From 6dc878a8ca39e93f70c42f3dd7260bde10c1e0f1 Mon Sep 17 00:00:00 2001 From: Gao feng Date: Thu, 4 Oct 2012 20:15:48 +0000 Subject: netlink: add reference of module in netlink_dump_start I get a panic when I use ss -a and rmmod inet_diag at the same time. It's because netlink_dump uses inet_diag_dump which belongs to module inet_diag. I search the codes and find many modules have the same problem. We need to add a reference to the module which the cb->dump belongs to. Thanks for all help from Stephen,Jan,Eric,Steffen and Pablo. Change From v3: change netlink_dump_start to inline,suggestion from Pablo and Eric. Change From v2: delete netlink_dump_done,and call module_put in netlink_dump and netlink_sock_destruct. Signed-off-by: Gao feng Signed-off-by: David S. Miller diff --git a/include/linux/netlink.h b/include/linux/netlink.h index f80c56a..6d3af05 100644 --- a/include/linux/netlink.h +++ b/include/linux/netlink.h @@ -245,6 +245,8 @@ struct netlink_callback { struct netlink_callback *cb); int (*done)(struct netlink_callback *cb); void *data; + /* the module that dump function belong to */ + struct module *module; u16 family; u16 min_dump_alloc; unsigned int prev_seq, seq; @@ -262,14 +264,24 @@ __nlmsg_put(struct sk_buff *skb, u32 portid, u32 seq, int type, int len, int fla struct netlink_dump_control { int (*dump)(struct sk_buff *skb, struct netlink_callback *); - int (*done)(struct netlink_callback*); + int (*done)(struct netlink_callback *); void *data; + struct module *module; u16 min_dump_alloc; }; -extern int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, - const struct nlmsghdr *nlh, - struct netlink_dump_control *control); +extern int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct netlink_dump_control *control); +static inline int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct netlink_dump_control *control) +{ + if (!control->module) + control->module = THIS_MODULE; + + return __netlink_dump_start(ssk, skb, nlh, control); +} #endif /* __KERNEL__ */ diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 0f2e3ad..01e944a 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -169,6 +169,8 @@ static void netlink_sock_destruct(struct sock *sk) if (nlk->cb) { if (nlk->cb->done) nlk->cb->done(nlk->cb); + + module_put(nlk->cb->module); netlink_destroy_callback(nlk->cb); } @@ -1758,6 +1760,7 @@ static int netlink_dump(struct sock *sk) nlk->cb = NULL; mutex_unlock(nlk->cb_mutex); + module_put(cb->module); netlink_consume_callback(cb); return 0; @@ -1767,9 +1770,9 @@ errout_skb: return err; } -int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, - const struct nlmsghdr *nlh, - struct netlink_dump_control *control) +int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct netlink_dump_control *control) { struct netlink_callback *cb; struct sock *sk; @@ -1784,6 +1787,7 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, cb->done = control->done; cb->nlh = nlh; cb->data = control->data; + cb->module = control->module; cb->min_dump_alloc = control->min_dump_alloc; atomic_inc(&skb->users); cb->skb = skb; @@ -1794,19 +1798,28 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, return -ECONNREFUSED; } nlk = nlk_sk(sk); - /* A dump is in progress... */ + mutex_lock(nlk->cb_mutex); + /* A dump is in progress... */ if (nlk->cb) { mutex_unlock(nlk->cb_mutex); netlink_destroy_callback(cb); - sock_put(sk); - return -EBUSY; + ret = -EBUSY; + goto out; } + /* add reference of module which cb->dump belongs to */ + if (!try_module_get(cb->module)) { + mutex_unlock(nlk->cb_mutex); + netlink_destroy_callback(cb); + ret = -EPROTONOSUPPORT; + goto out; + } + nlk->cb = cb; mutex_unlock(nlk->cb_mutex); ret = netlink_dump(sk); - +out: sock_put(sk); if (ret) @@ -1817,7 +1830,7 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, */ return -EINTR; } -EXPORT_SYMBOL(netlink_dump_start); +EXPORT_SYMBOL(__netlink_dump_start); void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err) { -- cgit v0.10.2 From 809d5fc9bf6589276a12bd4fd611e4c7ff9940c3 Mon Sep 17 00:00:00 2001 From: Gao feng Date: Thu, 4 Oct 2012 20:15:49 +0000 Subject: infiniband: pass rdma_cm module to netlink_dump_start set netlink_dump_control.module to avoid panic. Signed-off-by: Gao feng Cc: Roland Dreier Cc: Sean Hefty Signed-off-by: David S. Miller diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c index 26b3760..4fff27a 100644 --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c @@ -3498,7 +3498,8 @@ out: } static const struct ibnl_client_cbs cma_cb_table[] = { - [RDMA_NL_RDMA_CM_ID_STATS] = { .dump = cma_get_id_stats }, + [RDMA_NL_RDMA_CM_ID_STATS] = { .dump = cma_get_id_stats, + .module = THIS_MODULE }, }; static int __init cma_init(void) diff --git a/drivers/infiniband/core/netlink.c b/drivers/infiniband/core/netlink.c index fe10a94..da06abd 100644 --- a/drivers/infiniband/core/netlink.c +++ b/drivers/infiniband/core/netlink.c @@ -154,6 +154,7 @@ static int ibnl_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) { struct netlink_dump_control c = { .dump = client->cb_table[op].dump, + .module = client->cb_table[op].module, }; return netlink_dump_start(nls, skb, nlh, &c); } diff --git a/include/rdma/rdma_netlink.h b/include/rdma/rdma_netlink.h index 3c5363a..bd3d8b2 100644 --- a/include/rdma/rdma_netlink.h +++ b/include/rdma/rdma_netlink.h @@ -39,6 +39,7 @@ struct rdma_cm_id_stats { struct ibnl_client_cbs { int (*dump)(struct sk_buff *skb, struct netlink_callback *nlcb); + struct module *module; }; int ibnl_init(void); -- cgit v0.10.2 From acb600def2110b1310466c0e485c0d26299898ae Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Fri, 5 Oct 2012 06:23:55 +0000 Subject: net: remove skb recycling Over time, skb recycling infrastructure got litle interest and many bugs. Generic rx path skb allocation is now using page fragments for efficient GRO / TCP coalescing, and recyling a tx skb for rx path is not worth the pain. Last identified bug is that fat skbs can be recycled and it can endup using high order pages after few iterations. With help from Maxime Bizon, who pointed out that commit 87151b8689d (net: allow pskb_expand_head() to get maximum tailroom) introduced this regression for recycled skbs. Instead of fixing this bug, lets remove skb recycling. Drivers wanting really hot skbs should use build_skb() anyway, to allocate/populate sk_buff right before netif_receive_skb() Signed-off-by: Eric Dumazet Cc: Maxime Bizon Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/calxeda/xgmac.c b/drivers/net/ethernet/calxeda/xgmac.c index 2b4b4f5..16814b3 100644 --- a/drivers/net/ethernet/calxeda/xgmac.c +++ b/drivers/net/ethernet/calxeda/xgmac.c @@ -375,7 +375,6 @@ struct xgmac_priv { unsigned int tx_tail; void __iomem *base; - struct sk_buff_head rx_recycle; unsigned int dma_buf_sz; dma_addr_t dma_rx_phy; dma_addr_t dma_tx_phy; @@ -672,9 +671,7 @@ static void xgmac_rx_refill(struct xgmac_priv *priv) p = priv->dma_rx + entry; if (priv->rx_skbuff[entry] == NULL) { - skb = __skb_dequeue(&priv->rx_recycle); - if (skb == NULL) - skb = netdev_alloc_skb(priv->dev, priv->dma_buf_sz); + skb = netdev_alloc_skb(priv->dev, priv->dma_buf_sz); if (unlikely(skb == NULL)) break; @@ -887,17 +884,7 @@ static void xgmac_tx_complete(struct xgmac_priv *priv) desc_get_buf_len(p), DMA_TO_DEVICE); } - /* - * If there's room in the queue (limit it to size) - * we add this skb back into the pool, - * if it's the right size. - */ - if ((skb_queue_len(&priv->rx_recycle) < - DMA_RX_RING_SZ) && - skb_recycle_check(skb, priv->dma_buf_sz)) - __skb_queue_head(&priv->rx_recycle, skb); - else - dev_kfree_skb(skb); + dev_kfree_skb(skb); } if (dma_ring_space(priv->tx_head, priv->tx_tail, DMA_TX_RING_SZ) > @@ -1016,7 +1003,6 @@ static int xgmac_open(struct net_device *dev) dev->dev_addr); } - skb_queue_head_init(&priv->rx_recycle); memset(&priv->xstats, 0, sizeof(struct xgmac_extra_stats)); /* Initialize the XGMAC and descriptors */ @@ -1053,7 +1039,6 @@ static int xgmac_stop(struct net_device *dev) napi_disable(&priv->napi); writel(0, priv->base + XGMAC_DMA_INTR_ENA); - skb_queue_purge(&priv->rx_recycle); /* Disable the MAC core */ xgmac_mac_disable(priv->base); diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c index a1b52ec..1d03dcd 100644 --- a/drivers/net/ethernet/freescale/gianfar.c +++ b/drivers/net/ethernet/freescale/gianfar.c @@ -1765,7 +1765,6 @@ static void free_skb_resources(struct gfar_private *priv) sizeof(struct rxbd8) * priv->total_rx_ring_size, priv->tx_queue[0]->tx_bd_base, priv->tx_queue[0]->tx_bd_dma_base); - skb_queue_purge(&priv->rx_recycle); } void gfar_start(struct net_device *dev) @@ -1943,8 +1942,6 @@ static int gfar_enet_open(struct net_device *dev) enable_napi(priv); - skb_queue_head_init(&priv->rx_recycle); - /* Initialize a bunch of registers */ init_registers(dev); @@ -2533,16 +2530,7 @@ static int gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue) bytes_sent += skb->len; - /* If there's room in the queue (limit it to rx_buffer_size) - * we add this skb back into the pool, if it's the right size - */ - if (skb_queue_len(&priv->rx_recycle) < rx_queue->rx_ring_size && - skb_recycle_check(skb, priv->rx_buffer_size + - RXBUF_ALIGNMENT)) { - gfar_align_skb(skb); - skb_queue_head(&priv->rx_recycle, skb); - } else - dev_kfree_skb_any(skb); + dev_kfree_skb_any(skb); tx_queue->tx_skbuff[skb_dirtytx] = NULL; @@ -2608,7 +2596,7 @@ static void gfar_new_rxbdp(struct gfar_priv_rx_q *rx_queue, struct rxbd8 *bdp, static struct sk_buff *gfar_alloc_skb(struct net_device *dev) { struct gfar_private *priv = netdev_priv(dev); - struct sk_buff *skb = NULL; + struct sk_buff *skb; skb = netdev_alloc_skb(dev, priv->rx_buffer_size + RXBUF_ALIGNMENT); if (!skb) @@ -2621,14 +2609,7 @@ static struct sk_buff *gfar_alloc_skb(struct net_device *dev) struct sk_buff *gfar_new_skb(struct net_device *dev) { - struct gfar_private *priv = netdev_priv(dev); - struct sk_buff *skb = NULL; - - skb = skb_dequeue(&priv->rx_recycle); - if (!skb) - skb = gfar_alloc_skb(dev); - - return skb; + return gfar_alloc_skb(dev); } static inline void count_errors(unsigned short status, struct net_device *dev) @@ -2787,7 +2768,7 @@ int gfar_clean_rx_ring(struct gfar_priv_rx_q *rx_queue, int rx_work_limit) if (unlikely(!newskb)) newskb = skb; else if (skb) - skb_queue_head(&priv->rx_recycle, skb); + dev_kfree_skb(skb); } else { /* Increment the number of packets */ rx_queue->stats.rx_packets++; diff --git a/drivers/net/ethernet/freescale/gianfar.h b/drivers/net/ethernet/freescale/gianfar.h index 4141ef2..22eabc1 100644 --- a/drivers/net/ethernet/freescale/gianfar.h +++ b/drivers/net/ethernet/freescale/gianfar.h @@ -1080,8 +1080,6 @@ struct gfar_private { u32 cur_filer_idx; - struct sk_buff_head rx_recycle; - /* RX queue filer rule set*/ struct ethtool_rx_list rx_list; struct mutex rx_queue_access; diff --git a/drivers/net/ethernet/freescale/ucc_geth.c b/drivers/net/ethernet/freescale/ucc_geth.c index 1642884..dfa0aaa 100644 --- a/drivers/net/ethernet/freescale/ucc_geth.c +++ b/drivers/net/ethernet/freescale/ucc_geth.c @@ -209,14 +209,12 @@ static struct list_head *dequeue(struct list_head *lh) static struct sk_buff *get_new_skb(struct ucc_geth_private *ugeth, u8 __iomem *bd) { - struct sk_buff *skb = NULL; + struct sk_buff *skb; - skb = __skb_dequeue(&ugeth->rx_recycle); + skb = netdev_alloc_skb(ugeth->ndev, + ugeth->ug_info->uf_info.max_rx_buf_length + + UCC_GETH_RX_DATA_BUF_ALIGNMENT); if (!skb) - skb = netdev_alloc_skb(ugeth->ndev, - ugeth->ug_info->uf_info.max_rx_buf_length + - UCC_GETH_RX_DATA_BUF_ALIGNMENT); - if (skb == NULL) return NULL; /* We need the data buffer to be aligned properly. We will reserve @@ -2020,8 +2018,6 @@ static void ucc_geth_memclean(struct ucc_geth_private *ugeth) iounmap(ugeth->ug_regs); ugeth->ug_regs = NULL; } - - skb_queue_purge(&ugeth->rx_recycle); } static void ucc_geth_set_multi(struct net_device *dev) @@ -2230,8 +2226,6 @@ static int ucc_struct_init(struct ucc_geth_private *ugeth) return -ENOMEM; } - skb_queue_head_init(&ugeth->rx_recycle); - return 0; } @@ -3274,12 +3268,7 @@ static int ucc_geth_rx(struct ucc_geth_private *ugeth, u8 rxQ, int rx_work_limit if (netif_msg_rx_err(ugeth)) ugeth_err("%s, %d: ERROR!!! skb - 0x%08x", __func__, __LINE__, (u32) skb); - if (skb) { - skb->data = skb->head + NET_SKB_PAD; - skb->len = 0; - skb_reset_tail_pointer(skb); - __skb_queue_head(&ugeth->rx_recycle, skb); - } + dev_free_skb(skb); ugeth->rx_skbuff[rxQ][ugeth->skb_currx[rxQ]] = NULL; dev->stats.rx_dropped++; @@ -3349,13 +3338,7 @@ static int ucc_geth_tx(struct net_device *dev, u8 txQ) dev->stats.tx_packets++; - if (skb_queue_len(&ugeth->rx_recycle) < RX_BD_RING_LEN && - skb_recycle_check(skb, - ugeth->ug_info->uf_info.max_rx_buf_length + - UCC_GETH_RX_DATA_BUF_ALIGNMENT)) - __skb_queue_head(&ugeth->rx_recycle, skb); - else - dev_kfree_skb(skb); + dev_kfree_skb(skb); ugeth->tx_skbuff[txQ][ugeth->skb_dirtytx[txQ]] = NULL; ugeth->skb_dirtytx[txQ] = diff --git a/drivers/net/ethernet/freescale/ucc_geth.h b/drivers/net/ethernet/freescale/ucc_geth.h index f71b3e7..75f3371 100644 --- a/drivers/net/ethernet/freescale/ucc_geth.h +++ b/drivers/net/ethernet/freescale/ucc_geth.h @@ -1214,8 +1214,6 @@ struct ucc_geth_private { /* index of the first skb which hasn't been transmitted yet. */ u16 skb_dirtytx[NUM_TX_QUEUES]; - struct sk_buff_head rx_recycle; - struct ugeth_mii_info *mii_info; struct phy_device *phydev; phy_interface_t phy_interface; diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c index 087b9e0..84c1326 100644 --- a/drivers/net/ethernet/marvell/mv643xx_eth.c +++ b/drivers/net/ethernet/marvell/mv643xx_eth.c @@ -412,7 +412,6 @@ struct mv643xx_eth_private { u8 work_rx_refill; int skb_size; - struct sk_buff_head rx_recycle; /* * RX state. @@ -673,9 +672,7 @@ static int rxq_refill(struct rx_queue *rxq, int budget) struct rx_desc *rx_desc; int size; - skb = __skb_dequeue(&mp->rx_recycle); - if (skb == NULL) - skb = netdev_alloc_skb(mp->dev, mp->skb_size); + skb = netdev_alloc_skb(mp->dev, mp->skb_size); if (skb == NULL) { mp->oom = 1; @@ -989,14 +986,7 @@ static int txq_reclaim(struct tx_queue *txq, int budget, int force) desc->byte_cnt, DMA_TO_DEVICE); } - if (skb != NULL) { - if (skb_queue_len(&mp->rx_recycle) < - mp->rx_ring_size && - skb_recycle_check(skb, mp->skb_size)) - __skb_queue_head(&mp->rx_recycle, skb); - else - dev_kfree_skb(skb); - } + dev_kfree_skb(skb); } __netif_tx_unlock(nq); @@ -2349,8 +2339,6 @@ static int mv643xx_eth_open(struct net_device *dev) napi_enable(&mp->napi); - skb_queue_head_init(&mp->rx_recycle); - mp->int_mask = INT_EXT; for (i = 0; i < mp->rxq_count; i++) { @@ -2445,8 +2433,6 @@ static int mv643xx_eth_stop(struct net_device *dev) mib_counters_update(mp); del_timer_sync(&mp->mib_counters_timer); - skb_queue_purge(&mp->rx_recycle); - for (i = 0; i < mp->rxq_count; i++) rxq_deinit(mp->rxq + i); for (i = 0; i < mp->txq_count; i++) diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h index e872e1d..7d51a65 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h @@ -50,7 +50,6 @@ struct stmmac_priv { unsigned int dirty_rx; struct sk_buff **rx_skbuff; dma_addr_t *rx_skbuff_dma; - struct sk_buff_head rx_recycle; struct net_device *dev; dma_addr_t dma_rx_phy; diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c index 3be8833..c6cdbc4 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -747,18 +747,7 @@ static void stmmac_tx(struct stmmac_priv *priv) priv->hw->ring->clean_desc3(p); if (likely(skb != NULL)) { - /* - * If there's room in the queue (limit it to size) - * we add this skb back into the pool, - * if it's the right size. - */ - if ((skb_queue_len(&priv->rx_recycle) < - priv->dma_rx_size) && - skb_recycle_check(skb, priv->dma_buf_sz)) - __skb_queue_head(&priv->rx_recycle, skb); - else - dev_kfree_skb(skb); - + dev_kfree_skb(skb); priv->tx_skbuff[entry] = NULL; } @@ -1169,7 +1158,6 @@ static int stmmac_open(struct net_device *dev) priv->eee_enabled = stmmac_eee_init(priv); napi_enable(&priv->napi); - skb_queue_head_init(&priv->rx_recycle); netif_start_queue(dev); return 0; @@ -1222,7 +1210,6 @@ static int stmmac_release(struct net_device *dev) kfree(priv->tm); #endif napi_disable(&priv->napi); - skb_queue_purge(&priv->rx_recycle); /* Free the IRQ lines */ free_irq(dev->irq, dev); @@ -1388,10 +1375,7 @@ static inline void stmmac_rx_refill(struct stmmac_priv *priv) if (likely(priv->rx_skbuff[entry] == NULL)) { struct sk_buff *skb; - skb = __skb_dequeue(&priv->rx_recycle); - if (skb == NULL) - skb = netdev_alloc_skb_ip_align(priv->dev, - bfsize); + skb = netdev_alloc_skb_ip_align(priv->dev, bfsize); if (unlikely(skb == NULL)) break; diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index b33a3a1..6a2c34e 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -589,9 +589,6 @@ static inline struct sk_buff *alloc_skb_fclone(unsigned int size, return __alloc_skb(size, priority, SKB_ALLOC_FCLONE, NUMA_NO_NODE); } -extern void skb_recycle(struct sk_buff *skb); -extern bool skb_recycle_check(struct sk_buff *skb, int skb_size); - extern struct sk_buff *skb_morph(struct sk_buff *dst, struct sk_buff *src); extern int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask); extern struct sk_buff *skb_clone(struct sk_buff *skb, @@ -2645,27 +2642,6 @@ static inline void skb_checksum_none_assert(const struct sk_buff *skb) bool skb_partial_csum_set(struct sk_buff *skb, u16 start, u16 off); -static inline bool skb_is_recycleable(const struct sk_buff *skb, int skb_size) -{ - if (irqs_disabled()) - return false; - - if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) - return false; - - if (skb_is_nonlinear(skb) || skb->fclone != SKB_FCLONE_UNAVAILABLE) - return false; - - skb_size = SKB_DATA_ALIGN(skb_size + NET_SKB_PAD); - if (skb_end_offset(skb) < skb_size) - return false; - - if (skb_shared(skb) || skb_cloned(skb)) - return false; - - return true; -} - /** * skb_head_is_locked - Determine if the skb->head is locked down * @skb: skb to check diff --git a/net/core/skbuff.c b/net/core/skbuff.c index cdc2859..6e04b1f 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -655,53 +655,6 @@ void consume_skb(struct sk_buff *skb) } EXPORT_SYMBOL(consume_skb); -/** - * skb_recycle - clean up an skb for reuse - * @skb: buffer - * - * Recycles the skb to be reused as a receive buffer. This - * function does any necessary reference count dropping, and - * cleans up the skbuff as if it just came from __alloc_skb(). - */ -void skb_recycle(struct sk_buff *skb) -{ - struct skb_shared_info *shinfo; - - skb_release_head_state(skb); - - shinfo = skb_shinfo(skb); - memset(shinfo, 0, offsetof(struct skb_shared_info, dataref)); - atomic_set(&shinfo->dataref, 1); - - memset(skb, 0, offsetof(struct sk_buff, tail)); - skb->data = skb->head + NET_SKB_PAD; - skb_reset_tail_pointer(skb); -} -EXPORT_SYMBOL(skb_recycle); - -/** - * skb_recycle_check - check if skb can be reused for receive - * @skb: buffer - * @skb_size: minimum receive buffer size - * - * Checks that the skb passed in is not shared or cloned, and - * that it is linear and its head portion at least as large as - * skb_size so that it can be recycled as a receive buffer. - * If these conditions are met, this function does any necessary - * reference count dropping and cleans up the skbuff as if it - * just came from __alloc_skb(). - */ -bool skb_recycle_check(struct sk_buff *skb, int skb_size) -{ - if (!skb_is_recycleable(skb, skb_size)) - return false; - - skb_recycle(skb); - - return true; -} -EXPORT_SYMBOL(skb_recycle_check); - static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old) { new->tstamp = old->tstamp; -- cgit v0.10.2 From 5b896029e9c4c9fd67eed80b7400dd68bdd93f52 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 10:41:03 +0000 Subject: drivers/net/ethernet/dec/tulip/dmfe.c: fix error return code The function dmfe_init_one() return 0 for success and negative value for most of its internal tests failures. There are three exceptions that are error cases going to err_out_*:. Fore this three cases the function abort its success execution path, but returns non negative value, making it dificult for a caller function to notice the error. This patch fixes the error cases that do not return negative values. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/dec/tulip/dmfe.c b/drivers/net/ethernet/dec/tulip/dmfe.c index 4d6fe60..d23755e 100644 --- a/drivers/net/ethernet/dec/tulip/dmfe.c +++ b/drivers/net/ethernet/dec/tulip/dmfe.c @@ -446,13 +446,17 @@ static int __devinit dmfe_init_one (struct pci_dev *pdev, /* Allocate Tx/Rx descriptor memory */ db->desc_pool_ptr = pci_alloc_consistent(pdev, sizeof(struct tx_desc) * DESC_ALL_CNT + 0x20, &db->desc_pool_dma_ptr); - if (!db->desc_pool_ptr) + if (!db->desc_pool_ptr) { + err = -ENOMEM; goto err_out_res; + } db->buf_pool_ptr = pci_alloc_consistent(pdev, TX_BUF_ALLOC * TX_DESC_CNT + 4, &db->buf_pool_dma_ptr); - if (!db->buf_pool_ptr) + if (!db->buf_pool_ptr) { + err = -ENOMEM; goto err_out_free_desc; + } db->first_tx_desc = (struct tx_desc *) db->desc_pool_ptr; db->first_tx_desc_dma = db->desc_pool_dma_ptr; @@ -462,8 +466,10 @@ static int __devinit dmfe_init_one (struct pci_dev *pdev, db->chip_id = ent->driver_data; /* IO type range. */ db->ioaddr = pci_iomap(pdev, 0, 0); - if (!db->ioaddr) + if (!db->ioaddr) { + err = -ENOMEM; goto err_out_free_buf; + } db->chip_revision = pdev->revision; db->wol_mode = 0; -- cgit v0.10.2 From 52428d9169f8b4c26e806fb7473833bce3077de5 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 10:41:04 +0000 Subject: drivers/net/ethernet/natsemi/natsemi.c: fix error return code The function natsemi_probe1() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to err_create_file:. Fore this error case the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Acked-by: Francois Romieu Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/natsemi/natsemi.c b/drivers/net/ethernet/natsemi/natsemi.c index 5b61d12..dbaaa99 100644 --- a/drivers/net/ethernet/natsemi/natsemi.c +++ b/drivers/net/ethernet/natsemi/natsemi.c @@ -947,8 +947,8 @@ static int __devinit natsemi_probe1 (struct pci_dev *pdev, i = register_netdev(dev); if (i) goto err_register_netdev; - - if (NATSEMI_CREATE_FILE(pdev, dspcfg_workaround)) + i = NATSEMI_CREATE_FILE(pdev, dspcfg_workaround); + if (i) goto err_create_file; if (netif_msg_drv(np)) { -- cgit v0.10.2 From 0968a9d1c8f1d0d91e64faf49f6b1ef4f8775aa6 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 10:41:07 +0000 Subject: drivers/net/ethernet/sis/sis900.c: fix error return code The function sis900_probe() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to err_out_cleardev:. Fore this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/sis/sis900.c b/drivers/net/ethernet/sis/sis900.c index 203d9c6..fb9f6b3 100644 --- a/drivers/net/ethernet/sis/sis900.c +++ b/drivers/net/ethernet/sis/sis900.c @@ -478,8 +478,10 @@ static int __devinit sis900_probe(struct pci_dev *pci_dev, /* IO region. */ ioaddr = pci_iomap(pci_dev, 0, 0); - if (!ioaddr) + if (!ioaddr) { + ret = -ENOMEM; goto err_out_cleardev; + } sis_priv = netdev_priv(net_dev); sis_priv->ioaddr = ioaddr; -- cgit v0.10.2 From 87286477c4688e5324e24916a1b2da4972ea84ba Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 11:33:03 +0000 Subject: drivers/net/irda/irtty-sir.c: fix error return code The function irtty_open() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to out_put:. For this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/irda/irtty-sir.c b/drivers/net/irda/irtty-sir.c index 30087ca..6e4d4b6 100644 --- a/drivers/net/irda/irtty-sir.c +++ b/drivers/net/irda/irtty-sir.c @@ -459,8 +459,10 @@ static int irtty_open(struct tty_struct *tty) /* allocate private device info block */ priv = kzalloc(sizeof(*priv), GFP_KERNEL); - if (!priv) + if (!priv) { + ret = -ENOMEM; goto out_put; + } priv->magic = IRTTY_MAGIC; priv->tty = tty; -- cgit v0.10.2 From 6734011f3c9a17070f157656f8b15e051e37aee1 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 11:33:04 +0000 Subject: drivers/net/irda/mcs7780.c: fix error return code The function mcs_probe() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to error2:. For this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/irda/mcs7780.c b/drivers/net/irda/mcs7780.c index 1a00b59..f07c340 100644 --- a/drivers/net/irda/mcs7780.c +++ b/drivers/net/irda/mcs7780.c @@ -920,8 +920,10 @@ static int mcs_probe(struct usb_interface *intf, ndev->netdev_ops = &mcs_netdev_ops; - if (!intf->cur_altsetting) + if (!intf->cur_altsetting) { + ret = -ENOMEM; goto error2; + } ret = mcs_find_endpoints(mcs, intf->cur_altsetting->endpoint, intf->cur_altsetting->desc.bNumEndpoints); -- cgit v0.10.2 From cbd841ca91b4f87d62263f8d86af1b14a745c413 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 11:33:05 +0000 Subject: drivers/net/irda/pxaficp_ir.c: fix error return code The function pxa_irda_probe() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to err_mem_3:. For this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/irda/pxaficp_ir.c b/drivers/net/irda/pxaficp_ir.c index 002a442..858de05 100644 --- a/drivers/net/irda/pxaficp_ir.c +++ b/drivers/net/irda/pxaficp_ir.c @@ -846,8 +846,10 @@ static int pxa_irda_probe(struct platform_device *pdev) goto err_mem_2; dev = alloc_irdadev(sizeof(struct pxa_irda)); - if (!dev) + if (!dev) { + err = -ENOMEM; goto err_mem_3; + } SET_NETDEV_DEV(dev, &pdev->dev); si = netdev_priv(dev); -- cgit v0.10.2 From cd9d11607ebe106acab6cf3ad578e72c956823a1 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 11:33:06 +0000 Subject: drivers/net/irda/sa1100_ir.c: fix error return code The function sa1100_irda_probe() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to err_mem_4:. For this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/irda/sa1100_ir.c b/drivers/net/irda/sa1100_ir.c index e250675..42fde9e 100644 --- a/drivers/net/irda/sa1100_ir.c +++ b/drivers/net/irda/sa1100_ir.c @@ -940,8 +940,10 @@ static int sa1100_irda_probe(struct platform_device *pdev) goto err_mem_3; dev = alloc_irdadev(sizeof(struct sa1100_irda)); - if (!dev) + if (!dev) { + err = -ENOMEM; goto err_mem_4; + } SET_NETDEV_DEV(dev, &pdev->dev); -- cgit v0.10.2 From 812b074b5ba2937d2edc0e5b0019fa163ba86882 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 11:33:02 +0000 Subject: drivers/net/irda/sh_irda.c: fix error return code The function sh_irda_probe() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to err_mem_4:. For this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/irda/sh_irda.c b/drivers/net/irda/sh_irda.c index eb315b8..4b746d9 100644 --- a/drivers/net/irda/sh_irda.c +++ b/drivers/net/irda/sh_irda.c @@ -808,8 +808,8 @@ static int __devinit sh_irda_probe(struct platform_device *pdev) goto err_mem_4; platform_set_drvdata(pdev, ndev); - - if (request_irq(irq, sh_irda_irq, IRQF_DISABLED, "sh_irda", self)) { + err = request_irq(irq, sh_irda_irq, IRQF_DISABLED, "sh_irda", self); + if (err) { dev_warn(&pdev->dev, "Unable to attach sh_irda interrupt\n"); goto err_mem_4; } -- cgit v0.10.2 From 14834540cafff24944affd6290f01359799a48ce Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 12:10:49 +0000 Subject: drivers/net/irda/sh_sir.c: fix error return code The function sh_sir_probe() return 0 for success and negative value for most of its internal tests failures. There are two exceptions that are error cases going to err_mem_*:. For this two cases, the function abort its success execution path, but returns non negative value, making it dificult for a caller function to notice the error. This patch fixes the error cases that do not return negative values. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/irda/sh_sir.c b/drivers/net/irda/sh_sir.c index 7951094..624ac19 100644 --- a/drivers/net/irda/sh_sir.c +++ b/drivers/net/irda/sh_sir.c @@ -741,6 +741,7 @@ static int __devinit sh_sir_probe(struct platform_device *pdev) self->clk = clk_get(&pdev->dev, clk_name); if (IS_ERR(self->clk)) { dev_err(&pdev->dev, "cannot get clock \"%s\"\n", clk_name); + err = -ENODEV; goto err_mem_3; } @@ -760,8 +761,8 @@ static int __devinit sh_sir_probe(struct platform_device *pdev) goto err_mem_4; platform_set_drvdata(pdev, ndev); - - if (request_irq(irq, sh_sir_irq, IRQF_DISABLED, "sh_sir", self)) { + err = request_irq(irq, sh_sir_irq, IRQF_DISABLED, "sh_sir", self); + if (err) { dev_warn(&pdev->dev, "Unable to attach sh_sir interrupt\n"); goto err_mem_4; } -- cgit v0.10.2 From 2dfc96719187d3cb632922a9455abd008db467eb Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 12:10:50 +0000 Subject: drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c: fix error return code The function qlcnic_probe() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to err_out_free_netdev:. For this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c index 473ce13..24ad17e 100644 --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c @@ -1601,7 +1601,8 @@ qlcnic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) adapter->netdev = netdev; adapter->pdev = pdev; - if (qlcnic_alloc_adapter_resources(adapter)) + err = qlcnic_alloc_adapter_resources(adapter); + if (err) goto err_out_free_netdev; adapter->dev_rst_time = jiffies; -- cgit v0.10.2 From 86e506e39909d356ca1c76c00022f3c64f5b7665 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 12:10:51 +0000 Subject: drivers/net/ethernet/amd/amd8111e.c: fix error return code The function amd8111e_probe_one() return 0 for success and negative value for most of its internal tests failures. There are two exceptions that are error cases going to err_free_reg:. For this two cases, the function abort its success execution path, but returns non negative value, making it dificult for a caller function to notice the error. This patch fixes the error cases that do not return negative values. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/amd/amd8111e.c b/drivers/net/ethernet/amd/amd8111e.c index 64d0d9c..3491d43 100644 --- a/drivers/net/ethernet/amd/amd8111e.c +++ b/drivers/net/ethernet/amd/amd8111e.c @@ -1845,6 +1845,7 @@ static int __devinit amd8111e_probe_one(struct pci_dev *pdev, if((pm_cap = pci_find_capability(pdev, PCI_CAP_ID_PM))==0){ printk(KERN_ERR "amd8111e: No Power Management capability, " "exiting.\n"); + err = -ENODEV; goto err_free_reg; } @@ -1852,6 +1853,7 @@ static int __devinit amd8111e_probe_one(struct pci_dev *pdev, if (pci_set_dma_mask(pdev, DMA_BIT_MASK(32)) < 0) { printk(KERN_ERR "amd8111e: DMA not supported," "exiting.\n"); + err = -ENODEV; goto err_free_reg; } -- cgit v0.10.2 From 691299201b1416e823bbada0df316c6408167aa7 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 12:10:52 +0000 Subject: drivers/net/ethernet/amd/au1000_eth.c: fix error return code The function au1000_probe() return 0 for success and negative value for most of its internal tests failures. There are exceptions that are error cases going to err_out:. For this cases, the function abort its success execution path, but returns non negative value, making it dificult for a caller function to notice the error. This patch fixes the error cases that do not return negative values. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/amd/au1000_eth.c b/drivers/net/ethernet/amd/au1000_eth.c index 397596b..f195acf 100644 --- a/drivers/net/ethernet/amd/au1000_eth.c +++ b/drivers/net/ethernet/amd/au1000_eth.c @@ -1174,8 +1174,10 @@ static int __devinit au1000_probe(struct platform_device *pdev) snprintf(aup->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x", pdev->name, aup->mac_id); aup->mii_bus->irq = kmalloc(sizeof(int)*PHY_MAX_ADDR, GFP_KERNEL); - if (aup->mii_bus->irq == NULL) + if (aup->mii_bus->irq == NULL) { + err = -ENOMEM; goto err_out; + } for (i = 0; i < PHY_MAX_ADDR; ++i) aup->mii_bus->irq[i] = PHY_POLL; @@ -1190,7 +1192,8 @@ static int __devinit au1000_probe(struct platform_device *pdev) goto err_mdiobus_reg; } - if (au1000_mii_probe(dev) != 0) + err = au1000_mii_probe(dev); + if (err != 0) goto err_out; pDBfree = NULL; @@ -1205,6 +1208,7 @@ static int __devinit au1000_probe(struct platform_device *pdev) } aup->pDBfree = pDBfree; + err = -ENODEV; for (i = 0; i < NUM_RX_DMA; i++) { pDB = au1000_GetFreeDB(aup); if (!pDB) @@ -1213,6 +1217,8 @@ static int __devinit au1000_probe(struct platform_device *pdev) aup->rx_dma_ring[i]->buff_stat = (unsigned)pDB->dma_addr; aup->rx_db_inuse[i] = pDB; } + + err = -ENODEV; for (i = 0; i < NUM_TX_DMA; i++) { pDB = au1000_GetFreeDB(aup); if (!pDB) -- cgit v0.10.2 From 97db4b9d02a8fc2f06514f10f6b426b97f6f7a0d Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 12:10:53 +0000 Subject: drivers/net/ethernet/natsemi/xtsonic.c: fix error return code The function sonic_probe1() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to out:. For this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/natsemi/xtsonic.c b/drivers/net/ethernet/natsemi/xtsonic.c index e01c0a0..7dfe883 100644 --- a/drivers/net/ethernet/natsemi/xtsonic.c +++ b/drivers/net/ethernet/natsemi/xtsonic.c @@ -205,6 +205,7 @@ static int __init sonic_probe1(struct net_device *dev) if (lp->descriptors == NULL) { printk(KERN_ERR "%s: couldn't alloc DMA memory for " " descriptors.\n", dev_name(lp->device)); + err = -ENOMEM; goto out; } -- cgit v0.10.2 From 043c4789726e6abb5be6115cb054af4926481952 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 12:40:52 +0000 Subject: drivers/net/ethernet/renesas/sh_eth.c: fix error return code The function sh_eth_drv_probe() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to out_release:. For this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c index bad8f2e..c8bfea0 100644 --- a/drivers/net/ethernet/renesas/sh_eth.c +++ b/drivers/net/ethernet/renesas/sh_eth.c @@ -2438,6 +2438,7 @@ static int sh_eth_drv_probe(struct platform_device *pdev) rtsu = platform_get_resource(pdev, IORESOURCE_MEM, 1); if (!rtsu) { dev_err(&pdev->dev, "Not found TSU resource\n"); + ret = -ENODEV; goto out_release; } mdp->tsu_addr = ioremap(rtsu->start, -- cgit v0.10.2 From 8c65ef4b8a21ab7edc7f35bb9a3892b0051b0158 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 12:40:53 +0000 Subject: drivers/net/ethernet/sun/niu.c: fix error return code The function niu_pci_init_one() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to err_out_free_res:. For this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c index 8419bf3..275b430 100644 --- a/drivers/net/ethernet/sun/niu.c +++ b/drivers/net/ethernet/sun/niu.c @@ -9788,6 +9788,7 @@ static int __devinit niu_pci_init_one(struct pci_dev *pdev, if (!pci_is_pcie(pdev)) { dev_err(&pdev->dev, "Cannot find PCI Express capability, aborting\n"); + err = -ENODEV; goto err_out_free_res; } -- cgit v0.10.2 From 4df128341ed5728bc8d8f75709258967f8cc2f5f Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 12:40:54 +0000 Subject: drivers/net/ethernet/sun/sungem.c: fix error return code The function gem_init_one() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to err_out_free_consistent:. For this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/sun/sungem.c b/drivers/net/ethernet/sun/sungem.c index 9ae12d0..6c8695e 100644 --- a/drivers/net/ethernet/sun/sungem.c +++ b/drivers/net/ethernet/sun/sungem.c @@ -2963,7 +2963,8 @@ static int __devinit gem_init_one(struct pci_dev *pdev, goto err_out_iounmap; } - if (gem_get_device_address(gp)) + err = gem_get_device_address(gp); + if (err) goto err_out_free_consistent; dev->netdev_ops = &gem_netdev_ops; -- cgit v0.10.2 From bbcf61fb30279c99e51b9d20b231e8513c5e6b1d Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 12:40:55 +0000 Subject: drivers/net/ethernet/marvell/skge.c: fix error return code The function skge_probe() return 0 for success and negative value for most of its internal tests failures. There is one exception that is error case going to err_out_led_off:. For this error case, the function abort its success execution path, but returns non negative value, making it difficult for a caller function to notice the error. This patch fixes the error case that do not return negative value. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c index 5a30bf8..91836b5 100644 --- a/drivers/net/ethernet/marvell/skge.c +++ b/drivers/net/ethernet/marvell/skge.c @@ -3945,8 +3945,10 @@ static int __devinit skge_probe(struct pci_dev *pdev, skge_board_name(hw), hw->chip_rev); dev = skge_devinit(hw, 0, using_dac); - if (!dev) + if (!dev) { + err = -ENOMEM; goto err_out_led_off; + } /* Some motherboards are broken and has zero in ROM. */ if (!is_valid_ether_addr(dev->dev_addr)) -- cgit v0.10.2 From 0bd8ba18b9384e1c9104eee1d912fd5c8b4234c0 Mon Sep 17 00:00:00 2001 From: Peter Senna Tschudin Date: Fri, 5 Oct 2012 12:40:56 +0000 Subject: drivers/net/ethernet/marvell/sky2.c: fix error return code The function sky2_probe() return 0 for success and negative value for most of its internal tests failures. There are two exceptions that are error cases going to err_out*:. For this two cases, the function abort its success execution path, but returns non negative value, making it dificult for a caller function to notice the error. This patch fixes the error cases that do not return negative values. This was found by Coccinelle, but the code change was made by hand. This patch is not robot generated. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Peter Senna Tschudin Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c index 2b0748d..78946fe 100644 --- a/drivers/net/ethernet/marvell/sky2.c +++ b/drivers/net/ethernet/marvell/sky2.c @@ -4924,6 +4924,7 @@ static int __devinit sky2_probe(struct pci_dev *pdev, if (~reg == 0) { dev_err(&pdev->dev, "PCI configuration read error\n"); + err = -EIO; goto err_out; } @@ -4993,8 +4994,10 @@ static int __devinit sky2_probe(struct pci_dev *pdev, hw->st_size = hw->ports * roundup_pow_of_two(3*RX_MAX_PENDING + TX_MAX_PENDING); hw->st_le = pci_alloc_consistent(pdev, hw->st_size * sizeof(struct sky2_status_le), &hw->st_dma); - if (!hw->st_le) + if (!hw->st_le) { + err = -ENOMEM; goto err_out_reset; + } dev_info(&pdev->dev, "Yukon-2 %s chip revision %d\n", sky2_name(hw->chip_id, buf1, sizeof(buf1)), hw->chip_rev); -- cgit v0.10.2 From e1f165032c8bade3a6bdf546f8faf61fda4dd01c Mon Sep 17 00:00:00 2001 From: "ramesh.nagappa@gmail.com" Date: Fri, 5 Oct 2012 19:10:15 +0000 Subject: net: Fix skb_under_panic oops in neigh_resolve_output The retry loop in neigh_resolve_output() and neigh_connected_output() call dev_hard_header() with out reseting the skb to network_header. This causes the retry to fail with skb_under_panic. The fix is to reset the network_header within the retry loop. Signed-off-by: Ramesh Nagappa Reviewed-by: Shawn Lu Reviewed-by: Robert Coulson Reviewed-by: Billie Alsup Signed-off-by: David S. Miller diff --git a/net/core/neighbour.c b/net/core/neighbour.c index baca771..2257148 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -1301,8 +1301,6 @@ int neigh_resolve_output(struct neighbour *neigh, struct sk_buff *skb) if (!dst) goto discard; - __skb_pull(skb, skb_network_offset(skb)); - if (!neigh_event_send(neigh, skb)) { int err; struct net_device *dev = neigh->dev; @@ -1312,6 +1310,7 @@ int neigh_resolve_output(struct neighbour *neigh, struct sk_buff *skb) neigh_hh_init(neigh, dst); do { + __skb_pull(skb, skb_network_offset(skb)); seq = read_seqbegin(&neigh->ha_lock); err = dev_hard_header(skb, dev, ntohs(skb->protocol), neigh->ha, NULL, skb->len); @@ -1342,9 +1341,8 @@ int neigh_connected_output(struct neighbour *neigh, struct sk_buff *skb) unsigned int seq; int err; - __skb_pull(skb, skb_network_offset(skb)); - do { + __skb_pull(skb, skb_network_offset(skb)); seq = read_seqbegin(&neigh->ha_lock); err = dev_hard_header(skb, dev, ntohs(skb->protocol), neigh->ha, NULL, skb->len); -- cgit v0.10.2 From 51ec04038c113a811b177baa85d293feff9ce995 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Fri, 5 Oct 2012 20:43:30 +0000 Subject: ipv6: GRO should be ECN friendly IPv4 side of the problem was addressed in commit a9e050f4e7f9d (net: tcp: GRO should be ECN friendly) This patch does the same, but for IPv6 : A Traffic Class mismatch doesnt mean flows are different, but instead should force a flush of previous packets. This patch removes artificial packet reordering problem. Signed-off-by: Eric Dumazet Cc: Herbert Xu Signed-off-by: David S. Miller diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index e22e6d8..f757e3b 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -880,22 +880,25 @@ static struct sk_buff **ipv6_gro_receive(struct sk_buff **head, nlen = skb_network_header_len(skb); for (p = *head; p; p = p->next) { - struct ipv6hdr *iph2; + const struct ipv6hdr *iph2; + __be32 first_word; /* */ if (!NAPI_GRO_CB(p)->same_flow) continue; iph2 = ipv6_hdr(p); + first_word = *(__be32 *)iph ^ *(__be32 *)iph2 ; - /* All fields must match except length. */ + /* All fields must match except length and Traffic Class. */ if (nlen != skb_network_header_len(p) || - memcmp(iph, iph2, offsetof(struct ipv6hdr, payload_len)) || + (first_word & htonl(0xF00FFFFF)) || memcmp(&iph->nexthdr, &iph2->nexthdr, nlen - offsetof(struct ipv6hdr, nexthdr))) { NAPI_GRO_CB(p)->same_flow = 0; continue; } - + /* flush if Traffic Class fields are different */ + NAPI_GRO_CB(p)->flush |= !!(first_word & htonl(0x0FF00000)); NAPI_GRO_CB(p)->flush |= flush; } -- cgit v0.10.2 From ca07e43e288956a0ad5e6bd075f7aa1fca3bca00 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Sat, 6 Oct 2012 22:28:06 +0000 Subject: net: gro: fix a potential crash in skb_gro_reset_offset Before accessing skb first fragment, better make sure there is one. This is probably not needed for old kernels, since an ethernet frame cannot contain only an ethernet header, but the recent GRO addition to tunnels makes this patch needed. Also skb_gro_reset_offset() can be static, it actually allows compiler to inline it. Signed-off-by: Eric Dumazet Cc: Herbert Xu Signed-off-by: David S. Miller diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 01646aa..a659fd0 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -1663,7 +1663,6 @@ extern int netpoll_trap(void); #endif extern int skb_gro_receive(struct sk_buff **head, struct sk_buff *skb); -extern void skb_gro_reset_offset(struct sk_buff *skb); static inline unsigned int skb_gro_offset(const struct sk_buff *skb) { diff --git a/net/core/dev.c b/net/core/dev.c index 1e0a184..de2bad7 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -3631,20 +3631,22 @@ gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb) } EXPORT_SYMBOL(napi_skb_finish); -void skb_gro_reset_offset(struct sk_buff *skb) +static void skb_gro_reset_offset(struct sk_buff *skb) { + const struct skb_shared_info *pinfo = skb_shinfo(skb); + const skb_frag_t *frag0 = &pinfo->frags[0]; + NAPI_GRO_CB(skb)->data_offset = 0; NAPI_GRO_CB(skb)->frag0 = NULL; NAPI_GRO_CB(skb)->frag0_len = 0; if (skb->mac_header == skb->tail && - !PageHighMem(skb_frag_page(&skb_shinfo(skb)->frags[0]))) { - NAPI_GRO_CB(skb)->frag0 = - skb_frag_address(&skb_shinfo(skb)->frags[0]); - NAPI_GRO_CB(skb)->frag0_len = skb_frag_size(&skb_shinfo(skb)->frags[0]); + pinfo->nr_frags && + !PageHighMem(skb_frag_page(frag0))) { + NAPI_GRO_CB(skb)->frag0 = skb_frag_address(frag0); + NAPI_GRO_CB(skb)->frag0_len = skb_frag_size(frag0); } } -EXPORT_SYMBOL(skb_gro_reset_offset); gro_result_t napi_gro_receive(struct napi_struct *napi, struct sk_buff *skb) { -- cgit v0.10.2 From d717f14ee0ffb53cb59bd069a33ea36d03a5406e Mon Sep 17 00:00:00 2001 From: Wei Yongjun Date: Sun, 7 Oct 2012 03:23:06 +0000 Subject: vxlan: remove unused including Remove including that don't need it. dpatch engine is used to auto generate this patch. (https://github.com/weiyj/dpatch) Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index 51de9ed..6f95580 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c @@ -28,7 +28,6 @@ #include #include #include -#include #include #include #include -- cgit v0.10.2 From 9545f4e2beb1b4faae5b57250f18b0047fa191fc Mon Sep 17 00:00:00 2001 From: Wei Yongjun Date: Sun, 7 Oct 2012 03:41:50 +0000 Subject: ptp: use list_move instead of list_del/list_add Using list_move() instead of list_del() + list_add(). dpatch engine is used to auto generate this patch. (https://github.com/weiyj/dpatch) Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c index 5b3dd02..0767043f 100644 --- a/drivers/net/ethernet/sfc/ptp.c +++ b/drivers/net/ethernet/sfc/ptp.c @@ -640,8 +640,7 @@ static void efx_ptp_drop_time_expired_events(struct efx_nic *efx) evt = list_entry(cursor, struct efx_ptp_event_rx, link); if (time_after(jiffies, evt->expiry)) { - list_del(&evt->link); - list_add(&evt->link, &ptp->evt_free_list); + list_move(&evt->link, &ptp->evt_free_list); netif_warn(efx, hw, efx->net_dev, "PTP rx event dropped\n"); } @@ -684,8 +683,7 @@ static enum ptp_packet_state efx_ptp_match_rx(struct efx_nic *efx, match->state = PTP_PACKET_STATE_MATCHED; rc = PTP_PACKET_STATE_MATCHED; - list_del(&evt->link); - list_add(&evt->link, &ptp->evt_free_list); + list_move(&evt->link, &ptp->evt_free_list); break; } } @@ -820,8 +818,7 @@ static int efx_ptp_stop(struct efx_nic *efx) /* Drop any pending receive events */ spin_lock_bh(&efx->ptp_data->evt_lock); list_for_each_safe(cursor, next, &efx->ptp_data->evt_list) { - list_del(cursor); - list_add(cursor, &efx->ptp_data->evt_free_list); + list_move(cursor, &efx->ptp_data->evt_free_list); } spin_unlock_bh(&efx->ptp_data->evt_lock); -- cgit v0.10.2 From 594f88e96ebaf290e6509b37fff84b310ec1f155 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 8 Oct 2012 10:12:11 +0300 Subject: cxgb4: allocate enough data in t4_memory_rw() MEMWIN0_APERTURE is the size in bytes. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c index 137a244..e914c41 100644 --- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c @@ -417,7 +417,7 @@ static int t4_memory_rw(struct adapter *adap, int mtype, u32 addr, u32 len, if ((addr & 0x3) || (len & 0x3)) return -EINVAL; - data = vmalloc(MEMWIN0_APERTURE/sizeof(__be32)); + data = vmalloc(MEMWIN0_APERTURE); if (!data) return -ENOMEM; -- cgit v0.10.2 From d851c12b60471188e15e5c8405b289073e8dd025 Mon Sep 17 00:00:00 2001 From: Steffen Klassert Date: Sun, 7 Oct 2012 22:47:25 +0000 Subject: ipv4: Always invalidate or update the route on pmtu events Some protocols, like IPsec still cache routes. So we need to invalidate the old route on pmtu events to avoid the reuse of stale routes. We also need to update the mtu and expire time of the route if we already use a nh exception route, otherwise we ignore newly learned pmtu values after the first expiration. With this patch we always invalidate or update the route on pmtu events. Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller diff --git a/net/ipv4/route.c b/net/ipv4/route.c index ff62206..90ba835 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -904,22 +904,29 @@ out: kfree_skb(skb); return 0; } -static u32 __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu) +static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu) { + struct dst_entry *dst = &rt->dst; struct fib_result res; if (mtu < ip_rt_min_pmtu) mtu = ip_rt_min_pmtu; + if (!rt->rt_pmtu) { + dst->obsolete = DST_OBSOLETE_KILL; + } else { + rt->rt_pmtu = mtu; + dst->expires = max(1UL, jiffies + ip_rt_mtu_expires); + } + rcu_read_lock(); - if (fib_lookup(dev_net(rt->dst.dev), fl4, &res) == 0) { + if (fib_lookup(dev_net(dst->dev), fl4, &res) == 0) { struct fib_nh *nh = &FIB_RES_NH(res); update_or_create_fnhe(nh, fl4->daddr, 0, mtu, jiffies + ip_rt_mtu_expires); } rcu_read_unlock(); - return mtu; } static void ip_rt_update_pmtu(struct dst_entry *dst, struct sock *sk, @@ -929,14 +936,7 @@ static void ip_rt_update_pmtu(struct dst_entry *dst, struct sock *sk, struct flowi4 fl4; ip_rt_build_flow_key(&fl4, sk, skb); - mtu = __ip_rt_update_pmtu(rt, &fl4, mtu); - - if (!rt->rt_pmtu) { - dst->obsolete = DST_OBSOLETE_KILL; - } else { - rt->rt_pmtu = mtu; - rt->dst.expires = max(1UL, jiffies + ip_rt_mtu_expires); - } + __ip_rt_update_pmtu(rt, &fl4, mtu); } void ipv4_update_pmtu(struct sk_buff *skb, struct net *net, u32 mtu, -- cgit v0.10.2 From 7f92d334ba19a0d8e96f8f8f092219553367d921 Mon Sep 17 00:00:00 2001 From: Steffen Klassert Date: Sun, 7 Oct 2012 22:48:18 +0000 Subject: ipv4: Don't create nh exeption when the device mtu is smaller than the reported pmtu When a local tool like tracepath tries to send packets bigger than the device mtu, we create a nh exeption and set the pmtu to device mtu. The device mtu does not expire, so check if the device mtu is smaller than the reported pmtu and don't crerate a nh exeption in that case. Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 90ba835..741df67 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -909,6 +909,9 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu) struct dst_entry *dst = &rt->dst; struct fib_result res; + if (dst->dev->mtu < mtu) + return; + if (mtu < ip_rt_min_pmtu) mtu = ip_rt_min_pmtu; -- cgit v0.10.2 From ee9a8f7ab2edf801b8b514c310455c94acc232f6 Mon Sep 17 00:00:00 2001 From: Steffen Klassert Date: Mon, 8 Oct 2012 00:56:54 +0000 Subject: ipv4: Don't report stale pmtu values to userspace We report cached pmtu values even if they are already expired. Change this to not report these values after they are expired and fix a race in the expire time calculation, as suggested by Eric Dumazet. Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 741df67..132e0df 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2187,8 +2187,18 @@ static int rt_fill_info(struct net *net, __be32 dst, __be32 src, nla_put_be32(skb, RTA_GATEWAY, rt->rt_gateway)) goto nla_put_failure; + expires = rt->dst.expires; + if (expires) { + unsigned long now = jiffies; + + if (time_before(now, expires)) + expires -= now; + else + expires = 0; + } + memcpy(metrics, dst_metrics_ptr(&rt->dst), sizeof(metrics)); - if (rt->rt_pmtu) + if (rt->rt_pmtu && expires) metrics[RTAX_MTU - 1] = rt->rt_pmtu; if (rtnetlink_put_metrics(skb, metrics) < 0) goto nla_put_failure; @@ -2198,13 +2208,6 @@ static int rt_fill_info(struct net *net, __be32 dst, __be32 src, goto nla_put_failure; error = rt->dst.error; - expires = rt->dst.expires; - if (expires) { - if (time_before(jiffies, expires)) - expires -= jiffies; - else - expires = 0; - } if (rt_is_input_route(rt)) { if (nla_put_u32(skb, RTA_IIF, rt->rt_iif)) -- cgit v0.10.2 From 404d9e3fc322023619cf0a9c5c6efbbaf7e14ee8 Mon Sep 17 00:00:00 2001 From: Vipul Pandya Date: Mon, 8 Oct 2012 02:59:43 +0000 Subject: cxgb4: Address various sparse warnings This patch fixes type assignment issues, function definition and symbol shadowing which triggered sparse warnings. Signed-off-by: Jay Hernandez Signed-off-by: Vipul Pandya Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h index 31752b2..a4da893 100644 --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h @@ -696,6 +696,7 @@ int t4_seeprom_wp(struct adapter *adapter, bool enable); int get_vpd_params(struct adapter *adapter, struct vpd_params *p); int t4_load_fw(struct adapter *adapter, const u8 *fw_data, unsigned int size); unsigned int t4_flash_cfg_addr(struct adapter *adapter); +int t4_load_cfg(struct adapter *adapter, const u8 *cfg_data, unsigned int size); int t4_check_fw_version(struct adapter *adapter); int t4_prep_adapter(struct adapter *adapter); int t4_port_init(struct adapter *adap, int mbox, int pf, int vf); diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c index 6b9f6bb..604f4f8 100644 --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c @@ -443,7 +443,10 @@ int dbfifo_int_thresh = 10; /* 10 == 640 entry threshold */ module_param(dbfifo_int_thresh, int, 0644); MODULE_PARM_DESC(dbfifo_int_thresh, "doorbell fifo interrupt threshold"); -int dbfifo_drain_delay = 1000; /* usecs to sleep while draining the dbfifo */ +/* + * usecs to sleep while draining the dbfifo + */ +static int dbfifo_drain_delay = 1000; module_param(dbfifo_drain_delay, int, 0644); MODULE_PARM_DESC(dbfifo_drain_delay, "usecs to sleep while draining the dbfifo"); @@ -636,7 +639,7 @@ static void name_msix_vecs(struct adapter *adap) static int request_msix_queue_irqs(struct adapter *adap) { struct sge *s = &adap->sge; - int err, ethqidx, ofldqidx = 0, rdmaqidx = 0, msi = 2; + int err, ethqidx, ofldqidx = 0, rdmaqidx = 0, msi_index = 2; err = request_irq(adap->msix_info[1].vec, t4_sge_intr_msix, 0, adap->msix_info[1].desc, &s->fw_evtq); @@ -644,56 +647,60 @@ static int request_msix_queue_irqs(struct adapter *adap) return err; for_each_ethrxq(s, ethqidx) { - err = request_irq(adap->msix_info[msi].vec, t4_sge_intr_msix, 0, - adap->msix_info[msi].desc, + err = request_irq(adap->msix_info[msi_index].vec, + t4_sge_intr_msix, 0, + adap->msix_info[msi_index].desc, &s->ethrxq[ethqidx].rspq); if (err) goto unwind; - msi++; + msi_index++; } for_each_ofldrxq(s, ofldqidx) { - err = request_irq(adap->msix_info[msi].vec, t4_sge_intr_msix, 0, - adap->msix_info[msi].desc, + err = request_irq(adap->msix_info[msi_index].vec, + t4_sge_intr_msix, 0, + adap->msix_info[msi_index].desc, &s->ofldrxq[ofldqidx].rspq); if (err) goto unwind; - msi++; + msi_index++; } for_each_rdmarxq(s, rdmaqidx) { - err = request_irq(adap->msix_info[msi].vec, t4_sge_intr_msix, 0, - adap->msix_info[msi].desc, + err = request_irq(adap->msix_info[msi_index].vec, + t4_sge_intr_msix, 0, + adap->msix_info[msi_index].desc, &s->rdmarxq[rdmaqidx].rspq); if (err) goto unwind; - msi++; + msi_index++; } return 0; unwind: while (--rdmaqidx >= 0) - free_irq(adap->msix_info[--msi].vec, + free_irq(adap->msix_info[--msi_index].vec, &s->rdmarxq[rdmaqidx].rspq); while (--ofldqidx >= 0) - free_irq(adap->msix_info[--msi].vec, + free_irq(adap->msix_info[--msi_index].vec, &s->ofldrxq[ofldqidx].rspq); while (--ethqidx >= 0) - free_irq(adap->msix_info[--msi].vec, &s->ethrxq[ethqidx].rspq); + free_irq(adap->msix_info[--msi_index].vec, + &s->ethrxq[ethqidx].rspq); free_irq(adap->msix_info[1].vec, &s->fw_evtq); return err; } static void free_msix_queue_irqs(struct adapter *adap) { - int i, msi = 2; + int i, msi_index = 2; struct sge *s = &adap->sge; free_irq(adap->msix_info[1].vec, &s->fw_evtq); for_each_ethrxq(s, i) - free_irq(adap->msix_info[msi++].vec, &s->ethrxq[i].rspq); + free_irq(adap->msix_info[msi_index++].vec, &s->ethrxq[i].rspq); for_each_ofldrxq(s, i) - free_irq(adap->msix_info[msi++].vec, &s->ofldrxq[i].rspq); + free_irq(adap->msix_info[msi_index++].vec, &s->ofldrxq[i].rspq); for_each_rdmarxq(s, i) - free_irq(adap->msix_info[msi++].vec, &s->rdmarxq[i].rspq); + free_irq(adap->msix_info[msi_index++].vec, &s->rdmarxq[i].rspq); } /** @@ -2535,9 +2542,8 @@ static int read_eq_indices(struct adapter *adap, u16 qid, u16 *pidx, u16 *cidx) ret = t4_mem_win_read_len(adap, addr, (__be32 *)&indices, 8); if (!ret) { - indices = be64_to_cpu(indices); - *cidx = (indices >> 25) & 0xffff; - *pidx = (indices >> 9) & 0xffff; + *cidx = (be64_to_cpu(indices) >> 25) & 0xffff; + *pidx = (be64_to_cpu(indices) >> 9) & 0xffff; } return ret; } @@ -3634,10 +3640,10 @@ static int adap_init0_no_config(struct adapter *adapter, int reset) * field selections will fit in the 36-bit budget. */ if (tp_vlan_pri_map != TP_VLAN_PRI_MAP_DEFAULT) { - int i, bits = 0; + int j, bits = 0; - for (i = TP_VLAN_PRI_MAP_FIRST; i <= TP_VLAN_PRI_MAP_LAST; i++) - switch (tp_vlan_pri_map & (1 << i)) { + for (j = TP_VLAN_PRI_MAP_FIRST; j <= TP_VLAN_PRI_MAP_LAST; j++) + switch (tp_vlan_pri_map & (1 << j)) { case 0: /* compressed filter field not enabled */ break; diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c index e914c41..32eec15 100644 --- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c @@ -380,9 +380,11 @@ static int t4_mem_win_rw(struct adapter *adap, u32 addr, __be32 *data, int dir) /* Collecting data 4 bytes at a time upto MEMWIN0_APERTURE */ for (i = 0; i < MEMWIN0_APERTURE; i = i+0x4) { if (dir) - *data++ = t4_read_reg(adap, (MEMWIN0_BASE + i)); + *data++ = (__force __be32) t4_read_reg(adap, + (MEMWIN0_BASE + i)); else - t4_write_reg(adap, (MEMWIN0_BASE + i), *data++); + t4_write_reg(adap, (MEMWIN0_BASE + i), + (__force u32) *data++); } return 0; @@ -744,7 +746,7 @@ static int t4_read_flash(struct adapter *adapter, unsigned int addr, if (ret) return ret; if (byte_oriented) - *data = htonl(*data); + *data = (__force __u32) (htonl(*data)); } return 0; } @@ -992,7 +994,7 @@ int t4_load_fw(struct adapter *adap, const u8 *fw_data, unsigned int size) int ret, addr; unsigned int i; u8 first_page[SF_PAGE_SIZE]; - const u32 *p = (const u32 *)fw_data; + const __be32 *p = (const __be32 *)fw_data; const struct fw_hdr *hdr = (const struct fw_hdr *)fw_data; unsigned int sf_sec_size = adap->params.sf_size / adap->params.sf_nsec; unsigned int fw_img_start = adap->params.sf_fw_start; @@ -2315,7 +2317,8 @@ int t4_mem_win_read_len(struct adapter *adap, u32 addr, __be32 *data, int len) t4_read_reg(adap, PCIE_MEM_ACCESS_OFFSET); for (i = 0; i < len; i += 4) - *data++ = t4_read_reg(adap, (MEMWIN0_BASE + off + i)); + *data++ = (__force __be32) t4_read_reg(adap, + (MEMWIN0_BASE + off + i)); return 0; } -- cgit v0.10.2 From a2af139ff1cd85df586690ff626619ab1ee88b0a Mon Sep 17 00:00:00 2001 From: Graham Gower Date: Mon, 8 Oct 2012 08:34:50 +0000 Subject: skge: Add DMA mask quirk for Marvell 88E8001 on ASUS P5NSLI motherboard Marvell 88E8001 on an ASUS P5NSLI motherboard is unable to send/receive packets on a system with >4gb ram unless a 32bit DMA mask is used. This issue has been around for years and a fix was sent 3.5 years ago, but there was some debate as to whether it should instead be fixed as a PCI quirk. http://www.spinics.net/lists/netdev/msg88670.html However, 18 months later a similar workaround was introduced for another chipset exhibiting the same problem. http://www.spinics.net/lists/netdev/msg142287.html Signed-off-by: Graham Gower Signed-off-by: Jan Ceuleers Acked-by: Stephen Hemminger Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c index 91836b5..3f7dab4 100644 --- a/drivers/net/ethernet/marvell/skge.c +++ b/drivers/net/ethernet/marvell/skge.c @@ -4155,6 +4155,13 @@ static struct dmi_system_id skge_32bit_dma_boards[] = { DMI_MATCH(DMI_BOARD_NAME, "nForce"), }, }, + { + .ident = "ASUS P5NSLI", + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."), + DMI_MATCH(DMI_BOARD_NAME, "P5NSLI") + }, + }, {} }; -- cgit v0.10.2 From 2e71a6f8084e7ac87166dd77d99c44190fb844fc Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Sat, 6 Oct 2012 08:08:49 +0000 Subject: net: gro: selective flush of packets Current GRO can hold packets in gro_list for almost unlimited time, in case napi->poll() handler consumes its budget over and over. In this case, napi_complete()/napi_gro_flush() are not called. Another problem is that gro_list is flushed in non friendly way : We scan the list and complete packets in the reverse order. (youngest packets first, oldest packets last) This defeats priorities that sender could have cooked. Since GRO currently only store TCP packets, we dont really notice the bug because of retransmits, but this behavior can add unexpected latencies, particularly on mice flows clamped by elephant flows. This patch makes sure no packet can stay more than 1 ms in queue, and only in stress situations. It also complete packets in the right order to minimize latencies. Signed-off-by: Eric Dumazet Cc: Herbert Xu Cc: Jesse Gross Cc: Tom Herbert Cc: Yuchung Cheng Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c index 3f7dab4..9b9c2ac 100644 --- a/drivers/net/ethernet/marvell/skge.c +++ b/drivers/net/ethernet/marvell/skge.c @@ -3189,7 +3189,7 @@ static int skge_poll(struct napi_struct *napi, int to_do) if (work_done < to_do) { unsigned long flags; - napi_gro_flush(napi); + napi_gro_flush(napi, false); spin_lock_irqsave(&hw->hw_lock, flags); __napi_complete(napi); hw->intr_mask |= napimask[skge->port]; diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c index 995d0cf..1c81825 100644 --- a/drivers/net/ethernet/realtek/8139cp.c +++ b/drivers/net/ethernet/realtek/8139cp.c @@ -563,7 +563,7 @@ rx_next: if (cpr16(IntrStatus) & cp_rx_intr_mask) goto rx_status_loop; - napi_gro_flush(napi); + napi_gro_flush(napi, false); spin_lock_irqsave(&cp->lock, flags); __napi_complete(napi); cpw16_f(IntrMask, cp_intr_mask); diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index a659fd0..0a36fff 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -1497,19 +1497,22 @@ struct napi_gro_cb { /* This indicates where we are processing relative to skb->data. */ int data_offset; - /* This is non-zero if the packet may be of the same flow. */ - int same_flow; - /* This is non-zero if the packet cannot be merged with the new skb. */ int flush; /* Number of segments aggregated. */ - int count; + u16 count; + + /* This is non-zero if the packet may be of the same flow. */ + u8 same_flow; /* Free the skb? */ - int free; + u8 free; #define NAPI_GRO_FREE 1 #define NAPI_GRO_FREE_STOLEN_HEAD 2 + + /* jiffies when first packet was created/queued */ + unsigned long age; }; #define NAPI_GRO_CB(skb) ((struct napi_gro_cb *)(skb)->cb) @@ -2156,7 +2159,7 @@ extern gro_result_t dev_gro_receive(struct napi_struct *napi, extern gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb); extern gro_result_t napi_gro_receive(struct napi_struct *napi, struct sk_buff *skb); -extern void napi_gro_flush(struct napi_struct *napi); +extern void napi_gro_flush(struct napi_struct *napi, bool flush_old); extern struct sk_buff * napi_get_frags(struct napi_struct *napi); extern gro_result_t napi_frags_finish(struct napi_struct *napi, struct sk_buff *skb, diff --git a/net/core/dev.c b/net/core/dev.c index de2bad7..d44668f 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -3471,17 +3471,31 @@ out: return netif_receive_skb(skb); } -inline void napi_gro_flush(struct napi_struct *napi) +/* napi->gro_list contains packets ordered by age. + * youngest packets at the head of it. + * Complete skbs in reverse order to reduce latencies. + */ +void napi_gro_flush(struct napi_struct *napi, bool flush_old) { - struct sk_buff *skb, *next; + struct sk_buff *skb, *prev = NULL; - for (skb = napi->gro_list; skb; skb = next) { - next = skb->next; + /* scan list and build reverse chain */ + for (skb = napi->gro_list; skb != NULL; skb = skb->next) { + skb->prev = prev; + prev = skb; + } + + for (skb = prev; skb; skb = prev) { skb->next = NULL; + + if (flush_old && NAPI_GRO_CB(skb)->age == jiffies) + return; + + prev = skb->prev; napi_gro_complete(skb); + napi->gro_count--; } - napi->gro_count = 0; napi->gro_list = NULL; } EXPORT_SYMBOL(napi_gro_flush); @@ -3542,6 +3556,7 @@ enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff *skb) napi->gro_count++; NAPI_GRO_CB(skb)->count = 1; + NAPI_GRO_CB(skb)->age = jiffies; skb_shinfo(skb)->gso_size = skb_gro_len(skb); skb->next = napi->gro_list; napi->gro_list = skb; @@ -3878,7 +3893,7 @@ void napi_complete(struct napi_struct *n) if (unlikely(test_bit(NAPI_STATE_NPSVC, &n->state))) return; - napi_gro_flush(n); + napi_gro_flush(n, false); local_irq_save(flags); __napi_complete(n); local_irq_restore(flags); @@ -3983,8 +3998,17 @@ static void net_rx_action(struct softirq_action *h) local_irq_enable(); napi_complete(n); local_irq_disable(); - } else + } else { + if (n->gro_list) { + /* flush too old packets + * If HZ < 1000, flush all packets. + */ + local_irq_enable(); + napi_gro_flush(n, HZ >= 1000); + local_irq_disable(); + } list_move_tail(&n->poll_list, &sd->poll_list); + } } netpoll_poll_unlock(have); -- cgit v0.10.2 From 48cc32d38a52d0b68f91a171a8d00531edc6a46e Mon Sep 17 00:00:00 2001 From: Florian Zumbiehl Date: Sun, 7 Oct 2012 15:51:58 +0000 Subject: vlan: don't deliver frames for unknown vlans to protocols 6a32e4f9dd9219261f8856f817e6655114cfec2f made the vlan code skip marking vlan-tagged frames for not locally configured vlans as PACKET_OTHERHOST if there was an rx_handler, as the rx_handler could cause the frame to be received on a different (virtual) vlan-capable interface where that vlan might be configured. As rx_handlers do not necessarily return RX_HANDLER_ANOTHER, this could cause frames for unknown vlans to be delivered to the protocol stack as if they had been received untagged. For example, if an ipv6 router advertisement that's tagged for a locally not configured vlan is received on an interface with macvlan interfaces attached, macvlan's rx_handler returns RX_HANDLER_PASS after delivering the frame to the macvlan interfaces, which caused it to be passed to the protocol stack, leading to ipv6 addresses for the announced prefix being configured even though those are completely unusable on the underlying interface. The fix moves marking as PACKET_OTHERHOST after the rx_handler so the rx_handler, if there is one, sees the frame unchanged, but afterwards, before the frame is delivered to the protocol stack, it gets marked whether there is an rx_handler or not. Signed-off-by: Florian Zumbiehl Signed-off-by: David S. Miller diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h index e6ff12d..c0ff748 100644 --- a/include/linux/if_vlan.h +++ b/include/linux/if_vlan.h @@ -80,6 +80,8 @@ static inline int is_vlan_dev(struct net_device *dev) } #define vlan_tx_tag_present(__skb) ((__skb)->vlan_tci & VLAN_TAG_PRESENT) +#define vlan_tx_nonzero_tag_present(__skb) \ + (vlan_tx_tag_present(__skb) && ((__skb)->vlan_tci & VLAN_VID_MASK)) #define vlan_tx_tag_get(__skb) ((__skb)->vlan_tci & ~VLAN_TAG_PRESENT) #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE) @@ -89,7 +91,7 @@ extern struct net_device *__vlan_find_dev_deep(struct net_device *real_dev, extern struct net_device *vlan_dev_real_dev(const struct net_device *dev); extern u16 vlan_dev_vlan_id(const struct net_device *dev); -extern bool vlan_do_receive(struct sk_buff **skb, bool last_handler); +extern bool vlan_do_receive(struct sk_buff **skb); extern struct sk_buff *vlan_untag(struct sk_buff *skb); extern int vlan_vid_add(struct net_device *dev, unsigned short vid); @@ -120,10 +122,8 @@ static inline u16 vlan_dev_vlan_id(const struct net_device *dev) return 0; } -static inline bool vlan_do_receive(struct sk_buff **skb, bool last_handler) +static inline bool vlan_do_receive(struct sk_buff **skb) { - if (((*skb)->vlan_tci & VLAN_VID_MASK) && last_handler) - (*skb)->pkt_type = PACKET_OTHERHOST; return false; } diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c index add69d0..fbbf1fa 100644 --- a/net/8021q/vlan_core.c +++ b/net/8021q/vlan_core.c @@ -5,7 +5,7 @@ #include #include "vlan.h" -bool vlan_do_receive(struct sk_buff **skbp, bool last_handler) +bool vlan_do_receive(struct sk_buff **skbp) { struct sk_buff *skb = *skbp; u16 vlan_id = skb->vlan_tci & VLAN_VID_MASK; @@ -13,14 +13,8 @@ bool vlan_do_receive(struct sk_buff **skbp, bool last_handler) struct vlan_pcpu_stats *rx_stats; vlan_dev = vlan_find_dev(skb->dev, vlan_id); - if (!vlan_dev) { - /* Only the last call to vlan_do_receive() should change - * pkt_type to PACKET_OTHERHOST - */ - if (vlan_id && last_handler) - skb->pkt_type = PACKET_OTHERHOST; + if (!vlan_dev) return false; - } skb = *skbp = skb_share_check(skb, GFP_ATOMIC); if (unlikely(!skb)) diff --git a/net/core/dev.c b/net/core/dev.c index d44668f..09cb3f6 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -3300,18 +3300,18 @@ ncls: && !skb_pfmemalloc_protocol(skb)) goto drop; - rx_handler = rcu_dereference(skb->dev->rx_handler); if (vlan_tx_tag_present(skb)) { if (pt_prev) { ret = deliver_skb(skb, pt_prev, orig_dev); pt_prev = NULL; } - if (vlan_do_receive(&skb, !rx_handler)) + if (vlan_do_receive(&skb)) goto another_round; else if (unlikely(!skb)) goto unlock; } + rx_handler = rcu_dereference(skb->dev->rx_handler); if (rx_handler) { if (pt_prev) { ret = deliver_skb(skb, pt_prev, orig_dev); @@ -3331,6 +3331,9 @@ ncls: } } + if (vlan_tx_nonzero_tag_present(skb)) + skb->pkt_type = PACKET_OTHERHOST; + /* deliver only exact match when indicated */ null_or_dev = deliver_exact ? skb->dev : NULL; -- cgit v0.10.2 From 863472454ce50d4ef0929c6aa738cc5d64b84679 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Mon, 8 Oct 2012 21:38:50 +0200 Subject: ipv6: gro: fix PV6_GRO_CB(skb)->proto problem It seems IPV6_GRO_CB(skb)->proto can be destroyed in skb_gro_receive() if a new skb is allocated (to serve as an anchor for frag_list) We copy NAPI_GRO_CB() only (not the IPV6 specific part) in : *NAPI_GRO_CB(nskb) = *NAPI_GRO_CB(p); So we leave IPV6_GRO_CB(nskb)->proto to 0 (fresh skb allocation) instead of IPPROTO_TCP (6) ipv6_gro_complete() isnt able to call ops->gro_complete() [ tcp6_gro_complete() ] Fix this by moving proto in NAPI_GRO_CB() and getting rid of IPV6_GRO_CB Signed-off-by: Eric Dumazet Cc: Herbert Xu Signed-off-by: David S. Miller diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 0a36fff..561c8bc 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -1513,6 +1513,9 @@ struct napi_gro_cb { /* jiffies when first packet was created/queued */ unsigned long age; + + /* Used in ipv6_gro_receive() */ + int proto; }; #define NAPI_GRO_CB(skb) ((struct napi_gro_cb *)(skb)->cb) diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index f757e3b..a974247 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -822,13 +822,6 @@ out: return segs; } -struct ipv6_gro_cb { - struct napi_gro_cb napi; - int proto; -}; - -#define IPV6_GRO_CB(skb) ((struct ipv6_gro_cb *)(skb)->cb) - static struct sk_buff **ipv6_gro_receive(struct sk_buff **head, struct sk_buff *skb) { @@ -874,7 +867,7 @@ static struct sk_buff **ipv6_gro_receive(struct sk_buff **head, iph = ipv6_hdr(skb); } - IPV6_GRO_CB(skb)->proto = proto; + NAPI_GRO_CB(skb)->proto = proto; flush--; nlen = skb_network_header_len(skb); @@ -930,7 +923,7 @@ static int ipv6_gro_complete(struct sk_buff *skb) sizeof(*iph)); rcu_read_lock(); - ops = rcu_dereference(inet6_protos[IPV6_GRO_CB(skb)->proto]); + ops = rcu_dereference(inet6_protos[NAPI_GRO_CB(skb)->proto]); if (WARN_ON(!ops || !ops->gro_complete)) goto out_unlock; -- cgit v0.10.2 From e81da0e113a1b7fc7449ae6213f65f89ccac6d06 Mon Sep 17 00:00:00 2001 From: Julian Anastasov Date: Mon, 8 Oct 2012 11:41:15 +0000 Subject: ipv4: fix sending of redirects After "Cache input routes in fib_info nexthops" (commit d2d68ba9fe) and "Elide fib_validate_source() completely when possible" (commit 7a9bc9b81a) we can not send ICMP redirects. It seems we should not cache the RTCF_DOREDIRECT flag in nh_rth_input because the same fib_info can be used for traffic that is not redirected, eg. from other input devices or from sources that are not in same subnet. As result, we have to disable the caching of RTCF_DOREDIRECT flag and to force source validation for the case when forwarding traffic to the input device. If traffic comes from directly connected source we allow redirection as it was done before both changes. Avoid setting RTCF_DOREDIRECT if IN_DEV_TX_REDIRECTS is disabled, this can avoid source address validation and to help caching the routes. After the change "Adjust semantics of rt->rt_gateway" (commit f8126f1d51) we should make sure our ICMP_REDIR_HOST messages contain daddr instead of 0.0.0.0 when target is directly connected. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 68c93d1..825c608 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -322,7 +322,8 @@ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, { int r = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev); - if (!r && !fib_num_tclassid_users(dev_net(dev))) { + if (!r && !fib_num_tclassid_users(dev_net(dev)) && + (dev->ifindex != oif || !IN_DEV_TX_REDIRECTS(idev))) { *itag = 0; return 0; } diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 132e0df..b90da1b 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -802,7 +802,8 @@ void ip_rt_send_redirect(struct sk_buff *skb) net = dev_net(rt->dst.dev); peer = inet_getpeer_v4(net->ipv4.peers, ip_hdr(skb)->saddr, 1); if (!peer) { - icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, rt->rt_gateway); + icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, + rt_nexthop(rt, ip_hdr(skb)->daddr)); return; } @@ -827,7 +828,9 @@ void ip_rt_send_redirect(struct sk_buff *skb) time_after(jiffies, (peer->rate_last + (ip_rt_redirect_load << peer->rate_tokens)))) { - icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, rt->rt_gateway); + __be32 gw = rt_nexthop(rt, ip_hdr(skb)->daddr); + + icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, gw); peer->rate_last = jiffies; ++peer->rate_tokens; #ifdef CONFIG_IP_ROUTE_VERBOSE @@ -835,7 +838,7 @@ void ip_rt_send_redirect(struct sk_buff *skb) peer->rate_tokens == ip_rt_redirect_number) net_warn_ratelimited("host %pI4/if%d ignores redirects for %pI4 to %pI4\n", &ip_hdr(skb)->saddr, inet_iif(skb), - &ip_hdr(skb)->daddr, &rt->rt_gateway); + &ip_hdr(skb)->daddr, &gw); #endif } out_put_peer: @@ -1442,10 +1445,13 @@ static int __mkroute_input(struct sk_buff *skb, goto cleanup; } - if (out_dev == in_dev && err && + do_cache = res->fi && !itag; + if (out_dev == in_dev && err && IN_DEV_TX_REDIRECTS(out_dev) && (IN_DEV_SHARED_MEDIA(out_dev) || - inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res)))) + inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res)))) { flags |= RTCF_DOREDIRECT; + do_cache = false; + } if (skb->protocol != htons(ETH_P_IP)) { /* Not IP (i.e. ARP). Do not create route, if it is @@ -1462,15 +1468,11 @@ static int __mkroute_input(struct sk_buff *skb, } } - do_cache = false; - if (res->fi) { - if (!itag) { - rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input); - if (rt_cache_valid(rth)) { - skb_dst_set_noref(skb, &rth->dst); - goto out; - } - do_cache = true; + if (do_cache) { + rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input); + if (rt_cache_valid(rth)) { + skb_dst_set_noref(skb, &rth->dst); + goto out; } } -- cgit v0.10.2 From e0adef0f7456d5d3a3bfe8ea61c7dddf146b40e1 Mon Sep 17 00:00:00 2001 From: Julian Anastasov Date: Mon, 8 Oct 2012 11:41:16 +0000 Subject: ipv4: fix forwarding for strict source routes After the change "Adjust semantics of rt->rt_gateway" (commit f8126f1d51) rt_gateway can be 0 but ip_forward() compares it directly with nexthop. What we want here is to check if traffic is to directly connected nexthop and to fail if using gateway. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c index ab09b12..7f35ac2 100644 --- a/net/ipv4/ip_forward.c +++ b/net/ipv4/ip_forward.c @@ -85,7 +85,7 @@ int ip_forward(struct sk_buff *skb) rt = skb_rtable(skb); - if (opt->is_strictroute && opt->nexthop != rt->rt_gateway) + if (opt->is_strictroute && rt->rt_gateway) goto sr_failed; if (unlikely(skb->len > dst_mtu(&rt->dst) && !skb_is_gso(skb) && -- cgit v0.10.2 From f8a17175c63fd3e8b573719f7538816f8c96abf4 Mon Sep 17 00:00:00 2001 From: Julian Anastasov Date: Mon, 8 Oct 2012 11:41:17 +0000 Subject: ipv4: make sure nh_pcpu_rth_output is always allocated Avoid checking nh_pcpu_rth_output in fast path, abort fib_info creation on alloc_percpu failure. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c index 2677530..71b125c 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c @@ -840,6 +840,8 @@ struct fib_info *fib_create_info(struct fib_config *cfg) change_nexthops(fi) { nexthop_nh->nh_parent = fi; nexthop_nh->nh_pcpu_rth_output = alloc_percpu(struct rtable __rcu *); + if (!nexthop_nh->nh_pcpu_rth_output) + goto failure; } endfor_nexthops(fi) if (cfg->fc_mx) { diff --git a/net/ipv4/route.c b/net/ipv4/route.c index b90da1b..5b0180f 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1207,8 +1207,6 @@ static bool rt_cache_route(struct fib_nh *nh, struct rtable *rt) if (rt_is_input_route(rt)) { p = (struct rtable **)&nh->nh_rth_input; } else { - if (!nh->nh_pcpu_rth_output) - goto nocache; p = (struct rtable **)__this_cpu_ptr(nh->nh_pcpu_rth_output); } orig = *p; @@ -1223,7 +1221,6 @@ static bool rt_cache_route(struct fib_nh *nh, struct rtable *rt) * unsuccessful at storing this route into the cache * we really need to set it. */ -nocache: rt->dst.flags |= DST_NOCACHE; ret = false; } -- cgit v0.10.2 From 155e8336c373d14d87a7f91e356d85ef4b93b8f9 Mon Sep 17 00:00:00 2001 From: Julian Anastasov Date: Mon, 8 Oct 2012 11:41:18 +0000 Subject: ipv4: introduce rt_uses_gateway Add new flag to remember when route is via gateway. We will use it to allow rt_gateway to contain address of directly connected host for the cases when DST_NOCACHE is used or when the NH exception caches per-destination route without DST_NOCACHE flag, i.e. when routes are not used for other destinations. By this way we force the neighbour resolving to work with the routed destination but we can use different address in the packet, feature needed for IPVS-DR where original packet for virtual IP is routed via route to real IP. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller diff --git a/include/net/route.h b/include/net/route.h index da22243..bc40b63 100644 --- a/include/net/route.h +++ b/include/net/route.h @@ -48,7 +48,8 @@ struct rtable { int rt_genid; unsigned int rt_flags; __u16 rt_type; - __u16 rt_is_input; + __u8 rt_is_input; + __u8 rt_uses_gateway; int rt_iif; diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c index f0c5b9c..d34ce29 100644 --- a/net/ipv4/inet_connection_sock.c +++ b/net/ipv4/inet_connection_sock.c @@ -406,7 +406,7 @@ struct dst_entry *inet_csk_route_req(struct sock *sk, rt = ip_route_output_flow(net, fl4, sk); if (IS_ERR(rt)) goto no_route; - if (opt && opt->opt.is_strictroute && rt->rt_gateway) + if (opt && opt->opt.is_strictroute && rt->rt_uses_gateway) goto route_err; return &rt->dst; @@ -442,7 +442,7 @@ struct dst_entry *inet_csk_route_child_sock(struct sock *sk, rt = ip_route_output_flow(net, fl4, sk); if (IS_ERR(rt)) goto no_route; - if (opt && opt->opt.is_strictroute && rt->rt_gateway) + if (opt && opt->opt.is_strictroute && rt->rt_uses_gateway) goto route_err; rcu_read_unlock(); return &rt->dst; diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c index 7f35ac2..694de3b 100644 --- a/net/ipv4/ip_forward.c +++ b/net/ipv4/ip_forward.c @@ -85,7 +85,7 @@ int ip_forward(struct sk_buff *skb) rt = skb_rtable(skb); - if (opt->is_strictroute && rt->rt_gateway) + if (opt->is_strictroute && rt->rt_uses_gateway) goto sr_failed; if (unlikely(skb->len > dst_mtu(&rt->dst) && !skb_is_gso(skb) && diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 24a29a3..6537a40 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -193,7 +193,7 @@ static inline int ip_finish_output2(struct sk_buff *skb) } rcu_read_lock_bh(); - nexthop = rt->rt_gateway ? rt->rt_gateway : ip_hdr(skb)->daddr; + nexthop = (__force u32) rt_nexthop(rt, ip_hdr(skb)->daddr); neigh = __ipv4_neigh_lookup_noref(dev, nexthop); if (unlikely(!neigh)) neigh = __neigh_create(&arp_tbl, &nexthop, dev, false); @@ -371,7 +371,7 @@ int ip_queue_xmit(struct sk_buff *skb, struct flowi *fl) skb_dst_set_noref(skb, &rt->dst); packet_routed: - if (inet_opt && inet_opt->opt.is_strictroute && rt->rt_gateway) + if (inet_opt && inet_opt->opt.is_strictroute && rt->rt_uses_gateway) goto no_route; /* OK, we know where to send it, allocate and build IP header. */ diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 5b0180f..3a116cb 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1126,7 +1126,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst) mtu = dst->dev->mtu; if (unlikely(dst_metric_locked(dst, RTAX_MTU))) { - if (rt->rt_gateway && mtu > 576) + if (rt->rt_uses_gateway && mtu > 576) mtu = 576; } @@ -1177,7 +1177,9 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe, if (fnhe->fnhe_gw) { rt->rt_flags |= RTCF_REDIRECTED; rt->rt_gateway = fnhe->fnhe_gw; - } + rt->rt_uses_gateway = 1; + } else if (!rt->rt_gateway) + rt->rt_gateway = daddr; orig = rcu_dereference(fnhe->fnhe_rth); rcu_assign_pointer(fnhe->fnhe_rth, rt); @@ -1186,13 +1188,6 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe, fnhe->fnhe_stamp = jiffies; ret = true; - } else { - /* Routes we intend to cache in nexthop exception have - * the DST_NOCACHE bit clear. However, if we are - * unsuccessful at storing this route into the cache - * we really need to set it. - */ - rt->dst.flags |= DST_NOCACHE; } spin_unlock_bh(&fnhe_lock); @@ -1215,15 +1210,8 @@ static bool rt_cache_route(struct fib_nh *nh, struct rtable *rt) if (prev == orig) { if (orig) rt_free(orig); - } else { - /* Routes we intend to cache in the FIB nexthop have - * the DST_NOCACHE bit clear. However, if we are - * unsuccessful at storing this route into the cache - * we really need to set it. - */ - rt->dst.flags |= DST_NOCACHE; + } else ret = false; - } return ret; } @@ -1284,8 +1272,10 @@ static void rt_set_nexthop(struct rtable *rt, __be32 daddr, if (fi) { struct fib_nh *nh = &FIB_RES_NH(*res); - if (nh->nh_gw && nh->nh_scope == RT_SCOPE_LINK) + if (nh->nh_gw && nh->nh_scope == RT_SCOPE_LINK) { rt->rt_gateway = nh->nh_gw; + rt->rt_uses_gateway = 1; + } dst_init_metrics(&rt->dst, fi->fib_metrics, true); #ifdef CONFIG_IP_ROUTE_CLASSID rt->dst.tclassid = nh->nh_tclassid; @@ -1294,8 +1284,18 @@ static void rt_set_nexthop(struct rtable *rt, __be32 daddr, cached = rt_bind_exception(rt, fnhe, daddr); else if (!(rt->dst.flags & DST_NOCACHE)) cached = rt_cache_route(nh, rt); - } - if (unlikely(!cached)) + if (unlikely(!cached)) { + /* Routes we intend to cache in nexthop exception or + * FIB nexthop have the DST_NOCACHE bit clear. + * However, if we are unsuccessful at storing this + * route into the cache we really need to set it. + */ + rt->dst.flags |= DST_NOCACHE; + if (!rt->rt_gateway) + rt->rt_gateway = daddr; + rt_add_uncached_list(rt); + } + } else rt_add_uncached_list(rt); #ifdef CONFIG_IP_ROUTE_CLASSID @@ -1363,6 +1363,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, rth->rt_iif = 0; rth->rt_pmtu = 0; rth->rt_gateway = 0; + rth->rt_uses_gateway = 0; INIT_LIST_HEAD(&rth->rt_uncached); if (our) { rth->dst.input= ip_local_deliver; @@ -1432,7 +1433,6 @@ static int __mkroute_input(struct sk_buff *skb, return -EINVAL; } - err = fib_validate_source(skb, saddr, daddr, tos, FIB_RES_OIF(*res), in_dev->dev, in_dev, &itag); if (err < 0) { @@ -1488,6 +1488,7 @@ static int __mkroute_input(struct sk_buff *skb, rth->rt_iif = 0; rth->rt_pmtu = 0; rth->rt_gateway = 0; + rth->rt_uses_gateway = 0; INIT_LIST_HEAD(&rth->rt_uncached); rth->dst.input = ip_forward; @@ -1658,6 +1659,7 @@ local_input: rth->rt_iif = 0; rth->rt_pmtu = 0; rth->rt_gateway = 0; + rth->rt_uses_gateway = 0; INIT_LIST_HEAD(&rth->rt_uncached); if (res.type == RTN_UNREACHABLE) { rth->dst.input= ip_error; @@ -1826,6 +1828,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res, rth->rt_iif = orig_oif ? : 0; rth->rt_pmtu = 0; rth->rt_gateway = 0; + rth->rt_uses_gateway = 0; INIT_LIST_HEAD(&rth->rt_uncached); RT_CACHE_STAT_INC(out_slow_tot); @@ -2104,6 +2107,7 @@ struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_or rt->rt_flags = ort->rt_flags; rt->rt_type = ort->rt_type; rt->rt_gateway = ort->rt_gateway; + rt->rt_uses_gateway = ort->rt_uses_gateway; INIT_LIST_HEAD(&rt->rt_uncached); @@ -2182,7 +2186,7 @@ static int rt_fill_info(struct net *net, __be32 dst, __be32 src, if (nla_put_be32(skb, RTA_PREFSRC, fl4->saddr)) goto nla_put_failure; } - if (rt->rt_gateway && + if (rt->rt_uses_gateway && nla_put_be32(skb, RTA_GATEWAY, rt->rt_gateway)) goto nla_put_failure; diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index 681ea2f..05c5ab8 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c @@ -91,6 +91,7 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev, RTCF_LOCAL); xdst->u.rt.rt_type = rt->rt_type; xdst->u.rt.rt_gateway = rt->rt_gateway; + xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway; xdst->u.rt.rt_pmtu = rt->rt_pmtu; INIT_LIST_HEAD(&xdst->u.rt.rt_uncached); -- cgit v0.10.2 From c92b96553a80c1dbe2ebe128bbe37c8f98f148bf Mon Sep 17 00:00:00 2001 From: Julian Anastasov Date: Mon, 8 Oct 2012 11:41:19 +0000 Subject: ipv4: Add FLOWI_FLAG_KNOWN_NH Add flag to request that output route should be returned with known rt_gateway, in case we want to use it as nexthop for neighbour resolving. The returned route can be cached as follows: - in NH exception: because the cached routes are not shared with other destinations - in FIB NH: when using gateway because all destinations for NH share same gateway As last option, to return rt_gateway!=0 we have to set DST_NOCACHE. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller diff --git a/include/net/flow.h b/include/net/flow.h index e1dd508..628e11b 100644 --- a/include/net/flow.h +++ b/include/net/flow.h @@ -21,6 +21,7 @@ struct flowi_common { __u8 flowic_flags; #define FLOWI_FLAG_ANYSRC 0x01 #define FLOWI_FLAG_CAN_SLEEP 0x02 +#define FLOWI_FLAG_KNOWN_NH 0x04 __u32 flowic_secid; }; diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 3a116cb..1a0da8d 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1762,6 +1762,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res, struct in_device *in_dev; u16 type = res->type; struct rtable *rth; + bool do_cache; in_dev = __in_dev_get_rcu(dev_out); if (!in_dev) @@ -1798,24 +1799,36 @@ static struct rtable *__mkroute_output(const struct fib_result *res, } fnhe = NULL; + do_cache = fi != NULL; if (fi) { struct rtable __rcu **prth; + struct fib_nh *nh = &FIB_RES_NH(*res); - fnhe = find_exception(&FIB_RES_NH(*res), fl4->daddr); + fnhe = find_exception(nh, fl4->daddr); if (fnhe) prth = &fnhe->fnhe_rth; - else - prth = __this_cpu_ptr(FIB_RES_NH(*res).nh_pcpu_rth_output); + else { + if (unlikely(fl4->flowi4_flags & + FLOWI_FLAG_KNOWN_NH && + !(nh->nh_gw && + nh->nh_scope == RT_SCOPE_LINK))) { + do_cache = false; + goto add; + } + prth = __this_cpu_ptr(nh->nh_pcpu_rth_output); + } rth = rcu_dereference(*prth); if (rt_cache_valid(rth)) { dst_hold(&rth->dst); return rth; } } + +add: rth = rt_dst_alloc(dev_out, IN_DEV_CONF_GET(in_dev, NOPOLICY), IN_DEV_CONF_GET(in_dev, NOXFRM), - fi); + do_cache); if (!rth) return ERR_PTR(-ENOBUFS); -- cgit v0.10.2 From ad4d3ef8b7eb527cca478dc08c02c10936e64115 Mon Sep 17 00:00:00 2001 From: Julian Anastasov Date: Mon, 8 Oct 2012 11:41:20 +0000 Subject: ipvs: fix ARP resolving for direct routing mode After the change "Make neigh lookups directly in output packet path" (commit a263b30936) IPVS can not reach the real server for DR mode because we resolve the destination address from IP header, not from route neighbour. Use the new FLOWI_FLAG_KNOWN_NH flag to request output routes with known nexthop, so that it has preference on resolving. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c index 56f6d5d..cc4c809 100644 --- a/net/netfilter/ipvs/ip_vs_xmit.c +++ b/net/netfilter/ipvs/ip_vs_xmit.c @@ -50,6 +50,7 @@ enum { * local */ IP_VS_RT_MODE_CONNECT = 8, /* Always bind route to saddr */ + IP_VS_RT_MODE_KNOWN_NH = 16,/* Route via remote addr */ }; /* @@ -113,6 +114,8 @@ static struct rtable *do_output_route4(struct net *net, __be32 daddr, fl4.daddr = daddr; fl4.saddr = (rt_mode & IP_VS_RT_MODE_CONNECT) ? *saddr : 0; fl4.flowi4_tos = rtos; + fl4.flowi4_flags = (rt_mode & IP_VS_RT_MODE_KNOWN_NH) ? + FLOWI_FLAG_KNOWN_NH : 0; retry: rt = ip_route_output_key(net, &fl4); @@ -1061,7 +1064,8 @@ ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip, RT_TOS(iph->tos), IP_VS_RT_MODE_LOCAL | - IP_VS_RT_MODE_NON_LOCAL, NULL))) + IP_VS_RT_MODE_NON_LOCAL | + IP_VS_RT_MODE_KNOWN_NH, NULL))) goto tx_error_icmp; if (rt->rt_flags & RTCF_LOCAL) { ip_rt_put(rt); -- cgit v0.10.2 From 7c41c42c5d9db9efd8caab4764e912458a1a1a79 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 8 Oct 2012 14:55:30 -0700 Subject: vxlan: fix more sparse warnings Fix a couple harmless sparse warnings reported by Fengguang Wu. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index 6f95580..8be9bf0 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c @@ -1083,13 +1083,13 @@ static int vxlan_fill_info(struct sk_buff *skb, const struct net_device *dev) if (nla_put_u32(skb, IFLA_VXLAN_ID, vxlan->vni)) goto nla_put_failure; - if (vxlan->gaddr && nla_put_u32(skb, IFLA_VXLAN_GROUP, vxlan->gaddr)) + if (vxlan->gaddr && nla_put_be32(skb, IFLA_VXLAN_GROUP, vxlan->gaddr)) goto nla_put_failure; if (vxlan->link && nla_put_u32(skb, IFLA_VXLAN_LINK, vxlan->link)) goto nla_put_failure; - if (vxlan->saddr && nla_put_u32(skb, IFLA_VXLAN_LOCAL, vxlan->saddr)) + if (vxlan->saddr && nla_put_be32(skb, IFLA_VXLAN_LOCAL, vxlan->saddr)) goto nla_put_failure; if (nla_put_u8(skb, IFLA_VXLAN_TTL, vxlan->ttl) || -- cgit v0.10.2 From 66eef59f22275002f621ff9d951886b513d011b3 Mon Sep 17 00:00:00 2001 From: Michael Neuling Date: Tue, 9 Oct 2012 10:52:25 +1100 Subject: net: fix typo in freescale/ucc_geth.c The following patch: acb600d net: remove skb recycling added dev_free_skb() to drivers/net/ethernet/freescale/ucc_geth.c This is a typo and should be dev_kfree_skb(). This fixes this. Signed-off-by: Michael Neuling Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/freescale/ucc_geth.c b/drivers/net/ethernet/freescale/ucc_geth.c index dfa0aaa..0a70bb5 100644 --- a/drivers/net/ethernet/freescale/ucc_geth.c +++ b/drivers/net/ethernet/freescale/ucc_geth.c @@ -3268,7 +3268,7 @@ static int ucc_geth_rx(struct ucc_geth_private *ugeth, u8 rxQ, int rx_work_limit if (netif_msg_rx_err(ugeth)) ugeth_err("%s, %d: ERROR!!! skb - 0x%08x", __func__, __LINE__, (u32) skb); - dev_free_skb(skb); + dev_kfree_skb(skb); ugeth->rx_skbuff[rxQ][ugeth->skb_currx[rxQ]] = NULL; dev->stats.rx_dropped++; -- cgit v0.10.2 From 27a3aadcdc4f07c55f4d04e71268b6653ab4a4cf Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 9 Oct 2012 09:48:40 +0100 Subject: UAPI: (Scripted) Disintegrate include/linux/caif Signed-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones diff --git a/include/linux/caif/Kbuild b/include/linux/caif/Kbuild index a9cf250..e69de29 100644 --- a/include/linux/caif/Kbuild +++ b/include/linux/caif/Kbuild @@ -1,2 +0,0 @@ -header-y += caif_socket.h -header-y += if_caif.h diff --git a/include/linux/caif/caif_socket.h b/include/linux/caif/caif_socket.h deleted file mode 100644 index 3f3bac6..0000000 --- a/include/linux/caif/caif_socket.h +++ /dev/null @@ -1,194 +0,0 @@ -/* linux/caif_socket.h - * CAIF Definitions for CAIF socket and network layer - * Copyright (C) ST-Ericsson AB 2010 - * Author: Sjur Brendeland/ sjur.brandeland@stericsson.com - * License terms: GNU General Public License (GPL) version 2 - */ - -#ifndef _LINUX_CAIF_SOCKET_H -#define _LINUX_CAIF_SOCKET_H - -#include -#include - -/** - * enum caif_link_selector - Physical Link Selection. - * @CAIF_LINK_HIGH_BANDW: Physical interface for high-bandwidth - * traffic. - * @CAIF_LINK_LOW_LATENCY: Physical interface for low-latency - * traffic. - * - * CAIF Link Layers can register their link properties. - * This enum is used for choosing between CAIF Link Layers when - * setting up CAIF Channels when multiple CAIF Link Layers exists. - */ -enum caif_link_selector { - CAIF_LINK_HIGH_BANDW, - CAIF_LINK_LOW_LATENCY -}; - -/** - * enum caif_channel_priority - CAIF channel priorities. - * - * @CAIF_PRIO_MIN: Min priority for a channel. - * @CAIF_PRIO_LOW: Low-priority channel. - * @CAIF_PRIO_NORMAL: Normal/default priority level. - * @CAIF_PRIO_HIGH: High priority level - * @CAIF_PRIO_MAX: Max priority for channel - * - * Priority can be set on CAIF Channels in order to - * prioritize between traffic on different CAIF Channels. - * These priority levels are recommended, but the priority value - * is not restricted to the values defined in this enum, any value - * between CAIF_PRIO_MIN and CAIF_PRIO_MAX could be used. - */ -enum caif_channel_priority { - CAIF_PRIO_MIN = 0x01, - CAIF_PRIO_LOW = 0x04, - CAIF_PRIO_NORMAL = 0x0f, - CAIF_PRIO_HIGH = 0x14, - CAIF_PRIO_MAX = 0x1F -}; - -/** - * enum caif_protocol_type - CAIF Channel type. - * @CAIFPROTO_AT: Classic AT channel. - * @CAIFPROTO_DATAGRAM: Datagram channel. - * @CAIFPROTO_DATAGRAM_LOOP: Datagram loopback channel, used for testing. - * @CAIFPROTO_UTIL: Utility (Psock) channel. - * @CAIFPROTO_RFM: Remote File Manager - * @CAIFPROTO_DEBUG: Debug link - * - * This enum defines the CAIF Channel type to be used. This defines - * the service to connect to on the modem. - */ -enum caif_protocol_type { - CAIFPROTO_AT, - CAIFPROTO_DATAGRAM, - CAIFPROTO_DATAGRAM_LOOP, - CAIFPROTO_UTIL, - CAIFPROTO_RFM, - CAIFPROTO_DEBUG, - _CAIFPROTO_MAX -}; -#define CAIFPROTO_MAX _CAIFPROTO_MAX - -/** - * enum caif_at_type - AT Service Endpoint - * @CAIF_ATTYPE_PLAIN: Connects to a plain vanilla AT channel. - */ -enum caif_at_type { - CAIF_ATTYPE_PLAIN = 2 -}; - /** - * enum caif_debug_type - Content selection for debug connection - * @CAIF_DEBUG_TRACE_INTERACTIVE: Connection will contain - * both trace and interactive debug. - * @CAIF_DEBUG_TRACE: Connection contains trace only. - * @CAIF_DEBUG_INTERACTIVE: Connection to interactive debug. - */ -enum caif_debug_type { - CAIF_DEBUG_TRACE_INTERACTIVE = 0, - CAIF_DEBUG_TRACE, - CAIF_DEBUG_INTERACTIVE, -}; - -/** - * enum caif_debug_service - Debug Service Endpoint - * @CAIF_RADIO_DEBUG_SERVICE: Debug service on the Radio sub-system - * @CAIF_APP_DEBUG_SERVICE: Debug for the applications sub-system - */ -enum caif_debug_service { - CAIF_RADIO_DEBUG_SERVICE = 1, - CAIF_APP_DEBUG_SERVICE -}; - -/** - * struct sockaddr_caif - the sockaddr structure for CAIF sockets. - * @family: Address family number, must be AF_CAIF. - * @u: Union of address data 'switched' by family. - * : - * @u.at: Applies when family = CAIFPROTO_AT. - * - * @u.at.type: Type of AT link to set up (enum caif_at_type). - * - * @u.util: Applies when family = CAIFPROTO_UTIL - * - * @u.util.service: Utility service name. - * - * @u.dgm: Applies when family = CAIFPROTO_DATAGRAM - * - * @u.dgm.connection_id: Datagram connection id. - * - * @u.dgm.nsapi: NSAPI of the PDP-Context. - * - * @u.rfm: Applies when family = CAIFPROTO_RFM - * - * @u.rfm.connection_id: Connection ID for RFM. - * - * @u.rfm.volume: Volume to mount. - * - * @u.dbg: Applies when family = CAIFPROTO_DEBUG. - * - * @u.dbg.type: Type of debug connection to set up - * (caif_debug_type). - * - * @u.dbg.service: Service sub-system to connect (caif_debug_service - * Description: - * This structure holds the connect parameters used for setting up a - * CAIF Channel. It defines the service to connect to on the modem. - */ -struct sockaddr_caif { - __kernel_sa_family_t family; - union { - struct { - __u8 type; /* type: enum caif_at_type */ - } at; /* CAIFPROTO_AT */ - struct { - char service[16]; - } util; /* CAIFPROTO_UTIL */ - union { - __u32 connection_id; - __u8 nsapi; - } dgm; /* CAIFPROTO_DATAGRAM(_LOOP)*/ - struct { - __u32 connection_id; - char volume[16]; - } rfm; /* CAIFPROTO_RFM */ - struct { - __u8 type; /* type:enum caif_debug_type */ - __u8 service; /* service:caif_debug_service */ - } dbg; /* CAIFPROTO_DEBUG */ - } u; -}; - -/** - * enum caif_socket_opts - CAIF option values for getsockopt and setsockopt. - * - * @CAIFSO_LINK_SELECT: Selector used if multiple CAIF Link layers are - * available. Either a high bandwidth - * link can be selected (CAIF_LINK_HIGH_BANDW) or - * or a low latency link (CAIF_LINK_LOW_LATENCY). - * This option is of type __u32. - * Alternatively SO_BINDTODEVICE can be used. - * - * @CAIFSO_REQ_PARAM: Used to set the request parameters for a - * utility channel. (maximum 256 bytes). This - * option must be set before connecting. - * - * @CAIFSO_RSP_PARAM: Gets the response parameters for a utility - * channel. (maximum 256 bytes). This option - * is valid after a successful connect. - * - * - * This enum defines the CAIF Socket options to be used on a socket - * of type PF_CAIF. - * - */ -enum caif_socket_opts { - CAIFSO_LINK_SELECT = 127, - CAIFSO_REQ_PARAM = 128, - CAIFSO_RSP_PARAM = 129, -}; - -#endif /* _LINUX_CAIF_SOCKET_H */ diff --git a/include/linux/caif/if_caif.h b/include/linux/caif/if_caif.h deleted file mode 100644 index 5e7eed4..0000000 --- a/include/linux/caif/if_caif.h +++ /dev/null @@ -1,34 +0,0 @@ -/* - * Copyright (C) ST-Ericsson AB 2010 - * Author: Sjur Brendeland/ sjur.brandeland@stericsson.com - * License terms: GNU General Public License (GPL) version 2 - */ - -#ifndef IF_CAIF_H_ -#define IF_CAIF_H_ -#include -#include -#include - -/** - * enum ifla_caif - CAIF NetlinkRT parameters. - * @IFLA_CAIF_IPV4_CONNID: Connection ID for IPv4 PDP Context. - * The type of attribute is NLA_U32. - * @IFLA_CAIF_IPV6_CONNID: Connection ID for IPv6 PDP Context. - * The type of attribute is NLA_U32. - * @IFLA_CAIF_LOOPBACK: If different from zero, device is doing loopback - * The type of attribute is NLA_U8. - * - * When using RT Netlink to create, destroy or configure a CAIF IP interface, - * enum ifla_caif is used to specify the configuration attributes. - */ -enum ifla_caif { - __IFLA_CAIF_UNSPEC, - IFLA_CAIF_IPV4_CONNID, - IFLA_CAIF_IPV6_CONNID, - IFLA_CAIF_LOOPBACK, - __IFLA_CAIF_MAX -}; -#define IFLA_CAIF_MAX (__IFLA_CAIF_MAX-1) - -#endif /*IF_CAIF_H_*/ diff --git a/include/uapi/linux/caif/Kbuild b/include/uapi/linux/caif/Kbuild index aafaa5a..4339661 100644 --- a/include/uapi/linux/caif/Kbuild +++ b/include/uapi/linux/caif/Kbuild @@ -1 +1,3 @@ # UAPI Header export list +header-y += caif_socket.h +header-y += if_caif.h diff --git a/include/uapi/linux/caif/caif_socket.h b/include/uapi/linux/caif/caif_socket.h new file mode 100644 index 0000000..3f3bac6 --- /dev/null +++ b/include/uapi/linux/caif/caif_socket.h @@ -0,0 +1,194 @@ +/* linux/caif_socket.h + * CAIF Definitions for CAIF socket and network layer + * Copyright (C) ST-Ericsson AB 2010 + * Author: Sjur Brendeland/ sjur.brandeland@stericsson.com + * License terms: GNU General Public License (GPL) version 2 + */ + +#ifndef _LINUX_CAIF_SOCKET_H +#define _LINUX_CAIF_SOCKET_H + +#include +#include + +/** + * enum caif_link_selector - Physical Link Selection. + * @CAIF_LINK_HIGH_BANDW: Physical interface for high-bandwidth + * traffic. + * @CAIF_LINK_LOW_LATENCY: Physical interface for low-latency + * traffic. + * + * CAIF Link Layers can register their link properties. + * This enum is used for choosing between CAIF Link Layers when + * setting up CAIF Channels when multiple CAIF Link Layers exists. + */ +enum caif_link_selector { + CAIF_LINK_HIGH_BANDW, + CAIF_LINK_LOW_LATENCY +}; + +/** + * enum caif_channel_priority - CAIF channel priorities. + * + * @CAIF_PRIO_MIN: Min priority for a channel. + * @CAIF_PRIO_LOW: Low-priority channel. + * @CAIF_PRIO_NORMAL: Normal/default priority level. + * @CAIF_PRIO_HIGH: High priority level + * @CAIF_PRIO_MAX: Max priority for channel + * + * Priority can be set on CAIF Channels in order to + * prioritize between traffic on different CAIF Channels. + * These priority levels are recommended, but the priority value + * is not restricted to the values defined in this enum, any value + * between CAIF_PRIO_MIN and CAIF_PRIO_MAX could be used. + */ +enum caif_channel_priority { + CAIF_PRIO_MIN = 0x01, + CAIF_PRIO_LOW = 0x04, + CAIF_PRIO_NORMAL = 0x0f, + CAIF_PRIO_HIGH = 0x14, + CAIF_PRIO_MAX = 0x1F +}; + +/** + * enum caif_protocol_type - CAIF Channel type. + * @CAIFPROTO_AT: Classic AT channel. + * @CAIFPROTO_DATAGRAM: Datagram channel. + * @CAIFPROTO_DATAGRAM_LOOP: Datagram loopback channel, used for testing. + * @CAIFPROTO_UTIL: Utility (Psock) channel. + * @CAIFPROTO_RFM: Remote File Manager + * @CAIFPROTO_DEBUG: Debug link + * + * This enum defines the CAIF Channel type to be used. This defines + * the service to connect to on the modem. + */ +enum caif_protocol_type { + CAIFPROTO_AT, + CAIFPROTO_DATAGRAM, + CAIFPROTO_DATAGRAM_LOOP, + CAIFPROTO_UTIL, + CAIFPROTO_RFM, + CAIFPROTO_DEBUG, + _CAIFPROTO_MAX +}; +#define CAIFPROTO_MAX _CAIFPROTO_MAX + +/** + * enum caif_at_type - AT Service Endpoint + * @CAIF_ATTYPE_PLAIN: Connects to a plain vanilla AT channel. + */ +enum caif_at_type { + CAIF_ATTYPE_PLAIN = 2 +}; + /** + * enum caif_debug_type - Content selection for debug connection + * @CAIF_DEBUG_TRACE_INTERACTIVE: Connection will contain + * both trace and interactive debug. + * @CAIF_DEBUG_TRACE: Connection contains trace only. + * @CAIF_DEBUG_INTERACTIVE: Connection to interactive debug. + */ +enum caif_debug_type { + CAIF_DEBUG_TRACE_INTERACTIVE = 0, + CAIF_DEBUG_TRACE, + CAIF_DEBUG_INTERACTIVE, +}; + +/** + * enum caif_debug_service - Debug Service Endpoint + * @CAIF_RADIO_DEBUG_SERVICE: Debug service on the Radio sub-system + * @CAIF_APP_DEBUG_SERVICE: Debug for the applications sub-system + */ +enum caif_debug_service { + CAIF_RADIO_DEBUG_SERVICE = 1, + CAIF_APP_DEBUG_SERVICE +}; + +/** + * struct sockaddr_caif - the sockaddr structure for CAIF sockets. + * @family: Address family number, must be AF_CAIF. + * @u: Union of address data 'switched' by family. + * : + * @u.at: Applies when family = CAIFPROTO_AT. + * + * @u.at.type: Type of AT link to set up (enum caif_at_type). + * + * @u.util: Applies when family = CAIFPROTO_UTIL + * + * @u.util.service: Utility service name. + * + * @u.dgm: Applies when family = CAIFPROTO_DATAGRAM + * + * @u.dgm.connection_id: Datagram connection id. + * + * @u.dgm.nsapi: NSAPI of the PDP-Context. + * + * @u.rfm: Applies when family = CAIFPROTO_RFM + * + * @u.rfm.connection_id: Connection ID for RFM. + * + * @u.rfm.volume: Volume to mount. + * + * @u.dbg: Applies when family = CAIFPROTO_DEBUG. + * + * @u.dbg.type: Type of debug connection to set up + * (caif_debug_type). + * + * @u.dbg.service: Service sub-system to connect (caif_debug_service + * Description: + * This structure holds the connect parameters used for setting up a + * CAIF Channel. It defines the service to connect to on the modem. + */ +struct sockaddr_caif { + __kernel_sa_family_t family; + union { + struct { + __u8 type; /* type: enum caif_at_type */ + } at; /* CAIFPROTO_AT */ + struct { + char service[16]; + } util; /* CAIFPROTO_UTIL */ + union { + __u32 connection_id; + __u8 nsapi; + } dgm; /* CAIFPROTO_DATAGRAM(_LOOP)*/ + struct { + __u32 connection_id; + char volume[16]; + } rfm; /* CAIFPROTO_RFM */ + struct { + __u8 type; /* type:enum caif_debug_type */ + __u8 service; /* service:caif_debug_service */ + } dbg; /* CAIFPROTO_DEBUG */ + } u; +}; + +/** + * enum caif_socket_opts - CAIF option values for getsockopt and setsockopt. + * + * @CAIFSO_LINK_SELECT: Selector used if multiple CAIF Link layers are + * available. Either a high bandwidth + * link can be selected (CAIF_LINK_HIGH_BANDW) or + * or a low latency link (CAIF_LINK_LOW_LATENCY). + * This option is of type __u32. + * Alternatively SO_BINDTODEVICE can be used. + * + * @CAIFSO_REQ_PARAM: Used to set the request parameters for a + * utility channel. (maximum 256 bytes). This + * option must be set before connecting. + * + * @CAIFSO_RSP_PARAM: Gets the response parameters for a utility + * channel. (maximum 256 bytes). This option + * is valid after a successful connect. + * + * + * This enum defines the CAIF Socket options to be used on a socket + * of type PF_CAIF. + * + */ +enum caif_socket_opts { + CAIFSO_LINK_SELECT = 127, + CAIFSO_REQ_PARAM = 128, + CAIFSO_RSP_PARAM = 129, +}; + +#endif /* _LINUX_CAIF_SOCKET_H */ diff --git a/include/uapi/linux/caif/if_caif.h b/include/uapi/linux/caif/if_caif.h new file mode 100644 index 0000000..5e7eed4 --- /dev/null +++ b/include/uapi/linux/caif/if_caif.h @@ -0,0 +1,34 @@ +/* + * Copyright (C) ST-Ericsson AB 2010 + * Author: Sjur Brendeland/ sjur.brandeland@stericsson.com + * License terms: GNU General Public License (GPL) version 2 + */ + +#ifndef IF_CAIF_H_ +#define IF_CAIF_H_ +#include +#include +#include + +/** + * enum ifla_caif - CAIF NetlinkRT parameters. + * @IFLA_CAIF_IPV4_CONNID: Connection ID for IPv4 PDP Context. + * The type of attribute is NLA_U32. + * @IFLA_CAIF_IPV6_CONNID: Connection ID for IPv6 PDP Context. + * The type of attribute is NLA_U32. + * @IFLA_CAIF_LOOPBACK: If different from zero, device is doing loopback + * The type of attribute is NLA_U8. + * + * When using RT Netlink to create, destroy or configure a CAIF IP interface, + * enum ifla_caif is used to specify the configuration attributes. + */ +enum ifla_caif { + __IFLA_CAIF_UNSPEC, + IFLA_CAIF_IPV4_CONNID, + IFLA_CAIF_IPV6_CONNID, + IFLA_CAIF_LOOPBACK, + __IFLA_CAIF_MAX +}; +#define IFLA_CAIF_MAX (__IFLA_CAIF_MAX-1) + +#endif /*IF_CAIF_H_*/ -- cgit v0.10.2 From 1855f1b1074ea8a76ced0f3ef25bbecd6b2a7222 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 9 Oct 2012 09:48:45 +0100 Subject: UAPI: (Scripted) Disintegrate include/linux/isdn Signed-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones diff --git a/include/linux/isdn/Kbuild b/include/linux/isdn/Kbuild index 991cdb2..e69de29 100644 --- a/include/linux/isdn/Kbuild +++ b/include/linux/isdn/Kbuild @@ -1 +0,0 @@ -header-y += capicmd.h diff --git a/include/linux/isdn/capicmd.h b/include/linux/isdn/capicmd.h deleted file mode 100644 index b58635f..0000000 --- a/include/linux/isdn/capicmd.h +++ /dev/null @@ -1,115 +0,0 @@ -/* $Id: capicmd.h,v 1.2.6.2 2001/09/23 22:24:33 kai Exp $ - * - * CAPI 2.0 Interface for Linux - * - * Copyright 1997 by Carsten Paeth - * - * This software may be used and distributed according to the terms - * of the GNU General Public License, incorporated herein by reference. - * - */ - -#ifndef __CAPICMD_H__ -#define __CAPICMD_H__ - -#define CAPI_MSG_BASELEN 8 -#define CAPI_DATA_B3_REQ_LEN (CAPI_MSG_BASELEN+4+4+2+2+2) -#define CAPI_DATA_B3_RESP_LEN (CAPI_MSG_BASELEN+4+2) - -/*----- CAPI commands -----*/ -#define CAPI_ALERT 0x01 -#define CAPI_CONNECT 0x02 -#define CAPI_CONNECT_ACTIVE 0x03 -#define CAPI_CONNECT_B3_ACTIVE 0x83 -#define CAPI_CONNECT_B3 0x82 -#define CAPI_CONNECT_B3_T90_ACTIVE 0x88 -#define CAPI_DATA_B3 0x86 -#define CAPI_DISCONNECT_B3 0x84 -#define CAPI_DISCONNECT 0x04 -#define CAPI_FACILITY 0x80 -#define CAPI_INFO 0x08 -#define CAPI_LISTEN 0x05 -#define CAPI_MANUFACTURER 0xff -#define CAPI_RESET_B3 0x87 -#define CAPI_SELECT_B_PROTOCOL 0x41 - -/*----- CAPI subcommands -----*/ - -#define CAPI_REQ 0x80 -#define CAPI_CONF 0x81 -#define CAPI_IND 0x82 -#define CAPI_RESP 0x83 - -/*----- CAPI combined commands -----*/ - -#define CAPICMD(cmd,subcmd) (((cmd)<<8)|(subcmd)) - -#define CAPI_DISCONNECT_REQ CAPICMD(CAPI_DISCONNECT,CAPI_REQ) -#define CAPI_DISCONNECT_CONF CAPICMD(CAPI_DISCONNECT,CAPI_CONF) -#define CAPI_DISCONNECT_IND CAPICMD(CAPI_DISCONNECT,CAPI_IND) -#define CAPI_DISCONNECT_RESP CAPICMD(CAPI_DISCONNECT,CAPI_RESP) - -#define CAPI_ALERT_REQ CAPICMD(CAPI_ALERT,CAPI_REQ) -#define CAPI_ALERT_CONF CAPICMD(CAPI_ALERT,CAPI_CONF) - -#define CAPI_CONNECT_REQ CAPICMD(CAPI_CONNECT,CAPI_REQ) -#define CAPI_CONNECT_CONF CAPICMD(CAPI_CONNECT,CAPI_CONF) -#define CAPI_CONNECT_IND CAPICMD(CAPI_CONNECT,CAPI_IND) -#define CAPI_CONNECT_RESP CAPICMD(CAPI_CONNECT,CAPI_RESP) - -#define CAPI_CONNECT_ACTIVE_REQ CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_REQ) -#define CAPI_CONNECT_ACTIVE_CONF CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_CONF) -#define CAPI_CONNECT_ACTIVE_IND CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_IND) -#define CAPI_CONNECT_ACTIVE_RESP CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_RESP) - -#define CAPI_SELECT_B_PROTOCOL_REQ CAPICMD(CAPI_SELECT_B_PROTOCOL,CAPI_REQ) -#define CAPI_SELECT_B_PROTOCOL_CONF CAPICMD(CAPI_SELECT_B_PROTOCOL,CAPI_CONF) - -#define CAPI_CONNECT_B3_ACTIVE_REQ CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_REQ) -#define CAPI_CONNECT_B3_ACTIVE_CONF CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_CONF) -#define CAPI_CONNECT_B3_ACTIVE_IND CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_IND) -#define CAPI_CONNECT_B3_ACTIVE_RESP CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_RESP) - -#define CAPI_CONNECT_B3_REQ CAPICMD(CAPI_CONNECT_B3,CAPI_REQ) -#define CAPI_CONNECT_B3_CONF CAPICMD(CAPI_CONNECT_B3,CAPI_CONF) -#define CAPI_CONNECT_B3_IND CAPICMD(CAPI_CONNECT_B3,CAPI_IND) -#define CAPI_CONNECT_B3_RESP CAPICMD(CAPI_CONNECT_B3,CAPI_RESP) - - -#define CAPI_CONNECT_B3_T90_ACTIVE_IND CAPICMD(CAPI_CONNECT_B3_T90_ACTIVE,CAPI_IND) -#define CAPI_CONNECT_B3_T90_ACTIVE_RESP CAPICMD(CAPI_CONNECT_B3_T90_ACTIVE,CAPI_RESP) - -#define CAPI_DATA_B3_REQ CAPICMD(CAPI_DATA_B3,CAPI_REQ) -#define CAPI_DATA_B3_CONF CAPICMD(CAPI_DATA_B3,CAPI_CONF) -#define CAPI_DATA_B3_IND CAPICMD(CAPI_DATA_B3,CAPI_IND) -#define CAPI_DATA_B3_RESP CAPICMD(CAPI_DATA_B3,CAPI_RESP) - -#define CAPI_DISCONNECT_B3_REQ CAPICMD(CAPI_DISCONNECT_B3,CAPI_REQ) -#define CAPI_DISCONNECT_B3_CONF CAPICMD(CAPI_DISCONNECT_B3,CAPI_CONF) -#define CAPI_DISCONNECT_B3_IND CAPICMD(CAPI_DISCONNECT_B3,CAPI_IND) -#define CAPI_DISCONNECT_B3_RESP CAPICMD(CAPI_DISCONNECT_B3,CAPI_RESP) - -#define CAPI_RESET_B3_REQ CAPICMD(CAPI_RESET_B3,CAPI_REQ) -#define CAPI_RESET_B3_CONF CAPICMD(CAPI_RESET_B3,CAPI_CONF) -#define CAPI_RESET_B3_IND CAPICMD(CAPI_RESET_B3,CAPI_IND) -#define CAPI_RESET_B3_RESP CAPICMD(CAPI_RESET_B3,CAPI_RESP) - -#define CAPI_LISTEN_REQ CAPICMD(CAPI_LISTEN,CAPI_REQ) -#define CAPI_LISTEN_CONF CAPICMD(CAPI_LISTEN,CAPI_CONF) - -#define CAPI_MANUFACTURER_REQ CAPICMD(CAPI_MANUFACTURER,CAPI_REQ) -#define CAPI_MANUFACTURER_CONF CAPICMD(CAPI_MANUFACTURER,CAPI_CONF) -#define CAPI_MANUFACTURER_IND CAPICMD(CAPI_MANUFACTURER,CAPI_IND) -#define CAPI_MANUFACTURER_RESP CAPICMD(CAPI_MANUFACTURER,CAPI_RESP) - -#define CAPI_FACILITY_REQ CAPICMD(CAPI_FACILITY,CAPI_REQ) -#define CAPI_FACILITY_CONF CAPICMD(CAPI_FACILITY,CAPI_CONF) -#define CAPI_FACILITY_IND CAPICMD(CAPI_FACILITY,CAPI_IND) -#define CAPI_FACILITY_RESP CAPICMD(CAPI_FACILITY,CAPI_RESP) - -#define CAPI_INFO_REQ CAPICMD(CAPI_INFO,CAPI_REQ) -#define CAPI_INFO_CONF CAPICMD(CAPI_INFO,CAPI_CONF) -#define CAPI_INFO_IND CAPICMD(CAPI_INFO,CAPI_IND) -#define CAPI_INFO_RESP CAPICMD(CAPI_INFO,CAPI_RESP) - -#endif /* __CAPICMD_H__ */ diff --git a/include/uapi/linux/isdn/Kbuild b/include/uapi/linux/isdn/Kbuild index aafaa5a..89e5285 100644 --- a/include/uapi/linux/isdn/Kbuild +++ b/include/uapi/linux/isdn/Kbuild @@ -1 +1,2 @@ # UAPI Header export list +header-y += capicmd.h diff --git a/include/uapi/linux/isdn/capicmd.h b/include/uapi/linux/isdn/capicmd.h new file mode 100644 index 0000000..b58635f --- /dev/null +++ b/include/uapi/linux/isdn/capicmd.h @@ -0,0 +1,115 @@ +/* $Id: capicmd.h,v 1.2.6.2 2001/09/23 22:24:33 kai Exp $ + * + * CAPI 2.0 Interface for Linux + * + * Copyright 1997 by Carsten Paeth + * + * This software may be used and distributed according to the terms + * of the GNU General Public License, incorporated herein by reference. + * + */ + +#ifndef __CAPICMD_H__ +#define __CAPICMD_H__ + +#define CAPI_MSG_BASELEN 8 +#define CAPI_DATA_B3_REQ_LEN (CAPI_MSG_BASELEN+4+4+2+2+2) +#define CAPI_DATA_B3_RESP_LEN (CAPI_MSG_BASELEN+4+2) + +/*----- CAPI commands -----*/ +#define CAPI_ALERT 0x01 +#define CAPI_CONNECT 0x02 +#define CAPI_CONNECT_ACTIVE 0x03 +#define CAPI_CONNECT_B3_ACTIVE 0x83 +#define CAPI_CONNECT_B3 0x82 +#define CAPI_CONNECT_B3_T90_ACTIVE 0x88 +#define CAPI_DATA_B3 0x86 +#define CAPI_DISCONNECT_B3 0x84 +#define CAPI_DISCONNECT 0x04 +#define CAPI_FACILITY 0x80 +#define CAPI_INFO 0x08 +#define CAPI_LISTEN 0x05 +#define CAPI_MANUFACTURER 0xff +#define CAPI_RESET_B3 0x87 +#define CAPI_SELECT_B_PROTOCOL 0x41 + +/*----- CAPI subcommands -----*/ + +#define CAPI_REQ 0x80 +#define CAPI_CONF 0x81 +#define CAPI_IND 0x82 +#define CAPI_RESP 0x83 + +/*----- CAPI combined commands -----*/ + +#define CAPICMD(cmd,subcmd) (((cmd)<<8)|(subcmd)) + +#define CAPI_DISCONNECT_REQ CAPICMD(CAPI_DISCONNECT,CAPI_REQ) +#define CAPI_DISCONNECT_CONF CAPICMD(CAPI_DISCONNECT,CAPI_CONF) +#define CAPI_DISCONNECT_IND CAPICMD(CAPI_DISCONNECT,CAPI_IND) +#define CAPI_DISCONNECT_RESP CAPICMD(CAPI_DISCONNECT,CAPI_RESP) + +#define CAPI_ALERT_REQ CAPICMD(CAPI_ALERT,CAPI_REQ) +#define CAPI_ALERT_CONF CAPICMD(CAPI_ALERT,CAPI_CONF) + +#define CAPI_CONNECT_REQ CAPICMD(CAPI_CONNECT,CAPI_REQ) +#define CAPI_CONNECT_CONF CAPICMD(CAPI_CONNECT,CAPI_CONF) +#define CAPI_CONNECT_IND CAPICMD(CAPI_CONNECT,CAPI_IND) +#define CAPI_CONNECT_RESP CAPICMD(CAPI_CONNECT,CAPI_RESP) + +#define CAPI_CONNECT_ACTIVE_REQ CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_REQ) +#define CAPI_CONNECT_ACTIVE_CONF CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_CONF) +#define CAPI_CONNECT_ACTIVE_IND CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_IND) +#define CAPI_CONNECT_ACTIVE_RESP CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_RESP) + +#define CAPI_SELECT_B_PROTOCOL_REQ CAPICMD(CAPI_SELECT_B_PROTOCOL,CAPI_REQ) +#define CAPI_SELECT_B_PROTOCOL_CONF CAPICMD(CAPI_SELECT_B_PROTOCOL,CAPI_CONF) + +#define CAPI_CONNECT_B3_ACTIVE_REQ CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_REQ) +#define CAPI_CONNECT_B3_ACTIVE_CONF CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_CONF) +#define CAPI_CONNECT_B3_ACTIVE_IND CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_IND) +#define CAPI_CONNECT_B3_ACTIVE_RESP CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_RESP) + +#define CAPI_CONNECT_B3_REQ CAPICMD(CAPI_CONNECT_B3,CAPI_REQ) +#define CAPI_CONNECT_B3_CONF CAPICMD(CAPI_CONNECT_B3,CAPI_CONF) +#define CAPI_CONNECT_B3_IND CAPICMD(CAPI_CONNECT_B3,CAPI_IND) +#define CAPI_CONNECT_B3_RESP CAPICMD(CAPI_CONNECT_B3,CAPI_RESP) + + +#define CAPI_CONNECT_B3_T90_ACTIVE_IND CAPICMD(CAPI_CONNECT_B3_T90_ACTIVE,CAPI_IND) +#define CAPI_CONNECT_B3_T90_ACTIVE_RESP CAPICMD(CAPI_CONNECT_B3_T90_ACTIVE,CAPI_RESP) + +#define CAPI_DATA_B3_REQ CAPICMD(CAPI_DATA_B3,CAPI_REQ) +#define CAPI_DATA_B3_CONF CAPICMD(CAPI_DATA_B3,CAPI_CONF) +#define CAPI_DATA_B3_IND CAPICMD(CAPI_DATA_B3,CAPI_IND) +#define CAPI_DATA_B3_RESP CAPICMD(CAPI_DATA_B3,CAPI_RESP) + +#define CAPI_DISCONNECT_B3_REQ CAPICMD(CAPI_DISCONNECT_B3,CAPI_REQ) +#define CAPI_DISCONNECT_B3_CONF CAPICMD(CAPI_DISCONNECT_B3,CAPI_CONF) +#define CAPI_DISCONNECT_B3_IND CAPICMD(CAPI_DISCONNECT_B3,CAPI_IND) +#define CAPI_DISCONNECT_B3_RESP CAPICMD(CAPI_DISCONNECT_B3,CAPI_RESP) + +#define CAPI_RESET_B3_REQ CAPICMD(CAPI_RESET_B3,CAPI_REQ) +#define CAPI_RESET_B3_CONF CAPICMD(CAPI_RESET_B3,CAPI_CONF) +#define CAPI_RESET_B3_IND CAPICMD(CAPI_RESET_B3,CAPI_IND) +#define CAPI_RESET_B3_RESP CAPICMD(CAPI_RESET_B3,CAPI_RESP) + +#define CAPI_LISTEN_REQ CAPICMD(CAPI_LISTEN,CAPI_REQ) +#define CAPI_LISTEN_CONF CAPICMD(CAPI_LISTEN,CAPI_CONF) + +#define CAPI_MANUFACTURER_REQ CAPICMD(CAPI_MANUFACTURER,CAPI_REQ) +#define CAPI_MANUFACTURER_CONF CAPICMD(CAPI_MANUFACTURER,CAPI_CONF) +#define CAPI_MANUFACTURER_IND CAPICMD(CAPI_MANUFACTURER,CAPI_IND) +#define CAPI_MANUFACTURER_RESP CAPICMD(CAPI_MANUFACTURER,CAPI_RESP) + +#define CAPI_FACILITY_REQ CAPICMD(CAPI_FACILITY,CAPI_REQ) +#define CAPI_FACILITY_CONF CAPICMD(CAPI_FACILITY,CAPI_CONF) +#define CAPI_FACILITY_IND CAPICMD(CAPI_FACILITY,CAPI_IND) +#define CAPI_FACILITY_RESP CAPICMD(CAPI_FACILITY,CAPI_RESP) + +#define CAPI_INFO_REQ CAPICMD(CAPI_INFO,CAPI_REQ) +#define CAPI_INFO_CONF CAPICMD(CAPI_INFO,CAPI_CONF) +#define CAPI_INFO_IND CAPICMD(CAPI_INFO,CAPI_IND) +#define CAPI_INFO_RESP CAPICMD(CAPI_INFO,CAPI_RESP) + +#endif /* __CAPICMD_H__ */ -- cgit v0.10.2 From 94d0ec58e63159ce5bcdfe612ee220eaeefa3b2a Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 9 Oct 2012 09:48:54 +0100 Subject: UAPI: (Scripted) Disintegrate include/linux/netfilter Signed-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild index 874ae8f..b332202 100644 --- a/include/linux/netfilter/Kbuild +++ b/include/linux/netfilter/Kbuild @@ -1,78 +1 @@ header-y += ipset/ - -header-y += nf_conntrack_common.h -header-y += nf_conntrack_ftp.h -header-y += nf_conntrack_sctp.h -header-y += nf_conntrack_tcp.h -header-y += nf_conntrack_tuple_common.h -header-y += nf_nat.h -header-y += nfnetlink.h -header-y += nfnetlink_acct.h -header-y += nfnetlink_compat.h -header-y += nfnetlink_conntrack.h -header-y += nfnetlink_cthelper.h -header-y += nfnetlink_cttimeout.h -header-y += nfnetlink_log.h -header-y += nfnetlink_queue.h -header-y += x_tables.h -header-y += xt_AUDIT.h -header-y += xt_CHECKSUM.h -header-y += xt_CLASSIFY.h -header-y += xt_CONNMARK.h -header-y += xt_CONNSECMARK.h -header-y += xt_CT.h -header-y += xt_DSCP.h -header-y += xt_IDLETIMER.h -header-y += xt_LED.h -header-y += xt_LOG.h -header-y += xt_MARK.h -header-y += xt_nfacct.h -header-y += xt_NFLOG.h -header-y += xt_NFQUEUE.h -header-y += xt_RATEEST.h -header-y += xt_SECMARK.h -header-y += xt_TCPMSS.h -header-y += xt_TCPOPTSTRIP.h -header-y += xt_TEE.h -header-y += xt_TPROXY.h -header-y += xt_addrtype.h -header-y += xt_cluster.h -header-y += xt_comment.h -header-y += xt_connbytes.h -header-y += xt_connlimit.h -header-y += xt_connmark.h -header-y += xt_conntrack.h -header-y += xt_cpu.h -header-y += xt_dccp.h -header-y += xt_devgroup.h -header-y += xt_dscp.h -header-y += xt_ecn.h -header-y += xt_esp.h -header-y += xt_hashlimit.h -header-y += xt_helper.h -header-y += xt_iprange.h -header-y += xt_ipvs.h -header-y += xt_length.h -header-y += xt_limit.h -header-y += xt_mac.h -header-y += xt_mark.h -header-y += xt_multiport.h -header-y += xt_osf.h -header-y += xt_owner.h -header-y += xt_physdev.h -header-y += xt_pkttype.h -header-y += xt_policy.h -header-y += xt_quota.h -header-y += xt_rateest.h -header-y += xt_realm.h -header-y += xt_recent.h -header-y += xt_set.h -header-y += xt_sctp.h -header-y += xt_socket.h -header-y += xt_state.h -header-y += xt_statistic.h -header-y += xt_string.h -header-y += xt_tcpmss.h -header-y += xt_tcpudp.h -header-y += xt_time.h -header-y += xt_u32.h diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h index d146872..127d0b9 100644 --- a/include/linux/netfilter/nf_conntrack_common.h +++ b/include/linux/netfilter/nf_conntrack_common.h @@ -1,119 +1,8 @@ #ifndef _NF_CONNTRACK_COMMON_H #define _NF_CONNTRACK_COMMON_H -/* Connection state tracking for netfilter. This is separated from, - but required by, the NAT layer; it can also be used by an iptables - extension. */ -enum ip_conntrack_info { - /* Part of an established connection (either direction). */ - IP_CT_ESTABLISHED, - /* Like NEW, but related to an existing connection, or ICMP error - (in either direction). */ - IP_CT_RELATED, +#include - /* Started a new connection to track (only - IP_CT_DIR_ORIGINAL); may be a retransmission. */ - IP_CT_NEW, - - /* >= this indicates reply direction */ - IP_CT_IS_REPLY, - - IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY, - IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY, - IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY, - /* Number of distinct IP_CT types (no NEW in reply dirn). */ - IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 -}; - -/* Bitset representing status of connection. */ -enum ip_conntrack_status { - /* It's an expected connection: bit 0 set. This bit never changed */ - IPS_EXPECTED_BIT = 0, - IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), - - /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ - IPS_SEEN_REPLY_BIT = 1, - IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), - - /* Conntrack should never be early-expired. */ - IPS_ASSURED_BIT = 2, - IPS_ASSURED = (1 << IPS_ASSURED_BIT), - - /* Connection is confirmed: originating packet has left box */ - IPS_CONFIRMED_BIT = 3, - IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), - - /* Connection needs src nat in orig dir. This bit never changed. */ - IPS_SRC_NAT_BIT = 4, - IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), - - /* Connection needs dst nat in orig dir. This bit never changed. */ - IPS_DST_NAT_BIT = 5, - IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), - - /* Both together. */ - IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), - - /* Connection needs TCP sequence adjusted. */ - IPS_SEQ_ADJUST_BIT = 6, - IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), - - /* NAT initialization bits. */ - IPS_SRC_NAT_DONE_BIT = 7, - IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), - - IPS_DST_NAT_DONE_BIT = 8, - IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), - - /* Both together */ - IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), - - /* Connection is dying (removed from lists), can not be unset. */ - IPS_DYING_BIT = 9, - IPS_DYING = (1 << IPS_DYING_BIT), - - /* Connection has fixed timeout. */ - IPS_FIXED_TIMEOUT_BIT = 10, - IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), - - /* Conntrack is a template */ - IPS_TEMPLATE_BIT = 11, - IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT), - - /* Conntrack is a fake untracked entry */ - IPS_UNTRACKED_BIT = 12, - IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT), - - /* Conntrack got a helper explicitly attached via CT target. */ - IPS_HELPER_BIT = 13, - IPS_HELPER = (1 << IPS_HELPER_BIT), -}; - -/* Connection tracking event types */ -enum ip_conntrack_events { - IPCT_NEW, /* new conntrack */ - IPCT_RELATED, /* related conntrack */ - IPCT_DESTROY, /* destroyed conntrack */ - IPCT_REPLY, /* connection has seen two-way traffic */ - IPCT_ASSURED, /* connection status has changed to assured */ - IPCT_PROTOINFO, /* protocol information has changed */ - IPCT_HELPER, /* new helper has been set */ - IPCT_MARK, /* new mark has been set */ - IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ - IPCT_SECMARK, /* new security mark has been set */ -}; - -enum ip_conntrack_expect_events { - IPEXP_NEW, /* new expectation */ - IPEXP_DESTROY, /* destroyed expectation */ -}; - -/* expectation flags */ -#define NF_CT_EXPECT_PERMANENT 0x1 -#define NF_CT_EXPECT_INACTIVE 0x2 -#define NF_CT_EXPECT_USERSPACE 0x4 - -#ifdef __KERNEL__ struct ip_conntrack_stat { unsigned int searched; unsigned int found; @@ -136,6 +25,4 @@ struct ip_conntrack_stat { /* call to create an explicit dependency on nf_conntrack. */ extern void need_conntrack(void); -#endif /* __KERNEL__ */ - #endif /* _NF_CONNTRACK_COMMON_H */ diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h index 8faf3f7..5f818b0 100644 --- a/include/linux/netfilter/nf_conntrack_ftp.h +++ b/include/linux/netfilter/nf_conntrack_ftp.h @@ -1,20 +1,8 @@ #ifndef _NF_CONNTRACK_FTP_H #define _NF_CONNTRACK_FTP_H -/* FTP tracking. */ -/* This enum is exposed to userspace */ -enum nf_ct_ftp_type { - /* PORT command from client */ - NF_CT_FTP_PORT, - /* PASV response from server */ - NF_CT_FTP_PASV, - /* EPRT command from client */ - NF_CT_FTP_EPRT, - /* EPSV response from server */ - NF_CT_FTP_EPSV, -}; +#include -#ifdef __KERNEL__ #define FTP_PORT 21 @@ -42,6 +30,4 @@ extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb, unsigned int matchoff, unsigned int matchlen, struct nf_conntrack_expect *exp); -#endif /* __KERNEL__ */ - #endif /* _NF_CONNTRACK_FTP_H */ diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h deleted file mode 100644 index ceeefe6..0000000 --- a/include/linux/netfilter/nf_conntrack_sctp.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef _NF_CONNTRACK_SCTP_H -#define _NF_CONNTRACK_SCTP_H -/* SCTP tracking. */ - -#include - -enum sctp_conntrack { - SCTP_CONNTRACK_NONE, - SCTP_CONNTRACK_CLOSED, - SCTP_CONNTRACK_COOKIE_WAIT, - SCTP_CONNTRACK_COOKIE_ECHOED, - SCTP_CONNTRACK_ESTABLISHED, - SCTP_CONNTRACK_SHUTDOWN_SENT, - SCTP_CONNTRACK_SHUTDOWN_RECD, - SCTP_CONNTRACK_SHUTDOWN_ACK_SENT, - SCTP_CONNTRACK_MAX -}; - -struct ip_ct_sctp { - enum sctp_conntrack state; - - __be32 vtag[IP_CT_DIR_MAX]; -}; - -#endif /* _NF_CONNTRACK_SCTP_H */ diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h index e59868a..22db961 100644 --- a/include/linux/netfilter/nf_conntrack_tcp.h +++ b/include/linux/netfilter/nf_conntrack_tcp.h @@ -1,53 +1,8 @@ #ifndef _NF_CONNTRACK_TCP_H #define _NF_CONNTRACK_TCP_H -/* TCP tracking. */ -#include +#include -/* This is exposed to userspace (ctnetlink) */ -enum tcp_conntrack { - TCP_CONNTRACK_NONE, - TCP_CONNTRACK_SYN_SENT, - TCP_CONNTRACK_SYN_RECV, - TCP_CONNTRACK_ESTABLISHED, - TCP_CONNTRACK_FIN_WAIT, - TCP_CONNTRACK_CLOSE_WAIT, - TCP_CONNTRACK_LAST_ACK, - TCP_CONNTRACK_TIME_WAIT, - TCP_CONNTRACK_CLOSE, - TCP_CONNTRACK_LISTEN, /* obsolete */ -#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN - TCP_CONNTRACK_MAX, - TCP_CONNTRACK_IGNORE, - TCP_CONNTRACK_RETRANS, - TCP_CONNTRACK_UNACK, - TCP_CONNTRACK_TIMEOUT_MAX -}; - -/* Window scaling is advertised by the sender */ -#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01 - -/* SACK is permitted by the sender */ -#define IP_CT_TCP_FLAG_SACK_PERM 0x02 - -/* This sender sent FIN first */ -#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04 - -/* Be liberal in window checking */ -#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08 - -/* Has unacknowledged data */ -#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10 - -/* The field td_maxack has been set */ -#define IP_CT_TCP_FLAG_MAXACK_SET 0x20 - -struct nf_ct_tcp_flags { - __u8 flags; - __u8 mask; -}; - -#ifdef __KERNEL__ struct ip_ct_tcp_state { u_int32_t td_end; /* max of seq + len */ @@ -74,6 +29,4 @@ struct ip_ct_tcp { u_int8_t last_flags; /* Last flags set */ }; -#endif /* __KERNEL__ */ - #endif /* _NF_CONNTRACK_TCP_H */ diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h deleted file mode 100644 index 2f6bbc5..0000000 --- a/include/linux/netfilter/nf_conntrack_tuple_common.h +++ /dev/null @@ -1,39 +0,0 @@ -#ifndef _NF_CONNTRACK_TUPLE_COMMON_H -#define _NF_CONNTRACK_TUPLE_COMMON_H - -enum ip_conntrack_dir { - IP_CT_DIR_ORIGINAL, - IP_CT_DIR_REPLY, - IP_CT_DIR_MAX -}; - -/* The protocol-specific manipulable parts of the tuple: always in - * network order - */ -union nf_conntrack_man_proto { - /* Add other protocols here. */ - __be16 all; - - struct { - __be16 port; - } tcp; - struct { - __be16 port; - } udp; - struct { - __be16 id; - } icmp; - struct { - __be16 port; - } dccp; - struct { - __be16 port; - } sctp; - struct { - __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */ - } gre; -}; - -#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL) - -#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */ diff --git a/include/linux/netfilter/nf_nat.h b/include/linux/netfilter/nf_nat.h deleted file mode 100644 index bf0cc37..0000000 --- a/include/linux/netfilter/nf_nat.h +++ /dev/null @@ -1,33 +0,0 @@ -#ifndef _NETFILTER_NF_NAT_H -#define _NETFILTER_NF_NAT_H - -#include -#include - -#define NF_NAT_RANGE_MAP_IPS 1 -#define NF_NAT_RANGE_PROTO_SPECIFIED 2 -#define NF_NAT_RANGE_PROTO_RANDOM 4 -#define NF_NAT_RANGE_PERSISTENT 8 - -struct nf_nat_ipv4_range { - unsigned int flags; - __be32 min_ip; - __be32 max_ip; - union nf_conntrack_man_proto min; - union nf_conntrack_man_proto max; -}; - -struct nf_nat_ipv4_multi_range_compat { - unsigned int rangesize; - struct nf_nat_ipv4_range range[1]; -}; - -struct nf_nat_range { - unsigned int flags; - union nf_inet_addr min_addr; - union nf_inet_addr max_addr; - union nf_conntrack_man_proto min_proto; - union nf_conntrack_man_proto max_proto; -}; - -#endif /* _NETFILTER_NF_NAT_H */ diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 18341cd..4966dde 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h @@ -1,63 +1,11 @@ #ifndef _NFNETLINK_H #define _NFNETLINK_H -#include -#include -enum nfnetlink_groups { - NFNLGRP_NONE, -#define NFNLGRP_NONE NFNLGRP_NONE - NFNLGRP_CONNTRACK_NEW, -#define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW - NFNLGRP_CONNTRACK_UPDATE, -#define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE - NFNLGRP_CONNTRACK_DESTROY, -#define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY - NFNLGRP_CONNTRACK_EXP_NEW, -#define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW - NFNLGRP_CONNTRACK_EXP_UPDATE, -#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE - NFNLGRP_CONNTRACK_EXP_DESTROY, -#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY - __NFNLGRP_MAX, -}; -#define NFNLGRP_MAX (__NFNLGRP_MAX - 1) - -/* General form of address family dependent message. - */ -struct nfgenmsg { - __u8 nfgen_family; /* AF_xxx */ - __u8 version; /* nfnetlink version */ - __be16 res_id; /* resource id */ -}; - -#define NFNETLINK_V0 0 - -/* netfilter netlink message types are split in two pieces: - * 8 bit subsystem, 8bit operation. - */ - -#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8) -#define NFNL_MSG_TYPE(x) (x & 0x00ff) - -/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS() - * won't work anymore */ -#define NFNL_SUBSYS_NONE 0 -#define NFNL_SUBSYS_CTNETLINK 1 -#define NFNL_SUBSYS_CTNETLINK_EXP 2 -#define NFNL_SUBSYS_QUEUE 3 -#define NFNL_SUBSYS_ULOG 4 -#define NFNL_SUBSYS_OSF 5 -#define NFNL_SUBSYS_IPSET 6 -#define NFNL_SUBSYS_ACCT 7 -#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8 -#define NFNL_SUBSYS_CTHELPER 9 -#define NFNL_SUBSYS_COUNT 10 - -#ifdef __KERNEL__ #include #include #include +#include struct nfnl_callback { int (*call)(struct sock *nl, struct sk_buff *skb, @@ -92,5 +40,4 @@ extern void nfnl_unlock(void); #define MODULE_ALIAS_NFNL_SUBSYS(subsys) \ MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys)) -#endif /* __KERNEL__ */ #endif /* _NFNETLINK_H */ diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h index 7c4279b..bb4bbc9 100644 --- a/include/linux/netfilter/nfnetlink_acct.h +++ b/include/linux/netfilter/nfnetlink_acct.h @@ -1,29 +1,8 @@ #ifndef _NFNL_ACCT_H_ #define _NFNL_ACCT_H_ -#ifndef NFACCT_NAME_MAX -#define NFACCT_NAME_MAX 32 -#endif +#include -enum nfnl_acct_msg_types { - NFNL_MSG_ACCT_NEW, - NFNL_MSG_ACCT_GET, - NFNL_MSG_ACCT_GET_CTRZERO, - NFNL_MSG_ACCT_DEL, - NFNL_MSG_ACCT_MAX -}; - -enum nfnl_acct_type { - NFACCT_UNSPEC, - NFACCT_NAME, - NFACCT_PKTS, - NFACCT_BYTES, - NFACCT_USE, - __NFACCT_MAX -}; -#define NFACCT_MAX (__NFACCT_MAX - 1) - -#ifdef __KERNEL__ struct nf_acct; @@ -31,6 +10,4 @@ extern struct nf_acct *nfnl_acct_find_get(const char *filter_name); extern void nfnl_acct_put(struct nf_acct *acct); extern void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct); -#endif /* __KERNEL__ */ - #endif /* _NFNL_ACCT_H */ diff --git a/include/linux/netfilter/nfnetlink_compat.h b/include/linux/netfilter/nfnetlink_compat.h deleted file mode 100644 index ffb9503..0000000 --- a/include/linux/netfilter/nfnetlink_compat.h +++ /dev/null @@ -1,63 +0,0 @@ -#ifndef _NFNETLINK_COMPAT_H -#define _NFNETLINK_COMPAT_H - -#include - -#ifndef __KERNEL__ -/* Old nfnetlink macros for userspace */ - -/* nfnetlink groups: Up to 32 maximum */ -#define NF_NETLINK_CONNTRACK_NEW 0x00000001 -#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002 -#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004 -#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008 -#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010 -#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020 - -/* Generic structure for encapsulation optional netfilter information. - * It is reminiscent of sockaddr, but with sa_family replaced - * with attribute type. - * ! This should someday be put somewhere generic as now rtnetlink and - * ! nfnetlink use the same attributes methods. - J. Schulist. - */ - -struct nfattr { - __u16 nfa_len; - __u16 nfa_type; /* we use 15 bits for the type, and the highest - * bit to indicate whether the payload is nested */ -}; - -/* FIXME: Apart from NFNL_NFA_NESTED shamelessly copy and pasted from - * rtnetlink.h, it's time to put this in a generic file */ - -#define NFNL_NFA_NEST 0x8000 -#define NFA_TYPE(attr) ((attr)->nfa_type & 0x7fff) - -#define NFA_ALIGNTO 4 -#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1)) -#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \ - && (nfa)->nfa_len <= (len)) -#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \ - (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len))) -#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len)) -#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len)) -#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0))) -#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0)) -#define NFA_NEST(skb, type) \ -({ struct nfattr *__start = (struct nfattr *)skb_tail_pointer(skb); \ - NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \ - __start; }) -#define NFA_NEST_END(skb, start) \ -({ (start)->nfa_len = skb_tail_pointer(skb) - (unsigned char *)(start); \ - (skb)->len; }) -#define NFA_NEST_CANCEL(skb, start) \ -({ if (start) \ - skb_trim(skb, (unsigned char *) (start) - (skb)->data); \ - -1; }) - -#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \ - + NLMSG_ALIGN(sizeof(struct nfgenmsg)))) -#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg)) - -#endif /* ! __KERNEL__ */ -#endif /* _NFNETLINK_COMPAT_H */ diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h deleted file mode 100644 index 43bfe3e..0000000 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ /dev/null @@ -1,248 +0,0 @@ -#ifndef _IPCONNTRACK_NETLINK_H -#define _IPCONNTRACK_NETLINK_H -#include - -enum cntl_msg_types { - IPCTNL_MSG_CT_NEW, - IPCTNL_MSG_CT_GET, - IPCTNL_MSG_CT_DELETE, - IPCTNL_MSG_CT_GET_CTRZERO, - IPCTNL_MSG_CT_GET_STATS_CPU, - IPCTNL_MSG_CT_GET_STATS, - - IPCTNL_MSG_MAX -}; - -enum ctnl_exp_msg_types { - IPCTNL_MSG_EXP_NEW, - IPCTNL_MSG_EXP_GET, - IPCTNL_MSG_EXP_DELETE, - IPCTNL_MSG_EXP_GET_STATS_CPU, - - IPCTNL_MSG_EXP_MAX -}; - - -enum ctattr_type { - CTA_UNSPEC, - CTA_TUPLE_ORIG, - CTA_TUPLE_REPLY, - CTA_STATUS, - CTA_PROTOINFO, - CTA_HELP, - CTA_NAT_SRC, -#define CTA_NAT CTA_NAT_SRC /* backwards compatibility */ - CTA_TIMEOUT, - CTA_MARK, - CTA_COUNTERS_ORIG, - CTA_COUNTERS_REPLY, - CTA_USE, - CTA_ID, - CTA_NAT_DST, - CTA_TUPLE_MASTER, - CTA_NAT_SEQ_ADJ_ORIG, - CTA_NAT_SEQ_ADJ_REPLY, - CTA_SECMARK, /* obsolete */ - CTA_ZONE, - CTA_SECCTX, - CTA_TIMESTAMP, - CTA_MARK_MASK, - __CTA_MAX -}; -#define CTA_MAX (__CTA_MAX - 1) - -enum ctattr_tuple { - CTA_TUPLE_UNSPEC, - CTA_TUPLE_IP, - CTA_TUPLE_PROTO, - __CTA_TUPLE_MAX -}; -#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1) - -enum ctattr_ip { - CTA_IP_UNSPEC, - CTA_IP_V4_SRC, - CTA_IP_V4_DST, - CTA_IP_V6_SRC, - CTA_IP_V6_DST, - __CTA_IP_MAX -}; -#define CTA_IP_MAX (__CTA_IP_MAX - 1) - -enum ctattr_l4proto { - CTA_PROTO_UNSPEC, - CTA_PROTO_NUM, - CTA_PROTO_SRC_PORT, - CTA_PROTO_DST_PORT, - CTA_PROTO_ICMP_ID, - CTA_PROTO_ICMP_TYPE, - CTA_PROTO_ICMP_CODE, - CTA_PROTO_ICMPV6_ID, - CTA_PROTO_ICMPV6_TYPE, - CTA_PROTO_ICMPV6_CODE, - __CTA_PROTO_MAX -}; -#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1) - -enum ctattr_protoinfo { - CTA_PROTOINFO_UNSPEC, - CTA_PROTOINFO_TCP, - CTA_PROTOINFO_DCCP, - CTA_PROTOINFO_SCTP, - __CTA_PROTOINFO_MAX -}; -#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1) - -enum ctattr_protoinfo_tcp { - CTA_PROTOINFO_TCP_UNSPEC, - CTA_PROTOINFO_TCP_STATE, - CTA_PROTOINFO_TCP_WSCALE_ORIGINAL, - CTA_PROTOINFO_TCP_WSCALE_REPLY, - CTA_PROTOINFO_TCP_FLAGS_ORIGINAL, - CTA_PROTOINFO_TCP_FLAGS_REPLY, - __CTA_PROTOINFO_TCP_MAX -}; -#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1) - -enum ctattr_protoinfo_dccp { - CTA_PROTOINFO_DCCP_UNSPEC, - CTA_PROTOINFO_DCCP_STATE, - CTA_PROTOINFO_DCCP_ROLE, - CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ, - __CTA_PROTOINFO_DCCP_MAX, -}; -#define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1) - -enum ctattr_protoinfo_sctp { - CTA_PROTOINFO_SCTP_UNSPEC, - CTA_PROTOINFO_SCTP_STATE, - CTA_PROTOINFO_SCTP_VTAG_ORIGINAL, - CTA_PROTOINFO_SCTP_VTAG_REPLY, - __CTA_PROTOINFO_SCTP_MAX -}; -#define CTA_PROTOINFO_SCTP_MAX (__CTA_PROTOINFO_SCTP_MAX - 1) - -enum ctattr_counters { - CTA_COUNTERS_UNSPEC, - CTA_COUNTERS_PACKETS, /* 64bit counters */ - CTA_COUNTERS_BYTES, /* 64bit counters */ - CTA_COUNTERS32_PACKETS, /* old 32bit counters, unused */ - CTA_COUNTERS32_BYTES, /* old 32bit counters, unused */ - __CTA_COUNTERS_MAX -}; -#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1) - -enum ctattr_tstamp { - CTA_TIMESTAMP_UNSPEC, - CTA_TIMESTAMP_START, - CTA_TIMESTAMP_STOP, - __CTA_TIMESTAMP_MAX -}; -#define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1) - -enum ctattr_nat { - CTA_NAT_UNSPEC, - CTA_NAT_V4_MINIP, -#define CTA_NAT_MINIP CTA_NAT_V4_MINIP - CTA_NAT_V4_MAXIP, -#define CTA_NAT_MAXIP CTA_NAT_V4_MAXIP - CTA_NAT_PROTO, - CTA_NAT_V6_MINIP, - CTA_NAT_V6_MAXIP, - __CTA_NAT_MAX -}; -#define CTA_NAT_MAX (__CTA_NAT_MAX - 1) - -enum ctattr_protonat { - CTA_PROTONAT_UNSPEC, - CTA_PROTONAT_PORT_MIN, - CTA_PROTONAT_PORT_MAX, - __CTA_PROTONAT_MAX -}; -#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1) - -enum ctattr_natseq { - CTA_NAT_SEQ_UNSPEC, - CTA_NAT_SEQ_CORRECTION_POS, - CTA_NAT_SEQ_OFFSET_BEFORE, - CTA_NAT_SEQ_OFFSET_AFTER, - __CTA_NAT_SEQ_MAX -}; -#define CTA_NAT_SEQ_MAX (__CTA_NAT_SEQ_MAX - 1) - -enum ctattr_expect { - CTA_EXPECT_UNSPEC, - CTA_EXPECT_MASTER, - CTA_EXPECT_TUPLE, - CTA_EXPECT_MASK, - CTA_EXPECT_TIMEOUT, - CTA_EXPECT_ID, - CTA_EXPECT_HELP_NAME, - CTA_EXPECT_ZONE, - CTA_EXPECT_FLAGS, - CTA_EXPECT_CLASS, - CTA_EXPECT_NAT, - CTA_EXPECT_FN, - __CTA_EXPECT_MAX -}; -#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1) - -enum ctattr_expect_nat { - CTA_EXPECT_NAT_UNSPEC, - CTA_EXPECT_NAT_DIR, - CTA_EXPECT_NAT_TUPLE, - __CTA_EXPECT_NAT_MAX -}; -#define CTA_EXPECT_NAT_MAX (__CTA_EXPECT_NAT_MAX - 1) - -enum ctattr_help { - CTA_HELP_UNSPEC, - CTA_HELP_NAME, - CTA_HELP_INFO, - __CTA_HELP_MAX -}; -#define CTA_HELP_MAX (__CTA_HELP_MAX - 1) - -enum ctattr_secctx { - CTA_SECCTX_UNSPEC, - CTA_SECCTX_NAME, - __CTA_SECCTX_MAX -}; -#define CTA_SECCTX_MAX (__CTA_SECCTX_MAX - 1) - -enum ctattr_stats_cpu { - CTA_STATS_UNSPEC, - CTA_STATS_SEARCHED, - CTA_STATS_FOUND, - CTA_STATS_NEW, - CTA_STATS_INVALID, - CTA_STATS_IGNORE, - CTA_STATS_DELETE, - CTA_STATS_DELETE_LIST, - CTA_STATS_INSERT, - CTA_STATS_INSERT_FAILED, - CTA_STATS_DROP, - CTA_STATS_EARLY_DROP, - CTA_STATS_ERROR, - CTA_STATS_SEARCH_RESTART, - __CTA_STATS_MAX, -}; -#define CTA_STATS_MAX (__CTA_STATS_MAX - 1) - -enum ctattr_stats_global { - CTA_STATS_GLOBAL_UNSPEC, - CTA_STATS_GLOBAL_ENTRIES, - __CTA_STATS_GLOBAL_MAX, -}; -#define CTA_STATS_GLOBAL_MAX (__CTA_STATS_GLOBAL_MAX - 1) - -enum ctattr_expect_stats { - CTA_STATS_EXP_UNSPEC, - CTA_STATS_EXP_NEW, - CTA_STATS_EXP_CREATE, - CTA_STATS_EXP_DELETE, - __CTA_STATS_EXP_MAX, -}; -#define CTA_STATS_EXP_MAX (__CTA_STATS_EXP_MAX - 1) - -#endif /* _IPCONNTRACK_NETLINK_H */ diff --git a/include/linux/netfilter/nfnetlink_cthelper.h b/include/linux/netfilter/nfnetlink_cthelper.h deleted file mode 100644 index 33659f6..0000000 --- a/include/linux/netfilter/nfnetlink_cthelper.h +++ /dev/null @@ -1,55 +0,0 @@ -#ifndef _NFNL_CTHELPER_H_ -#define _NFNL_CTHELPER_H_ - -#define NFCT_HELPER_STATUS_DISABLED 0 -#define NFCT_HELPER_STATUS_ENABLED 1 - -enum nfnl_acct_msg_types { - NFNL_MSG_CTHELPER_NEW, - NFNL_MSG_CTHELPER_GET, - NFNL_MSG_CTHELPER_DEL, - NFNL_MSG_CTHELPER_MAX -}; - -enum nfnl_cthelper_type { - NFCTH_UNSPEC, - NFCTH_NAME, - NFCTH_TUPLE, - NFCTH_QUEUE_NUM, - NFCTH_POLICY, - NFCTH_PRIV_DATA_LEN, - NFCTH_STATUS, - __NFCTH_MAX -}; -#define NFCTH_MAX (__NFCTH_MAX - 1) - -enum nfnl_cthelper_policy_type { - NFCTH_POLICY_SET_UNSPEC, - NFCTH_POLICY_SET_NUM, - NFCTH_POLICY_SET, - NFCTH_POLICY_SET1 = NFCTH_POLICY_SET, - NFCTH_POLICY_SET2, - NFCTH_POLICY_SET3, - NFCTH_POLICY_SET4, - __NFCTH_POLICY_SET_MAX -}; -#define NFCTH_POLICY_SET_MAX (__NFCTH_POLICY_SET_MAX - 1) - -enum nfnl_cthelper_pol_type { - NFCTH_POLICY_UNSPEC, - NFCTH_POLICY_NAME, - NFCTH_POLICY_EXPECT_MAX, - NFCTH_POLICY_EXPECT_TIMEOUT, - __NFCTH_POLICY_MAX -}; -#define NFCTH_POLICY_MAX (__NFCTH_POLICY_MAX - 1) - -enum nfnl_cthelper_tuple_type { - NFCTH_TUPLE_UNSPEC, - NFCTH_TUPLE_L3PROTONUM, - NFCTH_TUPLE_L4PROTONUM, - __NFCTH_TUPLE_MAX, -}; -#define NFCTH_TUPLE_MAX (__NFCTH_TUPLE_MAX - 1) - -#endif /* _NFNL_CTHELPER_H */ diff --git a/include/linux/netfilter/nfnetlink_cttimeout.h b/include/linux/netfilter/nfnetlink_cttimeout.h deleted file mode 100644 index a2810a7..0000000 --- a/include/linux/netfilter/nfnetlink_cttimeout.h +++ /dev/null @@ -1,114 +0,0 @@ -#ifndef _CTTIMEOUT_NETLINK_H -#define _CTTIMEOUT_NETLINK_H -#include - -enum ctnl_timeout_msg_types { - IPCTNL_MSG_TIMEOUT_NEW, - IPCTNL_MSG_TIMEOUT_GET, - IPCTNL_MSG_TIMEOUT_DELETE, - - IPCTNL_MSG_TIMEOUT_MAX -}; - -enum ctattr_timeout { - CTA_TIMEOUT_UNSPEC, - CTA_TIMEOUT_NAME, - CTA_TIMEOUT_L3PROTO, - CTA_TIMEOUT_L4PROTO, - CTA_TIMEOUT_DATA, - CTA_TIMEOUT_USE, - __CTA_TIMEOUT_MAX -}; -#define CTA_TIMEOUT_MAX (__CTA_TIMEOUT_MAX - 1) - -enum ctattr_timeout_generic { - CTA_TIMEOUT_GENERIC_UNSPEC, - CTA_TIMEOUT_GENERIC_TIMEOUT, - __CTA_TIMEOUT_GENERIC_MAX -}; -#define CTA_TIMEOUT_GENERIC_MAX (__CTA_TIMEOUT_GENERIC_MAX - 1) - -enum ctattr_timeout_tcp { - CTA_TIMEOUT_TCP_UNSPEC, - CTA_TIMEOUT_TCP_SYN_SENT, - CTA_TIMEOUT_TCP_SYN_RECV, - CTA_TIMEOUT_TCP_ESTABLISHED, - CTA_TIMEOUT_TCP_FIN_WAIT, - CTA_TIMEOUT_TCP_CLOSE_WAIT, - CTA_TIMEOUT_TCP_LAST_ACK, - CTA_TIMEOUT_TCP_TIME_WAIT, - CTA_TIMEOUT_TCP_CLOSE, - CTA_TIMEOUT_TCP_SYN_SENT2, - CTA_TIMEOUT_TCP_RETRANS, - CTA_TIMEOUT_TCP_UNACK, - __CTA_TIMEOUT_TCP_MAX -}; -#define CTA_TIMEOUT_TCP_MAX (__CTA_TIMEOUT_TCP_MAX - 1) - -enum ctattr_timeout_udp { - CTA_TIMEOUT_UDP_UNSPEC, - CTA_TIMEOUT_UDP_UNREPLIED, - CTA_TIMEOUT_UDP_REPLIED, - __CTA_TIMEOUT_UDP_MAX -}; -#define CTA_TIMEOUT_UDP_MAX (__CTA_TIMEOUT_UDP_MAX - 1) - -enum ctattr_timeout_udplite { - CTA_TIMEOUT_UDPLITE_UNSPEC, - CTA_TIMEOUT_UDPLITE_UNREPLIED, - CTA_TIMEOUT_UDPLITE_REPLIED, - __CTA_TIMEOUT_UDPLITE_MAX -}; -#define CTA_TIMEOUT_UDPLITE_MAX (__CTA_TIMEOUT_UDPLITE_MAX - 1) - -enum ctattr_timeout_icmp { - CTA_TIMEOUT_ICMP_UNSPEC, - CTA_TIMEOUT_ICMP_TIMEOUT, - __CTA_TIMEOUT_ICMP_MAX -}; -#define CTA_TIMEOUT_ICMP_MAX (__CTA_TIMEOUT_ICMP_MAX - 1) - -enum ctattr_timeout_dccp { - CTA_TIMEOUT_DCCP_UNSPEC, - CTA_TIMEOUT_DCCP_REQUEST, - CTA_TIMEOUT_DCCP_RESPOND, - CTA_TIMEOUT_DCCP_PARTOPEN, - CTA_TIMEOUT_DCCP_OPEN, - CTA_TIMEOUT_DCCP_CLOSEREQ, - CTA_TIMEOUT_DCCP_CLOSING, - CTA_TIMEOUT_DCCP_TIMEWAIT, - __CTA_TIMEOUT_DCCP_MAX -}; -#define CTA_TIMEOUT_DCCP_MAX (__CTA_TIMEOUT_DCCP_MAX - 1) - -enum ctattr_timeout_sctp { - CTA_TIMEOUT_SCTP_UNSPEC, - CTA_TIMEOUT_SCTP_CLOSED, - CTA_TIMEOUT_SCTP_COOKIE_WAIT, - CTA_TIMEOUT_SCTP_COOKIE_ECHOED, - CTA_TIMEOUT_SCTP_ESTABLISHED, - CTA_TIMEOUT_SCTP_SHUTDOWN_SENT, - CTA_TIMEOUT_SCTP_SHUTDOWN_RECD, - CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, - __CTA_TIMEOUT_SCTP_MAX -}; -#define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1) - -enum ctattr_timeout_icmpv6 { - CTA_TIMEOUT_ICMPV6_UNSPEC, - CTA_TIMEOUT_ICMPV6_TIMEOUT, - __CTA_TIMEOUT_ICMPV6_MAX -}; -#define CTA_TIMEOUT_ICMPV6_MAX (__CTA_TIMEOUT_ICMPV6_MAX - 1) - -enum ctattr_timeout_gre { - CTA_TIMEOUT_GRE_UNSPEC, - CTA_TIMEOUT_GRE_UNREPLIED, - CTA_TIMEOUT_GRE_REPLIED, - __CTA_TIMEOUT_GRE_MAX -}; -#define CTA_TIMEOUT_GRE_MAX (__CTA_TIMEOUT_GRE_MAX - 1) - -#define CTNL_TIMEOUT_NAME_MAX 32 - -#endif diff --git a/include/linux/netfilter/nfnetlink_log.h b/include/linux/netfilter/nfnetlink_log.h deleted file mode 100644 index 90c2c95..0000000 --- a/include/linux/netfilter/nfnetlink_log.h +++ /dev/null @@ -1,97 +0,0 @@ -#ifndef _NFNETLINK_LOG_H -#define _NFNETLINK_LOG_H - -/* This file describes the netlink messages (i.e. 'protocol packets'), - * and not any kind of function definitions. It is shared between kernel and - * userspace. Don't put kernel specific stuff in here */ - -#include -#include - -enum nfulnl_msg_types { - NFULNL_MSG_PACKET, /* packet from kernel to userspace */ - NFULNL_MSG_CONFIG, /* connect to a particular queue */ - - NFULNL_MSG_MAX -}; - -struct nfulnl_msg_packet_hdr { - __be16 hw_protocol; /* hw protocol (network order) */ - __u8 hook; /* netfilter hook */ - __u8 _pad; -}; - -struct nfulnl_msg_packet_hw { - __be16 hw_addrlen; - __u16 _pad; - __u8 hw_addr[8]; -}; - -struct nfulnl_msg_packet_timestamp { - __aligned_be64 sec; - __aligned_be64 usec; -}; - -enum nfulnl_attr_type { - NFULA_UNSPEC, - NFULA_PACKET_HDR, - NFULA_MARK, /* __u32 nfmark */ - NFULA_TIMESTAMP, /* nfulnl_msg_packet_timestamp */ - NFULA_IFINDEX_INDEV, /* __u32 ifindex */ - NFULA_IFINDEX_OUTDEV, /* __u32 ifindex */ - NFULA_IFINDEX_PHYSINDEV, /* __u32 ifindex */ - NFULA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */ - NFULA_HWADDR, /* nfulnl_msg_packet_hw */ - NFULA_PAYLOAD, /* opaque data payload */ - NFULA_PREFIX, /* string prefix */ - NFULA_UID, /* user id of socket */ - NFULA_SEQ, /* instance-local sequence number */ - NFULA_SEQ_GLOBAL, /* global sequence number */ - NFULA_GID, /* group id of socket */ - NFULA_HWTYPE, /* hardware type */ - NFULA_HWHEADER, /* hardware header */ - NFULA_HWLEN, /* hardware header length */ - - __NFULA_MAX -}; -#define NFULA_MAX (__NFULA_MAX - 1) - -enum nfulnl_msg_config_cmds { - NFULNL_CFG_CMD_NONE, - NFULNL_CFG_CMD_BIND, - NFULNL_CFG_CMD_UNBIND, - NFULNL_CFG_CMD_PF_BIND, - NFULNL_CFG_CMD_PF_UNBIND, -}; - -struct nfulnl_msg_config_cmd { - __u8 command; /* nfulnl_msg_config_cmds */ -} __attribute__ ((packed)); - -struct nfulnl_msg_config_mode { - __be32 copy_range; - __u8 copy_mode; - __u8 _pad; -} __attribute__ ((packed)); - -enum nfulnl_attr_config { - NFULA_CFG_UNSPEC, - NFULA_CFG_CMD, /* nfulnl_msg_config_cmd */ - NFULA_CFG_MODE, /* nfulnl_msg_config_mode */ - NFULA_CFG_NLBUFSIZ, /* __u32 buffer size */ - NFULA_CFG_TIMEOUT, /* __u32 in 1/100 s */ - NFULA_CFG_QTHRESH, /* __u32 */ - NFULA_CFG_FLAGS, /* __u16 */ - __NFULA_CFG_MAX -}; -#define NFULA_CFG_MAX (__NFULA_CFG_MAX -1) - -#define NFULNL_COPY_NONE 0x00 -#define NFULNL_COPY_META 0x01 -#define NFULNL_COPY_PACKET 0x02 -/* 0xff is reserved, don't use it for new copy modes. */ - -#define NFULNL_CFG_F_SEQ 0x0001 -#define NFULNL_CFG_F_SEQ_GLOBAL 0x0002 - -#endif /* _NFNETLINK_LOG_H */ diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h deleted file mode 100644 index 70ec8c2..0000000 --- a/include/linux/netfilter/nfnetlink_queue.h +++ /dev/null @@ -1,101 +0,0 @@ -#ifndef _NFNETLINK_QUEUE_H -#define _NFNETLINK_QUEUE_H - -#include -#include - -enum nfqnl_msg_types { - NFQNL_MSG_PACKET, /* packet from kernel to userspace */ - NFQNL_MSG_VERDICT, /* verdict from userspace to kernel */ - NFQNL_MSG_CONFIG, /* connect to a particular queue */ - NFQNL_MSG_VERDICT_BATCH, /* batchv from userspace to kernel */ - - NFQNL_MSG_MAX -}; - -struct nfqnl_msg_packet_hdr { - __be32 packet_id; /* unique ID of packet in queue */ - __be16 hw_protocol; /* hw protocol (network order) */ - __u8 hook; /* netfilter hook */ -} __attribute__ ((packed)); - -struct nfqnl_msg_packet_hw { - __be16 hw_addrlen; - __u16 _pad; - __u8 hw_addr[8]; -}; - -struct nfqnl_msg_packet_timestamp { - __aligned_be64 sec; - __aligned_be64 usec; -}; - -enum nfqnl_attr_type { - NFQA_UNSPEC, - NFQA_PACKET_HDR, - NFQA_VERDICT_HDR, /* nfqnl_msg_verdict_hrd */ - NFQA_MARK, /* __u32 nfmark */ - NFQA_TIMESTAMP, /* nfqnl_msg_packet_timestamp */ - NFQA_IFINDEX_INDEV, /* __u32 ifindex */ - NFQA_IFINDEX_OUTDEV, /* __u32 ifindex */ - NFQA_IFINDEX_PHYSINDEV, /* __u32 ifindex */ - NFQA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */ - NFQA_HWADDR, /* nfqnl_msg_packet_hw */ - NFQA_PAYLOAD, /* opaque data payload */ - NFQA_CT, /* nf_conntrack_netlink.h */ - NFQA_CT_INFO, /* enum ip_conntrack_info */ - NFQA_CAP_LEN, /* __u32 length of captured packet */ - - __NFQA_MAX -}; -#define NFQA_MAX (__NFQA_MAX - 1) - -struct nfqnl_msg_verdict_hdr { - __be32 verdict; - __be32 id; -}; - - -enum nfqnl_msg_config_cmds { - NFQNL_CFG_CMD_NONE, - NFQNL_CFG_CMD_BIND, - NFQNL_CFG_CMD_UNBIND, - NFQNL_CFG_CMD_PF_BIND, - NFQNL_CFG_CMD_PF_UNBIND, -}; - -struct nfqnl_msg_config_cmd { - __u8 command; /* nfqnl_msg_config_cmds */ - __u8 _pad; - __be16 pf; /* AF_xxx for PF_[UN]BIND */ -}; - -enum nfqnl_config_mode { - NFQNL_COPY_NONE, - NFQNL_COPY_META, - NFQNL_COPY_PACKET, -}; - -struct nfqnl_msg_config_params { - __be32 copy_range; - __u8 copy_mode; /* enum nfqnl_config_mode */ -} __attribute__ ((packed)); - - -enum nfqnl_attr_config { - NFQA_CFG_UNSPEC, - NFQA_CFG_CMD, /* nfqnl_msg_config_cmd */ - NFQA_CFG_PARAMS, /* nfqnl_msg_config_params */ - NFQA_CFG_QUEUE_MAXLEN, /* __u32 */ - NFQA_CFG_MASK, /* identify which flags to change */ - NFQA_CFG_FLAGS, /* value of these flags (__u32) */ - __NFQA_CFG_MAX -}; -#define NFQA_CFG_MAX (__NFQA_CFG_MAX-1) - -/* Flags for NFQA_CFG_FLAGS */ -#define NFQA_CFG_F_FAIL_OPEN (1 << 0) -#define NFQA_CFG_F_CONNTRACK (1 << 1) -#define NFQA_CFG_F_MAX (1 << 2) - -#endif /* _NFNETLINK_QUEUE_H */ diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 8d674a7..dd49566 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -1,191 +1,9 @@ #ifndef _X_TABLES_H #define _X_TABLES_H -#include -#include -#define XT_FUNCTION_MAXNAMELEN 30 -#define XT_EXTENSION_MAXNAMELEN 29 -#define XT_TABLE_MAXNAMELEN 32 - -struct xt_entry_match { - union { - struct { - __u16 match_size; - - /* Used by userspace */ - char name[XT_EXTENSION_MAXNAMELEN]; - __u8 revision; - } user; - struct { - __u16 match_size; - - /* Used inside the kernel */ - struct xt_match *match; - } kernel; - - /* Total length */ - __u16 match_size; - } u; - - unsigned char data[0]; -}; - -struct xt_entry_target { - union { - struct { - __u16 target_size; - - /* Used by userspace */ - char name[XT_EXTENSION_MAXNAMELEN]; - __u8 revision; - } user; - struct { - __u16 target_size; - - /* Used inside the kernel */ - struct xt_target *target; - } kernel; - - /* Total length */ - __u16 target_size; - } u; - - unsigned char data[0]; -}; - -#define XT_TARGET_INIT(__name, __size) \ -{ \ - .target.u.user = { \ - .target_size = XT_ALIGN(__size), \ - .name = __name, \ - }, \ -} - -struct xt_standard_target { - struct xt_entry_target target; - int verdict; -}; - -struct xt_error_target { - struct xt_entry_target target; - char errorname[XT_FUNCTION_MAXNAMELEN]; -}; - -/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision - * kernel supports, if >= revision. */ -struct xt_get_revision { - char name[XT_EXTENSION_MAXNAMELEN]; - __u8 revision; -}; - -/* CONTINUE verdict for targets */ -#define XT_CONTINUE 0xFFFFFFFF - -/* For standard target */ -#define XT_RETURN (-NF_REPEAT - 1) - -/* this is a dummy structure to find out the alignment requirement for a struct - * containing all the fundamental data types that are used in ipt_entry, - * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my - * personal pleasure to remove it -HW - */ -struct _xt_align { - __u8 u8; - __u16 u16; - __u32 u32; - __u64 u64; -}; - -#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) - -/* Standard return verdict, or do jump. */ -#define XT_STANDARD_TARGET "" -/* Error verdict. */ -#define XT_ERROR_TARGET "ERROR" - -#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) -#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) - -struct xt_counters { - __u64 pcnt, bcnt; /* Packet and byte counters */ -}; - -/* The argument to IPT_SO_ADD_COUNTERS. */ -struct xt_counters_info { - /* Which table. */ - char name[XT_TABLE_MAXNAMELEN]; - - unsigned int num_counters; - - /* The counters (actually `number' of these). */ - struct xt_counters counters[0]; -}; - -#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ - -#ifndef __KERNEL__ -/* fn returns 0 to continue iteration */ -#define XT_MATCH_ITERATE(type, e, fn, args...) \ -({ \ - unsigned int __i; \ - int __ret = 0; \ - struct xt_entry_match *__m; \ - \ - for (__i = sizeof(type); \ - __i < (e)->target_offset; \ - __i += __m->u.match_size) { \ - __m = (void *)e + __i; \ - \ - __ret = fn(__m , ## args); \ - if (__ret != 0) \ - break; \ - } \ - __ret; \ -}) - -/* fn returns 0 to continue iteration */ -#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ -({ \ - unsigned int __i, __n; \ - int __ret = 0; \ - type *__entry; \ - \ - for (__i = 0, __n = 0; __i < (size); \ - __i += __entry->next_offset, __n++) { \ - __entry = (void *)(entries) + __i; \ - if (__n < n) \ - continue; \ - \ - __ret = fn(__entry , ## args); \ - if (__ret != 0) \ - break; \ - } \ - __ret; \ -}) - -/* fn returns 0 to continue iteration */ -#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ - XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) - -#endif /* !__KERNEL__ */ - -/* pos is normally a struct ipt_entry/ip6t_entry/etc. */ -#define xt_entry_foreach(pos, ehead, esize) \ - for ((pos) = (typeof(pos))(ehead); \ - (pos) < (typeof(pos))((char *)(ehead) + (esize)); \ - (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset)) - -/* can only be xt_entry_match, so no use of typeof here */ -#define xt_ematch_foreach(pos, entry) \ - for ((pos) = (struct xt_entry_match *)entry->elems; \ - (pos) < (struct xt_entry_match *)((char *)(entry) + \ - (entry)->target_offset); \ - (pos) = (struct xt_entry_match *)((char *)(pos) + \ - (pos)->u.match_size)) - -#ifdef __KERNEL__ #include +#include /** * struct xt_action_param - parameters for matches/targets @@ -617,6 +435,4 @@ extern int xt_compat_target_to_user(const struct xt_entry_target *t, void __user **dstptr, unsigned int *size); #endif /* CONFIG_COMPAT */ -#endif /* __KERNEL__ */ - #endif /* _X_TABLES_H */ diff --git a/include/linux/netfilter/xt_AUDIT.h b/include/linux/netfilter/xt_AUDIT.h deleted file mode 100644 index 38751d2..0000000 --- a/include/linux/netfilter/xt_AUDIT.h +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Header file for iptables xt_AUDIT target - * - * (C) 2010-2011 Thomas Graf - * (C) 2010-2011 Red Hat, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - */ - -#ifndef _XT_AUDIT_TARGET_H -#define _XT_AUDIT_TARGET_H - -#include - -enum { - XT_AUDIT_TYPE_ACCEPT = 0, - XT_AUDIT_TYPE_DROP, - XT_AUDIT_TYPE_REJECT, - __XT_AUDIT_TYPE_MAX, -}; - -#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1) - -struct xt_audit_info { - __u8 type; /* XT_AUDIT_TYPE_* */ -}; - -#endif /* _XT_AUDIT_TARGET_H */ diff --git a/include/linux/netfilter/xt_CHECKSUM.h b/include/linux/netfilter/xt_CHECKSUM.h deleted file mode 100644 index 9a2e466..0000000 --- a/include/linux/netfilter/xt_CHECKSUM.h +++ /dev/null @@ -1,20 +0,0 @@ -/* Header file for iptables ipt_CHECKSUM target - * - * (C) 2002 by Harald Welte - * (C) 2010 Red Hat Inc - * Author: Michael S. Tsirkin - * - * This software is distributed under GNU GPL v2, 1991 -*/ -#ifndef _XT_CHECKSUM_TARGET_H -#define _XT_CHECKSUM_TARGET_H - -#include - -#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */ - -struct xt_CHECKSUM_info { - __u8 operation; /* bitset of operations */ -}; - -#endif /* _XT_CHECKSUM_TARGET_H */ diff --git a/include/linux/netfilter/xt_CLASSIFY.h b/include/linux/netfilter/xt_CLASSIFY.h deleted file mode 100644 index a813bf1..0000000 --- a/include/linux/netfilter/xt_CLASSIFY.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef _XT_CLASSIFY_H -#define _XT_CLASSIFY_H - -#include - -struct xt_classify_target_info { - __u32 priority; -}; - -#endif /*_XT_CLASSIFY_H */ diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h deleted file mode 100644 index 2f2e48e..0000000 --- a/include/linux/netfilter/xt_CONNMARK.h +++ /dev/null @@ -1,6 +0,0 @@ -#ifndef _XT_CONNMARK_H_target -#define _XT_CONNMARK_H_target - -#include - -#endif /*_XT_CONNMARK_H_target*/ diff --git a/include/linux/netfilter/xt_CONNSECMARK.h b/include/linux/netfilter/xt_CONNSECMARK.h deleted file mode 100644 index b973ff8..0000000 --- a/include/linux/netfilter/xt_CONNSECMARK.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef _XT_CONNSECMARK_H_target -#define _XT_CONNSECMARK_H_target - -#include - -enum { - CONNSECMARK_SAVE = 1, - CONNSECMARK_RESTORE, -}; - -struct xt_connsecmark_target_info { - __u8 mode; -}; - -#endif /*_XT_CONNSECMARK_H_target */ diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h deleted file mode 100644 index a064b8a..0000000 --- a/include/linux/netfilter/xt_CT.h +++ /dev/null @@ -1,31 +0,0 @@ -#ifndef _XT_CT_H -#define _XT_CT_H - -#include - -#define XT_CT_NOTRACK 0x1 - -struct xt_ct_target_info { - __u16 flags; - __u16 zone; - __u32 ct_events; - __u32 exp_events; - char helper[16]; - - /* Used internally by the kernel */ - struct nf_conn *ct __attribute__((aligned(8))); -}; - -struct xt_ct_target_info_v1 { - __u16 flags; - __u16 zone; - __u32 ct_events; - __u32 exp_events; - char helper[16]; - char timeout[32]; - - /* Used internally by the kernel */ - struct nf_conn *ct __attribute__((aligned(8))); -}; - -#endif /* _XT_CT_H */ diff --git a/include/linux/netfilter/xt_DSCP.h b/include/linux/netfilter/xt_DSCP.h deleted file mode 100644 index 648e0b3..0000000 --- a/include/linux/netfilter/xt_DSCP.h +++ /dev/null @@ -1,26 +0,0 @@ -/* x_tables module for setting the IPv4/IPv6 DSCP field - * - * (C) 2002 Harald Welte - * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh - * This software is distributed under GNU GPL v2, 1991 - * - * See RFC2474 for a description of the DSCP field within the IP Header. - * - * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp -*/ -#ifndef _XT_DSCP_TARGET_H -#define _XT_DSCP_TARGET_H -#include -#include - -/* target info */ -struct xt_DSCP_info { - __u8 dscp; -}; - -struct xt_tos_target_info { - __u8 tos_value; - __u8 tos_mask; -}; - -#endif /* _XT_DSCP_TARGET_H */ diff --git a/include/linux/netfilter/xt_IDLETIMER.h b/include/linux/netfilter/xt_IDLETIMER.h deleted file mode 100644 index 208ae93..0000000 --- a/include/linux/netfilter/xt_IDLETIMER.h +++ /dev/null @@ -1,45 +0,0 @@ -/* - * linux/include/linux/netfilter/xt_IDLETIMER.h - * - * Header file for Xtables timer target module. - * - * Copyright (C) 2004, 2010 Nokia Corporation - * Written by Timo Teras - * - * Converted to x_tables and forward-ported to 2.6.34 - * by Luciano Coelho - * - * Contact: Luciano Coelho - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * version 2 as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA - * 02110-1301 USA - */ - -#ifndef _XT_IDLETIMER_H -#define _XT_IDLETIMER_H - -#include - -#define MAX_IDLETIMER_LABEL_SIZE 28 - -struct idletimer_tg_info { - __u32 timeout; - - char label[MAX_IDLETIMER_LABEL_SIZE]; - - /* for kernel module internal use only */ - struct idletimer_tg *timer __attribute__((aligned(8))); -}; - -#endif diff --git a/include/linux/netfilter/xt_LED.h b/include/linux/netfilter/xt_LED.h deleted file mode 100644 index f5509e7..0000000 --- a/include/linux/netfilter/xt_LED.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef _XT_LED_H -#define _XT_LED_H - -#include - -struct xt_led_info { - char id[27]; /* Unique ID for this trigger in the LED class */ - __u8 always_blink; /* Blink even if the LED is already on */ - __u32 delay; /* Delay until LED is switched off after trigger */ - - /* Kernel data used in the module */ - void *internal_data __attribute__((aligned(8))); -}; - -#endif /* _XT_LED_H */ diff --git a/include/linux/netfilter/xt_LOG.h b/include/linux/netfilter/xt_LOG.h deleted file mode 100644 index cac0790..0000000 --- a/include/linux/netfilter/xt_LOG.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef _XT_LOG_H -#define _XT_LOG_H - -/* make sure not to change this without changing nf_log.h:NF_LOG_* (!) */ -#define XT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ -#define XT_LOG_TCPOPT 0x02 /* Log TCP options */ -#define XT_LOG_IPOPT 0x04 /* Log IP options */ -#define XT_LOG_UID 0x08 /* Log UID owning local socket */ -#define XT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ -#define XT_LOG_MACDECODE 0x20 /* Decode MAC header */ -#define XT_LOG_MASK 0x2f - -struct xt_log_info { - unsigned char level; - unsigned char logflags; - char prefix[30]; -}; - -#endif /* _XT_LOG_H */ diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h deleted file mode 100644 index 41c456d..0000000 --- a/include/linux/netfilter/xt_MARK.h +++ /dev/null @@ -1,6 +0,0 @@ -#ifndef _XT_MARK_H_target -#define _XT_MARK_H_target - -#include - -#endif /*_XT_MARK_H_target */ diff --git a/include/linux/netfilter/xt_NFLOG.h b/include/linux/netfilter/xt_NFLOG.h deleted file mode 100644 index 87b5831..0000000 --- a/include/linux/netfilter/xt_NFLOG.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef _XT_NFLOG_TARGET -#define _XT_NFLOG_TARGET - -#include - -#define XT_NFLOG_DEFAULT_GROUP 0x1 -#define XT_NFLOG_DEFAULT_THRESHOLD 0 - -#define XT_NFLOG_MASK 0x0 - -struct xt_nflog_info { - __u32 len; - __u16 group; - __u16 threshold; - __u16 flags; - __u16 pad; - char prefix[64]; -}; - -#endif /* _XT_NFLOG_TARGET */ diff --git a/include/linux/netfilter/xt_NFQUEUE.h b/include/linux/netfilter/xt_NFQUEUE.h deleted file mode 100644 index 9eafdbb..0000000 --- a/include/linux/netfilter/xt_NFQUEUE.h +++ /dev/null @@ -1,29 +0,0 @@ -/* iptables module for using NFQUEUE mechanism - * - * (C) 2005 Harald Welte - * - * This software is distributed under GNU GPL v2, 1991 - * -*/ -#ifndef _XT_NFQ_TARGET_H -#define _XT_NFQ_TARGET_H - -#include - -/* target info */ -struct xt_NFQ_info { - __u16 queuenum; -}; - -struct xt_NFQ_info_v1 { - __u16 queuenum; - __u16 queues_total; -}; - -struct xt_NFQ_info_v2 { - __u16 queuenum; - __u16 queues_total; - __u16 bypass; -}; - -#endif /* _XT_NFQ_TARGET_H */ diff --git a/include/linux/netfilter/xt_RATEEST.h b/include/linux/netfilter/xt_RATEEST.h deleted file mode 100644 index 6605e20..0000000 --- a/include/linux/netfilter/xt_RATEEST.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef _XT_RATEEST_TARGET_H -#define _XT_RATEEST_TARGET_H - -#include - -struct xt_rateest_target_info { - char name[IFNAMSIZ]; - __s8 interval; - __u8 ewma_log; - - /* Used internally by the kernel */ - struct xt_rateest *est __attribute__((aligned(8))); -}; - -#endif /* _XT_RATEEST_TARGET_H */ diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h deleted file mode 100644 index 989092b..0000000 --- a/include/linux/netfilter/xt_SECMARK.h +++ /dev/null @@ -1,22 +0,0 @@ -#ifndef _XT_SECMARK_H_target -#define _XT_SECMARK_H_target - -#include - -/* - * This is intended for use by various security subsystems (but not - * at the same time). - * - * 'mode' refers to the specific security subsystem which the - * packets are being marked for. - */ -#define SECMARK_MODE_SEL 0x01 /* SELinux */ -#define SECMARK_SECCTX_MAX 256 - -struct xt_secmark_target_info { - __u8 mode; - __u32 secid; - char secctx[SECMARK_SECCTX_MAX]; -}; - -#endif /*_XT_SECMARK_H_target */ diff --git a/include/linux/netfilter/xt_TCPMSS.h b/include/linux/netfilter/xt_TCPMSS.h deleted file mode 100644 index 9a6960a..0000000 --- a/include/linux/netfilter/xt_TCPMSS.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef _XT_TCPMSS_H -#define _XT_TCPMSS_H - -#include - -struct xt_tcpmss_info { - __u16 mss; -}; - -#define XT_TCPMSS_CLAMP_PMTU 0xffff - -#endif /* _XT_TCPMSS_H */ diff --git a/include/linux/netfilter/xt_TCPOPTSTRIP.h b/include/linux/netfilter/xt_TCPOPTSTRIP.h deleted file mode 100644 index 7157318..0000000 --- a/include/linux/netfilter/xt_TCPOPTSTRIP.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef _XT_TCPOPTSTRIP_H -#define _XT_TCPOPTSTRIP_H - -#include - -#define tcpoptstrip_set_bit(bmap, idx) \ - (bmap[(idx) >> 5] |= 1U << (idx & 31)) -#define tcpoptstrip_test_bit(bmap, idx) \ - (((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0) - -struct xt_tcpoptstrip_target_info { - __u32 strip_bmap[8]; -}; - -#endif /* _XT_TCPOPTSTRIP_H */ diff --git a/include/linux/netfilter/xt_TEE.h b/include/linux/netfilter/xt_TEE.h deleted file mode 100644 index 5c21d5c..0000000 --- a/include/linux/netfilter/xt_TEE.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef _XT_TEE_TARGET_H -#define _XT_TEE_TARGET_H - -struct xt_tee_tginfo { - union nf_inet_addr gw; - char oif[16]; - - /* used internally by the kernel */ - struct xt_tee_priv *priv __attribute__((aligned(8))); -}; - -#endif /* _XT_TEE_TARGET_H */ diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h deleted file mode 100644 index 902043c..0000000 --- a/include/linux/netfilter/xt_TPROXY.h +++ /dev/null @@ -1,23 +0,0 @@ -#ifndef _XT_TPROXY_H -#define _XT_TPROXY_H - -#include - -/* TPROXY target is capable of marking the packet to perform - * redirection. We can get rid of that whenever we get support for - * mutliple targets in the same rule. */ -struct xt_tproxy_target_info { - __u32 mark_mask; - __u32 mark_value; - __be32 laddr; - __be16 lport; -}; - -struct xt_tproxy_target_info_v1 { - __u32 mark_mask; - __u32 mark_value; - union nf_inet_addr laddr; - __be16 lport; -}; - -#endif /* _XT_TPROXY_H */ diff --git a/include/linux/netfilter/xt_addrtype.h b/include/linux/netfilter/xt_addrtype.h deleted file mode 100644 index b156baa..0000000 --- a/include/linux/netfilter/xt_addrtype.h +++ /dev/null @@ -1,44 +0,0 @@ -#ifndef _XT_ADDRTYPE_H -#define _XT_ADDRTYPE_H - -#include - -enum { - XT_ADDRTYPE_INVERT_SOURCE = 0x0001, - XT_ADDRTYPE_INVERT_DEST = 0x0002, - XT_ADDRTYPE_LIMIT_IFACE_IN = 0x0004, - XT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008, -}; - - -/* rtn_type enum values from rtnetlink.h, but shifted */ -enum { - XT_ADDRTYPE_UNSPEC = 1 << 0, - XT_ADDRTYPE_UNICAST = 1 << 1, /* 1 << RTN_UNICAST */ - XT_ADDRTYPE_LOCAL = 1 << 2, /* 1 << RTN_LOCAL, etc */ - XT_ADDRTYPE_BROADCAST = 1 << 3, - XT_ADDRTYPE_ANYCAST = 1 << 4, - XT_ADDRTYPE_MULTICAST = 1 << 5, - XT_ADDRTYPE_BLACKHOLE = 1 << 6, - XT_ADDRTYPE_UNREACHABLE = 1 << 7, - XT_ADDRTYPE_PROHIBIT = 1 << 8, - XT_ADDRTYPE_THROW = 1 << 9, - XT_ADDRTYPE_NAT = 1 << 10, - XT_ADDRTYPE_XRESOLVE = 1 << 11, -}; - -struct xt_addrtype_info_v1 { - __u16 source; /* source-type mask */ - __u16 dest; /* dest-type mask */ - __u32 flags; -}; - -/* revision 0 */ -struct xt_addrtype_info { - __u16 source; /* source-type mask */ - __u16 dest; /* dest-type mask */ - __u32 invert_source; - __u32 invert_dest; -}; - -#endif diff --git a/include/linux/netfilter/xt_cluster.h b/include/linux/netfilter/xt_cluster.h deleted file mode 100644 index 9b883c8..0000000 --- a/include/linux/netfilter/xt_cluster.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef _XT_CLUSTER_MATCH_H -#define _XT_CLUSTER_MATCH_H - -#include - -enum xt_cluster_flags { - XT_CLUSTER_F_INV = (1 << 0) -}; - -struct xt_cluster_match_info { - __u32 total_nodes; - __u32 node_mask; - __u32 hash_seed; - __u32 flags; -}; - -#define XT_CLUSTER_NODES_MAX 32 - -#endif /* _XT_CLUSTER_MATCH_H */ diff --git a/include/linux/netfilter/xt_comment.h b/include/linux/netfilter/xt_comment.h deleted file mode 100644 index 0ea5e79..0000000 --- a/include/linux/netfilter/xt_comment.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef _XT_COMMENT_H -#define _XT_COMMENT_H - -#define XT_MAX_COMMENT_LEN 256 - -struct xt_comment_info { - char comment[XT_MAX_COMMENT_LEN]; -}; - -#endif /* XT_COMMENT_H */ diff --git a/include/linux/netfilter/xt_connbytes.h b/include/linux/netfilter/xt_connbytes.h deleted file mode 100644 index f1d6c15..0000000 --- a/include/linux/netfilter/xt_connbytes.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef _XT_CONNBYTES_H -#define _XT_CONNBYTES_H - -#include - -enum xt_connbytes_what { - XT_CONNBYTES_PKTS, - XT_CONNBYTES_BYTES, - XT_CONNBYTES_AVGPKT, -}; - -enum xt_connbytes_direction { - XT_CONNBYTES_DIR_ORIGINAL, - XT_CONNBYTES_DIR_REPLY, - XT_CONNBYTES_DIR_BOTH, -}; - -struct xt_connbytes_info { - struct { - __aligned_u64 from; /* count to be matched */ - __aligned_u64 to; /* count to be matched */ - } count; - __u8 what; /* ipt_connbytes_what */ - __u8 direction; /* ipt_connbytes_direction */ -}; -#endif diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h deleted file mode 100644 index f165609..0000000 --- a/include/linux/netfilter/xt_connlimit.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef _XT_CONNLIMIT_H -#define _XT_CONNLIMIT_H - -#include -#include - -struct xt_connlimit_data; - -enum { - XT_CONNLIMIT_INVERT = 1 << 0, - XT_CONNLIMIT_DADDR = 1 << 1, -}; - -struct xt_connlimit_info { - union { - union nf_inet_addr mask; -#ifndef __KERNEL__ - union { - __be32 v4_mask; - __be32 v6_mask[4]; - }; -#endif - }; - unsigned int limit; - /* revision 1 */ - __u32 flags; - - /* Used internally by the kernel */ - struct xt_connlimit_data *data __attribute__((aligned(8))); -}; - -#endif /* _XT_CONNLIMIT_H */ diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h deleted file mode 100644 index efc17a8..0000000 --- a/include/linux/netfilter/xt_connmark.h +++ /dev/null @@ -1,31 +0,0 @@ -#ifndef _XT_CONNMARK_H -#define _XT_CONNMARK_H - -#include - -/* Copyright (C) 2002,2004 MARA Systems AB - * by Henrik Nordstrom - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - */ - -enum { - XT_CONNMARK_SET = 0, - XT_CONNMARK_SAVE, - XT_CONNMARK_RESTORE -}; - -struct xt_connmark_tginfo1 { - __u32 ctmark, ctmask, nfmask; - __u8 mode; -}; - -struct xt_connmark_mtinfo1 { - __u32 mark, mask; - __u8 invert; -}; - -#endif /*_XT_CONNMARK_H*/ diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h deleted file mode 100644 index e3c041d..0000000 --- a/include/linux/netfilter/xt_conntrack.h +++ /dev/null @@ -1,77 +0,0 @@ -/* Header file for kernel module to match connection tracking information. - * GPL (C) 2001 Marc Boucher (marc@mbsi.ca). - */ - -#ifndef _XT_CONNTRACK_H -#define _XT_CONNTRACK_H - -#include -#include -#include - -#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) -#define XT_CONNTRACK_STATE_INVALID (1 << 0) - -#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1)) -#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2)) -#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3)) - -/* flags, invflags: */ -enum { - XT_CONNTRACK_STATE = 1 << 0, - XT_CONNTRACK_PROTO = 1 << 1, - XT_CONNTRACK_ORIGSRC = 1 << 2, - XT_CONNTRACK_ORIGDST = 1 << 3, - XT_CONNTRACK_REPLSRC = 1 << 4, - XT_CONNTRACK_REPLDST = 1 << 5, - XT_CONNTRACK_STATUS = 1 << 6, - XT_CONNTRACK_EXPIRES = 1 << 7, - XT_CONNTRACK_ORIGSRC_PORT = 1 << 8, - XT_CONNTRACK_ORIGDST_PORT = 1 << 9, - XT_CONNTRACK_REPLSRC_PORT = 1 << 10, - XT_CONNTRACK_REPLDST_PORT = 1 << 11, - XT_CONNTRACK_DIRECTION = 1 << 12, -}; - -struct xt_conntrack_mtinfo1 { - union nf_inet_addr origsrc_addr, origsrc_mask; - union nf_inet_addr origdst_addr, origdst_mask; - union nf_inet_addr replsrc_addr, replsrc_mask; - union nf_inet_addr repldst_addr, repldst_mask; - __u32 expires_min, expires_max; - __u16 l4proto; - __be16 origsrc_port, origdst_port; - __be16 replsrc_port, repldst_port; - __u16 match_flags, invert_flags; - __u8 state_mask, status_mask; -}; - -struct xt_conntrack_mtinfo2 { - union nf_inet_addr origsrc_addr, origsrc_mask; - union nf_inet_addr origdst_addr, origdst_mask; - union nf_inet_addr replsrc_addr, replsrc_mask; - union nf_inet_addr repldst_addr, repldst_mask; - __u32 expires_min, expires_max; - __u16 l4proto; - __be16 origsrc_port, origdst_port; - __be16 replsrc_port, repldst_port; - __u16 match_flags, invert_flags; - __u16 state_mask, status_mask; -}; - -struct xt_conntrack_mtinfo3 { - union nf_inet_addr origsrc_addr, origsrc_mask; - union nf_inet_addr origdst_addr, origdst_mask; - union nf_inet_addr replsrc_addr, replsrc_mask; - union nf_inet_addr repldst_addr, repldst_mask; - __u32 expires_min, expires_max; - __u16 l4proto; - __u16 origsrc_port, origdst_port; - __u16 replsrc_port, repldst_port; - __u16 match_flags, invert_flags; - __u16 state_mask, status_mask; - __u16 origsrc_port_high, origdst_port_high; - __u16 replsrc_port_high, repldst_port_high; -}; - -#endif /*_XT_CONNTRACK_H*/ diff --git a/include/linux/netfilter/xt_cpu.h b/include/linux/netfilter/xt_cpu.h deleted file mode 100644 index 93c7f11..0000000 --- a/include/linux/netfilter/xt_cpu.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef _XT_CPU_H -#define _XT_CPU_H - -#include - -struct xt_cpu_info { - __u32 cpu; - __u32 invert; -}; - -#endif /*_XT_CPU_H*/ diff --git a/include/linux/netfilter/xt_dccp.h b/include/linux/netfilter/xt_dccp.h deleted file mode 100644 index a579e1b..0000000 --- a/include/linux/netfilter/xt_dccp.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef _XT_DCCP_H_ -#define _XT_DCCP_H_ - -#include - -#define XT_DCCP_SRC_PORTS 0x01 -#define XT_DCCP_DEST_PORTS 0x02 -#define XT_DCCP_TYPE 0x04 -#define XT_DCCP_OPTION 0x08 - -#define XT_DCCP_VALID_FLAGS 0x0f - -struct xt_dccp_info { - __u16 dpts[2]; /* Min, Max */ - __u16 spts[2]; /* Min, Max */ - - __u16 flags; - __u16 invflags; - - __u16 typemask; - __u8 option; -}; - -#endif /* _XT_DCCP_H_ */ - diff --git a/include/linux/netfilter/xt_devgroup.h b/include/linux/netfilter/xt_devgroup.h deleted file mode 100644 index 1babde0..0000000 --- a/include/linux/netfilter/xt_devgroup.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef _XT_DEVGROUP_H -#define _XT_DEVGROUP_H - -#include - -enum xt_devgroup_flags { - XT_DEVGROUP_MATCH_SRC = 0x1, - XT_DEVGROUP_INVERT_SRC = 0x2, - XT_DEVGROUP_MATCH_DST = 0x4, - XT_DEVGROUP_INVERT_DST = 0x8, -}; - -struct xt_devgroup_info { - __u32 flags; - __u32 src_group; - __u32 src_mask; - __u32 dst_group; - __u32 dst_mask; -}; - -#endif /* _XT_DEVGROUP_H */ diff --git a/include/linux/netfilter/xt_dscp.h b/include/linux/netfilter/xt_dscp.h deleted file mode 100644 index 15f8932..0000000 --- a/include/linux/netfilter/xt_dscp.h +++ /dev/null @@ -1,31 +0,0 @@ -/* x_tables module for matching the IPv4/IPv6 DSCP field - * - * (C) 2002 Harald Welte - * This software is distributed under GNU GPL v2, 1991 - * - * See RFC2474 for a description of the DSCP field within the IP Header. - * - * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp -*/ -#ifndef _XT_DSCP_H -#define _XT_DSCP_H - -#include - -#define XT_DSCP_MASK 0xfc /* 11111100 */ -#define XT_DSCP_SHIFT 2 -#define XT_DSCP_MAX 0x3f /* 00111111 */ - -/* match info */ -struct xt_dscp_info { - __u8 dscp; - __u8 invert; -}; - -struct xt_tos_match_info { - __u8 tos_mask; - __u8 tos_value; - __u8 invert; -}; - -#endif /* _XT_DSCP_H */ diff --git a/include/linux/netfilter/xt_ecn.h b/include/linux/netfilter/xt_ecn.h deleted file mode 100644 index 7158fca..0000000 --- a/include/linux/netfilter/xt_ecn.h +++ /dev/null @@ -1,35 +0,0 @@ -/* iptables module for matching the ECN header in IPv4 and TCP header - * - * (C) 2002 Harald Welte - * - * This software is distributed under GNU GPL v2, 1991 - * - * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp -*/ -#ifndef _XT_ECN_H -#define _XT_ECN_H - -#include -#include - -#define XT_ECN_IP_MASK (~XT_DSCP_MASK) - -#define XT_ECN_OP_MATCH_IP 0x01 -#define XT_ECN_OP_MATCH_ECE 0x10 -#define XT_ECN_OP_MATCH_CWR 0x20 - -#define XT_ECN_OP_MATCH_MASK 0xce - -/* match info */ -struct xt_ecn_info { - __u8 operation; - __u8 invert; - __u8 ip_ect; - union { - struct { - __u8 ect; - } tcp; - } proto; -}; - -#endif /* _XT_ECN_H */ diff --git a/include/linux/netfilter/xt_esp.h b/include/linux/netfilter/xt_esp.h deleted file mode 100644 index ee68824..0000000 --- a/include/linux/netfilter/xt_esp.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef _XT_ESP_H -#define _XT_ESP_H - -#include - -struct xt_esp { - __u32 spis[2]; /* Security Parameter Index */ - __u8 invflags; /* Inverse flags */ -}; - -/* Values for "invflags" field in struct xt_esp. */ -#define XT_ESP_INV_SPI 0x01 /* Invert the sense of spi. */ -#define XT_ESP_INV_MASK 0x01 /* All possible flags. */ - -#endif /*_XT_ESP_H*/ diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h index c42e52f..074790c 100644 --- a/include/linux/netfilter/xt_hashlimit.h +++ b/include/linux/netfilter/xt_hashlimit.h @@ -1,78 +1,9 @@ #ifndef _XT_HASHLIMIT_H #define _XT_HASHLIMIT_H -#include +#include -/* timings are in milliseconds. */ -#define XT_HASHLIMIT_SCALE 10000 -/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 - * seconds, or one packet every 59 hours. - */ - -/* packet length accounting is done in 16-byte steps */ -#define XT_HASHLIMIT_BYTE_SHIFT 4 - -/* details of this structure hidden by the implementation */ -struct xt_hashlimit_htable; - -enum { - XT_HASHLIMIT_HASH_DIP = 1 << 0, - XT_HASHLIMIT_HASH_DPT = 1 << 1, - XT_HASHLIMIT_HASH_SIP = 1 << 2, - XT_HASHLIMIT_HASH_SPT = 1 << 3, - XT_HASHLIMIT_INVERT = 1 << 4, - XT_HASHLIMIT_BYTES = 1 << 5, -}; -#ifdef __KERNEL__ #define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \ XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \ XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES) -#endif - -struct hashlimit_cfg { - __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ - __u32 avg; /* Average secs between packets * scale */ - __u32 burst; /* Period multiplier for upper limit. */ - - /* user specified */ - __u32 size; /* how many buckets */ - __u32 max; /* max number of entries */ - __u32 gc_interval; /* gc interval */ - __u32 expire; /* when do entries expire? */ -}; - -struct xt_hashlimit_info { - char name [IFNAMSIZ]; /* name */ - struct hashlimit_cfg cfg; - - /* Used internally by the kernel */ - struct xt_hashlimit_htable *hinfo; - union { - void *ptr; - struct xt_hashlimit_info *master; - } u; -}; - -struct hashlimit_cfg1 { - __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ - __u32 avg; /* Average secs between packets * scale */ - __u32 burst; /* Period multiplier for upper limit. */ - - /* user specified */ - __u32 size; /* how many buckets */ - __u32 max; /* max number of entries */ - __u32 gc_interval; /* gc interval */ - __u32 expire; /* when do entries expire? */ - - __u8 srcmask, dstmask; -}; - -struct xt_hashlimit_mtinfo1 { - char name[IFNAMSIZ]; - struct hashlimit_cfg1 cfg; - - /* Used internally by the kernel */ - struct xt_hashlimit_htable *hinfo __attribute__((aligned(8))); -}; - #endif /*_XT_HASHLIMIT_H*/ diff --git a/include/linux/netfilter/xt_helper.h b/include/linux/netfilter/xt_helper.h deleted file mode 100644 index 6b42763..0000000 --- a/include/linux/netfilter/xt_helper.h +++ /dev/null @@ -1,8 +0,0 @@ -#ifndef _XT_HELPER_H -#define _XT_HELPER_H - -struct xt_helper_info { - int invert; - char name[30]; -}; -#endif /* _XT_HELPER_H */ diff --git a/include/linux/netfilter/xt_iprange.h b/include/linux/netfilter/xt_iprange.h deleted file mode 100644 index 25fd7cf..0000000 --- a/include/linux/netfilter/xt_iprange.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef _LINUX_NETFILTER_XT_IPRANGE_H -#define _LINUX_NETFILTER_XT_IPRANGE_H 1 - -#include -#include - -enum { - IPRANGE_SRC = 1 << 0, /* match source IP address */ - IPRANGE_DST = 1 << 1, /* match destination IP address */ - IPRANGE_SRC_INV = 1 << 4, /* negate the condition */ - IPRANGE_DST_INV = 1 << 5, /* -"- */ -}; - -struct xt_iprange_mtinfo { - union nf_inet_addr src_min, src_max; - union nf_inet_addr dst_min, dst_max; - __u8 flags; -}; - -#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */ diff --git a/include/linux/netfilter/xt_ipvs.h b/include/linux/netfilter/xt_ipvs.h deleted file mode 100644 index eff34ac..0000000 --- a/include/linux/netfilter/xt_ipvs.h +++ /dev/null @@ -1,29 +0,0 @@ -#ifndef _XT_IPVS_H -#define _XT_IPVS_H - -#include - -enum { - XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */ - XT_IPVS_PROTO = 1 << 1, - XT_IPVS_VADDR = 1 << 2, - XT_IPVS_VPORT = 1 << 3, - XT_IPVS_DIR = 1 << 4, - XT_IPVS_METHOD = 1 << 5, - XT_IPVS_VPORTCTL = 1 << 6, - XT_IPVS_MASK = (1 << 7) - 1, - XT_IPVS_ONCE_MASK = XT_IPVS_MASK & ~XT_IPVS_IPVS_PROPERTY -}; - -struct xt_ipvs_mtinfo { - union nf_inet_addr vaddr, vmask; - __be16 vport; - __u8 l4proto; - __u8 fwd_method; - __be16 vportctl; - - __u8 invert; - __u8 bitmask; -}; - -#endif /* _XT_IPVS_H */ diff --git a/include/linux/netfilter/xt_length.h b/include/linux/netfilter/xt_length.h deleted file mode 100644 index b82ed7c..0000000 --- a/include/linux/netfilter/xt_length.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef _XT_LENGTH_H -#define _XT_LENGTH_H - -#include - -struct xt_length_info { - __u16 min, max; - __u8 invert; -}; - -#endif /*_XT_LENGTH_H*/ diff --git a/include/linux/netfilter/xt_limit.h b/include/linux/netfilter/xt_limit.h deleted file mode 100644 index bb47fc4..0000000 --- a/include/linux/netfilter/xt_limit.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef _XT_RATE_H -#define _XT_RATE_H - -#include - -/* timings are in milliseconds. */ -#define XT_LIMIT_SCALE 10000 - -struct xt_limit_priv; - -/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 - seconds, or one every 59 hours. */ -struct xt_rateinfo { - __u32 avg; /* Average secs between packets * scale */ - __u32 burst; /* Period multiplier for upper limit. */ - - /* Used internally by the kernel */ - unsigned long prev; /* moved to xt_limit_priv */ - __u32 credit; /* moved to xt_limit_priv */ - __u32 credit_cap, cost; - - struct xt_limit_priv *master; -}; -#endif /*_XT_RATE_H*/ diff --git a/include/linux/netfilter/xt_mac.h b/include/linux/netfilter/xt_mac.h deleted file mode 100644 index b892cdc..0000000 --- a/include/linux/netfilter/xt_mac.h +++ /dev/null @@ -1,8 +0,0 @@ -#ifndef _XT_MAC_H -#define _XT_MAC_H - -struct xt_mac_info { - unsigned char srcaddr[ETH_ALEN]; - int invert; -}; -#endif /*_XT_MAC_H*/ diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h deleted file mode 100644 index ecadc40..0000000 --- a/include/linux/netfilter/xt_mark.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef _XT_MARK_H -#define _XT_MARK_H - -#include - -struct xt_mark_tginfo2 { - __u32 mark, mask; -}; - -struct xt_mark_mtinfo1 { - __u32 mark, mask; - __u8 invert; -}; - -#endif /*_XT_MARK_H*/ diff --git a/include/linux/netfilter/xt_multiport.h b/include/linux/netfilter/xt_multiport.h deleted file mode 100644 index 5b7e72d..0000000 --- a/include/linux/netfilter/xt_multiport.h +++ /dev/null @@ -1,29 +0,0 @@ -#ifndef _XT_MULTIPORT_H -#define _XT_MULTIPORT_H - -#include - -enum xt_multiport_flags { - XT_MULTIPORT_SOURCE, - XT_MULTIPORT_DESTINATION, - XT_MULTIPORT_EITHER -}; - -#define XT_MULTI_PORTS 15 - -/* Must fit inside union xt_matchinfo: 16 bytes */ -struct xt_multiport { - __u8 flags; /* Type of comparison */ - __u8 count; /* Number of ports */ - __u16 ports[XT_MULTI_PORTS]; /* Ports */ -}; - -struct xt_multiport_v1 { - __u8 flags; /* Type of comparison */ - __u8 count; /* Number of ports */ - __u16 ports[XT_MULTI_PORTS]; /* Ports */ - __u8 pflags[XT_MULTI_PORTS]; /* Port flags */ - __u8 invert; /* Invert flag */ -}; - -#endif /*_XT_MULTIPORT_H*/ diff --git a/include/linux/netfilter/xt_nfacct.h b/include/linux/netfilter/xt_nfacct.h deleted file mode 100644 index 3e19c8a..0000000 --- a/include/linux/netfilter/xt_nfacct.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef _XT_NFACCT_MATCH_H -#define _XT_NFACCT_MATCH_H - -#include - -struct nf_acct; - -struct xt_nfacct_match_info { - char name[NFACCT_NAME_MAX]; - struct nf_acct *nfacct; -}; - -#endif /* _XT_NFACCT_MATCH_H */ diff --git a/include/linux/netfilter/xt_osf.h b/include/linux/netfilter/xt_osf.h deleted file mode 100644 index 18afa49..0000000 --- a/include/linux/netfilter/xt_osf.h +++ /dev/null @@ -1,135 +0,0 @@ -/* - * Copyright (c) 2003+ Evgeniy Polyakov - * - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -#ifndef _XT_OSF_H -#define _XT_OSF_H - -#include - -#define MAXGENRELEN 32 - -#define XT_OSF_GENRE (1<<0) -#define XT_OSF_TTL (1<<1) -#define XT_OSF_LOG (1<<2) -#define XT_OSF_INVERT (1<<3) - -#define XT_OSF_LOGLEVEL_ALL 0 /* log all matched fingerprints */ -#define XT_OSF_LOGLEVEL_FIRST 1 /* log only the first matced fingerprint */ -#define XT_OSF_LOGLEVEL_ALL_KNOWN 2 /* do not log unknown packets */ - -#define XT_OSF_TTL_TRUE 0 /* True ip and fingerprint TTL comparison */ -#define XT_OSF_TTL_LESS 1 /* Check if ip TTL is less than fingerprint one */ -#define XT_OSF_TTL_NOCHECK 2 /* Do not compare ip and fingerprint TTL at all */ - -struct xt_osf_info { - char genre[MAXGENRELEN]; - __u32 len; - __u32 flags; - __u32 loglevel; - __u32 ttl; -}; - -/* - * Wildcard MSS (kind of). - * It is used to implement a state machine for the different wildcard values - * of the MSS and window sizes. - */ -struct xt_osf_wc { - __u32 wc; - __u32 val; -}; - -/* - * This struct represents IANA options - * http://www.iana.org/assignments/tcp-parameters - */ -struct xt_osf_opt { - __u16 kind, length; - struct xt_osf_wc wc; -}; - -struct xt_osf_user_finger { - struct xt_osf_wc wss; - - __u8 ttl, df; - __u16 ss, mss; - __u16 opt_num; - - char genre[MAXGENRELEN]; - char version[MAXGENRELEN]; - char subtype[MAXGENRELEN]; - - /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */ - struct xt_osf_opt opt[MAX_IPOPTLEN]; -}; - -struct xt_osf_nlmsg { - struct xt_osf_user_finger f; - struct iphdr ip; - struct tcphdr tcp; -}; - -/* Defines for IANA option kinds */ - -enum iana_options { - OSFOPT_EOL = 0, /* End of options */ - OSFOPT_NOP, /* NOP */ - OSFOPT_MSS, /* Maximum segment size */ - OSFOPT_WSO, /* Window scale option */ - OSFOPT_SACKP, /* SACK permitted */ - OSFOPT_SACK, /* SACK */ - OSFOPT_ECHO, - OSFOPT_ECHOREPLY, - OSFOPT_TS, /* Timestamp option */ - OSFOPT_POCP, /* Partial Order Connection Permitted */ - OSFOPT_POSP, /* Partial Order Service Profile */ - - /* Others are not used in the current OSF */ - OSFOPT_EMPTY = 255, -}; - -/* - * Initial window size option state machine: multiple of mss, mtu or - * plain numeric value. Can also be made as plain numeric value which - * is not a multiple of specified value. - */ -enum xt_osf_window_size_options { - OSF_WSS_PLAIN = 0, - OSF_WSS_MSS, - OSF_WSS_MTU, - OSF_WSS_MODULO, - OSF_WSS_MAX, -}; - -/* - * Add/remove fingerprint from the kernel. - */ -enum xt_osf_msg_types { - OSF_MSG_ADD, - OSF_MSG_REMOVE, - OSF_MSG_MAX, -}; - -enum xt_osf_attr_type { - OSF_ATTR_UNSPEC, - OSF_ATTR_FINGER, - OSF_ATTR_MAX, -}; - -#endif /* _XT_OSF_H */ diff --git a/include/linux/netfilter/xt_owner.h b/include/linux/netfilter/xt_owner.h deleted file mode 100644 index 2081761..0000000 --- a/include/linux/netfilter/xt_owner.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef _XT_OWNER_MATCH_H -#define _XT_OWNER_MATCH_H - -#include - -enum { - XT_OWNER_UID = 1 << 0, - XT_OWNER_GID = 1 << 1, - XT_OWNER_SOCKET = 1 << 2, -}; - -struct xt_owner_match_info { - __u32 uid_min, uid_max; - __u32 gid_min, gid_max; - __u8 match, invert; -}; - -#endif /* _XT_OWNER_MATCH_H */ diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h index 8555e39..5b5e417 100644 --- a/include/linux/netfilter/xt_physdev.h +++ b/include/linux/netfilter/xt_physdev.h @@ -1,26 +1,7 @@ #ifndef _XT_PHYSDEV_H #define _XT_PHYSDEV_H -#include - -#ifdef __KERNEL__ #include -#endif - -#define XT_PHYSDEV_OP_IN 0x01 -#define XT_PHYSDEV_OP_OUT 0x02 -#define XT_PHYSDEV_OP_BRIDGED 0x04 -#define XT_PHYSDEV_OP_ISIN 0x08 -#define XT_PHYSDEV_OP_ISOUT 0x10 -#define XT_PHYSDEV_OP_MASK (0x20 - 1) - -struct xt_physdev_info { - char physindev[IFNAMSIZ]; - char in_mask[IFNAMSIZ]; - char physoutdev[IFNAMSIZ]; - char out_mask[IFNAMSIZ]; - __u8 invert; - __u8 bitmask; -}; +#include #endif /*_XT_PHYSDEV_H*/ diff --git a/include/linux/netfilter/xt_pkttype.h b/include/linux/netfilter/xt_pkttype.h deleted file mode 100644 index f265cf5..0000000 --- a/include/linux/netfilter/xt_pkttype.h +++ /dev/null @@ -1,8 +0,0 @@ -#ifndef _XT_PKTTYPE_H -#define _XT_PKTTYPE_H - -struct xt_pkttype_info { - int pkttype; - int invert; -}; -#endif /*_XT_PKTTYPE_H*/ diff --git a/include/linux/netfilter/xt_policy.h b/include/linux/netfilter/xt_policy.h deleted file mode 100644 index be8ead0..0000000 --- a/include/linux/netfilter/xt_policy.h +++ /dev/null @@ -1,69 +0,0 @@ -#ifndef _XT_POLICY_H -#define _XT_POLICY_H - -#include - -#define XT_POLICY_MAX_ELEM 4 - -enum xt_policy_flags { - XT_POLICY_MATCH_IN = 0x1, - XT_POLICY_MATCH_OUT = 0x2, - XT_POLICY_MATCH_NONE = 0x4, - XT_POLICY_MATCH_STRICT = 0x8, -}; - -enum xt_policy_modes { - XT_POLICY_MODE_TRANSPORT, - XT_POLICY_MODE_TUNNEL -}; - -struct xt_policy_spec { - __u8 saddr:1, - daddr:1, - proto:1, - mode:1, - spi:1, - reqid:1; -}; - -#ifndef __KERNEL__ -union xt_policy_addr { - struct in_addr a4; - struct in6_addr a6; -}; -#endif - -struct xt_policy_elem { - union { -#ifdef __KERNEL__ - struct { - union nf_inet_addr saddr; - union nf_inet_addr smask; - union nf_inet_addr daddr; - union nf_inet_addr dmask; - }; -#else - struct { - union xt_policy_addr saddr; - union xt_policy_addr smask; - union xt_policy_addr daddr; - union xt_policy_addr dmask; - }; -#endif - }; - __be32 spi; - __u32 reqid; - __u8 proto; - __u8 mode; - - struct xt_policy_spec match; - struct xt_policy_spec invert; -}; - -struct xt_policy_info { - struct xt_policy_elem pol[XT_POLICY_MAX_ELEM]; - __u16 flags; - __u16 len; -}; - -#endif /* _XT_POLICY_H */ diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h deleted file mode 100644 index 9314723..0000000 --- a/include/linux/netfilter/xt_quota.h +++ /dev/null @@ -1,22 +0,0 @@ -#ifndef _XT_QUOTA_H -#define _XT_QUOTA_H - -#include - -enum xt_quota_flags { - XT_QUOTA_INVERT = 0x1, -}; -#define XT_QUOTA_MASK 0x1 - -struct xt_quota_priv; - -struct xt_quota_info { - __u32 flags; - __u32 pad; - __aligned_u64 quota; - - /* Used internally by the kernel */ - struct xt_quota_priv *master; -}; - -#endif /* _XT_QUOTA_H */ diff --git a/include/linux/netfilter/xt_rateest.h b/include/linux/netfilter/xt_rateest.h deleted file mode 100644 index d40a619..0000000 --- a/include/linux/netfilter/xt_rateest.h +++ /dev/null @@ -1,37 +0,0 @@ -#ifndef _XT_RATEEST_MATCH_H -#define _XT_RATEEST_MATCH_H - -#include - -enum xt_rateest_match_flags { - XT_RATEEST_MATCH_INVERT = 1<<0, - XT_RATEEST_MATCH_ABS = 1<<1, - XT_RATEEST_MATCH_REL = 1<<2, - XT_RATEEST_MATCH_DELTA = 1<<3, - XT_RATEEST_MATCH_BPS = 1<<4, - XT_RATEEST_MATCH_PPS = 1<<5, -}; - -enum xt_rateest_match_mode { - XT_RATEEST_MATCH_NONE, - XT_RATEEST_MATCH_EQ, - XT_RATEEST_MATCH_LT, - XT_RATEEST_MATCH_GT, -}; - -struct xt_rateest_match_info { - char name1[IFNAMSIZ]; - char name2[IFNAMSIZ]; - __u16 flags; - __u16 mode; - __u32 bps1; - __u32 pps1; - __u32 bps2; - __u32 pps2; - - /* Used internally by the kernel */ - struct xt_rateest *est1 __attribute__((aligned(8))); - struct xt_rateest *est2 __attribute__((aligned(8))); -}; - -#endif /* _XT_RATEEST_MATCH_H */ diff --git a/include/linux/netfilter/xt_realm.h b/include/linux/netfilter/xt_realm.h deleted file mode 100644 index d4a82ee..0000000 --- a/include/linux/netfilter/xt_realm.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef _XT_REALM_H -#define _XT_REALM_H - -#include - -struct xt_realm_info { - __u32 id; - __u32 mask; - __u8 invert; -}; - -#endif /* _XT_REALM_H */ diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h deleted file mode 100644 index 6ef36c1..0000000 --- a/include/linux/netfilter/xt_recent.h +++ /dev/null @@ -1,45 +0,0 @@ -#ifndef _LINUX_NETFILTER_XT_RECENT_H -#define _LINUX_NETFILTER_XT_RECENT_H 1 - -#include - -enum { - XT_RECENT_CHECK = 1 << 0, - XT_RECENT_SET = 1 << 1, - XT_RECENT_UPDATE = 1 << 2, - XT_RECENT_REMOVE = 1 << 3, - XT_RECENT_TTL = 1 << 4, - XT_RECENT_REAP = 1 << 5, - - XT_RECENT_SOURCE = 0, - XT_RECENT_DEST = 1, - - XT_RECENT_NAME_LEN = 200, -}; - -/* Only allowed with --rcheck and --update */ -#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP) - -#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\ - XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP) - -struct xt_recent_mtinfo { - __u32 seconds; - __u32 hit_count; - __u8 check_set; - __u8 invert; - char name[XT_RECENT_NAME_LEN]; - __u8 side; -}; - -struct xt_recent_mtinfo_v1 { - __u32 seconds; - __u32 hit_count; - __u8 check_set; - __u8 invert; - char name[XT_RECENT_NAME_LEN]; - __u8 side; - union nf_inet_addr mask; -}; - -#endif /* _LINUX_NETFILTER_XT_RECENT_H */ diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h deleted file mode 100644 index 29287be..0000000 --- a/include/linux/netfilter/xt_sctp.h +++ /dev/null @@ -1,92 +0,0 @@ -#ifndef _XT_SCTP_H_ -#define _XT_SCTP_H_ - -#include - -#define XT_SCTP_SRC_PORTS 0x01 -#define XT_SCTP_DEST_PORTS 0x02 -#define XT_SCTP_CHUNK_TYPES 0x04 - -#define XT_SCTP_VALID_FLAGS 0x07 - -struct xt_sctp_flag_info { - __u8 chunktype; - __u8 flag; - __u8 flag_mask; -}; - -#define XT_NUM_SCTP_FLAGS 4 - -struct xt_sctp_info { - __u16 dpts[2]; /* Min, Max */ - __u16 spts[2]; /* Min, Max */ - - __u32 chunkmap[256 / sizeof (__u32)]; /* Bit mask of chunks to be matched according to RFC 2960 */ - -#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */ -#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */ -#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */ - - __u32 chunk_match_type; - struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS]; - int flag_count; - - __u32 flags; - __u32 invflags; -}; - -#define bytes(type) (sizeof(type) * 8) - -#define SCTP_CHUNKMAP_SET(chunkmap, type) \ - do { \ - (chunkmap)[type / bytes(__u32)] |= \ - 1 << (type % bytes(__u32)); \ - } while (0) - -#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ - do { \ - (chunkmap)[type / bytes(__u32)] &= \ - ~(1 << (type % bytes(__u32))); \ - } while (0) - -#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ -({ \ - ((chunkmap)[type / bytes (__u32)] & \ - (1 << (type % bytes (__u32)))) ? 1: 0; \ -}) - -#define SCTP_CHUNKMAP_RESET(chunkmap) \ - memset((chunkmap), 0, sizeof(chunkmap)) - -#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \ - memset((chunkmap), ~0U, sizeof(chunkmap)) - -#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \ - memcpy((destmap), (srcmap), sizeof(srcmap)) - -#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \ - __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap)) -static inline bool -__sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n) -{ - unsigned int i; - for (i = 0; i < n; ++i) - if (chunkmap[i]) - return false; - return true; -} - -#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \ - __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap)) -static inline bool -__sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n) -{ - unsigned int i; - for (i = 0; i < n; ++i) - if (chunkmap[i] != ~0U) - return false; - return true; -} - -#endif /* _XT_SCTP_H_ */ - diff --git a/include/linux/netfilter/xt_set.h b/include/linux/netfilter/xt_set.h deleted file mode 100644 index e3a9978..0000000 --- a/include/linux/netfilter/xt_set.h +++ /dev/null @@ -1,65 +0,0 @@ -#ifndef _XT_SET_H -#define _XT_SET_H - -#include -#include - -/* Revision 0 interface: backward compatible with netfilter/iptables */ - -/* - * Option flags for kernel operations (xt_set_info_v0) - */ -#define IPSET_SRC 0x01 /* Source match/add */ -#define IPSET_DST 0x02 /* Destination match/add */ -#define IPSET_MATCH_INV 0x04 /* Inverse matching */ - -struct xt_set_info_v0 { - ip_set_id_t index; - union { - __u32 flags[IPSET_DIM_MAX + 1]; - struct { - __u32 __flags[IPSET_DIM_MAX]; - __u8 dim; - __u8 flags; - } compat; - } u; -}; - -/* match and target infos */ -struct xt_set_info_match_v0 { - struct xt_set_info_v0 match_set; -}; - -struct xt_set_info_target_v0 { - struct xt_set_info_v0 add_set; - struct xt_set_info_v0 del_set; -}; - -/* Revision 1 match and target */ - -struct xt_set_info { - ip_set_id_t index; - __u8 dim; - __u8 flags; -}; - -/* match and target infos */ -struct xt_set_info_match_v1 { - struct xt_set_info match_set; -}; - -struct xt_set_info_target_v1 { - struct xt_set_info add_set; - struct xt_set_info del_set; -}; - -/* Revision 2 target */ - -struct xt_set_info_target_v2 { - struct xt_set_info add_set; - struct xt_set_info del_set; - __u32 flags; - __u32 timeout; -}; - -#endif /*_XT_SET_H*/ diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h deleted file mode 100644 index 26d7217..0000000 --- a/include/linux/netfilter/xt_socket.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef _XT_SOCKET_H -#define _XT_SOCKET_H - -#include - -enum { - XT_SOCKET_TRANSPARENT = 1 << 0, -}; - -struct xt_socket_mtinfo1 { - __u8 flags; -}; - -#endif /* _XT_SOCKET_H */ diff --git a/include/linux/netfilter/xt_state.h b/include/linux/netfilter/xt_state.h deleted file mode 100644 index 7b32de8..0000000 --- a/include/linux/netfilter/xt_state.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef _XT_STATE_H -#define _XT_STATE_H - -#define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) -#define XT_STATE_INVALID (1 << 0) - -#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1)) - -struct xt_state_info { - unsigned int statemask; -}; -#endif /*_XT_STATE_H*/ diff --git a/include/linux/netfilter/xt_statistic.h b/include/linux/netfilter/xt_statistic.h deleted file mode 100644 index 4e983ef..0000000 --- a/include/linux/netfilter/xt_statistic.h +++ /dev/null @@ -1,36 +0,0 @@ -#ifndef _XT_STATISTIC_H -#define _XT_STATISTIC_H - -#include - -enum xt_statistic_mode { - XT_STATISTIC_MODE_RANDOM, - XT_STATISTIC_MODE_NTH, - __XT_STATISTIC_MODE_MAX -}; -#define XT_STATISTIC_MODE_MAX (__XT_STATISTIC_MODE_MAX - 1) - -enum xt_statistic_flags { - XT_STATISTIC_INVERT = 0x1, -}; -#define XT_STATISTIC_MASK 0x1 - -struct xt_statistic_priv; - -struct xt_statistic_info { - __u16 mode; - __u16 flags; - union { - struct { - __u32 probability; - } random; - struct { - __u32 every; - __u32 packet; - __u32 count; /* unused */ - } nth; - } u; - struct xt_statistic_priv *master __attribute__((aligned(8))); -}; - -#endif /* _XT_STATISTIC_H */ diff --git a/include/linux/netfilter/xt_string.h b/include/linux/netfilter/xt_string.h deleted file mode 100644 index 235347c..0000000 --- a/include/linux/netfilter/xt_string.h +++ /dev/null @@ -1,34 +0,0 @@ -#ifndef _XT_STRING_H -#define _XT_STRING_H - -#include - -#define XT_STRING_MAX_PATTERN_SIZE 128 -#define XT_STRING_MAX_ALGO_NAME_SIZE 16 - -enum { - XT_STRING_FLAG_INVERT = 0x01, - XT_STRING_FLAG_IGNORECASE = 0x02 -}; - -struct xt_string_info { - __u16 from_offset; - __u16 to_offset; - char algo[XT_STRING_MAX_ALGO_NAME_SIZE]; - char pattern[XT_STRING_MAX_PATTERN_SIZE]; - __u8 patlen; - union { - struct { - __u8 invert; - } v0; - - struct { - __u8 flags; - } v1; - } u; - - /* Used internally by the kernel */ - struct ts_config __attribute__((aligned(8))) *config; -}; - -#endif /*_XT_STRING_H*/ diff --git a/include/linux/netfilter/xt_tcpmss.h b/include/linux/netfilter/xt_tcpmss.h deleted file mode 100644 index fbac56b..0000000 --- a/include/linux/netfilter/xt_tcpmss.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef _XT_TCPMSS_MATCH_H -#define _XT_TCPMSS_MATCH_H - -#include - -struct xt_tcpmss_match_info { - __u16 mss_min, mss_max; - __u8 invert; -}; - -#endif /*_XT_TCPMSS_MATCH_H*/ diff --git a/include/linux/netfilter/xt_tcpudp.h b/include/linux/netfilter/xt_tcpudp.h deleted file mode 100644 index 38aa7b3..0000000 --- a/include/linux/netfilter/xt_tcpudp.h +++ /dev/null @@ -1,36 +0,0 @@ -#ifndef _XT_TCPUDP_H -#define _XT_TCPUDP_H - -#include - -/* TCP matching stuff */ -struct xt_tcp { - __u16 spts[2]; /* Source port range. */ - __u16 dpts[2]; /* Destination port range. */ - __u8 option; /* TCP Option iff non-zero*/ - __u8 flg_mask; /* TCP flags mask byte */ - __u8 flg_cmp; /* TCP flags compare byte */ - __u8 invflags; /* Inverse flags */ -}; - -/* Values for "inv" field in struct ipt_tcp. */ -#define XT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ -#define XT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ -#define XT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */ -#define XT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */ -#define XT_TCP_INV_MASK 0x0F /* All possible flags. */ - -/* UDP matching stuff */ -struct xt_udp { - __u16 spts[2]; /* Source port range. */ - __u16 dpts[2]; /* Destination port range. */ - __u8 invflags; /* Inverse flags */ -}; - -/* Values for "invflags" field in struct ipt_udp. */ -#define XT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ -#define XT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ -#define XT_UDP_INV_MASK 0x03 /* All possible flags. */ - - -#endif diff --git a/include/linux/netfilter/xt_time.h b/include/linux/netfilter/xt_time.h deleted file mode 100644 index 0958860..0000000 --- a/include/linux/netfilter/xt_time.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef _XT_TIME_H -#define _XT_TIME_H 1 - -#include - -struct xt_time_info { - __u32 date_start; - __u32 date_stop; - __u32 daytime_start; - __u32 daytime_stop; - __u32 monthdays_match; - __u8 weekdays_match; - __u8 flags; -}; - -enum { - /* Match against local time (instead of UTC) */ - XT_TIME_LOCAL_TZ = 1 << 0, - - /* treat timestart > timestop (e.g. 23:00-01:00) as single period */ - XT_TIME_CONTIGUOUS = 1 << 1, - - /* Shortcuts */ - XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE, - XT_TIME_ALL_WEEKDAYS = 0xFE, - XT_TIME_MIN_DAYTIME = 0, - XT_TIME_MAX_DAYTIME = 24 * 60 * 60 - 1, -}; - -#define XT_TIME_ALL_FLAGS (XT_TIME_LOCAL_TZ|XT_TIME_CONTIGUOUS) - -#endif /* _XT_TIME_H */ diff --git a/include/linux/netfilter/xt_u32.h b/include/linux/netfilter/xt_u32.h deleted file mode 100644 index 04d1bfe..0000000 --- a/include/linux/netfilter/xt_u32.h +++ /dev/null @@ -1,42 +0,0 @@ -#ifndef _XT_U32_H -#define _XT_U32_H 1 - -#include - -enum xt_u32_ops { - XT_U32_AND, - XT_U32_LEFTSH, - XT_U32_RIGHTSH, - XT_U32_AT, -}; - -struct xt_u32_location_element { - __u32 number; - __u8 nextop; -}; - -struct xt_u32_value_element { - __u32 min; - __u32 max; -}; - -/* - * Any way to allow for an arbitrary number of elements? - * For now, I settle with a limit of 10 each. - */ -#define XT_U32_MAXSIZE 10 - -struct xt_u32_test { - struct xt_u32_location_element location[XT_U32_MAXSIZE+1]; - struct xt_u32_value_element value[XT_U32_MAXSIZE+1]; - __u8 nnums; - __u8 nvalues; -}; - -struct xt_u32 { - struct xt_u32_test tests[XT_U32_MAXSIZE+1]; - __u8 ntests; - __u8 invert; -}; - -#endif /* _XT_U32_H */ diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild index 4afbace..08f555f 100644 --- a/include/uapi/linux/netfilter/Kbuild +++ b/include/uapi/linux/netfilter/Kbuild @@ -1,2 +1,78 @@ # UAPI Header export list header-y += ipset/ +header-y += nf_conntrack_common.h +header-y += nf_conntrack_ftp.h +header-y += nf_conntrack_sctp.h +header-y += nf_conntrack_tcp.h +header-y += nf_conntrack_tuple_common.h +header-y += nf_nat.h +header-y += nfnetlink.h +header-y += nfnetlink_acct.h +header-y += nfnetlink_compat.h +header-y += nfnetlink_conntrack.h +header-y += nfnetlink_cthelper.h +header-y += nfnetlink_cttimeout.h +header-y += nfnetlink_log.h +header-y += nfnetlink_queue.h +header-y += x_tables.h +header-y += xt_AUDIT.h +header-y += xt_CHECKSUM.h +header-y += xt_CLASSIFY.h +header-y += xt_CONNMARK.h +header-y += xt_CONNSECMARK.h +header-y += xt_CT.h +header-y += xt_DSCP.h +header-y += xt_IDLETIMER.h +header-y += xt_LED.h +header-y += xt_LOG.h +header-y += xt_MARK.h +header-y += xt_NFLOG.h +header-y += xt_NFQUEUE.h +header-y += xt_RATEEST.h +header-y += xt_SECMARK.h +header-y += xt_TCPMSS.h +header-y += xt_TCPOPTSTRIP.h +header-y += xt_TEE.h +header-y += xt_TPROXY.h +header-y += xt_addrtype.h +header-y += xt_cluster.h +header-y += xt_comment.h +header-y += xt_connbytes.h +header-y += xt_connlimit.h +header-y += xt_connmark.h +header-y += xt_conntrack.h +header-y += xt_cpu.h +header-y += xt_dccp.h +header-y += xt_devgroup.h +header-y += xt_dscp.h +header-y += xt_ecn.h +header-y += xt_esp.h +header-y += xt_hashlimit.h +header-y += xt_helper.h +header-y += xt_iprange.h +header-y += xt_ipvs.h +header-y += xt_length.h +header-y += xt_limit.h +header-y += xt_mac.h +header-y += xt_mark.h +header-y += xt_multiport.h +header-y += xt_nfacct.h +header-y += xt_osf.h +header-y += xt_owner.h +header-y += xt_physdev.h +header-y += xt_pkttype.h +header-y += xt_policy.h +header-y += xt_quota.h +header-y += xt_rateest.h +header-y += xt_realm.h +header-y += xt_recent.h +header-y += xt_sctp.h +header-y += xt_set.h +header-y += xt_socket.h +header-y += xt_state.h +header-y += xt_statistic.h +header-y += xt_string.h +header-y += xt_tcpmss.h +header-y += xt_tcpudp.h +header-y += xt_time.h +header-y += xt_u32.h diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h new file mode 100644 index 0000000..1644cdd --- /dev/null +++ b/include/uapi/linux/netfilter/nf_conntrack_common.h @@ -0,0 +1,117 @@ +#ifndef _UAPI_NF_CONNTRACK_COMMON_H +#define _UAPI_NF_CONNTRACK_COMMON_H +/* Connection state tracking for netfilter. This is separated from, + but required by, the NAT layer; it can also be used by an iptables + extension. */ +enum ip_conntrack_info { + /* Part of an established connection (either direction). */ + IP_CT_ESTABLISHED, + + /* Like NEW, but related to an existing connection, or ICMP error + (in either direction). */ + IP_CT_RELATED, + + /* Started a new connection to track (only + IP_CT_DIR_ORIGINAL); may be a retransmission. */ + IP_CT_NEW, + + /* >= this indicates reply direction */ + IP_CT_IS_REPLY, + + IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY, + IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY, + IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY, + /* Number of distinct IP_CT types (no NEW in reply dirn). */ + IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 +}; + +/* Bitset representing status of connection. */ +enum ip_conntrack_status { + /* It's an expected connection: bit 0 set. This bit never changed */ + IPS_EXPECTED_BIT = 0, + IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), + + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ + IPS_SEEN_REPLY_BIT = 1, + IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), + + /* Conntrack should never be early-expired. */ + IPS_ASSURED_BIT = 2, + IPS_ASSURED = (1 << IPS_ASSURED_BIT), + + /* Connection is confirmed: originating packet has left box */ + IPS_CONFIRMED_BIT = 3, + IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), + + /* Connection needs src nat in orig dir. This bit never changed. */ + IPS_SRC_NAT_BIT = 4, + IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), + + /* Connection needs dst nat in orig dir. This bit never changed. */ + IPS_DST_NAT_BIT = 5, + IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), + + /* Both together. */ + IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), + + /* Connection needs TCP sequence adjusted. */ + IPS_SEQ_ADJUST_BIT = 6, + IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), + + /* NAT initialization bits. */ + IPS_SRC_NAT_DONE_BIT = 7, + IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), + + IPS_DST_NAT_DONE_BIT = 8, + IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), + + /* Both together */ + IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), + + /* Connection is dying (removed from lists), can not be unset. */ + IPS_DYING_BIT = 9, + IPS_DYING = (1 << IPS_DYING_BIT), + + /* Connection has fixed timeout. */ + IPS_FIXED_TIMEOUT_BIT = 10, + IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), + + /* Conntrack is a template */ + IPS_TEMPLATE_BIT = 11, + IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT), + + /* Conntrack is a fake untracked entry */ + IPS_UNTRACKED_BIT = 12, + IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT), + + /* Conntrack got a helper explicitly attached via CT target. */ + IPS_HELPER_BIT = 13, + IPS_HELPER = (1 << IPS_HELPER_BIT), +}; + +/* Connection tracking event types */ +enum ip_conntrack_events { + IPCT_NEW, /* new conntrack */ + IPCT_RELATED, /* related conntrack */ + IPCT_DESTROY, /* destroyed conntrack */ + IPCT_REPLY, /* connection has seen two-way traffic */ + IPCT_ASSURED, /* connection status has changed to assured */ + IPCT_PROTOINFO, /* protocol information has changed */ + IPCT_HELPER, /* new helper has been set */ + IPCT_MARK, /* new mark has been set */ + IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ + IPCT_SECMARK, /* new security mark has been set */ +}; + +enum ip_conntrack_expect_events { + IPEXP_NEW, /* new expectation */ + IPEXP_DESTROY, /* destroyed expectation */ +}; + +/* expectation flags */ +#define NF_CT_EXPECT_PERMANENT 0x1 +#define NF_CT_EXPECT_INACTIVE 0x2 +#define NF_CT_EXPECT_USERSPACE 0x4 + + +#endif /* _UAPI_NF_CONNTRACK_COMMON_H */ diff --git a/include/uapi/linux/netfilter/nf_conntrack_ftp.h b/include/uapi/linux/netfilter/nf_conntrack_ftp.h new file mode 100644 index 0000000..1030315 --- /dev/null +++ b/include/uapi/linux/netfilter/nf_conntrack_ftp.h @@ -0,0 +1,18 @@ +#ifndef _UAPI_NF_CONNTRACK_FTP_H +#define _UAPI_NF_CONNTRACK_FTP_H +/* FTP tracking. */ + +/* This enum is exposed to userspace */ +enum nf_ct_ftp_type { + /* PORT command from client */ + NF_CT_FTP_PORT, + /* PASV response from server */ + NF_CT_FTP_PASV, + /* EPRT command from client */ + NF_CT_FTP_EPRT, + /* EPSV response from server */ + NF_CT_FTP_EPSV, +}; + + +#endif /* _UAPI_NF_CONNTRACK_FTP_H */ diff --git a/include/uapi/linux/netfilter/nf_conntrack_sctp.h b/include/uapi/linux/netfilter/nf_conntrack_sctp.h new file mode 100644 index 0000000..ceeefe6 --- /dev/null +++ b/include/uapi/linux/netfilter/nf_conntrack_sctp.h @@ -0,0 +1,25 @@ +#ifndef _NF_CONNTRACK_SCTP_H +#define _NF_CONNTRACK_SCTP_H +/* SCTP tracking. */ + +#include + +enum sctp_conntrack { + SCTP_CONNTRACK_NONE, + SCTP_CONNTRACK_CLOSED, + SCTP_CONNTRACK_COOKIE_WAIT, + SCTP_CONNTRACK_COOKIE_ECHOED, + SCTP_CONNTRACK_ESTABLISHED, + SCTP_CONNTRACK_SHUTDOWN_SENT, + SCTP_CONNTRACK_SHUTDOWN_RECD, + SCTP_CONNTRACK_SHUTDOWN_ACK_SENT, + SCTP_CONNTRACK_MAX +}; + +struct ip_ct_sctp { + enum sctp_conntrack state; + + __be32 vtag[IP_CT_DIR_MAX]; +}; + +#endif /* _NF_CONNTRACK_SCTP_H */ diff --git a/include/uapi/linux/netfilter/nf_conntrack_tcp.h b/include/uapi/linux/netfilter/nf_conntrack_tcp.h new file mode 100644 index 0000000..9993a42 --- /dev/null +++ b/include/uapi/linux/netfilter/nf_conntrack_tcp.h @@ -0,0 +1,51 @@ +#ifndef _UAPI_NF_CONNTRACK_TCP_H +#define _UAPI_NF_CONNTRACK_TCP_H +/* TCP tracking. */ + +#include + +/* This is exposed to userspace (ctnetlink) */ +enum tcp_conntrack { + TCP_CONNTRACK_NONE, + TCP_CONNTRACK_SYN_SENT, + TCP_CONNTRACK_SYN_RECV, + TCP_CONNTRACK_ESTABLISHED, + TCP_CONNTRACK_FIN_WAIT, + TCP_CONNTRACK_CLOSE_WAIT, + TCP_CONNTRACK_LAST_ACK, + TCP_CONNTRACK_TIME_WAIT, + TCP_CONNTRACK_CLOSE, + TCP_CONNTRACK_LISTEN, /* obsolete */ +#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN + TCP_CONNTRACK_MAX, + TCP_CONNTRACK_IGNORE, + TCP_CONNTRACK_RETRANS, + TCP_CONNTRACK_UNACK, + TCP_CONNTRACK_TIMEOUT_MAX +}; + +/* Window scaling is advertised by the sender */ +#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01 + +/* SACK is permitted by the sender */ +#define IP_CT_TCP_FLAG_SACK_PERM 0x02 + +/* This sender sent FIN first */ +#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04 + +/* Be liberal in window checking */ +#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08 + +/* Has unacknowledged data */ +#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10 + +/* The field td_maxack has been set */ +#define IP_CT_TCP_FLAG_MAXACK_SET 0x20 + +struct nf_ct_tcp_flags { + __u8 flags; + __u8 mask; +}; + + +#endif /* _UAPI_NF_CONNTRACK_TCP_H */ diff --git a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h new file mode 100644 index 0000000..2f6bbc5 --- /dev/null +++ b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h @@ -0,0 +1,39 @@ +#ifndef _NF_CONNTRACK_TUPLE_COMMON_H +#define _NF_CONNTRACK_TUPLE_COMMON_H + +enum ip_conntrack_dir { + IP_CT_DIR_ORIGINAL, + IP_CT_DIR_REPLY, + IP_CT_DIR_MAX +}; + +/* The protocol-specific manipulable parts of the tuple: always in + * network order + */ +union nf_conntrack_man_proto { + /* Add other protocols here. */ + __be16 all; + + struct { + __be16 port; + } tcp; + struct { + __be16 port; + } udp; + struct { + __be16 id; + } icmp; + struct { + __be16 port; + } dccp; + struct { + __be16 port; + } sctp; + struct { + __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */ + } gre; +}; + +#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL) + +#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */ diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h new file mode 100644 index 0000000..bf0cc37 --- /dev/null +++ b/include/uapi/linux/netfilter/nf_nat.h @@ -0,0 +1,33 @@ +#ifndef _NETFILTER_NF_NAT_H +#define _NETFILTER_NF_NAT_H + +#include +#include + +#define NF_NAT_RANGE_MAP_IPS 1 +#define NF_NAT_RANGE_PROTO_SPECIFIED 2 +#define NF_NAT_RANGE_PROTO_RANDOM 4 +#define NF_NAT_RANGE_PERSISTENT 8 + +struct nf_nat_ipv4_range { + unsigned int flags; + __be32 min_ip; + __be32 max_ip; + union nf_conntrack_man_proto min; + union nf_conntrack_man_proto max; +}; + +struct nf_nat_ipv4_multi_range_compat { + unsigned int rangesize; + struct nf_nat_ipv4_range range[1]; +}; + +struct nf_nat_range { + unsigned int flags; + union nf_inet_addr min_addr; + union nf_inet_addr max_addr; + union nf_conntrack_man_proto min_proto; + union nf_conntrack_man_proto max_proto; +}; + +#endif /* _NETFILTER_NF_NAT_H */ diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h new file mode 100644 index 0000000..4a4efaf --- /dev/null +++ b/include/uapi/linux/netfilter/nfnetlink.h @@ -0,0 +1,56 @@ +#ifndef _UAPI_NFNETLINK_H +#define _UAPI_NFNETLINK_H +#include +#include + +enum nfnetlink_groups { + NFNLGRP_NONE, +#define NFNLGRP_NONE NFNLGRP_NONE + NFNLGRP_CONNTRACK_NEW, +#define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW + NFNLGRP_CONNTRACK_UPDATE, +#define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE + NFNLGRP_CONNTRACK_DESTROY, +#define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY + NFNLGRP_CONNTRACK_EXP_NEW, +#define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW + NFNLGRP_CONNTRACK_EXP_UPDATE, +#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE + NFNLGRP_CONNTRACK_EXP_DESTROY, +#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY + __NFNLGRP_MAX, +}; +#define NFNLGRP_MAX (__NFNLGRP_MAX - 1) + +/* General form of address family dependent message. + */ +struct nfgenmsg { + __u8 nfgen_family; /* AF_xxx */ + __u8 version; /* nfnetlink version */ + __be16 res_id; /* resource id */ +}; + +#define NFNETLINK_V0 0 + +/* netfilter netlink message types are split in two pieces: + * 8 bit subsystem, 8bit operation. + */ + +#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8) +#define NFNL_MSG_TYPE(x) (x & 0x00ff) + +/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS() + * won't work anymore */ +#define NFNL_SUBSYS_NONE 0 +#define NFNL_SUBSYS_CTNETLINK 1 +#define NFNL_SUBSYS_CTNETLINK_EXP 2 +#define NFNL_SUBSYS_QUEUE 3 +#define NFNL_SUBSYS_ULOG 4 +#define NFNL_SUBSYS_OSF 5 +#define NFNL_SUBSYS_IPSET 6 +#define NFNL_SUBSYS_ACCT 7 +#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8 +#define NFNL_SUBSYS_CTHELPER 9 +#define NFNL_SUBSYS_COUNT 10 + +#endif /* _UAPI_NFNETLINK_H */ diff --git a/include/uapi/linux/netfilter/nfnetlink_acct.h b/include/uapi/linux/netfilter/nfnetlink_acct.h new file mode 100644 index 0000000..c7b6269 --- /dev/null +++ b/include/uapi/linux/netfilter/nfnetlink_acct.h @@ -0,0 +1,27 @@ +#ifndef _UAPI_NFNL_ACCT_H_ +#define _UAPI_NFNL_ACCT_H_ + +#ifndef NFACCT_NAME_MAX +#define NFACCT_NAME_MAX 32 +#endif + +enum nfnl_acct_msg_types { + NFNL_MSG_ACCT_NEW, + NFNL_MSG_ACCT_GET, + NFNL_MSG_ACCT_GET_CTRZERO, + NFNL_MSG_ACCT_DEL, + NFNL_MSG_ACCT_MAX +}; + +enum nfnl_acct_type { + NFACCT_UNSPEC, + NFACCT_NAME, + NFACCT_PKTS, + NFACCT_BYTES, + NFACCT_USE, + __NFACCT_MAX +}; +#define NFACCT_MAX (__NFACCT_MAX - 1) + + +#endif /* _UAPI_NFNL_ACCT_H_ */ diff --git a/include/uapi/linux/netfilter/nfnetlink_compat.h b/include/uapi/linux/netfilter/nfnetlink_compat.h new file mode 100644 index 0000000..ffb9503 --- /dev/null +++ b/include/uapi/linux/netfilter/nfnetlink_compat.h @@ -0,0 +1,63 @@ +#ifndef _NFNETLINK_COMPAT_H +#define _NFNETLINK_COMPAT_H + +#include + +#ifndef __KERNEL__ +/* Old nfnetlink macros for userspace */ + +/* nfnetlink groups: Up to 32 maximum */ +#define NF_NETLINK_CONNTRACK_NEW 0x00000001 +#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002 +#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004 +#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008 +#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010 +#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020 + +/* Generic structure for encapsulation optional netfilter information. + * It is reminiscent of sockaddr, but with sa_family replaced + * with attribute type. + * ! This should someday be put somewhere generic as now rtnetlink and + * ! nfnetlink use the same attributes methods. - J. Schulist. + */ + +struct nfattr { + __u16 nfa_len; + __u16 nfa_type; /* we use 15 bits for the type, and the highest + * bit to indicate whether the payload is nested */ +}; + +/* FIXME: Apart from NFNL_NFA_NESTED shamelessly copy and pasted from + * rtnetlink.h, it's time to put this in a generic file */ + +#define NFNL_NFA_NEST 0x8000 +#define NFA_TYPE(attr) ((attr)->nfa_type & 0x7fff) + +#define NFA_ALIGNTO 4 +#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1)) +#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \ + && (nfa)->nfa_len <= (len)) +#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \ + (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len))) +#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len)) +#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len)) +#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0))) +#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0)) +#define NFA_NEST(skb, type) \ +({ struct nfattr *__start = (struct nfattr *)skb_tail_pointer(skb); \ + NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \ + __start; }) +#define NFA_NEST_END(skb, start) \ +({ (start)->nfa_len = skb_tail_pointer(skb) - (unsigned char *)(start); \ + (skb)->len; }) +#define NFA_NEST_CANCEL(skb, start) \ +({ if (start) \ + skb_trim(skb, (unsigned char *) (start) - (skb)->data); \ + -1; }) + +#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \ + + NLMSG_ALIGN(sizeof(struct nfgenmsg)))) +#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg)) + +#endif /* ! __KERNEL__ */ +#endif /* _NFNETLINK_COMPAT_H */ diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h new file mode 100644 index 0000000..43bfe3e --- /dev/null +++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h @@ -0,0 +1,248 @@ +#ifndef _IPCONNTRACK_NETLINK_H +#define _IPCONNTRACK_NETLINK_H +#include + +enum cntl_msg_types { + IPCTNL_MSG_CT_NEW, + IPCTNL_MSG_CT_GET, + IPCTNL_MSG_CT_DELETE, + IPCTNL_MSG_CT_GET_CTRZERO, + IPCTNL_MSG_CT_GET_STATS_CPU, + IPCTNL_MSG_CT_GET_STATS, + + IPCTNL_MSG_MAX +}; + +enum ctnl_exp_msg_types { + IPCTNL_MSG_EXP_NEW, + IPCTNL_MSG_EXP_GET, + IPCTNL_MSG_EXP_DELETE, + IPCTNL_MSG_EXP_GET_STATS_CPU, + + IPCTNL_MSG_EXP_MAX +}; + + +enum ctattr_type { + CTA_UNSPEC, + CTA_TUPLE_ORIG, + CTA_TUPLE_REPLY, + CTA_STATUS, + CTA_PROTOINFO, + CTA_HELP, + CTA_NAT_SRC, +#define CTA_NAT CTA_NAT_SRC /* backwards compatibility */ + CTA_TIMEOUT, + CTA_MARK, + CTA_COUNTERS_ORIG, + CTA_COUNTERS_REPLY, + CTA_USE, + CTA_ID, + CTA_NAT_DST, + CTA_TUPLE_MASTER, + CTA_NAT_SEQ_ADJ_ORIG, + CTA_NAT_SEQ_ADJ_REPLY, + CTA_SECMARK, /* obsolete */ + CTA_ZONE, + CTA_SECCTX, + CTA_TIMESTAMP, + CTA_MARK_MASK, + __CTA_MAX +}; +#define CTA_MAX (__CTA_MAX - 1) + +enum ctattr_tuple { + CTA_TUPLE_UNSPEC, + CTA_TUPLE_IP, + CTA_TUPLE_PROTO, + __CTA_TUPLE_MAX +}; +#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1) + +enum ctattr_ip { + CTA_IP_UNSPEC, + CTA_IP_V4_SRC, + CTA_IP_V4_DST, + CTA_IP_V6_SRC, + CTA_IP_V6_DST, + __CTA_IP_MAX +}; +#define CTA_IP_MAX (__CTA_IP_MAX - 1) + +enum ctattr_l4proto { + CTA_PROTO_UNSPEC, + CTA_PROTO_NUM, + CTA_PROTO_SRC_PORT, + CTA_PROTO_DST_PORT, + CTA_PROTO_ICMP_ID, + CTA_PROTO_ICMP_TYPE, + CTA_PROTO_ICMP_CODE, + CTA_PROTO_ICMPV6_ID, + CTA_PROTO_ICMPV6_TYPE, + CTA_PROTO_ICMPV6_CODE, + __CTA_PROTO_MAX +}; +#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1) + +enum ctattr_protoinfo { + CTA_PROTOINFO_UNSPEC, + CTA_PROTOINFO_TCP, + CTA_PROTOINFO_DCCP, + CTA_PROTOINFO_SCTP, + __CTA_PROTOINFO_MAX +}; +#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1) + +enum ctattr_protoinfo_tcp { + CTA_PROTOINFO_TCP_UNSPEC, + CTA_PROTOINFO_TCP_STATE, + CTA_PROTOINFO_TCP_WSCALE_ORIGINAL, + CTA_PROTOINFO_TCP_WSCALE_REPLY, + CTA_PROTOINFO_TCP_FLAGS_ORIGINAL, + CTA_PROTOINFO_TCP_FLAGS_REPLY, + __CTA_PROTOINFO_TCP_MAX +}; +#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1) + +enum ctattr_protoinfo_dccp { + CTA_PROTOINFO_DCCP_UNSPEC, + CTA_PROTOINFO_DCCP_STATE, + CTA_PROTOINFO_DCCP_ROLE, + CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ, + __CTA_PROTOINFO_DCCP_MAX, +}; +#define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1) + +enum ctattr_protoinfo_sctp { + CTA_PROTOINFO_SCTP_UNSPEC, + CTA_PROTOINFO_SCTP_STATE, + CTA_PROTOINFO_SCTP_VTAG_ORIGINAL, + CTA_PROTOINFO_SCTP_VTAG_REPLY, + __CTA_PROTOINFO_SCTP_MAX +}; +#define CTA_PROTOINFO_SCTP_MAX (__CTA_PROTOINFO_SCTP_MAX - 1) + +enum ctattr_counters { + CTA_COUNTERS_UNSPEC, + CTA_COUNTERS_PACKETS, /* 64bit counters */ + CTA_COUNTERS_BYTES, /* 64bit counters */ + CTA_COUNTERS32_PACKETS, /* old 32bit counters, unused */ + CTA_COUNTERS32_BYTES, /* old 32bit counters, unused */ + __CTA_COUNTERS_MAX +}; +#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1) + +enum ctattr_tstamp { + CTA_TIMESTAMP_UNSPEC, + CTA_TIMESTAMP_START, + CTA_TIMESTAMP_STOP, + __CTA_TIMESTAMP_MAX +}; +#define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1) + +enum ctattr_nat { + CTA_NAT_UNSPEC, + CTA_NAT_V4_MINIP, +#define CTA_NAT_MINIP CTA_NAT_V4_MINIP + CTA_NAT_V4_MAXIP, +#define CTA_NAT_MAXIP CTA_NAT_V4_MAXIP + CTA_NAT_PROTO, + CTA_NAT_V6_MINIP, + CTA_NAT_V6_MAXIP, + __CTA_NAT_MAX +}; +#define CTA_NAT_MAX (__CTA_NAT_MAX - 1) + +enum ctattr_protonat { + CTA_PROTONAT_UNSPEC, + CTA_PROTONAT_PORT_MIN, + CTA_PROTONAT_PORT_MAX, + __CTA_PROTONAT_MAX +}; +#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1) + +enum ctattr_natseq { + CTA_NAT_SEQ_UNSPEC, + CTA_NAT_SEQ_CORRECTION_POS, + CTA_NAT_SEQ_OFFSET_BEFORE, + CTA_NAT_SEQ_OFFSET_AFTER, + __CTA_NAT_SEQ_MAX +}; +#define CTA_NAT_SEQ_MAX (__CTA_NAT_SEQ_MAX - 1) + +enum ctattr_expect { + CTA_EXPECT_UNSPEC, + CTA_EXPECT_MASTER, + CTA_EXPECT_TUPLE, + CTA_EXPECT_MASK, + CTA_EXPECT_TIMEOUT, + CTA_EXPECT_ID, + CTA_EXPECT_HELP_NAME, + CTA_EXPECT_ZONE, + CTA_EXPECT_FLAGS, + CTA_EXPECT_CLASS, + CTA_EXPECT_NAT, + CTA_EXPECT_FN, + __CTA_EXPECT_MAX +}; +#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1) + +enum ctattr_expect_nat { + CTA_EXPECT_NAT_UNSPEC, + CTA_EXPECT_NAT_DIR, + CTA_EXPECT_NAT_TUPLE, + __CTA_EXPECT_NAT_MAX +}; +#define CTA_EXPECT_NAT_MAX (__CTA_EXPECT_NAT_MAX - 1) + +enum ctattr_help { + CTA_HELP_UNSPEC, + CTA_HELP_NAME, + CTA_HELP_INFO, + __CTA_HELP_MAX +}; +#define CTA_HELP_MAX (__CTA_HELP_MAX - 1) + +enum ctattr_secctx { + CTA_SECCTX_UNSPEC, + CTA_SECCTX_NAME, + __CTA_SECCTX_MAX +}; +#define CTA_SECCTX_MAX (__CTA_SECCTX_MAX - 1) + +enum ctattr_stats_cpu { + CTA_STATS_UNSPEC, + CTA_STATS_SEARCHED, + CTA_STATS_FOUND, + CTA_STATS_NEW, + CTA_STATS_INVALID, + CTA_STATS_IGNORE, + CTA_STATS_DELETE, + CTA_STATS_DELETE_LIST, + CTA_STATS_INSERT, + CTA_STATS_INSERT_FAILED, + CTA_STATS_DROP, + CTA_STATS_EARLY_DROP, + CTA_STATS_ERROR, + CTA_STATS_SEARCH_RESTART, + __CTA_STATS_MAX, +}; +#define CTA_STATS_MAX (__CTA_STATS_MAX - 1) + +enum ctattr_stats_global { + CTA_STATS_GLOBAL_UNSPEC, + CTA_STATS_GLOBAL_ENTRIES, + __CTA_STATS_GLOBAL_MAX, +}; +#define CTA_STATS_GLOBAL_MAX (__CTA_STATS_GLOBAL_MAX - 1) + +enum ctattr_expect_stats { + CTA_STATS_EXP_UNSPEC, + CTA_STATS_EXP_NEW, + CTA_STATS_EXP_CREATE, + CTA_STATS_EXP_DELETE, + __CTA_STATS_EXP_MAX, +}; +#define CTA_STATS_EXP_MAX (__CTA_STATS_EXP_MAX - 1) + +#endif /* _IPCONNTRACK_NETLINK_H */ diff --git a/include/uapi/linux/netfilter/nfnetlink_cthelper.h b/include/uapi/linux/netfilter/nfnetlink_cthelper.h new file mode 100644 index 0000000..33659f6 --- /dev/null +++ b/include/uapi/linux/netfilter/nfnetlink_cthelper.h @@ -0,0 +1,55 @@ +#ifndef _NFNL_CTHELPER_H_ +#define _NFNL_CTHELPER_H_ + +#define NFCT_HELPER_STATUS_DISABLED 0 +#define NFCT_HELPER_STATUS_ENABLED 1 + +enum nfnl_acct_msg_types { + NFNL_MSG_CTHELPER_NEW, + NFNL_MSG_CTHELPER_GET, + NFNL_MSG_CTHELPER_DEL, + NFNL_MSG_CTHELPER_MAX +}; + +enum nfnl_cthelper_type { + NFCTH_UNSPEC, + NFCTH_NAME, + NFCTH_TUPLE, + NFCTH_QUEUE_NUM, + NFCTH_POLICY, + NFCTH_PRIV_DATA_LEN, + NFCTH_STATUS, + __NFCTH_MAX +}; +#define NFCTH_MAX (__NFCTH_MAX - 1) + +enum nfnl_cthelper_policy_type { + NFCTH_POLICY_SET_UNSPEC, + NFCTH_POLICY_SET_NUM, + NFCTH_POLICY_SET, + NFCTH_POLICY_SET1 = NFCTH_POLICY_SET, + NFCTH_POLICY_SET2, + NFCTH_POLICY_SET3, + NFCTH_POLICY_SET4, + __NFCTH_POLICY_SET_MAX +}; +#define NFCTH_POLICY_SET_MAX (__NFCTH_POLICY_SET_MAX - 1) + +enum nfnl_cthelper_pol_type { + NFCTH_POLICY_UNSPEC, + NFCTH_POLICY_NAME, + NFCTH_POLICY_EXPECT_MAX, + NFCTH_POLICY_EXPECT_TIMEOUT, + __NFCTH_POLICY_MAX +}; +#define NFCTH_POLICY_MAX (__NFCTH_POLICY_MAX - 1) + +enum nfnl_cthelper_tuple_type { + NFCTH_TUPLE_UNSPEC, + NFCTH_TUPLE_L3PROTONUM, + NFCTH_TUPLE_L4PROTONUM, + __NFCTH_TUPLE_MAX, +}; +#define NFCTH_TUPLE_MAX (__NFCTH_TUPLE_MAX - 1) + +#endif /* _NFNL_CTHELPER_H */ diff --git a/include/uapi/linux/netfilter/nfnetlink_cttimeout.h b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h new file mode 100644 index 0000000..a2810a7 --- /dev/null +++ b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h @@ -0,0 +1,114 @@ +#ifndef _CTTIMEOUT_NETLINK_H +#define _CTTIMEOUT_NETLINK_H +#include + +enum ctnl_timeout_msg_types { + IPCTNL_MSG_TIMEOUT_NEW, + IPCTNL_MSG_TIMEOUT_GET, + IPCTNL_MSG_TIMEOUT_DELETE, + + IPCTNL_MSG_TIMEOUT_MAX +}; + +enum ctattr_timeout { + CTA_TIMEOUT_UNSPEC, + CTA_TIMEOUT_NAME, + CTA_TIMEOUT_L3PROTO, + CTA_TIMEOUT_L4PROTO, + CTA_TIMEOUT_DATA, + CTA_TIMEOUT_USE, + __CTA_TIMEOUT_MAX +}; +#define CTA_TIMEOUT_MAX (__CTA_TIMEOUT_MAX - 1) + +enum ctattr_timeout_generic { + CTA_TIMEOUT_GENERIC_UNSPEC, + CTA_TIMEOUT_GENERIC_TIMEOUT, + __CTA_TIMEOUT_GENERIC_MAX +}; +#define CTA_TIMEOUT_GENERIC_MAX (__CTA_TIMEOUT_GENERIC_MAX - 1) + +enum ctattr_timeout_tcp { + CTA_TIMEOUT_TCP_UNSPEC, + CTA_TIMEOUT_TCP_SYN_SENT, + CTA_TIMEOUT_TCP_SYN_RECV, + CTA_TIMEOUT_TCP_ESTABLISHED, + CTA_TIMEOUT_TCP_FIN_WAIT, + CTA_TIMEOUT_TCP_CLOSE_WAIT, + CTA_TIMEOUT_TCP_LAST_ACK, + CTA_TIMEOUT_TCP_TIME_WAIT, + CTA_TIMEOUT_TCP_CLOSE, + CTA_TIMEOUT_TCP_SYN_SENT2, + CTA_TIMEOUT_TCP_RETRANS, + CTA_TIMEOUT_TCP_UNACK, + __CTA_TIMEOUT_TCP_MAX +}; +#define CTA_TIMEOUT_TCP_MAX (__CTA_TIMEOUT_TCP_MAX - 1) + +enum ctattr_timeout_udp { + CTA_TIMEOUT_UDP_UNSPEC, + CTA_TIMEOUT_UDP_UNREPLIED, + CTA_TIMEOUT_UDP_REPLIED, + __CTA_TIMEOUT_UDP_MAX +}; +#define CTA_TIMEOUT_UDP_MAX (__CTA_TIMEOUT_UDP_MAX - 1) + +enum ctattr_timeout_udplite { + CTA_TIMEOUT_UDPLITE_UNSPEC, + CTA_TIMEOUT_UDPLITE_UNREPLIED, + CTA_TIMEOUT_UDPLITE_REPLIED, + __CTA_TIMEOUT_UDPLITE_MAX +}; +#define CTA_TIMEOUT_UDPLITE_MAX (__CTA_TIMEOUT_UDPLITE_MAX - 1) + +enum ctattr_timeout_icmp { + CTA_TIMEOUT_ICMP_UNSPEC, + CTA_TIMEOUT_ICMP_TIMEOUT, + __CTA_TIMEOUT_ICMP_MAX +}; +#define CTA_TIMEOUT_ICMP_MAX (__CTA_TIMEOUT_ICMP_MAX - 1) + +enum ctattr_timeout_dccp { + CTA_TIMEOUT_DCCP_UNSPEC, + CTA_TIMEOUT_DCCP_REQUEST, + CTA_TIMEOUT_DCCP_RESPOND, + CTA_TIMEOUT_DCCP_PARTOPEN, + CTA_TIMEOUT_DCCP_OPEN, + CTA_TIMEOUT_DCCP_CLOSEREQ, + CTA_TIMEOUT_DCCP_CLOSING, + CTA_TIMEOUT_DCCP_TIMEWAIT, + __CTA_TIMEOUT_DCCP_MAX +}; +#define CTA_TIMEOUT_DCCP_MAX (__CTA_TIMEOUT_DCCP_MAX - 1) + +enum ctattr_timeout_sctp { + CTA_TIMEOUT_SCTP_UNSPEC, + CTA_TIMEOUT_SCTP_CLOSED, + CTA_TIMEOUT_SCTP_COOKIE_WAIT, + CTA_TIMEOUT_SCTP_COOKIE_ECHOED, + CTA_TIMEOUT_SCTP_ESTABLISHED, + CTA_TIMEOUT_SCTP_SHUTDOWN_SENT, + CTA_TIMEOUT_SCTP_SHUTDOWN_RECD, + CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, + __CTA_TIMEOUT_SCTP_MAX +}; +#define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1) + +enum ctattr_timeout_icmpv6 { + CTA_TIMEOUT_ICMPV6_UNSPEC, + CTA_TIMEOUT_ICMPV6_TIMEOUT, + __CTA_TIMEOUT_ICMPV6_MAX +}; +#define CTA_TIMEOUT_ICMPV6_MAX (__CTA_TIMEOUT_ICMPV6_MAX - 1) + +enum ctattr_timeout_gre { + CTA_TIMEOUT_GRE_UNSPEC, + CTA_TIMEOUT_GRE_UNREPLIED, + CTA_TIMEOUT_GRE_REPLIED, + __CTA_TIMEOUT_GRE_MAX +}; +#define CTA_TIMEOUT_GRE_MAX (__CTA_TIMEOUT_GRE_MAX - 1) + +#define CTNL_TIMEOUT_NAME_MAX 32 + +#endif diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h new file mode 100644 index 0000000..90c2c95 --- /dev/null +++ b/include/uapi/linux/netfilter/nfnetlink_log.h @@ -0,0 +1,97 @@ +#ifndef _NFNETLINK_LOG_H +#define _NFNETLINK_LOG_H + +/* This file describes the netlink messages (i.e. 'protocol packets'), + * and not any kind of function definitions. It is shared between kernel and + * userspace. Don't put kernel specific stuff in here */ + +#include +#include + +enum nfulnl_msg_types { + NFULNL_MSG_PACKET, /* packet from kernel to userspace */ + NFULNL_MSG_CONFIG, /* connect to a particular queue */ + + NFULNL_MSG_MAX +}; + +struct nfulnl_msg_packet_hdr { + __be16 hw_protocol; /* hw protocol (network order) */ + __u8 hook; /* netfilter hook */ + __u8 _pad; +}; + +struct nfulnl_msg_packet_hw { + __be16 hw_addrlen; + __u16 _pad; + __u8 hw_addr[8]; +}; + +struct nfulnl_msg_packet_timestamp { + __aligned_be64 sec; + __aligned_be64 usec; +}; + +enum nfulnl_attr_type { + NFULA_UNSPEC, + NFULA_PACKET_HDR, + NFULA_MARK, /* __u32 nfmark */ + NFULA_TIMESTAMP, /* nfulnl_msg_packet_timestamp */ + NFULA_IFINDEX_INDEV, /* __u32 ifindex */ + NFULA_IFINDEX_OUTDEV, /* __u32 ifindex */ + NFULA_IFINDEX_PHYSINDEV, /* __u32 ifindex */ + NFULA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */ + NFULA_HWADDR, /* nfulnl_msg_packet_hw */ + NFULA_PAYLOAD, /* opaque data payload */ + NFULA_PREFIX, /* string prefix */ + NFULA_UID, /* user id of socket */ + NFULA_SEQ, /* instance-local sequence number */ + NFULA_SEQ_GLOBAL, /* global sequence number */ + NFULA_GID, /* group id of socket */ + NFULA_HWTYPE, /* hardware type */ + NFULA_HWHEADER, /* hardware header */ + NFULA_HWLEN, /* hardware header length */ + + __NFULA_MAX +}; +#define NFULA_MAX (__NFULA_MAX - 1) + +enum nfulnl_msg_config_cmds { + NFULNL_CFG_CMD_NONE, + NFULNL_CFG_CMD_BIND, + NFULNL_CFG_CMD_UNBIND, + NFULNL_CFG_CMD_PF_BIND, + NFULNL_CFG_CMD_PF_UNBIND, +}; + +struct nfulnl_msg_config_cmd { + __u8 command; /* nfulnl_msg_config_cmds */ +} __attribute__ ((packed)); + +struct nfulnl_msg_config_mode { + __be32 copy_range; + __u8 copy_mode; + __u8 _pad; +} __attribute__ ((packed)); + +enum nfulnl_attr_config { + NFULA_CFG_UNSPEC, + NFULA_CFG_CMD, /* nfulnl_msg_config_cmd */ + NFULA_CFG_MODE, /* nfulnl_msg_config_mode */ + NFULA_CFG_NLBUFSIZ, /* __u32 buffer size */ + NFULA_CFG_TIMEOUT, /* __u32 in 1/100 s */ + NFULA_CFG_QTHRESH, /* __u32 */ + NFULA_CFG_FLAGS, /* __u16 */ + __NFULA_CFG_MAX +}; +#define NFULA_CFG_MAX (__NFULA_CFG_MAX -1) + +#define NFULNL_COPY_NONE 0x00 +#define NFULNL_COPY_META 0x01 +#define NFULNL_COPY_PACKET 0x02 +/* 0xff is reserved, don't use it for new copy modes. */ + +#define NFULNL_CFG_F_SEQ 0x0001 +#define NFULNL_CFG_F_SEQ_GLOBAL 0x0002 + +#endif /* _NFNETLINK_LOG_H */ diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h new file mode 100644 index 0000000..70ec8c2 --- /dev/null +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h @@ -0,0 +1,101 @@ +#ifndef _NFNETLINK_QUEUE_H +#define _NFNETLINK_QUEUE_H + +#include +#include + +enum nfqnl_msg_types { + NFQNL_MSG_PACKET, /* packet from kernel to userspace */ + NFQNL_MSG_VERDICT, /* verdict from userspace to kernel */ + NFQNL_MSG_CONFIG, /* connect to a particular queue */ + NFQNL_MSG_VERDICT_BATCH, /* batchv from userspace to kernel */ + + NFQNL_MSG_MAX +}; + +struct nfqnl_msg_packet_hdr { + __be32 packet_id; /* unique ID of packet in queue */ + __be16 hw_protocol; /* hw protocol (network order) */ + __u8 hook; /* netfilter hook */ +} __attribute__ ((packed)); + +struct nfqnl_msg_packet_hw { + __be16 hw_addrlen; + __u16 _pad; + __u8 hw_addr[8]; +}; + +struct nfqnl_msg_packet_timestamp { + __aligned_be64 sec; + __aligned_be64 usec; +}; + +enum nfqnl_attr_type { + NFQA_UNSPEC, + NFQA_PACKET_HDR, + NFQA_VERDICT_HDR, /* nfqnl_msg_verdict_hrd */ + NFQA_MARK, /* __u32 nfmark */ + NFQA_TIMESTAMP, /* nfqnl_msg_packet_timestamp */ + NFQA_IFINDEX_INDEV, /* __u32 ifindex */ + NFQA_IFINDEX_OUTDEV, /* __u32 ifindex */ + NFQA_IFINDEX_PHYSINDEV, /* __u32 ifindex */ + NFQA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */ + NFQA_HWADDR, /* nfqnl_msg_packet_hw */ + NFQA_PAYLOAD, /* opaque data payload */ + NFQA_CT, /* nf_conntrack_netlink.h */ + NFQA_CT_INFO, /* enum ip_conntrack_info */ + NFQA_CAP_LEN, /* __u32 length of captured packet */ + + __NFQA_MAX +}; +#define NFQA_MAX (__NFQA_MAX - 1) + +struct nfqnl_msg_verdict_hdr { + __be32 verdict; + __be32 id; +}; + + +enum nfqnl_msg_config_cmds { + NFQNL_CFG_CMD_NONE, + NFQNL_CFG_CMD_BIND, + NFQNL_CFG_CMD_UNBIND, + NFQNL_CFG_CMD_PF_BIND, + NFQNL_CFG_CMD_PF_UNBIND, +}; + +struct nfqnl_msg_config_cmd { + __u8 command; /* nfqnl_msg_config_cmds */ + __u8 _pad; + __be16 pf; /* AF_xxx for PF_[UN]BIND */ +}; + +enum nfqnl_config_mode { + NFQNL_COPY_NONE, + NFQNL_COPY_META, + NFQNL_COPY_PACKET, +}; + +struct nfqnl_msg_config_params { + __be32 copy_range; + __u8 copy_mode; /* enum nfqnl_config_mode */ +} __attribute__ ((packed)); + + +enum nfqnl_attr_config { + NFQA_CFG_UNSPEC, + NFQA_CFG_CMD, /* nfqnl_msg_config_cmd */ + NFQA_CFG_PARAMS, /* nfqnl_msg_config_params */ + NFQA_CFG_QUEUE_MAXLEN, /* __u32 */ + NFQA_CFG_MASK, /* identify which flags to change */ + NFQA_CFG_FLAGS, /* value of these flags (__u32) */ + __NFQA_CFG_MAX +}; +#define NFQA_CFG_MAX (__NFQA_CFG_MAX-1) + +/* Flags for NFQA_CFG_FLAGS */ +#define NFQA_CFG_F_FAIL_OPEN (1 << 0) +#define NFQA_CFG_F_CONNTRACK (1 << 1) +#define NFQA_CFG_F_MAX (1 << 2) + +#endif /* _NFNETLINK_QUEUE_H */ diff --git a/include/uapi/linux/netfilter/x_tables.h b/include/uapi/linux/netfilter/x_tables.h new file mode 100644 index 0000000..c36969b --- /dev/null +++ b/include/uapi/linux/netfilter/x_tables.h @@ -0,0 +1,187 @@ +#ifndef _UAPI_X_TABLES_H +#define _UAPI_X_TABLES_H +#include +#include + +#define XT_FUNCTION_MAXNAMELEN 30 +#define XT_EXTENSION_MAXNAMELEN 29 +#define XT_TABLE_MAXNAMELEN 32 + +struct xt_entry_match { + union { + struct { + __u16 match_size; + + /* Used by userspace */ + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; + } user; + struct { + __u16 match_size; + + /* Used inside the kernel */ + struct xt_match *match; + } kernel; + + /* Total length */ + __u16 match_size; + } u; + + unsigned char data[0]; +}; + +struct xt_entry_target { + union { + struct { + __u16 target_size; + + /* Used by userspace */ + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; + } user; + struct { + __u16 target_size; + + /* Used inside the kernel */ + struct xt_target *target; + } kernel; + + /* Total length */ + __u16 target_size; + } u; + + unsigned char data[0]; +}; + +#define XT_TARGET_INIT(__name, __size) \ +{ \ + .target.u.user = { \ + .target_size = XT_ALIGN(__size), \ + .name = __name, \ + }, \ +} + +struct xt_standard_target { + struct xt_entry_target target; + int verdict; +}; + +struct xt_error_target { + struct xt_entry_target target; + char errorname[XT_FUNCTION_MAXNAMELEN]; +}; + +/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision + * kernel supports, if >= revision. */ +struct xt_get_revision { + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; +}; + +/* CONTINUE verdict for targets */ +#define XT_CONTINUE 0xFFFFFFFF + +/* For standard target */ +#define XT_RETURN (-NF_REPEAT - 1) + +/* this is a dummy structure to find out the alignment requirement for a struct + * containing all the fundamental data types that are used in ipt_entry, + * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my + * personal pleasure to remove it -HW + */ +struct _xt_align { + __u8 u8; + __u16 u16; + __u32 u32; + __u64 u64; +}; + +#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) + +/* Standard return verdict, or do jump. */ +#define XT_STANDARD_TARGET "" +/* Error verdict. */ +#define XT_ERROR_TARGET "ERROR" + +#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) +#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) + +struct xt_counters { + __u64 pcnt, bcnt; /* Packet and byte counters */ +}; + +/* The argument to IPT_SO_ADD_COUNTERS. */ +struct xt_counters_info { + /* Which table. */ + char name[XT_TABLE_MAXNAMELEN]; + + unsigned int num_counters; + + /* The counters (actually `number' of these). */ + struct xt_counters counters[0]; +}; + +#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ + +#ifndef __KERNEL__ +/* fn returns 0 to continue iteration */ +#define XT_MATCH_ITERATE(type, e, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct xt_entry_match *__m; \ + \ + for (__i = sizeof(type); \ + __i < (e)->target_offset; \ + __i += __m->u.match_size) { \ + __m = (void *)e + __i; \ + \ + __ret = fn(__m , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ +({ \ + unsigned int __i, __n; \ + int __ret = 0; \ + type *__entry; \ + \ + for (__i = 0, __n = 0; __i < (size); \ + __i += __entry->next_offset, __n++) { \ + __entry = (void *)(entries) + __i; \ + if (__n < n) \ + continue; \ + \ + __ret = fn(__entry , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ + XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) + +#endif /* !__KERNEL__ */ + +/* pos is normally a struct ipt_entry/ip6t_entry/etc. */ +#define xt_entry_foreach(pos, ehead, esize) \ + for ((pos) = (typeof(pos))(ehead); \ + (pos) < (typeof(pos))((char *)(ehead) + (esize)); \ + (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset)) + +/* can only be xt_entry_match, so no use of typeof here */ +#define xt_ematch_foreach(pos, entry) \ + for ((pos) = (struct xt_entry_match *)entry->elems; \ + (pos) < (struct xt_entry_match *)((char *)(entry) + \ + (entry)->target_offset); \ + (pos) = (struct xt_entry_match *)((char *)(pos) + \ + (pos)->u.match_size)) + + +#endif /* _UAPI_X_TABLES_H */ diff --git a/include/uapi/linux/netfilter/xt_AUDIT.h b/include/uapi/linux/netfilter/xt_AUDIT.h new file mode 100644 index 0000000..38751d2 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_AUDIT.h @@ -0,0 +1,30 @@ +/* + * Header file for iptables xt_AUDIT target + * + * (C) 2010-2011 Thomas Graf + * (C) 2010-2011 Red Hat, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#ifndef _XT_AUDIT_TARGET_H +#define _XT_AUDIT_TARGET_H + +#include + +enum { + XT_AUDIT_TYPE_ACCEPT = 0, + XT_AUDIT_TYPE_DROP, + XT_AUDIT_TYPE_REJECT, + __XT_AUDIT_TYPE_MAX, +}; + +#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1) + +struct xt_audit_info { + __u8 type; /* XT_AUDIT_TYPE_* */ +}; + +#endif /* _XT_AUDIT_TARGET_H */ diff --git a/include/uapi/linux/netfilter/xt_CHECKSUM.h b/include/uapi/linux/netfilter/xt_CHECKSUM.h new file mode 100644 index 0000000..9a2e466 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_CHECKSUM.h @@ -0,0 +1,20 @@ +/* Header file for iptables ipt_CHECKSUM target + * + * (C) 2002 by Harald Welte + * (C) 2010 Red Hat Inc + * Author: Michael S. Tsirkin + * + * This software is distributed under GNU GPL v2, 1991 +*/ +#ifndef _XT_CHECKSUM_TARGET_H +#define _XT_CHECKSUM_TARGET_H + +#include + +#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */ + +struct xt_CHECKSUM_info { + __u8 operation; /* bitset of operations */ +}; + +#endif /* _XT_CHECKSUM_TARGET_H */ diff --git a/include/uapi/linux/netfilter/xt_CLASSIFY.h b/include/uapi/linux/netfilter/xt_CLASSIFY.h new file mode 100644 index 0000000..a813bf1 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_CLASSIFY.h @@ -0,0 +1,10 @@ +#ifndef _XT_CLASSIFY_H +#define _XT_CLASSIFY_H + +#include + +struct xt_classify_target_info { + __u32 priority; +}; + +#endif /*_XT_CLASSIFY_H */ diff --git a/include/uapi/linux/netfilter/xt_CONNMARK.h b/include/uapi/linux/netfilter/xt_CONNMARK.h new file mode 100644 index 0000000..2f2e48e --- /dev/null +++ b/include/uapi/linux/netfilter/xt_CONNMARK.h @@ -0,0 +1,6 @@ +#ifndef _XT_CONNMARK_H_target +#define _XT_CONNMARK_H_target + +#include + +#endif /*_XT_CONNMARK_H_target*/ diff --git a/include/uapi/linux/netfilter/xt_CONNSECMARK.h b/include/uapi/linux/netfilter/xt_CONNSECMARK.h new file mode 100644 index 0000000..b973ff8 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_CONNSECMARK.h @@ -0,0 +1,15 @@ +#ifndef _XT_CONNSECMARK_H_target +#define _XT_CONNSECMARK_H_target + +#include + +enum { + CONNSECMARK_SAVE = 1, + CONNSECMARK_RESTORE, +}; + +struct xt_connsecmark_target_info { + __u8 mode; +}; + +#endif /*_XT_CONNSECMARK_H_target */ diff --git a/include/uapi/linux/netfilter/xt_CT.h b/include/uapi/linux/netfilter/xt_CT.h new file mode 100644 index 0000000..a064b8a --- /dev/null +++ b/include/uapi/linux/netfilter/xt_CT.h @@ -0,0 +1,31 @@ +#ifndef _XT_CT_H +#define _XT_CT_H + +#include + +#define XT_CT_NOTRACK 0x1 + +struct xt_ct_target_info { + __u16 flags; + __u16 zone; + __u32 ct_events; + __u32 exp_events; + char helper[16]; + + /* Used internally by the kernel */ + struct nf_conn *ct __attribute__((aligned(8))); +}; + +struct xt_ct_target_info_v1 { + __u16 flags; + __u16 zone; + __u32 ct_events; + __u32 exp_events; + char helper[16]; + char timeout[32]; + + /* Used internally by the kernel */ + struct nf_conn *ct __attribute__((aligned(8))); +}; + +#endif /* _XT_CT_H */ diff --git a/include/uapi/linux/netfilter/xt_DSCP.h b/include/uapi/linux/netfilter/xt_DSCP.h new file mode 100644 index 0000000..648e0b3 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_DSCP.h @@ -0,0 +1,26 @@ +/* x_tables module for setting the IPv4/IPv6 DSCP field + * + * (C) 2002 Harald Welte + * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh + * This software is distributed under GNU GPL v2, 1991 + * + * See RFC2474 for a description of the DSCP field within the IP Header. + * + * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp +*/ +#ifndef _XT_DSCP_TARGET_H +#define _XT_DSCP_TARGET_H +#include +#include + +/* target info */ +struct xt_DSCP_info { + __u8 dscp; +}; + +struct xt_tos_target_info { + __u8 tos_value; + __u8 tos_mask; +}; + +#endif /* _XT_DSCP_TARGET_H */ diff --git a/include/uapi/linux/netfilter/xt_IDLETIMER.h b/include/uapi/linux/netfilter/xt_IDLETIMER.h new file mode 100644 index 0000000..208ae93 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_IDLETIMER.h @@ -0,0 +1,45 @@ +/* + * linux/include/linux/netfilter/xt_IDLETIMER.h + * + * Header file for Xtables timer target module. + * + * Copyright (C) 2004, 2010 Nokia Corporation + * Written by Timo Teras + * + * Converted to x_tables and forward-ported to 2.6.34 + * by Luciano Coelho + * + * Contact: Luciano Coelho + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA + */ + +#ifndef _XT_IDLETIMER_H +#define _XT_IDLETIMER_H + +#include + +#define MAX_IDLETIMER_LABEL_SIZE 28 + +struct idletimer_tg_info { + __u32 timeout; + + char label[MAX_IDLETIMER_LABEL_SIZE]; + + /* for kernel module internal use only */ + struct idletimer_tg *timer __attribute__((aligned(8))); +}; + +#endif diff --git a/include/uapi/linux/netfilter/xt_LED.h b/include/uapi/linux/netfilter/xt_LED.h new file mode 100644 index 0000000..f5509e7 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_LED.h @@ -0,0 +1,15 @@ +#ifndef _XT_LED_H +#define _XT_LED_H + +#include + +struct xt_led_info { + char id[27]; /* Unique ID for this trigger in the LED class */ + __u8 always_blink; /* Blink even if the LED is already on */ + __u32 delay; /* Delay until LED is switched off after trigger */ + + /* Kernel data used in the module */ + void *internal_data __attribute__((aligned(8))); +}; + +#endif /* _XT_LED_H */ diff --git a/include/uapi/linux/netfilter/xt_LOG.h b/include/uapi/linux/netfilter/xt_LOG.h new file mode 100644 index 0000000..cac0790 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_LOG.h @@ -0,0 +1,19 @@ +#ifndef _XT_LOG_H +#define _XT_LOG_H + +/* make sure not to change this without changing nf_log.h:NF_LOG_* (!) */ +#define XT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ +#define XT_LOG_TCPOPT 0x02 /* Log TCP options */ +#define XT_LOG_IPOPT 0x04 /* Log IP options */ +#define XT_LOG_UID 0x08 /* Log UID owning local socket */ +#define XT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ +#define XT_LOG_MACDECODE 0x20 /* Decode MAC header */ +#define XT_LOG_MASK 0x2f + +struct xt_log_info { + unsigned char level; + unsigned char logflags; + char prefix[30]; +}; + +#endif /* _XT_LOG_H */ diff --git a/include/uapi/linux/netfilter/xt_MARK.h b/include/uapi/linux/netfilter/xt_MARK.h new file mode 100644 index 0000000..41c456d --- /dev/null +++ b/include/uapi/linux/netfilter/xt_MARK.h @@ -0,0 +1,6 @@ +#ifndef _XT_MARK_H_target +#define _XT_MARK_H_target + +#include + +#endif /*_XT_MARK_H_target */ diff --git a/include/uapi/linux/netfilter/xt_NFLOG.h b/include/uapi/linux/netfilter/xt_NFLOG.h new file mode 100644 index 0000000..87b5831 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_NFLOG.h @@ -0,0 +1,20 @@ +#ifndef _XT_NFLOG_TARGET +#define _XT_NFLOG_TARGET + +#include + +#define XT_NFLOG_DEFAULT_GROUP 0x1 +#define XT_NFLOG_DEFAULT_THRESHOLD 0 + +#define XT_NFLOG_MASK 0x0 + +struct xt_nflog_info { + __u32 len; + __u16 group; + __u16 threshold; + __u16 flags; + __u16 pad; + char prefix[64]; +}; + +#endif /* _XT_NFLOG_TARGET */ diff --git a/include/uapi/linux/netfilter/xt_NFQUEUE.h b/include/uapi/linux/netfilter/xt_NFQUEUE.h new file mode 100644 index 0000000..9eafdbb --- /dev/null +++ b/include/uapi/linux/netfilter/xt_NFQUEUE.h @@ -0,0 +1,29 @@ +/* iptables module for using NFQUEUE mechanism + * + * (C) 2005 Harald Welte + * + * This software is distributed under GNU GPL v2, 1991 + * +*/ +#ifndef _XT_NFQ_TARGET_H +#define _XT_NFQ_TARGET_H + +#include + +/* target info */ +struct xt_NFQ_info { + __u16 queuenum; +}; + +struct xt_NFQ_info_v1 { + __u16 queuenum; + __u16 queues_total; +}; + +struct xt_NFQ_info_v2 { + __u16 queuenum; + __u16 queues_total; + __u16 bypass; +}; + +#endif /* _XT_NFQ_TARGET_H */ diff --git a/include/uapi/linux/netfilter/xt_RATEEST.h b/include/uapi/linux/netfilter/xt_RATEEST.h new file mode 100644 index 0000000..6605e20 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_RATEEST.h @@ -0,0 +1,15 @@ +#ifndef _XT_RATEEST_TARGET_H +#define _XT_RATEEST_TARGET_H + +#include + +struct xt_rateest_target_info { + char name[IFNAMSIZ]; + __s8 interval; + __u8 ewma_log; + + /* Used internally by the kernel */ + struct xt_rateest *est __attribute__((aligned(8))); +}; + +#endif /* _XT_RATEEST_TARGET_H */ diff --git a/include/uapi/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h new file mode 100644 index 0000000..989092b --- /dev/null +++ b/include/uapi/linux/netfilter/xt_SECMARK.h @@ -0,0 +1,22 @@ +#ifndef _XT_SECMARK_H_target +#define _XT_SECMARK_H_target + +#include + +/* + * This is intended for use by various security subsystems (but not + * at the same time). + * + * 'mode' refers to the specific security subsystem which the + * packets are being marked for. + */ +#define SECMARK_MODE_SEL 0x01 /* SELinux */ +#define SECMARK_SECCTX_MAX 256 + +struct xt_secmark_target_info { + __u8 mode; + __u32 secid; + char secctx[SECMARK_SECCTX_MAX]; +}; + +#endif /*_XT_SECMARK_H_target */ diff --git a/include/uapi/linux/netfilter/xt_TCPMSS.h b/include/uapi/linux/netfilter/xt_TCPMSS.h new file mode 100644 index 0000000..9a6960a --- /dev/null +++ b/include/uapi/linux/netfilter/xt_TCPMSS.h @@ -0,0 +1,12 @@ +#ifndef _XT_TCPMSS_H +#define _XT_TCPMSS_H + +#include + +struct xt_tcpmss_info { + __u16 mss; +}; + +#define XT_TCPMSS_CLAMP_PMTU 0xffff + +#endif /* _XT_TCPMSS_H */ diff --git a/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h new file mode 100644 index 0000000..7157318 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h @@ -0,0 +1,15 @@ +#ifndef _XT_TCPOPTSTRIP_H +#define _XT_TCPOPTSTRIP_H + +#include + +#define tcpoptstrip_set_bit(bmap, idx) \ + (bmap[(idx) >> 5] |= 1U << (idx & 31)) +#define tcpoptstrip_test_bit(bmap, idx) \ + (((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0) + +struct xt_tcpoptstrip_target_info { + __u32 strip_bmap[8]; +}; + +#endif /* _XT_TCPOPTSTRIP_H */ diff --git a/include/uapi/linux/netfilter/xt_TEE.h b/include/uapi/linux/netfilter/xt_TEE.h new file mode 100644 index 0000000..5c21d5c --- /dev/null +++ b/include/uapi/linux/netfilter/xt_TEE.h @@ -0,0 +1,12 @@ +#ifndef _XT_TEE_TARGET_H +#define _XT_TEE_TARGET_H + +struct xt_tee_tginfo { + union nf_inet_addr gw; + char oif[16]; + + /* used internally by the kernel */ + struct xt_tee_priv *priv __attribute__((aligned(8))); +}; + +#endif /* _XT_TEE_TARGET_H */ diff --git a/include/uapi/linux/netfilter/xt_TPROXY.h b/include/uapi/linux/netfilter/xt_TPROXY.h new file mode 100644 index 0000000..902043c --- /dev/null +++ b/include/uapi/linux/netfilter/xt_TPROXY.h @@ -0,0 +1,23 @@ +#ifndef _XT_TPROXY_H +#define _XT_TPROXY_H + +#include + +/* TPROXY target is capable of marking the packet to perform + * redirection. We can get rid of that whenever we get support for + * mutliple targets in the same rule. */ +struct xt_tproxy_target_info { + __u32 mark_mask; + __u32 mark_value; + __be32 laddr; + __be16 lport; +}; + +struct xt_tproxy_target_info_v1 { + __u32 mark_mask; + __u32 mark_value; + union nf_inet_addr laddr; + __be16 lport; +}; + +#endif /* _XT_TPROXY_H */ diff --git a/include/uapi/linux/netfilter/xt_addrtype.h b/include/uapi/linux/netfilter/xt_addrtype.h new file mode 100644 index 0000000..b156baa --- /dev/null +++ b/include/uapi/linux/netfilter/xt_addrtype.h @@ -0,0 +1,44 @@ +#ifndef _XT_ADDRTYPE_H +#define _XT_ADDRTYPE_H + +#include + +enum { + XT_ADDRTYPE_INVERT_SOURCE = 0x0001, + XT_ADDRTYPE_INVERT_DEST = 0x0002, + XT_ADDRTYPE_LIMIT_IFACE_IN = 0x0004, + XT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008, +}; + + +/* rtn_type enum values from rtnetlink.h, but shifted */ +enum { + XT_ADDRTYPE_UNSPEC = 1 << 0, + XT_ADDRTYPE_UNICAST = 1 << 1, /* 1 << RTN_UNICAST */ + XT_ADDRTYPE_LOCAL = 1 << 2, /* 1 << RTN_LOCAL, etc */ + XT_ADDRTYPE_BROADCAST = 1 << 3, + XT_ADDRTYPE_ANYCAST = 1 << 4, + XT_ADDRTYPE_MULTICAST = 1 << 5, + XT_ADDRTYPE_BLACKHOLE = 1 << 6, + XT_ADDRTYPE_UNREACHABLE = 1 << 7, + XT_ADDRTYPE_PROHIBIT = 1 << 8, + XT_ADDRTYPE_THROW = 1 << 9, + XT_ADDRTYPE_NAT = 1 << 10, + XT_ADDRTYPE_XRESOLVE = 1 << 11, +}; + +struct xt_addrtype_info_v1 { + __u16 source; /* source-type mask */ + __u16 dest; /* dest-type mask */ + __u32 flags; +}; + +/* revision 0 */ +struct xt_addrtype_info { + __u16 source; /* source-type mask */ + __u16 dest; /* dest-type mask */ + __u32 invert_source; + __u32 invert_dest; +}; + +#endif diff --git a/include/uapi/linux/netfilter/xt_cluster.h b/include/uapi/linux/netfilter/xt_cluster.h new file mode 100644 index 0000000..9b883c8 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_cluster.h @@ -0,0 +1,19 @@ +#ifndef _XT_CLUSTER_MATCH_H +#define _XT_CLUSTER_MATCH_H + +#include + +enum xt_cluster_flags { + XT_CLUSTER_F_INV = (1 << 0) +}; + +struct xt_cluster_match_info { + __u32 total_nodes; + __u32 node_mask; + __u32 hash_seed; + __u32 flags; +}; + +#define XT_CLUSTER_NODES_MAX 32 + +#endif /* _XT_CLUSTER_MATCH_H */ diff --git a/include/uapi/linux/netfilter/xt_comment.h b/include/uapi/linux/netfilter/xt_comment.h new file mode 100644 index 0000000..0ea5e79 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_comment.h @@ -0,0 +1,10 @@ +#ifndef _XT_COMMENT_H +#define _XT_COMMENT_H + +#define XT_MAX_COMMENT_LEN 256 + +struct xt_comment_info { + char comment[XT_MAX_COMMENT_LEN]; +}; + +#endif /* XT_COMMENT_H */ diff --git a/include/uapi/linux/netfilter/xt_connbytes.h b/include/uapi/linux/netfilter/xt_connbytes.h new file mode 100644 index 0000000..f1d6c15 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_connbytes.h @@ -0,0 +1,26 @@ +#ifndef _XT_CONNBYTES_H +#define _XT_CONNBYTES_H + +#include + +enum xt_connbytes_what { + XT_CONNBYTES_PKTS, + XT_CONNBYTES_BYTES, + XT_CONNBYTES_AVGPKT, +}; + +enum xt_connbytes_direction { + XT_CONNBYTES_DIR_ORIGINAL, + XT_CONNBYTES_DIR_REPLY, + XT_CONNBYTES_DIR_BOTH, +}; + +struct xt_connbytes_info { + struct { + __aligned_u64 from; /* count to be matched */ + __aligned_u64 to; /* count to be matched */ + } count; + __u8 what; /* ipt_connbytes_what */ + __u8 direction; /* ipt_connbytes_direction */ +}; +#endif diff --git a/include/uapi/linux/netfilter/xt_connlimit.h b/include/uapi/linux/netfilter/xt_connlimit.h new file mode 100644 index 0000000..f165609 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_connlimit.h @@ -0,0 +1,32 @@ +#ifndef _XT_CONNLIMIT_H +#define _XT_CONNLIMIT_H + +#include +#include + +struct xt_connlimit_data; + +enum { + XT_CONNLIMIT_INVERT = 1 << 0, + XT_CONNLIMIT_DADDR = 1 << 1, +}; + +struct xt_connlimit_info { + union { + union nf_inet_addr mask; +#ifndef __KERNEL__ + union { + __be32 v4_mask; + __be32 v6_mask[4]; + }; +#endif + }; + unsigned int limit; + /* revision 1 */ + __u32 flags; + + /* Used internally by the kernel */ + struct xt_connlimit_data *data __attribute__((aligned(8))); +}; + +#endif /* _XT_CONNLIMIT_H */ diff --git a/include/uapi/linux/netfilter/xt_connmark.h b/include/uapi/linux/netfilter/xt_connmark.h new file mode 100644 index 0000000..efc17a8 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_connmark.h @@ -0,0 +1,31 @@ +#ifndef _XT_CONNMARK_H +#define _XT_CONNMARK_H + +#include + +/* Copyright (C) 2002,2004 MARA Systems AB + * by Henrik Nordstrom + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +enum { + XT_CONNMARK_SET = 0, + XT_CONNMARK_SAVE, + XT_CONNMARK_RESTORE +}; + +struct xt_connmark_tginfo1 { + __u32 ctmark, ctmask, nfmask; + __u8 mode; +}; + +struct xt_connmark_mtinfo1 { + __u32 mark, mask; + __u8 invert; +}; + +#endif /*_XT_CONNMARK_H*/ diff --git a/include/uapi/linux/netfilter/xt_conntrack.h b/include/uapi/linux/netfilter/xt_conntrack.h new file mode 100644 index 0000000..e3c041d --- /dev/null +++ b/include/uapi/linux/netfilter/xt_conntrack.h @@ -0,0 +1,77 @@ +/* Header file for kernel module to match connection tracking information. + * GPL (C) 2001 Marc Boucher (marc@mbsi.ca). + */ + +#ifndef _XT_CONNTRACK_H +#define _XT_CONNTRACK_H + +#include +#include +#include + +#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) +#define XT_CONNTRACK_STATE_INVALID (1 << 0) + +#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1)) +#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2)) +#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3)) + +/* flags, invflags: */ +enum { + XT_CONNTRACK_STATE = 1 << 0, + XT_CONNTRACK_PROTO = 1 << 1, + XT_CONNTRACK_ORIGSRC = 1 << 2, + XT_CONNTRACK_ORIGDST = 1 << 3, + XT_CONNTRACK_REPLSRC = 1 << 4, + XT_CONNTRACK_REPLDST = 1 << 5, + XT_CONNTRACK_STATUS = 1 << 6, + XT_CONNTRACK_EXPIRES = 1 << 7, + XT_CONNTRACK_ORIGSRC_PORT = 1 << 8, + XT_CONNTRACK_ORIGDST_PORT = 1 << 9, + XT_CONNTRACK_REPLSRC_PORT = 1 << 10, + XT_CONNTRACK_REPLDST_PORT = 1 << 11, + XT_CONNTRACK_DIRECTION = 1 << 12, +}; + +struct xt_conntrack_mtinfo1 { + union nf_inet_addr origsrc_addr, origsrc_mask; + union nf_inet_addr origdst_addr, origdst_mask; + union nf_inet_addr replsrc_addr, replsrc_mask; + union nf_inet_addr repldst_addr, repldst_mask; + __u32 expires_min, expires_max; + __u16 l4proto; + __be16 origsrc_port, origdst_port; + __be16 replsrc_port, repldst_port; + __u16 match_flags, invert_flags; + __u8 state_mask, status_mask; +}; + +struct xt_conntrack_mtinfo2 { + union nf_inet_addr origsrc_addr, origsrc_mask; + union nf_inet_addr origdst_addr, origdst_mask; + union nf_inet_addr replsrc_addr, replsrc_mask; + union nf_inet_addr repldst_addr, repldst_mask; + __u32 expires_min, expires_max; + __u16 l4proto; + __be16 origsrc_port, origdst_port; + __be16 replsrc_port, repldst_port; + __u16 match_flags, invert_flags; + __u16 state_mask, status_mask; +}; + +struct xt_conntrack_mtinfo3 { + union nf_inet_addr origsrc_addr, origsrc_mask; + union nf_inet_addr origdst_addr, origdst_mask; + union nf_inet_addr replsrc_addr, replsrc_mask; + union nf_inet_addr repldst_addr, repldst_mask; + __u32 expires_min, expires_max; + __u16 l4proto; + __u16 origsrc_port, origdst_port; + __u16 replsrc_port, repldst_port; + __u16 match_flags, invert_flags; + __u16 state_mask, status_mask; + __u16 origsrc_port_high, origdst_port_high; + __u16 replsrc_port_high, repldst_port_high; +}; + +#endif /*_XT_CONNTRACK_H*/ diff --git a/include/uapi/linux/netfilter/xt_cpu.h b/include/uapi/linux/netfilter/xt_cpu.h new file mode 100644 index 0000000..93c7f11 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_cpu.h @@ -0,0 +1,11 @@ +#ifndef _XT_CPU_H +#define _XT_CPU_H + +#include + +struct xt_cpu_info { + __u32 cpu; + __u32 invert; +}; + +#endif /*_XT_CPU_H*/ diff --git a/include/uapi/linux/netfilter/xt_dccp.h b/include/uapi/linux/netfilter/xt_dccp.h new file mode 100644 index 0000000..a579e1b --- /dev/null +++ b/include/uapi/linux/netfilter/xt_dccp.h @@ -0,0 +1,25 @@ +#ifndef _XT_DCCP_H_ +#define _XT_DCCP_H_ + +#include + +#define XT_DCCP_SRC_PORTS 0x01 +#define XT_DCCP_DEST_PORTS 0x02 +#define XT_DCCP_TYPE 0x04 +#define XT_DCCP_OPTION 0x08 + +#define XT_DCCP_VALID_FLAGS 0x0f + +struct xt_dccp_info { + __u16 dpts[2]; /* Min, Max */ + __u16 spts[2]; /* Min, Max */ + + __u16 flags; + __u16 invflags; + + __u16 typemask; + __u8 option; +}; + +#endif /* _XT_DCCP_H_ */ + diff --git a/include/uapi/linux/netfilter/xt_devgroup.h b/include/uapi/linux/netfilter/xt_devgroup.h new file mode 100644 index 0000000..1babde0 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_devgroup.h @@ -0,0 +1,21 @@ +#ifndef _XT_DEVGROUP_H +#define _XT_DEVGROUP_H + +#include + +enum xt_devgroup_flags { + XT_DEVGROUP_MATCH_SRC = 0x1, + XT_DEVGROUP_INVERT_SRC = 0x2, + XT_DEVGROUP_MATCH_DST = 0x4, + XT_DEVGROUP_INVERT_DST = 0x8, +}; + +struct xt_devgroup_info { + __u32 flags; + __u32 src_group; + __u32 src_mask; + __u32 dst_group; + __u32 dst_mask; +}; + +#endif /* _XT_DEVGROUP_H */ diff --git a/include/uapi/linux/netfilter/xt_dscp.h b/include/uapi/linux/netfilter/xt_dscp.h new file mode 100644 index 0000000..15f8932 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_dscp.h @@ -0,0 +1,31 @@ +/* x_tables module for matching the IPv4/IPv6 DSCP field + * + * (C) 2002 Harald Welte + * This software is distributed under GNU GPL v2, 1991 + * + * See RFC2474 for a description of the DSCP field within the IP Header. + * + * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp +*/ +#ifndef _XT_DSCP_H +#define _XT_DSCP_H + +#include + +#define XT_DSCP_MASK 0xfc /* 11111100 */ +#define XT_DSCP_SHIFT 2 +#define XT_DSCP_MAX 0x3f /* 00111111 */ + +/* match info */ +struct xt_dscp_info { + __u8 dscp; + __u8 invert; +}; + +struct xt_tos_match_info { + __u8 tos_mask; + __u8 tos_value; + __u8 invert; +}; + +#endif /* _XT_DSCP_H */ diff --git a/include/uapi/linux/netfilter/xt_ecn.h b/include/uapi/linux/netfilter/xt_ecn.h new file mode 100644 index 0000000..7158fca --- /dev/null +++ b/include/uapi/linux/netfilter/xt_ecn.h @@ -0,0 +1,35 @@ +/* iptables module for matching the ECN header in IPv4 and TCP header + * + * (C) 2002 Harald Welte + * + * This software is distributed under GNU GPL v2, 1991 + * + * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp +*/ +#ifndef _XT_ECN_H +#define _XT_ECN_H + +#include +#include + +#define XT_ECN_IP_MASK (~XT_DSCP_MASK) + +#define XT_ECN_OP_MATCH_IP 0x01 +#define XT_ECN_OP_MATCH_ECE 0x10 +#define XT_ECN_OP_MATCH_CWR 0x20 + +#define XT_ECN_OP_MATCH_MASK 0xce + +/* match info */ +struct xt_ecn_info { + __u8 operation; + __u8 invert; + __u8 ip_ect; + union { + struct { + __u8 ect; + } tcp; + } proto; +}; + +#endif /* _XT_ECN_H */ diff --git a/include/uapi/linux/netfilter/xt_esp.h b/include/uapi/linux/netfilter/xt_esp.h new file mode 100644 index 0000000..ee68824 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_esp.h @@ -0,0 +1,15 @@ +#ifndef _XT_ESP_H +#define _XT_ESP_H + +#include + +struct xt_esp { + __u32 spis[2]; /* Security Parameter Index */ + __u8 invflags; /* Inverse flags */ +}; + +/* Values for "invflags" field in struct xt_esp. */ +#define XT_ESP_INV_SPI 0x01 /* Invert the sense of spi. */ +#define XT_ESP_INV_MASK 0x01 /* All possible flags. */ + +#endif /*_XT_ESP_H*/ diff --git a/include/uapi/linux/netfilter/xt_hashlimit.h b/include/uapi/linux/netfilter/xt_hashlimit.h new file mode 100644 index 0000000..cbfc43d --- /dev/null +++ b/include/uapi/linux/netfilter/xt_hashlimit.h @@ -0,0 +1,73 @@ +#ifndef _UAPI_XT_HASHLIMIT_H +#define _UAPI_XT_HASHLIMIT_H + +#include + +/* timings are in milliseconds. */ +#define XT_HASHLIMIT_SCALE 10000 +/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 + * seconds, or one packet every 59 hours. + */ + +/* packet length accounting is done in 16-byte steps */ +#define XT_HASHLIMIT_BYTE_SHIFT 4 + +/* details of this structure hidden by the implementation */ +struct xt_hashlimit_htable; + +enum { + XT_HASHLIMIT_HASH_DIP = 1 << 0, + XT_HASHLIMIT_HASH_DPT = 1 << 1, + XT_HASHLIMIT_HASH_SIP = 1 << 2, + XT_HASHLIMIT_HASH_SPT = 1 << 3, + XT_HASHLIMIT_INVERT = 1 << 4, + XT_HASHLIMIT_BYTES = 1 << 5, +}; + +struct hashlimit_cfg { + __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ + + /* user specified */ + __u32 size; /* how many buckets */ + __u32 max; /* max number of entries */ + __u32 gc_interval; /* gc interval */ + __u32 expire; /* when do entries expire? */ +}; + +struct xt_hashlimit_info { + char name [IFNAMSIZ]; /* name */ + struct hashlimit_cfg cfg; + + /* Used internally by the kernel */ + struct xt_hashlimit_htable *hinfo; + union { + void *ptr; + struct xt_hashlimit_info *master; + } u; +}; + +struct hashlimit_cfg1 { + __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ + + /* user specified */ + __u32 size; /* how many buckets */ + __u32 max; /* max number of entries */ + __u32 gc_interval; /* gc interval */ + __u32 expire; /* when do entries expire? */ + + __u8 srcmask, dstmask; +}; + +struct xt_hashlimit_mtinfo1 { + char name[IFNAMSIZ]; + struct hashlimit_cfg1 cfg; + + /* Used internally by the kernel */ + struct xt_hashlimit_htable *hinfo __attribute__((aligned(8))); +}; + +#endif /* _UAPI_XT_HASHLIMIT_H */ diff --git a/include/uapi/linux/netfilter/xt_helper.h b/include/uapi/linux/netfilter/xt_helper.h new file mode 100644 index 0000000..6b42763 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_helper.h @@ -0,0 +1,8 @@ +#ifndef _XT_HELPER_H +#define _XT_HELPER_H + +struct xt_helper_info { + int invert; + char name[30]; +}; +#endif /* _XT_HELPER_H */ diff --git a/include/uapi/linux/netfilter/xt_iprange.h b/include/uapi/linux/netfilter/xt_iprange.h new file mode 100644 index 0000000..25fd7cf --- /dev/null +++ b/include/uapi/linux/netfilter/xt_iprange.h @@ -0,0 +1,20 @@ +#ifndef _LINUX_NETFILTER_XT_IPRANGE_H +#define _LINUX_NETFILTER_XT_IPRANGE_H 1 + +#include +#include + +enum { + IPRANGE_SRC = 1 << 0, /* match source IP address */ + IPRANGE_DST = 1 << 1, /* match destination IP address */ + IPRANGE_SRC_INV = 1 << 4, /* negate the condition */ + IPRANGE_DST_INV = 1 << 5, /* -"- */ +}; + +struct xt_iprange_mtinfo { + union nf_inet_addr src_min, src_max; + union nf_inet_addr dst_min, dst_max; + __u8 flags; +}; + +#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */ diff --git a/include/uapi/linux/netfilter/xt_ipvs.h b/include/uapi/linux/netfilter/xt_ipvs.h new file mode 100644 index 0000000..eff34ac --- /dev/null +++ b/include/uapi/linux/netfilter/xt_ipvs.h @@ -0,0 +1,29 @@ +#ifndef _XT_IPVS_H +#define _XT_IPVS_H + +#include + +enum { + XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */ + XT_IPVS_PROTO = 1 << 1, + XT_IPVS_VADDR = 1 << 2, + XT_IPVS_VPORT = 1 << 3, + XT_IPVS_DIR = 1 << 4, + XT_IPVS_METHOD = 1 << 5, + XT_IPVS_VPORTCTL = 1 << 6, + XT_IPVS_MASK = (1 << 7) - 1, + XT_IPVS_ONCE_MASK = XT_IPVS_MASK & ~XT_IPVS_IPVS_PROPERTY +}; + +struct xt_ipvs_mtinfo { + union nf_inet_addr vaddr, vmask; + __be16 vport; + __u8 l4proto; + __u8 fwd_method; + __be16 vportctl; + + __u8 invert; + __u8 bitmask; +}; + +#endif /* _XT_IPVS_H */ diff --git a/include/uapi/linux/netfilter/xt_length.h b/include/uapi/linux/netfilter/xt_length.h new file mode 100644 index 0000000..b82ed7c --- /dev/null +++ b/include/uapi/linux/netfilter/xt_length.h @@ -0,0 +1,11 @@ +#ifndef _XT_LENGTH_H +#define _XT_LENGTH_H + +#include + +struct xt_length_info { + __u16 min, max; + __u8 invert; +}; + +#endif /*_XT_LENGTH_H*/ diff --git a/include/uapi/linux/netfilter/xt_limit.h b/include/uapi/linux/netfilter/xt_limit.h new file mode 100644 index 0000000..bb47fc4 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_limit.h @@ -0,0 +1,24 @@ +#ifndef _XT_RATE_H +#define _XT_RATE_H + +#include + +/* timings are in milliseconds. */ +#define XT_LIMIT_SCALE 10000 + +struct xt_limit_priv; + +/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 + seconds, or one every 59 hours. */ +struct xt_rateinfo { + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ + + /* Used internally by the kernel */ + unsigned long prev; /* moved to xt_limit_priv */ + __u32 credit; /* moved to xt_limit_priv */ + __u32 credit_cap, cost; + + struct xt_limit_priv *master; +}; +#endif /*_XT_RATE_H*/ diff --git a/include/uapi/linux/netfilter/xt_mac.h b/include/uapi/linux/netfilter/xt_mac.h new file mode 100644 index 0000000..b892cdc --- /dev/null +++ b/include/uapi/linux/netfilter/xt_mac.h @@ -0,0 +1,8 @@ +#ifndef _XT_MAC_H +#define _XT_MAC_H + +struct xt_mac_info { + unsigned char srcaddr[ETH_ALEN]; + int invert; +}; +#endif /*_XT_MAC_H*/ diff --git a/include/uapi/linux/netfilter/xt_mark.h b/include/uapi/linux/netfilter/xt_mark.h new file mode 100644 index 0000000..ecadc40 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_mark.h @@ -0,0 +1,15 @@ +#ifndef _XT_MARK_H +#define _XT_MARK_H + +#include + +struct xt_mark_tginfo2 { + __u32 mark, mask; +}; + +struct xt_mark_mtinfo1 { + __u32 mark, mask; + __u8 invert; +}; + +#endif /*_XT_MARK_H*/ diff --git a/include/uapi/linux/netfilter/xt_multiport.h b/include/uapi/linux/netfilter/xt_multiport.h new file mode 100644 index 0000000..5b7e72d --- /dev/null +++ b/include/uapi/linux/netfilter/xt_multiport.h @@ -0,0 +1,29 @@ +#ifndef _XT_MULTIPORT_H +#define _XT_MULTIPORT_H + +#include + +enum xt_multiport_flags { + XT_MULTIPORT_SOURCE, + XT_MULTIPORT_DESTINATION, + XT_MULTIPORT_EITHER +}; + +#define XT_MULTI_PORTS 15 + +/* Must fit inside union xt_matchinfo: 16 bytes */ +struct xt_multiport { + __u8 flags; /* Type of comparison */ + __u8 count; /* Number of ports */ + __u16 ports[XT_MULTI_PORTS]; /* Ports */ +}; + +struct xt_multiport_v1 { + __u8 flags; /* Type of comparison */ + __u8 count; /* Number of ports */ + __u16 ports[XT_MULTI_PORTS]; /* Ports */ + __u8 pflags[XT_MULTI_PORTS]; /* Port flags */ + __u8 invert; /* Invert flag */ +}; + +#endif /*_XT_MULTIPORT_H*/ diff --git a/include/uapi/linux/netfilter/xt_nfacct.h b/include/uapi/linux/netfilter/xt_nfacct.h new file mode 100644 index 0000000..3e19c8a --- /dev/null +++ b/include/uapi/linux/netfilter/xt_nfacct.h @@ -0,0 +1,13 @@ +#ifndef _XT_NFACCT_MATCH_H +#define _XT_NFACCT_MATCH_H + +#include + +struct nf_acct; + +struct xt_nfacct_match_info { + char name[NFACCT_NAME_MAX]; + struct nf_acct *nfacct; +}; + +#endif /* _XT_NFACCT_MATCH_H */ diff --git a/include/uapi/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h new file mode 100644 index 0000000..18afa49 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_osf.h @@ -0,0 +1,135 @@ +/* + * Copyright (c) 2003+ Evgeniy Polyakov + * + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#ifndef _XT_OSF_H +#define _XT_OSF_H + +#include + +#define MAXGENRELEN 32 + +#define XT_OSF_GENRE (1<<0) +#define XT_OSF_TTL (1<<1) +#define XT_OSF_LOG (1<<2) +#define XT_OSF_INVERT (1<<3) + +#define XT_OSF_LOGLEVEL_ALL 0 /* log all matched fingerprints */ +#define XT_OSF_LOGLEVEL_FIRST 1 /* log only the first matced fingerprint */ +#define XT_OSF_LOGLEVEL_ALL_KNOWN 2 /* do not log unknown packets */ + +#define XT_OSF_TTL_TRUE 0 /* True ip and fingerprint TTL comparison */ +#define XT_OSF_TTL_LESS 1 /* Check if ip TTL is less than fingerprint one */ +#define XT_OSF_TTL_NOCHECK 2 /* Do not compare ip and fingerprint TTL at all */ + +struct xt_osf_info { + char genre[MAXGENRELEN]; + __u32 len; + __u32 flags; + __u32 loglevel; + __u32 ttl; +}; + +/* + * Wildcard MSS (kind of). + * It is used to implement a state machine for the different wildcard values + * of the MSS and window sizes. + */ +struct xt_osf_wc { + __u32 wc; + __u32 val; +}; + +/* + * This struct represents IANA options + * http://www.iana.org/assignments/tcp-parameters + */ +struct xt_osf_opt { + __u16 kind, length; + struct xt_osf_wc wc; +}; + +struct xt_osf_user_finger { + struct xt_osf_wc wss; + + __u8 ttl, df; + __u16 ss, mss; + __u16 opt_num; + + char genre[MAXGENRELEN]; + char version[MAXGENRELEN]; + char subtype[MAXGENRELEN]; + + /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */ + struct xt_osf_opt opt[MAX_IPOPTLEN]; +}; + +struct xt_osf_nlmsg { + struct xt_osf_user_finger f; + struct iphdr ip; + struct tcphdr tcp; +}; + +/* Defines for IANA option kinds */ + +enum iana_options { + OSFOPT_EOL = 0, /* End of options */ + OSFOPT_NOP, /* NOP */ + OSFOPT_MSS, /* Maximum segment size */ + OSFOPT_WSO, /* Window scale option */ + OSFOPT_SACKP, /* SACK permitted */ + OSFOPT_SACK, /* SACK */ + OSFOPT_ECHO, + OSFOPT_ECHOREPLY, + OSFOPT_TS, /* Timestamp option */ + OSFOPT_POCP, /* Partial Order Connection Permitted */ + OSFOPT_POSP, /* Partial Order Service Profile */ + + /* Others are not used in the current OSF */ + OSFOPT_EMPTY = 255, +}; + +/* + * Initial window size option state machine: multiple of mss, mtu or + * plain numeric value. Can also be made as plain numeric value which + * is not a multiple of specified value. + */ +enum xt_osf_window_size_options { + OSF_WSS_PLAIN = 0, + OSF_WSS_MSS, + OSF_WSS_MTU, + OSF_WSS_MODULO, + OSF_WSS_MAX, +}; + +/* + * Add/remove fingerprint from the kernel. + */ +enum xt_osf_msg_types { + OSF_MSG_ADD, + OSF_MSG_REMOVE, + OSF_MSG_MAX, +}; + +enum xt_osf_attr_type { + OSF_ATTR_UNSPEC, + OSF_ATTR_FINGER, + OSF_ATTR_MAX, +}; + +#endif /* _XT_OSF_H */ diff --git a/include/uapi/linux/netfilter/xt_owner.h b/include/uapi/linux/netfilter/xt_owner.h new file mode 100644 index 0000000..2081761 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_owner.h @@ -0,0 +1,18 @@ +#ifndef _XT_OWNER_MATCH_H +#define _XT_OWNER_MATCH_H + +#include + +enum { + XT_OWNER_UID = 1 << 0, + XT_OWNER_GID = 1 << 1, + XT_OWNER_SOCKET = 1 << 2, +}; + +struct xt_owner_match_info { + __u32 uid_min, uid_max; + __u32 gid_min, gid_max; + __u8 match, invert; +}; + +#endif /* _XT_OWNER_MATCH_H */ diff --git a/include/uapi/linux/netfilter/xt_physdev.h b/include/uapi/linux/netfilter/xt_physdev.h new file mode 100644 index 0000000..db7a298 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_physdev.h @@ -0,0 +1,23 @@ +#ifndef _UAPI_XT_PHYSDEV_H +#define _UAPI_XT_PHYSDEV_H + +#include + + +#define XT_PHYSDEV_OP_IN 0x01 +#define XT_PHYSDEV_OP_OUT 0x02 +#define XT_PHYSDEV_OP_BRIDGED 0x04 +#define XT_PHYSDEV_OP_ISIN 0x08 +#define XT_PHYSDEV_OP_ISOUT 0x10 +#define XT_PHYSDEV_OP_MASK (0x20 - 1) + +struct xt_physdev_info { + char physindev[IFNAMSIZ]; + char in_mask[IFNAMSIZ]; + char physoutdev[IFNAMSIZ]; + char out_mask[IFNAMSIZ]; + __u8 invert; + __u8 bitmask; +}; + +#endif /* _UAPI_XT_PHYSDEV_H */ diff --git a/include/uapi/linux/netfilter/xt_pkttype.h b/include/uapi/linux/netfilter/xt_pkttype.h new file mode 100644 index 0000000..f265cf5 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_pkttype.h @@ -0,0 +1,8 @@ +#ifndef _XT_PKTTYPE_H +#define _XT_PKTTYPE_H + +struct xt_pkttype_info { + int pkttype; + int invert; +}; +#endif /*_XT_PKTTYPE_H*/ diff --git a/include/uapi/linux/netfilter/xt_policy.h b/include/uapi/linux/netfilter/xt_policy.h new file mode 100644 index 0000000..be8ead0 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_policy.h @@ -0,0 +1,69 @@ +#ifndef _XT_POLICY_H +#define _XT_POLICY_H + +#include + +#define XT_POLICY_MAX_ELEM 4 + +enum xt_policy_flags { + XT_POLICY_MATCH_IN = 0x1, + XT_POLICY_MATCH_OUT = 0x2, + XT_POLICY_MATCH_NONE = 0x4, + XT_POLICY_MATCH_STRICT = 0x8, +}; + +enum xt_policy_modes { + XT_POLICY_MODE_TRANSPORT, + XT_POLICY_MODE_TUNNEL +}; + +struct xt_policy_spec { + __u8 saddr:1, + daddr:1, + proto:1, + mode:1, + spi:1, + reqid:1; +}; + +#ifndef __KERNEL__ +union xt_policy_addr { + struct in_addr a4; + struct in6_addr a6; +}; +#endif + +struct xt_policy_elem { + union { +#ifdef __KERNEL__ + struct { + union nf_inet_addr saddr; + union nf_inet_addr smask; + union nf_inet_addr daddr; + union nf_inet_addr dmask; + }; +#else + struct { + union xt_policy_addr saddr; + union xt_policy_addr smask; + union xt_policy_addr daddr; + union xt_policy_addr dmask; + }; +#endif + }; + __be32 spi; + __u32 reqid; + __u8 proto; + __u8 mode; + + struct xt_policy_spec match; + struct xt_policy_spec invert; +}; + +struct xt_policy_info { + struct xt_policy_elem pol[XT_POLICY_MAX_ELEM]; + __u16 flags; + __u16 len; +}; + +#endif /* _XT_POLICY_H */ diff --git a/include/uapi/linux/netfilter/xt_quota.h b/include/uapi/linux/netfilter/xt_quota.h new file mode 100644 index 0000000..9314723 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_quota.h @@ -0,0 +1,22 @@ +#ifndef _XT_QUOTA_H +#define _XT_QUOTA_H + +#include + +enum xt_quota_flags { + XT_QUOTA_INVERT = 0x1, +}; +#define XT_QUOTA_MASK 0x1 + +struct xt_quota_priv; + +struct xt_quota_info { + __u32 flags; + __u32 pad; + __aligned_u64 quota; + + /* Used internally by the kernel */ + struct xt_quota_priv *master; +}; + +#endif /* _XT_QUOTA_H */ diff --git a/include/uapi/linux/netfilter/xt_rateest.h b/include/uapi/linux/netfilter/xt_rateest.h new file mode 100644 index 0000000..d40a619 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_rateest.h @@ -0,0 +1,37 @@ +#ifndef _XT_RATEEST_MATCH_H +#define _XT_RATEEST_MATCH_H + +#include + +enum xt_rateest_match_flags { + XT_RATEEST_MATCH_INVERT = 1<<0, + XT_RATEEST_MATCH_ABS = 1<<1, + XT_RATEEST_MATCH_REL = 1<<2, + XT_RATEEST_MATCH_DELTA = 1<<3, + XT_RATEEST_MATCH_BPS = 1<<4, + XT_RATEEST_MATCH_PPS = 1<<5, +}; + +enum xt_rateest_match_mode { + XT_RATEEST_MATCH_NONE, + XT_RATEEST_MATCH_EQ, + XT_RATEEST_MATCH_LT, + XT_RATEEST_MATCH_GT, +}; + +struct xt_rateest_match_info { + char name1[IFNAMSIZ]; + char name2[IFNAMSIZ]; + __u16 flags; + __u16 mode; + __u32 bps1; + __u32 pps1; + __u32 bps2; + __u32 pps2; + + /* Used internally by the kernel */ + struct xt_rateest *est1 __attribute__((aligned(8))); + struct xt_rateest *est2 __attribute__((aligned(8))); +}; + +#endif /* _XT_RATEEST_MATCH_H */ diff --git a/include/uapi/linux/netfilter/xt_realm.h b/include/uapi/linux/netfilter/xt_realm.h new file mode 100644 index 0000000..d4a82ee --- /dev/null +++ b/include/uapi/linux/netfilter/xt_realm.h @@ -0,0 +1,12 @@ +#ifndef _XT_REALM_H +#define _XT_REALM_H + +#include + +struct xt_realm_info { + __u32 id; + __u32 mask; + __u8 invert; +}; + +#endif /* _XT_REALM_H */ diff --git a/include/uapi/linux/netfilter/xt_recent.h b/include/uapi/linux/netfilter/xt_recent.h new file mode 100644 index 0000000..6ef36c1 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_recent.h @@ -0,0 +1,45 @@ +#ifndef _LINUX_NETFILTER_XT_RECENT_H +#define _LINUX_NETFILTER_XT_RECENT_H 1 + +#include + +enum { + XT_RECENT_CHECK = 1 << 0, + XT_RECENT_SET = 1 << 1, + XT_RECENT_UPDATE = 1 << 2, + XT_RECENT_REMOVE = 1 << 3, + XT_RECENT_TTL = 1 << 4, + XT_RECENT_REAP = 1 << 5, + + XT_RECENT_SOURCE = 0, + XT_RECENT_DEST = 1, + + XT_RECENT_NAME_LEN = 200, +}; + +/* Only allowed with --rcheck and --update */ +#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP) + +#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\ + XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP) + +struct xt_recent_mtinfo { + __u32 seconds; + __u32 hit_count; + __u8 check_set; + __u8 invert; + char name[XT_RECENT_NAME_LEN]; + __u8 side; +}; + +struct xt_recent_mtinfo_v1 { + __u32 seconds; + __u32 hit_count; + __u8 check_set; + __u8 invert; + char name[XT_RECENT_NAME_LEN]; + __u8 side; + union nf_inet_addr mask; +}; + +#endif /* _LINUX_NETFILTER_XT_RECENT_H */ diff --git a/include/uapi/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h new file mode 100644 index 0000000..29287be --- /dev/null +++ b/include/uapi/linux/netfilter/xt_sctp.h @@ -0,0 +1,92 @@ +#ifndef _XT_SCTP_H_ +#define _XT_SCTP_H_ + +#include + +#define XT_SCTP_SRC_PORTS 0x01 +#define XT_SCTP_DEST_PORTS 0x02 +#define XT_SCTP_CHUNK_TYPES 0x04 + +#define XT_SCTP_VALID_FLAGS 0x07 + +struct xt_sctp_flag_info { + __u8 chunktype; + __u8 flag; + __u8 flag_mask; +}; + +#define XT_NUM_SCTP_FLAGS 4 + +struct xt_sctp_info { + __u16 dpts[2]; /* Min, Max */ + __u16 spts[2]; /* Min, Max */ + + __u32 chunkmap[256 / sizeof (__u32)]; /* Bit mask of chunks to be matched according to RFC 2960 */ + +#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */ +#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */ +#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */ + + __u32 chunk_match_type; + struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS]; + int flag_count; + + __u32 flags; + __u32 invflags; +}; + +#define bytes(type) (sizeof(type) * 8) + +#define SCTP_CHUNKMAP_SET(chunkmap, type) \ + do { \ + (chunkmap)[type / bytes(__u32)] |= \ + 1 << (type % bytes(__u32)); \ + } while (0) + +#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ + do { \ + (chunkmap)[type / bytes(__u32)] &= \ + ~(1 << (type % bytes(__u32))); \ + } while (0) + +#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ +({ \ + ((chunkmap)[type / bytes (__u32)] & \ + (1 << (type % bytes (__u32)))) ? 1: 0; \ +}) + +#define SCTP_CHUNKMAP_RESET(chunkmap) \ + memset((chunkmap), 0, sizeof(chunkmap)) + +#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \ + memset((chunkmap), ~0U, sizeof(chunkmap)) + +#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \ + memcpy((destmap), (srcmap), sizeof(srcmap)) + +#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \ + __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap)) +static inline bool +__sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n) +{ + unsigned int i; + for (i = 0; i < n; ++i) + if (chunkmap[i]) + return false; + return true; +} + +#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \ + __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap)) +static inline bool +__sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n) +{ + unsigned int i; + for (i = 0; i < n; ++i) + if (chunkmap[i] != ~0U) + return false; + return true; +} + +#endif /* _XT_SCTP_H_ */ + diff --git a/include/uapi/linux/netfilter/xt_set.h b/include/uapi/linux/netfilter/xt_set.h new file mode 100644 index 0000000..e3a9978 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_set.h @@ -0,0 +1,65 @@ +#ifndef _XT_SET_H +#define _XT_SET_H + +#include +#include + +/* Revision 0 interface: backward compatible with netfilter/iptables */ + +/* + * Option flags for kernel operations (xt_set_info_v0) + */ +#define IPSET_SRC 0x01 /* Source match/add */ +#define IPSET_DST 0x02 /* Destination match/add */ +#define IPSET_MATCH_INV 0x04 /* Inverse matching */ + +struct xt_set_info_v0 { + ip_set_id_t index; + union { + __u32 flags[IPSET_DIM_MAX + 1]; + struct { + __u32 __flags[IPSET_DIM_MAX]; + __u8 dim; + __u8 flags; + } compat; + } u; +}; + +/* match and target infos */ +struct xt_set_info_match_v0 { + struct xt_set_info_v0 match_set; +}; + +struct xt_set_info_target_v0 { + struct xt_set_info_v0 add_set; + struct xt_set_info_v0 del_set; +}; + +/* Revision 1 match and target */ + +struct xt_set_info { + ip_set_id_t index; + __u8 dim; + __u8 flags; +}; + +/* match and target infos */ +struct xt_set_info_match_v1 { + struct xt_set_info match_set; +}; + +struct xt_set_info_target_v1 { + struct xt_set_info add_set; + struct xt_set_info del_set; +}; + +/* Revision 2 target */ + +struct xt_set_info_target_v2 { + struct xt_set_info add_set; + struct xt_set_info del_set; + __u32 flags; + __u32 timeout; +}; + +#endif /*_XT_SET_H*/ diff --git a/include/uapi/linux/netfilter/xt_socket.h b/include/uapi/linux/netfilter/xt_socket.h new file mode 100644 index 0000000..26d7217 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_socket.h @@ -0,0 +1,14 @@ +#ifndef _XT_SOCKET_H +#define _XT_SOCKET_H + +#include + +enum { + XT_SOCKET_TRANSPARENT = 1 << 0, +}; + +struct xt_socket_mtinfo1 { + __u8 flags; +}; + +#endif /* _XT_SOCKET_H */ diff --git a/include/uapi/linux/netfilter/xt_state.h b/include/uapi/linux/netfilter/xt_state.h new file mode 100644 index 0000000..7b32de8 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_state.h @@ -0,0 +1,12 @@ +#ifndef _XT_STATE_H +#define _XT_STATE_H + +#define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) +#define XT_STATE_INVALID (1 << 0) + +#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1)) + +struct xt_state_info { + unsigned int statemask; +}; +#endif /*_XT_STATE_H*/ diff --git a/include/uapi/linux/netfilter/xt_statistic.h b/include/uapi/linux/netfilter/xt_statistic.h new file mode 100644 index 0000000..4e983ef --- /dev/null +++ b/include/uapi/linux/netfilter/xt_statistic.h @@ -0,0 +1,36 @@ +#ifndef _XT_STATISTIC_H +#define _XT_STATISTIC_H + +#include + +enum xt_statistic_mode { + XT_STATISTIC_MODE_RANDOM, + XT_STATISTIC_MODE_NTH, + __XT_STATISTIC_MODE_MAX +}; +#define XT_STATISTIC_MODE_MAX (__XT_STATISTIC_MODE_MAX - 1) + +enum xt_statistic_flags { + XT_STATISTIC_INVERT = 0x1, +}; +#define XT_STATISTIC_MASK 0x1 + +struct xt_statistic_priv; + +struct xt_statistic_info { + __u16 mode; + __u16 flags; + union { + struct { + __u32 probability; + } random; + struct { + __u32 every; + __u32 packet; + __u32 count; /* unused */ + } nth; + } u; + struct xt_statistic_priv *master __attribute__((aligned(8))); +}; + +#endif /* _XT_STATISTIC_H */ diff --git a/include/uapi/linux/netfilter/xt_string.h b/include/uapi/linux/netfilter/xt_string.h new file mode 100644 index 0000000..235347c --- /dev/null +++ b/include/uapi/linux/netfilter/xt_string.h @@ -0,0 +1,34 @@ +#ifndef _XT_STRING_H +#define _XT_STRING_H + +#include + +#define XT_STRING_MAX_PATTERN_SIZE 128 +#define XT_STRING_MAX_ALGO_NAME_SIZE 16 + +enum { + XT_STRING_FLAG_INVERT = 0x01, + XT_STRING_FLAG_IGNORECASE = 0x02 +}; + +struct xt_string_info { + __u16 from_offset; + __u16 to_offset; + char algo[XT_STRING_MAX_ALGO_NAME_SIZE]; + char pattern[XT_STRING_MAX_PATTERN_SIZE]; + __u8 patlen; + union { + struct { + __u8 invert; + } v0; + + struct { + __u8 flags; + } v1; + } u; + + /* Used internally by the kernel */ + struct ts_config __attribute__((aligned(8))) *config; +}; + +#endif /*_XT_STRING_H*/ diff --git a/include/uapi/linux/netfilter/xt_tcpmss.h b/include/uapi/linux/netfilter/xt_tcpmss.h new file mode 100644 index 0000000..fbac56b --- /dev/null +++ b/include/uapi/linux/netfilter/xt_tcpmss.h @@ -0,0 +1,11 @@ +#ifndef _XT_TCPMSS_MATCH_H +#define _XT_TCPMSS_MATCH_H + +#include + +struct xt_tcpmss_match_info { + __u16 mss_min, mss_max; + __u8 invert; +}; + +#endif /*_XT_TCPMSS_MATCH_H*/ diff --git a/include/uapi/linux/netfilter/xt_tcpudp.h b/include/uapi/linux/netfilter/xt_tcpudp.h new file mode 100644 index 0000000..38aa7b3 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_tcpudp.h @@ -0,0 +1,36 @@ +#ifndef _XT_TCPUDP_H +#define _XT_TCPUDP_H + +#include + +/* TCP matching stuff */ +struct xt_tcp { + __u16 spts[2]; /* Source port range. */ + __u16 dpts[2]; /* Destination port range. */ + __u8 option; /* TCP Option iff non-zero*/ + __u8 flg_mask; /* TCP flags mask byte */ + __u8 flg_cmp; /* TCP flags compare byte */ + __u8 invflags; /* Inverse flags */ +}; + +/* Values for "inv" field in struct ipt_tcp. */ +#define XT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ +#define XT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ +#define XT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */ +#define XT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */ +#define XT_TCP_INV_MASK 0x0F /* All possible flags. */ + +/* UDP matching stuff */ +struct xt_udp { + __u16 spts[2]; /* Source port range. */ + __u16 dpts[2]; /* Destination port range. */ + __u8 invflags; /* Inverse flags */ +}; + +/* Values for "invflags" field in struct ipt_udp. */ +#define XT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ +#define XT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ +#define XT_UDP_INV_MASK 0x03 /* All possible flags. */ + + +#endif diff --git a/include/uapi/linux/netfilter/xt_time.h b/include/uapi/linux/netfilter/xt_time.h new file mode 100644 index 0000000..0958860 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_time.h @@ -0,0 +1,32 @@ +#ifndef _XT_TIME_H +#define _XT_TIME_H 1 + +#include + +struct xt_time_info { + __u32 date_start; + __u32 date_stop; + __u32 daytime_start; + __u32 daytime_stop; + __u32 monthdays_match; + __u8 weekdays_match; + __u8 flags; +}; + +enum { + /* Match against local time (instead of UTC) */ + XT_TIME_LOCAL_TZ = 1 << 0, + + /* treat timestart > timestop (e.g. 23:00-01:00) as single period */ + XT_TIME_CONTIGUOUS = 1 << 1, + + /* Shortcuts */ + XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE, + XT_TIME_ALL_WEEKDAYS = 0xFE, + XT_TIME_MIN_DAYTIME = 0, + XT_TIME_MAX_DAYTIME = 24 * 60 * 60 - 1, +}; + +#define XT_TIME_ALL_FLAGS (XT_TIME_LOCAL_TZ|XT_TIME_CONTIGUOUS) + +#endif /* _XT_TIME_H */ diff --git a/include/uapi/linux/netfilter/xt_u32.h b/include/uapi/linux/netfilter/xt_u32.h new file mode 100644 index 0000000..04d1bfe --- /dev/null +++ b/include/uapi/linux/netfilter/xt_u32.h @@ -0,0 +1,42 @@ +#ifndef _XT_U32_H +#define _XT_U32_H 1 + +#include + +enum xt_u32_ops { + XT_U32_AND, + XT_U32_LEFTSH, + XT_U32_RIGHTSH, + XT_U32_AT, +}; + +struct xt_u32_location_element { + __u32 number; + __u8 nextop; +}; + +struct xt_u32_value_element { + __u32 min; + __u32 max; +}; + +/* + * Any way to allow for an arbitrary number of elements? + * For now, I settle with a limit of 10 each. + */ +#define XT_U32_MAXSIZE 10 + +struct xt_u32_test { + struct xt_u32_location_element location[XT_U32_MAXSIZE+1]; + struct xt_u32_value_element value[XT_U32_MAXSIZE+1]; + __u8 nnums; + __u8 nvalues; +}; + +struct xt_u32 { + struct xt_u32_test tests[XT_U32_MAXSIZE+1]; + __u8 ntests; + __u8 invert; +}; + +#endif /* _XT_U32_H */ -- cgit v0.10.2 From a82014149becc68695e7f1d62a8cc1e4ae062318 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 9 Oct 2012 09:48:55 +0100 Subject: UAPI: (Scripted) Disintegrate include/linux/netfilter/ipset Signed-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones diff --git a/include/linux/netfilter/ipset/Kbuild b/include/linux/netfilter/ipset/Kbuild index 601fe71..e69de29 100644 --- a/include/linux/netfilter/ipset/Kbuild +++ b/include/linux/netfilter/ipset/Kbuild @@ -1,4 +0,0 @@ -header-y += ip_set.h -header-y += ip_set_bitmap.h -header-y += ip_set_hash.h -header-y += ip_set_list.h diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index 528697b..7958e84 100644 --- a/include/linux/netfilter/ipset/ip_set.h +++ b/include/linux/netfilter/ipset/ip_set.h @@ -1,6 +1,3 @@ -#ifndef _IP_SET_H -#define _IP_SET_H - /* Copyright (C) 2000-2002 Joakim Axelsson * Patrick Schaaf * Martin Josefsson @@ -10,199 +7,9 @@ * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ +#ifndef _IP_SET_H +#define _IP_SET_H -#include - -/* The protocol version */ -#define IPSET_PROTOCOL 6 - -/* The max length of strings including NUL: set and type identifiers */ -#define IPSET_MAXNAMELEN 32 - -/* Message types and commands */ -enum ipset_cmd { - IPSET_CMD_NONE, - IPSET_CMD_PROTOCOL, /* 1: Return protocol version */ - IPSET_CMD_CREATE, /* 2: Create a new (empty) set */ - IPSET_CMD_DESTROY, /* 3: Destroy a (empty) set */ - IPSET_CMD_FLUSH, /* 4: Remove all elements from a set */ - IPSET_CMD_RENAME, /* 5: Rename a set */ - IPSET_CMD_SWAP, /* 6: Swap two sets */ - IPSET_CMD_LIST, /* 7: List sets */ - IPSET_CMD_SAVE, /* 8: Save sets */ - IPSET_CMD_ADD, /* 9: Add an element to a set */ - IPSET_CMD_DEL, /* 10: Delete an element from a set */ - IPSET_CMD_TEST, /* 11: Test an element in a set */ - IPSET_CMD_HEADER, /* 12: Get set header data only */ - IPSET_CMD_TYPE, /* 13: Get set type */ - IPSET_MSG_MAX, /* Netlink message commands */ - - /* Commands in userspace: */ - IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */ - IPSET_CMD_HELP, /* 15: Get help */ - IPSET_CMD_VERSION, /* 16: Get program version */ - IPSET_CMD_QUIT, /* 17: Quit from interactive mode */ - - IPSET_CMD_MAX, - - IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */ -}; - -/* Attributes at command level */ -enum { - IPSET_ATTR_UNSPEC, - IPSET_ATTR_PROTOCOL, /* 1: Protocol version */ - IPSET_ATTR_SETNAME, /* 2: Name of the set */ - IPSET_ATTR_TYPENAME, /* 3: Typename */ - IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */ - IPSET_ATTR_REVISION, /* 4: Settype revision */ - IPSET_ATTR_FAMILY, /* 5: Settype family */ - IPSET_ATTR_FLAGS, /* 6: Flags at command level */ - IPSET_ATTR_DATA, /* 7: Nested attributes */ - IPSET_ATTR_ADT, /* 8: Multiple data containers */ - IPSET_ATTR_LINENO, /* 9: Restore lineno */ - IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */ - IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */ - __IPSET_ATTR_CMD_MAX, -}; -#define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1) - -/* CADT specific attributes */ -enum { - IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1, - IPSET_ATTR_IP_FROM = IPSET_ATTR_IP, - IPSET_ATTR_IP_TO, /* 2 */ - IPSET_ATTR_CIDR, /* 3 */ - IPSET_ATTR_PORT, /* 4 */ - IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT, - IPSET_ATTR_PORT_TO, /* 5 */ - IPSET_ATTR_TIMEOUT, /* 6 */ - IPSET_ATTR_PROTO, /* 7 */ - IPSET_ATTR_CADT_FLAGS, /* 8 */ - IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ - /* Reserve empty slots */ - IPSET_ATTR_CADT_MAX = 16, - /* Create-only specific attributes */ - IPSET_ATTR_GC, - IPSET_ATTR_HASHSIZE, - IPSET_ATTR_MAXELEM, - IPSET_ATTR_NETMASK, - IPSET_ATTR_PROBES, - IPSET_ATTR_RESIZE, - IPSET_ATTR_SIZE, - /* Kernel-only */ - IPSET_ATTR_ELEMENTS, - IPSET_ATTR_REFERENCES, - IPSET_ATTR_MEMSIZE, - - __IPSET_ATTR_CREATE_MAX, -}; -#define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1) - -/* ADT specific attributes */ -enum { - IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1, - IPSET_ATTR_NAME, - IPSET_ATTR_NAMEREF, - IPSET_ATTR_IP2, - IPSET_ATTR_CIDR2, - IPSET_ATTR_IP2_TO, - IPSET_ATTR_IFACE, - __IPSET_ATTR_ADT_MAX, -}; -#define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1) - -/* IP specific attributes */ -enum { - IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1, - IPSET_ATTR_IPADDR_IPV6, - __IPSET_ATTR_IPADDR_MAX, -}; -#define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1) - -/* Error codes */ -enum ipset_errno { - IPSET_ERR_PRIVATE = 4096, - IPSET_ERR_PROTOCOL, - IPSET_ERR_FIND_TYPE, - IPSET_ERR_MAX_SETS, - IPSET_ERR_BUSY, - IPSET_ERR_EXIST_SETNAME2, - IPSET_ERR_TYPE_MISMATCH, - IPSET_ERR_EXIST, - IPSET_ERR_INVALID_CIDR, - IPSET_ERR_INVALID_NETMASK, - IPSET_ERR_INVALID_FAMILY, - IPSET_ERR_TIMEOUT, - IPSET_ERR_REFERENCED, - IPSET_ERR_IPADDR_IPV4, - IPSET_ERR_IPADDR_IPV6, - - /* Type specific error codes */ - IPSET_ERR_TYPE_SPECIFIC = 4352, -}; - -/* Flags at command level */ -enum ipset_cmd_flags { - IPSET_FLAG_BIT_EXIST = 0, - IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST), - IPSET_FLAG_BIT_LIST_SETNAME = 1, - IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME), - IPSET_FLAG_BIT_LIST_HEADER = 2, - IPSET_FLAG_LIST_HEADER = (1 << IPSET_FLAG_BIT_LIST_HEADER), - IPSET_FLAG_CMD_MAX = 15, /* Lower half */ -}; - -/* Flags at CADT attribute level */ -enum ipset_cadt_flags { - IPSET_FLAG_BIT_BEFORE = 0, - IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE), - IPSET_FLAG_BIT_PHYSDEV = 1, - IPSET_FLAG_PHYSDEV = (1 << IPSET_FLAG_BIT_PHYSDEV), - IPSET_FLAG_BIT_NOMATCH = 2, - IPSET_FLAG_NOMATCH = (1 << IPSET_FLAG_BIT_NOMATCH), - IPSET_FLAG_CADT_MAX = 15, /* Upper half */ -}; - -/* Commands with settype-specific attributes */ -enum ipset_adt { - IPSET_ADD, - IPSET_DEL, - IPSET_TEST, - IPSET_ADT_MAX, - IPSET_CREATE = IPSET_ADT_MAX, - IPSET_CADT_MAX, -}; - -/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t - * and IPSET_INVALID_ID if you want to increase the max number of sets. - */ -typedef __u16 ip_set_id_t; - -#define IPSET_INVALID_ID 65535 - -enum ip_set_dim { - IPSET_DIM_ZERO = 0, - IPSET_DIM_ONE, - IPSET_DIM_TWO, - IPSET_DIM_THREE, - /* Max dimension in elements. - * If changed, new revision of iptables match/target is required. - */ - IPSET_DIM_MAX = 6, - IPSET_BIT_RETURN_NOMATCH = 7, -}; - -/* Option flags for kernel operations */ -enum ip_set_kopt { - IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO), - IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE), - IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO), - IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE), - IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH), -}; - -#ifdef __KERNEL__ #include #include #include @@ -211,6 +18,7 @@ enum ip_set_kopt { #include #include #include +#include #define _IP_SET_MODULE_DESC(a, b, c) \ MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c) @@ -476,31 +284,4 @@ bitmap_bytes(u32 a, u32 b) return 4 * ((((b - a + 8) / 8) + 3) / 4); } -#endif /* __KERNEL__ */ - -/* Interface to iptables/ip6tables */ - -#define SO_IP_SET 83 - -union ip_set_name_index { - char name[IPSET_MAXNAMELEN]; - ip_set_id_t index; -}; - -#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ -struct ip_set_req_get_set { - unsigned int op; - unsigned int version; - union ip_set_name_index set; -}; - -#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ -/* Uses ip_set_req_get_set */ - -#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ -struct ip_set_req_version { - unsigned int op; - unsigned int version; -}; - #endif /*_IP_SET_H */ diff --git a/include/linux/netfilter/ipset/ip_set_bitmap.h b/include/linux/netfilter/ipset/ip_set_bitmap.h index 61a9e87..1a30646 100644 --- a/include/linux/netfilter/ipset/ip_set_bitmap.h +++ b/include/linux/netfilter/ipset/ip_set_bitmap.h @@ -1,15 +1,8 @@ #ifndef __IP_SET_BITMAP_H #define __IP_SET_BITMAP_H -/* Bitmap type specific error codes */ -enum { - /* The element is out of the range of the set */ - IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC, - /* The range exceeds the size limit of the set type */ - IPSET_ERR_BITMAP_RANGE_SIZE, -}; +#include -#ifdef __KERNEL__ #define IPSET_BITMAP_MAX_RANGE 0x0000FFFF /* Common functions */ @@ -26,6 +19,4 @@ range_to_mask(u32 from, u32 to, u8 *bits) return mask; } -#endif /* __KERNEL__ */ - #endif /* __IP_SET_BITMAP_H */ diff --git a/include/linux/netfilter/ipset/ip_set_hash.h b/include/linux/netfilter/ipset/ip_set_hash.h index e2a9fae..f98ddfb 100644 --- a/include/linux/netfilter/ipset/ip_set_hash.h +++ b/include/linux/netfilter/ipset/ip_set_hash.h @@ -1,23 +1,8 @@ #ifndef __IP_SET_HASH_H #define __IP_SET_HASH_H -/* Hash type specific error codes */ -enum { - /* Hash is full */ - IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC, - /* Null-valued element */ - IPSET_ERR_HASH_ELEM, - /* Invalid protocol */ - IPSET_ERR_INVALID_PROTO, - /* Protocol missing but must be specified */ - IPSET_ERR_MISSING_PROTO, - /* Range not supported */ - IPSET_ERR_HASH_RANGE_UNSUPPORTED, - /* Invalid range */ - IPSET_ERR_HASH_RANGE, -}; +#include -#ifdef __KERNEL__ #define IPSET_DEFAULT_HASHSIZE 1024 #define IPSET_MIMINAL_HASHSIZE 64 @@ -25,6 +10,4 @@ enum { #define IPSET_DEFAULT_PROBES 4 #define IPSET_DEFAULT_RESIZE 100 -#endif /* __KERNEL__ */ - #endif /* __IP_SET_HASH_H */ diff --git a/include/linux/netfilter/ipset/ip_set_list.h b/include/linux/netfilter/ipset/ip_set_list.h index 40a63f3..68c2aea 100644 --- a/include/linux/netfilter/ipset/ip_set_list.h +++ b/include/linux/netfilter/ipset/ip_set_list.h @@ -1,27 +1,10 @@ #ifndef __IP_SET_LIST_H #define __IP_SET_LIST_H -/* List type specific error codes */ -enum { - /* Set name to be added/deleted/tested does not exist. */ - IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC, - /* list:set type is not permitted to add */ - IPSET_ERR_LOOP, - /* Missing reference set */ - IPSET_ERR_BEFORE, - /* Reference set does not exist */ - IPSET_ERR_NAMEREF, - /* Set is full */ - IPSET_ERR_LIST_FULL, - /* Reference set is not added to the set */ - IPSET_ERR_REF_EXIST, -}; +#include -#ifdef __KERNEL__ #define IP_SET_LIST_DEFAULT_SIZE 8 #define IP_SET_LIST_MIN_SIZE 4 -#endif /* __KERNEL__ */ - #endif /* __IP_SET_LIST_H */ diff --git a/include/uapi/linux/netfilter/ipset/Kbuild b/include/uapi/linux/netfilter/ipset/Kbuild index aafaa5a..d268042 100644 --- a/include/uapi/linux/netfilter/ipset/Kbuild +++ b/include/uapi/linux/netfilter/ipset/Kbuild @@ -1 +1,5 @@ # UAPI Header export list +header-y += ip_set.h +header-y += ip_set_bitmap.h +header-y += ip_set_hash.h +header-y += ip_set_list.h diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h new file mode 100644 index 0000000..fbee428 --- /dev/null +++ b/include/uapi/linux/netfilter/ipset/ip_set.h @@ -0,0 +1,231 @@ +/* Copyright (C) 2000-2002 Joakim Axelsson + * Patrick Schaaf + * Martin Josefsson + * Copyright (C) 2003-2011 Jozsef Kadlecsik + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#ifndef _UAPI_IP_SET_H +#define _UAPI_IP_SET_H + + +#include + +/* The protocol version */ +#define IPSET_PROTOCOL 6 + +/* The max length of strings including NUL: set and type identifiers */ +#define IPSET_MAXNAMELEN 32 + +/* Message types and commands */ +enum ipset_cmd { + IPSET_CMD_NONE, + IPSET_CMD_PROTOCOL, /* 1: Return protocol version */ + IPSET_CMD_CREATE, /* 2: Create a new (empty) set */ + IPSET_CMD_DESTROY, /* 3: Destroy a (empty) set */ + IPSET_CMD_FLUSH, /* 4: Remove all elements from a set */ + IPSET_CMD_RENAME, /* 5: Rename a set */ + IPSET_CMD_SWAP, /* 6: Swap two sets */ + IPSET_CMD_LIST, /* 7: List sets */ + IPSET_CMD_SAVE, /* 8: Save sets */ + IPSET_CMD_ADD, /* 9: Add an element to a set */ + IPSET_CMD_DEL, /* 10: Delete an element from a set */ + IPSET_CMD_TEST, /* 11: Test an element in a set */ + IPSET_CMD_HEADER, /* 12: Get set header data only */ + IPSET_CMD_TYPE, /* 13: Get set type */ + IPSET_MSG_MAX, /* Netlink message commands */ + + /* Commands in userspace: */ + IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */ + IPSET_CMD_HELP, /* 15: Get help */ + IPSET_CMD_VERSION, /* 16: Get program version */ + IPSET_CMD_QUIT, /* 17: Quit from interactive mode */ + + IPSET_CMD_MAX, + + IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */ +}; + +/* Attributes at command level */ +enum { + IPSET_ATTR_UNSPEC, + IPSET_ATTR_PROTOCOL, /* 1: Protocol version */ + IPSET_ATTR_SETNAME, /* 2: Name of the set */ + IPSET_ATTR_TYPENAME, /* 3: Typename */ + IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */ + IPSET_ATTR_REVISION, /* 4: Settype revision */ + IPSET_ATTR_FAMILY, /* 5: Settype family */ + IPSET_ATTR_FLAGS, /* 6: Flags at command level */ + IPSET_ATTR_DATA, /* 7: Nested attributes */ + IPSET_ATTR_ADT, /* 8: Multiple data containers */ + IPSET_ATTR_LINENO, /* 9: Restore lineno */ + IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */ + IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */ + __IPSET_ATTR_CMD_MAX, +}; +#define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1) + +/* CADT specific attributes */ +enum { + IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1, + IPSET_ATTR_IP_FROM = IPSET_ATTR_IP, + IPSET_ATTR_IP_TO, /* 2 */ + IPSET_ATTR_CIDR, /* 3 */ + IPSET_ATTR_PORT, /* 4 */ + IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT, + IPSET_ATTR_PORT_TO, /* 5 */ + IPSET_ATTR_TIMEOUT, /* 6 */ + IPSET_ATTR_PROTO, /* 7 */ + IPSET_ATTR_CADT_FLAGS, /* 8 */ + IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ + /* Reserve empty slots */ + IPSET_ATTR_CADT_MAX = 16, + /* Create-only specific attributes */ + IPSET_ATTR_GC, + IPSET_ATTR_HASHSIZE, + IPSET_ATTR_MAXELEM, + IPSET_ATTR_NETMASK, + IPSET_ATTR_PROBES, + IPSET_ATTR_RESIZE, + IPSET_ATTR_SIZE, + /* Kernel-only */ + IPSET_ATTR_ELEMENTS, + IPSET_ATTR_REFERENCES, + IPSET_ATTR_MEMSIZE, + + __IPSET_ATTR_CREATE_MAX, +}; +#define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1) + +/* ADT specific attributes */ +enum { + IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1, + IPSET_ATTR_NAME, + IPSET_ATTR_NAMEREF, + IPSET_ATTR_IP2, + IPSET_ATTR_CIDR2, + IPSET_ATTR_IP2_TO, + IPSET_ATTR_IFACE, + __IPSET_ATTR_ADT_MAX, +}; +#define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1) + +/* IP specific attributes */ +enum { + IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1, + IPSET_ATTR_IPADDR_IPV6, + __IPSET_ATTR_IPADDR_MAX, +}; +#define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1) + +/* Error codes */ +enum ipset_errno { + IPSET_ERR_PRIVATE = 4096, + IPSET_ERR_PROTOCOL, + IPSET_ERR_FIND_TYPE, + IPSET_ERR_MAX_SETS, + IPSET_ERR_BUSY, + IPSET_ERR_EXIST_SETNAME2, + IPSET_ERR_TYPE_MISMATCH, + IPSET_ERR_EXIST, + IPSET_ERR_INVALID_CIDR, + IPSET_ERR_INVALID_NETMASK, + IPSET_ERR_INVALID_FAMILY, + IPSET_ERR_TIMEOUT, + IPSET_ERR_REFERENCED, + IPSET_ERR_IPADDR_IPV4, + IPSET_ERR_IPADDR_IPV6, + + /* Type specific error codes */ + IPSET_ERR_TYPE_SPECIFIC = 4352, +}; + +/* Flags at command level */ +enum ipset_cmd_flags { + IPSET_FLAG_BIT_EXIST = 0, + IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST), + IPSET_FLAG_BIT_LIST_SETNAME = 1, + IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME), + IPSET_FLAG_BIT_LIST_HEADER = 2, + IPSET_FLAG_LIST_HEADER = (1 << IPSET_FLAG_BIT_LIST_HEADER), + IPSET_FLAG_CMD_MAX = 15, /* Lower half */ +}; + +/* Flags at CADT attribute level */ +enum ipset_cadt_flags { + IPSET_FLAG_BIT_BEFORE = 0, + IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE), + IPSET_FLAG_BIT_PHYSDEV = 1, + IPSET_FLAG_PHYSDEV = (1 << IPSET_FLAG_BIT_PHYSDEV), + IPSET_FLAG_BIT_NOMATCH = 2, + IPSET_FLAG_NOMATCH = (1 << IPSET_FLAG_BIT_NOMATCH), + IPSET_FLAG_CADT_MAX = 15, /* Upper half */ +}; + +/* Commands with settype-specific attributes */ +enum ipset_adt { + IPSET_ADD, + IPSET_DEL, + IPSET_TEST, + IPSET_ADT_MAX, + IPSET_CREATE = IPSET_ADT_MAX, + IPSET_CADT_MAX, +}; + +/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t + * and IPSET_INVALID_ID if you want to increase the max number of sets. + */ +typedef __u16 ip_set_id_t; + +#define IPSET_INVALID_ID 65535 + +enum ip_set_dim { + IPSET_DIM_ZERO = 0, + IPSET_DIM_ONE, + IPSET_DIM_TWO, + IPSET_DIM_THREE, + /* Max dimension in elements. + * If changed, new revision of iptables match/target is required. + */ + IPSET_DIM_MAX = 6, + IPSET_BIT_RETURN_NOMATCH = 7, +}; + +/* Option flags for kernel operations */ +enum ip_set_kopt { + IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO), + IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE), + IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO), + IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE), + IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH), +}; + + +/* Interface to iptables/ip6tables */ + +#define SO_IP_SET 83 + +union ip_set_name_index { + char name[IPSET_MAXNAMELEN]; + ip_set_id_t index; +}; + +#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ +struct ip_set_req_get_set { + unsigned int op; + unsigned int version; + union ip_set_name_index set; +}; + +#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ +/* Uses ip_set_req_get_set */ + +#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ +struct ip_set_req_version { + unsigned int op; + unsigned int version; +}; + +#endif /* _UAPI_IP_SET_H */ diff --git a/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h b/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h new file mode 100644 index 0000000..6a2c038 --- /dev/null +++ b/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h @@ -0,0 +1,13 @@ +#ifndef _UAPI__IP_SET_BITMAP_H +#define _UAPI__IP_SET_BITMAP_H + +/* Bitmap type specific error codes */ +enum { + /* The element is out of the range of the set */ + IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC, + /* The range exceeds the size limit of the set type */ + IPSET_ERR_BITMAP_RANGE_SIZE, +}; + + +#endif /* _UAPI__IP_SET_BITMAP_H */ diff --git a/include/uapi/linux/netfilter/ipset/ip_set_hash.h b/include/uapi/linux/netfilter/ipset/ip_set_hash.h new file mode 100644 index 0000000..352eecc --- /dev/null +++ b/include/uapi/linux/netfilter/ipset/ip_set_hash.h @@ -0,0 +1,21 @@ +#ifndef _UAPI__IP_SET_HASH_H +#define _UAPI__IP_SET_HASH_H + +/* Hash type specific error codes */ +enum { + /* Hash is full */ + IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC, + /* Null-valued element */ + IPSET_ERR_HASH_ELEM, + /* Invalid protocol */ + IPSET_ERR_INVALID_PROTO, + /* Protocol missing but must be specified */ + IPSET_ERR_MISSING_PROTO, + /* Range not supported */ + IPSET_ERR_HASH_RANGE_UNSUPPORTED, + /* Invalid range */ + IPSET_ERR_HASH_RANGE, +}; + + +#endif /* _UAPI__IP_SET_HASH_H */ diff --git a/include/uapi/linux/netfilter/ipset/ip_set_list.h b/include/uapi/linux/netfilter/ipset/ip_set_list.h new file mode 100644 index 0000000..a44efaa --- /dev/null +++ b/include/uapi/linux/netfilter/ipset/ip_set_list.h @@ -0,0 +1,21 @@ +#ifndef _UAPI__IP_SET_LIST_H +#define _UAPI__IP_SET_LIST_H + +/* List type specific error codes */ +enum { + /* Set name to be added/deleted/tested does not exist. */ + IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC, + /* list:set type is not permitted to add */ + IPSET_ERR_LOOP, + /* Missing reference set */ + IPSET_ERR_BEFORE, + /* Reference set does not exist */ + IPSET_ERR_NAMEREF, + /* Set is full */ + IPSET_ERR_LIST_FULL, + /* Reference set is not added to the set */ + IPSET_ERR_REF_EXIST, +}; + + +#endif /* _UAPI__IP_SET_LIST_H */ -- cgit v0.10.2 From 8922082ae6cd2783789e83ae9c67ffcbe5a2f4e1 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 9 Oct 2012 09:48:56 +0100 Subject: UAPI: (Scripted) Disintegrate include/linux/netfilter_arp Signed-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones diff --git a/include/linux/netfilter_arp/Kbuild b/include/linux/netfilter_arp/Kbuild index b27439c..e69de29 100644 --- a/include/linux/netfilter_arp/Kbuild +++ b/include/linux/netfilter_arp/Kbuild @@ -1,2 +0,0 @@ -header-y += arp_tables.h -header-y += arpt_mangle.h diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h index e08565d..cfb7191 100644 --- a/include/linux/netfilter_arp/arp_tables.h +++ b/include/linux/netfilter_arp/arp_tables.h @@ -5,211 +5,14 @@ * network byte order. * flags are stored in host byte order (of course). */ - #ifndef _ARPTABLES_H #define _ARPTABLES_H -#ifdef __KERNEL__ #include #include #include #include -#endif -#include -#include -#include - -#include - -#ifndef __KERNEL__ -#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN -#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN -#define arpt_entry_target xt_entry_target -#define arpt_standard_target xt_standard_target -#define arpt_error_target xt_error_target -#define ARPT_CONTINUE XT_CONTINUE -#define ARPT_RETURN XT_RETURN -#define arpt_counters_info xt_counters_info -#define arpt_counters xt_counters -#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET -#define ARPT_ERROR_TARGET XT_ERROR_TARGET -#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \ - XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args) -#endif - -#define ARPT_DEV_ADDR_LEN_MAX 16 - -struct arpt_devaddr_info { - char addr[ARPT_DEV_ADDR_LEN_MAX]; - char mask[ARPT_DEV_ADDR_LEN_MAX]; -}; - -/* Yes, Virginia, you have to zero the padding. */ -struct arpt_arp { - /* Source and target IP addr */ - struct in_addr src, tgt; - /* Mask for src and target IP addr */ - struct in_addr smsk, tmsk; - - /* Device hw address length, src+target device addresses */ - __u8 arhln, arhln_mask; - struct arpt_devaddr_info src_devaddr; - struct arpt_devaddr_info tgt_devaddr; - - /* ARP operation code. */ - __be16 arpop, arpop_mask; - - /* ARP hardware address and protocol address format. */ - __be16 arhrd, arhrd_mask; - __be16 arpro, arpro_mask; - - /* The protocol address length is only accepted if it is 4 - * so there is no use in offering a way to do filtering on it. - */ - - char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; - unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; - - /* Flags word */ - __u8 flags; - /* Inverse flags */ - __u16 invflags; -}; - -/* Values for "flag" field in struct arpt_ip (general arp structure). - * No flags defined yet. - */ -#define ARPT_F_MASK 0x00 /* All possible flag bits mask. */ - -/* Values for "inv" field in struct arpt_arp. */ -#define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */ -#define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */ -#define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */ -#define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */ -#define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */ -#define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */ -#define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */ -#define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */ -#define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */ -#define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */ -#define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */ - -/* This structure defines each of the firewall rules. Consists of 3 - parts which are 1) general ARP header stuff 2) match specific - stuff 3) the target to perform if the rule matches */ -struct arpt_entry -{ - struct arpt_arp arp; - - /* Size of arpt_entry + matches */ - __u16 target_offset; - /* Size of arpt_entry + matches + target */ - __u16 next_offset; - - /* Back pointer */ - unsigned int comefrom; - - /* Packet and byte counters. */ - struct xt_counters counters; - - /* The matches (if any), then the target. */ - unsigned char elems[0]; -}; - -/* - * New IP firewall options for [gs]etsockopt at the RAW IP level. - * Unlike BSD Linux inherits IP options so you don't have to use a raw - * socket for this. Instead we check rights in the calls. - * - * ATTENTION: check linux/in.h before adding new number here. - */ -#define ARPT_BASE_CTL 96 - -#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) -#define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1) -#define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS - -#define ARPT_SO_GET_INFO (ARPT_BASE_CTL) -#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) -/* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */ -#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3) -#define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET) - -/* The argument to ARPT_SO_GET_INFO */ -struct arpt_getinfo { - /* Which table: caller fills this in. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* Kernel fills these in. */ - /* Which hook entry points are valid: bitmask */ - unsigned int valid_hooks; - - /* Hook entry points: one per netfilter hook. */ - unsigned int hook_entry[NF_ARP_NUMHOOKS]; - - /* Underflow points. */ - unsigned int underflow[NF_ARP_NUMHOOKS]; - - /* Number of entries */ - unsigned int num_entries; - - /* Size of entries. */ - unsigned int size; -}; - -/* The argument to ARPT_SO_SET_REPLACE. */ -struct arpt_replace { - /* Which table. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* Which hook entry points are valid: bitmask. You can't - change this. */ - unsigned int valid_hooks; - - /* Number of entries */ - unsigned int num_entries; - - /* Total size of new entries */ - unsigned int size; - - /* Hook entry points. */ - unsigned int hook_entry[NF_ARP_NUMHOOKS]; - - /* Underflow points. */ - unsigned int underflow[NF_ARP_NUMHOOKS]; - - /* Information about old entries: */ - /* Number of counters (must be equal to current number of entries). */ - unsigned int num_counters; - /* The old entries' counters. */ - struct xt_counters __user *counters; - - /* The entries (hang off end: not really an array). */ - struct arpt_entry entries[0]; -}; - -/* The argument to ARPT_SO_GET_ENTRIES. */ -struct arpt_get_entries { - /* Which table: user fills this in. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* User fills this in: total entry size. */ - unsigned int size; - - /* The entries. */ - struct arpt_entry entrytable[0]; -}; - -/* Helper functions */ -static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e) -{ - return (void *)e + e->target_offset; -} - -/* - * Main firewall chains definitions and global var's definitions. - */ -#ifdef __KERNEL__ +#include /* Standard entry. */ struct arpt_standard { @@ -274,5 +77,4 @@ compat_arpt_get_target(struct compat_arpt_entry *e) } #endif /* CONFIG_COMPAT */ -#endif /*__KERNEL__*/ #endif /* _ARPTABLES_H */ diff --git a/include/linux/netfilter_arp/arpt_mangle.h b/include/linux/netfilter_arp/arpt_mangle.h deleted file mode 100644 index 250f502..0000000 --- a/include/linux/netfilter_arp/arpt_mangle.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef _ARPT_MANGLE_H -#define _ARPT_MANGLE_H -#include - -#define ARPT_MANGLE_ADDR_LEN_MAX sizeof(struct in_addr) -struct arpt_mangle -{ - char src_devaddr[ARPT_DEV_ADDR_LEN_MAX]; - char tgt_devaddr[ARPT_DEV_ADDR_LEN_MAX]; - union { - struct in_addr src_ip; - } u_s; - union { - struct in_addr tgt_ip; - } u_t; - u_int8_t flags; - int target; -}; - -#define ARPT_MANGLE_SDEV 0x01 -#define ARPT_MANGLE_TDEV 0x02 -#define ARPT_MANGLE_SIP 0x04 -#define ARPT_MANGLE_TIP 0x08 -#define ARPT_MANGLE_MASK 0x0f - -#endif /* _ARPT_MANGLE_H */ diff --git a/include/uapi/linux/netfilter_arp/Kbuild b/include/uapi/linux/netfilter_arp/Kbuild index aafaa5a..62d5637 100644 --- a/include/uapi/linux/netfilter_arp/Kbuild +++ b/include/uapi/linux/netfilter_arp/Kbuild @@ -1 +1,3 @@ # UAPI Header export list +header-y += arp_tables.h +header-y += arpt_mangle.h diff --git a/include/uapi/linux/netfilter_arp/arp_tables.h b/include/uapi/linux/netfilter_arp/arp_tables.h new file mode 100644 index 0000000..a5a86a4 --- /dev/null +++ b/include/uapi/linux/netfilter_arp/arp_tables.h @@ -0,0 +1,206 @@ +/* + * Format of an ARP firewall descriptor + * + * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in + * network byte order. + * flags are stored in host byte order (of course). + */ + +#ifndef _UAPI_ARPTABLES_H +#define _UAPI_ARPTABLES_H + +#include +#include +#include + +#include + +#ifndef __KERNEL__ +#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN +#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN +#define arpt_entry_target xt_entry_target +#define arpt_standard_target xt_standard_target +#define arpt_error_target xt_error_target +#define ARPT_CONTINUE XT_CONTINUE +#define ARPT_RETURN XT_RETURN +#define arpt_counters_info xt_counters_info +#define arpt_counters xt_counters +#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET +#define ARPT_ERROR_TARGET XT_ERROR_TARGET +#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \ + XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args) +#endif + +#define ARPT_DEV_ADDR_LEN_MAX 16 + +struct arpt_devaddr_info { + char addr[ARPT_DEV_ADDR_LEN_MAX]; + char mask[ARPT_DEV_ADDR_LEN_MAX]; +}; + +/* Yes, Virginia, you have to zero the padding. */ +struct arpt_arp { + /* Source and target IP addr */ + struct in_addr src, tgt; + /* Mask for src and target IP addr */ + struct in_addr smsk, tmsk; + + /* Device hw address length, src+target device addresses */ + __u8 arhln, arhln_mask; + struct arpt_devaddr_info src_devaddr; + struct arpt_devaddr_info tgt_devaddr; + + /* ARP operation code. */ + __be16 arpop, arpop_mask; + + /* ARP hardware address and protocol address format. */ + __be16 arhrd, arhrd_mask; + __be16 arpro, arpro_mask; + + /* The protocol address length is only accepted if it is 4 + * so there is no use in offering a way to do filtering on it. + */ + + char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; + unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; + + /* Flags word */ + __u8 flags; + /* Inverse flags */ + __u16 invflags; +}; + +/* Values for "flag" field in struct arpt_ip (general arp structure). + * No flags defined yet. + */ +#define ARPT_F_MASK 0x00 /* All possible flag bits mask. */ + +/* Values for "inv" field in struct arpt_arp. */ +#define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */ +#define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */ +#define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */ +#define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */ +#define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */ +#define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */ +#define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */ +#define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */ +#define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */ +#define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */ +#define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */ + +/* This structure defines each of the firewall rules. Consists of 3 + parts which are 1) general ARP header stuff 2) match specific + stuff 3) the target to perform if the rule matches */ +struct arpt_entry +{ + struct arpt_arp arp; + + /* Size of arpt_entry + matches */ + __u16 target_offset; + /* Size of arpt_entry + matches + target */ + __u16 next_offset; + + /* Back pointer */ + unsigned int comefrom; + + /* Packet and byte counters. */ + struct xt_counters counters; + + /* The matches (if any), then the target. */ + unsigned char elems[0]; +}; + +/* + * New IP firewall options for [gs]etsockopt at the RAW IP level. + * Unlike BSD Linux inherits IP options so you don't have to use a raw + * socket for this. Instead we check rights in the calls. + * + * ATTENTION: check linux/in.h before adding new number here. + */ +#define ARPT_BASE_CTL 96 + +#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) +#define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1) +#define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS + +#define ARPT_SO_GET_INFO (ARPT_BASE_CTL) +#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) +/* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */ +#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3) +#define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET) + +/* The argument to ARPT_SO_GET_INFO */ +struct arpt_getinfo { + /* Which table: caller fills this in. */ + char name[XT_TABLE_MAXNAMELEN]; + + /* Kernel fills these in. */ + /* Which hook entry points are valid: bitmask */ + unsigned int valid_hooks; + + /* Hook entry points: one per netfilter hook. */ + unsigned int hook_entry[NF_ARP_NUMHOOKS]; + + /* Underflow points. */ + unsigned int underflow[NF_ARP_NUMHOOKS]; + + /* Number of entries */ + unsigned int num_entries; + + /* Size of entries. */ + unsigned int size; +}; + +/* The argument to ARPT_SO_SET_REPLACE. */ +struct arpt_replace { + /* Which table. */ + char name[XT_TABLE_MAXNAMELEN]; + + /* Which hook entry points are valid: bitmask. You can't + change this. */ + unsigned int valid_hooks; + + /* Number of entries */ + unsigned int num_entries; + + /* Total size of new entries */ + unsigned int size; + + /* Hook entry points. */ + unsigned int hook_entry[NF_ARP_NUMHOOKS]; + + /* Underflow points. */ + unsigned int underflow[NF_ARP_NUMHOOKS]; + + /* Information about old entries: */ + /* Number of counters (must be equal to current number of entries). */ + unsigned int num_counters; + /* The old entries' counters. */ + struct xt_counters __user *counters; + + /* The entries (hang off end: not really an array). */ + struct arpt_entry entries[0]; +}; + +/* The argument to ARPT_SO_GET_ENTRIES. */ +struct arpt_get_entries { + /* Which table: user fills this in. */ + char name[XT_TABLE_MAXNAMELEN]; + + /* User fills this in: total entry size. */ + unsigned int size; + + /* The entries. */ + struct arpt_entry entrytable[0]; +}; + +/* Helper functions */ +static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e) +{ + return (void *)e + e->target_offset; +} + +/* + * Main firewall chains definitions and global var's definitions. + */ +#endif /* _UAPI_ARPTABLES_H */ diff --git a/include/uapi/linux/netfilter_arp/arpt_mangle.h b/include/uapi/linux/netfilter_arp/arpt_mangle.h new file mode 100644 index 0000000..250f502 --- /dev/null +++ b/include/uapi/linux/netfilter_arp/arpt_mangle.h @@ -0,0 +1,26 @@ +#ifndef _ARPT_MANGLE_H +#define _ARPT_MANGLE_H +#include + +#define ARPT_MANGLE_ADDR_LEN_MAX sizeof(struct in_addr) +struct arpt_mangle +{ + char src_devaddr[ARPT_DEV_ADDR_LEN_MAX]; + char tgt_devaddr[ARPT_DEV_ADDR_LEN_MAX]; + union { + struct in_addr src_ip; + } u_s; + union { + struct in_addr tgt_ip; + } u_t; + u_int8_t flags; + int target; +}; + +#define ARPT_MANGLE_SDEV 0x01 +#define ARPT_MANGLE_TDEV 0x02 +#define ARPT_MANGLE_SIP 0x04 +#define ARPT_MANGLE_TIP 0x08 +#define ARPT_MANGLE_MASK 0x0f + +#endif /* _ARPT_MANGLE_H */ -- cgit v0.10.2 From 55c5cd3cc179eb87faa9cc2d9741047dd1642aaf Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 9 Oct 2012 09:48:58 +0100 Subject: UAPI: (Scripted) Disintegrate include/linux/netfilter_bridge Signed-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones diff --git a/include/linux/netfilter_bridge/Kbuild b/include/linux/netfilter_bridge/Kbuild index e48f1a3..e69de29 100644 --- a/include/linux/netfilter_bridge/Kbuild +++ b/include/linux/netfilter_bridge/Kbuild @@ -1,18 +0,0 @@ -header-y += ebt_802_3.h -header-y += ebt_among.h -header-y += ebt_arp.h -header-y += ebt_arpreply.h -header-y += ebt_ip.h -header-y += ebt_ip6.h -header-y += ebt_limit.h -header-y += ebt_log.h -header-y += ebt_mark_m.h -header-y += ebt_mark_t.h -header-y += ebt_nat.h -header-y += ebt_nflog.h -header-y += ebt_pkttype.h -header-y += ebt_redirect.h -header-y += ebt_stp.h -header-y += ebt_ulog.h -header-y += ebt_vlan.h -header-y += ebtables.h diff --git a/include/linux/netfilter_bridge/ebt_802_3.h b/include/linux/netfilter_bridge/ebt_802_3.h index be5be15..e17e8bf 100644 --- a/include/linux/netfilter_bridge/ebt_802_3.h +++ b/include/linux/netfilter_bridge/ebt_802_3.h @@ -1,70 +1,11 @@ #ifndef __LINUX_BRIDGE_EBT_802_3_H #define __LINUX_BRIDGE_EBT_802_3_H -#include - -#define EBT_802_3_SAP 0x01 -#define EBT_802_3_TYPE 0x02 - -#define EBT_802_3_MATCH "802_3" - -/* - * If frame has DSAP/SSAP value 0xaa you must check the SNAP type - * to discover what kind of packet we're carrying. - */ -#define CHECK_TYPE 0xaa - -/* - * Control field may be one or two bytes. If the first byte has - * the value 0x03 then the entire length is one byte, otherwise it is two. - * One byte controls are used in Unnumbered Information frames. - * Two byte controls are used in Numbered Information frames. - */ -#define IS_UI 0x03 - -#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3) - -/* ui has one byte ctrl, ni has two */ -struct hdr_ui { - __u8 dsap; - __u8 ssap; - __u8 ctrl; - __u8 orig[3]; - __be16 type; -}; - -struct hdr_ni { - __u8 dsap; - __u8 ssap; - __be16 ctrl; - __u8 orig[3]; - __be16 type; -}; - -struct ebt_802_3_hdr { - __u8 daddr[6]; - __u8 saddr[6]; - __be16 len; - union { - struct hdr_ui ui; - struct hdr_ni ni; - } llc; -}; - -#ifdef __KERNEL__ #include +#include static inline struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb) { return (struct ebt_802_3_hdr *)skb_mac_header(skb); } #endif - -struct ebt_802_3_info { - __u8 sap; - __be16 type; - __u8 bitmask; - __u8 invflags; -}; - -#endif diff --git a/include/linux/netfilter_bridge/ebt_among.h b/include/linux/netfilter_bridge/ebt_among.h deleted file mode 100644 index bd4e3ad..0000000 --- a/include/linux/netfilter_bridge/ebt_among.h +++ /dev/null @@ -1,64 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_AMONG_H -#define __LINUX_BRIDGE_EBT_AMONG_H - -#include - -#define EBT_AMONG_DST 0x01 -#define EBT_AMONG_SRC 0x02 - -/* Grzegorz Borowiak 2003 - * - * Write-once-read-many hash table, used for checking if a given - * MAC address belongs to a set or not and possibly for checking - * if it is related with a given IPv4 address. - * - * The hash value of an address is its last byte. - * - * In real-world ethernet addresses, values of the last byte are - * evenly distributed and there is no need to consider other bytes. - * It would only slow the routines down. - * - * For MAC address comparison speedup reasons, we introduce a trick. - * MAC address is mapped onto an array of two 32-bit integers. - * This pair of integers is compared with MAC addresses in the - * hash table, which are stored also in form of pairs of integers - * (in `cmp' array). This is quick as it requires only two elementary - * number comparisons in worst case. Further, we take advantage of - * fact that entropy of 3 last bytes of address is larger than entropy - * of 3 first bytes. So first we compare 4 last bytes of addresses and - * if they are the same we compare 2 first. - * - * Yes, it is a memory overhead, but in 2003 AD, who cares? - */ - -struct ebt_mac_wormhash_tuple { - __u32 cmp[2]; - __be32 ip; -}; - -struct ebt_mac_wormhash { - int table[257]; - int poolsize; - struct ebt_mac_wormhash_tuple pool[0]; -}; - -#define ebt_mac_wormhash_size(x) ((x) ? sizeof(struct ebt_mac_wormhash) \ - + (x)->poolsize * sizeof(struct ebt_mac_wormhash_tuple) : 0) - -struct ebt_among_info { - int wh_dst_ofs; - int wh_src_ofs; - int bitmask; -}; - -#define EBT_AMONG_DST_NEG 0x1 -#define EBT_AMONG_SRC_NEG 0x2 - -#define ebt_among_wh_dst(x) ((x)->wh_dst_ofs ? \ - (struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_dst_ofs) : NULL) -#define ebt_among_wh_src(x) ((x)->wh_src_ofs ? \ - (struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_src_ofs) : NULL) - -#define EBT_AMONG_MATCH "among" - -#endif diff --git a/include/linux/netfilter_bridge/ebt_arp.h b/include/linux/netfilter_bridge/ebt_arp.h deleted file mode 100644 index 522f3e4..0000000 --- a/include/linux/netfilter_bridge/ebt_arp.h +++ /dev/null @@ -1,36 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_ARP_H -#define __LINUX_BRIDGE_EBT_ARP_H - -#include - -#define EBT_ARP_OPCODE 0x01 -#define EBT_ARP_HTYPE 0x02 -#define EBT_ARP_PTYPE 0x04 -#define EBT_ARP_SRC_IP 0x08 -#define EBT_ARP_DST_IP 0x10 -#define EBT_ARP_SRC_MAC 0x20 -#define EBT_ARP_DST_MAC 0x40 -#define EBT_ARP_GRAT 0x80 -#define EBT_ARP_MASK (EBT_ARP_OPCODE | EBT_ARP_HTYPE | EBT_ARP_PTYPE | \ - EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC | \ - EBT_ARP_GRAT) -#define EBT_ARP_MATCH "arp" - -struct ebt_arp_info -{ - __be16 htype; - __be16 ptype; - __be16 opcode; - __be32 saddr; - __be32 smsk; - __be32 daddr; - __be32 dmsk; - unsigned char smaddr[ETH_ALEN]; - unsigned char smmsk[ETH_ALEN]; - unsigned char dmaddr[ETH_ALEN]; - unsigned char dmmsk[ETH_ALEN]; - __u8 bitmask; - __u8 invflags; -}; - -#endif diff --git a/include/linux/netfilter_bridge/ebt_arpreply.h b/include/linux/netfilter_bridge/ebt_arpreply.h deleted file mode 100644 index 7e77896..0000000 --- a/include/linux/netfilter_bridge/ebt_arpreply.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_ARPREPLY_H -#define __LINUX_BRIDGE_EBT_ARPREPLY_H - -struct ebt_arpreply_info { - unsigned char mac[ETH_ALEN]; - int target; -}; -#define EBT_ARPREPLY_TARGET "arpreply" - -#endif diff --git a/include/linux/netfilter_bridge/ebt_ip.h b/include/linux/netfilter_bridge/ebt_ip.h deleted file mode 100644 index c4bbc41..0000000 --- a/include/linux/netfilter_bridge/ebt_ip.h +++ /dev/null @@ -1,44 +0,0 @@ -/* - * ebt_ip - * - * Authors: - * Bart De Schuymer - * - * April, 2002 - * - * Changes: - * added ip-sport and ip-dport - * Innominate Security Technologies AG - * September, 2002 - */ - -#ifndef __LINUX_BRIDGE_EBT_IP_H -#define __LINUX_BRIDGE_EBT_IP_H - -#include - -#define EBT_IP_SOURCE 0x01 -#define EBT_IP_DEST 0x02 -#define EBT_IP_TOS 0x04 -#define EBT_IP_PROTO 0x08 -#define EBT_IP_SPORT 0x10 -#define EBT_IP_DPORT 0x20 -#define EBT_IP_MASK (EBT_IP_SOURCE | EBT_IP_DEST | EBT_IP_TOS | EBT_IP_PROTO |\ - EBT_IP_SPORT | EBT_IP_DPORT ) -#define EBT_IP_MATCH "ip" - -/* the same values are used for the invflags */ -struct ebt_ip_info { - __be32 saddr; - __be32 daddr; - __be32 smsk; - __be32 dmsk; - __u8 tos; - __u8 protocol; - __u8 bitmask; - __u8 invflags; - __u16 sport[2]; - __u16 dport[2]; -}; - -#endif diff --git a/include/linux/netfilter_bridge/ebt_ip6.h b/include/linux/netfilter_bridge/ebt_ip6.h deleted file mode 100644 index 42b8896..0000000 --- a/include/linux/netfilter_bridge/ebt_ip6.h +++ /dev/null @@ -1,50 +0,0 @@ -/* - * ebt_ip6 - * - * Authors: - * Kuo-Lang Tseng - * Manohar Castelino - * - * Jan 11, 2008 - * - */ - -#ifndef __LINUX_BRIDGE_EBT_IP6_H -#define __LINUX_BRIDGE_EBT_IP6_H - -#include - -#define EBT_IP6_SOURCE 0x01 -#define EBT_IP6_DEST 0x02 -#define EBT_IP6_TCLASS 0x04 -#define EBT_IP6_PROTO 0x08 -#define EBT_IP6_SPORT 0x10 -#define EBT_IP6_DPORT 0x20 -#define EBT_IP6_ICMP6 0x40 - -#define EBT_IP6_MASK (EBT_IP6_SOURCE | EBT_IP6_DEST | EBT_IP6_TCLASS |\ - EBT_IP6_PROTO | EBT_IP6_SPORT | EBT_IP6_DPORT | \ - EBT_IP6_ICMP6) -#define EBT_IP6_MATCH "ip6" - -/* the same values are used for the invflags */ -struct ebt_ip6_info { - struct in6_addr saddr; - struct in6_addr daddr; - struct in6_addr smsk; - struct in6_addr dmsk; - __u8 tclass; - __u8 protocol; - __u8 bitmask; - __u8 invflags; - union { - __u16 sport[2]; - __u8 icmpv6_type[2]; - }; - union { - __u16 dport[2]; - __u8 icmpv6_code[2]; - }; -}; - -#endif diff --git a/include/linux/netfilter_bridge/ebt_limit.h b/include/linux/netfilter_bridge/ebt_limit.h deleted file mode 100644 index 66d80b3..0000000 --- a/include/linux/netfilter_bridge/ebt_limit.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_LIMIT_H -#define __LINUX_BRIDGE_EBT_LIMIT_H - -#include - -#define EBT_LIMIT_MATCH "limit" - -/* timings are in milliseconds. */ -#define EBT_LIMIT_SCALE 10000 - -/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 - seconds, or one every 59 hours. */ - -struct ebt_limit_info { - __u32 avg; /* Average secs between packets * scale */ - __u32 burst; /* Period multiplier for upper limit. */ - - /* Used internally by the kernel */ - unsigned long prev; - __u32 credit; - __u32 credit_cap, cost; -}; - -#endif diff --git a/include/linux/netfilter_bridge/ebt_log.h b/include/linux/netfilter_bridge/ebt_log.h deleted file mode 100644 index 7e7f1d1..0000000 --- a/include/linux/netfilter_bridge/ebt_log.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_LOG_H -#define __LINUX_BRIDGE_EBT_LOG_H - -#include - -#define EBT_LOG_IP 0x01 /* if the frame is made by ip, log the ip information */ -#define EBT_LOG_ARP 0x02 -#define EBT_LOG_NFLOG 0x04 -#define EBT_LOG_IP6 0x08 -#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP | EBT_LOG_IP6) -#define EBT_LOG_PREFIX_SIZE 30 -#define EBT_LOG_WATCHER "log" - -struct ebt_log_info { - __u8 loglevel; - __u8 prefix[EBT_LOG_PREFIX_SIZE]; - __u32 bitmask; -}; - -#endif diff --git a/include/linux/netfilter_bridge/ebt_mark_m.h b/include/linux/netfilter_bridge/ebt_mark_m.h deleted file mode 100644 index 410f9e5..0000000 --- a/include/linux/netfilter_bridge/ebt_mark_m.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_MARK_M_H -#define __LINUX_BRIDGE_EBT_MARK_M_H - -#include - -#define EBT_MARK_AND 0x01 -#define EBT_MARK_OR 0x02 -#define EBT_MARK_MASK (EBT_MARK_AND | EBT_MARK_OR) -struct ebt_mark_m_info { - unsigned long mark, mask; - __u8 invert; - __u8 bitmask; -}; -#define EBT_MARK_MATCH "mark_m" - -#endif diff --git a/include/linux/netfilter_bridge/ebt_mark_t.h b/include/linux/netfilter_bridge/ebt_mark_t.h deleted file mode 100644 index 7d5a268..0000000 --- a/include/linux/netfilter_bridge/ebt_mark_t.h +++ /dev/null @@ -1,23 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_MARK_T_H -#define __LINUX_BRIDGE_EBT_MARK_T_H - -/* The target member is reused for adding new actions, the - * value of the real target is -1 to -NUM_STANDARD_TARGETS. - * For backward compatibility, the 4 lsb (2 would be enough, - * but let's play it safe) are kept to designate this target. - * The remaining bits designate the action. By making the set - * action 0xfffffff0, the result will look ok for older - * versions. [September 2006] */ -#define MARK_SET_VALUE (0xfffffff0) -#define MARK_OR_VALUE (0xffffffe0) -#define MARK_AND_VALUE (0xffffffd0) -#define MARK_XOR_VALUE (0xffffffc0) - -struct ebt_mark_t_info { - unsigned long mark; - /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ - int target; -}; -#define EBT_MARK_TARGET "mark" - -#endif diff --git a/include/linux/netfilter_bridge/ebt_nat.h b/include/linux/netfilter_bridge/ebt_nat.h deleted file mode 100644 index 5e74e3b..0000000 --- a/include/linux/netfilter_bridge/ebt_nat.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_NAT_H -#define __LINUX_BRIDGE_EBT_NAT_H - -#define NAT_ARP_BIT (0x00000010) -struct ebt_nat_info { - unsigned char mac[ETH_ALEN]; - /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ - int target; -}; -#define EBT_SNAT_TARGET "snat" -#define EBT_DNAT_TARGET "dnat" - -#endif diff --git a/include/linux/netfilter_bridge/ebt_nflog.h b/include/linux/netfilter_bridge/ebt_nflog.h deleted file mode 100644 index df829fc..0000000 --- a/include/linux/netfilter_bridge/ebt_nflog.h +++ /dev/null @@ -1,23 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_NFLOG_H -#define __LINUX_BRIDGE_EBT_NFLOG_H - -#include - -#define EBT_NFLOG_MASK 0x0 - -#define EBT_NFLOG_PREFIX_SIZE 64 -#define EBT_NFLOG_WATCHER "nflog" - -#define EBT_NFLOG_DEFAULT_GROUP 0x1 -#define EBT_NFLOG_DEFAULT_THRESHOLD 1 - -struct ebt_nflog_info { - __u32 len; - __u16 group; - __u16 threshold; - __u16 flags; - __u16 pad; - char prefix[EBT_NFLOG_PREFIX_SIZE]; -}; - -#endif /* __LINUX_BRIDGE_EBT_NFLOG_H */ diff --git a/include/linux/netfilter_bridge/ebt_pkttype.h b/include/linux/netfilter_bridge/ebt_pkttype.h deleted file mode 100644 index c241bad..0000000 --- a/include/linux/netfilter_bridge/ebt_pkttype.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_PKTTYPE_H -#define __LINUX_BRIDGE_EBT_PKTTYPE_H - -#include - -struct ebt_pkttype_info { - __u8 pkt_type; - __u8 invert; -}; -#define EBT_PKTTYPE_MATCH "pkttype" - -#endif diff --git a/include/linux/netfilter_bridge/ebt_redirect.h b/include/linux/netfilter_bridge/ebt_redirect.h deleted file mode 100644 index dd9622c..0000000 --- a/include/linux/netfilter_bridge/ebt_redirect.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_REDIRECT_H -#define __LINUX_BRIDGE_EBT_REDIRECT_H - -struct ebt_redirect_info { - /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ - int target; -}; -#define EBT_REDIRECT_TARGET "redirect" - -#endif diff --git a/include/linux/netfilter_bridge/ebt_stp.h b/include/linux/netfilter_bridge/ebt_stp.h deleted file mode 100644 index 1025b9f..0000000 --- a/include/linux/netfilter_bridge/ebt_stp.h +++ /dev/null @@ -1,46 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_STP_H -#define __LINUX_BRIDGE_EBT_STP_H - -#include - -#define EBT_STP_TYPE 0x0001 - -#define EBT_STP_FLAGS 0x0002 -#define EBT_STP_ROOTPRIO 0x0004 -#define EBT_STP_ROOTADDR 0x0008 -#define EBT_STP_ROOTCOST 0x0010 -#define EBT_STP_SENDERPRIO 0x0020 -#define EBT_STP_SENDERADDR 0x0040 -#define EBT_STP_PORT 0x0080 -#define EBT_STP_MSGAGE 0x0100 -#define EBT_STP_MAXAGE 0x0200 -#define EBT_STP_HELLOTIME 0x0400 -#define EBT_STP_FWDD 0x0800 - -#define EBT_STP_MASK 0x0fff -#define EBT_STP_CONFIG_MASK 0x0ffe - -#define EBT_STP_MATCH "stp" - -struct ebt_stp_config_info { - __u8 flags; - __u16 root_priol, root_priou; - char root_addr[6], root_addrmsk[6]; - __u32 root_costl, root_costu; - __u16 sender_priol, sender_priou; - char sender_addr[6], sender_addrmsk[6]; - __u16 portl, portu; - __u16 msg_agel, msg_ageu; - __u16 max_agel, max_ageu; - __u16 hello_timel, hello_timeu; - __u16 forward_delayl, forward_delayu; -}; - -struct ebt_stp_info { - __u8 type; - struct ebt_stp_config_info config; - __u16 bitmask; - __u16 invflags; -}; - -#endif diff --git a/include/linux/netfilter_bridge/ebt_ulog.h b/include/linux/netfilter_bridge/ebt_ulog.h deleted file mode 100644 index 89a6bec..0000000 --- a/include/linux/netfilter_bridge/ebt_ulog.h +++ /dev/null @@ -1,38 +0,0 @@ -#ifndef _EBT_ULOG_H -#define _EBT_ULOG_H - -#include - -#define EBT_ULOG_DEFAULT_NLGROUP 0 -#define EBT_ULOG_DEFAULT_QTHRESHOLD 1 -#define EBT_ULOG_MAXNLGROUPS 32 /* hardcoded netlink max */ -#define EBT_ULOG_PREFIX_LEN 32 -#define EBT_ULOG_MAX_QLEN 50 -#define EBT_ULOG_WATCHER "ulog" -#define EBT_ULOG_VERSION 1 - -struct ebt_ulog_info { - __u32 nlgroup; - unsigned int cprange; - unsigned int qthreshold; - char prefix[EBT_ULOG_PREFIX_LEN]; -}; - -typedef struct ebt_ulog_packet_msg { - int version; - char indev[IFNAMSIZ]; - char outdev[IFNAMSIZ]; - char physindev[IFNAMSIZ]; - char physoutdev[IFNAMSIZ]; - char prefix[EBT_ULOG_PREFIX_LEN]; - struct timeval stamp; - unsigned long mark; - unsigned int hook; - size_t data_len; - /* The complete packet, including Ethernet header and perhaps - * the VLAN header is appended */ - unsigned char data[0] __attribute__ - ((aligned (__alignof__(struct ebt_ulog_info)))); -} ebt_ulog_packet_msg_t; - -#endif /* _EBT_ULOG_H */ diff --git a/include/linux/netfilter_bridge/ebt_vlan.h b/include/linux/netfilter_bridge/ebt_vlan.h deleted file mode 100644 index 967d1d5..0000000 --- a/include/linux/netfilter_bridge/ebt_vlan.h +++ /dev/null @@ -1,22 +0,0 @@ -#ifndef __LINUX_BRIDGE_EBT_VLAN_H -#define __LINUX_BRIDGE_EBT_VLAN_H - -#include - -#define EBT_VLAN_ID 0x01 -#define EBT_VLAN_PRIO 0x02 -#define EBT_VLAN_ENCAP 0x04 -#define EBT_VLAN_MASK (EBT_VLAN_ID | EBT_VLAN_PRIO | EBT_VLAN_ENCAP) -#define EBT_VLAN_MATCH "vlan" - -struct ebt_vlan_info { - __u16 id; /* VLAN ID {1-4095} */ - __u8 prio; /* VLAN User Priority {0-7} */ - __be16 encap; /* VLAN Encapsulated frame code {0-65535} */ - __u8 bitmask; /* Args bitmask bit 1=1 - ID arg, - bit 2=1 User-Priority arg, bit 3=1 encap*/ - __u8 invflags; /* Inverse bitmask bit 1=1 - inversed ID arg, - bit 2=1 - inversed Pirority arg */ -}; - -#endif diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h index 4dd5bd6..34e7a2b 100644 --- a/include/linux/netfilter_bridge/ebtables.h +++ b/include/linux/netfilter_bridge/ebtables.h @@ -9,191 +9,11 @@ * This code is stongly inspired on the iptables code which is * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling */ - #ifndef __LINUX_BRIDGE_EFF_H #define __LINUX_BRIDGE_EFF_H -#include -#include -#include - -#define EBT_TABLE_MAXNAMELEN 32 -#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN -#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN - -/* verdicts >0 are "branches" */ -#define EBT_ACCEPT -1 -#define EBT_DROP -2 -#define EBT_CONTINUE -3 -#define EBT_RETURN -4 -#define NUM_STANDARD_TARGETS 4 -/* ebtables target modules store the verdict inside an int. We can - * reclaim a part of this int for backwards compatible extensions. - * The 4 lsb are more than enough to store the verdict. */ -#define EBT_VERDICT_BITS 0x0000000F - -struct xt_match; -struct xt_target; - -struct ebt_counter { - uint64_t pcnt; - uint64_t bcnt; -}; -struct ebt_replace { - char name[EBT_TABLE_MAXNAMELEN]; - unsigned int valid_hooks; - /* nr of rules in the table */ - unsigned int nentries; - /* total size of the entries */ - unsigned int entries_size; - /* start of the chains */ - struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS]; - /* nr of counters userspace expects back */ - unsigned int num_counters; - /* where the kernel will put the old counters */ - struct ebt_counter __user *counters; - char __user *entries; -}; +#include -struct ebt_replace_kernel { - char name[EBT_TABLE_MAXNAMELEN]; - unsigned int valid_hooks; - /* nr of rules in the table */ - unsigned int nentries; - /* total size of the entries */ - unsigned int entries_size; - /* start of the chains */ - struct ebt_entries *hook_entry[NF_BR_NUMHOOKS]; - /* nr of counters userspace expects back */ - unsigned int num_counters; - /* where the kernel will put the old counters */ - struct ebt_counter *counters; - char *entries; -}; - -struct ebt_entries { - /* this field is always set to zero - * See EBT_ENTRY_OR_ENTRIES. - * Must be same size as ebt_entry.bitmask */ - unsigned int distinguisher; - /* the chain name */ - char name[EBT_CHAIN_MAXNAMELEN]; - /* counter offset for this chain */ - unsigned int counter_offset; - /* one standard (accept, drop, return) per hook */ - int policy; - /* nr. of entries */ - unsigned int nentries; - /* entry list */ - char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); -}; - -/* used for the bitmask of struct ebt_entry */ - -/* This is a hack to make a difference between an ebt_entry struct and an - * ebt_entries struct when traversing the entries from start to end. - * Using this simplifies the code a lot, while still being able to use - * ebt_entries. - * Contrary, iptables doesn't use something like ebt_entries and therefore uses - * different techniques for naming the policy and such. So, iptables doesn't - * need a hack like this. - */ -#define EBT_ENTRY_OR_ENTRIES 0x01 -/* these are the normal masks */ -#define EBT_NOPROTO 0x02 -#define EBT_802_3 0x04 -#define EBT_SOURCEMAC 0x08 -#define EBT_DESTMAC 0x10 -#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \ - | EBT_ENTRY_OR_ENTRIES) - -#define EBT_IPROTO 0x01 -#define EBT_IIN 0x02 -#define EBT_IOUT 0x04 -#define EBT_ISOURCE 0x8 -#define EBT_IDEST 0x10 -#define EBT_ILOGICALIN 0x20 -#define EBT_ILOGICALOUT 0x40 -#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ - | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) - -struct ebt_entry_match { - union { - char name[EBT_FUNCTION_MAXNAMELEN]; - struct xt_match *match; - } u; - /* size of data */ - unsigned int match_size; - unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); -}; - -struct ebt_entry_watcher { - union { - char name[EBT_FUNCTION_MAXNAMELEN]; - struct xt_target *watcher; - } u; - /* size of data */ - unsigned int watcher_size; - unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); -}; - -struct ebt_entry_target { - union { - char name[EBT_FUNCTION_MAXNAMELEN]; - struct xt_target *target; - } u; - /* size of data */ - unsigned int target_size; - unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); -}; - -#define EBT_STANDARD_TARGET "standard" -struct ebt_standard_target { - struct ebt_entry_target target; - int verdict; -}; - -/* one entry */ -struct ebt_entry { - /* this needs to be the first field */ - unsigned int bitmask; - unsigned int invflags; - __be16 ethproto; - /* the physical in-dev */ - char in[IFNAMSIZ]; - /* the logical in-dev */ - char logical_in[IFNAMSIZ]; - /* the physical out-dev */ - char out[IFNAMSIZ]; - /* the logical out-dev */ - char logical_out[IFNAMSIZ]; - unsigned char sourcemac[ETH_ALEN]; - unsigned char sourcemsk[ETH_ALEN]; - unsigned char destmac[ETH_ALEN]; - unsigned char destmsk[ETH_ALEN]; - /* sizeof ebt_entry + matches */ - unsigned int watchers_offset; - /* sizeof ebt_entry + matches + watchers */ - unsigned int target_offset; - /* sizeof ebt_entry + matches + watchers + target */ - unsigned int next_offset; - unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); -}; - -/* {g,s}etsockopt numbers */ -#define EBT_BASE_CTL 128 - -#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) -#define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1) -#define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1) - -#define EBT_SO_GET_INFO (EBT_BASE_CTL) -#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1) -#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1) -#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1) -#define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1) - -#ifdef __KERNEL__ /* return values for match() functions */ #define EBT_MATCH 0 @@ -304,77 +124,4 @@ extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb, /* True if the target is not a standard target */ #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0) -#endif /* __KERNEL__ */ - -/* blatently stolen from ip_tables.h - * fn returns 0 to continue iteration */ -#define EBT_MATCH_ITERATE(e, fn, args...) \ -({ \ - unsigned int __i; \ - int __ret = 0; \ - struct ebt_entry_match *__match; \ - \ - for (__i = sizeof(struct ebt_entry); \ - __i < (e)->watchers_offset; \ - __i += __match->match_size + \ - sizeof(struct ebt_entry_match)) { \ - __match = (void *)(e) + __i; \ - \ - __ret = fn(__match , ## args); \ - if (__ret != 0) \ - break; \ - } \ - if (__ret == 0) { \ - if (__i != (e)->watchers_offset) \ - __ret = -EINVAL; \ - } \ - __ret; \ -}) - -#define EBT_WATCHER_ITERATE(e, fn, args...) \ -({ \ - unsigned int __i; \ - int __ret = 0; \ - struct ebt_entry_watcher *__watcher; \ - \ - for (__i = e->watchers_offset; \ - __i < (e)->target_offset; \ - __i += __watcher->watcher_size + \ - sizeof(struct ebt_entry_watcher)) { \ - __watcher = (void *)(e) + __i; \ - \ - __ret = fn(__watcher , ## args); \ - if (__ret != 0) \ - break; \ - } \ - if (__ret == 0) { \ - if (__i != (e)->target_offset) \ - __ret = -EINVAL; \ - } \ - __ret; \ -}) - -#define EBT_ENTRY_ITERATE(entries, size, fn, args...) \ -({ \ - unsigned int __i; \ - int __ret = 0; \ - struct ebt_entry *__entry; \ - \ - for (__i = 0; __i < (size);) { \ - __entry = (void *)(entries) + __i; \ - __ret = fn(__entry , ## args); \ - if (__ret != 0) \ - break; \ - if (__entry->bitmask != 0) \ - __i += __entry->next_offset; \ - else \ - __i += sizeof(struct ebt_entries); \ - } \ - if (__ret == 0) { \ - if (__i != (size)) \ - __ret = -EINVAL; \ - } \ - __ret; \ -}) - #endif diff --git a/include/uapi/linux/netfilter_bridge/Kbuild b/include/uapi/linux/netfilter_bridge/Kbuild index aafaa5a..348717c 100644 --- a/include/uapi/linux/netfilter_bridge/Kbuild +++ b/include/uapi/linux/netfilter_bridge/Kbuild @@ -1 +1,19 @@ # UAPI Header export list +header-y += ebt_802_3.h +header-y += ebt_among.h +header-y += ebt_arp.h +header-y += ebt_arpreply.h +header-y += ebt_ip.h +header-y += ebt_ip6.h +header-y += ebt_limit.h +header-y += ebt_log.h +header-y += ebt_mark_m.h +header-y += ebt_mark_t.h +header-y += ebt_nat.h +header-y += ebt_nflog.h +header-y += ebt_pkttype.h +header-y += ebt_redirect.h +header-y += ebt_stp.h +header-y += ebt_ulog.h +header-y += ebt_vlan.h +header-y += ebtables.h diff --git a/include/uapi/linux/netfilter_bridge/ebt_802_3.h b/include/uapi/linux/netfilter_bridge/ebt_802_3.h new file mode 100644 index 0000000..5bf8491 --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_802_3.h @@ -0,0 +1,62 @@ +#ifndef _UAPI__LINUX_BRIDGE_EBT_802_3_H +#define _UAPI__LINUX_BRIDGE_EBT_802_3_H + +#include + +#define EBT_802_3_SAP 0x01 +#define EBT_802_3_TYPE 0x02 + +#define EBT_802_3_MATCH "802_3" + +/* + * If frame has DSAP/SSAP value 0xaa you must check the SNAP type + * to discover what kind of packet we're carrying. + */ +#define CHECK_TYPE 0xaa + +/* + * Control field may be one or two bytes. If the first byte has + * the value 0x03 then the entire length is one byte, otherwise it is two. + * One byte controls are used in Unnumbered Information frames. + * Two byte controls are used in Numbered Information frames. + */ +#define IS_UI 0x03 + +#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3) + +/* ui has one byte ctrl, ni has two */ +struct hdr_ui { + __u8 dsap; + __u8 ssap; + __u8 ctrl; + __u8 orig[3]; + __be16 type; +}; + +struct hdr_ni { + __u8 dsap; + __u8 ssap; + __be16 ctrl; + __u8 orig[3]; + __be16 type; +}; + +struct ebt_802_3_hdr { + __u8 daddr[6]; + __u8 saddr[6]; + __be16 len; + union { + struct hdr_ui ui; + struct hdr_ni ni; + } llc; +}; + + +struct ebt_802_3_info { + __u8 sap; + __be16 type; + __u8 bitmask; + __u8 invflags; +}; + +#endif /* _UAPI__LINUX_BRIDGE_EBT_802_3_H */ diff --git a/include/uapi/linux/netfilter_bridge/ebt_among.h b/include/uapi/linux/netfilter_bridge/ebt_among.h new file mode 100644 index 0000000..bd4e3ad --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_among.h @@ -0,0 +1,64 @@ +#ifndef __LINUX_BRIDGE_EBT_AMONG_H +#define __LINUX_BRIDGE_EBT_AMONG_H + +#include + +#define EBT_AMONG_DST 0x01 +#define EBT_AMONG_SRC 0x02 + +/* Grzegorz Borowiak 2003 + * + * Write-once-read-many hash table, used for checking if a given + * MAC address belongs to a set or not and possibly for checking + * if it is related with a given IPv4 address. + * + * The hash value of an address is its last byte. + * + * In real-world ethernet addresses, values of the last byte are + * evenly distributed and there is no need to consider other bytes. + * It would only slow the routines down. + * + * For MAC address comparison speedup reasons, we introduce a trick. + * MAC address is mapped onto an array of two 32-bit integers. + * This pair of integers is compared with MAC addresses in the + * hash table, which are stored also in form of pairs of integers + * (in `cmp' array). This is quick as it requires only two elementary + * number comparisons in worst case. Further, we take advantage of + * fact that entropy of 3 last bytes of address is larger than entropy + * of 3 first bytes. So first we compare 4 last bytes of addresses and + * if they are the same we compare 2 first. + * + * Yes, it is a memory overhead, but in 2003 AD, who cares? + */ + +struct ebt_mac_wormhash_tuple { + __u32 cmp[2]; + __be32 ip; +}; + +struct ebt_mac_wormhash { + int table[257]; + int poolsize; + struct ebt_mac_wormhash_tuple pool[0]; +}; + +#define ebt_mac_wormhash_size(x) ((x) ? sizeof(struct ebt_mac_wormhash) \ + + (x)->poolsize * sizeof(struct ebt_mac_wormhash_tuple) : 0) + +struct ebt_among_info { + int wh_dst_ofs; + int wh_src_ofs; + int bitmask; +}; + +#define EBT_AMONG_DST_NEG 0x1 +#define EBT_AMONG_SRC_NEG 0x2 + +#define ebt_among_wh_dst(x) ((x)->wh_dst_ofs ? \ + (struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_dst_ofs) : NULL) +#define ebt_among_wh_src(x) ((x)->wh_src_ofs ? \ + (struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_src_ofs) : NULL) + +#define EBT_AMONG_MATCH "among" + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_arp.h b/include/uapi/linux/netfilter_bridge/ebt_arp.h new file mode 100644 index 0000000..522f3e4 --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_arp.h @@ -0,0 +1,36 @@ +#ifndef __LINUX_BRIDGE_EBT_ARP_H +#define __LINUX_BRIDGE_EBT_ARP_H + +#include + +#define EBT_ARP_OPCODE 0x01 +#define EBT_ARP_HTYPE 0x02 +#define EBT_ARP_PTYPE 0x04 +#define EBT_ARP_SRC_IP 0x08 +#define EBT_ARP_DST_IP 0x10 +#define EBT_ARP_SRC_MAC 0x20 +#define EBT_ARP_DST_MAC 0x40 +#define EBT_ARP_GRAT 0x80 +#define EBT_ARP_MASK (EBT_ARP_OPCODE | EBT_ARP_HTYPE | EBT_ARP_PTYPE | \ + EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC | \ + EBT_ARP_GRAT) +#define EBT_ARP_MATCH "arp" + +struct ebt_arp_info +{ + __be16 htype; + __be16 ptype; + __be16 opcode; + __be32 saddr; + __be32 smsk; + __be32 daddr; + __be32 dmsk; + unsigned char smaddr[ETH_ALEN]; + unsigned char smmsk[ETH_ALEN]; + unsigned char dmaddr[ETH_ALEN]; + unsigned char dmmsk[ETH_ALEN]; + __u8 bitmask; + __u8 invflags; +}; + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_arpreply.h b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h new file mode 100644 index 0000000..7e77896 --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h @@ -0,0 +1,10 @@ +#ifndef __LINUX_BRIDGE_EBT_ARPREPLY_H +#define __LINUX_BRIDGE_EBT_ARPREPLY_H + +struct ebt_arpreply_info { + unsigned char mac[ETH_ALEN]; + int target; +}; +#define EBT_ARPREPLY_TARGET "arpreply" + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_ip.h b/include/uapi/linux/netfilter_bridge/ebt_ip.h new file mode 100644 index 0000000..c4bbc41 --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_ip.h @@ -0,0 +1,44 @@ +/* + * ebt_ip + * + * Authors: + * Bart De Schuymer + * + * April, 2002 + * + * Changes: + * added ip-sport and ip-dport + * Innominate Security Technologies AG + * September, 2002 + */ + +#ifndef __LINUX_BRIDGE_EBT_IP_H +#define __LINUX_BRIDGE_EBT_IP_H + +#include + +#define EBT_IP_SOURCE 0x01 +#define EBT_IP_DEST 0x02 +#define EBT_IP_TOS 0x04 +#define EBT_IP_PROTO 0x08 +#define EBT_IP_SPORT 0x10 +#define EBT_IP_DPORT 0x20 +#define EBT_IP_MASK (EBT_IP_SOURCE | EBT_IP_DEST | EBT_IP_TOS | EBT_IP_PROTO |\ + EBT_IP_SPORT | EBT_IP_DPORT ) +#define EBT_IP_MATCH "ip" + +/* the same values are used for the invflags */ +struct ebt_ip_info { + __be32 saddr; + __be32 daddr; + __be32 smsk; + __be32 dmsk; + __u8 tos; + __u8 protocol; + __u8 bitmask; + __u8 invflags; + __u16 sport[2]; + __u16 dport[2]; +}; + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_ip6.h b/include/uapi/linux/netfilter_bridge/ebt_ip6.h new file mode 100644 index 0000000..42b8896 --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_ip6.h @@ -0,0 +1,50 @@ +/* + * ebt_ip6 + * + * Authors: + * Kuo-Lang Tseng + * Manohar Castelino + * + * Jan 11, 2008 + * + */ + +#ifndef __LINUX_BRIDGE_EBT_IP6_H +#define __LINUX_BRIDGE_EBT_IP6_H + +#include + +#define EBT_IP6_SOURCE 0x01 +#define EBT_IP6_DEST 0x02 +#define EBT_IP6_TCLASS 0x04 +#define EBT_IP6_PROTO 0x08 +#define EBT_IP6_SPORT 0x10 +#define EBT_IP6_DPORT 0x20 +#define EBT_IP6_ICMP6 0x40 + +#define EBT_IP6_MASK (EBT_IP6_SOURCE | EBT_IP6_DEST | EBT_IP6_TCLASS |\ + EBT_IP6_PROTO | EBT_IP6_SPORT | EBT_IP6_DPORT | \ + EBT_IP6_ICMP6) +#define EBT_IP6_MATCH "ip6" + +/* the same values are used for the invflags */ +struct ebt_ip6_info { + struct in6_addr saddr; + struct in6_addr daddr; + struct in6_addr smsk; + struct in6_addr dmsk; + __u8 tclass; + __u8 protocol; + __u8 bitmask; + __u8 invflags; + union { + __u16 sport[2]; + __u8 icmpv6_type[2]; + }; + union { + __u16 dport[2]; + __u8 icmpv6_code[2]; + }; +}; + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_limit.h b/include/uapi/linux/netfilter_bridge/ebt_limit.h new file mode 100644 index 0000000..66d80b3 --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_limit.h @@ -0,0 +1,24 @@ +#ifndef __LINUX_BRIDGE_EBT_LIMIT_H +#define __LINUX_BRIDGE_EBT_LIMIT_H + +#include + +#define EBT_LIMIT_MATCH "limit" + +/* timings are in milliseconds. */ +#define EBT_LIMIT_SCALE 10000 + +/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 + seconds, or one every 59 hours. */ + +struct ebt_limit_info { + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ + + /* Used internally by the kernel */ + unsigned long prev; + __u32 credit; + __u32 credit_cap, cost; +}; + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_log.h b/include/uapi/linux/netfilter_bridge/ebt_log.h new file mode 100644 index 0000000..7e7f1d1 --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_log.h @@ -0,0 +1,20 @@ +#ifndef __LINUX_BRIDGE_EBT_LOG_H +#define __LINUX_BRIDGE_EBT_LOG_H + +#include + +#define EBT_LOG_IP 0x01 /* if the frame is made by ip, log the ip information */ +#define EBT_LOG_ARP 0x02 +#define EBT_LOG_NFLOG 0x04 +#define EBT_LOG_IP6 0x08 +#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP | EBT_LOG_IP6) +#define EBT_LOG_PREFIX_SIZE 30 +#define EBT_LOG_WATCHER "log" + +struct ebt_log_info { + __u8 loglevel; + __u8 prefix[EBT_LOG_PREFIX_SIZE]; + __u32 bitmask; +}; + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_mark_m.h b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h new file mode 100644 index 0000000..410f9e5 --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h @@ -0,0 +1,16 @@ +#ifndef __LINUX_BRIDGE_EBT_MARK_M_H +#define __LINUX_BRIDGE_EBT_MARK_M_H + +#include + +#define EBT_MARK_AND 0x01 +#define EBT_MARK_OR 0x02 +#define EBT_MARK_MASK (EBT_MARK_AND | EBT_MARK_OR) +struct ebt_mark_m_info { + unsigned long mark, mask; + __u8 invert; + __u8 bitmask; +}; +#define EBT_MARK_MATCH "mark_m" + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_mark_t.h b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h new file mode 100644 index 0000000..7d5a268 --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h @@ -0,0 +1,23 @@ +#ifndef __LINUX_BRIDGE_EBT_MARK_T_H +#define __LINUX_BRIDGE_EBT_MARK_T_H + +/* The target member is reused for adding new actions, the + * value of the real target is -1 to -NUM_STANDARD_TARGETS. + * For backward compatibility, the 4 lsb (2 would be enough, + * but let's play it safe) are kept to designate this target. + * The remaining bits designate the action. By making the set + * action 0xfffffff0, the result will look ok for older + * versions. [September 2006] */ +#define MARK_SET_VALUE (0xfffffff0) +#define MARK_OR_VALUE (0xffffffe0) +#define MARK_AND_VALUE (0xffffffd0) +#define MARK_XOR_VALUE (0xffffffc0) + +struct ebt_mark_t_info { + unsigned long mark; + /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ + int target; +}; +#define EBT_MARK_TARGET "mark" + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_nat.h b/include/uapi/linux/netfilter_bridge/ebt_nat.h new file mode 100644 index 0000000..5e74e3b --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_nat.h @@ -0,0 +1,13 @@ +#ifndef __LINUX_BRIDGE_EBT_NAT_H +#define __LINUX_BRIDGE_EBT_NAT_H + +#define NAT_ARP_BIT (0x00000010) +struct ebt_nat_info { + unsigned char mac[ETH_ALEN]; + /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ + int target; +}; +#define EBT_SNAT_TARGET "snat" +#define EBT_DNAT_TARGET "dnat" + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_nflog.h b/include/uapi/linux/netfilter_bridge/ebt_nflog.h new file mode 100644 index 0000000..df829fc --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_nflog.h @@ -0,0 +1,23 @@ +#ifndef __LINUX_BRIDGE_EBT_NFLOG_H +#define __LINUX_BRIDGE_EBT_NFLOG_H + +#include + +#define EBT_NFLOG_MASK 0x0 + +#define EBT_NFLOG_PREFIX_SIZE 64 +#define EBT_NFLOG_WATCHER "nflog" + +#define EBT_NFLOG_DEFAULT_GROUP 0x1 +#define EBT_NFLOG_DEFAULT_THRESHOLD 1 + +struct ebt_nflog_info { + __u32 len; + __u16 group; + __u16 threshold; + __u16 flags; + __u16 pad; + char prefix[EBT_NFLOG_PREFIX_SIZE]; +}; + +#endif /* __LINUX_BRIDGE_EBT_NFLOG_H */ diff --git a/include/uapi/linux/netfilter_bridge/ebt_pkttype.h b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h new file mode 100644 index 0000000..c241bad --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h @@ -0,0 +1,12 @@ +#ifndef __LINUX_BRIDGE_EBT_PKTTYPE_H +#define __LINUX_BRIDGE_EBT_PKTTYPE_H + +#include + +struct ebt_pkttype_info { + __u8 pkt_type; + __u8 invert; +}; +#define EBT_PKTTYPE_MATCH "pkttype" + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_redirect.h b/include/uapi/linux/netfilter_bridge/ebt_redirect.h new file mode 100644 index 0000000..dd9622c --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_redirect.h @@ -0,0 +1,10 @@ +#ifndef __LINUX_BRIDGE_EBT_REDIRECT_H +#define __LINUX_BRIDGE_EBT_REDIRECT_H + +struct ebt_redirect_info { + /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ + int target; +}; +#define EBT_REDIRECT_TARGET "redirect" + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_stp.h b/include/uapi/linux/netfilter_bridge/ebt_stp.h new file mode 100644 index 0000000..1025b9f --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_stp.h @@ -0,0 +1,46 @@ +#ifndef __LINUX_BRIDGE_EBT_STP_H +#define __LINUX_BRIDGE_EBT_STP_H + +#include + +#define EBT_STP_TYPE 0x0001 + +#define EBT_STP_FLAGS 0x0002 +#define EBT_STP_ROOTPRIO 0x0004 +#define EBT_STP_ROOTADDR 0x0008 +#define EBT_STP_ROOTCOST 0x0010 +#define EBT_STP_SENDERPRIO 0x0020 +#define EBT_STP_SENDERADDR 0x0040 +#define EBT_STP_PORT 0x0080 +#define EBT_STP_MSGAGE 0x0100 +#define EBT_STP_MAXAGE 0x0200 +#define EBT_STP_HELLOTIME 0x0400 +#define EBT_STP_FWDD 0x0800 + +#define EBT_STP_MASK 0x0fff +#define EBT_STP_CONFIG_MASK 0x0ffe + +#define EBT_STP_MATCH "stp" + +struct ebt_stp_config_info { + __u8 flags; + __u16 root_priol, root_priou; + char root_addr[6], root_addrmsk[6]; + __u32 root_costl, root_costu; + __u16 sender_priol, sender_priou; + char sender_addr[6], sender_addrmsk[6]; + __u16 portl, portu; + __u16 msg_agel, msg_ageu; + __u16 max_agel, max_ageu; + __u16 hello_timel, hello_timeu; + __u16 forward_delayl, forward_delayu; +}; + +struct ebt_stp_info { + __u8 type; + struct ebt_stp_config_info config; + __u16 bitmask; + __u16 invflags; +}; + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebt_ulog.h b/include/uapi/linux/netfilter_bridge/ebt_ulog.h new file mode 100644 index 0000000..89a6bec --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_ulog.h @@ -0,0 +1,38 @@ +#ifndef _EBT_ULOG_H +#define _EBT_ULOG_H + +#include + +#define EBT_ULOG_DEFAULT_NLGROUP 0 +#define EBT_ULOG_DEFAULT_QTHRESHOLD 1 +#define EBT_ULOG_MAXNLGROUPS 32 /* hardcoded netlink max */ +#define EBT_ULOG_PREFIX_LEN 32 +#define EBT_ULOG_MAX_QLEN 50 +#define EBT_ULOG_WATCHER "ulog" +#define EBT_ULOG_VERSION 1 + +struct ebt_ulog_info { + __u32 nlgroup; + unsigned int cprange; + unsigned int qthreshold; + char prefix[EBT_ULOG_PREFIX_LEN]; +}; + +typedef struct ebt_ulog_packet_msg { + int version; + char indev[IFNAMSIZ]; + char outdev[IFNAMSIZ]; + char physindev[IFNAMSIZ]; + char physoutdev[IFNAMSIZ]; + char prefix[EBT_ULOG_PREFIX_LEN]; + struct timeval stamp; + unsigned long mark; + unsigned int hook; + size_t data_len; + /* The complete packet, including Ethernet header and perhaps + * the VLAN header is appended */ + unsigned char data[0] __attribute__ + ((aligned (__alignof__(struct ebt_ulog_info)))); +} ebt_ulog_packet_msg_t; + +#endif /* _EBT_ULOG_H */ diff --git a/include/uapi/linux/netfilter_bridge/ebt_vlan.h b/include/uapi/linux/netfilter_bridge/ebt_vlan.h new file mode 100644 index 0000000..967d1d5 --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebt_vlan.h @@ -0,0 +1,22 @@ +#ifndef __LINUX_BRIDGE_EBT_VLAN_H +#define __LINUX_BRIDGE_EBT_VLAN_H + +#include + +#define EBT_VLAN_ID 0x01 +#define EBT_VLAN_PRIO 0x02 +#define EBT_VLAN_ENCAP 0x04 +#define EBT_VLAN_MASK (EBT_VLAN_ID | EBT_VLAN_PRIO | EBT_VLAN_ENCAP) +#define EBT_VLAN_MATCH "vlan" + +struct ebt_vlan_info { + __u16 id; /* VLAN ID {1-4095} */ + __u8 prio; /* VLAN User Priority {0-7} */ + __be16 encap; /* VLAN Encapsulated frame code {0-65535} */ + __u8 bitmask; /* Args bitmask bit 1=1 - ID arg, + bit 2=1 User-Priority arg, bit 3=1 encap*/ + __u8 invflags; /* Inverse bitmask bit 1=1 - inversed ID arg, + bit 2=1 - inversed Pirority arg */ +}; + +#endif diff --git a/include/uapi/linux/netfilter_bridge/ebtables.h b/include/uapi/linux/netfilter_bridge/ebtables.h new file mode 100644 index 0000000..ba99336 --- /dev/null +++ b/include/uapi/linux/netfilter_bridge/ebtables.h @@ -0,0 +1,268 @@ +/* + * ebtables + * + * Authors: + * Bart De Schuymer + * + * ebtables.c,v 2.0, April, 2002 + * + * This code is stongly inspired on the iptables code which is + * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling + */ + +#ifndef _UAPI__LINUX_BRIDGE_EFF_H +#define _UAPI__LINUX_BRIDGE_EFF_H +#include +#include +#include + +#define EBT_TABLE_MAXNAMELEN 32 +#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN +#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN + +/* verdicts >0 are "branches" */ +#define EBT_ACCEPT -1 +#define EBT_DROP -2 +#define EBT_CONTINUE -3 +#define EBT_RETURN -4 +#define NUM_STANDARD_TARGETS 4 +/* ebtables target modules store the verdict inside an int. We can + * reclaim a part of this int for backwards compatible extensions. + * The 4 lsb are more than enough to store the verdict. */ +#define EBT_VERDICT_BITS 0x0000000F + +struct xt_match; +struct xt_target; + +struct ebt_counter { + uint64_t pcnt; + uint64_t bcnt; +}; + +struct ebt_replace { + char name[EBT_TABLE_MAXNAMELEN]; + unsigned int valid_hooks; + /* nr of rules in the table */ + unsigned int nentries; + /* total size of the entries */ + unsigned int entries_size; + /* start of the chains */ + struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS]; + /* nr of counters userspace expects back */ + unsigned int num_counters; + /* where the kernel will put the old counters */ + struct ebt_counter __user *counters; + char __user *entries; +}; + +struct ebt_replace_kernel { + char name[EBT_TABLE_MAXNAMELEN]; + unsigned int valid_hooks; + /* nr of rules in the table */ + unsigned int nentries; + /* total size of the entries */ + unsigned int entries_size; + /* start of the chains */ + struct ebt_entries *hook_entry[NF_BR_NUMHOOKS]; + /* nr of counters userspace expects back */ + unsigned int num_counters; + /* where the kernel will put the old counters */ + struct ebt_counter *counters; + char *entries; +}; + +struct ebt_entries { + /* this field is always set to zero + * See EBT_ENTRY_OR_ENTRIES. + * Must be same size as ebt_entry.bitmask */ + unsigned int distinguisher; + /* the chain name */ + char name[EBT_CHAIN_MAXNAMELEN]; + /* counter offset for this chain */ + unsigned int counter_offset; + /* one standard (accept, drop, return) per hook */ + int policy; + /* nr. of entries */ + unsigned int nentries; + /* entry list */ + char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); +}; + +/* used for the bitmask of struct ebt_entry */ + +/* This is a hack to make a difference between an ebt_entry struct and an + * ebt_entries struct when traversing the entries from start to end. + * Using this simplifies the code a lot, while still being able to use + * ebt_entries. + * Contrary, iptables doesn't use something like ebt_entries and therefore uses + * different techniques for naming the policy and such. So, iptables doesn't + * need a hack like this. + */ +#define EBT_ENTRY_OR_ENTRIES 0x01 +/* these are the normal masks */ +#define EBT_NOPROTO 0x02 +#define EBT_802_3 0x04 +#define EBT_SOURCEMAC 0x08 +#define EBT_DESTMAC 0x10 +#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \ + | EBT_ENTRY_OR_ENTRIES) + +#define EBT_IPROTO 0x01 +#define EBT_IIN 0x02 +#define EBT_IOUT 0x04 +#define EBT_ISOURCE 0x8 +#define EBT_IDEST 0x10 +#define EBT_ILOGICALIN 0x20 +#define EBT_ILOGICALOUT 0x40 +#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \ + | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST) + +struct ebt_entry_match { + union { + char name[EBT_FUNCTION_MAXNAMELEN]; + struct xt_match *match; + } u; + /* size of data */ + unsigned int match_size; + unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); +}; + +struct ebt_entry_watcher { + union { + char name[EBT_FUNCTION_MAXNAMELEN]; + struct xt_target *watcher; + } u; + /* size of data */ + unsigned int watcher_size; + unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); +}; + +struct ebt_entry_target { + union { + char name[EBT_FUNCTION_MAXNAMELEN]; + struct xt_target *target; + } u; + /* size of data */ + unsigned int target_size; + unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); +}; + +#define EBT_STANDARD_TARGET "standard" +struct ebt_standard_target { + struct ebt_entry_target target; + int verdict; +}; + +/* one entry */ +struct ebt_entry { + /* this needs to be the first field */ + unsigned int bitmask; + unsigned int invflags; + __be16 ethproto; + /* the physical in-dev */ + char in[IFNAMSIZ]; + /* the logical in-dev */ + char logical_in[IFNAMSIZ]; + /* the physical out-dev */ + char out[IFNAMSIZ]; + /* the logical out-dev */ + char logical_out[IFNAMSIZ]; + unsigned char sourcemac[ETH_ALEN]; + unsigned char sourcemsk[ETH_ALEN]; + unsigned char destmac[ETH_ALEN]; + unsigned char destmsk[ETH_ALEN]; + /* sizeof ebt_entry + matches */ + unsigned int watchers_offset; + /* sizeof ebt_entry + matches + watchers */ + unsigned int target_offset; + /* sizeof ebt_entry + matches + watchers + target */ + unsigned int next_offset; + unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); +}; + +/* {g,s}etsockopt numbers */ +#define EBT_BASE_CTL 128 + +#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) +#define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1) +#define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1) + +#define EBT_SO_GET_INFO (EBT_BASE_CTL) +#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1) +#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1) +#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1) +#define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1) + + +/* blatently stolen from ip_tables.h + * fn returns 0 to continue iteration */ +#define EBT_MATCH_ITERATE(e, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct ebt_entry_match *__match; \ + \ + for (__i = sizeof(struct ebt_entry); \ + __i < (e)->watchers_offset; \ + __i += __match->match_size + \ + sizeof(struct ebt_entry_match)) { \ + __match = (void *)(e) + __i; \ + \ + __ret = fn(__match , ## args); \ + if (__ret != 0) \ + break; \ + } \ + if (__ret == 0) { \ + if (__i != (e)->watchers_offset) \ + __ret = -EINVAL; \ + } \ + __ret; \ +}) + +#define EBT_WATCHER_ITERATE(e, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct ebt_entry_watcher *__watcher; \ + \ + for (__i = e->watchers_offset; \ + __i < (e)->target_offset; \ + __i += __watcher->watcher_size + \ + sizeof(struct ebt_entry_watcher)) { \ + __watcher = (void *)(e) + __i; \ + \ + __ret = fn(__watcher , ## args); \ + if (__ret != 0) \ + break; \ + } \ + if (__ret == 0) { \ + if (__i != (e)->target_offset) \ + __ret = -EINVAL; \ + } \ + __ret; \ +}) + +#define EBT_ENTRY_ITERATE(entries, size, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct ebt_entry *__entry; \ + \ + for (__i = 0; __i < (size);) { \ + __entry = (void *)(entries) + __i; \ + __ret = fn(__entry , ## args); \ + if (__ret != 0) \ + break; \ + if (__entry->bitmask != 0) \ + __i += __entry->next_offset; \ + else \ + __i += sizeof(struct ebt_entries); \ + } \ + if (__ret == 0) { \ + if (__i != (size)) \ + __ret = -EINVAL; \ + } \ + __ret; \ +}) + +#endif /* _UAPI__LINUX_BRIDGE_EFF_H */ -- cgit v0.10.2 From 17c075923da59c217155d0758ee0715641ebc152 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 9 Oct 2012 09:48:59 +0100 Subject: UAPI: (Scripted) Disintegrate include/linux/netfilter_ipv4 Signed-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild index 8ba0c5b..e69de29 100644 --- a/include/linux/netfilter_ipv4/Kbuild +++ b/include/linux/netfilter_ipv4/Kbuild @@ -1,10 +0,0 @@ -header-y += ip_tables.h -header-y += ipt_CLUSTERIP.h -header-y += ipt_ECN.h -header-y += ipt_LOG.h -header-y += ipt_REJECT.h -header-y += ipt_TTL.h -header-y += ipt_ULOG.h -header-y += ipt_ah.h -header-y += ipt_ecn.h -header-y += ipt_ttl.h diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index db79231..901e84d 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -11,230 +11,17 @@ * flags are stored in host byte order (of course). * Port numbers are stored in HOST byte order. */ - #ifndef _IPTABLES_H #define _IPTABLES_H -#ifdef __KERNEL__ #include #include #include #include -#endif -#include -#include -#include - -#include - -#ifndef __KERNEL__ -#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN -#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN -#define ipt_match xt_match -#define ipt_target xt_target -#define ipt_table xt_table -#define ipt_get_revision xt_get_revision -#define ipt_entry_match xt_entry_match -#define ipt_entry_target xt_entry_target -#define ipt_standard_target xt_standard_target -#define ipt_error_target xt_error_target -#define ipt_counters xt_counters -#define IPT_CONTINUE XT_CONTINUE -#define IPT_RETURN XT_RETURN - -/* This group is older than old (iptables < v1.4.0-rc1~89) */ -#include -#define ipt_udp xt_udp -#define ipt_tcp xt_tcp -#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT -#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT -#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS -#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION -#define IPT_TCP_INV_MASK XT_TCP_INV_MASK -#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT -#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT -#define IPT_UDP_INV_MASK XT_UDP_INV_MASK - -/* The argument to IPT_SO_ADD_COUNTERS. */ -#define ipt_counters_info xt_counters_info -/* Standard return verdict, or do jump. */ -#define IPT_STANDARD_TARGET XT_STANDARD_TARGET -/* Error verdict. */ -#define IPT_ERROR_TARGET XT_ERROR_TARGET - -/* fn returns 0 to continue iteration */ -#define IPT_MATCH_ITERATE(e, fn, args...) \ - XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args) - -/* fn returns 0 to continue iteration */ -#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ - XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args) -#endif - -/* Yes, Virginia, you have to zero the padding. */ -struct ipt_ip { - /* Source and destination IP addr */ - struct in_addr src, dst; - /* Mask for src and dest IP addr */ - struct in_addr smsk, dmsk; - char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; - unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; - - /* Protocol, 0 = ANY */ - __u16 proto; - - /* Flags word */ - __u8 flags; - /* Inverse flags */ - __u8 invflags; -}; - -/* Values for "flag" field in struct ipt_ip (general ip structure). */ -#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ -#define IPT_F_GOTO 0x02 /* Set if jump is a goto */ -#define IPT_F_MASK 0x03 /* All possible flag bits mask. */ - -/* Values for "inv" field in struct ipt_ip. */ -#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ -#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ -#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */ -#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ -#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ -#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */ -#define IPT_INV_PROTO XT_INV_PROTO -#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */ - -/* This structure defines each of the firewall rules. Consists of 3 - parts which are 1) general IP header stuff 2) match specific - stuff 3) the target to perform if the rule matches */ -struct ipt_entry { - struct ipt_ip ip; - - /* Mark with fields that we care about. */ - unsigned int nfcache; - - /* Size of ipt_entry + matches */ - __u16 target_offset; - /* Size of ipt_entry + matches + target */ - __u16 next_offset; - - /* Back pointer */ - unsigned int comefrom; - - /* Packet and byte counters. */ - struct xt_counters counters; - - /* The matches (if any), then the target. */ - unsigned char elems[0]; -}; - -/* - * New IP firewall options for [gs]etsockopt at the RAW IP level. - * Unlike BSD Linux inherits IP options so you don't have to use a raw - * socket for this. Instead we check rights in the calls. - * - * ATTENTION: check linux/in.h before adding new number here. - */ -#define IPT_BASE_CTL 64 - -#define IPT_SO_SET_REPLACE (IPT_BASE_CTL) -#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) -#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS - -#define IPT_SO_GET_INFO (IPT_BASE_CTL) -#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) -#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2) -#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) -#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET - -/* ICMP matching stuff */ -struct ipt_icmp { - __u8 type; /* type to match */ - __u8 code[2]; /* range of code */ - __u8 invflags; /* Inverse flags */ -}; - -/* Values for "inv" field for struct ipt_icmp. */ -#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */ - -/* The argument to IPT_SO_GET_INFO */ -struct ipt_getinfo { - /* Which table: caller fills this in. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* Kernel fills these in. */ - /* Which hook entry points are valid: bitmask */ - unsigned int valid_hooks; - - /* Hook entry points: one per netfilter hook. */ - unsigned int hook_entry[NF_INET_NUMHOOKS]; - - /* Underflow points. */ - unsigned int underflow[NF_INET_NUMHOOKS]; - - /* Number of entries */ - unsigned int num_entries; - - /* Size of entries. */ - unsigned int size; -}; - -/* The argument to IPT_SO_SET_REPLACE. */ -struct ipt_replace { - /* Which table. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* Which hook entry points are valid: bitmask. You can't - change this. */ - unsigned int valid_hooks; - - /* Number of entries */ - unsigned int num_entries; - - /* Total size of new entries */ - unsigned int size; - - /* Hook entry points. */ - unsigned int hook_entry[NF_INET_NUMHOOKS]; - - /* Underflow points. */ - unsigned int underflow[NF_INET_NUMHOOKS]; - - /* Information about old entries: */ - /* Number of counters (must be equal to current number of entries). */ - unsigned int num_counters; - /* The old entries' counters. */ - struct xt_counters __user *counters; - - /* The entries (hang off end: not really an array). */ - struct ipt_entry entries[0]; -}; - -/* The argument to IPT_SO_GET_ENTRIES. */ -struct ipt_get_entries { - /* Which table: user fills this in. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* User fills this in: total entry size. */ - unsigned int size; - - /* The entries. */ - struct ipt_entry entrytable[0]; -}; - -/* Helper functions */ -static __inline__ struct xt_entry_target * -ipt_get_target(struct ipt_entry *e) -{ - return (void *)e + e->target_offset; -} - -/* - * Main firewall chains definitions and global var's definitions. - */ -#ifdef __KERNEL__ #include +#include + extern void ipt_init(void) __init; extern struct xt_table *ipt_register_table(struct net *net, @@ -303,5 +90,4 @@ compat_ipt_get_target(struct compat_ipt_entry *e) } #endif /* CONFIG_COMPAT */ -#endif /*__KERNEL__*/ #endif /* _IPTABLES_H */ diff --git a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h deleted file mode 100644 index c6a204c..0000000 --- a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h +++ /dev/null @@ -1,36 +0,0 @@ -#ifndef _IPT_CLUSTERIP_H_target -#define _IPT_CLUSTERIP_H_target - -#include - -enum clusterip_hashmode { - CLUSTERIP_HASHMODE_SIP = 0, - CLUSTERIP_HASHMODE_SIP_SPT, - CLUSTERIP_HASHMODE_SIP_SPT_DPT, -}; - -#define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT - -#define CLUSTERIP_MAX_NODES 16 - -#define CLUSTERIP_FLAG_NEW 0x00000001 - -struct clusterip_config; - -struct ipt_clusterip_tgt_info { - - __u32 flags; - - /* only relevant for new ones */ - __u8 clustermac[6]; - __u16 num_total_nodes; - __u16 num_local_nodes; - __u16 local_nodes[CLUSTERIP_MAX_NODES]; - __u32 hash_mode; - __u32 hash_initval; - - /* Used internally by the kernel */ - struct clusterip_config *config; -}; - -#endif /*_IPT_CLUSTERIP_H_target*/ diff --git a/include/linux/netfilter_ipv4/ipt_ECN.h b/include/linux/netfilter_ipv4/ipt_ECN.h deleted file mode 100644 index bb88d53..0000000 --- a/include/linux/netfilter_ipv4/ipt_ECN.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Header file for iptables ipt_ECN target - * - * (C) 2002 by Harald Welte - * - * This software is distributed under GNU GPL v2, 1991 - * - * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp -*/ -#ifndef _IPT_ECN_TARGET_H -#define _IPT_ECN_TARGET_H - -#include -#include - -#define IPT_ECN_IP_MASK (~XT_DSCP_MASK) - -#define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */ -#define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */ -#define IPT_ECN_OP_SET_CWR 0x20 /* set CWR bit of TCP header */ - -#define IPT_ECN_OP_MASK 0xce - -struct ipt_ECN_info { - __u8 operation; /* bitset of operations */ - __u8 ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */ - union { - struct { - __u8 ece:1, cwr:1; /* TCP ECT bits */ - } tcp; - } proto; -}; - -#endif /* _IPT_ECN_TARGET_H */ diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h deleted file mode 100644 index 5d81520..0000000 --- a/include/linux/netfilter_ipv4/ipt_LOG.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef _IPT_LOG_H -#define _IPT_LOG_H - -#warning "Please update iptables, this file will be removed soon!" - -/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */ -#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ -#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */ -#define IPT_LOG_IPOPT 0x04 /* Log IP options */ -#define IPT_LOG_UID 0x08 /* Log UID owning local socket */ -#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ -#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */ -#define IPT_LOG_MASK 0x2f - -struct ipt_log_info { - unsigned char level; - unsigned char logflags; - char prefix[30]; -}; - -#endif /*_IPT_LOG_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_REJECT.h b/include/linux/netfilter_ipv4/ipt_REJECT.h deleted file mode 100644 index 4293a1a..0000000 --- a/include/linux/netfilter_ipv4/ipt_REJECT.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef _IPT_REJECT_H -#define _IPT_REJECT_H - -enum ipt_reject_with { - IPT_ICMP_NET_UNREACHABLE, - IPT_ICMP_HOST_UNREACHABLE, - IPT_ICMP_PROT_UNREACHABLE, - IPT_ICMP_PORT_UNREACHABLE, - IPT_ICMP_ECHOREPLY, - IPT_ICMP_NET_PROHIBITED, - IPT_ICMP_HOST_PROHIBITED, - IPT_TCP_RESET, - IPT_ICMP_ADMIN_PROHIBITED -}; - -struct ipt_reject_info { - enum ipt_reject_with with; /* reject type */ -}; - -#endif /*_IPT_REJECT_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_TTL.h b/include/linux/netfilter_ipv4/ipt_TTL.h deleted file mode 100644 index f6ac169..0000000 --- a/include/linux/netfilter_ipv4/ipt_TTL.h +++ /dev/null @@ -1,23 +0,0 @@ -/* TTL modification module for IP tables - * (C) 2000 by Harald Welte */ - -#ifndef _IPT_TTL_H -#define _IPT_TTL_H - -#include - -enum { - IPT_TTL_SET = 0, - IPT_TTL_INC, - IPT_TTL_DEC -}; - -#define IPT_TTL_MAXMODE IPT_TTL_DEC - -struct ipt_TTL_info { - __u8 mode; - __u8 ttl; -}; - - -#endif diff --git a/include/linux/netfilter_ipv4/ipt_ULOG.h b/include/linux/netfilter_ipv4/ipt_ULOG.h deleted file mode 100644 index 417aad2..0000000 --- a/include/linux/netfilter_ipv4/ipt_ULOG.h +++ /dev/null @@ -1,49 +0,0 @@ -/* Header file for IP tables userspace logging, Version 1.8 - * - * (C) 2000-2002 by Harald Welte - * - * Distributed under the terms of GNU GPL */ - -#ifndef _IPT_ULOG_H -#define _IPT_ULOG_H - -#ifndef NETLINK_NFLOG -#define NETLINK_NFLOG 5 -#endif - -#define ULOG_DEFAULT_NLGROUP 1 -#define ULOG_DEFAULT_QTHRESHOLD 1 - -#define ULOG_MAC_LEN 80 -#define ULOG_PREFIX_LEN 32 - -#define ULOG_MAX_QLEN 50 -/* Why 50? Well... there is a limit imposed by the slab cache 131000 - * bytes. So the multipart netlink-message has to be < 131000 bytes. - * Assuming a standard ethernet-mtu of 1500, we could define this up - * to 80... but even 50 seems to be big enough. */ - -/* private data structure for each rule with a ULOG target */ -struct ipt_ulog_info { - unsigned int nl_group; - size_t copy_range; - size_t qthreshold; - char prefix[ULOG_PREFIX_LEN]; -}; - -/* Format of the ULOG packets passed through netlink */ -typedef struct ulog_packet_msg { - unsigned long mark; - long timestamp_sec; - long timestamp_usec; - unsigned int hook; - char indev_name[IFNAMSIZ]; - char outdev_name[IFNAMSIZ]; - size_t data_len; - char prefix[ULOG_PREFIX_LEN]; - unsigned char mac_len; - unsigned char mac[ULOG_MAC_LEN]; - unsigned char payload[0]; -} ulog_packet_msg_t; - -#endif /*_IPT_ULOG_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_ah.h b/include/linux/netfilter_ipv4/ipt_ah.h deleted file mode 100644 index 4e02bb0..0000000 --- a/include/linux/netfilter_ipv4/ipt_ah.h +++ /dev/null @@ -1,17 +0,0 @@ -#ifndef _IPT_AH_H -#define _IPT_AH_H - -#include - -struct ipt_ah { - __u32 spis[2]; /* Security Parameter Index */ - __u8 invflags; /* Inverse flags */ -}; - - - -/* Values for "invflags" field in struct ipt_ah. */ -#define IPT_AH_INV_SPI 0x01 /* Invert the sense of spi. */ -#define IPT_AH_INV_MASK 0x01 /* All possible flags. */ - -#endif /*_IPT_AH_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h deleted file mode 100644 index 0e0c063..0000000 --- a/include/linux/netfilter_ipv4/ipt_ecn.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef _IPT_ECN_H -#define _IPT_ECN_H - -#include -#define ipt_ecn_info xt_ecn_info - -enum { - IPT_ECN_IP_MASK = XT_ECN_IP_MASK, - IPT_ECN_OP_MATCH_IP = XT_ECN_OP_MATCH_IP, - IPT_ECN_OP_MATCH_ECE = XT_ECN_OP_MATCH_ECE, - IPT_ECN_OP_MATCH_CWR = XT_ECN_OP_MATCH_CWR, - IPT_ECN_OP_MATCH_MASK = XT_ECN_OP_MATCH_MASK, -}; - -#endif /* IPT_ECN_H */ diff --git a/include/linux/netfilter_ipv4/ipt_ttl.h b/include/linux/netfilter_ipv4/ipt_ttl.h deleted file mode 100644 index 37bee44..0000000 --- a/include/linux/netfilter_ipv4/ipt_ttl.h +++ /dev/null @@ -1,23 +0,0 @@ -/* IP tables module for matching the value of the TTL - * (C) 2000 by Harald Welte */ - -#ifndef _IPT_TTL_H -#define _IPT_TTL_H - -#include - -enum { - IPT_TTL_EQ = 0, /* equals */ - IPT_TTL_NE, /* not equals */ - IPT_TTL_LT, /* less than */ - IPT_TTL_GT, /* greater than */ -}; - - -struct ipt_ttl_info { - __u8 mode; - __u8 ttl; -}; - - -#endif diff --git a/include/uapi/linux/netfilter_ipv4/Kbuild b/include/uapi/linux/netfilter_ipv4/Kbuild index aafaa5a..fb00843 100644 --- a/include/uapi/linux/netfilter_ipv4/Kbuild +++ b/include/uapi/linux/netfilter_ipv4/Kbuild @@ -1 +1,11 @@ # UAPI Header export list +header-y += ip_tables.h +header-y += ipt_CLUSTERIP.h +header-y += ipt_ECN.h +header-y += ipt_LOG.h +header-y += ipt_REJECT.h +header-y += ipt_TTL.h +header-y += ipt_ULOG.h +header-y += ipt_ah.h +header-y += ipt_ecn.h +header-y += ipt_ttl.h diff --git a/include/uapi/linux/netfilter_ipv4/ip_tables.h b/include/uapi/linux/netfilter_ipv4/ip_tables.h new file mode 100644 index 0000000..f1e6ef2 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv4/ip_tables.h @@ -0,0 +1,229 @@ +/* + * 25-Jul-1998 Major changes to allow for ip chain table + * + * 3-Jan-2000 Named tables to allow packet selection for different uses. + */ + +/* + * Format of an IP firewall descriptor + * + * src, dst, src_mask, dst_mask are always stored in network byte order. + * flags are stored in host byte order (of course). + * Port numbers are stored in HOST byte order. + */ + +#ifndef _UAPI_IPTABLES_H +#define _UAPI_IPTABLES_H + +#include +#include +#include + +#include + +#ifndef __KERNEL__ +#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN +#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN +#define ipt_match xt_match +#define ipt_target xt_target +#define ipt_table xt_table +#define ipt_get_revision xt_get_revision +#define ipt_entry_match xt_entry_match +#define ipt_entry_target xt_entry_target +#define ipt_standard_target xt_standard_target +#define ipt_error_target xt_error_target +#define ipt_counters xt_counters +#define IPT_CONTINUE XT_CONTINUE +#define IPT_RETURN XT_RETURN + +/* This group is older than old (iptables < v1.4.0-rc1~89) */ +#include +#define ipt_udp xt_udp +#define ipt_tcp xt_tcp +#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT +#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT +#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS +#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION +#define IPT_TCP_INV_MASK XT_TCP_INV_MASK +#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT +#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT +#define IPT_UDP_INV_MASK XT_UDP_INV_MASK + +/* The argument to IPT_SO_ADD_COUNTERS. */ +#define ipt_counters_info xt_counters_info +/* Standard return verdict, or do jump. */ +#define IPT_STANDARD_TARGET XT_STANDARD_TARGET +/* Error verdict. */ +#define IPT_ERROR_TARGET XT_ERROR_TARGET + +/* fn returns 0 to continue iteration */ +#define IPT_MATCH_ITERATE(e, fn, args...) \ + XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args) + +/* fn returns 0 to continue iteration */ +#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ + XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args) +#endif + +/* Yes, Virginia, you have to zero the padding. */ +struct ipt_ip { + /* Source and destination IP addr */ + struct in_addr src, dst; + /* Mask for src and dest IP addr */ + struct in_addr smsk, dmsk; + char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; + unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; + + /* Protocol, 0 = ANY */ + __u16 proto; + + /* Flags word */ + __u8 flags; + /* Inverse flags */ + __u8 invflags; +}; + +/* Values for "flag" field in struct ipt_ip (general ip structure). */ +#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ +#define IPT_F_GOTO 0x02 /* Set if jump is a goto */ +#define IPT_F_MASK 0x03 /* All possible flag bits mask. */ + +/* Values for "inv" field in struct ipt_ip. */ +#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ +#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ +#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */ +#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ +#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ +#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */ +#define IPT_INV_PROTO XT_INV_PROTO +#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */ + +/* This structure defines each of the firewall rules. Consists of 3 + parts which are 1) general IP header stuff 2) match specific + stuff 3) the target to perform if the rule matches */ +struct ipt_entry { + struct ipt_ip ip; + + /* Mark with fields that we care about. */ + unsigned int nfcache; + + /* Size of ipt_entry + matches */ + __u16 target_offset; + /* Size of ipt_entry + matches + target */ + __u16 next_offset; + + /* Back pointer */ + unsigned int comefrom; + + /* Packet and byte counters. */ + struct xt_counters counters; + + /* The matches (if any), then the target. */ + unsigned char elems[0]; +}; + +/* + * New IP firewall options for [gs]etsockopt at the RAW IP level. + * Unlike BSD Linux inherits IP options so you don't have to use a raw + * socket for this. Instead we check rights in the calls. + * + * ATTENTION: check linux/in.h before adding new number here. + */ +#define IPT_BASE_CTL 64 + +#define IPT_SO_SET_REPLACE (IPT_BASE_CTL) +#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) +#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS + +#define IPT_SO_GET_INFO (IPT_BASE_CTL) +#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) +#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2) +#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) +#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET + +/* ICMP matching stuff */ +struct ipt_icmp { + __u8 type; /* type to match */ + __u8 code[2]; /* range of code */ + __u8 invflags; /* Inverse flags */ +}; + +/* Values for "inv" field for struct ipt_icmp. */ +#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */ + +/* The argument to IPT_SO_GET_INFO */ +struct ipt_getinfo { + /* Which table: caller fills this in. */ + char name[XT_TABLE_MAXNAMELEN]; + + /* Kernel fills these in. */ + /* Which hook entry points are valid: bitmask */ + unsigned int valid_hooks; + + /* Hook entry points: one per netfilter hook. */ + unsigned int hook_entry[NF_INET_NUMHOOKS]; + + /* Underflow points. */ + unsigned int underflow[NF_INET_NUMHOOKS]; + + /* Number of entries */ + unsigned int num_entries; + + /* Size of entries. */ + unsigned int size; +}; + +/* The argument to IPT_SO_SET_REPLACE. */ +struct ipt_replace { + /* Which table. */ + char name[XT_TABLE_MAXNAMELEN]; + + /* Which hook entry points are valid: bitmask. You can't + change this. */ + unsigned int valid_hooks; + + /* Number of entries */ + unsigned int num_entries; + + /* Total size of new entries */ + unsigned int size; + + /* Hook entry points. */ + unsigned int hook_entry[NF_INET_NUMHOOKS]; + + /* Underflow points. */ + unsigned int underflow[NF_INET_NUMHOOKS]; + + /* Information about old entries: */ + /* Number of counters (must be equal to current number of entries). */ + unsigned int num_counters; + /* The old entries' counters. */ + struct xt_counters __user *counters; + + /* The entries (hang off end: not really an array). */ + struct ipt_entry entries[0]; +}; + +/* The argument to IPT_SO_GET_ENTRIES. */ +struct ipt_get_entries { + /* Which table: user fills this in. */ + char name[XT_TABLE_MAXNAMELEN]; + + /* User fills this in: total entry size. */ + unsigned int size; + + /* The entries. */ + struct ipt_entry entrytable[0]; +}; + +/* Helper functions */ +static __inline__ struct xt_entry_target * +ipt_get_target(struct ipt_entry *e) +{ + return (void *)e + e->target_offset; +} + +/* + * Main firewall chains definitions and global var's definitions. + */ +#endif /* _UAPI_IPTABLES_H */ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h new file mode 100644 index 0000000..c6a204c --- /dev/null +++ b/include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h @@ -0,0 +1,36 @@ +#ifndef _IPT_CLUSTERIP_H_target +#define _IPT_CLUSTERIP_H_target + +#include + +enum clusterip_hashmode { + CLUSTERIP_HASHMODE_SIP = 0, + CLUSTERIP_HASHMODE_SIP_SPT, + CLUSTERIP_HASHMODE_SIP_SPT_DPT, +}; + +#define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT + +#define CLUSTERIP_MAX_NODES 16 + +#define CLUSTERIP_FLAG_NEW 0x00000001 + +struct clusterip_config; + +struct ipt_clusterip_tgt_info { + + __u32 flags; + + /* only relevant for new ones */ + __u8 clustermac[6]; + __u16 num_total_nodes; + __u16 num_local_nodes; + __u16 local_nodes[CLUSTERIP_MAX_NODES]; + __u32 hash_mode; + __u32 hash_initval; + + /* Used internally by the kernel */ + struct clusterip_config *config; +}; + +#endif /*_IPT_CLUSTERIP_H_target*/ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ECN.h b/include/uapi/linux/netfilter_ipv4/ipt_ECN.h new file mode 100644 index 0000000..bb88d53 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv4/ipt_ECN.h @@ -0,0 +1,33 @@ +/* Header file for iptables ipt_ECN target + * + * (C) 2002 by Harald Welte + * + * This software is distributed under GNU GPL v2, 1991 + * + * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp +*/ +#ifndef _IPT_ECN_TARGET_H +#define _IPT_ECN_TARGET_H + +#include +#include + +#define IPT_ECN_IP_MASK (~XT_DSCP_MASK) + +#define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */ +#define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */ +#define IPT_ECN_OP_SET_CWR 0x20 /* set CWR bit of TCP header */ + +#define IPT_ECN_OP_MASK 0xce + +struct ipt_ECN_info { + __u8 operation; /* bitset of operations */ + __u8 ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */ + union { + struct { + __u8 ece:1, cwr:1; /* TCP ECT bits */ + } tcp; + } proto; +}; + +#endif /* _IPT_ECN_TARGET_H */ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_LOG.h b/include/uapi/linux/netfilter_ipv4/ipt_LOG.h new file mode 100644 index 0000000..5d81520 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv4/ipt_LOG.h @@ -0,0 +1,21 @@ +#ifndef _IPT_LOG_H +#define _IPT_LOG_H + +#warning "Please update iptables, this file will be removed soon!" + +/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */ +#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ +#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */ +#define IPT_LOG_IPOPT 0x04 /* Log IP options */ +#define IPT_LOG_UID 0x08 /* Log UID owning local socket */ +#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ +#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */ +#define IPT_LOG_MASK 0x2f + +struct ipt_log_info { + unsigned char level; + unsigned char logflags; + char prefix[30]; +}; + +#endif /*_IPT_LOG_H*/ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_REJECT.h b/include/uapi/linux/netfilter_ipv4/ipt_REJECT.h new file mode 100644 index 0000000..4293a1a --- /dev/null +++ b/include/uapi/linux/netfilter_ipv4/ipt_REJECT.h @@ -0,0 +1,20 @@ +#ifndef _IPT_REJECT_H +#define _IPT_REJECT_H + +enum ipt_reject_with { + IPT_ICMP_NET_UNREACHABLE, + IPT_ICMP_HOST_UNREACHABLE, + IPT_ICMP_PROT_UNREACHABLE, + IPT_ICMP_PORT_UNREACHABLE, + IPT_ICMP_ECHOREPLY, + IPT_ICMP_NET_PROHIBITED, + IPT_ICMP_HOST_PROHIBITED, + IPT_TCP_RESET, + IPT_ICMP_ADMIN_PROHIBITED +}; + +struct ipt_reject_info { + enum ipt_reject_with with; /* reject type */ +}; + +#endif /*_IPT_REJECT_H*/ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_TTL.h b/include/uapi/linux/netfilter_ipv4/ipt_TTL.h new file mode 100644 index 0000000..f6ac169 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv4/ipt_TTL.h @@ -0,0 +1,23 @@ +/* TTL modification module for IP tables + * (C) 2000 by Harald Welte */ + +#ifndef _IPT_TTL_H +#define _IPT_TTL_H + +#include + +enum { + IPT_TTL_SET = 0, + IPT_TTL_INC, + IPT_TTL_DEC +}; + +#define IPT_TTL_MAXMODE IPT_TTL_DEC + +struct ipt_TTL_info { + __u8 mode; + __u8 ttl; +}; + + +#endif diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ULOG.h b/include/uapi/linux/netfilter_ipv4/ipt_ULOG.h new file mode 100644 index 0000000..417aad2 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv4/ipt_ULOG.h @@ -0,0 +1,49 @@ +/* Header file for IP tables userspace logging, Version 1.8 + * + * (C) 2000-2002 by Harald Welte + * + * Distributed under the terms of GNU GPL */ + +#ifndef _IPT_ULOG_H +#define _IPT_ULOG_H + +#ifndef NETLINK_NFLOG +#define NETLINK_NFLOG 5 +#endif + +#define ULOG_DEFAULT_NLGROUP 1 +#define ULOG_DEFAULT_QTHRESHOLD 1 + +#define ULOG_MAC_LEN 80 +#define ULOG_PREFIX_LEN 32 + +#define ULOG_MAX_QLEN 50 +/* Why 50? Well... there is a limit imposed by the slab cache 131000 + * bytes. So the multipart netlink-message has to be < 131000 bytes. + * Assuming a standard ethernet-mtu of 1500, we could define this up + * to 80... but even 50 seems to be big enough. */ + +/* private data structure for each rule with a ULOG target */ +struct ipt_ulog_info { + unsigned int nl_group; + size_t copy_range; + size_t qthreshold; + char prefix[ULOG_PREFIX_LEN]; +}; + +/* Format of the ULOG packets passed through netlink */ +typedef struct ulog_packet_msg { + unsigned long mark; + long timestamp_sec; + long timestamp_usec; + unsigned int hook; + char indev_name[IFNAMSIZ]; + char outdev_name[IFNAMSIZ]; + size_t data_len; + char prefix[ULOG_PREFIX_LEN]; + unsigned char mac_len; + unsigned char mac[ULOG_MAC_LEN]; + unsigned char payload[0]; +} ulog_packet_msg_t; + +#endif /*_IPT_ULOG_H*/ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ah.h b/include/uapi/linux/netfilter_ipv4/ipt_ah.h new file mode 100644 index 0000000..4e02bb0 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv4/ipt_ah.h @@ -0,0 +1,17 @@ +#ifndef _IPT_AH_H +#define _IPT_AH_H + +#include + +struct ipt_ah { + __u32 spis[2]; /* Security Parameter Index */ + __u8 invflags; /* Inverse flags */ +}; + + + +/* Values for "invflags" field in struct ipt_ah. */ +#define IPT_AH_INV_SPI 0x01 /* Invert the sense of spi. */ +#define IPT_AH_INV_MASK 0x01 /* All possible flags. */ + +#endif /*_IPT_AH_H*/ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ecn.h b/include/uapi/linux/netfilter_ipv4/ipt_ecn.h new file mode 100644 index 0000000..0e0c063 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv4/ipt_ecn.h @@ -0,0 +1,15 @@ +#ifndef _IPT_ECN_H +#define _IPT_ECN_H + +#include +#define ipt_ecn_info xt_ecn_info + +enum { + IPT_ECN_IP_MASK = XT_ECN_IP_MASK, + IPT_ECN_OP_MATCH_IP = XT_ECN_OP_MATCH_IP, + IPT_ECN_OP_MATCH_ECE = XT_ECN_OP_MATCH_ECE, + IPT_ECN_OP_MATCH_CWR = XT_ECN_OP_MATCH_CWR, + IPT_ECN_OP_MATCH_MASK = XT_ECN_OP_MATCH_MASK, +}; + +#endif /* IPT_ECN_H */ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ttl.h b/include/uapi/linux/netfilter_ipv4/ipt_ttl.h new file mode 100644 index 0000000..37bee44 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv4/ipt_ttl.h @@ -0,0 +1,23 @@ +/* IP tables module for matching the value of the TTL + * (C) 2000 by Harald Welte */ + +#ifndef _IPT_TTL_H +#define _IPT_TTL_H + +#include + +enum { + IPT_TTL_EQ = 0, /* equals */ + IPT_TTL_NE, /* not equals */ + IPT_TTL_LT, /* less than */ + IPT_TTL_GT, /* greater than */ +}; + + +struct ipt_ttl_info { + __u8 mode; + __u8 ttl; +}; + + +#endif -- cgit v0.10.2 From ff1e1756c974fc1cb68b6e74cd123ad59cf07a2d Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 9 Oct 2012 09:49:01 +0100 Subject: UAPI: (Scripted) Disintegrate include/linux/netfilter_ipv6 Signed-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones diff --git a/include/linux/netfilter_ipv6/Kbuild b/include/linux/netfilter_ipv6/Kbuild index b88c005..e69de29 100644 --- a/include/linux/netfilter_ipv6/Kbuild +++ b/include/linux/netfilter_ipv6/Kbuild @@ -1,12 +0,0 @@ -header-y += ip6_tables.h -header-y += ip6t_HL.h -header-y += ip6t_LOG.h -header-y += ip6t_NPT.h -header-y += ip6t_REJECT.h -header-y += ip6t_ah.h -header-y += ip6t_frag.h -header-y += ip6t_hl.h -header-y += ip6t_ipv6header.h -header-y += ip6t_mh.h -header-y += ip6t_opts.h -header-y += ip6t_rt.h diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h index 08c2cbb..5f84c62 100644 --- a/include/linux/netfilter_ipv6/ip6_tables.h +++ b/include/linux/netfilter_ipv6/ip6_tables.h @@ -11,268 +11,17 @@ * flags are stored in host byte order (of course). * Port numbers are stored in HOST byte order. */ - #ifndef _IP6_TABLES_H #define _IP6_TABLES_H -#ifdef __KERNEL__ #include #include #include #include -#endif -#include -#include -#include - -#include - -#ifndef __KERNEL__ -#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN -#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN -#define ip6t_match xt_match -#define ip6t_target xt_target -#define ip6t_table xt_table -#define ip6t_get_revision xt_get_revision -#define ip6t_entry_match xt_entry_match -#define ip6t_entry_target xt_entry_target -#define ip6t_standard_target xt_standard_target -#define ip6t_error_target xt_error_target -#define ip6t_counters xt_counters -#define IP6T_CONTINUE XT_CONTINUE -#define IP6T_RETURN XT_RETURN - -/* Pre-iptables-1.4.0 */ -#include -#define ip6t_tcp xt_tcp -#define ip6t_udp xt_udp -#define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT -#define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT -#define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS -#define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION -#define IP6T_TCP_INV_MASK XT_TCP_INV_MASK -#define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT -#define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT -#define IP6T_UDP_INV_MASK XT_UDP_INV_MASK - -#define ip6t_counters_info xt_counters_info -#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET -#define IP6T_ERROR_TARGET XT_ERROR_TARGET -#define IP6T_MATCH_ITERATE(e, fn, args...) \ - XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args) -#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \ - XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args) -#endif - -/* Yes, Virginia, you have to zero the padding. */ -struct ip6t_ip6 { - /* Source and destination IP6 addr */ - struct in6_addr src, dst; - /* Mask for src and dest IP6 addr */ - struct in6_addr smsk, dmsk; - char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; - unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; - - /* Upper protocol number - * - The allowed value is 0 (any) or protocol number of last parsable - * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or - * the non IPv6 extension headers. - * - The protocol numbers of IPv6 extension headers except of ESP and - * MH do not match any packets. - * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol. - */ - __u16 proto; - /* TOS to match iff flags & IP6T_F_TOS */ - __u8 tos; - - /* Flags word */ - __u8 flags; - /* Inverse flags */ - __u8 invflags; -}; - -/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ -#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper - protocols */ -#define IP6T_F_TOS 0x02 /* Match the TOS. */ -#define IP6T_F_GOTO 0x04 /* Set if jump is a goto */ -#define IP6T_F_MASK 0x07 /* All possible flag bits mask. */ - -/* Values for "inv" field in struct ip6t_ip6. */ -#define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ -#define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ -#define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */ -#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ -#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ -#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */ -#define IP6T_INV_PROTO XT_INV_PROTO -#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */ - -/* This structure defines each of the firewall rules. Consists of 3 - parts which are 1) general IP header stuff 2) match specific - stuff 3) the target to perform if the rule matches */ -struct ip6t_entry { - struct ip6t_ip6 ipv6; - - /* Mark with fields that we care about. */ - unsigned int nfcache; - - /* Size of ipt_entry + matches */ - __u16 target_offset; - /* Size of ipt_entry + matches + target */ - __u16 next_offset; - - /* Back pointer */ - unsigned int comefrom; - - /* Packet and byte counters. */ - struct xt_counters counters; - - /* The matches (if any), then the target. */ - unsigned char elems[0]; -}; - -/* Standard entry */ -struct ip6t_standard { - struct ip6t_entry entry; - struct xt_standard_target target; -}; - -struct ip6t_error { - struct ip6t_entry entry; - struct xt_error_target target; -}; - -#define IP6T_ENTRY_INIT(__size) \ -{ \ - .target_offset = sizeof(struct ip6t_entry), \ - .next_offset = (__size), \ -} - -#define IP6T_STANDARD_INIT(__verdict) \ -{ \ - .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \ - .target = XT_TARGET_INIT(XT_STANDARD_TARGET, \ - sizeof(struct xt_standard_target)), \ - .target.verdict = -(__verdict) - 1, \ -} - -#define IP6T_ERROR_INIT \ -{ \ - .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \ - .target = XT_TARGET_INIT(XT_ERROR_TARGET, \ - sizeof(struct xt_error_target)), \ - .target.errorname = "ERROR", \ -} - -/* - * New IP firewall options for [gs]etsockopt at the RAW IP level. - * Unlike BSD Linux inherits IP options so you don't have to use - * a raw socket for this. Instead we check rights in the calls. - * - * ATTENTION: check linux/in6.h before adding new number here. - */ -#define IP6T_BASE_CTL 64 - -#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL) -#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1) -#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS - -#define IP6T_SO_GET_INFO (IP6T_BASE_CTL) -#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1) -#define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4) -#define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5) -#define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET - -/* ICMP matching stuff */ -struct ip6t_icmp { - __u8 type; /* type to match */ - __u8 code[2]; /* range of code */ - __u8 invflags; /* Inverse flags */ -}; - -/* Values for "inv" field for struct ipt_icmp. */ -#define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ - -/* The argument to IP6T_SO_GET_INFO */ -struct ip6t_getinfo { - /* Which table: caller fills this in. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* Kernel fills these in. */ - /* Which hook entry points are valid: bitmask */ - unsigned int valid_hooks; - - /* Hook entry points: one per netfilter hook. */ - unsigned int hook_entry[NF_INET_NUMHOOKS]; - - /* Underflow points. */ - unsigned int underflow[NF_INET_NUMHOOKS]; - - /* Number of entries */ - unsigned int num_entries; - - /* Size of entries. */ - unsigned int size; -}; - -/* The argument to IP6T_SO_SET_REPLACE. */ -struct ip6t_replace { - /* Which table. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* Which hook entry points are valid: bitmask. You can't - change this. */ - unsigned int valid_hooks; - - /* Number of entries */ - unsigned int num_entries; - - /* Total size of new entries */ - unsigned int size; - - /* Hook entry points. */ - unsigned int hook_entry[NF_INET_NUMHOOKS]; - - /* Underflow points. */ - unsigned int underflow[NF_INET_NUMHOOKS]; - - /* Information about old entries: */ - /* Number of counters (must be equal to current number of entries). */ - unsigned int num_counters; - /* The old entries' counters. */ - struct xt_counters __user *counters; - - /* The entries (hang off end: not really an array). */ - struct ip6t_entry entries[0]; -}; - -/* The argument to IP6T_SO_GET_ENTRIES. */ -struct ip6t_get_entries { - /* Which table: user fills this in. */ - char name[XT_TABLE_MAXNAMELEN]; - - /* User fills this in: total entry size. */ - unsigned int size; - - /* The entries. */ - struct ip6t_entry entrytable[0]; -}; - -/* Helper functions */ -static __inline__ struct xt_entry_target * -ip6t_get_target(struct ip6t_entry *e) -{ - return (void *)e + e->target_offset; -} - -/* - * Main firewall chains definitions and global var's definitions. - */ - -#ifdef __KERNEL__ #include +#include + extern void ip6t_init(void) __init; extern void *ip6t_alloc_initial_table(const struct xt_table *); @@ -327,5 +76,4 @@ compat_ip6t_get_target(struct compat_ip6t_entry *e) } #endif /* CONFIG_COMPAT */ -#endif /*__KERNEL__*/ #endif /* _IP6_TABLES_H */ diff --git a/include/linux/netfilter_ipv6/ip6t_HL.h b/include/linux/netfilter_ipv6/ip6t_HL.h deleted file mode 100644 index ebd8ead..0000000 --- a/include/linux/netfilter_ipv6/ip6t_HL.h +++ /dev/null @@ -1,24 +0,0 @@ -/* Hop Limit modification module for ip6tables - * Maciej Soltysiak - * Based on HW's TTL module */ - -#ifndef _IP6T_HL_H -#define _IP6T_HL_H - -#include - -enum { - IP6T_HL_SET = 0, - IP6T_HL_INC, - IP6T_HL_DEC -}; - -#define IP6T_HL_MAXMODE IP6T_HL_DEC - -struct ip6t_HL_info { - __u8 mode; - __u8 hop_limit; -}; - - -#endif diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h deleted file mode 100644 index 3dd0bc4..0000000 --- a/include/linux/netfilter_ipv6/ip6t_LOG.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef _IP6T_LOG_H -#define _IP6T_LOG_H - -#warning "Please update iptables, this file will be removed soon!" - -/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */ -#define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ -#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */ -#define IP6T_LOG_IPOPT 0x04 /* Log IP options */ -#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */ -#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */ -#define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */ -#define IP6T_LOG_MASK 0x2f - -struct ip6t_log_info { - unsigned char level; - unsigned char logflags; - char prefix[30]; -}; - -#endif /*_IPT_LOG_H*/ diff --git a/include/linux/netfilter_ipv6/ip6t_NPT.h b/include/linux/netfilter_ipv6/ip6t_NPT.h deleted file mode 100644 index f763355..0000000 --- a/include/linux/netfilter_ipv6/ip6t_NPT.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef __NETFILTER_IP6T_NPT -#define __NETFILTER_IP6T_NPT - -#include -#include - -struct ip6t_npt_tginfo { - union nf_inet_addr src_pfx; - union nf_inet_addr dst_pfx; - __u8 src_pfx_len; - __u8 dst_pfx_len; - /* Used internally by the kernel */ - __sum16 adjustment; -}; - -#endif /* __NETFILTER_IP6T_NPT */ diff --git a/include/linux/netfilter_ipv6/ip6t_REJECT.h b/include/linux/netfilter_ipv6/ip6t_REJECT.h deleted file mode 100644 index 205ed62..0000000 --- a/include/linux/netfilter_ipv6/ip6t_REJECT.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef _IP6T_REJECT_H -#define _IP6T_REJECT_H - -#include - -enum ip6t_reject_with { - IP6T_ICMP6_NO_ROUTE, - IP6T_ICMP6_ADM_PROHIBITED, - IP6T_ICMP6_NOT_NEIGHBOUR, - IP6T_ICMP6_ADDR_UNREACH, - IP6T_ICMP6_PORT_UNREACH, - IP6T_ICMP6_ECHOREPLY, - IP6T_TCP_RESET -}; - -struct ip6t_reject_info { - __u32 with; /* reject type */ -}; - -#endif /*_IP6T_REJECT_H*/ diff --git a/include/linux/netfilter_ipv6/ip6t_ah.h b/include/linux/netfilter_ipv6/ip6t_ah.h deleted file mode 100644 index 5da2b65..0000000 --- a/include/linux/netfilter_ipv6/ip6t_ah.h +++ /dev/null @@ -1,22 +0,0 @@ -#ifndef _IP6T_AH_H -#define _IP6T_AH_H - -#include - -struct ip6t_ah { - __u32 spis[2]; /* Security Parameter Index */ - __u32 hdrlen; /* Header Length */ - __u8 hdrres; /* Test of the Reserved Filed */ - __u8 invflags; /* Inverse flags */ -}; - -#define IP6T_AH_SPI 0x01 -#define IP6T_AH_LEN 0x02 -#define IP6T_AH_RES 0x04 - -/* Values for "invflags" field in struct ip6t_ah. */ -#define IP6T_AH_INV_SPI 0x01 /* Invert the sense of spi. */ -#define IP6T_AH_INV_LEN 0x02 /* Invert the sense of length. */ -#define IP6T_AH_INV_MASK 0x03 /* All possible flags. */ - -#endif /*_IP6T_AH_H*/ diff --git a/include/linux/netfilter_ipv6/ip6t_frag.h b/include/linux/netfilter_ipv6/ip6t_frag.h deleted file mode 100644 index b47f61b..0000000 --- a/include/linux/netfilter_ipv6/ip6t_frag.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef _IP6T_FRAG_H -#define _IP6T_FRAG_H - -#include - -struct ip6t_frag { - __u32 ids[2]; /* Security Parameter Index */ - __u32 hdrlen; /* Header Length */ - __u8 flags; /* */ - __u8 invflags; /* Inverse flags */ -}; - -#define IP6T_FRAG_IDS 0x01 -#define IP6T_FRAG_LEN 0x02 -#define IP6T_FRAG_RES 0x04 -#define IP6T_FRAG_FST 0x08 -#define IP6T_FRAG_MF 0x10 -#define IP6T_FRAG_NMF 0x20 - -/* Values for "invflags" field in struct ip6t_frag. */ -#define IP6T_FRAG_INV_IDS 0x01 /* Invert the sense of ids. */ -#define IP6T_FRAG_INV_LEN 0x02 /* Invert the sense of length. */ -#define IP6T_FRAG_INV_MASK 0x03 /* All possible flags. */ - -#endif /*_IP6T_FRAG_H*/ diff --git a/include/linux/netfilter_ipv6/ip6t_hl.h b/include/linux/netfilter_ipv6/ip6t_hl.h deleted file mode 100644 index 6e76dbc..0000000 --- a/include/linux/netfilter_ipv6/ip6t_hl.h +++ /dev/null @@ -1,24 +0,0 @@ -/* ip6tables module for matching the Hop Limit value - * Maciej Soltysiak - * Based on HW's ttl module */ - -#ifndef _IP6T_HL_H -#define _IP6T_HL_H - -#include - -enum { - IP6T_HL_EQ = 0, /* equals */ - IP6T_HL_NE, /* not equals */ - IP6T_HL_LT, /* less than */ - IP6T_HL_GT, /* greater than */ -}; - - -struct ip6t_hl_info { - __u8 mode; - __u8 hop_limit; -}; - - -#endif diff --git a/include/linux/netfilter_ipv6/ip6t_ipv6header.h b/include/linux/netfilter_ipv6/ip6t_ipv6header.h deleted file mode 100644 index efae3a2..0000000 --- a/include/linux/netfilter_ipv6/ip6t_ipv6header.h +++ /dev/null @@ -1,28 +0,0 @@ -/* ipv6header match - matches IPv6 packets based -on whether they contain certain headers */ - -/* Original idea: Brad Chapman - * Rewritten by: Andras Kis-Szabo */ - - -#ifndef __IPV6HEADER_H -#define __IPV6HEADER_H - -#include - -struct ip6t_ipv6header_info { - __u8 matchflags; - __u8 invflags; - __u8 modeflag; -}; - -#define MASK_HOPOPTS 128 -#define MASK_DSTOPTS 64 -#define MASK_ROUTING 32 -#define MASK_FRAGMENT 16 -#define MASK_AH 8 -#define MASK_ESP 4 -#define MASK_NONE 2 -#define MASK_PROTO 1 - -#endif /* __IPV6HEADER_H */ diff --git a/include/linux/netfilter_ipv6/ip6t_mh.h b/include/linux/netfilter_ipv6/ip6t_mh.h deleted file mode 100644 index a7729a5..0000000 --- a/include/linux/netfilter_ipv6/ip6t_mh.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef _IP6T_MH_H -#define _IP6T_MH_H - -#include - -/* MH matching stuff */ -struct ip6t_mh { - __u8 types[2]; /* MH type range */ - __u8 invflags; /* Inverse flags */ -}; - -/* Values for "invflags" field in struct ip6t_mh. */ -#define IP6T_MH_INV_TYPE 0x01 /* Invert the sense of type. */ -#define IP6T_MH_INV_MASK 0x01 /* All possible flags. */ - -#endif /*_IP6T_MH_H*/ diff --git a/include/linux/netfilter_ipv6/ip6t_opts.h b/include/linux/netfilter_ipv6/ip6t_opts.h deleted file mode 100644 index 17d419a..0000000 --- a/include/linux/netfilter_ipv6/ip6t_opts.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef _IP6T_OPTS_H -#define _IP6T_OPTS_H - -#include - -#define IP6T_OPTS_OPTSNR 16 - -struct ip6t_opts { - __u32 hdrlen; /* Header Length */ - __u8 flags; /* */ - __u8 invflags; /* Inverse flags */ - __u16 opts[IP6T_OPTS_OPTSNR]; /* opts */ - __u8 optsnr; /* Nr of OPts */ -}; - -#define IP6T_OPTS_LEN 0x01 -#define IP6T_OPTS_OPTS 0x02 -#define IP6T_OPTS_NSTRICT 0x04 - -/* Values for "invflags" field in struct ip6t_rt. */ -#define IP6T_OPTS_INV_LEN 0x01 /* Invert the sense of length. */ -#define IP6T_OPTS_INV_MASK 0x01 /* All possible flags. */ - -#endif /*_IP6T_OPTS_H*/ diff --git a/include/linux/netfilter_ipv6/ip6t_rt.h b/include/linux/netfilter_ipv6/ip6t_rt.h deleted file mode 100644 index 7605a5f..0000000 --- a/include/linux/netfilter_ipv6/ip6t_rt.h +++ /dev/null @@ -1,33 +0,0 @@ -#ifndef _IP6T_RT_H -#define _IP6T_RT_H - -#include -/*#include */ - -#define IP6T_RT_HOPS 16 - -struct ip6t_rt { - __u32 rt_type; /* Routing Type */ - __u32 segsleft[2]; /* Segments Left */ - __u32 hdrlen; /* Header Length */ - __u8 flags; /* */ - __u8 invflags; /* Inverse flags */ - struct in6_addr addrs[IP6T_RT_HOPS]; /* Hops */ - __u8 addrnr; /* Nr of Addresses */ -}; - -#define IP6T_RT_TYP 0x01 -#define IP6T_RT_SGS 0x02 -#define IP6T_RT_LEN 0x04 -#define IP6T_RT_RES 0x08 -#define IP6T_RT_FST_MASK 0x30 -#define IP6T_RT_FST 0x10 -#define IP6T_RT_FST_NSTRICT 0x20 - -/* Values for "invflags" field in struct ip6t_rt. */ -#define IP6T_RT_INV_TYP 0x01 /* Invert the sense of type. */ -#define IP6T_RT_INV_SGS 0x02 /* Invert the sense of Segments. */ -#define IP6T_RT_INV_LEN 0x04 /* Invert the sense of length. */ -#define IP6T_RT_INV_MASK 0x07 /* All possible flags. */ - -#endif /*_IP6T_RT_H*/ diff --git a/include/uapi/linux/netfilter_ipv6/Kbuild b/include/uapi/linux/netfilter_ipv6/Kbuild index aafaa5a..75a668c 100644 --- a/include/uapi/linux/netfilter_ipv6/Kbuild +++ b/include/uapi/linux/netfilter_ipv6/Kbuild @@ -1 +1,13 @@ # UAPI Header export list +header-y += ip6_tables.h +header-y += ip6t_HL.h +header-y += ip6t_LOG.h +header-y += ip6t_NPT.h +header-y += ip6t_REJECT.h +header-y += ip6t_ah.h +header-y += ip6t_frag.h +header-y += ip6t_hl.h +header-y += ip6t_ipv6header.h +header-y += ip6t_mh.h +header-y += ip6t_opts.h +header-y += ip6t_rt.h diff --git a/include/uapi/linux/netfilter_ipv6/ip6_tables.h b/include/uapi/linux/netfilter_ipv6/ip6_tables.h new file mode 100644 index 0000000..bf1ef65 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6_tables.h @@ -0,0 +1,267 @@ +/* + * 25-Jul-1998 Major changes to allow for ip chain table + * + * 3-Jan-2000 Named tables to allow packet selection for different uses. + */ + +/* + * Format of an IP6 firewall descriptor + * + * src, dst, src_mask, dst_mask are always stored in network byte order. + * flags are stored in host byte order (of course). + * Port numbers are stored in HOST byte order. + */ + +#ifndef _UAPI_IP6_TABLES_H +#define _UAPI_IP6_TABLES_H + +#include +#include +#include + +#include + +#ifndef __KERNEL__ +#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN +#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN +#define ip6t_match xt_match +#define ip6t_target xt_target +#define ip6t_table xt_table +#define ip6t_get_revision xt_get_revision +#define ip6t_entry_match xt_entry_match +#define ip6t_entry_target xt_entry_target +#define ip6t_standard_target xt_standard_target +#define ip6t_error_target xt_error_target +#define ip6t_counters xt_counters +#define IP6T_CONTINUE XT_CONTINUE +#define IP6T_RETURN XT_RETURN + +/* Pre-iptables-1.4.0 */ +#include +#define ip6t_tcp xt_tcp +#define ip6t_udp xt_udp +#define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT +#define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT +#define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS +#define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION +#define IP6T_TCP_INV_MASK XT_TCP_INV_MASK +#define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT +#define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT +#define IP6T_UDP_INV_MASK XT_UDP_INV_MASK + +#define ip6t_counters_info xt_counters_info +#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET +#define IP6T_ERROR_TARGET XT_ERROR_TARGET +#define IP6T_MATCH_ITERATE(e, fn, args...) \ + XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args) +#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \ + XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args) +#endif + +/* Yes, Virginia, you have to zero the padding. */ +struct ip6t_ip6 { + /* Source and destination IP6 addr */ + struct in6_addr src, dst; + /* Mask for src and dest IP6 addr */ + struct in6_addr smsk, dmsk; + char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; + unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; + + /* Upper protocol number + * - The allowed value is 0 (any) or protocol number of last parsable + * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or + * the non IPv6 extension headers. + * - The protocol numbers of IPv6 extension headers except of ESP and + * MH do not match any packets. + * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol. + */ + __u16 proto; + /* TOS to match iff flags & IP6T_F_TOS */ + __u8 tos; + + /* Flags word */ + __u8 flags; + /* Inverse flags */ + __u8 invflags; +}; + +/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ +#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper + protocols */ +#define IP6T_F_TOS 0x02 /* Match the TOS. */ +#define IP6T_F_GOTO 0x04 /* Set if jump is a goto */ +#define IP6T_F_MASK 0x07 /* All possible flag bits mask. */ + +/* Values for "inv" field in struct ip6t_ip6. */ +#define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ +#define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ +#define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */ +#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ +#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ +#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */ +#define IP6T_INV_PROTO XT_INV_PROTO +#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */ + +/* This structure defines each of the firewall rules. Consists of 3 + parts which are 1) general IP header stuff 2) match specific + stuff 3) the target to perform if the rule matches */ +struct ip6t_entry { + struct ip6t_ip6 ipv6; + + /* Mark with fields that we care about. */ + unsigned int nfcache; + + /* Size of ipt_entry + matches */ + __u16 target_offset; + /* Size of ipt_entry + matches + target */ + __u16 next_offset; + + /* Back pointer */ + unsigned int comefrom; + + /* Packet and byte counters. */ + struct xt_counters counters; + + /* The matches (if any), then the target. */ + unsigned char elems[0]; +}; + +/* Standard entry */ +struct ip6t_standard { + struct ip6t_entry entry; + struct xt_standard_target target; +}; + +struct ip6t_error { + struct ip6t_entry entry; + struct xt_error_target target; +}; + +#define IP6T_ENTRY_INIT(__size) \ +{ \ + .target_offset = sizeof(struct ip6t_entry), \ + .next_offset = (__size), \ +} + +#define IP6T_STANDARD_INIT(__verdict) \ +{ \ + .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \ + .target = XT_TARGET_INIT(XT_STANDARD_TARGET, \ + sizeof(struct xt_standard_target)), \ + .target.verdict = -(__verdict) - 1, \ +} + +#define IP6T_ERROR_INIT \ +{ \ + .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \ + .target = XT_TARGET_INIT(XT_ERROR_TARGET, \ + sizeof(struct xt_error_target)), \ + .target.errorname = "ERROR", \ +} + +/* + * New IP firewall options for [gs]etsockopt at the RAW IP level. + * Unlike BSD Linux inherits IP options so you don't have to use + * a raw socket for this. Instead we check rights in the calls. + * + * ATTENTION: check linux/in6.h before adding new number here. + */ +#define IP6T_BASE_CTL 64 + +#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL) +#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1) +#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS + +#define IP6T_SO_GET_INFO (IP6T_BASE_CTL) +#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1) +#define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4) +#define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5) +#define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET + +/* ICMP matching stuff */ +struct ip6t_icmp { + __u8 type; /* type to match */ + __u8 code[2]; /* range of code */ + __u8 invflags; /* Inverse flags */ +}; + +/* Values for "inv" field for struct ipt_icmp. */ +#define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ + +/* The argument to IP6T_SO_GET_INFO */ +struct ip6t_getinfo { + /* Which table: caller fills this in. */ + char name[XT_TABLE_MAXNAMELEN]; + + /* Kernel fills these in. */ + /* Which hook entry points are valid: bitmask */ + unsigned int valid_hooks; + + /* Hook entry points: one per netfilter hook. */ + unsigned int hook_entry[NF_INET_NUMHOOKS]; + + /* Underflow points. */ + unsigned int underflow[NF_INET_NUMHOOKS]; + + /* Number of entries */ + unsigned int num_entries; + + /* Size of entries. */ + unsigned int size; +}; + +/* The argument to IP6T_SO_SET_REPLACE. */ +struct ip6t_replace { + /* Which table. */ + char name[XT_TABLE_MAXNAMELEN]; + + /* Which hook entry points are valid: bitmask. You can't + change this. */ + unsigned int valid_hooks; + + /* Number of entries */ + unsigned int num_entries; + + /* Total size of new entries */ + unsigned int size; + + /* Hook entry points. */ + unsigned int hook_entry[NF_INET_NUMHOOKS]; + + /* Underflow points. */ + unsigned int underflow[NF_INET_NUMHOOKS]; + + /* Information about old entries: */ + /* Number of counters (must be equal to current number of entries). */ + unsigned int num_counters; + /* The old entries' counters. */ + struct xt_counters __user *counters; + + /* The entries (hang off end: not really an array). */ + struct ip6t_entry entries[0]; +}; + +/* The argument to IP6T_SO_GET_ENTRIES. */ +struct ip6t_get_entries { + /* Which table: user fills this in. */ + char name[XT_TABLE_MAXNAMELEN]; + + /* User fills this in: total entry size. */ + unsigned int size; + + /* The entries. */ + struct ip6t_entry entrytable[0]; +}; + +/* Helper functions */ +static __inline__ struct xt_entry_target * +ip6t_get_target(struct ip6t_entry *e) +{ + return (void *)e + e->target_offset; +} + +/* + * Main firewall chains definitions and global var's definitions. + */ + +#endif /* _UAPI_IP6_TABLES_H */ diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_HL.h b/include/uapi/linux/netfilter_ipv6/ip6t_HL.h new file mode 100644 index 0000000..ebd8ead --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6t_HL.h @@ -0,0 +1,24 @@ +/* Hop Limit modification module for ip6tables + * Maciej Soltysiak + * Based on HW's TTL module */ + +#ifndef _IP6T_HL_H +#define _IP6T_HL_H + +#include + +enum { + IP6T_HL_SET = 0, + IP6T_HL_INC, + IP6T_HL_DEC +}; + +#define IP6T_HL_MAXMODE IP6T_HL_DEC + +struct ip6t_HL_info { + __u8 mode; + __u8 hop_limit; +}; + + +#endif diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_LOG.h b/include/uapi/linux/netfilter_ipv6/ip6t_LOG.h new file mode 100644 index 0000000..3dd0bc4 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6t_LOG.h @@ -0,0 +1,21 @@ +#ifndef _IP6T_LOG_H +#define _IP6T_LOG_H + +#warning "Please update iptables, this file will be removed soon!" + +/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */ +#define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ +#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */ +#define IP6T_LOG_IPOPT 0x04 /* Log IP options */ +#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */ +#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */ +#define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */ +#define IP6T_LOG_MASK 0x2f + +struct ip6t_log_info { + unsigned char level; + unsigned char logflags; + char prefix[30]; +}; + +#endif /*_IPT_LOG_H*/ diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_NPT.h b/include/uapi/linux/netfilter_ipv6/ip6t_NPT.h new file mode 100644 index 0000000..f763355 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6t_NPT.h @@ -0,0 +1,16 @@ +#ifndef __NETFILTER_IP6T_NPT +#define __NETFILTER_IP6T_NPT + +#include +#include + +struct ip6t_npt_tginfo { + union nf_inet_addr src_pfx; + union nf_inet_addr dst_pfx; + __u8 src_pfx_len; + __u8 dst_pfx_len; + /* Used internally by the kernel */ + __sum16 adjustment; +}; + +#endif /* __NETFILTER_IP6T_NPT */ diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h b/include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h new file mode 100644 index 0000000..205ed62 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h @@ -0,0 +1,20 @@ +#ifndef _IP6T_REJECT_H +#define _IP6T_REJECT_H + +#include + +enum ip6t_reject_with { + IP6T_ICMP6_NO_ROUTE, + IP6T_ICMP6_ADM_PROHIBITED, + IP6T_ICMP6_NOT_NEIGHBOUR, + IP6T_ICMP6_ADDR_UNREACH, + IP6T_ICMP6_PORT_UNREACH, + IP6T_ICMP6_ECHOREPLY, + IP6T_TCP_RESET +}; + +struct ip6t_reject_info { + __u32 with; /* reject type */ +}; + +#endif /*_IP6T_REJECT_H*/ diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_ah.h b/include/uapi/linux/netfilter_ipv6/ip6t_ah.h new file mode 100644 index 0000000..5da2b65 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6t_ah.h @@ -0,0 +1,22 @@ +#ifndef _IP6T_AH_H +#define _IP6T_AH_H + +#include + +struct ip6t_ah { + __u32 spis[2]; /* Security Parameter Index */ + __u32 hdrlen; /* Header Length */ + __u8 hdrres; /* Test of the Reserved Filed */ + __u8 invflags; /* Inverse flags */ +}; + +#define IP6T_AH_SPI 0x01 +#define IP6T_AH_LEN 0x02 +#define IP6T_AH_RES 0x04 + +/* Values for "invflags" field in struct ip6t_ah. */ +#define IP6T_AH_INV_SPI 0x01 /* Invert the sense of spi. */ +#define IP6T_AH_INV_LEN 0x02 /* Invert the sense of length. */ +#define IP6T_AH_INV_MASK 0x03 /* All possible flags. */ + +#endif /*_IP6T_AH_H*/ diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_frag.h b/include/uapi/linux/netfilter_ipv6/ip6t_frag.h new file mode 100644 index 0000000..b47f61b --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6t_frag.h @@ -0,0 +1,25 @@ +#ifndef _IP6T_FRAG_H +#define _IP6T_FRAG_H + +#include + +struct ip6t_frag { + __u32 ids[2]; /* Security Parameter Index */ + __u32 hdrlen; /* Header Length */ + __u8 flags; /* */ + __u8 invflags; /* Inverse flags */ +}; + +#define IP6T_FRAG_IDS 0x01 +#define IP6T_FRAG_LEN 0x02 +#define IP6T_FRAG_RES 0x04 +#define IP6T_FRAG_FST 0x08 +#define IP6T_FRAG_MF 0x10 +#define IP6T_FRAG_NMF 0x20 + +/* Values for "invflags" field in struct ip6t_frag. */ +#define IP6T_FRAG_INV_IDS 0x01 /* Invert the sense of ids. */ +#define IP6T_FRAG_INV_LEN 0x02 /* Invert the sense of length. */ +#define IP6T_FRAG_INV_MASK 0x03 /* All possible flags. */ + +#endif /*_IP6T_FRAG_H*/ diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_hl.h b/include/uapi/linux/netfilter_ipv6/ip6t_hl.h new file mode 100644 index 0000000..6e76dbc --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6t_hl.h @@ -0,0 +1,24 @@ +/* ip6tables module for matching the Hop Limit value + * Maciej Soltysiak + * Based on HW's ttl module */ + +#ifndef _IP6T_HL_H +#define _IP6T_HL_H + +#include + +enum { + IP6T_HL_EQ = 0, /* equals */ + IP6T_HL_NE, /* not equals */ + IP6T_HL_LT, /* less than */ + IP6T_HL_GT, /* greater than */ +}; + + +struct ip6t_hl_info { + __u8 mode; + __u8 hop_limit; +}; + + +#endif diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h b/include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h new file mode 100644 index 0000000..efae3a2 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h @@ -0,0 +1,28 @@ +/* ipv6header match - matches IPv6 packets based +on whether they contain certain headers */ + +/* Original idea: Brad Chapman + * Rewritten by: Andras Kis-Szabo */ + + +#ifndef __IPV6HEADER_H +#define __IPV6HEADER_H + +#include + +struct ip6t_ipv6header_info { + __u8 matchflags; + __u8 invflags; + __u8 modeflag; +}; + +#define MASK_HOPOPTS 128 +#define MASK_DSTOPTS 64 +#define MASK_ROUTING 32 +#define MASK_FRAGMENT 16 +#define MASK_AH 8 +#define MASK_ESP 4 +#define MASK_NONE 2 +#define MASK_PROTO 1 + +#endif /* __IPV6HEADER_H */ diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_mh.h b/include/uapi/linux/netfilter_ipv6/ip6t_mh.h new file mode 100644 index 0000000..a7729a5 --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6t_mh.h @@ -0,0 +1,16 @@ +#ifndef _IP6T_MH_H +#define _IP6T_MH_H + +#include + +/* MH matching stuff */ +struct ip6t_mh { + __u8 types[2]; /* MH type range */ + __u8 invflags; /* Inverse flags */ +}; + +/* Values for "invflags" field in struct ip6t_mh. */ +#define IP6T_MH_INV_TYPE 0x01 /* Invert the sense of type. */ +#define IP6T_MH_INV_MASK 0x01 /* All possible flags. */ + +#endif /*_IP6T_MH_H*/ diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_opts.h b/include/uapi/linux/netfilter_ipv6/ip6t_opts.h new file mode 100644 index 0000000..17d419a --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6t_opts.h @@ -0,0 +1,24 @@ +#ifndef _IP6T_OPTS_H +#define _IP6T_OPTS_H + +#include + +#define IP6T_OPTS_OPTSNR 16 + +struct ip6t_opts { + __u32 hdrlen; /* Header Length */ + __u8 flags; /* */ + __u8 invflags; /* Inverse flags */ + __u16 opts[IP6T_OPTS_OPTSNR]; /* opts */ + __u8 optsnr; /* Nr of OPts */ +}; + +#define IP6T_OPTS_LEN 0x01 +#define IP6T_OPTS_OPTS 0x02 +#define IP6T_OPTS_NSTRICT 0x04 + +/* Values for "invflags" field in struct ip6t_rt. */ +#define IP6T_OPTS_INV_LEN 0x01 /* Invert the sense of length. */ +#define IP6T_OPTS_INV_MASK 0x01 /* All possible flags. */ + +#endif /*_IP6T_OPTS_H*/ diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_rt.h b/include/uapi/linux/netfilter_ipv6/ip6t_rt.h new file mode 100644 index 0000000..7605a5f --- /dev/null +++ b/include/uapi/linux/netfilter_ipv6/ip6t_rt.h @@ -0,0 +1,33 @@ +#ifndef _IP6T_RT_H +#define _IP6T_RT_H + +#include +/*#include */ + +#define IP6T_RT_HOPS 16 + +struct ip6t_rt { + __u32 rt_type; /* Routing Type */ + __u32 segsleft[2]; /* Segments Left */ + __u32 hdrlen; /* Header Length */ + __u8 flags; /* */ + __u8 invflags; /* Inverse flags */ + struct in6_addr addrs[IP6T_RT_HOPS]; /* Hops */ + __u8 addrnr; /* Nr of Addresses */ +}; + +#define IP6T_RT_TYP 0x01 +#define IP6T_RT_SGS 0x02 +#define IP6T_RT_LEN 0x04 +#define IP6T_RT_RES 0x08 +#define IP6T_RT_FST_MASK 0x30 +#define IP6T_RT_FST 0x10 +#define IP6T_RT_FST_NSTRICT 0x20 + +/* Values for "invflags" field in struct ip6t_rt. */ +#define IP6T_RT_INV_TYP 0x01 /* Invert the sense of type. */ +#define IP6T_RT_INV_SGS 0x02 /* Invert the sense of Segments. */ +#define IP6T_RT_INV_LEN 0x04 /* Invert the sense of length. */ +#define IP6T_RT_INV_MASK 0x07 /* All possible flags. */ + +#endif /*_IP6T_RT_H*/ -- cgit v0.10.2 From 611128eb3927941abcfdca5b7515cf02aab601ec Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 9 Oct 2012 09:49:05 +0100 Subject: UAPI: (Scripted) Disintegrate include/linux/tc_act Signed-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones diff --git a/include/linux/tc_act/Kbuild b/include/linux/tc_act/Kbuild index 67b501c..e69de29 100644 --- a/include/linux/tc_act/Kbuild +++ b/include/linux/tc_act/Kbuild @@ -1,7 +0,0 @@ -header-y += tc_gact.h -header-y += tc_ipt.h -header-y += tc_mirred.h -header-y += tc_pedit.h -header-y += tc_nat.h -header-y += tc_skbedit.h -header-y += tc_csum.h diff --git a/include/linux/tc_act/tc_csum.h b/include/linux/tc_act/tc_csum.h deleted file mode 100644 index a047c49..0000000 --- a/include/linux/tc_act/tc_csum.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef __LINUX_TC_CSUM_H -#define __LINUX_TC_CSUM_H - -#include -#include - -#define TCA_ACT_CSUM 16 - -enum { - TCA_CSUM_UNSPEC, - TCA_CSUM_PARMS, - TCA_CSUM_TM, - __TCA_CSUM_MAX -}; -#define TCA_CSUM_MAX (__TCA_CSUM_MAX - 1) - -enum { - TCA_CSUM_UPDATE_FLAG_IPV4HDR = 1, - TCA_CSUM_UPDATE_FLAG_ICMP = 2, - TCA_CSUM_UPDATE_FLAG_IGMP = 4, - TCA_CSUM_UPDATE_FLAG_TCP = 8, - TCA_CSUM_UPDATE_FLAG_UDP = 16, - TCA_CSUM_UPDATE_FLAG_UDPLITE = 32 -}; - -struct tc_csum { - tc_gen; - - __u32 update_flags; -}; - -#endif /* __LINUX_TC_CSUM_H */ diff --git a/include/linux/tc_act/tc_gact.h b/include/linux/tc_act/tc_gact.h deleted file mode 100644 index f7bf94e..0000000 --- a/include/linux/tc_act/tc_gact.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef __LINUX_TC_GACT_H -#define __LINUX_TC_GACT_H - -#include -#include - -#define TCA_ACT_GACT 5 -struct tc_gact { - tc_gen; - -}; - -struct tc_gact_p { -#define PGACT_NONE 0 -#define PGACT_NETRAND 1 -#define PGACT_DETERM 2 -#define MAX_RAND (PGACT_DETERM + 1 ) - __u16 ptype; - __u16 pval; - int paction; -}; - -enum { - TCA_GACT_UNSPEC, - TCA_GACT_TM, - TCA_GACT_PARMS, - TCA_GACT_PROB, - __TCA_GACT_MAX -}; -#define TCA_GACT_MAX (__TCA_GACT_MAX - 1) - -#endif diff --git a/include/linux/tc_act/tc_ipt.h b/include/linux/tc_act/tc_ipt.h deleted file mode 100644 index a233556..0000000 --- a/include/linux/tc_act/tc_ipt.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef __LINUX_TC_IPT_H -#define __LINUX_TC_IPT_H - -#include - -#define TCA_ACT_IPT 6 - -enum { - TCA_IPT_UNSPEC, - TCA_IPT_TABLE, - TCA_IPT_HOOK, - TCA_IPT_INDEX, - TCA_IPT_CNT, - TCA_IPT_TM, - TCA_IPT_TARG, - __TCA_IPT_MAX -}; -#define TCA_IPT_MAX (__TCA_IPT_MAX - 1) - -#endif diff --git a/include/linux/tc_act/tc_mirred.h b/include/linux/tc_act/tc_mirred.h deleted file mode 100644 index 7561750..0000000 --- a/include/linux/tc_act/tc_mirred.h +++ /dev/null @@ -1,27 +0,0 @@ -#ifndef __LINUX_TC_MIR_H -#define __LINUX_TC_MIR_H - -#include -#include - -#define TCA_ACT_MIRRED 8 -#define TCA_EGRESS_REDIR 1 /* packet redirect to EGRESS*/ -#define TCA_EGRESS_MIRROR 2 /* mirror packet to EGRESS */ -#define TCA_INGRESS_REDIR 3 /* packet redirect to INGRESS*/ -#define TCA_INGRESS_MIRROR 4 /* mirror packet to INGRESS */ - -struct tc_mirred { - tc_gen; - int eaction; /* one of IN/EGRESS_MIRROR/REDIR */ - __u32 ifindex; /* ifindex of egress port */ -}; - -enum { - TCA_MIRRED_UNSPEC, - TCA_MIRRED_TM, - TCA_MIRRED_PARMS, - __TCA_MIRRED_MAX -}; -#define TCA_MIRRED_MAX (__TCA_MIRRED_MAX - 1) - -#endif diff --git a/include/linux/tc_act/tc_nat.h b/include/linux/tc_act/tc_nat.h deleted file mode 100644 index 6663aeb..0000000 --- a/include/linux/tc_act/tc_nat.h +++ /dev/null @@ -1,27 +0,0 @@ -#ifndef __LINUX_TC_NAT_H -#define __LINUX_TC_NAT_H - -#include -#include - -#define TCA_ACT_NAT 9 - -enum { - TCA_NAT_UNSPEC, - TCA_NAT_PARMS, - TCA_NAT_TM, - __TCA_NAT_MAX -}; -#define TCA_NAT_MAX (__TCA_NAT_MAX - 1) - -#define TCA_NAT_FLAG_EGRESS 1 - -struct tc_nat { - tc_gen; - __be32 old_addr; - __be32 new_addr; - __be32 mask; - __u32 flags; -}; - -#endif diff --git a/include/linux/tc_act/tc_pedit.h b/include/linux/tc_act/tc_pedit.h deleted file mode 100644 index 716cfab..0000000 --- a/include/linux/tc_act/tc_pedit.h +++ /dev/null @@ -1,34 +0,0 @@ -#ifndef __LINUX_TC_PED_H -#define __LINUX_TC_PED_H - -#include -#include - -#define TCA_ACT_PEDIT 7 - -enum { - TCA_PEDIT_UNSPEC, - TCA_PEDIT_TM, - TCA_PEDIT_PARMS, - __TCA_PEDIT_MAX -}; -#define TCA_PEDIT_MAX (__TCA_PEDIT_MAX - 1) - -struct tc_pedit_key { - __u32 mask; /* AND */ - __u32 val; /*XOR */ - __u32 off; /*offset */ - __u32 at; - __u32 offmask; - __u32 shift; -}; - -struct tc_pedit_sel { - tc_gen; - unsigned char nkeys; - unsigned char flags; - struct tc_pedit_key keys[0]; -}; -#define tc_pedit tc_pedit_sel - -#endif diff --git a/include/linux/tc_act/tc_skbedit.h b/include/linux/tc_act/tc_skbedit.h deleted file mode 100644 index 7a2e910..0000000 --- a/include/linux/tc_act/tc_skbedit.h +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (c) 2008, Intel Corporation. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307 USA. - * - * Author: Alexander Duyck - */ - -#ifndef __LINUX_TC_SKBEDIT_H -#define __LINUX_TC_SKBEDIT_H - -#include - -#define TCA_ACT_SKBEDIT 11 - -#define SKBEDIT_F_PRIORITY 0x1 -#define SKBEDIT_F_QUEUE_MAPPING 0x2 -#define SKBEDIT_F_MARK 0x4 - -struct tc_skbedit { - tc_gen; -}; - -enum { - TCA_SKBEDIT_UNSPEC, - TCA_SKBEDIT_TM, - TCA_SKBEDIT_PARMS, - TCA_SKBEDIT_PRIORITY, - TCA_SKBEDIT_QUEUE_MAPPING, - TCA_SKBEDIT_MARK, - __TCA_SKBEDIT_MAX -}; -#define TCA_SKBEDIT_MAX (__TCA_SKBEDIT_MAX - 1) - -#endif diff --git a/include/uapi/linux/tc_act/Kbuild b/include/uapi/linux/tc_act/Kbuild index aafaa5a..0623ec4 100644 --- a/include/uapi/linux/tc_act/Kbuild +++ b/include/uapi/linux/tc_act/Kbuild @@ -1 +1,8 @@ # UAPI Header export list +header-y += tc_csum.h +header-y += tc_gact.h +header-y += tc_ipt.h +header-y += tc_mirred.h +header-y += tc_nat.h +header-y += tc_pedit.h +header-y += tc_skbedit.h diff --git a/include/uapi/linux/tc_act/tc_csum.h b/include/uapi/linux/tc_act/tc_csum.h new file mode 100644 index 0000000..a047c49 --- /dev/null +++ b/include/uapi/linux/tc_act/tc_csum.h @@ -0,0 +1,32 @@ +#ifndef __LINUX_TC_CSUM_H +#define __LINUX_TC_CSUM_H + +#include +#include + +#define TCA_ACT_CSUM 16 + +enum { + TCA_CSUM_UNSPEC, + TCA_CSUM_PARMS, + TCA_CSUM_TM, + __TCA_CSUM_MAX +}; +#define TCA_CSUM_MAX (__TCA_CSUM_MAX - 1) + +enum { + TCA_CSUM_UPDATE_FLAG_IPV4HDR = 1, + TCA_CSUM_UPDATE_FLAG_ICMP = 2, + TCA_CSUM_UPDATE_FLAG_IGMP = 4, + TCA_CSUM_UPDATE_FLAG_TCP = 8, + TCA_CSUM_UPDATE_FLAG_UDP = 16, + TCA_CSUM_UPDATE_FLAG_UDPLITE = 32 +}; + +struct tc_csum { + tc_gen; + + __u32 update_flags; +}; + +#endif /* __LINUX_TC_CSUM_H */ diff --git a/include/uapi/linux/tc_act/tc_gact.h b/include/uapi/linux/tc_act/tc_gact.h new file mode 100644 index 0000000..f7bf94e --- /dev/null +++ b/include/uapi/linux/tc_act/tc_gact.h @@ -0,0 +1,32 @@ +#ifndef __LINUX_TC_GACT_H +#define __LINUX_TC_GACT_H + +#include +#include + +#define TCA_ACT_GACT 5 +struct tc_gact { + tc_gen; + +}; + +struct tc_gact_p { +#define PGACT_NONE 0 +#define PGACT_NETRAND 1 +#define PGACT_DETERM 2 +#define MAX_RAND (PGACT_DETERM + 1 ) + __u16 ptype; + __u16 pval; + int paction; +}; + +enum { + TCA_GACT_UNSPEC, + TCA_GACT_TM, + TCA_GACT_PARMS, + TCA_GACT_PROB, + __TCA_GACT_MAX +}; +#define TCA_GACT_MAX (__TCA_GACT_MAX - 1) + +#endif diff --git a/include/uapi/linux/tc_act/tc_ipt.h b/include/uapi/linux/tc_act/tc_ipt.h new file mode 100644 index 0000000..a233556 --- /dev/null +++ b/include/uapi/linux/tc_act/tc_ipt.h @@ -0,0 +1,20 @@ +#ifndef __LINUX_TC_IPT_H +#define __LINUX_TC_IPT_H + +#include + +#define TCA_ACT_IPT 6 + +enum { + TCA_IPT_UNSPEC, + TCA_IPT_TABLE, + TCA_IPT_HOOK, + TCA_IPT_INDEX, + TCA_IPT_CNT, + TCA_IPT_TM, + TCA_IPT_TARG, + __TCA_IPT_MAX +}; +#define TCA_IPT_MAX (__TCA_IPT_MAX - 1) + +#endif diff --git a/include/uapi/linux/tc_act/tc_mirred.h b/include/uapi/linux/tc_act/tc_mirred.h new file mode 100644 index 0000000..7561750 --- /dev/null +++ b/include/uapi/linux/tc_act/tc_mirred.h @@ -0,0 +1,27 @@ +#ifndef __LINUX_TC_MIR_H +#define __LINUX_TC_MIR_H + +#include +#include + +#define TCA_ACT_MIRRED 8 +#define TCA_EGRESS_REDIR 1 /* packet redirect to EGRESS*/ +#define TCA_EGRESS_MIRROR 2 /* mirror packet to EGRESS */ +#define TCA_INGRESS_REDIR 3 /* packet redirect to INGRESS*/ +#define TCA_INGRESS_MIRROR 4 /* mirror packet to INGRESS */ + +struct tc_mirred { + tc_gen; + int eaction; /* one of IN/EGRESS_MIRROR/REDIR */ + __u32 ifindex; /* ifindex of egress port */ +}; + +enum { + TCA_MIRRED_UNSPEC, + TCA_MIRRED_TM, + TCA_MIRRED_PARMS, + __TCA_MIRRED_MAX +}; +#define TCA_MIRRED_MAX (__TCA_MIRRED_MAX - 1) + +#endif diff --git a/include/uapi/linux/tc_act/tc_nat.h b/include/uapi/linux/tc_act/tc_nat.h new file mode 100644 index 0000000..6663aeb --- /dev/null +++ b/include/uapi/linux/tc_act/tc_nat.h @@ -0,0 +1,27 @@ +#ifndef __LINUX_TC_NAT_H +#define __LINUX_TC_NAT_H + +#include +#include + +#define TCA_ACT_NAT 9 + +enum { + TCA_NAT_UNSPEC, + TCA_NAT_PARMS, + TCA_NAT_TM, + __TCA_NAT_MAX +}; +#define TCA_NAT_MAX (__TCA_NAT_MAX - 1) + +#define TCA_NAT_FLAG_EGRESS 1 + +struct tc_nat { + tc_gen; + __be32 old_addr; + __be32 new_addr; + __be32 mask; + __u32 flags; +}; + +#endif diff --git a/include/uapi/linux/tc_act/tc_pedit.h b/include/uapi/linux/tc_act/tc_pedit.h new file mode 100644 index 0000000..716cfab --- /dev/null +++ b/include/uapi/linux/tc_act/tc_pedit.h @@ -0,0 +1,34 @@ +#ifndef __LINUX_TC_PED_H +#define __LINUX_TC_PED_H + +#include +#include + +#define TCA_ACT_PEDIT 7 + +enum { + TCA_PEDIT_UNSPEC, + TCA_PEDIT_TM, + TCA_PEDIT_PARMS, + __TCA_PEDIT_MAX +}; +#define TCA_PEDIT_MAX (__TCA_PEDIT_MAX - 1) + +struct tc_pedit_key { + __u32 mask; /* AND */ + __u32 val; /*XOR */ + __u32 off; /*offset */ + __u32 at; + __u32 offmask; + __u32 shift; +}; + +struct tc_pedit_sel { + tc_gen; + unsigned char nkeys; + unsigned char flags; + struct tc_pedit_key keys[0]; +}; +#define tc_pedit tc_pedit_sel + +#endif diff --git a/include/uapi/linux/tc_act/tc_skbedit.h b/include/uapi/linux/tc_act/tc_skbedit.h new file mode 100644 index 0000000..7a2e910 --- /dev/null +++ b/include/uapi/linux/tc_act/tc_skbedit.h @@ -0,0 +1,46 @@ +/* + * Copyright (c) 2008, Intel Corporation. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307 USA. + * + * Author: Alexander Duyck + */ + +#ifndef __LINUX_TC_SKBEDIT_H +#define __LINUX_TC_SKBEDIT_H + +#include + +#define TCA_ACT_SKBEDIT 11 + +#define SKBEDIT_F_PRIORITY 0x1 +#define SKBEDIT_F_QUEUE_MAPPING 0x2 +#define SKBEDIT_F_MARK 0x4 + +struct tc_skbedit { + tc_gen; +}; + +enum { + TCA_SKBEDIT_UNSPEC, + TCA_SKBEDIT_TM, + TCA_SKBEDIT_PARMS, + TCA_SKBEDIT_PRIORITY, + TCA_SKBEDIT_QUEUE_MAPPING, + TCA_SKBEDIT_MARK, + __TCA_SKBEDIT_MAX +}; +#define TCA_SKBEDIT_MAX (__TCA_SKBEDIT_MAX - 1) + +#endif -- cgit v0.10.2 From b6bf56c6be2be7ccebebfd91b1f11889296cbd9e Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 9 Oct 2012 09:49:06 +0100 Subject: UAPI: (Scripted) Disintegrate include/linux/tc_ematch Signed-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones diff --git a/include/linux/tc_ematch/Kbuild b/include/linux/tc_ematch/Kbuild index 4a58a1c..e69de29 100644 --- a/include/linux/tc_ematch/Kbuild +++ b/include/linux/tc_ematch/Kbuild @@ -1,4 +0,0 @@ -header-y += tc_em_cmp.h -header-y += tc_em_meta.h -header-y += tc_em_nbyte.h -header-y += tc_em_text.h diff --git a/include/linux/tc_ematch/tc_em_cmp.h b/include/linux/tc_ematch/tc_em_cmp.h deleted file mode 100644 index f34bb1b..0000000 --- a/include/linux/tc_ematch/tc_em_cmp.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef __LINUX_TC_EM_CMP_H -#define __LINUX_TC_EM_CMP_H - -#include -#include - -struct tcf_em_cmp { - __u32 val; - __u32 mask; - __u16 off; - __u8 align:4; - __u8 flags:4; - __u8 layer:4; - __u8 opnd:4; -}; - -enum { - TCF_EM_ALIGN_U8 = 1, - TCF_EM_ALIGN_U16 = 2, - TCF_EM_ALIGN_U32 = 4 -}; - -#define TCF_EM_CMP_TRANS 1 - -#endif diff --git a/include/linux/tc_ematch/tc_em_meta.h b/include/linux/tc_ematch/tc_em_meta.h deleted file mode 100644 index b11f8ce..0000000 --- a/include/linux/tc_ematch/tc_em_meta.h +++ /dev/null @@ -1,92 +0,0 @@ -#ifndef __LINUX_TC_EM_META_H -#define __LINUX_TC_EM_META_H - -#include -#include - -enum { - TCA_EM_META_UNSPEC, - TCA_EM_META_HDR, - TCA_EM_META_LVALUE, - TCA_EM_META_RVALUE, - __TCA_EM_META_MAX -}; -#define TCA_EM_META_MAX (__TCA_EM_META_MAX - 1) - -struct tcf_meta_val { - __u16 kind; - __u8 shift; - __u8 op; -}; - -#define TCF_META_TYPE_MASK (0xf << 12) -#define TCF_META_TYPE(kind) (((kind) & TCF_META_TYPE_MASK) >> 12) -#define TCF_META_ID_MASK 0x7ff -#define TCF_META_ID(kind) ((kind) & TCF_META_ID_MASK) - -enum { - TCF_META_TYPE_VAR, - TCF_META_TYPE_INT, - __TCF_META_TYPE_MAX -}; -#define TCF_META_TYPE_MAX (__TCF_META_TYPE_MAX - 1) - -enum { - TCF_META_ID_VALUE, - TCF_META_ID_RANDOM, - TCF_META_ID_LOADAVG_0, - TCF_META_ID_LOADAVG_1, - TCF_META_ID_LOADAVG_2, - TCF_META_ID_DEV, - TCF_META_ID_PRIORITY, - TCF_META_ID_PROTOCOL, - TCF_META_ID_PKTTYPE, - TCF_META_ID_PKTLEN, - TCF_META_ID_DATALEN, - TCF_META_ID_MACLEN, - TCF_META_ID_NFMARK, - TCF_META_ID_TCINDEX, - TCF_META_ID_RTCLASSID, - TCF_META_ID_RTIIF, - TCF_META_ID_SK_FAMILY, - TCF_META_ID_SK_STATE, - TCF_META_ID_SK_REUSE, - TCF_META_ID_SK_BOUND_IF, - TCF_META_ID_SK_REFCNT, - TCF_META_ID_SK_SHUTDOWN, - TCF_META_ID_SK_PROTO, - TCF_META_ID_SK_TYPE, - TCF_META_ID_SK_RCVBUF, - TCF_META_ID_SK_RMEM_ALLOC, - TCF_META_ID_SK_WMEM_ALLOC, - TCF_META_ID_SK_OMEM_ALLOC, - TCF_META_ID_SK_WMEM_QUEUED, - TCF_META_ID_SK_RCV_QLEN, - TCF_META_ID_SK_SND_QLEN, - TCF_META_ID_SK_ERR_QLEN, - TCF_META_ID_SK_FORWARD_ALLOCS, - TCF_META_ID_SK_SNDBUF, - TCF_META_ID_SK_ALLOCS, - __TCF_META_ID_SK_ROUTE_CAPS, /* unimplemented but in ABI already */ - TCF_META_ID_SK_HASH, - TCF_META_ID_SK_LINGERTIME, - TCF_META_ID_SK_ACK_BACKLOG, - TCF_META_ID_SK_MAX_ACK_BACKLOG, - TCF_META_ID_SK_PRIO, - TCF_META_ID_SK_RCVLOWAT, - TCF_META_ID_SK_RCVTIMEO, - TCF_META_ID_SK_SNDTIMEO, - TCF_META_ID_SK_SENDMSG_OFF, - TCF_META_ID_SK_WRITE_PENDING, - TCF_META_ID_VLAN_TAG, - TCF_META_ID_RXHASH, - __TCF_META_ID_MAX -}; -#define TCF_META_ID_MAX (__TCF_META_ID_MAX - 1) - -struct tcf_meta_hdr { - struct tcf_meta_val left; - struct tcf_meta_val right; -}; - -#endif diff --git a/include/linux/tc_ematch/tc_em_nbyte.h b/include/linux/tc_ematch/tc_em_nbyte.h deleted file mode 100644 index 7172cfb..0000000 --- a/include/linux/tc_ematch/tc_em_nbyte.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef __LINUX_TC_EM_NBYTE_H -#define __LINUX_TC_EM_NBYTE_H - -#include -#include - -struct tcf_em_nbyte { - __u16 off; - __u16 len:12; - __u8 layer:4; -}; - -#endif diff --git a/include/linux/tc_ematch/tc_em_text.h b/include/linux/tc_ematch/tc_em_text.h deleted file mode 100644 index 5aac404..0000000 --- a/include/linux/tc_ematch/tc_em_text.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef __LINUX_TC_EM_TEXT_H -#define __LINUX_TC_EM_TEXT_H - -#include -#include - -#define TC_EM_TEXT_ALGOSIZ 16 - -struct tcf_em_text { - char algo[TC_EM_TEXT_ALGOSIZ]; - __u16 from_offset; - __u16 to_offset; - __u16 pattern_len; - __u8 from_layer:4; - __u8 to_layer:4; - __u8 pad; -}; - -#endif diff --git a/include/uapi/linux/tc_ematch/Kbuild b/include/uapi/linux/tc_ematch/Kbuild index aafaa5a..53fca39 100644 --- a/include/uapi/linux/tc_ematch/Kbuild +++ b/include/uapi/linux/tc_ematch/Kbuild @@ -1 +1,5 @@ # UAPI Header export list +header-y += tc_em_cmp.h +header-y += tc_em_meta.h +header-y += tc_em_nbyte.h +header-y += tc_em_text.h diff --git a/include/uapi/linux/tc_ematch/tc_em_cmp.h b/include/uapi/linux/tc_ematch/tc_em_cmp.h new file mode 100644 index 0000000..f34bb1b --- /dev/null +++ b/include/uapi/linux/tc_ematch/tc_em_cmp.h @@ -0,0 +1,25 @@ +#ifndef __LINUX_TC_EM_CMP_H +#define __LINUX_TC_EM_CMP_H + +#include +#include + +struct tcf_em_cmp { + __u32 val; + __u32 mask; + __u16 off; + __u8 align:4; + __u8 flags:4; + __u8 layer:4; + __u8 opnd:4; +}; + +enum { + TCF_EM_ALIGN_U8 = 1, + TCF_EM_ALIGN_U16 = 2, + TCF_EM_ALIGN_U32 = 4 +}; + +#define TCF_EM_CMP_TRANS 1 + +#endif diff --git a/include/uapi/linux/tc_ematch/tc_em_meta.h b/include/uapi/linux/tc_ematch/tc_em_meta.h new file mode 100644 index 0000000..b11f8ce --- /dev/null +++ b/include/uapi/linux/tc_ematch/tc_em_meta.h @@ -0,0 +1,92 @@ +#ifndef __LINUX_TC_EM_META_H +#define __LINUX_TC_EM_META_H + +#include +#include + +enum { + TCA_EM_META_UNSPEC, + TCA_EM_META_HDR, + TCA_EM_META_LVALUE, + TCA_EM_META_RVALUE, + __TCA_EM_META_MAX +}; +#define TCA_EM_META_MAX (__TCA_EM_META_MAX - 1) + +struct tcf_meta_val { + __u16 kind; + __u8 shift; + __u8 op; +}; + +#define TCF_META_TYPE_MASK (0xf << 12) +#define TCF_META_TYPE(kind) (((kind) & TCF_META_TYPE_MASK) >> 12) +#define TCF_META_ID_MASK 0x7ff +#define TCF_META_ID(kind) ((kind) & TCF_META_ID_MASK) + +enum { + TCF_META_TYPE_VAR, + TCF_META_TYPE_INT, + __TCF_META_TYPE_MAX +}; +#define TCF_META_TYPE_MAX (__TCF_META_TYPE_MAX - 1) + +enum { + TCF_META_ID_VALUE, + TCF_META_ID_RANDOM, + TCF_META_ID_LOADAVG_0, + TCF_META_ID_LOADAVG_1, + TCF_META_ID_LOADAVG_2, + TCF_META_ID_DEV, + TCF_META_ID_PRIORITY, + TCF_META_ID_PROTOCOL, + TCF_META_ID_PKTTYPE, + TCF_META_ID_PKTLEN, + TCF_META_ID_DATALEN, + TCF_META_ID_MACLEN, + TCF_META_ID_NFMARK, + TCF_META_ID_TCINDEX, + TCF_META_ID_RTCLASSID, + TCF_META_ID_RTIIF, + TCF_META_ID_SK_FAMILY, + TCF_META_ID_SK_STATE, + TCF_META_ID_SK_REUSE, + TCF_META_ID_SK_BOUND_IF, + TCF_META_ID_SK_REFCNT, + TCF_META_ID_SK_SHUTDOWN, + TCF_META_ID_SK_PROTO, + TCF_META_ID_SK_TYPE, + TCF_META_ID_SK_RCVBUF, + TCF_META_ID_SK_RMEM_ALLOC, + TCF_META_ID_SK_WMEM_ALLOC, + TCF_META_ID_SK_OMEM_ALLOC, + TCF_META_ID_SK_WMEM_QUEUED, + TCF_META_ID_SK_RCV_QLEN, + TCF_META_ID_SK_SND_QLEN, + TCF_META_ID_SK_ERR_QLEN, + TCF_META_ID_SK_FORWARD_ALLOCS, + TCF_META_ID_SK_SNDBUF, + TCF_META_ID_SK_ALLOCS, + __TCF_META_ID_SK_ROUTE_CAPS, /* unimplemented but in ABI already */ + TCF_META_ID_SK_HASH, + TCF_META_ID_SK_LINGERTIME, + TCF_META_ID_SK_ACK_BACKLOG, + TCF_META_ID_SK_MAX_ACK_BACKLOG, + TCF_META_ID_SK_PRIO, + TCF_META_ID_SK_RCVLOWAT, + TCF_META_ID_SK_RCVTIMEO, + TCF_META_ID_SK_SNDTIMEO, + TCF_META_ID_SK_SENDMSG_OFF, + TCF_META_ID_SK_WRITE_PENDING, + TCF_META_ID_VLAN_TAG, + TCF_META_ID_RXHASH, + __TCF_META_ID_MAX +}; +#define TCF_META_ID_MAX (__TCF_META_ID_MAX - 1) + +struct tcf_meta_hdr { + struct tcf_meta_val left; + struct tcf_meta_val right; +}; + +#endif diff --git a/include/uapi/linux/tc_ematch/tc_em_nbyte.h b/include/uapi/linux/tc_ematch/tc_em_nbyte.h new file mode 100644 index 0000000..7172cfb --- /dev/null +++ b/include/uapi/linux/tc_ematch/tc_em_nbyte.h @@ -0,0 +1,13 @@ +#ifndef __LINUX_TC_EM_NBYTE_H +#define __LINUX_TC_EM_NBYTE_H + +#include +#include + +struct tcf_em_nbyte { + __u16 off; + __u16 len:12; + __u8 layer:4; +}; + +#endif diff --git a/include/uapi/linux/tc_ematch/tc_em_text.h b/include/uapi/linux/tc_ematch/tc_em_text.h new file mode 100644 index 0000000..5aac404 --- /dev/null +++ b/include/uapi/linux/tc_ematch/tc_em_text.h @@ -0,0 +1,19 @@ +#ifndef __LINUX_TC_EM_TEXT_H +#define __LINUX_TC_EM_TEXT_H + +#include +#include + +#define TC_EM_TEXT_ALGOSIZ 16 + +struct tcf_em_text { + char algo[TC_EM_TEXT_ALGOSIZ]; + __u16 from_offset; + __u16 to_offset; + __u16 pattern_len; + __u8 from_layer:4; + __u8 to_layer:4; + __u8 pad; +}; + +#endif -- cgit v0.10.2 From 91e2b89b04d3f568dc4ec99f242a4a742061e399 Mon Sep 17 00:00:00 2001 From: Greg Rose Date: Wed, 3 Oct 2012 00:57:23 +0000 Subject: ixgbevf: Set the netdev number of Tx queues The driver was not setting the number of real Tx queues in the net_device structure. This caused some serious issues such as Tx hangs and extremely poor performance with some usages of the driver. The issue is best observed by running: iperf -c -P Where n is greater than one. The greater the value of n the more likely the problem is to show up. Signed-off-by: Greg Rose Signed-off-by: Jeff Kirsher diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c index 0ee9bd4..de1ad50 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c @@ -1747,6 +1747,7 @@ err_tx_ring_allocation: **/ static int ixgbevf_set_interrupt_capability(struct ixgbevf_adapter *adapter) { + struct net_device *netdev = adapter->netdev; int err = 0; int vector, v_budget; @@ -1775,6 +1776,12 @@ static int ixgbevf_set_interrupt_capability(struct ixgbevf_adapter *adapter) ixgbevf_acquire_msix_vectors(adapter, v_budget); + err = netif_set_real_num_tx_queues(netdev, adapter->num_tx_queues); + if (err) + goto out; + + err = netif_set_real_num_rx_queues(netdev, adapter->num_rx_queues); + out: return err; } -- cgit v0.10.2 From c88887e09099b7f77659cb6aa1b9d670a7632f4b Mon Sep 17 00:00:00 2001 From: Alexander Duyck Date: Wed, 22 Aug 2012 02:04:37 +0000 Subject: ixgbe/ixgbevf: Limit maximum jumbo frame size to 9.5K to avoid Tx hangs This change limits the PF/VF driver to 9.5K max jumbo frame size in order prevent a possible Tx hang in the adapter when sending frames between pools. All of the parts in ixgbe support a maximum frame of 15.5K for standard traffic, however with SR-IOV or DCB enabled they should be limiting the MTU size to 9.5K. Instead of adding extra checks which would have to change the MTU when we go into or out of these modes it is preferred to just use a standard 9.5K MTU limit for all modes so that this extra overhead can be avoided. Signed-off-by: Alexander Duyck Tested-by: Phil Schmitt Tested-by: Sibai Li Signed-off-by: Jeff Kirsher diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h index 5bd2676..30efc9f 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h @@ -410,7 +410,7 @@ static inline u16 ixgbe_desc_unused(struct ixgbe_ring *ring) #define IXGBE_TX_CTXTDESC(R, i) \ (&(((struct ixgbe_adv_tx_context_desc *)((R)->desc))[i])) -#define IXGBE_MAX_JUMBO_FRAME_SIZE 16128 +#define IXGBE_MAX_JUMBO_FRAME_SIZE 9728 /* Maximum Supported Size 9.5KB */ #ifdef IXGBE_FCOE /* Use 3K as the baby jumbo frame size for FCoE */ #define IXGBE_FCOE_JUMBO_FRAME_SIZE 3072 diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h b/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h index 383b4e1..4a9c9c2 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h +++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h @@ -175,7 +175,7 @@ struct ixgbevf_q_vector { #define IXGBEVF_TX_CTXTDESC(R, i) \ (&(((struct ixgbe_adv_tx_context_desc *)((R)->desc))[i])) -#define IXGBE_MAX_JUMBO_FRAME_SIZE 16128 +#define IXGBE_MAX_JUMBO_FRAME_SIZE 9728 /* Maximum Supported Size 9.5KB */ #define OTHER_VECTOR 1 #define NON_Q_VECTORS (OTHER_VECTOR) -- cgit v0.10.2 From 16e310ae6ed352c4963b1f2413fcd88fa693eeda Mon Sep 17 00:00:00 2001 From: Bruce Allan Date: Tue, 9 Oct 2012 01:11:26 +0000 Subject: e1000e: add device IDs for i218 i218 is the next-generation LOM that will be available on systems with the Lynx Point LP Platform Controller Hub (PCH) chipset from Intel. This patch provides the initial support of those devices. Signed-off-by: Bruce Allan Signed-off-by: Jeff Kirsher diff --git a/drivers/net/ethernet/intel/e1000e/hw.h b/drivers/net/ethernet/intel/e1000e/hw.h index ed5b409..d37bfd9 100644 --- a/drivers/net/ethernet/intel/e1000e/hw.h +++ b/drivers/net/ethernet/intel/e1000e/hw.h @@ -412,6 +412,8 @@ enum e1e_registers { #define E1000_DEV_ID_PCH2_LV_V 0x1503 #define E1000_DEV_ID_PCH_LPT_I217_LM 0x153A #define E1000_DEV_ID_PCH_LPT_I217_V 0x153B +#define E1000_DEV_ID_PCH_LPTLP_I218_LM 0x155A +#define E1000_DEV_ID_PCH_LPTLP_I218_V 0x1559 #define E1000_REVISION_4 4 diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c index fb659dd..de57a2b 100644 --- a/drivers/net/ethernet/intel/e1000e/netdev.c +++ b/drivers/net/ethernet/intel/e1000e/netdev.c @@ -6558,6 +6558,8 @@ static DEFINE_PCI_DEVICE_TABLE(e1000_pci_tbl) = { { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_LPT_I217_LM), board_pch_lpt }, { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_LPT_I217_V), board_pch_lpt }, + { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_LPTLP_I218_LM), board_pch_lpt }, + { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_LPTLP_I218_V), board_pch_lpt }, { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */ }; -- cgit v0.10.2 From 0f796579848f284705cef8c9348f8178b37e1abe Mon Sep 17 00:00:00 2001 From: Haicheng Li Date: Mon, 8 Oct 2012 23:43:12 +0000 Subject: pch_gbe: Fix build error by selecting all the possible dependencies. Fengguang reported a kernel build failure as following: drivers/built-in.o: In function `pch_gbe_ioctl': pch_gbe_main.c:(.text+0x510370): undefined reference to `pch_ch_control_write' pch_gbe_main.c:(.text+0x510393): undefined reference to `pch_ch_control_write' pch_gbe_main.c:(.text+0x5103b3): undefined reference to `pch_ch_control_write' ... It's a regression by commit da1586461. The root cause is that the CONFIG_PPS is not set there, consequently CONFIG_PTP_1588_CLOCK can not be set anyway, which finally causes ptp_pch and pch_gbe_main build failures. As David prefers to use *select* to fix such module co-dependency issues, this patch explicitly selects all the possible dependencies of PCH_PTP. Reported-by: Fengguang Wu Reviewed-by: David S. Miller Signed-off-by: Haicheng Li Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/Kconfig b/drivers/net/ethernet/oki-semi/pch_gbe/Kconfig index 9730241..5296cc8 100644 --- a/drivers/net/ethernet/oki-semi/pch_gbe/Kconfig +++ b/drivers/net/ethernet/oki-semi/pch_gbe/Kconfig @@ -26,6 +26,9 @@ if PCH_GBE config PCH_PTP bool "PCH PTP clock support" default n + depends on EXPERIMENTAL + select PPS + select PTP_1588_CLOCK select PTP_1588_CLOCK_PCH ---help--- Say Y here if you want to use Precision Time Protocol (PTP) in the -- cgit v0.10.2 From 1451ae6ef8bff77007338b2870bb3de2658afff8 Mon Sep 17 00:00:00 2001 From: Ajit Khaparde Date: Mon, 8 Oct 2012 18:18:21 +0000 Subject: be2net: Remove code that stops further access to BE NIC based on UE bits On certain platforms, BE hardware could falsely indicate UE. For BE family of NICs, do not set hw_error based on the UE bits. If there was a real fatal error, the corresponding h/w block will automatically go offline and stop traffic. Signed-off-by: Ajit Khaparde Signed-off-by: David S. Miller diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c index eb3f2cb..d1b6cc5 100644 --- a/drivers/net/ethernet/emulex/benet/be_main.c +++ b/drivers/net/ethernet/emulex/benet/be_main.c @@ -2129,8 +2129,11 @@ void be_detect_error(struct be_adapter *adapter) ue_hi = (ue_hi & ~ue_hi_mask); } - if (ue_lo || ue_hi || - sliport_status & SLIPORT_STATUS_ERR_MASK) { + /* On certain platforms BE hardware can indicate spurious UEs. + * Allow the h/w to stop working completely in case of a real UE. + * Hence not setting the hw_error for UE detection. + */ + if (sliport_status & SLIPORT_STATUS_ERR_MASK) { adapter->hw_error = true; dev_err(&adapter->pdev->dev, "Error detected in the card\n"); -- cgit v0.10.2 From 50fb47ae4d812d5eabc57539701dc0fd6404495e Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 8 Oct 2012 21:20:48 +0000 Subject: farsync: fix support for over 30 cards We're trying to fill a 64 bit bitmap but only the lower 30 shifts work because the shift wraps around. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c index 1a62318..b627132 100644 --- a/drivers/net/wan/farsync.c +++ b/drivers/net/wan/farsync.c @@ -597,7 +597,7 @@ fst_q_work_item(u64 * queue, int card_index) * bottom half for the card. Note the limitation of 64 cards. * That ought to be enough */ - mask = 1 << card_index; + mask = (u64)1 << card_index; *queue |= mask; spin_unlock_irqrestore(&fst_work_q_lock, flags); } -- cgit v0.10.2 From 4085a7f0a09c73ef3e9de113c9f04d78c79be645 Mon Sep 17 00:00:00 2001 From: Mark Brown Date: Mon, 8 Oct 2012 22:55:43 +0000 Subject: netdev/phy: Prototype of_mdio_find_bus() Ensure that of_mdio_find_bus() matches the prototype in the header (and stop sparse complaining) by including the header with the prototype. Signed-off-by: Mark Brown Signed-off-by: David S. Miller diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c index 170eb41..c1ef300 100644 --- a/drivers/net/phy/mdio_bus.c +++ b/drivers/net/phy/mdio_bus.c @@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include -- cgit v0.10.2 From 5175a5e76bbdf20a614fb47ce7a38f0f39e70226 Mon Sep 17 00:00:00 2001 From: "jeff.liu" Date: Mon, 8 Oct 2012 18:57:27 +0000 Subject: RDS: fix rds-ping spinlock recursion This is the revised patch for fixing rds-ping spinlock recursion according to Venkat's suggestions. RDS ping/pong over TCP feature has been broken for years(2.6.39 to 3.6.0) since we have to set TCP cork and call kernel_sendmsg() between ping/pong which both need to lock "struct sock *sk". However, this lock has already been hold before rds_tcp_data_ready() callback is triggerred. As a result, we always facing spinlock resursion which would resulting in system panic. Given that RDS ping is only used to test the connectivity and not for serious performance measurements, we can queue the pong transmit to rds_wq as a delayed response. Reported-by: Dan Carpenter CC: Venkat Venkatsubra CC: David S. Miller CC: James Morris Signed-off-by: Jie Liu Signed-off-by: David S. Miller diff --git a/net/rds/send.c b/net/rds/send.c index 96531d4..88eace5 100644 --- a/net/rds/send.c +++ b/net/rds/send.c @@ -1122,7 +1122,7 @@ rds_send_pong(struct rds_connection *conn, __be16 dport) rds_stats_inc(s_send_pong); if (!test_bit(RDS_LL_SEND_FULL, &conn->c_flags)) - rds_send_xmit(conn); + queue_delayed_work(rds_wq, &conn->c_send_w, 0); rds_message_put(rm); return 0; -- cgit v0.10.2