Diffstat (limited to 'include')
-rw-r--r--include/linux/netfilter/Kbuild3
-rw-r--r--include/linux/netfilter/nf_conntrack_common.h4
-rw-r--r--include/linux/netfilter/nf_conntrack_tuple_common.h27
-rw-r--r--include/linux/netfilter/nf_nat.h25
-rw-r--r--include/linux/netfilter/nfnetlink.h3
-rw-r--r--include/linux/netfilter/nfnetlink_acct.h36
-rw-r--r--include/linux/netfilter/xt_CT.h3
-rw-r--r--include/linux/netfilter/xt_nfacct.h13
-rw-r--r--include/linux/netfilter/xt_rpfilter.h23
-rw-r--r--include/linux/netfilter_ipv4/Kbuild1
-rw-r--r--include/linux/netfilter_ipv4/nf_nat.h58
-rw-r--r--include/net/ip6_route.h2
-rw-r--r--include/net/netfilter/nf_conntrack_acct.h4
-rw-r--r--include/net/netfilter/nf_conntrack_expect.h1
-rw-r--r--include/net/netfilter/nf_conntrack_tuple.h1
-rw-r--r--include/net/netfilter/nf_nat.h10
-rw-r--r--include/net/netfilter/nf_nat_core.h2
-rw-r--r--include/net/netfilter/nf_nat_protocol.h17
18 files changed, 149 insertions, 84 deletions
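--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -5,7 +5,9 @@ header-y += nf_conntrack_ftp.h
 header-y += nf_conntrack_sctp.h
 header-y += nf_conntrack_tcp.h
 header-y += nf_conntrack_tuple_common.h
+header-y += nf_nat.h
 header-y += nfnetlink.h
+header-y += nfnetlink_acct.h
 header-y += nfnetlink_compat.h
 header-y += nfnetlink_conntrack.h
 header-y += nfnetlink_log.h
@@ -21,6 +23,7 @@ header-y += xt_DSCP.h
 header-y += xt_IDLETIMER.h
 header-y += xt_LED.h
 header-y += xt_MARK.h
+header-y += xt_nfacct.h
 header-y += xt_NFLOG.h
 header-y += xt_NFQUEUE.h
 header-y += xt_RATEEST.h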
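--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -83,6 +83,10 @@ enum ip_conntrack_status {
  /* Conntrack is a fake untracked entry */
  IPS_UNTRACKED_BIT = 12,
  IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
+
+ /* Conntrack has a userspace helper. */
+ IPS_USERSPACE_HELPER_BIT = 13,
+ IPS_USERSPACE_HELPER = (1 << IPS_USERSPACE_HELPER_BIT),
 };
 
 /* Connection tracking event types */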
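--- a/include/linux/netfilter/nf_conntrack_tuple_common.h
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
@@ -7,6 +7,33 @@ enum ip_conntrack_dir {
  IP_CT_DIR_MAX
 };
 
+/* The protocol-specific manipulable parts of the tuple: always in
+ * network order
+ */
+union nf_conntrack_man_proto {
+ /* Add other protocols here. */
+ __be16 all;
+
+ struct {
+ __be16 port;
+ } tcp;
+ struct {
+ __be16 port;
+ } udp;
+ struct {
+ __be16 id;
+ } icmp;
+ struct {
+ __be16 port;
+ } dccp;
+ struct {
+ __be16 port;
+ } sctp;
+ struct {
+ __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
+ } gre;
+};
+
 #define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
 
 #endif /* _NF_CONNTRACK_TUPLE_COMMON_H */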
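Review bot: The union moves into a header that the Kbuild change in this commit exports to userspace, and it uses `__be16`; the hunk does not show the top of the file, so if `<linux/types.h>` is not already included there, a userspace build that includes only this header fails on `__be16`. Worth adding `#include <linux/types.h>` above `enum ip_conntrack_dir` unless it is already present. The only per-member note carried over from the removed header is the GRE one; a one-line comment on `all` saying it aliases the 16-bit members of the other arms (`/* covers every 16-bit member below */`) would help readers of the exported header.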
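--- /dev/null
+++ b/include/linux/netfilter/nf_nat.h
@@ -0,0 +1,25 @@
+#ifndef _NETFILTER_NF_NAT_H
+#define _NETFILTER_NF_NAT_H
+
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+#define NF_NAT_RANGE_MAP_IPS 1
+#define NF_NAT_RANGE_PROTO_SPECIFIED 2
+#define NF_NAT_RANGE_PROTO_RANDOM 4
+#define NF_NAT_RANGE_PERSISTENT 8
+
+struct nf_nat_ipv4_range {
+ unsigned int flags;
+ __be32 min_ip;
+ __be32 max_ip;
+ union nf_conntrack_man_proto min;
+ union nf_conntrack_man_proto max;
+};
+
+struct nf_nat_ipv4_multi_range_compat {
+ unsigned int rangesize;
+ struct nf_nat_ipv4_range range[1];
+};
+
+#endif /* _NETFILTER_NF_NAT_H */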
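Review bot: Both structs lose the comments the removed include/linux/netfilter_ipv4/nf_nat.h carried, and those are the ones a caller needs: that `flags` is an OR of the `NF_NAT_RANGE_*` values above, that `min_ip`/`max_ip` and `min`/`max` are inclusive bounds in network byte order, and that `rangesize` in `nf_nat_ipv4_multi_range_compat` must be 1 with `range[1]` hanging off the end for backwards compatibility. Because this header is exported and the struct arrives from userspace inside a target's data, the `rangesize == 1` rule is also what the kernel-side check routine has to enforce, so stating it here keeps the contract visible. I'd restore them as `/* Set to OR of flags above. */` on `flags`, `/* Inclusive: network order. */` on both bound pairs, and `/* Must be 1. */` on `rangesize`.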
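--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -48,7 +48,8 @@ struct nfgenmsg {
 #define NFNL_SUBSYS_ULOG 4
 #define NFNL_SUBSYS_OSF 5
 #define NFNL_SUBSYS_IPSET 6
-#define NFNL_SUBSYS_COUNT 7
+#define NFNL_SUBSYS_ACCT 7
+#define NFNL_SUBSYS_COUNT 8
 
 #ifdef __KERNEL__
 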
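--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_acct.h
@@ -0,0 +1,36 @@
+#ifndef _NFNL_ACCT_H_
+#define _NFNL_ACCT_H_
+
+#ifndef NFACCT_NAME_MAX
+#define NFACCT_NAME_MAX 32
+#endif
+
+enum nfnl_acct_msg_types {
+ NFNL_MSG_ACCT_NEW,
+ NFNL_MSG_ACCT_GET,
+ NFNL_MSG_ACCT_GET_CTRZERO,
+ NFNL_MSG_ACCT_DEL,
+ NFNL_MSG_ACCT_MAX
+};
+
+enum nfnl_acct_type {
+ NFACCT_UNSPEC,
+ NFACCT_NAME,
+ NFACCT_PKTS,
+ NFACCT_BYTES,
+ NFACCT_USE,
+ __NFACCT_MAX
+};
+#define NFACCT_MAX (__NFACCT_MAX - 1)
+
+#ifdef __KERNEL__
+
+struct nf_acct;
+
+extern struct nf_acct *nfnl_acct_find_get(const char *filter_name);
+extern void nfnl_acct_put(struct nf_acct *acct);
+extern void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct);
+
+#endif /* __KERNEL__ */
+
+#endif /* _NFNL_ACCT_H */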
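Review bot: The closing guard comment on the last line reads `/* _NFNL_ACCT_H */` while the guard opened as `_NFNL_ACCT_H_`; change it to `#endif /* _NFNL_ACCT_H_ */`. `NFACCT_NAME_MAX` is wrapped in `#ifndef`, yet it fixes the size of `name[]` in the exported `xt_nfacct_match_info`, so an includer that predefines a different value silently changes the userspace/kernel struct layout; a plain `#define` looks safer unless the override is actually needed. The kernel prototypes also carry no contract: a comment that `nfnl_acct_find_get()` returns a referenced object the caller must release with `nfnl_acct_put()`, what it returns when no entry matches, and that `filter_name` must be NUL-terminated would make the get/put pairing explicit.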
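--- a/include/linux/netfilter/xt_CT.h
+++ b/include/linux/netfilter/xt_CT.h
@@ -3,7 +3,8 @@
 
 #include <linux/types.h>
 
 #define XT_CT_NOTRACK 0x1
+#define XT_CT_USERSPACE_HELPER 0x2
 
 struct xt_ct_target_info {
  __u16 flags;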
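Review bot: `flags` is filled in by userspace and there are now two defined bits but no mask, so unless the target's check routine already rejects bits outside `XT_CT_NOTRACK | XT_CT_USERSPACE_HELPER`, unknown bits are silently accepted and cannot be given a meaning later without changing behaviour for existing rules. The xt_rpfilter.h header added in this same commit defines `XT_RPFILTER_OPTION_MASK` under `#ifdef __KERNEL__` for exactly this purpose; the same pattern here, `#define XT_CT_MASK (XT_CT_NOTRACK | XT_CT_USERSPACE_HELPER)`, gives the check routine one place to validate against. `struct xt_ct_target_info` continues outside the hunk.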
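--- /dev/null
+++ b/include/linux/netfilter/xt_nfacct.h
@@ -0,0 +1,13 @@
+#ifndef _XT_NFACCT_MATCH_H
+#define _XT_NFACCT_MATCH_H
+
+#include <linux/netfilter/nfnetlink_acct.h>
+
+struct nf_acct;
+
+struct xt_nfacct_match_info {
+ char name[NFACCT_NAME_MAX];
+ struct nf_acct *nfacct;
+};
+
+#endif /* _XT_NFACCT_MATCH_H */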
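Review bot: `struct xt_nfacct_match_info` is userspace-visible but embeds a kernel pointer, `nfacct`, whose user-supplied value must never be trusted; nothing in the header says the kernel overwrites it at check time, and that contract belongs on the field (`/* kernel-private: set by the match at check time, userspace value is ignored */`). `name` is the lookup key handed to `nfnl_acct_find_get()` from the accounting header, so it has to be NUL-terminated within `NFACCT_NAME_MAX` before use; saying so on the field (`/* must be NUL-terminated */`) keeps that validation requirement visible to the check routine. Presumably the pointer's size also differs between 32-bit userspace and a 64-bit kernel, which other match-info structs handle by marking such pointers `__attribute__((aligned(8)))`; worth confirming the compat path before this layout is frozen as ABI.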
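--- /dev/null
+++ b/include/linux/netfilter/xt_rpfilter.h
@@ -0,0 +1,23 @@
+#ifndef _XT_RPATH_H
+#define _XT_RPATH_H
+
+#include <linux/types.h>
+
+enum {
+ XT_RPFILTER_LOOSE = 1 << 0,
+ XT_RPFILTER_VALID_MARK = 1 << 1,
+ XT_RPFILTER_ACCEPT_LOCAL = 1 << 2,
+ XT_RPFILTER_INVERT = 1 << 3,
+#ifdef __KERNEL__
+ XT_RPFILTER_OPTION_MASK = XT_RPFILTER_LOOSE |
+ XT_RPFILTER_VALID_MARK |
+ XT_RPFILTER_ACCEPT_LOCAL |
+ XT_RPFILTER_INVERT,
+#endif
+};
+
+struct xt_rpfilter_info {
+ __u8 flags;
+};
+
+#endif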
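Review bot: The include guard is `_XT_RPATH_H` while the file is xt_rpfilter.h and every other identifier uses the `XT_RPFILTER_` prefix; `_XT_RPFILTER_H` would match the file and avoid a clash should a separate rpath header ever appear. The four option bits have no comments, so a reader of the exported header cannot tell what LOOSE, VALID_MARK, ACCEPT_LOCAL or INVERT change; one line each would do. Keeping `XT_RPFILTER_OPTION_MASK` under `#ifdef __KERNEL__` reads as the set the match's check routine compares the userspace `flags` against, and a comment stating that intent (`/* kernel only: the flag bits accepted from userspace */`) would make it explicit.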
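--- a/include/linux/netfilter_ipv4/Kbuild
+++ b/include/linux/netfilter_ipv4/Kbuild
@@ -12,4 +12,3 @@ header-y += ipt_ah.h
 header-y += ipt_ecn.h
 header-y += ipt_realm.h
 header-y += ipt_ttl.h
-header-y += nf_nat.h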
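--- a/include/linux/netfilter_ipv4/nf_nat.h
+++ /dev/null
@@ -1,58 +0,0 @@
-#ifndef _LINUX_NF_NAT_H
-#define _LINUX_NF_NAT_H
-
-#include <linux/types.h>
-
-#define IP_NAT_RANGE_MAP_IPS 1
-#define IP_NAT_RANGE_PROTO_SPECIFIED 2
-#define IP_NAT_RANGE_PROTO_RANDOM 4
-#define IP_NAT_RANGE_PERSISTENT 8
-
-/* The protocol-specific manipulable parts of the tuple. */
-union nf_conntrack_man_proto {
- /* Add other protocols here. */
- __be16 all;
-
- struct {
- __be16 port;
- } tcp;
- struct {
- __be16 port;
- } udp;
- struct {
- __be16 id;
- } icmp;
- struct {
- __be16 port;
- } dccp;
- struct {
- __be16 port;
- } sctp;
- struct {
- __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
- } gre;
-};
-
-/* Single range specification. */
-struct nf_nat_range {
- /* Set to OR of flags above. */
- unsigned int flags;
-
- /* Inclusive: network order. */
- __be32 min_ip, max_ip;
-
- /* Inclusive: network order */
- union nf_conntrack_man_proto min, max;
-};
-
-/* For backwards compat: don't use in modern code. */
-struct nf_nat_multi_range_compat {
- unsigned int rangesize; /* Must be 1. */
-
- /* hangs off end. */
- struct nf_nat_range range[1];
-};
-
-#define nf_nat_multi_range nf_nat_multi_range_compat
-
-#endif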
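--- a/include/net/ip6_route.h
+++ b/include/net/ip6_route.h
@@ -70,6 +70,8 @@ extern void ip6_route_input(struct sk_buff *skb);
 extern struct dst_entry * ip6_route_output(struct net *net,
  const struct sock *sk,
  struct flowi6 *fl6);
+extern struct dst_entry * ip6_route_lookup(struct net *net,
+ struct flowi6 *fl6, int flags);
 
 extern int ip6_route_init(void);
 extern void ip6_route_cleanup(void);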
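Review bot: The new `ip6_route_lookup()` prototype documents neither which values `flags` accepts nor who owns the returned `dst_entry`; the neighbouring `ip6_route_output()` has the same gap, but a newly exported function is the place to close it. Presumably `flags` takes the route-lookup flag bits used by the other lookup helpers in this header and the caller must drop the returned reference; a two-line comment above the declaration stating exactly that, once confirmed against the implementation, would save the next caller a trip into the source.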
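--- a/include/net/netfilter/nf_conntrack_acct.h
+++ b/include/net/netfilter/nf_conntrack_acct.h
@@ -15,8 +15,8 @@
 #include <net/netfilter/nf_conntrack_extend.h>
 
 struct nf_conn_counter {
- u_int64_t packets;
- u_int64_t bytes;
+ atomic64_t packets;
+ atomic64_t bytes;
 };
 
 static inline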
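Review bot: `packets` and `bytes` become `atomic64_t`, but the hunk shows no include beyond `nf_conntrack_extend.h`; unless something already pulls in `<linux/atomic.h>`, this header now relies on an include it does not make itself. The type change also silently changes the read contract: any reader that used to read the fields as plain integers must now go through the atomic64 accessors, which the struct should state, e.g. `/* updated and read only via the atomic64_* helpers; never accessed as plain integers */` above the two fields. The `static inline` definition that begins on the last line of the hunk continues outside it.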
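--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -91,7 +91,6 @@ static inline void nf_ct_unlink_expect(struct nf_conntrack_expect *exp)
 
 void nf_ct_remove_expectations(struct nf_conn *ct);
 void nf_ct_unexpect_related(struct nf_conntrack_expect *exp);
-void nf_ct_remove_userspace_expectations(void);
 
 /* Allocate space for an expectation: this is mandatory before calling
  nf_ct_expect_related. You will have to call put afterwards. */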
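--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -12,7 +12,6 @@
 
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
-#include <linux/netfilter_ipv4/nf_nat.h>
 #include <linux/list_nulls.h>
 
 /* A `tuple' is a structure containing the information to uniquely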
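--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -1,14 +1,12 @@
 #ifndef _NF_NAT_H
 #define _NF_NAT_H
 #include <linux/netfilter_ipv4.h>
-#include <linux/netfilter_ipv4/nf_nat.h>
+#include <linux/netfilter/nf_nat.h>
 #include <net/netfilter/nf_conntrack_tuple.h>
 
-#define NF_NAT_MAPPING_TYPE_MAX_NAMELEN 16
-
 enum nf_nat_manip_type {
- IP_NAT_MANIP_SRC,
- IP_NAT_MANIP_DST
+ NF_NAT_MANIP_SRC,
+ NF_NAT_MANIP_DST
 };
 
 /* SRC manip occurs POST_ROUTING or LOCAL_IN */
@@ -52,7 +50,7 @@ struct nf_conn_nat {
 
 /* Set up the info structure to map into this range. */
 extern unsigned int nf_nat_setup_info(struct nf_conn *ct,
- const struct nf_nat_range *range,
+ const struct nf_nat_ipv4_range *range,
  enum nf_nat_manip_type maniptype);
 
 /* Is this tuple already taken? (not by us)*/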
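--- a/include/net/netfilter/nf_nat_core.h
+++ b/include/net/netfilter/nf_nat_core.h
@@ -20,7 +20,7 @@ extern int nf_nat_icmp_reply_translation(struct nf_conn *ct,
 static inline int nf_nat_initialized(struct nf_conn *ct,
  enum nf_nat_manip_type manip)
 {
- if (manip == IP_NAT_MANIP_SRC)
+ if (manip == NF_NAT_MANIP_SRC)
  return ct->status & IPS_SRC_NAT_DONE;
  else
  return ct->status & IPS_DST_NAT_DONE;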
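--- a/include/net/netfilter/nf_nat_protocol.h
+++ b/include/net/netfilter/nf_nat_protocol.h
@@ -4,14 +4,12 @@
 #include <net/netfilter/nf_nat.h>
 #include <linux/netfilter/nfnetlink_conntrack.h>
 
-struct nf_nat_range;
+struct nf_nat_ipv4_range;
 
 struct nf_nat_protocol {
  /* Protocol number. */
  unsigned int protonum;
 
- struct module *me;
-
  /* Translate a packet to the target according to manip type.
  Return true if succeeded. */
  bool (*manip_pkt)(struct sk_buff *skb,
@@ -30,15 +28,12 @@ struct nf_nat_protocol {
  possible. Per-protocol part of tuple is initialized to the
  incoming packet. */
  void (*unique_tuple)(struct nf_conntrack_tuple *tuple,
- const struct nf_nat_range *range,
+ const struct nf_nat_ipv4_range *range,
  enum nf_nat_manip_type maniptype,
  const struct nf_conn *ct);
 
- int (*range_to_nlattr)(struct sk_buff *skb,
- const struct nf_nat_range *range);
-
  int (*nlattr_to_range)(struct nlattr *tb[],
- struct nf_nat_range *range);
+ struct nf_nat_ipv4_range *range);
 };
 
 /* Protocol registration. */
@@ -61,14 +56,12 @@ extern bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple,
  const union nf_conntrack_man_proto *max);
 
 extern void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
- const struct nf_nat_range *range,
+ const struct nf_nat_ipv4_range *range,
  enum nf_nat_manip_type maniptype,
  const struct nf_conn *ct,
  u_int16_t *rover);
 
-extern int nf_nat_proto_range_to_nlattr(struct sk_buff *skb,
- const struct nf_nat_range *range);
 extern int nf_nat_proto_nlattr_to_range(struct nlattr *tb[],
- struct nf_nat_ipv4_range *range);
+ struct nf_nat_ipv4_range *range);
 
 #endif /*_NF_NAT_PROTO_H*/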
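Review bot: Dropping `struct module *me` from `nf_nat_protocol` in the first hunk removes the owner field that lets the core pin a protocol module while its callbacks are in use; if the registration code no longer holds a module reference some other way, unloading a protocol module while a mapping is being set up could race — presumably handled elsewhere in this series, but it is not visible here. In the second hunk every remaining callback carries a comment except `nlattr_to_range`, which now parses a netlink-supplied `nlattr tb[]` into an `nf_nat_ipv4_range`; a line stating its return convention and that it must validate the attributes it reads before filling the range would match the documentation on `manip_pkt` and `unique_tuple`.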