diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ip_conntrack_tuple.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ip_conntrack_tuple.h 2004-01-05 19:42:34.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-04-25 18:55:52.361141304 +0200
@@ -25,6 +25,9 @@
 struct {
 u_int16_t id;
 } icmp;
+ struct {
+ u_int16_t port;
+ } sctp;
 };
 
 /* The manipulable part of the tuple. */
@@ -55,6 +58,9 @@
 struct {
 u_int8_t type, code;
 } icmp;
+ struct {
+ u_int16_t port;
+ } sctp;
 } u;
 
 /* The protocol. */
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ip_pool.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ip_pool.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ip_pool.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ip_pool.h 2004-04-25 18:57:04.592160520 +0200
@@ -0,0 +1,56 @@
+#ifndef _IP_POOL_H
+#define _IP_POOL_H
+
+/***************************************************************************/
+/* This program is free software; you can redistribute it and/or modify */
+/* it under the terms of the GNU General Public License as published by */
+/* the Free Software Foundation; either version 2 of the License, or */
+/* (at your option) any later version. */
+/* */
+/* This program is distributed in the hope that it will be useful, */
+/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
+/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
+/* GNU General Public License for more details. */
+/* */
+/* You should have received a copy of the GNU General Public License */
+/* along with this program; if not, write to the Free Software */
+/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/
+/***************************************************************************/
+
+/* A sockopt of such quality has hardly ever been seen before on the open
+ * market! This little beauty, hardly ever used: above 64, so it's
+ * traditionally used for firewalling, not touched (even once!) by the
+ * 2.0, 2.2 and 2.4 kernels!
+ *
+ * Comes with its own certificate of authenticity, valid anywhere in the
+ * Free world!
+ *
+ * Rusty, 19.4.2000
+ */
+#define SO_IP_POOL 81
+
+typedef int ip_pool_t; /* pool index */
+#define IP_POOL_NONE ((ip_pool_t)-1)
+
+struct ip_pool_request {
+ int op;
+ ip_pool_t index;
+ u_int32_t addr;
+ u_int32_t addr2;
+};
+
+/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */
+
+#define IP_POOL_BAD001 0x00000010
+
+#define IP_POOL_FLUSH 0x00000011 /* req.index, no arguments */
+#define IP_POOL_INIT 0x00000012 /* from addr to addr2 incl. */
+#define IP_POOL_DESTROY 0x00000013 /* req.index, no arguments */
+#define IP_POOL_ADD_ADDR 0x00000014 /* add addr to pool */
+#define IP_POOL_DEL_ADDR 0x00000015 /* del addr from pool */
+#define IP_POOL_HIGH_NR 0x00000016 /* result in req.index */
+#define IP_POOL_LOOKUP 0x00000017 /* result in addr and addr2 */
+#define IP_POOL_USAGE 0x00000018 /* result in addr */
+#define IP_POOL_TEST_ADDR 0x00000019 /* result (0/1) returned */
+
+#endif /*_IP_POOL_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_addrtype.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_addrtype.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_addrtype.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_addrtype.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,11 @@
+#ifndef _IPT_ADDRTYPE_H
+#define _IPT_ADDRTYPE_H
+
+struct ipt_addrtype_info {
+ u_int16_t source; /* source-type mask */
+ u_int16_t dest; /* dest-type mask */
+ int invert_source;
+ int invert_dest;
+};
+
+#endif
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_connlimit.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_connlimit.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_connlimit.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
+
+struct ipt_connlimit_data;
+
+struct ipt_connlimit_info {
+ int limit;
+ int inverse;
+ u_int32_t mask;
+ struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_connmark.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_connmark.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_connmark.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_connmark.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,18 @@
+#ifndef _IPT_CONNMARK_H
+#define _IPT_CONNMARK_H
+
+/* Copyright (C) 2002,2004 MARA Systems AB
+ * by Henrik Nordstrom
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+struct ipt_connmark_info {
+ unsigned long mark, mask;
+ u_int8_t invert;
+};
+
+#endif /*_IPT_CONNMARK_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_CONNMARK.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_CONNMARK.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_CONNMARK.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_CONNMARK.h 2004-04-20 13:10:18.000000000 +0200
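Review bot: `struct ipt_connlimit_info` carries a kernel pointer, `struct ipt_connlimit_data *data;`, inside a structure that is exchanged with userspace as match info, so the structure size depends on the kernel/userspace word size and the kernel-side pointer value is handed back to userspace whenever rules are listed. The same pattern appears in the ipt_dstlimit.h hunk (`hinfo` and the `u` union). The header says nothing about who owns the field; at minimum a comment such as `/* kernel-internal: ignored on input, carries no meaning in userspace */` should state the contract, and a fixed-size opaque placeholder would make the layout independent of the pointer width.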
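Review bot: `unsigned long mark, mask;` in `struct ipt_connmark_info` is 4 bytes in 32-bit userspace and 8 bytes in a 64-bit kernel, so a 32-bit iptables sends a structure whose layout the kernel does not expect; the rest of the header already uses fixed-width `u_int8_t`. The same choice is made in the ipt_CONNMARK.h hunk (`mark`, `mask`) and the ipt_IPMARK.h hunk (`andmask`, `ormask`). If the layout can still be changed, `u_int32_t mark, mask;` removes the dependency on the userspace word size; if not, the compat handling lives on the kernel side and deserves a comment here saying so.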
@@ -0,0 +1,25 @@
+#ifndef _IPT_CONNMARK_H_target
+#define _IPT_CONNMARK_H_target
+
+/* Copyright (C) 2002,2004 MARA Systems AB
+ * by Henrik Nordstrom
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+ IPT_CONNMARK_SET = 0,
+ IPT_CONNMARK_SAVE,
+ IPT_CONNMARK_RESTORE
+};
+
+struct ipt_connmark_target_info {
+ unsigned long mark;
+ unsigned long mask;
+ u_int8_t mode;
+};
+
+#endif /*_IPT_CONNMARK_H_target*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_dstlimit.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_dstlimit.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_dstlimit.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_dstlimit.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,39 @@
+#ifndef _IPT_DSTLIMIT_H
+#define _IPT_DSTLIMIT_H
+
+/* timings are in milliseconds. */
+#define IPT_DSTLIMIT_SCALE 10000
+/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
+ seconds, or one every 59 hours. */
+
+/* details of this structure hidden by the implementation */
+struct ipt_dstlimit_htable;
+
+#define IPT_DSTLIMIT_HASH_DIP 0x0001
+#define IPT_DSTLIMIT_HASH_DPT 0x0002
+#define IPT_DSTLIMIT_HASH_SIP 0x0004
+
+struct dstlimit_cfg {
+ u_int32_t mode; /* bitmask of IPT_DSTLIMIT_HASH_* */
+ u_int32_t avg; /* Average secs between packets * scale */
+ u_int32_t burst; /* Period multiplier for upper limit. */
+
+ /* user specified */
+ u_int32_t size; /* how many buckets */
+ u_int32_t max; /* max number of entries */
+ u_int32_t gc_interval; /* gc interval */
+ u_int32_t expire; /* when do entries expire? */
+};
+
+struct ipt_dstlimit_info {
+ char name [IFNAMSIZ]; /* name */
+ struct dstlimit_cfg cfg;
+ struct ipt_dstlimit_htable *hinfo;
+
+ /* Used internally by the kernel */
+ union {
+ void *ptr;
+ struct ipt_dstlimit_info *master;
+ } u;
+};
+#endif /*_IPT_DSTLIMIT_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_fuzzy.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_fuzzy.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_fuzzy.h 2004-04-20 13:10:18.000000000 +0200
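Review bot: `char name [IFNAMSIZ];` in `struct ipt_dstlimit_info` uses `IFNAMSIZ`, but the header includes nothing, so it only compiles when the including file has already pulled in a definition; an installed header should be self-contained. Either add the include that provides it (`#include <linux/if.h>`) or document the dependency above the struct, e.g. `/* requires IFNAMSIZ from <linux/if.h> */`. The comment `/* timings are in milliseconds. */` directly above a scale of 10000 that the next comment describes as a 1/10,000 s period is also contradictory and should say which unit the `avg` field actually carries.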
@@ -0,0 +1,21 @@
+#ifndef _IPT_FUZZY_H
+#define _IPT_FUZZY_H
+
+#include
+#include
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ipt_fuzzy_info {
+ u_int32_t minimum_rate;
+ u_int32_t maximum_rate;
+ u_int32_t packets_total;
+ u_int32_t bytes_total;
+ u_int32_t previous_time;
+ u_int32_t present_time;
+ u_int32_t mean_rate;
+ u_int8_t acceptance_rate;
+};
+
+#endif /*_IPT_FUZZY_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_IMQ.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_IMQ.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_IMQ.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_IMQ.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,8 @@
+#ifndef _IPT_IMQ_H
+#define _IPT_IMQ_H
+
+struct ipt_imq_info {
+ unsigned int todev; /* target imq device */
+};
+
+#endif /* _IPT_IMQ_H */
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_IPMARK.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_IPMARK.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_IPMARK.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,13 @@
+#ifndef _IPT_IPMARK_H_target
+#define _IPT_IPMARK_H_target
+
+struct ipt_ipmark_target_info {
+ unsigned long andmask;
+ unsigned long ormask;
+ unsigned int addr;
+};
+
+#define IPT_IPMARK_SRC 0
+#define IPT_IPMARK_DST 1
+
+#endif /*_IPT_IPMARK_H_target*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_ipv4options.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_ipv4options.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_ipv4options.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
+#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
+#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
+#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
+#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
+#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
+#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
+
+struct ipt_ipv4options_info {
+ u_int16_t options;
+};
+
+
+#endif /* __ipt_ipv4options_h_included__ */
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_mport.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_mport.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_mport.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_mport.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,24 @@
+#ifndef _IPT_MPORT_H
+#define _IPT_MPORT_H
+#include
+
+#define IPT_MPORT_SOURCE (1<<0)
+#define IPT_MPORT_DESTINATION (1<<1)
+#define IPT_MPORT_EITHER (IPT_MPORT_SOURCE|IPT_MPORT_DESTINATION)
+
+#define IPT_MULTI_PORTS 15
+
+/* Must fit inside union ipt_matchinfo: 32 bytes */
+/* every entry in ports[] except for the last one has one bit in pflags
+ * associated with it. If this bit is set, the port is the first port of
+ * a portrange, with the next entry being the last.
+ * End of list is marked with pflags bit set and port=65535.
+ * If 14 ports are used (last one does not have a pflag), the last port
+ * is repeated to fill the last entry in ports[] */
+struct ipt_mport
+{
+ u_int8_t flags:2; /* Type of comparison */
+ u_int16_t pflags:14; /* Port flags */
+ u_int16_t ports[IPT_MULTI_PORTS]; /* Ports */
+};
+#endif /*_IPT_MPORT_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_nth.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_nth.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_nth.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_nth.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,19 @@
+#ifndef _IPT_NTH_H
+#define _IPT_NTH_H
+
+#include
+#include
+
+#ifndef IPT_NTH_NUM_COUNTERS
+#define IPT_NTH_NUM_COUNTERS 16
+#endif
+
+struct ipt_nth_info {
+ u_int8_t every;
+ u_int8_t not;
+ u_int8_t startat;
+ u_int8_t counter;
+ u_int8_t packet;
+};
+
+#endif /*_IPT_NTH_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_osf.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_osf.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_osf.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_osf.h 2004-04-25 18:58:27.772515184 +0200
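Review bot: The comment `/* Must fit inside union ipt_matchinfo: 32 bytes */` above `struct ipt_mport` only holds if `u_int8_t flags:2;` and `u_int16_t pflags:14;` share one 16-bit storage unit, and how bit-fields of different base types are packed is implementation-defined rather than guaranteed by the C standard; a compiler that opens a new unit for the second field pushes the struct past 32 bytes. Declaring both with the same base type, `u_int16_t flags:2;`, should keep the intended layout on the compilers that already pack it while removing the dependency, and a compile-time size assertion in the kernel module would catch a mismatch early.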
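Review bot: `struct ipt_nth_info` names a field `not`, which becomes the alternative token for `!` as soon as `<iso646.h>` is included and is a reserved word in C++, so a translation unit in either situation cannot use this header. The ip6t_nth.h hunk declares the same field. Renaming it to `invert`, as ipt_realm.h and ipt_connmark.h in this same patch do, keeps the structure layout and therefore the kernel ABI unchanged, though the userspace extension source that references the field would need the same rename.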
@@ -0,0 +1,94 @@
+/*
+ * ipt_osf.h
+ *
+ * Copyright (c) 2003 Evgeniy Polyakov
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _IPT_OSF_H
+#define _IPT_OSF_H
+
+#define MAXGENRELEN 32
+#define MAXDETLEN 64
+
+#define IPT_OSF_GENRE 1
+#define IPT_OSF_SMART 2
+#define IPT_OSF_LOG 4
+#define IPT_OSF_NETLINK 8
+
+#define IPT_OSF_LOGLEVEL_ALL 0
+#define IPT_OSF_LOGLEVEL_FIRST 1
+
+#include
+#include
+
+struct list_head
+{
+ struct list_head *prev, *next;
+};
+
+struct ipt_osf_info
+{
+ char genre[MAXGENRELEN];
+ int len;
+ unsigned long flags;
+ int loglevel;
+ int invert; /* UNSUPPORTED */
+};
+
+struct osf_wc
+{
+ char wc;
+ unsigned long val;
+};
+
+/* This struct represents IANA options
+ * http://www.iana.org/assignments/tcp-parameters
+ */
+struct osf_opt
+{
+ unsigned char kind;
+ unsigned char length;
+ struct osf_wc wc;
+};
+
+struct osf_finger
+{
+ struct list_head flist;
+ struct osf_wc wss;
+ unsigned char ttl;
+ unsigned char df;
+ unsigned long ss;
+ unsigned char genre[MAXGENRELEN];
+ unsigned char version[MAXGENRELEN], subtype[MAXGENRELEN];
+
+ /* Not needed, but for consistency with original table from Michal Zalewski */
+ unsigned char details[MAXDETLEN];
+
+ int opt_num;
+ struct osf_opt opt[MAX_IPOPTLEN]; /* In case it is all NOP or EOL */
+
+};
+
+struct ipt_osf_nlmsg
+{
+ struct osf_finger f;
+ struct iphdr ip;
+ struct tcphdr tcp;
+};
+
+#endif /* _IPT_OSF_H */
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_policy.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_policy.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_policy.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_policy.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,52 @@
+#ifndef _IPT_POLICY_H
+#define _IPT_POLICY_H
+
+#define POLICY_MAX_ELEM 4
+
+enum ipt_policy_flags
+{
+ POLICY_MATCH_IN = 0x1,
+ POLICY_MATCH_OUT = 0x2,
+ POLICY_MATCH_NONE = 0x4,
+ POLICY_MATCH_STRICT = 0x8,
+};
+
+enum ipt_policy_modes
+{
+ POLICY_MODE_TRANSPORT,
+ POLICY_MODE_TUNNEL
+};
+
+struct ipt_policy_spec
+{
+ u_int8_t saddr:1,
+ daddr:1,
+ proto:1,
+ mode:1,
+ spi:1,
+ reqid:1;
+};
+
+struct ipt_policy_elem
+{
+ u_int32_t saddr;
+ u_int32_t smask;
+ u_int32_t daddr;
+ u_int32_t dmask;
+ u_int32_t spi;
+ u_int32_t reqid;
+ u_int8_t proto;
+ u_int8_t mode;
+
+ struct ipt_policy_spec match;
+ struct ipt_policy_spec invert;
+};
+
+struct ipt_policy_info
+{
+ struct ipt_policy_elem pol[POLICY_MAX_ELEM];
+ u_int16_t flags;
+ u_int16_t len;
+};
+
+#endif /* _IPT_POLICY_H */
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_pool.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_pool.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_pool.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_pool.h 2004-04-20 13:10:18.000000000 +0200
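Review bot: ipt_osf.h defines its own `struct list_head` at file scope and embeds it in `struct osf_finger`, which is itself the first member of the netlink message `struct ipt_osf_nlmsg`; the definition collides with the kernel's `struct list_head` when the header is included next to the kernel list API, and the two `prev`/`next` pointers go out in the message with a size that depends on the kernel word size. The `unsigned long` members `flags`, `val` and `ss` have the same 32/64-bit layout problem. A comment on `osf_finger` saying that `flist` is kernel-internal and carries no meaning in the exported message, or a fixed-width placeholder in `ipt_osf_nlmsg` instead of the live list node, would make the message layout stable. `MAX_IPOPTLEN` and `struct iphdr`/`struct tcphdr` are used but not defined here; presumably they come from the two includes whose names did not survive in this copy of the patch, which is worth confirming.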
@@ -0,0 +1,25 @@
+#ifndef _IPT_POOL_H
+#define _IPT_POOL_H
+
+#include
+
+#define IPT_POOL_INV_SRC 0x00000001
+#define IPT_POOL_INV_DST 0x00000002
+#define IPT_POOL_DEL_SRC 0x00000004
+#define IPT_POOL_DEL_DST 0x00000008
+#define IPT_POOL_INV_MOD_SRC 0x00000010
+#define IPT_POOL_INV_MOD_DST 0x00000020
+#define IPT_POOL_MOD_SRC_ACCEPT 0x00000040
+#define IPT_POOL_MOD_DST_ACCEPT 0x00000080
+#define IPT_POOL_MOD_SRC_DROP 0x00000100
+#define IPT_POOL_MOD_DST_DROP 0x00000200
+
+/* match info */
+struct ipt_pool_info
+{
+ ip_pool_t src;
+ ip_pool_t dst;
+ unsigned flags;
+};
+
+#endif /*_IPT_POOL_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_psd.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_psd.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_psd.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_psd.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,40 @@
+#ifndef _IPT_PSD_H
+#define _IPT_PSD_H
+
+#include
+#include
+
+/*
+ * High port numbers have a lower weight to reduce the frequency of false
+ * positives, such as from passive mode FTP transfers.
+ */
+#define PORT_WEIGHT_PRIV 3
+#define PORT_WEIGHT_HIGH 1
+
+/*
+ * Port scan detection thresholds: at least COUNT ports need to be scanned
+ * from the same source, with no longer than DELAY ticks between ports.
+ */
+#define SCAN_MIN_COUNT 7
+#define SCAN_MAX_COUNT (SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
+#define SCAN_WEIGHT_THRESHOLD SCAN_MAX_COUNT
+#define SCAN_DELAY_THRESHOLD (HZ * 3)
+
+/*
+ * Keep track of up to LIST_SIZE source addresses, using a hash table of
+ * HASH_SIZE entries for faster lookups, but limiting hash collisions to
+ * HASH_MAX source addresses per the same hash value.
+ */
+#define LIST_SIZE 0x100
+#define HASH_LOG 9
+#define HASH_SIZE (1 << HASH_LOG)
+#define HASH_MAX 0x10
+
+struct ipt_psd_info {
+ unsigned int weight_threshold;
+ unsigned int delay_threshold;
+ unsigned short lo_ports_weight;
+ unsigned short hi_ports_weight;
+};
+
+#endif /*_IPT_PSD_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_quota.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_quota.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_quota.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_quota.h 2004-04-20 13:10:18.000000000 +0200
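Review bot: `#define SCAN_DELAY_THRESHOLD (HZ * 3)` puts the kernel tick rate into a header that is installed for userspace, where `HZ` is whatever the C library defines and need not equal the running kernel's value; if the userspace extension fills `delay_threshold` from this macro, the jiffies count it sends can differ from what the module assumes. The header should state which side computes the value and in what unit, e.g. `/* delay_threshold is in kernel jiffies; HZ seen here may be the userspace value */`. The unprefixed names `LIST_SIZE`, `HASH_LOG`, `HASH_SIZE`, `HASH_MAX`, `PORT_WEIGHT_*` and `SCAN_*` are also likely to collide with other headers; an `IPT_PSD_` prefix would follow the convention the rest of these netfilter headers use.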
@@ -0,0 +1,11 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+
+/* print debug info in both kernel/netfilter module & iptable library */
+//#define DEBUG_IPT_QUOTA
+
+struct ipt_quota_info {
+ u_int64_t quota;
+};
+
+#endif /*_IPT_QUOTA_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_random.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_random.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_random.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_random.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,11 @@
+#ifndef _IPT_RAND_H
+#define _IPT_RAND_H
+
+#include
+#include
+
+struct ipt_rand_info {
+ u_int8_t average;
+};
+
+#endif /*_IPT_RAND_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_realm.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_realm.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_realm.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_realm.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,9 @@
+#ifndef _IPT_REALM_H
+#define _IPT_REALM_H
+
+struct ipt_realm_info {
+ u_int32_t id;
+ u_int32_t mask;
+ u_int8_t invert;
+};
+#endif /*_IPT_REALM_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_sctp.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_sctp.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_sctp.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_sctp.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,107 @@
+#ifndef _IPT_SCTP_H_
+#define _IPT_SCTP_H_
+
+#define IPT_SCTP_SRC_PORTS 0x01
+#define IPT_SCTP_DEST_PORTS 0x02
+#define IPT_SCTP_CHUNK_TYPES 0x04
+
+#define IPT_SCTP_VALID_FLAGS 0x07
+
+#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
+
+
+struct ipt_sctp_flag_info {
+ u_int8_t chunktype;
+ u_int8_t flag;
+ u_int8_t flag_mask;
+};
+
+#define IPT_NUM_SCTP_FLAGS 4
+
+struct ipt_sctp_info {
+ u_int16_t dpts[2]; /* Min, Max */
+ u_int16_t spts[2]; /* Min, Max */
+
+ u_int32_t chunkmap[256 / sizeof (u_int32_t)]; /* Bit mask of chunks to be matched according to RFC 2960 */
+
+#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */
+
+ u_int32_t chunk_match_type;
+ struct ipt_sctp_flag_info flag_info[IPT_NUM_SCTP_FLAGS];
+ int flag_count;
+
+ u_int32_t flags;
+ u_int32_t invflags;
+};
+
+#define bytes(type) (sizeof(type) * 8)
+
+#define SCTP_CHUNKMAP_SET(chunkmap, type) \
+ do { \
+ chunkmap[type / bytes(u_int32_t)] |= \
+ 1 << (type % bytes(u_int32_t)); \
+ } while (0)
+
+#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
+ do { \
+ chunkmap[type / bytes(u_int32_t)] &= \
+ ~(1 << (type % bytes(u_int32_t))); \
+ } while (0)
+
+#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
+({ \
+ (chunkmap[type / bytes (u_int32_t)] & \
+ (1 << (type % bytes (u_int32_t)))) ? 1: 0; \
+})
+
+#define SCTP_CHUNKMAP_RESET(chunkmap) \
+ do { \
+ int i; \
+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
+ chunkmap[i] = 0; \
+ } while (0)
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
+ do { \
+ int i; \
+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
+ chunkmap[i] = ~0; \
+ } while (0)
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
+ do { \
+ int i; \
+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
+ destmap[i] = srcmap[i]; \
+ } while (0)
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
+({ \
+ int i; \
+ int flag = 1; \
+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
+ if (chunkmap[i]) { \
+ flag = 0; \
+ break; \
+ } \
+ } \
+ flag; \
+})
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
+({ \
+ int i; \
+ int flag = 1; \
+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
+ if (chunkmap[i] != ~0) { \
+ flag = 0; \
+ break; \
+ } \
+ } \
+ flag; \
+})
+
+#endif /* _IPT_SCTP_H_ */
+
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_string.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_string.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_string.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_string.h 2004-04-20 13:10:18.000000000 +0200
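Review bot: `SCTP_CHUNKMAP_COPY(destmap, srcmap)` bounds its loop with `ELEMCOUNT(chunkmap)`, but `chunkmap` is not a parameter of that macro, so it only compiles where a variable of that name happens to be in scope and then uses that variable's element count instead of the destination's; the bound should be `ELEMCOUNT(destmap)`. In SCTP_CHUNKMAP_SET, _CLEAR and _IS_SET the mask `1 << (type % bytes(u_int32_t))` is a signed `int` shift that is undefined for the chunk types whose bit lands in position 31; `1U << (type % bytes(u_int32_t))` avoids that, and the `int i` counters are compared against the `size_t` that `ELEMCOUNT` yields. `bytes()` returns a bit count, so the name misleads, and `chunkmap[256 / sizeof (u_int32_t)]` reserves 64 words where 256 chunk types need 8; that is harmless but costs match-info space and is worth a comment if it is intentional.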
@@ -0,0 +1,21 @@
+#ifndef _IPT_STRING_H
+#define _IPT_STRING_H
+
+/* *** PERFORMANCE TWEAK ***
+ * Packet size and search string threshold,
+ * above which sublinear searches is used. */
+#define IPT_STRING_HAYSTACK_THRESH 100
+#define IPT_STRING_NEEDLE_THRESH 20
+
+#define BM_MAX_NLEN 256
+#define BM_MAX_HLEN 1024
+
+typedef char *(*proc_ipt_search) (char *, char *, int, int);
+
+struct ipt_string_info {
+ char string[BM_MAX_NLEN];
+ u_int16_t invert;
+ u_int16_t len;
+};
+
+#endif /* _IPT_STRING_H */
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_time.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_time.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_time.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_time.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,13 @@
+#ifndef __ipt_time_h_included__
+#define __ipt_time_h_included__
+
+
+struct ipt_time_info {
+ u_int8_t days_match; /* 1 bit per day. -SMTWTFS */
+ u_int16_t time_start; /* 0 < time_start < 23*60+59 = 1439 */
+ u_int16_t time_stop; /* 0:0 < time_stat < 23:59 */
+ u_int8_t kerneltime; /* ignore skb time (and use kerneltime) or not. */
+};
+
+
+#endif /* __ipt_time_h_included__ */
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_TTL.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_TTL.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_TTL.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_TTL.h 2004-04-20 13:10:18.000000000 +0200
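Review bot: The field comment on `time_stop` in `struct ipt_time_info`, `/* 0:0 < time_stat < 23:59 */`, names a field that does not exist and describes the range in a different unit from the `time_start` comment one line above, so a reader cannot tell whether the two fields share an encoding. Mirroring the `time_start` wording, `/* 0 < time_stop < 23*60+59 = 1439 */`, states the same contract for both. The `days_match` comment `-SMTWTFS` also leaves the meaning of the unused high bit implicit; `/* bit 0 = Sunday ... bit 6 = Saturday, bit 7 unused */` would be explicit, if that is indeed the mapping.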
@@ -0,0 +1,21 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+enum {
+ IPT_TTL_SET = 0,
+ IPT_TTL_INC,
+ IPT_TTL_DEC
+};
+
+#define IPT_TTL_MAXMODE IPT_TTL_DEC
+
+struct ipt_TTL_info {
+ u_int8_t mode;
+ u_int8_t ttl;
+};
+
+
+#endif
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_u32.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_u32.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_u32.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_u32.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,40 @@
+#ifndef _IPT_U32_H
+#define _IPT_U32_H
+#include
+
+enum ipt_u32_ops
+{
+ IPT_U32_AND,
+ IPT_U32_LEFTSH,
+ IPT_U32_RIGHTSH,
+ IPT_U32_AT
+};
+
+struct ipt_u32_location_element
+{
+ u_int32_t number;
+ u_int8_t nextop;
+};
+struct ipt_u32_value_element
+{
+ u_int32_t min;
+ u_int32_t max;
+};
+/* *** any way to allow for an arbitrary number of elements?
+ for now I settle for a limit of 10 of each */
+#define U32MAXSIZE 10
+struct ipt_u32_test
+{
+ u_int8_t nnums;
+ struct ipt_u32_location_element location[U32MAXSIZE+1];
+ u_int8_t nvalues;
+ struct ipt_u32_value_element value[U32MAXSIZE+1];
+};
+
+struct ipt_u32
+{
+ u_int8_t ntests;
+ struct ipt_u32_test tests[U32MAXSIZE+1];
+};
+
+#endif /*_IPT_U32_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_XOR.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_XOR.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_XOR.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_XOR.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,9 @@
+#ifndef _IPT_XOR_H
+#define _IPT_XOR_H
+
+struct ipt_XOR_info {
+ char key[30];
+ u_int8_t block_size;
+};
+
+#endif /* _IPT_XOR_H */
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_fuzzy.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_fuzzy.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_fuzzy.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,21 @@
+#ifndef _IP6T_FUZZY_H
+#define _IP6T_FUZZY_H
+
+#include
+#include
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ip6t_fuzzy_info {
+ u_int32_t minimum_rate;
+ u_int32_t maximum_rate;
+ u_int32_t packets_total;
+ u_int32_t bytes_total;
+ u_int32_t previous_time;
+ u_int32_t present_time;
+ u_int32_t mean_rate;
+ u_int8_t acceptance_rate;
+};
+
+#endif /*_IP6T_FUZZY_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_HL.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_HL.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_HL.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_HL.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,22 @@
+/* Hop Limit modification module for ip6tables
+ * Maciej Soltysiak
+ * Based on HW's TTL module */
+
+#ifndef _IP6T_HL_H
+#define _IP6T_HL_H
+
+enum {
+ IP6T_HL_SET = 0,
+ IP6T_HL_INC,
+ IP6T_HL_DEC
+};
+
+#define IP6T_HL_MAXMODE IP6T_HL_DEC
+
+struct ip6t_HL_info {
+ u_int8_t mode;
+ u_int8_t hop_limit;
+};
+
+
+#endif
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_nth.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_nth.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_nth.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_nth.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,19 @@
+#ifndef _IP6T_NTH_H
+#define _IP6T_NTH_H
+
+#include
+#include
+
+#ifndef IP6T_NTH_NUM_COUNTERS
+#define IP6T_NTH_NUM_COUNTERS 16
+#endif
+
+struct ip6t_nth_info {
+ u_int8_t every;
+ u_int8_t not;
+ u_int8_t startat;
+ u_int8_t counter;
+ u_int8_t packet;
+};
+
+#endif /*_IP6T_NTH_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_random.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_random.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_random.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_random.h 2004-04-20 13:10:18.000000000 +0200
@@ -0,0 +1,11 @@
+#ifndef _IP6T_RAND_H
+#define _IP6T_RAND_H
+
+#include
+#include
+
+struct ip6t_rand_info {
+ u_int8_t average;
+};
+
+#endif /*_IP6T_RAND_H*/
diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_REJECT.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_REJECT.h
--- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_REJECT.h 2004-03-05 16:36:39.000000000 +0100
+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_REJECT.h 2004-04-20 13:10:18.000000000 +0200
@@ -2,15 +2,17 @@
 #define _IP6T_REJECT_H
 
 enum ip6t_reject_with {
- IP6T_ICMP_NET_UNREACHABLE,
- IP6T_ICMP_HOST_UNREACHABLE,
- IP6T_ICMP_PROT_UNREACHABLE,
- IP6T_ICMP_PORT_UNREACHABLE,
- IP6T_ICMP_ECHOREPLY
+ IP6T_ICMP6_NO_ROUTE,
+ IP6T_ICMP6_ADM_PROHIBITED,
+ IP6T_ICMP6_NOT_NEIGHBOUR,
+ IP6T_ICMP6_ADDR_UNREACH,
+ IP6T_ICMP6_PORT_UNREACH,
+ IP6T_ICMP6_ECHOREPLY,
+ IP6T_TCP_RESET
 };
 
 struct ip6t_reject_info {
 enum ip6t_reject_with with; /* reject type */
 };
 
-#endif /*_IPT_REJECT_H*/
+#endif /*_IP6T_REJECT_H*/
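Review bot: The enumerator list of `enum ip6t_reject_with` is replaced rather than extended, so existing numeric positions change meaning: value 4 was `IP6T_ICMP_ECHOREPLY` and is now `IP6T_ICMP6_PORT_UNREACH`, and `with` is stored in `struct ip6t_reject_info` as that raw value. An ip6tables built against the old header therefore asks a kernel using the new numbering for a different reject type than the user specified, which is an ABI break the commit does not mention. If older binaries must keep working, the surviving enumerators should keep their positions with explicit values, e.g. `IP6T_ICMP6_ECHOREPLY = 4,`, and a comment at the top of the enum should say that the numbering is ABI; otherwise the break deserves to be stated in the header. The `#endif` comment correction is fine.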