diff options
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/netfilter.h | 76 | ||||
-rw-r--r-- | include/linux/netfilter/nf_conntrack_dccp.h | 40 | ||||
-rw-r--r-- | include/linux/netfilter/nfnetlink_conntrack.h | 8 | ||||
-rw-r--r-- | include/linux/netfilter/x_tables.h | 4 | ||||
-rw-r--r-- | include/linux/netfilter/xt_sctp.h | 84 | ||||
-rw-r--r-- | include/linux/netfilter_arp/arp_tables.h | 17 | ||||
-rw-r--r-- | include/linux/netfilter_bridge/ebt_nflog.h | 21 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4.h | 2 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack.h | 32 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_core.h | 4 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_l3proto.h | 19 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_l4proto.h | 13 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_tuple.h | 47 | ||||
-rw-r--r-- | include/net/netfilter/nf_nat_helper.h | 3 | ||||
-rw-r--r-- | include/net/netfilter/nf_nat_protocol.h | 46 | ||||
-rw-r--r-- | include/net/netfilter/nf_nat_rule.h | 3 |
16 files changed, 273 insertions, 146 deletions
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 89e6c72ad295..e4c66593b5c6 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h | |||
@@ -6,11 +6,13 @@ | |||
6 | #include <linux/types.h> | 6 | #include <linux/types.h> |
7 | #include <linux/skbuff.h> | 7 | #include <linux/skbuff.h> |
8 | #include <linux/net.h> | 8 | #include <linux/net.h> |
9 | #include <linux/netdevice.h> | ||
9 | #include <linux/if.h> | 10 | #include <linux/if.h> |
10 | #include <linux/in.h> | 11 | #include <linux/in.h> |
11 | #include <linux/in6.h> | 12 | #include <linux/in6.h> |
12 | #include <linux/wait.h> | 13 | #include <linux/wait.h> |
13 | #include <linux/list.h> | 14 | #include <linux/list.h> |
15 | #include <net/net_namespace.h> | ||
14 | #endif | 16 | #endif |
15 | #include <linux/compiler.h> | 17 | #include <linux/compiler.h> |
16 | 18 | ||
@@ -76,7 +78,6 @@ extern void netfilter_init(void); | |||
76 | #define NF_MAX_HOOKS 8 | 78 | #define NF_MAX_HOOKS 8 |
77 | 79 | ||
78 | struct sk_buff; | 80 | struct sk_buff; |
79 | struct net_device; | ||
80 | 81 | ||
81 | typedef unsigned int nf_hookfn(unsigned int hooknum, | 82 | typedef unsigned int nf_hookfn(unsigned int hooknum, |
82 | struct sk_buff *skb, | 83 | struct sk_buff *skb, |
@@ -233,6 +234,11 @@ struct nf_afinfo { | |||
233 | unsigned short family; | 234 | unsigned short family; |
234 | __sum16 (*checksum)(struct sk_buff *skb, unsigned int hook, | 235 | __sum16 (*checksum)(struct sk_buff *skb, unsigned int hook, |
235 | unsigned int dataoff, u_int8_t protocol); | 236 | unsigned int dataoff, u_int8_t protocol); |
237 | __sum16 (*checksum_partial)(struct sk_buff *skb, | ||
238 | unsigned int hook, | ||
239 | unsigned int dataoff, | ||
240 | unsigned int len, | ||
241 | u_int8_t protocol); | ||
236 | int (*route)(struct dst_entry **dst, struct flowi *fl); | 242 | int (*route)(struct dst_entry **dst, struct flowi *fl); |
237 | void (*saveroute)(const struct sk_buff *skb, | 243 | void (*saveroute)(const struct sk_buff *skb, |
238 | struct nf_queue_entry *entry); | 244 | struct nf_queue_entry *entry); |
@@ -262,6 +268,23 @@ nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, | |||
262 | return csum; | 268 | return csum; |
263 | } | 269 | } |
264 | 270 | ||
271 | static inline __sum16 | ||
272 | nf_checksum_partial(struct sk_buff *skb, unsigned int hook, | ||
273 | unsigned int dataoff, unsigned int len, | ||
274 | u_int8_t protocol, unsigned short family) | ||
275 | { | ||
276 | const struct nf_afinfo *afinfo; | ||
277 | __sum16 csum = 0; | ||
278 | |||
279 | rcu_read_lock(); | ||
280 | afinfo = nf_get_afinfo(family); | ||
281 | if (afinfo) | ||
282 | csum = afinfo->checksum_partial(skb, hook, dataoff, len, | ||
283 | protocol); | ||
284 | rcu_read_unlock(); | ||
285 | return csum; | ||
286 | } | ||
287 | |||
265 | extern int nf_register_afinfo(const struct nf_afinfo *afinfo); | 288 | extern int nf_register_afinfo(const struct nf_afinfo *afinfo); |
266 | extern void nf_unregister_afinfo(const struct nf_afinfo *afinfo); | 289 | extern void nf_unregister_afinfo(const struct nf_afinfo *afinfo); |
267 | 290 | ||
@@ -320,5 +343,56 @@ extern void (*nf_ct_destroy)(struct nf_conntrack *); | |||
320 | static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} | 343 | static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} |
321 | #endif | 344 | #endif |
322 | 345 | ||
346 | static inline struct net *nf_pre_routing_net(const struct net_device *in, | ||
347 | const struct net_device *out) | ||
348 | { | ||
349 | #ifdef CONFIG_NET_NS | ||
350 | return in->nd_net; | ||
351 | #else | ||
352 | return &init_net; | ||
353 | #endif | ||
354 | } | ||
355 | |||
356 | static inline struct net *nf_local_in_net(const struct net_device *in, | ||
357 | const struct net_device *out) | ||
358 | { | ||
359 | #ifdef CONFIG_NET_NS | ||
360 | return in->nd_net; | ||
361 | #else | ||
362 | return &init_net; | ||
363 | #endif | ||
364 | } | ||
365 | |||
366 | static inline struct net *nf_forward_net(const struct net_device *in, | ||
367 | const struct net_device *out) | ||
368 | { | ||
369 | #ifdef CONFIG_NET_NS | ||
370 | BUG_ON(in->nd_net != out->nd_net); | ||
371 | return in->nd_net; | ||
372 | #else | ||
373 | return &init_net; | ||
374 | #endif | ||
375 | } | ||
376 | |||
377 | static inline struct net *nf_local_out_net(const struct net_device *in, | ||
378 | const struct net_device *out) | ||
379 | { | ||
380 | #ifdef CONFIG_NET_NS | ||
381 | return out->nd_net; | ||
382 | #else | ||
383 | return &init_net; | ||
384 | #endif | ||
385 | } | ||
386 | |||
387 | static inline struct net *nf_post_routing_net(const struct net_device *in, | ||
388 | const struct net_device *out) | ||
389 | { | ||
390 | #ifdef CONFIG_NET_NS | ||
391 | return out->nd_net; | ||
392 | #else | ||
393 | return &init_net; | ||
394 | #endif | ||
395 | } | ||
396 | |||
323 | #endif /*__KERNEL__*/ | 397 | #endif /*__KERNEL__*/ |
324 | #endif /*__LINUX_NETFILTER_H*/ | 398 | #endif /*__LINUX_NETFILTER_H*/ |
diff --git a/include/linux/netfilter/nf_conntrack_dccp.h b/include/linux/netfilter/nf_conntrack_dccp.h new file mode 100644 index 000000000000..40dcc82058d1 --- /dev/null +++ b/include/linux/netfilter/nf_conntrack_dccp.h | |||
@@ -0,0 +1,40 @@ | |||
1 | #ifndef _NF_CONNTRACK_DCCP_H | ||
2 | #define _NF_CONNTRACK_DCCP_H | ||
3 | |||
4 | /* Exposed to userspace over nfnetlink */ | ||
5 | enum ct_dccp_states { | ||
6 | CT_DCCP_NONE, | ||
7 | CT_DCCP_REQUEST, | ||
8 | CT_DCCP_RESPOND, | ||
9 | CT_DCCP_PARTOPEN, | ||
10 | CT_DCCP_OPEN, | ||
11 | CT_DCCP_CLOSEREQ, | ||
12 | CT_DCCP_CLOSING, | ||
13 | CT_DCCP_TIMEWAIT, | ||
14 | CT_DCCP_IGNORE, | ||
15 | CT_DCCP_INVALID, | ||
16 | __CT_DCCP_MAX | ||
17 | }; | ||
18 | #define CT_DCCP_MAX (__CT_DCCP_MAX - 1) | ||
19 | |||
20 | enum ct_dccp_roles { | ||
21 | CT_DCCP_ROLE_CLIENT, | ||
22 | CT_DCCP_ROLE_SERVER, | ||
23 | __CT_DCCP_ROLE_MAX | ||
24 | }; | ||
25 | #define CT_DCCP_ROLE_MAX (__CT_DCCP_ROLE_MAX - 1) | ||
26 | |||
27 | #ifdef __KERNEL__ | ||
28 | #include <net/netfilter/nf_conntrack_tuple.h> | ||
29 | |||
30 | struct nf_ct_dccp { | ||
31 | u_int8_t role[IP_CT_DIR_MAX]; | ||
32 | u_int8_t state; | ||
33 | u_int8_t last_pkt; | ||
34 | u_int8_t last_dir; | ||
35 | u_int64_t handshake_seq; | ||
36 | }; | ||
37 | |||
38 | #endif /* __KERNEL__ */ | ||
39 | |||
40 | #endif /* _NF_CONNTRACK_DCCP_H */ | ||
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index e3e1533aba2d..0a383ac083cb 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h | |||
@@ -80,6 +80,7 @@ enum ctattr_l4proto { | |||
80 | enum ctattr_protoinfo { | 80 | enum ctattr_protoinfo { |
81 | CTA_PROTOINFO_UNSPEC, | 81 | CTA_PROTOINFO_UNSPEC, |
82 | CTA_PROTOINFO_TCP, | 82 | CTA_PROTOINFO_TCP, |
83 | CTA_PROTOINFO_DCCP, | ||
83 | __CTA_PROTOINFO_MAX | 84 | __CTA_PROTOINFO_MAX |
84 | }; | 85 | }; |
85 | #define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1) | 86 | #define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1) |
@@ -95,6 +96,13 @@ enum ctattr_protoinfo_tcp { | |||
95 | }; | 96 | }; |
96 | #define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1) | 97 | #define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1) |
97 | 98 | ||
99 | enum ctattr_protoinfo_dccp { | ||
100 | CTA_PROTOINFO_DCCP_UNSPEC, | ||
101 | CTA_PROTOINFO_DCCP_STATE, | ||
102 | __CTA_PROTOINFO_DCCP_MAX, | ||
103 | }; | ||
104 | #define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1) | ||
105 | |||
98 | enum ctattr_counters { | 106 | enum ctattr_counters { |
99 | CTA_COUNTERS_UNSPEC, | 107 | CTA_COUNTERS_UNSPEC, |
100 | CTA_COUNTERS_PACKETS, /* old 64bit counters */ | 108 | CTA_COUNTERS_PACKETS, /* old 64bit counters */ |
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index b2c62cc618f5..2326296b6f25 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h | |||
@@ -430,13 +430,13 @@ extern int xt_compat_add_offset(int af, unsigned int offset, short delta); | |||
430 | extern void xt_compat_flush_offsets(int af); | 430 | extern void xt_compat_flush_offsets(int af); |
431 | extern short xt_compat_calc_jump(int af, unsigned int offset); | 431 | extern short xt_compat_calc_jump(int af, unsigned int offset); |
432 | 432 | ||
433 | extern int xt_compat_match_offset(struct xt_match *match); | 433 | extern int xt_compat_match_offset(const struct xt_match *match); |
434 | extern int xt_compat_match_from_user(struct xt_entry_match *m, | 434 | extern int xt_compat_match_from_user(struct xt_entry_match *m, |
435 | void **dstptr, unsigned int *size); | 435 | void **dstptr, unsigned int *size); |
436 | extern int xt_compat_match_to_user(struct xt_entry_match *m, | 436 | extern int xt_compat_match_to_user(struct xt_entry_match *m, |
437 | void __user **dstptr, unsigned int *size); | 437 | void __user **dstptr, unsigned int *size); |
438 | 438 | ||
439 | extern int xt_compat_target_offset(struct xt_target *target); | 439 | extern int xt_compat_target_offset(const struct xt_target *target); |
440 | extern void xt_compat_target_from_user(struct xt_entry_target *t, | 440 | extern void xt_compat_target_from_user(struct xt_entry_target *t, |
441 | void **dstptr, unsigned int *size); | 441 | void **dstptr, unsigned int *size); |
442 | extern int xt_compat_target_to_user(struct xt_entry_target *t, | 442 | extern int xt_compat_target_to_user(struct xt_entry_target *t, |
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h index dd5a4fd4cfd3..32000ba6ecef 100644 --- a/include/linux/netfilter/xt_sctp.h +++ b/include/linux/netfilter/xt_sctp.h | |||
@@ -37,68 +37,54 @@ struct xt_sctp_info { | |||
37 | 37 | ||
38 | #define SCTP_CHUNKMAP_SET(chunkmap, type) \ | 38 | #define SCTP_CHUNKMAP_SET(chunkmap, type) \ |
39 | do { \ | 39 | do { \ |
40 | chunkmap[type / bytes(u_int32_t)] |= \ | 40 | (chunkmap)[type / bytes(u_int32_t)] |= \ |
41 | 1 << (type % bytes(u_int32_t)); \ | 41 | 1 << (type % bytes(u_int32_t)); \ |
42 | } while (0) | 42 | } while (0) |
43 | 43 | ||
44 | #define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ | 44 | #define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ |
45 | do { \ | 45 | do { \ |
46 | chunkmap[type / bytes(u_int32_t)] &= \ | 46 | (chunkmap)[type / bytes(u_int32_t)] &= \ |
47 | ~(1 << (type % bytes(u_int32_t))); \ | 47 | ~(1 << (type % bytes(u_int32_t))); \ |
48 | } while (0) | 48 | } while (0) |
49 | 49 | ||
50 | #define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ | 50 | #define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ |
51 | ({ \ | 51 | ({ \ |
52 | (chunkmap[type / bytes (u_int32_t)] & \ | 52 | ((chunkmap)[type / bytes (u_int32_t)] & \ |
53 | (1 << (type % bytes (u_int32_t)))) ? 1: 0; \ | 53 | (1 << (type % bytes (u_int32_t)))) ? 1: 0; \ |
54 | }) | 54 | }) |
55 | 55 | ||
56 | #define SCTP_CHUNKMAP_RESET(chunkmap) \ | 56 | #define SCTP_CHUNKMAP_RESET(chunkmap) \ |
57 | do { \ | 57 | memset((chunkmap), 0, sizeof(chunkmap)) |
58 | int i; \ | 58 | |
59 | for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \ | 59 | #define SCTP_CHUNKMAP_SET_ALL(chunkmap) \ |
60 | chunkmap[i] = 0; \ | 60 | memset((chunkmap), ~0U, sizeof(chunkmap)) |
61 | } while (0) | 61 | |
62 | 62 | #define SCTP_CHUNKMAP_COPY(destmap, srcmap) \ | |
63 | #define SCTP_CHUNKMAP_SET_ALL(chunkmap) \ | 63 | memcpy((destmap), (srcmap), sizeof(srcmap)) |
64 | do { \ | 64 | |
65 | int i; \ | 65 | #define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \ |
66 | for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \ | 66 | __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap)) |
67 | chunkmap[i] = ~0; \ | 67 | static inline bool |
68 | } while (0) | 68 | __sctp_chunkmap_is_clear(const u_int32_t *chunkmap, unsigned int n) |
69 | 69 | { | |
70 | #define SCTP_CHUNKMAP_COPY(destmap, srcmap) \ | 70 | unsigned int i; |
71 | do { \ | 71 | for (i = 0; i < n; ++i) |
72 | int i; \ | 72 | if (chunkmap[i]) |
73 | for (i = 0; i < ARRAY_SIZE(srcmap); i++) \ | 73 | return false; |
74 | destmap[i] = srcmap[i]; \ | 74 | return true; |
75 | } while (0) | 75 | } |
76 | 76 | ||
77 | #define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \ | 77 | #define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \ |
78 | ({ \ | 78 | __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap)) |
79 | int i; \ | 79 | static inline bool |
80 | int flag = 1; \ | 80 | __sctp_chunkmap_is_all_set(const u_int32_t *chunkmap, unsigned int n) |
81 | for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \ | 81 | { |
82 | if (chunkmap[i]) { \ | 82 | unsigned int i; |
83 | flag = 0; \ | 83 | for (i = 0; i < n; ++i) |
84 | break; \ | 84 | if (chunkmap[i] != ~0U) |
85 | } \ | 85 | return false; |
86 | } \ | 86 | return true; |
87 | flag; \ | 87 | } |
88 | }) | ||
89 | |||
90 | #define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \ | ||
91 | ({ \ | ||
92 | int i; \ | ||
93 | int flag = 1; \ | ||
94 | for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \ | ||
95 | if (chunkmap[i] != ~0) { \ | ||
96 | flag = 0; \ | ||
97 | break; \ | ||
98 | } \ | ||
99 | } \ | ||
100 | flag; \ | ||
101 | }) | ||
102 | 88 | ||
103 | #endif /* _XT_SCTP_H_ */ | 89 | #endif /* _XT_SCTP_H_ */ |
104 | 90 | ||
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h index db223ca92c8b..dd9c97f2d436 100644 --- a/include/linux/netfilter_arp/arp_tables.h +++ b/include/linux/netfilter_arp/arp_tables.h | |||
@@ -23,8 +23,6 @@ | |||
23 | 23 | ||
24 | #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN | 24 | #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN |
25 | #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN | 25 | #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN |
26 | #define arpt_target xt_target | ||
27 | #define arpt_table xt_table | ||
28 | 26 | ||
29 | #define ARPT_DEV_ADDR_LEN_MAX 16 | 27 | #define ARPT_DEV_ADDR_LEN_MAX 16 |
30 | 28 | ||
@@ -266,20 +264,15 @@ struct arpt_error | |||
266 | .target.errorname = "ERROR", \ | 264 | .target.errorname = "ERROR", \ |
267 | } | 265 | } |
268 | 266 | ||
269 | #define arpt_register_target(tgt) \ | 267 | extern struct xt_table *arpt_register_table(struct net *net, |
270 | ({ (tgt)->family = NF_ARP; \ | 268 | struct xt_table *table, |
271 | xt_register_target(tgt); }) | 269 | const struct arpt_replace *repl); |
272 | #define arpt_unregister_target(tgt) xt_unregister_target(tgt) | 270 | extern void arpt_unregister_table(struct xt_table *table); |
273 | |||
274 | extern struct arpt_table *arpt_register_table(struct net *net, | ||
275 | struct arpt_table *table, | ||
276 | const struct arpt_replace *repl); | ||
277 | extern void arpt_unregister_table(struct arpt_table *table); | ||
278 | extern unsigned int arpt_do_table(struct sk_buff *skb, | 271 | extern unsigned int arpt_do_table(struct sk_buff *skb, |
279 | unsigned int hook, | 272 | unsigned int hook, |
280 | const struct net_device *in, | 273 | const struct net_device *in, |
281 | const struct net_device *out, | 274 | const struct net_device *out, |
282 | struct arpt_table *table); | 275 | struct xt_table *table); |
283 | 276 | ||
284 | #define ARPT_ALIGN(s) XT_ALIGN(s) | 277 | #define ARPT_ALIGN(s) XT_ALIGN(s) |
285 | 278 | ||
diff --git a/include/linux/netfilter_bridge/ebt_nflog.h b/include/linux/netfilter_bridge/ebt_nflog.h new file mode 100644 index 000000000000..052817849b83 --- /dev/null +++ b/include/linux/netfilter_bridge/ebt_nflog.h | |||
@@ -0,0 +1,21 @@ | |||
1 | #ifndef __LINUX_BRIDGE_EBT_NFLOG_H | ||
2 | #define __LINUX_BRIDGE_EBT_NFLOG_H | ||
3 | |||
4 | #define EBT_NFLOG_MASK 0x0 | ||
5 | |||
6 | #define EBT_NFLOG_PREFIX_SIZE 64 | ||
7 | #define EBT_NFLOG_WATCHER "nflog" | ||
8 | |||
9 | #define EBT_NFLOG_DEFAULT_GROUP 0x1 | ||
10 | #define EBT_NFLOG_DEFAULT_THRESHOLD 1 | ||
11 | |||
12 | struct ebt_nflog_info { | ||
13 | u_int32_t len; | ||
14 | u_int16_t group; | ||
15 | u_int16_t threshold; | ||
16 | u_int16_t flags; | ||
17 | u_int16_t pad; | ||
18 | char prefix[EBT_NFLOG_PREFIX_SIZE]; | ||
19 | }; | ||
20 | |||
21 | #endif /* __LINUX_BRIDGE_EBT_NFLOG_H */ | ||
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h index 9a10092e358c..650318b0c405 100644 --- a/include/linux/netfilter_ipv4.h +++ b/include/linux/netfilter_ipv4.h | |||
@@ -62,8 +62,6 @@ enum nf_ip_hook_priorities { | |||
62 | NF_IP_PRI_FILTER = 0, | 62 | NF_IP_PRI_FILTER = 0, |
63 | NF_IP_PRI_NAT_SRC = 100, | 63 | NF_IP_PRI_NAT_SRC = 100, |
64 | NF_IP_PRI_SELINUX_LAST = 225, | 64 | NF_IP_PRI_SELINUX_LAST = 225, |
65 | NF_IP_PRI_CONNTRACK_HELPER = INT_MAX - 2, | ||
66 | NF_IP_PRI_NAT_SEQ_ADJUST = INT_MAX - 1, | ||
67 | NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, | 65 | NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, |
68 | NF_IP_PRI_LAST = INT_MAX, | 66 | NF_IP_PRI_LAST = INT_MAX, |
69 | }; | 67 | }; |
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index a3567a7a6d67..2dbd6c015b94 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h | |||
@@ -20,6 +20,7 @@ | |||
20 | #include <asm/atomic.h> | 20 | #include <asm/atomic.h> |
21 | 21 | ||
22 | #include <linux/netfilter/nf_conntrack_tcp.h> | 22 | #include <linux/netfilter/nf_conntrack_tcp.h> |
23 | #include <linux/netfilter/nf_conntrack_dccp.h> | ||
23 | #include <linux/netfilter/nf_conntrack_sctp.h> | 24 | #include <linux/netfilter/nf_conntrack_sctp.h> |
24 | #include <linux/netfilter/nf_conntrack_proto_gre.h> | 25 | #include <linux/netfilter/nf_conntrack_proto_gre.h> |
25 | #include <net/netfilter/ipv4/nf_conntrack_icmp.h> | 26 | #include <net/netfilter/ipv4/nf_conntrack_icmp.h> |
@@ -30,6 +31,7 @@ | |||
30 | /* per conntrack: protocol private data */ | 31 | /* per conntrack: protocol private data */ |
31 | union nf_conntrack_proto { | 32 | union nf_conntrack_proto { |
32 | /* insert conntrack proto private data here */ | 33 | /* insert conntrack proto private data here */ |
34 | struct nf_ct_dccp dccp; | ||
33 | struct ip_ct_sctp sctp; | 35 | struct ip_ct_sctp sctp; |
34 | struct ip_ct_tcp tcp; | 36 | struct ip_ct_tcp tcp; |
35 | struct ip_ct_icmp icmp; | 37 | struct ip_ct_icmp icmp; |
@@ -63,14 +65,7 @@ union nf_conntrack_help { | |||
63 | #include <linux/timer.h> | 65 | #include <linux/timer.h> |
64 | 66 | ||
65 | #ifdef CONFIG_NETFILTER_DEBUG | 67 | #ifdef CONFIG_NETFILTER_DEBUG |
66 | #define NF_CT_ASSERT(x) \ | 68 | #define NF_CT_ASSERT(x) WARN_ON(!(x)) |
67 | do { \ | ||
68 | if (!(x)) \ | ||
69 | /* Wooah! I'm tripping my conntrack in a frenzy of \ | ||
70 | netplay... */ \ | ||
71 | printk("NF_CT_ASSERT: %s:%i(%s)\n", \ | ||
72 | __FILE__, __LINE__, __FUNCTION__); \ | ||
73 | } while(0) | ||
74 | #else | 69 | #else |
75 | #define NF_CT_ASSERT(x) | 70 | #define NF_CT_ASSERT(x) |
76 | #endif | 71 | #endif |
@@ -145,6 +140,16 @@ nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash) | |||
145 | tuplehash[hash->tuple.dst.dir]); | 140 | tuplehash[hash->tuple.dst.dir]); |
146 | } | 141 | } |
147 | 142 | ||
143 | static inline u_int16_t nf_ct_l3num(const struct nf_conn *ct) | ||
144 | { | ||
145 | return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num; | ||
146 | } | ||
147 | |||
148 | static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct) | ||
149 | { | ||
150 | return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum; | ||
151 | } | ||
152 | |||
148 | /* get master conntrack via master expectation */ | 153 | /* get master conntrack via master expectation */ |
149 | #define master_ct(conntr) (conntr->master) | 154 | #define master_ct(conntr) (conntr->master) |
150 | 155 | ||
@@ -189,12 +194,11 @@ extern void nf_conntrack_hash_insert(struct nf_conn *ct); | |||
189 | 194 | ||
190 | extern void nf_conntrack_flush(void); | 195 | extern void nf_conntrack_flush(void); |
191 | 196 | ||
192 | extern int nf_ct_get_tuplepr(const struct sk_buff *skb, | 197 | extern bool nf_ct_get_tuplepr(const struct sk_buff *skb, |
193 | unsigned int nhoff, | 198 | unsigned int nhoff, u_int16_t l3num, |
194 | u_int16_t l3num, | 199 | struct nf_conntrack_tuple *tuple); |
195 | struct nf_conntrack_tuple *tuple); | 200 | extern bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, |
196 | extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, | 201 | const struct nf_conntrack_tuple *orig); |
197 | const struct nf_conntrack_tuple *orig); | ||
198 | 202 | ||
199 | extern void __nf_ct_refresh_acct(struct nf_conn *ct, | 203 | extern void __nf_ct_refresh_acct(struct nf_conn *ct, |
200 | enum ip_conntrack_info ctinfo, | 204 | enum ip_conntrack_info ctinfo, |
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h index 9ee26469c759..a81771210934 100644 --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h | |||
@@ -30,7 +30,7 @@ extern void nf_conntrack_cleanup(void); | |||
30 | extern int nf_conntrack_proto_init(void); | 30 | extern int nf_conntrack_proto_init(void); |
31 | extern void nf_conntrack_proto_fini(void); | 31 | extern void nf_conntrack_proto_fini(void); |
32 | 32 | ||
33 | extern int | 33 | extern bool |
34 | nf_ct_get_tuple(const struct sk_buff *skb, | 34 | nf_ct_get_tuple(const struct sk_buff *skb, |
35 | unsigned int nhoff, | 35 | unsigned int nhoff, |
36 | unsigned int dataoff, | 36 | unsigned int dataoff, |
@@ -40,7 +40,7 @@ nf_ct_get_tuple(const struct sk_buff *skb, | |||
40 | const struct nf_conntrack_l3proto *l3proto, | 40 | const struct nf_conntrack_l3proto *l3proto, |
41 | const struct nf_conntrack_l4proto *l4proto); | 41 | const struct nf_conntrack_l4proto *l4proto); |
42 | 42 | ||
43 | extern int | 43 | extern bool |
44 | nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, | 44 | nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, |
45 | const struct nf_conntrack_tuple *orig, | 45 | const struct nf_conntrack_tuple *orig, |
46 | const struct nf_conntrack_l3proto *l3proto, | 46 | const struct nf_conntrack_l3proto *l3proto, |
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h index b886e3ae6cad..0378676c3dd8 100644 --- a/include/net/netfilter/nf_conntrack_l3proto.h +++ b/include/net/netfilter/nf_conntrack_l3proto.h | |||
@@ -28,31 +28,20 @@ struct nf_conntrack_l3proto | |||
28 | * Try to fill in the third arg: nhoff is offset of l3 proto | 28 | * Try to fill in the third arg: nhoff is offset of l3 proto |
29 | * hdr. Return true if possible. | 29 | * hdr. Return true if possible. |
30 | */ | 30 | */ |
31 | int (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int nhoff, | 31 | bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int nhoff, |
32 | struct nf_conntrack_tuple *tuple); | 32 | struct nf_conntrack_tuple *tuple); |
33 | 33 | ||
34 | /* | 34 | /* |
35 | * Invert the per-proto part of the tuple: ie. turn xmit into reply. | 35 | * Invert the per-proto part of the tuple: ie. turn xmit into reply. |
36 | * Some packets can't be inverted: return 0 in that case. | 36 | * Some packets can't be inverted: return 0 in that case. |
37 | */ | 37 | */ |
38 | int (*invert_tuple)(struct nf_conntrack_tuple *inverse, | 38 | bool (*invert_tuple)(struct nf_conntrack_tuple *inverse, |
39 | const struct nf_conntrack_tuple *orig); | 39 | const struct nf_conntrack_tuple *orig); |
40 | 40 | ||
41 | /* Print out the per-protocol part of the tuple. */ | 41 | /* Print out the per-protocol part of the tuple. */ |
42 | int (*print_tuple)(struct seq_file *s, | 42 | int (*print_tuple)(struct seq_file *s, |
43 | const struct nf_conntrack_tuple *); | 43 | const struct nf_conntrack_tuple *); |
44 | 44 | ||
45 | /* Returns verdict for packet, or -1 for invalid. */ | ||
46 | int (*packet)(struct nf_conn *ct, | ||
47 | const struct sk_buff *skb, | ||
48 | enum ip_conntrack_info ctinfo); | ||
49 | |||
50 | /* | ||
51 | * Called when a new connection for this protocol found; | ||
52 | * returns TRUE if it's OK. If so, packet() called next. | ||
53 | */ | ||
54 | int (*new)(struct nf_conn *ct, const struct sk_buff *skb); | ||
55 | |||
56 | /* | 45 | /* |
57 | * Called before tracking. | 46 | * Called before tracking. |
58 | * *dataoff: offset of protocol header (TCP, UDP,...) in skb | 47 | * *dataoff: offset of protocol header (TCP, UDP,...) in skb |
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h index efc16eccddb1..723df9d1cc35 100644 --- a/include/net/netfilter/nf_conntrack_l4proto.h +++ b/include/net/netfilter/nf_conntrack_l4proto.h | |||
@@ -25,15 +25,14 @@ struct nf_conntrack_l4proto | |||
25 | 25 | ||
26 | /* Try to fill in the third arg: dataoff is offset past network protocol | 26 | /* Try to fill in the third arg: dataoff is offset past network protocol |
27 | hdr. Return true if possible. */ | 27 | hdr. Return true if possible. */ |
28 | int (*pkt_to_tuple)(const struct sk_buff *skb, | 28 | bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff, |
29 | unsigned int dataoff, | 29 | struct nf_conntrack_tuple *tuple); |
30 | struct nf_conntrack_tuple *tuple); | ||
31 | 30 | ||
32 | /* Invert the per-proto part of the tuple: ie. turn xmit into reply. | 31 | /* Invert the per-proto part of the tuple: ie. turn xmit into reply. |
33 | * Some packets can't be inverted: return 0 in that case. | 32 | * Some packets can't be inverted: return 0 in that case. |
34 | */ | 33 | */ |
35 | int (*invert_tuple)(struct nf_conntrack_tuple *inverse, | 34 | bool (*invert_tuple)(struct nf_conntrack_tuple *inverse, |
36 | const struct nf_conntrack_tuple *orig); | 35 | const struct nf_conntrack_tuple *orig); |
37 | 36 | ||
38 | /* Returns verdict for packet, or -1 for invalid. */ | 37 | /* Returns verdict for packet, or -1 for invalid. */ |
39 | int (*packet)(struct nf_conn *ct, | 38 | int (*packet)(struct nf_conn *ct, |
@@ -45,8 +44,8 @@ struct nf_conntrack_l4proto | |||
45 | 44 | ||
46 | /* Called when a new connection for this protocol found; | 45 | /* Called when a new connection for this protocol found; |
47 | * returns TRUE if it's OK. If so, packet() called next. */ | 46 | * returns TRUE if it's OK. If so, packet() called next. */ |
48 | int (*new)(struct nf_conn *ct, const struct sk_buff *skb, | 47 | bool (*new)(struct nf_conn *ct, const struct sk_buff *skb, |
49 | unsigned int dataoff); | 48 | unsigned int dataoff); |
50 | 49 | ||
51 | /* Called when a conntrack entry is destroyed */ | 50 | /* Called when a conntrack entry is destroyed */ |
52 | void (*destroy)(struct nf_conn *ct); | 51 | void (*destroy)(struct nf_conn *ct); |
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h index 168c91754d89..1bb7087833d3 100644 --- a/include/net/netfilter/nf_conntrack_tuple.h +++ b/include/net/netfilter/nf_conntrack_tuple.h | |||
@@ -41,6 +41,9 @@ union nf_conntrack_man_proto | |||
41 | } icmp; | 41 | } icmp; |
42 | struct { | 42 | struct { |
43 | __be16 port; | 43 | __be16 port; |
44 | } dccp; | ||
45 | struct { | ||
46 | __be16 port; | ||
44 | } sctp; | 47 | } sctp; |
45 | struct { | 48 | struct { |
46 | __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */ | 49 | __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */ |
@@ -79,6 +82,9 @@ struct nf_conntrack_tuple | |||
79 | } icmp; | 82 | } icmp; |
80 | struct { | 83 | struct { |
81 | __be16 port; | 84 | __be16 port; |
85 | } dccp; | ||
86 | struct { | ||
87 | __be16 port; | ||
82 | } sctp; | 88 | } sctp; |
83 | struct { | 89 | struct { |
84 | __be16 key; | 90 | __be16 key; |
@@ -145,8 +151,6 @@ static inline void nf_ct_dump_tuple(const struct nf_conntrack_tuple *t) | |||
145 | } | 151 | } |
146 | } | 152 | } |
147 | 153 | ||
148 | #define NF_CT_DUMP_TUPLE(tp) nf_ct_dump_tuple(tp) | ||
149 | |||
150 | /* If we're the first tuple, it's the original dir. */ | 154 | /* If we're the first tuple, it's the original dir. */ |
151 | #define NF_CT_DIRECTION(h) \ | 155 | #define NF_CT_DIRECTION(h) \ |
152 | ((enum ip_conntrack_dir)(h)->tuple.dst.dir) | 156 | ((enum ip_conntrack_dir)(h)->tuple.dst.dir) |
@@ -160,61 +164,64 @@ struct nf_conntrack_tuple_hash | |||
160 | 164 | ||
161 | #endif /* __KERNEL__ */ | 165 | #endif /* __KERNEL__ */ |
162 | 166 | ||
163 | static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1, | 167 | static inline bool __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1, |
164 | const struct nf_conntrack_tuple *t2) | 168 | const struct nf_conntrack_tuple *t2) |
165 | { | 169 | { |
166 | return (nf_inet_addr_cmp(&t1->src.u3, &t2->src.u3) && | 170 | return (nf_inet_addr_cmp(&t1->src.u3, &t2->src.u3) && |
167 | t1->src.u.all == t2->src.u.all && | 171 | t1->src.u.all == t2->src.u.all && |
168 | t1->src.l3num == t2->src.l3num); | 172 | t1->src.l3num == t2->src.l3num); |
169 | } | 173 | } |
170 | 174 | ||
171 | static inline int __nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1, | 175 | static inline bool __nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1, |
172 | const struct nf_conntrack_tuple *t2) | 176 | const struct nf_conntrack_tuple *t2) |
173 | { | 177 | { |
174 | return (nf_inet_addr_cmp(&t1->dst.u3, &t2->dst.u3) && | 178 | return (nf_inet_addr_cmp(&t1->dst.u3, &t2->dst.u3) && |
175 | t1->dst.u.all == t2->dst.u.all && | 179 | t1->dst.u.all == t2->dst.u.all && |
176 | t1->dst.protonum == t2->dst.protonum); | 180 | t1->dst.protonum == t2->dst.protonum); |
177 | } | 181 | } |
178 | 182 | ||
179 | static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1, | 183 | static inline bool nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1, |
180 | const struct nf_conntrack_tuple *t2) | 184 | const struct nf_conntrack_tuple *t2) |
181 | { | 185 | { |
182 | return __nf_ct_tuple_src_equal(t1, t2) && | 186 | return __nf_ct_tuple_src_equal(t1, t2) && |
183 | __nf_ct_tuple_dst_equal(t1, t2); | 187 | __nf_ct_tuple_dst_equal(t1, t2); |
184 | } | 188 | } |
185 | 189 | ||
186 | static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1, | 190 | static inline bool |
187 | const struct nf_conntrack_tuple_mask *m2) | 191 | nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1, |
192 | const struct nf_conntrack_tuple_mask *m2) | ||
188 | { | 193 | { |
189 | return (nf_inet_addr_cmp(&m1->src.u3, &m2->src.u3) && | 194 | return (nf_inet_addr_cmp(&m1->src.u3, &m2->src.u3) && |
190 | m1->src.u.all == m2->src.u.all); | 195 | m1->src.u.all == m2->src.u.all); |
191 | } | 196 | } |
192 | 197 | ||
193 | static inline int nf_ct_tuple_src_mask_cmp(const struct nf_conntrack_tuple *t1, | 198 | static inline bool |
194 | const struct nf_conntrack_tuple *t2, | 199 | nf_ct_tuple_src_mask_cmp(const struct nf_conntrack_tuple *t1, |
195 | const struct nf_conntrack_tuple_mask *mask) | 200 | const struct nf_conntrack_tuple *t2, |
201 | const struct nf_conntrack_tuple_mask *mask) | ||
196 | { | 202 | { |
197 | int count; | 203 | int count; |
198 | 204 | ||
199 | for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) { | 205 | for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) { |
200 | if ((t1->src.u3.all[count] ^ t2->src.u3.all[count]) & | 206 | if ((t1->src.u3.all[count] ^ t2->src.u3.all[count]) & |
201 | mask->src.u3.all[count]) | 207 | mask->src.u3.all[count]) |
202 | return 0; | 208 | return false; |
203 | } | 209 | } |
204 | 210 | ||
205 | if ((t1->src.u.all ^ t2->src.u.all) & mask->src.u.all) | 211 | if ((t1->src.u.all ^ t2->src.u.all) & mask->src.u.all) |
206 | return 0; | 212 | return false; |
207 | 213 | ||
208 | if (t1->src.l3num != t2->src.l3num || | 214 | if (t1->src.l3num != t2->src.l3num || |
209 | t1->dst.protonum != t2->dst.protonum) | 215 | t1->dst.protonum != t2->dst.protonum) |
210 | return 0; | 216 | return false; |
211 | 217 | ||
212 | return 1; | 218 | return true; |
213 | } | 219 | } |
214 | 220 | ||
215 | static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t, | 221 | static inline bool |
216 | const struct nf_conntrack_tuple *tuple, | 222 | nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t, |
217 | const struct nf_conntrack_tuple_mask *mask) | 223 | const struct nf_conntrack_tuple *tuple, |
224 | const struct nf_conntrack_tuple_mask *mask) | ||
218 | { | 225 | { |
219 | return nf_ct_tuple_src_mask_cmp(t, tuple, mask) && | 226 | return nf_ct_tuple_src_mask_cmp(t, tuple, mask) && |
220 | __nf_ct_tuple_dst_equal(t, tuple); | 227 | __nf_ct_tuple_dst_equal(t, tuple); |
diff --git a/include/net/netfilter/nf_nat_helper.h b/include/net/netfilter/nf_nat_helper.h index 58dd22687949..237a961f40e1 100644 --- a/include/net/netfilter/nf_nat_helper.h +++ b/include/net/netfilter/nf_nat_helper.h | |||
@@ -24,6 +24,9 @@ extern int nf_nat_mangle_udp_packet(struct sk_buff *skb, | |||
24 | extern int nf_nat_seq_adjust(struct sk_buff *skb, | 24 | extern int nf_nat_seq_adjust(struct sk_buff *skb, |
25 | struct nf_conn *ct, | 25 | struct nf_conn *ct, |
26 | enum ip_conntrack_info ctinfo); | 26 | enum ip_conntrack_info ctinfo); |
27 | extern int (*nf_nat_seq_adjust_hook)(struct sk_buff *skb, | ||
28 | struct nf_conn *ct, | ||
29 | enum ip_conntrack_info ctinfo); | ||
27 | 30 | ||
28 | /* Setup NAT on this expected conntrack so it follows master, but goes | 31 | /* Setup NAT on this expected conntrack so it follows master, but goes |
29 | * to port ct->master->saved_proto. */ | 32 | * to port ct->master->saved_proto. */ |
diff --git a/include/net/netfilter/nf_nat_protocol.h b/include/net/netfilter/nf_nat_protocol.h index 4aa0edbb5b96..f3662c4394ef 100644 --- a/include/net/netfilter/nf_nat_protocol.h +++ b/include/net/netfilter/nf_nat_protocol.h | |||
@@ -8,9 +8,6 @@ struct nf_nat_range; | |||
8 | 8 | ||
9 | struct nf_nat_protocol | 9 | struct nf_nat_protocol |
10 | { | 10 | { |
11 | /* Protocol name */ | ||
12 | const char *name; | ||
13 | |||
14 | /* Protocol number. */ | 11 | /* Protocol number. */ |
15 | unsigned int protonum; | 12 | unsigned int protonum; |
16 | 13 | ||
@@ -18,25 +15,25 @@ struct nf_nat_protocol | |||
18 | 15 | ||
19 | /* Translate a packet to the target according to manip type. | 16 | /* Translate a packet to the target according to manip type. |
20 | Return true if succeeded. */ | 17 | Return true if succeeded. */ |
21 | int (*manip_pkt)(struct sk_buff *skb, | 18 | bool (*manip_pkt)(struct sk_buff *skb, |
22 | unsigned int iphdroff, | 19 | unsigned int iphdroff, |
23 | const struct nf_conntrack_tuple *tuple, | 20 | const struct nf_conntrack_tuple *tuple, |
24 | enum nf_nat_manip_type maniptype); | 21 | enum nf_nat_manip_type maniptype); |
25 | 22 | ||
26 | /* Is the manipable part of the tuple between min and max incl? */ | 23 | /* Is the manipable part of the tuple between min and max incl? */ |
27 | int (*in_range)(const struct nf_conntrack_tuple *tuple, | 24 | bool (*in_range)(const struct nf_conntrack_tuple *tuple, |
28 | enum nf_nat_manip_type maniptype, | 25 | enum nf_nat_manip_type maniptype, |
29 | const union nf_conntrack_man_proto *min, | 26 | const union nf_conntrack_man_proto *min, |
30 | const union nf_conntrack_man_proto *max); | 27 | const union nf_conntrack_man_proto *max); |
31 | 28 | ||
32 | /* Alter the per-proto part of the tuple (depending on | 29 | /* Alter the per-proto part of the tuple (depending on |
33 | maniptype), to give a unique tuple in the given range if | 30 | maniptype), to give a unique tuple in the given range if |
34 | possible; return false if not. Per-protocol part of tuple | 31 | possible; return false if not. Per-protocol part of tuple |
35 | is initialized to the incoming packet. */ | 32 | is initialized to the incoming packet. */ |
36 | int (*unique_tuple)(struct nf_conntrack_tuple *tuple, | 33 | bool (*unique_tuple)(struct nf_conntrack_tuple *tuple, |
37 | const struct nf_nat_range *range, | 34 | const struct nf_nat_range *range, |
38 | enum nf_nat_manip_type maniptype, | 35 | enum nf_nat_manip_type maniptype, |
39 | const struct nf_conn *ct); | 36 | const struct nf_conn *ct); |
40 | 37 | ||
41 | int (*range_to_nlattr)(struct sk_buff *skb, | 38 | int (*range_to_nlattr)(struct sk_buff *skb, |
42 | const struct nf_nat_range *range); | 39 | const struct nf_nat_range *range); |
@@ -62,9 +59,20 @@ extern int init_protocols(void) __init; | |||
62 | extern void cleanup_protocols(void); | 59 | extern void cleanup_protocols(void); |
63 | extern const struct nf_nat_protocol *find_nat_proto(u_int16_t protonum); | 60 | extern const struct nf_nat_protocol *find_nat_proto(u_int16_t protonum); |
64 | 61 | ||
65 | extern int nf_nat_port_range_to_nlattr(struct sk_buff *skb, | 62 | extern bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple, |
66 | const struct nf_nat_range *range); | 63 | enum nf_nat_manip_type maniptype, |
67 | extern int nf_nat_port_nlattr_to_range(struct nlattr *tb[], | 64 | const union nf_conntrack_man_proto *min, |
68 | struct nf_nat_range *range); | 65 | const union nf_conntrack_man_proto *max); |
66 | |||
67 | extern bool nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple, | ||
68 | const struct nf_nat_range *range, | ||
69 | enum nf_nat_manip_type maniptype, | ||
70 | const struct nf_conn *ct, | ||
71 | u_int16_t *rover); | ||
72 | |||
73 | extern int nf_nat_proto_range_to_nlattr(struct sk_buff *skb, | ||
74 | const struct nf_nat_range *range); | ||
75 | extern int nf_nat_proto_nlattr_to_range(struct nlattr *tb[], | ||
76 | struct nf_nat_range *range); | ||
69 | 77 | ||
70 | #endif /*_NF_NAT_PROTO_H*/ | 78 | #endif /*_NF_NAT_PROTO_H*/ |
diff --git a/include/net/netfilter/nf_nat_rule.h b/include/net/netfilter/nf_nat_rule.h index 75d1825031d7..e4a18ae361c6 100644 --- a/include/net/netfilter/nf_nat_rule.h +++ b/include/net/netfilter/nf_nat_rule.h | |||
@@ -14,7 +14,4 @@ extern int nf_nat_rule_find(struct sk_buff *skb, | |||
14 | 14 | ||
15 | extern unsigned int | 15 | extern unsigned int |
16 | alloc_null_binding(struct nf_conn *ct, unsigned int hooknum); | 16 | alloc_null_binding(struct nf_conn *ct, unsigned int hooknum); |
17 | |||
18 | extern unsigned int | ||
19 | alloc_null_binding_confirmed(struct nf_conn *ct, unsigned int hooknum); | ||
20 | #endif /* _NF_NAT_RULE_H */ | 17 | #endif /* _NF_NAT_RULE_H */ |