diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h usr/include/linux/netfilter/ipv4/nf_conntrack_icmp.h --- include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/ipv4/nf_conntrack_icmp.h 2005-08-02 20:02:17.683251344 +0200 @@ -0,0 +1,17 @@ +/* + * ICMP tracking. + * + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_icmp.h + */ + +#ifndef _NF_CONNTRACK_ICMP_H +#define _NF_CONNTRACK_ICMP_H +#include + +struct nf_ct_icmp +{ + /* Optimization: when number in == number out, forget immediately. */ + atomic_t count; +}; + +#endif /* _NF_CONNTRACK_ICMP_H */ diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h usr/include/linux/netfilter/ipv4/nf_conntrack_ipv4.h --- include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/ipv4/nf_conntrack_ipv4.h 2005-08-02 20:02:17.684251192 +0200 @@ -0,0 +1,40 @@ +/* + * IPv4 support for nf_conntrack. + * + * 23 Mar 2004: Yasuyuki Kozakai @ USAGI + * - move L3 protocol dependent part from usr/include/linux/netfilter_ipv4/ + * ip_conntarck.h + */ + +#ifndef _NF_CONNTRACK_IPV4_H +#define _NF_CONNTRACK_IPV4_H + +#ifdef CONFIG_IP_NF_NAT_NEEDED +#include + +/* per conntrack: nat application helper private data */ +union ip_conntrack_nat_help { + /* insert nat helper private data here */ +}; + +struct nf_conntrack_ipv4_nat { + struct ip_nat_info info; + union ip_conntrack_nat_help help; +#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \ + defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE) + int masq_index; +#endif +}; +#endif /* CONFIG_IP_NF_NAT_NEEDED */ + +struct nf_conntrack_ipv4 { +#ifdef CONFIG_IP_NF_NAT_NEEDED + struct nf_conntrack_ipv4_nat *nat; +#endif +}; + +/* Returns new sk_buff, or NULL */ +struct sk_buff * +nf_ct_ipv4_ct_gather_frags(struct sk_buff *skb); + +#endif /*_NF_CONNTRACK_IPV4_H*/ diff -uNr include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h usr/include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h --- include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 2005-08-02 20:02:17.698249064 +0200 @@ -0,0 +1,27 @@ +/* + * ICMPv6 tracking. + * + * 21 Apl 2004: Yasuyuki Kozakai @USAGI + * - separated from nf_conntrack_icmp.h + * + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_icmp.h + */ + +#ifndef _NF_CONNTRACK_ICMPV6_H +#define _NF_CONNTRACK_ICMPV6_H +#include + +#ifndef ICMPV6_NI_QUERY +#define ICMPV6_NI_QUERY 139 +#endif +#ifndef ICMPV6_NI_REPLY +#define ICMPV6_NI_REPLY 140 +#endif + +struct nf_ct_icmpv6 +{ + /* Optimization: when number in == number out, forget immediately. */ + atomic_t count; +}; + +#endif /* _NF_CONNTRACK_ICMPV6_H */ diff -uNr include.orig/linux/netfilter/nf_conntrack_core.h usr/include/linux/netfilter/nf_conntrack_core.h --- include.orig/linux/netfilter/nf_conntrack_core.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/nf_conntrack_core.h 2005-08-02 20:02:17.687250736 +0200 @@ -0,0 +1,72 @@ +/* + * This header is used to share core functionality between the + * standalone connection tracking module, and the compatibility layer's use + * of connection tracking. + * + * 16 Dec 2003: Yasuyuki Kozakai @USAGI + * - generalize L3 protocol dependent part. + * + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_core.h + */ + +#ifndef _NF_CONNTRACK_CORE_H +#define _NF_CONNTRACK_CORE_H + +#include +#include + +/* This header is used to share core functionality between the + standalone connection tracking module, and the compatibility layer's use + of connection tracking. */ +extern unsigned int nf_conntrack_in(int pf, + unsigned int hooknum, + struct sk_buff **pskb); + +extern int nf_conntrack_init(void); +extern void nf_conntrack_cleanup(void); + +struct nf_conntrack_l3proto; +extern struct nf_conntrack_l3proto *nf_ct_find_l3proto(u_int16_t pf); +/* Like above, but you already have conntrack read lock. */ +extern struct nf_conntrack_l3proto *__nf_ct_find_l3proto(u_int16_t l3proto); + +struct nf_conntrack_protocol; + +extern int +nf_ct_get_tuple(const struct sk_buff *skb, + unsigned int nhoff, + unsigned int dataoff, + u_int16_t l3num, + u_int8_t protonum, + struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_l3proto *l3proto, + const struct nf_conntrack_protocol *protocol); + +extern int +nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, + const struct nf_conntrack_tuple *orig, + const struct nf_conntrack_l3proto *l3proto, + const struct nf_conntrack_protocol *protocol); + +/* Find a connection corresponding to a tuple. */ +extern struct nf_conntrack_tuple_hash * +nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple, + const struct nf_conn *ignored_conntrack); + +extern int __nf_conntrack_confirm(struct sk_buff **pskb); + +/* Confirm a connection: returns NF_DROP if packet must be dropped. */ +static inline int nf_conntrack_confirm(struct sk_buff **pskb) +{ + if ((*pskb)->nfct + && !is_confirmed((struct nf_conn *)(*pskb)->nfct)) + return __nf_conntrack_confirm(pskb); + return NF_ACCEPT; +} + +extern void __nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb); + +extern struct list_head *nf_conntrack_hash; +extern struct list_head nf_conntrack_expect_list; +DECLARE_RWLOCK_EXTERN(nf_conntrack_lock); +#endif /* _NF_CONNTRACK_CORE_H */ diff -uNr include.orig/linux/netfilter/nf_conntrack_ftp.h usr/include/linux/netfilter/nf_conntrack_ftp.h --- include.orig/linux/netfilter/nf_conntrack_ftp.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/nf_conntrack_ftp.h 2005-08-02 20:02:17.700248760 +0200 @@ -0,0 +1,59 @@ +/* + * nf_conntrack_ftp.h + * + * Definitions and Declarations for FTP tracking. + * + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_ftp.h + * + * 16 Dec 2003: Yasuyuki Kozakai @ USAGI + * - IPv6 support. + */ + +#ifndef _NF_CONNTRACK_FTP_H +#define _NF_CONNTRACK_FTP_H +/* FTP tracking. */ + +#ifdef __KERNEL__ + +#include + +/* Protects ftp part of conntracks */ +DECLARE_LOCK_EXTERN(ip_ftp_lock); + +#define FTP_PORT 21 + +#endif /* __KERNEL__ */ + +enum nf_ct_ftp_type +{ + /* PORT command from client */ + NF_CT_FTP_PORT, + /* PASV response from server */ + NF_CT_FTP_PASV, + /* EPRT command from client */ + NF_CT_FTP_EPRT, + /* EPSV response from server */ + NF_CT_FTP_EPSV, +}; + +#define NUM_SEQ_TO_REMEMBER 2 +/* This structure exists only once per master */ +struct nf_ct_ftp_master { + /* Valid seq positions for cmd matching after newline */ + u_int32_t seq_aft_nl[NF_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; + /* 0 means seq_match_aft_nl not set */ + int seq_aft_nl_num[NF_CT_DIR_MAX]; +}; + +struct nf_conntrack_expect; + +/* For NAT to hook in when we find a packet which describes what other + * connection we should expect. */ +extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb, + enum nf_conntrack_info ctinfo, + enum nf_ct_ftp_type type, + unsigned int matchoff, + unsigned int matchlen, + struct nf_conntrack_expect *exp, + u32 *seq); +#endif /* _NF_CONNTRACK_FTP_H */ diff -uNr include.orig/linux/netfilter/nf_conntrack.h usr/include/linux/netfilter/nf_conntrack.h --- include.orig/linux/netfilter/nf_conntrack.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/nf_conntrack.h 2005-08-02 20:02:17.708247544 +0200 @@ -0,0 +1,302 @@ +/* + * Connection state tracking for netfilter. This is separated from, + * but required by, the (future) NAT layer; it can also be used by an iptables + * extension. + * + * 16 Dec 2003: Yasuyuki Kozakai @USAGI + * - generalize L3 protocol dependent part. + * + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack.h + */ + +#ifndef _NF_CONNTRACK_H +#define _NF_CONNTRACK_H + +enum nf_conntrack_info +{ + /* Part of an established connection (either direction). */ + NF_CT_ESTABLISHED, + + /* Like NEW, but related to an existing connection, or ICMP error + (in either direction). */ + NF_CT_RELATED, + + /* Started a new connection to track (only + NF_CT_DIR_ORIGINAL); may be a retransmission. */ + NF_CT_NEW, + + /* >= this indicates reply direction */ + NF_CT_IS_REPLY, + + /* Number of distinct NF_CT types (no NEW in reply dirn). */ + NF_CT_NUMBER = NF_CT_IS_REPLY * 2 - 1 +}; + +/* Bitset representing status of connection. */ +enum nf_conntrack_status { + /* It's an expected connection: bit 0 set. This bit never changed */ + NF_S_EXPECTED_BIT = 0, + NF_S_EXPECTED = (1 << NF_S_EXPECTED_BIT), + + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ + NF_S_SEEN_REPLY_BIT = 1, + NF_S_SEEN_REPLY = (1 << NF_S_SEEN_REPLY_BIT), + + /* Conntrack should never be early-expired. */ + NF_S_ASSURED_BIT = 2, + NF_S_ASSURED = (1 << NF_S_ASSURED_BIT), + + /* Connection is confirmed: originating packet has left box */ + NF_S_CONFIRMED_BIT = 3, + NF_S_CONFIRMED = (1 << NF_S_CONFIRMED_BIT), +}; + +#ifdef __KERNEL__ +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +/* per conntrack: protocol private data */ +union nf_conntrack_proto { + /* insert conntrack proto private data here */ + struct nf_ct_sctp sctp; + struct nf_ct_tcp tcp; + struct nf_ct_icmp icmp; + struct nf_ct_icmpv6 icmpv6; +}; + +union nf_conntrack_expect_proto { + /* insert expect proto private data here */ +}; + +/* Add protocol helper include file here */ +#include + +/* per conntrack: application helper private data */ +union nf_conntrack_help { + /* insert conntrack helper private data (master) here */ + struct nf_ct_ftp_master ct_ftp_info; +}; + +#include +#include + +#ifdef CONFIG_NETFILTER_DEBUG +#define NF_CT_ASSERT(x) \ +do { \ + if (!(x)) \ + /* Wooah! I'm tripping my conntrack in a frenzy of \ + netplay... */ \ + printk("NF_CT_ASSERT: %s:%i(%s)\n", \ + __FILE__, __LINE__, __FUNCTION__); \ +} while(0) +#else +#define NF_CT_ASSERT(x) +#endif + +struct nf_conntrack_counter +{ + u_int64_t packets; + u_int64_t bytes; +}; + +struct nf_conntrack_helper; + +#include +struct nf_conn +{ + /* Usage count in here is 1 for hash table/destruct timer, 1 per skb, + plus 1 for any connection(s) we are `master' for */ + struct nf_conntrack ct_general; + + /* XXX should I move this to the tail ? - Y.K */ + /* These are my tuples; original and reply */ + struct nf_conntrack_tuple_hash tuplehash[NF_CT_DIR_MAX]; + + /* Have we seen traffic both ways yet? (bitset) */ + unsigned long status; + + /* Timer function; drops refcnt when it goes off. */ + struct timer_list timeout; + +#ifdef CONFIG_NF_CT_ACCT + /* Accounting Information (same cache line as other written members) */ + struct nf_conntrack_counter counters[NF_CT_DIR_MAX]; +#endif + /* If we were expected by an expectation, this will be it */ + struct nf_conn *master; + + /* Current number of expected connections */ + unsigned int expecting; + + /* Helper. if any */ + struct nf_conntrack_helper *helper; + + /* features - nat, helper, ... used by allocating system */ + u_int32_t features; + + /* Storage reserved for other modules: */ + + union nf_conntrack_proto proto; + +#if defined(CONFIG_NF_CONNTRACK_MARK) + unsigned long mark; +#endif + + /* These members are dynamically allocated. */ + + union nf_conntrack_help *help; + + /* Layer 3 dependent members. (ex: NAT) */ + union { + struct nf_conntrack_ipv4 *ipv4; + } l3proto; + void *data[0]; +}; + +struct nf_conntrack_expect +{ + /* Internal linked list (global expectation list) */ + struct list_head list; + + /* We expect this tuple, with the following mask */ + struct nf_conntrack_tuple tuple, mask; + + /* Function to call after setup and insertion */ + void (*expectfn)(struct nf_conn *new, + struct nf_conntrack_expect *this); + + /* The conntrack of the master connection */ + struct nf_conn *master; + + /* Timer function; deletes the expectation. */ + struct timer_list timeout; + +#ifdef CONFIG_NF_NAT_NEEDED + /* This is the original per-proto part, used to map the + * expected connection the way the recipient expects. */ + union nf_conntrack_manip_proto saved_proto; + /* Direction relative to the master connection. */ + enum nf_conntrack_dir dir; +#endif +}; + +static inline struct nf_conn * +tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash) +{ + return container_of(hash, struct nf_conn, + tuplehash[hash->tuple.dst.dir]); +} + +/* get master conntrack via master expectation */ +#define master_ct(conntr) (conntr->master) + +/* Alter reply tuple (maybe alter helper). */ +extern void +nf_conntrack_alter_reply(struct nf_conn *conntrack, + const struct nf_conntrack_tuple *newreply); + +/* Is this tuple taken? (ignoring any belonging to the given + conntrack). */ +extern int +nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, + const struct nf_conn *ignored_conntrack); + +/* Return conntrack_info and tuple hash for given skb. */ +static inline struct nf_conn * +nf_ct_get(struct sk_buff *skb, enum nf_conntrack_info *ctinfo) +{ + *ctinfo = skb->nfctinfo; + return (struct nf_conn *)skb->nfct; +} + +/* decrement reference count on a conntrack */ +extern void nf_ct_put(struct nf_conn *ct); + +/* call to create an explicit dependency on nf_conntrack. */ +extern void need_nf_conntrack(void); + +extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, + const struct nf_conntrack_tuple *orig); + +/* Refresh conntrack for this many jiffies */ +extern void nf_ct_refresh_acct(struct nf_conn *ct, + enum nf_conntrack_info ctinfo, + const struct sk_buff *skb, + unsigned long extra_jiffies); + +/* These are for NAT. Icky. */ +/* Call me when a conntrack is destroyed. */ +extern void (*nf_conntrack_destroyed)(struct nf_conn *conntrack); + +/* Fake conntrack entry for untracked connections */ +extern struct nf_conn nf_conntrack_untracked; + +extern int nf_ct_no_defrag; + +/* Iterate over all conntracks: if iter returns true, it's deleted. */ +extern void +nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data); + +/* It's confirmed if it is, or has been in the hash table. */ +static inline int is_confirmed(struct nf_conn *ct) +{ + return test_bit(NF_S_CONFIRMED_BIT, &ct->status); +} + +extern unsigned int nf_conntrack_htable_size; + +struct nf_conntrack_stat +{ + unsigned int searched; + unsigned int found; + unsigned int new; + unsigned int invalid; + unsigned int ignore; + unsigned int delete; + unsigned int delete_list; + unsigned int insert; + unsigned int insert_failed; + unsigned int drop; + unsigned int early_drop; + unsigned int error; + unsigned int expect_new; + unsigned int expect_create; + unsigned int expect_delete; +}; + +#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++) + +/* eg. PROVIDES_CONNTRACK(ftp); */ +#define PROVIDES_CONNTRACK(name) \ + int needs_nf_conntrack_##name; \ + EXPORT_SYMBOL(needs_nf_conntrack_##name) + +/*. eg. NEEDS_CONNTRACK(ftp); */ +#define NEEDS_CONNTRACK(name) \ + extern int needs_nf_conntrack_##name; \ + static int *need_nf_conntrack_##name __attribute_used__ = &needs_nf_conntrack_##name + +/* no helper, no nat */ +#define NF_CT_F_BASIC 0 +/* for helper */ +#define NF_CT_F_HELP 1 +/* for nat. */ +#define NF_CT_F_NAT 2 +#define NF_CT_F_NUM 4 + +extern int +nf_conntrack_register_cache(u_int32_t features, const char *name, size_t size, + int (*init_conntrack)(struct nf_conn *, u_int32_t)); +extern void +nf_conntrack_unregister_cache(u_int32_t features); + +#endif /* __KERNEL__ */ +#endif /* _NF_CONNTRACK_H */ diff -uNr include.orig/linux/netfilter/nf_conntrack_helper.h usr/include/linux/netfilter/nf_conntrack_helper.h --- include.orig/linux/netfilter/nf_conntrack_helper.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/nf_conntrack_helper.h 2005-08-02 20:02:17.706247848 +0200 @@ -0,0 +1,50 @@ +/* + * connection tracking helpers. + * + * 16 Dec 2003: Yasuyuki Kozakai @USAGI + * - generalize L3 protocol dependent part. + * + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_helper.h + */ + +#ifndef _NF_CONNTRACK_HELPER_H +#define _NF_CONNTRACK_HELPER_H +#include + +struct module; + +struct nf_conntrack_helper +{ + struct list_head list; /* Internal use. */ + + const char *name; /* name of the module */ + struct module *me; /* pointer to self */ + unsigned int max_expected; /* Maximum number of concurrent + * expected connections */ + unsigned int timeout; /* timeout for expecteds */ + + /* Mask of things we will help (compared against server response) */ + struct nf_conntrack_tuple tuple; + struct nf_conntrack_tuple mask; + + /* Function to call when data passes; return verdict, or -1 to + invalidate. */ + int (*help)(struct sk_buff **pskb, + unsigned int protoff, + struct nf_conn *ct, + enum nf_conntrack_info conntrackinfo); +}; + +extern int nf_conntrack_helper_register(struct nf_conntrack_helper *); +extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *); + +/* Allocate space for an expectation: this is mandatory before calling + nf_conntrack_expect_related. */ +extern struct nf_conntrack_expect *nf_conntrack_expect_alloc(void); +extern void nf_conntrack_expect_free(struct nf_conntrack_expect *exp); + +/* Add an expected connection: can have more than one per connection */ +extern int nf_conntrack_expect_related(struct nf_conntrack_expect *exp); +extern void nf_conntrack_unexpect_related(struct nf_conntrack_expect *exp); + +#endif /*_NF_CONNTRACK_HELPER_H*/ diff -uNr include.orig/linux/netfilter/nf_conntrack_l3proto.h usr/include/linux/netfilter/nf_conntrack_l3proto.h --- include.orig/linux/netfilter/nf_conntrack_l3proto.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/nf_conntrack_l3proto.h 2005-08-02 20:02:17.713246784 +0200 @@ -0,0 +1,93 @@ +/* + * Copyright (C)2003,2004 USAGI/WIDE Project + * + * Header for use in defining a given L3 protocol for connection tracking. + * + * Author: + * Yasuyuki Kozakai @USAGI + * + * Derived from usr/include/netfilter_ipv4/ip_conntrack_protocol.h + */ + +#ifndef _NF_CONNTRACK_L3PROTO_H +#define _NF_CONNTRACK_L3PROTO_H +#include +#include + +struct nf_conntrack_l3proto +{ + /* Next pointer. */ + struct list_head list; + + /* L3 Protocol Family number. ex) PF_INET */ + u_int16_t l3proto; + + /* Protocol name */ + const char *name; + + /* + * Try to fill in the third arg: nhoff is offset of l3 proto + * hdr. Return true if possible. + */ + int (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int nhoff, + struct nf_conntrack_tuple *tuple); + + /* + * Invert the per-proto part of the tuple: ie. turn xmit into reply. + * Some packets can't be inverted: return 0 in that case. + */ + int (*invert_tuple)(struct nf_conntrack_tuple *inverse, + const struct nf_conntrack_tuple *orig); + + /* Print out the per-protocol part of the tuple. */ + int (*print_tuple)(struct seq_file *s, + const struct nf_conntrack_tuple *); + + /* Print out the private part of the conntrack. */ + int (*print_conntrack)(struct seq_file *s, const struct nf_conn *); + + /* Returns verdict for packet, or -1 for invalid. */ + int (*packet)(struct nf_conn *conntrack, + const struct sk_buff *skb, + enum nf_conntrack_info ctinfo); + + /* + * Called when a new connection for this protocol found; + * returns TRUE if it's OK. If so, packet() called next. + */ + int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb); + + /* Called when a conntrack entry is destroyed */ + void (*destroy)(struct nf_conn *conntrack); + + /* + * Called before tracking. + * *dataoff: offset of protocol header (TCP, UDP,...) in *pskb + * *protonum: protocol number + */ + int (*prepare)(struct sk_buff **pskb, unsigned int hooknum, + unsigned int *dataoff, u_int8_t *protonum, int *ret); + + u_int32_t (*get_features)(const struct nf_conntrack_tuple *tuple); + + /* Module (if any) which this is connected to. */ + struct module *me; +}; + +extern struct nf_conntrack_l3proto *nf_ct_l3protos[AF_MAX]; + +/* Protocol registration. */ +extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto); +extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto); + +static inline struct nf_conntrack_l3proto * +nf_ct_find_l3proto(u_int16_t l3proto) +{ + return nf_ct_l3protos[l3proto]; +} + +/* Existing built-in protocols */ +extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4; +extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6; +extern struct nf_conntrack_l3proto nf_conntrack_generic_l3proto; +#endif /*_NF_CONNTRACK_L3PROTO_H*/ diff -uNr include.orig/linux/netfilter/nf_conntrack_protocol.h usr/include/linux/netfilter/nf_conntrack_protocol.h --- include.orig/linux/netfilter/nf_conntrack_protocol.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/nf_conntrack_protocol.h 2005-08-02 20:02:17.710247240 +0200 @@ -0,0 +1,105 @@ +/* + * Header for use in defining a given protocol for connection tracking. + * + * 16 Dec 2003: Yasuyuki Kozakai @USAGI + * - generalized L3 protocol dependent part. + * + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_protcol.h + */ + +#ifndef _NF_CONNTRACK_PROTOCOL_H +#define _NF_CONNTRACK_PROTOCOL_H +#include + +struct seq_file; + +struct nf_conntrack_protocol +{ + /* Next pointer. */ + struct list_head list; + + /* L3 Protocol number. */ + u_int16_t l3proto; + + /* Protocol number. */ + u_int8_t proto; + + /* Protocol name */ + const char *name; + + /* Try to fill in the third arg: dataoff is offset past network protocol + hdr. Return true if possible. */ + int (*pkt_to_tuple)(const struct sk_buff *skb, + unsigned int dataoff, + struct nf_conntrack_tuple *tuple); + + /* Invert the per-proto part of the tuple: ie. turn xmit into reply. + * Some packets can't be inverted: return 0 in that case. + */ + int (*invert_tuple)(struct nf_conntrack_tuple *inverse, + const struct nf_conntrack_tuple *orig); + + /* Print out the per-protocol part of the tuple. Return like seq_* */ + int (*print_tuple)(struct seq_file *s, + const struct nf_conntrack_tuple *); + + /* Print out the private part of the conntrack. */ + int (*print_conntrack)(struct seq_file *s, const struct nf_conn *); + + /* Returns verdict for packet, or -1 for invalid. */ + int (*packet)(struct nf_conn *conntrack, + const struct sk_buff *skb, + unsigned int dataoff, + enum nf_conntrack_info ctinfo, + int pf, + unsigned int hooknum); + + /* Called when a new connection for this protocol found; + * returns TRUE if it's OK. If so, packet() called next. */ + int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb, + unsigned int dataoff); + + /* Called when a conntrack entry is destroyed */ + void (*destroy)(struct nf_conn *conntrack); + + int (*error)(struct sk_buff *skb, unsigned int dataoff, + enum nf_conntrack_info *ctinfo, + int pf, unsigned int hooknum); + + /* Module (if any) which this is connected to. */ + struct module *me; +}; + +/* Existing built-in protocols */ +extern struct nf_conntrack_protocol nf_conntrack_protocol_tcp6; +extern struct nf_conntrack_protocol nf_conntrack_protocol_udp4; +extern struct nf_conntrack_protocol nf_conntrack_protocol_udp6; +extern struct nf_conntrack_protocol nf_conntrack_generic_protocol; + +#define MAX_NF_CT_PROTO 256 +extern struct nf_conntrack_protocol **nf_ct_protos[PF_MAX]; + +extern struct nf_conntrack_protocol * +nf_ct_find_proto(u_int16_t l3proto, u_int8_t protocol); + +/* Protocol registration. */ +extern int nf_conntrack_protocol_register(struct nf_conntrack_protocol *proto); +extern void nf_conntrack_protocol_unregister(struct nf_conntrack_protocol *proto); + +/* Log invalid packets */ +extern unsigned int nf_ct_log_invalid; + +#ifdef CONFIG_SYSCTL +#ifdef DEBUG_INVALID_PACKETS +#define LOG_INVALID(proto) \ + (nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW) +#else +#define LOG_INVALID(proto) \ + ((nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW) \ + && net_ratelimit()) +#endif +#else +#define LOG_INVALID(proto) 0 +#endif /* CONFIG_SYSCTL */ + +#endif /*_NF_CONNTRACK_PROTOCOL_H*/ diff -uNr include.orig/linux/netfilter/nf_conntrack_sctp.h usr/include/linux/netfilter/nf_conntrack_sctp.h --- include.orig/linux/netfilter/nf_conntrack_sctp.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/nf_conntrack_sctp.h 2005-08-02 20:02:17.701248608 +0200 @@ -0,0 +1,30 @@ +/* + * SCTP tracking. + * + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_tcp.h + */ + +#ifndef _NF_CONNTRACK_SCTP_H +#define _NF_CONNTRACK_SCTP_H + +enum sctp_conntrack { + SCTP_CONNTRACK_NONE, + SCTP_CONNTRACK_CLOSED, + SCTP_CONNTRACK_COOKIE_WAIT, + SCTP_CONNTRACK_COOKIE_ECHOED, + SCTP_CONNTRACK_ESTABLISHED, + SCTP_CONNTRACK_SHUTDOWN_SENT, + SCTP_CONNTRACK_SHUTDOWN_RECD, + SCTP_CONNTRACK_SHUTDOWN_ACK_SENT, + SCTP_CONNTRACK_MAX +}; + +struct nf_ct_sctp +{ + enum sctp_conntrack state; + + u_int32_t vtag[NF_CT_DIR_MAX]; + u_int32_t ttag[NF_CT_DIR_MAX]; +}; + +#endif /* _NF_CONNTRACK_SCTP_H */ diff -uNr include.orig/linux/netfilter/nf_conntrack_tcp.h usr/include/linux/netfilter/nf_conntrack_tcp.h --- include.orig/linux/netfilter/nf_conntrack_tcp.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/nf_conntrack_tcp.h 2005-08-02 20:02:17.681251648 +0200 @@ -0,0 +1,63 @@ +/* + * TCP tracking. + * + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_tcp.h + */ + +#ifndef _NF_CONNTRACK_TCP_H +#define _NF_CONNTRACK_TCP_H + +enum tcp_conntrack { + TCP_CONNTRACK_NONE, + TCP_CONNTRACK_SYN_SENT, + TCP_CONNTRACK_SYN_RECV, + TCP_CONNTRACK_ESTABLISHED, + TCP_CONNTRACK_FIN_WAIT, + TCP_CONNTRACK_CLOSE_WAIT, + TCP_CONNTRACK_LAST_ACK, + TCP_CONNTRACK_TIME_WAIT, + TCP_CONNTRACK_CLOSE, + TCP_CONNTRACK_LISTEN, + TCP_CONNTRACK_MAX, + TCP_CONNTRACK_IGNORE +}; + +/* Window scaling is advertised by the sender */ +#define NF_CT_TCP_FLAG_WINDOW_SCALE 0x01 + +/* SACK is permitted by the sender */ +#define NF_CT_TCP_FLAG_SACK_PERM 0x02 + +struct nf_ct_tcp_state { + u_int32_t td_end; /* max of seq + len */ + u_int32_t td_maxend; /* max of ack + max(win, 1) */ + u_int32_t td_maxwin; /* max(win) */ + u_int8_t td_scale; /* window scale factor */ + u_int8_t loose; /* used when connection picked up from the middle */ + u_int8_t flags; /* per direction state flags */ +}; + +struct nf_ct_tcp +{ + struct nf_ct_tcp_state seen[2]; /* connection parameters per direction */ + u_int8_t state; /* state of the connection (enum tcp_conntrack) */ + /* For detecting stale connections */ + u_int8_t last_dir; /* Direction of the last packet (enum nf_conntrack_dir) */ + u_int8_t retrans; /* Number of retransmitted packets */ + u_int8_t last_index; /* Index of the last packet */ + u_int32_t last_seq; /* Last sequence number seen in dir */ + u_int32_t last_ack; /* Last sequence number seen in opposite dir */ + u_int32_t last_end; /* Last seq + len */ +}; + +/* Need this, since this file is included before the nf_conn definition + * in nf_conntrack.h */ +struct nf_conn; + +/* Update TCP window tracking data when NAT mangles the packet */ +extern void nf_conntrack_tcp_update(struct sk_buff *skb, + unsigned int dataoff, + struct nf_conn *conntrack, + int dir); + +#endif /* _NF_CONNTRACK_TCP_H */ diff -uNr include.orig/linux/netfilter/nf_conntrack_tuple.h usr/include/linux/netfilter/nf_conntrack_tuple.h --- include.orig/linux/netfilter/nf_conntrack_tuple.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/nf_conntrack_tuple.h 2005-08-02 20:02:17.704248152 +0200 @@ -0,0 +1,201 @@ +/* + * Definitions and Declarations for tuple. + * + * 16 Dec 2003: Yasuyuki Kozakai @USAGI + * - generalize L3 protocol dependent part. + * + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_tuple.h + */ + +#ifndef _NF_CONNTRACK_TUPLE_H +#define _NF_CONNTRACK_TUPLE_H + +/* A `tuple' is a structure containing the information to uniquely + identify a connection. ie. if two packets have the same tuple, they + are in the same connection; if not, they are not. + + We divide the structure along "manipulatable" and + "non-manipulatable" lines, for the benefit of the NAT code. +*/ + +#define NF_CT_TUPLE_L3SIZE 4 + +/* The l3 protocol-specific manipulable parts of the tuple: always in + network order! */ +union nf_conntrack_man_l3proto { + u_int32_t all[NF_CT_TUPLE_L3SIZE]; + u_int32_t ip; + u_int32_t ip6[4]; +}; + +/* The protocol-specific manipulable parts of the tuple: always in + network order! */ +union nf_conntrack_man_proto +{ + /* Add other protocols here. */ + u_int16_t all; + + struct { + u_int16_t port; + } tcp; + struct { + u_int16_t port; + } udp; + struct { + u_int16_t id; + } icmp; + struct { + u_int16_t port; + } sctp; +}; + +/* The manipulable part of the tuple. */ +struct nf_conntrack_man +{ + union nf_conntrack_man_l3proto u3; + union nf_conntrack_man_proto u; + /* Layer 3 protocol */ + u_int16_t l3num; +}; + +/* This contains the information to distinguish a connection. */ +struct nf_conntrack_tuple +{ + struct nf_conntrack_man src; + + /* These are the parts of the tuple which are fixed. */ + struct { + union { + u_int32_t all[NF_CT_TUPLE_L3SIZE]; + u_int32_t ip; + u_int32_t ip6[4]; + } u3; + union { + /* Add other protocols here. */ + u_int16_t all; + + struct { + u_int16_t port; + } tcp; + struct { + u_int16_t port; + } udp; + struct { + u_int8_t type, code; + } icmp; + struct { + u_int16_t port; + } sctp; + } u; + + /* The protocol. */ + u_int8_t protonum; + + /* The direction (for tuplehash) */ + u_int8_t dir; + } dst; +}; + +/* This is optimized opposed to a memset of the whole structure. Everything we + * really care about is the source/destination unions */ +#define NF_CT_TUPLE_U_BLANK(tuple) \ + do { \ + (tuple)->src.u.all = 0; \ + (tuple)->dst.u.all = 0; \ + memset((tuple)->src.u3.all, 0, \ + sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \ + memset((tuple)->dst.u3.all, 0, \ + sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \ + } while (0) + +enum nf_conntrack_dir +{ + NF_CT_DIR_ORIGINAL, + NF_CT_DIR_REPLY, + NF_CT_DIR_MAX +}; + +#ifdef __KERNEL__ + +#define NF_CT_DUMP_TUPLE(tp) \ +DEBUGP("tuple %p: %u %u %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu -> %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu\n", \ + (tp), (tp)->src.l3num, (tp)->dst.protonum, \ + NIP6(*(struct in6_addr *)(tp)->src.u3.all), ntohs((tp)->src.u.all), \ + NIP6(*(struct in6_addr *)(tp)->dst.u3.all), ntohs((tp)->dst.u.all)) + +#define NFCTINFO2DIR(ctinfo) ((ctinfo) >= NF_CT_IS_REPLY ? NF_CT_DIR_REPLY : NF_CT_DIR_ORIGINAL) + +/* If we're the first tuple, it's the original dir. */ +#define NF_CT_DIRECTION(h) \ + ((enum nf_conntrack_dir)(h)->tuple.dst.dir) + +/* Connections have two entries in the hash table: one for each way */ +struct nf_conntrack_tuple_hash +{ + struct list_head list; + + struct nf_conntrack_tuple tuple; +}; + +#endif /* __KERNEL__ */ + +static inline int nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1, + const struct nf_conntrack_tuple *t2) +{ + return (t1->src.u3.all[0] == t2->src.u3.all[0] && + t1->src.u3.all[1] == t2->src.u3.all[1] && + t1->src.u3.all[2] == t2->src.u3.all[2] && + t1->src.u3.all[3] == t2->src.u3.all[3] && + t1->src.u.all == t2->src.u.all && + t1->src.l3num == t2->src.l3num && + t1->dst.protonum == t2->dst.protonum); +} + +static inline int nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1, + const struct nf_conntrack_tuple *t2) +{ + return (t1->dst.u3.all[0] == t2->dst.u3.all[0] && + t1->dst.u3.all[1] == t2->dst.u3.all[1] && + t1->dst.u3.all[2] == t2->dst.u3.all[2] && + t1->dst.u3.all[3] == t2->dst.u3.all[3] && + t1->dst.u.all == t2->dst.u.all && + t1->src.l3num == t2->src.l3num && + t1->dst.protonum == t2->dst.protonum); +} + +static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1, + const struct nf_conntrack_tuple *t2) +{ + return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2); +} + +static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t, + const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_tuple *mask) +{ + int count = 0; + + for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){ + if ((ntohs(t->src.u3.all[count]) ^ + ntohs(tuple->src.u3.all[count])) & + ntohs(mask->src.u3.all[count])) + return 0; + } + + for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){ + if ((ntohs(t->dst.u3.all[count]) ^ + ntohs(tuple->dst.u3.all[count])) & + ntohs(mask->dst.u3.all[count])) + return 0; + } + + if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all || + (t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all || + (t->src.l3num ^ tuple->src.l3num) & mask->src.l3num || + (t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum) + return 0; + + return 1; +} + +#endif /* _NF_CONNTRACK_TUPLE_H */ diff -uNr include.orig/linux/netfilter/nfnetlink.h usr/include/linux/netfilter/nfnetlink.h --- include.orig/linux/netfilter/nfnetlink.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter/nfnetlink.h 2005-08-02 20:02:17.715246480 +0200 @@ -0,0 +1,145 @@ +#ifndef _NFNETLINK_H +#define _NFNETLINK_H +#include + +/* nfnetlink groups: Up to 32 maximum */ +#define NF_NETLINK_CONNTRACK_NEW 0x00000001 +#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002 +#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004 +#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008 +#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010 +#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020 + +/* Generic structure for encapsulation optional netfilter information. + * It is reminiscent of sockaddr, but with sa_family replaced + * with attribute type. + * ! This should someday be put somewhere generic as now rtnetlink and + * ! nfnetlink use the same attributes methods. - J. Schulist. + */ + +struct nfattr +{ + u_int16_t nfa_len __attribute__ ((packed)); + u_int16_t nfa_type __attribute__ ((packed)); +}; + +/* FIXME: Shamelessly copy and pasted from rtnetlink.h, it's time + * to put this in a generic file */ + +#define NFA_ALIGNTO 4 +#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1)) +#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \ + && (nfa)->nfa_len <= (len)) +#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \ + (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len))) +#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len)) +#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len)) +#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0))) +#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0)) +#define NFA_NEST(skb, type) \ +({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \ + NFA_PUT(skb, type, 0, NULL); \ + __start; }) +#define NFA_NEST_END(skb, start) \ +({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \ + (skb)->len; }) +#define NFA_NEST_CANCEL(skb, start) \ +({ if (start) \ + skb_trim(skb, (unsigned char *) (start) - (skb)->data); \ + -1; }) + +/* General form of address family dependent message. + */ +struct nfgenmsg { + u_int8_t nfgen_family __attribute__ ((packed)); /* AF_xxx */ + u_int8_t version __attribute__ ((packed)); /* nfnetlink version */ + u_int16_t res_id __attribute__ ((packed)); /* resource id */ +}; + +#define NFNETLINK_V1 1 + +#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \ + + NLMSG_ALIGN(sizeof(struct nfgenmsg)))) +#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg)) + +/* netfilter netlink message types are split in two pieces: + * 8 bit subsystem, 8bit operation. + */ + +#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8) +#define NFNL_MSG_TYPE(x) (x & 0x00ff) + +enum nfnl_subsys_id { + NFNL_SUBSYS_NONE = 0, + NFNL_SUBSYS_CTNETLINK, + NFNL_SUBSYS_CTNETLINK_EXP, + NFNL_SUBSYS_IPTNETLINK, + NFNL_SUBSYS_QUEUE, + NFNL_SUBSYS_ULOG, + NFNL_SUBSYS_COUNT, +}; + +#ifdef __KERNEL__ + +#include + +struct nfnl_callback +{ + kernel_cap_t cap_required; /* capabilities required for this msg */ + int (*call)(struct sock *nl, struct sk_buff *skb, + struct nlmsghdr *nlh, struct nfattr *cda[], int *errp); +}; + +struct nfnetlink_subsystem +{ + const char *name; + __u8 subsys_id; /* nfnetlink subsystem ID */ + __u8 cb_count; /* number of callbacks */ + u_int32_t attr_count; /* number of nfattr's */ + struct nfnl_callback *cb; /* callback for individual types */ +}; + +extern void __nfa_fill(struct sk_buff *skb, int attrtype, + int attrlen, const void *data); +#define NFA_PUT(skb, attrtype, attrlen, data) \ +({ if (skb_tailroom(skb) < (int)NFA_SPACE(attrlen)) goto nfattr_failure; \ + __nfa_fill(skb, attrtype, attrlen, data); }) + +extern struct semaphore nfnl_sem; + +#define nfnl_shlock() down(&nfnl_sem) +#define nfnl_shlock_nowait() down_trylock(&nfnl_sem) + +#define nfnl_shunlock() do { up(&nfnl_sem); \ + if(nfnl && nfnl->sk_receive_queue.qlen) \ + nfnl->sk_data_ready(nfnl, 0); \ + } while(0) + +extern void nfnl_lock(void); +extern void nfnl_unlock(void); + +extern int nfnetlink_subsys_register(struct nfnetlink_subsystem *n); +extern int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n); + +extern int nfattr_parse(struct nfattr *tb[], int maxattr, + struct nfattr *nfa, int len); + +#define nfattr_parse_nested(tb, max, nfa) \ + nfattr_parse((tb), (max), NFA_DATA((nfa)), NFA_PAYLOAD((nfa))) + +#define nfattr_bad_size(tb, max, cta_min) \ +({ int __i, __res = 0; \ + for (__i=0; __infct && !is_confirmed((struct ip_conntrack *)(*pskb)->nfct)) - return __ip_conntrack_confirm(pskb); - return NF_ACCEPT; + ret = __ip_conntrack_confirm(pskb); + ip_conntrack_deliver_cached_events(*pskb); + + return ret; } extern struct list_head *ip_conntrack_hash; diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack.h usr/include/linux/netfilter_ipv4/ip_conntrack.h --- include.orig/linux/netfilter_ipv4/ip_conntrack.h 2005-03-13 21:53:55.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_conntrack.h 2005-08-02 20:05:38.525718648 +0200 @@ -65,6 +65,63 @@ /* Both together */ IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), + + /* Connection is destroyed (removed from lists), can not be unset. */ + IPS_DESTROYED_BIT = 9, + IPS_DESTROYED = (1 << IPS_DESTROYED_BIT), +}; + +/* Connection tracking event bits */ +enum ip_conntrack_events +{ + /* New conntrack */ + IPCT_NEW_BIT = 0, + IPCT_NEW = (1 << IPCT_NEW_BIT), + + /* Expected connection */ + IPCT_RELATED_BIT = 1, + IPCT_RELATED = (1 << IPCT_RELATED_BIT), + + /* Destroyed conntrack */ + IPCT_DESTROY_BIT = 2, + IPCT_DESTROY = (1 << IPCT_DESTROY_BIT), + + /* Timer has been refreshed */ + IPCT_REFRESH_BIT = 3, + IPCT_REFRESH = (1 << IPCT_REFRESH_BIT), + + /* Status has changed */ + IPCT_STATUS_BIT = 4, + IPCT_STATUS = (1 << IPCT_STATUS_BIT), + + /* Update of protocol info */ + IPCT_PROTOINFO_BIT = 5, + IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT), + + /* Volatile protocol info */ + IPCT_PROTOINFO_VOLATILE_BIT = 6, + IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT), + + /* New helper for conntrack */ + IPCT_HELPER_BIT = 7, + IPCT_HELPER = (1 << IPCT_HELPER_BIT), + + /* Update of helper info */ + IPCT_HELPINFO_BIT = 8, + IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT), + + /* Volatile helper info */ + IPCT_HELPINFO_VOLATILE_BIT = 9, + IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT), + + /* NAT info */ + IPCT_NATINFO_BIT = 10, + IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), +}; + +enum ip_conntrack_expect_events { + IPEXP_NEW_BIT = 0, + IPEXP_NEW = (1 << IPEXP_NEW_BIT), }; #endif /* _IP_CONNTRACK_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h usr/include/linux/netfilter_ipv4/ip_conntrack_h323.h --- include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_h323.h 2005-08-02 20:02:17.725244960 +0200 @@ -0,0 +1,38 @@ +#ifndef _IP_CONNTRACK_H323_H +#define _IP_CONNTRACK_H323_H +/* H.323 connection tracking. */ + +#ifdef __KERNEL__ + +/* Default H.225 port */ +#define H225_PORT 1720 + +struct ip_conntrack_expect; +struct ip_conntrack; +struct ip_conntrack_helper; + +extern int (*ip_nat_h245_hook)(struct sk_buff **pskb, + enum ip_conntrack_info ctinfo, + unsigned int offset, + struct ip_conntrack_expect *exp); + +extern int (*ip_nat_h225_hook)(struct sk_buff **pskb, + enum ip_conntrack_info ctinfo, + unsigned int offset, + struct ip_conntrack_expect *exp); + +extern void (*ip_nat_h225_signal_hook)(struct sk_buff **pskb, + struct ip_conntrack *ct, + enum ip_conntrack_info ctinfo, + unsigned int offset, + int dir, + int orig_dir); + +extern struct ip_conntrack_helper ip_conntrack_helper_h225; + +void ip_conntrack_h245_expect(struct ip_conntrack *new, + struct ip_conntrack_expect *this); + +#endif /* __KERNEL__ */ + +#endif /* _IP_CONNTRACK_H323_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h usr/include/linux/netfilter_ipv4/ip_conntrack_mms.h --- include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_mms.h 2005-08-02 20:02:17.774237512 +0200 @@ -0,0 +1,36 @@ +#ifndef _IP_CONNTRACK_MMS_H +#define _IP_CONNTRACK_MMS_H +/* MMS tracking. */ + +#ifdef __KERNEL__ + +extern spinlock_t ip_mms_lock; + +#define MMS_PORT 1755 +#define MMS_SRV_MSG_ID 196610 + +#define MMS_SRV_MSG_OFFSET 36 +#define MMS_SRV_UNICODE_STRING_OFFSET 60 +#define MMS_SRV_CHUNKLENLV_OFFSET 16 +#define MMS_SRV_CHUNKLENLM_OFFSET 32 +#define MMS_SRV_MESSAGELENGTH_OFFSET 8 + +/* This structure is per expected connection */ +struct ip_ct_mms_expect { + u_int32_t offset; + u_int32_t len; + u_int32_t padding; + u_int16_t port; +}; + +/* This structure exists only once per master */ +struct ip_ct_mms_master { +}; + +struct ip_conntrack_expect; +extern unsigned int (*ip_nat_mms_hook)(struct sk_buff **pskb, + enum ip_conntrack_info ctinfo, + const struct ip_ct_mms_expect *exp_mms_info, + struct ip_conntrack_expect *exp); +#endif +#endif /* _IP_CONNTRACK_MMS_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h usr/include/linux/netfilter_ipv4/ip_conntrack_pptp.h --- include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 2005-08-02 20:02:17.800233560 +0200 @@ -0,0 +1,336 @@ +/* PPTP constants and structs */ +#ifndef _CONNTRACK_PPTP_H +#define _CONNTRACK_PPTP_H + +/* state of the control session */ +enum pptp_ctrlsess_state { + PPTP_SESSION_NONE, /* no session present */ + PPTP_SESSION_ERROR, /* some session error */ + PPTP_SESSION_STOPREQ, /* stop_sess request seen */ + PPTP_SESSION_REQUESTED, /* start_sess request seen */ + PPTP_SESSION_CONFIRMED, /* session established */ +}; + +/* state of the call inside the control session */ +enum pptp_ctrlcall_state { + PPTP_CALL_NONE, + PPTP_CALL_ERROR, + PPTP_CALL_OUT_REQ, + PPTP_CALL_OUT_CONF, + PPTP_CALL_IN_REQ, + PPTP_CALL_IN_REP, + PPTP_CALL_IN_CONF, + PPTP_CALL_CLEAR_REQ, +}; + + +/* conntrack private data */ +struct ip_ct_pptp_master { + enum pptp_ctrlsess_state sstate; /* session state */ + + /* everything below is going to be per-expectation in newnat, + * since there could be more than one call within one session */ + enum pptp_ctrlcall_state cstate; /* call state */ + u_int16_t pac_call_id; /* call id of PAC, host byte order */ + u_int16_t pns_call_id; /* call id of PNS, host byte order */ + + /* in pre-2.6.11 this used to be per-expect. Now it is per-conntrack + * and therefore imposes a fixed limit on the number of maps */ + struct ip_ct_gre_keymap *keymap_orig, *keymap_reply; +}; + +/* conntrack_expect private member */ +struct ip_ct_pptp_expect { + enum pptp_ctrlcall_state cstate; /* call state */ + u_int16_t pac_call_id; /* call id of PAC */ + u_int16_t pns_call_id; /* call id of PNS */ +}; + + +#ifdef __KERNEL__ + + +#include +DECLARE_LOCK_EXTERN(ip_pptp_lock); + +#define IP_CONNTR_PPTP PPTP_CONTROL_PORT + +#define PPTP_CONTROL_PORT 1723 + +#define PPTP_PACKET_CONTROL 1 +#define PPTP_PACKET_MGMT 2 + +#define PPTP_MAGIC_COOKIE 0x1a2b3c4d + +struct pptp_pkt_hdr { + __u16 packetLength; + __u16 packetType; + __u32 magicCookie; +}; + +/* PptpControlMessageType values */ +#define PPTP_START_SESSION_REQUEST 1 +#define PPTP_START_SESSION_REPLY 2 +#define PPTP_STOP_SESSION_REQUEST 3 +#define PPTP_STOP_SESSION_REPLY 4 +#define PPTP_ECHO_REQUEST 5 +#define PPTP_ECHO_REPLY 6 +#define PPTP_OUT_CALL_REQUEST 7 +#define PPTP_OUT_CALL_REPLY 8 +#define PPTP_IN_CALL_REQUEST 9 +#define PPTP_IN_CALL_REPLY 10 +#define PPTP_IN_CALL_CONNECT 11 +#define PPTP_CALL_CLEAR_REQUEST 12 +#define PPTP_CALL_DISCONNECT_NOTIFY 13 +#define PPTP_WAN_ERROR_NOTIFY 14 +#define PPTP_SET_LINK_INFO 15 + +#define PPTP_MSG_MAX 15 + +/* PptpGeneralError values */ +#define PPTP_ERROR_CODE_NONE 0 +#define PPTP_NOT_CONNECTED 1 +#define PPTP_BAD_FORMAT 2 +#define PPTP_BAD_VALUE 3 +#define PPTP_NO_RESOURCE 4 +#define PPTP_BAD_CALLID 5 +#define PPTP_REMOVE_DEVICE_ERROR 6 + +struct PptpControlHeader { + __u16 messageType; + __u16 reserved; +}; + +/* FramingCapability Bitmap Values */ +#define PPTP_FRAME_CAP_ASYNC 0x1 +#define PPTP_FRAME_CAP_SYNC 0x2 + +/* BearerCapability Bitmap Values */ +#define PPTP_BEARER_CAP_ANALOG 0x1 +#define PPTP_BEARER_CAP_DIGITAL 0x2 + +struct PptpStartSessionRequest { + __u16 protocolVersion; + __u8 reserved1; + __u8 reserved2; + __u32 framingCapability; + __u32 bearerCapability; + __u16 maxChannels; + __u16 firmwareRevision; + __u8 hostName[64]; + __u8 vendorString[64]; +}; + +/* PptpStartSessionResultCode Values */ +#define PPTP_START_OK 1 +#define PPTP_START_GENERAL_ERROR 2 +#define PPTP_START_ALREADY_CONNECTED 3 +#define PPTP_START_NOT_AUTHORIZED 4 +#define PPTP_START_UNKNOWN_PROTOCOL 5 + +struct PptpStartSessionReply { + __u16 protocolVersion; + __u8 resultCode; + __u8 generalErrorCode; + __u32 framingCapability; + __u32 bearerCapability; + __u16 maxChannels; + __u16 firmwareRevision; + __u8 hostName[64]; + __u8 vendorString[64]; +}; + +/* PptpStopReasons */ +#define PPTP_STOP_NONE 1 +#define PPTP_STOP_PROTOCOL 2 +#define PPTP_STOP_LOCAL_SHUTDOWN 3 + +struct PptpStopSessionRequest { + __u8 reason; +}; + +/* PptpStopSessionResultCode */ +#define PPTP_STOP_OK 1 +#define PPTP_STOP_GENERAL_ERROR 2 + +struct PptpStopSessionReply { + __u8 resultCode; + __u8 generalErrorCode; +}; + +struct PptpEchoRequest { + __u32 identNumber; +}; + +/* PptpEchoReplyResultCode */ +#define PPTP_ECHO_OK 1 +#define PPTP_ECHO_GENERAL_ERROR 2 + +struct PptpEchoReply { + __u32 identNumber; + __u8 resultCode; + __u8 generalErrorCode; + __u16 reserved; +}; + +/* PptpFramingType */ +#define PPTP_ASYNC_FRAMING 1 +#define PPTP_SYNC_FRAMING 2 +#define PPTP_DONT_CARE_FRAMING 3 + +/* PptpCallBearerType */ +#define PPTP_ANALOG_TYPE 1 +#define PPTP_DIGITAL_TYPE 2 +#define PPTP_DONT_CARE_BEARER_TYPE 3 + +struct PptpOutCallRequest { + __u16 callID; + __u16 callSerialNumber; + __u32 minBPS; + __u32 maxBPS; + __u32 bearerType; + __u32 framingType; + __u16 packetWindow; + __u16 packetProcDelay; + __u16 reserved1; + __u16 phoneNumberLength; + __u16 reserved2; + __u8 phoneNumber[64]; + __u8 subAddress[64]; +}; + +/* PptpCallResultCode */ +#define PPTP_OUTCALL_CONNECT 1 +#define PPTP_OUTCALL_GENERAL_ERROR 2 +#define PPTP_OUTCALL_NO_CARRIER 3 +#define PPTP_OUTCALL_BUSY 4 +#define PPTP_OUTCALL_NO_DIAL_TONE 5 +#define PPTP_OUTCALL_TIMEOUT 6 +#define PPTP_OUTCALL_DONT_ACCEPT 7 + +struct PptpOutCallReply { + __u16 callID; + __u16 peersCallID; + __u8 resultCode; + __u8 generalErrorCode; + __u16 causeCode; + __u32 connectSpeed; + __u16 packetWindow; + __u16 packetProcDelay; + __u32 physChannelID; +}; + +struct PptpInCallRequest { + __u16 callID; + __u16 callSerialNumber; + __u32 callBearerType; + __u32 physChannelID; + __u16 dialedNumberLength; + __u16 dialingNumberLength; + __u8 dialedNumber[64]; + __u8 dialingNumber[64]; + __u8 subAddress[64]; +}; + +/* PptpInCallResultCode */ +#define PPTP_INCALL_ACCEPT 1 +#define PPTP_INCALL_GENERAL_ERROR 2 +#define PPTP_INCALL_DONT_ACCEPT 3 + +struct PptpInCallReply { + __u16 callID; + __u16 peersCallID; + __u8 resultCode; + __u8 generalErrorCode; + __u16 packetWindow; + __u16 packetProcDelay; + __u16 reserved; +}; + +struct PptpInCallConnected { + __u16 peersCallID; + __u16 reserved; + __u32 connectSpeed; + __u16 packetWindow; + __u16 packetProcDelay; + __u32 callFramingType; +}; + +struct PptpClearCallRequest { + __u16 callID; + __u16 reserved; +}; + +struct PptpCallDisconnectNotify { + __u16 callID; + __u8 resultCode; + __u8 generalErrorCode; + __u16 causeCode; + __u16 reserved; + __u8 callStatistics[128]; +}; + +struct PptpWanErrorNotify { + __u16 peersCallID; + __u16 reserved; + __u32 crcErrors; + __u32 framingErrors; + __u32 hardwareOverRuns; + __u32 bufferOverRuns; + __u32 timeoutErrors; + __u32 alignmentErrors; +}; + +struct PptpSetLinkInfo { + __u16 peersCallID; + __u16 reserved; + __u32 sendAccm; + __u32 recvAccm; +}; + + +struct pptp_priv_data { + __u16 call_id; + __u16 mcall_id; + __u16 pcall_id; +}; + +union pptp_ctrl_union { + struct PptpStartSessionRequest sreq; + struct PptpStartSessionReply srep; + struct PptpStopSessionRequest streq; + struct PptpStopSessionReply strep; + struct PptpOutCallRequest ocreq; + struct PptpOutCallReply ocack; + struct PptpInCallRequest icreq; + struct PptpInCallReply icack; + struct PptpInCallConnected iccon; + struct PptpClearCallRequest clrreq; + struct PptpCallDisconnectNotify disc; + struct PptpWanErrorNotify wanerr; + struct PptpSetLinkInfo setlink; +}; + +extern int +(*ip_nat_pptp_hook_outbound)(struct sk_buff **pskb, + struct ip_conntrack *ct, + enum ip_conntrack_info ctinfo, + struct PptpControlHeader *ctlh, + union pptp_ctrl_union *pptpReq); + +extern int +(*ip_nat_pptp_hook_inbound)(struct sk_buff **pskb, + struct ip_conntrack *ct, + enum ip_conntrack_info ctinfo, + struct PptpControlHeader *ctlh, + union pptp_ctrl_union *pptpReq); + +extern int +(*ip_nat_pptp_hook_exp_gre)(struct ip_conntrack_expect *exp_orig, + struct ip_conntrack_expect *exp_reply); + +extern void +(*ip_nat_pptp_hook_expectfn)(struct ip_conntrack *ct, + struct ip_conntrack_expect *exp); +#endif /* __KERNEL__ */ +#endif /* _CONNTRACK_PPTP_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h usr/include/linux/netfilter_ipv4/ip_conntrack_protocol.h --- include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-03-13 21:53:55.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-08-02 20:02:17.753240704 +0200 @@ -34,7 +34,7 @@ /* Returns verdict for packet, or -1 for invalid. */ int (*packet)(struct ip_conntrack *conntrack, - const struct sk_buff *skb, + struct sk_buff *skb, enum ip_conntrack_info ctinfo); /* Called when a new connection for this protocol found; diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h usr/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h --- include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2005-08-02 20:02:17.718246024 +0200 @@ -0,0 +1,114 @@ +#ifndef _CONNTRACK_PROTO_GRE_H +#define _CONNTRACK_PROTO_GRE_H +#include + +/* GRE PROTOCOL HEADER */ + +/* GRE Version field */ +#define GRE_VERSION_1701 0x0 +#define GRE_VERSION_PPTP 0x1 + +/* GRE Protocol field */ +#define GRE_PROTOCOL_PPTP 0x880B + +/* GRE Flags */ +#define GRE_FLAG_C 0x80 +#define GRE_FLAG_R 0x40 +#define GRE_FLAG_K 0x20 +#define GRE_FLAG_S 0x10 +#define GRE_FLAG_A 0x80 + +#define GRE_IS_C(f) ((f)&GRE_FLAG_C) +#define GRE_IS_R(f) ((f)&GRE_FLAG_R) +#define GRE_IS_K(f) ((f)&GRE_FLAG_K) +#define GRE_IS_S(f) ((f)&GRE_FLAG_S) +#define GRE_IS_A(f) ((f)&GRE_FLAG_A) + +/* GRE is a mess: Four different standards */ +struct gre_hdr { +#if defined(__LITTLE_ENDIAN_BITFIELD) + __u16 rec:3, + srr:1, + seq:1, + key:1, + routing:1, + csum:1, + version:3, + reserved:4, + ack:1; +#elif defined(__BIG_ENDIAN_BITFIELD) + __u16 csum:1, + routing:1, + key:1, + seq:1, + srr:1, + rec:3, + ack:1, + reserved:4, + version:3; +#else +#error "Adjust your defines" +#endif + __u16 protocol; +}; + +/* modified GRE header for PPTP */ +struct gre_hdr_pptp { + __u8 flags; /* bitfield */ + __u8 version; /* should be GRE_VERSION_PPTP */ + __u16 protocol; /* should be GRE_PROTOCOL_PPTP */ + __u16 payload_len; /* size of ppp payload, not inc. gre header */ + __u16 call_id; /* peer's call_id for this session */ + __u32 seq; /* sequence number. Present if S==1 */ + __u32 ack; /* seq number of highest packet recieved by */ + /* sender in this session */ +}; + + +/* this is part of ip_conntrack */ +struct ip_ct_gre { + unsigned int stream_timeout; + unsigned int timeout; +}; + +#ifdef __KERNEL__ +struct ip_conntrack_expect; +struct ip_conntrack; + +/* structure for original <-> reply keymap */ +struct ip_ct_gre_keymap { + struct list_head list; + + struct ip_conntrack_tuple tuple; +}; + +/* add new tuple->key_reply pair to keymap */ +int ip_ct_gre_keymap_add(struct ip_conntrack *ct, + struct ip_conntrack_tuple *t, + int reply); + +/* delete keymap entries */ +void ip_ct_gre_keymap_destroy(struct ip_conntrack *ct); + + +/* get pointer to gre key, if present */ +static inline u_int32_t *gre_key(struct gre_hdr *greh) +{ + if (!greh->key) + return NULL; + if (greh->csum || greh->routing) + return (u_int32_t *) (greh+sizeof(*greh)+4); + return (u_int32_t *) (greh+sizeof(*greh)); +} + +/* get pointer ot gre csum, if present */ +static inline u_int16_t *gre_csum(struct gre_hdr *greh) +{ + if (!greh->csum) + return NULL; + return (u_int16_t *) (greh+sizeof(*greh)); +} + +#endif /* __KERNEL__ */ + +#endif /* _CONNTRACK_PROTO_GRE_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h usr/include/linux/netfilter_ipv4/ip_conntrack_quake3.h --- include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_quake3.h 2005-08-02 20:02:17.771237968 +0200 @@ -0,0 +1,22 @@ +#ifndef _IP_CT_QUAKE3 +#define _IP_CT_QUAKE3 + +/* Don't confuse with 27960, often used as the Server Port */ +#define QUAKE3_MASTER_PORT 27950 + +struct quake3_search { + const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */ + const char *pattern; + size_t plen; +}; + +/* This structure is per expected connection */ +struct ip_ct_quake3_expect { +}; + +/* This structure exists only once per master */ +struct ip_ct_quake3_master { +}; + +extern unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp); +#endif /* _IP_CT_QUAKE3 */ diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h usr/include/linux/netfilter_ipv4/ip_conntrack_tuple.h --- include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-03-13 21:53:55.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-08-02 20:02:17.807232496 +0200 @@ -28,6 +28,9 @@ struct { u_int16_t port; } sctp; + struct { + u_int16_t key; /* key is 32bit, pptp onky uses 16 */ + } gre; }; /* The manipulable part of the tuple. */ @@ -61,6 +64,9 @@ struct { u_int16_t port; } sctp; + struct { + u_int16_t key; + } gre; } u; /* The protocol. */ diff -uNr include.orig/linux/netfilter_ipv4/ip_nat_pptp.h usr/include/linux/netfilter_ipv4/ip_nat_pptp.h --- include.orig/linux/netfilter_ipv4/ip_nat_pptp.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_nat_pptp.h 2005-08-02 20:02:17.767238576 +0200 @@ -0,0 +1,11 @@ +/* PPTP constants and structs */ +#ifndef _NAT_PPTP_H +#define _NAT_PPTP_H + +/* conntrack private data */ +struct ip_nat_pptp { + u_int16_t pns_call_id; /* NAT'ed PNS call id */ + u_int16_t pac_call_id; /* NAT'ed PAC call id */ +}; + +#endif /* _NAT_PPTP_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_queue.h usr/include/linux/netfilter_ipv4/ip_queue.h --- include.orig/linux/netfilter_ipv4/ip_queue.h 2004-10-31 20:56:03.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_queue.h 2005-08-02 20:02:17.823230064 +0200 @@ -39,10 +39,20 @@ unsigned char payload[0]; /* Optional replacement packet */ } ipq_verdict_msg_t; +typedef struct ipq_vwmark_msg { + unsigned int value; /* Verdict to hand to netfilter */ + unsigned long id; /* Packet ID for this verdict */ + size_t data_len; /* Length of replacement data */ + unsigned char payload[0]; /* Optional replacement packet */ + unsigned long nfmark; /* Mark for the Packet */ +} ipq_vwmark_msg_t; + + typedef struct ipq_peer_msg { union { ipq_verdict_msg_t verdict; ipq_mode_msg_t mode; + ipq_vwmark_msg_t vwmark; } msg; } ipq_peer_msg_t; @@ -59,6 +69,7 @@ #define IPQM_MODE (IPQM_BASE + 1) /* Mode request from peer */ #define IPQM_VERDICT (IPQM_BASE + 2) /* Verdict from peer */ #define IPQM_PACKET (IPQM_BASE + 3) /* Packet from kernel */ -#define IPQM_MAX (IPQM_BASE + 4) +#define IPQM_VWMARK (IPQM_BASE + 4) /* Verdict and mark from peer */ +#define IPQM_MAX (IPQM_BASE + 5) #endif /*_IP_QUEUE_H*/ diff -uNr include.orig/linux/netfilter_ipv4/ip_set.h usr/include/linux/netfilter_ipv4/ip_set.h --- include.orig/linux/netfilter_ipv4/ip_set.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_set.h 2005-08-02 20:02:17.828229304 +0200 @@ -0,0 +1,489 @@ +#ifndef _IP_SET_H +#define _IP_SET_H + +/* Copyright (C) 2000-2002 Joakim Axelsson + * Patrick Schaaf + * Martin Josefsson + * Copyright (C) 2003-2004 Jozsef Kadlecsik + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +/* + * A sockopt of such quality has hardly ever been seen before on the open + * market! This little beauty, hardly ever used: above 64, so it's + * traditionally used for firewalling, not touched (even once!) by the + * 2.0, 2.2 and 2.4 kernels! + * + * Comes with its own certificate of authenticity, valid anywhere in the + * Free world! + * + * Rusty, 19.4.2000 + */ +#define SO_IP_SET 83 + +/* + * Heavily modify by Joakim Axelsson 08.03.2002 + * - Made it more modulebased + * + * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004 + * - bindings added + * - in order to "deal with" backward compatibility, renamed to ipset + */ + +/* + * Used so that the kernel module and ipset-binary can match their versions + */ +#define IP_SET_PROTOCOL_VERSION 2 + +#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */ + +/* Lets work with our own typedef for representing an IP address. + * We hope to make the code more portable, possibly to IPv6... + * + * The representation works in HOST byte order, because most set types + * will perform arithmetic operations and compare operations. + * + * For now the type is an uint32_t. + * + * Make sure to ONLY use the functions when translating and parsing + * in order to keep the host byte order and make it more portable: + * parse_ip() + * parse_mask() + * parse_ipandmask() + * ip_tostring() + * (Joakim: where are they???) + */ + +typedef uint32_t ip_set_ip_t; + +/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t + * and IP_SET_INVALID_ID if you want to increase the max number of sets. + */ +typedef uint16_t ip_set_id_t; + +#define IP_SET_INVALID_ID 65535 + +/* How deep we follow bindings */ +#define IP_SET_MAX_BINDINGS 6 + +/* + * Option flags for kernel operations (ipt_set_info) + */ +#define IPSET_SRC 0x01 /* Source match/add */ +#define IPSET_DST 0x02 /* Destination match/add */ +#define IPSET_MATCH_INV 0x04 /* Inverse matching */ + +/* + * Set types (flavours) + */ +#define IPSET_TYPE_IP 0 /* IP address type of set */ +#define IPSET_TYPE_PORT 1 /* Port type of set */ + +/* Reserved keywords */ +#define IPSET_TOKEN_DEFAULT ":default:" +#define IPSET_TOKEN_ALL ":all:" + +/* SO_IP_SET operation constants, and their request struct types. + * + * Operation ids: + * 0-99: commands with version checking + * 100-199: add/del/test/bind/unbind + * 200-299: list, save, restore + */ + +/* Single shot operations: + * version, create, destroy, flush, rename and swap + * + * Sets are identified by name. + */ + +#define IP_SET_REQ_STD \ + unsigned op; \ + unsigned version; \ + char name[IP_SET_MAXNAMELEN] + +#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */ +struct ip_set_req_create { + IP_SET_REQ_STD; + char typename[IP_SET_MAXNAMELEN]; +}; + +#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */ +struct ip_set_req_std { + IP_SET_REQ_STD; +}; + +#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */ +/* Uses ip_set_req_std */ + +#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */ +/* Uses ip_set_req_create */ + +#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */ +/* Uses ip_set_req_create */ + +union ip_set_name_index { + char name[IP_SET_MAXNAMELEN]; + ip_set_id_t index; +}; + +#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ +struct ip_set_req_get_set { + unsigned op; + unsigned version; + union ip_set_name_index set; +}; + +#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ +/* Uses ip_set_req_get_set */ + +#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ +struct ip_set_req_version { + unsigned op; + unsigned version; +}; + +/* Double shots operations: + * add, del, test, bind and unbind. + * + * First we query the kernel to get the index and type of the target set, + * then issue the command. Validity of IP is checked in kernel in order + * to minimalize sockopt operations. + */ + +/* Get minimal set data for add/del/test/bind/unbind IP */ +#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */ +struct ip_set_req_adt_get { + unsigned op; + unsigned version; + union ip_set_name_index set; + char typename[IP_SET_MAXNAMELEN]; +}; + +#define IP_SET_REQ_BYINDEX \ + unsigned op; \ + ip_set_id_t index; + +struct ip_set_req_adt { + IP_SET_REQ_BYINDEX; +}; + +#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */ +/* Uses ip_set_req_adt, with type specific addage */ + +#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */ +/* Uses ip_set_req_adt, with type specific addage */ + +#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */ +/* Uses ip_set_req_adt, with type specific addage */ + +#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */ +/* Uses ip_set_req_bind, with type specific addage */ +struct ip_set_req_bind { + IP_SET_REQ_BYINDEX; + char binding[IP_SET_MAXNAMELEN]; +}; + +#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */ +/* Uses ip_set_req_bind, with type speficic addage + * index = 0 means unbinding for all sets */ + +#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */ +/* Uses ip_set_req_bind, with type specific addage */ + +/* Multiple shots operations: list, save, restore. + * + * - check kernel version and query the max number of sets + * - get the basic information on all sets + * and size required for the next step + * - get actual set data: header, data, bindings + */ + +/* Get max_sets and the index of a queried set + */ +#define IP_SET_OP_MAX_SETS 0x00000020 +struct ip_set_req_max_sets { + unsigned op; + unsigned version; + ip_set_id_t max_sets; /* max_sets */ + ip_set_id_t sets; /* real number of sets */ + union ip_set_name_index set; /* index of set if name used */ +}; + +/* Get the id and name of the sets plus size for next step */ +#define IP_SET_OP_LIST_SIZE 0x00000201 +#define IP_SET_OP_SAVE_SIZE 0x00000202 +struct ip_set_req_setnames { + unsigned op; + ip_set_id_t index; /* set to list/save */ + size_t size; /* size to get setdata/bindings */ + /* followed by sets number of struct ip_set_name_list */ +}; + +struct ip_set_name_list { + char name[IP_SET_MAXNAMELEN]; + char typename[IP_SET_MAXNAMELEN]; + ip_set_id_t index; + ip_set_id_t id; +}; + +/* The actual list operation */ +#define IP_SET_OP_LIST 0x00000203 +struct ip_set_req_list { + IP_SET_REQ_BYINDEX; + /* sets number of struct ip_set_list in reply */ +}; + +struct ip_set_list { + ip_set_id_t index; + ip_set_id_t binding; + u_int32_t ref; + size_t header_size; /* Set header data of header_size */ + size_t members_size; /* Set members data of members_size */ + size_t bindings_size; /* Set bindings data of bindings_size */ +}; + +struct ip_set_hash_list { + ip_set_ip_t ip; + ip_set_id_t binding; +}; + +/* The save operation */ +#define IP_SET_OP_SAVE 0x00000204 +/* Uses ip_set_req_list, in the reply replaced by + * sets number of struct ip_set_save plus a marker + * ip_set_save followed by ip_set_hash_save structures. + */ +struct ip_set_save { + ip_set_id_t index; + ip_set_id_t binding; + size_t header_size; /* Set header data of header_size */ + size_t members_size; /* Set members data of members_size */ +}; + +/* At restoring, ip == 0 means default binding for the given set: */ +struct ip_set_hash_save { + ip_set_ip_t ip; + ip_set_id_t id; + ip_set_id_t binding; +}; + +/* The restore operation */ +#define IP_SET_OP_RESTORE 0x00000205 +/* Uses ip_set_req_setnames followed by ip_set_restore structures + * plus a marker ip_set_restore, followed by ip_set_hash_save + * structures. + */ +struct ip_set_restore { + char name[IP_SET_MAXNAMELEN]; + char typename[IP_SET_MAXNAMELEN]; + ip_set_id_t index; + size_t header_size; /* Create data of header_size */ + size_t members_size; /* Set members data of members_size */ +}; + +static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b) +{ + return 4 * ((((b - a + 8) / 8) + 3) / 4); +} + +#ifdef __KERNEL__ + +#define ip_set_printk(format, args...) \ + do { \ + printk("%s: %s: ", __FILE__, __FUNCTION__); \ + printk(format "\n" , ## args); \ + } while (0) + +#if defined(IP_SET_DEBUG) +#define DP(format, args...) \ + do { \ + printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\ + printk(format "\n" , ## args); \ + } while (0) +#define IP_SET_ASSERT(x) \ + do { \ + if (!(x)) \ + printk("IP_SET_ASSERT: %s:%i(%s)\n", \ + __FILE__, __LINE__, __FUNCTION__); \ + } while (0) +#else +#define DP(format, args...) +#define IP_SET_ASSERT(x) +#endif + +struct ip_set; + +/* + * The ip_set_type definition - one per set type, e.g. "ipmap". + * + * Each individual set has a pointer, set->type, going to one + * of these structures. Function pointers inside the structure implement + * the real behaviour of the sets. + * + * If not mentioned differently, the implementation behind the function + * pointers of a set_type, is expected to return 0 if ok, and a negative + * errno (e.g. -EINVAL) on error. + */ +struct ip_set_type { + struct list_head list; /* next in list of set types */ + + /* test for IP in set (kernel: iptables -m set src|dst) + * return 0 if not in set, 1 if in set. + */ + int (*testip_kernel) (struct ip_set *set, + const struct sk_buff * skb, + u_int32_t flags, + ip_set_ip_t *ip); + + /* test for IP in set (userspace: ipset -T set IP) + * return 0 if not in set, 1 if in set. + */ + int (*testip) (struct ip_set *set, + const void *data, size_t size, + ip_set_ip_t *ip); + + /* + * Size of the data structure passed by when + * adding/deletin/testing an entry. + */ + size_t reqsize; + + /* Add IP into set (userspace: ipset -A set IP) + * Return -EEXIST if the address is already in the set, + * and -ERANGE if the address lies outside the set bounds. + * If the address was not already in the set, 0 is returned. + */ + int (*addip) (struct ip_set *set, + const void *data, size_t size, + ip_set_ip_t *ip); + + /* Add IP into set (kernel: iptables ... -j SET set src|dst) + * Return -EEXIST if the address is already in the set, + * and -ERANGE if the address lies outside the set bounds. + * If the address was not already in the set, 0 is returned. + */ + int (*addip_kernel) (struct ip_set *set, + const struct sk_buff * skb, + u_int32_t flags, + ip_set_ip_t *ip); + + /* remove IP from set (userspace: ipset -D set --entry x) + * Return -EEXIST if the address is NOT in the set, + * and -ERANGE if the address lies outside the set bounds. + * If the address really was in the set, 0 is returned. + */ + int (*delip) (struct ip_set *set, + const void *data, size_t size, + ip_set_ip_t *ip); + + /* remove IP from set (kernel: iptables ... -j SET --entry x) + * Return -EEXIST if the address is NOT in the set, + * and -ERANGE if the address lies outside the set bounds. + * If the address really was in the set, 0 is returned. + */ + int (*delip_kernel) (struct ip_set *set, + const struct sk_buff * skb, + u_int32_t flags, + ip_set_ip_t *ip); + + /* new set creation - allocated type specific items + */ + int (*create) (struct ip_set *set, + const void *data, size_t size); + + /* retry the operation after successfully tweaking the set + */ + int (*retry) (struct ip_set *set); + + /* set destruction - free type specific items + * There is no return value. + * Can be called only when child sets are destroyed. + */ + void (*destroy) (struct ip_set *set); + + /* set flushing - reset all bits in the set, or something similar. + * There is no return value. + */ + void (*flush) (struct ip_set *set); + + /* Listing: size needed for header + */ + size_t header_size; + + /* Listing: Get the header + * + * Fill in the information in "data". + * This function is always run after list_header_size() under a + * writelock on the set. Therefor is the length of "data" always + * correct. + */ + void (*list_header) (const struct ip_set *set, + void *data); + + /* Listing: Get the size for the set members + */ + int (*list_members_size) (const struct ip_set *set); + + /* Listing: Get the set members + * + * Fill in the information in "data". + * This function is always run after list_member_size() under a + * writelock on the set. Therefor is the length of "data" always + * correct. + */ + void (*list_members) (const struct ip_set *set, + void *data); + + char typename[IP_SET_MAXNAMELEN]; + char typecode; + int protocol_version; + + /* Set this to THIS_MODULE if you are a module, otherwise NULL */ + struct module *me; +}; + +extern int ip_set_register_set_type(struct ip_set_type *set_type); +extern void ip_set_unregister_set_type(struct ip_set_type *set_type); + +/* A generic ipset */ +struct ip_set { + char name[IP_SET_MAXNAMELEN]; /* the name of the set */ + rwlock_t lock; /* lock for concurrency control */ + ip_set_id_t id; /* set id for swapping */ + ip_set_id_t binding; /* default binding for the set */ + atomic_t ref; /* in kernel and in hash references */ + struct ip_set_type *type; /* the set types */ + void *data; /* pooltype specific data */ +}; + +/* Structure to bind set elements to sets */ +struct ip_set_hash { + struct list_head list; /* list of clashing entries in hash */ + ip_set_ip_t ip; /* ip from set */ + ip_set_id_t id; /* set id */ + ip_set_id_t binding; /* set we bind the element to */ +}; + +/* register and unregister set references */ +extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]); +extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id); +extern void ip_set_put(ip_set_id_t id); + +/* API for iptables set match, and SET target */ +extern void ip_set_addip_kernel(ip_set_id_t id, + const struct sk_buff *skb, + const u_int32_t *flags); +extern void ip_set_delip_kernel(ip_set_id_t id, + const struct sk_buff *skb, + const u_int32_t *flags); +extern int ip_set_testip_kernel(ip_set_id_t id, + const struct sk_buff *skb, + const u_int32_t *flags); + +#endif /* __KERNEL__ */ + +#endif /*_IP_SET_H*/ diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iphash.h usr/include/linux/netfilter_ipv4/ip_set_iphash.h --- include.orig/linux/netfilter_ipv4/ip_set_iphash.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_set_iphash.h 2005-08-02 20:02:17.803233104 +0200 @@ -0,0 +1,30 @@ +#ifndef __IP_SET_IPHASH_H +#define __IP_SET_IPHASH_H + +#include + +#define SETTYPE_NAME "iphash" +#define MAX_RANGE 0x0000FFFF + +struct ip_set_iphash { + ip_set_ip_t *members; /* the iphash proper */ + uint32_t initval; /* initval for jhash_1word */ + uint32_t prime; /* prime for double hashing */ + uint32_t hashsize; /* hash size */ + uint16_t probes; /* max number of probes */ + uint16_t resize; /* resize factor in percent */ + ip_set_ip_t netmask; /* netmask */ +}; + +struct ip_set_req_iphash_create { + uint32_t hashsize; + uint16_t probes; + uint16_t resize; + ip_set_ip_t netmask; +}; + +struct ip_set_req_iphash { + ip_set_ip_t ip; +}; + +#endif /* __IP_SET_IPHASH_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_set_ipmap.h usr/include/linux/netfilter_ipv4/ip_set_ipmap.h --- include.orig/linux/netfilter_ipv4/ip_set_ipmap.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_set_ipmap.h 2005-08-02 20:02:17.763239184 +0200 @@ -0,0 +1,56 @@ +#ifndef __IP_SET_IPMAP_H +#define __IP_SET_IPMAP_H + +#include + +#define SETTYPE_NAME "ipmap" +#define MAX_RANGE 0x0000FFFF + +struct ip_set_ipmap { + void *members; /* the ipmap proper */ + ip_set_ip_t first_ip; /* host byte order, included in range */ + ip_set_ip_t last_ip; /* host byte order, included in range */ + ip_set_ip_t netmask; /* subnet netmask */ + ip_set_ip_t sizeid; /* size of set in IPs */ + u_int16_t hosts; /* number of hosts in a subnet */ +}; + +struct ip_set_req_ipmap_create { + ip_set_ip_t from; + ip_set_ip_t to; + ip_set_ip_t netmask; +}; + +struct ip_set_req_ipmap { + ip_set_ip_t ip; +}; + +unsigned int +mask_to_bits(ip_set_ip_t mask) +{ + unsigned int bits = 32; + ip_set_ip_t maskaddr; + + if (mask == 0xFFFFFFFF) + return bits; + + maskaddr = 0xFFFFFFFE; + while (--bits >= 0 && maskaddr != mask) + maskaddr <<= 1; + + return bits; +} + +ip_set_ip_t +range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits) +{ + ip_set_ip_t mask = 0xFFFFFFFE; + + *bits = 32; + while (--(*bits) >= 0 && mask && (to & mask) != from) + mask <<= 1; + + return mask; +} + +#endif /* __IP_SET_IPMAP_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iptree.h usr/include/linux/netfilter_ipv4/ip_set_iptree.h --- include.orig/linux/netfilter_ipv4/ip_set_iptree.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_set_iptree.h 2005-08-02 20:02:17.810232040 +0200 @@ -0,0 +1,39 @@ +#ifndef __IP_SET_IPTREE_H +#define __IP_SET_IPTREE_H + +#include + +#define SETTYPE_NAME "iptree" +#define MAX_RANGE 0x0000FFFF + +struct ip_set_iptreed { + unsigned long expires[255]; /* x.x.x.ADDR */ +}; + +struct ip_set_iptreec { + struct ip_set_iptreed *tree[255]; /* x.x.ADDR.* */ +}; + +struct ip_set_iptreeb { + struct ip_set_iptreec *tree[255]; /* x.ADDR.*.* */ +}; + +struct ip_set_iptree { + unsigned int timeout; + unsigned int gc_interval; +#ifdef __KERNEL__ + struct timer_list gc; + struct ip_set_iptreeb *tree[255]; /* ADDR.*.*.* */ +#endif +}; + +struct ip_set_req_iptree_create { + unsigned int timeout; +}; + +struct ip_set_req_iptree { + ip_set_ip_t ip; + unsigned int timeout; +}; + +#endif /* __IP_SET_IPTREE_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_set_jhash.h usr/include/linux/netfilter_ipv4/ip_set_jhash.h --- include.orig/linux/netfilter_ipv4/ip_set_jhash.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_set_jhash.h 2005-08-02 20:02:17.758239944 +0200 @@ -0,0 +1,148 @@ +#ifndef _LINUX_IPSET_JHASH_H +#define _LINUX_IPSET_JHASH_H + +/* This is a copy of linux/jhash.h but the types u32/u8 are changed + * to __u32/__u8 so that the header file can be included into + * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu) + */ + +/* jhash.h: Jenkins hash support. + * + * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net) + * + * http://burtleburtle.net/bob/hash/ + * + * These are the credits from Bob's sources: + * + * lookup2.c, by Bob Jenkins, December 1996, Public Domain. + * hash(), hash2(), hash3, and mix() are externally useful functions. + * Routines to test the hash are included if SELF_TEST is defined. + * You can use this free for any purpose. It has no warranty. + * + * Copyright (C) 2003 David S. Miller (davem@redhat.com) + * + * I've modified Bob's hash to be useful in the Linux kernel, and + * any bugs present are surely my fault. -DaveM + */ + +/* NOTE: Arguments are modified. */ +#define __jhash_mix(a, b, c) \ +{ \ + a -= b; a -= c; a ^= (c>>13); \ + b -= c; b -= a; b ^= (a<<8); \ + c -= a; c -= b; c ^= (b>>13); \ + a -= b; a -= c; a ^= (c>>12); \ + b -= c; b -= a; b ^= (a<<16); \ + c -= a; c -= b; c ^= (b>>5); \ + a -= b; a -= c; a ^= (c>>3); \ + b -= c; b -= a; b ^= (a<<10); \ + c -= a; c -= b; c ^= (b>>15); \ +} + +/* The golden ration: an arbitrary value */ +#define JHASH_GOLDEN_RATIO 0x9e3779b9 + +/* The most generic version, hashes an arbitrary sequence + * of bytes. No alignment or length assumptions are made about + * the input key. + */ +static inline __u32 jhash(void *key, __u32 length, __u32 initval) +{ + __u32 a, b, c, len; + __u8 *k = key; + + len = length; + a = b = JHASH_GOLDEN_RATIO; + c = initval; + + while (len >= 12) { + a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24)); + b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24)); + c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24)); + + __jhash_mix(a,b,c); + + k += 12; + len -= 12; + } + + c += length; + switch (len) { + case 11: c += ((__u32)k[10]<<24); + case 10: c += ((__u32)k[9]<<16); + case 9 : c += ((__u32)k[8]<<8); + case 8 : b += ((__u32)k[7]<<24); + case 7 : b += ((__u32)k[6]<<16); + case 6 : b += ((__u32)k[5]<<8); + case 5 : b += k[4]; + case 4 : a += ((__u32)k[3]<<24); + case 3 : a += ((__u32)k[2]<<16); + case 2 : a += ((__u32)k[1]<<8); + case 1 : a += k[0]; + }; + + __jhash_mix(a,b,c); + + return c; +} + +/* A special optimized version that handles 1 or more of __u32s. + * The length parameter here is the number of __u32s in the key. + */ +static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval) +{ + __u32 a, b, c, len; + + a = b = JHASH_GOLDEN_RATIO; + c = initval; + len = length; + + while (len >= 3) { + a += k[0]; + b += k[1]; + c += k[2]; + __jhash_mix(a, b, c); + k += 3; len -= 3; + } + + c += length * 4; + + switch (len) { + case 2 : b += k[1]; + case 1 : a += k[0]; + }; + + __jhash_mix(a,b,c); + + return c; +} + + +/* A special ultra-optimized versions that knows they are hashing exactly + * 3, 2 or 1 word(s). + * + * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally + * done at the end is not done here. + */ +static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval) +{ + a += JHASH_GOLDEN_RATIO; + b += JHASH_GOLDEN_RATIO; + c += initval; + + __jhash_mix(a, b, c); + + return c; +} + +static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval) +{ + return jhash_3words(a, b, 0, initval); +} + +static inline __u32 jhash_1word(__u32 a, __u32 initval) +{ + return jhash_3words(a, 0, 0, initval); +} + +#endif /* _LINUX_IPSET_JHASH_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_set_macipmap.h usr/include/linux/netfilter_ipv4/ip_set_macipmap.h --- include.orig/linux/netfilter_ipv4/ip_set_macipmap.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_set_macipmap.h 2005-08-02 20:02:17.776237208 +0200 @@ -0,0 +1,38 @@ +#ifndef __IP_SET_MACIPMAP_H +#define __IP_SET_MACIPMAP_H + +#include + +#define SETTYPE_NAME "macipmap" +#define MAX_RANGE 0x0000FFFF + +/* general flags */ +#define IPSET_MACIP_MATCHUNSET 1 + +/* per ip flags */ +#define IPSET_MACIP_ISSET 1 + +struct ip_set_macipmap { + void *members; /* the macipmap proper */ + ip_set_ip_t first_ip; /* host byte order, included in range */ + ip_set_ip_t last_ip; /* host byte order, included in range */ + u_int32_t flags; +}; + +struct ip_set_req_macipmap_create { + ip_set_ip_t from; + ip_set_ip_t to; + u_int32_t flags; +}; + +struct ip_set_req_macipmap { + ip_set_ip_t ip; + unsigned char ethernet[ETH_ALEN]; +}; + +struct ip_set_macip { + unsigned short flags; + unsigned char ethernet[ETH_ALEN]; +}; + +#endif /* __IP_SET_MACIPMAP_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_set_malloc.h usr/include/linux/netfilter_ipv4/ip_set_malloc.h --- include.orig/linux/netfilter_ipv4/ip_set_malloc.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_set_malloc.h 2005-08-02 20:02:17.788235384 +0200 @@ -0,0 +1,34 @@ +#ifndef _IP_SET_MALLOC_H +#define _IP_SET_MALLOC_H + +#ifdef __KERNEL__ + +/* Memory allocation and deallocation */ +static size_t max_malloc_size = 0; + +static inline void init_max_malloc_size(void) +{ +#define CACHE(x) max_malloc_size = x; +#include +#undef CACHE +} + +static inline void * ip_set_malloc(size_t bytes) +{ + if (bytes > max_malloc_size) + return vmalloc(bytes); + else + return kmalloc(bytes, GFP_KERNEL); +} + +static inline void ip_set_free(void * data, size_t bytes) +{ + if (bytes > max_malloc_size) + vfree(data); + else + kfree(data); +} + +#endif /* __KERNEL__ */ + +#endif /*_IP_SET_MALLOC_H*/ diff -uNr include.orig/linux/netfilter_ipv4/ip_set_nethash.h usr/include/linux/netfilter_ipv4/ip_set_nethash.h --- include.orig/linux/netfilter_ipv4/ip_set_nethash.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_set_nethash.h 2005-08-02 20:02:17.755240400 +0200 @@ -0,0 +1,55 @@ +#ifndef __IP_SET_NETHASH_H +#define __IP_SET_NETHASH_H + +#include + +#define SETTYPE_NAME "nethash" +#define MAX_RANGE 0x0000FFFF + +struct ip_set_nethash { + ip_set_ip_t *members; /* the nethash proper */ + uint32_t initval; /* initval for jhash_1word */ + uint32_t prime; /* prime for double hashing */ + uint32_t hashsize; /* hash size */ + uint16_t probes; /* max number of probes */ + uint16_t resize; /* resize factor in percent */ + unsigned char cidr[30]; /* CIDR sizes */ +}; + +struct ip_set_req_nethash_create { + uint32_t hashsize; + uint16_t probes; + uint16_t resize; +}; + +struct ip_set_req_nethash { + ip_set_ip_t ip; + unsigned char cidr; +}; + +static unsigned char shifts[] = {255, 253, 249, 241, 225, 193, 129, 1}; + +static inline ip_set_ip_t +pack(ip_set_ip_t ip, unsigned char cidr) +{ + ip_set_ip_t addr, *paddr = &addr; + unsigned char n, t, *a; + + addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr)))); +#ifdef __KERNEL__ + DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr); +#endif + n = cidr / 8; + t = cidr % 8; + a = &((unsigned char *)paddr)[n]; + *a = *a /(1 << (8 - t)) + shifts[t]; +#ifdef __KERNEL__ + DP("n: %u, t: %u, a: %u", n, t, *a); + DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u", + HIPQUAD(ip), cidr, NIPQUAD(addr)); +#endif + + return ntohl(addr); +} + +#endif /* __IP_SET_NETHASH_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_set_portmap.h usr/include/linux/netfilter_ipv4/ip_set_portmap.h --- include.orig/linux/netfilter_ipv4/ip_set_portmap.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_set_portmap.h 2005-08-02 20:02:17.772237816 +0200 @@ -0,0 +1,25 @@ +#ifndef __IP_SET_PORTMAP_H +#define __IP_SET_PORTMAP_H + +#include + +#define SETTYPE_NAME "portmap" +#define MAX_RANGE 0x0000FFFF +#define INVALID_PORT (MAX_RANGE + 1) + +struct ip_set_portmap { + void *members; /* the portmap proper */ + ip_set_ip_t first_port; /* host byte order, included in range */ + ip_set_ip_t last_port; /* host byte order, included in range */ +}; + +struct ip_set_req_portmap_create { + ip_set_ip_t from; + ip_set_ip_t to; +}; + +struct ip_set_req_portmap { + ip_set_ip_t port; +}; + +#endif /* __IP_SET_PORTMAP_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_set_prime.h usr/include/linux/netfilter_ipv4/ip_set_prime.h --- include.orig/linux/netfilter_ipv4/ip_set_prime.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ip_set_prime.h 2005-08-02 20:02:17.825229760 +0200 @@ -0,0 +1,34 @@ +#ifndef __IP_SET_PRIME_H +#define __IP_SET_PRIME_H + +static inline unsigned make_prime_bound(unsigned nr) +{ + unsigned long long nr64 = nr; + unsigned long long x = 1; + nr = 1; + while (x <= nr64) { x <<= 2; nr <<= 1; } + return nr; +} + +static inline int make_prime_check(unsigned nr) +{ + unsigned x = 3; + unsigned b = make_prime_bound(nr); + while (x <= b) { + if (0 == (nr % x)) return 0; + x += 2; + } + return 1; +} + +static unsigned make_prime(unsigned nr) +{ + if (0 == (nr & 1)) nr--; + while (nr > 1) { + if (make_prime_check(nr)) return nr; + nr -= 2; + } + return 2; +} + +#endif /* __IP_SET_PRIME_H */ diff -uNr include.orig/linux/netfilter_ipv4/ip_tables.h usr/include/linux/netfilter_ipv4/ip_tables.h --- include.orig/linux/netfilter_ipv4/ip_tables.h 2005-07-06 02:17:20.000000000 +0200 +++ usr/include/linux/netfilter_ipv4/ip_tables.h 2005-08-02 20:02:17.815231280 +0200 @@ -101,7 +101,8 @@ /* Values for "flag" field in struct ipt_ip (general ip structure). */ #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ -#define IPT_F_MASK 0x01 /* All possible flag bits mask. */ +#define IPT_F_GOTO 0x02 /* Set if jump is a goto */ +#define IPT_F_MASK 0x03 /* All possible flag bits mask. */ /* Values for "inv" field in struct ipt_ip. */ #define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ @@ -148,12 +149,23 @@ #define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) #define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS +#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (IPT_BASE_CTL + 3) +#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (IPT_BASE_CTL + 4) +#define IPT_SO_SET_ACCOUNT_MAX IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL + #define IPT_SO_GET_INFO (IPT_BASE_CTL) #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) #define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2) #define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) #define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET +#define IPT_SO_GET_ACCOUNT_PREPARE_READ (IPT_BASE_CTL + 3) +#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (IPT_BASE_CTL + 4) +#define IPT_SO_GET_ACCOUNT_GET_DATA (IPT_BASE_CTL + 5) +#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (IPT_BASE_CTL + 6) +#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (IPT_BASE_CTL + 7) +#define IPT_SO_GET_ACCOUNT_MAX IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES + /* CONTINUE verdict for targets */ #define IPT_CONTINUE 0xFFFFFFFF diff -uNr include.orig/linux/netfilter_ipv4/ipt_account.h usr/include/linux/netfilter_ipv4/ipt_account.h --- include.orig/linux/netfilter_ipv4/ipt_account.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_account.h 2005-08-02 20:02:17.786235688 +0200 @@ -0,0 +1,26 @@ +/* + * accounting match (ipt_account.c) + * (C) 2003,2004 by Piotr Gasidlo (quaker@barbara.eu.org) + * + * Version: 0.1.7 + * + * This software is distributed under the terms of GNU GPL + */ + +#ifndef _IPT_ACCOUNT_H_ +#define _IPT_ACCOUNT_H_ + +#define IPT_ACCOUNT_NAME_LEN 64 + +#define IPT_ACCOUNT_NAME "ipt_account" +#define IPT_ACCOUNT_VERSION "0.1.7" + +struct t_ipt_account_info { + char name[IPT_ACCOUNT_NAME_LEN]; + u_int32_t network; + u_int32_t netmask; + int shortlisting:1; +}; + +#endif + diff -uNr include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h usr/include/linux/netfilter_ipv4/ipt_ACCOUNT.h --- include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_ACCOUNT.h 2005-08-02 20:02:17.817230976 +0200 @@ -0,0 +1,100 @@ +/*************************************************************************** + * Copyright (C) 2004 by Intra2net AG * + * opensource@intra2net.com * + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License * + * version 2 as published by the Free Software Foundation; * + * * + ***************************************************************************/ + +#ifndef _IPT_ACCOUNT_H +#define _IPT_ACCOUNT_H + +#define ACCOUNT_MAX_TABLES 32 +#define ACCOUNT_TABLE_NAME_LEN 32 +#define ACCOUNT_MAX_HANDLES 10 + +/* Structure for the userspace part of ipt_ACCOUNT */ +struct ipt_acc_info { + u_int32_t net_ip; + u_int32_t net_mask; + char table_name[ACCOUNT_TABLE_NAME_LEN]; + int32_t table_nr; +}; + +/* Internal table structure, generated by check_entry() */ +struct ipt_acc_table { + char name[ACCOUNT_TABLE_NAME_LEN]; /* name of the table */ + u_int32_t ip; /* base IP of network */ + u_int32_t netmask; /* netmask of the network */ + unsigned char depth; /* size of network: + 0: 8 bit, 1: 16bit, 2: 24 bit */ + u_int32_t refcount; /* refcount of this table. + if zero, destroy it */ + u_int32_t itemcount; /* number of IPs in this table */ + void *data; /* pointer to the actual data, + depending on netmask */ +}; + +/* Internal handle structure */ +struct ipt_acc_handle { + u_int32_t ip; /* base IP of network. Used for + caculating the final IP during + get_data() */ + unsigned char depth; /* size of network. See above for + details */ + u_int32_t itemcount; /* number of IPs in this table */ + void *data; /* pointer to the actual data, + depending on size */ +}; + +/* Handle structure for communication with the userspace library */ +struct ipt_acc_handle_sockopt { + u_int32_t handle_nr; /* Used for HANDLE_FREE */ + char name[ACCOUNT_TABLE_NAME_LEN]; /* Used for HANDLE_PREPARE_READ/ + HANDLE_READ_FLUSH */ + u_int32_t itemcount; /* Used for HANDLE_PREPARE_READ/ + HANDLE_READ_FLUSH */ +}; + +/* Used for every IP entry + Size is 16 bytes so that 256 (class C network) * 16 + fits in one kernel (zero) page */ +struct ipt_acc_ip { + u_int32_t src_packets; + u_int32_t src_bytes; + u_int32_t dst_packets; + u_int32_t dst_bytes; +}; + +/* + Used for every IP when returning data +*/ +struct ipt_acc_handle_ip { + u_int32_t ip; + u_int32_t src_packets; + u_int32_t src_bytes; + u_int32_t dst_packets; + u_int32_t dst_bytes; +}; + +/* + The IPs are organized as an array so that direct slot + calculations are possible. + Only 8 bit networks are preallocated, 16/24 bit networks + allocate their slots when needed -> very efficent. +*/ +struct ipt_acc_mask_24 { + struct ipt_acc_ip ip[256]; +}; + +struct ipt_acc_mask_16 { + struct ipt_acc_mask_24 *mask_24[256]; +}; + +struct ipt_acc_mask_8 { + struct ipt_acc_mask_16 *mask_16[256]; +}; + +#endif /*_IPT_ACCOUNT_H*/ diff -uNr include.orig/linux/netfilter_ipv4/ipt_addrtype.h usr/include/linux/netfilter_ipv4/ipt_addrtype.h --- include.orig/linux/netfilter_ipv4/ipt_addrtype.h 2004-10-31 20:56:02.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_addrtype.h 2005-08-02 20:02:17.751241008 +0200 @@ -4,8 +4,8 @@ struct ipt_addrtype_info { u_int16_t source; /* source-type mask */ u_int16_t dest; /* dest-type mask */ - u_int32_t invert_source; - u_int32_t invert_dest; + int invert_source; + int invert_dest; }; #endif diff -uNr include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h usr/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h --- include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-01-08 15:03:55.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-08-02 20:02:17.832228696 +0200 @@ -9,7 +9,7 @@ #define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT -#define CLUSTERIP_MAX_NODES 16 +#define CLUSTERIP_MAX_NODES 8 #define CLUSTERIP_FLAG_NEW 0x00000001 diff -uNr include.orig/linux/netfilter_ipv4/ipt_connlimit.h usr/include/linux/netfilter_ipv4/ipt_connlimit.h --- include.orig/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_connlimit.h 2005-08-02 20:02:17.723245264 +0200 @@ -0,0 +1,12 @@ +#ifndef _IPT_CONNLIMIT_H +#define _IPT_CONNLIMIT_H + +struct ipt_connlimit_data; + +struct ipt_connlimit_info { + int limit; + int inverse; + u_int32_t mask; + struct ipt_connlimit_data *data; +}; +#endif /* _IPT_CONNLIMIT_H */ diff -uNr include.orig/linux/netfilter_ipv4/ipt_fuzzy.h usr/include/linux/netfilter_ipv4/ipt_fuzzy.h --- include.orig/linux/netfilter_ipv4/ipt_fuzzy.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_fuzzy.h 2005-08-02 20:02:17.781236448 +0200 @@ -0,0 +1,21 @@ +#ifndef _IPT_FUZZY_H +#define _IPT_FUZZY_H + +#include +#include + +#define MAXFUZZYRATE 10000000 +#define MINFUZZYRATE 3 + +struct ipt_fuzzy_info { + u_int32_t minimum_rate; + u_int32_t maximum_rate; + u_int32_t packets_total; + u_int32_t bytes_total; + u_int32_t previous_time; + u_int32_t present_time; + u_int32_t mean_rate; + u_int8_t acceptance_rate; +}; + +#endif /*_IPT_FUZZY_H*/ diff -uNr include.orig/linux/netfilter_ipv4/ipt_geoip.h usr/include/linux/netfilter_ipv4/ipt_geoip.h --- include.orig/linux/netfilter_ipv4/ipt_geoip.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_geoip.h 2005-08-02 20:02:17.769238272 +0200 @@ -0,0 +1,50 @@ +/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * Copyright (c) 2004 Cookinglinux + */ +#ifndef _IPT_GEOIP_H +#define _IPT_GEOIP_H + +#define IPT_GEOIP_SRC 0x01 /* Perform check on Source IP */ +#define IPT_GEOIP_DST 0x02 /* Perform check on Destination IP */ +#define IPT_GEOIP_INV 0x04 /* Negate the condition */ + +#define IPT_GEOIP_MAX 15 /* Maximum of countries */ + +struct geoip_subnet { + u_int32_t begin; + u_int32_t end; +}; + +struct geoip_info { + struct geoip_subnet *subnets; + u_int32_t count; + u_int32_t ref; + u_int16_t cc; + struct geoip_info *next; + struct geoip_info *prev; +}; + +struct ipt_geoip_info { + u_int8_t flags; + u_int8_t count; + u_int16_t cc[IPT_GEOIP_MAX]; + + /* Used internally by the kernel */ + struct geoip_info *mem[IPT_GEOIP_MAX]; + u_int8_t *refcount; + + /* not implemented yet: + void *fini; + */ +}; + +#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF) + +#endif + diff -uNr include.orig/linux/netfilter_ipv4/ipt_IPMARK.h usr/include/linux/netfilter_ipv4/ipt_IPMARK.h --- include.orig/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_IPMARK.h 2005-08-02 20:02:17.756240248 +0200 @@ -0,0 +1,13 @@ +#ifndef _IPT_IPMARK_H_target +#define _IPT_IPMARK_H_target + +struct ipt_ipmark_target_info { + unsigned long andmask; + unsigned long ormask; + unsigned int addr; +}; + +#define IPT_IPMARK_SRC 0 +#define IPT_IPMARK_DST 1 + +#endif /*_IPT_IPMARK_H_target*/ diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipp2p.h usr/include/linux/netfilter_ipv4/ipt_ipp2p.h --- include.orig/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_ipp2p.h 2005-08-02 20:02:17.784235992 +0200 @@ -0,0 +1,29 @@ +#ifndef __IPT_IPP2P_H +#define __IPT_IPP2P_H +#define IPP2P_VERSION "0.7.4" + +struct ipt_p2p_info { + int cmd; + int debug; +}; + +#endif //__IPT_IPP2P_H + +#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/ +#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/ +#define SHORT_HAND_NONE 5 /* no short hand*/ + +#define IPP2P_EDK 2 +#define IPP2P_DATA_KAZAA 8 +#define IPP2P_DATA_EDK 16 +#define IPP2P_DATA_DC 32 +#define IPP2P_DC 64 +#define IPP2P_DATA_GNU 128 +#define IPP2P_GNU 256 +#define IPP2P_KAZAA 512 +#define IPP2P_BIT 1024 +#define IPP2P_APPLE 2048 +#define IPP2P_SOUL 4096 +#define IPP2P_WINMX 8192 +#define IPP2P_ARES 16384 + diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipv4options.h usr/include/linux/netfilter_ipv4/ipt_ipv4options.h --- include.orig/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_ipv4options.h 2005-08-02 20:02:17.733243744 +0200 @@ -0,0 +1,21 @@ +#ifndef __ipt_ipv4options_h_included__ +#define __ipt_ipv4options_h_included__ + +#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */ +#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */ +#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */ +#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */ +#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10 +#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */ +#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40 +#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */ +#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100 +#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */ +#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */ + +struct ipt_ipv4options_info { + u_int16_t options; +}; + + +#endif /* __ipt_ipv4options_h_included__ */ diff -uNr include.orig/linux/netfilter_ipv4/ipt_layer7.h usr/include/linux/netfilter_ipv4/ipt_layer7.h --- include.orig/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_layer7.h 2005-08-02 20:02:17.736243288 +0200 @@ -0,0 +1,26 @@ +/* + By Matthew Strait , Dec 2003. + http://l7-filter.sf.net + + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + as published by the Free Software Foundation; either version + 2 of the License, or (at your option) any later version. + http://www.gnu.org/licenses/gpl.txt +*/ + +#ifndef _IPT_LAYER7_H +#define _IPT_LAYER7_H + +#define MAX_PATTERN_LEN 8192 +#define MAX_PROTOCOL_LEN 256 + +typedef char *(*proc_ipt_search) (char *, char, char *); + +struct ipt_layer7_info { + char protocol[MAX_PROTOCOL_LEN]; + char invert:1; + char pattern[MAX_PATTERN_LEN]; +}; + +#endif /* _IPT_LAYER7_H */ diff -uNr include.orig/linux/netfilter_ipv4/ipt_nth.h usr/include/linux/netfilter_ipv4/ipt_nth.h --- include.orig/linux/netfilter_ipv4/ipt_nth.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_nth.h 2005-08-02 20:02:17.760239640 +0200 @@ -0,0 +1,19 @@ +#ifndef _IPT_NTH_H +#define _IPT_NTH_H + +#include +#include + +#ifndef IPT_NTH_NUM_COUNTERS +#define IPT_NTH_NUM_COUNTERS 16 +#endif + +struct ipt_nth_info { + u_int8_t every; + u_int8_t not; + u_int8_t startat; + u_int8_t counter; + u_int8_t packet; +}; + +#endif /*_IPT_NTH_H*/ diff -uNr include.orig/linux/netfilter_ipv4/ipt_osf.h usr/include/linux/netfilter_ipv4/ipt_osf.h --- include.orig/linux/netfilter_ipv4/ipt_osf.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_osf.h 2005-08-02 20:02:17.783236144 +0200 @@ -0,0 +1,151 @@ +/* + * ipt_osf.h + * + * Copyright (c) 2003 Evgeniy Polyakov + * + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#ifndef _IPT_OSF_H +#define _IPT_OSF_H + +#define MAXGENRELEN 32 +#define MAXDETLEN 64 + +#define IPT_OSF_GENRE 1 +#define IPT_OSF_SMART 2 +#define IPT_OSF_LOG 4 +#define IPT_OSF_NETLINK 8 +#define IPT_OSF_CONNECTOR 16 + +#define IPT_OSF_LOGLEVEL_ALL 0 +#define IPT_OSF_LOGLEVEL_FIRST 1 + +#ifndef __KERNEL__ +#include +#include + +struct list_head +{ + struct list_head *prev, *next; +}; +#endif + +struct ipt_osf_info +{ + char genre[MAXGENRELEN]; + int len; + unsigned long flags; + int loglevel; + int invert; /* UNSUPPORTED */ +}; + +struct osf_wc +{ + char wc; + unsigned long val; +}; + +/* This struct represents IANA options + * http://www.iana.org/assignments/tcp-parameters + */ +struct osf_opt +{ + unsigned char kind; + unsigned char length; + struct osf_wc wc; +}; + +struct osf_finger +{ + struct list_head flist; + struct osf_wc wss; + unsigned char ttl; + unsigned char df; + unsigned long ss; + unsigned char genre[MAXGENRELEN]; + unsigned char version[MAXGENRELEN], subtype[MAXGENRELEN]; + + /* Not needed, but for consistency with original table from Michal Zalewski */ + unsigned char details[MAXDETLEN]; + + int opt_num; + struct osf_opt opt[MAX_IPOPTLEN]; /* In case it is all NOP or EOL */ + +}; + +struct ipt_osf_nlmsg +{ + struct osf_finger f; + struct iphdr ip; + struct tcphdr tcp; +}; + +#ifdef __KERNEL__ + +#include +#include + + +/* Defines for IANA option kinds */ + +#define OSFOPT_EOL 0 /* End of options */ +#define OSFOPT_NOP 1 /* NOP */ +#define OSFOPT_MSS 2 /* Maximum segment size */ +#define OSFOPT_WSO 3 /* Window scale option */ +#define OSFOPT_SACKP 4 /* SACK permitted */ +#define OSFOPT_SACK 5 /* SACK */ +#define OSFOPT_ECHO 6 +#define OSFOPT_ECHOREPLY 7 +#define OSFOPT_TS 8 /* Timestamp option */ +#define OSFOPT_POCP 9 /* Partial Order Connection Permitted */ +#define OSFOPT_POSP 10 /* Partial Order Service Profile */ +/* Others are not used in current OSF */ + +static struct osf_opt IANA_opts[] = +{ + {0, 1,}, + {1, 1,}, + {2, 4,}, + {3, 3,}, + {4, 2,}, + {5, 1 ,}, /* SACK length is not defined */ + {6, 6,}, + {7, 6,}, + {8, 10,}, + {9, 2,}, + {10, 3,}, + {11, 1,}, /* CC: Suppose 1 */ + {12, 1,}, /* the same */ + {13, 1,}, /* and here too */ + {14, 3,}, + {15, 1,}, /* TCP Alternate Checksum Data. Length is not defined */ + {16, 1,}, + {17, 1,}, + {18, 3,}, + {19, 18,}, + {20, 1,}, + {21, 1,}, + {22, 1,}, + {23, 1,}, + {24, 1,}, + {25, 1,}, + {26, 1,}, +}; + +#endif /* __KERNEL__ */ + +#endif /* _IPT_OSF_H */ diff -uNr include.orig/linux/netfilter_ipv4/ipt_policy.h usr/include/linux/netfilter_ipv4/ipt_policy.h --- include.orig/linux/netfilter_ipv4/ipt_policy.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_policy.h 2005-08-02 20:02:17.735243440 +0200 @@ -0,0 +1,52 @@ +#ifndef _IPT_POLICY_H +#define _IPT_POLICY_H + +#define POLICY_MAX_ELEM 4 + +enum ipt_policy_flags +{ + POLICY_MATCH_IN = 0x1, + POLICY_MATCH_OUT = 0x2, + POLICY_MATCH_NONE = 0x4, + POLICY_MATCH_STRICT = 0x8, +}; + +enum ipt_policy_modes +{ + POLICY_MODE_TRANSPORT, + POLICY_MODE_TUNNEL +}; + +struct ipt_policy_spec +{ + u_int8_t saddr:1, + daddr:1, + proto:1, + mode:1, + spi:1, + reqid:1; +}; + +struct ipt_policy_elem +{ + u_int32_t saddr; + u_int32_t smask; + u_int32_t daddr; + u_int32_t dmask; + u_int32_t spi; + u_int32_t reqid; + u_int8_t proto; + u_int8_t mode; + + struct ipt_policy_spec match; + struct ipt_policy_spec invert; +}; + +struct ipt_policy_info +{ + struct ipt_policy_elem pol[POLICY_MAX_ELEM]; + u_int16_t flags; + u_int16_t len; +}; + +#endif /* _IPT_POLICY_H */ diff -uNr include.orig/linux/netfilter_ipv4/ipt_psd.h usr/include/linux/netfilter_ipv4/ipt_psd.h --- include.orig/linux/netfilter_ipv4/ipt_psd.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_psd.h 2005-08-02 20:02:17.778236904 +0200 @@ -0,0 +1,40 @@ +#ifndef _IPT_PSD_H +#define _IPT_PSD_H + +#include +#include + +/* + * High port numbers have a lower weight to reduce the frequency of false + * positives, such as from passive mode FTP transfers. + */ +#define PORT_WEIGHT_PRIV 3 +#define PORT_WEIGHT_HIGH 1 + +/* + * Port scan detection thresholds: at least COUNT ports need to be scanned + * from the same source, with no longer than DELAY ticks between ports. + */ +#define SCAN_MIN_COUNT 7 +#define SCAN_MAX_COUNT (SCAN_MIN_COUNT * PORT_WEIGHT_PRIV) +#define SCAN_WEIGHT_THRESHOLD SCAN_MAX_COUNT +#define SCAN_DELAY_THRESHOLD (300) /* old usage of HZ here was erroneously and broke under uml */ + +/* + * Keep track of up to LIST_SIZE source addresses, using a hash table of + * HASH_SIZE entries for faster lookups, but limiting hash collisions to + * HASH_MAX source addresses per the same hash value. + */ +#define LIST_SIZE 0x100 +#define HASH_LOG 9 +#define HASH_SIZE (1 << HASH_LOG) +#define HASH_MAX 0x10 + +struct ipt_psd_info { + unsigned int weight_threshold; + unsigned int delay_threshold; + unsigned short lo_ports_weight; + unsigned short hi_ports_weight; +}; + +#endif /*_IPT_PSD_H*/ diff -uNr include.orig/linux/netfilter_ipv4/ipt_quota.h usr/include/linux/netfilter_ipv4/ipt_quota.h --- include.orig/linux/netfilter_ipv4/ipt_quota.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_quota.h 2005-08-02 20:02:17.762239336 +0200 @@ -0,0 +1,12 @@ +#ifndef _IPT_QUOTA_H +#define _IPT_QUOTA_H + +/* print debug info in both kernel/netfilter module & iptable library */ +//#define DEBUG_IPT_QUOTA + +struct ipt_quota_info { + u_int64_t quota; + struct ipt_quota_info *master; +}; + +#endif /*_IPT_QUOTA_H*/ diff -uNr include.orig/linux/netfilter_ipv4/ipt_recent.h usr/include/linux/netfilter_ipv4/ipt_recent.h --- include.orig/linux/netfilter_ipv4/ipt_recent.h 2004-10-31 20:56:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_recent.h 2005-08-02 20:02:17.720245720 +0200 @@ -2,7 +2,7 @@ #define _IPT_RECENT_H #define RECENT_NAME "ipt_recent" -#define RECENT_VER "v0.3.1" +#define RECENT_VER "v0.3.2" #define IPT_RECENT_CHECK 1 #define IPT_RECENT_SET 2 diff -uNr include.orig/linux/netfilter_ipv4/ipt_ROUTE.h usr/include/linux/netfilter_ipv4/ipt_ROUTE.h --- include.orig/linux/netfilter_ipv4/ipt_ROUTE.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_ROUTE.h 2005-08-02 20:02:17.726244808 +0200 @@ -0,0 +1,23 @@ +/* Header file for iptables ipt_ROUTE target + * + * (C) 2002 by Cédric de Launois + * + * This software is distributed under GNU GPL v2, 1991 + */ +#ifndef _IPT_ROUTE_H_target +#define _IPT_ROUTE_H_target + +#define IPT_ROUTE_IFNAMSIZ 16 + +struct ipt_route_target_info { + char oif[IPT_ROUTE_IFNAMSIZ]; /* Output Interface Name */ + char iif[IPT_ROUTE_IFNAMSIZ]; /* Input Interface Name */ + u_int32_t gw; /* IP address of gateway */ + u_int8_t flags; +}; + +/* Values for "flags" field */ +#define IPT_ROUTE_CONTINUE 0x01 +#define IPT_ROUTE_TEE 0x02 + +#endif /*_IPT_ROUTE_H_target*/ diff -uNr include.orig/linux/netfilter_ipv4/ipt_set.h usr/include/linux/netfilter_ipv4/ipt_set.h --- include.orig/linux/netfilter_ipv4/ipt_set.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_set.h 2005-08-02 20:02:17.721245568 +0200 @@ -0,0 +1,21 @@ +#ifndef _IPT_SET_H +#define _IPT_SET_H + +#include + +struct ipt_set_info { + ip_set_id_t index; + u_int32_t flags[IP_SET_MAX_BINDINGS + 1]; +}; + +/* match info */ +struct ipt_set_info_match { + struct ipt_set_info match_set; +}; + +struct ipt_set_info_target { + struct ipt_set_info add_set; + struct ipt_set_info del_set; +}; + +#endif /*_IPT_SET_H*/ diff -uNr include.orig/linux/netfilter_ipv4/ipt_string.h usr/include/linux/netfilter_ipv4/ipt_string.h --- include.orig/linux/netfilter_ipv4/ipt_string.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_string.h 2005-08-02 20:02:17.805232800 +0200 @@ -0,0 +1,21 @@ +#ifndef _IPT_STRING_H +#define _IPT_STRING_H + +/* *** PERFORMANCE TWEAK *** + * Packet size and search string threshold, + * above which sublinear searches is used. */ +#define IPT_STRING_HAYSTACK_THRESH 100 +#define IPT_STRING_NEEDLE_THRESH 20 + +#define BM_MAX_NLEN 256 +#define BM_MAX_HLEN 1024 + +typedef char *(*proc_ipt_search) (char *, char *, int, int); + +struct ipt_string_info { + char string[BM_MAX_NLEN]; + u_int16_t invert; + u_int16_t len; +}; + +#endif /* _IPT_STRING_H */ diff -uNr include.orig/linux/netfilter_ipv4/ipt_time.h usr/include/linux/netfilter_ipv4/ipt_time.h --- include.orig/linux/netfilter_ipv4/ipt_time.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_time.h 2005-08-02 20:02:17.765238880 +0200 @@ -0,0 +1,18 @@ +#ifndef __ipt_time_h_included__ +#define __ipt_time_h_included__ + + +struct ipt_time_info { + u_int8_t days_match; /* 1 bit per day. -SMTWTFS */ + u_int16_t time_start; /* 0 < time_start < 23*60+59 = 1439 */ + u_int16_t time_stop; /* 0:0 < time_stat < 23:59 */ + + /* FIXME: Keep this one for userspace iptables binary compability: */ + u_int8_t kerneltime; /* ignore skb time (and use kerneltime) or not. */ + + time_t date_start; + time_t date_stop; +}; + + +#endif /* __ipt_time_h_included__ */ diff -uNr include.orig/linux/netfilter_ipv4/ipt_TTL.h usr/include/linux/netfilter_ipv4/ipt_TTL.h --- include.orig/linux/netfilter_ipv4/ipt_TTL.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_TTL.h 2005-08-02 20:02:17.801233408 +0200 @@ -0,0 +1,21 @@ +/* TTL modification module for IP tables + * (C) 2000 by Harald Welte */ + +#ifndef _IPT_TTL_H +#define _IPT_TTL_H + +enum { + IPT_TTL_SET = 0, + IPT_TTL_INC, + IPT_TTL_DEC +}; + +#define IPT_TTL_MAXMODE IPT_TTL_DEC + +struct ipt_TTL_info { + u_int8_t mode; + u_int8_t ttl; +}; + + +#endif diff -uNr include.orig/linux/netfilter_ipv4/ipt_u32.h usr/include/linux/netfilter_ipv4/ipt_u32.h --- include.orig/linux/netfilter_ipv4/ipt_u32.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_u32.h 2005-08-02 20:02:17.809232192 +0200 @@ -0,0 +1,40 @@ +#ifndef _IPT_U32_H +#define _IPT_U32_H +#include + +enum ipt_u32_ops +{ + IPT_U32_AND, + IPT_U32_LEFTSH, + IPT_U32_RIGHTSH, + IPT_U32_AT +}; + +struct ipt_u32_location_element +{ + u_int32_t number; + u_int8_t nextop; +}; +struct ipt_u32_value_element +{ + u_int32_t min; + u_int32_t max; +}; +/* *** any way to allow for an arbitrary number of elements? + for now I settle for a limit of 10 of each */ +#define U32MAXSIZE 10 +struct ipt_u32_test +{ + u_int8_t nnums; + struct ipt_u32_location_element location[U32MAXSIZE+1]; + u_int8_t nvalues; + struct ipt_u32_value_element value[U32MAXSIZE+1]; +}; + +struct ipt_u32 +{ + u_int8_t ntests; + struct ipt_u32_test tests[U32MAXSIZE+1]; +}; + +#endif /*_IPT_U32_H*/ diff -uNr include.orig/linux/netfilter_ipv4/ipt_XOR.h usr/include/linux/netfilter_ipv4/ipt_XOR.h --- include.orig/linux/netfilter_ipv4/ipt_XOR.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv4/ipt_XOR.h 2005-08-02 20:02:17.830229000 +0200 @@ -0,0 +1,9 @@ +#ifndef _IPT_XOR_H +#define _IPT_XOR_H + +struct ipt_XOR_info { + char key[30]; + u_int8_t block_size; +}; + +#endif /* _IPT_XOR_H */ diff -uNr include.orig/linux/netfilter_ipv4.h usr/include/linux/netfilter_ipv4.h --- include.orig/linux/netfilter_ipv4.h 2005-07-06 02:17:21.000000000 +0200 +++ usr/include/linux/netfilter_ipv4.h 2005-08-02 20:02:17.660254840 +0200 @@ -7,34 +7,6 @@ #include -/* IP Cache bits. */ -/* Src IP address. */ -#define NFC_IP_SRC 0x0001 -/* Dest IP address. */ -#define NFC_IP_DST 0x0002 -/* Input device. */ -#define NFC_IP_IF_IN 0x0004 -/* Output device. */ -#define NFC_IP_IF_OUT 0x0008 -/* TOS. */ -#define NFC_IP_TOS 0x0010 -/* Protocol. */ -#define NFC_IP_PROTO 0x0020 -/* IP options. */ -#define NFC_IP_OPTIONS 0x0040 -/* Frag & flags. */ -#define NFC_IP_FRAG 0x0080 - -/* Per-protocol information: only matters if proto match. */ -/* TCP flags. */ -#define NFC_IP_TCPFLAGS 0x0100 -/* Source port. */ -#define NFC_IP_SRC_PT 0x0200 -/* Dest port. */ -#define NFC_IP_DST_PT 0x0400 -/* Something else about the proto */ -#define NFC_IP_PROTO_UNKNOWN 0x2000 - /* IP Hooks */ /* After promisc drops, checksum checks. */ #define NF_IP_PRE_ROUTING 0 diff -uNr include.orig/linux/netfilter_ipv6/ip6t_fuzzy.h usr/include/linux/netfilter_ipv6/ip6t_fuzzy.h --- include.orig/linux/netfilter_ipv6/ip6t_fuzzy.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv6/ip6t_fuzzy.h 2005-08-02 20:02:17.652256056 +0200 @@ -0,0 +1,21 @@ +#ifndef _IP6T_FUZZY_H +#define _IP6T_FUZZY_H + +#include +#include + +#define MAXFUZZYRATE 10000000 +#define MINFUZZYRATE 3 + +struct ip6t_fuzzy_info { + u_int32_t minimum_rate; + u_int32_t maximum_rate; + u_int32_t packets_total; + u_int32_t bytes_total; + u_int32_t previous_time; + u_int32_t present_time; + u_int32_t mean_rate; + u_int8_t acceptance_rate; +}; + +#endif /*_IP6T_FUZZY_H*/ diff -uNr include.orig/linux/netfilter_ipv6/ip6t_HL.h usr/include/linux/netfilter_ipv6/ip6t_HL.h --- include.orig/linux/netfilter_ipv6/ip6t_HL.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv6/ip6t_HL.h 2005-08-02 20:02:17.656255448 +0200 @@ -0,0 +1,22 @@ +/* Hop Limit modification module for ip6tables + * Maciej Soltysiak + * Based on HW's TTL module */ + +#ifndef _IP6T_HL_H +#define _IP6T_HL_H + +enum { + IP6T_HL_SET = 0, + IP6T_HL_INC, + IP6T_HL_DEC +}; + +#define IP6T_HL_MAXMODE IP6T_HL_DEC + +struct ip6t_HL_info { + u_int8_t mode; + u_int8_t hop_limit; +}; + + +#endif diff -uNr include.orig/linux/netfilter_ipv6/ip6t_nth.h usr/include/linux/netfilter_ipv6/ip6t_nth.h --- include.orig/linux/netfilter_ipv6/ip6t_nth.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv6/ip6t_nth.h 2005-08-02 20:02:17.652256056 +0200 @@ -0,0 +1,19 @@ +#ifndef _IP6T_NTH_H +#define _IP6T_NTH_H + +#include +#include + +#ifndef IP6T_NTH_NUM_COUNTERS +#define IP6T_NTH_NUM_COUNTERS 16 +#endif + +struct ip6t_nth_info { + u_int8_t every; + u_int8_t not; + u_int8_t startat; + u_int8_t counter; + u_int8_t packet; +}; + +#endif /*_IP6T_NTH_H*/ diff -uNr include.orig/linux/netfilter_ipv6/ip6t_policy.h usr/include/linux/netfilter_ipv6/ip6t_policy.h --- include.orig/linux/netfilter_ipv6/ip6t_policy.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv6/ip6t_policy.h 2005-08-02 20:02:17.655255600 +0200 @@ -0,0 +1,52 @@ +#ifndef _IP6T_POLICY_H +#define _IP6T_POLICY_H + +#define POLICY_MAX_ELEM 4 + +enum ip6t_policy_flags +{ + POLICY_MATCH_IN = 0x1, + POLICY_MATCH_OUT = 0x2, + POLICY_MATCH_NONE = 0x4, + POLICY_MATCH_STRICT = 0x8, +}; + +enum ip6t_policy_modes +{ + POLICY_MODE_TRANSPORT, + POLICY_MODE_TUNNEL +}; + +struct ip6t_policy_spec +{ + u_int8_t saddr:1, + daddr:1, + proto:1, + mode:1, + spi:1, + reqid:1; +}; + +struct ip6t_policy_elem +{ + struct in6_addr saddr; + struct in6_addr smask; + struct in6_addr daddr; + struct in6_addr dmask; + u_int32_t spi; + u_int32_t reqid; + u_int8_t proto; + u_int8_t mode; + + struct ip6t_policy_spec match; + struct ip6t_policy_spec invert; +}; + +struct ip6t_policy_info +{ + struct ip6t_policy_elem pol[POLICY_MAX_ELEM]; + u_int16_t flags; + u_int16_t len; +}; + +#endif /* _IP6T_POLICY_H */ diff -uNr include.orig/linux/netfilter_ipv6/ip6t_REJECT.h usr/include/linux/netfilter_ipv6/ip6t_REJECT.h --- include.orig/linux/netfilter_ipv6/ip6t_REJECT.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv6/ip6t_REJECT.h 2005-08-02 20:02:17.657255296 +0200 @@ -0,0 +1,18 @@ +#ifndef _IP6T_REJECT_H +#define _IP6T_REJECT_H + +enum ip6t_reject_with { + IP6T_ICMP6_NO_ROUTE, + IP6T_ICMP6_ADM_PROHIBITED, + IP6T_ICMP6_NOT_NEIGHBOUR, + IP6T_ICMP6_ADDR_UNREACH, + IP6T_ICMP6_PORT_UNREACH, + IP6T_ICMP6_ECHOREPLY, + IP6T_TCP_RESET +}; + +struct ip6t_reject_info { + enum ip6t_reject_with with; /* reject type */ +}; + +#endif /*_IP6T_REJECT_H*/ diff -uNr include.orig/linux/netfilter_ipv6/ip6t_ROUTE.h usr/include/linux/netfilter_ipv6/ip6t_ROUTE.h --- include.orig/linux/netfilter_ipv6/ip6t_ROUTE.h 1970-01-01 01:00:00.000000000 +0100 +++ usr/include/linux/netfilter_ipv6/ip6t_ROUTE.h 2005-08-02 20:02:17.654255752 +0200 @@ -0,0 +1,23 @@ +/* Header file for iptables ip6t_ROUTE target + * + * (C) 2003 by Cédric de Launois + * + * This software is distributed under GNU GPL v2, 1991 + */ +#ifndef _IPT_ROUTE_H_target +#define _IPT_ROUTE_H_target + +#define IP6T_ROUTE_IFNAMSIZ 16 + +struct ip6t_route_target_info { + char oif[IP6T_ROUTE_IFNAMSIZ]; /* Output Interface Name */ + char iif[IP6T_ROUTE_IFNAMSIZ]; /* Input Interface Name */ + u_int32_t gw[4]; /* IPv6 address of gateway */ + u_int8_t flags; +}; + +/* Values for "flags" field */ +#define IP6T_ROUTE_CONTINUE 0x01 +#define IP6T_ROUTE_TEE 0x02 + +#endif /*_IP6T_ROUTE_H_target*/ diff -uNr include.orig/linux/netfilter_ipv6.h usr/include/linux/netfilter_ipv6.h --- include.orig/linux/netfilter_ipv6.h 2004-10-31 20:55:40.000000000 +0100 +++ usr/include/linux/netfilter_ipv6.h 2005-08-02 20:02:17.661254688 +0200 @@ -56,6 +56,7 @@ enum nf_ip6_hook_priorities { NF_IP6_PRI_FIRST = INT_MIN, + NF_IP6_PRI_CONNTRACK_DEFRAG = -400, NF_IP6_PRI_SELINUX_FIRST = -225, NF_IP6_PRI_CONNTRACK = -200, NF_IP6_PRI_BRIDGE_SABOTAGE_FORWARD = -175, @@ -68,4 +69,6 @@ NF_IP6_PRI_LAST = INT_MAX, }; +#define SO_ORIGINAL_DST 80 + #endif /*__LINUX_IP6_NETFILTER_H*/ diff -uNr include.orig/linux/netlink.h usr/include/linux/netlink.h --- include.orig/linux/netlink.h 2005-01-08 15:03:40.000000000 +0100 +++ usr/include/linux/netlink.h 2005-08-02 20:02:17.679251952 +0200 @@ -14,6 +14,7 @@ #define NETLINK_SELINUX 7 /* SELinux event notifications */ #define NETLINK_ARPD 8 #define NETLINK_AUDIT 9 /* auditing */ +#define NETLINK_NETFILTER 10 /* netfilter subsystem */ #define NETLINK_ROUTE6 11 /* af_inet6 route comm channel */ #define NETLINK_IP6_FW 13 #define NETLINK_DNRTMSG 14 /* DECnet routing messages */ diff -uNr include.orig/linux/skbuff.h usr/include/linux/skbuff.h --- include.orig/linux/skbuff.h 2005-07-06 02:17:21.000000000 +0200 +++ usr/include/linux/skbuff.h 2005-08-02 20:02:17.667253776 +0200 @@ -258,6 +258,9 @@ __u32 nfcache; __u32 nfctinfo; struct nf_conntrack *nfct; +#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) + struct sk_buff *nfct_reasm; +#endif #ifdef CONFIG_NETFILTER_DEBUG unsigned int nf_debug; #endif diff -uNr include.orig/linux/sysctl.h usr/include/linux/sysctl.h --- include.orig/linux/sysctl.h 2005-07-06 02:17:21.000000000 +0200 +++ usr/include/linux/sysctl.h 2005-08-02 20:03:45.127957728 +0200 @@ -193,7 +193,8 @@ NET_DECNET=15, NET_ECONET=16, NET_KHTTPD=17, /* [<2.6] */ - NET_SCTP=17 + NET_SCTP=17, + NET_NETFILTER=18 }; /* /proc/sys/kernel/random */ @@ -258,6 +259,42 @@ NET_UNIX_MAX_DGRAM_QLEN=3 }; +/* /proc/sys/net/netfilter */ +enum +{ + NET_NF_CONNTRACK_MAX=1, + NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT=2, + NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV=3, + NET_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED=4, + NET_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT=5, + NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT=6, + NET_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK=7, + NET_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT=8, + NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE=9, + NET_NF_CONNTRACK_UDP_TIMEOUT=10, + NET_NF_CONNTRACK_UDP_TIMEOUT_STREAM=11, + NET_NF_CONNTRACK_ICMP_TIMEOUT=12, + NET_NF_CONNTRACK_GENERIC_TIMEOUT=13, + NET_NF_CONNTRACK_BUCKETS=14, + NET_NF_CONNTRACK_LOG_INVALID=15, + NET_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS=16, + NET_NF_CONNTRACK_TCP_LOOSE=17, + NET_NF_CONNTRACK_TCP_BE_LIBERAL=18, + NET_NF_CONNTRACK_TCP_MAX_RETRANS=19, + NET_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED=20, + NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT=21, + NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED=22, + NET_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED=23, + NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT=24, + NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD=25, + NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT=26, + NET_NF_CONNTRACK_COUNT=27, + NET_NF_CONNTRACK_ICMPV6_TIMEOUT=28, + NET_NF_CONNTRACK_FRAG6_TIMEOUT=29, + NET_NF_CONNTRACK_FRAG6_LOW_THRESH=30, + NET_NF_CONNTRACK_FRAG6_HIGH_THRESH=31, +}; + /* /proc/sys/net/ipv4 */ enum {