- added update patch (fixes two blocker bugs); release 2

[packages/linux-libc-headers.git] / linux-libc-headers-netfilter.patch

diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ip_pool.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ip_pool.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ip_pool.h      1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ip_pool.h   2004-03-28 17:56:33.830211432 +0200
@@ -0,0 +1,56 @@
+#ifndef _IP_POOL_H
+#define _IP_POOL_H
+
+/***************************************************************************/
+/*  This program is free software; you can redistribute it and/or modify   */
+/*  it under the terms of the GNU General Public License as published by   */
+/*  the Free Software Foundation; either version 2 of the License, or     */
+/*  (at your option) any later version.                                           */
+/*                                                                        */
+/*  This program is distributed in the hope that it will be useful,       */
+/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
+/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
+/*  GNU General Public License for more details.                          */
+/*                                                                        */
+/*  You should have received a copy of the GNU General Public License     */
+/*  along with this program; if not, write to the Free Software                   */
+/*  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/
+/***************************************************************************/
+
+/* A sockopt of such quality has hardly ever been seen before on the open
+ * market!  This little beauty, hardly ever used: above 64, so it's
+ * traditionally used for firewalling, not touched (even once!) by the
+ * 2.0, 2.2 and 2.4 kernels!
+ *
+ * Comes with its own certificate of authenticity, valid anywhere in the
+ * Free world!
+ *
+ * Rusty, 19.4.2000
+ */
+#define SO_IP_POOL 81
+
+typedef int ip_pool_t;                 /* pool index */
+#define IP_POOL_NONE   ((ip_pool_t)-1)
+
+struct ip_pool_request {
+       int op;
+       ip_pool_t index;
+       u_int32_t addr;
+       u_int32_t addr2;
+};
+
+/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */
+
+#define IP_POOL_BAD001         0x00000010
+
+#define IP_POOL_FLUSH          0x00000011      /* req.index, no arguments */
+#define IP_POOL_INIT           0x00000012      /* from addr to addr2 incl. */
+#define IP_POOL_DESTROY                0x00000013      /* req.index, no arguments */
+#define IP_POOL_ADD_ADDR       0x00000014      /* add addr to pool */
+#define IP_POOL_DEL_ADDR       0x00000015      /* del addr from pool */
+#define IP_POOL_HIGH_NR                0x00000016      /* result in req.index */
+#define IP_POOL_LOOKUP         0x00000017      /* result in addr and addr2 */
+#define IP_POOL_USAGE          0x00000018      /* result in addr */
+#define IP_POOL_TEST_ADDR      0x00000019      /* result (0/1) returned */
+
+#endif /*_IP_POOL_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_addrtype.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_addrtype.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_addrtype.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_addrtype.h      2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,11 @@
+#ifndef _IPT_ADDRTYPE_H
+#define _IPT_ADDRTYPE_H
+
+struct ipt_addrtype_info {
+       u_int16_t       source;         /* source-type mask */
+       u_int16_t       dest;           /* dest-type mask */
+       int             invert_source;
+       int             invert_dest;
+};
+
+#endif
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_childlevel.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_childlevel.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_childlevel.h       1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_childlevel.h    2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,22 @@
+/* 
+  By Matthew Strait <quadong@users.sf.net>, Dec 2003.
+  http://l7-filter.sf.net
+
+  This program is free software; you can redistribute it and/or
+  modify it under the terms of the GNU General Public License
+  as published by the Free Software Foundation; either version
+  2 of the License, or (at your option) any later version.
+  http://www.gnu.org/licenses/gpl.txt
+*/
+
+#ifndef _IPT_CHILDLEVEL_H
+#define _IPT_CHILDLEVEL_H
+
+typedef char *(*proc_ipt_search) (u_int32_t, u_int8_t);
+
+struct ipt_childlevel_info {
+       u_int32_t childlevel; 
+       u_int8_t invert;
+};
+
+#endif /* _IPT_CHILDLEVEL_H */
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_connlimit.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_connlimit.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_connlimit.h        1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_connlimit.h     2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
+
+struct ipt_connlimit_data;
+
+struct ipt_connlimit_info {
+       int limit;
+       int inverse;
+       u_int32_t mask;
+       struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_connmark.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_connmark.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_connmark.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_connmark.h      2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,18 @@
+#ifndef _IPT_CONNMARK_H
+#define _IPT_CONNMARK_H
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+struct ipt_connmark_info {
+       unsigned long mark, mask;
+       u_int8_t invert;
+};
+
+#endif /*_IPT_CONNMARK_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_CONNMARK.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_CONNMARK.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_CONNMARK.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_CONNMARK.h      2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,25 @@
+#ifndef _IPT_CONNMARK_H_target
+#define _IPT_CONNMARK_H_target
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+       IPT_CONNMARK_SET = 0,
+       IPT_CONNMARK_SAVE,
+       IPT_CONNMARK_RESTORE
+};
+
+struct ipt_connmark_target_info {
+       unsigned long mark;
+       unsigned long mask;
+       u_int8_t mode;
+};
+
+#endif /*_IPT_CONNMARK_H_target*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_conntrack.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_conntrack.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_conntrack.h        2004-03-05 16:36:39.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_conntrack.h     2004-03-22 21:13:43.000000000 +0100
@@ -10,6 +10,7 @@
 
 #define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
 #define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
+#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
 
 /* flags, invflags: */
 #define IPT_CONNTRACK_STATE    0x01
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_dstlimit.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_dstlimit.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_dstlimit.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_dstlimit.h      2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,39 @@
+#ifndef _IPT_DSTLIMIT_H
+#define _IPT_DSTLIMIT_H
+
+/* timings are in milliseconds. */
+#define IPT_DSTLIMIT_SCALE 10000
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+   seconds, or one every 59 hours. */
+
+/* details of this structure hidden by the implementation */
+struct ipt_dstlimit_htable;
+
+#define IPT_DSTLIMIT_HASH_DIP  0x0001
+#define IPT_DSTLIMIT_HASH_DPT  0x0002
+#define IPT_DSTLIMIT_HASH_SIP  0x0004
+
+struct dstlimit_cfg {
+       u_int32_t mode;   /* bitmask of IPT_DSTLIMIT_HASH_* */
+       u_int32_t avg;    /* Average secs between packets * scale */
+       u_int32_t burst;  /* Period multiplier for upper limit. */
+
+       /* user specified */
+       u_int32_t size;         /* how many buckets */
+       u_int32_t max;          /* max number of entries */
+       u_int32_t gc_interval;  /* gc interval */
+       u_int32_t expire;       /* when do entries expire? */
+};
+
+struct ipt_dstlimit_info {
+       char name [IFNAMSIZ];           /* name */
+       struct dstlimit_cfg cfg;
+       struct ipt_dstlimit_htable *hinfo;
+
+       /* Used internally by the kernel */
+       union {
+               void *ptr;
+               struct ipt_dstlimit_info *master;
+       } u;
+};
+#endif /*_IPT_DSTLIMIT_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_fuzzy.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_fuzzy.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_fuzzy.h    1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_fuzzy.h 2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,21 @@
+#ifndef _IPT_FUZZY_H
+#define _IPT_FUZZY_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ipt_fuzzy_info {
+       u_int32_t minimum_rate;
+       u_int32_t maximum_rate;
+       u_int32_t packets_total;
+       u_int32_t bytes_total;
+       u_int32_t previous_time;
+       u_int32_t present_time;
+       u_int32_t mean_rate;
+       u_int8_t acceptance_rate;
+};
+
+#endif /*_IPT_FUZZY_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_IMQ.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_IMQ.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_IMQ.h      1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_IMQ.h   2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,8 @@
+#ifndef _IPT_IMQ_H
+#define _IPT_IMQ_H
+
+struct ipt_imq_info {
+       unsigned int todev;     /* target imq device */
+};
+
+#endif /* _IPT_IMQ_H */
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_IPMARK.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_IPMARK.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_IPMARK.h   1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_IPMARK.h        2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,13 @@
+#ifndef _IPT_IPMARK_H_target
+#define _IPT_IPMARK_H_target
+
+struct ipt_ipmark_target_info {
+       unsigned long andmask;
+       unsigned long ormask;
+       unsigned int addr;
+};
+
+#define IPT_IPMARK_SRC    0
+#define IPT_IPMARK_DST    1
+
+#endif /*_IPT_IPMARK_H_target*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_ipv4options.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_ipv4options.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_ipv4options.h      1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_ipv4options.h   2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+#define IPT_IPV4OPTION_MATCH_SSRR              0x01  /* For strict source routing */
+#define IPT_IPV4OPTION_MATCH_LSRR              0x02  /* For loose source routing */
+#define IPT_IPV4OPTION_DONT_MATCH_SRR          0x04  /* any source routing */
+#define IPT_IPV4OPTION_MATCH_RR                        0x08  /* For Record route */
+#define IPT_IPV4OPTION_DONT_MATCH_RR           0x10
+#define IPT_IPV4OPTION_MATCH_TIMESTAMP         0x20  /* For timestamp request */
+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP    0x40
+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT      0x80  /* For router-alert */
+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
+#define IPT_IPV4OPTION_MATCH_ANY_OPT           0x200 /* match packet with any option */
+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT      0x400 /* match packet with no option */
+
+struct ipt_ipv4options_info {
+       u_int16_t options;
+};
+
+
+#endif /* __ipt_ipv4options_h_included__ */
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_mport.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_mport.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_mport.h    1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_mport.h 2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,24 @@
+#ifndef _IPT_MPORT_H
+#define _IPT_MPORT_H
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+#define IPT_MPORT_SOURCE (1<<0)
+#define IPT_MPORT_DESTINATION (1<<1)
+#define IPT_MPORT_EITHER (IPT_MPORT_SOURCE|IPT_MPORT_DESTINATION)
+
+#define IPT_MULTI_PORTS        15
+
+/* Must fit inside union ipt_matchinfo: 32 bytes */
+/* every entry in ports[] except for the last one has one bit in pflags
+ * associated with it. If this bit is set, the port is the first port of
+ * a portrange, with the next entry being the last.
+ * End of list is marked with pflags bit set and port=65535.
+ * If 14 ports are used (last one does not have a pflag), the last port
+ * is repeated to fill the last entry in ports[] */
+struct ipt_mport
+{
+       u_int8_t flags:2;                       /* Type of comparison */
+       u_int16_t pflags:14;                    /* Port flags */
+       u_int16_t ports[IPT_MULTI_PORTS];       /* Ports */
+};
+#endif /*_IPT_MPORT_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_nth.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_nth.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_nth.h      1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_nth.h   2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,19 @@
+#ifndef _IPT_NTH_H
+#define _IPT_NTH_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#ifndef IPT_NTH_NUM_COUNTERS
+#define IPT_NTH_NUM_COUNTERS 16
+#endif
+
+struct ipt_nth_info {
+       u_int8_t every;
+       u_int8_t not;
+       u_int8_t startat;
+       u_int8_t counter;
+       u_int8_t packet;
+};
+
+#endif /*_IPT_NTH_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_osf.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_osf.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_osf.h      1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_osf.h   2004-03-28 18:01:24.309051936 +0200
@@ -0,0 +1,95 @@
+/*
+ * ipt_osf.h
+ *
+ * Copyright (c) 2003 Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _IPT_OSF_H
+#define _IPT_OSF_H
+
+#define MAXGENRELEN            32
+#define MAXDETLEN              64
+
+#define IPT_OSF_GENRE          1
+#define        IPT_OSF_SMART           2
+#define IPT_OSF_LOG            4
+#define IPT_OSF_NETLINK                8
+
+#define IPT_OSF_LOGLEVEL_ALL   0
+#define IPT_OSF_LOGLEVEL_FIRST 1
+
+
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+
+struct list_head
+{
+       struct list_head *prev, *next;
+};
+
+struct ipt_osf_info
+{
+       char                    genre[MAXGENRELEN];
+       int                     len;
+       unsigned long           flags;
+       int                     loglevel;
+       int                     invert; /* UNSUPPORTED */
+};
+
+struct osf_wc
+{
+       char                    wc;
+       unsigned long           val;
+};
+
+/* This struct represents IANA options
+ * http://www.iana.org/assignments/tcp-parameters
+ */
+struct osf_opt
+{
+       unsigned char           kind;
+       unsigned char           length;
+       struct osf_wc           wc;
+};
+
+struct osf_finger
+{
+       struct list_head        flist;
+       struct osf_wc           wss;
+       unsigned char           ttl;
+       unsigned char           df;
+       unsigned long           ss;
+       unsigned char           genre[MAXGENRELEN];
+       unsigned char           version[MAXGENRELEN], subtype[MAXGENRELEN];
+       
+       /* Not needed, but for consistency with original table from Michal Zalewski */
+       unsigned char           details[MAXDETLEN]; 
+
+       int                     opt_num;
+       struct osf_opt          opt[MAX_IPOPTLEN]; /* In case it is all NOP or EOL */
+
+};
+
+struct ipt_osf_nlmsg
+{
+       struct osf_finger       f;
+       struct iphdr            ip;
+       struct tcphdr           tcp;
+};
+
+#endif /* _IPT_OSF_H */
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_policy.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_policy.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_policy.h   1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_policy.h        2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,52 @@
+#ifndef _IPT_POLICY_H
+#define _IPT_POLICY_H
+
+#define POLICY_MAX_ELEM        4
+
+enum ipt_policy_flags
+{
+       POLICY_MATCH_IN         = 0x1,
+       POLICY_MATCH_OUT        = 0x2,
+       POLICY_MATCH_NONE       = 0x4,
+       POLICY_MATCH_STRICT     = 0x8,
+};
+
+enum ipt_policy_modes
+{
+       POLICY_MODE_TRANSPORT,
+       POLICY_MODE_TUNNEL
+};
+
+struct ipt_policy_spec
+{
+       u_int8_t        saddr:1,
+                       daddr:1,
+                       proto:1,
+                       mode:1,
+                       spi:1,
+                       reqid:1;
+};
+
+struct ipt_policy_elem
+{
+       u_int32_t       saddr;
+       u_int32_t       smask;
+       u_int32_t       daddr;
+       u_int32_t       dmask;
+       u_int32_t       spi;
+       u_int32_t       reqid;
+       u_int8_t        proto;
+       u_int8_t        mode;
+
+       struct ipt_policy_spec  match;
+       struct ipt_policy_spec  invert;
+};
+
+struct ipt_policy_info
+{
+       struct ipt_policy_elem pol[POLICY_MAX_ELEM];
+       u_int16_t flags;
+       u_int16_t len;
+};
+
+#endif /* _IPT_POLICY_H */
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_pool.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_pool.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_pool.h     1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_pool.h  2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,25 @@
+#ifndef _IPT_POOL_H
+#define _IPT_POOL_H
+
+#include <linux/netfilter_ipv4/ip_pool.h>
+
+#define IPT_POOL_INV_SRC       0x00000001
+#define IPT_POOL_INV_DST       0x00000002
+#define IPT_POOL_DEL_SRC       0x00000004
+#define IPT_POOL_DEL_DST       0x00000008
+#define IPT_POOL_INV_MOD_SRC   0x00000010
+#define IPT_POOL_INV_MOD_DST   0x00000020
+#define IPT_POOL_MOD_SRC_ACCEPT        0x00000040
+#define IPT_POOL_MOD_DST_ACCEPT        0x00000080
+#define IPT_POOL_MOD_SRC_DROP  0x00000100
+#define IPT_POOL_MOD_DST_DROP  0x00000200
+
+/* match info */
+struct ipt_pool_info
+{
+       ip_pool_t src;
+       ip_pool_t dst;
+       unsigned flags;
+};
+
+#endif /*_IPT_POOL_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_psd.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_psd.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_psd.h      1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_psd.h   2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,40 @@
+#ifndef _IPT_PSD_H
+#define _IPT_PSD_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+/*
+ * High port numbers have a lower weight to reduce the frequency of false
+ * positives, such as from passive mode FTP transfers.
+ */
+#define PORT_WEIGHT_PRIV               3
+#define PORT_WEIGHT_HIGH               1
+
+/*
+ * Port scan detection thresholds: at least COUNT ports need to be scanned
+ * from the same source, with no longer than DELAY ticks between ports.
+ */
+#define SCAN_MIN_COUNT                 7
+#define SCAN_MAX_COUNT                 (SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
+#define SCAN_WEIGHT_THRESHOLD          SCAN_MAX_COUNT
+#define SCAN_DELAY_THRESHOLD           (HZ * 3)
+
+/*
+ * Keep track of up to LIST_SIZE source addresses, using a hash table of
+ * HASH_SIZE entries for faster lookups, but limiting hash collisions to
+ * HASH_MAX source addresses per the same hash value.
+ */
+#define LIST_SIZE                      0x100
+#define HASH_LOG                       9
+#define HASH_SIZE                      (1 << HASH_LOG)
+#define HASH_MAX                       0x10
+
+struct ipt_psd_info {
+       unsigned int weight_threshold;
+       unsigned int delay_threshold;
+       unsigned short lo_ports_weight;
+       unsigned short hi_ports_weight;
+};
+
+#endif /*_IPT_PSD_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_quota.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_quota.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_quota.h    1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_quota.h 2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,11 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+
+/* print debug info in both kernel/netfilter module & iptable library */
+//#define DEBUG_IPT_QUOTA
+
+struct ipt_quota_info {
+        u_int64_t quota;
+};
+
+#endif /*_IPT_QUOTA_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_random.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_random.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_random.h   1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_random.h        2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,11 @@
+#ifndef _IPT_RAND_H
+#define _IPT_RAND_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+struct ipt_rand_info {
+       u_int8_t average;
+};
+
+#endif /*_IPT_RAND_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_realm.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_realm.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_realm.h    1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_realm.h 2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,9 @@
+#ifndef _IPT_REALM_H
+#define _IPT_REALM_H
+
+struct ipt_realm_info {
+       u_int32_t id;
+       u_int32_t mask;
+       u_int8_t invert;
+};
+#endif /*_IPT_REALM_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_sctp.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_sctp.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_sctp.h     1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_sctp.h  2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,107 @@
+#ifndef _IPT_SCTP_H_
+#define _IPT_SCTP_H_
+
+#define IPT_SCTP_SRC_PORTS             0x01
+#define IPT_SCTP_DEST_PORTS            0x02
+#define IPT_SCTP_CHUNK_TYPES           0x04
+
+#define IPT_SCTP_VALID_FLAGS           0x07
+
+#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
+
+
+struct ipt_sctp_flag_info {
+       u_int8_t chunktype;
+       u_int8_t flag;
+       u_int8_t flag_mask;
+};
+
+#define IPT_NUM_SCTP_FLAGS     4
+
+struct ipt_sctp_info {
+       u_int16_t dpts[2];  /* Min, Max */
+       u_int16_t spts[2];  /* Min, Max */
+
+       u_int32_t chunkmap[256 / sizeof (u_int32_t)];  /* Bit mask of chunks to be matched according to RFC 2960 */
+
+#define SCTP_CHUNK_MATCH_ANY   0x01  /* Match if any of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ALL   0x02  /* Match if all of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ONLY  0x04  /* Match if these are the only chunk types present */
+
+       u_int32_t chunk_match_type;
+       struct ipt_sctp_flag_info flag_info[IPT_NUM_SCTP_FLAGS];
+       int flag_count;
+
+       u_int32_t flags;
+       u_int32_t invflags;
+};
+
+#define bytes(type) (sizeof(type) * 8)
+
+#define SCTP_CHUNKMAP_SET(chunkmap, type)              \
+       do {                                            \
+               chunkmap[type / bytes(u_int32_t)] |=    \
+                       1 << (type % bytes(u_int32_t)); \
+       } while (0)
+
+#define SCTP_CHUNKMAP_CLEAR(chunkmap, type)                    \
+       do {                                                    \
+               chunkmap[type / bytes(u_int32_t)] &=            \
+                       ~(1 << (type % bytes(u_int32_t)));      \
+       } while (0)
+
+#define SCTP_CHUNKMAP_IS_SET(chunkmap, type)                   \
+({                                                             \
+       (chunkmap[type / bytes (u_int32_t)] &                   \
+               (1 << (type % bytes (u_int32_t)))) ? 1: 0;      \
+})
+
+#define SCTP_CHUNKMAP_RESET(chunkmap)                          \
+       do {                                                    \
+               int i;                                          \
+               for (i = 0; i < ELEMCOUNT(chunkmap); i++)       \
+                       chunkmap[i] = 0;                        \
+       } while (0)
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap)                        \
+       do {                                                    \
+               int i;                                          \
+               for (i = 0; i < ELEMCOUNT(chunkmap); i++)       \
+                       chunkmap[i] = ~0;                       \
+       } while (0)
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap)                    \
+       do {                                                    \
+               int i;                                          \
+               for (i = 0; i < ELEMCOUNT(chunkmap); i++)       \
+                       destmap[i] = srcmap[i];                 \
+       } while (0)
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap)               \
+({                                                     \
+       int i;                                          \
+       int flag = 1;                                   \
+       for (i = 0; i < ELEMCOUNT(chunkmap); i++) {     \
+               if (chunkmap[i]) {                      \
+                       flag = 0;                       \
+                       break;                          \
+               }                                       \
+       }                                               \
+        flag;                                          \
+})
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap)             \
+({                                                     \
+       int i;                                          \
+       int flag = 1;                                   \
+       for (i = 0; i < ELEMCOUNT(chunkmap); i++) {     \
+               if (chunkmap[i] != ~0) {                \
+                       flag = 0;                       \
+                               break;                  \
+               }                                       \
+       }                                               \
+        flag;                                          \
+})
+
+#endif /* _IPT_SCTP_H_ */
+
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_state.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_state.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_state.h    2004-03-05 16:36:39.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_state.h 2004-03-22 21:13:43.000000000 +0100
@@ -4,6 +4,8 @@
 #define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
 #define IPT_STATE_INVALID (1 << 0)
 
+#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
+
 struct ipt_state_info
 {
        unsigned int statemask;
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_time.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_time.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_time.h     1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_time.h  2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,13 @@
+#ifndef __ipt_time_h_included__
+#define __ipt_time_h_included__
+
+
+struct ipt_time_info {
+       u_int8_t  days_match;   /* 1 bit per day. -SMTWTFS                      */
+       u_int16_t time_start;   /* 0 < time_start < 23*60+59 = 1439             */
+       u_int16_t time_stop;    /* 0:0 < time_stat < 23:59                      */
+       u_int8_t  kerneltime;   /* ignore skb time (and use kerneltime) or not. */
+};
+
+
+#endif /* __ipt_time_h_included__ */
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_TTL.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_TTL.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_TTL.h      1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_TTL.h   2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,21 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+enum {
+       IPT_TTL_SET = 0,
+       IPT_TTL_INC,
+       IPT_TTL_DEC
+};
+
+#define IPT_TTL_MAXMODE        IPT_TTL_DEC
+
+struct ipt_TTL_info {
+       u_int8_t        mode;
+       u_int8_t        ttl;
+};
+
+
+#endif
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_u32.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_u32.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_u32.h      1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_u32.h   2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,40 @@
+#ifndef _IPT_U32_H
+#define _IPT_U32_H
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+enum ipt_u32_ops
+{
+       IPT_U32_AND,
+       IPT_U32_LEFTSH,
+       IPT_U32_RIGHTSH,
+       IPT_U32_AT
+};
+
+struct ipt_u32_location_element
+{
+       u_int32_t number;
+       u_int8_t nextop;
+};
+struct ipt_u32_value_element
+{
+       u_int32_t min;
+       u_int32_t max;
+};
+/* *** any way to allow for an arbitrary number of elements?
+   for now I settle for a limit of 10 of each */
+#define U32MAXSIZE 10
+struct ipt_u32_test
+{
+       u_int8_t nnums;
+       struct ipt_u32_location_element location[U32MAXSIZE+1];
+       u_int8_t nvalues;
+       struct ipt_u32_value_element value[U32MAXSIZE+1];
+};
+
+struct ipt_u32
+{
+       u_int8_t ntests;
+       struct ipt_u32_test tests[U32MAXSIZE+1];
+};
+
+#endif /*_IPT_U32_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_ULOG.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_ULOG.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_ULOG.h     2004-03-05 16:36:39.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_ULOG.h  2004-03-22 21:13:43.000000000 +0100
@@ -11,6 +11,9 @@
 #define NETLINK_NFLOG  5
 #endif
 
+#define ULOG_DEFAULT_NLGROUP   1
+#define ULOG_DEFAULT_QTHRESHOLD        1
+
 #define ULOG_MAC_LEN   80
 #define ULOG_PREFIX_LEN        32
 
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_XOR.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_XOR.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4.orig/ipt_XOR.h      1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv4/ipt_XOR.h   2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,9 @@
+#ifndef _IPT_XOR_H
+#define _IPT_XOR_H
+
+struct ipt_XOR_info {
+       char            key[30];
+       u_int8_t        block_size;
+};
+
+#endif /* _IPT_XOR_H */
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6.orig/ip6t_fuzzy.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6/ip6t_fuzzy.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6.orig/ip6t_fuzzy.h   1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6/ip6t_fuzzy.h        2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,21 @@
+#ifndef _IP6T_FUZZY_H
+#define _IP6T_FUZZY_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ip6t_fuzzy_info {
+       u_int32_t minimum_rate;
+       u_int32_t maximum_rate;
+       u_int32_t packets_total;
+       u_int32_t bytes_total;
+       u_int32_t previous_time;
+       u_int32_t present_time;
+       u_int32_t mean_rate;
+       u_int8_t acceptance_rate;
+};
+
+#endif /*_IP6T_FUZZY_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6.orig/ip6t_HL.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6/ip6t_HL.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6.orig/ip6t_HL.h      1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6/ip6t_HL.h   2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,22 @@
+/* Hop Limit modification module for ip6tables
+ * Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ * Based on HW's TTL module */
+
+#ifndef _IP6T_HL_H
+#define _IP6T_HL_H
+
+enum {
+       IP6T_HL_SET = 0,
+       IP6T_HL_INC,
+       IP6T_HL_DEC
+};
+
+#define IP6T_HL_MAXMODE        IP6T_HL_DEC
+
+struct ip6t_HL_info {
+       u_int8_t        mode;
+       u_int8_t        hop_limit;
+};
+
+
+#endif
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6.orig/ip6t_nth.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6/ip6t_nth.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6.orig/ip6t_nth.h     1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6/ip6t_nth.h  2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,19 @@
+#ifndef _IP6T_NTH_H
+#define _IP6T_NTH_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#ifndef IP6T_NTH_NUM_COUNTERS
+#define IP6T_NTH_NUM_COUNTERS 16
+#endif
+
+struct ip6t_nth_info {
+       u_int8_t every;
+       u_int8_t not;
+       u_int8_t startat;
+       u_int8_t counter;
+       u_int8_t packet;
+};
+
+#endif /*_IP6T_NTH_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6.orig/ip6t_random.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6/ip6t_random.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6.orig/ip6t_random.h  1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6/ip6t_random.h       2004-03-22 21:13:43.000000000 +0100
@@ -0,0 +1,11 @@
+#ifndef _IP6T_RAND_H
+#define _IP6T_RAND_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+struct ip6t_rand_info {
+       u_int8_t average;
+};
+
+#endif /*_IP6T_RAND_H*/
diff -uNr linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6.orig/ip6t_REJECT.h linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6/ip6t_REJECT.h
--- linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6.orig/ip6t_REJECT.h  2004-03-05 16:36:39.000000000 +0100
+++ linux-libc-headers-2.6.4.0/include/linux/netfilter_ipv6/ip6t_REJECT.h       2004-03-22 21:13:43.000000000 +0100
@@ -2,15 +2,17 @@
 #define _IP6T_REJECT_H
 
 enum ip6t_reject_with {
-       IP6T_ICMP_NET_UNREACHABLE,
-       IP6T_ICMP_HOST_UNREACHABLE,
-       IP6T_ICMP_PROT_UNREACHABLE,
-       IP6T_ICMP_PORT_UNREACHABLE,
-       IP6T_ICMP_ECHOREPLY
+       IP6T_ICMP6_NO_ROUTE,
+       IP6T_ICMP6_ADM_PROHIBITED,
+       IP6T_ICMP6_NOT_NEIGHBOUR,
+       IP6T_ICMP6_ADDR_UNREACH,
+       IP6T_ICMP6_PORT_UNREACH,
+       IP6T_ICMP6_ECHOREPLY,
+       IP6T_TCP_RESET
 };
 
 struct ip6t_reject_info {
        enum ip6t_reject_with with;      /* reject type */
 };
 
-#endif /*_IPT_REJECT_H*/
+#endif /*_IP6T_REJECT_H*/