* iptables features 20110905
@ 2011-09-05 18:24 Jan Engelhardt
From: Jan Engelhardt @ 2011-09-05 18:24 UTC (permalink / raw)
  To: netfilter-devel


The following changes since commit bf42cf92ea0c53e5470a20d62d00e5e83379f4d5:

  Merge branch 'stable' of git://dev.medozas.de/iptables (2011-09-05 20:16:07 +0200)

are available in the git repository at:

  git://dev.medozas.de/iptables master

Jan Engelhardt (3):
      libxt_addrtype: rename from libipt_addrtype
      libxt_addrtype: add support for revision 1
      include: refresh include files from kernel 3.1-rc3

 extensions/{libipt_addrtype.c => libxt_addrtype.c} |   56 ++---
 .../{libipt_addrtype.man => libxt_addrtype.man}    |    0
 include/linux/kernel.h                             |   33 ---
 include/linux/netfilter.h                          |   18 ++-
 include/linux/netfilter/ipset/ip_set.h             |  225 ++++++++++++++++++++
 include/linux/netfilter/nf_conntrack_common.h      |   14 ++
 .../linux/netfilter/nf_conntrack_tuple_common.h    |    3 +-
 include/linux/netfilter/x_tables.h                 |    5 +
 include/linux/netfilter/xt_CT.h                    |    2 +
 include/linux/netfilter/xt_TCPOPTSTRIP.h           |    2 +
 include/linux/netfilter/xt_TPROXY.h                |    2 +
 include/linux/netfilter/xt_addrtype.h              |   44 ++++
 include/linux/netfilter/xt_cluster.h               |    2 +
 include/linux/netfilter/xt_connbytes.h             |    4 +-
 include/linux/netfilter/xt_connlimit.h             |    2 +
 include/linux/netfilter/xt_physdev.h               |    3 -
 include/linux/netfilter/xt_policy.h                |   11 -
 include/linux/netfilter/xt_quota.h                 |    4 +-
 include/linux/netfilter/xt_sctp.h                  |    4 +-
 include/linux/netfilter/xt_set.h                   |   81 +------
 include/linux/netfilter/xt_socket.h                |    2 +
 include/linux/netfilter/xt_time.h                  |    2 +
 include/linux/netfilter/xt_u32.h                   |    2 +
 include/linux/netfilter_ipv4/ip_tables.h           |   82 ++++----
 include/linux/netfilter_ipv4/ipt_CLUSTERIP.h       |   16 +-
 include/linux/netfilter_ipv4/ipt_ECN.h             |    8 +-
 include/linux/netfilter_ipv4/ipt_SAME.h            |    8 +-
 include/linux/netfilter_ipv4/ipt_TTL.h             |    6 +-
 include/linux/netfilter_ipv4/ipt_addrtype.h        |   16 +-
 include/linux/netfilter_ipv4/ipt_ah.h              |    6 +-
 include/linux/netfilter_ipv4/ipt_ecn.h             |   10 +-
 include/linux/netfilter_ipv4/ipt_ttl.h             |    6 +-
 include/linux/netfilter_ipv6/ip6_tables.h          |  100 ++++------
 include/linux/netfilter_ipv6/ip6t_HL.h             |    6 +-
 include/linux/netfilter_ipv6/ip6t_REJECT.h         |    4 +-
 include/linux/netfilter_ipv6/ip6t_ah.h             |   10 +-
 include/linux/netfilter_ipv6/ip6t_frag.h           |   10 +-
 include/linux/netfilter_ipv6/ip6t_hl.h             |    6 +-
 include/linux/netfilter_ipv6/ip6t_ipv6header.h     |    8 +-
 include/linux/netfilter_ipv6/ip6t_mh.h             |    6 +-
 include/linux/netfilter_ipv6/ip6t_opts.h           |   12 +-
 include/linux/netfilter_ipv6/ip6t_rt.h             |   13 +-
 include/linux/types.h                              |   13 ++
 43 files changed, 543 insertions(+), 324 deletions(-)
 rename extensions/{libipt_addrtype.c => libxt_addrtype.c} (82%)
 rename extensions/{libipt_addrtype.man => libxt_addrtype.man} (100%)
 create mode 100644 include/linux/netfilter/ipset/ip_set.h
 create mode 100644 include/linux/netfilter/xt_addrtype.h


* [PATCH 1/3] libxt_addrtype: rename from libipt_addrtype
@ 2011-09-05 18:24 ` Jan Engelhardt
From: Jan Engelhardt @ 2011-09-05 18:24 UTC (permalink / raw)
  To: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_addrtype.c   |  308 ----------------------------------------
 extensions/libipt_addrtype.man |   69 ---------
 extensions/libxt_addrtype.c    |  308 ++++++++++++++++++++++++++++++++++++++++
 extensions/libxt_addrtype.man  |   69 +++++++++
 4 files changed, 377 insertions(+), 377 deletions(-)
 delete mode 100644 extensions/libipt_addrtype.c
 delete mode 100644 extensions/libipt_addrtype.man
 create mode 100644 extensions/libxt_addrtype.c
 create mode 100644 extensions/libxt_addrtype.man

diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c
deleted file mode 100644
index 3dec626..0000000
--- a/extensions/libipt_addrtype.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/* Shared library add-on to iptables to add addrtype matching support 
- * 
- * This program is released under the terms of GNU GPL */
-#include <stdio.h>
-#include <string.h>
-#include <xtables.h>
-#include <linux/netfilter_ipv4/ipt_addrtype.h>
-
-enum {
-	O_SRC_TYPE = 0,
-	O_DST_TYPE,
-	O_LIMIT_IFACE_IN,
-	O_LIMIT_IFACE_OUT,
-	F_SRC_TYPE        = 1 << O_SRC_TYPE,
-	F_DST_TYPE        = 1 << O_DST_TYPE,
-	F_LIMIT_IFACE_IN  = 1 << O_LIMIT_IFACE_IN,
-	F_LIMIT_IFACE_OUT = 1 << O_LIMIT_IFACE_OUT,
-};
-
-/* from linux/rtnetlink.h, must match order of enumeration */
-static const char *const rtn_names[] = {
-	"UNSPEC",
-	"UNICAST",
-	"LOCAL",
-	"BROADCAST",
-	"ANYCAST",
-	"MULTICAST",
-	"BLACKHOLE",
-	"UNREACHABLE",
-	"PROHIBIT",
-	"THROW",
-	"NAT",
-	"XRESOLVE",
-	NULL
-};
-
-static void addrtype_help_types(void)
-{
-	int i;
-
-	for (i = 0; rtn_names[i]; i++)
-		printf("                                %s\n", rtn_names[i]);
-}
-
-static void addrtype_help_v0(void)
-{
-	printf(
-"Address type match options:\n"
-" [!] --src-type type[,...]      Match source address type\n"
-" [!] --dst-type type[,...]      Match destination address type\n"
-"\n"
-"Valid types:           \n");
-	addrtype_help_types();
-}
-
-static void addrtype_help_v1(void)
-{
-	printf(
-"Address type match options:\n"
-" [!] --src-type type[,...]      Match source address type\n"
-" [!] --dst-type type[,...]      Match destination address type\n"
-"     --limit-iface-in           Match only on the packet's incoming device\n"
-"     --limit-iface-out          Match only on the packet's incoming device\n"
-"\n"
-"Valid types:           \n");
-	addrtype_help_types();
-}
-
-static int
-parse_type(const char *name, size_t len, uint16_t *mask)
-{
-	int i;
-
-	for (i = 0; rtn_names[i]; i++)
-		if (strncasecmp(name, rtn_names[i], len) == 0) {
-			/* build up bitmask for kernel module */
-			*mask |= (1 << i);
-			return 1;
-		}
-
-	return 0;
-}
-
-static void parse_types(const char *arg, uint16_t *mask)
-{
-	const char *comma;
-
-	while ((comma = strchr(arg, ',')) != NULL) {
-		if (comma == arg || !parse_type(arg, comma-arg, mask))
-			xtables_error(PARAMETER_PROBLEM,
-			           "addrtype: bad type `%s'", arg);
-		arg = comma + 1;
-	}
-
-	if (strlen(arg) == 0 || !parse_type(arg, strlen(arg), mask))
-		xtables_error(PARAMETER_PROBLEM, "addrtype: bad type \"%s\"", arg);
-}
-	
-static void addrtype_parse_v0(struct xt_option_call *cb)
-{
-	struct ipt_addrtype_info *info = cb->data;
-
-	xtables_option_parse(cb);
-	switch (cb->entry->id) {
-	case O_SRC_TYPE:
-		parse_types(cb->arg, &info->source);
-		if (cb->invert)
-			info->invert_source = 1;
-		break;
-	case O_DST_TYPE:
-		parse_types(cb->arg, &info->dest);
-		if (cb->invert)
-			info->invert_dest = 1;
-		break;
-	}
-}
-
-static void addrtype_parse_v1(struct xt_option_call *cb)
-{
-	struct ipt_addrtype_info_v1 *info = cb->data;
-
-	xtables_option_parse(cb);
-	switch (cb->entry->id) {
-	case O_SRC_TYPE:
-		parse_types(cb->arg, &info->source);
-		if (cb->invert)
-			info->flags |= IPT_ADDRTYPE_INVERT_SOURCE;
-		break;
-	case O_DST_TYPE:
-		parse_types(cb->arg, &info->dest);
-		if (cb->invert)
-			info->flags |= IPT_ADDRTYPE_INVERT_DEST;
-		break;
-	case O_LIMIT_IFACE_IN:
-		info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_IN;
-		break;
-	case O_LIMIT_IFACE_OUT:
-		info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_OUT;
-		break;
-	}
-}
-
-static void addrtype_check(struct xt_fcheck_call *cb)
-{
-	if (!(cb->xflags & (F_SRC_TYPE | F_DST_TYPE)))
-		xtables_error(PARAMETER_PROBLEM,
-			   "addrtype: you must specify --src-type or --dst-type");
-}
-
-static void print_types(uint16_t mask)
-{
-	const char *sep = "";
-	int i;
-
-	for (i = 0; rtn_names[i]; i++)
-		if (mask & (1 << i)) {
-			printf("%s%s", sep, rtn_names[i]);
-			sep = ",";
-		}
-}
-
-static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match,
-                              int numeric)
-{
-	const struct ipt_addrtype_info *info = 
-		(struct ipt_addrtype_info *) match->data;
-
-	printf(" ADDRTYPE match");
-	if (info->source) {
-		printf(" src-type ");
-		if (info->invert_source)
-			printf("!");
-		print_types(info->source);
-	}
-	if (info->dest) {
-		printf(" dst-type");
-		if (info->invert_dest)
-			printf("!");
-		print_types(info->dest);
-	}
-}
-
-static void addrtype_print_v1(const void *ip, const struct xt_entry_match *match,
-                              int numeric)
-{
-	const struct ipt_addrtype_info_v1 *info = 
-		(struct ipt_addrtype_info_v1 *) match->data;
-
-	printf(" ADDRTYPE match");
-	if (info->source) {
-		printf(" src-type ");
-		if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
-			printf("!");
-		print_types(info->source);
-	}
-	if (info->dest) {
-		printf(" dst-type ");
-		if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
-			printf("!");
-		print_types(info->dest);
-	}
-	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
-		printf(" limit-in");
-	}
-	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
-		printf(" limit-out");
-	}
-}
-
-static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match)
-{
-	const struct ipt_addrtype_info *info =
-		(struct ipt_addrtype_info *) match->data;
-
-	if (info->source) {
-		if (info->invert_source)
-			printf(" !");
-		printf(" --src-type ");
-		print_types(info->source);
-	}
-	if (info->dest) {
-		if (info->invert_dest)
-			printf(" !");
-		printf(" --dst-type ");
-		print_types(info->dest);
-	}
-}
-
-static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match)
-{
-	const struct ipt_addrtype_info_v1 *info =
-		(struct ipt_addrtype_info_v1 *) match->data;
-
-	if (info->source) {
-		if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
-			printf(" !");
-		printf(" --src-type ");
-		print_types(info->source);
-	}
-	if (info->dest) {
-		if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
-			printf(" !");
-		printf(" --dst-type ");
-		print_types(info->dest);
-	}
-	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
-		printf(" --limit-iface-in");
-	}
-	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
-		printf(" --limit-iface-out");
-	}
-}
-
-static const struct xt_option_entry addrtype_opts_v0[] = {
-	{.name = "src-type", .id = O_SRC_TYPE, .type = XTTYPE_STRING,
-	 .flags = XTOPT_INVERT},
-	{.name = "dst-type", .id = O_DST_TYPE, .type = XTTYPE_STRING,
-	 .flags = XTOPT_INVERT},
-	XTOPT_TABLEEND,
-};
-
-static const struct xt_option_entry addrtype_opts_v1[] = {
-	{.name = "src-type", .id = O_SRC_TYPE, .type = XTTYPE_STRING,
-	 .flags = XTOPT_INVERT},
-	{.name = "dst-type", .id = O_DST_TYPE, .type = XTTYPE_STRING,
-	 .flags = XTOPT_INVERT},
-	{.name = "limit-iface-in", .id = O_LIMIT_IFACE_IN,
-	 .type = XTTYPE_NONE, .excl = F_LIMIT_IFACE_OUT},
-	{.name = "limit-iface-out", .id = O_LIMIT_IFACE_OUT,
-	 .type = XTTYPE_NONE, .excl = F_LIMIT_IFACE_IN},
-	XTOPT_TABLEEND,
-};
-
-static struct xtables_match addrtype_mt_reg[] = {
-	{
-		.name          = "addrtype",
-		.version       = XTABLES_VERSION,
-		.family        = NFPROTO_IPV4,
-		.size          = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
-		.userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
-		.help          = addrtype_help_v0,
-		.print         = addrtype_print_v0,
-		.save          = addrtype_save_v0,
-		.x6_parse      = addrtype_parse_v0,
-		.x6_fcheck     = addrtype_check,
-		.x6_options    = addrtype_opts_v0,
-	},
-	{
-		.name          = "addrtype",
-		.revision      = 1,
-		.version       = XTABLES_VERSION,
-		.family        = NFPROTO_IPV4,
-		.size          = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
-		.userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
-		.help          = addrtype_help_v1,
-		.print         = addrtype_print_v1,
-		.save          = addrtype_save_v1,
-		.x6_parse      = addrtype_parse_v1,
-		.x6_fcheck     = addrtype_check,
-		.x6_options    = addrtype_opts_v1,
-	},
-};
-
-
-void _init(void) 
-{
-	xtables_register_matches(addrtype_mt_reg, ARRAY_SIZE(addrtype_mt_reg));
-}
diff --git a/extensions/libipt_addrtype.man b/extensions/libipt_addrtype.man
deleted file mode 100644
index 16fd9df..0000000
--- a/extensions/libipt_addrtype.man
+++ /dev/null
@@ -1,69 +0,0 @@
-This module matches packets based on their 
-.B address type.
-Address types are used within the kernel networking stack and categorize
-addresses into various groups.  The exact definition of that group depends on the specific layer three protocol.
-.PP
-The following address types are possible:
-.TP
-.BI "UNSPEC"
-an unspecified address (i.e. 0.0.0.0)
-.TP
-.BI "UNICAST"
-an unicast address
-.TP
-.BI "LOCAL"
-a local address
-.TP
-.BI "BROADCAST"
-a broadcast address
-.TP
-.BI "ANYCAST"
-an anycast packet
-.TP
-.BI "MULTICAST"
-a multicast address
-.TP
-.BI "BLACKHOLE"
-a blackhole address
-.TP
-.BI "UNREACHABLE"
-an unreachable address
-.TP
-.BI "PROHIBIT"
-a prohibited address
-.TP
-.BI "THROW"
-FIXME
-.TP
-.BI "NAT"
-FIXME
-.TP
-.BI "XRESOLVE"
-.TP
-[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP
-Matches if the source address is of given type
-.TP
-[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP
-Matches if the destination address is of given type
-.TP
-.BI "\-\-limit\-iface\-in"
-The address type checking can be limited to the interface the packet is coming
-in. This option is only valid in the
-.BR PREROUTING ,
-.B INPUT
-and
-.B FORWARD
-chains. It cannot be specified with the
-\fB\-\-limit\-iface\-out\fP
-option.
-.TP
-\fB\-\-limit\-iface\-out\fP
-The address type checking can be limited to the interface the packet is going
-out. This option is only valid in the
-.BR POSTROUTING ,
-.B OUTPUT
-and
-.B FORWARD
-chains. It cannot be specified with the
-\fB\-\-limit\-iface\-in\fP
-option.
diff --git a/extensions/libxt_addrtype.c b/extensions/libxt_addrtype.c
new file mode 100644
index 0000000..3dec626
--- /dev/null
+++ b/extensions/libxt_addrtype.c
@@ -0,0 +1,308 @@
+/* Shared library add-on to iptables to add addrtype matching support 
+ * 
+ * This program is released under the terms of GNU GPL */
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ipt_addrtype.h>
+
+enum {
+	O_SRC_TYPE = 0,
+	O_DST_TYPE,
+	O_LIMIT_IFACE_IN,
+	O_LIMIT_IFACE_OUT,
+	F_SRC_TYPE        = 1 << O_SRC_TYPE,
+	F_DST_TYPE        = 1 << O_DST_TYPE,
+	F_LIMIT_IFACE_IN  = 1 << O_LIMIT_IFACE_IN,
+	F_LIMIT_IFACE_OUT = 1 << O_LIMIT_IFACE_OUT,
+};
+
+/* from linux/rtnetlink.h, must match order of enumeration */
+static const char *const rtn_names[] = {
+	"UNSPEC",
+	"UNICAST",
+	"LOCAL",
+	"BROADCAST",
+	"ANYCAST",
+	"MULTICAST",
+	"BLACKHOLE",
+	"UNREACHABLE",
+	"PROHIBIT",
+	"THROW",
+	"NAT",
+	"XRESOLVE",
+	NULL
+};
+
+static void addrtype_help_types(void)
+{
+	int i;
+
+	for (i = 0; rtn_names[i]; i++)
+		printf("                                %s\n", rtn_names[i]);
+}
+
+static void addrtype_help_v0(void)
+{
+	printf(
+"Address type match options:\n"
+" [!] --src-type type[,...]      Match source address type\n"
+" [!] --dst-type type[,...]      Match destination address type\n"
+"\n"
+"Valid types:           \n");
+	addrtype_help_types();
+}
+
+static void addrtype_help_v1(void)
+{
+	printf(
+"Address type match options:\n"
+" [!] --src-type type[,...]      Match source address type\n"
+" [!] --dst-type type[,...]      Match destination address type\n"
+"     --limit-iface-in           Match only on the packet's incoming device\n"
+"     --limit-iface-out          Match only on the packet's incoming device\n"
+"\n"
+"Valid types:           \n");
+	addrtype_help_types();
+}
+
+static int
+parse_type(const char *name, size_t len, uint16_t *mask)
+{
+	int i;
+
+	for (i = 0; rtn_names[i]; i++)
+		if (strncasecmp(name, rtn_names[i], len) == 0) {
+			/* build up bitmask for kernel module */
+			*mask |= (1 << i);
+			return 1;
+		}
+
+	return 0;
+}
+
+static void parse_types(const char *arg, uint16_t *mask)
+{
+	const char *comma;
+
+	while ((comma = strchr(arg, ',')) != NULL) {
+		if (comma == arg || !parse_type(arg, comma-arg, mask))
+			xtables_error(PARAMETER_PROBLEM,
+			           "addrtype: bad type `%s'", arg);
+		arg = comma + 1;
+	}
+
+	if (strlen(arg) == 0 || !parse_type(arg, strlen(arg), mask))
+		xtables_error(PARAMETER_PROBLEM, "addrtype: bad type \"%s\"", arg);
+}
+	
+static void addrtype_parse_v0(struct xt_option_call *cb)
+{
+	struct ipt_addrtype_info *info = cb->data;
+
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_SRC_TYPE:
+		parse_types(cb->arg, &info->source);
+		if (cb->invert)
+			info->invert_source = 1;
+		break;
+	case O_DST_TYPE:
+		parse_types(cb->arg, &info->dest);
+		if (cb->invert)
+			info->invert_dest = 1;
+		break;
+	}
+}
+
+static void addrtype_parse_v1(struct xt_option_call *cb)
+{
+	struct ipt_addrtype_info_v1 *info = cb->data;
+
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_SRC_TYPE:
+		parse_types(cb->arg, &info->source);
+		if (cb->invert)
+			info->flags |= IPT_ADDRTYPE_INVERT_SOURCE;
+		break;
+	case O_DST_TYPE:
+		parse_types(cb->arg, &info->dest);
+		if (cb->invert)
+			info->flags |= IPT_ADDRTYPE_INVERT_DEST;
+		break;
+	case O_LIMIT_IFACE_IN:
+		info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_IN;
+		break;
+	case O_LIMIT_IFACE_OUT:
+		info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_OUT;
+		break;
+	}
+}
+
+static void addrtype_check(struct xt_fcheck_call *cb)
+{
+	if (!(cb->xflags & (F_SRC_TYPE | F_DST_TYPE)))
+		xtables_error(PARAMETER_PROBLEM,
+			   "addrtype: you must specify --src-type or --dst-type");
+}
+
+static void print_types(uint16_t mask)
+{
+	const char *sep = "";
+	int i;
+
+	for (i = 0; rtn_names[i]; i++)
+		if (mask & (1 << i)) {
+			printf("%s%s", sep, rtn_names[i]);
+			sep = ",";
+		}
+}
+
+static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match,
+                              int numeric)
+{
+	const struct ipt_addrtype_info *info = 
+		(struct ipt_addrtype_info *) match->data;
+
+	printf(" ADDRTYPE match");
+	if (info->source) {
+		printf(" src-type ");
+		if (info->invert_source)
+			printf("!");
+		print_types(info->source);
+	}
+	if (info->dest) {
+		printf(" dst-type");
+		if (info->invert_dest)
+			printf("!");
+		print_types(info->dest);
+	}
+}
+
+static void addrtype_print_v1(const void *ip, const struct xt_entry_match *match,
+                              int numeric)
+{
+	const struct ipt_addrtype_info_v1 *info = 
+		(struct ipt_addrtype_info_v1 *) match->data;
+
+	printf(" ADDRTYPE match");
+	if (info->source) {
+		printf(" src-type ");
+		if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+			printf("!");
+		print_types(info->source);
+	}
+	if (info->dest) {
+		printf(" dst-type ");
+		if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+			printf("!");
+		print_types(info->dest);
+	}
+	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+		printf(" limit-in");
+	}
+	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+		printf(" limit-out");
+	}
+}
+
+static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+	const struct ipt_addrtype_info *info =
+		(struct ipt_addrtype_info *) match->data;
+
+	if (info->source) {
+		if (info->invert_source)
+			printf(" !");
+		printf(" --src-type ");
+		print_types(info->source);
+	}
+	if (info->dest) {
+		if (info->invert_dest)
+			printf(" !");
+		printf(" --dst-type ");
+		print_types(info->dest);
+	}
+}
+
+static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match)
+{
+	const struct ipt_addrtype_info_v1 *info =
+		(struct ipt_addrtype_info_v1 *) match->data;
+
+	if (info->source) {
+		if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+			printf(" !");
+		printf(" --src-type ");
+		print_types(info->source);
+	}
+	if (info->dest) {
+		if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+			printf(" !");
+		printf(" --dst-type ");
+		print_types(info->dest);
+	}
+	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+		printf(" --limit-iface-in");
+	}
+	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+		printf(" --limit-iface-out");
+	}
+}
+
+static const struct xt_option_entry addrtype_opts_v0[] = {
+	{.name = "src-type", .id = O_SRC_TYPE, .type = XTTYPE_STRING,
+	 .flags = XTOPT_INVERT},
+	{.name = "dst-type", .id = O_DST_TYPE, .type = XTTYPE_STRING,
+	 .flags = XTOPT_INVERT},
+	XTOPT_TABLEEND,
+};
+
+static const struct xt_option_entry addrtype_opts_v1[] = {
+	{.name = "src-type", .id = O_SRC_TYPE, .type = XTTYPE_STRING,
+	 .flags = XTOPT_INVERT},
+	{.name = "dst-type", .id = O_DST_TYPE, .type = XTTYPE_STRING,
+	 .flags = XTOPT_INVERT},
+	{.name = "limit-iface-in", .id = O_LIMIT_IFACE_IN,
+	 .type = XTTYPE_NONE, .excl = F_LIMIT_IFACE_OUT},
+	{.name = "limit-iface-out", .id = O_LIMIT_IFACE_OUT,
+	 .type = XTTYPE_NONE, .excl = F_LIMIT_IFACE_IN},
+	XTOPT_TABLEEND,
+};
+
+static struct xtables_match addrtype_mt_reg[] = {
+	{
+		.name          = "addrtype",
+		.version       = XTABLES_VERSION,
+		.family        = NFPROTO_IPV4,
+		.size          = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
+		.userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
+		.help          = addrtype_help_v0,
+		.print         = addrtype_print_v0,
+		.save          = addrtype_save_v0,
+		.x6_parse      = addrtype_parse_v0,
+		.x6_fcheck     = addrtype_check,
+		.x6_options    = addrtype_opts_v0,
+	},
+	{
+		.name          = "addrtype",
+		.revision      = 1,
+		.version       = XTABLES_VERSION,
+		.family        = NFPROTO_IPV4,
+		.size          = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
+		.userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
+		.help          = addrtype_help_v1,
+		.print         = addrtype_print_v1,
+		.save          = addrtype_save_v1,
+		.x6_parse      = addrtype_parse_v1,
+		.x6_fcheck     = addrtype_check,
+		.x6_options    = addrtype_opts_v1,
+	},
+};
+
+
+void _init(void) 
+{
+	xtables_register_matches(addrtype_mt_reg, ARRAY_SIZE(addrtype_mt_reg));
+}
diff --git a/extensions/libxt_addrtype.man b/extensions/libxt_addrtype.man
new file mode 100644
index 0000000..16fd9df
--- /dev/null
+++ b/extensions/libxt_addrtype.man
@@ -0,0 +1,69 @@
+This module matches packets based on their 
+.B address type.
+Address types are used within the kernel networking stack and categorize
+addresses into various groups.  The exact definition of that group depends on the specific layer three protocol.
+.PP
+The following address types are possible:
+.TP
+.BI "UNSPEC"
+an unspecified address (i.e. 0.0.0.0)
+.TP
+.BI "UNICAST"
+an unicast address
+.TP
+.BI "LOCAL"
+a local address
+.TP
+.BI "BROADCAST"
+a broadcast address
+.TP
+.BI "ANYCAST"
+an anycast packet
+.TP
+.BI "MULTICAST"
+a multicast address
+.TP
+.BI "BLACKHOLE"
+a blackhole address
+.TP
+.BI "UNREACHABLE"
+an unreachable address
+.TP
+.BI "PROHIBIT"
+a prohibited address
+.TP
+.BI "THROW"
+FIXME
+.TP
+.BI "NAT"
+FIXME
+.TP
+.BI "XRESOLVE"
+.TP
+[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP
+Matches if the source address is of given type
+.TP
+[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP
+Matches if the destination address is of given type
+.TP
+.BI "\-\-limit\-iface\-in"
+The address type checking can be limited to the interface the packet is coming
+in. This option is only valid in the
+.BR PREROUTING ,
+.B INPUT
+and
+.B FORWARD
+chains. It cannot be specified with the
+\fB\-\-limit\-iface\-out\fP
+option.
+.TP
+\fB\-\-limit\-iface\-out\fP
+The address type checking can be limited to the interface the packet is going
+out. This option is only valid in the
+.BR POSTROUTING ,
+.B OUTPUT
+and
+.B FORWARD
+chains. It cannot be specified with the
+\fB\-\-limit\-iface\-in\fP
+option.
-- 
1.7.3.4



* [PATCH 2/3] libxt_addrtype: add support for revision 1
@ 2011-09-05 18:24 ` Jan Engelhardt
From: Jan Engelhardt @ 2011-09-05 18:24 UTC (permalink / raw)
  To: netfilter-devel

Rev 1 was added to the kernel in commit v2.6.39-rc1~468^2~10^2~1 but
there was no corresponding iptables patch so far.

Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_addrtype.c           |   56 ++++++++++++++-------------------
 include/linux/netfilter/xt_addrtype.h |   44 ++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 32 deletions(-)
 create mode 100644 include/linux/netfilter/xt_addrtype.h

diff --git a/extensions/libxt_addrtype.c b/extensions/libxt_addrtype.c
index 3dec626..59072b3 100644
--- a/extensions/libxt_addrtype.c
+++ b/extensions/libxt_addrtype.c
@@ -4,7 +4,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <xtables.h>
-#include <linux/netfilter_ipv4/ipt_addrtype.h>
+#include <linux/netfilter/xt_addrtype.h>
 
 enum {
 	O_SRC_TYPE = 0,
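Review bot: The `+` include line brings XT_ADDRTYPE_UNSPEC … XT_ADDRTYPE_XRESOLVE into scope, but rtn_names[], parse_type() and print_types() (all outside this hunk) still derive each bit from the table's array index with `*mask |= (1 << i)` and `mask & (1 << i)`, so the only thing keeping userspace and kernel in agreement is the "must match order of enumeration" comment on the table and the "but shifted" comment in the header. A name/flag table makes the kernel header the single source of truth: a renamed or dropped constant then fails to compile instead of silently encoding a different address class in the rule, and print_types() can no longer print a name for a bit the kernel does not define. The table and the two loops would become the following; addrtype_help_types() only changes to print `rtn_names[i].name`.

```c
/* from linux/rtnetlink.h: the name plus the XT_ADDRTYPE_* bit the kernel expects */
static const struct {
	const char *name;
	uint16_t flag;
} rtn_names[] = {
	{"UNSPEC",      XT_ADDRTYPE_UNSPEC},
	{"UNICAST",     XT_ADDRTYPE_UNICAST},
	{"LOCAL",       XT_ADDRTYPE_LOCAL},
	{"BROADCAST",   XT_ADDRTYPE_BROADCAST},
	{"ANYCAST",     XT_ADDRTYPE_ANYCAST},
	{"MULTICAST",   XT_ADDRTYPE_MULTICAST},
	{"BLACKHOLE",   XT_ADDRTYPE_BLACKHOLE},
	{"UNREACHABLE", XT_ADDRTYPE_UNREACHABLE},
	{"PROHIBIT",    XT_ADDRTYPE_PROHIBIT},
	{"THROW",       XT_ADDRTYPE_THROW},
	{"NAT",         XT_ADDRTYPE_NAT},
	{"XRESOLVE",    XT_ADDRTYPE_XRESOLVE},
	{NULL,          0},
};

/* … unchanged: addrtype_help_types(), printing rtn_names[i].name … */

/* in parse_type(): */
	for (i = 0; rtn_names[i].name; i++)
		if (strncasecmp(name, rtn_names[i].name, len) == 0) {
			*mask |= rtn_names[i].flag;
			return 1;
		}

/* in print_types(): */
	for (i = 0; rtn_names[i].name; i++)
		if (mask & rtn_names[i].flag) {
			printf("%s%s", sep, rtn_names[i].name);
			sep = ",";
		}
```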
@@ -98,7 +98,7 @@ static void parse_types(const char *arg, uint16_t *mask)
 	
 static void addrtype_parse_v0(struct xt_option_call *cb)
 {
-	struct ipt_addrtype_info *info = cb->data;
+	struct xt_addrtype_info *info = cb->data;
 
 	xtables_option_parse(cb);
 	switch (cb->entry->id) {
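Review bot: parse_type(), reached through the parse_types() call whose tail is this hunk's leading context, accepts any case-insensitive prefix of a type name because `strncasecmp(name, rtn_names[i], len)` is bounded only by the length of the user's token: `--src-type UN` silently becomes UNSPEC and `--dst-type B` becomes BROADCAST (the first prefix match wins), so a mistyped firewall rule matches a different address class than its author intended instead of being rejected with "bad type". Requiring the lengths to agree as well closes this: `if (strlen(rtn_names[i]) == len && strncasecmp(name, rtn_names[i], len) == 0) {`. parse_type() itself lies entirely outside this hunk, and addrtype_parse_v0's body continues past the hunk's last line.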
@@ -117,25 +117,25 @@ static void addrtype_parse_v0(struct xt_option_call *cb)
 
 static void addrtype_parse_v1(struct xt_option_call *cb)
 {
-	struct ipt_addrtype_info_v1 *info = cb->data;
+	struct xt_addrtype_info_v1 *info = cb->data;
 
 	xtables_option_parse(cb);
 	switch (cb->entry->id) {
 	case O_SRC_TYPE:
 		parse_types(cb->arg, &info->source);
 		if (cb->invert)
-			info->flags |= IPT_ADDRTYPE_INVERT_SOURCE;
+			info->flags |= XT_ADDRTYPE_INVERT_SOURCE;
 		break;
 	case O_DST_TYPE:
 		parse_types(cb->arg, &info->dest);
 		if (cb->invert)
-			info->flags |= IPT_ADDRTYPE_INVERT_DEST;
+			info->flags |= XT_ADDRTYPE_INVERT_DEST;
 		break;
 	case O_LIMIT_IFACE_IN:
-		info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_IN;
+		info->flags |= XT_ADDRTYPE_LIMIT_IFACE_IN;
 		break;
 	case O_LIMIT_IFACE_OUT:
-		info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_OUT;
+		info->flags |= XT_ADDRTYPE_LIMIT_IFACE_OUT;
 		break;
 	}
 }
@@ -162,8 +162,7 @@ static void print_types(uint16_t mask)
 static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match,
                               int numeric)
 {
-	const struct ipt_addrtype_info *info = 
-		(struct ipt_addrtype_info *) match->data;
+	const struct xt_addrtype_info *info = (const void *)match->data;
 
 	printf(" ADDRTYPE match");
 	if (info->source) {
@@ -183,34 +182,30 @@ static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match
 static void addrtype_print_v1(const void *ip, const struct xt_entry_match *match,
                               int numeric)
 {
-	const struct ipt_addrtype_info_v1 *info = 
-		(struct ipt_addrtype_info_v1 *) match->data;
+	const struct xt_addrtype_info_v1 *info = (const void *)match->data;
 
 	printf(" ADDRTYPE match");
 	if (info->source) {
 		printf(" src-type ");
-		if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+		if (info->flags & XT_ADDRTYPE_INVERT_SOURCE)
 			printf("!");
 		print_types(info->source);
 	}
 	if (info->dest) {
 		printf(" dst-type ");
-		if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+		if (info->flags & XT_ADDRTYPE_INVERT_DEST)
 			printf("!");
 		print_types(info->dest);
 	}
-	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+	if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
 		printf(" limit-in");
-	}
-	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+	if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
 		printf(" limit-out");
-	}
 }
 
 static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match)
 {
-	const struct ipt_addrtype_info *info =
-		(struct ipt_addrtype_info *) match->data;
+	const struct xt_addrtype_info *info = (const void *)match->data;
 
 	if (info->source) {
 		if (info->invert_source)
@@ -228,27 +223,24 @@ static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match)
 
 static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match)
 {
-	const struct ipt_addrtype_info_v1 *info =
-		(struct ipt_addrtype_info_v1 *) match->data;
+	const struct xt_addrtype_info_v1 *info = (const void *)match->data;
 
 	if (info->source) {
-		if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+		if (info->flags & XT_ADDRTYPE_INVERT_SOURCE)
 			printf(" !");
 		printf(" --src-type ");
 		print_types(info->source);
 	}
 	if (info->dest) {
-		if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+		if (info->flags & XT_ADDRTYPE_INVERT_DEST)
 			printf(" !");
 		printf(" --dst-type ");
 		print_types(info->dest);
 	}
-	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+	if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
 		printf(" --limit-iface-in");
-	}
-	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+	if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
 		printf(" --limit-iface-out");
-	}
 }
 
 static const struct xt_option_entry addrtype_opts_v0[] = {
@@ -276,8 +268,8 @@ static struct xtables_match addrtype_mt_reg[] = {
 		.name          = "addrtype",
 		.version       = XTABLES_VERSION,
 		.family        = NFPROTO_IPV4,
-		.size          = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
-		.userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
+		.size          = XT_ALIGN(sizeof(struct xt_addrtype_info)),
+		.userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info)),
 		.help          = addrtype_help_v0,
 		.print         = addrtype_print_v0,
 		.save          = addrtype_save_v0,
@@ -289,9 +281,9 @@ static struct xtables_match addrtype_mt_reg[] = {
 		.name          = "addrtype",
 		.revision      = 1,
 		.version       = XTABLES_VERSION,
-		.family        = NFPROTO_IPV4,
-		.size          = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
-		.userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
+		.family        = NFPROTO_UNSPEC,
+		.size          = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)),
+		.userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)),
 		.help          = addrtype_help_v1,
 		.print         = addrtype_print_v1,
 		.save          = addrtype_save_v1,
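Review bot: Changing revision 1 to `.family = NFPROTO_UNSPEC` makes the match loadable from ip6tables, but nothing in the series tells IPv6 users what that implies: the man page added in 1/3 still defines UNSPEC as "an unspecified address (i.e. 0.0.0.0)", and because revision 0 stays NFPROTO_IPV4, an ip6tables user on a kernel without revision 1 (pre-2.6.39 per the commit message) gets no fallback where iptables still has one. I would add a paragraph to libxt_addrtype.man stating that IPv6 support and the `--limit-iface-in`/`--limit-iface-out` options require revision 1 and hence a kernel of at least 2.6.39, and that for IPv6 the unspecified address is `::`. While touching this entry, the revision-1 help text it registers describes `--limit-iface-out` as "Match only on the packet's incoming device", a copy of the `--limit-iface-in` line; it should read `"     --limit-iface-out          Match only on the packet's outgoing device\n"`. addrtype_mt_reg[] ends outside this hunk.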
diff --git a/include/linux/netfilter/xt_addrtype.h b/include/linux/netfilter/xt_addrtype.h
new file mode 100644
index 0000000..b156baa
--- /dev/null
+++ b/include/linux/netfilter/xt_addrtype.h
@@ -0,0 +1,44 @@
+#ifndef _XT_ADDRTYPE_H
+#define _XT_ADDRTYPE_H
+
+#include <linux/types.h>
+
+enum {
+	XT_ADDRTYPE_INVERT_SOURCE	= 0x0001,
+	XT_ADDRTYPE_INVERT_DEST		= 0x0002,
+	XT_ADDRTYPE_LIMIT_IFACE_IN	= 0x0004,
+	XT_ADDRTYPE_LIMIT_IFACE_OUT	= 0x0008,
+};
+
+
+/* rtn_type enum values from rtnetlink.h, but shifted */
+enum {
+	XT_ADDRTYPE_UNSPEC = 1 << 0,
+	XT_ADDRTYPE_UNICAST = 1 << 1,	/* 1 << RTN_UNICAST */
+	XT_ADDRTYPE_LOCAL  = 1 << 2,	/* 1 << RTN_LOCAL, etc */
+	XT_ADDRTYPE_BROADCAST = 1 << 3,
+	XT_ADDRTYPE_ANYCAST = 1 << 4,
+	XT_ADDRTYPE_MULTICAST = 1 << 5,
+	XT_ADDRTYPE_BLACKHOLE = 1 << 6,
+	XT_ADDRTYPE_UNREACHABLE = 1 << 7,
+	XT_ADDRTYPE_PROHIBIT = 1 << 8,
+	XT_ADDRTYPE_THROW = 1 << 9,
+	XT_ADDRTYPE_NAT = 1 << 10,
+	XT_ADDRTYPE_XRESOLVE = 1 << 11,
+};
+
+struct xt_addrtype_info_v1 {
+	__u16	source;		/* source-type mask */
+	__u16	dest;		/* dest-type mask */
+	__u32	flags;
+};
+
+/* revision 0 */
+struct xt_addrtype_info {
+	__u16	source;		/* source-type mask */
+	__u16	dest;		/* dest-type mask */
+	__u32	invert_source;
+	__u32	invert_dest;
+};
+
+#endif
-- 
1.7.3.4



* [PATCH 3/3] include: refresh include files from kernel 3.1-rc3
From: Jan Engelhardt @ 2011-09-05 18:24 UTC (permalink / raw)
  To: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 include/linux/kernel.h                             |   33 ---
 include/linux/netfilter.h                          |   18 ++-
 include/linux/netfilter/ipset/ip_set.h             |  225 ++++++++++++++++++++
 include/linux/netfilter/nf_conntrack_common.h      |   14 ++
 .../linux/netfilter/nf_conntrack_tuple_common.h    |    3 +-
 include/linux/netfilter/x_tables.h                 |    5 +
 include/linux/netfilter/xt_CT.h                    |    2 +
 include/linux/netfilter/xt_TCPOPTSTRIP.h           |    2 +
 include/linux/netfilter/xt_TPROXY.h                |    2 +
 include/linux/netfilter/xt_cluster.h               |    2 +
 include/linux/netfilter/xt_connbytes.h             |    4 +-
 include/linux/netfilter/xt_connlimit.h             |    2 +
 include/linux/netfilter/xt_physdev.h               |    3 -
 include/linux/netfilter/xt_policy.h                |   11 -
 include/linux/netfilter/xt_quota.h                 |    4 +-
 include/linux/netfilter/xt_sctp.h                  |    4 +-
 include/linux/netfilter/xt_set.h                   |   81 +------
 include/linux/netfilter/xt_socket.h                |    2 +
 include/linux/netfilter/xt_time.h                  |    2 +
 include/linux/netfilter/xt_u32.h                   |    2 +
 include/linux/netfilter_ipv4/ip_tables.h           |   82 ++++----
 include/linux/netfilter_ipv4/ipt_CLUSTERIP.h       |   16 +-
 include/linux/netfilter_ipv4/ipt_ECN.h             |    8 +-
 include/linux/netfilter_ipv4/ipt_SAME.h            |    8 +-
 include/linux/netfilter_ipv4/ipt_TTL.h             |    6 +-
 include/linux/netfilter_ipv4/ipt_addrtype.h        |   16 +-
 include/linux/netfilter_ipv4/ipt_ah.h              |    6 +-
 include/linux/netfilter_ipv4/ipt_ecn.h             |   10 +-
 include/linux/netfilter_ipv4/ipt_ttl.h             |    6 +-
 include/linux/netfilter_ipv6/ip6_tables.h          |  100 ++++------
 include/linux/netfilter_ipv6/ip6t_HL.h             |    6 +-
 include/linux/netfilter_ipv6/ip6t_REJECT.h         |    4 +-
 include/linux/netfilter_ipv6/ip6t_ah.h             |   10 +-
 include/linux/netfilter_ipv6/ip6t_frag.h           |   10 +-
 include/linux/netfilter_ipv6/ip6t_hl.h             |    6 +-
 include/linux/netfilter_ipv6/ip6t_ipv6header.h     |    8 +-
 include/linux/netfilter_ipv6/ip6t_mh.h             |    6 +-
 include/linux/netfilter_ipv6/ip6t_opts.h           |   12 +-
 include/linux/netfilter_ipv6/ip6t_rt.h             |   13 +-
 include/linux/types.h                              |   13 ++
 40 files changed, 475 insertions(+), 292 deletions(-)
 create mode 100644 include/linux/netfilter/ipset/ip_set.h

diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index d1671a0..d4c59f6 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -8,7 +8,6 @@
 #define __ALIGN_KERNEL_MASK(x, mask)	(((x) + (mask)) & ~(mask))
 
 
-
 #define SI_LOAD_SHIFT	16
 struct sysinfo {
 	long uptime;			/* Seconds since boot */
@@ -27,36 +26,4 @@ struct sysinfo {
 	char _f[20-2*sizeof(long)-sizeof(int)];	/* Padding: libc5 uses this.. */
 };
 
-/* Force a compilation error if condition is true */
-#define BUILD_BUG_ON(condition) ((void)BUILD_BUG_ON_ZERO(condition))
-
-/* Force a compilation error if condition is constant and true */
-#define MAYBE_BUILD_BUG_ON(cond) ((void)sizeof(char[1 - 2 * !!(cond)]))
-
-/* Force a compilation error if a constant expression is not a power of 2 */
-#define BUILD_BUG_ON_NOT_POWER_OF_2(n)			\
-	BUILD_BUG_ON((n) == 0 || (((n) & ((n) - 1)) != 0))
-
-/* Force a compilation error if condition is true, but also produce a
-   result (of value 0 and type size_t), so the expression can be used
-   e.g. in a structure initializer (or where-ever else comma expressions
-   aren't permitted). */
-#define BUILD_BUG_ON_ZERO(e) (sizeof(struct { int:-!!(e); }))
-#define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:-!!(e); }))
-
-/* Trap pasters of __FUNCTION__ at compile-time */
-#define __FUNCTION__ (__func__)
-
-/* This helps us to avoid #ifdef CONFIG_NUMA */
-#ifdef CONFIG_NUMA
-#define NUMA_BUILD 1
-#else
-#define NUMA_BUILD 0
-#endif
-
-/* Rebuild everything on CONFIG_FTRACE_MCOUNT_RECORD */
-#ifdef CONFIG_FTRACE_MCOUNT_RECORD
-# define REBUILD_DUE_TO_FTRACE_MCOUNT_RECORD
-#endif
-
 #endif
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 2eb00b6..5477131 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -3,6 +3,7 @@
 
 #include <linux/types.h>
 
+#include <linux/sysctl.h>
 
 /* Responses from hook functions. */
 #define NF_DROP 0
@@ -14,14 +15,20 @@
 #define NF_MAX_VERDICT NF_STOP
 
 /* we overload the higher bits for encoding auxiliary data such as the queue
- * number. Not nice, but better than additional function arguments. */
-#define NF_VERDICT_MASK 0x0000ffff
-#define NF_VERDICT_BITS 16
+ * number or errno values. Not nice, but better than additional function
+ * arguments. */
+#define NF_VERDICT_MASK 0x000000ff
+
+/* extra verdict flags have mask 0x0000ff00 */
+#define NF_VERDICT_FLAG_QUEUE_BYPASS	0x00008000
 
+/* queue number (NF_QUEUE) or errno (NF_DROP) */
 #define NF_VERDICT_QMASK 0xffff0000
 #define NF_VERDICT_QBITS 16
 
-#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE)
+#define NF_QUEUE_NR(x) ((((x) << 16) & NF_VERDICT_QMASK) | NF_QUEUE)
+
+#define NF_DROP_ERR(x) (((-x) << 16) | NF_DROP)
 
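Review bot: `NF_VERDICT_MASK` narrows from `0x0000ffff` to `0x000000ff` while `NF_VERDICT_BITS` is kept at 16 in the next hunk of this file, so any code in this tree that masks a verdict with NF_VERDICT_MASK before comparing it to NF_DROP or NF_QUEUE now discards bits 8–15, where the new `NF_VERDICT_FLAG_QUEUE_BYPASS` lives; such callers should be checked against the new split when this header is refreshed. The new `NF_DROP_ERR(x)` expands to `(-x) << 16`, a left shift of a negative value, which is undefined behaviour in ISO C that the kernel's own build flags tolerate but a userspace consumer of this copied header should not rely on; `x` is also not parenthesised. Both are upstream definitions, so the action is auditing users of these macros rather than editing the local copy.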
 /* only for userspace compatibility */
 /* Generic cache responses from hook functions.
@@ -29,6 +36,9 @@
 #define NFC_UNKNOWN 0x4000
 #define NFC_ALTERED 0x8000
 
+/* NF_VERDICT_BITS should be 8 now, but userspace might break if this changes */
+#define NF_VERDICT_BITS 16
+
 enum nf_inet_hooks {
 	NF_INET_PRE_ROUTING,
 	NF_INET_LOCAL_IN,
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
new file mode 100644
index 0000000..79cb077
--- /dev/null
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -0,0 +1,225 @@
+#ifndef _IP_SET_H
+#define _IP_SET_H
+
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/types.h>
+
+/* The protocol version */
+#define IPSET_PROTOCOL		6
+
+/* The max length of strings including NUL: set and type identifiers */
+#define IPSET_MAXNAMELEN	32
+
+/* Message types and commands */
+enum ipset_cmd {
+	IPSET_CMD_NONE,
+	IPSET_CMD_PROTOCOL,	/* 1: Return protocol version */
+	IPSET_CMD_CREATE,	/* 2: Create a new (empty) set */
+	IPSET_CMD_DESTROY,	/* 3: Destroy a (empty) set */
+	IPSET_CMD_FLUSH,	/* 4: Remove all elements from a set */
+	IPSET_CMD_RENAME,	/* 5: Rename a set */
+	IPSET_CMD_SWAP,		/* 6: Swap two sets */
+	IPSET_CMD_LIST,		/* 7: List sets */
+	IPSET_CMD_SAVE,		/* 8: Save sets */
+	IPSET_CMD_ADD,		/* 9: Add an element to a set */
+	IPSET_CMD_DEL,		/* 10: Delete an element from a set */
+	IPSET_CMD_TEST,		/* 11: Test an element in a set */
+	IPSET_CMD_HEADER,	/* 12: Get set header data only */
+	IPSET_CMD_TYPE,		/* 13: Get set type */
+	IPSET_MSG_MAX,		/* Netlink message commands */
+
+	/* Commands in userspace: */
+	IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
+	IPSET_CMD_HELP,		/* 15: Get help */
+	IPSET_CMD_VERSION,	/* 16: Get program version */
+	IPSET_CMD_QUIT,		/* 17: Quit from interactive mode */
+
+	IPSET_CMD_MAX,
+
+	IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
+};
+
+/* Attributes at command level */
+enum {
+	IPSET_ATTR_UNSPEC,
+	IPSET_ATTR_PROTOCOL,	/* 1: Protocol version */
+	IPSET_ATTR_SETNAME,	/* 2: Name of the set */
+	IPSET_ATTR_TYPENAME,	/* 3: Typename */
+	IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
+	IPSET_ATTR_REVISION,	/* 4: Settype revision */
+	IPSET_ATTR_FAMILY,	/* 5: Settype family */
+	IPSET_ATTR_FLAGS,	/* 6: Flags at command level */
+	IPSET_ATTR_DATA,	/* 7: Nested attributes */
+	IPSET_ATTR_ADT,		/* 8: Multiple data containers */
+	IPSET_ATTR_LINENO,	/* 9: Restore lineno */
+	IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
+	IPSET_ATTR_REVISION_MIN	= IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
+	__IPSET_ATTR_CMD_MAX,
+};
+#define IPSET_ATTR_CMD_MAX	(__IPSET_ATTR_CMD_MAX - 1)
+
+/* CADT specific attributes */
+enum {
+	IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
+	IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
+	IPSET_ATTR_IP_TO,	/* 2 */
+	IPSET_ATTR_CIDR,	/* 3 */
+	IPSET_ATTR_PORT,	/* 4 */
+	IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
+	IPSET_ATTR_PORT_TO,	/* 5 */
+	IPSET_ATTR_TIMEOUT,	/* 6 */
+	IPSET_ATTR_PROTO,	/* 7 */
+	IPSET_ATTR_CADT_FLAGS,	/* 8 */
+	IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO,	/* 9 */
+	/* Reserve empty slots */
+	IPSET_ATTR_CADT_MAX = 16,
+	/* Create-only specific attributes */
+	IPSET_ATTR_GC,
+	IPSET_ATTR_HASHSIZE,
+	IPSET_ATTR_MAXELEM,
+	IPSET_ATTR_NETMASK,
+	IPSET_ATTR_PROBES,
+	IPSET_ATTR_RESIZE,
+	IPSET_ATTR_SIZE,
+	/* Kernel-only */
+	IPSET_ATTR_ELEMENTS,
+	IPSET_ATTR_REFERENCES,
+	IPSET_ATTR_MEMSIZE,
+
+	__IPSET_ATTR_CREATE_MAX,
+};
+#define IPSET_ATTR_CREATE_MAX	(__IPSET_ATTR_CREATE_MAX - 1)
+
+/* ADT specific attributes */
+enum {
+	IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
+	IPSET_ATTR_NAME,
+	IPSET_ATTR_NAMEREF,
+	IPSET_ATTR_IP2,
+	IPSET_ATTR_CIDR2,
+	IPSET_ATTR_IP2_TO,
+	IPSET_ATTR_IFACE,
+	__IPSET_ATTR_ADT_MAX,
+};
+#define IPSET_ATTR_ADT_MAX	(__IPSET_ATTR_ADT_MAX - 1)
+
+/* IP specific attributes */
+enum {
+	IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
+	IPSET_ATTR_IPADDR_IPV6,
+	__IPSET_ATTR_IPADDR_MAX,
+};
+#define IPSET_ATTR_IPADDR_MAX	(__IPSET_ATTR_IPADDR_MAX - 1)
+
+/* Error codes */
+enum ipset_errno {
+	IPSET_ERR_PRIVATE = 4096,
+	IPSET_ERR_PROTOCOL,
+	IPSET_ERR_FIND_TYPE,
+	IPSET_ERR_MAX_SETS,
+	IPSET_ERR_BUSY,
+	IPSET_ERR_EXIST_SETNAME2,
+	IPSET_ERR_TYPE_MISMATCH,
+	IPSET_ERR_EXIST,
+	IPSET_ERR_INVALID_CIDR,
+	IPSET_ERR_INVALID_NETMASK,
+	IPSET_ERR_INVALID_FAMILY,
+	IPSET_ERR_TIMEOUT,
+	IPSET_ERR_REFERENCED,
+	IPSET_ERR_IPADDR_IPV4,
+	IPSET_ERR_IPADDR_IPV6,
+
+	/* Type specific error codes */
+	IPSET_ERR_TYPE_SPECIFIC = 4352,
+};
+
+/* Flags at command level */
+enum ipset_cmd_flags {
+	IPSET_FLAG_BIT_EXIST	= 0,
+	IPSET_FLAG_EXIST	= (1 << IPSET_FLAG_BIT_EXIST),
+	IPSET_FLAG_BIT_LIST_SETNAME = 1,
+	IPSET_FLAG_LIST_SETNAME	= (1 << IPSET_FLAG_BIT_LIST_SETNAME),
+	IPSET_FLAG_BIT_LIST_HEADER = 2,
+	IPSET_FLAG_LIST_HEADER	= (1 << IPSET_FLAG_BIT_LIST_HEADER),
+};
+
+/* Flags at CADT attribute level */
+enum ipset_cadt_flags {
+	IPSET_FLAG_BIT_BEFORE	= 0,
+	IPSET_FLAG_BEFORE	= (1 << IPSET_FLAG_BIT_BEFORE),
+	IPSET_FLAG_BIT_PHYSDEV	= 1,
+	IPSET_FLAG_PHYSDEV	= (1 << IPSET_FLAG_BIT_PHYSDEV),
+};
+
+/* Commands with settype-specific attributes */
+enum ipset_adt {
+	IPSET_ADD,
+	IPSET_DEL,
+	IPSET_TEST,
+	IPSET_ADT_MAX,
+	IPSET_CREATE = IPSET_ADT_MAX,
+	IPSET_CADT_MAX,
+};
+
+/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
+ * and IPSET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef __u16 ip_set_id_t;
+
+#define IPSET_INVALID_ID		65535
+
+enum ip_set_dim {
+	IPSET_DIM_ZERO = 0,
+	IPSET_DIM_ONE,
+	IPSET_DIM_TWO,
+	IPSET_DIM_THREE,
+	/* Max dimension in elements.
+	 * If changed, new revision of iptables match/target is required.
+	 */
+	IPSET_DIM_MAX = 6,
+};
+
+/* Option flags for kernel operations */
+enum ip_set_kopt {
+	IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
+	IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
+	IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
+	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+};
+
+
+/* Interface to iptables/ip6tables */
+
+#define SO_IP_SET		83
+
+union ip_set_name_index {
+	char name[IPSET_MAXNAMELEN];
+	ip_set_id_t index;
+};
+
+#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
+struct ip_set_req_get_set {
+	unsigned op;
+	unsigned version;
+	union ip_set_name_index set;
+};
+
+#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
+/* Uses ip_set_req_get_set */
+
+#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
+struct ip_set_req_version {
+	unsigned op;
+	unsigned version;
+};
+
+#endif /*_IP_SET_H */
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 34a7fc6..38aa52d 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -18,6 +18,9 @@ enum ip_conntrack_info {
 	/* >= this indicates reply direction */
 	IP_CT_IS_REPLY,
 
+	IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
+	IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
+	IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,	
 	/* Number of distinct IP_CT types (no NEW in reply dirn). */
 	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
 };
@@ -76,6 +79,10 @@ enum ip_conntrack_status {
 	/* Conntrack is a template */
 	IPS_TEMPLATE_BIT = 11,
 	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
+
+	/* Conntrack is a fake untracked entry */
+	IPS_UNTRACKED_BIT = 12,
+	IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
 };
 
 /* Connection tracking event types */
@@ -94,6 +101,13 @@ enum ip_conntrack_events {
 
 enum ip_conntrack_expect_events {
 	IPEXP_NEW,		/* new expectation */
+	IPEXP_DESTROY,		/* destroyed expectation */
 };
 
+/* expectation flags */
+#define NF_CT_EXPECT_PERMANENT		0x1
+#define NF_CT_EXPECT_INACTIVE		0x2
+#define NF_CT_EXPECT_USERSPACE		0x4
+
+
 #endif /* _NF_CONNTRACK_COMMON_H */
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h
index 8e145f0..2ea22b0 100644
--- a/include/linux/netfilter/nf_conntrack_tuple_common.h
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
@@ -1,8 +1,7 @@
 #ifndef _NF_CONNTRACK_TUPLE_COMMON_H
 #define _NF_CONNTRACK_TUPLE_COMMON_H
 
-enum ip_conntrack_dir
-{
+enum ip_conntrack_dir {
 	IP_CT_DIR_ORIGINAL,
 	IP_CT_DIR_REPLY,
 	IP_CT_DIR_MAX
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index fa2d957..4120970 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -66,6 +66,11 @@ struct xt_standard_target {
 	int verdict;
 };
 
+struct xt_error_target {
+	struct xt_entry_target target;
+	char errorname[XT_FUNCTION_MAXNAMELEN];
+};
+
 /* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
  * kernel supports, if >= revision. */
 struct xt_get_revision {
diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h
index fbf4c56..b56e768 100644
--- a/include/linux/netfilter/xt_CT.h
+++ b/include/linux/netfilter/xt_CT.h
@@ -1,6 +1,8 @@
 #ifndef _XT_CT_H
 #define _XT_CT_H
 
+#include <linux/types.h>
+
 #define XT_CT_NOTRACK	0x1
 
 struct xt_ct_target_info {
diff --git a/include/linux/netfilter/xt_TCPOPTSTRIP.h b/include/linux/netfilter/xt_TCPOPTSTRIP.h
index 342ef14..7157318 100644
--- a/include/linux/netfilter/xt_TCPOPTSTRIP.h
+++ b/include/linux/netfilter/xt_TCPOPTSTRIP.h
@@ -1,6 +1,8 @@
 #ifndef _XT_TCPOPTSTRIP_H
 #define _XT_TCPOPTSTRIP_H
 
+#include <linux/types.h>
+
 #define tcpoptstrip_set_bit(bmap, idx) \
 	(bmap[(idx) >> 5] |= 1U << (idx & 31))
 #define tcpoptstrip_test_bit(bmap, idx) \
diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h
index 8097e0b..902043c 100644
--- a/include/linux/netfilter/xt_TPROXY.h
+++ b/include/linux/netfilter/xt_TPROXY.h
@@ -1,6 +1,8 @@
 #ifndef _XT_TPROXY_H
 #define _XT_TPROXY_H
 
+#include <linux/types.h>
+
 /* TPROXY target is capable of marking the packet to perform
  * redirection. We can get rid of that whenever we get support for
  * mutliple targets in the same rule. */
diff --git a/include/linux/netfilter/xt_cluster.h b/include/linux/netfilter/xt_cluster.h
index 66cfa3c..9b883c8 100644
--- a/include/linux/netfilter/xt_cluster.h
+++ b/include/linux/netfilter/xt_cluster.h
@@ -1,6 +1,8 @@
 #ifndef _XT_CLUSTER_MATCH_H
 #define _XT_CLUSTER_MATCH_H
 
+#include <linux/types.h>
+
 enum xt_cluster_flags {
 	XT_CLUSTER_F_INV	= (1 << 0)
 };
diff --git a/include/linux/netfilter/xt_connbytes.h b/include/linux/netfilter/xt_connbytes.h
index 92fcbb0..f1d6c15 100644
--- a/include/linux/netfilter/xt_connbytes.h
+++ b/include/linux/netfilter/xt_connbytes.h
@@ -17,8 +17,8 @@ enum xt_connbytes_direction {
 
 struct xt_connbytes_info {
 	struct {
-		aligned_u64 from;	/* count to be matched */
-		aligned_u64 to;		/* count to be matched */
+		__aligned_u64 from;	/* count to be matched */
+		__aligned_u64 to;	/* count to be matched */
 	} count;
 	__u8 what;		/* ipt_connbytes_what */
 	__u8 direction;	/* ipt_connbytes_direction */
diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h
index ba774d3..f9e8c67 100644
--- a/include/linux/netfilter/xt_connlimit.h
+++ b/include/linux/netfilter/xt_connlimit.h
@@ -1,6 +1,8 @@
 #ifndef _XT_CONNLIMIT_H
 #define _XT_CONNLIMIT_H
 
+#include <linux/types.h>
+
 struct xt_connlimit_data;
 
 enum {
diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h
index 8555e39..7d53660 100644
--- a/include/linux/netfilter/xt_physdev.h
+++ b/include/linux/netfilter/xt_physdev.h
@@ -3,9 +3,6 @@
 
 #include <linux/types.h>
 
-#ifdef __KERNEL__
-#include <linux/if.h>
-#endif
 
 #define XT_PHYSDEV_OP_IN		0x01
 #define XT_PHYSDEV_OP_OUT		0x02
diff --git a/include/linux/netfilter/xt_policy.h b/include/linux/netfilter/xt_policy.h
index be8ead0..d246eac 100644
--- a/include/linux/netfilter/xt_policy.h
+++ b/include/linux/netfilter/xt_policy.h
@@ -26,30 +26,19 @@ struct xt_policy_spec {
 			reqid:1;
 };
 
-#ifndef __KERNEL__
 union xt_policy_addr {
 	struct in_addr	a4;
 	struct in6_addr	a6;
 };
-#endif
 
 struct xt_policy_elem {
 	union {
-#ifdef __KERNEL__
-		struct {
-			union nf_inet_addr saddr;
-			union nf_inet_addr smask;
-			union nf_inet_addr daddr;
-			union nf_inet_addr dmask;
-		};
-#else
 		struct {
 			union xt_policy_addr saddr;
 			union xt_policy_addr smask;
 			union xt_policy_addr daddr;
 			union xt_policy_addr dmask;
 		};
-#endif
 	};
 	__be32			spi;
 	__u32		reqid;
diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h
index 8bda65f..9314723 100644
--- a/include/linux/netfilter/xt_quota.h
+++ b/include/linux/netfilter/xt_quota.h
@@ -1,6 +1,8 @@
 #ifndef _XT_QUOTA_H
 #define _XT_QUOTA_H
 
+#include <linux/types.h>
+
 enum xt_quota_flags {
 	XT_QUOTA_INVERT		= 0x1,
 };
@@ -11,7 +13,7 @@ struct xt_quota_priv;
 struct xt_quota_info {
 	__u32 flags;
 	__u32 pad;
-	aligned_u64 quota;
+	__aligned_u64 quota;
 
 	/* Used internally by the kernel */
 	struct xt_quota_priv	*master;
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
index 29287be..a501e61 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/linux/netfilter/xt_sctp.h
@@ -66,7 +66,7 @@ struct xt_sctp_info {
 
 #define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
 	__sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap))
-static inline bool
+static __inline__ bool
 __sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n)
 {
 	unsigned int i;
@@ -78,7 +78,7 @@ __sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n)
 
 #define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
 	__sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
-static inline bool
+static __inline__ bool
 __sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n)
 {
 	unsigned int i;
diff --git a/include/linux/netfilter/xt_set.h b/include/linux/netfilter/xt_set.h
index 4379ce9..e3a9978 100644
--- a/include/linux/netfilter/xt_set.h
+++ b/include/linux/netfilter/xt_set.h
@@ -1,62 +1,8 @@
 #ifndef _XT_SET_H
 #define _XT_SET_H
 
-/* The protocol version */
-#define IPSET_PROTOCOL		5
-
-/* The max length of strings including NUL: set and type identifiers */
-#define IPSET_MAXNAMELEN	32
-
-/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
- * and IPSET_INVALID_ID if you want to increase the max number of sets.
- */
-typedef uint16_t ip_set_id_t;
-
-#define IPSET_INVALID_ID	65535
-
-enum ip_set_dim {
-	IPSET_DIM_ZERO = 0,
-	IPSET_DIM_ONE,
-	IPSET_DIM_TWO,
-	IPSET_DIM_THREE,
-	/* Max dimension in elements.
-	 * If changed, new revision of iptables match/target is required.
-	 */
-	IPSET_DIM_MAX = 6,
-};
-
-/* Option flags for kernel operations */
-enum ip_set_kopt {
-	IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
-	IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
-	IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
-	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
-};
-
-/* Interface to iptables/ip6tables */
-
-#define SO_IP_SET 		83
-
-union ip_set_name_index {
-	char name[IPSET_MAXNAMELEN];
-	ip_set_id_t index;
-};
-
-#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
-struct ip_set_req_get_set {
-	unsigned op;
-	unsigned version;
-	union ip_set_name_index set;
-};
-
-#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
-/* Uses ip_set_req_get_set */
-
-#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
-struct ip_set_req_version {
-	unsigned op;
-	unsigned version;
-};
+#include <linux/types.h>
+#include <linux/netfilter/ipset/ip_set.h>
 
 /* Revision 0 interface: backward compatible with netfilter/iptables */
 
@@ -70,11 +16,11 @@ struct ip_set_req_version {
 struct xt_set_info_v0 {
 	ip_set_id_t index;
 	union {
-		u_int32_t flags[IPSET_DIM_MAX + 1];
+		__u32 flags[IPSET_DIM_MAX + 1];
 		struct {
-			u_int32_t __flags[IPSET_DIM_MAX];
-			u_int8_t dim;
-			u_int8_t flags;
+			__u32 __flags[IPSET_DIM_MAX];
+			__u8 dim;
+			__u8 flags;
 		} compat;
 	} u;
 };
@@ -89,12 +35,12 @@ struct xt_set_info_target_v0 {
 	struct xt_set_info_v0 del_set;
 };
 
-/* Revision 1 match and target */
+/* Revision 1  match and target */
 
 struct xt_set_info {
 	ip_set_id_t index;
-	u_int8_t dim;
-	u_int8_t flags;
+	__u8 dim;
+	__u8 flags;
 };
 
 /* match and target infos */
@@ -109,16 +55,11 @@ struct xt_set_info_target_v1 {
 
 /* Revision 2 target */
 
-enum ipset_cmd_flags {
-	IPSET_FLAG_BIT_EXIST	= 0,
-	IPSET_FLAG_EXIST	= (1 << IPSET_FLAG_BIT_EXIST),
-};
-
 struct xt_set_info_target_v2 {
 	struct xt_set_info add_set;
 	struct xt_set_info del_set;
-	u_int32_t flags;
-	u_int32_t timeout;
+	__u32 flags;
+	__u32 timeout;
 };
 
 #endif /*_XT_SET_H*/
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
index 6f475b8..26d7217 100644
--- a/include/linux/netfilter/xt_socket.h
+++ b/include/linux/netfilter/xt_socket.h
@@ -1,6 +1,8 @@
 #ifndef _XT_SOCKET_H
 #define _XT_SOCKET_H
 
+#include <linux/types.h>
+
 enum {
 	XT_SOCKET_TRANSPARENT = 1 << 0,
 };
diff --git a/include/linux/netfilter/xt_time.h b/include/linux/netfilter/xt_time.h
index b8bd456..7c37fac 100644
--- a/include/linux/netfilter/xt_time.h
+++ b/include/linux/netfilter/xt_time.h
@@ -1,6 +1,8 @@
 #ifndef _XT_TIME_H
 #define _XT_TIME_H 1
 
+#include <linux/types.h>
+
 struct xt_time_info {
 	__u32 date_start;
 	__u32 date_stop;
diff --git a/include/linux/netfilter/xt_u32.h b/include/linux/netfilter/xt_u32.h
index e8c3d87..04d1bfe 100644
--- a/include/linux/netfilter/xt_u32.h
+++ b/include/linux/netfilter/xt_u32.h
@@ -1,6 +1,8 @@
 #ifndef _XT_U32_H
 #define _XT_U32_H 1
 
+#include <linux/types.h>
+
 enum xt_u32_ops {
 	XT_U32_AND,
 	XT_U32_LEFTSH,
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 735f4b1..57fd82a 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -27,6 +27,41 @@
 #define ipt_target xt_target
 #define ipt_table xt_table
 #define ipt_get_revision xt_get_revision
+#define ipt_entry_match xt_entry_match
+#define ipt_entry_target xt_entry_target
+#define ipt_standard_target xt_standard_target
+#define ipt_error_target xt_error_target
+#define ipt_counters xt_counters
+#define IPT_CONTINUE XT_CONTINUE
+#define IPT_RETURN XT_RETURN
+
+/* This group is older than old (iptables < v1.4.0-rc1~89) */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ipt_udp xt_udp
+#define ipt_tcp xt_tcp
+#define IPT_TCP_INV_SRCPT	XT_TCP_INV_SRCPT
+#define IPT_TCP_INV_DSTPT	XT_TCP_INV_DSTPT
+#define IPT_TCP_INV_FLAGS	XT_TCP_INV_FLAGS
+#define IPT_TCP_INV_OPTION	XT_TCP_INV_OPTION
+#define IPT_TCP_INV_MASK	XT_TCP_INV_MASK
+#define IPT_UDP_INV_SRCPT	XT_UDP_INV_SRCPT
+#define IPT_UDP_INV_DSTPT	XT_UDP_INV_DSTPT
+#define IPT_UDP_INV_MASK	XT_UDP_INV_MASK
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+#define ipt_counters_info xt_counters_info
+/* Standard return verdict, or do jump. */
+#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
+/* Error verdict. */
+#define IPT_ERROR_TARGET XT_ERROR_TARGET
+
+/* fn returns 0 to continue iteration */
+#define IPT_MATCH_ITERATE(e, fn, args...) \
+	XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
+
+/* fn returns 0 to continue iteration */
+#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
+	XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
 
 /* Yes, Virginia, you have to zero the padding. */
 struct ipt_ip {
@@ -46,12 +81,6 @@ struct ipt_ip {
 	u_int8_t invflags;
 };
 
-#define ipt_entry_match xt_entry_match
-#define ipt_entry_target xt_entry_target
-#define ipt_standard_target xt_standard_target
-
-#define ipt_counters xt_counters
-
 /* Values for "flag" field in struct ipt_ip (general ip structure). */
 #define IPT_F_FRAG		0x01	/* Set if rule is a fragment rule */
 #define IPT_F_GOTO		0x02	/* Set if jump is a goto */
@@ -110,23 +139,6 @@ struct ipt_entry {
 #define IPT_SO_GET_REVISION_TARGET	(IPT_BASE_CTL + 3)
 #define IPT_SO_GET_MAX			IPT_SO_GET_REVISION_TARGET
 
-#define IPT_CONTINUE XT_CONTINUE
-#define IPT_RETURN XT_RETURN
-
-#include <linux/netfilter/xt_tcpudp.h>
-#define ipt_udp xt_udp
-#define ipt_tcp xt_tcp
-
-#define IPT_TCP_INV_SRCPT	XT_TCP_INV_SRCPT
-#define IPT_TCP_INV_DSTPT	XT_TCP_INV_DSTPT
-#define IPT_TCP_INV_FLAGS	XT_TCP_INV_FLAGS
-#define IPT_TCP_INV_OPTION	XT_TCP_INV_OPTION
-#define IPT_TCP_INV_MASK	XT_TCP_INV_MASK
-
-#define IPT_UDP_INV_SRCPT	XT_UDP_INV_SRCPT
-#define IPT_UDP_INV_DSTPT	XT_UDP_INV_DSTPT
-#define IPT_UDP_INV_MASK	XT_UDP_INV_MASK
-
 /* ICMP matching stuff */
 struct ipt_icmp {
 	u_int8_t type;				/* type to match */
@@ -140,7 +152,7 @@ struct ipt_icmp {
 /* The argument to IPT_SO_GET_INFO */
 struct ipt_getinfo {
 	/* Which table: caller fills this in. */
-	char name[IPT_TABLE_MAXNAMELEN];
+	char name[XT_TABLE_MAXNAMELEN];
 
 	/* Kernel fills these in. */
 	/* Which hook entry points are valid: bitmask */
@@ -162,7 +174,7 @@ struct ipt_getinfo {
 /* The argument to IPT_SO_SET_REPLACE. */
 struct ipt_replace {
 	/* Which table. */
-	char name[IPT_TABLE_MAXNAMELEN];
+	char name[XT_TABLE_MAXNAMELEN];
 
 	/* Which hook entry points are valid: bitmask.  You can't
            change this. */
@@ -190,13 +202,10 @@ struct ipt_replace {
 	struct ipt_entry entries[0];
 };
 
-/* The argument to IPT_SO_ADD_COUNTERS. */
-#define ipt_counters_info xt_counters_info
-
 /* The argument to IPT_SO_GET_ENTRIES. */
 struct ipt_get_entries {
 	/* Which table: user fills this in. */
-	char name[IPT_TABLE_MAXNAMELEN];
+	char name[XT_TABLE_MAXNAMELEN];
 
 	/* User fills this in: total entry size. */
 	unsigned int size;
@@ -205,26 +214,13 @@ struct ipt_get_entries {
 	struct ipt_entry entrytable[0];
 };
 
-/* Standard return verdict, or do jump. */
-#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define IPT_ERROR_TARGET XT_ERROR_TARGET
-
 /* Helper functions */
-static __inline__ struct ipt_entry_target *
+static __inline__ struct xt_entry_target *
 ipt_get_target(struct ipt_entry *e)
 {
 	return (void *)e + e->target_offset;
 }
 
-/* fn returns 0 to continue iteration */
-#define IPT_MATCH_ITERATE(e, fn, args...) \
-	XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
-
-/* fn returns 0 to continue iteration */
-#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
-	XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
-
 /*
  *	Main firewall chains definitions and global var's definitions.
  */
diff --git a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
index e5a3687..c6a204c 100644
--- a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
+++ b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
@@ -1,6 +1,8 @@
 #ifndef _IPT_CLUSTERIP_H_target
 #define _IPT_CLUSTERIP_H_target
 
+#include <linux/types.h>
+
 enum clusterip_hashmode {
     CLUSTERIP_HASHMODE_SIP = 0,
     CLUSTERIP_HASHMODE_SIP_SPT,
@@ -17,15 +19,15 @@ struct clusterip_config;
 
 struct ipt_clusterip_tgt_info {
 
-	u_int32_t flags;
+	__u32 flags;
 
 	/* only relevant for new ones */
-	u_int8_t clustermac[6];
-	u_int16_t num_total_nodes;
-	u_int16_t num_local_nodes;
-	u_int16_t local_nodes[CLUSTERIP_MAX_NODES];
-	u_int32_t hash_mode;
-	u_int32_t hash_initval;
+	__u8 clustermac[6];
+	__u16 num_total_nodes;
+	__u16 num_local_nodes;
+	__u16 local_nodes[CLUSTERIP_MAX_NODES];
+	__u32 hash_mode;
+	__u32 hash_initval;
 
 	/* Used internally by the kernel */
 	struct clusterip_config *config;
diff --git a/include/linux/netfilter_ipv4/ipt_ECN.h b/include/linux/netfilter_ipv4/ipt_ECN.h
index 7ca4591..bb88d53 100644
--- a/include/linux/netfilter_ipv4/ipt_ECN.h
+++ b/include/linux/netfilter_ipv4/ipt_ECN.h
@@ -8,6 +8,8 @@
 */
 #ifndef _IPT_ECN_TARGET_H
 #define _IPT_ECN_TARGET_H
+
+#include <linux/types.h>
 #include <linux/netfilter/xt_DSCP.h>
 
 #define IPT_ECN_IP_MASK	(~XT_DSCP_MASK)
@@ -19,11 +21,11 @@
 #define IPT_ECN_OP_MASK		0xce
 
 struct ipt_ECN_info {
-	u_int8_t operation;	/* bitset of operations */
-	u_int8_t ip_ect;	/* ECT codepoint of IPv4 header, pre-shifted */
+	__u8 operation;	/* bitset of operations */
+	__u8 ip_ect;	/* ECT codepoint of IPv4 header, pre-shifted */
 	union {
 		struct {
-			u_int8_t ece:1, cwr:1; /* TCP ECT bits */
+			__u8 ece:1, cwr:1; /* TCP ECT bits */
 		} tcp;
 	} proto;
 };
diff --git a/include/linux/netfilter_ipv4/ipt_SAME.h b/include/linux/netfilter_ipv4/ipt_SAME.h
index 2529660..5bca782 100644
--- a/include/linux/netfilter_ipv4/ipt_SAME.h
+++ b/include/linux/netfilter_ipv4/ipt_SAME.h
@@ -1,15 +1,17 @@
 #ifndef _IPT_SAME_H
 #define _IPT_SAME_H
 
+#include <linux/types.h>
+
 #define IPT_SAME_MAX_RANGE	10
 
 #define IPT_SAME_NODST		0x01
 
 struct ipt_same_info {
 	unsigned char info;
-	u_int32_t rangesize;
-	u_int32_t ipnum;
-	u_int32_t *iparray;
+	__u32 rangesize;
+	__u32 ipnum;
+	__u32 *iparray;
 
 	/* hangs off end. */
 	struct nf_nat_range range[IPT_SAME_MAX_RANGE];
diff --git a/include/linux/netfilter_ipv4/ipt_TTL.h b/include/linux/netfilter_ipv4/ipt_TTL.h
index ee6611e..f6ac169 100644
--- a/include/linux/netfilter_ipv4/ipt_TTL.h
+++ b/include/linux/netfilter_ipv4/ipt_TTL.h
@@ -4,6 +4,8 @@
 #ifndef _IPT_TTL_H
 #define _IPT_TTL_H
 
+#include <linux/types.h>
+
 enum {
 	IPT_TTL_SET = 0,
 	IPT_TTL_INC,
@@ -13,8 +15,8 @@ enum {
 #define IPT_TTL_MAXMODE	IPT_TTL_DEC
 
 struct ipt_TTL_info {
-	u_int8_t	mode;
-	u_int8_t	ttl;
+	__u8	mode;
+	__u8	ttl;
 };
 
 
diff --git a/include/linux/netfilter_ipv4/ipt_addrtype.h b/include/linux/netfilter_ipv4/ipt_addrtype.h
index 446de6a..0da4223 100644
--- a/include/linux/netfilter_ipv4/ipt_addrtype.h
+++ b/include/linux/netfilter_ipv4/ipt_addrtype.h
@@ -1,6 +1,8 @@
 #ifndef _IPT_ADDRTYPE_H
 #define _IPT_ADDRTYPE_H
 
+#include <linux/types.h>
+
 enum {
 	IPT_ADDRTYPE_INVERT_SOURCE	= 0x0001,
 	IPT_ADDRTYPE_INVERT_DEST	= 0x0002,
@@ -9,17 +11,17 @@ enum {
 };
 
 struct ipt_addrtype_info_v1 {
-	u_int16_t	source;		/* source-type mask */
-	u_int16_t	dest;		/* dest-type mask */
-	u_int32_t	flags;
+	__u16	source;		/* source-type mask */
+	__u16	dest;		/* dest-type mask */
+	__u32	flags;
 };
 
 /* revision 0 */
 struct ipt_addrtype_info {
-	u_int16_t	source;		/* source-type mask */
-	u_int16_t	dest;		/* dest-type mask */
-	u_int32_t	invert_source;
-	u_int32_t	invert_dest;
+	__u16	source;		/* source-type mask */
+	__u16	dest;		/* dest-type mask */
+	__u32	invert_source;
+	__u32	invert_dest;
 };
 
 #endif
diff --git a/include/linux/netfilter_ipv4/ipt_ah.h b/include/linux/netfilter_ipv4/ipt_ah.h
index 2e555b4..4e02bb0 100644
--- a/include/linux/netfilter_ipv4/ipt_ah.h
+++ b/include/linux/netfilter_ipv4/ipt_ah.h
@@ -1,9 +1,11 @@
 #ifndef _IPT_AH_H
 #define _IPT_AH_H
 
+#include <linux/types.h>
+
 struct ipt_ah {
-	u_int32_t spis[2];			/* Security Parameter Index */
-	u_int8_t  invflags;			/* Inverse flags */
+	__u32 spis[2];			/* Security Parameter Index */
+	__u8  invflags;			/* Inverse flags */
 };
 
 
diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h
index 9945baa..eabf95f 100644
--- a/include/linux/netfilter_ipv4/ipt_ecn.h
+++ b/include/linux/netfilter_ipv4/ipt_ecn.h
@@ -8,6 +8,8 @@
 */
 #ifndef _IPT_ECN_H
 #define _IPT_ECN_H
+
+#include <linux/types.h>
 #include <linux/netfilter/xt_dscp.h>
 
 #define IPT_ECN_IP_MASK	(~XT_DSCP_MASK)
@@ -20,12 +22,12 @@
 
 /* match info */
 struct ipt_ecn_info {
-	u_int8_t operation;
-	u_int8_t invert;
-	u_int8_t ip_ect;
+	__u8 operation;
+	__u8 invert;
+	__u8 ip_ect;
 	union {
 		struct {
-			u_int8_t ect;
+			__u8 ect;
 		} tcp;
 	} proto;
 };
diff --git a/include/linux/netfilter_ipv4/ipt_ttl.h b/include/linux/netfilter_ipv4/ipt_ttl.h
index ee24fd8..37bee44 100644
--- a/include/linux/netfilter_ipv4/ipt_ttl.h
+++ b/include/linux/netfilter_ipv4/ipt_ttl.h
@@ -4,6 +4,8 @@
 #ifndef _IPT_TTL_H
 #define _IPT_TTL_H
 
+#include <linux/types.h>
+
 enum {
 	IPT_TTL_EQ = 0,		/* equals */
 	IPT_TTL_NE,		/* not equals */
@@ -13,8 +15,8 @@ enum {
 
 
 struct ipt_ttl_info {
-	u_int8_t	mode;
-	u_int8_t	ttl;
+	__u8	mode;
+	__u8	ttl;
 };
 
 
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 6179032..3f19a97 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -23,11 +23,38 @@
 
 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-
 #define ip6t_match xt_match
 #define ip6t_target xt_target
 #define ip6t_table xt_table
 #define ip6t_get_revision xt_get_revision
+#define ip6t_entry_match xt_entry_match
+#define ip6t_entry_target xt_entry_target
+#define ip6t_standard_target xt_standard_target
+#define ip6t_error_target xt_error_target
+#define ip6t_counters xt_counters
+#define IP6T_CONTINUE XT_CONTINUE
+#define IP6T_RETURN XT_RETURN
+
+/* Pre-iptables-1.4.0 */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ip6t_tcp xt_tcp
+#define ip6t_udp xt_udp
+#define IP6T_TCP_INV_SRCPT	XT_TCP_INV_SRCPT
+#define IP6T_TCP_INV_DSTPT	XT_TCP_INV_DSTPT
+#define IP6T_TCP_INV_FLAGS	XT_TCP_INV_FLAGS
+#define IP6T_TCP_INV_OPTION	XT_TCP_INV_OPTION
+#define IP6T_TCP_INV_MASK	XT_TCP_INV_MASK
+#define IP6T_UDP_INV_SRCPT	XT_UDP_INV_SRCPT
+#define IP6T_UDP_INV_DSTPT	XT_UDP_INV_DSTPT
+#define IP6T_UDP_INV_MASK	XT_UDP_INV_MASK
+
+#define ip6t_counters_info xt_counters_info
+#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
+#define IP6T_ERROR_TARGET XT_ERROR_TARGET
+#define IP6T_MATCH_ITERATE(e, fn, args...) \
+	XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
+#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
+	XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
 
 /* Yes, Virginia, you have to zero the padding. */
 struct ip6t_ip6 {
@@ -56,12 +83,6 @@ struct ip6t_ip6 {
 	u_int8_t invflags;
 };
 
-#define ip6t_entry_match xt_entry_match
-#define ip6t_entry_target xt_entry_target
-#define ip6t_standard_target xt_standard_target
-
-#define ip6t_counters	xt_counters
-
 /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
 #define IP6T_F_PROTO		0x01	/* Set if rule cares about upper 
 					   protocols */
@@ -106,17 +127,12 @@ struct ip6t_entry {
 /* Standard entry */
 struct ip6t_standard {
 	struct ip6t_entry entry;
-	struct ip6t_standard_target target;
-};
-
-struct ip6t_error_target {
-	struct ip6t_entry_target target;
-	char errorname[IP6T_FUNCTION_MAXNAMELEN];
+	struct xt_standard_target target;
 };
 
 struct ip6t_error {
 	struct ip6t_entry entry;
-	struct ip6t_error_target target;
+	struct xt_error_target target;
 };
 
 #define IP6T_ENTRY_INIT(__size)						       \
@@ -128,16 +144,16 @@ struct ip6t_error {
 #define IP6T_STANDARD_INIT(__verdict)					       \
 {									       \
 	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
-	.target		= XT_TARGET_INIT(IP6T_STANDARD_TARGET,		       \
-					 sizeof(struct ip6t_standard_target)), \
+	.target		= XT_TARGET_INIT(XT_STANDARD_TARGET,		       \
+					 sizeof(struct xt_standard_target)),   \
 	.target.verdict	= -(__verdict) - 1,				       \
 }
 
 #define IP6T_ERROR_INIT							       \
 {									       \
 	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),	       \
-	.target		= XT_TARGET_INIT(IP6T_ERROR_TARGET,		       \
-					 sizeof(struct ip6t_error_target)),    \
+	.target		= XT_TARGET_INIT(XT_ERROR_TARGET,		       \
+					 sizeof(struct xt_error_target)),      \
 	.target.errorname = "ERROR",					       \
 }
 
@@ -160,30 +176,6 @@ struct ip6t_error {
 #define IP6T_SO_GET_REVISION_TARGET	(IP6T_BASE_CTL + 5)
 #define IP6T_SO_GET_MAX			IP6T_SO_GET_REVISION_TARGET
 
-/* CONTINUE verdict for targets */
-#define IP6T_CONTINUE XT_CONTINUE
-
-/* For standard target */
-#define IP6T_RETURN XT_RETURN
-
-/* TCP/UDP matching stuff */
-#include <linux/netfilter/xt_tcpudp.h>
-
-#define ip6t_tcp xt_tcp
-#define ip6t_udp xt_udp
-
-/* Values for "inv" field in struct ipt_tcp. */
-#define IP6T_TCP_INV_SRCPT	XT_TCP_INV_SRCPT
-#define IP6T_TCP_INV_DSTPT	XT_TCP_INV_DSTPT
-#define IP6T_TCP_INV_FLAGS	XT_TCP_INV_FLAGS
-#define IP6T_TCP_INV_OPTION	XT_TCP_INV_OPTION
-#define IP6T_TCP_INV_MASK	XT_TCP_INV_MASK
-
-/* Values for "invflags" field in struct ipt_udp. */
-#define IP6T_UDP_INV_SRCPT	XT_UDP_INV_SRCPT
-#define IP6T_UDP_INV_DSTPT	XT_UDP_INV_DSTPT
-#define IP6T_UDP_INV_MASK	XT_UDP_INV_MASK
-
 /* ICMP matching stuff */
 struct ip6t_icmp {
 	u_int8_t type;				/* type to match */
@@ -197,7 +189,7 @@ struct ip6t_icmp {
 /* The argument to IP6T_SO_GET_INFO */
 struct ip6t_getinfo {
 	/* Which table: caller fills this in. */
-	char name[IP6T_TABLE_MAXNAMELEN];
+	char name[XT_TABLE_MAXNAMELEN];
 
 	/* Kernel fills these in. */
 	/* Which hook entry points are valid: bitmask */
@@ -219,7 +211,7 @@ struct ip6t_getinfo {
 /* The argument to IP6T_SO_SET_REPLACE. */
 struct ip6t_replace {
 	/* Which table. */
-	char name[IP6T_TABLE_MAXNAMELEN];
+	char name[XT_TABLE_MAXNAMELEN];
 
 	/* Which hook entry points are valid: bitmask.  You can't
            change this. */
@@ -247,13 +239,10 @@ struct ip6t_replace {
 	struct ip6t_entry entries[0];
 };
 
-/* The argument to IP6T_SO_ADD_COUNTERS. */
-#define ip6t_counters_info xt_counters_info
-
 /* The argument to IP6T_SO_GET_ENTRIES. */
 struct ip6t_get_entries {
 	/* Which table: user fills this in. */
-	char name[IP6T_TABLE_MAXNAMELEN];
+	char name[XT_TABLE_MAXNAMELEN];
 
 	/* User fills this in: total entry size. */
 	unsigned int size;
@@ -262,26 +251,13 @@ struct ip6t_get_entries {
 	struct ip6t_entry entrytable[0];
 };
 
-/* Standard return verdict, or do jump. */
-#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define IP6T_ERROR_TARGET XT_ERROR_TARGET
-
 /* Helper functions */
-static __inline__ struct ip6t_entry_target *
+static __inline__ struct xt_entry_target *
 ip6t_get_target(struct ip6t_entry *e)
 {
 	return (void *)e + e->target_offset;
 }
 
-/* fn returns 0 to continue iteration */
-#define IP6T_MATCH_ITERATE(e, fn, args...) \
-	XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
-
-/* fn returns 0 to continue iteration */
-#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
-	XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
-
 /*
  *	Main firewall chains definitions and global var's definitions.
  */
diff --git a/include/linux/netfilter_ipv6/ip6t_HL.h b/include/linux/netfilter_ipv6/ip6t_HL.h
index afb7813..ebd8ead 100644
--- a/include/linux/netfilter_ipv6/ip6t_HL.h
+++ b/include/linux/netfilter_ipv6/ip6t_HL.h
@@ -5,6 +5,8 @@
 #ifndef _IP6T_HL_H
 #define _IP6T_HL_H
 
+#include <linux/types.h>
+
 enum {
 	IP6T_HL_SET = 0,
 	IP6T_HL_INC,
@@ -14,8 +16,8 @@ enum {
 #define IP6T_HL_MAXMODE	IP6T_HL_DEC
 
 struct ip6t_HL_info {
-	u_int8_t	mode;
-	u_int8_t	hop_limit;
+	__u8	mode;
+	__u8	hop_limit;
 };
 
 
diff --git a/include/linux/netfilter_ipv6/ip6t_REJECT.h b/include/linux/netfilter_ipv6/ip6t_REJECT.h
index 6be6504..205ed62 100644
--- a/include/linux/netfilter_ipv6/ip6t_REJECT.h
+++ b/include/linux/netfilter_ipv6/ip6t_REJECT.h
@@ -1,6 +1,8 @@
 #ifndef _IP6T_REJECT_H
 #define _IP6T_REJECT_H
 
+#include <linux/types.h>
+
 enum ip6t_reject_with {
 	IP6T_ICMP6_NO_ROUTE,
 	IP6T_ICMP6_ADM_PROHIBITED,
@@ -12,7 +14,7 @@ enum ip6t_reject_with {
 };
 
 struct ip6t_reject_info {
-	u_int32_t	with;	/* reject type */
+	__u32	with;	/* reject type */
 };
 
 #endif /*_IP6T_REJECT_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_ah.h b/include/linux/netfilter_ipv6/ip6t_ah.h
index 17a745c..5da2b65 100644
--- a/include/linux/netfilter_ipv6/ip6t_ah.h
+++ b/include/linux/netfilter_ipv6/ip6t_ah.h
@@ -1,11 +1,13 @@
 #ifndef _IP6T_AH_H
 #define _IP6T_AH_H
 
+#include <linux/types.h>
+
 struct ip6t_ah {
-	u_int32_t spis[2];			/* Security Parameter Index */
-	u_int32_t hdrlen;			/* Header Length */
-	u_int8_t  hdrres;			/* Test of the Reserved Filed */
-	u_int8_t  invflags;			/* Inverse flags */
+	__u32 spis[2];			/* Security Parameter Index */
+	__u32 hdrlen;			/* Header Length */
+	__u8  hdrres;			/* Test of the Reserved Filed */
+	__u8  invflags;			/* Inverse flags */
 };
 
 #define IP6T_AH_SPI 0x01
diff --git a/include/linux/netfilter_ipv6/ip6t_frag.h b/include/linux/netfilter_ipv6/ip6t_frag.h
index 3724d08..b47f61b 100644
--- a/include/linux/netfilter_ipv6/ip6t_frag.h
+++ b/include/linux/netfilter_ipv6/ip6t_frag.h
@@ -1,11 +1,13 @@
 #ifndef _IP6T_FRAG_H
 #define _IP6T_FRAG_H
 
+#include <linux/types.h>
+
 struct ip6t_frag {
-	u_int32_t ids[2];			/* Security Parameter Index */
-	u_int32_t hdrlen;			/* Header Length */
-	u_int8_t  flags;			/*  */
-	u_int8_t  invflags;			/* Inverse flags */
+	__u32 ids[2];			/* Security Parameter Index */
+	__u32 hdrlen;			/* Header Length */
+	__u8  flags;			/*  */
+	__u8  invflags;			/* Inverse flags */
 };
 
 #define IP6T_FRAG_IDS 		0x01
diff --git a/include/linux/netfilter_ipv6/ip6t_hl.h b/include/linux/netfilter_ipv6/ip6t_hl.h
index 5ef91b8..6e76dbc 100644
--- a/include/linux/netfilter_ipv6/ip6t_hl.h
+++ b/include/linux/netfilter_ipv6/ip6t_hl.h
@@ -5,6 +5,8 @@
 #ifndef _IP6T_HL_H
 #define _IP6T_HL_H
 
+#include <linux/types.h>
+
 enum {
 	IP6T_HL_EQ = 0,		/* equals */
 	IP6T_HL_NE,		/* not equals */
@@ -14,8 +16,8 @@ enum {
 
 
 struct ip6t_hl_info {
-	u_int8_t	mode;
-	u_int8_t	hop_limit;
+	__u8	mode;
+	__u8	hop_limit;
 };
 
 
diff --git a/include/linux/netfilter_ipv6/ip6t_ipv6header.h b/include/linux/netfilter_ipv6/ip6t_ipv6header.h
index 01dfd44..efae3a2 100644
--- a/include/linux/netfilter_ipv6/ip6t_ipv6header.h
+++ b/include/linux/netfilter_ipv6/ip6t_ipv6header.h
@@ -8,10 +8,12 @@ on whether they contain certain headers */
 #ifndef __IPV6HEADER_H
 #define __IPV6HEADER_H
 
+#include <linux/types.h>
+
 struct ip6t_ipv6header_info {
-	u_int8_t matchflags;
-	u_int8_t invflags;
-	u_int8_t modeflag;
+	__u8 matchflags;
+	__u8 invflags;
+	__u8 modeflag;
 };
 
 #define MASK_HOPOPTS    128
diff --git a/include/linux/netfilter_ipv6/ip6t_mh.h b/include/linux/netfilter_ipv6/ip6t_mh.h
index 18549bc..a7729a5 100644
--- a/include/linux/netfilter_ipv6/ip6t_mh.h
+++ b/include/linux/netfilter_ipv6/ip6t_mh.h
@@ -1,10 +1,12 @@
 #ifndef _IP6T_MH_H
 #define _IP6T_MH_H
 
+#include <linux/types.h>
+
 /* MH matching stuff */
 struct ip6t_mh {
-	u_int8_t types[2];	/* MH type range */
-	u_int8_t invflags;	/* Inverse flags */
+	__u8 types[2];	/* MH type range */
+	__u8 invflags;	/* Inverse flags */
 };
 
 /* Values for "invflags" field in struct ip6t_mh. */
diff --git a/include/linux/netfilter_ipv6/ip6t_opts.h b/include/linux/netfilter_ipv6/ip6t_opts.h
index 62d89bc..17d419a 100644
--- a/include/linux/netfilter_ipv6/ip6t_opts.h
+++ b/include/linux/netfilter_ipv6/ip6t_opts.h
@@ -1,14 +1,16 @@
 #ifndef _IP6T_OPTS_H
 #define _IP6T_OPTS_H
 
+#include <linux/types.h>
+
 #define IP6T_OPTS_OPTSNR 16
 
 struct ip6t_opts {
-	u_int32_t hdrlen;			/* Header Length */
-	u_int8_t flags;				/*  */
-	u_int8_t invflags;			/* Inverse flags */
-	u_int16_t opts[IP6T_OPTS_OPTSNR];	/* opts */
-	u_int8_t optsnr;			/* Nr of OPts */
+	__u32 hdrlen;			/* Header Length */
+	__u8 flags;				/*  */
+	__u8 invflags;			/* Inverse flags */
+	__u16 opts[IP6T_OPTS_OPTSNR];	/* opts */
+	__u8 optsnr;			/* Nr of OPts */
 };
 
 #define IP6T_OPTS_LEN 		0x01
diff --git a/include/linux/netfilter_ipv6/ip6t_rt.h b/include/linux/netfilter_ipv6/ip6t_rt.h
index ab91bfd..7605a5f 100644
--- a/include/linux/netfilter_ipv6/ip6t_rt.h
+++ b/include/linux/netfilter_ipv6/ip6t_rt.h
@@ -1,18 +1,19 @@
 #ifndef _IP6T_RT_H
 #define _IP6T_RT_H
 
+#include <linux/types.h>
 /*#include <linux/in6.h>*/
 
 #define IP6T_RT_HOPS 16
 
 struct ip6t_rt {
-	u_int32_t rt_type;			/* Routing Type */
-	u_int32_t segsleft[2];			/* Segments Left */
-	u_int32_t hdrlen;			/* Header Length */
-	u_int8_t  flags;			/*  */
-	u_int8_t  invflags;			/* Inverse flags */
+	__u32 rt_type;			/* Routing Type */
+	__u32 segsleft[2];			/* Segments Left */
+	__u32 hdrlen;			/* Header Length */
+	__u8  flags;			/*  */
+	__u8  invflags;			/* Inverse flags */
 	struct in6_addr addrs[IP6T_RT_HOPS];	/* Hops */
-	u_int8_t addrnr;			/* Nr of Addresses */
+	__u8 addrnr;			/* Nr of Addresses */
 };
 
 #define IP6T_RT_TYP 		0x01
diff --git a/include/linux/types.h b/include/linux/types.h
index 8b483c8..630cd3b 100644
--- a/include/linux/types.h
+++ b/include/linux/types.h
@@ -34,5 +34,18 @@ typedef __u64 __bitwise __be64;
 typedef __u16 __bitwise __sum16;
 typedef __u32 __bitwise __wsum;
 
+/*
+ * aligned_u64 should be used in defining kernel<->userspace ABIs to avoid
+ * common 32/64-bit compat problems.
+ * 64-bit values align to 4-byte boundaries on x86_32 (and possibly other
+ * architectures) and to 8-byte boundaries on 64-bit architetures.  The new
+ * aligned_64 type enforces 8-byte alignment so that structs containing
+ * aligned_64 values have the same alignment on 32-bit and 64-bit architectures.
+ * No conversions are necessary between 32-bit user-space and a 64-bit kernel.
+ */
+#define __aligned_u64 __u64 __attribute__((aligned(8)))
+#define __aligned_be64 __be64 __attribute__((aligned(8)))
+#define __aligned_le64 __le64 __attribute__((aligned(8)))
+
 #endif /*  __ASSEMBLY__ */
 #endif /* _LINUX_TYPES_H */
-- 
1.7.3.4



* Re: [PATCH 2/3] libxt_addrtype: add support for revision 1
  2011-09-05 18:24 ` [PATCH 2/3] libxt_addrtype: add support for revision 1 Jan Engelhardt
@ 2011-09-05 18:56   ` Florian Westphal
  0 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2011-09-05 18:56 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt <jengelh@medozas.de> wrote:
> Rev 1 was added to the kernel in commit v2.6.39-rc1~468^2~10^2~1 but
> there was no corresponding iptables patch so far.
>
> Cc: Florian Westphal <fw@strlen.de>

Weird, I could have sworn I did send a patch for userspace
too...

Thanks for taking care of this Jan.


* Re: [PATCH 1/3] libxt_addrtype: rename from libipt_addrtype
  2011-09-05 18:24 ` [PATCH 1/3] libxt_addrtype: rename from libipt_addrtype Jan Engelhardt
@ 2011-09-06 11:34   ` Pablo Neira Ayuso
  2011-09-06 11:46     ` Jan Engelhardt
  0 siblings, 1 reply; 8+ messages in thread
From: Pablo Neira Ayuso @ 2011-09-06 11:34 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On Mon, Sep 05, 2011 at 08:24:38PM +0200, Jan Engelhardt wrote:
> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
> ---
>  extensions/libipt_addrtype.c   |  308 ----------------------------------------
>  extensions/libipt_addrtype.man |   69 ---------
>  extensions/libxt_addrtype.c    |  308 ++++++++++++++++++++++++++++++++++++++++
>  extensions/libxt_addrtype.man  |   69 +++++++++
>  4 files changed, 377 insertions(+), 377 deletions(-)
>  delete mode 100644 extensions/libipt_addrtype.c
>  delete mode 100644 extensions/libipt_addrtype.man
>  create mode 100644 extensions/libxt_addrtype.c
>  create mode 100644 extensions/libxt_addrtype.man

You can get smaller patches with -M option in git-format-patch. Just
to let you know for the next time you have to make some renaming.


* Re: [PATCH 1/3] libxt_addrtype: rename from libipt_addrtype
  2011-09-06 11:34   ` Pablo Neira Ayuso
@ 2011-09-06 11:46     ` Jan Engelhardt
  2011-09-06 16:14       ` Pablo Neira Ayuso
  0 siblings, 1 reply; 8+ messages in thread
From: Jan Engelhardt @ 2011-09-06 11:46 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Tuesday 2011-09-06 13:34, Pablo Neira Ayuso wrote:

>On Mon, Sep 05, 2011 at 08:24:38PM +0200, Jan Engelhardt wrote:
>> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
>> ---
>>  extensions/libipt_addrtype.c   |  308 ----------------------------------------
>>  extensions/libipt_addrtype.man |   69 ---------
>>  extensions/libxt_addrtype.c    |  308 ++++++++++++++++++++++++++++++++++++++++
>>  extensions/libxt_addrtype.man  |   69 +++++++++
>>  4 files changed, 377 insertions(+), 377 deletions(-)
>>  delete mode 100644 extensions/libipt_addrtype.c
>>  delete mode 100644 extensions/libipt_addrtype.man
>>  create mode 100644 extensions/libxt_addrtype.c
>>  create mode 100644 extensions/libxt_addrtype.man
>
>You can get smaller patches with -M option in git-format-patch. Just
>to let you know for the next time you have to make some renaming.

Does -M also work with git send-email? That is what I used.



* Re: [PATCH 1/3] libxt_addrtype: rename from libipt_addrtype
  2011-09-06 11:46     ` Jan Engelhardt
@ 2011-09-06 16:14       ` Pablo Neira Ayuso
  0 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2011-09-06 16:14 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On Tue, Sep 06, 2011 at 01:46:57PM +0200, Jan Engelhardt wrote:
> On Tuesday 2011-09-06 13:34, Pablo Neira Ayuso wrote:
> 
> >On Mon, Sep 05, 2011 at 08:24:38PM +0200, Jan Engelhardt wrote:
> >> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
> >> ---
> >>  extensions/libipt_addrtype.c   |  308 ----------------------------------------
> >>  extensions/libipt_addrtype.man |   69 ---------
> >>  extensions/libxt_addrtype.c    |  308 ++++++++++++++++++++++++++++++++++++++++
> >>  extensions/libxt_addrtype.man  |   69 +++++++++
> >>  4 files changed, 377 insertions(+), 377 deletions(-)
> >>  delete mode 100644 extensions/libipt_addrtype.c
> >>  delete mode 100644 extensions/libipt_addrtype.man
> >>  create mode 100644 extensions/libxt_addrtype.c
> >>  create mode 100644 extensions/libxt_addrtype.man
> >
> >You can get smaller patches with -M option in git-format-patch. Just
> >to let you know for the next time you have to make some renaming.
> 
> Does -M also work with  git send-email? 'Cause that is what I used..

If you use git-format-patch + git-send-email like me, it should work
fine. 
