-77

include/linux/netfilter/Kbuild

reviewed

··· 1 1 header-y += ipset/ 2 2 - 3 3 - header-y += nf_conntrack_common.h 4 4 - header-y += nf_conntrack_ftp.h 5 5 - header-y += nf_conntrack_sctp.h 6 6 - header-y += nf_conntrack_tcp.h 7 7 - header-y += nf_conntrack_tuple_common.h 8 8 - header-y += nf_nat.h 9 9 - header-y += nfnetlink.h 10 10 - header-y += nfnetlink_acct.h 11 11 - header-y += nfnetlink_compat.h 12 12 - header-y += nfnetlink_conntrack.h 13 13 - header-y += nfnetlink_cthelper.h 14 14 - header-y += nfnetlink_cttimeout.h 15 15 - header-y += nfnetlink_log.h 16 16 - header-y += nfnetlink_queue.h 17 17 - header-y += x_tables.h 18 18 - header-y += xt_AUDIT.h 19 19 - header-y += xt_CHECKSUM.h 20 20 - header-y += xt_CLASSIFY.h 21 21 - header-y += xt_CONNMARK.h 22 22 - header-y += xt_CONNSECMARK.h 23 23 - header-y += xt_CT.h 24 24 - header-y += xt_DSCP.h 25 25 - header-y += xt_IDLETIMER.h 26 26 - header-y += xt_LED.h 27 27 - header-y += xt_LOG.h 28 28 - header-y += xt_MARK.h 29 29 - header-y += xt_nfacct.h 30 30 - header-y += xt_NFLOG.h 31 31 - header-y += xt_NFQUEUE.h 32 32 - header-y += xt_RATEEST.h 33 33 - header-y += xt_SECMARK.h 34 34 - header-y += xt_TCPMSS.h 35 35 - header-y += xt_TCPOPTSTRIP.h 36 36 - header-y += xt_TEE.h 37 37 - header-y += xt_TPROXY.h 38 38 - header-y += xt_addrtype.h 39 39 - header-y += xt_cluster.h 40 40 - header-y += xt_comment.h 41 41 - header-y += xt_connbytes.h 42 42 - header-y += xt_connlimit.h 43 43 - header-y += xt_connmark.h 44 44 - header-y += xt_conntrack.h 45 45 - header-y += xt_cpu.h 46 46 - header-y += xt_dccp.h 47 47 - header-y += xt_devgroup.h 48 48 - header-y += xt_dscp.h 49 49 - header-y += xt_ecn.h 50 50 - header-y += xt_esp.h 51 51 - header-y += xt_hashlimit.h 52 52 - header-y += xt_helper.h 53 53 - header-y += xt_iprange.h 54 54 - header-y += xt_ipvs.h 55 55 - header-y += xt_length.h 56 56 - header-y += xt_limit.h 57 57 - header-y += xt_mac.h 58 58 - header-y += xt_mark.h 59 59 - header-y += xt_multiport.h 60 60 - header-y += xt_osf.h 61 61 - header-y += xt_owner.h 62 62 - header-y += xt_physdev.h 63 63 - header-y += xt_pkttype.h 64 64 - header-y += xt_policy.h 65 65 - header-y += xt_quota.h 66 66 - header-y += xt_rateest.h 67 67 - header-y += xt_realm.h 68 68 - header-y += xt_recent.h 69 69 - header-y += xt_set.h 70 70 - header-y += xt_sctp.h 71 71 - header-y += xt_socket.h 72 72 - header-y += xt_state.h 73 73 - header-y += xt_statistic.h 74 74 - header-y += xt_string.h 75 75 - header-y += xt_tcpmss.h 76 76 - header-y += xt_tcpudp.h 77 77 - header-y += xt_time.h 78 78 - header-y += xt_u32.h

+1 -114

include/linux/netfilter/nf_conntrack_common.h

reviewed

··· 1 1 #ifndef _NF_CONNTRACK_COMMON_H 2 2 #define _NF_CONNTRACK_COMMON_H 3 3 - /* Connection state tracking for netfilter. This is separated from, 4 4 - but required by, the NAT layer; it can also be used by an iptables 5 5 - extension. */ 6 6 - enum ip_conntrack_info { 7 7 - /* Part of an established connection (either direction). */ 8 8 - IP_CT_ESTABLISHED, 9 3 10 10 - /* Like NEW, but related to an existing connection, or ICMP error 11 11 - (in either direction). */ 12 12 - IP_CT_RELATED, 4 4 + #include <uapi/linux/netfilter/nf_conntrack_common.h> 13 5 14 14 - /* Started a new connection to track (only 15 15 - IP_CT_DIR_ORIGINAL); may be a retransmission. */ 16 16 - IP_CT_NEW, 17 17 - 18 18 - /* >= this indicates reply direction */ 19 19 - IP_CT_IS_REPLY, 20 20 - 21 21 - IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY, 22 22 - IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY, 23 23 - IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY, 24 24 - /* Number of distinct IP_CT types (no NEW in reply dirn). */ 25 25 - IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 26 26 - }; 27 27 - 28 28 - /* Bitset representing status of connection. */ 29 29 - enum ip_conntrack_status { 30 30 - /* It's an expected connection: bit 0 set. This bit never changed */ 31 31 - IPS_EXPECTED_BIT = 0, 32 32 - IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), 33 33 - 34 34 - /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ 35 35 - IPS_SEEN_REPLY_BIT = 1, 36 36 - IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), 37 37 - 38 38 - /* Conntrack should never be early-expired. */ 39 39 - IPS_ASSURED_BIT = 2, 40 40 - IPS_ASSURED = (1 << IPS_ASSURED_BIT), 41 41 - 42 42 - /* Connection is confirmed: originating packet has left box */ 43 43 - IPS_CONFIRMED_BIT = 3, 44 44 - IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), 45 45 - 46 46 - /* Connection needs src nat in orig dir. This bit never changed. */ 47 47 - IPS_SRC_NAT_BIT = 4, 48 48 - IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), 49 49 - 50 50 - /* Connection needs dst nat in orig dir. This bit never changed. */ 51 51 - IPS_DST_NAT_BIT = 5, 52 52 - IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), 53 53 - 54 54 - /* Both together. */ 55 55 - IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), 56 56 - 57 57 - /* Connection needs TCP sequence adjusted. */ 58 58 - IPS_SEQ_ADJUST_BIT = 6, 59 59 - IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), 60 60 - 61 61 - /* NAT initialization bits. */ 62 62 - IPS_SRC_NAT_DONE_BIT = 7, 63 63 - IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), 64 64 - 65 65 - IPS_DST_NAT_DONE_BIT = 8, 66 66 - IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), 67 67 - 68 68 - /* Both together */ 69 69 - IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), 70 70 - 71 71 - /* Connection is dying (removed from lists), can not be unset. */ 72 72 - IPS_DYING_BIT = 9, 73 73 - IPS_DYING = (1 << IPS_DYING_BIT), 74 74 - 75 75 - /* Connection has fixed timeout. */ 76 76 - IPS_FIXED_TIMEOUT_BIT = 10, 77 77 - IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), 78 78 - 79 79 - /* Conntrack is a template */ 80 80 - IPS_TEMPLATE_BIT = 11, 81 81 - IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT), 82 82 - 83 83 - /* Conntrack is a fake untracked entry */ 84 84 - IPS_UNTRACKED_BIT = 12, 85 85 - IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT), 86 86 - 87 87 - /* Conntrack got a helper explicitly attached via CT target. */ 88 88 - IPS_HELPER_BIT = 13, 89 89 - IPS_HELPER = (1 << IPS_HELPER_BIT), 90 90 - }; 91 91 - 92 92 - /* Connection tracking event types */ 93 93 - enum ip_conntrack_events { 94 94 - IPCT_NEW, /* new conntrack */ 95 95 - IPCT_RELATED, /* related conntrack */ 96 96 - IPCT_DESTROY, /* destroyed conntrack */ 97 97 - IPCT_REPLY, /* connection has seen two-way traffic */ 98 98 - IPCT_ASSURED, /* connection status has changed to assured */ 99 99 - IPCT_PROTOINFO, /* protocol information has changed */ 100 100 - IPCT_HELPER, /* new helper has been set */ 101 101 - IPCT_MARK, /* new mark has been set */ 102 102 - IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ 103 103 - IPCT_SECMARK, /* new security mark has been set */ 104 104 - }; 105 105 - 106 106 - enum ip_conntrack_expect_events { 107 107 - IPEXP_NEW, /* new expectation */ 108 108 - IPEXP_DESTROY, /* destroyed expectation */ 109 109 - }; 110 110 - 111 111 - /* expectation flags */ 112 112 - #define NF_CT_EXPECT_PERMANENT 0x1 113 113 - #define NF_CT_EXPECT_INACTIVE 0x2 114 114 - #define NF_CT_EXPECT_USERSPACE 0x4 115 115 - 116 116 - #ifdef __KERNEL__ 117 6 struct ip_conntrack_stat { 118 7 unsigned int searched; 119 8 unsigned int found; ··· 24 135 25 136 /* call to create an explicit dependency on nf_conntrack. */ 26 137 extern void need_conntrack(void); 27 27 - 28 28 - #endif /* __KERNEL__ */ 29 138 30 139 #endif /* _NF_CONNTRACK_COMMON_H */

+1 -15

include/linux/netfilter/nf_conntrack_ftp.h

reviewed

··· 1 1 #ifndef _NF_CONNTRACK_FTP_H 2 2 #define _NF_CONNTRACK_FTP_H 3 3 - /* FTP tracking. */ 4 3 5 5 - /* This enum is exposed to userspace */ 6 6 - enum nf_ct_ftp_type { 7 7 - /* PORT command from client */ 8 8 - NF_CT_FTP_PORT, 9 9 - /* PASV response from server */ 10 10 - NF_CT_FTP_PASV, 11 11 - /* EPRT command from client */ 12 12 - NF_CT_FTP_EPRT, 13 13 - /* EPSV response from server */ 14 14 - NF_CT_FTP_EPSV, 15 15 - }; 4 4 + #include <uapi/linux/netfilter/nf_conntrack_ftp.h> 16 5 17 17 - #ifdef __KERNEL__ 18 6 19 7 #define FTP_PORT 21 20 8 ··· 30 42 unsigned int matchoff, 31 43 unsigned int matchlen, 32 44 struct nf_conntrack_expect *exp); 33 33 - #endif /* __KERNEL__ */ 34 34 - 35 45 #endif /* _NF_CONNTRACK_FTP_H */

include/linux/netfilter/nf_conntrack_sctp.h include/uapi/linux/netfilter/nf_conntrack_sctp.h

reviewed

+1 -48

include/linux/netfilter/nf_conntrack_tcp.h

reviewed

··· 1 1 #ifndef _NF_CONNTRACK_TCP_H 2 2 #define _NF_CONNTRACK_TCP_H 3 3 - /* TCP tracking. */ 4 3 5 5 - #include <linux/types.h> 4 4 + #include <uapi/linux/netfilter/nf_conntrack_tcp.h> 6 5 7 7 - /* This is exposed to userspace (ctnetlink) */ 8 8 - enum tcp_conntrack { 9 9 - TCP_CONNTRACK_NONE, 10 10 - TCP_CONNTRACK_SYN_SENT, 11 11 - TCP_CONNTRACK_SYN_RECV, 12 12 - TCP_CONNTRACK_ESTABLISHED, 13 13 - TCP_CONNTRACK_FIN_WAIT, 14 14 - TCP_CONNTRACK_CLOSE_WAIT, 15 15 - TCP_CONNTRACK_LAST_ACK, 16 16 - TCP_CONNTRACK_TIME_WAIT, 17 17 - TCP_CONNTRACK_CLOSE, 18 18 - TCP_CONNTRACK_LISTEN, /* obsolete */ 19 19 - #define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN 20 20 - TCP_CONNTRACK_MAX, 21 21 - TCP_CONNTRACK_IGNORE, 22 22 - TCP_CONNTRACK_RETRANS, 23 23 - TCP_CONNTRACK_UNACK, 24 24 - TCP_CONNTRACK_TIMEOUT_MAX 25 25 - }; 26 26 - 27 27 - /* Window scaling is advertised by the sender */ 28 28 - #define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01 29 29 - 30 30 - /* SACK is permitted by the sender */ 31 31 - #define IP_CT_TCP_FLAG_SACK_PERM 0x02 32 32 - 33 33 - /* This sender sent FIN first */ 34 34 - #define IP_CT_TCP_FLAG_CLOSE_INIT 0x04 35 35 - 36 36 - /* Be liberal in window checking */ 37 37 - #define IP_CT_TCP_FLAG_BE_LIBERAL 0x08 38 38 - 39 39 - /* Has unacknowledged data */ 40 40 - #define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10 41 41 - 42 42 - /* The field td_maxack has been set */ 43 43 - #define IP_CT_TCP_FLAG_MAXACK_SET 0x20 44 44 - 45 45 - struct nf_ct_tcp_flags { 46 46 - __u8 flags; 47 47 - __u8 mask; 48 48 - }; 49 49 - 50 50 - #ifdef __KERNEL__ 51 6 52 7 struct ip_ct_tcp_state { 53 8 u_int32_t td_end; /* max of seq + len */ ··· 28 73 u_int8_t last_wscale; /* Last window scaling factor seen */ 29 74 u_int8_t last_flags; /* Last flags set */ 30 75 }; 31 31 - 32 32 - #endif /* __KERNEL__ */ 33 76 34 77 #endif /* _NF_CONNTRACK_TCP_H */

include/linux/netfilter/nf_conntrack_tuple_common.h include/uapi/linux/netfilter/nf_conntrack_tuple_common.h

reviewed

include/linux/netfilter/nf_nat.h include/uapi/linux/netfilter/nf_nat.h

reviewed

+1 -54

include/linux/netfilter/nfnetlink.h

reviewed

··· 1 1 #ifndef _NFNETLINK_H 2 2 #define _NFNETLINK_H 3 3 - #include <linux/types.h> 4 4 - #include <linux/netfilter/nfnetlink_compat.h> 5 3 6 6 - enum nfnetlink_groups { 7 7 - NFNLGRP_NONE, 8 8 - #define NFNLGRP_NONE NFNLGRP_NONE 9 9 - NFNLGRP_CONNTRACK_NEW, 10 10 - #define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW 11 11 - NFNLGRP_CONNTRACK_UPDATE, 12 12 - #define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE 13 13 - NFNLGRP_CONNTRACK_DESTROY, 14 14 - #define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY 15 15 - NFNLGRP_CONNTRACK_EXP_NEW, 16 16 - #define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW 17 17 - NFNLGRP_CONNTRACK_EXP_UPDATE, 18 18 - #define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE 19 19 - NFNLGRP_CONNTRACK_EXP_DESTROY, 20 20 - #define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY 21 21 - __NFNLGRP_MAX, 22 22 - }; 23 23 - #define NFNLGRP_MAX (__NFNLGRP_MAX - 1) 24 24 - 25 25 - /* General form of address family dependent message. 26 26 - */ 27 27 - struct nfgenmsg { 28 28 - __u8 nfgen_family; /* AF_xxx */ 29 29 - __u8 version; /* nfnetlink version */ 30 30 - __be16 res_id; /* resource id */ 31 31 - }; 32 32 - 33 33 - #define NFNETLINK_V0 0 34 34 - 35 35 - /* netfilter netlink message types are split in two pieces: 36 36 - * 8 bit subsystem, 8bit operation. 37 37 - */ 38 38 - 39 39 - #define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8) 40 40 - #define NFNL_MSG_TYPE(x) (x & 0x00ff) 41 41 - 42 42 - /* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS() 43 43 - * won't work anymore */ 44 44 - #define NFNL_SUBSYS_NONE 0 45 45 - #define NFNL_SUBSYS_CTNETLINK 1 46 46 - #define NFNL_SUBSYS_CTNETLINK_EXP 2 47 47 - #define NFNL_SUBSYS_QUEUE 3 48 48 - #define NFNL_SUBSYS_ULOG 4 49 49 - #define NFNL_SUBSYS_OSF 5 50 50 - #define NFNL_SUBSYS_IPSET 6 51 51 - #define NFNL_SUBSYS_ACCT 7 52 52 - #define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8 53 53 - #define NFNL_SUBSYS_CTHELPER 9 54 54 - #define NFNL_SUBSYS_COUNT 10 55 55 - 56 56 - #ifdef __KERNEL__ 57 4 58 5 #include <linux/netlink.h> 59 6 #include <linux/capability.h> 60 7 #include <net/netlink.h> 8 8 + #include <uapi/linux/netfilter/nfnetlink.h> 61 9 62 10 struct nfnl_callback { 63 11 int (*call)(struct sock *nl, struct sk_buff *skb, ··· 40 92 #define MODULE_ALIAS_NFNL_SUBSYS(subsys) \ 41 93 MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys)) 42 94 43 43 - #endif /* __KERNEL__ */ 44 95 #endif /* _NFNETLINK_H */

+1 -24

include/linux/netfilter/nfnetlink_acct.h

reviewed

··· 1 1 #ifndef _NFNL_ACCT_H_ 2 2 #define _NFNL_ACCT_H_ 3 3 4 4 - #ifndef NFACCT_NAME_MAX 5 5 - #define NFACCT_NAME_MAX 32 6 6 - #endif 4 4 + #include <uapi/linux/netfilter/nfnetlink_acct.h> 7 5 8 8 - enum nfnl_acct_msg_types { 9 9 - NFNL_MSG_ACCT_NEW, 10 10 - NFNL_MSG_ACCT_GET, 11 11 - NFNL_MSG_ACCT_GET_CTRZERO, 12 12 - NFNL_MSG_ACCT_DEL, 13 13 - NFNL_MSG_ACCT_MAX 14 14 - }; 15 15 - 16 16 - enum nfnl_acct_type { 17 17 - NFACCT_UNSPEC, 18 18 - NFACCT_NAME, 19 19 - NFACCT_PKTS, 20 20 - NFACCT_BYTES, 21 21 - NFACCT_USE, 22 22 - __NFACCT_MAX 23 23 - }; 24 24 - #define NFACCT_MAX (__NFACCT_MAX - 1) 25 25 - 26 26 - #ifdef __KERNEL__ 27 6 28 7 struct nf_acct; 29 8 30 9 extern struct nf_acct *nfnl_acct_find_get(const char *filter_name); 31 10 extern void nfnl_acct_put(struct nf_acct *acct); 32 11 extern void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct); 33 33 - 34 34 - #endif /* __KERNEL__ */ 35 12 36 13 #endif /* _NFNL_ACCT_H */

include/linux/netfilter/nfnetlink_compat.h include/uapi/linux/netfilter/nfnetlink_compat.h

reviewed

include/linux/netfilter/nfnetlink_conntrack.h include/uapi/linux/netfilter/nfnetlink_conntrack.h

reviewed

include/linux/netfilter/nfnetlink_cthelper.h include/uapi/linux/netfilter/nfnetlink_cthelper.h

reviewed

include/linux/netfilter/nfnetlink_cttimeout.h include/uapi/linux/netfilter/nfnetlink_cttimeout.h

reviewed

include/linux/netfilter/nfnetlink_log.h include/uapi/linux/netfilter/nfnetlink_log.h

reviewed

include/linux/netfilter/nfnetlink_queue.h include/uapi/linux/netfilter/nfnetlink_queue.h

reviewed

+1 -185

include/linux/netfilter/x_tables.h

reviewed

··· 1 1 #ifndef _X_TABLES_H 2 2 #define _X_TABLES_H 3 3 - #include <linux/kernel.h> 4 4 - #include <linux/types.h> 5 3 6 6 - #define XT_FUNCTION_MAXNAMELEN 30 7 7 - #define XT_EXTENSION_MAXNAMELEN 29 8 8 - #define XT_TABLE_MAXNAMELEN 32 9 9 - 10 10 - struct xt_entry_match { 11 11 - union { 12 12 - struct { 13 13 - __u16 match_size; 14 14 - 15 15 - /* Used by userspace */ 16 16 - char name[XT_EXTENSION_MAXNAMELEN]; 17 17 - __u8 revision; 18 18 - } user; 19 19 - struct { 20 20 - __u16 match_size; 21 21 - 22 22 - /* Used inside the kernel */ 23 23 - struct xt_match *match; 24 24 - } kernel; 25 25 - 26 26 - /* Total length */ 27 27 - __u16 match_size; 28 28 - } u; 29 29 - 30 30 - unsigned char data[0]; 31 31 - }; 32 32 - 33 33 - struct xt_entry_target { 34 34 - union { 35 35 - struct { 36 36 - __u16 target_size; 37 37 - 38 38 - /* Used by userspace */ 39 39 - char name[XT_EXTENSION_MAXNAMELEN]; 40 40 - __u8 revision; 41 41 - } user; 42 42 - struct { 43 43 - __u16 target_size; 44 44 - 45 45 - /* Used inside the kernel */ 46 46 - struct xt_target *target; 47 47 - } kernel; 48 48 - 49 49 - /* Total length */ 50 50 - __u16 target_size; 51 51 - } u; 52 52 - 53 53 - unsigned char data[0]; 54 54 - }; 55 55 - 56 56 - #define XT_TARGET_INIT(__name, __size) \ 57 57 - { \ 58 58 - .target.u.user = { \ 59 59 - .target_size = XT_ALIGN(__size), \ 60 60 - .name = __name, \ 61 61 - }, \ 62 62 - } 63 63 - 64 64 - struct xt_standard_target { 65 65 - struct xt_entry_target target; 66 66 - int verdict; 67 67 - }; 68 68 - 69 69 - struct xt_error_target { 70 70 - struct xt_entry_target target; 71 71 - char errorname[XT_FUNCTION_MAXNAMELEN]; 72 72 - }; 73 73 - 74 74 - /* The argument to IPT_SO_GET_REVISION_*. Returns highest revision 75 75 - * kernel supports, if >= revision. */ 76 76 - struct xt_get_revision { 77 77 - char name[XT_EXTENSION_MAXNAMELEN]; 78 78 - __u8 revision; 79 79 - }; 80 80 - 81 81 - /* CONTINUE verdict for targets */ 82 82 - #define XT_CONTINUE 0xFFFFFFFF 83 83 - 84 84 - /* For standard target */ 85 85 - #define XT_RETURN (-NF_REPEAT - 1) 86 86 - 87 87 - /* this is a dummy structure to find out the alignment requirement for a struct 88 88 - * containing all the fundamental data types that are used in ipt_entry, 89 89 - * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my 90 90 - * personal pleasure to remove it -HW 91 91 - */ 92 92 - struct _xt_align { 93 93 - __u8 u8; 94 94 - __u16 u16; 95 95 - __u32 u32; 96 96 - __u64 u64; 97 97 - }; 98 98 - 99 99 - #define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) 100 100 - 101 101 - /* Standard return verdict, or do jump. */ 102 102 - #define XT_STANDARD_TARGET "" 103 103 - /* Error verdict. */ 104 104 - #define XT_ERROR_TARGET "ERROR" 105 105 - 106 106 - #define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) 107 107 - #define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) 108 108 - 109 109 - struct xt_counters { 110 110 - __u64 pcnt, bcnt; /* Packet and byte counters */ 111 111 - }; 112 112 - 113 113 - /* The argument to IPT_SO_ADD_COUNTERS. */ 114 114 - struct xt_counters_info { 115 115 - /* Which table. */ 116 116 - char name[XT_TABLE_MAXNAMELEN]; 117 117 - 118 118 - unsigned int num_counters; 119 119 - 120 120 - /* The counters (actually `number' of these). */ 121 121 - struct xt_counters counters[0]; 122 122 - }; 123 123 - 124 124 - #define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ 125 125 - 126 126 - #ifndef __KERNEL__ 127 127 - /* fn returns 0 to continue iteration */ 128 128 - #define XT_MATCH_ITERATE(type, e, fn, args...) \ 129 129 - ({ \ 130 130 - unsigned int __i; \ 131 131 - int __ret = 0; \ 132 132 - struct xt_entry_match *__m; \ 133 133 - \ 134 134 - for (__i = sizeof(type); \ 135 135 - __i < (e)->target_offset; \ 136 136 - __i += __m->u.match_size) { \ 137 137 - __m = (void *)e + __i; \ 138 138 - \ 139 139 - __ret = fn(__m , ## args); \ 140 140 - if (__ret != 0) \ 141 141 - break; \ 142 142 - } \ 143 143 - __ret; \ 144 144 - }) 145 145 - 146 146 - /* fn returns 0 to continue iteration */ 147 147 - #define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ 148 148 - ({ \ 149 149 - unsigned int __i, __n; \ 150 150 - int __ret = 0; \ 151 151 - type *__entry; \ 152 152 - \ 153 153 - for (__i = 0, __n = 0; __i < (size); \ 154 154 - __i += __entry->next_offset, __n++) { \ 155 155 - __entry = (void *)(entries) + __i; \ 156 156 - if (__n < n) \ 157 157 - continue; \ 158 158 - \ 159 159 - __ret = fn(__entry , ## args); \ 160 160 - if (__ret != 0) \ 161 161 - break; \ 162 162 - } \ 163 163 - __ret; \ 164 164 - }) 165 165 - 166 166 - /* fn returns 0 to continue iteration */ 167 167 - #define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ 168 168 - XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) 169 169 - 170 170 - #endif /* !__KERNEL__ */ 171 171 - 172 172 - /* pos is normally a struct ipt_entry/ip6t_entry/etc. */ 173 173 - #define xt_entry_foreach(pos, ehead, esize) \ 174 174 - for ((pos) = (typeof(pos))(ehead); \ 175 175 - (pos) < (typeof(pos))((char *)(ehead) + (esize)); \ 176 176 - (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset)) 177 177 - 178 178 - /* can only be xt_entry_match, so no use of typeof here */ 179 179 - #define xt_ematch_foreach(pos, entry) \ 180 180 - for ((pos) = (struct xt_entry_match *)entry->elems; \ 181 181 - (pos) < (struct xt_entry_match *)((char *)(entry) + \ 182 182 - (entry)->target_offset); \ 183 183 - (pos) = (struct xt_entry_match *)((char *)(pos) + \ 184 184 - (pos)->u.match_size)) 185 185 - 186 186 - #ifdef __KERNEL__ 187 4 188 5 #include <linux/netdevice.h> 6 6 + #include <uapi/linux/netfilter/x_tables.h> 189 7 190 8 /** 191 9 * struct xt_action_param - parameters for matches/targets ··· 435 617 void __user **dstptr, unsigned int *size); 436 618 437 619 #endif /* CONFIG_COMPAT */ 438 438 - #endif /* __KERNEL__ */ 439 439 - 440 620 #endif /* _X_TABLES_H */

include/linux/netfilter/xt_AUDIT.h include/uapi/linux/netfilter/xt_AUDIT.h

reviewed

include/linux/netfilter/xt_CHECKSUM.h include/uapi/linux/netfilter/xt_CHECKSUM.h

reviewed

include/linux/netfilter/xt_CLASSIFY.h include/uapi/linux/netfilter/xt_CLASSIFY.h

reviewed

include/linux/netfilter/xt_CONNMARK.h include/uapi/linux/netfilter/xt_CONNMARK.h

reviewed

include/linux/netfilter/xt_CONNSECMARK.h include/uapi/linux/netfilter/xt_CONNSECMARK.h

reviewed

include/linux/netfilter/xt_CT.h include/uapi/linux/netfilter/xt_CT.h

reviewed

include/linux/netfilter/xt_DSCP.h include/uapi/linux/netfilter/xt_DSCP.h

reviewed

include/linux/netfilter/xt_IDLETIMER.h include/uapi/linux/netfilter/xt_IDLETIMER.h

reviewed

include/linux/netfilter/xt_LED.h include/uapi/linux/netfilter/xt_LED.h

reviewed

include/linux/netfilter/xt_LOG.h include/uapi/linux/netfilter/xt_LOG.h

reviewed

include/linux/netfilter/xt_MARK.h include/uapi/linux/netfilter/xt_MARK.h

reviewed

include/linux/netfilter/xt_NFLOG.h include/uapi/linux/netfilter/xt_NFLOG.h

reviewed

include/linux/netfilter/xt_NFQUEUE.h include/uapi/linux/netfilter/xt_NFQUEUE.h

reviewed

include/linux/netfilter/xt_RATEEST.h include/uapi/linux/netfilter/xt_RATEEST.h

reviewed

include/linux/netfilter/xt_SECMARK.h include/uapi/linux/netfilter/xt_SECMARK.h

reviewed

include/linux/netfilter/xt_TCPMSS.h include/uapi/linux/netfilter/xt_TCPMSS.h

reviewed

include/linux/netfilter/xt_TCPOPTSTRIP.h include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h

reviewed

include/linux/netfilter/xt_TEE.h include/uapi/linux/netfilter/xt_TEE.h

reviewed

include/linux/netfilter/xt_TPROXY.h include/uapi/linux/netfilter/xt_TPROXY.h

reviewed

include/linux/netfilter/xt_addrtype.h include/uapi/linux/netfilter/xt_addrtype.h

reviewed

include/linux/netfilter/xt_cluster.h include/uapi/linux/netfilter/xt_cluster.h

reviewed

include/linux/netfilter/xt_comment.h include/uapi/linux/netfilter/xt_comment.h

reviewed

include/linux/netfilter/xt_connbytes.h include/uapi/linux/netfilter/xt_connbytes.h

reviewed

include/linux/netfilter/xt_connlimit.h include/uapi/linux/netfilter/xt_connlimit.h

reviewed

include/linux/netfilter/xt_connmark.h include/uapi/linux/netfilter/xt_connmark.h

reviewed

include/linux/netfilter/xt_conntrack.h include/uapi/linux/netfilter/xt_conntrack.h

reviewed

include/linux/netfilter/xt_cpu.h include/uapi/linux/netfilter/xt_cpu.h

reviewed

include/linux/netfilter/xt_dccp.h include/uapi/linux/netfilter/xt_dccp.h

reviewed

include/linux/netfilter/xt_devgroup.h include/uapi/linux/netfilter/xt_devgroup.h

reviewed

include/linux/netfilter/xt_dscp.h include/uapi/linux/netfilter/xt_dscp.h

reviewed

include/linux/netfilter/xt_ecn.h include/uapi/linux/netfilter/xt_ecn.h

reviewed

include/linux/netfilter/xt_esp.h include/uapi/linux/netfilter/xt_esp.h

reviewed

+1 -70

include/linux/netfilter/xt_hashlimit.h

reviewed

··· 1 1 #ifndef _XT_HASHLIMIT_H 2 2 #define _XT_HASHLIMIT_H 3 3 4 4 - #include <linux/types.h> 4 4 + #include <uapi/linux/netfilter/xt_hashlimit.h> 5 5 6 6 - /* timings are in milliseconds. */ 7 7 - #define XT_HASHLIMIT_SCALE 10000 8 8 - /* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 9 9 - * seconds, or one packet every 59 hours. 10 10 - */ 11 11 - 12 12 - /* packet length accounting is done in 16-byte steps */ 13 13 - #define XT_HASHLIMIT_BYTE_SHIFT 4 14 14 - 15 15 - /* details of this structure hidden by the implementation */ 16 16 - struct xt_hashlimit_htable; 17 17 - 18 18 - enum { 19 19 - XT_HASHLIMIT_HASH_DIP = 1 << 0, 20 20 - XT_HASHLIMIT_HASH_DPT = 1 << 1, 21 21 - XT_HASHLIMIT_HASH_SIP = 1 << 2, 22 22 - XT_HASHLIMIT_HASH_SPT = 1 << 3, 23 23 - XT_HASHLIMIT_INVERT = 1 << 4, 24 24 - XT_HASHLIMIT_BYTES = 1 << 5, 25 25 - }; 26 26 - #ifdef __KERNEL__ 27 6 #define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \ 28 7 XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \ 29 8 XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES) 30 30 - #endif 31 31 - 32 32 - struct hashlimit_cfg { 33 33 - __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ 34 34 - __u32 avg; /* Average secs between packets * scale */ 35 35 - __u32 burst; /* Period multiplier for upper limit. */ 36 36 - 37 37 - /* user specified */ 38 38 - __u32 size; /* how many buckets */ 39 39 - __u32 max; /* max number of entries */ 40 40 - __u32 gc_interval; /* gc interval */ 41 41 - __u32 expire; /* when do entries expire? */ 42 42 - }; 43 43 - 44 44 - struct xt_hashlimit_info { 45 45 - char name [IFNAMSIZ]; /* name */ 46 46 - struct hashlimit_cfg cfg; 47 47 - 48 48 - /* Used internally by the kernel */ 49 49 - struct xt_hashlimit_htable *hinfo; 50 50 - union { 51 51 - void *ptr; 52 52 - struct xt_hashlimit_info *master; 53 53 - } u; 54 54 - }; 55 55 - 56 56 - struct hashlimit_cfg1 { 57 57 - __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ 58 58 - __u32 avg; /* Average secs between packets * scale */ 59 59 - __u32 burst; /* Period multiplier for upper limit. */ 60 60 - 61 61 - /* user specified */ 62 62 - __u32 size; /* how many buckets */ 63 63 - __u32 max; /* max number of entries */ 64 64 - __u32 gc_interval; /* gc interval */ 65 65 - __u32 expire; /* when do entries expire? */ 66 66 - 67 67 - __u8 srcmask, dstmask; 68 68 - }; 69 69 - 70 70 - struct xt_hashlimit_mtinfo1 { 71 71 - char name[IFNAMSIZ]; 72 72 - struct hashlimit_cfg1 cfg; 73 73 - 74 74 - /* Used internally by the kernel */ 75 75 - struct xt_hashlimit_htable *hinfo __attribute__((aligned(8))); 76 76 - }; 77 77 - 78 9 #endif /*_XT_HASHLIMIT_H*/

include/linux/netfilter/xt_helper.h include/uapi/linux/netfilter/xt_helper.h

reviewed

include/linux/netfilter/xt_iprange.h include/uapi/linux/netfilter/xt_iprange.h

reviewed

include/linux/netfilter/xt_ipvs.h include/uapi/linux/netfilter/xt_ipvs.h

reviewed

include/linux/netfilter/xt_length.h include/uapi/linux/netfilter/xt_length.h

reviewed

include/linux/netfilter/xt_limit.h include/uapi/linux/netfilter/xt_limit.h

reviewed

include/linux/netfilter/xt_mac.h include/uapi/linux/netfilter/xt_mac.h

reviewed

include/linux/netfilter/xt_mark.h include/uapi/linux/netfilter/xt_mark.h

reviewed

include/linux/netfilter/xt_multiport.h include/uapi/linux/netfilter/xt_multiport.h

reviewed

include/linux/netfilter/xt_nfacct.h include/uapi/linux/netfilter/xt_nfacct.h

reviewed

include/linux/netfilter/xt_osf.h include/uapi/linux/netfilter/xt_osf.h

reviewed

include/linux/netfilter/xt_owner.h include/uapi/linux/netfilter/xt_owner.h

reviewed

+1 -20

include/linux/netfilter/xt_physdev.h

reviewed

··· 1 1 #ifndef _XT_PHYSDEV_H 2 2 #define _XT_PHYSDEV_H 3 3 4 4 - #include <linux/types.h> 5 5 - 6 6 - #ifdef __KERNEL__ 7 4 #include <linux/if.h> 8 8 - #endif 9 9 - 10 10 - #define XT_PHYSDEV_OP_IN 0x01 11 11 - #define XT_PHYSDEV_OP_OUT 0x02 12 12 - #define XT_PHYSDEV_OP_BRIDGED 0x04 13 13 - #define XT_PHYSDEV_OP_ISIN 0x08 14 14 - #define XT_PHYSDEV_OP_ISOUT 0x10 15 15 - #define XT_PHYSDEV_OP_MASK (0x20 - 1) 16 16 - 17 17 - struct xt_physdev_info { 18 18 - char physindev[IFNAMSIZ]; 19 19 - char in_mask[IFNAMSIZ]; 20 20 - char physoutdev[IFNAMSIZ]; 21 21 - char out_mask[IFNAMSIZ]; 22 22 - __u8 invert; 23 23 - __u8 bitmask; 24 24 - }; 5 5 + #include <uapi/linux/netfilter/xt_physdev.h> 25 6 26 7 #endif /*_XT_PHYSDEV_H*/

include/linux/netfilter/xt_pkttype.h include/uapi/linux/netfilter/xt_pkttype.h

reviewed

include/linux/netfilter/xt_policy.h include/uapi/linux/netfilter/xt_policy.h

reviewed

include/linux/netfilter/xt_quota.h include/uapi/linux/netfilter/xt_quota.h

reviewed

include/linux/netfilter/xt_rateest.h include/uapi/linux/netfilter/xt_rateest.h

reviewed

include/linux/netfilter/xt_realm.h include/uapi/linux/netfilter/xt_realm.h

reviewed

include/linux/netfilter/xt_recent.h include/uapi/linux/netfilter/xt_recent.h

reviewed

include/linux/netfilter/xt_sctp.h include/uapi/linux/netfilter/xt_sctp.h

reviewed

include/linux/netfilter/xt_set.h include/uapi/linux/netfilter/xt_set.h

reviewed

include/linux/netfilter/xt_socket.h include/uapi/linux/netfilter/xt_socket.h

reviewed

include/linux/netfilter/xt_state.h include/uapi/linux/netfilter/xt_state.h

reviewed

include/linux/netfilter/xt_statistic.h include/uapi/linux/netfilter/xt_statistic.h

reviewed

include/linux/netfilter/xt_string.h include/uapi/linux/netfilter/xt_string.h

reviewed

include/linux/netfilter/xt_tcpmss.h include/uapi/linux/netfilter/xt_tcpmss.h

reviewed

include/linux/netfilter/xt_tcpudp.h include/uapi/linux/netfilter/xt_tcpudp.h

reviewed

include/linux/netfilter/xt_time.h include/uapi/linux/netfilter/xt_time.h

reviewed

include/linux/netfilter/xt_u32.h include/uapi/linux/netfilter/xt_u32.h

reviewed

+76

include/uapi/linux/netfilter/Kbuild

reviewed

··· 1 1 # UAPI Header export list 2 2 header-y += ipset/ 3 3 + header-y += nf_conntrack_common.h 4 4 + header-y += nf_conntrack_ftp.h 5 5 + header-y += nf_conntrack_sctp.h 6 6 + header-y += nf_conntrack_tcp.h 7 7 + header-y += nf_conntrack_tuple_common.h 8 8 + header-y += nf_nat.h 9 9 + header-y += nfnetlink.h 10 10 + header-y += nfnetlink_acct.h 11 11 + header-y += nfnetlink_compat.h 12 12 + header-y += nfnetlink_conntrack.h 13 13 + header-y += nfnetlink_cthelper.h 14 14 + header-y += nfnetlink_cttimeout.h 15 15 + header-y += nfnetlink_log.h 16 16 + header-y += nfnetlink_queue.h 17 17 + header-y += x_tables.h 18 18 + header-y += xt_AUDIT.h 19 19 + header-y += xt_CHECKSUM.h 20 20 + header-y += xt_CLASSIFY.h 21 21 + header-y += xt_CONNMARK.h 22 22 + header-y += xt_CONNSECMARK.h 23 23 + header-y += xt_CT.h 24 24 + header-y += xt_DSCP.h 25 25 + header-y += xt_IDLETIMER.h 26 26 + header-y += xt_LED.h 27 27 + header-y += xt_LOG.h 28 28 + header-y += xt_MARK.h 29 29 + header-y += xt_NFLOG.h 30 30 + header-y += xt_NFQUEUE.h 31 31 + header-y += xt_RATEEST.h 32 32 + header-y += xt_SECMARK.h 33 33 + header-y += xt_TCPMSS.h 34 34 + header-y += xt_TCPOPTSTRIP.h 35 35 + header-y += xt_TEE.h 36 36 + header-y += xt_TPROXY.h 37 37 + header-y += xt_addrtype.h 38 38 + header-y += xt_cluster.h 39 39 + header-y += xt_comment.h 40 40 + header-y += xt_connbytes.h 41 41 + header-y += xt_connlimit.h 42 42 + header-y += xt_connmark.h 43 43 + header-y += xt_conntrack.h 44 44 + header-y += xt_cpu.h 45 45 + header-y += xt_dccp.h 46 46 + header-y += xt_devgroup.h 47 47 + header-y += xt_dscp.h 48 48 + header-y += xt_ecn.h 49 49 + header-y += xt_esp.h 50 50 + header-y += xt_hashlimit.h 51 51 + header-y += xt_helper.h 52 52 + header-y += xt_iprange.h 53 53 + header-y += xt_ipvs.h 54 54 + header-y += xt_length.h 55 55 + header-y += xt_limit.h 56 56 + header-y += xt_mac.h 57 57 + header-y += xt_mark.h 58 58 + header-y += xt_multiport.h 59 59 + header-y += xt_nfacct.h 60 60 + header-y += xt_osf.h 61 61 + header-y += xt_owner.h 62 62 + header-y += xt_physdev.h 63 63 + header-y += xt_pkttype.h 64 64 + header-y += xt_policy.h 65 65 + header-y += xt_quota.h 66 66 + header-y += xt_rateest.h 67 67 + header-y += xt_realm.h 68 68 + header-y += xt_recent.h 69 69 + header-y += xt_sctp.h 70 70 + header-y += xt_set.h 71 71 + header-y += xt_socket.h 72 72 + header-y += xt_state.h 73 73 + header-y += xt_statistic.h 74 74 + header-y += xt_string.h 75 75 + header-y += xt_tcpmss.h 76 76 + header-y += xt_tcpudp.h 77 77 + header-y += xt_time.h 78 78 + header-y += xt_u32.h

+117

include/uapi/linux/netfilter/nf_conntrack_common.h

reviewed

··· 1 1 + #ifndef _UAPI_NF_CONNTRACK_COMMON_H 2 2 + #define _UAPI_NF_CONNTRACK_COMMON_H 3 3 + /* Connection state tracking for netfilter. This is separated from, 4 4 + but required by, the NAT layer; it can also be used by an iptables 5 5 + extension. */ 6 6 + enum ip_conntrack_info { 7 7 + /* Part of an established connection (either direction). */ 8 8 + IP_CT_ESTABLISHED, 9 9 + 10 10 + /* Like NEW, but related to an existing connection, or ICMP error 11 11 + (in either direction). */ 12 12 + IP_CT_RELATED, 13 13 + 14 14 + /* Started a new connection to track (only 15 15 + IP_CT_DIR_ORIGINAL); may be a retransmission. */ 16 16 + IP_CT_NEW, 17 17 + 18 18 + /* >= this indicates reply direction */ 19 19 + IP_CT_IS_REPLY, 20 20 + 21 21 + IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY, 22 22 + IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY, 23 23 + IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY, 24 24 + /* Number of distinct IP_CT types (no NEW in reply dirn). */ 25 25 + IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 26 26 + }; 27 27 + 28 28 + /* Bitset representing status of connection. */ 29 29 + enum ip_conntrack_status { 30 30 + /* It's an expected connection: bit 0 set. This bit never changed */ 31 31 + IPS_EXPECTED_BIT = 0, 32 32 + IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), 33 33 + 34 34 + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ 35 35 + IPS_SEEN_REPLY_BIT = 1, 36 36 + IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), 37 37 + 38 38 + /* Conntrack should never be early-expired. */ 39 39 + IPS_ASSURED_BIT = 2, 40 40 + IPS_ASSURED = (1 << IPS_ASSURED_BIT), 41 41 + 42 42 + /* Connection is confirmed: originating packet has left box */ 43 43 + IPS_CONFIRMED_BIT = 3, 44 44 + IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), 45 45 + 46 46 + /* Connection needs src nat in orig dir. This bit never changed. */ 47 47 + IPS_SRC_NAT_BIT = 4, 48 48 + IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), 49 49 + 50 50 + /* Connection needs dst nat in orig dir. This bit never changed. */ 51 51 + IPS_DST_NAT_BIT = 5, 52 52 + IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), 53 53 + 54 54 + /* Both together. */ 55 55 + IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), 56 56 + 57 57 + /* Connection needs TCP sequence adjusted. */ 58 58 + IPS_SEQ_ADJUST_BIT = 6, 59 59 + IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), 60 60 + 61 61 + /* NAT initialization bits. */ 62 62 + IPS_SRC_NAT_DONE_BIT = 7, 63 63 + IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), 64 64 + 65 65 + IPS_DST_NAT_DONE_BIT = 8, 66 66 + IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), 67 67 + 68 68 + /* Both together */ 69 69 + IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), 70 70 + 71 71 + /* Connection is dying (removed from lists), can not be unset. */ 72 72 + IPS_DYING_BIT = 9, 73 73 + IPS_DYING = (1 << IPS_DYING_BIT), 74 74 + 75 75 + /* Connection has fixed timeout. */ 76 76 + IPS_FIXED_TIMEOUT_BIT = 10, 77 77 + IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), 78 78 + 79 79 + /* Conntrack is a template */ 80 80 + IPS_TEMPLATE_BIT = 11, 81 81 + IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT), 82 82 + 83 83 + /* Conntrack is a fake untracked entry */ 84 84 + IPS_UNTRACKED_BIT = 12, 85 85 + IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT), 86 86 + 87 87 + /* Conntrack got a helper explicitly attached via CT target. */ 88 88 + IPS_HELPER_BIT = 13, 89 89 + IPS_HELPER = (1 << IPS_HELPER_BIT), 90 90 + }; 91 91 + 92 92 + /* Connection tracking event types */ 93 93 + enum ip_conntrack_events { 94 94 + IPCT_NEW, /* new conntrack */ 95 95 + IPCT_RELATED, /* related conntrack */ 96 96 + IPCT_DESTROY, /* destroyed conntrack */ 97 97 + IPCT_REPLY, /* connection has seen two-way traffic */ 98 98 + IPCT_ASSURED, /* connection status has changed to assured */ 99 99 + IPCT_PROTOINFO, /* protocol information has changed */ 100 100 + IPCT_HELPER, /* new helper has been set */ 101 101 + IPCT_MARK, /* new mark has been set */ 102 102 + IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ 103 103 + IPCT_SECMARK, /* new security mark has been set */ 104 104 + }; 105 105 + 106 106 + enum ip_conntrack_expect_events { 107 107 + IPEXP_NEW, /* new expectation */ 108 108 + IPEXP_DESTROY, /* destroyed expectation */ 109 109 + }; 110 110 + 111 111 + /* expectation flags */ 112 112 + #define NF_CT_EXPECT_PERMANENT 0x1 113 113 + #define NF_CT_EXPECT_INACTIVE 0x2 114 114 + #define NF_CT_EXPECT_USERSPACE 0x4 115 115 + 116 116 + 117 117 + #endif /* _UAPI_NF_CONNTRACK_COMMON_H */

+18

include/uapi/linux/netfilter/nf_conntrack_ftp.h

reviewed

··· 1 1 + #ifndef _UAPI_NF_CONNTRACK_FTP_H 2 2 + #define _UAPI_NF_CONNTRACK_FTP_H 3 3 + /* FTP tracking. */ 4 4 + 5 5 + /* This enum is exposed to userspace */ 6 6 + enum nf_ct_ftp_type { 7 7 + /* PORT command from client */ 8 8 + NF_CT_FTP_PORT, 9 9 + /* PASV response from server */ 10 10 + NF_CT_FTP_PASV, 11 11 + /* EPRT command from client */ 12 12 + NF_CT_FTP_EPRT, 13 13 + /* EPSV response from server */ 14 14 + NF_CT_FTP_EPSV, 15 15 + }; 16 16 + 17 17 + 18 18 + #endif /* _UAPI_NF_CONNTRACK_FTP_H */

+51

include/uapi/linux/netfilter/nf_conntrack_tcp.h

reviewed

··· 1 1 + #ifndef _UAPI_NF_CONNTRACK_TCP_H 2 2 + #define _UAPI_NF_CONNTRACK_TCP_H 3 3 + /* TCP tracking. */ 4 4 + 5 5 + #include <linux/types.h> 6 6 + 7 7 + /* This is exposed to userspace (ctnetlink) */ 8 8 + enum tcp_conntrack { 9 9 + TCP_CONNTRACK_NONE, 10 10 + TCP_CONNTRACK_SYN_SENT, 11 11 + TCP_CONNTRACK_SYN_RECV, 12 12 + TCP_CONNTRACK_ESTABLISHED, 13 13 + TCP_CONNTRACK_FIN_WAIT, 14 14 + TCP_CONNTRACK_CLOSE_WAIT, 15 15 + TCP_CONNTRACK_LAST_ACK, 16 16 + TCP_CONNTRACK_TIME_WAIT, 17 17 + TCP_CONNTRACK_CLOSE, 18 18 + TCP_CONNTRACK_LISTEN, /* obsolete */ 19 19 + #define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN 20 20 + TCP_CONNTRACK_MAX, 21 21 + TCP_CONNTRACK_IGNORE, 22 22 + TCP_CONNTRACK_RETRANS, 23 23 + TCP_CONNTRACK_UNACK, 24 24 + TCP_CONNTRACK_TIMEOUT_MAX 25 25 + }; 26 26 + 27 27 + /* Window scaling is advertised by the sender */ 28 28 + #define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01 29 29 + 30 30 + /* SACK is permitted by the sender */ 31 31 + #define IP_CT_TCP_FLAG_SACK_PERM 0x02 32 32 + 33 33 + /* This sender sent FIN first */ 34 34 + #define IP_CT_TCP_FLAG_CLOSE_INIT 0x04 35 35 + 36 36 + /* Be liberal in window checking */ 37 37 + #define IP_CT_TCP_FLAG_BE_LIBERAL 0x08 38 38 + 39 39 + /* Has unacknowledged data */ 40 40 + #define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10 41 41 + 42 42 + /* The field td_maxack has been set */ 43 43 + #define IP_CT_TCP_FLAG_MAXACK_SET 0x20 44 44 + 45 45 + struct nf_ct_tcp_flags { 46 46 + __u8 flags; 47 47 + __u8 mask; 48 48 + }; 49 49 + 50 50 + 51 51 + #endif /* _UAPI_NF_CONNTRACK_TCP_H */

+56

include/uapi/linux/netfilter/nfnetlink.h

reviewed

··· 1 1 + #ifndef _UAPI_NFNETLINK_H 2 2 + #define _UAPI_NFNETLINK_H 3 3 + #include <linux/types.h> 4 4 + #include <linux/netfilter/nfnetlink_compat.h> 5 5 + 6 6 + enum nfnetlink_groups { 7 7 + NFNLGRP_NONE, 8 8 + #define NFNLGRP_NONE NFNLGRP_NONE 9 9 + NFNLGRP_CONNTRACK_NEW, 10 10 + #define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW 11 11 + NFNLGRP_CONNTRACK_UPDATE, 12 12 + #define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE 13 13 + NFNLGRP_CONNTRACK_DESTROY, 14 14 + #define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY 15 15 + NFNLGRP_CONNTRACK_EXP_NEW, 16 16 + #define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW 17 17 + NFNLGRP_CONNTRACK_EXP_UPDATE, 18 18 + #define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE 19 19 + NFNLGRP_CONNTRACK_EXP_DESTROY, 20 20 + #define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY 21 21 + __NFNLGRP_MAX, 22 22 + }; 23 23 + #define NFNLGRP_MAX (__NFNLGRP_MAX - 1) 24 24 + 25 25 + /* General form of address family dependent message. 26 26 + */ 27 27 + struct nfgenmsg { 28 28 + __u8 nfgen_family; /* AF_xxx */ 29 29 + __u8 version; /* nfnetlink version */ 30 30 + __be16 res_id; /* resource id */ 31 31 + }; 32 32 + 33 33 + #define NFNETLINK_V0 0 34 34 + 35 35 + /* netfilter netlink message types are split in two pieces: 36 36 + * 8 bit subsystem, 8bit operation. 37 37 + */ 38 38 + 39 39 + #define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8) 40 40 + #define NFNL_MSG_TYPE(x) (x & 0x00ff) 41 41 + 42 42 + /* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS() 43 43 + * won't work anymore */ 44 44 + #define NFNL_SUBSYS_NONE 0 45 45 + #define NFNL_SUBSYS_CTNETLINK 1 46 46 + #define NFNL_SUBSYS_CTNETLINK_EXP 2 47 47 + #define NFNL_SUBSYS_QUEUE 3 48 48 + #define NFNL_SUBSYS_ULOG 4 49 49 + #define NFNL_SUBSYS_OSF 5 50 50 + #define NFNL_SUBSYS_IPSET 6 51 51 + #define NFNL_SUBSYS_ACCT 7 52 52 + #define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8 53 53 + #define NFNL_SUBSYS_CTHELPER 9 54 54 + #define NFNL_SUBSYS_COUNT 10 55 55 + 56 56 + #endif /* _UAPI_NFNETLINK_H */

+27

include/uapi/linux/netfilter/nfnetlink_acct.h

reviewed

··· 1 1 + #ifndef _UAPI_NFNL_ACCT_H_ 2 2 + #define _UAPI_NFNL_ACCT_H_ 3 3 + 4 4 + #ifndef NFACCT_NAME_MAX 5 5 + #define NFACCT_NAME_MAX 32 6 6 + #endif 7 7 + 8 8 + enum nfnl_acct_msg_types { 9 9 + NFNL_MSG_ACCT_NEW, 10 10 + NFNL_MSG_ACCT_GET, 11 11 + NFNL_MSG_ACCT_GET_CTRZERO, 12 12 + NFNL_MSG_ACCT_DEL, 13 13 + NFNL_MSG_ACCT_MAX 14 14 + }; 15 15 + 16 16 + enum nfnl_acct_type { 17 17 + NFACCT_UNSPEC, 18 18 + NFACCT_NAME, 19 19 + NFACCT_PKTS, 20 20 + NFACCT_BYTES, 21 21 + NFACCT_USE, 22 22 + __NFACCT_MAX 23 23 + }; 24 24 + #define NFACCT_MAX (__NFACCT_MAX - 1) 25 25 + 26 26 + 27 27 + #endif /* _UAPI_NFNL_ACCT_H_ */

+187

include/uapi/linux/netfilter/x_tables.h

reviewed

··· 1 1 + #ifndef _UAPI_X_TABLES_H 2 2 + #define _UAPI_X_TABLES_H 3 3 + #include <linux/kernel.h> 4 4 + #include <linux/types.h> 5 5 + 6 6 + #define XT_FUNCTION_MAXNAMELEN 30 7 7 + #define XT_EXTENSION_MAXNAMELEN 29 8 8 + #define XT_TABLE_MAXNAMELEN 32 9 9 + 10 10 + struct xt_entry_match { 11 11 + union { 12 12 + struct { 13 13 + __u16 match_size; 14 14 + 15 15 + /* Used by userspace */ 16 16 + char name[XT_EXTENSION_MAXNAMELEN]; 17 17 + __u8 revision; 18 18 + } user; 19 19 + struct { 20 20 + __u16 match_size; 21 21 + 22 22 + /* Used inside the kernel */ 23 23 + struct xt_match *match; 24 24 + } kernel; 25 25 + 26 26 + /* Total length */ 27 27 + __u16 match_size; 28 28 + } u; 29 29 + 30 30 + unsigned char data[0]; 31 31 + }; 32 32 + 33 33 + struct xt_entry_target { 34 34 + union { 35 35 + struct { 36 36 + __u16 target_size; 37 37 + 38 38 + /* Used by userspace */ 39 39 + char name[XT_EXTENSION_MAXNAMELEN]; 40 40 + __u8 revision; 41 41 + } user; 42 42 + struct { 43 43 + __u16 target_size; 44 44 + 45 45 + /* Used inside the kernel */ 46 46 + struct xt_target *target; 47 47 + } kernel; 48 48 + 49 49 + /* Total length */ 50 50 + __u16 target_size; 51 51 + } u; 52 52 + 53 53 + unsigned char data[0]; 54 54 + }; 55 55 + 56 56 + #define XT_TARGET_INIT(__name, __size) \ 57 57 + { \ 58 58 + .target.u.user = { \ 59 59 + .target_size = XT_ALIGN(__size), \ 60 60 + .name = __name, \ 61 61 + }, \ 62 62 + } 63 63 + 64 64 + struct xt_standard_target { 65 65 + struct xt_entry_target target; 66 66 + int verdict; 67 67 + }; 68 68 + 69 69 + struct xt_error_target { 70 70 + struct xt_entry_target target; 71 71 + char errorname[XT_FUNCTION_MAXNAMELEN]; 72 72 + }; 73 73 + 74 74 + /* The argument to IPT_SO_GET_REVISION_*. Returns highest revision 75 75 + * kernel supports, if >= revision. */ 76 76 + struct xt_get_revision { 77 77 + char name[XT_EXTENSION_MAXNAMELEN]; 78 78 + __u8 revision; 79 79 + }; 80 80 + 81 81 + /* CONTINUE verdict for targets */ 82 82 + #define XT_CONTINUE 0xFFFFFFFF 83 83 + 84 84 + /* For standard target */ 85 85 + #define XT_RETURN (-NF_REPEAT - 1) 86 86 + 87 87 + /* this is a dummy structure to find out the alignment requirement for a struct 88 88 + * containing all the fundamental data types that are used in ipt_entry, 89 89 + * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my 90 90 + * personal pleasure to remove it -HW 91 91 + */ 92 92 + struct _xt_align { 93 93 + __u8 u8; 94 94 + __u16 u16; 95 95 + __u32 u32; 96 96 + __u64 u64; 97 97 + }; 98 98 + 99 99 + #define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) 100 100 + 101 101 + /* Standard return verdict, or do jump. */ 102 102 + #define XT_STANDARD_TARGET "" 103 103 + /* Error verdict. */ 104 104 + #define XT_ERROR_TARGET "ERROR" 105 105 + 106 106 + #define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) 107 107 + #define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) 108 108 + 109 109 + struct xt_counters { 110 110 + __u64 pcnt, bcnt; /* Packet and byte counters */ 111 111 + }; 112 112 + 113 113 + /* The argument to IPT_SO_ADD_COUNTERS. */ 114 114 + struct xt_counters_info { 115 115 + /* Which table. */ 116 116 + char name[XT_TABLE_MAXNAMELEN]; 117 117 + 118 118 + unsigned int num_counters; 119 119 + 120 120 + /* The counters (actually `number' of these). */ 121 121 + struct xt_counters counters[0]; 122 122 + }; 123 123 + 124 124 + #define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ 125 125 + 126 126 + #ifndef __KERNEL__ 127 127 + /* fn returns 0 to continue iteration */ 128 128 + #define XT_MATCH_ITERATE(type, e, fn, args...) \ 129 129 + ({ \ 130 130 + unsigned int __i; \ 131 131 + int __ret = 0; \ 132 132 + struct xt_entry_match *__m; \ 133 133 + \ 134 134 + for (__i = sizeof(type); \ 135 135 + __i < (e)->target_offset; \ 136 136 + __i += __m->u.match_size) { \ 137 137 + __m = (void *)e + __i; \ 138 138 + \ 139 139 + __ret = fn(__m , ## args); \ 140 140 + if (__ret != 0) \ 141 141 + break; \ 142 142 + } \ 143 143 + __ret; \ 144 144 + }) 145 145 + 146 146 + /* fn returns 0 to continue iteration */ 147 147 + #define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ 148 148 + ({ \ 149 149 + unsigned int __i, __n; \ 150 150 + int __ret = 0; \ 151 151 + type *__entry; \ 152 152 + \ 153 153 + for (__i = 0, __n = 0; __i < (size); \ 154 154 + __i += __entry->next_offset, __n++) { \ 155 155 + __entry = (void *)(entries) + __i; \ 156 156 + if (__n < n) \ 157 157 + continue; \ 158 158 + \ 159 159 + __ret = fn(__entry , ## args); \ 160 160 + if (__ret != 0) \ 161 161 + break; \ 162 162 + } \ 163 163 + __ret; \ 164 164 + }) 165 165 + 166 166 + /* fn returns 0 to continue iteration */ 167 167 + #define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ 168 168 + XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) 169 169 + 170 170 + #endif /* !__KERNEL__ */ 171 171 + 172 172 + /* pos is normally a struct ipt_entry/ip6t_entry/etc. */ 173 173 + #define xt_entry_foreach(pos, ehead, esize) \ 174 174 + for ((pos) = (typeof(pos))(ehead); \ 175 175 + (pos) < (typeof(pos))((char *)(ehead) + (esize)); \ 176 176 + (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset)) 177 177 + 178 178 + /* can only be xt_entry_match, so no use of typeof here */ 179 179 + #define xt_ematch_foreach(pos, entry) \ 180 180 + for ((pos) = (struct xt_entry_match *)entry->elems; \ 181 181 + (pos) < (struct xt_entry_match *)((char *)(entry) + \ 182 182 + (entry)->target_offset); \ 183 183 + (pos) = (struct xt_entry_match *)((char *)(pos) + \ 184 184 + (pos)->u.match_size)) 185 185 + 186 186 + 187 187 + #endif /* _UAPI_X_TABLES_H */

+73

include/uapi/linux/netfilter/xt_hashlimit.h

reviewed

··· 1 1 + #ifndef _UAPI_XT_HASHLIMIT_H 2 2 + #define _UAPI_XT_HASHLIMIT_H 3 3 + 4 4 + #include <linux/types.h> 5 5 + 6 6 + /* timings are in milliseconds. */ 7 7 + #define XT_HASHLIMIT_SCALE 10000 8 8 + /* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 9 9 + * seconds, or one packet every 59 hours. 10 10 + */ 11 11 + 12 12 + /* packet length accounting is done in 16-byte steps */ 13 13 + #define XT_HASHLIMIT_BYTE_SHIFT 4 14 14 + 15 15 + /* details of this structure hidden by the implementation */ 16 16 + struct xt_hashlimit_htable; 17 17 + 18 18 + enum { 19 19 + XT_HASHLIMIT_HASH_DIP = 1 << 0, 20 20 + XT_HASHLIMIT_HASH_DPT = 1 << 1, 21 21 + XT_HASHLIMIT_HASH_SIP = 1 << 2, 22 22 + XT_HASHLIMIT_HASH_SPT = 1 << 3, 23 23 + XT_HASHLIMIT_INVERT = 1 << 4, 24 24 + XT_HASHLIMIT_BYTES = 1 << 5, 25 25 + }; 26 26 + 27 27 + struct hashlimit_cfg { 28 28 + __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ 29 29 + __u32 avg; /* Average secs between packets * scale */ 30 30 + __u32 burst; /* Period multiplier for upper limit. */ 31 31 + 32 32 + /* user specified */ 33 33 + __u32 size; /* how many buckets */ 34 34 + __u32 max; /* max number of entries */ 35 35 + __u32 gc_interval; /* gc interval */ 36 36 + __u32 expire; /* when do entries expire? */ 37 37 + }; 38 38 + 39 39 + struct xt_hashlimit_info { 40 40 + char name [IFNAMSIZ]; /* name */ 41 41 + struct hashlimit_cfg cfg; 42 42 + 43 43 + /* Used internally by the kernel */ 44 44 + struct xt_hashlimit_htable *hinfo; 45 45 + union { 46 46 + void *ptr; 47 47 + struct xt_hashlimit_info *master; 48 48 + } u; 49 49 + }; 50 50 + 51 51 + struct hashlimit_cfg1 { 52 52 + __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ 53 53 + __u32 avg; /* Average secs between packets * scale */ 54 54 + __u32 burst; /* Period multiplier for upper limit. */ 55 55 + 56 56 + /* user specified */ 57 57 + __u32 size; /* how many buckets */ 58 58 + __u32 max; /* max number of entries */ 59 59 + __u32 gc_interval; /* gc interval */ 60 60 + __u32 expire; /* when do entries expire? */ 61 61 + 62 62 + __u8 srcmask, dstmask; 63 63 + }; 64 64 + 65 65 + struct xt_hashlimit_mtinfo1 { 66 66 + char name[IFNAMSIZ]; 67 67 + struct hashlimit_cfg1 cfg; 68 68 + 69 69 + /* Used internally by the kernel */ 70 70 + struct xt_hashlimit_htable *hinfo __attribute__((aligned(8))); 71 71 + }; 72 72 + 73 73 + #endif /* _UAPI_XT_HASHLIMIT_H */

+23

include/uapi/linux/netfilter/xt_physdev.h

reviewed

··· 1 1 + #ifndef _UAPI_XT_PHYSDEV_H 2 2 + #define _UAPI_XT_PHYSDEV_H 3 3 + 4 4 + #include <linux/types.h> 5 5 + 6 6 + 7 7 + #define XT_PHYSDEV_OP_IN 0x01 8 8 + #define XT_PHYSDEV_OP_OUT 0x02 9 9 + #define XT_PHYSDEV_OP_BRIDGED 0x04 10 10 + #define XT_PHYSDEV_OP_ISIN 0x08 11 11 + #define XT_PHYSDEV_OP_ISOUT 0x10 12 12 + #define XT_PHYSDEV_OP_MASK (0x20 - 1) 13 13 + 14 14 + struct xt_physdev_info { 15 15 + char physindev[IFNAMSIZ]; 16 16 + char in_mask[IFNAMSIZ]; 17 17 + char physoutdev[IFNAMSIZ]; 18 18 + char out_mask[IFNAMSIZ]; 19 19 + __u8 invert; 20 20 + __u8 bitmask; 21 21 + }; 22 22 + 23 23 + #endif /* _UAPI_XT_PHYSDEV_H */