Commit | Line | Data |
---|---|---|
4356d229 | 1 | diff -Nur --exclude '*.orig' linux-2.4.20.org/Documentation/Configure.help linux-2.4.20/Documentation/Configure.help |
2 | --- linux-2.4.20.org/Documentation/Configure.help Wed Sep 24 08:52:58 2003 | |
3 | +++ linux-2.4.20/Documentation/Configure.help Wed Sep 24 09:18:15 2003 | |
4 | @@ -2543,6 +2543,50 @@ | |
5 | If you want to compile it as a module, say M here and read | |
6 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
7 | ||
8 | +Amanda protocol support | |
9 | +CONFIG_IP_NF_AMANDA | |
10 | + If you are running the Amanda backup package (http://www.amanda.org/) | |
11 | + on this machine or machines that will be MASQUERADED through this | |
12 | + machine, then you may want to enable this feature. This allows the | |
13 | + connection tracking and natting code to allow the sub-channels that | |
14 | + Amanda requires for communication of the backup data, messages and | |
15 | + index. | |
16 | + | |
17 | + If you want to compile it as a module, say M here and read | |
18 | + Documentation/modules.txt. If unsure, say `N'. | |
19 | + | |
20 | + | |
21 | +CuSeeMe protocol support | |
22 | +CONFIG_IP_NF_CUSEEME | |
23 | + The CuSeeMe conferencing protocol is problematic when used in | |
24 | + conjunction with NAT; even though there are no random ports used for | |
25 | + extra connections, the messages contain IP addresses inside them. | |
26 | + This NAT helper mangles the IP address inside packets so both | |
27 | + parties don't get confused. | |
28 | + | |
29 | + If you want to compile it as a module, say M here and read | |
30 | + <file:Documentation/modules.txt>. If unsure, say `Y'. | |
31 | + | |
32 | +MMS protocol support | |
33 | +CONFIG_IP_NF_MMS | |
34 | + Tracking MMS (Microsoft Windows Media Services) connections | |
35 | + could be problematic if random ports are used to send the | |
36 | + streaming content. This option allows users to track streaming | |
37 | + connections over random UDP or TCP ports. | |
38 | + | |
39 | + If you want to compile it as a module, say M here and read | |
40 | + <file:Documentation/modules.txt>. If unsure, say `Y'. | |
41 | + | |
42 | +Quake III Arena protocol support | |
43 | +CONFIG_IP_NF_QUAKE3 | |
44 | + Quake III Arena connection tracking helper. This module allows for a | |
45 | + stricter firewall rulebase if one only allows traffic to a master | |
46 | + server. Connections to Quake III server IP addresses and ports returned | |
47 | + by the master server will be tracked automatically. | |
48 | + | |
49 | + If you want to compile it as a module, say M here and read | |
50 | + <file:Documentation/modules.txt>. If unsure, say `Y'. | |
51 | + | |
52 | IRC Send/Chat protocol support | |
53 | CONFIG_IP_NF_IRC | |
54 | There is a commonly-used extension to IRC called | |
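Review bot: The added CuSeeMe, MMS and Quake III Arena entries end with ``If unsure, say `Y'.``, while the Amanda entry in the same hunk and the existing entries around it recommend `N`. By their own descriptions these helpers parse application payload and then track further connections or rewrite addresses inside packets, so building them by default widens what a stateful ruleset will accept as related traffic. I would change the three lines to ``If unsure, say `N'.`` so that a helper is built only where the protocol is actually in use. The TFTP entry in the next hunk carries the same `Y` default.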
55 | @@ -2557,6 +2601,118 @@ | |
56 | If you want to compile it as a module, say 'M' here and read | |
57 | Documentation/modules.txt. If unsure, say 'N'. | |
58 | ||
59 | +TFTP protocol support | |
60 | +CONFIG_IP_NF_TFTP | |
61 | + TFTP connection tracking helper, this is required depending | |
62 | + on how restrictive your ruleset is. | |
63 | + If you are using a tftp client behind -j SNAT or -j MASQUERADING | |
64 | + you will need this. | |
65 | + | |
66 | + If you want to compile it as a module, say M here and read | |
67 | + Documentation/modules.txt. If unsure, say `Y'. | |
68 | + | |
69 | +Per connection mark support | |
70 | +CONFIG_IP_NF_CONNTRACK_MARK | |
71 | + This option enables support for connection marks, used by the | |
72 | + `CONNMARK' target and `connmark' match. Similar to the mark value | |
73 | + of packets, but this mark value is kept in the conntrack session | |
74 | + instead of the individual packets. | |
75 | + | |
76 | +CONNMARK target support | |
77 | +CONFIG_IP_NF_TARGET_CONNMARK | |
78 | + This option adds a `CONNMARK' target, which allows one to manipulate | |
79 | + the connection mark value. Similar to the MARK target, but | |
80 | + affects the connection mark value rather than the packet mark value. | |
81 | + | |
82 | + If you want to compile it as a module, say M here and read | |
83 | + Documentation/modules.txt. The module will be called | |
84 | + ipt_CONNMARK.o. If unsure, say `N'. | |
85 | + | |
86 | +connmark match support | |
87 | +CONFIP_IP_NF_MATCH_CONNMARK | |
88 | + This option adds a `connmark' match, which allows you to match the | |
89 | + connection mark value previously set for the session by `CONNMARK'. | |
90 | + | |
91 | +Eggdrop bot support | |
92 | +CONFIG_IP_NF_EGG | |
93 | + If you are running an eggdrop hub bot on this machine, then you | |
94 | + may want to enable this feature. This enables eggdrop bots to share | |
95 | + their user file to other eggdrop bots. | |
96 | + | |
97 | + If you want to compile it as a module, say M here and read | |
98 | + Documentation/modules.txt. If unsure, say `N'. | |
99 | + | |
100 | +H.323 (netmeeting) support | |
101 | +CONFIG_IP_NF_H323 | |
102 | + H.323 is a standard signalling protocol used by teleconferencing | |
103 | + softwares like netmeeting. With the ip_conntrack_h323 and | |
104 | + the ip_nat_h323 modules you can support the protocol on a connection | |
105 | + tracking/NATing firewall. | |
106 | + | |
107 | + If you want to compile it as a module, say 'M' here and read | |
108 | + Documentation/modules.txt. If unsure, say 'N'. | |
109 | + | |
110 | +PPTP conntrack and NAT support | |
111 | +CONFIG_IP_NF_PPTP | |
112 | + This module adds support for PPTP (Point to Point Tunnelling Protocol, | |
113 | + RFC2637) conncection tracking and NAT. | |
114 | + | |
115 | + If you are running PPTP sessions over a stateful firewall or NAT box, | |
116 | + you may want to enable this feature. | |
117 | + | |
118 | + Please note that not all PPTP modes of operation are supported yet. | |
119 | + For more info, read top of the file net/ipv4/netfilter/ip_conntrack_pptp.c | |
120 | + | |
121 | + If you want to compile it as a module, say M here and read | |
122 | + Documentation/modules.txt. If unsure, say `N'. | |
123 | + | |
124 | +GRE protocol conntrack and NAT support | |
125 | +CONFIG_IP_NF_CT_PROTO_GRE | |
126 | + This module adds generic support for connection tracking and NAT of the | |
127 | + GRE protocol (RFC1701, RFC2784). Please note that this will only work | |
128 | + with GRE connections using the key field of the GRE header. | |
129 | + | |
130 | + You will need GRE support to enable PPTP support. | |
131 | + | |
132 | + If you want to compile it as a module, say `M' here and read | |
133 | + Documentation/modules.txt. If unsire, say `N'. | |
134 | + | |
135 | +RSH protocol support | |
136 | +CONFIG_IP_NF_RSH | |
137 | + The RSH connection tracker is required if the dynamic | |
138 | + stderr "Server to Client" connection is to occur during a | |
139 | + normal RSH session. This typically operates as follows; | |
140 | + | |
141 | + Client 0:1023 --> Server 514 (stream 1 - stdin/stdout) | |
142 | + Client 0:1023 <-- Server 0:1023 (stream 2 - stderr) | |
143 | + | |
144 | + This connection tracker will identify new RSH sessions, | |
145 | + extract the outbound session details, and notify netfilter | |
146 | + of pending "related" sessions. | |
147 | + | |
148 | + Warning: This module could be dangerous. It is not "best | |
149 | + practice" to use RSH, use SSH in all instances. | |
150 | + (see rfc1244, rfc1948, rfc2179, etc ad-nauseum) | |
151 | + | |
152 | + | |
153 | + If you want to compile it as a module, say M here and read | |
154 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
155 | + | |
156 | +Talk protocol support | |
157 | +CONFIG_IP_NF_TALK | |
158 | + The talk protocols (both otalk/talk - or talk/ntalk, to confuse | |
159 | + you by the different namings about which is old or which is new :-) | |
160 | + use an additional channel to setup the talk session and a separated | |
161 | + data channel for the actual conversation (like in FTP). Both the | |
162 | + initiating and the setup channels are over UDP, while the data channel | |
163 | + is over TCP, on a random port. The conntrack part of this extension | |
164 | + will enable you to let in/out talk sessions easily by matching these | |
165 | + connections as RELATED by the state match, while the NAT part helps | |
166 | + you to let talk sessions trough a NAT machine. | |
167 | + | |
168 | + If you want to compile it as a module, say 'M' here and read | |
169 | + Documentation/modules.txt. If unsure, say 'N'. | |
170 | + | |
171 | FTP protocol support | |
172 | CONFIG_IP_NF_FTP | |
173 | Tracking FTP connections is problematic: special helpers are | |
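Review bot: The symbol line of the `connmark match support` entry reads `CONFIP_IP_NF_MATCH_CONNMARK`, which looks like a typo for `CONFIG_IP_NF_MATCH_CONNMARK`; every other entry in this hunk uses the `CONFIG_` prefix. If the configuration tools look help text up by that symbol line, the help for this option will not be found. The same entry also lacks the "compile it as a module" paragraph that its sibling `CONNMARK target support` entry carries. In the GRE entry, `If unsire` should read `If unsure`.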
174 | @@ -2584,6 +2740,33 @@ | |
175 | If you want to compile it as a module, say M here and read | |
176 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
177 | ||
178 | +recent match support | |
179 | +CONFIG_IP_NF_MATCH_RECENT | |
180 | + This match is used for creating one or many lists of recently | |
181 | + used addresses and then matching against that/those list(s). | |
182 | + | |
183 | + Short options are available by using 'iptables -m recent -h' | |
184 | + Official Website: <http://snowman.net/projects/ipt_recent/> | |
185 | + | |
186 | + If you want to compile it as a module, say M here and read | |
187 | + Documentation/modules.txt. If unsure, say `N'. | |
188 | + | |
189 | +quota match support | |
190 | +CONFIG_IP_NF_MATCH_QUOTA | |
191 | + This match implements network quotas. | |
192 | + | |
193 | + If you want to compile it as a module, say M here and read | |
194 | + Documentation/modules.txt. If unsure, say `N'. | |
195 | + | |
196 | + | |
197 | +addrtype match support | |
198 | +CONFIG_IP_NF_MATCH_ADDRTYPE | |
199 | + This option allows you to match what routing thinks of an address, | |
200 | + eg. UNICAST, LOCAL, BROADCAST, ... | |
201 | + | |
202 | + If you want to compile it as a module, say M here and read | |
203 | + Documentation/modules.txt. If unsure, say `N'. | |
204 | + | |
205 | limit match support | |
206 | CONFIG_IP_NF_MATCH_LIMIT | |
207 | limit matching allows you to control the rate at which a rule can be | |
208 | @@ -2635,6 +2818,14 @@ | |
209 | If you want to compile it as a module, say M here and read | |
210 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
211 | ||
212 | +Multiple port with ranges match support | |
213 | +CONFIG_IP_NF_MATCH_MPORT | |
214 | + This is an enhanced multiport match which supports port | |
215 | + ranges as well as single ports. | |
216 | + | |
217 | + If you want to compile it as a module, say M here and read | |
218 | + Documentation/modules.txt. If unsure, say `N'. | |
219 | + | |
220 | Multiple port match support | |
221 | CONFIG_IP_NF_MATCH_MULTIPORT | |
222 | Multiport matching allows you to match TCP or UDP packets based on | |
223 | @@ -2652,6 +2843,18 @@ | |
224 | If you want to compile it as a module, say M here and read | |
225 | Documentation/modules.txt. If unsure, say `N'. | |
226 | ||
227 | +U32 patch support | |
228 | +CONFIG_IP_NF_MATCH_U32 | |
229 | + U32 allows you to extract quantities of up to 4 bytes from a packet, | |
230 | + AND them with specified masks, shift them by specified amounts and | |
231 | + test whether the results are in any of a set of specified ranges. | |
232 | + The specification of what to extract is general enough to skip over | |
233 | + headers with lengths stored in the packet, as in IP or TCP header | |
234 | + lengths. | |
235 | + | |
236 | + Details and examples are in the kernel module source. | |
237 | + | |
238 | + | |
239 | LENGTH match support | |
240 | CONFIG_IP_NF_MATCH_LENGTH | |
241 | This option allows you to match the length of a packet against a | |
242 | @@ -2690,6 +2893,132 @@ | |
243 | ||
244 | ||
245 | ||
246 | +Fuzzy Logic Controller match support | |
247 | +CONFIG_IP_NF_MATCH_FUZZY | |
248 | + This option adds a `fuzzy' match, | |
249 | + which allows you to match packets according to a fuzzy logic | |
250 | + based law . | |
251 | + | |
252 | + If you want to compile it as a module, say M here and read | |
253 | + Documentation/modules.txt. If unsure, say `N'. | |
254 | + | |
255 | + | |
256 | +iprange match support | |
257 | +CONFIG_IP_NF_MATCH_IPRANGE | |
258 | + This option makes possible to match IP addresses against | |
259 | + IP address ranges. | |
260 | + | |
261 | + If you want to compile it as a module, say M here and read | |
262 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
263 | + | |
264 | + | |
265 | +IPV4OPTIONS patch support | |
266 | +CONFIG_IP_NF_MATCH_IPV4OPTIONS | |
267 | + This option adds a IPV4OPTIONS match. | |
268 | + It allows you to filter options like source routing, | |
269 | + record route, timestamp and router-altert. | |
270 | + | |
271 | + If you say Y here, try iptables -m ipv4options --help for more information. | |
272 | + | |
273 | + If you want to compile it as a module, say M here and read | |
274 | + Documentation/modules.txt. If unsure, say `N'. | |
275 | + | |
276 | + | |
277 | +Nth match support | |
278 | +CONFIG_IP_NF_MATCH_NTH | |
279 | + This option adds a `Nth' match, which allow you to make | |
280 | + rules that match every Nth packet. By default there are | |
281 | + 16 different counters. | |
282 | + | |
283 | +[options] | |
284 | + --every Nth Match every Nth packet | |
285 | + [--counter] num Use counter 0-15 (default:0) | |
286 | + [--start] num Initialize the counter at the number 'num' | |
287 | + instead of 0. Must be between 0 and Nth-1 | |
288 | + [--packet] num Match on 'num' packet. Must be between 0 | |
289 | + and Nth-1. | |
290 | + | |
291 | + If --packet is used for a counter than | |
292 | + there must be Nth number of --packet | |
293 | + rules, covering all values between 0 and | |
294 | + Nth-1 inclusively. | |
295 | + | |
296 | + If you want to compile it as a module, say M here and read | |
297 | + Documentation/modules.txt. If unsure, say `N'. | |
298 | + | |
299 | + | |
300 | +OSF match support | |
301 | +CONFIG_IP_NF_MATCH_OSF | |
302 | + | |
303 | + The idea of passive OS fingerprint matching exists for quite a long time, | |
304 | + but was created as extension fo OpenBSD pf only some weeks ago. | |
305 | + Original idea was lurked in some OpenBSD mailing list (thanks | |
306 | + grange@open...) and than adopted for Linux netfilter in form of this code. | |
307 | + | |
308 | + Original table was created by Michal Zalewski <lcamtuf@coredump.cx> for | |
309 | + his excellent p0f and than changed a bit for more convenience. | |
310 | + | |
311 | + This module compares some data(WS, MSS, options and it's order, ttl, | |
312 | + df and others) from first SYN packet (actually from packets with SYN | |
313 | + bit set) with hardcoded in fingers[] table ones. | |
314 | + | |
315 | + If you say Y here, try iptables -m osf --help for more information. | |
316 | + | |
317 | + If you want to compile it as a module, say M here and read | |
318 | + Documentation/modules.txt. If unsure, say `N'. | |
319 | + | |
320 | +psd match support | |
321 | +CONFIG_IP_NF_MATCH_PSD | |
322 | + This option adds a `psd' match, which allows you to create rules in | |
323 | + any iptables table wich will detect TCP and UDP port scans. | |
324 | + | |
325 | + If you want to compile it as a module, say M here and read | |
326 | + Documentation/modules.txt. If unsure, say `N'. | |
327 | + | |
328 | + | |
329 | +Random match support | |
330 | +CONFIG_IP_NF_MATCH_RANDOM | |
331 | + This option adds a `random' match, | |
332 | + which allow you to match packets randomly | |
333 | + following a given probability. | |
334 | + | |
335 | + If you want to compile it as a module, say M here and read | |
336 | + Documentation/modules.txt. If unsure, say `N'. | |
337 | + | |
338 | + | |
339 | +REALM match support | |
340 | +CONFIG_IP_NF_MATCH_REALM | |
341 | + This option adds a `realm' match, which allows you to use the realm | |
342 | + key from the routing subsytem inside iptables. | |
343 | + | |
344 | + This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option | |
345 | + in tc world. | |
346 | + | |
347 | + If you want to compile it as a module, say M here and read | |
348 | + Documentation/modules.txt. If unsure, say `N'. | |
349 | + | |
350 | + | |
351 | +TIME patch support | |
352 | +CONFIG_IP_NF_MATCH_TIME | |
353 | + This option adds a `time' match, which allows you | |
354 | + to matchbased on the packet arrival time | |
355 | + (arrival time at the machine which the netfilter is running on) or | |
356 | + departure time (for locally generated packets). | |
357 | + | |
358 | + If you say Y here, try iptables -m time --help for more information. | |
359 | + | |
360 | + If you want to compile it as a module, say M here and read | |
361 | + Documentation/modules.txt. If unsure, say `N'. | |
362 | + | |
363 | + | |
364 | +Condition variable match support | |
365 | +CONFIG_IP_NF_MATCH_CONDITION | |
366 | + This option allows you to match firewall rules against condition | |
367 | + variables stored in the /proc/net/ipt_condition directory. | |
368 | + | |
369 | + If you want to compile it as a module, say M here and read | |
370 | + Documentation/modules.txt. If unsure, say `N'. | |
371 | + | |
372 | TOS match support | |
373 | CONFIG_IP_NF_MATCH_TOS | |
374 | TOS matching allows you to match packets based on the Type Of | |
375 | @@ -2710,6 +3039,44 @@ | |
376 | Documentation/modules.txt. If unsure, say `N'. | |
377 | ||
378 | ||
379 | +Connections/IP limit match support | |
380 | +CONFIG_IP_NF_MATCH_CONNLIMIT | |
381 | + This match allows you to restrict the number of parallel TCP | |
382 | + connections to a server per client IP address (or address block). | |
383 | + | |
384 | + If you want to compile it as a module, say M here and read | |
385 | + Documentation/modules.txt. If unsure, say `N'. | |
386 | + | |
387 | +RPC match support | |
388 | +CONFIG_IP_NF_MATCH_RPC | |
389 | + This adds CONFIG_IP_NF_MATCH_RPC, which is the RPC connection | |
390 | + matcher and tracker. | |
391 | + | |
392 | + This option supplies two connection tracking modules; | |
393 | + ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track | |
394 | + portmapper requests using UDP and TCP respectively. | |
395 | + | |
396 | + This option also adds an RPC match module for iptables, which | |
397 | + matches both via the old "record match" method and a new | |
398 | + "procedure match" method. The older method matches all RPC | |
399 | + procedure packets that relate to previously recorded packets | |
400 | + seen querying a portmapper. The newer method matches only | |
401 | + those RPC procedure packets explicitly specified by the user, | |
402 | + and that can then be related to previously recorded packets | |
403 | + seen querying a portmapper. | |
404 | + | |
405 | + These three modules are required if RPCs are to be filtered | |
406 | + accurately; as RPCs are allocated pseudo-randomly to UDP and | |
407 | + TCP ports as they register with the portmapper. | |
408 | + | |
409 | + Up to 8 portmapper ports per module, and up to 128 RPC | |
410 | + procedures per iptables rule, may be specified by the user, | |
411 | + to enable effective RPC management. | |
412 | + | |
413 | + | |
414 | + If you want to compile it as a module, say M here and read | |
415 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
416 | + | |
417 | Connection state match support | |
418 | CONFIG_IP_NF_MATCH_STATE | |
419 | Connection state matching allows you to match packets based on their | |
420 | @@ -2719,6 +3086,14 @@ | |
421 | If you want to compile it as a module, say M here and read | |
422 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
423 | ||
424 | +String match support (EXPERIMENTAL) | |
425 | +CONFIG_IP_NF_MATCH_STRING | |
426 | + String matching alows you to match packets which contain a | |
427 | + specified string of characters. | |
428 | + | |
429 | + If you want to compile it as a module, say M here and read | |
430 | + Documentation/modules.txt. If unsure, say `N'. | |
431 | + | |
432 | Unclean match support | |
433 | CONFIG_IP_NF_MATCH_UNCLEAN | |
434 | Unclean packet matching matches any strange or invalid packets, by | |
435 | @@ -2735,6 +3110,52 @@ | |
436 | If you want to compile it as a module, say M here and read | |
437 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
438 | ||
439 | +TARPIT target support | |
440 | +CONFIG_IP_NF_TARGET_TARPIT | |
441 | + Adds a TARPIT target to iptables, which captures and holds | |
442 | + incoming TCP connections using no local per-connection resources. | |
443 | + Connections are accepted, but immediately switched to the persist | |
444 | + state (0 byte window), in which the remote side stops sending data | |
445 | + and asks to continue every 60-240 seconds. Attempts to close the | |
446 | + connection are ignored, forcing the remote side to time out the | |
447 | + connection in 12-24 minutes. | |
448 | + | |
449 | + This offers similar functionality to LaBrea | |
450 | + <http://www.hackbusters.net/LaBrea/> but doesn't require dedicated | |
451 | + hardware or IPs. Any TCP port that you would normally DROP or REJECT | |
452 | + can instead become a tarpit. | |
453 | + | |
454 | +raw table support (required for NOTRACK/TRACE) | |
455 | +CONFIG_IP_NF_RAW | |
456 | + This option adds a `raw' table to iptables. This table is the very | |
457 | + first in the netfilter framework and hooks in at the PREROUTING | |
458 | + and OUTPUT chains. | |
459 | + | |
460 | + If you want to compile it as a module, say M here and read | |
461 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
462 | + | |
463 | +TRACE target support | |
464 | +CONFIG_IP_NF_TARGET_TRACE | |
465 | + The TRACE target allows packets to be traced as those | |
466 | + matches any subsequent rule in any table/rule. The matched | |
467 | + rule and the packet is logged with the prefix | |
468 | + | |
469 | + TRACE: tablename/chainname/rulenum | |
470 | + | |
471 | + If you want to compile it as a module, say M here and read | |
472 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
473 | + | |
474 | +NOTRACK target support | |
475 | +CONFIG_IP_NF_TARGET_NOTRACK | |
476 | + The NOTRACK target allows a select rule to specify | |
477 | + which packets *not* to enter the conntrack/NAT | |
478 | + subsystem with all the consequences (no ICMP error tracking, | |
479 | + no protocol helpers for the selected packets). | |
480 | + | |
481 | + If you want to compile it as a module, say M here and read | |
482 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
483 | + | |
484 | + | |
485 | Packet filtering | |
486 | CONFIG_IP_NF_FILTER | |
487 | Packet filtering defines a table `filter', which has a series of | |
488 | @@ -2744,6 +3165,24 @@ | |
489 | If you want to compile it as a module, say M here and read | |
490 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
491 | ||
492 | +IPV4OPTSSTRIP target support | |
493 | +CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP | |
494 | + This option adds an IPV4OPTSSTRIP target. | |
495 | + This target allows you to strip all IP options in a packet. | |
496 | + | |
497 | + If you want to compile it as a module, say M here and read | |
498 | + Documentation/modules.txt. If unsure, say `N'. | |
499 | + | |
500 | + | |
501 | +NETLINK target support | |
502 | +CONFIG_IP_NF_TARGET_NETLINK | |
503 | + The NETLINK target allows you to recieve packets in userspace via | |
504 | + the kernel firewall netlink socket. Apps such as fwmon | |
505 | + (http://firestorm.geek-ware.co.uk) can then recieve and dislpay | |
506 | + these packets. This option is basically a re-implementation of the | |
507 | + ipchains -o option. | |
508 | + | |
509 | + | |
510 | REJECT target support | |
511 | CONFIG_IP_NF_TARGET_REJECT | |
512 | The REJECT target allows a filtering rule to specify that an ICMP | |
513 | @@ -2808,6 +3247,27 @@ | |
514 | If you want to compile it as a module, say M here and read | |
515 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
516 | ||
517 | +NETMAP target support | |
518 | +CONFIG_IP_NF_TARGET_NETMAP | |
519 | + NETMAP is an implementation of static 1:1 NAT mapping of network | |
520 | + addresses. It maps the network address part, while keeping the | |
521 | + host address part intact. It is similar to Fast NAT, except that | |
522 | + Netfilter's connection tracking doesn't work well with Fast NAT. | |
523 | + | |
524 | + If you want to compile it as a module, say M here and read | |
525 | + Documentation/modules.txt. The module will be called | |
526 | + ipt_NETMAP.o. If unsure, say `N'. | |
527 | + | |
528 | +SAME NAT target support | |
529 | +CONFIG_IP_NF_TARGET_SAME | |
530 | + This option adds a `SAME' target, which works like the standard | |
531 | + SNAT target, but attempts to give clients the same IP for all | |
532 | + connections. | |
533 | + | |
534 | + If you want to compile it as a module, say M here and read | |
535 | + Documentation/modules.txt. The module will be called | |
536 | + ipt_SAME.o. If unsure, say `N'. | |
537 | + | |
538 | REDIRECT target support | |
539 | CONFIG_IP_NF_TARGET_REDIRECT | |
540 | REDIRECT is a special case of NAT: all incoming connections are | |
541 | @@ -2866,6 +3326,42 @@ | |
542 | If you want to compile it as a module, say M here and read | |
543 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
544 | ||
545 | +IMQ target support | |
546 | +CONFIG_IP_NF_TARGET_IMQ | |
547 | + This option adds a `IMQ' target which is used to specify if and | |
548 | + to which imq device packets should get enqueued/dequeued. | |
549 | + | |
550 | + If you want to compile it as a module, say M here and read | |
551 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
552 | + | |
553 | +IPMARK target support | |
554 | +CONFIG_IP_NF_TARGET_IPMARK | |
555 | + This option adds a `IPMARK' target, which allows you to create rules | |
556 | + in the `mangle' table which alter the netfilter mark (nfmark) field | |
557 | + basing on the source or destination ip address of the packet. | |
558 | + This is very useful for very fast massive mangling and marking. | |
559 | + | |
560 | + If you want to compile it as a module, say M here and read | |
561 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
562 | + | |
563 | + | |
564 | + | |
565 | +ROUTE target support | |
566 | +CONFIG_IP_NF_TARGET_ROUTE | |
567 | + This option adds a `ROUTE' target, which enables you to setup unusual | |
568 | + routes. For example, the ROUTE lets you route a received packet through | |
569 | + an interface or towards a host, even if the regular destination of the | |
570 | + packet is the router itself. The ROUTE target is also able to change the | |
571 | + incoming interface of a packet. | |
572 | + | |
573 | + The target can be or not a final target. It has to be used inside the | |
574 | + mangle table. | |
575 | + | |
576 | + If you want to compile it as a module, say M here and read | |
577 | + Documentation/modules.txt. The module will be called ipt_ROUTE.o. | |
578 | + If unsure, say `N'. | |
579 | + | |
580 | + | |
581 | MARK target support | |
582 | CONFIG_IP_NF_TARGET_MARK | |
583 | This option adds a `MARK' target, which allows you to create rules | |
584 | @@ -2933,6 +3429,73 @@ | |
585 | If you want to compile it as a module, say M here and read | |
586 | Documentation/modules.txt. If unsure, say `N'. | |
587 | ||
588 | +TTL target support | |
589 | +CONFIG_IP_NF_TARGET_TTL | |
590 | + This option adds a `TTL' target, which enables the user to set | |
591 | + the TTL value or increment / decrement the TTL value by a given | |
592 | + amount. | |
593 | + | |
594 | + If you want to compile it as a module, say M here and read | |
595 | + Documentation/modules.txt. If unsure, say `N'. | |
596 | + | |
597 | +pool match and target support | |
598 | +CONFIG_IP_NF_MATCH_POOL | |
599 | + Pool matching lets you use bitmaps with one bit per address from some | |
600 | + range of IP addresses; the match depends on whether a checked source | |
601 | + or destination address has its bit set in the pool. | |
602 | + | |
603 | + There is also a POOL netfilter target, which can be used to set or remove | |
604 | + the addresses of a packet from a pool. | |
605 | + | |
606 | + To define and use pools, you need userlevel utilities: a patched iptables, | |
607 | + and the program ippool(8), which defines the pools and their bounds. | |
608 | + The current release of pool matching is ippool-0.0.2, and can be found | |
609 | + in the archives of the netfilter mailing list at | |
610 | + http://lists.samba.org/netfilter/. | |
611 | + | |
612 | + If you want to compile it as a module, say M here and read | |
613 | + Documentation/modules.txt. If unsure, say `N'. | |
614 | + | |
615 | +pool match and target statistics gathering | |
616 | +CONFIG_IP_POOL_STATISTICS | |
617 | + This option controls whether usage gathering code is compiled into the | |
618 | + ip_pool module. Disabling statistics may be substantially faster. | |
619 | + | |
620 | +CLASSIFY target support | |
621 | +CONFIG_IP_NF_TARGET_CLASSIFY | |
622 | + This option adds a `CLASSIFY' target, which enables the user to set | |
623 | + the priority of a packet. Some qdiscs can use this value for classification, | |
624 | + among these are: | |
625 | + | |
626 | + atm, cbq, dsmark, pfifo_fast, htb, prio | |
627 | + | |
628 | + If you want to compile it as a module, say M here and read | |
629 | + Documentation/modules.txt. If unsure, say `N'. | |
630 | + | |
631 | +TCPLAG target support | |
632 | +CONFIG_IP_NF_TARGET_TCPLAG | |
633 | + This option adds a `TCPLAG' target, intended for INPUT, OUTPUT and | |
634 | + FORWARD chains. | |
635 | + | |
636 | + This target has no effect on packets but will passively monitor TCP/IP | |
637 | + connections and send lag estimates to syslog. Lag estimates are | |
638 | + generated by considering the time delay between SEQ and matching ACK, | |
639 | + which does not map precisely to any particular network property. | |
640 | + We can say that a fast network will typically give smaller lag values | |
641 | + than a slow network. | |
642 | + | |
643 | + Safest option is to choose `M' here and compile as a module, | |
644 | + the module will do nothing until activated using the `iptables' utility. | |
645 | + | |
646 | + | |
647 | +XOR target support | |
648 | +CONFIG_IP_NF_TARGET_XOR | |
649 | + This option adds a `XOR' target, which can encrypt TCP and | |
650 | + UDP traffic using a simple XOR encryption. | |
651 | + | |
652 | + If you want to compile it as a module, say M here and read | |
653 | + Documentation/modules.txt. If unsure, say `N'. | |
654 | + | |
655 | LOG target support | |
656 | CONFIG_IP_NF_TARGET_LOG | |
657 | This option adds a `LOG' target, which allows you to create rules in | |
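Review bot: The XOR entry says the target `can encrypt TCP and UDP traffic using a simple XOR encryption`, which overstates the protection a simple XOR of the payload gives. It hides content from casual inspection but should not be relied on for confidentiality or integrity against anyone who can capture the traffic. I would describe it as obfuscation, for example ``This option adds a `XOR' target, which obfuscates TCP and UDP payloads with a simple XOR; it is not a substitute for IPsec or another authenticated encryption layer.``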
658 | @@ -2972,6 +3535,93 @@ | |
659 | If you want to compile it as a module, say M here and read | |
660 | Documentation/modules.txt. If unsure, say `N'. | |
661 | ||
662 | +AH/ESP match support (EXPERIMENTAL) | |
663 | +CONFIG_IP6_NF_MATCH_AHESP | |
664 | + These two match extensions (`ah' and `esp') allow you to match a | |
665 | + range of SPIs inside AH or ESP headers of IPv6 packets. | |
666 | + | |
667 | + If you want to compile it as a module, say M here and read | |
668 | + Documentation/modules.txt. If unsure, say `N'. | |
669 | + | |
670 | + | |
671 | +Fragmentation header match support (EXPERIMENTAL) | |
672 | +CONFIG_IP6_NF_MATCH_FRAG | |
673 | + This match extension (`frag') allow you to select the packet based on the | |
674 | + fileds of the fragmentation header of the IPv6 packets. | |
675 | + | |
676 | + If you want to compile it as a module, say M here and read | |
677 | + Documentation/modules.txt. If unsure, say `N'. | |
678 | + | |
679 | + | |
680 | +IPv6 Extension Headers Match (EXPERIMENTAL) | |
681 | +CONFIG_IP6_NF_MATCH_IPV6HEADER | |
682 | + extension header matching allows you to controll the packets based | |
683 | + on their extension headers. | |
684 | + | |
685 | + If you want to compile it as a module, say M here and read | |
686 | + Documentation/modules.txt. If unsure, say `N'. | |
687 | + | |
688 | + | |
689 | +Fragmentation header match support (EXPERIMENTAL) | |
690 | +CONFIG_IP6_NF_MATCH_OPTS | |
691 | + These match extensions (`hbh' and `dst') allow you to select the packet | |
692 | + based on the fileds of the option header of the IPv6 packets. | |
693 | + | |
694 | + If you want to compile it as a module, say M here and read | |
695 | + Documentation/modules.txt. If unsure, say `N'. | |
696 | + | |
697 | + | |
698 | +Fragmentation header match support (EXPERIMENTAL) | |
699 | +CONFIG_IP6_NF_MATCH_RT | |
700 | + This match extension (`rt') allow you to select the packet based on the | |
701 | + fileds of the routing header of the IPv6 packets. | |
702 | + | |
703 | + If you want to compile it as a module, say M here and read | |
704 | + Documentation/modules.txt. If unsure, say `N'. | |
705 | + | |
706 | + | |
707 | +Fuzzy Logic Controller match support | |
708 | +CONFIG_IP6_NF_MATCH_FUZZY | |
709 | + This option adds a `fuzzy' match, which allows you to match | |
710 | + packets according to a fuzzy logic based law. | |
711 | + | |
712 | + If you want to compile it as a module, say M here and read | |
713 | + Documentation/modules.txt. If unsure, say `N'. | |
714 | + | |
715 | + | |
716 | +Nth match support | |
717 | +CONFIG_IP6_NF_MATCH_NTH | |
718 | + This option adds a `Nth' match, which allow you to make | |
719 | + rules that match every Nth packet. By default there are | |
720 | + 16 different counters. | |
721 | + | |
722 | +[options] | |
723 | + --every Nth Match every Nth packet | |
724 | + [--counter] num Use counter 0-15 (default:0) | |
725 | + [--start] num Initialize the counter at the number 'num' | |
726 | + instead of 0. Must be between 0 and Nth-1 | |
727 | + [--packet] num Match on 'num' packet. Must be between 0 | |
728 | + and Nth-1. | |
729 | + | |
730 | + If --packet is used for a counter than | |
731 | + there must be Nth number of --packet | |
732 | + rules, covering all values between 0 and | |
733 | + Nth-1 inclusively. | |
734 | + | |
735 | + If you want to compile it as a module, say M here and read | |
736 | + Documentation/modules.txt. If unsure, say `N'. | |
737 | + | |
738 | + | |
739 | +Random match support | |
740 | +CONFIG_IP6_NF_MATCH_RANDOM | |
741 | + This option adds a `random' match, | |
742 | + which allow you to match packets randomly | |
743 | + following a given probability. | |
744 | + | |
745 | + If you want to compile it as a module, say M here and read | |
746 | + Documentation/modules.txt. If unsure, say `N'. | |
747 | + | |
748 | + | |
749 | MAC address match support | |
750 | CONFIG_IP6_NF_MATCH_MAC | |
751 | mac matching allows you to match packets based on the source | |
752 | @@ -2988,6 +3638,14 @@ | |
753 | If you want to compile it as a module, say M here and read | |
754 | Documentation/modules.txt. If unsure, say `N'. | |
755 | ||
756 | +Condition variable match support | |
757 | +CONFIG_IP6_NF_MATCH_CONDITION | |
758 | + This option allows you to match firewall rules against condition | |
759 | + variables stored in the /proc/net/ipt_condition directory. | |
760 | + | |
761 | + If you want to compile it as a module, say M here and read | |
762 | + Documentation/modules.txt. If unsure, say `N'. | |
763 | + | |
764 | Netfilter MARK match support | |
765 | CONFIG_IP6_NF_MATCH_MARK | |
766 | Netfilter mark matching allows you to match packets based on the | |
767 | @@ -3031,6 +3689,35 @@ | |
768 | If you want to compile it as a module, say M here and read | |
769 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
770 | ||
771 | +REJECT target support | |
772 | +CONFIG_IP6_NF_TARGET_REJECT | |
773 | + The REJECT target allows a filtering rule to specify that an ICMPv6 | |
774 | + error should be issued in response to an incoming packet, rather | |
775 | + than silently being dropped. | |
776 | + | |
777 | + If you want to compile it as a module, say M here and read | |
778 | + Documentation/modules.txt. If unsure, say `N'. | |
779 | + | |
780 | +raw table support (required for TRACE) | |
781 | +CONFIG_IP6_NF_RAW | |
782 | + This option adds a `raw' table to ip6tables. This table is the very | |
783 | + first in the netfilter framework and hooks in at the PREROUTING | |
784 | + and OUTPUT chains. | |
785 | + | |
786 | + If you want to compile it as a module, say M here and read | |
787 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
788 | + | |
789 | +TRACE target support | |
790 | +CONFIG_IP6_NF_TARGET_TRACE | |
791 | + The TRACE target allows packets to be traced as those | |
792 | + matches any subsequent rule in any table/rule. The matched | |
793 | + rule and the packet is logged with the prefix | |
794 | + | |
795 | + TRACE: tablename/chainname/rulenum | |
796 | + | |
797 | + If you want to compile it as a module, say M here and read | |
798 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
799 | + | |
800 | Packet filtering | |
801 | CONFIG_IP6_NF_FILTER | |
802 | Packet filtering defines a table `filter', which has a series of | |
803 | @@ -3049,6 +3736,26 @@ | |
804 | If you want to compile it as a module, say M here and read | |
805 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
806 | ||
807 | +IMQ target support | |
808 | +CONFIG_IP6_NF_TARGET_IMQ | |
809 | + This option adds a `IMQ' target which is used to specify if and | |
810 | + to which imq device packets should get enqueued/dequeued. | |
811 | + | |
812 | + If you want to compile it as a module, say M here and read | |
813 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
814 | + | |
815 | +ROUTE target support | |
816 | +CONFIG_IP6_NF_TARGET_ROUTE | |
817 | + This option adds a `ROUTE' target, which enables you to setup unusual | |
818 | + routes. The ROUTE target is also able to change the incoming interface | |
819 | + of a packet. | |
820 | + | |
821 | + The target can be or not a final target. It has to be used inside the | |
822 | + mangle table. | |
823 | + | |
824 | + Not working as a module. | |
825 | + | |
826 | + | |
827 | MARK target support | |
828 | CONFIG_IP6_NF_TARGET_MARK | |
829 | This option adds a `MARK' target, which allows you to create rules | |
830 | @@ -3061,6 +3768,11 @@ | |
831 | If you want to compile it as a module, say M here and read | |
832 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
833 | ||
834 | +ARP payload mangling | |
835 | +CONFIG_IP_NF_ARP_MANGLE | |
836 | + Allows altering the ARP packet payload: source and destination | |
837 | + hardware and network addresses. | |
838 | + | |
839 | TCP Explicit Congestion Notification support | |
840 | CONFIG_INET_ECN | |
841 | Explicit Congestion Notification (ECN) allows routers to notify | |
842 | @@ -3096,6 +3808,22 @@ | |
843 | ||
844 | If you want to compile it as a module, say M here and read | |
845 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
846 | + | |
847 | +HL match support | |
848 | +CONFIG_IP6_NF_MATCH_HL | |
849 | + This option adds a `hl' match, which allows you match the value of | |
850 | + the IPv6 Hop Limit field. | |
851 | + | |
852 | + If you want to compile it as a module, say M here and read | |
853 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
854 | + | |
855 | +HL target support | |
856 | +CONFIG_IP6_NF_TARGET_HL | |
857 | + This option adds a `HL' target, which allows you to modify the value of | |
858 | + IPv6 Hop Limit field. | |
859 | + | |
860 | + If you want to compile it as a module, say M here and read | |
861 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
862 | ||
863 | LOG target support | |
864 | CONFIG_IP6_NF_TARGET_LOG | |
865 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/jhash.h linux-2.4.20/include/linux/jhash.h | |
866 | --- linux-2.4.20.org/include/linux/jhash.h Thu Jan 1 00:00:00 1970 | |
867 | +++ linux-2.4.20/include/linux/jhash.h Wed Sep 24 09:16:14 2003 | |
868 | @@ -0,0 +1,143 @@ | |
869 | +#ifndef _LINUX_JHASH_H | |
870 | +#define _LINUX_JHASH_H | |
871 | + | |
872 | +/* jhash.h: Jenkins hash support. | |
873 | + * | |
874 | + * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net) | |
875 | + * | |
876 | + * http://burtleburtle.net/bob/hash/ | |
877 | + * | |
878 | + * These are the credits from Bob's sources: | |
879 | + * | |
880 | + * lookup2.c, by Bob Jenkins, December 1996, Public Domain. | |
881 | + * hash(), hash2(), hash3, and mix() are externally useful functions. | |
882 | + * Routines to test the hash are included if SELF_TEST is defined. | |
883 | + * You can use this free for any purpose. It has no warranty. | |
884 | + * | |
885 | + * Copyright (C) 2003 David S. Miller (davem@redhat.com) | |
886 | + * | |
887 | + * I've modified Bob's hash to be useful in the Linux kernel, and | |
888 | + * any bugs present are surely my fault. -DaveM | |
889 | + */ | |
890 | + | |
891 | +/* NOTE: Arguments are modified. */ | |
892 | +#define __jhash_mix(a, b, c) \ | |
893 | +{ \ | |
894 | + a -= b; a -= c; a ^= (c>>13); \ | |
895 | + b -= c; b -= a; b ^= (a<<8); \ | |
896 | + c -= a; c -= b; c ^= (b>>13); \ | |
897 | + a -= b; a -= c; a ^= (c>>12); \ | |
898 | + b -= c; b -= a; b ^= (a<<16); \ | |
899 | + c -= a; c -= b; c ^= (b>>5); \ | |
900 | + a -= b; a -= c; a ^= (c>>3); \ | |
901 | + b -= c; b -= a; b ^= (a<<10); \ | |
902 | + c -= a; c -= b; c ^= (b>>15); \ | |
903 | +} | |
904 | + | |
905 | +/* The golden ration: an arbitrary value */ | |
906 | +#define JHASH_GOLDEN_RATIO 0x9e3779b9 | |
907 | + | |
908 | +/* The most generic version, hashes an arbitrary sequence | |
909 | + * of bytes. No alignment or length assumptions are made about | |
910 | + * the input key. | |
911 | + */ | |
912 | +static inline u32 jhash(void *key, u32 length, u32 initval) | |
913 | +{ | |
914 | + u32 a, b, c, len; | |
915 | + u8 *k = key; | |
916 | + | |
917 | + len = length; | |
918 | + a = b = JHASH_GOLDEN_RATIO; | |
919 | + c = initval; | |
920 | + | |
921 | + while (len >= 12) { | |
922 | + a += (k[0] +((u32)k[1]<<8) +((u32)k[2]<<16) +((u32)k[3]<<24)); | |
923 | + b += (k[4] +((u32)k[5]<<8) +((u32)k[6]<<16) +((u32)k[7]<<24)); | |
924 | + c += (k[8] +((u32)k[9]<<8) +((u32)k[10]<<16)+((u32)k[11]<<24)); | |
925 | + | |
926 | + __jhash_mix(a,b,c); | |
927 | + | |
928 | + k += 12; | |
929 | + len -= 12; | |
930 | + } | |
931 | + | |
932 | + c += length; | |
933 | + switch (len) { | |
934 | + case 11: c += ((u32)k[10]<<24); | |
935 | + case 10: c += ((u32)k[9]<<16); | |
936 | + case 9 : c += ((u32)k[8]<<8); | |
937 | + case 8 : b += ((u32)k[7]<<24); | |
938 | + case 7 : b += ((u32)k[6]<<16); | |
939 | + case 6 : b += ((u32)k[5]<<8); | |
940 | + case 5 : b += k[4]; | |
941 | + case 4 : a += ((u32)k[3]<<24); | |
942 | + case 3 : a += ((u32)k[2]<<16); | |
943 | + case 2 : a += ((u32)k[1]<<8); | |
944 | + case 1 : a += k[0]; | |
945 | + }; | |
946 | + | |
947 | + __jhash_mix(a,b,c); | |
948 | + | |
949 | + return c; | |
950 | +} | |
951 | + | |
952 | +/* A special optimized version that handles 1 or more of u32s. | |
953 | + * The length parameter here is the number of u32s in the key. | |
954 | + */ | |
955 | +static inline u32 jhash2(u32 *k, u32 length, u32 initval) | |
956 | +{ | |
957 | + u32 a, b, c, len; | |
958 | + | |
959 | + a = b = JHASH_GOLDEN_RATIO; | |
960 | + c = initval; | |
961 | + len = length; | |
962 | + | |
963 | + while (len >= 3) { | |
964 | + a += k[0]; | |
965 | + b += k[1]; | |
966 | + c += k[2]; | |
967 | + __jhash_mix(a, b, c); | |
968 | + k += 3; len -= 3; | |
969 | + } | |
970 | + | |
971 | + c += length * 4; | |
972 | + | |
973 | + switch (len) { | |
974 | + case 2 : b += k[1]; | |
975 | + case 1 : a += k[0]; | |
976 | + }; | |
977 | + | |
978 | + __jhash_mix(a,b,c); | |
979 | + | |
980 | + return c; | |
981 | +} | |
982 | + | |
983 | + | |
984 | +/* A special ultra-optimized versions that knows they are hashing exactly | |
985 | + * 3, 2 or 1 word(s). | |
986 | + * | |
987 | + * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally | |
988 | + * done at the end is not done here. | |
989 | + */ | |
990 | +static inline u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval) | |
991 | +{ | |
992 | + a += JHASH_GOLDEN_RATIO; | |
993 | + b += JHASH_GOLDEN_RATIO; | |
994 | + c += initval; | |
995 | + | |
996 | + __jhash_mix(a, b, c); | |
997 | + | |
998 | + return c; | |
999 | +} | |
1000 | + | |
1001 | +static inline u32 jhash_2words(u32 a, u32 b, u32 initval) | |
1002 | +{ | |
1003 | + return jhash_3words(a, b, 0, initval); | |
1004 | +} | |
1005 | + | |
1006 | +static inline u32 jhash_1word(u32 a, u32 initval) | |
1007 | +{ | |
1008 | + return jhash_3words(a, 0, 0, initval); | |
1009 | +} | |
1010 | + | |
1011 | +#endif /* _LINUX_JHASH_H */ | |
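Review bot: None of the comments on `jhash()`, `jhash2()` or `jhash_3words()` say what `initval` is for, and that matters when the keys are influenced by a remote sender. No caller is visible in this file, but if the hash indexes a table of network-derived keys, a constant or guessable `initval` lets a sender pick keys that all fall into one bucket. I would add a line above `jhash()` such as `/* initval: seed; pass an unpredictable per-boot value when keys are attacker-influenced */`. Two style points in the same file: `__jhash_mix` is a bare `{ ... }` block and would be safer as `do { ... } while (0)`, and `jhash()` could take `const void *key` since it never writes through it.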
1012 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter.h linux-2.4.20/include/linux/netfilter.h | |
1013 | --- linux-2.4.20.org/include/linux/netfilter.h Thu Nov 22 19:47:48 2001 | |
1014 | +++ linux-2.4.20/include/linux/netfilter.h Wed Sep 24 09:18:12 2003 | |
1015 | @@ -19,9 +19,11 @@ | |
1016 | #define NF_REPEAT 4 | |
1017 | #define NF_MAX_VERDICT NF_REPEAT | |
1018 | ||
1019 | -/* Generic cache responses from hook functions. */ | |
1020 | -#define NFC_ALTERED 0x8000 | |
1021 | +/* Generic cache responses from hook functions. | |
1022 | + <= 0x2000 is used for protocol-flags. */ | |
1023 | #define NFC_UNKNOWN 0x4000 | |
1024 | +#define NFC_ALTERED 0x8000 | |
1025 | +#define NFC_TRACE 0x10000 | |
1026 | ||
1027 | #ifdef __KERNEL__ | |
1028 | #include <linux/config.h> | |
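Review bot: `NFC_TRACE` at `0x10000` is the first generic cache flag that does not fit in 16 bits, and the rewritten comment only documents the protocol-flag range. No storage field is visible in this hunk, but if any field carrying these flags is a 16-bit type, the trace bit would be silently truncated. The comment could record the requirement, e.g. `/* generic NFC_* flags need a field wider than 16 bits (NFC_TRACE is bit 16) */`.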
1029 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_arp/arpt_mangle.h linux-2.4.20/include/linux/netfilter_arp/arpt_mangle.h | |
1030 | --- linux-2.4.20.org/include/linux/netfilter_arp/arpt_mangle.h Thu Jan 1 00:00:00 1970 | |
1031 | +++ linux-2.4.20/include/linux/netfilter_arp/arpt_mangle.h Wed Sep 24 09:16:17 2003 | |
1032 | @@ -0,0 +1,26 @@ | |
1033 | +#ifndef _ARPT_MANGLE_H | |
1034 | +#define _ARPT_MANGLE_H | |
1035 | +#include <linux/netfilter_arp/arp_tables.h> | |
1036 | + | |
1037 | +#define ARPT_MANGLE_ADDR_LEN_MAX sizeof(struct in_addr) | |
1038 | +struct arpt_mangle | |
1039 | +{ | |
1040 | + char src_devaddr[ARPT_DEV_ADDR_LEN_MAX]; | |
1041 | + char tgt_devaddr[ARPT_DEV_ADDR_LEN_MAX]; | |
1042 | + union { | |
1043 | + struct in_addr src_ip; | |
1044 | + } u_s; | |
1045 | + union { | |
1046 | + struct in_addr tgt_ip; | |
1047 | + } u_t; | |
1048 | + u_int8_t flags; | |
1049 | + int target; | |
1050 | +}; | |
1051 | + | |
1052 | +#define ARPT_MANGLE_SDEV 0x01 | |
1053 | +#define ARPT_MANGLE_TDEV 0x02 | |
1054 | +#define ARPT_MANGLE_SIP 0x04 | |
1055 | +#define ARPT_MANGLE_TIP 0x08 | |
1056 | +#define ARPT_MANGLE_MASK 0x0f | |
1057 | + | |
1058 | +#endif /* _ARPT_MANGLE_H */ | |
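Review bot: `flags` and `target` in `struct arpt_mangle` carry no comment on which values are valid, and the struct looks like rule data supplied from userspace (the code that consumes it is not in this file). I would document them next to the fields, e.g. `u_int8_t flags; /* ARPT_MANGLE_* bits; anything outside ARPT_MANGLE_MASK is invalid */`, with a matching line for `target` naming the verdicts it may hold, so the kernel-side entry check has a stated contract to enforce. Separately, `ARPT_MANGLE_ADDR_LEN_MAX` should be parenthesised as `(sizeof(struct in_addr))`, and the header uses `struct in_addr` without including the header that defines it.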
1059 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack.h | |
1060 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack.h Thu Nov 28 23:53:15 2002 | |
1061 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack.h Wed Sep 24 09:18:16 2003 | |
1062 | @@ -6,6 +6,7 @@ | |
1063 | ||
1064 | #include <linux/config.h> | |
1065 | #include <linux/netfilter_ipv4/ip_conntrack_tuple.h> | |
1066 | +#include <linux/bitops.h> | |
1067 | #include <asm/atomic.h> | |
1068 | ||
1069 | enum ip_conntrack_info | |
1070 | @@ -41,29 +42,50 @@ | |
1071 | /* Conntrack should never be early-expired. */ | |
1072 | IPS_ASSURED_BIT = 2, | |
1073 | IPS_ASSURED = (1 << IPS_ASSURED_BIT), | |
1074 | + | |
1075 | + /* Connection is confirmed: originating packet has left box */ | |
1076 | + IPS_CONFIRMED_BIT = 3, | |
1077 | + IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), | |
1078 | }; | |
1079 | ||
1080 | #include <linux/netfilter_ipv4/ip_conntrack_tcp.h> | |
1081 | #include <linux/netfilter_ipv4/ip_conntrack_icmp.h> | |
1082 | +#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h> | |
1083 | ||
1084 | /* per conntrack: protocol private data */ | |
1085 | union ip_conntrack_proto { | |
1086 | /* insert conntrack proto private data here */ | |
1087 | + struct ip_ct_gre gre; | |
1088 | struct ip_ct_tcp tcp; | |
1089 | struct ip_ct_icmp icmp; | |
1090 | }; | |
1091 | ||
1092 | union ip_conntrack_expect_proto { | |
1093 | /* insert expect proto private data here */ | |
1094 | + struct ip_ct_gre_expect gre; | |
1095 | }; | |
1096 | ||
1097 | /* Add protocol helper include file here */ | |
1098 | +#include <linux/netfilter_ipv4/ip_conntrack_talk.h> | |
1099 | +#include <linux/netfilter_ipv4/ip_conntrack_rsh.h> | |
1100 | +#include <linux/netfilter_ipv4/ip_conntrack_pptp.h> | |
1101 | +#include <linux/netfilter_ipv4/ip_conntrack_mms.h> | |
1102 | +#include <linux/netfilter_ipv4/ip_conntrack_h323.h> | |
1103 | + | |
1104 | +#include <linux/netfilter_ipv4/ip_conntrack_amanda.h> | |
1105 | + | |
1106 | #include <linux/netfilter_ipv4/ip_conntrack_ftp.h> | |
1107 | #include <linux/netfilter_ipv4/ip_conntrack_irc.h> | |
1108 | ||
1109 | /* per expectation: application helper private data */ | |
1110 | union ip_conntrack_expect_help { | |
1111 | /* insert conntrack helper private data (expect) here */ | |
1112 | + struct ip_ct_talk_expect exp_talk_info; | |
1113 | + struct ip_ct_rsh_expect exp_rsh_info; | |
1114 | + struct ip_ct_pptp_expect exp_pptp_info; | |
1115 | + struct ip_ct_mms_expect exp_mms_info; | |
1116 | + struct ip_ct_h225_expect exp_h225_info; | |
1117 | + struct ip_ct_amanda_expect exp_amanda_info; | |
1118 | struct ip_ct_ftp_expect exp_ftp_info; | |
1119 | struct ip_ct_irc_expect exp_irc_info; | |
1120 | ||
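Review bot: The new helper structs are added to `union ip_conntrack_expect_help` unconditionally, and the `@@ -77,16 +99,23 @@` hunk does the same for `union ip_conntrack_help` and `union ip_conntrack_nat_help`. Every expectation and conntrack is therefore sized by the largest helper struct, whether or not that helper is built. Because the table is filled by network traffic, per-entry size bounds how many connections fit in memory, so it is worth recording next to the unions, e.g. `/* sized by the largest member: adding a helper struct here grows every entry */`. The status enum starts before this hunk and `union ip_conntrack_expect_help` continues past it, so this is based on the visible members only.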
1121 | @@ -77,16 +99,23 @@ | |
1122 | /* per conntrack: application helper private data */ | |
1123 | union ip_conntrack_help { | |
1124 | /* insert conntrack helper private data (master) here */ | |
1125 | + struct ip_ct_talk_master ct_talk_info; | |
1126 | + struct ip_ct_rsh_master ct_rsh_info; | |
1127 | + struct ip_ct_pptp_master ct_pptp_info; | |
1128 | + struct ip_ct_mms_master ct_mms_info; | |
1129 | + struct ip_ct_h225_master ct_h225_info; | |
1130 | struct ip_ct_ftp_master ct_ftp_info; | |
1131 | struct ip_ct_irc_master ct_irc_info; | |
1132 | }; | |
1133 | ||
1134 | #ifdef CONFIG_IP_NF_NAT_NEEDED | |
1135 | #include <linux/netfilter_ipv4/ip_nat.h> | |
1136 | +#include <linux/netfilter_ipv4/ip_nat_pptp.h> | |
1137 | ||
1138 | /* per conntrack: nat application helper private data */ | |
1139 | union ip_conntrack_nat_help { | |
1140 | /* insert nat helper private data here */ | |
1141 | + struct ip_nat_pptp nat_pptp_info; | |
1142 | }; | |
1143 | #endif | |
1144 | ||
1145 | @@ -159,7 +188,7 @@ | |
1146 | struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; | |
1147 | ||
1148 | /* Have we seen traffic both ways yet? (bitset) */ | |
1149 | - volatile unsigned long status; | |
1150 | + unsigned long status; | |
1151 | ||
1152 | /* Timer function; drops refcnt when it goes off. */ | |
1153 | struct timer_list timeout; | |
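Review bot: Removing `volatile` from `status` is only safe if every access goes through the atomic bit operations, as the new `is_confirmed()` in the `@@ -254,9 +289,12 @@` hunk does with `test_bit()`. Any plain `ct->status |= ...` left in code not shown here would be an unsynchronised read-modify-write next to those users and could lose a bit such as `IPS_CONFIRMED`. A comment on the field would make the rule explicit: `/* bitset of IPS_*; access only through set_bit()/test_bit() */`. The enclosing `struct ip_conntrack` starts and ends outside this hunk.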
1154 | @@ -198,6 +227,9 @@ | |
1155 | } nat; | |
1156 | #endif /* CONFIG_IP_NF_NAT_NEEDED */ | |
1157 | ||
1158 | +#if defined(CONFIG_IP_NF_CONNTRACK_MARK) | |
1159 | + unsigned long mark; | |
1160 | +#endif | |
1161 | }; | |
1162 | ||
1163 | /* get master conntrack via master expectation */ | |
1164 | @@ -238,6 +270,9 @@ | |
1165 | extern void ip_ct_refresh(struct ip_conntrack *ct, | |
1166 | unsigned long extra_jiffies); | |
1167 | ||
1168 | +/* Kill conntrack */ | |
1169 | +extern void ip_ct_death_by_timeout(unsigned long ul_conntrack); | |
1170 | + | |
1171 | /* These are for NAT. Icky. */ | |
1172 | /* Call me when a conntrack is destroyed. */ | |
1173 | extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack); | |
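Review bot: `/* Kill conntrack */` does not tell a caller what it must have done before calling `ip_ct_death_by_timeout()`. The `unsigned long` argument and the existing field comment "Timer function; drops refcnt when it goes off" suggest this is the timer callback being exported. If so, a caller presumably has to stop the timer first so the reference is not dropped twice; that is an inference, since the definition is not in this hunk. I would spell the contract out, e.g. `/* Kill conntrack: pass (unsigned long)ct; caller must have stopped ct->timeout first */`.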
1174 | @@ -254,9 +289,12 @@ | |
1175 | /* It's confirmed if it is, or has been in the hash table. */ | |
1176 | static inline int is_confirmed(struct ip_conntrack *ct) | |
1177 | { | |
1178 | - return ct->tuplehash[IP_CT_DIR_ORIGINAL].list.next != NULL; | |
1179 | + return test_bit(IPS_CONFIRMED_BIT, &ct->status); | |
1180 | } | |
1181 | ||
1182 | extern unsigned int ip_conntrack_htable_size; | |
1183 | + | |
1184 | +/* A fake conntrack entry which never vanishes. */ | |
1185 | +extern struct ip_conntrack ip_conntrack_untracked; | |
1186 | #endif /* __KERNEL__ */ | |
1187 | #endif /* _IP_CONNTRACK_H */ | |
1188 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_amanda.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_amanda.h | |
1189 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_amanda.h Thu Jan 1 00:00:00 1970 | |
1190 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_amanda.h Wed Sep 24 09:16:14 2003 | |
1191 | @@ -0,0 +1,29 @@ | |
1192 | +#ifndef _IP_CONNTRACK_AMANDA_H | |
1193 | +#define _IP_CONNTRACK_AMANDA_H | |
1194 | +/* AMANDA tracking. */ | |
1195 | + | |
1196 | +#ifdef __KERNEL__ | |
1197 | + | |
1198 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
1199 | + | |
1200 | +/* Protects amanda part of conntracks */ | |
1201 | +DECLARE_LOCK_EXTERN(ip_amanda_lock); | |
1202 | + | |
1203 | +#endif | |
1204 | + | |
1205 | +struct conn { | |
1206 | + char* match; | |
1207 | + int matchlen; | |
1208 | +}; | |
1209 | + | |
1210 | +#define NUM_MSGS 3 | |
1211 | + | |
1212 | + | |
1213 | +struct ip_ct_amanda_expect | |
1214 | +{ | |
1215 | + u_int16_t port; /* port number of this expectation */ | |
1216 | + u_int16_t offset; /* offset of the port specification in ctrl packet */ | |
1217 | + u_int16_t len; /* the length of the port number specification */ | |
1218 | +}; | |
1219 | + | |
1220 | +#endif /* _IP_CONNTRACK_AMANDA_H */ | |
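Review bot: `struct conn` and `NUM_MSGS` are very generic names for a header that ip_conntrack.h now includes for every conntrack user, and `struct conn` sits outside the `#ifdef __KERNEL__` block, so it is visible to userspace as well. Prefix them, e.g. `struct ip_ct_amanda_conn` and `#define IP_CT_AMANDA_NUM_MSGS 3`, or move them into the helper's .c file if nothing else needs them (their users are not visible here). The `offset` and `len` fields of `struct ip_ct_amanda_expect` describe a position inside a control packet, so their comments should also say that they are checked against the packet length before use.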
1221 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_core.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_core.h | |
1222 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_core.h Thu Nov 28 23:53:15 2002 | |
1223 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_core.h Wed Sep 24 09:16:17 2003 | |
1224 | @@ -1,5 +1,6 @@ | |
1225 | #ifndef _IP_CONNTRACK_CORE_H | |
1226 | #define _IP_CONNTRACK_CORE_H | |
1227 | +#include <linux/netfilter.h> | |
1228 | #include <linux/netfilter_ipv4/lockhelp.h> | |
1229 | ||
1230 | /* This header is used to share core functionality between the | |
1231 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_cuseeme.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_cuseeme.h | |
1232 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_cuseeme.h Thu Jan 1 00:00:00 1970 | |
1233 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_cuseeme.h Wed Sep 24 09:17:38 2003 | |
1234 | @@ -0,0 +1,70 @@ | |
1235 | +#ifndef _IP_CT_CUSEEME | |
1236 | +#define _IP_CT_CUSEEME | |
1237 | + | |
1238 | +#define CUSEEME_PORT 7648 | |
1239 | + | |
1240 | +/* These structs come from the 2.2 ip_masq_cuseeme code... */ | |
1241 | + | |
1242 | +#pragma pack(1) | |
1243 | +/* CuSeeMe data header */ | |
1244 | +struct cu_header { | |
1245 | + u_int16_t dest_family; | |
1246 | + u_int16_t dest_port; | |
1247 | + u_int32_t dest_addr; | |
1248 | + int16_t family; | |
1249 | + u_int16_t port; | |
1250 | + u_int32_t addr; | |
1251 | + u_int32_t seq; | |
1252 | + u_int16_t msg; | |
1253 | + u_int16_t data_type; | |
1254 | + /* possible values: | |
1255 | + * 1 small video | |
1256 | + * 2 big video | |
1257 | + * 3 audio | |
1258 | + * 100 acknowledge connectivity when there | |
1259 | + * is nothing else to send | |
1260 | + * 101 OpenContinue packet | |
1261 | + * 104 display a text message and | |
1262 | + * disconnect (used by reflector to | |
1263 | + * kick clients off) | |
1264 | + * 105 display a text message (welcome | |
1265 | + * message from reflector) | |
1266 | + * 106 exchanged among reflectors for | |
1267 | + * reflector interoperation | |
1268 | + * 107 carry aux stream data when there is | |
1269 | + * no video to piggy-back on | |
1270 | + * 108 obsolete (used in Mac alpha version) | |
1271 | + * 109 obsolete (used in Mac alpha version) | |
1272 | + * 110 used for data rate control | |
1273 | + * 111 used for data rate control | |
1274 | + * 256 aux data control messages | |
1275 | + * 257 aux data packets | |
1276 | + * */ | |
1277 | + u_int16_t packet_len; | |
1278 | +}; | |
1279 | + | |
1280 | +/* Open Continue Header */ | |
1281 | +struct oc_header { | |
1282 | + struct cu_header cu_head; | |
1283 | + u_int16_t client_count; /* Number of client info structs */ | |
1284 | + u_int32_t seq_no; | |
1285 | + char user_name[20]; | |
1286 | + char stuff[4]; /* Flags, version stuff, etc */ | |
1287 | +}; | |
1288 | + | |
1289 | +/* Client info structures */ | |
1290 | +struct client_info { | |
1291 | + u_int32_t address; /* Client address */ | |
1292 | + char stuff[8]; /* Flags, pruning bitfield, packet counts, etc */ | |
1293 | +}; | |
1294 | +#pragma pack() | |
1295 | + | |
1296 | +/* This structure is per expected connection */ | |
1297 | +struct ip_ct_cuseeme_expect { | |
1298 | +}; | |
1299 | + | |
1300 | +/* This structure exists only once per master */ | |
1301 | +struct ip_ct_cuseeme_master { | |
1302 | +}; | |
1303 | + | |
1304 | +#endif /* _IP_CT_CUSEEME */ | |
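Review bot: `client_count` in `struct oc_header` comes from the packet and says how many `struct client_info` records follow, but nothing in the header says it must be checked. Whatever walks those records (the helper is not in this file) should compare `sizeof(struct oc_header) + client_count * sizeof(struct client_info)` with the UDP payload length first. A comment on the field would record that: `u_int16_t client_count; /* from the packet: bound against payload length before use */`. The comments could also state the byte order of the multi-byte fields, and `family` is `int16_t` where `dest_family` is `u_int16_t`, which looks unintentional unless it is inherited from the 2.2 code the comment mentions.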
1305 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_h323.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_h323.h | |
1306 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_h323.h Thu Jan 1 00:00:00 1970 | |
1307 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_h323.h Wed Sep 24 09:17:43 2003 | |
1308 | @@ -0,0 +1,30 @@ | |
1309 | +#ifndef _IP_CONNTRACK_H323_H | |
1310 | +#define _IP_CONNTRACK_H323_H | |
1311 | +/* H.323 connection tracking. */ | |
1312 | + | |
1313 | +#ifdef __KERNEL__ | |
1314 | +/* Protects H.323 related data */ | |
1315 | +DECLARE_LOCK_EXTERN(ip_h323_lock); | |
1316 | +#endif | |
1317 | + | |
1318 | +/* Default H.225 port */ | |
1319 | +#define H225_PORT 1720 | |
1320 | + | |
1321 | +/* This structure is per expected connection */ | |
1322 | +struct ip_ct_h225_expect { | |
1323 | + u_int16_t port; /* Port of the H.225 helper/RTCP/RTP channel */ | |
1324 | + enum ip_conntrack_dir dir; /* Direction of the original connection */ | |
1325 | + unsigned int offset; /* offset of the address in the payload */ | |
1326 | +}; | |
1327 | + | |
1328 | +/* This structure exists only once per master */ | |
1329 | +struct ip_ct_h225_master { | |
1330 | + int is_h225; /* H.225 or H.245 connection */ | |
1331 | +#ifdef CONFIG_IP_NF_NAT_NEEDED | |
1332 | + enum ip_conntrack_dir dir; /* Direction of the original connection */ | |
1333 | + u_int32_t seq[IP_CT_DIR_MAX]; /* Exceptional packet mangling for signal addressess... */ | |
1334 | + unsigned int offset[IP_CT_DIR_MAX]; /* ...and the offset of the addresses in the payload */ | |
1335 | +#endif | |
1336 | +}; | |
1337 | + | |
1338 | +#endif /* _IP_CONNTRACK_H323_H */ | |
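Review bot: This header uses `DECLARE_LOCK_EXTERN`, `enum ip_conntrack_dir` and `IP_CT_DIR_MAX` without including anything, so it only compiles when another header has already supplied them. The amanda and mms headers added by the same patch include lockhelp.h themselves; adding `#include <linux/netfilter_ipv4/lockhelp.h>` inside the `#ifdef __KERNEL__` block here removes the dependence on include order. `struct ip_ct_h225_master` also changes size with `CONFIG_IP_NF_NAT_NEEDED`, which deserves a comment because the struct is embedded in `union ip_conntrack_help`.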
1339 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_mms.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_mms.h | |
1340 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_mms.h Thu Jan 1 00:00:00 1970 | |
1341 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_mms.h Wed Sep 24 09:17:48 2003 | |
1342 | @@ -0,0 +1,31 @@ | |
1343 | +#ifndef _IP_CONNTRACK_MMS_H | |
1344 | +#define _IP_CONNTRACK_MMS_H | |
1345 | +/* MMS tracking. */ | |
1346 | + | |
1347 | +#ifdef __KERNEL__ | |
1348 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
1349 | + | |
1350 | +DECLARE_LOCK_EXTERN(ip_mms_lock); | |
1351 | + | |
1352 | +#define MMS_PORT 1755 | |
1353 | +#define MMS_SRV_MSG_ID 196610 | |
1354 | + | |
1355 | +#define MMS_SRV_MSG_OFFSET 36 | |
1356 | +#define MMS_SRV_UNICODE_STRING_OFFSET 60 | |
1357 | +#define MMS_SRV_CHUNKLENLV_OFFSET 16 | |
1358 | +#define MMS_SRV_CHUNKLENLM_OFFSET 32 | |
1359 | +#define MMS_SRV_MESSAGELENGTH_OFFSET 8 | |
1360 | +#endif | |
1361 | + | |
1362 | +/* This structure is per expected connection */ | |
1363 | +struct ip_ct_mms_expect { | |
1364 | + u_int32_t len; | |
1365 | + u_int32_t padding; | |
1366 | + u_int16_t port; | |
1367 | +}; | |
1368 | + | |
1369 | +/* This structure exists only once per master */ | |
1370 | +struct ip_ct_mms_master { | |
1371 | +}; | |
1372 | + | |
1373 | +#endif /* _IP_CONNTRACK_MMS_H */ | |
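Review bot: `len` and `padding` in `struct ip_ct_mms_expect` have no comments, unlike the fields of the amanda and h323 expect structs in this patch. If they are taken from the MMS control message, as the `MMS_SRV_*_OFFSET` constants suggest, they are untrusted lengths. The comments should then say what each one measures and that it is validated against the packet, e.g. `u_int32_t len; /* length of <what>, checked against payload size */`. `MMS_SRV_MSG_ID 196610` would also be easier to compare with a packet dump in hex, `0x00030002`.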
1374 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_pptp.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_pptp.h | |
1375 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_pptp.h Thu Jan 1 00:00:00 1970 | |
1376 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_pptp.h Wed Sep 24 09:17:55 2003 | |
1377 | @@ -0,0 +1,313 @@ | |
1378 | +/* PPTP constants and structs */ | |
1379 | +#ifndef _CONNTRACK_PPTP_H | |
1380 | +#define _CONNTRACK_PPTP_H | |
1381 | + | |
1382 | +/* state of the control session */ | |
1383 | +enum pptp_ctrlsess_state { | |
1384 | + PPTP_SESSION_NONE, /* no session present */ | |
1385 | + PPTP_SESSION_ERROR, /* some session error */ | |
1386 | + PPTP_SESSION_STOPREQ, /* stop_sess request seen */ | |
1387 | + PPTP_SESSION_REQUESTED, /* start_sess request seen */ | |
1388 | + PPTP_SESSION_CONFIRMED, /* session established */ | |
1389 | +}; | |
1390 | + | |
1391 | +/* state of the call inside the control session */ | |
1392 | +enum pptp_ctrlcall_state { | |
1393 | + PPTP_CALL_NONE, | |
1394 | + PPTP_CALL_ERROR, | |
1395 | + PPTP_CALL_OUT_REQ, | |
1396 | + PPTP_CALL_OUT_CONF, | |
1397 | + PPTP_CALL_IN_REQ, | |
1398 | + PPTP_CALL_IN_REP, | |
1399 | + PPTP_CALL_IN_CONF, | |
1400 | + PPTP_CALL_CLEAR_REQ, | |
1401 | +}; | |
1402 | + | |
1403 | + | |
1404 | +/* conntrack private data */ | |
1405 | +struct ip_ct_pptp_master { | |
1406 | + enum pptp_ctrlsess_state sstate; /* session state */ | |
1407 | + | |
1408 | + /* everything below is going to be per-expectation in newnat, | |
1409 | + * since there could be more than one call within one session */ | |
1410 | + enum pptp_ctrlcall_state cstate; /* call state */ | |
1411 | + u_int16_t pac_call_id; /* call id of PAC, host byte order */ | |
1412 | + u_int16_t pns_call_id; /* call id of PNS, host byte order */ | |
1413 | +}; | |
1414 | + | |
1415 | +/* conntrack_expect private member */ | |
1416 | +struct ip_ct_pptp_expect { | |
1417 | + enum pptp_ctrlcall_state cstate; /* call state */ | |
1418 | + u_int16_t pac_call_id; /* call id of PAC */ | |
1419 | + u_int16_t pns_call_id; /* call id of PNS */ | |
1420 | +}; | |
1421 | + | |
1422 | + | |
1423 | +#ifdef __KERNEL__ | |
1424 | + | |
1425 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
1426 | +DECLARE_LOCK_EXTERN(ip_pptp_lock); | |
1427 | + | |
1428 | +#define IP_CONNTR_PPTP PPTP_CONTROL_PORT | |
1429 | + | |
1430 | +union pptp_ctrl_union { | |
1431 | + void *rawreq; | |
1432 | + struct PptpStartSessionRequest *sreq; | |
1433 | + struct PptpStartSessionReply *srep; | |
1434 | + struct PptpStopSessionReqest *streq; | |
1435 | + struct PptpStopSessionReply *strep; | |
1436 | + struct PptpOutCallRequest *ocreq; | |
1437 | + struct PptpOutCallReply *ocack; | |
1438 | + struct PptpInCallRequest *icreq; | |
1439 | + struct PptpInCallReply *icack; | |
1440 | + struct PptpInCallConnected *iccon; | |
1441 | + struct PptpClearCallRequest *clrreq; | |
1442 | + struct PptpCallDisconnectNotify *disc; | |
1443 | + struct PptpWanErrorNotify *wanerr; | |
1444 | + struct PptpSetLinkInfo *setlink; | |
1445 | +}; | |
1446 | + | |
1447 | + | |
1448 | + | |
1449 | +#define PPTP_CONTROL_PORT 1723 | |
1450 | + | |
1451 | +#define PPTP_PACKET_CONTROL 1 | |
1452 | +#define PPTP_PACKET_MGMT 2 | |
1453 | + | |
1454 | +#define PPTP_MAGIC_COOKIE 0x1a2b3c4d | |
1455 | + | |
1456 | +struct pptp_pkt_hdr { | |
1457 | + __u16 packetLength; | |
1458 | + __u16 packetType; | |
1459 | + __u32 magicCookie; | |
1460 | +}; | |
1461 | + | |
1462 | +/* PptpControlMessageType values */ | |
1463 | +#define PPTP_START_SESSION_REQUEST 1 | |
1464 | +#define PPTP_START_SESSION_REPLY 2 | |
1465 | +#define PPTP_STOP_SESSION_REQUEST 3 | |
1466 | +#define PPTP_STOP_SESSION_REPLY 4 | |
1467 | +#define PPTP_ECHO_REQUEST 5 | |
1468 | +#define PPTP_ECHO_REPLY 6 | |
1469 | +#define PPTP_OUT_CALL_REQUEST 7 | |
1470 | +#define PPTP_OUT_CALL_REPLY 8 | |
1471 | +#define PPTP_IN_CALL_REQUEST 9 | |
1472 | +#define PPTP_IN_CALL_REPLY 10 | |
1473 | +#define PPTP_IN_CALL_CONNECT 11 | |
1474 | +#define PPTP_CALL_CLEAR_REQUEST 12 | |
1475 | +#define PPTP_CALL_DISCONNECT_NOTIFY 13 | |
1476 | +#define PPTP_WAN_ERROR_NOTIFY 14 | |
1477 | +#define PPTP_SET_LINK_INFO 15 | |
1478 | + | |
1479 | +#define PPTP_MSG_MAX 15 | |
1480 | + | |
1481 | +/* PptpGeneralError values */ | |
1482 | +#define PPTP_ERROR_CODE_NONE 0 | |
1483 | +#define PPTP_NOT_CONNECTED 1 | |
1484 | +#define PPTP_BAD_FORMAT 2 | |
1485 | +#define PPTP_BAD_VALUE 3 | |
1486 | +#define PPTP_NO_RESOURCE 4 | |
1487 | +#define PPTP_BAD_CALLID 5 | |
1488 | +#define PPTP_REMOVE_DEVICE_ERROR 6 | |
1489 | + | |
1490 | +struct PptpControlHeader { | |
1491 | + __u16 messageType; | |
1492 | + __u16 reserved; | |
1493 | +}; | |
1494 | + | |
1495 | +/* FramingCapability Bitmap Values */ | |
1496 | +#define PPTP_FRAME_CAP_ASYNC 0x1 | |
1497 | +#define PPTP_FRAME_CAP_SYNC 0x2 | |
1498 | + | |
1499 | +/* BearerCapability Bitmap Values */ | |
1500 | +#define PPTP_BEARER_CAP_ANALOG 0x1 | |
1501 | +#define PPTP_BEARER_CAP_DIGITAL 0x2 | |
1502 | + | |
1503 | +struct PptpStartSessionRequest { | |
1504 | + __u16 protocolVersion; | |
1505 | + __u8 reserved1; | |
1506 | + __u8 reserved2; | |
1507 | + __u32 framingCapability; | |
1508 | + __u32 bearerCapability; | |
1509 | + __u16 maxChannels; | |
1510 | + __u16 firmwareRevision; | |
1511 | + __u8 hostName[64]; | |
1512 | + __u8 vendorString[64]; | |
1513 | +}; | |
1514 | + | |
1515 | +/* PptpStartSessionResultCode Values */ | |
1516 | +#define PPTP_START_OK 1 | |
1517 | +#define PPTP_START_GENERAL_ERROR 2 | |
1518 | +#define PPTP_START_ALREADY_CONNECTED 3 | |
1519 | +#define PPTP_START_NOT_AUTHORIZED 4 | |
1520 | +#define PPTP_START_UNKNOWN_PROTOCOL 5 | |
1521 | + | |
1522 | +struct PptpStartSessionReply { | |
1523 | + __u16 protocolVersion; | |
1524 | + __u8 resultCode; | |
1525 | + __u8 generalErrorCode; | |
1526 | + __u32 framingCapability; | |
1527 | + __u32 bearerCapability; | |
1528 | + __u16 maxChannels; | |
1529 | + __u16 firmwareRevision; | |
1530 | + __u8 hostName[64]; | |
1531 | + __u8 vendorString[64]; | |
1532 | +}; | |
1533 | + | |
1534 | +/* PptpStopReasons */ | |
1535 | +#define PPTP_STOP_NONE 1 | |
1536 | +#define PPTP_STOP_PROTOCOL 2 | |
1537 | +#define PPTP_STOP_LOCAL_SHUTDOWN 3 | |
1538 | + | |
1539 | +struct PptpStopSessionRequest { | |
1540 | + __u8 reason; | |
1541 | +}; | |
1542 | + | |
1543 | +/* PptpStopSessionResultCode */ | |
1544 | +#define PPTP_STOP_OK 1 | |
1545 | +#define PPTP_STOP_GENERAL_ERROR 2 | |
1546 | + | |
1547 | +struct PptpStopSessionReply { | |
1548 | + __u8 resultCode; | |
1549 | + __u8 generalErrorCode; | |
1550 | +}; | |
1551 | + | |
1552 | +struct PptpEchoRequest { | |
1553 | + __u32 identNumber; | |
1554 | +}; | |
1555 | + | |
1556 | +/* PptpEchoReplyResultCode */ | |
1557 | +#define PPTP_ECHO_OK 1 | |
1558 | +#define PPTP_ECHO_GENERAL_ERROR 2 | |
1559 | + | |
1560 | +struct PptpEchoReply { | |
1561 | + __u32 identNumber; | |
1562 | + __u8 resultCode; | |
1563 | + __u8 generalErrorCode; | |
1564 | + __u16 reserved; | |
1565 | +}; | |
1566 | + | |
1567 | +/* PptpFramingType */ | |
1568 | +#define PPTP_ASYNC_FRAMING 1 | |
1569 | +#define PPTP_SYNC_FRAMING 2 | |
1570 | +#define PPTP_DONT_CARE_FRAMING 3 | |
1571 | + | |
1572 | +/* PptpCallBearerType */ | |
1573 | +#define PPTP_ANALOG_TYPE 1 | |
1574 | +#define PPTP_DIGITAL_TYPE 2 | |
1575 | +#define PPTP_DONT_CARE_BEARER_TYPE 3 | |
1576 | + | |
1577 | +struct PptpOutCallRequest { | |
1578 | + __u16 callID; | |
1579 | + __u16 callSerialNumber; | |
1580 | + __u32 minBPS; | |
1581 | + __u32 maxBPS; | |
1582 | + __u32 bearerType; | |
1583 | + __u32 framingType; | |
1584 | + __u16 packetWindow; | |
1585 | + __u16 packetProcDelay; | |
1586 | + __u16 reserved1; | |
1587 | + __u16 phoneNumberLength; | |
1588 | + __u16 reserved2; | |
1589 | + __u8 phoneNumber[64]; | |
1590 | + __u8 subAddress[64]; | |
1591 | +}; | |
1592 | + | |
1593 | +/* PptpCallResultCode */ | |
1594 | +#define PPTP_OUTCALL_CONNECT 1 | |
1595 | +#define PPTP_OUTCALL_GENERAL_ERROR 2 | |
1596 | +#define PPTP_OUTCALL_NO_CARRIER 3 | |
1597 | +#define PPTP_OUTCALL_BUSY 4 | |
1598 | +#define PPTP_OUTCALL_NO_DIAL_TONE 5 | |
1599 | +#define PPTP_OUTCALL_TIMEOUT 6 | |
1600 | +#define PPTP_OUTCALL_DONT_ACCEPT 7 | |
1601 | + | |
1602 | +struct PptpOutCallReply { | |
1603 | + __u16 callID; | |
1604 | + __u16 peersCallID; | |
1605 | + __u8 resultCode; | |
1606 | + __u8 generalErrorCode; | |
1607 | + __u16 causeCode; | |
1608 | + __u32 connectSpeed; | |
1609 | + __u16 packetWindow; | |
1610 | + __u16 packetProcDelay; | |
1611 | + __u32 physChannelID; | |
1612 | +}; | |
1613 | + | |
1614 | +struct PptpInCallRequest { | |
1615 | + __u16 callID; | |
1616 | + __u16 callSerialNumber; | |
1617 | + __u32 callBearerType; | |
1618 | + __u32 physChannelID; | |
1619 | + __u16 dialedNumberLength; | |
1620 | + __u16 dialingNumberLength; | |
1621 | + __u8 dialedNumber[64]; | |
1622 | + __u8 dialingNumber[64]; | |
1623 | + __u8 subAddress[64]; | |
1624 | +}; | |
1625 | + | |
1626 | +/* PptpInCallResultCode */ | |
1627 | +#define PPTP_INCALL_ACCEPT 1 | |
1628 | +#define PPTP_INCALL_GENERAL_ERROR 2 | |
1629 | +#define PPTP_INCALL_DONT_ACCEPT 3 | |
1630 | + | |
1631 | +struct PptpInCallReply { | |
1632 | + __u16 callID; | |
1633 | + __u16 peersCallID; | |
1634 | + __u8 resultCode; | |
1635 | + __u8 generalErrorCode; | |
1636 | + __u16 packetWindow; | |
1637 | + __u16 packetProcDelay; | |
1638 | + __u16 reserved; | |
1639 | +}; | |
1640 | + | |
1641 | +struct PptpInCallConnected { | |
1642 | + __u16 peersCallID; | |
1643 | + __u16 reserved; | |
1644 | + __u32 connectSpeed; | |
1645 | + __u16 packetWindow; | |
1646 | + __u16 packetProcDelay; | |
1647 | + __u32 callFramingType; | |
1648 | +}; | |
1649 | + | |
1650 | +struct PptpClearCallRequest { | |
1651 | + __u16 callID; | |
1652 | + __u16 reserved; | |
1653 | +}; | |
1654 | + | |
1655 | +struct PptpCallDisconnectNotify { | |
1656 | + __u16 callID; | |
1657 | + __u8 resultCode; | |
1658 | + __u8 generalErrorCode; | |
1659 | + __u16 causeCode; | |
1660 | + __u16 reserved; | |
1661 | + __u8 callStatistics[128]; | |
1662 | +}; | |
1663 | + | |
1664 | +struct PptpWanErrorNotify { | |
1665 | + __u16 peersCallID; | |
1666 | + __u16 reserved; | |
1667 | + __u32 crcErrors; | |
1668 | + __u32 framingErrors; | |
1669 | + __u32 hardwareOverRuns; | |
1670 | + __u32 bufferOverRuns; | |
1671 | + __u32 timeoutErrors; | |
1672 | + __u32 alignmentErrors; | |
1673 | +}; | |
1674 | + | |
1675 | +struct PptpSetLinkInfo { | |
1676 | + __u16 peersCallID; | |
1677 | + __u16 reserved; | |
1678 | + __u32 sendAccm; | |
1679 | + __u32 recvAccm; | |
1680 | +}; | |
1681 | + | |
1682 | + | |
1683 | +struct pptp_priv_data { | |
1684 | + __u16 call_id; | |
1685 | + __u16 mcall_id; | |
1686 | + __u16 pcall_id; | |
1687 | +}; | |
1688 | + | |
1689 | +#endif /* __KERNEL__ */ | |
1690 | +#endif /* _CONNTRACK_PPTP_H */ | |
1691 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h | |
1692 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h Thu Jan 1 00:00:00 1970 | |
1693 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h Wed Sep 24 09:17:55 2003 | |
1694 | @@ -0,0 +1,123 @@ | |
1695 | +#ifndef _CONNTRACK_PROTO_GRE_H | |
1696 | +#define _CONNTRACK_PROTO_GRE_H | |
1697 | +#include <asm/byteorder.h> | |
1698 | + | |
1699 | +/* GRE PROTOCOL HEADER */ | |
1700 | + | |
1701 | +/* GRE Version field */ | |
1702 | +#define GRE_VERSION_1701 0x0 | |
1703 | +#define GRE_VERSION_PPTP 0x1 | |
1704 | + | |
1705 | +/* GRE Protocol field */ | |
1706 | +#define GRE_PROTOCOL_PPTP 0x880B | |
1707 | + | |
1708 | +/* GRE Flags */ | |
1709 | +#define GRE_FLAG_C 0x80 | |
1710 | +#define GRE_FLAG_R 0x40 | |
1711 | +#define GRE_FLAG_K 0x20 | |
1712 | +#define GRE_FLAG_S 0x10 | |
1713 | +#define GRE_FLAG_A 0x80 | |
1714 | + | |
1715 | +#define GRE_IS_C(f) ((f)&GRE_FLAG_C) | |
1716 | +#define GRE_IS_R(f) ((f)&GRE_FLAG_R) | |
1717 | +#define GRE_IS_K(f) ((f)&GRE_FLAG_K) | |
1718 | +#define GRE_IS_S(f) ((f)&GRE_FLAG_S) | |
1719 | +#define GRE_IS_A(f) ((f)&GRE_FLAG_A) | |
1720 | + | |
1721 | +/* GRE is a mess: Four different standards */ | |
1722 | +struct gre_hdr { | |
1723 | +#if defined(__LITTLE_ENDIAN_BITFIELD) | |
1724 | + __u16 rec:3, | |
1725 | + srr:1, | |
1726 | + seq:1, | |
1727 | + key:1, | |
1728 | + routing:1, | |
1729 | + csum:1, | |
1730 | + version:3, | |
1731 | + reserved:4, | |
1732 | + ack:1; | |
1733 | +#elif defined(__BIG_ENDIAN_BITFIELD) | |
1734 | + __u16 csum:1, | |
1735 | + routing:1, | |
1736 | + key:1, | |
1737 | + seq:1, | |
1738 | + srr:1, | |
1739 | + rec:3, | |
1740 | + ack:1, | |
1741 | + reserved:4, | |
1742 | + version:3; | |
1743 | +#else | |
1744 | +#error "Adjust your <asm/byteorder.h> defines" | |
1745 | +#endif | |
1746 | + __u16 protocol; | |
1747 | +}; | |
1748 | + | |
1749 | +/* modified GRE header for PPTP */ | |
1750 | +struct gre_hdr_pptp { | |
1751 | + __u8 flags; /* bitfield */ | |
1752 | + __u8 version; /* should be GRE_VERSION_PPTP */ | |
1753 | + __u16 protocol; /* should be GRE_PROTOCOL_PPTP */ | |
1754 | + __u16 payload_len; /* size of ppp payload, not inc. gre header */ | |
1755 | + __u16 call_id; /* peer's call_id for this session */ | |
1756 | + __u32 seq; /* sequence number. Present if S==1 */ | |
1757 | + __u32 ack; /* seq number of highest packet recieved by */ | |
1758 | + /* sender in this session */ | |
1759 | +}; | |
1760 | + | |
1761 | + | |
1762 | +/* this is part of ip_conntrack */ | |
1763 | +struct ip_ct_gre { | |
1764 | + unsigned int stream_timeout; | |
1765 | + unsigned int timeout; | |
1766 | +}; | |
1767 | + | |
1768 | +/* this is part of ip_conntrack_expect */ | |
1769 | +struct ip_ct_gre_expect { | |
1770 | + struct ip_ct_gre_keymap *keymap_orig, *keymap_reply; | |
1771 | +}; | |
1772 | + | |
1773 | +#ifdef __KERNEL__ | |
1774 | +struct ip_conntrack_expect; | |
1775 | + | |
1776 | +/* structure for original <-> reply keymap */ | |
1777 | +struct ip_ct_gre_keymap { | |
1778 | + struct list_head list; | |
1779 | + | |
1780 | + struct ip_conntrack_tuple tuple; | |
1781 | +}; | |
1782 | + | |
1783 | + | |
1784 | +/* add new tuple->key_reply pair to keymap */ | |
1785 | +int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp, | |
1786 | + struct ip_conntrack_tuple *t, | |
1787 | + int reply); | |
1788 | + | |
1789 | +/* change an existing keymap entry */ | |
1790 | +void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km, | |
1791 | + struct ip_conntrack_tuple *t); | |
1792 | + | |
1793 | +/* delete keymap entries */ | |
1794 | +void ip_ct_gre_keymap_destroy(struct ip_conntrack_expect *exp); | |
1795 | + | |
1796 | + | |
1797 | +/* get pointer to gre key, if present */ | |
1798 | +static inline u_int32_t *gre_key(struct gre_hdr *greh) | |
1799 | +{ | |
1800 | + if (!greh->key) | |
1801 | + return NULL; | |
1802 | + if (greh->csum || greh->routing) | |
1803 | + return (u_int32_t *) (greh+sizeof(*greh)+4); | |
1804 | + return (u_int32_t *) (greh+sizeof(*greh)); | |
1805 | +} | |
1806 | + | |
1807 | +/* get pointer ot gre csum, if present */ | |
1808 | +static inline u_int16_t *gre_csum(struct gre_hdr *greh) | |
1809 | +{ | |
1810 | + if (!greh->csum) | |
1811 | + return NULL; | |
1812 | + return (u_int16_t *) (greh+sizeof(*greh)); | |
1813 | +} | |
1814 | + | |
1815 | +#endif /* __KERNEL__ */ | |
1816 | + | |
1817 | +#endif /* _CONNTRACK_PROTO_GRE_H */ | |
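Review bot: In `gre_key()` and `gre_csum()` the offset is added to a `struct gre_hdr *`, so `greh+sizeof(*greh)` advances by `sizeof(*greh)` whole headers (16 bytes for this 4-byte struct) instead of 4 bytes, and the returned pointer lands well past the optional fields. Do the arithmetic on a byte pointer: `return (u_int32_t *) ((char *)greh + sizeof(*greh) + 4);` and its no-checksum twin in `gre_key()`, and `return (u_int16_t *) ((char *)greh + sizeof(*greh));` in `gre_csum()`. Neither helper takes a length, so each needs a comment saying the caller must confirm the packet really contains the optional words before dereferencing the result. `GRE_FLAG_A` also has the same value as `GRE_FLAG_C` (0x80); if that is because the A bit sits in the `version` byte of `struct gre_hdr_pptp`, a comment next to the define should say so, so that `GRE_IS_A()` is not applied to `flags`.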
1818 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_protocol.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_protocol.h | |
1819 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_protocol.h Thu Nov 28 23:53:15 2002 | |
1820 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_protocol.h Wed Sep 24 09:18:12 2003 | |
1821 | @@ -57,6 +57,12 @@ | |
1822 | extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto); | |
1823 | extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto); | |
1824 | ||
1825 | +/* Get the tuple from the packet and return 1 if it's succeeded. */ | |
1826 | +extern int | |
1827 | +ip_conntrack_get_tuple(const struct iphdr *iph, size_t len, | |
1828 | + struct ip_conntrack_tuple *tuple, | |
1829 | + struct ip_conntrack_protocol *protocol); | |
1830 | + | |
1831 | /* Existing built-in protocols */ | |
1832 | extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp; | |
1833 | extern struct ip_conntrack_protocol ip_conntrack_protocol_udp; | |
1834 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_quake3.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_quake3.h | |
1835 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_quake3.h Thu Jan 1 00:00:00 1970 | |
1836 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_quake3.h Wed Sep 24 09:17:58 2003 | |
1837 | @@ -0,0 +1,21 @@ | |
1838 | +#ifndef _IP_CT_QUAKE3 | |
1839 | +#define _IP_CT_QUAKE3 | |
1840 | + | |
1841 | +/* Don't confuse with 27960, often used as the Server Port */ | |
1842 | +#define QUAKE3_MASTER_PORT 27950 | |
1843 | + | |
1844 | +struct quake3_search { | |
1845 | + const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */ | |
1846 | + const char *pattern; | |
1847 | + size_t plen; | |
1848 | +}; | |
1849 | + | |
1850 | +/* This structure is per expected connection */ | |
1851 | +struct ip_ct_quake3_expect { | |
1852 | +}; | |
1853 | + | |
1854 | +/* This structure exists only once per master */ | |
1855 | +struct ip_ct_quake3_master { | |
1856 | +}; | |
1857 | + | |
1858 | +#endif /* _IP_CT_QUAKE3 */ | |
1859 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_rpc.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_rpc.h | |
1860 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_rpc.h Thu Jan 1 00:00:00 1970 | |
1861 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_rpc.h Wed Sep 24 09:18:01 2003 | |
1862 | @@ -0,0 +1,68 @@ | |
1863 | +/* RPC extension for IP connection tracking, Version 2.2 | |
1864 | + * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> | |
1865 | + * - original rpc tracking module | |
1866 | + * - "recent" connection handling for kernel 2.3+ netfilter | |
1867 | + * | |
1868 | + * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au> | |
1869 | + * - upgraded conntrack modules to oldnat api - kernel 2.4.0+ | |
1870 | + * | |
1871 | + * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au> | |
1872 | + * - upgraded conntrack modules to newnat api - kernel 2.4.20+ | |
1873 | + * - extended matching to support filtering on procedures | |
1874 | + * | |
1875 | + * ip_conntrack_rpc.h,v 2.2 2003/01/12 18:30:00 | |
1876 | + * | |
1877 | + * This program is free software; you can redistribute it and/or | |
1878 | + * modify it under the terms of the GNU General Public License | |
1879 | + * as published by the Free Software Foundation; either version | |
1880 | + * 2 of the License, or (at your option) any later version. | |
1881 | + ** | |
1882 | + */ | |
1883 | + | |
1884 | +#include <asm/param.h> | |
1885 | +#include <linux/sched.h> | |
1886 | +#include <linux/timer.h> | |
1887 | +#include <linux/stddef.h> | |
1888 | +#include <linux/list.h> | |
1889 | + | |
1890 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
1891 | + | |
1892 | +#ifndef _IP_CONNTRACK_RPC_H | |
1893 | +#define _IP_CONNTRACK_RPC_H | |
1894 | + | |
1895 | +#define RPC_PORT 111 | |
1896 | + | |
1897 | + | |
1898 | +/* Datum in RPC packets are encoded in XDR */ | |
1899 | +#define IXDR_GET_INT32(buf) ((u_int32_t) ntohl((uint32_t)*buf)) | |
1900 | + | |
1901 | +/* Fast timeout, to deny DoS atacks */ | |
1902 | +#define EXP (60 * HZ) | |
1903 | + | |
1904 | +/* Normal timeouts */ | |
1905 | +#define EXPIRES (180 * HZ) | |
1906 | + | |
1907 | +/* For future conections RPC, using client's cache bindings | |
1908 | + * I'll use ip_conntrack_lock to lock these lists */ | |
1909 | + | |
1910 | +/* This identifies each request and stores protocol */ | |
1911 | +struct request_p { | |
1912 | + struct list_head list; | |
1913 | + | |
1914 | + u_int32_t xid; | |
1915 | + u_int32_t ip; | |
1916 | + u_int16_t port; | |
1917 | + | |
1918 | + /* Protocol */ | |
1919 | + u_int16_t proto; | |
1920 | + | |
1921 | + struct timer_list timeout; | |
1922 | +}; | |
1923 | + | |
1924 | +static inline int request_p_cmp(const struct request_p *p, u_int32_t xid, | |
1925 | + u_int32_t ip, u_int32_t port) { | |
1926 | + return (p->xid == xid && p->ip == ip && p->port); | |
1927 | + | |
1928 | +} | |
1929 | + | |
1930 | +#endif /* _IP_CONNTRACK_RPC_H */ | |
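Review bot: `request_p_cmp()` never compares its `port` argument: the last term is just `p->port`, so any stored request with a non-zero port matches on xid and address alone. For a helper that pairs RPC replies with earlier requests this widens what can match; the line should read `return (p->xid == xid && p->ip == ip && p->port == port);`. The parameter is `u_int32_t` while the field is `u_int16_t`, so the parameter is better declared `u_int16_t` as well. `IXDR_GET_INT32(buf)` also expands `*buf` without parentheses around the argument; `ntohl((uint32_t)*(buf))` keeps it correct for arguments such as `p + 1`.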
1931 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_rsh.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_rsh.h | |
1932 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_rsh.h Thu Jan 1 00:00:00 1970 | |
1933 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_rsh.h Wed Sep 24 09:18:03 2003 | |
1934 | @@ -0,0 +1,35 @@ | |
1935 | +/* RSH extension for IP connection tracking, Version 1.0 | |
1936 | + * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au> | |
1937 | + * based on HW's ip_conntrack_irc.c | |
1938 | + * | |
1939 | + * ip_conntrack_rsh.c,v 1.0 2002/07/17 14:49:26 | |
1940 | + * | |
1941 | + * This program is free software; you can redistribute it and/or | |
1942 | + * modify it under the terms of the GNU General Public License | |
1943 | + * as published by the Free Software Foundation; either version | |
1944 | + * 2 of the License, or (at your option) any later version. | |
1945 | + */ | |
1946 | +#ifndef _IP_CONNTRACK_RSH_H | |
1947 | +#define _IP_CONNTRACK_RSH_H | |
1948 | + | |
1949 | +#ifdef __KERNEL__ | |
1950 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
1951 | + | |
1952 | +DECLARE_LOCK_EXTERN(ip_rsh_lock); | |
1953 | +#endif | |
1954 | + | |
1955 | + | |
1956 | +#define RSH_PORT 514 | |
1957 | + | |
1958 | +/* This structure is per expected connection */ | |
1959 | +struct ip_ct_rsh_expect | |
1960 | +{ | |
1961 | + u_int16_t port; | |
1962 | +}; | |
1963 | + | |
1964 | +/* This structure exists only once per master */ | |
1965 | +struct ip_ct_rsh_master { | |
1966 | +}; | |
1967 | + | |
1968 | +#endif /* _IP_CONNTRACK_RSH_H */ | |
1969 | + | |
1970 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_talk.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_talk.h | |
1971 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_talk.h Thu Jan 1 00:00:00 1970 | |
1972 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_talk.h Wed Sep 24 09:18:08 2003 | |
1973 | @@ -0,0 +1,152 @@ | |
1974 | +#ifndef _IP_CONNTRACK_TALK_H | |
1975 | +#define _IP_CONNTRACK_TALK_H | |
1976 | +/* TALK tracking. */ | |
1977 | + | |
1978 | +#ifdef __KERNEL__ | |
1979 | +#include <linux/in.h> | |
1980 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
1981 | + | |
1982 | +/* Protects talk part of conntracks */ | |
1983 | +DECLARE_LOCK_EXTERN(ip_talk_lock); | |
1984 | +#endif | |
1985 | + | |
1986 | + | |
1987 | +#define TALK_PORT 517 | |
1988 | +#define NTALK_PORT 518 | |
1989 | + | |
1990 | +/* talk structures and constants from <protocols/talkd.h> */ | |
1991 | + | |
1992 | +/* | |
1993 | + * 4.3BSD struct sockaddr | |
1994 | + */ | |
1995 | +struct talk_addr { | |
1996 | + u_int16_t ta_family; | |
1997 | + u_int16_t ta_port; | |
1998 | + u_int32_t ta_addr; | |
1999 | + u_int32_t ta_junk1; | |
2000 | + u_int32_t ta_junk2; | |
2001 | +}; | |
2002 | + | |
2003 | +#define TALK_OLD_NSIZE 9 | |
2004 | +#define TALK_NSIZE 12 | |
2005 | +#define TALK_TTY_NSIZE 16 | |
2006 | + | |
2007 | +/* | |
2008 | + * Client->server request message formats. | |
2009 | + */ | |
2010 | +struct talk_msg { | |
2011 | + u_char type; /* request type, see below */ | |
2012 | + char l_name[TALK_OLD_NSIZE];/* caller's name */ | |
2013 | + char r_name[TALK_OLD_NSIZE];/* callee's name */ | |
2014 | + u_char pad; | |
2015 | + u_int32_t id_num; /* message id */ | |
2016 | + int32_t pid; /* caller's process id */ | |
2017 | + char r_tty[TALK_TTY_NSIZE];/* callee's tty name */ | |
2018 | + struct talk_addr addr; /* old (4.3) style */ | |
2019 | + struct talk_addr ctl_addr; /* old (4.3) style */ | |
2020 | +}; | |
2021 | + | |
2022 | +struct ntalk_msg { | |
2023 | + u_char vers; /* protocol version */ | |
2024 | + u_char type; /* request type, see below */ | |
2025 | + u_char answer; /* not used */ | |
2026 | + u_char pad; | |
2027 | + u_int32_t id_num; /* message id */ | |
2028 | + struct talk_addr addr; /* old (4.3) style */ | |
2029 | + struct talk_addr ctl_addr; /* old (4.3) style */ | |
2030 | + int32_t pid; /* caller's process id */ | |
2031 | + char l_name[TALK_NSIZE];/* caller's name */ | |
2032 | + char r_name[TALK_NSIZE];/* callee's name */ | |
2033 | + char r_tty[TALK_TTY_NSIZE];/* callee's tty name */ | |
2034 | +}; | |
2035 | + | |
2036 | +struct ntalk2_msg { | |
2037 | + u_char vers; /* talk protocol version */ | |
2038 | + u_char type; /* request type */ | |
2039 | + u_char answer; /* */ | |
2040 | + u_char extended; /* !0 if additional parts */ | |
2041 | + u_int32_t id_num; /* message id number (dels) */ | |
2042 | + struct talk_addr addr; /* target address */ | |
2043 | + struct talk_addr ctl_addr; /* reply to address */ | |
2044 | + int32_t pid; /* caller's process id */ | |
2045 | + char l_name[TALK_NSIZE]; /* caller's name */ | |
2046 | + char r_name[TALK_NSIZE]; /* callee's name */ | |
2047 | + char r_tty[TALK_TTY_NSIZE]; /* callee's tty */ | |
2048 | +}; | |
2049 | + | |
2050 | +/* | |
2051 | + * Server->client response message formats. | |
2052 | + */ | |
2053 | +struct talk_response { | |
2054 | + u_char type; /* type of request message, see below */ | |
2055 | + u_char answer; /* response to request message, see below */ | |
2056 | + u_char pad[2]; | |
2057 | + u_int32_t id_num; /* message id */ | |
2058 | + struct talk_addr addr; /* address for establishing conversation */ | |
2059 | +}; | |
2060 | + | |
2061 | +struct ntalk_response { | |
2062 | + u_char vers; /* protocol version */ | |
2063 | + u_char type; /* type of request message, see below */ | |
2064 | + u_char answer; /* response to request message, see below */ | |
2065 | + u_char pad; | |
2066 | + u_int32_t id_num; /* message id */ | |
2067 | + struct talk_addr addr; /* address for establishing conversation */ | |
2068 | +}; | |
2069 | + | |
2070 | +struct ntalk2_response { | |
2071 | + u_char vers; /* protocol version */ | |
2072 | + u_char type; /* type of request message */ | |
2073 | + u_char answer; /* response to request */ | |
2074 | + u_char rvers; /* Version of answering vers*/ | |
2075 | + u_int32_t id_num; /* message id number */ | |
2076 | + struct talk_addr addr; /* address for connection */ | |
2077 | + /* This is at the end to compatiblize this with NTALK version. */ | |
2078 | + char r_name[TALK_NSIZE]; /* callee's name */ | |
2079 | +}; | |
2080 | + | |
2081 | +#define TALK_STR(data, talk_str, member) ((struct talk_str *)data)->member) | |
2082 | +#define TALK_RESP(data, ver, member) (ver ? ((struct ntalk_response *)data)->member : ((struct talk_response *)data)->member) | |
2083 | +#define TALK_MSG(data, ver, member) (ver ? ((struct ntalk_msg *)data)->member : ((struct talk_msg *)data)->member) | |
2084 | + | |
2085 | +#define TALK_VERSION 0 /* protocol versions */ | |
2086 | +#define NTALK_VERSION 1 | |
2087 | +#define NTALK2_VERSION 2 | |
2088 | + | |
2089 | +/* message type values */ | |
2090 | +#define LEAVE_INVITE 0 /* leave invitation with server */ | |
2091 | +#define LOOK_UP 1 /* check for invitation by callee */ | |
2092 | +#define DELETE 2 /* delete invitation by caller */ | |
2093 | +#define ANNOUNCE 3 /* announce invitation by caller */ | |
2094 | +/* NTALK2 */ | |
2095 | +#define REPLY_QUERY 4 /* request reply data from local daemon */ | |
2096 | + | |
2097 | +/* answer values */ | |
2098 | +#define SUCCESS 0 /* operation completed properly */ | |
2099 | +#define NOT_HERE 1 /* callee not logged in */ | |
2100 | +#define FAILED 2 /* operation failed for unexplained reason */ | |
2101 | +#define MACHINE_UNKNOWN 3 /* caller's machine name unknown */ | |
2102 | +#define PERMISSION_DENIED 4 /* callee's tty doesn't permit announce */ | |
2103 | +#define UNKNOWN_REQUEST 5 /* request has invalid type value */ | |
2104 | +#define BADVERSION 6 /* request has invalid protocol version */ | |
2105 | +#define BADADDR 7 /* request has invalid addr value */ | |
2106 | +#define BADCTLADDR 8 /* request has invalid ctl_addr value */ | |
2107 | +/* NTALK2 */ | |
2108 | +#define NO_CALLER 9 /* no-one calling answer from REPLY */ | |
2109 | +#define TRY_HERE 10 /* Not on this machine, try this */ | |
2110 | +#define SELECTIVE_REFUSAL 11 /* User Filter refusal. */ | |
2111 | +#define MAX_RESPONSE_TYPE 11 /* Make sure this is updated */ | |
2112 | + | |
2113 | +/* We don't really need much for talk */ | |
2114 | +struct ip_ct_talk_expect | |
2115 | +{ | |
2116 | + /* Port that was to be used */ | |
2117 | + u_int16_t port; | |
2118 | +}; | |
2119 | + | |
2120 | +/* This structure exists only once per master */ | |
2121 | +struct ip_ct_talk_master | |
2122 | +{ | |
2123 | +}; | |
2124 | + | |
2125 | +#endif /* _IP_CONNTRACK_TALK_H */ | |
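Review bot: `TALK_STR` has one more closing parenthesis than opening ones, so any use of it will fail to compile; it should read `#define TALK_STR(data, talk_str, member) (((struct talk_str *)(data))->member)`. `TALK_RESP` and `TALK_MSG` likewise leave `data` and `ver` unparenthesized, and they only distinguish zero from non-zero `ver`, so an `NTALK2_VERSION` message is read through the ntalk layouts; a comment should state whether that is intended. All three macros overlay a struct on what is presumably packet payload, so the header should note that callers must check the payload is at least `sizeof` the selected struct before using them. The type and answer defines (`SUCCESS`, `FAILED`, `DELETE`, ...) are very generic names for a kernel header and would be safer with a `TALK_` prefix.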
2126 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_tftp.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_tftp.h | |
2127 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_tftp.h Thu Jan 1 00:00:00 1970 | |
2128 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_tftp.h Wed Sep 24 09:16:14 2003 | |
2129 | @@ -0,0 +1,13 @@ | |
2130 | +#ifndef _IP_CT_TFTP | |
2131 | +#define _IP_CT_TFTP | |
2132 | + | |
2133 | +#define TFTP_PORT 69 | |
2134 | + | |
2135 | +struct tftphdr { | |
2136 | + u_int16_t opcode; | |
2137 | +}; | |
2138 | + | |
2139 | +#define TFTP_OPCODE_READ 1 | |
2140 | +#define TFTP_OPCODE_WRITE 2 | |
2141 | + | |
2142 | +#endif /* _IP_CT_TFTP */ | |
2143 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_tuple.h | |
2144 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h Mon Feb 25 19:38:13 2002 | |
2145 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack_tuple.h Wed Sep 24 09:17:55 2003 | |
2146 | @@ -14,7 +14,7 @@ | |
2147 | union ip_conntrack_manip_proto | |
2148 | { | |
2149 | /* Add other protocols here. */ | |
2150 | - u_int16_t all; | |
2151 | + u_int32_t all; | |
2152 | ||
2153 | struct { | |
2154 | u_int16_t port; | |
2155 | @@ -25,6 +25,9 @@ | |
2156 | struct { | |
2157 | u_int16_t id; | |
2158 | } icmp; | |
2159 | + struct { | |
2160 | + u_int32_t key; | |
2161 | + } gre; | |
2162 | }; | |
2163 | ||
2164 | /* The manipulable part of the tuple. */ | |
2165 | @@ -44,7 +47,7 @@ | |
2166 | u_int32_t ip; | |
2167 | union { | |
2168 | /* Add other protocols here. */ | |
2169 | - u_int16_t all; | |
2170 | + u_int64_t all; | |
2171 | ||
2172 | struct { | |
2173 | u_int16_t port; | |
2174 | @@ -55,6 +58,11 @@ | |
2175 | struct { | |
2176 | u_int8_t type, code; | |
2177 | } icmp; | |
2178 | + struct { | |
2179 | + u_int16_t protocol; | |
2180 | + u_int8_t version; | |
2181 | + u_int32_t key; | |
2182 | + } gre; | |
2183 | } u; | |
2184 | ||
2185 | /* The protocol. */ | |
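Review bot: The new `gre` member of the destination union leaves a padding byte between `version` and `key` that no named field writes but that is part of the widened `all`. If tuples are compared or hashed through `all` (not shown in this hunk), a tuple filled field by field without first being cleared can differ from an otherwise equal one. A comment on the struct such as `/* 1 byte of padding after version: clear u.all (IP_CT_TUPLE_BLANK) before filling */` would make the requirement explicit. The enclosing struct starts and ends outside this hunk.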
2186 | @@ -62,6 +70,14 @@ | |
2187 | } dst; | |
2188 | }; | |
2189 | ||
2190 | +/* This is optimized opposed to a memset of the whole structure. Everything we | |
2191 | + * really care about is the source/destination unions */ | |
2192 | +#define IP_CT_TUPLE_BLANK(tuple) \ | |
2193 | + do { \ | |
2194 | + (tuple)->src.u.all = 0; \ | |
2195 | + (tuple)->dst.u.all = 0; \ | |
2196 | + } while (0) | |
2197 | + | |
2198 | enum ip_conntrack_dir | |
2199 | { | |
2200 | IP_CT_DIR_ORIGINAL, | |
2201 | @@ -72,10 +88,16 @@ | |
2202 | #ifdef __KERNEL__ | |
2203 | ||
2204 | #define DUMP_TUPLE(tp) \ | |
2205 | -DEBUGP("tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n", \ | |
2206 | +DEBUGP("tuple %p: %u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", \ | |
2207 | (tp), (tp)->dst.protonum, \ | |
2208 | - NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all), \ | |
2209 | - NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all)) | |
2210 | + NIPQUAD((tp)->src.ip), ntohl((tp)->src.u.all), \ | |
2211 | + NIPQUAD((tp)->dst.ip), ntohl((tp)->dst.u.all)) | |
2212 | + | |
2213 | +#define DUMP_TUPLE_RAW(x) \ | |
2214 | + DEBUGP("tuple %p: %u %u.%u.%u.%u:0x%08x -> %u.%u.%u.%u:0x%08x\n",\ | |
2215 | + (x), (x)->dst.protonum, \ | |
2216 | + NIPQUAD((x)->src.ip), ntohl((x)->src.u.all), \ | |
2217 | + NIPQUAD((x)->dst.ip), ntohl((x)->dst.u.all)) | |
2218 | ||
2219 | #define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL) | |
2220 | ||
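Review bot: `DUMP_TUPLE` now feeds `ntohl((tp)->src.u.all)` and `ntohl((tp)->dst.u.all)` to `%u`, but `dst.u.all` is `u_int64_t` after this patch, so it is truncated to 32 bits before the swap, and which half survives depends on host endianness. For port-based protocols the 16-bit port also ends up in the upper half of the swapped value, so the debug line no longer shows a plain port number. Keep `DUMP_TUPLE` on the 16-bit member, e.g. `ntohs((tp)->src.u.tcp.port)` with `%hu` (the `tcp` member name comes from the unpatched header and is not visible in this hunk), and leave the raw view to `DUMP_TUPLE_RAW`. There the destination is better printed in full, with `%016llx` and `(unsigned long long)(x)->dst.u.all`.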
2221 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_logging.h linux-2.4.20/include/linux/netfilter_ipv4/ip_logging.h | |
2222 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_logging.h Thu Jan 1 00:00:00 1970 | |
2223 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_logging.h Wed Sep 24 09:16:23 2003 | |
2224 | @@ -0,0 +1,20 @@ | |
2225 | +/* IPv4 macros for the internal logging interface. */ | |
2226 | +#ifndef __IP_LOGGING_H | |
2227 | +#define __IP_LOGGING_H | |
2228 | + | |
2229 | +#ifdef __KERNEL__ | |
2230 | +#include <linux/socket.h> | |
2231 | +#include <linux/netfilter_logging.h> | |
2232 | + | |
2233 | +#define nf_log_ip_packet(pskb,hooknum,in,out,fmt,args...) \ | |
2234 | + nf_log_packet(AF_INET,pskb,hooknum,in,out,fmt,##args) | |
2235 | + | |
2236 | +#define nf_log_ip(pfh,len,fmt,args...) \ | |
2237 | + nf_log(AF_INET,pfh,len,fmt,##args) | |
2238 | + | |
2239 | +#define nf_ip_log_register(logging) nf_log_register(AF_INET,logging) | |
2240 | +#define nf_ip_log_unregister(logging) nf_log_unregister(AF_INET,logging) | |
2241 | + | |
2242 | +#endif /*__KERNEL__*/ | |
2243 | + | |
2244 | +#endif /*__IP_LOGGING_H*/ | |
2245 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_nat_helper.h linux-2.4.20/include/linux/netfilter_ipv4/ip_nat_helper.h | |
2246 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_nat_helper.h Thu Nov 28 23:53:15 2002 | |
2247 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_nat_helper.h Wed Sep 24 09:16:14 2003 | |
2248 | @@ -50,6 +50,13 @@ | |
2249 | unsigned int match_len, | |
2250 | char *rep_buffer, | |
2251 | unsigned int rep_len); | |
2252 | +extern int ip_nat_mangle_udp_packet(struct sk_buff **skb, | |
2253 | + struct ip_conntrack *ct, | |
2254 | + enum ip_conntrack_info ctinfo, | |
2255 | + unsigned int match_offset, | |
2256 | + unsigned int match_len, | |
2257 | + char *rep_buffer, | |
2258 | + unsigned int rep_len); | |
2259 | extern int ip_nat_seq_adjust(struct sk_buff *skb, | |
2260 | struct ip_conntrack *ct, | |
2261 | enum ip_conntrack_info ctinfo); | |
2262 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_nat_pptp.h linux-2.4.20/include/linux/netfilter_ipv4/ip_nat_pptp.h | |
2263 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_nat_pptp.h Thu Jan 1 00:00:00 1970 | |
2264 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_nat_pptp.h Wed Sep 24 09:17:55 2003 | |
2265 | @@ -0,0 +1,11 @@ | |
2266 | +/* PPTP constants and structs */ | |
2267 | +#ifndef _NAT_PPTP_H | |
2268 | +#define _NAT_PPTP_H | |
2269 | + | |
2270 | +/* conntrack private data */ | |
2271 | +struct ip_nat_pptp { | |
2272 | + u_int16_t pns_call_id; /* NAT'ed PNS call id */ | |
2273 | + u_int16_t pac_call_id; /* NAT'ed PAC call id */ | |
2274 | +}; | |
2275 | + | |
2276 | +#endif /* _NAT_PPTP_H */ | |
2277 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_nat_rule.h linux-2.4.20/include/linux/netfilter_ipv4/ip_nat_rule.h | |
2278 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_nat_rule.h Thu Nov 28 23:53:15 2002 | |
2279 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_nat_rule.h Wed Sep 24 09:16:27 2003 | |
2280 | @@ -14,5 +14,10 @@ | |
2281 | const struct net_device *out, | |
2282 | struct ip_conntrack *ct, | |
2283 | struct ip_nat_info *info); | |
2284 | + | |
2285 | +extern unsigned int | |
2286 | +alloc_null_binding(struct ip_conntrack *conntrack, | |
2287 | + struct ip_nat_info *info, | |
2288 | + unsigned int hooknum); | |
2289 | #endif | |
2290 | #endif /* _IP_NAT_RULE_H */ | |
2291 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ip_pool.h linux-2.4.20/include/linux/netfilter_ipv4/ip_pool.h | |
2292 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ip_pool.h Thu Jan 1 00:00:00 1970 | |
2293 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ip_pool.h Wed Sep 24 09:16:59 2003 | |
2294 | @@ -0,0 +1,64 @@ | |
2295 | +#ifndef _IP_POOL_H | |
2296 | +#define _IP_POOL_H | |
2297 | + | |
2298 | +/***************************************************************************/ | |
2299 | +/* This program is free software; you can redistribute it and/or modify */ | |
2300 | +/* it under the terms of the GNU General Public License as published by */ | |
2301 | +/* the Free Software Foundation; either version 2 of the License, or */ | |
2302 | +/* (at your option) any later version. */ | |
2303 | +/* */ | |
2304 | +/* This program is distributed in the hope that it will be useful, */ | |
2305 | +/* but WITHOUT ANY WARRANTY; without even the implied warranty of */ | |
2306 | +/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */ | |
2307 | +/* GNU General Public License for more details. */ | |
2308 | +/* */ | |
2309 | +/* You should have received a copy of the GNU General Public License */ | |
2310 | +/* along with this program; if not, write to the Free Software */ | |
2311 | +/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/ | |
2312 | +/***************************************************************************/ | |
2313 | + | |
2314 | +/* A sockopt of such quality has hardly ever been seen before on the open | |
2315 | + * market! This little beauty, hardly ever used: above 64, so it's | |
2316 | + * traditionally used for firewalling, not touched (even once!) by the | |
2317 | + * 2.0, 2.2 and 2.4 kernels! | |
2318 | + * | |
2319 | + * Comes with its own certificate of authenticity, valid anywhere in the | |
2320 | + * Free world! | |
2321 | + * | |
2322 | + * Rusty, 19.4.2000 | |
2323 | + */ | |
2324 | +#define SO_IP_POOL 81 | |
2325 | + | |
2326 | +typedef int ip_pool_t; /* pool index */ | |
2327 | +#define IP_POOL_NONE ((ip_pool_t)-1) | |
2328 | + | |
2329 | +struct ip_pool_request { | |
2330 | + int op; | |
2331 | + ip_pool_t index; | |
2332 | + u_int32_t addr; | |
2333 | + u_int32_t addr2; | |
2334 | +}; | |
2335 | + | |
2336 | +/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */ | |
2337 | + | |
2338 | +#define IP_POOL_BAD001 0x00000010 | |
2339 | + | |
2340 | +#define IP_POOL_FLUSH 0x00000011 /* req.index, no arguments */ | |
2341 | +#define IP_POOL_INIT 0x00000012 /* from addr to addr2 incl. */ | |
2342 | +#define IP_POOL_DESTROY 0x00000013 /* req.index, no arguments */ | |
2343 | +#define IP_POOL_ADD_ADDR 0x00000014 /* add addr to pool */ | |
2344 | +#define IP_POOL_DEL_ADDR 0x00000015 /* del addr from pool */ | |
2345 | +#define IP_POOL_HIGH_NR 0x00000016 /* result in req.index */ | |
2346 | +#define IP_POOL_LOOKUP 0x00000017 /* result in addr and addr2 */ | |
2347 | +#define IP_POOL_USAGE 0x00000018 /* result in addr */ | |
2348 | +#define IP_POOL_TEST_ADDR 0x00000019 /* result (0/1) returned */ | |
2349 | + | |
2350 | +#ifdef __KERNEL__ | |
2351 | + | |
2352 | +/* NOTE: ip_pool_match() and ip_pool_mod() expect ADDR to be host byte order */ | |
2353 | +extern int ip_pool_match(ip_pool_t pool, u_int32_t addr); | |
2354 | +extern int ip_pool_mod(ip_pool_t pool, u_int32_t addr, int isdel); | |
2355 | + | |
2356 | +#endif | |
2357 | + | |
2358 | +#endif /*_IP_POOL_H*/ | |
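Review bot: `struct ip_pool_request` is filled in by userspace through the `SO_IP_POOL` sockopt, but its fields carry no contract. `index` is a signed `ip_pool_t`, so the handler (not in this hunk) has to reject negative and too-large values before using it as a pool index. The header says only that `ip_pool_match()` and `ip_pool_mod()` take host byte order, not which order `addr` and `addr2` use across the sockopt. I would document both on the fields, for example `ip_pool_t index; /* pool number, range-checked by the sockopt handler */` and a byte-order comment on `addr` / `addr2`. The header should also state the privilege that the modifying operations (`IP_POOL_INIT`, `IP_POOL_DESTROY`, `IP_POOL_ADD_ADDR`, `IP_POOL_DEL_ADDR`, `IP_POOL_FLUSH`) require.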
2359 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_CLASSIFY.h linux-2.4.20/include/linux/netfilter_ipv4/ipt_CLASSIFY.h | |
2360 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_CLASSIFY.h Thu Jan 1 00:00:00 1970 | |
2361 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ipt_CLASSIFY.h Wed Sep 24 09:17:14 2003 | |
2362 | @@ -0,0 +1,8 @@ | |
2363 | +#ifndef _IPT_CLASSIFY_H | |
2364 | +#define _IPT_CLASSIFY_H | |
2365 | + | |
2366 | +struct ipt_classify_target_info { | |
2367 | + u_int32_t priority; | |
2368 | +}; | |
2369 | + | |
2370 | +#endif /*_IPT_CLASSIFY_H */ | |
2371 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux-2.4.20/include/linux/netfilter_ipv4/ipt_CONNMARK.h | |
2372 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h Thu Jan 1 00:00:00 1970 | |
2373 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ipt_CONNMARK.h Wed Sep 24 09:17:17 2003 | |
2374 | @@ -0,0 +1,15 @@ | |
2375 | +#ifndef _IPT_CONNMARK_H_target | |
2376 | +#define _IPT_CONNMARK_H_target | |
2377 | + | |
2378 | +enum { | |
2379 | + IPT_CONNMARK_SET = 0, | |
2380 | + IPT_CONNMARK_SAVE, | |
2381 | + IPT_CONNMARK_RESTORE | |
2382 | +}; | |
2383 | + | |
2384 | +struct ipt_connmark_target_info { | |
2385 | + unsigned long mark; | |
2386 | + u_int8_t mode; | |
2387 | +}; | |
2388 | + | |
2389 | +#endif /*_IPT_CONNMARK_H_target*/ | |
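Review bot: `unsigned long mark` in `struct ipt_connmark_target_info` makes the size and layout of a userspace-visible rule structure depend on the ABI. A 32-bit iptables binary and a 64-bit kernel would then disagree about where `mode` lives. The same applies to `andmask` and `ormask` in `struct ipt_ipmark_target_info` in the ipt_IPMARK.h hunk below. If the mark fits in 32 bits here, a fixed-width field such as `u_int32_t mark;` avoids the problem; otherwise the header should say how mixed-width setups are handled. `mode` is a bare `u_int8_t` tied to an anonymous enum, so a comment such as `/* IPT_CONNMARK_SET, _SAVE or _RESTORE; other values must be rejected at rule load */` would record what the target's check routine has to enforce.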
2390 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_IMQ.h linux-2.4.20/include/linux/netfilter_ipv4/ipt_IMQ.h | |
2391 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_IMQ.h Thu Jan 1 00:00:00 1970 | |
2392 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ipt_IMQ.h Wed Sep 24 09:17:19 2003 | |
2393 | @@ -0,0 +1,8 @@ | |
2394 | +#ifndef _IPT_IMQ_H | |
2395 | +#define _IPT_IMQ_H | |
2396 | + | |
2397 | +struct ipt_imq_info { | |
2398 | + unsigned int todev; /* target imq device */ | |
2399 | +}; | |
2400 | + | |
2401 | +#endif /* _IPT_IMQ_H */ | |
2402 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_IPMARK.h linux-2.4.20/include/linux/netfilter_ipv4/ipt_IPMARK.h | |
2403 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_IPMARK.h Thu Jan 1 00:00:00 1970 | |
2404 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ipt_IPMARK.h Wed Sep 24 09:17:23 2003 | |
2405 | @@ -0,0 +1,13 @@ | |
2406 | +#ifndef _IPT_IPMARK_H_target | |
2407 | +#define _IPT_IPMARK_H_target | |
2408 | + | |
2409 | +struct ipt_ipmark_target_info { | |
2410 | + unsigned long andmask; | |
2411 | + unsigned long ormask; | |
2412 | + unsigned int addr; | |
2413 | +}; | |
2414 | + | |
2415 | +#define IPT_IPMARK_SRC 0 | |
2416 | +#define IPT_IPMARK_DST 1 | |
2417 | + | |
2418 | +#endif /*_IPT_IPMARK_H_target*/ | |
2419 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_NETLINK.h linux-2.4.20/include/linux/netfilter_ipv4/ipt_NETLINK.h | |
2420 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_NETLINK.h Thu Jan 1 00:00:00 1970 | |
2421 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ipt_NETLINK.h Wed Sep 24 09:16:32 2003 | |
2422 | @@ -0,0 +1,27 @@ | |
2423 | +#ifndef _IPT_FWMON_H | |
2424 | +#define _IPT_FWMON_H | |
2425 | + | |
2426 | +/* Bitmask macros */ | |
2427 | +#define MASK(x,y) (x & y) | |
2428 | +#define MASK_SET(x,y) x |= y | |
2429 | +#define MASK_UNSET(x,y) x &= ~y | |
2430 | + | |
2431 | +#define USE_MARK 0x00000001 | |
2432 | +#define USE_DROP 0x00000002 | |
2433 | +#define USE_SIZE 0x00000004 | |
2434 | + | |
2435 | +struct ipt_nldata | |
2436 | +{ | |
2437 | + unsigned int flags; | |
2438 | + unsigned int mark; | |
2439 | + unsigned int size; | |
2440 | +}; | |
2441 | + | |
2442 | +/* Old header */ | |
2443 | +struct netlink_t { | |
2444 | + unsigned int len; | |
2445 | + unsigned int mark; | |
2446 | + char iface[IFNAMSIZ]; | |
2447 | +}; | |
2448 | + | |
2449 | +#endif /*_IPT_FWMON_H*/ | |
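Review bot: The three bitmask macros expand their arguments without parentheses, so `MASK_UNSET(flags, USE_MARK | USE_DROP)` becomes `flags &= ~USE_MARK | USE_DROP` and clears the wrong bits. They should read `#define MASK(x,y) ((x) & (y))`, `#define MASK_SET(x,y) ((x) |= (y))` and `#define MASK_UNSET(x,y) ((x) &= ~(y))`. The names `MASK`, `USE_MARK`, `USE_DROP` and `USE_SIZE` are generic enough to collide with other headers, so an `IPT_NL_` style prefix would be safer. `struct netlink_t` uses `IFNAMSIZ` but the header includes nothing that defines it, and the guard `_IPT_FWMON_H` does not match the file name.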
2450 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_REJECT.h linux-2.4.20/include/linux/netfilter_ipv4/ipt_REJECT.h | |
2451 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_REJECT.h Fri Jul 14 19:20:23 2000 | |
2452 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ipt_REJECT.h Wed Sep 24 09:18:09 2003 | |
2453 | @@ -9,11 +9,13 @@ | |
2454 | IPT_ICMP_ECHOREPLY, | |
2455 | IPT_ICMP_NET_PROHIBITED, | |
2456 | IPT_ICMP_HOST_PROHIBITED, | |
2457 | - IPT_TCP_RESET | |
2458 | + IPT_TCP_RESET, | |
2459 | + IPT_ICMP_ADMIN_PROHIBITED | |
2460 | }; | |
2461 | ||
2462 | struct ipt_reject_info { | |
2463 | enum ipt_reject_with with; /* reject type */ | |
2464 | + u_int8_t fake_source_address; /* 1: fake src addr with original packet dest, 0: no fake */ | |
2465 | }; | |
2466 | ||
2467 | -#endif /*_IPT_REJECT_H*/ | |
2468 | +#endif /* _IPT_REJECT_H */ | |
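Review bot: The new `fake_source_address` byte extends `struct ipt_reject_info`, which userspace fills in, and nothing here says what happens with rules loaded by an iptables binary built against the old one-field layout. Such a binary would never set the byte, so its value depends on whether the surrounding memory was zeroed. I would expand the field comment to `/* 0: normal source, 1: reply sourced from the original packet's destination; any other value is rejected at rule load */` and enforce that in the target's check routine, which is outside this hunk. Replying with a source address the host does not own also interacts with reverse-path filtering and logging downstream, which deserves a mention in the option's help text. The `enum ipt_reject_with` that gains `IPT_ICMP_ADMIN_PROHIBITED` begins above the hunk.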
2469 | diff -Nur --exclude '*.orig' linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_ROUTE.h linux-2.4.20/include/linux/netfilter_ipv4/ipt_ROUTE.h | |
2470 | --- linux-2.4.20.org/include/linux/netfilter_ipv4/ipt_ROUTE.h Thu Jan 1 00:00:00 1970 | |
2471 | +++ linux-2.4.20/include/linux/netfilter_ipv4/ipt_ROUTE.h Wed Sep 24 09:17:25 2003 | |
2472 | @@ -0,0 +1,22 @@ | |
2473 | +/* Header file for iptables ipt_ROUTE target | |
2474 | + * | |
2475 |