diff options
-rw-r--r-- | include/linux/netfilter/Kbuild | 77 | ||||
-rw-r--r-- | include/linux/netfilter/nf_conntrack_common.h | 115 | ||||
-rw-r--r-- | include/linux/netfilter/nf_conntrack_ftp.h | 16 | ||||
-rw-r--r-- | include/linux/netfilter/nf_conntrack_tcp.h | 49 | ||||
-rw-r--r-- | include/linux/netfilter/nfnetlink.h | 55 | ||||
-rw-r--r-- | include/linux/netfilter/nfnetlink_acct.h | 25 | ||||
-rw-r--r-- | include/linux/netfilter/x_tables.h | 186 | ||||
-rw-r--r-- | include/linux/netfilter/xt_hashlimit.h | 71 | ||||
-rw-r--r-- | include/linux/netfilter/xt_physdev.h | 21 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/Kbuild | 76 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nf_conntrack_common.h | 117 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nf_conntrack_ftp.h | 18 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nf_conntrack_sctp.h (renamed from include/linux/netfilter/nf_conntrack_sctp.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nf_conntrack_tcp.h | 51 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nf_conntrack_tuple_common.h (renamed from include/linux/netfilter/nf_conntrack_tuple_common.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nf_nat.h (renamed from include/linux/netfilter/nf_nat.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nfnetlink.h | 56 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nfnetlink_acct.h | 27 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nfnetlink_compat.h (renamed from include/linux/netfilter/nfnetlink_compat.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nfnetlink_conntrack.h (renamed from include/linux/netfilter/nfnetlink_conntrack.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nfnetlink_cthelper.h (renamed from include/linux/netfilter/nfnetlink_cthelper.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nfnetlink_cttimeout.h (renamed from include/linux/netfilter/nfnetlink_cttimeout.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nfnetlink_log.h (renamed from include/linux/netfilter/nfnetlink_log.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nfnetlink_queue.h (renamed from include/linux/netfilter/nfnetlink_queue.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/x_tables.h | 187 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_AUDIT.h (renamed from include/linux/netfilter/xt_AUDIT.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_CHECKSUM.h (renamed from include/linux/netfilter/xt_CHECKSUM.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_CLASSIFY.h (renamed from include/linux/netfilter/xt_CLASSIFY.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_CONNMARK.h (renamed from include/linux/netfilter/xt_CONNMARK.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_CONNSECMARK.h (renamed from include/linux/netfilter/xt_CONNSECMARK.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_CT.h (renamed from include/linux/netfilter/xt_CT.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_DSCP.h (renamed from include/linux/netfilter/xt_DSCP.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_IDLETIMER.h (renamed from include/linux/netfilter/xt_IDLETIMER.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_LED.h (renamed from include/linux/netfilter/xt_LED.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_LOG.h (renamed from include/linux/netfilter/xt_LOG.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_MARK.h (renamed from include/linux/netfilter/xt_MARK.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_NFLOG.h (renamed from include/linux/netfilter/xt_NFLOG.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_NFQUEUE.h (renamed from include/linux/netfilter/xt_NFQUEUE.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_RATEEST.h (renamed from include/linux/netfilter/xt_RATEEST.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_SECMARK.h (renamed from include/linux/netfilter/xt_SECMARK.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_TCPMSS.h (renamed from include/linux/netfilter/xt_TCPMSS.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h (renamed from include/linux/netfilter/xt_TCPOPTSTRIP.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_TEE.h (renamed from include/linux/netfilter/xt_TEE.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_TPROXY.h (renamed from include/linux/netfilter/xt_TPROXY.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_addrtype.h (renamed from include/linux/netfilter/xt_addrtype.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_cluster.h (renamed from include/linux/netfilter/xt_cluster.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_comment.h (renamed from include/linux/netfilter/xt_comment.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_connbytes.h (renamed from include/linux/netfilter/xt_connbytes.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_connlimit.h (renamed from include/linux/netfilter/xt_connlimit.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_connmark.h (renamed from include/linux/netfilter/xt_connmark.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_conntrack.h (renamed from include/linux/netfilter/xt_conntrack.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_cpu.h (renamed from include/linux/netfilter/xt_cpu.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_dccp.h (renamed from include/linux/netfilter/xt_dccp.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_devgroup.h (renamed from include/linux/netfilter/xt_devgroup.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_dscp.h (renamed from include/linux/netfilter/xt_dscp.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_ecn.h (renamed from include/linux/netfilter/xt_ecn.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_esp.h (renamed from include/linux/netfilter/xt_esp.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_hashlimit.h | 73 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_helper.h (renamed from include/linux/netfilter/xt_helper.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_iprange.h (renamed from include/linux/netfilter/xt_iprange.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_ipvs.h (renamed from include/linux/netfilter/xt_ipvs.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_length.h (renamed from include/linux/netfilter/xt_length.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_limit.h (renamed from include/linux/netfilter/xt_limit.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_mac.h (renamed from include/linux/netfilter/xt_mac.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_mark.h (renamed from include/linux/netfilter/xt_mark.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_multiport.h (renamed from include/linux/netfilter/xt_multiport.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_nfacct.h (renamed from include/linux/netfilter/xt_nfacct.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_osf.h (renamed from include/linux/netfilter/xt_osf.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_owner.h (renamed from include/linux/netfilter/xt_owner.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_physdev.h | 23 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_pkttype.h (renamed from include/linux/netfilter/xt_pkttype.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_policy.h (renamed from include/linux/netfilter/xt_policy.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_quota.h (renamed from include/linux/netfilter/xt_quota.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_rateest.h (renamed from include/linux/netfilter/xt_rateest.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_realm.h (renamed from include/linux/netfilter/xt_realm.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_recent.h (renamed from include/linux/netfilter/xt_recent.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_sctp.h (renamed from include/linux/netfilter/xt_sctp.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_set.h (renamed from include/linux/netfilter/xt_set.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_socket.h (renamed from include/linux/netfilter/xt_socket.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_state.h (renamed from include/linux/netfilter/xt_state.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_statistic.h (renamed from include/linux/netfilter/xt_statistic.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_string.h (renamed from include/linux/netfilter/xt_string.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_tcpmss.h (renamed from include/linux/netfilter/xt_tcpmss.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_tcpudp.h (renamed from include/linux/netfilter/xt_tcpudp.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_time.h (renamed from include/linux/netfilter/xt_time.h) | 0 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/xt_u32.h (renamed from include/linux/netfilter/xt_u32.h) | 0 |
86 files changed, 636 insertions, 607 deletions
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild index 874ae8f2706b..b3322023e9a5 100644 --- a/include/linux/netfilter/Kbuild +++ b/include/linux/netfilter/Kbuild @@ -1,78 +1 @@ header-y += ipset/ - -header-y += nf_conntrack_common.h -header-y += nf_conntrack_ftp.h -header-y += nf_conntrack_sctp.h -header-y += nf_conntrack_tcp.h -header-y += nf_conntrack_tuple_common.h -header-y += nf_nat.h -header-y += nfnetlink.h -header-y += nfnetlink_acct.h -header-y += nfnetlink_compat.h -header-y += nfnetlink_conntrack.h -header-y += nfnetlink_cthelper.h -header-y += nfnetlink_cttimeout.h -header-y += nfnetlink_log.h -header-y += nfnetlink_queue.h -header-y += x_tables.h -header-y += xt_AUDIT.h -header-y += xt_CHECKSUM.h -header-y += xt_CLASSIFY.h -header-y += xt_CONNMARK.h -header-y += xt_CONNSECMARK.h -header-y += xt_CT.h -header-y += xt_DSCP.h -header-y += xt_IDLETIMER.h -header-y += xt_LED.h -header-y += xt_LOG.h -header-y += xt_MARK.h -header-y += xt_nfacct.h -header-y += xt_NFLOG.h -header-y += xt_NFQUEUE.h -header-y += xt_RATEEST.h -header-y += xt_SECMARK.h -header-y += xt_TCPMSS.h -header-y += xt_TCPOPTSTRIP.h -header-y += xt_TEE.h -header-y += xt_TPROXY.h -header-y += xt_addrtype.h -header-y += xt_cluster.h -header-y += xt_comment.h -header-y += xt_connbytes.h -header-y += xt_connlimit.h -header-y += xt_connmark.h -header-y += xt_conntrack.h -header-y += xt_cpu.h -header-y += xt_dccp.h -header-y += xt_devgroup.h -header-y += xt_dscp.h -header-y += xt_ecn.h -header-y += xt_esp.h -header-y += xt_hashlimit.h -header-y += xt_helper.h -header-y += xt_iprange.h -header-y += xt_ipvs.h -header-y += xt_length.h -header-y += xt_limit.h -header-y += xt_mac.h -header-y += xt_mark.h -header-y += xt_multiport.h -header-y += xt_osf.h -header-y += xt_owner.h -header-y += xt_physdev.h -header-y += xt_pkttype.h -header-y += xt_policy.h -header-y += xt_quota.h -header-y += xt_rateest.h -header-y += xt_realm.h -header-y += xt_recent.h -header-y += xt_set.h -header-y += xt_sctp.h -header-y += xt_socket.h -header-y += xt_state.h -header-y += xt_statistic.h -header-y += xt_string.h -header-y += xt_tcpmss.h -header-y += xt_tcpudp.h -header-y += xt_time.h -header-y += xt_u32.h diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h index d146872a0b91..127d0b90604f 100644 --- a/include/linux/netfilter/nf_conntrack_common.h +++ b/include/linux/netfilter/nf_conntrack_common.h @@ -1,119 +1,8 @@ #ifndef _NF_CONNTRACK_COMMON_H #define _NF_CONNTRACK_COMMON_H -/* Connection state tracking for netfilter. This is separated from, - but required by, the NAT layer; it can also be used by an iptables - extension. */ -enum ip_conntrack_info { - /* Part of an established connection (either direction). */ - IP_CT_ESTABLISHED, - /* Like NEW, but related to an existing connection, or ICMP error - (in either direction). */ - IP_CT_RELATED, +#include <uapi/linux/netfilter/nf_conntrack_common.h> - /* Started a new connection to track (only - IP_CT_DIR_ORIGINAL); may be a retransmission. */ - IP_CT_NEW, - - /* >= this indicates reply direction */ - IP_CT_IS_REPLY, - - IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY, - IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY, - IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY, - /* Number of distinct IP_CT types (no NEW in reply dirn). */ - IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 -}; - -/* Bitset representing status of connection. */ -enum ip_conntrack_status { - /* It's an expected connection: bit 0 set. This bit never changed */ - IPS_EXPECTED_BIT = 0, - IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), - - /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ - IPS_SEEN_REPLY_BIT = 1, - IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), - - /* Conntrack should never be early-expired. */ - IPS_ASSURED_BIT = 2, - IPS_ASSURED = (1 << IPS_ASSURED_BIT), - - /* Connection is confirmed: originating packet has left box */ - IPS_CONFIRMED_BIT = 3, - IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), - - /* Connection needs src nat in orig dir. This bit never changed. */ - IPS_SRC_NAT_BIT = 4, - IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), - - /* Connection needs dst nat in orig dir. This bit never changed. */ - IPS_DST_NAT_BIT = 5, - IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), - - /* Both together. */ - IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), - - /* Connection needs TCP sequence adjusted. */ - IPS_SEQ_ADJUST_BIT = 6, - IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), - - /* NAT initialization bits. */ - IPS_SRC_NAT_DONE_BIT = 7, - IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), - - IPS_DST_NAT_DONE_BIT = 8, - IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), - - /* Both together */ - IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), - - /* Connection is dying (removed from lists), can not be unset. */ - IPS_DYING_BIT = 9, - IPS_DYING = (1 << IPS_DYING_BIT), - - /* Connection has fixed timeout. */ - IPS_FIXED_TIMEOUT_BIT = 10, - IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), - - /* Conntrack is a template */ - IPS_TEMPLATE_BIT = 11, - IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT), - - /* Conntrack is a fake untracked entry */ - IPS_UNTRACKED_BIT = 12, - IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT), - - /* Conntrack got a helper explicitly attached via CT target. */ - IPS_HELPER_BIT = 13, - IPS_HELPER = (1 << IPS_HELPER_BIT), -}; - -/* Connection tracking event types */ -enum ip_conntrack_events { - IPCT_NEW, /* new conntrack */ - IPCT_RELATED, /* related conntrack */ - IPCT_DESTROY, /* destroyed conntrack */ - IPCT_REPLY, /* connection has seen two-way traffic */ - IPCT_ASSURED, /* connection status has changed to assured */ - IPCT_PROTOINFO, /* protocol information has changed */ - IPCT_HELPER, /* new helper has been set */ - IPCT_MARK, /* new mark has been set */ - IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ - IPCT_SECMARK, /* new security mark has been set */ -}; - -enum ip_conntrack_expect_events { - IPEXP_NEW, /* new expectation */ - IPEXP_DESTROY, /* destroyed expectation */ -}; - -/* expectation flags */ -#define NF_CT_EXPECT_PERMANENT 0x1 -#define NF_CT_EXPECT_INACTIVE 0x2 -#define NF_CT_EXPECT_USERSPACE 0x4 - -#ifdef __KERNEL__ struct ip_conntrack_stat { unsigned int searched; unsigned int found; @@ -136,6 +25,4 @@ struct ip_conntrack_stat { /* call to create an explicit dependency on nf_conntrack. */ extern void need_conntrack(void); -#endif /* __KERNEL__ */ - #endif /* _NF_CONNTRACK_COMMON_H */ diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h index 8faf3f792d13..5f818b01e035 100644 --- a/include/linux/netfilter/nf_conntrack_ftp.h +++ b/include/linux/netfilter/nf_conntrack_ftp.h @@ -1,20 +1,8 @@ #ifndef _NF_CONNTRACK_FTP_H #define _NF_CONNTRACK_FTP_H -/* FTP tracking. */ -/* This enum is exposed to userspace */ -enum nf_ct_ftp_type { - /* PORT command from client */ - NF_CT_FTP_PORT, - /* PASV response from server */ - NF_CT_FTP_PASV, - /* EPRT command from client */ - NF_CT_FTP_EPRT, - /* EPSV response from server */ - NF_CT_FTP_EPSV, -}; +#include <uapi/linux/netfilter/nf_conntrack_ftp.h> -#ifdef __KERNEL__ #define FTP_PORT 21 @@ -42,6 +30,4 @@ extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb, unsigned int matchoff, unsigned int matchlen, struct nf_conntrack_expect *exp); -#endif /* __KERNEL__ */ - #endif /* _NF_CONNTRACK_FTP_H */ diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h index e59868ae12d4..22db9614b584 100644 --- a/include/linux/netfilter/nf_conntrack_tcp.h +++ b/include/linux/netfilter/nf_conntrack_tcp.h @@ -1,53 +1,8 @@ #ifndef _NF_CONNTRACK_TCP_H #define _NF_CONNTRACK_TCP_H -/* TCP tracking. */ -#include <linux/types.h> +#include <uapi/linux/netfilter/nf_conntrack_tcp.h> -/* This is exposed to userspace (ctnetlink) */ -enum tcp_conntrack { - TCP_CONNTRACK_NONE, - TCP_CONNTRACK_SYN_SENT, - TCP_CONNTRACK_SYN_RECV, - TCP_CONNTRACK_ESTABLISHED, - TCP_CONNTRACK_FIN_WAIT, - TCP_CONNTRACK_CLOSE_WAIT, - TCP_CONNTRACK_LAST_ACK, - TCP_CONNTRACK_TIME_WAIT, - TCP_CONNTRACK_CLOSE, - TCP_CONNTRACK_LISTEN, /* obsolete */ -#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN - TCP_CONNTRACK_MAX, - TCP_CONNTRACK_IGNORE, - TCP_CONNTRACK_RETRANS, - TCP_CONNTRACK_UNACK, - TCP_CONNTRACK_TIMEOUT_MAX -}; - -/* Window scaling is advertised by the sender */ -#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01 - -/* SACK is permitted by the sender */ -#define IP_CT_TCP_FLAG_SACK_PERM 0x02 - -/* This sender sent FIN first */ -#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04 - -/* Be liberal in window checking */ -#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08 - -/* Has unacknowledged data */ -#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10 - -/* The field td_maxack has been set */ -#define IP_CT_TCP_FLAG_MAXACK_SET 0x20 - -struct nf_ct_tcp_flags { - __u8 flags; - __u8 mask; -}; - -#ifdef __KERNEL__ struct ip_ct_tcp_state { u_int32_t td_end; /* max of seq + len */ @@ -74,6 +29,4 @@ struct ip_ct_tcp { u_int8_t last_flags; /* Last flags set */ }; -#endif /* __KERNEL__ */ - #endif /* _NF_CONNTRACK_TCP_H */ diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 18341cdb2443..4966ddec039b 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h @@ -1,63 +1,11 @@ #ifndef _NFNETLINK_H #define _NFNETLINK_H -#include <linux/types.h> -#include <linux/netfilter/nfnetlink_compat.h> -enum nfnetlink_groups { - NFNLGRP_NONE, -#define NFNLGRP_NONE NFNLGRP_NONE - NFNLGRP_CONNTRACK_NEW, -#define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW - NFNLGRP_CONNTRACK_UPDATE, -#define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE - NFNLGRP_CONNTRACK_DESTROY, -#define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY - NFNLGRP_CONNTRACK_EXP_NEW, -#define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW - NFNLGRP_CONNTRACK_EXP_UPDATE, -#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE - NFNLGRP_CONNTRACK_EXP_DESTROY, -#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY - __NFNLGRP_MAX, -}; -#define NFNLGRP_MAX (__NFNLGRP_MAX - 1) - -/* General form of address family dependent message. - */ -struct nfgenmsg { - __u8 nfgen_family; /* AF_xxx */ - __u8 version; /* nfnetlink version */ - __be16 res_id; /* resource id */ -}; - -#define NFNETLINK_V0 0 - -/* netfilter netlink message types are split in two pieces: - * 8 bit subsystem, 8bit operation. - */ - -#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8) -#define NFNL_MSG_TYPE(x) (x & 0x00ff) - -/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS() - * won't work anymore */ -#define NFNL_SUBSYS_NONE 0 -#define NFNL_SUBSYS_CTNETLINK 1 -#define NFNL_SUBSYS_CTNETLINK_EXP 2 -#define NFNL_SUBSYS_QUEUE 3 -#define NFNL_SUBSYS_ULOG 4 -#define NFNL_SUBSYS_OSF 5 -#define NFNL_SUBSYS_IPSET 6 -#define NFNL_SUBSYS_ACCT 7 -#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8 -#define NFNL_SUBSYS_CTHELPER 9 -#define NFNL_SUBSYS_COUNT 10 - -#ifdef __KERNEL__ #include <linux/netlink.h> #include <linux/capability.h> #include <net/netlink.h> +#include <uapi/linux/netfilter/nfnetlink.h> struct nfnl_callback { int (*call)(struct sock *nl, struct sk_buff *skb, @@ -92,5 +40,4 @@ extern void nfnl_unlock(void); #define MODULE_ALIAS_NFNL_SUBSYS(subsys) \ MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys)) -#endif /* __KERNEL__ */ #endif /* _NFNETLINK_H */ diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h index 7c4279b4ae7a..bb4bbc9b7a18 100644 --- a/include/linux/netfilter/nfnetlink_acct.h +++ b/include/linux/netfilter/nfnetlink_acct.h @@ -1,29 +1,8 @@ #ifndef _NFNL_ACCT_H_ #define _NFNL_ACCT_H_ -#ifndef NFACCT_NAME_MAX -#define NFACCT_NAME_MAX 32 -#endif +#include <uapi/linux/netfilter/nfnetlink_acct.h> -enum nfnl_acct_msg_types { - NFNL_MSG_ACCT_NEW, - NFNL_MSG_ACCT_GET, - NFNL_MSG_ACCT_GET_CTRZERO, - NFNL_MSG_ACCT_DEL, - NFNL_MSG_ACCT_MAX -}; - -enum nfnl_acct_type { - NFACCT_UNSPEC, - NFACCT_NAME, - NFACCT_PKTS, - NFACCT_BYTES, - NFACCT_USE, - __NFACCT_MAX -}; -#define NFACCT_MAX (__NFACCT_MAX - 1) - -#ifdef __KERNEL__ struct nf_acct; @@ -31,6 +10,4 @@ extern struct nf_acct *nfnl_acct_find_get(const char *filter_name); extern void nfnl_acct_put(struct nf_acct *acct); extern void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct); -#endif /* __KERNEL__ */ - #endif /* _NFNL_ACCT_H */ diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 8d674a786744..dd49566315c6 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -1,191 +1,9 @@ #ifndef _X_TABLES_H #define _X_TABLES_H -#include <linux/kernel.h> -#include <linux/types.h> -#define XT_FUNCTION_MAXNAMELEN 30 -#define XT_EXTENSION_MAXNAMELEN 29 -#define XT_TABLE_MAXNAMELEN 32 - -struct xt_entry_match { - union { - struct { - __u16 match_size; - - /* Used by userspace */ - char name[XT_EXTENSION_MAXNAMELEN]; - __u8 revision; - } user; - struct { - __u16 match_size; - - /* Used inside the kernel */ - struct xt_match *match; - } kernel; - - /* Total length */ - __u16 match_size; - } u; - - unsigned char data[0]; -}; - -struct xt_entry_target { - union { - struct { - __u16 target_size; - - /* Used by userspace */ - char name[XT_EXTENSION_MAXNAMELEN]; - __u8 revision; - } user; - struct { - __u16 target_size; - - /* Used inside the kernel */ - struct xt_target *target; - } kernel; - - /* Total length */ - __u16 target_size; - } u; - - unsigned char data[0]; -}; - -#define XT_TARGET_INIT(__name, __size) \ -{ \ - .target.u.user = { \ - .target_size = XT_ALIGN(__size), \ - .name = __name, \ - }, \ -} - -struct xt_standard_target { - struct xt_entry_target target; - int verdict; -}; - -struct xt_error_target { - struct xt_entry_target target; - char errorname[XT_FUNCTION_MAXNAMELEN]; -}; - -/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision - * kernel supports, if >= revision. */ -struct xt_get_revision { - char name[XT_EXTENSION_MAXNAMELEN]; - __u8 revision; -}; - -/* CONTINUE verdict for targets */ -#define XT_CONTINUE 0xFFFFFFFF - -/* For standard target */ -#define XT_RETURN (-NF_REPEAT - 1) - -/* this is a dummy structure to find out the alignment requirement for a struct - * containing all the fundamental data types that are used in ipt_entry, - * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my - * personal pleasure to remove it -HW - */ -struct _xt_align { - __u8 u8; - __u16 u16; - __u32 u32; - __u64 u64; -}; - -#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) - -/* Standard return verdict, or do jump. */ -#define XT_STANDARD_TARGET "" -/* Error verdict. */ -#define XT_ERROR_TARGET "ERROR" - -#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) -#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) - -struct xt_counters { - __u64 pcnt, bcnt; /* Packet and byte counters */ -}; - -/* The argument to IPT_SO_ADD_COUNTERS. */ -struct xt_counters_info { - /* Which table. */ - char name[XT_TABLE_MAXNAMELEN]; - - unsigned int num_counters; - - /* The counters (actually `number' of these). */ - struct xt_counters counters[0]; -}; - -#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ - -#ifndef __KERNEL__ -/* fn returns 0 to continue iteration */ -#define XT_MATCH_ITERATE(type, e, fn, args...) \ -({ \ - unsigned int __i; \ - int __ret = 0; \ - struct xt_entry_match *__m; \ - \ - for (__i = sizeof(type); \ - __i < (e)->target_offset; \ - __i += __m->u.match_size) { \ - __m = (void *)e + __i; \ - \ - __ret = fn(__m , ## args); \ - if (__ret != 0) \ - break; \ - } \ - __ret; \ -}) - -/* fn returns 0 to continue iteration */ -#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ -({ \ - unsigned int __i, __n; \ - int __ret = 0; \ - type *__entry; \ - \ - for (__i = 0, __n = 0; __i < (size); \ - __i += __entry->next_offset, __n++) { \ - __entry = (void *)(entries) + __i; \ - if (__n < n) \ - continue; \ - \ - __ret = fn(__entry , ## args); \ - if (__ret != 0) \ - break; \ - } \ - __ret; \ -}) - -/* fn returns 0 to continue iteration */ -#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ - XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) - -#endif /* !__KERNEL__ */ - -/* pos is normally a struct ipt_entry/ip6t_entry/etc. */ -#define xt_entry_foreach(pos, ehead, esize) \ - for ((pos) = (typeof(pos))(ehead); \ - (pos) < (typeof(pos))((char *)(ehead) + (esize)); \ - (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset)) - -/* can only be xt_entry_match, so no use of typeof here */ -#define xt_ematch_foreach(pos, entry) \ - for ((pos) = (struct xt_entry_match *)entry->elems; \ - (pos) < (struct xt_entry_match *)((char *)(entry) + \ - (entry)->target_offset); \ - (pos) = (struct xt_entry_match *)((char *)(pos) + \ - (pos)->u.match_size)) - -#ifdef __KERNEL__ #include <linux/netdevice.h> +#include <uapi/linux/netfilter/x_tables.h> /** * struct xt_action_param - parameters for matches/targets @@ -617,6 +435,4 @@ extern int xt_compat_target_to_user(const struct xt_entry_target *t, void __user **dstptr, unsigned int *size); #endif /* CONFIG_COMPAT */ -#endif /* __KERNEL__ */ - #endif /* _X_TABLES_H */ diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h index c42e52f39f8f..074790c0cf74 100644 --- a/include/linux/netfilter/xt_hashlimit.h +++ b/include/linux/netfilter/xt_hashlimit.h @@ -1,78 +1,9 @@ #ifndef _XT_HASHLIMIT_H #define _XT_HASHLIMIT_H -#include <linux/types.h> +#include <uapi/linux/netfilter/xt_hashlimit.h> -/* timings are in milliseconds. */ -#define XT_HASHLIMIT_SCALE 10000 -/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 - * seconds, or one packet every 59 hours. - */ - -/* packet length accounting is done in 16-byte steps */ -#define XT_HASHLIMIT_BYTE_SHIFT 4 - -/* details of this structure hidden by the implementation */ -struct xt_hashlimit_htable; - -enum { - XT_HASHLIMIT_HASH_DIP = 1 << 0, - XT_HASHLIMIT_HASH_DPT = 1 << 1, - XT_HASHLIMIT_HASH_SIP = 1 << 2, - XT_HASHLIMIT_HASH_SPT = 1 << 3, - XT_HASHLIMIT_INVERT = 1 << 4, - XT_HASHLIMIT_BYTES = 1 << 5, -}; -#ifdef __KERNEL__ #define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \ XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \ XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES) -#endif - -struct hashlimit_cfg { - __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ - __u32 avg; /* Average secs between packets * scale */ - __u32 burst; /* Period multiplier for upper limit. */ - - /* user specified */ - __u32 size; /* how many buckets */ - __u32 max; /* max number of entries */ - __u32 gc_interval; /* gc interval */ - __u32 expire; /* when do entries expire? */ -}; - -struct xt_hashlimit_info { - char name [IFNAMSIZ]; /* name */ - struct hashlimit_cfg cfg; - - /* Used internally by the kernel */ - struct xt_hashlimit_htable *hinfo; - union { - void *ptr; - struct xt_hashlimit_info *master; - } u; -}; - -struct hashlimit_cfg1 { - __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ - __u32 avg; /* Average secs between packets * scale */ - __u32 burst; /* Period multiplier for upper limit. */ - - /* user specified */ - __u32 size; /* how many buckets */ - __u32 max; /* max number of entries */ - __u32 gc_interval; /* gc interval */ - __u32 expire; /* when do entries expire? */ - - __u8 srcmask, dstmask; -}; - -struct xt_hashlimit_mtinfo1 { - char name[IFNAMSIZ]; - struct hashlimit_cfg1 cfg; - - /* Used internally by the kernel */ - struct xt_hashlimit_htable *hinfo __attribute__((aligned(8))); -}; - #endif /*_XT_HASHLIMIT_H*/ diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h index 8555e399886d..5b5e41716d69 100644 --- a/include/linux/netfilter/xt_physdev.h +++ b/include/linux/netfilter/xt_physdev.h @@ -1,26 +1,7 @@ #ifndef _XT_PHYSDEV_H #define _XT_PHYSDEV_H -#include <linux/types.h> - -#ifdef __KERNEL__ #include <linux/if.h> -#endif - -#define XT_PHYSDEV_OP_IN 0x01 -#define XT_PHYSDEV_OP_OUT 0x02 -#define XT_PHYSDEV_OP_BRIDGED 0x04 -#define XT_PHYSDEV_OP_ISIN 0x08 -#define XT_PHYSDEV_OP_ISOUT 0x10 -#define XT_PHYSDEV_OP_MASK (0x20 - 1) - -struct xt_physdev_info { - char physindev[IFNAMSIZ]; - char in_mask[IFNAMSIZ]; - char physoutdev[IFNAMSIZ]; - char out_mask[IFNAMSIZ]; - __u8 invert; - __u8 bitmask; -}; +#include <uapi/linux/netfilter/xt_physdev.h> #endif /*_XT_PHYSDEV_H*/ diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild index 4afbace8e869..08f555fef13f 100644 --- a/include/uapi/linux/netfilter/Kbuild +++ b/include/uapi/linux/netfilter/Kbuild @@ -1,2 +1,78 @@ # UAPI Header export list header-y += ipset/ +header-y += nf_conntrack_common.h +header-y += nf_conntrack_ftp.h +header-y += nf_conntrack_sctp.h +header-y += nf_conntrack_tcp.h +header-y += nf_conntrack_tuple_common.h +header-y += nf_nat.h +header-y += nfnetlink.h +header-y += nfnetlink_acct.h +header-y += nfnetlink_compat.h +header-y += nfnetlink_conntrack.h +header-y += nfnetlink_cthelper.h +header-y += nfnetlink_cttimeout.h +header-y += nfnetlink_log.h +header-y += nfnetlink_queue.h +header-y += x_tables.h +header-y += xt_AUDIT.h +header-y += xt_CHECKSUM.h +header-y += xt_CLASSIFY.h +header-y += xt_CONNMARK.h +header-y += xt_CONNSECMARK.h +header-y += xt_CT.h +header-y += xt_DSCP.h +header-y += xt_IDLETIMER.h +header-y += xt_LED.h +header-y += xt_LOG.h +header-y += xt_MARK.h +header-y += xt_NFLOG.h +header-y += xt_NFQUEUE.h +header-y += xt_RATEEST.h +header-y += xt_SECMARK.h +header-y += xt_TCPMSS.h +header-y += xt_TCPOPTSTRIP.h +header-y += xt_TEE.h +header-y += xt_TPROXY.h +header-y += xt_addrtype.h +header-y += xt_cluster.h +header-y += xt_comment.h +header-y += xt_connbytes.h +header-y += xt_connlimit.h +header-y += xt_connmark.h +header-y += xt_conntrack.h +header-y += xt_cpu.h +header-y += xt_dccp.h +header-y += xt_devgroup.h +header-y += xt_dscp.h +header-y += xt_ecn.h +header-y += xt_esp.h +header-y += xt_hashlimit.h +header-y += xt_helper.h +header-y += xt_iprange.h +header-y += xt_ipvs.h +header-y += xt_length.h +header-y += xt_limit.h +header-y += xt_mac.h +header-y += xt_mark.h +header-y += xt_multiport.h +header-y += xt_nfacct.h +header-y += xt_osf.h +header-y += xt_owner.h +header-y += xt_physdev.h +header-y += xt_pkttype.h +header-y += xt_policy.h +header-y += xt_quota.h +header-y += xt_rateest.h +header-y += xt_realm.h +header-y += xt_recent.h +header-y += xt_sctp.h +header-y += xt_set.h +header-y += xt_socket.h +header-y += xt_state.h +header-y += xt_statistic.h +header-y += xt_string.h +header-y += xt_tcpmss.h +header-y += xt_tcpudp.h +header-y += xt_time.h +header-y += xt_u32.h diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h new file mode 100644 index 000000000000..1644cdd8be91 --- /dev/null +++ b/include/uapi/linux/netfilter/nf_conntrack_common.h @@ -0,0 +1,117 @@ +#ifndef _UAPI_NF_CONNTRACK_COMMON_H +#define _UAPI_NF_CONNTRACK_COMMON_H +/* Connection state tracking for netfilter. This is separated from, + but required by, the NAT layer; it can also be used by an iptables + extension. */ +enum ip_conntrack_info { + /* Part of an established connection (either direction). */ + IP_CT_ESTABLISHED, + + /* Like NEW, but related to an existing connection, or ICMP error + (in either direction). */ + IP_CT_RELATED, + + /* Started a new connection to track (only + IP_CT_DIR_ORIGINAL); may be a retransmission. */ + IP_CT_NEW, + + /* >= this indicates reply direction */ + IP_CT_IS_REPLY, + + IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY, + IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY, + IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY, + /* Number of distinct IP_CT types (no NEW in reply dirn). */ + IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 +}; + +/* Bitset representing status of connection. */ +enum ip_conntrack_status { + /* It's an expected connection: bit 0 set. This bit never changed */ + IPS_EXPECTED_BIT = 0, + IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), + + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ + IPS_SEEN_REPLY_BIT = 1, + IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), + + /* Conntrack should never be early-expired. */ + IPS_ASSURED_BIT = 2, + IPS_ASSURED = (1 << IPS_ASSURED_BIT), + + /* Connection is confirmed: originating packet has left box */ + IPS_CONFIRMED_BIT = 3, + IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), + + /* Connection needs src nat in orig dir. This bit never changed. */ + IPS_SRC_NAT_BIT = 4, + IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), + + /* Connection needs dst nat in orig dir. This bit never changed. */ + IPS_DST_NAT_BIT = 5, + IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), + + /* Both together. */ + IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), + + /* Connection needs TCP sequence adjusted. */ + IPS_SEQ_ADJUST_BIT = 6, + IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), + + /* NAT initialization bits. */ + IPS_SRC_NAT_DONE_BIT = 7, + IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), + + IPS_DST_NAT_DONE_BIT = 8, + IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), + + /* Both together */ + IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), + + /* Connection is dying (removed from lists), can not be unset. */ + IPS_DYING_BIT = 9, + IPS_DYING = (1 << IPS_DYING_BIT), + + /* Connection has fixed timeout. */ + IPS_FIXED_TIMEOUT_BIT = 10, + IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), + + /* Conntrack is a template */ + IPS_TEMPLATE_BIT = 11, + IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT), + + /* Conntrack is a fake untracked entry */ + IPS_UNTRACKED_BIT = 12, + IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT), + + /* Conntrack got a helper explicitly attached via CT target. */ + IPS_HELPER_BIT = 13, + IPS_HELPER = (1 << IPS_HELPER_BIT), +}; + +/* Connection tracking event types */ +enum ip_conntrack_events { + IPCT_NEW, /* new conntrack */ + IPCT_RELATED, /* related conntrack */ + IPCT_DESTROY, /* destroyed conntrack */ + IPCT_REPLY, /* connection has seen two-way traffic */ + IPCT_ASSURED, /* connection status has changed to assured */ + IPCT_PROTOINFO, /* protocol information has changed */ + IPCT_HELPER, /* new helper has been set */ + IPCT_MARK, /* new mark has been set */ + IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ + IPCT_SECMARK, /* new security mark has been set */ +}; + +enum ip_conntrack_expect_events { + IPEXP_NEW, /* new expectation */ + IPEXP_DESTROY, /* destroyed expectation */ +}; + +/* expectation flags */ +#define NF_CT_EXPECT_PERMANENT 0x1 +#define NF_CT_EXPECT_INACTIVE 0x2 +#define NF_CT_EXPECT_USERSPACE 0x4 + + +#endif /* _UAPI_NF_CONNTRACK_COMMON_H */ diff --git a/include/uapi/linux/netfilter/nf_conntrack_ftp.h b/include/uapi/linux/netfilter/nf_conntrack_ftp.h new file mode 100644 index 000000000000..1030315a41b5 --- /dev/null +++ b/include/uapi/linux/netfilter/nf_conntrack_ftp.h @@ -0,0 +1,18 @@ +#ifndef _UAPI_NF_CONNTRACK_FTP_H +#define _UAPI_NF_CONNTRACK_FTP_H +/* FTP tracking. */ + +/* This enum is exposed to userspace */ +enum nf_ct_ftp_type { + /* PORT command from client */ + NF_CT_FTP_PORT, + /* PASV response from server */ + NF_CT_FTP_PASV, + /* EPRT command from client */ + NF_CT_FTP_EPRT, + /* EPSV response from server */ + NF_CT_FTP_EPSV, +}; + + +#endif /* _UAPI_NF_CONNTRACK_FTP_H */ diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/uapi/linux/netfilter/nf_conntrack_sctp.h index ceeefe6681b5..ceeefe6681b5 100644 --- a/include/linux/netfilter/nf_conntrack_sctp.h +++ b/include/uapi/linux/netfilter/nf_conntrack_sctp.h diff --git a/include/uapi/linux/netfilter/nf_conntrack_tcp.h b/include/uapi/linux/netfilter/nf_conntrack_tcp.h new file mode 100644 index 000000000000..9993a421201c --- /dev/null +++ b/include/uapi/linux/netfilter/nf_conntrack_tcp.h @@ -0,0 +1,51 @@ +#ifndef _UAPI_NF_CONNTRACK_TCP_H +#define _UAPI_NF_CONNTRACK_TCP_H +/* TCP tracking. */ + +#include <linux/types.h> + +/* This is exposed to userspace (ctnetlink) */ +enum tcp_conntrack { + TCP_CONNTRACK_NONE, + TCP_CONNTRACK_SYN_SENT, + TCP_CONNTRACK_SYN_RECV, + TCP_CONNTRACK_ESTABLISHED, + TCP_CONNTRACK_FIN_WAIT, + TCP_CONNTRACK_CLOSE_WAIT, + TCP_CONNTRACK_LAST_ACK, + TCP_CONNTRACK_TIME_WAIT, + TCP_CONNTRACK_CLOSE, + TCP_CONNTRACK_LISTEN, /* obsolete */ +#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN + TCP_CONNTRACK_MAX, + TCP_CONNTRACK_IGNORE, + TCP_CONNTRACK_RETRANS, + TCP_CONNTRACK_UNACK, + TCP_CONNTRACK_TIMEOUT_MAX +}; + +/* Window scaling is advertised by the sender */ +#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01 + +/* SACK is permitted by the sender */ +#define IP_CT_TCP_FLAG_SACK_PERM 0x02 + +/* This sender sent FIN first */ +#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04 + +/* Be liberal in window checking */ +#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08 + +/* Has unacknowledged data */ +#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10 + +/* The field td_maxack has been set */ +#define IP_CT_TCP_FLAG_MAXACK_SET 0x20 + +struct nf_ct_tcp_flags { + __u8 flags; + __u8 mask; +}; + + +#endif /* _UAPI_NF_CONNTRACK_TCP_H */ diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h index 2f6bbc5b8125..2f6bbc5b8125 100644 --- a/include/linux/netfilter/nf_conntrack_tuple_common.h +++ b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h diff --git a/include/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h index bf0cc373ffb6..bf0cc373ffb6 100644 --- a/include/linux/netfilter/nf_nat.h +++ b/include/uapi/linux/netfilter/nf_nat.h diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h new file mode 100644 index 000000000000..4a4efafad5f4 --- /dev/null +++ b/include/uapi/linux/netfilter/nfnetlink.h @@ -0,0 +1,56 @@ +#ifndef _UAPI_NFNETLINK_H +#define _UAPI_NFNETLINK_H +#include <linux/types.h> +#include <linux/netfilter/nfnetlink_compat.h> + +enum nfnetlink_groups { + NFNLGRP_NONE, +#define NFNLGRP_NONE NFNLGRP_NONE + NFNLGRP_CONNTRACK_NEW, +#define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW + NFNLGRP_CONNTRACK_UPDATE, +#define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE + NFNLGRP_CONNTRACK_DESTROY, +#define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY + NFNLGRP_CONNTRACK_EXP_NEW, +#define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW + NFNLGRP_CONNTRACK_EXP_UPDATE, +#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE + NFNLGRP_CONNTRACK_EXP_DESTROY, +#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY + __NFNLGRP_MAX, +}; +#define NFNLGRP_MAX (__NFNLGRP_MAX - 1) + +/* General form of address family dependent message. + */ +struct nfgenmsg { + __u8 nfgen_family; /* AF_xxx */ + __u8 version; /* nfnetlink version */ + __be16 res_id; /* resource id */ +}; + +#define NFNETLINK_V0 0 + +/* netfilter netlink message types are split in two pieces: + * 8 bit subsystem, 8bit operation. + */ + +#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8) +#define NFNL_MSG_TYPE(x) (x & 0x00ff) + +/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS() + * won't work anymore */ +#define NFNL_SUBSYS_NONE 0 +#define NFNL_SUBSYS_CTNETLINK 1 +#define NFNL_SUBSYS_CTNETLINK_EXP 2 +#define NFNL_SUBSYS_QUEUE 3 +#define NFNL_SUBSYS_ULOG 4 +#define NFNL_SUBSYS_OSF 5 +#define NFNL_SUBSYS_IPSET 6 +#define NFNL_SUBSYS_ACCT 7 +#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8 +#define NFNL_SUBSYS_CTHELPER 9 +#define NFNL_SUBSYS_COUNT 10 + +#endif /* _UAPI_NFNETLINK_H */ diff --git a/include/uapi/linux/netfilter/nfnetlink_acct.h b/include/uapi/linux/netfilter/nfnetlink_acct.h new file mode 100644 index 000000000000..c7b6269e760b --- /dev/null +++ b/include/uapi/linux/netfilter/nfnetlink_acct.h @@ -0,0 +1,27 @@ +#ifndef _UAPI_NFNL_ACCT_H_ +#define _UAPI_NFNL_ACCT_H_ + +#ifndef NFACCT_NAME_MAX +#define NFACCT_NAME_MAX 32 +#endif + +enum nfnl_acct_msg_types { + NFNL_MSG_ACCT_NEW, + NFNL_MSG_ACCT_GET, + NFNL_MSG_ACCT_GET_CTRZERO, + NFNL_MSG_ACCT_DEL, + NFNL_MSG_ACCT_MAX +}; + +enum nfnl_acct_type { + NFACCT_UNSPEC, + NFACCT_NAME, + NFACCT_PKTS, + NFACCT_BYTES, + NFACCT_USE, + __NFACCT_MAX +}; +#define NFACCT_MAX (__NFACCT_MAX - 1) + + +#endif /* _UAPI_NFNL_ACCT_H_ */ diff --git a/include/linux/netfilter/nfnetlink_compat.h b/include/uapi/linux/netfilter/nfnetlink_compat.h index ffb95036bbd4..ffb95036bbd4 100644 --- a/include/linux/netfilter/nfnetlink_compat.h +++ b/include/uapi/linux/netfilter/nfnetlink_compat.h diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h index 43bfe3e1685b..43bfe3e1685b 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h diff --git a/include/linux/netfilter/nfnetlink_cthelper.h b/include/uapi/linux/netfilter/nfnetlink_cthelper.h index 33659f6fad3e..33659f6fad3e 100644 --- a/include/linux/netfilter/nfnetlink_cthelper.h +++ b/include/uapi/linux/netfilter/nfnetlink_cthelper.h diff --git a/include/linux/netfilter/nfnetlink_cttimeout.h b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h index a2810a7c5e30..a2810a7c5e30 100644 --- a/include/linux/netfilter/nfnetlink_cttimeout.h +++ b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h diff --git a/include/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h index 90c2c9575bac..90c2c9575bac 100644 --- a/include/linux/netfilter/nfnetlink_log.h +++ b/include/uapi/linux/netfilter/nfnetlink_log.h diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h index 70ec8c2bc11a..70ec8c2bc11a 100644 --- a/include/linux/netfilter/nfnetlink_queue.h +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h diff --git a/include/uapi/linux/netfilter/x_tables.h b/include/uapi/linux/netfilter/x_tables.h new file mode 100644 index 000000000000..c36969b91533 --- /dev/null +++ b/include/uapi/linux/netfilter/x_tables.h @@ -0,0 +1,187 @@ +#ifndef _UAPI_X_TABLES_H +#define _UAPI_X_TABLES_H +#include <linux/kernel.h> +#include <linux/types.h> + +#define XT_FUNCTION_MAXNAMELEN 30 +#define XT_EXTENSION_MAXNAMELEN 29 +#define XT_TABLE_MAXNAMELEN 32 + +struct xt_entry_match { + union { + struct { + __u16 match_size; + + /* Used by userspace */ + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; + } user; + struct { + __u16 match_size; + + /* Used inside the kernel */ + struct xt_match *match; + } kernel; + + /* Total length */ + __u16 match_size; + } u; + + unsigned char data[0]; +}; + +struct xt_entry_target { + union { + struct { + __u16 target_size; + + /* Used by userspace */ + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; + } user; + struct { + __u16 target_size; + + /* Used inside the kernel */ + struct xt_target *target; + } kernel; + + /* Total length */ + __u16 target_size; + } u; + + unsigned char data[0]; +}; + +#define XT_TARGET_INIT(__name, __size) \ +{ \ + .target.u.user = { \ + .target_size = XT_ALIGN(__size), \ + .name = __name, \ + }, \ +} + +struct xt_standard_target { + struct xt_entry_target target; + int verdict; +}; + +struct xt_error_target { + struct xt_entry_target target; + char errorname[XT_FUNCTION_MAXNAMELEN]; +}; + +/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision + * kernel supports, if >= revision. */ +struct xt_get_revision { + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; +}; + +/* CONTINUE verdict for targets */ +#define XT_CONTINUE 0xFFFFFFFF + +/* For standard target */ +#define XT_RETURN (-NF_REPEAT - 1) + +/* this is a dummy structure to find out the alignment requirement for a struct + * containing all the fundamental data types that are used in ipt_entry, + * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my + * personal pleasure to remove it -HW + */ +struct _xt_align { + __u8 u8; + __u16 u16; + __u32 u32; + __u64 u64; +}; + +#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) + +/* Standard return verdict, or do jump. */ +#define XT_STANDARD_TARGET "" +/* Error verdict. */ +#define XT_ERROR_TARGET "ERROR" + +#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) +#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) + +struct xt_counters { + __u64 pcnt, bcnt; /* Packet and byte counters */ +}; + +/* The argument to IPT_SO_ADD_COUNTERS. */ +struct xt_counters_info { + /* Which table. */ + char name[XT_TABLE_MAXNAMELEN]; + + unsigned int num_counters; + + /* The counters (actually `number' of these). */ + struct xt_counters counters[0]; +}; + +#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ + +#ifndef __KERNEL__ +/* fn returns 0 to continue iteration */ +#define XT_MATCH_ITERATE(type, e, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct xt_entry_match *__m; \ + \ + for (__i = sizeof(type); \ + __i < (e)->target_offset; \ + __i += __m->u.match_size) { \ + __m = (void *)e + __i; \ + \ + __ret = fn(__m , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ +({ \ + unsigned int __i, __n; \ + int __ret = 0; \ + type *__entry; \ + \ + for (__i = 0, __n = 0; __i < (size); \ + __i += __entry->next_offset, __n++) { \ + __entry = (void *)(entries) + __i; \ + if (__n < n) \ + continue; \ + \ + __ret = fn(__entry , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ + XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) + +#endif /* !__KERNEL__ */ + +/* pos is normally a struct ipt_entry/ip6t_entry/etc. */ +#define xt_entry_foreach(pos, ehead, esize) \ + for ((pos) = (typeof(pos))(ehead); \ + (pos) < (typeof(pos))((char *)(ehead) + (esize)); \ + (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset)) + +/* can only be xt_entry_match, so no use of typeof here */ +#define xt_ematch_foreach(pos, entry) \ + for ((pos) = (struct xt_entry_match *)entry->elems; \ + (pos) < (struct xt_entry_match *)((char *)(entry) + \ + (entry)->target_offset); \ + (pos) = (struct xt_entry_match *)((char *)(pos) + \ + (pos)->u.match_size)) + + +#endif /* _UAPI_X_TABLES_H */ diff --git a/include/linux/netfilter/xt_AUDIT.h b/include/uapi/linux/netfilter/xt_AUDIT.h index 38751d2ea52b..38751d2ea52b 100644 --- a/include/linux/netfilter/xt_AUDIT.h +++ b/include/uapi/linux/netfilter/xt_AUDIT.h diff --git a/include/linux/netfilter/xt_CHECKSUM.h b/include/uapi/linux/netfilter/xt_CHECKSUM.h index 9a2e4661654e..9a2e4661654e 100644 --- a/include/linux/netfilter/xt_CHECKSUM.h +++ b/include/uapi/linux/netfilter/xt_CHECKSUM.h diff --git a/include/linux/netfilter/xt_CLASSIFY.h b/include/uapi/linux/netfilter/xt_CLASSIFY.h index a813bf14dd63..a813bf14dd63 100644 --- a/include/linux/netfilter/xt_CLASSIFY.h +++ b/include/uapi/linux/netfilter/xt_CLASSIFY.h diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/uapi/linux/netfilter/xt_CONNMARK.h index 2f2e48ec8023..2f2e48ec8023 100644 --- a/include/linux/netfilter/xt_CONNMARK.h +++ b/include/uapi/linux/netfilter/xt_CONNMARK.h diff --git a/include/linux/netfilter/xt_CONNSECMARK.h b/include/uapi/linux/netfilter/xt_CONNSECMARK.h index b973ff80fa1e..b973ff80fa1e 100644 --- a/include/linux/netfilter/xt_CONNSECMARK.h +++ b/include/uapi/linux/netfilter/xt_CONNSECMARK.h diff --git a/include/linux/netfilter/xt_CT.h b/include/uapi/linux/netfilter/xt_CT.h index a064b8af360c..a064b8af360c 100644 --- a/include/linux/netfilter/xt_CT.h +++ b/include/uapi/linux/netfilter/xt_CT.h diff --git a/include/linux/netfilter/xt_DSCP.h b/include/uapi/linux/netfilter/xt_DSCP.h index 648e0b3bed29..648e0b3bed29 100644 --- a/include/linux/netfilter/xt_DSCP.h +++ b/include/uapi/linux/netfilter/xt_DSCP.h diff --git a/include/linux/netfilter/xt_IDLETIMER.h b/include/uapi/linux/netfilter/xt_IDLETIMER.h index 208ae9387331..208ae9387331 100644 --- a/include/linux/netfilter/xt_IDLETIMER.h +++ b/include/uapi/linux/netfilter/xt_IDLETIMER.h diff --git a/include/linux/netfilter/xt_LED.h b/include/uapi/linux/netfilter/xt_LED.h index f5509e7524d3..f5509e7524d3 100644 --- a/include/linux/netfilter/xt_LED.h +++ b/include/uapi/linux/netfilter/xt_LED.h diff --git a/include/linux/netfilter/xt_LOG.h b/include/uapi/linux/netfilter/xt_LOG.h index cac079095305..cac079095305 100644 --- a/include/linux/netfilter/xt_LOG.h +++ b/include/uapi/linux/netfilter/xt_LOG.h diff --git a/include/linux/netfilter/xt_MARK.h b/include/uapi/linux/netfilter/xt_MARK.h index 41c456deba22..41c456deba22 100644 --- a/include/linux/netfilter/xt_MARK.h +++ b/include/uapi/linux/netfilter/xt_MARK.h diff --git a/include/linux/netfilter/xt_NFLOG.h b/include/uapi/linux/netfilter/xt_NFLOG.h index 87b58311ce6b..87b58311ce6b 100644 --- a/include/linux/netfilter/xt_NFLOG.h +++ b/include/uapi/linux/netfilter/xt_NFLOG.h diff --git a/include/linux/netfilter/xt_NFQUEUE.h b/include/uapi/linux/netfilter/xt_NFQUEUE.h index 9eafdbbb401c..9eafdbbb401c 100644 --- a/include/linux/netfilter/xt_NFQUEUE.h +++ b/include/uapi/linux/netfilter/xt_NFQUEUE.h diff --git a/include/linux/netfilter/xt_RATEEST.h b/include/uapi/linux/netfilter/xt_RATEEST.h index 6605e20ad8cf..6605e20ad8cf 100644 --- a/include/linux/netfilter/xt_RATEEST.h +++ b/include/uapi/linux/netfilter/xt_RATEEST.h diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h index 989092bd6274..989092bd6274 100644 --- a/include/linux/netfilter/xt_SECMARK.h +++ b/include/uapi/linux/netfilter/xt_SECMARK.h diff --git a/include/linux/netfilter/xt_TCPMSS.h b/include/uapi/linux/netfilter/xt_TCPMSS.h index 9a6960afc134..9a6960afc134 100644 --- a/include/linux/netfilter/xt_TCPMSS.h +++ b/include/uapi/linux/netfilter/xt_TCPMSS.h diff --git a/include/linux/netfilter/xt_TCPOPTSTRIP.h b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h index 7157318499c2..7157318499c2 100644 --- a/include/linux/netfilter/xt_TCPOPTSTRIP.h +++ b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h diff --git a/include/linux/netfilter/xt_TEE.h b/include/uapi/linux/netfilter/xt_TEE.h index 5c21d5c829af..5c21d5c829af 100644 --- a/include/linux/netfilter/xt_TEE.h +++ b/include/uapi/linux/netfilter/xt_TEE.h diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/uapi/linux/netfilter/xt_TPROXY.h index 902043c2073f..902043c2073f 100644 --- a/include/linux/netfilter/xt_TPROXY.h +++ b/include/uapi/linux/netfilter/xt_TPROXY.h diff --git a/include/linux/netfilter/xt_addrtype.h b/include/uapi/linux/netfilter/xt_addrtype.h index b156baa9d55e..b156baa9d55e 100644 --- a/include/linux/netfilter/xt_addrtype.h +++ b/include/uapi/linux/netfilter/xt_addrtype.h diff --git a/include/linux/netfilter/xt_cluster.h b/include/uapi/linux/netfilter/xt_cluster.h index 9b883c8fbf54..9b883c8fbf54 100644 --- a/include/linux/netfilter/xt_cluster.h +++ b/include/uapi/linux/netfilter/xt_cluster.h diff --git a/include/linux/netfilter/xt_comment.h b/include/uapi/linux/netfilter/xt_comment.h index 0ea5e79f5bd7..0ea5e79f5bd7 100644 --- a/include/linux/netfilter/xt_comment.h +++ b/include/uapi/linux/netfilter/xt_comment.h diff --git a/include/linux/netfilter/xt_connbytes.h b/include/uapi/linux/netfilter/xt_connbytes.h index f1d6c15bd9e3..f1d6c15bd9e3 100644 --- a/include/linux/netfilter/xt_connbytes.h +++ b/include/uapi/linux/netfilter/xt_connbytes.h diff --git a/include/linux/netfilter/xt_connlimit.h b/include/uapi/linux/netfilter/xt_connlimit.h index f1656096121e..f1656096121e 100644 --- a/include/linux/netfilter/xt_connlimit.h +++ b/include/uapi/linux/netfilter/xt_connlimit.h diff --git a/include/linux/netfilter/xt_connmark.h b/include/uapi/linux/netfilter/xt_connmark.h index efc17a8305fb..efc17a8305fb 100644 --- a/include/linux/netfilter/xt_connmark.h +++ b/include/uapi/linux/netfilter/xt_connmark.h diff --git a/include/linux/netfilter/xt_conntrack.h b/include/uapi/linux/netfilter/xt_conntrack.h index e3c041d54020..e3c041d54020 100644 --- a/include/linux/netfilter/xt_conntrack.h +++ b/include/uapi/linux/netfilter/xt_conntrack.h diff --git a/include/linux/netfilter/xt_cpu.h b/include/uapi/linux/netfilter/xt_cpu.h index 93c7f11d8f42..93c7f11d8f42 100644 --- a/include/linux/netfilter/xt_cpu.h +++ b/include/uapi/linux/netfilter/xt_cpu.h diff --git a/include/linux/netfilter/xt_dccp.h b/include/uapi/linux/netfilter/xt_dccp.h index a579e1b6f040..a579e1b6f040 100644 --- a/include/linux/netfilter/xt_dccp.h +++ b/include/uapi/linux/netfilter/xt_dccp.h diff --git a/include/linux/netfilter/xt_devgroup.h b/include/uapi/linux/netfilter/xt_devgroup.h index 1babde0ec900..1babde0ec900 100644 --- a/include/linux/netfilter/xt_devgroup.h +++ b/include/uapi/linux/netfilter/xt_devgroup.h diff --git a/include/linux/netfilter/xt_dscp.h b/include/uapi/linux/netfilter/xt_dscp.h index 15f8932ad5ce..15f8932ad5ce 100644 --- a/include/linux/netfilter/xt_dscp.h +++ b/include/uapi/linux/netfilter/xt_dscp.h diff --git a/include/linux/netfilter/xt_ecn.h b/include/uapi/linux/netfilter/xt_ecn.h index 7158fca364f2..7158fca364f2 100644 --- a/include/linux/netfilter/xt_ecn.h +++ b/include/uapi/linux/netfilter/xt_ecn.h diff --git a/include/linux/netfilter/xt_esp.h b/include/uapi/linux/netfilter/xt_esp.h index ee6882408000..ee6882408000 100644 --- a/include/linux/netfilter/xt_esp.h +++ b/include/uapi/linux/netfilter/xt_esp.h diff --git a/include/uapi/linux/netfilter/xt_hashlimit.h b/include/uapi/linux/netfilter/xt_hashlimit.h new file mode 100644 index 000000000000..cbfc43d1af68 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_hashlimit.h @@ -0,0 +1,73 @@ +#ifndef _UAPI_XT_HASHLIMIT_H +#define _UAPI_XT_HASHLIMIT_H + +#include <linux/types.h> + +/* timings are in milliseconds. */ +#define XT_HASHLIMIT_SCALE 10000 +/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 + * seconds, or one packet every 59 hours. + */ + +/* packet length accounting is done in 16-byte steps */ +#define XT_HASHLIMIT_BYTE_SHIFT 4 + +/* details of this structure hidden by the implementation */ +struct xt_hashlimit_htable; + +enum { + XT_HASHLIMIT_HASH_DIP = 1 << 0, + XT_HASHLIMIT_HASH_DPT = 1 << 1, + XT_HASHLIMIT_HASH_SIP = 1 << 2, + XT_HASHLIMIT_HASH_SPT = 1 << 3, + XT_HASHLIMIT_INVERT = 1 << 4, + XT_HASHLIMIT_BYTES = 1 << 5, +}; + +struct hashlimit_cfg { + __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ + + /* user specified */ + __u32 size; /* how many buckets */ + __u32 max; /* max number of entries */ + __u32 gc_interval; /* gc interval */ + __u32 expire; /* when do entries expire? */ +}; + +struct xt_hashlimit_info { + char name [IFNAMSIZ]; /* name */ + struct hashlimit_cfg cfg; + + /* Used internally by the kernel */ + struct xt_hashlimit_htable *hinfo; + union { + void *ptr; + struct xt_hashlimit_info *master; + } u; +}; + +struct hashlimit_cfg1 { + __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ + + /* user specified */ + __u32 size; /* how many buckets */ + __u32 max; /* max number of entries */ + __u32 gc_interval; /* gc interval */ + __u32 expire; /* when do entries expire? */ + + __u8 srcmask, dstmask; +}; + +struct xt_hashlimit_mtinfo1 { + char name[IFNAMSIZ]; + struct hashlimit_cfg1 cfg; + + /* Used internally by the kernel */ + struct xt_hashlimit_htable *hinfo __attribute__((aligned(8))); +}; + +#endif /* _UAPI_XT_HASHLIMIT_H */ diff --git a/include/linux/netfilter/xt_helper.h b/include/uapi/linux/netfilter/xt_helper.h index 6b42763f999d..6b42763f999d 100644 --- a/include/linux/netfilter/xt_helper.h +++ b/include/uapi/linux/netfilter/xt_helper.h diff --git a/include/linux/netfilter/xt_iprange.h b/include/uapi/linux/netfilter/xt_iprange.h index 25fd7cf851f0..25fd7cf851f0 100644 --- a/include/linux/netfilter/xt_iprange.h +++ b/include/uapi/linux/netfilter/xt_iprange.h diff --git a/include/linux/netfilter/xt_ipvs.h b/include/uapi/linux/netfilter/xt_ipvs.h index eff34ac18808..eff34ac18808 100644 --- a/include/linux/netfilter/xt_ipvs.h +++ b/include/uapi/linux/netfilter/xt_ipvs.h diff --git a/include/linux/netfilter/xt_length.h b/include/uapi/linux/netfilter/xt_length.h index b82ed7c4b1e0..b82ed7c4b1e0 100644 --- a/include/linux/netfilter/xt_length.h +++ b/include/uapi/linux/netfilter/xt_length.h diff --git a/include/linux/netfilter/xt_limit.h b/include/uapi/linux/netfilter/xt_limit.h index bb47fc4d2ade..bb47fc4d2ade 100644 --- a/include/linux/netfilter/xt_limit.h +++ b/include/uapi/linux/netfilter/xt_limit.h diff --git a/include/linux/netfilter/xt_mac.h b/include/uapi/linux/netfilter/xt_mac.h index b892cdc67e06..b892cdc67e06 100644 --- a/include/linux/netfilter/xt_mac.h +++ b/include/uapi/linux/netfilter/xt_mac.h diff --git a/include/linux/netfilter/xt_mark.h b/include/uapi/linux/netfilter/xt_mark.h index ecadc40d5cde..ecadc40d5cde 100644 --- a/include/linux/netfilter/xt_mark.h +++ b/include/uapi/linux/netfilter/xt_mark.h diff --git a/include/linux/netfilter/xt_multiport.h b/include/uapi/linux/netfilter/xt_multiport.h index 5b7e72dfffc5..5b7e72dfffc5 100644 --- a/include/linux/netfilter/xt_multiport.h +++ b/include/uapi/linux/netfilter/xt_multiport.h diff --git a/include/linux/netfilter/xt_nfacct.h b/include/uapi/linux/netfilter/xt_nfacct.h index 3e19c8a86576..3e19c8a86576 100644 --- a/include/linux/netfilter/xt_nfacct.h +++ b/include/uapi/linux/netfilter/xt_nfacct.h diff --git a/include/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h index 18afa495f973..18afa495f973 100644 --- a/include/linux/netfilter/xt_osf.h +++ b/include/uapi/linux/netfilter/xt_osf.h diff --git a/include/linux/netfilter/xt_owner.h b/include/uapi/linux/netfilter/xt_owner.h index 2081761714b5..2081761714b5 100644 --- a/include/linux/netfilter/xt_owner.h +++ b/include/uapi/linux/netfilter/xt_owner.h diff --git a/include/uapi/linux/netfilter/xt_physdev.h b/include/uapi/linux/netfilter/xt_physdev.h new file mode 100644 index 000000000000..db7a2982e9c0 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_physdev.h @@ -0,0 +1,23 @@ +#ifndef _UAPI_XT_PHYSDEV_H +#define _UAPI_XT_PHYSDEV_H + +#include <linux/types.h> + + +#define XT_PHYSDEV_OP_IN 0x01 +#define XT_PHYSDEV_OP_OUT 0x02 +#define XT_PHYSDEV_OP_BRIDGED 0x04 +#define XT_PHYSDEV_OP_ISIN 0x08 +#define XT_PHYSDEV_OP_ISOUT 0x10 +#define XT_PHYSDEV_OP_MASK (0x20 - 1) + +struct xt_physdev_info { + char physindev[IFNAMSIZ]; + char in_mask[IFNAMSIZ]; + char physoutdev[IFNAMSIZ]; + char out_mask[IFNAMSIZ]; + __u8 invert; + __u8 bitmask; +}; + +#endif /* _UAPI_XT_PHYSDEV_H */ diff --git a/include/linux/netfilter/xt_pkttype.h b/include/uapi/linux/netfilter/xt_pkttype.h index f265cf52faea..f265cf52faea 100644 --- a/include/linux/netfilter/xt_pkttype.h +++ b/include/uapi/linux/netfilter/xt_pkttype.h diff --git a/include/linux/netfilter/xt_policy.h b/include/uapi/linux/netfilter/xt_policy.h index be8ead05c316..be8ead05c316 100644 --- a/include/linux/netfilter/xt_policy.h +++ b/include/uapi/linux/netfilter/xt_policy.h diff --git a/include/linux/netfilter/xt_quota.h b/include/uapi/linux/netfilter/xt_quota.h index 9314723f39ca..9314723f39ca 100644 --- a/include/linux/netfilter/xt_quota.h +++ b/include/uapi/linux/netfilter/xt_quota.h diff --git a/include/linux/netfilter/xt_rateest.h b/include/uapi/linux/netfilter/xt_rateest.h index d40a6196842a..d40a6196842a 100644 --- a/include/linux/netfilter/xt_rateest.h +++ b/include/uapi/linux/netfilter/xt_rateest.h diff --git a/include/linux/netfilter/xt_realm.h b/include/uapi/linux/netfilter/xt_realm.h index d4a82ee56a02..d4a82ee56a02 100644 --- a/include/linux/netfilter/xt_realm.h +++ b/include/uapi/linux/netfilter/xt_realm.h diff --git a/include/linux/netfilter/xt_recent.h b/include/uapi/linux/netfilter/xt_recent.h index 6ef36c113e89..6ef36c113e89 100644 --- a/include/linux/netfilter/xt_recent.h +++ b/include/uapi/linux/netfilter/xt_recent.h diff --git a/include/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h index 29287be696a2..29287be696a2 100644 --- a/include/linux/netfilter/xt_sctp.h +++ b/include/uapi/linux/netfilter/xt_sctp.h diff --git a/include/linux/netfilter/xt_set.h b/include/uapi/linux/netfilter/xt_set.h index e3a9978f259f..e3a9978f259f 100644 --- a/include/linux/netfilter/xt_set.h +++ b/include/uapi/linux/netfilter/xt_set.h diff --git a/include/linux/netfilter/xt_socket.h b/include/uapi/linux/netfilter/xt_socket.h index 26d7217bd4f1..26d7217bd4f1 100644 --- a/include/linux/netfilter/xt_socket.h +++ b/include/uapi/linux/netfilter/xt_socket.h diff --git a/include/linux/netfilter/xt_state.h b/include/uapi/linux/netfilter/xt_state.h index 7b32de886613..7b32de886613 100644 --- a/include/linux/netfilter/xt_state.h +++ b/include/uapi/linux/netfilter/xt_state.h diff --git a/include/linux/netfilter/xt_statistic.h b/include/uapi/linux/netfilter/xt_statistic.h index 4e983ef0c968..4e983ef0c968 100644 --- a/include/linux/netfilter/xt_statistic.h +++ b/include/uapi/linux/netfilter/xt_statistic.h diff --git a/include/linux/netfilter/xt_string.h b/include/uapi/linux/netfilter/xt_string.h index 235347c02eab..235347c02eab 100644 --- a/include/linux/netfilter/xt_string.h +++ b/include/uapi/linux/netfilter/xt_string.h diff --git a/include/linux/netfilter/xt_tcpmss.h b/include/uapi/linux/netfilter/xt_tcpmss.h index fbac56b9e667..fbac56b9e667 100644 --- a/include/linux/netfilter/xt_tcpmss.h +++ b/include/uapi/linux/netfilter/xt_tcpmss.h diff --git a/include/linux/netfilter/xt_tcpudp.h b/include/uapi/linux/netfilter/xt_tcpudp.h index 38aa7b399021..38aa7b399021 100644 --- a/include/linux/netfilter/xt_tcpudp.h +++ b/include/uapi/linux/netfilter/xt_tcpudp.h diff --git a/include/linux/netfilter/xt_time.h b/include/uapi/linux/netfilter/xt_time.h index 095886019396..095886019396 100644 --- a/include/linux/netfilter/xt_time.h +++ b/include/uapi/linux/netfilter/xt_time.h diff --git a/include/linux/netfilter/xt_u32.h b/include/uapi/linux/netfilter/xt_u32.h index 04d1bfea03c2..04d1bfea03c2 100644 --- a/include/linux/netfilter/xt_u32.h +++ b/include/uapi/linux/netfilter/xt_u32.h |