Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

9 files changed, 161 insertions, 74 deletions

diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index af9d2fb97212..2aea50399c0b 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -33,6 +33,7 @@ header-y += xt_limit.h
 header-y += xt_mac.h
 header-y += xt_mark.h
 header-y += xt_multiport.h
+header-y += xt_osf.h
 header-y += xt_owner.h
 header-y += xt_pkttype.h
 header-y += xt_quota.h
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 885cbe282260..a8248ee422b7 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -75,75 +75,6 @@ enum ip_conntrack_status {
         IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
 };
 
-/* Connection tracking event bits */
-enum ip_conntrack_events
-{
-        /* New conntrack */
-        IPCT_NEW_BIT = 0,
-        IPCT_NEW = (1 << IPCT_NEW_BIT),
-
-        /* Expected connection */
-        IPCT_RELATED_BIT = 1,
-        IPCT_RELATED = (1 << IPCT_RELATED_BIT),
-
-        /* Destroyed conntrack */
-        IPCT_DESTROY_BIT = 2,
-        IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
-
-        /* Timer has been refreshed */
-        IPCT_REFRESH_BIT = 3,
-        IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
-
-        /* Status has changed */
-        IPCT_STATUS_BIT = 4,
-        IPCT_STATUS = (1 << IPCT_STATUS_BIT),
-
-        /* Update of protocol info */
-        IPCT_PROTOINFO_BIT = 5,
-        IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
-
-        /* Volatile protocol info */
-        IPCT_PROTOINFO_VOLATILE_BIT = 6,
-        IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
-
-        /* New helper for conntrack */
-        IPCT_HELPER_BIT = 7,
-        IPCT_HELPER = (1 << IPCT_HELPER_BIT),
-
-        /* Update of helper info */
-        IPCT_HELPINFO_BIT = 8,
-        IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
-
-        /* Volatile helper info */
-        IPCT_HELPINFO_VOLATILE_BIT = 9,
-        IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
-
-        /* NAT info */
-        IPCT_NATINFO_BIT = 10,
-        IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
-
-        /* Counter highest bit has been set, unused */
-        IPCT_COUNTER_FILLING_BIT = 11,
-        IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
-
-        /* Mark is set */
-        IPCT_MARK_BIT = 12,
-        IPCT_MARK = (1 << IPCT_MARK_BIT),
-
-        /* NAT sequence adjustment */
-        IPCT_NATSEQADJ_BIT = 13,
-        IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
-
-        /* Secmark is set */
-        IPCT_SECMARK_BIT = 14,
-        IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
-};
-
-enum ip_conntrack_expect_events {
-        IPEXP_NEW_BIT = 0,
-        IPEXP_NEW = (1 << IPEXP_NEW_BIT),
-};
-
 #ifdef __KERNEL__
 struct ip_conntrack_stat
 {
diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
index b2f384d42611..4352feed2377 100644
--- a/include/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -15,7 +15,8 @@ enum tcp_conntrack {
         TCP_CONNTRACK_LAST_ACK,
         TCP_CONNTRACK_TIME_WAIT,
         TCP_CONNTRACK_CLOSE,
-        TCP_CONNTRACK_LISTEN,
+        TCP_CONNTRACK_LISTEN,   /* obsolete */
+#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN
         TCP_CONNTRACK_MAX,
         TCP_CONNTRACK_IGNORE
 };
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index c600083cbdf5..bff4d5741d98 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -46,7 +46,8 @@ struct nfgenmsg {
 #define NFNL_SUBSYS_CTNETLINK_EXP       2
 #define NFNL_SUBSYS_QUEUE               3
 #define NFNL_SUBSYS_ULOG                4
-#define NFNL_SUBSYS_COUNT               5
+#define NFNL_SUBSYS_OSF                 5
+#define NFNL_SUBSYS_COUNT               6
 
 #ifdef __KERNEL__
 
@@ -75,7 +76,7 @@ extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n);
 
 extern int nfnetlink_has_listeners(unsigned int group);
 extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, 
-                          int echo);
+                          int echo, gfp_t flags);
 extern void nfnetlink_set_err(u32 pid, u32 group, int error);
 extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags);
 
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index 1a865e48b8eb..ed4ef8d0b11b 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -101,6 +101,7 @@ enum ctattr_protoinfo_dccp {
         CTA_PROTOINFO_DCCP_UNSPEC,
         CTA_PROTOINFO_DCCP_STATE,
         CTA_PROTOINFO_DCCP_ROLE,
+        CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
         __CTA_PROTOINFO_DCCP_MAX,
 };
 #define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index c9efe039dc57..1030b7593898 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -184,9 +184,10 @@ struct xt_counters_info
  * @matchinfo:  per-match data
  * @fragoff:    packet is a fragment, this is the data offset
  * @thoff:      position of transport header relative to skb->data
- * @hotdrop:    drop packet if we had inspection problems
+ * @hook:       hook number given packet came from
  * @family:     Actual NFPROTO_* through which the function is invoked
  *              (helpful when match->family == NFPROTO_UNSPEC)
+ * @hotdrop:    drop packet if we had inspection problems
  */
 struct xt_match_param {
         const struct net_device *in, *out;
@@ -194,8 +195,9 @@ struct xt_match_param {
         const void *matchinfo;
         int fragoff;
         unsigned int thoff;
-        bool *hotdrop;
+        unsigned int hooknum;
         u_int8_t family;
+        bool *hotdrop;
 };
 
 /**
diff --git a/include/linux/netfilter/xt_NFQUEUE.h b/include/linux/netfilter/xt_NFQUEUE.h
index 982a89f78272..2584f4a777de 100644
--- a/include/linux/netfilter/xt_NFQUEUE.h
+++ b/include/linux/netfilter/xt_NFQUEUE.h
@@ -15,4 +15,9 @@ struct xt_NFQ_info {
         __u16 queuenum;
 };
 
+struct xt_NFQ_info_v1 {
+        __u16 queuenum;
+        __u16 queues_total;
+};
+
 #endif /* _XT_NFQ_TARGET_H */
diff --git a/include/linux/netfilter/xt_osf.h b/include/linux/netfilter/xt_osf.h
new file mode 100644
index 000000000000..fd2272e0959a
--- /dev/null
+++ b/include/linux/netfilter/xt_osf.h
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2003+ Evgeniy Polyakov <johnpol@2ka.mxt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _XT_OSF_H
+#define _XT_OSF_H
+
+#define MAXGENRELEN             32
+
+#define XT_OSF_GENRE            (1<<0)
+#define XT_OSF_TTL              (1<<1)
+#define XT_OSF_LOG              (1<<2)
+#define XT_OSF_INVERT           (1<<3)
+
+#define XT_OSF_LOGLEVEL_ALL     0       /* log all matched fingerprints */
+#define XT_OSF_LOGLEVEL_FIRST   1       /* log only the first matced fingerprint */
+#define XT_OSF_LOGLEVEL_ALL_KNOWN       2 /* do not log unknown packets */
+
+#define XT_OSF_TTL_TRUE         0       /* True ip and fingerprint TTL comparison */
+#define XT_OSF_TTL_LESS         1       /* Check if ip TTL is less than fingerprint one */
+#define XT_OSF_TTL_NOCHECK      2       /* Do not compare ip and fingerprint TTL at all */
+
+struct xt_osf_info {
+        char                    genre[MAXGENRELEN];
+        __u32                   len;
+        __u32                   flags;
+        __u32                   loglevel;
+        __u32                   ttl;
+};
+
+/*
+ * Wildcard MSS (kind of).
+ * It is used to implement a state machine for the different wildcard values
+ * of the MSS and window sizes.
+ */
+struct xt_osf_wc {
+        __u32                   wc;
+        __u32                   val;
+};
+
+/*
+ * This struct represents IANA options
+ * http://www.iana.org/assignments/tcp-parameters
+ */
+struct xt_osf_opt {
+        __u16                   kind, length;
+        struct xt_osf_wc        wc;
+};
+
+struct xt_osf_user_finger {
+        struct xt_osf_wc        wss;
+
+        __u8                    ttl, df;
+        __u16                   ss, mss;
+        __u16                   opt_num;
+
+        char                    genre[MAXGENRELEN];
+        char                    version[MAXGENRELEN];
+        char                    subtype[MAXGENRELEN];
+
+        /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
+        struct xt_osf_opt       opt[MAX_IPOPTLEN];
+};
+
+struct xt_osf_nlmsg {
+        struct xt_osf_user_finger       f;
+        struct iphdr            ip;
+        struct tcphdr           tcp;
+};
+
+/* Defines for IANA option kinds */
+
+enum iana_options {
+        OSFOPT_EOL = 0,         /* End of options */
+        OSFOPT_NOP,             /* NOP */
+        OSFOPT_MSS,             /* Maximum segment size */
+        OSFOPT_WSO,             /* Window scale option */
+        OSFOPT_SACKP,           /* SACK permitted */
+        OSFOPT_SACK,            /* SACK */
+        OSFOPT_ECHO,
+        OSFOPT_ECHOREPLY,
+        OSFOPT_TS,              /* Timestamp option */
+        OSFOPT_POCP,            /* Partial Order Connection Permitted */
+        OSFOPT_POSP,            /* Partial Order Service Profile */
+
+        /* Others are not used in the current OSF */
+        OSFOPT_EMPTY = 255,
+};
+
+/*
+ * Initial window size option state machine: multiple of mss, mtu or
+ * plain numeric value. Can also be made as plain numeric value which
+ * is not a multiple of specified value.
+ */
+enum xt_osf_window_size_options {
+        OSF_WSS_PLAIN   = 0,
+        OSF_WSS_MSS,
+        OSF_WSS_MTU,
+        OSF_WSS_MODULO,
+        OSF_WSS_MAX,
+};
+
+/*
+ * Add/remove fingerprint from the kernel.
+ */
+enum xt_osf_msg_types {
+        OSF_MSG_ADD,
+        OSF_MSG_REMOVE,
+        OSF_MSG_MAX,
+};
+
+enum xt_osf_attr_type {
+        OSF_ATTR_UNSPEC,
+        OSF_ATTR_FINGER,
+        OSF_ATTR_MAX,
+};
+
+#endif                          /* _XT_OSF_H */
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 000000000000..6f475b8ff34b
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,12 @@
+#ifndef _XT_SOCKET_H
+#define _XT_SOCKET_H
+
+enum {
+        XT_SOCKET_TRANSPARENT = 1 << 0,
+};
+
+struct xt_socket_mtinfo1 {
+        __u8 flags;
+};
+
+#endif /* _XT_SOCKET_H */