aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
Diffstat (limited to 'include')
-rw-r--r--include/linux/netfilter.h97
-rw-r--r--include/linux/netfilter/Kbuild1
-rw-r--r--include/linux/netfilter/nf_conntrack_proto_gre.h2
-rw-r--r--include/linux/netfilter/x_tables.h161
-rw-r--r--include/linux/netfilter/xt_TPROXY.h14
-rw-r--r--include/linux/netfilter/xt_recent.h26
-rw-r--r--include/linux/netfilter_bridge/ebtables.h76
-rw-r--r--include/linux/netfilter_ipv4/ipt_recent.h28
-rw-r--r--include/net/net_namespace.h6
-rw-r--r--include/net/netfilter/ipv4/nf_defrag_ipv4.h6
-rw-r--r--include/net/netfilter/nf_conntrack.h34
-rw-r--r--include/net/netfilter/nf_conntrack_acct.h10
-rw-r--r--include/net/netfilter/nf_conntrack_core.h11
-rw-r--r--include/net/netfilter/nf_conntrack_ecache.h26
-rw-r--r--include/net/netfilter/nf_conntrack_expect.h22
-rw-r--r--include/net/netfilter/nf_conntrack_l4proto.h21
-rw-r--r--include/net/netfilter/nf_log.h8
-rw-r--r--include/net/netfilter/nf_queue.h6
-rw-r--r--include/net/netfilter/nf_tproxy_core.h32
-rw-r--r--include/net/netns/conntrack.h30
-rw-r--r--include/net/netns/ipv4.h3
21 files changed, 398 insertions, 222 deletions
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 0c5eb7ed8b3f..48cfe51bfddc 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -5,13 +5,11 @@
5#include <linux/init.h> 5#include <linux/init.h>
6#include <linux/skbuff.h> 6#include <linux/skbuff.h>
7#include <linux/net.h> 7#include <linux/net.h>
8#include <linux/netdevice.h>
9#include <linux/if.h> 8#include <linux/if.h>
10#include <linux/in.h> 9#include <linux/in.h>
11#include <linux/in6.h> 10#include <linux/in6.h>
12#include <linux/wait.h> 11#include <linux/wait.h>
13#include <linux/list.h> 12#include <linux/list.h>
14#include <net/net_namespace.h>
15#endif 13#endif
16#include <linux/types.h> 14#include <linux/types.h>
17#include <linux/compiler.h> 15#include <linux/compiler.h>
@@ -52,6 +50,16 @@ enum nf_inet_hooks {
52 NF_INET_NUMHOOKS 50 NF_INET_NUMHOOKS
53}; 51};
54 52
53enum {
54 NFPROTO_UNSPEC = 0,
55 NFPROTO_IPV4 = 2,
56 NFPROTO_ARP = 3,
57 NFPROTO_BRIDGE = 7,
58 NFPROTO_IPV6 = 10,
59 NFPROTO_DECNET = 12,
60 NFPROTO_NUMPROTO,
61};
62
55union nf_inet_addr { 63union nf_inet_addr {
56 __u32 all[4]; 64 __u32 all[4];
57 __be32 ip; 65 __be32 ip;
@@ -92,8 +100,8 @@ struct nf_hook_ops
92 /* User fills in from here down. */ 100 /* User fills in from here down. */
93 nf_hookfn *hook; 101 nf_hookfn *hook;
94 struct module *owner; 102 struct module *owner;
95 int pf; 103 u_int8_t pf;
96 int hooknum; 104 unsigned int hooknum;
97 /* Hooks are ordered in ascending priority. */ 105 /* Hooks are ordered in ascending priority. */
98 int priority; 106 int priority;
99}; 107};
@@ -102,7 +110,7 @@ struct nf_sockopt_ops
102{ 110{
103 struct list_head list; 111 struct list_head list;
104 112
105 int pf; 113 u_int8_t pf;
106 114
107 /* Non-inclusive ranges: use 0/0/NULL to never get called. */ 115 /* Non-inclusive ranges: use 0/0/NULL to never get called. */
108 int set_optmin; 116 int set_optmin;
@@ -138,9 +146,9 @@ extern struct ctl_path nf_net_netfilter_sysctl_path[];
138extern struct ctl_path nf_net_ipv4_netfilter_sysctl_path[]; 146extern struct ctl_path nf_net_ipv4_netfilter_sysctl_path[];
139#endif /* CONFIG_SYSCTL */ 147#endif /* CONFIG_SYSCTL */
140 148
141extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS]; 149extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
142 150
143int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb, 151int nf_hook_slow(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
144 struct net_device *indev, struct net_device *outdev, 152 struct net_device *indev, struct net_device *outdev,
145 int (*okfn)(struct sk_buff *), int thresh); 153 int (*okfn)(struct sk_buff *), int thresh);
146 154
@@ -151,7 +159,7 @@ int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
151 * okfn must be invoked by the caller in this case. Any other return 159 * okfn must be invoked by the caller in this case. Any other return
152 * value indicates the packet has been consumed by the hook. 160 * value indicates the packet has been consumed by the hook.
153 */ 161 */
154static inline int nf_hook_thresh(int pf, unsigned int hook, 162static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
155 struct sk_buff *skb, 163 struct sk_buff *skb,
156 struct net_device *indev, 164 struct net_device *indev,
157 struct net_device *outdev, 165 struct net_device *outdev,
@@ -167,7 +175,7 @@ static inline int nf_hook_thresh(int pf, unsigned int hook,
167 return nf_hook_slow(pf, hook, skb, indev, outdev, okfn, thresh); 175 return nf_hook_slow(pf, hook, skb, indev, outdev, okfn, thresh);
168} 176}
169 177
170static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb, 178static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
171 struct net_device *indev, struct net_device *outdev, 179 struct net_device *indev, struct net_device *outdev,
172 int (*okfn)(struct sk_buff *)) 180 int (*okfn)(struct sk_buff *))
173{ 181{
@@ -212,14 +220,14 @@ __ret;})
212 NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN) 220 NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN)
213 221
214/* Call setsockopt() */ 222/* Call setsockopt() */
215int nf_setsockopt(struct sock *sk, int pf, int optval, char __user *opt, 223int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
216 int len); 224 int len);
217int nf_getsockopt(struct sock *sk, int pf, int optval, char __user *opt, 225int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
218 int *len); 226 int *len);
219 227
220int compat_nf_setsockopt(struct sock *sk, int pf, int optval, 228int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval,
221 char __user *opt, int len); 229 char __user *opt, int len);
222int compat_nf_getsockopt(struct sock *sk, int pf, int optval, 230int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval,
223 char __user *opt, int *len); 231 char __user *opt, int *len);
224 232
225/* Call this before modifying an existing packet: ensures it is 233/* Call this before modifying an existing packet: ensures it is
@@ -247,7 +255,7 @@ struct nf_afinfo {
247 int route_key_size; 255 int route_key_size;
248}; 256};
249 257
250extern const struct nf_afinfo *nf_afinfo[NPROTO]; 258extern const struct nf_afinfo *nf_afinfo[NFPROTO_NUMPROTO];
251static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family) 259static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family)
252{ 260{
253 return rcu_dereference(nf_afinfo[family]); 261 return rcu_dereference(nf_afinfo[family]);
@@ -292,7 +300,7 @@ extern void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
292extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *); 300extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
293 301
294static inline void 302static inline void
295nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family) 303nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
296{ 304{
297#ifdef CONFIG_NF_NAT_NEEDED 305#ifdef CONFIG_NF_NAT_NEEDED
298 void (*decodefn)(struct sk_buff *, struct flowi *); 306 void (*decodefn)(struct sk_buff *, struct flowi *);
@@ -315,7 +323,7 @@ extern struct proc_dir_entry *proc_net_netfilter;
315#else /* !CONFIG_NETFILTER */ 323#else /* !CONFIG_NETFILTER */
316#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb) 324#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
317#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb) 325#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
318static inline int nf_hook_thresh(int pf, unsigned int hook, 326static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
319 struct sk_buff *skb, 327 struct sk_buff *skb,
320 struct net_device *indev, 328 struct net_device *indev,
321 struct net_device *outdev, 329 struct net_device *outdev,
@@ -324,7 +332,7 @@ static inline int nf_hook_thresh(int pf, unsigned int hook,
324{ 332{
325 return okfn(skb); 333 return okfn(skb);
326} 334}
327static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb, 335static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
328 struct net_device *indev, struct net_device *outdev, 336 struct net_device *indev, struct net_device *outdev,
329 int (*okfn)(struct sk_buff *)) 337 int (*okfn)(struct sk_buff *))
330{ 338{
@@ -332,7 +340,9 @@ static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb,
332} 340}
333struct flowi; 341struct flowi;
334static inline void 342static inline void
335nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family) {} 343nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
344{
345}
336#endif /*CONFIG_NETFILTER*/ 346#endif /*CONFIG_NETFILTER*/
337 347
338#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 348#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
@@ -343,56 +353,5 @@ extern void (*nf_ct_destroy)(struct nf_conntrack *);
343static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} 353static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
344#endif 354#endif
345 355
346static inline struct net *nf_pre_routing_net(const struct net_device *in,
347 const struct net_device *out)
348{
349#ifdef CONFIG_NET_NS
350 return in->nd_net;
351#else
352 return &init_net;
353#endif
354}
355
356static inline struct net *nf_local_in_net(const struct net_device *in,
357 const struct net_device *out)
358{
359#ifdef CONFIG_NET_NS
360 return in->nd_net;
361#else
362 return &init_net;
363#endif
364}
365
366static inline struct net *nf_forward_net(const struct net_device *in,
367 const struct net_device *out)
368{
369#ifdef CONFIG_NET_NS
370 BUG_ON(in->nd_net != out->nd_net);
371 return in->nd_net;
372#else
373 return &init_net;
374#endif
375}
376
377static inline struct net *nf_local_out_net(const struct net_device *in,
378 const struct net_device *out)
379{
380#ifdef CONFIG_NET_NS
381 return out->nd_net;
382#else
383 return &init_net;
384#endif
385}
386
387static inline struct net *nf_post_routing_net(const struct net_device *in,
388 const struct net_device *out)
389{
390#ifdef CONFIG_NET_NS
391 return out->nd_net;
392#else
393 return &init_net;
394#endif
395}
396
397#endif /*__KERNEL__*/ 356#endif /*__KERNEL__*/
398#endif /*__LINUX_NETFILTER_H*/ 357#endif /*__LINUX_NETFILTER_H*/
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 3aff513d12c8..5a8af875bce2 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -32,6 +32,7 @@ header-y += xt_owner.h
32header-y += xt_pkttype.h 32header-y += xt_pkttype.h
33header-y += xt_rateest.h 33header-y += xt_rateest.h
34header-y += xt_realm.h 34header-y += xt_realm.h
35header-y += xt_recent.h
35header-y += xt_sctp.h 36header-y += xt_sctp.h
36header-y += xt_state.h 37header-y += xt_state.h
37header-y += xt_statistic.h 38header-y += xt_statistic.h
diff --git a/include/linux/netfilter/nf_conntrack_proto_gre.h b/include/linux/netfilter/nf_conntrack_proto_gre.h
index 535e4219d2bb..2a10efda17fb 100644
--- a/include/linux/netfilter/nf_conntrack_proto_gre.h
+++ b/include/linux/netfilter/nf_conntrack_proto_gre.h
@@ -87,7 +87,7 @@ int nf_ct_gre_keymap_add(struct nf_conn *ct, enum ip_conntrack_dir dir,
87/* delete keymap entries */ 87/* delete keymap entries */
88void nf_ct_gre_keymap_destroy(struct nf_conn *ct); 88void nf_ct_gre_keymap_destroy(struct nf_conn *ct);
89 89
90extern void nf_ct_gre_keymap_flush(void); 90extern void nf_ct_gre_keymap_flush(struct net *net);
91extern void nf_nat_need_gre(void); 91extern void nf_nat_need_gre(void);
92 92
93#endif /* __KERNEL__ */ 93#endif /* __KERNEL__ */
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 2326296b6f25..be41b609c88f 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -173,6 +173,98 @@ struct xt_counters_info
173 173
174#include <linux/netdevice.h> 174#include <linux/netdevice.h>
175 175
176/**
177 * struct xt_match_param - parameters for match extensions' match functions
178 *
179 * @in: input netdevice
180 * @out: output netdevice
181 * @match: struct xt_match through which this function was invoked
182 * @matchinfo: per-match data
183 * @fragoff: packet is a fragment, this is the data offset
184 * @thoff: position of transport header relative to skb->data
185 * @hotdrop: drop packet if we had inspection problems
186 * @family: Actual NFPROTO_* through which the function is invoked
187 * (helpful when match->family == NFPROTO_UNSPEC)
188 */
189struct xt_match_param {
190 const struct net_device *in, *out;
191 const struct xt_match *match;
192 const void *matchinfo;
193 int fragoff;
194 unsigned int thoff;
195 bool *hotdrop;
196 u_int8_t family;
197};
198
199/**
200 * struct xt_mtchk_param - parameters for match extensions'
201 * checkentry functions
202 *
203 * @table: table the rule is tried to be inserted into
204 * @entryinfo: the family-specific rule data
205 * (struct ipt_ip, ip6t_ip, ebt_entry)
206 * @match: struct xt_match through which this function was invoked
207 * @matchinfo: per-match data
208 * @hook_mask: via which hooks the new rule is reachable
209 */
210struct xt_mtchk_param {
211 const char *table;
212 const void *entryinfo;
213 const struct xt_match *match;
214 void *matchinfo;
215 unsigned int hook_mask;
216 u_int8_t family;
217};
218
219/* Match destructor parameters */
220struct xt_mtdtor_param {
221 const struct xt_match *match;
222 void *matchinfo;
223 u_int8_t family;
224};
225
226/**
227 * struct xt_target_param - parameters for target extensions' target functions
228 *
229 * @hooknum: hook through which this target was invoked
230 * @target: struct xt_target through which this function was invoked
231 * @targinfo: per-target data
232 *
233 * Other fields see above.
234 */
235struct xt_target_param {
236 const struct net_device *in, *out;
237 unsigned int hooknum;
238 const struct xt_target *target;
239 const void *targinfo;
240 u_int8_t family;
241};
242
243/**
244 * struct xt_tgchk_param - parameters for target extensions'
245 * checkentry functions
246 *
247 * @entryinfo: the family-specific rule data
248 * (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
249 *
250 * Other fields see above.
251 */
252struct xt_tgchk_param {
253 const char *table;
254 void *entryinfo;
255 const struct xt_target *target;
256 void *targinfo;
257 unsigned int hook_mask;
258 u_int8_t family;
259};
260
261/* Target destructor parameters */
262struct xt_tgdtor_param {
263 const struct xt_target *target;
264 void *targinfo;
265 u_int8_t family;
266};
267
176struct xt_match 268struct xt_match
177{ 269{
178 struct list_head list; 270 struct list_head list;
@@ -185,24 +277,13 @@ struct xt_match
185 non-linear skb, using skb_header_pointer and 277 non-linear skb, using skb_header_pointer and
186 skb_ip_make_writable. */ 278 skb_ip_make_writable. */
187 bool (*match)(const struct sk_buff *skb, 279 bool (*match)(const struct sk_buff *skb,
188 const struct net_device *in, 280 const struct xt_match_param *);
189 const struct net_device *out,
190 const struct xt_match *match,
191 const void *matchinfo,
192 int offset,
193 unsigned int protoff,
194 bool *hotdrop);
195 281
196 /* Called when user tries to insert an entry of this type. */ 282 /* Called when user tries to insert an entry of this type. */
197 /* Should return true or false. */ 283 bool (*checkentry)(const struct xt_mtchk_param *);
198 bool (*checkentry)(const char *tablename,
199 const void *ip,
200 const struct xt_match *match,
201 void *matchinfo,
202 unsigned int hook_mask);
203 284
204 /* Called when entry of this type deleted. */ 285 /* Called when entry of this type deleted. */
205 void (*destroy)(const struct xt_match *match, void *matchinfo); 286 void (*destroy)(const struct xt_mtdtor_param *);
206 287
207 /* Called when userspace align differs from kernel space one */ 288 /* Called when userspace align differs from kernel space one */
208 void (*compat_from_user)(void *dst, void *src); 289 void (*compat_from_user)(void *dst, void *src);
@@ -235,24 +316,16 @@ struct xt_target
235 must now handle non-linear skbs, using skb_copy_bits and 316 must now handle non-linear skbs, using skb_copy_bits and
236 skb_ip_make_writable. */ 317 skb_ip_make_writable. */
237 unsigned int (*target)(struct sk_buff *skb, 318 unsigned int (*target)(struct sk_buff *skb,
238 const struct net_device *in, 319 const struct xt_target_param *);
239 const struct net_device *out,
240 unsigned int hooknum,
241 const struct xt_target *target,
242 const void *targinfo);
243 320
244 /* Called when user tries to insert an entry of this type: 321 /* Called when user tries to insert an entry of this type:
245 hook_mask is a bitmask of hooks from which it can be 322 hook_mask is a bitmask of hooks from which it can be
246 called. */ 323 called. */
247 /* Should return true or false. */ 324 /* Should return true or false. */
248 bool (*checkentry)(const char *tablename, 325 bool (*checkentry)(const struct xt_tgchk_param *);
249 const void *entry,
250 const struct xt_target *target,
251 void *targinfo,
252 unsigned int hook_mask);
253 326
254 /* Called when entry of this type deleted. */ 327 /* Called when entry of this type deleted. */
255 void (*destroy)(const struct xt_target *target, void *targinfo); 328 void (*destroy)(const struct xt_tgdtor_param *);
256 329
257 /* Called when userspace align differs from kernel space one */ 330 /* Called when userspace align differs from kernel space one */
258 void (*compat_from_user)(void *dst, void *src); 331 void (*compat_from_user)(void *dst, void *src);
@@ -292,7 +365,7 @@ struct xt_table
292 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 365 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
293 struct module *me; 366 struct module *me;
294 367
295 int af; /* address/protocol family */ 368 u_int8_t af; /* address/protocol family */
296}; 369};
297 370
298#include <linux/netfilter_ipv4.h> 371#include <linux/netfilter_ipv4.h>
@@ -328,12 +401,10 @@ extern void xt_unregister_match(struct xt_match *target);
328extern int xt_register_matches(struct xt_match *match, unsigned int n); 401extern int xt_register_matches(struct xt_match *match, unsigned int n);
329extern void xt_unregister_matches(struct xt_match *match, unsigned int n); 402extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
330 403
331extern int xt_check_match(const struct xt_match *match, unsigned short family, 404extern int xt_check_match(struct xt_mtchk_param *,
332 unsigned int size, const char *table, unsigned int hook, 405 unsigned int size, u_int8_t proto, bool inv_proto);
333 unsigned short proto, int inv_proto); 406extern int xt_check_target(struct xt_tgchk_param *,
334extern int xt_check_target(const struct xt_target *target, unsigned short family, 407 unsigned int size, u_int8_t proto, bool inv_proto);
335 unsigned int size, const char *table, unsigned int hook,
336 unsigned short proto, int inv_proto);
337 408
338extern struct xt_table *xt_register_table(struct net *net, 409extern struct xt_table *xt_register_table(struct net *net,
339 struct xt_table *table, 410 struct xt_table *table,
@@ -346,19 +417,19 @@ extern struct xt_table_info *xt_replace_table(struct xt_table *table,
346 struct xt_table_info *newinfo, 417 struct xt_table_info *newinfo,
347 int *error); 418 int *error);
348 419
349extern struct xt_match *xt_find_match(int af, const char *name, u8 revision); 420extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
350extern struct xt_target *xt_find_target(int af, const char *name, u8 revision); 421extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
351extern struct xt_target *xt_request_find_target(int af, const char *name, 422extern struct xt_target *xt_request_find_target(u8 af, const char *name,
352 u8 revision); 423 u8 revision);
353extern int xt_find_revision(int af, const char *name, u8 revision, int target, 424extern int xt_find_revision(u8 af, const char *name, u8 revision,
354 int *err); 425 int target, int *err);
355 426
356extern struct xt_table *xt_find_table_lock(struct net *net, int af, 427extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
357 const char *name); 428 const char *name);
358extern void xt_table_unlock(struct xt_table *t); 429extern void xt_table_unlock(struct xt_table *t);
359 430
360extern int xt_proto_init(struct net *net, int af); 431extern int xt_proto_init(struct net *net, u_int8_t af);
361extern void xt_proto_fini(struct net *net, int af); 432extern void xt_proto_fini(struct net *net, u_int8_t af);
362 433
363extern struct xt_table_info *xt_alloc_table_info(unsigned int size); 434extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
364extern void xt_free_table_info(struct xt_table_info *info); 435extern void xt_free_table_info(struct xt_table_info *info);
@@ -423,12 +494,12 @@ struct compat_xt_counters_info
423#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \ 494#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
424 & ~(__alignof__(struct compat_xt_counters)-1)) 495 & ~(__alignof__(struct compat_xt_counters)-1))
425 496
426extern void xt_compat_lock(int af); 497extern void xt_compat_lock(u_int8_t af);
427extern void xt_compat_unlock(int af); 498extern void xt_compat_unlock(u_int8_t af);
428 499
429extern int xt_compat_add_offset(int af, unsigned int offset, short delta); 500extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta);
430extern void xt_compat_flush_offsets(int af); 501extern void xt_compat_flush_offsets(u_int8_t af);
431extern short xt_compat_calc_jump(int af, unsigned int offset); 502extern short xt_compat_calc_jump(u_int8_t af, unsigned int offset);
432 503
433extern int xt_compat_match_offset(const struct xt_match *match); 504extern int xt_compat_match_offset(const struct xt_match *match);
434extern int xt_compat_match_from_user(struct xt_entry_match *m, 505extern int xt_compat_match_from_user(struct xt_entry_match *m,
diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h
new file mode 100644
index 000000000000..152e8f97132b
--- /dev/null
+++ b/include/linux/netfilter/xt_TPROXY.h
@@ -0,0 +1,14 @@
1#ifndef _XT_TPROXY_H_target
2#define _XT_TPROXY_H_target
3
4/* TPROXY target is capable of marking the packet to perform
5 * redirection. We can get rid of that whenever we get support for
6 * mutliple targets in the same rule. */
7struct xt_tproxy_target_info {
8 u_int32_t mark_mask;
9 u_int32_t mark_value;
10 __be32 laddr;
11 __be16 lport;
12};
13
14#endif /* _XT_TPROXY_H_target */
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
new file mode 100644
index 000000000000..5cfeb81c6794
--- /dev/null
+++ b/include/linux/netfilter/xt_recent.h
@@ -0,0 +1,26 @@
1#ifndef _LINUX_NETFILTER_XT_RECENT_H
2#define _LINUX_NETFILTER_XT_RECENT_H 1
3
4enum {
5 XT_RECENT_CHECK = 1 << 0,
6 XT_RECENT_SET = 1 << 1,
7 XT_RECENT_UPDATE = 1 << 2,
8 XT_RECENT_REMOVE = 1 << 3,
9 XT_RECENT_TTL = 1 << 4,
10
11 XT_RECENT_SOURCE = 0,
12 XT_RECENT_DEST = 1,
13
14 XT_RECENT_NAME_LEN = 200,
15};
16
17struct xt_recent_mtinfo {
18 u_int32_t seconds;
19 u_int32_t hit_count;
20 u_int8_t check_set;
21 u_int8_t invert;
22 char name[XT_RECENT_NAME_LEN];
23 u_int8_t side;
24};
25
26#endif /* _LINUX_NETFILTER_XT_RECENT_H */
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index 892f5b7771c7..d45e29cd1cfb 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -31,6 +31,9 @@
31 * The 4 lsb are more than enough to store the verdict. */ 31 * The 4 lsb are more than enough to store the verdict. */
32#define EBT_VERDICT_BITS 0x0000000F 32#define EBT_VERDICT_BITS 0x0000000F
33 33
34struct xt_match;
35struct xt_target;
36
34struct ebt_counter 37struct ebt_counter
35{ 38{
36 uint64_t pcnt; 39 uint64_t pcnt;
@@ -121,7 +124,7 @@ struct ebt_entry_match
121{ 124{
122 union { 125 union {
123 char name[EBT_FUNCTION_MAXNAMELEN]; 126 char name[EBT_FUNCTION_MAXNAMELEN];
124 struct ebt_match *match; 127 struct xt_match *match;
125 } u; 128 } u;
126 /* size of data */ 129 /* size of data */
127 unsigned int match_size; 130 unsigned int match_size;
@@ -132,7 +135,7 @@ struct ebt_entry_watcher
132{ 135{
133 union { 136 union {
134 char name[EBT_FUNCTION_MAXNAMELEN]; 137 char name[EBT_FUNCTION_MAXNAMELEN];
135 struct ebt_watcher *watcher; 138 struct xt_target *watcher;
136 } u; 139 } u;
137 /* size of data */ 140 /* size of data */
138 unsigned int watcher_size; 141 unsigned int watcher_size;
@@ -143,7 +146,7 @@ struct ebt_entry_target
143{ 146{
144 union { 147 union {
145 char name[EBT_FUNCTION_MAXNAMELEN]; 148 char name[EBT_FUNCTION_MAXNAMELEN];
146 struct ebt_target *target; 149 struct xt_target *target;
147 } u; 150 } u;
148 /* size of data */ 151 /* size of data */
149 unsigned int target_size; 152 unsigned int target_size;
@@ -207,14 +210,17 @@ struct ebt_match
207{ 210{
208 struct list_head list; 211 struct list_head list;
209 const char name[EBT_FUNCTION_MAXNAMELEN]; 212 const char name[EBT_FUNCTION_MAXNAMELEN];
210 /* 0 == it matches */ 213 bool (*match)(const struct sk_buff *skb, const struct net_device *in,
211 int (*match)(const struct sk_buff *skb, const struct net_device *in, 214 const struct net_device *out, const struct xt_match *match,
212 const struct net_device *out, const void *matchdata, 215 const void *matchinfo, int offset, unsigned int protoff,
213 unsigned int datalen); 216 bool *hotdrop);
214 /* 0 == let it in */ 217 bool (*checkentry)(const char *table, const void *entry,
215 int (*check)(const char *tablename, unsigned int hookmask, 218 const struct xt_match *match, void *matchinfo,
216 const struct ebt_entry *e, void *matchdata, unsigned int datalen); 219 unsigned int hook_mask);
217 void (*destroy)(void *matchdata, unsigned int datalen); 220 void (*destroy)(const struct xt_match *match, void *matchinfo);
221 unsigned int matchsize;
222 u_int8_t revision;
223 u_int8_t family;
218 struct module *me; 224 struct module *me;
219}; 225};
220 226
@@ -222,13 +228,17 @@ struct ebt_watcher
222{ 228{
223 struct list_head list; 229 struct list_head list;
224 const char name[EBT_FUNCTION_MAXNAMELEN]; 230 const char name[EBT_FUNCTION_MAXNAMELEN];
225 void (*watcher)(const struct sk_buff *skb, unsigned int hooknr, 231 unsigned int (*target)(struct sk_buff *skb,
226 const struct net_device *in, const struct net_device *out, 232 const struct net_device *in, const struct net_device *out,
227 const void *watcherdata, unsigned int datalen); 233 unsigned int hook_num, const struct xt_target *target,
228 /* 0 == let it in */ 234 const void *targinfo);
229 int (*check)(const char *tablename, unsigned int hookmask, 235 bool (*checkentry)(const char *table, const void *entry,
230 const struct ebt_entry *e, void *watcherdata, unsigned int datalen); 236 const struct xt_target *target, void *targinfo,
231 void (*destroy)(void *watcherdata, unsigned int datalen); 237 unsigned int hook_mask);
238 void (*destroy)(const struct xt_target *target, void *targinfo);
239 unsigned int targetsize;
240 u_int8_t revision;
241 u_int8_t family;
232 struct module *me; 242 struct module *me;
233}; 243};
234 244
@@ -236,14 +246,18 @@ struct ebt_target
236{ 246{
237 struct list_head list; 247 struct list_head list;
238 const char name[EBT_FUNCTION_MAXNAMELEN]; 248 const char name[EBT_FUNCTION_MAXNAMELEN];
239 /* returns one of the standard verdicts */ 249 /* returns one of the standard EBT_* verdicts */
240 int (*target)(struct sk_buff *skb, unsigned int hooknr, 250 unsigned int (*target)(struct sk_buff *skb,
241 const struct net_device *in, const struct net_device *out, 251 const struct net_device *in, const struct net_device *out,
242 const void *targetdata, unsigned int datalen); 252 unsigned int hook_num, const struct xt_target *target,
243 /* 0 == let it in */ 253 const void *targinfo);
244 int (*check)(const char *tablename, unsigned int hookmask, 254 bool (*checkentry)(const char *table, const void *entry,
245 const struct ebt_entry *e, void *targetdata, unsigned int datalen); 255 const struct xt_target *target, void *targinfo,
246 void (*destroy)(void *targetdata, unsigned int datalen); 256 unsigned int hook_mask);
257 void (*destroy)(const struct xt_target *target, void *targinfo);
258 unsigned int targetsize;
259 u_int8_t revision;
260 u_int8_t family;
247 struct module *me; 261 struct module *me;
248}; 262};
249 263
@@ -288,12 +302,6 @@ struct ebt_table
288 ~(__alignof__(struct ebt_replace)-1)) 302 ~(__alignof__(struct ebt_replace)-1))
289extern int ebt_register_table(struct ebt_table *table); 303extern int ebt_register_table(struct ebt_table *table);
290extern void ebt_unregister_table(struct ebt_table *table); 304extern void ebt_unregister_table(struct ebt_table *table);
291extern int ebt_register_match(struct ebt_match *match);
292extern void ebt_unregister_match(struct ebt_match *match);
293extern int ebt_register_watcher(struct ebt_watcher *watcher);
294extern void ebt_unregister_watcher(struct ebt_watcher *watcher);
295extern int ebt_register_target(struct ebt_target *target);
296extern void ebt_unregister_target(struct ebt_target *target);
297extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb, 305extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
298 const struct net_device *in, const struct net_device *out, 306 const struct net_device *in, const struct net_device *out,
299 struct ebt_table *table); 307 struct ebt_table *table);
@@ -302,9 +310,9 @@ extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
302#define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg)) 310#define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg))
303/* True if the hook mask denotes that the rule is in a base chain, 311/* True if the hook mask denotes that the rule is in a base chain,
304 * used in the check() functions */ 312 * used in the check() functions */
305#define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS)) 313#define BASE_CHAIN (par->hook_mask & (1 << NF_BR_NUMHOOKS))
306/* Clear the bit in the hook mask that tells if the rule is on a base chain */ 314/* Clear the bit in the hook mask that tells if the rule is on a base chain */
307#define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS)) 315#define CLEAR_BASE_CHAIN_BIT (par->hook_mask &= ~(1 << NF_BR_NUMHOOKS))
308/* True if the target is not a standard target */ 316/* True if the target is not a standard target */
309#define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0) 317#define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
310 318
diff --git a/include/linux/netfilter_ipv4/ipt_recent.h b/include/linux/netfilter_ipv4/ipt_recent.h
index 6508a4592651..d636cca133c2 100644
--- a/include/linux/netfilter_ipv4/ipt_recent.h
+++ b/include/linux/netfilter_ipv4/ipt_recent.h
@@ -1,27 +1,21 @@
1#ifndef _IPT_RECENT_H 1#ifndef _IPT_RECENT_H
2#define _IPT_RECENT_H 2#define _IPT_RECENT_H
3 3
4#define RECENT_NAME "ipt_recent" 4#include <linux/netfilter/xt_recent.h>
5#define RECENT_VER "v0.3.1"
6 5
7#define IPT_RECENT_CHECK 1 6#define ipt_recent_info xt_recent_mtinfo
8#define IPT_RECENT_SET 2
9#define IPT_RECENT_UPDATE 4
10#define IPT_RECENT_REMOVE 8
11#define IPT_RECENT_TTL 16
12 7
13#define IPT_RECENT_SOURCE 0 8enum {
14#define IPT_RECENT_DEST 1 9 IPT_RECENT_CHECK = XT_RECENT_CHECK,
10 IPT_RECENT_SET = XT_RECENT_SET,
11 IPT_RECENT_UPDATE = XT_RECENT_UPDATE,
12 IPT_RECENT_REMOVE = XT_RECENT_REMOVE,
13 IPT_RECENT_TTL = XT_RECENT_TTL,
15 14
16#define IPT_RECENT_NAME_LEN 200 15 IPT_RECENT_SOURCE = XT_RECENT_SOURCE,
16 IPT_RECENT_DEST = XT_RECENT_DEST,
17 17
18struct ipt_recent_info { 18 IPT_RECENT_NAME_LEN = XT_RECENT_NAME_LEN,
19 u_int32_t seconds;
20 u_int32_t hit_count;
21 u_int8_t check_set;
22 u_int8_t invert;
23 char name[IPT_RECENT_NAME_LEN];
24 u_int8_t side;
25}; 19};
26 20
27#endif /*_IPT_RECENT_H*/ 21#endif /*_IPT_RECENT_H*/
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index a8eb43cf0c7e..708009be88b6 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -16,6 +16,9 @@
16#include <net/netns/ipv6.h> 16#include <net/netns/ipv6.h>
17#include <net/netns/dccp.h> 17#include <net/netns/dccp.h>
18#include <net/netns/x_tables.h> 18#include <net/netns/x_tables.h>
19#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
20#include <net/netns/conntrack.h>
21#endif
19 22
20struct proc_dir_entry; 23struct proc_dir_entry;
21struct net_device; 24struct net_device;
@@ -67,6 +70,9 @@ struct net {
67#endif 70#endif
68#ifdef CONFIG_NETFILTER 71#ifdef CONFIG_NETFILTER
69 struct netns_xt xt; 72 struct netns_xt xt;
73#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
74 struct netns_ct ct;
75#endif
70#endif 76#endif
71 struct net_generic *gen; 77 struct net_generic *gen;
72}; 78};
diff --git a/include/net/netfilter/ipv4/nf_defrag_ipv4.h b/include/net/netfilter/ipv4/nf_defrag_ipv4.h
new file mode 100644
index 000000000000..6b00ea38546b
--- /dev/null
+++ b/include/net/netfilter/ipv4/nf_defrag_ipv4.h
@@ -0,0 +1,6 @@
1#ifndef _NF_DEFRAG_IPV4_H
2#define _NF_DEFRAG_IPV4_H
3
4extern void nf_defrag_ipv4_enable(void);
5
6#endif /* _NF_DEFRAG_IPV4_H */
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 0741ad592da0..b76a8685b5b5 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -123,7 +123,9 @@ struct nf_conn
123 123
124 /* Extensions */ 124 /* Extensions */
125 struct nf_ct_ext *ext; 125 struct nf_ct_ext *ext;
126 126#ifdef CONFIG_NET_NS
127 struct net *ct_net;
128#endif
127 struct rcu_head rcu; 129 struct rcu_head rcu;
128}; 130};
129 131
@@ -147,6 +149,17 @@ static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct)
147/* get master conntrack via master expectation */ 149/* get master conntrack via master expectation */
148#define master_ct(conntr) (conntr->master) 150#define master_ct(conntr) (conntr->master)
149 151
152extern struct net init_net;
153
154static inline struct net *nf_ct_net(const struct nf_conn *ct)
155{
156#ifdef CONFIG_NET_NS
157 return ct->ct_net;
158#else
159 return &init_net;
160#endif
161}
162
150/* Alter reply tuple (maybe alter helper). */ 163/* Alter reply tuple (maybe alter helper). */
151extern void 164extern void
152nf_conntrack_alter_reply(struct nf_conn *ct, 165nf_conntrack_alter_reply(struct nf_conn *ct,
@@ -182,11 +195,11 @@ extern void nf_ct_free_hashtable(struct hlist_head *hash, int vmalloced,
182 unsigned int size); 195 unsigned int size);
183 196
184extern struct nf_conntrack_tuple_hash * 197extern struct nf_conntrack_tuple_hash *
185__nf_conntrack_find(const struct nf_conntrack_tuple *tuple); 198__nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple);
186 199
187extern void nf_conntrack_hash_insert(struct nf_conn *ct); 200extern void nf_conntrack_hash_insert(struct nf_conn *ct);
188 201
189extern void nf_conntrack_flush(void); 202extern void nf_conntrack_flush(struct net *net);
190 203
191extern bool nf_ct_get_tuplepr(const struct sk_buff *skb, 204extern bool nf_ct_get_tuplepr(const struct sk_buff *skb,
192 unsigned int nhoff, u_int16_t l3num, 205 unsigned int nhoff, u_int16_t l3num,
@@ -248,10 +261,11 @@ extern struct nf_conn nf_conntrack_untracked;
248 261
249/* Iterate over all conntracks: if iter returns true, it's deleted. */ 262/* Iterate over all conntracks: if iter returns true, it's deleted. */
250extern void 263extern void
251nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data); 264nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data);
252extern void nf_conntrack_free(struct nf_conn *ct); 265extern void nf_conntrack_free(struct nf_conn *ct);
253extern struct nf_conn * 266extern struct nf_conn *
254nf_conntrack_alloc(const struct nf_conntrack_tuple *orig, 267nf_conntrack_alloc(struct net *net,
268 const struct nf_conntrack_tuple *orig,
255 const struct nf_conntrack_tuple *repl, 269 const struct nf_conntrack_tuple *repl,
256 gfp_t gfp); 270 gfp_t gfp);
257 271
@@ -273,16 +287,14 @@ static inline int nf_ct_is_untracked(const struct sk_buff *skb)
273 287
274extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp); 288extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp);
275extern unsigned int nf_conntrack_htable_size; 289extern unsigned int nf_conntrack_htable_size;
276extern int nf_conntrack_checksum;
277extern atomic_t nf_conntrack_count;
278extern int nf_conntrack_max; 290extern int nf_conntrack_max;
279 291
280DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat); 292#define NF_CT_STAT_INC(net, count) \
281#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++) 293 (per_cpu_ptr((net)->ct.stat, raw_smp_processor_id())->count++)
282#define NF_CT_STAT_INC_ATOMIC(count) \ 294#define NF_CT_STAT_INC_ATOMIC(net, count) \
283do { \ 295do { \
284 local_bh_disable(); \ 296 local_bh_disable(); \
285 __get_cpu_var(nf_conntrack_stat).count++; \ 297 per_cpu_ptr((net)->ct.stat, raw_smp_processor_id())->count++; \
286 local_bh_enable(); \ 298 local_bh_enable(); \
287} while (0) 299} while (0)
288 300
diff --git a/include/net/netfilter/nf_conntrack_acct.h b/include/net/netfilter/nf_conntrack_acct.h
index 5d5ae55d54c4..03e218f0be43 100644
--- a/include/net/netfilter/nf_conntrack_acct.h
+++ b/include/net/netfilter/nf_conntrack_acct.h
@@ -8,6 +8,7 @@
8 8
9#ifndef _NF_CONNTRACK_ACCT_H 9#ifndef _NF_CONNTRACK_ACCT_H
10#define _NF_CONNTRACK_ACCT_H 10#define _NF_CONNTRACK_ACCT_H
11#include <net/net_namespace.h>
11#include <linux/netfilter/nf_conntrack_common.h> 12#include <linux/netfilter/nf_conntrack_common.h>
12#include <linux/netfilter/nf_conntrack_tuple_common.h> 13#include <linux/netfilter/nf_conntrack_tuple_common.h>
13#include <net/netfilter/nf_conntrack.h> 14#include <net/netfilter/nf_conntrack.h>
@@ -18,8 +19,6 @@ struct nf_conn_counter {
18 u_int64_t bytes; 19 u_int64_t bytes;
19}; 20};
20 21
21extern int nf_ct_acct;
22
23static inline 22static inline
24struct nf_conn_counter *nf_conn_acct_find(const struct nf_conn *ct) 23struct nf_conn_counter *nf_conn_acct_find(const struct nf_conn *ct)
25{ 24{
@@ -29,9 +28,10 @@ struct nf_conn_counter *nf_conn_acct_find(const struct nf_conn *ct)
29static inline 28static inline
30struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp) 29struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
31{ 30{
31 struct net *net = nf_ct_net(ct);
32 struct nf_conn_counter *acct; 32 struct nf_conn_counter *acct;
33 33
34 if (!nf_ct_acct) 34 if (!net->ct.sysctl_acct)
35 return NULL; 35 return NULL;
36 36
37 acct = nf_ct_ext_add(ct, NF_CT_EXT_ACCT, gfp); 37 acct = nf_ct_ext_add(ct, NF_CT_EXT_ACCT, gfp);
@@ -45,7 +45,7 @@ struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
45extern unsigned int 45extern unsigned int
46seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir); 46seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir);
47 47
48extern int nf_conntrack_acct_init(void); 48extern int nf_conntrack_acct_init(struct net *net);
49extern void nf_conntrack_acct_fini(void); 49extern void nf_conntrack_acct_fini(struct net *net);
50 50
51#endif /* _NF_CONNTRACK_ACCT_H */ 51#endif /* _NF_CONNTRACK_ACCT_H */
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index a81771210934..e78afe7f28e3 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -20,12 +20,13 @@
20/* This header is used to share core functionality between the 20/* This header is used to share core functionality between the
21 standalone connection tracking module, and the compatibility layer's use 21 standalone connection tracking module, and the compatibility layer's use
22 of connection tracking. */ 22 of connection tracking. */
23extern unsigned int nf_conntrack_in(int pf, 23extern unsigned int nf_conntrack_in(struct net *net,
24 u_int8_t pf,
24 unsigned int hooknum, 25 unsigned int hooknum,
25 struct sk_buff *skb); 26 struct sk_buff *skb);
26 27
27extern int nf_conntrack_init(void); 28extern int nf_conntrack_init(struct net *net);
28extern void nf_conntrack_cleanup(void); 29extern void nf_conntrack_cleanup(struct net *net);
29 30
30extern int nf_conntrack_proto_init(void); 31extern int nf_conntrack_proto_init(void);
31extern void nf_conntrack_proto_fini(void); 32extern void nf_conntrack_proto_fini(void);
@@ -48,7 +49,7 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
48 49
49/* Find a connection corresponding to a tuple. */ 50/* Find a connection corresponding to a tuple. */
50extern struct nf_conntrack_tuple_hash * 51extern struct nf_conntrack_tuple_hash *
51nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple); 52nf_conntrack_find_get(struct net *net, const struct nf_conntrack_tuple *tuple);
52 53
53extern int __nf_conntrack_confirm(struct sk_buff *skb); 54extern int __nf_conntrack_confirm(struct sk_buff *skb);
54 55
@@ -71,8 +72,6 @@ print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
71 const struct nf_conntrack_l3proto *l3proto, 72 const struct nf_conntrack_l3proto *l3proto,
72 const struct nf_conntrack_l4proto *proto); 73 const struct nf_conntrack_l4proto *proto);
73 74
74extern struct hlist_head *nf_conntrack_hash;
75extern spinlock_t nf_conntrack_lock ; 75extern spinlock_t nf_conntrack_lock ;
76extern struct hlist_head unconfirmed;
77 76
78#endif /* _NF_CONNTRACK_CORE_H */ 77#endif /* _NF_CONNTRACK_CORE_H */
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index f0b9078235c9..35f814c1e2ca 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -8,6 +8,7 @@
8 8
9#include <linux/notifier.h> 9#include <linux/notifier.h>
10#include <linux/interrupt.h> 10#include <linux/interrupt.h>
11#include <net/net_namespace.h>
11#include <net/netfilter/nf_conntrack_expect.h> 12#include <net/netfilter/nf_conntrack_expect.h>
12 13
13#ifdef CONFIG_NF_CONNTRACK_EVENTS 14#ifdef CONFIG_NF_CONNTRACK_EVENTS
@@ -15,9 +16,6 @@ struct nf_conntrack_ecache {
15 struct nf_conn *ct; 16 struct nf_conn *ct;
16 unsigned int events; 17 unsigned int events;
17}; 18};
18DECLARE_PER_CPU(struct nf_conntrack_ecache, nf_conntrack_ecache);
19
20#define CONNTRACK_ECACHE(x) (__get_cpu_var(nf_conntrack_ecache).x)
21 19
22extern struct atomic_notifier_head nf_conntrack_chain; 20extern struct atomic_notifier_head nf_conntrack_chain;
23extern int nf_conntrack_register_notifier(struct notifier_block *nb); 21extern int nf_conntrack_register_notifier(struct notifier_block *nb);
@@ -25,17 +23,16 @@ extern int nf_conntrack_unregister_notifier(struct notifier_block *nb);
25 23
26extern void nf_ct_deliver_cached_events(const struct nf_conn *ct); 24extern void nf_ct_deliver_cached_events(const struct nf_conn *ct);
27extern void __nf_ct_event_cache_init(struct nf_conn *ct); 25extern void __nf_ct_event_cache_init(struct nf_conn *ct);
28extern void nf_ct_event_cache_flush(void); 26extern void nf_ct_event_cache_flush(struct net *net);
29 27
30static inline void 28static inline void
31nf_conntrack_event_cache(enum ip_conntrack_events event, 29nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
32 const struct sk_buff *skb)
33{ 30{
34 struct nf_conn *ct = (struct nf_conn *)skb->nfct; 31 struct net *net = nf_ct_net(ct);
35 struct nf_conntrack_ecache *ecache; 32 struct nf_conntrack_ecache *ecache;
36 33
37 local_bh_disable(); 34 local_bh_disable();
38 ecache = &__get_cpu_var(nf_conntrack_ecache); 35 ecache = per_cpu_ptr(net->ct.ecache, raw_smp_processor_id());
39 if (ct != ecache->ct) 36 if (ct != ecache->ct)
40 __nf_ct_event_cache_init(ct); 37 __nf_ct_event_cache_init(ct);
41 ecache->events |= event; 38 ecache->events |= event;
@@ -60,6 +57,9 @@ nf_ct_expect_event(enum ip_conntrack_expect_events event,
60 atomic_notifier_call_chain(&nf_ct_expect_chain, event, exp); 57 atomic_notifier_call_chain(&nf_ct_expect_chain, event, exp);
61} 58}
62 59
60extern int nf_conntrack_ecache_init(struct net *net);
61extern void nf_conntrack_ecache_fini(struct net *net);
62
63#else /* CONFIG_NF_CONNTRACK_EVENTS */ 63#else /* CONFIG_NF_CONNTRACK_EVENTS */
64 64
65static inline void nf_conntrack_event_cache(enum ip_conntrack_events event, 65static inline void nf_conntrack_event_cache(enum ip_conntrack_events event,
@@ -69,7 +69,15 @@ static inline void nf_conntrack_event(enum ip_conntrack_events event,
69static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct) {} 69static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct) {}
70static inline void nf_ct_expect_event(enum ip_conntrack_expect_events event, 70static inline void nf_ct_expect_event(enum ip_conntrack_expect_events event,
71 struct nf_conntrack_expect *exp) {} 71 struct nf_conntrack_expect *exp) {}
72static inline void nf_ct_event_cache_flush(void) {} 72static inline void nf_ct_event_cache_flush(struct net *net) {}
73
74static inline int nf_conntrack_ecache_init(struct net *net)
75{
76 return 0;
77
78static inline void nf_conntrack_ecache_fini(struct net *net)
79{
80}
73#endif /* CONFIG_NF_CONNTRACK_EVENTS */ 81#endif /* CONFIG_NF_CONNTRACK_EVENTS */
74 82
75#endif /*_NF_CONNTRACK_ECACHE_H*/ 83#endif /*_NF_CONNTRACK_ECACHE_H*/
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index dfdf4b459475..37a7fc1164b0 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -6,7 +6,6 @@
6#define _NF_CONNTRACK_EXPECT_H 6#define _NF_CONNTRACK_EXPECT_H
7#include <net/netfilter/nf_conntrack.h> 7#include <net/netfilter/nf_conntrack.h>
8 8
9extern struct hlist_head *nf_ct_expect_hash;
10extern unsigned int nf_ct_expect_hsize; 9extern unsigned int nf_ct_expect_hsize;
11extern unsigned int nf_ct_expect_max; 10extern unsigned int nf_ct_expect_max;
12 11
@@ -56,6 +55,15 @@ struct nf_conntrack_expect
56 struct rcu_head rcu; 55 struct rcu_head rcu;
57}; 56};
58 57
58static inline struct net *nf_ct_exp_net(struct nf_conntrack_expect *exp)
59{
60#ifdef CONFIG_NET_NS
61 return exp->master->ct_net; /* by definition */
62#else
63 return &init_net;
64#endif
65}
66
59struct nf_conntrack_expect_policy 67struct nf_conntrack_expect_policy
60{ 68{
61 unsigned int max_expected; 69 unsigned int max_expected;
@@ -67,17 +75,17 @@ struct nf_conntrack_expect_policy
67#define NF_CT_EXPECT_PERMANENT 0x1 75#define NF_CT_EXPECT_PERMANENT 0x1
68#define NF_CT_EXPECT_INACTIVE 0x2 76#define NF_CT_EXPECT_INACTIVE 0x2
69 77
70int nf_conntrack_expect_init(void); 78int nf_conntrack_expect_init(struct net *net);
71void nf_conntrack_expect_fini(void); 79void nf_conntrack_expect_fini(struct net *net);
72 80
73struct nf_conntrack_expect * 81struct nf_conntrack_expect *
74__nf_ct_expect_find(const struct nf_conntrack_tuple *tuple); 82__nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple);
75 83
76struct nf_conntrack_expect * 84struct nf_conntrack_expect *
77nf_ct_expect_find_get(const struct nf_conntrack_tuple *tuple); 85nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple);
78 86
79struct nf_conntrack_expect * 87struct nf_conntrack_expect *
80nf_ct_find_expectation(const struct nf_conntrack_tuple *tuple); 88nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple);
81 89
82void nf_ct_unlink_expect(struct nf_conntrack_expect *exp); 90void nf_ct_unlink_expect(struct nf_conntrack_expect *exp);
83void nf_ct_remove_expectations(struct nf_conn *ct); 91void nf_ct_remove_expectations(struct nf_conn *ct);
@@ -86,7 +94,7 @@ void nf_ct_unexpect_related(struct nf_conntrack_expect *exp);
86/* Allocate space for an expectation: this is mandatory before calling 94/* Allocate space for an expectation: this is mandatory before calling
87 nf_ct_expect_related. You will have to call put afterwards. */ 95 nf_ct_expect_related. You will have to call put afterwards. */
88struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me); 96struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me);
89void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, int, 97void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, u_int8_t,
90 const union nf_inet_addr *, 98 const union nf_inet_addr *,
91 const union nf_inet_addr *, 99 const union nf_inet_addr *,
92 u_int8_t, const __be16 *, const __be16 *); 100 u_int8_t, const __be16 *, const __be16 *);
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index 723df9d1cc35..7f2f43c77284 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -39,7 +39,7 @@ struct nf_conntrack_l4proto
39 const struct sk_buff *skb, 39 const struct sk_buff *skb,
40 unsigned int dataoff, 40 unsigned int dataoff,
41 enum ip_conntrack_info ctinfo, 41 enum ip_conntrack_info ctinfo,
42 int pf, 42 u_int8_t pf,
43 unsigned int hooknum); 43 unsigned int hooknum);
44 44
45 /* Called when a new connection for this protocol found; 45 /* Called when a new connection for this protocol found;
@@ -50,9 +50,9 @@ struct nf_conntrack_l4proto
50 /* Called when a conntrack entry is destroyed */ 50 /* Called when a conntrack entry is destroyed */
51 void (*destroy)(struct nf_conn *ct); 51 void (*destroy)(struct nf_conn *ct);
52 52
53 int (*error)(struct sk_buff *skb, unsigned int dataoff, 53 int (*error)(struct net *net, struct sk_buff *skb, unsigned int dataoff,
54 enum ip_conntrack_info *ctinfo, 54 enum ip_conntrack_info *ctinfo,
55 int pf, unsigned int hooknum); 55 u_int8_t pf, unsigned int hooknum);
56 56
57 /* Print out the per-protocol part of the tuple. Return like seq_* */ 57 /* Print out the per-protocol part of the tuple. Return like seq_* */
58 int (*print_tuple)(struct seq_file *s, 58 int (*print_tuple)(struct seq_file *s,
@@ -117,20 +117,19 @@ extern int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[],
117 struct nf_conntrack_tuple *t); 117 struct nf_conntrack_tuple *t);
118extern const struct nla_policy nf_ct_port_nla_policy[]; 118extern const struct nla_policy nf_ct_port_nla_policy[];
119 119
120/* Log invalid packets */
121extern unsigned int nf_ct_log_invalid;
122
123#ifdef CONFIG_SYSCTL 120#ifdef CONFIG_SYSCTL
124#ifdef DEBUG_INVALID_PACKETS 121#ifdef DEBUG_INVALID_PACKETS
125#define LOG_INVALID(proto) \ 122#define LOG_INVALID(net, proto) \
126 (nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW) 123 ((net)->ct.sysctl_log_invalid == (proto) || \
124 (net)->ct.sysctl_log_invalid == IPPROTO_RAW)
127#else 125#else
128#define LOG_INVALID(proto) \ 126#define LOG_INVALID(net, proto) \
129 ((nf_ct_log_invalid == (proto) || nf_ct_log_invalid == IPPROTO_RAW) \ 127 (((net)->ct.sysctl_log_invalid == (proto) || \
128 (net)->ct.sysctl_log_invalid == IPPROTO_RAW) \
130 && net_ratelimit()) 129 && net_ratelimit())
131#endif 130#endif
132#else 131#else
133#define LOG_INVALID(proto) 0 132#define LOG_INVALID(net, proto) 0
134#endif /* CONFIG_SYSCTL */ 133#endif /* CONFIG_SYSCTL */
135 134
136#endif /*_NF_CONNTRACK_PROTOCOL_H*/ 135#endif /*_NF_CONNTRACK_PROTOCOL_H*/
diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 8c6b5ae45534..7182c06974f4 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -28,7 +28,7 @@ struct nf_loginfo {
28 } u; 28 } u;
29}; 29};
30 30
31typedef void nf_logfn(unsigned int pf, 31typedef void nf_logfn(u_int8_t pf,
32 unsigned int hooknum, 32 unsigned int hooknum,
33 const struct sk_buff *skb, 33 const struct sk_buff *skb,
34 const struct net_device *in, 34 const struct net_device *in,
@@ -43,12 +43,12 @@ struct nf_logger {
43}; 43};
44 44
45/* Function to register/unregister log function. */ 45/* Function to register/unregister log function. */
46int nf_log_register(int pf, const struct nf_logger *logger); 46int nf_log_register(u_int8_t pf, const struct nf_logger *logger);
47void nf_log_unregister(const struct nf_logger *logger); 47void nf_log_unregister(const struct nf_logger *logger);
48void nf_log_unregister_pf(int pf); 48void nf_log_unregister_pf(u_int8_t pf);
49 49
50/* Calls the registered backend logging function */ 50/* Calls the registered backend logging function */
51void nf_log_packet(int pf, 51void nf_log_packet(u_int8_t pf,
52 unsigned int hooknum, 52 unsigned int hooknum,
53 const struct sk_buff *skb, 53 const struct sk_buff *skb,
54 const struct net_device *in, 54 const struct net_device *in,
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index d030044e9235..252fd1010b77 100644
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -8,7 +8,7 @@ struct nf_queue_entry {
8 unsigned int id; 8 unsigned int id;
9 9
10 struct nf_hook_ops *elem; 10 struct nf_hook_ops *elem;
11 int pf; 11 u_int8_t pf;
12 unsigned int hook; 12 unsigned int hook;
13 struct net_device *indev; 13 struct net_device *indev;
14 struct net_device *outdev; 14 struct net_device *outdev;
@@ -24,9 +24,9 @@ struct nf_queue_handler {
24 char *name; 24 char *name;
25}; 25};
26 26
27extern int nf_register_queue_handler(int pf, 27extern int nf_register_queue_handler(u_int8_t pf,
28 const struct nf_queue_handler *qh); 28 const struct nf_queue_handler *qh);
29extern int nf_unregister_queue_handler(int pf, 29extern int nf_unregister_queue_handler(u_int8_t pf,
30 const struct nf_queue_handler *qh); 30 const struct nf_queue_handler *qh);
31extern void nf_unregister_queue_handlers(const struct nf_queue_handler *qh); 31extern void nf_unregister_queue_handlers(const struct nf_queue_handler *qh);
32extern void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict); 32extern void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict);
diff --git a/include/net/netfilter/nf_tproxy_core.h b/include/net/netfilter/nf_tproxy_core.h
new file mode 100644
index 000000000000..208b46f4d6d2
--- /dev/null
+++ b/include/net/netfilter/nf_tproxy_core.h
@@ -0,0 +1,32 @@
1#ifndef _NF_TPROXY_CORE_H
2#define _NF_TPROXY_CORE_H
3
4#include <linux/types.h>
5#include <linux/in.h>
6#include <linux/skbuff.h>
7#include <net/sock.h>
8#include <net/inet_sock.h>
9#include <net/tcp.h>
10
11/* look up and get a reference to a matching socket */
12extern struct sock *
13nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
14 const __be32 saddr, const __be32 daddr,
15 const __be16 sport, const __be16 dport,
16 const struct net_device *in, bool listening);
17
18static inline void
19nf_tproxy_put_sock(struct sock *sk)
20{
21 /* TIME_WAIT inet sockets have to be handled differently */
22 if ((sk->sk_protocol == IPPROTO_TCP) && (sk->sk_state == TCP_TIME_WAIT))
23 inet_twsk_put(inet_twsk(sk));
24 else
25 sock_put(sk);
26}
27
28/* assign a socket to the skb -- consumes sk */
29int
30nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk);
31
32#endif
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
new file mode 100644
index 000000000000..f4498a62881b
--- /dev/null
+++ b/include/net/netns/conntrack.h
@@ -0,0 +1,30 @@
1#ifndef __NETNS_CONNTRACK_H
2#define __NETNS_CONNTRACK_H
3
4#include <linux/list.h>
5#include <asm/atomic.h>
6
7struct ctl_table_header;
8struct nf_conntrack_ecache;
9
10struct netns_ct {
11 atomic_t count;
12 unsigned int expect_count;
13 struct hlist_head *hash;
14 struct hlist_head *expect_hash;
15 struct hlist_head unconfirmed;
16 struct ip_conntrack_stat *stat;
17#ifdef CONFIG_NF_CONNTRACK_EVENTS
18 struct nf_conntrack_ecache *ecache;
19#endif
20 int sysctl_acct;
21 int sysctl_checksum;
22 unsigned int sysctl_log_invalid; /* Log invalid packets */
23#ifdef CONFIG_SYSCTL
24 struct ctl_table_header *sysctl_header;
25 struct ctl_table_header *acct_sysctl_header;
26#endif
27 int hash_vmalloc;
28 int expect_vmalloc;
29};
30#endif
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index a6ed83853dcc..ece1c926b5d1 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -38,6 +38,9 @@ struct netns_ipv4 {
38 struct xt_table *iptable_raw; 38 struct xt_table *iptable_raw;
39 struct xt_table *arptable_filter; 39 struct xt_table *arptable_filter;
40 struct xt_table *iptable_security; 40 struct xt_table *iptable_security;
41 struct xt_table *nat_table;
42 struct hlist_head *nat_bysource;
43 int nat_vmalloced;
41#endif 44#endif
42 45
43 int sysctl_icmp_echo_ignore_all; 46 int sysctl_icmp_echo_ignore_all;