TononixOS/ubports_kernel_google_msm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables

Browse Source 
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables.  In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.

o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
  wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
  are now implemented as xt_FOOBAR.c files and provide module aliases
  to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
  include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
  around the xt_FOOBAR.h headers

Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Harald Welte
2006-01-12 13:30:04 -08:00
committed by David S. Miller
parent 880b005f29
commit 2e4e6a17af
154 changed files with 3614 additions and 4148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
include/linux/netfilter/nf_conntrack_common.h
View File

@@ -154,6 +154,9 @@ struct ip_conntrack_stat
unsigned int expect_delete;
};
/* call to create an explicit dependency on nf_conntrack. */
extern void need_conntrack(void);
#endif /* __KERNEL__ */
#endif /* _NF_CONNTRACK_COMMON_H */

224
include/linux/netfilter/x_tables.h Normal file
View File

@@ -0,0 +1,224 @@
#ifndef _X_TABLES_H
#define _X_TABLES_H
#define XT_FUNCTION_MAXNAMELEN 30
#define XT_TABLE_MAXNAMELEN 32
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct xt_get_revision
{
char name[XT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* CONTINUE verdict for targets */
#define XT_CONTINUE 0xFFFFFFFF
/* For standard target */
#define XT_RETURN (-NF_REPEAT - 1)
#define XT_ALIGN(s) (((s) + (__alignof__(void *)-1)) & ~(__alignof__(void *)-1))
/* Standard return verdict, or do jump. */
#define XT_STANDARD_TARGET ""
/* Error verdict. */
#define XT_ERROR_TARGET "ERROR"
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use a raw
* socket for this. Instead we check rights in the calls. */
#define XT_BASE_CTL 64 /* base for firewall socket options */
#define XT_SO_SET_REPLACE (XT_BASE_CTL)
#define XT_SO_SET_ADD_COUNTERS (XT_BASE_CTL + 1)
#define XT_SO_SET_MAX XT_SO_SET_ADD_COUNTERS
#define XT_SO_GET_INFO (XT_BASE_CTL)
#define XT_SO_GET_ENTRIES (XT_BASE_CTL + 1)
#define XT_SO_GET_REVISION_MATCH (XT_BASE_CTL + 2)
#define XT_SO_GET_REVISION_TARGET (XT_BASE_CTL + 3)
#define XT_SO_GET_MAX XT_SO_GET_REVISION_TARGET
#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
struct xt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
/* The argument to IPT_SO_ADD_COUNTERS. */
struct xt_counters_info
{
/* Which table. */
char name[XT_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct xt_counters counters[0];
};
#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
#ifdef __KERNEL__
#include <linux/netdevice.h>
#define ASSERT_READ_LOCK(x)
#define ASSERT_WRITE_LOCK(x)
#include <linux/netfilter_ipv4/listhelp.h>
struct xt_match
{
struct list_head list;
const char name[XT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.6.9, as this must now handle
non-linear skb, using skb_header_pointer and
skb_ip_make_writable. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop);
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const void *ip,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *matchinfo, unsigned int matchinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
/* Registration hooks for targets. */
struct xt_target
{
struct list_head list;
const char name[XT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Returns verdict. Argument order changed since 2.6.9, as this
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
unsigned int (*target)(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userdata);
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const void *entry,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
/* Furniture shopping... */
struct xt_table
{
struct list_head list;
/* A unique name... */
char name[XT_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
//struct ip6t_table_info *private;
void *private;
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
int af; /* address/protocol family */
};
#include <linux/netfilter_ipv4.h>
/* The table itself */
struct xt_table_info
{
/* Size per table */
unsigned int size;
/* Number of entries: FIXME. --RR */
unsigned int number;
/* Initial number of entries. Needed for module usage count */
unsigned int initial_entries;
/* Entry points and underflows */
unsigned int hook_entry[NF_IP_NUMHOOKS];
unsigned int underflow[NF_IP_NUMHOOKS];
/* ipt_entry tables: one per CPU */
char *entries[NR_CPUS];
};
extern int xt_register_target(int af, struct xt_target *target);
extern void xt_unregister_target(int af, struct xt_target *target);
extern int xt_register_match(int af, struct xt_match *target);
extern void xt_unregister_match(int af, struct xt_match *target);
extern int xt_register_table(struct xt_table *table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
extern void *xt_unregister_table(struct xt_table *table);
extern struct xt_table_info *xt_replace_table(struct xt_table *table,
unsigned int num_counters,
struct xt_table_info *newinfo,
int *error);
extern struct xt_match *xt_find_match(int af, const char *name, u8 revision);
extern struct xt_target *xt_find_target(int af, const char *name, u8 revision);
extern struct xt_target *xt_request_find_target(int af, const char *name,
u8 revision);
extern int xt_find_revision(int af, const char *name, u8 revision, int target,
int *err);
extern struct xt_table *xt_find_table_lock(int af, const char *name);
extern void xt_table_unlock(struct xt_table *t);
extern int xt_proto_init(int af);
extern void xt_proto_fini(int af);
extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
extern void xt_free_table_info(struct xt_table_info *info);
#endif /* __KERNEL__ */
#endif /* _X_TABLES_H */

8
include/linux/netfilter/xt_CLASSIFY.h Normal file
View File

@@ -0,0 +1,8 @@
#ifndef _XT_CLASSIFY_H
#define _XT_CLASSIFY_H
struct xt_classify_target_info {
u_int32_t priority;
};
#endif /*_XT_CLASSIFY_H */

25
include/linux/netfilter/xt_CONNMARK.h Normal file
View File

@@ -0,0 +1,25 @@
#ifndef _XT_CONNMARK_H_target
#define _XT_CONNMARK_H_target
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
enum {
XT_CONNMARK_SET = 0,
XT_CONNMARK_SAVE,
XT_CONNMARK_RESTORE
};
struct xt_connmark_target_info {
unsigned long mark;
unsigned long mask;
u_int8_t mode;
};
#endif /*_XT_CONNMARK_H_target*/

21
include/linux/netfilter/xt_MARK.h Normal file
View File

@@ -0,0 +1,21 @@
#ifndef _XT_MARK_H_target
#define _XT_MARK_H_target
/* Version 0 */
struct xt_mark_target_info {
unsigned long mark;
};
/* Version 1 */
enum {
XT_MARK_SET=0,
XT_MARK_AND,
XT_MARK_OR,
};
struct xt_mark_target_info_v1 {
unsigned long mark;
u_int8_t mode;
};
#endif /*_XT_MARK_H_target */

16
include/linux/netfilter/xt_NFQUEUE.h Normal file
View File

@@ -0,0 +1,16 @@
/* iptables module for using NFQUEUE mechanism
*
* (C) 2005 Harald Welte <laforge@netfilter.org>
*
* This software is distributed under GNU GPL v2, 1991
*
*/
#ifndef _XT_NFQ_TARGET_H
#define _XT_NFQ_TARGET_H
/* target info */
struct xt_NFQ_info {
u_int16_t queuenum;
};
#endif /* _XT_NFQ_TARGET_H */

10
include/linux/netfilter/xt_comment.h Normal file
View File

@@ -0,0 +1,10 @@
#ifndef _XT_COMMENT_H
#define _XT_COMMENT_H
#define XT_MAX_COMMENT_LEN 256
struct xt_comment_info {
unsigned char comment[XT_MAX_COMMENT_LEN];
};
#endif /* XT_COMMENT_H */

25
include/linux/netfilter/xt_connbytes.h Normal file
View File

@@ -0,0 +1,25 @@
#ifndef _XT_CONNBYTES_H
#define _XT_CONNBYTES_H
enum xt_connbytes_what {
XT_CONNBYTES_PKTS,
XT_CONNBYTES_BYTES,
XT_CONNBYTES_AVGPKT,
};
enum xt_connbytes_direction {
XT_CONNBYTES_DIR_ORIGINAL,
XT_CONNBYTES_DIR_REPLY,
XT_CONNBYTES_DIR_BOTH,
};
struct xt_connbytes_info
{
struct {
aligned_u64 from; /* count to be matched */
aligned_u64 to; /* count to be matched */
} count;
u_int8_t what; /* ipt_connbytes_what */
u_int8_t direction; /* ipt_connbytes_direction */
};
#endif

18
include/linux/netfilter/xt_connmark.h Normal file
View File

@@ -0,0 +1,18 @@
#ifndef _XT_CONNMARK_H
#define _XT_CONNMARK_H
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
struct xt_connmark_info {
unsigned long mark, mask;
u_int8_t invert;
};
#endif /*_XT_CONNMARK_H*/

63
include/linux/netfilter/xt_conntrack.h Normal file
View File

@@ -0,0 +1,63 @@
/* Header file for kernel module to match connection tracking information.
* GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
*/
#ifndef _XT_CONNTRACK_H
#define _XT_CONNTRACK_H
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <linux/in.h>
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_CONNTRACK_STATE_INVALID (1 << 0)
#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
/* flags, invflags: */
#define XT_CONNTRACK_STATE 0x01
#define XT_CONNTRACK_PROTO 0x02
#define XT_CONNTRACK_ORIGSRC 0x04
#define XT_CONNTRACK_ORIGDST 0x08
#define XT_CONNTRACK_REPLSRC 0x10
#define XT_CONNTRACK_REPLDST 0x20
#define XT_CONNTRACK_STATUS 0x40
#define XT_CONNTRACK_EXPIRES 0x80
/* This is exposed to userspace, so remains frozen in time. */
struct ip_conntrack_old_tuple
{
struct {
__u32 ip;
union {
__u16 all;
} u;
} src;
struct {
__u32 ip;
union {
__u16 all;
} u;
/* The protocol. */
u16 protonum;
} dst;
};
struct xt_conntrack_info
{
unsigned int statemask, statusmask;
struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
unsigned long expires_min, expires_max;
/* Flags word */
u_int8_t flags;
/* Inverse flags */
u_int8_t invflags;
};
#endif /*_XT_CONNTRACK_H*/

23
include/linux/netfilter/xt_dccp.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef _XT_DCCP_H_
#define _XT_DCCP_H_
#define XT_DCCP_SRC_PORTS 0x01
#define XT_DCCP_DEST_PORTS 0x02
#define XT_DCCP_TYPE 0x04
#define XT_DCCP_OPTION 0x08
#define XT_DCCP_VALID_FLAGS 0x0f
struct xt_dccp_info {
u_int16_t dpts[2]; /* Min, Max */
u_int16_t spts[2]; /* Min, Max */
u_int16_t flags;
u_int16_t invflags;
u_int16_t typemask;
u_int8_t option;
};
#endif /* _XT_DCCP_H_ */

8
include/linux/netfilter/xt_helper.h Normal file
View File

@@ -0,0 +1,8 @@
#ifndef _XT_HELPER_H
#define _XT_HELPER_H
struct xt_helper_info {
int invert;
char name[30];
};
#endif /* _XT_HELPER_H */

9
include/linux/netfilter/xt_length.h Normal file
View File

@@ -0,0 +1,9 @@
#ifndef _XT_LENGTH_H
#define _XT_LENGTH_H
struct xt_length_info {
u_int16_t min, max;
u_int8_t invert;
};
#endif /*_XT_LENGTH_H*/

21
include/linux/netfilter/xt_limit.h Normal file
View File

@@ -0,0 +1,21 @@
#ifndef _XT_RATE_H
#define _XT_RATE_H
/* timings are in milliseconds. */
#define XT_LIMIT_SCALE 10000
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
struct xt_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* Used internally by the kernel */
unsigned long prev;
u_int32_t credit;
u_int32_t credit_cap, cost;
/* Ugly, ugly fucker. */
struct xt_rateinfo *master;
};
#endif /*_XT_RATE_H*/

8
include/linux/netfilter/xt_mac.h Normal file
View File

@@ -0,0 +1,8 @@
#ifndef _XT_MAC_H
#define _XT_MAC_H
struct xt_mac_info {
unsigned char srcaddr[ETH_ALEN];
int invert;
};
#endif /*_XT_MAC_H*/

9
include/linux/netfilter/xt_mark.h Normal file
View File

@@ -0,0 +1,9 @@
#ifndef _XT_MARK_H
#define _XT_MARK_H
struct xt_mark_info {
unsigned long mark, mask;
u_int8_t invert;
};
#endif /*_XT_MARK_H*/

24
include/linux/netfilter/xt_physdev.h Normal file
View File

@@ -0,0 +1,24 @@
#ifndef _XT_PHYSDEV_H
#define _XT_PHYSDEV_H
#ifdef __KERNEL__
#include <linux/if.h>
#endif
#define XT_PHYSDEV_OP_IN 0x01
#define XT_PHYSDEV_OP_OUT 0x02
#define XT_PHYSDEV_OP_BRIDGED 0x04
#define XT_PHYSDEV_OP_ISIN 0x08
#define XT_PHYSDEV_OP_ISOUT 0x10
#define XT_PHYSDEV_OP_MASK (0x20 - 1)
struct xt_physdev_info {
char physindev[IFNAMSIZ];
char in_mask[IFNAMSIZ];
char physoutdev[IFNAMSIZ];
char out_mask[IFNAMSIZ];
u_int8_t invert;
u_int8_t bitmask;
};
#endif /*_XT_PHYSDEV_H*/

8
include/linux/netfilter/xt_pkttype.h Normal file
View File

@@ -0,0 +1,8 @@
#ifndef _XT_PKTTYPE_H
#define _XT_PKTTYPE_H
struct xt_pkttype_info {
int pkttype;
int invert;
};
#endif /*_XT_PKTTYPE_H*/

10
include/linux/netfilter/xt_realm.h Normal file
View File

@@ -0,0 +1,10 @@
#ifndef _XT_REALM_H
#define _XT_REALM_H
struct xt_realm_info {
u_int32_t id;
u_int32_t mask;
u_int8_t invert;
};
#endif /* _XT_REALM_H */

107
include/linux/netfilter/xt_sctp.h Normal file
View File

@@ -0,0 +1,107 @@
#ifndef _XT_SCTP_H_
#define _XT_SCTP_H_
#define XT_SCTP_SRC_PORTS 0x01
#define XT_SCTP_DEST_PORTS 0x02
#define XT_SCTP_CHUNK_TYPES 0x04
#define XT_SCTP_VALID_FLAGS 0x07
#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
struct xt_sctp_flag_info {
u_int8_t chunktype;
u_int8_t flag;
u_int8_t flag_mask;
};
#define XT_NUM_SCTP_FLAGS 4
struct xt_sctp_info {
u_int16_t dpts[2]; /* Min, Max */
u_int16_t spts[2]; /* Min, Max */
u_int32_t chunkmap[256 / sizeof (u_int32_t)]; /* Bit mask of chunks to be matched according to RFC 2960 */
#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */
#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */
#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */
u_int32_t chunk_match_type;
struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS];
int flag_count;
u_int32_t flags;
u_int32_t invflags;
};
#define bytes(type) (sizeof(type) * 8)
#define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \
chunkmap[type / bytes(u_int32_t)] |= \
1 << (type % bytes(u_int32_t)); \
} while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \
chunkmap[type / bytes(u_int32_t)] &= \
~(1 << (type % bytes(u_int32_t))); \
} while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \
(chunkmap[type / bytes (u_int32_t)] & \
(1 << (type % bytes (u_int32_t)))) ? 1: 0; \
})
#define SCTP_CHUNKMAP_RESET(chunkmap) \
do { \
int i; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
chunkmap[i] = 0; \
} while (0)
#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
do { \
int i; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
chunkmap[i] = ~0; \
} while (0)
#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
do { \
int i; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
destmap[i] = srcmap[i]; \
} while (0)
#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
({ \
int i; \
int flag = 1; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
if (chunkmap[i]) { \
flag = 0; \
break; \
} \
} \
flag; \
})
#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
({ \
int i; \
int flag = 1; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
if (chunkmap[i] != ~0) { \
flag = 0; \
break; \
} \
} \
flag; \
})
#endif /* _XT_SCTP_H_ */

13
include/linux/netfilter/xt_state.h Normal file
View File

@@ -0,0 +1,13 @@
#ifndef _XT_STATE_H
#define _XT_STATE_H
#define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_STATE_INVALID (1 << 0)
#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
struct xt_state_info
{
unsigned int statemask;
};
#endif /*_XT_STATE_H*/

18
include/linux/netfilter/xt_string.h Normal file
View File

@@ -0,0 +1,18 @@
#ifndef _XT_STRING_H
#define _XT_STRING_H
#define XT_STRING_MAX_PATTERN_SIZE 128
#define XT_STRING_MAX_ALGO_NAME_SIZE 16
struct xt_string_info
{
u_int16_t from_offset;
u_int16_t to_offset;
char algo[XT_STRING_MAX_ALGO_NAME_SIZE];
char pattern[XT_STRING_MAX_PATTERN_SIZE];
u_int8_t patlen;
u_int8_t invert;
struct ts_config __attribute__((aligned(8))) *config;
};
#endif /*_XT_STRING_H*/

9
include/linux/netfilter/xt_tcpmss.h Normal file
View File

@@ -0,0 +1,9 @@
#ifndef _XT_TCPMSS_MATCH_H
#define _XT_TCPMSS_MATCH_H
struct xt_tcpmss_match_info {
u_int16_t mss_min, mss_max;
u_int8_t invert;
};
#endif /*_XT_TCPMSS_MATCH_H*/

36
include/linux/netfilter/xt_tcpudp.h Normal file
View File

@@ -0,0 +1,36 @@
#ifndef _XT_TCPUDP_H
#define _XT_TCPUDP_H
/* TCP matching stuff */
struct xt_tcp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t option; /* TCP Option iff non-zero*/
u_int8_t flg_mask; /* TCP flags mask byte */
u_int8_t flg_cmp; /* TCP flags compare byte */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "inv" field in struct ipt_tcp. */
#define XT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define XT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define XT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
#define XT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
#define XT_TCP_INV_MASK 0x0F /* All possible flags. */
/* UDP matching stuff */
struct xt_udp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "invflags" field in struct ipt_udp. */
#define XT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define XT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define XT_UDP_INV_MASK 0x03 /* All possible flags. */
#endif

123
include/linux/netfilter_arp/arp_tables.h
View File

@@ -19,8 +19,12 @@
#include <linux/compiler.h>
#include <linux/netfilter_arp.h>
#define ARPT_FUNCTION_MAXNAMELEN 30
#define ARPT_TABLE_MAXNAMELEN 32
#include <linux/netfilter/x_tables.h>
#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define arpt_target xt_target
#define arpt_table xt_table
#define ARPT_DEV_ADDR_LEN_MAX 16
@@ -91,11 +95,6 @@ struct arpt_standard_target
int verdict;
};
struct arpt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
/* Values for "flag" field in struct arpt_ip (general arp structure).
* No flags defined yet.
*/
@@ -130,7 +129,7 @@ struct arpt_entry
unsigned int comefrom;
/* Packet and byte counters. */
struct arpt_counters counters;
struct xt_counters counters;
/* The matches (if any), then the target. */
unsigned char elems[0];
@@ -141,23 +140,24 @@ struct arpt_entry
* Unlike BSD Linux inherits IP options so you don't have to use a raw
* socket for this. Instead we check rights in the calls.
*/
#define ARPT_BASE_CTL 96 /* base for firewall socket options */
#define ARPT_CTL_OFFSET 32
#define ARPT_BASE_CTL (XT_BASE_CTL+ARPT_CTL_OFFSET)
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
#define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1)
#define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS
#define ARPT_SO_SET_REPLACE (XT_SO_SET_REPLACE+ARPT_CTL_OFFSET)
#define ARPT_SO_SET_ADD_COUNTERS (XT_SO_SET_ADD_COUNTERS+ARPT_CTL_OFFSET)
#define ARPT_SO_SET_MAX (XT_SO_SET_MAX+ARPT_CTL_OFFSET)
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
/* #define ARPT_SO_GET_REVISION_MATCH (ARPT_BASE_CTL + 2)*/
#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3)
#define ARPT_SO_GET_MAX ARPT_SO_GET_REVISION_TARGET
#define ARPT_SO_GET_INFO (XT_SO_GET_INFO+ARPT_CTL_OFFSET)
#define ARPT_SO_GET_ENTRIES (XT_SO_GET_ENTRIES+ARPT_CTL_OFFSET)
/* #define ARPT_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH */
#define ARPT_SO_GET_REVISION_TARGET (XT_SO_GET_REVISION_TARGET+ARPT_CTL_OFFSET)
#define ARPT_SO_GET_MAX (XT_SO_GET_REVISION_TARGET+ARPT_CTL_OFFSET)
/* CONTINUE verdict for targets */
#define ARPT_CONTINUE 0xFFFFFFFF
#define ARPT_CONTINUE XT_CONTINUE
/* For standard target */
#define ARPT_RETURN (-NF_REPEAT - 1)
#define ARPT_RETURN XT_RETURN
/* The argument to ARPT_SO_GET_INFO */
struct arpt_getinfo
@@ -208,23 +208,14 @@ struct arpt_replace
/* Number of counters (must be equal to current number of entries). */
unsigned int num_counters;
/* The old entries' counters. */
struct arpt_counters __user *counters;
struct xt_counters __user *counters;
/* The entries (hang off end: not really an array). */
struct arpt_entry entries[0];
};
/* The argument to ARPT_SO_ADD_COUNTERS. */
struct arpt_counters_info
{
/* Which table. */
char name[ARPT_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct arpt_counters counters[0];
};
#define arpt_counters_info xt_counters_info
/* The argument to ARPT_SO_GET_ENTRIES. */
struct arpt_get_entries
@@ -239,19 +230,10 @@ struct arpt_get_entries
struct arpt_entry entrytable[0];
};
/* The argument to ARPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct arpt_get_revision
{
char name[ARPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* Standard return verdict, or do jump. */
#define ARPT_STANDARD_TARGET ""
#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict. */
#define ARPT_ERROR_TARGET "ERROR"
#define ARPT_ERROR_TARGET XT_ERROR_TARGET
/* Helper functions */
static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e)
@@ -281,63 +263,8 @@ static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e
*/
#ifdef __KERNEL__
/* Registration hooks for targets. */
struct arpt_target
{
struct list_head list;
const char name[ARPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Returns verdict. */
unsigned int (*target)(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in,
const struct net_device *out,
const void *targinfo,
void *userdata);
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct arpt_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
extern int arpt_register_target(struct arpt_target *target);
extern void arpt_unregister_target(struct arpt_target *target);
/* Furniture shopping... */
struct arpt_table
{
struct list_head list;
/* A unique name... */
char name[ARPT_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
struct arpt_table_info *private;
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
#define arpt_register_target(tgt) xt_register_target(NF_ARP, tgt)
#define arpt_unregister_target(tgt) xt_unregister_target(NF_ARP, tgt)
extern int arpt_register_table(struct arpt_table *table,
const struct arpt_replace *repl);

3
include/linux/netfilter_ipv4/ip_conntrack.h
View File

@@ -199,9 +199,6 @@ ip_conntrack_put(struct ip_conntrack *ct)
nf_conntrack_put(&ct->ct_general);
}
/* call to create an explicit dependency on ip_conntrack. */
extern void need_ip_conntrack(void);
extern int invert_tuplepr(struct ip_conntrack_tuple *inverse,
const struct ip_conntrack_tuple *orig);

217
include/linux/netfilter_ipv4/ip_tables.h
View File

@@ -25,8 +25,14 @@
#include <linux/compiler.h>
#include <linux/netfilter_ipv4.h>
#define IPT_FUNCTION_MAXNAMELEN 30
#define IPT_TABLE_MAXNAMELEN 32
#include <linux/netfilter/x_tables.h>
#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define IPT_TABLE_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ipt_match xt_match
#define ipt_target xt_target
#define ipt_table xt_table
#define ipt_get_revision xt_get_revision
/* Yes, Virginia, you have to zero the padding. */
struct ipt_ip {
@@ -102,10 +108,7 @@ struct ipt_standard_target
int verdict;
};
struct ipt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
#define ipt_counters xt_counters
/* Values for "flag" field in struct ipt_ip (general ip structure). */
#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
@@ -119,7 +122,7 @@ struct ipt_counters
#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */
#define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
#define IPT_INV_PROTO XT_INV_PROTO
#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */
/* This structure defines each of the firewall rules. Consists of 3
@@ -141,7 +144,7 @@ struct ipt_entry
unsigned int comefrom;
/* Packet and byte counters. */
struct ipt_counters counters;
struct xt_counters counters;
/* The matches (if any), then the target. */
unsigned char elems[0];
@@ -151,54 +154,34 @@ struct ipt_entry
* New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use a raw
* socket for this. Instead we check rights in the calls. */
#define IPT_BASE_CTL 64 /* base for firewall socket options */
#define IPT_BASE_CTL XT_BASE_CTL
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS
#define IPT_SO_SET_REPLACE XT_SO_SET_REPLACE
#define IPT_SO_SET_ADD_COUNTERS XT_SO_SET_ADD_COUNTERS
#define IPT_SO_SET_MAX XT_SO_SET_MAX
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
#define IPT_SO_GET_INFO XT_SO_GET_INFO
#define IPT_SO_GET_ENTRIES XT_SO_GET_ENTRIES
#define IPT_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH
#define IPT_SO_GET_REVISION_TARGET XT_SO_GET_REVISION_TARGET
#define IPT_SO_GET_MAX XT_SO_GET_REVISION_TARGET
/* CONTINUE verdict for targets */
#define IPT_CONTINUE 0xFFFFFFFF
#define IPT_CONTINUE XT_CONTINUE
#define IPT_RETURN XT_RETURN
/* For standard target */
#define IPT_RETURN (-NF_REPEAT - 1)
#include <linux/netfilter/xt_tcpudp.h>
#define ipt_udp xt_udp
#define ipt_tcp xt_tcp
/* TCP matching stuff */
struct ipt_tcp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t option; /* TCP Option iff non-zero*/
u_int8_t flg_mask; /* TCP flags mask byte */
u_int8_t flg_cmp; /* TCP flags compare byte */
u_int8_t invflags; /* Inverse flags */
};
#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT
#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT
#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS
#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION
#define IPT_TCP_INV_MASK XT_TCP_INV_MASK
/* Values for "inv" field in struct ipt_tcp. */
#define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
#define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
#define IPT_TCP_INV_MASK 0x0F /* All possible flags. */
/* UDP matching stuff */
struct ipt_udp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "invflags" field in struct ipt_udp. */
#define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define IPT_UDP_INV_MASK 0x03 /* All possible flags. */
#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT
#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT
#define IPT_UDP_INV_MASK XT_UDP_INV_MASK
/* ICMP matching stuff */
struct ipt_icmp
@@ -260,23 +243,14 @@ struct ipt_replace
/* Number of counters (must be equal to current number of entries). */
unsigned int num_counters;
/* The old entries' counters. */
struct ipt_counters __user *counters;
struct xt_counters __user *counters;
/* The entries (hang off end: not really an array). */
struct ipt_entry entries[0];
};
/* The argument to IPT_SO_ADD_COUNTERS. */
struct ipt_counters_info
{
/* Which table. */
char name[IPT_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct ipt_counters counters[0];
};
#define ipt_counters_info xt_counters_info
/* The argument to IPT_SO_GET_ENTRIES. */
struct ipt_get_entries
@@ -291,19 +265,10 @@ struct ipt_get_entries
struct ipt_entry entrytable[0];
};
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct ipt_get_revision
{
char name[IPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* Standard return verdict, or do jump. */
#define IPT_STANDARD_TARGET ""
#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict. */
#define IPT_ERROR_TARGET "ERROR"
#define IPT_ERROR_TARGET XT_ERROR_TARGET
/* Helper functions */
static __inline__ struct ipt_entry_target *
@@ -356,103 +321,18 @@ ipt_get_target(struct ipt_entry *e)
#include <linux/init.h>
extern void ipt_init(void) __init;
struct ipt_match
{
struct list_head list;
#define ipt_register_target(tgt) xt_register_target(AF_INET, tgt)
#define ipt_unregister_target(tgt) xt_unregister_target(AF_INET, tgt)
const char name[IPT_FUNCTION_MAXNAMELEN-1];
#define ipt_register_match(mtch) xt_register_match(AF_INET, mtch)
#define ipt_unregister_match(mtch) xt_unregister_match(AF_INET, mtch)
u_int8_t revision;
//#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
//#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.4, as this must now handle
non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
int *hotdrop);
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ipt_ip *ip,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *matchinfo, unsigned int matchinfosize);
/* Set this to THIS_MODULE. */
struct module *me;
};
/* Registration hooks for targets. */
struct ipt_target
{
struct list_head list;
const char name[IPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ipt_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Returns verdict. Argument order changed since 2.4, as this
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
unsigned int (*target)(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userdata);
/* Set this to THIS_MODULE. */
struct module *me;
};
extern int ipt_register_target(struct ipt_target *target);
extern void ipt_unregister_target(struct ipt_target *target);
extern int ipt_register_match(struct ipt_match *match);
extern void ipt_unregister_match(struct ipt_match *match);
/* Furniture shopping... */
struct ipt_table
{
struct list_head list;
/* A unique name... */
char name[IPT_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
struct ipt_table_info *private;
/* Set to THIS_MODULE. */
struct module *me;
};
extern int ipt_register_table(struct ipt_table *table,
const struct ipt_replace *repl);
extern void ipt_unregister_table(struct ipt_table *table);
/* net/sched/ipt.c: Gimme access to your targets! Gets target->me. */
extern struct ipt_target *ipt_find_target(const char *name, u8 revision);
@@ -476,9 +356,6 @@ struct ipt_error
struct ipt_error_target target;
};
extern int ipt_register_table(struct ipt_table *table,
const struct ipt_replace *repl);
extern void ipt_unregister_table(struct ipt_table *table);
extern unsigned int ipt_do_table(struct sk_buff **pskb,
unsigned int hook,
const struct net_device *in,
@@ -486,6 +363,6 @@ extern unsigned int ipt_do_table(struct sk_buff **pskb,
struct ipt_table *table,
void *userdata);
#define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1))
#define IPT_ALIGN(s) XT_ALIGN(s)
#endif /*__KERNEL__*/
#endif /* _IPTABLES_H */

5
include/linux/netfilter_ipv4/ipt_CLASSIFY.h
View File

@@ -1,8 +1,7 @@
#ifndef _IPT_CLASSIFY_H
#define _IPT_CLASSIFY_H
struct ipt_classify_target_info {
u_int32_t priority;
};
#include <linux/netfilter/xt_CLASSIFY.h>
#define ipt_classify_target_info xt_classify_target_info
#endif /*_IPT_CLASSIFY_H */

16
include/linux/netfilter_ipv4/ipt_CONNMARK.h
View File

@@ -9,17 +9,11 @@
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
#include <linux/netfilter/xt_CONNMARK.h>
#define IPT_CONNMARK_SET XT_CONNMARK_SET
#define IPT_CONNMARK_SAVE XT_CONNMARK_SAVE
#define IPT_CONNMARK_RESTORE XT_CONNMARK_RESTORE
enum {
IPT_CONNMARK_SET = 0,
IPT_CONNMARK_SAVE,
IPT_CONNMARK_RESTORE
};
struct ipt_connmark_target_info {
unsigned long mark;
unsigned long mask;
u_int8_t mode;
};
#define ipt_connmark_target_info xt_connmark_target_info
#endif /*_IPT_CONNMARK_H_target*/

22
include/linux/netfilter_ipv4/ipt_MARK.h
View File

@@ -1,20 +1,18 @@
#ifndef _IPT_MARK_H_target
#define _IPT_MARK_H_target
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_MARK.h>
/* Version 0 */
struct ipt_mark_target_info {
unsigned long mark;
};
#define ipt_mark_target_info xt_mark_target_info
/* Version 1 */
enum {
IPT_MARK_SET=0,
IPT_MARK_AND,
IPT_MARK_OR
};
#define IPT_MARK_SET XT_MARK_SET
#define IPT_MARK_AND XT_MARK_AND
#define IPT_MARK_OR XT_MARK_OR
#define ipt_mark_target_info_v1 xt_mark_target_info_v1
struct ipt_mark_target_info_v1 {
unsigned long mark;
u_int8_t mode;
};
#endif /*_IPT_MARK_H_target*/

8
include/linux/netfilter_ipv4/ipt_NFQUEUE.h
View File

@@ -8,9 +8,9 @@
#ifndef _IPT_NFQ_TARGET_H
#define _IPT_NFQ_TARGET_H
/* target info */
struct ipt_NFQ_info {
u_int16_t queuenum;
};
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_NFQUEUE.h>
#define ipt_NFQ_info xt_NFQ_info
#endif /* _IPT_DSCP_TARGET_H */

8
include/linux/netfilter_ipv4/ipt_comment.h
View File

@@ -1,10 +1,10 @@
#ifndef _IPT_COMMENT_H
#define _IPT_COMMENT_H
#define IPT_MAX_COMMENT_LEN 256
#include <linux/netfilter/xt_comment.h>
struct ipt_comment_info {
unsigned char comment[IPT_MAX_COMMENT_LEN];
};
#define IPT_MAX_COMMENT_LEN XT_MAX_COMMENT_LEN
#define ipt_comment_info xt_comment_info
#endif /* _IPT_COMMENT_H */

31
include/linux/netfilter_ipv4/ipt_connbytes.h
View File

@@ -1,25 +1,18 @@
#ifndef _IPT_CONNBYTES_H
#define _IPT_CONNBYTES_H
enum ipt_connbytes_what {
IPT_CONNBYTES_PKTS,
IPT_CONNBYTES_BYTES,
IPT_CONNBYTES_AVGPKT,
};
#include <net/netfilter/xt_connbytes.h>
#define ipt_connbytes_what xt_connbytes_what
enum ipt_connbytes_direction {
IPT_CONNBYTES_DIR_ORIGINAL,
IPT_CONNBYTES_DIR_REPLY,
IPT_CONNBYTES_DIR_BOTH,
};
#define IPT_CONNBYTES_PKTS XT_CONNBYTES_PACKETS
#define IPT_CONNBYTES_BYTES XT_CONNBYTES_BYTES
#define IPT_CONNBYTES_AVGPKT XT_CONNBYTES_AVGPKT
#define ipt_connbytes_direction xt_connbytes_direction
#define IPT_CONNBYTES_DIR_ORIGINAL XT_CONNBYTES_DIR_ORIGINAL
#define IPT_CONNBYTES_DIR_REPLY XT_CONNBYTES_DIR_REPLY
#define IPT_CONNBYTES_DIR_BOTH XT_CONNBYTES_DIR_BOTH
#define ipt_connbytes_info xt_connbytes_info
struct ipt_connbytes_info
{
struct {
aligned_u64 from; /* count to be matched */
aligned_u64 to; /* count to be matched */
} count;
u_int8_t what; /* ipt_connbytes_what */
u_int8_t direction; /* ipt_connbytes_direction */
};
#endif

15
include/linux/netfilter_ipv4/ipt_connmark.h
View File

@@ -1,18 +1,7 @@
#ifndef _IPT_CONNMARK_H
#define _IPT_CONNMARK_H
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
struct ipt_connmark_info {
unsigned long mark, mask;
u_int8_t invert;
};
#include <linux/netfilter/xt_connmark.h>
#define ipt_connmark_info xt_connmark_info
#endif /*_IPT_CONNMARK_H*/

64
include/linux/netfilter_ipv4/ipt_conntrack.h
View File

@@ -5,56 +5,24 @@
#ifndef _IPT_CONNTRACK_H
#define _IPT_CONNTRACK_H
#define IPT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define IPT_CONNTRACK_STATE_INVALID (1 << 0)
#include <linux/netfilter/xt_conntrack.h>
#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
#define IPT_CONNTRACK_STATE_BIT(ctinfo) XT_CONNTRACK_STATE_BIT(ctinfo)
#define IPT_CONNTRACK_STATE_INVALID XT_CONNTRACK_STATE_INVALID
#define IPT_CONNTRACK_STATE_SNAT XT_CONNTRACK_STATE_SNAT
#define IPT_CONNTRACK_STATE_DNAT XT_CONNTRACK_STATE_DNAT
#define IPT_CONNTRACK_STATE_UNTRACKED XT_CONNTRACK_STATE_UNTRACKED
/* flags, invflags: */
#define IPT_CONNTRACK_STATE 0x01
#define IPT_CONNTRACK_PROTO 0x02
#define IPT_CONNTRACK_ORIGSRC 0x04
#define IPT_CONNTRACK_ORIGDST 0x08
#define IPT_CONNTRACK_REPLSRC 0x10
#define IPT_CONNTRACK_REPLDST 0x20
#define IPT_CONNTRACK_STATUS 0x40
#define IPT_CONNTRACK_EXPIRES 0x80
#define IPT_CONNTRACK_STATE XT_CONNTRACK_STATE
#define IPT_CONNTRACK_PROTO XT_CONNTRACK_PROTO
#define IPT_CONNTRACK_ORIGSRC XT_CONNTRACK_ORIGSRC
#define IPT_CONNTRACK_ORIGDST XT_CONNTRACK_ORIGDST
#define IPT_CONNTRACK_REPLSRC XT_CONNTRACK_REPLSRC
#define IPT_CONNTRACK_REPLDST XT_CONNTRACK_REPLDST
#define IPT_CONNTRACK_STATUS XT_CONNTRACK_STATUS
#define IPT_CONNTRACK_EXPIRES XT_CONNTRACK_EXPIRES
/* This is exposed to userspace, so remains frozen in time. */
struct ip_conntrack_old_tuple
{
struct {
__u32 ip;
union {
__u16 all;
} u;
} src;
struct {
__u32 ip;
union {
__u16 all;
} u;
/* The protocol. */
u16 protonum;
} dst;
};
struct ipt_conntrack_info
{
unsigned int statemask, statusmask;
struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
unsigned long expires_min, expires_max;
/* Flags word */
u_int8_t flags;
/* Inverse flags */
u_int8_t invflags;
};
#define ipt_conntrack_info xt_conntrack_info
#endif /*_IPT_CONNTRACK_H*/

22
include/linux/netfilter_ipv4/ipt_dccp.h
View File

@@ -1,23 +1,15 @@
#ifndef _IPT_DCCP_H_
#define _IPT_DCCP_H_
#define IPT_DCCP_SRC_PORTS 0x01
#define IPT_DCCP_DEST_PORTS 0x02
#define IPT_DCCP_TYPE 0x04
#define IPT_DCCP_OPTION 0x08
#include <linux/netfilter/xt_dccp.h>
#define IPT_DCCP_SRC_PORTS XT_DCCP_SRC_PORTS
#define IPT_DCCP_DEST_PORTS XT_DCCP_DEST_PORTS
#define IPT_DCCP_TYPE XT_DCCP_TYPE
#define IPT_DCCP_OPTION XT_DCCP_OPTION
#define IPT_DCCP_VALID_FLAGS 0x0f
#define IPT_DCCP_VALID_FLAGS XT_DCCP_VALID_FLAGS
struct ipt_dccp_info {
u_int16_t dpts[2]; /* Min, Max */
u_int16_t spts[2]; /* Min, Max */
u_int16_t flags;
u_int16_t invflags;
u_int16_t typemask;
u_int8_t option;
};
#define ipt_dccp_info xt_dccp_info
#endif /* _IPT_DCCP_H_ */

7
include/linux/netfilter_ipv4/ipt_helper.h
View File

@@ -1,8 +1,7 @@
#ifndef _IPT_HELPER_H
#define _IPT_HELPER_H
struct ipt_helper_info {
int invert;
char name[30];
};
#include <linux/netfilter/xt_helper.h>
#define ipt_helper_info xt_helper_info
#endif /* _IPT_HELPER_H */

6
include/linux/netfilter_ipv4/ipt_length.h
View File

@@ -1,9 +1,7 @@
#ifndef _IPT_LENGTH_H
#define _IPT_LENGTH_H
struct ipt_length_info {
u_int16_t min, max;
u_int8_t invert;
};
#include <linux/netfilter/xt_length.h>
#define ipt_length_info xt_length_info
#endif /*_IPT_LENGTH_H*/

19
include/linux/netfilter_ipv4/ipt_limit.h
View File

@@ -1,21 +1,8 @@
#ifndef _IPT_RATE_H
#define _IPT_RATE_H
/* timings are in milliseconds. */
#define IPT_LIMIT_SCALE 10000
#include <linux/netfilter/xt_limit.h>
#define IPT_LIMIT_SCALE XT_LIMIT_SCALE
#define ipt_rateinfo xt_rateinfo
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
struct ipt_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* Used internally by the kernel */
unsigned long prev;
u_int32_t credit;
u_int32_t credit_cap, cost;
/* Ugly, ugly fucker. */
struct ipt_rateinfo *master;
};
#endif /*_IPT_RATE_H*/

7
include/linux/netfilter_ipv4/ipt_mac.h
View File

@@ -1,8 +1,7 @@
#ifndef _IPT_MAC_H
#define _IPT_MAC_H
struct ipt_mac_info {
unsigned char srcaddr[ETH_ALEN];
int invert;
};
#include <linux/netfilter/xt_mac.h>
#define ipt_mac_info xt_mac_info
#endif /*_IPT_MAC_H*/

8
include/linux/netfilter_ipv4/ipt_mark.h
View File

@@ -1,9 +1,9 @@
#ifndef _IPT_MARK_H
#define _IPT_MARK_H
struct ipt_mark_info {
unsigned long mark, mask;
u_int8_t invert;
};
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_mark.h>
#define ipt_mark_info xt_mark_info
#endif /*_IPT_MARK_H*/

27
include/linux/netfilter_ipv4/ipt_physdev.h
View File

@@ -1,24 +1,17 @@
#ifndef _IPT_PHYSDEV_H
#define _IPT_PHYSDEV_H
#ifdef __KERNEL__
#include <linux/if.h>
#endif
/* Backwards compatibility for old userspace */
#define IPT_PHYSDEV_OP_IN 0x01
#define IPT_PHYSDEV_OP_OUT 0x02
#define IPT_PHYSDEV_OP_BRIDGED 0x04
#define IPT_PHYSDEV_OP_ISIN 0x08
#define IPT_PHYSDEV_OP_ISOUT 0x10
#define IPT_PHYSDEV_OP_MASK (0x20 - 1)
#include <linux/netfilter/xt_physdev.h>
struct ipt_physdev_info {
char physindev[IFNAMSIZ];
char in_mask[IFNAMSIZ];
char physoutdev[IFNAMSIZ];
char out_mask[IFNAMSIZ];
u_int8_t invert;
u_int8_t bitmask;
};
#define IPT_PHYSDEV_OP_IN XT_PHYSDEV_OP_IN
#define IPT_PHYSDEV_OP_OUT XT_PHYSDEV_OP_OUT
#define IPT_PHYSDEV_OP_BRIDGED XT_PHYSDEV_OP_BRIDGED
#define IPT_PHYSDEV_OP_ISIN XT_PHYSDEV_OP_ISIN
#define IPT_PHYSDEV_OP_ISOUT XT_PHYSDEV_OP_ISOUT
#define IPT_PHYSDEV_OP_MASK XT_PHYSDEV_OP_MASK
#define ipt_physdev_info xt_physdev_info
#endif /*_IPT_PHYSDEV_H*/

7
include/linux/netfilter_ipv4/ipt_pkttype.h
View File

@@ -1,8 +1,7 @@
#ifndef _IPT_PKTTYPE_H
#define _IPT_PKTTYPE_H
struct ipt_pkttype_info {
int pkttype;
int invert;
};
#include <linux/netfilter/xt_pkttype.h>
#define ipt_pkttype_info xt_pkttype_info
#endif /*_IPT_PKTTYPE_H*/

7
include/linux/netfilter_ipv4/ipt_realm.h
View File

@@ -1,10 +1,7 @@
#ifndef _IPT_REALM_H
#define _IPT_REALM_H
struct ipt_realm_info {
u_int32_t id;
u_int32_t mask;
u_int8_t invert;
};
#include <linux/netfilter/xt_realm.h>
#define ipt_realm_info xt_realm_info
#endif /* _IPT_REALM_H */

16
include/linux/netfilter_ipv4/ipt_state.h
View File

@@ -1,13 +1,15 @@
#ifndef _IPT_STATE_H
#define _IPT_STATE_H
#define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define IPT_STATE_INVALID (1 << 0)
/* Backwards compatibility for old userspace */
#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
#include <linux/netfilter/xt_state.h>
#define IPT_STATE_BIT XT_STATE_BIT
#define IPT_STATE_INVALID XT_STATE_INVALID
#define IPT_STATE_UNTRACKED XT_STATE_UNTRACKED
#define ipt_state_info xt_state_info
struct ipt_state_info
{
unsigned int statemask;
};
#endif /*_IPT_STATE_H*/

16
include/linux/netfilter_ipv4/ipt_string.h
View File

@@ -1,18 +1,10 @@
#ifndef _IPT_STRING_H
#define _IPT_STRING_H
#define IPT_STRING_MAX_PATTERN_SIZE 128
#define IPT_STRING_MAX_ALGO_NAME_SIZE 16
#include <linux/netfilter/xt_string.h>
struct ipt_string_info
{
u_int16_t from_offset;
u_int16_t to_offset;
char algo[IPT_STRING_MAX_ALGO_NAME_SIZE];
char pattern[IPT_STRING_MAX_PATTERN_SIZE];
u_int8_t patlen;
u_int8_t invert;
struct ts_config __attribute__((aligned(8))) *config;
};
#define IPT_STRING_MAX_PATTERN_SIZE XT_STRING_MAX_PATTERN_SIZE
#define IPT_STRING_MAX_ALGO_NAME_SIZE XT_STRING_MAX_ALGO_NAME_SIZE
#define ipt_string_info xt_string_info
#endif /*_IPT_STRING_H*/

6
include/linux/netfilter_ipv4/ipt_tcpmss.h
View File

@@ -1,9 +1,7 @@
#ifndef _IPT_TCPMSS_MATCH_H
#define _IPT_TCPMSS_MATCH_H
struct ipt_tcpmss_match_info {
u_int16_t mss_min, mss_max;
u_int8_t invert;
};
#include <linux/netfilter/xt_tcpmss.h>
#define ipt_tcpmss_match_info xt_tcpmss_match_info
#endif /*_IPT_TCPMSS_MATCH_H*/

208
include/linux/netfilter_ipv6/ip6_tables.h
View File

@@ -25,8 +25,15 @@
#include <linux/compiler.h>
#include <linux/netfilter_ipv6.h>
#define IP6T_FUNCTION_MAXNAMELEN 30
#define IP6T_TABLE_MAXNAMELEN 32
#include <linux/netfilter/x_tables.h>
#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define ip6t_match xt_match
#define ip6t_target xt_target
#define ip6t_table xt_table
#define ip6t_get_revision xt_get_revision
/* Yes, Virginia, you have to zero the padding. */
struct ip6t_ip6 {
@@ -104,10 +111,7 @@ struct ip6t_standard_target
int verdict;
};
struct ip6t_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
#define ip6t_counters xt_counters
/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
@@ -123,7 +127,7 @@ struct ip6t_counters
#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */
#define IP6T_INV_PROTO 0x40 /* Invert the sense of PROTO. */
#define IP6T_INV_PROTO XT_INV_PROTO
#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */
/* This structure defines each of the firewall rules. Consists of 3
@@ -145,7 +149,7 @@ struct ip6t_entry
unsigned int comefrom;
/* Packet and byte counters. */
struct ip6t_counters counters;
struct xt_counters counters;
/* The matches (if any), then the target. */
unsigned char elems[0];
@@ -155,54 +159,41 @@ struct ip6t_entry
* New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use
* a raw socket for this. Instead we check rights in the calls. */
#define IP6T_BASE_CTL 64 /* base for firewall socket options */
#define IP6T_BASE_CTL XT_BASE_CTL
#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL)
#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1)
#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS
#define IP6T_SO_SET_REPLACE XT_SO_SET_REPLACE
#define IP6T_SO_SET_ADD_COUNTERS XT_SO_SET_ADD_COUNTERS
#define IP6T_SO_SET_MAX XT_SO_SET_MAX
#define IP6T_SO_GET_INFO (IP6T_BASE_CTL)
#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1)
#define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 2)
#define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 3)
#define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET
#define IP6T_SO_GET_INFO XT_SO_GET_INFO
#define IP6T_SO_GET_ENTRIES XT_SO_GET_ENTRIES
#define IP6T_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH
#define IP6T_SO_GET_REVISION_TARGET XT_SO_GET_REVISION_TARGET
#define IP6T_SO_GET_MAX XT_SO_GET_REVISION_TARGET
/* CONTINUE verdict for targets */
#define IP6T_CONTINUE 0xFFFFFFFF
#define IP6T_CONTINUE XT_CONTINUE
/* For standard target */
#define IP6T_RETURN (-NF_REPEAT - 1)
#define IP6T_RETURN XT_RETURN
/* TCP matching stuff */
struct ip6t_tcp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t option; /* TCP Option iff non-zero*/
u_int8_t flg_mask; /* TCP flags mask byte */
u_int8_t flg_cmp; /* TCP flags compare byte */
u_int8_t invflags; /* Inverse flags */
};
/* TCP/UDP matching stuff */
#include <linux/netfilter/xt_tcpudp.h>
#define ip6t_tcp xt_tcp
#define ip6t_udp xt_udp
/* Values for "inv" field in struct ipt_tcp. */
#define IP6T_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define IP6T_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define IP6T_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
#define IP6T_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
#define IP6T_TCP_INV_MASK 0x0F /* All possible flags. */
/* UDP matching stuff */
struct ip6t_udp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t invflags; /* Inverse flags */
};
#define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT
#define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT
#define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS
#define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION
#define IP6T_TCP_INV_MASK XT_TCP_INV_MASK
/* Values for "invflags" field in struct ipt_udp. */
#define IP6T_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define IP6T_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define IP6T_UDP_INV_MASK 0x03 /* All possible flags. */
#define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT
#define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT
#define IP6T_UDP_INV_MASK XT_UDP_INV_MASK
/* ICMP matching stuff */
struct ip6t_icmp
@@ -264,23 +255,14 @@ struct ip6t_replace
/* Number of counters (must be equal to current number of entries). */
unsigned int num_counters;
/* The old entries' counters. */
struct ip6t_counters __user *counters;
struct xt_counters __user *counters;
/* The entries (hang off end: not really an array). */
struct ip6t_entry entries[0];
};
/* The argument to IP6T_SO_ADD_COUNTERS. */
struct ip6t_counters_info
{
/* Which table. */
char name[IP6T_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct ip6t_counters counters[0];
};
#define ip6t_counters_info xt_counters_info
/* The argument to IP6T_SO_GET_ENTRIES. */
struct ip6t_get_entries
@@ -295,19 +277,10 @@ struct ip6t_get_entries
struct ip6t_entry entrytable[0];
};
/* The argument to IP6T_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct ip6t_get_revision
{
char name[IP6T_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* Standard return verdict, or do jump. */
#define IP6T_STANDARD_TARGET ""
#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict. */
#define IP6T_ERROR_TARGET "ERROR"
#define IP6T_ERROR_TARGET XT_ERROR_TARGET
/* Helper functions */
static __inline__ struct ip6t_entry_target *
@@ -361,104 +334,11 @@ ip6t_get_target(struct ip6t_entry *e)
#include <linux/init.h>
extern void ip6t_init(void) __init;
struct ip6t_match
{
struct list_head list;
#define ip6t_register_target(tgt) xt_register_target(AF_INET6, tgt)
#define ip6t_unregister_target(tgt) xt_unregister_target(AF_INET6, tgt)
const char name[IP6T_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.6.9, as this must now handle
non-linear skb, using skb_header_pointer and
skb_ip_make_writable. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop);
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ip6t_ip6 *ip,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *matchinfo, unsigned int matchinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
/* Registration hooks for targets. */
struct ip6t_target
{
struct list_head list;
const char name[IP6T_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Returns verdict. Argument order changed since 2.6.9, as this
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
unsigned int (*target)(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userdata);
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ip6t_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
extern int ip6t_register_target(struct ip6t_target *target);
extern void ip6t_unregister_target(struct ip6t_target *target);
extern int ip6t_register_match(struct ip6t_match *match);
extern void ip6t_unregister_match(struct ip6t_match *match);
/* Furniture shopping... */
struct ip6t_table
{
struct list_head list;
/* A unique name... */
char name[IP6T_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
struct ip6t_table_info *private;
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
#define ip6t_register_match(match) xt_register_match(AF_INET6, match)
#define ip6t_unregister_match(match) xt_unregister_match(AF_INET6, match)
extern int ip6t_register_table(struct ip6t_table *table,
const struct ip6t_replace *repl);

9
include/linux/netfilter_ipv6/ip6t_MARK.h
View File

@@ -1,8 +1,9 @@
#ifndef _IP6T_MARK_H_target
#define _IP6T_MARK_H_target
struct ip6t_mark_target_info {
unsigned long mark;
};
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_MARK.h>
#endif /*_IPT_MARK_H_target*/
#define ip6t_mark_target_info xt_mark_target_info
#endif /*_IP6T_MARK_H_target*/

6
include/linux/netfilter_ipv6/ip6t_length.h
View File

@@ -1,10 +1,8 @@
#ifndef _IP6T_LENGTH_H
#define _IP6T_LENGTH_H
struct ip6t_length_info {
u_int16_t min, max;
u_int8_t invert;
};
#include <linux/netfilter/xt_length.h>
#define ip6t_length_info xt_length_info
#endif /*_IP6T_LENGTH_H*/

21
include/linux/netfilter_ipv6/ip6t_limit.h
View File

@@ -1,21 +1,8 @@
#ifndef _IP6T_RATE_H
#define _IP6T_RATE_H
/* timings are in milliseconds. */
#define IP6T_LIMIT_SCALE 10000
#include <linux/netfilter/xt_limit.h>
#define IP6T_LIMIT_SCALE XT_LIMIT_SCALE
#define ip6t_rateinfo xt_rateinfo
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
struct ip6t_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* Used internally by the kernel */
unsigned long prev;
u_int32_t credit;
u_int32_t credit_cap, cost;
/* Ugly, ugly fucker. */
struct ip6t_rateinfo *master;
};
#endif /*_IPT_RATE_H*/
#endif /*_IP6T_RATE_H*/

9
include/linux/netfilter_ipv6/ip6t_mac.h
View File

@@ -1,8 +1,7 @@
#ifndef _IP6T_MAC_H
#define _IP6T_MAC_H
struct ip6t_mac_info {
unsigned char srcaddr[ETH_ALEN];
int invert;
};
#endif /*_IPT_MAC_H*/
#include <linux/netfilter/xt_mac.h>
#define ip6t_mac_info xt_mac_info
#endif /*_IP6T_MAC_H*/

8
include/linux/netfilter_ipv6/ip6t_mark.h
View File

@@ -1,9 +1,9 @@
#ifndef _IP6T_MARK_H
#define _IP6T_MARK_H
struct ip6t_mark_info {
unsigned long mark, mask;
u_int8_t invert;
};
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_mark.h>
#define ip6t_mark_info xt_mark_info
#endif /*_IPT_MARK_H*/

27
include/linux/netfilter_ipv6/ip6t_physdev.h
View File

@@ -1,24 +1,17 @@
#ifndef _IP6T_PHYSDEV_H
#define _IP6T_PHYSDEV_H
#ifdef __KERNEL__
#include <linux/if.h>
#endif
/* Backwards compatibility for old userspace */
#define IP6T_PHYSDEV_OP_IN 0x01
#define IP6T_PHYSDEV_OP_OUT 0x02
#define IP6T_PHYSDEV_OP_BRIDGED 0x04
#define IP6T_PHYSDEV_OP_ISIN 0x08
#define IP6T_PHYSDEV_OP_ISOUT 0x10
#define IP6T_PHYSDEV_OP_MASK (0x20 - 1)
#include <linux/netfilter/xt_physdev.h>
struct ip6t_physdev_info {
char physindev[IFNAMSIZ];
char in_mask[IFNAMSIZ];
char physoutdev[IFNAMSIZ];
char out_mask[IFNAMSIZ];
u_int8_t invert;
u_int8_t bitmask;
};
#define IP6T_PHYSDEV_OP_IN XT_PHYSDEV_OP_IN
#define IP6T_PHYSDEV_OP_OUT XT_PHYSDEV_OP_OUT
#define IP6T_PHYSDEV_OP_BRIDGED XT_PHYSDEV_OP_BRIDGED
#define IP6T_PHYSDEV_OP_ISIN XT_PHYSDEV_OP_ISIN
#define IP6T_PHYSDEV_OP_ISOUT XT_PHYSDEV_OP_ISOUT
#define IP6T_PHYSDEV_OP_MASK XT_PHYSDEV_OP_MASK
#define ip6t_physdev_info xt_physdev_info
#endif /*_IP6T_PHYSDEV_H*/