-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ip_conntrack_tuple.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ip_conntrack_tuple.h 2004-01-05 19:42:34.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-04-25 18:55:52.361141304 +0200
-@@ -25,6 +25,9 @@
+diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h include/linux/netfilter/ipv4/nf_conntrack_icmp.h
+--- include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/ipv4/nf_conntrack_icmp.h 2005-08-02 20:02:17.683251344 +0200
+@@ -0,0 +1,17 @@
++/*
++ * ICMP tracking.
++ *
++ * Derived from include/linux/netfiter_ipv4/ip_conntrack_icmp.h
++ */
++
++#ifndef _NF_CONNTRACK_ICMP_H
++#define _NF_CONNTRACK_ICMP_H
++#include <asm/atomic.h>
++
++struct nf_ct_icmp
++{
++ /* Optimization: when number in == number out, forget immediately. */
++ atomic_t count;
++};
++
++#endif /* _NF_CONNTRACK_ICMP_H */
+diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h include/linux/netfilter/ipv4/nf_conntrack_ipv4.h
+--- include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/ipv4/nf_conntrack_ipv4.h 2005-08-02 20:02:17.684251192 +0200
+@@ -0,0 +1,40 @@
++/*
++ * IPv4 support for nf_conntrack.
++ *
++ * 23 Mar 2004: Yasuyuki Kozakai @ USAGI <yasuyuki.kozakai@toshiba.co.jp>
++ * - move L3 protocol dependent part from include/linux/netfilter_ipv4/
++ * ip_conntarck.h
++ */
++
++#ifndef _NF_CONNTRACK_IPV4_H
++#define _NF_CONNTRACK_IPV4_H
++
++#ifdef CONFIG_IP_NF_NAT_NEEDED
++#include <linux/netfilter_ipv4/ip_nat.h>
++
++/* per conntrack: nat application helper private data */
++union ip_conntrack_nat_help {
++ /* insert nat helper private data here */
++};
++
++struct nf_conntrack_ipv4_nat {
++ struct ip_nat_info info;
++ union ip_conntrack_nat_help help;
++#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
++ defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
++ int masq_index;
++#endif
++};
++#endif /* CONFIG_IP_NF_NAT_NEEDED */
++
++struct nf_conntrack_ipv4 {
++#ifdef CONFIG_IP_NF_NAT_NEEDED
++ struct nf_conntrack_ipv4_nat *nat;
++#endif
++};
++
++/* Returns new sk_buff, or NULL */
++struct sk_buff *
++nf_ct_ipv4_ct_gather_frags(struct sk_buff *skb);
++
++#endif /*_NF_CONNTRACK_IPV4_H*/
+diff -uNr include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h
+--- include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 2005-08-02 20:02:17.698249064 +0200
+@@ -0,0 +1,27 @@
++/*
++ * ICMPv6 tracking.
++ *
++ * 21 Apl 2004: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
++ * - separated from nf_conntrack_icmp.h
++ *
++ * Derived from include/linux/netfiter_ipv4/ip_conntrack_icmp.h
++ */
++
++#ifndef _NF_CONNTRACK_ICMPV6_H
++#define _NF_CONNTRACK_ICMPV6_H
++#include <asm/atomic.h>
++
++#ifndef ICMPV6_NI_QUERY
++#define ICMPV6_NI_QUERY 139
++#endif
++#ifndef ICMPV6_NI_REPLY
++#define ICMPV6_NI_REPLY 140
++#endif
++
++struct nf_ct_icmpv6
++{
++ /* Optimization: when number in == number out, forget immediately. */
++ atomic_t count;
++};
++
++#endif /* _NF_CONNTRACK_ICMPV6_H */
+diff -uNr include.orig/linux/netfilter/nf_conntrack_core.h include/linux/netfilter/nf_conntrack_core.h
+--- include.orig/linux/netfilter/nf_conntrack_core.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/nf_conntrack_core.h 2005-08-02 20:02:17.687250736 +0200
+@@ -0,0 +1,72 @@
++/*
++ * This header is used to share core functionality between the
++ * standalone connection tracking module, and the compatibility layer's use
++ * of connection tracking.
++ *
++ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
++ * - generalize L3 protocol dependent part.
++ *
++ * Derived from include/linux/netfiter_ipv4/ip_conntrack_core.h
++ */
++
++#ifndef _NF_CONNTRACK_CORE_H
++#define _NF_CONNTRACK_CORE_H
++
++#include <linux/netfilter.h>
++#include <linux/netfilter_ipv4/lockhelp.h>
++
++/* This header is used to share core functionality between the
++ standalone connection tracking module, and the compatibility layer's use
++ of connection tracking. */
++extern unsigned int nf_conntrack_in(int pf,
++ unsigned int hooknum,
++ struct sk_buff **pskb);
++
++extern int nf_conntrack_init(void);
++extern void nf_conntrack_cleanup(void);
++
++struct nf_conntrack_l3proto;
++extern struct nf_conntrack_l3proto *nf_ct_find_l3proto(u_int16_t pf);
++/* Like above, but you already have conntrack read lock. */
++extern struct nf_conntrack_l3proto *__nf_ct_find_l3proto(u_int16_t l3proto);
++
++struct nf_conntrack_protocol;
++
++extern int
++nf_ct_get_tuple(const struct sk_buff *skb,
++ unsigned int nhoff,
++ unsigned int dataoff,
++ u_int16_t l3num,
++ u_int8_t protonum,
++ struct nf_conntrack_tuple *tuple,
++ const struct nf_conntrack_l3proto *l3proto,
++ const struct nf_conntrack_protocol *protocol);
++
++extern int
++nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
++ const struct nf_conntrack_tuple *orig,
++ const struct nf_conntrack_l3proto *l3proto,
++ const struct nf_conntrack_protocol *protocol);
++
++/* Find a connection corresponding to a tuple. */
++extern struct nf_conntrack_tuple_hash *
++nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple,
++ const struct nf_conn *ignored_conntrack);
++
++extern int __nf_conntrack_confirm(struct sk_buff **pskb);
++
++/* Confirm a connection: returns NF_DROP if packet must be dropped. */
++static inline int nf_conntrack_confirm(struct sk_buff **pskb)
++{
++ if ((*pskb)->nfct
++ && !is_confirmed((struct nf_conn *)(*pskb)->nfct))
++ return __nf_conntrack_confirm(pskb);
++ return NF_ACCEPT;
++}
++
++extern void __nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb);
++
++extern struct list_head *nf_conntrack_hash;
++extern struct list_head nf_conntrack_expect_list;
++DECLARE_RWLOCK_EXTERN(nf_conntrack_lock);
++#endif /* _NF_CONNTRACK_CORE_H */
+diff -uNr include.orig/linux/netfilter/nf_conntrack_ftp.h include/linux/netfilter/nf_conntrack_ftp.h
+--- include.orig/linux/netfilter/nf_conntrack_ftp.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/nf_conntrack_ftp.h 2005-08-02 20:02:17.700248760 +0200
+@@ -0,0 +1,59 @@
++/*
++ * nf_conntrack_ftp.h
++ *
++ * Definitions and Declarations for FTP tracking.
++ *
++ * Derived from include/linux/netfiter_ipv4/ip_conntrack_ftp.h
++ *
++ * 16 Dec 2003: Yasuyuki Kozakai @ USAGI <yasuyuki.kozakai@toshiba.co.jp>
++ * - IPv6 support.
++ */
++
++#ifndef _NF_CONNTRACK_FTP_H
++#define _NF_CONNTRACK_FTP_H
++/* FTP tracking. */
++
++#ifdef __KERNEL__
++
++#include <linux/netfilter_ipv4/lockhelp.h>
++
++/* Protects ftp part of conntracks */
++DECLARE_LOCK_EXTERN(ip_ftp_lock);
++
++#define FTP_PORT 21
++
++#endif /* __KERNEL__ */
++
++enum nf_ct_ftp_type
++{
++ /* PORT command from client */
++ NF_CT_FTP_PORT,
++ /* PASV response from server */
++ NF_CT_FTP_PASV,
++ /* EPRT command from client */
++ NF_CT_FTP_EPRT,
++ /* EPSV response from server */
++ NF_CT_FTP_EPSV,
++};
++
++#define NUM_SEQ_TO_REMEMBER 2
++/* This structure exists only once per master */
++struct nf_ct_ftp_master {
++ /* Valid seq positions for cmd matching after newline */
++ u_int32_t seq_aft_nl[NF_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
++ /* 0 means seq_match_aft_nl not set */
++ int seq_aft_nl_num[NF_CT_DIR_MAX];
++};
++
++struct nf_conntrack_expect;
++
++/* For NAT to hook in when we find a packet which describes what other
++ * connection we should expect. */
++extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
++ enum nf_conntrack_info ctinfo,
++ enum nf_ct_ftp_type type,
++ unsigned int matchoff,
++ unsigned int matchlen,
++ struct nf_conntrack_expect *exp,
++ u32 *seq);
++#endif /* _NF_CONNTRACK_FTP_H */
+diff -uNr include.orig/linux/netfilter/nf_conntrack.h include/linux/netfilter/nf_conntrack.h
+--- include.orig/linux/netfilter/nf_conntrack.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/nf_conntrack.h 2005-08-02 20:02:17.708247544 +0200
+@@ -0,0 +1,302 @@
++/*
++ * Connection state tracking for netfilter. This is separated from,
++ * but required by, the (future) NAT layer; it can also be used by an iptables
++ * extension.
++ *
++ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
++ * - generalize L3 protocol dependent part.
++ *
++ * Derived from include/linux/netfiter_ipv4/ip_conntrack.h
++ */
++
++#ifndef _NF_CONNTRACK_H
++#define _NF_CONNTRACK_H
++
++enum nf_conntrack_info
++{
++ /* Part of an established connection (either direction). */
++ NF_CT_ESTABLISHED,
++
++ /* Like NEW, but related to an existing connection, or ICMP error
++ (in either direction). */
++ NF_CT_RELATED,
++
++ /* Started a new connection to track (only
++ NF_CT_DIR_ORIGINAL); may be a retransmission. */
++ NF_CT_NEW,
++
++ /* >= this indicates reply direction */
++ NF_CT_IS_REPLY,
++
++ /* Number of distinct NF_CT types (no NEW in reply dirn). */
++ NF_CT_NUMBER = NF_CT_IS_REPLY * 2 - 1
++};
++
++/* Bitset representing status of connection. */
++enum nf_conntrack_status {
++ /* It's an expected connection: bit 0 set. This bit never changed */
++ NF_S_EXPECTED_BIT = 0,
++ NF_S_EXPECTED = (1 << NF_S_EXPECTED_BIT),
++
++ /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
++ NF_S_SEEN_REPLY_BIT = 1,
++ NF_S_SEEN_REPLY = (1 << NF_S_SEEN_REPLY_BIT),
++
++ /* Conntrack should never be early-expired. */
++ NF_S_ASSURED_BIT = 2,
++ NF_S_ASSURED = (1 << NF_S_ASSURED_BIT),
++
++ /* Connection is confirmed: originating packet has left box */
++ NF_S_CONFIRMED_BIT = 3,
++ NF_S_CONFIRMED = (1 << NF_S_CONFIRMED_BIT),
++};
++
++#ifdef __KERNEL__
++#include <linux/config.h>
++#include <linux/netfilter/nf_conntrack_tuple.h>
++#include <linux/bitops.h>
++#include <linux/compiler.h>
++#include <asm/atomic.h>
++
++#include <linux/netfilter/nf_conntrack_tcp.h>
++#include <linux/netfilter/ipv4/nf_conntrack_icmp.h>
++#include <linux/netfilter/ipv6/nf_conntrack_icmpv6.h>
++#include <linux/netfilter/nf_conntrack_sctp.h>
++
++/* per conntrack: protocol private data */
++union nf_conntrack_proto {
++ /* insert conntrack proto private data here */
++ struct nf_ct_sctp sctp;
++ struct nf_ct_tcp tcp;
++ struct nf_ct_icmp icmp;
++ struct nf_ct_icmpv6 icmpv6;
++};
++
++union nf_conntrack_expect_proto {
++ /* insert expect proto private data here */
++};
++
++/* Add protocol helper include file here */
++#include <linux/netfilter/nf_conntrack_ftp.h>
++
++/* per conntrack: application helper private data */
++union nf_conntrack_help {
++ /* insert conntrack helper private data (master) here */
++ struct nf_ct_ftp_master ct_ftp_info;
++};
++
++#include <linux/types.h>
++#include <linux/skbuff.h>
++
++#ifdef CONFIG_NETFILTER_DEBUG
++#define NF_CT_ASSERT(x) \
++do { \
++ if (!(x)) \
++ /* Wooah! I'm tripping my conntrack in a frenzy of \
++ netplay... */ \
++ printk("NF_CT_ASSERT: %s:%i(%s)\n", \
++ __FILE__, __LINE__, __FUNCTION__); \
++} while(0)
++#else
++#define NF_CT_ASSERT(x)
++#endif
++
++struct nf_conntrack_counter
++{
++ u_int64_t packets;
++ u_int64_t bytes;
++};
++
++struct nf_conntrack_helper;
++
++#include <linux/netfilter/ipv4/nf_conntrack_ipv4.h>
++struct nf_conn
++{
++ /* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
++ plus 1 for any connection(s) we are `master' for */
++ struct nf_conntrack ct_general;
++
++ /* XXX should I move this to the tail ? - Y.K */
++ /* These are my tuples; original and reply */
++ struct nf_conntrack_tuple_hash tuplehash[NF_CT_DIR_MAX];
++
++ /* Have we seen traffic both ways yet? (bitset) */
++ unsigned long status;
++
++ /* Timer function; drops refcnt when it goes off. */
++ struct timer_list timeout;
++
++#ifdef CONFIG_NF_CT_ACCT
++ /* Accounting Information (same cache line as other written members) */
++ struct nf_conntrack_counter counters[NF_CT_DIR_MAX];
++#endif
++ /* If we were expected by an expectation, this will be it */
++ struct nf_conn *master;
++
++ /* Current number of expected connections */
++ unsigned int expecting;
++
++ /* Helper. if any */
++ struct nf_conntrack_helper *helper;
++
++ /* features - nat, helper, ... used by allocating system */
++ u_int32_t features;
++
++ /* Storage reserved for other modules: */
++
++ union nf_conntrack_proto proto;
++
++#if defined(CONFIG_NF_CONNTRACK_MARK)
++ unsigned long mark;
++#endif
++
++ /* These members are dynamically allocated. */
++
++ union nf_conntrack_help *help;
++
++ /* Layer 3 dependent members. (ex: NAT) */
++ union {
++ struct nf_conntrack_ipv4 *ipv4;
++ } l3proto;
++ void *data[0];
++};
++
++struct nf_conntrack_expect
++{
++ /* Internal linked list (global expectation list) */
++ struct list_head list;
++
++ /* We expect this tuple, with the following mask */
++ struct nf_conntrack_tuple tuple, mask;
++
++ /* Function to call after setup and insertion */
++ void (*expectfn)(struct nf_conn *new,
++ struct nf_conntrack_expect *this);
++
++ /* The conntrack of the master connection */
++ struct nf_conn *master;
++
++ /* Timer function; deletes the expectation. */
++ struct timer_list timeout;
++
++#ifdef CONFIG_NF_NAT_NEEDED
++ /* This is the original per-proto part, used to map the
++ * expected connection the way the recipient expects. */
++ union nf_conntrack_manip_proto saved_proto;
++ /* Direction relative to the master connection. */
++ enum nf_conntrack_dir dir;
++#endif
++};
++
++static inline struct nf_conn *
++tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
++{
++ return container_of(hash, struct nf_conn,
++ tuplehash[hash->tuple.dst.dir]);
++}
++
++/* get master conntrack via master expectation */
++#define master_ct(conntr) (conntr->master)
++
++/* Alter reply tuple (maybe alter helper). */
++extern void
++nf_conntrack_alter_reply(struct nf_conn *conntrack,
++ const struct nf_conntrack_tuple *newreply);
++
++/* Is this tuple taken? (ignoring any belonging to the given
++ conntrack). */
++extern int
++nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
++ const struct nf_conn *ignored_conntrack);
++
++/* Return conntrack_info and tuple hash for given skb. */
++static inline struct nf_conn *
++nf_ct_get(struct sk_buff *skb, enum nf_conntrack_info *ctinfo)
++{
++ *ctinfo = skb->nfctinfo;
++ return (struct nf_conn *)skb->nfct;
++}
++
++/* decrement reference count on a conntrack */
++extern void nf_ct_put(struct nf_conn *ct);
++
++/* call to create an explicit dependency on nf_conntrack. */
++extern void need_nf_conntrack(void);
++
++extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
++ const struct nf_conntrack_tuple *orig);
++
++/* Refresh conntrack for this many jiffies */
++extern void nf_ct_refresh_acct(struct nf_conn *ct,
++ enum nf_conntrack_info ctinfo,
++ const struct sk_buff *skb,
++ unsigned long extra_jiffies);
++
++/* These are for NAT. Icky. */
++/* Call me when a conntrack is destroyed. */
++extern void (*nf_conntrack_destroyed)(struct nf_conn *conntrack);
++
++/* Fake conntrack entry for untracked connections */
++extern struct nf_conn nf_conntrack_untracked;
++
++extern int nf_ct_no_defrag;
++
++/* Iterate over all conntracks: if iter returns true, it's deleted. */
++extern void
++nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data);
++
++/* It's confirmed if it is, or has been in the hash table. */
++static inline int is_confirmed(struct nf_conn *ct)
++{
++ return test_bit(NF_S_CONFIRMED_BIT, &ct->status);
++}
++
++extern unsigned int nf_conntrack_htable_size;
++
++struct nf_conntrack_stat
++{
++ unsigned int searched;
++ unsigned int found;
++ unsigned int new;
++ unsigned int invalid;
++ unsigned int ignore;
++ unsigned int delete;
++ unsigned int delete_list;
++ unsigned int insert;
++ unsigned int insert_failed;
++ unsigned int drop;
++ unsigned int early_drop;
++ unsigned int error;
++ unsigned int expect_new;
++ unsigned int expect_create;
++ unsigned int expect_delete;
++};
++
++#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++)
++
++/* eg. PROVIDES_CONNTRACK(ftp); */
++#define PROVIDES_CONNTRACK(name) \
++ int needs_nf_conntrack_##name; \
++ EXPORT_SYMBOL(needs_nf_conntrack_##name)
++
++/*. eg. NEEDS_CONNTRACK(ftp); */
++#define NEEDS_CONNTRACK(name) \
++ extern int needs_nf_conntrack_##name; \
++ static int *need_nf_conntrack_##name __attribute_used__ = &needs_nf_conntrack_##name
++
++/* no helper, no nat */
++#define NF_CT_F_BASIC 0
++/* for helper */
++#define NF_CT_F_HELP 1
++/* for nat. */
++#define NF_CT_F_NAT 2
++#define NF_CT_F_NUM 4
++
++extern int
++nf_conntrack_register_cache(u_int32_t features, const char *name, size_t size,
++ int (*init_conntrack)(struct nf_conn *, u_int32_t));
++extern void
++nf_conntrack_unregister_cache(u_int32_t features);
++
++#endif /* __KERNEL__ */
++#endif /* _NF_CONNTRACK_H */
+diff -uNr include.orig/linux/netfilter/nf_conntrack_helper.h include/linux/netfilter/nf_conntrack_helper.h
+--- include.orig/linux/netfilter/nf_conntrack_helper.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/nf_conntrack_helper.h 2005-08-02 20:02:17.706247848 +0200
+@@ -0,0 +1,50 @@
++/*
++ * connection tracking helpers.
++ *
++ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
++ * - generalize L3 protocol dependent part.
++ *
++ * Derived from include/linux/netfiter_ipv4/ip_conntrack_helper.h
++ */
++
++#ifndef _NF_CONNTRACK_HELPER_H
++#define _NF_CONNTRACK_HELPER_H
++#include <linux/netfilter/nf_conntrack.h>
++
++struct module;
++
++struct nf_conntrack_helper
++{
++ struct list_head list; /* Internal use. */
++
++ const char *name; /* name of the module */
++ struct module *me; /* pointer to self */
++ unsigned int max_expected; /* Maximum number of concurrent
++ * expected connections */
++ unsigned int timeout; /* timeout for expecteds */
++
++ /* Mask of things we will help (compared against server response) */
++ struct nf_conntrack_tuple tuple;
++ struct nf_conntrack_tuple mask;
++
++ /* Function to call when data passes; return verdict, or -1 to
++ invalidate. */
++ int (*help)(struct sk_buff **pskb,
++ unsigned int protoff,
++ struct nf_conn *ct,
++ enum nf_conntrack_info conntrackinfo);
++};
++
++extern int nf_conntrack_helper_register(struct nf_conntrack_helper *);
++extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *);
++
++/* Allocate space for an expectation: this is mandatory before calling
++ nf_conntrack_expect_related. */
++extern struct nf_conntrack_expect *nf_conntrack_expect_alloc(void);
++extern void nf_conntrack_expect_free(struct nf_conntrack_expect *exp);
++
++/* Add an expected connection: can have more than one per connection */
++extern int nf_conntrack_expect_related(struct nf_conntrack_expect *exp);
++extern void nf_conntrack_unexpect_related(struct nf_conntrack_expect *exp);
++
++#endif /*_NF_CONNTRACK_HELPER_H*/
+diff -uNr include.orig/linux/netfilter/nf_conntrack_l3proto.h include/linux/netfilter/nf_conntrack_l3proto.h
+--- include.orig/linux/netfilter/nf_conntrack_l3proto.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/nf_conntrack_l3proto.h 2005-08-02 20:02:17.713246784 +0200
+@@ -0,0 +1,93 @@
++/*
++ * Copyright (C)2003,2004 USAGI/WIDE Project
++ *
++ * Header for use in defining a given L3 protocol for connection tracking.
++ *
++ * Author:
++ * Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
++ *
++ * Derived from include/netfilter_ipv4/ip_conntrack_protocol.h
++ */
++
++#ifndef _NF_CONNTRACK_L3PROTO_H
++#define _NF_CONNTRACK_L3PROTO_H
++#include <linux/seq_file.h>
++#include <linux/netfilter/nf_conntrack.h>
++
++struct nf_conntrack_l3proto
++{
++ /* Next pointer. */
++ struct list_head list;
++
++ /* L3 Protocol Family number. ex) PF_INET */
++ u_int16_t l3proto;
++
++ /* Protocol name */
++ const char *name;
++
++ /*
++ * Try to fill in the third arg: nhoff is offset of l3 proto
++ * hdr. Return true if possible.
++ */
++ int (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int nhoff,
++ struct nf_conntrack_tuple *tuple);
++
++ /*
++ * Invert the per-proto part of the tuple: ie. turn xmit into reply.
++ * Some packets can't be inverted: return 0 in that case.
++ */
++ int (*invert_tuple)(struct nf_conntrack_tuple *inverse,
++ const struct nf_conntrack_tuple *orig);
++
++ /* Print out the per-protocol part of the tuple. */
++ int (*print_tuple)(struct seq_file *s,
++ const struct nf_conntrack_tuple *);
++
++ /* Print out the private part of the conntrack. */
++ int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
++
++ /* Returns verdict for packet, or -1 for invalid. */
++ int (*packet)(struct nf_conn *conntrack,
++ const struct sk_buff *skb,
++ enum nf_conntrack_info ctinfo);
++
++ /*
++ * Called when a new connection for this protocol found;
++ * returns TRUE if it's OK. If so, packet() called next.
++ */
++ int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb);
++
++ /* Called when a conntrack entry is destroyed */
++ void (*destroy)(struct nf_conn *conntrack);
++
++ /*
++ * Called before tracking.
++ * *dataoff: offset of protocol header (TCP, UDP,...) in *pskb
++ * *protonum: protocol number
++ */
++ int (*prepare)(struct sk_buff **pskb, unsigned int hooknum,
++ unsigned int *dataoff, u_int8_t *protonum, int *ret);
++
++ u_int32_t (*get_features)(const struct nf_conntrack_tuple *tuple);
++
++ /* Module (if any) which this is connected to. */
++ struct module *me;
++};
++
++extern struct nf_conntrack_l3proto *nf_ct_l3protos[AF_MAX];
++
++/* Protocol registration. */
++extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto);
++extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto);
++
++static inline struct nf_conntrack_l3proto *
++nf_ct_find_l3proto(u_int16_t l3proto)
++{
++ return nf_ct_l3protos[l3proto];
++}
++
++/* Existing built-in protocols */
++extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4;
++extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6;
++extern struct nf_conntrack_l3proto nf_conntrack_generic_l3proto;
++#endif /*_NF_CONNTRACK_L3PROTO_H*/
+diff -uNr include.orig/linux/netfilter/nf_conntrack_protocol.h include/linux/netfilter/nf_conntrack_protocol.h
+--- include.orig/linux/netfilter/nf_conntrack_protocol.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/nf_conntrack_protocol.h 2005-08-02 20:02:17.710247240 +0200
+@@ -0,0 +1,105 @@
++/*
++ * Header for use in defining a given protocol for connection tracking.
++ *
++ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
++ * - generalized L3 protocol dependent part.
++ *
++ * Derived from include/linux/netfiter_ipv4/ip_conntrack_protcol.h
++ */
++
++#ifndef _NF_CONNTRACK_PROTOCOL_H
++#define _NF_CONNTRACK_PROTOCOL_H
++#include <linux/netfilter/nf_conntrack.h>
++
++struct seq_file;
++
++struct nf_conntrack_protocol
++{
++ /* Next pointer. */
++ struct list_head list;
++
++ /* L3 Protocol number. */
++ u_int16_t l3proto;
++
++ /* Protocol number. */
++ u_int8_t proto;
++
++ /* Protocol name */
++ const char *name;
++
++ /* Try to fill in the third arg: dataoff is offset past network protocol
++ hdr. Return true if possible. */
++ int (*pkt_to_tuple)(const struct sk_buff *skb,
++ unsigned int dataoff,
++ struct nf_conntrack_tuple *tuple);
++
++ /* Invert the per-proto part of the tuple: ie. turn xmit into reply.
++ * Some packets can't be inverted: return 0 in that case.
++ */
++ int (*invert_tuple)(struct nf_conntrack_tuple *inverse,
++ const struct nf_conntrack_tuple *orig);
++
++ /* Print out the per-protocol part of the tuple. Return like seq_* */
++ int (*print_tuple)(struct seq_file *s,
++ const struct nf_conntrack_tuple *);
++
++ /* Print out the private part of the conntrack. */
++ int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
++
++ /* Returns verdict for packet, or -1 for invalid. */
++ int (*packet)(struct nf_conn *conntrack,
++ const struct sk_buff *skb,
++ unsigned int dataoff,
++ enum nf_conntrack_info ctinfo,
++ int pf,
++ unsigned int hooknum);
++
++ /* Called when a new connection for this protocol found;
++ * returns TRUE if it's OK. If so, packet() called next. */
++ int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb,
++ unsigned int dataoff);
++
++ /* Called when a conntrack entry is destroyed */
++ void (*destroy)(struct nf_conn *conntrack);
++
++ int (*error)(struct sk_buff *skb, unsigned int dataoff,
++ enum nf_conntrack_info *ctinfo,
++ int pf, unsigned int hooknum);
++
++ /* Module (if any) which this is connected to. */
++ struct module *me;
++};
++
++/* Existing built-in protocols */
++extern struct nf_conntrack_protocol nf_conntrack_protocol_tcp6;
++extern struct nf_conntrack_protocol nf_conntrack_protocol_udp4;
++extern struct nf_conntrack_protocol nf_conntrack_protocol_udp6;
++extern struct nf_conntrack_protocol nf_conntrack_generic_protocol;
++
++#define MAX_NF_CT_PROTO 256
++extern struct nf_conntrack_protocol **nf_ct_protos[PF_MAX];
++
++extern struct nf_conntrack_protocol *
++nf_ct_find_proto(u_int16_t l3proto, u_int8_t protocol);
++
++/* Protocol registration. */
++extern int nf_conntrack_protocol_register(struct nf_conntrack_protocol *proto);
++extern void nf_conntrack_protocol_unregister(struct nf_conntrack_protocol *proto);
++
++/* Log invalid packets */
++extern unsigned int nf_ct_log_invalid;
++
++#ifdef CONFIG_SYSCTL
++#ifdef DEBUG_INVALID_PACKETS
++#define LOG_INVALID(proto) \
++ (nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW)
++#else
++#define LOG_INVALID(proto) \
++ ((nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW) \
++ && net_ratelimit())
++#endif
++#else
++#define LOG_INVALID(proto) 0
++#endif /* CONFIG_SYSCTL */
++
++#endif /*_NF_CONNTRACK_PROTOCOL_H*/
+diff -uNr include.orig/linux/netfilter/nf_conntrack_sctp.h include/linux/netfilter/nf_conntrack_sctp.h
+--- include.orig/linux/netfilter/nf_conntrack_sctp.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/nf_conntrack_sctp.h 2005-08-02 20:02:17.701248608 +0200
+@@ -0,0 +1,30 @@
++/*
++ * SCTP tracking.
++ *
++ * Derived from include/linux/netfiter_ipv4/ip_conntrack_tcp.h
++ */
++
++#ifndef _NF_CONNTRACK_SCTP_H
++#define _NF_CONNTRACK_SCTP_H
++
++enum sctp_conntrack {
++ SCTP_CONNTRACK_NONE,
++ SCTP_CONNTRACK_CLOSED,
++ SCTP_CONNTRACK_COOKIE_WAIT,
++ SCTP_CONNTRACK_COOKIE_ECHOED,
++ SCTP_CONNTRACK_ESTABLISHED,
++ SCTP_CONNTRACK_SHUTDOWN_SENT,
++ SCTP_CONNTRACK_SHUTDOWN_RECD,
++ SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
++ SCTP_CONNTRACK_MAX
++};
++
++struct nf_ct_sctp
++{
++ enum sctp_conntrack state;
++
++ u_int32_t vtag[NF_CT_DIR_MAX];
++ u_int32_t ttag[NF_CT_DIR_MAX];
++};
++
++#endif /* _NF_CONNTRACK_SCTP_H */
+diff -uNr include.orig/linux/netfilter/nf_conntrack_tcp.h include/linux/netfilter/nf_conntrack_tcp.h
+--- include.orig/linux/netfilter/nf_conntrack_tcp.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/nf_conntrack_tcp.h 2005-08-02 20:02:17.681251648 +0200
+@@ -0,0 +1,63 @@
++/*
++ * TCP tracking.
++ *
++ * Derived from include/linux/netfiter_ipv4/ip_conntrack_tcp.h
++ */
++
++#ifndef _NF_CONNTRACK_TCP_H
++#define _NF_CONNTRACK_TCP_H
++
++enum tcp_conntrack {
++ TCP_CONNTRACK_NONE,
++ TCP_CONNTRACK_SYN_SENT,
++ TCP_CONNTRACK_SYN_RECV,
++ TCP_CONNTRACK_ESTABLISHED,
++ TCP_CONNTRACK_FIN_WAIT,
++ TCP_CONNTRACK_CLOSE_WAIT,
++ TCP_CONNTRACK_LAST_ACK,
++ TCP_CONNTRACK_TIME_WAIT,
++ TCP_CONNTRACK_CLOSE,
++ TCP_CONNTRACK_LISTEN,
++ TCP_CONNTRACK_MAX,
++ TCP_CONNTRACK_IGNORE
++};
++
++/* Window scaling is advertised by the sender */
++#define NF_CT_TCP_FLAG_WINDOW_SCALE 0x01
++
++/* SACK is permitted by the sender */
++#define NF_CT_TCP_FLAG_SACK_PERM 0x02
++
++struct nf_ct_tcp_state {
++ u_int32_t td_end; /* max of seq + len */
++ u_int32_t td_maxend; /* max of ack + max(win, 1) */
++ u_int32_t td_maxwin; /* max(win) */
++ u_int8_t td_scale; /* window scale factor */
++ u_int8_t loose; /* used when connection picked up from the middle */
++ u_int8_t flags; /* per direction state flags */
++};
++
++struct nf_ct_tcp
++{
++ struct nf_ct_tcp_state seen[2]; /* connection parameters per direction */
++ u_int8_t state; /* state of the connection (enum tcp_conntrack) */
++ /* For detecting stale connections */
++ u_int8_t last_dir; /* Direction of the last packet (enum nf_conntrack_dir) */
++ u_int8_t retrans; /* Number of retransmitted packets */
++ u_int8_t last_index; /* Index of the last packet */
++ u_int32_t last_seq; /* Last sequence number seen in dir */
++ u_int32_t last_ack; /* Last sequence number seen in opposite dir */
++ u_int32_t last_end; /* Last seq + len */
++};
++
++/* Need this, since this file is included before the nf_conn definition
++ * in nf_conntrack.h */
++struct nf_conn;
++
++/* Update TCP window tracking data when NAT mangles the packet */
++extern void nf_conntrack_tcp_update(struct sk_buff *skb,
++ unsigned int dataoff,
++ struct nf_conn *conntrack,
++ int dir);
++
++#endif /* _NF_CONNTRACK_TCP_H */
+diff -uNr include.orig/linux/netfilter/nf_conntrack_tuple.h include/linux/netfilter/nf_conntrack_tuple.h
+--- include.orig/linux/netfilter/nf_conntrack_tuple.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/nf_conntrack_tuple.h 2005-08-02 20:02:17.704248152 +0200
+@@ -0,0 +1,201 @@
++/*
++ * Definitions and Declarations for tuple.
++ *
++ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
++ * - generalize L3 protocol dependent part.
++ *
++ * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h
++ */
++
++#ifndef _NF_CONNTRACK_TUPLE_H
++#define _NF_CONNTRACK_TUPLE_H
++
++/* A `tuple' is a structure containing the information to uniquely
++ identify a connection. ie. if two packets have the same tuple, they
++ are in the same connection; if not, they are not.
++
++ We divide the structure along "manipulatable" and
++ "non-manipulatable" lines, for the benefit of the NAT code.
++*/
++
++#define NF_CT_TUPLE_L3SIZE 4
++
++/* The l3 protocol-specific manipulable parts of the tuple: always in
++ network order! */
++union nf_conntrack_man_l3proto {
++ u_int32_t all[NF_CT_TUPLE_L3SIZE];
++ u_int32_t ip;
++ u_int32_t ip6[4];
++};
++
++/* The protocol-specific manipulable parts of the tuple: always in
++ network order! */
++union nf_conntrack_man_proto
++{
++ /* Add other protocols here. */
++ u_int16_t all;
++
++ struct {
++ u_int16_t port;
++ } tcp;
++ struct {
++ u_int16_t port;
++ } udp;
++ struct {
++ u_int16_t id;
++ } icmp;
++ struct {
++ u_int16_t port;
++ } sctp;
++};
++
++/* The manipulable part of the tuple. */
++struct nf_conntrack_man
++{
++ union nf_conntrack_man_l3proto u3;
++ union nf_conntrack_man_proto u;
++ /* Layer 3 protocol */
++ u_int16_t l3num;
++};
++
++/* This contains the information to distinguish a connection. */
++struct nf_conntrack_tuple
++{
++ struct nf_conntrack_man src;
++
++ /* These are the parts of the tuple which are fixed. */
++ struct {
++ union {
++ u_int32_t all[NF_CT_TUPLE_L3SIZE];
++ u_int32_t ip;
++ u_int32_t ip6[4];
++ } u3;
++ union {
++ /* Add other protocols here. */
++ u_int16_t all;
++
++ struct {
++ u_int16_t port;
++ } tcp;
++ struct {
++ u_int16_t port;
++ } udp;
++ struct {
++ u_int8_t type, code;
++ } icmp;
++ struct {
++ u_int16_t port;
++ } sctp;
++ } u;
++
++ /* The protocol. */
++ u_int8_t protonum;
++
++ /* The direction (for tuplehash) */
++ u_int8_t dir;
++ } dst;
++};
++
++/* This is optimized opposed to a memset of the whole structure. Everything we
++ * really care about is the source/destination unions */
++#define NF_CT_TUPLE_U_BLANK(tuple) \
++ do { \
++ (tuple)->src.u.all = 0; \
++ (tuple)->dst.u.all = 0; \
++ memset((tuple)->src.u3.all, 0, \
++ sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \
++ memset((tuple)->dst.u3.all, 0, \
++ sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \
++ } while (0)
++
++enum nf_conntrack_dir
++{
++ NF_CT_DIR_ORIGINAL,
++ NF_CT_DIR_REPLY,
++ NF_CT_DIR_MAX
++};
++
++#ifdef __KERNEL__
++
++#define NF_CT_DUMP_TUPLE(tp) \
++DEBUGP("tuple %p: %u %u %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu -> %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu\n", \
++ (tp), (tp)->src.l3num, (tp)->dst.protonum, \
++ NIP6(*(struct in6_addr *)(tp)->src.u3.all), ntohs((tp)->src.u.all), \
++ NIP6(*(struct in6_addr *)(tp)->dst.u3.all), ntohs((tp)->dst.u.all))
++
++#define NFCTINFO2DIR(ctinfo) ((ctinfo) >= NF_CT_IS_REPLY ? NF_CT_DIR_REPLY : NF_CT_DIR_ORIGINAL)
++
++/* If we're the first tuple, it's the original dir. */
++#define NF_CT_DIRECTION(h) \
++ ((enum nf_conntrack_dir)(h)->tuple.dst.dir)
++
++/* Connections have two entries in the hash table: one for each way */
++struct nf_conntrack_tuple_hash
++{
++ struct list_head list;
++
++ struct nf_conntrack_tuple tuple;
++};
++
++#endif /* __KERNEL__ */
++
++static inline int nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
++ const struct nf_conntrack_tuple *t2)
++{
++ return (t1->src.u3.all[0] == t2->src.u3.all[0] &&
++ t1->src.u3.all[1] == t2->src.u3.all[1] &&
++ t1->src.u3.all[2] == t2->src.u3.all[2] &&
++ t1->src.u3.all[3] == t2->src.u3.all[3] &&
++ t1->src.u.all == t2->src.u.all &&
++ t1->src.l3num == t2->src.l3num &&
++ t1->dst.protonum == t2->dst.protonum);
++}
++
++static inline int nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
++ const struct nf_conntrack_tuple *t2)
++{
++ return (t1->dst.u3.all[0] == t2->dst.u3.all[0] &&
++ t1->dst.u3.all[1] == t2->dst.u3.all[1] &&
++ t1->dst.u3.all[2] == t2->dst.u3.all[2] &&
++ t1->dst.u3.all[3] == t2->dst.u3.all[3] &&
++ t1->dst.u.all == t2->dst.u.all &&
++ t1->src.l3num == t2->src.l3num &&
++ t1->dst.protonum == t2->dst.protonum);
++}
++
++static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
++ const struct nf_conntrack_tuple *t2)
++{
++ return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);
++}
++
++static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
++ const struct nf_conntrack_tuple *tuple,
++ const struct nf_conntrack_tuple *mask)
++{
++ int count = 0;
++
++ for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
++ if ((ntohs(t->src.u3.all[count]) ^
++ ntohs(tuple->src.u3.all[count])) &
++ ntohs(mask->src.u3.all[count]))
++ return 0;
++ }
++
++ for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
++ if ((ntohs(t->dst.u3.all[count]) ^
++ ntohs(tuple->dst.u3.all[count])) &
++ ntohs(mask->dst.u3.all[count]))
++ return 0;
++ }
++
++ if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all ||
++ (t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all ||
++ (t->src.l3num ^ tuple->src.l3num) & mask->src.l3num ||
++ (t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum)
++ return 0;
++
++ return 1;
++}
++
++#endif /* _NF_CONNTRACK_TUPLE_H */
+diff -uNr include.orig/linux/netfilter/nfnetlink.h include/linux/netfilter/nfnetlink.h
+--- include.orig/linux/netfilter/nfnetlink.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter/nfnetlink.h 2005-08-02 20:02:17.715246480 +0200
+@@ -0,0 +1,145 @@
++#ifndef _NFNETLINK_H
++#define _NFNETLINK_H
++#include <linux/types.h>
++
++/* nfnetlink groups: Up to 32 maximum */
++#define NF_NETLINK_CONNTRACK_NEW 0x00000001
++#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002
++#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004
++#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
++#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
++#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
++
++/* Generic structure for encapsulation optional netfilter information.
++ * It is reminiscent of sockaddr, but with sa_family replaced
++ * with attribute type.
++ * ! This should someday be put somewhere generic as now rtnetlink and
++ * ! nfnetlink use the same attributes methods. - J. Schulist.
++ */
++
++struct nfattr
++{
++ u_int16_t nfa_len __attribute__ ((packed));
++ u_int16_t nfa_type __attribute__ ((packed));
++};
++
++/* FIXME: Shamelessly copy and pasted from rtnetlink.h, it's time
++ * to put this in a generic file */
++
++#define NFA_ALIGNTO 4
++#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
++#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
++ && (nfa)->nfa_len <= (len))
++#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
++ (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
++#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len))
++#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
++#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
++#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
++#define NFA_NEST(skb, type) \
++({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \
++ NFA_PUT(skb, type, 0, NULL); \
++ __start; })
++#define NFA_NEST_END(skb, start) \
++({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \
++ (skb)->len; })
++#define NFA_NEST_CANCEL(skb, start) \
++({ if (start) \
++ skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
++ -1; })
++
++/* General form of address family dependent message.
++ */
++struct nfgenmsg {
++ u_int8_t nfgen_family __attribute__ ((packed)); /* AF_xxx */
++ u_int8_t version __attribute__ ((packed)); /* nfnetlink version */
++ u_int16_t res_id __attribute__ ((packed)); /* resource id */
++};
++
++#define NFNETLINK_V1 1
++
++#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \
++ + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
++#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
++
++/* netfilter netlink message types are split in two pieces:
++ * 8 bit subsystem, 8bit operation.
++ */
++
++#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8)
++#define NFNL_MSG_TYPE(x) (x & 0x00ff)
++
++enum nfnl_subsys_id {
++ NFNL_SUBSYS_NONE = 0,
++ NFNL_SUBSYS_CTNETLINK,
++ NFNL_SUBSYS_CTNETLINK_EXP,
++ NFNL_SUBSYS_IPTNETLINK,
++ NFNL_SUBSYS_QUEUE,
++ NFNL_SUBSYS_ULOG,
++ NFNL_SUBSYS_COUNT,
++};
++
++#ifdef __KERNEL__
++
++#include <linux/capability.h>
++
++struct nfnl_callback
++{
++ kernel_cap_t cap_required; /* capabilities required for this msg */
++ int (*call)(struct sock *nl, struct sk_buff *skb,
++ struct nlmsghdr *nlh, struct nfattr *cda[], int *errp);
++};
++
++struct nfnetlink_subsystem
++{
++ const char *name;
++ __u8 subsys_id; /* nfnetlink subsystem ID */
++ __u8 cb_count; /* number of callbacks */
++ u_int32_t attr_count; /* number of nfattr's */
++ struct nfnl_callback *cb; /* callback for individual types */
++};
++
++extern void __nfa_fill(struct sk_buff *skb, int attrtype,
++ int attrlen, const void *data);
++#define NFA_PUT(skb, attrtype, attrlen, data) \
++({ if (skb_tailroom(skb) < (int)NFA_SPACE(attrlen)) goto nfattr_failure; \
++ __nfa_fill(skb, attrtype, attrlen, data); })
++
++extern struct semaphore nfnl_sem;
++
++#define nfnl_shlock() down(&nfnl_sem)
++#define nfnl_shlock_nowait() down_trylock(&nfnl_sem)
++
++#define nfnl_shunlock() do { up(&nfnl_sem); \
++ if(nfnl && nfnl->sk_receive_queue.qlen) \
++ nfnl->sk_data_ready(nfnl, 0); \
++ } while(0)
++
++extern void nfnl_lock(void);
++extern void nfnl_unlock(void);
++
++extern int nfnetlink_subsys_register(struct nfnetlink_subsystem *n);
++extern int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n);
++
++extern int nfattr_parse(struct nfattr *tb[], int maxattr,
++ struct nfattr *nfa, int len);
++
++#define nfattr_parse_nested(tb, max, nfa) \
++ nfattr_parse((tb), (max), NFA_DATA((nfa)), NFA_PAYLOAD((nfa)))
++
++#define nfattr_bad_size(tb, max, cta_min) \
++({ int __i, __res = 0; \
++ for (__i=0; __i<max; __i++) \
++ if (tb[__i] && NFA_PAYLOAD(tb[__i]) < cta_min[__i]){ \
++ __res = 1; \
++ break; \
++ } \
++ __res; \
++})
++
++extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group,
++ int echo);
++extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags);
++
++#endif /* __KERNEL__ */
++#endif /* _NFNETLINK_H */
+diff -uNr include.orig/linux/netfilter.h include/linux/netfilter.h
+--- include.orig/linux/netfilter.h 2005-07-06 02:17:21.000000000 +0200
++++ include/linux/netfilter.h 2005-08-02 20:02:17.658255144 +0200
+@@ -11,7 +11,7 @@
+ #define NF_MAX_VERDICT NF_STOP
+
+ /* Generic cache responses from hook functions.
+- <= 0x2000 is used for protocol-flags. */
++ <= 0x2000 is reserved for conntrack event cache. */
+ #define NFC_UNKNOWN 0x4000
+ #define NFC_ALTERED 0x8000
+
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_core.h include/linux/netfilter_ipv4/ip_conntrack_core.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_core.h 2005-03-13 21:53:55.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-08-02 20:02:17.749241312 +0200
+@@ -34,15 +34,26 @@
+ ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
+ const struct ip_conntrack *ignored_conntrack);
+
++struct ip_conntrack_tuple_hash *
++__ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
++ const struct ip_conntrack *ignored_conntrack);
++
++struct ip_conntrack_expect *
++__ip_conntrack_exp_find(const struct ip_conntrack_tuple *tuple);
++
+ extern int __ip_conntrack_confirm(struct sk_buff **pskb);
+
+ /* Confirm a connection: returns NF_DROP if packet must be dropped. */
+ static inline int ip_conntrack_confirm(struct sk_buff **pskb)
+ {
++ int ret = NF_ACCEPT;
++
+ if ((*pskb)->nfct
+ && !is_confirmed((struct ip_conntrack *)(*pskb)->nfct))
+- return __ip_conntrack_confirm(pskb);
+- return NF_ACCEPT;
++ ret = __ip_conntrack_confirm(pskb);
++ ip_conntrack_deliver_cached_events(*pskb);
++
++ return ret;
+ }
+
+ extern struct list_head *ip_conntrack_hash;
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack.h include/linux/netfilter_ipv4/ip_conntrack.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack.h 2005-03-13 21:53:55.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack.h 2005-08-02 20:05:38.525718648 +0200
+@@ -65,6 +65,63 @@
+
+ /* Both together */
+ IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
++
++ /* Connection is destroyed (removed from lists), can not be unset. */
++ IPS_DESTROYED_BIT = 9,
++ IPS_DESTROYED = (1 << IPS_DESTROYED_BIT),
++};
++
++/* Connection tracking event bits */
++enum ip_conntrack_events
++{
++ /* New conntrack */
++ IPCT_NEW_BIT = 0,
++ IPCT_NEW = (1 << IPCT_NEW_BIT),
++
++ /* Expected connection */
++ IPCT_RELATED_BIT = 1,
++ IPCT_RELATED = (1 << IPCT_RELATED_BIT),
++
++ /* Destroyed conntrack */
++ IPCT_DESTROY_BIT = 2,
++ IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
++
++ /* Timer has been refreshed */
++ IPCT_REFRESH_BIT = 3,
++ IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
++
++ /* Status has changed */
++ IPCT_STATUS_BIT = 4,
++ IPCT_STATUS = (1 << IPCT_STATUS_BIT),
++
++ /* Update of protocol info */
++ IPCT_PROTOINFO_BIT = 5,
++ IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
++
++ /* Volatile protocol info */
++ IPCT_PROTOINFO_VOLATILE_BIT = 6,
++ IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
++
++ /* New helper for conntrack */
++ IPCT_HELPER_BIT = 7,
++ IPCT_HELPER = (1 << IPCT_HELPER_BIT),
++
++ /* Update of helper info */
++ IPCT_HELPINFO_BIT = 8,
++ IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
++
++ /* Volatile helper info */
++ IPCT_HELPINFO_VOLATILE_BIT = 9,
++ IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
++
++ /* NAT info */
++ IPCT_NATINFO_BIT = 10,
++ IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
++};
++
++enum ip_conntrack_expect_events {
++ IPEXP_NEW_BIT = 0,
++ IPEXP_NEW = (1 << IPEXP_NEW_BIT),
+ };
+
+ #endif /* _IP_CONNTRACK_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h include/linux/netfilter_ipv4/ip_conntrack_h323.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_h323.h 2005-08-02 20:02:17.725244960 +0200
+@@ -0,0 +1,38 @@
++#ifndef _IP_CONNTRACK_H323_H
++#define _IP_CONNTRACK_H323_H
++/* H.323 connection tracking. */
++
++#ifdef __KERNEL__
++
++/* Default H.225 port */
++#define H225_PORT 1720
++
++struct ip_conntrack_expect;
++struct ip_conntrack;
++struct ip_conntrack_helper;
++
++extern int (*ip_nat_h245_hook)(struct sk_buff **pskb,
++ enum ip_conntrack_info ctinfo,
++ unsigned int offset,
++ struct ip_conntrack_expect *exp);
++
++extern int (*ip_nat_h225_hook)(struct sk_buff **pskb,
++ enum ip_conntrack_info ctinfo,
++ unsigned int offset,
++ struct ip_conntrack_expect *exp);
++
++extern void (*ip_nat_h225_signal_hook)(struct sk_buff **pskb,
++ struct ip_conntrack *ct,
++ enum ip_conntrack_info ctinfo,
++ unsigned int offset,
++ int dir,
++ int orig_dir);
++
++extern struct ip_conntrack_helper ip_conntrack_helper_h225;
++
++void ip_conntrack_h245_expect(struct ip_conntrack *new,
++ struct ip_conntrack_expect *this);
++
++#endif /* __KERNEL__ */
++
++#endif /* _IP_CONNTRACK_H323_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h include/linux/netfilter_ipv4/ip_conntrack_mms.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_mms.h 2005-08-02 20:02:17.774237512 +0200
+@@ -0,0 +1,36 @@
++#ifndef _IP_CONNTRACK_MMS_H
++#define _IP_CONNTRACK_MMS_H
++/* MMS tracking. */
++
++#ifdef __KERNEL__
++
++extern spinlock_t ip_mms_lock;
++
++#define MMS_PORT 1755
++#define MMS_SRV_MSG_ID 196610
++
++#define MMS_SRV_MSG_OFFSET 36
++#define MMS_SRV_UNICODE_STRING_OFFSET 60
++#define MMS_SRV_CHUNKLENLV_OFFSET 16
++#define MMS_SRV_CHUNKLENLM_OFFSET 32
++#define MMS_SRV_MESSAGELENGTH_OFFSET 8
++
++/* This structure is per expected connection */
++struct ip_ct_mms_expect {
++ u_int32_t offset;
++ u_int32_t len;
++ u_int32_t padding;
++ u_int16_t port;
++};
++
++/* This structure exists only once per master */
++struct ip_ct_mms_master {
++};
++
++struct ip_conntrack_expect;
++extern unsigned int (*ip_nat_mms_hook)(struct sk_buff **pskb,
++ enum ip_conntrack_info ctinfo,
++ const struct ip_ct_mms_expect *exp_mms_info,
++ struct ip_conntrack_expect *exp);
++#endif
++#endif /* _IP_CONNTRACK_MMS_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h include/linux/netfilter_ipv4/ip_conntrack_pptp.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_pptp.h 2005-08-02 20:02:17.800233560 +0200
+@@ -0,0 +1,336 @@
++/* PPTP constants and structs */
++#ifndef _CONNTRACK_PPTP_H
++#define _CONNTRACK_PPTP_H
++
++/* state of the control session */
++enum pptp_ctrlsess_state {
++ PPTP_SESSION_NONE, /* no session present */
++ PPTP_SESSION_ERROR, /* some session error */
++ PPTP_SESSION_STOPREQ, /* stop_sess request seen */
++ PPTP_SESSION_REQUESTED, /* start_sess request seen */
++ PPTP_SESSION_CONFIRMED, /* session established */
++};
++
++/* state of the call inside the control session */
++enum pptp_ctrlcall_state {
++ PPTP_CALL_NONE,
++ PPTP_CALL_ERROR,
++ PPTP_CALL_OUT_REQ,
++ PPTP_CALL_OUT_CONF,
++ PPTP_CALL_IN_REQ,
++ PPTP_CALL_IN_REP,
++ PPTP_CALL_IN_CONF,
++ PPTP_CALL_CLEAR_REQ,
++};
++
++
++/* conntrack private data */
++struct ip_ct_pptp_master {
++ enum pptp_ctrlsess_state sstate; /* session state */
++
++ /* everything below is going to be per-expectation in newnat,
++ * since there could be more than one call within one session */
++ enum pptp_ctrlcall_state cstate; /* call state */
++ u_int16_t pac_call_id; /* call id of PAC, host byte order */
++ u_int16_t pns_call_id; /* call id of PNS, host byte order */
++
++ /* in pre-2.6.11 this used to be per-expect. Now it is per-conntrack
++ * and therefore imposes a fixed limit on the number of maps */
++ struct ip_ct_gre_keymap *keymap_orig, *keymap_reply;
++};
++
++/* conntrack_expect private member */
++struct ip_ct_pptp_expect {
++ enum pptp_ctrlcall_state cstate; /* call state */
++ u_int16_t pac_call_id; /* call id of PAC */
++ u_int16_t pns_call_id; /* call id of PNS */
++};
++
++
++#ifdef __KERNEL__
++
++
++#include <linux/netfilter_ipv4/lockhelp.h>
++DECLARE_LOCK_EXTERN(ip_pptp_lock);
++
++#define IP_CONNTR_PPTP PPTP_CONTROL_PORT
++
++#define PPTP_CONTROL_PORT 1723
++
++#define PPTP_PACKET_CONTROL 1
++#define PPTP_PACKET_MGMT 2
++
++#define PPTP_MAGIC_COOKIE 0x1a2b3c4d
++
++struct pptp_pkt_hdr {
++ __u16 packetLength;
++ __u16 packetType;
++ __u32 magicCookie;
++};
++
++/* PptpControlMessageType values */
++#define PPTP_START_SESSION_REQUEST 1
++#define PPTP_START_SESSION_REPLY 2
++#define PPTP_STOP_SESSION_REQUEST 3
++#define PPTP_STOP_SESSION_REPLY 4
++#define PPTP_ECHO_REQUEST 5
++#define PPTP_ECHO_REPLY 6
++#define PPTP_OUT_CALL_REQUEST 7
++#define PPTP_OUT_CALL_REPLY 8
++#define PPTP_IN_CALL_REQUEST 9
++#define PPTP_IN_CALL_REPLY 10
++#define PPTP_IN_CALL_CONNECT 11
++#define PPTP_CALL_CLEAR_REQUEST 12
++#define PPTP_CALL_DISCONNECT_NOTIFY 13
++#define PPTP_WAN_ERROR_NOTIFY 14
++#define PPTP_SET_LINK_INFO 15
++
++#define PPTP_MSG_MAX 15
++
++/* PptpGeneralError values */
++#define PPTP_ERROR_CODE_NONE 0
++#define PPTP_NOT_CONNECTED 1
++#define PPTP_BAD_FORMAT 2
++#define PPTP_BAD_VALUE 3
++#define PPTP_NO_RESOURCE 4
++#define PPTP_BAD_CALLID 5
++#define PPTP_REMOVE_DEVICE_ERROR 6
++
++struct PptpControlHeader {
++ __u16 messageType;
++ __u16 reserved;
++};
++
++/* FramingCapability Bitmap Values */
++#define PPTP_FRAME_CAP_ASYNC 0x1
++#define PPTP_FRAME_CAP_SYNC 0x2
++
++/* BearerCapability Bitmap Values */
++#define PPTP_BEARER_CAP_ANALOG 0x1
++#define PPTP_BEARER_CAP_DIGITAL 0x2
++
++struct PptpStartSessionRequest {
++ __u16 protocolVersion;
++ __u8 reserved1;
++ __u8 reserved2;
++ __u32 framingCapability;
++ __u32 bearerCapability;
++ __u16 maxChannels;
++ __u16 firmwareRevision;
++ __u8 hostName[64];
++ __u8 vendorString[64];
++};
++
++/* PptpStartSessionResultCode Values */
++#define PPTP_START_OK 1
++#define PPTP_START_GENERAL_ERROR 2
++#define PPTP_START_ALREADY_CONNECTED 3
++#define PPTP_START_NOT_AUTHORIZED 4
++#define PPTP_START_UNKNOWN_PROTOCOL 5
++
++struct PptpStartSessionReply {
++ __u16 protocolVersion;
++ __u8 resultCode;
++ __u8 generalErrorCode;
++ __u32 framingCapability;
++ __u32 bearerCapability;
++ __u16 maxChannels;
++ __u16 firmwareRevision;
++ __u8 hostName[64];
++ __u8 vendorString[64];
++};
++
++/* PptpStopReasons */
++#define PPTP_STOP_NONE 1
++#define PPTP_STOP_PROTOCOL 2
++#define PPTP_STOP_LOCAL_SHUTDOWN 3
++
++struct PptpStopSessionRequest {
++ __u8 reason;
++};
++
++/* PptpStopSessionResultCode */
++#define PPTP_STOP_OK 1
++#define PPTP_STOP_GENERAL_ERROR 2
++
++struct PptpStopSessionReply {
++ __u8 resultCode;
++ __u8 generalErrorCode;
++};
++
++struct PptpEchoRequest {
++ __u32 identNumber;
++};
++
++/* PptpEchoReplyResultCode */
++#define PPTP_ECHO_OK 1
++#define PPTP_ECHO_GENERAL_ERROR 2
++
++struct PptpEchoReply {
++ __u32 identNumber;
++ __u8 resultCode;
++ __u8 generalErrorCode;
++ __u16 reserved;
++};
++
++/* PptpFramingType */
++#define PPTP_ASYNC_FRAMING 1
++#define PPTP_SYNC_FRAMING 2
++#define PPTP_DONT_CARE_FRAMING 3
++
++/* PptpCallBearerType */
++#define PPTP_ANALOG_TYPE 1
++#define PPTP_DIGITAL_TYPE 2
++#define PPTP_DONT_CARE_BEARER_TYPE 3
++
++struct PptpOutCallRequest {
++ __u16 callID;
++ __u16 callSerialNumber;
++ __u32 minBPS;
++ __u32 maxBPS;
++ __u32 bearerType;
++ __u32 framingType;
++ __u16 packetWindow;
++ __u16 packetProcDelay;
++ __u16 reserved1;
++ __u16 phoneNumberLength;
++ __u16 reserved2;
++ __u8 phoneNumber[64];
++ __u8 subAddress[64];
++};
++
++/* PptpCallResultCode */
++#define PPTP_OUTCALL_CONNECT 1
++#define PPTP_OUTCALL_GENERAL_ERROR 2
++#define PPTP_OUTCALL_NO_CARRIER 3
++#define PPTP_OUTCALL_BUSY 4
++#define PPTP_OUTCALL_NO_DIAL_TONE 5
++#define PPTP_OUTCALL_TIMEOUT 6
++#define PPTP_OUTCALL_DONT_ACCEPT 7
++
++struct PptpOutCallReply {
++ __u16 callID;
++ __u16 peersCallID;
++ __u8 resultCode;
++ __u8 generalErrorCode;
++ __u16 causeCode;
++ __u32 connectSpeed;
++ __u16 packetWindow;
++ __u16 packetProcDelay;
++ __u32 physChannelID;
++};
++
++struct PptpInCallRequest {
++ __u16 callID;
++ __u16 callSerialNumber;
++ __u32 callBearerType;
++ __u32 physChannelID;
++ __u16 dialedNumberLength;
++ __u16 dialingNumberLength;
++ __u8 dialedNumber[64];
++ __u8 dialingNumber[64];
++ __u8 subAddress[64];
++};
++
++/* PptpInCallResultCode */
++#define PPTP_INCALL_ACCEPT 1
++#define PPTP_INCALL_GENERAL_ERROR 2
++#define PPTP_INCALL_DONT_ACCEPT 3
++
++struct PptpInCallReply {
++ __u16 callID;
++ __u16 peersCallID;
++ __u8 resultCode;
++ __u8 generalErrorCode;
++ __u16 packetWindow;
++ __u16 packetProcDelay;
++ __u16 reserved;
++};
++
++struct PptpInCallConnected {
++ __u16 peersCallID;
++ __u16 reserved;
++ __u32 connectSpeed;
++ __u16 packetWindow;
++ __u16 packetProcDelay;
++ __u32 callFramingType;
++};
++
++struct PptpClearCallRequest {
++ __u16 callID;
++ __u16 reserved;
++};
++
++struct PptpCallDisconnectNotify {
++ __u16 callID;
++ __u8 resultCode;
++ __u8 generalErrorCode;
++ __u16 causeCode;
++ __u16 reserved;
++ __u8 callStatistics[128];
++};
++
++struct PptpWanErrorNotify {
++ __u16 peersCallID;
++ __u16 reserved;
++ __u32 crcErrors;
++ __u32 framingErrors;
++ __u32 hardwareOverRuns;
++ __u32 bufferOverRuns;
++ __u32 timeoutErrors;
++ __u32 alignmentErrors;
++};
++
++struct PptpSetLinkInfo {
++ __u16 peersCallID;
++ __u16 reserved;
++ __u32 sendAccm;
++ __u32 recvAccm;
++};
++
++
++struct pptp_priv_data {
++ __u16 call_id;
++ __u16 mcall_id;
++ __u16 pcall_id;
++};
++
++union pptp_ctrl_union {
++ struct PptpStartSessionRequest sreq;
++ struct PptpStartSessionReply srep;
++ struct PptpStopSessionRequest streq;
++ struct PptpStopSessionReply strep;
++ struct PptpOutCallRequest ocreq;
++ struct PptpOutCallReply ocack;
++ struct PptpInCallRequest icreq;
++ struct PptpInCallReply icack;
++ struct PptpInCallConnected iccon;
++ struct PptpClearCallRequest clrreq;
++ struct PptpCallDisconnectNotify disc;
++ struct PptpWanErrorNotify wanerr;
++ struct PptpSetLinkInfo setlink;
++};
++
++extern int
++(*ip_nat_pptp_hook_outbound)(struct sk_buff **pskb,
++ struct ip_conntrack *ct,
++ enum ip_conntrack_info ctinfo,
++ struct PptpControlHeader *ctlh,
++ union pptp_ctrl_union *pptpReq);
++
++extern int
++(*ip_nat_pptp_hook_inbound)(struct sk_buff **pskb,
++ struct ip_conntrack *ct,
++ enum ip_conntrack_info ctinfo,
++ struct PptpControlHeader *ctlh,
++ union pptp_ctrl_union *pptpReq);
++
++extern int
++(*ip_nat_pptp_hook_exp_gre)(struct ip_conntrack_expect *exp_orig,
++ struct ip_conntrack_expect *exp_reply);
++
++extern void
++(*ip_nat_pptp_hook_expectfn)(struct ip_conntrack *ct,
++ struct ip_conntrack_expect *exp);
++#endif /* __KERNEL__ */
++#endif /* _CONNTRACK_PPTP_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h include/linux/netfilter_ipv4/ip_conntrack_protocol.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-03-13 21:53:55.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-08-02 20:02:17.753240704 +0200
+@@ -34,7 +34,7 @@
+
+ /* Returns verdict for packet, or -1 for invalid. */
+ int (*packet)(struct ip_conntrack *conntrack,
+- const struct sk_buff *skb,
++ struct sk_buff *skb,
+ enum ip_conntrack_info ctinfo);
+
+ /* Called when a new connection for this protocol found;
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2005-08-02 20:02:17.718246024 +0200
+@@ -0,0 +1,114 @@
++#ifndef _CONNTRACK_PROTO_GRE_H
++#define _CONNTRACK_PROTO_GRE_H
++#include <asm/byteorder.h>
++
++/* GRE PROTOCOL HEADER */
++
++/* GRE Version field */
++#define GRE_VERSION_1701 0x0
++#define GRE_VERSION_PPTP 0x1
++
++/* GRE Protocol field */
++#define GRE_PROTOCOL_PPTP 0x880B
++
++/* GRE Flags */
++#define GRE_FLAG_C 0x80
++#define GRE_FLAG_R 0x40
++#define GRE_FLAG_K 0x20
++#define GRE_FLAG_S 0x10
++#define GRE_FLAG_A 0x80
++
++#define GRE_IS_C(f) ((f)&GRE_FLAG_C)
++#define GRE_IS_R(f) ((f)&GRE_FLAG_R)
++#define GRE_IS_K(f) ((f)&GRE_FLAG_K)
++#define GRE_IS_S(f) ((f)&GRE_FLAG_S)
++#define GRE_IS_A(f) ((f)&GRE_FLAG_A)
++
++/* GRE is a mess: Four different standards */
++struct gre_hdr {
++#if defined(__LITTLE_ENDIAN_BITFIELD)
++ __u16 rec:3,
++ srr:1,
++ seq:1,
++ key:1,
++ routing:1,
++ csum:1,
++ version:3,
++ reserved:4,
++ ack:1;
++#elif defined(__BIG_ENDIAN_BITFIELD)
++ __u16 csum:1,
++ routing:1,
++ key:1,
++ seq:1,
++ srr:1,
++ rec:3,
++ ack:1,
++ reserved:4,
++ version:3;
++#else
++#error "Adjust your <asm/byteorder.h> defines"
++#endif
++ __u16 protocol;
++};
++
++/* modified GRE header for PPTP */
++struct gre_hdr_pptp {
++ __u8 flags; /* bitfield */
++ __u8 version; /* should be GRE_VERSION_PPTP */
++ __u16 protocol; /* should be GRE_PROTOCOL_PPTP */
++ __u16 payload_len; /* size of ppp payload, not inc. gre header */
++ __u16 call_id; /* peer's call_id for this session */
++ __u32 seq; /* sequence number. Present if S==1 */
++ __u32 ack; /* seq number of highest packet recieved by */
++ /* sender in this session */
++};
++
++
++/* this is part of ip_conntrack */
++struct ip_ct_gre {
++ unsigned int stream_timeout;
++ unsigned int timeout;
++};
++
++#ifdef __KERNEL__
++struct ip_conntrack_expect;
++struct ip_conntrack;
++
++/* structure for original <-> reply keymap */
++struct ip_ct_gre_keymap {
++ struct list_head list;
++
++ struct ip_conntrack_tuple tuple;
++};
++
++/* add new tuple->key_reply pair to keymap */
++int ip_ct_gre_keymap_add(struct ip_conntrack *ct,
++ struct ip_conntrack_tuple *t,
++ int reply);
++
++/* delete keymap entries */
++void ip_ct_gre_keymap_destroy(struct ip_conntrack *ct);
++
++
++/* get pointer to gre key, if present */
++static inline u_int32_t *gre_key(struct gre_hdr *greh)
++{
++ if (!greh->key)
++ return NULL;
++ if (greh->csum || greh->routing)
++ return (u_int32_t *) (greh+sizeof(*greh)+4);
++ return (u_int32_t *) (greh+sizeof(*greh));
++}
++
++/* get pointer ot gre csum, if present */
++static inline u_int16_t *gre_csum(struct gre_hdr *greh)
++{
++ if (!greh->csum)
++ return NULL;
++ return (u_int16_t *) (greh+sizeof(*greh));
++}
++
++#endif /* __KERNEL__ */
++
++#endif /* _CONNTRACK_PROTO_GRE_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h include/linux/netfilter_ipv4/ip_conntrack_quake3.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_quake3.h 2005-08-02 20:02:17.771237968 +0200
+@@ -0,0 +1,22 @@
++#ifndef _IP_CT_QUAKE3
++#define _IP_CT_QUAKE3
++
++/* Don't confuse with 27960, often used as the Server Port */
++#define QUAKE3_MASTER_PORT 27950
++
++struct quake3_search {
++ const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */
++ const char *pattern;
++ size_t plen;
++};
++
++/* This structure is per expected connection */
++struct ip_ct_quake3_expect {
++};
++
++/* This structure exists only once per master */
++struct ip_ct_quake3_master {
++};
++
++extern unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
++#endif /* _IP_CT_QUAKE3 */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h include/linux/netfilter_ipv4/ip_conntrack_tuple.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-03-13 21:53:55.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-08-02 20:02:17.807232496 +0200
+@@ -28,6 +28,9 @@
struct {
- u_int16_t id;
- } icmp;
+ u_int16_t port;
+ } sctp;
+ struct {
-+ u_int16_t port;
-+ } sctp;
++ u_int16_t key; /* key is 32bit, pptp onky uses 16 */
++ } gre;
};
/* The manipulable part of the tuple. */
-@@ -55,6 +58,9 @@
+@@ -61,6 +64,9 @@
struct {
- u_int8_t type, code;
- } icmp;
+ u_int16_t port;
+ } sctp;
+ struct {
-+ u_int16_t port;
-+ } sctp;
++ u_int16_t key;
++ } gre;
} u;
/* The protocol. */
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ip_pool.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ip_pool.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ip_pool.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ip_pool.h 2004-04-25 18:57:04.592160520 +0200
-@@ -0,0 +1,56 @@
-+#ifndef _IP_POOL_H
-+#define _IP_POOL_H
-+
-+/***************************************************************************/
-+/* This program is free software; you can redistribute it and/or modify */
-+/* it under the terms of the GNU General Public License as published by */
-+/* the Free Software Foundation; either version 2 of the License, or */
-+/* (at your option) any later version. */
-+/* */
-+/* This program is distributed in the hope that it will be useful, */
-+/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
-+/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
-+/* GNU General Public License for more details. */
-+/* */
-+/* You should have received a copy of the GNU General Public License */
-+/* along with this program; if not, write to the Free Software */
-+/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/
-+/***************************************************************************/
-+
-+/* A sockopt of such quality has hardly ever been seen before on the open
+diff -uNr include.orig/linux/netfilter_ipv4/ip_nat_pptp.h include/linux/netfilter_ipv4/ip_nat_pptp.h
+--- include.orig/linux/netfilter_ipv4/ip_nat_pptp.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_nat_pptp.h 2005-08-02 20:02:17.767238576 +0200
+@@ -0,0 +1,11 @@
++/* PPTP constants and structs */
++#ifndef _NAT_PPTP_H
++#define _NAT_PPTP_H
++
++/* conntrack private data */
++struct ip_nat_pptp {
++ u_int16_t pns_call_id; /* NAT'ed PNS call id */
++ u_int16_t pac_call_id; /* NAT'ed PAC call id */
++};
++
++#endif /* _NAT_PPTP_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_queue.h include/linux/netfilter_ipv4/ip_queue.h
+--- include.orig/linux/netfilter_ipv4/ip_queue.h 2004-10-31 20:56:03.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_queue.h 2005-08-02 20:02:17.823230064 +0200
+@@ -39,10 +39,20 @@
+ unsigned char payload[0]; /* Optional replacement packet */
+ } ipq_verdict_msg_t;
+
++typedef struct ipq_vwmark_msg {
++ unsigned int value; /* Verdict to hand to netfilter */
++ unsigned long id; /* Packet ID for this verdict */
++ size_t data_len; /* Length of replacement data */
++ unsigned char payload[0]; /* Optional replacement packet */
++ unsigned long nfmark; /* Mark for the Packet */
++} ipq_vwmark_msg_t;
++
++
+ typedef struct ipq_peer_msg {
+ union {
+ ipq_verdict_msg_t verdict;
+ ipq_mode_msg_t mode;
++ ipq_vwmark_msg_t vwmark;
+ } msg;
+ } ipq_peer_msg_t;
+
+@@ -59,6 +69,7 @@
+ #define IPQM_MODE (IPQM_BASE + 1) /* Mode request from peer */
+ #define IPQM_VERDICT (IPQM_BASE + 2) /* Verdict from peer */
+ #define IPQM_PACKET (IPQM_BASE + 3) /* Packet from kernel */
+-#define IPQM_MAX (IPQM_BASE + 4)
++#define IPQM_VWMARK (IPQM_BASE + 4) /* Verdict and mark from peer */
++#define IPQM_MAX (IPQM_BASE + 5)
+
+ #endif /*_IP_QUEUE_H*/
+diff -uNr include.orig/linux/netfilter_ipv4/ip_set.h include/linux/netfilter_ipv4/ip_set.h
+--- include.orig/linux/netfilter_ipv4/ip_set.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_set.h 2005-08-02 20:02:17.828229304 +0200
+@@ -0,0 +1,489 @@
++#ifndef _IP_SET_H
++#define _IP_SET_H
++
++/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
++ * Patrick Schaaf <bof@bof.de>
++ * Martin Josefsson <gandalf@wlug.westbo.se>
++ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++
++/*
++ * A sockopt of such quality has hardly ever been seen before on the open
+ * market! This little beauty, hardly ever used: above 64, so it's
+ * traditionally used for firewalling, not touched (even once!) by the
+ * 2.0, 2.2 and 2.4 kernels!
+ *
+ * Rusty, 19.4.2000
+ */
-+#define SO_IP_POOL 81
++#define SO_IP_SET 83
++
++/*
++ * Heavily modify by Joakim Axelsson 08.03.2002
++ * - Made it more modulebased
++ *
++ * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
++ * - bindings added
++ * - in order to "deal with" backward compatibility, renamed to ipset
++ */
++
++/*
++ * Used so that the kernel module and ipset-binary can match their versions
++ */
++#define IP_SET_PROTOCOL_VERSION 2
++
++#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */
++
++/* Lets work with our own typedef for representing an IP address.
++ * We hope to make the code more portable, possibly to IPv6...
++ *
++ * The representation works in HOST byte order, because most set types
++ * will perform arithmetic operations and compare operations.
++ *
++ * For now the type is an uint32_t.
++ *
++ * Make sure to ONLY use the functions when translating and parsing
++ * in order to keep the host byte order and make it more portable:
++ * parse_ip()
++ * parse_mask()
++ * parse_ipandmask()
++ * ip_tostring()
++ * (Joakim: where are they???)
++ */
++
++typedef uint32_t ip_set_ip_t;
++
++/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
++ * and IP_SET_INVALID_ID if you want to increase the max number of sets.
++ */
++typedef uint16_t ip_set_id_t;
++
++#define IP_SET_INVALID_ID 65535
++
++/* How deep we follow bindings */
++#define IP_SET_MAX_BINDINGS 6
++
++/*
++ * Option flags for kernel operations (ipt_set_info)
++ */
++#define IPSET_SRC 0x01 /* Source match/add */
++#define IPSET_DST 0x02 /* Destination match/add */
++#define IPSET_MATCH_INV 0x04 /* Inverse matching */
++
++/*
++ * Set types (flavours)
++ */
++#define IPSET_TYPE_IP 0 /* IP address type of set */
++#define IPSET_TYPE_PORT 1 /* Port type of set */
++
++/* Reserved keywords */
++#define IPSET_TOKEN_DEFAULT ":default:"
++#define IPSET_TOKEN_ALL ":all:"
++
++/* SO_IP_SET operation constants, and their request struct types.
++ *
++ * Operation ids:
++ * 0-99: commands with version checking
++ * 100-199: add/del/test/bind/unbind
++ * 200-299: list, save, restore
++ */
++
++/* Single shot operations:
++ * version, create, destroy, flush, rename and swap
++ *
++ * Sets are identified by name.
++ */
++
++#define IP_SET_REQ_STD \
++ unsigned op; \
++ unsigned version; \
++ char name[IP_SET_MAXNAMELEN]
++
++#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */
++struct ip_set_req_create {
++ IP_SET_REQ_STD;
++ char typename[IP_SET_MAXNAMELEN];
++};
++
++#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */
++struct ip_set_req_std {
++ IP_SET_REQ_STD;
++};
++
++#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */
++/* Uses ip_set_req_std */
++
++#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */
++/* Uses ip_set_req_create */
++
++#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */
++/* Uses ip_set_req_create */
++
++union ip_set_name_index {
++ char name[IP_SET_MAXNAMELEN];
++ ip_set_id_t index;
++};
++
++#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
++struct ip_set_req_get_set {
++ unsigned op;
++ unsigned version;
++ union ip_set_name_index set;
++};
++
++#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
++/* Uses ip_set_req_get_set */
++
++#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
++struct ip_set_req_version {
++ unsigned op;
++ unsigned version;
++};
++
++/* Double shots operations:
++ * add, del, test, bind and unbind.
++ *
++ * First we query the kernel to get the index and type of the target set,
++ * then issue the command. Validity of IP is checked in kernel in order
++ * to minimalize sockopt operations.
++ */
++
++/* Get minimal set data for add/del/test/bind/unbind IP */
++#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */
++struct ip_set_req_adt_get {
++ unsigned op;
++ unsigned version;
++ union ip_set_name_index set;
++ char typename[IP_SET_MAXNAMELEN];
++};
++
++#define IP_SET_REQ_BYINDEX \
++ unsigned op; \
++ ip_set_id_t index;
++
++struct ip_set_req_adt {
++ IP_SET_REQ_BYINDEX;
++};
++
++#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */
++/* Uses ip_set_req_adt, with type specific addage */
++
++#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */
++/* Uses ip_set_req_adt, with type specific addage */
++
++#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */
++/* Uses ip_set_req_adt, with type specific addage */
++
++#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */
++/* Uses ip_set_req_bind, with type specific addage */
++struct ip_set_req_bind {
++ IP_SET_REQ_BYINDEX;
++ char binding[IP_SET_MAXNAMELEN];
++};
++
++#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */
++/* Uses ip_set_req_bind, with type speficic addage
++ * index = 0 means unbinding for all sets */
++
++#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */
++/* Uses ip_set_req_bind, with type specific addage */
++
++/* Multiple shots operations: list, save, restore.
++ *
++ * - check kernel version and query the max number of sets
++ * - get the basic information on all sets
++ * and size required for the next step
++ * - get actual set data: header, data, bindings
++ */
++
++/* Get max_sets and the index of a queried set
++ */
++#define IP_SET_OP_MAX_SETS 0x00000020
++struct ip_set_req_max_sets {
++ unsigned op;
++ unsigned version;
++ ip_set_id_t max_sets; /* max_sets */
++ ip_set_id_t sets; /* real number of sets */
++ union ip_set_name_index set; /* index of set if name used */
++};
++
++/* Get the id and name of the sets plus size for next step */
++#define IP_SET_OP_LIST_SIZE 0x00000201
++#define IP_SET_OP_SAVE_SIZE 0x00000202
++struct ip_set_req_setnames {
++ unsigned op;
++ ip_set_id_t index; /* set to list/save */
++ size_t size; /* size to get setdata/bindings */
++ /* followed by sets number of struct ip_set_name_list */
++};
++
++struct ip_set_name_list {
++ char name[IP_SET_MAXNAMELEN];
++ char typename[IP_SET_MAXNAMELEN];
++ ip_set_id_t index;
++ ip_set_id_t id;
++};
++
++/* The actual list operation */
++#define IP_SET_OP_LIST 0x00000203
++struct ip_set_req_list {
++ IP_SET_REQ_BYINDEX;
++ /* sets number of struct ip_set_list in reply */
++};
++
++struct ip_set_list {
++ ip_set_id_t index;
++ ip_set_id_t binding;
++ u_int32_t ref;
++ size_t header_size; /* Set header data of header_size */
++ size_t members_size; /* Set members data of members_size */
++ size_t bindings_size; /* Set bindings data of bindings_size */
++};
++
++struct ip_set_hash_list {
++ ip_set_ip_t ip;
++ ip_set_id_t binding;
++};
++
++/* The save operation */
++#define IP_SET_OP_SAVE 0x00000204
++/* Uses ip_set_req_list, in the reply replaced by
++ * sets number of struct ip_set_save plus a marker
++ * ip_set_save followed by ip_set_hash_save structures.
++ */
++struct ip_set_save {
++ ip_set_id_t index;
++ ip_set_id_t binding;
++ size_t header_size; /* Set header data of header_size */
++ size_t members_size; /* Set members data of members_size */
++};
++
++/* At restoring, ip == 0 means default binding for the given set: */
++struct ip_set_hash_save {
++ ip_set_ip_t ip;
++ ip_set_id_t id;
++ ip_set_id_t binding;
++};
++
++/* The restore operation */
++#define IP_SET_OP_RESTORE 0x00000205
++/* Uses ip_set_req_setnames followed by ip_set_restore structures
++ * plus a marker ip_set_restore, followed by ip_set_hash_save
++ * structures.
++ */
++struct ip_set_restore {
++ char name[IP_SET_MAXNAMELEN];
++ char typename[IP_SET_MAXNAMELEN];
++ ip_set_id_t index;
++ size_t header_size; /* Create data of header_size */
++ size_t members_size; /* Set members data of members_size */
++};
++
++static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
++{
++ return 4 * ((((b - a + 8) / 8) + 3) / 4);
++}
++
++#ifdef __KERNEL__
++
++#define ip_set_printk(format, args...) \
++ do { \
++ printk("%s: %s: ", __FILE__, __FUNCTION__); \
++ printk(format "\n" , ## args); \
++ } while (0)
++
++#if defined(IP_SET_DEBUG)
++#define DP(format, args...) \
++ do { \
++ printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
++ printk(format "\n" , ## args); \
++ } while (0)
++#define IP_SET_ASSERT(x) \
++ do { \
++ if (!(x)) \
++ printk("IP_SET_ASSERT: %s:%i(%s)\n", \
++ __FILE__, __LINE__, __FUNCTION__); \
++ } while (0)
++#else
++#define DP(format, args...)
++#define IP_SET_ASSERT(x)
++#endif
++
++struct ip_set;
++
++/*
++ * The ip_set_type definition - one per set type, e.g. "ipmap".
++ *
++ * Each individual set has a pointer, set->type, going to one
++ * of these structures. Function pointers inside the structure implement
++ * the real behaviour of the sets.
++ *
++ * If not mentioned differently, the implementation behind the function
++ * pointers of a set_type, is expected to return 0 if ok, and a negative
++ * errno (e.g. -EINVAL) on error.
++ */
++struct ip_set_type {
++ struct list_head list; /* next in list of set types */
++
++ /* test for IP in set (kernel: iptables -m set src|dst)
++ * return 0 if not in set, 1 if in set.
++ */
++ int (*testip_kernel) (struct ip_set *set,
++ const struct sk_buff * skb,
++ u_int32_t flags,
++ ip_set_ip_t *ip);
++
++ /* test for IP in set (userspace: ipset -T set IP)
++ * return 0 if not in set, 1 if in set.
++ */
++ int (*testip) (struct ip_set *set,
++ const void *data, size_t size,
++ ip_set_ip_t *ip);
++
++ /*
++ * Size of the data structure passed by when
++ * adding/deletin/testing an entry.
++ */
++ size_t reqsize;
++
++ /* Add IP into set (userspace: ipset -A set IP)
++ * Return -EEXIST if the address is already in the set,
++ * and -ERANGE if the address lies outside the set bounds.
++ * If the address was not already in the set, 0 is returned.
++ */
++ int (*addip) (struct ip_set *set,
++ const void *data, size_t size,
++ ip_set_ip_t *ip);
++
++ /* Add IP into set (kernel: iptables ... -j SET set src|dst)
++ * Return -EEXIST if the address is already in the set,
++ * and -ERANGE if the address lies outside the set bounds.
++ * If the address was not already in the set, 0 is returned.
++ */
++ int (*addip_kernel) (struct ip_set *set,
++ const struct sk_buff * skb,
++ u_int32_t flags,
++ ip_set_ip_t *ip);
++
++ /* remove IP from set (userspace: ipset -D set --entry x)
++ * Return -EEXIST if the address is NOT in the set,
++ * and -ERANGE if the address lies outside the set bounds.
++ * If the address really was in the set, 0 is returned.
++ */
++ int (*delip) (struct ip_set *set,
++ const void *data, size_t size,
++ ip_set_ip_t *ip);
++
++ /* remove IP from set (kernel: iptables ... -j SET --entry x)
++ * Return -EEXIST if the address is NOT in the set,
++ * and -ERANGE if the address lies outside the set bounds.
++ * If the address really was in the set, 0 is returned.
++ */
++ int (*delip_kernel) (struct ip_set *set,
++ const struct sk_buff * skb,
++ u_int32_t flags,
++ ip_set_ip_t *ip);
++
++ /* new set creation - allocated type specific items
++ */
++ int (*create) (struct ip_set *set,
++ const void *data, size_t size);
++
++ /* retry the operation after successfully tweaking the set
++ */
++ int (*retry) (struct ip_set *set);
++
++ /* set destruction - free type specific items
++ * There is no return value.
++ * Can be called only when child sets are destroyed.
++ */
++ void (*destroy) (struct ip_set *set);
++
++ /* set flushing - reset all bits in the set, or something similar.
++ * There is no return value.
++ */
++ void (*flush) (struct ip_set *set);
++
++ /* Listing: size needed for header
++ */
++ size_t header_size;
++
++ /* Listing: Get the header
++ *
++ * Fill in the information in "data".
++ * This function is always run after list_header_size() under a
++ * writelock on the set. Therefor is the length of "data" always
++ * correct.
++ */
++ void (*list_header) (const struct ip_set *set,
++ void *data);
++
++ /* Listing: Get the size for the set members
++ */
++ int (*list_members_size) (const struct ip_set *set);
++
++ /* Listing: Get the set members
++ *
++ * Fill in the information in "data".
++ * This function is always run after list_member_size() under a
++ * writelock on the set. Therefor is the length of "data" always
++ * correct.
++ */
++ void (*list_members) (const struct ip_set *set,
++ void *data);
++
++ char typename[IP_SET_MAXNAMELEN];
++ char typecode;
++ int protocol_version;
++
++ /* Set this to THIS_MODULE if you are a module, otherwise NULL */
++ struct module *me;
++};
++
++extern int ip_set_register_set_type(struct ip_set_type *set_type);
++extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
++
++/* A generic ipset */
++struct ip_set {
++ char name[IP_SET_MAXNAMELEN]; /* the name of the set */
++ rwlock_t lock; /* lock for concurrency control */
++ ip_set_id_t id; /* set id for swapping */
++ ip_set_id_t binding; /* default binding for the set */
++ atomic_t ref; /* in kernel and in hash references */
++ struct ip_set_type *type; /* the set types */
++ void *data; /* pooltype specific data */
++};
++
++/* Structure to bind set elements to sets */
++struct ip_set_hash {
++ struct list_head list; /* list of clashing entries in hash */
++ ip_set_ip_t ip; /* ip from set */
++ ip_set_id_t id; /* set id */
++ ip_set_id_t binding; /* set we bind the element to */
++};
++
++/* register and unregister set references */
++extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
++extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
++extern void ip_set_put(ip_set_id_t id);
++
++/* API for iptables set match, and SET target */
++extern void ip_set_addip_kernel(ip_set_id_t id,
++ const struct sk_buff *skb,
++ const u_int32_t *flags);
++extern void ip_set_delip_kernel(ip_set_id_t id,
++ const struct sk_buff *skb,
++ const u_int32_t *flags);
++extern int ip_set_testip_kernel(ip_set_id_t id,
++ const struct sk_buff *skb,
++ const u_int32_t *flags);
++
++#endif /* __KERNEL__ */
++
++#endif /*_IP_SET_H*/
+diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iphash.h include/linux/netfilter_ipv4/ip_set_iphash.h
+--- include.orig/linux/netfilter_ipv4/ip_set_iphash.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_set_iphash.h 2005-08-02 20:02:17.803233104 +0200
+@@ -0,0 +1,30 @@
++#ifndef __IP_SET_IPHASH_H
++#define __IP_SET_IPHASH_H
++
++#include <linux/netfilter_ipv4/ip_set.h>
++
++#define SETTYPE_NAME "iphash"
++#define MAX_RANGE 0x0000FFFF
++
++struct ip_set_iphash {
++ ip_set_ip_t *members; /* the iphash proper */
++ uint32_t initval; /* initval for jhash_1word */
++ uint32_t prime; /* prime for double hashing */
++ uint32_t hashsize; /* hash size */
++ uint16_t probes; /* max number of probes */
++ uint16_t resize; /* resize factor in percent */
++ ip_set_ip_t netmask; /* netmask */
++};
++
++struct ip_set_req_iphash_create {
++ uint32_t hashsize;
++ uint16_t probes;
++ uint16_t resize;
++ ip_set_ip_t netmask;
++};
++
++struct ip_set_req_iphash {
++ ip_set_ip_t ip;
++};
++
++#endif /* __IP_SET_IPHASH_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_set_ipmap.h include/linux/netfilter_ipv4/ip_set_ipmap.h
+--- include.orig/linux/netfilter_ipv4/ip_set_ipmap.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_set_ipmap.h 2005-08-02 20:02:17.763239184 +0200
+@@ -0,0 +1,56 @@
++#ifndef __IP_SET_IPMAP_H
++#define __IP_SET_IPMAP_H
++
++#include <linux/netfilter_ipv4/ip_set.h>
++
++#define SETTYPE_NAME "ipmap"
++#define MAX_RANGE 0x0000FFFF
++
++struct ip_set_ipmap {
++ void *members; /* the ipmap proper */
++ ip_set_ip_t first_ip; /* host byte order, included in range */
++ ip_set_ip_t last_ip; /* host byte order, included in range */
++ ip_set_ip_t netmask; /* subnet netmask */
++ ip_set_ip_t sizeid; /* size of set in IPs */
++ u_int16_t hosts; /* number of hosts in a subnet */
++};
++
++struct ip_set_req_ipmap_create {
++ ip_set_ip_t from;
++ ip_set_ip_t to;
++ ip_set_ip_t netmask;
++};
++
++struct ip_set_req_ipmap {
++ ip_set_ip_t ip;
++};
++
++unsigned int
++mask_to_bits(ip_set_ip_t mask)
++{
++ unsigned int bits = 32;
++ ip_set_ip_t maskaddr;
++
++ if (mask == 0xFFFFFFFF)
++ return bits;
++
++ maskaddr = 0xFFFFFFFE;
++ while (--bits >= 0 && maskaddr != mask)
++ maskaddr <<= 1;
++
++ return bits;
++}
++
++ip_set_ip_t
++range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits)
++{
++ ip_set_ip_t mask = 0xFFFFFFFE;
++
++ *bits = 32;
++ while (--(*bits) >= 0 && mask && (to & mask) != from)
++ mask <<= 1;
++
++ return mask;
++}
++
++#endif /* __IP_SET_IPMAP_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iptree.h include/linux/netfilter_ipv4/ip_set_iptree.h
+--- include.orig/linux/netfilter_ipv4/ip_set_iptree.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_set_iptree.h 2005-08-02 20:02:17.810232040 +0200
+@@ -0,0 +1,39 @@
++#ifndef __IP_SET_IPTREE_H
++#define __IP_SET_IPTREE_H
++
++#include <linux/netfilter_ipv4/ip_set.h>
++
++#define SETTYPE_NAME "iptree"
++#define MAX_RANGE 0x0000FFFF
++
++struct ip_set_iptreed {
++ unsigned long expires[255]; /* x.x.x.ADDR */
++};
++
++struct ip_set_iptreec {
++ struct ip_set_iptreed *tree[255]; /* x.x.ADDR.* */
++};
++
++struct ip_set_iptreeb {
++ struct ip_set_iptreec *tree[255]; /* x.ADDR.*.* */
++};
++
++struct ip_set_iptree {
++ unsigned int timeout;
++ unsigned int gc_interval;
++#ifdef __KERNEL__
++ struct timer_list gc;
++ struct ip_set_iptreeb *tree[255]; /* ADDR.*.*.* */
++#endif
++};
++
++struct ip_set_req_iptree_create {
++ unsigned int timeout;
++};
++
++struct ip_set_req_iptree {
++ ip_set_ip_t ip;
++ unsigned int timeout;
++};
++
++#endif /* __IP_SET_IPTREE_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_set_jhash.h include/linux/netfilter_ipv4/ip_set_jhash.h
+--- include.orig/linux/netfilter_ipv4/ip_set_jhash.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_set_jhash.h 2005-08-02 20:02:17.758239944 +0200
+@@ -0,0 +1,148 @@
++#ifndef _LINUX_IPSET_JHASH_H
++#define _LINUX_IPSET_JHASH_H
++
++/* This is a copy of linux/jhash.h but the types u32/u8 are changed
++ * to __u32/__u8 so that the header file can be included into
++ * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
++ */
++
++/* jhash.h: Jenkins hash support.
++ *
++ * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
++ *
++ * http://burtleburtle.net/bob/hash/
++ *
++ * These are the credits from Bob's sources:
++ *
++ * lookup2.c, by Bob Jenkins, December 1996, Public Domain.
++ * hash(), hash2(), hash3, and mix() are externally useful functions.
++ * Routines to test the hash are included if SELF_TEST is defined.
++ * You can use this free for any purpose. It has no warranty.
++ *
++ * Copyright (C) 2003 David S. Miller (davem@redhat.com)
++ *
++ * I've modified Bob's hash to be useful in the Linux kernel, and
++ * any bugs present are surely my fault. -DaveM
++ */
++
++/* NOTE: Arguments are modified. */
++#define __jhash_mix(a, b, c) \
++{ \
++ a -= b; a -= c; a ^= (c>>13); \
++ b -= c; b -= a; b ^= (a<<8); \
++ c -= a; c -= b; c ^= (b>>13); \
++ a -= b; a -= c; a ^= (c>>12); \
++ b -= c; b -= a; b ^= (a<<16); \
++ c -= a; c -= b; c ^= (b>>5); \
++ a -= b; a -= c; a ^= (c>>3); \
++ b -= c; b -= a; b ^= (a<<10); \
++ c -= a; c -= b; c ^= (b>>15); \
++}
++
++/* The golden ration: an arbitrary value */
++#define JHASH_GOLDEN_RATIO 0x9e3779b9
++
++/* The most generic version, hashes an arbitrary sequence
++ * of bytes. No alignment or length assumptions are made about
++ * the input key.
++ */
++static inline __u32 jhash(void *key, __u32 length, __u32 initval)
++{
++ __u32 a, b, c, len;
++ __u8 *k = key;
++
++ len = length;
++ a = b = JHASH_GOLDEN_RATIO;
++ c = initval;
++
++ while (len >= 12) {
++ a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24));
++ b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24));
++ c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24));
++
++ __jhash_mix(a,b,c);
++
++ k += 12;
++ len -= 12;
++ }
++
++ c += length;
++ switch (len) {
++ case 11: c += ((__u32)k[10]<<24);
++ case 10: c += ((__u32)k[9]<<16);
++ case 9 : c += ((__u32)k[8]<<8);
++ case 8 : b += ((__u32)k[7]<<24);
++ case 7 : b += ((__u32)k[6]<<16);
++ case 6 : b += ((__u32)k[5]<<8);
++ case 5 : b += k[4];
++ case 4 : a += ((__u32)k[3]<<24);
++ case 3 : a += ((__u32)k[2]<<16);
++ case 2 : a += ((__u32)k[1]<<8);
++ case 1 : a += k[0];
++ };
++
++ __jhash_mix(a,b,c);
++
++ return c;
++}
++
++/* A special optimized version that handles 1 or more of __u32s.
++ * The length parameter here is the number of __u32s in the key.
++ */
++static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval)
++{
++ __u32 a, b, c, len;
++
++ a = b = JHASH_GOLDEN_RATIO;
++ c = initval;
++ len = length;
++
++ while (len >= 3) {
++ a += k[0];
++ b += k[1];
++ c += k[2];
++ __jhash_mix(a, b, c);
++ k += 3; len -= 3;
++ }
++
++ c += length * 4;
++
++ switch (len) {
++ case 2 : b += k[1];
++ case 1 : a += k[0];
++ };
++
++ __jhash_mix(a,b,c);
++
++ return c;
++}
++
++
++/* A special ultra-optimized versions that knows they are hashing exactly
++ * 3, 2 or 1 word(s).
++ *
++ * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
++ * done at the end is not done here.
++ */
++static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval)
++{
++ a += JHASH_GOLDEN_RATIO;
++ b += JHASH_GOLDEN_RATIO;
++ c += initval;
++
++ __jhash_mix(a, b, c);
++
++ return c;
++}
++
++static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval)
++{
++ return jhash_3words(a, b, 0, initval);
++}
++
++static inline __u32 jhash_1word(__u32 a, __u32 initval)
++{
++ return jhash_3words(a, 0, 0, initval);
++}
++
++#endif /* _LINUX_IPSET_JHASH_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_set_macipmap.h include/linux/netfilter_ipv4/ip_set_macipmap.h
+--- include.orig/linux/netfilter_ipv4/ip_set_macipmap.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_set_macipmap.h 2005-08-02 20:02:17.776237208 +0200
+@@ -0,0 +1,38 @@
++#ifndef __IP_SET_MACIPMAP_H
++#define __IP_SET_MACIPMAP_H
++
++#include <linux/netfilter_ipv4/ip_set.h>
++
++#define SETTYPE_NAME "macipmap"
++#define MAX_RANGE 0x0000FFFF
++
++/* general flags */
++#define IPSET_MACIP_MATCHUNSET 1
++
++/* per ip flags */
++#define IPSET_MACIP_ISSET 1
++
++struct ip_set_macipmap {
++ void *members; /* the macipmap proper */
++ ip_set_ip_t first_ip; /* host byte order, included in range */
++ ip_set_ip_t last_ip; /* host byte order, included in range */
++ u_int32_t flags;
++};
+
-+typedef int ip_pool_t; /* pool index */
-+#define IP_POOL_NONE ((ip_pool_t)-1)
++struct ip_set_req_macipmap_create {
++ ip_set_ip_t from;
++ ip_set_ip_t to;
++ u_int32_t flags;
++};
+
-+struct ip_pool_request {
-+ int op;
-+ ip_pool_t index;
-+ u_int32_t addr;
-+ u_int32_t addr2;
++struct ip_set_req_macipmap {
++ ip_set_ip_t ip;
++ unsigned char ethernet[ETH_ALEN];
+};
+
-+/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */
++struct ip_set_macip {
++ unsigned short flags;
++ unsigned char ethernet[ETH_ALEN];
++};
+
-+#define IP_POOL_BAD001 0x00000010
++#endif /* __IP_SET_MACIPMAP_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_set_malloc.h include/linux/netfilter_ipv4/ip_set_malloc.h
+--- include.orig/linux/netfilter_ipv4/ip_set_malloc.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_set_malloc.h 2005-08-02 20:02:17.788235384 +0200
+@@ -0,0 +1,34 @@
++#ifndef _IP_SET_MALLOC_H
++#define _IP_SET_MALLOC_H
+
-+#define IP_POOL_FLUSH 0x00000011 /* req.index, no arguments */
-+#define IP_POOL_INIT 0x00000012 /* from addr to addr2 incl. */
-+#define IP_POOL_DESTROY 0x00000013 /* req.index, no arguments */
-+#define IP_POOL_ADD_ADDR 0x00000014 /* add addr to pool */
-+#define IP_POOL_DEL_ADDR 0x00000015 /* del addr from pool */
-+#define IP_POOL_HIGH_NR 0x00000016 /* result in req.index */
-+#define IP_POOL_LOOKUP 0x00000017 /* result in addr and addr2 */
-+#define IP_POOL_USAGE 0x00000018 /* result in addr */
-+#define IP_POOL_TEST_ADDR 0x00000019 /* result (0/1) returned */
++#ifdef __KERNEL__
+
-+#endif /*_IP_POOL_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_addrtype.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_addrtype.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_addrtype.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_addrtype.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,11 @@
-+#ifndef _IPT_ADDRTYPE_H
-+#define _IPT_ADDRTYPE_H
++/* Memory allocation and deallocation */
++static size_t max_malloc_size = 0;
+
-+struct ipt_addrtype_info {
-+ u_int16_t source; /* source-type mask */
-+ u_int16_t dest; /* dest-type mask */
-+ int invert_source;
-+ int invert_dest;
++static inline void init_max_malloc_size(void)
++{
++#define CACHE(x) max_malloc_size = x;
++#include <linux/kmalloc_sizes.h>
++#undef CACHE
++}
++
++static inline void * ip_set_malloc(size_t bytes)
++{
++ if (bytes > max_malloc_size)
++ return vmalloc(bytes);
++ else
++ return kmalloc(bytes, GFP_KERNEL);
++}
++
++static inline void ip_set_free(void * data, size_t bytes)
++{
++ if (bytes > max_malloc_size)
++ vfree(data);
++ else
++ kfree(data);
++}
++
++#endif /* __KERNEL__ */
++
++#endif /*_IP_SET_MALLOC_H*/
+diff -uNr include.orig/linux/netfilter_ipv4/ip_set_nethash.h include/linux/netfilter_ipv4/ip_set_nethash.h
+--- include.orig/linux/netfilter_ipv4/ip_set_nethash.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_set_nethash.h 2005-08-02 20:02:17.755240400 +0200
+@@ -0,0 +1,55 @@
++#ifndef __IP_SET_NETHASH_H
++#define __IP_SET_NETHASH_H
++
++#include <linux/netfilter_ipv4/ip_set.h>
++
++#define SETTYPE_NAME "nethash"
++#define MAX_RANGE 0x0000FFFF
++
++struct ip_set_nethash {
++ ip_set_ip_t *members; /* the nethash proper */
++ uint32_t initval; /* initval for jhash_1word */
++ uint32_t prime; /* prime for double hashing */
++ uint32_t hashsize; /* hash size */
++ uint16_t probes; /* max number of probes */
++ uint16_t resize; /* resize factor in percent */
++ unsigned char cidr[30]; /* CIDR sizes */
++};
++
++struct ip_set_req_nethash_create {
++ uint32_t hashsize;
++ uint16_t probes;
++ uint16_t resize;
++};
++
++struct ip_set_req_nethash {
++ ip_set_ip_t ip;
++ unsigned char cidr;
+};
+
++static unsigned char shifts[] = {255, 253, 249, 241, 225, 193, 129, 1};
++
++static inline ip_set_ip_t
++pack(ip_set_ip_t ip, unsigned char cidr)
++{
++ ip_set_ip_t addr, *paddr = &addr;
++ unsigned char n, t, *a;
++
++ addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr))));
++#ifdef __KERNEL__
++ DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr);
++#endif
++ n = cidr / 8;
++ t = cidr % 8;
++ a = &((unsigned char *)paddr)[n];
++ *a = *a /(1 << (8 - t)) + shifts[t];
++#ifdef __KERNEL__
++ DP("n: %u, t: %u, a: %u", n, t, *a);
++ DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u",
++ HIPQUAD(ip), cidr, NIPQUAD(addr));
+#endif
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_connlimit.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_connlimit.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_connlimit.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,12 @@
-+#ifndef _IPT_CONNLIMIT_H
-+#define _IPT_CONNLIMIT_H
+
-+struct ipt_connlimit_data;
++ return ntohl(addr);
++}
+
-+struct ipt_connlimit_info {
-+ int limit;
-+ int inverse;
-+ u_int32_t mask;
-+ struct ipt_connlimit_data *data;
++#endif /* __IP_SET_NETHASH_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_set_portmap.h include/linux/netfilter_ipv4/ip_set_portmap.h
+--- include.orig/linux/netfilter_ipv4/ip_set_portmap.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_set_portmap.h 2005-08-02 20:02:17.772237816 +0200
+@@ -0,0 +1,25 @@
++#ifndef __IP_SET_PORTMAP_H
++#define __IP_SET_PORTMAP_H
++
++#include <linux/netfilter_ipv4/ip_set.h>
++
++#define SETTYPE_NAME "portmap"
++#define MAX_RANGE 0x0000FFFF
++#define INVALID_PORT (MAX_RANGE + 1)
++
++struct ip_set_portmap {
++ void *members; /* the portmap proper */
++ ip_set_ip_t first_port; /* host byte order, included in range */
++ ip_set_ip_t last_port; /* host byte order, included in range */
+};
-+#endif /* _IPT_CONNLIMIT_H */
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_connmark.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_connmark.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_connmark.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_connmark.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,18 @@
-+#ifndef _IPT_CONNMARK_H
-+#define _IPT_CONNMARK_H
+
-+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
-+ * by Henrik Nordstrom <hno@marasystems.com>
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ */
++struct ip_set_req_portmap_create {
++ ip_set_ip_t from;
++ ip_set_ip_t to;
++};
+
-+struct ipt_connmark_info {
-+ unsigned long mark, mask;
-+ u_int8_t invert;
++struct ip_set_req_portmap {
++ ip_set_ip_t port;
+};
+
-+#endif /*_IPT_CONNMARK_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_CONNMARK.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_CONNMARK.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_CONNMARK.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_CONNMARK.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,25 @@
-+#ifndef _IPT_CONNMARK_H_target
-+#define _IPT_CONNMARK_H_target
++#endif /* __IP_SET_PORTMAP_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_set_prime.h include/linux/netfilter_ipv4/ip_set_prime.h
+--- include.orig/linux/netfilter_ipv4/ip_set_prime.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_set_prime.h 2005-08-02 20:02:17.825229760 +0200
+@@ -0,0 +1,34 @@
++#ifndef __IP_SET_PRIME_H
++#define __IP_SET_PRIME_H
+
-+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
-+ * by Henrik Nordstrom <hno@marasystems.com>
++static inline unsigned make_prime_bound(unsigned nr)
++{
++ unsigned long long nr64 = nr;
++ unsigned long long x = 1;
++ nr = 1;
++ while (x <= nr64) { x <<= 2; nr <<= 1; }
++ return nr;
++}
++
++static inline int make_prime_check(unsigned nr)
++{
++ unsigned x = 3;
++ unsigned b = make_prime_bound(nr);
++ while (x <= b) {
++ if (0 == (nr % x)) return 0;
++ x += 2;
++ }
++ return 1;
++}
++
++static unsigned make_prime(unsigned nr)
++{
++ if (0 == (nr & 1)) nr--;
++ while (nr > 1) {
++ if (make_prime_check(nr)) return nr;
++ nr -= 2;
++ }
++ return 2;
++}
++
++#endif /* __IP_SET_PRIME_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_tables.h include/linux/netfilter_ipv4/ip_tables.h
+--- include.orig/linux/netfilter_ipv4/ip_tables.h 2005-07-06 02:17:20.000000000 +0200
++++ include/linux/netfilter_ipv4/ip_tables.h 2005-08-02 20:02:17.815231280 +0200
+@@ -101,7 +101,8 @@
+
+ /* Values for "flag" field in struct ipt_ip (general ip structure). */
+ #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
+-#define IPT_F_MASK 0x01 /* All possible flag bits mask. */
++#define IPT_F_GOTO 0x02 /* Set if jump is a goto */
++#define IPT_F_MASK 0x03 /* All possible flag bits mask. */
+
+ /* Values for "inv" field in struct ipt_ip. */
+ #define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
+@@ -148,12 +149,23 @@
+ #define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
+ #define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS
+
++#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (IPT_BASE_CTL + 3)
++#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (IPT_BASE_CTL + 4)
++#define IPT_SO_SET_ACCOUNT_MAX IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL
++
+ #define IPT_SO_GET_INFO (IPT_BASE_CTL)
+ #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
+ #define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
+ #define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
+ #define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
+
++#define IPT_SO_GET_ACCOUNT_PREPARE_READ (IPT_BASE_CTL + 3)
++#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (IPT_BASE_CTL + 4)
++#define IPT_SO_GET_ACCOUNT_GET_DATA (IPT_BASE_CTL + 5)
++#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (IPT_BASE_CTL + 6)
++#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (IPT_BASE_CTL + 7)
++#define IPT_SO_GET_ACCOUNT_MAX IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
++
+ /* CONTINUE verdict for targets */
+ #define IPT_CONTINUE 0xFFFFFFFF
+
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_account.h include/linux/netfilter_ipv4/ipt_account.h
+--- include.orig/linux/netfilter_ipv4/ipt_account.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_account.h 2005-08-02 20:02:17.786235688 +0200
+@@ -0,0 +1,26 @@
++/*
++ * accounting match (ipt_account.c)
++ * (C) 2003,2004 by Piotr Gasidlo (quaker@barbara.eu.org)
+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
++ * Version: 0.1.7
++ *
++ * This software is distributed under the terms of GNU GPL
+ */
+
-+enum {
-+ IPT_CONNMARK_SET = 0,
-+ IPT_CONNMARK_SAVE,
-+ IPT_CONNMARK_RESTORE
++#ifndef _IPT_ACCOUNT_H_
++#define _IPT_ACCOUNT_H_
++
++#define IPT_ACCOUNT_NAME_LEN 64
++
++#define IPT_ACCOUNT_NAME "ipt_account"
++#define IPT_ACCOUNT_VERSION "0.1.7"
++
++struct t_ipt_account_info {
++ char name[IPT_ACCOUNT_NAME_LEN];
++ u_int32_t network;
++ u_int32_t netmask;
++ int shortlisting:1;
+};
+
-+struct ipt_connmark_target_info {
-+ unsigned long mark;
-+ unsigned long mask;
-+ u_int8_t mode;
++#endif
++
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h include/linux/netfilter_ipv4/ipt_ACCOUNT.h
+--- include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_ACCOUNT.h 2005-08-02 20:02:17.817230976 +0200
+@@ -0,0 +1,100 @@
++/***************************************************************************
++ * Copyright (C) 2004 by Intra2net AG *
++ * opensource@intra2net.com *
++ * *
++ * This program is free software; you can redistribute it and/or modify *
++ * it under the terms of the GNU General Public License *
++ * version 2 as published by the Free Software Foundation; *
++ * *
++ ***************************************************************************/
++
++#ifndef _IPT_ACCOUNT_H
++#define _IPT_ACCOUNT_H
++
++#define ACCOUNT_MAX_TABLES 32
++#define ACCOUNT_TABLE_NAME_LEN 32
++#define ACCOUNT_MAX_HANDLES 10
++
++/* Structure for the userspace part of ipt_ACCOUNT */
++struct ipt_acc_info {
++ u_int32_t net_ip;
++ u_int32_t net_mask;
++ char table_name[ACCOUNT_TABLE_NAME_LEN];
++ int32_t table_nr;
+};
+
-+#endif /*_IPT_CONNMARK_H_target*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_dstlimit.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_dstlimit.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_dstlimit.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_dstlimit.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,39 @@
-+#ifndef _IPT_DSTLIMIT_H
-+#define _IPT_DSTLIMIT_H
++/* Internal table structure, generated by check_entry() */
++struct ipt_acc_table {
++ char name[ACCOUNT_TABLE_NAME_LEN]; /* name of the table */
++ u_int32_t ip; /* base IP of network */
++ u_int32_t netmask; /* netmask of the network */
++ unsigned char depth; /* size of network:
++ 0: 8 bit, 1: 16bit, 2: 24 bit */
++ u_int32_t refcount; /* refcount of this table.
++ if zero, destroy it */
++ u_int32_t itemcount; /* number of IPs in this table */
++ void *data; /* pointer to the actual data,
++ depending on netmask */
++};
++
++/* Internal handle structure */
++struct ipt_acc_handle {
++ u_int32_t ip; /* base IP of network. Used for
++ caculating the final IP during
++ get_data() */
++ unsigned char depth; /* size of network. See above for
++ details */
++ u_int32_t itemcount; /* number of IPs in this table */
++ void *data; /* pointer to the actual data,
++ depending on size */
++};
++
++/* Handle structure for communication with the userspace library */
++struct ipt_acc_handle_sockopt {
++ u_int32_t handle_nr; /* Used for HANDLE_FREE */
++ char name[ACCOUNT_TABLE_NAME_LEN]; /* Used for HANDLE_PREPARE_READ/
++ HANDLE_READ_FLUSH */
++ u_int32_t itemcount; /* Used for HANDLE_PREPARE_READ/
++ HANDLE_READ_FLUSH */
++};
+
-+/* timings are in milliseconds. */
-+#define IPT_DSTLIMIT_SCALE 10000
-+/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
-+ seconds, or one every 59 hours. */
++/* Used for every IP entry
++ Size is 16 bytes so that 256 (class C network) * 16
++ fits in one kernel (zero) page */
++struct ipt_acc_ip {
++ u_int32_t src_packets;
++ u_int32_t src_bytes;
++ u_int32_t dst_packets;
++ u_int32_t dst_bytes;
++};
+
-+/* details of this structure hidden by the implementation */
-+struct ipt_dstlimit_htable;
++/*
++ Used for every IP when returning data
++*/
++struct ipt_acc_handle_ip {
++ u_int32_t ip;
++ u_int32_t src_packets;
++ u_int32_t src_bytes;
++ u_int32_t dst_packets;
++ u_int32_t dst_bytes;
++};
+
-+#define IPT_DSTLIMIT_HASH_DIP 0x0001
-+#define IPT_DSTLIMIT_HASH_DPT 0x0002
-+#define IPT_DSTLIMIT_HASH_SIP 0x0004
++/*
++ The IPs are organized as an array so that direct slot
++ calculations are possible.
++ Only 8 bit networks are preallocated, 16/24 bit networks
++ allocate their slots when needed -> very efficent.
++*/
++struct ipt_acc_mask_24 {
++ struct ipt_acc_ip ip[256];
++};
+
-+struct dstlimit_cfg {
-+ u_int32_t mode; /* bitmask of IPT_DSTLIMIT_HASH_* */
-+ u_int32_t avg; /* Average secs between packets * scale */
-+ u_int32_t burst; /* Period multiplier for upper limit. */
++struct ipt_acc_mask_16 {
++ struct ipt_acc_mask_24 *mask_24[256];
++};
+
-+ /* user specified */
-+ u_int32_t size; /* how many buckets */
-+ u_int32_t max; /* max number of entries */
-+ u_int32_t gc_interval; /* gc interval */
-+ u_int32_t expire; /* when do entries expire? */
++struct ipt_acc_mask_8 {
++ struct ipt_acc_mask_16 *mask_16[256];
+};
+
-+struct ipt_dstlimit_info {
-+ char name [IFNAMSIZ]; /* name */
-+ struct dstlimit_cfg cfg;
-+ struct ipt_dstlimit_htable *hinfo;
++#endif /*_IPT_ACCOUNT_H*/
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_addrtype.h include/linux/netfilter_ipv4/ipt_addrtype.h
+--- include.orig/linux/netfilter_ipv4/ipt_addrtype.h 2004-10-31 20:56:02.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_addrtype.h 2005-08-02 20:02:17.751241008 +0200
+@@ -4,8 +4,8 @@
+ struct ipt_addrtype_info {
+ u_int16_t source; /* source-type mask */
+ u_int16_t dest; /* dest-type mask */
+- u_int32_t invert_source;
+- u_int32_t invert_dest;
++ int invert_source;
++ int invert_dest;
+ };
+
+ #endif
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
+--- include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-01-08 15:03:55.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-08-02 20:02:17.832228696 +0200
+@@ -9,7 +9,7 @@
+
+ #define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT
+
+-#define CLUSTERIP_MAX_NODES 16
++#define CLUSTERIP_MAX_NODES 8
+
+ #define CLUSTERIP_FLAG_NEW 0x00000001
+
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_connlimit.h include/linux/netfilter_ipv4/ipt_connlimit.h
+--- include.orig/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_connlimit.h 2005-08-02 20:02:17.723245264 +0200
+@@ -0,0 +1,12 @@
++#ifndef _IPT_CONNLIMIT_H
++#define _IPT_CONNLIMIT_H
+
-+ /* Used internally by the kernel */
-+ union {
-+ void *ptr;
-+ struct ipt_dstlimit_info *master;
-+ } u;
-+};
-+#endif /*_IPT_DSTLIMIT_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_fuzzy.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_fuzzy.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_fuzzy.h 2004-04-20 13:10:18.000000000 +0200
++struct ipt_connlimit_data;
++
++struct ipt_connlimit_info {
++ int limit;
++ int inverse;
++ u_int32_t mask;
++ struct ipt_connlimit_data *data;
++};
++#endif /* _IPT_CONNLIMIT_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_fuzzy.h include/linux/netfilter_ipv4/ipt_fuzzy.h
+--- include.orig/linux/netfilter_ipv4/ipt_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_fuzzy.h 2005-08-02 20:02:17.781236448 +0200
@@ -0,0 +1,21 @@
+#ifndef _IPT_FUZZY_H
+#define _IPT_FUZZY_H
+};
+
+#endif /*_IPT_FUZZY_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_IMQ.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_IMQ.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_IMQ.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_IMQ.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,8 @@
-+#ifndef _IPT_IMQ_H
-+#define _IPT_IMQ_H
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_geoip.h include/linux/netfilter_ipv4/ipt_geoip.h
+--- include.orig/linux/netfilter_ipv4/ipt_geoip.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_geoip.h 2005-08-02 20:02:17.769238272 +0200
+@@ -0,0 +1,50 @@
++/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * Copyright (c) 2004 Cookinglinux
++ */
++#ifndef _IPT_GEOIP_H
++#define _IPT_GEOIP_H
++
++#define IPT_GEOIP_SRC 0x01 /* Perform check on Source IP */
++#define IPT_GEOIP_DST 0x02 /* Perform check on Destination IP */
++#define IPT_GEOIP_INV 0x04 /* Negate the condition */
++
++#define IPT_GEOIP_MAX 15 /* Maximum of countries */
+
-+struct ipt_imq_info {
-+ unsigned int todev; /* target imq device */
++struct geoip_subnet {
++ u_int32_t begin;
++ u_int32_t end;
+};
+
-+#endif /* _IPT_IMQ_H */
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_IPMARK.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_IPMARK.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_IPMARK.h 2004-04-20 13:10:18.000000000 +0200
++struct geoip_info {
++ struct geoip_subnet *subnets;
++ u_int32_t count;
++ u_int32_t ref;
++ u_int16_t cc;
++ struct geoip_info *next;
++ struct geoip_info *prev;
++};
++
++struct ipt_geoip_info {
++ u_int8_t flags;
++ u_int8_t count;
++ u_int16_t cc[IPT_GEOIP_MAX];
++
++ /* Used internally by the kernel */
++ struct geoip_info *mem[IPT_GEOIP_MAX];
++ u_int8_t *refcount;
++
++ /* not implemented yet:
++ void *fini;
++ */
++};
++
++#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF)
++
++#endif
++
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_IPMARK.h include/linux/netfilter_ipv4/ipt_IPMARK.h
+--- include.orig/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_IPMARK.h 2005-08-02 20:02:17.756240248 +0200
@@ -0,0 +1,13 @@
+#ifndef _IPT_IPMARK_H_target
+#define _IPT_IPMARK_H_target
+#define IPT_IPMARK_DST 1
+
+#endif /*_IPT_IPMARK_H_target*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_ipv4options.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_ipv4options.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_ipv4options.h 2004-04-20 13:10:18.000000000 +0200
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipp2p.h include/linux/netfilter_ipv4/ipt_ipp2p.h
+--- include.orig/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_ipp2p.h 2005-08-02 20:02:17.784235992 +0200
+@@ -0,0 +1,29 @@
++#ifndef __IPT_IPP2P_H
++#define __IPT_IPP2P_H
++#define IPP2P_VERSION "0.7.4"
++
++struct ipt_p2p_info {
++ int cmd;
++ int debug;
++};
++
++#endif //__IPT_IPP2P_H
++
++#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/
++#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/
++#define SHORT_HAND_NONE 5 /* no short hand*/
++
++#define IPP2P_EDK 2
++#define IPP2P_DATA_KAZAA 8
++#define IPP2P_DATA_EDK 16
++#define IPP2P_DATA_DC 32
++#define IPP2P_DC 64
++#define IPP2P_DATA_GNU 128
++#define IPP2P_GNU 256
++#define IPP2P_KAZAA 512
++#define IPP2P_BIT 1024
++#define IPP2P_APPLE 2048
++#define IPP2P_SOUL 4096
++#define IPP2P_WINMX 8192
++#define IPP2P_ARES 16384
++
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipv4options.h include/linux/netfilter_ipv4/ipt_ipv4options.h
+--- include.orig/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_ipv4options.h 2005-08-02 20:02:17.733243744 +0200
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+
+#endif /* __ipt_ipv4options_h_included__ */
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_mport.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_mport.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_mport.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_mport.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,24 @@
-+#ifndef _IPT_MPORT_H
-+#define _IPT_MPORT_H
-+#include <linux/netfilter_ipv4/ip_tables.h>
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_layer7.h include/linux/netfilter_ipv4/ipt_layer7.h
+--- include.orig/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_layer7.h 2005-08-02 20:02:17.736243288 +0200
+@@ -0,0 +1,26 @@
++/*
++ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
++ http://l7-filter.sf.net
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License
++ as published by the Free Software Foundation; either version
++ 2 of the License, or (at your option) any later version.
++ http://www.gnu.org/licenses/gpl.txt
++*/
++
++#ifndef _IPT_LAYER7_H
++#define _IPT_LAYER7_H
++
++#define MAX_PATTERN_LEN 8192
++#define MAX_PROTOCOL_LEN 256
++
++typedef char *(*proc_ipt_search) (char *, char, char *);
++
++struct ipt_layer7_info {
++ char protocol[MAX_PROTOCOL_LEN];
++ char invert:1;
++ char pattern[MAX_PATTERN_LEN];
++};
+
-+#define IPT_MPORT_SOURCE (1<<0)
-+#define IPT_MPORT_DESTINATION (1<<1)
-+#define IPT_MPORT_EITHER (IPT_MPORT_SOURCE|IPT_MPORT_DESTINATION)
-+
-+#define IPT_MULTI_PORTS 15
-+
-+/* Must fit inside union ipt_matchinfo: 32 bytes */
-+/* every entry in ports[] except for the last one has one bit in pflags
-+ * associated with it. If this bit is set, the port is the first port of
-+ * a portrange, with the next entry being the last.
-+ * End of list is marked with pflags bit set and port=65535.
-+ * If 14 ports are used (last one does not have a pflag), the last port
-+ * is repeated to fill the last entry in ports[] */
-+struct ipt_mport
-+{
-+ u_int8_t flags:2; /* Type of comparison */
-+ u_int16_t pflags:14; /* Port flags */
-+ u_int16_t ports[IPT_MULTI_PORTS]; /* Ports */
-+};
-+#endif /*_IPT_MPORT_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_nth.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_nth.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_nth.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_nth.h 2004-04-20 13:10:18.000000000 +0200
++#endif /* _IPT_LAYER7_H */
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_nth.h include/linux/netfilter_ipv4/ipt_nth.h
+--- include.orig/linux/netfilter_ipv4/ipt_nth.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_nth.h 2005-08-02 20:02:17.760239640 +0200
@@ -0,0 +1,19 @@
+#ifndef _IPT_NTH_H
+#define _IPT_NTH_H
+};
+
+#endif /*_IPT_NTH_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_osf.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_osf.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_osf.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_osf.h 2004-04-25 18:58:27.772515184 +0200
-@@ -0,0 +1,94 @@
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_osf.h include/linux/netfilter_ipv4/ipt_osf.h
+--- include.orig/linux/netfilter_ipv4/ipt_osf.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_osf.h 2005-08-02 20:02:17.783236144 +0200
+@@ -0,0 +1,151 @@
+/*
+ * ipt_osf.h
+ *
+#ifndef _IPT_OSF_H
+#define _IPT_OSF_H
+
-+#define MAXGENRELEN 32
-+#define MAXDETLEN 64
++#define MAXGENRELEN 32
++#define MAXDETLEN 64
+
-+#define IPT_OSF_GENRE 1
-+#define IPT_OSF_SMART 2
-+#define IPT_OSF_LOG 4
-+#define IPT_OSF_NETLINK 8
++#define IPT_OSF_GENRE 1
++#define IPT_OSF_SMART 2
++#define IPT_OSF_LOG 4
++#define IPT_OSF_NETLINK 8
++#define IPT_OSF_CONNECTOR 16
+
-+#define IPT_OSF_LOGLEVEL_ALL 0
-+#define IPT_OSF_LOGLEVEL_FIRST 1
++#define IPT_OSF_LOGLEVEL_ALL 0
++#define IPT_OSF_LOGLEVEL_FIRST 1
+
++#ifndef __KERNEL__
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+
+struct list_head
+{
-+ struct list_head *prev, *next;
++ struct list_head *prev, *next;
+};
++#endif
+
+struct ipt_osf_info
+{
-+ char genre[MAXGENRELEN];
-+ int len;
-+ unsigned long flags;
-+ int loglevel;
-+ int invert; /* UNSUPPORTED */
++ char genre[MAXGENRELEN];
++ int len;
++ unsigned long flags;
++ int loglevel;
++ int invert; /* UNSUPPORTED */
+};
+
+struct osf_wc
+{
-+ char wc;
-+ unsigned long val;
++ char wc;
++ unsigned long val;
+};
+
+/* This struct represents IANA options
+ */
+struct osf_opt
+{
-+ unsigned char kind;
-+ unsigned char length;
-+ struct osf_wc wc;
++ unsigned char kind;
++ unsigned char length;
++ struct osf_wc wc;
+};
+
+struct osf_finger
+{
-+ struct list_head flist;
-+ struct osf_wc wss;
-+ unsigned char ttl;
-+ unsigned char df;
-+ unsigned long ss;
-+ unsigned char genre[MAXGENRELEN];
-+ unsigned char version[MAXGENRELEN], subtype[MAXGENRELEN];
-+
-+ /* Not needed, but for consistency with original table from Michal Zalewski */
-+ unsigned char details[MAXDETLEN];
++ struct list_head flist;
++ struct osf_wc wss;
++ unsigned char ttl;
++ unsigned char df;
++ unsigned long ss;
++ unsigned char genre[MAXGENRELEN];
++ unsigned char version[MAXGENRELEN], subtype[MAXGENRELEN];
++
++ /* Not needed, but for consistency with original table from Michal Zalewski */
++ unsigned char details[MAXDETLEN];
+
-+ int opt_num;
-+ struct osf_opt opt[MAX_IPOPTLEN]; /* In case it is all NOP or EOL */
++ int opt_num;
++ struct osf_opt opt[MAX_IPOPTLEN]; /* In case it is all NOP or EOL */
+
+};
+
+struct ipt_osf_nlmsg
+{
-+ struct osf_finger f;
-+ struct iphdr ip;
-+ struct tcphdr tcp;
++ struct osf_finger f;
++ struct iphdr ip;
++ struct tcphdr tcp;
+};
+
++#ifdef __KERNEL__
++
++#include <linux/list.h>
++#include <net/tcp.h>
++
++
++/* Defines for IANA option kinds */
++
++#define OSFOPT_EOL 0 /* End of options */
++#define OSFOPT_NOP 1 /* NOP */
++#define OSFOPT_MSS 2 /* Maximum segment size */
++#define OSFOPT_WSO 3 /* Window scale option */
++#define OSFOPT_SACKP 4 /* SACK permitted */
++#define OSFOPT_SACK 5 /* SACK */
++#define OSFOPT_ECHO 6
++#define OSFOPT_ECHOREPLY 7
++#define OSFOPT_TS 8 /* Timestamp option */
++#define OSFOPT_POCP 9 /* Partial Order Connection Permitted */
++#define OSFOPT_POSP 10 /* Partial Order Service Profile */
++/* Others are not used in current OSF */
++
++static struct osf_opt IANA_opts[] =
++{
++ {0, 1,},
++ {1, 1,},
++ {2, 4,},
++ {3, 3,},
++ {4, 2,},
++ {5, 1 ,}, /* SACK length is not defined */
++ {6, 6,},
++ {7, 6,},
++ {8, 10,},
++ {9, 2,},
++ {10, 3,},
++ {11, 1,}, /* CC: Suppose 1 */
++ {12, 1,}, /* the same */
++ {13, 1,}, /* and here too */
++ {14, 3,},
++ {15, 1,}, /* TCP Alternate Checksum Data. Length is not defined */
++ {16, 1,},
++ {17, 1,},
++ {18, 3,},
++ {19, 18,},
++ {20, 1,},
++ {21, 1,},
++ {22, 1,},
++ {23, 1,},
++ {24, 1,},
++ {25, 1,},
++ {26, 1,},
++};
++
++#endif /* __KERNEL__ */
++
+#endif /* _IPT_OSF_H */
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_policy.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_policy.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_policy.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_policy.h 2004-04-20 13:10:18.000000000 +0200
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_policy.h include/linux/netfilter_ipv4/ipt_policy.h
+--- include.orig/linux/netfilter_ipv4/ipt_policy.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_policy.h 2005-08-02 20:02:17.735243440 +0200
@@ -0,0 +1,52 @@
+#ifndef _IPT_POLICY_H
+#define _IPT_POLICY_H
+};
+
+#endif /* _IPT_POLICY_H */
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_pool.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_pool.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_pool.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_pool.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,25 @@
-+#ifndef _IPT_POOL_H
-+#define _IPT_POOL_H
-+
-+#include <linux/netfilter_ipv4/ip_pool.h>
-+
-+#define IPT_POOL_INV_SRC 0x00000001
-+#define IPT_POOL_INV_DST 0x00000002
-+#define IPT_POOL_DEL_SRC 0x00000004
-+#define IPT_POOL_DEL_DST 0x00000008
-+#define IPT_POOL_INV_MOD_SRC 0x00000010
-+#define IPT_POOL_INV_MOD_DST 0x00000020
-+#define IPT_POOL_MOD_SRC_ACCEPT 0x00000040
-+#define IPT_POOL_MOD_DST_ACCEPT 0x00000080
-+#define IPT_POOL_MOD_SRC_DROP 0x00000100
-+#define IPT_POOL_MOD_DST_DROP 0x00000200
-+
-+/* match info */
-+struct ipt_pool_info
-+{
-+ ip_pool_t src;
-+ ip_pool_t dst;
-+ unsigned flags;
-+};
-+
-+#endif /*_IPT_POOL_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_psd.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_psd.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_psd.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_psd.h 2004-04-20 13:10:18.000000000 +0200
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_psd.h include/linux/netfilter_ipv4/ipt_psd.h
+--- include.orig/linux/netfilter_ipv4/ipt_psd.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_psd.h 2005-08-02 20:02:17.778236904 +0200
@@ -0,0 +1,40 @@
+#ifndef _IPT_PSD_H
+#define _IPT_PSD_H
+#define SCAN_MIN_COUNT 7
+#define SCAN_MAX_COUNT (SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
+#define SCAN_WEIGHT_THRESHOLD SCAN_MAX_COUNT
-+#define SCAN_DELAY_THRESHOLD (HZ * 3)
++#define SCAN_DELAY_THRESHOLD (300) /* old usage of HZ here was erroneously and broke under uml */
+
+/*
+ * Keep track of up to LIST_SIZE source addresses, using a hash table of
+};
+
+#endif /*_IPT_PSD_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_quota.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_quota.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_quota.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_quota.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,11 @@
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_quota.h include/linux/netfilter_ipv4/ipt_quota.h
+--- include.orig/linux/netfilter_ipv4/ipt_quota.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_quota.h 2005-08-02 20:02:17.762239336 +0200
+@@ -0,0 +1,12 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+
+
+struct ipt_quota_info {
+ u_int64_t quota;
++ struct ipt_quota_info *master;
+};
+
+#endif /*_IPT_QUOTA_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_random.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_random.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_random.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_random.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,11 @@
-+#ifndef _IPT_RAND_H
-+#define _IPT_RAND_H
-+
-+#include <linux/param.h>
-+#include <linux/types.h>
-+
-+struct ipt_rand_info {
-+ u_int8_t average;
-+};
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_recent.h include/linux/netfilter_ipv4/ipt_recent.h
+--- include.orig/linux/netfilter_ipv4/ipt_recent.h 2004-10-31 20:56:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_recent.h 2005-08-02 20:02:17.720245720 +0200
+@@ -2,7 +2,7 @@
+ #define _IPT_RECENT_H
+
+ #define RECENT_NAME "ipt_recent"
+-#define RECENT_VER "v0.3.1"
++#define RECENT_VER "v0.3.2"
+
+ #define IPT_RECENT_CHECK 1
+ #define IPT_RECENT_SET 2
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_ROUTE.h include/linux/netfilter_ipv4/ipt_ROUTE.h
+--- include.orig/linux/netfilter_ipv4/ipt_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_ROUTE.h 2005-08-02 20:02:17.726244808 +0200
+@@ -0,0 +1,23 @@
++/* Header file for iptables ipt_ROUTE target
++ *
++ * (C) 2002 by Cédric de Launois <delaunois@info.ucl.ac.be>
++ *
++ * This software is distributed under GNU GPL v2, 1991
++ */
++#ifndef _IPT_ROUTE_H_target
++#define _IPT_ROUTE_H_target
+
-+#endif /*_IPT_RAND_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_realm.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_realm.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_realm.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_realm.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,9 @@
-+#ifndef _IPT_REALM_H
-+#define _IPT_REALM_H
++#define IPT_ROUTE_IFNAMSIZ 16
+
-+struct ipt_realm_info {
-+ u_int32_t id;
-+ u_int32_t mask;
-+ u_int8_t invert;
++struct ipt_route_target_info {
++ char oif[IPT_ROUTE_IFNAMSIZ]; /* Output Interface Name */
++ char iif[IPT_ROUTE_IFNAMSIZ]; /* Input Interface Name */
++ u_int32_t gw; /* IP address of gateway */
++ u_int8_t flags;
+};
-+#endif /*_IPT_REALM_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_sctp.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_sctp.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_sctp.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_sctp.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,107 @@
-+#ifndef _IPT_SCTP_H_
-+#define _IPT_SCTP_H_
+
-+#define IPT_SCTP_SRC_PORTS 0x01
-+#define IPT_SCTP_DEST_PORTS 0x02
-+#define IPT_SCTP_CHUNK_TYPES 0x04
++/* Values for "flags" field */
++#define IPT_ROUTE_CONTINUE 0x01
++#define IPT_ROUTE_TEE 0x02
+
-+#define IPT_SCTP_VALID_FLAGS 0x07
-+
-+#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
++#endif /*_IPT_ROUTE_H_target*/
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_set.h include/linux/netfilter_ipv4/ipt_set.h
+--- include.orig/linux/netfilter_ipv4/ipt_set.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_set.h 2005-08-02 20:02:17.721245568 +0200
+@@ -0,0 +1,21 @@
++#ifndef _IPT_SET_H
++#define _IPT_SET_H
+
++#include <linux/netfilter_ipv4/ip_set.h>
+
-+struct ipt_sctp_flag_info {
-+ u_int8_t chunktype;
-+ u_int8_t flag;
-+ u_int8_t flag_mask;
++struct ipt_set_info {
++ ip_set_id_t index;
++ u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
+};
+
-+#define IPT_NUM_SCTP_FLAGS 4
-+
-+struct ipt_sctp_info {
-+ u_int16_t dpts[2]; /* Min, Max */
-+ u_int16_t spts[2]; /* Min, Max */
-+
-+ u_int32_t chunkmap[256 / sizeof (u_int32_t)]; /* Bit mask of chunks to be matched according to RFC 2960 */
-+
-+#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */
-+#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */
-+#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */
-+
-+ u_int32_t chunk_match_type;
-+ struct ipt_sctp_flag_info flag_info[IPT_NUM_SCTP_FLAGS];
-+ int flag_count;
-+
-+ u_int32_t flags;
-+ u_int32_t invflags;
++/* match info */
++struct ipt_set_info_match {
++ struct ipt_set_info match_set;
+};
+
-+#define bytes(type) (sizeof(type) * 8)
-+
-+#define SCTP_CHUNKMAP_SET(chunkmap, type) \
-+ do { \
-+ chunkmap[type / bytes(u_int32_t)] |= \
-+ 1 << (type % bytes(u_int32_t)); \
-+ } while (0)
-+
-+#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
-+ do { \
-+ chunkmap[type / bytes(u_int32_t)] &= \
-+ ~(1 << (type % bytes(u_int32_t))); \
-+ } while (0)
-+
-+#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
-+({ \
-+ (chunkmap[type / bytes (u_int32_t)] & \
-+ (1 << (type % bytes (u_int32_t)))) ? 1: 0; \
-+})
-+
-+#define SCTP_CHUNKMAP_RESET(chunkmap) \
-+ do { \
-+ int i; \
-+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
-+ chunkmap[i] = 0; \
-+ } while (0)
-+
-+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
-+ do { \
-+ int i; \
-+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
-+ chunkmap[i] = ~0; \
-+ } while (0)
-+
-+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
-+ do { \
-+ int i; \
-+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
-+ destmap[i] = srcmap[i]; \
-+ } while (0)
-+
-+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
-+({ \
-+ int i; \
-+ int flag = 1; \
-+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
-+ if (chunkmap[i]) { \
-+ flag = 0; \
-+ break; \
-+ } \
-+ } \
-+ flag; \
-+})
-+
-+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
-+({ \
-+ int i; \
-+ int flag = 1; \
-+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
-+ if (chunkmap[i] != ~0) { \
-+ flag = 0; \
-+ break; \
-+ } \
-+ } \
-+ flag; \
-+})
-+
-+#endif /* _IPT_SCTP_H_ */
++struct ipt_set_info_target {
++ struct ipt_set_info add_set;
++ struct ipt_set_info del_set;
++};
+
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_string.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_string.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_string.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_string.h 2004-04-20 13:10:18.000000000 +0200
++#endif /*_IPT_SET_H*/
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_string.h include/linux/netfilter_ipv4/ipt_string.h
+--- include.orig/linux/netfilter_ipv4/ipt_string.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_string.h 2005-08-02 20:02:17.805232800 +0200
@@ -0,0 +1,21 @@
+#ifndef _IPT_STRING_H
+#define _IPT_STRING_H
+};
+
+#endif /* _IPT_STRING_H */
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_time.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_time.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_time.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_time.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,13 @@
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_time.h include/linux/netfilter_ipv4/ipt_time.h
+--- include.orig/linux/netfilter_ipv4/ipt_time.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_time.h 2005-08-02 20:02:17.765238880 +0200
+@@ -0,0 +1,18 @@
+#ifndef __ipt_time_h_included__
+#define __ipt_time_h_included__
+
+ u_int8_t days_match; /* 1 bit per day. -SMTWTFS */
+ u_int16_t time_start; /* 0 < time_start < 23*60+59 = 1439 */
+ u_int16_t time_stop; /* 0:0 < time_stat < 23:59 */
++
++ /* FIXME: Keep this one for userspace iptables binary compability: */
+ u_int8_t kerneltime; /* ignore skb time (and use kerneltime) or not. */
++
++ time_t date_start;
++ time_t date_stop;
+};
+
+
+#endif /* __ipt_time_h_included__ */
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_TTL.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_TTL.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_TTL.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_TTL.h 2004-04-20 13:10:18.000000000 +0200
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_TTL.h include/linux/netfilter_ipv4/ipt_TTL.h
+--- include.orig/linux/netfilter_ipv4/ipt_TTL.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_TTL.h 2005-08-02 20:02:17.801233408 +0200
@@ -0,0 +1,21 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
+
+
+#endif
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_u32.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_u32.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_u32.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_u32.h 2004-04-20 13:10:18.000000000 +0200
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_u32.h include/linux/netfilter_ipv4/ipt_u32.h
+--- include.orig/linux/netfilter_ipv4/ipt_u32.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_u32.h 2005-08-02 20:02:17.809232192 +0200
@@ -0,0 +1,40 @@
+#ifndef _IPT_U32_H
+#define _IPT_U32_H
+};
+
+#endif /*_IPT_U32_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_XOR.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_XOR.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4.orig/ipt_XOR.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv4/ipt_XOR.h 2004-04-20 13:10:18.000000000 +0200
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_XOR.h include/linux/netfilter_ipv4/ipt_XOR.h
+--- include.orig/linux/netfilter_ipv4/ipt_XOR.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_XOR.h 2005-08-02 20:02:17.830229000 +0200
@@ -0,0 +1,9 @@
+#ifndef _IPT_XOR_H
+#define _IPT_XOR_H
+};
+
+#endif /* _IPT_XOR_H */
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_fuzzy.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_fuzzy.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_fuzzy.h 2004-04-20 13:10:18.000000000 +0200
+diff -uNr include.orig/linux/netfilter_ipv4.h include/linux/netfilter_ipv4.h
+--- include.orig/linux/netfilter_ipv4.h 2005-07-06 02:17:21.000000000 +0200
++++ include/linux/netfilter_ipv4.h 2005-08-02 20:02:17.660254840 +0200
+@@ -7,34 +7,6 @@
+
+ #include <linux/netfilter.h>
+
+-/* IP Cache bits. */
+-/* Src IP address. */
+-#define NFC_IP_SRC 0x0001
+-/* Dest IP address. */
+-#define NFC_IP_DST 0x0002
+-/* Input device. */
+-#define NFC_IP_IF_IN 0x0004
+-/* Output device. */
+-#define NFC_IP_IF_OUT 0x0008
+-/* TOS. */
+-#define NFC_IP_TOS 0x0010
+-/* Protocol. */
+-#define NFC_IP_PROTO 0x0020
+-/* IP options. */
+-#define NFC_IP_OPTIONS 0x0040
+-/* Frag & flags. */
+-#define NFC_IP_FRAG 0x0080
+-
+-/* Per-protocol information: only matters if proto match. */
+-/* TCP flags. */
+-#define NFC_IP_TCPFLAGS 0x0100
+-/* Source port. */
+-#define NFC_IP_SRC_PT 0x0200
+-/* Dest port. */
+-#define NFC_IP_DST_PT 0x0400
+-/* Something else about the proto */
+-#define NFC_IP_PROTO_UNKNOWN 0x2000
+-
+ /* IP Hooks */
+ /* After promisc drops, checksum checks. */
+ #define NF_IP_PRE_ROUTING 0
+diff -uNr include.orig/linux/netfilter_ipv6/ip6t_fuzzy.h include/linux/netfilter_ipv6/ip6t_fuzzy.h
+--- include.orig/linux/netfilter_ipv6/ip6t_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv6/ip6t_fuzzy.h 2005-08-02 20:02:17.652256056 +0200
@@ -0,0 +1,21 @@
+#ifndef _IP6T_FUZZY_H
+#define _IP6T_FUZZY_H
+};
+
+#endif /*_IP6T_FUZZY_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_HL.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_HL.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_HL.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_HL.h 2004-04-20 13:10:18.000000000 +0200
+diff -uNr include.orig/linux/netfilter_ipv6/ip6t_HL.h include/linux/netfilter_ipv6/ip6t_HL.h
+--- include.orig/linux/netfilter_ipv6/ip6t_HL.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv6/ip6t_HL.h 2005-08-02 20:02:17.656255448 +0200
@@ -0,0 +1,22 @@
+/* Hop Limit modification module for ip6tables
+ * Maciej Soltysiak <solt@dns.toxicfilms.tv>
+
+
+#endif
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_nth.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_nth.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_nth.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_nth.h 2004-04-20 13:10:18.000000000 +0200
+diff -uNr include.orig/linux/netfilter_ipv6/ip6t_nth.h include/linux/netfilter_ipv6/ip6t_nth.h
+--- include.orig/linux/netfilter_ipv6/ip6t_nth.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv6/ip6t_nth.h 2005-08-02 20:02:17.652256056 +0200
@@ -0,0 +1,19 @@
+#ifndef _IP6T_NTH_H
+#define _IP6T_NTH_H
+};
+
+#endif /*_IP6T_NTH_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_random.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_random.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_random.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_random.h 2004-04-20 13:10:18.000000000 +0200
-@@ -0,0 +1,11 @@
-+#ifndef _IP6T_RAND_H
-+#define _IP6T_RAND_H
+diff -uNr include.orig/linux/netfilter_ipv6/ip6t_policy.h include/linux/netfilter_ipv6/ip6t_policy.h
+--- include.orig/linux/netfilter_ipv6/ip6t_policy.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv6/ip6t_policy.h 2005-08-02 20:02:17.655255600 +0200
+@@ -0,0 +1,52 @@
++#ifndef _IP6T_POLICY_H
++#define _IP6T_POLICY_H
+
-+#include <linux/param.h>
-+#include <linux/types.h>
++#define POLICY_MAX_ELEM 4
+
-+struct ip6t_rand_info {
-+ u_int8_t average;
++enum ip6t_policy_flags
++{
++ POLICY_MATCH_IN = 0x1,
++ POLICY_MATCH_OUT = 0x2,
++ POLICY_MATCH_NONE = 0x4,
++ POLICY_MATCH_STRICT = 0x8,
+};
+
-+#endif /*_IP6T_RAND_H*/
-diff -uNr linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_REJECT.h linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_REJECT.h
---- linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6.orig/ip6t_REJECT.h 2004-03-05 16:36:39.000000000 +0100
-+++ linux-libc-headers-2.6.5.0/include/linux/netfilter_ipv6/ip6t_REJECT.h 2004-04-20 13:10:18.000000000 +0200
-@@ -2,15 +2,17 @@
- #define _IP6T_REJECT_H
-
- enum ip6t_reject_with {
-- IP6T_ICMP_NET_UNREACHABLE,
-- IP6T_ICMP_HOST_UNREACHABLE,
-- IP6T_ICMP_PROT_UNREACHABLE,
-- IP6T_ICMP_PORT_UNREACHABLE,
-- IP6T_ICMP_ECHOREPLY
++enum ip6t_policy_modes
++{
++ POLICY_MODE_TRANSPORT,
++ POLICY_MODE_TUNNEL
++};
++
++struct ip6t_policy_spec
++{
++ u_int8_t saddr:1,
++ daddr:1,
++ proto:1,
++ mode:1,
++ spi:1,
++ reqid:1;
++};
++
++struct ip6t_policy_elem
++{
++ struct in6_addr saddr;
++ struct in6_addr smask;
++ struct in6_addr daddr;
++ struct in6_addr dmask;
++ u_int32_t spi;
++ u_int32_t reqid;
++ u_int8_t proto;
++ u_int8_t mode;
++
++ struct ip6t_policy_spec match;
++ struct ip6t_policy_spec invert;
++};
++
++struct ip6t_policy_info
++{
++ struct ip6t_policy_elem pol[POLICY_MAX_ELEM];
++ u_int16_t flags;
++ u_int16_t len;
++};
++
++#endif /* _IP6T_POLICY_H */
+diff -uNr include.orig/linux/netfilter_ipv6/ip6t_REJECT.h include/linux/netfilter_ipv6/ip6t_REJECT.h
+--- include.orig/linux/netfilter_ipv6/ip6t_REJECT.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv6/ip6t_REJECT.h 2005-08-02 20:02:17.657255296 +0200
+@@ -0,0 +1,18 @@
++#ifndef _IP6T_REJECT_H
++#define _IP6T_REJECT_H
++
++enum ip6t_reject_with {
+ IP6T_ICMP6_NO_ROUTE,
+ IP6T_ICMP6_ADM_PROHIBITED,
+ IP6T_ICMP6_NOT_NEIGHBOUR,
+ IP6T_ICMP6_PORT_UNREACH,
+ IP6T_ICMP6_ECHOREPLY,
+ IP6T_TCP_RESET
++};
++
++struct ip6t_reject_info {
++ enum ip6t_reject_with with; /* reject type */
++};
++
++#endif /*_IP6T_REJECT_H*/
+diff -uNr include.orig/linux/netfilter_ipv6/ip6t_ROUTE.h include/linux/netfilter_ipv6/ip6t_ROUTE.h
+--- include.orig/linux/netfilter_ipv6/ip6t_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv6/ip6t_ROUTE.h 2005-08-02 20:02:17.654255752 +0200
+@@ -0,0 +1,23 @@
++/* Header file for iptables ip6t_ROUTE target
++ *
++ * (C) 2003 by Cédric de Launois <delaunois@info.ucl.ac.be>
++ *
++ * This software is distributed under GNU GPL v2, 1991
++ */
++#ifndef _IPT_ROUTE_H_target
++#define _IPT_ROUTE_H_target
++
++#define IP6T_ROUTE_IFNAMSIZ 16
++
++struct ip6t_route_target_info {
++ char oif[IP6T_ROUTE_IFNAMSIZ]; /* Output Interface Name */
++ char iif[IP6T_ROUTE_IFNAMSIZ]; /* Input Interface Name */
++ u_int32_t gw[4]; /* IPv6 address of gateway */
++ u_int8_t flags;
++};
++
++/* Values for "flags" field */
++#define IP6T_ROUTE_CONTINUE 0x01
++#define IP6T_ROUTE_TEE 0x02
++
++#endif /*_IP6T_ROUTE_H_target*/
+diff -uNr include.orig/linux/netfilter_ipv6.h include/linux/netfilter_ipv6.h
+--- include.orig/linux/netfilter_ipv6.h 2004-10-31 20:55:40.000000000 +0100
++++ include/linux/netfilter_ipv6.h 2005-08-02 20:02:17.661254688 +0200
+@@ -56,6 +56,7 @@
+
+ enum nf_ip6_hook_priorities {
+ NF_IP6_PRI_FIRST = INT_MIN,
++ NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
+ NF_IP6_PRI_SELINUX_FIRST = -225,
+ NF_IP6_PRI_CONNTRACK = -200,
+ NF_IP6_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
+@@ -68,4 +69,6 @@
+ NF_IP6_PRI_LAST = INT_MAX,
};
- struct ip6t_reject_info {
- enum ip6t_reject_with with; /* reject type */
++#define SO_ORIGINAL_DST 80
++
+ #endif /*__LINUX_IP6_NETFILTER_H*/
+diff -uNr include.orig/linux/netlink.h include/linux/netlink.h
+--- include.orig/linux/netlink.h 2005-01-08 15:03:40.000000000 +0100
++++ include/linux/netlink.h 2005-08-02 20:02:17.679251952 +0200
+@@ -14,6 +14,7 @@
+ #define NETLINK_SELINUX 7 /* SELinux event notifications */
+ #define NETLINK_ARPD 8
+ #define NETLINK_AUDIT 9 /* auditing */
++#define NETLINK_NETFILTER 10 /* netfilter subsystem */
+ #define NETLINK_ROUTE6 11 /* af_inet6 route comm channel */
+ #define NETLINK_IP6_FW 13
+ #define NETLINK_DNRTMSG 14 /* DECnet routing messages */
+diff -uNr include.orig/linux/skbuff.h include/linux/skbuff.h
+--- include.orig/linux/skbuff.h 2005-07-06 02:17:21.000000000 +0200
++++ include/linux/skbuff.h 2005-08-02 20:02:17.667253776 +0200
+@@ -258,6 +258,9 @@
+ __u32 nfcache;
+ __u32 nfctinfo;
+ struct nf_conntrack *nfct;
++#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
++ struct sk_buff *nfct_reasm;
++#endif
+ #ifdef CONFIG_NETFILTER_DEBUG
+ unsigned int nf_debug;
+ #endif
+diff -uNr include.orig/linux/sysctl.h include/linux/sysctl.h
+--- include.orig/linux/sysctl.h 2005-07-06 02:17:21.000000000 +0200
++++ include/linux/sysctl.h 2005-08-02 20:03:45.127957728 +0200
+@@ -193,7 +193,8 @@
+ NET_DECNET=15,
+ NET_ECONET=16,
+ NET_KHTTPD=17, /* [<2.6] */
+- NET_SCTP=17
++ NET_SCTP=17,
++ NET_NETFILTER=18
};
--#endif /*_IPT_REJECT_H*/
-+#endif /*_IP6T_REJECT_H*/
+ /* /proc/sys/kernel/random */
+@@ -258,6 +259,42 @@
+ NET_UNIX_MAX_DGRAM_QLEN=3
+ };
+
++/* /proc/sys/net/netfilter */
++enum
++{
++ NET_NF_CONNTRACK_MAX=1,
++ NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT=2,
++ NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV=3,
++ NET_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED=4,
++ NET_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT=5,
++ NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT=6,
++ NET_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK=7,
++ NET_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT=8,
++ NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE=9,
++ NET_NF_CONNTRACK_UDP_TIMEOUT=10,
++ NET_NF_CONNTRACK_UDP_TIMEOUT_STREAM=11,
++ NET_NF_CONNTRACK_ICMP_TIMEOUT=12,
++ NET_NF_CONNTRACK_GENERIC_TIMEOUT=13,
++ NET_NF_CONNTRACK_BUCKETS=14,
++ NET_NF_CONNTRACK_LOG_INVALID=15,
++ NET_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS=16,
++ NET_NF_CONNTRACK_TCP_LOOSE=17,
++ NET_NF_CONNTRACK_TCP_BE_LIBERAL=18,
++ NET_NF_CONNTRACK_TCP_MAX_RETRANS=19,
++ NET_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED=20,
++ NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT=21,
++ NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED=22,
++ NET_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED=23,
++ NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT=24,
++ NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD=25,
++ NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT=26,
++ NET_NF_CONNTRACK_COUNT=27,
++ NET_NF_CONNTRACK_ICMPV6_TIMEOUT=28,
++ NET_NF_CONNTRACK_FRAG6_TIMEOUT=29,
++ NET_NF_CONNTRACK_FRAG6_LOW_THRESH=30,
++ NET_NF_CONNTRACK_FRAG6_HIGH_THRESH=31,
++};
++
+ /* /proc/sys/net/ipv4 */
+ enum
+ {
projects / packages / linux-libc-headers.git / blobdiff