URL
https://opencores.org/ocsvn/or1k/or1k/trunk
Subversion Repositories or1k
Compare Revisions
- This comparison shows the changes necessary to convert path
/or1k/tags/LINUX_2_4_26_OR32/linux/linux-2.4/include/linux/netfilter_ipv4
- from Rev 1279 to Rev 1765
- ↔ Reverse comparison
Rev 1279 → Rev 1765
/ipt_limit.h
0,0 → 1,21
#ifndef _IPT_RATE_H |
#define _IPT_RATE_H |
|
/* timings are in milliseconds. */ |
#define IPT_LIMIT_SCALE 10000 |
|
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 |
seconds, or one every 59 hours. */ |
struct ipt_rateinfo { |
u_int32_t avg; /* Average secs between packets * scale */ |
u_int32_t burst; /* Period multiplier for upper limit. */ |
|
/* Used internally by the kernel */ |
unsigned long prev; |
u_int32_t credit; |
u_int32_t credit_cap, cost; |
|
/* Ugly, ugly fucker. */ |
struct ipt_rateinfo *master; |
}; |
#endif /*_IPT_RATE_H*/ |
/ipt_helper.h
0,0 → 1,8
#ifndef _IPT_HELPER_H |
#define _IPT_HELPER_H |
|
struct ipt_helper_info { |
int invert; |
char name[30]; |
}; |
#endif /* _IPT_HELPER_H */ |
/ip_nat_protocol.h
0,0 → 1,57
/* Header for use in defining a given protocol. */ |
#ifndef _IP_NAT_PROTOCOL_H |
#define _IP_NAT_PROTOCOL_H |
#include <linux/init.h> |
#include <linux/list.h> |
|
struct iphdr; |
struct ip_nat_range; |
|
struct ip_nat_protocol |
{ |
struct list_head list; |
|
/* Protocol name */ |
const char *name; |
|
/* Protocol number. */ |
unsigned int protonum; |
|
/* Do a packet translation according to the ip_nat_proto_manip |
* and manip type. */ |
void (*manip_pkt)(struct iphdr *iph, size_t len, |
const struct ip_conntrack_manip *manip, |
enum ip_nat_manip_type maniptype); |
|
/* Is the manipable part of the tuple between min and max incl? */ |
int (*in_range)(const struct ip_conntrack_tuple *tuple, |
enum ip_nat_manip_type maniptype, |
const union ip_conntrack_manip_proto *min, |
const union ip_conntrack_manip_proto *max); |
|
/* Alter the per-proto part of the tuple (depending on |
maniptype), to give a unique tuple in the given range if |
possible; return false if not. Per-protocol part of tuple |
is initialized to the incoming packet. */ |
int (*unique_tuple)(struct ip_conntrack_tuple *tuple, |
const struct ip_nat_range *range, |
enum ip_nat_manip_type maniptype, |
const struct ip_conntrack *conntrack); |
|
unsigned int (*print)(char *buffer, |
const struct ip_conntrack_tuple *match, |
const struct ip_conntrack_tuple *mask); |
|
unsigned int (*print_range)(char *buffer, |
const struct ip_nat_range *range); |
}; |
|
/* Protocol registration. */ |
extern int ip_nat_protocol_register(struct ip_nat_protocol *proto); |
extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto); |
|
extern int init_protocols(void) __init; |
extern void cleanup_protocols(void); |
extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum); |
|
#endif /*_IP_NAT_PROTO_H*/ |
/ipt_state.h
0,0 → 1,11
#ifndef _IPT_STATE_H |
#define _IPT_STATE_H |
|
#define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) |
#define IPT_STATE_INVALID (1 << 0) |
|
struct ipt_state_info |
{ |
unsigned int statemask; |
}; |
#endif /*_IPT_STATE_H*/ |
/ipt_recent.h
0,0 → 1,27
#ifndef _IPT_RECENT_H |
#define _IPT_RECENT_H |
|
#define RECENT_NAME "ipt_recent" |
#define RECENT_VER "v0.3.1" |
|
#define IPT_RECENT_CHECK 1 |
#define IPT_RECENT_SET 2 |
#define IPT_RECENT_UPDATE 4 |
#define IPT_RECENT_REMOVE 8 |
#define IPT_RECENT_TTL 16 |
|
#define IPT_RECENT_SOURCE 0 |
#define IPT_RECENT_DEST 1 |
|
#define IPT_RECENT_NAME_LEN 200 |
|
struct ipt_recent_info { |
u_int32_t seconds; |
u_int32_t hit_count; |
u_int8_t check_set; |
u_int8_t invert; |
char name[IPT_RECENT_NAME_LEN]; |
u_int8_t side; |
}; |
|
#endif /*_IPT_RECENT_H*/ |
/ipfwadm_core.h
0,0 → 1,256
#ifndef _IPFWADM_CORE_H |
#define _IPFWADM_CORE_H |
/* Minor modifications to fit on compatibility framework: |
Rusty.Russell@rustcorp.com.au |
*/ |
|
/* |
* IP firewalling code. This is taken from 4.4BSD. Please note the |
* copyright message below. As per the GPL it must be maintained |
* and the licenses thus do not conflict. While this port is subject |
* to the GPL I also place my modifications under the original |
* license in recognition of the original copyright. |
* |
* Ported from BSD to Linux, |
* Alan Cox 22/Nov/1994. |
* Merged and included the FreeBSD-Current changes at Ugen's request |
* (but hey it's a lot cleaner now). Ugen would prefer in some ways |
* we waited for his final product but since Linux 1.2.0 is about to |
* appear it's not practical - Read: It works, it's not clean but please |
* don't consider it to be his standard of finished work. |
* Alan. |
* |
* Fixes: |
* Pauline Middelink : Added masquerading. |
* Jos Vos : Separate input and output firewall |
* chains, new "insert" and "append" |
* commands to replace "add" commands, |
* add ICMP header to struct ip_fwpkt. |
* Jos Vos : Add support for matching device names. |
* Willy Konynenberg : Add transparent proxying support. |
* Jos Vos : Add options for input/output accounting. |
* |
* All the real work was done by ..... |
*/ |
|
/* |
* Copyright (c) 1993 Daniel Boulet |
* Copyright (c) 1994 Ugen J.S.Antsilevich |
* |
* Redistribution and use in source forms, with and without modification, |
* are permitted provided that this entire comment appears intact. |
* |
* Redistribution in binary form may occur without any restrictions. |
* Obviously, it would be nice if you gave credit where credit is due |
* but requiring it would be too onerous. |
* |
* This software is provided ``AS IS'' without any warranties of any kind. |
*/ |
|
/* |
* Format of an IP firewall descriptor |
* |
* src, dst, src_mask, dst_mask are always stored in network byte order. |
* flags and num_*_ports are stored in host byte order (of course). |
* Port numbers are stored in HOST byte order. |
*/ |
|
#ifdef __KERNEL__ |
#include <linux/icmp.h> |
#include <linux/in.h> |
#include <linux/ip.h> |
#include <linux/tcp.h> |
#include <linux/udp.h> |
#endif |
|
struct ip_fw |
{ |
struct ip_fw *fw_next; /* Next firewall on chain */ |
struct in_addr fw_src, fw_dst; /* Source and destination IP addr */ |
struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */ |
struct in_addr fw_via; /* IP address of interface "via" */ |
struct net_device *fw_viadev; /* device of interface "via" */ |
__u16 fw_flg; /* Flags word */ |
__u16 fw_nsp, fw_ndp; /* N'of src ports and # of dst ports */ |
/* in ports array (dst ports follow */ |
/* src ports; max of 10 ports in all; */ |
/* count of 0 means match all ports) */ |
#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */ |
__u16 fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */ |
unsigned long fw_pcnt,fw_bcnt; /* Packet and byte counters */ |
__u8 fw_tosand, fw_tosxor; /* Revised packet priority */ |
char fw_vianame[IFNAMSIZ]; /* name of interface "via" */ |
}; |
|
/* |
* Values for "flags" field . |
*/ |
|
#define IP_FW_F_ALL 0x0000 /* This is a universal packet firewall*/ |
#define IP_FW_F_TCP 0x0001 /* This is a TCP packet firewall */ |
#define IP_FW_F_UDP 0x0002 /* This is a UDP packet firewall */ |
#define IP_FW_F_ICMP 0x0003 /* This is a ICMP packet firewall */ |
#define IP_FW_F_KIND 0x0003 /* Mask to isolate firewall kind */ |
#define IP_FW_F_ACCEPT 0x0004 /* This is an accept firewall (as * |
* opposed to a deny firewall)* |
* */ |
#define IP_FW_F_SRNG 0x0008 /* The first two src ports are a min * |
* and max range (stored in host byte * |
* order). * |
* */ |
#define IP_FW_F_DRNG 0x0010 /* The first two dst ports are a min * |
* and max range (stored in host byte * |
* order). * |
* (ports[0] <= port <= ports[1]) * |
* */ |
#define IP_FW_F_PRN 0x0020 /* In verbose mode print this firewall*/ |
#define IP_FW_F_BIDIR 0x0040 /* For bidirectional firewalls */ |
#define IP_FW_F_TCPSYN 0x0080 /* For tcp packets-check SYN only */ |
#define IP_FW_F_ICMPRPL 0x0100 /* Send back icmp unreachable packet */ |
#define IP_FW_F_MASQ 0x0200 /* Masquerading */ |
#define IP_FW_F_TCPACK 0x0400 /* For tcp-packets match if ACK is set*/ |
#define IP_FW_F_REDIR 0x0800 /* Redirect to local port fw_pts[n] */ |
#define IP_FW_F_ACCTIN 0x1000 /* Account incoming packets only. */ |
#define IP_FW_F_ACCTOUT 0x2000 /* Account outgoing packets only. */ |
|
#define IP_FW_F_MASK 0x3FFF /* All possible flag bits mask */ |
|
/* |
* New IP firewall options for [gs]etsockopt at the RAW IP level. |
* Unlike BSD Linux inherits IP options so you don't have to use |
* a raw socket for this. Instead we check rights in the calls. |
*/ |
|
#define IP_FW_BASE_CTL 64 /* base for firewall socket options */ |
|
#define IP_FW_COMMAND 0x00FF /* mask for command without chain */ |
#define IP_FW_TYPE 0x0300 /* mask for type (chain) */ |
#define IP_FW_SHIFT 8 /* shift count for type (chain) */ |
|
#define IP_FW_FWD 0 |
#define IP_FW_IN 1 |
#define IP_FW_OUT 2 |
#define IP_FW_ACCT 3 |
#define IP_FW_CHAINS 4 /* total number of ip_fw chains */ |
#define IP_FW_MASQ 5 |
|
#define IP_FW_INSERT (IP_FW_BASE_CTL) |
#define IP_FW_APPEND (IP_FW_BASE_CTL+1) |
#define IP_FW_DELETE (IP_FW_BASE_CTL+2) |
#define IP_FW_FLUSH (IP_FW_BASE_CTL+3) |
#define IP_FW_ZERO (IP_FW_BASE_CTL+4) |
#define IP_FW_POLICY (IP_FW_BASE_CTL+5) |
#define IP_FW_CHECK (IP_FW_BASE_CTL+6) |
#define IP_FW_MASQ_TIMEOUTS (IP_FW_BASE_CTL+7) |
|
#define IP_FW_INSERT_FWD (IP_FW_INSERT | (IP_FW_FWD << IP_FW_SHIFT)) |
#define IP_FW_APPEND_FWD (IP_FW_APPEND | (IP_FW_FWD << IP_FW_SHIFT)) |
#define IP_FW_DELETE_FWD (IP_FW_DELETE | (IP_FW_FWD << IP_FW_SHIFT)) |
#define IP_FW_FLUSH_FWD (IP_FW_FLUSH | (IP_FW_FWD << IP_FW_SHIFT)) |
#define IP_FW_ZERO_FWD (IP_FW_ZERO | (IP_FW_FWD << IP_FW_SHIFT)) |
#define IP_FW_POLICY_FWD (IP_FW_POLICY | (IP_FW_FWD << IP_FW_SHIFT)) |
#define IP_FW_CHECK_FWD (IP_FW_CHECK | (IP_FW_FWD << IP_FW_SHIFT)) |
|
#define IP_FW_INSERT_IN (IP_FW_INSERT | (IP_FW_IN << IP_FW_SHIFT)) |
#define IP_FW_APPEND_IN (IP_FW_APPEND | (IP_FW_IN << IP_FW_SHIFT)) |
#define IP_FW_DELETE_IN (IP_FW_DELETE | (IP_FW_IN << IP_FW_SHIFT)) |
#define IP_FW_FLUSH_IN (IP_FW_FLUSH | (IP_FW_IN << IP_FW_SHIFT)) |
#define IP_FW_ZERO_IN (IP_FW_ZERO | (IP_FW_IN << IP_FW_SHIFT)) |
#define IP_FW_POLICY_IN (IP_FW_POLICY | (IP_FW_IN << IP_FW_SHIFT)) |
#define IP_FW_CHECK_IN (IP_FW_CHECK | (IP_FW_IN << IP_FW_SHIFT)) |
|
#define IP_FW_INSERT_OUT (IP_FW_INSERT | (IP_FW_OUT << IP_FW_SHIFT)) |
#define IP_FW_APPEND_OUT (IP_FW_APPEND | (IP_FW_OUT << IP_FW_SHIFT)) |
#define IP_FW_DELETE_OUT (IP_FW_DELETE | (IP_FW_OUT << IP_FW_SHIFT)) |
#define IP_FW_FLUSH_OUT (IP_FW_FLUSH | (IP_FW_OUT << IP_FW_SHIFT)) |
#define IP_FW_ZERO_OUT (IP_FW_ZERO | (IP_FW_OUT << IP_FW_SHIFT)) |
#define IP_FW_POLICY_OUT (IP_FW_POLICY | (IP_FW_OUT << IP_FW_SHIFT)) |
#define IP_FW_CHECK_OUT (IP_FW_CHECK | (IP_FW_OUT << IP_FW_SHIFT)) |
|
#define IP_ACCT_INSERT (IP_FW_INSERT | (IP_FW_ACCT << IP_FW_SHIFT)) |
#define IP_ACCT_APPEND (IP_FW_APPEND | (IP_FW_ACCT << IP_FW_SHIFT)) |
#define IP_ACCT_DELETE (IP_FW_DELETE | (IP_FW_ACCT << IP_FW_SHIFT)) |
#define IP_ACCT_FLUSH (IP_FW_FLUSH | (IP_FW_ACCT << IP_FW_SHIFT)) |
#define IP_ACCT_ZERO (IP_FW_ZERO | (IP_FW_ACCT << IP_FW_SHIFT)) |
|
#define IP_FW_MASQ_INSERT (IP_FW_INSERT | (IP_FW_MASQ << IP_FW_SHIFT)) |
#define IP_FW_MASQ_ADD (IP_FW_APPEND | (IP_FW_MASQ << IP_FW_SHIFT)) |
#define IP_FW_MASQ_DEL (IP_FW_DELETE | (IP_FW_MASQ << IP_FW_SHIFT)) |
#define IP_FW_MASQ_FLUSH (IP_FW_FLUSH | (IP_FW_MASQ << IP_FW_SHIFT)) |
|
#define IP_FW_MASQ_INSERT (IP_FW_INSERT | (IP_FW_MASQ << IP_FW_SHIFT)) |
#define IP_FW_MASQ_ADD (IP_FW_APPEND | (IP_FW_MASQ << IP_FW_SHIFT)) |
#define IP_FW_MASQ_DEL (IP_FW_DELETE | (IP_FW_MASQ << IP_FW_SHIFT)) |
#define IP_FW_MASQ_FLUSH (IP_FW_FLUSH | (IP_FW_MASQ << IP_FW_SHIFT)) |
|
struct ip_fwpkt |
{ |
struct iphdr fwp_iph; /* IP header */ |
union { |
struct tcphdr fwp_tcph; /* TCP header or */ |
struct udphdr fwp_udph; /* UDP header */ |
struct icmphdr fwp_icmph; /* ICMP header */ |
} fwp_protoh; |
struct in_addr fwp_via; /* interface address */ |
char fwp_vianame[IFNAMSIZ]; /* interface name */ |
}; |
|
#define IP_FW_MASQCTL_MAX 256 |
#define IP_MASQ_MOD_NMAX 32 |
|
struct ip_fw_masqctl |
{ |
int mctl_action; |
union { |
struct { |
char name[IP_MASQ_MOD_NMAX]; |
char data[1]; |
} mod; |
} u; |
}; |
|
/* |
* timeouts for ip masquerading |
*/ |
|
struct ip_fw_masq; |
|
/* |
* Main firewall chains definitions and global var's definitions. |
*/ |
|
#ifdef __KERNEL__ |
|
/* Modes used in the ip_fw_chk() routine. */ |
#define IP_FW_MODE_FW 0x00 /* kernel firewall check */ |
#define IP_FW_MODE_ACCT_IN 0x01 /* accounting (incoming) */ |
#define IP_FW_MODE_ACCT_OUT 0x02 /* accounting (outgoing) */ |
#define IP_FW_MODE_CHK 0x04 /* check requested by user */ |
|
#include <linux/config.h> |
#ifdef CONFIG_IP_FIREWALL |
extern struct ip_fw *ip_fw_in_chain; |
extern struct ip_fw *ip_fw_out_chain; |
extern struct ip_fw *ip_fw_fwd_chain; |
extern int ip_fw_in_policy; |
extern int ip_fw_out_policy; |
extern int ip_fw_fwd_policy; |
extern int ip_fw_ctl(int, void *, int); |
#endif |
#ifdef CONFIG_IP_ACCT |
extern struct ip_fw *ip_acct_chain; |
extern int ip_acct_ctl(int, void *, int); |
#endif |
#ifdef CONFIG_IP_MASQUERADE |
extern int ip_masq_ctl(int, void *, int); |
#endif |
#ifdef CONFIG_IP_MASQUERADE |
extern int ip_masq_ctl(int, void *, int); |
#endif |
|
extern int ip_fw_masq_timeouts(void *user, int len); |
|
extern int ip_fw_chk(struct iphdr *, struct net_device *, __u16 *, |
struct ip_fw *, int, int); |
#endif /* KERNEL */ |
#endif /* _IP_FW_H */ |
/lockhelp.h
0,0 → 1,129
#ifndef _LOCKHELP_H |
#define _LOCKHELP_H |
#include <linux/config.h> |
|
#include <linux/spinlock.h> |
#include <asm/atomic.h> |
#include <linux/interrupt.h> |
#include <linux/smp.h> |
|
/* Header to do help in lock debugging. */ |
|
#ifdef CONFIG_NETFILTER_DEBUG |
struct spinlock_debug |
{ |
spinlock_t l; |
atomic_t locked_by; |
}; |
|
struct rwlock_debug |
{ |
rwlock_t l; |
long read_locked_map; |
long write_locked_map; |
}; |
|
#define DECLARE_LOCK(l) \ |
struct spinlock_debug l = { SPIN_LOCK_UNLOCKED, ATOMIC_INIT(-1) } |
#define DECLARE_LOCK_EXTERN(l) \ |
extern struct spinlock_debug l |
#define DECLARE_RWLOCK(l) \ |
struct rwlock_debug l = { RW_LOCK_UNLOCKED, 0, 0 } |
#define DECLARE_RWLOCK_EXTERN(l) \ |
extern struct rwlock_debug l |
|
#define MUST_BE_LOCKED(l) \ |
do { if (atomic_read(&(l)->locked_by) != smp_processor_id()) \ |
printk("ASSERT %s:%u %s unlocked\n", __FILE__, __LINE__, #l); \ |
} while(0) |
|
#define MUST_BE_UNLOCKED(l) \ |
do { if (atomic_read(&(l)->locked_by) == smp_processor_id()) \ |
printk("ASSERT %s:%u %s locked\n", __FILE__, __LINE__, #l); \ |
} while(0) |
|
/* Write locked OK as well. */ |
#define MUST_BE_READ_LOCKED(l) \ |
do { if (!((l)->read_locked_map & (1UL << smp_processor_id())) \ |
&& !((l)->write_locked_map & (1UL << smp_processor_id()))) \ |
printk("ASSERT %s:%u %s not readlocked\n", __FILE__, __LINE__, #l); \ |
} while(0) |
|
#define MUST_BE_WRITE_LOCKED(l) \ |
do { if (!((l)->write_locked_map & (1UL << smp_processor_id()))) \ |
printk("ASSERT %s:%u %s not writelocked\n", __FILE__, __LINE__, #l); \ |
} while(0) |
|
#define MUST_BE_READ_WRITE_UNLOCKED(l) \ |
do { if ((l)->read_locked_map & (1UL << smp_processor_id())) \ |
printk("ASSERT %s:%u %s readlocked\n", __FILE__, __LINE__, #l); \ |
else if ((l)->write_locked_map & (1UL << smp_processor_id())) \ |
printk("ASSERT %s:%u %s writelocked\n", __FILE__, __LINE__, #l); \ |
} while(0) |
|
#define LOCK_BH(lk) \ |
do { \ |
MUST_BE_UNLOCKED(lk); \ |
spin_lock_bh(&(lk)->l); \ |
atomic_set(&(lk)->locked_by, smp_processor_id()); \ |
} while(0) |
|
#define UNLOCK_BH(lk) \ |
do { \ |
MUST_BE_LOCKED(lk); \ |
atomic_set(&(lk)->locked_by, -1); \ |
spin_unlock_bh(&(lk)->l); \ |
} while(0) |
|
#define READ_LOCK(lk) \ |
do { \ |
MUST_BE_READ_WRITE_UNLOCKED(lk); \ |
read_lock_bh(&(lk)->l); \ |
set_bit(smp_processor_id(), &(lk)->read_locked_map); \ |
} while(0) |
|
#define WRITE_LOCK(lk) \ |
do { \ |
MUST_BE_READ_WRITE_UNLOCKED(lk); \ |
write_lock_bh(&(lk)->l); \ |
set_bit(smp_processor_id(), &(lk)->write_locked_map); \ |
} while(0) |
|
#define READ_UNLOCK(lk) \ |
do { \ |
if (!((lk)->read_locked_map & (1UL << smp_processor_id()))) \ |
printk("ASSERT: %s:%u %s not readlocked\n", \ |
__FILE__, __LINE__, #lk); \ |
clear_bit(smp_processor_id(), &(lk)->read_locked_map); \ |
read_unlock_bh(&(lk)->l); \ |
} while(0) |
|
#define WRITE_UNLOCK(lk) \ |
do { \ |
MUST_BE_WRITE_LOCKED(lk); \ |
clear_bit(smp_processor_id(), &(lk)->write_locked_map); \ |
write_unlock_bh(&(lk)->l); \ |
} while(0) |
|
#else |
#define DECLARE_LOCK(l) spinlock_t l = SPIN_LOCK_UNLOCKED |
#define DECLARE_LOCK_EXTERN(l) extern spinlock_t l |
#define DECLARE_RWLOCK(l) rwlock_t l = RW_LOCK_UNLOCKED |
#define DECLARE_RWLOCK_EXTERN(l) extern rwlock_t l |
|
#define MUST_BE_LOCKED(l) |
#define MUST_BE_UNLOCKED(l) |
#define MUST_BE_READ_LOCKED(l) |
#define MUST_BE_WRITE_LOCKED(l) |
#define MUST_BE_READ_WRITE_UNLOCKED(l) |
|
#define LOCK_BH(l) spin_lock_bh(l) |
#define UNLOCK_BH(l) spin_unlock_bh(l) |
|
#define READ_LOCK(l) read_lock_bh(l) |
#define WRITE_LOCK(l) write_lock_bh(l) |
#define READ_UNLOCK(l) read_unlock_bh(l) |
#define WRITE_UNLOCK(l) write_unlock_bh(l) |
#endif /*CONFIG_NETFILTER_DEBUG*/ |
|
#endif /* _LOCKHELP_H */ |
/ipt_esp.h
0,0 → 1,16
#ifndef _IPT_ESP_H |
#define _IPT_ESP_H |
|
struct ipt_esp |
{ |
u_int32_t spis[2]; /* Security Parameter Index */ |
u_int8_t invflags; /* Inverse flags */ |
}; |
|
|
|
/* Values for "invflags" field in struct ipt_esp. */ |
#define IPT_ESP_INV_SPI 0x01 /* Invert the sense of spi. */ |
#define IPT_ESP_INV_MASK 0x01 /* All possible flags. */ |
|
#endif /*_IPT_ESP_H*/ |
/ipt_ah.h
0,0 → 1,16
#ifndef _IPT_AH_H |
#define _IPT_AH_H |
|
struct ipt_ah |
{ |
u_int32_t spis[2]; /* Security Parameter Index */ |
u_int8_t invflags; /* Inverse flags */ |
}; |
|
|
|
/* Values for "invflags" field in struct ipt_ah. */ |
#define IPT_AH_INV_SPI 0x01 /* Invert the sense of spi. */ |
#define IPT_AH_INV_MASK 0x01 /* All possible flags. */ |
|
#endif /*_IPT_AH_H*/ |
/ipchains_core.h
0,0 → 1,193
/* |
* This code is heavily based on the code in ip_fw.h; see that file for |
* copyrights and attributions. This code is basically GPL. |
* |
* 15-Feb-1997: Major changes to allow graphs for firewall rules. |
* Paul Russell <Paul.Russell@rustcorp.com.au> and |
* Michael Neuling <Michael.Neuling@rustcorp.com.au> |
* 2-Nov-1997: Changed types to __u16, etc. |
* Removed IP_FW_F_TCPACK & IP_FW_F_BIDIR. |
* Added inverse flags field. |
* Removed multiple port specs. |
*/ |
|
/* |
* Format of an IP firewall descriptor |
* |
* src, dst, src_mask, dst_mask are always stored in network byte order. |
* flags are stored in host byte order (of course). |
* Port numbers are stored in HOST byte order. |
*/ |
|
#ifndef _IP_FWCHAINS_H |
#define _IP_FWCHAINS_H |
|
#ifdef __KERNEL__ |
#include <linux/icmp.h> |
#include <linux/in.h> |
#include <linux/ip.h> |
#include <linux/tcp.h> |
#include <linux/udp.h> |
#endif /* __KERNEL__ */ |
#define IP_FW_MAX_LABEL_LENGTH 8 |
typedef char ip_chainlabel[IP_FW_MAX_LABEL_LENGTH+1]; |
|
struct ip_fw |
{ |
struct in_addr fw_src, fw_dst; /* Source and destination IP addr */ |
struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */ |
__u32 fw_mark; /* ID to stamp on packet */ |
__u16 fw_proto; /* Protocol, 0 = ANY */ |
__u16 fw_flg; /* Flags word */ |
__u16 fw_invflg; /* Inverse flags */ |
__u16 fw_spts[2]; /* Source port range. */ |
__u16 fw_dpts[2]; /* Destination port range. */ |
__u16 fw_redirpt; /* Port to redirect to. */ |
__u16 fw_outputsize; /* Max amount to output to |
NETLINK */ |
char fw_vianame[IFNAMSIZ]; /* name of interface "via" */ |
__u8 fw_tosand, fw_tosxor; /* Revised packet priority */ |
}; |
|
struct ip_fwuser |
{ |
struct ip_fw ipfw; |
ip_chainlabel label; |
}; |
|
/* Values for "fw_flg" field . */ |
#define IP_FW_F_PRN 0x0001 /* Print packet if it matches */ |
#define IP_FW_F_TCPSYN 0x0002 /* For tcp packets-check SYN only */ |
#define IP_FW_F_FRAG 0x0004 /* Set if rule is a fragment rule */ |
#define IP_FW_F_MARKABS 0x0008 /* Set the mark to fw_mark, not add. */ |
#define IP_FW_F_WILDIF 0x0010 /* Need only match start of interface name. */ |
#define IP_FW_F_NETLINK 0x0020 /* Redirect to netlink: 2.1.x only */ |
#define IP_FW_F_MASK 0x003F /* All possible flag bits mask */ |
|
/* Values for "fw_invflg" field. */ |
#define IP_FW_INV_SRCIP 0x0001 /* Invert the sense of fw_src. */ |
#define IP_FW_INV_DSTIP 0x0002 /* Invert the sense of fw_dst. */ |
#define IP_FW_INV_PROTO 0x0004 /* Invert the sense of fw_proto. */ |
#define IP_FW_INV_SRCPT 0x0008 /* Invert the sense of source ports. */ |
#define IP_FW_INV_DSTPT 0x0010 /* Invert the sense of destination ports. */ |
#define IP_FW_INV_VIA 0x0020 /* Invert the sense of fw_vianame. */ |
#define IP_FW_INV_SYN 0x0040 /* Invert the sense of IP_FW_F_TCPSYN. */ |
#define IP_FW_INV_FRAG 0x0080 /* Invert the sense of IP_FW_F_FRAG. */ |
|
/* |
* New IP firewall options for [gs]etsockopt at the RAW IP level. |
* Unlike BSD Linux inherits IP options so you don't have to use |
* a raw socket for this. Instead we check rights in the calls. */ |
|
#define IP_FW_BASE_CTL 64 /* base for firewall socket options */ |
|
#define IP_FW_APPEND (IP_FW_BASE_CTL) /* Takes ip_fwchange */ |
#define IP_FW_REPLACE (IP_FW_BASE_CTL+1) /* Takes ip_fwnew */ |
#define IP_FW_DELETE_NUM (IP_FW_BASE_CTL+2) /* Takes ip_fwdelnum */ |
#define IP_FW_DELETE (IP_FW_BASE_CTL+3) /* Takes ip_fwchange */ |
#define IP_FW_INSERT (IP_FW_BASE_CTL+4) /* Takes ip_fwnew */ |
#define IP_FW_FLUSH (IP_FW_BASE_CTL+5) /* Takes ip_chainlabel */ |
#define IP_FW_ZERO (IP_FW_BASE_CTL+6) /* Takes ip_chainlabel */ |
#define IP_FW_CHECK (IP_FW_BASE_CTL+7) /* Takes ip_fwtest */ |
#define IP_FW_MASQ_TIMEOUTS (IP_FW_BASE_CTL+8) /* Takes 3 ints */ |
#define IP_FW_CREATECHAIN (IP_FW_BASE_CTL+9) /* Takes ip_chainlabel */ |
#define IP_FW_DELETECHAIN (IP_FW_BASE_CTL+10) /* Takes ip_chainlabel */ |
#define IP_FW_POLICY (IP_FW_BASE_CTL+11) /* Takes ip_fwpolicy */ |
/* Masquerade control, only 1 optname */ |
|
#define IP_FW_MASQ_CTL (IP_FW_BASE_CTL+12) /* General ip_masq ctl */ |
|
/* Builtin chain labels */ |
#define IP_FW_LABEL_FORWARD "forward" |
#define IP_FW_LABEL_INPUT "input" |
#define IP_FW_LABEL_OUTPUT "output" |
|
/* Special targets */ |
#define IP_FW_LABEL_MASQUERADE "MASQ" |
#define IP_FW_LABEL_REDIRECT "REDIRECT" |
#define IP_FW_LABEL_ACCEPT "ACCEPT" |
#define IP_FW_LABEL_BLOCK "DENY" |
#define IP_FW_LABEL_REJECT "REJECT" |
#define IP_FW_LABEL_RETURN "RETURN" |
#define IP_FW_LABEL_QUEUE "QUEUE" |
|
/* Files in /proc/net */ |
#define IP_FW_PROC_CHAINS "ip_fwchains" |
#define IP_FW_PROC_CHAIN_NAMES "ip_fwnames" |
|
|
struct ip_fwpkt |
{ |
struct iphdr fwp_iph; /* IP header */ |
union { |
struct tcphdr fwp_tcph; /* TCP header or */ |
struct udphdr fwp_udph; /* UDP header */ |
struct icmphdr fwp_icmph; /* ICMP header */ |
} fwp_protoh; |
struct in_addr fwp_via; /* interface address */ |
char fwp_vianame[IFNAMSIZ]; /* interface name */ |
}; |
|
/* The argument to IP_FW_DELETE and IP_FW_APPEND */ |
struct ip_fwchange |
{ |
struct ip_fwuser fwc_rule; |
ip_chainlabel fwc_label; |
}; |
|
/* The argument to IP_FW_CHECK. */ |
struct ip_fwtest |
{ |
struct ip_fwpkt fwt_packet; /* Packet to be tested */ |
ip_chainlabel fwt_label; /* Block to start test in */ |
}; |
|
/* The argument to IP_FW_DELETE_NUM */ |
struct ip_fwdelnum |
{ |
__u32 fwd_rulenum; |
ip_chainlabel fwd_label; |
}; |
|
/* The argument to IP_FW_REPLACE and IP_FW_INSERT */ |
struct ip_fwnew |
{ |
__u32 fwn_rulenum; |
struct ip_fwuser fwn_rule; |
ip_chainlabel fwn_label; |
}; |
|
/* The argument to IP_FW_POLICY */ |
struct ip_fwpolicy |
{ |
ip_chainlabel fwp_policy; |
ip_chainlabel fwp_label; |
}; |
/* |
* timeouts for ip masquerading |
*/ |
|
extern int ip_fw_masq_timeouts(void *, int); |
|
|
/* |
* Main firewall chains definitions and global var's definitions. |
*/ |
|
#ifdef __KERNEL__ |
|
#include <linux/config.h> |
#include <linux/version.h> |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0) |
#include <linux/init.h> |
extern void ip_fw_init(void) __init; |
#else /* 2.0.x */ |
extern void ip_fw_init(void); |
#endif /* 2.1.x */ |
extern int ip_fw_ctl(int, void *, int); |
#ifdef CONFIG_IP_MASQUERADE |
extern int ip_masq_uctl(int, char *, int); |
#endif |
#endif /* KERNEL */ |
|
#endif /* _IP_FWCHAINS_H */ |
/ipt_owner.h
0,0 → 1,20
#ifndef _IPT_OWNER_H |
#define _IPT_OWNER_H |
|
/* match and invert flags */ |
#define IPT_OWNER_UID 0x01 |
#define IPT_OWNER_GID 0x02 |
#define IPT_OWNER_PID 0x04 |
#define IPT_OWNER_SID 0x08 |
#define IPT_OWNER_COMM 0x10 |
|
struct ipt_owner_info { |
uid_t uid; |
gid_t gid; |
pid_t pid; |
pid_t sid; |
char comm[16]; |
u_int8_t match, invert; /* flags */ |
}; |
|
#endif /*_IPT_OWNER_H*/ |
/ip_conntrack_irc.h
0,0 → 1,50
/* IRC extension for IP connection tracking. |
* (C) 2000 by Harald Welte <laforge@gnumonks.org> |
* based on RR's ip_conntrack_ftp.h |
* |
* ip_conntrack_irc.h,v 1.6 2000/11/07 18:26:42 laforge Exp |
* |
* This program is free software; you can redistribute it and/or |
* modify it under the terms of the GNU General Public License |
* as published by the Free Software Foundation; either version |
* 2 of the License, or (at your option) any later version. |
* |
* |
*/ |
#ifndef _IP_CONNTRACK_IRC_H |
#define _IP_CONNTRACK_IRC_H |
|
/* We record seq number and length of irc ip/port text here: all in |
host order. */ |
|
/* This structure is per expected connection */ |
struct ip_ct_irc_expect |
{ |
/* length of IP address */ |
u_int32_t len; |
/* Port that was to be used */ |
u_int16_t port; |
}; |
|
/* This structure exists only once per master */ |
struct ip_ct_irc_master { |
}; |
|
|
#ifdef __KERNEL__ |
|
#include <linux/netfilter_ipv4/lockhelp.h> |
|
#define IRC_PORT 6667 |
|
struct dccproto { |
char* match; |
int matchlen; |
}; |
|
/* Protects irc part of conntracks */ |
DECLARE_LOCK_EXTERN(ip_irc_lock); |
|
#endif /* __KERNEL__ */ |
|
#endif /* _IP_CONNTRACK_IRC_H */ |
/ip_conntrack_tftp.h
0,0 → 1,13
#ifndef _IP_CT_TFTP |
#define _IP_CT_TFTP |
|
#define TFTP_PORT 69 |
|
struct tftphdr { |
u_int16_t opcode; |
}; |
|
#define TFTP_OPCODE_READ 1 |
#define TFTP_OPCODE_WRITE 2 |
|
#endif /* _IP_CT_TFTP */ |
/compat_firewall.h
0,0 → 1,45
/* Minor modifications to fit on compatibility framework: |
Rusty.Russell@rustcorp.com.au |
*/ |
|
#ifndef __LINUX_FIREWALL_H |
#define __LINUX_FIREWALL_H |
|
/* |
* Definitions for loadable firewall modules |
*/ |
|
#define FW_QUEUE 0 |
#define FW_BLOCK 1 |
#define FW_ACCEPT 2 |
#define FW_REJECT (-1) |
#define FW_REDIRECT 3 |
#define FW_MASQUERADE 4 |
#define FW_SKIP 5 |
|
struct firewall_ops |
{ |
struct firewall_ops *next; |
int (*fw_forward)(struct firewall_ops *this, int pf, |
struct net_device *dev, void *phdr, void *arg, |
struct sk_buff **pskb); |
int (*fw_input)(struct firewall_ops *this, int pf, |
struct net_device *dev, void *phdr, void *arg, |
struct sk_buff **pskb); |
int (*fw_output)(struct firewall_ops *this, int pf, |
struct net_device *dev, void *phdr, void *arg, |
struct sk_buff **pskb); |
/* These may be NULL. */ |
int (*fw_acct_in)(struct firewall_ops *this, int pf, |
struct net_device *dev, void *phdr, void *arg, |
struct sk_buff **pskb); |
int (*fw_acct_out)(struct firewall_ops *this, int pf, |
struct net_device *dev, void *phdr, void *arg, |
struct sk_buff **pskb); |
}; |
|
extern int register_firewall(int pf, struct firewall_ops *fw); |
extern int unregister_firewall(int pf, struct firewall_ops *fw); |
|
extern int ip_fw_masq_timeouts(void *user, int len); |
#endif /* __LINUX_FIREWALL_H */ |
/ip_nat_helper.h
0,0 → 1,64
#ifndef _IP_NAT_HELPER_H |
#define _IP_NAT_HELPER_H |
/* NAT protocol helper routines. */ |
|
#include <linux/netfilter_ipv4/ip_conntrack.h> |
|
struct sk_buff; |
|
/* Flags */ |
/* NAT helper must be called on every packet (for TCP) */ |
#define IP_NAT_HELPER_F_ALWAYS 0x01 |
/* Standalone NAT helper, without a conntrack part */ |
#define IP_NAT_HELPER_F_STANDALONE 0x02 |
|
struct ip_nat_helper |
{ |
struct list_head list; /* Internal use */ |
|
const char *name; /* name of the module */ |
unsigned char flags; /* Flags (see above) */ |
struct module *me; /* pointer to self */ |
|
/* Mask of things we will help: vs. tuple from server */ |
struct ip_conntrack_tuple tuple; |
struct ip_conntrack_tuple mask; |
|
/* Helper function: returns verdict */ |
unsigned int (*help)(struct ip_conntrack *ct, |
struct ip_conntrack_expect *exp, |
struct ip_nat_info *info, |
enum ip_conntrack_info ctinfo, |
unsigned int hooknum, |
struct sk_buff **pskb); |
|
/* Returns verdict and sets up NAT for this connection */ |
unsigned int (*expect)(struct sk_buff **pskb, |
unsigned int hooknum, |
struct ip_conntrack *ct, |
struct ip_nat_info *info); |
}; |
|
extern struct list_head helpers; |
|
extern int ip_nat_helper_register(struct ip_nat_helper *me); |
extern void ip_nat_helper_unregister(struct ip_nat_helper *me); |
extern int ip_nat_mangle_tcp_packet(struct sk_buff **skb, |
struct ip_conntrack *ct, |
enum ip_conntrack_info ctinfo, |
unsigned int match_offset, |
unsigned int match_len, |
char *rep_buffer, |
unsigned int rep_len); |
extern int ip_nat_mangle_udp_packet(struct sk_buff **skb, |
struct ip_conntrack *ct, |
enum ip_conntrack_info ctinfo, |
unsigned int match_offset, |
unsigned int match_len, |
char *rep_buffer, |
unsigned int rep_len); |
extern int ip_nat_seq_adjust(struct sk_buff *skb, |
struct ip_conntrack *ct, |
enum ip_conntrack_info ctinfo); |
extern void ip_nat_delete_sack(struct sk_buff *skb); |
#endif |
/ip_conntrack.h
0,0 → 1,269
#ifndef _IP_CONNTRACK_H |
#define _IP_CONNTRACK_H |
/* Connection state tracking for netfilter. This is separated from, |
but required by, the NAT layer; it can also be used by an iptables |
extension. */ |
|
#include <linux/config.h> |
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> |
#include <linux/bitops.h> |
#include <asm/atomic.h> |
|
enum ip_conntrack_info |
{ |
/* Part of an established connection (either direction). */ |
IP_CT_ESTABLISHED, |
|
/* Like NEW, but related to an existing connection, or ICMP error |
(in either direction). */ |
IP_CT_RELATED, |
|
/* Started a new connection to track (only |
IP_CT_DIR_ORIGINAL); may be a retransmission. */ |
IP_CT_NEW, |
|
/* >= this indicates reply direction */ |
IP_CT_IS_REPLY, |
|
/* Number of distinct IP_CT types (no NEW in reply dirn). */ |
IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 |
}; |
|
/* Bitset representing status of connection. */ |
enum ip_conntrack_status { |
/* It's an expected connection: bit 0 set. This bit never changed */ |
IPS_EXPECTED_BIT = 0, |
IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), |
|
/* We've seen packets both ways: bit 1 set. Can be set, not unset. */ |
IPS_SEEN_REPLY_BIT = 1, |
IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), |
|
/* Conntrack should never be early-expired. */ |
IPS_ASSURED_BIT = 2, |
IPS_ASSURED = (1 << IPS_ASSURED_BIT), |
|
/* Connection is confirmed: originating packet has left box */ |
IPS_CONFIRMED_BIT = 3, |
IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), |
}; |
|
#include <linux/netfilter_ipv4/ip_conntrack_tcp.h> |
#include <linux/netfilter_ipv4/ip_conntrack_icmp.h> |
|
/* per conntrack: protocol private data */ |
union ip_conntrack_proto { |
/* insert conntrack proto private data here */ |
struct ip_ct_tcp tcp; |
struct ip_ct_icmp icmp; |
}; |
|
union ip_conntrack_expect_proto { |
/* insert expect proto private data here */ |
}; |
|
/* Add protocol helper include file here */ |
#include <linux/netfilter_ipv4/ip_conntrack_amanda.h> |
|
#include <linux/netfilter_ipv4/ip_conntrack_ftp.h> |
#include <linux/netfilter_ipv4/ip_conntrack_irc.h> |
|
/* per expectation: application helper private data */ |
union ip_conntrack_expect_help { |
/* insert conntrack helper private data (expect) here */ |
struct ip_ct_amanda_expect exp_amanda_info; |
struct ip_ct_ftp_expect exp_ftp_info; |
struct ip_ct_irc_expect exp_irc_info; |
|
#ifdef CONFIG_IP_NF_NAT_NEEDED |
union { |
/* insert nat helper private data (expect) here */ |
} nat; |
#endif |
}; |
|
/* per conntrack: application helper private data */ |
union ip_conntrack_help { |
/* insert conntrack helper private data (master) here */ |
struct ip_ct_ftp_master ct_ftp_info; |
struct ip_ct_irc_master ct_irc_info; |
}; |
|
#ifdef CONFIG_IP_NF_NAT_NEEDED |
#include <linux/netfilter_ipv4/ip_nat.h> |
|
/* per conntrack: nat application helper private data */ |
union ip_conntrack_nat_help { |
/* insert nat helper private data here */ |
}; |
#endif |
|
#ifdef __KERNEL__ |
|
#include <linux/types.h> |
#include <linux/skbuff.h> |
|
#ifdef CONFIG_NF_DEBUG |
#define IP_NF_ASSERT(x) \ |
do { \ |
if (!(x)) \ |
/* Wooah! I'm tripping my conntrack in a frenzy of \ |
netplay... */ \ |
printk("NF_IP_ASSERT: %s:%i(%s)\n", \ |
__FILE__, __LINE__, __FUNCTION__); \ |
} while(0) |
#else |
#define IP_NF_ASSERT(x) |
#endif |
|
struct ip_conntrack_expect |
{ |
/* Internal linked list (global expectation list) */ |
struct list_head list; |
|
/* reference count */ |
atomic_t use; |
|
/* expectation list for this master */ |
struct list_head expected_list; |
|
/* The conntrack of the master connection */ |
struct ip_conntrack *expectant; |
|
/* The conntrack of the sibling connection, set after |
* expectation arrived */ |
struct ip_conntrack *sibling; |
|
/* Tuple saved for conntrack */ |
struct ip_conntrack_tuple ct_tuple; |
|
/* Timer function; deletes the expectation. */ |
struct timer_list timeout; |
|
/* Data filled out by the conntrack helpers follow: */ |
|
/* We expect this tuple, with the following mask */ |
struct ip_conntrack_tuple tuple, mask; |
|
/* Function to call after setup and insertion */ |
int (*expectfn)(struct ip_conntrack *new); |
|
/* At which sequence number did this expectation occur */ |
u_int32_t seq; |
|
union ip_conntrack_expect_proto proto; |
|
union ip_conntrack_expect_help help; |
}; |
|
struct ip_conntrack_helper; |
|
struct ip_conntrack |
{ |
/* Usage count in here is 1 for hash table/destruct timer, 1 per skb, |
plus 1 for any connection(s) we are `master' for */ |
struct nf_conntrack ct_general; |
|
/* These are my tuples; original and reply */ |
struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; |
|
/* Have we seen traffic both ways yet? (bitset) */ |
unsigned long status; |
|
/* Timer function; drops refcnt when it goes off. */ |
struct timer_list timeout; |
|
/* If we're expecting another related connection, this will be |
in expected linked list */ |
struct list_head sibling_list; |
|
/* Current number of expected connections */ |
unsigned int expecting; |
|
/* If we were expected by an expectation, this will be it */ |
struct ip_conntrack_expect *master; |
|
/* Helper, if any. */ |
struct ip_conntrack_helper *helper; |
|
/* Our various nf_ct_info structs specify *what* relation this |
packet has to the conntrack */ |
struct nf_ct_info infos[IP_CT_NUMBER]; |
|
/* Storage reserved for other modules: */ |
|
union ip_conntrack_proto proto; |
|
union ip_conntrack_help help; |
|
#ifdef CONFIG_IP_NF_NAT_NEEDED |
struct { |
struct ip_nat_info info; |
union ip_conntrack_nat_help help; |
#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \ |
defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE) |
int masq_index; |
#endif |
} nat; |
#endif /* CONFIG_IP_NF_NAT_NEEDED */ |
|
}; |
|
/* get master conntrack via master expectation */ |
#define master_ct(conntr) (conntr->master ? conntr->master->expectant : NULL) |
|
/* Alter reply tuple (maybe alter helper). If it's already taken, |
return 0 and don't do alteration. */ |
extern int |
ip_conntrack_alter_reply(struct ip_conntrack *conntrack, |
const struct ip_conntrack_tuple *newreply); |
|
/* Is this tuple taken? (ignoring any belonging to the given |
conntrack). */ |
extern int |
ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple, |
const struct ip_conntrack *ignored_conntrack); |
|
/* Return conntrack_info and tuple hash for given skb. */ |
extern struct ip_conntrack * |
ip_conntrack_get(struct sk_buff *skb, enum ip_conntrack_info *ctinfo); |
|
/* decrement reference count on a conntrack */ |
extern inline void ip_conntrack_put(struct ip_conntrack *ct); |
|
/* find unconfirmed expectation based on tuple */ |
struct ip_conntrack_expect * |
ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple); |
|
/* decrement reference count on an expectation */ |
void ip_conntrack_expect_put(struct ip_conntrack_expect *exp); |
|
extern int invert_tuplepr(struct ip_conntrack_tuple *inverse, |
const struct ip_conntrack_tuple *orig); |
|
/* Refresh conntrack for this many jiffies */ |
extern void ip_ct_refresh(struct ip_conntrack *ct, |
unsigned long extra_jiffies); |
|
/* These are for NAT. Icky. */ |
/* Call me when a conntrack is destroyed. */ |
extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack); |
|
/* Returns new sk_buff, or NULL */ |
struct sk_buff * |
ip_ct_gather_frags(struct sk_buff *skb); |
|
/* Delete all conntracks which match. */ |
extern void |
ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data), |
void *data); |
|
/* It's confirmed if it is, or has been in the hash table. */ |
static inline int is_confirmed(struct ip_conntrack *ct) |
{ |
return test_bit(IPS_CONFIRMED_BIT, &ct->status); |
} |
|
extern unsigned int ip_conntrack_htable_size; |
#endif /* __KERNEL__ */ |
#endif /* _IP_CONNTRACK_H */ |
/ipt_pkttype.h
0,0 → 1,8
#ifndef _IPT_PKTTYPE_H |
#define _IPT_PKTTYPE_H |
|
struct ipt_pkttype_info { |
int pkttype; |
int invert; |
}; |
#endif /*_IPT_PKTTYPE_H*/ |
/ipt_tos.h
0,0 → 1,13
#ifndef _IPT_TOS_H |
#define _IPT_TOS_H |
|
struct ipt_tos_info { |
u_int8_t tos; |
u_int8_t invert; |
}; |
|
#ifndef IPTOS_NORMALSVC |
#define IPTOS_NORMALSVC 0 |
#endif |
|
#endif /*_IPT_TOS_H*/ |
/ipt_ECN.h
0,0 → 1,31
/* Header file for iptables ipt_ECN target |
* |
* (C) 2002 by Harald Welte <laforge@gnumonks.org> |
* |
* This software is distributed under GNU GPL v2, 1991 |
* |
* ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp |
*/ |
#ifndef _IPT_ECN_TARGET_H |
#define _IPT_ECN_TARGET_H |
#include <linux/netfilter_ipv4/ipt_DSCP.h> |
|
#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK) |
|
#define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */ |
#define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */ |
#define IPT_ECN_OP_SET_CWR 0x20 /* set CWR bit of TCP header */ |
|
#define IPT_ECN_OP_MASK 0xce |
|
struct ipt_ECN_info { |
u_int8_t operation; /* bitset of operations */ |
u_int8_t ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */ |
union { |
struct { |
u_int8_t ece:1, cwr:1; /* TCP ECT bits */ |
} tcp; |
} proto; |
}; |
|
#endif /* _IPT_ECN_TARGET_H */ |
/ip_conntrack_core.h
0,0 → 1,52
#ifndef _IP_CONNTRACK_CORE_H |
#define _IP_CONNTRACK_CORE_H |
#include <linux/netfilter.h> |
#include <linux/netfilter_ipv4/lockhelp.h> |
|
/* This header is used to share core functionality between the |
standalone connection tracking module, and the compatibility layer's use |
of connection tracking. */ |
extern unsigned int ip_conntrack_in(unsigned int hooknum, |
struct sk_buff **pskb, |
const struct net_device *in, |
const struct net_device *out, |
int (*okfn)(struct sk_buff *)); |
|
extern int ip_conntrack_init(void); |
extern void ip_conntrack_cleanup(void); |
|
struct ip_conntrack_protocol; |
extern struct ip_conntrack_protocol *ip_ct_find_proto(u_int8_t protocol); |
/* Like above, but you already have conntrack read lock. */ |
extern struct ip_conntrack_protocol *__ip_ct_find_proto(u_int8_t protocol); |
extern struct list_head protocol_list; |
|
/* Returns conntrack if it dealt with ICMP, and filled in skb->nfct */ |
extern struct ip_conntrack *icmp_error_track(struct sk_buff *skb, |
enum ip_conntrack_info *ctinfo, |
unsigned int hooknum); |
extern int get_tuple(const struct iphdr *iph, size_t len, |
struct ip_conntrack_tuple *tuple, |
struct ip_conntrack_protocol *protocol); |
|
/* Find a connection corresponding to a tuple. */ |
struct ip_conntrack_tuple_hash * |
ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple, |
const struct ip_conntrack *ignored_conntrack); |
|
extern int __ip_conntrack_confirm(struct nf_ct_info *nfct); |
|
/* Confirm a connection: returns NF_DROP if packet must be dropped. */ |
static inline int ip_conntrack_confirm(struct sk_buff *skb) |
{ |
if (skb->nfct |
&& !is_confirmed((struct ip_conntrack *)skb->nfct->master)) |
return __ip_conntrack_confirm(skb->nfct); |
return NF_ACCEPT; |
} |
|
extern struct list_head *ip_conntrack_hash; |
extern struct list_head ip_conntrack_expect_list; |
DECLARE_RWLOCK_EXTERN(ip_conntrack_lock); |
#endif /* _IP_CONNTRACK_CORE_H */ |
|
/ipt_ULOG.h
0,0 → 1,46
/* Header file for IP tables userspace logging, Version 1.8 |
* |
* (C) 2000-2002 by Harald Welte <laforge@gnumonks.org> |
* |
* Distributed under the terms of GNU GPL */ |
|
#ifndef _IPT_ULOG_H |
#define _IPT_ULOG_H |
|
#ifndef NETLINK_NFLOG |
#define NETLINK_NFLOG 5 |
#endif |
|
#define ULOG_MAC_LEN 80 |
#define ULOG_PREFIX_LEN 32 |
|
#define ULOG_MAX_QLEN 50 |
/* Why 50? Well... there is a limit imposed by the slab cache 131000 |
* bytes. So the multipart netlink-message has to be < 131000 bytes. |
* Assuming a standard ethernet-mtu of 1500, we could define this up |
* to 80... but even 50 seems to be big enough. */ |
|
/* private data structure for each rule with a ULOG target */ |
struct ipt_ulog_info { |
unsigned int nl_group; |
size_t copy_range; |
size_t qthreshold; |
char prefix[ULOG_PREFIX_LEN]; |
}; |
|
/* Format of the ULOG packets passed through netlink */ |
typedef struct ulog_packet_msg { |
unsigned long mark; |
long timestamp_sec; |
long timestamp_usec; |
unsigned int hook; |
char indev_name[IFNAMSIZ]; |
char outdev_name[IFNAMSIZ]; |
size_t data_len; |
char prefix[ULOG_PREFIX_LEN]; |
unsigned char mac_len; |
unsigned char mac[ULOG_MAC_LEN]; |
unsigned char payload[0]; |
} ulog_packet_msg_t; |
|
#endif /*_IPT_ULOG_H*/ |
/ip_conntrack_ftp.h
0,0 → 1,48
#ifndef _IP_CONNTRACK_FTP_H |
#define _IP_CONNTRACK_FTP_H |
/* FTP tracking. */ |
|
#ifdef __KERNEL__ |
|
#include <linux/netfilter_ipv4/lockhelp.h> |
|
/* Protects ftp part of conntracks */ |
DECLARE_LOCK_EXTERN(ip_ftp_lock); |
|
#define FTP_PORT 21 |
|
#endif /* __KERNEL__ */ |
|
enum ip_ct_ftp_type |
{ |
/* PORT command from client */ |
IP_CT_FTP_PORT, |
/* PASV response from server */ |
IP_CT_FTP_PASV, |
/* EPRT command from client */ |
IP_CT_FTP_EPRT, |
/* EPSV response from server */ |
IP_CT_FTP_EPSV, |
}; |
|
/* This structure is per expected connection */ |
struct ip_ct_ftp_expect |
{ |
/* We record seq number and length of ftp ip/port text here: all in |
* host order. */ |
|
/* sequence number of IP address in packet is in ip_conntrack_expect */ |
u_int32_t len; /* length of IP address */ |
enum ip_ct_ftp_type ftptype; /* PORT or PASV ? */ |
u_int16_t port; /* TCP port that was to be used */ |
}; |
|
/* This structure exists only once per master */ |
struct ip_ct_ftp_master { |
/* Next valid seq position for cmd matching after newline */ |
u_int32_t seq_aft_nl[IP_CT_DIR_MAX]; |
/* 0 means seq_match_aft_nl not set */ |
int seq_aft_nl_set[IP_CT_DIR_MAX]; |
}; |
|
#endif /* _IP_CONNTRACK_FTP_H */ |
/ip_conntrack_tuple.h
0,0 → 1,139
#ifndef _IP_CONNTRACK_TUPLE_H |
#define _IP_CONNTRACK_TUPLE_H |
|
/* A `tuple' is a structure containing the information to uniquely |
identify a connection. ie. if two packets have the same tuple, they |
are in the same connection; if not, they are not. |
|
We divide the structure along "manipulatable" and |
"non-manipulatable" lines, for the benefit of the NAT code. |
*/ |
|
/* The protocol-specific manipulable parts of the tuple: always in |
network order! */ |
union ip_conntrack_manip_proto |
{ |
/* Add other protocols here. */ |
u_int16_t all; |
|
struct { |
u_int16_t port; |
} tcp; |
struct { |
u_int16_t port; |
} udp; |
struct { |
u_int16_t id; |
} icmp; |
}; |
|
/* The manipulable part of the tuple. */ |
struct ip_conntrack_manip |
{ |
u_int32_t ip; |
union ip_conntrack_manip_proto u; |
}; |
|
/* This contains the information to distinguish a connection. */ |
struct ip_conntrack_tuple |
{ |
struct ip_conntrack_manip src; |
|
/* These are the parts of the tuple which are fixed. */ |
struct { |
u_int32_t ip; |
union { |
/* Add other protocols here. */ |
u_int16_t all; |
|
struct { |
u_int16_t port; |
} tcp; |
struct { |
u_int16_t port; |
} udp; |
struct { |
u_int8_t type, code; |
} icmp; |
} u; |
|
/* The protocol. */ |
u_int16_t protonum; |
} dst; |
}; |
|
/* This is optimized opposed to a memset of the whole structure. Everything we |
* really care about is the source/destination unions */ |
#define IP_CT_TUPLE_U_BLANK(tuple) \ |
do { \ |
(tuple)->src.u.all = 0; \ |
(tuple)->dst.u.all = 0; \ |
} while (0) |
|
enum ip_conntrack_dir |
{ |
IP_CT_DIR_ORIGINAL, |
IP_CT_DIR_REPLY, |
IP_CT_DIR_MAX |
}; |
|
#ifdef __KERNEL__ |
|
#define DUMP_TUPLE(tp) \ |
DEBUGP("tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n", \ |
(tp), (tp)->dst.protonum, \ |
NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all), \ |
NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all)) |
|
#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL) |
|
/* If we're the first tuple, it's the original dir. */ |
#define DIRECTION(h) ((enum ip_conntrack_dir)(&(h)->ctrack->tuplehash[1] == (h))) |
|
/* Connections have two entries in the hash table: one for each way */ |
struct ip_conntrack_tuple_hash |
{ |
struct list_head list; |
|
struct ip_conntrack_tuple tuple; |
|
/* this == &ctrack->tuplehash[DIRECTION(this)]. */ |
struct ip_conntrack *ctrack; |
}; |
|
#endif /* __KERNEL__ */ |
|
static inline int ip_ct_tuple_src_equal(const struct ip_conntrack_tuple *t1, |
const struct ip_conntrack_tuple *t2) |
{ |
return t1->src.ip == t2->src.ip |
&& t1->src.u.all == t2->src.u.all; |
} |
|
static inline int ip_ct_tuple_dst_equal(const struct ip_conntrack_tuple *t1, |
const struct ip_conntrack_tuple *t2) |
{ |
return t1->dst.ip == t2->dst.ip |
&& t1->dst.u.all == t2->dst.u.all |
&& t1->dst.protonum == t2->dst.protonum; |
} |
|
static inline int ip_ct_tuple_equal(const struct ip_conntrack_tuple *t1, |
const struct ip_conntrack_tuple *t2) |
{ |
return ip_ct_tuple_src_equal(t1, t2) && ip_ct_tuple_dst_equal(t1, t2); |
} |
|
static inline int ip_ct_tuple_mask_cmp(const struct ip_conntrack_tuple *t, |
const struct ip_conntrack_tuple *tuple, |
const struct ip_conntrack_tuple *mask) |
{ |
return !(((t->src.ip ^ tuple->src.ip) & mask->src.ip) |
|| ((t->dst.ip ^ tuple->dst.ip) & mask->dst.ip) |
|| ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all) |
|| ((t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all) |
|| ((t->dst.protonum ^ tuple->dst.protonum) |
& mask->dst.protonum)); |
} |
|
#endif /* _IP_CONNTRACK_TUPLE_H */ |
/listhelp.h
0,0 → 1,125
#ifndef _LISTHELP_H |
#define _LISTHELP_H |
#include <linux/config.h> |
#include <linux/list.h> |
#include <linux/netfilter_ipv4/lockhelp.h> |
|
/* Header to do more comprehensive job than linux/list.h; assume list |
is first entry in structure. */ |
|
/* Return pointer to first true entry, if any, or NULL. A macro |
required to allow inlining of cmpfn. */ |
#define LIST_FIND(head, cmpfn, type, args...) \ |
({ \ |
const struct list_head *__i, *__j = NULL; \ |
\ |
ASSERT_READ_LOCK(head); \ |
list_for_each(__i, (head)) \ |
if (cmpfn((const type)__i , ## args)) { \ |
__j = __i; \ |
break; \ |
} \ |
(type)__j; \ |
}) |
|
#define LIST_FIND_W(head, cmpfn, type, args...) \ |
({ \ |
const struct list_head *__i, *__j = NULL; \ |
\ |
ASSERT_WRITE_LOCK(head); \ |
list_for_each(__i, (head)) \ |
if (cmpfn((type)__i , ## args)) { \ |
__j = __i; \ |
break; \ |
} \ |
(type)__j; \ |
}) |
|
/* Just like LIST_FIND but we search backwards */ |
#define LIST_FIND_B(head, cmpfn, type, args...) \ |
({ \ |
const struct list_head *__i, *__j = NULL; \ |
\ |
ASSERT_READ_LOCK(head); \ |
list_for_each_prev(__i, (head)) \ |
if (cmpfn((const type)__i , ## args)) { \ |
__j = __i; \ |
break; \ |
} \ |
(type)__j; \ |
}) |
|
static inline int |
__list_cmp_same(const void *p1, const void *p2) { return p1 == p2; } |
|
/* Is this entry in the list? */ |
static inline int |
list_inlist(struct list_head *head, const void *entry) |
{ |
return LIST_FIND(head, __list_cmp_same, void *, entry) != NULL; |
} |
|
/* Delete from list. */ |
#ifdef CONFIG_NETFILTER_DEBUG |
#define LIST_DELETE(head, oldentry) \ |
do { \ |
ASSERT_WRITE_LOCK(head); \ |
if (!list_inlist(head, oldentry)) \ |
printk("LIST_DELETE: %s:%u `%s'(%p) not in %s.\n", \ |
__FILE__, __LINE__, #oldentry, oldentry, #head); \ |
else list_del((struct list_head *)oldentry); \ |
} while(0) |
#else |
#define LIST_DELETE(head, oldentry) list_del((struct list_head *)oldentry) |
#endif |
|
/* Append. */ |
static inline void |
list_append(struct list_head *head, void *new) |
{ |
ASSERT_WRITE_LOCK(head); |
list_add((new), (head)->prev); |
} |
|
/* Prepend. */ |
static inline void |
list_prepend(struct list_head *head, void *new) |
{ |
ASSERT_WRITE_LOCK(head); |
list_add(new, head); |
} |
|
/* Insert according to ordering function; insert before first true. */ |
#define LIST_INSERT(head, new, cmpfn) \ |
do { \ |
struct list_head *__i; \ |
ASSERT_WRITE_LOCK(head); \ |
list_for_each(__i, (head)) \ |
if ((new), (typeof (new))__i) \ |
break; \ |
list_add((struct list_head *)(new), __i->prev); \ |
} while(0) |
|
/* If the field after the list_head is a nul-terminated string, you |
can use these functions. */ |
static inline int __list_cmp_name(const void *i, const char *name) |
{ |
return strcmp(name, i+sizeof(struct list_head)) == 0; |
} |
|
/* Returns false if same name already in list, otherwise does insert. */ |
static inline int |
list_named_insert(struct list_head *head, void *new) |
{ |
if (LIST_FIND(head, __list_cmp_name, void *, |
new + sizeof(struct list_head))) |
return 0; |
list_prepend(head, new); |
return 1; |
} |
|
/* Find this named element in the list. */ |
#define list_named_find(head, name) \ |
LIST_FIND(head, __list_cmp_name, void *, name) |
|
#endif /*_LISTHELP_H*/ |
/ipt_tcpmss.h
0,0 → 1,9
#ifndef _IPT_TCPMSS_MATCH_H |
#define _IPT_TCPMSS_MATCH_H |
|
struct ipt_tcpmss_match_info { |
u_int16_t mss_min, mss_max; |
u_int8_t invert; |
}; |
|
#endif /*_IPT_TCPMSS_MATCH_H*/ |
/ipt_TCPMSS.h
0,0 → 1,10
#ifndef _IPT_TCPMSS_H |
#define _IPT_TCPMSS_H |
|
struct ipt_tcpmss_info { |
u_int16_t mss; |
}; |
|
#define IPT_TCPMSS_CLAMP_PMTU 0xffff |
|
#endif /*_IPT_TCPMSS_H*/ |
/ip_conntrack_protocol.h
0,0 → 1,65
/* Header for use in defining a given protocol for connection tracking. */ |
#ifndef _IP_CONNTRACK_PROTOCOL_H |
#define _IP_CONNTRACK_PROTOCOL_H |
#include <linux/netfilter_ipv4/ip_conntrack.h> |
|
struct ip_conntrack_protocol |
{ |
/* Next pointer. */ |
struct list_head list; |
|
/* Protocol number. */ |
u_int8_t proto; |
|
/* Protocol name */ |
const char *name; |
|
/* Try to fill in the third arg; return true if possible. */ |
int (*pkt_to_tuple)(const void *datah, size_t datalen, |
struct ip_conntrack_tuple *tuple); |
|
/* Invert the per-proto part of the tuple: ie. turn xmit into reply. |
* Some packets can't be inverted: return 0 in that case. |
*/ |
int (*invert_tuple)(struct ip_conntrack_tuple *inverse, |
const struct ip_conntrack_tuple *orig); |
|
/* Print out the per-protocol part of the tuple. */ |
unsigned int (*print_tuple)(char *buffer, |
const struct ip_conntrack_tuple *); |
|
/* Print out the private part of the conntrack. */ |
unsigned int (*print_conntrack)(char *buffer, |
const struct ip_conntrack *); |
|
/* Returns verdict for packet, or -1 for invalid. */ |
int (*packet)(struct ip_conntrack *conntrack, |
struct iphdr *iph, size_t len, |
enum ip_conntrack_info ctinfo); |
|
/* Called when a new connection for this protocol found; |
* returns TRUE if it's OK. If so, packet() called next. */ |
int (*new)(struct ip_conntrack *conntrack, struct iphdr *iph, |
size_t len); |
|
/* Called when a conntrack entry is destroyed */ |
void (*destroy)(struct ip_conntrack *conntrack); |
|
/* Has to decide if a expectation matches one packet or not */ |
int (*exp_matches_pkt)(struct ip_conntrack_expect *exp, |
struct sk_buff **pskb); |
|
/* Module (if any) which this is connected to. */ |
struct module *me; |
}; |
|
/* Protocol registration. */ |
extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto); |
extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto); |
|
/* Existing built-in protocols */ |
extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp; |
extern struct ip_conntrack_protocol ip_conntrack_protocol_udp; |
extern struct ip_conntrack_protocol ip_conntrack_protocol_icmp; |
extern int ip_conntrack_protocol_tcp_init(void); |
#endif /*_IP_CONNTRACK_PROTOCOL_H*/ |
/ipt_length.h
0,0 → 1,9
#ifndef _IPT_LENGTH_H |
#define _IPT_LENGTH_H |
|
struct ipt_length_info { |
u_int16_t min, max; |
u_int8_t invert; |
}; |
|
#endif /*_IPT_LENGTH_H*/ |
/ipt_LOG.h
0,0 → 1,15
#ifndef _IPT_LOG_H |
#define _IPT_LOG_H |
|
#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ |
#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */ |
#define IPT_LOG_IPOPT 0x04 /* Log IP options */ |
#define IPT_LOG_MASK 0x07 |
|
struct ipt_log_info { |
unsigned char level; |
unsigned char logflags; |
char prefix[30]; |
}; |
|
#endif /*_IPT_LOG_H*/ |
/ipt_conntrack.h
0,0 → 1,38
/* Header file for kernel module to match connection tracking information. |
* GPL (C) 2001 Marc Boucher (marc@mbsi.ca). |
*/ |
|
#ifndef _IPT_CONNTRACK_H |
#define _IPT_CONNTRACK_H |
|
#define IPT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) |
#define IPT_CONNTRACK_STATE_INVALID (1 << 0) |
|
#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1)) |
#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2)) |
|
/* flags, invflags: */ |
#define IPT_CONNTRACK_STATE 0x01 |
#define IPT_CONNTRACK_PROTO 0x02 |
#define IPT_CONNTRACK_ORIGSRC 0x04 |
#define IPT_CONNTRACK_ORIGDST 0x08 |
#define IPT_CONNTRACK_REPLSRC 0x10 |
#define IPT_CONNTRACK_REPLDST 0x20 |
#define IPT_CONNTRACK_STATUS 0x40 |
#define IPT_CONNTRACK_EXPIRES 0x80 |
|
struct ipt_conntrack_info |
{ |
unsigned int statemask, statusmask; |
|
struct ip_conntrack_tuple tuple[IP_CT_DIR_MAX]; |
struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX]; |
|
unsigned long expires_min, expires_max; |
|
/* Flags word */ |
u_int8_t flags; |
/* Inverse flags */ |
u_int8_t invflags; |
}; |
#endif /*_IPT_CONNTRACK_H*/ |
/ip_nat_rule.h
0,0 → 1,23
#ifndef _IP_NAT_RULE_H |
#define _IP_NAT_RULE_H |
#include <linux/netfilter_ipv4/ip_conntrack.h> |
#include <linux/netfilter_ipv4/ip_tables.h> |
#include <linux/netfilter_ipv4/ip_nat.h> |
|
#ifdef __KERNEL__ |
|
extern int ip_nat_rule_init(void) __init; |
extern void ip_nat_rule_cleanup(void); |
extern int ip_nat_rule_find(struct sk_buff **pskb, |
unsigned int hooknum, |
const struct net_device *in, |
const struct net_device *out, |
struct ip_conntrack *ct, |
struct ip_nat_info *info); |
|
extern unsigned int |
alloc_null_binding(struct ip_conntrack *conntrack, |
struct ip_nat_info *info, |
unsigned int hooknum); |
#endif |
#endif /* _IP_NAT_RULE_H */ |
/ip_tables.h
0,0 → 1,447
/* |
* 25-Jul-1998 Major changes to allow for ip chain table |
* |
* 3-Jan-2000 Named tables to allow packet selection for different uses. |
*/ |
|
/* |
* Format of an IP firewall descriptor |
* |
* src, dst, src_mask, dst_mask are always stored in network byte order. |
* flags are stored in host byte order (of course). |
* Port numbers are stored in HOST byte order. |
*/ |
|
#ifndef _IPTABLES_H |
#define _IPTABLES_H |
|
#ifdef __KERNEL__ |
#include <linux/if.h> |
#include <linux/types.h> |
#include <linux/in.h> |
#include <linux/ip.h> |
#include <linux/skbuff.h> |
#endif |
#include <linux/netfilter_ipv4.h> |
|
#define IPT_FUNCTION_MAXNAMELEN 30 |
#define IPT_TABLE_MAXNAMELEN 32 |
|
/* Yes, Virginia, you have to zero the padding. */ |
struct ipt_ip { |
/* Source and destination IP addr */ |
struct in_addr src, dst; |
/* Mask for src and dest IP addr */ |
struct in_addr smsk, dmsk; |
char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; |
unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; |
|
/* Protocol, 0 = ANY */ |
u_int16_t proto; |
|
/* Flags word */ |
u_int8_t flags; |
/* Inverse flags */ |
u_int8_t invflags; |
}; |
|
struct ipt_entry_match |
{ |
union { |
struct { |
u_int16_t match_size; |
|
/* Used by userspace */ |
char name[IPT_FUNCTION_MAXNAMELEN]; |
} user; |
struct { |
u_int16_t match_size; |
|
/* Used inside the kernel */ |
struct ipt_match *match; |
} kernel; |
|
/* Total length */ |
u_int16_t match_size; |
} u; |
|
unsigned char data[0]; |
}; |
|
struct ipt_entry_target |
{ |
union { |
struct { |
u_int16_t target_size; |
|
/* Used by userspace */ |
char name[IPT_FUNCTION_MAXNAMELEN]; |
} user; |
struct { |
u_int16_t target_size; |
|
/* Used inside the kernel */ |
struct ipt_target *target; |
} kernel; |
|
/* Total length */ |
u_int16_t target_size; |
} u; |
|
unsigned char data[0]; |
}; |
|
struct ipt_standard_target |
{ |
struct ipt_entry_target target; |
int verdict; |
}; |
|
struct ipt_counters |
{ |
u_int64_t pcnt, bcnt; /* Packet and byte counters */ |
}; |
|
/* Values for "flag" field in struct ipt_ip (general ip structure). */ |
#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ |
#define IPT_F_MASK 0x01 /* All possible flag bits mask. */ |
|
/* Values for "inv" field in struct ipt_ip. */ |
#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ |
#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ |
#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */ |
#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ |
#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ |
#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */ |
#define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ |
#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */ |
|
/* This structure defines each of the firewall rules. Consists of 3 |
parts which are 1) general IP header stuff 2) match specific |
stuff 3) the target to perform if the rule matches */ |
struct ipt_entry |
{ |
struct ipt_ip ip; |
|
/* Mark with fields that we care about. */ |
unsigned int nfcache; |
|
/* Size of ipt_entry + matches */ |
u_int16_t target_offset; |
/* Size of ipt_entry + matches + target */ |
u_int16_t next_offset; |
|
/* Back pointer */ |
unsigned int comefrom; |
|
/* Packet and byte counters. */ |
struct ipt_counters counters; |
|
/* The matches (if any), then the target. */ |
unsigned char elems[0]; |
}; |
|
/* |
* New IP firewall options for [gs]etsockopt at the RAW IP level. |
* Unlike BSD Linux inherits IP options so you don't have to use a raw |
* socket for this. Instead we check rights in the calls. */ |
#define IPT_BASE_CTL 64 /* base for firewall socket options */ |
|
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL) |
#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) |
#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS |
|
#define IPT_SO_GET_INFO (IPT_BASE_CTL) |
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) |
#define IPT_SO_GET_MAX IPT_SO_GET_ENTRIES |
|
/* CONTINUE verdict for targets */ |
#define IPT_CONTINUE 0xFFFFFFFF |
|
/* For standard target */ |
#define IPT_RETURN (-NF_MAX_VERDICT - 1) |
|
/* TCP matching stuff */ |
struct ipt_tcp |
{ |
u_int16_t spts[2]; /* Source port range. */ |
u_int16_t dpts[2]; /* Destination port range. */ |
u_int8_t option; /* TCP Option iff non-zero*/ |
u_int8_t flg_mask; /* TCP flags mask byte */ |
u_int8_t flg_cmp; /* TCP flags compare byte */ |
u_int8_t invflags; /* Inverse flags */ |
}; |
|
/* Values for "inv" field in struct ipt_tcp. */ |
#define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ |
#define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ |
#define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */ |
#define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */ |
#define IPT_TCP_INV_MASK 0x0F /* All possible flags. */ |
|
/* UDP matching stuff */ |
struct ipt_udp |
{ |
u_int16_t spts[2]; /* Source port range. */ |
u_int16_t dpts[2]; /* Destination port range. */ |
u_int8_t invflags; /* Inverse flags */ |
}; |
|
/* Values for "invflags" field in struct ipt_udp. */ |
#define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ |
#define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ |
#define IPT_UDP_INV_MASK 0x03 /* All possible flags. */ |
|
/* ICMP matching stuff */ |
struct ipt_icmp |
{ |
u_int8_t type; /* type to match */ |
u_int8_t code[2]; /* range of code */ |
u_int8_t invflags; /* Inverse flags */ |
}; |
|
/* Values for "inv" field for struct ipt_icmp. */ |
#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */ |
|
/* The argument to IPT_SO_GET_INFO */ |
struct ipt_getinfo |
{ |
/* Which table: caller fills this in. */ |
char name[IPT_TABLE_MAXNAMELEN]; |
|
/* Kernel fills these in. */ |
/* Which hook entry points are valid: bitmask */ |
unsigned int valid_hooks; |
|
/* Hook entry points: one per netfilter hook. */ |
unsigned int hook_entry[NF_IP_NUMHOOKS]; |
|
/* Underflow points. */ |
unsigned int underflow[NF_IP_NUMHOOKS]; |
|
/* Number of entries */ |
unsigned int num_entries; |
|
/* Size of entries. */ |
unsigned int size; |
}; |
|
/* The argument to IPT_SO_SET_REPLACE. */ |
struct ipt_replace |
{ |
/* Which table. */ |
char name[IPT_TABLE_MAXNAMELEN]; |
|
/* Which hook entry points are valid: bitmask. You can't |
change this. */ |
unsigned int valid_hooks; |
|
/* Number of entries */ |
unsigned int num_entries; |
|
/* Total size of new entries */ |
unsigned int size; |
|
/* Hook entry points. */ |
unsigned int hook_entry[NF_IP_NUMHOOKS]; |
|
/* Underflow points. */ |
unsigned int underflow[NF_IP_NUMHOOKS]; |
|
/* Information about old entries: */ |
/* Number of counters (must be equal to current number of entries). */ |
unsigned int num_counters; |
/* The old entries' counters. */ |
struct ipt_counters *counters; |
|
/* The entries (hang off end: not really an array). */ |
struct ipt_entry entries[0]; |
}; |
|
/* The argument to IPT_SO_ADD_COUNTERS. */ |
struct ipt_counters_info |
{ |
/* Which table. */ |
char name[IPT_TABLE_MAXNAMELEN]; |
|
unsigned int num_counters; |
|
/* The counters (actually `number' of these). */ |
struct ipt_counters counters[0]; |
}; |
|
/* The argument to IPT_SO_GET_ENTRIES. */ |
struct ipt_get_entries |
{ |
/* Which table: user fills this in. */ |
char name[IPT_TABLE_MAXNAMELEN]; |
|
/* User fills this in: total entry size. */ |
unsigned int size; |
|
/* The entries. */ |
struct ipt_entry entrytable[0]; |
}; |
|
/* Standard return verdict, or do jump. */ |
#define IPT_STANDARD_TARGET "" |
/* Error verdict. */ |
#define IPT_ERROR_TARGET "ERROR" |
|
/* Helper functions */ |
static __inline__ struct ipt_entry_target * |
ipt_get_target(struct ipt_entry *e) |
{ |
return (void *)e + e->target_offset; |
} |
|
/* fn returns 0 to continue iteration */ |
#define IPT_MATCH_ITERATE(e, fn, args...) \ |
({ \ |
unsigned int __i; \ |
int __ret = 0; \ |
struct ipt_entry_match *__match; \ |
\ |
for (__i = sizeof(struct ipt_entry); \ |
__i < (e)->target_offset; \ |
__i += __match->u.match_size) { \ |
__match = (void *)(e) + __i; \ |
\ |
__ret = fn(__match , ## args); \ |
if (__ret != 0) \ |
break; \ |
} \ |
__ret; \ |
}) |
|
/* fn returns 0 to continue iteration */ |
#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ |
({ \ |
unsigned int __i; \ |
int __ret = 0; \ |
struct ipt_entry *__entry; \ |
\ |
for (__i = 0; __i < (size); __i += __entry->next_offset) { \ |
__entry = (void *)(entries) + __i; \ |
\ |
__ret = fn(__entry , ## args); \ |
if (__ret != 0) \ |
break; \ |
} \ |
__ret; \ |
}) |
|
/* |
* Main firewall chains definitions and global var's definitions. |
*/ |
#ifdef __KERNEL__ |
|
#include <linux/init.h> |
extern void ipt_init(void) __init; |
|
struct ipt_match |
{ |
struct list_head list; |
|
const char name[IPT_FUNCTION_MAXNAMELEN]; |
|
/* Return true or false: return FALSE and set *hotdrop = 1 to |
force immediate packet drop. */ |
int (*match)(const struct sk_buff *skb, |
const struct net_device *in, |
const struct net_device *out, |
const void *matchinfo, |
int offset, |
const void *hdr, |
u_int16_t datalen, |
int *hotdrop); |
|
/* Called when user tries to insert an entry of this type. */ |
/* Should return true or false. */ |
int (*checkentry)(const char *tablename, |
const struct ipt_ip *ip, |
void *matchinfo, |
unsigned int matchinfosize, |
unsigned int hook_mask); |
|
/* Called when entry of this type deleted. */ |
void (*destroy)(void *matchinfo, unsigned int matchinfosize); |
|
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
struct module *me; |
}; |
|
/* Registration hooks for targets. */ |
struct ipt_target |
{ |
struct list_head list; |
|
const char name[IPT_FUNCTION_MAXNAMELEN]; |
|
/* Returns verdict. */ |
unsigned int (*target)(struct sk_buff **pskb, |
unsigned int hooknum, |
const struct net_device *in, |
const struct net_device *out, |
const void *targinfo, |
void *userdata); |
|
/* Called when user tries to insert an entry of this type: |
hook_mask is a bitmask of hooks from which it can be |
called. */ |
/* Should return true or false. */ |
int (*checkentry)(const char *tablename, |
const struct ipt_entry *e, |
void *targinfo, |
unsigned int targinfosize, |
unsigned int hook_mask); |
|
/* Called when entry of this type deleted. */ |
void (*destroy)(void *targinfo, unsigned int targinfosize); |
|
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
struct module *me; |
}; |
|
extern int ipt_register_target(struct ipt_target *target); |
extern void ipt_unregister_target(struct ipt_target *target); |
|
extern int ipt_register_match(struct ipt_match *match); |
extern void ipt_unregister_match(struct ipt_match *match); |
|
/* Furniture shopping... */ |
struct ipt_table |
{ |
struct list_head list; |
|
/* A unique name... */ |
char name[IPT_TABLE_MAXNAMELEN]; |
|
/* Seed table: copied in register_table */ |
struct ipt_replace *table; |
|
/* What hooks you will enter on */ |
unsigned int valid_hooks; |
|
/* Lock for the curtain */ |
rwlock_t lock; |
|
/* Man behind the curtain... */ |
struct ipt_table_info *private; |
|
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
struct module *me; |
}; |
|
extern int ipt_register_table(struct ipt_table *table); |
extern void ipt_unregister_table(struct ipt_table *table); |
extern unsigned int ipt_do_table(struct sk_buff **pskb, |
unsigned int hook, |
const struct net_device *in, |
const struct net_device *out, |
struct ipt_table *table, |
void *userdata); |
|
#define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1)) |
#endif /*__KERNEL__*/ |
#endif /* _IPTABLES_H */ |
/ipt_dscp.h
0,0 → 1,23
/* iptables module for matching the IPv4 DSCP field |
* |
* (C) 2002 Harald Welte <laforge@gnumonks.org> |
* This software is distributed under GNU GPL v2, 1991 |
* |
* See RFC2474 for a description of the DSCP field within the IP Header. |
* |
* ipt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp |
*/ |
#ifndef _IPT_DSCP_H |
#define _IPT_DSCP_H |
|
#define IPT_DSCP_MASK 0xfc /* 11111100 */ |
#define IPT_DSCP_SHIFT 2 |
#define IPT_DSCP_MAX 0x3f /* 00111111 */ |
|
/* match info */ |
struct ipt_dscp_info { |
u_int8_t dscp; |
u_int8_t invert; |
}; |
|
#endif /* _IPT_DSCP_H */ |
/ipt_DSCP.h
0,0 → 1,20
/* iptables module for setting the IPv4 DSCP field |
* |
* (C) 2002 Harald Welte <laforge@gnumonks.org> |
* based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com> |
* This software is distributed under GNU GPL v2, 1991 |
* |
* See RFC2474 for a description of the DSCP field within the IP Header. |
* |
* ipt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp |
*/ |
#ifndef _IPT_DSCP_TARGET_H |
#define _IPT_DSCP_TARGET_H |
#include <linux/netfilter_ipv4/ipt_dscp.h> |
|
/* target info */ |
struct ipt_DSCP_info { |
u_int8_t dscp; |
}; |
|
#endif /* _IPT_DSCP_TARGET_H */ |
/ipt_mark.h
0,0 → 1,9
#ifndef _IPT_MARK_H |
#define _IPT_MARK_H |
|
struct ipt_mark_info { |
unsigned long mark, mask; |
u_int8_t invert; |
}; |
|
#endif /*_IPT_MARK_H*/ |
/ipt_MARK.h
0,0 → 1,8
#ifndef _IPT_MARK_H_target |
#define _IPT_MARK_H_target |
|
struct ipt_mark_target_info { |
unsigned long mark; |
}; |
|
#endif /*_IPT_MARK_H_target*/ |
/ip_conntrack_helper.h
0,0 → 1,45
/* IP connection tracking helpers. */ |
#ifndef _IP_CONNTRACK_HELPER_H |
#define _IP_CONNTRACK_HELPER_H |
#include <linux/netfilter_ipv4/ip_conntrack.h> |
|
struct module; |
|
/* Reuse expectation when max_expected reached */ |
#define IP_CT_HELPER_F_REUSE_EXPECT 0x01 |
|
struct ip_conntrack_helper |
{ |
struct list_head list; /* Internal use. */ |
|
const char *name; /* name of the module */ |
unsigned char flags; /* Flags (see above) */ |
struct module *me; /* pointer to self */ |
unsigned int max_expected; /* Maximum number of concurrent |
* expected connections */ |
unsigned int timeout; /* timeout for expecteds */ |
|
/* Mask of things we will help (compared against server response) */ |
struct ip_conntrack_tuple tuple; |
struct ip_conntrack_tuple mask; |
|
/* Function to call when data passes; return verdict, or -1 to |
invalidate. */ |
int (*help)(const struct iphdr *, size_t len, |
struct ip_conntrack *ct, |
enum ip_conntrack_info conntrackinfo); |
}; |
|
extern int ip_conntrack_helper_register(struct ip_conntrack_helper *); |
extern void ip_conntrack_helper_unregister(struct ip_conntrack_helper *); |
|
extern struct ip_conntrack_helper *ip_ct_find_helper(const struct ip_conntrack_tuple *tuple); |
|
/* Add an expected connection: can have more than one per connection */ |
extern int ip_conntrack_expect_related(struct ip_conntrack *related_to, |
struct ip_conntrack_expect *exp); |
extern int ip_conntrack_change_expect(struct ip_conntrack_expect *expect, |
struct ip_conntrack_tuple *newtuple); |
extern void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp); |
|
#endif /*_IP_CONNTRACK_HELPER_H*/ |
/ip_nat.h
0,0 → 1,130
#ifndef _IP_NAT_H |
#define _IP_NAT_H |
#include <linux/netfilter_ipv4.h> |
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> |
|
#define IP_NAT_MAPPING_TYPE_MAX_NAMELEN 16 |
|
enum ip_nat_manip_type |
{ |
IP_NAT_MANIP_SRC, |
IP_NAT_MANIP_DST |
}; |
|
#ifndef CONFIG_IP_NF_NAT_LOCAL |
/* SRC manip occurs only on POST_ROUTING */ |
#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING) |
#else |
/* SRC manip occurs POST_ROUTING or LOCAL_IN */ |
#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN) |
#endif |
|
/* 2.3.19 (I hope) will define this in linux/netfilter_ipv4.h. */ |
#ifndef SO_ORIGINAL_DST |
#define SO_ORIGINAL_DST 80 |
#endif |
|
#define IP_NAT_RANGE_MAP_IPS 1 |
#define IP_NAT_RANGE_PROTO_SPECIFIED 2 |
/* Used internally by get_unique_tuple(). */ |
#define IP_NAT_RANGE_FULL 4 |
|
/* NAT sequence number modifications */ |
struct ip_nat_seq { |
/* position of the last TCP sequence number |
* modification (if any) */ |
u_int32_t correction_pos; |
/* sequence number offset before and after last modification */ |
int32_t offset_before, offset_after; |
}; |
|
/* Single range specification. */ |
struct ip_nat_range |
{ |
/* Set to OR of flags above. */ |
unsigned int flags; |
|
/* Inclusive: network order. */ |
u_int32_t min_ip, max_ip; |
|
/* Inclusive: network order */ |
union ip_conntrack_manip_proto min, max; |
}; |
|
/* A range consists of an array of 1 or more ip_nat_range */ |
struct ip_nat_multi_range |
{ |
unsigned int rangesize; |
|
/* hangs off end. */ |
struct ip_nat_range range[1]; |
}; |
|
/* Worst case: local-out manip + 1 post-routing, and reverse dirn. */ |
#define IP_NAT_MAX_MANIPS (2*3) |
|
struct ip_nat_info_manip |
{ |
/* The direction. */ |
u_int8_t direction; |
|
/* Which hook the manipulation happens on. */ |
u_int8_t hooknum; |
|
/* The manipulation type. */ |
u_int8_t maniptype; |
|
/* Manipulations to occur at each conntrack in this dirn. */ |
struct ip_conntrack_manip manip; |
}; |
|
#ifdef __KERNEL__ |
#include <linux/list.h> |
#include <linux/netfilter_ipv4/lockhelp.h> |
|
/* Protects NAT hash tables, and NAT-private part of conntracks. */ |
DECLARE_RWLOCK_EXTERN(ip_nat_lock); |
|
/* Hashes for by-source and IP/protocol. */ |
struct ip_nat_hash |
{ |
struct list_head list; |
|
/* conntrack we're embedded in: NULL if not in hash. */ |
struct ip_conntrack *conntrack; |
}; |
|
/* The structure embedded in the conntrack structure. */ |
struct ip_nat_info |
{ |
/* Set to zero when conntrack created: bitmask of maniptypes */ |
int initialized; |
|
unsigned int num_manips; |
|
/* Manipulations to be done on this conntrack. */ |
struct ip_nat_info_manip manips[IP_NAT_MAX_MANIPS]; |
|
struct ip_nat_hash bysource, byipsproto; |
|
/* Helper (NULL if none). */ |
struct ip_nat_helper *helper; |
|
struct ip_nat_seq seq[IP_CT_DIR_MAX]; |
}; |
|
/* Set up the info structure to map into this range. */ |
extern unsigned int ip_nat_setup_info(struct ip_conntrack *conntrack, |
const struct ip_nat_multi_range *mr, |
unsigned int hooknum); |
|
/* Is this tuple already taken? (not by us)*/ |
extern int ip_nat_used_tuple(const struct ip_conntrack_tuple *tuple, |
const struct ip_conntrack *ignored_conntrack); |
|
/* Calculate relative checksum. */ |
extern u_int16_t ip_nat_cheat_check(u_int32_t oldvalinv, |
u_int32_t newval, |
u_int16_t oldcheck); |
#endif /*__KERNEL__*/ |
#endif |
/ipt_multiport.h
0,0 → 1,21
#ifndef _IPT_MULTIPORT_H |
#define _IPT_MULTIPORT_H |
#include <linux/netfilter_ipv4/ip_tables.h> |
|
enum ipt_multiport_flags |
{ |
IPT_MULTIPORT_SOURCE, |
IPT_MULTIPORT_DESTINATION, |
IPT_MULTIPORT_EITHER |
}; |
|
#define IPT_MULTI_PORTS 15 |
|
/* Must fit inside union ipt_matchinfo: 16 bytes */ |
struct ipt_multiport |
{ |
u_int8_t flags; /* Type of comparison */ |
u_int8_t count; /* Number of ports */ |
u_int16_t ports[IPT_MULTI_PORTS]; /* Ports */ |
}; |
#endif /*_IPT_MULTIPORT_H*/ |
/ip_conntrack_amanda.h
0,0 → 1,12
#ifndef _IP_CONNTRACK_AMANDA_H |
#define _IP_CONNTRACK_AMANDA_H |
/* AMANDA tracking. */ |
|
struct ip_ct_amanda_expect |
{ |
u_int16_t port; /* port number of this expectation */ |
u_int16_t offset; /* offset of port in ctrl packet */ |
u_int16_t len; /* length of the port number string */ |
}; |
|
#endif /* _IP_CONNTRACK_AMANDA_H */ |
/ipt_mac.h
0,0 → 1,8
#ifndef _IPT_MAC_H |
#define _IPT_MAC_H |
|
struct ipt_mac_info { |
unsigned char srcaddr[ETH_ALEN]; |
int invert; |
}; |
#endif /*_IPT_MAC_H*/ |
/ip_queue.h
0,0 → 1,72
/* |
* This is a module which is used for queueing IPv4 packets and |
* communicating with userspace via netlink. |
* |
* (C) 2000 James Morris, this code is GPL. |
*/ |
#ifndef _IP_QUEUE_H |
#define _IP_QUEUE_H |
|
#ifdef __KERNEL__ |
#ifdef DEBUG_IPQ |
#define QDEBUG(x...) printk(KERN_DEBUG ## x) |
#else |
#define QDEBUG(x...) |
#endif /* DEBUG_IPQ */ |
#else |
#include <net/if.h> |
#endif /* ! __KERNEL__ */ |
|
/* Messages sent from kernel */ |
typedef struct ipq_packet_msg { |
unsigned long packet_id; /* ID of queued packet */ |
unsigned long mark; /* Netfilter mark value */ |
long timestamp_sec; /* Packet arrival time (seconds) */ |
long timestamp_usec; /* Packet arrvial time (+useconds) */ |
unsigned int hook; /* Netfilter hook we rode in on */ |
char indev_name[IFNAMSIZ]; /* Name of incoming interface */ |
char outdev_name[IFNAMSIZ]; /* Name of outgoing interface */ |
unsigned short hw_protocol; /* Hardware protocol (network order) */ |
unsigned short hw_type; /* Hardware type */ |
unsigned char hw_addrlen; /* Hardware address length */ |
unsigned char hw_addr[8]; /* Hardware address */ |
size_t data_len; /* Length of packet data */ |
unsigned char payload[0]; /* Optional packet data */ |
} ipq_packet_msg_t; |
|
/* Messages sent from userspace */ |
typedef struct ipq_mode_msg { |
unsigned char value; /* Requested mode */ |
size_t range; /* Optional range of packet requested */ |
} ipq_mode_msg_t; |
|
typedef struct ipq_verdict_msg { |
unsigned int value; /* Verdict to hand to netfilter */ |
unsigned long id; /* Packet ID for this verdict */ |
size_t data_len; /* Length of replacement data */ |
unsigned char payload[0]; /* Optional replacement packet */ |
} ipq_verdict_msg_t; |
|
typedef struct ipq_peer_msg { |
union { |
ipq_verdict_msg_t verdict; |
ipq_mode_msg_t mode; |
} msg; |
} ipq_peer_msg_t; |
|
/* Packet delivery modes */ |
enum { |
IPQ_COPY_NONE, /* Initial mode, packets are dropped */ |
IPQ_COPY_META, /* Copy metadata */ |
IPQ_COPY_PACKET /* Copy metadata + packet (range) */ |
}; |
#define IPQ_COPY_MAX IPQ_COPY_PACKET |
|
/* Types of messages */ |
#define IPQM_BASE 0x10 /* standard netlink messages below this */ |
#define IPQM_MODE (IPQM_BASE + 1) /* Mode request from peer */ |
#define IPQM_VERDICT (IPQM_BASE + 2) /* Verdict from peer */ |
#define IPQM_PACKET (IPQM_BASE + 3) /* Packet from kernel */ |
#define IPQM_MAX (IPQM_BASE + 4) |
|
#endif /*_IP_QUEUE_H*/ |
/ipt_ttl.h
0,0 → 1,21
/* IP tables module for matching the value of the TTL |
* (C) 2000 by Harald Welte <laforge@gnumonks.org> */ |
|
#ifndef _IPT_TTL_H |
#define _IPT_TTL_H |
|
enum { |
IPT_TTL_EQ = 0, /* equals */ |
IPT_TTL_NE, /* not equals */ |
IPT_TTL_LT, /* less than */ |
IPT_TTL_GT, /* greater than */ |
}; |
|
|
struct ipt_ttl_info { |
u_int8_t mode; |
u_int8_t ttl; |
}; |
|
|
#endif |
/ip_conntrack_tcp.h
0,0 → 1,28
#ifndef _IP_CONNTRACK_TCP_H |
#define _IP_CONNTRACK_TCP_H |
/* TCP tracking. */ |
|
enum tcp_conntrack { |
TCP_CONNTRACK_NONE, |
TCP_CONNTRACK_ESTABLISHED, |
TCP_CONNTRACK_SYN_SENT, |
TCP_CONNTRACK_SYN_RECV, |
TCP_CONNTRACK_FIN_WAIT, |
TCP_CONNTRACK_TIME_WAIT, |
TCP_CONNTRACK_CLOSE, |
TCP_CONNTRACK_CLOSE_WAIT, |
TCP_CONNTRACK_LAST_ACK, |
TCP_CONNTRACK_LISTEN, |
TCP_CONNTRACK_MAX |
}; |
|
struct ip_ct_tcp |
{ |
enum tcp_conntrack state; |
|
/* Poor man's window tracking: sequence number of valid ACK |
handshake completion packet */ |
u_int32_t handshake_ack; |
}; |
|
#endif /* _IP_CONNTRACK_TCP_H */ |
/ipt_ecn.h
0,0 → 1,33
/* iptables module for matching the ECN header in IPv4 and TCP header |
* |
* (C) 2002 Harald Welte <laforge@gnumonks.org> |
* |
* This software is distributed under GNU GPL v2, 1991 |
* |
* ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp |
*/ |
#ifndef _IPT_ECN_H |
#define _IPT_ECN_H |
#include <linux/netfilter_ipv4/ipt_dscp.h> |
|
#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK) |
|
#define IPT_ECN_OP_MATCH_IP 0x01 |
#define IPT_ECN_OP_MATCH_ECE 0x10 |
#define IPT_ECN_OP_MATCH_CWR 0x20 |
|
#define IPT_ECN_OP_MATCH_MASK 0xce |
|
/* match info */ |
struct ipt_ecn_info { |
u_int8_t operation; |
u_int8_t invert; |
u_int8_t ip_ect; |
union { |
struct { |
u_int8_t ect; |
} tcp; |
} proto; |
}; |
|
#endif /* _IPT_ECN_H */ |
/ipt_TOS.h
0,0 → 1,12
#ifndef _IPT_TOS_H_target |
#define _IPT_TOS_H_target |
|
#ifndef IPTOS_NORMALSVC |
#define IPTOS_NORMALSVC 0 |
#endif |
|
struct ipt_tos_target_info { |
u_int8_t tos; |
}; |
|
#endif /*_IPT_TOS_H_target*/ |
/ip_conntrack_icmp.h
0,0 → 1,11
#ifndef _IP_CONNTRACK_ICMP_H |
#define _IP_CONNTRACK_ICMP_H |
/* ICMP tracking. */ |
#include <asm/atomic.h> |
|
struct ip_ct_icmp |
{ |
/* Optimization: when number in == number out, forget immediately. */ |
atomic_t count; |
}; |
#endif /* _IP_CONNTRACK_ICMP_H */ |
/ip_nat_core.h
0,0 → 1,33
#ifndef _IP_NAT_CORE_H |
#define _IP_NAT_CORE_H |
#include <linux/list.h> |
#include <linux/netfilter_ipv4/ip_conntrack.h> |
|
/* This header used to share core functionality between the standalone |
NAT module, and the compatibility layer's use of NAT for masquerading. */ |
extern int ip_nat_init(void); |
extern void ip_nat_cleanup(void); |
|
extern unsigned int do_bindings(struct ip_conntrack *ct, |
enum ip_conntrack_info conntrackinfo, |
struct ip_nat_info *info, |
unsigned int hooknum, |
struct sk_buff **pskb); |
|
extern struct list_head protos; |
|
extern unsigned int icmp_reply_translation(struct sk_buff *skb, |
struct ip_conntrack *conntrack, |
unsigned int hooknum, |
int dir); |
|
extern void replace_in_hashes(struct ip_conntrack *conntrack, |
struct ip_nat_info *info); |
extern void place_in_hashes(struct ip_conntrack *conntrack, |
struct ip_nat_info *info); |
|
/* Built-in protocols. */ |
extern struct ip_nat_protocol ip_nat_protocol_tcp; |
extern struct ip_nat_protocol ip_nat_protocol_udp; |
extern struct ip_nat_protocol ip_nat_protocol_icmp; |
#endif /* _IP_NAT_CORE_H */ |
/ipt_REJECT.h
0,0 → 1,20
#ifndef _IPT_REJECT_H |
#define _IPT_REJECT_H |
|
enum ipt_reject_with { |
IPT_ICMP_NET_UNREACHABLE, |
IPT_ICMP_HOST_UNREACHABLE, |
IPT_ICMP_PROT_UNREACHABLE, |
IPT_ICMP_PORT_UNREACHABLE, |
IPT_ICMP_ECHOREPLY, |
IPT_ICMP_NET_PROHIBITED, |
IPT_ICMP_HOST_PROHIBITED, |
IPT_TCP_RESET, |
IPT_ICMP_ADMIN_PROHIBITED |
}; |
|
struct ipt_reject_info { |
enum ipt_reject_with with; /* reject type */ |
}; |
|
#endif /*_IPT_REJECT_H*/ |