diff options
author | Andreas Baumann <mail@andreasbaumann.cc> | 2015-01-03 12:04:58 +0100 |
---|---|---|
committer | Andreas Baumann <mail@andreasbaumann.cc> | 2015-01-03 12:04:58 +0100 |
commit | 008d0be72b2f160382c6e880765e96b64a050c65 (patch) | |
tree | 36f48a98a3815a408e2ce1693dd182af90f80305 /release/src/linux/linux/include/linux/netfilter_ipv4 | |
parent | 611becfb8726c60cb060368541ad98191d4532f5 (diff) | |
download | tomato-008d0be72b2f160382c6e880765e96b64a050c65.tar.gz tomato-008d0be72b2f160382c6e880765e96b64a050c65.tar.bz2 |
imported original firmware WRT54GL_v4.30.11_11_US
Diffstat (limited to 'release/src/linux/linux/include/linux/netfilter_ipv4')
64 files changed, 3692 insertions, 0 deletions
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/compat_firewall.h b/release/src/linux/linux/include/linux/netfilter_ipv4/compat_firewall.h new file mode 100644 index 00000000..ed07ff91 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/compat_firewall.h @@ -0,0 +1,45 @@ +/* Minor modifications to fit on compatibility framework: + Rusty.Russell@rustcorp.com.au +*/ + +#ifndef __LINUX_FIREWALL_H +#define __LINUX_FIREWALL_H + +/* + * Definitions for loadable firewall modules + */ + +#define FW_QUEUE 0 +#define FW_BLOCK 1 +#define FW_ACCEPT 2 +#define FW_REJECT (-1) +#define FW_REDIRECT 3 +#define FW_MASQUERADE 4 +#define FW_SKIP 5 + +struct firewall_ops +{ + struct firewall_ops *next; + int (*fw_forward)(struct firewall_ops *this, int pf, + struct net_device *dev, void *phdr, void *arg, + struct sk_buff **pskb); + int (*fw_input)(struct firewall_ops *this, int pf, + struct net_device *dev, void *phdr, void *arg, + struct sk_buff **pskb); + int (*fw_output)(struct firewall_ops *this, int pf, + struct net_device *dev, void *phdr, void *arg, + struct sk_buff **pskb); + /* These may be NULL. */ + int (*fw_acct_in)(struct firewall_ops *this, int pf, + struct net_device *dev, void *phdr, void *arg, + struct sk_buff **pskb); + int (*fw_acct_out)(struct firewall_ops *this, int pf, + struct net_device *dev, void *phdr, void *arg, + struct sk_buff **pskb); +}; + +extern int register_firewall(int pf, struct firewall_ops *fw); +extern int unregister_firewall(int pf, struct firewall_ops *fw); + +extern int ip_fw_masq_timeouts(void *user, int len); +#endif /* __LINUX_FIREWALL_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_autofw.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_autofw.h new file mode 100644 index 00000000..e6528a78 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_autofw.h @@ -0,0 +1,17 @@ +#ifndef _IP_AUTOFW_H +#define _IP_AUTOFW_H + +#define AUTOFW_MASTER_TIMEOUT 600 /* 600 secs */ + +struct ip_autofw_info { + u_int16_t proto; /* Related protocol */ + u_int16_t dport[2]; /* Related destination port range */ + u_int16_t to[2]; /* Port range to map related destination port range to */ +}; + +struct ip_autofw_expect { + u_int16_t dport[2]; /* Related destination port range */ + u_int16_t to[2]; /* Port range to map related destination port range to */ +}; + +#endif /*_IP_AUTOFW_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h new file mode 100644 index 00000000..314f6cc3 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h @@ -0,0 +1,295 @@ +#ifndef _IP_CONNTRACK_H +#define _IP_CONNTRACK_H +/* Connection state tracking for netfilter. This is separated from, + but required by, the NAT layer; it can also be used by an iptables + extension. */ + +#include <linux/config.h> +#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> +#include <asm/atomic.h> + +enum ip_conntrack_info +{ + /* Part of an established connection (either direction). */ + IP_CT_ESTABLISHED, + + /* Like NEW, but related to an existing connection, or ICMP error + (in either direction). */ + IP_CT_RELATED, + + /* Started a new connection to track (only + IP_CT_DIR_ORIGINAL); may be a retransmission. */ + IP_CT_NEW, + + /* >= this indicates reply direction */ + IP_CT_IS_REPLY, + + /* Number of distinct IP_CT types (no NEW in reply dirn). */ + IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 +}; + +/* Bitset representing status of connection. */ +enum ip_conntrack_status { + /* It's an expected connection: bit 0 set. This bit never changed */ + IPS_EXPECTED_BIT = 0, + IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), + + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ + IPS_SEEN_REPLY_BIT = 1, + IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), + + /* Conntrack should never be early-expired. */ + IPS_ASSURED_BIT = 2, + IPS_ASSURED = (1 << IPS_ASSURED_BIT), +}; + +#include <linux/netfilter_ipv4/ip_conntrack_tcp.h> +#include <linux/netfilter_ipv4/ip_conntrack_icmp.h> +#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h> +#include <linux/netfilter_ipv4/ip_conntrack_proto_esp.h> + +/* per conntrack: protocol private data */ +union ip_conntrack_proto { + /* insert conntrack proto private data here */ + struct ip_ct_gre gre; + struct ip_ct_tcp tcp; + struct ip_ct_icmp icmp; +}; + +union ip_conntrack_expect_proto { + /* insert expect proto private data here */ + struct ip_ct_gre_expect gre; +}; + +/* Add protocol helper include file here */ +#include <linux/netfilter_ipv4/ip_conntrack_pptp.h> +#include <linux/netfilter_ipv4/ip_conntrack_sip.h> +#include <linux/netfilter_ipv4/ip_conntrack_mms.h> +#include <linux/netfilter_ipv4/ip_conntrack_h323.h> + +#include <linux/netfilter_ipv4/ip_conntrack_ftp.h> +#include <linux/netfilter_ipv4/ip_conntrack_irc.h> +#ifdef CONFIG_IP_NF_NAT_RTSP +#include <linux/netfilter_ipv4/ip_conntrack_rtsp.h> +#endif +#include <linux/netfilter_ipv4/ip_autofw.h> + +/* per expectation: application helper private data */ +union ip_conntrack_expect_help { + /* insert conntrack helper private data (expect) here */ + struct ip_ct_pptp_expect exp_pptp_info; + struct ip_ct_sip_expect exp_sip_info; + struct ip_ct_mms_expect exp_mms_info; + struct ip_ct_h225_expect exp_h225_info; + struct ip_ct_ftp_expect exp_ftp_info; + struct ip_ct_irc_expect exp_irc_info; + struct ip_autofw_expect exp_autofw_info; +#ifdef CONFIG_IP_NF_NAT_RTSP + struct ip_ct_rtsp_expect exp_rtsp_info; +#endif +#ifdef CONFIG_IP_NF_NAT_NEEDED + union { + /* insert nat helper private data (expect) here */ + } nat; +#endif +}; + +/* per conntrack: application helper private data */ +union ip_conntrack_help { + /* insert conntrack helper private data (master) here */ + struct ip_ct_pptp_master ct_pptp_info; + struct ip_ct_sip_master ct_sip_info; + struct ip_ct_mms_master ct_mms_info; + struct ip_ct_h225_master ct_h225_info; + struct ip_ct_ftp_master ct_ftp_info; + struct ip_ct_irc_master ct_irc_info; +#ifdef CONFIG_IP_NF_NAT_RTSP + struct ip_ct_rtsp_master ct_rtsp_info; +#endif +}; + +#ifdef CONFIG_IP_NF_NAT_NEEDED +#include <linux/netfilter_ipv4/ip_nat.h> +#include <linux/netfilter_ipv4/ip_nat_pptp.h> + +/* per conntrack: nat application helper private data */ +union ip_conntrack_nat_help { + /* insert nat helper private data here */ + struct ip_nat_pptp nat_pptp_info; +}; +#endif + +#ifdef __KERNEL__ + +#include <linux/types.h> +#include <linux/skbuff.h> + +#ifdef CONFIG_NF_DEBUG +#define IP_NF_ASSERT(x) \ +do { \ + if (!(x)) \ + /* Wooah! I'm tripping my conntrack in a frenzy of \ + netplay... */ \ + printk("NF_IP_ASSERT: %s:%i(%s)\n", \ + __FILE__, __LINE__, __FUNCTION__); \ +} while(0) +#else +#define IP_NF_ASSERT(x) +#endif + +struct ip_conntrack_expect +{ + /* Internal linked list (global expectation list) */ + struct list_head list; + + /* reference count */ + atomic_t use; + + /* expectation list for this master */ + struct list_head expected_list; + + /* The conntrack of the master connection */ + struct ip_conntrack *expectant; + + /* The conntrack of the sibling connection, set after + * expectation arrived */ + struct ip_conntrack *sibling; + + /* Tuple saved for conntrack */ + struct ip_conntrack_tuple ct_tuple; + + /* Timer function; deletes the expectation. */ + struct timer_list timeout; + + /* Data filled out by the conntrack helpers follow: */ + + /* We expect this tuple, with the following mask */ + struct ip_conntrack_tuple tuple, mask; + + /* Function to call after setup and insertion */ + int (*expectfn)(struct ip_conntrack *new); + + /* At which sequence number did this expectation occur */ + u_int32_t seq; + + union ip_conntrack_expect_proto proto; + + union ip_conntrack_expect_help help; +}; + +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> +struct ip_conntrack +{ + /* Usage count in here is 1 for hash table/destruct timer, 1 per skb, + plus 1 for any connection(s) we are `master' for */ + struct nf_conntrack ct_general; + + /* These are my tuples; original and reply */ + struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; + + /* Have we seen traffic both ways yet? (bitset) */ + volatile unsigned long status; + + /* Timer function; drops refcnt when it goes off. */ + struct timer_list timeout; + + /* If we're expecting another related connection, this will be + in expected linked list */ + struct list_head sibling_list; + + /* Current number of expected connections */ + unsigned int expecting; + + /* If we were expected by an expectation, this will be it */ + struct ip_conntrack_expect *master; + + /* Helper, if any. */ + struct ip_conntrack_helper *helper; + + /* Our various nf_ct_info structs specify *what* relation this + packet has to the conntrack */ + struct nf_ct_info infos[IP_CT_NUMBER]; + + /* Storage reserved for other modules: */ + + union ip_conntrack_proto proto; + + union ip_conntrack_help help; + +#ifdef CONFIG_IP_NF_NAT_NEEDED + struct { + struct ip_nat_info info; + union ip_conntrack_nat_help help; +#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \ + defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE) + int masq_index; +#endif + } nat; +#endif /* CONFIG_IP_NF_NAT_NEEDED */ + +}; + +/* get master conntrack via master expectation */ +#define master_ct(conntr) (conntr->master ? conntr->master->expectant : NULL) + +/* Alter reply tuple (maybe alter helper). If it's already taken, + return 0 and don't do alteration. */ +extern int +ip_conntrack_alter_reply(struct ip_conntrack *conntrack, + const struct ip_conntrack_tuple *newreply); + +/* Is this tuple taken? (ignoring any belonging to the given + conntrack). */ +extern int +ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple, + const struct ip_conntrack *ignored_conntrack); + +/* Return conntrack_info and tuple hash for given skb. */ +extern struct ip_conntrack * +ip_conntrack_get(struct sk_buff *skb, enum ip_conntrack_info *ctinfo); + +/* decrement reference count on a conntrack */ +extern inline void ip_conntrack_put(struct ip_conntrack *ct); + +/* find unconfirmed expectation based on tuple */ +struct ip_conntrack_expect * +ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple); + +/* decrement reference count on an expectation */ +void ip_conntrack_expect_put(struct ip_conntrack_expect *exp); + +extern struct module *ip_conntrack_module; + +extern int invert_tuplepr(struct ip_conntrack_tuple *inverse, + const struct ip_conntrack_tuple *orig); + +/* Refresh conntrack for this many jiffies */ +extern void ip_ct_refresh(struct ip_conntrack *ct, + unsigned long extra_jiffies); + +/* These are for NAT. Icky. */ +/* Call me when a conntrack is destroyed. */ +extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack); + +/* Returns new sk_buff, or NULL */ +struct sk_buff * +ip_ct_gather_frags(struct sk_buff *skb); + +/* Delete all conntracks which match. */ +extern void +ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data), + void *data); + +/* It's confirmed if it is, or has been in the hash table. */ +static inline int is_confirmed(struct ip_conntrack *ct) +{ + return ct->tuplehash[IP_CT_DIR_ORIGINAL].list.next != NULL; +} + +extern unsigned int ip_conntrack_htable_size; + +/* connection tracking time out variables. */ +extern int sysctl_ip_conntrack_tcp_timeouts[10]; +extern int sysctl_ip_conntrack_udp_timeouts[2]; +#endif /* __KERNEL__ */ +#endif /* _IP_CONNTRACK_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_core.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_core.h new file mode 100644 index 00000000..c46f0e86 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_core.h @@ -0,0 +1,51 @@ +#ifndef _IP_CONNTRACK_CORE_H +#define _IP_CONNTRACK_CORE_H +#include <linux/netfilter_ipv4/lockhelp.h> + +/* This header is used to share core functionality between the + standalone connection tracking module, and the compatibility layer's use + of connection tracking. */ +extern unsigned int ip_conntrack_in(unsigned int hooknum, + struct sk_buff **pskb, + const struct net_device *in, + const struct net_device *out, + int (*okfn)(struct sk_buff *)); + +extern int ip_conntrack_init(void); +extern void ip_conntrack_cleanup(void); + +struct ip_conntrack_protocol; +extern struct ip_conntrack_protocol *ip_ct_find_proto(u_int8_t protocol); +/* Like above, but you already have conntrack read lock. */ +extern struct ip_conntrack_protocol *__ip_ct_find_proto(u_int8_t protocol); +extern struct list_head protocol_list; + +/* Returns conntrack if it dealt with ICMP, and filled in skb->nfct */ +extern struct ip_conntrack *icmp_error_track(struct sk_buff *skb, + enum ip_conntrack_info *ctinfo, + unsigned int hooknum); +extern int get_tuple(const struct iphdr *iph, size_t len, + struct ip_conntrack_tuple *tuple, + struct ip_conntrack_protocol *protocol); + +/* Find a connection corresponding to a tuple. */ +struct ip_conntrack_tuple_hash * +ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple, + const struct ip_conntrack *ignored_conntrack); + +extern int __ip_conntrack_confirm(struct nf_ct_info *nfct); + +/* Confirm a connection: returns NF_DROP if packet must be dropped. */ +static inline int ip_conntrack_confirm(struct sk_buff *skb) +{ + if (skb->nfct + && !is_confirmed((struct ip_conntrack *)skb->nfct->master)) + return __ip_conntrack_confirm(skb->nfct); + return NF_ACCEPT; +} + +extern struct list_head *ip_conntrack_hash; +extern struct list_head ip_conntrack_expect_list; +DECLARE_RWLOCK_EXTERN(ip_conntrack_lock); +#endif /* _IP_CONNTRACK_CORE_H */ + diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_ftp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_ftp.h new file mode 100644 index 00000000..677db49e --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_ftp.h @@ -0,0 +1,48 @@ +#ifndef _IP_CONNTRACK_FTP_H +#define _IP_CONNTRACK_FTP_H +/* FTP tracking. */ + +#ifdef __KERNEL__ + +#include <linux/netfilter_ipv4/lockhelp.h> + +/* Protects ftp part of conntracks */ +DECLARE_LOCK_EXTERN(ip_ftp_lock); + +#define FTP_PORT 21 + +#endif /* __KERNEL__ */ + +enum ip_ct_ftp_type +{ + /* PORT command from client */ + IP_CT_FTP_PORT, + /* PASV response from server */ + IP_CT_FTP_PASV, + /* EPRT command from client */ + IP_CT_FTP_EPRT, + /* EPSV response from server */ + IP_CT_FTP_EPSV, +}; + +/* This structure is per expected connection */ +struct ip_ct_ftp_expect +{ + /* We record seq number and length of ftp ip/port text here: all in + * host order. */ + + /* sequence number of IP address in packet is in ip_conntrack_expect */ + u_int32_t len; /* length of IP address */ + enum ip_ct_ftp_type ftptype; /* PORT or PASV ? */ + u_int16_t port; /* TCP port that was to be used */ +}; + +/* This structure exists only once per master */ +struct ip_ct_ftp_master { + /* Next valid seq position for cmd matching after newline */ + u_int32_t seq_aft_nl[IP_CT_DIR_MAX]; + /* 0 means seq_match_aft_nl not set */ + int seq_aft_nl_set[IP_CT_DIR_MAX]; +}; + +#endif /* _IP_CONNTRACK_FTP_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h new file mode 100644 index 00000000..10221fe9 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h @@ -0,0 +1,30 @@ +#ifndef _IP_CONNTRACK_H323_H +#define _IP_CONNTRACK_H323_H +/* H.323 connection tracking. */ + +#ifdef __KERNEL__ +/* Protects H.323 related data */ +DECLARE_LOCK_EXTERN(ip_h323_lock); +#endif + +/* Default H.225 port */ +#define H225_PORT 1720 + +/* This structure is per expected connection */ +struct ip_ct_h225_expect { + u_int16_t port; /* Port of the H.225 helper/RTCP/RTP channel */ + enum ip_conntrack_dir dir; /* Direction of the original connection */ + unsigned int offset; /* offset of the address in the payload */ +}; + +/* This structure exists only once per master */ +struct ip_ct_h225_master { + int is_h225; /* H.225 or H.245 connection */ +#ifdef CONFIG_IP_NF_NAT_NEEDED + enum ip_conntrack_dir dir; /* Direction of the original connection */ + u_int32_t seq[IP_CT_DIR_MAX]; /* Exceptional packet mangling for signal addressess... */ + unsigned int offset[IP_CT_DIR_MAX]; /* ...and the offset of the addresses in the payload */ +#endif +}; + +#endif /* _IP_CONNTRACK_H323_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_helper.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_helper.h new file mode 100644 index 00000000..d092a4fc --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_helper.h @@ -0,0 +1,45 @@ +/* IP connection tracking helpers. */ +#ifndef _IP_CONNTRACK_HELPER_H +#define _IP_CONNTRACK_HELPER_H +#include <linux/netfilter_ipv4/ip_conntrack.h> + +struct module; + +/* Reuse expectation when max_expected reached */ +#define IP_CT_HELPER_F_REUSE_EXPECT 0x01 + +struct ip_conntrack_helper +{ + struct list_head list; /* Internal use. */ + + const char *name; /* name of the module */ + unsigned char flags; /* Flags (see above) */ + struct module *me; /* pointer to self */ + unsigned int max_expected; /* Maximum number of concurrent + * expected connections */ + unsigned int timeout; /* timeout for expecteds */ + + /* Mask of things we will help (compared against server response) */ + struct ip_conntrack_tuple tuple; + struct ip_conntrack_tuple mask; + + /* Function to call when data passes; return verdict, or -1 to + invalidate. */ + int (*help)(const struct iphdr *, size_t len, + struct ip_conntrack *ct, + enum ip_conntrack_info conntrackinfo); +}; + +extern int ip_conntrack_helper_register(struct ip_conntrack_helper *); +extern void ip_conntrack_helper_unregister(struct ip_conntrack_helper *); + +extern struct ip_conntrack_helper *ip_ct_find_helper(const struct ip_conntrack_tuple *tuple); + +/* Add an expected connection: can have more than one per connection */ +extern int ip_conntrack_expect_related(struct ip_conntrack *related_to, + struct ip_conntrack_expect *exp); +extern int ip_conntrack_change_expect(struct ip_conntrack_expect *expect, + struct ip_conntrack_tuple *newtuple); +extern void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp); + +#endif /*_IP_CONNTRACK_HELPER_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_icmp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_icmp.h new file mode 100644 index 00000000..f1664abb --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_icmp.h @@ -0,0 +1,11 @@ +#ifndef _IP_CONNTRACK_ICMP_H +#define _IP_CONNTRACK_ICMP_H +/* ICMP tracking. */ +#include <asm/atomic.h> + +struct ip_ct_icmp +{ + /* Optimization: when number in == number out, forget immediately. */ + atomic_t count; +}; +#endif /* _IP_CONNTRACK_ICMP_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_irc.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_irc.h new file mode 100644 index 00000000..55571bec --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_irc.h @@ -0,0 +1,50 @@ +/* IRC extension for IP connection tracking. + * (C) 2000 by Harald Welte <laforge@gnumonks.org> + * based on RR's ip_conntrack_ftp.h + * + * ip_conntrack_irc.h,v 1.6 2000/11/07 18:26:42 laforge Exp + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + * + * + */ +#ifndef _IP_CONNTRACK_IRC_H +#define _IP_CONNTRACK_IRC_H + +/* We record seq number and length of irc ip/port text here: all in + host order. */ + +/* This structure is per expected connection */ +struct ip_ct_irc_expect +{ + /* length of IP address */ + u_int32_t len; + /* Port that was to be used */ + u_int16_t port; +}; + +/* This structure exists only once per master */ +struct ip_ct_irc_master { +}; + + +#ifdef __KERNEL__ + +#include <linux/netfilter_ipv4/lockhelp.h> + +#define IRC_PORT 6667 + +struct dccproto { + char* match; + int matchlen; +}; + +/* Protects irc part of conntracks */ +DECLARE_LOCK_EXTERN(ip_irc_lock); + +#endif /* __KERNEL__ */ + +#endif /* _IP_CONNTRACK_IRC_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_mms.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_mms.h new file mode 100644 index 00000000..c83922c1 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_mms.h @@ -0,0 +1,31 @@ +#ifndef _IP_CONNTRACK_MMS_H +#define _IP_CONNTRACK_MMS_H +/* MMS tracking. */ + +#ifdef __KERNEL__ +#include <linux/netfilter_ipv4/lockhelp.h> + +DECLARE_LOCK_EXTERN(ip_mms_lock); + +#define MMS_PORT 1755 +#define MMS_SRV_MSG_ID 196610 + +#define MMS_SRV_MSG_OFFSET 36 +#define MMS_SRV_UNICODE_STRING_OFFSET 60 +#define MMS_SRV_CHUNKLENLV_OFFSET 16 +#define MMS_SRV_CHUNKLENLM_OFFSET 32 +#define MMS_SRV_MESSAGELENGTH_OFFSET 8 +#endif + +/* This structure is per expected connection */ +struct ip_ct_mms_expect { + u_int32_t len; + u_int32_t padding; + u_int16_t port; +}; + +/* This structure exists only once per master */ +struct ip_ct_mms_master { +}; + +#endif /* _IP_CONNTRACK_MMS_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_pptp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_pptp.h new file mode 100644 index 00000000..5155f57e --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_pptp.h @@ -0,0 +1,313 @@ +/* PPTP constants and structs */ +#ifndef _CONNTRACK_PPTP_H +#define _CONNTRACK_PPTP_H + +/* state of the control session */ +enum pptp_ctrlsess_state { + PPTP_SESSION_NONE, /* no session present */ + PPTP_SESSION_ERROR, /* some session error */ + PPTP_SESSION_STOPREQ, /* stop_sess request seen */ + PPTP_SESSION_REQUESTED, /* start_sess request seen */ + PPTP_SESSION_CONFIRMED, /* session established */ +}; + +/* state of the call inside the control session */ +enum pptp_ctrlcall_state { + PPTP_CALL_NONE, + PPTP_CALL_ERROR, + PPTP_CALL_OUT_REQ, + PPTP_CALL_OUT_CONF, + PPTP_CALL_IN_REQ, + PPTP_CALL_IN_REP, + PPTP_CALL_IN_CONF, + PPTP_CALL_CLEAR_REQ, +}; + + +/* conntrack private data */ +struct ip_ct_pptp_master { + enum pptp_ctrlsess_state sstate; /* session state */ + + /* everything below is going to be per-expectation in newnat, + * since there could be more than one call within one session */ + enum pptp_ctrlcall_state cstate; /* call state */ + u_int16_t pac_call_id; /* call id of PAC, host byte order */ + u_int16_t pns_call_id; /* call id of PNS, host byte order */ +}; + +/* conntrack_expect private member */ +struct ip_ct_pptp_expect { + enum pptp_ctrlcall_state cstate; /* call state */ + u_int16_t pac_call_id; /* call id of PAC */ + u_int16_t pns_call_id; /* call id of PNS */ +}; + + +#ifdef __KERNEL__ + +#include <linux/netfilter_ipv4/lockhelp.h> +DECLARE_LOCK_EXTERN(ip_pptp_lock); + +#define IP_CONNTR_PPTP PPTP_CONTROL_PORT + +union pptp_ctrl_union { + void *rawreq; + struct PptpStartSessionRequest *sreq; + struct PptpStartSessionReply *srep; + struct PptpStopSessionReqest *streq; + struct PptpStopSessionReply *strep; + struct PptpOutCallRequest *ocreq; + struct PptpOutCallReply *ocack; + struct PptpInCallRequest *icreq; + struct PptpInCallReply *icack; + struct PptpInCallConnected *iccon; + struct PptpClearCallRequest *clrreq; + struct PptpCallDisconnectNotify *disc; + struct PptpWanErrorNotify *wanerr; + struct PptpSetLinkInfo *setlink; +}; + + + +#define PPTP_CONTROL_PORT 1723 + +#define PPTP_PACKET_CONTROL 1 +#define PPTP_PACKET_MGMT 2 + +#define PPTP_MAGIC_COOKIE 0x1a2b3c4d + +struct pptp_pkt_hdr { + __u16 packetLength; + __u16 packetType; + __u32 magicCookie; +}; + +/* PptpControlMessageType values */ +#define PPTP_START_SESSION_REQUEST 1 +#define PPTP_START_SESSION_REPLY 2 +#define PPTP_STOP_SESSION_REQUEST 3 +#define PPTP_STOP_SESSION_REPLY 4 +#define PPTP_ECHO_REQUEST 5 +#define PPTP_ECHO_REPLY 6 +#define PPTP_OUT_CALL_REQUEST 7 +#define PPTP_OUT_CALL_REPLY 8 +#define PPTP_IN_CALL_REQUEST 9 +#define PPTP_IN_CALL_REPLY 10 +#define PPTP_IN_CALL_CONNECT 11 +#define PPTP_CALL_CLEAR_REQUEST 12 +#define PPTP_CALL_DISCONNECT_NOTIFY 13 +#define PPTP_WAN_ERROR_NOTIFY 14 +#define PPTP_SET_LINK_INFO 15 + +#define PPTP_MSG_MAX 15 + +/* PptpGeneralError values */ +#define PPTP_ERROR_CODE_NONE 0 +#define PPTP_NOT_CONNECTED 1 +#define PPTP_BAD_FORMAT 2 +#define PPTP_BAD_VALUE 3 +#define PPTP_NO_RESOURCE 4 +#define PPTP_BAD_CALLID 5 +#define PPTP_REMOVE_DEVICE_ERROR 6 + +struct PptpControlHeader { + __u16 messageType; + __u16 reserved; +}; + +/* FramingCapability Bitmap Values */ +#define PPTP_FRAME_CAP_ASYNC 0x1 +#define PPTP_FRAME_CAP_SYNC 0x2 + +/* BearerCapability Bitmap Values */ +#define PPTP_BEARER_CAP_ANALOG 0x1 +#define PPTP_BEARER_CAP_DIGITAL 0x2 + +struct PptpStartSessionRequest { + __u16 protocolVersion; + __u8 reserved1; + __u8 reserved2; + __u32 framingCapability; + __u32 bearerCapability; + __u16 maxChannels; + __u16 firmwareRevision; + __u8 hostName[64]; + __u8 vendorString[64]; +}; + +/* PptpStartSessionResultCode Values */ +#define PPTP_START_OK 1 +#define PPTP_START_GENERAL_ERROR 2 +#define PPTP_START_ALREADY_CONNECTED 3 +#define PPTP_START_NOT_AUTHORIZED 4 +#define PPTP_START_UNKNOWN_PROTOCOL 5 + +struct PptpStartSessionReply { + __u16 protocolVersion; + __u8 resultCode; + __u8 generalErrorCode; + __u32 framingCapability; + __u32 bearerCapability; + __u16 maxChannels; + __u16 firmwareRevision; + __u8 hostName[64]; + __u8 vendorString[64]; +}; + +/* PptpStopReasons */ +#define PPTP_STOP_NONE 1 +#define PPTP_STOP_PROTOCOL 2 +#define PPTP_STOP_LOCAL_SHUTDOWN 3 + +struct PptpStopSessionRequest { + __u8 reason; +}; + +/* PptpStopSessionResultCode */ +#define PPTP_STOP_OK 1 +#define PPTP_STOP_GENERAL_ERROR 2 + +struct PptpStopSessionReply { + __u8 resultCode; + __u8 generalErrorCode; +}; + +struct PptpEchoRequest { + __u32 identNumber; +}; + +/* PptpEchoReplyResultCode */ +#define PPTP_ECHO_OK 1 +#define PPTP_ECHO_GENERAL_ERROR 2 + +struct PptpEchoReply { + __u32 identNumber; + __u8 resultCode; + __u8 generalErrorCode; + __u16 reserved; +}; + +/* PptpFramingType */ +#define PPTP_ASYNC_FRAMING 1 +#define PPTP_SYNC_FRAMING 2 +#define PPTP_DONT_CARE_FRAMING 3 + +/* PptpCallBearerType */ +#define PPTP_ANALOG_TYPE 1 +#define PPTP_DIGITAL_TYPE 2 +#define PPTP_DONT_CARE_BEARER_TYPE 3 + +struct PptpOutCallRequest { + __u16 callID; + __u16 callSerialNumber; + __u32 minBPS; + __u32 maxBPS; + __u32 bearerType; + __u32 framingType; + __u16 packetWindow; + __u16 packetProcDelay; + __u16 reserved1; + __u16 phoneNumberLength; + __u16 reserved2; + __u8 phoneNumber[64]; + __u8 subAddress[64]; +}; + +/* PptpCallResultCode */ +#define PPTP_OUTCALL_CONNECT 1 +#define PPTP_OUTCALL_GENERAL_ERROR 2 +#define PPTP_OUTCALL_NO_CARRIER 3 +#define PPTP_OUTCALL_BUSY 4 +#define PPTP_OUTCALL_NO_DIAL_TONE 5 +#define PPTP_OUTCALL_TIMEOUT 6 +#define PPTP_OUTCALL_DONT_ACCEPT 7 + +struct PptpOutCallReply { + __u16 callID; + __u16 peersCallID; + __u8 resultCode; + __u8 generalErrorCode; + __u16 causeCode; + __u32 connectSpeed; + __u16 packetWindow; + __u16 packetProcDelay; + __u32 physChannelID; +}; + +struct PptpInCallRequest { + __u16 callID; + __u16 callSerialNumber; + __u32 callBearerType; + __u32 physChannelID; + __u16 dialedNumberLength; + __u16 dialingNumberLength; + __u8 dialedNumber[64]; + __u8 dialingNumber[64]; + __u8 subAddress[64]; +}; + +/* PptpInCallResultCode */ +#define PPTP_INCALL_ACCEPT 1 +#define PPTP_INCALL_GENERAL_ERROR 2 +#define PPTP_INCALL_DONT_ACCEPT 3 + +struct PptpInCallReply { + __u16 callID; + __u16 peersCallID; + __u8 resultCode; + __u8 generalErrorCode; + __u16 packetWindow; + __u16 packetProcDelay; + __u16 reserved; +}; + +struct PptpInCallConnected { + __u16 peersCallID; + __u16 reserved; + __u32 connectSpeed; + __u16 packetWindow; + __u16 packetProcDelay; + __u32 callFramingType; +}; + +struct PptpClearCallRequest { + __u16 callID; + __u16 reserved; +}; + +struct PptpCallDisconnectNotify { + __u16 callID; + __u8 resultCode; + __u8 generalErrorCode; + __u16 causeCode; + __u16 reserved; + __u8 callStatistics[128]; +}; + +struct PptpWanErrorNotify { + __u16 peersCallID; + __u16 reserved; + __u32 crcErrors; + __u32 framingErrors; + __u32 hardwareOverRuns; + __u32 bufferOverRuns; + __u32 timeoutErrors; + __u32 alignmentErrors; +}; + +struct PptpSetLinkInfo { + __u16 peersCallID; + __u16 reserved; + __u32 sendAccm; + __u32 recvAccm; +}; + + +struct pptp_priv_data { + __u16 call_id; + __u16 mcall_id; + __u16 pcall_id; +}; + +#endif /* __KERNEL__ */ +#endif /* _CONNTRACK_PPTP_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_esp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_esp.h new file mode 100755 index 00000000..acb4d9ec --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_esp.h @@ -0,0 +1,70 @@ +#ifndef _CONNTRACK_PROTO_ESP_H +#define _CONNTRACK_PROTO_ESP_H +#include <asm/byteorder.h> + +/* ESP PROTOCOL HEADER */ + +/* ESP Variate field */ +#define ESP_PROTOCOL (0x32) + +/* ESP is a mess*/ +struct esp_hdr { + __u32 spi; + __u32 seq; +}; + + +/* this is part of ip_conntrack */ +struct ip_ct_esp { + unsigned int stream_timeout; + unsigned int timeout; +}; + +/* this is part of ip_conntrack_expect */ +struct ip_ct_esp_expect { + struct ip_ct_esp_spi *spi_orig, *spi_reply; +}; + +#ifdef __KERNEL__ +struct ip_conntrack_expect; + + +/* conntrack private data */ +struct ip_ct_esp_master +{ + unsigned int sip; + unsigned int dip; + unsigned int spi; + unsigned int dir; +}; + +/* conntrack isakmp data */ +struct isakmp_hdr +{ + unsigned int init_cookie[2]; + unsigned int resp_cookie[2]; + unsigned int next_payload :8, + maj_ver :4, + min_ver :4, + exchang_type:8, + flag:8; + unsigned int msg_id; + unsigned int len; +}; + +/* structure for original ip <-> reply spi to find correct ip */ +struct ip_ct_esp_spi +{ + struct list_head list; + struct timer_list timeout; /* Timer for list destroying */ + //struct ip_ct_esp_master esp_master; + struct ip_conntrack_tuple esp_master; +}; + +unsigned int esp_packet_in(const struct iphdr *iph, u_int32_t *sip, u_int32_t *dip); +unsigned int esp_packet_out(const struct iphdr *iph, unsigned int len,enum ip_conntrack_info ctinfo ); + +#endif /* __KERNEL__ */ + +#endif /* _CONNTRACK_PROTO_ESP_H */ + diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h new file mode 100644 index 00000000..738e99a2 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h @@ -0,0 +1,121 @@ +#ifndef _CONNTRACK_PROTO_GRE_H +#define _CONNTRACK_PROTO_GRE_H +#include <asm/byteorder.h> + +/* GRE PROTOCOL HEADER */ + +/* GRE Version field */ +#define GRE_VERSION_1701 0x0 +#define GRE_VERSION_PPTP 0x1 + +/* GRE Protocol field */ +#define GRE_PROTOCOL_PPTP 0x880B + +/* GRE Flags */ +#define GRE_FLAG_C 0x80 +#define GRE_FLAG_R 0x40 +#define GRE_FLAG_K 0x20 +#define GRE_FLAG_S 0x10 +#define GRE_FLAG_A 0x80 + +#define GRE_IS_C(f) ((f)&GRE_FLAG_C) +#define GRE_IS_R(f) ((f)&GRE_FLAG_R) +#define GRE_IS_K(f) ((f)&GRE_FLAG_K) +#define GRE_IS_S(f) ((f)&GRE_FLAG_S) +#define GRE_IS_A(f) ((f)&GRE_FLAG_A) + +/* GRE is a mess: Four different standards */ +struct gre_hdr { +#if defined(__LITTLE_ENDIAN_BITFIELD) + __u16 rec:3, + srr:1, + seq:1, + key:1, + routing:1, + csum:1, + version:3, + reserved:4, + ack:1; +#elif defined(__BIG_ENDIAN_BITFIELD) + __u16 csum:1, + routing:1, + key:1, + seq:1, + srr:1, + rec:3, + ack:1, + reserved:4, + version:3; +#else +#error "Adjust your <asm/byteorder.h> defines" +#endif + __u16 protocol; +}; + +/* modified GRE header for PPTP */ +struct gre_hdr_pptp { + __u8 flags; /* bitfield */ + __u8 version; /* should be GRE_VERSION_PPTP */ + __u16 protocol; /* should be GRE_PROTOCOL_PPTP */ + __u16 payload_len; /* size of ppp payload, not inc. gre header */ + __u16 call_id; /* peer's call_id for this session */ + __u32 seq; /* sequence number. Present if S==1 */ + __u32 ack; /* seq number of highest packet recieved by */ + /* sender in this session */ +}; + + +/* this is part of ip_conntrack */ +struct ip_ct_gre { + unsigned int stream_timeout; + unsigned int timeout; +}; + +/* this is part of ip_conntrack_expect */ +struct ip_ct_gre_expect { + struct ip_ct_gre_keymap *keymap_orig, *keymap_reply; +}; + +#ifdef __KERNEL__ + +/* structure for original <-> reply keymap */ +struct ip_ct_gre_keymap { + struct list_head list; + + struct ip_conntrack_tuple tuple; + struct ip_conntrack_expect *master; +}; + + +/* add new tuple->key_reply pair to keymap */ +int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp, + struct ip_conntrack_tuple *t, + int reply); + +/* change an existing keymap entry */ +void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km, + struct ip_conntrack_tuple *t); + + + +/* get pointer to gre key, if present */ +static inline u_int32_t *gre_key(struct gre_hdr *greh) +{ + if (!greh->key) + return NULL; + if (greh->csum || greh->routing) + return (u_int32_t *) (greh+sizeof(*greh)+4); + return (u_int32_t *) (greh+sizeof(*greh)); +} + +/* get pointer ot gre csum, if present */ +static inline u_int16_t *gre_csum(struct gre_hdr *greh) +{ + if (!greh->csum) + return NULL; + return (u_int16_t *) (greh+sizeof(*greh)); +} + +#endif /* __KERNEL__ */ + +#endif /* _CONNTRACK_PROTO_GRE_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_protocol.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_protocol.h new file mode 100644 index 00000000..e99cd7de --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_protocol.h @@ -0,0 +1,65 @@ +/* Header for use in defining a given protocol for connection tracking. */ +#ifndef _IP_CONNTRACK_PROTOCOL_H +#define _IP_CONNTRACK_PROTOCOL_H +#include <linux/netfilter_ipv4/ip_conntrack.h> + +struct ip_conntrack_protocol +{ + /* Next pointer. */ + struct list_head list; + + /* Protocol number. */ + u_int8_t proto; + + /* Protocol name */ + const char *name; + + /* Try to fill in the third arg; return true if possible. */ + int (*pkt_to_tuple)(const void *datah, size_t datalen, + struct ip_conntrack_tuple *tuple); + + /* Invert the per-proto part of the tuple: ie. turn xmit into reply. + * Some packets can't be inverted: return 0 in that case. + */ + int (*invert_tuple)(struct ip_conntrack_tuple *inverse, + const struct ip_conntrack_tuple *orig); + + /* Print out the per-protocol part of the tuple. */ + unsigned int (*print_tuple)(char *buffer, + const struct ip_conntrack_tuple *); + + /* Print out the private part of the conntrack. */ + unsigned int (*print_conntrack)(char *buffer, + const struct ip_conntrack *); + + /* Returns verdict for packet, or -1 for invalid. */ + int (*packet)(struct ip_conntrack *conntrack, + struct iphdr *iph, size_t len, + enum ip_conntrack_info ctinfo); + + /* Called when a new connection for this protocol found; + * returns TRUE if it's OK. If so, packet() called next. */ + int (*new)(struct ip_conntrack *conntrack, struct iphdr *iph, + size_t len); + + /* Called when a conntrack entry is destroyed */ + void (*destroy)(struct ip_conntrack *conntrack); + + /* Has to decide if a expectation matches one packet or not */ + int (*exp_matches_pkt)(struct ip_conntrack_expect *exp, + struct sk_buff **pskb); + + /* Module (if any) which this is connected to. */ + struct module *me; +}; + +/* Protocol registration. */ +extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto); +extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto); + +/* Existing built-in protocols */ +extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp; +extern struct ip_conntrack_protocol ip_conntrack_protocol_udp; +extern struct ip_conntrack_protocol ip_conntrack_protocol_icmp; +extern int ip_conntrack_protocol_tcp_init(void); +#endif /*_IP_CONNTRACK_PROTOCOL_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_rtsp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_rtsp.h new file mode 100644 index 00000000..878d37f4 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_rtsp.h @@ -0,0 +1,70 @@ +/* + * RTSP extension for IP connection tracking. + * (C) 2003 by Tom Marshall <tmarshall@real.com> + * based on ip_conntrack_irc.h + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + */ +#ifndef _IP_CONNTRACK_RTSP_H +#define _IP_CONNTRACK_RTSP_H + +//#define IP_NF_RTSP_DEBUG +#define IP_NF_RTSP_VERSION "0.01" + +/* port block types */ +typedef enum { + pb_single, /* client_port=x */ + pb_range, /* client_port=x-y */ + pb_discon /* client_port=x/y (rtspbis) */ +} portblock_t; + +/* We record seq number and length of rtsp headers here, all in host order. */ + +/* + * This structure is per expected connection. It is a member of struct + * ip_conntrack_expect. The TCP SEQ for the conntrack expect is stored + * there and we are expected to only store the length of the data which + * needs replaced. If a packet contains multiple RTSP messages, we create + * one expected connection per message. + * + * We use these variables to mark the entire header block. This may seem + * like overkill, but the nature of RTSP requires it. A header may appear + * multiple times in a message. We must treat two Transport headers the + * same as one Transport header with two entries. + */ +struct ip_ct_rtsp_expect +{ + u_int32_t len; /* length of header block */ + portblock_t pbtype; /* Type of port block that was requested */ + u_int16_t loport; /* Port that was requested, low or first */ + u_int16_t hiport; /* Port that was requested, high or second */ + //wuzh add 2006.6.26 to distinguish RTCP expect and RTP expect + u_int16_t isrtcpexp; +#if 0 + uint method; /* RTSP method */ + uint cseq; /* CSeq from request */ +#endif +}; + +/* This structure exists only once per master */ +struct ip_ct_rtsp_master +{ + /* Empty (?) */ +}; + + +#ifdef __KERNEL__ + +#include <linux/netfilter_ipv4/lockhelp.h> + +#define RTSP_PORT 554 + +/* Protects rtsp part of conntracks */ +DECLARE_LOCK_EXTERN(ip_rtsp_lock); + +#endif /* __KERNEL__ */ + +#endif /* _IP_CONNTRACK_RTSP_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_sip.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_sip.h new file mode 100644 index 00000000..7de89a25 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_sip.h @@ -0,0 +1,56 @@ +#ifndef _IP_CONNTRACK_SIP_H +#define _IP_CONNTRACK_SIP_H +/* SIP tracking. */ + +#ifdef __KERNEL__ + +#include <linux/netfilter_ipv4/lockhelp.h> + +/* Protects sip part of conntracks */ +DECLARE_LOCK_EXTERN(ip_sip_lock); + +#define SIP_PORT 5060 /* UDP */ +#define SIP_EXPIRES 3600 /* seconds */ +#define RTP_TIMEOUT 180 /* seconds */ + +#endif /* __KERNEL__ */ + +/* SIP Request */ +#define SIP_INVITE 0x01 +#define SIP_ACK 0x02 +#define SIP_BYE 0x04 +/* SIP Response */ +#define SIP_100 0x10 +#define SIP_200 0x20 +#define SIP_200_BYE 0x40 +/* SIP session direction */ +#define SIP_OUTGOING 0 +#define SIP_INCOMING 1 + +enum ip_ct_conntype +{ + CONN_SIP, + CONN_RTP, + CONN_RTCP, +}; + +/* This structure is per expected connection */ +struct ip_ct_sip_expect +{ + u_int16_t port; /* TCP port that was to be used */ + + enum ip_ct_conntype type; + int nated; +}; + +/* This structure exists only once per master */ +struct ip_ct_sip_master { + int mangled; + u_int16_t rtpport; +}; + +extern u_int16_t find_sdp_audio_port(const char *data, size_t dlen, + unsigned int *numoff, unsigned int *numlen); +extern int find_sdp_rtp_addr(const char *data, size_t dlen, + unsigned int *numoff, unsigned int *numlen, u_int32_t *addr); +#endif /* _IP_CONNTRACK_SIP_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tcp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tcp.h new file mode 100644 index 00000000..d6698c91 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tcp.h @@ -0,0 +1,28 @@ +#ifndef _IP_CONNTRACK_TCP_H +#define _IP_CONNTRACK_TCP_H +/* TCP tracking. */ + +enum tcp_conntrack { + TCP_CONNTRACK_NONE, + TCP_CONNTRACK_ESTABLISHED, + TCP_CONNTRACK_SYN_SENT, + TCP_CONNTRACK_SYN_RECV, + TCP_CONNTRACK_FIN_WAIT, + TCP_CONNTRACK_TIME_WAIT, + TCP_CONNTRACK_CLOSE, + TCP_CONNTRACK_CLOSE_WAIT, + TCP_CONNTRACK_LAST_ACK, + TCP_CONNTRACK_LISTEN, + TCP_CONNTRACK_MAX +}; + +struct ip_ct_tcp +{ + enum tcp_conntrack state; + + /* Poor man's window tracking: sequence number of valid ACK + handshake completion packet */ + u_int32_t handshake_ack; +}; + +#endif /* _IP_CONNTRACK_TCP_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tftp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tftp.h new file mode 100644 index 00000000..7a68bafa --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tftp.h @@ -0,0 +1,13 @@ +#ifndef _IP_CT_TFTP +#define _IP_CT_TFTP + +#define TFTP_PORT 69 + +struct tftphdr { + u_int16_t opcode; +}; + +#define TFTP_OPCODE_READ 1 +#define TFTP_OPCODE_WRITE 2 + +#endif /* _IP_CT_TFTP */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h new file mode 100644 index 00000000..770935d3 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h @@ -0,0 +1,152 @@ +#ifndef _IP_CONNTRACK_TUPLE_H +#define _IP_CONNTRACK_TUPLE_H + +/* A `tuple' is a structure containing the information to uniquely + identify a connection. ie. if two packets have the same tuple, they + are in the same connection; if not, they are not. + + We divide the structure along "manipulatable" and + "non-manipulatable" lines, for the benefit of the NAT code. +*/ + +/* The protocol-specific manipulable parts of the tuple: always in + network order! */ +union ip_conntrack_manip_proto +{ + /* Add other protocols here. */ + u_int32_t all; + + struct { + u_int16_t port; + } tcp; + struct { + u_int16_t port; + } udp; + struct { + u_int16_t id; + } icmp; + struct { + u_int32_t key; + } gre; + struct { + u_int32_t spi; + } esp; +}; + +/* The manipulable part of the tuple. */ +struct ip_conntrack_manip +{ + u_int32_t ip; + union ip_conntrack_manip_proto u; +}; + +/* This contains the information to distinguish a connection. */ +struct ip_conntrack_tuple +{ + struct ip_conntrack_manip src; + + /* These are the parts of the tuple which are fixed. */ + struct { + u_int32_t ip; + union { + /* Add other protocols here. */ + u_int64_t all; + + struct { + u_int16_t port; + } tcp; + struct { + u_int16_t port; + unsigned int init_cookie;//xiaoqin add for multi-ipsec passthrough,2005.12.19 + } udp; + struct { + u_int8_t type, code; + } icmp; + struct { + u_int16_t protocol; + u_int8_t version; + u_int32_t key; + } gre; + struct { + u_int32_t spi; + } esp; + } u; + + /* The protocol. */ + u_int16_t protonum; + } dst; +}; + +enum ip_conntrack_dir +{ + IP_CT_DIR_ORIGINAL, + IP_CT_DIR_REPLY, + IP_CT_DIR_MAX +}; + +#ifdef __KERNEL__ + +#define DUMP_TUPLE(tp) \ +DEBUGP("tuple %p: %u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", \ + (tp), (tp)->dst.protonum, \ + NIPQUAD((tp)->src.ip), ntohl((tp)->src.u.all), \ + NIPQUAD((tp)->dst.ip), ntohl((tp)->dst.u.all)) + +#define DUMP_TUPLE_RAW(x) \ + DEBUGP("tuple %p: %u %u.%u.%u.%u:0x%08x -> %u.%u.%u.%u:0x%08x\n",\ + (x), (x)->dst.protonum, \ + NIPQUAD((x)->src.ip), ntohl((x)->src.u.all), \ + NIPQUAD((x)->dst.ip), ntohl((x)->dst.u.all)) + +#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL) + +/* If we're the first tuple, it's the original dir. */ +#define DIRECTION(h) ((enum ip_conntrack_dir)(&(h)->ctrack->tuplehash[1] == (h))) + +/* Connections have two entries in the hash table: one for each way */ +struct ip_conntrack_tuple_hash +{ + struct list_head list; + + struct ip_conntrack_tuple tuple; + + /* this == &ctrack->tuplehash[DIRECTION(this)]. */ + struct ip_conntrack *ctrack; +}; + +#endif /* __KERNEL__ */ + +static inline int ip_ct_tuple_src_equal(const struct ip_conntrack_tuple *t1, + const struct ip_conntrack_tuple *t2) +{ + return t1->src.ip == t2->src.ip + && t1->src.u.all == t2->src.u.all; +} + +static inline int ip_ct_tuple_dst_equal(const struct ip_conntrack_tuple *t1, + const struct ip_conntrack_tuple *t2) +{ + return t1->dst.ip == t2->dst.ip + && t1->dst.u.all == t2->dst.u.all + && t1->dst.protonum == t2->dst.protonum; +} + +static inline int ip_ct_tuple_equal(const struct ip_conntrack_tuple *t1, + const struct ip_conntrack_tuple *t2) +{ + return ip_ct_tuple_src_equal(t1, t2) && ip_ct_tuple_dst_equal(t1, t2); +} + +static inline int ip_ct_tuple_mask_cmp(const struct ip_conntrack_tuple *t, + const struct ip_conntrack_tuple *tuple, + const struct ip_conntrack_tuple *mask) +{ + return !(((t->src.ip ^ tuple->src.ip) & mask->src.ip) + || ((t->dst.ip ^ tuple->dst.ip) & mask->dst.ip) + || ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all) + || ((t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all) + || ((t->dst.protonum ^ tuple->dst.protonum) + & mask->dst.protonum)); +} + +#endif /* _IP_CONNTRACK_TUPLE_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_udp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_udp.h new file mode 100644 index 00000000..dcf72046 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_udp.h @@ -0,0 +1,6 @@ +#ifndef _IP_CONNTRACK_UDP_H +#define _IP_CONNTRACK_UDP_H + +#define UDP_TIMEOUT 0 +#define UDP_STREAM_TIMEOUT 1 +#endif /* _IP_CONNTRACK_UDP_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat.h new file mode 100644 index 00000000..b5764a06 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat.h @@ -0,0 +1,133 @@ +#ifndef _IP_NAT_H +#define _IP_NAT_H +#include <linux/netfilter_ipv4.h> +#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> + +#define IP_NAT_MAPPING_TYPE_MAX_NAMELEN 16 + +enum ip_nat_manip_type +{ + IP_NAT_MANIP_SRC, + IP_NAT_MANIP_DST +}; + +#ifndef CONFIG_IP_NF_NAT_LOCAL +/* SRC manip occurs only on POST_ROUTING */ +#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING) +#else +/* SRC manip occurs POST_ROUTING or LOCAL_IN */ +#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN) +#endif + +/* 2.3.19 (I hope) will define this in linux/netfilter_ipv4.h. */ +#ifndef SO_ORIGINAL_DST +#define SO_ORIGINAL_DST 80 +#endif + +#define IP_NAT_RANGE_MAP_IPS 1 +#define IP_NAT_RANGE_PROTO_SPECIFIED 2 +/* Used internally by get_unique_tuple(). */ +#define IP_NAT_RANGE_FULL 4 + +/* NAT sequence number modifications */ +struct ip_nat_seq { + /* position of the last TCP sequence number + * modification (if any) */ + u_int32_t correction_pos; + /* sequence number offset before and after last modification */ + int32_t offset_before, offset_after; +}; + +/* Single range specification. */ +struct ip_nat_range +{ + /* Set to OR of flags above. */ + unsigned int flags; + + /* Inclusive: network order. */ + u_int32_t min_ip, max_ip; + + /* Inclusive: network order */ + union ip_conntrack_manip_proto min, max; +}; + +/* A range consists of an array of 1 or more ip_nat_range */ +struct ip_nat_multi_range +{ + unsigned int rangesize; + + /* hangs off end. */ + struct ip_nat_range range[1]; +}; + +/* Worst case: local-out manip + 1 post-routing, and reverse dirn. */ +#define IP_NAT_MAX_MANIPS (2*3) + +struct ip_nat_info_manip +{ + /* The direction. */ + u_int8_t direction; + + /* Which hook the manipulation happens on. */ + u_int8_t hooknum; + + /* The manipulation type. */ + u_int8_t maniptype; + + /* Manipulations to occur at each conntrack in this dirn. */ + struct ip_conntrack_manip manip; +}; + +#ifdef __KERNEL__ +#include <linux/list.h> +#include <linux/netfilter_ipv4/lockhelp.h> + +/* Protects NAT hash tables, and NAT-private part of conntracks. */ +DECLARE_RWLOCK_EXTERN(ip_nat_lock); + +/* Hashes for by-source and IP/protocol. */ +struct ip_nat_hash +{ + struct list_head list; + + /* conntrack we're embedded in: NULL if not in hash. */ + struct ip_conntrack *conntrack; +}; + +/* The structure embedded in the conntrack structure. */ +struct ip_nat_info +{ + /* Set to zero when conntrack created: bitmask of maniptypes */ + int initialized; + + unsigned int num_manips; + + /* Manipulations to be done on this conntrack. */ + struct ip_nat_info_manip manips[IP_NAT_MAX_MANIPS]; + + /* The mapping type which created us (NULL for null mapping). */ + const struct ip_nat_mapping_type *mtype; + + struct ip_nat_hash bysource, byipsproto; + + /* Helper (NULL if none). */ + struct ip_nat_helper *helper; + + struct ip_nat_seq seq[IP_CT_DIR_MAX]; +}; + +/* Set up the info structure to map into this range. */ +extern unsigned int ip_nat_setup_info(struct ip_conntrack *conntrack, + const struct ip_nat_multi_range *mr, + unsigned int hooknum); + +/* Is this tuple already taken? (not by us)*/ +extern int ip_nat_used_tuple(const struct ip_conntrack_tuple *tuple, + const struct ip_conntrack *ignored_conntrack); + +/* Calculate relative checksum. */ +extern u_int16_t ip_nat_cheat_check(u_int32_t oldvalinv, + u_int32_t newval, + u_int16_t oldcheck); +#endif /*__KERNEL__*/ +#endif diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_core.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_core.h new file mode 100644 index 00000000..e34e0833 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_core.h @@ -0,0 +1,33 @@ +#ifndef _IP_NAT_CORE_H +#define _IP_NAT_CORE_H +#include <linux/list.h> +#include <linux/netfilter_ipv4/ip_conntrack.h> + +/* This header used to share core functionality between the standalone + NAT module, and the compatibility layer's use of NAT for masquerading. */ +extern int ip_nat_init(void); +extern void ip_nat_cleanup(void); + +extern unsigned int do_bindings(struct ip_conntrack *ct, + enum ip_conntrack_info conntrackinfo, + struct ip_nat_info *info, + unsigned int hooknum, + struct sk_buff **pskb); + +extern struct list_head protos; + +extern unsigned int icmp_reply_translation(struct sk_buff *skb, + struct ip_conntrack *conntrack, + unsigned int hooknum, + int dir); + +extern void replace_in_hashes(struct ip_conntrack *conntrack, + struct ip_nat_info *info); +extern void place_in_hashes(struct ip_conntrack *conntrack, + struct ip_nat_info *info); + +/* Built-in protocols. */ +extern struct ip_nat_protocol ip_nat_protocol_tcp; +extern struct ip_nat_protocol ip_nat_protocol_udp; +extern struct ip_nat_protocol ip_nat_protocol_icmp; +#endif /* _IP_NAT_CORE_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_helper.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_helper.h new file mode 100644 index 00000000..8e2996f7 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_helper.h @@ -0,0 +1,64 @@ +#ifndef _IP_NAT_HELPER_H +#define _IP_NAT_HELPER_H +/* NAT protocol helper routines. */ + +#include <linux/netfilter_ipv4/ip_conntrack.h> + +struct sk_buff; + +/* Flags */ +/* NAT helper must be called on every packet (for TCP) */ +#define IP_NAT_HELPER_F_ALWAYS 0x01 +/* Standalone NAT helper, without a conntrack part */ +#define IP_NAT_HELPER_F_STANDALONE 0x02 + +struct ip_nat_helper +{ + struct list_head list; /* Internal use */ + + const char *name; /* name of the module */ + unsigned char flags; /* Flags (see above) */ + struct module *me; /* pointer to self */ + + /* Mask of things we will help: vs. tuple from server */ + struct ip_conntrack_tuple tuple; + struct ip_conntrack_tuple mask; + + /* Helper function: returns verdict */ + unsigned int (*help)(struct ip_conntrack *ct, + struct ip_conntrack_expect *exp, + struct ip_nat_info *info, + enum ip_conntrack_info ctinfo, + unsigned int hooknum, + struct sk_buff **pskb); + + /* Returns verdict and sets up NAT for this connection */ + unsigned int (*expect)(struct sk_buff **pskb, + unsigned int hooknum, + struct ip_conntrack *ct, + struct ip_nat_info *info); +}; + +extern struct list_head helpers; + +extern int ip_nat_helper_register(struct ip_nat_helper *me); +extern void ip_nat_helper_unregister(struct ip_nat_helper *me); +extern int ip_nat_mangle_tcp_packet(struct sk_buff **skb, + struct ip_conntrack *ct, + enum ip_conntrack_info ctinfo, + unsigned int match_offset, + unsigned int match_len, + char *rep_buffer, + unsigned int rep_len); +extern int ip_nat_mangle_udp_packet(struct sk_buff **skb, + struct ip_conntrack *ct, + enum ip_conntrack_info ctinfo, + unsigned int match_offset, + unsigned int match_len, + char *rep_buffer, + unsigned int rep_len); +extern int ip_nat_seq_adjust(struct sk_buff *skb, + struct ip_conntrack *ct, + enum ip_conntrack_info ctinfo); +extern void ip_nat_delete_sack(struct sk_buff *skb); +#endif diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_pptp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_pptp.h new file mode 100644 index 00000000..eaf66c2e --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_pptp.h @@ -0,0 +1,11 @@ +/* PPTP constants and structs */ +#ifndef _NAT_PPTP_H +#define _NAT_PPTP_H + +/* conntrack private data */ +struct ip_nat_pptp { + u_int16_t pns_call_id; /* NAT'ed PNS call id */ + u_int16_t pac_call_id; /* NAT'ed PAC call id */ +}; + +#endif /* _NAT_PPTP_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_protocol.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_protocol.h new file mode 100644 index 00000000..42e2ebf3 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_protocol.h @@ -0,0 +1,57 @@ +/* Header for use in defining a given protocol. */ +#ifndef _IP_NAT_PROTOCOL_H +#define _IP_NAT_PROTOCOL_H +#include <linux/init.h> +#include <linux/list.h> + +struct iphdr; +struct ip_nat_range; + +struct ip_nat_protocol +{ + struct list_head list; + + /* Protocol name */ + const char *name; + + /* Protocol number. */ + unsigned int protonum; + + /* Do a packet translation according to the ip_nat_proto_manip + * and manip type. */ + void (*manip_pkt)(struct iphdr *iph, size_t len, + const struct ip_conntrack_manip *manip, + enum ip_nat_manip_type maniptype); + + /* Is the manipable part of the tuple between min and max incl? */ + int (*in_range)(const struct ip_conntrack_tuple *tuple, + enum ip_nat_manip_type maniptype, + const union ip_conntrack_manip_proto *min, + const union ip_conntrack_manip_proto *max); + + /* Alter the per-proto part of the tuple (depending on + maniptype), to give a unique tuple in the given range if + possible; return false if not. Per-protocol part of tuple + is initialized to the incoming packet. */ + int (*unique_tuple)(struct ip_conntrack_tuple *tuple, + const struct ip_nat_range *range, + enum ip_nat_manip_type maniptype, + const struct ip_conntrack *conntrack); + + unsigned int (*print)(char *buffer, + const struct ip_conntrack_tuple *match, + const struct ip_conntrack_tuple *mask); + + unsigned int (*print_range)(char *buffer, + const struct ip_nat_range *range); +}; + +/* Protocol registration. */ +extern int ip_nat_protocol_register(struct ip_nat_protocol *proto); +extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto); + +extern int init_protocols(void) __init; +extern void cleanup_protocols(void); +extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum); + +#endif /*_IP_NAT_PROTO_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_rule.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_rule.h new file mode 100644 index 00000000..488efcee --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_nat_rule.h @@ -0,0 +1,18 @@ +#ifndef _IP_NAT_RULE_H +#define _IP_NAT_RULE_H +#include <linux/netfilter_ipv4/ip_conntrack.h> +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter_ipv4/ip_nat.h> + +#ifdef __KERNEL__ + +extern int ip_nat_rule_init(void) __init; +extern void ip_nat_rule_cleanup(void); +extern int ip_nat_rule_find(struct sk_buff **pskb, + unsigned int hooknum, + const struct net_device *in, + const struct net_device *out, + struct ip_conntrack *ct, + struct ip_nat_info *info); +#endif +#endif /* _IP_NAT_RULE_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_pool.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_pool.h new file mode 100644 index 00000000..fd09ecec --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_pool.h @@ -0,0 +1,64 @@ +#ifndef _IP_POOL_H +#define _IP_POOL_H + +/***************************************************************************/ +/* This program is free software; you can redistribute it and/or modify */ +/* it under the terms of the GNU General Public License as published by */ +/* the Free Software Foundation; either version 2 of the License, or */ +/* (at your option) any later version. */ +/* */ +/* This program is distributed in the hope that it will be useful, */ +/* but WITHOUT ANY WARRANTY; without even the implied warranty of */ +/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */ +/* GNU General Public License for more details. */ +/* */ +/* You should have received a copy of the GNU General Public License */ +/* along with this program; if not, write to the Free Software */ +/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/ +/***************************************************************************/ + +/* A sockopt of such quality has hardly ever been seen before on the open + * market! This little beauty, hardly ever used: above 64, so it's + * traditionally used for firewalling, not touched (even once!) by the + * 2.0, 2.2 and 2.4 kernels! + * + * Comes with its own certificate of authenticity, valid anywhere in the + * Free world! + * + * Rusty, 19.4.2000 + */ +#define SO_IP_POOL 81 + +typedef int ip_pool_t; /* pool index */ +#define IP_POOL_NONE ((ip_pool_t)-1) + +struct ip_pool_request { + int op; + ip_pool_t index; + u_int32_t addr; + u_int32_t addr2; +}; + +/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */ + +#define IP_POOL_BAD001 0x00000010 + +#define IP_POOL_FLUSH 0x00000011 /* req.index, no arguments */ +#define IP_POOL_INIT 0x00000012 /* from addr to addr2 incl. */ +#define IP_POOL_DESTROY 0x00000013 /* req.index, no arguments */ +#define IP_POOL_ADD_ADDR 0x00000014 /* add addr to pool */ +#define IP_POOL_DEL_ADDR 0x00000015 /* del addr from pool */ +#define IP_POOL_HIGH_NR 0x00000016 /* result in req.index */ +#define IP_POOL_LOOKUP 0x00000017 /* result in addr and addr2 */ +#define IP_POOL_USAGE 0x00000018 /* result in addr */ +#define IP_POOL_TEST_ADDR 0x00000019 /* result (0/1) returned */ + +#ifdef __KERNEL__ + +/* NOTE: ip_pool_match() and ip_pool_mod() expect ADDR to be host byte order */ +extern int ip_pool_match(ip_pool_t pool, u_int32_t addr); +extern int ip_pool_mod(ip_pool_t pool, u_int32_t addr, int isdel); + +#endif + +#endif /*_IP_POOL_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_queue.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_queue.h new file mode 100644 index 00000000..aa08d68c --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_queue.h @@ -0,0 +1,72 @@ +/* + * This is a module which is used for queueing IPv4 packets and + * communicating with userspace via netlink. + * + * (C) 2000 James Morris, this code is GPL. + */ +#ifndef _IP_QUEUE_H +#define _IP_QUEUE_H + +#ifdef __KERNEL__ +#ifdef DEBUG_IPQ +#define QDEBUG(x...) printk(KERN_DEBUG ## x) +#else +#define QDEBUG(x...) +#endif /* DEBUG_IPQ */ +#else +#include <net/if.h> +#endif /* ! __KERNEL__ */ + +/* Messages sent from kernel */ +typedef struct ipq_packet_msg { + unsigned long packet_id; /* ID of queued packet */ + unsigned long mark; /* Netfilter mark value */ + long timestamp_sec; /* Packet arrival time (seconds) */ + long timestamp_usec; /* Packet arrvial time (+useconds) */ + unsigned int hook; /* Netfilter hook we rode in on */ + char indev_name[IFNAMSIZ]; /* Name of incoming interface */ + char outdev_name[IFNAMSIZ]; /* Name of outgoing interface */ + unsigned short hw_protocol; /* Hardware protocol (network order) */ + unsigned short hw_type; /* Hardware type */ + unsigned char hw_addrlen; /* Hardware address length */ + unsigned char hw_addr[8]; /* Hardware address */ + size_t data_len; /* Length of packet data */ + unsigned char payload[0]; /* Optional packet data */ +} ipq_packet_msg_t; + +/* Messages sent from userspace */ +typedef struct ipq_mode_msg { + unsigned char value; /* Requested mode */ + size_t range; /* Optional range of packet requested */ +} ipq_mode_msg_t; + +typedef struct ipq_verdict_msg { + unsigned int value; /* Verdict to hand to netfilter */ + unsigned long id; /* Packet ID for this verdict */ + size_t data_len; /* Length of replacement data */ + unsigned char payload[0]; /* Optional replacement packet */ +} ipq_verdict_msg_t; + +typedef struct ipq_peer_msg { + union { + ipq_verdict_msg_t verdict; + ipq_mode_msg_t mode; + } msg; +} ipq_peer_msg_t; + +/* Packet delivery modes */ +enum { + IPQ_COPY_NONE, /* Initial mode, packets are dropped */ + IPQ_COPY_META, /* Copy metadata */ + IPQ_COPY_PACKET /* Copy metadata + packet (range) */ +}; +#define IPQ_COPY_MAX IPQ_COPY_PACKET + +/* Types of messages */ +#define IPQM_BASE 0x10 /* standard netlink messages below this */ +#define IPQM_MODE (IPQM_BASE + 1) /* Mode request from peer */ +#define IPQM_VERDICT (IPQM_BASE + 2) /* Verdict from peer */ +#define IPQM_PACKET (IPQM_BASE + 3) /* Packet from kernel */ +#define IPQM_MAX (IPQM_BASE + 4) + +#endif /*_IP_QUEUE_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_tables.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_tables.h new file mode 100644 index 00000000..d2a7f4b4 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_tables.h @@ -0,0 +1,447 @@ +/* + * 25-Jul-1998 Major changes to allow for ip chain table + * + * 3-Jan-2000 Named tables to allow packet selection for different uses. + */ + +/* + * Format of an IP firewall descriptor + * + * src, dst, src_mask, dst_mask are always stored in network byte order. + * flags are stored in host byte order (of course). + * Port numbers are stored in HOST byte order. + */ + +#ifndef _IPTABLES_H +#define _IPTABLES_H + +#ifdef __KERNEL__ +#include <linux/if.h> +#include <linux/types.h> +#include <linux/in.h> +#include <linux/ip.h> +#include <linux/skbuff.h> +#endif +#include <linux/netfilter_ipv4.h> + +#define IPT_FUNCTION_MAXNAMELEN 30 +#define IPT_TABLE_MAXNAMELEN 32 + +/* Yes, Virginia, you have to zero the padding. */ +struct ipt_ip { + /* Source and destination IP addr */ + struct in_addr src, dst; + /* Mask for src and dest IP addr */ + struct in_addr smsk, dmsk; + char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; + unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; + + /* Protocol, 0 = ANY */ + u_int16_t proto; + + /* Flags word */ + u_int8_t flags; + /* Inverse flags */ + u_int8_t invflags; +}; + +struct ipt_entry_match +{ + union { + struct { + u_int16_t match_size; + + /* Used by userspace */ + char name[IPT_FUNCTION_MAXNAMELEN]; + } user; + struct { + u_int16_t match_size; + + /* Used inside the kernel */ + struct ipt_match *match; + } kernel; + + /* Total length */ + u_int16_t match_size; + } u; + + unsigned char data[0]; +}; + +struct ipt_entry_target +{ + union { + struct { + u_int16_t target_size; + + /* Used by userspace */ + char name[IPT_FUNCTION_MAXNAMELEN]; + } user; + struct { + u_int16_t target_size; + + /* Used inside the kernel */ + struct ipt_target *target; + } kernel; + + /* Total length */ + u_int16_t target_size; + } u; + + unsigned char data[0]; +}; + +struct ipt_standard_target +{ + struct ipt_entry_target target; + int verdict; +}; + +struct ipt_counters +{ + u_int64_t pcnt, bcnt; /* Packet and byte counters */ +}; + +/* Values for "flag" field in struct ipt_ip (general ip structure). */ +#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ +#define IPT_F_MASK 0x01 /* All possible flag bits mask. */ + +/* Values for "inv" field in struct ipt_ip. */ +#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ +#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ +#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */ +#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ +#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ +#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */ +#define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ +#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */ + +/* This structure defines each of the firewall rules. Consists of 3 + parts which are 1) general IP header stuff 2) match specific + stuff 3) the target to perform if the rule matches */ +struct ipt_entry +{ + struct ipt_ip ip; + + /* Mark with fields that we care about. */ + unsigned int nfcache; + + /* Size of ipt_entry + matches */ + u_int16_t target_offset; + /* Size of ipt_entry + matches + target */ + u_int16_t next_offset; + + /* Back pointer */ + unsigned int comefrom; + + /* Packet and byte counters. */ + struct ipt_counters counters; + + /* The matches (if any), then the target. */ + unsigned char elems[0]; +}; + +/* + * New IP firewall options for [gs]etsockopt at the RAW IP level. + * Unlike BSD Linux inherits IP options so you don't have to use a raw + * socket for this. Instead we check rights in the calls. */ +#define IPT_BASE_CTL 64 /* base for firewall socket options */ + +#define IPT_SO_SET_REPLACE (IPT_BASE_CTL) +#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) +#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS + +#define IPT_SO_GET_INFO (IPT_BASE_CTL) +#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) +#define IPT_SO_GET_MAX IPT_SO_GET_ENTRIES + +/* CONTINUE verdict for targets */ +#define IPT_CONTINUE 0xFFFFFFFF + +/* For standard target */ +#define IPT_RETURN (-NF_MAX_VERDICT - 1) + +/* TCP matching stuff */ +struct ipt_tcp +{ + u_int16_t spts[2]; /* Source port range. */ + u_int16_t dpts[2]; /* Destination port range. */ + u_int8_t option; /* TCP Option iff non-zero*/ + u_int8_t flg_mask; /* TCP flags mask byte */ + u_int8_t flg_cmp; /* TCP flags compare byte */ + u_int8_t invflags; /* Inverse flags */ +}; + +/* Values for "inv" field in struct ipt_tcp. */ +#define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ +#define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ +#define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */ +#define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */ +#define IPT_TCP_INV_MASK 0x0F /* All possible flags. */ + +/* UDP matching stuff */ +struct ipt_udp +{ + u_int16_t spts[2]; /* Source port range. */ + u_int16_t dpts[2]; /* Destination port range. */ + u_int8_t invflags; /* Inverse flags */ +}; + +/* Values for "invflags" field in struct ipt_udp. */ +#define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ +#define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ +#define IPT_UDP_INV_MASK 0x03 /* All possible flags. */ + +/* ICMP matching stuff */ +struct ipt_icmp +{ + u_int8_t type; /* type to match */ + u_int8_t code[2]; /* range of code */ + u_int8_t invflags; /* Inverse flags */ +}; + +/* Values for "inv" field for struct ipt_icmp. */ +#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */ + +/* The argument to IPT_SO_GET_INFO */ +struct ipt_getinfo +{ + /* Which table: caller fills this in. */ + char name[IPT_TABLE_MAXNAMELEN]; + + /* Kernel fills these in. */ + /* Which hook entry points are valid: bitmask */ + unsigned int valid_hooks; + + /* Hook entry points: one per netfilter hook. */ + unsigned int hook_entry[NF_IP_NUMHOOKS]; + + /* Underflow points. */ + unsigned int underflow[NF_IP_NUMHOOKS]; + + /* Number of entries */ + unsigned int num_entries; + + /* Size of entries. */ + unsigned int size; +}; + +/* The argument to IPT_SO_SET_REPLACE. */ +struct ipt_replace +{ + /* Which table. */ + char name[IPT_TABLE_MAXNAMELEN]; + + /* Which hook entry points are valid: bitmask. You can't + change this. */ + unsigned int valid_hooks; + + /* Number of entries */ + unsigned int num_entries; + + /* Total size of new entries */ + unsigned int size; + + /* Hook entry points. */ + unsigned int hook_entry[NF_IP_NUMHOOKS]; + + /* Underflow points. */ + unsigned int underflow[NF_IP_NUMHOOKS]; + + /* Information about old entries: */ + /* Number of counters (must be equal to current number of entries). */ + unsigned int num_counters; + /* The old entries' counters. */ + struct ipt_counters *counters; + + /* The entries (hang off end: not really an array). */ + struct ipt_entry entries[0]; +}; + +/* The argument to IPT_SO_ADD_COUNTERS. */ +struct ipt_counters_info +{ + /* Which table. */ + char name[IPT_TABLE_MAXNAMELEN]; + + unsigned int num_counters; + + /* The counters (actually `number' of these). */ + struct ipt_counters counters[0]; +}; + +/* The argument to IPT_SO_GET_ENTRIES. */ +struct ipt_get_entries +{ + /* Which table: user fills this in. */ + char name[IPT_TABLE_MAXNAMELEN]; + + /* User fills this in: total entry size. */ + unsigned int size; + + /* The entries. */ + struct ipt_entry entrytable[0]; +}; + +/* Standard return verdict, or do jump. */ +#define IPT_STANDARD_TARGET "" +/* Error verdict. */ +#define IPT_ERROR_TARGET "ERROR" + +/* Helper functions */ +static __inline__ struct ipt_entry_target * +ipt_get_target(struct ipt_entry *e) +{ + return (void *)e + e->target_offset; +} + +/* fn returns 0 to continue iteration */ +#define IPT_MATCH_ITERATE(e, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct ipt_entry_match *__match; \ + \ + for (__i = sizeof(struct ipt_entry); \ + __i < (e)->target_offset; \ + __i += __match->u.match_size) { \ + __match = (void *)(e) + __i; \ + \ + __ret = fn(__match , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct ipt_entry *__entry; \ + \ + for (__i = 0; __i < (size); __i += __entry->next_offset) { \ + __entry = (void *)(entries) + __i; \ + \ + __ret = fn(__entry , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* + * Main firewall chains definitions and global var's definitions. + */ +#ifdef __KERNEL__ + +#include <linux/init.h> +extern void ipt_init(void) __init; + +struct ipt_match +{ + struct list_head list; + + const char name[IPT_FUNCTION_MAXNAMELEN]; + + /* Return true or false: return FALSE and set *hotdrop = 1 to + force immediate packet drop. */ + int (*match)(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const void *matchinfo, + int offset, + const void *hdr, + u_int16_t datalen, + int *hotdrop); + + /* Called when user tries to insert an entry of this type. */ + /* Should return true or false. */ + int (*checkentry)(const char *tablename, + const struct ipt_ip *ip, + void *matchinfo, + unsigned int matchinfosize, + unsigned int hook_mask); + + /* Called when entry of this type deleted. */ + void (*destroy)(void *matchinfo, unsigned int matchinfosize); + + /* Set this to THIS_MODULE if you are a module, otherwise NULL */ + struct module *me; +}; + +/* Registration hooks for targets. */ +struct ipt_target +{ + struct list_head list; + + const char name[IPT_FUNCTION_MAXNAMELEN]; + + /* Returns verdict. */ + unsigned int (*target)(struct sk_buff **pskb, + unsigned int hooknum, + const struct net_device *in, + const struct net_device *out, + const void *targinfo, + void *userdata); + + /* Called when user tries to insert an entry of this type: + hook_mask is a bitmask of hooks from which it can be + called. */ + /* Should return true or false. */ + int (*checkentry)(const char *tablename, + const struct ipt_entry *e, + void *targinfo, + unsigned int targinfosize, + unsigned int hook_mask); + + /* Called when entry of this type deleted. */ + void (*destroy)(void *targinfo, unsigned int targinfosize); + + /* Set this to THIS_MODULE if you are a module, otherwise NULL */ + struct module *me; +}; + +extern int ipt_register_target(struct ipt_target *target); +extern void ipt_unregister_target(struct ipt_target *target); + +extern int ipt_register_match(struct ipt_match *match); +extern void ipt_unregister_match(struct ipt_match *match); + +/* Furniture shopping... */ +struct ipt_table +{ + struct list_head list; + + /* A unique name... */ + char name[IPT_TABLE_MAXNAMELEN]; + + /* Seed table: copied in register_table */ + struct ipt_replace *table; + + /* What hooks you will enter on */ + unsigned int valid_hooks; + + /* Lock for the curtain */ + rwlock_t lock; + + /* Man behind the curtain... */ + struct ipt_table_info *private; + + /* Set this to THIS_MODULE if you are a module, otherwise NULL */ + struct module *me; +}; + +extern int ipt_register_table(struct ipt_table *table); +extern void ipt_unregister_table(struct ipt_table *table); +extern unsigned int ipt_do_table(struct sk_buff **pskb, + unsigned int hook, + const struct net_device *in, + const struct net_device *out, + struct ipt_table *table, + void *userdata); + +#define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1)) +#endif /*__KERNEL__*/ +#endif /* _IPTABLES_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipchains_core.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipchains_core.h new file mode 100644 index 00000000..13546ff8 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipchains_core.h @@ -0,0 +1,193 @@ +/* + * This code is heavily based on the code in ip_fw.h; see that file for + * copyrights and attributions. This code is basically GPL. + * + * 15-Feb-1997: Major changes to allow graphs for firewall rules. + * Paul Russell <Paul.Russell@rustcorp.com.au> and + * Michael Neuling <Michael.Neuling@rustcorp.com.au> + * 2-Nov-1997: Changed types to __u16, etc. + * Removed IP_FW_F_TCPACK & IP_FW_F_BIDIR. + * Added inverse flags field. + * Removed multiple port specs. + */ + +/* + * Format of an IP firewall descriptor + * + * src, dst, src_mask, dst_mask are always stored in network byte order. + * flags are stored in host byte order (of course). + * Port numbers are stored in HOST byte order. + */ + +#ifndef _IP_FWCHAINS_H +#define _IP_FWCHAINS_H + +#ifdef __KERNEL__ +#include <linux/icmp.h> +#include <linux/in.h> +#include <linux/ip.h> +#include <linux/tcp.h> +#include <linux/udp.h> +#endif /* __KERNEL__ */ +#define IP_FW_MAX_LABEL_LENGTH 8 +typedef char ip_chainlabel[IP_FW_MAX_LABEL_LENGTH+1]; + +struct ip_fw +{ + struct in_addr fw_src, fw_dst; /* Source and destination IP addr */ + struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */ + __u32 fw_mark; /* ID to stamp on packet */ + __u16 fw_proto; /* Protocol, 0 = ANY */ + __u16 fw_flg; /* Flags word */ + __u16 fw_invflg; /* Inverse flags */ + __u16 fw_spts[2]; /* Source port range. */ + __u16 fw_dpts[2]; /* Destination port range. */ + __u16 fw_redirpt; /* Port to redirect to. */ + __u16 fw_outputsize; /* Max amount to output to + NETLINK */ + char fw_vianame[IFNAMSIZ]; /* name of interface "via" */ + __u8 fw_tosand, fw_tosxor; /* Revised packet priority */ +}; + +struct ip_fwuser +{ + struct ip_fw ipfw; + ip_chainlabel label; +}; + +/* Values for "fw_flg" field . */ +#define IP_FW_F_PRN 0x0001 /* Print packet if it matches */ +#define IP_FW_F_TCPSYN 0x0002 /* For tcp packets-check SYN only */ +#define IP_FW_F_FRAG 0x0004 /* Set if rule is a fragment rule */ +#define IP_FW_F_MARKABS 0x0008 /* Set the mark to fw_mark, not add. */ +#define IP_FW_F_WILDIF 0x0010 /* Need only match start of interface name. */ +#define IP_FW_F_NETLINK 0x0020 /* Redirect to netlink: 2.1.x only */ +#define IP_FW_F_MASK 0x003F /* All possible flag bits mask */ + +/* Values for "fw_invflg" field. */ +#define IP_FW_INV_SRCIP 0x0001 /* Invert the sense of fw_src. */ +#define IP_FW_INV_DSTIP 0x0002 /* Invert the sense of fw_dst. */ +#define IP_FW_INV_PROTO 0x0004 /* Invert the sense of fw_proto. */ +#define IP_FW_INV_SRCPT 0x0008 /* Invert the sense of source ports. */ +#define IP_FW_INV_DSTPT 0x0010 /* Invert the sense of destination ports. */ +#define IP_FW_INV_VIA 0x0020 /* Invert the sense of fw_vianame. */ +#define IP_FW_INV_SYN 0x0040 /* Invert the sense of IP_FW_F_TCPSYN. */ +#define IP_FW_INV_FRAG 0x0080 /* Invert the sense of IP_FW_F_FRAG. */ + +/* + * New IP firewall options for [gs]etsockopt at the RAW IP level. + * Unlike BSD Linux inherits IP options so you don't have to use + * a raw socket for this. Instead we check rights in the calls. */ + +#define IP_FW_BASE_CTL 64 /* base for firewall socket options */ + +#define IP_FW_APPEND (IP_FW_BASE_CTL) /* Takes ip_fwchange */ +#define IP_FW_REPLACE (IP_FW_BASE_CTL+1) /* Takes ip_fwnew */ +#define IP_FW_DELETE_NUM (IP_FW_BASE_CTL+2) /* Takes ip_fwdelnum */ +#define IP_FW_DELETE (IP_FW_BASE_CTL+3) /* Takes ip_fwchange */ +#define IP_FW_INSERT (IP_FW_BASE_CTL+4) /* Takes ip_fwnew */ +#define IP_FW_FLUSH (IP_FW_BASE_CTL+5) /* Takes ip_chainlabel */ +#define IP_FW_ZERO (IP_FW_BASE_CTL+6) /* Takes ip_chainlabel */ +#define IP_FW_CHECK (IP_FW_BASE_CTL+7) /* Takes ip_fwtest */ +#define IP_FW_MASQ_TIMEOUTS (IP_FW_BASE_CTL+8) /* Takes 3 ints */ +#define IP_FW_CREATECHAIN (IP_FW_BASE_CTL+9) /* Takes ip_chainlabel */ +#define IP_FW_DELETECHAIN (IP_FW_BASE_CTL+10) /* Takes ip_chainlabel */ +#define IP_FW_POLICY (IP_FW_BASE_CTL+11) /* Takes ip_fwpolicy */ +/* Masquerade control, only 1 optname */ + +#define IP_FW_MASQ_CTL (IP_FW_BASE_CTL+12) /* General ip_masq ctl */ + +/* Builtin chain labels */ +#define IP_FW_LABEL_FORWARD "forward" +#define IP_FW_LABEL_INPUT "input" +#define IP_FW_LABEL_OUTPUT "output" + +/* Special targets */ +#define IP_FW_LABEL_MASQUERADE "MASQ" +#define IP_FW_LABEL_REDIRECT "REDIRECT" +#define IP_FW_LABEL_ACCEPT "ACCEPT" +#define IP_FW_LABEL_BLOCK "DENY" +#define IP_FW_LABEL_REJECT "REJECT" +#define IP_FW_LABEL_RETURN "RETURN" +#define IP_FW_LABEL_QUEUE "QUEUE" + +/* Files in /proc/net */ +#define IP_FW_PROC_CHAINS "ip_fwchains" +#define IP_FW_PROC_CHAIN_NAMES "ip_fwnames" + + +struct ip_fwpkt +{ + struct iphdr fwp_iph; /* IP header */ + union { + struct tcphdr fwp_tcph; /* TCP header or */ + struct udphdr fwp_udph; /* UDP header */ + struct icmphdr fwp_icmph; /* ICMP header */ + } fwp_protoh; + struct in_addr fwp_via; /* interface address */ + char fwp_vianame[IFNAMSIZ]; /* interface name */ +}; + +/* The argument to IP_FW_DELETE and IP_FW_APPEND */ +struct ip_fwchange +{ + struct ip_fwuser fwc_rule; + ip_chainlabel fwc_label; +}; + +/* The argument to IP_FW_CHECK. */ +struct ip_fwtest +{ + struct ip_fwpkt fwt_packet; /* Packet to be tested */ + ip_chainlabel fwt_label; /* Block to start test in */ +}; + +/* The argument to IP_FW_DELETE_NUM */ +struct ip_fwdelnum +{ + __u32 fwd_rulenum; + ip_chainlabel fwd_label; +}; + +/* The argument to IP_FW_REPLACE and IP_FW_INSERT */ +struct ip_fwnew +{ + __u32 fwn_rulenum; + struct ip_fwuser fwn_rule; + ip_chainlabel fwn_label; +}; + +/* The argument to IP_FW_POLICY */ +struct ip_fwpolicy +{ + ip_chainlabel fwp_policy; + ip_chainlabel fwp_label; +}; +/* + * timeouts for ip masquerading + */ + +extern int ip_fw_masq_timeouts(void *, int); + + +/* + * Main firewall chains definitions and global var's definitions. + */ + +#ifdef __KERNEL__ + +#include <linux/config.h> +#include <linux/version.h> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0) +#include <linux/init.h> +extern void ip_fw_init(void) __init; +#else /* 2.0.x */ +extern void ip_fw_init(void); +#endif /* 2.1.x */ +extern int ip_fw_ctl(int, void *, int); +#ifdef CONFIG_IP_MASQUERADE +extern int ip_masq_uctl(int, char *, int); +#endif +#endif /* KERNEL */ + +#endif /* _IP_FWCHAINS_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipfwadm_core.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipfwadm_core.h new file mode 100644 index 00000000..8294efd7 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipfwadm_core.h @@ -0,0 +1,256 @@ +#ifndef _IPFWADM_CORE_H +#define _IPFWADM_CORE_H +/* Minor modifications to fit on compatibility framework: + Rusty.Russell@rustcorp.com.au +*/ + +/* + * IP firewalling code. This is taken from 4.4BSD. Please note the + * copyright message below. As per the GPL it must be maintained + * and the licenses thus do not conflict. While this port is subject + * to the GPL I also place my modifications under the original + * license in recognition of the original copyright. + * + * Ported from BSD to Linux, + * Alan Cox 22/Nov/1994. + * Merged and included the FreeBSD-Current changes at Ugen's request + * (but hey it's a lot cleaner now). Ugen would prefer in some ways + * we waited for his final product but since Linux 1.2.0 is about to + * appear it's not practical - Read: It works, it's not clean but please + * don't consider it to be his standard of finished work. + * Alan. + * + * Fixes: + * Pauline Middelink : Added masquerading. + * Jos Vos : Separate input and output firewall + * chains, new "insert" and "append" + * commands to replace "add" commands, + * add ICMP header to struct ip_fwpkt. + * Jos Vos : Add support for matching device names. + * Willy Konynenberg : Add transparent proxying support. + * Jos Vos : Add options for input/output accounting. + * + * All the real work was done by ..... + */ + +/* + * Copyright (c) 1993 Daniel Boulet + * Copyright (c) 1994 Ugen J.S.Antsilevich + * + * Redistribution and use in source forms, with and without modification, + * are permitted provided that this entire comment appears intact. + * + * Redistribution in binary form may occur without any restrictions. + * Obviously, it would be nice if you gave credit where credit is due + * but requiring it would be too onerous. + * + * This software is provided ``AS IS'' without any warranties of any kind. + */ + +/* + * Format of an IP firewall descriptor + * + * src, dst, src_mask, dst_mask are always stored in network byte order. + * flags and num_*_ports are stored in host byte order (of course). + * Port numbers are stored in HOST byte order. + */ + +#ifdef __KERNEL__ +#include <linux/icmp.h> +#include <linux/in.h> +#include <linux/ip.h> +#include <linux/tcp.h> +#include <linux/udp.h> +#endif + +struct ip_fw +{ + struct ip_fw *fw_next; /* Next firewall on chain */ + struct in_addr fw_src, fw_dst; /* Source and destination IP addr */ + struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */ + struct in_addr fw_via; /* IP address of interface "via" */ + struct net_device *fw_viadev; /* device of interface "via" */ + __u16 fw_flg; /* Flags word */ + __u16 fw_nsp, fw_ndp; /* N'of src ports and # of dst ports */ + /* in ports array (dst ports follow */ + /* src ports; max of 10 ports in all; */ + /* count of 0 means match all ports) */ +#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */ + __u16 fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */ + unsigned long fw_pcnt,fw_bcnt; /* Packet and byte counters */ + __u8 fw_tosand, fw_tosxor; /* Revised packet priority */ + char fw_vianame[IFNAMSIZ]; /* name of interface "via" */ +}; + +/* + * Values for "flags" field . + */ + +#define IP_FW_F_ALL 0x0000 /* This is a universal packet firewall*/ +#define IP_FW_F_TCP 0x0001 /* This is a TCP packet firewall */ +#define IP_FW_F_UDP 0x0002 /* This is a UDP packet firewall */ +#define IP_FW_F_ICMP 0x0003 /* This is a ICMP packet firewall */ +#define IP_FW_F_KIND 0x0003 /* Mask to isolate firewall kind */ +#define IP_FW_F_ACCEPT 0x0004 /* This is an accept firewall (as * + * opposed to a deny firewall)* + * */ +#define IP_FW_F_SRNG 0x0008 /* The first two src ports are a min * + * and max range (stored in host byte * + * order). * + * */ +#define IP_FW_F_DRNG 0x0010 /* The first two dst ports are a min * + * and max range (stored in host byte * + * order). * + * (ports[0] <= port <= ports[1]) * + * */ +#define IP_FW_F_PRN 0x0020 /* In verbose mode print this firewall*/ +#define IP_FW_F_BIDIR 0x0040 /* For bidirectional firewalls */ +#define IP_FW_F_TCPSYN 0x0080 /* For tcp packets-check SYN only */ +#define IP_FW_F_ICMPRPL 0x0100 /* Send back icmp unreachable packet */ +#define IP_FW_F_MASQ 0x0200 /* Masquerading */ +#define IP_FW_F_TCPACK 0x0400 /* For tcp-packets match if ACK is set*/ +#define IP_FW_F_REDIR 0x0800 /* Redirect to local port fw_pts[n] */ +#define IP_FW_F_ACCTIN 0x1000 /* Account incoming packets only. */ +#define IP_FW_F_ACCTOUT 0x2000 /* Account outgoing packets only. */ + +#define IP_FW_F_MASK 0x3FFF /* All possible flag bits mask */ + +/* + * New IP firewall options for [gs]etsockopt at the RAW IP level. + * Unlike BSD Linux inherits IP options so you don't have to use + * a raw socket for this. Instead we check rights in the calls. + */ + +#define IP_FW_BASE_CTL 64 /* base for firewall socket options */ + +#define IP_FW_COMMAND 0x00FF /* mask for command without chain */ +#define IP_FW_TYPE 0x0300 /* mask for type (chain) */ +#define IP_FW_SHIFT 8 /* shift count for type (chain) */ + +#define IP_FW_FWD 0 +#define IP_FW_IN 1 +#define IP_FW_OUT 2 +#define IP_FW_ACCT 3 +#define IP_FW_CHAINS 4 /* total number of ip_fw chains */ +#define IP_FW_MASQ 5 + +#define IP_FW_INSERT (IP_FW_BASE_CTL) +#define IP_FW_APPEND (IP_FW_BASE_CTL+1) +#define IP_FW_DELETE (IP_FW_BASE_CTL+2) +#define IP_FW_FLUSH (IP_FW_BASE_CTL+3) +#define IP_FW_ZERO (IP_FW_BASE_CTL+4) +#define IP_FW_POLICY (IP_FW_BASE_CTL+5) +#define IP_FW_CHECK (IP_FW_BASE_CTL+6) +#define IP_FW_MASQ_TIMEOUTS (IP_FW_BASE_CTL+7) + +#define IP_FW_INSERT_FWD (IP_FW_INSERT | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_APPEND_FWD (IP_FW_APPEND | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_DELETE_FWD (IP_FW_DELETE | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_FLUSH_FWD (IP_FW_FLUSH | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_ZERO_FWD (IP_FW_ZERO | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_POLICY_FWD (IP_FW_POLICY | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_CHECK_FWD (IP_FW_CHECK | (IP_FW_FWD << IP_FW_SHIFT)) + +#define IP_FW_INSERT_IN (IP_FW_INSERT | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_APPEND_IN (IP_FW_APPEND | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_DELETE_IN (IP_FW_DELETE | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_FLUSH_IN (IP_FW_FLUSH | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_ZERO_IN (IP_FW_ZERO | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_POLICY_IN (IP_FW_POLICY | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_CHECK_IN (IP_FW_CHECK | (IP_FW_IN << IP_FW_SHIFT)) + +#define IP_FW_INSERT_OUT (IP_FW_INSERT | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_APPEND_OUT (IP_FW_APPEND | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_DELETE_OUT (IP_FW_DELETE | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_FLUSH_OUT (IP_FW_FLUSH | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_ZERO_OUT (IP_FW_ZERO | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_POLICY_OUT (IP_FW_POLICY | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_CHECK_OUT (IP_FW_CHECK | (IP_FW_OUT << IP_FW_SHIFT)) + +#define IP_ACCT_INSERT (IP_FW_INSERT | (IP_FW_ACCT << IP_FW_SHIFT)) +#define IP_ACCT_APPEND (IP_FW_APPEND | (IP_FW_ACCT << IP_FW_SHIFT)) +#define IP_ACCT_DELETE (IP_FW_DELETE | (IP_FW_ACCT << IP_FW_SHIFT)) +#define IP_ACCT_FLUSH (IP_FW_FLUSH | (IP_FW_ACCT << IP_FW_SHIFT)) +#define IP_ACCT_ZERO (IP_FW_ZERO | (IP_FW_ACCT << IP_FW_SHIFT)) + +#define IP_FW_MASQ_INSERT (IP_FW_INSERT | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_ADD (IP_FW_APPEND | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_DEL (IP_FW_DELETE | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_FLUSH (IP_FW_FLUSH | (IP_FW_MASQ << IP_FW_SHIFT)) + +#define IP_FW_MASQ_INSERT (IP_FW_INSERT | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_ADD (IP_FW_APPEND | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_DEL (IP_FW_DELETE | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_FLUSH (IP_FW_FLUSH | (IP_FW_MASQ << IP_FW_SHIFT)) + +struct ip_fwpkt +{ + struct iphdr fwp_iph; /* IP header */ + union { + struct tcphdr fwp_tcph; /* TCP header or */ + struct udphdr fwp_udph; /* UDP header */ + struct icmphdr fwp_icmph; /* ICMP header */ + } fwp_protoh; + struct in_addr fwp_via; /* interface address */ + char fwp_vianame[IFNAMSIZ]; /* interface name */ +}; + +#define IP_FW_MASQCTL_MAX 256 +#define IP_MASQ_MOD_NMAX 32 + +struct ip_fw_masqctl +{ + int mctl_action; + union { + struct { + char name[IP_MASQ_MOD_NMAX]; + char data[1]; + } mod; + } u; +}; + +/* + * timeouts for ip masquerading + */ + +struct ip_fw_masq; + +/* + * Main firewall chains definitions and global var's definitions. + */ + +#ifdef __KERNEL__ + +/* Modes used in the ip_fw_chk() routine. */ +#define IP_FW_MODE_FW 0x00 /* kernel firewall check */ +#define IP_FW_MODE_ACCT_IN 0x01 /* accounting (incoming) */ +#define IP_FW_MODE_ACCT_OUT 0x02 /* accounting (outgoing) */ +#define IP_FW_MODE_CHK 0x04 /* check requested by user */ + +#include <linux/config.h> +#ifdef CONFIG_IP_FIREWALL +extern struct ip_fw *ip_fw_in_chain; +extern struct ip_fw *ip_fw_out_chain; +extern struct ip_fw *ip_fw_fwd_chain; +extern int ip_fw_in_policy; +extern int ip_fw_out_policy; +extern int ip_fw_fwd_policy; +extern int ip_fw_ctl(int, void *, int); +#endif +#ifdef CONFIG_IP_ACCT +extern struct ip_fw *ip_acct_chain; +extern int ip_acct_ctl(int, void *, int); +#endif +#ifdef CONFIG_IP_MASQUERADE +extern int ip_masq_ctl(int, void *, int); +#endif +#ifdef CONFIG_IP_MASQUERADE +extern int ip_masq_ctl(int, void *, int); +#endif + +extern int ip_fw_masq_timeouts(void *user, int len); + +extern int ip_fw_chk(struct iphdr *, struct net_device *, __u16 *, + struct ip_fw *, int, int); +#endif /* KERNEL */ +#endif /* _IP_FW_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_DSCP.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_DSCP.h new file mode 100644 index 00000000..b30f510b --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_DSCP.h @@ -0,0 +1,20 @@ +/* iptables module for setting the IPv4 DSCP field + * + * (C) 2002 Harald Welte <laforge@gnumonks.org> + * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com> + * This software is distributed under GNU GPL v2, 1991 + * + * See RFC2474 for a description of the DSCP field within the IP Header. + * + * ipt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp +*/ +#ifndef _IPT_DSCP_TARGET_H +#define _IPT_DSCP_TARGET_H +#include <linux/netfilter_ipv4/ipt_dscp.h> + +/* target info */ +struct ipt_DSCP_info { + u_int8_t dscp; +}; + +#endif /* _IPT_DSCP_TARGET_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ECN.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ECN.h new file mode 100644 index 00000000..94e0d986 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ECN.h @@ -0,0 +1,31 @@ +/* Header file for iptables ipt_ECN target + * + * (C) 2002 by Harald Welte <laforge@gnumonks.org> + * + * This software is distributed under GNU GPL v2, 1991 + * + * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp +*/ +#ifndef _IPT_ECN_TARGET_H +#define _IPT_ECN_TARGET_H +#include <linux/netfilter_ipv4/ipt_DSCP.h> + +#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK) + +#define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */ +#define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */ +#define IPT_ECN_OP_SET_CWR 0x20 /* set CWR bit of TCP header */ + +#define IPT_ECN_OP_MASK 0xce + +struct ipt_ECN_info { + u_int8_t operation; /* bitset of operations */ + u_int8_t ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */ + union { + struct { + u_int8_t ece:1, cwr:1; /* TCP ECT bits */ + } tcp; + } proto; +}; + +#endif /* _IPT_ECN_TARGET_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_LOG.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_LOG.h new file mode 100644 index 00000000..481e1284 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_LOG.h @@ -0,0 +1,15 @@ +#ifndef _IPT_LOG_H +#define _IPT_LOG_H + +#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ +#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */ +#define IPT_LOG_IPOPT 0x04 /* Log IP options */ +#define IPT_LOG_MASK 0x07 + +struct ipt_log_info { + unsigned char level; + unsigned char logflags; + char prefix[30]; +}; + +#endif /*_IPT_LOG_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_MARK.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_MARK.h new file mode 100644 index 00000000..cc57ae7a --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_MARK.h @@ -0,0 +1,8 @@ +#ifndef _IPT_MARK_H_target +#define _IPT_MARK_H_target + +struct ipt_mark_target_info { + unsigned long mark; +}; + +#endif /*_IPT_MARK_H_target*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_REJECT.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_REJECT.h new file mode 100644 index 00000000..ad195e43 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_REJECT.h @@ -0,0 +1,19 @@ +#ifndef _IPT_REJECT_H +#define _IPT_REJECT_H + +enum ipt_reject_with { + IPT_ICMP_NET_UNREACHABLE, + IPT_ICMP_HOST_UNREACHABLE, + IPT_ICMP_PROT_UNREACHABLE, + IPT_ICMP_PORT_UNREACHABLE, + IPT_ICMP_ECHOREPLY, + IPT_ICMP_NET_PROHIBITED, + IPT_ICMP_HOST_PROHIBITED, + IPT_TCP_RESET +}; + +struct ipt_reject_info { + enum ipt_reject_with with; /* reject type */ +}; + +#endif /*_IPT_REJECT_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TCPMSS.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TCPMSS.h new file mode 100644 index 00000000..aadb3958 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TCPMSS.h @@ -0,0 +1,10 @@ +#ifndef _IPT_TCPMSS_H +#define _IPT_TCPMSS_H + +struct ipt_tcpmss_info { + u_int16_t mss; +}; + +#define IPT_TCPMSS_CLAMP_PMTU 0xffff + +#endif /*_IPT_TCPMSS_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TOS.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TOS.h new file mode 100644 index 00000000..6bf9e1fd --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TOS.h @@ -0,0 +1,12 @@ +#ifndef _IPT_TOS_H_target +#define _IPT_TOS_H_target + +#ifndef IPTOS_NORMALSVC +#define IPTOS_NORMALSVC 0 +#endif + +struct ipt_tos_target_info { + u_int8_t tos; +}; + +#endif /*_IPT_TOS_H_target*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TRIGGER.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TRIGGER.h new file mode 100644 index 00000000..886e2019 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TRIGGER.h @@ -0,0 +1,24 @@ +#ifndef _IPT_TRIGGER_H_target +#define _IPT_TRIGGER_H_target + +#define TRIGGER_TIMEOUT 600 /* 600 secs */ + +enum ipt_trigger_type +{ + IPT_TRIGGER_DNAT = 1, + IPT_TRIGGER_IN = 2, + IPT_TRIGGER_OUT = 3 +}; + +struct ipt_trigger_ports { + u_int16_t mport[2]; /* Related destination port range */ + u_int16_t rport[2]; /* Port range to map related destination port range to */ +}; + +struct ipt_trigger_info { + enum ipt_trigger_type type; + u_int16_t proto; /* Related protocol */ + struct ipt_trigger_ports ports; +}; + +#endif /*_IPT_TRIGGER_H_target*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ULOG.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ULOG.h new file mode 100644 index 00000000..dd8379a2 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ULOG.h @@ -0,0 +1,46 @@ +/* Header file for IP tables userspace logging, Version 1.8 + * + * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org> + * + * Distributed under the terms of GNU GPL */ + +#ifndef _IPT_ULOG_H +#define _IPT_ULOG_H + +#ifndef NETLINK_NFLOG +#define NETLINK_NFLOG 5 +#endif + +#define ULOG_MAC_LEN 80 +#define ULOG_PREFIX_LEN 32 + +#define ULOG_MAX_QLEN 50 +/* Why 50? Well... there is a limit imposed by the slab cache 131000 + * bytes. So the multipart netlink-message has to be < 131000 bytes. + * Assuming a standard ethernet-mtu of 1500, we could define this up + * to 80... but even 50 seems to be big enough. */ + +/* private data structure for each rule with a ULOG target */ +struct ipt_ulog_info { + unsigned int nl_group; + size_t copy_range; + size_t qthreshold; + char prefix[ULOG_PREFIX_LEN]; +}; + +/* Format of the ULOG packets passed through netlink */ +typedef struct ulog_packet_msg { + unsigned long mark; + long timestamp_sec; + long timestamp_usec; + unsigned int hook; + char indev_name[IFNAMSIZ]; + char outdev_name[IFNAMSIZ]; + size_t data_len; + char prefix[ULOG_PREFIX_LEN]; + unsigned char mac_len; + unsigned char mac[ULOG_MAC_LEN]; + unsigned char payload[0]; +} ulog_packet_msg_t; + +#endif /*_IPT_ULOG_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ah.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ah.h new file mode 100644 index 00000000..7b9a2ac7 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ah.h @@ -0,0 +1,16 @@ +#ifndef _IPT_AH_H +#define _IPT_AH_H + +struct ipt_ah +{ + u_int32_t spis[2]; /* Security Parameter Index */ + u_int8_t invflags; /* Inverse flags */ +}; + + + +/* Values for "invflags" field in struct ipt_ah. */ +#define IPT_AH_INV_SPI 0x01 /* Invert the sense of spi. */ +#define IPT_AH_INV_MASK 0x01 /* All possible flags. */ + +#endif /*_IPT_AH_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_conntrack.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_conntrack.h new file mode 100644 index 00000000..10b0c763 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_conntrack.h @@ -0,0 +1,38 @@ +/* Header file for kernel module to match connection tracking information. + * GPL (C) 2001 Marc Boucher (marc@mbsi.ca). + */ + +#ifndef _IPT_CONNTRACK_H +#define _IPT_CONNTRACK_H + +#define IPT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) +#define IPT_CONNTRACK_STATE_INVALID (1 << 0) + +#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1)) +#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2)) + +/* flags, invflags: */ +#define IPT_CONNTRACK_STATE 0x01 +#define IPT_CONNTRACK_PROTO 0x02 +#define IPT_CONNTRACK_ORIGSRC 0x04 +#define IPT_CONNTRACK_ORIGDST 0x08 +#define IPT_CONNTRACK_REPLSRC 0x10 +#define IPT_CONNTRACK_REPLDST 0x20 +#define IPT_CONNTRACK_STATUS 0x40 +#define IPT_CONNTRACK_EXPIRES 0x80 + +struct ipt_conntrack_info +{ + unsigned int statemask, statusmask; + + struct ip_conntrack_tuple tuple[IP_CT_DIR_MAX]; + struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX]; + + unsigned long expires_min, expires_max; + + /* Flags word */ + u_int8_t flags; + /* Inverse flags */ + u_int8_t invflags; +}; +#endif /*_IPT_CONNTRACK_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_dscp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_dscp.h new file mode 100644 index 00000000..2fa6dfe9 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_dscp.h @@ -0,0 +1,23 @@ +/* iptables module for matching the IPv4 DSCP field + * + * (C) 2002 Harald Welte <laforge@gnumonks.org> + * This software is distributed under GNU GPL v2, 1991 + * + * See RFC2474 for a description of the DSCP field within the IP Header. + * + * ipt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp +*/ +#ifndef _IPT_DSCP_H +#define _IPT_DSCP_H + +#define IPT_DSCP_MASK 0xfc /* 11111100 */ +#define IPT_DSCP_SHIFT 2 +#define IPT_DSCP_MAX 0x3f /* 00111111 */ + +/* match info */ +struct ipt_dscp_info { + u_int8_t dscp; + u_int8_t invert; +}; + +#endif /* _IPT_DSCP_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ecn.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ecn.h new file mode 100644 index 00000000..1f0d9a4d --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ecn.h @@ -0,0 +1,33 @@ +/* iptables module for matching the ECN header in IPv4 and TCP header + * + * (C) 2002 Harald Welte <laforge@gnumonks.org> + * + * This software is distributed under GNU GPL v2, 1991 + * + * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp +*/ +#ifndef _IPT_ECN_H +#define _IPT_ECN_H +#include <linux/netfilter_ipv4/ipt_dscp.h> + +#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK) + +#define IPT_ECN_OP_MATCH_IP 0x01 +#define IPT_ECN_OP_MATCH_ECE 0x10 +#define IPT_ECN_OP_MATCH_CWR 0x20 + +#define IPT_ECN_OP_MATCH_MASK 0xce + +/* match info */ +struct ipt_ecn_info { + u_int8_t operation; + u_int8_t invert; + u_int8_t ip_ect; + union { + struct { + u_int8_t ect; + } tcp; + } proto; +}; + +#endif /* _IPT_ECN_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_esp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_esp.h new file mode 100644 index 00000000..c782a83e --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_esp.h @@ -0,0 +1,16 @@ +#ifndef _IPT_ESP_H +#define _IPT_ESP_H + +struct ipt_esp +{ + u_int32_t spis[2]; /* Security Parameter Index */ + u_int8_t invflags; /* Inverse flags */ +}; + + + +/* Values for "invflags" field in struct ipt_esp. */ +#define IPT_ESP_INV_SPI 0x01 /* Invert the sense of spi. */ +#define IPT_ESP_INV_MASK 0x01 /* All possible flags. */ + +#endif /*_IPT_ESP_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_helper.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_helper.h new file mode 100644 index 00000000..6f12ecb8 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_helper.h @@ -0,0 +1,8 @@ +#ifndef _IPT_HELPER_H +#define _IPT_HELPER_H + +struct ipt_helper_info { + int invert; + char name[30]; +}; +#endif /* _IPT_HELPER_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_length.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_length.h new file mode 100644 index 00000000..6e088522 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_length.h @@ -0,0 +1,9 @@ +#ifndef _IPT_LENGTH_H +#define _IPT_LENGTH_H + +struct ipt_length_info { + u_int16_t min, max; + u_int8_t invert; +}; + +#endif /*_IPT_LENGTH_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_limit.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_limit.h new file mode 100644 index 00000000..25645340 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_limit.h @@ -0,0 +1,21 @@ +#ifndef _IPT_RATE_H +#define _IPT_RATE_H + +/* timings are in milliseconds. */ +#define IPT_LIMIT_SCALE 10000 + +/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 + seconds, or one every 59 hours. */ +struct ipt_rateinfo { + u_int32_t avg; /* Average secs between packets * scale */ + u_int32_t burst; /* Period multiplier for upper limit. */ + + /* Used internally by the kernel */ + unsigned long prev; + u_int32_t credit; + u_int32_t credit_cap, cost; + + /* Ugly, ugly fucker. */ + struct ipt_rateinfo *master; +}; +#endif /*_IPT_RATE_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_mac.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_mac.h new file mode 100644 index 00000000..f8d5b8e7 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_mac.h @@ -0,0 +1,8 @@ +#ifndef _IPT_MAC_H +#define _IPT_MAC_H + +struct ipt_mac_info { + unsigned char srcaddr[ETH_ALEN]; + int invert; +}; +#endif /*_IPT_MAC_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_mark.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_mark.h new file mode 100644 index 00000000..f3952b56 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_mark.h @@ -0,0 +1,9 @@ +#ifndef _IPT_MARK_H +#define _IPT_MARK_H + +struct ipt_mark_info { + unsigned long mark, mask; + u_int8_t invert; +}; + +#endif /*_IPT_MARK_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_mport.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_mport.h new file mode 100644 index 00000000..5c3c55a4 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_mport.h @@ -0,0 +1,24 @@ +#ifndef _IPT_MPORT_H +#define _IPT_MPORT_H +#include <linux/netfilter_ipv4/ip_tables.h> + +#define IPT_MPORT_SOURCE (1<<0) +#define IPT_MPORT_DESTINATION (1<<1) +#define IPT_MPORT_EITHER (IPT_MPORT_SOURCE|IPT_MPORT_DESTINATION) + +#define IPT_MULTI_PORTS 15 + +/* Must fit inside union ipt_matchinfo: 32 bytes */ +/* every entry in ports[] except for the last one has one bit in pflags + * associated with it. If this bit is set, the port is the first port of + * a portrange, with the next entry being the last. + * End of list is marked with pflags bit set and port=65535. + * If 14 ports are used (last one does not have a pflag), the last port + * is repeated to fill the last entry in ports[] */ +struct ipt_mport +{ + u_int8_t flags:2; /* Type of comparison */ + u_int16_t pflags:14; /* Port flags */ + u_int16_t ports[IPT_MULTI_PORTS]; /* Ports */ +}; +#endif /*_IPT_MPORT_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_multiport.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_multiport.h new file mode 100644 index 00000000..f6e50ae9 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_multiport.h @@ -0,0 +1,21 @@ +#ifndef _IPT_MULTIPORT_H +#define _IPT_MULTIPORT_H +#include <linux/netfilter_ipv4/ip_tables.h> + +enum ipt_multiport_flags +{ + IPT_MULTIPORT_SOURCE, + IPT_MULTIPORT_DESTINATION, + IPT_MULTIPORT_EITHER +}; + +#define IPT_MULTI_PORTS 15 + +/* Must fit inside union ipt_matchinfo: 16 bytes */ +struct ipt_multiport +{ + u_int8_t flags; /* Type of comparison */ + u_int8_t count; /* Number of ports */ + u_int16_t ports[IPT_MULTI_PORTS]; /* Ports */ +}; +#endif /*_IPT_MULTIPORT_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_owner.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_owner.h new file mode 100644 index 00000000..92f4bdac --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_owner.h @@ -0,0 +1,20 @@ +#ifndef _IPT_OWNER_H +#define _IPT_OWNER_H + +/* match and invert flags */ +#define IPT_OWNER_UID 0x01 +#define IPT_OWNER_GID 0x02 +#define IPT_OWNER_PID 0x04 +#define IPT_OWNER_SID 0x08 +#define IPT_OWNER_COMM 0x10 + +struct ipt_owner_info { + uid_t uid; + gid_t gid; + pid_t pid; + pid_t sid; + char comm[16]; + u_int8_t match, invert; /* flags */ +}; + +#endif /*_IPT_OWNER_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_physdev.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_physdev.h new file mode 100644 index 00000000..7538c865 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_physdev.h @@ -0,0 +1,24 @@ +#ifndef _IPT_PHYSDEV_H +#define _IPT_PHYSDEV_H + +#ifdef __KERNEL__ +#include <linux/if.h> +#endif + +#define IPT_PHYSDEV_OP_IN 0x01 +#define IPT_PHYSDEV_OP_OUT 0x02 +#define IPT_PHYSDEV_OP_BRIDGED 0x04 +#define IPT_PHYSDEV_OP_ISIN 0x08 +#define IPT_PHYSDEV_OP_ISOUT 0x10 +#define IPT_PHYSDEV_OP_MASK (0x20 - 1) + +struct ipt_physdev_info { + char physindev[IFNAMSIZ]; + char in_mask[IFNAMSIZ]; + char physoutdev[IFNAMSIZ]; + char out_mask[IFNAMSIZ]; + u_int8_t invert; + u_int8_t bitmask; +}; + +#endif /*_IPT_PHYSDEV_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_pkttype.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_pkttype.h new file mode 100644 index 00000000..d53a6584 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_pkttype.h @@ -0,0 +1,8 @@ +#ifndef _IPT_PKTTYPE_H +#define _IPT_PKTTYPE_H + +struct ipt_pkttype_info { + int pkttype; + int invert; +}; +#endif /*_IPT_PKTTYPE_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_pool.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_pool.h new file mode 100644 index 00000000..f0c5779b --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_pool.h @@ -0,0 +1,25 @@ +#ifndef _IPT_POOL_H +#define _IPT_POOL_H + +#include <linux/netfilter_ipv4/ip_pool.h> + +#define IPT_POOL_INV_SRC 0x00000001 +#define IPT_POOL_INV_DST 0x00000002 +#define IPT_POOL_DEL_SRC 0x00000004 +#define IPT_POOL_DEL_DST 0x00000008 +#define IPT_POOL_INV_MOD_SRC 0x00000010 +#define IPT_POOL_INV_MOD_DST 0x00000020 +#define IPT_POOL_MOD_SRC_ACCEPT 0x00000040 +#define IPT_POOL_MOD_DST_ACCEPT 0x00000080 +#define IPT_POOL_MOD_SRC_DROP 0x00000100 +#define IPT_POOL_MOD_DST_DROP 0x00000200 + +/* match info */ +struct ipt_pool_info +{ + ip_pool_t src; + ip_pool_t dst; + unsigned flags; +}; + +#endif /*_IPT_POOL_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_state.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_state.h new file mode 100644 index 00000000..e298baf1 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_state.h @@ -0,0 +1,11 @@ +#ifndef _IPT_STATE_H +#define _IPT_STATE_H + +#define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) +#define IPT_STATE_INVALID (1 << 0) + +struct ipt_state_info +{ + unsigned int statemask; +}; +#endif /*_IPT_STATE_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_tcpmss.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_tcpmss.h new file mode 100644 index 00000000..e2b14397 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_tcpmss.h @@ -0,0 +1,9 @@ +#ifndef _IPT_TCPMSS_MATCH_H +#define _IPT_TCPMSS_MATCH_H + +struct ipt_tcpmss_match_info { + u_int16_t mss_min, mss_max; + u_int8_t invert; +}; + +#endif /*_IPT_TCPMSS_MATCH_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_time.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_time.h new file mode 100644 index 00000000..1ccdbb3d --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_time.h @@ -0,0 +1,13 @@ +#ifndef __ipt_time_h_included__ +#define __ipt_time_h_included__ + + +struct ipt_time_info { + unsigned int days_match; /* 1 bit per day (bit 0 = Sunday) */ + unsigned int time_start; /* 0 < time_start < 24*60*60-1 = 86399 */ + unsigned int time_stop; /* 0 < time_end < 24*60*60-1 = 86399 */ + int kerneltime; /* ignore skb time (and use kerneltime) or not. */ +}; + + +#endif /* __ipt_time_h_included__ */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_tos.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_tos.h new file mode 100644 index 00000000..a21f5df2 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_tos.h @@ -0,0 +1,13 @@ +#ifndef _IPT_TOS_H +#define _IPT_TOS_H + +struct ipt_tos_info { + u_int8_t tos; + u_int8_t invert; +}; + +#ifndef IPTOS_NORMALSVC +#define IPTOS_NORMALSVC 0 +#endif + +#endif /*_IPT_TOS_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ttl.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ttl.h new file mode 100644 index 00000000..ee24fd86 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ttl.h @@ -0,0 +1,21 @@ +/* IP tables module for matching the value of the TTL + * (C) 2000 by Harald Welte <laforge@gnumonks.org> */ + +#ifndef _IPT_TTL_H +#define _IPT_TTL_H + +enum { + IPT_TTL_EQ = 0, /* equals */ + IPT_TTL_NE, /* not equals */ + IPT_TTL_LT, /* less than */ + IPT_TTL_GT, /* greater than */ +}; + + +struct ipt_ttl_info { + u_int8_t mode; + u_int8_t ttl; +}; + + +#endif diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_webstr.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_webstr.h new file mode 100644 index 00000000..1b88651c --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_webstr.h @@ -0,0 +1,28 @@ +#ifndef _IPT_WEBSTR_H +#define _IPT_WEBSTR_H + +#define BM_MAX_NLEN 256 +#define BM_MAX_HLEN 1024 + +#define BLK_JAVA 0x01 +#define BLK_ACTIVE 0x02 +#define BLK_COOKIE 0x04 +#define BLK_PROXY 0x08 + +typedef char *(*proc_ipt_search) (char *, char *, int, int); + +struct ipt_webstr_info { + char string[BM_MAX_NLEN]; + u_int16_t invert; + u_int16_t len; + u_int8_t type; +}; + +enum ipt_webstr_type +{ + IPT_WEBSTR_HOST, + IPT_WEBSTR_URL, + IPT_WEBSTR_CONTENT +}; + +#endif /* _IPT_WEBSTR_H */ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/listhelp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/listhelp.h new file mode 100644 index 00000000..3f82ad2b --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/listhelp.h @@ -0,0 +1,115 @@ +#ifndef _LISTHELP_H +#define _LISTHELP_H +#include <linux/config.h> +#include <linux/list.h> +#include <linux/netfilter_ipv4/lockhelp.h> + +/* Header to do more comprehensive job than linux/list.h; assume list + is first entry in structure. */ + +/* Return pointer to first true entry, if any, or NULL. A macro + required to allow inlining of cmpfn. */ +#define LIST_FIND(head, cmpfn, type, args...) \ +({ \ + const struct list_head *__i = (head); \ + \ + ASSERT_READ_LOCK(head); \ + do { \ + __i = __i->next; \ + if (__i == (head)) { \ + __i = NULL; \ + break; \ + } \ + } while (!cmpfn((const type)__i , ## args)); \ + (type)__i; \ +}) + +#define LIST_FIND_W(head, cmpfn, type, args...) \ +({ \ + const struct list_head *__i = (head); \ + \ + ASSERT_WRITE_LOCK(head); \ + do { \ + __i = __i->next; \ + if (__i == (head)) { \ + __i = NULL; \ + break; \ + } \ + } while (!cmpfn((type)__i , ## args)); \ + (type)__i; \ +}) + +static inline int +__list_cmp_same(const void *p1, const void *p2) { return p1 == p2; } + +/* Is this entry in the list? */ +static inline int +list_inlist(struct list_head *head, const void *entry) +{ + return LIST_FIND(head, __list_cmp_same, void *, entry) != NULL; +} + +/* Delete from list. */ +#ifdef CONFIG_NETFILTER_DEBUG +#define LIST_DELETE(head, oldentry) \ +do { \ + ASSERT_WRITE_LOCK(head); \ + if (!list_inlist(head, oldentry)) \ + printk("LIST_DELETE: %s:%u `%s'(%p) not in %s.\n", \ + __FILE__, __LINE__, #oldentry, oldentry, #head); \ + else list_del((struct list_head *)oldentry); \ +} while(0) +#else +#define LIST_DELETE(head, oldentry) list_del((struct list_head *)oldentry) +#endif + +/* Append. */ +static inline void +list_append(struct list_head *head, void *new) +{ + ASSERT_WRITE_LOCK(head); + list_add((new), (head)->prev); +} + +/* Prepend. */ +static inline void +list_prepend(struct list_head *head, void *new) +{ + ASSERT_WRITE_LOCK(head); + list_add(new, head); +} + +/* Insert according to ordering function; insert before first true. */ +#define LIST_INSERT(head, new, cmpfn) \ +do { \ + struct list_head *__i; \ + ASSERT_WRITE_LOCK(head); \ + for (__i = (head)->next; \ + !cmpfn((new), (typeof (new))__i) && __i != (head); \ + __i = __i->next); \ + list_add((struct list_head *)(new), __i->prev); \ +} while(0) + +/* If the field after the list_head is a nul-terminated string, you + can use these functions. */ +static inline int __list_cmp_name(const void *i, const char *name) +{ + return strcmp(name, i+sizeof(struct list_head)) == 0; +} + +/* Returns false if same name already in list, otherwise does insert. */ +static inline int +list_named_insert(struct list_head *head, void *new) +{ + if (LIST_FIND(head, __list_cmp_name, void *, + new + sizeof(struct list_head))) + return 0; + list_prepend(head, new); + return 1; +} + +/* Find this named element in the list. */ +#define list_named_find(head, name) \ +LIST_FIND(head, __list_cmp_name, void *, name) + +#endif /*_LISTHELP_H*/ diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/lockhelp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/lockhelp.h new file mode 100644 index 00000000..46a688e5 --- /dev/null +++ b/release/src/linux/linux/include/linux/netfilter_ipv4/lockhelp.h @@ -0,0 +1,129 @@ +#ifndef _LOCKHELP_H +#define _LOCKHELP_H +#include <linux/config.h> + +#include <linux/spinlock.h> +#include <asm/atomic.h> +#include <linux/interrupt.h> +#include <linux/smp.h> + +/* Header to do help in lock debugging. */ + +#ifdef CONFIG_NETFILTER_DEBUG +struct spinlock_debug +{ + spinlock_t l; + atomic_t locked_by; +}; + +struct rwlock_debug +{ + rwlock_t l; + long read_locked_map; + long write_locked_map; +}; + +#define DECLARE_LOCK(l) \ +struct spinlock_debug l = { SPIN_LOCK_UNLOCKED, ATOMIC_INIT(-1) } +#define DECLARE_LOCK_EXTERN(l) \ +extern struct spinlock_debug l +#define DECLARE_RWLOCK(l) \ +struct rwlock_debug l = { RW_LOCK_UNLOCKED, 0, 0 } +#define DECLARE_RWLOCK_EXTERN(l) \ +extern struct rwlock_debug l + +#define MUST_BE_LOCKED(l) \ +do { if (atomic_read(&(l)->locked_by) != smp_processor_id()) \ + printk("ASSERT %s:%u %s unlocked\n", __FILE__, __LINE__, #l); \ +} while(0) + +#define MUST_BE_UNLOCKED(l) \ +do { if (atomic_read(&(l)->locked_by) == smp_processor_id()) \ + printk("ASSERT %s:%u %s locked\n", __FILE__, __LINE__, #l); \ +} while(0) + +/* Write locked OK as well. */ \ +#define MUST_BE_READ_LOCKED(l) \ +do { if (!((l)->read_locked_map & (1 << smp_processor_id())) \ + && !((l)->write_locked_map & (1 << smp_processor_id()))) \ + printk("ASSERT %s:%u %s not readlocked\n", __FILE__, __LINE__, #l); \ +} while(0) + +#define MUST_BE_WRITE_LOCKED(l) \ +do { if (!((l)->write_locked_map & (1 << smp_processor_id()))) \ + printk("ASSERT %s:%u %s not writelocked\n", __FILE__, __LINE__, #l); \ +} while(0) + +#define MUST_BE_READ_WRITE_UNLOCKED(l) \ +do { if ((l)->read_locked_map & (1 << smp_processor_id())) \ + printk("ASSERT %s:%u %s readlocked\n", __FILE__, __LINE__, #l); \ + else if ((l)->write_locked_map & (1 << smp_processor_id())) \ + printk("ASSERT %s:%u %s writelocked\n", __FILE__, __LINE__, #l); \ +} while(0) + +#define LOCK_BH(lk) \ +do { \ + MUST_BE_UNLOCKED(lk); \ + spin_lock_bh(&(lk)->l); \ + atomic_set(&(lk)->locked_by, smp_processor_id()); \ +} while(0) + +#define UNLOCK_BH(lk) \ +do { \ + MUST_BE_LOCKED(lk); \ + atomic_set(&(lk)->locked_by, -1); \ + spin_unlock_bh(&(lk)->l); \ +} while(0) + +#define READ_LOCK(lk) \ +do { \ + MUST_BE_READ_WRITE_UNLOCKED(lk); \ + read_lock_bh(&(lk)->l); \ + set_bit(smp_processor_id(), &(lk)->read_locked_map); \ +} while(0) + +#define WRITE_LOCK(lk) \ +do { \ + MUST_BE_READ_WRITE_UNLOCKED(lk); \ + write_lock_bh(&(lk)->l); \ + set_bit(smp_processor_id(), &(lk)->write_locked_map); \ +} while(0) + +#define READ_UNLOCK(lk) \ +do { \ + if (!((lk)->read_locked_map & (1 << smp_processor_id()))) \ + printk("ASSERT: %s:%u %s not readlocked\n", \ + __FILE__, __LINE__, #lk); \ + clear_bit(smp_processor_id(), &(lk)->read_locked_map); \ + read_unlock_bh(&(lk)->l); \ +} while(0) + +#define WRITE_UNLOCK(lk) \ +do { \ + MUST_BE_WRITE_LOCKED(lk); \ + clear_bit(smp_processor_id(), &(lk)->write_locked_map); \ + write_unlock_bh(&(lk)->l); \ +} while(0) + +#else +#define DECLARE_LOCK(l) spinlock_t l = SPIN_LOCK_UNLOCKED +#define DECLARE_LOCK_EXTERN(l) extern spinlock_t l +#define DECLARE_RWLOCK(l) rwlock_t l = RW_LOCK_UNLOCKED +#define DECLARE_RWLOCK_EXTERN(l) extern rwlock_t l + +#define MUST_BE_LOCKED(l) +#define MUST_BE_UNLOCKED(l) +#define MUST_BE_READ_LOCKED(l) +#define MUST_BE_WRITE_LOCKED(l) +#define MUST_BE_READ_WRITE_UNLOCKED(l) + +#define LOCK_BH(l) spin_lock_bh(l) +#define UNLOCK_BH(l) spin_unlock_bh(l) + +#define READ_LOCK(l) read_lock_bh(l) +#define WRITE_LOCK(l) write_lock_bh(l) +#define READ_UNLOCK(l) read_unlock_bh(l) +#define WRITE_UNLOCK(l) write_unlock_bh(l) +#endif /*CONFIG_NETFILTER_DEBUG*/ + +#endif /* _LOCKHELP_H */ |