1 diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h usr/include/linux/netfilter/ipv4/nf_conntrack_icmp.h
2 --- include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h 1970-01-01 01:00:00.000000000 +0100
3 +++ usr/include/linux/netfilter/ipv4/nf_conntrack_icmp.h 2005-08-02 20:02:17.683251344 +0200
8 + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_icmp.h
11 +#ifndef _NF_CONNTRACK_ICMP_H
12 +#define _NF_CONNTRACK_ICMP_H
13 +#include <asm/atomic.h>
17 + /* Optimization: when number in == number out, forget immediately. */
21 +#endif /* _NF_CONNTRACK_ICMP_H */
22 diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h usr/include/linux/netfilter/ipv4/nf_conntrack_ipv4.h
23 --- include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h 1970-01-01 01:00:00.000000000 +0100
24 +++ usr/include/linux/netfilter/ipv4/nf_conntrack_ipv4.h 2005-08-02 20:02:17.684251192 +0200
27 + * IPv4 support for nf_conntrack.
29 + * 23 Mar 2004: Yasuyuki Kozakai @ USAGI <yasuyuki.kozakai@toshiba.co.jp>
30 + * - move L3 protocol dependent part from usr/include/linux/netfilter_ipv4/
34 +#ifndef _NF_CONNTRACK_IPV4_H
35 +#define _NF_CONNTRACK_IPV4_H
37 +#ifdef CONFIG_IP_NF_NAT_NEEDED
38 +#include <linux/netfilter_ipv4/ip_nat.h>
40 +/* per conntrack: nat application helper private data */
41 +union ip_conntrack_nat_help {
42 + /* insert nat helper private data here */
45 +struct nf_conntrack_ipv4_nat {
46 + struct ip_nat_info info;
47 + union ip_conntrack_nat_help help;
48 +#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
49 + defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
53 +#endif /* CONFIG_IP_NF_NAT_NEEDED */
55 +struct nf_conntrack_ipv4 {
56 +#ifdef CONFIG_IP_NF_NAT_NEEDED
57 + struct nf_conntrack_ipv4_nat *nat;
61 +/* Returns new sk_buff, or NULL */
63 +nf_ct_ipv4_ct_gather_frags(struct sk_buff *skb);
65 +#endif /*_NF_CONNTRACK_IPV4_H*/
66 diff -uNr include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h usr/include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h
67 --- include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 1970-01-01 01:00:00.000000000 +0100
68 +++ usr/include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 2005-08-02 20:02:17.698249064 +0200
73 + * 21 Apl 2004: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
74 + * - separated from nf_conntrack_icmp.h
76 + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_icmp.h
79 +#ifndef _NF_CONNTRACK_ICMPV6_H
80 +#define _NF_CONNTRACK_ICMPV6_H
81 +#include <asm/atomic.h>
83 +#ifndef ICMPV6_NI_QUERY
84 +#define ICMPV6_NI_QUERY 139
86 +#ifndef ICMPV6_NI_REPLY
87 +#define ICMPV6_NI_REPLY 140
92 + /* Optimization: when number in == number out, forget immediately. */
96 +#endif /* _NF_CONNTRACK_ICMPV6_H */
97 diff -uNr include.orig/linux/netfilter/nf_conntrack_core.h usr/include/linux/netfilter/nf_conntrack_core.h
98 --- include.orig/linux/netfilter/nf_conntrack_core.h 1970-01-01 01:00:00.000000000 +0100
99 +++ usr/include/linux/netfilter/nf_conntrack_core.h 2005-08-02 20:02:17.687250736 +0200
102 + * This header is used to share core functionality between the
103 + * standalone connection tracking module, and the compatibility layer's use
104 + * of connection tracking.
106 + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
107 + * - generalize L3 protocol dependent part.
109 + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_core.h
112 +#ifndef _NF_CONNTRACK_CORE_H
113 +#define _NF_CONNTRACK_CORE_H
115 +#include <linux/netfilter.h>
116 +#include <linux/netfilter_ipv4/lockhelp.h>
118 +/* This header is used to share core functionality between the
119 + standalone connection tracking module, and the compatibility layer's use
120 + of connection tracking. */
121 +extern unsigned int nf_conntrack_in(int pf,
122 + unsigned int hooknum,
123 + struct sk_buff **pskb);
125 +extern int nf_conntrack_init(void);
126 +extern void nf_conntrack_cleanup(void);
128 +struct nf_conntrack_l3proto;
129 +extern struct nf_conntrack_l3proto *nf_ct_find_l3proto(u_int16_t pf);
130 +/* Like above, but you already have conntrack read lock. */
131 +extern struct nf_conntrack_l3proto *__nf_ct_find_l3proto(u_int16_t l3proto);
133 +struct nf_conntrack_protocol;
136 +nf_ct_get_tuple(const struct sk_buff *skb,
137 + unsigned int nhoff,
138 + unsigned int dataoff,
141 + struct nf_conntrack_tuple *tuple,
142 + const struct nf_conntrack_l3proto *l3proto,
143 + const struct nf_conntrack_protocol *protocol);
146 +nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
147 + const struct nf_conntrack_tuple *orig,
148 + const struct nf_conntrack_l3proto *l3proto,
149 + const struct nf_conntrack_protocol *protocol);
151 +/* Find a connection corresponding to a tuple. */
152 +extern struct nf_conntrack_tuple_hash *
153 +nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple,
154 + const struct nf_conn *ignored_conntrack);
156 +extern int __nf_conntrack_confirm(struct sk_buff **pskb);
158 +/* Confirm a connection: returns NF_DROP if packet must be dropped. */
159 +static inline int nf_conntrack_confirm(struct sk_buff **pskb)
162 + && !is_confirmed((struct nf_conn *)(*pskb)->nfct))
163 + return __nf_conntrack_confirm(pskb);
167 +extern void __nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb);
169 +extern struct list_head *nf_conntrack_hash;
170 +extern struct list_head nf_conntrack_expect_list;
171 +DECLARE_RWLOCK_EXTERN(nf_conntrack_lock);
172 +#endif /* _NF_CONNTRACK_CORE_H */
173 diff -uNr include.orig/linux/netfilter/nf_conntrack_ftp.h usr/include/linux/netfilter/nf_conntrack_ftp.h
174 --- include.orig/linux/netfilter/nf_conntrack_ftp.h 1970-01-01 01:00:00.000000000 +0100
175 +++ usr/include/linux/netfilter/nf_conntrack_ftp.h 2005-08-02 20:02:17.700248760 +0200
178 + * nf_conntrack_ftp.h
180 + * Definitions and Declarations for FTP tracking.
182 + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_ftp.h
184 + * 16 Dec 2003: Yasuyuki Kozakai @ USAGI <yasuyuki.kozakai@toshiba.co.jp>
188 +#ifndef _NF_CONNTRACK_FTP_H
189 +#define _NF_CONNTRACK_FTP_H
194 +#include <linux/netfilter_ipv4/lockhelp.h>
196 +/* Protects ftp part of conntracks */
197 +DECLARE_LOCK_EXTERN(ip_ftp_lock);
201 +#endif /* __KERNEL__ */
205 + /* PORT command from client */
207 + /* PASV response from server */
209 + /* EPRT command from client */
211 + /* EPSV response from server */
215 +#define NUM_SEQ_TO_REMEMBER 2
216 +/* This structure exists only once per master */
217 +struct nf_ct_ftp_master {
218 + /* Valid seq positions for cmd matching after newline */
219 + u_int32_t seq_aft_nl[NF_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
220 + /* 0 means seq_match_aft_nl not set */
221 + int seq_aft_nl_num[NF_CT_DIR_MAX];
224 +struct nf_conntrack_expect;
226 +/* For NAT to hook in when we find a packet which describes what other
227 + * connection we should expect. */
228 +extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
229 + enum nf_conntrack_info ctinfo,
230 + enum nf_ct_ftp_type type,
231 + unsigned int matchoff,
232 + unsigned int matchlen,
233 + struct nf_conntrack_expect *exp,
235 +#endif /* _NF_CONNTRACK_FTP_H */
236 diff -uNr include.orig/linux/netfilter/nf_conntrack.h usr/include/linux/netfilter/nf_conntrack.h
237 --- include.orig/linux/netfilter/nf_conntrack.h 1970-01-01 01:00:00.000000000 +0100
238 +++ usr/include/linux/netfilter/nf_conntrack.h 2005-08-02 20:02:17.708247544 +0200
241 + * Connection state tracking for netfilter. This is separated from,
242 + * but required by, the (future) NAT layer; it can also be used by an iptables
245 + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
246 + * - generalize L3 protocol dependent part.
248 + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack.h
251 +#ifndef _NF_CONNTRACK_H
252 +#define _NF_CONNTRACK_H
254 +enum nf_conntrack_info
256 + /* Part of an established connection (either direction). */
259 + /* Like NEW, but related to an existing connection, or ICMP error
260 + (in either direction). */
263 + /* Started a new connection to track (only
264 + NF_CT_DIR_ORIGINAL); may be a retransmission. */
267 + /* >= this indicates reply direction */
270 + /* Number of distinct NF_CT types (no NEW in reply dirn). */
271 + NF_CT_NUMBER = NF_CT_IS_REPLY * 2 - 1
274 +/* Bitset representing status of connection. */
275 +enum nf_conntrack_status {
276 + /* It's an expected connection: bit 0 set. This bit never changed */
277 + NF_S_EXPECTED_BIT = 0,
278 + NF_S_EXPECTED = (1 << NF_S_EXPECTED_BIT),
280 + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
281 + NF_S_SEEN_REPLY_BIT = 1,
282 + NF_S_SEEN_REPLY = (1 << NF_S_SEEN_REPLY_BIT),
284 + /* Conntrack should never be early-expired. */
285 + NF_S_ASSURED_BIT = 2,
286 + NF_S_ASSURED = (1 << NF_S_ASSURED_BIT),
288 + /* Connection is confirmed: originating packet has left box */
289 + NF_S_CONFIRMED_BIT = 3,
290 + NF_S_CONFIRMED = (1 << NF_S_CONFIRMED_BIT),
294 +#include <linux/config.h>
295 +#include <linux/netfilter/nf_conntrack_tuple.h>
296 +#include <linux/bitops.h>
297 +#include <linux/compiler.h>
298 +#include <asm/atomic.h>
300 +#include <linux/netfilter/nf_conntrack_tcp.h>
301 +#include <linux/netfilter/ipv4/nf_conntrack_icmp.h>
302 +#include <linux/netfilter/ipv6/nf_conntrack_icmpv6.h>
303 +#include <linux/netfilter/nf_conntrack_sctp.h>
305 +/* per conntrack: protocol private data */
306 +union nf_conntrack_proto {
307 + /* insert conntrack proto private data here */
308 + struct nf_ct_sctp sctp;
309 + struct nf_ct_tcp tcp;
310 + struct nf_ct_icmp icmp;
311 + struct nf_ct_icmpv6 icmpv6;
314 +union nf_conntrack_expect_proto {
315 + /* insert expect proto private data here */
318 +/* Add protocol helper include file here */
319 +#include <linux/netfilter/nf_conntrack_ftp.h>
321 +/* per conntrack: application helper private data */
322 +union nf_conntrack_help {
323 + /* insert conntrack helper private data (master) here */
324 + struct nf_ct_ftp_master ct_ftp_info;
327 +#include <linux/types.h>
328 +#include <linux/skbuff.h>
330 +#ifdef CONFIG_NETFILTER_DEBUG
331 +#define NF_CT_ASSERT(x) \
334 + /* Wooah! I'm tripping my conntrack in a frenzy of \
336 + printk("NF_CT_ASSERT: %s:%i(%s)\n", \
337 + __FILE__, __LINE__, __FUNCTION__); \
340 +#define NF_CT_ASSERT(x)
343 +struct nf_conntrack_counter
349 +struct nf_conntrack_helper;
351 +#include <linux/netfilter/ipv4/nf_conntrack_ipv4.h>
354 + /* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
355 + plus 1 for any connection(s) we are `master' for */
356 + struct nf_conntrack ct_general;
358 + /* XXX should I move this to the tail ? - Y.K */
359 + /* These are my tuples; original and reply */
360 + struct nf_conntrack_tuple_hash tuplehash[NF_CT_DIR_MAX];
362 + /* Have we seen traffic both ways yet? (bitset) */
363 + unsigned long status;
365 + /* Timer function; drops refcnt when it goes off. */
366 + struct timer_list timeout;
368 +#ifdef CONFIG_NF_CT_ACCT
369 + /* Accounting Information (same cache line as other written members) */
370 + struct nf_conntrack_counter counters[NF_CT_DIR_MAX];
372 + /* If we were expected by an expectation, this will be it */
373 + struct nf_conn *master;
375 + /* Current number of expected connections */
376 + unsigned int expecting;
378 + /* Helper. if any */
379 + struct nf_conntrack_helper *helper;
381 + /* features - nat, helper, ... used by allocating system */
382 + u_int32_t features;
384 + /* Storage reserved for other modules: */
386 + union nf_conntrack_proto proto;
388 +#if defined(CONFIG_NF_CONNTRACK_MARK)
389 + unsigned long mark;
392 + /* These members are dynamically allocated. */
394 + union nf_conntrack_help *help;
396 + /* Layer 3 dependent members. (ex: NAT) */
398 + struct nf_conntrack_ipv4 *ipv4;
403 +struct nf_conntrack_expect
405 + /* Internal linked list (global expectation list) */
406 + struct list_head list;
408 + /* We expect this tuple, with the following mask */
409 + struct nf_conntrack_tuple tuple, mask;
411 + /* Function to call after setup and insertion */
412 + void (*expectfn)(struct nf_conn *new,
413 + struct nf_conntrack_expect *this);
415 + /* The conntrack of the master connection */
416 + struct nf_conn *master;
418 + /* Timer function; deletes the expectation. */
419 + struct timer_list timeout;
421 +#ifdef CONFIG_NF_NAT_NEEDED
422 + /* This is the original per-proto part, used to map the
423 + * expected connection the way the recipient expects. */
424 + union nf_conntrack_manip_proto saved_proto;
425 + /* Direction relative to the master connection. */
426 + enum nf_conntrack_dir dir;
430 +static inline struct nf_conn *
431 +tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
433 + return container_of(hash, struct nf_conn,
434 + tuplehash[hash->tuple.dst.dir]);
437 +/* get master conntrack via master expectation */
438 +#define master_ct(conntr) (conntr->master)
440 +/* Alter reply tuple (maybe alter helper). */
442 +nf_conntrack_alter_reply(struct nf_conn *conntrack,
443 + const struct nf_conntrack_tuple *newreply);
445 +/* Is this tuple taken? (ignoring any belonging to the given
448 +nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
449 + const struct nf_conn *ignored_conntrack);
451 +/* Return conntrack_info and tuple hash for given skb. */
452 +static inline struct nf_conn *
453 +nf_ct_get(struct sk_buff *skb, enum nf_conntrack_info *ctinfo)
455 + *ctinfo = skb->nfctinfo;
456 + return (struct nf_conn *)skb->nfct;
459 +/* decrement reference count on a conntrack */
460 +extern void nf_ct_put(struct nf_conn *ct);
462 +/* call to create an explicit dependency on nf_conntrack. */
463 +extern void need_nf_conntrack(void);
465 +extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
466 + const struct nf_conntrack_tuple *orig);
468 +/* Refresh conntrack for this many jiffies */
469 +extern void nf_ct_refresh_acct(struct nf_conn *ct,
470 + enum nf_conntrack_info ctinfo,
471 + const struct sk_buff *skb,
472 + unsigned long extra_jiffies);
474 +/* These are for NAT. Icky. */
475 +/* Call me when a conntrack is destroyed. */
476 +extern void (*nf_conntrack_destroyed)(struct nf_conn *conntrack);
478 +/* Fake conntrack entry for untracked connections */
479 +extern struct nf_conn nf_conntrack_untracked;
481 +extern int nf_ct_no_defrag;
483 +/* Iterate over all conntracks: if iter returns true, it's deleted. */
485 +nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data);
487 +/* It's confirmed if it is, or has been in the hash table. */
488 +static inline int is_confirmed(struct nf_conn *ct)
490 + return test_bit(NF_S_CONFIRMED_BIT, &ct->status);
493 +extern unsigned int nf_conntrack_htable_size;
495 +struct nf_conntrack_stat
497 + unsigned int searched;
498 + unsigned int found;
500 + unsigned int invalid;
501 + unsigned int ignore;
502 + unsigned int delete;
503 + unsigned int delete_list;
504 + unsigned int insert;
505 + unsigned int insert_failed;
507 + unsigned int early_drop;
508 + unsigned int error;
509 + unsigned int expect_new;
510 + unsigned int expect_create;
511 + unsigned int expect_delete;
514 +#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++)
516 +/* eg. PROVIDES_CONNTRACK(ftp); */
517 +#define PROVIDES_CONNTRACK(name) \
518 + int needs_nf_conntrack_##name; \
519 + EXPORT_SYMBOL(needs_nf_conntrack_##name)
521 +/*. eg. NEEDS_CONNTRACK(ftp); */
522 +#define NEEDS_CONNTRACK(name) \
523 + extern int needs_nf_conntrack_##name; \
524 + static int *need_nf_conntrack_##name __attribute_used__ = &needs_nf_conntrack_##name
526 +/* no helper, no nat */
527 +#define NF_CT_F_BASIC 0
529 +#define NF_CT_F_HELP 1
531 +#define NF_CT_F_NAT 2
532 +#define NF_CT_F_NUM 4
535 +nf_conntrack_register_cache(u_int32_t features, const char *name, size_t size,
536 + int (*init_conntrack)(struct nf_conn *, u_int32_t));
538 +nf_conntrack_unregister_cache(u_int32_t features);
540 +#endif /* __KERNEL__ */
541 +#endif /* _NF_CONNTRACK_H */
542 diff -uNr include.orig/linux/netfilter/nf_conntrack_helper.h usr/include/linux/netfilter/nf_conntrack_helper.h
543 --- include.orig/linux/netfilter/nf_conntrack_helper.h 1970-01-01 01:00:00.000000000 +0100
544 +++ usr/include/linux/netfilter/nf_conntrack_helper.h 2005-08-02 20:02:17.706247848 +0200
547 + * connection tracking helpers.
549 + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
550 + * - generalize L3 protocol dependent part.
552 + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_helper.h
555 +#ifndef _NF_CONNTRACK_HELPER_H
556 +#define _NF_CONNTRACK_HELPER_H
557 +#include <linux/netfilter/nf_conntrack.h>
561 +struct nf_conntrack_helper
563 + struct list_head list; /* Internal use. */
565 + const char *name; /* name of the module */
566 + struct module *me; /* pointer to self */
567 + unsigned int max_expected; /* Maximum number of concurrent
568 + * expected connections */
569 + unsigned int timeout; /* timeout for expecteds */
571 + /* Mask of things we will help (compared against server response) */
572 + struct nf_conntrack_tuple tuple;
573 + struct nf_conntrack_tuple mask;
575 + /* Function to call when data passes; return verdict, or -1 to
577 + int (*help)(struct sk_buff **pskb,
578 + unsigned int protoff,
579 + struct nf_conn *ct,
580 + enum nf_conntrack_info conntrackinfo);
583 +extern int nf_conntrack_helper_register(struct nf_conntrack_helper *);
584 +extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *);
586 +/* Allocate space for an expectation: this is mandatory before calling
587 + nf_conntrack_expect_related. */
588 +extern struct nf_conntrack_expect *nf_conntrack_expect_alloc(void);
589 +extern void nf_conntrack_expect_free(struct nf_conntrack_expect *exp);
591 +/* Add an expected connection: can have more than one per connection */
592 +extern int nf_conntrack_expect_related(struct nf_conntrack_expect *exp);
593 +extern void nf_conntrack_unexpect_related(struct nf_conntrack_expect *exp);
595 +#endif /*_NF_CONNTRACK_HELPER_H*/
596 diff -uNr include.orig/linux/netfilter/nf_conntrack_l3proto.h usr/include/linux/netfilter/nf_conntrack_l3proto.h
597 --- include.orig/linux/netfilter/nf_conntrack_l3proto.h 1970-01-01 01:00:00.000000000 +0100
598 +++ usr/include/linux/netfilter/nf_conntrack_l3proto.h 2005-08-02 20:02:17.713246784 +0200
601 + * Copyright (C)2003,2004 USAGI/WIDE Project
603 + * Header for use in defining a given L3 protocol for connection tracking.
606 + * Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
608 + * Derived from usr/include/netfilter_ipv4/ip_conntrack_protocol.h
611 +#ifndef _NF_CONNTRACK_L3PROTO_H
612 +#define _NF_CONNTRACK_L3PROTO_H
613 +#include <linux/seq_file.h>
614 +#include <linux/netfilter/nf_conntrack.h>
616 +struct nf_conntrack_l3proto
618 + /* Next pointer. */
619 + struct list_head list;
621 + /* L3 Protocol Family number. ex) PF_INET */
624 + /* Protocol name */
628 + * Try to fill in the third arg: nhoff is offset of l3 proto
629 + * hdr. Return true if possible.
631 + int (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int nhoff,
632 + struct nf_conntrack_tuple *tuple);
635 + * Invert the per-proto part of the tuple: ie. turn xmit into reply.
636 + * Some packets can't be inverted: return 0 in that case.
638 + int (*invert_tuple)(struct nf_conntrack_tuple *inverse,
639 + const struct nf_conntrack_tuple *orig);
641 + /* Print out the per-protocol part of the tuple. */
642 + int (*print_tuple)(struct seq_file *s,
643 + const struct nf_conntrack_tuple *);
645 + /* Print out the private part of the conntrack. */
646 + int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
648 + /* Returns verdict for packet, or -1 for invalid. */
649 + int (*packet)(struct nf_conn *conntrack,
650 + const struct sk_buff *skb,
651 + enum nf_conntrack_info ctinfo);
654 + * Called when a new connection for this protocol found;
655 + * returns TRUE if it's OK. If so, packet() called next.
657 + int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb);
659 + /* Called when a conntrack entry is destroyed */
660 + void (*destroy)(struct nf_conn *conntrack);
663 + * Called before tracking.
664 + * *dataoff: offset of protocol header (TCP, UDP,...) in *pskb
665 + * *protonum: protocol number
667 + int (*prepare)(struct sk_buff **pskb, unsigned int hooknum,
668 + unsigned int *dataoff, u_int8_t *protonum, int *ret);
670 + u_int32_t (*get_features)(const struct nf_conntrack_tuple *tuple);
672 + /* Module (if any) which this is connected to. */
676 +extern struct nf_conntrack_l3proto *nf_ct_l3protos[AF_MAX];
678 +/* Protocol registration. */
679 +extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto);
680 +extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto);
682 +static inline struct nf_conntrack_l3proto *
683 +nf_ct_find_l3proto(u_int16_t l3proto)
685 + return nf_ct_l3protos[l3proto];
688 +/* Existing built-in protocols */
689 +extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4;
690 +extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6;
691 +extern struct nf_conntrack_l3proto nf_conntrack_generic_l3proto;
692 +#endif /*_NF_CONNTRACK_L3PROTO_H*/
693 diff -uNr include.orig/linux/netfilter/nf_conntrack_protocol.h usr/include/linux/netfilter/nf_conntrack_protocol.h
694 --- include.orig/linux/netfilter/nf_conntrack_protocol.h 1970-01-01 01:00:00.000000000 +0100
695 +++ usr/include/linux/netfilter/nf_conntrack_protocol.h 2005-08-02 20:02:17.710247240 +0200
698 + * Header for use in defining a given protocol for connection tracking.
700 + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
701 + * - generalized L3 protocol dependent part.
703 + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_protcol.h
706 +#ifndef _NF_CONNTRACK_PROTOCOL_H
707 +#define _NF_CONNTRACK_PROTOCOL_H
708 +#include <linux/netfilter/nf_conntrack.h>
712 +struct nf_conntrack_protocol
714 + /* Next pointer. */
715 + struct list_head list;
717 + /* L3 Protocol number. */
720 + /* Protocol number. */
723 + /* Protocol name */
726 + /* Try to fill in the third arg: dataoff is offset past network protocol
727 + hdr. Return true if possible. */
728 + int (*pkt_to_tuple)(const struct sk_buff *skb,
729 + unsigned int dataoff,
730 + struct nf_conntrack_tuple *tuple);
732 + /* Invert the per-proto part of the tuple: ie. turn xmit into reply.
733 + * Some packets can't be inverted: return 0 in that case.
735 + int (*invert_tuple)(struct nf_conntrack_tuple *inverse,
736 + const struct nf_conntrack_tuple *orig);
738 + /* Print out the per-protocol part of the tuple. Return like seq_* */
739 + int (*print_tuple)(struct seq_file *s,
740 + const struct nf_conntrack_tuple *);
742 + /* Print out the private part of the conntrack. */
743 + int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
745 + /* Returns verdict for packet, or -1 for invalid. */
746 + int (*packet)(struct nf_conn *conntrack,
747 + const struct sk_buff *skb,
748 + unsigned int dataoff,
749 + enum nf_conntrack_info ctinfo,
751 + unsigned int hooknum);
753 + /* Called when a new connection for this protocol found;
754 + * returns TRUE if it's OK. If so, packet() called next. */
755 + int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb,
756 + unsigned int dataoff);
758 + /* Called when a conntrack entry is destroyed */
759 + void (*destroy)(struct nf_conn *conntrack);
761 + int (*error)(struct sk_buff *skb, unsigned int dataoff,
762 + enum nf_conntrack_info *ctinfo,
763 + int pf, unsigned int hooknum);
765 + /* Module (if any) which this is connected to. */
769 +/* Existing built-in protocols */
770 +extern struct nf_conntrack_protocol nf_conntrack_protocol_tcp6;
771 +extern struct nf_conntrack_protocol nf_conntrack_protocol_udp4;
772 +extern struct nf_conntrack_protocol nf_conntrack_protocol_udp6;
773 +extern struct nf_conntrack_protocol nf_conntrack_generic_protocol;
775 +#define MAX_NF_CT_PROTO 256
776 +extern struct nf_conntrack_protocol **nf_ct_protos[PF_MAX];
778 +extern struct nf_conntrack_protocol *
779 +nf_ct_find_proto(u_int16_t l3proto, u_int8_t protocol);
781 +/* Protocol registration. */
782 +extern int nf_conntrack_protocol_register(struct nf_conntrack_protocol *proto);
783 +extern void nf_conntrack_protocol_unregister(struct nf_conntrack_protocol *proto);
785 +/* Log invalid packets */
786 +extern unsigned int nf_ct_log_invalid;
788 +#ifdef CONFIG_SYSCTL
789 +#ifdef DEBUG_INVALID_PACKETS
790 +#define LOG_INVALID(proto) \
791 + (nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW)
793 +#define LOG_INVALID(proto) \
794 + ((nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW) \
795 + && net_ratelimit())
798 +#define LOG_INVALID(proto) 0
799 +#endif /* CONFIG_SYSCTL */
801 +#endif /*_NF_CONNTRACK_PROTOCOL_H*/
802 diff -uNr include.orig/linux/netfilter/nf_conntrack_sctp.h usr/include/linux/netfilter/nf_conntrack_sctp.h
803 --- include.orig/linux/netfilter/nf_conntrack_sctp.h 1970-01-01 01:00:00.000000000 +0100
804 +++ usr/include/linux/netfilter/nf_conntrack_sctp.h 2005-08-02 20:02:17.701248608 +0200
809 + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_tcp.h
812 +#ifndef _NF_CONNTRACK_SCTP_H
813 +#define _NF_CONNTRACK_SCTP_H
815 +enum sctp_conntrack {
816 + SCTP_CONNTRACK_NONE,
817 + SCTP_CONNTRACK_CLOSED,
818 + SCTP_CONNTRACK_COOKIE_WAIT,
819 + SCTP_CONNTRACK_COOKIE_ECHOED,
820 + SCTP_CONNTRACK_ESTABLISHED,
821 + SCTP_CONNTRACK_SHUTDOWN_SENT,
822 + SCTP_CONNTRACK_SHUTDOWN_RECD,
823 + SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
829 + enum sctp_conntrack state;
831 + u_int32_t vtag[NF_CT_DIR_MAX];
832 + u_int32_t ttag[NF_CT_DIR_MAX];
835 +#endif /* _NF_CONNTRACK_SCTP_H */
836 diff -uNr include.orig/linux/netfilter/nf_conntrack_tcp.h usr/include/linux/netfilter/nf_conntrack_tcp.h
837 --- include.orig/linux/netfilter/nf_conntrack_tcp.h 1970-01-01 01:00:00.000000000 +0100
838 +++ usr/include/linux/netfilter/nf_conntrack_tcp.h 2005-08-02 20:02:17.681251648 +0200
843 + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_tcp.h
846 +#ifndef _NF_CONNTRACK_TCP_H
847 +#define _NF_CONNTRACK_TCP_H
849 +enum tcp_conntrack {
850 + TCP_CONNTRACK_NONE,
851 + TCP_CONNTRACK_SYN_SENT,
852 + TCP_CONNTRACK_SYN_RECV,
853 + TCP_CONNTRACK_ESTABLISHED,
854 + TCP_CONNTRACK_FIN_WAIT,
855 + TCP_CONNTRACK_CLOSE_WAIT,
856 + TCP_CONNTRACK_LAST_ACK,
857 + TCP_CONNTRACK_TIME_WAIT,
858 + TCP_CONNTRACK_CLOSE,
859 + TCP_CONNTRACK_LISTEN,
861 + TCP_CONNTRACK_IGNORE
864 +/* Window scaling is advertised by the sender */
865 +#define NF_CT_TCP_FLAG_WINDOW_SCALE 0x01
867 +/* SACK is permitted by the sender */
868 +#define NF_CT_TCP_FLAG_SACK_PERM 0x02
870 +struct nf_ct_tcp_state {
871 + u_int32_t td_end; /* max of seq + len */
872 + u_int32_t td_maxend; /* max of ack + max(win, 1) */
873 + u_int32_t td_maxwin; /* max(win) */
874 + u_int8_t td_scale; /* window scale factor */
875 + u_int8_t loose; /* used when connection picked up from the middle */
876 + u_int8_t flags; /* per direction state flags */
881 + struct nf_ct_tcp_state seen[2]; /* connection parameters per direction */
882 + u_int8_t state; /* state of the connection (enum tcp_conntrack) */
883 + /* For detecting stale connections */
884 + u_int8_t last_dir; /* Direction of the last packet (enum nf_conntrack_dir) */
885 + u_int8_t retrans; /* Number of retransmitted packets */
886 + u_int8_t last_index; /* Index of the last packet */
887 + u_int32_t last_seq; /* Last sequence number seen in dir */
888 + u_int32_t last_ack; /* Last sequence number seen in opposite dir */
889 + u_int32_t last_end; /* Last seq + len */
892 +/* Need this, since this file is included before the nf_conn definition
893 + * in nf_conntrack.h */
896 +/* Update TCP window tracking data when NAT mangles the packet */
897 +extern void nf_conntrack_tcp_update(struct sk_buff *skb,
898 + unsigned int dataoff,
899 + struct nf_conn *conntrack,
902 +#endif /* _NF_CONNTRACK_TCP_H */
903 diff -uNr include.orig/linux/netfilter/nf_conntrack_tuple.h usr/include/linux/netfilter/nf_conntrack_tuple.h
904 --- include.orig/linux/netfilter/nf_conntrack_tuple.h 1970-01-01 01:00:00.000000000 +0100
905 +++ usr/include/linux/netfilter/nf_conntrack_tuple.h 2005-08-02 20:02:17.704248152 +0200
908 + * Definitions and Declarations for tuple.
910 + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
911 + * - generalize L3 protocol dependent part.
913 + * Derived from usr/include/linux/netfiter_ipv4/ip_conntrack_tuple.h
916 +#ifndef _NF_CONNTRACK_TUPLE_H
917 +#define _NF_CONNTRACK_TUPLE_H
919 +/* A `tuple' is a structure containing the information to uniquely
920 + identify a connection. ie. if two packets have the same tuple, they
921 + are in the same connection; if not, they are not.
923 + We divide the structure along "manipulatable" and
924 + "non-manipulatable" lines, for the benefit of the NAT code.
927 +#define NF_CT_TUPLE_L3SIZE 4
929 +/* The l3 protocol-specific manipulable parts of the tuple: always in
931 +union nf_conntrack_man_l3proto {
932 + u_int32_t all[NF_CT_TUPLE_L3SIZE];
937 +/* The protocol-specific manipulable parts of the tuple: always in
939 +union nf_conntrack_man_proto
941 + /* Add other protocols here. */
958 +/* The manipulable part of the tuple. */
959 +struct nf_conntrack_man
961 + union nf_conntrack_man_l3proto u3;
962 + union nf_conntrack_man_proto u;
963 + /* Layer 3 protocol */
967 +/* This contains the information to distinguish a connection. */
968 +struct nf_conntrack_tuple
970 + struct nf_conntrack_man src;
972 + /* These are the parts of the tuple which are fixed. */
975 + u_int32_t all[NF_CT_TUPLE_L3SIZE];
980 + /* Add other protocols here. */
990 + u_int8_t type, code;
997 + /* The protocol. */
1000 + /* The direction (for tuplehash) */
1005 +/* This is optimized opposed to a memset of the whole structure. Everything we
1006 + * really care about is the source/destination unions */
1007 +#define NF_CT_TUPLE_U_BLANK(tuple) \
1009 + (tuple)->src.u.all = 0; \
1010 + (tuple)->dst.u.all = 0; \
1011 + memset((tuple)->src.u3.all, 0, \
1012 + sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \
1013 + memset((tuple)->dst.u3.all, 0, \
1014 + sizeof(u_int32_t)*NF_CT_TUPLE_L3SIZE); \
1017 +enum nf_conntrack_dir
1019 + NF_CT_DIR_ORIGINAL,
1026 +#define NF_CT_DUMP_TUPLE(tp) \
1027 +DEBUGP("tuple %p: %u %u %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu -> %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu\n", \
1028 + (tp), (tp)->src.l3num, (tp)->dst.protonum, \
1029 + NIP6(*(struct in6_addr *)(tp)->src.u3.all), ntohs((tp)->src.u.all), \
1030 + NIP6(*(struct in6_addr *)(tp)->dst.u3.all), ntohs((tp)->dst.u.all))
1032 +#define NFCTINFO2DIR(ctinfo) ((ctinfo) >= NF_CT_IS_REPLY ? NF_CT_DIR_REPLY : NF_CT_DIR_ORIGINAL)
1034 +/* If we're the first tuple, it's the original dir. */
1035 +#define NF_CT_DIRECTION(h) \
1036 + ((enum nf_conntrack_dir)(h)->tuple.dst.dir)
1038 +/* Connections have two entries in the hash table: one for each way */
1039 +struct nf_conntrack_tuple_hash
1041 + struct list_head list;
1043 + struct nf_conntrack_tuple tuple;
1046 +#endif /* __KERNEL__ */
1048 +static inline int nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
1049 + const struct nf_conntrack_tuple *t2)
1051 + return (t1->src.u3.all[0] == t2->src.u3.all[0] &&
1052 + t1->src.u3.all[1] == t2->src.u3.all[1] &&
1053 + t1->src.u3.all[2] == t2->src.u3.all[2] &&
1054 + t1->src.u3.all[3] == t2->src.u3.all[3] &&
1055 + t1->src.u.all == t2->src.u.all &&
1056 + t1->src.l3num == t2->src.l3num &&
1057 + t1->dst.protonum == t2->dst.protonum);
1060 +static inline int nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
1061 + const struct nf_conntrack_tuple *t2)
1063 + return (t1->dst.u3.all[0] == t2->dst.u3.all[0] &&
1064 + t1->dst.u3.all[1] == t2->dst.u3.all[1] &&
1065 + t1->dst.u3.all[2] == t2->dst.u3.all[2] &&
1066 + t1->dst.u3.all[3] == t2->dst.u3.all[3] &&
1067 + t1->dst.u.all == t2->dst.u.all &&
1068 + t1->src.l3num == t2->src.l3num &&
1069 + t1->dst.protonum == t2->dst.protonum);
1072 +static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
1073 + const struct nf_conntrack_tuple *t2)
1075 + return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);
1078 +static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
1079 + const struct nf_conntrack_tuple *tuple,
1080 + const struct nf_conntrack_tuple *mask)
1084 + for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
1085 + if ((ntohs(t->src.u3.all[count]) ^
1086 + ntohs(tuple->src.u3.all[count])) &
1087 + ntohs(mask->src.u3.all[count]))
1091 + for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
1092 + if ((ntohs(t->dst.u3.all[count]) ^
1093 + ntohs(tuple->dst.u3.all[count])) &
1094 + ntohs(mask->dst.u3.all[count]))
1098 + if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all ||
1099 + (t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all ||
1100 + (t->src.l3num ^ tuple->src.l3num) & mask->src.l3num ||
1101 + (t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum)
1107 +#endif /* _NF_CONNTRACK_TUPLE_H */
1108 diff -uNr include.orig/linux/netfilter/nfnetlink.h usr/include/linux/netfilter/nfnetlink.h
1109 --- include.orig/linux/netfilter/nfnetlink.h 1970-01-01 01:00:00.000000000 +0100
1110 +++ usr/include/linux/netfilter/nfnetlink.h 2005-08-02 20:02:17.715246480 +0200
1112 +#ifndef _NFNETLINK_H
1113 +#define _NFNETLINK_H
1114 +#include <linux/types.h>
1116 +/* nfnetlink groups: Up to 32 maximum */
1117 +#define NF_NETLINK_CONNTRACK_NEW 0x00000001
1118 +#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002
1119 +#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004
1120 +#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
1121 +#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
1122 +#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
1124 +/* Generic structure for encapsulation optional netfilter information.
1125 + * It is reminiscent of sockaddr, but with sa_family replaced
1126 + * with attribute type.
1127 + * ! This should someday be put somewhere generic as now rtnetlink and
1128 + * ! nfnetlink use the same attributes methods. - J. Schulist.
1133 + u_int16_t nfa_len __attribute__ ((packed));
1134 + u_int16_t nfa_type __attribute__ ((packed));
1137 +/* FIXME: Shamelessly copy and pasted from rtnetlink.h, it's time
1138 + * to put this in a generic file */
1140 +#define NFA_ALIGNTO 4
1141 +#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
1142 +#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
1143 + && (nfa)->nfa_len <= (len))
1144 +#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
1145 + (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
1146 +#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len))
1147 +#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
1148 +#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
1149 +#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
1150 +#define NFA_NEST(skb, type) \
1151 +({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \
1152 + NFA_PUT(skb, type, 0, NULL); \
1154 +#define NFA_NEST_END(skb, start) \
1155 +({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \
1157 +#define NFA_NEST_CANCEL(skb, start) \
1159 + skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
1162 +/* General form of address family dependent message.
1165 + u_int8_t nfgen_family __attribute__ ((packed)); /* AF_xxx */
1166 + u_int8_t version __attribute__ ((packed)); /* nfnetlink version */
1167 + u_int16_t res_id __attribute__ ((packed)); /* resource id */
1170 +#define NFNETLINK_V1 1
1172 +#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \
1173 + + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
1174 +#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
1176 +/* netfilter netlink message types are split in two pieces:
1177 + * 8 bit subsystem, 8bit operation.
1180 +#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8)
1181 +#define NFNL_MSG_TYPE(x) (x & 0x00ff)
1183 +enum nfnl_subsys_id {
1184 + NFNL_SUBSYS_NONE = 0,
1185 + NFNL_SUBSYS_CTNETLINK,
1186 + NFNL_SUBSYS_CTNETLINK_EXP,
1187 + NFNL_SUBSYS_IPTNETLINK,
1188 + NFNL_SUBSYS_QUEUE,
1190 + NFNL_SUBSYS_COUNT,
1195 +#include <linux/capability.h>
1197 +struct nfnl_callback
1199 + kernel_cap_t cap_required; /* capabilities required for this msg */
1200 + int (*call)(struct sock *nl, struct sk_buff *skb,
1201 + struct nlmsghdr *nlh, struct nfattr *cda[], int *errp);
1204 +struct nfnetlink_subsystem
1207 + __u8 subsys_id; /* nfnetlink subsystem ID */
1208 + __u8 cb_count; /* number of callbacks */
1209 + u_int32_t attr_count; /* number of nfattr's */
1210 + struct nfnl_callback *cb; /* callback for individual types */
1213 +extern void __nfa_fill(struct sk_buff *skb, int attrtype,
1214 + int attrlen, const void *data);
1215 +#define NFA_PUT(skb, attrtype, attrlen, data) \
1216 +({ if (skb_tailroom(skb) < (int)NFA_SPACE(attrlen)) goto nfattr_failure; \
1217 + __nfa_fill(skb, attrtype, attrlen, data); })
1219 +extern struct semaphore nfnl_sem;
1221 +#define nfnl_shlock() down(&nfnl_sem)
1222 +#define nfnl_shlock_nowait() down_trylock(&nfnl_sem)
1224 +#define nfnl_shunlock() do { up(&nfnl_sem); \
1225 + if(nfnl && nfnl->sk_receive_queue.qlen) \
1226 + nfnl->sk_data_ready(nfnl, 0); \
1229 +extern void nfnl_lock(void);
1230 +extern void nfnl_unlock(void);
1232 +extern int nfnetlink_subsys_register(struct nfnetlink_subsystem *n);
1233 +extern int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n);
1235 +extern int nfattr_parse(struct nfattr *tb[], int maxattr,
1236 + struct nfattr *nfa, int len);
1238 +#define nfattr_parse_nested(tb, max, nfa) \
1239 + nfattr_parse((tb), (max), NFA_DATA((nfa)), NFA_PAYLOAD((nfa)))
1241 +#define nfattr_bad_size(tb, max, cta_min) \
1242 +({ int __i, __res = 0; \
1243 + for (__i=0; __i<max; __i++) \
1244 + if (tb[__i] && NFA_PAYLOAD(tb[__i]) < cta_min[__i]){ \
1251 +extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group,
1253 +extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags);
1255 +#endif /* __KERNEL__ */
1256 +#endif /* _NFNETLINK_H */
1257 diff -uNr include.orig/linux/netfilter.h usr/include/linux/netfilter.h
1258 --- include.orig/linux/netfilter.h 2005-07-06 02:17:21.000000000 +0200
1259 +++ usr/include/linux/netfilter.h 2005-08-02 20:02:17.658255144 +0200
1261 #define NF_MAX_VERDICT NF_STOP
1263 /* Generic cache responses from hook functions.
1264 - <= 0x2000 is used for protocol-flags. */
1265 + <= 0x2000 is reserved for conntrack event cache. */
1266 #define NFC_UNKNOWN 0x4000
1267 #define NFC_ALTERED 0x8000
1269 diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_core.h usr/include/linux/netfilter_ipv4/ip_conntrack_core.h
1270 --- include.orig/linux/netfilter_ipv4/ip_conntrack_core.h 2005-03-13 21:53:55.000000000 +0100
1271 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-08-02 20:02:17.749241312 +0200
1273 ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
1274 const struct ip_conntrack *ignored_conntrack);
1276 +struct ip_conntrack_tuple_hash *
1277 +__ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
1278 + const struct ip_conntrack *ignored_conntrack);
1280 +struct ip_conntrack_expect *
1281 +__ip_conntrack_exp_find(const struct ip_conntrack_tuple *tuple);
1283 extern int __ip_conntrack_confirm(struct sk_buff **pskb);
1285 /* Confirm a connection: returns NF_DROP if packet must be dropped. */
1286 static inline int ip_conntrack_confirm(struct sk_buff **pskb)
1288 + int ret = NF_ACCEPT;
1291 && !is_confirmed((struct ip_conntrack *)(*pskb)->nfct))
1292 - return __ip_conntrack_confirm(pskb);
1294 + ret = __ip_conntrack_confirm(pskb);
1295 + ip_conntrack_deliver_cached_events(*pskb);
1300 extern struct list_head *ip_conntrack_hash;
1301 diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack.h usr/include/linux/netfilter_ipv4/ip_conntrack.h
1302 --- include.orig/linux/netfilter_ipv4/ip_conntrack.h 2005-03-13 21:53:55.000000000 +0100
1303 +++ usr/include/linux/netfilter_ipv4/ip_conntrack.h 2005-08-02 20:05:38.525718648 +0200
1307 IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
1309 + /* Connection is destroyed (removed from lists), can not be unset. */
1310 + IPS_DESTROYED_BIT = 9,
1311 + IPS_DESTROYED = (1 << IPS_DESTROYED_BIT),
1314 +/* Connection tracking event bits */
1315 +enum ip_conntrack_events
1317 + /* New conntrack */
1319 + IPCT_NEW = (1 << IPCT_NEW_BIT),
1321 + /* Expected connection */
1322 + IPCT_RELATED_BIT = 1,
1323 + IPCT_RELATED = (1 << IPCT_RELATED_BIT),
1325 + /* Destroyed conntrack */
1326 + IPCT_DESTROY_BIT = 2,
1327 + IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
1329 + /* Timer has been refreshed */
1330 + IPCT_REFRESH_BIT = 3,
1331 + IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
1333 + /* Status has changed */
1334 + IPCT_STATUS_BIT = 4,
1335 + IPCT_STATUS = (1 << IPCT_STATUS_BIT),
1337 + /* Update of protocol info */
1338 + IPCT_PROTOINFO_BIT = 5,
1339 + IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
1341 + /* Volatile protocol info */
1342 + IPCT_PROTOINFO_VOLATILE_BIT = 6,
1343 + IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
1345 + /* New helper for conntrack */
1346 + IPCT_HELPER_BIT = 7,
1347 + IPCT_HELPER = (1 << IPCT_HELPER_BIT),
1349 + /* Update of helper info */
1350 + IPCT_HELPINFO_BIT = 8,
1351 + IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
1353 + /* Volatile helper info */
1354 + IPCT_HELPINFO_VOLATILE_BIT = 9,
1355 + IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
1358 + IPCT_NATINFO_BIT = 10,
1359 + IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
1362 +enum ip_conntrack_expect_events {
1363 + IPEXP_NEW_BIT = 0,
1364 + IPEXP_NEW = (1 << IPEXP_NEW_BIT),
1367 #endif /* _IP_CONNTRACK_H */
1368 diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h usr/include/linux/netfilter_ipv4/ip_conntrack_h323.h
1369 --- include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h 1970-01-01 01:00:00.000000000 +0100
1370 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_h323.h 2005-08-02 20:02:17.725244960 +0200
1372 +#ifndef _IP_CONNTRACK_H323_H
1373 +#define _IP_CONNTRACK_H323_H
1374 +/* H.323 connection tracking. */
1378 +/* Default H.225 port */
1379 +#define H225_PORT 1720
1381 +struct ip_conntrack_expect;
1382 +struct ip_conntrack;
1383 +struct ip_conntrack_helper;
1385 +extern int (*ip_nat_h245_hook)(struct sk_buff **pskb,
1386 + enum ip_conntrack_info ctinfo,
1387 + unsigned int offset,
1388 + struct ip_conntrack_expect *exp);
1390 +extern int (*ip_nat_h225_hook)(struct sk_buff **pskb,
1391 + enum ip_conntrack_info ctinfo,
1392 + unsigned int offset,
1393 + struct ip_conntrack_expect *exp);
1395 +extern void (*ip_nat_h225_signal_hook)(struct sk_buff **pskb,
1396 + struct ip_conntrack *ct,
1397 + enum ip_conntrack_info ctinfo,
1398 + unsigned int offset,
1402 +extern struct ip_conntrack_helper ip_conntrack_helper_h225;
1404 +void ip_conntrack_h245_expect(struct ip_conntrack *new,
1405 + struct ip_conntrack_expect *this);
1407 +#endif /* __KERNEL__ */
1409 +#endif /* _IP_CONNTRACK_H323_H */
1410 diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h usr/include/linux/netfilter_ipv4/ip_conntrack_mms.h
1411 --- include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h 1970-01-01 01:00:00.000000000 +0100
1412 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_mms.h 2005-08-02 20:02:17.774237512 +0200
1414 +#ifndef _IP_CONNTRACK_MMS_H
1415 +#define _IP_CONNTRACK_MMS_H
1416 +/* MMS tracking. */
1420 +extern spinlock_t ip_mms_lock;
1422 +#define MMS_PORT 1755
1423 +#define MMS_SRV_MSG_ID 196610
1425 +#define MMS_SRV_MSG_OFFSET 36
1426 +#define MMS_SRV_UNICODE_STRING_OFFSET 60
1427 +#define MMS_SRV_CHUNKLENLV_OFFSET 16
1428 +#define MMS_SRV_CHUNKLENLM_OFFSET 32
1429 +#define MMS_SRV_MESSAGELENGTH_OFFSET 8
1431 +/* This structure is per expected connection */
1432 +struct ip_ct_mms_expect {
1435 + u_int32_t padding;
1439 +/* This structure exists only once per master */
1440 +struct ip_ct_mms_master {
1443 +struct ip_conntrack_expect;
1444 +extern unsigned int (*ip_nat_mms_hook)(struct sk_buff **pskb,
1445 + enum ip_conntrack_info ctinfo,
1446 + const struct ip_ct_mms_expect *exp_mms_info,
1447 + struct ip_conntrack_expect *exp);
1449 +#endif /* _IP_CONNTRACK_MMS_H */
1450 diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h usr/include/linux/netfilter_ipv4/ip_conntrack_pptp.h
1451 --- include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h 1970-01-01 01:00:00.000000000 +0100
1452 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 2005-08-02 20:02:17.800233560 +0200
1454 +/* PPTP constants and structs */
1455 +#ifndef _CONNTRACK_PPTP_H
1456 +#define _CONNTRACK_PPTP_H
1458 +/* state of the control session */
1459 +enum pptp_ctrlsess_state {
1460 + PPTP_SESSION_NONE, /* no session present */
1461 + PPTP_SESSION_ERROR, /* some session error */
1462 + PPTP_SESSION_STOPREQ, /* stop_sess request seen */
1463 + PPTP_SESSION_REQUESTED, /* start_sess request seen */
1464 + PPTP_SESSION_CONFIRMED, /* session established */
1467 +/* state of the call inside the control session */
1468 +enum pptp_ctrlcall_state {
1471 + PPTP_CALL_OUT_REQ,
1472 + PPTP_CALL_OUT_CONF,
1475 + PPTP_CALL_IN_CONF,
1476 + PPTP_CALL_CLEAR_REQ,
1480 +/* conntrack private data */
1481 +struct ip_ct_pptp_master {
1482 + enum pptp_ctrlsess_state sstate; /* session state */
1484 + /* everything below is going to be per-expectation in newnat,
1485 + * since there could be more than one call within one session */
1486 + enum pptp_ctrlcall_state cstate; /* call state */
1487 + u_int16_t pac_call_id; /* call id of PAC, host byte order */
1488 + u_int16_t pns_call_id; /* call id of PNS, host byte order */
1490 + /* in pre-2.6.11 this used to be per-expect. Now it is per-conntrack
1491 + * and therefore imposes a fixed limit on the number of maps */
1492 + struct ip_ct_gre_keymap *keymap_orig, *keymap_reply;
1495 +/* conntrack_expect private member */
1496 +struct ip_ct_pptp_expect {
1497 + enum pptp_ctrlcall_state cstate; /* call state */
1498 + u_int16_t pac_call_id; /* call id of PAC */
1499 + u_int16_t pns_call_id; /* call id of PNS */
1506 +#include <linux/netfilter_ipv4/lockhelp.h>
1507 +DECLARE_LOCK_EXTERN(ip_pptp_lock);
1509 +#define IP_CONNTR_PPTP PPTP_CONTROL_PORT
1511 +#define PPTP_CONTROL_PORT 1723
1513 +#define PPTP_PACKET_CONTROL 1
1514 +#define PPTP_PACKET_MGMT 2
1516 +#define PPTP_MAGIC_COOKIE 0x1a2b3c4d
1518 +struct pptp_pkt_hdr {
1519 + __u16 packetLength;
1521 + __u32 magicCookie;
1524 +/* PptpControlMessageType values */
1525 +#define PPTP_START_SESSION_REQUEST 1
1526 +#define PPTP_START_SESSION_REPLY 2
1527 +#define PPTP_STOP_SESSION_REQUEST 3
1528 +#define PPTP_STOP_SESSION_REPLY 4
1529 +#define PPTP_ECHO_REQUEST 5
1530 +#define PPTP_ECHO_REPLY 6
1531 +#define PPTP_OUT_CALL_REQUEST 7
1532 +#define PPTP_OUT_CALL_REPLY 8
1533 +#define PPTP_IN_CALL_REQUEST 9
1534 +#define PPTP_IN_CALL_REPLY 10
1535 +#define PPTP_IN_CALL_CONNECT 11
1536 +#define PPTP_CALL_CLEAR_REQUEST 12
1537 +#define PPTP_CALL_DISCONNECT_NOTIFY 13
1538 +#define PPTP_WAN_ERROR_NOTIFY 14
1539 +#define PPTP_SET_LINK_INFO 15
1541 +#define PPTP_MSG_MAX 15
1543 +/* PptpGeneralError values */
1544 +#define PPTP_ERROR_CODE_NONE 0
1545 +#define PPTP_NOT_CONNECTED 1
1546 +#define PPTP_BAD_FORMAT 2
1547 +#define PPTP_BAD_VALUE 3
1548 +#define PPTP_NO_RESOURCE 4
1549 +#define PPTP_BAD_CALLID 5
1550 +#define PPTP_REMOVE_DEVICE_ERROR 6
1552 +struct PptpControlHeader {
1553 + __u16 messageType;
1557 +/* FramingCapability Bitmap Values */
1558 +#define PPTP_FRAME_CAP_ASYNC 0x1
1559 +#define PPTP_FRAME_CAP_SYNC 0x2
1561 +/* BearerCapability Bitmap Values */
1562 +#define PPTP_BEARER_CAP_ANALOG 0x1
1563 +#define PPTP_BEARER_CAP_DIGITAL 0x2
1565 +struct PptpStartSessionRequest {
1566 + __u16 protocolVersion;
1569 + __u32 framingCapability;
1570 + __u32 bearerCapability;
1571 + __u16 maxChannels;
1572 + __u16 firmwareRevision;
1573 + __u8 hostName[64];
1574 + __u8 vendorString[64];
1577 +/* PptpStartSessionResultCode Values */
1578 +#define PPTP_START_OK 1
1579 +#define PPTP_START_GENERAL_ERROR 2
1580 +#define PPTP_START_ALREADY_CONNECTED 3
1581 +#define PPTP_START_NOT_AUTHORIZED 4
1582 +#define PPTP_START_UNKNOWN_PROTOCOL 5
1584 +struct PptpStartSessionReply {
1585 + __u16 protocolVersion;
1587 + __u8 generalErrorCode;
1588 + __u32 framingCapability;
1589 + __u32 bearerCapability;
1590 + __u16 maxChannels;
1591 + __u16 firmwareRevision;
1592 + __u8 hostName[64];
1593 + __u8 vendorString[64];
1596 +/* PptpStopReasons */
1597 +#define PPTP_STOP_NONE 1
1598 +#define PPTP_STOP_PROTOCOL 2
1599 +#define PPTP_STOP_LOCAL_SHUTDOWN 3
1601 +struct PptpStopSessionRequest {
1605 +/* PptpStopSessionResultCode */
1606 +#define PPTP_STOP_OK 1
1607 +#define PPTP_STOP_GENERAL_ERROR 2
1609 +struct PptpStopSessionReply {
1611 + __u8 generalErrorCode;
1614 +struct PptpEchoRequest {
1615 + __u32 identNumber;
1618 +/* PptpEchoReplyResultCode */
1619 +#define PPTP_ECHO_OK 1
1620 +#define PPTP_ECHO_GENERAL_ERROR 2
1622 +struct PptpEchoReply {
1623 + __u32 identNumber;
1625 + __u8 generalErrorCode;
1629 +/* PptpFramingType */
1630 +#define PPTP_ASYNC_FRAMING 1
1631 +#define PPTP_SYNC_FRAMING 2
1632 +#define PPTP_DONT_CARE_FRAMING 3
1634 +/* PptpCallBearerType */
1635 +#define PPTP_ANALOG_TYPE 1
1636 +#define PPTP_DIGITAL_TYPE 2
1637 +#define PPTP_DONT_CARE_BEARER_TYPE 3
1639 +struct PptpOutCallRequest {
1641 + __u16 callSerialNumber;
1645 + __u32 framingType;
1646 + __u16 packetWindow;
1647 + __u16 packetProcDelay;
1649 + __u16 phoneNumberLength;
1651 + __u8 phoneNumber[64];
1652 + __u8 subAddress[64];
1655 +/* PptpCallResultCode */
1656 +#define PPTP_OUTCALL_CONNECT 1
1657 +#define PPTP_OUTCALL_GENERAL_ERROR 2
1658 +#define PPTP_OUTCALL_NO_CARRIER 3
1659 +#define PPTP_OUTCALL_BUSY 4
1660 +#define PPTP_OUTCALL_NO_DIAL_TONE 5
1661 +#define PPTP_OUTCALL_TIMEOUT 6
1662 +#define PPTP_OUTCALL_DONT_ACCEPT 7
1664 +struct PptpOutCallReply {
1666 + __u16 peersCallID;
1668 + __u8 generalErrorCode;
1670 + __u32 connectSpeed;
1671 + __u16 packetWindow;
1672 + __u16 packetProcDelay;
1673 + __u32 physChannelID;
1676 +struct PptpInCallRequest {
1678 + __u16 callSerialNumber;
1679 + __u32 callBearerType;
1680 + __u32 physChannelID;
1681 + __u16 dialedNumberLength;
1682 + __u16 dialingNumberLength;
1683 + __u8 dialedNumber[64];
1684 + __u8 dialingNumber[64];
1685 + __u8 subAddress[64];
1688 +/* PptpInCallResultCode */
1689 +#define PPTP_INCALL_ACCEPT 1
1690 +#define PPTP_INCALL_GENERAL_ERROR 2
1691 +#define PPTP_INCALL_DONT_ACCEPT 3
1693 +struct PptpInCallReply {
1695 + __u16 peersCallID;
1697 + __u8 generalErrorCode;
1698 + __u16 packetWindow;
1699 + __u16 packetProcDelay;
1703 +struct PptpInCallConnected {
1704 + __u16 peersCallID;
1706 + __u32 connectSpeed;
1707 + __u16 packetWindow;
1708 + __u16 packetProcDelay;
1709 + __u32 callFramingType;
1712 +struct PptpClearCallRequest {
1717 +struct PptpCallDisconnectNotify {
1720 + __u8 generalErrorCode;
1723 + __u8 callStatistics[128];
1726 +struct PptpWanErrorNotify {
1727 + __u16 peersCallID;
1730 + __u32 framingErrors;
1731 + __u32 hardwareOverRuns;
1732 + __u32 bufferOverRuns;
1733 + __u32 timeoutErrors;
1734 + __u32 alignmentErrors;
1737 +struct PptpSetLinkInfo {
1738 + __u16 peersCallID;
1745 +struct pptp_priv_data {
1751 +union pptp_ctrl_union {
1752 + struct PptpStartSessionRequest sreq;
1753 + struct PptpStartSessionReply srep;
1754 + struct PptpStopSessionRequest streq;
1755 + struct PptpStopSessionReply strep;
1756 + struct PptpOutCallRequest ocreq;
1757 + struct PptpOutCallReply ocack;
1758 + struct PptpInCallRequest icreq;
1759 + struct PptpInCallReply icack;
1760 + struct PptpInCallConnected iccon;
1761 + struct PptpClearCallRequest clrreq;
1762 + struct PptpCallDisconnectNotify disc;
1763 + struct PptpWanErrorNotify wanerr;
1764 + struct PptpSetLinkInfo setlink;
1768 +(*ip_nat_pptp_hook_outbound)(struct sk_buff **pskb,
1769 + struct ip_conntrack *ct,
1770 + enum ip_conntrack_info ctinfo,
1771 + struct PptpControlHeader *ctlh,
1772 + union pptp_ctrl_union *pptpReq);
1775 +(*ip_nat_pptp_hook_inbound)(struct sk_buff **pskb,
1776 + struct ip_conntrack *ct,
1777 + enum ip_conntrack_info ctinfo,
1778 + struct PptpControlHeader *ctlh,
1779 + union pptp_ctrl_union *pptpReq);
1782 +(*ip_nat_pptp_hook_exp_gre)(struct ip_conntrack_expect *exp_orig,
1783 + struct ip_conntrack_expect *exp_reply);
1786 +(*ip_nat_pptp_hook_expectfn)(struct ip_conntrack *ct,
1787 + struct ip_conntrack_expect *exp);
1788 +#endif /* __KERNEL__ */
1789 +#endif /* _CONNTRACK_PPTP_H */
1790 diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h usr/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
1791 --- include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-03-13 21:53:55.000000000 +0100
1792 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-08-02 20:02:17.753240704 +0200
1795 /* Returns verdict for packet, or -1 for invalid. */
1796 int (*packet)(struct ip_conntrack *conntrack,
1797 - const struct sk_buff *skb,
1798 + struct sk_buff *skb,
1799 enum ip_conntrack_info ctinfo);
1801 /* Called when a new connection for this protocol found;
1802 diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h usr/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
1803 --- include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 1970-01-01 01:00:00.000000000 +0100
1804 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2005-08-02 20:02:17.718246024 +0200
1806 +#ifndef _CONNTRACK_PROTO_GRE_H
1807 +#define _CONNTRACK_PROTO_GRE_H
1808 +#include <asm/byteorder.h>
1810 +/* GRE PROTOCOL HEADER */
1812 +/* GRE Version field */
1813 +#define GRE_VERSION_1701 0x0
1814 +#define GRE_VERSION_PPTP 0x1
1816 +/* GRE Protocol field */
1817 +#define GRE_PROTOCOL_PPTP 0x880B
1820 +#define GRE_FLAG_C 0x80
1821 +#define GRE_FLAG_R 0x40
1822 +#define GRE_FLAG_K 0x20
1823 +#define GRE_FLAG_S 0x10
1824 +#define GRE_FLAG_A 0x80
1826 +#define GRE_IS_C(f) ((f)&GRE_FLAG_C)
1827 +#define GRE_IS_R(f) ((f)&GRE_FLAG_R)
1828 +#define GRE_IS_K(f) ((f)&GRE_FLAG_K)
1829 +#define GRE_IS_S(f) ((f)&GRE_FLAG_S)
1830 +#define GRE_IS_A(f) ((f)&GRE_FLAG_A)
1832 +/* GRE is a mess: Four different standards */
1834 +#if defined(__LITTLE_ENDIAN_BITFIELD)
1844 +#elif defined(__BIG_ENDIAN_BITFIELD)
1855 +#error "Adjust your <asm/byteorder.h> defines"
1860 +/* modified GRE header for PPTP */
1861 +struct gre_hdr_pptp {
1862 + __u8 flags; /* bitfield */
1863 + __u8 version; /* should be GRE_VERSION_PPTP */
1864 + __u16 protocol; /* should be GRE_PROTOCOL_PPTP */
1865 + __u16 payload_len; /* size of ppp payload, not inc. gre header */
1866 + __u16 call_id; /* peer's call_id for this session */
1867 + __u32 seq; /* sequence number. Present if S==1 */
1868 + __u32 ack; /* seq number of highest packet recieved by */
1869 + /* sender in this session */
1873 +/* this is part of ip_conntrack */
1875 + unsigned int stream_timeout;
1876 + unsigned int timeout;
1880 +struct ip_conntrack_expect;
1881 +struct ip_conntrack;
1883 +/* structure for original <-> reply keymap */
1884 +struct ip_ct_gre_keymap {
1885 + struct list_head list;
1887 + struct ip_conntrack_tuple tuple;
1890 +/* add new tuple->key_reply pair to keymap */
1891 +int ip_ct_gre_keymap_add(struct ip_conntrack *ct,
1892 + struct ip_conntrack_tuple *t,
1895 +/* delete keymap entries */
1896 +void ip_ct_gre_keymap_destroy(struct ip_conntrack *ct);
1899 +/* get pointer to gre key, if present */
1900 +static inline u_int32_t *gre_key(struct gre_hdr *greh)
1904 + if (greh->csum || greh->routing)
1905 + return (u_int32_t *) (greh+sizeof(*greh)+4);
1906 + return (u_int32_t *) (greh+sizeof(*greh));
1909 +/* get pointer ot gre csum, if present */
1910 +static inline u_int16_t *gre_csum(struct gre_hdr *greh)
1914 + return (u_int16_t *) (greh+sizeof(*greh));
1917 +#endif /* __KERNEL__ */
1919 +#endif /* _CONNTRACK_PROTO_GRE_H */
1920 diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h usr/include/linux/netfilter_ipv4/ip_conntrack_quake3.h
1921 --- include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h 1970-01-01 01:00:00.000000000 +0100
1922 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_quake3.h 2005-08-02 20:02:17.771237968 +0200
1924 +#ifndef _IP_CT_QUAKE3
1925 +#define _IP_CT_QUAKE3
1927 +/* Don't confuse with 27960, often used as the Server Port */
1928 +#define QUAKE3_MASTER_PORT 27950
1930 +struct quake3_search {
1931 + const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */
1932 + const char *pattern;
1936 +/* This structure is per expected connection */
1937 +struct ip_ct_quake3_expect {
1940 +/* This structure exists only once per master */
1941 +struct ip_ct_quake3_master {
1944 +extern unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
1945 +#endif /* _IP_CT_QUAKE3 */
1946 diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h usr/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
1947 --- include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-03-13 21:53:55.000000000 +0100
1948 +++ usr/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-08-02 20:02:17.807232496 +0200
1954 + u_int16_t key; /* key is 32bit, pptp onky uses 16 */
1958 /* The manipulable part of the tuple. */
1969 diff -uNr include.orig/linux/netfilter_ipv4/ip_nat_pptp.h usr/include/linux/netfilter_ipv4/ip_nat_pptp.h
1970 --- include.orig/linux/netfilter_ipv4/ip_nat_pptp.h 1970-01-01 01:00:00.000000000 +0100
1971 +++ usr/include/linux/netfilter_ipv4/ip_nat_pptp.h 2005-08-02 20:02:17.767238576 +0200
1973 +/* PPTP constants and structs */
1974 +#ifndef _NAT_PPTP_H
1975 +#define _NAT_PPTP_H
1977 +/* conntrack private data */
1978 +struct ip_nat_pptp {
1979 + u_int16_t pns_call_id; /* NAT'ed PNS call id */
1980 + u_int16_t pac_call_id; /* NAT'ed PAC call id */
1983 +#endif /* _NAT_PPTP_H */
1984 diff -uNr include.orig/linux/netfilter_ipv4/ip_queue.h usr/include/linux/netfilter_ipv4/ip_queue.h
1985 --- include.orig/linux/netfilter_ipv4/ip_queue.h 2004-10-31 20:56:03.000000000 +0100
1986 +++ usr/include/linux/netfilter_ipv4/ip_queue.h 2005-08-02 20:02:17.823230064 +0200
1988 unsigned char payload[0]; /* Optional replacement packet */
1989 } ipq_verdict_msg_t;
1991 +typedef struct ipq_vwmark_msg {
1992 + unsigned int value; /* Verdict to hand to netfilter */
1993 + unsigned long id; /* Packet ID for this verdict */
1994 + size_t data_len; /* Length of replacement data */
1995 + unsigned char payload[0]; /* Optional replacement packet */
1996 + unsigned long nfmark; /* Mark for the Packet */
1997 +} ipq_vwmark_msg_t;
2000 typedef struct ipq_peer_msg {
2002 ipq_verdict_msg_t verdict;
2003 ipq_mode_msg_t mode;
2004 + ipq_vwmark_msg_t vwmark;
2009 #define IPQM_MODE (IPQM_BASE + 1) /* Mode request from peer */
2010 #define IPQM_VERDICT (IPQM_BASE + 2) /* Verdict from peer */
2011 #define IPQM_PACKET (IPQM_BASE + 3) /* Packet from kernel */
2012 -#define IPQM_MAX (IPQM_BASE + 4)
2013 +#define IPQM_VWMARK (IPQM_BASE + 4) /* Verdict and mark from peer */
2014 +#define IPQM_MAX (IPQM_BASE + 5)
2016 #endif /*_IP_QUEUE_H*/
2017 diff -uNr include.orig/linux/netfilter_ipv4/ip_set.h usr/include/linux/netfilter_ipv4/ip_set.h
2018 --- include.orig/linux/netfilter_ipv4/ip_set.h 1970-01-01 01:00:00.000000000 +0100
2019 +++ usr/include/linux/netfilter_ipv4/ip_set.h 2005-08-02 20:02:17.828229304 +0200
2024 +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2025 + * Patrick Schaaf <bof@bof.de>
2026 + * Martin Josefsson <gandalf@wlug.westbo.se>
2027 + * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2029 + * This program is free software; you can redistribute it and/or modify
2030 + * it under the terms of the GNU General Public License version 2 as
2031 + * published by the Free Software Foundation.
2035 + * A sockopt of such quality has hardly ever been seen before on the open
2036 + * market! This little beauty, hardly ever used: above 64, so it's
2037 + * traditionally used for firewalling, not touched (even once!) by the
2038 + * 2.0, 2.2 and 2.4 kernels!
2040 + * Comes with its own certificate of authenticity, valid anywhere in the
2043 + * Rusty, 19.4.2000
2045 +#define SO_IP_SET 83
2048 + * Heavily modify by Joakim Axelsson 08.03.2002
2049 + * - Made it more modulebased
2051 + * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
2052 + * - bindings added
2053 + * - in order to "deal with" backward compatibility, renamed to ipset
2057 + * Used so that the kernel module and ipset-binary can match their versions
2059 +#define IP_SET_PROTOCOL_VERSION 2
2061 +#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */
2063 +/* Lets work with our own typedef for representing an IP address.
2064 + * We hope to make the code more portable, possibly to IPv6...
2066 + * The representation works in HOST byte order, because most set types
2067 + * will perform arithmetic operations and compare operations.
2069 + * For now the type is an uint32_t.
2071 + * Make sure to ONLY use the functions when translating and parsing
2072 + * in order to keep the host byte order and make it more portable:
2075 + * parse_ipandmask()
2077 + * (Joakim: where are they???)
2080 +typedef uint32_t ip_set_ip_t;
2082 +/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
2083 + * and IP_SET_INVALID_ID if you want to increase the max number of sets.
2085 +typedef uint16_t ip_set_id_t;
2087 +#define IP_SET_INVALID_ID 65535
2089 +/* How deep we follow bindings */
2090 +#define IP_SET_MAX_BINDINGS 6
2093 + * Option flags for kernel operations (ipt_set_info)
2095 +#define IPSET_SRC 0x01 /* Source match/add */
2096 +#define IPSET_DST 0x02 /* Destination match/add */
2097 +#define IPSET_MATCH_INV 0x04 /* Inverse matching */
2100 + * Set types (flavours)
2102 +#define IPSET_TYPE_IP 0 /* IP address type of set */
2103 +#define IPSET_TYPE_PORT 1 /* Port type of set */
2105 +/* Reserved keywords */
2106 +#define IPSET_TOKEN_DEFAULT ":default:"
2107 +#define IPSET_TOKEN_ALL ":all:"
2109 +/* SO_IP_SET operation constants, and their request struct types.
2112 + * 0-99: commands with version checking
2113 + * 100-199: add/del/test/bind/unbind
2114 + * 200-299: list, save, restore
2117 +/* Single shot operations:
2118 + * version, create, destroy, flush, rename and swap
2120 + * Sets are identified by name.
2123 +#define IP_SET_REQ_STD \
2125 + unsigned version; \
2126 + char name[IP_SET_MAXNAMELEN]
2128 +#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */
2129 +struct ip_set_req_create {
2131 + char typename[IP_SET_MAXNAMELEN];
2134 +#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */
2135 +struct ip_set_req_std {
2139 +#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */
2140 +/* Uses ip_set_req_std */
2142 +#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */
2143 +/* Uses ip_set_req_create */
2145 +#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */
2146 +/* Uses ip_set_req_create */
2148 +union ip_set_name_index {
2149 + char name[IP_SET_MAXNAMELEN];
2150 + ip_set_id_t index;
2153 +#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
2154 +struct ip_set_req_get_set {
2157 + union ip_set_name_index set;
2160 +#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
2161 +/* Uses ip_set_req_get_set */
2163 +#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
2164 +struct ip_set_req_version {
2169 +/* Double shots operations:
2170 + * add, del, test, bind and unbind.
2172 + * First we query the kernel to get the index and type of the target set,
2173 + * then issue the command. Validity of IP is checked in kernel in order
2174 + * to minimalize sockopt operations.
2177 +/* Get minimal set data for add/del/test/bind/unbind IP */
2178 +#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */
2179 +struct ip_set_req_adt_get {
2182 + union ip_set_name_index set;
2183 + char typename[IP_SET_MAXNAMELEN];
2186 +#define IP_SET_REQ_BYINDEX \
2188 + ip_set_id_t index;
2190 +struct ip_set_req_adt {
2191 + IP_SET_REQ_BYINDEX;
2194 +#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */
2195 +/* Uses ip_set_req_adt, with type specific addage */
2197 +#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */
2198 +/* Uses ip_set_req_adt, with type specific addage */
2200 +#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */
2201 +/* Uses ip_set_req_adt, with type specific addage */
2203 +#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */
2204 +/* Uses ip_set_req_bind, with type specific addage */
2205 +struct ip_set_req_bind {
2206 + IP_SET_REQ_BYINDEX;
2207 + char binding[IP_SET_MAXNAMELEN];
2210 +#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */
2211 +/* Uses ip_set_req_bind, with type speficic addage
2212 + * index = 0 means unbinding for all sets */
2214 +#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */
2215 +/* Uses ip_set_req_bind, with type specific addage */
2217 +/* Multiple shots operations: list, save, restore.
2219 + * - check kernel version and query the max number of sets
2220 + * - get the basic information on all sets
2221 + * and size required for the next step
2222 + * - get actual set data: header, data, bindings
2225 +/* Get max_sets and the index of a queried set
2227 +#define IP_SET_OP_MAX_SETS 0x00000020
2228 +struct ip_set_req_max_sets {
2231 + ip_set_id_t max_sets; /* max_sets */
2232 + ip_set_id_t sets; /* real number of sets */
2233 + union ip_set_name_index set; /* index of set if name used */
2236 +/* Get the id and name of the sets plus size for next step */
2237 +#define IP_SET_OP_LIST_SIZE 0x00000201
2238 +#define IP_SET_OP_SAVE_SIZE 0x00000202
2239 +struct ip_set_req_setnames {
2241 + ip_set_id_t index; /* set to list/save */
2242 + size_t size; /* size to get setdata/bindings */
2243 + /* followed by sets number of struct ip_set_name_list */
2246 +struct ip_set_name_list {
2247 + char name[IP_SET_MAXNAMELEN];
2248 + char typename[IP_SET_MAXNAMELEN];
2249 + ip_set_id_t index;
2253 +/* The actual list operation */
2254 +#define IP_SET_OP_LIST 0x00000203
2255 +struct ip_set_req_list {
2256 + IP_SET_REQ_BYINDEX;
2257 + /* sets number of struct ip_set_list in reply */
2260 +struct ip_set_list {
2261 + ip_set_id_t index;
2262 + ip_set_id_t binding;
2264 + size_t header_size; /* Set header data of header_size */
2265 + size_t members_size; /* Set members data of members_size */
2266 + size_t bindings_size; /* Set bindings data of bindings_size */
2269 +struct ip_set_hash_list {
2271 + ip_set_id_t binding;
2274 +/* The save operation */
2275 +#define IP_SET_OP_SAVE 0x00000204
2276 +/* Uses ip_set_req_list, in the reply replaced by
2277 + * sets number of struct ip_set_save plus a marker
2278 + * ip_set_save followed by ip_set_hash_save structures.
2280 +struct ip_set_save {
2281 + ip_set_id_t index;
2282 + ip_set_id_t binding;
2283 + size_t header_size; /* Set header data of header_size */
2284 + size_t members_size; /* Set members data of members_size */
2287 +/* At restoring, ip == 0 means default binding for the given set: */
2288 +struct ip_set_hash_save {
2291 + ip_set_id_t binding;
2294 +/* The restore operation */
2295 +#define IP_SET_OP_RESTORE 0x00000205
2296 +/* Uses ip_set_req_setnames followed by ip_set_restore structures
2297 + * plus a marker ip_set_restore, followed by ip_set_hash_save
2300 +struct ip_set_restore {
2301 + char name[IP_SET_MAXNAMELEN];
2302 + char typename[IP_SET_MAXNAMELEN];
2303 + ip_set_id_t index;
2304 + size_t header_size; /* Create data of header_size */
2305 + size_t members_size; /* Set members data of members_size */
2308 +static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
2310 + return 4 * ((((b - a + 8) / 8) + 3) / 4);
2315 +#define ip_set_printk(format, args...) \
2317 + printk("%s: %s: ", __FILE__, __FUNCTION__); \
2318 + printk(format "\n" , ## args); \
2321 +#if defined(IP_SET_DEBUG)
2322 +#define DP(format, args...) \
2324 + printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
2325 + printk(format "\n" , ## args); \
2327 +#define IP_SET_ASSERT(x) \
2330 + printk("IP_SET_ASSERT: %s:%i(%s)\n", \
2331 + __FILE__, __LINE__, __FUNCTION__); \
2334 +#define DP(format, args...)
2335 +#define IP_SET_ASSERT(x)
2341 + * The ip_set_type definition - one per set type, e.g. "ipmap".
2343 + * Each individual set has a pointer, set->type, going to one
2344 + * of these structures. Function pointers inside the structure implement
2345 + * the real behaviour of the sets.
2347 + * If not mentioned differently, the implementation behind the function
2348 + * pointers of a set_type, is expected to return 0 if ok, and a negative
2349 + * errno (e.g. -EINVAL) on error.
2351 +struct ip_set_type {
2352 + struct list_head list; /* next in list of set types */
2354 + /* test for IP in set (kernel: iptables -m set src|dst)
2355 + * return 0 if not in set, 1 if in set.
2357 + int (*testip_kernel) (struct ip_set *set,
2358 + const struct sk_buff * skb,
2362 + /* test for IP in set (userspace: ipset -T set IP)
2363 + * return 0 if not in set, 1 if in set.
2365 + int (*testip) (struct ip_set *set,
2366 + const void *data, size_t size,
2370 + * Size of the data structure passed by when
2371 + * adding/deletin/testing an entry.
2375 + /* Add IP into set (userspace: ipset -A set IP)
2376 + * Return -EEXIST if the address is already in the set,
2377 + * and -ERANGE if the address lies outside the set bounds.
2378 + * If the address was not already in the set, 0 is returned.
2380 + int (*addip) (struct ip_set *set,
2381 + const void *data, size_t size,
2384 + /* Add IP into set (kernel: iptables ... -j SET set src|dst)
2385 + * Return -EEXIST if the address is already in the set,
2386 + * and -ERANGE if the address lies outside the set bounds.
2387 + * If the address was not already in the set, 0 is returned.
2389 + int (*addip_kernel) (struct ip_set *set,
2390 + const struct sk_buff * skb,
2394 + /* remove IP from set (userspace: ipset -D set --entry x)
2395 + * Return -EEXIST if the address is NOT in the set,
2396 + * and -ERANGE if the address lies outside the set bounds.
2397 + * If the address really was in the set, 0 is returned.
2399 + int (*delip) (struct ip_set *set,
2400 + const void *data, size_t size,
2403 + /* remove IP from set (kernel: iptables ... -j SET --entry x)
2404 + * Return -EEXIST if the address is NOT in the set,
2405 + * and -ERANGE if the address lies outside the set bounds.
2406 + * If the address really was in the set, 0 is returned.
2408 + int (*delip_kernel) (struct ip_set *set,
2409 + const struct sk_buff * skb,
2413 + /* new set creation - allocated type specific items
2415 + int (*create) (struct ip_set *set,
2416 + const void *data, size_t size);
2418 + /* retry the operation after successfully tweaking the set
2420 + int (*retry) (struct ip_set *set);
2422 + /* set destruction - free type specific items
2423 + * There is no return value.
2424 + * Can be called only when child sets are destroyed.
2426 + void (*destroy) (struct ip_set *set);
2428 + /* set flushing - reset all bits in the set, or something similar.
2429 + * There is no return value.
2431 + void (*flush) (struct ip_set *set);
2433 + /* Listing: size needed for header
2435 + size_t header_size;
2437 + /* Listing: Get the header
2439 + * Fill in the information in "data".
2440 + * This function is always run after list_header_size() under a
2441 + * writelock on the set. Therefor is the length of "data" always
2444 + void (*list_header) (const struct ip_set *set,
2447 + /* Listing: Get the size for the set members
2449 + int (*list_members_size) (const struct ip_set *set);
2451 + /* Listing: Get the set members
2453 + * Fill in the information in "data".
2454 + * This function is always run after list_member_size() under a
2455 + * writelock on the set. Therefor is the length of "data" always
2458 + void (*list_members) (const struct ip_set *set,
2461 + char typename[IP_SET_MAXNAMELEN];
2463 + int protocol_version;
2465 + /* Set this to THIS_MODULE if you are a module, otherwise NULL */
2466 + struct module *me;
2469 +extern int ip_set_register_set_type(struct ip_set_type *set_type);
2470 +extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
2472 +/* A generic ipset */
2474 + char name[IP_SET_MAXNAMELEN]; /* the name of the set */
2475 + rwlock_t lock; /* lock for concurrency control */
2476 + ip_set_id_t id; /* set id for swapping */
2477 + ip_set_id_t binding; /* default binding for the set */
2478 + atomic_t ref; /* in kernel and in hash references */
2479 + struct ip_set_type *type; /* the set types */
2480 + void *data; /* pooltype specific data */
2483 +/* Structure to bind set elements to sets */
2484 +struct ip_set_hash {
2485 + struct list_head list; /* list of clashing entries in hash */
2486 + ip_set_ip_t ip; /* ip from set */
2487 + ip_set_id_t id; /* set id */
2488 + ip_set_id_t binding; /* set we bind the element to */
2491 +/* register and unregister set references */
2492 +extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
2493 +extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
2494 +extern void ip_set_put(ip_set_id_t id);
2496 +/* API for iptables set match, and SET target */
2497 +extern void ip_set_addip_kernel(ip_set_id_t id,
2498 + const struct sk_buff *skb,
2499 + const u_int32_t *flags);
2500 +extern void ip_set_delip_kernel(ip_set_id_t id,
2501 + const struct sk_buff *skb,
2502 + const u_int32_t *flags);
2503 +extern int ip_set_testip_kernel(ip_set_id_t id,
2504 + const struct sk_buff *skb,
2505 + const u_int32_t *flags);
2507 +#endif /* __KERNEL__ */
2509 +#endif /*_IP_SET_H*/
2510 diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iphash.h usr/include/linux/netfilter_ipv4/ip_set_iphash.h
2511 --- include.orig/linux/netfilter_ipv4/ip_set_iphash.h 1970-01-01 01:00:00.000000000 +0100
2512 +++ usr/include/linux/netfilter_ipv4/ip_set_iphash.h 2005-08-02 20:02:17.803233104 +0200
2514 +#ifndef __IP_SET_IPHASH_H
2515 +#define __IP_SET_IPHASH_H
2517 +#include <linux/netfilter_ipv4/ip_set.h>
2519 +#define SETTYPE_NAME "iphash"
2520 +#define MAX_RANGE 0x0000FFFF
2522 +struct ip_set_iphash {
2523 + ip_set_ip_t *members; /* the iphash proper */
2524 + uint32_t initval; /* initval for jhash_1word */
2525 + uint32_t prime; /* prime for double hashing */
2526 + uint32_t hashsize; /* hash size */
2527 + uint16_t probes; /* max number of probes */
2528 + uint16_t resize; /* resize factor in percent */
2529 + ip_set_ip_t netmask; /* netmask */
2532 +struct ip_set_req_iphash_create {
2533 + uint32_t hashsize;
2536 + ip_set_ip_t netmask;
2539 +struct ip_set_req_iphash {
2543 +#endif /* __IP_SET_IPHASH_H */
2544 diff -uNr include.orig/linux/netfilter_ipv4/ip_set_ipmap.h usr/include/linux/netfilter_ipv4/ip_set_ipmap.h
2545 --- include.orig/linux/netfilter_ipv4/ip_set_ipmap.h 1970-01-01 01:00:00.000000000 +0100
2546 +++ usr/include/linux/netfilter_ipv4/ip_set_ipmap.h 2005-08-02 20:02:17.763239184 +0200
2548 +#ifndef __IP_SET_IPMAP_H
2549 +#define __IP_SET_IPMAP_H
2551 +#include <linux/netfilter_ipv4/ip_set.h>
2553 +#define SETTYPE_NAME "ipmap"
2554 +#define MAX_RANGE 0x0000FFFF
2556 +struct ip_set_ipmap {
2557 + void *members; /* the ipmap proper */
2558 + ip_set_ip_t first_ip; /* host byte order, included in range */
2559 + ip_set_ip_t last_ip; /* host byte order, included in range */
2560 + ip_set_ip_t netmask; /* subnet netmask */
2561 + ip_set_ip_t sizeid; /* size of set in IPs */
2562 + u_int16_t hosts; /* number of hosts in a subnet */
2565 +struct ip_set_req_ipmap_create {
2568 + ip_set_ip_t netmask;
2571 +struct ip_set_req_ipmap {
2576 +mask_to_bits(ip_set_ip_t mask)
2578 + unsigned int bits = 32;
2579 + ip_set_ip_t maskaddr;
2581 + if (mask == 0xFFFFFFFF)
2584 + maskaddr = 0xFFFFFFFE;
2585 + while (--bits >= 0 && maskaddr != mask)
2592 +range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits)
2594 + ip_set_ip_t mask = 0xFFFFFFFE;
2597 + while (--(*bits) >= 0 && mask && (to & mask) != from)
2603 +#endif /* __IP_SET_IPMAP_H */
2604 diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iptree.h usr/include/linux/netfilter_ipv4/ip_set_iptree.h
2605 --- include.orig/linux/netfilter_ipv4/ip_set_iptree.h 1970-01-01 01:00:00.000000000 +0100
2606 +++ usr/include/linux/netfilter_ipv4/ip_set_iptree.h 2005-08-02 20:02:17.810232040 +0200
2608 +#ifndef __IP_SET_IPTREE_H
2609 +#define __IP_SET_IPTREE_H
2611 +#include <linux/netfilter_ipv4/ip_set.h>
2613 +#define SETTYPE_NAME "iptree"
2614 +#define MAX_RANGE 0x0000FFFF
2616 +struct ip_set_iptreed {
2617 + unsigned long expires[255]; /* x.x.x.ADDR */
2620 +struct ip_set_iptreec {
2621 + struct ip_set_iptreed *tree[255]; /* x.x.ADDR.* */
2624 +struct ip_set_iptreeb {
2625 + struct ip_set_iptreec *tree[255]; /* x.ADDR.*.* */
2628 +struct ip_set_iptree {
2629 + unsigned int timeout;
2630 + unsigned int gc_interval;
2632 + struct timer_list gc;
2633 + struct ip_set_iptreeb *tree[255]; /* ADDR.*.*.* */
2637 +struct ip_set_req_iptree_create {
2638 + unsigned int timeout;
2641 +struct ip_set_req_iptree {
2643 + unsigned int timeout;
2646 +#endif /* __IP_SET_IPTREE_H */
2647 diff -uNr include.orig/linux/netfilter_ipv4/ip_set_jhash.h usr/include/linux/netfilter_ipv4/ip_set_jhash.h
2648 --- include.orig/linux/netfilter_ipv4/ip_set_jhash.h 1970-01-01 01:00:00.000000000 +0100
2649 +++ usr/include/linux/netfilter_ipv4/ip_set_jhash.h 2005-08-02 20:02:17.758239944 +0200
2651 +#ifndef _LINUX_IPSET_JHASH_H
2652 +#define _LINUX_IPSET_JHASH_H
2654 +/* This is a copy of linux/jhash.h but the types u32/u8 are changed
2655 + * to __u32/__u8 so that the header file can be included into
2656 + * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
2659 +/* jhash.h: Jenkins hash support.
2661 + * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
2663 + * http://burtleburtle.net/bob/hash/
2665 + * These are the credits from Bob's sources:
2667 + * lookup2.c, by Bob Jenkins, December 1996, Public Domain.
2668 + * hash(), hash2(), hash3, and mix() are externally useful functions.
2669 + * Routines to test the hash are included if SELF_TEST is defined.
2670 + * You can use this free for any purpose. It has no warranty.
2672 + * Copyright (C) 2003 David S. Miller (davem@redhat.com)
2674 + * I've modified Bob's hash to be useful in the Linux kernel, and
2675 + * any bugs present are surely my fault. -DaveM
2678 +/* NOTE: Arguments are modified. */
2679 +#define __jhash_mix(a, b, c) \
2681 + a -= b; a -= c; a ^= (c>>13); \
2682 + b -= c; b -= a; b ^= (a<<8); \
2683 + c -= a; c -= b; c ^= (b>>13); \
2684 + a -= b; a -= c; a ^= (c>>12); \
2685 + b -= c; b -= a; b ^= (a<<16); \
2686 + c -= a; c -= b; c ^= (b>>5); \
2687 + a -= b; a -= c; a ^= (c>>3); \
2688 + b -= c; b -= a; b ^= (a<<10); \
2689 + c -= a; c -= b; c ^= (b>>15); \
2692 +/* The golden ration: an arbitrary value */
2693 +#define JHASH_GOLDEN_RATIO 0x9e3779b9
2695 +/* The most generic version, hashes an arbitrary sequence
2696 + * of bytes. No alignment or length assumptions are made about
2699 +static inline __u32 jhash(void *key, __u32 length, __u32 initval)
2701 + __u32 a, b, c, len;
2705 + a = b = JHASH_GOLDEN_RATIO;
2708 + while (len >= 12) {
2709 + a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24));
2710 + b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24));
2711 + c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24));
2713 + __jhash_mix(a,b,c);
2721 + case 11: c += ((__u32)k[10]<<24);
2722 + case 10: c += ((__u32)k[9]<<16);
2723 + case 9 : c += ((__u32)k[8]<<8);
2724 + case 8 : b += ((__u32)k[7]<<24);
2725 + case 7 : b += ((__u32)k[6]<<16);
2726 + case 6 : b += ((__u32)k[5]<<8);
2727 + case 5 : b += k[4];
2728 + case 4 : a += ((__u32)k[3]<<24);
2729 + case 3 : a += ((__u32)k[2]<<16);
2730 + case 2 : a += ((__u32)k[1]<<8);
2731 + case 1 : a += k[0];
2734 + __jhash_mix(a,b,c);
2739 +/* A special optimized version that handles 1 or more of __u32s.
2740 + * The length parameter here is the number of __u32s in the key.
2742 +static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval)
2744 + __u32 a, b, c, len;
2746 + a = b = JHASH_GOLDEN_RATIO;
2750 + while (len >= 3) {
2754 + __jhash_mix(a, b, c);
2761 + case 2 : b += k[1];
2762 + case 1 : a += k[0];
2765 + __jhash_mix(a,b,c);
2771 +/* A special ultra-optimized versions that knows they are hashing exactly
2772 + * 3, 2 or 1 word(s).
2774 + * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
2775 + * done at the end is not done here.
2777 +static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval)
2779 + a += JHASH_GOLDEN_RATIO;
2780 + b += JHASH_GOLDEN_RATIO;
2783 + __jhash_mix(a, b, c);
2788 +static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval)
2790 + return jhash_3words(a, b, 0, initval);
2793 +static inline __u32 jhash_1word(__u32 a, __u32 initval)
2795 + return jhash_3words(a, 0, 0, initval);
2798 +#endif /* _LINUX_IPSET_JHASH_H */
2799 diff -uNr include.orig/linux/netfilter_ipv4/ip_set_macipmap.h usr/include/linux/netfilter_ipv4/ip_set_macipmap.h
2800 --- include.orig/linux/netfilter_ipv4/ip_set_macipmap.h 1970-01-01 01:00:00.000000000 +0100
2801 +++ usr/include/linux/netfilter_ipv4/ip_set_macipmap.h 2005-08-02 20:02:17.776237208 +0200
2803 +#ifndef __IP_SET_MACIPMAP_H
2804 +#define __IP_SET_MACIPMAP_H
2806 +#include <linux/netfilter_ipv4/ip_set.h>
2808 +#define SETTYPE_NAME "macipmap"
2809 +#define MAX_RANGE 0x0000FFFF
2811 +/* general flags */
2812 +#define IPSET_MACIP_MATCHUNSET 1
2815 +#define IPSET_MACIP_ISSET 1
2817 +struct ip_set_macipmap {
2818 + void *members; /* the macipmap proper */
2819 + ip_set_ip_t first_ip; /* host byte order, included in range */
2820 + ip_set_ip_t last_ip; /* host byte order, included in range */
2824 +struct ip_set_req_macipmap_create {
2830 +struct ip_set_req_macipmap {
2832 + unsigned char ethernet[ETH_ALEN];
2835 +struct ip_set_macip {
2836 + unsigned short flags;
2837 + unsigned char ethernet[ETH_ALEN];
2840 +#endif /* __IP_SET_MACIPMAP_H */
2841 diff -uNr include.orig/linux/netfilter_ipv4/ip_set_malloc.h usr/include/linux/netfilter_ipv4/ip_set_malloc.h
2842 --- include.orig/linux/netfilter_ipv4/ip_set_malloc.h 1970-01-01 01:00:00.000000000 +0100
2843 +++ usr/include/linux/netfilter_ipv4/ip_set_malloc.h 2005-08-02 20:02:17.788235384 +0200
2845 +#ifndef _IP_SET_MALLOC_H
2846 +#define _IP_SET_MALLOC_H
2850 +/* Memory allocation and deallocation */
2851 +static size_t max_malloc_size = 0;
2853 +static inline void init_max_malloc_size(void)
2855 +#define CACHE(x) max_malloc_size = x;
2856 +#include <linux/kmalloc_sizes.h>
2860 +static inline void * ip_set_malloc(size_t bytes)
2862 + if (bytes > max_malloc_size)
2863 + return vmalloc(bytes);
2865 + return kmalloc(bytes, GFP_KERNEL);
2868 +static inline void ip_set_free(void * data, size_t bytes)
2870 + if (bytes > max_malloc_size)
2876 +#endif /* __KERNEL__ */
2878 +#endif /*_IP_SET_MALLOC_H*/
2879 diff -uNr include.orig/linux/netfilter_ipv4/ip_set_nethash.h usr/include/linux/netfilter_ipv4/ip_set_nethash.h
2880 --- include.orig/linux/netfilter_ipv4/ip_set_nethash.h 1970-01-01 01:00:00.000000000 +0100
2881 +++ usr/include/linux/netfilter_ipv4/ip_set_nethash.h 2005-08-02 20:02:17.755240400 +0200
2883 +#ifndef __IP_SET_NETHASH_H
2884 +#define __IP_SET_NETHASH_H
2886 +#include <linux/netfilter_ipv4/ip_set.h>
2888 +#define SETTYPE_NAME "nethash"
2889 +#define MAX_RANGE 0x0000FFFF
2891 +struct ip_set_nethash {
2892 + ip_set_ip_t *members; /* the nethash proper */
2893 + uint32_t initval; /* initval for jhash_1word */
2894 + uint32_t prime; /* prime for double hashing */
2895 + uint32_t hashsize; /* hash size */
2896 + uint16_t probes; /* max number of probes */
2897 + uint16_t resize; /* resize factor in percent */
2898 + unsigned char cidr[30]; /* CIDR sizes */
2901 +struct ip_set_req_nethash_create {
2902 + uint32_t hashsize;
2907 +struct ip_set_req_nethash {
2909 + unsigned char cidr;
2912 +static unsigned char shifts[] = {255, 253, 249, 241, 225, 193, 129, 1};
2914 +static inline ip_set_ip_t
2915 +pack(ip_set_ip_t ip, unsigned char cidr)
2917 + ip_set_ip_t addr, *paddr = &addr;
2918 + unsigned char n, t, *a;
2920 + addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr))));
2922 + DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr);
2926 + a = &((unsigned char *)paddr)[n];
2927 + *a = *a /(1 << (8 - t)) + shifts[t];
2929 + DP("n: %u, t: %u, a: %u", n, t, *a);
2930 + DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u",
2931 + HIPQUAD(ip), cidr, NIPQUAD(addr));
2934 + return ntohl(addr);
2937 +#endif /* __IP_SET_NETHASH_H */
2938 diff -uNr include.orig/linux/netfilter_ipv4/ip_set_portmap.h usr/include/linux/netfilter_ipv4/ip_set_portmap.h
2939 --- include.orig/linux/netfilter_ipv4/ip_set_portmap.h 1970-01-01 01:00:00.000000000 +0100
2940 +++ usr/include/linux/netfilter_ipv4/ip_set_portmap.h 2005-08-02 20:02:17.772237816 +0200
2942 +#ifndef __IP_SET_PORTMAP_H
2943 +#define __IP_SET_PORTMAP_H
2945 +#include <linux/netfilter_ipv4/ip_set.h>
2947 +#define SETTYPE_NAME "portmap"
2948 +#define MAX_RANGE 0x0000FFFF
2949 +#define INVALID_PORT (MAX_RANGE + 1)
2951 +struct ip_set_portmap {
2952 + void *members; /* the portmap proper */
2953 + ip_set_ip_t first_port; /* host byte order, included in range */
2954 + ip_set_ip_t last_port; /* host byte order, included in range */
2957 +struct ip_set_req_portmap_create {
2962 +struct ip_set_req_portmap {
2966 +#endif /* __IP_SET_PORTMAP_H */
2967 diff -uNr include.orig/linux/netfilter_ipv4/ip_set_prime.h usr/include/linux/netfilter_ipv4/ip_set_prime.h
2968 --- include.orig/linux/netfilter_ipv4/ip_set_prime.h 1970-01-01 01:00:00.000000000 +0100
2969 +++ usr/include/linux/netfilter_ipv4/ip_set_prime.h 2005-08-02 20:02:17.825229760 +0200
2971 +#ifndef __IP_SET_PRIME_H
2972 +#define __IP_SET_PRIME_H
2974 +static inline unsigned make_prime_bound(unsigned nr)
2976 + unsigned long long nr64 = nr;
2977 + unsigned long long x = 1;
2979 + while (x <= nr64) { x <<= 2; nr <<= 1; }
2983 +static inline int make_prime_check(unsigned nr)
2986 + unsigned b = make_prime_bound(nr);
2988 + if (0 == (nr % x)) return 0;
2994 +static unsigned make_prime(unsigned nr)
2996 + if (0 == (nr & 1)) nr--;
2998 + if (make_prime_check(nr)) return nr;
3004 +#endif /* __IP_SET_PRIME_H */
3005 diff -uNr include.orig/linux/netfilter_ipv4/ip_tables.h usr/include/linux/netfilter_ipv4/ip_tables.h
3006 --- include.orig/linux/netfilter_ipv4/ip_tables.h 2005-07-06 02:17:20.000000000 +0200
3007 +++ usr/include/linux/netfilter_ipv4/ip_tables.h 2005-08-02 20:02:17.815231280 +0200
3010 /* Values for "flag" field in struct ipt_ip (general ip structure). */
3011 #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
3012 -#define IPT_F_MASK 0x01 /* All possible flag bits mask. */
3013 +#define IPT_F_GOTO 0x02 /* Set if jump is a goto */
3014 +#define IPT_F_MASK 0x03 /* All possible flag bits mask. */
3016 /* Values for "inv" field in struct ipt_ip. */
3017 #define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
3018 @@ -148,12 +149,23 @@
3019 #define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
3020 #define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS
3022 +#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (IPT_BASE_CTL + 3)
3023 +#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (IPT_BASE_CTL + 4)
3024 +#define IPT_SO_SET_ACCOUNT_MAX IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL
3026 #define IPT_SO_GET_INFO (IPT_BASE_CTL)
3027 #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
3028 #define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
3029 #define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
3030 #define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
3032 +#define IPT_SO_GET_ACCOUNT_PREPARE_READ (IPT_BASE_CTL + 3)
3033 +#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (IPT_BASE_CTL + 4)
3034 +#define IPT_SO_GET_ACCOUNT_GET_DATA (IPT_BASE_CTL + 5)
3035 +#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (IPT_BASE_CTL + 6)
3036 +#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (IPT_BASE_CTL + 7)
3037 +#define IPT_SO_GET_ACCOUNT_MAX IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
3039 /* CONTINUE verdict for targets */
3040 #define IPT_CONTINUE 0xFFFFFFFF
3042 diff -uNr include.orig/linux/netfilter_ipv4/ipt_account.h usr/include/linux/netfilter_ipv4/ipt_account.h
3043 --- include.orig/linux/netfilter_ipv4/ipt_account.h 1970-01-01 01:00:00.000000000 +0100
3044 +++ usr/include/linux/netfilter_ipv4/ipt_account.h 2005-08-02 20:02:17.786235688 +0200
3047 + * accounting match (ipt_account.c)
3048 + * (C) 2003,2004 by Piotr Gasidlo (quaker@barbara.eu.org)
3052 + * This software is distributed under the terms of GNU GPL
3055 +#ifndef _IPT_ACCOUNT_H_
3056 +#define _IPT_ACCOUNT_H_
3058 +#define IPT_ACCOUNT_NAME_LEN 64
3060 +#define IPT_ACCOUNT_NAME "ipt_account"
3061 +#define IPT_ACCOUNT_VERSION "0.1.7"
3063 +struct t_ipt_account_info {
3064 + char name[IPT_ACCOUNT_NAME_LEN];
3065 + u_int32_t network;
3066 + u_int32_t netmask;
3067 + int shortlisting:1;
3072 diff -uNr include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h usr/include/linux/netfilter_ipv4/ipt_ACCOUNT.h
3073 --- include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h 1970-01-01 01:00:00.000000000 +0100
3074 +++ usr/include/linux/netfilter_ipv4/ipt_ACCOUNT.h 2005-08-02 20:02:17.817230976 +0200
3076 +/***************************************************************************
3077 + * Copyright (C) 2004 by Intra2net AG *
3078 + * opensource@intra2net.com *
3080 + * This program is free software; you can redistribute it and/or modify *
3081 + * it under the terms of the GNU General Public License *
3082 + * version 2 as published by the Free Software Foundation; *
3084 + ***************************************************************************/
3086 +#ifndef _IPT_ACCOUNT_H
3087 +#define _IPT_ACCOUNT_H
3089 +#define ACCOUNT_MAX_TABLES 32
3090 +#define ACCOUNT_TABLE_NAME_LEN 32
3091 +#define ACCOUNT_MAX_HANDLES 10
3093 +/* Structure for the userspace part of ipt_ACCOUNT */
3094 +struct ipt_acc_info {
3096 + u_int32_t net_mask;
3097 + char table_name[ACCOUNT_TABLE_NAME_LEN];
3101 +/* Internal table structure, generated by check_entry() */
3102 +struct ipt_acc_table {
3103 + char name[ACCOUNT_TABLE_NAME_LEN]; /* name of the table */
3104 + u_int32_t ip; /* base IP of network */
3105 + u_int32_t netmask; /* netmask of the network */
3106 + unsigned char depth; /* size of network:
3107 + 0: 8 bit, 1: 16bit, 2: 24 bit */
3108 + u_int32_t refcount; /* refcount of this table.
3109 + if zero, destroy it */
3110 + u_int32_t itemcount; /* number of IPs in this table */
3111 + void *data; /* pointer to the actual data,
3112 + depending on netmask */
3115 +/* Internal handle structure */
3116 +struct ipt_acc_handle {
3117 + u_int32_t ip; /* base IP of network. Used for
3118 + caculating the final IP during
3120 + unsigned char depth; /* size of network. See above for
3122 + u_int32_t itemcount; /* number of IPs in this table */
3123 + void *data; /* pointer to the actual data,
3124 + depending on size */
3127 +/* Handle structure for communication with the userspace library */
3128 +struct ipt_acc_handle_sockopt {
3129 + u_int32_t handle_nr; /* Used for HANDLE_FREE */
3130 + char name[ACCOUNT_TABLE_NAME_LEN]; /* Used for HANDLE_PREPARE_READ/
3131 + HANDLE_READ_FLUSH */
3132 + u_int32_t itemcount; /* Used for HANDLE_PREPARE_READ/
3133 + HANDLE_READ_FLUSH */
3136 +/* Used for every IP entry
3137 + Size is 16 bytes so that 256 (class C network) * 16
3138 + fits in one kernel (zero) page */
3139 +struct ipt_acc_ip {
3140 + u_int32_t src_packets;
3141 + u_int32_t src_bytes;
3142 + u_int32_t dst_packets;
3143 + u_int32_t dst_bytes;
3147 + Used for every IP when returning data
3149 +struct ipt_acc_handle_ip {
3151 + u_int32_t src_packets;
3152 + u_int32_t src_bytes;
3153 + u_int32_t dst_packets;
3154 + u_int32_t dst_bytes;
3158 + The IPs are organized as an array so that direct slot
3159 + calculations are possible.
3160 + Only 8 bit networks are preallocated, 16/24 bit networks
3161 + allocate their slots when needed -> very efficent.
3163 +struct ipt_acc_mask_24 {
3164 + struct ipt_acc_ip ip[256];
3167 +struct ipt_acc_mask_16 {
3168 + struct ipt_acc_mask_24 *mask_24[256];
3171 +struct ipt_acc_mask_8 {
3172 + struct ipt_acc_mask_16 *mask_16[256];
3175 +#endif /*_IPT_ACCOUNT_H*/
3176 diff -uNr include.orig/linux/netfilter_ipv4/ipt_addrtype.h usr/include/linux/netfilter_ipv4/ipt_addrtype.h
3177 --- include.orig/linux/netfilter_ipv4/ipt_addrtype.h 2004-10-31 20:56:02.000000000 +0100
3178 +++ usr/include/linux/netfilter_ipv4/ipt_addrtype.h 2005-08-02 20:02:17.751241008 +0200
3180 struct ipt_addrtype_info {
3181 u_int16_t source; /* source-type mask */
3182 u_int16_t dest; /* dest-type mask */
3183 - u_int32_t invert_source;
3184 - u_int32_t invert_dest;
3185 + int invert_source;
3190 diff -uNr include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h usr/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
3191 --- include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-01-08 15:03:55.000000000 +0100
3192 +++ usr/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-08-02 20:02:17.832228696 +0200
3195 #define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT
3197 -#define CLUSTERIP_MAX_NODES 16
3198 +#define CLUSTERIP_MAX_NODES 8
3200 #define CLUSTERIP_FLAG_NEW 0x00000001
3202 diff -uNr include.orig/linux/netfilter_ipv4/ipt_connlimit.h usr/include/linux/netfilter_ipv4/ipt_connlimit.h
3203 --- include.orig/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
3204 +++ usr/include/linux/netfilter_ipv4/ipt_connlimit.h 2005-08-02 20:02:17.723245264 +0200
3206 +#ifndef _IPT_CONNLIMIT_H
3207 +#define _IPT_CONNLIMIT_H
3209 +struct ipt_connlimit_data;
3211 +struct ipt_connlimit_info {
3215 + struct ipt_connlimit_data *data;
3217 +#endif /* _IPT_CONNLIMIT_H */
3218 diff -uNr include.orig/linux/netfilter_ipv4/ipt_fuzzy.h usr/include/linux/netfilter_ipv4/ipt_fuzzy.h
3219 --- include.orig/linux/netfilter_ipv4/ipt_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
3220 +++ usr/include/linux/netfilter_ipv4/ipt_fuzzy.h 2005-08-02 20:02:17.781236448 +0200
3222 +#ifndef _IPT_FUZZY_H
3223 +#define _IPT_FUZZY_H
3225 +#include <linux/param.h>
3226 +#include <linux/types.h>
3228 +#define MAXFUZZYRATE 10000000
3229 +#define MINFUZZYRATE 3
3231 +struct ipt_fuzzy_info {
3232 + u_int32_t minimum_rate;
3233 + u_int32_t maximum_rate;
3234 + u_int32_t packets_total;
3235 + u_int32_t bytes_total;
3236 + u_int32_t previous_time;
3237 + u_int32_t present_time;
3238 + u_int32_t mean_rate;
3239 + u_int8_t acceptance_rate;
3242 +#endif /*_IPT_FUZZY_H*/
3243 diff -uNr include.orig/linux/netfilter_ipv4/ipt_geoip.h usr/include/linux/netfilter_ipv4/ipt_geoip.h
3244 --- include.orig/linux/netfilter_ipv4/ipt_geoip.h 1970-01-01 01:00:00.000000000 +0100
3245 +++ usr/include/linux/netfilter_ipv4/ipt_geoip.h 2005-08-02 20:02:17.769238272 +0200
3247 +/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c
3249 + * This program is free software; you can redistribute it and/or modify
3250 + * it under the terms of the GNU General Public License as published by
3251 + * the Free Software Foundation; either version 2 of the License, or
3252 + * (at your option) any later version.
3254 + * Copyright (c) 2004 Cookinglinux
3256 +#ifndef _IPT_GEOIP_H
3257 +#define _IPT_GEOIP_H
3259 +#define IPT_GEOIP_SRC 0x01 /* Perform check on Source IP */
3260 +#define IPT_GEOIP_DST 0x02 /* Perform check on Destination IP */
3261 +#define IPT_GEOIP_INV 0x04 /* Negate the condition */
3263 +#define IPT_GEOIP_MAX 15 /* Maximum of countries */
3265 +struct geoip_subnet {
3270 +struct geoip_info {
3271 + struct geoip_subnet *subnets;
3275 + struct geoip_info *next;
3276 + struct geoip_info *prev;
3279 +struct ipt_geoip_info {
3282 + u_int16_t cc[IPT_GEOIP_MAX];
3284 + /* Used internally by the kernel */
3285 + struct geoip_info *mem[IPT_GEOIP_MAX];
3286 + u_int8_t *refcount;
3288 + /* not implemented yet:
3293 +#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF)
3297 diff -uNr include.orig/linux/netfilter_ipv4/ipt_IPMARK.h usr/include/linux/netfilter_ipv4/ipt_IPMARK.h
3298 --- include.orig/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100
3299 +++ usr/include/linux/netfilter_ipv4/ipt_IPMARK.h 2005-08-02 20:02:17.756240248 +0200
3301 +#ifndef _IPT_IPMARK_H_target
3302 +#define _IPT_IPMARK_H_target
3304 +struct ipt_ipmark_target_info {
3305 + unsigned long andmask;
3306 + unsigned long ormask;
3307 + unsigned int addr;
3310 +#define IPT_IPMARK_SRC 0
3311 +#define IPT_IPMARK_DST 1
3313 +#endif /*_IPT_IPMARK_H_target*/
3314 diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipp2p.h usr/include/linux/netfilter_ipv4/ipt_ipp2p.h
3315 --- include.orig/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100
3316 +++ usr/include/linux/netfilter_ipv4/ipt_ipp2p.h 2005-08-02 20:02:17.784235992 +0200
3318 +#ifndef __IPT_IPP2P_H
3319 +#define __IPT_IPP2P_H
3320 +#define IPP2P_VERSION "0.7.4"
3322 +struct ipt_p2p_info {
3327 +#endif //__IPT_IPP2P_H
3329 +#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/
3330 +#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/
3331 +#define SHORT_HAND_NONE 5 /* no short hand*/
3333 +#define IPP2P_EDK 2
3334 +#define IPP2P_DATA_KAZAA 8
3335 +#define IPP2P_DATA_EDK 16
3336 +#define IPP2P_DATA_DC 32
3337 +#define IPP2P_DC 64
3338 +#define IPP2P_DATA_GNU 128
3339 +#define IPP2P_GNU 256
3340 +#define IPP2P_KAZAA 512
3341 +#define IPP2P_BIT 1024
3342 +#define IPP2P_APPLE 2048
3343 +#define IPP2P_SOUL 4096
3344 +#define IPP2P_WINMX 8192
3345 +#define IPP2P_ARES 16384
3347 diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipv4options.h usr/include/linux/netfilter_ipv4/ipt_ipv4options.h
3348 --- include.orig/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
3349 +++ usr/include/linux/netfilter_ipv4/ipt_ipv4options.h 2005-08-02 20:02:17.733243744 +0200
3351 +#ifndef __ipt_ipv4options_h_included__
3352 +#define __ipt_ipv4options_h_included__
3354 +#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
3355 +#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
3356 +#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
3357 +#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
3358 +#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
3359 +#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
3360 +#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
3361 +#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
3362 +#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
3363 +#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
3364 +#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
3366 +struct ipt_ipv4options_info {
3367 + u_int16_t options;
3371 +#endif /* __ipt_ipv4options_h_included__ */
3372 diff -uNr include.orig/linux/netfilter_ipv4/ipt_layer7.h usr/include/linux/netfilter_ipv4/ipt_layer7.h
3373 --- include.orig/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
3374 +++ usr/include/linux/netfilter_ipv4/ipt_layer7.h 2005-08-02 20:02:17.736243288 +0200
3377 + By Matthew Strait <quadong@users.sf.net>, Dec 2003.
3378 + http://l7-filter.sf.net
3380 + This program is free software; you can redistribute it and/or
3381 + modify it under the terms of the GNU General Public License
3382 + as published by the Free Software Foundation; either version
3383 + 2 of the License, or (at your option) any later version.
3384 + http://www.gnu.org/licenses/gpl.txt
3387 +#ifndef _IPT_LAYER7_H
3388 +#define _IPT_LAYER7_H
3390 +#define MAX_PATTERN_LEN 8192
3391 +#define MAX_PROTOCOL_LEN 256
3393 +typedef char *(*proc_ipt_search) (char *, char, char *);
3395 +struct ipt_layer7_info {
3396 + char protocol[MAX_PROTOCOL_LEN];
3398 + char pattern[MAX_PATTERN_LEN];
3401 +#endif /* _IPT_LAYER7_H */
3402 diff -uNr include.orig/linux/netfilter_ipv4/ipt_nth.h usr/include/linux/netfilter_ipv4/ipt_nth.h
3403 --- include.orig/linux/netfilter_ipv4/ipt_nth.h 1970-01-01 01:00:00.000000000 +0100
3404 +++ usr/include/linux/netfilter_ipv4/ipt_nth.h 2005-08-02 20:02:17.760239640 +0200
3409 +#include <linux/param.h>
3410 +#include <linux/types.h>
3412 +#ifndef IPT_NTH_NUM_COUNTERS
3413 +#define IPT_NTH_NUM_COUNTERS 16
3416 +struct ipt_nth_info {
3424 +#endif /*_IPT_NTH_H*/
3425 diff -uNr include.orig/linux/netfilter_ipv4/ipt_osf.h usr/include/linux/netfilter_ipv4/ipt_osf.h
3426 --- include.orig/linux/netfilter_ipv4/ipt_osf.h 1970-01-01 01:00:00.000000000 +0100
3427 +++ usr/include/linux/netfilter_ipv4/ipt_osf.h 2005-08-02 20:02:17.783236144 +0200
3432 + * Copyright (c) 2003 Evgeniy Polyakov <johnpol@2ka.mipt.ru>
3435 + * This program is free software; you can redistribute it and/or modify
3436 + * it under the terms of the GNU General Public License as published by
3437 + * the Free Software Foundation; either version 2 of the License, or
3438 + * (at your option) any later version.
3440 + * This program is distributed in the hope that it will be useful,
3441 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
3442 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3443 + * GNU General Public License for more details.
3445 + * You should have received a copy of the GNU General Public License
3446 + * along with this program; if not, write to the Free Software
3447 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
3453 +#define MAXGENRELEN 32
3454 +#define MAXDETLEN 64
3456 +#define IPT_OSF_GENRE 1
3457 +#define IPT_OSF_SMART 2
3458 +#define IPT_OSF_LOG 4
3459 +#define IPT_OSF_NETLINK 8
3460 +#define IPT_OSF_CONNECTOR 16
3462 +#define IPT_OSF_LOGLEVEL_ALL 0
3463 +#define IPT_OSF_LOGLEVEL_FIRST 1
3466 +#include <netinet/ip.h>
3467 +#include <netinet/tcp.h>
3471 + struct list_head *prev, *next;
3475 +struct ipt_osf_info
3477 + char genre[MAXGENRELEN];
3479 + unsigned long flags;
3481 + int invert; /* UNSUPPORTED */
3487 + unsigned long val;
3490 +/* This struct represents IANA options
3491 + * http://www.iana.org/assignments/tcp-parameters
3495 + unsigned char kind;
3496 + unsigned char length;
3502 + struct list_head flist;
3503 + struct osf_wc wss;
3504 + unsigned char ttl;
3507 + unsigned char genre[MAXGENRELEN];
3508 + unsigned char version[MAXGENRELEN], subtype[MAXGENRELEN];
3510 + /* Not needed, but for consistency with original table from Michal Zalewski */
3511 + unsigned char details[MAXDETLEN];
3514 + struct osf_opt opt[MAX_IPOPTLEN]; /* In case it is all NOP or EOL */
3518 +struct ipt_osf_nlmsg
3520 + struct osf_finger f;
3522 + struct tcphdr tcp;
3527 +#include <linux/list.h>
3528 +#include <net/tcp.h>
3531 +/* Defines for IANA option kinds */
3533 +#define OSFOPT_EOL 0 /* End of options */
3534 +#define OSFOPT_NOP 1 /* NOP */
3535 +#define OSFOPT_MSS 2 /* Maximum segment size */
3536 +#define OSFOPT_WSO 3 /* Window scale option */
3537 +#define OSFOPT_SACKP 4 /* SACK permitted */
3538 +#define OSFOPT_SACK 5 /* SACK */
3539 +#define OSFOPT_ECHO 6
3540 +#define OSFOPT_ECHOREPLY 7
3541 +#define OSFOPT_TS 8 /* Timestamp option */
3542 +#define OSFOPT_POCP 9 /* Partial Order Connection Permitted */
3543 +#define OSFOPT_POSP 10 /* Partial Order Service Profile */
3544 +/* Others are not used in current OSF */
3546 +static struct osf_opt IANA_opts[] =
3553 + {5, 1 ,}, /* SACK length is not defined */
3559 + {11, 1,}, /* CC: Suppose 1 */
3560 + {12, 1,}, /* the same */
3561 + {13, 1,}, /* and here too */
3563 + {15, 1,}, /* TCP Alternate Checksum Data. Length is not defined */
3577 +#endif /* __KERNEL__ */
3579 +#endif /* _IPT_OSF_H */
3580 diff -uNr include.orig/linux/netfilter_ipv4/ipt_policy.h usr/include/linux/netfilter_ipv4/ipt_policy.h
3581 --- include.orig/linux/netfilter_ipv4/ipt_policy.h 1970-01-01 01:00:00.000000000 +0100
3582 +++ usr/include/linux/netfilter_ipv4/ipt_policy.h 2005-08-02 20:02:17.735243440 +0200
3584 +#ifndef _IPT_POLICY_H
3585 +#define _IPT_POLICY_H
3587 +#define POLICY_MAX_ELEM 4
3589 +enum ipt_policy_flags
3591 + POLICY_MATCH_IN = 0x1,
3592 + POLICY_MATCH_OUT = 0x2,
3593 + POLICY_MATCH_NONE = 0x4,
3594 + POLICY_MATCH_STRICT = 0x8,
3597 +enum ipt_policy_modes
3599 + POLICY_MODE_TRANSPORT,
3600 + POLICY_MODE_TUNNEL
3603 +struct ipt_policy_spec
3613 +struct ipt_policy_elem
3624 + struct ipt_policy_spec match;
3625 + struct ipt_policy_spec invert;
3628 +struct ipt_policy_info
3630 + struct ipt_policy_elem pol[POLICY_MAX_ELEM];
3635 +#endif /* _IPT_POLICY_H */
3636 diff -uNr include.orig/linux/netfilter_ipv4/ipt_psd.h usr/include/linux/netfilter_ipv4/ipt_psd.h
3637 --- include.orig/linux/netfilter_ipv4/ipt_psd.h 1970-01-01 01:00:00.000000000 +0100
3638 +++ usr/include/linux/netfilter_ipv4/ipt_psd.h 2005-08-02 20:02:17.778236904 +0200
3643 +#include <linux/param.h>
3644 +#include <linux/types.h>
3647 + * High port numbers have a lower weight to reduce the frequency of false
3648 + * positives, such as from passive mode FTP transfers.
3650 +#define PORT_WEIGHT_PRIV 3
3651 +#define PORT_WEIGHT_HIGH 1
3654 + * Port scan detection thresholds: at least COUNT ports need to be scanned
3655 + * from the same source, with no longer than DELAY ticks between ports.
3657 +#define SCAN_MIN_COUNT 7
3658 +#define SCAN_MAX_COUNT (SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
3659 +#define SCAN_WEIGHT_THRESHOLD SCAN_MAX_COUNT
3660 +#define SCAN_DELAY_THRESHOLD (300) /* old usage of HZ here was erroneously and broke under uml */
3663 + * Keep track of up to LIST_SIZE source addresses, using a hash table of
3664 + * HASH_SIZE entries for faster lookups, but limiting hash collisions to
3665 + * HASH_MAX source addresses per the same hash value.
3667 +#define LIST_SIZE 0x100
3669 +#define HASH_SIZE (1 << HASH_LOG)
3670 +#define HASH_MAX 0x10
3672 +struct ipt_psd_info {
3673 + unsigned int weight_threshold;
3674 + unsigned int delay_threshold;
3675 + unsigned short lo_ports_weight;
3676 + unsigned short hi_ports_weight;
3679 +#endif /*_IPT_PSD_H*/
3680 diff -uNr include.orig/linux/netfilter_ipv4/ipt_quota.h usr/include/linux/netfilter_ipv4/ipt_quota.h
3681 --- include.orig/linux/netfilter_ipv4/ipt_quota.h 1970-01-01 01:00:00.000000000 +0100
3682 +++ usr/include/linux/netfilter_ipv4/ipt_quota.h 2005-08-02 20:02:17.762239336 +0200
3684 +#ifndef _IPT_QUOTA_H
3685 +#define _IPT_QUOTA_H
3687 +/* print debug info in both kernel/netfilter module & iptable library */
3688 +//#define DEBUG_IPT_QUOTA
3690 +struct ipt_quota_info {
3692 + struct ipt_quota_info *master;
3695 +#endif /*_IPT_QUOTA_H*/
3696 diff -uNr include.orig/linux/netfilter_ipv4/ipt_recent.h usr/include/linux/netfilter_ipv4/ipt_recent.h
3697 --- include.orig/linux/netfilter_ipv4/ipt_recent.h 2004-10-31 20:56:00.000000000 +0100
3698 +++ usr/include/linux/netfilter_ipv4/ipt_recent.h 2005-08-02 20:02:17.720245720 +0200
3700 #define _IPT_RECENT_H
3702 #define RECENT_NAME "ipt_recent"
3703 -#define RECENT_VER "v0.3.1"
3704 +#define RECENT_VER "v0.3.2"
3706 #define IPT_RECENT_CHECK 1
3707 #define IPT_RECENT_SET 2
3708 diff -uNr include.orig/linux/netfilter_ipv4/ipt_ROUTE.h usr/include/linux/netfilter_ipv4/ipt_ROUTE.h
3709 --- include.orig/linux/netfilter_ipv4/ipt_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
3710 +++ usr/include/linux/netfilter_ipv4/ipt_ROUTE.h 2005-08-02 20:02:17.726244808 +0200
3712 +/* Header file for iptables ipt_ROUTE target
3714 + * (C) 2002 by Cédric de Launois <delaunois@info.ucl.ac.be>
3716 + * This software is distributed under GNU GPL v2, 1991
3718 +#ifndef _IPT_ROUTE_H_target
3719 +#define _IPT_ROUTE_H_target
3721 +#define IPT_ROUTE_IFNAMSIZ 16
3723 +struct ipt_route_target_info {
3724 + char oif[IPT_ROUTE_IFNAMSIZ]; /* Output Interface Name */
3725 + char iif[IPT_ROUTE_IFNAMSIZ]; /* Input Interface Name */
3726 + u_int32_t gw; /* IP address of gateway */
3730 +/* Values for "flags" field */
3731 +#define IPT_ROUTE_CONTINUE 0x01
3732 +#define IPT_ROUTE_TEE 0x02
3734 +#endif /*_IPT_ROUTE_H_target*/
3735 diff -uNr include.orig/linux/netfilter_ipv4/ipt_set.h usr/include/linux/netfilter_ipv4/ipt_set.h
3736 --- include.orig/linux/netfilter_ipv4/ipt_set.h 1970-01-01 01:00:00.000000000 +0100
3737 +++ usr/include/linux/netfilter_ipv4/ipt_set.h 2005-08-02 20:02:17.721245568 +0200
3742 +#include <linux/netfilter_ipv4/ip_set.h>
3744 +struct ipt_set_info {
3745 + ip_set_id_t index;
3746 + u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
3750 +struct ipt_set_info_match {
3751 + struct ipt_set_info match_set;
3754 +struct ipt_set_info_target {
3755 + struct ipt_set_info add_set;
3756 + struct ipt_set_info del_set;
3759 +#endif /*_IPT_SET_H*/
3760 diff -uNr include.orig/linux/netfilter_ipv4/ipt_string.h usr/include/linux/netfilter_ipv4/ipt_string.h
3761 --- include.orig/linux/netfilter_ipv4/ipt_string.h 1970-01-01 01:00:00.000000000 +0100
3762 +++ usr/include/linux/netfilter_ipv4/ipt_string.h 2005-08-02 20:02:17.805232800 +0200
3764 +#ifndef _IPT_STRING_H
3765 +#define _IPT_STRING_H
3767 +/* *** PERFORMANCE TWEAK ***
3768 + * Packet size and search string threshold,
3769 + * above which sublinear searches is used. */
3770 +#define IPT_STRING_HAYSTACK_THRESH 100
3771 +#define IPT_STRING_NEEDLE_THRESH 20
3773 +#define BM_MAX_NLEN 256
3774 +#define BM_MAX_HLEN 1024
3776 +typedef char *(*proc_ipt_search) (char *, char *, int, int);
3778 +struct ipt_string_info {
3779 + char string[BM_MAX_NLEN];
3784 +#endif /* _IPT_STRING_H */
3785 diff -uNr include.orig/linux/netfilter_ipv4/ipt_time.h usr/include/linux/netfilter_ipv4/ipt_time.h
3786 --- include.orig/linux/netfilter_ipv4/ipt_time.h 1970-01-01 01:00:00.000000000 +0100
3787 +++ usr/include/linux/netfilter_ipv4/ipt_time.h 2005-08-02 20:02:17.765238880 +0200
3789 +#ifndef __ipt_time_h_included__
3790 +#define __ipt_time_h_included__
3793 +struct ipt_time_info {
3794 + u_int8_t days_match; /* 1 bit per day. -SMTWTFS */
3795 + u_int16_t time_start; /* 0 < time_start < 23*60+59 = 1439 */
3796 + u_int16_t time_stop; /* 0:0 < time_stat < 23:59 */
3798 + /* FIXME: Keep this one for userspace iptables binary compability: */
3799 + u_int8_t kerneltime; /* ignore skb time (and use kerneltime) or not. */
3801 + time_t date_start;
3806 +#endif /* __ipt_time_h_included__ */
3807 diff -uNr include.orig/linux/netfilter_ipv4/ipt_TTL.h usr/include/linux/netfilter_ipv4/ipt_TTL.h
3808 --- include.orig/linux/netfilter_ipv4/ipt_TTL.h 1970-01-01 01:00:00.000000000 +0100
3809 +++ usr/include/linux/netfilter_ipv4/ipt_TTL.h 2005-08-02 20:02:17.801233408 +0200
3811 +/* TTL modification module for IP tables
3812 + * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
3823 +#define IPT_TTL_MAXMODE IPT_TTL_DEC
3825 +struct ipt_TTL_info {
3832 diff -uNr include.orig/linux/netfilter_ipv4/ipt_u32.h usr/include/linux/netfilter_ipv4/ipt_u32.h
3833 --- include.orig/linux/netfilter_ipv4/ipt_u32.h 1970-01-01 01:00:00.000000000 +0100
3834 +++ usr/include/linux/netfilter_ipv4/ipt_u32.h 2005-08-02 20:02:17.809232192 +0200
3838 +#include <linux/netfilter_ipv4/ip_tables.h>
3848 +struct ipt_u32_location_element
3853 +struct ipt_u32_value_element
3858 +/* *** any way to allow for an arbitrary number of elements?
3859 + for now I settle for a limit of 10 of each */
3860 +#define U32MAXSIZE 10
3861 +struct ipt_u32_test
3864 + struct ipt_u32_location_element location[U32MAXSIZE+1];
3866 + struct ipt_u32_value_element value[U32MAXSIZE+1];
3872 + struct ipt_u32_test tests[U32MAXSIZE+1];
3875 +#endif /*_IPT_U32_H*/
3876 diff -uNr include.orig/linux/netfilter_ipv4/ipt_XOR.h usr/include/linux/netfilter_ipv4/ipt_XOR.h
3877 --- include.orig/linux/netfilter_ipv4/ipt_XOR.h 1970-01-01 01:00:00.000000000 +0100
3878 +++ usr/include/linux/netfilter_ipv4/ipt_XOR.h 2005-08-02 20:02:17.830229000 +0200
3883 +struct ipt_XOR_info {
3885 + u_int8_t block_size;
3888 +#endif /* _IPT_XOR_H */
3889 diff -uNr include.orig/linux/netfilter_ipv4.h usr/include/linux/netfilter_ipv4.h
3890 --- include.orig/linux/netfilter_ipv4.h 2005-07-06 02:17:21.000000000 +0200
3891 +++ usr/include/linux/netfilter_ipv4.h 2005-08-02 20:02:17.660254840 +0200
3894 #include <linux/netfilter.h>
3896 -/* IP Cache bits. */
3897 -/* Src IP address. */
3898 -#define NFC_IP_SRC 0x0001
3899 -/* Dest IP address. */
3900 -#define NFC_IP_DST 0x0002
3901 -/* Input device. */
3902 -#define NFC_IP_IF_IN 0x0004
3903 -/* Output device. */
3904 -#define NFC_IP_IF_OUT 0x0008
3906 -#define NFC_IP_TOS 0x0010
3908 -#define NFC_IP_PROTO 0x0020
3910 -#define NFC_IP_OPTIONS 0x0040
3911 -/* Frag & flags. */
3912 -#define NFC_IP_FRAG 0x0080
3914 -/* Per-protocol information: only matters if proto match. */
3916 -#define NFC_IP_TCPFLAGS 0x0100
3918 -#define NFC_IP_SRC_PT 0x0200
3920 -#define NFC_IP_DST_PT 0x0400
3921 -/* Something else about the proto */
3922 -#define NFC_IP_PROTO_UNKNOWN 0x2000
3925 /* After promisc drops, checksum checks. */
3926 #define NF_IP_PRE_ROUTING 0
3927 diff -uNr include.orig/linux/netfilter_ipv6/ip6t_fuzzy.h usr/include/linux/netfilter_ipv6/ip6t_fuzzy.h
3928 --- include.orig/linux/netfilter_ipv6/ip6t_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
3929 +++ usr/include/linux/netfilter_ipv6/ip6t_fuzzy.h 2005-08-02 20:02:17.652256056 +0200
3931 +#ifndef _IP6T_FUZZY_H
3932 +#define _IP6T_FUZZY_H
3934 +#include <linux/param.h>
3935 +#include <linux/types.h>
3937 +#define MAXFUZZYRATE 10000000
3938 +#define MINFUZZYRATE 3
3940 +struct ip6t_fuzzy_info {
3941 + u_int32_t minimum_rate;
3942 + u_int32_t maximum_rate;
3943 + u_int32_t packets_total;
3944 + u_int32_t bytes_total;
3945 + u_int32_t previous_time;
3946 + u_int32_t present_time;
3947 + u_int32_t mean_rate;
3948 + u_int8_t acceptance_rate;
3951 +#endif /*_IP6T_FUZZY_H*/
3952 diff -uNr include.orig/linux/netfilter_ipv6/ip6t_HL.h usr/include/linux/netfilter_ipv6/ip6t_HL.h
3953 --- include.orig/linux/netfilter_ipv6/ip6t_HL.h 1970-01-01 01:00:00.000000000 +0100
3954 +++ usr/include/linux/netfilter_ipv6/ip6t_HL.h 2005-08-02 20:02:17.656255448 +0200
3956 +/* Hop Limit modification module for ip6tables
3957 + * Maciej Soltysiak <solt@dns.toxicfilms.tv>
3958 + * Based on HW's TTL module */
3969 +#define IP6T_HL_MAXMODE IP6T_HL_DEC
3971 +struct ip6t_HL_info {
3973 + u_int8_t hop_limit;
3978 diff -uNr include.orig/linux/netfilter_ipv6/ip6t_nth.h usr/include/linux/netfilter_ipv6/ip6t_nth.h
3979 --- include.orig/linux/netfilter_ipv6/ip6t_nth.h 1970-01-01 01:00:00.000000000 +0100
3980 +++ usr/include/linux/netfilter_ipv6/ip6t_nth.h 2005-08-02 20:02:17.652256056 +0200
3982 +#ifndef _IP6T_NTH_H
3983 +#define _IP6T_NTH_H
3985 +#include <linux/param.h>
3986 +#include <linux/types.h>
3988 +#ifndef IP6T_NTH_NUM_COUNTERS
3989 +#define IP6T_NTH_NUM_COUNTERS 16
3992 +struct ip6t_nth_info {
4000 +#endif /*_IP6T_NTH_H*/
4001 diff -uNr include.orig/linux/netfilter_ipv6/ip6t_policy.h usr/include/linux/netfilter_ipv6/ip6t_policy.h
4002 --- include.orig/linux/netfilter_ipv6/ip6t_policy.h 1970-01-01 01:00:00.000000000 +0100
4003 +++ usr/include/linux/netfilter_ipv6/ip6t_policy.h 2005-08-02 20:02:17.655255600 +0200
4005 +#ifndef _IP6T_POLICY_H
4006 +#define _IP6T_POLICY_H
4008 +#define POLICY_MAX_ELEM 4
4010 +enum ip6t_policy_flags
4012 + POLICY_MATCH_IN = 0x1,
4013 + POLICY_MATCH_OUT = 0x2,
4014 + POLICY_MATCH_NONE = 0x4,
4015 + POLICY_MATCH_STRICT = 0x8,
4018 +enum ip6t_policy_modes
4020 + POLICY_MODE_TRANSPORT,
4021 + POLICY_MODE_TUNNEL
4024 +struct ip6t_policy_spec
4034 +struct ip6t_policy_elem
4036 + struct in6_addr saddr;
4037 + struct in6_addr smask;
4038 + struct in6_addr daddr;
4039 + struct in6_addr dmask;
4045 + struct ip6t_policy_spec match;
4046 + struct ip6t_policy_spec invert;
4049 +struct ip6t_policy_info
4051 + struct ip6t_policy_elem pol[POLICY_MAX_ELEM];
4056 +#endif /* _IP6T_POLICY_H */
4057 diff -uNr include.orig/linux/netfilter_ipv6/ip6t_REJECT.h usr/include/linux/netfilter_ipv6/ip6t_REJECT.h
4058 --- include.orig/linux/netfilter_ipv6/ip6t_REJECT.h 1970-01-01 01:00:00.000000000 +0100
4059 +++ usr/include/linux/netfilter_ipv6/ip6t_REJECT.h 2005-08-02 20:02:17.657255296 +0200
4061 +#ifndef _IP6T_REJECT_H
4062 +#define _IP6T_REJECT_H
4064 +enum ip6t_reject_with {
4065 + IP6T_ICMP6_NO_ROUTE,
4066 + IP6T_ICMP6_ADM_PROHIBITED,
4067 + IP6T_ICMP6_NOT_NEIGHBOUR,
4068 + IP6T_ICMP6_ADDR_UNREACH,
4069 + IP6T_ICMP6_PORT_UNREACH,
4070 + IP6T_ICMP6_ECHOREPLY,
4074 +struct ip6t_reject_info {
4075 + enum ip6t_reject_with with; /* reject type */
4078 +#endif /*_IP6T_REJECT_H*/
4079 diff -uNr include.orig/linux/netfilter_ipv6/ip6t_ROUTE.h usr/include/linux/netfilter_ipv6/ip6t_ROUTE.h
4080 --- include.orig/linux/netfilter_ipv6/ip6t_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
4081 +++ usr/include/linux/netfilter_ipv6/ip6t_ROUTE.h 2005-08-02 20:02:17.654255752 +0200
4083 +/* Header file for iptables ip6t_ROUTE target
4085 + * (C) 2003 by Cédric de Launois <delaunois@info.ucl.ac.be>
4087 + * This software is distributed under GNU GPL v2, 1991
4089 +#ifndef _IPT_ROUTE_H_target
4090 +#define _IPT_ROUTE_H_target
4092 +#define IP6T_ROUTE_IFNAMSIZ 16
4094 +struct ip6t_route_target_info {
4095 + char oif[IP6T_ROUTE_IFNAMSIZ]; /* Output Interface Name */
4096 + char iif[IP6T_ROUTE_IFNAMSIZ]; /* Input Interface Name */
4097 + u_int32_t gw[4]; /* IPv6 address of gateway */
4101 +/* Values for "flags" field */
4102 +#define IP6T_ROUTE_CONTINUE 0x01
4103 +#define IP6T_ROUTE_TEE 0x02
4105 +#endif /*_IP6T_ROUTE_H_target*/
4106 diff -uNr include.orig/linux/netfilter_ipv6.h usr/include/linux/netfilter_ipv6.h
4107 --- include.orig/linux/netfilter_ipv6.h 2004-10-31 20:55:40.000000000 +0100
4108 +++ usr/include/linux/netfilter_ipv6.h 2005-08-02 20:02:17.661254688 +0200
4111 enum nf_ip6_hook_priorities {
4112 NF_IP6_PRI_FIRST = INT_MIN,
4113 + NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
4114 NF_IP6_PRI_SELINUX_FIRST = -225,
4115 NF_IP6_PRI_CONNTRACK = -200,
4116 NF_IP6_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
4118 NF_IP6_PRI_LAST = INT_MAX,
4121 +#define SO_ORIGINAL_DST 80
4123 #endif /*__LINUX_IP6_NETFILTER_H*/
4124 diff -uNr include.orig/linux/netlink.h usr/include/linux/netlink.h
4125 --- include.orig/linux/netlink.h 2005-01-08 15:03:40.000000000 +0100
4126 +++ usr/include/linux/netlink.h 2005-08-02 20:02:17.679251952 +0200
4128 #define NETLINK_SELINUX 7 /* SELinux event notifications */
4129 #define NETLINK_ARPD 8
4130 #define NETLINK_AUDIT 9 /* auditing */
4131 +#define NETLINK_NETFILTER 10 /* netfilter subsystem */
4132 #define NETLINK_ROUTE6 11 /* af_inet6 route comm channel */
4133 #define NETLINK_IP6_FW 13
4134 #define NETLINK_DNRTMSG 14 /* DECnet routing messages */
4135 diff -uNr include.orig/linux/skbuff.h usr/include/linux/skbuff.h
4136 --- include.orig/linux/skbuff.h 2005-07-06 02:17:21.000000000 +0200
4137 +++ usr/include/linux/skbuff.h 2005-08-02 20:02:17.667253776 +0200
4141 struct nf_conntrack *nfct;
4142 +#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
4143 + struct sk_buff *nfct_reasm;
4145 #ifdef CONFIG_NETFILTER_DEBUG
4146 unsigned int nf_debug;
4148 diff -uNr include.orig/linux/sysctl.h usr/include/linux/sysctl.h
4149 --- include.orig/linux/sysctl.h 2005-07-06 02:17:21.000000000 +0200
4150 +++ usr/include/linux/sysctl.h 2005-08-02 20:03:45.127957728 +0200
4154 NET_KHTTPD=17, /* [<2.6] */
4160 /* /proc/sys/kernel/random */
4161 @@ -258,6 +259,42 @@
4162 NET_UNIX_MAX_DGRAM_QLEN=3
4165 +/* /proc/sys/net/netfilter */
4168 + NET_NF_CONNTRACK_MAX=1,
4169 + NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT=2,
4170 + NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV=3,
4171 + NET_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED=4,
4172 + NET_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT=5,
4173 + NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT=6,
4174 + NET_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK=7,
4175 + NET_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT=8,
4176 + NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE=9,
4177 + NET_NF_CONNTRACK_UDP_TIMEOUT=10,
4178 + NET_NF_CONNTRACK_UDP_TIMEOUT_STREAM=11,
4179 + NET_NF_CONNTRACK_ICMP_TIMEOUT=12,
4180 + NET_NF_CONNTRACK_GENERIC_TIMEOUT=13,
4181 + NET_NF_CONNTRACK_BUCKETS=14,
4182 + NET_NF_CONNTRACK_LOG_INVALID=15,
4183 + NET_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS=16,
4184 + NET_NF_CONNTRACK_TCP_LOOSE=17,
4185 + NET_NF_CONNTRACK_TCP_BE_LIBERAL=18,
4186 + NET_NF_CONNTRACK_TCP_MAX_RETRANS=19,
4187 + NET_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED=20,
4188 + NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT=21,
4189 + NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED=22,
4190 + NET_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED=23,
4191 + NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT=24,
4192 + NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD=25,
4193 + NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT=26,
4194 + NET_NF_CONNTRACK_COUNT=27,
4195 + NET_NF_CONNTRACK_ICMPV6_TIMEOUT=28,
4196 + NET_NF_CONNTRACK_FRAG6_TIMEOUT=29,
4197 + NET_NF_CONNTRACK_FRAG6_LOW_THRESH=30,
4198 + NET_NF_CONNTRACK_FRAG6_HIGH_THRESH=31,
4201 /* /proc/sys/net/ipv4 */