_S_EXPECTED_BIT),
269 + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
270 + NF_S_SEEN_REPLY_BIT = 1,
271 + NF_S_SEEN_REPLY = (1 << NF_S_SEEN_REPLY_BIT),
273 + /* Conntrack should never be early-expired. */
274 + NF_S_ASSURED_BIT = 2,
275 + NF_S_ASSURED = (1 << NF_S_ASSURED_BIT),
277 + /* Connection is confirmed: originating packet has left box */
278 + NF_S_CONFIRMED_BIT = 3,
279 + NF_S_CONFIRMED = (1 << NF_S_CONFIRMED_BIT),
282 +#endif /* _NF_CONNTRACK_H */
283 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_helper.h linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_helper.h
284 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_helper.h 1970-01-01 01:00:00.000000000 +0100
285 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_helper.h 2005-03-13 13:50:15.000000000 +0100
288 + * connection tracking helpers.
290 + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
291 + * - generalize L3 protocol dependent part.
293 + * Derived from include/linux/netfiter_ipv4/ip_conntrack_helper.h
296 +#ifndef _NF_CONNTRACK_HELPER_H
297 +#define _NF_CONNTRACK_HELPER_H
298 +#include <linux/netfilter/nf_conntrack.h>
302 +struct nf_conntrack_helper
304 + struct list_head list; /* Internal use. */
306 + const char *name; /* name of the module */
307 + struct module *me; /* pointer to self */
308 + unsigned int max_expected; /* Maximum number of concurrent
309 + * expected connections */
310 + unsigned int timeout; /* timeout for expecteds */
312 + /* Mask of things we will help (compared against server response) */
313 + struct nf_conntrack_tuple tuple;
314 + struct nf_conntrack_tuple mask;
316 + /* Function to call when data passes; return verdict, or -1 to
318 + int (*help)(struct sk_buff **pskb,
319 + unsigned int protoff,
320 + struct nf_conn *ct,
321 + enum nf_conntrack_info conntrackinfo);
324 +extern int nf_conntrack_helper_register(struct nf_conntrack_helper *);
325 +extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *);
327 +/* Allocate space for an expectation: this is mandatory before calling
328 + nf_conntrack_expect_related. */
329 +extern struct nf_conntrack_expect *nf_conntrack_expect_alloc(void);
330 +extern void nf_conntrack_expect_free(struct nf_conntrack_expect *exp);
332 +/* Add an expected connection: can have more than one per connection */
333 +extern int nf_conntrack_expect_related(struct nf_conntrack_expect *exp);
334 +extern void nf_conntrack_unexpect_related(struct nf_conntrack_expect *exp);
336 +#endif /*_NF_CONNTRACK_HELPER_H*/
337 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_l3proto.h linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_l3proto.h
338 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_l3proto.h 1970-01-01 01:00:00.000000000 +0100
339 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_l3proto.h 2005-03-13 13:50:15.000000000 +0100
342 + * Copyright (C)2003,2004 USAGI/WIDE Project
344 + * Header for use in defining a given L3 protocol for connection tracking.
347 + * Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
349 + * Derived from include/netfilter_ipv4/ip_conntrack_protocol.h
352 +#ifndef _NF_CONNTRACK_L3PROTO_H
353 +#define _NF_CONNTRACK_L3PROTO_H
354 +#include <linux/seq_file.h>
355 +#include <linux/netfilter/nf_conntrack.h>
357 +struct nf_conntrack_l3proto
359 + /* Next pointer. */
360 + struct list_head list;
362 + /* L3 Protocol Family number. ex) PF_INET */
365 + /* Protocol name */
369 + * Try to fill in the third arg: nhoff is offset of l3 proto
370 + * hdr. Return true if possible.
372 + int (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int nhoff,
373 + struct nf_conntrack_tuple *tuple);
376 + * Invert the per-proto part of the tuple: ie. turn xmit into reply.
377 + * Some packets can't be inverted: return 0 in that case.
379 + int (*invert_tuple)(struct nf_conntrack_tuple *inverse,
380 + const struct nf_conntrack_tuple *orig);
382 + /* Print out the per-protocol part of the tuple. */
383 + int (*print_tuple)(struct seq_file *s,
384 + const struct nf_conntrack_tuple *);
386 + /* Print out the private part of the conntrack. */
387 + int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
389 + /* Returns verdict for packet, or -1 for invalid. */
390 + int (*packet)(struct nf_conn *conntrack,
391 + const struct sk_buff *skb,
392 + enum nf_conntrack_info ctinfo);
395 + * Called when a new connection for this protocol found;
396 + * returns TRUE if it's OK. If so, packet() called next.
398 + int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb);
400 + /* Called when a conntrack entry is destroyed */
401 + void (*destroy)(struct nf_conn *conntrack);
404 + * Called before tracking.
405 + * *dataoff: offset of protocol header (TCP, UDP,...) in *pskb
406 + * *protonum: protocol number
408 + int (*prepare)(struct sk_buff **pskb, unsigned int hooknum,
409 + unsigned int *dataoff, u_int8_t *protonum, int *ret);
411 + u_int32_t (*get_features)(const struct nf_conntrack_tuple *tuple);
413 + /* Module (if any) which this is connected to. */
417 +extern struct nf_conntrack_l3proto *nf_ct_l3protos[AF_MAX];
419 +/* Protocol registration. */
420 +extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto);
421 +extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto);
423 +static inline struct nf_conntrack_l3proto *
424 +nf_ct_find_l3proto(u_int16_t l3proto)
426 + return nf_ct_l3protos[l3proto];
429 +/* Existing built-in protocols */
430 +extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4;
431 +extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6;
432 +extern struct nf_conntrack_l3proto nf_conntrack_generic_l3proto;
433 +#endif /*_NF_CONNTRACK_L3PROTO_H*/
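Review bot: `nf_ct_find_l3proto()` indexes `nf_ct_l3protos[l3proto]` (listing line 426) with a `u_int16_t` that is never compared against `AF_MAX`, the declared size of the array. Whether every caller validates the family first cannot be seen from this header, so the accessor should do the check itself, for example `if (l3proto >= AF_MAX) return &nf_conntrack_generic_l3proto;` ahead of the lookup (the generic entry is declared a few lines further down). The function's braces fall on lines the listing omits. A one-line comment saying which lock, if any, protects `nf_ct_l3protos` against concurrent register/unregister would also help.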
434 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_protocol.h linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_protocol.h
435 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_protocol.h 1970-01-01 01:00:00.000000000 +0100
436 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_protocol.h 2005-03-13 13:50:15.000000000 +0100
439 + * Header for use in defining a given protocol for connection tracking.
441 + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
442 + * - generalized L3 protocol dependent part.
444 + * Derived from include/linux/netfiter_ipv4/ip_conntrack_protcol.h
447 +#ifndef _NF_CONNTRACK_PROTOCOL_H
448 +#define _NF_CONNTRACK_PROTOCOL_H
449 +#include <linux/netfilter/nf_conntrack.h>
453 +struct nf_conntrack_protocol
455 + /* Next pointer. */
456 + struct list_head list;
458 + /* L3 Protocol number. */
461 + /* Protocol number. */
464 + /* Protocol name */
467 + /* Try to fill in the third arg: dataoff is offset past network protocol
468 + hdr. Return true if possible. */
469 + int (*pkt_to_tuple)(const struct sk_buff *skb,
470 + unsigned int dataoff,
471 + struct nf_conntrack_tuple *tuple);
473 + /* Invert the per-proto part of the tuple: ie. turn xmit into reply.
474 + * Some packets can't be inverted: return 0 in that case.
476 + int (*invert_tuple)(struct nf_conntrack_tuple *inverse,
477 + const struct nf_conntrack_tuple *orig);
479 + /* Print out the per-protocol part of the tuple. Return like seq_* */
480 + int (*print_tuple)(struct seq_file *s,
481 + const struct nf_conntrack_tuple *);
483 + /* Print out the private part of the conntrack. */
484 + int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
486 + /* Returns verdict for packet, or -1 for invalid. */
487 + int (*packet)(struct nf_conn *conntrack,
488 + const struct sk_buff *skb,
489 + unsigned int dataoff,
490 + enum nf_conntrack_info ctinfo,
492 + unsigned int hooknum);
494 + /* Called when a new connection for this protocol found;
495 + * returns TRUE if it's OK. If so, packet() called next. */
496 + int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb,
497 + unsigned int dataoff);
499 + /* Called when a conntrack entry is destroyed */
500 + void (*destroy)(struct nf_conn *conntrack);
502 + int (*error)(struct sk_buff *skb, unsigned int dataoff,
503 + enum nf_conntrack_info *ctinfo,
504 + int pf, unsigned int hooknum);
506 + /* Module (if any) which this is connected to. */
510 +/* Existing built-in protocols */
511 +extern struct nf_conntrack_protocol nf_conntrack_protocol_tcp6;
512 +extern struct nf_conntrack_protocol nf_conntrack_protocol_udp4;
513 +extern struct nf_conntrack_protocol nf_conntrack_protocol_udp6;
514 +extern struct nf_conntrack_protocol nf_conntrack_generic_protocol;
516 +#define MAX_NF_CT_PROTO 256
517 +extern struct nf_conntrack_protocol **nf_ct_protos[PF_MAX];
519 +extern struct nf_conntrack_protocol *
520 +nf_ct_find_proto(u_int16_t l3proto, u_int8_t protocol);
522 +/* Protocol registration. */
523 +extern int nf_conntrack_protocol_register(struct nf_conntrack_protocol *proto);
524 +extern void nf_conntrack_protocol_unregister(struct nf_conntrack_protocol *proto);
526 +/* Log invalid packets */
527 +extern unsigned int nf_ct_log_invalid;
529 +#ifdef CONFIG_SYSCTL
530 +#ifdef DEBUG_INVALID_PACKETS
531 +#define LOG_INVALID(proto) \
532 + (nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW)
534 +#define LOG_INVALID(proto) \
535 + ((nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW) \
536 + && net_ratelimit())
539 +#define LOG_INVALID(proto) 0
540 +#endif /* CONFIG_SYSCTL */
542 +#endif /*_NF_CONNTRACK_PROTOCOL_H*/
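Review bot: The `DEBUG_INVALID_PACKETS` variant of `LOG_INVALID` (listing lines 531-532) drops the `net_ratelimit()` guard that the normal variant keeps (lines 534-536). Invalid packets are sent by remote peers, so a build with that symbol defined lets any sender drive unbounded kernel log output once `nf_ct_log_invalid` is enabled. If the unthrottled form is wanted for debugging, document it at the definition, e.g. `/* DEBUG_INVALID_PACKETS: no rate limit, lab use only - remote traffic can flood the log */`. The `#else`/`#endif` lines of this conditional are not visible in the listing.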
543 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_sctp.h linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_sctp.h
544 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_sctp.h 1970-01-01 01:00:00.000000000 +0100
545 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_sctp.h 2005-03-13 13:50:15.000000000 +0100
550 + * Derived from include/linux/netfiter_ipv4/ip_conntrack_tcp.h
553 +#ifndef _NF_CONNTRACK_SCTP_H
554 +#define _NF_CONNTRACK_SCTP_H
556 +enum sctp_conntrack {
557 + SCTP_CONNTRACK_NONE,
558 + SCTP_CONNTRACK_CLOSED,
559 + SCTP_CONNTRACK_COOKIE_WAIT,
560 + SCTP_CONNTRACK_COOKIE_ECHOED,
561 + SCTP_CONNTRACK_ESTABLISHED,
562 + SCTP_CONNTRACK_SHUTDOWN_SENT,
563 + SCTP_CONNTRACK_SHUTDOWN_RECD,
564 + SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
570 + enum sctp_conntrack state;
572 + u_int32_t vtag[NF_CT_DIR_MAX];
573 + u_int32_t ttag[NF_CT_DIR_MAX];
576 +#endif /* _NF_CONNTRACK_SCTP_H */
577 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_tcp.h linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_tcp.h
578 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_tcp.h 1970-01-01 01:00:00.000000000 +0100
579 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_tcp.h 2005-03-13 13:50:15.000000000 +0100
584 + * Derived from include/linux/netfiter_ipv4/ip_conntrack_tcp.h
587 +#ifndef _NF_CONNTRACK_TCP_H
588 +#define _NF_CONNTRACK_TCP_H
590 +enum tcp_conntrack {
591 + TCP_CONNTRACK_NONE,
592 + TCP_CONNTRACK_SYN_SENT,
593 + TCP_CONNTRACK_SYN_RECV,
594 + TCP_CONNTRACK_ESTABLISHED,
595 + TCP_CONNTRACK_FIN_WAIT,
596 + TCP_CONNTRACK_CLOSE_WAIT,
597 + TCP_CONNTRACK_LAST_ACK,
598 + TCP_CONNTRACK_TIME_WAIT,
599 + TCP_CONNTRACK_CLOSE,
600 + TCP_CONNTRACK_LISTEN,
602 + TCP_CONNTRACK_IGNORE
605 +/* Window scaling is advertised by the sender */
606 +#define NF_CT_TCP_FLAG_WINDOW_SCALE 0x01
608 +/* SACK is permitted by the sender */
609 +#define NF_CT_TCP_FLAG_SACK_PERM 0x02
611 +struct nf_ct_tcp_state {
612 + u_int32_t td_end; /* max of seq + len */
613 + u_int32_t td_maxend; /* max of ack + max(win, 1) */
614 + u_int32_t td_maxwin; /* max(win) */
615 + u_int8_t td_scale; /* window scale factor */
616 + u_int8_t loose; /* used when connection picked up from the middle */
617 + u_int8_t flags; /* per direction state flags */
622 + struct nf_ct_tcp_state seen[2]; /* connection parameters per direction */
623 + u_int8_t state; /* state of the connection (enum tcp_conntrack) */
624 + /* For detecting stale connections */
625 + u_int8_t last_dir; /* Direction of the last packet (enum nf_conntrack_dir) */
626 + u_int8_t retrans; /* Number of retransmitted packets */
627 + u_int8_t last_index; /* Index of the last packet */
628 + u_int32_t last_seq; /* Last sequence number seen in dir */
629 + u_int32_t last_ack; /* Last sequence number seen in opposite dir */
630 + u_int32_t last_end; /* Last seq + len */
633 +/* Need this, since this file is included before the nf_conn definition
634 + * in nf_conntrack.h */
637 +/* Update TCP window tracking data when NAT mangles the packet */
638 +extern void nf_conntrack_tcp_update(struct sk_buff *skb,
639 + unsigned int dataoff,
640 + struct nf_conn *conntrack,
643 +#endif /* _NF_CONNTRACK_TCP_H */
644 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_tuple.h linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_tuple.h
645 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter/nf_conntrack_tuple.h 1970-01-01 01:00:00.000000000 +0100
646 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter/nf_conntrack_tuple.h 2005-03-13 23:01:31.000000000 +0100
649 + * Definitions and Declarations for tuple.
651 + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
652 + * - generalize L3 protocol dependent part.
654 + * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h
657 +#ifndef _NF_CONNTRACK_TUPLE_H
658 +#define _NF_CONNTRACK_TUPLE_H
660 +/* A `tuple' is a structure containing the information to uniquely
661 + identify a connection. ie. if two packets have the same tuple, they
662 + are in the same connection; if not, they are not.
664 + We divide the structure along "manipulatable" and
665 + "non-manipulatable" lines, for the benefit of the NAT code.
668 +#define NF_CT_TUPLE_L3SIZE 4
670 +/* The l3 protocol-specific manipulable parts of the tuple: always in
672 +union nf_conntrack_man_l3proto {
673 + u_int32_t all[NF_CT_TUPLE_L3SIZE];
678 +/* The protocol-specific manipulable parts of the tuple: always in
680 +union nf_conntrack_man_proto
682 + /* Add other protocols here. */
699 +/* The manipulable part of the tuple. */
700 +struct nf_conntrack_man
702 + union nf_conntrack_man_l3proto u3;
703 + union nf_conntrack_man_proto u;
704 + /* Layer 3 protocol */
708 +/* This contains the information to distinguish a connection. */
709 +struct nf_conntrack_tuple
711 + struct nf_conntrack_man src;
713 + /* These are the parts of the tuple which are fixed. */
716 + u_int32_t all[NF_CT_TUPLE_L3SIZE];
721 + /* Add other protocols here. */
731 + u_int8_t type, code;
738 + /* The protocol. */
741 + /* The direction (for tuplehash) */
746 +/* This is optimized opposed to a memset of the whole structure. Everything we
747 + * really care about is the source/destination unions */
748 +#define NF_CT_TUPLE_U_BLANK(tuple) \
750 + (tuple)->src.u.all = 0; \
751 + (tuple)->dst.u.all = 0; \
752 + memset((tuple)->src.u3.all, 0, \
753 + sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \
754 + memset((tuple)->dst.u3.all, 0, \
755 + sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \
758 +enum nf_conntrack_dir
760 + NF_CT_DIR_ORIGINAL,
765 +static inline int nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
766 + const struct nf_conntrack_tuple *t2)
768 + return (t1->src.u3.all[0] == t2->src.u3.all[0] &&
769 + t1->src.u3.all[1] == t2->src.u3.all[1] &&
770 + t1->src.u3.all[2] == t2->src.u3.all[2] &&
771 + t1->src.u3.all[3] == t2->src.u3.all[3] &&
772 + t1->src.u.all == t2->src.u.all &&
773 + t1->src.l3num == t2->src.l3num &&
774 + t1->dst.protonum == t2->dst.protonum);
777 +static inline int nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
778 + const struct nf_conntrack_tuple *t2)
780 + return (t1->dst.u3.all[0] == t2->dst.u3.all[0] &&
781 + t1->dst.u3.all[1] == t2->dst.u3.all[1] &&
782 + t1->dst.u3.all[2] == t2->dst.u3.all[2] &&
783 + t1->dst.u3.all[3] == t2->dst.u3.all[3] &&
784 + t1->dst.u.all == t2->dst.u.all &&
785 + t1->src.l3num == t2->src.l3num &&
786 + t1->dst.protonum == t2->dst.protonum);
789 +static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
790 + const struct nf_conntrack_tuple *t2)
792 + return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);
795 +static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
796 + const struct nf_conntrack_tuple *tuple,
797 + const struct nf_conntrack_tuple *mask)
801 + for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
802 + if ((ntohs(t->src.u3.all[count]) ^
803 + ntohs(tuple->src.u3.all[count])) &
804 + ntohs(mask->src.u3.all[count]))
808 + for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
809 + if ((ntohs(t->dst.u3.all[count]) ^
810 + ntohs(tuple->dst.u3.all[count])) &
811 + ntohs(mask->dst.u3.all[count]))
815 + if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all ||
816 + (t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all ||
817 + (t->src.l3num ^ tuple->src.l3num) & mask->src.l3num ||
818 + (t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum)
824 +#endif /* _NF_CONNTRACK_TUPLE_H */
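Review bot: `nf_ct_tuple_mask_cmp()` wraps the `u_int32_t` words of `u3.all[]` in `ntohs()` (listing lines 802-804 and 809-811), which converts each word to 16 bits before the XOR/AND. Only half of every address word is therefore compared under the mask, so two tuples whose addresses differ in the other half still match; this function presumably decides helper and expectation matching, where a false match is security-relevant. A masked equality test needs no byte-order conversion at all: `if ((t->src.u3.all[count] ^ tuple->src.u3.all[count]) & mask->src.u3.all[count])`, and the same for `dst`. The loop bodies and the function's return statements are on lines the listing omits.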
825 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_logging.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_logging.h
826 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_logging.h 1970-01-01 01:00:00.000000000 +0100
827 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_logging.h 2005-03-13 22:55:27.000000000 +0100
829 +/* IPv4 macros for the internal logging interface. */
830 +#ifndef __IP_LOGGING_H
831 +#define __IP_LOGGING_H
833 +#endif /*__IP_LOGGING_H*/
834 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_nat.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_nat.h
835 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_nat.h 2005-03-13 21:53:55.000000000 +0100
836 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_nat.h 2005-03-13 22:55:37.000000000 +0100
838 union ip_conntrack_manip_proto min, max;
841 -/* A range consists of an array of 1 or more ip_nat_range */
842 -struct ip_nat_multi_range
843 +/* For backwards compat: don't use in modern code. */
844 +struct ip_nat_multi_range_compat
846 - unsigned int rangesize;
847 + unsigned int rangesize; /* Must be 1. */
850 struct ip_nat_range range[1];
853 -/* Worst case: local-out manip + 1 post-routing, and reverse dirn. */
854 -#define IP_NAT_MAX_MANIPS (2*3)
856 -struct ip_nat_info_manip
858 - /* The direction. */
859 - u_int8_t direction;
861 - /* Which hook the manipulation happens on. */
864 - /* The manipulation type. */
865 - u_int8_t maniptype;
867 - /* Manipulations to occur at each conntrack in this dirn. */
868 - struct ip_conntrack_manip manip;
871 -#define ip_nat_multi_range ip_nat_multi_range_compat
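Review bot: The `rangesize` invariant in `struct ip_nat_multi_range_compat` exists only as a comment (`/* Must be 1. */`, listing line 847), while `range[1]` is a fixed one-element array. The struct is filled from rule data supplied by userspace, so any consumer that loops up to `rangesize` without checking it would index past the end of the struct. The header cannot enforce this, but the comment should say who must, e.g. `/* Must be 1; reject any other value before indexing range[]. */`. The listing also shows the old name `ip_nat_multi_range` and its alias `#define` being removed, which, if read correctly, breaks userspace sources that still use that name; confirm this is intended for a libc-headers package.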
874 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_queue.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_queue.h
875 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_queue.h 2004-10-31 20:56:03.000000000 +0100
876 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_queue.h 2005-03-13 22:56:08.000000000 +0100
881 -#include <linux/if.h>
884 /* Messages sent from kernel */
885 typedef struct ipq_packet_msg {
886 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set.h
887 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set.h 1970-01-01 01:00:00.000000000 +0100
888 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set.h 2005-03-13 22:56:21.000000000 +0100
893 +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
894 + * Patrick Schaaf <bof@bof.de>
895 + * Martin Josefsson <gandalf@wlug.westbo.se>
896 + * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
898 + * This program is free software; you can redistribute it and/or modify
899 + * it under the terms of the GNU General Public License version 2 as
900 + * published by the Free Software Foundation.
904 + * A sockopt of such quality has hardly ever been seen before on the open
905 + * market! This little beauty, hardly ever used: above 64, so it's
906 + * traditionally used for firewalling, not touched (even once!) by the
907 + * 2.0, 2.2 and 2.4 kernels!
909 + * Comes with its own certificate of authenticity, valid anywhere in the
914 +#define SO_IP_SET 83
917 + * Heavily modify by Joakim Axelsson 08.03.2002
918 + * - Made it more modulebased
920 + * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
922 + * - in order to "deal with" backward compatibility, renamed to ipset
926 + * Used so that the kernel module and ipset-binary can match their versions
928 +#define IP_SET_PROTOCOL_VERSION 2
930 +#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */
932 +/* Lets work with our own typedef for representing an IP address.
933 + * We hope to make the code more portable, possibly to IPv6...
935 + * The representation works in HOST byte order, because most set types
936 + * will perform arithmetic operations and compare operations.
938 + * For now the type is an uint32_t.
940 + * Make sure to ONLY use the functions when translating and parsing
941 + * in order to keep the host byte order and make it more portable:
944 + * parse_ipandmask()
946 + * (Joakim: where are they???)
949 +typedef uint32_t ip_set_ip_t;
951 +/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
952 + * and IP_SET_INVALID_ID if you want to increase the max number of sets.
954 +typedef uint16_t ip_set_id_t;
956 +#define IP_SET_INVALID_ID 65535
958 +/* How deep we follow bindings */
959 +#define IP_SET_MAX_BINDINGS 6
962 + * Option flags for kernel operations (ipt_set_info)
964 +#define IPSET_SRC 0x01 /* Source match/add */
965 +#define IPSET_DST 0x02 /* Destination match/add */
966 +#define IPSET_MATCH_INV 0x04 /* Inverse matching */
969 + * Set types (flavours)
971 +#define IPSET_TYPE_IP 0 /* IP address type of set */
972 +#define IPSET_TYPE_PORT 1 /* Port type of set */
974 +/* Reserved keywords */
975 +#define IPSET_TOKEN_DEFAULT ":default:"
976 +#define IPSET_TOKEN_ALL ":all:"
978 +/* SO_IP_SET operation constants, and their request struct types.
981 + * 0-99: commands with version checking
982 + * 100-199: add/del/test/bind/unbind
983 + * 200-299: list, save, restore
986 +/* Single shot operations:
987 + * version, create, destroy, flush, rename and swap
989 + * Sets are identified by name.
992 +#define IP_SET_REQ_STD \
994 + unsigned version; \
995 + char name[IP_SET_MAXNAMELEN]
997 +#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */
998 +struct ip_set_req_create {
1000 + char typename[IP_SET_MAXNAMELEN];
1003 +#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */
1004 +struct ip_set_req_std {
1008 +#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */
1009 +/* Uses ip_set_req_std */
1011 +#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */
1012 +/* Uses ip_set_req_create */
1014 +#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */
1015 +/* Uses ip_set_req_create */
1017 +union ip_set_name_index {
1018 + char name[IP_SET_MAXNAMELEN];
1019 + ip_set_id_t index;
1022 +#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
1023 +struct ip_set_req_get_set {
1026 + union ip_set_name_index set;
1029 +#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
1030 +/* Uses ip_set_req_get_set */
1032 +#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
1033 +struct ip_set_req_version {
1038 +/* Double shots operations:
1039 + * add, del, test, bind and unbind.
1041 + * First we query the kernel to get the index and type of the target set,
1042 + * then issue the command. Validity of IP is checked in kernel in order
1043 + * to minimalize sockopt operations.
1046 +/* Get minimal set data for add/del/test/bind/unbind IP */
1047 +#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */
1048 +struct ip_set_req_adt_get {
1051 + union ip_set_name_index set;
1052 + char typename[IP_SET_MAXNAMELEN];
1055 +#define IP_SET_REQ_BYINDEX \
1057 + ip_set_id_t index;
1059 +struct ip_set_req_adt {
1060 + IP_SET_REQ_BYINDEX;
1063 +#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */
1064 +/* Uses ip_set_req_adt, with type specific addage */
1066 +#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */
1067 +/* Uses ip_set_req_adt, with type specific addage */
1069 +#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */
1070 +/* Uses ip_set_req_adt, with type specific addage */
1072 +#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */
1073 +/* Uses ip_set_req_bind, with type specific addage */
1074 +struct ip_set_req_bind {
1075 + IP_SET_REQ_BYINDEX;
1076 + char binding[IP_SET_MAXNAMELEN];
1079 +#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */
1080 +/* Uses ip_set_req_bind, with type speficic addage
1081 + * index = 0 means unbinding for all sets */
1083 +#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */
1084 +/* Uses ip_set_req_bind, with type specific addage */
1086 +/* Multiple shots operations: list, save, restore.
1088 + * - check kernel version and query the max number of sets
1089 + * - get the basic information on all sets
1090 + * and size required for the next step
1091 + * - get actual set data: header, data, bindings
1094 +/* Get max_sets and the index of a queried set
1096 +#define IP_SET_OP_MAX_SETS 0x00000020
1097 +struct ip_set_req_max_sets {
1100 + ip_set_id_t max_sets; /* max_sets */
1101 + ip_set_id_t sets; /* real number of sets */
1102 + union ip_set_name_index set; /* index of set if name used */
1105 +/* Get the id and name of the sets plus size for next step */
1106 +#define IP_SET_OP_LIST_SIZE 0x00000201
1107 +#define IP_SET_OP_SAVE_SIZE 0x00000202
1108 +struct ip_set_req_setnames {
1110 + ip_set_id_t index; /* set to list/save */
1111 + size_t size; /* size to get setdata/bindings */
1112 + /* followed by sets number of struct ip_set_name_list */
1115 +struct ip_set_name_list {
1116 + char name[IP_SET_MAXNAMELEN];
1117 + char typename[IP_SET_MAXNAMELEN];
1118 + ip_set_id_t index;
1122 +/* The actual list operation */
1123 +#define IP_SET_OP_LIST 0x00000203
1124 +struct ip_set_req_list {
1125 + IP_SET_REQ_BYINDEX;
1126 + /* sets number of struct ip_set_list in reply */
1129 +struct ip_set_list {
1130 + ip_set_id_t index;
1131 + ip_set_id_t binding;
1133 + size_t header_size; /* Set header data of header_size */
1134 + size_t members_size; /* Set members data of members_size */
1135 + size_t bindings_size; /* Set bindings data of bindings_size */
1138 +struct ip_set_hash_list {
1140 + ip_set_id_t binding;
1143 +/* The save operation */
1144 +#define IP_SET_OP_SAVE 0x00000204
1145 +/* Uses ip_set_req_list, in the reply replaced by
1146 + * sets number of struct ip_set_save plus a marker
1147 + * ip_set_save followed by ip_set_hash_save structures.
1149 +struct ip_set_save {
1150 + ip_set_id_t index;
1151 + ip_set_id_t binding;
1152 + size_t header_size; /* Set header data of header_size */
1153 + size_t members_size; /* Set members data of members_size */
1156 +/* At restoring, ip == 0 means default binding for the given set: */
1157 +struct ip_set_hash_save {
1160 + ip_set_id_t binding;
1163 +/* The restore operation */
1164 +#define IP_SET_OP_RESTORE 0x00000205
1165 +/* Uses ip_set_req_setnames followed by ip_set_restore structures
1166 + * plus a marker ip_set_restore, followed by ip_set_hash_save
1169 +struct ip_set_restore {
1170 + char name[IP_SET_MAXNAMELEN];
1171 + char typename[IP_SET_MAXNAMELEN];
1172 + ip_set_id_t index;
1173 + size_t header_size; /* Create data of header_size */
1174 + size_t members_size; /* Set members data of members_size */
1177 +static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
1179 + return 4 * ((((b - a + 8) / 8) + 3) / 4);
1182 +#endif /*_IP_SET_H*/
1183 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_iphash.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_iphash.h
1184 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_iphash.h 1970-01-01 01:00:00.000000000 +0100
1185 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_iphash.h 2005-03-13 13:50:15.000000000 +0100
1187 +#ifndef __IP_SET_IPHASH_H
1188 +#define __IP_SET_IPHASH_H
1190 +#include <linux/netfilter_ipv4/ip_set.h>
1192 +#define SETTYPE_NAME "iphash"
1193 +#define MAX_RANGE 0x0000FFFF
1195 +struct ip_set_iphash {
1196 + ip_set_ip_t *members; /* the iphash proper */
1197 + uint32_t initval; /* initval for jhash_1word */
1198 + uint32_t prime; /* prime for double hashing */
1199 + uint32_t hashsize; /* hash size */
1200 + uint16_t probes; /* max number of probes */
1201 + uint16_t resize; /* resize factor in percent */
1202 + ip_set_ip_t netmask; /* netmask */
1205 +struct ip_set_req_iphash_create {
1206 + uint32_t hashsize;
1209 + ip_set_ip_t netmask;
1212 +struct ip_set_req_iphash {
1216 +#endif /* __IP_SET_IPHASH_H */
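Review bot: `SETTYPE_NAME` and `MAX_RANGE` are unprefixed macro names, and the ip_set_ipmap.h, ip_set_macipmap.h, ip_set_nethash.h and ip_set_portmap.h sections of this patch define them again, `SETTYPE_NAME` with a different string each time. A translation unit that includes two of these headers therefore gets a conflicting macro redefinition. A per-type name such as `#define IP_SET_IPHASH_TYPE_NAME "iphash"` would avoid that. If code outside this patch depends on the generic name, a comment here stating that only one set-type header may be included per translation unit would at least document the constraint.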
1217 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_ipmap.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_ipmap.h
1218 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_ipmap.h 1970-01-01 01:00:00.000000000 +0100
1219 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_ipmap.h 2005-03-13 13:50:15.000000000 +0100
1221 +#ifndef __IP_SET_IPMAP_H
1222 +#define __IP_SET_IPMAP_H
1224 +#include <linux/netfilter_ipv4/ip_set.h>
1226 +#define SETTYPE_NAME "ipmap"
1227 +#define MAX_RANGE 0x0000FFFF
1229 +struct ip_set_ipmap {
1230 + void *members; /* the ipmap proper */
1231 + ip_set_ip_t first_ip; /* host byte order, included in range */
1232 + ip_set_ip_t last_ip; /* host byte order, included in range */
1233 + ip_set_ip_t netmask; /* subnet netmask */
1234 + ip_set_ip_t sizeid; /* size of set in IPs */
1235 + u_int16_t hosts; /* number of hosts in a subnet */
1238 +struct ip_set_req_ipmap_create {
1241 + ip_set_ip_t netmask;
1244 +struct ip_set_req_ipmap {
1249 +mask_to_bits(ip_set_ip_t mask)
1251 + unsigned int bits = 32;
1252 + ip_set_ip_t maskaddr;
1254 + if (mask == 0xFFFFFFFF)
1257 + maskaddr = 0xFFFFFFFE;
1258 + while (--bits >= 0 && maskaddr != mask)
1265 +range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits)
1267 + ip_set_ip_t mask = 0xFFFFFFFE;
1270 + while (--(*bits) >= 0 && mask && (to & mask) != from)
1276 +#endif /* __IP_SET_IPMAP_H */
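Review bot: The `--bits >= 0` test in `mask_to_bits` can never fail because `bits` is declared `unsigned int`, so the loop ends only when `maskaddr` equals `mask`. The loop body is not shown in this hunk, but if it shifts `maskaddr` left, as the initial `0xFFFFFFFE` suggests, a non-contiguous netmask never matches and the loop does not terminate. `range_to_mask` has the same always-true `--(*bits) >= 0` and is bounded only by its `&& mask` term. Declaring `int bits = 32;` and guarding on the shifted value, `while (--bits >= 0 && maskaddr && maskaddr != mask)`, would bound the first loop.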
1277 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_jhash.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_jhash.h
1278 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_jhash.h 1970-01-01 01:00:00.000000000 +0100
1279 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_jhash.h 2005-03-13 13:50:15.000000000 +0100
1281 +#ifndef _LINUX_IPSET_JHASH_H
1282 +#define _LINUX_IPSET_JHASH_H
1284 +/* This is a copy of linux/jhash.h but the types u32/u8 are changed
1285 + * to __u32/__u8 so that the header file can be included into
1286 + * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
1289 +/* jhash.h: Jenkins hash support.
1291 + * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
1293 + * http://burtleburtle.net/bob/hash/
1295 + * These are the credits from Bob's sources:
1297 + * lookup2.c, by Bob Jenkins, December 1996, Public Domain.
1298 + * hash(), hash2(), hash3, and mix() are externally useful functions.
1299 + * Routines to test the hash are included if SELF_TEST is defined.
1300 + * You can use this free for any purpose. It has no warranty.
1302 + * Copyright (C) 2003 David S. Miller (davem@redhat.com)
1304 + * I've modified Bob's hash to be useful in the Linux kernel, and
1305 + * any bugs present are surely my fault. -DaveM
1308 +/* NOTE: Arguments are modified. */
1309 +#define __jhash_mix(a, b, c) \
1311 + a -= b; a -= c; a ^= (c>>13); \
1312 + b -= c; b -= a; b ^= (a<<8); \
1313 + c -= a; c -= b; c ^= (b>>13); \
1314 + a -= b; a -= c; a ^= (c>>12); \
1315 + b -= c; b -= a; b ^= (a<<16); \
1316 + c -= a; c -= b; c ^= (b>>5); \
1317 + a -= b; a -= c; a ^= (c>>3); \
1318 + b -= c; b -= a; b ^= (a<<10); \
1319 + c -= a; c -= b; c ^= (b>>15); \
1322 +/* The golden ration: an arbitrary value */
1323 +#define JHASH_GOLDEN_RATIO 0x9e3779b9
1325 +/* The most generic version, hashes an arbitrary sequence
1326 + * of bytes. No alignment or length assumptions are made about
1329 +static inline __u32 jhash(void *key, __u32 length, __u32 initval)
1331 + __u32 a, b, c, len;
1335 + a = b = JHASH_GOLDEN_RATIO;
1338 + while (len >= 12) {
1339 + a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24));
1340 + b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24));
1341 + c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24));
1343 + __jhash_mix(a,b,c);
1351 + case 11: c += ((__u32)k[10]<<24);
1352 + case 10: c += ((__u32)k[9]<<16);
1353 + case 9 : c += ((__u32)k[8]<<8);
1354 + case 8 : b += ((__u32)k[7]<<24);
1355 + case 7 : b += ((__u32)k[6]<<16);
1356 + case 6 : b += ((__u32)k[5]<<8);
1357 + case 5 : b += k[4];
1358 + case 4 : a += ((__u32)k[3]<<24);
1359 + case 3 : a += ((__u32)k[2]<<16);
1360 + case 2 : a += ((__u32)k[1]<<8);
1361 + case 1 : a += k[0];
1364 + __jhash_mix(a,b,c);
1369 +/* A special optimized version that handles 1 or more of __u32s.
1370 + * The length parameter here is the number of __u32s in the key.
1372 +static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval)
1374 + __u32 a, b, c, len;
1376 + a = b = JHASH_GOLDEN_RATIO;
1380 + while (len >= 3) {
1384 + __jhash_mix(a, b, c);
1391 + case 2 : b += k[1];
1392 + case 1 : a += k[0];
1395 + __jhash_mix(a,b,c);
1401 +/* A special ultra-optimized versions that knows they are hashing exactly
1402 + * 3, 2 or 1 word(s).
1404 + * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
1405 + * done at the end is not done here.
1407 +static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval)
1409 + a += JHASH_GOLDEN_RATIO;
1410 + b += JHASH_GOLDEN_RATIO;
1413 + __jhash_mix(a, b, c);
1418 +static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval)
1420 + return jhash_3words(a, b, 0, initval);
1423 +static inline __u32 jhash_1word(__u32 a, __u32 initval)
1425 + return jhash_3words(a, 0, 0, initval);
1428 +#endif /* _LINUX_IPSET_JHASH_H */
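Review bot: None of the comments on `jhash`, `jhash2` or `jhash_3words` says what `initval` is for. The set headers in this patch hash addresses (`initval for jhash_1word` in `struct ip_set_iphash`), and with a fixed or guessable seed a sender can pick addresses that collide in the table. I would add above `jhash`: `/* initval seeds the hash; pass a per-table random value when keys are untrusted. */`. The `switch` tails in `jhash` and `jhash2` also depend on every `case` falling through to the next, which deserves a `/* all cases fall through */` comment so nobody adds `break` later.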
1429 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_macipmap.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_macipmap.h
1430 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_macipmap.h 1970-01-01 01:00:00.000000000 +0100
1431 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_macipmap.h 2005-03-13 13:50:15.000000000 +0100
1433 +#ifndef __IP_SET_MACIPMAP_H
1434 +#define __IP_SET_MACIPMAP_H
1436 +#include <linux/netfilter_ipv4/ip_set.h>
1438 +#define SETTYPE_NAME "macipmap"
1439 +#define MAX_RANGE 0x0000FFFF
1441 +/* general flags */
1442 +#define IPSET_MACIP_MATCHUNSET 1
1445 +#define IPSET_MACIP_ISSET 1
1447 +struct ip_set_macipmap {
1448 + void *members; /* the macipmap proper */
1449 + ip_set_ip_t first_ip; /* host byte order, included in range */
1450 + ip_set_ip_t last_ip; /* host byte order, included in range */
1454 +struct ip_set_req_macipmap_create {
1460 +struct ip_set_req_macipmap {
1462 + unsigned char ethernet[ETH_ALEN];
1465 +struct ip_set_macip {
1466 + unsigned short flags;
1467 + unsigned char ethernet[ETH_ALEN];
1470 +#endif /* __IP_SET_MACIPMAP_H */
1471 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_malloc.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_malloc.h
1472 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_malloc.h 1970-01-01 01:00:00.000000000 +0100
1473 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_malloc.h 2005-03-13 22:59:30.000000000 +0100
1475 +#ifndef _IP_SET_MALLOC_H
1476 +#define _IP_SET_MALLOC_H
1478 +#endif /*_IP_SET_MALLOC_H*/
1479 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_nethash.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_nethash.h
1480 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_nethash.h 1970-01-01 01:00:00.000000000 +0100
1481 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_nethash.h 2005-03-13 22:59:44.000000000 +0100
1483 +#ifndef __IP_SET_NETHASH_H
1484 +#define __IP_SET_NETHASH_H
1486 +#include <linux/netfilter_ipv4/ip_set.h>
1488 +#define SETTYPE_NAME "nethash"
1489 +#define MAX_RANGE 0x0000FFFF
1491 +struct ip_set_nethash {
1492 + ip_set_ip_t *members; /* the nethash proper */
1493 + uint32_t initval; /* initval for jhash_1word */
1494 + uint32_t prime; /* prime for double hashing */
1495 + uint32_t hashsize; /* hash size */
1496 + uint16_t probes; /* max number of probes */
1497 + uint16_t resize; /* resize factor in percent */
1498 + unsigned char cidr[30]; /* CIDR sizes */
1501 +struct ip_set_req_nethash_create {
1502 + uint32_t hashsize;
1507 +struct ip_set_req_nethash {
1509 + unsigned char cidr;
1512 +static unsigned char shifts[] = {255, 253, 249, 242, 225, 193, 129, 1};
1514 +static inline ip_set_ip_t
1515 +pack(ip_set_ip_t ip, unsigned char cidr)
1517 + ip_set_ip_t addr, *paddr = &addr;
1518 + unsigned char n, t, *a;
1520 + addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr))));
1523 + a = &((unsigned char *)paddr)[n];
1524 + *a = *a /(1 << (8 - t)) + shifts[t];
1526 + return ntohl(addr);
1529 +#endif /* __IP_SET_NETHASH_H */
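Review bot: `pack` shifts `0xFFFFFFFF` left by `32 - cidr` with no range check, so `cidr == 0` gives a shift by the full width and `cidr > 32` gives a negative count, both undefined in C. `cidr` is an `unsigned char` that `struct ip_set_req_nethash` carries in a request, and no validation is visible in this header. State the contract on the function at least, e.g. `/* cidr must be in 1..32; callers validate request data before calling */`, and confirm that the callers enforce it. The `shifts` table is only read in the lines shown and could be `static const unsigned char shifts[]`; the statements that compute its index `t` are not shown in this hunk.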
1530 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_portmap.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_portmap.h
1531 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_portmap.h 1970-01-01 01:00:00.000000000 +0100
1532 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_portmap.h 2005-03-13 13:50:15.000000000 +0100
1534 +#ifndef __IP_SET_PORTMAP_H
1535 +#define __IP_SET_PORTMAP_H
1537 +#include <linux/netfilter_ipv4/ip_set.h>
1539 +#define SETTYPE_NAME "portmap"
1540 +#define MAX_RANGE 0x0000FFFF
1541 +#define INVALID_PORT (MAX_RANGE + 1)
1543 +struct ip_set_portmap {
1544 + void *members; /* the portmap proper */
1545 + ip_set_ip_t first_port; /* host byte order, included in range */
1546 + ip_set_ip_t last_port; /* host byte order, included in range */
1549 +struct ip_set_req_portmap_create {
1554 +struct ip_set_req_portmap {
1558 +#endif /* __IP_SET_PORTMAP_H */
1559 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_prime.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_prime.h
1560 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_set_prime.h 1970-01-01 01:00:00.000000000 +0100
1561 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_set_prime.h 2005-03-13 13:50:15.000000000 +0100
1563 +#ifndef __IP_SET_PRIME_H
1564 +#define __IP_SET_PRIME_H
1566 +static inline unsigned make_prime_bound(unsigned nr)
1568 + unsigned long long nr64 = nr;
1569 + unsigned long long x = 1;
1571 + while (x <= nr64) { x <<= 2; nr <<= 1; }
1575 +static inline int make_prime_check(unsigned nr)
1578 + unsigned b = make_prime_bound(nr);
1580 + if (0 == (nr % x)) return 0;
1586 +static unsigned make_prime(unsigned nr)
1588 + if (0 == (nr & 1)) nr--;
1590 + if (make_prime_check(nr)) return nr;
1596 +#endif /* __IP_SET_PRIME_H */
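Review bot: `make_prime` decrements an even `nr` before any range check, so `make_prime(0)` wraps to `UINT_MAX` and the search starts from there instead of failing. The rest of the body is not shown in this hunk, so the result is inferred; if `nr` can come from a request field such as `hashsize`, an early `if (nr == 0) return 0;` would make the behaviour explicit, assuming 0 is the function's no-result value. `make_prime` is also plain `static` while the two helpers are `static inline`, so every file that includes this header without calling it gets an unused-function warning; `static inline unsigned make_prime(unsigned nr)` matches the others.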
1597 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_tables.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_tables.h
1598 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ip_tables.h 2005-03-13 21:53:55.000000000 +0100
1599 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ip_tables.h 2005-03-13 22:59:58.000000000 +0100
1602 /* Values for "flag" field in struct ipt_ip (general ip structure). */
1603 #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
1604 -#define IPT_F_MASK 0x01 /* All possible flag bits mask. */
1605 +#define IPT_F_GOTO 0x02 /* Set if jump is a goto */
1606 +#define IPT_F_MASK 0x03 /* All possible flag bits mask. */
1608 /* Values for "inv" field in struct ipt_ip. */
1609 #define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
1610 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_account.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_account.h
1611 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_account.h 1970-01-01 01:00:00.000000000 +0100
1612 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_account.h 2005-03-13 13:50:15.000000000 +0100
1615 + * accounting match (ipt_account.c)
1616 + * (C) 2003,2004 by Piotr Gasidlo (quaker@barbara.eu.org)
1620 + * This software is distributed under the terms of GNU GPL
1623 +#ifndef _IPT_ACCOUNT_H_
1624 +#define _IPT_ACCOUNT_H_
1626 +#define IPT_ACCOUNT_NAME_LEN 64
1628 +#define IPT_ACCOUNT_NAME "ipt_account"
1629 +#define IPT_ACCOUNT_VERSION "0.1.7"
1631 +struct t_ipt_account_info {
1632 + char name[IPT_ACCOUNT_NAME_LEN];
1633 + u_int32_t network;
1634 + u_int32_t netmask;
1635 + int shortlisting:1;
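Review bot: `int shortlisting:1;` is a one-bit field of plain `int`, whose signedness is implementation-defined; where it is signed it holds 0 and -1, and a test such as `shortlisting == 1` is never true. `unsigned int shortlisting:1;` removes the ambiguity. Bit-field layout is also compiler-dependent, which matters for a struct shared between userspace and the kernel, so a plain `u_int8_t` flag may be the safer choice. The struct continues past the lines shown here.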
1640 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_fuzzy.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_fuzzy.h
1641 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
1642 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_fuzzy.h 2005-03-13 13:50:15.000000000 +0100
1644 +#ifndef _IPT_FUZZY_H
1645 +#define _IPT_FUZZY_H
1647 +#include <linux/param.h>
1648 +#include <linux/types.h>
1650 +#define MAXFUZZYRATE 10000000
1651 +#define MINFUZZYRATE 3
1653 +struct ipt_fuzzy_info {
1654 + u_int32_t minimum_rate;
1655 + u_int32_t maximum_rate;
1656 + u_int32_t packets_total;
1657 + u_int32_t bytes_total;
1658 + u_int32_t previous_time;
1659 + u_int32_t present_time;
1660 + u_int32_t mean_rate;
1661 + u_int8_t acceptance_rate;
1664 +#endif /*_IPT_FUZZY_H*/
1665 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_geoip.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_geoip.h
1666 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_geoip.h 1970-01-01 01:00:00.000000000 +0100
1667 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_geoip.h 2005-03-13 13:50:15.000000000 +0100
1669 +/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c
1671 + * This program is free software; you can redistribute it and/or modify
1672 + * it under the terms of the GNU General Public License as published by
1673 + * the Free Software Foundation; either version 2 of the License, or
1674 + * (at your option) any later version.
1676 + * Copyright (c) 2004 Cookinglinux
1678 +#ifndef _IPT_GEOIP_H
1679 +#define _IPT_GEOIP_H
1681 +#define IPT_GEOIP_SRC 0x01 /* Perform check on Source IP */
1682 +#define IPT_GEOIP_DST 0x02 /* Perform check on Destination IP */
1683 +#define IPT_GEOIP_INV 0x04 /* Negate the condition */
1685 +#define IPT_GEOIP_MAX 15 /* Maximum of countries */
1687 +struct geoip_subnet {
1692 +struct geoip_info {
1693 + struct geoip_subnet *subnets;
1697 + struct geoip_info *next;
1698 + struct geoip_info *prev;
1701 +struct ipt_geoip_info {
1704 + u_int16_t cc[IPT_GEOIP_MAX];
1706 + /* Used internally by the kernel */
1707 + struct geoip_info *mem[IPT_GEOIP_MAX];
1708 + u_int8_t *refcount;
1710 + /* not implemented yet:
1715 +#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF)
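Review bot: `struct ipt_geoip_info` places `struct geoip_info *mem[IPT_GEOIP_MAX]` and `u_int8_t *refcount` in the same struct as the `cc[]` array, which appears to be the data supplied with a rule, so these pointer values arrive from whoever builds it. The kernel side is not part of this patch; it should overwrite the fields when the rule is checked and never read them as received, and the comment should say so: `/* Set by the kernel; any value supplied from userspace is ignored */`. Pointer members also make the struct's size differ between a 32-bit userspace and a 64-bit kernel. Separately, `COUNTRY(cc)` uses its argument unparenthesized; `#define COUNTRY(cc) ((cc) >> 8), ((cc) & 0x00FF)` is safer.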
1719 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_IMQ.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_IMQ.h
1720 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_IMQ.h 1970-01-01 01:00:00.000000000 +0100
1721 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_IMQ.h 2005-03-13 13:50:15.000000000 +0100
1726 +struct ipt_imq_info {
1727 + unsigned int todev; /* target imq device */
1730 +#endif /* _IPT_IMQ_H */
1731 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_IPMARK.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_IPMARK.h
1732 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100
1733 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_IPMARK.h 2005-03-13 13:50:15.000000000 +0100
1735 +#ifndef _IPT_IPMARK_H_target
1736 +#define _IPT_IPMARK_H_target
1738 +struct ipt_ipmark_target_info {
1739 + unsigned long andmask;
1740 + unsigned long ormask;
1741 + unsigned int addr;
1744 +#define IPT_IPMARK_SRC 0
1745 +#define IPT_IPMARK_DST 1
1747 +#endif /*_IPT_IPMARK_H_target*/
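Review bot: `unsigned long andmask` and `unsigned long ormask` give `struct ipt_ipmark_target_info` a different size and layout for a 32-bit userspace than for a 64-bit kernel, so the two sides can disagree about where `addr` sits. The same applies to `unsigned long flags` and `unsigned long val` in ipt_osf.h and to `time_t date_start` in ipt_time.h later in this patch. Fixed-width members, for example `u_int32_t andmask;` and `u_int32_t ormask;`, keep the layout identical on both sides, provided 32 bits is wide enough for the mark, which this header does not show.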
1748 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_ipp2p.h
1749 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100
1750 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_ipp2p.h 2005-03-13 13:50:15.000000000 +0100
1752 +#ifndef __IPT_IPP2P_H
1753 +#define __IPT_IPP2P_H
1754 +#define IPP2P_VERSION "0.7.2"
1756 +struct ipt_p2p_info {
1761 +#endif //__IPT_IPP2P_H
1763 +#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/
1764 +#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/
1765 +#define SHORT_HAND_NONE 5 /* no short hand*/
1767 +#define IPP2P_EDK 2
1768 +#define IPP2P_DATA_KAZAA 8
1769 +#define IPP2P_DATA_EDK 16
1770 +#define IPP2P_DATA_DC 32
1771 +#define IPP2P_DC 64
1772 +#define IPP2P_DATA_GNU 128
1773 +#define IPP2P_GNU 256
1774 +#define IPP2P_KAZAA 512
1775 +#define IPP2P_BIT 1024
1776 +#define IPP2P_APPLE 2048
1777 +#define IPP2P_SOUL 4096
1778 +#define IPP2P_WINMX 8192
1779 +#define IPP2P_ARES 16384
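Review bot: The include guard is closed by `#endif //__IPT_IPP2P_H` before the `SHORT_HAND_*` and `IPP2P_*` defines, so all of them sit outside it. Repeating an identical `#define` is tolerated, so this compiles today, but any later edit that makes one of them non-identical on a second inclusion will break includers. Moving the `#endif` to the end of the file, after `#define IPP2P_ARES 16384`, puts the constants under the guard.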
1781 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_ipv4options.h
1782 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
1783 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_ipv4options.h 2005-03-13 13:50:15.000000000 +0100
1785 +#ifndef __ipt_ipv4options_h_included__
1786 +#define __ipt_ipv4options_h_included__
1788 +#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
1789 +#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
1790 +#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
1791 +#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
1792 +#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
1793 +#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
1794 +#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
1795 +#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
1796 +#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
1797 +#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
1798 +#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
1800 +struct ipt_ipv4options_info {
1801 + u_int16_t options;
1805 +#endif /* __ipt_ipv4options_h_included__ */
1806 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_nth.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_nth.h
1807 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_nth.h 1970-01-01 01:00:00.000000000 +0100
1808 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_nth.h 2005-03-13 13:50:15.000000000 +0100
1813 +#include <linux/param.h>
1814 +#include <linux/types.h>
1816 +#ifndef IPT_NTH_NUM_COUNTERS
1817 +#define IPT_NTH_NUM_COUNTERS 16
1820 +struct ipt_nth_info {
1828 +#endif /*_IPT_NTH_H*/
1829 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_osf.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_osf.h
1830 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_osf.h 1970-01-01 01:00:00.000000000 +0100
1831 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_osf.h 2005-03-13 23:00:33.000000000 +0100
1836 + * Copyright (c) 2003 Evgeniy Polyakov <johnpol@2ka.mipt.ru>
1839 + * This program is free software; you can redistribute it and/or modify
1840 + * it under the terms of the GNU General Public License as published by
1841 + * the Free Software Foundation; either version 2 of the License, or
1842 + * (at your option) any later version.
1844 + * This program is distributed in the hope that it will be useful,
1845 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
1846 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1847 + * GNU General Public License for more details.
1849 + * You should have received a copy of the GNU General Public License
1850 + * along with this program; if not, write to the Free Software
1851 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
1857 +#define MAXGENRELEN 32
1858 +#define MAXDETLEN 64
1860 +#define IPT_OSF_GENRE 1
1861 +#define IPT_OSF_SMART 2
1862 +#define IPT_OSF_LOG 4
1863 +#define IPT_OSF_NETLINK 8
1865 +#define IPT_OSF_LOGLEVEL_ALL 0
1866 +#define IPT_OSF_LOGLEVEL_FIRST 1
1868 +struct ipt_osf_info
1870 + char genre[MAXGENRELEN];
1872 + unsigned long flags;
1874 + int invert; /* UNSUPPORTED */
1880 + unsigned long val;
1883 +/* This struct represents IANA options
1884 + * http://www.iana.org/assignments/tcp-parameters
1888 + unsigned char kind;
1889 + unsigned char length;
1894 +struct __list_head {
1895 + struct __list_head *next, *prev;
1900 + struct __list_head flist;
1901 + struct osf_wc wss;
1902 + unsigned char ttl;
1905 + unsigned char genre[MAXGENRELEN];
1906 + unsigned char version[MAXGENRELEN], subtype[MAXGENRELEN];
1908 + /* Not needed, but for consistency with original table from Michal Zalewski */
1909 + unsigned char details[MAXDETLEN];
1912 + struct osf_opt opt[MAX_IPOPTLEN]; /* In case it is all NOP or EOL */
1916 +struct ipt_osf_nlmsg
1918 + struct osf_finger f;
1920 + struct tcphdr tcp;
1923 +#endif /* _IPT_OSF_H */
1924 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_policy.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_policy.h
1925 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_policy.h 1970-01-01 01:00:00.000000000 +0100
1926 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_policy.h 2005-03-13 13:50:15.000000000 +0100
1928 +#ifndef _IPT_POLICY_H
1929 +#define _IPT_POLICY_H
1931 +#define POLICY_MAX_ELEM 4
1933 +enum ipt_policy_flags
1935 + POLICY_MATCH_IN = 0x1,
1936 + POLICY_MATCH_OUT = 0x2,
1937 + POLICY_MATCH_NONE = 0x4,
1938 + POLICY_MATCH_STRICT = 0x8,
1941 +enum ipt_policy_modes
1943 + POLICY_MODE_TRANSPORT,
1944 + POLICY_MODE_TUNNEL
1947 +struct ipt_policy_spec
1957 +struct ipt_policy_elem
1968 + struct ipt_policy_spec match;
1969 + struct ipt_policy_spec invert;
1972 +struct ipt_policy_info
1974 + struct ipt_policy_elem pol[POLICY_MAX_ELEM];
1979 +#endif /* _IPT_POLICY_H */
1980 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_set.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_set.h
1981 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_set.h 1970-01-01 01:00:00.000000000 +0100
1982 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_set.h 2005-03-13 13:50:15.000000000 +0100
1987 +#include <linux/netfilter_ipv4/ip_set.h>
1989 +struct ipt_set_info {
1990 + ip_set_id_t index;
1991 + u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
1995 +struct ipt_set_info_match {
1996 + struct ipt_set_info match_set;
1999 +struct ipt_set_info_target {
2000 + struct ipt_set_info add_set;
2001 + struct ipt_set_info del_set;
2004 +#endif /*_IPT_SET_H*/
2005 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_string.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_string.h
2006 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_string.h 1970-01-01 01:00:00.000000000 +0100
2007 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_string.h 2005-03-13 18:21:35.000000000 +0100
2009 +#ifndef _IPT_STRING_H
2010 +#define _IPT_STRING_H
2012 +/* *** PERFORMANCE TWEAK ***
2013 + * Packet size and search string threshold,
2014 + * above which sublinear searches is used. */
2015 +#define IPT_STRING_HAYSTACK_THRESH 100
2016 +#define IPT_STRING_NEEDLE_THRESH 20
2018 +#define BM_MAX_NLEN 256
2019 +#define BM_MAX_HLEN 1024
2021 +typedef char *(*proc_ipt_search) (char *, char *, int, int);
2023 +struct ipt_string_info {
2024 + char string[BM_MAX_NLEN];
2029 +#endif /* _IPT_STRING_H */
2030 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_time.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_time.h
2031 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_time.h 1970-01-01 01:00:00.000000000 +0100
2032 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_time.h 2005-03-13 13:50:15.000000000 +0100
2034 +#ifndef __ipt_time_h_included__
2035 +#define __ipt_time_h_included__
2038 +struct ipt_time_info {
2039 + u_int8_t days_match; /* 1 bit per day. -SMTWTFS */
2040 + u_int16_t time_start; /* 0 < time_start < 23*60+59 = 1439 */
2041 + u_int16_t time_stop; /* 0:0 < time_stat < 23:59 */
2042 + u_int8_t kerneltime; /* ignore skb time (and use kerneltime) or not. */
2043 + time_t date_start;
2048 +#endif /* __ipt_time_h_included__ */
2049 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_TTL.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_TTL.h
2050 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_TTL.h 1970-01-01 01:00:00.000000000 +0100
2051 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_TTL.h 2005-03-13 13:50:15.000000000 +0100
2053 +/* TTL modification module for IP tables
2054 + * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
2065 +#define IPT_TTL_MAXMODE IPT_TTL_DEC
2067 +struct ipt_TTL_info {
2074 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_u32.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_u32.h
2075 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_u32.h 1970-01-01 01:00:00.000000000 +0100
2076 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_u32.h 2005-03-13 18:31:34.000000000 +0100
2080 +#include <linux/netfilter_ipv4/ip_tables.h>
2090 +struct ipt_u32_location_element
2095 +struct ipt_u32_value_element
2100 +/* *** any way to allow for an arbitrary number of elements?
2101 + for now I settle for a limit of 10 of each */
2102 +#define U32MAXSIZE 10
2103 +struct ipt_u32_test
2106 + struct ipt_u32_location_element location[U32MAXSIZE+1];
2108 + struct ipt_u32_value_element value[U32MAXSIZE+1];
2114 + struct ipt_u32_test tests[U32MAXSIZE+1];
2117 +#endif /*_IPT_U32_H*/
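Review bot: The `location` and `value` arrays in `struct ipt_u32_test` and the `tests` array are declared with `U32MAXSIZE+1` slots, while the comment above the define speaks of "a limit of 10 of each", so the header does not say whether the valid element count is 10 or 11. These structs are filled in by userspace and indexed by the kernel match, so the bound belongs next to `#define U32MAXSIZE 10` as a comment that names the count members and their maximum. The module should check those counts against the same bound when the rule is loaded, before any indexing. The count members themselves are in lines not shown in this view, so confirm their names and types against the full file.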
2118 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_XOR.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_XOR.h
2119 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv4/ipt_XOR.h 1970-01-01 01:00:00.000000000 +0100
2120 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv4/ipt_XOR.h 2005-03-13 13:50:15.000000000 +0100
2125 +struct ipt_XOR_info {
2127 + u_int8_t block_size;
2130 +#endif /* _IPT_XOR_H */
2131 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6_logging.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6_logging.h
2132 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6_logging.h 1970-01-01 01:00:00.000000000 +0100
2133 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6_logging.h 2005-03-13 22:51:05.000000000 +0100
2135 +/* IPv6 macros for the nternal logging interface. */
2136 +#ifndef __IP6_LOGGING_H
2137 +#define __IP6_LOGGING_H
2139 +#endif /*__IP6_LOGGING_H*/
2140 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_fuzzy.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_fuzzy.h
2141 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
2142 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_fuzzy.h 2005-03-13 13:50:15.000000000 +0100
2144 +#ifndef _IP6T_FUZZY_H
2145 +#define _IP6T_FUZZY_H
2147 +#include <linux/param.h>
2148 +#include <linux/types.h>
2150 +#define MAXFUZZYRATE 10000000
2151 +#define MINFUZZYRATE 3
2153 +struct ip6t_fuzzy_info {
2154 + u_int32_t minimum_rate;
2155 + u_int32_t maximum_rate;
2156 + u_int32_t packets_total;
2157 + u_int32_t bytes_total;
2158 + u_int32_t previous_time;
2159 + u_int32_t present_time;
2160 + u_int32_t mean_rate;
2161 + u_int8_t acceptance_rate;
2164 +#endif /*_IP6T_FUZZY_H*/
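Review bot: `struct ip6t_fuzzy_info` mixes what look like rule parameters (`minimum_rate`, `maximum_rate`) with what look like running state (`packets_total`, `bytes_total`, `previous_time`, `present_time`, `mean_rate`, `acceptance_rate`), and nothing marks which fields userspace sets and which the kernel updates. If the match writes the state fields from the packet path, they are shared between CPUs with no lock visible in this header, and whatever userspace put in them needs to be reset at rule load, with the two rates range-checked against `MINFUZZYRATE`/`MAXFUZZYRATE`. I would add group comments `/* set by userspace */` and `/* kernel-maintained state, ignored on input */`. The two limits would also be safer with a prefix (for example `IP6T_FUZZY_MINRATE`), since unprefixed names in an exported header collide easily.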
2165 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_HL.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_HL.h
2166 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_HL.h 1970-01-01 01:00:00.000000000 +0100
2167 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_HL.h 2005-03-13 13:50:15.000000000 +0100
2169 +/* Hop Limit modification module for ip6tables
2170 + * Maciej Soltysiak <solt@dns.toxicfilms.tv>
2171 + * Based on HW's TTL module */
2182 +#define IP6T_HL_MAXMODE IP6T_HL_DEC
2184 +struct ip6t_HL_info {
2186 + u_int8_t hop_limit;
2191 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_IMQ.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_IMQ.h
2192 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_IMQ.h 1970-01-01 01:00:00.000000000 +0100
2193 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_IMQ.h 2005-03-13 13:50:15.000000000 +0100
2195 +#ifndef _IP6T_IMQ_H
2196 +#define _IP6T_IMQ_H
2198 +struct ip6t_imq_info {
2199 + unsigned int todev; /* target imq device */
2202 +#endif /* _IP6T_IMQ_H */
2203 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_nth.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_nth.h
2204 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_nth.h 1970-01-01 01:00:00.000000000 +0100
2205 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_nth.h 2005-03-13 13:50:15.000000000 +0100
2207 +#ifndef _IP6T_NTH_H
2208 +#define _IP6T_NTH_H
2210 +#include <linux/param.h>
2211 +#include <linux/types.h>
2213 +#ifndef IP6T_NTH_NUM_COUNTERS
2214 +#define IP6T_NTH_NUM_COUNTERS 16
2217 +struct ip6t_nth_info {
2225 +#endif /*_IP6T_NTH_H*/
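Review bot: `IP6T_NTH_NUM_COUNTERS` is wrapped in `#ifndef`, so the userspace tool and the kernel module can be built from this header with different counter counts. The members of `struct ip6t_nth_info` are not shown in this view, but if one of them selects a counter, the module has to compare it with its own compiled-in value when the rule is loaded rather than rely on what userspace considered valid. A comment on the define would make that explicit: `/* may be overridden at build time; the kernel validates the counter index against its own value */`.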
2226 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_owner.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_owner.h
2227 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_owner.h 2004-10-31 20:56:06.000000000 +0100
2228 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_owner.h 2005-03-13 13:50:15.000000000 +0100
2230 #define IP6T_OWNER_GID 0x02
2231 #define IP6T_OWNER_PID 0x04
2232 #define IP6T_OWNER_SID 0x08
2233 +#define IP6T_OWNER_COMM 0x10
2235 struct ip6t_owner_info {
2241 u_int8_t match, invert; /* flags */
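Review bot: The new `IP6T_OWNER_COMM` flag is added without a comment, and unlike a UID or GID a command name is chosen by the process itself, so a rule keyed on it distinguishes cooperating programs but does not constrain an untrusted one. I would document that at the define: `#define IP6T_OWNER_COMM 0x10 /* match task command name; set by the task, not a trust boundary */`. The body of `struct ip6t_owner_info` continues in lines not shown here. Whichever member carries the name should have a fixed size, and the kernel comparison should be bounded by that size rather than by a terminator supplied from userspace.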
2244 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_policy.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_policy.h
2245 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_policy.h 1970-01-01 01:00:00.000000000 +0100
2246 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_policy.h 2005-03-13 13:50:15.000000000 +0100
2248 +#ifndef _IP6T_POLICY_H
2249 +#define _IP6T_POLICY_H
2251 +#define POLICY_MAX_ELEM 4
2253 +enum ip6t_policy_flags
2255 + POLICY_MATCH_IN = 0x1,
2256 + POLICY_MATCH_OUT = 0x2,
2257 + POLICY_MATCH_NONE = 0x4,
2258 + POLICY_MATCH_STRICT = 0x8,
2261 +enum ip6t_policy_modes
2263 + POLICY_MODE_TRANSPORT,
2264 + POLICY_MODE_TUNNEL
2267 +struct ip6t_policy_spec
2277 +struct ip6t_policy_elem
2279 + struct in6_addr saddr;
2280 + struct in6_addr smask;
2281 + struct in6_addr daddr;
2282 + struct in6_addr dmask;
2288 + struct ip6t_policy_spec match;
2289 + struct ip6t_policy_spec invert;
2292 +struct ip6t_policy_info
2294 + struct ip6t_policy_elem pol[POLICY_MAX_ELEM];
2299 +#endif /* _IP6T_POLICY_H */
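Review bot: The enumerators and the element limit in this header are unprefixed (`POLICY_MATCH_IN`, `POLICY_MODE_TUNNEL`, `POLICY_MAX_ELEM`), so a translation unit that also includes an IPv4 counterpart using the same names would not compile, and the names are generic enough to clash with application code. Prefixing them (`IP6T_POLICY_MATCH_IN`, `IP6T_POLICY_MAX_ELEM`, and so on) avoids that. Separately, `pol[POLICY_MAX_ELEM]` is a fixed array in a struct filled by userspace. The member holding the number of elements in use is in lines not shown in this view; it needs a comment stating it must be `<= POLICY_MAX_ELEM`, and the module should reject larger values when the rule is loaded.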
2300 diff -uNr linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_REJECT.h linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_REJECT.h
2301 --- linux-libc-headers-2.6.11.0.orig/include/linux/netfilter_ipv6/ip6t_REJECT.h 1970-01-01 01:00:00.000000000 +0100
2302 +++ linux-libc-headers-2.6.11.0/include/linux/netfilter_ipv6/ip6t_REJECT.h 2005-03-13 13:50:15.000000000 +0100
2304 +#ifndef _IP6T_REJECT_H
2305 +#define _IP6T_REJECT_H
2307 +enum ip6t_reject_with {
2308 + IP6T_ICMP6_NO_ROUTE,
2309 + IP6T_ICMP6_ADM_PROHIBITED,
2310 + IP6T_ICMP6_NOT_NEIGHBOUR,
2311 + IP6T_ICMP6_ADDR_UNREACH,
2312 + IP6T_ICMP6_PORT_UNREACH,
2313 + IP6T_ICMP6_ECHOREPLY,
2317 +struct ip6t_reject_info {
2318 + enum ip6t_reject_with with; /* reject type */
2321 +#endif /*_IP6T_REJECT_H*/
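Review bot: `enum ip6t_reject_with with;` places an enum directly in `struct ip6t_reject_info`, which userspace passes to the kernel, and the width of an enum is left to the compiler (it changes under options such as `-fshort-enums`). A fixed-width member, `u_int32_t with; /* enum ip6t_reject_with */`, pins the layout for both sides. The target should also reject values outside the defined enumerators when the rule is loaded instead of falling through to a default reply. The enum's last entries are in lines not shown in this view.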