Diffstat (limited to 'include')
21 files changed, 398 insertions, 222 deletions
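--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -5,13 +5,11 @@
 #include <linux/init.h>
 #include <linux/skbuff.h>
 #include <linux/net.h>
-#include <linux/netdevice.h>
 #include <linux/if.h>
 #include <linux/in.h>
 #include <linux/in6.h>
 #include <linux/wait.h>
 #include <linux/list.h>
-#include <net/net_namespace.h>
 #endif
 #include <linux/types.h>
 #include <linux/compiler.h>
@@ -52,6 +50,16 @@ enum nf_inet_hooks {
 NF_INET_NUMHOOKS
 };
 
+enum {
+NFPROTO_UNSPEC = 0,
+NFPROTO_IPV4 = 2,
+NFPROTO_ARP = 3,
+NFPROTO_BRIDGE = 7,
+NFPROTO_IPV6 = 10,
+NFPROTO_DECNET = 12,
+NFPROTO_NUMPROTO,
+};
+
 union nf_inet_addr {
 __u32 all[4];
 __be32 ip;
@@ -92,8 +100,8 @@ struct nf_hook_ops
 /* User fills in from here down. */
 nf_hookfn *hook;
 struct module *owner;
-int pf;
-int hooknum;
+u_int8_t pf;
+unsigned int hooknum;
 /* Hooks are ordered in ascending priority. */
 int priority;
 };
@@ -102,7 +110,7 @@ struct nf_sockopt_ops
 {
 struct list_head list;
 
-int pf;
+u_int8_t pf;
 
 /* Non-inclusive ranges: use 0/0/NULL to never get called. */
 int set_optmin;
@@ -138,9 +146,9 @@ extern struct ctl_path nf_net_netfilter_sysctl_path[];
 extern struct ctl_path nf_net_ipv4_netfilter_sysctl_path[];
 #endif /* CONFIG_SYSCTL */
 
-extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
+extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
 
-int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
+int nf_hook_slow(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
 struct net_device *indev, struct net_device *outdev,
 int (*okfn)(struct sk_buff *), int thresh);
 
@@ -151,7 +159,7 @@ int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
 * okfn must be invoked by the caller in this case. Any other return
 * value indicates the packet has been consumed by the hook.
 */
-static inline int nf_hook_thresh(int pf, unsigned int hook,
+static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
 struct sk_buff *skb,
 struct net_device *indev,
 struct net_device *outdev,
@@ -167,7 +175,7 @@ static inline int nf_hook_thresh(int pf, unsigned int hook,
 return nf_hook_slow(pf, hook, skb, indev, outdev, okfn, thresh);
 }
 
-static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb,
+static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
 struct net_device *indev, struct net_device *outdev,
 int (*okfn)(struct sk_buff *))
 {
@@ -212,14 +220,14 @@ __ret;})
 NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN)
 
 /* Call setsockopt() */
-int nf_setsockopt(struct sock *sk, int pf, int optval, char __user *opt,
+int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
 int len);
-int nf_getsockopt(struct sock *sk, int pf, int optval, char __user *opt,
+int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
 int *len);
 
-int compat_nf_setsockopt(struct sock *sk, int pf, int optval,
+int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval,
 char __user *opt, int len);
-int compat_nf_getsockopt(struct sock *sk, int pf, int optval,
+int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval,
 char __user *opt, int *len);
 
 /* Call this before modifying an existing packet: ensures it is
@@ -247,7 +255,7 @@ struct nf_afinfo {
 int route_key_size;
 };
 
-extern const struct nf_afinfo *nf_afinfo[NPROTO];
+extern const struct nf_afinfo *nf_afinfo[NFPROTO_NUMPROTO];
 static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family)
 {
 return rcu_dereference(nf_afinfo[family]);
@@ -292,7 +300,7 @@ extern void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
 extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
 
 static inline void
-nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family)
+nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
 {
 #ifdef CONFIG_NF_NAT_NEEDED
 void (*decodefn)(struct sk_buff *, struct flowi *);
@@ -315,7 +323,7 @@ extern struct proc_dir_entry *proc_net_netfilter;
 #else /* !CONFIG_NETFILTER */
 #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
 #define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
-static inline int nf_hook_thresh(int pf, unsigned int hook,
+static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
 struct sk_buff *skb,
 struct net_device *indev,
 struct net_device *outdev,
@@ -324,7 +332,7 @@ static inline int nf_hook_thresh(int pf, unsigned int hook,
 {
 return okfn(skb);
 }
-static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb,
+static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
 struct net_device *indev, struct net_device *outdev,
 int (*okfn)(struct sk_buff *))
 {
@@ -332,7 +340,9 @@ static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb,
 }
 struct flowi;
 static inline void
-nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family) {}
+nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
+{
+}
 #endif /*CONFIG_NETFILTER*/
 
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
@@ -343,56 +353,5 @@ extern void (*nf_ct_destroy)(struct nf_conntrack *);
 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
 #endif
 
-static inline struct net *nf_pre_routing_net(const struct net_device *in,
-const struct net_device *out)
-{
-#ifdef CONFIG_NET_NS
-return in->nd_net;
-#else
-return &init_net;
-#endif
-}
-
-static inline struct net *nf_local_in_net(const struct net_device *in,
-const struct net_device *out)
-{
-#ifdef CONFIG_NET_NS
-return in->nd_net;
-#else
-return &init_net;
-#endif
-}
-
-static inline struct net *nf_forward_net(const struct net_device *in,
-const struct net_device *out)
-{
-#ifdef CONFIG_NET_NS
-BUG_ON(in->nd_net != out->nd_net);
-return in->nd_net;
-#else
-return &init_net;
-#endif
-}
-
-static inline struct net *nf_local_out_net(const struct net_device *in,
-const struct net_device *out)
-{
-#ifdef CONFIG_NET_NS
-return out->nd_net;
-#else
-return &init_net;
-#endif
-}
-
-static inline struct net *nf_post_routing_net(const struct net_device *in,
-const struct net_device *out)
-{
-#ifdef CONFIG_NET_NS
-return out->nd_net;
-#else
-return &init_net;
-#endif
-}
-
 #endif /*__KERNEL__*/
 #endif /*__LINUX_NETFILTER_H*/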
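Review bot: `nf_afinfo` shrinks from `NPROTO` to `NFPROTO_NUMPROTO` entries, but `nf_get_afinfo()` keeps its `unsigned short family` parameter and still does `rcu_dereference(nf_afinfo[family])` with no range check, so a caller that still hands it a `PF_*` value above the new `NFPROTO_*` range reads past the array. Adding `if (family >= NFPROTO_NUMPROTO) return NULL;` before the dereference, or at least a comment stating that `family` must be an `NFPROTO_*` value, and narrowing the parameter to `u_int8_t` like every other `pf`/`family` parameter in this header, keeps the accessor consistent with the new sizing. The same sizing change applies to `nf_hooks`, whose indexing in `nf_hook_slow()` lives in a .c file outside this diff and presumably needs the same bound.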
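--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -32,6 +32,7 @@ header-y += xt_owner.h
 header-y += xt_pkttype.h
 header-y += xt_rateest.h
 header-y += xt_realm.h
+header-y += xt_recent.h
 header-y += xt_sctp.h
 header-y += xt_state.h
 header-y += xt_statistic.h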
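--- a/include/linux/netfilter/nf_conntrack_proto_gre.h
+++ b/include/linux/netfilter/nf_conntrack_proto_gre.h
@@ -87,7 +87,7 @@ int nf_ct_gre_keymap_add(struct nf_conn *ct, enum ip_conntrack_dir dir,
 /* delete keymap entries */
 void nf_ct_gre_keymap_destroy(struct nf_conn *ct);
 
-extern void nf_ct_gre_keymap_flush(void);
+extern void nf_ct_gre_keymap_flush(struct net *net);
 extern void nf_nat_need_gre(void);
 
 #endif /* __KERNEL__ */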
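Review bot: `nf_ct_gre_keymap_flush` now takes a `struct net *`, but nothing in this hunk declares `struct net`; if none of the header's earlier includes does, the prototype introduces a parameter-scoped struct declaration and the compiler warns that it will not match the definition. A forward declaration `struct net;` above the prototype makes the header self-contained regardless of include order. The rest of the header is outside this hunk.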
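--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -173,6 +173,98 @@ struct xt_counters_info
 
 #include <linux/netdevice.h>
 
+/**
+* struct xt_match_param - parameters for match extensions' match functions
+*
+* @in: input netdevice
+* @out: output netdevice
+* @match: struct xt_match through which this function was invoked
+* @matchinfo: per-match data
+* @fragoff: packet is a fragment, this is the data offset
+* @thoff: position of transport header relative to skb->data
+* @hotdrop: drop packet if we had inspection problems
+* @family: Actual NFPROTO_* through which the function is invoked
+* (helpful when match->family == NFPROTO_UNSPEC)
+*/
+struct xt_match_param {
+const struct net_device *in, *out;
+const struct xt_match *match;
+const void *matchinfo;
+int fragoff;
+unsigned int thoff;
+bool *hotdrop;
+u_int8_t family;
+};
+
+/**
+* struct xt_mtchk_param - parameters for match extensions'
+* checkentry functions
+*
+* @table: table the rule is tried to be inserted into
+* @entryinfo: the family-specific rule data
+* (struct ipt_ip, ip6t_ip, ebt_entry)
+* @match: struct xt_match through which this function was invoked
+* @matchinfo: per-match data
+* @hook_mask: via which hooks the new rule is reachable
+*/
+struct xt_mtchk_param {
+const char *table;
+const void *entryinfo;
+const struct xt_match *match;
+void *matchinfo;
+unsigned int hook_mask;
+u_int8_t family;
+};
+
+/* Match destructor parameters */
+struct xt_mtdtor_param {
+const struct xt_match *match;
+void *matchinfo;
+u_int8_t family;
+};
+
+/**
+* struct xt_target_param - parameters for target extensions' target functions
+*
+* @hooknum: hook through which this target was invoked
+* @target: struct xt_target through which this function was invoked
+* @targinfo: per-target data
+*
+* Other fields see above.
+*/
+struct xt_target_param {
+const struct net_device *in, *out;
+unsigned int hooknum;
+const struct xt_target *target;
+const void *targinfo;
+u_int8_t family;
+};
+
+/**
+* struct xt_tgchk_param - parameters for target extensions'
+* checkentry functions
+*
+* @entryinfo: the family-specific rule data
+* (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
+*
+* Other fields see above.
+*/
+struct xt_tgchk_param {
+const char *table;
+void *entryinfo;
+const struct xt_target *target;
+void *targinfo;
+unsigned int hook_mask;
+u_int8_t family;
+};
+
+/* Target destructor parameters */
+struct xt_tgdtor_param {
+const struct xt_target *target;
+void *targinfo;
+u_int8_t family;
+};
+
 struct xt_match
 {
 struct list_head list;
@@ -185,24 +277,13 @@ struct xt_match
 non-linear skb, using skb_header_pointer and
 skb_ip_make_writable. */
 bool (*match)(const struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
-const struct xt_match *match,
-const void *matchinfo,
-int offset,
-unsigned int protoff,
-bool *hotdrop);
+const struct xt_match_param *);
 
 /* Called when user tries to insert an entry of this type. */
-/* Should return true or false. */
-bool (*checkentry)(const char *tablename,
-const void *ip,
-const struct xt_match *match,
-void *matchinfo,
-unsigned int hook_mask);
+bool (*checkentry)(const struct xt_mtchk_param *);
 
 /* Called when entry of this type deleted. */
-void (*destroy)(const struct xt_match *match, void *matchinfo);
+void (*destroy)(const struct xt_mtdtor_param *);
 
 /* Called when userspace align differs from kernel space one */
 void (*compat_from_user)(void *dst, void *src);
@@ -235,24 +316,16 @@ struct xt_target
 must now handle non-linear skbs, using skb_copy_bits and
 skb_ip_make_writable. */
 unsigned int (*target)(struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
-unsigned int hooknum,
-const struct xt_target *target,
-const void *targinfo);
+const struct xt_target_param *);
 
 /* Called when user tries to insert an entry of this type:
 hook_mask is a bitmask of hooks from which it can be
 called. */
 /* Should return true or false. */
-bool (*checkentry)(const char *tablename,
-const void *entry,
-const struct xt_target *target,
-void *targinfo,
-unsigned int hook_mask);
+bool (*checkentry)(const struct xt_tgchk_param *);
 
 /* Called when entry of this type deleted. */
-void (*destroy)(const struct xt_target *target, void *targinfo);
+void (*destroy)(const struct xt_tgdtor_param *);
 
 /* Called when userspace align differs from kernel space one */
 void (*compat_from_user)(void *dst, void *src);
@@ -292,7 +365,7 @@ struct xt_table
 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 struct module *me;
 
-int af; /* address/protocol family */
+u_int8_t af; /* address/protocol family */
 };
 
 #include <linux/netfilter_ipv4.h>
@@ -328,12 +401,10 @@ extern void xt_unregister_match(struct xt_match *target);
 extern int xt_register_matches(struct xt_match *match, unsigned int n);
 extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
 
-extern int xt_check_match(const struct xt_match *match, unsigned short family,
-unsigned int size, const char *table, unsigned int hook,
-unsigned short proto, int inv_proto);
-extern int xt_check_target(const struct xt_target *target, unsigned short family,
-unsigned int size, const char *table, unsigned int hook,
-unsigned short proto, int inv_proto);
+extern int xt_check_match(struct xt_mtchk_param *,
+unsigned int size, u_int8_t proto, bool inv_proto);
+extern int xt_check_target(struct xt_tgchk_param *,
+unsigned int size, u_int8_t proto, bool inv_proto);
 
 extern struct xt_table *xt_register_table(struct net *net,
 struct xt_table *table,
@@ -346,19 +417,19 @@ extern struct xt_table_info *xt_replace_table(struct xt_table *table,
 struct xt_table_info *newinfo,
 int *error);
 
-extern struct xt_match *xt_find_match(int af, const char *name, u8 revision);
-extern struct xt_target *xt_find_target(int af, const char *name, u8 revision);
-extern struct xt_target *xt_request_find_target(int af, const char *name,
+extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
+extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
+extern struct xt_target *xt_request_find_target(u8 af, const char *name,
 u8 revision);
-extern int xt_find_revision(int af, const char *name, u8 revision, int target,
-int *err);
+extern int xt_find_revision(u8 af, const char *name, u8 revision,
+int target, int *err);
 
-extern struct xt_table *xt_find_table_lock(struct net *net, int af,
+extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
 const char *name);
 extern void xt_table_unlock(struct xt_table *t);
 
-extern int xt_proto_init(struct net *net, int af);
-extern void xt_proto_fini(struct net *net, int af);
+extern int xt_proto_init(struct net *net, u_int8_t af);
+extern void xt_proto_fini(struct net *net, u_int8_t af);
 
 extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
 extern void xt_free_table_info(struct xt_table_info *info);
@@ -423,12 +494,12 @@ struct compat_xt_counters_info
 #define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
 & ~(__alignof__(struct compat_xt_counters)-1))
 
-extern void xt_compat_lock(int af);
-extern void xt_compat_unlock(int af);
+extern void xt_compat_lock(u_int8_t af);
+extern void xt_compat_unlock(u_int8_t af);
 
-extern int xt_compat_add_offset(int af, unsigned int offset, short delta);
-extern void xt_compat_flush_offsets(int af);
-extern short xt_compat_calc_jump(int af, unsigned int offset);
+extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta);
+extern void xt_compat_flush_offsets(u_int8_t af);
+extern short xt_compat_calc_jump(u_int8_t af, unsigned int offset);
 
 extern int xt_compat_match_offset(const struct xt_match *match);
 extern int xt_compat_match_from_user(struct xt_entry_match *m,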
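Review bot: The kernel-doc block for `struct xt_mtchk_param` stops at `@hook_mask` and never describes the `family` member declared right after it, while `struct xt_match_param` does document its `@family`; `struct xt_tgchk_param`, whose comment only says "Other fields see above", inherits the gap. Add `@family: NFPROTO_* family of the table the rule is inserted into` to the `xt_mtchk_param` comment so every checkentry author has one place to read what the byte means. A smaller style point: the new `xt_check_match`/`xt_check_target` prototypes leave their first parameter unnamed (`struct xt_mtchk_param *`); naming it `par`, as the `par->hook_mask` macros in ebtables.h already do, keeps the prototype self-describing.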
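--- /dev/null
+++ b/include/linux/netfilter/xt_TPROXY.h
@@ -0,0 +1,14 @@
+#ifndef _XT_TPROXY_H_target
+#define _XT_TPROXY_H_target
+
+/* TPROXY target is capable of marking the packet to perform
+* redirection. We can get rid of that whenever we get support for
+* mutliple targets in the same rule. */
+struct xt_tproxy_target_info {
+u_int32_t mark_mask;
+u_int32_t mark_value;
+__be32 laddr;
+__be16 lport;
+};
+
+#endif /* _XT_TPROXY_H_target */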
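Review bot: The new header uses `u_int32_t`, `__be32` and `__be16` but includes nothing, so it only compiles when the includer has already pulled in `<linux/types.h>`; add `#include <linux/types.h>` right after the guard so the header stands on its own. The comment above the struct also misspells "multiple" as `mutliple`. Since `struct xt_tproxy_target_info` is presumably the rule data handed in from userspace, a one-line comment noting that `laddr`/`lport` are network byte order (as the `__be*` types indicate) and that `mark_mask`/`mark_value` describe the mark applied to redirected packets would document the ABI for module authors.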
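--- /dev/null
+++ b/include/linux/netfilter/xt_recent.h
@@ -0,0 +1,26 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+enum {
+XT_RECENT_CHECK = 1 << 0,
+XT_RECENT_SET = 1 << 1,
+XT_RECENT_UPDATE = 1 << 2,
+XT_RECENT_REMOVE = 1 << 3,
+XT_RECENT_TTL = 1 << 4,
+
+XT_RECENT_SOURCE = 0,
+XT_RECENT_DEST = 1,
+
+XT_RECENT_NAME_LEN = 200,
+};
+
+struct xt_recent_mtinfo {
+u_int32_t seconds;
+u_int32_t hit_count;
+u_int8_t check_set;
+u_int8_t invert;
+char name[XT_RECENT_NAME_LEN];
+u_int8_t side;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */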
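Review bot: As with xt_TPROXY.h, this new header relies on `u_int32_t`/`u_int8_t` without including `<linux/types.h>`, and the Kbuild change in this commit exports it to userspace, so it should include what it uses. `name[XT_RECENT_NAME_LEN]` arrives from userspace as part of the rule and nothing here says it must be NUL-terminated; a comment such as `/* NUL-terminated; the match's checkentry must reject unterminated names */` would pin the contract that presumably lives in the .c file. Folding the `XT_RECENT_*` flag bits, the `SOURCE`/`DEST` selector and the length constant into one anonymous enum is a style point worth a short comment separating the three groups, since only the first five are bit flags.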
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h index 892f5b7771c7..d45e29cd1cfb 100644 --- a/include/linux/netfilter_bridge/ebtables.h +++ b/include/linux/netfilter_bridge/ebtables.h | |||
@@ -31,6 +31,9 @@ | |||
31 | * The 4 lsb are more than enough to store the verdict. */ | 31 | * The 4 lsb are more than enough to store the verdict. */ |
32 | #define EBT_VERDICT_BITS 0x0000000F | 32 | #define EBT_VERDICT_BITS 0x0000000F |
33 | 33 | ||
34 | struct xt_match; | ||
35 | struct xt_target; | ||
36 | |||
34 | struct ebt_counter | 37 | struct ebt_counter |
35 | { | 38 | { |
36 | uint64_t pcnt; | 39 | uint64_t pcnt; |
@@ -121,7 +124,7 @@ struct ebt_entry_match | |||
121 | { | 124 | { |
122 | union { | 125 | union { |
123 | char name[EBT_FUNCTION_MAXNAMELEN]; | 126 | char name[EBT_FUNCTION_MAXNAMELEN]; |
124 | struct ebt_match *match; | 127 | struct xt_match *match; |
125 | } u; | 128 | } u; |
126 | /* size of data */ | 129 | /* size of data */ |
127 | unsigned int match_size; | 130 | unsigned int match_size; |
@@ -132,7 +135,7 @@ struct ebt_entry_watcher | |||
132 | { | 135 | { |
133 | union { | 136 | union { |
134 | char name[EBT_FUNCTION_MAXNAMELEN]; | 137 | char name[EBT_FUNCTION_MAXNAMELEN]; |
135 | struct ebt_watcher *watcher; | 138 | struct xt_target *watcher; |
136 | } u; | 139 | } u; |
137 | /* size of data */ | 140 | /* size of data */ |
138 | unsigned int watcher_size; | 141 | unsigned int watcher_size; |
@@ -143,7 +146,7 @@ struct ebt_entry_target | |||
143 | { | 146 | { |
144 | union { | 147 | union { |
145 | char name[EBT_FUNCTION_MAXNAMELEN]; | 148 | char name[EBT_FUNCTION_MAXNAMELEN]; |
146 | struct ebt_target *target; | 149 | struct xt_target *target; |
147 | } u; | 150 | } u; |
148 | /* size of data */ | 151 | /* size of data */ |
149 | unsigned int target_size; | 152 | unsigned int target_size; |
@@ -207,14 +210,17 @@ struct ebt_match | |||
207 | { | 210 | { |
208 | struct list_head list; | 211 | struct list_head list; |
209 | const char name[EBT_FUNCTION_MAXNAMELEN]; | 212 | const char name[EBT_FUNCTION_MAXNAMELEN]; |
210 | /* 0 == it matches */ | 213 | bool (*match)(const struct sk_buff *skb, const struct net_device *in, |
211 | int (*match)(const struct sk_buff *skb, const struct net_device *in, | 214 | const struct net_device *out, const struct xt_match *match, |
212 | const struct net_device *out, const void *matchdata, | 215 | const void *matchinfo, int offset, unsigned int protoff, |
213 | unsigned int datalen); | 216 | bool *hotdrop); |
214 | /* 0 == let it in */ | 217 | bool (*checkentry)(const char *table, const void *entry, |
215 | int (*check)(const char *tablename, unsigned int hookmask, | 218 | const struct xt_match *match, void *matchinfo, |
216 | const struct ebt_entry *e, void *matchdata, unsigned int datalen); | 219 | unsigned int hook_mask); |
217 | void (*destroy)(void *matchdata, unsigned int datalen); | 220 | void (*destroy)(const struct xt_match *match, void *matchinfo); |
221 | unsigned int matchsize; | ||
222 | u_int8_t revision; | ||
223 | u_int8_t family; | ||
218 | struct module *me; | 224 | struct module *me; |
219 | }; | 225 | }; |
220 | 226 | ||
@@ -222,13 +228,17 @@ struct ebt_watcher | |||
222 | { | 228 | { |
223 | struct list_head list; | 229 | struct list_head list; |
224 | const char name[EBT_FUNCTION_MAXNAMELEN]; | 230 | const char name[EBT_FUNCTION_MAXNAMELEN]; |
225 | void (*watcher)(const struct sk_buff *skb, unsigned int hooknr, | 231 | unsigned int (*target)(struct sk_buff *skb, |
226 | const struct net_device *in, const struct net_device *out, | 232 | const struct net_device *in, const struct net_device *out, |
227 | const void *watcherdata, unsigned int datalen); | 233 | unsigned int hook_num, const struct xt_target *target, |
228 | /* 0 == let it in */ | 234 | const void *targinfo); |
229 | int (*check)(const char *tablename, unsigned int hookmask, | 235 | bool (*checkentry)(const char *table, const void *entry, |
230 | const struct ebt_entry *e, void *watcherdata, unsigned int datalen); | 236 | const struct xt_target *target, void *targinfo, |
231 | void (*destroy)(void *watcherdata, unsigned int datalen); | 237 | unsigned int hook_mask); |
238 | void (*destroy)(const struct xt_target *target, void *targinfo); | ||
239 | unsigned int targetsize; | ||
240 | u_int8_t revision; | ||
241 | u_int8_t family; | ||
232 | struct module *me; | 242 | struct module *me; |
233 | }; | 243 | }; |
234 | 244 | ||
@@ -236,14 +246,18 @@ struct ebt_target | |||
236 | { | 246 | { |
237 | struct list_head list; | 247 | struct list_head list; |
238 | const char name[EBT_FUNCTION_MAXNAMELEN]; | 248 | const char name[EBT_FUNCTION_MAXNAMELEN]; |
239 | /* returns one of the standard verdicts */ | 249 | /* returns one of the standard EBT_* verdicts */ |
240 | int (*target)(struct sk_buff *skb, unsigned int hooknr, | 250 | unsigned int (*target)(struct sk_buff *skb, |
241 | const struct net_device *in, const struct net_device *out, | 251 | const struct net_device *in, const struct net_device *out, |
242 | const void *targetdata, unsigned int datalen); | 252 | unsigned int hook_num, const struct xt_target *target, |
243 | /* 0 == let it in */ | 253 | const void *targinfo); |
244 | int (*check)(const char *tablename, unsigned int hookmask, | 254 | bool (*checkentry)(const char *table, const void *entry, |
245 | const struct ebt_entry *e, void *targetdata, unsigned int datalen); | 255 | const struct xt_target *target, void *targinfo, |
246 | void (*destroy)(void *targetdata, unsigned int datalen); | 256 | unsigned int hook_mask); |
257 | void (*destroy)(const struct xt_target *target, void *targinfo); | ||
258 | unsigned int targetsize; | ||
259 | u_int8_t revision; | ||
260 | u_int8_t family; | ||
247 | struct module *me; | 261 | struct module *me; |
248 | }; | 262 | }; |
249 | 263 | ||
@@ -288,12 +302,6 @@ struct ebt_table | |||
288 | ~(__alignof__(struct ebt_replace)-1)) | 302 | ~(__alignof__(struct ebt_replace)-1)) |
289 | extern int ebt_register_table(struct ebt_table *table); | 303 | extern int ebt_register_table(struct ebt_table *table); |
290 | extern void ebt_unregister_table(struct ebt_table *table); | 304 | extern void ebt_unregister_table(struct ebt_table *table); |
291 | extern int ebt_register_match(struct ebt_match *match); | ||
292 | extern void ebt_unregister_match(struct ebt_match *match); | ||
293 | extern int ebt_register_watcher(struct ebt_watcher *watcher); | ||
294 | extern void ebt_unregister_watcher(struct ebt_watcher *watcher); | ||
295 | extern int ebt_register_target(struct ebt_target *target); | ||
296 | extern void ebt_unregister_target(struct ebt_target *target); | ||
297 | extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb, | 305 | extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb, |
298 | const struct net_device *in, const struct net_device *out, | 306 | const struct net_device *in, const struct net_device *out, |
299 | struct ebt_table *table); | 307 | struct ebt_table *table); |
@@ -302,9 +310,9 @@ extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb, | |||
302 | #define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg)) | 310 | #define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg)) |
303 | /* True if the hook mask denotes that the rule is in a base chain, | 311 | /* True if the hook mask denotes that the rule is in a base chain, |
304 | * used in the check() functions */ | 312 | * used in the check() functions */ |
305 | #define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS)) | 313 | #define BASE_CHAIN (par->hook_mask & (1 << NF_BR_NUMHOOKS)) |
306 | /* Clear the bit in the hook mask that tells if the rule is on a base chain */ | 314 | /* Clear the bit in the hook mask that tells if the rule is on a base chain */ |
307 | #define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS)) | 315 | #define CLEAR_BASE_CHAIN_BIT (par->hook_mask &= ~(1 << NF_BR_NUMHOOKS)) |
308 | /* True if the target is not a standard target */ | 316 | /* True if the target is not a standard target */ |
309 | #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0) | 317 | #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0) |
310 | 318 | ||
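--- a/include/linux/netfilter_ipv4/ipt_recent.h
+++ b/include/linux/netfilter_ipv4/ipt_recent.h
@@ -1,27 +1,21 @@
 #ifndef _IPT_RECENT_H
 #define _IPT_RECENT_H
 
-#define RECENT_NAME "ipt_recent"
-#define RECENT_VER "v0.3.1"
+#include <linux/netfilter/xt_recent.h>
 
-#define IPT_RECENT_CHECK 1
-#define IPT_RECENT_SET 2
-#define IPT_RECENT_UPDATE 4
-#define IPT_RECENT_REMOVE 8
-#define IPT_RECENT_TTL 16
+#define ipt_recent_info xt_recent_mtinfo
 
-#define IPT_RECENT_SOURCE 0
-#define IPT_RECENT_DEST 1
+enum {
+IPT_RECENT_CHECK = XT_RECENT_CHECK,
+IPT_RECENT_SET = XT_RECENT_SET,
+IPT_RECENT_UPDATE = XT_RECENT_UPDATE,
+IPT_RECENT_REMOVE = XT_RECENT_REMOVE,
+IPT_RECENT_TTL = XT_RECENT_TTL,
 
-#define IPT_RECENT_NAME_LEN 200
+IPT_RECENT_SOURCE = XT_RECENT_SOURCE,
+IPT_RECENT_DEST = XT_RECENT_DEST,
 
-struct ipt_recent_info {
-u_int32_t seconds;
-u_int32_t hit_count;
-u_int8_t check_set;
-u_int8_t invert;
-char name[IPT_RECENT_NAME_LEN];
-u_int8_t side;
+IPT_RECENT_NAME_LEN = XT_RECENT_NAME_LEN,
 };
 
 #endif /*_IPT_RECENT_H*/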
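Review bot: The compatibility enum at lines 8–19 keeps the old IPT_RECENT_* names, but `IPT_RECENT_NAME_LEN = XT_RECENT_NAME_LEN` only preserves the user-space ABI if xt_recent.h defines that length as the 200 that the removed line 16 hard-coded; xt_recent.h is not on this page, so that equality should be confirmed, ideally pinned with a BUILD_BUG_ON in the C side. `#define ipt_recent_info xt_recent_mtinfo` at line 6 is a macro alias rather than a typedef, so code that already carries a forward declaration of `struct ipt_recent_info` will now see two different tags. A one-line comment would record the intent: `/* ipt_recent is an alias of xt_recent; the struct layout must stay identical for old binaries */`.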
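--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -16,6 +16,9 @@
 #include <net/netns/ipv6.h>
 #include <net/netns/dccp.h>
 #include <net/netns/x_tables.h>
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+#include <net/netns/conntrack.h>
+#endif
 
 struct proc_dir_entry;
 struct net_device;
@@ -67,6 +70,9 @@ struct net {
 #endif
 #ifdef CONFIG_NETFILTER
 struct netns_xt xt;
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+struct netns_ct ct;
+#endif
 #endif
 struct net_generic *gen;
 };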
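Review bot: The new include at lines 19–21 is guarded only by the two CONFIG_NF_CONNTRACK conditions, while the `struct netns_ct ct` member it serves at lines 73–75 is additionally nested under CONFIG_NETFILTER, and the neighbouring netns/x_tables.h include at line 18 is unconditional. The mixture reads as accidental: either include netns/conntrack.h unconditionally like its siblings (it only defines a struct) or add a comment on line 19 saying why it must not be pulled in without conntrack, e.g. `/* netns_ct only exists when conntrack is built */`.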
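--- /dev/null
+++ b/include/net/netfilter/ipv4/nf_defrag_ipv4.h
@@ -0,0 +1,6 @@
+#ifndef _NF_DEFRAG_IPV4_H
+#define _NF_DEFRAG_IPV4_H
+
+extern void nf_defrag_ipv4_enable(void);
+
+#endif /* _NF_DEFRAG_IPV4_H */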
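Review bot: `nf_defrag_ipv4_enable(void)` at line 4 is declared without a comment and has no disable counterpart, so a reader cannot tell whether enabling is one-shot, reference-counted or idempotent, nor from which context it may be called. Document the contract above the declaration, for instance `/* Register the IPv4 defragmentation hooks; may be called repeatedly, is never undone */`, adjusted to what the implementation (not on this page) actually does.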
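--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -123,7 +123,9 @@ struct nf_conn
 
 /* Extensions */
 struct nf_ct_ext *ext;
-
+#ifdef CONFIG_NET_NS
+struct net *ct_net;
+#endif
 struct rcu_head rcu;
 };
 
@@ -147,6 +149,17 @@ static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct)
 /* get master conntrack via master expectation */
 #define master_ct(conntr) (conntr->master)
 
+extern struct net init_net;
+
+static inline struct net *nf_ct_net(const struct nf_conn *ct)
+{
+#ifdef CONFIG_NET_NS
+return ct->ct_net;
+#else
+return &init_net;
+#endif
+}
+
 /* Alter reply tuple (maybe alter helper). */
 extern void
 nf_conntrack_alter_reply(struct nf_conn *ct,
@@ -182,11 +195,11 @@ extern void nf_ct_free_hashtable(struct hlist_head *hash, int vmalloced,
 unsigned int size);
 
 extern struct nf_conntrack_tuple_hash *
-__nf_conntrack_find(const struct nf_conntrack_tuple *tuple);
+__nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple);
 
 extern void nf_conntrack_hash_insert(struct nf_conn *ct);
 
-extern void nf_conntrack_flush(void);
+extern void nf_conntrack_flush(struct net *net);
 
 extern bool nf_ct_get_tuplepr(const struct sk_buff *skb,
 unsigned int nhoff, u_int16_t l3num,
@@ -248,10 +261,11 @@ extern struct nf_conn nf_conntrack_untracked;
 
 /* Iterate over all conntracks: if iter returns true, it's deleted. */
 extern void
-nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data);
+nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data);
 extern void nf_conntrack_free(struct nf_conn *ct);
 extern struct nf_conn *
-nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
+nf_conntrack_alloc(struct net *net,
+const struct nf_conntrack_tuple *orig,
 const struct nf_conntrack_tuple *repl,
 gfp_t gfp);
 
@@ -273,16 +287,14 @@ static inline int nf_ct_is_untracked(const struct sk_buff *skb)
 
 extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp);
 extern unsigned int nf_conntrack_htable_size;
-extern int nf_conntrack_checksum;
-extern atomic_t nf_conntrack_count;
 extern int nf_conntrack_max;
 
-DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat);
-#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++)
-#define NF_CT_STAT_INC_ATOMIC(count) \
+#define NF_CT_STAT_INC(net, count) \
+(per_cpu_ptr((net)->ct.stat, raw_smp_processor_id())->count++)
+#define NF_CT_STAT_INC_ATOMIC(net, count) \
 do { \
 local_bh_disable(); \
-__get_cpu_var(nf_conntrack_stat).count++; \
+per_cpu_ptr((net)->ct.stat, raw_smp_processor_id())->count++; \
 local_bh_enable(); \
 } while (0)
 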
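Review bot: NF_CT_STAT_INC at lines 292–293 reaches the per-CPU counter through `raw_smp_processor_id()`, which is only correct when the caller already runs with preemption or bottom halves disabled; the removed `__get_cpu_var` form had the same requirement, but since the macro is being rewritten it should now say so: `/* caller must have preemption or BH disabled; use NF_CT_STAT_INC_ATOMIC otherwise */`. The inner line 297 of the atomic variant is safe only because of the surrounding local_bh_disable()/local_bh_enable() pair. Separately, `extern struct net init_net;` at line 152 presumably duplicates the declaration in net_namespace.h; if this header deliberately avoids including that file, a comment saying so would stop someone from deleting the line later.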
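--- a/include/net/netfilter/nf_conntrack_acct.h
+++ b/include/net/netfilter/nf_conntrack_acct.h
@@ -8,6 +8,7 @@
 
 #ifndef _NF_CONNTRACK_ACCT_H
 #define _NF_CONNTRACK_ACCT_H
+#include <net/net_namespace.h>
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
 #include <net/netfilter/nf_conntrack.h>
@@ -18,8 +19,6 @@ struct nf_conn_counter {
 u_int64_t bytes;
 };
 
-extern int nf_ct_acct;
-
 static inline
 struct nf_conn_counter *nf_conn_acct_find(const struct nf_conn *ct)
 {
@@ -29,9 +28,10 @@ struct nf_conn_counter *nf_conn_acct_find(const struct nf_conn *ct)
 static inline
 struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
 {
+struct net *net = nf_ct_net(ct);
 struct nf_conn_counter *acct;
 
-if (!nf_ct_acct)
+if (!net->ct.sysctl_acct)
 return NULL;
 
 acct = nf_ct_ext_add(ct, NF_CT_EXT_ACCT, gfp);
@@ -45,7 +45,7 @@ struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
 extern unsigned int
 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir);
 
-extern int nf_conntrack_acct_init(void);
-extern void nf_conntrack_acct_fini(void);
+extern int nf_conntrack_acct_init(struct net *net);
+extern void nf_conntrack_acct_fini(struct net *net);
 
 #endif /* _NF_CONNTRACK_ACCT_H */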
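Review bot: nf_ct_acct_ext_add now derives the namespace from the conntrack via `nf_ct_net(ct)` at line 31, so it silently depends on `ct->ct_net` having been filled in before the accounting extension is attached; under CONFIG_NET_NS a call on a conntrack that is not yet fully initialised would dereference an unset pointer. That ordering is presumably enforced by nf_conntrack_alloc, which now takes the net, but it is not stated here; add `/* ct->ct_net must already be set: the sysctl is per-namespace */` above line 31. The rest of the function's body lies outside the hunk.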
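--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -20,12 +20,13 @@
 /* This header is used to share core functionality between the
 standalone connection tracking module, and the compatibility layer's use
 of connection tracking. */
-extern unsigned int nf_conntrack_in(int pf,
+extern unsigned int nf_conntrack_in(struct net *net,
+u_int8_t pf,
 unsigned int hooknum,
 struct sk_buff *skb);
 
-extern int nf_conntrack_init(void);
-extern void nf_conntrack_cleanup(void);
+extern int nf_conntrack_init(struct net *net);
+extern void nf_conntrack_cleanup(struct net *net);
 
 extern int nf_conntrack_proto_init(void);
 extern void nf_conntrack_proto_fini(void);
@@ -48,7 +49,7 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
 
 /* Find a connection corresponding to a tuple. */
 extern struct nf_conntrack_tuple_hash *
-nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple);
+nf_conntrack_find_get(struct net *net, const struct nf_conntrack_tuple *tuple);
 
 extern int __nf_conntrack_confirm(struct sk_buff *skb);
 
@@ -71,8 +72,6 @@ print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
 const struct nf_conntrack_l3proto *l3proto,
 const struct nf_conntrack_l4proto *proto);
 
-extern struct hlist_head *nf_conntrack_hash;
 extern spinlock_t nf_conntrack_lock ;
-extern struct hlist_head unconfirmed;
 
 #endif /* _NF_CONNTRACK_CORE_H */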
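Review bot: `extern spinlock_t nf_conntrack_lock ;` at line 75 stays a single global while the lists it used to sit next to, `nf_conntrack_hash` and `unconfirmed` (removed at lines 74 and 76), have moved into the per-namespace netns_ct; if one lock is meant to serialise the tables of every namespace, say so on the declaration, e.g. `/* global: guards the hash and unconfirmed lists of all net namespaces */`, since a reader will otherwise go looking for a per-net lock. While touching that line the stray space before the semicolon could go.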
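--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -8,6 +8,7 @@
 
 #include <linux/notifier.h>
 #include <linux/interrupt.h>
+#include <net/net_namespace.h>
 #include <net/netfilter/nf_conntrack_expect.h>
 
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
@@ -15,9 +16,6 @@ struct nf_conntrack_ecache {
 struct nf_conn *ct;
 unsigned int events;
 };
-DECLARE_PER_CPU(struct nf_conntrack_ecache, nf_conntrack_ecache);
-
-#define CONNTRACK_ECACHE(x) (__get_cpu_var(nf_conntrack_ecache).x)
 
 extern struct atomic_notifier_head nf_conntrack_chain;
 extern int nf_conntrack_register_notifier(struct notifier_block *nb);
@@ -25,17 +23,16 @@ extern int nf_conntrack_unregister_notifier(struct notifier_block *nb);
 
 extern void nf_ct_deliver_cached_events(const struct nf_conn *ct);
 extern void __nf_ct_event_cache_init(struct nf_conn *ct);
-extern void nf_ct_event_cache_flush(void);
+extern void nf_ct_event_cache_flush(struct net *net);
 
 static inline void
-nf_conntrack_event_cache(enum ip_conntrack_events event,
-const struct sk_buff *skb)
+nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
 {
-struct nf_conn *ct = (struct nf_conn *)skb->nfct;
+struct net *net = nf_ct_net(ct);
 struct nf_conntrack_ecache *ecache;
 
 local_bh_disable();
-ecache = &__get_cpu_var(nf_conntrack_ecache);
+ecache = per_cpu_ptr(net->ct.ecache, raw_smp_processor_id());
 if (ct != ecache->ct)
 __nf_ct_event_cache_init(ct);
 ecache->events |= event;
@@ -60,6 +57,9 @@ nf_ct_expect_event(enum ip_conntrack_expect_events event,
 atomic_notifier_call_chain(&nf_ct_expect_chain, event, exp);
 }
 
+extern int nf_conntrack_ecache_init(struct net *net);
+extern void nf_conntrack_ecache_fini(struct net *net);
+
 #else /* CONFIG_NF_CONNTRACK_EVENTS */
 
 static inline void nf_conntrack_event_cache(enum ip_conntrack_events event,
@@ -69,7 +69,15 @@ static inline void nf_conntrack_event(enum ip_conntrack_events event,
 static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct) {}
 static inline void nf_ct_expect_event(enum ip_conntrack_expect_events event,
 struct nf_conntrack_expect *exp) {}
-static inline void nf_ct_event_cache_flush(void) {}
+static inline void nf_ct_event_cache_flush(struct net *net) {}
+
+static inline int nf_conntrack_ecache_init(struct net *net)
+{
+return 0;
+
+static inline void nf_conntrack_ecache_fini(struct net *net)
+{
+}
 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
 
 #endif /*_NF_CONNTRACK_ECACHE_H*/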
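Review bot: The !CONFIG_NF_CONNTRACK_EVENTS stub `nf_conntrack_ecache_init` at lines 74–76 is never closed: line 77 is empty where its `}` should be, so nf_conntrack_ecache_fini at line 78 ends up nested inside it and a build without conntrack events cannot compile (this is what the page renders; worth confirming against the raw patch). The fix is the single line `}` after `return 0;`. The matching stub for nf_conntrack_event_cache at line 65 continues outside the hunk; its parameter list should be checked against the new `struct nf_conn *ct` signature at line 29.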
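--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -6,7 +6,6 @@
 #define _NF_CONNTRACK_EXPECT_H
 #include <net/netfilter/nf_conntrack.h>
 
-extern struct hlist_head *nf_ct_expect_hash;
 extern unsigned int nf_ct_expect_hsize;
 extern unsigned int nf_ct_expect_max;
 
@@ -56,6 +55,15 @@ struct nf_conntrack_expect
 struct rcu_head rcu;
 };
 
+static inline struct net *nf_ct_exp_net(struct nf_conntrack_expect *exp)
+{
+#ifdef CONFIG_NET_NS
+return exp->master->ct_net; /* by definition */
+#else
+return &init_net;
+#endif
+}
+
 struct nf_conntrack_expect_policy
 {
 unsigned int max_expected;
@@ -67,17 +75,17 @@ struct nf_conntrack_expect_policy
 #define NF_CT_EXPECT_PERMANENT 0x1
 #define NF_CT_EXPECT_INACTIVE 0x2
 
-int nf_conntrack_expect_init(void);
-void nf_conntrack_expect_fini(void);
+int nf_conntrack_expect_init(struct net *net);
+void nf_conntrack_expect_fini(struct net *net);
 
 struct nf_conntrack_expect *
-__nf_ct_expect_find(const struct nf_conntrack_tuple *tuple);
+__nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple);
 
 struct nf_conntrack_expect *
-nf_ct_expect_find_get(const struct nf_conntrack_tuple *tuple);
+nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple);
 
 struct nf_conntrack_expect *
-nf_ct_find_expectation(const struct nf_conntrack_tuple *tuple);
+nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple);
 
 void nf_ct_unlink_expect(struct nf_conntrack_expect *exp);
 void nf_ct_remove_expectations(struct nf_conn *ct);
@@ -86,7 +94,7 @@ void nf_ct_unexpect_related(struct nf_conntrack_expect *exp);
 /* Allocate space for an expectation: this is mandatory before calling
 nf_ct_expect_related. You will have to call put afterwards. */
 struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me);
-void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, int,
+void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, u_int8_t,
 const union nf_inet_addr *,
 const union nf_inet_addr *,
 u_int8_t, const __be16 *, const __be16 *);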
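Review bot: nf_ct_exp_net at lines 58–65 dereferences `exp->master` unconditionally and the only justification is the terse `/* by definition */` at line 61; spell the invariant out so it can be checked by a reader: `/* every expectation has a master conntrack, so it lives in the master's namespace */`. The helper only reads through exp and could take `const struct nf_conntrack_expect *exp`, matching the const parameters elsewhere in this header.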
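--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -39,7 +39,7 @@ struct nf_conntrack_l4proto
 const struct sk_buff *skb,
 unsigned int dataoff,
 enum ip_conntrack_info ctinfo,
-int pf,
+u_int8_t pf,
 unsigned int hooknum);
 
 /* Called when a new connection for this protocol found;
@@ -50,9 +50,9 @@ struct nf_conntrack_l4proto
 /* Called when a conntrack entry is destroyed */
 void (*destroy)(struct nf_conn *ct);
 
-int (*error)(struct sk_buff *skb, unsigned int dataoff,
+int (*error)(struct net *net, struct sk_buff *skb, unsigned int dataoff,
 enum ip_conntrack_info *ctinfo,
-int pf, unsigned int hooknum);
+u_int8_t pf, unsigned int hooknum);
 
 /* Print out the per-protocol part of the tuple. Return like seq_* */
 int (*print_tuple)(struct seq_file *s,
@@ -117,20 +117,19 @@ extern int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[],
 struct nf_conntrack_tuple *t);
 extern const struct nla_policy nf_ct_port_nla_policy[];
 
-/* Log invalid packets */
-extern unsigned int nf_ct_log_invalid;
-
 #ifdef CONFIG_SYSCTL
 #ifdef DEBUG_INVALID_PACKETS
-#define LOG_INVALID(proto) \
-(nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW)
+#define LOG_INVALID(net, proto) \
+((net)->ct.sysctl_log_invalid == (proto) || \
+(net)->ct.sysctl_log_invalid == IPPROTO_RAW)
 #else
-#define LOG_INVALID(proto) \
-((nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW) \
+#define LOG_INVALID(net, proto) \
+(((net)->ct.sysctl_log_invalid == (proto) || \
+(net)->ct.sysctl_log_invalid == IPPROTO_RAW) \
 && net_ratelimit())
 #endif
 #else
-#define LOG_INVALID(proto) 0
+#define LOG_INVALID(net, proto) 0
 #endif /* CONFIG_SYSCTL */
 
 #endif /*_NF_CONNTRACK_PROTOCOL_H*/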
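Review bot: LOG_INVALID(net, proto) at lines 122–129 expands its `net` argument twice in both CONFIG_SYSCTL variants, so a caller passing an expression with side effects would evaluate it twice; existing call sites presumably pass a local, but the macro should say so: `/* net and proto are evaluated more than once; pass plain variables */`. The `error` callback at line 53 gained a `struct net *` parameter while the callback ending at line 43 (its name lies outside the hunk) did not; a comment on why only the error path needs the namespace would help implementers of nf_conntrack_l4proto.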
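--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -28,7 +28,7 @@ struct nf_loginfo {
 } u;
 };
 
-typedef void nf_logfn(unsigned int pf,
+typedef void nf_logfn(u_int8_t pf,
 unsigned int hooknum,
 const struct sk_buff *skb,
 const struct net_device *in,
@@ -43,12 +43,12 @@ struct nf_logger {
 };
 
 /* Function to register/unregister log function. */
-int nf_log_register(int pf, const struct nf_logger *logger);
+int nf_log_register(u_int8_t pf, const struct nf_logger *logger);
 void nf_log_unregister(const struct nf_logger *logger);
-void nf_log_unregister_pf(int pf);
+void nf_log_unregister_pf(u_int8_t pf);
 
 /* Calls the registered backend logging function */
-void nf_log_packet(int pf,
+void nf_log_packet(u_int8_t pf,
 unsigned int hooknum,
 const struct sk_buff *skb,
 const struct net_device *in,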
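Review bot: Narrowing `pf` from int to u_int8_t in nf_log_register, nf_log_unregister_pf and nf_log_packet (lines 46, 48, 51) means an out-of-range caller value is now truncated silently rather than arriving as a negative or oversized int, so the implementations behind these prototypes still need an explicit `pf >= NFPROTO_NUMPROTO` rejection before indexing any per-family table; the header change does not provide that by itself. The same applies to nf_register_queue_handler and nf_unregister_queue_handler in nf_queue.h. A note on the prototypes, `/* pf is an NFPROTO_* value; callees validate it against NFPROTO_NUMPROTO */`, would make the contract explicit.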
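--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -8,7 +8,7 @@ struct nf_queue_entry {
 unsigned int id;
 
 struct nf_hook_ops *elem;
-int pf;
+u_int8_t pf;
 unsigned int hook;
 struct net_device *indev;
 struct net_device *outdev;
@@ -24,9 +24,9 @@ struct nf_queue_handler {
 char *name;
 };
 
-extern int nf_register_queue_handler(int pf,
+extern int nf_register_queue_handler(u_int8_t pf,
 const struct nf_queue_handler *qh);
-extern int nf_unregister_queue_handler(int pf,
+extern int nf_unregister_queue_handler(u_int8_t pf,
 const struct nf_queue_handler *qh);
 extern void nf_unregister_queue_handlers(const struct nf_queue_handler *qh);
 extern void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict);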
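--- /dev/null
+++ b/include/net/netfilter/nf_tproxy_core.h
@@ -0,0 +1,32 @@
+#ifndef _NF_TPROXY_CORE_H
+#define _NF_TPROXY_CORE_H
+
+#include <linux/types.h>
+#include <linux/in.h>
+#include <linux/skbuff.h>
+#include <net/sock.h>
+#include <net/inet_sock.h>
+#include <net/tcp.h>
+
+/* look up and get a reference to a matching socket */
+extern struct sock *
+nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
+const __be32 saddr, const __be32 daddr,
+const __be16 sport, const __be16 dport,
+const struct net_device *in, bool listening);
+
+static inline void
+nf_tproxy_put_sock(struct sock *sk)
+{
+/* TIME_WAIT inet sockets have to be handled differently */
+if ((sk->sk_protocol == IPPROTO_TCP) && (sk->sk_state == TCP_TIME_WAIT))
+inet_twsk_put(inet_twsk(sk));
+else
+sock_put(sk);
+}
+
+/* assign a socket to the skb -- consumes sk */
+int
+nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk);
+
+#endif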
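Review bot: nf_tproxy_put_sock at lines 18–26 dereferences `sk` without a NULL check, and nothing in the header says that the pointer must be one returned non-NULL by nf_tproxy_get_sock_v4, so a caller that "puts" a failed lookup crashes. Pair the two in the comments: extend line 11 with `returns NULL if no socket matches; release the reference with nf_tproxy_put_sock()` and add on line 21 `/* sk must be non-NULL and hold a reference taken by nf_tproxy_get_sock_v4() */`. On style, the `const` on the by-value `protocol`, `saddr`, `daddr`, `sport` and `dport` parameters at lines 13–15 has no effect in a prototype, and nf_tproxy_assign_sock at lines 29–30 lacks the `extern` its sibling at line 12 uses.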
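--- /dev/null
+++ b/include/net/netns/conntrack.h
@@ -0,0 +1,30 @@
+#ifndef __NETNS_CONNTRACK_H
+#define __NETNS_CONNTRACK_H
+
+#include <linux/list.h>
+#include <asm/atomic.h>
+
+struct ctl_table_header;
+struct nf_conntrack_ecache;
+
+struct netns_ct {
+atomic_t count;
+unsigned int expect_count;
+struct hlist_head *hash;
+struct hlist_head *expect_hash;
+struct hlist_head unconfirmed;
+struct ip_conntrack_stat *stat;
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+struct nf_conntrack_ecache *ecache;
+#endif
+int sysctl_acct;
+int sysctl_checksum;
+unsigned int sysctl_log_invalid; /* Log invalid packets */
+#ifdef CONFIG_SYSCTL
+struct ctl_table_header *sysctl_header;
+struct ctl_table_header *acct_sysctl_header;
+#endif
+int hash_vmalloc;
+int expect_vmalloc;
+};
+#endif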
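Review bot: `struct ip_conntrack_stat *stat;` at line 16 uses a tag this header never forward-declares, unlike `struct ctl_table_header` and `struct nf_conntrack_ecache` at lines 7–8; the pointer still compiles because the tag lands in file scope, but for consistency add `struct ip_conntrack_stat;` next to the other two. Apart from `sysctl_log_invalid`, no member of netns_ct is documented; short comments would help, in particular on `hash_vmalloc`/`expect_vmalloc` (lines 27–28), which appear to record how each table was allocated so the matching free routine can be chosen — if that is their meaning, say so — and on what `expect_count` counts.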
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index a6ed83853dcc..ece1c926b5d1 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h | |||
@@ -38,6 +38,9 @@ struct netns_ipv4 { | |||
38 | struct xt_table *iptable_raw; | 38 | struct xt_table *iptable_raw; |
39 | struct xt_table *arptable_filter; | 39 | struct xt_table *arptable_filter; |
40 | struct xt_table *iptable_security; | 40 | struct xt_table *iptable_security; |
41 | struct xt_table *nat_table; | ||
42 | struct hlist_head *nat_bysource; | ||
43 | int nat_vmalloced; | ||
41 | #endif | 44 | #endif |
42 | 45 | ||
43 | int sysctl_icmp_echo_ignore_all; | 46 | int sysctl_icmp_echo_ignore_all; |