authorDavid Howells <dhowells@redhat.com>2012-10-09 04:48:54 -0400
committerDavid Howells <dhowells@redhat.com>2012-10-09 04:48:54 -0400
commit94d0ec58e63159ce5bcdfe612ee220eaeefa3b2a (patch)
treeec8326cdbfd3a323067ca17760d2f14193b81342 /include/uapi
parent27a3aadcdc4f07c55f4d04e71268b6653ab4a4cf (diff)
UAPI: (Scripted) Disintegrate include/linux/netfilter
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Dave Jones <davej@redhat.com>
Diffstat (limited to 'include/uapi')
-rw-r--r--include/uapi/linux/netfilter/Kbuild76
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_common.h117
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_ftp.h18
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_sctp.h25
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_tcp.h51
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_tuple_common.h39
-rw-r--r--include/uapi/linux/netfilter/nf_nat.h33
-rw-r--r--include/uapi/linux/netfilter/nfnetlink.h56
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_acct.h27
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_compat.h63
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_conntrack.h248
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_cthelper.h55
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_cttimeout.h114
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_log.h97
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_queue.h101
-rw-r--r--include/uapi/linux/netfilter/x_tables.h187
-rw-r--r--include/uapi/linux/netfilter/xt_AUDIT.h30
-rw-r--r--include/uapi/linux/netfilter/xt_CHECKSUM.h20
-rw-r--r--include/uapi/linux/netfilter/xt_CLASSIFY.h10
-rw-r--r--include/uapi/linux/netfilter/xt_CONNMARK.h6
-rw-r--r--include/uapi/linux/netfilter/xt_CONNSECMARK.h15
-rw-r--r--include/uapi/linux/netfilter/xt_CT.h31
-rw-r--r--include/uapi/linux/netfilter/xt_DSCP.h26
-rw-r--r--include/uapi/linux/netfilter/xt_IDLETIMER.h45
-rw-r--r--include/uapi/linux/netfilter/xt_LED.h15
-rw-r--r--include/uapi/linux/netfilter/xt_LOG.h19
-rw-r--r--include/uapi/linux/netfilter/xt_MARK.h6
-rw-r--r--include/uapi/linux/netfilter/xt_NFLOG.h20
-rw-r--r--include/uapi/linux/netfilter/xt_NFQUEUE.h29
-rw-r--r--include/uapi/linux/netfilter/xt_RATEEST.h15
-rw-r--r--include/uapi/linux/netfilter/xt_SECMARK.h22
-rw-r--r--include/uapi/linux/netfilter/xt_TCPMSS.h12
-rw-r--r--include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h15
-rw-r--r--include/uapi/linux/netfilter/xt_TEE.h12
-rw-r--r--include/uapi/linux/netfilter/xt_TPROXY.h23
-rw-r--r--include/uapi/linux/netfilter/xt_addrtype.h44
-rw-r--r--include/uapi/linux/netfilter/xt_cluster.h19
-rw-r--r--include/uapi/linux/netfilter/xt_comment.h10
-rw-r--r--include/uapi/linux/netfilter/xt_connbytes.h26
-rw-r--r--include/uapi/linux/netfilter/xt_connlimit.h32
-rw-r--r--include/uapi/linux/netfilter/xt_connmark.h31
-rw-r--r--include/uapi/linux/netfilter/xt_conntrack.h77
-rw-r--r--include/uapi/linux/netfilter/xt_cpu.h11
-rw-r--r--include/uapi/linux/netfilter/xt_dccp.h25
-rw-r--r--include/uapi/linux/netfilter/xt_devgroup.h21
-rw-r--r--include/uapi/linux/netfilter/xt_dscp.h31
-rw-r--r--include/uapi/linux/netfilter/xt_ecn.h35
-rw-r--r--include/uapi/linux/netfilter/xt_esp.h15
-rw-r--r--include/uapi/linux/netfilter/xt_hashlimit.h73
-rw-r--r--include/uapi/linux/netfilter/xt_helper.h8
-rw-r--r--include/uapi/linux/netfilter/xt_iprange.h20
-rw-r--r--include/uapi/linux/netfilter/xt_ipvs.h29
-rw-r--r--include/uapi/linux/netfilter/xt_length.h11
-rw-r--r--include/uapi/linux/netfilter/xt_limit.h24
-rw-r--r--include/uapi/linux/netfilter/xt_mac.h8
-rw-r--r--include/uapi/linux/netfilter/xt_mark.h15
-rw-r--r--include/uapi/linux/netfilter/xt_multiport.h29
-rw-r--r--include/uapi/linux/netfilter/xt_nfacct.h13
-rw-r--r--include/uapi/linux/netfilter/xt_osf.h135
-rw-r--r--include/uapi/linux/netfilter/xt_owner.h18
-rw-r--r--include/uapi/linux/netfilter/xt_physdev.h23
-rw-r--r--include/uapi/linux/netfilter/xt_pkttype.h8
-rw-r--r--include/uapi/linux/netfilter/xt_policy.h69
-rw-r--r--include/uapi/linux/netfilter/xt_quota.h22
-rw-r--r--include/uapi/linux/netfilter/xt_rateest.h37
-rw-r--r--include/uapi/linux/netfilter/xt_realm.h12
-rw-r--r--include/uapi/linux/netfilter/xt_recent.h45
-rw-r--r--include/uapi/linux/netfilter/xt_sctp.h92
-rw-r--r--include/uapi/linux/netfilter/xt_set.h65
-rw-r--r--include/uapi/linux/netfilter/xt_socket.h14
-rw-r--r--include/uapi/linux/netfilter/xt_state.h12
-rw-r--r--include/uapi/linux/netfilter/xt_statistic.h36
-rw-r--r--include/uapi/linux/netfilter/xt_string.h34
-rw-r--r--include/uapi/linux/netfilter/xt_tcpmss.h11
-rw-r--r--include/uapi/linux/netfilter/xt_tcpudp.h36
-rw-r--r--include/uapi/linux/netfilter/xt_time.h32
-rw-r--r--include/uapi/linux/netfilter/xt_u32.h42
77 files changed, 3028 insertions, 0 deletions
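diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 4afbace8e86..08f555fef13 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
@@ -1,2 +1,78 @@
 # UAPI Header export list
 header-y += ipset/
+header-y += nf_conntrack_common.h
+header-y += nf_conntrack_ftp.h
+header-y += nf_conntrack_sctp.h
+header-y += nf_conntrack_tcp.h
+header-y += nf_conntrack_tuple_common.h
+header-y += nf_nat.h
+header-y += nfnetlink.h
+header-y += nfnetlink_acct.h
+header-y += nfnetlink_compat.h
+header-y += nfnetlink_conntrack.h
+header-y += nfnetlink_cthelper.h
+header-y += nfnetlink_cttimeout.h
+header-y += nfnetlink_log.h
+header-y += nfnetlink_queue.h
+header-y += x_tables.h
+header-y += xt_AUDIT.h
+header-y += xt_CHECKSUM.h
+header-y += xt_CLASSIFY.h
+header-y += xt_CONNMARK.h
+header-y += xt_CONNSECMARK.h
+header-y += xt_CT.h
+header-y += xt_DSCP.h
+header-y += xt_IDLETIMER.h
+header-y += xt_LED.h
+header-y += xt_LOG.h
+header-y += xt_MARK.h
+header-y += xt_NFLOG.h
+header-y += xt_NFQUEUE.h
+header-y += xt_RATEEST.h
+header-y += xt_SECMARK.h
+header-y += xt_TCPMSS.h
+header-y += xt_TCPOPTSTRIP.h
+header-y += xt_TEE.h
+header-y += xt_TPROXY.h
+header-y += xt_addrtype.h
+header-y += xt_cluster.h
+header-y += xt_comment.h
+header-y += xt_connbytes.h
+header-y += xt_connlimit.h
+header-y += xt_connmark.h
+header-y += xt_conntrack.h
+header-y += xt_cpu.h
+header-y += xt_dccp.h
+header-y += xt_devgroup.h
+header-y += xt_dscp.h
+header-y += xt_ecn.h
+header-y += xt_esp.h
+header-y += xt_hashlimit.h
+header-y += xt_helper.h
+header-y += xt_iprange.h
+header-y += xt_ipvs.h
+header-y += xt_length.h
+header-y += xt_limit.h
+header-y += xt_mac.h
+header-y += xt_mark.h
+header-y += xt_multiport.h
+header-y += xt_nfacct.h
+header-y += xt_osf.h
+header-y += xt_owner.h
+header-y += xt_physdev.h
+header-y += xt_pkttype.h
+header-y += xt_policy.h
+header-y += xt_quota.h
+header-y += xt_rateest.h
+header-y += xt_realm.h
+header-y += xt_recent.h
+header-y += xt_sctp.h
+header-y += xt_set.h
+header-y += xt_socket.h
+header-y += xt_state.h
+header-y += xt_statistic.h
+header-y += xt_string.h
+header-y += xt_tcpmss.h
+header-y += xt_tcpudp.h
+header-y += xt_time.h
+header-y += xt_u32.h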
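diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
new file mode 100644
index 00000000000..1644cdd8be9
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -0,0 +1,117 @@
+#ifndef _UAPI_NF_CONNTRACK_COMMON_H
+#define _UAPI_NF_CONNTRACK_COMMON_H
+/* Connection state tracking for netfilter. This is separated from,
+ but required by, the NAT layer; it can also be used by an iptables
+ extension. */
+enum ip_conntrack_info {
+ /* Part of an established connection (either direction). */
+ IP_CT_ESTABLISHED,
+
+ /* Like NEW, but related to an existing connection, or ICMP error
+ (in either direction). */
+ IP_CT_RELATED,
+
+ /* Started a new connection to track (only
+ IP_CT_DIR_ORIGINAL); may be a retransmission. */
+ IP_CT_NEW,
+
+ /* >= this indicates reply direction */
+ IP_CT_IS_REPLY,
+
+ IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
+ IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
+ IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,
+ /* Number of distinct IP_CT types (no NEW in reply dirn). */
+ IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+
+/* Bitset representing status of connection. */
+enum ip_conntrack_status {
+ /* It's an expected connection: bit 0 set. This bit never changed */
+ IPS_EXPECTED_BIT = 0,
+ IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+
+ /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
+ IPS_SEEN_REPLY_BIT = 1,
+ IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+
+ /* Conntrack should never be early-expired. */
+ IPS_ASSURED_BIT = 2,
+ IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+
+ /* Connection is confirmed: originating packet has left box */
+ IPS_CONFIRMED_BIT = 3,
+ IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+
+ /* Connection needs src nat in orig dir. This bit never changed. */
+ IPS_SRC_NAT_BIT = 4,
+ IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+
+ /* Connection needs dst nat in orig dir. This bit never changed. */
+ IPS_DST_NAT_BIT = 5,
+ IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+
+ /* Both together. */
+ IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+
+ /* Connection needs TCP sequence adjusted. */
+ IPS_SEQ_ADJUST_BIT = 6,
+ IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+
+ /* NAT initialization bits. */
+ IPS_SRC_NAT_DONE_BIT = 7,
+ IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+
+ IPS_DST_NAT_DONE_BIT = 8,
+ IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+
+ /* Both together */
+ IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+
+ /* Connection is dying (removed from lists), can not be unset. */
+ IPS_DYING_BIT = 9,
+ IPS_DYING = (1 << IPS_DYING_BIT),
+
+ /* Connection has fixed timeout. */
+ IPS_FIXED_TIMEOUT_BIT = 10,
+ IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+
+ /* Conntrack is a template */
+ IPS_TEMPLATE_BIT = 11,
+ IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
+
+ /* Conntrack is a fake untracked entry */
+ IPS_UNTRACKED_BIT = 12,
+ IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
+
+ /* Conntrack got a helper explicitly attached via CT target. */
+ IPS_HELPER_BIT = 13,
+ IPS_HELPER = (1 << IPS_HELPER_BIT),
+};
+
+/* Connection tracking event types */
+enum ip_conntrack_events {
+ IPCT_NEW, /* new conntrack */
+ IPCT_RELATED, /* related conntrack */
+ IPCT_DESTROY, /* destroyed conntrack */
+ IPCT_REPLY, /* connection has seen two-way traffic */
+ IPCT_ASSURED, /* connection status has changed to assured */
+ IPCT_PROTOINFO, /* protocol information has changed */
+ IPCT_HELPER, /* new helper has been set */
+ IPCT_MARK, /* new mark has been set */
+ IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */
+ IPCT_SECMARK, /* new security mark has been set */
+};
+
+enum ip_conntrack_expect_events {
+ IPEXP_NEW, /* new expectation */
+ IPEXP_DESTROY, /* destroyed expectation */
+};
+
+/* expectation flags */
+#define NF_CT_EXPECT_PERMANENT 0x1
+#define NF_CT_EXPECT_INACTIVE 0x2
+#define NF_CT_EXPECT_USERSPACE 0x4
+
+
+#endif /* _UAPI_NF_CONNTRACK_COMMON_H */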
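diff --git a/include/uapi/linux/netfilter/nf_conntrack_ftp.h b/include/uapi/linux/netfilter/nf_conntrack_ftp.h
new file mode 100644
index 00000000000..1030315a41b
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_ftp.h
@@ -0,0 +1,18 @@
+#ifndef _UAPI_NF_CONNTRACK_FTP_H
+#define _UAPI_NF_CONNTRACK_FTP_H
+/* FTP tracking. */
+
+/* This enum is exposed to userspace */
+enum nf_ct_ftp_type {
+ /* PORT command from client */
+ NF_CT_FTP_PORT,
+ /* PASV response from server */
+ NF_CT_FTP_PASV,
+ /* EPRT command from client */
+ NF_CT_FTP_EPRT,
+ /* EPSV response from server */
+ NF_CT_FTP_EPSV,
+};
+
+
+#endif /* _UAPI_NF_CONNTRACK_FTP_H */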
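diff --git a/include/uapi/linux/netfilter/nf_conntrack_sctp.h b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
new file mode 100644
index 00000000000..ceeefe6681b
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
@@ -0,0 +1,25 @@
+#ifndef _NF_CONNTRACK_SCTP_H
+#define _NF_CONNTRACK_SCTP_H
+/* SCTP tracking. */
+
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+enum sctp_conntrack {
+ SCTP_CONNTRACK_NONE,
+ SCTP_CONNTRACK_CLOSED,
+ SCTP_CONNTRACK_COOKIE_WAIT,
+ SCTP_CONNTRACK_COOKIE_ECHOED,
+ SCTP_CONNTRACK_ESTABLISHED,
+ SCTP_CONNTRACK_SHUTDOWN_SENT,
+ SCTP_CONNTRACK_SHUTDOWN_RECD,
+ SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
+ SCTP_CONNTRACK_MAX
+};
+
+struct ip_ct_sctp {
+ enum sctp_conntrack state;
+
+ __be32 vtag[IP_CT_DIR_MAX];
+};
+
+#endif /* _NF_CONNTRACK_SCTP_H */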
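Review bot: `struct ip_ct_sctp` (lines 19-23 of the new file) uses `__be32`, and the union it pulls in from nf_conntrack_tuple_common.h uses `__be16`, yet neither header includes `<linux/types.h>`, so a userspace consumer that includes this header before any other UAPI header gets an undeclared-type error. Adding `#include <linux/types.h>` above the existing include on line 5 makes the header self-contained; the nf_conntrack_tuple_common.h section below has the same gap. Whether the kernel build masks this through an earlier include is not visible here.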
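diff --git a/include/uapi/linux/netfilter/nf_conntrack_tcp.h b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
new file mode 100644
index 00000000000..9993a421201
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
@@ -0,0 +1,51 @@
+#ifndef _UAPI_NF_CONNTRACK_TCP_H
+#define _UAPI_NF_CONNTRACK_TCP_H
+/* TCP tracking. */
+
+#include <linux/types.h>
+
+/* This is exposed to userspace (ctnetlink) */
+enum tcp_conntrack {
+ TCP_CONNTRACK_NONE,
+ TCP_CONNTRACK_SYN_SENT,
+ TCP_CONNTRACK_SYN_RECV,
+ TCP_CONNTRACK_ESTABLISHED,
+ TCP_CONNTRACK_FIN_WAIT,
+ TCP_CONNTRACK_CLOSE_WAIT,
+ TCP_CONNTRACK_LAST_ACK,
+ TCP_CONNTRACK_TIME_WAIT,
+ TCP_CONNTRACK_CLOSE,
+ TCP_CONNTRACK_LISTEN, /* obsolete */
+#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN
+ TCP_CONNTRACK_MAX,
+ TCP_CONNTRACK_IGNORE,
+ TCP_CONNTRACK_RETRANS,
+ TCP_CONNTRACK_UNACK,
+ TCP_CONNTRACK_TIMEOUT_MAX
+};
+
+/* Window scaling is advertised by the sender */
+#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01
+
+/* SACK is permitted by the sender */
+#define IP_CT_TCP_FLAG_SACK_PERM 0x02
+
+/* This sender sent FIN first */
+#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04
+
+/* Be liberal in window checking */
+#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08
+
+/* Has unacknowledged data */
+#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10
+
+/* The field td_maxack has been set */
+#define IP_CT_TCP_FLAG_MAXACK_SET 0x20
+
+struct nf_ct_tcp_flags {
+ __u8 flags;
+ __u8 mask;
+};
+
+
+#endif /* _UAPI_NF_CONNTRACK_TCP_H */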
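Review bot: `struct nf_ct_tcp_flags` (lines 45-48 of the new file) is exported to userspace with no comment on what `flags` and `mask` hold; from the neighbouring IP_CT_TCP_FLAG_* defines they presumably carry those bits and a mask selecting which of them apply, but that is an inference from names and should be confirmed against the TCP conntrack code before being written down. A short comment above the struct, e.g. `/* flags/mask presumably hold IP_CT_TCP_FLAG_* bits — confirm against the TCP conntrack code */`, would save the next reader the same guesswork.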
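diff --git a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
new file mode 100644
index 00000000000..2f6bbc5b812
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
@@ -0,0 +1,39 @@
+#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
+#define _NF_CONNTRACK_TUPLE_COMMON_H
+
+enum ip_conntrack_dir {
+ IP_CT_DIR_ORIGINAL,
+ IP_CT_DIR_REPLY,
+ IP_CT_DIR_MAX
+};
+
+/* The protocol-specific manipulable parts of the tuple: always in
+ * network order
+ */
+union nf_conntrack_man_proto {
+ /* Add other protocols here. */
+ __be16 all;
+
+ struct {
+ __be16 port;
+ } tcp;
+ struct {
+ __be16 port;
+ } udp;
+ struct {
+ __be16 id;
+ } icmp;
+ struct {
+ __be16 port;
+ } dccp;
+ struct {
+ __be16 port;
+ } sctp;
+ struct {
+ __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
+ } gre;
+};
+
+#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
+
+#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */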
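Review bot: `CTINFO2DIR` at line 37 of the new file expands to `IP_CT_IS_REPLY`, `IP_CT_DIR_REPLY` and `IP_CT_DIR_ORIGINAL`, but only the last two are defined in this header; `IP_CT_IS_REPLY` comes from nf_conntrack_common.h, which is neither included nor mentioned, so the macro only works in files that happen to include that header first. Either add `#include <linux/netfilter/nf_conntrack_common.h>` after the guard, or document the dependency next to the macro with `/* needs enum ip_conntrack_info from nf_conntrack_common.h */`. The union's `__be16` fields also rely on `<linux/types.h>` being included by someone else.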
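diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h
new file mode 100644
index 00000000000..bf0cc373ffb
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_nat.h
@@ -0,0 +1,33 @@
+#ifndef _NETFILTER_NF_NAT_H
+#define _NETFILTER_NF_NAT_H
+
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+#define NF_NAT_RANGE_MAP_IPS 1
+#define NF_NAT_RANGE_PROTO_SPECIFIED 2
+#define NF_NAT_RANGE_PROTO_RANDOM 4
+#define NF_NAT_RANGE_PERSISTENT 8
+
+struct nf_nat_ipv4_range {
+ unsigned int flags;
+ __be32 min_ip;
+ __be32 max_ip;
+ union nf_conntrack_man_proto min;
+ union nf_conntrack_man_proto max;
+};
+
+struct nf_nat_ipv4_multi_range_compat {
+ unsigned int rangesize;
+ struct nf_nat_ipv4_range range[1];
+};
+
+struct nf_nat_range {
+ unsigned int flags;
+ union nf_inet_addr min_addr;
+ union nf_inet_addr max_addr;
+ union nf_conntrack_man_proto min_proto;
+ union nf_conntrack_man_proto max_proto;
+};
+
+#endif /* _NETFILTER_NF_NAT_H */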
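Review bot: `struct nf_nat_ipv4_multi_range_compat` (lines 20-23 of the new file) declares `range[1]` next to `rangesize` with no comment that the one-element array is a legacy variable-length tail whose layout is now fixed by the exported ABI; a reader of a UAPI header is otherwise tempted to modernise it to a flexible array member, which changes `sizeof` the struct and breaks every user built against the old size. Suggest a comment on line 22 such as `/* legacy variable-length tail; [1] is part of the ABI, do not change */`. The field names suggest `rangesize` counts the `range` entries, but that should be verified against the NAT target code before being documented as fact.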
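diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h
new file mode 100644
index 00000000000..4a4efafad5f
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink.h
@@ -0,0 +1,56 @@
+#ifndef _UAPI_NFNETLINK_H
+#define _UAPI_NFNETLINK_H
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink_compat.h>
+
+enum nfnetlink_groups {
+ NFNLGRP_NONE,
+#define NFNLGRP_NONE NFNLGRP_NONE
+ NFNLGRP_CONNTRACK_NEW,
+#define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW
+ NFNLGRP_CONNTRACK_UPDATE,
+#define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE
+ NFNLGRP_CONNTRACK_DESTROY,
+#define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY
+ NFNLGRP_CONNTRACK_EXP_NEW,
+#define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW
+ NFNLGRP_CONNTRACK_EXP_UPDATE,
+#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
+ NFNLGRP_CONNTRACK_EXP_DESTROY,
+#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
+ __NFNLGRP_MAX,
+};
+#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
+
+/* General form of address family dependent message.
+ */
+struct nfgenmsg {
+ __u8 nfgen_family; /* AF_xxx */
+ __u8 version; /* nfnetlink version */
+ __be16 res_id; /* resource id */
+};
+
+#define NFNETLINK_V0 0
+
+/* netfilter netlink message types are split in two pieces:
+ * 8 bit subsystem, 8bit operation.
+ */
+
+#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8)
+#define NFNL_MSG_TYPE(x) (x & 0x00ff)
+
+/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
+ * won't work anymore */
+#define NFNL_SUBSYS_NONE 0
+#define NFNL_SUBSYS_CTNETLINK 1
+#define NFNL_SUBSYS_CTNETLINK_EXP 2
+#define NFNL_SUBSYS_QUEUE 3
+#define NFNL_SUBSYS_ULOG 4
+#define NFNL_SUBSYS_OSF 5
+#define NFNL_SUBSYS_IPSET 6
+#define NFNL_SUBSYS_ACCT 7
+#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8
+#define NFNL_SUBSYS_CTHELPER 9
+#define NFNL_SUBSYS_COUNT 10
+
+#endif /* _UAPI_NFNETLINK_H */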
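Review bot: The macro parameter `x` in `NFNL_SUBSYS_ID` and `NFNL_MSG_TYPE` (lines 39-40 of the new file) is not parenthesized, so an argument such as `a | b` or a conditional expression binds wrongly against `&` and silently yields the wrong subsystem or message type. These macros are consumed by userspace the kernel does not control, so the defensive form is worth keeping: `#define NFNL_SUBSYS_ID(x) (((x) & 0xff00) >> 8)` and `#define NFNL_MSG_TYPE(x) ((x) & 0x00ff)`.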
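diff --git a/include/uapi/linux/netfilter/nfnetlink_acct.h b/include/uapi/linux/netfilter/nfnetlink_acct.h
new file mode 100644
index 00000000000..c7b6269e760
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_acct.h
@@ -0,0 +1,27 @@
+#ifndef _UAPI_NFNL_ACCT_H_
+#define _UAPI_NFNL_ACCT_H_
+
+#ifndef NFACCT_NAME_MAX
+#define NFACCT_NAME_MAX 32
+#endif
+
+enum nfnl_acct_msg_types {
+ NFNL_MSG_ACCT_NEW,
+ NFNL_MSG_ACCT_GET,
+ NFNL_MSG_ACCT_GET_CTRZERO,
+ NFNL_MSG_ACCT_DEL,
+ NFNL_MSG_ACCT_MAX
+};
+
+enum nfnl_acct_type {
+ NFACCT_UNSPEC,
+ NFACCT_NAME,
+ NFACCT_PKTS,
+ NFACCT_BYTES,
+ NFACCT_USE,
+ __NFACCT_MAX
+};
+#define NFACCT_MAX (__NFACCT_MAX - 1)
+
+
+#endif /* _UAPI_NFNL_ACCT_H_ */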
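diff --git a/include/uapi/linux/netfilter/nfnetlink_compat.h b/include/uapi/linux/netfilter/nfnetlink_compat.h
new file mode 100644
index 00000000000..ffb95036bbd
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_compat.h
@@ -0,0 +1,63 @@
+#ifndef _NFNETLINK_COMPAT_H
+#define _NFNETLINK_COMPAT_H
+
+#include <linux/types.h>
+
+#ifndef __KERNEL__
+/* Old nfnetlink macros for userspace */
+
+/* nfnetlink groups: Up to 32 maximum */
+#define NF_NETLINK_CONNTRACK_NEW 0x00000001
+#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002
+#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004
+#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
+#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
+#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
+
+/* Generic structure for encapsulation optional netfilter information.
+ * It is reminiscent of sockaddr, but with sa_family replaced
+ * with attribute type.
+ * ! This should someday be put somewhere generic as now rtnetlink and
+ * ! nfnetlink use the same attributes methods. - J. Schulist.
+ */
+
+struct nfattr {
+ __u16 nfa_len;
+ __u16 nfa_type; /* we use 15 bits for the type, and the highest
+ * bit to indicate whether the payload is nested */
+};
+
+/* FIXME: Apart from NFNL_NFA_NESTED shamelessly copy and pasted from
+ * rtnetlink.h, it's time to put this in a generic file */
+
+#define NFNL_NFA_NEST 0x8000
+#define NFA_TYPE(attr) ((attr)->nfa_type & 0x7fff)
+
+#define NFA_ALIGNTO 4
+#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
+#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
+ && (nfa)->nfa_len <= (len))
+#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
+ (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
+#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len))
+#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
+#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
+#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
+#define NFA_NEST(skb, type) \
+({ struct nfattr *__start = (struct nfattr *)skb_tail_pointer(skb); \
+ NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \
+ __start; })
+#define NFA_NEST_END(skb, start) \
+({ (start)->nfa_len = skb_tail_pointer(skb) - (unsigned char *)(start); \
+ (skb)->len; })
+#define NFA_NEST_CANCEL(skb, start) \
+({ if (start) \
+ skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
+ -1; })
+
+#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \
+ + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
+#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
+
+#endif /* ! __KERNEL__ */
+#endif /* _NFNETLINK_COMPAT_H */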
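Review bot: `NFA_PAYLOAD` (line 45 of the new file) casts `nfa_len` to `int` but then subtracts `NFA_LENGTH(0)`, whose type is `size_t` because it is built from `sizeof(struct nfattr)`; the usual arithmetic conversions make the whole expression unsigned, so an attribute whose `nfa_len` is smaller than the header produces a huge positive length instead of the negative value the cast implies, and a `< 0` check on the result never fires. Writing it as `#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - (int)NFA_LENGTH(0))` restores the intended signedness; callers parsing attributes from a socket should still gate on `NFA_OK` before using the length at all. Separately, `NFA_NEST`, `NFA_NEST_END` and `NFA_NEST_CANCEL` (lines 46-56) reference `skb_tail_pointer`, `skb_trim` and `NFA_PUT`, none of which exists outside the kernel, yet they sit inside the `#ifndef __KERNEL__` block; a comment stating that they are not usable from userspace would avoid a confusing build error for anyone who tries.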
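diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
new file mode 100644
index 00000000000..43bfe3e1685
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
@@ -0,0 +1,248 @@
+#ifndef _IPCONNTRACK_NETLINK_H
+#define _IPCONNTRACK_NETLINK_H
+#include <linux/netfilter/nfnetlink.h>
+
+enum cntl_msg_types {
+ IPCTNL_MSG_CT_NEW,
+ IPCTNL_MSG_CT_GET,
+ IPCTNL_MSG_CT_DELETE,
+ IPCTNL_MSG_CT_GET_CTRZERO,
+ IPCTNL_MSG_CT_GET_STATS_CPU,
+ IPCTNL_MSG_CT_GET_STATS,
+
+ IPCTNL_MSG_MAX
+};
+
+enum ctnl_exp_msg_types {
+ IPCTNL_MSG_EXP_NEW,
+ IPCTNL_MSG_EXP_GET,
+ IPCTNL_MSG_EXP_DELETE,
+ IPCTNL_MSG_EXP_GET_STATS_CPU,
+
+ IPCTNL_MSG_EXP_MAX
+};
+
+
+enum ctattr_type {
+ CTA_UNSPEC,
+ CTA_TUPLE_ORIG,
+ CTA_TUPLE_REPLY,
+ CTA_STATUS,
+ CTA_PROTOINFO,
+ CTA_HELP,
+ CTA_NAT_SRC,
+#define CTA_NAT CTA_NAT_SRC /* backwards compatibility */
+ CTA_TIMEOUT,
+ CTA_MARK,
+ CTA_COUNTERS_ORIG,
+ CTA_COUNTERS_REPLY,
+ CTA_USE,
+ CTA_ID,
+ CTA_NAT_DST,
+ CTA_TUPLE_MASTER,
+ CTA_NAT_SEQ_ADJ_ORIG,
+ CTA_NAT_SEQ_ADJ_REPLY,
+ CTA_SECMARK, /* obsolete */
+ CTA_ZONE,
+ CTA_SECCTX,
+ CTA_TIMESTAMP,
+ CTA_MARK_MASK,
+ __CTA_MAX
+};
+#define CTA_MAX (__CTA_MAX - 1)
+
+enum ctattr_tuple {
+ CTA_TUPLE_UNSPEC,
+ CTA_TUPLE_IP,
+ CTA_TUPLE_PROTO,
+ __CTA_TUPLE_MAX
+};
+#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)
+
+enum ctattr_ip {
+ CTA_IP_UNSPEC,
+ CTA_IP_V4_SRC,
+ CTA_IP_V4_DST,
+ CTA_IP_V6_SRC,
+ CTA_IP_V6_DST,
+ __CTA_IP_MAX
+};
+#define CTA_IP_MAX (__CTA_IP_MAX - 1)
+
+enum ctattr_l4proto {
+ CTA_PROTO_UNSPEC,
+ CTA_PROTO_NUM,
+ CTA_PROTO_SRC_PORT,
+ CTA_PROTO_DST_PORT,
+ CTA_PROTO_ICMP_ID,
+ CTA_PROTO_ICMP_TYPE,
+ CTA_PROTO_ICMP_CODE,
+ CTA_PROTO_ICMPV6_ID,
+ CTA_PROTO_ICMPV6_TYPE,
+ CTA_PROTO_ICMPV6_CODE,
+ __CTA_PROTO_MAX
+};
+#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)
+
+enum ctattr_protoinfo {
+ CTA_PROTOINFO_UNSPEC,
+ CTA_PROTOINFO_TCP,
+ CTA_PROTOINFO_DCCP,
+ CTA_PROTOINFO_SCTP,
+ __CTA_PROTOINFO_MAX
+};
+#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
+
+enum ctattr_protoinfo_tcp {
+ CTA_PROTOINFO_TCP_UNSPEC,
+ CTA_PROTOINFO_TCP_STATE,
+ CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
+ CTA_PROTOINFO_TCP_WSCALE_REPLY,
+ CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
+ CTA_PROTOINFO_TCP_FLAGS_REPLY,
+ __CTA_PROTOINFO_TCP_MAX
+};
+#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1)
+
+enum ctattr_protoinfo_dccp {
+ CTA_PROTOINFO_DCCP_UNSPEC,
+ CTA_PROTOINFO_DCCP_STATE,
+ CTA_PROTOINFO_DCCP_ROLE,
+ CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
+ __CTA_PROTOINFO_DCCP_MAX,
+};
+#define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
+
+enum ctattr_protoinfo_sctp {
+ CTA_PROTOINFO_SCTP_UNSPEC,
+ CTA_PROTOINFO_SCTP_STATE,
+ CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
+ CTA_PROTOINFO_SCTP_VTAG_REPLY,
+ __CTA_PROTOINFO_SCTP_MAX
+};
+#define CTA_PROTOINFO_SCTP_MAX (__CTA_PROTOINFO_SCTP_MAX - 1)
+
+enum ctattr_counters {
+ CTA_COUNTERS_UNSPEC,
+ CTA_COUNTERS_PACKETS, /* 64bit counters */
+ CTA_COUNTERS_BYTES, /* 64bit counters */
+ CTA_COUNTERS32_PACKETS, /* old 32bit counters, unused */
+ CTA_COUNTERS32_BYTES, /* old 32bit counters, unused */
+ __CTA_COUNTERS_MAX
+};
+#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
+
+enum ctattr_tstamp {
+ CTA_TIMESTAMP_UNSPEC,
+ CTA_TIMESTAMP_START,
+ CTA_TIMESTAMP_STOP,
+ __CTA_TIMESTAMP_MAX
+};
+#define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1)
+
+enum ctattr_nat {
+ CTA_NAT_UNSPEC,
+ CTA_NAT_V4_MINIP,
+#define CTA_NAT_MINIP CTA_NAT_V4_MINIP
+ CTA_NAT_V4_MAXIP,
+#define CTA_NAT_MAXIP CTA_NAT_V4_MAXIP
+ CTA_NAT_PROTO,
+ CTA_NAT_V6_MINIP,
+ CTA_NAT_V6_MAXIP,
+ __CTA_NAT_MAX
+};
+#define CTA_NAT_MAX (__CTA_NAT_MAX - 1)
+
+enum ctattr_protonat {
+ CTA_PROTONAT_UNSPEC,
+ CTA_PROTONAT_PORT_MIN,
+ CTA_PROTONAT_PORT_MAX,
+ __CTA_PROTONAT_MAX
+};
+#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1)
+
+enum ctattr_natseq {
+ CTA_NAT_SEQ_UNSPEC,
+ CTA_NAT_SEQ_CORRECTION_POS,
+ CTA_NAT_SEQ_OFFSET_BEFORE,
+ CTA_NAT_SEQ_OFFSET_AFTER,
+ __CTA_NAT_SEQ_MAX
+};
+#define CTA_NAT_SEQ_MAX (__CTA_NAT_SEQ_MAX - 1)
+
+enum ctattr_expect {
+ CTA_EXPECT_UNSPEC,
+ CTA_EXPECT_MASTER,
+ CTA_EXPECT_TUPLE,
+ CTA_EXPECT_MASK,
+ CTA_EXPECT_TIMEOUT,
+ CTA_EXPECT_ID,
+ CTA_EXPECT_HELP_NAME,
+ CTA_EXPECT_ZONE,
+ CTA_EXPECT_FLAGS,
+ CTA_EXPECT_CLASS,
+ CTA_EXPECT_NAT,
+ CTA_EXPECT_FN,
+ __CTA_EXPECT_MAX
+};
+#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
+
+enum ctattr_expect_nat {
+ CTA_EXPECT_NAT_UNSPEC,
+ CTA_EXPECT_NAT_DIR,
+ CTA_EXPECT_NAT_TUPLE,
+ __CTA_EXPECT_NAT_MAX
+};
+#define CTA_EXPECT_NAT_MAX (__CTA_EXPECT_NAT_MAX - 1)
+
+enum ctattr_help {
+ CTA_HELP_UNSPEC,
+ CTA_HELP_NAME,
+ CTA_HELP_INFO,
+ __CTA_HELP_MAX
+};
+#define CTA_HELP_MAX (__CTA_HELP_MAX - 1)
+
+enum ctattr_secctx {
+ CTA_SECCTX_UNSPEC,
+ CTA_SECCTX_NAME,
+ __CTA_SECCTX_MAX
+};
+#define CTA_SECCTX_MAX (__CTA_SECCTX_MAX - 1)
+
+enum ctattr_stats_cpu {
+ CTA_STATS_UNSPEC,
+ CTA_STATS_SEARCHED,
+ CTA_STATS_FOUND,
+ CTA_STATS_NEW,
+ CTA_STATS_INVALID,
+ CTA_STATS_IGNORE,
+ CTA_STATS_DELETE,
+ CTA_STATS_DELETE_LIST,
+ CTA_STATS_INSERT,
+ CTA_STATS_INSERT_FAILED,
+ CTA_STATS_DROP,
+ CTA_STATS_EARLY_DROP,
+ CTA_STATS_ERROR,
+ CTA_STATS_SEARCH_RESTART,
+ __CTA_STATS_MAX,
+};
+#define CTA_STATS_MAX (__CTA_STATS_MAX - 1)
+
+enum ctattr_stats_global {
+ CTA_STATS_GLOBAL_UNSPEC,
+ CTA_STATS_GLOBAL_ENTRIES,
+ __CTA_STATS_GLOBAL_MAX,
+};
+#define CTA_STATS_GLOBAL_MAX (__CTA_STATS_GLOBAL_MAX - 1)
+
+enum ctattr_expect_stats {
+ CTA_STATS_EXP_UNSPEC,
+ CTA_STATS_EXP_NEW,
+ CTA_STATS_EXP_CREATE,
+ CTA_STATS_EXP_DELETE,
+ __CTA_STATS_EXP_MAX,
+};
+#define CTA_STATS_EXP_MAX (__CTA_STATS_EXP_MAX - 1)
+
+#endif /* _IPCONNTRACK_NETLINK_H */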
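diff --git a/include/uapi/linux/netfilter/nfnetlink_cthelper.h b/include/uapi/linux/netfilter/nfnetlink_cthelper.h
new file mode 100644
index 00000000000..33659f6fad3
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_cthelper.h
@@ -0,0 +1,55 @@
+#ifndef _NFNL_CTHELPER_H_
+#define _NFNL_CTHELPER_H_
+
+#define NFCT_HELPER_STATUS_DISABLED 0
+#define NFCT_HELPER_STATUS_ENABLED 1
+
+enum nfnl_acct_msg_types {
+ NFNL_MSG_CTHELPER_NEW,
+ NFNL_MSG_CTHELPER_GET,
+ NFNL_MSG_CTHELPER_DEL,
+ NFNL_MSG_CTHELPER_MAX
+};
+
+enum nfnl_cthelper_type {
+ NFCTH_UNSPEC,
+ NFCTH_NAME,
+ NFCTH_TUPLE,
+ NFCTH_QUEUE_NUM,
+ NFCTH_POLICY,
+ NFCTH_PRIV_DATA_LEN,
+ NFCTH_STATUS,
+ __NFCTH_MAX
+};
+#define NFCTH_MAX (__NFCTH_MAX - 1)
+
+enum nfnl_cthelper_policy_type {
+ NFCTH_POLICY_SET_UNSPEC,
+ NFCTH_POLICY_SET_NUM,
+ NFCTH_POLICY_SET,
+ NFCTH_POLICY_SET1 = NFCTH_POLICY_SET,
+ NFCTH_POLICY_SET2,
+ NFCTH_POLICY_SET3,
+ NFCTH_POLICY_SET4,
+ __NFCTH_POLICY_SET_MAX
+};
+#define NFCTH_POLICY_SET_MAX (__NFCTH_POLICY_SET_MAX - 1)
+
+enum nfnl_cthelper_pol_type {
+ NFCTH_POLICY_UNSPEC,
+ NFCTH_POLICY_NAME,
+ NFCTH_POLICY_EXPECT_MAX,
+ NFCTH_POLICY_EXPECT_TIMEOUT,
+ __NFCTH_POLICY_MAX
+};
+#define NFCTH_POLICY_MAX (__NFCTH_POLICY_MAX - 1)
+
+enum nfnl_cthelper_tuple_type {
+ NFCTH_TUPLE_UNSPEC,
+ NFCTH_TUPLE_L3PROTONUM,
+ NFCTH_TUPLE_L4PROTONUM,
+ __NFCTH_TUPLE_MAX,
+};
+#define NFCTH_TUPLE_MAX (__NFCTH_TUPLE_MAX - 1)
+
+#endif /* _NFNL_CTHELPER_H */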
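Review bot: The message-type enum at line 7 of the new file is tagged `nfnl_acct_msg_types`, the same tag that nfnetlink_acct.h in this very commit uses for its own enum, so any translation unit that includes both exported headers fails with a redefinition error for the tag. Renaming it to match the file, `enum nfnl_cthelper_msg_types {`, resolves the clash without touching the enumerator values userspace actually relies on. The closing comment on line 55 also reads `_NFNL_CTHELPER_H` while the guard defined on lines 1-2 is `_NFNL_CTHELPER_H_`.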
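diff --git a/include/uapi/linux/netfilter/nfnetlink_cttimeout.h b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
new file mode 100644
index 00000000000..a2810a7c5e3
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
@@ -0,0 +1,114 @@
+#ifndef _CTTIMEOUT_NETLINK_H
+#define _CTTIMEOUT_NETLINK_H
+#include <linux/netfilter/nfnetlink.h>
+
+enum ctnl_timeout_msg_types {
+ IPCTNL_MSG_TIMEOUT_NEW,
+ IPCTNL_MSG_TIMEOUT_GET,
+ IPCTNL_MSG_TIMEOUT_DELETE,
+
+ IPCTNL_MSG_TIMEOUT_MAX
+};
+
+enum ctattr_timeout {
+ CTA_TIMEOUT_UNSPEC,
+ CTA_TIMEOUT_NAME,
+ CTA_TIMEOUT_L3PROTO,
+ CTA_TIMEOUT_L4PROTO,
+ CTA_TIMEOUT_DATA,
+ CTA_TIMEOUT_USE,
+ __CTA_TIMEOUT_MAX
+};
+#define CTA_TIMEOUT_MAX (__CTA_TIMEOUT_MAX - 1)
+
+enum ctattr_timeout_generic {
+ CTA_TIMEOUT_GENERIC_UNSPEC,
+ CTA_TIMEOUT_GENERIC_TIMEOUT,
+ __CTA_TIMEOUT_GENERIC_MAX
+};
+#define CTA_TIMEOUT_GENERIC_MAX (__CTA_TIMEOUT_GENERIC_MAX - 1)
+
+enum ctattr_timeout_tcp {
+ CTA_TIMEOUT_TCP_UNSPEC,
+ CTA_TIMEOUT_TCP_SYN_SENT,
+ CTA_TIMEOUT_TCP_SYN_RECV,
+ CTA_TIMEOUT_TCP_ESTABLISHED,
+ CTA_TIMEOUT_TCP_FIN_WAIT,
+ CTA_TIMEOUT_TCP_CLOSE_WAIT,
+ CTA_TIMEOUT_TCP_LAST_ACK,
+ CTA_TIMEOUT_TCP_TIME_WAIT,
+ CTA_TIMEOUT_TCP_CLOSE,
+ CTA_TIMEOUT_TCP_SYN_SENT2,
+ CTA_TIMEOUT_TCP_RETRANS,
+ CTA_TIMEOUT_TCP_UNACK,
+ __CTA_TIMEOUT_TCP_MAX
+};
+#define CTA_TIMEOUT_TCP_MAX (__CTA_TIMEOUT_TCP_MAX - 1)
+
+enum ctattr_timeout_udp {
+ CTA_TIMEOUT_UDP_UNSPEC,
+ CTA_TIMEOUT_UDP_UNREPLIED,
+ CTA_TIMEOUT_UDP_REPLIED,
+ __CTA_TIMEOUT_UDP_MAX
+};
+#define CTA_TIMEOUT_UDP_MAX (__CTA_TIMEOUT_UDP_MAX - 1)
+
+enum ctattr_timeout_udplite {
+ CTA_TIMEOUT_UDPLITE_UNSPEC,
+ CTA_TIMEOUT_UDPLITE_UNREPLIED,
+ CTA_TIMEOUT_UDPLITE_REPLIED,
+ __CTA_TIMEOUT_UDPLITE_MAX
+};
+#define CTA_TIMEOUT_UDPLITE_MAX (__CTA_TIMEOUT_UDPLITE_MAX - 1)
+
+enum ctattr_timeout_icmp {
+ CTA_TIMEOUT_ICMP_UNSPEC,
+ CTA_TIMEOUT_ICMP_TIMEOUT,
+ __CTA_TIMEOUT_ICMP_MAX
+};
+#define CTA_TIMEOUT_ICMP_MAX (__CTA_TIMEOUT_ICMP_MAX - 1)
+
+enum ctattr_timeout_dccp {
+ CTA_TIMEOUT_DCCP_UNSPEC,
+ CTA_TIMEOUT_DCCP_REQUEST,
+ CTA_TIMEOUT_DCCP_RESPOND,
+ CTA_TIMEOUT_DCCP_PARTOPEN,
+ CTA_TIMEOUT_DCCP_OPEN,
+ CTA_TIMEOUT_DCCP_CLOSEREQ,
+ CTA_TIMEOUT_DCCP_CLOSING,
+ CTA_TIMEOUT_DCCP_TIMEWAIT,
+ __CTA_TIMEOUT_DCCP_MAX
+};
+#define CTA_TIMEOUT_DCCP_MAX (__CTA_TIMEOUT_DCCP_MAX - 1)
+
+enum ctattr_timeout_sctp {
+ CTA_TIMEOUT_SCTP_UNSPEC,
+ CTA_TIMEOUT_SCTP_CLOSED,
+ CTA_TIMEOUT_SCTP_COOKIE_WAIT,
+ CTA_TIMEOUT_SCTP_COOKIE_ECHOED,
+ CTA_TIMEOUT_SCTP_ESTABLISHED,
+ CTA_TIMEOUT_SCTP_SHUTDOWN_SENT,
+ CTA_TIMEOUT_SCTP_SHUTDOWN_RECD,
+ CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
+ __CTA_TIMEOUT_SCTP_MAX
+};
+#define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1)
+
+enum ctattr_timeout_icmpv6 {
+ CTA_TIMEOUT_ICMPV6_UNSPEC,
+ CTA_TIMEOUT_ICMPV6_TIMEOUT,
+ __CTA_TIMEOUT_ICMPV6_MAX
+};
+#define CTA_TIMEOUT_ICMPV6_MAX (__CTA_TIMEOUT_ICMPV6_MAX - 1)
+
+enum ctattr_timeout_gre {
+ CTA_TIMEOUT_GRE_UNSPEC,
+ CTA_TIMEOUT_GRE_UNREPLIED,
+ CTA_TIMEOUT_GRE_REPLIED,
+ __CTA_TIMEOUT_GRE_MAX
+};
+#define CTA_TIMEOUT_GRE_MAX (__CTA_TIMEOUT_GRE_MAX - 1)
+
+#define CTNL_TIMEOUT_NAME_MAX 32
+
+#endif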
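Review bot: The closing `#endif` on line 114 of the new file carries no guard comment, unlike every other header in this commit, which ends with `#endif /* GUARD */`; for a 114-line header that is the one place a reader checks which conditional is being closed. Suggest `#endif /* _CTTIMEOUT_NETLINK_H */` to match the guard defined on lines 1-2.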
diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
new file mode 100644
index 00000000000..90c2c9575ba
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_log.h
@@ -0,0 +1,97 @@
1#ifndef _NFNETLINK_LOG_H
2#define _NFNETLINK_LOG_H
3
4/* This file describes the netlink messages (i.e. 'protocol packets'),
5 * and not any kind of function definitions. It is shared between kernel and
6 * userspace. Don't put kernel specific stuff in here */
7
8#include <linux/types.h>
9#include <linux/netfilter/nfnetlink.h>
10
11enum nfulnl_msg_types {
12 NFULNL_MSG_PACKET, /* packet from kernel to userspace */
13 NFULNL_MSG_CONFIG, /* connect to a particular queue */
14
15 NFULNL_MSG_MAX
16};
17
18struct nfulnl_msg_packet_hdr {
19 __be16 hw_protocol; /* hw protocol (network order) */
20 __u8 hook; /* netfilter hook */
21 __u8 _pad;
22};
23
24struct nfulnl_msg_packet_hw {
25 __be16 hw_addrlen;
26 __u16 _pad;
27 __u8 hw_addr[8];
28};
29
30struct nfulnl_msg_packet_timestamp {
31 __aligned_be64 sec;
32 __aligned_be64 usec;
33};
34
35enum nfulnl_attr_type {
36 NFULA_UNSPEC,
37 NFULA_PACKET_HDR,
38 NFULA_MARK, /* __u32 nfmark */
39 NFULA_TIMESTAMP, /* nfulnl_msg_packet_timestamp */
40 NFULA_IFINDEX_INDEV, /* __u32 ifindex */
41 NFULA_IFINDEX_OUTDEV, /* __u32 ifindex */
42 NFULA_IFINDEX_PHYSINDEV, /* __u32 ifindex */
43 NFULA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */
44 NFULA_HWADDR, /* nfulnl_msg_packet_hw */
45 NFULA_PAYLOAD, /* opaque data payload */
46 NFULA_PREFIX, /* string prefix */
47 NFULA_UID, /* user id of socket */
48 NFULA_SEQ, /* instance-local sequence number */
49 NFULA_SEQ_GLOBAL, /* global sequence number */
50 NFULA_GID, /* group id of socket */
51 NFULA_HWTYPE, /* hardware type */
52 NFULA_HWHEADER, /* hardware header */
53 NFULA_HWLEN, /* hardware header length */
54
55 __NFULA_MAX
56};
57#define NFULA_MAX (__NFULA_MAX - 1)
58
59enum nfulnl_msg_config_cmds {
60 NFULNL_CFG_CMD_NONE,
61 NFULNL_CFG_CMD_BIND,
62 NFULNL_CFG_CMD_UNBIND,
63 NFULNL_CFG_CMD_PF_BIND,
64 NFULNL_CFG_CMD_PF_UNBIND,
65};
66
67struct nfulnl_msg_config_cmd {
68 __u8 command; /* nfulnl_msg_config_cmds */
69} __attribute__ ((packed));
70
71struct nfulnl_msg_config_mode {
72 __be32 copy_range;
73 __u8 copy_mode;
74 __u8 _pad;
75} __attribute__ ((packed));
76
77enum nfulnl_attr_config {
78 NFULA_CFG_UNSPEC,
79 NFULA_CFG_CMD, /* nfulnl_msg_config_cmd */
80 NFULA_CFG_MODE, /* nfulnl_msg_config_mode */
81 NFULA_CFG_NLBUFSIZ, /* __u32 buffer size */
82 NFULA_CFG_TIMEOUT, /* __u32 in 1/100 s */
83 NFULA_CFG_QTHRESH, /* __u32 */
84 NFULA_CFG_FLAGS, /* __u16 */
85 __NFULA_CFG_MAX
86};
87#define NFULA_CFG_MAX (__NFULA_CFG_MAX -1)
88
89#define NFULNL_COPY_NONE 0x00
90#define NFULNL_COPY_META 0x01
91#define NFULNL_COPY_PACKET 0x02
92/* 0xff is reserved, don't use it for new copy modes. */
93
94#define NFULNL_CFG_F_SEQ 0x0001
95#define NFULNL_CFG_F_SEQ_GLOBAL 0x0002
96
97#endif /* _NFNETLINK_LOG_H */
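Review bot: `struct nfulnl_msg_packet_hw` pairs a length field with a fixed 8-byte `hw_addr`, and nothing in the header says that `hw_addrlen` is bounded by `sizeof(hw_addr)`; a userspace parser that trusts the length as received can read past the attribute. A comment on the struct would pin the contract, e.g. `/* hw_addrlen = number of valid bytes in hw_addr; readers must clamp it to sizeof(hw_addr) */`. The same applies to the identical `nfqnl_msg_packet_hw` in nfnetlink_queue.h. Whether the kernel sender already guarantees the bound is not visible in this diff.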
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
new file mode 100644
index 00000000000..70ec8c2bc11
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -0,0 +1,101 @@
1#ifndef _NFNETLINK_QUEUE_H
2#define _NFNETLINK_QUEUE_H
3
4#include <linux/types.h>
5#include <linux/netfilter/nfnetlink.h>
6
7enum nfqnl_msg_types {
8 NFQNL_MSG_PACKET, /* packet from kernel to userspace */
9 NFQNL_MSG_VERDICT, /* verdict from userspace to kernel */
10 NFQNL_MSG_CONFIG, /* connect to a particular queue */
11 NFQNL_MSG_VERDICT_BATCH, /* batchv from userspace to kernel */
12
13 NFQNL_MSG_MAX
14};
15
16struct nfqnl_msg_packet_hdr {
17 __be32 packet_id; /* unique ID of packet in queue */
18 __be16 hw_protocol; /* hw protocol (network order) */
19 __u8 hook; /* netfilter hook */
20} __attribute__ ((packed));
21
22struct nfqnl_msg_packet_hw {
23 __be16 hw_addrlen;
24 __u16 _pad;
25 __u8 hw_addr[8];
26};
27
28struct nfqnl_msg_packet_timestamp {
29 __aligned_be64 sec;
30 __aligned_be64 usec;
31};
32
33enum nfqnl_attr_type {
34 NFQA_UNSPEC,
35 NFQA_PACKET_HDR,
36 NFQA_VERDICT_HDR, /* nfqnl_msg_verdict_hrd */
37 NFQA_MARK, /* __u32 nfmark */
38 NFQA_TIMESTAMP, /* nfqnl_msg_packet_timestamp */
39 NFQA_IFINDEX_INDEV, /* __u32 ifindex */
40 NFQA_IFINDEX_OUTDEV, /* __u32 ifindex */
41 NFQA_IFINDEX_PHYSINDEV, /* __u32 ifindex */
42 NFQA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */
43 NFQA_HWADDR, /* nfqnl_msg_packet_hw */
44 NFQA_PAYLOAD, /* opaque data payload */
45 NFQA_CT, /* nf_conntrack_netlink.h */
46 NFQA_CT_INFO, /* enum ip_conntrack_info */
47 NFQA_CAP_LEN, /* __u32 length of captured packet */
48
49 __NFQA_MAX
50};
51#define NFQA_MAX (__NFQA_MAX - 1)
52
53struct nfqnl_msg_verdict_hdr {
54 __be32 verdict;
55 __be32 id;
56};
57
58
59enum nfqnl_msg_config_cmds {
60 NFQNL_CFG_CMD_NONE,
61 NFQNL_CFG_CMD_BIND,
62 NFQNL_CFG_CMD_UNBIND,
63 NFQNL_CFG_CMD_PF_BIND,
64 NFQNL_CFG_CMD_PF_UNBIND,
65};
66
67struct nfqnl_msg_config_cmd {
68 __u8 command; /* nfqnl_msg_config_cmds */
69 __u8 _pad;
70 __be16 pf; /* AF_xxx for PF_[UN]BIND */
71};
72
73enum nfqnl_config_mode {
74 NFQNL_COPY_NONE,
75 NFQNL_COPY_META,
76 NFQNL_COPY_PACKET,
77};
78
79struct nfqnl_msg_config_params {
80 __be32 copy_range;
81 __u8 copy_mode; /* enum nfqnl_config_mode */
82} __attribute__ ((packed));
83
84
85enum nfqnl_attr_config {
86 NFQA_CFG_UNSPEC,
87 NFQA_CFG_CMD, /* nfqnl_msg_config_cmd */
88 NFQA_CFG_PARAMS, /* nfqnl_msg_config_params */
89 NFQA_CFG_QUEUE_MAXLEN, /* __u32 */
90 NFQA_CFG_MASK, /* identify which flags to change */
91 NFQA_CFG_FLAGS, /* value of these flags (__u32) */
92 __NFQA_CFG_MAX
93};
94#define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
95
96/* Flags for NFQA_CFG_FLAGS */
97#define NFQA_CFG_F_FAIL_OPEN (1 << 0)
98#define NFQA_CFG_F_CONNTRACK (1 << 1)
99#define NFQA_CFG_F_MAX (1 << 2)
100
101#endif /* _NFNETLINK_QUEUE_H */
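Review bot: `NFQA_CFG_F_FAIL_OPEN` is defined with no statement of what it does, and fail-open is a security-relevant mode: presumably packets the queue cannot hold are accepted instead of dropped, so a slow or crashed userspace verdict daemon turns the filter into a pass-through. A one-line comment such as `/* accept (not drop) packets when the queue is full; weakens enforcement, opt in deliberately */` would make the trade-off explicit to rule writers. Also, the comment on `NFQA_VERDICT_HDR` reads `nfqnl_msg_verdict_hrd`; the struct declared below is `nfqnl_msg_verdict_hdr`.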
diff --git a/include/uapi/linux/netfilter/x_tables.h b/include/uapi/linux/netfilter/x_tables.h
new file mode 100644
index 00000000000..c36969b9153
--- /dev/null
+++ b/include/uapi/linux/netfilter/x_tables.h
@@ -0,0 +1,187 @@
1#ifndef _UAPI_X_TABLES_H
2#define _UAPI_X_TABLES_H
3#include <linux/kernel.h>
4#include <linux/types.h>
5
6#define XT_FUNCTION_MAXNAMELEN 30
7#define XT_EXTENSION_MAXNAMELEN 29
8#define XT_TABLE_MAXNAMELEN 32
9
10struct xt_entry_match {
11 union {
12 struct {
13 __u16 match_size;
14
15 /* Used by userspace */
16 char name[XT_EXTENSION_MAXNAMELEN];
17 __u8 revision;
18 } user;
19 struct {
20 __u16 match_size;
21
22 /* Used inside the kernel */
23 struct xt_match *match;
24 } kernel;
25
26 /* Total length */
27 __u16 match_size;
28 } u;
29
30 unsigned char data[0];
31};
32
33struct xt_entry_target {
34 union {
35 struct {
36 __u16 target_size;
37
38 /* Used by userspace */
39 char name[XT_EXTENSION_MAXNAMELEN];
40 __u8 revision;
41 } user;
42 struct {
43 __u16 target_size;
44
45 /* Used inside the kernel */
46 struct xt_target *target;
47 } kernel;
48
49 /* Total length */
50 __u16 target_size;
51 } u;
52
53 unsigned char data[0];
54};
55
56#define XT_TARGET_INIT(__name, __size) \
57{ \
58 .target.u.user = { \
59 .target_size = XT_ALIGN(__size), \
60 .name = __name, \
61 }, \
62}
63
64struct xt_standard_target {
65 struct xt_entry_target target;
66 int verdict;
67};
68
69struct xt_error_target {
70 struct xt_entry_target target;
71 char errorname[XT_FUNCTION_MAXNAMELEN];
72};
73
74/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
75 * kernel supports, if >= revision. */
76struct xt_get_revision {
77 char name[XT_EXTENSION_MAXNAMELEN];
78 __u8 revision;
79};
80
81/* CONTINUE verdict for targets */
82#define XT_CONTINUE 0xFFFFFFFF
83
84/* For standard target */
85#define XT_RETURN (-NF_REPEAT - 1)
86
87/* this is a dummy structure to find out the alignment requirement for a struct
88 * containing all the fundamental data types that are used in ipt_entry,
89 * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my
90 * personal pleasure to remove it -HW
91 */
92struct _xt_align {
93 __u8 u8;
94 __u16 u16;
95 __u32 u32;
96 __u64 u64;
97};
98
99#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
100
101/* Standard return verdict, or do jump. */
102#define XT_STANDARD_TARGET ""
103/* Error verdict. */
104#define XT_ERROR_TARGET "ERROR"
105
106#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
107#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
108
109struct xt_counters {
110 __u64 pcnt, bcnt; /* Packet and byte counters */
111};
112
113/* The argument to IPT_SO_ADD_COUNTERS. */
114struct xt_counters_info {
115 /* Which table. */
116 char name[XT_TABLE_MAXNAMELEN];
117
118 unsigned int num_counters;
119
120 /* The counters (actually `number' of these). */
121 struct xt_counters counters[0];
122};
123
124#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
125
126#ifndef __KERNEL__
127/* fn returns 0 to continue iteration */
128#define XT_MATCH_ITERATE(type, e, fn, args...) \
129({ \
130 unsigned int __i; \
131 int __ret = 0; \
132 struct xt_entry_match *__m; \
133 \
134 for (__i = sizeof(type); \
135 __i < (e)->target_offset; \
136 __i += __m->u.match_size) { \
137 __m = (void *)e + __i; \
138 \
139 __ret = fn(__m , ## args); \
140 if (__ret != 0) \
141 break; \
142 } \
143 __ret; \
144})
145
146/* fn returns 0 to continue iteration */
147#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
148({ \
149 unsigned int __i, __n; \
150 int __ret = 0; \
151 type *__entry; \
152 \
153 for (__i = 0, __n = 0; __i < (size); \
154 __i += __entry->next_offset, __n++) { \
155 __entry = (void *)(entries) + __i; \
156 if (__n < n) \
157 continue; \
158 \
159 __ret = fn(__entry , ## args); \
160 if (__ret != 0) \
161 break; \
162 } \
163 __ret; \
164})
165
166/* fn returns 0 to continue iteration */
167#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
168 XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
169
170#endif /* !__KERNEL__ */
171
172/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
173#define xt_entry_foreach(pos, ehead, esize) \
174 for ((pos) = (typeof(pos))(ehead); \
175 (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
176 (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
177
178/* can only be xt_entry_match, so no use of typeof here */
179#define xt_ematch_foreach(pos, entry) \
180 for ((pos) = (struct xt_entry_match *)entry->elems; \
181 (pos) < (struct xt_entry_match *)((char *)(entry) + \
182 (entry)->target_offset); \
183 (pos) = (struct xt_entry_match *)((char *)(pos) + \
184 (pos)->u.match_size))
185
186
187#endif /* _UAPI_X_TABLES_H */
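Review bot: The userspace iteration macros `XT_MATCH_ITERATE` and `XT_ENTRY_ITERATE_CONTINUE` advance by `__m->u.match_size` / `__entry->next_offset` read from the blob itself, so a zero size never advances `__i` and the loop spins forever, while an oversized one steps past `target_offset`/`size` before the bound is compared. Callers that apply these to rule blobs from an untrusted source need their own size validation first; a comment on each macro stating that the embedded sizes are trusted and must be validated beforehand would make that visible. Separately, `XT_RETURN` expands `NF_REPEAT` without `#include <linux/netfilter.h>`, `xt_ematch_foreach` uses `entry->elems` unparenthesized, and `XT_ENTRY_ITERATE_CONTINUE` uses bare `n`; `(entry)->elems` and `(n)` would match the rest of the file.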
diff --git a/include/uapi/linux/netfilter/xt_AUDIT.h b/include/uapi/linux/netfilter/xt_AUDIT.h
new file mode 100644
index 00000000000..38751d2ea52
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_AUDIT.h
@@ -0,0 +1,30 @@
1/*
2 * Header file for iptables xt_AUDIT target
3 *
4 * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
5 * (C) 2010-2011 Red Hat, Inc.
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
10 */
11
12#ifndef _XT_AUDIT_TARGET_H
13#define _XT_AUDIT_TARGET_H
14
15#include <linux/types.h>
16
17enum {
18 XT_AUDIT_TYPE_ACCEPT = 0,
19 XT_AUDIT_TYPE_DROP,
20 XT_AUDIT_TYPE_REJECT,
21 __XT_AUDIT_TYPE_MAX,
22};
23
24#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)
25
26struct xt_audit_info {
27 __u8 type; /* XT_AUDIT_TYPE_* */
28};
29
30#endif /* _XT_AUDIT_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_CHECKSUM.h b/include/uapi/linux/netfilter/xt_CHECKSUM.h
new file mode 100644
index 00000000000..9a2e4661654
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CHECKSUM.h
@@ -0,0 +1,20 @@
1/* Header file for iptables ipt_CHECKSUM target
2 *
3 * (C) 2002 by Harald Welte <laforge@gnumonks.org>
4 * (C) 2010 Red Hat Inc
5 * Author: Michael S. Tsirkin <mst@redhat.com>
6 *
7 * This software is distributed under GNU GPL v2, 1991
8*/
9#ifndef _XT_CHECKSUM_TARGET_H
10#define _XT_CHECKSUM_TARGET_H
11
12#include <linux/types.h>
13
14#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */
15
16struct xt_CHECKSUM_info {
17 __u8 operation; /* bitset of operations */
18};
19
20#endif /* _XT_CHECKSUM_TARGET_H */
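Review bot: The comment on `XT_CHECKSUM_OP_FILL`, `fill in checksum in IP header`, looks inaccurate: from the target's name and purpose the operation appears to be about completing a not-yet-computed transport checksum (the offload case), not the IPv4 header checksum, and the file header still says `ipt_CHECKSUM` although the target is `xt_CHECKSUM`. Suggest `/* compute the pending (offloaded) checksum so the packet leaves with a valid one */`, to be confirmed against the target implementation, which is not in this diff.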
diff --git a/include/uapi/linux/netfilter/xt_CLASSIFY.h b/include/uapi/linux/netfilter/xt_CLASSIFY.h
new file mode 100644
index 00000000000..a813bf14dd6
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CLASSIFY.h
@@ -0,0 +1,10 @@
1#ifndef _XT_CLASSIFY_H
2#define _XT_CLASSIFY_H
3
4#include <linux/types.h>
5
6struct xt_classify_target_info {
7 __u32 priority;
8};
9
10#endif /*_XT_CLASSIFY_H */
diff --git a/include/uapi/linux/netfilter/xt_CONNMARK.h b/include/uapi/linux/netfilter/xt_CONNMARK.h
new file mode 100644
index 00000000000..2f2e48ec802
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CONNMARK.h
@@ -0,0 +1,6 @@
1#ifndef _XT_CONNMARK_H_target
2#define _XT_CONNMARK_H_target
3
4#include <linux/netfilter/xt_connmark.h>
5
6#endif /*_XT_CONNMARK_H_target*/
diff --git a/include/uapi/linux/netfilter/xt_CONNSECMARK.h b/include/uapi/linux/netfilter/xt_CONNSECMARK.h
new file mode 100644
index 00000000000..b973ff80fa1
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CONNSECMARK.h
@@ -0,0 +1,15 @@
1#ifndef _XT_CONNSECMARK_H_target
2#define _XT_CONNSECMARK_H_target
3
4#include <linux/types.h>
5
6enum {
7 CONNSECMARK_SAVE = 1,
8 CONNSECMARK_RESTORE,
9};
10
11struct xt_connsecmark_target_info {
12 __u8 mode;
13};
14
15#endif /*_XT_CONNSECMARK_H_target */
diff --git a/include/uapi/linux/netfilter/xt_CT.h b/include/uapi/linux/netfilter/xt_CT.h
new file mode 100644
index 00000000000..a064b8af360
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CT.h
@@ -0,0 +1,31 @@
1#ifndef _XT_CT_H
2#define _XT_CT_H
3
4#include <linux/types.h>
5
6#define XT_CT_NOTRACK 0x1
7
8struct xt_ct_target_info {
9 __u16 flags;
10 __u16 zone;
11 __u32 ct_events;
12 __u32 exp_events;
13 char helper[16];
14
15 /* Used internally by the kernel */
16 struct nf_conn *ct __attribute__((aligned(8)));
17};
18
19struct xt_ct_target_info_v1 {
20 __u16 flags;
21 __u16 zone;
22 __u32 ct_events;
23 __u32 exp_events;
24 char helper[16];
25 char timeout[32];
26
27 /* Used internally by the kernel */
28 struct nf_conn *ct __attribute__((aligned(8)));
29};
30
31#endif /* _XT_CT_H */
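Review bot: Both `xt_ct_target_info` structs embed a kernel pointer (`struct nf_conn *ct`) in a structure that userspace builds and that is handed back to userspace when the ruleset is read; the `/* Used internally by the kernel */` comment does not say that the field must be ignored on input and must not be disclosed on output. A stronger comment, e.g. `/* kernel-only; userspace must leave it zero and must not rely on its contents when rules are read back */`, states the contract; whether the copy-out path scrubs it is not visible here. Also `helper[16]` and `timeout[32]` are fixed-size strings with no note that they must be NUL-terminated (`timeout` matches `CTNL_TIMEOUT_NAME_MAX` in nfnetlink_cttimeout.h, which is worth saying).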
diff --git a/include/uapi/linux/netfilter/xt_DSCP.h b/include/uapi/linux/netfilter/xt_DSCP.h
new file mode 100644
index 00000000000..648e0b3bed2
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_DSCP.h
@@ -0,0 +1,26 @@
1/* x_tables module for setting the IPv4/IPv6 DSCP field
2 *
3 * (C) 2002 Harald Welte <laforge@gnumonks.org>
4 * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
5 * This software is distributed under GNU GPL v2, 1991
6 *
7 * See RFC2474 for a description of the DSCP field within the IP Header.
8 *
9 * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
10*/
11#ifndef _XT_DSCP_TARGET_H
12#define _XT_DSCP_TARGET_H
13#include <linux/netfilter/xt_dscp.h>
14#include <linux/types.h>
15
16/* target info */
17struct xt_DSCP_info {
18 __u8 dscp;
19};
20
21struct xt_tos_target_info {
22 __u8 tos_value;
23 __u8 tos_mask;
24};
25
26#endif /* _XT_DSCP_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_IDLETIMER.h b/include/uapi/linux/netfilter/xt_IDLETIMER.h
new file mode 100644
index 00000000000..208ae938733
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_IDLETIMER.h
@@ -0,0 +1,45 @@
1/*
2 * linux/include/linux/netfilter/xt_IDLETIMER.h
3 *
4 * Header file for Xtables timer target module.
5 *
6 * Copyright (C) 2004, 2010 Nokia Corporation
7 * Written by Timo Teras <ext-timo.teras@nokia.com>
8 *
9 * Converted to x_tables and forward-ported to 2.6.34
10 * by Luciano Coelho <luciano.coelho@nokia.com>
11 *
12 * Contact: Luciano Coelho <luciano.coelho@nokia.com>
13 *
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * version 2 as published by the Free Software Foundation.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
21 * General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
26 * 02110-1301 USA
27 */
28
29#ifndef _XT_IDLETIMER_H
30#define _XT_IDLETIMER_H
31
32#include <linux/types.h>
33
34#define MAX_IDLETIMER_LABEL_SIZE 28
35
36struct idletimer_tg_info {
37 __u32 timeout;
38
39 char label[MAX_IDLETIMER_LABEL_SIZE];
40
41 /* for kernel module internal use only */
42 struct idletimer_tg *timer __attribute__((aligned(8)));
43};
44
45#endif
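Review bot: `struct idletimer_tg_info` ends with a kernel pointer (`struct idletimer_tg *timer`) in a userspace-visible layout, with only `for kernel module internal use only` to say so; as with the other xt_* target infos, the comment should state that userspace sets it to zero and must not interpret it when rules are read back, and nothing here shows the read-back path clearing it. `label[MAX_IDLETIMER_LABEL_SIZE]` also needs a `/* NUL-terminated */` note, since the label presumably becomes a name exposed to the system.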
diff --git a/include/uapi/linux/netfilter/xt_LED.h b/include/uapi/linux/netfilter/xt_LED.h
new file mode 100644
index 00000000000..f5509e7524d
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_LED.h
@@ -0,0 +1,15 @@
1#ifndef _XT_LED_H
2#define _XT_LED_H
3
4#include <linux/types.h>
5
6struct xt_led_info {
7 char id[27]; /* Unique ID for this trigger in the LED class */
8 __u8 always_blink; /* Blink even if the LED is already on */
9 __u32 delay; /* Delay until LED is switched off after trigger */
10
11 /* Kernel data used in the module */
12 void *internal_data __attribute__((aligned(8)));
13};
14
15#endif /* _XT_LED_H */
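Review bot: `void *internal_data` is a kernel pointer inside a userspace-visible struct, and `id[27]` is a fixed-size string used as a trigger name; neither carries a contract. Suggest `/* kernel-only: must be zero from userspace, not meaningful when rules are read back */` on the pointer and `/* NUL-terminated */` on `id`. The odd size 27 (plus the one-byte `always_blink`) looks chosen to keep `delay` naturally aligned; a comment saying so would stop someone "fixing" it to 28 and breaking the ABI.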
diff --git a/include/uapi/linux/netfilter/xt_LOG.h b/include/uapi/linux/netfilter/xt_LOG.h
new file mode 100644
index 00000000000..cac07909530
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_LOG.h
@@ -0,0 +1,19 @@
1#ifndef _XT_LOG_H
2#define _XT_LOG_H
3
4/* make sure not to change this without changing nf_log.h:NF_LOG_* (!) */
5#define XT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
6#define XT_LOG_TCPOPT 0x02 /* Log TCP options */
7#define XT_LOG_IPOPT 0x04 /* Log IP options */
8#define XT_LOG_UID 0x08 /* Log UID owning local socket */
9#define XT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
10#define XT_LOG_MACDECODE 0x20 /* Decode MAC header */
11#define XT_LOG_MASK 0x2f
12
13struct xt_log_info {
14 unsigned char level;
15 unsigned char logflags;
16 char prefix[30];
17};
18
19#endif /* _XT_LOG_H */
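Review bot: `prefix[30]` and `level` go straight into log output, but the header says nothing about `prefix` needing a NUL terminator or `level` being a syslog priority (0..7); a reader cannot tell from here what whatever check the kernel performs on load will reject. Suggest `unsigned char level; /* syslog priority, 0..7 */` and `char prefix[30]; /* NUL-terminated; printed verbatim before each log line */`. Also this file uses `unsigned char` where every sibling header uses `__u8` from `<linux/types.h>`; the ABI is the same, but matching the convention would be consistent.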
diff --git a/include/uapi/linux/netfilter/xt_MARK.h b/include/uapi/linux/netfilter/xt_MARK.h
new file mode 100644
index 00000000000..41c456deba2
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_MARK.h
@@ -0,0 +1,6 @@
1#ifndef _XT_MARK_H_target
2#define _XT_MARK_H_target
3
4#include <linux/netfilter/xt_mark.h>
5
6#endif /*_XT_MARK_H_target */
diff --git a/include/uapi/linux/netfilter/xt_NFLOG.h b/include/uapi/linux/netfilter/xt_NFLOG.h
new file mode 100644
index 00000000000..87b58311ce6
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_NFLOG.h
@@ -0,0 +1,20 @@
1#ifndef _XT_NFLOG_TARGET
2#define _XT_NFLOG_TARGET
3
4#include <linux/types.h>
5
6#define XT_NFLOG_DEFAULT_GROUP 0x1
7#define XT_NFLOG_DEFAULT_THRESHOLD 0
8
9#define XT_NFLOG_MASK 0x0
10
11struct xt_nflog_info {
12 __u32 len;
13 __u16 group;
14 __u16 threshold;
15 __u16 flags;
16 __u16 pad;
17 char prefix[64];
18};
19
20#endif /* _XT_NFLOG_TARGET */
diff --git a/include/uapi/linux/netfilter/xt_NFQUEUE.h b/include/uapi/linux/netfilter/xt_NFQUEUE.h
new file mode 100644
index 00000000000..9eafdbbb401
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_NFQUEUE.h
@@ -0,0 +1,29 @@
1/* iptables module for using NFQUEUE mechanism
2 *
3 * (C) 2005 Harald Welte <laforge@netfilter.org>
4 *
5 * This software is distributed under GNU GPL v2, 1991
6 *
7*/
8#ifndef _XT_NFQ_TARGET_H
9#define _XT_NFQ_TARGET_H
10
11#include <linux/types.h>
12
13/* target info */
14struct xt_NFQ_info {
15 __u16 queuenum;
16};
17
18struct xt_NFQ_info_v1 {
19 __u16 queuenum;
20 __u16 queues_total;
21};
22
23struct xt_NFQ_info_v2 {
24 __u16 queuenum;
25 __u16 queues_total;
26 __u16 bypass;
27};
28
29#endif /* _XT_NFQ_TARGET_H */
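Review bot: `xt_NFQ_info_v2` adds a `bypass` field with no comment, and bypass is a security-relevant switch: presumably it lets packets through when no userspace program is bound to the queue, which turns a missing or crashed verdict daemon into a filter bypass. Suggest `__u16 bypass; /* non-zero: accept packets instead of dropping them when the queue has no listener; weakens enforcement */`. `queues_total` in v1 is likewise undocumented; `/* number of consecutive queues starting at queuenum to balance across */` would do, if that is what it does (the target module is not in this diff).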
diff --git a/include/uapi/linux/netfilter/xt_RATEEST.h b/include/uapi/linux/netfilter/xt_RATEEST.h
new file mode 100644
index 00000000000..6605e20ad8c
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_RATEEST.h
@@ -0,0 +1,15 @@
1#ifndef _XT_RATEEST_TARGET_H
2#define _XT_RATEEST_TARGET_H
3
4#include <linux/types.h>
5
6struct xt_rateest_target_info {
7 char name[IFNAMSIZ];
8 __s8 interval;
9 __u8 ewma_log;
10
11 /* Used internally by the kernel */
12 struct xt_rateest *est __attribute__((aligned(8)));
13};
14
15#endif /* _XT_RATEEST_TARGET_H */
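Review bot: `name[IFNAMSIZ]` uses a macro this header does not provide (only `<linux/types.h>` is included), so the header is not self-contained and compiles only if the includer pulled in `<linux/if.h>` first; add `#include <linux/if.h>`. The `struct xt_rateest *est` field is a kernel pointer in a userspace-visible struct; its comment should say it must be zero on input and is not meaningful when rules are read back. `__s8 interval` being signed with no range comment is also worth a line, since a reader cannot tell whether negative intervals are valid.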
diff --git a/include/uapi/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h
new file mode 100644
index 00000000000..989092bd627
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_SECMARK.h
@@ -0,0 +1,22 @@
1#ifndef _XT_SECMARK_H_target
2#define _XT_SECMARK_H_target
3
4#include <linux/types.h>
5
6/*
7 * This is intended for use by various security subsystems (but not
8 * at the same time).
9 *
10 * 'mode' refers to the specific security subsystem which the
11 * packets are being marked for.
12 */
13#define SECMARK_MODE_SEL 0x01 /* SELinux */
14#define SECMARK_SECCTX_MAX 256
15
16struct xt_secmark_target_info {
17 __u8 mode;
18 __u32 secid;
19 char secctx[SECMARK_SECCTX_MAX];
20};
21
22#endif /*_XT_SECMARK_H_target */
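Review bot: `secctx[SECMARK_SECCTX_MAX]` is a 256-byte string with no statement that it must be NUL-terminated, and `secid` has no comment at all even though, from its name and the `secctx` next to it, it appears to be the kernel-resolved form of the context rather than something userspace supplies. Suggest `__u32 secid; /* filled in by the kernel from secctx; userspace should pass 0 */` and `char secctx[SECMARK_SECCTX_MAX]; /* NUL-terminated security context string */`; the resolution behaviour should be confirmed against the target module, which is not in this diff.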
diff --git a/include/uapi/linux/netfilter/xt_TCPMSS.h b/include/uapi/linux/netfilter/xt_TCPMSS.h
new file mode 100644
index 00000000000..9a6960afc13
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TCPMSS.h
@@ -0,0 +1,12 @@
1#ifndef _XT_TCPMSS_H
2#define _XT_TCPMSS_H
3
4#include <linux/types.h>
5
6struct xt_tcpmss_info {
7 __u16 mss;
8};
9
10#define XT_TCPMSS_CLAMP_PMTU 0xffff
11
12#endif /* _XT_TCPMSS_H */
diff --git a/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
new file mode 100644
index 00000000000..7157318499c
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
@@ -0,0 +1,15 @@
1#ifndef _XT_TCPOPTSTRIP_H
2#define _XT_TCPOPTSTRIP_H
3
4#include <linux/types.h>
5
6#define tcpoptstrip_set_bit(bmap, idx) \
7 (bmap[(idx) >> 5] |= 1U << (idx & 31))
8#define tcpoptstrip_test_bit(bmap, idx) \
9 (((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0)
10
11struct xt_tcpoptstrip_target_info {
12 __u32 strip_bmap[8];
13};
14
15#endif /* _XT_TCPOPTSTRIP_H */
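Review bot: `tcpoptstrip_set_bit` and `tcpoptstrip_test_bit` parenthesize `idx` in the array index but leave it bare in the shift amount, so an argument containing a lower-precedence operator (`a | b`, `c ? x : y`) expands to `1U << (a | (b & 31))` rather than the intended bit; change both to `(1U << ((idx) & 31))`. The bitmap is 8 × 32 = 256 bits, one per TCP option kind, and a comment to that effect on `strip_bmap` would make the sizing explicit.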
diff --git a/include/uapi/linux/netfilter/xt_TEE.h b/include/uapi/linux/netfilter/xt_TEE.h
new file mode 100644
index 00000000000..5c21d5c829a
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TEE.h
@@ -0,0 +1,12 @@
1#ifndef _XT_TEE_TARGET_H
2#define _XT_TEE_TARGET_H
3
4struct xt_tee_tginfo {
5 union nf_inet_addr gw;
6 char oif[16];
7
8 /* used internally by the kernel */
9 struct xt_tee_priv *priv __attribute__((aligned(8)));
10};
11
12#endif /* _XT_TEE_TARGET_H */
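Review bot: This header uses `union nf_inet_addr` but includes nothing, neither `<linux/netfilter.h>` where that union lives nor `<linux/types.h>`, so it only compiles after the right headers happen to be included first; add `#include <linux/netfilter.h>`. `char oif[16]` is an interface name with a magic size and no NUL-termination note (`IFNAMSIZ` from `<linux/if.h>` would name it), and `struct xt_tee_priv *priv` is a kernel pointer in a userspace-visible struct that should be documented as zero-on-input and not meaningful when rules are read back.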
diff --git a/include/uapi/linux/netfilter/xt_TPROXY.h b/include/uapi/linux/netfilter/xt_TPROXY.h
new file mode 100644
index 00000000000..902043c2073
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TPROXY.h
@@ -0,0 +1,23 @@
1#ifndef _XT_TPROXY_H
2#define _XT_TPROXY_H
3
4#include <linux/types.h>
5
6/* TPROXY target is capable of marking the packet to perform
7 * redirection. We can get rid of that whenever we get support for
8 * mutliple targets in the same rule. */
9struct xt_tproxy_target_info {
10 __u32 mark_mask;
11 __u32 mark_value;
12 __be32 laddr;
13 __be16 lport;
14};
15
16struct xt_tproxy_target_info_v1 {
17 __u32 mark_mask;
18 __u32 mark_value;
19 union nf_inet_addr laddr;
20 __be16 lport;
21};
22
23#endif /* _XT_TPROXY_H */
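Review bot: `xt_tproxy_target_info_v1` uses `union nf_inet_addr` with only `<linux/types.h>` included, so the header is not self-contained; add `#include <linux/netfilter.h>`. The comment above the struct has a typo (`mutliple`), and neither revision says whether `lport == 0` or a zero `laddr` have special meaning; a short note on what zero means for each field would save readers a trip to the target module, which is not in this diff.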
diff --git a/include/uapi/linux/netfilter/xt_addrtype.h b/include/uapi/linux/netfilter/xt_addrtype.h
new file mode 100644
index 00000000000..b156baa9d55
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_addrtype.h
@@ -0,0 +1,44 @@
1#ifndef _XT_ADDRTYPE_H
2#define _XT_ADDRTYPE_H
3
4#include <linux/types.h>
5
6enum {
7 XT_ADDRTYPE_INVERT_SOURCE = 0x0001,
8 XT_ADDRTYPE_INVERT_DEST = 0x0002,
9 XT_ADDRTYPE_LIMIT_IFACE_IN = 0x0004,
10 XT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008,
11};
12
13
14/* rtn_type enum values from rtnetlink.h, but shifted */
15enum {
16 XT_ADDRTYPE_UNSPEC = 1 << 0,
17 XT_ADDRTYPE_UNICAST = 1 << 1, /* 1 << RTN_UNICAST */
18 XT_ADDRTYPE_LOCAL = 1 << 2, /* 1 << RTN_LOCAL, etc */
19 XT_ADDRTYPE_BROADCAST = 1 << 3,
20 XT_ADDRTYPE_ANYCAST = 1 << 4,
21 XT_ADDRTYPE_MULTICAST = 1 << 5,
22 XT_ADDRTYPE_BLACKHOLE = 1 << 6,
23 XT_ADDRTYPE_UNREACHABLE = 1 << 7,
24 XT_ADDRTYPE_PROHIBIT = 1 << 8,
25 XT_ADDRTYPE_THROW = 1 << 9,
26 XT_ADDRTYPE_NAT = 1 << 10,
27 XT_ADDRTYPE_XRESOLVE = 1 << 11,
28};
29
30struct xt_addrtype_info_v1 {
31 __u16 source; /* source-type mask */
32 __u16 dest; /* dest-type mask */
33 __u32 flags;
34};
35
36/* revision 0 */
37struct xt_addrtype_info {
38 __u16 source; /* source-type mask */
39 __u16 dest; /* dest-type mask */
40 __u32 invert_source;
41 __u32 invert_dest;
42};
43
44#endif
diff --git a/include/uapi/linux/netfilter/xt_cluster.h b/include/uapi/linux/netfilter/xt_cluster.h
new file mode 100644
index 00000000000..9b883c8fbf5
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_cluster.h
@@ -0,0 +1,19 @@
1#ifndef _XT_CLUSTER_MATCH_H
2#define _XT_CLUSTER_MATCH_H
3
4#include <linux/types.h>
5
6enum xt_cluster_flags {
7 XT_CLUSTER_F_INV = (1 << 0)
8};
9
10struct xt_cluster_match_info {
11 __u32 total_nodes;
12 __u32 node_mask;
13 __u32 hash_seed;
14 __u32 flags;
15};
16
17#define XT_CLUSTER_NODES_MAX 32
18
19#endif /* _XT_CLUSTER_MATCH_H */
diff --git a/include/uapi/linux/netfilter/xt_comment.h b/include/uapi/linux/netfilter/xt_comment.h
new file mode 100644
index 00000000000..0ea5e79f5bd
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_comment.h
@@ -0,0 +1,10 @@
1#ifndef _XT_COMMENT_H
2#define _XT_COMMENT_H
3
4#define XT_MAX_COMMENT_LEN 256
5
6struct xt_comment_info {
7 char comment[XT_MAX_COMMENT_LEN];
8};
9
10#endif /* XT_COMMENT_H */
diff --git a/include/uapi/linux/netfilter/xt_connbytes.h b/include/uapi/linux/netfilter/xt_connbytes.h
new file mode 100644
index 00000000000..f1d6c15bd9e
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_connbytes.h
@@ -0,0 +1,26 @@
1#ifndef _XT_CONNBYTES_H
2#define _XT_CONNBYTES_H
3
4#include <linux/types.h>
5
6enum xt_connbytes_what {
7 XT_CONNBYTES_PKTS,
8 XT_CONNBYTES_BYTES,
9 XT_CONNBYTES_AVGPKT,
10};
11
12enum xt_connbytes_direction {
13 XT_CONNBYTES_DIR_ORIGINAL,
14 XT_CONNBYTES_DIR_REPLY,
15 XT_CONNBYTES_DIR_BOTH,
16};
17
18struct xt_connbytes_info {
19 struct {
20 __aligned_u64 from; /* count to be matched */
21 __aligned_u64 to; /* count to be matched */
22 } count;
23 __u8 what; /* ipt_connbytes_what */
24 __u8 direction; /* ipt_connbytes_direction */
25};
26#endif
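Review bot: The field comments on `what` and `direction` name `ipt_connbytes_what` and `ipt_connbytes_direction`, enums that do not exist in this header; they should read `/* enum xt_connbytes_what */` and `/* enum xt_connbytes_direction */` so a reader can find the valid values. `count.from` and `count.to` both carry the same `count to be matched` comment; `/* lower bound */` and `/* upper bound */` with a note on inclusivity would be more useful, once confirmed against the match module, which is not in this diff.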
diff --git a/include/uapi/linux/netfilter/xt_connlimit.h b/include/uapi/linux/netfilter/xt_connlimit.h
new file mode 100644
index 00000000000..f1656096121
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_connlimit.h
@@ -0,0 +1,32 @@
1#ifndef _XT_CONNLIMIT_H
2#define _XT_CONNLIMIT_H
3
4#include <linux/types.h>
5#include <linux/netfilter.h>
6
7struct xt_connlimit_data;
8
9enum {
10 XT_CONNLIMIT_INVERT = 1 << 0,
11 XT_CONNLIMIT_DADDR = 1 << 1,
12};
13
14struct xt_connlimit_info {
15 union {
16 union nf_inet_addr mask;
17#ifndef __KERNEL__
18 union {
19 __be32 v4_mask;
20 __be32 v6_mask[4];
21 };
22#endif
23 };
24 unsigned int limit;
25 /* revision 1 */
26 __u32 flags;
27
28 /* Used internally by the kernel */
29 struct xt_connlimit_data *data __attribute__((aligned(8)));
30};
31
32#endif /* _XT_CONNLIMIT_H */
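Review bot: `unsigned int limit` is the only non-fixed-width field in a userspace ABI struct whose neighbours are all `__u32`/`__be32`; it is 32 bits on every Linux ABI so the layout is not actually at risk, but `__u32 limit` would say so explicitly. The `/* revision 1 */` comment on `flags` implies revision 0 ends before it; stating the revision-0 layout would make the per-revision sizes checkable from the header alone. `struct xt_connlimit_data *data` is a kernel pointer in a userspace-visible struct and should be documented as zero-on-input and not meaningful when rules are read back.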
diff --git a/include/uapi/linux/netfilter/xt_connmark.h b/include/uapi/linux/netfilter/xt_connmark.h
new file mode 100644
index 00000000000..efc17a8305f
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_connmark.h
@@ -0,0 +1,31 @@
1#ifndef _XT_CONNMARK_H
2#define _XT_CONNMARK_H
3
4#include <linux/types.h>
5
6/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
7 * by Henrik Nordstrom <hno@marasystems.com>
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 */
14
15enum {
16 XT_CONNMARK_SET = 0,
17 XT_CONNMARK_SAVE,
18 XT_CONNMARK_RESTORE
19};
20
21struct xt_connmark_tginfo1 {
22 __u32 ctmark, ctmask, nfmask;
23 __u8 mode;
24};
25
26struct xt_connmark_mtinfo1 {
27 __u32 mark, mask;
28 __u8 invert;
29};
30
31#endif /*_XT_CONNMARK_H*/
diff --git a/include/uapi/linux/netfilter/xt_conntrack.h b/include/uapi/linux/netfilter/xt_conntrack.h
new file mode 100644
index 00000000000..e3c041d5402
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_conntrack.h
@@ -0,0 +1,77 @@
1/* Header file for kernel module to match connection tracking information.
2 * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
3 */
4
5#ifndef _XT_CONNTRACK_H
6#define _XT_CONNTRACK_H
7
8#include <linux/types.h>
9#include <linux/netfilter.h>
10#include <linux/netfilter/nf_conntrack_tuple_common.h>
11
12#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
13#define XT_CONNTRACK_STATE_INVALID (1 << 0)
14
15#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
16#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
17#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
18
19/* flags, invflags: */
20enum {
21 XT_CONNTRACK_STATE = 1 << 0,
22 XT_CONNTRACK_PROTO = 1 << 1,
23 XT_CONNTRACK_ORIGSRC = 1 << 2,
24 XT_CONNTRACK_ORIGDST = 1 << 3,
25 XT_CONNTRACK_REPLSRC = 1 << 4,
26 XT_CONNTRACK_REPLDST = 1 << 5,
27 XT_CONNTRACK_STATUS = 1 << 6,
28 XT_CONNTRACK_EXPIRES = 1 << 7,
29 XT_CONNTRACK_ORIGSRC_PORT = 1 << 8,
30 XT_CONNTRACK_ORIGDST_PORT = 1 << 9,
31 XT_CONNTRACK_REPLSRC_PORT = 1 << 10,
32 XT_CONNTRACK_REPLDST_PORT = 1 << 11,
33 XT_CONNTRACK_DIRECTION = 1 << 12,
34};
35
36struct xt_conntrack_mtinfo1 {
37 union nf_inet_addr origsrc_addr, origsrc_mask;
38 union nf_inet_addr origdst_addr, origdst_mask;
39 union nf_inet_addr replsrc_addr, replsrc_mask;
40 union nf_inet_addr repldst_addr, repldst_mask;
41 __u32 expires_min, expires_max;
42 __u16 l4proto;
43 __be16 origsrc_port, origdst_port;
44 __be16 replsrc_port, repldst_port;
45 __u16 match_flags, invert_flags;
46 __u8 state_mask, status_mask;
47};
48
49struct xt_conntrack_mtinfo2 {
50 union nf_inet_addr origsrc_addr, origsrc_mask;
51 union nf_inet_addr origdst_addr, origdst_mask;
52 union nf_inet_addr replsrc_addr, replsrc_mask;
53 union nf_inet_addr repldst_addr, repldst_mask;
54 __u32 expires_min, expires_max;
55 __u16 l4proto;
56 __be16 origsrc_port, origdst_port;
57 __be16 replsrc_port, repldst_port;
58 __u16 match_flags, invert_flags;
59 __u16 state_mask, status_mask;
60};
61
62struct xt_conntrack_mtinfo3 {
63 union nf_inet_addr origsrc_addr, origsrc_mask;
64 union nf_inet_addr origdst_addr, origdst_mask;
65 union nf_inet_addr replsrc_addr, replsrc_mask;
66 union nf_inet_addr repldst_addr, repldst_mask;
67 __u32 expires_min, expires_max;
68 __u16 l4proto;
69 __u16 origsrc_port, origdst_port;
70 __u16 replsrc_port, repldst_port;
71 __u16 match_flags, invert_flags;
72 __u16 state_mask, status_mask;
73 __u16 origsrc_port_high, origdst_port_high;
74 __u16 replsrc_port_high, repldst_port_high;
75};
76
77#endif /*_XT_CONNTRACK_H*/
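Review bot: `XT_CONNTRACK_STATE_BIT(ctinfo)` expands to `1 << ((ctinfo)%IP_CT_IS_REPLY+1)`, which relies on `%` binding tighter than `+`; it is correct, but `(1 << (((ctinfo) % IP_CT_IS_REPLY) + 1))` says what is meant and the outer parentheses keep the macro safe inside a larger expression. The three `mtinfo` revisions differ in the port field types (`__be16` in v1/v2, `__u16` plus `_high` fields in v3), and nothing records that v3 ports appear to be host-order ranges while earlier revisions hold single network-order values; a comment on `xt_conntrack_mtinfo3` would prevent a copy-paste between revisions. The byte order of the v3 ports is inferred from the type change and should be confirmed against the match module.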
diff --git a/include/uapi/linux/netfilter/xt_cpu.h b/include/uapi/linux/netfilter/xt_cpu.h
new file mode 100644
index 00000000000..93c7f11d8f4
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_cpu.h
@@ -0,0 +1,11 @@
1#ifndef _XT_CPU_H
2#define _XT_CPU_H
3
4#include <linux/types.h>
5
6struct xt_cpu_info {
7 __u32 cpu;
8 __u32 invert;
9};
10
11#endif /*_XT_CPU_H*/
diff --git a/include/uapi/linux/netfilter/xt_dccp.h b/include/uapi/linux/netfilter/xt_dccp.h
new file mode 100644
index 00000000000..a579e1b6f04
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_dccp.h
@@ -0,0 +1,25 @@
1#ifndef _XT_DCCP_H_
2#define _XT_DCCP_H_
3
4#include <linux/types.h>
5
6#define XT_DCCP_SRC_PORTS 0x01
7#define XT_DCCP_DEST_PORTS 0x02
8#define XT_DCCP_TYPE 0x04
9#define XT_DCCP_OPTION 0x08
10
11#define XT_DCCP_VALID_FLAGS 0x0f
12
13struct xt_dccp_info {
14 __u16 dpts[2]; /* Min, Max */
15 __u16 spts[2]; /* Min, Max */
16
17 __u16 flags;
18 __u16 invflags;
19
20 __u16 typemask;
21 __u8 option;
22};
23
24#endif /* _XT_DCCP_H_ */
25
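diff --git a/include/uapi/linux/netfilter/xt_devgroup.h b/include/uapi/linux/netfilter/xt_devgroup.h
new file mode 100644
index 00000000000..1babde0ec90
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_devgroup.h
@@ -0,0 +1,21 @@
+#ifndef _XT_DEVGROUP_H
+#define _XT_DEVGROUP_H
+
+#include <linux/types.h>
+
+enum xt_devgroup_flags {
+ XT_DEVGROUP_MATCH_SRC = 0x1,
+ XT_DEVGROUP_INVERT_SRC = 0x2,
+ XT_DEVGROUP_MATCH_DST = 0x4,
+ XT_DEVGROUP_INVERT_DST = 0x8,
+};
+
+struct xt_devgroup_info {
+ __u32 flags;
+ __u32 src_group;
+ __u32 src_mask;
+ __u32 dst_group;
+ __u32 dst_mask;
+};
+
+#endif /* _XT_DEVGROUP_H */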
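diff --git a/include/uapi/linux/netfilter/xt_dscp.h b/include/uapi/linux/netfilter/xt_dscp.h
new file mode 100644
index 00000000000..15f8932ad5c
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_dscp.h
@@ -0,0 +1,31 @@
+/* x_tables module for matching the IPv4/IPv6 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
+*/
+#ifndef _XT_DSCP_H
+#define _XT_DSCP_H
+
+#include <linux/types.h>
+
+#define XT_DSCP_MASK 0xfc /* 11111100 */
+#define XT_DSCP_SHIFT 2
+#define XT_DSCP_MAX 0x3f /* 00111111 */
+
+/* match info */
+struct xt_dscp_info {
+ __u8 dscp;
+ __u8 invert;
+};
+
+struct xt_tos_match_info {
+ __u8 tos_mask;
+ __u8 tos_value;
+ __u8 invert;
+};
+
+#endif /* _XT_DSCP_H */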
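diff --git a/include/uapi/linux/netfilter/xt_ecn.h b/include/uapi/linux/netfilter/xt_ecn.h
new file mode 100644
index 00000000000..7158fca364f
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_ecn.h
@@ -0,0 +1,35 @@
+/* iptables module for matching the ECN header in IPv4 and TCP header
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
+*/
+#ifndef _XT_ECN_H
+#define _XT_ECN_H
+
+#include <linux/types.h>
+#include <linux/netfilter/xt_dscp.h>
+
+#define XT_ECN_IP_MASK (~XT_DSCP_MASK)
+
+#define XT_ECN_OP_MATCH_IP 0x01
+#define XT_ECN_OP_MATCH_ECE 0x10
+#define XT_ECN_OP_MATCH_CWR 0x20
+
+#define XT_ECN_OP_MATCH_MASK 0xce
+
+/* match info */
+struct xt_ecn_info {
+ __u8 operation;
+ __u8 invert;
+ __u8 ip_ect;
+ union {
+ struct {
+ __u8 ect;
+ } tcp;
+ } proto;
+};
+
+#endif /* _XT_ECN_H */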
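Review bot: `XT_ECN_OP_MATCH_MASK` at line 21 is `0xce`, which within a byte is the complement of the three `XT_ECN_OP_MATCH_*` bits (`0x01|0x10|0x20` = `0x31`), i.e. it names the set of undefined operation bits, although the identifier reads as if it were the set of valid ones. Nothing in the header says so, and a value like this is easy for a later contributor to "correct" to `0x31`, which would invert the meaning for whichever side validates `operation` against it. Suggest `#define XT_ECN_OP_MATCH_MASK 0xce /* operation bits not defined above; must be clear */` — the "must be clear" half presumably mirrors the match's checkentry validation and should be confirmed against xt_ecn.c before wording it that strongly.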
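diff --git a/include/uapi/linux/netfilter/xt_esp.h b/include/uapi/linux/netfilter/xt_esp.h
new file mode 100644
index 00000000000..ee688240800
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_esp.h
@@ -0,0 +1,15 @@
+#ifndef _XT_ESP_H
+#define _XT_ESP_H
+
+#include <linux/types.h>
+
+struct xt_esp {
+ __u32 spis[2]; /* Security Parameter Index */
+ __u8 invflags; /* Inverse flags */
+};
+
+/* Values for "invflags" field in struct xt_esp. */
+#define XT_ESP_INV_SPI 0x01 /* Invert the sense of spi. */
+#define XT_ESP_INV_MASK 0x01 /* All possible flags. */
+
+#endif /*_XT_ESP_H*/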
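diff --git a/include/uapi/linux/netfilter/xt_hashlimit.h b/include/uapi/linux/netfilter/xt_hashlimit.h
new file mode 100644
index 00000000000..cbfc43d1af6
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_hashlimit.h
@@ -0,0 +1,73 @@
+#ifndef _UAPI_XT_HASHLIMIT_H
+#define _UAPI_XT_HASHLIMIT_H
+
+#include <linux/types.h>
+
+/* timings are in milliseconds. */
+#define XT_HASHLIMIT_SCALE 10000
+/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
+ * seconds, or one packet every 59 hours.
+ */
+
+/* packet length accounting is done in 16-byte steps */
+#define XT_HASHLIMIT_BYTE_SHIFT 4
+
+/* details of this structure hidden by the implementation */
+struct xt_hashlimit_htable;
+
+enum {
+ XT_HASHLIMIT_HASH_DIP = 1 << 0,
+ XT_HASHLIMIT_HASH_DPT = 1 << 1,
+ XT_HASHLIMIT_HASH_SIP = 1 << 2,
+ XT_HASHLIMIT_HASH_SPT = 1 << 3,
+ XT_HASHLIMIT_INVERT = 1 << 4,
+ XT_HASHLIMIT_BYTES = 1 << 5,
+};
+
+struct hashlimit_cfg {
+ __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
+ __u32 avg; /* Average secs between packets * scale */
+ __u32 burst; /* Period multiplier for upper limit. */
+
+ /* user specified */
+ __u32 size; /* how many buckets */
+ __u32 max; /* max number of entries */
+ __u32 gc_interval; /* gc interval */
+ __u32 expire; /* when do entries expire? */
+};
+
+struct xt_hashlimit_info {
+ char name [IFNAMSIZ]; /* name */
+ struct hashlimit_cfg cfg;
+
+ /* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo;
+ union {
+ void *ptr;
+ struct xt_hashlimit_info *master;
+ } u;
+};
+
+struct hashlimit_cfg1 {
+ __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
+ __u32 avg; /* Average secs between packets * scale */
+ __u32 burst; /* Period multiplier for upper limit. */
+
+ /* user specified */
+ __u32 size; /* how many buckets */
+ __u32 max; /* max number of entries */
+ __u32 gc_interval; /* gc interval */
+ __u32 expire; /* when do entries expire? */
+
+ __u8 srcmask, dstmask;
+};
+
+struct xt_hashlimit_mtinfo1 {
+ char name[IFNAMSIZ];
+ struct hashlimit_cfg1 cfg;
+
+ /* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
+};
+
+#endif /* _UAPI_XT_HASHLIMIT_H */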
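Review bot: `struct xt_hashlimit_info` and `struct xt_hashlimit_mtinfo1` size their `name` arrays with `IFNAMSIZ`, but the only include is `<linux/types.h>`, so a userspace program that includes this exported header on its own does not compile unless it happened to pull in `<linux/if.h>` first. The same gap recurs in xt_physdev.h and xt_rateest.h (`IFNAMSIZ`), xt_mac.h (`ETH_ALEN`, `<linux/if_ether.h>`), xt_ipvs.h and xt_recent.h (`union nf_inet_addr`, `<linux/netfilter.h>`, which xt_iprange.h does include), xt_osf.h (`struct iphdr`, `struct tcphdr`, `MAX_IPOPTLEN`), xt_policy.h (`struct in_addr`/`struct in6_addr` in its userspace branch), xt_state.h (`IP_CT_IS_REPLY`, `IP_CT_NUMBER`) and xt_sctp.h (`bool`, `memset`, `memcpy`, `ARRAY_SIZE`). This is inherited from the pre-split headers rather than introduced by the script, but now that these are the UAPI copies this is the place to make each self-contained; for this file `#include <linux/if.h>` after the `<linux/types.h>` line would do. Separately, `hinfo` and the `u` union in `struct xt_hashlimit_info` are raw kernel pointers in an exported layout, so its size differs between 32- and 64-bit userspace, while the revision-1 `xt_hashlimit_mtinfo1` pins `hinfo` with `__attribute__((aligned(8)))`; a one-line comment on `struct xt_hashlimit_info` saying it is kept only for the revision-0 ABI (which is what the layout suggests, not something visible here) would save the next reader the archaeology.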
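diff --git a/include/uapi/linux/netfilter/xt_helper.h b/include/uapi/linux/netfilter/xt_helper.h
new file mode 100644
index 00000000000..6b42763f999
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_helper.h
@@ -0,0 +1,8 @@
+#ifndef _XT_HELPER_H
+#define _XT_HELPER_H
+
+struct xt_helper_info {
+ int invert;
+ char name[30];
+};
+#endif /* _XT_HELPER_H */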
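diff --git a/include/uapi/linux/netfilter/xt_iprange.h b/include/uapi/linux/netfilter/xt_iprange.h
new file mode 100644
index 00000000000..25fd7cf851f
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_iprange.h
@@ -0,0 +1,20 @@
+#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
+#define _LINUX_NETFILTER_XT_IPRANGE_H 1
+
+#include <linux/types.h>
+#include <linux/netfilter.h>
+
+enum {
+ IPRANGE_SRC = 1 << 0, /* match source IP address */
+ IPRANGE_DST = 1 << 1, /* match destination IP address */
+ IPRANGE_SRC_INV = 1 << 4, /* negate the condition */
+ IPRANGE_DST_INV = 1 << 5, /* -"- */
+};
+
+struct xt_iprange_mtinfo {
+ union nf_inet_addr src_min, src_max;
+ union nf_inet_addr dst_min, dst_max;
+ __u8 flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */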
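diff --git a/include/uapi/linux/netfilter/xt_ipvs.h b/include/uapi/linux/netfilter/xt_ipvs.h
new file mode 100644
index 00000000000..eff34ac1880
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_ipvs.h
@@ -0,0 +1,29 @@
+#ifndef _XT_IPVS_H
+#define _XT_IPVS_H
+
+#include <linux/types.h>
+
+enum {
+ XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */
+ XT_IPVS_PROTO = 1 << 1,
+ XT_IPVS_VADDR = 1 << 2,
+ XT_IPVS_VPORT = 1 << 3,
+ XT_IPVS_DIR = 1 << 4,
+ XT_IPVS_METHOD = 1 << 5,
+ XT_IPVS_VPORTCTL = 1 << 6,
+ XT_IPVS_MASK = (1 << 7) - 1,
+ XT_IPVS_ONCE_MASK = XT_IPVS_MASK & ~XT_IPVS_IPVS_PROPERTY
+};
+
+struct xt_ipvs_mtinfo {
+ union nf_inet_addr vaddr, vmask;
+ __be16 vport;
+ __u8 l4proto;
+ __u8 fwd_method;
+ __be16 vportctl;
+
+ __u8 invert;
+ __u8 bitmask;
+};
+
+#endif /* _XT_IPVS_H */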
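diff --git a/include/uapi/linux/netfilter/xt_length.h b/include/uapi/linux/netfilter/xt_length.h
new file mode 100644
index 00000000000..b82ed7c4b1e
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_length.h
@@ -0,0 +1,11 @@
+#ifndef _XT_LENGTH_H
+#define _XT_LENGTH_H
+
+#include <linux/types.h>
+
+struct xt_length_info {
+ __u16 min, max;
+ __u8 invert;
+};
+
+#endif /*_XT_LENGTH_H*/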
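diff --git a/include/uapi/linux/netfilter/xt_limit.h b/include/uapi/linux/netfilter/xt_limit.h
new file mode 100644
index 00000000000..bb47fc4d2ad
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_limit.h
@@ -0,0 +1,24 @@
+#ifndef _XT_RATE_H
+#define _XT_RATE_H
+
+#include <linux/types.h>
+
+/* timings are in milliseconds. */
+#define XT_LIMIT_SCALE 10000
+
+struct xt_limit_priv;
+
+/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
+ seconds, or one every 59 hours. */
+struct xt_rateinfo {
+ __u32 avg; /* Average secs between packets * scale */
+ __u32 burst; /* Period multiplier for upper limit. */
+
+ /* Used internally by the kernel */
+ unsigned long prev; /* moved to xt_limit_priv */
+ __u32 credit; /* moved to xt_limit_priv */
+ __u32 credit_cap, cost;
+
+ struct xt_limit_priv *master;
+};
+#endif /*_XT_RATE_H*/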
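Review bot: The include guard `_XT_RATE_H` at lines 1, 2 and 24 matches neither the file name xt_limit.h nor the `XT_LIMIT_SCALE` macro it guards; every other header in this series derives its guard from the file name, and an unrelated `xt_rate.h` added later would silently collide with this one. Also, `struct xt_rateinfo` carries an `unsigned long prev` and a `struct xt_limit_priv *master`, both of which change size between 32- and 64-bit userspace, with only "moved to xt_limit_priv" as explanation; a comment stating that these members are retained solely for ABI compatibility and carry no meaning from userspace would help, though that is inferred from the comments rather than visible here. The rename would be `#ifndef _XT_LIMIT_H` / `#define _XT_LIMIT_H` / `#endif /*_XT_LIMIT_H*/`.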
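diff --git a/include/uapi/linux/netfilter/xt_mac.h b/include/uapi/linux/netfilter/xt_mac.h
new file mode 100644
index 00000000000..b892cdc67e0
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_mac.h
@@ -0,0 +1,8 @@
+#ifndef _XT_MAC_H
+#define _XT_MAC_H
+
+struct xt_mac_info {
+ unsigned char srcaddr[ETH_ALEN];
+ int invert;
+};
+#endif /*_XT_MAC_H*/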
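diff --git a/include/uapi/linux/netfilter/xt_mark.h b/include/uapi/linux/netfilter/xt_mark.h
new file mode 100644
index 00000000000..ecadc40d5cd
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_mark.h
@@ -0,0 +1,15 @@
+#ifndef _XT_MARK_H
+#define _XT_MARK_H
+
+#include <linux/types.h>
+
+struct xt_mark_tginfo2 {
+ __u32 mark, mask;
+};
+
+struct xt_mark_mtinfo1 {
+ __u32 mark, mask;
+ __u8 invert;
+};
+
+#endif /*_XT_MARK_H*/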
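diff --git a/include/uapi/linux/netfilter/xt_multiport.h b/include/uapi/linux/netfilter/xt_multiport.h
new file mode 100644
index 00000000000..5b7e72dfffc
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_multiport.h
@@ -0,0 +1,29 @@
+#ifndef _XT_MULTIPORT_H
+#define _XT_MULTIPORT_H
+
+#include <linux/types.h>
+
+enum xt_multiport_flags {
+ XT_MULTIPORT_SOURCE,
+ XT_MULTIPORT_DESTINATION,
+ XT_MULTIPORT_EITHER
+};
+
+#define XT_MULTI_PORTS 15
+
+/* Must fit inside union xt_matchinfo: 16 bytes */
+struct xt_multiport {
+ __u8 flags; /* Type of comparison */
+ __u8 count; /* Number of ports */
+ __u16 ports[XT_MULTI_PORTS]; /* Ports */
+};
+
+struct xt_multiport_v1 {
+ __u8 flags; /* Type of comparison */
+ __u8 count; /* Number of ports */
+ __u16 ports[XT_MULTI_PORTS]; /* Ports */
+ __u8 pflags[XT_MULTI_PORTS]; /* Port flags */
+ __u8 invert; /* Invert flag */
+};
+
+#endif /*_XT_MULTIPORT_H*/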
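Review bot: The comment `/* Must fit inside union xt_matchinfo: 16 bytes */` above `struct xt_multiport` at line 14 no longer describes the structure: with `XT_MULTI_PORTS` = 15 the members are 1 + 1 + 2*15 = 32 bytes, and `struct xt_multiport_v1` below it is larger still. A stale size claim in an exported header actively misleads anyone checking ABI compatibility, and nothing named `xt_matchinfo` appears in this header. Either drop the comment or replace it with the constraint that does hold from what is visible, e.g. `/* Layout is ABI: XT_MULTI_PORTS fixes the size of both revisions */`.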
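diff --git a/include/uapi/linux/netfilter/xt_nfacct.h b/include/uapi/linux/netfilter/xt_nfacct.h
new file mode 100644
index 00000000000..3e19c8a8657
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_nfacct.h
@@ -0,0 +1,13 @@
+#ifndef _XT_NFACCT_MATCH_H
+#define _XT_NFACCT_MATCH_H
+
+#include <linux/netfilter/nfnetlink_acct.h>
+
+struct nf_acct;
+
+struct xt_nfacct_match_info {
+ char name[NFACCT_NAME_MAX];
+ struct nf_acct *nfacct;
+};
+
+#endif /* _XT_NFACCT_MATCH_H */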
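diff --git a/include/uapi/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h
new file mode 100644
index 00000000000..18afa495f97
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_osf.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 2003+ Evgeniy Polyakov <johnpol@2ka.mxt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _XT_OSF_H
+#define _XT_OSF_H
+
+#include <linux/types.h>
+
+#define MAXGENRELEN 32
+
+#define XT_OSF_GENRE (1<<0)
+#define XT_OSF_TTL (1<<1)
+#define XT_OSF_LOG (1<<2)
+#define XT_OSF_INVERT (1<<3)
+
+#define XT_OSF_LOGLEVEL_ALL 0 /* log all matched fingerprints */
+#define XT_OSF_LOGLEVEL_FIRST 1 /* log only the first matced fingerprint */
+#define XT_OSF_LOGLEVEL_ALL_KNOWN 2 /* do not log unknown packets */
+
+#define XT_OSF_TTL_TRUE 0 /* True ip and fingerprint TTL comparison */
+#define XT_OSF_TTL_LESS 1 /* Check if ip TTL is less than fingerprint one */
+#define XT_OSF_TTL_NOCHECK 2 /* Do not compare ip and fingerprint TTL at all */
+
+struct xt_osf_info {
+ char genre[MAXGENRELEN];
+ __u32 len;
+ __u32 flags;
+ __u32 loglevel;
+ __u32 ttl;
+};
+
+/*
+ * Wildcard MSS (kind of).
+ * It is used to implement a state machine for the different wildcard values
+ * of the MSS and window sizes.
+ */
+struct xt_osf_wc {
+ __u32 wc;
+ __u32 val;
+};
+
+/*
+ * This struct represents IANA options
+ * http://www.iana.org/assignments/tcp-parameters
+ */
+struct xt_osf_opt {
+ __u16 kind, length;
+ struct xt_osf_wc wc;
+};
+
+struct xt_osf_user_finger {
+ struct xt_osf_wc wss;
+
+ __u8 ttl, df;
+ __u16 ss, mss;
+ __u16 opt_num;
+
+ char genre[MAXGENRELEN];
+ char version[MAXGENRELEN];
+ char subtype[MAXGENRELEN];
+
+ /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
+ struct xt_osf_opt opt[MAX_IPOPTLEN];
+};
+
+struct xt_osf_nlmsg {
+ struct xt_osf_user_finger f;
+ struct iphdr ip;
+ struct tcphdr tcp;
+};
+
+/* Defines for IANA option kinds */
+
+enum iana_options {
+ OSFOPT_EOL = 0, /* End of options */
+ OSFOPT_NOP, /* NOP */
+ OSFOPT_MSS, /* Maximum segment size */
+ OSFOPT_WSO, /* Window scale option */
+ OSFOPT_SACKP, /* SACK permitted */
+ OSFOPT_SACK, /* SACK */
+ OSFOPT_ECHO,
+ OSFOPT_ECHOREPLY,
+ OSFOPT_TS, /* Timestamp option */
+ OSFOPT_POCP, /* Partial Order Connection Permitted */
+ OSFOPT_POSP, /* Partial Order Service Profile */
+
+ /* Others are not used in the current OSF */
+ OSFOPT_EMPTY = 255,
+};
+
+/*
+ * Initial window size option state machine: multiple of mss, mtu or
+ * plain numeric value. Can also be made as plain numeric value which
+ * is not a multiple of specified value.
+ */
+enum xt_osf_window_size_options {
+ OSF_WSS_PLAIN = 0,
+ OSF_WSS_MSS,
+ OSF_WSS_MTU,
+ OSF_WSS_MODULO,
+ OSF_WSS_MAX,
+};
+
+/*
+ * Add/remove fingerprint from the kernel.
+ */
+enum xt_osf_msg_types {
+ OSF_MSG_ADD,
+ OSF_MSG_REMOVE,
+ OSF_MSG_MAX,
+};
+
+enum xt_osf_attr_type {
+ OSF_ATTR_UNSPEC,
+ OSF_ATTR_FINGER,
+ OSF_ATTR_MAX,
+};
+
+#endif /* _XT_OSF_H */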
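Review bot: `struct xt_osf_user_finger` and `struct xt_osf_nlmsg` (lines 67-86) use `MAX_IPOPTLEN`, `struct iphdr` and `struct tcphdr`, none of which come from the single `<linux/types.h>` include, so the header is not self-contained for the userspace consumers it is now exported to; `<linux/ip.h>` and `<linux/tcp.h>` are the UAPI homes of those names. The `opt_num` count in `xt_osf_user_finger` is what bounds use of the fixed-size `opt[MAX_IPOPTLEN]` array when a fingerprint arrives over nfnetlink, and the header gives no hint of the contract; I would expect the receiving handler to reject `opt_num > MAX_IPOPTLEN` (not verifiable from here), and a comment on the member stating that requirement would document the ABI rather than leave it to the implementation. There is also a typo in the comment at line 33: `/* log only the first matched fingerprint */`.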
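diff --git a/include/uapi/linux/netfilter/xt_owner.h b/include/uapi/linux/netfilter/xt_owner.h
new file mode 100644
index 00000000000..2081761714b
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_owner.h
@@ -0,0 +1,18 @@
+#ifndef _XT_OWNER_MATCH_H
+#define _XT_OWNER_MATCH_H
+
+#include <linux/types.h>
+
+enum {
+ XT_OWNER_UID = 1 << 0,
+ XT_OWNER_GID = 1 << 1,
+ XT_OWNER_SOCKET = 1 << 2,
+};
+
+struct xt_owner_match_info {
+ __u32 uid_min, uid_max;
+ __u32 gid_min, gid_max;
+ __u8 match, invert;
+};
+
+#endif /* _XT_OWNER_MATCH_H */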
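diff --git a/include/uapi/linux/netfilter/xt_physdev.h b/include/uapi/linux/netfilter/xt_physdev.h
new file mode 100644
index 00000000000..db7a2982e9c
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_physdev.h
@@ -0,0 +1,23 @@
+#ifndef _UAPI_XT_PHYSDEV_H
+#define _UAPI_XT_PHYSDEV_H
+
+#include <linux/types.h>
+
+
+#define XT_PHYSDEV_OP_IN 0x01
+#define XT_PHYSDEV_OP_OUT 0x02
+#define XT_PHYSDEV_OP_BRIDGED 0x04
+#define XT_PHYSDEV_OP_ISIN 0x08
+#define XT_PHYSDEV_OP_ISOUT 0x10
+#define XT_PHYSDEV_OP_MASK (0x20 - 1)
+
+struct xt_physdev_info {
+ char physindev[IFNAMSIZ];
+ char in_mask[IFNAMSIZ];
+ char physoutdev[IFNAMSIZ];
+ char out_mask[IFNAMSIZ];
+ __u8 invert;
+ __u8 bitmask;
+};
+
+#endif /* _UAPI_XT_PHYSDEV_H */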
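diff --git a/include/uapi/linux/netfilter/xt_pkttype.h b/include/uapi/linux/netfilter/xt_pkttype.h
new file mode 100644
index 00000000000..f265cf52fae
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_pkttype.h
@@ -0,0 +1,8 @@
+#ifndef _XT_PKTTYPE_H
+#define _XT_PKTTYPE_H
+
+struct xt_pkttype_info {
+ int pkttype;
+ int invert;
+};
+#endif /*_XT_PKTTYPE_H*/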
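diff --git a/include/uapi/linux/netfilter/xt_policy.h b/include/uapi/linux/netfilter/xt_policy.h
new file mode 100644
index 00000000000..be8ead05c31
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_policy.h
@@ -0,0 +1,69 @@
+#ifndef _XT_POLICY_H
+#define _XT_POLICY_H
+
+#include <linux/types.h>
+
+#define XT_POLICY_MAX_ELEM 4
+
+enum xt_policy_flags {
+ XT_POLICY_MATCH_IN = 0x1,
+ XT_POLICY_MATCH_OUT = 0x2,
+ XT_POLICY_MATCH_NONE = 0x4,
+ XT_POLICY_MATCH_STRICT = 0x8,
+};
+
+enum xt_policy_modes {
+ XT_POLICY_MODE_TRANSPORT,
+ XT_POLICY_MODE_TUNNEL
+};
+
+struct xt_policy_spec {
+ __u8 saddr:1,
+ daddr:1,
+ proto:1,
+ mode:1,
+ spi:1,
+ reqid:1;
+};
+
+#ifndef __KERNEL__
+union xt_policy_addr {
+ struct in_addr a4;
+ struct in6_addr a6;
+};
+#endif
+
+struct xt_policy_elem {
+ union {
+#ifdef __KERNEL__
+ struct {
+ union nf_inet_addr saddr;
+ union nf_inet_addr smask;
+ union nf_inet_addr daddr;
+ union nf_inet_addr dmask;
+ };
+#else
+ struct {
+ union xt_policy_addr saddr;
+ union xt_policy_addr smask;
+ union xt_policy_addr daddr;
+ union xt_policy_addr dmask;
+ };
+#endif
+ };
+ __be32 spi;
+ __u32 reqid;
+ __u8 proto;
+ __u8 mode;
+
+ struct xt_policy_spec match;
+ struct xt_policy_spec invert;
+};
+
+struct xt_policy_info {
+ struct xt_policy_elem pol[XT_POLICY_MAX_ELEM];
+ __u16 flags;
+ __u16 len;
+};
+
+#endif /* _XT_POLICY_H */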
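Review bot: `struct xt_policy_elem` at lines 36-61 gives the kernel and userspace two different spellings of the same addresses (`union nf_inet_addr` versus the local `union xt_policy_addr`), and the whole match relies on the two unions having identical size and alignment so that `spi`, `reqid` and the `xt_policy_spec` bitfields land at the same offsets on both sides; nothing in the header records that invariant. A comment on `union xt_policy_addr`, e.g. `/* must stay layout-identical to union nf_inet_addr (16 bytes) */`, would make the constraint visible to whoever next touches either union. The userspace branch also uses `struct in_addr` and `struct in6_addr` without any include providing them, and `struct xt_policy_spec` exchanges single-bit bitfields across the ABI, whose packing order is compiler-defined; both are inherited here rather than introduced, but a short note that the kernel and libc must agree on bitfield layout for this struct to work would be honest documentation.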
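diff --git a/include/uapi/linux/netfilter/xt_quota.h b/include/uapi/linux/netfilter/xt_quota.h
new file mode 100644
index 00000000000..9314723f39c
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_quota.h
@@ -0,0 +1,22 @@
+#ifndef _XT_QUOTA_H
+#define _XT_QUOTA_H
+
+#include <linux/types.h>
+
+enum xt_quota_flags {
+ XT_QUOTA_INVERT = 0x1,
+};
+#define XT_QUOTA_MASK 0x1
+
+struct xt_quota_priv;
+
+struct xt_quota_info {
+ __u32 flags;
+ __u32 pad;
+ __aligned_u64 quota;
+
+ /* Used internally by the kernel */
+ struct xt_quota_priv *master;
+};
+
+#endif /* _XT_QUOTA_H */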
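diff --git a/include/uapi/linux/netfilter/xt_rateest.h b/include/uapi/linux/netfilter/xt_rateest.h
new file mode 100644
index 00000000000..d40a6196842
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_rateest.h
@@ -0,0 +1,37 @@
+#ifndef _XT_RATEEST_MATCH_H
+#define _XT_RATEEST_MATCH_H
+
+#include <linux/types.h>
+
+enum xt_rateest_match_flags {
+ XT_RATEEST_MATCH_INVERT = 1<<0,
+ XT_RATEEST_MATCH_ABS = 1<<1,
+ XT_RATEEST_MATCH_REL = 1<<2,
+ XT_RATEEST_MATCH_DELTA = 1<<3,
+ XT_RATEEST_MATCH_BPS = 1<<4,
+ XT_RATEEST_MATCH_PPS = 1<<5,
+};
+
+enum xt_rateest_match_mode {
+ XT_RATEEST_MATCH_NONE,
+ XT_RATEEST_MATCH_EQ,
+ XT_RATEEST_MATCH_LT,
+ XT_RATEEST_MATCH_GT,
+};
+
+struct xt_rateest_match_info {
+ char name1[IFNAMSIZ];
+ char name2[IFNAMSIZ];
+ __u16 flags;
+ __u16 mode;
+ __u32 bps1;
+ __u32 pps1;
+ __u32 bps2;
+ __u32 pps2;
+
+ /* Used internally by the kernel */
+ struct xt_rateest *est1 __attribute__((aligned(8)));
+ struct xt_rateest *est2 __attribute__((aligned(8)));
+};
+
+#endif /* _XT_RATEEST_MATCH_H */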
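diff --git a/include/uapi/linux/netfilter/xt_realm.h b/include/uapi/linux/netfilter/xt_realm.h
new file mode 100644
index 00000000000..d4a82ee56a0
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_realm.h
@@ -0,0 +1,12 @@
+#ifndef _XT_REALM_H
+#define _XT_REALM_H
+
+#include <linux/types.h>
+
+struct xt_realm_info {
+ __u32 id;
+ __u32 mask;
+ __u8 invert;
+};
+
+#endif /* _XT_REALM_H */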
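diff --git a/include/uapi/linux/netfilter/xt_recent.h b/include/uapi/linux/netfilter/xt_recent.h
new file mode 100644
index 00000000000..6ef36c113e8
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_recent.h
@@ -0,0 +1,45 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+#include <linux/types.h>
+
+enum {
+ XT_RECENT_CHECK = 1 << 0,
+ XT_RECENT_SET = 1 << 1,
+ XT_RECENT_UPDATE = 1 << 2,
+ XT_RECENT_REMOVE = 1 << 3,
+ XT_RECENT_TTL = 1 << 4,
+ XT_RECENT_REAP = 1 << 5,
+
+ XT_RECENT_SOURCE = 0,
+ XT_RECENT_DEST = 1,
+
+ XT_RECENT_NAME_LEN = 200,
+};
+
+/* Only allowed with --rcheck and --update */
+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
+
+#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
+ XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+
+struct xt_recent_mtinfo {
+ __u32 seconds;
+ __u32 hit_count;
+ __u8 check_set;
+ __u8 invert;
+ char name[XT_RECENT_NAME_LEN];
+ __u8 side;
+};
+
+struct xt_recent_mtinfo_v1 {
+ __u32 seconds;
+ __u32 hit_count;
+ __u8 check_set;
+ __u8 invert;
+ char name[XT_RECENT_NAME_LEN];
+ __u8 side;
+ union nf_inet_addr mask;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */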
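diff --git a/include/uapi/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h
new file mode 100644
index 00000000000..29287be696a
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_sctp.h
@@ -0,0 +1,92 @@
+#ifndef _XT_SCTP_H_
+#define _XT_SCTP_H_
+
+#include <linux/types.h>
+
+#define XT_SCTP_SRC_PORTS 0x01
+#define XT_SCTP_DEST_PORTS 0x02
+#define XT_SCTP_CHUNK_TYPES 0x04
+
+#define XT_SCTP_VALID_FLAGS 0x07
+
+struct xt_sctp_flag_info {
+ __u8 chunktype;
+ __u8 flag;
+ __u8 flag_mask;
+};
+
+#define XT_NUM_SCTP_FLAGS 4
+
+struct xt_sctp_info {
+ __u16 dpts[2]; /* Min, Max */
+ __u16 spts[2]; /* Min, Max */
+
+ __u32 chunkmap[256 / sizeof (__u32)]; /* Bit mask of chunks to be matched according to RFC 2960 */
+
+#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */
+
+ __u32 chunk_match_type;
+ struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS];
+ int flag_count;
+
+ __u32 flags;
+ __u32 invflags;
+};
+
+#define bytes(type) (sizeof(type) * 8)
+
+#define SCTP_CHUNKMAP_SET(chunkmap, type) \
+ do { \
+ (chunkmap)[type / bytes(__u32)] |= \
+ 1 << (type % bytes(__u32)); \
+ } while (0)
+
+#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
+ do { \
+ (chunkmap)[type / bytes(__u32)] &= \
+ ~(1 << (type % bytes(__u32))); \
+ } while (0)
+
+#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
+({ \
+ ((chunkmap)[type / bytes (__u32)] & \
+ (1 << (type % bytes (__u32)))) ? 1: 0; \
+})
+
+#define SCTP_CHUNKMAP_RESET(chunkmap) \
+ memset((chunkmap), 0, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
+ memset((chunkmap), ~0U, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
+ memcpy((destmap), (srcmap), sizeof(srcmap))
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
+ __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i])
+ return false;
+ return true;
+}
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
+ __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i] != ~0U)
+ return false;
+ return true;
+}
+
+#endif /* _XT_SCTP_H_ */
+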
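Review bot: `SCTP_CHUNKMAP_SET`, `SCTP_CHUNKMAP_CLEAR` and `SCTP_CHUNKMAP_IS_SET` at lines 40-56 use their `type` argument unparenthesized (`type / bytes(__u32)`, `type % bytes(__u32)`), so an expression argument such as `base + i` is split by operator precedence and silently addresses the wrong word and bit; each occurrence should read `(type)`, e.g. `(chunkmap)[(type) / bytes(__u32)] |= 1 << ((type) % bytes(__u32));`. The helper at line 38, `#define bytes(type) (sizeof(type) * 8)`, is an unprefixed generic name now exported to every userspace program that includes this header, and it yields a bit count rather than the byte count its name implies; `XT_SCTP_BITS(type)` or at least a comment on the misnomer would avoid both the collision and the confusion. `SCTP_CHUNKMAP_RESET`, `SCTP_CHUNKMAP_SET_ALL` and `SCTP_CHUNKMAP_COPY` depend on `sizeof(chunkmap)` and `SCTP_CHUNKMAP_IS_CLEAR`/`SCTP_CHUNKMAP_IS_ALL_SET` on `ARRAY_SIZE`, which only behave when the argument is the real `chunkmap[]` array and not a pointer to it, and `ARRAY_SIZE`, `bool`, `memset` and `memcpy` are not provided by the lone `<linux/types.h>` include; a comment above the macro block stating that the argument must be the array itself, and that callers must supply `<string.h>`/`<stdbool.h>` and an `ARRAY_SIZE` definition in userspace, would document what the header currently assumes.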
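diff --git a/include/uapi/linux/netfilter/xt_set.h b/include/uapi/linux/netfilter/xt_set.h
new file mode 100644
index 00000000000..e3a9978f259
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_set.h
@@ -0,0 +1,65 @@
+#ifndef _XT_SET_H
+#define _XT_SET_H
+
+#include <linux/types.h>
+#include <linux/netfilter/ipset/ip_set.h>
+
+/* Revision 0 interface: backward compatible with netfilter/iptables */
+
+/*
+ * Option flags for kernel operations (xt_set_info_v0)
+ */
+#define IPSET_SRC 0x01 /* Source match/add */
+#define IPSET_DST 0x02 /* Destination match/add */
+#define IPSET_MATCH_INV 0x04 /* Inverse matching */
+
+struct xt_set_info_v0 {
+ ip_set_id_t index;
+ union {
+ __u32 flags[IPSET_DIM_MAX + 1];
+ struct {
+ __u32 __flags[IPSET_DIM_MAX];
+ __u8 dim;
+ __u8 flags;
+ } compat;
+ } u;
+};
+
+/* match and target infos */
+struct xt_set_info_match_v0 {
+ struct xt_set_info_v0 match_set;
+};
+
+struct xt_set_info_target_v0 {
+ struct xt_set_info_v0 add_set;
+ struct xt_set_info_v0 del_set;
+};
+
+/* Revision 1 match and target */
+
+struct xt_set_info {
+ ip_set_id_t index;
+ __u8 dim;
+ __u8 flags;
+};
+
+/* match and target infos */
+struct xt_set_info_match_v1 {
+ struct xt_set_info match_set;
+};
+
+struct xt_set_info_target_v1 {
+ struct xt_set_info add_set;
+ struct xt_set_info del_set;
+};
+
+/* Revision 2 target */
+
+struct xt_set_info_target_v2 {
+ struct xt_set_info add_set;
+ struct xt_set_info del_set;
+ __u32 flags;
+ __u32 timeout;
+};
+
+#endif /*_XT_SET_H*/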
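diff --git a/include/uapi/linux/netfilter/xt_socket.h b/include/uapi/linux/netfilter/xt_socket.h
new file mode 100644
index 00000000000..26d7217bd4f
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_socket.h
@@ -0,0 +1,14 @@
+#ifndef _XT_SOCKET_H
+#define _XT_SOCKET_H
+
+#include <linux/types.h>
+
+enum {
+ XT_SOCKET_TRANSPARENT = 1 << 0,
+};
+
+struct xt_socket_mtinfo1 {
+ __u8 flags;
+};
+
+#endif /* _XT_SOCKET_H */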
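diff --git a/include/uapi/linux/netfilter/xt_state.h b/include/uapi/linux/netfilter/xt_state.h
new file mode 100644
index 00000000000..7b32de88661
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_state.h
@@ -0,0 +1,12 @@
+#ifndef _XT_STATE_H
+#define _XT_STATE_H
+
+#define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
+#define XT_STATE_INVALID (1 << 0)
+
+#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
+
+struct xt_state_info {
+ unsigned int statemask;
+};
+#endif /*_XT_STATE_H*/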
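diff --git a/include/uapi/linux/netfilter/xt_statistic.h b/include/uapi/linux/netfilter/xt_statistic.h
new file mode 100644
index 00000000000..4e983ef0c96
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_statistic.h
@@ -0,0 +1,36 @@
+#ifndef _XT_STATISTIC_H
+#define _XT_STATISTIC_H
+
+#include <linux/types.h>
+
+enum xt_statistic_mode {
+ XT_STATISTIC_MODE_RANDOM,
+ XT_STATISTIC_MODE_NTH,
+ __XT_STATISTIC_MODE_MAX
+};
+#define XT_STATISTIC_MODE_MAX (__XT_STATISTIC_MODE_MAX - 1)
+
+enum xt_statistic_flags {
+ XT_STATISTIC_INVERT = 0x1,
+};
+#define XT_STATISTIC_MASK 0x1
+
+struct xt_statistic_priv;
+
+struct xt_statistic_info {
+ __u16 mode;
+ __u16 flags;
+ union {
+ struct {
+ __u32 probability;
+ } random;
+ struct {
+ __u32 every;
+ __u32 packet;
+ __u32 count; /* unused */
+ } nth;
+ } u;
+ struct xt_statistic_priv *master __attribute__((aligned(8)));
+};
+
+#endif /* _XT_STATISTIC_H */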
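diff --git a/include/uapi/linux/netfilter/xt_string.h b/include/uapi/linux/netfilter/xt_string.h
new file mode 100644
index 00000000000..235347c02ea
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_string.h
@@ -0,0 +1,34 @@
+#ifndef _XT_STRING_H
+#define _XT_STRING_H
+
+#include <linux/types.h>
+
+#define XT_STRING_MAX_PATTERN_SIZE 128
+#define XT_STRING_MAX_ALGO_NAME_SIZE 16
+
+enum {
+ XT_STRING_FLAG_INVERT = 0x01,
+ XT_STRING_FLAG_IGNORECASE = 0x02
+};
+
+struct xt_string_info {
+ __u16 from_offset;
+ __u16 to_offset;
+ char algo[XT_STRING_MAX_ALGO_NAME_SIZE];
+ char pattern[XT_STRING_MAX_PATTERN_SIZE];
+ __u8 patlen;
+ union {
+ struct {
+ __u8 invert;
+ } v0;
+
+ struct {
+ __u8 flags;
+ } v1;
+ } u;
+
+ /* Used internally by the kernel */
+ struct ts_config __attribute__((aligned(8))) *config;
+};
+
+#endif /*_XT_STRING_H*/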
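Review bot: The `config` member at line 31 writes `__attribute__((aligned(8)))` between the struct tag and the `*`, whereas the sibling headers in this series (`master` in xt_statistic.h, `est1`/`est2` in xt_rateest.h, `hinfo` in xt_hashlimit.h) place it after the member name. Whether the attribute in this position is applied to the pointer member or to the incomplete `struct ts_config` type is something to confirm with the compiler rather than assume; the purpose of the attribute is that the pointer occupies eight aligned bytes on 32-bit userspace so that the layout matches a 64-bit kernel, and if it does not attach to the member that is a silent layout mismatch. If it behaves the same, spelling it like the other headers, `struct ts_config *config __attribute__((aligned(8)));`, removes the question; if it does not, the difference deserves a comment. Separately, `patlen` is a `__u8` while `pattern` is `XT_STRING_MAX_PATTERN_SIZE` (128) bytes, so the count cannot index past the array, but nothing says which side validates `patlen <= XT_STRING_MAX_PATTERN_SIZE` — a one-line comment on `patlen` stating the bound would document the contract.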
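diff --git a/include/uapi/linux/netfilter/xt_tcpmss.h b/include/uapi/linux/netfilter/xt_tcpmss.h
new file mode 100644
index 00000000000..fbac56b9e66
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_tcpmss.h
@@ -0,0 +1,11 @@
+#ifndef _XT_TCPMSS_MATCH_H
+#define _XT_TCPMSS_MATCH_H
+
+#include <linux/types.h>
+
+struct xt_tcpmss_match_info {
+ __u16 mss_min, mss_max;
+ __u8 invert;
+};
+
+#endif /*_XT_TCPMSS_MATCH_H*/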
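diff --git a/include/uapi/linux/netfilter/xt_tcpudp.h b/include/uapi/linux/netfilter/xt_tcpudp.h
new file mode 100644
index 00000000000..38aa7b39902
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_tcpudp.h
@@ -0,0 +1,36 @@
+#ifndef _XT_TCPUDP_H
+#define _XT_TCPUDP_H
+
+#include <linux/types.h>
+
+/* TCP matching stuff */
+struct xt_tcp {
+ __u16 spts[2]; /* Source port range. */
+ __u16 dpts[2]; /* Destination port range. */
+ __u8 option; /* TCP Option iff non-zero*/
+ __u8 flg_mask; /* TCP flags mask byte */
+ __u8 flg_cmp; /* TCP flags compare byte */
+ __u8 invflags; /* Inverse flags */
+};
+
+/* Values for "inv" field in struct ipt_tcp. */
+#define XT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
+#define XT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
+#define XT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
+#define XT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
+#define XT_TCP_INV_MASK 0x0F /* All possible flags. */
+
+/* UDP matching stuff */
+struct xt_udp {
+ __u16 spts[2]; /* Source port range. */
+ __u16 dpts[2]; /* Destination port range. */
+ __u8 invflags; /* Inverse flags */
+};
+
+/* Values for "invflags" field in struct ipt_udp. */
+#define XT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
+#define XT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
+#define XT_UDP_INV_MASK 0x03 /* All possible flags. */
+
+
+#endif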
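Review bot: The comments at lines 16 and 30 still refer to `struct ipt_tcp` / `struct ipt_udp` and to an `"inv"` field, while the structures defined in this header are `struct xt_tcp` and `struct xt_udp` and the member is `invflags` in both. Anyone grepping the exported headers for `ipt_tcp` will find nothing, and the mismatch suggests the constants belong to some other structure. Suggest `/* Values for "invflags" field in struct xt_tcp. */` and `/* Values for "invflags" field in struct xt_udp. */` respectively; the trailing `#endif` at line 36 could also carry the `/* _XT_TCPUDP_H */` tag every other header in this series uses.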
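diff --git a/include/uapi/linux/netfilter/xt_time.h b/include/uapi/linux/netfilter/xt_time.h
new file mode 100644
index 00000000000..09588601939
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_time.h
@@ -0,0 +1,32 @@
+#ifndef _XT_TIME_H
+#define _XT_TIME_H 1
+
+#include <linux/types.h>
+
+struct xt_time_info {
+ __u32 date_start;
+ __u32 date_stop;
+ __u32 daytime_start;
+ __u32 daytime_stop;
+ __u32 monthdays_match;
+ __u8 weekdays_match;
+ __u8 flags;
+};
+
+enum {
+ /* Match against local time (instead of UTC) */
+ XT_TIME_LOCAL_TZ = 1 << 0,
+
+ /* treat timestart > timestop (e.g. 23:00-01:00) as single period */
+ XT_TIME_CONTIGUOUS = 1 << 1,
+
+ /* Shortcuts */
+ XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,
+ XT_TIME_ALL_WEEKDAYS = 0xFE,
+ XT_TIME_MIN_DAYTIME = 0,
+ XT_TIME_MAX_DAYTIME = 24 * 60 * 60 - 1,
+};
+
+#define XT_TIME_ALL_FLAGS (XT_TIME_LOCAL_TZ|XT_TIME_CONTIGUOUS)
+
+#endif /* _XT_TIME_H */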
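diff --git a/include/uapi/linux/netfilter/xt_u32.h b/include/uapi/linux/netfilter/xt_u32.h
new file mode 100644
index 00000000000..04d1bfea03c
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_u32.h
@@ -0,0 +1,42 @@
+#ifndef _XT_U32_H
+#define _XT_U32_H 1
+
+#include <linux/types.h>
+
+enum xt_u32_ops {
+ XT_U32_AND,
+ XT_U32_LEFTSH,
+ XT_U32_RIGHTSH,
+ XT_U32_AT,
+};
+
+struct xt_u32_location_element {
+ __u32 number;
+ __u8 nextop;
+};
+
+struct xt_u32_value_element {
+ __u32 min;
+ __u32 max;
+};
+
+/*
+ * Any way to allow for an arbitrary number of elements?
+ * For now, I settle with a limit of 10 each.
+ */
+#define XT_U32_MAXSIZE 10
+
+struct xt_u32_test {
+ struct xt_u32_location_element location[XT_U32_MAXSIZE+1];
+ struct xt_u32_value_element value[XT_U32_MAXSIZE+1];
+ __u8 nnums;
+ __u8 nvalues;
+};
+
+struct xt_u32 {
+ struct xt_u32_test tests[XT_U32_MAXSIZE+1];
+ __u8 ntests;
+ __u8 invert;
+};
+
+#endif /* _XT_U32_H */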