aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2012-10-09 04:48:54 -0400
committerDavid Howells <dhowells@redhat.com>2012-10-09 04:48:54 -0400
commit94d0ec58e63159ce5bcdfe612ee220eaeefa3b2a (patch)
treeec8326cdbfd3a323067ca17760d2f14193b81342
parent27a3aadcdc4f07c55f4d04e71268b6653ab4a4cf (diff)
UAPI: (Scripted) Disintegrate include/linux/netfilter
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Dave Jones <davej@redhat.com>
Diffstat
-rw-r--r--include/linux/netfilter/Kbuild77
-rw-r--r--include/linux/netfilter/nf_conntrack_common.h115
-rw-r--r--include/linux/netfilter/nf_conntrack_ftp.h16
-rw-r--r--include/linux/netfilter/nf_conntrack_tcp.h49
-rw-r--r--include/linux/netfilter/nfnetlink.h55
-rw-r--r--include/linux/netfilter/nfnetlink_acct.h25
-rw-r--r--include/linux/netfilter/x_tables.h186
-rw-r--r--include/linux/netfilter/xt_hashlimit.h71
-rw-r--r--include/linux/netfilter/xt_physdev.h21
-rw-r--r--include/uapi/linux/netfilter/Kbuild76
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_common.h117
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_ftp.h18
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_sctp.h (renamed from include/linux/netfilter/nf_conntrack_sctp.h)0
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_tcp.h51
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_tuple_common.h (renamed from include/linux/netfilter/nf_conntrack_tuple_common.h)0
-rw-r--r--include/uapi/linux/netfilter/nf_nat.h (renamed from include/linux/netfilter/nf_nat.h)0
-rw-r--r--include/uapi/linux/netfilter/nfnetlink.h56
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_acct.h27
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_compat.h (renamed from include/linux/netfilter/nfnetlink_compat.h)0
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_conntrack.h (renamed from include/linux/netfilter/nfnetlink_conntrack.h)0
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_cthelper.h (renamed from include/linux/netfilter/nfnetlink_cthelper.h)0
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_cttimeout.h (renamed from include/linux/netfilter/nfnetlink_cttimeout.h)0
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_log.h (renamed from include/linux/netfilter/nfnetlink_log.h)0
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_queue.h (renamed from include/linux/netfilter/nfnetlink_queue.h)0
-rw-r--r--include/uapi/linux/netfilter/x_tables.h187
-rw-r--r--include/uapi/linux/netfilter/xt_AUDIT.h (renamed from include/linux/netfilter/xt_AUDIT.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_CHECKSUM.h (renamed from include/linux/netfilter/xt_CHECKSUM.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_CLASSIFY.h (renamed from include/linux/netfilter/xt_CLASSIFY.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_CONNMARK.h (renamed from include/linux/netfilter/xt_CONNMARK.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_CONNSECMARK.h (renamed from include/linux/netfilter/xt_CONNSECMARK.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_CT.h (renamed from include/linux/netfilter/xt_CT.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_DSCP.h (renamed from include/linux/netfilter/xt_DSCP.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_IDLETIMER.h (renamed from include/linux/netfilter/xt_IDLETIMER.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_LED.h (renamed from include/linux/netfilter/xt_LED.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_LOG.h (renamed from include/linux/netfilter/xt_LOG.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_MARK.h (renamed from include/linux/netfilter/xt_MARK.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_NFLOG.h (renamed from include/linux/netfilter/xt_NFLOG.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_NFQUEUE.h (renamed from include/linux/netfilter/xt_NFQUEUE.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_RATEEST.h (renamed from include/linux/netfilter/xt_RATEEST.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_SECMARK.h (renamed from include/linux/netfilter/xt_SECMARK.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_TCPMSS.h (renamed from include/linux/netfilter/xt_TCPMSS.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h (renamed from include/linux/netfilter/xt_TCPOPTSTRIP.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_TEE.h (renamed from include/linux/netfilter/xt_TEE.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_TPROXY.h (renamed from include/linux/netfilter/xt_TPROXY.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_addrtype.h (renamed from include/linux/netfilter/xt_addrtype.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_cluster.h (renamed from include/linux/netfilter/xt_cluster.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_comment.h (renamed from include/linux/netfilter/xt_comment.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_connbytes.h (renamed from include/linux/netfilter/xt_connbytes.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_connlimit.h (renamed from include/linux/netfilter/xt_connlimit.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_connmark.h (renamed from include/linux/netfilter/xt_connmark.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_conntrack.h (renamed from include/linux/netfilter/xt_conntrack.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_cpu.h (renamed from include/linux/netfilter/xt_cpu.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_dccp.h (renamed from include/linux/netfilter/xt_dccp.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_devgroup.h (renamed from include/linux/netfilter/xt_devgroup.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_dscp.h (renamed from include/linux/netfilter/xt_dscp.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_ecn.h (renamed from include/linux/netfilter/xt_ecn.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_esp.h (renamed from include/linux/netfilter/xt_esp.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_hashlimit.h73
-rw-r--r--include/uapi/linux/netfilter/xt_helper.h (renamed from include/linux/netfilter/xt_helper.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_iprange.h (renamed from include/linux/netfilter/xt_iprange.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_ipvs.h (renamed from include/linux/netfilter/xt_ipvs.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_length.h (renamed from include/linux/netfilter/xt_length.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_limit.h (renamed from include/linux/netfilter/xt_limit.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_mac.h (renamed from include/linux/netfilter/xt_mac.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_mark.h (renamed from include/linux/netfilter/xt_mark.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_multiport.h (renamed from include/linux/netfilter/xt_multiport.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_nfacct.h (renamed from include/linux/netfilter/xt_nfacct.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_osf.h (renamed from include/linux/netfilter/xt_osf.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_owner.h (renamed from include/linux/netfilter/xt_owner.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_physdev.h23
-rw-r--r--include/uapi/linux/netfilter/xt_pkttype.h (renamed from include/linux/netfilter/xt_pkttype.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_policy.h (renamed from include/linux/netfilter/xt_policy.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_quota.h (renamed from include/linux/netfilter/xt_quota.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_rateest.h (renamed from include/linux/netfilter/xt_rateest.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_realm.h (renamed from include/linux/netfilter/xt_realm.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_recent.h (renamed from include/linux/netfilter/xt_recent.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_sctp.h (renamed from include/linux/netfilter/xt_sctp.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_set.h (renamed from include/linux/netfilter/xt_set.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_socket.h (renamed from include/linux/netfilter/xt_socket.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_state.h (renamed from include/linux/netfilter/xt_state.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_statistic.h (renamed from include/linux/netfilter/xt_statistic.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_string.h (renamed from include/linux/netfilter/xt_string.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_tcpmss.h (renamed from include/linux/netfilter/xt_tcpmss.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_tcpudp.h (renamed from include/linux/netfilter/xt_tcpudp.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_time.h (renamed from include/linux/netfilter/xt_time.h)0
-rw-r--r--include/uapi/linux/netfilter/xt_u32.h (renamed from include/linux/netfilter/xt_u32.h)0
86 files changed, 636 insertions, 607 deletions
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 874ae8f2706b..b3322023e9a5 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -1,78 +1 @@
1header-y += ipset/ header-y += ipset/
2
3header-y += nf_conntrack_common.h
4header-y += nf_conntrack_ftp.h
5header-y += nf_conntrack_sctp.h
6header-y += nf_conntrack_tcp.h
7header-y += nf_conntrack_tuple_common.h
8header-y += nf_nat.h
9header-y += nfnetlink.h
10header-y += nfnetlink_acct.h
11header-y += nfnetlink_compat.h
12header-y += nfnetlink_conntrack.h
13header-y += nfnetlink_cthelper.h
14header-y += nfnetlink_cttimeout.h
15header-y += nfnetlink_log.h
16header-y += nfnetlink_queue.h
17header-y += x_tables.h
18header-y += xt_AUDIT.h
19header-y += xt_CHECKSUM.h
20header-y += xt_CLASSIFY.h
21header-y += xt_CONNMARK.h
22header-y += xt_CONNSECMARK.h
23header-y += xt_CT.h
24header-y += xt_DSCP.h
25header-y += xt_IDLETIMER.h
26header-y += xt_LED.h
27header-y += xt_LOG.h
28header-y += xt_MARK.h
29header-y += xt_nfacct.h
30header-y += xt_NFLOG.h
31header-y += xt_NFQUEUE.h
32header-y += xt_RATEEST.h
33header-y += xt_SECMARK.h
34header-y += xt_TCPMSS.h
35header-y += xt_TCPOPTSTRIP.h
36header-y += xt_TEE.h
37header-y += xt_TPROXY.h
38header-y += xt_addrtype.h
39header-y += xt_cluster.h
40header-y += xt_comment.h
41header-y += xt_connbytes.h
42header-y += xt_connlimit.h
43header-y += xt_connmark.h
44header-y += xt_conntrack.h
45header-y += xt_cpu.h
46header-y += xt_dccp.h
47header-y += xt_devgroup.h
48header-y += xt_dscp.h
49header-y += xt_ecn.h
50header-y += xt_esp.h
51header-y += xt_hashlimit.h
52header-y += xt_helper.h
53header-y += xt_iprange.h
54header-y += xt_ipvs.h
55header-y += xt_length.h
56header-y += xt_limit.h
57header-y += xt_mac.h
58header-y += xt_mark.h
59header-y += xt_multiport.h
60header-y += xt_osf.h
61header-y += xt_owner.h
62header-y += xt_physdev.h
63header-y += xt_pkttype.h
64header-y += xt_policy.h
65header-y += xt_quota.h
66header-y += xt_rateest.h
67header-y += xt_realm.h
68header-y += xt_recent.h
69header-y += xt_set.h
70header-y += xt_sctp.h
71header-y += xt_socket.h
72header-y += xt_state.h
73header-y += xt_statistic.h
74header-y += xt_string.h
75header-y += xt_tcpmss.h
76header-y += xt_tcpudp.h
77header-y += xt_time.h
78header-y += xt_u32.h
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index d146872a0b91..127d0b90604f 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -1,119 +1,8 @@
1#ifndef _NF_CONNTRACK_COMMON_H 1#ifndef _NF_CONNTRACK_COMMON_H
2#define _NF_CONNTRACK_COMMON_H 2#define _NF_CONNTRACK_COMMON_H
3/* Connection state tracking for netfilter. This is separated from,
4 but required by, the NAT layer; it can also be used by an iptables
5 extension. */
6enum ip_conntrack_info {
7 /* Part of an established connection (either direction). */
8 IP_CT_ESTABLISHED,
9 3
10 /* Like NEW, but related to an existing connection, or ICMP error 4#include <uapi/linux/netfilter/nf_conntrack_common.h>
11 (in either direction). */
12 IP_CT_RELATED,
13 5
14 /* Started a new connection to track (only
15 IP_CT_DIR_ORIGINAL); may be a retransmission. */
16 IP_CT_NEW,
17
18 /* >= this indicates reply direction */
19 IP_CT_IS_REPLY,
20
21 IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
22 IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
23 IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,
24 /* Number of distinct IP_CT types (no NEW in reply dirn). */
25 IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
26};
27
28/* Bitset representing status of connection. */
29enum ip_conntrack_status {
30 /* It's an expected connection: bit 0 set. This bit never changed */
31 IPS_EXPECTED_BIT = 0,
32 IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
33
34 /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
35 IPS_SEEN_REPLY_BIT = 1,
36 IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
37
38 /* Conntrack should never be early-expired. */
39 IPS_ASSURED_BIT = 2,
40 IPS_ASSURED = (1 << IPS_ASSURED_BIT),
41
42 /* Connection is confirmed: originating packet has left box */
43 IPS_CONFIRMED_BIT = 3,
44 IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
45
46 /* Connection needs src nat in orig dir. This bit never changed. */
47 IPS_SRC_NAT_BIT = 4,
48 IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
49
50 /* Connection needs dst nat in orig dir. This bit never changed. */
51 IPS_DST_NAT_BIT = 5,
52 IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
53
54 /* Both together. */
55 IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
56
57 /* Connection needs TCP sequence adjusted. */
58 IPS_SEQ_ADJUST_BIT = 6,
59 IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
60
61 /* NAT initialization bits. */
62 IPS_SRC_NAT_DONE_BIT = 7,
63 IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
64
65 IPS_DST_NAT_DONE_BIT = 8,
66 IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
67
68 /* Both together */
69 IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
70
71 /* Connection is dying (removed from lists), can not be unset. */
72 IPS_DYING_BIT = 9,
73 IPS_DYING = (1 << IPS_DYING_BIT),
74
75 /* Connection has fixed timeout. */
76 IPS_FIXED_TIMEOUT_BIT = 10,
77 IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
78
79 /* Conntrack is a template */
80 IPS_TEMPLATE_BIT = 11,
81 IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
82
83 /* Conntrack is a fake untracked entry */
84 IPS_UNTRACKED_BIT = 12,
85 IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
86
87 /* Conntrack got a helper explicitly attached via CT target. */
88 IPS_HELPER_BIT = 13,
89 IPS_HELPER = (1 << IPS_HELPER_BIT),
90};
91
92/* Connection tracking event types */
93enum ip_conntrack_events {
94 IPCT_NEW, /* new conntrack */
95 IPCT_RELATED, /* related conntrack */
96 IPCT_DESTROY, /* destroyed conntrack */
97 IPCT_REPLY, /* connection has seen two-way traffic */
98 IPCT_ASSURED, /* connection status has changed to assured */
99 IPCT_PROTOINFO, /* protocol information has changed */
100 IPCT_HELPER, /* new helper has been set */
101 IPCT_MARK, /* new mark has been set */
102 IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */
103 IPCT_SECMARK, /* new security mark has been set */
104};
105
106enum ip_conntrack_expect_events {
107 IPEXP_NEW, /* new expectation */
108 IPEXP_DESTROY, /* destroyed expectation */
109};
110
111/* expectation flags */
112#define NF_CT_EXPECT_PERMANENT 0x1
113#define NF_CT_EXPECT_INACTIVE 0x2
114#define NF_CT_EXPECT_USERSPACE 0x4
115
116#ifdef __KERNEL__
117struct ip_conntrack_stat { 6struct ip_conntrack_stat {
118 unsigned int searched; 7 unsigned int searched;
119 unsigned int found; 8 unsigned int found;
@@ -136,6 +25,4 @@ struct ip_conntrack_stat {
136/* call to create an explicit dependency on nf_conntrack. */ 25/* call to create an explicit dependency on nf_conntrack. */
137extern void need_conntrack(void); 26extern void need_conntrack(void);
138 27
139#endif /* __KERNEL__ */
140
141#endif /* _NF_CONNTRACK_COMMON_H */ 28#endif /* _NF_CONNTRACK_COMMON_H */
diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h
index 8faf3f792d13..5f818b01e035 100644
--- a/include/linux/netfilter/nf_conntrack_ftp.h
+++ b/include/linux/netfilter/nf_conntrack_ftp.h
@@ -1,20 +1,8 @@
1#ifndef _NF_CONNTRACK_FTP_H 1#ifndef _NF_CONNTRACK_FTP_H
2#define _NF_CONNTRACK_FTP_H 2#define _NF_CONNTRACK_FTP_H
3/* FTP tracking. */
4 3
5/* This enum is exposed to userspace */ 4#include <uapi/linux/netfilter/nf_conntrack_ftp.h>
6enum nf_ct_ftp_type {
7 /* PORT command from client */
8 NF_CT_FTP_PORT,
9 /* PASV response from server */
10 NF_CT_FTP_PASV,
11 /* EPRT command from client */
12 NF_CT_FTP_EPRT,
13 /* EPSV response from server */
14 NF_CT_FTP_EPSV,
15};
16 5
17#ifdef __KERNEL__
18 6
19#define FTP_PORT 21 7#define FTP_PORT 21
20 8
@@ -42,6 +30,4 @@ extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb,
42 unsigned int matchoff, 30 unsigned int matchoff,
43 unsigned int matchlen, 31 unsigned int matchlen,
44 struct nf_conntrack_expect *exp); 32 struct nf_conntrack_expect *exp);
45#endif /* __KERNEL__ */
46
47#endif /* _NF_CONNTRACK_FTP_H */ 33#endif /* _NF_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
index e59868ae12d4..22db9614b584 100644
--- a/include/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -1,53 +1,8 @@
1#ifndef _NF_CONNTRACK_TCP_H 1#ifndef _NF_CONNTRACK_TCP_H
2#define _NF_CONNTRACK_TCP_H 2#define _NF_CONNTRACK_TCP_H
3/* TCP tracking. */
4 3
5#include <linux/types.h> 4#include <uapi/linux/netfilter/nf_conntrack_tcp.h>
6 5
7/* This is exposed to userspace (ctnetlink) */
8enum tcp_conntrack {
9 TCP_CONNTRACK_NONE,
10 TCP_CONNTRACK_SYN_SENT,
11 TCP_CONNTRACK_SYN_RECV,
12 TCP_CONNTRACK_ESTABLISHED,
13 TCP_CONNTRACK_FIN_WAIT,
14 TCP_CONNTRACK_CLOSE_WAIT,
15 TCP_CONNTRACK_LAST_ACK,
16 TCP_CONNTRACK_TIME_WAIT,
17 TCP_CONNTRACK_CLOSE,
18 TCP_CONNTRACK_LISTEN, /* obsolete */
19#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN
20 TCP_CONNTRACK_MAX,
21 TCP_CONNTRACK_IGNORE,
22 TCP_CONNTRACK_RETRANS,
23 TCP_CONNTRACK_UNACK,
24 TCP_CONNTRACK_TIMEOUT_MAX
25};
26
27/* Window scaling is advertised by the sender */
28#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01
29
30/* SACK is permitted by the sender */
31#define IP_CT_TCP_FLAG_SACK_PERM 0x02
32
33/* This sender sent FIN first */
34#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04
35
36/* Be liberal in window checking */
37#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08
38
39/* Has unacknowledged data */
40#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10
41
42/* The field td_maxack has been set */
43#define IP_CT_TCP_FLAG_MAXACK_SET 0x20
44
45struct nf_ct_tcp_flags {
46 __u8 flags;
47 __u8 mask;
48};
49
50#ifdef __KERNEL__
51 6
52struct ip_ct_tcp_state { 7struct ip_ct_tcp_state {
53 u_int32_t td_end; /* max of seq + len */ 8 u_int32_t td_end; /* max of seq + len */
@@ -74,6 +29,4 @@ struct ip_ct_tcp {
74 u_int8_t last_flags; /* Last flags set */ 29 u_int8_t last_flags; /* Last flags set */
75}; 30};
76 31
77#endif /* __KERNEL__ */
78
79#endif /* _NF_CONNTRACK_TCP_H */ 32#endif /* _NF_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 18341cdb2443..4966ddec039b 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -1,63 +1,11 @@
1#ifndef _NFNETLINK_H 1#ifndef _NFNETLINK_H
2#define _NFNETLINK_H 2#define _NFNETLINK_H
3#include <linux/types.h>
4#include <linux/netfilter/nfnetlink_compat.h>
5 3
6enum nfnetlink_groups {
7 NFNLGRP_NONE,
8#define NFNLGRP_NONE NFNLGRP_NONE
9 NFNLGRP_CONNTRACK_NEW,
10#define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW
11 NFNLGRP_CONNTRACK_UPDATE,
12#define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE
13 NFNLGRP_CONNTRACK_DESTROY,
14#define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY
15 NFNLGRP_CONNTRACK_EXP_NEW,
16#define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW
17 NFNLGRP_CONNTRACK_EXP_UPDATE,
18#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
19 NFNLGRP_CONNTRACK_EXP_DESTROY,
20#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
21 __NFNLGRP_MAX,
22};
23#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
24
25/* General form of address family dependent message.
26 */
27struct nfgenmsg {
28 __u8 nfgen_family; /* AF_xxx */
29 __u8 version; /* nfnetlink version */
30 __be16 res_id; /* resource id */
31};
32
33#define NFNETLINK_V0 0
34
35/* netfilter netlink message types are split in two pieces:
36 * 8 bit subsystem, 8bit operation.
37 */
38
39#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8)
40#define NFNL_MSG_TYPE(x) (x & 0x00ff)
41
42/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
43 * won't work anymore */
44#define NFNL_SUBSYS_NONE 0
45#define NFNL_SUBSYS_CTNETLINK 1
46#define NFNL_SUBSYS_CTNETLINK_EXP 2
47#define NFNL_SUBSYS_QUEUE 3
48#define NFNL_SUBSYS_ULOG 4
49#define NFNL_SUBSYS_OSF 5
50#define NFNL_SUBSYS_IPSET 6
51#define NFNL_SUBSYS_ACCT 7
52#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8
53#define NFNL_SUBSYS_CTHELPER 9
54#define NFNL_SUBSYS_COUNT 10
55
56#ifdef __KERNEL__
57 4
58#include <linux/netlink.h> 5#include <linux/netlink.h>
59#include <linux/capability.h> 6#include <linux/capability.h>
60#include <net/netlink.h> 7#include <net/netlink.h>
8#include <uapi/linux/netfilter/nfnetlink.h>
61 9
62struct nfnl_callback { 10struct nfnl_callback {
63 int (*call)(struct sock *nl, struct sk_buff *skb, 11 int (*call)(struct sock *nl, struct sk_buff *skb,
@@ -92,5 +40,4 @@ extern void nfnl_unlock(void);
92#define MODULE_ALIAS_NFNL_SUBSYS(subsys) \ 40#define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
93 MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys)) 41 MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
94 42
95#endif /* __KERNEL__ */
96#endif /* _NFNETLINK_H */ 43#endif /* _NFNETLINK_H */
diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h
index 7c4279b4ae7a..bb4bbc9b7a18 100644
--- a/include/linux/netfilter/nfnetlink_acct.h
+++ b/include/linux/netfilter/nfnetlink_acct.h
@@ -1,29 +1,8 @@
1#ifndef _NFNL_ACCT_H_ 1#ifndef _NFNL_ACCT_H_
2#define _NFNL_ACCT_H_ 2#define _NFNL_ACCT_H_
3 3
4#ifndef NFACCT_NAME_MAX 4#include <uapi/linux/netfilter/nfnetlink_acct.h>
5#define NFACCT_NAME_MAX 32
6#endif
7 5
8enum nfnl_acct_msg_types {
9 NFNL_MSG_ACCT_NEW,
10 NFNL_MSG_ACCT_GET,
11 NFNL_MSG_ACCT_GET_CTRZERO,
12 NFNL_MSG_ACCT_DEL,
13 NFNL_MSG_ACCT_MAX
14};
15
16enum nfnl_acct_type {
17 NFACCT_UNSPEC,
18 NFACCT_NAME,
19 NFACCT_PKTS,
20 NFACCT_BYTES,
21 NFACCT_USE,
22 __NFACCT_MAX
23};
24#define NFACCT_MAX (__NFACCT_MAX - 1)
25
26#ifdef __KERNEL__
27 6
28struct nf_acct; 7struct nf_acct;
29 8
@@ -31,6 +10,4 @@ extern struct nf_acct *nfnl_acct_find_get(const char *filter_name);
31extern void nfnl_acct_put(struct nf_acct *acct); 10extern void nfnl_acct_put(struct nf_acct *acct);
32extern void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct); 11extern void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct);
33 12
34#endif /* __KERNEL__ */
35
36#endif /* _NFNL_ACCT_H */ 13#endif /* _NFNL_ACCT_H */
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 8d674a786744..dd49566315c6 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -1,191 +1,9 @@
1#ifndef _X_TABLES_H 1#ifndef _X_TABLES_H
2#define _X_TABLES_H 2#define _X_TABLES_H
3#include <linux/kernel.h>
4#include <linux/types.h>
5 3
6#define XT_FUNCTION_MAXNAMELEN 30
7#define XT_EXTENSION_MAXNAMELEN 29
8#define XT_TABLE_MAXNAMELEN 32
9
10struct xt_entry_match {
11 union {
12 struct {
13 __u16 match_size;
14
15 /* Used by userspace */
16 char name[XT_EXTENSION_MAXNAMELEN];
17 __u8 revision;
18 } user;
19 struct {
20 __u16 match_size;
21
22 /* Used inside the kernel */
23 struct xt_match *match;
24 } kernel;
25
26 /* Total length */
27 __u16 match_size;
28 } u;
29
30 unsigned char data[0];
31};
32
33struct xt_entry_target {
34 union {
35 struct {
36 __u16 target_size;
37
38 /* Used by userspace */
39 char name[XT_EXTENSION_MAXNAMELEN];
40 __u8 revision;
41 } user;
42 struct {
43 __u16 target_size;
44
45 /* Used inside the kernel */
46 struct xt_target *target;
47 } kernel;
48
49 /* Total length */
50 __u16 target_size;
51 } u;
52
53 unsigned char data[0];
54};
55
56#define XT_TARGET_INIT(__name, __size) \
57{ \
58 .target.u.user = { \
59 .target_size = XT_ALIGN(__size), \
60 .name = __name, \
61 }, \
62}
63
64struct xt_standard_target {
65 struct xt_entry_target target;
66 int verdict;
67};
68
69struct xt_error_target {
70 struct xt_entry_target target;
71 char errorname[XT_FUNCTION_MAXNAMELEN];
72};
73
74/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
75 * kernel supports, if >= revision. */
76struct xt_get_revision {
77 char name[XT_EXTENSION_MAXNAMELEN];
78 __u8 revision;
79};
80
81/* CONTINUE verdict for targets */
82#define XT_CONTINUE 0xFFFFFFFF
83
84/* For standard target */
85#define XT_RETURN (-NF_REPEAT - 1)
86
87/* this is a dummy structure to find out the alignment requirement for a struct
88 * containing all the fundamental data types that are used in ipt_entry,
89 * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my
90 * personal pleasure to remove it -HW
91 */
92struct _xt_align {
93 __u8 u8;
94 __u16 u16;
95 __u32 u32;
96 __u64 u64;
97};
98
99#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
100
101/* Standard return verdict, or do jump. */
102#define XT_STANDARD_TARGET ""
103/* Error verdict. */
104#define XT_ERROR_TARGET "ERROR"
105
106#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
107#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
108
109struct xt_counters {
110 __u64 pcnt, bcnt; /* Packet and byte counters */
111};
112
113/* The argument to IPT_SO_ADD_COUNTERS. */
114struct xt_counters_info {
115 /* Which table. */
116 char name[XT_TABLE_MAXNAMELEN];
117
118 unsigned int num_counters;
119
120 /* The counters (actually `number' of these). */
121 struct xt_counters counters[0];
122};
123
124#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
125
126#ifndef __KERNEL__
127/* fn returns 0 to continue iteration */
128#define XT_MATCH_ITERATE(type, e, fn, args...) \
129({ \
130 unsigned int __i; \
131 int __ret = 0; \
132 struct xt_entry_match *__m; \
133 \
134 for (__i = sizeof(type); \
135 __i < (e)->target_offset; \
136 __i += __m->u.match_size) { \
137 __m = (void *)e + __i; \
138 \
139 __ret = fn(__m , ## args); \
140 if (__ret != 0) \
141 break; \
142 } \
143 __ret; \
144})
145
146/* fn returns 0 to continue iteration */
147#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
148({ \
149 unsigned int __i, __n; \
150 int __ret = 0; \
151 type *__entry; \
152 \
153 for (__i = 0, __n = 0; __i < (size); \
154 __i += __entry->next_offset, __n++) { \
155 __entry = (void *)(entries) + __i; \
156 if (__n < n) \
157 continue; \
158 \
159 __ret = fn(__entry , ## args); \
160 if (__ret != 0) \
161 break; \
162 } \
163 __ret; \
164})
165
166/* fn returns 0 to continue iteration */
167#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
168 XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
169
170#endif /* !__KERNEL__ */
171
172/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
173#define xt_entry_foreach(pos, ehead, esize) \
174 for ((pos) = (typeof(pos))(ehead); \
175 (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
176 (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
177
178/* can only be xt_entry_match, so no use of typeof here */
179#define xt_ematch_foreach(pos, entry) \
180 for ((pos) = (struct xt_entry_match *)entry->elems; \
181 (pos) < (struct xt_entry_match *)((char *)(entry) + \
182 (entry)->target_offset); \
183 (pos) = (struct xt_entry_match *)((char *)(pos) + \
184 (pos)->u.match_size))
185
186#ifdef __KERNEL__
187 4
188#include <linux/netdevice.h> 5#include <linux/netdevice.h>
6#include <uapi/linux/netfilter/x_tables.h>
189 7
190/** 8/**
191 * struct xt_action_param - parameters for matches/targets 9 * struct xt_action_param - parameters for matches/targets
@@ -617,6 +435,4 @@ extern int xt_compat_target_to_user(const struct xt_entry_target *t,
617 void __user **dstptr, unsigned int *size); 435 void __user **dstptr, unsigned int *size);
618 436
619#endif /* CONFIG_COMPAT */ 437#endif /* CONFIG_COMPAT */
620#endif /* __KERNEL__ */
621
622#endif /* _X_TABLES_H */ 438#endif /* _X_TABLES_H */
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index c42e52f39f8f..074790c0cf74 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -1,78 +1,9 @@
1#ifndef _XT_HASHLIMIT_H 1#ifndef _XT_HASHLIMIT_H
2#define _XT_HASHLIMIT_H 2#define _XT_HASHLIMIT_H
3 3
4#include <linux/types.h> 4#include <uapi/linux/netfilter/xt_hashlimit.h>
5 5
6/* timings are in milliseconds. */
7#define XT_HASHLIMIT_SCALE 10000
8/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
9 * seconds, or one packet every 59 hours.
10 */
11
12/* packet length accounting is done in 16-byte steps */
13#define XT_HASHLIMIT_BYTE_SHIFT 4
14
15/* details of this structure hidden by the implementation */
16struct xt_hashlimit_htable;
17
18enum {
19 XT_HASHLIMIT_HASH_DIP = 1 << 0,
20 XT_HASHLIMIT_HASH_DPT = 1 << 1,
21 XT_HASHLIMIT_HASH_SIP = 1 << 2,
22 XT_HASHLIMIT_HASH_SPT = 1 << 3,
23 XT_HASHLIMIT_INVERT = 1 << 4,
24 XT_HASHLIMIT_BYTES = 1 << 5,
25};
26#ifdef __KERNEL__
27#define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \ 6#define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \
28 XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \ 7 XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \
29 XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES) 8 XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES)
30#endif
31
32struct hashlimit_cfg {
33 __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
34 __u32 avg; /* Average secs between packets * scale */
35 __u32 burst; /* Period multiplier for upper limit. */
36
37 /* user specified */
38 __u32 size; /* how many buckets */
39 __u32 max; /* max number of entries */
40 __u32 gc_interval; /* gc interval */
41 __u32 expire; /* when do entries expire? */
42};
43
44struct xt_hashlimit_info {
45 char name [IFNAMSIZ]; /* name */
46 struct hashlimit_cfg cfg;
47
48 /* Used internally by the kernel */
49 struct xt_hashlimit_htable *hinfo;
50 union {
51 void *ptr;
52 struct xt_hashlimit_info *master;
53 } u;
54};
55
56struct hashlimit_cfg1 {
57 __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
58 __u32 avg; /* Average secs between packets * scale */
59 __u32 burst; /* Period multiplier for upper limit. */
60
61 /* user specified */
62 __u32 size; /* how many buckets */
63 __u32 max; /* max number of entries */
64 __u32 gc_interval; /* gc interval */
65 __u32 expire; /* when do entries expire? */
66
67 __u8 srcmask, dstmask;
68};
69
70struct xt_hashlimit_mtinfo1 {
71 char name[IFNAMSIZ];
72 struct hashlimit_cfg1 cfg;
73
74 /* Used internally by the kernel */
75 struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
76};
77
78#endif /*_XT_HASHLIMIT_H*/ 9#endif /*_XT_HASHLIMIT_H*/
diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h
index 8555e399886d..5b5e41716d69 100644
--- a/include/linux/netfilter/xt_physdev.h
+++ b/include/linux/netfilter/xt_physdev.h
@@ -1,26 +1,7 @@
1#ifndef _XT_PHYSDEV_H 1#ifndef _XT_PHYSDEV_H
2#define _XT_PHYSDEV_H 2#define _XT_PHYSDEV_H
3 3
4#include <linux/types.h>
5
6#ifdef __KERNEL__
7#include <linux/if.h> 4#include <linux/if.h>
8#endif 5#include <uapi/linux/netfilter/xt_physdev.h>
9
10#define XT_PHYSDEV_OP_IN 0x01
11#define XT_PHYSDEV_OP_OUT 0x02
12#define XT_PHYSDEV_OP_BRIDGED 0x04
13#define XT_PHYSDEV_OP_ISIN 0x08
14#define XT_PHYSDEV_OP_ISOUT 0x10
15#define XT_PHYSDEV_OP_MASK (0x20 - 1)
16
17struct xt_physdev_info {
18 char physindev[IFNAMSIZ];
19 char in_mask[IFNAMSIZ];
20 char physoutdev[IFNAMSIZ];
21 char out_mask[IFNAMSIZ];
22 __u8 invert;
23 __u8 bitmask;
24};
25 6
26#endif /*_XT_PHYSDEV_H*/ 7#endif /*_XT_PHYSDEV_H*/
diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 4afbace8e869..08f555fef13f 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
@@ -1,2 +1,78 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += ipset/ 2header-y += ipset/
3header-y += nf_conntrack_common.h
4header-y += nf_conntrack_ftp.h
5header-y += nf_conntrack_sctp.h
6header-y += nf_conntrack_tcp.h
7header-y += nf_conntrack_tuple_common.h
8header-y += nf_nat.h
9header-y += nfnetlink.h
10header-y += nfnetlink_acct.h
11header-y += nfnetlink_compat.h
12header-y += nfnetlink_conntrack.h
13header-y += nfnetlink_cthelper.h
14header-y += nfnetlink_cttimeout.h
15header-y += nfnetlink_log.h
16header-y += nfnetlink_queue.h
17header-y += x_tables.h
18header-y += xt_AUDIT.h
19header-y += xt_CHECKSUM.h
20header-y += xt_CLASSIFY.h
21header-y += xt_CONNMARK.h
22header-y += xt_CONNSECMARK.h
23header-y += xt_CT.h
24header-y += xt_DSCP.h
25header-y += xt_IDLETIMER.h
26header-y += xt_LED.h
27header-y += xt_LOG.h
28header-y += xt_MARK.h
29header-y += xt_NFLOG.h
30header-y += xt_NFQUEUE.h
31header-y += xt_RATEEST.h
32header-y += xt_SECMARK.h
33header-y += xt_TCPMSS.h
34header-y += xt_TCPOPTSTRIP.h
35header-y += xt_TEE.h
36header-y += xt_TPROXY.h
37header-y += xt_addrtype.h
38header-y += xt_cluster.h
39header-y += xt_comment.h
40header-y += xt_connbytes.h
41header-y += xt_connlimit.h
42header-y += xt_connmark.h
43header-y += xt_conntrack.h
44header-y += xt_cpu.h
45header-y += xt_dccp.h
46header-y += xt_devgroup.h
47header-y += xt_dscp.h
48header-y += xt_ecn.h
49header-y += xt_esp.h
50header-y += xt_hashlimit.h
51header-y += xt_helper.h
52header-y += xt_iprange.h
53header-y += xt_ipvs.h
54header-y += xt_length.h
55header-y += xt_limit.h
56header-y += xt_mac.h
57header-y += xt_mark.h
58header-y += xt_multiport.h
59header-y += xt_nfacct.h
60header-y += xt_osf.h
61header-y += xt_owner.h
62header-y += xt_physdev.h
63header-y += xt_pkttype.h
64header-y += xt_policy.h
65header-y += xt_quota.h
66header-y += xt_rateest.h
67header-y += xt_realm.h
68header-y += xt_recent.h
69header-y += xt_sctp.h
70header-y += xt_set.h
71header-y += xt_socket.h
72header-y += xt_state.h
73header-y += xt_statistic.h
74header-y += xt_string.h
75header-y += xt_tcpmss.h
76header-y += xt_tcpudp.h
77header-y += xt_time.h
78header-y += xt_u32.h
diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
new file mode 100644
index 000000000000..1644cdd8be91
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -0,0 +1,117 @@
1#ifndef _UAPI_NF_CONNTRACK_COMMON_H
2#define _UAPI_NF_CONNTRACK_COMMON_H
3/* Connection state tracking for netfilter. This is separated from,
4 but required by, the NAT layer; it can also be used by an iptables
5 extension. */
6enum ip_conntrack_info {
7 /* Part of an established connection (either direction). */
8 IP_CT_ESTABLISHED,
9
10 /* Like NEW, but related to an existing connection, or ICMP error
11 (in either direction). */
12 IP_CT_RELATED,
13
14 /* Started a new connection to track (only
15 IP_CT_DIR_ORIGINAL); may be a retransmission. */
16 IP_CT_NEW,
17
18 /* >= this indicates reply direction */
19 IP_CT_IS_REPLY,
20
21 IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
22 IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
23 IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,
24 /* Number of distinct IP_CT types (no NEW in reply dirn). */
25 IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
26};
27
28/* Bitset representing status of connection. */
29enum ip_conntrack_status {
30 /* It's an expected connection: bit 0 set. This bit never changed */
31 IPS_EXPECTED_BIT = 0,
32 IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
33
34 /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
35 IPS_SEEN_REPLY_BIT = 1,
36 IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
37
38 /* Conntrack should never be early-expired. */
39 IPS_ASSURED_BIT = 2,
40 IPS_ASSURED = (1 << IPS_ASSURED_BIT),
41
42 /* Connection is confirmed: originating packet has left box */
43 IPS_CONFIRMED_BIT = 3,
44 IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
45
46 /* Connection needs src nat in orig dir. This bit never changed. */
47 IPS_SRC_NAT_BIT = 4,
48 IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
49
50 /* Connection needs dst nat in orig dir. This bit never changed. */
51 IPS_DST_NAT_BIT = 5,
52 IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
53
54 /* Both together. */
55 IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
56
57 /* Connection needs TCP sequence adjusted. */
58 IPS_SEQ_ADJUST_BIT = 6,
59 IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
60
61 /* NAT initialization bits. */
62 IPS_SRC_NAT_DONE_BIT = 7,
63 IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
64
65 IPS_DST_NAT_DONE_BIT = 8,
66 IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
67
68 /* Both together */
69 IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
70
71 /* Connection is dying (removed from lists), can not be unset. */
72 IPS_DYING_BIT = 9,
73 IPS_DYING = (1 << IPS_DYING_BIT),
74
75 /* Connection has fixed timeout. */
76 IPS_FIXED_TIMEOUT_BIT = 10,
77 IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
78
79 /* Conntrack is a template */
80 IPS_TEMPLATE_BIT = 11,
81 IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
82
83 /* Conntrack is a fake untracked entry */
84 IPS_UNTRACKED_BIT = 12,
85 IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
86
87 /* Conntrack got a helper explicitly attached via CT target. */
88 IPS_HELPER_BIT = 13,
89 IPS_HELPER = (1 << IPS_HELPER_BIT),
90};
91
92/* Connection tracking event types */
93enum ip_conntrack_events {
94 IPCT_NEW, /* new conntrack */
95 IPCT_RELATED, /* related conntrack */
96 IPCT_DESTROY, /* destroyed conntrack */
97 IPCT_REPLY, /* connection has seen two-way traffic */
98 IPCT_ASSURED, /* connection status has changed to assured */
99 IPCT_PROTOINFO, /* protocol information has changed */
100 IPCT_HELPER, /* new helper has been set */
101 IPCT_MARK, /* new mark has been set */
102 IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */
103 IPCT_SECMARK, /* new security mark has been set */
104};
105
106enum ip_conntrack_expect_events {
107 IPEXP_NEW, /* new expectation */
108 IPEXP_DESTROY, /* destroyed expectation */
109};
110
111/* expectation flags */
112#define NF_CT_EXPECT_PERMANENT 0x1
113#define NF_CT_EXPECT_INACTIVE 0x2
114#define NF_CT_EXPECT_USERSPACE 0x4
115
116
117#endif /* _UAPI_NF_CONNTRACK_COMMON_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_ftp.h b/include/uapi/linux/netfilter/nf_conntrack_ftp.h
new file mode 100644
index 000000000000..1030315a41b5
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_ftp.h
@@ -0,0 +1,18 @@
1#ifndef _UAPI_NF_CONNTRACK_FTP_H
2#define _UAPI_NF_CONNTRACK_FTP_H
3/* FTP tracking. */
4
5/* This enum is exposed to userspace */
6enum nf_ct_ftp_type {
7 /* PORT command from client */
8 NF_CT_FTP_PORT,
9 /* PASV response from server */
10 NF_CT_FTP_PASV,
11 /* EPRT command from client */
12 NF_CT_FTP_EPRT,
13 /* EPSV response from server */
14 NF_CT_FTP_EPSV,
15};
16
17
18#endif /* _UAPI_NF_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
index ceeefe6681b5..ceeefe6681b5 100644
--- a/include/linux/netfilter/nf_conntrack_sctp.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
diff --git a/include/uapi/linux/netfilter/nf_conntrack_tcp.h b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
new file mode 100644
index 000000000000..9993a421201c
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
@@ -0,0 +1,51 @@
1#ifndef _UAPI_NF_CONNTRACK_TCP_H
2#define _UAPI_NF_CONNTRACK_TCP_H
3/* TCP tracking. */
4
5#include <linux/types.h>
6
7/* This is exposed to userspace (ctnetlink) */
8enum tcp_conntrack {
9 TCP_CONNTRACK_NONE,
10 TCP_CONNTRACK_SYN_SENT,
11 TCP_CONNTRACK_SYN_RECV,
12 TCP_CONNTRACK_ESTABLISHED,
13 TCP_CONNTRACK_FIN_WAIT,
14 TCP_CONNTRACK_CLOSE_WAIT,
15 TCP_CONNTRACK_LAST_ACK,
16 TCP_CONNTRACK_TIME_WAIT,
17 TCP_CONNTRACK_CLOSE,
18 TCP_CONNTRACK_LISTEN, /* obsolete */
19#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN
20 TCP_CONNTRACK_MAX,
21 TCP_CONNTRACK_IGNORE,
22 TCP_CONNTRACK_RETRANS,
23 TCP_CONNTRACK_UNACK,
24 TCP_CONNTRACK_TIMEOUT_MAX
25};
26
27/* Window scaling is advertised by the sender */
28#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01
29
30/* SACK is permitted by the sender */
31#define IP_CT_TCP_FLAG_SACK_PERM 0x02
32
33/* This sender sent FIN first */
34#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04
35
36/* Be liberal in window checking */
37#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08
38
39/* Has unacknowledged data */
40#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10
41
42/* The field td_maxack has been set */
43#define IP_CT_TCP_FLAG_MAXACK_SET 0x20
44
45struct nf_ct_tcp_flags {
46 __u8 flags;
47 __u8 mask;
48};
49
50
51#endif /* _UAPI_NF_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
index 2f6bbc5b8125..2f6bbc5b8125 100644
--- a/include/linux/netfilter/nf_conntrack_tuple_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
diff --git a/include/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h
index bf0cc373ffb6..bf0cc373ffb6 100644
--- a/include/linux/netfilter/nf_nat.h
+++ b/include/uapi/linux/netfilter/nf_nat.h
diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h
new file mode 100644
index 000000000000..4a4efafad5f4
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink.h
@@ -0,0 +1,56 @@
1#ifndef _UAPI_NFNETLINK_H
2#define _UAPI_NFNETLINK_H
3#include <linux/types.h>
4#include <linux/netfilter/nfnetlink_compat.h>
5
6enum nfnetlink_groups {
7 NFNLGRP_NONE,
8#define NFNLGRP_NONE NFNLGRP_NONE
9 NFNLGRP_CONNTRACK_NEW,
10#define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW
11 NFNLGRP_CONNTRACK_UPDATE,
12#define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE
13 NFNLGRP_CONNTRACK_DESTROY,
14#define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY
15 NFNLGRP_CONNTRACK_EXP_NEW,
16#define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW
17 NFNLGRP_CONNTRACK_EXP_UPDATE,
18#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
19 NFNLGRP_CONNTRACK_EXP_DESTROY,
20#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
21 __NFNLGRP_MAX,
22};
23#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
24
25/* General form of address family dependent message.
26 */
27struct nfgenmsg {
28 __u8 nfgen_family; /* AF_xxx */
29 __u8 version; /* nfnetlink version */
30 __be16 res_id; /* resource id */
31};
32
33#define NFNETLINK_V0 0
34
35/* netfilter netlink message types are split in two pieces:
36 * 8 bit subsystem, 8bit operation.
37 */
38
39#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8)
40#define NFNL_MSG_TYPE(x) (x & 0x00ff)
41
42/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
43 * won't work anymore */
44#define NFNL_SUBSYS_NONE 0
45#define NFNL_SUBSYS_CTNETLINK 1
46#define NFNL_SUBSYS_CTNETLINK_EXP 2
47#define NFNL_SUBSYS_QUEUE 3
48#define NFNL_SUBSYS_ULOG 4
49#define NFNL_SUBSYS_OSF 5
50#define NFNL_SUBSYS_IPSET 6
51#define NFNL_SUBSYS_ACCT 7
52#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8
53#define NFNL_SUBSYS_CTHELPER 9
54#define NFNL_SUBSYS_COUNT 10
55
56#endif /* _UAPI_NFNETLINK_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_acct.h b/include/uapi/linux/netfilter/nfnetlink_acct.h
new file mode 100644
index 000000000000..c7b6269e760b
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_acct.h
@@ -0,0 +1,27 @@
1#ifndef _UAPI_NFNL_ACCT_H_
2#define _UAPI_NFNL_ACCT_H_
3
4#ifndef NFACCT_NAME_MAX
5#define NFACCT_NAME_MAX 32
6#endif
7
8enum nfnl_acct_msg_types {
9 NFNL_MSG_ACCT_NEW,
10 NFNL_MSG_ACCT_GET,
11 NFNL_MSG_ACCT_GET_CTRZERO,
12 NFNL_MSG_ACCT_DEL,
13 NFNL_MSG_ACCT_MAX
14};
15
16enum nfnl_acct_type {
17 NFACCT_UNSPEC,
18 NFACCT_NAME,
19 NFACCT_PKTS,
20 NFACCT_BYTES,
21 NFACCT_USE,
22 __NFACCT_MAX
23};
24#define NFACCT_MAX (__NFACCT_MAX - 1)
25
26
27#endif /* _UAPI_NFNL_ACCT_H_ */
diff --git a/include/linux/netfilter/nfnetlink_compat.h b/include/uapi/linux/netfilter/nfnetlink_compat.h
index ffb95036bbd4..ffb95036bbd4 100644
--- a/include/linux/netfilter/nfnetlink_compat.h
+++ b/include/uapi/linux/netfilter/nfnetlink_compat.h
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
index 43bfe3e1685b..43bfe3e1685b 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
diff --git a/include/linux/netfilter/nfnetlink_cthelper.h b/include/uapi/linux/netfilter/nfnetlink_cthelper.h
index 33659f6fad3e..33659f6fad3e 100644
--- a/include/linux/netfilter/nfnetlink_cthelper.h
+++ b/include/uapi/linux/netfilter/nfnetlink_cthelper.h
diff --git a/include/linux/netfilter/nfnetlink_cttimeout.h b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
index a2810a7c5e30..a2810a7c5e30 100644
--- a/include/linux/netfilter/nfnetlink_cttimeout.h
+++ b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
diff --git a/include/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
index 90c2c9575bac..90c2c9575bac 100644
--- a/include/linux/netfilter/nfnetlink_log.h
+++ b/include/uapi/linux/netfilter/nfnetlink_log.h
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index 70ec8c2bc11a..70ec8c2bc11a 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
diff --git a/include/uapi/linux/netfilter/x_tables.h b/include/uapi/linux/netfilter/x_tables.h
new file mode 100644
index 000000000000..c36969b91533
--- /dev/null
+++ b/include/uapi/linux/netfilter/x_tables.h
@@ -0,0 +1,187 @@
1#ifndef _UAPI_X_TABLES_H
2#define _UAPI_X_TABLES_H
3#include <linux/kernel.h>
4#include <linux/types.h>
5
6#define XT_FUNCTION_MAXNAMELEN 30
7#define XT_EXTENSION_MAXNAMELEN 29
8#define XT_TABLE_MAXNAMELEN 32
9
10struct xt_entry_match {
11 union {
12 struct {
13 __u16 match_size;
14
15 /* Used by userspace */
16 char name[XT_EXTENSION_MAXNAMELEN];
17 __u8 revision;
18 } user;
19 struct {
20 __u16 match_size;
21
22 /* Used inside the kernel */
23 struct xt_match *match;
24 } kernel;
25
26 /* Total length */
27 __u16 match_size;
28 } u;
29
30 unsigned char data[0];
31};
32
33struct xt_entry_target {
34 union {
35 struct {
36 __u16 target_size;
37
38 /* Used by userspace */
39 char name[XT_EXTENSION_MAXNAMELEN];
40 __u8 revision;
41 } user;
42 struct {
43 __u16 target_size;
44
45 /* Used inside the kernel */
46 struct xt_target *target;
47 } kernel;
48
49 /* Total length */
50 __u16 target_size;
51 } u;
52
53 unsigned char data[0];
54};
55
56#define XT_TARGET_INIT(__name, __size) \
57{ \
58 .target.u.user = { \
59 .target_size = XT_ALIGN(__size), \
60 .name = __name, \
61 }, \
62}
63
64struct xt_standard_target {
65 struct xt_entry_target target;
66 int verdict;
67};
68
69struct xt_error_target {
70 struct xt_entry_target target;
71 char errorname[XT_FUNCTION_MAXNAMELEN];
72};
73
74/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
75 * kernel supports, if >= revision. */
76struct xt_get_revision {
77 char name[XT_EXTENSION_MAXNAMELEN];
78 __u8 revision;
79};
80
81/* CONTINUE verdict for targets */
82#define XT_CONTINUE 0xFFFFFFFF
83
84/* For standard target */
85#define XT_RETURN (-NF_REPEAT - 1)
86
87/* this is a dummy structure to find out the alignment requirement for a struct
88 * containing all the fundamental data types that are used in ipt_entry,
89 * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my
90 * personal pleasure to remove it -HW
91 */
92struct _xt_align {
93 __u8 u8;
94 __u16 u16;
95 __u32 u32;
96 __u64 u64;
97};
98
99#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
100
101/* Standard return verdict, or do jump. */
102#define XT_STANDARD_TARGET ""
103/* Error verdict. */
104#define XT_ERROR_TARGET "ERROR"
105
106#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
107#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
108
109struct xt_counters {
110 __u64 pcnt, bcnt; /* Packet and byte counters */
111};
112
113/* The argument to IPT_SO_ADD_COUNTERS. */
114struct xt_counters_info {
115 /* Which table. */
116 char name[XT_TABLE_MAXNAMELEN];
117
118 unsigned int num_counters;
119
120 /* The counters (actually `number' of these). */
121 struct xt_counters counters[0];
122};
123
124#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
125
126#ifndef __KERNEL__
127/* fn returns 0 to continue iteration */
128#define XT_MATCH_ITERATE(type, e, fn, args...) \
129({ \
130 unsigned int __i; \
131 int __ret = 0; \
132 struct xt_entry_match *__m; \
133 \
134 for (__i = sizeof(type); \
135 __i < (e)->target_offset; \
136 __i += __m->u.match_size) { \
137 __m = (void *)e + __i; \
138 \
139 __ret = fn(__m , ## args); \
140 if (__ret != 0) \
141 break; \
142 } \
143 __ret; \
144})
145
146/* fn returns 0 to continue iteration */
147#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
148({ \
149 unsigned int __i, __n; \
150 int __ret = 0; \
151 type *__entry; \
152 \
153 for (__i = 0, __n = 0; __i < (size); \
154 __i += __entry->next_offset, __n++) { \
155 __entry = (void *)(entries) + __i; \
156 if (__n < n) \
157 continue; \
158 \
159 __ret = fn(__entry , ## args); \
160 if (__ret != 0) \
161 break; \
162 } \
163 __ret; \
164})
165
166/* fn returns 0 to continue iteration */
167#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
168 XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
169
170#endif /* !__KERNEL__ */
171
172/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
173#define xt_entry_foreach(pos, ehead, esize) \
174 for ((pos) = (typeof(pos))(ehead); \
175 (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
176 (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
177
178/* can only be xt_entry_match, so no use of typeof here */
179#define xt_ematch_foreach(pos, entry) \
180 for ((pos) = (struct xt_entry_match *)entry->elems; \
181 (pos) < (struct xt_entry_match *)((char *)(entry) + \
182 (entry)->target_offset); \
183 (pos) = (struct xt_entry_match *)((char *)(pos) + \
184 (pos)->u.match_size))
185
186
187#endif /* _UAPI_X_TABLES_H */
diff --git a/include/linux/netfilter/xt_AUDIT.h b/include/uapi/linux/netfilter/xt_AUDIT.h
index 38751d2ea52b..38751d2ea52b 100644
--- a/include/linux/netfilter/xt_AUDIT.h
+++ b/include/uapi/linux/netfilter/xt_AUDIT.h
diff --git a/include/linux/netfilter/xt_CHECKSUM.h b/include/uapi/linux/netfilter/xt_CHECKSUM.h
index 9a2e4661654e..9a2e4661654e 100644
--- a/include/linux/netfilter/xt_CHECKSUM.h
+++ b/include/uapi/linux/netfilter/xt_CHECKSUM.h
diff --git a/include/linux/netfilter/xt_CLASSIFY.h b/include/uapi/linux/netfilter/xt_CLASSIFY.h
index a813bf14dd63..a813bf14dd63 100644
--- a/include/linux/netfilter/xt_CLASSIFY.h
+++ b/include/uapi/linux/netfilter/xt_CLASSIFY.h
diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/uapi/linux/netfilter/xt_CONNMARK.h
index 2f2e48ec8023..2f2e48ec8023 100644
--- a/include/linux/netfilter/xt_CONNMARK.h
+++ b/include/uapi/linux/netfilter/xt_CONNMARK.h
diff --git a/include/linux/netfilter/xt_CONNSECMARK.h b/include/uapi/linux/netfilter/xt_CONNSECMARK.h
index b973ff80fa1e..b973ff80fa1e 100644
--- a/include/linux/netfilter/xt_CONNSECMARK.h
+++ b/include/uapi/linux/netfilter/xt_CONNSECMARK.h
diff --git a/include/linux/netfilter/xt_CT.h b/include/uapi/linux/netfilter/xt_CT.h
index a064b8af360c..a064b8af360c 100644
--- a/include/linux/netfilter/xt_CT.h
+++ b/include/uapi/linux/netfilter/xt_CT.h
diff --git a/include/linux/netfilter/xt_DSCP.h b/include/uapi/linux/netfilter/xt_DSCP.h
index 648e0b3bed29..648e0b3bed29 100644
--- a/include/linux/netfilter/xt_DSCP.h
+++ b/include/uapi/linux/netfilter/xt_DSCP.h
diff --git a/include/linux/netfilter/xt_IDLETIMER.h b/include/uapi/linux/netfilter/xt_IDLETIMER.h
index 208ae9387331..208ae9387331 100644
--- a/include/linux/netfilter/xt_IDLETIMER.h
+++ b/include/uapi/linux/netfilter/xt_IDLETIMER.h
diff --git a/include/linux/netfilter/xt_LED.h b/include/uapi/linux/netfilter/xt_LED.h
index f5509e7524d3..f5509e7524d3 100644
--- a/include/linux/netfilter/xt_LED.h
+++ b/include/uapi/linux/netfilter/xt_LED.h
diff --git a/include/linux/netfilter/xt_LOG.h b/include/uapi/linux/netfilter/xt_LOG.h
index cac079095305..cac079095305 100644
--- a/include/linux/netfilter/xt_LOG.h
+++ b/include/uapi/linux/netfilter/xt_LOG.h
diff --git a/include/linux/netfilter/xt_MARK.h b/include/uapi/linux/netfilter/xt_MARK.h
index 41c456deba22..41c456deba22 100644
--- a/include/linux/netfilter/xt_MARK.h
+++ b/include/uapi/linux/netfilter/xt_MARK.h
diff --git a/include/linux/netfilter/xt_NFLOG.h b/include/uapi/linux/netfilter/xt_NFLOG.h
index 87b58311ce6b..87b58311ce6b 100644
--- a/include/linux/netfilter/xt_NFLOG.h
+++ b/include/uapi/linux/netfilter/xt_NFLOG.h
diff --git a/include/linux/netfilter/xt_NFQUEUE.h b/include/uapi/linux/netfilter/xt_NFQUEUE.h
index 9eafdbbb401c..9eafdbbb401c 100644
--- a/include/linux/netfilter/xt_NFQUEUE.h
+++ b/include/uapi/linux/netfilter/xt_NFQUEUE.h
diff --git a/include/linux/netfilter/xt_RATEEST.h b/include/uapi/linux/netfilter/xt_RATEEST.h
index 6605e20ad8cf..6605e20ad8cf 100644
--- a/include/linux/netfilter/xt_RATEEST.h
+++ b/include/uapi/linux/netfilter/xt_RATEEST.h
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h
index 989092bd6274..989092bd6274 100644
--- a/include/linux/netfilter/xt_SECMARK.h
+++ b/include/uapi/linux/netfilter/xt_SECMARK.h
diff --git a/include/linux/netfilter/xt_TCPMSS.h b/include/uapi/linux/netfilter/xt_TCPMSS.h
index 9a6960afc134..9a6960afc134 100644
--- a/include/linux/netfilter/xt_TCPMSS.h
+++ b/include/uapi/linux/netfilter/xt_TCPMSS.h
diff --git a/include/linux/netfilter/xt_TCPOPTSTRIP.h b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
index 7157318499c2..7157318499c2 100644
--- a/include/linux/netfilter/xt_TCPOPTSTRIP.h
+++ b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
diff --git a/include/linux/netfilter/xt_TEE.h b/include/uapi/linux/netfilter/xt_TEE.h
index 5c21d5c829af..5c21d5c829af 100644
--- a/include/linux/netfilter/xt_TEE.h
+++ b/include/uapi/linux/netfilter/xt_TEE.h
diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/uapi/linux/netfilter/xt_TPROXY.h
index 902043c2073f..902043c2073f 100644
--- a/include/linux/netfilter/xt_TPROXY.h
+++ b/include/uapi/linux/netfilter/xt_TPROXY.h
diff --git a/include/linux/netfilter/xt_addrtype.h b/include/uapi/linux/netfilter/xt_addrtype.h
index b156baa9d55e..b156baa9d55e 100644
--- a/include/linux/netfilter/xt_addrtype.h
+++ b/include/uapi/linux/netfilter/xt_addrtype.h
diff --git a/include/linux/netfilter/xt_cluster.h b/include/uapi/linux/netfilter/xt_cluster.h
index 9b883c8fbf54..9b883c8fbf54 100644
--- a/include/linux/netfilter/xt_cluster.h
+++ b/include/uapi/linux/netfilter/xt_cluster.h
diff --git a/include/linux/netfilter/xt_comment.h b/include/uapi/linux/netfilter/xt_comment.h
index 0ea5e79f5bd7..0ea5e79f5bd7 100644
--- a/include/linux/netfilter/xt_comment.h
+++ b/include/uapi/linux/netfilter/xt_comment.h
diff --git a/include/linux/netfilter/xt_connbytes.h b/include/uapi/linux/netfilter/xt_connbytes.h
index f1d6c15bd9e3..f1d6c15bd9e3 100644
--- a/include/linux/netfilter/xt_connbytes.h
+++ b/include/uapi/linux/netfilter/xt_connbytes.h
diff --git a/include/linux/netfilter/xt_connlimit.h b/include/uapi/linux/netfilter/xt_connlimit.h
index f1656096121e..f1656096121e 100644
--- a/include/linux/netfilter/xt_connlimit.h
+++ b/include/uapi/linux/netfilter/xt_connlimit.h
diff --git a/include/linux/netfilter/xt_connmark.h b/include/uapi/linux/netfilter/xt_connmark.h
index efc17a8305fb..efc17a8305fb 100644
--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/uapi/linux/netfilter/xt_connmark.h
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/uapi/linux/netfilter/xt_conntrack.h
index e3c041d54020..e3c041d54020 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/uapi/linux/netfilter/xt_conntrack.h
diff --git a/include/linux/netfilter/xt_cpu.h b/include/uapi/linux/netfilter/xt_cpu.h
index 93c7f11d8f42..93c7f11d8f42 100644
--- a/include/linux/netfilter/xt_cpu.h
+++ b/include/uapi/linux/netfilter/xt_cpu.h
diff --git a/include/linux/netfilter/xt_dccp.h b/include/uapi/linux/netfilter/xt_dccp.h
index a579e1b6f040..a579e1b6f040 100644
--- a/include/linux/netfilter/xt_dccp.h
+++ b/include/uapi/linux/netfilter/xt_dccp.h
diff --git a/include/linux/netfilter/xt_devgroup.h b/include/uapi/linux/netfilter/xt_devgroup.h
index 1babde0ec900..1babde0ec900 100644
--- a/include/linux/netfilter/xt_devgroup.h
+++ b/include/uapi/linux/netfilter/xt_devgroup.h
diff --git a/include/linux/netfilter/xt_dscp.h b/include/uapi/linux/netfilter/xt_dscp.h
index 15f8932ad5ce..15f8932ad5ce 100644
--- a/include/linux/netfilter/xt_dscp.h
+++ b/include/uapi/linux/netfilter/xt_dscp.h
diff --git a/include/linux/netfilter/xt_ecn.h b/include/uapi/linux/netfilter/xt_ecn.h
index 7158fca364f2..7158fca364f2 100644
--- a/include/linux/netfilter/xt_ecn.h
+++ b/include/uapi/linux/netfilter/xt_ecn.h
diff --git a/include/linux/netfilter/xt_esp.h b/include/uapi/linux/netfilter/xt_esp.h
index ee6882408000..ee6882408000 100644
--- a/include/linux/netfilter/xt_esp.h
+++ b/include/uapi/linux/netfilter/xt_esp.h
diff --git a/include/uapi/linux/netfilter/xt_hashlimit.h b/include/uapi/linux/netfilter/xt_hashlimit.h
new file mode 100644
index 000000000000..cbfc43d1af68
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_hashlimit.h
@@ -0,0 +1,73 @@
1#ifndef _UAPI_XT_HASHLIMIT_H
2#define _UAPI_XT_HASHLIMIT_H
3
4#include <linux/types.h>
5
6/* timings are in milliseconds. */
7#define XT_HASHLIMIT_SCALE 10000
8/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
9 * seconds, or one packet every 59 hours.
10 */
11
12/* packet length accounting is done in 16-byte steps */
13#define XT_HASHLIMIT_BYTE_SHIFT 4
14
15/* details of this structure hidden by the implementation */
16struct xt_hashlimit_htable;
17
18enum {
19 XT_HASHLIMIT_HASH_DIP = 1 << 0,
20 XT_HASHLIMIT_HASH_DPT = 1 << 1,
21 XT_HASHLIMIT_HASH_SIP = 1 << 2,
22 XT_HASHLIMIT_HASH_SPT = 1 << 3,
23 XT_HASHLIMIT_INVERT = 1 << 4,
24 XT_HASHLIMIT_BYTES = 1 << 5,
25};
26
27struct hashlimit_cfg {
28 __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
29 __u32 avg; /* Average secs between packets * scale */
30 __u32 burst; /* Period multiplier for upper limit. */
31
32 /* user specified */
33 __u32 size; /* how many buckets */
34 __u32 max; /* max number of entries */
35 __u32 gc_interval; /* gc interval */
36 __u32 expire; /* when do entries expire? */
37};
38
39struct xt_hashlimit_info {
40 char name [IFNAMSIZ]; /* name */
41 struct hashlimit_cfg cfg;
42
43 /* Used internally by the kernel */
44 struct xt_hashlimit_htable *hinfo;
45 union {
46 void *ptr;
47 struct xt_hashlimit_info *master;
48 } u;
49};
50
51struct hashlimit_cfg1 {
52 __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
53 __u32 avg; /* Average secs between packets * scale */
54 __u32 burst; /* Period multiplier for upper limit. */
55
56 /* user specified */
57 __u32 size; /* how many buckets */
58 __u32 max; /* max number of entries */
59 __u32 gc_interval; /* gc interval */
60 __u32 expire; /* when do entries expire? */
61
62 __u8 srcmask, dstmask;
63};
64
65struct xt_hashlimit_mtinfo1 {
66 char name[IFNAMSIZ];
67 struct hashlimit_cfg1 cfg;
68
69 /* Used internally by the kernel */
70 struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
71};
72
73#endif /* _UAPI_XT_HASHLIMIT_H */
diff --git a/include/linux/netfilter/xt_helper.h b/include/uapi/linux/netfilter/xt_helper.h
index 6b42763f999d..6b42763f999d 100644
--- a/include/linux/netfilter/xt_helper.h
+++ b/include/uapi/linux/netfilter/xt_helper.h
diff --git a/include/linux/netfilter/xt_iprange.h b/include/uapi/linux/netfilter/xt_iprange.h
index 25fd7cf851f0..25fd7cf851f0 100644
--- a/include/linux/netfilter/xt_iprange.h
+++ b/include/uapi/linux/netfilter/xt_iprange.h
diff --git a/include/linux/netfilter/xt_ipvs.h b/include/uapi/linux/netfilter/xt_ipvs.h
index eff34ac18808..eff34ac18808 100644
--- a/include/linux/netfilter/xt_ipvs.h
+++ b/include/uapi/linux/netfilter/xt_ipvs.h
diff --git a/include/linux/netfilter/xt_length.h b/include/uapi/linux/netfilter/xt_length.h
index b82ed7c4b1e0..b82ed7c4b1e0 100644
--- a/include/linux/netfilter/xt_length.h
+++ b/include/uapi/linux/netfilter/xt_length.h
diff --git a/include/linux/netfilter/xt_limit.h b/include/uapi/linux/netfilter/xt_limit.h
index bb47fc4d2ade..bb47fc4d2ade 100644
--- a/include/linux/netfilter/xt_limit.h
+++ b/include/uapi/linux/netfilter/xt_limit.h
diff --git a/include/linux/netfilter/xt_mac.h b/include/uapi/linux/netfilter/xt_mac.h
index b892cdc67e06..b892cdc67e06 100644
--- a/include/linux/netfilter/xt_mac.h
+++ b/include/uapi/linux/netfilter/xt_mac.h
diff --git a/include/linux/netfilter/xt_mark.h b/include/uapi/linux/netfilter/xt_mark.h
index ecadc40d5cde..ecadc40d5cde 100644
--- a/include/linux/netfilter/xt_mark.h
+++ b/include/uapi/linux/netfilter/xt_mark.h
diff --git a/include/linux/netfilter/xt_multiport.h b/include/uapi/linux/netfilter/xt_multiport.h
index 5b7e72dfffc5..5b7e72dfffc5 100644
--- a/include/linux/netfilter/xt_multiport.h
+++ b/include/uapi/linux/netfilter/xt_multiport.h
diff --git a/include/linux/netfilter/xt_nfacct.h b/include/uapi/linux/netfilter/xt_nfacct.h
index 3e19c8a86576..3e19c8a86576 100644
--- a/include/linux/netfilter/xt_nfacct.h
+++ b/include/uapi/linux/netfilter/xt_nfacct.h
diff --git a/include/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h
index 18afa495f973..18afa495f973 100644
--- a/include/linux/netfilter/xt_osf.h
+++ b/include/uapi/linux/netfilter/xt_osf.h
diff --git a/include/linux/netfilter/xt_owner.h b/include/uapi/linux/netfilter/xt_owner.h
index 2081761714b5..2081761714b5 100644
--- a/include/linux/netfilter/xt_owner.h
+++ b/include/uapi/linux/netfilter/xt_owner.h
diff --git a/include/uapi/linux/netfilter/xt_physdev.h b/include/uapi/linux/netfilter/xt_physdev.h
new file mode 100644
index 000000000000..db7a2982e9c0
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_physdev.h
@@ -0,0 +1,23 @@
1#ifndef _UAPI_XT_PHYSDEV_H
2#define _UAPI_XT_PHYSDEV_H
3
4#include <linux/types.h>
5
6
7#define XT_PHYSDEV_OP_IN 0x01
8#define XT_PHYSDEV_OP_OUT 0x02
9#define XT_PHYSDEV_OP_BRIDGED 0x04
10#define XT_PHYSDEV_OP_ISIN 0x08
11#define XT_PHYSDEV_OP_ISOUT 0x10
12#define XT_PHYSDEV_OP_MASK (0x20 - 1)
13
14struct xt_physdev_info {
15 char physindev[IFNAMSIZ];
16 char in_mask[IFNAMSIZ];
17 char physoutdev[IFNAMSIZ];
18 char out_mask[IFNAMSIZ];
19 __u8 invert;
20 __u8 bitmask;
21};
22
23#endif /* _UAPI_XT_PHYSDEV_H */
diff --git a/include/linux/netfilter/xt_pkttype.h b/include/uapi/linux/netfilter/xt_pkttype.h
index f265cf52faea..f265cf52faea 100644
--- a/include/linux/netfilter/xt_pkttype.h
+++ b/include/uapi/linux/netfilter/xt_pkttype.h
diff --git a/include/linux/netfilter/xt_policy.h b/include/uapi/linux/netfilter/xt_policy.h
index be8ead05c316..be8ead05c316 100644
--- a/include/linux/netfilter/xt_policy.h
+++ b/include/uapi/linux/netfilter/xt_policy.h
diff --git a/include/linux/netfilter/xt_quota.h b/include/uapi/linux/netfilter/xt_quota.h
index 9314723f39ca..9314723f39ca 100644
--- a/include/linux/netfilter/xt_quota.h
+++ b/include/uapi/linux/netfilter/xt_quota.h
diff --git a/include/linux/netfilter/xt_rateest.h b/include/uapi/linux/netfilter/xt_rateest.h
index d40a6196842a..d40a6196842a 100644
--- a/include/linux/netfilter/xt_rateest.h
+++ b/include/uapi/linux/netfilter/xt_rateest.h
diff --git a/include/linux/netfilter/xt_realm.h b/include/uapi/linux/netfilter/xt_realm.h
index d4a82ee56a02..d4a82ee56a02 100644
--- a/include/linux/netfilter/xt_realm.h
+++ b/include/uapi/linux/netfilter/xt_realm.h
diff --git a/include/linux/netfilter/xt_recent.h b/include/uapi/linux/netfilter/xt_recent.h
index 6ef36c113e89..6ef36c113e89 100644
--- a/include/linux/netfilter/xt_recent.h
+++ b/include/uapi/linux/netfilter/xt_recent.h
diff --git a/include/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h
index 29287be696a2..29287be696a2 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/uapi/linux/netfilter/xt_sctp.h
diff --git a/include/linux/netfilter/xt_set.h b/include/uapi/linux/netfilter/xt_set.h
index e3a9978f259f..e3a9978f259f 100644
--- a/include/linux/netfilter/xt_set.h
+++ b/include/uapi/linux/netfilter/xt_set.h
diff --git a/include/linux/netfilter/xt_socket.h b/include/uapi/linux/netfilter/xt_socket.h
index 26d7217bd4f1..26d7217bd4f1 100644
--- a/include/linux/netfilter/xt_socket.h
+++ b/include/uapi/linux/netfilter/xt_socket.h
diff --git a/include/linux/netfilter/xt_state.h b/include/uapi/linux/netfilter/xt_state.h
index 7b32de886613..7b32de886613 100644
--- a/include/linux/netfilter/xt_state.h
+++ b/include/uapi/linux/netfilter/xt_state.h
diff --git a/include/linux/netfilter/xt_statistic.h b/include/uapi/linux/netfilter/xt_statistic.h
index 4e983ef0c968..4e983ef0c968 100644
--- a/include/linux/netfilter/xt_statistic.h
+++ b/include/uapi/linux/netfilter/xt_statistic.h
diff --git a/include/linux/netfilter/xt_string.h b/include/uapi/linux/netfilter/xt_string.h
index 235347c02eab..235347c02eab 100644
--- a/include/linux/netfilter/xt_string.h
+++ b/include/uapi/linux/netfilter/xt_string.h
diff --git a/include/linux/netfilter/xt_tcpmss.h b/include/uapi/linux/netfilter/xt_tcpmss.h
index fbac56b9e667..fbac56b9e667 100644
--- a/include/linux/netfilter/xt_tcpmss.h
+++ b/include/uapi/linux/netfilter/xt_tcpmss.h
diff --git a/include/linux/netfilter/xt_tcpudp.h b/include/uapi/linux/netfilter/xt_tcpudp.h
index 38aa7b399021..38aa7b399021 100644
--- a/include/linux/netfilter/xt_tcpudp.h
+++ b/include/uapi/linux/netfilter/xt_tcpudp.h
diff --git a/include/linux/netfilter/xt_time.h b/include/uapi/linux/netfilter/xt_time.h
index 095886019396..095886019396 100644
--- a/include/linux/netfilter/xt_time.h
+++ b/include/uapi/linux/netfilter/xt_time.h
diff --git a/include/linux/netfilter/xt_u32.h b/include/uapi/linux/netfilter/xt_u32.h
index 04d1bfea03c2..04d1bfea03c2 100644
--- a/include/linux/netfilter/xt_u32.h
+++ b/include/uapi/linux/netfilter/xt_u32.h
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-13 09:43:44 -0400