Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says: ==================== The following patchset contains Netfilter updates for your net-next tree, mostly ipset improvements and enhancements features, they are: * Don't call ip_nest_end needlessly in the error path from me, suggested by Pablo Neira Ayuso, from Jozsef Kadlecsik. * Fixed sparse warnings about shadowed variable and missing rcu annotation and fix of "may be used uninitialized" warnings, also from Jozsef. * Renamed simple macro names to avoid namespace issues, reported by David Laight, again from Jozsef. * Use fix sized type for timeout in the extension part, and cosmetic ordering of matches and targets separatedly in xt_set.c, from Jozsef. * Support package fragments for IPv4 protos without ports from Anders K. Pedersen. For example this allows a hash:ip,port ipset containing the entry 192.168.0.1,gre:0 to match all package fragments for PPTP VPN tunnels to/from the host. Without this patch only the first package fragment (with fragment offset 0) was matched. * Introduced a new operation to get both setname and family, from Jozsef. ip[6]tables set match and SET target need to know the family of the set in order to reject adding rules which refer to a set with a non-mathcing family. Currently such rules are silently accepted and then ignored instead of generating an error message to the user. * Reworked extensions support in ipset types from Jozsef. The approach of defining structures with all variations is not manageable as the number of extensions grows. Therefore a blob for the extensions is introduced, somewhat similar to conntrack. The support of extensions which need a per data destroy function is added as well. * When an element timed out in a list:set type of set, the garbage collector skipped the checking of the next element. So the purging was delayed to the next run of the gc, fixed by Jozsef. * A small Kconfig fix: NETFILTER_NETLINK cannot be selected and ipset requires it. * hash:net,net type from Oliver Smith. The type provides the ability to store pairs of subnets in a set. * Comment for ipset entries from Oliver Smith. This makes possible to annotate entries in a set with comments, for example: ipset n foo hash:net,net comment ipset a foo 10.0.0.0/21,192.168.1.0/24 comment "office nets A and B" * Fix of hash types resizing with comment extension from Jozsef. * Fix of new extensions for list:set type when an element is added into a slot from where another element was pushed away from Jozsef. * Introduction of a common function for the listing of the element extensions from Jozsef. * Net namespace support for ipset from Vitaly Lavrov. * hash:net,port,net type from Oliver Smith, which makes possible to store the triples of two subnets and a protocol, port pair in a set. * Get xt_TCPMSS working with net namespace, by Gao feng. * Use the proper net netnamespace to allocate skbs, also by Gao feng. * A couple of cleanups for the conntrack SIP helper, by Holger Eitzenberger. * Extend cttimeout to allow setting default conntrack timeouts via nfnetlink, so we can get rid of all our sysctl/proc interfaces in the future for timeout tuning, from me. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2013-10-04 13:26:38 -0400
committer: David S. Miller <davem@davemloft.net> 2013-10-04 13:26:38 -0400
commit: d639feaaf3f40cd90b75a2fec5b7d5c3f96c2c88 (patch)
tree: 1517467ea9853f0bd61923dd619c1c937b80673c /include
parent: 96f817fedec48b59c9e8b22141cec4e56ad47913 (diff)
parent: 91cb498e6a34b429a032f8cfbb57dde28cd20e0c (diff)
6 files changed, 259 insertions, 78 deletions
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index 9ac9fbde7b61..7967516adc0d 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -49,31 +49,68 @@ enum ip_set_feature {
 /* Set extensions */
 enum ip_set_extension {
-        IPSET_EXT_NONE = 0,
+        IPSET_EXT_BIT_TIMEOUT = 0,
-        IPSET_EXT_BIT_TIMEOUT = 1,
        IPSET_EXT_TIMEOUT = (1 << IPSET_EXT_BIT_TIMEOUT),
-        IPSET_EXT_BIT_COUNTER = 2,
+        IPSET_EXT_BIT_COUNTER = 1,
        IPSET_EXT_COUNTER = (1 << IPSET_EXT_BIT_COUNTER),
-};
+        IPSET_EXT_BIT_COMMENT = 2,
+        IPSET_EXT_COMMENT = (1 << IPSET_EXT_BIT_COMMENT),
-/* Extension offsets */
+        /* Mark set with an extension which needs to call destroy */
-enum ip_set_offset {
+        IPSET_EXT_BIT_DESTROY = 7,
-        IPSET_OFFSET_TIMEOUT = 0,
+        IPSET_EXT_DESTROY = (1 << IPSET_EXT_BIT_DESTROY),
-        IPSET_OFFSET_COUNTER,
-        IPSET_OFFSET_MAX,
 };
 #define SET_WITH_TIMEOUT(s)     ((s)->extensions & IPSET_EXT_TIMEOUT)
 #define SET_WITH_COUNTER(s)     ((s)->extensions & IPSET_EXT_COUNTER)
+#define SET_WITH_COMMENT(s)     ((s)->extensions & IPSET_EXT_COMMENT)
+/* Extension id, in size order */
+enum ip_set_ext_id {
+        IPSET_EXT_ID_COUNTER = 0,
+        IPSET_EXT_ID_TIMEOUT,
+        IPSET_EXT_ID_COMMENT,
+        IPSET_EXT_ID_MAX,
+};
+/* Extension type */
+struct ip_set_ext_type {
+        /* Destroy extension private data (can be NULL) */
+        void (*destroy)(void *ext);
+        enum ip_set_extension type;
+        enum ipset_cadt_flags flag;
+        /* Size and minimal alignment */
+        u8 len;
+        u8 align;
+};
+extern const struct ip_set_ext_type ip_set_extensions[];
 struct ip_set_ext {
-        unsigned long timeout;
        u64 packets;
        u64 bytes;
+        u32 timeout;
+        char *comment;
+};
+struct ip_set_counter {
+        atomic64_t bytes;
+        atomic64_t packets;
+};
+struct ip_set_comment {
+        char *str;
 };
 struct ip_set;
+#define ext_timeout(e, s)       \
+(unsigned long *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT])
+#define ext_counter(e, s)       \
+(struct ip_set_counter *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COUNTER])
+#define ext_comment(e, s)       \
+(struct ip_set_comment *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COMMENT])
 typedef int (*ipset_adtfn)(struct ip_set *set, void *value,
                           const struct ip_set_ext *ext,
                           struct ip_set_ext *mext, u32 cmdflags);
@@ -147,7 +184,8 @@ struct ip_set_type {
        u8 revision_min, revision_max;
        /* Create set */
-        int (*create)(struct ip_set *set, struct nlattr *tb[], u32 flags);
+        int (*create)(struct net *net, struct ip_set *set,
+                      struct nlattr *tb[], u32 flags);
        /* Attribute policies */
        const struct nla_policy create_policy[IPSET_ATTR_CREATE_MAX + 1];
@@ -179,14 +217,45 @@ struct ip_set {
        u8 revision;
        /* Extensions */
        u8 extensions;
+        /* Default timeout value, if enabled */
+        u32 timeout;
+        /* Element data size */
+        size_t dsize;
+        /* Offsets to extensions in elements */
+        size_t offset[IPSET_EXT_ID_MAX];
        /* The type specific data */
        void *data;
 };
-struct ip_set_counter {
+static inline void
-        atomic64_t bytes;
+ip_set_ext_destroy(struct ip_set *set, void *data)
-        atomic64_t packets;
+{
-};
+        /* Check that the extension is enabled for the set and
+         * call it's destroy function for its extension part in data.
+         */
+        if (SET_WITH_COMMENT(set))
+                ip_set_extensions[IPSET_EXT_ID_COMMENT].destroy(
+                        ext_comment(data, set));
+}
+static inline int
+ip_set_put_flags(struct sk_buff *skb, struct ip_set *set)
+{
+        u32 cadt_flags = 0;
+        if (SET_WITH_TIMEOUT(set))
+                if (unlikely(nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
+                                           htonl(set->timeout))))
+                        return -EMSGSIZE;
+        if (SET_WITH_COUNTER(set))
+                cadt_flags |= IPSET_FLAG_WITH_COUNTERS;
+        if (SET_WITH_COMMENT(set))
+                cadt_flags |= IPSET_FLAG_WITH_COMMENT;
+        if (!cadt_flags)
+                return 0;
+        return nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(cadt_flags));
+}
 static inline void
 ip_set_add_bytes(u64 bytes, struct ip_set_counter *counter)
@@ -248,12 +317,13 @@ ip_set_init_counter(struct ip_set_counter *counter,
 }
 /* register and unregister set references */
-extern ip_set_id_t ip_set_get_byname(const char *name, struct ip_set **set);
+extern ip_set_id_t ip_set_get_byname(struct net *net,
-extern void ip_set_put_byindex(ip_set_id_t index);
+                                     const char *name, struct ip_set **set);
-extern const char *ip_set_name_byindex(ip_set_id_t index);
+extern void ip_set_put_byindex(struct net *net, ip_set_id_t index);
-extern ip_set_id_t ip_set_nfnl_get(const char *name);
+extern const char *ip_set_name_byindex(struct net *net, ip_set_id_t index);
-extern ip_set_id_t ip_set_nfnl_get_byindex(ip_set_id_t index);
+extern ip_set_id_t ip_set_nfnl_get(struct net *net, const char *name);
-extern void ip_set_nfnl_put(ip_set_id_t index);
+extern ip_set_id_t ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index);
+extern void ip_set_nfnl_put(struct net *net, ip_set_id_t index);
 /* API for iptables set match, and SET target */
@@ -272,6 +342,8 @@ extern void *ip_set_alloc(size_t size);
 extern void ip_set_free(void *members);
 extern int ip_set_get_ipaddr4(struct nlattr *nla,  __be32 *ipaddr);
 extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr);
+extern size_t ip_set_elem_len(struct ip_set *set, struct nlattr *tb[],
+                              size_t len);
 extern int ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],
                                 struct ip_set_ext *ext);
@@ -389,13 +461,40 @@ bitmap_bytes(u32 a, u32 b)
 }
 #include <linux/netfilter/ipset/ip_set_timeout.h>
+#include <linux/netfilter/ipset/ip_set_comment.h>
-#define IP_SET_INIT_KEXT(skb, opt, map)                 \
+static inline int
+ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set,
+                      const void *e, bool active)
+{
+        if (SET_WITH_TIMEOUT(set)) {
+                unsigned long *timeout = ext_timeout(e, set);
+                if (nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
+                        htonl(active ? ip_set_timeout_get(timeout)
+                                : *timeout)))
+                        return -EMSGSIZE;
+        }
+        if (SET_WITH_COUNTER(set) &&
+            ip_set_put_counter(skb, ext_counter(e, set)))
+                return -EMSGSIZE;
+        if (SET_WITH_COMMENT(set) &&
+            ip_set_put_comment(skb, ext_comment(e, set)))
+                return -EMSGSIZE;
+        return 0;
+}
+#define IP_SET_INIT_KEXT(skb, opt, set)                 \
        { .bytes = (skb)->len, .packets = 1,            \
-          .timeout = ip_set_adt_opt_timeout(opt, map) }
+          .timeout = ip_set_adt_opt_timeout(opt, set) }
-#define IP_SET_INIT_UEXT(map)                           \
+#define IP_SET_INIT_UEXT(set)                           \
        { .bytes = ULLONG_MAX, .packets = ULLONG_MAX,   \
-          .timeout = (map)->timeout }
+          .timeout = (set)->timeout }
+#define IP_SET_INIT_CIDR(a, b) ((a) ? (a) : (b))
+#define IPSET_CONCAT(a, b)              a##b
+#define IPSET_TOKEN(a, b)               IPSET_CONCAT(a, b)
 #endif /*_IP_SET_H */
diff --git a/include/linux/netfilter/ipset/ip_set_comment.h b/include/linux/netfilter/ipset/ip_set_comment.h
new file mode 100644
index 000000000000..21217ea008d7
--- /dev/null
+++ b/include/linux/netfilter/ipset/ip_set_comment.h
@@ -0,0 +1,57 @@
+#ifndef _IP_SET_COMMENT_H
+#define _IP_SET_COMMENT_H
+/* Copyright (C) 2013 Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifdef __KERNEL__
+static inline char*
+ip_set_comment_uget(struct nlattr *tb)
+{
+        return nla_data(tb);
+}
+static inline void
+ip_set_init_comment(struct ip_set_comment *comment,
+                    const struct ip_set_ext *ext)
+{
+        size_t len = ext->comment ? strlen(ext->comment) : 0;
+        if (unlikely(comment->str)) {
+                kfree(comment->str);
+                comment->str = NULL;
+        }
+        if (!len)
+                return;
+        if (unlikely(len > IPSET_MAX_COMMENT_SIZE))
+                len = IPSET_MAX_COMMENT_SIZE;
+        comment->str = kzalloc(len + 1, GFP_ATOMIC);
+        if (unlikely(!comment->str))
+                return;
+        strlcpy(comment->str, ext->comment, len + 1);
+}
+static inline int
+ip_set_put_comment(struct sk_buff *skb, struct ip_set_comment *comment)
+{
+        if (!comment->str)
+                return 0;
+        return nla_put_string(skb, IPSET_ATTR_COMMENT, comment->str);
+}
+static inline void
+ip_set_comment_free(struct ip_set_comment *comment)
+{
+        if (unlikely(!comment->str))
+                return;
+        kfree(comment->str);
+        comment->str = NULL;
+}
+#endif
+#endif
diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h b/include/linux/netfilter/ipset/ip_set_timeout.h
index 3aac04167ca7..83c2f9e0886c 100644
--- a/include/linux/netfilter/ipset/ip_set_timeout.h
+++ b/include/linux/netfilter/ipset/ip_set_timeout.h
@@ -23,8 +23,8 @@
 /* Set is defined with timeout support: timeout value may be 0 */
 #define IPSET_NO_TIMEOUT        UINT_MAX
-#define ip_set_adt_opt_timeout(opt, map)        \
+#define ip_set_adt_opt_timeout(opt, set)        \
-((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (map)->timeout)
+((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout)
 static inline unsigned int
 ip_set_timeout_uget(struct nlattr *tb)
diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 5cac0207b95d..d5af3c27fb7d 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -107,55 +107,64 @@ enum sdp_header_types {
        SDP_HDR_MEDIA,
 };
-extern unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
+struct nf_nat_sip_hooks {
-                                       unsigned int protoff,
+        unsigned int (*msg)(struct sk_buff *skb,
-                                       unsigned int dataoff,
+                            unsigned int protoff,
-                                       const char **dptr,
+                            unsigned int dataoff,
-                                       unsigned int *datalen);
+                            const char **dptr,
-extern void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb,
+                            unsigned int *datalen);
-                                          unsigned int protoff, s16 off);
-extern unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
+        void (*seq_adjust)(struct sk_buff *skb,
-                                              unsigned int protoff,
+                           unsigned int protoff, s16 off);
-                                              unsigned int dataoff,
-                                              const char **dptr,
+        unsigned int (*expect)(struct sk_buff *skb,
-                                              unsigned int *datalen,
+                               unsigned int protoff,
-                                              struct nf_conntrack_expect *exp,
+                               unsigned int dataoff,
-                                              unsigned int matchoff,
+                               const char **dptr,
-                                              unsigned int matchlen);
+                               unsigned int *datalen,
-extern unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb,
+                               struct nf_conntrack_expect *exp,
-                                            unsigned int protoff,
+                               unsigned int matchoff,
-                                            unsigned int dataoff,
+                               unsigned int matchlen);
-                                            const char **dptr,
-                                            unsigned int *datalen,
+        unsigned int (*sdp_addr)(struct sk_buff *skb,
-                                            unsigned int sdpoff,
+                                 unsigned int protoff,
-                                            enum sdp_header_types type,
+                                 unsigned int dataoff,
-                                            enum sdp_header_types term,
+                                 const char **dptr,
-                                            const union nf_inet_addr *addr);
+                                 unsigned int *datalen,
-extern unsigned int (*nf_nat_sdp_port_hook)(struct sk_buff *skb,
+                                 unsigned int sdpoff,
-                                            unsigned int protoff,
+                                 enum sdp_header_types type,
-                                            unsigned int dataoff,
+                                 enum sdp_header_types term,
-                                            const char **dptr,
+                                 const union nf_inet_addr *addr);
-                                            unsigned int *datalen,
-                                            unsigned int matchoff,
+        unsigned int (*sdp_port)(struct sk_buff *skb,
-                                            unsigned int matchlen,
+                                 unsigned int protoff,
-                                            u_int16_t port);
+                                 unsigned int dataoff,
-extern unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb,
+                                 const char **dptr,
-                                               unsigned int protoff,
+                                 unsigned int *datalen,
-                                               unsigned int dataoff,
+                                 unsigned int matchoff,
-                                               const char **dptr,
+                                 unsigned int matchlen,
-                                               unsigned int *datalen,
+                                 u_int16_t port);
-                                               unsigned int sdpoff,
-                                               const union nf_inet_addr *addr);
+        unsigned int (*sdp_session)(struct sk_buff *skb,
-extern unsigned int (*nf_nat_sdp_media_hook)(struct sk_buff *skb,
+                                    unsigned int protoff,
-                                             unsigned int protoff,
+                                    unsigned int dataoff,
-                                             unsigned int dataoff,
+                                    const char **dptr,
-                                             const char **dptr,
+                                    unsigned int *datalen,
-                                             unsigned int *datalen,
+                                    unsigned int sdpoff,
-                                             struct nf_conntrack_expect *rtp_exp,
+                                    const union nf_inet_addr *addr);
-                                             struct nf_conntrack_expect *rtcp_exp,
-                                             unsigned int mediaoff,
+        unsigned int (*sdp_media)(struct sk_buff *skb,
-                                             unsigned int medialen,
+                                  unsigned int protoff,
-                                             union nf_inet_addr *rtp_addr);
+                                  unsigned int dataoff,
+                                  const char **dptr,
+                                  unsigned int *datalen,
+                                  struct nf_conntrack_expect *rtp_exp,
+                                  struct nf_conntrack_expect *rtcp_exp,
+                                  unsigned int mediaoff,
+                                  unsigned int medialen,
+                                  union nf_inet_addr *rtp_addr);
+};
+extern const struct nf_nat_sip_hooks *nf_nat_sip_hooks;
 int ct_sip_parse_request(const struct nf_conn *ct, const char *dptr,
                         unsigned int datalen, unsigned int *matchoff,
diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h
index 8024cdf13b70..25d3b2f79c02 100644
--- a/include/uapi/linux/netfilter/ipset/ip_set.h
+++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -10,12 +10,14 @@
 #ifndef _UAPI_IP_SET_H
 #define _UAPI_IP_SET_H
 #include <linux/types.h>
 /* The protocol version */
 #define IPSET_PROTOCOL          6
+/* The maximum permissible comment length we will accept over netlink */
+#define IPSET_MAX_COMMENT_SIZE  255
 /* The max length of strings including NUL: set and type identifiers */
 #define IPSET_MAXNAMELEN        32
@@ -110,6 +112,7 @@ enum {
        IPSET_ATTR_IFACE,
        IPSET_ATTR_BYTES,
        IPSET_ATTR_PACKETS,
+        IPSET_ATTR_COMMENT,
        __IPSET_ATTR_ADT_MAX,
 };
 #define IPSET_ATTR_ADT_MAX      (__IPSET_ATTR_ADT_MAX - 1)
@@ -140,6 +143,7 @@ enum ipset_errno {
        IPSET_ERR_IPADDR_IPV4,
        IPSET_ERR_IPADDR_IPV6,
        IPSET_ERR_COUNTER,
+        IPSET_ERR_COMMENT,
        /* Type specific error codes */
        IPSET_ERR_TYPE_SPECIFIC = 4352,
@@ -176,6 +180,8 @@ enum ipset_cadt_flags {
        IPSET_FLAG_NOMATCH      = (1 << IPSET_FLAG_BIT_NOMATCH),
        IPSET_FLAG_BIT_WITH_COUNTERS = 3,
        IPSET_FLAG_WITH_COUNTERS = (1 << IPSET_FLAG_BIT_WITH_COUNTERS),
+        IPSET_FLAG_BIT_WITH_COMMENT = 4,
+        IPSET_FLAG_WITH_COMMENT = (1 << IPSET_FLAG_BIT_WITH_COMMENT),
        IPSET_FLAG_CADT_MAX     = 15,
 };
@@ -250,6 +256,14 @@ struct ip_set_req_get_set {
 #define IP_SET_OP_GET_BYINDEX   0x00000007      /* Get set name by index */
 /* Uses ip_set_req_get_set */
+#define IP_SET_OP_GET_FNAME     0x00000008      /* Get set index and family */
+struct ip_set_req_get_set_family {
+        unsigned int op;
+        unsigned int version;
+        unsigned int family;
+        union ip_set_name_index set;
+};
 #define IP_SET_OP_VERSION       0x00000100      /* Ask kernel version */
 struct ip_set_req_version {
        unsigned int op;
diff --git a/include/uapi/linux/netfilter/nfnetlink_cttimeout.h b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
index a2810a7c5e30..1ab0b97b3a1e 100644
--- a/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
+++ b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
@@ -6,6 +6,8 @@ enum ctnl_timeout_msg_types {
        IPCTNL_MSG_TIMEOUT_NEW,
        IPCTNL_MSG_TIMEOUT_GET,
        IPCTNL_MSG_TIMEOUT_DELETE,
+        IPCTNL_MSG_TIMEOUT_DEFAULT_SET,
+        IPCTNL_MSG_TIMEOUT_DEFAULT_GET,
        IPCTNL_MSG_TIMEOUT_MAX
 };
author	David S. Miller <davem@davemloft.net>	2013-10-04 13:26:38 -0400
committer	David S. Miller <davem@davemloft.net>	2013-10-04 13:26:38 -0400
commit	d639feaaf3f40cd90b75a2fec5b7d5c3f96c2c88 (patch)
tree	1517467ea9853f0bd61923dd619c1c937b80673c /include
parent	96f817fedec48b59c9e8b22141cec4e56ad47913 (diff)
parent	91cb498e6a34b429a032f8cfbb57dde28cd20e0c (diff)

diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index 9ac9fbde7b61..7967516adc0d 100644 --- a/include/linux/netfilter/ipset/ip_set.h +++ b/include/linux/netfilter/ipset/ip_set.h
@@ -49,31 +49,68 @@ enum ip_set_feature {
49		49
50	/* Set extensions */	50	/* Set extensions */
51	enum ip_set_extension {	51	enum ip_set_extension {
52	IPSET_EXT_NONE = 0,	52	IPSET_EXT_BIT_TIMEOUT = 0,
53	IPSET_EXT_BIT_TIMEOUT = 1,
54	IPSET_EXT_TIMEOUT = (1 << IPSET_EXT_BIT_TIMEOUT),	53	IPSET_EXT_TIMEOUT = (1 << IPSET_EXT_BIT_TIMEOUT),
55	IPSET_EXT_BIT_COUNTER = 2,	54	IPSET_EXT_BIT_COUNTER = 1,
56	IPSET_EXT_COUNTER = (1 << IPSET_EXT_BIT_COUNTER),	55	IPSET_EXT_COUNTER = (1 << IPSET_EXT_BIT_COUNTER),
57	};	56	IPSET_EXT_BIT_COMMENT = 2,
58		57	IPSET_EXT_COMMENT = (1 << IPSET_EXT_BIT_COMMENT),
59	/* Extension offsets */	58	/* Mark set with an extension which needs to call destroy */
60	enum ip_set_offset {	59	IPSET_EXT_BIT_DESTROY = 7,
61	IPSET_OFFSET_TIMEOUT = 0,	60	IPSET_EXT_DESTROY = (1 << IPSET_EXT_BIT_DESTROY),
62	IPSET_OFFSET_COUNTER,
63	IPSET_OFFSET_MAX,
64	};	61	};
65		62
66	#define SET_WITH_TIMEOUT(s) ((s)->extensions & IPSET_EXT_TIMEOUT)	63	#define SET_WITH_TIMEOUT(s) ((s)->extensions & IPSET_EXT_TIMEOUT)
67	#define SET_WITH_COUNTER(s) ((s)->extensions & IPSET_EXT_COUNTER)	64	#define SET_WITH_COUNTER(s) ((s)->extensions & IPSET_EXT_COUNTER)
		65	#define SET_WITH_COMMENT(s) ((s)->extensions & IPSET_EXT_COMMENT)
		66
		67	/* Extension id, in size order */
		68	enum ip_set_ext_id {
		69	IPSET_EXT_ID_COUNTER = 0,
		70	IPSET_EXT_ID_TIMEOUT,
		71	IPSET_EXT_ID_COMMENT,
		72	IPSET_EXT_ID_MAX,
		73	};
		74
		75	/* Extension type */
		76	struct ip_set_ext_type {
		77	/* Destroy extension private data (can be NULL) */
		78	void (destroy)(void ext);
		79	enum ip_set_extension type;
		80	enum ipset_cadt_flags flag;
		81	/* Size and minimal alignment */
		82	u8 len;
		83	u8 align;
		84	};
		85
		86	extern const struct ip_set_ext_type ip_set_extensions[];
68		87
69	struct ip_set_ext {	88	struct ip_set_ext {
70	unsigned long timeout;
71	u64 packets;	89	u64 packets;
72	u64 bytes;	90	u64 bytes;
		91	u32 timeout;
		92	char *comment;
		93	};
		94
		95	struct ip_set_counter {
		96	atomic64_t bytes;
		97	atomic64_t packets;
		98	};
		99
		100	struct ip_set_comment {
		101	char *str;
73	};	102	};
74		103
75	struct ip_set;	104	struct ip_set;
76		105
		106	#define ext_timeout(e, s) \
		107	(unsigned long )(((void )(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT])
		108	#define ext_counter(e, s) \
		109	(struct ip_set_counter )(((void )(e)) + (s)->offset[IPSET_EXT_ID_COUNTER])
		110	#define ext_comment(e, s) \
		111	(struct ip_set_comment )(((void )(e)) + (s)->offset[IPSET_EXT_ID_COMMENT])
		112
		113
77	typedef int (ipset_adtfn)(struct ip_set set, void *value,	114	typedef int (ipset_adtfn)(struct ip_set set, void *value,
78	const struct ip_set_ext *ext,	115	const struct ip_set_ext *ext,
79	struct ip_set_ext *mext, u32 cmdflags);	116	struct ip_set_ext *mext, u32 cmdflags);
@@ -147,7 +184,8 @@ struct ip_set_type {
147	u8 revision_min, revision_max;	184	u8 revision_min, revision_max;
148		185
149	/* Create set */	186	/* Create set */
150	int (create)(struct ip_set set, struct nlattr *tb[], u32 flags);	187	int (create)(struct net net, struct ip_set *set,
		188	struct nlattr *tb[], u32 flags);
151		189
152	/* Attribute policies */	190	/* Attribute policies */
153	const struct nla_policy create_policy[IPSET_ATTR_CREATE_MAX + 1];	191	const struct nla_policy create_policy[IPSET_ATTR_CREATE_MAX + 1];
@@ -179,14 +217,45 @@ struct ip_set {
179	u8 revision;	217	u8 revision;
180	/* Extensions */	218	/* Extensions */
181	u8 extensions;	219	u8 extensions;
		220	/* Default timeout value, if enabled */
		221	u32 timeout;
		222	/* Element data size */
		223	size_t dsize;
		224	/* Offsets to extensions in elements */
		225	size_t offset[IPSET_EXT_ID_MAX];
182	/* The type specific data */	226	/* The type specific data */
183	void *data;	227	void *data;
184	};	228	};
185		229
186	struct ip_set_counter {	230	static inline void
187	atomic64_t bytes;	231	ip_set_ext_destroy(struct ip_set set, void data)
188	atomic64_t packets;	232	{
189	};	233	/* Check that the extension is enabled for the set and
		234	* call it's destroy function for its extension part in data.
		235	*/
		236	if (SET_WITH_COMMENT(set))
		237	ip_set_extensions[IPSET_EXT_ID_COMMENT].destroy(
		238	ext_comment(data, set));
		239	}
		240
		241	static inline int
		242	ip_set_put_flags(struct sk_buff skb, struct ip_set set)
		243	{
		244	u32 cadt_flags = 0;
		245
		246	if (SET_WITH_TIMEOUT(set))
		247	if (unlikely(nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
		248	htonl(set->timeout))))
		249	return -EMSGSIZE;
		250	if (SET_WITH_COUNTER(set))
		251	cadt_flags \|= IPSET_FLAG_WITH_COUNTERS;
		252	if (SET_WITH_COMMENT(set))
		253	cadt_flags \|= IPSET_FLAG_WITH_COMMENT;
		254
		255	if (!cadt_flags)
		256	return 0;
		257	return nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(cadt_flags));
		258	}
190		259
191	static inline void	260	static inline void
192	ip_set_add_bytes(u64 bytes, struct ip_set_counter *counter)	261	ip_set_add_bytes(u64 bytes, struct ip_set_counter *counter)
@@ -248,12 +317,13 @@ ip_set_init_counter(struct ip_set_counter *counter,
248	}	317	}
249		318
250	/* register and unregister set references */	319	/* register and unregister set references */
251	extern ip_set_id_t ip_set_get_byname(const char name, struct ip_set *set);	320	extern ip_set_id_t ip_set_get_byname(struct net *net,
252	extern void ip_set_put_byindex(ip_set_id_t index);	321	const char name, struct ip_set *set);
253	extern const char *ip_set_name_byindex(ip_set_id_t index);	322	extern void ip_set_put_byindex(struct net *net, ip_set_id_t index);
254	extern ip_set_id_t ip_set_nfnl_get(const char *name);	323	extern const char ip_set_name_byindex(struct net net, ip_set_id_t index);
255	extern ip_set_id_t ip_set_nfnl_get_byindex(ip_set_id_t index);	324	extern ip_set_id_t ip_set_nfnl_get(struct net net, const char name);
256	extern void ip_set_nfnl_put(ip_set_id_t index);	325	extern ip_set_id_t ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index);
		326	extern void ip_set_nfnl_put(struct net *net, ip_set_id_t index);
257		327
258	/* API for iptables set match, and SET target */	328	/* API for iptables set match, and SET target */
259		329
@@ -272,6 +342,8 @@ extern void *ip_set_alloc(size_t size);
272	extern void ip_set_free(void *members);	342	extern void ip_set_free(void *members);
273	extern int ip_set_get_ipaddr4(struct nlattr nla, __be32 ipaddr);	343	extern int ip_set_get_ipaddr4(struct nlattr nla, __be32 ipaddr);
274	extern int ip_set_get_ipaddr6(struct nlattr nla, union nf_inet_addr ipaddr);	344	extern int ip_set_get_ipaddr6(struct nlattr nla, union nf_inet_addr ipaddr);
		345	extern size_t ip_set_elem_len(struct ip_set set, struct nlattr tb[],
		346	size_t len);
275	extern int ip_set_get_extensions(struct ip_set set, struct nlattr tb[],	347	extern int ip_set_get_extensions(struct ip_set set, struct nlattr tb[],
276	struct ip_set_ext *ext);	348	struct ip_set_ext *ext);
277		349
@@ -389,13 +461,40 @@ bitmap_bytes(u32 a, u32 b)
389	}	461	}
390		462
391	#include <linux/netfilter/ipset/ip_set_timeout.h>	463	#include <linux/netfilter/ipset/ip_set_timeout.h>
		464	#include <linux/netfilter/ipset/ip_set_comment.h>
392		465
393	#define IP_SET_INIT_KEXT(skb, opt, map) \	466	static inline int
		467	ip_set_put_extensions(struct sk_buff skb, const struct ip_set set,
		468	const void *e, bool active)
		469	{
		470	if (SET_WITH_TIMEOUT(set)) {
		471	unsigned long *timeout = ext_timeout(e, set);
		472
		473	if (nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
		474	htonl(active ? ip_set_timeout_get(timeout)
		475	: *timeout)))
		476	return -EMSGSIZE;
		477	}
		478	if (SET_WITH_COUNTER(set) &&
		479	ip_set_put_counter(skb, ext_counter(e, set)))
		480	return -EMSGSIZE;
		481	if (SET_WITH_COMMENT(set) &&
		482	ip_set_put_comment(skb, ext_comment(e, set)))
		483	return -EMSGSIZE;
		484	return 0;
		485	}
		486
		487	#define IP_SET_INIT_KEXT(skb, opt, set) \
394	{ .bytes = (skb)->len, .packets = 1, \	488	{ .bytes = (skb)->len, .packets = 1, \
395	.timeout = ip_set_adt_opt_timeout(opt, map) }	489	.timeout = ip_set_adt_opt_timeout(opt, set) }
396		490
397	#define IP_SET_INIT_UEXT(map) \	491	#define IP_SET_INIT_UEXT(set) \
398	{ .bytes = ULLONG_MAX, .packets = ULLONG_MAX, \	492	{ .bytes = ULLONG_MAX, .packets = ULLONG_MAX, \
399	.timeout = (map)->timeout }	493	.timeout = (set)->timeout }
		494
		495	#define IP_SET_INIT_CIDR(a, b) ((a) ? (a) : (b))
		496
		497	#define IPSET_CONCAT(a, b) a##b
		498	#define IPSET_TOKEN(a, b) IPSET_CONCAT(a, b)
400		499
401	#endif /_IP_SET_H /	500	#endif /_IP_SET_H /


diff --git a/include/linux/netfilter/ipset/ip_set_comment.h b/include/linux/netfilter/ipset/ip_set_comment.h new file mode 100644 index 000000000000..21217ea008d7 --- /dev/null +++ b/include/linux/netfilter/ipset/ip_set_comment.h
@@ -0,0 +1,57 @@
		1	#ifndef _IP_SET_COMMENT_H
		2	#define _IP_SET_COMMENT_H
		3
		4	/* Copyright (C) 2013 Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License version 2 as
		8	* published by the Free Software Foundation.
		9	*/
		10
		11	#ifdef __KERNEL__
		12
		13	static inline char*
		14	ip_set_comment_uget(struct nlattr *tb)
		15	{
		16	return nla_data(tb);
		17	}
		18
		19	static inline void
		20	ip_set_init_comment(struct ip_set_comment *comment,
		21	const struct ip_set_ext *ext)
		22	{
		23	size_t len = ext->comment ? strlen(ext->comment) : 0;
		24
		25	if (unlikely(comment->str)) {
		26	kfree(comment->str);
		27	comment->str = NULL;
		28	}
		29	if (!len)
		30	return;
		31	if (unlikely(len > IPSET_MAX_COMMENT_SIZE))
		32	len = IPSET_MAX_COMMENT_SIZE;
		33	comment->str = kzalloc(len + 1, GFP_ATOMIC);
		34	if (unlikely(!comment->str))
		35	return;
		36	strlcpy(comment->str, ext->comment, len + 1);
		37	}
		38
		39	static inline int
		40	ip_set_put_comment(struct sk_buff skb, struct ip_set_comment comment)
		41	{
		42	if (!comment->str)
		43	return 0;
		44	return nla_put_string(skb, IPSET_ATTR_COMMENT, comment->str);
		45	}
		46
		47	static inline void
		48	ip_set_comment_free(struct ip_set_comment *comment)
		49	{
		50	if (unlikely(!comment->str))
		51	return;
		52	kfree(comment->str);
		53	comment->str = NULL;
		54	}
		55
		56	#endif
		57	#endif


diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h b/include/linux/netfilter/ipset/ip_set_timeout.h index 3aac04167ca7..83c2f9e0886c 100644 --- a/include/linux/netfilter/ipset/ip_set_timeout.h +++ b/include/linux/netfilter/ipset/ip_set_timeout.h
@@ -23,8 +23,8 @@
23	/* Set is defined with timeout support: timeout value may be 0 */	23	/* Set is defined with timeout support: timeout value may be 0 */
24	#define IPSET_NO_TIMEOUT UINT_MAX	24	#define IPSET_NO_TIMEOUT UINT_MAX
25		25
26	#define ip_set_adt_opt_timeout(opt, map) \	26	#define ip_set_adt_opt_timeout(opt, set) \
27	((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (map)->timeout)	27	((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout)
28		28
29	static inline unsigned int	29	static inline unsigned int
30	ip_set_timeout_uget(struct nlattr *tb)	30	ip_set_timeout_uget(struct nlattr *tb)


diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h index 5cac0207b95d..d5af3c27fb7d 100644 --- a/include/linux/netfilter/nf_conntrack_sip.h +++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -107,55 +107,64 @@ enum sdp_header_types {
107	SDP_HDR_MEDIA,	107	SDP_HDR_MEDIA,
108	};	108	};
109		109
110	extern unsigned int (nf_nat_sip_hook)(struct sk_buff skb,	110	struct nf_nat_sip_hooks {
111	unsigned int protoff,	111	unsigned int (msg)(struct sk_buff skb,
112	unsigned int dataoff,	112	unsigned int protoff,
113	const char **dptr,	113	unsigned int dataoff,
114	unsigned int *datalen);	114	const char **dptr,
115	extern void (nf_nat_sip_seq_adjust_hook)(struct sk_buff skb,	115	unsigned int *datalen);
116	unsigned int protoff, s16 off);	116
117	extern unsigned int (nf_nat_sip_expect_hook)(struct sk_buff skb,	117	void (seq_adjust)(struct sk_buff skb,
118	unsigned int protoff,	118	unsigned int protoff, s16 off);
119	unsigned int dataoff,	119
120	const char **dptr,	120	unsigned int (expect)(struct sk_buff skb,
121	unsigned int *datalen,	121	unsigned int protoff,
122	struct nf_conntrack_expect *exp,	122	unsigned int dataoff,
123	unsigned int matchoff,	123	const char **dptr,
124	unsigned int matchlen);	124	unsigned int *datalen,
125	extern unsigned int (nf_nat_sdp_addr_hook)(struct sk_buff skb,	125	struct nf_conntrack_expect *exp,
126	unsigned int protoff,	126	unsigned int matchoff,
127	unsigned int dataoff,	127	unsigned int matchlen);
128	const char **dptr,	128
129	unsigned int *datalen,	129	unsigned int (sdp_addr)(struct sk_buff skb,
130	unsigned int sdpoff,	130	unsigned int protoff,
131	enum sdp_header_types type,	131	unsigned int dataoff,
132	enum sdp_header_types term,	132	const char **dptr,
133	const union nf_inet_addr *addr);	133	unsigned int *datalen,
134	extern unsigned int (nf_nat_sdp_port_hook)(struct sk_buff skb,	134	unsigned int sdpoff,
135	unsigned int protoff,	135	enum sdp_header_types type,
136	unsigned int dataoff,	136	enum sdp_header_types term,
137	const char **dptr,	137	const union nf_inet_addr *addr);
138	unsigned int *datalen,	138
139	unsigned int matchoff,	139	unsigned int (sdp_port)(struct sk_buff skb,
140	unsigned int matchlen,	140	unsigned int protoff,
141	u_int16_t port);	141	unsigned int dataoff,
142	extern unsigned int (nf_nat_sdp_session_hook)(struct sk_buff skb,	142	const char **dptr,
143	unsigned int protoff,	143	unsigned int *datalen,
144	unsigned int dataoff,	144	unsigned int matchoff,
145	const char **dptr,	145	unsigned int matchlen,
146	unsigned int *datalen,	146	u_int16_t port);
147	unsigned int sdpoff,	147
148	const union nf_inet_addr *addr);	148	unsigned int (sdp_session)(struct sk_buff skb,
149	extern unsigned int (nf_nat_sdp_media_hook)(struct sk_buff skb,	149	unsigned int protoff,
150	unsigned int protoff,	150	unsigned int dataoff,
151	unsigned int dataoff,	151	const char **dptr,
152	const char **dptr,	152	unsigned int *datalen,
153	unsigned int *datalen,	153	unsigned int sdpoff,
154	struct nf_conntrack_expect *rtp_exp,	154	const union nf_inet_addr *addr);
155	struct nf_conntrack_expect *rtcp_exp,	155
156	unsigned int mediaoff,	156	unsigned int (sdp_media)(struct sk_buff skb,
157	unsigned int medialen,	157	unsigned int protoff,
158	union nf_inet_addr *rtp_addr);	158	unsigned int dataoff,
		159	const char **dptr,
		160	unsigned int *datalen,
		161	struct nf_conntrack_expect *rtp_exp,
		162	struct nf_conntrack_expect *rtcp_exp,
		163	unsigned int mediaoff,
		164	unsigned int medialen,
		165	union nf_inet_addr *rtp_addr);
		166	};
		167	extern const struct nf_nat_sip_hooks *nf_nat_sip_hooks;
159		168
160	int ct_sip_parse_request(const struct nf_conn ct, const char dptr,	169	int ct_sip_parse_request(const struct nf_conn ct, const char dptr,
161	unsigned int datalen, unsigned int *matchoff,	170	unsigned int datalen, unsigned int *matchoff,


diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h index 8024cdf13b70..25d3b2f79c02 100644 --- a/include/uapi/linux/netfilter/ipset/ip_set.h +++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -10,12 +10,14 @@
10	#ifndef _UAPI_IP_SET_H	10	#ifndef _UAPI_IP_SET_H
11	#define _UAPI_IP_SET_H	11	#define _UAPI_IP_SET_H
12		12
13
14	#include <linux/types.h>	13	#include <linux/types.h>
15		14
16	/* The protocol version */	15	/* The protocol version */
17	#define IPSET_PROTOCOL 6	16	#define IPSET_PROTOCOL 6
18		17
		18	/* The maximum permissible comment length we will accept over netlink */
		19	#define IPSET_MAX_COMMENT_SIZE 255
		20
19	/* The max length of strings including NUL: set and type identifiers */	21	/* The max length of strings including NUL: set and type identifiers */
20	#define IPSET_MAXNAMELEN 32	22	#define IPSET_MAXNAMELEN 32
21		23
@@ -110,6 +112,7 @@ enum {
110	IPSET_ATTR_IFACE,	112	IPSET_ATTR_IFACE,
111	IPSET_ATTR_BYTES,	113	IPSET_ATTR_BYTES,
112	IPSET_ATTR_PACKETS,	114	IPSET_ATTR_PACKETS,
		115	IPSET_ATTR_COMMENT,
113	__IPSET_ATTR_ADT_MAX,	116	__IPSET_ATTR_ADT_MAX,
114	};	117	};
115	#define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1)	118	#define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1)
@@ -140,6 +143,7 @@ enum ipset_errno {
140	IPSET_ERR_IPADDR_IPV4,	143	IPSET_ERR_IPADDR_IPV4,
141	IPSET_ERR_IPADDR_IPV6,	144	IPSET_ERR_IPADDR_IPV6,
142	IPSET_ERR_COUNTER,	145	IPSET_ERR_COUNTER,
		146	IPSET_ERR_COMMENT,
143		147
144	/* Type specific error codes */	148	/* Type specific error codes */
145	IPSET_ERR_TYPE_SPECIFIC = 4352,	149	IPSET_ERR_TYPE_SPECIFIC = 4352,
@@ -176,6 +180,8 @@ enum ipset_cadt_flags {
176	IPSET_FLAG_NOMATCH = (1 << IPSET_FLAG_BIT_NOMATCH),	180	IPSET_FLAG_NOMATCH = (1 << IPSET_FLAG_BIT_NOMATCH),
177	IPSET_FLAG_BIT_WITH_COUNTERS = 3,	181	IPSET_FLAG_BIT_WITH_COUNTERS = 3,
178	IPSET_FLAG_WITH_COUNTERS = (1 << IPSET_FLAG_BIT_WITH_COUNTERS),	182	IPSET_FLAG_WITH_COUNTERS = (1 << IPSET_FLAG_BIT_WITH_COUNTERS),
		183	IPSET_FLAG_BIT_WITH_COMMENT = 4,
		184	IPSET_FLAG_WITH_COMMENT = (1 << IPSET_FLAG_BIT_WITH_COMMENT),
179	IPSET_FLAG_CADT_MAX = 15,	185	IPSET_FLAG_CADT_MAX = 15,
180	};	186	};
181		187
@@ -250,6 +256,14 @@ struct ip_set_req_get_set {
250	#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */	256	#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
251	/* Uses ip_set_req_get_set */	257	/* Uses ip_set_req_get_set */
252		258
		259	#define IP_SET_OP_GET_FNAME 0x00000008 /* Get set index and family */
		260	struct ip_set_req_get_set_family {
		261	unsigned int op;
		262	unsigned int version;
		263	unsigned int family;
		264	union ip_set_name_index set;
		265	};
		266
253	#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */	267	#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
254	struct ip_set_req_version {	268	struct ip_set_req_version {
255	unsigned int op;	269	unsigned int op;


diff --git a/include/uapi/linux/netfilter/nfnetlink_cttimeout.h b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h index a2810a7c5e30..1ab0b97b3a1e 100644 --- a/include/uapi/linux/netfilter/nfnetlink_cttimeout.h +++ b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
@@ -6,6 +6,8 @@ enum ctnl_timeout_msg_types {
6	IPCTNL_MSG_TIMEOUT_NEW,	6	IPCTNL_MSG_TIMEOUT_NEW,
7	IPCTNL_MSG_TIMEOUT_GET,	7	IPCTNL_MSG_TIMEOUT_GET,
8	IPCTNL_MSG_TIMEOUT_DELETE,	8	IPCTNL_MSG_TIMEOUT_DELETE,
		9	IPCTNL_MSG_TIMEOUT_DEFAULT_SET,
		10	IPCTNL_MSG_TIMEOUT_DEFAULT_GET,
9		11
10	IPCTNL_MSG_TIMEOUT_MAX	12	IPCTNL_MSG_TIMEOUT_MAX
11	};	13	};