14 files changed, 395 insertions, 0 deletions

diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild
new file mode 100644
index 00000000000..f9930c87fff
--- /dev/null
+++ b/include/linux/netfilter_ipv4/Kbuild
@@ -0,0 +1,14 @@
+header-y += ip_queue.h
+header-y += ip_tables.h
+header-y += ipt_CLUSTERIP.h
+header-y += ipt_ECN.h
+header-y += ipt_LOG.h
+header-y += ipt_REJECT.h
+header-y += ipt_SAME.h
+header-y += ipt_TTL.h
+header-y += ipt_ULOG.h
+header-y += ipt_addrtype.h
+header-y += ipt_ah.h
+header-y += ipt_ecn.h
+header-y += ipt_realm.h
+header-y += ipt_ttl.h
diff --git a/include/linux/netfilter_ipv4/ip_queue.h b/include/linux/netfilter_ipv4/ip_queue.h
new file mode 100644
index 00000000000..a03507f465f
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ip_queue.h
@@ -0,0 +1,72 @@
+/*
+ * This is a module which is used for queueing IPv4 packets and
+ * communicating with userspace via netlink.
+ *
+ * (C) 2000 James Morris, this code is GPL.
+ */
+#ifndef _IP_QUEUE_H
+#define _IP_QUEUE_H
+
+#ifdef __KERNEL__
+#ifdef DEBUG_IPQ
+#define QDEBUG(x...) printk(KERN_DEBUG ## x)
+#else
+#define QDEBUG(x...)
+#endif  /* DEBUG_IPQ */
+#else
+#include <net/if.h>
+#endif  /* ! __KERNEL__ */
+
+/* Messages sent from kernel */
+typedef struct ipq_packet_msg {
+        unsigned long packet_id;        /* ID of queued packet */
+        unsigned long mark;             /* Netfilter mark value */
+        long timestamp_sec;             /* Packet arrival time (seconds) */
+        long timestamp_usec;            /* Packet arrvial time (+useconds) */
+        unsigned int hook;              /* Netfilter hook we rode in on */
+        char indev_name[IFNAMSIZ];      /* Name of incoming interface */
+        char outdev_name[IFNAMSIZ];     /* Name of outgoing interface */
+        __be16 hw_protocol;             /* Hardware protocol (network order) */
+        unsigned short hw_type;         /* Hardware type */
+        unsigned char hw_addrlen;       /* Hardware address length */
+        unsigned char hw_addr[8];       /* Hardware address */
+        size_t data_len;                /* Length of packet data */
+        unsigned char payload[0];       /* Optional packet data */
+} ipq_packet_msg_t;
+
+/* Messages sent from userspace */
+typedef struct ipq_mode_msg {
+        unsigned char value;            /* Requested mode */
+        size_t range;                   /* Optional range of packet requested */
+} ipq_mode_msg_t;
+
+typedef struct ipq_verdict_msg {
+        unsigned int value;             /* Verdict to hand to netfilter */
+        unsigned long id;               /* Packet ID for this verdict */
+        size_t data_len;                /* Length of replacement data */
+        unsigned char payload[0];       /* Optional replacement packet */
+} ipq_verdict_msg_t;
+
+typedef struct ipq_peer_msg {
+        union {
+                ipq_verdict_msg_t verdict;
+                ipq_mode_msg_t mode;
+        } msg;
+} ipq_peer_msg_t;
+
+/* Packet delivery modes */
+enum {
+        IPQ_COPY_NONE,          /* Initial mode, packets are dropped */
+        IPQ_COPY_META,          /* Copy metadata */
+        IPQ_COPY_PACKET         /* Copy metadata + packet (range) */
+};
+#define IPQ_COPY_MAX IPQ_COPY_PACKET
+
+/* Types of messages */
+#define IPQM_BASE       0x10    /* standard netlink messages below this */
+#define IPQM_MODE       (IPQM_BASE + 1)         /* Mode request from peer */
+#define IPQM_VERDICT    (IPQM_BASE + 2)         /* Verdict from peer */ 
+#define IPQM_PACKET     (IPQM_BASE + 3)         /* Packet from kernel */
+#define IPQM_MAX        (IPQM_BASE + 4)
+
+#endif /*_IP_QUEUE_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
new file mode 100644
index 00000000000..c6a204c9704
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
@@ -0,0 +1,36 @@
+#ifndef _IPT_CLUSTERIP_H_target
+#define _IPT_CLUSTERIP_H_target
+
+#include <linux/types.h>
+
+enum clusterip_hashmode {
+    CLUSTERIP_HASHMODE_SIP = 0,
+    CLUSTERIP_HASHMODE_SIP_SPT,
+    CLUSTERIP_HASHMODE_SIP_SPT_DPT,
+};
+
+#define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT
+
+#define CLUSTERIP_MAX_NODES 16
+
+#define CLUSTERIP_FLAG_NEW 0x00000001
+
+struct clusterip_config;
+
+struct ipt_clusterip_tgt_info {
+
+        __u32 flags;
+
+        /* only relevant for new ones */
+        __u8 clustermac[6];
+        __u16 num_total_nodes;
+        __u16 num_local_nodes;
+        __u16 local_nodes[CLUSTERIP_MAX_NODES];
+        __u32 hash_mode;
+        __u32 hash_initval;
+
+        /* Used internally by the kernel */
+        struct clusterip_config *config;
+};
+
+#endif /*_IPT_CLUSTERIP_H_target*/
diff --git a/include/linux/netfilter_ipv4/ipt_ECN.h b/include/linux/netfilter_ipv4/ipt_ECN.h
new file mode 100644
index 00000000000..bb88d5315a4
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_ECN.h
@@ -0,0 +1,33 @@
+/* Header file for iptables ipt_ECN target
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ * 
+ * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp
+*/
+#ifndef _IPT_ECN_TARGET_H
+#define _IPT_ECN_TARGET_H
+
+#include <linux/types.h>
+#include <linux/netfilter/xt_DSCP.h>
+
+#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
+
+#define IPT_ECN_OP_SET_IP       0x01    /* set ECN bits of IPv4 header */
+#define IPT_ECN_OP_SET_ECE      0x10    /* set ECE bit of TCP header */
+#define IPT_ECN_OP_SET_CWR      0x20    /* set CWR bit of TCP header */
+
+#define IPT_ECN_OP_MASK         0xce
+
+struct ipt_ECN_info {
+        __u8 operation; /* bitset of operations */
+        __u8 ip_ect;    /* ECT codepoint of IPv4 header, pre-shifted */
+        union {
+                struct {
+                        __u8 ece:1, cwr:1; /* TCP ECT bits */
+                } tcp;
+        } proto;
+};
+
+#endif /* _IPT_ECN_TARGET_H */
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
new file mode 100644
index 00000000000..dcdbadf9fd4
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -0,0 +1,19 @@
+#ifndef _IPT_LOG_H
+#define _IPT_LOG_H
+
+/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+#define IPT_LOG_TCPSEQ          0x01    /* Log TCP sequence numbers */
+#define IPT_LOG_TCPOPT          0x02    /* Log TCP options */
+#define IPT_LOG_IPOPT           0x04    /* Log IP options */
+#define IPT_LOG_UID             0x08    /* Log UID owning local socket */
+#define IPT_LOG_NFLOG           0x10    /* Unsupported, don't reuse */
+#define IPT_LOG_MACDECODE       0x20    /* Decode MAC header */
+#define IPT_LOG_MASK            0x2f
+
+struct ipt_log_info {
+        unsigned char level;
+        unsigned char logflags;
+        char prefix[30];
+};
+
+#endif /*_IPT_LOG_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_REJECT.h b/include/linux/netfilter_ipv4/ipt_REJECT.h
new file mode 100644
index 00000000000..4293a1ad1b0
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_REJECT.h
@@ -0,0 +1,20 @@
+#ifndef _IPT_REJECT_H
+#define _IPT_REJECT_H
+
+enum ipt_reject_with {
+        IPT_ICMP_NET_UNREACHABLE,
+        IPT_ICMP_HOST_UNREACHABLE,
+        IPT_ICMP_PROT_UNREACHABLE,
+        IPT_ICMP_PORT_UNREACHABLE,
+        IPT_ICMP_ECHOREPLY,
+        IPT_ICMP_NET_PROHIBITED,
+        IPT_ICMP_HOST_PROHIBITED,
+        IPT_TCP_RESET,
+        IPT_ICMP_ADMIN_PROHIBITED
+};
+
+struct ipt_reject_info {
+        enum ipt_reject_with with;      /* reject type */
+};
+
+#endif /*_IPT_REJECT_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_SAME.h b/include/linux/netfilter_ipv4/ipt_SAME.h
new file mode 100644
index 00000000000..5bca78267af
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_SAME.h
@@ -0,0 +1,20 @@
+#ifndef _IPT_SAME_H
+#define _IPT_SAME_H
+
+#include <linux/types.h>
+
+#define IPT_SAME_MAX_RANGE      10
+
+#define IPT_SAME_NODST          0x01
+
+struct ipt_same_info {
+        unsigned char info;
+        __u32 rangesize;
+        __u32 ipnum;
+        __u32 *iparray;
+
+        /* hangs off end. */
+        struct nf_nat_range range[IPT_SAME_MAX_RANGE];
+};
+
+#endif /*_IPT_SAME_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_TTL.h b/include/linux/netfilter_ipv4/ipt_TTL.h
new file mode 100644
index 00000000000..f6ac169d92f
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_TTL.h
@@ -0,0 +1,23 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte <laforge@netfilter.org> */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+#include <linux/types.h>
+
+enum {
+        IPT_TTL_SET = 0,
+        IPT_TTL_INC,
+        IPT_TTL_DEC
+};
+
+#define IPT_TTL_MAXMODE IPT_TTL_DEC
+
+struct ipt_TTL_info {
+        __u8    mode;
+        __u8    ttl;
+};
+
+
+#endif
diff --git a/include/linux/netfilter_ipv4/ipt_ULOG.h b/include/linux/netfilter_ipv4/ipt_ULOG.h
new file mode 100644
index 00000000000..417aad280bc
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_ULOG.h
@@ -0,0 +1,49 @@
+/* Header file for IP tables userspace logging, Version 1.8
+ *
+ * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
+ * 
+ * Distributed under the terms of GNU GPL */
+
+#ifndef _IPT_ULOG_H
+#define _IPT_ULOG_H
+
+#ifndef NETLINK_NFLOG
+#define NETLINK_NFLOG   5
+#endif
+
+#define ULOG_DEFAULT_NLGROUP    1
+#define ULOG_DEFAULT_QTHRESHOLD 1
+
+#define ULOG_MAC_LEN    80
+#define ULOG_PREFIX_LEN 32
+
+#define ULOG_MAX_QLEN   50
+/* Why 50? Well... there is a limit imposed by the slab cache 131000
+ * bytes. So the multipart netlink-message has to be < 131000 bytes.
+ * Assuming a standard ethernet-mtu of 1500, we could define this up
+ * to 80... but even 50 seems to be big enough. */
+
+/* private data structure for each rule with a ULOG target */
+struct ipt_ulog_info {
+        unsigned int nl_group;
+        size_t copy_range;
+        size_t qthreshold;
+        char prefix[ULOG_PREFIX_LEN];
+};
+
+/* Format of the ULOG packets passed through netlink */
+typedef struct ulog_packet_msg {
+        unsigned long mark;
+        long timestamp_sec;
+        long timestamp_usec;
+        unsigned int hook;
+        char indev_name[IFNAMSIZ];
+        char outdev_name[IFNAMSIZ];
+        size_t data_len;
+        char prefix[ULOG_PREFIX_LEN];
+        unsigned char mac_len;
+        unsigned char mac[ULOG_MAC_LEN];
+        unsigned char payload[0];
+} ulog_packet_msg_t;
+
+#endif /*_IPT_ULOG_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_addrtype.h b/include/linux/netfilter_ipv4/ipt_addrtype.h
new file mode 100644
index 00000000000..0da42237c8d
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_addrtype.h
@@ -0,0 +1,27 @@
+#ifndef _IPT_ADDRTYPE_H
+#define _IPT_ADDRTYPE_H
+
+#include <linux/types.h>
+
+enum {
+        IPT_ADDRTYPE_INVERT_SOURCE      = 0x0001,
+        IPT_ADDRTYPE_INVERT_DEST        = 0x0002,
+        IPT_ADDRTYPE_LIMIT_IFACE_IN     = 0x0004,
+        IPT_ADDRTYPE_LIMIT_IFACE_OUT    = 0x0008,
+};
+
+struct ipt_addrtype_info_v1 {
+        __u16   source;         /* source-type mask */
+        __u16   dest;           /* dest-type mask */
+        __u32   flags;
+};
+
+/* revision 0 */
+struct ipt_addrtype_info {
+        __u16   source;         /* source-type mask */
+        __u16   dest;           /* dest-type mask */
+        __u32   invert_source;
+        __u32   invert_dest;
+};
+
+#endif
diff --git a/include/linux/netfilter_ipv4/ipt_ah.h b/include/linux/netfilter_ipv4/ipt_ah.h
new file mode 100644
index 00000000000..4e02bb0119e
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_ah.h
@@ -0,0 +1,17 @@
+#ifndef _IPT_AH_H
+#define _IPT_AH_H
+
+#include <linux/types.h>
+
+struct ipt_ah {
+        __u32 spis[2];                  /* Security Parameter Index */
+        __u8  invflags;                 /* Inverse flags */
+};
+
+
+
+/* Values for "invflags" field in struct ipt_ah. */
+#define IPT_AH_INV_SPI          0x01    /* Invert the sense of spi. */
+#define IPT_AH_INV_MASK 0x01    /* All possible flags. */
+
+#endif /*_IPT_AH_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h
new file mode 100644
index 00000000000..eabf95fb7d3
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_ecn.h
@@ -0,0 +1,35 @@
+/* iptables module for matching the ECN header in IPv4 and TCP header
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ * 
+ * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
+*/
+#ifndef _IPT_ECN_H
+#define _IPT_ECN_H
+
+#include <linux/types.h>
+#include <linux/netfilter/xt_dscp.h>
+
+#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
+
+#define IPT_ECN_OP_MATCH_IP     0x01
+#define IPT_ECN_OP_MATCH_ECE    0x10
+#define IPT_ECN_OP_MATCH_CWR    0x20
+
+#define IPT_ECN_OP_MATCH_MASK   0xce
+
+/* match info */
+struct ipt_ecn_info {
+        __u8 operation;
+        __u8 invert;
+        __u8 ip_ect;
+        union {
+                struct {
+                        __u8 ect;
+                } tcp;
+        } proto;
+};
+
+#endif /* _IPT_ECN_H */
diff --git a/include/linux/netfilter_ipv4/ipt_realm.h b/include/linux/netfilter_ipv4/ipt_realm.h
new file mode 100644
index 00000000000..b3996eaa018
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_realm.h
@@ -0,0 +1,7 @@
+#ifndef _IPT_REALM_H
+#define _IPT_REALM_H
+
+#include <linux/netfilter/xt_realm.h>
+#define ipt_realm_info xt_realm_info
+
+#endif /* _IPT_REALM_H */
diff --git a/include/linux/netfilter_ipv4/ipt_ttl.h b/include/linux/netfilter_ipv4/ipt_ttl.h
new file mode 100644
index 00000000000..37bee444248
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_ttl.h
@@ -0,0 +1,23 @@
+/* IP tables module for matching the value of the TTL
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+#include <linux/types.h>
+
+enum {
+        IPT_TTL_EQ = 0,         /* equals */
+        IPT_TTL_NE,             /* not equals */
+        IPT_TTL_LT,             /* less than */
+        IPT_TTL_GT,             /* greater than */
+};
+
+
+struct ipt_ttl_info {
+        __u8    mode;
+        __u8    ttl;
+};
+
+
+#endif