diff options
author | Paul Mackerras <paulus@samba.org> | 2008-01-31 11:25:51 +1100 |
---|---|---|
committer | Paul Mackerras <paulus@samba.org> | 2008-01-31 11:25:51 +1100 |
commit | bd45ac0c5daae35e7c71138172e63df5cf644cf6 (patch) | |
tree | 5eb5a599bf6a9d7a8a34e802db932aa9e9555de4 /include/linux/netfilter | |
parent | 4eece4ccf997c0e6d8fdad3d842e37b16b8d705f (diff) | |
parent | 5bdeae46be6dfe9efa44a548bd622af325f4bdb4 (diff) |
Merge branch 'linux-2.6'
Diffstat (limited to 'include/linux/netfilter')
25 files changed, 254 insertions, 18 deletions
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild index b87e83a5e07..91fef0cae42 100644 --- a/include/linux/netfilter/Kbuild +++ b/include/linux/netfilter/Kbuild @@ -10,6 +10,7 @@ header-y += xt_DSCP.h header-y += xt_MARK.h header-y += xt_NFLOG.h header-y += xt_NFQUEUE.h +header-y += xt_RATEEST.h header-y += xt_SECMARK.h header-y += xt_TCPMSS.h header-y += xt_comment.h @@ -20,14 +21,17 @@ header-y += xt_dccp.h header-y += xt_dscp.h header-y += xt_esp.h header-y += xt_hashlimit.h +header-y += xt_iprange.h header-y += xt_helper.h header-y += xt_length.h header-y += xt_limit.h header-y += xt_mac.h header-y += xt_mark.h header-y += xt_multiport.h +header-y += xt_owner.h header-y += xt_pkttype.h header-y += xt_policy.h +header-y += xt_rateest.h header-y += xt_realm.h header-y += xt_sctp.h header-y += xt_state.h diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h index 9e0dae07861..bad1eb760f6 100644 --- a/include/linux/netfilter/nf_conntrack_common.h +++ b/include/linux/netfilter/nf_conntrack_common.h @@ -129,6 +129,14 @@ enum ip_conntrack_events /* Mark is set */ IPCT_MARK_BIT = 12, IPCT_MARK = (1 << IPCT_MARK_BIT), + + /* NAT sequence adjustment */ + IPCT_NATSEQADJ_BIT = 13, + IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT), + + /* Secmark is set */ + IPCT_SECMARK_BIT = 14, + IPCT_SECMARK = (1 << IPCT_SECMARK_BIT), }; enum ip_conntrack_expect_events { diff --git a/include/linux/netfilter/nf_conntrack_h323.h b/include/linux/netfilter/nf_conntrack_h323.h index aabd24ac763..26f9226ea72 100644 --- a/include/linux/netfilter/nf_conntrack_h323.h +++ b/include/linux/netfilter/nf_conntrack_h323.h @@ -31,7 +31,7 @@ struct nf_conn; extern int get_h225_addr(struct nf_conn *ct, unsigned char *data, TransportAddress *taddr, - union nf_conntrack_address *addr, __be16 *port); + union nf_inet_addr *addr, __be16 *port); extern void nf_conntrack_h245_expect(struct nf_conn *new, struct nf_conntrack_expect *this); extern void nf_conntrack_q931_expect(struct nf_conn *new, @@ -39,12 +39,12 @@ extern void nf_conntrack_q931_expect(struct nf_conn *new, extern int (*set_h245_addr_hook) (struct sk_buff *skb, unsigned char **data, int dataoff, H245_TransportAddress *taddr, - union nf_conntrack_address *addr, + union nf_inet_addr *addr, __be16 port); extern int (*set_h225_addr_hook) (struct sk_buff *skb, unsigned char **data, int dataoff, TransportAddress *taddr, - union nf_conntrack_address *addr, + union nf_inet_addr *addr, __be16 port); extern int (*set_sig_addr_hook) (struct sk_buff *skb, struct nf_conn *ct, diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h index 5cf2c115cce..768f78c4ac5 100644 --- a/include/linux/netfilter/nf_conntrack_sctp.h +++ b/include/linux/netfilter/nf_conntrack_sctp.h @@ -21,7 +21,6 @@ struct ip_ct_sctp enum sctp_conntrack state; __be32 vtag[IP_CT_DIR_MAX]; - u_int32_t ttag[IP_CT_DIR_MAX]; }; #endif /* _NF_CONNTRACK_SCTP_H */ diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index 4affa3fe78e..e3e1533aba2 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h @@ -37,6 +37,9 @@ enum ctattr_type { CTA_ID, CTA_NAT_DST, CTA_TUPLE_MASTER, + CTA_NAT_SEQ_ADJ_ORIG, + CTA_NAT_SEQ_ADJ_REPLY, + CTA_SECMARK, __CTA_MAX }; #define CTA_MAX (__CTA_MAX - 1) @@ -119,6 +122,14 @@ enum ctattr_protonat { }; #define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1) +enum ctattr_natseq { + CTA_NAT_SEQ_CORRECTION_POS, + CTA_NAT_SEQ_OFFSET_BEFORE, + CTA_NAT_SEQ_OFFSET_AFTER, + __CTA_NAT_SEQ_MAX +}; +#define CTA_NAT_SEQ_MAX (__CTA_NAT_SEQ_MAX - 1) + enum ctattr_expect { CTA_EXPECT_UNSPEC, CTA_EXPECT_MASTER, diff --git a/include/linux/netfilter/nfnetlink_log.h b/include/linux/netfilter/nfnetlink_log.h index 5966afa026e..a8572133292 100644 --- a/include/linux/netfilter/nfnetlink_log.h +++ b/include/linux/netfilter/nfnetlink_log.h @@ -47,6 +47,7 @@ enum nfulnl_attr_type { NFULA_UID, /* user id of socket */ NFULA_SEQ, /* instance-local sequence number */ NFULA_SEQ_GLOBAL, /* global sequence number */ + NFULA_GID, /* group id of socket */ __NFULA_MAX }; diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 03e6ce979ea..b99ede51318 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -126,6 +126,49 @@ struct xt_counters_info #define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ +/* fn returns 0 to continue iteration */ +#define XT_MATCH_ITERATE(type, e, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct xt_entry_match *__m; \ + \ + for (__i = sizeof(type); \ + __i < (e)->target_offset; \ + __i += __m->u.match_size) { \ + __m = (void *)e + __i; \ + \ + __ret = fn(__m , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ +({ \ + unsigned int __i, __n; \ + int __ret = 0; \ + type *__entry; \ + \ + for (__i = 0, __n = 0; __i < (size); \ + __i += __entry->next_offset, __n++) { \ + __entry = (void *)(entries) + __i; \ + if (__n < n) \ + continue; \ + \ + __ret = fn(__entry , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ + XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) + #ifdef __KERNEL__ #include <linux/netdevice.h> @@ -265,13 +308,16 @@ struct xt_table_info unsigned int initial_entries; /* Entry points and underflows */ - unsigned int hook_entry[NF_IP_NUMHOOKS]; - unsigned int underflow[NF_IP_NUMHOOKS]; + unsigned int hook_entry[NF_INET_NUMHOOKS]; + unsigned int underflow[NF_INET_NUMHOOKS]; /* ipt_entry tables: one per CPU */ - char *entries[NR_CPUS]; + /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */ + char *entries[1]; }; +#define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \ + + nr_cpu_ids * sizeof(char *)) extern int xt_register_target(struct xt_target *target); extern void xt_unregister_target(struct xt_target *target); extern int xt_register_targets(struct xt_target *target, unsigned int n); @@ -378,9 +424,13 @@ struct compat_xt_counters_info extern void xt_compat_lock(int af); extern void xt_compat_unlock(int af); +extern int xt_compat_add_offset(int af, unsigned int offset, short delta); +extern void xt_compat_flush_offsets(int af); +extern short xt_compat_calc_jump(int af, unsigned int offset); + extern int xt_compat_match_offset(struct xt_match *match); -extern void xt_compat_match_from_user(struct xt_entry_match *m, - void **dstptr, int *size); +extern int xt_compat_match_from_user(struct xt_entry_match *m, + void **dstptr, int *size); extern int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr, int *size); diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h index 9f744689fff..4e58ba43c28 100644 --- a/include/linux/netfilter/xt_CONNMARK.h +++ b/include/linux/netfilter/xt_CONNMARK.h @@ -22,4 +22,9 @@ struct xt_connmark_target_info { u_int8_t mode; }; +struct xt_connmark_tginfo1 { + u_int32_t ctmark, ctmask, nfmask; + u_int8_t mode; +}; + #endif /*_XT_CONNMARK_H_target*/ diff --git a/include/linux/netfilter/xt_DSCP.h b/include/linux/netfilter/xt_DSCP.h index 3c7c963997b..14da1968e2c 100644 --- a/include/linux/netfilter/xt_DSCP.h +++ b/include/linux/netfilter/xt_DSCP.h @@ -17,4 +17,9 @@ struct xt_DSCP_info { u_int8_t dscp; }; +struct xt_tos_target_info { + u_int8_t tos_value; + u_int8_t tos_mask; +}; + #endif /* _XT_DSCP_TARGET_H */ diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h index b021e93ee5d..778b278fd9f 100644 --- a/include/linux/netfilter/xt_MARK.h +++ b/include/linux/netfilter/xt_MARK.h @@ -18,4 +18,8 @@ struct xt_mark_target_info_v1 { u_int8_t mode; }; +struct xt_mark_tginfo2 { + u_int32_t mark, mask; +}; + #endif /*_XT_MARK_H_target */ diff --git a/include/linux/netfilter/xt_RATEEST.h b/include/linux/netfilter/xt_RATEEST.h new file mode 100644 index 00000000000..f79e3133cbe --- /dev/null +++ b/include/linux/netfilter/xt_RATEEST.h @@ -0,0 +1,13 @@ +#ifndef _XT_RATEEST_TARGET_H +#define _XT_RATEEST_TARGET_H + +struct xt_rateest_target_info { + char name[IFNAMSIZ]; + int8_t interval; + u_int8_t ewma_log; + + /* Used internally by the kernel */ + struct xt_rateest *est __attribute__((aligned(8))); +}; + +#endif /* _XT_RATEEST_TARGET_H */ diff --git a/include/linux/netfilter/xt_TCPOPTSTRIP.h b/include/linux/netfilter/xt_TCPOPTSTRIP.h new file mode 100644 index 00000000000..2db543214ff --- /dev/null +++ b/include/linux/netfilter/xt_TCPOPTSTRIP.h @@ -0,0 +1,13 @@ +#ifndef _XT_TCPOPTSTRIP_H +#define _XT_TCPOPTSTRIP_H + +#define tcpoptstrip_set_bit(bmap, idx) \ + (bmap[(idx) >> 5] |= 1U << (idx & 31)) +#define tcpoptstrip_test_bit(bmap, idx) \ + (((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0) + +struct xt_tcpoptstrip_target_info { + u_int32_t strip_bmap[8]; +}; + +#endif /* _XT_TCPOPTSTRIP_H */ diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h index 37e933c9987..7e3284bcbd2 100644 --- a/include/linux/netfilter/xt_connlimit.h +++ b/include/linux/netfilter/xt_connlimit.h @@ -5,12 +5,17 @@ struct xt_connlimit_data; struct xt_connlimit_info { union { - __be32 v4_mask; - __be32 v6_mask[4]; + union nf_inet_addr mask; +#ifndef __KERNEL__ + union { + __be32 v4_mask; + __be32 v6_mask[4]; + }; +#endif }; unsigned int limit, inverse; - /* this needs to be at the end */ + /* Used internally by the kernel */ struct xt_connlimit_data *data __attribute__((aligned(8))); }; diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h index c592f6ae088..359ef86918d 100644 --- a/include/linux/netfilter/xt_connmark.h +++ b/include/linux/netfilter/xt_connmark.h @@ -15,4 +15,9 @@ struct xt_connmark_info { u_int8_t invert; }; +struct xt_connmark_mtinfo1 { + u_int32_t mark, mask; + u_int8_t invert; +}; + #endif /*_XT_CONNMARK_H*/ diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h index 70b6f718cf4..d2492a3329b 100644 --- a/include/linux/netfilter/xt_conntrack.h +++ b/include/linux/netfilter/xt_conntrack.h @@ -6,7 +6,9 @@ #define _XT_CONNTRACK_H #include <linux/netfilter/nf_conntrack_tuple_common.h> -#include <linux/in.h> +#ifdef __KERNEL__ +# include <linux/in.h> +#endif #define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) #define XT_CONNTRACK_STATE_INVALID (1 << 0) @@ -60,4 +62,16 @@ struct xt_conntrack_info /* Inverse flags */ u_int8_t invflags; }; + +struct xt_conntrack_mtinfo1 { + union nf_inet_addr origsrc_addr, origsrc_mask; + union nf_inet_addr origdst_addr, origdst_mask; + union nf_inet_addr replsrc_addr, replsrc_mask; + union nf_inet_addr repldst_addr, repldst_mask; + u_int32_t expires_min, expires_max; + u_int16_t l4proto; + u_int8_t state_mask, status_mask; + u_int8_t match_flags, invert_flags; +}; + #endif /*_XT_CONNTRACK_H*/ diff --git a/include/linux/netfilter/xt_dscp.h b/include/linux/netfilter/xt_dscp.h index 1da61e6acaf..f49bc1a648d 100644 --- a/include/linux/netfilter/xt_dscp.h +++ b/include/linux/netfilter/xt_dscp.h @@ -20,4 +20,10 @@ struct xt_dscp_info { u_int8_t invert; }; +struct xt_tos_match_info { + u_int8_t tos_mask; + u_int8_t tos_value; + u_int8_t invert; +}; + #endif /* _XT_DSCP_H */ diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h index b4556b8edbf..c19972e4564 100644 --- a/include/linux/netfilter/xt_hashlimit.h +++ b/include/linux/netfilter/xt_hashlimit.h @@ -29,9 +29,9 @@ struct hashlimit_cfg { struct xt_hashlimit_info { char name [IFNAMSIZ]; /* name */ struct hashlimit_cfg cfg; - struct xt_hashlimit_htable *hinfo; /* Used internally by the kernel */ + struct xt_hashlimit_htable *hinfo; union { void *ptr; struct xt_hashlimit_info *master; diff --git a/include/linux/netfilter/xt_iprange.h b/include/linux/netfilter/xt_iprange.h new file mode 100644 index 00000000000..a4299c7d368 --- /dev/null +++ b/include/linux/netfilter/xt_iprange.h @@ -0,0 +1,17 @@ +#ifndef _LINUX_NETFILTER_XT_IPRANGE_H +#define _LINUX_NETFILTER_XT_IPRANGE_H 1 + +enum { + IPRANGE_SRC = 1 << 0, /* match source IP address */ + IPRANGE_DST = 1 << 1, /* match destination IP address */ + IPRANGE_SRC_INV = 1 << 4, /* negate the condition */ + IPRANGE_DST_INV = 1 << 5, /* -"- */ +}; + +struct xt_iprange_mtinfo { + union nf_inet_addr src_min, src_max; + union nf_inet_addr dst_min, dst_max; + u_int8_t flags; +}; + +#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */ diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h index 802dd4842ca..fae74bc3f34 100644 --- a/include/linux/netfilter/xt_mark.h +++ b/include/linux/netfilter/xt_mark.h @@ -6,4 +6,9 @@ struct xt_mark_info { u_int8_t invert; }; +struct xt_mark_mtinfo1 { + u_int32_t mark, mask; + u_int8_t invert; +}; + #endif /*_XT_MARK_H*/ diff --git a/include/linux/netfilter/xt_owner.h b/include/linux/netfilter/xt_owner.h new file mode 100644 index 00000000000..eacd34efebd --- /dev/null +++ b/include/linux/netfilter/xt_owner.h @@ -0,0 +1,16 @@ +#ifndef _XT_OWNER_MATCH_H +#define _XT_OWNER_MATCH_H + +enum { + XT_OWNER_UID = 1 << 0, + XT_OWNER_GID = 1 << 1, + XT_OWNER_SOCKET = 1 << 2, +}; + +struct xt_owner_match_info { + u_int32_t uid; + u_int32_t gid; + u_int8_t match, invert; +}; + +#endif /* _XT_OWNER_MATCH_H */ diff --git a/include/linux/netfilter/xt_policy.h b/include/linux/netfilter/xt_policy.h index 45654d359a6..053d8cc6546 100644 --- a/include/linux/netfilter/xt_policy.h +++ b/include/linux/netfilter/xt_policy.h @@ -27,18 +27,33 @@ struct xt_policy_spec reqid:1; }; +#ifndef __KERNEL__ union xt_policy_addr { struct in_addr a4; struct in6_addr a6; }; +#endif struct xt_policy_elem { - union xt_policy_addr saddr; - union xt_policy_addr smask; - union xt_policy_addr daddr; - union xt_policy_addr dmask; + union { +#ifdef __KERNEL__ + struct { + union nf_inet_addr saddr; + union nf_inet_addr smask; + union nf_inet_addr daddr; + union nf_inet_addr dmask; + }; +#else + struct { + union xt_policy_addr saddr; + union xt_policy_addr smask; + union xt_policy_addr daddr; + union xt_policy_addr dmask; + }; +#endif + }; __be32 spi; u_int32_t reqid; u_int8_t proto; diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h index acd7fd77bbe..4c8368d781e 100644 --- a/include/linux/netfilter/xt_quota.h +++ b/include/linux/netfilter/xt_quota.h @@ -9,6 +9,8 @@ enum xt_quota_flags { struct xt_quota_info { u_int32_t flags; u_int32_t pad; + + /* Used internally by the kernel */ aligned_u64 quota; struct xt_quota_info *master; }; diff --git a/include/linux/netfilter/xt_rateest.h b/include/linux/netfilter/xt_rateest.h new file mode 100644 index 00000000000..2010cb74250 --- /dev/null +++ b/include/linux/netfilter/xt_rateest.h @@ -0,0 +1,35 @@ +#ifndef _XT_RATEEST_MATCH_H +#define _XT_RATEEST_MATCH_H + +enum xt_rateest_match_flags { + XT_RATEEST_MATCH_INVERT = 1<<0, + XT_RATEEST_MATCH_ABS = 1<<1, + XT_RATEEST_MATCH_REL = 1<<2, + XT_RATEEST_MATCH_DELTA = 1<<3, + XT_RATEEST_MATCH_BPS = 1<<4, + XT_RATEEST_MATCH_PPS = 1<<5, +}; + +enum xt_rateest_match_mode { + XT_RATEEST_MATCH_NONE, + XT_RATEEST_MATCH_EQ, + XT_RATEEST_MATCH_LT, + XT_RATEEST_MATCH_GT, +}; + +struct xt_rateest_match_info { + char name1[IFNAMSIZ]; + char name2[IFNAMSIZ]; + u_int16_t flags; + u_int16_t mode; + u_int32_t bps1; + u_int32_t pps1; + u_int32_t bps2; + u_int32_t pps2; + + /* Used internally by the kernel */ + struct xt_rateest *est1 __attribute__((aligned(8))); + struct xt_rateest *est2 __attribute__((aligned(8))); +}; + +#endif /* _XT_RATEEST_MATCH_H */ diff --git a/include/linux/netfilter/xt_statistic.h b/include/linux/netfilter/xt_statistic.h index c344e9916e2..3d38bc97504 100644 --- a/include/linux/netfilter/xt_statistic.h +++ b/include/linux/netfilter/xt_statistic.h @@ -23,6 +23,7 @@ struct xt_statistic_info { struct { u_int32_t every; u_int32_t packet; + /* Used internally by the kernel */ u_int32_t count; } nth; } u; diff --git a/include/linux/netfilter/xt_string.h b/include/linux/netfilter/xt_string.h index 3b3419f2637..bb21dd1aee2 100644 --- a/include/linux/netfilter/xt_string.h +++ b/include/linux/netfilter/xt_string.h @@ -12,6 +12,8 @@ struct xt_string_info char pattern[XT_STRING_MAX_PATTERN_SIZE]; u_int8_t patlen; u_int8_t invert; + + /* Used internally by the kernel */ struct ts_config __attribute__((aligned(8))) *config; }; |