OpenCores
URL https://opencores.org/ocsvn/or1k/or1k/trunk

Subversion Repositories or1k

Compare Revisions

  • This comparison shows the changes necessary to convert path 
    /or1k/tags/LINUX_2_4_26_OR32/linux/linux-2.4/include/linux/netfilter_ipv4
    from Rev 1279 to Rev 1765
    Reverse comparison
  •

Rev 1279 → Rev 1765

/ipt_limit.h
0,0 → 1,21
#ifndef _IPT_RATE_H
#define _IPT_RATE_H
 
/* timings are in milliseconds. */
#define IPT_LIMIT_SCALE 10000
 
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
struct ipt_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
 
/* Used internally by the kernel */
unsigned long prev;
u_int32_t credit;
u_int32_t credit_cap, cost;
 
/* Ugly, ugly fucker. */
struct ipt_rateinfo *master;
};
#endif /*_IPT_RATE_H*/
/ipt_helper.h
0,0 → 1,8
#ifndef _IPT_HELPER_H
#define _IPT_HELPER_H
 
struct ipt_helper_info {
int invert;
char name[30];
};
#endif /* _IPT_HELPER_H */
/ip_nat_protocol.h
0,0 → 1,57
/* Header for use in defining a given protocol. */
#ifndef _IP_NAT_PROTOCOL_H
#define _IP_NAT_PROTOCOL_H
#include <linux/init.h>
#include <linux/list.h>
 
struct iphdr;
struct ip_nat_range;
 
struct ip_nat_protocol
{
struct list_head list;
 
/* Protocol name */
const char *name;
 
/* Protocol number. */
unsigned int protonum;
 
/* Do a packet translation according to the ip_nat_proto_manip
* and manip type. */
void (*manip_pkt)(struct iphdr *iph, size_t len,
const struct ip_conntrack_manip *manip,
enum ip_nat_manip_type maniptype);
 
/* Is the manipable part of the tuple between min and max incl? */
int (*in_range)(const struct ip_conntrack_tuple *tuple,
enum ip_nat_manip_type maniptype,
const union ip_conntrack_manip_proto *min,
const union ip_conntrack_manip_proto *max);
 
/* Alter the per-proto part of the tuple (depending on
maniptype), to give a unique tuple in the given range if
possible; return false if not. Per-protocol part of tuple
is initialized to the incoming packet. */
int (*unique_tuple)(struct ip_conntrack_tuple *tuple,
const struct ip_nat_range *range,
enum ip_nat_manip_type maniptype,
const struct ip_conntrack *conntrack);
 
unsigned int (*print)(char *buffer,
const struct ip_conntrack_tuple *match,
const struct ip_conntrack_tuple *mask);
 
unsigned int (*print_range)(char *buffer,
const struct ip_nat_range *range);
};
 
/* Protocol registration. */
extern int ip_nat_protocol_register(struct ip_nat_protocol *proto);
extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto);
 
extern int init_protocols(void) __init;
extern void cleanup_protocols(void);
extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum);
 
#endif /*_IP_NAT_PROTO_H*/
/ipt_state.h
0,0 → 1,11
#ifndef _IPT_STATE_H
#define _IPT_STATE_H
 
#define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define IPT_STATE_INVALID (1 << 0)
 
struct ipt_state_info
{
unsigned int statemask;
};
#endif /*_IPT_STATE_H*/
/ipt_recent.h
0,0 → 1,27
#ifndef _IPT_RECENT_H
#define _IPT_RECENT_H
 
#define RECENT_NAME "ipt_recent"
#define RECENT_VER "v0.3.1"
 
#define IPT_RECENT_CHECK 1
#define IPT_RECENT_SET 2
#define IPT_RECENT_UPDATE 4
#define IPT_RECENT_REMOVE 8
#define IPT_RECENT_TTL 16
 
#define IPT_RECENT_SOURCE 0
#define IPT_RECENT_DEST 1
 
#define IPT_RECENT_NAME_LEN 200
 
struct ipt_recent_info {
u_int32_t seconds;
u_int32_t hit_count;
u_int8_t check_set;
u_int8_t invert;
char name[IPT_RECENT_NAME_LEN];
u_int8_t side;
};
 
#endif /*_IPT_RECENT_H*/
/ipfwadm_core.h
0,0 → 1,256
#ifndef _IPFWADM_CORE_H
#define _IPFWADM_CORE_H
/* Minor modifications to fit on compatibility framework:
Rusty.Russell@rustcorp.com.au
*/
 
/*
* IP firewalling code. This is taken from 4.4BSD. Please note the
* copyright message below. As per the GPL it must be maintained
* and the licenses thus do not conflict. While this port is subject
* to the GPL I also place my modifications under the original
* license in recognition of the original copyright.
*
* Ported from BSD to Linux,
* Alan Cox 22/Nov/1994.
* Merged and included the FreeBSD-Current changes at Ugen's request
* (but hey it's a lot cleaner now). Ugen would prefer in some ways
* we waited for his final product but since Linux 1.2.0 is about to
* appear it's not practical - Read: It works, it's not clean but please
* don't consider it to be his standard of finished work.
* Alan.
*
* Fixes:
* Pauline Middelink : Added masquerading.
* Jos Vos : Separate input and output firewall
* chains, new "insert" and "append"
* commands to replace "add" commands,
* add ICMP header to struct ip_fwpkt.
* Jos Vos : Add support for matching device names.
* Willy Konynenberg : Add transparent proxying support.
* Jos Vos : Add options for input/output accounting.
*
* All the real work was done by .....
*/
 
/*
* Copyright (c) 1993 Daniel Boulet
* Copyright (c) 1994 Ugen J.S.Antsilevich
*
* Redistribution and use in source forms, with and without modification,
* are permitted provided that this entire comment appears intact.
*
* Redistribution in binary form may occur without any restrictions.
* Obviously, it would be nice if you gave credit where credit is due
* but requiring it would be too onerous.
*
* This software is provided ``AS IS'' without any warranties of any kind.
*/
 
/*
* Format of an IP firewall descriptor
*
* src, dst, src_mask, dst_mask are always stored in network byte order.
* flags and num_*_ports are stored in host byte order (of course).
* Port numbers are stored in HOST byte order.
*/
 
#ifdef __KERNEL__
#include <linux/icmp.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#endif
 
struct ip_fw
{
struct ip_fw *fw_next; /* Next firewall on chain */
struct in_addr fw_src, fw_dst; /* Source and destination IP addr */
struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */
struct in_addr fw_via; /* IP address of interface "via" */
struct net_device *fw_viadev; /* device of interface "via" */
__u16 fw_flg; /* Flags word */
__u16 fw_nsp, fw_ndp; /* N'of src ports and # of dst ports */
/* in ports array (dst ports follow */
/* src ports; max of 10 ports in all; */
/* count of 0 means match all ports) */
#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
__u16 fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */
unsigned long fw_pcnt,fw_bcnt; /* Packet and byte counters */
__u8 fw_tosand, fw_tosxor; /* Revised packet priority */
char fw_vianame[IFNAMSIZ]; /* name of interface "via" */
};
 
/*
* Values for "flags" field .
*/
 
#define IP_FW_F_ALL 0x0000 /* This is a universal packet firewall*/
#define IP_FW_F_TCP 0x0001 /* This is a TCP packet firewall */
#define IP_FW_F_UDP 0x0002 /* This is a UDP packet firewall */
#define IP_FW_F_ICMP 0x0003 /* This is a ICMP packet firewall */
#define IP_FW_F_KIND 0x0003 /* Mask to isolate firewall kind */
#define IP_FW_F_ACCEPT 0x0004 /* This is an accept firewall (as *
* opposed to a deny firewall)*
* */
#define IP_FW_F_SRNG 0x0008 /* The first two src ports are a min *
* and max range (stored in host byte *
* order). *
* */
#define IP_FW_F_DRNG 0x0010 /* The first two dst ports are a min *
* and max range (stored in host byte *
* order). *
* (ports[0] <= port <= ports[1]) *
* */
#define IP_FW_F_PRN 0x0020 /* In verbose mode print this firewall*/
#define IP_FW_F_BIDIR 0x0040 /* For bidirectional firewalls */
#define IP_FW_F_TCPSYN 0x0080 /* For tcp packets-check SYN only */
#define IP_FW_F_ICMPRPL 0x0100 /* Send back icmp unreachable packet */
#define IP_FW_F_MASQ 0x0200 /* Masquerading */
#define IP_FW_F_TCPACK 0x0400 /* For tcp-packets match if ACK is set*/
#define IP_FW_F_REDIR 0x0800 /* Redirect to local port fw_pts[n] */
#define IP_FW_F_ACCTIN 0x1000 /* Account incoming packets only. */
#define IP_FW_F_ACCTOUT 0x2000 /* Account outgoing packets only. */
 
#define IP_FW_F_MASK 0x3FFF /* All possible flag bits mask */
 
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use
* a raw socket for this. Instead we check rights in the calls.
*/
 
#define IP_FW_BASE_CTL 64 /* base for firewall socket options */
 
#define IP_FW_COMMAND 0x00FF /* mask for command without chain */
#define IP_FW_TYPE 0x0300 /* mask for type (chain) */
#define IP_FW_SHIFT 8 /* shift count for type (chain) */
 
#define IP_FW_FWD 0
#define IP_FW_IN 1
#define IP_FW_OUT 2
#define IP_FW_ACCT 3
#define IP_FW_CHAINS 4 /* total number of ip_fw chains */
#define IP_FW_MASQ 5
 
#define IP_FW_INSERT (IP_FW_BASE_CTL)
#define IP_FW_APPEND (IP_FW_BASE_CTL+1)
#define IP_FW_DELETE (IP_FW_BASE_CTL+2)
#define IP_FW_FLUSH (IP_FW_BASE_CTL+3)
#define IP_FW_ZERO (IP_FW_BASE_CTL+4)
#define IP_FW_POLICY (IP_FW_BASE_CTL+5)
#define IP_FW_CHECK (IP_FW_BASE_CTL+6)
#define IP_FW_MASQ_TIMEOUTS (IP_FW_BASE_CTL+7)
 
#define IP_FW_INSERT_FWD (IP_FW_INSERT | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_APPEND_FWD (IP_FW_APPEND | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_DELETE_FWD (IP_FW_DELETE | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_FLUSH_FWD (IP_FW_FLUSH | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_ZERO_FWD (IP_FW_ZERO | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_POLICY_FWD (IP_FW_POLICY | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_CHECK_FWD (IP_FW_CHECK | (IP_FW_FWD << IP_FW_SHIFT))
 
#define IP_FW_INSERT_IN (IP_FW_INSERT | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_APPEND_IN (IP_FW_APPEND | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_DELETE_IN (IP_FW_DELETE | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_FLUSH_IN (IP_FW_FLUSH | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_ZERO_IN (IP_FW_ZERO | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_POLICY_IN (IP_FW_POLICY | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_CHECK_IN (IP_FW_CHECK | (IP_FW_IN << IP_FW_SHIFT))
 
#define IP_FW_INSERT_OUT (IP_FW_INSERT | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_APPEND_OUT (IP_FW_APPEND | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_DELETE_OUT (IP_FW_DELETE | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_FLUSH_OUT (IP_FW_FLUSH | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_ZERO_OUT (IP_FW_ZERO | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_POLICY_OUT (IP_FW_POLICY | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_CHECK_OUT (IP_FW_CHECK | (IP_FW_OUT << IP_FW_SHIFT))
 
#define IP_ACCT_INSERT (IP_FW_INSERT | (IP_FW_ACCT << IP_FW_SHIFT))
#define IP_ACCT_APPEND (IP_FW_APPEND | (IP_FW_ACCT << IP_FW_SHIFT))
#define IP_ACCT_DELETE (IP_FW_DELETE | (IP_FW_ACCT << IP_FW_SHIFT))
#define IP_ACCT_FLUSH (IP_FW_FLUSH | (IP_FW_ACCT << IP_FW_SHIFT))
#define IP_ACCT_ZERO (IP_FW_ZERO | (IP_FW_ACCT << IP_FW_SHIFT))
 
#define IP_FW_MASQ_INSERT (IP_FW_INSERT | (IP_FW_MASQ << IP_FW_SHIFT))
#define IP_FW_MASQ_ADD (IP_FW_APPEND | (IP_FW_MASQ << IP_FW_SHIFT))
#define IP_FW_MASQ_DEL (IP_FW_DELETE | (IP_FW_MASQ << IP_FW_SHIFT))
#define IP_FW_MASQ_FLUSH (IP_FW_FLUSH | (IP_FW_MASQ << IP_FW_SHIFT))
 
#define IP_FW_MASQ_INSERT (IP_FW_INSERT | (IP_FW_MASQ << IP_FW_SHIFT))
#define IP_FW_MASQ_ADD (IP_FW_APPEND | (IP_FW_MASQ << IP_FW_SHIFT))
#define IP_FW_MASQ_DEL (IP_FW_DELETE | (IP_FW_MASQ << IP_FW_SHIFT))
#define IP_FW_MASQ_FLUSH (IP_FW_FLUSH | (IP_FW_MASQ << IP_FW_SHIFT))
 
struct ip_fwpkt
{
struct iphdr fwp_iph; /* IP header */
union {
struct tcphdr fwp_tcph; /* TCP header or */
struct udphdr fwp_udph; /* UDP header */
struct icmphdr fwp_icmph; /* ICMP header */
} fwp_protoh;
struct in_addr fwp_via; /* interface address */
char fwp_vianame[IFNAMSIZ]; /* interface name */
};
 
#define IP_FW_MASQCTL_MAX 256
#define IP_MASQ_MOD_NMAX 32
 
struct ip_fw_masqctl
{
int mctl_action;
union {
struct {
char name[IP_MASQ_MOD_NMAX];
char data[1];
} mod;
} u;
};
 
/*
* timeouts for ip masquerading
*/
 
struct ip_fw_masq;
 
/*
* Main firewall chains definitions and global var's definitions.
*/
 
#ifdef __KERNEL__
 
/* Modes used in the ip_fw_chk() routine. */
#define IP_FW_MODE_FW 0x00 /* kernel firewall check */
#define IP_FW_MODE_ACCT_IN 0x01 /* accounting (incoming) */
#define IP_FW_MODE_ACCT_OUT 0x02 /* accounting (outgoing) */
#define IP_FW_MODE_CHK 0x04 /* check requested by user */
 
#include <linux/config.h>
#ifdef CONFIG_IP_FIREWALL
extern struct ip_fw *ip_fw_in_chain;
extern struct ip_fw *ip_fw_out_chain;
extern struct ip_fw *ip_fw_fwd_chain;
extern int ip_fw_in_policy;
extern int ip_fw_out_policy;
extern int ip_fw_fwd_policy;
extern int ip_fw_ctl(int, void *, int);
#endif
#ifdef CONFIG_IP_ACCT
extern struct ip_fw *ip_acct_chain;
extern int ip_acct_ctl(int, void *, int);
#endif
#ifdef CONFIG_IP_MASQUERADE
extern int ip_masq_ctl(int, void *, int);
#endif
#ifdef CONFIG_IP_MASQUERADE
extern int ip_masq_ctl(int, void *, int);
#endif
 
extern int ip_fw_masq_timeouts(void *user, int len);
 
extern int ip_fw_chk(struct iphdr *, struct net_device *, __u16 *,
struct ip_fw *, int, int);
#endif /* KERNEL */
#endif /* _IP_FW_H */
/lockhelp.h
0,0 → 1,129
#ifndef _LOCKHELP_H
#define _LOCKHELP_H
#include <linux/config.h>
 
#include <linux/spinlock.h>
#include <asm/atomic.h>
#include <linux/interrupt.h>
#include <linux/smp.h>
 
/* Header to do help in lock debugging. */
 
#ifdef CONFIG_NETFILTER_DEBUG
struct spinlock_debug
{
spinlock_t l;
atomic_t locked_by;
};
 
struct rwlock_debug
{
rwlock_t l;
long read_locked_map;
long write_locked_map;
};
 
#define DECLARE_LOCK(l) \
struct spinlock_debug l = { SPIN_LOCK_UNLOCKED, ATOMIC_INIT(-1) }
#define DECLARE_LOCK_EXTERN(l) \
extern struct spinlock_debug l
#define DECLARE_RWLOCK(l) \
struct rwlock_debug l = { RW_LOCK_UNLOCKED, 0, 0 }
#define DECLARE_RWLOCK_EXTERN(l) \
extern struct rwlock_debug l
 
#define MUST_BE_LOCKED(l) \
do { if (atomic_read(&(l)->locked_by) != smp_processor_id()) \
printk("ASSERT %s:%u %s unlocked\n", __FILE__, __LINE__, #l); \
} while(0)
 
#define MUST_BE_UNLOCKED(l) \
do { if (atomic_read(&(l)->locked_by) == smp_processor_id()) \
printk("ASSERT %s:%u %s locked\n", __FILE__, __LINE__, #l); \
} while(0)
 
/* Write locked OK as well. */
#define MUST_BE_READ_LOCKED(l) \
do { if (!((l)->read_locked_map & (1UL << smp_processor_id())) \
&& !((l)->write_locked_map & (1UL << smp_processor_id()))) \
printk("ASSERT %s:%u %s not readlocked\n", __FILE__, __LINE__, #l); \
} while(0)
 
#define MUST_BE_WRITE_LOCKED(l) \
do { if (!((l)->write_locked_map & (1UL << smp_processor_id()))) \
printk("ASSERT %s:%u %s not writelocked\n", __FILE__, __LINE__, #l); \
} while(0)
 
#define MUST_BE_READ_WRITE_UNLOCKED(l) \
do { if ((l)->read_locked_map & (1UL << smp_processor_id())) \
printk("ASSERT %s:%u %s readlocked\n", __FILE__, __LINE__, #l); \
else if ((l)->write_locked_map & (1UL << smp_processor_id())) \
printk("ASSERT %s:%u %s writelocked\n", __FILE__, __LINE__, #l); \
} while(0)
 
#define LOCK_BH(lk) \
do { \
MUST_BE_UNLOCKED(lk); \
spin_lock_bh(&(lk)->l); \
atomic_set(&(lk)->locked_by, smp_processor_id()); \
} while(0)
 
#define UNLOCK_BH(lk) \
do { \
MUST_BE_LOCKED(lk); \
atomic_set(&(lk)->locked_by, -1); \
spin_unlock_bh(&(lk)->l); \
} while(0)
 
#define READ_LOCK(lk) \
do { \
MUST_BE_READ_WRITE_UNLOCKED(lk); \
read_lock_bh(&(lk)->l); \
set_bit(smp_processor_id(), &(lk)->read_locked_map); \
} while(0)
 
#define WRITE_LOCK(lk) \
do { \
MUST_BE_READ_WRITE_UNLOCKED(lk); \
write_lock_bh(&(lk)->l); \
set_bit(smp_processor_id(), &(lk)->write_locked_map); \
} while(0)
 
#define READ_UNLOCK(lk) \
do { \
if (!((lk)->read_locked_map & (1UL << smp_processor_id()))) \
printk("ASSERT: %s:%u %s not readlocked\n", \
__FILE__, __LINE__, #lk); \
clear_bit(smp_processor_id(), &(lk)->read_locked_map); \
read_unlock_bh(&(lk)->l); \
} while(0)
 
#define WRITE_UNLOCK(lk) \
do { \
MUST_BE_WRITE_LOCKED(lk); \
clear_bit(smp_processor_id(), &(lk)->write_locked_map); \
write_unlock_bh(&(lk)->l); \
} while(0)
 
#else
#define DECLARE_LOCK(l) spinlock_t l = SPIN_LOCK_UNLOCKED
#define DECLARE_LOCK_EXTERN(l) extern spinlock_t l
#define DECLARE_RWLOCK(l) rwlock_t l = RW_LOCK_UNLOCKED
#define DECLARE_RWLOCK_EXTERN(l) extern rwlock_t l
 
#define MUST_BE_LOCKED(l)
#define MUST_BE_UNLOCKED(l)
#define MUST_BE_READ_LOCKED(l)
#define MUST_BE_WRITE_LOCKED(l)
#define MUST_BE_READ_WRITE_UNLOCKED(l)
 
#define LOCK_BH(l) spin_lock_bh(l)
#define UNLOCK_BH(l) spin_unlock_bh(l)
 
#define READ_LOCK(l) read_lock_bh(l)
#define WRITE_LOCK(l) write_lock_bh(l)
#define READ_UNLOCK(l) read_unlock_bh(l)
#define WRITE_UNLOCK(l) write_unlock_bh(l)
#endif /*CONFIG_NETFILTER_DEBUG*/
 
#endif /* _LOCKHELP_H */
/ipt_esp.h
0,0 → 1,16
#ifndef _IPT_ESP_H
#define _IPT_ESP_H
 
struct ipt_esp
{
u_int32_t spis[2]; /* Security Parameter Index */
u_int8_t invflags; /* Inverse flags */
};
 
 
 
/* Values for "invflags" field in struct ipt_esp. */
#define IPT_ESP_INV_SPI 0x01 /* Invert the sense of spi. */
#define IPT_ESP_INV_MASK 0x01 /* All possible flags. */
 
#endif /*_IPT_ESP_H*/
/ipt_ah.h
0,0 → 1,16
#ifndef _IPT_AH_H
#define _IPT_AH_H
 
struct ipt_ah
{
u_int32_t spis[2]; /* Security Parameter Index */
u_int8_t invflags; /* Inverse flags */
};
 
 
 
/* Values for "invflags" field in struct ipt_ah. */
#define IPT_AH_INV_SPI 0x01 /* Invert the sense of spi. */
#define IPT_AH_INV_MASK 0x01 /* All possible flags. */
 
#endif /*_IPT_AH_H*/
/ipchains_core.h
0,0 → 1,193
/*
* This code is heavily based on the code in ip_fw.h; see that file for
* copyrights and attributions. This code is basically GPL.
*
* 15-Feb-1997: Major changes to allow graphs for firewall rules.
* Paul Russell <Paul.Russell@rustcorp.com.au> and
* Michael Neuling <Michael.Neuling@rustcorp.com.au>
* 2-Nov-1997: Changed types to __u16, etc.
* Removed IP_FW_F_TCPACK & IP_FW_F_BIDIR.
* Added inverse flags field.
* Removed multiple port specs.
*/
 
/*
* Format of an IP firewall descriptor
*
* src, dst, src_mask, dst_mask are always stored in network byte order.
* flags are stored in host byte order (of course).
* Port numbers are stored in HOST byte order.
*/
 
#ifndef _IP_FWCHAINS_H
#define _IP_FWCHAINS_H
 
#ifdef __KERNEL__
#include <linux/icmp.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#endif /* __KERNEL__ */
#define IP_FW_MAX_LABEL_LENGTH 8
typedef char ip_chainlabel[IP_FW_MAX_LABEL_LENGTH+1];
 
struct ip_fw
{
struct in_addr fw_src, fw_dst; /* Source and destination IP addr */
struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */
__u32 fw_mark; /* ID to stamp on packet */
__u16 fw_proto; /* Protocol, 0 = ANY */
__u16 fw_flg; /* Flags word */
__u16 fw_invflg; /* Inverse flags */
__u16 fw_spts[2]; /* Source port range. */
__u16 fw_dpts[2]; /* Destination port range. */
__u16 fw_redirpt; /* Port to redirect to. */
__u16 fw_outputsize; /* Max amount to output to
NETLINK */
char fw_vianame[IFNAMSIZ]; /* name of interface "via" */
__u8 fw_tosand, fw_tosxor; /* Revised packet priority */
};
 
struct ip_fwuser
{
struct ip_fw ipfw;
ip_chainlabel label;
};
 
/* Values for "fw_flg" field . */
#define IP_FW_F_PRN 0x0001 /* Print packet if it matches */
#define IP_FW_F_TCPSYN 0x0002 /* For tcp packets-check SYN only */
#define IP_FW_F_FRAG 0x0004 /* Set if rule is a fragment rule */
#define IP_FW_F_MARKABS 0x0008 /* Set the mark to fw_mark, not add. */
#define IP_FW_F_WILDIF 0x0010 /* Need only match start of interface name. */
#define IP_FW_F_NETLINK 0x0020 /* Redirect to netlink: 2.1.x only */
#define IP_FW_F_MASK 0x003F /* All possible flag bits mask */
 
/* Values for "fw_invflg" field. */
#define IP_FW_INV_SRCIP 0x0001 /* Invert the sense of fw_src. */
#define IP_FW_INV_DSTIP 0x0002 /* Invert the sense of fw_dst. */
#define IP_FW_INV_PROTO 0x0004 /* Invert the sense of fw_proto. */
#define IP_FW_INV_SRCPT 0x0008 /* Invert the sense of source ports. */
#define IP_FW_INV_DSTPT 0x0010 /* Invert the sense of destination ports. */
#define IP_FW_INV_VIA 0x0020 /* Invert the sense of fw_vianame. */
#define IP_FW_INV_SYN 0x0040 /* Invert the sense of IP_FW_F_TCPSYN. */
#define IP_FW_INV_FRAG 0x0080 /* Invert the sense of IP_FW_F_FRAG. */
 
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use
* a raw socket for this. Instead we check rights in the calls. */
 
#define IP_FW_BASE_CTL 64 /* base for firewall socket options */
 
#define IP_FW_APPEND (IP_FW_BASE_CTL) /* Takes ip_fwchange */
#define IP_FW_REPLACE (IP_FW_BASE_CTL+1) /* Takes ip_fwnew */
#define IP_FW_DELETE_NUM (IP_FW_BASE_CTL+2) /* Takes ip_fwdelnum */
#define IP_FW_DELETE (IP_FW_BASE_CTL+3) /* Takes ip_fwchange */
#define IP_FW_INSERT (IP_FW_BASE_CTL+4) /* Takes ip_fwnew */
#define IP_FW_FLUSH (IP_FW_BASE_CTL+5) /* Takes ip_chainlabel */
#define IP_FW_ZERO (IP_FW_BASE_CTL+6) /* Takes ip_chainlabel */
#define IP_FW_CHECK (IP_FW_BASE_CTL+7) /* Takes ip_fwtest */
#define IP_FW_MASQ_TIMEOUTS (IP_FW_BASE_CTL+8) /* Takes 3 ints */
#define IP_FW_CREATECHAIN (IP_FW_BASE_CTL+9) /* Takes ip_chainlabel */
#define IP_FW_DELETECHAIN (IP_FW_BASE_CTL+10) /* Takes ip_chainlabel */
#define IP_FW_POLICY (IP_FW_BASE_CTL+11) /* Takes ip_fwpolicy */
/* Masquerade control, only 1 optname */
 
#define IP_FW_MASQ_CTL (IP_FW_BASE_CTL+12) /* General ip_masq ctl */
 
/* Builtin chain labels */
#define IP_FW_LABEL_FORWARD "forward"
#define IP_FW_LABEL_INPUT "input"
#define IP_FW_LABEL_OUTPUT "output"
 
/* Special targets */
#define IP_FW_LABEL_MASQUERADE "MASQ"
#define IP_FW_LABEL_REDIRECT "REDIRECT"
#define IP_FW_LABEL_ACCEPT "ACCEPT"
#define IP_FW_LABEL_BLOCK "DENY"
#define IP_FW_LABEL_REJECT "REJECT"
#define IP_FW_LABEL_RETURN "RETURN"
#define IP_FW_LABEL_QUEUE "QUEUE"
 
/* Files in /proc/net */
#define IP_FW_PROC_CHAINS "ip_fwchains"
#define IP_FW_PROC_CHAIN_NAMES "ip_fwnames"
 
 
struct ip_fwpkt
{
struct iphdr fwp_iph; /* IP header */
union {
struct tcphdr fwp_tcph; /* TCP header or */
struct udphdr fwp_udph; /* UDP header */
struct icmphdr fwp_icmph; /* ICMP header */
} fwp_protoh;
struct in_addr fwp_via; /* interface address */
char fwp_vianame[IFNAMSIZ]; /* interface name */
};
 
/* The argument to IP_FW_DELETE and IP_FW_APPEND */
struct ip_fwchange
{
struct ip_fwuser fwc_rule;
ip_chainlabel fwc_label;
};
 
/* The argument to IP_FW_CHECK. */
struct ip_fwtest
{
struct ip_fwpkt fwt_packet; /* Packet to be tested */
ip_chainlabel fwt_label; /* Block to start test in */
};
/* The argument to IP_FW_DELETE_NUM */
struct ip_fwdelnum
{
__u32 fwd_rulenum;
ip_chainlabel fwd_label;
};
 
/* The argument to IP_FW_REPLACE and IP_FW_INSERT */
struct ip_fwnew
{
__u32 fwn_rulenum;
struct ip_fwuser fwn_rule;
ip_chainlabel fwn_label;
};
 
/* The argument to IP_FW_POLICY */
struct ip_fwpolicy
{
ip_chainlabel fwp_policy;
ip_chainlabel fwp_label;
};
/*
* timeouts for ip masquerading
*/
 
extern int ip_fw_masq_timeouts(void *, int);
 
 
/*
* Main firewall chains definitions and global var's definitions.
*/
 
#ifdef __KERNEL__
 
#include <linux/config.h>
#include <linux/version.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
#include <linux/init.h>
extern void ip_fw_init(void) __init;
#else /* 2.0.x */
extern void ip_fw_init(void);
#endif /* 2.1.x */
extern int ip_fw_ctl(int, void *, int);
#ifdef CONFIG_IP_MASQUERADE
extern int ip_masq_uctl(int, char *, int);
#endif
#endif /* KERNEL */
 
#endif /* _IP_FWCHAINS_H */
/ipt_owner.h
0,0 → 1,20
#ifndef _IPT_OWNER_H
#define _IPT_OWNER_H
 
/* match and invert flags */
#define IPT_OWNER_UID 0x01
#define IPT_OWNER_GID 0x02
#define IPT_OWNER_PID 0x04
#define IPT_OWNER_SID 0x08
#define IPT_OWNER_COMM 0x10
 
struct ipt_owner_info {
uid_t uid;
gid_t gid;
pid_t pid;
pid_t sid;
char comm[16];
u_int8_t match, invert; /* flags */
};
 
#endif /*_IPT_OWNER_H*/
/ip_conntrack_irc.h
0,0 → 1,50
/* IRC extension for IP connection tracking.
* (C) 2000 by Harald Welte <laforge@gnumonks.org>
* based on RR's ip_conntrack_ftp.h
*
* ip_conntrack_irc.h,v 1.6 2000/11/07 18:26:42 laforge Exp
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*
*/
#ifndef _IP_CONNTRACK_IRC_H
#define _IP_CONNTRACK_IRC_H
 
/* We record seq number and length of irc ip/port text here: all in
host order. */
 
/* This structure is per expected connection */
struct ip_ct_irc_expect
{
/* length of IP address */
u_int32_t len;
/* Port that was to be used */
u_int16_t port;
};
 
/* This structure exists only once per master */
struct ip_ct_irc_master {
};
 
 
#ifdef __KERNEL__
 
#include <linux/netfilter_ipv4/lockhelp.h>
 
#define IRC_PORT 6667
 
struct dccproto {
char* match;
int matchlen;
};
 
/* Protects irc part of conntracks */
DECLARE_LOCK_EXTERN(ip_irc_lock);
 
#endif /* __KERNEL__ */
 
#endif /* _IP_CONNTRACK_IRC_H */
/ip_conntrack_tftp.h
0,0 → 1,13
#ifndef _IP_CT_TFTP
#define _IP_CT_TFTP
 
#define TFTP_PORT 69
 
struct tftphdr {
u_int16_t opcode;
};
 
#define TFTP_OPCODE_READ 1
#define TFTP_OPCODE_WRITE 2
 
#endif /* _IP_CT_TFTP */
/compat_firewall.h
0,0 → 1,45
/* Minor modifications to fit on compatibility framework:
Rusty.Russell@rustcorp.com.au
*/
 
#ifndef __LINUX_FIREWALL_H
#define __LINUX_FIREWALL_H
 
/*
* Definitions for loadable firewall modules
*/
 
#define FW_QUEUE 0
#define FW_BLOCK 1
#define FW_ACCEPT 2
#define FW_REJECT (-1)
#define FW_REDIRECT 3
#define FW_MASQUERADE 4
#define FW_SKIP 5
 
struct firewall_ops
{
struct firewall_ops *next;
int (*fw_forward)(struct firewall_ops *this, int pf,
struct net_device *dev, void *phdr, void *arg,
struct sk_buff **pskb);
int (*fw_input)(struct firewall_ops *this, int pf,
struct net_device *dev, void *phdr, void *arg,
struct sk_buff **pskb);
int (*fw_output)(struct firewall_ops *this, int pf,
struct net_device *dev, void *phdr, void *arg,
struct sk_buff **pskb);
/* These may be NULL. */
int (*fw_acct_in)(struct firewall_ops *this, int pf,
struct net_device *dev, void *phdr, void *arg,
struct sk_buff **pskb);
int (*fw_acct_out)(struct firewall_ops *this, int pf,
struct net_device *dev, void *phdr, void *arg,
struct sk_buff **pskb);
};
 
extern int register_firewall(int pf, struct firewall_ops *fw);
extern int unregister_firewall(int pf, struct firewall_ops *fw);
 
extern int ip_fw_masq_timeouts(void *user, int len);
#endif /* __LINUX_FIREWALL_H */
/ip_nat_helper.h
0,0 → 1,64
#ifndef _IP_NAT_HELPER_H
#define _IP_NAT_HELPER_H
/* NAT protocol helper routines. */
 
#include <linux/netfilter_ipv4/ip_conntrack.h>
 
struct sk_buff;
 
/* Flags */
/* NAT helper must be called on every packet (for TCP) */
#define IP_NAT_HELPER_F_ALWAYS 0x01
/* Standalone NAT helper, without a conntrack part */
#define IP_NAT_HELPER_F_STANDALONE 0x02
 
struct ip_nat_helper
{
struct list_head list; /* Internal use */
 
const char *name; /* name of the module */
unsigned char flags; /* Flags (see above) */
struct module *me; /* pointer to self */
/* Mask of things we will help: vs. tuple from server */
struct ip_conntrack_tuple tuple;
struct ip_conntrack_tuple mask;
/* Helper function: returns verdict */
unsigned int (*help)(struct ip_conntrack *ct,
struct ip_conntrack_expect *exp,
struct ip_nat_info *info,
enum ip_conntrack_info ctinfo,
unsigned int hooknum,
struct sk_buff **pskb);
 
/* Returns verdict and sets up NAT for this connection */
unsigned int (*expect)(struct sk_buff **pskb,
unsigned int hooknum,
struct ip_conntrack *ct,
struct ip_nat_info *info);
};
 
extern struct list_head helpers;
 
extern int ip_nat_helper_register(struct ip_nat_helper *me);
extern void ip_nat_helper_unregister(struct ip_nat_helper *me);
extern int ip_nat_mangle_tcp_packet(struct sk_buff **skb,
struct ip_conntrack *ct,
enum ip_conntrack_info ctinfo,
unsigned int match_offset,
unsigned int match_len,
char *rep_buffer,
unsigned int rep_len);
extern int ip_nat_mangle_udp_packet(struct sk_buff **skb,
struct ip_conntrack *ct,
enum ip_conntrack_info ctinfo,
unsigned int match_offset,
unsigned int match_len,
char *rep_buffer,
unsigned int rep_len);
extern int ip_nat_seq_adjust(struct sk_buff *skb,
struct ip_conntrack *ct,
enum ip_conntrack_info ctinfo);
extern void ip_nat_delete_sack(struct sk_buff *skb);
#endif
/ip_conntrack.h
0,0 → 1,269
#ifndef _IP_CONNTRACK_H
#define _IP_CONNTRACK_H
/* Connection state tracking for netfilter. This is separated from,
but required by, the NAT layer; it can also be used by an iptables
extension. */
 
#include <linux/config.h>
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
#include <linux/bitops.h>
#include <asm/atomic.h>
 
enum ip_conntrack_info
{
/* Part of an established connection (either direction). */
IP_CT_ESTABLISHED,
 
/* Like NEW, but related to an existing connection, or ICMP error
(in either direction). */
IP_CT_RELATED,
 
/* Started a new connection to track (only
IP_CT_DIR_ORIGINAL); may be a retransmission. */
IP_CT_NEW,
 
/* >= this indicates reply direction */
IP_CT_IS_REPLY,
 
/* Number of distinct IP_CT types (no NEW in reply dirn). */
IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
};
 
/* Bitset representing status of connection. */
enum ip_conntrack_status {
/* It's an expected connection: bit 0 set. This bit never changed */
IPS_EXPECTED_BIT = 0,
IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
 
/* We've seen packets both ways: bit 1 set. Can be set, not unset. */
IPS_SEEN_REPLY_BIT = 1,
IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
 
/* Conntrack should never be early-expired. */
IPS_ASSURED_BIT = 2,
IPS_ASSURED = (1 << IPS_ASSURED_BIT),
 
/* Connection is confirmed: originating packet has left box */
IPS_CONFIRMED_BIT = 3,
IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
};
 
#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
#include <linux/netfilter_ipv4/ip_conntrack_icmp.h>
 
/* per conntrack: protocol private data */
union ip_conntrack_proto {
/* insert conntrack proto private data here */
struct ip_ct_tcp tcp;
struct ip_ct_icmp icmp;
};
 
union ip_conntrack_expect_proto {
/* insert expect proto private data here */
};
 
/* Add protocol helper include file here */
#include <linux/netfilter_ipv4/ip_conntrack_amanda.h>
 
#include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
#include <linux/netfilter_ipv4/ip_conntrack_irc.h>
 
/* per expectation: application helper private data */
union ip_conntrack_expect_help {
/* insert conntrack helper private data (expect) here */
struct ip_ct_amanda_expect exp_amanda_info;
struct ip_ct_ftp_expect exp_ftp_info;
struct ip_ct_irc_expect exp_irc_info;
 
#ifdef CONFIG_IP_NF_NAT_NEEDED
union {
/* insert nat helper private data (expect) here */
} nat;
#endif
};
 
/* per conntrack: application helper private data */
union ip_conntrack_help {
/* insert conntrack helper private data (master) here */
struct ip_ct_ftp_master ct_ftp_info;
struct ip_ct_irc_master ct_irc_info;
};
 
#ifdef CONFIG_IP_NF_NAT_NEEDED
#include <linux/netfilter_ipv4/ip_nat.h>
 
/* per conntrack: nat application helper private data */
union ip_conntrack_nat_help {
/* insert nat helper private data here */
};
#endif
 
#ifdef __KERNEL__
 
#include <linux/types.h>
#include <linux/skbuff.h>
 
#ifdef CONFIG_NF_DEBUG
#define IP_NF_ASSERT(x) \
do { \
if (!(x)) \
/* Wooah! I'm tripping my conntrack in a frenzy of \
netplay... */ \
printk("NF_IP_ASSERT: %s:%i(%s)\n", \
__FILE__, __LINE__, __FUNCTION__); \
} while(0)
#else
#define IP_NF_ASSERT(x)
#endif
 
struct ip_conntrack_expect
{
/* Internal linked list (global expectation list) */
struct list_head list;
 
/* reference count */
atomic_t use;
 
/* expectation list for this master */
struct list_head expected_list;
 
/* The conntrack of the master connection */
struct ip_conntrack *expectant;
 
/* The conntrack of the sibling connection, set after
* expectation arrived */
struct ip_conntrack *sibling;
 
/* Tuple saved for conntrack */
struct ip_conntrack_tuple ct_tuple;
 
/* Timer function; deletes the expectation. */
struct timer_list timeout;
 
/* Data filled out by the conntrack helpers follow: */
 
/* We expect this tuple, with the following mask */
struct ip_conntrack_tuple tuple, mask;
 
/* Function to call after setup and insertion */
int (*expectfn)(struct ip_conntrack *new);
 
/* At which sequence number did this expectation occur */
u_int32_t seq;
union ip_conntrack_expect_proto proto;
 
union ip_conntrack_expect_help help;
};
 
struct ip_conntrack_helper;
 
struct ip_conntrack
{
/* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
plus 1 for any connection(s) we are `master' for */
struct nf_conntrack ct_general;
 
/* These are my tuples; original and reply */
struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
 
/* Have we seen traffic both ways yet? (bitset) */
unsigned long status;
 
/* Timer function; drops refcnt when it goes off. */
struct timer_list timeout;
 
/* If we're expecting another related connection, this will be
in expected linked list */
struct list_head sibling_list;
/* Current number of expected connections */
unsigned int expecting;
 
/* If we were expected by an expectation, this will be it */
struct ip_conntrack_expect *master;
 
/* Helper, if any. */
struct ip_conntrack_helper *helper;
 
/* Our various nf_ct_info structs specify *what* relation this
packet has to the conntrack */
struct nf_ct_info infos[IP_CT_NUMBER];
 
/* Storage reserved for other modules: */
 
union ip_conntrack_proto proto;
 
union ip_conntrack_help help;
 
#ifdef CONFIG_IP_NF_NAT_NEEDED
struct {
struct ip_nat_info info;
union ip_conntrack_nat_help help;
#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
int masq_index;
#endif
} nat;
#endif /* CONFIG_IP_NF_NAT_NEEDED */
 
};
 
/* get master conntrack via master expectation */
#define master_ct(conntr) (conntr->master ? conntr->master->expectant : NULL)
 
/* Alter reply tuple (maybe alter helper). If it's already taken,
return 0 and don't do alteration. */
extern int
ip_conntrack_alter_reply(struct ip_conntrack *conntrack,
const struct ip_conntrack_tuple *newreply);
 
/* Is this tuple taken? (ignoring any belonging to the given
conntrack). */
extern int
ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple,
const struct ip_conntrack *ignored_conntrack);
 
/* Return conntrack_info and tuple hash for given skb. */
extern struct ip_conntrack *
ip_conntrack_get(struct sk_buff *skb, enum ip_conntrack_info *ctinfo);
 
/* decrement reference count on a conntrack */
extern inline void ip_conntrack_put(struct ip_conntrack *ct);
 
/* find unconfirmed expectation based on tuple */
struct ip_conntrack_expect *
ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple);
 
/* decrement reference count on an expectation */
void ip_conntrack_expect_put(struct ip_conntrack_expect *exp);
 
extern int invert_tuplepr(struct ip_conntrack_tuple *inverse,
const struct ip_conntrack_tuple *orig);
 
/* Refresh conntrack for this many jiffies */
extern void ip_ct_refresh(struct ip_conntrack *ct,
unsigned long extra_jiffies);
 
/* These are for NAT. Icky. */
/* Call me when a conntrack is destroyed. */
extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
 
/* Returns new sk_buff, or NULL */
struct sk_buff *
ip_ct_gather_frags(struct sk_buff *skb);
 
/* Delete all conntracks which match. */
extern void
ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data),
void *data);
 
/* It's confirmed if it is, or has been in the hash table. */
static inline int is_confirmed(struct ip_conntrack *ct)
{
return test_bit(IPS_CONFIRMED_BIT, &ct->status);
}
 
extern unsigned int ip_conntrack_htable_size;
#endif /* __KERNEL__ */
#endif /* _IP_CONNTRACK_H */
/ipt_pkttype.h
0,0 → 1,8
#ifndef _IPT_PKTTYPE_H
#define _IPT_PKTTYPE_H
 
struct ipt_pkttype_info {
int pkttype;
int invert;
};
#endif /*_IPT_PKTTYPE_H*/
/ipt_tos.h
0,0 → 1,13
#ifndef _IPT_TOS_H
#define _IPT_TOS_H
 
struct ipt_tos_info {
u_int8_t tos;
u_int8_t invert;
};
 
#ifndef IPTOS_NORMALSVC
#define IPTOS_NORMALSVC 0
#endif
 
#endif /*_IPT_TOS_H*/
/ipt_ECN.h
0,0 → 1,31
/* Header file for iptables ipt_ECN target
*
* (C) 2002 by Harald Welte <laforge@gnumonks.org>
*
* This software is distributed under GNU GPL v2, 1991
*
* ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp
*/
#ifndef _IPT_ECN_TARGET_H
#define _IPT_ECN_TARGET_H
#include <linux/netfilter_ipv4/ipt_DSCP.h>
 
#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK)
 
#define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */
#define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */
#define IPT_ECN_OP_SET_CWR 0x20 /* set CWR bit of TCP header */
 
#define IPT_ECN_OP_MASK 0xce
 
struct ipt_ECN_info {
u_int8_t operation; /* bitset of operations */
u_int8_t ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */
union {
struct {
u_int8_t ece:1, cwr:1; /* TCP ECT bits */
} tcp;
} proto;
};
 
#endif /* _IPT_ECN_TARGET_H */
/ip_conntrack_core.h
0,0 → 1,52
#ifndef _IP_CONNTRACK_CORE_H
#define _IP_CONNTRACK_CORE_H
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4/lockhelp.h>
 
/* This header is used to share core functionality between the
standalone connection tracking module, and the compatibility layer's use
of connection tracking. */
extern unsigned int ip_conntrack_in(unsigned int hooknum,
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *));
 
extern int ip_conntrack_init(void);
extern void ip_conntrack_cleanup(void);
 
struct ip_conntrack_protocol;
extern struct ip_conntrack_protocol *ip_ct_find_proto(u_int8_t protocol);
/* Like above, but you already have conntrack read lock. */
extern struct ip_conntrack_protocol *__ip_ct_find_proto(u_int8_t protocol);
extern struct list_head protocol_list;
 
/* Returns conntrack if it dealt with ICMP, and filled in skb->nfct */
extern struct ip_conntrack *icmp_error_track(struct sk_buff *skb,
enum ip_conntrack_info *ctinfo,
unsigned int hooknum);
extern int get_tuple(const struct iphdr *iph, size_t len,
struct ip_conntrack_tuple *tuple,
struct ip_conntrack_protocol *protocol);
 
/* Find a connection corresponding to a tuple. */
struct ip_conntrack_tuple_hash *
ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
const struct ip_conntrack *ignored_conntrack);
 
extern int __ip_conntrack_confirm(struct nf_ct_info *nfct);
 
/* Confirm a connection: returns NF_DROP if packet must be dropped. */
static inline int ip_conntrack_confirm(struct sk_buff *skb)
{
if (skb->nfct
&& !is_confirmed((struct ip_conntrack *)skb->nfct->master))
return __ip_conntrack_confirm(skb->nfct);
return NF_ACCEPT;
}
 
extern struct list_head *ip_conntrack_hash;
extern struct list_head ip_conntrack_expect_list;
DECLARE_RWLOCK_EXTERN(ip_conntrack_lock);
#endif /* _IP_CONNTRACK_CORE_H */
 
/ipt_ULOG.h
0,0 → 1,46
/* Header file for IP tables userspace logging, Version 1.8
*
* (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
*
* Distributed under the terms of GNU GPL */
 
#ifndef _IPT_ULOG_H
#define _IPT_ULOG_H
 
#ifndef NETLINK_NFLOG
#define NETLINK_NFLOG 5
#endif
 
#define ULOG_MAC_LEN 80
#define ULOG_PREFIX_LEN 32
 
#define ULOG_MAX_QLEN 50
/* Why 50? Well... there is a limit imposed by the slab cache 131000
* bytes. So the multipart netlink-message has to be < 131000 bytes.
* Assuming a standard ethernet-mtu of 1500, we could define this up
* to 80... but even 50 seems to be big enough. */
 
/* private data structure for each rule with a ULOG target */
struct ipt_ulog_info {
unsigned int nl_group;
size_t copy_range;
size_t qthreshold;
char prefix[ULOG_PREFIX_LEN];
};
 
/* Format of the ULOG packets passed through netlink */
typedef struct ulog_packet_msg {
unsigned long mark;
long timestamp_sec;
long timestamp_usec;
unsigned int hook;
char indev_name[IFNAMSIZ];
char outdev_name[IFNAMSIZ];
size_t data_len;
char prefix[ULOG_PREFIX_LEN];
unsigned char mac_len;
unsigned char mac[ULOG_MAC_LEN];
unsigned char payload[0];
} ulog_packet_msg_t;
 
#endif /*_IPT_ULOG_H*/
/ip_conntrack_ftp.h
0,0 → 1,48
#ifndef _IP_CONNTRACK_FTP_H
#define _IP_CONNTRACK_FTP_H
/* FTP tracking. */
 
#ifdef __KERNEL__
 
#include <linux/netfilter_ipv4/lockhelp.h>
 
/* Protects ftp part of conntracks */
DECLARE_LOCK_EXTERN(ip_ftp_lock);
 
#define FTP_PORT 21
 
#endif /* __KERNEL__ */
 
enum ip_ct_ftp_type
{
/* PORT command from client */
IP_CT_FTP_PORT,
/* PASV response from server */
IP_CT_FTP_PASV,
/* EPRT command from client */
IP_CT_FTP_EPRT,
/* EPSV response from server */
IP_CT_FTP_EPSV,
};
 
/* This structure is per expected connection */
struct ip_ct_ftp_expect
{
/* We record seq number and length of ftp ip/port text here: all in
* host order. */
 
/* sequence number of IP address in packet is in ip_conntrack_expect */
u_int32_t len; /* length of IP address */
enum ip_ct_ftp_type ftptype; /* PORT or PASV ? */
u_int16_t port; /* TCP port that was to be used */
};
 
/* This structure exists only once per master */
struct ip_ct_ftp_master {
/* Next valid seq position for cmd matching after newline */
u_int32_t seq_aft_nl[IP_CT_DIR_MAX];
/* 0 means seq_match_aft_nl not set */
int seq_aft_nl_set[IP_CT_DIR_MAX];
};
 
#endif /* _IP_CONNTRACK_FTP_H */
/ip_conntrack_tuple.h
0,0 → 1,139
#ifndef _IP_CONNTRACK_TUPLE_H
#define _IP_CONNTRACK_TUPLE_H
 
/* A `tuple' is a structure containing the information to uniquely
identify a connection. ie. if two packets have the same tuple, they
are in the same connection; if not, they are not.
 
We divide the structure along "manipulatable" and
"non-manipulatable" lines, for the benefit of the NAT code.
*/
 
/* The protocol-specific manipulable parts of the tuple: always in
network order! */
union ip_conntrack_manip_proto
{
/* Add other protocols here. */
u_int16_t all;
 
struct {
u_int16_t port;
} tcp;
struct {
u_int16_t port;
} udp;
struct {
u_int16_t id;
} icmp;
};
 
/* The manipulable part of the tuple. */
struct ip_conntrack_manip
{
u_int32_t ip;
union ip_conntrack_manip_proto u;
};
 
/* This contains the information to distinguish a connection. */
struct ip_conntrack_tuple
{
struct ip_conntrack_manip src;
 
/* These are the parts of the tuple which are fixed. */
struct {
u_int32_t ip;
union {
/* Add other protocols here. */
u_int16_t all;
 
struct {
u_int16_t port;
} tcp;
struct {
u_int16_t port;
} udp;
struct {
u_int8_t type, code;
} icmp;
} u;
 
/* The protocol. */
u_int16_t protonum;
} dst;
};
 
/* This is optimized opposed to a memset of the whole structure. Everything we
* really care about is the source/destination unions */
#define IP_CT_TUPLE_U_BLANK(tuple) \
do { \
(tuple)->src.u.all = 0; \
(tuple)->dst.u.all = 0; \
} while (0)
 
enum ip_conntrack_dir
{
IP_CT_DIR_ORIGINAL,
IP_CT_DIR_REPLY,
IP_CT_DIR_MAX
};
 
#ifdef __KERNEL__
 
#define DUMP_TUPLE(tp) \
DEBUGP("tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n", \
(tp), (tp)->dst.protonum, \
NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all), \
NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all))
 
#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
 
/* If we're the first tuple, it's the original dir. */
#define DIRECTION(h) ((enum ip_conntrack_dir)(&(h)->ctrack->tuplehash[1] == (h)))
 
/* Connections have two entries in the hash table: one for each way */
struct ip_conntrack_tuple_hash
{
struct list_head list;
 
struct ip_conntrack_tuple tuple;
 
/* this == &ctrack->tuplehash[DIRECTION(this)]. */
struct ip_conntrack *ctrack;
};
 
#endif /* __KERNEL__ */
 
static inline int ip_ct_tuple_src_equal(const struct ip_conntrack_tuple *t1,
const struct ip_conntrack_tuple *t2)
{
return t1->src.ip == t2->src.ip
&& t1->src.u.all == t2->src.u.all;
}
 
static inline int ip_ct_tuple_dst_equal(const struct ip_conntrack_tuple *t1,
const struct ip_conntrack_tuple *t2)
{
return t1->dst.ip == t2->dst.ip
&& t1->dst.u.all == t2->dst.u.all
&& t1->dst.protonum == t2->dst.protonum;
}
 
static inline int ip_ct_tuple_equal(const struct ip_conntrack_tuple *t1,
const struct ip_conntrack_tuple *t2)
{
return ip_ct_tuple_src_equal(t1, t2) && ip_ct_tuple_dst_equal(t1, t2);
}
 
static inline int ip_ct_tuple_mask_cmp(const struct ip_conntrack_tuple *t,
const struct ip_conntrack_tuple *tuple,
const struct ip_conntrack_tuple *mask)
{
return !(((t->src.ip ^ tuple->src.ip) & mask->src.ip)
|| ((t->dst.ip ^ tuple->dst.ip) & mask->dst.ip)
|| ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all)
|| ((t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all)
|| ((t->dst.protonum ^ tuple->dst.protonum)
& mask->dst.protonum));
}
 
#endif /* _IP_CONNTRACK_TUPLE_H */
/listhelp.h
0,0 → 1,125
#ifndef _LISTHELP_H
#define _LISTHELP_H
#include <linux/config.h>
#include <linux/list.h>
#include <linux/netfilter_ipv4/lockhelp.h>
 
/* Header to do more comprehensive job than linux/list.h; assume list
is first entry in structure. */
 
/* Return pointer to first true entry, if any, or NULL. A macro
required to allow inlining of cmpfn. */
#define LIST_FIND(head, cmpfn, type, args...) \
({ \
const struct list_head *__i, *__j = NULL; \
\
ASSERT_READ_LOCK(head); \
list_for_each(__i, (head)) \
if (cmpfn((const type)__i , ## args)) { \
__j = __i; \
break; \
} \
(type)__j; \
})
 
#define LIST_FIND_W(head, cmpfn, type, args...) \
({ \
const struct list_head *__i, *__j = NULL; \
\
ASSERT_WRITE_LOCK(head); \
list_for_each(__i, (head)) \
if (cmpfn((type)__i , ## args)) { \
__j = __i; \
break; \
} \
(type)__j; \
})
 
/* Just like LIST_FIND but we search backwards */
#define LIST_FIND_B(head, cmpfn, type, args...) \
({ \
const struct list_head *__i, *__j = NULL; \
\
ASSERT_READ_LOCK(head); \
list_for_each_prev(__i, (head)) \
if (cmpfn((const type)__i , ## args)) { \
__j = __i; \
break; \
} \
(type)__j; \
})
 
static inline int
__list_cmp_same(const void *p1, const void *p2) { return p1 == p2; }
 
/* Is this entry in the list? */
static inline int
list_inlist(struct list_head *head, const void *entry)
{
return LIST_FIND(head, __list_cmp_same, void *, entry) != NULL;
}
 
/* Delete from list. */
#ifdef CONFIG_NETFILTER_DEBUG
#define LIST_DELETE(head, oldentry) \
do { \
ASSERT_WRITE_LOCK(head); \
if (!list_inlist(head, oldentry)) \
printk("LIST_DELETE: %s:%u `%s'(%p) not in %s.\n", \
__FILE__, __LINE__, #oldentry, oldentry, #head); \
else list_del((struct list_head *)oldentry); \
} while(0)
#else
#define LIST_DELETE(head, oldentry) list_del((struct list_head *)oldentry)
#endif
 
/* Append. */
static inline void
list_append(struct list_head *head, void *new)
{
ASSERT_WRITE_LOCK(head);
list_add((new), (head)->prev);
}
 
/* Prepend. */
static inline void
list_prepend(struct list_head *head, void *new)
{
ASSERT_WRITE_LOCK(head);
list_add(new, head);
}
 
/* Insert according to ordering function; insert before first true. */
#define LIST_INSERT(head, new, cmpfn) \
do { \
struct list_head *__i; \
ASSERT_WRITE_LOCK(head); \
list_for_each(__i, (head)) \
if ((new), (typeof (new))__i) \
break; \
list_add((struct list_head *)(new), __i->prev); \
} while(0)
 
/* If the field after the list_head is a nul-terminated string, you
can use these functions. */
static inline int __list_cmp_name(const void *i, const char *name)
{
return strcmp(name, i+sizeof(struct list_head)) == 0;
}
 
/* Returns false if same name already in list, otherwise does insert. */
static inline int
list_named_insert(struct list_head *head, void *new)
{
if (LIST_FIND(head, __list_cmp_name, void *,
new + sizeof(struct list_head)))
return 0;
list_prepend(head, new);
return 1;
}
 
/* Find this named element in the list. */
#define list_named_find(head, name) \
LIST_FIND(head, __list_cmp_name, void *, name)
 
#endif /*_LISTHELP_H*/
/ipt_tcpmss.h
0,0 → 1,9
#ifndef _IPT_TCPMSS_MATCH_H
#define _IPT_TCPMSS_MATCH_H
 
struct ipt_tcpmss_match_info {
u_int16_t mss_min, mss_max;
u_int8_t invert;
};
 
#endif /*_IPT_TCPMSS_MATCH_H*/
/ipt_TCPMSS.h
0,0 → 1,10
#ifndef _IPT_TCPMSS_H
#define _IPT_TCPMSS_H
 
struct ipt_tcpmss_info {
u_int16_t mss;
};
 
#define IPT_TCPMSS_CLAMP_PMTU 0xffff
 
#endif /*_IPT_TCPMSS_H*/
/ip_conntrack_protocol.h
0,0 → 1,65
/* Header for use in defining a given protocol for connection tracking. */
#ifndef _IP_CONNTRACK_PROTOCOL_H
#define _IP_CONNTRACK_PROTOCOL_H
#include <linux/netfilter_ipv4/ip_conntrack.h>
 
struct ip_conntrack_protocol
{
/* Next pointer. */
struct list_head list;
 
/* Protocol number. */
u_int8_t proto;
 
/* Protocol name */
const char *name;
 
/* Try to fill in the third arg; return true if possible. */
int (*pkt_to_tuple)(const void *datah, size_t datalen,
struct ip_conntrack_tuple *tuple);
 
/* Invert the per-proto part of the tuple: ie. turn xmit into reply.
* Some packets can't be inverted: return 0 in that case.
*/
int (*invert_tuple)(struct ip_conntrack_tuple *inverse,
const struct ip_conntrack_tuple *orig);
 
/* Print out the per-protocol part of the tuple. */
unsigned int (*print_tuple)(char *buffer,
const struct ip_conntrack_tuple *);
 
/* Print out the private part of the conntrack. */
unsigned int (*print_conntrack)(char *buffer,
const struct ip_conntrack *);
 
/* Returns verdict for packet, or -1 for invalid. */
int (*packet)(struct ip_conntrack *conntrack,
struct iphdr *iph, size_t len,
enum ip_conntrack_info ctinfo);
 
/* Called when a new connection for this protocol found;
* returns TRUE if it's OK. If so, packet() called next. */
int (*new)(struct ip_conntrack *conntrack, struct iphdr *iph,
size_t len);
 
/* Called when a conntrack entry is destroyed */
void (*destroy)(struct ip_conntrack *conntrack);
 
/* Has to decide if a expectation matches one packet or not */
int (*exp_matches_pkt)(struct ip_conntrack_expect *exp,
struct sk_buff **pskb);
 
/* Module (if any) which this is connected to. */
struct module *me;
};
 
/* Protocol registration. */
extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto);
extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto);
 
/* Existing built-in protocols */
extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp;
extern struct ip_conntrack_protocol ip_conntrack_protocol_udp;
extern struct ip_conntrack_protocol ip_conntrack_protocol_icmp;
extern int ip_conntrack_protocol_tcp_init(void);
#endif /*_IP_CONNTRACK_PROTOCOL_H*/
/ipt_length.h
0,0 → 1,9
#ifndef _IPT_LENGTH_H
#define _IPT_LENGTH_H
 
struct ipt_length_info {
u_int16_t min, max;
u_int8_t invert;
};
 
#endif /*_IPT_LENGTH_H*/
/ipt_LOG.h
0,0 → 1,15
#ifndef _IPT_LOG_H
#define _IPT_LOG_H
 
#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
#define IPT_LOG_MASK 0x07
 
struct ipt_log_info {
unsigned char level;
unsigned char logflags;
char prefix[30];
};
 
#endif /*_IPT_LOG_H*/
/ipt_conntrack.h
0,0 → 1,38
/* Header file for kernel module to match connection tracking information.
* GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
*/
 
#ifndef _IPT_CONNTRACK_H
#define _IPT_CONNTRACK_H
 
#define IPT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define IPT_CONNTRACK_STATE_INVALID (1 << 0)
 
#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
 
/* flags, invflags: */
#define IPT_CONNTRACK_STATE 0x01
#define IPT_CONNTRACK_PROTO 0x02
#define IPT_CONNTRACK_ORIGSRC 0x04
#define IPT_CONNTRACK_ORIGDST 0x08
#define IPT_CONNTRACK_REPLSRC 0x10
#define IPT_CONNTRACK_REPLDST 0x20
#define IPT_CONNTRACK_STATUS 0x40
#define IPT_CONNTRACK_EXPIRES 0x80
 
struct ipt_conntrack_info
{
unsigned int statemask, statusmask;
 
struct ip_conntrack_tuple tuple[IP_CT_DIR_MAX];
struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
 
unsigned long expires_min, expires_max;
 
/* Flags word */
u_int8_t flags;
/* Inverse flags */
u_int8_t invflags;
};
#endif /*_IPT_CONNTRACK_H*/
/ip_nat_rule.h
0,0 → 1,23
#ifndef _IP_NAT_RULE_H
#define _IP_NAT_RULE_H
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_nat.h>
 
#ifdef __KERNEL__
 
extern int ip_nat_rule_init(void) __init;
extern void ip_nat_rule_cleanup(void);
extern int ip_nat_rule_find(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in,
const struct net_device *out,
struct ip_conntrack *ct,
struct ip_nat_info *info);
 
extern unsigned int
alloc_null_binding(struct ip_conntrack *conntrack,
struct ip_nat_info *info,
unsigned int hooknum);
#endif
#endif /* _IP_NAT_RULE_H */
/ip_tables.h
0,0 → 1,447
/*
* 25-Jul-1998 Major changes to allow for ip chain table
*
* 3-Jan-2000 Named tables to allow packet selection for different uses.
*/
 
/*
* Format of an IP firewall descriptor
*
* src, dst, src_mask, dst_mask are always stored in network byte order.
* flags are stored in host byte order (of course).
* Port numbers are stored in HOST byte order.
*/
 
#ifndef _IPTABLES_H
#define _IPTABLES_H
 
#ifdef __KERNEL__
#include <linux/if.h>
#include <linux/types.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
#endif
#include <linux/netfilter_ipv4.h>
 
#define IPT_FUNCTION_MAXNAMELEN 30
#define IPT_TABLE_MAXNAMELEN 32
 
/* Yes, Virginia, you have to zero the padding. */
struct ipt_ip {
/* Source and destination IP addr */
struct in_addr src, dst;
/* Mask for src and dest IP addr */
struct in_addr smsk, dmsk;
char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
 
/* Protocol, 0 = ANY */
u_int16_t proto;
 
/* Flags word */
u_int8_t flags;
/* Inverse flags */
u_int8_t invflags;
};
 
struct ipt_entry_match
{
union {
struct {
u_int16_t match_size;
 
/* Used by userspace */
char name[IPT_FUNCTION_MAXNAMELEN];
} user;
struct {
u_int16_t match_size;
 
/* Used inside the kernel */
struct ipt_match *match;
} kernel;
 
/* Total length */
u_int16_t match_size;
} u;
 
unsigned char data[0];
};
 
struct ipt_entry_target
{
union {
struct {
u_int16_t target_size;
 
/* Used by userspace */
char name[IPT_FUNCTION_MAXNAMELEN];
} user;
struct {
u_int16_t target_size;
 
/* Used inside the kernel */
struct ipt_target *target;
} kernel;
 
/* Total length */
u_int16_t target_size;
} u;
 
unsigned char data[0];
};
 
struct ipt_standard_target
{
struct ipt_entry_target target;
int verdict;
};
 
struct ipt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
 
/* Values for "flag" field in struct ipt_ip (general ip structure). */
#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
#define IPT_F_MASK 0x01 /* All possible flag bits mask. */
 
/* Values for "inv" field in struct ipt_ip. */
#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */
#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */
#define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */
 
/* This structure defines each of the firewall rules. Consists of 3
parts which are 1) general IP header stuff 2) match specific
stuff 3) the target to perform if the rule matches */
struct ipt_entry
{
struct ipt_ip ip;
 
/* Mark with fields that we care about. */
unsigned int nfcache;
 
/* Size of ipt_entry + matches */
u_int16_t target_offset;
/* Size of ipt_entry + matches + target */
u_int16_t next_offset;
 
/* Back pointer */
unsigned int comefrom;
 
/* Packet and byte counters. */
struct ipt_counters counters;
 
/* The matches (if any), then the target. */
unsigned char elems[0];
};
 
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use a raw
* socket for this. Instead we check rights in the calls. */
#define IPT_BASE_CTL 64 /* base for firewall socket options */
 
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS
 
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
#define IPT_SO_GET_MAX IPT_SO_GET_ENTRIES
 
/* CONTINUE verdict for targets */
#define IPT_CONTINUE 0xFFFFFFFF
 
/* For standard target */
#define IPT_RETURN (-NF_MAX_VERDICT - 1)
 
/* TCP matching stuff */
struct ipt_tcp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t option; /* TCP Option iff non-zero*/
u_int8_t flg_mask; /* TCP flags mask byte */
u_int8_t flg_cmp; /* TCP flags compare byte */
u_int8_t invflags; /* Inverse flags */
};
 
/* Values for "inv" field in struct ipt_tcp. */
#define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
#define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
#define IPT_TCP_INV_MASK 0x0F /* All possible flags. */
 
/* UDP matching stuff */
struct ipt_udp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t invflags; /* Inverse flags */
};
 
/* Values for "invflags" field in struct ipt_udp. */
#define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define IPT_UDP_INV_MASK 0x03 /* All possible flags. */
 
/* ICMP matching stuff */
struct ipt_icmp
{
u_int8_t type; /* type to match */
u_int8_t code[2]; /* range of code */
u_int8_t invflags; /* Inverse flags */
};
 
/* Values for "inv" field for struct ipt_icmp. */
#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */
 
/* The argument to IPT_SO_GET_INFO */
struct ipt_getinfo
{
/* Which table: caller fills this in. */
char name[IPT_TABLE_MAXNAMELEN];
 
/* Kernel fills these in. */
/* Which hook entry points are valid: bitmask */
unsigned int valid_hooks;
 
/* Hook entry points: one per netfilter hook. */
unsigned int hook_entry[NF_IP_NUMHOOKS];
 
/* Underflow points. */
unsigned int underflow[NF_IP_NUMHOOKS];
 
/* Number of entries */
unsigned int num_entries;
 
/* Size of entries. */
unsigned int size;
};
 
/* The argument to IPT_SO_SET_REPLACE. */
struct ipt_replace
{
/* Which table. */
char name[IPT_TABLE_MAXNAMELEN];
 
/* Which hook entry points are valid: bitmask. You can't
change this. */
unsigned int valid_hooks;
 
/* Number of entries */
unsigned int num_entries;
 
/* Total size of new entries */
unsigned int size;
 
/* Hook entry points. */
unsigned int hook_entry[NF_IP_NUMHOOKS];
 
/* Underflow points. */
unsigned int underflow[NF_IP_NUMHOOKS];
 
/* Information about old entries: */
/* Number of counters (must be equal to current number of entries). */
unsigned int num_counters;
/* The old entries' counters. */
struct ipt_counters *counters;
 
/* The entries (hang off end: not really an array). */
struct ipt_entry entries[0];
};
 
/* The argument to IPT_SO_ADD_COUNTERS. */
struct ipt_counters_info
{
/* Which table. */
char name[IPT_TABLE_MAXNAMELEN];
 
unsigned int num_counters;
 
/* The counters (actually `number' of these). */
struct ipt_counters counters[0];
};
 
/* The argument to IPT_SO_GET_ENTRIES. */
struct ipt_get_entries
{
/* Which table: user fills this in. */
char name[IPT_TABLE_MAXNAMELEN];
 
/* User fills this in: total entry size. */
unsigned int size;
 
/* The entries. */
struct ipt_entry entrytable[0];
};
 
/* Standard return verdict, or do jump. */
#define IPT_STANDARD_TARGET ""
/* Error verdict. */
#define IPT_ERROR_TARGET "ERROR"
 
/* Helper functions */
static __inline__ struct ipt_entry_target *
ipt_get_target(struct ipt_entry *e)
{
return (void *)e + e->target_offset;
}
 
/* fn returns 0 to continue iteration */
#define IPT_MATCH_ITERATE(e, fn, args...) \
({ \
unsigned int __i; \
int __ret = 0; \
struct ipt_entry_match *__match; \
\
for (__i = sizeof(struct ipt_entry); \
__i < (e)->target_offset; \
__i += __match->u.match_size) { \
__match = (void *)(e) + __i; \
\
__ret = fn(__match , ## args); \
if (__ret != 0) \
break; \
} \
__ret; \
})
 
/* fn returns 0 to continue iteration */
#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
({ \
unsigned int __i; \
int __ret = 0; \
struct ipt_entry *__entry; \
\
for (__i = 0; __i < (size); __i += __entry->next_offset) { \
__entry = (void *)(entries) + __i; \
\
__ret = fn(__entry , ## args); \
if (__ret != 0) \
break; \
} \
__ret; \
})
 
/*
* Main firewall chains definitions and global var's definitions.
*/
#ifdef __KERNEL__
 
#include <linux/init.h>
extern void ipt_init(void) __init;
 
struct ipt_match
{
struct list_head list;
 
const char name[IPT_FUNCTION_MAXNAMELEN];
 
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
const void *hdr,
u_int16_t datalen,
int *hotdrop);
 
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ipt_ip *ip,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask);
 
/* Called when entry of this type deleted. */
void (*destroy)(void *matchinfo, unsigned int matchinfosize);
 
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
 
/* Registration hooks for targets. */
struct ipt_target
{
struct list_head list;
 
const char name[IPT_FUNCTION_MAXNAMELEN];
 
/* Returns verdict. */
unsigned int (*target)(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in,
const struct net_device *out,
const void *targinfo,
void *userdata);
 
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ipt_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
 
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
 
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
 
extern int ipt_register_target(struct ipt_target *target);
extern void ipt_unregister_target(struct ipt_target *target);
 
extern int ipt_register_match(struct ipt_match *match);
extern void ipt_unregister_match(struct ipt_match *match);
 
/* Furniture shopping... */
struct ipt_table
{
struct list_head list;
 
/* A unique name... */
char name[IPT_TABLE_MAXNAMELEN];
 
/* Seed table: copied in register_table */
struct ipt_replace *table;
 
/* What hooks you will enter on */
unsigned int valid_hooks;
 
/* Lock for the curtain */
rwlock_t lock;
 
/* Man behind the curtain... */
struct ipt_table_info *private;
 
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
 
extern int ipt_register_table(struct ipt_table *table);
extern void ipt_unregister_table(struct ipt_table *table);
extern unsigned int ipt_do_table(struct sk_buff **pskb,
unsigned int hook,
const struct net_device *in,
const struct net_device *out,
struct ipt_table *table,
void *userdata);
 
#define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1))
#endif /*__KERNEL__*/
#endif /* _IPTABLES_H */
/ipt_dscp.h
0,0 → 1,23
/* iptables module for matching the IPv4 DSCP field
*
* (C) 2002 Harald Welte <laforge@gnumonks.org>
* This software is distributed under GNU GPL v2, 1991
*
* See RFC2474 for a description of the DSCP field within the IP Header.
*
* ipt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
*/
#ifndef _IPT_DSCP_H
#define _IPT_DSCP_H
 
#define IPT_DSCP_MASK 0xfc /* 11111100 */
#define IPT_DSCP_SHIFT 2
#define IPT_DSCP_MAX 0x3f /* 00111111 */
 
/* match info */
struct ipt_dscp_info {
u_int8_t dscp;
u_int8_t invert;
};
 
#endif /* _IPT_DSCP_H */
/ipt_DSCP.h
0,0 → 1,20
/* iptables module for setting the IPv4 DSCP field
*
* (C) 2002 Harald Welte <laforge@gnumonks.org>
* based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
* This software is distributed under GNU GPL v2, 1991
*
* See RFC2474 for a description of the DSCP field within the IP Header.
*
* ipt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
*/
#ifndef _IPT_DSCP_TARGET_H
#define _IPT_DSCP_TARGET_H
#include <linux/netfilter_ipv4/ipt_dscp.h>
 
/* target info */
struct ipt_DSCP_info {
u_int8_t dscp;
};
 
#endif /* _IPT_DSCP_TARGET_H */
/ipt_mark.h
0,0 → 1,9
#ifndef _IPT_MARK_H
#define _IPT_MARK_H
 
struct ipt_mark_info {
unsigned long mark, mask;
u_int8_t invert;
};
 
#endif /*_IPT_MARK_H*/
/ipt_MARK.h
0,0 → 1,8
#ifndef _IPT_MARK_H_target
#define _IPT_MARK_H_target
 
struct ipt_mark_target_info {
unsigned long mark;
};
 
#endif /*_IPT_MARK_H_target*/
/ip_conntrack_helper.h
0,0 → 1,45
/* IP connection tracking helpers. */
#ifndef _IP_CONNTRACK_HELPER_H
#define _IP_CONNTRACK_HELPER_H
#include <linux/netfilter_ipv4/ip_conntrack.h>
 
struct module;
 
/* Reuse expectation when max_expected reached */
#define IP_CT_HELPER_F_REUSE_EXPECT 0x01
 
struct ip_conntrack_helper
{
struct list_head list; /* Internal use. */
 
const char *name; /* name of the module */
unsigned char flags; /* Flags (see above) */
struct module *me; /* pointer to self */
unsigned int max_expected; /* Maximum number of concurrent
* expected connections */
unsigned int timeout; /* timeout for expecteds */
 
/* Mask of things we will help (compared against server response) */
struct ip_conntrack_tuple tuple;
struct ip_conntrack_tuple mask;
/* Function to call when data passes; return verdict, or -1 to
invalidate. */
int (*help)(const struct iphdr *, size_t len,
struct ip_conntrack *ct,
enum ip_conntrack_info conntrackinfo);
};
 
extern int ip_conntrack_helper_register(struct ip_conntrack_helper *);
extern void ip_conntrack_helper_unregister(struct ip_conntrack_helper *);
 
extern struct ip_conntrack_helper *ip_ct_find_helper(const struct ip_conntrack_tuple *tuple);
 
/* Add an expected connection: can have more than one per connection */
extern int ip_conntrack_expect_related(struct ip_conntrack *related_to,
struct ip_conntrack_expect *exp);
extern int ip_conntrack_change_expect(struct ip_conntrack_expect *expect,
struct ip_conntrack_tuple *newtuple);
extern void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp);
 
#endif /*_IP_CONNTRACK_HELPER_H*/
/ip_nat.h
0,0 → 1,130
#ifndef _IP_NAT_H
#define _IP_NAT_H
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
 
#define IP_NAT_MAPPING_TYPE_MAX_NAMELEN 16
 
enum ip_nat_manip_type
{
IP_NAT_MANIP_SRC,
IP_NAT_MANIP_DST
};
 
#ifndef CONFIG_IP_NF_NAT_LOCAL
/* SRC manip occurs only on POST_ROUTING */
#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING)
#else
/* SRC manip occurs POST_ROUTING or LOCAL_IN */
#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN)
#endif
 
/* 2.3.19 (I hope) will define this in linux/netfilter_ipv4.h. */
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80
#endif
 
#define IP_NAT_RANGE_MAP_IPS 1
#define IP_NAT_RANGE_PROTO_SPECIFIED 2
/* Used internally by get_unique_tuple(). */
#define IP_NAT_RANGE_FULL 4
 
/* NAT sequence number modifications */
struct ip_nat_seq {
/* position of the last TCP sequence number
* modification (if any) */
u_int32_t correction_pos;
/* sequence number offset before and after last modification */
int32_t offset_before, offset_after;
};
 
/* Single range specification. */
struct ip_nat_range
{
/* Set to OR of flags above. */
unsigned int flags;
 
/* Inclusive: network order. */
u_int32_t min_ip, max_ip;
 
/* Inclusive: network order */
union ip_conntrack_manip_proto min, max;
};
 
/* A range consists of an array of 1 or more ip_nat_range */
struct ip_nat_multi_range
{
unsigned int rangesize;
 
/* hangs off end. */
struct ip_nat_range range[1];
};
 
/* Worst case: local-out manip + 1 post-routing, and reverse dirn. */
#define IP_NAT_MAX_MANIPS (2*3)
 
struct ip_nat_info_manip
{
/* The direction. */
u_int8_t direction;
 
/* Which hook the manipulation happens on. */
u_int8_t hooknum;
 
/* The manipulation type. */
u_int8_t maniptype;
 
/* Manipulations to occur at each conntrack in this dirn. */
struct ip_conntrack_manip manip;
};
 
#ifdef __KERNEL__
#include <linux/list.h>
#include <linux/netfilter_ipv4/lockhelp.h>
 
/* Protects NAT hash tables, and NAT-private part of conntracks. */
DECLARE_RWLOCK_EXTERN(ip_nat_lock);
 
/* Hashes for by-source and IP/protocol. */
struct ip_nat_hash
{
struct list_head list;
 
/* conntrack we're embedded in: NULL if not in hash. */
struct ip_conntrack *conntrack;
};
 
/* The structure embedded in the conntrack structure. */
struct ip_nat_info
{
/* Set to zero when conntrack created: bitmask of maniptypes */
int initialized;
 
unsigned int num_manips;
 
/* Manipulations to be done on this conntrack. */
struct ip_nat_info_manip manips[IP_NAT_MAX_MANIPS];
 
struct ip_nat_hash bysource, byipsproto;
 
/* Helper (NULL if none). */
struct ip_nat_helper *helper;
 
struct ip_nat_seq seq[IP_CT_DIR_MAX];
};
 
/* Set up the info structure to map into this range. */
extern unsigned int ip_nat_setup_info(struct ip_conntrack *conntrack,
const struct ip_nat_multi_range *mr,
unsigned int hooknum);
 
/* Is this tuple already taken? (not by us)*/
extern int ip_nat_used_tuple(const struct ip_conntrack_tuple *tuple,
const struct ip_conntrack *ignored_conntrack);
 
/* Calculate relative checksum. */
extern u_int16_t ip_nat_cheat_check(u_int32_t oldvalinv,
u_int32_t newval,
u_int16_t oldcheck);
#endif /*__KERNEL__*/
#endif
/ipt_multiport.h
0,0 → 1,21
#ifndef _IPT_MULTIPORT_H
#define _IPT_MULTIPORT_H
#include <linux/netfilter_ipv4/ip_tables.h>
 
enum ipt_multiport_flags
{
IPT_MULTIPORT_SOURCE,
IPT_MULTIPORT_DESTINATION,
IPT_MULTIPORT_EITHER
};
 
#define IPT_MULTI_PORTS 15
 
/* Must fit inside union ipt_matchinfo: 16 bytes */
struct ipt_multiport
{
u_int8_t flags; /* Type of comparison */
u_int8_t count; /* Number of ports */
u_int16_t ports[IPT_MULTI_PORTS]; /* Ports */
};
#endif /*_IPT_MULTIPORT_H*/
/ip_conntrack_amanda.h
0,0 → 1,12
#ifndef _IP_CONNTRACK_AMANDA_H
#define _IP_CONNTRACK_AMANDA_H
/* AMANDA tracking. */
 
struct ip_ct_amanda_expect
{
u_int16_t port; /* port number of this expectation */
u_int16_t offset; /* offset of port in ctrl packet */
u_int16_t len; /* length of the port number string */
};
 
#endif /* _IP_CONNTRACK_AMANDA_H */
/ipt_mac.h
0,0 → 1,8
#ifndef _IPT_MAC_H
#define _IPT_MAC_H
 
struct ipt_mac_info {
unsigned char srcaddr[ETH_ALEN];
int invert;
};
#endif /*_IPT_MAC_H*/
/ip_queue.h
0,0 → 1,72
/*
* This is a module which is used for queueing IPv4 packets and
* communicating with userspace via netlink.
*
* (C) 2000 James Morris, this code is GPL.
*/
#ifndef _IP_QUEUE_H
#define _IP_QUEUE_H
 
#ifdef __KERNEL__
#ifdef DEBUG_IPQ
#define QDEBUG(x...) printk(KERN_DEBUG ## x)
#else
#define QDEBUG(x...)
#endif /* DEBUG_IPQ */
#else
#include <net/if.h>
#endif /* ! __KERNEL__ */
 
/* Messages sent from kernel */
typedef struct ipq_packet_msg {
unsigned long packet_id; /* ID of queued packet */
unsigned long mark; /* Netfilter mark value */
long timestamp_sec; /* Packet arrival time (seconds) */
long timestamp_usec; /* Packet arrvial time (+useconds) */
unsigned int hook; /* Netfilter hook we rode in on */
char indev_name[IFNAMSIZ]; /* Name of incoming interface */
char outdev_name[IFNAMSIZ]; /* Name of outgoing interface */
unsigned short hw_protocol; /* Hardware protocol (network order) */
unsigned short hw_type; /* Hardware type */
unsigned char hw_addrlen; /* Hardware address length */
unsigned char hw_addr[8]; /* Hardware address */
size_t data_len; /* Length of packet data */
unsigned char payload[0]; /* Optional packet data */
} ipq_packet_msg_t;
 
/* Messages sent from userspace */
typedef struct ipq_mode_msg {
unsigned char value; /* Requested mode */
size_t range; /* Optional range of packet requested */
} ipq_mode_msg_t;
 
typedef struct ipq_verdict_msg {
unsigned int value; /* Verdict to hand to netfilter */
unsigned long id; /* Packet ID for this verdict */
size_t data_len; /* Length of replacement data */
unsigned char payload[0]; /* Optional replacement packet */
} ipq_verdict_msg_t;
 
typedef struct ipq_peer_msg {
union {
ipq_verdict_msg_t verdict;
ipq_mode_msg_t mode;
} msg;
} ipq_peer_msg_t;
 
/* Packet delivery modes */
enum {
IPQ_COPY_NONE, /* Initial mode, packets are dropped */
IPQ_COPY_META, /* Copy metadata */
IPQ_COPY_PACKET /* Copy metadata + packet (range) */
};
#define IPQ_COPY_MAX IPQ_COPY_PACKET
 
/* Types of messages */
#define IPQM_BASE 0x10 /* standard netlink messages below this */
#define IPQM_MODE (IPQM_BASE + 1) /* Mode request from peer */
#define IPQM_VERDICT (IPQM_BASE + 2) /* Verdict from peer */
#define IPQM_PACKET (IPQM_BASE + 3) /* Packet from kernel */
#define IPQM_MAX (IPQM_BASE + 4)
 
#endif /*_IP_QUEUE_H*/
/ipt_ttl.h
0,0 → 1,21
/* IP tables module for matching the value of the TTL
* (C) 2000 by Harald Welte <laforge@gnumonks.org> */
 
#ifndef _IPT_TTL_H
#define _IPT_TTL_H
 
enum {
IPT_TTL_EQ = 0, /* equals */
IPT_TTL_NE, /* not equals */
IPT_TTL_LT, /* less than */
IPT_TTL_GT, /* greater than */
};
 
 
struct ipt_ttl_info {
u_int8_t mode;
u_int8_t ttl;
};
 
 
#endif
/ip_conntrack_tcp.h
0,0 → 1,28
#ifndef _IP_CONNTRACK_TCP_H
#define _IP_CONNTRACK_TCP_H
/* TCP tracking. */
 
enum tcp_conntrack {
TCP_CONNTRACK_NONE,
TCP_CONNTRACK_ESTABLISHED,
TCP_CONNTRACK_SYN_SENT,
TCP_CONNTRACK_SYN_RECV,
TCP_CONNTRACK_FIN_WAIT,
TCP_CONNTRACK_TIME_WAIT,
TCP_CONNTRACK_CLOSE,
TCP_CONNTRACK_CLOSE_WAIT,
TCP_CONNTRACK_LAST_ACK,
TCP_CONNTRACK_LISTEN,
TCP_CONNTRACK_MAX
};
 
struct ip_ct_tcp
{
enum tcp_conntrack state;
 
/* Poor man's window tracking: sequence number of valid ACK
handshake completion packet */
u_int32_t handshake_ack;
};
 
#endif /* _IP_CONNTRACK_TCP_H */
/ipt_ecn.h
0,0 → 1,33
/* iptables module for matching the ECN header in IPv4 and TCP header
*
* (C) 2002 Harald Welte <laforge@gnumonks.org>
*
* This software is distributed under GNU GPL v2, 1991
*
* ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
*/
#ifndef _IPT_ECN_H
#define _IPT_ECN_H
#include <linux/netfilter_ipv4/ipt_dscp.h>
 
#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK)
 
#define IPT_ECN_OP_MATCH_IP 0x01
#define IPT_ECN_OP_MATCH_ECE 0x10
#define IPT_ECN_OP_MATCH_CWR 0x20
 
#define IPT_ECN_OP_MATCH_MASK 0xce
 
/* match info */
struct ipt_ecn_info {
u_int8_t operation;
u_int8_t invert;
u_int8_t ip_ect;
union {
struct {
u_int8_t ect;
} tcp;
} proto;
};
 
#endif /* _IPT_ECN_H */
/ipt_TOS.h
0,0 → 1,12
#ifndef _IPT_TOS_H_target
#define _IPT_TOS_H_target
 
#ifndef IPTOS_NORMALSVC
#define IPTOS_NORMALSVC 0
#endif
 
struct ipt_tos_target_info {
u_int8_t tos;
};
 
#endif /*_IPT_TOS_H_target*/
/ip_conntrack_icmp.h
0,0 → 1,11
#ifndef _IP_CONNTRACK_ICMP_H
#define _IP_CONNTRACK_ICMP_H
/* ICMP tracking. */
#include <asm/atomic.h>
 
struct ip_ct_icmp
{
/* Optimization: when number in == number out, forget immediately. */
atomic_t count;
};
#endif /* _IP_CONNTRACK_ICMP_H */
/ip_nat_core.h
0,0 → 1,33
#ifndef _IP_NAT_CORE_H
#define _IP_NAT_CORE_H
#include <linux/list.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>
 
/* This header used to share core functionality between the standalone
NAT module, and the compatibility layer's use of NAT for masquerading. */
extern int ip_nat_init(void);
extern void ip_nat_cleanup(void);
 
extern unsigned int do_bindings(struct ip_conntrack *ct,
enum ip_conntrack_info conntrackinfo,
struct ip_nat_info *info,
unsigned int hooknum,
struct sk_buff **pskb);
 
extern struct list_head protos;
 
extern unsigned int icmp_reply_translation(struct sk_buff *skb,
struct ip_conntrack *conntrack,
unsigned int hooknum,
int dir);
 
extern void replace_in_hashes(struct ip_conntrack *conntrack,
struct ip_nat_info *info);
extern void place_in_hashes(struct ip_conntrack *conntrack,
struct ip_nat_info *info);
 
/* Built-in protocols. */
extern struct ip_nat_protocol ip_nat_protocol_tcp;
extern struct ip_nat_protocol ip_nat_protocol_udp;
extern struct ip_nat_protocol ip_nat_protocol_icmp;
#endif /* _IP_NAT_CORE_H */
/ipt_REJECT.h
0,0 → 1,20
#ifndef _IPT_REJECT_H
#define _IPT_REJECT_H
 
enum ipt_reject_with {
IPT_ICMP_NET_UNREACHABLE,
IPT_ICMP_HOST_UNREACHABLE,
IPT_ICMP_PROT_UNREACHABLE,
IPT_ICMP_PORT_UNREACHABLE,
IPT_ICMP_ECHOREPLY,
IPT_ICMP_NET_PROHIBITED,
IPT_ICMP_HOST_PROHIBITED,
IPT_TCP_RESET,
IPT_ICMP_ADMIN_PROHIBITED
};
 
struct ipt_reject_info {
enum ipt_reject_with with; /* reject type */
};
 
#endif /*_IPT_REJECT_H*/

powered by: WebSVN 2.1.0

© copyright 1999-2024 OpenCores.org, equivalent to Oliscience, all rights reserved. OpenCores®, registered trademark.