[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables

This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables.  In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.

o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
  wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
  are now implemented as xt_FOOBAR.c files and provide module aliases
  to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
  include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
  around the xt_FOOBAR.h headers

Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Harald Welte 2006-01-12 13:30:04 -08:00 committed by David S. Miller
parent 880b005f29
commit 2e4e6a17af
154 changed files with 3614 additions and 4148 deletions

View file

@ -154,6 +154,9 @@ struct ip_conntrack_stat
unsigned int expect_delete; unsigned int expect_delete;
}; };
/* call to create an explicit dependency on nf_conntrack. */
extern void need_conntrack(void);
#endif /* __KERNEL__ */ #endif /* __KERNEL__ */
#endif /* _NF_CONNTRACK_COMMON_H */ #endif /* _NF_CONNTRACK_COMMON_H */

View file

@ -0,0 +1,224 @@
#ifndef _X_TABLES_H
#define _X_TABLES_H
#define XT_FUNCTION_MAXNAMELEN 30
#define XT_TABLE_MAXNAMELEN 32
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct xt_get_revision
{
char name[XT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* CONTINUE verdict for targets */
#define XT_CONTINUE 0xFFFFFFFF
/* For standard target */
#define XT_RETURN (-NF_REPEAT - 1)
#define XT_ALIGN(s) (((s) + (__alignof__(void *)-1)) & ~(__alignof__(void *)-1))
/* Standard return verdict, or do jump. */
#define XT_STANDARD_TARGET ""
/* Error verdict. */
#define XT_ERROR_TARGET "ERROR"
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use a raw
* socket for this. Instead we check rights in the calls. */
#define XT_BASE_CTL 64 /* base for firewall socket options */
#define XT_SO_SET_REPLACE (XT_BASE_CTL)
#define XT_SO_SET_ADD_COUNTERS (XT_BASE_CTL + 1)
#define XT_SO_SET_MAX XT_SO_SET_ADD_COUNTERS
#define XT_SO_GET_INFO (XT_BASE_CTL)
#define XT_SO_GET_ENTRIES (XT_BASE_CTL + 1)
#define XT_SO_GET_REVISION_MATCH (XT_BASE_CTL + 2)
#define XT_SO_GET_REVISION_TARGET (XT_BASE_CTL + 3)
#define XT_SO_GET_MAX XT_SO_GET_REVISION_TARGET
#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
struct xt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
/* The argument to IPT_SO_ADD_COUNTERS. */
struct xt_counters_info
{
/* Which table. */
char name[XT_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct xt_counters counters[0];
};
#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
#ifdef __KERNEL__
#include <linux/netdevice.h>
#define ASSERT_READ_LOCK(x)
#define ASSERT_WRITE_LOCK(x)
#include <linux/netfilter_ipv4/listhelp.h>
struct xt_match
{
struct list_head list;
const char name[XT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.6.9, as this must now handle
non-linear skb, using skb_header_pointer and
skb_ip_make_writable. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop);
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const void *ip,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *matchinfo, unsigned int matchinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
/* Registration hooks for targets. */
struct xt_target
{
struct list_head list;
const char name[XT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Returns verdict. Argument order changed since 2.6.9, as this
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
unsigned int (*target)(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userdata);
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const void *entry,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
/* Furniture shopping... */
struct xt_table
{
struct list_head list;
/* A unique name... */
char name[XT_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
//struct ip6t_table_info *private;
void *private;
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
int af; /* address/protocol family */
};
#include <linux/netfilter_ipv4.h>
/* The table itself */
struct xt_table_info
{
/* Size per table */
unsigned int size;
/* Number of entries: FIXME. --RR */
unsigned int number;
/* Initial number of entries. Needed for module usage count */
unsigned int initial_entries;
/* Entry points and underflows */
unsigned int hook_entry[NF_IP_NUMHOOKS];
unsigned int underflow[NF_IP_NUMHOOKS];
/* ipt_entry tables: one per CPU */
char *entries[NR_CPUS];
};
extern int xt_register_target(int af, struct xt_target *target);
extern void xt_unregister_target(int af, struct xt_target *target);
extern int xt_register_match(int af, struct xt_match *target);
extern void xt_unregister_match(int af, struct xt_match *target);
extern int xt_register_table(struct xt_table *table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
extern void *xt_unregister_table(struct xt_table *table);
extern struct xt_table_info *xt_replace_table(struct xt_table *table,
unsigned int num_counters,
struct xt_table_info *newinfo,
int *error);
extern struct xt_match *xt_find_match(int af, const char *name, u8 revision);
extern struct xt_target *xt_find_target(int af, const char *name, u8 revision);
extern struct xt_target *xt_request_find_target(int af, const char *name,
u8 revision);
extern int xt_find_revision(int af, const char *name, u8 revision, int target,
int *err);
extern struct xt_table *xt_find_table_lock(int af, const char *name);
extern void xt_table_unlock(struct xt_table *t);
extern int xt_proto_init(int af);
extern void xt_proto_fini(int af);
extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
extern void xt_free_table_info(struct xt_table_info *info);
#endif /* __KERNEL__ */
#endif /* _X_TABLES_H */

View file

@ -0,0 +1,8 @@
#ifndef _XT_CLASSIFY_H
#define _XT_CLASSIFY_H
struct xt_classify_target_info {
u_int32_t priority;
};
#endif /*_XT_CLASSIFY_H */

View file

@ -0,0 +1,25 @@
#ifndef _XT_CONNMARK_H_target
#define _XT_CONNMARK_H_target
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
enum {
XT_CONNMARK_SET = 0,
XT_CONNMARK_SAVE,
XT_CONNMARK_RESTORE
};
struct xt_connmark_target_info {
unsigned long mark;
unsigned long mask;
u_int8_t mode;
};
#endif /*_XT_CONNMARK_H_target*/

View file

@ -0,0 +1,21 @@
#ifndef _XT_MARK_H_target
#define _XT_MARK_H_target
/* Version 0 */
struct xt_mark_target_info {
unsigned long mark;
};
/* Version 1 */
enum {
XT_MARK_SET=0,
XT_MARK_AND,
XT_MARK_OR,
};
struct xt_mark_target_info_v1 {
unsigned long mark;
u_int8_t mode;
};
#endif /*_XT_MARK_H_target */

View file

@ -0,0 +1,16 @@
/* iptables module for using NFQUEUE mechanism
*
* (C) 2005 Harald Welte <laforge@netfilter.org>
*
* This software is distributed under GNU GPL v2, 1991
*
*/
#ifndef _XT_NFQ_TARGET_H
#define _XT_NFQ_TARGET_H
/* target info */
struct xt_NFQ_info {
u_int16_t queuenum;
};
#endif /* _XT_NFQ_TARGET_H */

View file

@ -0,0 +1,10 @@
#ifndef _XT_COMMENT_H
#define _XT_COMMENT_H
#define XT_MAX_COMMENT_LEN 256
struct xt_comment_info {
unsigned char comment[XT_MAX_COMMENT_LEN];
};
#endif /* XT_COMMENT_H */

View file

@ -0,0 +1,25 @@
#ifndef _XT_CONNBYTES_H
#define _XT_CONNBYTES_H
enum xt_connbytes_what {
XT_CONNBYTES_PKTS,
XT_CONNBYTES_BYTES,
XT_CONNBYTES_AVGPKT,
};
enum xt_connbytes_direction {
XT_CONNBYTES_DIR_ORIGINAL,
XT_CONNBYTES_DIR_REPLY,
XT_CONNBYTES_DIR_BOTH,
};
struct xt_connbytes_info
{
struct {
aligned_u64 from; /* count to be matched */
aligned_u64 to; /* count to be matched */
} count;
u_int8_t what; /* ipt_connbytes_what */
u_int8_t direction; /* ipt_connbytes_direction */
};
#endif

View file

@ -0,0 +1,18 @@
#ifndef _XT_CONNMARK_H
#define _XT_CONNMARK_H
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
struct xt_connmark_info {
unsigned long mark, mask;
u_int8_t invert;
};
#endif /*_XT_CONNMARK_H*/

View file

@ -0,0 +1,63 @@
/* Header file for kernel module to match connection tracking information.
* GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
*/
#ifndef _XT_CONNTRACK_H
#define _XT_CONNTRACK_H
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <linux/in.h>
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_CONNTRACK_STATE_INVALID (1 << 0)
#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
/* flags, invflags: */
#define XT_CONNTRACK_STATE 0x01
#define XT_CONNTRACK_PROTO 0x02
#define XT_CONNTRACK_ORIGSRC 0x04
#define XT_CONNTRACK_ORIGDST 0x08
#define XT_CONNTRACK_REPLSRC 0x10
#define XT_CONNTRACK_REPLDST 0x20
#define XT_CONNTRACK_STATUS 0x40
#define XT_CONNTRACK_EXPIRES 0x80
/* This is exposed to userspace, so remains frozen in time. */
struct ip_conntrack_old_tuple
{
struct {
__u32 ip;
union {
__u16 all;
} u;
} src;
struct {
__u32 ip;
union {
__u16 all;
} u;
/* The protocol. */
u16 protonum;
} dst;
};
struct xt_conntrack_info
{
unsigned int statemask, statusmask;
struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
unsigned long expires_min, expires_max;
/* Flags word */
u_int8_t flags;
/* Inverse flags */
u_int8_t invflags;
};
#endif /*_XT_CONNTRACK_H*/

View file

@ -0,0 +1,23 @@
#ifndef _XT_DCCP_H_
#define _XT_DCCP_H_
#define XT_DCCP_SRC_PORTS 0x01
#define XT_DCCP_DEST_PORTS 0x02
#define XT_DCCP_TYPE 0x04
#define XT_DCCP_OPTION 0x08
#define XT_DCCP_VALID_FLAGS 0x0f
struct xt_dccp_info {
u_int16_t dpts[2]; /* Min, Max */
u_int16_t spts[2]; /* Min, Max */
u_int16_t flags;
u_int16_t invflags;
u_int16_t typemask;
u_int8_t option;
};
#endif /* _XT_DCCP_H_ */

View file

@ -0,0 +1,8 @@
#ifndef _XT_HELPER_H
#define _XT_HELPER_H
struct xt_helper_info {
int invert;
char name[30];
};
#endif /* _XT_HELPER_H */

View file

@ -0,0 +1,9 @@
#ifndef _XT_LENGTH_H
#define _XT_LENGTH_H
struct xt_length_info {
u_int16_t min, max;
u_int8_t invert;
};
#endif /*_XT_LENGTH_H*/

View file

@ -0,0 +1,21 @@
#ifndef _XT_RATE_H
#define _XT_RATE_H
/* timings are in milliseconds. */
#define XT_LIMIT_SCALE 10000
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
struct xt_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* Used internally by the kernel */
unsigned long prev;
u_int32_t credit;
u_int32_t credit_cap, cost;
/* Ugly, ugly fucker. */
struct xt_rateinfo *master;
};
#endif /*_XT_RATE_H*/

View file

@ -0,0 +1,8 @@
#ifndef _XT_MAC_H
#define _XT_MAC_H
struct xt_mac_info {
unsigned char srcaddr[ETH_ALEN];
int invert;
};
#endif /*_XT_MAC_H*/

View file

@ -0,0 +1,9 @@
#ifndef _XT_MARK_H
#define _XT_MARK_H
struct xt_mark_info {
unsigned long mark, mask;
u_int8_t invert;
};
#endif /*_XT_MARK_H*/

View file

@ -0,0 +1,24 @@
#ifndef _XT_PHYSDEV_H
#define _XT_PHYSDEV_H
#ifdef __KERNEL__
#include <linux/if.h>
#endif
#define XT_PHYSDEV_OP_IN 0x01
#define XT_PHYSDEV_OP_OUT 0x02
#define XT_PHYSDEV_OP_BRIDGED 0x04
#define XT_PHYSDEV_OP_ISIN 0x08
#define XT_PHYSDEV_OP_ISOUT 0x10
#define XT_PHYSDEV_OP_MASK (0x20 - 1)
struct xt_physdev_info {
char physindev[IFNAMSIZ];
char in_mask[IFNAMSIZ];
char physoutdev[IFNAMSIZ];
char out_mask[IFNAMSIZ];
u_int8_t invert;
u_int8_t bitmask;
};
#endif /*_XT_PHYSDEV_H*/

View file

@ -0,0 +1,8 @@
#ifndef _XT_PKTTYPE_H
#define _XT_PKTTYPE_H
struct xt_pkttype_info {
int pkttype;
int invert;
};
#endif /*_XT_PKTTYPE_H*/

View file

@ -0,0 +1,10 @@
#ifndef _XT_REALM_H
#define _XT_REALM_H
struct xt_realm_info {
u_int32_t id;
u_int32_t mask;
u_int8_t invert;
};
#endif /* _XT_REALM_H */

View file

@ -0,0 +1,107 @@
#ifndef _XT_SCTP_H_
#define _XT_SCTP_H_
#define XT_SCTP_SRC_PORTS 0x01
#define XT_SCTP_DEST_PORTS 0x02
#define XT_SCTP_CHUNK_TYPES 0x04
#define XT_SCTP_VALID_FLAGS 0x07
#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
struct xt_sctp_flag_info {
u_int8_t chunktype;
u_int8_t flag;
u_int8_t flag_mask;
};
#define XT_NUM_SCTP_FLAGS 4
struct xt_sctp_info {
u_int16_t dpts[2]; /* Min, Max */
u_int16_t spts[2]; /* Min, Max */
u_int32_t chunkmap[256 / sizeof (u_int32_t)]; /* Bit mask of chunks to be matched according to RFC 2960 */
#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */
#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */
#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */
u_int32_t chunk_match_type;
struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS];
int flag_count;
u_int32_t flags;
u_int32_t invflags;
};
#define bytes(type) (sizeof(type) * 8)
#define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \
chunkmap[type / bytes(u_int32_t)] |= \
1 << (type % bytes(u_int32_t)); \
} while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \
chunkmap[type / bytes(u_int32_t)] &= \
~(1 << (type % bytes(u_int32_t))); \
} while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \
(chunkmap[type / bytes (u_int32_t)] & \
(1 << (type % bytes (u_int32_t)))) ? 1: 0; \
})
#define SCTP_CHUNKMAP_RESET(chunkmap) \
do { \
int i; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
chunkmap[i] = 0; \
} while (0)
#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
do { \
int i; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
chunkmap[i] = ~0; \
} while (0)
#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
do { \
int i; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
destmap[i] = srcmap[i]; \
} while (0)
#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
({ \
int i; \
int flag = 1; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
if (chunkmap[i]) { \
flag = 0; \
break; \
} \
} \
flag; \
})
#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
({ \
int i; \
int flag = 1; \
for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
if (chunkmap[i] != ~0) { \
flag = 0; \
break; \
} \
} \
flag; \
})
#endif /* _XT_SCTP_H_ */

View file

@ -0,0 +1,13 @@
#ifndef _XT_STATE_H
#define _XT_STATE_H
#define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_STATE_INVALID (1 << 0)
#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
struct xt_state_info
{
unsigned int statemask;
};
#endif /*_XT_STATE_H*/

View file

@ -0,0 +1,18 @@
#ifndef _XT_STRING_H
#define _XT_STRING_H
#define XT_STRING_MAX_PATTERN_SIZE 128
#define XT_STRING_MAX_ALGO_NAME_SIZE 16
struct xt_string_info
{
u_int16_t from_offset;
u_int16_t to_offset;
char algo[XT_STRING_MAX_ALGO_NAME_SIZE];
char pattern[XT_STRING_MAX_PATTERN_SIZE];
u_int8_t patlen;
u_int8_t invert;
struct ts_config __attribute__((aligned(8))) *config;
};
#endif /*_XT_STRING_H*/

View file

@ -0,0 +1,9 @@
#ifndef _XT_TCPMSS_MATCH_H
#define _XT_TCPMSS_MATCH_H
struct xt_tcpmss_match_info {
u_int16_t mss_min, mss_max;
u_int8_t invert;
};
#endif /*_XT_TCPMSS_MATCH_H*/

View file

@ -0,0 +1,36 @@
#ifndef _XT_TCPUDP_H
#define _XT_TCPUDP_H
/* TCP matching stuff */
struct xt_tcp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t option; /* TCP Option iff non-zero*/
u_int8_t flg_mask; /* TCP flags mask byte */
u_int8_t flg_cmp; /* TCP flags compare byte */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "inv" field in struct ipt_tcp. */
#define XT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define XT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define XT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
#define XT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
#define XT_TCP_INV_MASK 0x0F /* All possible flags. */
/* UDP matching stuff */
struct xt_udp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "invflags" field in struct ipt_udp. */
#define XT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define XT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define XT_UDP_INV_MASK 0x03 /* All possible flags. */
#endif

View file

@ -19,8 +19,12 @@
#include <linux/compiler.h> #include <linux/compiler.h>
#include <linux/netfilter_arp.h> #include <linux/netfilter_arp.h>
#define ARPT_FUNCTION_MAXNAMELEN 30 #include <linux/netfilter/x_tables.h>
#define ARPT_TABLE_MAXNAMELEN 32
#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define arpt_target xt_target
#define arpt_table xt_table
#define ARPT_DEV_ADDR_LEN_MAX 16 #define ARPT_DEV_ADDR_LEN_MAX 16
@ -91,11 +95,6 @@ struct arpt_standard_target
int verdict; int verdict;
}; };
struct arpt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
/* Values for "flag" field in struct arpt_ip (general arp structure). /* Values for "flag" field in struct arpt_ip (general arp structure).
* No flags defined yet. * No flags defined yet.
*/ */
@ -130,7 +129,7 @@ struct arpt_entry
unsigned int comefrom; unsigned int comefrom;
/* Packet and byte counters. */ /* Packet and byte counters. */
struct arpt_counters counters; struct xt_counters counters;
/* The matches (if any), then the target. */ /* The matches (if any), then the target. */
unsigned char elems[0]; unsigned char elems[0];
@ -141,23 +140,24 @@ struct arpt_entry
* Unlike BSD Linux inherits IP options so you don't have to use a raw * Unlike BSD Linux inherits IP options so you don't have to use a raw
* socket for this. Instead we check rights in the calls. * socket for this. Instead we check rights in the calls.
*/ */
#define ARPT_BASE_CTL 96 /* base for firewall socket options */ #define ARPT_CTL_OFFSET 32
#define ARPT_BASE_CTL (XT_BASE_CTL+ARPT_CTL_OFFSET)
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) #define ARPT_SO_SET_REPLACE (XT_SO_SET_REPLACE+ARPT_CTL_OFFSET)
#define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1) #define ARPT_SO_SET_ADD_COUNTERS (XT_SO_SET_ADD_COUNTERS+ARPT_CTL_OFFSET)
#define ARPT_SO_SET_MAX ARPT_SO_SET_ADD_COUNTERS #define ARPT_SO_SET_MAX (XT_SO_SET_MAX+ARPT_CTL_OFFSET)
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL) #define ARPT_SO_GET_INFO (XT_SO_GET_INFO+ARPT_CTL_OFFSET)
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) #define ARPT_SO_GET_ENTRIES (XT_SO_GET_ENTRIES+ARPT_CTL_OFFSET)
/* #define ARPT_SO_GET_REVISION_MATCH (ARPT_BASE_CTL + 2)*/ /* #define ARPT_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH */
#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3) #define ARPT_SO_GET_REVISION_TARGET (XT_SO_GET_REVISION_TARGET+ARPT_CTL_OFFSET)
#define ARPT_SO_GET_MAX ARPT_SO_GET_REVISION_TARGET #define ARPT_SO_GET_MAX (XT_SO_GET_REVISION_TARGET+ARPT_CTL_OFFSET)
/* CONTINUE verdict for targets */ /* CONTINUE verdict for targets */
#define ARPT_CONTINUE 0xFFFFFFFF #define ARPT_CONTINUE XT_CONTINUE
/* For standard target */ /* For standard target */
#define ARPT_RETURN (-NF_REPEAT - 1) #define ARPT_RETURN XT_RETURN
/* The argument to ARPT_SO_GET_INFO */ /* The argument to ARPT_SO_GET_INFO */
struct arpt_getinfo struct arpt_getinfo
@ -208,23 +208,14 @@ struct arpt_replace
/* Number of counters (must be equal to current number of entries). */ /* Number of counters (must be equal to current number of entries). */
unsigned int num_counters; unsigned int num_counters;
/* The old entries' counters. */ /* The old entries' counters. */
struct arpt_counters __user *counters; struct xt_counters __user *counters;
/* The entries (hang off end: not really an array). */ /* The entries (hang off end: not really an array). */
struct arpt_entry entries[0]; struct arpt_entry entries[0];
}; };
/* The argument to ARPT_SO_ADD_COUNTERS. */ /* The argument to ARPT_SO_ADD_COUNTERS. */
struct arpt_counters_info #define arpt_counters_info xt_counters_info
{
/* Which table. */
char name[ARPT_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct arpt_counters counters[0];
};
/* The argument to ARPT_SO_GET_ENTRIES. */ /* The argument to ARPT_SO_GET_ENTRIES. */
struct arpt_get_entries struct arpt_get_entries
@ -239,19 +230,10 @@ struct arpt_get_entries
struct arpt_entry entrytable[0]; struct arpt_entry entrytable[0];
}; };
/* The argument to ARPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct arpt_get_revision
{
char name[ARPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* Standard return verdict, or do jump. */ /* Standard return verdict, or do jump. */
#define ARPT_STANDARD_TARGET "" #define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict. */ /* Error verdict. */
#define ARPT_ERROR_TARGET "ERROR" #define ARPT_ERROR_TARGET XT_ERROR_TARGET
/* Helper functions */ /* Helper functions */
static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e) static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e)
@ -281,63 +263,8 @@ static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e
*/ */
#ifdef __KERNEL__ #ifdef __KERNEL__
/* Registration hooks for targets. */ #define arpt_register_target(tgt) xt_register_target(NF_ARP, tgt)
struct arpt_target #define arpt_unregister_target(tgt) xt_unregister_target(NF_ARP, tgt)
{
struct list_head list;
const char name[ARPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Returns verdict. */
unsigned int (*target)(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in,
const struct net_device *out,
const void *targinfo,
void *userdata);
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct arpt_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
extern int arpt_register_target(struct arpt_target *target);
extern void arpt_unregister_target(struct arpt_target *target);
/* Furniture shopping... */
struct arpt_table
{
struct list_head list;
/* A unique name... */
char name[ARPT_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
struct arpt_table_info *private;
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
extern int arpt_register_table(struct arpt_table *table, extern int arpt_register_table(struct arpt_table *table,
const struct arpt_replace *repl); const struct arpt_replace *repl);

View file

@ -199,9 +199,6 @@ ip_conntrack_put(struct ip_conntrack *ct)
nf_conntrack_put(&ct->ct_general); nf_conntrack_put(&ct->ct_general);
} }
/* call to create an explicit dependency on ip_conntrack. */
extern void need_ip_conntrack(void);
extern int invert_tuplepr(struct ip_conntrack_tuple *inverse, extern int invert_tuplepr(struct ip_conntrack_tuple *inverse,
const struct ip_conntrack_tuple *orig); const struct ip_conntrack_tuple *orig);

View file

@ -25,8 +25,14 @@
#include <linux/compiler.h> #include <linux/compiler.h>
#include <linux/netfilter_ipv4.h> #include <linux/netfilter_ipv4.h>
#define IPT_FUNCTION_MAXNAMELEN 30 #include <linux/netfilter/x_tables.h>
#define IPT_TABLE_MAXNAMELEN 32
#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define IPT_TABLE_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ipt_match xt_match
#define ipt_target xt_target
#define ipt_table xt_table
#define ipt_get_revision xt_get_revision
/* Yes, Virginia, you have to zero the padding. */ /* Yes, Virginia, you have to zero the padding. */
struct ipt_ip { struct ipt_ip {
@ -102,10 +108,7 @@ struct ipt_standard_target
int verdict; int verdict;
}; };
struct ipt_counters #define ipt_counters xt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
/* Values for "flag" field in struct ipt_ip (general ip structure). */ /* Values for "flag" field in struct ipt_ip (general ip structure). */
#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
@ -119,7 +122,7 @@ struct ipt_counters
#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ #define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ #define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */ #define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */
#define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ #define IPT_INV_PROTO XT_INV_PROTO
#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */ #define IPT_INV_MASK 0x7F /* All possible flag bits mask. */
/* This structure defines each of the firewall rules. Consists of 3 /* This structure defines each of the firewall rules. Consists of 3
@ -141,7 +144,7 @@ struct ipt_entry
unsigned int comefrom; unsigned int comefrom;
/* Packet and byte counters. */ /* Packet and byte counters. */
struct ipt_counters counters; struct xt_counters counters;
/* The matches (if any), then the target. */ /* The matches (if any), then the target. */
unsigned char elems[0]; unsigned char elems[0];
@ -151,54 +154,34 @@ struct ipt_entry
* New IP firewall options for [gs]etsockopt at the RAW IP level. * New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use a raw * Unlike BSD Linux inherits IP options so you don't have to use a raw
* socket for this. Instead we check rights in the calls. */ * socket for this. Instead we check rights in the calls. */
#define IPT_BASE_CTL 64 /* base for firewall socket options */ #define IPT_BASE_CTL XT_BASE_CTL
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL) #define IPT_SO_SET_REPLACE XT_SO_SET_REPLACE
#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) #define IPT_SO_SET_ADD_COUNTERS XT_SO_SET_ADD_COUNTERS
#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS #define IPT_SO_SET_MAX XT_SO_SET_MAX
#define IPT_SO_GET_INFO (IPT_BASE_CTL) #define IPT_SO_GET_INFO XT_SO_GET_INFO
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) #define IPT_SO_GET_ENTRIES XT_SO_GET_ENTRIES
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2) #define IPT_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) #define IPT_SO_GET_REVISION_TARGET XT_SO_GET_REVISION_TARGET
#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET #define IPT_SO_GET_MAX XT_SO_GET_REVISION_TARGET
/* CONTINUE verdict for targets */ #define IPT_CONTINUE XT_CONTINUE
#define IPT_CONTINUE 0xFFFFFFFF #define IPT_RETURN XT_RETURN
/* For standard target */ #include <linux/netfilter/xt_tcpudp.h>
#define IPT_RETURN (-NF_REPEAT - 1) #define ipt_udp xt_udp
#define ipt_tcp xt_tcp
/* TCP matching stuff */ #define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT
struct ipt_tcp #define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT
{ #define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS
u_int16_t spts[2]; /* Source port range. */ #define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION
u_int16_t dpts[2]; /* Destination port range. */ #define IPT_TCP_INV_MASK XT_TCP_INV_MASK
u_int8_t option; /* TCP Option iff non-zero*/
u_int8_t flg_mask; /* TCP flags mask byte */
u_int8_t flg_cmp; /* TCP flags compare byte */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "inv" field in struct ipt_tcp. */ #define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT
#define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ #define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT
#define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ #define IPT_UDP_INV_MASK XT_UDP_INV_MASK
#define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */
#define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */
#define IPT_TCP_INV_MASK 0x0F /* All possible flags. */
/* UDP matching stuff */
struct ipt_udp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "invflags" field in struct ipt_udp. */
#define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */
#define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */
#define IPT_UDP_INV_MASK 0x03 /* All possible flags. */
/* ICMP matching stuff */ /* ICMP matching stuff */
struct ipt_icmp struct ipt_icmp
@ -260,23 +243,14 @@ struct ipt_replace
/* Number of counters (must be equal to current number of entries). */ /* Number of counters (must be equal to current number of entries). */
unsigned int num_counters; unsigned int num_counters;
/* The old entries' counters. */ /* The old entries' counters. */
struct ipt_counters __user *counters; struct xt_counters __user *counters;
/* The entries (hang off end: not really an array). */ /* The entries (hang off end: not really an array). */
struct ipt_entry entries[0]; struct ipt_entry entries[0];
}; };
/* The argument to IPT_SO_ADD_COUNTERS. */ /* The argument to IPT_SO_ADD_COUNTERS. */
struct ipt_counters_info #define ipt_counters_info xt_counters_info
{
/* Which table. */
char name[IPT_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct ipt_counters counters[0];
};
/* The argument to IPT_SO_GET_ENTRIES. */ /* The argument to IPT_SO_GET_ENTRIES. */
struct ipt_get_entries struct ipt_get_entries
@ -291,19 +265,10 @@ struct ipt_get_entries
struct ipt_entry entrytable[0]; struct ipt_entry entrytable[0];
}; };
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct ipt_get_revision
{
char name[IPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* Standard return verdict, or do jump. */ /* Standard return verdict, or do jump. */
#define IPT_STANDARD_TARGET "" #define IPT_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict. */ /* Error verdict. */
#define IPT_ERROR_TARGET "ERROR" #define IPT_ERROR_TARGET XT_ERROR_TARGET
/* Helper functions */ /* Helper functions */
static __inline__ struct ipt_entry_target * static __inline__ struct ipt_entry_target *
@ -356,103 +321,18 @@ ipt_get_target(struct ipt_entry *e)
#include <linux/init.h> #include <linux/init.h>
extern void ipt_init(void) __init; extern void ipt_init(void) __init;
struct ipt_match #define ipt_register_target(tgt) xt_register_target(AF_INET, tgt)
{ #define ipt_unregister_target(tgt) xt_unregister_target(AF_INET, tgt)
struct list_head list;
const char name[IPT_FUNCTION_MAXNAMELEN-1]; #define ipt_register_match(mtch) xt_register_match(AF_INET, mtch)
#define ipt_unregister_match(mtch) xt_unregister_match(AF_INET, mtch)
u_int8_t revision; //#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
//#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
/* Return true or false: return FALSE and set *hotdrop = 1 to extern int ipt_register_table(struct ipt_table *table,
force immediate packet drop. */ const struct ipt_replace *repl);
/* Arguments changed since 2.4, as this must now handle extern void ipt_unregister_table(struct ipt_table *table);
non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
int *hotdrop);
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ipt_ip *ip,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *matchinfo, unsigned int matchinfosize);
/* Set this to THIS_MODULE. */
struct module *me;
};
/* Registration hooks for targets. */
struct ipt_target
{
struct list_head list;
const char name[IPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ipt_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Returns verdict. Argument order changed since 2.4, as this
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
unsigned int (*target)(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userdata);
/* Set this to THIS_MODULE. */
struct module *me;
};
extern int ipt_register_target(struct ipt_target *target);
extern void ipt_unregister_target(struct ipt_target *target);
extern int ipt_register_match(struct ipt_match *match);
extern void ipt_unregister_match(struct ipt_match *match);
/* Furniture shopping... */
struct ipt_table
{
struct list_head list;
/* A unique name... */
char name[IPT_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
struct ipt_table_info *private;
/* Set to THIS_MODULE. */
struct module *me;
};
/* net/sched/ipt.c: Gimme access to your targets! Gets target->me. */ /* net/sched/ipt.c: Gimme access to your targets! Gets target->me. */
extern struct ipt_target *ipt_find_target(const char *name, u8 revision); extern struct ipt_target *ipt_find_target(const char *name, u8 revision);
@ -476,9 +356,6 @@ struct ipt_error
struct ipt_error_target target; struct ipt_error_target target;
}; };
extern int ipt_register_table(struct ipt_table *table,
const struct ipt_replace *repl);
extern void ipt_unregister_table(struct ipt_table *table);
extern unsigned int ipt_do_table(struct sk_buff **pskb, extern unsigned int ipt_do_table(struct sk_buff **pskb,
unsigned int hook, unsigned int hook,
const struct net_device *in, const struct net_device *in,
@ -486,6 +363,6 @@ extern unsigned int ipt_do_table(struct sk_buff **pskb,
struct ipt_table *table, struct ipt_table *table,
void *userdata); void *userdata);
#define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1)) #define IPT_ALIGN(s) XT_ALIGN(s)
#endif /*__KERNEL__*/ #endif /*__KERNEL__*/
#endif /* _IPTABLES_H */ #endif /* _IPTABLES_H */

View file

@ -1,8 +1,7 @@
#ifndef _IPT_CLASSIFY_H #ifndef _IPT_CLASSIFY_H
#define _IPT_CLASSIFY_H #define _IPT_CLASSIFY_H
struct ipt_classify_target_info { #include <linux/netfilter/xt_CLASSIFY.h>
u_int32_t priority; #define ipt_classify_target_info xt_classify_target_info
};
#endif /*_IPT_CLASSIFY_H */ #endif /*_IPT_CLASSIFY_H */

View file

@ -9,17 +9,11 @@
* the Free Software Foundation; either version 2 of the License, or * the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version. * (at your option) any later version.
*/ */
#include <linux/netfilter/xt_CONNMARK.h>
#define IPT_CONNMARK_SET XT_CONNMARK_SET
#define IPT_CONNMARK_SAVE XT_CONNMARK_SAVE
#define IPT_CONNMARK_RESTORE XT_CONNMARK_RESTORE
enum { #define ipt_connmark_target_info xt_connmark_target_info
IPT_CONNMARK_SET = 0,
IPT_CONNMARK_SAVE,
IPT_CONNMARK_RESTORE
};
struct ipt_connmark_target_info {
unsigned long mark;
unsigned long mask;
u_int8_t mode;
};
#endif /*_IPT_CONNMARK_H_target*/ #endif /*_IPT_CONNMARK_H_target*/

View file

@ -1,20 +1,18 @@
#ifndef _IPT_MARK_H_target #ifndef _IPT_MARK_H_target
#define _IPT_MARK_H_target #define _IPT_MARK_H_target
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_MARK.h>
/* Version 0 */ /* Version 0 */
struct ipt_mark_target_info { #define ipt_mark_target_info xt_mark_target_info
unsigned long mark;
};
/* Version 1 */ /* Version 1 */
enum { #define IPT_MARK_SET XT_MARK_SET
IPT_MARK_SET=0, #define IPT_MARK_AND XT_MARK_AND
IPT_MARK_AND, #define IPT_MARK_OR XT_MARK_OR
IPT_MARK_OR
}; #define ipt_mark_target_info_v1 xt_mark_target_info_v1
struct ipt_mark_target_info_v1 {
unsigned long mark;
u_int8_t mode;
};
#endif /*_IPT_MARK_H_target*/ #endif /*_IPT_MARK_H_target*/

View file

@ -8,9 +8,9 @@
#ifndef _IPT_NFQ_TARGET_H #ifndef _IPT_NFQ_TARGET_H
#define _IPT_NFQ_TARGET_H #define _IPT_NFQ_TARGET_H
/* target info */ /* Backwards compatibility for old userspace */
struct ipt_NFQ_info { #include <linux/netfilter/xt_NFQUEUE.h>
u_int16_t queuenum;
}; #define ipt_NFQ_info xt_NFQ_info
#endif /* _IPT_DSCP_TARGET_H */ #endif /* _IPT_DSCP_TARGET_H */

View file

@ -1,10 +1,10 @@
#ifndef _IPT_COMMENT_H #ifndef _IPT_COMMENT_H
#define _IPT_COMMENT_H #define _IPT_COMMENT_H
#define IPT_MAX_COMMENT_LEN 256 #include <linux/netfilter/xt_comment.h>
struct ipt_comment_info { #define IPT_MAX_COMMENT_LEN XT_MAX_COMMENT_LEN
unsigned char comment[IPT_MAX_COMMENT_LEN];
}; #define ipt_comment_info xt_comment_info
#endif /* _IPT_COMMENT_H */ #endif /* _IPT_COMMENT_H */

View file

@ -1,25 +1,18 @@
#ifndef _IPT_CONNBYTES_H #ifndef _IPT_CONNBYTES_H
#define _IPT_CONNBYTES_H #define _IPT_CONNBYTES_H
enum ipt_connbytes_what { #include <net/netfilter/xt_connbytes.h>
IPT_CONNBYTES_PKTS, #define ipt_connbytes_what xt_connbytes_what
IPT_CONNBYTES_BYTES,
IPT_CONNBYTES_AVGPKT,
};
enum ipt_connbytes_direction { #define IPT_CONNBYTES_PKTS XT_CONNBYTES_PACKETS
IPT_CONNBYTES_DIR_ORIGINAL, #define IPT_CONNBYTES_BYTES XT_CONNBYTES_BYTES
IPT_CONNBYTES_DIR_REPLY, #define IPT_CONNBYTES_AVGPKT XT_CONNBYTES_AVGPKT
IPT_CONNBYTES_DIR_BOTH,
}; #define ipt_connbytes_direction xt_connbytes_direction
#define IPT_CONNBYTES_DIR_ORIGINAL XT_CONNBYTES_DIR_ORIGINAL
#define IPT_CONNBYTES_DIR_REPLY XT_CONNBYTES_DIR_REPLY
#define IPT_CONNBYTES_DIR_BOTH XT_CONNBYTES_DIR_BOTH
#define ipt_connbytes_info xt_connbytes_info
struct ipt_connbytes_info
{
struct {
aligned_u64 from; /* count to be matched */
aligned_u64 to; /* count to be matched */
} count;
u_int8_t what; /* ipt_connbytes_what */
u_int8_t direction; /* ipt_connbytes_direction */
};
#endif #endif

View file

@ -1,18 +1,7 @@
#ifndef _IPT_CONNMARK_H #ifndef _IPT_CONNMARK_H
#define _IPT_CONNMARK_H #define _IPT_CONNMARK_H
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> #include <linux/netfilter/xt_connmark.h>
* by Henrik Nordstrom <hno@marasystems.com> #define ipt_connmark_info xt_connmark_info
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
struct ipt_connmark_info {
unsigned long mark, mask;
u_int8_t invert;
};
#endif /*_IPT_CONNMARK_H*/ #endif /*_IPT_CONNMARK_H*/

View file

@ -5,56 +5,24 @@
#ifndef _IPT_CONNTRACK_H #ifndef _IPT_CONNTRACK_H
#define _IPT_CONNTRACK_H #define _IPT_CONNTRACK_H
#define IPT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) #include <linux/netfilter/xt_conntrack.h>
#define IPT_CONNTRACK_STATE_INVALID (1 << 0)
#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1)) #define IPT_CONNTRACK_STATE_BIT(ctinfo) XT_CONNTRACK_STATE_BIT(ctinfo)
#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2)) #define IPT_CONNTRACK_STATE_INVALID XT_CONNTRACK_STATE_INVALID
#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
#define IPT_CONNTRACK_STATE_SNAT XT_CONNTRACK_STATE_SNAT
#define IPT_CONNTRACK_STATE_DNAT XT_CONNTRACK_STATE_DNAT
#define IPT_CONNTRACK_STATE_UNTRACKED XT_CONNTRACK_STATE_UNTRACKED
/* flags, invflags: */ /* flags, invflags: */
#define IPT_CONNTRACK_STATE 0x01 #define IPT_CONNTRACK_STATE XT_CONNTRACK_STATE
#define IPT_CONNTRACK_PROTO 0x02 #define IPT_CONNTRACK_PROTO XT_CONNTRACK_PROTO
#define IPT_CONNTRACK_ORIGSRC 0x04 #define IPT_CONNTRACK_ORIGSRC XT_CONNTRACK_ORIGSRC
#define IPT_CONNTRACK_ORIGDST 0x08 #define IPT_CONNTRACK_ORIGDST XT_CONNTRACK_ORIGDST
#define IPT_CONNTRACK_REPLSRC 0x10 #define IPT_CONNTRACK_REPLSRC XT_CONNTRACK_REPLSRC
#define IPT_CONNTRACK_REPLDST 0x20 #define IPT_CONNTRACK_REPLDST XT_CONNTRACK_REPLDST
#define IPT_CONNTRACK_STATUS 0x40 #define IPT_CONNTRACK_STATUS XT_CONNTRACK_STATUS
#define IPT_CONNTRACK_EXPIRES 0x80 #define IPT_CONNTRACK_EXPIRES XT_CONNTRACK_EXPIRES
/* This is exposed to userspace, so remains frozen in time. */ #define ipt_conntrack_info xt_conntrack_info
struct ip_conntrack_old_tuple
{
struct {
__u32 ip;
union {
__u16 all;
} u;
} src;
struct {
__u32 ip;
union {
__u16 all;
} u;
/* The protocol. */
u16 protonum;
} dst;
};
struct ipt_conntrack_info
{
unsigned int statemask, statusmask;
struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
unsigned long expires_min, expires_max;
/* Flags word */
u_int8_t flags;
/* Inverse flags */
u_int8_t invflags;
};
#endif /*_IPT_CONNTRACK_H*/ #endif /*_IPT_CONNTRACK_H*/

View file

@ -1,23 +1,15 @@
#ifndef _IPT_DCCP_H_ #ifndef _IPT_DCCP_H_
#define _IPT_DCCP_H_ #define _IPT_DCCP_H_
#define IPT_DCCP_SRC_PORTS 0x01 #include <linux/netfilter/xt_dccp.h>
#define IPT_DCCP_DEST_PORTS 0x02 #define IPT_DCCP_SRC_PORTS XT_DCCP_SRC_PORTS
#define IPT_DCCP_TYPE 0x04 #define IPT_DCCP_DEST_PORTS XT_DCCP_DEST_PORTS
#define IPT_DCCP_OPTION 0x08 #define IPT_DCCP_TYPE XT_DCCP_TYPE
#define IPT_DCCP_OPTION XT_DCCP_OPTION
#define IPT_DCCP_VALID_FLAGS 0x0f #define IPT_DCCP_VALID_FLAGS XT_DCCP_VALID_FLAGS
struct ipt_dccp_info { #define ipt_dccp_info xt_dccp_info
u_int16_t dpts[2]; /* Min, Max */
u_int16_t spts[2]; /* Min, Max */
u_int16_t flags;
u_int16_t invflags;
u_int16_t typemask;
u_int8_t option;
};
#endif /* _IPT_DCCP_H_ */ #endif /* _IPT_DCCP_H_ */

View file

@ -1,8 +1,7 @@
#ifndef _IPT_HELPER_H #ifndef _IPT_HELPER_H
#define _IPT_HELPER_H #define _IPT_HELPER_H
struct ipt_helper_info { #include <linux/netfilter/xt_helper.h>
int invert; #define ipt_helper_info xt_helper_info
char name[30];
};
#endif /* _IPT_HELPER_H */ #endif /* _IPT_HELPER_H */

View file

@ -1,9 +1,7 @@
#ifndef _IPT_LENGTH_H #ifndef _IPT_LENGTH_H
#define _IPT_LENGTH_H #define _IPT_LENGTH_H
struct ipt_length_info { #include <linux/netfilter/xt_length.h>
u_int16_t min, max; #define ipt_length_info xt_length_info
u_int8_t invert;
};
#endif /*_IPT_LENGTH_H*/ #endif /*_IPT_LENGTH_H*/

View file

@ -1,21 +1,8 @@
#ifndef _IPT_RATE_H #ifndef _IPT_RATE_H
#define _IPT_RATE_H #define _IPT_RATE_H
/* timings are in milliseconds. */ #include <linux/netfilter/xt_limit.h>
#define IPT_LIMIT_SCALE 10000 #define IPT_LIMIT_SCALE XT_LIMIT_SCALE
#define ipt_rateinfo xt_rateinfo
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
struct ipt_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* Used internally by the kernel */
unsigned long prev;
u_int32_t credit;
u_int32_t credit_cap, cost;
/* Ugly, ugly fucker. */
struct ipt_rateinfo *master;
};
#endif /*_IPT_RATE_H*/ #endif /*_IPT_RATE_H*/

View file

@ -1,8 +1,7 @@
#ifndef _IPT_MAC_H #ifndef _IPT_MAC_H
#define _IPT_MAC_H #define _IPT_MAC_H
struct ipt_mac_info { #include <linux/netfilter/xt_mac.h>
unsigned char srcaddr[ETH_ALEN]; #define ipt_mac_info xt_mac_info
int invert;
};
#endif /*_IPT_MAC_H*/ #endif /*_IPT_MAC_H*/

View file

@ -1,9 +1,9 @@
#ifndef _IPT_MARK_H #ifndef _IPT_MARK_H
#define _IPT_MARK_H #define _IPT_MARK_H
struct ipt_mark_info { /* Backwards compatibility for old userspace */
unsigned long mark, mask; #include <linux/netfilter/xt_mark.h>
u_int8_t invert;
}; #define ipt_mark_info xt_mark_info
#endif /*_IPT_MARK_H*/ #endif /*_IPT_MARK_H*/

View file

@ -1,24 +1,17 @@
#ifndef _IPT_PHYSDEV_H #ifndef _IPT_PHYSDEV_H
#define _IPT_PHYSDEV_H #define _IPT_PHYSDEV_H
#ifdef __KERNEL__ /* Backwards compatibility for old userspace */
#include <linux/if.h>
#endif
#define IPT_PHYSDEV_OP_IN 0x01 #include <linux/netfilter/xt_physdev.h>
#define IPT_PHYSDEV_OP_OUT 0x02
#define IPT_PHYSDEV_OP_BRIDGED 0x04
#define IPT_PHYSDEV_OP_ISIN 0x08
#define IPT_PHYSDEV_OP_ISOUT 0x10
#define IPT_PHYSDEV_OP_MASK (0x20 - 1)
struct ipt_physdev_info { #define IPT_PHYSDEV_OP_IN XT_PHYSDEV_OP_IN
char physindev[IFNAMSIZ]; #define IPT_PHYSDEV_OP_OUT XT_PHYSDEV_OP_OUT
char in_mask[IFNAMSIZ]; #define IPT_PHYSDEV_OP_BRIDGED XT_PHYSDEV_OP_BRIDGED
char physoutdev[IFNAMSIZ]; #define IPT_PHYSDEV_OP_ISIN XT_PHYSDEV_OP_ISIN
char out_mask[IFNAMSIZ]; #define IPT_PHYSDEV_OP_ISOUT XT_PHYSDEV_OP_ISOUT
u_int8_t invert; #define IPT_PHYSDEV_OP_MASK XT_PHYSDEV_OP_MASK
u_int8_t bitmask;
}; #define ipt_physdev_info xt_physdev_info
#endif /*_IPT_PHYSDEV_H*/ #endif /*_IPT_PHYSDEV_H*/

View file

@ -1,8 +1,7 @@
#ifndef _IPT_PKTTYPE_H #ifndef _IPT_PKTTYPE_H
#define _IPT_PKTTYPE_H #define _IPT_PKTTYPE_H
struct ipt_pkttype_info { #include <linux/netfilter/xt_pkttype.h>
int pkttype; #define ipt_pkttype_info xt_pkttype_info
int invert;
};
#endif /*_IPT_PKTTYPE_H*/ #endif /*_IPT_PKTTYPE_H*/

View file

@ -1,10 +1,7 @@
#ifndef _IPT_REALM_H #ifndef _IPT_REALM_H
#define _IPT_REALM_H #define _IPT_REALM_H
struct ipt_realm_info { #include <linux/netfilter/xt_realm.h>
u_int32_t id; #define ipt_realm_info xt_realm_info
u_int32_t mask;
u_int8_t invert;
};
#endif /* _IPT_REALM_H */ #endif /* _IPT_REALM_H */

View file

@ -1,13 +1,15 @@
#ifndef _IPT_STATE_H #ifndef _IPT_STATE_H
#define _IPT_STATE_H #define _IPT_STATE_H
#define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) /* Backwards compatibility for old userspace */
#define IPT_STATE_INVALID (1 << 0)
#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1)) #include <linux/netfilter/xt_state.h>
#define IPT_STATE_BIT XT_STATE_BIT
#define IPT_STATE_INVALID XT_STATE_INVALID
#define IPT_STATE_UNTRACKED XT_STATE_UNTRACKED
#define ipt_state_info xt_state_info
struct ipt_state_info
{
unsigned int statemask;
};
#endif /*_IPT_STATE_H*/ #endif /*_IPT_STATE_H*/

View file

@ -1,18 +1,10 @@
#ifndef _IPT_STRING_H #ifndef _IPT_STRING_H
#define _IPT_STRING_H #define _IPT_STRING_H
#define IPT_STRING_MAX_PATTERN_SIZE 128 #include <linux/netfilter/xt_string.h>
#define IPT_STRING_MAX_ALGO_NAME_SIZE 16
struct ipt_string_info #define IPT_STRING_MAX_PATTERN_SIZE XT_STRING_MAX_PATTERN_SIZE
{ #define IPT_STRING_MAX_ALGO_NAME_SIZE XT_STRING_MAX_ALGO_NAME_SIZE
u_int16_t from_offset; #define ipt_string_info xt_string_info
u_int16_t to_offset;
char algo[IPT_STRING_MAX_ALGO_NAME_SIZE];
char pattern[IPT_STRING_MAX_PATTERN_SIZE];
u_int8_t patlen;
u_int8_t invert;
struct ts_config __attribute__((aligned(8))) *config;
};
#endif /*_IPT_STRING_H*/ #endif /*_IPT_STRING_H*/

View file

@ -1,9 +1,7 @@
#ifndef _IPT_TCPMSS_MATCH_H #ifndef _IPT_TCPMSS_MATCH_H
#define _IPT_TCPMSS_MATCH_H #define _IPT_TCPMSS_MATCH_H
struct ipt_tcpmss_match_info { #include <linux/netfilter/xt_tcpmss.h>
u_int16_t mss_min, mss_max; #define ipt_tcpmss_match_info xt_tcpmss_match_info
u_int8_t invert;
};
#endif /*_IPT_TCPMSS_MATCH_H*/ #endif /*_IPT_TCPMSS_MATCH_H*/

View file

@ -25,8 +25,15 @@
#include <linux/compiler.h> #include <linux/compiler.h>
#include <linux/netfilter_ipv6.h> #include <linux/netfilter_ipv6.h>
#define IP6T_FUNCTION_MAXNAMELEN 30 #include <linux/netfilter/x_tables.h>
#define IP6T_TABLE_MAXNAMELEN 32
#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define ip6t_match xt_match
#define ip6t_target xt_target
#define ip6t_table xt_table
#define ip6t_get_revision xt_get_revision
/* Yes, Virginia, you have to zero the padding. */ /* Yes, Virginia, you have to zero the padding. */
struct ip6t_ip6 { struct ip6t_ip6 {
@ -104,10 +111,7 @@ struct ip6t_standard_target
int verdict; int verdict;
}; };
struct ip6t_counters #define ip6t_counters xt_counters
{
u_int64_t pcnt, bcnt; /* Packet and byte counters */
};
/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
@ -123,7 +127,7 @@ struct ip6t_counters
#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ #define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ #define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */ #define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */
#define IP6T_INV_PROTO 0x40 /* Invert the sense of PROTO. */ #define IP6T_INV_PROTO XT_INV_PROTO
#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */ #define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */
/* This structure defines each of the firewall rules. Consists of 3 /* This structure defines each of the firewall rules. Consists of 3
@ -145,7 +149,7 @@ struct ip6t_entry
unsigned int comefrom; unsigned int comefrom;
/* Packet and byte counters. */ /* Packet and byte counters. */
struct ip6t_counters counters; struct xt_counters counters;
/* The matches (if any), then the target. */ /* The matches (if any), then the target. */
unsigned char elems[0]; unsigned char elems[0];
@ -155,54 +159,41 @@ struct ip6t_entry
* New IP firewall options for [gs]etsockopt at the RAW IP level. * New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use * Unlike BSD Linux inherits IP options so you don't have to use
* a raw socket for this. Instead we check rights in the calls. */ * a raw socket for this. Instead we check rights in the calls. */
#define IP6T_BASE_CTL 64 /* base for firewall socket options */ #define IP6T_BASE_CTL XT_BASE_CTL
#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL) #define IP6T_SO_SET_REPLACE XT_SO_SET_REPLACE
#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1) #define IP6T_SO_SET_ADD_COUNTERS XT_SO_SET_ADD_COUNTERS
#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS #define IP6T_SO_SET_MAX XT_SO_SET_MAX
#define IP6T_SO_GET_INFO (IP6T_BASE_CTL) #define IP6T_SO_GET_INFO XT_SO_GET_INFO
#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1) #define IP6T_SO_GET_ENTRIES XT_SO_GET_ENTRIES
#define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 2) #define IP6T_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH
#define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 3) #define IP6T_SO_GET_REVISION_TARGET XT_SO_GET_REVISION_TARGET
#define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET #define IP6T_SO_GET_MAX XT_SO_GET_REVISION_TARGET
/* CONTINUE verdict for targets */ /* CONTINUE verdict for targets */
#define IP6T_CONTINUE 0xFFFFFFFF #define IP6T_CONTINUE XT_CONTINUE
/* For standard target */ /* For standard target */
#define IP6T_RETURN (-NF_REPEAT - 1) #define IP6T_RETURN XT_RETURN
/* TCP matching stuff */ /* TCP/UDP matching stuff */
struct ip6t_tcp #include <linux/netfilter/xt_tcpudp.h>
{
u_int16_t spts[2]; /* Source port range. */ #define ip6t_tcp xt_tcp
u_int16_t dpts[2]; /* Destination port range. */ #define ip6t_udp xt_udp
u_int8_t option; /* TCP Option iff non-zero*/
u_int8_t flg_mask; /* TCP flags mask byte */
u_int8_t flg_cmp; /* TCP flags compare byte */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "inv" field in struct ipt_tcp. */ /* Values for "inv" field in struct ipt_tcp. */
#define IP6T_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ #define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT
#define IP6T_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ #define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT
#define IP6T_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */ #define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS
#define IP6T_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */ #define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION
#define IP6T_TCP_INV_MASK 0x0F /* All possible flags. */ #define IP6T_TCP_INV_MASK XT_TCP_INV_MASK
/* UDP matching stuff */
struct ip6t_udp
{
u_int16_t spts[2]; /* Source port range. */
u_int16_t dpts[2]; /* Destination port range. */
u_int8_t invflags; /* Inverse flags */
};
/* Values for "invflags" field in struct ipt_udp. */ /* Values for "invflags" field in struct ipt_udp. */
#define IP6T_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ #define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT
#define IP6T_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ #define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT
#define IP6T_UDP_INV_MASK 0x03 /* All possible flags. */ #define IP6T_UDP_INV_MASK XT_UDP_INV_MASK
/* ICMP matching stuff */ /* ICMP matching stuff */
struct ip6t_icmp struct ip6t_icmp
@ -264,23 +255,14 @@ struct ip6t_replace
/* Number of counters (must be equal to current number of entries). */ /* Number of counters (must be equal to current number of entries). */
unsigned int num_counters; unsigned int num_counters;
/* The old entries' counters. */ /* The old entries' counters. */
struct ip6t_counters __user *counters; struct xt_counters __user *counters;
/* The entries (hang off end: not really an array). */ /* The entries (hang off end: not really an array). */
struct ip6t_entry entries[0]; struct ip6t_entry entries[0];
}; };
/* The argument to IP6T_SO_ADD_COUNTERS. */ /* The argument to IP6T_SO_ADD_COUNTERS. */
struct ip6t_counters_info #define ip6t_counters_info xt_counters_info
{
/* Which table. */
char name[IP6T_TABLE_MAXNAMELEN];
unsigned int num_counters;
/* The counters (actually `number' of these). */
struct ip6t_counters counters[0];
};
/* The argument to IP6T_SO_GET_ENTRIES. */ /* The argument to IP6T_SO_GET_ENTRIES. */
struct ip6t_get_entries struct ip6t_get_entries
@ -295,19 +277,10 @@ struct ip6t_get_entries
struct ip6t_entry entrytable[0]; struct ip6t_entry entrytable[0];
}; };
/* The argument to IP6T_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct ip6t_get_revision
{
char name[IP6T_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
/* Standard return verdict, or do jump. */ /* Standard return verdict, or do jump. */
#define IP6T_STANDARD_TARGET "" #define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
/* Error verdict. */ /* Error verdict. */
#define IP6T_ERROR_TARGET "ERROR" #define IP6T_ERROR_TARGET XT_ERROR_TARGET
/* Helper functions */ /* Helper functions */
static __inline__ struct ip6t_entry_target * static __inline__ struct ip6t_entry_target *
@ -361,104 +334,11 @@ ip6t_get_target(struct ip6t_entry *e)
#include <linux/init.h> #include <linux/init.h>
extern void ip6t_init(void) __init; extern void ip6t_init(void) __init;
struct ip6t_match #define ip6t_register_target(tgt) xt_register_target(AF_INET6, tgt)
{ #define ip6t_unregister_target(tgt) xt_unregister_target(AF_INET6, tgt)
struct list_head list;
const char name[IP6T_FUNCTION_MAXNAMELEN-1]; #define ip6t_register_match(match) xt_register_match(AF_INET6, match)
#define ip6t_unregister_match(match) xt_unregister_match(AF_INET6, match)
u_int8_t revision;
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.6.9, as this must now handle
non-linear skb, using skb_header_pointer and
skb_ip_make_writable. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop);
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ip6t_ip6 *ip,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *matchinfo, unsigned int matchinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
/* Registration hooks for targets. */
struct ip6t_target
{
struct list_head list;
const char name[IP6T_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
/* Returns verdict. Argument order changed since 2.6.9, as this
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
unsigned int (*target)(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userdata);
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const struct ip6t_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
extern int ip6t_register_target(struct ip6t_target *target);
extern void ip6t_unregister_target(struct ip6t_target *target);
extern int ip6t_register_match(struct ip6t_match *match);
extern void ip6t_unregister_match(struct ip6t_match *match);
/* Furniture shopping... */
struct ip6t_table
{
struct list_head list;
/* A unique name... */
char name[IP6T_TABLE_MAXNAMELEN];
/* What hooks you will enter on */
unsigned int valid_hooks;
/* Lock for the curtain */
rwlock_t lock;
/* Man behind the curtain... */
struct ip6t_table_info *private;
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
extern int ip6t_register_table(struct ip6t_table *table, extern int ip6t_register_table(struct ip6t_table *table,
const struct ip6t_replace *repl); const struct ip6t_replace *repl);

View file

@ -1,8 +1,9 @@
#ifndef _IP6T_MARK_H_target #ifndef _IP6T_MARK_H_target
#define _IP6T_MARK_H_target #define _IP6T_MARK_H_target
struct ip6t_mark_target_info { /* Backwards compatibility for old userspace */
unsigned long mark; #include <linux/netfilter/xt_MARK.h>
};
#endif /*_IPT_MARK_H_target*/ #define ip6t_mark_target_info xt_mark_target_info
#endif /*_IP6T_MARK_H_target*/

View file

@ -1,10 +1,8 @@
#ifndef _IP6T_LENGTH_H #ifndef _IP6T_LENGTH_H
#define _IP6T_LENGTH_H #define _IP6T_LENGTH_H
struct ip6t_length_info { #include <linux/netfilter/xt_length.h>
u_int16_t min, max; #define ip6t_length_info xt_length_info
u_int8_t invert;
};
#endif /*_IP6T_LENGTH_H*/ #endif /*_IP6T_LENGTH_H*/

View file

@ -1,21 +1,8 @@
#ifndef _IP6T_RATE_H #ifndef _IP6T_RATE_H
#define _IP6T_RATE_H #define _IP6T_RATE_H
/* timings are in milliseconds. */ #include <linux/netfilter/xt_limit.h>
#define IP6T_LIMIT_SCALE 10000 #define IP6T_LIMIT_SCALE XT_LIMIT_SCALE
#define ip6t_rateinfo xt_rateinfo
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 #endif /*_IP6T_RATE_H*/
seconds, or one every 59 hours. */
struct ip6t_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* Used internally by the kernel */
unsigned long prev;
u_int32_t credit;
u_int32_t credit_cap, cost;
/* Ugly, ugly fucker. */
struct ip6t_rateinfo *master;
};
#endif /*_IPT_RATE_H*/

View file

@ -1,8 +1,7 @@
#ifndef _IP6T_MAC_H #ifndef _IP6T_MAC_H
#define _IP6T_MAC_H #define _IP6T_MAC_H
struct ip6t_mac_info { #include <linux/netfilter/xt_mac.h>
unsigned char srcaddr[ETH_ALEN]; #define ip6t_mac_info xt_mac_info
int invert;
}; #endif /*_IP6T_MAC_H*/
#endif /*_IPT_MAC_H*/

View file

@ -1,9 +1,9 @@
#ifndef _IP6T_MARK_H #ifndef _IP6T_MARK_H
#define _IP6T_MARK_H #define _IP6T_MARK_H
struct ip6t_mark_info { /* Backwards compatibility for old userspace */
unsigned long mark, mask; #include <linux/netfilter/xt_mark.h>
u_int8_t invert;
}; #define ip6t_mark_info xt_mark_info
#endif /*_IPT_MARK_H*/ #endif /*_IPT_MARK_H*/

View file

@ -1,24 +1,17 @@
#ifndef _IP6T_PHYSDEV_H #ifndef _IP6T_PHYSDEV_H
#define _IP6T_PHYSDEV_H #define _IP6T_PHYSDEV_H
#ifdef __KERNEL__ /* Backwards compatibility for old userspace */
#include <linux/if.h>
#endif
#define IP6T_PHYSDEV_OP_IN 0x01 #include <linux/netfilter/xt_physdev.h>
#define IP6T_PHYSDEV_OP_OUT 0x02
#define IP6T_PHYSDEV_OP_BRIDGED 0x04
#define IP6T_PHYSDEV_OP_ISIN 0x08
#define IP6T_PHYSDEV_OP_ISOUT 0x10
#define IP6T_PHYSDEV_OP_MASK (0x20 - 1)
struct ip6t_physdev_info { #define IP6T_PHYSDEV_OP_IN XT_PHYSDEV_OP_IN
char physindev[IFNAMSIZ]; #define IP6T_PHYSDEV_OP_OUT XT_PHYSDEV_OP_OUT
char in_mask[IFNAMSIZ]; #define IP6T_PHYSDEV_OP_BRIDGED XT_PHYSDEV_OP_BRIDGED
char physoutdev[IFNAMSIZ]; #define IP6T_PHYSDEV_OP_ISIN XT_PHYSDEV_OP_ISIN
char out_mask[IFNAMSIZ]; #define IP6T_PHYSDEV_OP_ISOUT XT_PHYSDEV_OP_ISOUT
u_int8_t invert; #define IP6T_PHYSDEV_OP_MASK XT_PHYSDEV_OP_MASK
u_int8_t bitmask;
}; #define ip6t_physdev_info xt_physdev_info
#endif /*_IP6T_PHYSDEV_H*/ #endif /*_IP6T_PHYSDEV_H*/

View file

@ -37,7 +37,4 @@ struct nf_conntrack_ipv4 {
struct sk_buff * struct sk_buff *
nf_ct_ipv4_ct_gather_frags(struct sk_buff *skb); nf_ct_ipv4_ct_gather_frags(struct sk_buff *skb);
/* call to create an explicit dependency on nf_conntrack_l3proto_ipv4. */
extern void need_ip_conntrack(void);
#endif /*_NF_CONNTRACK_IPV4_H*/ #endif /*_NF_CONNTRACK_IPV4_H*/

View file

@ -221,9 +221,6 @@ extern void nf_ct_helper_put(struct nf_conntrack_helper *helper);
extern struct nf_conntrack_helper * extern struct nf_conntrack_helper *
__nf_conntrack_helper_find_byname(const char *name); __nf_conntrack_helper_find_byname(const char *name);
/* call to create an explicit dependency on nf_conntrack. */
extern void need_nf_conntrack(void);
extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
const struct nf_conntrack_tuple *orig); const struct nf_conntrack_tuple *orig);

View file

@ -15,6 +15,7 @@
#include <linux/netfilter.h> #include <linux/netfilter.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/ip.h> #include <linux/ip.h>
#include <linux/in.h>
#include <linux/if_arp.h> #include <linux/if_arp.h>
#include <linux/spinlock.h> #include <linux/spinlock.h>

View file

@ -182,6 +182,7 @@ config IP_NF_QUEUE
config IP_NF_IPTABLES config IP_NF_IPTABLES
tristate "IP tables support (required for filtering/masq/NAT)" tristate "IP tables support (required for filtering/masq/NAT)"
depends on NETFILTER_XTABLES
help help
iptables is a general, extensible packet identification framework. iptables is a general, extensible packet identification framework.
The packet filtering and full NAT (masquerading, port forwarding, The packet filtering and full NAT (masquerading, port forwarding,
@ -191,16 +192,6 @@ config IP_NF_IPTABLES
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
# The matches. # The matches.
config IP_NF_MATCH_LIMIT
tristate "limit match support"
depends on IP_NF_IPTABLES
help
limit matching allows you to control the rate at which a rule can be
matched: mainly useful in combination with the LOG target ("LOG
target support", below) and to avoid some Denial of Service attacks.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_IPRANGE config IP_NF_MATCH_IPRANGE
tristate "IP range match support" tristate "IP range match support"
depends on IP_NF_IPTABLES depends on IP_NF_IPTABLES
@ -210,37 +201,6 @@ config IP_NF_MATCH_IPRANGE
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_MAC
tristate "MAC address match support"
depends on IP_NF_IPTABLES
help
MAC matching allows you to match packets based on the source
Ethernet address of the packet.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_PKTTYPE
tristate "Packet type match support"
depends on IP_NF_IPTABLES
help
Packet type matching allows you to match a packet by
its "class", eg. BROADCAST, MULTICAST, ...
Typical usage:
iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_MARK
tristate "netfilter MARK match support"
depends on IP_NF_IPTABLES
help
Netfilter mark matching allows you to match packets based on the
`nfmark' value in the packet. This can be set by the MARK target
(see below).
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_MULTIPORT config IP_NF_MATCH_MULTIPORT
tristate "Multiple port match support" tristate "Multiple port match support"
depends on IP_NF_IPTABLES depends on IP_NF_IPTABLES
@ -301,15 +261,6 @@ config IP_NF_MATCH_AH_ESP
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_LENGTH
tristate "LENGTH match support"
depends on IP_NF_IPTABLES
help
This option allows you to match the length of a packet against a
specific value or range of values.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_TTL config IP_NF_MATCH_TTL
tristate "TTL match support" tristate "TTL match support"
depends on IP_NF_IPTABLES depends on IP_NF_IPTABLES
@ -319,50 +270,6 @@ config IP_NF_MATCH_TTL
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_TCPMSS
tristate "tcpmss match support"
depends on IP_NF_IPTABLES
help
This option adds a `tcpmss' match, which allows you to examine the
MSS value of TCP SYN packets, which control the maximum packet size
for that connection.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_HELPER
tristate "Helper match support"
depends on IP_NF_IPTABLES
depends on IP_NF_CONNTRACK || NF_CONNTRACK_IPV4
help
Helper matching allows you to match packets in dynamic connections
tracked by a conntrack-helper, ie. ip_conntrack_ftp
To compile it as a module, choose M here. If unsure, say Y.
config IP_NF_MATCH_STATE
tristate "Connection state match support"
depends on IP_NF_IPTABLES
depends on IP_NF_CONNTRACK || NF_CONNTRACK_IPV4
help
Connection state matching allows you to match packets based on their
relationship to a tracked connection (ie. previous packets). This
is a powerful tool for packet classification.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_CONNTRACK
tristate "Connection tracking match support"
depends on IP_NF_IPTABLES
depends on IP_NF_CONNTRACK || NF_CONNTRACK_IPV4
help
This is a general conntrack match module, a superset of the state match.
It allows matching on additional conntrack information, which is
useful in complex configurations, such as NAT gateways with multiple
internet links or tunnels.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_OWNER config IP_NF_MATCH_OWNER
tristate "Owner match support" tristate "Owner match support"
depends on IP_NF_IPTABLES depends on IP_NF_IPTABLES
@ -372,15 +279,6 @@ config IP_NF_MATCH_OWNER
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_PHYSDEV
tristate "Physdev match support"
depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
help
Physdev packet matching matches against the physical bridge ports
the IP packet arrived on or will leave by.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_ADDRTYPE config IP_NF_MATCH_ADDRTYPE
tristate 'address type match support' tristate 'address type match support'
depends on IP_NF_IPTABLES depends on IP_NF_IPTABLES
@ -391,75 +289,6 @@ config IP_NF_MATCH_ADDRTYPE
If you want to compile it as a module, say M here and read If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'. <file:Documentation/modules.txt>. If unsure, say `N'.
config IP_NF_MATCH_REALM
tristate 'realm match support'
depends on IP_NF_IPTABLES
select NET_CLS_ROUTE
help
This option adds a `realm' match, which allows you to use the realm
key from the routing subsystem inside iptables.
This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
in tc world.
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
config IP_NF_MATCH_SCTP
tristate 'SCTP protocol match support'
depends on IP_NF_IPTABLES
help
With this option enabled, you will be able to use the iptables
`sctp' match in order to match on SCTP source/destination ports
and SCTP chunk types.
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
config IP_NF_MATCH_DCCP
tristate 'DCCP protocol match support'
depends on IP_NF_IPTABLES
help
With this option enabled, you will be able to use the iptables
`dccp' match in order to match on DCCP source/destination ports
and DCCP flags.
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
config IP_NF_MATCH_COMMENT
tristate 'comment match support'
depends on IP_NF_IPTABLES
help
This option adds a `comment' dummy-match, which allows you to put
comments in your iptables ruleset.
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
config IP_NF_MATCH_CONNMARK
tristate 'Connection mark match support'
depends on IP_NF_IPTABLES
depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4)
help
This option adds a `connmark' match, which allows you to match the
connection mark value previously set for the session by `CONNMARK'.
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. The module will be called
ipt_connmark.o. If unsure, say `N'.
config IP_NF_MATCH_CONNBYTES
tristate 'Connection byte/packet counter match support'
depends on IP_NF_IPTABLES
depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK_IPV4)
help
This option adds a `connbytes' match, which allows you to match the
number of bytes and/or packets for each direction within a connection.
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
config IP_NF_MATCH_HASHLIMIT config IP_NF_MATCH_HASHLIMIT
tristate 'hashlimit match support' tristate 'hashlimit match support'
depends on IP_NF_IPTABLES depends on IP_NF_IPTABLES
@ -474,19 +303,6 @@ config IP_NF_MATCH_HASHLIMIT
destination IP' or `500pps from any given source IP' with a single destination IP' or `500pps from any given source IP' with a single
IPtables rule. IPtables rule.
config IP_NF_MATCH_STRING
tristate 'string match support'
depends on IP_NF_IPTABLES
select TEXTSEARCH
select TEXTSEARCH_KMP
select TEXTSEARCH_BM
select TEXTSEARCH_FSM
help
This option adds a `string' match, which allows you to look for
pattern matchings in packets.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_POLICY config IP_NF_MATCH_POLICY
tristate "IPsec policy match support" tristate "IPsec policy match support"
depends on IP_NF_IPTABLES && XFRM depends on IP_NF_IPTABLES && XFRM
@ -572,17 +388,6 @@ config IP_NF_TARGET_TCPMSS
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_NFQUEUE
tristate "NFQUEUE Target Support"
depends on IP_NF_IPTABLES
help
This Target replaced the old obsolete QUEUE target.
As opposed to QUEUE, it supports 65535 different queues,
not just one.
To compile it as a module, choose M here. If unsure, say N.
# NAT + specific targets # NAT + specific targets
config IP_NF_NAT config IP_NF_NAT
tristate "Full NAT" tristate "Full NAT"
@ -735,31 +540,6 @@ config IP_NF_TARGET_DSCP
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_MARK
tristate "MARK target support"
depends on IP_NF_MANGLE
help
This option adds a `MARK' target, which allows you to create rules
in the `mangle' table which alter the netfilter mark (nfmark) field
associated with the packet prior to routing. This can change
the routing method (see `Use netfilter MARK value as routing
key') and can also be used by other subsystems to change their
behavior.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_CLASSIFY
tristate "CLASSIFY target support"
depends on IP_NF_MANGLE
help
This option adds a `CLASSIFY' target, which enables the user to set
the priority of a packet. Some qdiscs can use this value for
classification, among these are:
atm, cbq, dsmark, pfifo_fast, htb, prio
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_TTL config IP_NF_TARGET_TTL
tristate 'TTL target support' tristate 'TTL target support'
depends on IP_NF_MANGLE depends on IP_NF_MANGLE
@ -774,19 +554,6 @@ config IP_NF_TARGET_TTL
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_CONNMARK
tristate 'CONNMARK target support'
depends on IP_NF_MANGLE
depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4)
help
This option adds a `CONNMARK' target, which allows one to manipulate
the connection mark value. Similar to the MARK target, but
affects the connection mark value rather than the packet mark value.
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. The module will be called
ipt_CONNMARK.o. If unsure, say `N'.
config IP_NF_TARGET_CLUSTERIP config IP_NF_TARGET_CLUSTERIP
tristate "CLUSTERIP target support (EXPERIMENTAL)" tristate "CLUSTERIP target support (EXPERIMENTAL)"
depends on IP_NF_MANGLE && EXPERIMENTAL depends on IP_NF_MANGLE && EXPERIMENTAL
@ -810,23 +577,10 @@ config IP_NF_RAW
If you want to compile it as a module, say M here and read If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'. <file:Documentation/modules.txt>. If unsure, say `N'.
config IP_NF_TARGET_NOTRACK
tristate 'NOTRACK target support'
depends on IP_NF_RAW
depends on IP_NF_CONNTRACK || NF_CONNTRACK_IPV4
help
The NOTRACK target allows a select rule to specify
which packets *not* to enter the conntrack/NAT
subsystem with all the consequences (no ICMP error tracking,
no protocol helpers for the selected packets).
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
# ARP tables # ARP tables
config IP_NF_ARPTABLES config IP_NF_ARPTABLES
tristate "ARP tables support" tristate "ARP tables support"
depends on NETFILTER_XTABLES
help help
arptables is a general, extensible packet identification framework. arptables is a general, extensible packet identification framework.
The ARP packet filtering and mangling (manipulation)subsystems The ARP packet filtering and mangling (manipulation)subsystems

View file

@ -47,14 +47,8 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
# matches # matches
obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
obj-$(CONFIG_IP_NF_MATCH_HASHLIMIT) += ipt_hashlimit.o obj-$(CONFIG_IP_NF_MATCH_HASHLIMIT) += ipt_hashlimit.o
obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
obj-$(CONFIG_IP_NF_MATCH_DCCP) += ipt_dccp.o
obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
obj-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype.o
obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o
obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
@ -62,40 +56,25 @@ obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o
obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o
obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_CONNBYTES) += ipt_connbytes.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o
obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o
obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o
# targets # targets
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
obj-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP.o obj-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP.o
obj-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK.o
obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o
obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o
obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
obj-$(CONFIG_IP_NF_TARGET_NOTRACK) += ipt_NOTRACK.o
obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
obj-$(CONFIG_IP_NF_TARGET_NFQUEUE) += ipt_NFQUEUE.o
# generic ARP tables # generic ARP tables
obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o

View file

@ -24,6 +24,7 @@
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include <asm/semaphore.h> #include <asm/semaphore.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_arp/arp_tables.h> #include <linux/netfilter_arp/arp_tables.h>
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
@ -55,28 +56,9 @@ do { \
#else #else
#define ARP_NF_ASSERT(x) #define ARP_NF_ASSERT(x)
#endif #endif
#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
static DECLARE_MUTEX(arpt_mutex);
#define ASSERT_READ_LOCK(x) ARP_NF_ASSERT(down_trylock(&arpt_mutex) != 0)
#define ASSERT_WRITE_LOCK(x) ARP_NF_ASSERT(down_trylock(&arpt_mutex) != 0)
#include <linux/netfilter_ipv4/listhelp.h> #include <linux/netfilter_ipv4/listhelp.h>
struct arpt_table_info {
unsigned int size;
unsigned int number;
unsigned int initial_entries;
unsigned int hook_entry[NF_ARP_NUMHOOKS];
unsigned int underflow[NF_ARP_NUMHOOKS];
void *entries[NR_CPUS];
};
static LIST_HEAD(arpt_target);
static LIST_HEAD(arpt_tables);
#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap, static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
char *hdr_addr, int len) char *hdr_addr, int len)
{ {
@ -223,9 +205,9 @@ static inline int arp_checkentry(const struct arpt_arp *arp)
} }
static unsigned int arpt_error(struct sk_buff **pskb, static unsigned int arpt_error(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in, const struct net_device *in,
const struct net_device *out, const struct net_device *out,
unsigned int hooknum,
const void *targinfo, const void *targinfo,
void *userinfo) void *userinfo)
{ {
@ -254,6 +236,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
struct arpt_entry *e, *back; struct arpt_entry *e, *back;
const char *indev, *outdev; const char *indev, *outdev;
void *table_base; void *table_base;
struct xt_table_info *private = table->private;
/* ARP header, plus 2 device addresses, plus 2 IP addresses. */ /* ARP header, plus 2 device addresses, plus 2 IP addresses. */
if (!pskb_may_pull((*pskb), (sizeof(struct arphdr) + if (!pskb_may_pull((*pskb), (sizeof(struct arphdr) +
@ -265,9 +248,9 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
outdev = out ? out->name : nulldevname; outdev = out ? out->name : nulldevname;
read_lock_bh(&table->lock); read_lock_bh(&table->lock);
table_base = (void *)table->private->entries[smp_processor_id()]; table_base = (void *)private->entries[smp_processor_id()];
e = get_entry(table_base, table->private->hook_entry[hook]); e = get_entry(table_base, private->hook_entry[hook]);
back = get_entry(table_base, table->private->underflow[hook]); back = get_entry(table_base, private->underflow[hook]);
arp = (*pskb)->nh.arph; arp = (*pskb)->nh.arph;
do { do {
@ -315,8 +298,8 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
* abs. verdicts * abs. verdicts
*/ */
verdict = t->u.kernel.target->target(pskb, verdict = t->u.kernel.target->target(pskb,
hook,
in, out, in, out,
hook,
t->data, t->data,
userdata); userdata);
@ -341,106 +324,6 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
return verdict; return verdict;
} }
/*
* These are weird, but module loading must not be done with mutex
* held (since they will register), and we have to have a single
* function to use try_then_request_module().
*/
/* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */
static inline struct arpt_table *find_table_lock(const char *name)
{
struct arpt_table *t;
if (down_interruptible(&arpt_mutex) != 0)
return ERR_PTR(-EINTR);
list_for_each_entry(t, &arpt_tables, list)
if (strcmp(t->name, name) == 0 && try_module_get(t->me))
return t;
up(&arpt_mutex);
return NULL;
}
/* Find target, grabs ref. Returns ERR_PTR() on error. */
static inline struct arpt_target *find_target(const char *name, u8 revision)
{
struct arpt_target *t;
int err = 0;
if (down_interruptible(&arpt_mutex) != 0)
return ERR_PTR(-EINTR);
list_for_each_entry(t, &arpt_target, list) {
if (strcmp(t->name, name) == 0) {
if (t->revision == revision) {
if (try_module_get(t->me)) {
up(&arpt_mutex);
return t;
}
} else
err = -EPROTOTYPE; /* Found something. */
}
}
up(&arpt_mutex);
return ERR_PTR(err);
}
struct arpt_target *arpt_find_target(const char *name, u8 revision)
{
struct arpt_target *target;
target = try_then_request_module(find_target(name, revision),
"arpt_%s", name);
if (IS_ERR(target) || !target)
return NULL;
return target;
}
static int target_revfn(const char *name, u8 revision, int *bestp)
{
struct arpt_target *t;
int have_rev = 0;
list_for_each_entry(t, &arpt_target, list) {
if (strcmp(t->name, name) == 0) {
if (t->revision > *bestp)
*bestp = t->revision;
if (t->revision == revision)
have_rev =1;
}
}
return have_rev;
}
/* Returns true or false (if no such extension at all) */
static inline int find_revision(const char *name, u8 revision,
int (*revfn)(const char *, u8, int *),
int *err)
{
int have_rev, best = -1;
if (down_interruptible(&arpt_mutex) != 0) {
*err = -EINTR;
return 1;
}
have_rev = revfn(name, revision, &best);
up(&arpt_mutex);
/* Nothing at all? Return 0 to try loading module. */
if (best == -1) {
*err = -ENOENT;
return 0;
}
*err = best;
if (!have_rev)
*err = -EPROTONOSUPPORT;
return 1;
}
/* All zeroes == unconditional rule. */ /* All zeroes == unconditional rule. */
static inline int unconditional(const struct arpt_arp *arp) static inline int unconditional(const struct arpt_arp *arp)
{ {
@ -456,7 +339,7 @@ static inline int unconditional(const struct arpt_arp *arp)
/* Figures out from what hook each rule can be called: returns 0 if /* Figures out from what hook each rule can be called: returns 0 if
* there are loops. Puts hook bitmask in comefrom. * there are loops. Puts hook bitmask in comefrom.
*/ */
static int mark_source_chains(struct arpt_table_info *newinfo, static int mark_source_chains(struct xt_table_info *newinfo,
unsigned int valid_hooks, void *entry0) unsigned int valid_hooks, void *entry0)
{ {
unsigned int hook; unsigned int hook;
@ -587,8 +470,8 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
} }
t = arpt_get_target(e); t = arpt_get_target(e);
target = try_then_request_module(find_target(t->u.user.name, target = try_then_request_module(xt_find_target(NF_ARP, t->u.user.name,
t->u.user.revision), t->u.user.revision),
"arpt_%s", t->u.user.name); "arpt_%s", t->u.user.name);
if (IS_ERR(target) || !target) { if (IS_ERR(target) || !target) {
duprintf("check_entry: `%s' not found\n", t->u.user.name); duprintf("check_entry: `%s' not found\n", t->u.user.name);
@ -622,7 +505,7 @@ out:
} }
static inline int check_entry_size_and_hooks(struct arpt_entry *e, static inline int check_entry_size_and_hooks(struct arpt_entry *e,
struct arpt_table_info *newinfo, struct xt_table_info *newinfo,
unsigned char *base, unsigned char *base,
unsigned char *limit, unsigned char *limit,
const unsigned int *hook_entries, const unsigned int *hook_entries,
@ -656,7 +539,7 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
< 0 (not ARPT_RETURN). --RR */ < 0 (not ARPT_RETURN). --RR */
/* Clear counters and comefrom */ /* Clear counters and comefrom */
e->counters = ((struct arpt_counters) { 0, 0 }); e->counters = ((struct xt_counters) { 0, 0 });
e->comefrom = 0; e->comefrom = 0;
(*i)++; (*i)++;
@ -683,7 +566,7 @@ static inline int cleanup_entry(struct arpt_entry *e, unsigned int *i)
*/ */
static int translate_table(const char *name, static int translate_table(const char *name,
unsigned int valid_hooks, unsigned int valid_hooks,
struct arpt_table_info *newinfo, struct xt_table_info *newinfo,
void *entry0, void *entry0,
unsigned int size, unsigned int size,
unsigned int number, unsigned int number,
@ -764,34 +647,9 @@ static int translate_table(const char *name,
return ret; return ret;
} }
static struct arpt_table_info *replace_table(struct arpt_table *table,
unsigned int num_counters,
struct arpt_table_info *newinfo,
int *error)
{
struct arpt_table_info *oldinfo;
/* Do the substitution. */
write_lock_bh(&table->lock);
/* Check inside lock: is the old number correct? */
if (num_counters != table->private->number) {
duprintf("num_counters != table->private->number (%u/%u)\n",
num_counters, table->private->number);
write_unlock_bh(&table->lock);
*error = -EAGAIN;
return NULL;
}
oldinfo = table->private;
table->private = newinfo;
newinfo->initial_entries = oldinfo->initial_entries;
write_unlock_bh(&table->lock);
return oldinfo;
}
/* Gets counters. */ /* Gets counters. */
static inline int add_entry_to_counter(const struct arpt_entry *e, static inline int add_entry_to_counter(const struct arpt_entry *e,
struct arpt_counters total[], struct xt_counters total[],
unsigned int *i) unsigned int *i)
{ {
ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt); ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
@ -801,7 +659,7 @@ static inline int add_entry_to_counter(const struct arpt_entry *e,
} }
static inline int set_entry_to_counter(const struct arpt_entry *e, static inline int set_entry_to_counter(const struct arpt_entry *e,
struct arpt_counters total[], struct xt_counters total[],
unsigned int *i) unsigned int *i)
{ {
SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt); SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
@ -810,8 +668,8 @@ static inline int set_entry_to_counter(const struct arpt_entry *e,
return 0; return 0;
} }
static void get_counters(const struct arpt_table_info *t, static void get_counters(const struct xt_table_info *t,
struct arpt_counters counters[]) struct xt_counters counters[])
{ {
unsigned int cpu; unsigned int cpu;
unsigned int i; unsigned int i;
@ -849,7 +707,8 @@ static int copy_entries_to_user(unsigned int total_size,
{ {
unsigned int off, num, countersize; unsigned int off, num, countersize;
struct arpt_entry *e; struct arpt_entry *e;
struct arpt_counters *counters; struct xt_counters *counters;
struct xt_table_info *private = table->private;
int ret = 0; int ret = 0;
void *loc_cpu_entry; void *loc_cpu_entry;
@ -857,18 +716,18 @@ static int copy_entries_to_user(unsigned int total_size,
* (other than comefrom, which userspace doesn't care * (other than comefrom, which userspace doesn't care
* about). * about).
*/ */
countersize = sizeof(struct arpt_counters) * table->private->number; countersize = sizeof(struct xt_counters) * private->number;
counters = vmalloc(countersize); counters = vmalloc_node(countersize, numa_node_id());
if (counters == NULL) if (counters == NULL)
return -ENOMEM; return -ENOMEM;
/* First, sum counters... */ /* First, sum counters... */
write_lock_bh(&table->lock); write_lock_bh(&table->lock);
get_counters(table->private, counters); get_counters(private, counters);
write_unlock_bh(&table->lock); write_unlock_bh(&table->lock);
loc_cpu_entry = table->private->entries[raw_smp_processor_id()]; loc_cpu_entry = private->entries[raw_smp_processor_id()];
/* ... then copy entire thing ... */ /* ... then copy entire thing ... */
if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) { if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
ret = -EFAULT; ret = -EFAULT;
@ -911,75 +770,34 @@ static int get_entries(const struct arpt_get_entries *entries,
int ret; int ret;
struct arpt_table *t; struct arpt_table *t;
t = find_table_lock(entries->name); t = xt_find_table_lock(NF_ARP, entries->name);
if (t || !IS_ERR(t)) { if (t || !IS_ERR(t)) {
struct xt_table_info *private = t->private;
duprintf("t->private->number = %u\n", duprintf("t->private->number = %u\n",
t->private->number); private->number);
if (entries->size == t->private->size) if (entries->size == private->size)
ret = copy_entries_to_user(t->private->size, ret = copy_entries_to_user(private->size,
t, uptr->entrytable); t, uptr->entrytable);
else { else {
duprintf("get_entries: I've got %u not %u!\n", duprintf("get_entries: I've got %u not %u!\n",
t->private->size, private->size, entries->size);
entries->size);
ret = -EINVAL; ret = -EINVAL;
} }
module_put(t->me); module_put(t->me);
up(&arpt_mutex); xt_table_unlock(t);
} else } else
ret = t ? PTR_ERR(t) : -ENOENT; ret = t ? PTR_ERR(t) : -ENOENT;
return ret; return ret;
} }
static void free_table_info(struct arpt_table_info *info)
{
int cpu;
for_each_cpu(cpu) {
if (info->size <= PAGE_SIZE)
kfree(info->entries[cpu]);
else
vfree(info->entries[cpu]);
}
kfree(info);
}
static struct arpt_table_info *alloc_table_info(unsigned int size)
{
struct arpt_table_info *newinfo;
int cpu;
newinfo = kzalloc(sizeof(struct arpt_table_info), GFP_KERNEL);
if (!newinfo)
return NULL;
newinfo->size = size;
for_each_cpu(cpu) {
if (size <= PAGE_SIZE)
newinfo->entries[cpu] = kmalloc_node(size,
GFP_KERNEL,
cpu_to_node(cpu));
else
newinfo->entries[cpu] = vmalloc_node(size,
cpu_to_node(cpu));
if (newinfo->entries[cpu] == NULL) {
free_table_info(newinfo);
return NULL;
}
}
return newinfo;
}
static int do_replace(void __user *user, unsigned int len) static int do_replace(void __user *user, unsigned int len)
{ {
int ret; int ret;
struct arpt_replace tmp; struct arpt_replace tmp;
struct arpt_table *t; struct arpt_table *t;
struct arpt_table_info *newinfo, *oldinfo; struct xt_table_info *newinfo, *oldinfo;
struct arpt_counters *counters; struct xt_counters *counters;
void *loc_cpu_entry, *loc_cpu_old_entry; void *loc_cpu_entry, *loc_cpu_old_entry;
if (copy_from_user(&tmp, user, sizeof(tmp)) != 0) if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
@ -989,11 +807,7 @@ static int do_replace(void __user *user, unsigned int len)
if (len != sizeof(tmp) + tmp.size) if (len != sizeof(tmp) + tmp.size)
return -ENOPROTOOPT; return -ENOPROTOOPT;
/* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ newinfo = xt_alloc_table_info(tmp.size);
if ((SMP_ALIGN(tmp.size) >> PAGE_SHIFT) + 2 > num_physpages)
return -ENOMEM;
newinfo = alloc_table_info(tmp.size);
if (!newinfo) if (!newinfo)
return -ENOMEM; return -ENOMEM;
@ -1005,7 +819,7 @@ static int do_replace(void __user *user, unsigned int len)
goto free_newinfo; goto free_newinfo;
} }
counters = vmalloc(tmp.num_counters * sizeof(struct arpt_counters)); counters = vmalloc(tmp.num_counters * sizeof(struct xt_counters));
if (!counters) { if (!counters) {
ret = -ENOMEM; ret = -ENOMEM;
goto free_newinfo; goto free_newinfo;
@ -1019,7 +833,7 @@ static int do_replace(void __user *user, unsigned int len)
duprintf("arp_tables: Translated table\n"); duprintf("arp_tables: Translated table\n");
t = try_then_request_module(find_table_lock(tmp.name), t = try_then_request_module(xt_find_table_lock(NF_ARP, tmp.name),
"arptable_%s", tmp.name); "arptable_%s", tmp.name);
if (!t || IS_ERR(t)) { if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT; ret = t ? PTR_ERR(t) : -ENOENT;
@ -1034,7 +848,7 @@ static int do_replace(void __user *user, unsigned int len)
goto put_module; goto put_module;
} }
oldinfo = replace_table(t, tmp.num_counters, newinfo, &ret); oldinfo = xt_replace_table(t, tmp.num_counters, newinfo, &ret);
if (!oldinfo) if (!oldinfo)
goto put_module; goto put_module;
@ -1054,23 +868,23 @@ static int do_replace(void __user *user, unsigned int len)
loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()]; loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
ARPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL); ARPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
free_table_info(oldinfo); xt_free_table_info(oldinfo);
if (copy_to_user(tmp.counters, counters, if (copy_to_user(tmp.counters, counters,
sizeof(struct arpt_counters) * tmp.num_counters) != 0) sizeof(struct xt_counters) * tmp.num_counters) != 0)
ret = -EFAULT; ret = -EFAULT;
vfree(counters); vfree(counters);
up(&arpt_mutex); xt_table_unlock(t);
return ret; return ret;
put_module: put_module:
module_put(t->me); module_put(t->me);
up(&arpt_mutex); xt_table_unlock(t);
free_newinfo_counters_untrans: free_newinfo_counters_untrans:
ARPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL); ARPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
free_newinfo_counters: free_newinfo_counters:
vfree(counters); vfree(counters);
free_newinfo: free_newinfo:
free_table_info(newinfo); xt_free_table_info(newinfo);
return ret; return ret;
} }
@ -1078,7 +892,7 @@ static int do_replace(void __user *user, unsigned int len)
* and everything is OK. * and everything is OK.
*/ */
static inline int add_counter_to_entry(struct arpt_entry *e, static inline int add_counter_to_entry(struct arpt_entry *e,
const struct arpt_counters addme[], const struct xt_counters addme[],
unsigned int *i) unsigned int *i)
{ {
@ -1091,15 +905,16 @@ static inline int add_counter_to_entry(struct arpt_entry *e,
static int do_add_counters(void __user *user, unsigned int len) static int do_add_counters(void __user *user, unsigned int len)
{ {
unsigned int i; unsigned int i;
struct arpt_counters_info tmp, *paddc; struct xt_counters_info tmp, *paddc;
struct arpt_table *t; struct arpt_table *t;
struct xt_table_info *private;
int ret = 0; int ret = 0;
void *loc_cpu_entry; void *loc_cpu_entry;
if (copy_from_user(&tmp, user, sizeof(tmp)) != 0) if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
return -EFAULT; return -EFAULT;
if (len != sizeof(tmp) + tmp.num_counters*sizeof(struct arpt_counters)) if (len != sizeof(tmp) + tmp.num_counters*sizeof(struct xt_counters))
return -EINVAL; return -EINVAL;
paddc = vmalloc(len); paddc = vmalloc(len);
@ -1111,29 +926,30 @@ static int do_add_counters(void __user *user, unsigned int len)
goto free; goto free;
} }
t = find_table_lock(tmp.name); t = xt_find_table_lock(NF_ARP, tmp.name);
if (!t || IS_ERR(t)) { if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT; ret = t ? PTR_ERR(t) : -ENOENT;
goto free; goto free;
} }
write_lock_bh(&t->lock); write_lock_bh(&t->lock);
if (t->private->number != paddc->num_counters) { private = t->private;
if (private->number != paddc->num_counters) {
ret = -EINVAL; ret = -EINVAL;
goto unlock_up_free; goto unlock_up_free;
} }
i = 0; i = 0;
/* Choose the copy that is on our node */ /* Choose the copy that is on our node */
loc_cpu_entry = t->private->entries[smp_processor_id()]; loc_cpu_entry = private->entries[smp_processor_id()];
ARPT_ENTRY_ITERATE(loc_cpu_entry, ARPT_ENTRY_ITERATE(loc_cpu_entry,
t->private->size, private->size,
add_counter_to_entry, add_counter_to_entry,
paddc->counters, paddc->counters,
&i); &i);
unlock_up_free: unlock_up_free:
write_unlock_bh(&t->lock); write_unlock_bh(&t->lock);
up(&arpt_mutex); xt_table_unlock(t);
module_put(t->me); module_put(t->me);
free: free:
vfree(paddc); vfree(paddc);
@ -1190,25 +1006,26 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
} }
name[ARPT_TABLE_MAXNAMELEN-1] = '\0'; name[ARPT_TABLE_MAXNAMELEN-1] = '\0';
t = try_then_request_module(find_table_lock(name), t = try_then_request_module(xt_find_table_lock(NF_ARP, name),
"arptable_%s", name); "arptable_%s", name);
if (t && !IS_ERR(t)) { if (t && !IS_ERR(t)) {
struct arpt_getinfo info; struct arpt_getinfo info;
struct xt_table_info *private = t->private;
info.valid_hooks = t->valid_hooks; info.valid_hooks = t->valid_hooks;
memcpy(info.hook_entry, t->private->hook_entry, memcpy(info.hook_entry, private->hook_entry,
sizeof(info.hook_entry)); sizeof(info.hook_entry));
memcpy(info.underflow, t->private->underflow, memcpy(info.underflow, private->underflow,
sizeof(info.underflow)); sizeof(info.underflow));
info.num_entries = t->private->number; info.num_entries = private->number;
info.size = t->private->size; info.size = private->size;
strcpy(info.name, name); strcpy(info.name, name);
if (copy_to_user(user, &info, *len) != 0) if (copy_to_user(user, &info, *len) != 0)
ret = -EFAULT; ret = -EFAULT;
else else
ret = 0; ret = 0;
up(&arpt_mutex); xt_table_unlock(t);
module_put(t->me); module_put(t->me);
} else } else
ret = t ? PTR_ERR(t) : -ENOENT; ret = t ? PTR_ERR(t) : -ENOENT;
@ -1233,7 +1050,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
} }
case ARPT_SO_GET_REVISION_TARGET: { case ARPT_SO_GET_REVISION_TARGET: {
struct arpt_get_revision rev; struct xt_get_revision rev;
if (*len != sizeof(rev)) { if (*len != sizeof(rev)) {
ret = -EINVAL; ret = -EINVAL;
@ -1244,8 +1061,8 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
break; break;
} }
try_then_request_module(find_revision(rev.name, rev.revision, try_then_request_module(xt_find_revision(NF_ARP, rev.name,
target_revfn, &ret), rev.revision, 1, &ret),
"arpt_%s", rev.name); "arpt_%s", rev.name);
break; break;
} }
@ -1258,38 +1075,16 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
return ret; return ret;
} }
/* Registration hooks for targets. */
int arpt_register_target(struct arpt_target *target)
{
int ret;
ret = down_interruptible(&arpt_mutex);
if (ret != 0)
return ret;
list_add(&target->list, &arpt_target);
up(&arpt_mutex);
return ret;
}
void arpt_unregister_target(struct arpt_target *target)
{
down(&arpt_mutex);
LIST_DELETE(&arpt_target, target);
up(&arpt_mutex);
}
int arpt_register_table(struct arpt_table *table, int arpt_register_table(struct arpt_table *table,
const struct arpt_replace *repl) const struct arpt_replace *repl)
{ {
int ret; int ret;
struct arpt_table_info *newinfo; struct xt_table_info *newinfo;
static struct arpt_table_info bootstrap static struct xt_table_info bootstrap
= { 0, 0, 0, { 0 }, { 0 }, { } }; = { 0, 0, 0, { 0 }, { 0 }, { } };
void *loc_cpu_entry; void *loc_cpu_entry;
newinfo = alloc_table_info(repl->size); newinfo = xt_alloc_table_info(repl->size);
if (!newinfo) { if (!newinfo) {
ret = -ENOMEM; ret = -ENOMEM;
return ret; return ret;
@ -1304,60 +1099,33 @@ int arpt_register_table(struct arpt_table *table,
repl->num_entries, repl->num_entries,
repl->hook_entry, repl->hook_entry,
repl->underflow); repl->underflow);
duprintf("arpt_register_table: translate table gives %d\n", ret); duprintf("arpt_register_table: translate table gives %d\n", ret);
if (ret != 0) { if (ret != 0) {
free_table_info(newinfo); xt_free_table_info(newinfo);
return ret; return ret;
} }
ret = down_interruptible(&arpt_mutex); if (xt_register_table(table, &bootstrap, newinfo) != 0) {
if (ret != 0) { xt_free_table_info(newinfo);
free_table_info(newinfo);
return ret; return ret;
} }
/* Don't autoload: we'd eat our tail... */ return 0;
if (list_named_find(&arpt_tables, table->name)) {
ret = -EEXIST;
goto free_unlock;
}
/* Simplifies replace_table code. */
table->private = &bootstrap;
if (!replace_table(table, 0, newinfo, &ret))
goto free_unlock;
duprintf("table->private->number = %u\n",
table->private->number);
/* save number of initial entries */
table->private->initial_entries = table->private->number;
rwlock_init(&table->lock);
list_prepend(&arpt_tables, table);
unlock:
up(&arpt_mutex);
return ret;
free_unlock:
free_table_info(newinfo);
goto unlock;
} }
void arpt_unregister_table(struct arpt_table *table) void arpt_unregister_table(struct arpt_table *table)
{ {
struct xt_table_info *private;
void *loc_cpu_entry; void *loc_cpu_entry;
down(&arpt_mutex); private = xt_unregister_table(table);
LIST_DELETE(&arpt_tables, table);
up(&arpt_mutex);
/* Decrease module usage counts and free resources */ /* Decrease module usage counts and free resources */
loc_cpu_entry = table->private->entries[raw_smp_processor_id()]; loc_cpu_entry = private->entries[raw_smp_processor_id()];
ARPT_ENTRY_ITERATE(loc_cpu_entry, table->private->size, ARPT_ENTRY_ITERATE(loc_cpu_entry, private->size,
cleanup_entry, NULL); cleanup_entry, NULL);
free_table_info(table->private); xt_free_table_info(private);
} }
/* The built-in targets: standard (NULL) and error. */ /* The built-in targets: standard (NULL) and error. */
@ -1380,52 +1148,15 @@ static struct nf_sockopt_ops arpt_sockopts = {
.get = do_arpt_get_ctl, .get = do_arpt_get_ctl,
}; };
#ifdef CONFIG_PROC_FS
static inline int print_name(const struct arpt_table *t,
off_t start_offset, char *buffer, int length,
off_t *pos, unsigned int *count)
{
if ((*count)++ >= start_offset) {
unsigned int namelen;
namelen = sprintf(buffer + *pos, "%s\n", t->name);
if (*pos + namelen > length) {
/* Stop iterating */
return 1;
}
*pos += namelen;
}
return 0;
}
static int arpt_get_tables(char *buffer, char **start, off_t offset, int length)
{
off_t pos = 0;
unsigned int count = 0;
if (down_interruptible(&arpt_mutex) != 0)
return 0;
LIST_FIND(&arpt_tables, print_name, struct arpt_table *,
offset, buffer, length, &pos, &count);
up(&arpt_mutex);
/* `start' hack - see fs/proc/generic.c line ~105 */
*start=(char *)((unsigned long)count-offset);
return pos;
}
#endif /*CONFIG_PROC_FS*/
static int __init init(void) static int __init init(void)
{ {
int ret; int ret;
xt_proto_init(NF_ARP);
/* Noone else will be downing sem now, so we won't sleep */ /* Noone else will be downing sem now, so we won't sleep */
down(&arpt_mutex); xt_register_target(NF_ARP, &arpt_standard_target);
list_append(&arpt_target, &arpt_standard_target); xt_register_target(NF_ARP, &arpt_error_target);
list_append(&arpt_target, &arpt_error_target);
up(&arpt_mutex);
/* Register setsockopt */ /* Register setsockopt */
ret = nf_register_sockopt(&arpt_sockopts); ret = nf_register_sockopt(&arpt_sockopts);
@ -1434,19 +1165,6 @@ static int __init init(void)
return ret; return ret;
} }
#ifdef CONFIG_PROC_FS
{
struct proc_dir_entry *proc;
proc = proc_net_create("arp_tables_names", 0, arpt_get_tables);
if (!proc) {
nf_unregister_sockopt(&arpt_sockopts);
return -ENOMEM;
}
proc->owner = THIS_MODULE;
}
#endif
printk("arp_tables: (C) 2002 David S. Miller\n"); printk("arp_tables: (C) 2002 David S. Miller\n");
return 0; return 0;
} }
@ -1454,16 +1172,12 @@ static int __init init(void)
static void __exit fini(void) static void __exit fini(void)
{ {
nf_unregister_sockopt(&arpt_sockopts); nf_unregister_sockopt(&arpt_sockopts);
#ifdef CONFIG_PROC_FS xt_proto_fini(NF_ARP);
proc_net_remove("arp_tables_names");
#endif
} }
EXPORT_SYMBOL(arpt_register_table); EXPORT_SYMBOL(arpt_register_table);
EXPORT_SYMBOL(arpt_unregister_table); EXPORT_SYMBOL(arpt_unregister_table);
EXPORT_SYMBOL(arpt_do_table); EXPORT_SYMBOL(arpt_do_table);
EXPORT_SYMBOL(arpt_register_target);
EXPORT_SYMBOL(arpt_unregister_target);
module_init(init); module_init(init);
module_exit(fini); module_exit(fini);

View file

@ -8,8 +8,9 @@ MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
MODULE_DESCRIPTION("arptables arp payload mangle target"); MODULE_DESCRIPTION("arptables arp payload mangle target");
static unsigned int static unsigned int
target(struct sk_buff **pskb, unsigned int hooknum, const struct net_device *in, target(struct sk_buff **pskb, const struct net_device *in,
const struct net_device *out, const void *targinfo, void *userinfo) const struct net_device *out, unsigned int hooknum, const void *targinfo,
void *userinfo)
{ {
const struct arpt_mangle *mangle = targinfo; const struct arpt_mangle *mangle = targinfo;
struct arphdr *arp; struct arphdr *arp;
@ -64,7 +65,7 @@ target(struct sk_buff **pskb, unsigned int hooknum, const struct net_device *in,
} }
static int static int
checkentry(const char *tablename, const struct arpt_entry *e, void *targinfo, checkentry(const char *tablename, const void *e, void *targinfo,
unsigned int targinfosize, unsigned int hook_mask) unsigned int targinfosize, unsigned int hook_mask)
{ {
const struct arpt_mangle *mangle = targinfo; const struct arpt_mangle *mangle = targinfo;

View file

@ -145,6 +145,7 @@ static struct arpt_table packet_filter = {
.lock = RW_LOCK_UNLOCKED, .lock = RW_LOCK_UNLOCKED,
.private = NULL, .private = NULL,
.me = THIS_MODULE, .me = THIS_MODULE,
.af = NF_ARP,
}; };
/* The work comes in here from netfilter.c */ /* The work comes in here from netfilter.c */

View file

@ -944,7 +944,7 @@ module_exit(fini);
/* Some modules need us, but don't depend directly on any symbol. /* Some modules need us, but don't depend directly on any symbol.
They should call this. */ They should call this. */
void need_ip_conntrack(void) void need_conntrack(void)
{ {
} }
@ -962,7 +962,7 @@ EXPORT_SYMBOL(ip_ct_get_tuple);
EXPORT_SYMBOL(invert_tuplepr); EXPORT_SYMBOL(invert_tuplepr);
EXPORT_SYMBOL(ip_conntrack_alter_reply); EXPORT_SYMBOL(ip_conntrack_alter_reply);
EXPORT_SYMBOL(ip_conntrack_destroyed); EXPORT_SYMBOL(ip_conntrack_destroyed);
EXPORT_SYMBOL(need_ip_conntrack); EXPORT_SYMBOL(need_conntrack);
EXPORT_SYMBOL(ip_conntrack_helper_register); EXPORT_SYMBOL(ip_conntrack_helper_register);
EXPORT_SYMBOL(ip_conntrack_helper_unregister); EXPORT_SYMBOL(ip_conntrack_helper_unregister);
EXPORT_SYMBOL(ip_ct_iterate_cleanup); EXPORT_SYMBOL(ip_ct_iterate_cleanup);

View file

@ -95,6 +95,7 @@ static struct ipt_table nat_table = {
.valid_hooks = NAT_VALID_HOOKS, .valid_hooks = NAT_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED, .lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE, .me = THIS_MODULE,
.af = AF_INET,
}; };
/* Source NAT */ /* Source NAT */
@ -168,7 +169,7 @@ static unsigned int ipt_dnat_target(struct sk_buff **pskb,
} }
static int ipt_snat_checkentry(const char *tablename, static int ipt_snat_checkentry(const char *tablename,
const struct ipt_entry *e, const void *entry,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
@ -201,7 +202,7 @@ static int ipt_snat_checkentry(const char *tablename,
} }
static int ipt_dnat_checkentry(const char *tablename, static int ipt_dnat_checkentry(const char *tablename,
const struct ipt_entry *e, const void *entry,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -364,7 +364,7 @@ static int init_or_cleanup(int init)
{ {
int ret = 0; int ret = 0;
need_ip_conntrack(); need_conntrack();
if (!init) goto cleanup; if (!init) goto cleanup;

File diff suppressed because it is too large Load diff

View file

@ -379,12 +379,13 @@ target(struct sk_buff **pskb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
struct ipt_clusterip_tgt_info *cipinfo = targinfo; struct ipt_clusterip_tgt_info *cipinfo = targinfo;
const struct ipt_entry *e = e_void;
struct clusterip_config *config; struct clusterip_config *config;

View file

@ -57,7 +57,7 @@ target(struct sk_buff **pskb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -113,12 +113,13 @@ target(struct sk_buff **pskb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo; const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
const struct ipt_entry *e = e_void;
if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ECN_info))) { if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ECN_info))) {
printk(KERN_WARNING "ECN: targinfosize %u != %Zu\n", printk(KERN_WARNING "ECN: targinfosize %u != %Zu\n",

View file

@ -431,7 +431,7 @@ ipt_log_target(struct sk_buff **pskb,
} }
static int ipt_log_checkentry(const char *tablename, static int ipt_log_checkentry(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -40,7 +40,7 @@ static DEFINE_RWLOCK(masq_lock);
/* FIXME: Multiple targets. --RR */ /* FIXME: Multiple targets. --RR */
static int static int
masquerade_check(const char *tablename, masquerade_check(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -31,7 +31,7 @@ MODULE_DESCRIPTION("iptables 1:1 NAT mapping of IP networks target");
static int static int
check(const char *tablename, check(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -1,70 +0,0 @@
/* iptables module for using new netfilter netlink queue
*
* (C) 2005 by Harald Welte <laforge@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_NFQUEUE.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("iptables NFQUEUE target");
MODULE_LICENSE("GPL");
static unsigned int
target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userinfo)
{
const struct ipt_NFQ_info *tinfo = targinfo;
return NF_QUEUE_NR(tinfo->queuenum);
}
static int
checkentry(const char *tablename,
const struct ipt_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
{
if (targinfosize != IPT_ALIGN(sizeof(struct ipt_NFQ_info))) {
printk(KERN_WARNING "NFQUEUE: targinfosize %u != %Zu\n",
targinfosize,
IPT_ALIGN(sizeof(struct ipt_NFQ_info)));
return 0;
}
return 1;
}
static struct ipt_target ipt_NFQ_reg = {
.name = "NFQUEUE",
.target = target,
.checkentry = checkentry,
.me = THIS_MODULE,
};
static int __init init(void)
{
return ipt_register_target(&ipt_NFQ_reg);
}
static void __exit fini(void)
{
ipt_unregister_target(&ipt_NFQ_reg);
}
module_init(init);
module_exit(fini);

View file

@ -33,7 +33,7 @@ MODULE_DESCRIPTION("iptables REDIRECT target module");
/* FIXME: Take multiple ranges --RR */ /* FIXME: Take multiple ranges --RR */
static int static int
redirect_check(const char *tablename, redirect_check(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -282,12 +282,13 @@ static unsigned int reject(struct sk_buff **pskb,
} }
static int check(const char *tablename, static int check(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_reject_info *rejinfo = targinfo; const struct ipt_reject_info *rejinfo = targinfo;
const struct ipt_entry *e = e_void;
if (targinfosize != IPT_ALIGN(sizeof(struct ipt_reject_info))) { if (targinfosize != IPT_ALIGN(sizeof(struct ipt_reject_info))) {
DEBUGP("REJECT: targinfosize %u != 0\n", targinfosize); DEBUGP("REJECT: targinfosize %u != 0\n", targinfosize);

View file

@ -49,7 +49,7 @@ MODULE_DESCRIPTION("iptables special SNAT module for consistent sourceip");
static int static int
same_check(const char *tablename, same_check(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -210,12 +210,13 @@ static inline int find_syn_match(const struct ipt_entry_match *m)
/* Must specify -p tcp --syn/--tcp-flags SYN */ /* Must specify -p tcp --syn/--tcp-flags SYN */
static int static int
ipt_tcpmss_checkentry(const char *tablename, ipt_tcpmss_checkentry(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_tcpmss_info *tcpmssinfo = targinfo; const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
const struct ipt_entry *e = e_void;
if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tcpmss_info))) { if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tcpmss_info))) {
DEBUGP("ipt_tcpmss_checkentry: targinfosize %u != %u\n", DEBUGP("ipt_tcpmss_checkentry: targinfosize %u != %u\n",

View file

@ -52,7 +52,7 @@ target(struct sk_buff **pskb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_entry *e, const void *e_void,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -66,7 +66,7 @@ ipt_ttl_target(struct sk_buff **pskb, const struct net_device *in,
} }
static int ipt_ttl_checkentry(const char *tablename, static int ipt_ttl_checkentry(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -330,7 +330,7 @@ static void ipt_logfn(unsigned int pf,
} }
static int ipt_ulog_checkentry(const char *tablename, static int ipt_ulog_checkentry(const char *tablename,
const struct ipt_entry *e, const void *e,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hookmask) unsigned int hookmask)

View file

@ -29,7 +29,7 @@ static inline int match_type(u_int32_t addr, u_int16_t mask)
static int match(const struct sk_buff *skb, const struct net_device *in, static int match(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *matchinfo, const struct net_device *out, const void *matchinfo,
int offset, int *hotdrop) int offset, unsigned int protoff, int *hotdrop)
{ {
const struct ipt_addrtype_info *info = matchinfo; const struct ipt_addrtype_info *info = matchinfo;
const struct iphdr *iph = skb->nh.iph; const struct iphdr *iph = skb->nh.iph;
@ -43,7 +43,7 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
return ret; return ret;
} }
static int checkentry(const char *tablename, const struct ipt_ip *ip, static int checkentry(const char *tablename, const void *ip,
void *matchinfo, unsigned int matchsize, void *matchinfo, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
{ {

View file

@ -41,6 +41,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
struct ip_auth_hdr _ahdr, *ah; struct ip_auth_hdr _ahdr, *ah;
@ -50,7 +51,7 @@ match(const struct sk_buff *skb,
if (offset) if (offset)
return 0; return 0;
ah = skb_header_pointer(skb, skb->nh.iph->ihl * 4, ah = skb_header_pointer(skb, protoff,
sizeof(_ahdr), &_ahdr); sizeof(_ahdr), &_ahdr);
if (ah == NULL) { if (ah == NULL) {
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
@ -69,12 +70,13 @@ match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */ /* Called when user tries to insert an entry of this type. */
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip_void,
void *matchinfo, void *matchinfo,
unsigned int matchinfosize, unsigned int matchinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_ah *ahinfo = matchinfo; const struct ipt_ah *ahinfo = matchinfo;
const struct ipt_ip *ip = ip_void;
/* Must specify proto == AH, and no unknown invflags */ /* Must specify proto == AH, and no unknown invflags */
if (ip->proto != IPPROTO_AH || (ip->invflags & IPT_INV_PROTO)) { if (ip->proto != IPPROTO_AH || (ip->invflags & IPT_INV_PROTO)) {

View file

@ -21,7 +21,7 @@ MODULE_LICENSE("GPL");
static int match(const struct sk_buff *skb, const struct net_device *in, static int match(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *matchinfo, const struct net_device *out, const void *matchinfo,
int offset, int *hotdrop) int offset, unsigned int protoff, int *hotdrop)
{ {
const struct ipt_dscp_info *info = matchinfo; const struct ipt_dscp_info *info = matchinfo;
const struct iphdr *iph = skb->nh.iph; const struct iphdr *iph = skb->nh.iph;
@ -31,7 +31,7 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
return ((iph->tos&IPT_DSCP_MASK) == sh_dscp) ^ info->invert; return ((iph->tos&IPT_DSCP_MASK) == sh_dscp) ^ info->invert;
} }
static int checkentry(const char *tablename, const struct ipt_ip *ip, static int checkentry(const char *tablename, const void *ip,
void *matchinfo, unsigned int matchsize, void *matchinfo, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
{ {

View file

@ -67,7 +67,7 @@ static inline int match_tcp(const struct sk_buff *skb,
static int match(const struct sk_buff *skb, const struct net_device *in, static int match(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *matchinfo, const struct net_device *out, const void *matchinfo,
int offset, int *hotdrop) int offset, unsigned int protoff, int *hotdrop)
{ {
const struct ipt_ecn_info *info = matchinfo; const struct ipt_ecn_info *info = matchinfo;
@ -85,11 +85,12 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
return 1; return 1;
} }
static int checkentry(const char *tablename, const struct ipt_ip *ip, static int checkentry(const char *tablename, const void *ip_void,
void *matchinfo, unsigned int matchsize, void *matchinfo, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_ecn_info *info = matchinfo; const struct ipt_ecn_info *info = matchinfo;
const struct ipt_ip *ip = ip_void;
if (matchsize != IPT_ALIGN(sizeof(struct ipt_ecn_info))) if (matchsize != IPT_ALIGN(sizeof(struct ipt_ecn_info)))
return 0; return 0;

View file

@ -42,6 +42,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
struct ip_esp_hdr _esp, *eh; struct ip_esp_hdr _esp, *eh;
@ -51,7 +52,7 @@ match(const struct sk_buff *skb,
if (offset) if (offset)
return 0; return 0;
eh = skb_header_pointer(skb, skb->nh.iph->ihl * 4, eh = skb_header_pointer(skb, protoff,
sizeof(_esp), &_esp); sizeof(_esp), &_esp);
if (eh == NULL) { if (eh == NULL) {
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
@ -70,12 +71,13 @@ match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */ /* Called when user tries to insert an entry of this type. */
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip_void,
void *matchinfo, void *matchinfo,
unsigned int matchinfosize, unsigned int matchinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_esp *espinfo = matchinfo; const struct ipt_esp *espinfo = matchinfo;
const struct ipt_ip *ip = ip_void;
/* Must specify proto == ESP, and no unknown invflags */ /* Must specify proto == ESP, and no unknown invflags */
if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) { if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) {

View file

@ -429,6 +429,7 @@ hashlimit_match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
struct ipt_hashlimit_info *r = struct ipt_hashlimit_info *r =
@ -504,7 +505,7 @@ hashlimit_match(const struct sk_buff *skb,
static int static int
hashlimit_checkentry(const char *tablename, hashlimit_checkentry(const char *tablename,
const struct ipt_ip *ip, const void *inf,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -28,7 +28,7 @@ match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *in,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int *hotdrop) int offset, unsigned int protoff, int *hotdrop)
{ {
const struct ipt_iprange_info *info = matchinfo; const struct ipt_iprange_info *info = matchinfo;
const struct iphdr *iph = skb->nh.iph; const struct iphdr *iph = skb->nh.iph;
@ -63,7 +63,7 @@ match(const struct sk_buff *skb,
} }
static int check(const char *tablename, static int check(const char *tablename,
const struct ipt_ip *ip, const void *inf,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -1,64 +0,0 @@
/* Kernel module to match packet length. */
/* (C) 1999-2001 James Morris <jmorros@intercode.com.au>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4/ipt_length.h>
#include <linux/netfilter_ipv4/ip_tables.h>
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
MODULE_DESCRIPTION("IP tables packet length matching module");
MODULE_LICENSE("GPL");
static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
int *hotdrop)
{
const struct ipt_length_info *info = matchinfo;
u_int16_t pktlen = ntohs(skb->nh.iph->tot_len);
return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
}
static int
checkentry(const char *tablename,
const struct ipt_ip *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
if (matchsize != IPT_ALIGN(sizeof(struct ipt_length_info)))
return 0;
return 1;
}
static struct ipt_match length_match = {
.name = "length",
.match = &match,
.checkentry = &checkentry,
.me = THIS_MODULE,
};
static int __init init(void)
{
return ipt_register_match(&length_match);
}
static void __exit fini(void)
{
ipt_unregister_match(&length_match);
}
module_init(init);
module_exit(fini);

View file

@ -97,6 +97,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
u16 _ports[2], *pptr; u16 _ports[2], *pptr;
@ -105,7 +106,7 @@ match(const struct sk_buff *skb,
if (offset) if (offset)
return 0; return 0;
pptr = skb_header_pointer(skb, skb->nh.iph->ihl * 4, pptr = skb_header_pointer(skb, protoff,
sizeof(_ports), _ports); sizeof(_ports), _ports);
if (pptr == NULL) { if (pptr == NULL) {
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
@ -128,6 +129,7 @@ match_v1(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
u16 _ports[2], *pptr; u16 _ports[2], *pptr;
@ -136,7 +138,7 @@ match_v1(const struct sk_buff *skb,
if (offset) if (offset)
return 0; return 0;
pptr = skb_header_pointer(skb, skb->nh.iph->ihl * 4, pptr = skb_header_pointer(skb, protoff,
sizeof(_ports), _ports); sizeof(_ports), _ports);
if (pptr == NULL) { if (pptr == NULL) {
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
@ -154,7 +156,7 @@ match_v1(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */ /* Called when user tries to insert an entry of this type. */
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
@ -164,7 +166,7 @@ checkentry(const char *tablename,
static int static int
checkentry_v1(const char *tablename, checkentry_v1(const char *tablename,
const struct ipt_ip *ip, const void *ip,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -27,6 +27,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
const struct ipt_owner_info *info = matchinfo; const struct ipt_owner_info *info = matchinfo;
@ -51,7 +52,7 @@ match(const struct sk_buff *skb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -1,135 +0,0 @@
/* Kernel module to match the bridge port in and
* out device for IP packets coming into contact with a bridge. */
/* (C) 2001-2003 Bart De Schuymer <bdschuym@pandora.be>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4/ipt_physdev.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_bridge.h>
#define MATCH 1
#define NOMATCH 0
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
MODULE_DESCRIPTION("iptables bridge physical device match module");
static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
int *hotdrop)
{
int i;
static const char nulldevname[IFNAMSIZ];
const struct ipt_physdev_info *info = matchinfo;
unsigned int ret;
const char *indev, *outdev;
struct nf_bridge_info *nf_bridge;
/* Not a bridged IP packet or no info available yet:
* LOCAL_OUT/mangle and LOCAL_OUT/nat don't know if
* the destination device will be a bridge. */
if (!(nf_bridge = skb->nf_bridge)) {
/* Return MATCH if the invert flags of the used options are on */
if ((info->bitmask & IPT_PHYSDEV_OP_BRIDGED) &&
!(info->invert & IPT_PHYSDEV_OP_BRIDGED))
return NOMATCH;
if ((info->bitmask & IPT_PHYSDEV_OP_ISIN) &&
!(info->invert & IPT_PHYSDEV_OP_ISIN))
return NOMATCH;
if ((info->bitmask & IPT_PHYSDEV_OP_ISOUT) &&
!(info->invert & IPT_PHYSDEV_OP_ISOUT))
return NOMATCH;
if ((info->bitmask & IPT_PHYSDEV_OP_IN) &&
!(info->invert & IPT_PHYSDEV_OP_IN))
return NOMATCH;
if ((info->bitmask & IPT_PHYSDEV_OP_OUT) &&
!(info->invert & IPT_PHYSDEV_OP_OUT))
return NOMATCH;
return MATCH;
}
/* This only makes sense in the FORWARD and POSTROUTING chains */
if ((info->bitmask & IPT_PHYSDEV_OP_BRIDGED) &&
(!!(nf_bridge->mask & BRNF_BRIDGED) ^
!(info->invert & IPT_PHYSDEV_OP_BRIDGED)))
return NOMATCH;
if ((info->bitmask & IPT_PHYSDEV_OP_ISIN &&
(!nf_bridge->physindev ^ !!(info->invert & IPT_PHYSDEV_OP_ISIN))) ||
(info->bitmask & IPT_PHYSDEV_OP_ISOUT &&
(!nf_bridge->physoutdev ^ !!(info->invert & IPT_PHYSDEV_OP_ISOUT))))
return NOMATCH;
if (!(info->bitmask & IPT_PHYSDEV_OP_IN))
goto match_outdev;
indev = nf_bridge->physindev ? nf_bridge->physindev->name : nulldevname;
for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned int); i++) {
ret |= (((const unsigned int *)indev)[i]
^ ((const unsigned int *)info->physindev)[i])
& ((const unsigned int *)info->in_mask)[i];
}
if ((ret == 0) ^ !(info->invert & IPT_PHYSDEV_OP_IN))
return NOMATCH;
match_outdev:
if (!(info->bitmask & IPT_PHYSDEV_OP_OUT))
return MATCH;
outdev = nf_bridge->physoutdev ?
nf_bridge->physoutdev->name : nulldevname;
for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned int); i++) {
ret |= (((const unsigned int *)outdev)[i]
^ ((const unsigned int *)info->physoutdev)[i])
& ((const unsigned int *)info->out_mask)[i];
}
return (ret != 0) ^ !(info->invert & IPT_PHYSDEV_OP_OUT);
}
static int
checkentry(const char *tablename,
const struct ipt_ip *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
const struct ipt_physdev_info *info = matchinfo;
if (matchsize != IPT_ALIGN(sizeof(struct ipt_physdev_info)))
return 0;
if (!(info->bitmask & IPT_PHYSDEV_OP_MASK) ||
info->bitmask & ~IPT_PHYSDEV_OP_MASK)
return 0;
return 1;
}
static struct ipt_match physdev_match = {
.name = "physdev",
.match = &match,
.checkentry = &checkentry,
.me = THIS_MODULE,
};
static int __init init(void)
{
return ipt_register_match(&physdev_match);
}
static void __exit fini(void)
{
ipt_unregister_match(&physdev_match);
}
module_init(init);
module_exit(fini);

View file

@ -104,6 +104,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop); int *hotdrop);
/* Function to hash a given address into the hash table of table_size size */ /* Function to hash a given address into the hash table of table_size size */
@ -317,7 +318,7 @@ static int ip_recent_ctrl(struct file *file, const char __user *input, unsigned
skb->nh.iph->daddr = 0; skb->nh.iph->daddr = 0;
/* Clear ttl since we have no way of knowing it */ /* Clear ttl since we have no way of knowing it */
skb->nh.iph->ttl = 0; skb->nh.iph->ttl = 0;
match(skb,NULL,NULL,info,0,NULL); match(skb,NULL,NULL,info,0,0,NULL);
kfree(skb->nh.iph); kfree(skb->nh.iph);
out_free_skb: out_free_skb:
@ -357,6 +358,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
int pkt_count, hits_found, ans; int pkt_count, hits_found, ans;
@ -654,7 +656,7 @@ match(const struct sk_buff *skb,
*/ */
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -23,6 +23,7 @@ match(const struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
const struct ipt_tos_info *info = matchinfo; const struct ipt_tos_info *info = matchinfo;
@ -32,7 +33,7 @@ match(const struct sk_buff *skb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const struct ipt_ip *ip, const void *ip,
void *matchinfo, void *matchinfo,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)

View file

@ -21,7 +21,7 @@ MODULE_LICENSE("GPL");
static int match(const struct sk_buff *skb, const struct net_device *in, static int match(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *matchinfo, const struct net_device *out, const void *matchinfo,
int offset, int *hotdrop) int offset, unsigned int protoff, int *hotdrop)
{ {
const struct ipt_ttl_info *info = matchinfo; const struct ipt_ttl_info *info = matchinfo;
@ -47,7 +47,7 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
return 0; return 0;
} }
static int checkentry(const char *tablename, const struct ipt_ip *ip, static int checkentry(const char *tablename, const void *ip,
void *matchinfo, unsigned int matchsize, void *matchinfo, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
{ {

View file

@ -78,7 +78,8 @@ static struct ipt_table packet_filter = {
.name = "filter", .name = "filter",
.valid_hooks = FILTER_VALID_HOOKS, .valid_hooks = FILTER_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED, .lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE .me = THIS_MODULE,
.af = AF_INET,
}; };
/* The work comes in here from netfilter.c. */ /* The work comes in here from netfilter.c. */

View file

@ -109,6 +109,7 @@ static struct ipt_table packet_mangler = {
.valid_hooks = MANGLE_VALID_HOOKS, .valid_hooks = MANGLE_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED, .lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE, .me = THIS_MODULE,
.af = AF_INET,
}; };
/* The work comes in here from netfilter.c. */ /* The work comes in here from netfilter.c. */

View file

@ -83,7 +83,8 @@ static struct ipt_table packet_raw = {
.name = "raw", .name = "raw",
.valid_hooks = RAW_VALID_HOOKS, .valid_hooks = RAW_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED, .lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE .me = THIS_MODULE,
.af = AF_INET,
}; };
/* The work comes in here from netfilter.c. */ /* The work comes in here from netfilter.c. */

View file

@ -575,7 +575,7 @@ MODULE_LICENSE("GPL");
static int __init init(void) static int __init init(void)
{ {
need_nf_conntrack(); need_conntrack();
return init_or_cleanup(1); return init_or_cleanup(1);
} }
@ -587,9 +587,4 @@ static void __exit fini(void)
module_init(init); module_init(init);
module_exit(fini); module_exit(fini);
void need_ip_conntrack(void)
{
}
EXPORT_SYMBOL(need_ip_conntrack);
EXPORT_SYMBOL(nf_ct_ipv4_gather_frags); EXPORT_SYMBOL(nf_ct_ipv4_gather_frags);

View file

@ -41,6 +41,7 @@ config IP6_NF_QUEUE
config IP6_NF_IPTABLES config IP6_NF_IPTABLES
tristate "IP6 tables support (required for filtering/masq/NAT)" tristate "IP6 tables support (required for filtering/masq/NAT)"
depends on NETFILTER_XTABLES
help help
ip6tables is a general, extensible packet identification framework. ip6tables is a general, extensible packet identification framework.
Currently only the packet filtering and packet mangling subsystem Currently only the packet filtering and packet mangling subsystem
@ -50,25 +51,6 @@ config IP6_NF_IPTABLES
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
# The simple matches. # The simple matches.
config IP6_NF_MATCH_LIMIT
tristate "limit match support"
depends on IP6_NF_IPTABLES
help
limit matching allows you to control the rate at which a rule can be
matched: mainly useful in combination with the LOG target ("LOG
target support", below) and to avoid some Denial of Service attacks.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_MAC
tristate "MAC address match support"
depends on IP6_NF_IPTABLES
help
mac matching allows you to match packets based on the source
Ethernet address of the packet.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_RT config IP6_NF_MATCH_RT
tristate "Routing header match support" tristate "Routing header match support"
depends on IP6_NF_IPTABLES depends on IP6_NF_IPTABLES
@ -124,16 +106,6 @@ config IP6_NF_MATCH_OWNER
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_MARK
tristate "netfilter MARK match support"
depends on IP6_NF_IPTABLES
help
Netfilter mark matching allows you to match packets based on the
`nfmark' value in the packet. This can be set by the MARK target
(see below).
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_IPV6HEADER config IP6_NF_MATCH_IPV6HEADER
tristate "IPv6 Extension Headers Match" tristate "IPv6 Extension Headers Match"
depends on IP6_NF_IPTABLES depends on IP6_NF_IPTABLES
@ -151,15 +123,6 @@ config IP6_NF_MATCH_AHESP
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_LENGTH
tristate "Packet Length match support"
depends on IP6_NF_IPTABLES
help
This option allows you to match the length of a packet against a
specific value or range of values.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_EUI64 config IP6_NF_MATCH_EUI64
tristate "EUI64 address check" tristate "EUI64 address check"
depends on IP6_NF_IPTABLES depends on IP6_NF_IPTABLES
@ -170,15 +133,6 @@ config IP6_NF_MATCH_EUI64
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_PHYSDEV
tristate "Physdev match support"
depends on IP6_NF_IPTABLES && BRIDGE_NETFILTER
help
Physdev packet matching matches against the physical bridge ports
the IP packet arrived on or will leave by.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_POLICY config IP6_NF_MATCH_POLICY
tristate "IPsec policy match support" tristate "IPsec policy match support"
depends on IP6_NF_IPTABLES && XFRM depends on IP6_NF_IPTABLES && XFRM
@ -219,17 +173,6 @@ config IP6_NF_TARGET_REJECT
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_NFQUEUE
tristate "NFQUEUE Target Support"
depends on IP6_NF_IPTABLES
help
This Target replaced the old obsolete QUEUE target.
As opposed to QUEUE, it supports 65535 different queues,
not just one.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MANGLE config IP6_NF_MANGLE
tristate "Packet mangling" tristate "Packet mangling"
depends on IP6_NF_IPTABLES depends on IP6_NF_IPTABLES
@ -240,19 +183,6 @@ config IP6_NF_MANGLE
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_MARK
tristate "MARK target support"
depends on IP6_NF_MANGLE
help
This option adds a `MARK' target, which allows you to create rules
in the `mangle' table which alter the netfilter mark (nfmark) field
associated with the packet packet prior to routing. This can change
the routing method (see `Use netfilter MARK value as routing
key') and can also be used by other subsystems to change their
behavior.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_HL config IP6_NF_TARGET_HL
tristate 'HL (hoplimit) target support' tristate 'HL (hoplimit) target support'
depends on IP6_NF_MANGLE depends on IP6_NF_MANGLE

View file

@ -4,10 +4,7 @@
# Link order matters here. # Link order matters here.
obj-$(CONFIG_IP6_NF_IPTABLES) += ip6_tables.o obj-$(CONFIG_IP6_NF_IPTABLES) += ip6_tables.o
obj-$(CONFIG_IP6_NF_MATCH_LIMIT) += ip6t_limit.o
obj-$(CONFIG_IP6_NF_MATCH_MARK) += ip6t_mark.o
obj-$(CONFIG_IP6_NF_MATCH_LENGTH) += ip6t_length.o obj-$(CONFIG_IP6_NF_MATCH_LENGTH) += ip6t_length.o
obj-$(CONFIG_IP6_NF_MATCH_MAC) += ip6t_mac.o
obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o
obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
@ -17,12 +14,9 @@ obj-$(CONFIG_IP6_NF_MATCH_POLICY) += ip6t_policy.o
obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o
obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
obj-$(CONFIG_IP6_NF_MATCH_PHYSDEV) += ip6t_physdev.o
obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t_MARK.o
obj-$(CONFIG_IP6_NF_TARGET_HL) += ip6t_HL.o obj-$(CONFIG_IP6_NF_TARGET_HL) += ip6t_HL.o
obj-$(CONFIG_IP6_NF_TARGET_NFQUEUE) += ip6t_NFQUEUE.o
obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o

Some files were not shown because too many files have changed in this diff Show more