aboutsummaryrefslogtreecommitdiffstats
path: root/include/uapi
diff options
context:
space:
mode:
Diffstat (limited to 'include/uapi')
-rw-r--r--include/uapi/linux/caif/Kbuild2
-rw-r--r--include/uapi/linux/caif/caif_socket.h194
-rw-r--r--include/uapi/linux/caif/if_caif.h34
-rw-r--r--include/uapi/linux/isdn/Kbuild1
-rw-r--r--include/uapi/linux/isdn/capicmd.h115
-rw-r--r--include/uapi/linux/netfilter/Kbuild76
-rw-r--r--include/uapi/linux/netfilter/ipset/Kbuild4
-rw-r--r--include/uapi/linux/netfilter/ipset/ip_set.h231
-rw-r--r--include/uapi/linux/netfilter/ipset/ip_set_bitmap.h13
-rw-r--r--include/uapi/linux/netfilter/ipset/ip_set_hash.h21
-rw-r--r--include/uapi/linux/netfilter/ipset/ip_set_list.h21
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_common.h117
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_ftp.h18
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_sctp.h25
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_tcp.h51
-rw-r--r--include/uapi/linux/netfilter/nf_conntrack_tuple_common.h39
-rw-r--r--include/uapi/linux/netfilter/nf_nat.h33
-rw-r--r--include/uapi/linux/netfilter/nfnetlink.h56
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_acct.h27
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_compat.h63
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_conntrack.h248
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_cthelper.h55
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_cttimeout.h114
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_log.h97
-rw-r--r--include/uapi/linux/netfilter/nfnetlink_queue.h101
-rw-r--r--include/uapi/linux/netfilter/x_tables.h187
-rw-r--r--include/uapi/linux/netfilter/xt_AUDIT.h30
-rw-r--r--include/uapi/linux/netfilter/xt_CHECKSUM.h20
-rw-r--r--include/uapi/linux/netfilter/xt_CLASSIFY.h10
-rw-r--r--include/uapi/linux/netfilter/xt_CONNMARK.h6
-rw-r--r--include/uapi/linux/netfilter/xt_CONNSECMARK.h15
-rw-r--r--include/uapi/linux/netfilter/xt_CT.h31
-rw-r--r--include/uapi/linux/netfilter/xt_DSCP.h26
-rw-r--r--include/uapi/linux/netfilter/xt_IDLETIMER.h45
-rw-r--r--include/uapi/linux/netfilter/xt_LED.h15
-rw-r--r--include/uapi/linux/netfilter/xt_LOG.h19
-rw-r--r--include/uapi/linux/netfilter/xt_MARK.h6
-rw-r--r--include/uapi/linux/netfilter/xt_NFLOG.h20
-rw-r--r--include/uapi/linux/netfilter/xt_NFQUEUE.h29
-rw-r--r--include/uapi/linux/netfilter/xt_RATEEST.h15
-rw-r--r--include/uapi/linux/netfilter/xt_SECMARK.h22
-rw-r--r--include/uapi/linux/netfilter/xt_TCPMSS.h12
-rw-r--r--include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h15
-rw-r--r--include/uapi/linux/netfilter/xt_TEE.h12
-rw-r--r--include/uapi/linux/netfilter/xt_TPROXY.h23
-rw-r--r--include/uapi/linux/netfilter/xt_addrtype.h44
-rw-r--r--include/uapi/linux/netfilter/xt_cluster.h19
-rw-r--r--include/uapi/linux/netfilter/xt_comment.h10
-rw-r--r--include/uapi/linux/netfilter/xt_connbytes.h26
-rw-r--r--include/uapi/linux/netfilter/xt_connlimit.h32
-rw-r--r--include/uapi/linux/netfilter/xt_connmark.h31
-rw-r--r--include/uapi/linux/netfilter/xt_conntrack.h77
-rw-r--r--include/uapi/linux/netfilter/xt_cpu.h11
-rw-r--r--include/uapi/linux/netfilter/xt_dccp.h25
-rw-r--r--include/uapi/linux/netfilter/xt_devgroup.h21
-rw-r--r--include/uapi/linux/netfilter/xt_dscp.h31
-rw-r--r--include/uapi/linux/netfilter/xt_ecn.h35
-rw-r--r--include/uapi/linux/netfilter/xt_esp.h15
-rw-r--r--include/uapi/linux/netfilter/xt_hashlimit.h73
-rw-r--r--include/uapi/linux/netfilter/xt_helper.h8
-rw-r--r--include/uapi/linux/netfilter/xt_iprange.h20
-rw-r--r--include/uapi/linux/netfilter/xt_ipvs.h29
-rw-r--r--include/uapi/linux/netfilter/xt_length.h11
-rw-r--r--include/uapi/linux/netfilter/xt_limit.h24
-rw-r--r--include/uapi/linux/netfilter/xt_mac.h8
-rw-r--r--include/uapi/linux/netfilter/xt_mark.h15
-rw-r--r--include/uapi/linux/netfilter/xt_multiport.h29
-rw-r--r--include/uapi/linux/netfilter/xt_nfacct.h13
-rw-r--r--include/uapi/linux/netfilter/xt_osf.h135
-rw-r--r--include/uapi/linux/netfilter/xt_owner.h18
-rw-r--r--include/uapi/linux/netfilter/xt_physdev.h23
-rw-r--r--include/uapi/linux/netfilter/xt_pkttype.h8
-rw-r--r--include/uapi/linux/netfilter/xt_policy.h69
-rw-r--r--include/uapi/linux/netfilter/xt_quota.h22
-rw-r--r--include/uapi/linux/netfilter/xt_rateest.h37
-rw-r--r--include/uapi/linux/netfilter/xt_realm.h12
-rw-r--r--include/uapi/linux/netfilter/xt_recent.h45
-rw-r--r--include/uapi/linux/netfilter/xt_sctp.h92
-rw-r--r--include/uapi/linux/netfilter/xt_set.h65
-rw-r--r--include/uapi/linux/netfilter/xt_socket.h14
-rw-r--r--include/uapi/linux/netfilter/xt_state.h12
-rw-r--r--include/uapi/linux/netfilter/xt_statistic.h36
-rw-r--r--include/uapi/linux/netfilter/xt_string.h34
-rw-r--r--include/uapi/linux/netfilter/xt_tcpmss.h11
-rw-r--r--include/uapi/linux/netfilter/xt_tcpudp.h36
-rw-r--r--include/uapi/linux/netfilter/xt_time.h32
-rw-r--r--include/uapi/linux/netfilter/xt_u32.h42
-rw-r--r--include/uapi/linux/netfilter_arp/Kbuild2
-rw-r--r--include/uapi/linux/netfilter_arp/arp_tables.h206
-rw-r--r--include/uapi/linux/netfilter_arp/arpt_mangle.h26
-rw-r--r--include/uapi/linux/netfilter_bridge/Kbuild18
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_802_3.h62
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_among.h64
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_arp.h36
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_arpreply.h10
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_ip.h44
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_ip6.h50
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_limit.h24
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_log.h20
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_mark_m.h16
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_mark_t.h23
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_nat.h13
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_nflog.h23
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_pkttype.h12
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_redirect.h10
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_stp.h46
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_ulog.h38
-rw-r--r--include/uapi/linux/netfilter_bridge/ebt_vlan.h22
-rw-r--r--include/uapi/linux/netfilter_bridge/ebtables.h268
-rw-r--r--include/uapi/linux/netfilter_ipv4/Kbuild10
-rw-r--r--include/uapi/linux/netfilter_ipv4/ip_tables.h229
-rw-r--r--include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h36
-rw-r--r--include/uapi/linux/netfilter_ipv4/ipt_ECN.h33
-rw-r--r--include/uapi/linux/netfilter_ipv4/ipt_LOG.h21
-rw-r--r--include/uapi/linux/netfilter_ipv4/ipt_REJECT.h20
-rw-r--r--include/uapi/linux/netfilter_ipv4/ipt_TTL.h23
-rw-r--r--include/uapi/linux/netfilter_ipv4/ipt_ULOG.h49
-rw-r--r--include/uapi/linux/netfilter_ipv4/ipt_ah.h17
-rw-r--r--include/uapi/linux/netfilter_ipv4/ipt_ecn.h15
-rw-r--r--include/uapi/linux/netfilter_ipv4/ipt_ttl.h23
-rw-r--r--include/uapi/linux/netfilter_ipv6/Kbuild12
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6_tables.h267
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6t_HL.h24
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6t_LOG.h21
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6t_NPT.h16
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h20
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6t_ah.h22
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6t_frag.h25
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6t_hl.h24
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h28
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6t_mh.h16
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6t_opts.h24
-rw-r--r--include/uapi/linux/netfilter_ipv6/ip6t_rt.h33
-rw-r--r--include/uapi/linux/tc_act/Kbuild7
-rw-r--r--include/uapi/linux/tc_act/tc_csum.h32
-rw-r--r--include/uapi/linux/tc_act/tc_gact.h32
-rw-r--r--include/uapi/linux/tc_act/tc_ipt.h20
-rw-r--r--include/uapi/linux/tc_act/tc_mirred.h27
-rw-r--r--include/uapi/linux/tc_act/tc_nat.h27
-rw-r--r--include/uapi/linux/tc_act/tc_pedit.h34
-rw-r--r--include/uapi/linux/tc_act/tc_skbedit.h46
-rw-r--r--include/uapi/linux/tc_ematch/Kbuild4
-rw-r--r--include/uapi/linux/tc_ematch/tc_em_cmp.h25
-rw-r--r--include/uapi/linux/tc_ematch/tc_em_meta.h92
-rw-r--r--include/uapi/linux/tc_ematch/tc_em_nbyte.h13
-rw-r--r--include/uapi/linux/tc_ematch/tc_em_text.h19
146 files changed, 6083 insertions, 0 deletions
diff --git a/include/uapi/linux/caif/Kbuild b/include/uapi/linux/caif/Kbuild
index aafaa5aa54d4..43396612d3a3 100644
--- a/include/uapi/linux/caif/Kbuild
+++ b/include/uapi/linux/caif/Kbuild
@@ -1 +1,3 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += caif_socket.h
3header-y += if_caif.h
diff --git a/include/uapi/linux/caif/caif_socket.h b/include/uapi/linux/caif/caif_socket.h
new file mode 100644
index 000000000000..3f3bac6af7bc
--- /dev/null
+++ b/include/uapi/linux/caif/caif_socket.h
@@ -0,0 +1,194 @@
1/* linux/caif_socket.h
2 * CAIF Definitions for CAIF socket and network layer
3 * Copyright (C) ST-Ericsson AB 2010
4 * Author: Sjur Brendeland/ sjur.brandeland@stericsson.com
5 * License terms: GNU General Public License (GPL) version 2
6 */
7
8#ifndef _LINUX_CAIF_SOCKET_H
9#define _LINUX_CAIF_SOCKET_H
10
11#include <linux/types.h>
12#include <linux/socket.h>
13
14/**
15 * enum caif_link_selector - Physical Link Selection.
16 * @CAIF_LINK_HIGH_BANDW: Physical interface for high-bandwidth
17 * traffic.
18 * @CAIF_LINK_LOW_LATENCY: Physical interface for low-latency
19 * traffic.
20 *
21 * CAIF Link Layers can register their link properties.
22 * This enum is used for choosing between CAIF Link Layers when
23 * setting up CAIF Channels when multiple CAIF Link Layers exists.
24 */
25enum caif_link_selector {
26 CAIF_LINK_HIGH_BANDW,
27 CAIF_LINK_LOW_LATENCY
28};
29
30/**
31 * enum caif_channel_priority - CAIF channel priorities.
32 *
33 * @CAIF_PRIO_MIN: Min priority for a channel.
34 * @CAIF_PRIO_LOW: Low-priority channel.
35 * @CAIF_PRIO_NORMAL: Normal/default priority level.
36 * @CAIF_PRIO_HIGH: High priority level
37 * @CAIF_PRIO_MAX: Max priority for channel
38 *
39 * Priority can be set on CAIF Channels in order to
40 * prioritize between traffic on different CAIF Channels.
41 * These priority levels are recommended, but the priority value
42 * is not restricted to the values defined in this enum, any value
43 * between CAIF_PRIO_MIN and CAIF_PRIO_MAX could be used.
44 */
45enum caif_channel_priority {
46 CAIF_PRIO_MIN = 0x01,
47 CAIF_PRIO_LOW = 0x04,
48 CAIF_PRIO_NORMAL = 0x0f,
49 CAIF_PRIO_HIGH = 0x14,
50 CAIF_PRIO_MAX = 0x1F
51};
52
53/**
54 * enum caif_protocol_type - CAIF Channel type.
55 * @CAIFPROTO_AT: Classic AT channel.
56 * @CAIFPROTO_DATAGRAM: Datagram channel.
57 * @CAIFPROTO_DATAGRAM_LOOP: Datagram loopback channel, used for testing.
58 * @CAIFPROTO_UTIL: Utility (Psock) channel.
59 * @CAIFPROTO_RFM: Remote File Manager
60 * @CAIFPROTO_DEBUG: Debug link
61 *
62 * This enum defines the CAIF Channel type to be used. This defines
63 * the service to connect to on the modem.
64 */
65enum caif_protocol_type {
66 CAIFPROTO_AT,
67 CAIFPROTO_DATAGRAM,
68 CAIFPROTO_DATAGRAM_LOOP,
69 CAIFPROTO_UTIL,
70 CAIFPROTO_RFM,
71 CAIFPROTO_DEBUG,
72 _CAIFPROTO_MAX
73};
74#define CAIFPROTO_MAX _CAIFPROTO_MAX
75
76/**
77 * enum caif_at_type - AT Service Endpoint
78 * @CAIF_ATTYPE_PLAIN: Connects to a plain vanilla AT channel.
79 */
80enum caif_at_type {
81 CAIF_ATTYPE_PLAIN = 2
82};
83 /**
84 * enum caif_debug_type - Content selection for debug connection
85 * @CAIF_DEBUG_TRACE_INTERACTIVE: Connection will contain
86 * both trace and interactive debug.
87 * @CAIF_DEBUG_TRACE: Connection contains trace only.
88 * @CAIF_DEBUG_INTERACTIVE: Connection to interactive debug.
89 */
90enum caif_debug_type {
91 CAIF_DEBUG_TRACE_INTERACTIVE = 0,
92 CAIF_DEBUG_TRACE,
93 CAIF_DEBUG_INTERACTIVE,
94};
95
96/**
97 * enum caif_debug_service - Debug Service Endpoint
98 * @CAIF_RADIO_DEBUG_SERVICE: Debug service on the Radio sub-system
99 * @CAIF_APP_DEBUG_SERVICE: Debug for the applications sub-system
100 */
101enum caif_debug_service {
102 CAIF_RADIO_DEBUG_SERVICE = 1,
103 CAIF_APP_DEBUG_SERVICE
104};
105
106/**
107 * struct sockaddr_caif - the sockaddr structure for CAIF sockets.
108 * @family: Address family number, must be AF_CAIF.
109 * @u: Union of address data 'switched' by family.
110 * :
111 * @u.at: Applies when family = CAIFPROTO_AT.
112 *
113 * @u.at.type: Type of AT link to set up (enum caif_at_type).
114 *
115 * @u.util: Applies when family = CAIFPROTO_UTIL
116 *
117 * @u.util.service: Utility service name.
118 *
119 * @u.dgm: Applies when family = CAIFPROTO_DATAGRAM
120 *
121 * @u.dgm.connection_id: Datagram connection id.
122 *
123 * @u.dgm.nsapi: NSAPI of the PDP-Context.
124 *
125 * @u.rfm: Applies when family = CAIFPROTO_RFM
126 *
127 * @u.rfm.connection_id: Connection ID for RFM.
128 *
129 * @u.rfm.volume: Volume to mount.
130 *
131 * @u.dbg: Applies when family = CAIFPROTO_DEBUG.
132 *
133 * @u.dbg.type: Type of debug connection to set up
134 * (caif_debug_type).
135 *
136 * @u.dbg.service: Service sub-system to connect (caif_debug_service
137 * Description:
138 * This structure holds the connect parameters used for setting up a
139 * CAIF Channel. It defines the service to connect to on the modem.
140 */
141struct sockaddr_caif {
142 __kernel_sa_family_t family;
143 union {
144 struct {
145 __u8 type; /* type: enum caif_at_type */
146 } at; /* CAIFPROTO_AT */
147 struct {
148 char service[16];
149 } util; /* CAIFPROTO_UTIL */
150 union {
151 __u32 connection_id;
152 __u8 nsapi;
153 } dgm; /* CAIFPROTO_DATAGRAM(_LOOP)*/
154 struct {
155 __u32 connection_id;
156 char volume[16];
157 } rfm; /* CAIFPROTO_RFM */
158 struct {
159 __u8 type; /* type:enum caif_debug_type */
160 __u8 service; /* service:caif_debug_service */
161 } dbg; /* CAIFPROTO_DEBUG */
162 } u;
163};
164
165/**
166 * enum caif_socket_opts - CAIF option values for getsockopt and setsockopt.
167 *
168 * @CAIFSO_LINK_SELECT: Selector used if multiple CAIF Link layers are
169 * available. Either a high bandwidth
170 * link can be selected (CAIF_LINK_HIGH_BANDW) or
171 * or a low latency link (CAIF_LINK_LOW_LATENCY).
172 * This option is of type __u32.
173 * Alternatively SO_BINDTODEVICE can be used.
174 *
175 * @CAIFSO_REQ_PARAM: Used to set the request parameters for a
176 * utility channel. (maximum 256 bytes). This
177 * option must be set before connecting.
178 *
179 * @CAIFSO_RSP_PARAM: Gets the response parameters for a utility
180 * channel. (maximum 256 bytes). This option
181 * is valid after a successful connect.
182 *
183 *
184 * This enum defines the CAIF Socket options to be used on a socket
185 * of type PF_CAIF.
186 *
187 */
188enum caif_socket_opts {
189 CAIFSO_LINK_SELECT = 127,
190 CAIFSO_REQ_PARAM = 128,
191 CAIFSO_RSP_PARAM = 129,
192};
193
194#endif /* _LINUX_CAIF_SOCKET_H */
diff --git a/include/uapi/linux/caif/if_caif.h b/include/uapi/linux/caif/if_caif.h
new file mode 100644
index 000000000000..5e7eed4edf51
--- /dev/null
+++ b/include/uapi/linux/caif/if_caif.h
@@ -0,0 +1,34 @@
1/*
2 * Copyright (C) ST-Ericsson AB 2010
3 * Author: Sjur Brendeland/ sjur.brandeland@stericsson.com
4 * License terms: GNU General Public License (GPL) version 2
5 */
6
7#ifndef IF_CAIF_H_
8#define IF_CAIF_H_
9#include <linux/sockios.h>
10#include <linux/types.h>
11#include <linux/socket.h>
12
13/**
14 * enum ifla_caif - CAIF NetlinkRT parameters.
15 * @IFLA_CAIF_IPV4_CONNID: Connection ID for IPv4 PDP Context.
16 * The type of attribute is NLA_U32.
17 * @IFLA_CAIF_IPV6_CONNID: Connection ID for IPv6 PDP Context.
18 * The type of attribute is NLA_U32.
19 * @IFLA_CAIF_LOOPBACK: If different from zero, device is doing loopback
20 * The type of attribute is NLA_U8.
21 *
22 * When using RT Netlink to create, destroy or configure a CAIF IP interface,
23 * enum ifla_caif is used to specify the configuration attributes.
24 */
25enum ifla_caif {
26 __IFLA_CAIF_UNSPEC,
27 IFLA_CAIF_IPV4_CONNID,
28 IFLA_CAIF_IPV6_CONNID,
29 IFLA_CAIF_LOOPBACK,
30 __IFLA_CAIF_MAX
31};
32#define IFLA_CAIF_MAX (__IFLA_CAIF_MAX-1)
33
34#endif /*IF_CAIF_H_*/
diff --git a/include/uapi/linux/isdn/Kbuild b/include/uapi/linux/isdn/Kbuild
index aafaa5aa54d4..89e52850bf29 100644
--- a/include/uapi/linux/isdn/Kbuild
+++ b/include/uapi/linux/isdn/Kbuild
@@ -1 +1,2 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += capicmd.h
diff --git a/include/uapi/linux/isdn/capicmd.h b/include/uapi/linux/isdn/capicmd.h
new file mode 100644
index 000000000000..b58635f722da
--- /dev/null
+++ b/include/uapi/linux/isdn/capicmd.h
@@ -0,0 +1,115 @@
1/* $Id: capicmd.h,v 1.2.6.2 2001/09/23 22:24:33 kai Exp $
2 *
3 * CAPI 2.0 Interface for Linux
4 *
5 * Copyright 1997 by Carsten Paeth <calle@calle.de>
6 *
7 * This software may be used and distributed according to the terms
8 * of the GNU General Public License, incorporated herein by reference.
9 *
10 */
11
12#ifndef __CAPICMD_H__
13#define __CAPICMD_H__
14
15#define CAPI_MSG_BASELEN 8
16#define CAPI_DATA_B3_REQ_LEN (CAPI_MSG_BASELEN+4+4+2+2+2)
17#define CAPI_DATA_B3_RESP_LEN (CAPI_MSG_BASELEN+4+2)
18
19/*----- CAPI commands -----*/
20#define CAPI_ALERT 0x01
21#define CAPI_CONNECT 0x02
22#define CAPI_CONNECT_ACTIVE 0x03
23#define CAPI_CONNECT_B3_ACTIVE 0x83
24#define CAPI_CONNECT_B3 0x82
25#define CAPI_CONNECT_B3_T90_ACTIVE 0x88
26#define CAPI_DATA_B3 0x86
27#define CAPI_DISCONNECT_B3 0x84
28#define CAPI_DISCONNECT 0x04
29#define CAPI_FACILITY 0x80
30#define CAPI_INFO 0x08
31#define CAPI_LISTEN 0x05
32#define CAPI_MANUFACTURER 0xff
33#define CAPI_RESET_B3 0x87
34#define CAPI_SELECT_B_PROTOCOL 0x41
35
36/*----- CAPI subcommands -----*/
37
38#define CAPI_REQ 0x80
39#define CAPI_CONF 0x81
40#define CAPI_IND 0x82
41#define CAPI_RESP 0x83
42
43/*----- CAPI combined commands -----*/
44
45#define CAPICMD(cmd,subcmd) (((cmd)<<8)|(subcmd))
46
47#define CAPI_DISCONNECT_REQ CAPICMD(CAPI_DISCONNECT,CAPI_REQ)
48#define CAPI_DISCONNECT_CONF CAPICMD(CAPI_DISCONNECT,CAPI_CONF)
49#define CAPI_DISCONNECT_IND CAPICMD(CAPI_DISCONNECT,CAPI_IND)
50#define CAPI_DISCONNECT_RESP CAPICMD(CAPI_DISCONNECT,CAPI_RESP)
51
52#define CAPI_ALERT_REQ CAPICMD(CAPI_ALERT,CAPI_REQ)
53#define CAPI_ALERT_CONF CAPICMD(CAPI_ALERT,CAPI_CONF)
54
55#define CAPI_CONNECT_REQ CAPICMD(CAPI_CONNECT,CAPI_REQ)
56#define CAPI_CONNECT_CONF CAPICMD(CAPI_CONNECT,CAPI_CONF)
57#define CAPI_CONNECT_IND CAPICMD(CAPI_CONNECT,CAPI_IND)
58#define CAPI_CONNECT_RESP CAPICMD(CAPI_CONNECT,CAPI_RESP)
59
60#define CAPI_CONNECT_ACTIVE_REQ CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_REQ)
61#define CAPI_CONNECT_ACTIVE_CONF CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_CONF)
62#define CAPI_CONNECT_ACTIVE_IND CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_IND)
63#define CAPI_CONNECT_ACTIVE_RESP CAPICMD(CAPI_CONNECT_ACTIVE,CAPI_RESP)
64
65#define CAPI_SELECT_B_PROTOCOL_REQ CAPICMD(CAPI_SELECT_B_PROTOCOL,CAPI_REQ)
66#define CAPI_SELECT_B_PROTOCOL_CONF CAPICMD(CAPI_SELECT_B_PROTOCOL,CAPI_CONF)
67
68#define CAPI_CONNECT_B3_ACTIVE_REQ CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_REQ)
69#define CAPI_CONNECT_B3_ACTIVE_CONF CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_CONF)
70#define CAPI_CONNECT_B3_ACTIVE_IND CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_IND)
71#define CAPI_CONNECT_B3_ACTIVE_RESP CAPICMD(CAPI_CONNECT_B3_ACTIVE,CAPI_RESP)
72
73#define CAPI_CONNECT_B3_REQ CAPICMD(CAPI_CONNECT_B3,CAPI_REQ)
74#define CAPI_CONNECT_B3_CONF CAPICMD(CAPI_CONNECT_B3,CAPI_CONF)
75#define CAPI_CONNECT_B3_IND CAPICMD(CAPI_CONNECT_B3,CAPI_IND)
76#define CAPI_CONNECT_B3_RESP CAPICMD(CAPI_CONNECT_B3,CAPI_RESP)
77
78
79#define CAPI_CONNECT_B3_T90_ACTIVE_IND CAPICMD(CAPI_CONNECT_B3_T90_ACTIVE,CAPI_IND)
80#define CAPI_CONNECT_B3_T90_ACTIVE_RESP CAPICMD(CAPI_CONNECT_B3_T90_ACTIVE,CAPI_RESP)
81
82#define CAPI_DATA_B3_REQ CAPICMD(CAPI_DATA_B3,CAPI_REQ)
83#define CAPI_DATA_B3_CONF CAPICMD(CAPI_DATA_B3,CAPI_CONF)
84#define CAPI_DATA_B3_IND CAPICMD(CAPI_DATA_B3,CAPI_IND)
85#define CAPI_DATA_B3_RESP CAPICMD(CAPI_DATA_B3,CAPI_RESP)
86
87#define CAPI_DISCONNECT_B3_REQ CAPICMD(CAPI_DISCONNECT_B3,CAPI_REQ)
88#define CAPI_DISCONNECT_B3_CONF CAPICMD(CAPI_DISCONNECT_B3,CAPI_CONF)
89#define CAPI_DISCONNECT_B3_IND CAPICMD(CAPI_DISCONNECT_B3,CAPI_IND)
90#define CAPI_DISCONNECT_B3_RESP CAPICMD(CAPI_DISCONNECT_B3,CAPI_RESP)
91
92#define CAPI_RESET_B3_REQ CAPICMD(CAPI_RESET_B3,CAPI_REQ)
93#define CAPI_RESET_B3_CONF CAPICMD(CAPI_RESET_B3,CAPI_CONF)
94#define CAPI_RESET_B3_IND CAPICMD(CAPI_RESET_B3,CAPI_IND)
95#define CAPI_RESET_B3_RESP CAPICMD(CAPI_RESET_B3,CAPI_RESP)
96
97#define CAPI_LISTEN_REQ CAPICMD(CAPI_LISTEN,CAPI_REQ)
98#define CAPI_LISTEN_CONF CAPICMD(CAPI_LISTEN,CAPI_CONF)
99
100#define CAPI_MANUFACTURER_REQ CAPICMD(CAPI_MANUFACTURER,CAPI_REQ)
101#define CAPI_MANUFACTURER_CONF CAPICMD(CAPI_MANUFACTURER,CAPI_CONF)
102#define CAPI_MANUFACTURER_IND CAPICMD(CAPI_MANUFACTURER,CAPI_IND)
103#define CAPI_MANUFACTURER_RESP CAPICMD(CAPI_MANUFACTURER,CAPI_RESP)
104
105#define CAPI_FACILITY_REQ CAPICMD(CAPI_FACILITY,CAPI_REQ)
106#define CAPI_FACILITY_CONF CAPICMD(CAPI_FACILITY,CAPI_CONF)
107#define CAPI_FACILITY_IND CAPICMD(CAPI_FACILITY,CAPI_IND)
108#define CAPI_FACILITY_RESP CAPICMD(CAPI_FACILITY,CAPI_RESP)
109
110#define CAPI_INFO_REQ CAPICMD(CAPI_INFO,CAPI_REQ)
111#define CAPI_INFO_CONF CAPICMD(CAPI_INFO,CAPI_CONF)
112#define CAPI_INFO_IND CAPICMD(CAPI_INFO,CAPI_IND)
113#define CAPI_INFO_RESP CAPICMD(CAPI_INFO,CAPI_RESP)
114
115#endif /* __CAPICMD_H__ */
diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 4afbace8e869..08f555fef13f 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
@@ -1,2 +1,78 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += ipset/ 2header-y += ipset/
3header-y += nf_conntrack_common.h
4header-y += nf_conntrack_ftp.h
5header-y += nf_conntrack_sctp.h
6header-y += nf_conntrack_tcp.h
7header-y += nf_conntrack_tuple_common.h
8header-y += nf_nat.h
9header-y += nfnetlink.h
10header-y += nfnetlink_acct.h
11header-y += nfnetlink_compat.h
12header-y += nfnetlink_conntrack.h
13header-y += nfnetlink_cthelper.h
14header-y += nfnetlink_cttimeout.h
15header-y += nfnetlink_log.h
16header-y += nfnetlink_queue.h
17header-y += x_tables.h
18header-y += xt_AUDIT.h
19header-y += xt_CHECKSUM.h
20header-y += xt_CLASSIFY.h
21header-y += xt_CONNMARK.h
22header-y += xt_CONNSECMARK.h
23header-y += xt_CT.h
24header-y += xt_DSCP.h
25header-y += xt_IDLETIMER.h
26header-y += xt_LED.h
27header-y += xt_LOG.h
28header-y += xt_MARK.h
29header-y += xt_NFLOG.h
30header-y += xt_NFQUEUE.h
31header-y += xt_RATEEST.h
32header-y += xt_SECMARK.h
33header-y += xt_TCPMSS.h
34header-y += xt_TCPOPTSTRIP.h
35header-y += xt_TEE.h
36header-y += xt_TPROXY.h
37header-y += xt_addrtype.h
38header-y += xt_cluster.h
39header-y += xt_comment.h
40header-y += xt_connbytes.h
41header-y += xt_connlimit.h
42header-y += xt_connmark.h
43header-y += xt_conntrack.h
44header-y += xt_cpu.h
45header-y += xt_dccp.h
46header-y += xt_devgroup.h
47header-y += xt_dscp.h
48header-y += xt_ecn.h
49header-y += xt_esp.h
50header-y += xt_hashlimit.h
51header-y += xt_helper.h
52header-y += xt_iprange.h
53header-y += xt_ipvs.h
54header-y += xt_length.h
55header-y += xt_limit.h
56header-y += xt_mac.h
57header-y += xt_mark.h
58header-y += xt_multiport.h
59header-y += xt_nfacct.h
60header-y += xt_osf.h
61header-y += xt_owner.h
62header-y += xt_physdev.h
63header-y += xt_pkttype.h
64header-y += xt_policy.h
65header-y += xt_quota.h
66header-y += xt_rateest.h
67header-y += xt_realm.h
68header-y += xt_recent.h
69header-y += xt_sctp.h
70header-y += xt_set.h
71header-y += xt_socket.h
72header-y += xt_state.h
73header-y += xt_statistic.h
74header-y += xt_string.h
75header-y += xt_tcpmss.h
76header-y += xt_tcpudp.h
77header-y += xt_time.h
78header-y += xt_u32.h
diff --git a/include/uapi/linux/netfilter/ipset/Kbuild b/include/uapi/linux/netfilter/ipset/Kbuild
index aafaa5aa54d4..d2680423d9ab 100644
--- a/include/uapi/linux/netfilter/ipset/Kbuild
+++ b/include/uapi/linux/netfilter/ipset/Kbuild
@@ -1 +1,5 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += ip_set.h
3header-y += ip_set_bitmap.h
4header-y += ip_set_hash.h
5header-y += ip_set_list.h
diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h
new file mode 100644
index 000000000000..fbee42807a11
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -0,0 +1,231 @@
1/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Martin Josefsson <gandalf@wlug.westbo.se>
4 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 */
10#ifndef _UAPI_IP_SET_H
11#define _UAPI_IP_SET_H
12
13
14#include <linux/types.h>
15
16/* The protocol version */
17#define IPSET_PROTOCOL 6
18
19/* The max length of strings including NUL: set and type identifiers */
20#define IPSET_MAXNAMELEN 32
21
22/* Message types and commands */
23enum ipset_cmd {
24 IPSET_CMD_NONE,
25 IPSET_CMD_PROTOCOL, /* 1: Return protocol version */
26 IPSET_CMD_CREATE, /* 2: Create a new (empty) set */
27 IPSET_CMD_DESTROY, /* 3: Destroy a (empty) set */
28 IPSET_CMD_FLUSH, /* 4: Remove all elements from a set */
29 IPSET_CMD_RENAME, /* 5: Rename a set */
30 IPSET_CMD_SWAP, /* 6: Swap two sets */
31 IPSET_CMD_LIST, /* 7: List sets */
32 IPSET_CMD_SAVE, /* 8: Save sets */
33 IPSET_CMD_ADD, /* 9: Add an element to a set */
34 IPSET_CMD_DEL, /* 10: Delete an element from a set */
35 IPSET_CMD_TEST, /* 11: Test an element in a set */
36 IPSET_CMD_HEADER, /* 12: Get set header data only */
37 IPSET_CMD_TYPE, /* 13: Get set type */
38 IPSET_MSG_MAX, /* Netlink message commands */
39
40 /* Commands in userspace: */
41 IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
42 IPSET_CMD_HELP, /* 15: Get help */
43 IPSET_CMD_VERSION, /* 16: Get program version */
44 IPSET_CMD_QUIT, /* 17: Quit from interactive mode */
45
46 IPSET_CMD_MAX,
47
48 IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
49};
50
51/* Attributes at command level */
52enum {
53 IPSET_ATTR_UNSPEC,
54 IPSET_ATTR_PROTOCOL, /* 1: Protocol version */
55 IPSET_ATTR_SETNAME, /* 2: Name of the set */
56 IPSET_ATTR_TYPENAME, /* 3: Typename */
57 IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
58 IPSET_ATTR_REVISION, /* 4: Settype revision */
59 IPSET_ATTR_FAMILY, /* 5: Settype family */
60 IPSET_ATTR_FLAGS, /* 6: Flags at command level */
61 IPSET_ATTR_DATA, /* 7: Nested attributes */
62 IPSET_ATTR_ADT, /* 8: Multiple data containers */
63 IPSET_ATTR_LINENO, /* 9: Restore lineno */
64 IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
65 IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
66 __IPSET_ATTR_CMD_MAX,
67};
68#define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1)
69
70/* CADT specific attributes */
71enum {
72 IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
73 IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
74 IPSET_ATTR_IP_TO, /* 2 */
75 IPSET_ATTR_CIDR, /* 3 */
76 IPSET_ATTR_PORT, /* 4 */
77 IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
78 IPSET_ATTR_PORT_TO, /* 5 */
79 IPSET_ATTR_TIMEOUT, /* 6 */
80 IPSET_ATTR_PROTO, /* 7 */
81 IPSET_ATTR_CADT_FLAGS, /* 8 */
82 IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */
83 /* Reserve empty slots */
84 IPSET_ATTR_CADT_MAX = 16,
85 /* Create-only specific attributes */
86 IPSET_ATTR_GC,
87 IPSET_ATTR_HASHSIZE,
88 IPSET_ATTR_MAXELEM,
89 IPSET_ATTR_NETMASK,
90 IPSET_ATTR_PROBES,
91 IPSET_ATTR_RESIZE,
92 IPSET_ATTR_SIZE,
93 /* Kernel-only */
94 IPSET_ATTR_ELEMENTS,
95 IPSET_ATTR_REFERENCES,
96 IPSET_ATTR_MEMSIZE,
97
98 __IPSET_ATTR_CREATE_MAX,
99};
100#define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1)
101
102/* ADT specific attributes */
103enum {
104 IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
105 IPSET_ATTR_NAME,
106 IPSET_ATTR_NAMEREF,
107 IPSET_ATTR_IP2,
108 IPSET_ATTR_CIDR2,
109 IPSET_ATTR_IP2_TO,
110 IPSET_ATTR_IFACE,
111 __IPSET_ATTR_ADT_MAX,
112};
113#define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1)
114
115/* IP specific attributes */
116enum {
117 IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
118 IPSET_ATTR_IPADDR_IPV6,
119 __IPSET_ATTR_IPADDR_MAX,
120};
121#define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1)
122
123/* Error codes */
124enum ipset_errno {
125 IPSET_ERR_PRIVATE = 4096,
126 IPSET_ERR_PROTOCOL,
127 IPSET_ERR_FIND_TYPE,
128 IPSET_ERR_MAX_SETS,
129 IPSET_ERR_BUSY,
130 IPSET_ERR_EXIST_SETNAME2,
131 IPSET_ERR_TYPE_MISMATCH,
132 IPSET_ERR_EXIST,
133 IPSET_ERR_INVALID_CIDR,
134 IPSET_ERR_INVALID_NETMASK,
135 IPSET_ERR_INVALID_FAMILY,
136 IPSET_ERR_TIMEOUT,
137 IPSET_ERR_REFERENCED,
138 IPSET_ERR_IPADDR_IPV4,
139 IPSET_ERR_IPADDR_IPV6,
140
141 /* Type specific error codes */
142 IPSET_ERR_TYPE_SPECIFIC = 4352,
143};
144
145/* Flags at command level */
146enum ipset_cmd_flags {
147 IPSET_FLAG_BIT_EXIST = 0,
148 IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST),
149 IPSET_FLAG_BIT_LIST_SETNAME = 1,
150 IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME),
151 IPSET_FLAG_BIT_LIST_HEADER = 2,
152 IPSET_FLAG_LIST_HEADER = (1 << IPSET_FLAG_BIT_LIST_HEADER),
153 IPSET_FLAG_CMD_MAX = 15, /* Lower half */
154};
155
156/* Flags at CADT attribute level */
157enum ipset_cadt_flags {
158 IPSET_FLAG_BIT_BEFORE = 0,
159 IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE),
160 IPSET_FLAG_BIT_PHYSDEV = 1,
161 IPSET_FLAG_PHYSDEV = (1 << IPSET_FLAG_BIT_PHYSDEV),
162 IPSET_FLAG_BIT_NOMATCH = 2,
163 IPSET_FLAG_NOMATCH = (1 << IPSET_FLAG_BIT_NOMATCH),
164 IPSET_FLAG_CADT_MAX = 15, /* Upper half */
165};
166
167/* Commands with settype-specific attributes */
168enum ipset_adt {
169 IPSET_ADD,
170 IPSET_DEL,
171 IPSET_TEST,
172 IPSET_ADT_MAX,
173 IPSET_CREATE = IPSET_ADT_MAX,
174 IPSET_CADT_MAX,
175};
176
177/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
178 * and IPSET_INVALID_ID if you want to increase the max number of sets.
179 */
180typedef __u16 ip_set_id_t;
181
182#define IPSET_INVALID_ID 65535
183
184enum ip_set_dim {
185 IPSET_DIM_ZERO = 0,
186 IPSET_DIM_ONE,
187 IPSET_DIM_TWO,
188 IPSET_DIM_THREE,
189 /* Max dimension in elements.
190 * If changed, new revision of iptables match/target is required.
191 */
192 IPSET_DIM_MAX = 6,
193 IPSET_BIT_RETURN_NOMATCH = 7,
194};
195
196/* Option flags for kernel operations */
197enum ip_set_kopt {
198 IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
199 IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
200 IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
201 IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
202 IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),
203};
204
205
206/* Interface to iptables/ip6tables */
207
208#define SO_IP_SET 83
209
210union ip_set_name_index {
211 char name[IPSET_MAXNAMELEN];
212 ip_set_id_t index;
213};
214
215#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
216struct ip_set_req_get_set {
217 unsigned int op;
218 unsigned int version;
219 union ip_set_name_index set;
220};
221
222#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
223/* Uses ip_set_req_get_set */
224
225#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
226struct ip_set_req_version {
227 unsigned int op;
228 unsigned int version;
229};
230
231#endif /* _UAPI_IP_SET_H */
diff --git a/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h b/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h
new file mode 100644
index 000000000000..6a2c038d1888
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h
@@ -0,0 +1,13 @@
1#ifndef _UAPI__IP_SET_BITMAP_H
2#define _UAPI__IP_SET_BITMAP_H
3
4/* Bitmap type specific error codes */
5enum {
6 /* The element is out of the range of the set */
7 IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
8 /* The range exceeds the size limit of the set type */
9 IPSET_ERR_BITMAP_RANGE_SIZE,
10};
11
12
13#endif /* _UAPI__IP_SET_BITMAP_H */
diff --git a/include/uapi/linux/netfilter/ipset/ip_set_hash.h b/include/uapi/linux/netfilter/ipset/ip_set_hash.h
new file mode 100644
index 000000000000..352eeccdc7f2
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set_hash.h
@@ -0,0 +1,21 @@
1#ifndef _UAPI__IP_SET_HASH_H
2#define _UAPI__IP_SET_HASH_H
3
4/* Hash type specific error codes */
5enum {
6 /* Hash is full */
7 IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC,
8 /* Null-valued element */
9 IPSET_ERR_HASH_ELEM,
10 /* Invalid protocol */
11 IPSET_ERR_INVALID_PROTO,
12 /* Protocol missing but must be specified */
13 IPSET_ERR_MISSING_PROTO,
14 /* Range not supported */
15 IPSET_ERR_HASH_RANGE_UNSUPPORTED,
16 /* Invalid range */
17 IPSET_ERR_HASH_RANGE,
18};
19
20
21#endif /* _UAPI__IP_SET_HASH_H */
diff --git a/include/uapi/linux/netfilter/ipset/ip_set_list.h b/include/uapi/linux/netfilter/ipset/ip_set_list.h
new file mode 100644
index 000000000000..a44efaa98213
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set_list.h
@@ -0,0 +1,21 @@
1#ifndef _UAPI__IP_SET_LIST_H
2#define _UAPI__IP_SET_LIST_H
3
4/* List type specific error codes */
5enum {
6 /* Set name to be added/deleted/tested does not exist. */
7 IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC,
8 /* list:set type is not permitted to add */
9 IPSET_ERR_LOOP,
10 /* Missing reference set */
11 IPSET_ERR_BEFORE,
12 /* Reference set does not exist */
13 IPSET_ERR_NAMEREF,
14 /* Set is full */
15 IPSET_ERR_LIST_FULL,
16 /* Reference set is not added to the set */
17 IPSET_ERR_REF_EXIST,
18};
19
20
21#endif /* _UAPI__IP_SET_LIST_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
new file mode 100644
index 000000000000..1644cdd8be91
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -0,0 +1,117 @@
1#ifndef _UAPI_NF_CONNTRACK_COMMON_H
2#define _UAPI_NF_CONNTRACK_COMMON_H
3/* Connection state tracking for netfilter. This is separated from,
4 but required by, the NAT layer; it can also be used by an iptables
5 extension. */
6enum ip_conntrack_info {
7 /* Part of an established connection (either direction). */
8 IP_CT_ESTABLISHED,
9
10 /* Like NEW, but related to an existing connection, or ICMP error
11 (in either direction). */
12 IP_CT_RELATED,
13
14 /* Started a new connection to track (only
15 IP_CT_DIR_ORIGINAL); may be a retransmission. */
16 IP_CT_NEW,
17
18 /* >= this indicates reply direction */
19 IP_CT_IS_REPLY,
20
21 IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
22 IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
23 IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,
24 /* Number of distinct IP_CT types (no NEW in reply dirn). */
25 IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
26};
27
28/* Bitset representing status of connection. */
29enum ip_conntrack_status {
30 /* It's an expected connection: bit 0 set. This bit never changed */
31 IPS_EXPECTED_BIT = 0,
32 IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
33
34 /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
35 IPS_SEEN_REPLY_BIT = 1,
36 IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
37
38 /* Conntrack should never be early-expired. */
39 IPS_ASSURED_BIT = 2,
40 IPS_ASSURED = (1 << IPS_ASSURED_BIT),
41
42 /* Connection is confirmed: originating packet has left box */
43 IPS_CONFIRMED_BIT = 3,
44 IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
45
46 /* Connection needs src nat in orig dir. This bit never changed. */
47 IPS_SRC_NAT_BIT = 4,
48 IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
49
50 /* Connection needs dst nat in orig dir. This bit never changed. */
51 IPS_DST_NAT_BIT = 5,
52 IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
53
54 /* Both together. */
55 IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
56
57 /* Connection needs TCP sequence adjusted. */
58 IPS_SEQ_ADJUST_BIT = 6,
59 IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
60
61 /* NAT initialization bits. */
62 IPS_SRC_NAT_DONE_BIT = 7,
63 IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
64
65 IPS_DST_NAT_DONE_BIT = 8,
66 IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
67
68 /* Both together */
69 IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
70
71 /* Connection is dying (removed from lists), can not be unset. */
72 IPS_DYING_BIT = 9,
73 IPS_DYING = (1 << IPS_DYING_BIT),
74
75 /* Connection has fixed timeout. */
76 IPS_FIXED_TIMEOUT_BIT = 10,
77 IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
78
79 /* Conntrack is a template */
80 IPS_TEMPLATE_BIT = 11,
81 IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
82
83 /* Conntrack is a fake untracked entry */
84 IPS_UNTRACKED_BIT = 12,
85 IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
86
87 /* Conntrack got a helper explicitly attached via CT target. */
88 IPS_HELPER_BIT = 13,
89 IPS_HELPER = (1 << IPS_HELPER_BIT),
90};
91
92/* Connection tracking event types */
93enum ip_conntrack_events {
94 IPCT_NEW, /* new conntrack */
95 IPCT_RELATED, /* related conntrack */
96 IPCT_DESTROY, /* destroyed conntrack */
97 IPCT_REPLY, /* connection has seen two-way traffic */
98 IPCT_ASSURED, /* connection status has changed to assured */
99 IPCT_PROTOINFO, /* protocol information has changed */
100 IPCT_HELPER, /* new helper has been set */
101 IPCT_MARK, /* new mark has been set */
102 IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */
103 IPCT_SECMARK, /* new security mark has been set */
104};
105
106enum ip_conntrack_expect_events {
107 IPEXP_NEW, /* new expectation */
108 IPEXP_DESTROY, /* destroyed expectation */
109};
110
111/* expectation flags */
112#define NF_CT_EXPECT_PERMANENT 0x1
113#define NF_CT_EXPECT_INACTIVE 0x2
114#define NF_CT_EXPECT_USERSPACE 0x4
115
116
117#endif /* _UAPI_NF_CONNTRACK_COMMON_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_ftp.h b/include/uapi/linux/netfilter/nf_conntrack_ftp.h
new file mode 100644
index 000000000000..1030315a41b5
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_ftp.h
@@ -0,0 +1,18 @@
1#ifndef _UAPI_NF_CONNTRACK_FTP_H
2#define _UAPI_NF_CONNTRACK_FTP_H
3/* FTP tracking. */
4
5/* This enum is exposed to userspace */
6enum nf_ct_ftp_type {
7 /* PORT command from client */
8 NF_CT_FTP_PORT,
9 /* PASV response from server */
10 NF_CT_FTP_PASV,
11 /* EPRT command from client */
12 NF_CT_FTP_EPRT,
13 /* EPSV response from server */
14 NF_CT_FTP_EPSV,
15};
16
17
18#endif /* _UAPI_NF_CONNTRACK_FTP_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_sctp.h b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
new file mode 100644
index 000000000000..ceeefe6681b5
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
@@ -0,0 +1,25 @@
1#ifndef _NF_CONNTRACK_SCTP_H
2#define _NF_CONNTRACK_SCTP_H
3/* SCTP tracking. */
4
5#include <linux/netfilter/nf_conntrack_tuple_common.h>
6
7enum sctp_conntrack {
8 SCTP_CONNTRACK_NONE,
9 SCTP_CONNTRACK_CLOSED,
10 SCTP_CONNTRACK_COOKIE_WAIT,
11 SCTP_CONNTRACK_COOKIE_ECHOED,
12 SCTP_CONNTRACK_ESTABLISHED,
13 SCTP_CONNTRACK_SHUTDOWN_SENT,
14 SCTP_CONNTRACK_SHUTDOWN_RECD,
15 SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
16 SCTP_CONNTRACK_MAX
17};
18
19struct ip_ct_sctp {
20 enum sctp_conntrack state;
21
22 __be32 vtag[IP_CT_DIR_MAX];
23};
24
25#endif /* _NF_CONNTRACK_SCTP_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_tcp.h b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
new file mode 100644
index 000000000000..9993a421201c
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
@@ -0,0 +1,51 @@
1#ifndef _UAPI_NF_CONNTRACK_TCP_H
2#define _UAPI_NF_CONNTRACK_TCP_H
3/* TCP tracking. */
4
5#include <linux/types.h>
6
7/* This is exposed to userspace (ctnetlink) */
8enum tcp_conntrack {
9 TCP_CONNTRACK_NONE,
10 TCP_CONNTRACK_SYN_SENT,
11 TCP_CONNTRACK_SYN_RECV,
12 TCP_CONNTRACK_ESTABLISHED,
13 TCP_CONNTRACK_FIN_WAIT,
14 TCP_CONNTRACK_CLOSE_WAIT,
15 TCP_CONNTRACK_LAST_ACK,
16 TCP_CONNTRACK_TIME_WAIT,
17 TCP_CONNTRACK_CLOSE,
18 TCP_CONNTRACK_LISTEN, /* obsolete */
19#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN
20 TCP_CONNTRACK_MAX,
21 TCP_CONNTRACK_IGNORE,
22 TCP_CONNTRACK_RETRANS,
23 TCP_CONNTRACK_UNACK,
24 TCP_CONNTRACK_TIMEOUT_MAX
25};
26
27/* Window scaling is advertised by the sender */
28#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01
29
30/* SACK is permitted by the sender */
31#define IP_CT_TCP_FLAG_SACK_PERM 0x02
32
33/* This sender sent FIN first */
34#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04
35
36/* Be liberal in window checking */
37#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08
38
39/* Has unacknowledged data */
40#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10
41
42/* The field td_maxack has been set */
43#define IP_CT_TCP_FLAG_MAXACK_SET 0x20
44
45struct nf_ct_tcp_flags {
46 __u8 flags;
47 __u8 mask;
48};
49
50
51#endif /* _UAPI_NF_CONNTRACK_TCP_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
new file mode 100644
index 000000000000..2f6bbc5b8125
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
@@ -0,0 +1,39 @@
1#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
2#define _NF_CONNTRACK_TUPLE_COMMON_H
3
4enum ip_conntrack_dir {
5 IP_CT_DIR_ORIGINAL,
6 IP_CT_DIR_REPLY,
7 IP_CT_DIR_MAX
8};
9
10/* The protocol-specific manipulable parts of the tuple: always in
11 * network order
12 */
13union nf_conntrack_man_proto {
14 /* Add other protocols here. */
15 __be16 all;
16
17 struct {
18 __be16 port;
19 } tcp;
20 struct {
21 __be16 port;
22 } udp;
23 struct {
24 __be16 id;
25 } icmp;
26 struct {
27 __be16 port;
28 } dccp;
29 struct {
30 __be16 port;
31 } sctp;
32 struct {
33 __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
34 } gre;
35};
36
37#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
38
39#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h
new file mode 100644
index 000000000000..bf0cc373ffb6
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_nat.h
@@ -0,0 +1,33 @@
1#ifndef _NETFILTER_NF_NAT_H
2#define _NETFILTER_NF_NAT_H
3
4#include <linux/netfilter.h>
5#include <linux/netfilter/nf_conntrack_tuple_common.h>
6
7#define NF_NAT_RANGE_MAP_IPS 1
8#define NF_NAT_RANGE_PROTO_SPECIFIED 2
9#define NF_NAT_RANGE_PROTO_RANDOM 4
10#define NF_NAT_RANGE_PERSISTENT 8
11
12struct nf_nat_ipv4_range {
13 unsigned int flags;
14 __be32 min_ip;
15 __be32 max_ip;
16 union nf_conntrack_man_proto min;
17 union nf_conntrack_man_proto max;
18};
19
20struct nf_nat_ipv4_multi_range_compat {
21 unsigned int rangesize;
22 struct nf_nat_ipv4_range range[1];
23};
24
25struct nf_nat_range {
26 unsigned int flags;
27 union nf_inet_addr min_addr;
28 union nf_inet_addr max_addr;
29 union nf_conntrack_man_proto min_proto;
30 union nf_conntrack_man_proto max_proto;
31};
32
33#endif /* _NETFILTER_NF_NAT_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h
new file mode 100644
index 000000000000..4a4efafad5f4
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink.h
@@ -0,0 +1,56 @@
1#ifndef _UAPI_NFNETLINK_H
2#define _UAPI_NFNETLINK_H
3#include <linux/types.h>
4#include <linux/netfilter/nfnetlink_compat.h>
5
6enum nfnetlink_groups {
7 NFNLGRP_NONE,
8#define NFNLGRP_NONE NFNLGRP_NONE
9 NFNLGRP_CONNTRACK_NEW,
10#define NFNLGRP_CONNTRACK_NEW NFNLGRP_CONNTRACK_NEW
11 NFNLGRP_CONNTRACK_UPDATE,
12#define NFNLGRP_CONNTRACK_UPDATE NFNLGRP_CONNTRACK_UPDATE
13 NFNLGRP_CONNTRACK_DESTROY,
14#define NFNLGRP_CONNTRACK_DESTROY NFNLGRP_CONNTRACK_DESTROY
15 NFNLGRP_CONNTRACK_EXP_NEW,
16#define NFNLGRP_CONNTRACK_EXP_NEW NFNLGRP_CONNTRACK_EXP_NEW
17 NFNLGRP_CONNTRACK_EXP_UPDATE,
18#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
19 NFNLGRP_CONNTRACK_EXP_DESTROY,
20#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
21 __NFNLGRP_MAX,
22};
23#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
24
25/* General form of address family dependent message.
26 */
27struct nfgenmsg {
28 __u8 nfgen_family; /* AF_xxx */
29 __u8 version; /* nfnetlink version */
30 __be16 res_id; /* resource id */
31};
32
33#define NFNETLINK_V0 0
34
35/* netfilter netlink message types are split in two pieces:
36 * 8 bit subsystem, 8bit operation.
37 */
38
39#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8)
40#define NFNL_MSG_TYPE(x) (x & 0x00ff)
41
42/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
43 * won't work anymore */
44#define NFNL_SUBSYS_NONE 0
45#define NFNL_SUBSYS_CTNETLINK 1
46#define NFNL_SUBSYS_CTNETLINK_EXP 2
47#define NFNL_SUBSYS_QUEUE 3
48#define NFNL_SUBSYS_ULOG 4
49#define NFNL_SUBSYS_OSF 5
50#define NFNL_SUBSYS_IPSET 6
51#define NFNL_SUBSYS_ACCT 7
52#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8
53#define NFNL_SUBSYS_CTHELPER 9
54#define NFNL_SUBSYS_COUNT 10
55
56#endif /* _UAPI_NFNETLINK_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_acct.h b/include/uapi/linux/netfilter/nfnetlink_acct.h
new file mode 100644
index 000000000000..c7b6269e760b
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_acct.h
@@ -0,0 +1,27 @@
1#ifndef _UAPI_NFNL_ACCT_H_
2#define _UAPI_NFNL_ACCT_H_
3
4#ifndef NFACCT_NAME_MAX
5#define NFACCT_NAME_MAX 32
6#endif
7
8enum nfnl_acct_msg_types {
9 NFNL_MSG_ACCT_NEW,
10 NFNL_MSG_ACCT_GET,
11 NFNL_MSG_ACCT_GET_CTRZERO,
12 NFNL_MSG_ACCT_DEL,
13 NFNL_MSG_ACCT_MAX
14};
15
16enum nfnl_acct_type {
17 NFACCT_UNSPEC,
18 NFACCT_NAME,
19 NFACCT_PKTS,
20 NFACCT_BYTES,
21 NFACCT_USE,
22 __NFACCT_MAX
23};
24#define NFACCT_MAX (__NFACCT_MAX - 1)
25
26
27#endif /* _UAPI_NFNL_ACCT_H_ */
diff --git a/include/uapi/linux/netfilter/nfnetlink_compat.h b/include/uapi/linux/netfilter/nfnetlink_compat.h
new file mode 100644
index 000000000000..ffb95036bbd4
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_compat.h
@@ -0,0 +1,63 @@
1#ifndef _NFNETLINK_COMPAT_H
2#define _NFNETLINK_COMPAT_H
3
4#include <linux/types.h>
5
6#ifndef __KERNEL__
7/* Old nfnetlink macros for userspace */
8
9/* nfnetlink groups: Up to 32 maximum */
10#define NF_NETLINK_CONNTRACK_NEW 0x00000001
11#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002
12#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004
13#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
14#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
15#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
16
17/* Generic structure for encapsulation optional netfilter information.
18 * It is reminiscent of sockaddr, but with sa_family replaced
19 * with attribute type.
20 * ! This should someday be put somewhere generic as now rtnetlink and
21 * ! nfnetlink use the same attributes methods. - J. Schulist.
22 */
23
24struct nfattr {
25 __u16 nfa_len;
26 __u16 nfa_type; /* we use 15 bits for the type, and the highest
27 * bit to indicate whether the payload is nested */
28};
29
30/* FIXME: Apart from NFNL_NFA_NESTED shamelessly copy and pasted from
31 * rtnetlink.h, it's time to put this in a generic file */
32
33#define NFNL_NFA_NEST 0x8000
34#define NFA_TYPE(attr) ((attr)->nfa_type & 0x7fff)
35
36#define NFA_ALIGNTO 4
37#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
38#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
39 && (nfa)->nfa_len <= (len))
40#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
41 (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
42#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len))
43#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
44#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
45#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
46#define NFA_NEST(skb, type) \
47({ struct nfattr *__start = (struct nfattr *)skb_tail_pointer(skb); \
48 NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \
49 __start; })
50#define NFA_NEST_END(skb, start) \
51({ (start)->nfa_len = skb_tail_pointer(skb) - (unsigned char *)(start); \
52 (skb)->len; })
53#define NFA_NEST_CANCEL(skb, start) \
54({ if (start) \
55 skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
56 -1; })
57
58#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \
59 + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
60#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
61
62#endif /* ! __KERNEL__ */
63#endif /* _NFNETLINK_COMPAT_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
new file mode 100644
index 000000000000..43bfe3e1685b
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
@@ -0,0 +1,248 @@
1#ifndef _IPCONNTRACK_NETLINK_H
2#define _IPCONNTRACK_NETLINK_H
3#include <linux/netfilter/nfnetlink.h>
4
5enum cntl_msg_types {
6 IPCTNL_MSG_CT_NEW,
7 IPCTNL_MSG_CT_GET,
8 IPCTNL_MSG_CT_DELETE,
9 IPCTNL_MSG_CT_GET_CTRZERO,
10 IPCTNL_MSG_CT_GET_STATS_CPU,
11 IPCTNL_MSG_CT_GET_STATS,
12
13 IPCTNL_MSG_MAX
14};
15
16enum ctnl_exp_msg_types {
17 IPCTNL_MSG_EXP_NEW,
18 IPCTNL_MSG_EXP_GET,
19 IPCTNL_MSG_EXP_DELETE,
20 IPCTNL_MSG_EXP_GET_STATS_CPU,
21
22 IPCTNL_MSG_EXP_MAX
23};
24
25
26enum ctattr_type {
27 CTA_UNSPEC,
28 CTA_TUPLE_ORIG,
29 CTA_TUPLE_REPLY,
30 CTA_STATUS,
31 CTA_PROTOINFO,
32 CTA_HELP,
33 CTA_NAT_SRC,
34#define CTA_NAT CTA_NAT_SRC /* backwards compatibility */
35 CTA_TIMEOUT,
36 CTA_MARK,
37 CTA_COUNTERS_ORIG,
38 CTA_COUNTERS_REPLY,
39 CTA_USE,
40 CTA_ID,
41 CTA_NAT_DST,
42 CTA_TUPLE_MASTER,
43 CTA_NAT_SEQ_ADJ_ORIG,
44 CTA_NAT_SEQ_ADJ_REPLY,
45 CTA_SECMARK, /* obsolete */
46 CTA_ZONE,
47 CTA_SECCTX,
48 CTA_TIMESTAMP,
49 CTA_MARK_MASK,
50 __CTA_MAX
51};
52#define CTA_MAX (__CTA_MAX - 1)
53
54enum ctattr_tuple {
55 CTA_TUPLE_UNSPEC,
56 CTA_TUPLE_IP,
57 CTA_TUPLE_PROTO,
58 __CTA_TUPLE_MAX
59};
60#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)
61
62enum ctattr_ip {
63 CTA_IP_UNSPEC,
64 CTA_IP_V4_SRC,
65 CTA_IP_V4_DST,
66 CTA_IP_V6_SRC,
67 CTA_IP_V6_DST,
68 __CTA_IP_MAX
69};
70#define CTA_IP_MAX (__CTA_IP_MAX - 1)
71
72enum ctattr_l4proto {
73 CTA_PROTO_UNSPEC,
74 CTA_PROTO_NUM,
75 CTA_PROTO_SRC_PORT,
76 CTA_PROTO_DST_PORT,
77 CTA_PROTO_ICMP_ID,
78 CTA_PROTO_ICMP_TYPE,
79 CTA_PROTO_ICMP_CODE,
80 CTA_PROTO_ICMPV6_ID,
81 CTA_PROTO_ICMPV6_TYPE,
82 CTA_PROTO_ICMPV6_CODE,
83 __CTA_PROTO_MAX
84};
85#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)
86
87enum ctattr_protoinfo {
88 CTA_PROTOINFO_UNSPEC,
89 CTA_PROTOINFO_TCP,
90 CTA_PROTOINFO_DCCP,
91 CTA_PROTOINFO_SCTP,
92 __CTA_PROTOINFO_MAX
93};
94#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
95
96enum ctattr_protoinfo_tcp {
97 CTA_PROTOINFO_TCP_UNSPEC,
98 CTA_PROTOINFO_TCP_STATE,
99 CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
100 CTA_PROTOINFO_TCP_WSCALE_REPLY,
101 CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
102 CTA_PROTOINFO_TCP_FLAGS_REPLY,
103 __CTA_PROTOINFO_TCP_MAX
104};
105#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1)
106
107enum ctattr_protoinfo_dccp {
108 CTA_PROTOINFO_DCCP_UNSPEC,
109 CTA_PROTOINFO_DCCP_STATE,
110 CTA_PROTOINFO_DCCP_ROLE,
111 CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
112 __CTA_PROTOINFO_DCCP_MAX,
113};
114#define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
115
116enum ctattr_protoinfo_sctp {
117 CTA_PROTOINFO_SCTP_UNSPEC,
118 CTA_PROTOINFO_SCTP_STATE,
119 CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
120 CTA_PROTOINFO_SCTP_VTAG_REPLY,
121 __CTA_PROTOINFO_SCTP_MAX
122};
123#define CTA_PROTOINFO_SCTP_MAX (__CTA_PROTOINFO_SCTP_MAX - 1)
124
125enum ctattr_counters {
126 CTA_COUNTERS_UNSPEC,
127 CTA_COUNTERS_PACKETS, /* 64bit counters */
128 CTA_COUNTERS_BYTES, /* 64bit counters */
129 CTA_COUNTERS32_PACKETS, /* old 32bit counters, unused */
130 CTA_COUNTERS32_BYTES, /* old 32bit counters, unused */
131 __CTA_COUNTERS_MAX
132};
133#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
134
135enum ctattr_tstamp {
136 CTA_TIMESTAMP_UNSPEC,
137 CTA_TIMESTAMP_START,
138 CTA_TIMESTAMP_STOP,
139 __CTA_TIMESTAMP_MAX
140};
141#define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1)
142
143enum ctattr_nat {
144 CTA_NAT_UNSPEC,
145 CTA_NAT_V4_MINIP,
146#define CTA_NAT_MINIP CTA_NAT_V4_MINIP
147 CTA_NAT_V4_MAXIP,
148#define CTA_NAT_MAXIP CTA_NAT_V4_MAXIP
149 CTA_NAT_PROTO,
150 CTA_NAT_V6_MINIP,
151 CTA_NAT_V6_MAXIP,
152 __CTA_NAT_MAX
153};
154#define CTA_NAT_MAX (__CTA_NAT_MAX - 1)
155
156enum ctattr_protonat {
157 CTA_PROTONAT_UNSPEC,
158 CTA_PROTONAT_PORT_MIN,
159 CTA_PROTONAT_PORT_MAX,
160 __CTA_PROTONAT_MAX
161};
162#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1)
163
164enum ctattr_natseq {
165 CTA_NAT_SEQ_UNSPEC,
166 CTA_NAT_SEQ_CORRECTION_POS,
167 CTA_NAT_SEQ_OFFSET_BEFORE,
168 CTA_NAT_SEQ_OFFSET_AFTER,
169 __CTA_NAT_SEQ_MAX
170};
171#define CTA_NAT_SEQ_MAX (__CTA_NAT_SEQ_MAX - 1)
172
173enum ctattr_expect {
174 CTA_EXPECT_UNSPEC,
175 CTA_EXPECT_MASTER,
176 CTA_EXPECT_TUPLE,
177 CTA_EXPECT_MASK,
178 CTA_EXPECT_TIMEOUT,
179 CTA_EXPECT_ID,
180 CTA_EXPECT_HELP_NAME,
181 CTA_EXPECT_ZONE,
182 CTA_EXPECT_FLAGS,
183 CTA_EXPECT_CLASS,
184 CTA_EXPECT_NAT,
185 CTA_EXPECT_FN,
186 __CTA_EXPECT_MAX
187};
188#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
189
190enum ctattr_expect_nat {
191 CTA_EXPECT_NAT_UNSPEC,
192 CTA_EXPECT_NAT_DIR,
193 CTA_EXPECT_NAT_TUPLE,
194 __CTA_EXPECT_NAT_MAX
195};
196#define CTA_EXPECT_NAT_MAX (__CTA_EXPECT_NAT_MAX - 1)
197
198enum ctattr_help {
199 CTA_HELP_UNSPEC,
200 CTA_HELP_NAME,
201 CTA_HELP_INFO,
202 __CTA_HELP_MAX
203};
204#define CTA_HELP_MAX (__CTA_HELP_MAX - 1)
205
206enum ctattr_secctx {
207 CTA_SECCTX_UNSPEC,
208 CTA_SECCTX_NAME,
209 __CTA_SECCTX_MAX
210};
211#define CTA_SECCTX_MAX (__CTA_SECCTX_MAX - 1)
212
213enum ctattr_stats_cpu {
214 CTA_STATS_UNSPEC,
215 CTA_STATS_SEARCHED,
216 CTA_STATS_FOUND,
217 CTA_STATS_NEW,
218 CTA_STATS_INVALID,
219 CTA_STATS_IGNORE,
220 CTA_STATS_DELETE,
221 CTA_STATS_DELETE_LIST,
222 CTA_STATS_INSERT,
223 CTA_STATS_INSERT_FAILED,
224 CTA_STATS_DROP,
225 CTA_STATS_EARLY_DROP,
226 CTA_STATS_ERROR,
227 CTA_STATS_SEARCH_RESTART,
228 __CTA_STATS_MAX,
229};
230#define CTA_STATS_MAX (__CTA_STATS_MAX - 1)
231
232enum ctattr_stats_global {
233 CTA_STATS_GLOBAL_UNSPEC,
234 CTA_STATS_GLOBAL_ENTRIES,
235 __CTA_STATS_GLOBAL_MAX,
236};
237#define CTA_STATS_GLOBAL_MAX (__CTA_STATS_GLOBAL_MAX - 1)
238
239enum ctattr_expect_stats {
240 CTA_STATS_EXP_UNSPEC,
241 CTA_STATS_EXP_NEW,
242 CTA_STATS_EXP_CREATE,
243 CTA_STATS_EXP_DELETE,
244 __CTA_STATS_EXP_MAX,
245};
246#define CTA_STATS_EXP_MAX (__CTA_STATS_EXP_MAX - 1)
247
248#endif /* _IPCONNTRACK_NETLINK_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_cthelper.h b/include/uapi/linux/netfilter/nfnetlink_cthelper.h
new file mode 100644
index 000000000000..33659f6fad3e
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_cthelper.h
@@ -0,0 +1,55 @@
1#ifndef _NFNL_CTHELPER_H_
2#define _NFNL_CTHELPER_H_
3
4#define NFCT_HELPER_STATUS_DISABLED 0
5#define NFCT_HELPER_STATUS_ENABLED 1
6
7enum nfnl_acct_msg_types {
8 NFNL_MSG_CTHELPER_NEW,
9 NFNL_MSG_CTHELPER_GET,
10 NFNL_MSG_CTHELPER_DEL,
11 NFNL_MSG_CTHELPER_MAX
12};
13
14enum nfnl_cthelper_type {
15 NFCTH_UNSPEC,
16 NFCTH_NAME,
17 NFCTH_TUPLE,
18 NFCTH_QUEUE_NUM,
19 NFCTH_POLICY,
20 NFCTH_PRIV_DATA_LEN,
21 NFCTH_STATUS,
22 __NFCTH_MAX
23};
24#define NFCTH_MAX (__NFCTH_MAX - 1)
25
26enum nfnl_cthelper_policy_type {
27 NFCTH_POLICY_SET_UNSPEC,
28 NFCTH_POLICY_SET_NUM,
29 NFCTH_POLICY_SET,
30 NFCTH_POLICY_SET1 = NFCTH_POLICY_SET,
31 NFCTH_POLICY_SET2,
32 NFCTH_POLICY_SET3,
33 NFCTH_POLICY_SET4,
34 __NFCTH_POLICY_SET_MAX
35};
36#define NFCTH_POLICY_SET_MAX (__NFCTH_POLICY_SET_MAX - 1)
37
38enum nfnl_cthelper_pol_type {
39 NFCTH_POLICY_UNSPEC,
40 NFCTH_POLICY_NAME,
41 NFCTH_POLICY_EXPECT_MAX,
42 NFCTH_POLICY_EXPECT_TIMEOUT,
43 __NFCTH_POLICY_MAX
44};
45#define NFCTH_POLICY_MAX (__NFCTH_POLICY_MAX - 1)
46
47enum nfnl_cthelper_tuple_type {
48 NFCTH_TUPLE_UNSPEC,
49 NFCTH_TUPLE_L3PROTONUM,
50 NFCTH_TUPLE_L4PROTONUM,
51 __NFCTH_TUPLE_MAX,
52};
53#define NFCTH_TUPLE_MAX (__NFCTH_TUPLE_MAX - 1)
54
55#endif /* _NFNL_CTHELPER_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_cttimeout.h b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
new file mode 100644
index 000000000000..a2810a7c5e30
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
@@ -0,0 +1,114 @@
1#ifndef _CTTIMEOUT_NETLINK_H
2#define _CTTIMEOUT_NETLINK_H
3#include <linux/netfilter/nfnetlink.h>
4
5enum ctnl_timeout_msg_types {
6 IPCTNL_MSG_TIMEOUT_NEW,
7 IPCTNL_MSG_TIMEOUT_GET,
8 IPCTNL_MSG_TIMEOUT_DELETE,
9
10 IPCTNL_MSG_TIMEOUT_MAX
11};
12
13enum ctattr_timeout {
14 CTA_TIMEOUT_UNSPEC,
15 CTA_TIMEOUT_NAME,
16 CTA_TIMEOUT_L3PROTO,
17 CTA_TIMEOUT_L4PROTO,
18 CTA_TIMEOUT_DATA,
19 CTA_TIMEOUT_USE,
20 __CTA_TIMEOUT_MAX
21};
22#define CTA_TIMEOUT_MAX (__CTA_TIMEOUT_MAX - 1)
23
24enum ctattr_timeout_generic {
25 CTA_TIMEOUT_GENERIC_UNSPEC,
26 CTA_TIMEOUT_GENERIC_TIMEOUT,
27 __CTA_TIMEOUT_GENERIC_MAX
28};
29#define CTA_TIMEOUT_GENERIC_MAX (__CTA_TIMEOUT_GENERIC_MAX - 1)
30
31enum ctattr_timeout_tcp {
32 CTA_TIMEOUT_TCP_UNSPEC,
33 CTA_TIMEOUT_TCP_SYN_SENT,
34 CTA_TIMEOUT_TCP_SYN_RECV,
35 CTA_TIMEOUT_TCP_ESTABLISHED,
36 CTA_TIMEOUT_TCP_FIN_WAIT,
37 CTA_TIMEOUT_TCP_CLOSE_WAIT,
38 CTA_TIMEOUT_TCP_LAST_ACK,
39 CTA_TIMEOUT_TCP_TIME_WAIT,
40 CTA_TIMEOUT_TCP_CLOSE,
41 CTA_TIMEOUT_TCP_SYN_SENT2,
42 CTA_TIMEOUT_TCP_RETRANS,
43 CTA_TIMEOUT_TCP_UNACK,
44 __CTA_TIMEOUT_TCP_MAX
45};
46#define CTA_TIMEOUT_TCP_MAX (__CTA_TIMEOUT_TCP_MAX - 1)
47
48enum ctattr_timeout_udp {
49 CTA_TIMEOUT_UDP_UNSPEC,
50 CTA_TIMEOUT_UDP_UNREPLIED,
51 CTA_TIMEOUT_UDP_REPLIED,
52 __CTA_TIMEOUT_UDP_MAX
53};
54#define CTA_TIMEOUT_UDP_MAX (__CTA_TIMEOUT_UDP_MAX - 1)
55
56enum ctattr_timeout_udplite {
57 CTA_TIMEOUT_UDPLITE_UNSPEC,
58 CTA_TIMEOUT_UDPLITE_UNREPLIED,
59 CTA_TIMEOUT_UDPLITE_REPLIED,
60 __CTA_TIMEOUT_UDPLITE_MAX
61};
62#define CTA_TIMEOUT_UDPLITE_MAX (__CTA_TIMEOUT_UDPLITE_MAX - 1)
63
64enum ctattr_timeout_icmp {
65 CTA_TIMEOUT_ICMP_UNSPEC,
66 CTA_TIMEOUT_ICMP_TIMEOUT,
67 __CTA_TIMEOUT_ICMP_MAX
68};
69#define CTA_TIMEOUT_ICMP_MAX (__CTA_TIMEOUT_ICMP_MAX - 1)
70
71enum ctattr_timeout_dccp {
72 CTA_TIMEOUT_DCCP_UNSPEC,
73 CTA_TIMEOUT_DCCP_REQUEST,
74 CTA_TIMEOUT_DCCP_RESPOND,
75 CTA_TIMEOUT_DCCP_PARTOPEN,
76 CTA_TIMEOUT_DCCP_OPEN,
77 CTA_TIMEOUT_DCCP_CLOSEREQ,
78 CTA_TIMEOUT_DCCP_CLOSING,
79 CTA_TIMEOUT_DCCP_TIMEWAIT,
80 __CTA_TIMEOUT_DCCP_MAX
81};
82#define CTA_TIMEOUT_DCCP_MAX (__CTA_TIMEOUT_DCCP_MAX - 1)
83
84enum ctattr_timeout_sctp {
85 CTA_TIMEOUT_SCTP_UNSPEC,
86 CTA_TIMEOUT_SCTP_CLOSED,
87 CTA_TIMEOUT_SCTP_COOKIE_WAIT,
88 CTA_TIMEOUT_SCTP_COOKIE_ECHOED,
89 CTA_TIMEOUT_SCTP_ESTABLISHED,
90 CTA_TIMEOUT_SCTP_SHUTDOWN_SENT,
91 CTA_TIMEOUT_SCTP_SHUTDOWN_RECD,
92 CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
93 __CTA_TIMEOUT_SCTP_MAX
94};
95#define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1)
96
97enum ctattr_timeout_icmpv6 {
98 CTA_TIMEOUT_ICMPV6_UNSPEC,
99 CTA_TIMEOUT_ICMPV6_TIMEOUT,
100 __CTA_TIMEOUT_ICMPV6_MAX
101};
102#define CTA_TIMEOUT_ICMPV6_MAX (__CTA_TIMEOUT_ICMPV6_MAX - 1)
103
104enum ctattr_timeout_gre {
105 CTA_TIMEOUT_GRE_UNSPEC,
106 CTA_TIMEOUT_GRE_UNREPLIED,
107 CTA_TIMEOUT_GRE_REPLIED,
108 __CTA_TIMEOUT_GRE_MAX
109};
110#define CTA_TIMEOUT_GRE_MAX (__CTA_TIMEOUT_GRE_MAX - 1)
111
112#define CTNL_TIMEOUT_NAME_MAX 32
113
114#endif
diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
new file mode 100644
index 000000000000..90c2c9575bac
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_log.h
@@ -0,0 +1,97 @@
1#ifndef _NFNETLINK_LOG_H
2#define _NFNETLINK_LOG_H
3
4/* This file describes the netlink messages (i.e. 'protocol packets'),
5 * and not any kind of function definitions. It is shared between kernel and
6 * userspace. Don't put kernel specific stuff in here */
7
8#include <linux/types.h>
9#include <linux/netfilter/nfnetlink.h>
10
11enum nfulnl_msg_types {
12 NFULNL_MSG_PACKET, /* packet from kernel to userspace */
13 NFULNL_MSG_CONFIG, /* connect to a particular queue */
14
15 NFULNL_MSG_MAX
16};
17
18struct nfulnl_msg_packet_hdr {
19 __be16 hw_protocol; /* hw protocol (network order) */
20 __u8 hook; /* netfilter hook */
21 __u8 _pad;
22};
23
24struct nfulnl_msg_packet_hw {
25 __be16 hw_addrlen;
26 __u16 _pad;
27 __u8 hw_addr[8];
28};
29
30struct nfulnl_msg_packet_timestamp {
31 __aligned_be64 sec;
32 __aligned_be64 usec;
33};
34
35enum nfulnl_attr_type {
36 NFULA_UNSPEC,
37 NFULA_PACKET_HDR,
38 NFULA_MARK, /* __u32 nfmark */
39 NFULA_TIMESTAMP, /* nfulnl_msg_packet_timestamp */
40 NFULA_IFINDEX_INDEV, /* __u32 ifindex */
41 NFULA_IFINDEX_OUTDEV, /* __u32 ifindex */
42 NFULA_IFINDEX_PHYSINDEV, /* __u32 ifindex */
43 NFULA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */
44 NFULA_HWADDR, /* nfulnl_msg_packet_hw */
45 NFULA_PAYLOAD, /* opaque data payload */
46 NFULA_PREFIX, /* string prefix */
47 NFULA_UID, /* user id of socket */
48 NFULA_SEQ, /* instance-local sequence number */
49 NFULA_SEQ_GLOBAL, /* global sequence number */
50 NFULA_GID, /* group id of socket */
51 NFULA_HWTYPE, /* hardware type */
52 NFULA_HWHEADER, /* hardware header */
53 NFULA_HWLEN, /* hardware header length */
54
55 __NFULA_MAX
56};
57#define NFULA_MAX (__NFULA_MAX - 1)
58
59enum nfulnl_msg_config_cmds {
60 NFULNL_CFG_CMD_NONE,
61 NFULNL_CFG_CMD_BIND,
62 NFULNL_CFG_CMD_UNBIND,
63 NFULNL_CFG_CMD_PF_BIND,
64 NFULNL_CFG_CMD_PF_UNBIND,
65};
66
67struct nfulnl_msg_config_cmd {
68 __u8 command; /* nfulnl_msg_config_cmds */
69} __attribute__ ((packed));
70
71struct nfulnl_msg_config_mode {
72 __be32 copy_range;
73 __u8 copy_mode;
74 __u8 _pad;
75} __attribute__ ((packed));
76
77enum nfulnl_attr_config {
78 NFULA_CFG_UNSPEC,
79 NFULA_CFG_CMD, /* nfulnl_msg_config_cmd */
80 NFULA_CFG_MODE, /* nfulnl_msg_config_mode */
81 NFULA_CFG_NLBUFSIZ, /* __u32 buffer size */
82 NFULA_CFG_TIMEOUT, /* __u32 in 1/100 s */
83 NFULA_CFG_QTHRESH, /* __u32 */
84 NFULA_CFG_FLAGS, /* __u16 */
85 __NFULA_CFG_MAX
86};
87#define NFULA_CFG_MAX (__NFULA_CFG_MAX -1)
88
89#define NFULNL_COPY_NONE 0x00
90#define NFULNL_COPY_META 0x01
91#define NFULNL_COPY_PACKET 0x02
92/* 0xff is reserved, don't use it for new copy modes. */
93
94#define NFULNL_CFG_F_SEQ 0x0001
95#define NFULNL_CFG_F_SEQ_GLOBAL 0x0002
96
97#endif /* _NFNETLINK_LOG_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
new file mode 100644
index 000000000000..70ec8c2bc11a
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -0,0 +1,101 @@
1#ifndef _NFNETLINK_QUEUE_H
2#define _NFNETLINK_QUEUE_H
3
4#include <linux/types.h>
5#include <linux/netfilter/nfnetlink.h>
6
7enum nfqnl_msg_types {
8 NFQNL_MSG_PACKET, /* packet from kernel to userspace */
9 NFQNL_MSG_VERDICT, /* verdict from userspace to kernel */
10 NFQNL_MSG_CONFIG, /* connect to a particular queue */
11 NFQNL_MSG_VERDICT_BATCH, /* batchv from userspace to kernel */
12
13 NFQNL_MSG_MAX
14};
15
16struct nfqnl_msg_packet_hdr {
17 __be32 packet_id; /* unique ID of packet in queue */
18 __be16 hw_protocol; /* hw protocol (network order) */
19 __u8 hook; /* netfilter hook */
20} __attribute__ ((packed));
21
22struct nfqnl_msg_packet_hw {
23 __be16 hw_addrlen;
24 __u16 _pad;
25 __u8 hw_addr[8];
26};
27
28struct nfqnl_msg_packet_timestamp {
29 __aligned_be64 sec;
30 __aligned_be64 usec;
31};
32
33enum nfqnl_attr_type {
34 NFQA_UNSPEC,
35 NFQA_PACKET_HDR,
36 NFQA_VERDICT_HDR, /* nfqnl_msg_verdict_hrd */
37 NFQA_MARK, /* __u32 nfmark */
38 NFQA_TIMESTAMP, /* nfqnl_msg_packet_timestamp */
39 NFQA_IFINDEX_INDEV, /* __u32 ifindex */
40 NFQA_IFINDEX_OUTDEV, /* __u32 ifindex */
41 NFQA_IFINDEX_PHYSINDEV, /* __u32 ifindex */
42 NFQA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */
43 NFQA_HWADDR, /* nfqnl_msg_packet_hw */
44 NFQA_PAYLOAD, /* opaque data payload */
45 NFQA_CT, /* nf_conntrack_netlink.h */
46 NFQA_CT_INFO, /* enum ip_conntrack_info */
47 NFQA_CAP_LEN, /* __u32 length of captured packet */
48
49 __NFQA_MAX
50};
51#define NFQA_MAX (__NFQA_MAX - 1)
52
53struct nfqnl_msg_verdict_hdr {
54 __be32 verdict;
55 __be32 id;
56};
57
58
59enum nfqnl_msg_config_cmds {
60 NFQNL_CFG_CMD_NONE,
61 NFQNL_CFG_CMD_BIND,
62 NFQNL_CFG_CMD_UNBIND,
63 NFQNL_CFG_CMD_PF_BIND,
64 NFQNL_CFG_CMD_PF_UNBIND,
65};
66
67struct nfqnl_msg_config_cmd {
68 __u8 command; /* nfqnl_msg_config_cmds */
69 __u8 _pad;
70 __be16 pf; /* AF_xxx for PF_[UN]BIND */
71};
72
73enum nfqnl_config_mode {
74 NFQNL_COPY_NONE,
75 NFQNL_COPY_META,
76 NFQNL_COPY_PACKET,
77};
78
79struct nfqnl_msg_config_params {
80 __be32 copy_range;
81 __u8 copy_mode; /* enum nfqnl_config_mode */
82} __attribute__ ((packed));
83
84
85enum nfqnl_attr_config {
86 NFQA_CFG_UNSPEC,
87 NFQA_CFG_CMD, /* nfqnl_msg_config_cmd */
88 NFQA_CFG_PARAMS, /* nfqnl_msg_config_params */
89 NFQA_CFG_QUEUE_MAXLEN, /* __u32 */
90 NFQA_CFG_MASK, /* identify which flags to change */
91 NFQA_CFG_FLAGS, /* value of these flags (__u32) */
92 __NFQA_CFG_MAX
93};
94#define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
95
96/* Flags for NFQA_CFG_FLAGS */
97#define NFQA_CFG_F_FAIL_OPEN (1 << 0)
98#define NFQA_CFG_F_CONNTRACK (1 << 1)
99#define NFQA_CFG_F_MAX (1 << 2)
100
101#endif /* _NFNETLINK_QUEUE_H */
diff --git a/include/uapi/linux/netfilter/x_tables.h b/include/uapi/linux/netfilter/x_tables.h
new file mode 100644
index 000000000000..c36969b91533
--- /dev/null
+++ b/include/uapi/linux/netfilter/x_tables.h
@@ -0,0 +1,187 @@
1#ifndef _UAPI_X_TABLES_H
2#define _UAPI_X_TABLES_H
3#include <linux/kernel.h>
4#include <linux/types.h>
5
6#define XT_FUNCTION_MAXNAMELEN 30
7#define XT_EXTENSION_MAXNAMELEN 29
8#define XT_TABLE_MAXNAMELEN 32
9
10struct xt_entry_match {
11 union {
12 struct {
13 __u16 match_size;
14
15 /* Used by userspace */
16 char name[XT_EXTENSION_MAXNAMELEN];
17 __u8 revision;
18 } user;
19 struct {
20 __u16 match_size;
21
22 /* Used inside the kernel */
23 struct xt_match *match;
24 } kernel;
25
26 /* Total length */
27 __u16 match_size;
28 } u;
29
30 unsigned char data[0];
31};
32
33struct xt_entry_target {
34 union {
35 struct {
36 __u16 target_size;
37
38 /* Used by userspace */
39 char name[XT_EXTENSION_MAXNAMELEN];
40 __u8 revision;
41 } user;
42 struct {
43 __u16 target_size;
44
45 /* Used inside the kernel */
46 struct xt_target *target;
47 } kernel;
48
49 /* Total length */
50 __u16 target_size;
51 } u;
52
53 unsigned char data[0];
54};
55
56#define XT_TARGET_INIT(__name, __size) \
57{ \
58 .target.u.user = { \
59 .target_size = XT_ALIGN(__size), \
60 .name = __name, \
61 }, \
62}
63
64struct xt_standard_target {
65 struct xt_entry_target target;
66 int verdict;
67};
68
69struct xt_error_target {
70 struct xt_entry_target target;
71 char errorname[XT_FUNCTION_MAXNAMELEN];
72};
73
74/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
75 * kernel supports, if >= revision. */
76struct xt_get_revision {
77 char name[XT_EXTENSION_MAXNAMELEN];
78 __u8 revision;
79};
80
81/* CONTINUE verdict for targets */
82#define XT_CONTINUE 0xFFFFFFFF
83
84/* For standard target */
85#define XT_RETURN (-NF_REPEAT - 1)
86
87/* this is a dummy structure to find out the alignment requirement for a struct
88 * containing all the fundamental data types that are used in ipt_entry,
89 * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my
90 * personal pleasure to remove it -HW
91 */
92struct _xt_align {
93 __u8 u8;
94 __u16 u16;
95 __u32 u32;
96 __u64 u64;
97};
98
99#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
100
101/* Standard return verdict, or do jump. */
102#define XT_STANDARD_TARGET ""
103/* Error verdict. */
104#define XT_ERROR_TARGET "ERROR"
105
106#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
107#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
108
109struct xt_counters {
110 __u64 pcnt, bcnt; /* Packet and byte counters */
111};
112
113/* The argument to IPT_SO_ADD_COUNTERS. */
114struct xt_counters_info {
115 /* Which table. */
116 char name[XT_TABLE_MAXNAMELEN];
117
118 unsigned int num_counters;
119
120 /* The counters (actually `number' of these). */
121 struct xt_counters counters[0];
122};
123
124#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
125
126#ifndef __KERNEL__
127/* fn returns 0 to continue iteration */
128#define XT_MATCH_ITERATE(type, e, fn, args...) \
129({ \
130 unsigned int __i; \
131 int __ret = 0; \
132 struct xt_entry_match *__m; \
133 \
134 for (__i = sizeof(type); \
135 __i < (e)->target_offset; \
136 __i += __m->u.match_size) { \
137 __m = (void *)e + __i; \
138 \
139 __ret = fn(__m , ## args); \
140 if (__ret != 0) \
141 break; \
142 } \
143 __ret; \
144})
145
146/* fn returns 0 to continue iteration */
147#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
148({ \
149 unsigned int __i, __n; \
150 int __ret = 0; \
151 type *__entry; \
152 \
153 for (__i = 0, __n = 0; __i < (size); \
154 __i += __entry->next_offset, __n++) { \
155 __entry = (void *)(entries) + __i; \
156 if (__n < n) \
157 continue; \
158 \
159 __ret = fn(__entry , ## args); \
160 if (__ret != 0) \
161 break; \
162 } \
163 __ret; \
164})
165
166/* fn returns 0 to continue iteration */
167#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
168 XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
169
170#endif /* !__KERNEL__ */
171
172/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
173#define xt_entry_foreach(pos, ehead, esize) \
174 for ((pos) = (typeof(pos))(ehead); \
175 (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
176 (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
177
178/* can only be xt_entry_match, so no use of typeof here */
179#define xt_ematch_foreach(pos, entry) \
180 for ((pos) = (struct xt_entry_match *)entry->elems; \
181 (pos) < (struct xt_entry_match *)((char *)(entry) + \
182 (entry)->target_offset); \
183 (pos) = (struct xt_entry_match *)((char *)(pos) + \
184 (pos)->u.match_size))
185
186
187#endif /* _UAPI_X_TABLES_H */
diff --git a/include/uapi/linux/netfilter/xt_AUDIT.h b/include/uapi/linux/netfilter/xt_AUDIT.h
new file mode 100644
index 000000000000..38751d2ea52b
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_AUDIT.h
@@ -0,0 +1,30 @@
1/*
2 * Header file for iptables xt_AUDIT target
3 *
4 * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
5 * (C) 2010-2011 Red Hat, Inc.
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
10 */
11
12#ifndef _XT_AUDIT_TARGET_H
13#define _XT_AUDIT_TARGET_H
14
15#include <linux/types.h>
16
17enum {
18 XT_AUDIT_TYPE_ACCEPT = 0,
19 XT_AUDIT_TYPE_DROP,
20 XT_AUDIT_TYPE_REJECT,
21 __XT_AUDIT_TYPE_MAX,
22};
23
24#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)
25
26struct xt_audit_info {
27 __u8 type; /* XT_AUDIT_TYPE_* */
28};
29
30#endif /* _XT_AUDIT_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_CHECKSUM.h b/include/uapi/linux/netfilter/xt_CHECKSUM.h
new file mode 100644
index 000000000000..9a2e4661654e
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CHECKSUM.h
@@ -0,0 +1,20 @@
1/* Header file for iptables ipt_CHECKSUM target
2 *
3 * (C) 2002 by Harald Welte <laforge@gnumonks.org>
4 * (C) 2010 Red Hat Inc
5 * Author: Michael S. Tsirkin <mst@redhat.com>
6 *
7 * This software is distributed under GNU GPL v2, 1991
8*/
9#ifndef _XT_CHECKSUM_TARGET_H
10#define _XT_CHECKSUM_TARGET_H
11
12#include <linux/types.h>
13
14#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */
15
16struct xt_CHECKSUM_info {
17 __u8 operation; /* bitset of operations */
18};
19
20#endif /* _XT_CHECKSUM_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_CLASSIFY.h b/include/uapi/linux/netfilter/xt_CLASSIFY.h
new file mode 100644
index 000000000000..a813bf14dd63
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CLASSIFY.h
@@ -0,0 +1,10 @@
1#ifndef _XT_CLASSIFY_H
2#define _XT_CLASSIFY_H
3
4#include <linux/types.h>
5
6struct xt_classify_target_info {
7 __u32 priority;
8};
9
10#endif /*_XT_CLASSIFY_H */
diff --git a/include/uapi/linux/netfilter/xt_CONNMARK.h b/include/uapi/linux/netfilter/xt_CONNMARK.h
new file mode 100644
index 000000000000..2f2e48ec8023
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CONNMARK.h
@@ -0,0 +1,6 @@
1#ifndef _XT_CONNMARK_H_target
2#define _XT_CONNMARK_H_target
3
4#include <linux/netfilter/xt_connmark.h>
5
6#endif /*_XT_CONNMARK_H_target*/
diff --git a/include/uapi/linux/netfilter/xt_CONNSECMARK.h b/include/uapi/linux/netfilter/xt_CONNSECMARK.h
new file mode 100644
index 000000000000..b973ff80fa1e
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CONNSECMARK.h
@@ -0,0 +1,15 @@
1#ifndef _XT_CONNSECMARK_H_target
2#define _XT_CONNSECMARK_H_target
3
4#include <linux/types.h>
5
6enum {
7 CONNSECMARK_SAVE = 1,
8 CONNSECMARK_RESTORE,
9};
10
11struct xt_connsecmark_target_info {
12 __u8 mode;
13};
14
15#endif /*_XT_CONNSECMARK_H_target */
diff --git a/include/uapi/linux/netfilter/xt_CT.h b/include/uapi/linux/netfilter/xt_CT.h
new file mode 100644
index 000000000000..a064b8af360c
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CT.h
@@ -0,0 +1,31 @@
1#ifndef _XT_CT_H
2#define _XT_CT_H
3
4#include <linux/types.h>
5
6#define XT_CT_NOTRACK 0x1
7
8struct xt_ct_target_info {
9 __u16 flags;
10 __u16 zone;
11 __u32 ct_events;
12 __u32 exp_events;
13 char helper[16];
14
15 /* Used internally by the kernel */
16 struct nf_conn *ct __attribute__((aligned(8)));
17};
18
19struct xt_ct_target_info_v1 {
20 __u16 flags;
21 __u16 zone;
22 __u32 ct_events;
23 __u32 exp_events;
24 char helper[16];
25 char timeout[32];
26
27 /* Used internally by the kernel */
28 struct nf_conn *ct __attribute__((aligned(8)));
29};
30
31#endif /* _XT_CT_H */
diff --git a/include/uapi/linux/netfilter/xt_DSCP.h b/include/uapi/linux/netfilter/xt_DSCP.h
new file mode 100644
index 000000000000..648e0b3bed29
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_DSCP.h
@@ -0,0 +1,26 @@
1/* x_tables module for setting the IPv4/IPv6 DSCP field
2 *
3 * (C) 2002 Harald Welte <laforge@gnumonks.org>
4 * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
5 * This software is distributed under GNU GPL v2, 1991
6 *
7 * See RFC2474 for a description of the DSCP field within the IP Header.
8 *
9 * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
10*/
11#ifndef _XT_DSCP_TARGET_H
12#define _XT_DSCP_TARGET_H
13#include <linux/netfilter/xt_dscp.h>
14#include <linux/types.h>
15
16/* target info */
17struct xt_DSCP_info {
18 __u8 dscp;
19};
20
21struct xt_tos_target_info {
22 __u8 tos_value;
23 __u8 tos_mask;
24};
25
26#endif /* _XT_DSCP_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_IDLETIMER.h b/include/uapi/linux/netfilter/xt_IDLETIMER.h
new file mode 100644
index 000000000000..208ae9387331
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_IDLETIMER.h
@@ -0,0 +1,45 @@
1/*
2 * linux/include/linux/netfilter/xt_IDLETIMER.h
3 *
4 * Header file for Xtables timer target module.
5 *
6 * Copyright (C) 2004, 2010 Nokia Corporation
7 * Written by Timo Teras <ext-timo.teras@nokia.com>
8 *
9 * Converted to x_tables and forward-ported to 2.6.34
10 * by Luciano Coelho <luciano.coelho@nokia.com>
11 *
12 * Contact: Luciano Coelho <luciano.coelho@nokia.com>
13 *
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * version 2 as published by the Free Software Foundation.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
21 * General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
26 * 02110-1301 USA
27 */
28
29#ifndef _XT_IDLETIMER_H
30#define _XT_IDLETIMER_H
31
32#include <linux/types.h>
33
34#define MAX_IDLETIMER_LABEL_SIZE 28
35
36struct idletimer_tg_info {
37 __u32 timeout;
38
39 char label[MAX_IDLETIMER_LABEL_SIZE];
40
41 /* for kernel module internal use only */
42 struct idletimer_tg *timer __attribute__((aligned(8)));
43};
44
45#endif
diff --git a/include/uapi/linux/netfilter/xt_LED.h b/include/uapi/linux/netfilter/xt_LED.h
new file mode 100644
index 000000000000..f5509e7524d3
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_LED.h
@@ -0,0 +1,15 @@
1#ifndef _XT_LED_H
2#define _XT_LED_H
3
4#include <linux/types.h>
5
6struct xt_led_info {
7 char id[27]; /* Unique ID for this trigger in the LED class */
8 __u8 always_blink; /* Blink even if the LED is already on */
9 __u32 delay; /* Delay until LED is switched off after trigger */
10
11 /* Kernel data used in the module */
12 void *internal_data __attribute__((aligned(8)));
13};
14
15#endif /* _XT_LED_H */
diff --git a/include/uapi/linux/netfilter/xt_LOG.h b/include/uapi/linux/netfilter/xt_LOG.h
new file mode 100644
index 000000000000..cac079095305
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_LOG.h
@@ -0,0 +1,19 @@
1#ifndef _XT_LOG_H
2#define _XT_LOG_H
3
4/* make sure not to change this without changing nf_log.h:NF_LOG_* (!) */
5#define XT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
6#define XT_LOG_TCPOPT 0x02 /* Log TCP options */
7#define XT_LOG_IPOPT 0x04 /* Log IP options */
8#define XT_LOG_UID 0x08 /* Log UID owning local socket */
9#define XT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
10#define XT_LOG_MACDECODE 0x20 /* Decode MAC header */
11#define XT_LOG_MASK 0x2f
12
13struct xt_log_info {
14 unsigned char level;
15 unsigned char logflags;
16 char prefix[30];
17};
18
19#endif /* _XT_LOG_H */
diff --git a/include/uapi/linux/netfilter/xt_MARK.h b/include/uapi/linux/netfilter/xt_MARK.h
new file mode 100644
index 000000000000..41c456deba22
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_MARK.h
@@ -0,0 +1,6 @@
1#ifndef _XT_MARK_H_target
2#define _XT_MARK_H_target
3
4#include <linux/netfilter/xt_mark.h>
5
6#endif /*_XT_MARK_H_target */
diff --git a/include/uapi/linux/netfilter/xt_NFLOG.h b/include/uapi/linux/netfilter/xt_NFLOG.h
new file mode 100644
index 000000000000..87b58311ce6b
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_NFLOG.h
@@ -0,0 +1,20 @@
1#ifndef _XT_NFLOG_TARGET
2#define _XT_NFLOG_TARGET
3
4#include <linux/types.h>
5
6#define XT_NFLOG_DEFAULT_GROUP 0x1
7#define XT_NFLOG_DEFAULT_THRESHOLD 0
8
9#define XT_NFLOG_MASK 0x0
10
11struct xt_nflog_info {
12 __u32 len;
13 __u16 group;
14 __u16 threshold;
15 __u16 flags;
16 __u16 pad;
17 char prefix[64];
18};
19
20#endif /* _XT_NFLOG_TARGET */
diff --git a/include/uapi/linux/netfilter/xt_NFQUEUE.h b/include/uapi/linux/netfilter/xt_NFQUEUE.h
new file mode 100644
index 000000000000..9eafdbbb401c
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_NFQUEUE.h
@@ -0,0 +1,29 @@
1/* iptables module for using NFQUEUE mechanism
2 *
3 * (C) 2005 Harald Welte <laforge@netfilter.org>
4 *
5 * This software is distributed under GNU GPL v2, 1991
6 *
7*/
8#ifndef _XT_NFQ_TARGET_H
9#define _XT_NFQ_TARGET_H
10
11#include <linux/types.h>
12
13/* target info */
14struct xt_NFQ_info {
15 __u16 queuenum;
16};
17
18struct xt_NFQ_info_v1 {
19 __u16 queuenum;
20 __u16 queues_total;
21};
22
23struct xt_NFQ_info_v2 {
24 __u16 queuenum;
25 __u16 queues_total;
26 __u16 bypass;
27};
28
29#endif /* _XT_NFQ_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_RATEEST.h b/include/uapi/linux/netfilter/xt_RATEEST.h
new file mode 100644
index 000000000000..6605e20ad8cf
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_RATEEST.h
@@ -0,0 +1,15 @@
1#ifndef _XT_RATEEST_TARGET_H
2#define _XT_RATEEST_TARGET_H
3
4#include <linux/types.h>
5
6struct xt_rateest_target_info {
7 char name[IFNAMSIZ];
8 __s8 interval;
9 __u8 ewma_log;
10
11 /* Used internally by the kernel */
12 struct xt_rateest *est __attribute__((aligned(8)));
13};
14
15#endif /* _XT_RATEEST_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h
new file mode 100644
index 000000000000..989092bd6274
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_SECMARK.h
@@ -0,0 +1,22 @@
1#ifndef _XT_SECMARK_H_target
2#define _XT_SECMARK_H_target
3
4#include <linux/types.h>
5
6/*
7 * This is intended for use by various security subsystems (but not
8 * at the same time).
9 *
10 * 'mode' refers to the specific security subsystem which the
11 * packets are being marked for.
12 */
13#define SECMARK_MODE_SEL 0x01 /* SELinux */
14#define SECMARK_SECCTX_MAX 256
15
16struct xt_secmark_target_info {
17 __u8 mode;
18 __u32 secid;
19 char secctx[SECMARK_SECCTX_MAX];
20};
21
22#endif /*_XT_SECMARK_H_target */
diff --git a/include/uapi/linux/netfilter/xt_TCPMSS.h b/include/uapi/linux/netfilter/xt_TCPMSS.h
new file mode 100644
index 000000000000..9a6960afc134
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TCPMSS.h
@@ -0,0 +1,12 @@
1#ifndef _XT_TCPMSS_H
2#define _XT_TCPMSS_H
3
4#include <linux/types.h>
5
6struct xt_tcpmss_info {
7 __u16 mss;
8};
9
10#define XT_TCPMSS_CLAMP_PMTU 0xffff
11
12#endif /* _XT_TCPMSS_H */
diff --git a/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
new file mode 100644
index 000000000000..7157318499c2
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
@@ -0,0 +1,15 @@
1#ifndef _XT_TCPOPTSTRIP_H
2#define _XT_TCPOPTSTRIP_H
3
4#include <linux/types.h>
5
6#define tcpoptstrip_set_bit(bmap, idx) \
7 (bmap[(idx) >> 5] |= 1U << (idx & 31))
8#define tcpoptstrip_test_bit(bmap, idx) \
9 (((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0)
10
11struct xt_tcpoptstrip_target_info {
12 __u32 strip_bmap[8];
13};
14
15#endif /* _XT_TCPOPTSTRIP_H */
diff --git a/include/uapi/linux/netfilter/xt_TEE.h b/include/uapi/linux/netfilter/xt_TEE.h
new file mode 100644
index 000000000000..5c21d5c829af
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TEE.h
@@ -0,0 +1,12 @@
1#ifndef _XT_TEE_TARGET_H
2#define _XT_TEE_TARGET_H
3
4struct xt_tee_tginfo {
5 union nf_inet_addr gw;
6 char oif[16];
7
8 /* used internally by the kernel */
9 struct xt_tee_priv *priv __attribute__((aligned(8)));
10};
11
12#endif /* _XT_TEE_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_TPROXY.h b/include/uapi/linux/netfilter/xt_TPROXY.h
new file mode 100644
index 000000000000..902043c2073f
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TPROXY.h
@@ -0,0 +1,23 @@
1#ifndef _XT_TPROXY_H
2#define _XT_TPROXY_H
3
4#include <linux/types.h>
5
6/* TPROXY target is capable of marking the packet to perform
7 * redirection. We can get rid of that whenever we get support for
8 * mutliple targets in the same rule. */
9struct xt_tproxy_target_info {
10 __u32 mark_mask;
11 __u32 mark_value;
12 __be32 laddr;
13 __be16 lport;
14};
15
16struct xt_tproxy_target_info_v1 {
17 __u32 mark_mask;
18 __u32 mark_value;
19 union nf_inet_addr laddr;
20 __be16 lport;
21};
22
23#endif /* _XT_TPROXY_H */
diff --git a/include/uapi/linux/netfilter/xt_addrtype.h b/include/uapi/linux/netfilter/xt_addrtype.h
new file mode 100644
index 000000000000..b156baa9d55e
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_addrtype.h
@@ -0,0 +1,44 @@
1#ifndef _XT_ADDRTYPE_H
2#define _XT_ADDRTYPE_H
3
4#include <linux/types.h>
5
6enum {
7 XT_ADDRTYPE_INVERT_SOURCE = 0x0001,
8 XT_ADDRTYPE_INVERT_DEST = 0x0002,
9 XT_ADDRTYPE_LIMIT_IFACE_IN = 0x0004,
10 XT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008,
11};
12
13
14/* rtn_type enum values from rtnetlink.h, but shifted */
15enum {
16 XT_ADDRTYPE_UNSPEC = 1 << 0,
17 XT_ADDRTYPE_UNICAST = 1 << 1, /* 1 << RTN_UNICAST */
18 XT_ADDRTYPE_LOCAL = 1 << 2, /* 1 << RTN_LOCAL, etc */
19 XT_ADDRTYPE_BROADCAST = 1 << 3,
20 XT_ADDRTYPE_ANYCAST = 1 << 4,
21 XT_ADDRTYPE_MULTICAST = 1 << 5,
22 XT_ADDRTYPE_BLACKHOLE = 1 << 6,
23 XT_ADDRTYPE_UNREACHABLE = 1 << 7,
24 XT_ADDRTYPE_PROHIBIT = 1 << 8,
25 XT_ADDRTYPE_THROW = 1 << 9,
26 XT_ADDRTYPE_NAT = 1 << 10,
27 XT_ADDRTYPE_XRESOLVE = 1 << 11,
28};
29
30struct xt_addrtype_info_v1 {
31 __u16 source; /* source-type mask */
32 __u16 dest; /* dest-type mask */
33 __u32 flags;
34};
35
36/* revision 0 */
37struct xt_addrtype_info {
38 __u16 source; /* source-type mask */
39 __u16 dest; /* dest-type mask */
40 __u32 invert_source;
41 __u32 invert_dest;
42};
43
44#endif
diff --git a/include/uapi/linux/netfilter/xt_cluster.h b/include/uapi/linux/netfilter/xt_cluster.h
new file mode 100644
index 000000000000..9b883c8fbf54
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_cluster.h
@@ -0,0 +1,19 @@
1#ifndef _XT_CLUSTER_MATCH_H
2#define _XT_CLUSTER_MATCH_H
3
4#include <linux/types.h>
5
6enum xt_cluster_flags {
7 XT_CLUSTER_F_INV = (1 << 0)
8};
9
10struct xt_cluster_match_info {
11 __u32 total_nodes;
12 __u32 node_mask;
13 __u32 hash_seed;
14 __u32 flags;
15};
16
17#define XT_CLUSTER_NODES_MAX 32
18
19#endif /* _XT_CLUSTER_MATCH_H */
diff --git a/include/uapi/linux/netfilter/xt_comment.h b/include/uapi/linux/netfilter/xt_comment.h
new file mode 100644
index 000000000000..0ea5e79f5bd7
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_comment.h
@@ -0,0 +1,10 @@
1#ifndef _XT_COMMENT_H
2#define _XT_COMMENT_H
3
4#define XT_MAX_COMMENT_LEN 256
5
6struct xt_comment_info {
7 char comment[XT_MAX_COMMENT_LEN];
8};
9
10#endif /* XT_COMMENT_H */
diff --git a/include/uapi/linux/netfilter/xt_connbytes.h b/include/uapi/linux/netfilter/xt_connbytes.h
new file mode 100644
index 000000000000..f1d6c15bd9e3
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_connbytes.h
@@ -0,0 +1,26 @@
1#ifndef _XT_CONNBYTES_H
2#define _XT_CONNBYTES_H
3
4#include <linux/types.h>
5
6enum xt_connbytes_what {
7 XT_CONNBYTES_PKTS,
8 XT_CONNBYTES_BYTES,
9 XT_CONNBYTES_AVGPKT,
10};
11
12enum xt_connbytes_direction {
13 XT_CONNBYTES_DIR_ORIGINAL,
14 XT_CONNBYTES_DIR_REPLY,
15 XT_CONNBYTES_DIR_BOTH,
16};
17
18struct xt_connbytes_info {
19 struct {
20 __aligned_u64 from; /* count to be matched */
21 __aligned_u64 to; /* count to be matched */
22 } count;
23 __u8 what; /* ipt_connbytes_what */
24 __u8 direction; /* ipt_connbytes_direction */
25};
26#endif
diff --git a/include/uapi/linux/netfilter/xt_connlimit.h b/include/uapi/linux/netfilter/xt_connlimit.h
new file mode 100644
index 000000000000..f1656096121e
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_connlimit.h
@@ -0,0 +1,32 @@
1#ifndef _XT_CONNLIMIT_H
2#define _XT_CONNLIMIT_H
3
4#include <linux/types.h>
5#include <linux/netfilter.h>
6
7struct xt_connlimit_data;
8
9enum {
10 XT_CONNLIMIT_INVERT = 1 << 0,
11 XT_CONNLIMIT_DADDR = 1 << 1,
12};
13
14struct xt_connlimit_info {
15 union {
16 union nf_inet_addr mask;
17#ifndef __KERNEL__
18 union {
19 __be32 v4_mask;
20 __be32 v6_mask[4];
21 };
22#endif
23 };
24 unsigned int limit;
25 /* revision 1 */
26 __u32 flags;
27
28 /* Used internally by the kernel */
29 struct xt_connlimit_data *data __attribute__((aligned(8)));
30};
31
32#endif /* _XT_CONNLIMIT_H */
diff --git a/include/uapi/linux/netfilter/xt_connmark.h b/include/uapi/linux/netfilter/xt_connmark.h
new file mode 100644
index 000000000000..efc17a8305fb
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_connmark.h
@@ -0,0 +1,31 @@
1#ifndef _XT_CONNMARK_H
2#define _XT_CONNMARK_H
3
4#include <linux/types.h>
5
6/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
7 * by Henrik Nordstrom <hno@marasystems.com>
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 */
14
15enum {
16 XT_CONNMARK_SET = 0,
17 XT_CONNMARK_SAVE,
18 XT_CONNMARK_RESTORE
19};
20
21struct xt_connmark_tginfo1 {
22 __u32 ctmark, ctmask, nfmask;
23 __u8 mode;
24};
25
26struct xt_connmark_mtinfo1 {
27 __u32 mark, mask;
28 __u8 invert;
29};
30
31#endif /*_XT_CONNMARK_H*/
diff --git a/include/uapi/linux/netfilter/xt_conntrack.h b/include/uapi/linux/netfilter/xt_conntrack.h
new file mode 100644
index 000000000000..e3c041d54020
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_conntrack.h
@@ -0,0 +1,77 @@
1/* Header file for kernel module to match connection tracking information.
2 * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
3 */
4
5#ifndef _XT_CONNTRACK_H
6#define _XT_CONNTRACK_H
7
8#include <linux/types.h>
9#include <linux/netfilter.h>
10#include <linux/netfilter/nf_conntrack_tuple_common.h>
11
12#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
13#define XT_CONNTRACK_STATE_INVALID (1 << 0)
14
15#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
16#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
17#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
18
19/* flags, invflags: */
20enum {
21 XT_CONNTRACK_STATE = 1 << 0,
22 XT_CONNTRACK_PROTO = 1 << 1,
23 XT_CONNTRACK_ORIGSRC = 1 << 2,
24 XT_CONNTRACK_ORIGDST = 1 << 3,
25 XT_CONNTRACK_REPLSRC = 1 << 4,
26 XT_CONNTRACK_REPLDST = 1 << 5,
27 XT_CONNTRACK_STATUS = 1 << 6,
28 XT_CONNTRACK_EXPIRES = 1 << 7,
29 XT_CONNTRACK_ORIGSRC_PORT = 1 << 8,
30 XT_CONNTRACK_ORIGDST_PORT = 1 << 9,
31 XT_CONNTRACK_REPLSRC_PORT = 1 << 10,
32 XT_CONNTRACK_REPLDST_PORT = 1 << 11,
33 XT_CONNTRACK_DIRECTION = 1 << 12,
34};
35
36struct xt_conntrack_mtinfo1 {
37 union nf_inet_addr origsrc_addr, origsrc_mask;
38 union nf_inet_addr origdst_addr, origdst_mask;
39 union nf_inet_addr replsrc_addr, replsrc_mask;
40 union nf_inet_addr repldst_addr, repldst_mask;
41 __u32 expires_min, expires_max;
42 __u16 l4proto;
43 __be16 origsrc_port, origdst_port;
44 __be16 replsrc_port, repldst_port;
45 __u16 match_flags, invert_flags;
46 __u8 state_mask, status_mask;
47};
48
49struct xt_conntrack_mtinfo2 {
50 union nf_inet_addr origsrc_addr, origsrc_mask;
51 union nf_inet_addr origdst_addr, origdst_mask;
52 union nf_inet_addr replsrc_addr, replsrc_mask;
53 union nf_inet_addr repldst_addr, repldst_mask;
54 __u32 expires_min, expires_max;
55 __u16 l4proto;
56 __be16 origsrc_port, origdst_port;
57 __be16 replsrc_port, repldst_port;
58 __u16 match_flags, invert_flags;
59 __u16 state_mask, status_mask;
60};
61
62struct xt_conntrack_mtinfo3 {
63 union nf_inet_addr origsrc_addr, origsrc_mask;
64 union nf_inet_addr origdst_addr, origdst_mask;
65 union nf_inet_addr replsrc_addr, replsrc_mask;
66 union nf_inet_addr repldst_addr, repldst_mask;
67 __u32 expires_min, expires_max;
68 __u16 l4proto;
69 __u16 origsrc_port, origdst_port;
70 __u16 replsrc_port, repldst_port;
71 __u16 match_flags, invert_flags;
72 __u16 state_mask, status_mask;
73 __u16 origsrc_port_high, origdst_port_high;
74 __u16 replsrc_port_high, repldst_port_high;
75};
76
77#endif /*_XT_CONNTRACK_H*/
diff --git a/include/uapi/linux/netfilter/xt_cpu.h b/include/uapi/linux/netfilter/xt_cpu.h
new file mode 100644
index 000000000000..93c7f11d8f42
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_cpu.h
@@ -0,0 +1,11 @@
1#ifndef _XT_CPU_H
2#define _XT_CPU_H
3
4#include <linux/types.h>
5
6struct xt_cpu_info {
7 __u32 cpu;
8 __u32 invert;
9};
10
11#endif /*_XT_CPU_H*/
diff --git a/include/uapi/linux/netfilter/xt_dccp.h b/include/uapi/linux/netfilter/xt_dccp.h
new file mode 100644
index 000000000000..a579e1b6f040
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_dccp.h
@@ -0,0 +1,25 @@
1#ifndef _XT_DCCP_H_
2#define _XT_DCCP_H_
3
4#include <linux/types.h>
5
6#define XT_DCCP_SRC_PORTS 0x01
7#define XT_DCCP_DEST_PORTS 0x02
8#define XT_DCCP_TYPE 0x04
9#define XT_DCCP_OPTION 0x08
10
11#define XT_DCCP_VALID_FLAGS 0x0f
12
13struct xt_dccp_info {
14 __u16 dpts[2]; /* Min, Max */
15 __u16 spts[2]; /* Min, Max */
16
17 __u16 flags;
18 __u16 invflags;
19
20 __u16 typemask;
21 __u8 option;
22};
23
24#endif /* _XT_DCCP_H_ */
25
diff --git a/include/uapi/linux/netfilter/xt_devgroup.h b/include/uapi/linux/netfilter/xt_devgroup.h
new file mode 100644
index 000000000000..1babde0ec900
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_devgroup.h
@@ -0,0 +1,21 @@
1#ifndef _XT_DEVGROUP_H
2#define _XT_DEVGROUP_H
3
4#include <linux/types.h>
5
6enum xt_devgroup_flags {
7 XT_DEVGROUP_MATCH_SRC = 0x1,
8 XT_DEVGROUP_INVERT_SRC = 0x2,
9 XT_DEVGROUP_MATCH_DST = 0x4,
10 XT_DEVGROUP_INVERT_DST = 0x8,
11};
12
13struct xt_devgroup_info {
14 __u32 flags;
15 __u32 src_group;
16 __u32 src_mask;
17 __u32 dst_group;
18 __u32 dst_mask;
19};
20
21#endif /* _XT_DEVGROUP_H */
diff --git a/include/uapi/linux/netfilter/xt_dscp.h b/include/uapi/linux/netfilter/xt_dscp.h
new file mode 100644
index 000000000000..15f8932ad5ce
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_dscp.h
@@ -0,0 +1,31 @@
1/* x_tables module for matching the IPv4/IPv6 DSCP field
2 *
3 * (C) 2002 Harald Welte <laforge@gnumonks.org>
4 * This software is distributed under GNU GPL v2, 1991
5 *
6 * See RFC2474 for a description of the DSCP field within the IP Header.
7 *
8 * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
9*/
10#ifndef _XT_DSCP_H
11#define _XT_DSCP_H
12
13#include <linux/types.h>
14
15#define XT_DSCP_MASK 0xfc /* 11111100 */
16#define XT_DSCP_SHIFT 2
17#define XT_DSCP_MAX 0x3f /* 00111111 */
18
19/* match info */
20struct xt_dscp_info {
21 __u8 dscp;
22 __u8 invert;
23};
24
25struct xt_tos_match_info {
26 __u8 tos_mask;
27 __u8 tos_value;
28 __u8 invert;
29};
30
31#endif /* _XT_DSCP_H */
diff --git a/include/uapi/linux/netfilter/xt_ecn.h b/include/uapi/linux/netfilter/xt_ecn.h
new file mode 100644
index 000000000000..7158fca364f2
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_ecn.h
@@ -0,0 +1,35 @@
1/* iptables module for matching the ECN header in IPv4 and TCP header
2 *
3 * (C) 2002 Harald Welte <laforge@gnumonks.org>
4 *
5 * This software is distributed under GNU GPL v2, 1991
6 *
7 * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
8*/
9#ifndef _XT_ECN_H
10#define _XT_ECN_H
11
12#include <linux/types.h>
13#include <linux/netfilter/xt_dscp.h>
14
15#define XT_ECN_IP_MASK (~XT_DSCP_MASK)
16
17#define XT_ECN_OP_MATCH_IP 0x01
18#define XT_ECN_OP_MATCH_ECE 0x10
19#define XT_ECN_OP_MATCH_CWR 0x20
20
21#define XT_ECN_OP_MATCH_MASK 0xce
22
23/* match info */
24struct xt_ecn_info {
25 __u8 operation;
26 __u8 invert;
27 __u8 ip_ect;
28 union {
29 struct {
30 __u8 ect;
31 } tcp;
32 } proto;
33};
34
35#endif /* _XT_ECN_H */
diff --git a/include/uapi/linux/netfilter/xt_esp.h b/include/uapi/linux/netfilter/xt_esp.h
new file mode 100644
index 000000000000..ee6882408000
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_esp.h
@@ -0,0 +1,15 @@
1#ifndef _XT_ESP_H
2#define _XT_ESP_H
3
4#include <linux/types.h>
5
6struct xt_esp {
7 __u32 spis[2]; /* Security Parameter Index */
8 __u8 invflags; /* Inverse flags */
9};
10
11/* Values for "invflags" field in struct xt_esp. */
12#define XT_ESP_INV_SPI 0x01 /* Invert the sense of spi. */
13#define XT_ESP_INV_MASK 0x01 /* All possible flags. */
14
15#endif /*_XT_ESP_H*/
diff --git a/include/uapi/linux/netfilter/xt_hashlimit.h b/include/uapi/linux/netfilter/xt_hashlimit.h
new file mode 100644
index 000000000000..cbfc43d1af68
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_hashlimit.h
@@ -0,0 +1,73 @@
1#ifndef _UAPI_XT_HASHLIMIT_H
2#define _UAPI_XT_HASHLIMIT_H
3
4#include <linux/types.h>
5
6/* timings are in milliseconds. */
7#define XT_HASHLIMIT_SCALE 10000
8/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
9 * seconds, or one packet every 59 hours.
10 */
11
12/* packet length accounting is done in 16-byte steps */
13#define XT_HASHLIMIT_BYTE_SHIFT 4
14
15/* details of this structure hidden by the implementation */
16struct xt_hashlimit_htable;
17
18enum {
19 XT_HASHLIMIT_HASH_DIP = 1 << 0,
20 XT_HASHLIMIT_HASH_DPT = 1 << 1,
21 XT_HASHLIMIT_HASH_SIP = 1 << 2,
22 XT_HASHLIMIT_HASH_SPT = 1 << 3,
23 XT_HASHLIMIT_INVERT = 1 << 4,
24 XT_HASHLIMIT_BYTES = 1 << 5,
25};
26
27struct hashlimit_cfg {
28 __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
29 __u32 avg; /* Average secs between packets * scale */
30 __u32 burst; /* Period multiplier for upper limit. */
31
32 /* user specified */
33 __u32 size; /* how many buckets */
34 __u32 max; /* max number of entries */
35 __u32 gc_interval; /* gc interval */
36 __u32 expire; /* when do entries expire? */
37};
38
39struct xt_hashlimit_info {
40 char name [IFNAMSIZ]; /* name */
41 struct hashlimit_cfg cfg;
42
43 /* Used internally by the kernel */
44 struct xt_hashlimit_htable *hinfo;
45 union {
46 void *ptr;
47 struct xt_hashlimit_info *master;
48 } u;
49};
50
51struct hashlimit_cfg1 {
52 __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
53 __u32 avg; /* Average secs between packets * scale */
54 __u32 burst; /* Period multiplier for upper limit. */
55
56 /* user specified */
57 __u32 size; /* how many buckets */
58 __u32 max; /* max number of entries */
59 __u32 gc_interval; /* gc interval */
60 __u32 expire; /* when do entries expire? */
61
62 __u8 srcmask, dstmask;
63};
64
65struct xt_hashlimit_mtinfo1 {
66 char name[IFNAMSIZ];
67 struct hashlimit_cfg1 cfg;
68
69 /* Used internally by the kernel */
70 struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
71};
72
73#endif /* _UAPI_XT_HASHLIMIT_H */
diff --git a/include/uapi/linux/netfilter/xt_helper.h b/include/uapi/linux/netfilter/xt_helper.h
new file mode 100644
index 000000000000..6b42763f999d
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_helper.h
@@ -0,0 +1,8 @@
1#ifndef _XT_HELPER_H
2#define _XT_HELPER_H
3
4struct xt_helper_info {
5 int invert;
6 char name[30];
7};
8#endif /* _XT_HELPER_H */
diff --git a/include/uapi/linux/netfilter/xt_iprange.h b/include/uapi/linux/netfilter/xt_iprange.h
new file mode 100644
index 000000000000..25fd7cf851f0
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_iprange.h
@@ -0,0 +1,20 @@
1#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
2#define _LINUX_NETFILTER_XT_IPRANGE_H 1
3
4#include <linux/types.h>
5#include <linux/netfilter.h>
6
7enum {
8 IPRANGE_SRC = 1 << 0, /* match source IP address */
9 IPRANGE_DST = 1 << 1, /* match destination IP address */
10 IPRANGE_SRC_INV = 1 << 4, /* negate the condition */
11 IPRANGE_DST_INV = 1 << 5, /* -"- */
12};
13
14struct xt_iprange_mtinfo {
15 union nf_inet_addr src_min, src_max;
16 union nf_inet_addr dst_min, dst_max;
17 __u8 flags;
18};
19
20#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */
diff --git a/include/uapi/linux/netfilter/xt_ipvs.h b/include/uapi/linux/netfilter/xt_ipvs.h
new file mode 100644
index 000000000000..eff34ac18808
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_ipvs.h
@@ -0,0 +1,29 @@
1#ifndef _XT_IPVS_H
2#define _XT_IPVS_H
3
4#include <linux/types.h>
5
6enum {
7 XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */
8 XT_IPVS_PROTO = 1 << 1,
9 XT_IPVS_VADDR = 1 << 2,
10 XT_IPVS_VPORT = 1 << 3,
11 XT_IPVS_DIR = 1 << 4,
12 XT_IPVS_METHOD = 1 << 5,
13 XT_IPVS_VPORTCTL = 1 << 6,
14 XT_IPVS_MASK = (1 << 7) - 1,
15 XT_IPVS_ONCE_MASK = XT_IPVS_MASK & ~XT_IPVS_IPVS_PROPERTY
16};
17
18struct xt_ipvs_mtinfo {
19 union nf_inet_addr vaddr, vmask;
20 __be16 vport;
21 __u8 l4proto;
22 __u8 fwd_method;
23 __be16 vportctl;
24
25 __u8 invert;
26 __u8 bitmask;
27};
28
29#endif /* _XT_IPVS_H */
diff --git a/include/uapi/linux/netfilter/xt_length.h b/include/uapi/linux/netfilter/xt_length.h
new file mode 100644
index 000000000000..b82ed7c4b1e0
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_length.h
@@ -0,0 +1,11 @@
1#ifndef _XT_LENGTH_H
2#define _XT_LENGTH_H
3
4#include <linux/types.h>
5
6struct xt_length_info {
7 __u16 min, max;
8 __u8 invert;
9};
10
11#endif /*_XT_LENGTH_H*/
diff --git a/include/uapi/linux/netfilter/xt_limit.h b/include/uapi/linux/netfilter/xt_limit.h
new file mode 100644
index 000000000000..bb47fc4d2ade
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_limit.h
@@ -0,0 +1,24 @@
1#ifndef _XT_RATE_H
2#define _XT_RATE_H
3
4#include <linux/types.h>
5
6/* timings are in milliseconds. */
7#define XT_LIMIT_SCALE 10000
8
9struct xt_limit_priv;
10
11/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
12 seconds, or one every 59 hours. */
13struct xt_rateinfo {
14 __u32 avg; /* Average secs between packets * scale */
15 __u32 burst; /* Period multiplier for upper limit. */
16
17 /* Used internally by the kernel */
18 unsigned long prev; /* moved to xt_limit_priv */
19 __u32 credit; /* moved to xt_limit_priv */
20 __u32 credit_cap, cost;
21
22 struct xt_limit_priv *master;
23};
24#endif /*_XT_RATE_H*/
diff --git a/include/uapi/linux/netfilter/xt_mac.h b/include/uapi/linux/netfilter/xt_mac.h
new file mode 100644
index 000000000000..b892cdc67e06
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_mac.h
@@ -0,0 +1,8 @@
1#ifndef _XT_MAC_H
2#define _XT_MAC_H
3
4struct xt_mac_info {
5 unsigned char srcaddr[ETH_ALEN];
6 int invert;
7};
8#endif /*_XT_MAC_H*/
diff --git a/include/uapi/linux/netfilter/xt_mark.h b/include/uapi/linux/netfilter/xt_mark.h
new file mode 100644
index 000000000000..ecadc40d5cde
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_mark.h
@@ -0,0 +1,15 @@
1#ifndef _XT_MARK_H
2#define _XT_MARK_H
3
4#include <linux/types.h>
5
6struct xt_mark_tginfo2 {
7 __u32 mark, mask;
8};
9
10struct xt_mark_mtinfo1 {
11 __u32 mark, mask;
12 __u8 invert;
13};
14
15#endif /*_XT_MARK_H*/
diff --git a/include/uapi/linux/netfilter/xt_multiport.h b/include/uapi/linux/netfilter/xt_multiport.h
new file mode 100644
index 000000000000..5b7e72dfffc5
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_multiport.h
@@ -0,0 +1,29 @@
1#ifndef _XT_MULTIPORT_H
2#define _XT_MULTIPORT_H
3
4#include <linux/types.h>
5
6enum xt_multiport_flags {
7 XT_MULTIPORT_SOURCE,
8 XT_MULTIPORT_DESTINATION,
9 XT_MULTIPORT_EITHER
10};
11
12#define XT_MULTI_PORTS 15
13
14/* Must fit inside union xt_matchinfo: 16 bytes */
15struct xt_multiport {
16 __u8 flags; /* Type of comparison */
17 __u8 count; /* Number of ports */
18 __u16 ports[XT_MULTI_PORTS]; /* Ports */
19};
20
21struct xt_multiport_v1 {
22 __u8 flags; /* Type of comparison */
23 __u8 count; /* Number of ports */
24 __u16 ports[XT_MULTI_PORTS]; /* Ports */
25 __u8 pflags[XT_MULTI_PORTS]; /* Port flags */
26 __u8 invert; /* Invert flag */
27};
28
29#endif /*_XT_MULTIPORT_H*/
diff --git a/include/uapi/linux/netfilter/xt_nfacct.h b/include/uapi/linux/netfilter/xt_nfacct.h
new file mode 100644
index 000000000000..3e19c8a86576
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_nfacct.h
@@ -0,0 +1,13 @@
1#ifndef _XT_NFACCT_MATCH_H
2#define _XT_NFACCT_MATCH_H
3
4#include <linux/netfilter/nfnetlink_acct.h>
5
6struct nf_acct;
7
8struct xt_nfacct_match_info {
9 char name[NFACCT_NAME_MAX];
10 struct nf_acct *nfacct;
11};
12
13#endif /* _XT_NFACCT_MATCH_H */
diff --git a/include/uapi/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h
new file mode 100644
index 000000000000..18afa495f973
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_osf.h
@@ -0,0 +1,135 @@
1/*
2 * Copyright (c) 2003+ Evgeniy Polyakov <johnpol@2ka.mxt.ru>
3 *
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18 */
19
20#ifndef _XT_OSF_H
21#define _XT_OSF_H
22
23#include <linux/types.h>
24
25#define MAXGENRELEN 32
26
27#define XT_OSF_GENRE (1<<0)
28#define XT_OSF_TTL (1<<1)
29#define XT_OSF_LOG (1<<2)
30#define XT_OSF_INVERT (1<<3)
31
32#define XT_OSF_LOGLEVEL_ALL 0 /* log all matched fingerprints */
33#define XT_OSF_LOGLEVEL_FIRST 1 /* log only the first matced fingerprint */
34#define XT_OSF_LOGLEVEL_ALL_KNOWN 2 /* do not log unknown packets */
35
36#define XT_OSF_TTL_TRUE 0 /* True ip and fingerprint TTL comparison */
37#define XT_OSF_TTL_LESS 1 /* Check if ip TTL is less than fingerprint one */
38#define XT_OSF_TTL_NOCHECK 2 /* Do not compare ip and fingerprint TTL at all */
39
40struct xt_osf_info {
41 char genre[MAXGENRELEN];
42 __u32 len;
43 __u32 flags;
44 __u32 loglevel;
45 __u32 ttl;
46};
47
48/*
49 * Wildcard MSS (kind of).
50 * It is used to implement a state machine for the different wildcard values
51 * of the MSS and window sizes.
52 */
53struct xt_osf_wc {
54 __u32 wc;
55 __u32 val;
56};
57
58/*
59 * This struct represents IANA options
60 * http://www.iana.org/assignments/tcp-parameters
61 */
62struct xt_osf_opt {
63 __u16 kind, length;
64 struct xt_osf_wc wc;
65};
66
67struct xt_osf_user_finger {
68 struct xt_osf_wc wss;
69
70 __u8 ttl, df;
71 __u16 ss, mss;
72 __u16 opt_num;
73
74 char genre[MAXGENRELEN];
75 char version[MAXGENRELEN];
76 char subtype[MAXGENRELEN];
77
78 /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
79 struct xt_osf_opt opt[MAX_IPOPTLEN];
80};
81
82struct xt_osf_nlmsg {
83 struct xt_osf_user_finger f;
84 struct iphdr ip;
85 struct tcphdr tcp;
86};
87
88/* Defines for IANA option kinds */
89
90enum iana_options {
91 OSFOPT_EOL = 0, /* End of options */
92 OSFOPT_NOP, /* NOP */
93 OSFOPT_MSS, /* Maximum segment size */
94 OSFOPT_WSO, /* Window scale option */
95 OSFOPT_SACKP, /* SACK permitted */
96 OSFOPT_SACK, /* SACK */
97 OSFOPT_ECHO,
98 OSFOPT_ECHOREPLY,
99 OSFOPT_TS, /* Timestamp option */
100 OSFOPT_POCP, /* Partial Order Connection Permitted */
101 OSFOPT_POSP, /* Partial Order Service Profile */
102
103 /* Others are not used in the current OSF */
104 OSFOPT_EMPTY = 255,
105};
106
107/*
108 * Initial window size option state machine: multiple of mss, mtu or
109 * plain numeric value. Can also be made as plain numeric value which
110 * is not a multiple of specified value.
111 */
112enum xt_osf_window_size_options {
113 OSF_WSS_PLAIN = 0,
114 OSF_WSS_MSS,
115 OSF_WSS_MTU,
116 OSF_WSS_MODULO,
117 OSF_WSS_MAX,
118};
119
120/*
121 * Add/remove fingerprint from the kernel.
122 */
123enum xt_osf_msg_types {
124 OSF_MSG_ADD,
125 OSF_MSG_REMOVE,
126 OSF_MSG_MAX,
127};
128
129enum xt_osf_attr_type {
130 OSF_ATTR_UNSPEC,
131 OSF_ATTR_FINGER,
132 OSF_ATTR_MAX,
133};
134
135#endif /* _XT_OSF_H */
diff --git a/include/uapi/linux/netfilter/xt_owner.h b/include/uapi/linux/netfilter/xt_owner.h
new file mode 100644
index 000000000000..2081761714b5
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_owner.h
@@ -0,0 +1,18 @@
1#ifndef _XT_OWNER_MATCH_H
2#define _XT_OWNER_MATCH_H
3
4#include <linux/types.h>
5
6enum {
7 XT_OWNER_UID = 1 << 0,
8 XT_OWNER_GID = 1 << 1,
9 XT_OWNER_SOCKET = 1 << 2,
10};
11
12struct xt_owner_match_info {
13 __u32 uid_min, uid_max;
14 __u32 gid_min, gid_max;
15 __u8 match, invert;
16};
17
18#endif /* _XT_OWNER_MATCH_H */
diff --git a/include/uapi/linux/netfilter/xt_physdev.h b/include/uapi/linux/netfilter/xt_physdev.h
new file mode 100644
index 000000000000..db7a2982e9c0
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_physdev.h
@@ -0,0 +1,23 @@
1#ifndef _UAPI_XT_PHYSDEV_H
2#define _UAPI_XT_PHYSDEV_H
3
4#include <linux/types.h>
5
6
7#define XT_PHYSDEV_OP_IN 0x01
8#define XT_PHYSDEV_OP_OUT 0x02
9#define XT_PHYSDEV_OP_BRIDGED 0x04
10#define XT_PHYSDEV_OP_ISIN 0x08
11#define XT_PHYSDEV_OP_ISOUT 0x10
12#define XT_PHYSDEV_OP_MASK (0x20 - 1)
13
14struct xt_physdev_info {
15 char physindev[IFNAMSIZ];
16 char in_mask[IFNAMSIZ];
17 char physoutdev[IFNAMSIZ];
18 char out_mask[IFNAMSIZ];
19 __u8 invert;
20 __u8 bitmask;
21};
22
23#endif /* _UAPI_XT_PHYSDEV_H */
diff --git a/include/uapi/linux/netfilter/xt_pkttype.h b/include/uapi/linux/netfilter/xt_pkttype.h
new file mode 100644
index 000000000000..f265cf52faea
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_pkttype.h
@@ -0,0 +1,8 @@
1#ifndef _XT_PKTTYPE_H
2#define _XT_PKTTYPE_H
3
4struct xt_pkttype_info {
5 int pkttype;
6 int invert;
7};
8#endif /*_XT_PKTTYPE_H*/
diff --git a/include/uapi/linux/netfilter/xt_policy.h b/include/uapi/linux/netfilter/xt_policy.h
new file mode 100644
index 000000000000..be8ead05c316
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_policy.h
@@ -0,0 +1,69 @@
1#ifndef _XT_POLICY_H
2#define _XT_POLICY_H
3
4#include <linux/types.h>
5
6#define XT_POLICY_MAX_ELEM 4
7
8enum xt_policy_flags {
9 XT_POLICY_MATCH_IN = 0x1,
10 XT_POLICY_MATCH_OUT = 0x2,
11 XT_POLICY_MATCH_NONE = 0x4,
12 XT_POLICY_MATCH_STRICT = 0x8,
13};
14
15enum xt_policy_modes {
16 XT_POLICY_MODE_TRANSPORT,
17 XT_POLICY_MODE_TUNNEL
18};
19
20struct xt_policy_spec {
21 __u8 saddr:1,
22 daddr:1,
23 proto:1,
24 mode:1,
25 spi:1,
26 reqid:1;
27};
28
29#ifndef __KERNEL__
30union xt_policy_addr {
31 struct in_addr a4;
32 struct in6_addr a6;
33};
34#endif
35
36struct xt_policy_elem {
37 union {
38#ifdef __KERNEL__
39 struct {
40 union nf_inet_addr saddr;
41 union nf_inet_addr smask;
42 union nf_inet_addr daddr;
43 union nf_inet_addr dmask;
44 };
45#else
46 struct {
47 union xt_policy_addr saddr;
48 union xt_policy_addr smask;
49 union xt_policy_addr daddr;
50 union xt_policy_addr dmask;
51 };
52#endif
53 };
54 __be32 spi;
55 __u32 reqid;
56 __u8 proto;
57 __u8 mode;
58
59 struct xt_policy_spec match;
60 struct xt_policy_spec invert;
61};
62
63struct xt_policy_info {
64 struct xt_policy_elem pol[XT_POLICY_MAX_ELEM];
65 __u16 flags;
66 __u16 len;
67};
68
69#endif /* _XT_POLICY_H */
diff --git a/include/uapi/linux/netfilter/xt_quota.h b/include/uapi/linux/netfilter/xt_quota.h
new file mode 100644
index 000000000000..9314723f39ca
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_quota.h
@@ -0,0 +1,22 @@
1#ifndef _XT_QUOTA_H
2#define _XT_QUOTA_H
3
4#include <linux/types.h>
5
6enum xt_quota_flags {
7 XT_QUOTA_INVERT = 0x1,
8};
9#define XT_QUOTA_MASK 0x1
10
11struct xt_quota_priv;
12
13struct xt_quota_info {
14 __u32 flags;
15 __u32 pad;
16 __aligned_u64 quota;
17
18 /* Used internally by the kernel */
19 struct xt_quota_priv *master;
20};
21
22#endif /* _XT_QUOTA_H */
diff --git a/include/uapi/linux/netfilter/xt_rateest.h b/include/uapi/linux/netfilter/xt_rateest.h
new file mode 100644
index 000000000000..d40a6196842a
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_rateest.h
@@ -0,0 +1,37 @@
1#ifndef _XT_RATEEST_MATCH_H
2#define _XT_RATEEST_MATCH_H
3
4#include <linux/types.h>
5
6enum xt_rateest_match_flags {
7 XT_RATEEST_MATCH_INVERT = 1<<0,
8 XT_RATEEST_MATCH_ABS = 1<<1,
9 XT_RATEEST_MATCH_REL = 1<<2,
10 XT_RATEEST_MATCH_DELTA = 1<<3,
11 XT_RATEEST_MATCH_BPS = 1<<4,
12 XT_RATEEST_MATCH_PPS = 1<<5,
13};
14
15enum xt_rateest_match_mode {
16 XT_RATEEST_MATCH_NONE,
17 XT_RATEEST_MATCH_EQ,
18 XT_RATEEST_MATCH_LT,
19 XT_RATEEST_MATCH_GT,
20};
21
22struct xt_rateest_match_info {
23 char name1[IFNAMSIZ];
24 char name2[IFNAMSIZ];
25 __u16 flags;
26 __u16 mode;
27 __u32 bps1;
28 __u32 pps1;
29 __u32 bps2;
30 __u32 pps2;
31
32 /* Used internally by the kernel */
33 struct xt_rateest *est1 __attribute__((aligned(8)));
34 struct xt_rateest *est2 __attribute__((aligned(8)));
35};
36
37#endif /* _XT_RATEEST_MATCH_H */
diff --git a/include/uapi/linux/netfilter/xt_realm.h b/include/uapi/linux/netfilter/xt_realm.h
new file mode 100644
index 000000000000..d4a82ee56a02
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_realm.h
@@ -0,0 +1,12 @@
1#ifndef _XT_REALM_H
2#define _XT_REALM_H
3
4#include <linux/types.h>
5
6struct xt_realm_info {
7 __u32 id;
8 __u32 mask;
9 __u8 invert;
10};
11
12#endif /* _XT_REALM_H */
diff --git a/include/uapi/linux/netfilter/xt_recent.h b/include/uapi/linux/netfilter/xt_recent.h
new file mode 100644
index 000000000000..6ef36c113e89
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_recent.h
@@ -0,0 +1,45 @@
1#ifndef _LINUX_NETFILTER_XT_RECENT_H
2#define _LINUX_NETFILTER_XT_RECENT_H 1
3
4#include <linux/types.h>
5
6enum {
7 XT_RECENT_CHECK = 1 << 0,
8 XT_RECENT_SET = 1 << 1,
9 XT_RECENT_UPDATE = 1 << 2,
10 XT_RECENT_REMOVE = 1 << 3,
11 XT_RECENT_TTL = 1 << 4,
12 XT_RECENT_REAP = 1 << 5,
13
14 XT_RECENT_SOURCE = 0,
15 XT_RECENT_DEST = 1,
16
17 XT_RECENT_NAME_LEN = 200,
18};
19
20/* Only allowed with --rcheck and --update */
21#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
22
23#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
24 XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
25
26struct xt_recent_mtinfo {
27 __u32 seconds;
28 __u32 hit_count;
29 __u8 check_set;
30 __u8 invert;
31 char name[XT_RECENT_NAME_LEN];
32 __u8 side;
33};
34
35struct xt_recent_mtinfo_v1 {
36 __u32 seconds;
37 __u32 hit_count;
38 __u8 check_set;
39 __u8 invert;
40 char name[XT_RECENT_NAME_LEN];
41 __u8 side;
42 union nf_inet_addr mask;
43};
44
45#endif /* _LINUX_NETFILTER_XT_RECENT_H */
diff --git a/include/uapi/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h
new file mode 100644
index 000000000000..29287be696a2
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_sctp.h
@@ -0,0 +1,92 @@
1#ifndef _XT_SCTP_H_
2#define _XT_SCTP_H_
3
4#include <linux/types.h>
5
6#define XT_SCTP_SRC_PORTS 0x01
7#define XT_SCTP_DEST_PORTS 0x02
8#define XT_SCTP_CHUNK_TYPES 0x04
9
10#define XT_SCTP_VALID_FLAGS 0x07
11
12struct xt_sctp_flag_info {
13 __u8 chunktype;
14 __u8 flag;
15 __u8 flag_mask;
16};
17
18#define XT_NUM_SCTP_FLAGS 4
19
20struct xt_sctp_info {
21 __u16 dpts[2]; /* Min, Max */
22 __u16 spts[2]; /* Min, Max */
23
24 __u32 chunkmap[256 / sizeof (__u32)]; /* Bit mask of chunks to be matched according to RFC 2960 */
25
26#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */
27#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */
28#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */
29
30 __u32 chunk_match_type;
31 struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS];
32 int flag_count;
33
34 __u32 flags;
35 __u32 invflags;
36};
37
38#define bytes(type) (sizeof(type) * 8)
39
40#define SCTP_CHUNKMAP_SET(chunkmap, type) \
41 do { \
42 (chunkmap)[type / bytes(__u32)] |= \
43 1 << (type % bytes(__u32)); \
44 } while (0)
45
46#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
47 do { \
48 (chunkmap)[type / bytes(__u32)] &= \
49 ~(1 << (type % bytes(__u32))); \
50 } while (0)
51
52#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
53({ \
54 ((chunkmap)[type / bytes (__u32)] & \
55 (1 << (type % bytes (__u32)))) ? 1: 0; \
56})
57
58#define SCTP_CHUNKMAP_RESET(chunkmap) \
59 memset((chunkmap), 0, sizeof(chunkmap))
60
61#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
62 memset((chunkmap), ~0U, sizeof(chunkmap))
63
64#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
65 memcpy((destmap), (srcmap), sizeof(srcmap))
66
67#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
68 __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap))
69static inline bool
70__sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n)
71{
72 unsigned int i;
73 for (i = 0; i < n; ++i)
74 if (chunkmap[i])
75 return false;
76 return true;
77}
78
79#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
80 __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
81static inline bool
82__sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n)
83{
84 unsigned int i;
85 for (i = 0; i < n; ++i)
86 if (chunkmap[i] != ~0U)
87 return false;
88 return true;
89}
90
91#endif /* _XT_SCTP_H_ */
92
diff --git a/include/uapi/linux/netfilter/xt_set.h b/include/uapi/linux/netfilter/xt_set.h
new file mode 100644
index 000000000000..e3a9978f259f
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_set.h
@@ -0,0 +1,65 @@
1#ifndef _XT_SET_H
2#define _XT_SET_H
3
4#include <linux/types.h>
5#include <linux/netfilter/ipset/ip_set.h>
6
7/* Revision 0 interface: backward compatible with netfilter/iptables */
8
9/*
10 * Option flags for kernel operations (xt_set_info_v0)
11 */
12#define IPSET_SRC 0x01 /* Source match/add */
13#define IPSET_DST 0x02 /* Destination match/add */
14#define IPSET_MATCH_INV 0x04 /* Inverse matching */
15
16struct xt_set_info_v0 {
17 ip_set_id_t index;
18 union {
19 __u32 flags[IPSET_DIM_MAX + 1];
20 struct {
21 __u32 __flags[IPSET_DIM_MAX];
22 __u8 dim;
23 __u8 flags;
24 } compat;
25 } u;
26};
27
28/* match and target infos */
29struct xt_set_info_match_v0 {
30 struct xt_set_info_v0 match_set;
31};
32
33struct xt_set_info_target_v0 {
34 struct xt_set_info_v0 add_set;
35 struct xt_set_info_v0 del_set;
36};
37
38/* Revision 1 match and target */
39
40struct xt_set_info {
41 ip_set_id_t index;
42 __u8 dim;
43 __u8 flags;
44};
45
46/* match and target infos */
47struct xt_set_info_match_v1 {
48 struct xt_set_info match_set;
49};
50
51struct xt_set_info_target_v1 {
52 struct xt_set_info add_set;
53 struct xt_set_info del_set;
54};
55
56/* Revision 2 target */
57
58struct xt_set_info_target_v2 {
59 struct xt_set_info add_set;
60 struct xt_set_info del_set;
61 __u32 flags;
62 __u32 timeout;
63};
64
65#endif /*_XT_SET_H*/
diff --git a/include/uapi/linux/netfilter/xt_socket.h b/include/uapi/linux/netfilter/xt_socket.h
new file mode 100644
index 000000000000..26d7217bd4f1
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_socket.h
@@ -0,0 +1,14 @@
1#ifndef _XT_SOCKET_H
2#define _XT_SOCKET_H
3
4#include <linux/types.h>
5
6enum {
7 XT_SOCKET_TRANSPARENT = 1 << 0,
8};
9
10struct xt_socket_mtinfo1 {
11 __u8 flags;
12};
13
14#endif /* _XT_SOCKET_H */
diff --git a/include/uapi/linux/netfilter/xt_state.h b/include/uapi/linux/netfilter/xt_state.h
new file mode 100644
index 000000000000..7b32de886613
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_state.h
@@ -0,0 +1,12 @@
1#ifndef _XT_STATE_H
2#define _XT_STATE_H
3
4#define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
5#define XT_STATE_INVALID (1 << 0)
6
7#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
8
9struct xt_state_info {
10 unsigned int statemask;
11};
12#endif /*_XT_STATE_H*/
diff --git a/include/uapi/linux/netfilter/xt_statistic.h b/include/uapi/linux/netfilter/xt_statistic.h
new file mode 100644
index 000000000000..4e983ef0c968
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_statistic.h
@@ -0,0 +1,36 @@
1#ifndef _XT_STATISTIC_H
2#define _XT_STATISTIC_H
3
4#include <linux/types.h>
5
6enum xt_statistic_mode {
7 XT_STATISTIC_MODE_RANDOM,
8 XT_STATISTIC_MODE_NTH,
9 __XT_STATISTIC_MODE_MAX
10};
11#define XT_STATISTIC_MODE_MAX (__XT_STATISTIC_MODE_MAX - 1)
12
13enum xt_statistic_flags {
14 XT_STATISTIC_INVERT = 0x1,
15};
16#define XT_STATISTIC_MASK 0x1
17
18struct xt_statistic_priv;
19
20struct xt_statistic_info {
21 __u16 mode;
22 __u16 flags;
23 union {
24 struct {
25 __u32 probability;
26 } random;
27 struct {
28 __u32 every;
29 __u32 packet;
30 __u32 count; /* unused */
31 } nth;
32 } u;
33 struct xt_statistic_priv *master __attribute__((aligned(8)));
34};
35
36#endif /* _XT_STATISTIC_H */
diff --git a/include/uapi/linux/netfilter/xt_string.h b/include/uapi/linux/netfilter/xt_string.h
new file mode 100644
index 000000000000..235347c02eab
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_string.h
@@ -0,0 +1,34 @@
1#ifndef _XT_STRING_H
2#define _XT_STRING_H
3
4#include <linux/types.h>
5
6#define XT_STRING_MAX_PATTERN_SIZE 128
7#define XT_STRING_MAX_ALGO_NAME_SIZE 16
8
9enum {
10 XT_STRING_FLAG_INVERT = 0x01,
11 XT_STRING_FLAG_IGNORECASE = 0x02
12};
13
14struct xt_string_info {
15 __u16 from_offset;
16 __u16 to_offset;
17 char algo[XT_STRING_MAX_ALGO_NAME_SIZE];
18 char pattern[XT_STRING_MAX_PATTERN_SIZE];
19 __u8 patlen;
20 union {
21 struct {
22 __u8 invert;
23 } v0;
24
25 struct {
26 __u8 flags;
27 } v1;
28 } u;
29
30 /* Used internally by the kernel */
31 struct ts_config __attribute__((aligned(8))) *config;
32};
33
34#endif /*_XT_STRING_H*/
diff --git a/include/uapi/linux/netfilter/xt_tcpmss.h b/include/uapi/linux/netfilter/xt_tcpmss.h
new file mode 100644
index 000000000000..fbac56b9e667
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_tcpmss.h
@@ -0,0 +1,11 @@
1#ifndef _XT_TCPMSS_MATCH_H
2#define _XT_TCPMSS_MATCH_H
3
4#include <linux/types.h>
5
6struct xt_tcpmss_match_info {
7 __u16 mss_min, mss_max;
8 __u8 invert;
9};
10
11#endif /*_XT_TCPMSS_MATCH_H*/
diff --git a/include/uapi/linux/netfilter/xt_tcpudp.h b/include/uapi/linux/netfilter/xt_tcpudp.h
new file mode 100644
index 000000000000..38aa7b399021
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_tcpudp.h
@@ -0,0 +1,36 @@
1#ifndef _XT_TCPUDP_H
2#define _XT_TCPUDP_H
3
4#include <linux/types.h>
5
6/* TCP matching stuff */
7struct xt_tcp {
8 __u16 spts[2]; /* Source port range. */
9 __u16 dpts[2]; /* Destination port range. */
10 __u8 option; /* TCP Option iff non-zero*/
11 __u8 flg_mask; /* TCP flags mask byte */
12 __u8 flg_cmp; /* TCP flags compare byte */
13 __u8 invflags; /* Inverse flags */
14};
15
16/* Values for "inv" field in struct ipt_tcp. */
17#define XT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
18#define XT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
19#define XT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
20#define XT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
21#define XT_TCP_INV_MASK 0x0F /* All possible flags. */
22
23/* UDP matching stuff */
24struct xt_udp {
25 __u16 spts[2]; /* Source port range. */
26 __u16 dpts[2]; /* Destination port range. */
27 __u8 invflags; /* Inverse flags */
28};
29
30/* Values for "invflags" field in struct ipt_udp. */
31#define XT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
32#define XT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
33#define XT_UDP_INV_MASK 0x03 /* All possible flags. */
34
35
36#endif
diff --git a/include/uapi/linux/netfilter/xt_time.h b/include/uapi/linux/netfilter/xt_time.h
new file mode 100644
index 000000000000..095886019396
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_time.h
@@ -0,0 +1,32 @@
1#ifndef _XT_TIME_H
2#define _XT_TIME_H 1
3
4#include <linux/types.h>
5
6struct xt_time_info {
7 __u32 date_start;
8 __u32 date_stop;
9 __u32 daytime_start;
10 __u32 daytime_stop;
11 __u32 monthdays_match;
12 __u8 weekdays_match;
13 __u8 flags;
14};
15
16enum {
17 /* Match against local time (instead of UTC) */
18 XT_TIME_LOCAL_TZ = 1 << 0,
19
20 /* treat timestart > timestop (e.g. 23:00-01:00) as single period */
21 XT_TIME_CONTIGUOUS = 1 << 1,
22
23 /* Shortcuts */
24 XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,
25 XT_TIME_ALL_WEEKDAYS = 0xFE,
26 XT_TIME_MIN_DAYTIME = 0,
27 XT_TIME_MAX_DAYTIME = 24 * 60 * 60 - 1,
28};
29
30#define XT_TIME_ALL_FLAGS (XT_TIME_LOCAL_TZ|XT_TIME_CONTIGUOUS)
31
32#endif /* _XT_TIME_H */
diff --git a/include/uapi/linux/netfilter/xt_u32.h b/include/uapi/linux/netfilter/xt_u32.h
new file mode 100644
index 000000000000..04d1bfea03c2
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_u32.h
@@ -0,0 +1,42 @@
1#ifndef _XT_U32_H
2#define _XT_U32_H 1
3
4#include <linux/types.h>
5
6enum xt_u32_ops {
7 XT_U32_AND,
8 XT_U32_LEFTSH,
9 XT_U32_RIGHTSH,
10 XT_U32_AT,
11};
12
13struct xt_u32_location_element {
14 __u32 number;
15 __u8 nextop;
16};
17
18struct xt_u32_value_element {
19 __u32 min;
20 __u32 max;
21};
22
23/*
24 * Any way to allow for an arbitrary number of elements?
25 * For now, I settle with a limit of 10 each.
26 */
27#define XT_U32_MAXSIZE 10
28
29struct xt_u32_test {
30 struct xt_u32_location_element location[XT_U32_MAXSIZE+1];
31 struct xt_u32_value_element value[XT_U32_MAXSIZE+1];
32 __u8 nnums;
33 __u8 nvalues;
34};
35
36struct xt_u32 {
37 struct xt_u32_test tests[XT_U32_MAXSIZE+1];
38 __u8 ntests;
39 __u8 invert;
40};
41
42#endif /* _XT_U32_H */
diff --git a/include/uapi/linux/netfilter_arp/Kbuild b/include/uapi/linux/netfilter_arp/Kbuild
index aafaa5aa54d4..62d5637cc0ac 100644
--- a/include/uapi/linux/netfilter_arp/Kbuild
+++ b/include/uapi/linux/netfilter_arp/Kbuild
@@ -1 +1,3 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += arp_tables.h
3header-y += arpt_mangle.h
diff --git a/include/uapi/linux/netfilter_arp/arp_tables.h b/include/uapi/linux/netfilter_arp/arp_tables.h
new file mode 100644
index 000000000000..a5a86a4db6b3
--- /dev/null
+++ b/include/uapi/linux/netfilter_arp/arp_tables.h
@@ -0,0 +1,206 @@
1/*
2 * Format of an ARP firewall descriptor
3 *
4 * src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
5 * network byte order.
6 * flags are stored in host byte order (of course).
7 */
8
9#ifndef _UAPI_ARPTABLES_H
10#define _UAPI_ARPTABLES_H
11
12#include <linux/types.h>
13#include <linux/compiler.h>
14#include <linux/netfilter_arp.h>
15
16#include <linux/netfilter/x_tables.h>
17
18#ifndef __KERNEL__
19#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
20#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
21#define arpt_entry_target xt_entry_target
22#define arpt_standard_target xt_standard_target
23#define arpt_error_target xt_error_target
24#define ARPT_CONTINUE XT_CONTINUE
25#define ARPT_RETURN XT_RETURN
26#define arpt_counters_info xt_counters_info
27#define arpt_counters xt_counters
28#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
29#define ARPT_ERROR_TARGET XT_ERROR_TARGET
30#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
31 XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
32#endif
33
34#define ARPT_DEV_ADDR_LEN_MAX 16
35
36struct arpt_devaddr_info {
37 char addr[ARPT_DEV_ADDR_LEN_MAX];
38 char mask[ARPT_DEV_ADDR_LEN_MAX];
39};
40
41/* Yes, Virginia, you have to zero the padding. */
42struct arpt_arp {
43 /* Source and target IP addr */
44 struct in_addr src, tgt;
45 /* Mask for src and target IP addr */
46 struct in_addr smsk, tmsk;
47
48 /* Device hw address length, src+target device addresses */
49 __u8 arhln, arhln_mask;
50 struct arpt_devaddr_info src_devaddr;
51 struct arpt_devaddr_info tgt_devaddr;
52
53 /* ARP operation code. */
54 __be16 arpop, arpop_mask;
55
56 /* ARP hardware address and protocol address format. */
57 __be16 arhrd, arhrd_mask;
58 __be16 arpro, arpro_mask;
59
60 /* The protocol address length is only accepted if it is 4
61 * so there is no use in offering a way to do filtering on it.
62 */
63
64 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
65 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
66
67 /* Flags word */
68 __u8 flags;
69 /* Inverse flags */
70 __u16 invflags;
71};
72
73/* Values for "flag" field in struct arpt_ip (general arp structure).
74 * No flags defined yet.
75 */
76#define ARPT_F_MASK 0x00 /* All possible flag bits mask. */
77
78/* Values for "inv" field in struct arpt_arp. */
79#define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */
80#define ARPT_INV_VIA_OUT 0x0002 /* Invert the sense of OUT IFACE */
81#define ARPT_INV_SRCIP 0x0004 /* Invert the sense of SRC IP. */
82#define ARPT_INV_TGTIP 0x0008 /* Invert the sense of TGT IP. */
83#define ARPT_INV_SRCDEVADDR 0x0010 /* Invert the sense of SRC DEV ADDR. */
84#define ARPT_INV_TGTDEVADDR 0x0020 /* Invert the sense of TGT DEV ADDR. */
85#define ARPT_INV_ARPOP 0x0040 /* Invert the sense of ARP OP. */
86#define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */
87#define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */
88#define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */
89#define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */
90
91/* This structure defines each of the firewall rules. Consists of 3
92 parts which are 1) general ARP header stuff 2) match specific
93 stuff 3) the target to perform if the rule matches */
94struct arpt_entry
95{
96 struct arpt_arp arp;
97
98 /* Size of arpt_entry + matches */
99 __u16 target_offset;
100 /* Size of arpt_entry + matches + target */
101 __u16 next_offset;
102
103 /* Back pointer */
104 unsigned int comefrom;
105
106 /* Packet and byte counters. */
107 struct xt_counters counters;
108
109 /* The matches (if any), then the target. */
110 unsigned char elems[0];
111};
112
113/*
114 * New IP firewall options for [gs]etsockopt at the RAW IP level.
115 * Unlike BSD Linux inherits IP options so you don't have to use a raw
116 * socket for this. Instead we check rights in the calls.
117 *
118 * ATTENTION: check linux/in.h before adding new number here.
119 */
120#define ARPT_BASE_CTL 96
121
122#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
123#define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1)
124#define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS
125
126#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
127#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
128/* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */
129#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3)
130#define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET)
131
132/* The argument to ARPT_SO_GET_INFO */
133struct arpt_getinfo {
134 /* Which table: caller fills this in. */
135 char name[XT_TABLE_MAXNAMELEN];
136
137 /* Kernel fills these in. */
138 /* Which hook entry points are valid: bitmask */
139 unsigned int valid_hooks;
140
141 /* Hook entry points: one per netfilter hook. */
142 unsigned int hook_entry[NF_ARP_NUMHOOKS];
143
144 /* Underflow points. */
145 unsigned int underflow[NF_ARP_NUMHOOKS];
146
147 /* Number of entries */
148 unsigned int num_entries;
149
150 /* Size of entries. */
151 unsigned int size;
152};
153
154/* The argument to ARPT_SO_SET_REPLACE. */
155struct arpt_replace {
156 /* Which table. */
157 char name[XT_TABLE_MAXNAMELEN];
158
159 /* Which hook entry points are valid: bitmask. You can't
160 change this. */
161 unsigned int valid_hooks;
162
163 /* Number of entries */
164 unsigned int num_entries;
165
166 /* Total size of new entries */
167 unsigned int size;
168
169 /* Hook entry points. */
170 unsigned int hook_entry[NF_ARP_NUMHOOKS];
171
172 /* Underflow points. */
173 unsigned int underflow[NF_ARP_NUMHOOKS];
174
175 /* Information about old entries: */
176 /* Number of counters (must be equal to current number of entries). */
177 unsigned int num_counters;
178 /* The old entries' counters. */
179 struct xt_counters __user *counters;
180
181 /* The entries (hang off end: not really an array). */
182 struct arpt_entry entries[0];
183};
184
185/* The argument to ARPT_SO_GET_ENTRIES. */
186struct arpt_get_entries {
187 /* Which table: user fills this in. */
188 char name[XT_TABLE_MAXNAMELEN];
189
190 /* User fills this in: total entry size. */
191 unsigned int size;
192
193 /* The entries. */
194 struct arpt_entry entrytable[0];
195};
196
197/* Helper functions */
198static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
199{
200 return (void *)e + e->target_offset;
201}
202
203/*
204 * Main firewall chains definitions and global var's definitions.
205 */
206#endif /* _UAPI_ARPTABLES_H */
diff --git a/include/uapi/linux/netfilter_arp/arpt_mangle.h b/include/uapi/linux/netfilter_arp/arpt_mangle.h
new file mode 100644
index 000000000000..250f502902bb
--- /dev/null
+++ b/include/uapi/linux/netfilter_arp/arpt_mangle.h
@@ -0,0 +1,26 @@
1#ifndef _ARPT_MANGLE_H
2#define _ARPT_MANGLE_H
3#include <linux/netfilter_arp/arp_tables.h>
4
5#define ARPT_MANGLE_ADDR_LEN_MAX sizeof(struct in_addr)
6struct arpt_mangle
7{
8 char src_devaddr[ARPT_DEV_ADDR_LEN_MAX];
9 char tgt_devaddr[ARPT_DEV_ADDR_LEN_MAX];
10 union {
11 struct in_addr src_ip;
12 } u_s;
13 union {
14 struct in_addr tgt_ip;
15 } u_t;
16 u_int8_t flags;
17 int target;
18};
19
20#define ARPT_MANGLE_SDEV 0x01
21#define ARPT_MANGLE_TDEV 0x02
22#define ARPT_MANGLE_SIP 0x04
23#define ARPT_MANGLE_TIP 0x08
24#define ARPT_MANGLE_MASK 0x0f
25
26#endif /* _ARPT_MANGLE_H */
diff --git a/include/uapi/linux/netfilter_bridge/Kbuild b/include/uapi/linux/netfilter_bridge/Kbuild
index aafaa5aa54d4..348717c3a22f 100644
--- a/include/uapi/linux/netfilter_bridge/Kbuild
+++ b/include/uapi/linux/netfilter_bridge/Kbuild
@@ -1 +1,19 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += ebt_802_3.h
3header-y += ebt_among.h
4header-y += ebt_arp.h
5header-y += ebt_arpreply.h
6header-y += ebt_ip.h
7header-y += ebt_ip6.h
8header-y += ebt_limit.h
9header-y += ebt_log.h
10header-y += ebt_mark_m.h
11header-y += ebt_mark_t.h
12header-y += ebt_nat.h
13header-y += ebt_nflog.h
14header-y += ebt_pkttype.h
15header-y += ebt_redirect.h
16header-y += ebt_stp.h
17header-y += ebt_ulog.h
18header-y += ebt_vlan.h
19header-y += ebtables.h
diff --git a/include/uapi/linux/netfilter_bridge/ebt_802_3.h b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
new file mode 100644
index 000000000000..5bf84912a082
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
@@ -0,0 +1,62 @@
1#ifndef _UAPI__LINUX_BRIDGE_EBT_802_3_H
2#define _UAPI__LINUX_BRIDGE_EBT_802_3_H
3
4#include <linux/types.h>
5
6#define EBT_802_3_SAP 0x01
7#define EBT_802_3_TYPE 0x02
8
9#define EBT_802_3_MATCH "802_3"
10
11/*
12 * If frame has DSAP/SSAP value 0xaa you must check the SNAP type
13 * to discover what kind of packet we're carrying.
14 */
15#define CHECK_TYPE 0xaa
16
17/*
18 * Control field may be one or two bytes. If the first byte has
19 * the value 0x03 then the entire length is one byte, otherwise it is two.
20 * One byte controls are used in Unnumbered Information frames.
21 * Two byte controls are used in Numbered Information frames.
22 */
23#define IS_UI 0x03
24
25#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
26
27/* ui has one byte ctrl, ni has two */
28struct hdr_ui {
29 __u8 dsap;
30 __u8 ssap;
31 __u8 ctrl;
32 __u8 orig[3];
33 __be16 type;
34};
35
36struct hdr_ni {
37 __u8 dsap;
38 __u8 ssap;
39 __be16 ctrl;
40 __u8 orig[3];
41 __be16 type;
42};
43
44struct ebt_802_3_hdr {
45 __u8 daddr[6];
46 __u8 saddr[6];
47 __be16 len;
48 union {
49 struct hdr_ui ui;
50 struct hdr_ni ni;
51 } llc;
52};
53
54
55struct ebt_802_3_info {
56 __u8 sap;
57 __be16 type;
58 __u8 bitmask;
59 __u8 invflags;
60};
61
62#endif /* _UAPI__LINUX_BRIDGE_EBT_802_3_H */
diff --git a/include/uapi/linux/netfilter_bridge/ebt_among.h b/include/uapi/linux/netfilter_bridge/ebt_among.h
new file mode 100644
index 000000000000..bd4e3ad0b706
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_among.h
@@ -0,0 +1,64 @@
1#ifndef __LINUX_BRIDGE_EBT_AMONG_H
2#define __LINUX_BRIDGE_EBT_AMONG_H
3
4#include <linux/types.h>
5
6#define EBT_AMONG_DST 0x01
7#define EBT_AMONG_SRC 0x02
8
9/* Grzegorz Borowiak <grzes@gnu.univ.gda.pl> 2003
10 *
11 * Write-once-read-many hash table, used for checking if a given
12 * MAC address belongs to a set or not and possibly for checking
13 * if it is related with a given IPv4 address.
14 *
15 * The hash value of an address is its last byte.
16 *
17 * In real-world ethernet addresses, values of the last byte are
18 * evenly distributed and there is no need to consider other bytes.
19 * It would only slow the routines down.
20 *
21 * For MAC address comparison speedup reasons, we introduce a trick.
22 * MAC address is mapped onto an array of two 32-bit integers.
23 * This pair of integers is compared with MAC addresses in the
24 * hash table, which are stored also in form of pairs of integers
25 * (in `cmp' array). This is quick as it requires only two elementary
26 * number comparisons in worst case. Further, we take advantage of
27 * fact that entropy of 3 last bytes of address is larger than entropy
28 * of 3 first bytes. So first we compare 4 last bytes of addresses and
29 * if they are the same we compare 2 first.
30 *
31 * Yes, it is a memory overhead, but in 2003 AD, who cares?
32 */
33
34struct ebt_mac_wormhash_tuple {
35 __u32 cmp[2];
36 __be32 ip;
37};
38
39struct ebt_mac_wormhash {
40 int table[257];
41 int poolsize;
42 struct ebt_mac_wormhash_tuple pool[0];
43};
44
45#define ebt_mac_wormhash_size(x) ((x) ? sizeof(struct ebt_mac_wormhash) \
46 + (x)->poolsize * sizeof(struct ebt_mac_wormhash_tuple) : 0)
47
48struct ebt_among_info {
49 int wh_dst_ofs;
50 int wh_src_ofs;
51 int bitmask;
52};
53
54#define EBT_AMONG_DST_NEG 0x1
55#define EBT_AMONG_SRC_NEG 0x2
56
57#define ebt_among_wh_dst(x) ((x)->wh_dst_ofs ? \
58 (struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_dst_ofs) : NULL)
59#define ebt_among_wh_src(x) ((x)->wh_src_ofs ? \
60 (struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_src_ofs) : NULL)
61
62#define EBT_AMONG_MATCH "among"
63
64#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_arp.h b/include/uapi/linux/netfilter_bridge/ebt_arp.h
new file mode 100644
index 000000000000..522f3e427f49
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_arp.h
@@ -0,0 +1,36 @@
1#ifndef __LINUX_BRIDGE_EBT_ARP_H
2#define __LINUX_BRIDGE_EBT_ARP_H
3
4#include <linux/types.h>
5
6#define EBT_ARP_OPCODE 0x01
7#define EBT_ARP_HTYPE 0x02
8#define EBT_ARP_PTYPE 0x04
9#define EBT_ARP_SRC_IP 0x08
10#define EBT_ARP_DST_IP 0x10
11#define EBT_ARP_SRC_MAC 0x20
12#define EBT_ARP_DST_MAC 0x40
13#define EBT_ARP_GRAT 0x80
14#define EBT_ARP_MASK (EBT_ARP_OPCODE | EBT_ARP_HTYPE | EBT_ARP_PTYPE | \
15 EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC | \
16 EBT_ARP_GRAT)
17#define EBT_ARP_MATCH "arp"
18
19struct ebt_arp_info
20{
21 __be16 htype;
22 __be16 ptype;
23 __be16 opcode;
24 __be32 saddr;
25 __be32 smsk;
26 __be32 daddr;
27 __be32 dmsk;
28 unsigned char smaddr[ETH_ALEN];
29 unsigned char smmsk[ETH_ALEN];
30 unsigned char dmaddr[ETH_ALEN];
31 unsigned char dmmsk[ETH_ALEN];
32 __u8 bitmask;
33 __u8 invflags;
34};
35
36#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_arpreply.h b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h
new file mode 100644
index 000000000000..7e77896e1fbf
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h
@@ -0,0 +1,10 @@
1#ifndef __LINUX_BRIDGE_EBT_ARPREPLY_H
2#define __LINUX_BRIDGE_EBT_ARPREPLY_H
3
4struct ebt_arpreply_info {
5 unsigned char mac[ETH_ALEN];
6 int target;
7};
8#define EBT_ARPREPLY_TARGET "arpreply"
9
10#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_ip.h b/include/uapi/linux/netfilter_bridge/ebt_ip.h
new file mode 100644
index 000000000000..c4bbc41b0ea4
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_ip.h
@@ -0,0 +1,44 @@
1/*
2 * ebt_ip
3 *
4 * Authors:
5 * Bart De Schuymer <bart.de.schuymer@pandora.be>
6 *
7 * April, 2002
8 *
9 * Changes:
10 * added ip-sport and ip-dport
11 * Innominate Security Technologies AG <mhopf@innominate.com>
12 * September, 2002
13 */
14
15#ifndef __LINUX_BRIDGE_EBT_IP_H
16#define __LINUX_BRIDGE_EBT_IP_H
17
18#include <linux/types.h>
19
20#define EBT_IP_SOURCE 0x01
21#define EBT_IP_DEST 0x02
22#define EBT_IP_TOS 0x04
23#define EBT_IP_PROTO 0x08
24#define EBT_IP_SPORT 0x10
25#define EBT_IP_DPORT 0x20
26#define EBT_IP_MASK (EBT_IP_SOURCE | EBT_IP_DEST | EBT_IP_TOS | EBT_IP_PROTO |\
27 EBT_IP_SPORT | EBT_IP_DPORT )
28#define EBT_IP_MATCH "ip"
29
30/* the same values are used for the invflags */
31struct ebt_ip_info {
32 __be32 saddr;
33 __be32 daddr;
34 __be32 smsk;
35 __be32 dmsk;
36 __u8 tos;
37 __u8 protocol;
38 __u8 bitmask;
39 __u8 invflags;
40 __u16 sport[2];
41 __u16 dport[2];
42};
43
44#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_ip6.h b/include/uapi/linux/netfilter_bridge/ebt_ip6.h
new file mode 100644
index 000000000000..42b889682721
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_ip6.h
@@ -0,0 +1,50 @@
1/*
2 * ebt_ip6
3 *
4 * Authors:
5 * Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
6 * Manohar Castelino <manohar.r.castelino@intel.com>
7 *
8 * Jan 11, 2008
9 *
10 */
11
12#ifndef __LINUX_BRIDGE_EBT_IP6_H
13#define __LINUX_BRIDGE_EBT_IP6_H
14
15#include <linux/types.h>
16
17#define EBT_IP6_SOURCE 0x01
18#define EBT_IP6_DEST 0x02
19#define EBT_IP6_TCLASS 0x04
20#define EBT_IP6_PROTO 0x08
21#define EBT_IP6_SPORT 0x10
22#define EBT_IP6_DPORT 0x20
23#define EBT_IP6_ICMP6 0x40
24
25#define EBT_IP6_MASK (EBT_IP6_SOURCE | EBT_IP6_DEST | EBT_IP6_TCLASS |\
26 EBT_IP6_PROTO | EBT_IP6_SPORT | EBT_IP6_DPORT | \
27 EBT_IP6_ICMP6)
28#define EBT_IP6_MATCH "ip6"
29
30/* the same values are used for the invflags */
31struct ebt_ip6_info {
32 struct in6_addr saddr;
33 struct in6_addr daddr;
34 struct in6_addr smsk;
35 struct in6_addr dmsk;
36 __u8 tclass;
37 __u8 protocol;
38 __u8 bitmask;
39 __u8 invflags;
40 union {
41 __u16 sport[2];
42 __u8 icmpv6_type[2];
43 };
44 union {
45 __u16 dport[2];
46 __u8 icmpv6_code[2];
47 };
48};
49
50#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_limit.h b/include/uapi/linux/netfilter_bridge/ebt_limit.h
new file mode 100644
index 000000000000..66d80b30ba0e
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_limit.h
@@ -0,0 +1,24 @@
1#ifndef __LINUX_BRIDGE_EBT_LIMIT_H
2#define __LINUX_BRIDGE_EBT_LIMIT_H
3
4#include <linux/types.h>
5
6#define EBT_LIMIT_MATCH "limit"
7
8/* timings are in milliseconds. */
9#define EBT_LIMIT_SCALE 10000
10
11/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
12 seconds, or one every 59 hours. */
13
14struct ebt_limit_info {
15 __u32 avg; /* Average secs between packets * scale */
16 __u32 burst; /* Period multiplier for upper limit. */
17
18 /* Used internally by the kernel */
19 unsigned long prev;
20 __u32 credit;
21 __u32 credit_cap, cost;
22};
23
24#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_log.h b/include/uapi/linux/netfilter_bridge/ebt_log.h
new file mode 100644
index 000000000000..7e7f1d1fe494
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_log.h
@@ -0,0 +1,20 @@
1#ifndef __LINUX_BRIDGE_EBT_LOG_H
2#define __LINUX_BRIDGE_EBT_LOG_H
3
4#include <linux/types.h>
5
6#define EBT_LOG_IP 0x01 /* if the frame is made by ip, log the ip information */
7#define EBT_LOG_ARP 0x02
8#define EBT_LOG_NFLOG 0x04
9#define EBT_LOG_IP6 0x08
10#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP | EBT_LOG_IP6)
11#define EBT_LOG_PREFIX_SIZE 30
12#define EBT_LOG_WATCHER "log"
13
14struct ebt_log_info {
15 __u8 loglevel;
16 __u8 prefix[EBT_LOG_PREFIX_SIZE];
17 __u32 bitmask;
18};
19
20#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_mark_m.h b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h
new file mode 100644
index 000000000000..410f9e5a71d4
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h
@@ -0,0 +1,16 @@
1#ifndef __LINUX_BRIDGE_EBT_MARK_M_H
2#define __LINUX_BRIDGE_EBT_MARK_M_H
3
4#include <linux/types.h>
5
6#define EBT_MARK_AND 0x01
7#define EBT_MARK_OR 0x02
8#define EBT_MARK_MASK (EBT_MARK_AND | EBT_MARK_OR)
9struct ebt_mark_m_info {
10 unsigned long mark, mask;
11 __u8 invert;
12 __u8 bitmask;
13};
14#define EBT_MARK_MATCH "mark_m"
15
16#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_mark_t.h b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h
new file mode 100644
index 000000000000..7d5a268a4311
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h
@@ -0,0 +1,23 @@
1#ifndef __LINUX_BRIDGE_EBT_MARK_T_H
2#define __LINUX_BRIDGE_EBT_MARK_T_H
3
4/* The target member is reused for adding new actions, the
5 * value of the real target is -1 to -NUM_STANDARD_TARGETS.
6 * For backward compatibility, the 4 lsb (2 would be enough,
7 * but let's play it safe) are kept to designate this target.
8 * The remaining bits designate the action. By making the set
9 * action 0xfffffff0, the result will look ok for older
10 * versions. [September 2006] */
11#define MARK_SET_VALUE (0xfffffff0)
12#define MARK_OR_VALUE (0xffffffe0)
13#define MARK_AND_VALUE (0xffffffd0)
14#define MARK_XOR_VALUE (0xffffffc0)
15
16struct ebt_mark_t_info {
17 unsigned long mark;
18 /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */
19 int target;
20};
21#define EBT_MARK_TARGET "mark"
22
23#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_nat.h b/include/uapi/linux/netfilter_bridge/ebt_nat.h
new file mode 100644
index 000000000000..5e74e3b03bd6
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_nat.h
@@ -0,0 +1,13 @@
1#ifndef __LINUX_BRIDGE_EBT_NAT_H
2#define __LINUX_BRIDGE_EBT_NAT_H
3
4#define NAT_ARP_BIT (0x00000010)
5struct ebt_nat_info {
6 unsigned char mac[ETH_ALEN];
7 /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */
8 int target;
9};
10#define EBT_SNAT_TARGET "snat"
11#define EBT_DNAT_TARGET "dnat"
12
13#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_nflog.h b/include/uapi/linux/netfilter_bridge/ebt_nflog.h
new file mode 100644
index 000000000000..df829fce9125
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_nflog.h
@@ -0,0 +1,23 @@
1#ifndef __LINUX_BRIDGE_EBT_NFLOG_H
2#define __LINUX_BRIDGE_EBT_NFLOG_H
3
4#include <linux/types.h>
5
6#define EBT_NFLOG_MASK 0x0
7
8#define EBT_NFLOG_PREFIX_SIZE 64
9#define EBT_NFLOG_WATCHER "nflog"
10
11#define EBT_NFLOG_DEFAULT_GROUP 0x1
12#define EBT_NFLOG_DEFAULT_THRESHOLD 1
13
14struct ebt_nflog_info {
15 __u32 len;
16 __u16 group;
17 __u16 threshold;
18 __u16 flags;
19 __u16 pad;
20 char prefix[EBT_NFLOG_PREFIX_SIZE];
21};
22
23#endif /* __LINUX_BRIDGE_EBT_NFLOG_H */
diff --git a/include/uapi/linux/netfilter_bridge/ebt_pkttype.h b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h
new file mode 100644
index 000000000000..c241badcd036
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h
@@ -0,0 +1,12 @@
1#ifndef __LINUX_BRIDGE_EBT_PKTTYPE_H
2#define __LINUX_BRIDGE_EBT_PKTTYPE_H
3
4#include <linux/types.h>
5
6struct ebt_pkttype_info {
7 __u8 pkt_type;
8 __u8 invert;
9};
10#define EBT_PKTTYPE_MATCH "pkttype"
11
12#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_redirect.h b/include/uapi/linux/netfilter_bridge/ebt_redirect.h
new file mode 100644
index 000000000000..dd9622ce8488
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_redirect.h
@@ -0,0 +1,10 @@
1#ifndef __LINUX_BRIDGE_EBT_REDIRECT_H
2#define __LINUX_BRIDGE_EBT_REDIRECT_H
3
4struct ebt_redirect_info {
5 /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */
6 int target;
7};
8#define EBT_REDIRECT_TARGET "redirect"
9
10#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_stp.h b/include/uapi/linux/netfilter_bridge/ebt_stp.h
new file mode 100644
index 000000000000..1025b9f5fb7d
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_stp.h
@@ -0,0 +1,46 @@
1#ifndef __LINUX_BRIDGE_EBT_STP_H
2#define __LINUX_BRIDGE_EBT_STP_H
3
4#include <linux/types.h>
5
6#define EBT_STP_TYPE 0x0001
7
8#define EBT_STP_FLAGS 0x0002
9#define EBT_STP_ROOTPRIO 0x0004
10#define EBT_STP_ROOTADDR 0x0008
11#define EBT_STP_ROOTCOST 0x0010
12#define EBT_STP_SENDERPRIO 0x0020
13#define EBT_STP_SENDERADDR 0x0040
14#define EBT_STP_PORT 0x0080
15#define EBT_STP_MSGAGE 0x0100
16#define EBT_STP_MAXAGE 0x0200
17#define EBT_STP_HELLOTIME 0x0400
18#define EBT_STP_FWDD 0x0800
19
20#define EBT_STP_MASK 0x0fff
21#define EBT_STP_CONFIG_MASK 0x0ffe
22
23#define EBT_STP_MATCH "stp"
24
25struct ebt_stp_config_info {
26 __u8 flags;
27 __u16 root_priol, root_priou;
28 char root_addr[6], root_addrmsk[6];
29 __u32 root_costl, root_costu;
30 __u16 sender_priol, sender_priou;
31 char sender_addr[6], sender_addrmsk[6];
32 __u16 portl, portu;
33 __u16 msg_agel, msg_ageu;
34 __u16 max_agel, max_ageu;
35 __u16 hello_timel, hello_timeu;
36 __u16 forward_delayl, forward_delayu;
37};
38
39struct ebt_stp_info {
40 __u8 type;
41 struct ebt_stp_config_info config;
42 __u16 bitmask;
43 __u16 invflags;
44};
45
46#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_ulog.h b/include/uapi/linux/netfilter_bridge/ebt_ulog.h
new file mode 100644
index 000000000000..89a6becb5269
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_ulog.h
@@ -0,0 +1,38 @@
1#ifndef _EBT_ULOG_H
2#define _EBT_ULOG_H
3
4#include <linux/types.h>
5
6#define EBT_ULOG_DEFAULT_NLGROUP 0
7#define EBT_ULOG_DEFAULT_QTHRESHOLD 1
8#define EBT_ULOG_MAXNLGROUPS 32 /* hardcoded netlink max */
9#define EBT_ULOG_PREFIX_LEN 32
10#define EBT_ULOG_MAX_QLEN 50
11#define EBT_ULOG_WATCHER "ulog"
12#define EBT_ULOG_VERSION 1
13
14struct ebt_ulog_info {
15 __u32 nlgroup;
16 unsigned int cprange;
17 unsigned int qthreshold;
18 char prefix[EBT_ULOG_PREFIX_LEN];
19};
20
21typedef struct ebt_ulog_packet_msg {
22 int version;
23 char indev[IFNAMSIZ];
24 char outdev[IFNAMSIZ];
25 char physindev[IFNAMSIZ];
26 char physoutdev[IFNAMSIZ];
27 char prefix[EBT_ULOG_PREFIX_LEN];
28 struct timeval stamp;
29 unsigned long mark;
30 unsigned int hook;
31 size_t data_len;
32 /* The complete packet, including Ethernet header and perhaps
33 * the VLAN header is appended */
34 unsigned char data[0] __attribute__
35 ((aligned (__alignof__(struct ebt_ulog_info))));
36} ebt_ulog_packet_msg_t;
37
38#endif /* _EBT_ULOG_H */
diff --git a/include/uapi/linux/netfilter_bridge/ebt_vlan.h b/include/uapi/linux/netfilter_bridge/ebt_vlan.h
new file mode 100644
index 000000000000..967d1d5cf98d
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_vlan.h
@@ -0,0 +1,22 @@
1#ifndef __LINUX_BRIDGE_EBT_VLAN_H
2#define __LINUX_BRIDGE_EBT_VLAN_H
3
4#include <linux/types.h>
5
6#define EBT_VLAN_ID 0x01
7#define EBT_VLAN_PRIO 0x02
8#define EBT_VLAN_ENCAP 0x04
9#define EBT_VLAN_MASK (EBT_VLAN_ID | EBT_VLAN_PRIO | EBT_VLAN_ENCAP)
10#define EBT_VLAN_MATCH "vlan"
11
12struct ebt_vlan_info {
13 __u16 id; /* VLAN ID {1-4095} */
14 __u8 prio; /* VLAN User Priority {0-7} */
15 __be16 encap; /* VLAN Encapsulated frame code {0-65535} */
16 __u8 bitmask; /* Args bitmask bit 1=1 - ID arg,
17 bit 2=1 User-Priority arg, bit 3=1 encap*/
18 __u8 invflags; /* Inverse bitmask bit 1=1 - inversed ID arg,
19 bit 2=1 - inversed Pirority arg */
20};
21
22#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebtables.h b/include/uapi/linux/netfilter_bridge/ebtables.h
new file mode 100644
index 000000000000..ba993360dbe9
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebtables.h
@@ -0,0 +1,268 @@
1/*
2 * ebtables
3 *
4 * Authors:
5 * Bart De Schuymer <bdschuym@pandora.be>
6 *
7 * ebtables.c,v 2.0, April, 2002
8 *
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11 */
12
13#ifndef _UAPI__LINUX_BRIDGE_EFF_H
14#define _UAPI__LINUX_BRIDGE_EFF_H
15#include <linux/if.h>
16#include <linux/netfilter_bridge.h>
17#include <linux/if_ether.h>
18
19#define EBT_TABLE_MAXNAMELEN 32
20#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
21#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
22
23/* verdicts >0 are "branches" */
24#define EBT_ACCEPT -1
25#define EBT_DROP -2
26#define EBT_CONTINUE -3
27#define EBT_RETURN -4
28#define NUM_STANDARD_TARGETS 4
29/* ebtables target modules store the verdict inside an int. We can
30 * reclaim a part of this int for backwards compatible extensions.
31 * The 4 lsb are more than enough to store the verdict. */
32#define EBT_VERDICT_BITS 0x0000000F
33
34struct xt_match;
35struct xt_target;
36
37struct ebt_counter {
38 uint64_t pcnt;
39 uint64_t bcnt;
40};
41
42struct ebt_replace {
43 char name[EBT_TABLE_MAXNAMELEN];
44 unsigned int valid_hooks;
45 /* nr of rules in the table */
46 unsigned int nentries;
47 /* total size of the entries */
48 unsigned int entries_size;
49 /* start of the chains */
50 struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
51 /* nr of counters userspace expects back */
52 unsigned int num_counters;
53 /* where the kernel will put the old counters */
54 struct ebt_counter __user *counters;
55 char __user *entries;
56};
57
58struct ebt_replace_kernel {
59 char name[EBT_TABLE_MAXNAMELEN];
60 unsigned int valid_hooks;
61 /* nr of rules in the table */
62 unsigned int nentries;
63 /* total size of the entries */
64 unsigned int entries_size;
65 /* start of the chains */
66 struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
67 /* nr of counters userspace expects back */
68 unsigned int num_counters;
69 /* where the kernel will put the old counters */
70 struct ebt_counter *counters;
71 char *entries;
72};
73
74struct ebt_entries {
75 /* this field is always set to zero
76 * See EBT_ENTRY_OR_ENTRIES.
77 * Must be same size as ebt_entry.bitmask */
78 unsigned int distinguisher;
79 /* the chain name */
80 char name[EBT_CHAIN_MAXNAMELEN];
81 /* counter offset for this chain */
82 unsigned int counter_offset;
83 /* one standard (accept, drop, return) per hook */
84 int policy;
85 /* nr. of entries */
86 unsigned int nentries;
87 /* entry list */
88 char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
89};
90
91/* used for the bitmask of struct ebt_entry */
92
93/* This is a hack to make a difference between an ebt_entry struct and an
94 * ebt_entries struct when traversing the entries from start to end.
95 * Using this simplifies the code a lot, while still being able to use
96 * ebt_entries.
97 * Contrary, iptables doesn't use something like ebt_entries and therefore uses
98 * different techniques for naming the policy and such. So, iptables doesn't
99 * need a hack like this.
100 */
101#define EBT_ENTRY_OR_ENTRIES 0x01
102/* these are the normal masks */
103#define EBT_NOPROTO 0x02
104#define EBT_802_3 0x04
105#define EBT_SOURCEMAC 0x08
106#define EBT_DESTMAC 0x10
107#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
108 | EBT_ENTRY_OR_ENTRIES)
109
110#define EBT_IPROTO 0x01
111#define EBT_IIN 0x02
112#define EBT_IOUT 0x04
113#define EBT_ISOURCE 0x8
114#define EBT_IDEST 0x10
115#define EBT_ILOGICALIN 0x20
116#define EBT_ILOGICALOUT 0x40
117#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
118 | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
119
120struct ebt_entry_match {
121 union {
122 char name[EBT_FUNCTION_MAXNAMELEN];
123 struct xt_match *match;
124 } u;
125 /* size of data */
126 unsigned int match_size;
127 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
128};
129
130struct ebt_entry_watcher {
131 union {
132 char name[EBT_FUNCTION_MAXNAMELEN];
133 struct xt_target *watcher;
134 } u;
135 /* size of data */
136 unsigned int watcher_size;
137 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
138};
139
140struct ebt_entry_target {
141 union {
142 char name[EBT_FUNCTION_MAXNAMELEN];
143 struct xt_target *target;
144 } u;
145 /* size of data */
146 unsigned int target_size;
147 unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
148};
149
150#define EBT_STANDARD_TARGET "standard"
151struct ebt_standard_target {
152 struct ebt_entry_target target;
153 int verdict;
154};
155
156/* one entry */
157struct ebt_entry {
158 /* this needs to be the first field */
159 unsigned int bitmask;
160 unsigned int invflags;
161 __be16 ethproto;
162 /* the physical in-dev */
163 char in[IFNAMSIZ];
164 /* the logical in-dev */
165 char logical_in[IFNAMSIZ];
166 /* the physical out-dev */
167 char out[IFNAMSIZ];
168 /* the logical out-dev */
169 char logical_out[IFNAMSIZ];
170 unsigned char sourcemac[ETH_ALEN];
171 unsigned char sourcemsk[ETH_ALEN];
172 unsigned char destmac[ETH_ALEN];
173 unsigned char destmsk[ETH_ALEN];
174 /* sizeof ebt_entry + matches */
175 unsigned int watchers_offset;
176 /* sizeof ebt_entry + matches + watchers */
177 unsigned int target_offset;
178 /* sizeof ebt_entry + matches + watchers + target */
179 unsigned int next_offset;
180 unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
181};
182
183/* {g,s}etsockopt numbers */
184#define EBT_BASE_CTL 128
185
186#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
187#define EBT_SO_SET_COUNTERS (EBT_SO_SET_ENTRIES+1)
188#define EBT_SO_SET_MAX (EBT_SO_SET_COUNTERS+1)
189
190#define EBT_SO_GET_INFO (EBT_BASE_CTL)
191#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO+1)
192#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES+1)
193#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
194#define EBT_SO_GET_MAX (EBT_SO_GET_INIT_ENTRIES+1)
195
196
197/* blatently stolen from ip_tables.h
198 * fn returns 0 to continue iteration */
199#define EBT_MATCH_ITERATE(e, fn, args...) \
200({ \
201 unsigned int __i; \
202 int __ret = 0; \
203 struct ebt_entry_match *__match; \
204 \
205 for (__i = sizeof(struct ebt_entry); \
206 __i < (e)->watchers_offset; \
207 __i += __match->match_size + \
208 sizeof(struct ebt_entry_match)) { \
209 __match = (void *)(e) + __i; \
210 \
211 __ret = fn(__match , ## args); \
212 if (__ret != 0) \
213 break; \
214 } \
215 if (__ret == 0) { \
216 if (__i != (e)->watchers_offset) \
217 __ret = -EINVAL; \
218 } \
219 __ret; \
220})
221
222#define EBT_WATCHER_ITERATE(e, fn, args...) \
223({ \
224 unsigned int __i; \
225 int __ret = 0; \
226 struct ebt_entry_watcher *__watcher; \
227 \
228 for (__i = e->watchers_offset; \
229 __i < (e)->target_offset; \
230 __i += __watcher->watcher_size + \
231 sizeof(struct ebt_entry_watcher)) { \
232 __watcher = (void *)(e) + __i; \
233 \
234 __ret = fn(__watcher , ## args); \
235 if (__ret != 0) \
236 break; \
237 } \
238 if (__ret == 0) { \
239 if (__i != (e)->target_offset) \
240 __ret = -EINVAL; \
241 } \
242 __ret; \
243})
244
245#define EBT_ENTRY_ITERATE(entries, size, fn, args...) \
246({ \
247 unsigned int __i; \
248 int __ret = 0; \
249 struct ebt_entry *__entry; \
250 \
251 for (__i = 0; __i < (size);) { \
252 __entry = (void *)(entries) + __i; \
253 __ret = fn(__entry , ## args); \
254 if (__ret != 0) \
255 break; \
256 if (__entry->bitmask != 0) \
257 __i += __entry->next_offset; \
258 else \
259 __i += sizeof(struct ebt_entries); \
260 } \
261 if (__ret == 0) { \
262 if (__i != (size)) \
263 __ret = -EINVAL; \
264 } \
265 __ret; \
266})
267
268#endif /* _UAPI__LINUX_BRIDGE_EFF_H */
diff --git a/include/uapi/linux/netfilter_ipv4/Kbuild b/include/uapi/linux/netfilter_ipv4/Kbuild
index aafaa5aa54d4..fb008437dde1 100644
--- a/include/uapi/linux/netfilter_ipv4/Kbuild
+++ b/include/uapi/linux/netfilter_ipv4/Kbuild
@@ -1 +1,11 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += ip_tables.h
3header-y += ipt_CLUSTERIP.h
4header-y += ipt_ECN.h
5header-y += ipt_LOG.h
6header-y += ipt_REJECT.h
7header-y += ipt_TTL.h
8header-y += ipt_ULOG.h
9header-y += ipt_ah.h
10header-y += ipt_ecn.h
11header-y += ipt_ttl.h
diff --git a/include/uapi/linux/netfilter_ipv4/ip_tables.h b/include/uapi/linux/netfilter_ipv4/ip_tables.h
new file mode 100644
index 000000000000..f1e6ef256034
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ip_tables.h
@@ -0,0 +1,229 @@
1/*
2 * 25-Jul-1998 Major changes to allow for ip chain table
3 *
4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
5 */
6
7/*
8 * Format of an IP firewall descriptor
9 *
10 * src, dst, src_mask, dst_mask are always stored in network byte order.
11 * flags are stored in host byte order (of course).
12 * Port numbers are stored in HOST byte order.
13 */
14
15#ifndef _UAPI_IPTABLES_H
16#define _UAPI_IPTABLES_H
17
18#include <linux/types.h>
19#include <linux/compiler.h>
20#include <linux/netfilter_ipv4.h>
21
22#include <linux/netfilter/x_tables.h>
23
24#ifndef __KERNEL__
25#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
26#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
27#define ipt_match xt_match
28#define ipt_target xt_target
29#define ipt_table xt_table
30#define ipt_get_revision xt_get_revision
31#define ipt_entry_match xt_entry_match
32#define ipt_entry_target xt_entry_target
33#define ipt_standard_target xt_standard_target
34#define ipt_error_target xt_error_target
35#define ipt_counters xt_counters
36#define IPT_CONTINUE XT_CONTINUE
37#define IPT_RETURN XT_RETURN
38
39/* This group is older than old (iptables < v1.4.0-rc1~89) */
40#include <linux/netfilter/xt_tcpudp.h>
41#define ipt_udp xt_udp
42#define ipt_tcp xt_tcp
43#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT
44#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT
45#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS
46#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION
47#define IPT_TCP_INV_MASK XT_TCP_INV_MASK
48#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT
49#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT
50#define IPT_UDP_INV_MASK XT_UDP_INV_MASK
51
52/* The argument to IPT_SO_ADD_COUNTERS. */
53#define ipt_counters_info xt_counters_info
54/* Standard return verdict, or do jump. */
55#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
56/* Error verdict. */
57#define IPT_ERROR_TARGET XT_ERROR_TARGET
58
59/* fn returns 0 to continue iteration */
60#define IPT_MATCH_ITERATE(e, fn, args...) \
61 XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
62
63/* fn returns 0 to continue iteration */
64#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
65 XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
66#endif
67
68/* Yes, Virginia, you have to zero the padding. */
69struct ipt_ip {
70 /* Source and destination IP addr */
71 struct in_addr src, dst;
72 /* Mask for src and dest IP addr */
73 struct in_addr smsk, dmsk;
74 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
75 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
76
77 /* Protocol, 0 = ANY */
78 __u16 proto;
79
80 /* Flags word */
81 __u8 flags;
82 /* Inverse flags */
83 __u8 invflags;
84};
85
86/* Values for "flag" field in struct ipt_ip (general ip structure). */
87#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
88#define IPT_F_GOTO 0x02 /* Set if jump is a goto */
89#define IPT_F_MASK 0x03 /* All possible flag bits mask. */
90
91/* Values for "inv" field in struct ipt_ip. */
92#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
93#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
94#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */
95#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
96#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
97#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */
98#define IPT_INV_PROTO XT_INV_PROTO
99#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */
100
101/* This structure defines each of the firewall rules. Consists of 3
102 parts which are 1) general IP header stuff 2) match specific
103 stuff 3) the target to perform if the rule matches */
104struct ipt_entry {
105 struct ipt_ip ip;
106
107 /* Mark with fields that we care about. */
108 unsigned int nfcache;
109
110 /* Size of ipt_entry + matches */
111 __u16 target_offset;
112 /* Size of ipt_entry + matches + target */
113 __u16 next_offset;
114
115 /* Back pointer */
116 unsigned int comefrom;
117
118 /* Packet and byte counters. */
119 struct xt_counters counters;
120
121 /* The matches (if any), then the target. */
122 unsigned char elems[0];
123};
124
125/*
126 * New IP firewall options for [gs]etsockopt at the RAW IP level.
127 * Unlike BSD Linux inherits IP options so you don't have to use a raw
128 * socket for this. Instead we check rights in the calls.
129 *
130 * ATTENTION: check linux/in.h before adding new number here.
131 */
132#define IPT_BASE_CTL 64
133
134#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
135#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
136#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS
137
138#define IPT_SO_GET_INFO (IPT_BASE_CTL)
139#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
140#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
141#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
142#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
143
144/* ICMP matching stuff */
145struct ipt_icmp {
146 __u8 type; /* type to match */
147 __u8 code[2]; /* range of code */
148 __u8 invflags; /* Inverse flags */
149};
150
151/* Values for "inv" field for struct ipt_icmp. */
152#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */
153
154/* The argument to IPT_SO_GET_INFO */
155struct ipt_getinfo {
156 /* Which table: caller fills this in. */
157 char name[XT_TABLE_MAXNAMELEN];
158
159 /* Kernel fills these in. */
160 /* Which hook entry points are valid: bitmask */
161 unsigned int valid_hooks;
162
163 /* Hook entry points: one per netfilter hook. */
164 unsigned int hook_entry[NF_INET_NUMHOOKS];
165
166 /* Underflow points. */
167 unsigned int underflow[NF_INET_NUMHOOKS];
168
169 /* Number of entries */
170 unsigned int num_entries;
171
172 /* Size of entries. */
173 unsigned int size;
174};
175
176/* The argument to IPT_SO_SET_REPLACE. */
177struct ipt_replace {
178 /* Which table. */
179 char name[XT_TABLE_MAXNAMELEN];
180
181 /* Which hook entry points are valid: bitmask. You can't
182 change this. */
183 unsigned int valid_hooks;
184
185 /* Number of entries */
186 unsigned int num_entries;
187
188 /* Total size of new entries */
189 unsigned int size;
190
191 /* Hook entry points. */
192 unsigned int hook_entry[NF_INET_NUMHOOKS];
193
194 /* Underflow points. */
195 unsigned int underflow[NF_INET_NUMHOOKS];
196
197 /* Information about old entries: */
198 /* Number of counters (must be equal to current number of entries). */
199 unsigned int num_counters;
200 /* The old entries' counters. */
201 struct xt_counters __user *counters;
202
203 /* The entries (hang off end: not really an array). */
204 struct ipt_entry entries[0];
205};
206
207/* The argument to IPT_SO_GET_ENTRIES. */
208struct ipt_get_entries {
209 /* Which table: user fills this in. */
210 char name[XT_TABLE_MAXNAMELEN];
211
212 /* User fills this in: total entry size. */
213 unsigned int size;
214
215 /* The entries. */
216 struct ipt_entry entrytable[0];
217};
218
219/* Helper functions */
220static __inline__ struct xt_entry_target *
221ipt_get_target(struct ipt_entry *e)
222{
223 return (void *)e + e->target_offset;
224}
225
226/*
227 * Main firewall chains definitions and global var's definitions.
228 */
229#endif /* _UAPI_IPTABLES_H */
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h
new file mode 100644
index 000000000000..c6a204c97047
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h
@@ -0,0 +1,36 @@
1#ifndef _IPT_CLUSTERIP_H_target
2#define _IPT_CLUSTERIP_H_target
3
4#include <linux/types.h>
5
6enum clusterip_hashmode {
7 CLUSTERIP_HASHMODE_SIP = 0,
8 CLUSTERIP_HASHMODE_SIP_SPT,
9 CLUSTERIP_HASHMODE_SIP_SPT_DPT,
10};
11
12#define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT
13
14#define CLUSTERIP_MAX_NODES 16
15
16#define CLUSTERIP_FLAG_NEW 0x00000001
17
18struct clusterip_config;
19
20struct ipt_clusterip_tgt_info {
21
22 __u32 flags;
23
24 /* only relevant for new ones */
25 __u8 clustermac[6];
26 __u16 num_total_nodes;
27 __u16 num_local_nodes;
28 __u16 local_nodes[CLUSTERIP_MAX_NODES];
29 __u32 hash_mode;
30 __u32 hash_initval;
31
32 /* Used internally by the kernel */
33 struct clusterip_config *config;
34};
35
36#endif /*_IPT_CLUSTERIP_H_target*/
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ECN.h b/include/uapi/linux/netfilter_ipv4/ipt_ECN.h
new file mode 100644
index 000000000000..bb88d5315a4d
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ECN.h
@@ -0,0 +1,33 @@
1/* Header file for iptables ipt_ECN target
2 *
3 * (C) 2002 by Harald Welte <laforge@gnumonks.org>
4 *
5 * This software is distributed under GNU GPL v2, 1991
6 *
7 * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp
8*/
9#ifndef _IPT_ECN_TARGET_H
10#define _IPT_ECN_TARGET_H
11
12#include <linux/types.h>
13#include <linux/netfilter/xt_DSCP.h>
14
15#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
16
17#define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */
18#define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */
19#define IPT_ECN_OP_SET_CWR 0x20 /* set CWR bit of TCP header */
20
21#define IPT_ECN_OP_MASK 0xce
22
23struct ipt_ECN_info {
24 __u8 operation; /* bitset of operations */
25 __u8 ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */
26 union {
27 struct {
28 __u8 ece:1, cwr:1; /* TCP ECT bits */
29 } tcp;
30 } proto;
31};
32
33#endif /* _IPT_ECN_TARGET_H */
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_LOG.h b/include/uapi/linux/netfilter_ipv4/ipt_LOG.h
new file mode 100644
index 000000000000..5d8152077d71
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_LOG.h
@@ -0,0 +1,21 @@
1#ifndef _IPT_LOG_H
2#define _IPT_LOG_H
3
4#warning "Please update iptables, this file will be removed soon!"
5
6/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
7#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
8#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
9#define IPT_LOG_IPOPT 0x04 /* Log IP options */
10#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
11#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
12#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */
13#define IPT_LOG_MASK 0x2f
14
15struct ipt_log_info {
16 unsigned char level;
17 unsigned char logflags;
18 char prefix[30];
19};
20
21#endif /*_IPT_LOG_H*/
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_REJECT.h b/include/uapi/linux/netfilter_ipv4/ipt_REJECT.h
new file mode 100644
index 000000000000..4293a1ad1b01
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_REJECT.h
@@ -0,0 +1,20 @@
1#ifndef _IPT_REJECT_H
2#define _IPT_REJECT_H
3
4enum ipt_reject_with {
5 IPT_ICMP_NET_UNREACHABLE,
6 IPT_ICMP_HOST_UNREACHABLE,
7 IPT_ICMP_PROT_UNREACHABLE,
8 IPT_ICMP_PORT_UNREACHABLE,
9 IPT_ICMP_ECHOREPLY,
10 IPT_ICMP_NET_PROHIBITED,
11 IPT_ICMP_HOST_PROHIBITED,
12 IPT_TCP_RESET,
13 IPT_ICMP_ADMIN_PROHIBITED
14};
15
16struct ipt_reject_info {
17 enum ipt_reject_with with; /* reject type */
18};
19
20#endif /*_IPT_REJECT_H*/
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_TTL.h b/include/uapi/linux/netfilter_ipv4/ipt_TTL.h
new file mode 100644
index 000000000000..f6ac169d92f9
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_TTL.h
@@ -0,0 +1,23 @@
1/* TTL modification module for IP tables
2 * (C) 2000 by Harald Welte <laforge@netfilter.org> */
3
4#ifndef _IPT_TTL_H
5#define _IPT_TTL_H
6
7#include <linux/types.h>
8
9enum {
10 IPT_TTL_SET = 0,
11 IPT_TTL_INC,
12 IPT_TTL_DEC
13};
14
15#define IPT_TTL_MAXMODE IPT_TTL_DEC
16
17struct ipt_TTL_info {
18 __u8 mode;
19 __u8 ttl;
20};
21
22
23#endif
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ULOG.h b/include/uapi/linux/netfilter_ipv4/ipt_ULOG.h
new file mode 100644
index 000000000000..417aad280bcc
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ULOG.h
@@ -0,0 +1,49 @@
1/* Header file for IP tables userspace logging, Version 1.8
2 *
3 * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
4 *
5 * Distributed under the terms of GNU GPL */
6
7#ifndef _IPT_ULOG_H
8#define _IPT_ULOG_H
9
10#ifndef NETLINK_NFLOG
11#define NETLINK_NFLOG 5
12#endif
13
14#define ULOG_DEFAULT_NLGROUP 1
15#define ULOG_DEFAULT_QTHRESHOLD 1
16
17#define ULOG_MAC_LEN 80
18#define ULOG_PREFIX_LEN 32
19
20#define ULOG_MAX_QLEN 50
21/* Why 50? Well... there is a limit imposed by the slab cache 131000
22 * bytes. So the multipart netlink-message has to be < 131000 bytes.
23 * Assuming a standard ethernet-mtu of 1500, we could define this up
24 * to 80... but even 50 seems to be big enough. */
25
26/* private data structure for each rule with a ULOG target */
27struct ipt_ulog_info {
28 unsigned int nl_group;
29 size_t copy_range;
30 size_t qthreshold;
31 char prefix[ULOG_PREFIX_LEN];
32};
33
34/* Format of the ULOG packets passed through netlink */
35typedef struct ulog_packet_msg {
36 unsigned long mark;
37 long timestamp_sec;
38 long timestamp_usec;
39 unsigned int hook;
40 char indev_name[IFNAMSIZ];
41 char outdev_name[IFNAMSIZ];
42 size_t data_len;
43 char prefix[ULOG_PREFIX_LEN];
44 unsigned char mac_len;
45 unsigned char mac[ULOG_MAC_LEN];
46 unsigned char payload[0];
47} ulog_packet_msg_t;
48
49#endif /*_IPT_ULOG_H*/
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ah.h b/include/uapi/linux/netfilter_ipv4/ipt_ah.h
new file mode 100644
index 000000000000..4e02bb0119e3
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ah.h
@@ -0,0 +1,17 @@
1#ifndef _IPT_AH_H
2#define _IPT_AH_H
3
4#include <linux/types.h>
5
6struct ipt_ah {
7 __u32 spis[2]; /* Security Parameter Index */
8 __u8 invflags; /* Inverse flags */
9};
10
11
12
13/* Values for "invflags" field in struct ipt_ah. */
14#define IPT_AH_INV_SPI 0x01 /* Invert the sense of spi. */
15#define IPT_AH_INV_MASK 0x01 /* All possible flags. */
16
17#endif /*_IPT_AH_H*/
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ecn.h b/include/uapi/linux/netfilter_ipv4/ipt_ecn.h
new file mode 100644
index 000000000000..0e0c063dbf60
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ecn.h
@@ -0,0 +1,15 @@
1#ifndef _IPT_ECN_H
2#define _IPT_ECN_H
3
4#include <linux/netfilter/xt_ecn.h>
5#define ipt_ecn_info xt_ecn_info
6
7enum {
8 IPT_ECN_IP_MASK = XT_ECN_IP_MASK,
9 IPT_ECN_OP_MATCH_IP = XT_ECN_OP_MATCH_IP,
10 IPT_ECN_OP_MATCH_ECE = XT_ECN_OP_MATCH_ECE,
11 IPT_ECN_OP_MATCH_CWR = XT_ECN_OP_MATCH_CWR,
12 IPT_ECN_OP_MATCH_MASK = XT_ECN_OP_MATCH_MASK,
13};
14
15#endif /* IPT_ECN_H */
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ttl.h b/include/uapi/linux/netfilter_ipv4/ipt_ttl.h
new file mode 100644
index 000000000000..37bee4442486
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ttl.h
@@ -0,0 +1,23 @@
1/* IP tables module for matching the value of the TTL
2 * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
3
4#ifndef _IPT_TTL_H
5#define _IPT_TTL_H
6
7#include <linux/types.h>
8
9enum {
10 IPT_TTL_EQ = 0, /* equals */
11 IPT_TTL_NE, /* not equals */
12 IPT_TTL_LT, /* less than */
13 IPT_TTL_GT, /* greater than */
14};
15
16
17struct ipt_ttl_info {
18 __u8 mode;
19 __u8 ttl;
20};
21
22
23#endif
diff --git a/include/uapi/linux/netfilter_ipv6/Kbuild b/include/uapi/linux/netfilter_ipv6/Kbuild
index aafaa5aa54d4..75a668ca2353 100644
--- a/include/uapi/linux/netfilter_ipv6/Kbuild
+++ b/include/uapi/linux/netfilter_ipv6/Kbuild
@@ -1 +1,13 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += ip6_tables.h
3header-y += ip6t_HL.h
4header-y += ip6t_LOG.h
5header-y += ip6t_NPT.h
6header-y += ip6t_REJECT.h
7header-y += ip6t_ah.h
8header-y += ip6t_frag.h
9header-y += ip6t_hl.h
10header-y += ip6t_ipv6header.h
11header-y += ip6t_mh.h
12header-y += ip6t_opts.h
13header-y += ip6t_rt.h
diff --git a/include/uapi/linux/netfilter_ipv6/ip6_tables.h b/include/uapi/linux/netfilter_ipv6/ip6_tables.h
new file mode 100644
index 000000000000..bf1ef65cc582
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6_tables.h
@@ -0,0 +1,267 @@
1/*
2 * 25-Jul-1998 Major changes to allow for ip chain table
3 *
4 * 3-Jan-2000 Named tables to allow packet selection for different uses.
5 */
6
7/*
8 * Format of an IP6 firewall descriptor
9 *
10 * src, dst, src_mask, dst_mask are always stored in network byte order.
11 * flags are stored in host byte order (of course).
12 * Port numbers are stored in HOST byte order.
13 */
14
15#ifndef _UAPI_IP6_TABLES_H
16#define _UAPI_IP6_TABLES_H
17
18#include <linux/types.h>
19#include <linux/compiler.h>
20#include <linux/netfilter_ipv6.h>
21
22#include <linux/netfilter/x_tables.h>
23
24#ifndef __KERNEL__
25#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
26#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
27#define ip6t_match xt_match
28#define ip6t_target xt_target
29#define ip6t_table xt_table
30#define ip6t_get_revision xt_get_revision
31#define ip6t_entry_match xt_entry_match
32#define ip6t_entry_target xt_entry_target
33#define ip6t_standard_target xt_standard_target
34#define ip6t_error_target xt_error_target
35#define ip6t_counters xt_counters
36#define IP6T_CONTINUE XT_CONTINUE
37#define IP6T_RETURN XT_RETURN
38
39/* Pre-iptables-1.4.0 */
40#include <linux/netfilter/xt_tcpudp.h>
41#define ip6t_tcp xt_tcp
42#define ip6t_udp xt_udp
43#define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT
44#define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT
45#define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS
46#define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION
47#define IP6T_TCP_INV_MASK XT_TCP_INV_MASK
48#define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT
49#define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT
50#define IP6T_UDP_INV_MASK XT_UDP_INV_MASK
51
52#define ip6t_counters_info xt_counters_info
53#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
54#define IP6T_ERROR_TARGET XT_ERROR_TARGET
55#define IP6T_MATCH_ITERATE(e, fn, args...) \
56 XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
57#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
58 XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
59#endif
60
61/* Yes, Virginia, you have to zero the padding. */
62struct ip6t_ip6 {
63 /* Source and destination IP6 addr */
64 struct in6_addr src, dst;
65 /* Mask for src and dest IP6 addr */
66 struct in6_addr smsk, dmsk;
67 char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
68 unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
69
70 /* Upper protocol number
71 * - The allowed value is 0 (any) or protocol number of last parsable
72 * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
73 * the non IPv6 extension headers.
74 * - The protocol numbers of IPv6 extension headers except of ESP and
75 * MH do not match any packets.
76 * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
77 */
78 __u16 proto;
79 /* TOS to match iff flags & IP6T_F_TOS */
80 __u8 tos;
81
82 /* Flags word */
83 __u8 flags;
84 /* Inverse flags */
85 __u8 invflags;
86};
87
88/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
89#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
90 protocols */
91#define IP6T_F_TOS 0x02 /* Match the TOS. */
92#define IP6T_F_GOTO 0x04 /* Set if jump is a goto */
93#define IP6T_F_MASK 0x07 /* All possible flag bits mask. */
94
95/* Values for "inv" field in struct ip6t_ip6. */
96#define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
97#define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
98#define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */
99#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
100#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
101#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */
102#define IP6T_INV_PROTO XT_INV_PROTO
103#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */
104
105/* This structure defines each of the firewall rules. Consists of 3
106 parts which are 1) general IP header stuff 2) match specific
107 stuff 3) the target to perform if the rule matches */
108struct ip6t_entry {
109 struct ip6t_ip6 ipv6;
110
111 /* Mark with fields that we care about. */
112 unsigned int nfcache;
113
114 /* Size of ipt_entry + matches */
115 __u16 target_offset;
116 /* Size of ipt_entry + matches + target */
117 __u16 next_offset;
118
119 /* Back pointer */
120 unsigned int comefrom;
121
122 /* Packet and byte counters. */
123 struct xt_counters counters;
124
125 /* The matches (if any), then the target. */
126 unsigned char elems[0];
127};
128
129/* Standard entry */
130struct ip6t_standard {
131 struct ip6t_entry entry;
132 struct xt_standard_target target;
133};
134
135struct ip6t_error {
136 struct ip6t_entry entry;
137 struct xt_error_target target;
138};
139
140#define IP6T_ENTRY_INIT(__size) \
141{ \
142 .target_offset = sizeof(struct ip6t_entry), \
143 .next_offset = (__size), \
144}
145
146#define IP6T_STANDARD_INIT(__verdict) \
147{ \
148 .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \
149 .target = XT_TARGET_INIT(XT_STANDARD_TARGET, \
150 sizeof(struct xt_standard_target)), \
151 .target.verdict = -(__verdict) - 1, \
152}
153
154#define IP6T_ERROR_INIT \
155{ \
156 .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \
157 .target = XT_TARGET_INIT(XT_ERROR_TARGET, \
158 sizeof(struct xt_error_target)), \
159 .target.errorname = "ERROR", \
160}
161
162/*
163 * New IP firewall options for [gs]etsockopt at the RAW IP level.
164 * Unlike BSD Linux inherits IP options so you don't have to use
165 * a raw socket for this. Instead we check rights in the calls.
166 *
167 * ATTENTION: check linux/in6.h before adding new number here.
168 */
169#define IP6T_BASE_CTL 64
170
171#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL)
172#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1)
173#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS
174
175#define IP6T_SO_GET_INFO (IP6T_BASE_CTL)
176#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1)
177#define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4)
178#define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5)
179#define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET
180
181/* ICMP matching stuff */
182struct ip6t_icmp {
183 __u8 type; /* type to match */
184 __u8 code[2]; /* range of code */
185 __u8 invflags; /* Inverse flags */
186};
187
188/* Values for "inv" field for struct ipt_icmp. */
189#define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */
190
191/* The argument to IP6T_SO_GET_INFO */
192struct ip6t_getinfo {
193 /* Which table: caller fills this in. */
194 char name[XT_TABLE_MAXNAMELEN];
195
196 /* Kernel fills these in. */
197 /* Which hook entry points are valid: bitmask */
198 unsigned int valid_hooks;
199
200 /* Hook entry points: one per netfilter hook. */
201 unsigned int hook_entry[NF_INET_NUMHOOKS];
202
203 /* Underflow points. */
204 unsigned int underflow[NF_INET_NUMHOOKS];
205
206 /* Number of entries */
207 unsigned int num_entries;
208
209 /* Size of entries. */
210 unsigned int size;
211};
212
213/* The argument to IP6T_SO_SET_REPLACE. */
214struct ip6t_replace {
215 /* Which table. */
216 char name[XT_TABLE_MAXNAMELEN];
217
218 /* Which hook entry points are valid: bitmask. You can't
219 change this. */
220 unsigned int valid_hooks;
221
222 /* Number of entries */
223 unsigned int num_entries;
224
225 /* Total size of new entries */
226 unsigned int size;
227
228 /* Hook entry points. */
229 unsigned int hook_entry[NF_INET_NUMHOOKS];
230
231 /* Underflow points. */
232 unsigned int underflow[NF_INET_NUMHOOKS];
233
234 /* Information about old entries: */
235 /* Number of counters (must be equal to current number of entries). */
236 unsigned int num_counters;
237 /* The old entries' counters. */
238 struct xt_counters __user *counters;
239
240 /* The entries (hang off end: not really an array). */
241 struct ip6t_entry entries[0];
242};
243
244/* The argument to IP6T_SO_GET_ENTRIES. */
245struct ip6t_get_entries {
246 /* Which table: user fills this in. */
247 char name[XT_TABLE_MAXNAMELEN];
248
249 /* User fills this in: total entry size. */
250 unsigned int size;
251
252 /* The entries. */
253 struct ip6t_entry entrytable[0];
254};
255
256/* Helper functions */
257static __inline__ struct xt_entry_target *
258ip6t_get_target(struct ip6t_entry *e)
259{
260 return (void *)e + e->target_offset;
261}
262
263/*
264 * Main firewall chains definitions and global var's definitions.
265 */
266
267#endif /* _UAPI_IP6_TABLES_H */
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_HL.h b/include/uapi/linux/netfilter_ipv6/ip6t_HL.h
new file mode 100644
index 000000000000..ebd8ead1bb63
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_HL.h
@@ -0,0 +1,24 @@
1/* Hop Limit modification module for ip6tables
2 * Maciej Soltysiak <solt@dns.toxicfilms.tv>
3 * Based on HW's TTL module */
4
5#ifndef _IP6T_HL_H
6#define _IP6T_HL_H
7
8#include <linux/types.h>
9
10enum {
11 IP6T_HL_SET = 0,
12 IP6T_HL_INC,
13 IP6T_HL_DEC
14};
15
16#define IP6T_HL_MAXMODE IP6T_HL_DEC
17
18struct ip6t_HL_info {
19 __u8 mode;
20 __u8 hop_limit;
21};
22
23
24#endif
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_LOG.h b/include/uapi/linux/netfilter_ipv6/ip6t_LOG.h
new file mode 100644
index 000000000000..3dd0bc4e0735
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_LOG.h
@@ -0,0 +1,21 @@
1#ifndef _IP6T_LOG_H
2#define _IP6T_LOG_H
3
4#warning "Please update iptables, this file will be removed soon!"
5
6/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
7#define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
8#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */
9#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
10#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
11#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
12#define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */
13#define IP6T_LOG_MASK 0x2f
14
15struct ip6t_log_info {
16 unsigned char level;
17 unsigned char logflags;
18 char prefix[30];
19};
20
21#endif /*_IPT_LOG_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_NPT.h b/include/uapi/linux/netfilter_ipv6/ip6t_NPT.h
new file mode 100644
index 000000000000..f763355481b5
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_NPT.h
@@ -0,0 +1,16 @@
1#ifndef __NETFILTER_IP6T_NPT
2#define __NETFILTER_IP6T_NPT
3
4#include <linux/types.h>
5#include <linux/netfilter.h>
6
7struct ip6t_npt_tginfo {
8 union nf_inet_addr src_pfx;
9 union nf_inet_addr dst_pfx;
10 __u8 src_pfx_len;
11 __u8 dst_pfx_len;
12 /* Used internally by the kernel */
13 __sum16 adjustment;
14};
15
16#endif /* __NETFILTER_IP6T_NPT */
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h b/include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h
new file mode 100644
index 000000000000..205ed62e4605
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h
@@ -0,0 +1,20 @@
1#ifndef _IP6T_REJECT_H
2#define _IP6T_REJECT_H
3
4#include <linux/types.h>
5
6enum ip6t_reject_with {
7 IP6T_ICMP6_NO_ROUTE,
8 IP6T_ICMP6_ADM_PROHIBITED,
9 IP6T_ICMP6_NOT_NEIGHBOUR,
10 IP6T_ICMP6_ADDR_UNREACH,
11 IP6T_ICMP6_PORT_UNREACH,
12 IP6T_ICMP6_ECHOREPLY,
13 IP6T_TCP_RESET
14};
15
16struct ip6t_reject_info {
17 __u32 with; /* reject type */
18};
19
20#endif /*_IP6T_REJECT_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_ah.h b/include/uapi/linux/netfilter_ipv6/ip6t_ah.h
new file mode 100644
index 000000000000..5da2b65cb3ad
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_ah.h
@@ -0,0 +1,22 @@
1#ifndef _IP6T_AH_H
2#define _IP6T_AH_H
3
4#include <linux/types.h>
5
6struct ip6t_ah {
7 __u32 spis[2]; /* Security Parameter Index */
8 __u32 hdrlen; /* Header Length */
9 __u8 hdrres; /* Test of the Reserved Filed */
10 __u8 invflags; /* Inverse flags */
11};
12
13#define IP6T_AH_SPI 0x01
14#define IP6T_AH_LEN 0x02
15#define IP6T_AH_RES 0x04
16
17/* Values for "invflags" field in struct ip6t_ah. */
18#define IP6T_AH_INV_SPI 0x01 /* Invert the sense of spi. */
19#define IP6T_AH_INV_LEN 0x02 /* Invert the sense of length. */
20#define IP6T_AH_INV_MASK 0x03 /* All possible flags. */
21
22#endif /*_IP6T_AH_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_frag.h b/include/uapi/linux/netfilter_ipv6/ip6t_frag.h
new file mode 100644
index 000000000000..b47f61b9e082
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_frag.h
@@ -0,0 +1,25 @@
1#ifndef _IP6T_FRAG_H
2#define _IP6T_FRAG_H
3
4#include <linux/types.h>
5
6struct ip6t_frag {
7 __u32 ids[2]; /* Security Parameter Index */
8 __u32 hdrlen; /* Header Length */
9 __u8 flags; /* */
10 __u8 invflags; /* Inverse flags */
11};
12
13#define IP6T_FRAG_IDS 0x01
14#define IP6T_FRAG_LEN 0x02
15#define IP6T_FRAG_RES 0x04
16#define IP6T_FRAG_FST 0x08
17#define IP6T_FRAG_MF 0x10
18#define IP6T_FRAG_NMF 0x20
19
20/* Values for "invflags" field in struct ip6t_frag. */
21#define IP6T_FRAG_INV_IDS 0x01 /* Invert the sense of ids. */
22#define IP6T_FRAG_INV_LEN 0x02 /* Invert the sense of length. */
23#define IP6T_FRAG_INV_MASK 0x03 /* All possible flags. */
24
25#endif /*_IP6T_FRAG_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_hl.h b/include/uapi/linux/netfilter_ipv6/ip6t_hl.h
new file mode 100644
index 000000000000..6e76dbc6c19a
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_hl.h
@@ -0,0 +1,24 @@
1/* ip6tables module for matching the Hop Limit value
2 * Maciej Soltysiak <solt@dns.toxicfilms.tv>
3 * Based on HW's ttl module */
4
5#ifndef _IP6T_HL_H
6#define _IP6T_HL_H
7
8#include <linux/types.h>
9
10enum {
11 IP6T_HL_EQ = 0, /* equals */
12 IP6T_HL_NE, /* not equals */
13 IP6T_HL_LT, /* less than */
14 IP6T_HL_GT, /* greater than */
15};
16
17
18struct ip6t_hl_info {
19 __u8 mode;
20 __u8 hop_limit;
21};
22
23
24#endif
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h b/include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h
new file mode 100644
index 000000000000..efae3a20c214
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h
@@ -0,0 +1,28 @@
1/* ipv6header match - matches IPv6 packets based
2on whether they contain certain headers */
3
4/* Original idea: Brad Chapman
5 * Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */
6
7
8#ifndef __IPV6HEADER_H
9#define __IPV6HEADER_H
10
11#include <linux/types.h>
12
13struct ip6t_ipv6header_info {
14 __u8 matchflags;
15 __u8 invflags;
16 __u8 modeflag;
17};
18
19#define MASK_HOPOPTS 128
20#define MASK_DSTOPTS 64
21#define MASK_ROUTING 32
22#define MASK_FRAGMENT 16
23#define MASK_AH 8
24#define MASK_ESP 4
25#define MASK_NONE 2
26#define MASK_PROTO 1
27
28#endif /* __IPV6HEADER_H */
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_mh.h b/include/uapi/linux/netfilter_ipv6/ip6t_mh.h
new file mode 100644
index 000000000000..a7729a5025cd
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_mh.h
@@ -0,0 +1,16 @@
1#ifndef _IP6T_MH_H
2#define _IP6T_MH_H
3
4#include <linux/types.h>
5
6/* MH matching stuff */
7struct ip6t_mh {
8 __u8 types[2]; /* MH type range */
9 __u8 invflags; /* Inverse flags */
10};
11
12/* Values for "invflags" field in struct ip6t_mh. */
13#define IP6T_MH_INV_TYPE 0x01 /* Invert the sense of type. */
14#define IP6T_MH_INV_MASK 0x01 /* All possible flags. */
15
16#endif /*_IP6T_MH_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_opts.h b/include/uapi/linux/netfilter_ipv6/ip6t_opts.h
new file mode 100644
index 000000000000..17d419a811fd
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_opts.h
@@ -0,0 +1,24 @@
1#ifndef _IP6T_OPTS_H
2#define _IP6T_OPTS_H
3
4#include <linux/types.h>
5
6#define IP6T_OPTS_OPTSNR 16
7
8struct ip6t_opts {
9 __u32 hdrlen; /* Header Length */
10 __u8 flags; /* */
11 __u8 invflags; /* Inverse flags */
12 __u16 opts[IP6T_OPTS_OPTSNR]; /* opts */
13 __u8 optsnr; /* Nr of OPts */
14};
15
16#define IP6T_OPTS_LEN 0x01
17#define IP6T_OPTS_OPTS 0x02
18#define IP6T_OPTS_NSTRICT 0x04
19
20/* Values for "invflags" field in struct ip6t_rt. */
21#define IP6T_OPTS_INV_LEN 0x01 /* Invert the sense of length. */
22#define IP6T_OPTS_INV_MASK 0x01 /* All possible flags. */
23
24#endif /*_IP6T_OPTS_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_rt.h b/include/uapi/linux/netfilter_ipv6/ip6t_rt.h
new file mode 100644
index 000000000000..7605a5ff81cd
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_rt.h
@@ -0,0 +1,33 @@
1#ifndef _IP6T_RT_H
2#define _IP6T_RT_H
3
4#include <linux/types.h>
5/*#include <linux/in6.h>*/
6
7#define IP6T_RT_HOPS 16
8
9struct ip6t_rt {
10 __u32 rt_type; /* Routing Type */
11 __u32 segsleft[2]; /* Segments Left */
12 __u32 hdrlen; /* Header Length */
13 __u8 flags; /* */
14 __u8 invflags; /* Inverse flags */
15 struct in6_addr addrs[IP6T_RT_HOPS]; /* Hops */
16 __u8 addrnr; /* Nr of Addresses */
17};
18
19#define IP6T_RT_TYP 0x01
20#define IP6T_RT_SGS 0x02
21#define IP6T_RT_LEN 0x04
22#define IP6T_RT_RES 0x08
23#define IP6T_RT_FST_MASK 0x30
24#define IP6T_RT_FST 0x10
25#define IP6T_RT_FST_NSTRICT 0x20
26
27/* Values for "invflags" field in struct ip6t_rt. */
28#define IP6T_RT_INV_TYP 0x01 /* Invert the sense of type. */
29#define IP6T_RT_INV_SGS 0x02 /* Invert the sense of Segments. */
30#define IP6T_RT_INV_LEN 0x04 /* Invert the sense of length. */
31#define IP6T_RT_INV_MASK 0x07 /* All possible flags. */
32
33#endif /*_IP6T_RT_H*/
diff --git a/include/uapi/linux/tc_act/Kbuild b/include/uapi/linux/tc_act/Kbuild
index aafaa5aa54d4..0623ec4e728f 100644
--- a/include/uapi/linux/tc_act/Kbuild
+++ b/include/uapi/linux/tc_act/Kbuild
@@ -1 +1,8 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += tc_csum.h
3header-y += tc_gact.h
4header-y += tc_ipt.h
5header-y += tc_mirred.h
6header-y += tc_nat.h
7header-y += tc_pedit.h
8header-y += tc_skbedit.h
diff --git a/include/uapi/linux/tc_act/tc_csum.h b/include/uapi/linux/tc_act/tc_csum.h
new file mode 100644
index 000000000000..a047c49a3153
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_csum.h
@@ -0,0 +1,32 @@
1#ifndef __LINUX_TC_CSUM_H
2#define __LINUX_TC_CSUM_H
3
4#include <linux/types.h>
5#include <linux/pkt_cls.h>
6
7#define TCA_ACT_CSUM 16
8
9enum {
10 TCA_CSUM_UNSPEC,
11 TCA_CSUM_PARMS,
12 TCA_CSUM_TM,
13 __TCA_CSUM_MAX
14};
15#define TCA_CSUM_MAX (__TCA_CSUM_MAX - 1)
16
17enum {
18 TCA_CSUM_UPDATE_FLAG_IPV4HDR = 1,
19 TCA_CSUM_UPDATE_FLAG_ICMP = 2,
20 TCA_CSUM_UPDATE_FLAG_IGMP = 4,
21 TCA_CSUM_UPDATE_FLAG_TCP = 8,
22 TCA_CSUM_UPDATE_FLAG_UDP = 16,
23 TCA_CSUM_UPDATE_FLAG_UDPLITE = 32
24};
25
26struct tc_csum {
27 tc_gen;
28
29 __u32 update_flags;
30};
31
32#endif /* __LINUX_TC_CSUM_H */
diff --git a/include/uapi/linux/tc_act/tc_gact.h b/include/uapi/linux/tc_act/tc_gact.h
new file mode 100644
index 000000000000..f7bf94eed510
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_gact.h
@@ -0,0 +1,32 @@
1#ifndef __LINUX_TC_GACT_H
2#define __LINUX_TC_GACT_H
3
4#include <linux/types.h>
5#include <linux/pkt_cls.h>
6
7#define TCA_ACT_GACT 5
8struct tc_gact {
9 tc_gen;
10
11};
12
13struct tc_gact_p {
14#define PGACT_NONE 0
15#define PGACT_NETRAND 1
16#define PGACT_DETERM 2
17#define MAX_RAND (PGACT_DETERM + 1 )
18 __u16 ptype;
19 __u16 pval;
20 int paction;
21};
22
23enum {
24 TCA_GACT_UNSPEC,
25 TCA_GACT_TM,
26 TCA_GACT_PARMS,
27 TCA_GACT_PROB,
28 __TCA_GACT_MAX
29};
30#define TCA_GACT_MAX (__TCA_GACT_MAX - 1)
31
32#endif
diff --git a/include/uapi/linux/tc_act/tc_ipt.h b/include/uapi/linux/tc_act/tc_ipt.h
new file mode 100644
index 000000000000..a2335563d21f
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_ipt.h
@@ -0,0 +1,20 @@
1#ifndef __LINUX_TC_IPT_H
2#define __LINUX_TC_IPT_H
3
4#include <linux/pkt_cls.h>
5
6#define TCA_ACT_IPT 6
7
8enum {
9 TCA_IPT_UNSPEC,
10 TCA_IPT_TABLE,
11 TCA_IPT_HOOK,
12 TCA_IPT_INDEX,
13 TCA_IPT_CNT,
14 TCA_IPT_TM,
15 TCA_IPT_TARG,
16 __TCA_IPT_MAX
17};
18#define TCA_IPT_MAX (__TCA_IPT_MAX - 1)
19
20#endif
diff --git a/include/uapi/linux/tc_act/tc_mirred.h b/include/uapi/linux/tc_act/tc_mirred.h
new file mode 100644
index 000000000000..7561750e8fd6
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_mirred.h
@@ -0,0 +1,27 @@
1#ifndef __LINUX_TC_MIR_H
2#define __LINUX_TC_MIR_H
3
4#include <linux/types.h>
5#include <linux/pkt_cls.h>
6
7#define TCA_ACT_MIRRED 8
8#define TCA_EGRESS_REDIR 1 /* packet redirect to EGRESS*/
9#define TCA_EGRESS_MIRROR 2 /* mirror packet to EGRESS */
10#define TCA_INGRESS_REDIR 3 /* packet redirect to INGRESS*/
11#define TCA_INGRESS_MIRROR 4 /* mirror packet to INGRESS */
12
13struct tc_mirred {
14 tc_gen;
15 int eaction; /* one of IN/EGRESS_MIRROR/REDIR */
16 __u32 ifindex; /* ifindex of egress port */
17};
18
19enum {
20 TCA_MIRRED_UNSPEC,
21 TCA_MIRRED_TM,
22 TCA_MIRRED_PARMS,
23 __TCA_MIRRED_MAX
24};
25#define TCA_MIRRED_MAX (__TCA_MIRRED_MAX - 1)
26
27#endif
diff --git a/include/uapi/linux/tc_act/tc_nat.h b/include/uapi/linux/tc_act/tc_nat.h
new file mode 100644
index 000000000000..6663aeba0b9a
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_nat.h
@@ -0,0 +1,27 @@
1#ifndef __LINUX_TC_NAT_H
2#define __LINUX_TC_NAT_H
3
4#include <linux/pkt_cls.h>
5#include <linux/types.h>
6
7#define TCA_ACT_NAT 9
8
9enum {
10 TCA_NAT_UNSPEC,
11 TCA_NAT_PARMS,
12 TCA_NAT_TM,
13 __TCA_NAT_MAX
14};
15#define TCA_NAT_MAX (__TCA_NAT_MAX - 1)
16
17#define TCA_NAT_FLAG_EGRESS 1
18
19struct tc_nat {
20 tc_gen;
21 __be32 old_addr;
22 __be32 new_addr;
23 __be32 mask;
24 __u32 flags;
25};
26
27#endif
diff --git a/include/uapi/linux/tc_act/tc_pedit.h b/include/uapi/linux/tc_act/tc_pedit.h
new file mode 100644
index 000000000000..716cfabcd5b2
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_pedit.h
@@ -0,0 +1,34 @@
1#ifndef __LINUX_TC_PED_H
2#define __LINUX_TC_PED_H
3
4#include <linux/types.h>
5#include <linux/pkt_cls.h>
6
7#define TCA_ACT_PEDIT 7
8
9enum {
10 TCA_PEDIT_UNSPEC,
11 TCA_PEDIT_TM,
12 TCA_PEDIT_PARMS,
13 __TCA_PEDIT_MAX
14};
15#define TCA_PEDIT_MAX (__TCA_PEDIT_MAX - 1)
16
17struct tc_pedit_key {
18 __u32 mask; /* AND */
19 __u32 val; /*XOR */
20 __u32 off; /*offset */
21 __u32 at;
22 __u32 offmask;
23 __u32 shift;
24};
25
26struct tc_pedit_sel {
27 tc_gen;
28 unsigned char nkeys;
29 unsigned char flags;
30 struct tc_pedit_key keys[0];
31};
32#define tc_pedit tc_pedit_sel
33
34#endif
diff --git a/include/uapi/linux/tc_act/tc_skbedit.h b/include/uapi/linux/tc_act/tc_skbedit.h
new file mode 100644
index 000000000000..7a2e910a5f08
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_skbedit.h
@@ -0,0 +1,46 @@
1/*
2 * Copyright (c) 2008, Intel Corporation.
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms and conditions of the GNU General Public License,
6 * version 2, as published by the Free Software Foundation.
7 *
8 * This program is distributed in the hope it will be useful, but WITHOUT
9 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
11 * more details.
12 *
13 * You should have received a copy of the GNU General Public License along with
14 * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
15 * Place - Suite 330, Boston, MA 02111-1307 USA.
16 *
17 * Author: Alexander Duyck <alexander.h.duyck@intel.com>
18 */
19
20#ifndef __LINUX_TC_SKBEDIT_H
21#define __LINUX_TC_SKBEDIT_H
22
23#include <linux/pkt_cls.h>
24
25#define TCA_ACT_SKBEDIT 11
26
27#define SKBEDIT_F_PRIORITY 0x1
28#define SKBEDIT_F_QUEUE_MAPPING 0x2
29#define SKBEDIT_F_MARK 0x4
30
31struct tc_skbedit {
32 tc_gen;
33};
34
35enum {
36 TCA_SKBEDIT_UNSPEC,
37 TCA_SKBEDIT_TM,
38 TCA_SKBEDIT_PARMS,
39 TCA_SKBEDIT_PRIORITY,
40 TCA_SKBEDIT_QUEUE_MAPPING,
41 TCA_SKBEDIT_MARK,
42 __TCA_SKBEDIT_MAX
43};
44#define TCA_SKBEDIT_MAX (__TCA_SKBEDIT_MAX - 1)
45
46#endif
diff --git a/include/uapi/linux/tc_ematch/Kbuild b/include/uapi/linux/tc_ematch/Kbuild
index aafaa5aa54d4..53fca3925535 100644
--- a/include/uapi/linux/tc_ematch/Kbuild
+++ b/include/uapi/linux/tc_ematch/Kbuild
@@ -1 +1,5 @@
1# UAPI Header export list 1# UAPI Header export list
2header-y += tc_em_cmp.h
3header-y += tc_em_meta.h
4header-y += tc_em_nbyte.h
5header-y += tc_em_text.h
diff --git a/include/uapi/linux/tc_ematch/tc_em_cmp.h b/include/uapi/linux/tc_ematch/tc_em_cmp.h
new file mode 100644
index 000000000000..f34bb1bae083
--- /dev/null
+++ b/include/uapi/linux/tc_ematch/tc_em_cmp.h
@@ -0,0 +1,25 @@
1#ifndef __LINUX_TC_EM_CMP_H
2#define __LINUX_TC_EM_CMP_H
3
4#include <linux/types.h>
5#include <linux/pkt_cls.h>
6
7struct tcf_em_cmp {
8 __u32 val;
9 __u32 mask;
10 __u16 off;
11 __u8 align:4;
12 __u8 flags:4;
13 __u8 layer:4;
14 __u8 opnd:4;
15};
16
17enum {
18 TCF_EM_ALIGN_U8 = 1,
19 TCF_EM_ALIGN_U16 = 2,
20 TCF_EM_ALIGN_U32 = 4
21};
22
23#define TCF_EM_CMP_TRANS 1
24
25#endif
diff --git a/include/uapi/linux/tc_ematch/tc_em_meta.h b/include/uapi/linux/tc_ematch/tc_em_meta.h
new file mode 100644
index 000000000000..b11f8ce2d3c0
--- /dev/null
+++ b/include/uapi/linux/tc_ematch/tc_em_meta.h
@@ -0,0 +1,92 @@
1#ifndef __LINUX_TC_EM_META_H
2#define __LINUX_TC_EM_META_H
3
4#include <linux/types.h>
5#include <linux/pkt_cls.h>
6
7enum {
8 TCA_EM_META_UNSPEC,
9 TCA_EM_META_HDR,
10 TCA_EM_META_LVALUE,
11 TCA_EM_META_RVALUE,
12 __TCA_EM_META_MAX
13};
14#define TCA_EM_META_MAX (__TCA_EM_META_MAX - 1)
15
16struct tcf_meta_val {
17 __u16 kind;
18 __u8 shift;
19 __u8 op;
20};
21
22#define TCF_META_TYPE_MASK (0xf << 12)
23#define TCF_META_TYPE(kind) (((kind) & TCF_META_TYPE_MASK) >> 12)
24#define TCF_META_ID_MASK 0x7ff
25#define TCF_META_ID(kind) ((kind) & TCF_META_ID_MASK)
26
27enum {
28 TCF_META_TYPE_VAR,
29 TCF_META_TYPE_INT,
30 __TCF_META_TYPE_MAX
31};
32#define TCF_META_TYPE_MAX (__TCF_META_TYPE_MAX - 1)
33
34enum {
35 TCF_META_ID_VALUE,
36 TCF_META_ID_RANDOM,
37 TCF_META_ID_LOADAVG_0,
38 TCF_META_ID_LOADAVG_1,
39 TCF_META_ID_LOADAVG_2,
40 TCF_META_ID_DEV,
41 TCF_META_ID_PRIORITY,
42 TCF_META_ID_PROTOCOL,
43 TCF_META_ID_PKTTYPE,
44 TCF_META_ID_PKTLEN,
45 TCF_META_ID_DATALEN,
46 TCF_META_ID_MACLEN,
47 TCF_META_ID_NFMARK,
48 TCF_META_ID_TCINDEX,
49 TCF_META_ID_RTCLASSID,
50 TCF_META_ID_RTIIF,
51 TCF_META_ID_SK_FAMILY,
52 TCF_META_ID_SK_STATE,
53 TCF_META_ID_SK_REUSE,
54 TCF_META_ID_SK_BOUND_IF,
55 TCF_META_ID_SK_REFCNT,
56 TCF_META_ID_SK_SHUTDOWN,
57 TCF_META_ID_SK_PROTO,
58 TCF_META_ID_SK_TYPE,
59 TCF_META_ID_SK_RCVBUF,
60 TCF_META_ID_SK_RMEM_ALLOC,
61 TCF_META_ID_SK_WMEM_ALLOC,
62 TCF_META_ID_SK_OMEM_ALLOC,
63 TCF_META_ID_SK_WMEM_QUEUED,
64 TCF_META_ID_SK_RCV_QLEN,
65 TCF_META_ID_SK_SND_QLEN,
66 TCF_META_ID_SK_ERR_QLEN,
67 TCF_META_ID_SK_FORWARD_ALLOCS,
68 TCF_META_ID_SK_SNDBUF,
69 TCF_META_ID_SK_ALLOCS,
70 __TCF_META_ID_SK_ROUTE_CAPS, /* unimplemented but in ABI already */
71 TCF_META_ID_SK_HASH,
72 TCF_META_ID_SK_LINGERTIME,
73 TCF_META_ID_SK_ACK_BACKLOG,
74 TCF_META_ID_SK_MAX_ACK_BACKLOG,
75 TCF_META_ID_SK_PRIO,
76 TCF_META_ID_SK_RCVLOWAT,
77 TCF_META_ID_SK_RCVTIMEO,
78 TCF_META_ID_SK_SNDTIMEO,
79 TCF_META_ID_SK_SENDMSG_OFF,
80 TCF_META_ID_SK_WRITE_PENDING,
81 TCF_META_ID_VLAN_TAG,
82 TCF_META_ID_RXHASH,
83 __TCF_META_ID_MAX
84};
85#define TCF_META_ID_MAX (__TCF_META_ID_MAX - 1)
86
87struct tcf_meta_hdr {
88 struct tcf_meta_val left;
89 struct tcf_meta_val right;
90};
91
92#endif
diff --git a/include/uapi/linux/tc_ematch/tc_em_nbyte.h b/include/uapi/linux/tc_ematch/tc_em_nbyte.h
new file mode 100644
index 000000000000..7172cfb999c1
--- /dev/null
+++ b/include/uapi/linux/tc_ematch/tc_em_nbyte.h
@@ -0,0 +1,13 @@
1#ifndef __LINUX_TC_EM_NBYTE_H
2#define __LINUX_TC_EM_NBYTE_H
3
4#include <linux/types.h>
5#include <linux/pkt_cls.h>
6
7struct tcf_em_nbyte {
8 __u16 off;
9 __u16 len:12;
10 __u8 layer:4;
11};
12
13#endif
diff --git a/include/uapi/linux/tc_ematch/tc_em_text.h b/include/uapi/linux/tc_ematch/tc_em_text.h
new file mode 100644
index 000000000000..5aac4045ba88
--- /dev/null
+++ b/include/uapi/linux/tc_ematch/tc_em_text.h
@@ -0,0 +1,19 @@
1#ifndef __LINUX_TC_EM_TEXT_H
2#define __LINUX_TC_EM_TEXT_H
3
4#include <linux/types.h>
5#include <linux/pkt_cls.h>
6
7#define TC_EM_TEXT_ALGOSIZ 16
8
9struct tcf_em_text {
10 char algo[TC_EM_TEXT_ALGOSIZ];
11 __u16 from_offset;
12 __u16 to_offset;
13 __u16 pattern_len;
14 __u8 from_layer:4;
15 __u8 to_layer:4;
16 __u8 pad;
17};
18
19#endif
generated by cgit v1.2.2 (git 2.25.0) at 2026-05-14 10:15:18 -0400