aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
Diffstat (limited to 'include')
-rw-r--r--include/linux/netfilter.h76
-rw-r--r--include/linux/netfilter/nf_conntrack_dccp.h40
-rw-r--r--include/linux/netfilter/nfnetlink_conntrack.h8
-rw-r--r--include/linux/netfilter/x_tables.h4
-rw-r--r--include/linux/netfilter/xt_sctp.h84
-rw-r--r--include/linux/netfilter_arp/arp_tables.h17
-rw-r--r--include/linux/netfilter_bridge/ebt_nflog.h21
-rw-r--r--include/linux/netfilter_ipv4.h2
-rw-r--r--include/net/netfilter/nf_conntrack.h32
-rw-r--r--include/net/netfilter/nf_conntrack_core.h4
-rw-r--r--include/net/netfilter/nf_conntrack_l3proto.h19
-rw-r--r--include/net/netfilter/nf_conntrack_l4proto.h13
-rw-r--r--include/net/netfilter/nf_conntrack_tuple.h47
-rw-r--r--include/net/netfilter/nf_nat_helper.h3
-rw-r--r--include/net/netfilter/nf_nat_protocol.h46
-rw-r--r--include/net/netfilter/nf_nat_rule.h3
16 files changed, 273 insertions, 146 deletions
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 89e6c72ad295..e4c66593b5c6 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -6,11 +6,13 @@
6#include <linux/types.h> 6#include <linux/types.h>
7#include <linux/skbuff.h> 7#include <linux/skbuff.h>
8#include <linux/net.h> 8#include <linux/net.h>
9#include <linux/netdevice.h>
9#include <linux/if.h> 10#include <linux/if.h>
10#include <linux/in.h> 11#include <linux/in.h>
11#include <linux/in6.h> 12#include <linux/in6.h>
12#include <linux/wait.h> 13#include <linux/wait.h>
13#include <linux/list.h> 14#include <linux/list.h>
15#include <net/net_namespace.h>
14#endif 16#endif
15#include <linux/compiler.h> 17#include <linux/compiler.h>
16 18
@@ -76,7 +78,6 @@ extern void netfilter_init(void);
76#define NF_MAX_HOOKS 8 78#define NF_MAX_HOOKS 8
77 79
78struct sk_buff; 80struct sk_buff;
79struct net_device;
80 81
81typedef unsigned int nf_hookfn(unsigned int hooknum, 82typedef unsigned int nf_hookfn(unsigned int hooknum,
82 struct sk_buff *skb, 83 struct sk_buff *skb,
@@ -233,6 +234,11 @@ struct nf_afinfo {
233 unsigned short family; 234 unsigned short family;
234 __sum16 (*checksum)(struct sk_buff *skb, unsigned int hook, 235 __sum16 (*checksum)(struct sk_buff *skb, unsigned int hook,
235 unsigned int dataoff, u_int8_t protocol); 236 unsigned int dataoff, u_int8_t protocol);
237 __sum16 (*checksum_partial)(struct sk_buff *skb,
238 unsigned int hook,
239 unsigned int dataoff,
240 unsigned int len,
241 u_int8_t protocol);
236 int (*route)(struct dst_entry **dst, struct flowi *fl); 242 int (*route)(struct dst_entry **dst, struct flowi *fl);
237 void (*saveroute)(const struct sk_buff *skb, 243 void (*saveroute)(const struct sk_buff *skb,
238 struct nf_queue_entry *entry); 244 struct nf_queue_entry *entry);
@@ -262,6 +268,23 @@ nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff,
262 return csum; 268 return csum;
263} 269}
264 270
271static inline __sum16
272nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
273 unsigned int dataoff, unsigned int len,
274 u_int8_t protocol, unsigned short family)
275{
276 const struct nf_afinfo *afinfo;
277 __sum16 csum = 0;
278
279 rcu_read_lock();
280 afinfo = nf_get_afinfo(family);
281 if (afinfo)
282 csum = afinfo->checksum_partial(skb, hook, dataoff, len,
283 protocol);
284 rcu_read_unlock();
285 return csum;
286}
287
265extern int nf_register_afinfo(const struct nf_afinfo *afinfo); 288extern int nf_register_afinfo(const struct nf_afinfo *afinfo);
266extern void nf_unregister_afinfo(const struct nf_afinfo *afinfo); 289extern void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
267 290
@@ -320,5 +343,56 @@ extern void (*nf_ct_destroy)(struct nf_conntrack *);
320static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} 343static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
321#endif 344#endif
322 345
346static inline struct net *nf_pre_routing_net(const struct net_device *in,
347 const struct net_device *out)
348{
349#ifdef CONFIG_NET_NS
350 return in->nd_net;
351#else
352 return &init_net;
353#endif
354}
355
356static inline struct net *nf_local_in_net(const struct net_device *in,
357 const struct net_device *out)
358{
359#ifdef CONFIG_NET_NS
360 return in->nd_net;
361#else
362 return &init_net;
363#endif
364}
365
366static inline struct net *nf_forward_net(const struct net_device *in,
367 const struct net_device *out)
368{
369#ifdef CONFIG_NET_NS
370 BUG_ON(in->nd_net != out->nd_net);
371 return in->nd_net;
372#else
373 return &init_net;
374#endif
375}
376
377static inline struct net *nf_local_out_net(const struct net_device *in,
378 const struct net_device *out)
379{
380#ifdef CONFIG_NET_NS
381 return out->nd_net;
382#else
383 return &init_net;
384#endif
385}
386
387static inline struct net *nf_post_routing_net(const struct net_device *in,
388 const struct net_device *out)
389{
390#ifdef CONFIG_NET_NS
391 return out->nd_net;
392#else
393 return &init_net;
394#endif
395}
396
323#endif /*__KERNEL__*/ 397#endif /*__KERNEL__*/
324#endif /*__LINUX_NETFILTER_H*/ 398#endif /*__LINUX_NETFILTER_H*/
diff --git a/include/linux/netfilter/nf_conntrack_dccp.h b/include/linux/netfilter/nf_conntrack_dccp.h
new file mode 100644
index 000000000000..40dcc82058d1
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_dccp.h
@@ -0,0 +1,40 @@
1#ifndef _NF_CONNTRACK_DCCP_H
2#define _NF_CONNTRACK_DCCP_H
3
4/* Exposed to userspace over nfnetlink */
5enum ct_dccp_states {
6 CT_DCCP_NONE,
7 CT_DCCP_REQUEST,
8 CT_DCCP_RESPOND,
9 CT_DCCP_PARTOPEN,
10 CT_DCCP_OPEN,
11 CT_DCCP_CLOSEREQ,
12 CT_DCCP_CLOSING,
13 CT_DCCP_TIMEWAIT,
14 CT_DCCP_IGNORE,
15 CT_DCCP_INVALID,
16 __CT_DCCP_MAX
17};
18#define CT_DCCP_MAX (__CT_DCCP_MAX - 1)
19
20enum ct_dccp_roles {
21 CT_DCCP_ROLE_CLIENT,
22 CT_DCCP_ROLE_SERVER,
23 __CT_DCCP_ROLE_MAX
24};
25#define CT_DCCP_ROLE_MAX (__CT_DCCP_ROLE_MAX - 1)
26
27#ifdef __KERNEL__
28#include <net/netfilter/nf_conntrack_tuple.h>
29
30struct nf_ct_dccp {
31 u_int8_t role[IP_CT_DIR_MAX];
32 u_int8_t state;
33 u_int8_t last_pkt;
34 u_int8_t last_dir;
35 u_int64_t handshake_seq;
36};
37
38#endif /* __KERNEL__ */
39
40#endif /* _NF_CONNTRACK_DCCP_H */
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index e3e1533aba2d..0a383ac083cb 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -80,6 +80,7 @@ enum ctattr_l4proto {
80enum ctattr_protoinfo { 80enum ctattr_protoinfo {
81 CTA_PROTOINFO_UNSPEC, 81 CTA_PROTOINFO_UNSPEC,
82 CTA_PROTOINFO_TCP, 82 CTA_PROTOINFO_TCP,
83 CTA_PROTOINFO_DCCP,
83 __CTA_PROTOINFO_MAX 84 __CTA_PROTOINFO_MAX
84}; 85};
85#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1) 86#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
@@ -95,6 +96,13 @@ enum ctattr_protoinfo_tcp {
95}; 96};
96#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1) 97#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1)
97 98
99enum ctattr_protoinfo_dccp {
100 CTA_PROTOINFO_DCCP_UNSPEC,
101 CTA_PROTOINFO_DCCP_STATE,
102 __CTA_PROTOINFO_DCCP_MAX,
103};
104#define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
105
98enum ctattr_counters { 106enum ctattr_counters {
99 CTA_COUNTERS_UNSPEC, 107 CTA_COUNTERS_UNSPEC,
100 CTA_COUNTERS_PACKETS, /* old 64bit counters */ 108 CTA_COUNTERS_PACKETS, /* old 64bit counters */
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b2c62cc618f5..2326296b6f25 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -430,13 +430,13 @@ extern int xt_compat_add_offset(int af, unsigned int offset, short delta);
430extern void xt_compat_flush_offsets(int af); 430extern void xt_compat_flush_offsets(int af);
431extern short xt_compat_calc_jump(int af, unsigned int offset); 431extern short xt_compat_calc_jump(int af, unsigned int offset);
432 432
433extern int xt_compat_match_offset(struct xt_match *match); 433extern int xt_compat_match_offset(const struct xt_match *match);
434extern int xt_compat_match_from_user(struct xt_entry_match *m, 434extern int xt_compat_match_from_user(struct xt_entry_match *m,
435 void **dstptr, unsigned int *size); 435 void **dstptr, unsigned int *size);
436extern int xt_compat_match_to_user(struct xt_entry_match *m, 436extern int xt_compat_match_to_user(struct xt_entry_match *m,
437 void __user **dstptr, unsigned int *size); 437 void __user **dstptr, unsigned int *size);
438 438
439extern int xt_compat_target_offset(struct xt_target *target); 439extern int xt_compat_target_offset(const struct xt_target *target);
440extern void xt_compat_target_from_user(struct xt_entry_target *t, 440extern void xt_compat_target_from_user(struct xt_entry_target *t,
441 void **dstptr, unsigned int *size); 441 void **dstptr, unsigned int *size);
442extern int xt_compat_target_to_user(struct xt_entry_target *t, 442extern int xt_compat_target_to_user(struct xt_entry_target *t,
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
index dd5a4fd4cfd3..32000ba6ecef 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/linux/netfilter/xt_sctp.h
@@ -37,68 +37,54 @@ struct xt_sctp_info {
37 37
38#define SCTP_CHUNKMAP_SET(chunkmap, type) \ 38#define SCTP_CHUNKMAP_SET(chunkmap, type) \
39 do { \ 39 do { \
40 chunkmap[type / bytes(u_int32_t)] |= \ 40 (chunkmap)[type / bytes(u_int32_t)] |= \
41 1 << (type % bytes(u_int32_t)); \ 41 1 << (type % bytes(u_int32_t)); \
42 } while (0) 42 } while (0)
43 43
44#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ 44#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
45 do { \ 45 do { \
46 chunkmap[type / bytes(u_int32_t)] &= \ 46 (chunkmap)[type / bytes(u_int32_t)] &= \
47 ~(1 << (type % bytes(u_int32_t))); \ 47 ~(1 << (type % bytes(u_int32_t))); \
48 } while (0) 48 } while (0)
49 49
50#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ 50#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
51({ \ 51({ \
52 (chunkmap[type / bytes (u_int32_t)] & \ 52 ((chunkmap)[type / bytes (u_int32_t)] & \
53 (1 << (type % bytes (u_int32_t)))) ? 1: 0; \ 53 (1 << (type % bytes (u_int32_t)))) ? 1: 0; \
54}) 54})
55 55
56#define SCTP_CHUNKMAP_RESET(chunkmap) \ 56#define SCTP_CHUNKMAP_RESET(chunkmap) \
57 do { \ 57 memset((chunkmap), 0, sizeof(chunkmap))
58 int i; \ 58
59 for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \ 59#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
60 chunkmap[i] = 0; \ 60 memset((chunkmap), ~0U, sizeof(chunkmap))
61 } while (0) 61
62 62#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
63#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \ 63 memcpy((destmap), (srcmap), sizeof(srcmap))
64 do { \ 64
65 int i; \ 65#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
66 for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \ 66 __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap))
67 chunkmap[i] = ~0; \ 67static inline bool
68 } while (0) 68__sctp_chunkmap_is_clear(const u_int32_t *chunkmap, unsigned int n)
69 69{
70#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \ 70 unsigned int i;
71 do { \ 71 for (i = 0; i < n; ++i)
72 int i; \ 72 if (chunkmap[i])
73 for (i = 0; i < ARRAY_SIZE(srcmap); i++) \ 73 return false;
74 destmap[i] = srcmap[i]; \ 74 return true;
75 } while (0) 75}
76 76
77#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \ 77#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
78({ \ 78 __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
79 int i; \ 79static inline bool
80 int flag = 1; \ 80__sctp_chunkmap_is_all_set(const u_int32_t *chunkmap, unsigned int n)
81 for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \ 81{
82 if (chunkmap[i]) { \ 82 unsigned int i;
83 flag = 0; \ 83 for (i = 0; i < n; ++i)
84 break; \ 84 if (chunkmap[i] != ~0U)
85 } \ 85 return false;
86 } \ 86 return true;
87 flag; \ 87}
88})
89
90#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
91({ \
92 int i; \
93 int flag = 1; \
94 for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \
95 if (chunkmap[i] != ~0) { \
96 flag = 0; \
97 break; \
98 } \
99 } \
100 flag; \
101})
102 88
103#endif /* _XT_SCTP_H_ */ 89#endif /* _XT_SCTP_H_ */
104 90
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index db223ca92c8b..dd9c97f2d436 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -23,8 +23,6 @@
23 23
24#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN 24#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
25#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN 25#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
26#define arpt_target xt_target
27#define arpt_table xt_table
28 26
29#define ARPT_DEV_ADDR_LEN_MAX 16 27#define ARPT_DEV_ADDR_LEN_MAX 16
30 28
@@ -266,20 +264,15 @@ struct arpt_error
266 .target.errorname = "ERROR", \ 264 .target.errorname = "ERROR", \
267} 265}
268 266
269#define arpt_register_target(tgt) \ 267extern struct xt_table *arpt_register_table(struct net *net,
270({ (tgt)->family = NF_ARP; \ 268 struct xt_table *table,
271 xt_register_target(tgt); }) 269 const struct arpt_replace *repl);
272#define arpt_unregister_target(tgt) xt_unregister_target(tgt) 270extern void arpt_unregister_table(struct xt_table *table);
273
274extern struct arpt_table *arpt_register_table(struct net *net,
275 struct arpt_table *table,
276 const struct arpt_replace *repl);
277extern void arpt_unregister_table(struct arpt_table *table);
278extern unsigned int arpt_do_table(struct sk_buff *skb, 271extern unsigned int arpt_do_table(struct sk_buff *skb,
279 unsigned int hook, 272 unsigned int hook,
280 const struct net_device *in, 273 const struct net_device *in,
281 const struct net_device *out, 274 const struct net_device *out,
282 struct arpt_table *table); 275 struct xt_table *table);
283 276
284#define ARPT_ALIGN(s) XT_ALIGN(s) 277#define ARPT_ALIGN(s) XT_ALIGN(s)
285 278
diff --git a/include/linux/netfilter_bridge/ebt_nflog.h b/include/linux/netfilter_bridge/ebt_nflog.h
new file mode 100644
index 000000000000..052817849b83
--- /dev/null
+++ b/include/linux/netfilter_bridge/ebt_nflog.h
@@ -0,0 +1,21 @@
1#ifndef __LINUX_BRIDGE_EBT_NFLOG_H
2#define __LINUX_BRIDGE_EBT_NFLOG_H
3
4#define EBT_NFLOG_MASK 0x0
5
6#define EBT_NFLOG_PREFIX_SIZE 64
7#define EBT_NFLOG_WATCHER "nflog"
8
9#define EBT_NFLOG_DEFAULT_GROUP 0x1
10#define EBT_NFLOG_DEFAULT_THRESHOLD 1
11
12struct ebt_nflog_info {
13 u_int32_t len;
14 u_int16_t group;
15 u_int16_t threshold;
16 u_int16_t flags;
17 u_int16_t pad;
18 char prefix[EBT_NFLOG_PREFIX_SIZE];
19};
20
21#endif /* __LINUX_BRIDGE_EBT_NFLOG_H */
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 9a10092e358c..650318b0c405 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -62,8 +62,6 @@ enum nf_ip_hook_priorities {
62 NF_IP_PRI_FILTER = 0, 62 NF_IP_PRI_FILTER = 0,
63 NF_IP_PRI_NAT_SRC = 100, 63 NF_IP_PRI_NAT_SRC = 100,
64 NF_IP_PRI_SELINUX_LAST = 225, 64 NF_IP_PRI_SELINUX_LAST = 225,
65 NF_IP_PRI_CONNTRACK_HELPER = INT_MAX - 2,
66 NF_IP_PRI_NAT_SEQ_ADJUST = INT_MAX - 1,
67 NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, 65 NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
68 NF_IP_PRI_LAST = INT_MAX, 66 NF_IP_PRI_LAST = INT_MAX,
69}; 67};
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index a3567a7a6d67..2dbd6c015b94 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -20,6 +20,7 @@
20#include <asm/atomic.h> 20#include <asm/atomic.h>
21 21
22#include <linux/netfilter/nf_conntrack_tcp.h> 22#include <linux/netfilter/nf_conntrack_tcp.h>
23#include <linux/netfilter/nf_conntrack_dccp.h>
23#include <linux/netfilter/nf_conntrack_sctp.h> 24#include <linux/netfilter/nf_conntrack_sctp.h>
24#include <linux/netfilter/nf_conntrack_proto_gre.h> 25#include <linux/netfilter/nf_conntrack_proto_gre.h>
25#include <net/netfilter/ipv4/nf_conntrack_icmp.h> 26#include <net/netfilter/ipv4/nf_conntrack_icmp.h>
@@ -30,6 +31,7 @@
30/* per conntrack: protocol private data */ 31/* per conntrack: protocol private data */
31union nf_conntrack_proto { 32union nf_conntrack_proto {
32 /* insert conntrack proto private data here */ 33 /* insert conntrack proto private data here */
34 struct nf_ct_dccp dccp;
33 struct ip_ct_sctp sctp; 35 struct ip_ct_sctp sctp;
34 struct ip_ct_tcp tcp; 36 struct ip_ct_tcp tcp;
35 struct ip_ct_icmp icmp; 37 struct ip_ct_icmp icmp;
@@ -63,14 +65,7 @@ union nf_conntrack_help {
63#include <linux/timer.h> 65#include <linux/timer.h>
64 66
65#ifdef CONFIG_NETFILTER_DEBUG 67#ifdef CONFIG_NETFILTER_DEBUG
66#define NF_CT_ASSERT(x) \ 68#define NF_CT_ASSERT(x) WARN_ON(!(x))
67do { \
68 if (!(x)) \
69 /* Wooah! I'm tripping my conntrack in a frenzy of \
70 netplay... */ \
71 printk("NF_CT_ASSERT: %s:%i(%s)\n", \
72 __FILE__, __LINE__, __FUNCTION__); \
73} while(0)
74#else 69#else
75#define NF_CT_ASSERT(x) 70#define NF_CT_ASSERT(x)
76#endif 71#endif
@@ -145,6 +140,16 @@ nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
145 tuplehash[hash->tuple.dst.dir]); 140 tuplehash[hash->tuple.dst.dir]);
146} 141}
147 142
143static inline u_int16_t nf_ct_l3num(const struct nf_conn *ct)
144{
145 return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
146}
147
148static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct)
149{
150 return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
151}
152
148/* get master conntrack via master expectation */ 153/* get master conntrack via master expectation */
149#define master_ct(conntr) (conntr->master) 154#define master_ct(conntr) (conntr->master)
150 155
@@ -189,12 +194,11 @@ extern void nf_conntrack_hash_insert(struct nf_conn *ct);
189 194
190extern void nf_conntrack_flush(void); 195extern void nf_conntrack_flush(void);
191 196
192extern int nf_ct_get_tuplepr(const struct sk_buff *skb, 197extern bool nf_ct_get_tuplepr(const struct sk_buff *skb,
193 unsigned int nhoff, 198 unsigned int nhoff, u_int16_t l3num,
194 u_int16_t l3num, 199 struct nf_conntrack_tuple *tuple);
195 struct nf_conntrack_tuple *tuple); 200extern bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
196extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, 201 const struct nf_conntrack_tuple *orig);
197 const struct nf_conntrack_tuple *orig);
198 202
199extern void __nf_ct_refresh_acct(struct nf_conn *ct, 203extern void __nf_ct_refresh_acct(struct nf_conn *ct,
200 enum ip_conntrack_info ctinfo, 204 enum ip_conntrack_info ctinfo,
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 9ee26469c759..a81771210934 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -30,7 +30,7 @@ extern void nf_conntrack_cleanup(void);
30extern int nf_conntrack_proto_init(void); 30extern int nf_conntrack_proto_init(void);
31extern void nf_conntrack_proto_fini(void); 31extern void nf_conntrack_proto_fini(void);
32 32
33extern int 33extern bool
34nf_ct_get_tuple(const struct sk_buff *skb, 34nf_ct_get_tuple(const struct sk_buff *skb,
35 unsigned int nhoff, 35 unsigned int nhoff,
36 unsigned int dataoff, 36 unsigned int dataoff,
@@ -40,7 +40,7 @@ nf_ct_get_tuple(const struct sk_buff *skb,
40 const struct nf_conntrack_l3proto *l3proto, 40 const struct nf_conntrack_l3proto *l3proto,
41 const struct nf_conntrack_l4proto *l4proto); 41 const struct nf_conntrack_l4proto *l4proto);
42 42
43extern int 43extern bool
44nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, 44nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
45 const struct nf_conntrack_tuple *orig, 45 const struct nf_conntrack_tuple *orig,
46 const struct nf_conntrack_l3proto *l3proto, 46 const struct nf_conntrack_l3proto *l3proto,
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index b886e3ae6cad..0378676c3dd8 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -28,31 +28,20 @@ struct nf_conntrack_l3proto
28 * Try to fill in the third arg: nhoff is offset of l3 proto 28 * Try to fill in the third arg: nhoff is offset of l3 proto
29 * hdr. Return true if possible. 29 * hdr. Return true if possible.
30 */ 30 */
31 int (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int nhoff, 31 bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int nhoff,
32 struct nf_conntrack_tuple *tuple); 32 struct nf_conntrack_tuple *tuple);
33 33
34 /* 34 /*
35 * Invert the per-proto part of the tuple: ie. turn xmit into reply. 35 * Invert the per-proto part of the tuple: ie. turn xmit into reply.
36 * Some packets can't be inverted: return 0 in that case. 36 * Some packets can't be inverted: return 0 in that case.
37 */ 37 */
38 int (*invert_tuple)(struct nf_conntrack_tuple *inverse, 38 bool (*invert_tuple)(struct nf_conntrack_tuple *inverse,
39 const struct nf_conntrack_tuple *orig); 39 const struct nf_conntrack_tuple *orig);
40 40
41 /* Print out the per-protocol part of the tuple. */ 41 /* Print out the per-protocol part of the tuple. */
42 int (*print_tuple)(struct seq_file *s, 42 int (*print_tuple)(struct seq_file *s,
43 const struct nf_conntrack_tuple *); 43 const struct nf_conntrack_tuple *);
44 44
45 /* Returns verdict for packet, or -1 for invalid. */
46 int (*packet)(struct nf_conn *ct,
47 const struct sk_buff *skb,
48 enum ip_conntrack_info ctinfo);
49
50 /*
51 * Called when a new connection for this protocol found;
52 * returns TRUE if it's OK. If so, packet() called next.
53 */
54 int (*new)(struct nf_conn *ct, const struct sk_buff *skb);
55
56 /* 45 /*
57 * Called before tracking. 46 * Called before tracking.
58 * *dataoff: offset of protocol header (TCP, UDP,...) in skb 47 * *dataoff: offset of protocol header (TCP, UDP,...) in skb
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index efc16eccddb1..723df9d1cc35 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -25,15 +25,14 @@ struct nf_conntrack_l4proto
25 25
26 /* Try to fill in the third arg: dataoff is offset past network protocol 26 /* Try to fill in the third arg: dataoff is offset past network protocol
27 hdr. Return true if possible. */ 27 hdr. Return true if possible. */
28 int (*pkt_to_tuple)(const struct sk_buff *skb, 28 bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff,
29 unsigned int dataoff, 29 struct nf_conntrack_tuple *tuple);
30 struct nf_conntrack_tuple *tuple);
31 30
32 /* Invert the per-proto part of the tuple: ie. turn xmit into reply. 31 /* Invert the per-proto part of the tuple: ie. turn xmit into reply.
33 * Some packets can't be inverted: return 0 in that case. 32 * Some packets can't be inverted: return 0 in that case.
34 */ 33 */
35 int (*invert_tuple)(struct nf_conntrack_tuple *inverse, 34 bool (*invert_tuple)(struct nf_conntrack_tuple *inverse,
36 const struct nf_conntrack_tuple *orig); 35 const struct nf_conntrack_tuple *orig);
37 36
38 /* Returns verdict for packet, or -1 for invalid. */ 37 /* Returns verdict for packet, or -1 for invalid. */
39 int (*packet)(struct nf_conn *ct, 38 int (*packet)(struct nf_conn *ct,
@@ -45,8 +44,8 @@ struct nf_conntrack_l4proto
45 44
46 /* Called when a new connection for this protocol found; 45 /* Called when a new connection for this protocol found;
47 * returns TRUE if it's OK. If so, packet() called next. */ 46 * returns TRUE if it's OK. If so, packet() called next. */
48 int (*new)(struct nf_conn *ct, const struct sk_buff *skb, 47 bool (*new)(struct nf_conn *ct, const struct sk_buff *skb,
49 unsigned int dataoff); 48 unsigned int dataoff);
50 49
51 /* Called when a conntrack entry is destroyed */ 50 /* Called when a conntrack entry is destroyed */
52 void (*destroy)(struct nf_conn *ct); 51 void (*destroy)(struct nf_conn *ct);
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index 168c91754d89..1bb7087833d3 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -41,6 +41,9 @@ union nf_conntrack_man_proto
41 } icmp; 41 } icmp;
42 struct { 42 struct {
43 __be16 port; 43 __be16 port;
44 } dccp;
45 struct {
46 __be16 port;
44 } sctp; 47 } sctp;
45 struct { 48 struct {
46 __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */ 49 __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
@@ -79,6 +82,9 @@ struct nf_conntrack_tuple
79 } icmp; 82 } icmp;
80 struct { 83 struct {
81 __be16 port; 84 __be16 port;
85 } dccp;
86 struct {
87 __be16 port;
82 } sctp; 88 } sctp;
83 struct { 89 struct {
84 __be16 key; 90 __be16 key;
@@ -145,8 +151,6 @@ static inline void nf_ct_dump_tuple(const struct nf_conntrack_tuple *t)
145 } 151 }
146} 152}
147 153
148#define NF_CT_DUMP_TUPLE(tp) nf_ct_dump_tuple(tp)
149
150/* If we're the first tuple, it's the original dir. */ 154/* If we're the first tuple, it's the original dir. */
151#define NF_CT_DIRECTION(h) \ 155#define NF_CT_DIRECTION(h) \
152 ((enum ip_conntrack_dir)(h)->tuple.dst.dir) 156 ((enum ip_conntrack_dir)(h)->tuple.dst.dir)
@@ -160,61 +164,64 @@ struct nf_conntrack_tuple_hash
160 164
161#endif /* __KERNEL__ */ 165#endif /* __KERNEL__ */
162 166
163static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1, 167static inline bool __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
164 const struct nf_conntrack_tuple *t2) 168 const struct nf_conntrack_tuple *t2)
165{ 169{
166 return (nf_inet_addr_cmp(&t1->src.u3, &t2->src.u3) && 170 return (nf_inet_addr_cmp(&t1->src.u3, &t2->src.u3) &&
167 t1->src.u.all == t2->src.u.all && 171 t1->src.u.all == t2->src.u.all &&
168 t1->src.l3num == t2->src.l3num); 172 t1->src.l3num == t2->src.l3num);
169} 173}
170 174
171static inline int __nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1, 175static inline bool __nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
172 const struct nf_conntrack_tuple *t2) 176 const struct nf_conntrack_tuple *t2)
173{ 177{
174 return (nf_inet_addr_cmp(&t1->dst.u3, &t2->dst.u3) && 178 return (nf_inet_addr_cmp(&t1->dst.u3, &t2->dst.u3) &&
175 t1->dst.u.all == t2->dst.u.all && 179 t1->dst.u.all == t2->dst.u.all &&
176 t1->dst.protonum == t2->dst.protonum); 180 t1->dst.protonum == t2->dst.protonum);
177} 181}
178 182
179static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1, 183static inline bool nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
180 const struct nf_conntrack_tuple *t2) 184 const struct nf_conntrack_tuple *t2)
181{ 185{
182 return __nf_ct_tuple_src_equal(t1, t2) && 186 return __nf_ct_tuple_src_equal(t1, t2) &&
183 __nf_ct_tuple_dst_equal(t1, t2); 187 __nf_ct_tuple_dst_equal(t1, t2);
184} 188}
185 189
186static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1, 190static inline bool
187 const struct nf_conntrack_tuple_mask *m2) 191nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
192 const struct nf_conntrack_tuple_mask *m2)
188{ 193{
189 return (nf_inet_addr_cmp(&m1->src.u3, &m2->src.u3) && 194 return (nf_inet_addr_cmp(&m1->src.u3, &m2->src.u3) &&
190 m1->src.u.all == m2->src.u.all); 195 m1->src.u.all == m2->src.u.all);
191} 196}
192 197
193static inline int nf_ct_tuple_src_mask_cmp(const struct nf_conntrack_tuple *t1, 198static inline bool
194 const struct nf_conntrack_tuple *t2, 199nf_ct_tuple_src_mask_cmp(const struct nf_conntrack_tuple *t1,
195 const struct nf_conntrack_tuple_mask *mask) 200 const struct nf_conntrack_tuple *t2,
201 const struct nf_conntrack_tuple_mask *mask)
196{ 202{
197 int count; 203 int count;
198 204
199 for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) { 205 for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) {
200 if ((t1->src.u3.all[count] ^ t2->src.u3.all[count]) & 206 if ((t1->src.u3.all[count] ^ t2->src.u3.all[count]) &
201 mask->src.u3.all[count]) 207 mask->src.u3.all[count])
202 return 0; 208 return false;
203 } 209 }
204 210
205 if ((t1->src.u.all ^ t2->src.u.all) & mask->src.u.all) 211 if ((t1->src.u.all ^ t2->src.u.all) & mask->src.u.all)
206 return 0; 212 return false;
207 213
208 if (t1->src.l3num != t2->src.l3num || 214 if (t1->src.l3num != t2->src.l3num ||
209 t1->dst.protonum != t2->dst.protonum) 215 t1->dst.protonum != t2->dst.protonum)
210 return 0; 216 return false;
211 217
212 return 1; 218 return true;
213} 219}
214 220
215static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t, 221static inline bool
216 const struct nf_conntrack_tuple *tuple, 222nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
217 const struct nf_conntrack_tuple_mask *mask) 223 const struct nf_conntrack_tuple *tuple,
224 const struct nf_conntrack_tuple_mask *mask)
218{ 225{
219 return nf_ct_tuple_src_mask_cmp(t, tuple, mask) && 226 return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
220 __nf_ct_tuple_dst_equal(t, tuple); 227 __nf_ct_tuple_dst_equal(t, tuple);
diff --git a/include/net/netfilter/nf_nat_helper.h b/include/net/netfilter/nf_nat_helper.h
index 58dd22687949..237a961f40e1 100644
--- a/include/net/netfilter/nf_nat_helper.h
+++ b/include/net/netfilter/nf_nat_helper.h
@@ -24,6 +24,9 @@ extern int nf_nat_mangle_udp_packet(struct sk_buff *skb,
24extern int nf_nat_seq_adjust(struct sk_buff *skb, 24extern int nf_nat_seq_adjust(struct sk_buff *skb,
25 struct nf_conn *ct, 25 struct nf_conn *ct,
26 enum ip_conntrack_info ctinfo); 26 enum ip_conntrack_info ctinfo);
27extern int (*nf_nat_seq_adjust_hook)(struct sk_buff *skb,
28 struct nf_conn *ct,
29 enum ip_conntrack_info ctinfo);
27 30
28/* Setup NAT on this expected conntrack so it follows master, but goes 31/* Setup NAT on this expected conntrack so it follows master, but goes
29 * to port ct->master->saved_proto. */ 32 * to port ct->master->saved_proto. */
diff --git a/include/net/netfilter/nf_nat_protocol.h b/include/net/netfilter/nf_nat_protocol.h
index 4aa0edbb5b96..f3662c4394ef 100644
--- a/include/net/netfilter/nf_nat_protocol.h
+++ b/include/net/netfilter/nf_nat_protocol.h
@@ -8,9 +8,6 @@ struct nf_nat_range;
8 8
9struct nf_nat_protocol 9struct nf_nat_protocol
10{ 10{
11 /* Protocol name */
12 const char *name;
13
14 /* Protocol number. */ 11 /* Protocol number. */
15 unsigned int protonum; 12 unsigned int protonum;
16 13
@@ -18,25 +15,25 @@ struct nf_nat_protocol
18 15
19 /* Translate a packet to the target according to manip type. 16 /* Translate a packet to the target according to manip type.
20 Return true if succeeded. */ 17 Return true if succeeded. */
21 int (*manip_pkt)(struct sk_buff *skb, 18 bool (*manip_pkt)(struct sk_buff *skb,
22 unsigned int iphdroff, 19 unsigned int iphdroff,
23 const struct nf_conntrack_tuple *tuple, 20 const struct nf_conntrack_tuple *tuple,
24 enum nf_nat_manip_type maniptype); 21 enum nf_nat_manip_type maniptype);
25 22
26 /* Is the manipable part of the tuple between min and max incl? */ 23 /* Is the manipable part of the tuple between min and max incl? */
27 int (*in_range)(const struct nf_conntrack_tuple *tuple, 24 bool (*in_range)(const struct nf_conntrack_tuple *tuple,
28 enum nf_nat_manip_type maniptype, 25 enum nf_nat_manip_type maniptype,
29 const union nf_conntrack_man_proto *min, 26 const union nf_conntrack_man_proto *min,
30 const union nf_conntrack_man_proto *max); 27 const union nf_conntrack_man_proto *max);
31 28
32 /* Alter the per-proto part of the tuple (depending on 29 /* Alter the per-proto part of the tuple (depending on
33 maniptype), to give a unique tuple in the given range if 30 maniptype), to give a unique tuple in the given range if
34 possible; return false if not. Per-protocol part of tuple 31 possible; return false if not. Per-protocol part of tuple
35 is initialized to the incoming packet. */ 32 is initialized to the incoming packet. */
36 int (*unique_tuple)(struct nf_conntrack_tuple *tuple, 33 bool (*unique_tuple)(struct nf_conntrack_tuple *tuple,
37 const struct nf_nat_range *range, 34 const struct nf_nat_range *range,
38 enum nf_nat_manip_type maniptype, 35 enum nf_nat_manip_type maniptype,
39 const struct nf_conn *ct); 36 const struct nf_conn *ct);
40 37
41 int (*range_to_nlattr)(struct sk_buff *skb, 38 int (*range_to_nlattr)(struct sk_buff *skb,
42 const struct nf_nat_range *range); 39 const struct nf_nat_range *range);
@@ -62,9 +59,20 @@ extern int init_protocols(void) __init;
62extern void cleanup_protocols(void); 59extern void cleanup_protocols(void);
63extern const struct nf_nat_protocol *find_nat_proto(u_int16_t protonum); 60extern const struct nf_nat_protocol *find_nat_proto(u_int16_t protonum);
64 61
65extern int nf_nat_port_range_to_nlattr(struct sk_buff *skb, 62extern bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple,
66 const struct nf_nat_range *range); 63 enum nf_nat_manip_type maniptype,
67extern int nf_nat_port_nlattr_to_range(struct nlattr *tb[], 64 const union nf_conntrack_man_proto *min,
68 struct nf_nat_range *range); 65 const union nf_conntrack_man_proto *max);
66
67extern bool nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
68 const struct nf_nat_range *range,
69 enum nf_nat_manip_type maniptype,
70 const struct nf_conn *ct,
71 u_int16_t *rover);
72
73extern int nf_nat_proto_range_to_nlattr(struct sk_buff *skb,
74 const struct nf_nat_range *range);
75extern int nf_nat_proto_nlattr_to_range(struct nlattr *tb[],
76 struct nf_nat_range *range);
69 77
70#endif /*_NF_NAT_PROTO_H*/ 78#endif /*_NF_NAT_PROTO_H*/
diff --git a/include/net/netfilter/nf_nat_rule.h b/include/net/netfilter/nf_nat_rule.h
index 75d1825031d7..e4a18ae361c6 100644
--- a/include/net/netfilter/nf_nat_rule.h
+++ b/include/net/netfilter/nf_nat_rule.h
@@ -14,7 +14,4 @@ extern int nf_nat_rule_find(struct sk_buff *skb,
14 14
15extern unsigned int 15extern unsigned int
16alloc_null_binding(struct nf_conn *ct, unsigned int hooknum); 16alloc_null_binding(struct nf_conn *ct, unsigned int hooknum);
17
18extern unsigned int
19alloc_null_binding_confirmed(struct nf_conn *ct, unsigned int hooknum);
20#endif /* _NF_NAT_RULE_H */ 17#endif /* _NF_NAT_RULE_H */