diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_conntrack.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_conntrack.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_conntrack.h 2004-01-18 00:04:34.000000000 +0100 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_conntrack.h 2004-07-14 12:50:38.273551592 +0200 @@ -49,10 +49,12 @@ #include #include +#include /* per conntrack: protocol private data */ union ip_conntrack_proto { /* insert conntrack proto private data here */ + struct ip_ct_sctp sctp; struct ip_ct_tcp tcp; struct ip_ct_icmp icmp; }; diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_conntrack_sctp.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_conntrack_sctp.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_conntrack_sctp.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_conntrack_sctp.h 2004-07-14 11:50:58.000000000 +0200 @@ -0,0 +1,25 @@ +#ifndef _IP_CONNTRACK_SCTP_H +#define _IP_CONNTRACK_SCTP_H +/* SCTP tracking. */ + +enum sctp_conntrack { + SCTP_CONNTRACK_NONE, + SCTP_CONNTRACK_CLOSED, + SCTP_CONNTRACK_COOKIE_WAIT, + SCTP_CONNTRACK_COOKIE_ECHOED, + SCTP_CONNTRACK_ESTABLISHED, + SCTP_CONNTRACK_SHUTDOWN_SENT, + SCTP_CONNTRACK_SHUTDOWN_RECD, + SCTP_CONNTRACK_SHUTDOWN_ACK_SENT, + SCTP_CONNTRACK_MAX +}; + +struct ip_ct_sctp +{ + enum sctp_conntrack state; + + u_int32_t vtag[IP_CT_DIR_MAX]; + u_int32_t ttag[IP_CT_DIR_MAX]; +}; + +#endif /* _IP_CONNTRACK_SCTP_H */ diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_conntrack_tuple.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-01-05 19:42:34.000000000 +0100 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-07-14 12:46:47.012708584 +0200 
@@ -25,6 +25,9 @@ struct { u_int16_t id; } icmp; + struct { + u_int16_t port; + } sctp; }; /* The manipulable part of the tuple. */ @@ -55,6 +58,9 @@ struct { u_int8_t type, code; } icmp; + struct { + u_int16_t port; + } sctp; } u; /* The protocol. */ diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_logging.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_logging.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_logging.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_logging.h 2004-07-14 12:47:56.539138960 +0200 @@ -0,0 +1,5 @@ +/* IPv4 macros for the internal logging interface. */ +#ifndef __IP_LOGGING_H +#define __IP_LOGGING_H + +#endif /*__IP_LOGGING_H*/ diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_queue.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_queue.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_queue.h 2004-06-09 14:00:52.000000000 +0200 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_queue.h 2004-07-14 12:48:22.756153368 +0200 @@ -7,7 +7,7 @@ #ifndef _IP_QUEUE_H #define _IP_QUEUE_H -#include +#include /* Messages sent from kernel */ typedef struct ipq_packet_msg { @@ -39,10 +39,20 @@ unsigned char payload[0]; /* Optional replacement packet */ } ipq_verdict_msg_t; +typedef struct ipq_vwmark_msg { + unsigned int value; /* Verdict to hand to netfilter */ + unsigned long id; /* Packet ID for this verdict */ + size_t data_len; /* Length of replacement data */ + unsigned char payload[0]; /* Optional replacement packet */ + unsigned long nfmark; /* Mark for the Packet */ +} ipq_vwmark_msg_t; + + typedef struct ipq_peer_msg { union { ipq_verdict_msg_t verdict; ipq_mode_msg_t mode; + ipq_vwmark_msg_t vwmark; } msg; } ipq_peer_msg_t; 
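Review bot: In `struct ipq_vwmark_msg` (ip_queue.h) the zero-length `payload[0]` is not the last member, because `nfmark` is declared after it, so the mark occupies the same bytes as the start of any replacement packet. Declaring `unsigned long nfmark; /* Mark for the Packet */` directly before `unsigned char payload[0];` keeps the trailing-array layout that `ipq_verdict_msg_t` uses. The code that parses this peer message is not on the page; it should compare `data_len` with the length actually received before reading `payload`. `unsigned long` and `size_t` also change width between a 32-bit peer and a 64-bit kernel, which deserves a comment on the struct.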
@@ -59,6 +69,7 @@ #define IPQM_MODE (IPQM_BASE + 1) /* Mode request from peer */ #define IPQM_VERDICT (IPQM_BASE + 2) /* Verdict from peer */ #define IPQM_PACKET (IPQM_BASE + 3) /* Packet from kernel */ -#define IPQM_MAX (IPQM_BASE + 4) +#define IPQM_VWMARK (IPQM_BASE + 4) /* Verdict and mark from peer */ +#define IPQM_MAX (IPQM_BASE + 5) #endif /*_IP_QUEUE_H*/ diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_tables.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_tables.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ip_tables.h 2004-06-23 23:52:57.000000000 +0200 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ip_tables.h 2004-07-14 12:48:40.502455520 +0200 @@ -276,8 +276,6 @@ struct ipt_entry entrytable[0]; }; -extern struct semaphore ipt_mutex; - /* Standard return verdict, or do jump. */ #define IPT_STANDARD_TARGET "" /* Error verdict. */ diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_account.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_account.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_account.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_account.h 2004-07-14 11:50:58.000000000 +0200 
@@ -0,0 +1,21 @@
+/*
+ * accounting match (ipt_account.c)
+ * (C) 2003,2004 by Piotr Gasid³o (quaker@barbara.eu.org)
+ *
+ * Version: 0.1.5
+ *
+ * This software is distributed under the terms of GNU GPL
+ */
+
+#ifndef _IPT_ACCOUNT_H_
+#define _IPT_ACCOUNT_H_
+
+#define IPT_ACCOUNT_NAME_LEN 64
+
+struct t_ipt_account_info {
+ char name[IPT_ACCOUNT_NAME_LEN];
+ u_int32_t network;
+ u_int32_t netmask;
+};
+
+#endif
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_addrtype.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_addrtype.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_addrtype.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_addrtype.h 2004-07-14 11:50:45.000000000 +0200
@@ -0,0 +1,11 @@
+#ifndef _IPT_ADDRTYPE_H
+#define _IPT_ADDRTYPE_H
+
+struct ipt_addrtype_info {
+ u_int16_t source; /* source-type mask */
+ u_int16_t dest; /* dest-type mask */
+ u_int32_t invert_source;
+ u_int32_t invert_dest;
+};
+
+#endif
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_connlimit.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_connlimit.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_connlimit.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
+
+struct ipt_connlimit_data;
+
+struct ipt_connlimit_info {
+ int limit;
+ int inverse;
+ u_int32_t mask;
+ struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_connmark.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_connmark.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_connmark.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_connmark.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,18 @@
+#ifndef _IPT_CONNMARK_H
+#define _IPT_CONNMARK_H
+
+/* Copyright (C) 2002,2004 MARA Systems AB
+ * by Henrik Nordstrom
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+struct ipt_connmark_info {
+ unsigned long mark, mask;
+ u_int8_t invert;
+};
+
+#endif /*_IPT_CONNMARK_H*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_CONNMARK.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_CONNMARK.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_CONNMARK.h 2004-07-14 11:50:58.000000000 +0200
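Review bot: `struct ipt_connlimit_info` places a kernel pointer, `struct ipt_connlimit_data *data`, inside a rule structure that this header package exposes to userspace, so its size and field offsets differ between a 32-bit and a 64-bit build. The same width dependence appears in `hinfo` and `u.ptr`/`u.master` of `struct ipt_dstlimit_info`, in the `unsigned long` mark/mask fields of `ipt_connmark_info`, `ipt_connmark_target_info` and `ipt_ipmark_target_info`, and in the `time_t` fields of `ipt_time_info`. The kernel side is not on the page; if it fills these pointers itself, a comment such as `/* set by the kernel; the value passed from userspace is ignored */` on each one would record that it must never be dereferenced as supplied. Fixed-width types for the mark fields would make the layout explicit.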
@@ -0,0 +1,25 @@
+#ifndef _IPT_CONNMARK_H_target
+#define _IPT_CONNMARK_H_target
+
+/* Copyright (C) 2002,2004 MARA Systems AB
+ * by Henrik Nordstrom
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+ IPT_CONNMARK_SET = 0,
+ IPT_CONNMARK_SAVE,
+ IPT_CONNMARK_RESTORE
+};
+
+struct ipt_connmark_target_info {
+ unsigned long mark;
+ unsigned long mask;
+ u_int8_t mode;
+};
+
+#endif /*_IPT_CONNMARK_H_target*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_dstlimit.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_dstlimit.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_dstlimit.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_dstlimit.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,39 @@
+#ifndef _IPT_DSTLIMIT_H
+#define _IPT_DSTLIMIT_H
+
+/* timings are in milliseconds. */
+#define IPT_DSTLIMIT_SCALE 10000
+/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
+ seconds, or one every 59 hours. */
+
+/* details of this structure hidden by the implementation */
+struct ipt_dstlimit_htable;
+
+#define IPT_DSTLIMIT_HASH_DIP 0x0001
+#define IPT_DSTLIMIT_HASH_DPT 0x0002
+#define IPT_DSTLIMIT_HASH_SIP 0x0004
+
+struct dstlimit_cfg {
+ u_int32_t mode; /* bitmask of IPT_DSTLIMIT_HASH_* */
+ u_int32_t avg; /* Average secs between packets * scale */
+ u_int32_t burst; /* Period multiplier for upper limit. */
+
+ /* user specified */
+ u_int32_t size; /* how many buckets */
+ u_int32_t max; /* max number of entries */
+ u_int32_t gc_interval; /* gc interval */
+ u_int32_t expire; /* when do entries expire? */
+};
+
+struct ipt_dstlimit_info {
+ char name [IFNAMSIZ]; /* name */
+ struct dstlimit_cfg cfg;
+ struct ipt_dstlimit_htable *hinfo;
+
+ /* Used internally by the kernel */
+ union {
+ void *ptr;
+ struct ipt_dstlimit_info *master;
+ } u;
+};
+#endif /*_IPT_DSTLIMIT_H*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_fuzzy.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_fuzzy.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_fuzzy.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,21 @@
+#ifndef _IPT_FUZZY_H
+#define _IPT_FUZZY_H
+
+#include
+#include
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ipt_fuzzy_info {
+ u_int32_t minimum_rate;
+ u_int32_t maximum_rate;
+ u_int32_t packets_total;
+ u_int32_t bytes_total;
+ u_int32_t previous_time;
+ u_int32_t present_time;
+ u_int32_t mean_rate;
+ u_int8_t acceptance_rate;
+};
+
+#endif /*_IPT_FUZZY_H*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_IMQ.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_IMQ.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_IMQ.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_IMQ.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,8 @@
+#ifndef _IPT_IMQ_H
+#define _IPT_IMQ_H
+
+struct ipt_imq_info {
+ unsigned int todev; /* target imq device */
+};
+
+#endif /* _IPT_IMQ_H */
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_IPMARK.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_IPMARK.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_IPMARK.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,13 @@
+#ifndef _IPT_IPMARK_H_target
+#define _IPT_IPMARK_H_target
+
+struct ipt_ipmark_target_info {
+ unsigned long andmask;
+ unsigned long ormask;
+ unsigned int addr;
+};
+
+#define IPT_IPMARK_SRC 0
+#define IPT_IPMARK_DST 1
+
+#endif /*_IPT_IPMARK_H_target*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_ipv4options.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_ipv4options.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
+#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
+#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
+#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
+#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
+#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
+#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
+
+struct ipt_ipv4options_info {
+ u_int16_t options;
+};
+
+
+#endif /* __ipt_ipv4options_h_included__ */
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_layer7.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_layer7.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_layer7.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,26 @@
+/*
+ By Matthew Strait , Dec 2003.
+ http://l7-filter.sf.net
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ as published by the Free Software Foundation; either version
+ 2 of the License, or (at your option) any later version.
+ http://www.gnu.org/licenses/gpl.txt
+*/
+
+#ifndef _IPT_LAYER7_H
+#define _IPT_LAYER7_H
+
+#define MAX_PATTERN_LEN 8192
+#define MAX_PROTOCOL_LEN 256
+
+typedef char *(*proc_ipt_search) (char *, char, char *);
+
+struct ipt_layer7_info {
+ char protocol[MAX_PROTOCOL_LEN];
+ char invert:1;
+ char pattern[MAX_PATTERN_LEN];
+};
+
+#endif /* _IPT_LAYER7_H */
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_mport.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_mport.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_mport.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_mport.h 2004-07-14 11:50:58.000000000 +0200
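Review bot: ipt_layer7.h declares `typedef char *(*proc_ipt_search) (char *, char, char *);`, and ipt_string.h in this same patch declares a typedef with the same name but the signature `(char *, char *, int, int)`, so a source file that includes both headers will not compile. Neither structure uses the typedef, so it could be dropped from the exported header or given a module-specific name. Separately, `char invert:1;` is a one-bit field of plain `char`, whose signedness is implementation-defined, so a set flag may read back as -1; `unsigned char invert:1;` removes the ambiguity. `protocol` and `pattern` are fixed arrays filled from userspace, and the matching code (not on this page) should confirm each is NUL-terminated within its bound before using it as a string.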
@@ -0,0 +1,24 @@
+#ifndef _IPT_MPORT_H
+#define _IPT_MPORT_H
+#include
+
+#define IPT_MPORT_SOURCE (1<<0)
+#define IPT_MPORT_DESTINATION (1<<1)
+#define IPT_MPORT_EITHER (IPT_MPORT_SOURCE|IPT_MPORT_DESTINATION)
+
+#define IPT_MULTI_PORTS 15
+
+/* Must fit inside union ipt_matchinfo: 32 bytes */
+/* every entry in ports[] except for the last one has one bit in pflags
+ * associated with it. If this bit is set, the port is the first port of
+ * a portrange, with the next entry being the last.
+ * End of list is marked with pflags bit set and port=65535.
+ * If 14 ports are used (last one does not have a pflag), the last port
+ * is repeated to fill the last entry in ports[] */
+struct ipt_mport
+{
+ u_int8_t flags:2; /* Type of comparison */
+ u_int16_t pflags:14; /* Port flags */
+ u_int16_t ports[IPT_MULTI_PORTS]; /* Ports */
+};
+#endif /*_IPT_MPORT_H*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_nth.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_nth.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_nth.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_nth.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,19 @@
+#ifndef _IPT_NTH_H
+#define _IPT_NTH_H
+
+#include
+#include
+
+#ifndef IPT_NTH_NUM_COUNTERS
+#define IPT_NTH_NUM_COUNTERS 16
+#endif
+
+struct ipt_nth_info {
+ u_int8_t every;
+ u_int8_t not;
+ u_int8_t startat;
+ u_int8_t counter;
+ u_int8_t packet;
+};
+
+#endif /*_IPT_NTH_H*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_policy.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_policy.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_policy.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_policy.h 2004-07-14 11:50:58.000000000 +0200
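Review bot: The 32-byte budget stated in `/* Must fit inside union ipt_matchinfo: 32 bytes */` holds only if the compiler packs `u_int8_t flags:2` and `u_int16_t pflags:14` into one 16-bit unit, and the packing of adjacent bit-fields with different declared types is implementation-defined. Declaring both with the same base type, `u_int16_t flags:2;` and `u_int16_t pflags:14;`, and adding a compile-time size check in the code that uses the struct would make the assumption explicit. The port list is also terminated in-band (pflags bit set and port=65535), so the code walking `ports[]`, which is not on this page, needs to stop at `IPT_MULTI_PORTS` regardless, since a rule supplied from userspace need not contain the terminator.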
@@ -0,0 +1,52 @@
+#ifndef _IPT_POLICY_H
+#define _IPT_POLICY_H
+
+#define POLICY_MAX_ELEM 4
+
+enum ipt_policy_flags
+{
+ POLICY_MATCH_IN = 0x1,
+ POLICY_MATCH_OUT = 0x2,
+ POLICY_MATCH_NONE = 0x4,
+ POLICY_MATCH_STRICT = 0x8,
+};
+
+enum ipt_policy_modes
+{
+ POLICY_MODE_TRANSPORT,
+ POLICY_MODE_TUNNEL
+};
+
+struct ipt_policy_spec
+{
+ u_int8_t saddr:1,
+ daddr:1,
+ proto:1,
+ mode:1,
+ spi:1,
+ reqid:1;
+};
+
+struct ipt_policy_elem
+{
+ u_int32_t saddr;
+ u_int32_t smask;
+ u_int32_t daddr;
+ u_int32_t dmask;
+ u_int32_t spi;
+ u_int32_t reqid;
+ u_int8_t proto;
+ u_int8_t mode;
+
+ struct ipt_policy_spec match;
+ struct ipt_policy_spec invert;
+};
+
+struct ipt_policy_info
+{
+ struct ipt_policy_elem pol[POLICY_MAX_ELEM];
+ u_int16_t flags;
+ u_int16_t len;
+};
+
+#endif /* _IPT_POLICY_H */
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_psd.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_psd.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_psd.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_psd.h 2004-07-14 11:50:58.000000000 +0200
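Review bot: ipt_policy.h defines the unprefixed enumerators `POLICY_MATCH_IN` through `POLICY_MATCH_STRICT`, `POLICY_MODE_TRANSPORT` and `POLICY_MODE_TUNNEL`, and ip6t_policy.h later in this patch defines the same names in its own enums, so a file that includes both headers redeclares them and fails to compile. Prefixing the enumerators per family, or moving the shared constants into one common header, avoids the clash. In `struct ipt_policy_info` the 16-bit `len` is presumably the number of valid entries in `pol[]`; a comment such as `/* entries used in pol[], at most POLICY_MAX_ELEM */` would tell the consumer which bound to enforce on a value that comes from userspace.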
@@ -0,0 +1,40 @@
+#ifndef _IPT_PSD_H
+#define _IPT_PSD_H
+
+#include
+#include
+
+/*
+ * High port numbers have a lower weight to reduce the frequency of false
+ * positives, such as from passive mode FTP transfers.
+ */
+#define PORT_WEIGHT_PRIV 3
+#define PORT_WEIGHT_HIGH 1
+
+/*
+ * Port scan detection thresholds: at least COUNT ports need to be scanned
+ * from the same source, with no longer than DELAY ticks between ports.
+ */
+#define SCAN_MIN_COUNT 7
+#define SCAN_MAX_COUNT (SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
+#define SCAN_WEIGHT_THRESHOLD SCAN_MAX_COUNT
+#define SCAN_DELAY_THRESHOLD (300) /* old usage of HZ here was erroneously and broke under uml */
+
+/*
+ * Keep track of up to LIST_SIZE source addresses, using a hash table of
+ * HASH_SIZE entries for faster lookups, but limiting hash collisions to
+ * HASH_MAX source addresses per the same hash value.
+ */
+#define LIST_SIZE 0x100
+#define HASH_LOG 9
+#define HASH_SIZE (1 << HASH_LOG)
+#define HASH_MAX 0x10
+
+struct ipt_psd_info {
+ unsigned int weight_threshold;
+ unsigned int delay_threshold;
+ unsigned short lo_ports_weight;
+ unsigned short hi_ports_weight;
+};
+
+#endif /*_IPT_PSD_H*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_quota.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_quota.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_quota.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_quota.h 2004-07-14 11:50:58.000000000 +0200
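Review bot: `SCAN_DELAY_THRESHOLD (300)` no longer has a stated unit: the block comment above it still speaks of "DELAY ticks", while the trailing comment says the HZ factor was removed. If the match code (not on this page) still compares the value against a tick counter, the detection window shrinks as HZ grows, for example 3 s at HZ=100 but 0.3 s at HZ=1000, which changes what the port-scan detector catches. The define and `delay_threshold` in `struct ipt_psd_info` should each carry a comment naming the unit the kernel side assumes.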
@@ -0,0 +1,11 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+
+/* print debug info in both kernel/netfilter module & iptable library */
+//#define DEBUG_IPT_QUOTA
+
+struct ipt_quota_info {
+ u_int64_t quota;
+};
+
+#endif /*_IPT_QUOTA_H*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_realm.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_realm.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_realm.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_realm.h 2004-07-14 11:50:45.000000000 +0200
@@ -0,0 +1,10 @@
+#ifndef _IPT_REALM_H
+#define _IPT_REALM_H
+
+struct ipt_realm_info {
+ u_int32_t id;
+ u_int32_t mask;
+ u_int8_t invert;
+};
+
+#endif /* _IPT_REALM_H */
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_ROUTE.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_ROUTE.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,22 @@
+/* Header file for iptables ipt_ROUTE target
+ *
+ * (C) 2002 by Cédric de Launois
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ */
+#ifndef _IPT_ROUTE_H_target
+#define _IPT_ROUTE_H_target
+
+#define IPT_ROUTE_IFNAMSIZ 16
+
+struct ipt_route_target_info {
+ char oif[IPT_ROUTE_IFNAMSIZ]; /* Output Interface Name */
+ char iif[IPT_ROUTE_IFNAMSIZ]; /* Input Interface Name */
+ u_int32_t gw; /* IP address of gateway */
+ u_int8_t flags;
+};
+
+/* Values for "flags" field */
+#define IPT_ROUTE_CONTINUE 0x01
+
+#endif /*_IPT_ROUTE_H_target*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_sctp.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_sctp.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_sctp.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_sctp.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,107 @@
+#ifndef _IPT_SCTP_H_
+#define _IPT_SCTP_H_
+
+#define IPT_SCTP_SRC_PORTS 0x01
+#define IPT_SCTP_DEST_PORTS 0x02
+#define IPT_SCTP_CHUNK_TYPES 0x04
+
+#define IPT_SCTP_VALID_FLAGS 0x07
+
+#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
+
+
+struct ipt_sctp_flag_info {
+ u_int8_t chunktype;
+ u_int8_t flag;
+ u_int8_t flag_mask;
+};
+
+#define IPT_NUM_SCTP_FLAGS 4
+
+struct ipt_sctp_info {
+ u_int16_t dpts[2]; /* Min, Max */
+ u_int16_t spts[2]; /* Min, Max */
+
+ u_int32_t chunkmap[256 / sizeof (u_int32_t)]; /* Bit mask of chunks to be matched according to RFC 2960 */
+
+#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */
+
+ u_int32_t chunk_match_type;
+ struct ipt_sctp_flag_info flag_info[IPT_NUM_SCTP_FLAGS];
+ int flag_count;
+
+ u_int32_t flags;
+ u_int32_t invflags;
+};
+
+#define bytes(type) (sizeof(type) * 8)
+
+#define SCTP_CHUNKMAP_SET(chunkmap, type) \
+ do { \
+ chunkmap[type / bytes(u_int32_t)] |= \
+ 1 << (type % bytes(u_int32_t)); \
+ } while (0)
+
+#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
+ do { \
+ chunkmap[type / bytes(u_int32_t)] &= \
+ ~(1 << (type % bytes(u_int32_t))); \
+ } while (0)
+
+#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
+({ \
+ (chunkmap[type / bytes (u_int32_t)] & \
+ (1 << (type % bytes (u_int32_t)))) ? 1: 0; \
+})
+
+#define SCTP_CHUNKMAP_RESET(chunkmap) \
+ do { \
+ int i; \
+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
+ chunkmap[i] = 0; \
+ } while (0)
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
+ do { \
+ int i; \
+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
+ chunkmap[i] = ~0; \
+ } while (0)
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
+ do { \
+ int i; \
+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
+ destmap[i] = srcmap[i]; \
+ } while (0)
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
+({ \
+ int i; \
+ int flag = 1; \
+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
+ if (chunkmap[i]) { \
+ flag = 0; \
+ break; \
+ } \
+ } \
+ flag; \
+})
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
+({ \
+ int i; \
+ int flag = 1; \
+ for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
+ if (chunkmap[i] != ~0) { \
+ flag = 0; \
+ break; \
+ } \
+ } \
+ flag; \
+})
+
+#endif /* _IPT_SCTP_H_ */
+
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_string.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_string.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_string.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_string.h 2004-07-14 11:50:58.000000000 +0200
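Review bot: `SCTP_CHUNKMAP_COPY(destmap, srcmap)` in ipt_sctp.h bounds its loop with `ELEMCOUNT(chunkmap)`, but `chunkmap` is not one of its parameters, so the macro compiles only where the caller happens to have a variable of that name and then copies by that variable's size; the bound should be `ELEMCOUNT(srcmap)`. In the SET, CLEAR and IS_SET macros `1 << (type % bytes(u_int32_t))` shifts a signed `int` by up to 31, which is undefined for bit 31; `1U << ((type) % bytes(u_int32_t))` fixes that and parenthesises the argument. The array is sized as `256 / sizeof (u_int32_t)`, which is 64 words, although the macros index by bits and 256 chunk types need only `256 / bytes(u_int32_t)` words, so either the size or a comment explaining it should change. `ELEMCOUNT` and `bytes` are also very generic names for an exported header, and `ELEMCOUNT` silently gives the wrong count when handed a pointer rather than the array itself.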
@@ -0,0 +1,21 @@
+#ifndef _IPT_STRING_H
+#define _IPT_STRING_H
+
+/* *** PERFORMANCE TWEAK ***
+ * Packet size and search string threshold,
+ * above which sublinear searches is used. */
+#define IPT_STRING_HAYSTACK_THRESH 100
+#define IPT_STRING_NEEDLE_THRESH 20
+
+#define BM_MAX_NLEN 256
+#define BM_MAX_HLEN 1024
+
+typedef char *(*proc_ipt_search) (char *, char *, int, int);
+
+struct ipt_string_info {
+ char string[BM_MAX_NLEN];
+ u_int16_t invert;
+ u_int16_t len;
+};
+
+#endif /* _IPT_STRING_H */
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_time.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_time.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_time.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_time.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,15 @@
+#ifndef __ipt_time_h_included__
+#define __ipt_time_h_included__
+
+
+struct ipt_time_info {
+ u_int8_t days_match; /* 1 bit per day. -SMTWTFS */
+ u_int16_t time_start; /* 0 < time_start < 23*60+59 = 1439 */
+ u_int16_t time_stop; /* 0:0 < time_stat < 23:59 */
+ u_int8_t kerneltime; /* ignore skb time (and use kerneltime) or not. */
+ time_t date_start;
+ time_t date_stop;
+};
+
+
+#endif /* __ipt_time_h_included__ */
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_TTL.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_TTL.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_TTL.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_TTL.h 2004-07-14 11:50:58.000000000 +0200
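Review bot: `struct ipt_string_info` pairs the fixed buffer `string[BM_MAX_NLEN]` with a 16-bit `len` that arrives from userspace, and nothing in the header says that `len` is limited to the buffer. The search code is not on this page; it should reject a rule whose `len` is zero or greater than `BM_MAX_NLEN` when the rule is loaded, before any per-packet search runs with it. A field comment such as `/* valid bytes in string[], 1..BM_MAX_NLEN */` would record the contract here.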
@@ -0,0 +1,21 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+enum {
+ IPT_TTL_SET = 0,
+ IPT_TTL_INC,
+ IPT_TTL_DEC
+};
+
+#define IPT_TTL_MAXMODE IPT_TTL_DEC
+
+struct ipt_TTL_info {
+ u_int8_t mode;
+ u_int8_t ttl;
+};
+
+
+#endif
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_XOR.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_XOR.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv4/ipt_XOR.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv4/ipt_XOR.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,9 @@
+#ifndef _IPT_XOR_H
+#define _IPT_XOR_H
+
+struct ipt_XOR_info {
+ char key[30];
+ u_int8_t block_size;
+};
+
+#endif /* _IPT_XOR_H */
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6_logging.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6_logging.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6_logging.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6_logging.h 2004-07-14 12:43:01.246030336 +0200
@@ -0,0 +1,5 @@
+/* IPv6 macros for the nternal logging interface. */
+#ifndef __IP6_LOGGING_H
+#define __IP6_LOGGING_H
+
+#endif /*__IP6_LOGGING_H*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6_tables.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6_tables.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6_tables.h 2004-06-23 23:52:58.000000000 +0200
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6_tables.h 2004-07-14 12:45:13.405938976 +0200
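Review bot: `struct ipt_XOR_info` in ipt_XOR.h documents neither the key length nor the valid range of `block_size`: `key[30]` uses a bare literal and there is no field saying how many of the 30 bytes are meaningful or whether the key is NUL-terminated. The target code is not on this page; it should reject a `block_size` of 0 or one larger than `sizeof key` when the rule is loaded. A named constant for 30 and a comment on each field would fix the documentation gap. If the target XORs packet data with this key, as the name suggests, the header comment should also say that this is obfuscation and gives no confidentiality against anyone who can observe traffic.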
@@ -99,8 +99,6 @@ u_int64_t pcnt, bcnt; /* Packet and byte counters */ }; -static DECLARE_MUTEX(ip6t_mutex); - /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper protocols */ diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_fuzzy.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_fuzzy.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_fuzzy.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_fuzzy.h 2004-07-14 11:50:58.000000000 +0200 @@ -0,0 +1,21 @@ +#ifndef _IP6T_FUZZY_H +#define _IP6T_FUZZY_H + +#include +#include + +#define MAXFUZZYRATE 10000000 +#define MINFUZZYRATE 3 + +struct ip6t_fuzzy_info { + u_int32_t minimum_rate; + u_int32_t maximum_rate; + u_int32_t packets_total; + u_int32_t bytes_total; + u_int32_t previous_time; + u_int32_t present_time; + u_int32_t mean_rate; + u_int8_t acceptance_rate; +}; + +#endif /*_IP6T_FUZZY_H*/ diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_HL.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_HL.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_HL.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_HL.h 2004-07-14 11:50:58.000000000 +0200 
@@ -0,0 +1,22 @@
+/* Hop Limit modification module for ip6tables
+ * Maciej Soltysiak
+ * Based on HW's TTL module */
+
+#ifndef _IP6T_HL_H
+#define _IP6T_HL_H
+
+enum {
+ IP6T_HL_SET = 0,
+ IP6T_HL_INC,
+ IP6T_HL_DEC
+};
+
+#define IP6T_HL_MAXMODE IP6T_HL_DEC
+
+struct ip6t_HL_info {
+ u_int8_t mode;
+ u_int8_t hop_limit;
+};
+
+
+#endif
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_nth.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_nth.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_nth.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_nth.h 2004-07-14 11:50:58.000000000 +0200
@@ -0,0 +1,19 @@
+#ifndef _IP6T_NTH_H
+#define _IP6T_NTH_H
+
+#include
+#include
+
+#ifndef IP6T_NTH_NUM_COUNTERS
+#define IP6T_NTH_NUM_COUNTERS 16
+#endif
+
+struct ip6t_nth_info {
+ u_int8_t every;
+ u_int8_t not;
+ u_int8_t startat;
+ u_int8_t counter;
+ u_int8_t packet;
+};
+
+#endif /*_IP6T_NTH_H*/
diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_owner.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_owner.h
--- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_owner.h 2003-12-15 19:46:58.000000000 +0100
+++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_owner.h 2004-07-14 11:50:58.000000000 +0200
@@ -6,12 +6,14 @@ #define IP6T_OWNER_GID 0x02 #define IP6T_OWNER_PID 0x04 #define IP6T_OWNER_SID 0x08 +#define IP6T_OWNER_COMM 0x10 struct ip6t_owner_info { uid_t uid; gid_t gid; pid_t pid; pid_t sid; + char comm[16]; u_int8_t match, invert; /* flags */ }; diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_policy.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_policy.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_policy.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_policy.h 2004-07-14 11:50:58.000000000 +0200 @@ -0,0 +1,52 @@ +#ifndef _IP6T_POLICY_H +#define _IP6T_POLICY_H + +#define POLICY_MAX_ELEM 4 + +enum ip6t_policy_flags +{ + POLICY_MATCH_IN = 0x1, + POLICY_MATCH_OUT = 0x2, + POLICY_MATCH_NONE = 0x4, + POLICY_MATCH_STRICT = 0x8, +}; + +enum ip6t_policy_modes +{ + POLICY_MODE_TRANSPORT, + POLICY_MODE_TUNNEL +}; + +struct ip6t_policy_spec +{ + u_int8_t saddr:1, + daddr:1, + proto:1, + mode:1, + spi:1, + reqid:1; +}; + +struct ip6t_policy_elem +{ + struct in6_addr saddr; + struct in6_addr smask; + struct in6_addr daddr; + struct in6_addr dmask; + u_int32_t spi; + u_int32_t reqid; + u_int8_t proto; + u_int8_t mode; + + struct ip6t_policy_spec match; + struct ip6t_policy_spec invert; +}; + +struct ip6t_policy_info +{ + struct ip6t_policy_elem pol[POLICY_MAX_ELEM]; + u_int16_t flags; + u_int16_t len; +}; + +#endif /* _IP6T_POLICY_H */ diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_REJECT.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_REJECT.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_REJECT.h 2004-03-05 16:36:39.000000000 +0100 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_REJECT.h 2004-07-14 11:50:58.000000000 +0200 
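Review bot: In ip6t_owner.h `char comm[16];` is inserted between `sid` and `match, invert`, which moves the two flag bytes and enlarges `struct ip6t_owner_info`, so an ip6tables binary built against the previous header would hand the kernel a structure with the wrong size and its flags at the old offsets. Appending the new field after `match, invert` would at least leave the existing offsets alone, though the size still changes and needs a matching userspace rebuild. The literal 16 should be a named constant, and a comment should state whether `comm` must be NUL-terminated, since the comparison code (not on this page) will otherwise have to guess. The struct's definition begins inside the hunk but the header's remaining lines are outside it.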
@@ -2,15 +2,17 @@ #define _IP6T_REJECT_H enum ip6t_reject_with { - IP6T_ICMP_NET_UNREACHABLE, - IP6T_ICMP_HOST_UNREACHABLE, - IP6T_ICMP_PROT_UNREACHABLE, - IP6T_ICMP_PORT_UNREACHABLE, - IP6T_ICMP_ECHOREPLY + IP6T_ICMP6_NO_ROUTE, + IP6T_ICMP6_ADM_PROHIBITED, + IP6T_ICMP6_NOT_NEIGHBOUR, + IP6T_ICMP6_ADDR_UNREACH, + IP6T_ICMP6_PORT_UNREACH, + IP6T_ICMP6_ECHOREPLY, + IP6T_TCP_RESET }; struct ip6t_reject_info { enum ip6t_reject_with with; /* reject type */ }; -#endif /*_IPT_REJECT_H*/ +#endif /*_IP6T_REJECT_H*/ diff -uNr linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_ROUTE.h linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_ROUTE.h --- linux-libc-headers-2.6.7.0.orig/include/linux/netfilter_ipv6/ip6t_ROUTE.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-libc-headers-2.6.7.0/include/linux/netfilter_ipv6/ip6t_ROUTE.h 2004-07-14 11:50:58.000000000 +0200 @@ -0,0 +1,22 @@ +/* Header file for iptables ip6t_ROUTE target + * + * (C) 2003 by Cédric de Launois + * + * This software is distributed under GNU GPL v2, 1991 + */ +#ifndef _IPT_ROUTE_H_target +#define _IPT_ROUTE_H_target + +#define IP6T_ROUTE_IFNAMSIZ 16 + +struct ip6t_route_target_info { + char oif[IP6T_ROUTE_IFNAMSIZ]; /* Output Interface Name */ + char iif[IP6T_ROUTE_IFNAMSIZ]; /* Input Interface Name */ + u_int32_t gw[4]; /* IPv6 address of gateway */ + u_int8_t flags; +}; + +/* Values for "flags" field */ +#define IP6T_ROUTE_CONTINUE 0x01 + +#endif /*_IP6T_ROUTE_H_target*/
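Review bot: The `enum ip6t_reject_with` values are renumbered rather than extended: 3 used to be `IP6T_ICMP_PORT_UNREACHABLE` and is now `IP6T_ICMP6_ADDR_UNREACH`, and 4 used to be `IP6T_ICMP_ECHOREPLY` and is now `IP6T_ICMP6_PORT_UNREACH`. A rule loaded by a userspace tool built against the old header would therefore select a different reject type without any error. Writing the values out, starting with `IP6T_ICMP6_NO_ROUTE = 0,`, would make the wire values visible in the header, and the target code (not on this page) should refuse any value above `IP6T_TCP_RESET`.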
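Review bot: ip6t_ROUTE.h opens with `#ifndef _IPT_ROUTE_H_target` and `#define _IPT_ROUTE_H_target`, the same guard that ipt_ROUTE.h uses earlier in this patch, while its closing comment names `_IP6T_ROUTE_H_target`. Whichever of the two headers is included second is skipped entirely, so either `struct ip6t_route_target_info` or the IPv4 structure silently goes missing from the translation unit. The guard should read `#ifndef _IP6T_ROUTE_H_target` followed by `#define _IP6T_ROUTE_H_target`. `oif` and `iif` are fixed 16-byte names filled from userspace, and the target code (not on this page) should confirm they are NUL-terminated before looking up a device by name.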