12 files changed, 1128 insertions, 0 deletions
diff --git a/kernel/include/linux/netfilter_ipv4/ip_set.h b/kernel/include/linux/netfilter_ipv4/ip_set.h
new file mode 100644
index 0000000..92a746e
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ip_set.h
@@ -0,0 +1,498 @@
+#ifndef _IP_SET_H
+#define _IP_SET_H
+
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.  
+ */
+
+#if 0
+#define IP_SET_DEBUG
+#endif
+
+/*
+ * A sockopt of such quality has hardly ever been seen before on the open
+ * market!  This little beauty, hardly ever used: above 64, so it's
+ * traditionally used for firewalling, not touched (even once!) by the
+ * 2.0, 2.2 and 2.4 kernels!
+ *
+ * Comes with its own certificate of authenticity, valid anywhere in the
+ * Free world!
+ *
+ * Rusty, 19.4.2000
+ */
+#define SO_IP_SET 		83
+
+/*
+ * Heavily modify by Joakim Axelsson 08.03.2002
+ * - Made it more modulebased
+ *
+ * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
+ * - bindings added
+ * - in order to "deal with" backward compatibility, renamed to ipset
+ */
+
+/* 
+ * Used so that the kernel module and ipset-binary can match their versions 
+ */
+#define IP_SET_PROTOCOL_VERSION 2
+
+#define IP_SET_MAXNAMELEN 32	/* set names and set typenames */
+
+/* Lets work with our own typedef for representing an IP address.
+ * We hope to make the code more portable, possibly to IPv6...
+ *
+ * The representation works in HOST byte order, because most set types
+ * will perform arithmetic operations and compare operations.
+ * 
+ * For now the type is an uint32_t.
+ *
+ * Make sure to ONLY use the functions when translating and parsing
+ * in order to keep the host byte order and make it more portable:
+ *  parse_ip()
+ *  parse_mask()
+ *  parse_ipandmask()
+ *  ip_tostring()
+ * (Joakim: where are they???)
+ */
+
+typedef uint32_t ip_set_ip_t;
+
+/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
+ * and IP_SET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef uint16_t ip_set_id_t;
+
+#define IP_SET_INVALID_ID	65535
+
+/* How deep we follow bindings */
+#define IP_SET_MAX_BINDINGS	6
+
+/*
+ * Option flags for kernel operations (ipt_set_info)
+ */
+#define IPSET_SRC 		0x01	/* Source match/add */
+#define IPSET_DST		0x02	/* Destination match/add */
+#define IPSET_MATCH_INV		0x04	/* Inverse matching */
+
+/*
+ * Set features
+ */
+#define IPSET_TYPE_IP		0x01	/* IP address type of set */
+#define IPSET_TYPE_PORT		0x02	/* Port type of set */
+#define IPSET_DATA_SINGLE	0x04	/* Single data storage */
+#define IPSET_DATA_DOUBLE	0x08	/* Double data storage */
+
+/* Reserved keywords */
+#define IPSET_TOKEN_DEFAULT	":default:"
+#define IPSET_TOKEN_ALL		":all:"
+
+/* SO_IP_SET operation constants, and their request struct types.
+ *
+ * Operation ids:
+ *	  0-99:	 commands with version checking
+ *	100-199: add/del/test/bind/unbind
+ *	200-299: list, save, restore
+ */
+
+/* Single shot operations: 
+ * version, create, destroy, flush, rename and swap 
+ *
+ * Sets are identified by name.
+ */
+
+#define IP_SET_REQ_STD		\
+	unsigned op;		\
+	unsigned version;	\
+	char name[IP_SET_MAXNAMELEN]
+
+#define IP_SET_OP_CREATE	0x00000001	/* Create a new (empty) set */
+struct ip_set_req_create {
+	IP_SET_REQ_STD;
+	char typename[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_OP_DESTROY	0x00000002	/* Remove a (empty) set */
+struct ip_set_req_std {
+	IP_SET_REQ_STD;
+};
+
+#define IP_SET_OP_FLUSH		0x00000003	/* Remove all IPs in a set */
+/* Uses ip_set_req_std */
+
+#define IP_SET_OP_RENAME	0x00000004	/* Rename a set */
+/* Uses ip_set_req_create */
+
+#define IP_SET_OP_SWAP		0x00000005	/* Swap two sets */
+/* Uses ip_set_req_create */
+
+union ip_set_name_index {
+	char name[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+};
+
+#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
+struct ip_set_req_get_set {
+	unsigned op;
+	unsigned version;
+	union ip_set_name_index set;
+};
+
+#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
+/* Uses ip_set_req_get_set */
+
+#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
+struct ip_set_req_version {
+	unsigned op;
+	unsigned version;
+};
+
+/* Double shots operations: 
+ * add, del, test, bind and unbind.
+ *
+ * First we query the kernel to get the index and type of the target set,
+ * then issue the command. Validity of IP is checked in kernel in order
+ * to minimalize sockopt operations.
+ */
+
+/* Get minimal set data for add/del/test/bind/unbind IP */
+#define IP_SET_OP_ADT_GET	0x00000010	/* Get set and type */
+struct ip_set_req_adt_get {
+	unsigned op;
+	unsigned version;
+	union ip_set_name_index set;
+	char typename[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_REQ_BYINDEX	\
+	unsigned op;		\
+	ip_set_id_t index;
+
+struct ip_set_req_adt {
+	IP_SET_REQ_BYINDEX;
+};
+
+#define IP_SET_OP_ADD_IP	0x00000101	/* Add an IP to a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_DEL_IP	0x00000102	/* Remove an IP from a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_TEST_IP	0x00000103	/* Test an IP in a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_BIND_SET	0x00000104	/* Bind an IP to a set */
+/* Uses ip_set_req_bind, with type specific addage */
+struct ip_set_req_bind {
+	IP_SET_REQ_BYINDEX;
+	char binding[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_OP_UNBIND_SET	0x00000105	/* Unbind an IP from a set */
+/* Uses ip_set_req_bind, with type speficic addage 
+ * index = 0 means unbinding for all sets */
+
+#define IP_SET_OP_TEST_BIND_SET	0x00000106	/* Test binding an IP to a set */
+/* Uses ip_set_req_bind, with type specific addage */
+
+/* Multiple shots operations: list, save, restore.
+ *
+ * - check kernel version and query the max number of sets
+ * - get the basic information on all sets
+ *   and size required for the next step
+ * - get actual set data: header, data, bindings
+ */
+
+/* Get max_sets and the index of a queried set
+ */
+#define IP_SET_OP_MAX_SETS	0x00000020
+struct ip_set_req_max_sets {
+	unsigned op;
+	unsigned version;
+	ip_set_id_t max_sets;		/* max_sets */
+	ip_set_id_t sets;		/* real number of sets */
+	union ip_set_name_index set;	/* index of set if name used */
+};
+
+/* Get the id and name of the sets plus size for next step */
+#define IP_SET_OP_LIST_SIZE	0x00000201
+#define IP_SET_OP_SAVE_SIZE	0x00000202
+struct ip_set_req_setnames {
+	unsigned op;
+	ip_set_id_t index;		/* set to list/save */
+	size_t size;			/* size to get setdata/bindings */
+	/* followed by sets number of struct ip_set_name_list */
+};
+
+struct ip_set_name_list {
+	char name[IP_SET_MAXNAMELEN];
+	char typename[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+	ip_set_id_t id;
+};
+
+/* The actual list operation */
+#define IP_SET_OP_LIST		0x00000203
+struct ip_set_req_list {
+	IP_SET_REQ_BYINDEX;
+	/* sets number of struct ip_set_list in reply */ 
+};
+
+struct ip_set_list {
+	ip_set_id_t index;
+	ip_set_id_t binding;
+	u_int32_t ref;
+	size_t header_size;	/* Set header data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+	size_t bindings_size;	/* Set bindings data of bindings_size */
+};
+
+struct ip_set_hash_list {
+	ip_set_ip_t ip;
+	ip_set_id_t binding;
+};
+
+/* The save operation */
+#define IP_SET_OP_SAVE		0x00000204
+/* Uses ip_set_req_list, in the reply replaced by
+ * sets number of struct ip_set_save plus a marker
+ * ip_set_save followed by ip_set_hash_save structures.
+ */
+struct ip_set_save {
+	ip_set_id_t index;
+	ip_set_id_t binding;
+	size_t header_size;	/* Set header data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+};
+
+/* At restoring, ip == 0 means default binding for the given set: */
+struct ip_set_hash_save {
+	ip_set_ip_t ip;
+	ip_set_id_t id;
+	ip_set_id_t binding;
+};
+
+/* The restore operation */
+#define IP_SET_OP_RESTORE	0x00000205
+/* Uses ip_set_req_setnames followed by ip_set_restore structures
+ * plus a marker ip_set_restore, followed by ip_set_hash_save 
+ * structures.
+ */
+struct ip_set_restore {
+	char name[IP_SET_MAXNAMELEN];
+	char typename[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+	size_t header_size;	/* Create data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+};
+
+static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
+{
+	return 4 * ((((b - a + 8) / 8) + 3) / 4);
+}
+
+#ifdef __KERNEL__
+
+#define ip_set_printk(format, args...) 			\
+	do {							\
+		printk("%s: %s: ", __FILE__, __FUNCTION__);	\
+		printk(format "\n" , ## args);			\
+	} while (0)
+
+#if defined(IP_SET_DEBUG)
+#define DP(format, args...) 					\
+	do {							\
+		printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
+		printk(format "\n" , ## args);			\
+	} while (0)
+#define IP_SET_ASSERT(x)					\
+	do {							\
+		if (!(x))					\
+			printk("IP_SET_ASSERT: %s:%i(%s)\n",	\
+				__FILE__, __LINE__, __FUNCTION__); \
+	} while (0)
+#else
+#define DP(format, args...)
+#define IP_SET_ASSERT(x)
+#endif
+
+struct ip_set;
+
+/*
+ * The ip_set_type definition - one per set type, e.g. "ipmap".
+ *
+ * Each individual set has a pointer, set->type, going to one
+ * of these structures. Function pointers inside the structure implement
+ * the real behaviour of the sets.
+ *
+ * If not mentioned differently, the implementation behind the function
+ * pointers of a set_type, is expected to return 0 if ok, and a negative
+ * errno (e.g. -EINVAL) on error.
+ */
+struct ip_set_type {
+	struct list_head list;	/* next in list of set types */
+
+	/* test for IP in set (kernel: iptables -m set src|dst)
+	 * return 0 if not in set, 1 if in set.
+	 */
+	int (*testip_kernel) (struct ip_set *set,
+			      const struct sk_buff * skb, 
+			      ip_set_ip_t *ip,
+			      const u_int32_t *flags,
+			      unsigned char index);
+
+	/* test for IP in set (userspace: ipset -T set IP)
+	 * return 0 if not in set, 1 if in set.
+	 */
+	int (*testip) (struct ip_set *set,
+		       const void *data, size_t size,
+		       ip_set_ip_t *ip);
+
+	/*
+	 * Size of the data structure passed by when
+	 * adding/deletin/testing an entry.
+	 */
+	size_t reqsize;
+
+	/* Add IP into set (userspace: ipset -A set IP)
+	 * Return -EEXIST if the address is already in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address was not already in the set, 0 is returned.
+	 */
+	int (*addip) (struct ip_set *set, 
+		      const void *data, size_t size,
+		      ip_set_ip_t *ip);
+
+	/* Add IP into set (kernel: iptables ... -j SET set src|dst)
+	 * Return -EEXIST if the address is already in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address was not already in the set, 0 is returned.
+	 */
+	int (*addip_kernel) (struct ip_set *set,
+			     const struct sk_buff * skb, 
+			     ip_set_ip_t *ip,
+			     const u_int32_t *flags,
+			     unsigned char index);
+
+	/* remove IP from set (userspace: ipset -D set --entry x)
+	 * Return -EEXIST if the address is NOT in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address really was in the set, 0 is returned.
+	 */
+	int (*delip) (struct ip_set *set, 
+		      const void *data, size_t size,
+		      ip_set_ip_t *ip);
+
+	/* remove IP from set (kernel: iptables ... -j SET --entry x)
+	 * Return -EEXIST if the address is NOT in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address really was in the set, 0 is returned.
+	 */
+	int (*delip_kernel) (struct ip_set *set,
+			     const struct sk_buff * skb, 
+			     ip_set_ip_t *ip,
+			     const u_int32_t *flags,
+			     unsigned char index);
+
+	/* new set creation - allocated type specific items
+	 */
+	int (*create) (struct ip_set *set,
+		       const void *data, size_t size);
+
+	/* retry the operation after successfully tweaking the set
+	 */
+	int (*retry) (struct ip_set *set);
+
+	/* set destruction - free type specific items
+	 * There is no return value.
+	 * Can be called only when child sets are destroyed.
+	 */
+	void (*destroy) (struct ip_set *set);
+
+	/* set flushing - reset all bits in the set, or something similar.
+	 * There is no return value.
+	 */
+	void (*flush) (struct ip_set *set);
+
+	/* Listing: size needed for header
+	 */
+	size_t header_size;
+
+	/* Listing: Get the header
+	 *
+	 * Fill in the information in "data".
+	 * This function is always run after list_header_size() under a 
+	 * writelock on the set. Therefor is the length of "data" always 
+	 * correct. 
+	 */
+	void (*list_header) (const struct ip_set *set, 
+			     void *data);
+
+	/* Listing: Get the size for the set members
+	 */
+	int (*list_members_size) (const struct ip_set *set);
+
+	/* Listing: Get the set members
+	 *
+	 * Fill in the information in "data".
+	 * This function is always run after list_member_size() under a 
+	 * writelock on the set. Therefor is the length of "data" always 
+	 * correct. 
+	 */
+	void (*list_members) (const struct ip_set *set,
+			      void *data);
+
+	char typename[IP_SET_MAXNAMELEN];
+	unsigned char features;
+	int protocol_version;
+
+	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
+	struct module *me;
+};
+
+extern int ip_set_register_set_type(struct ip_set_type *set_type);
+extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
+
+/* A generic ipset */
+struct ip_set {
+	char name[IP_SET_MAXNAMELEN];	/* the name of the set */
+	rwlock_t lock;			/* lock for concurrency control */
+	ip_set_id_t id;			/* set id for swapping */
+	ip_set_id_t binding;		/* default binding for the set */
+	atomic_t ref;			/* in kernel and in hash references */
+	struct ip_set_type *type; 	/* the set types */
+	void *data;			/* pooltype specific data */
+};
+
+/* Structure to bind set elements to sets */
+struct ip_set_hash {
+	struct list_head list;		/* list of clashing entries in hash */
+	ip_set_ip_t ip;			/* ip from set */
+	ip_set_id_t id;			/* set id */
+	ip_set_id_t binding;		/* set we bind the element to */
+};
+
+/* register and unregister set references */
+extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
+extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
+extern void ip_set_put(ip_set_id_t id);
+
+/* API for iptables set match, and SET target */
+extern void ip_set_addip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+extern void ip_set_delip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+extern int ip_set_testip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+
+#endif				/* __KERNEL__ */
+
+#endif /*_IP_SET_H*/
diff --git a/kernel/include/linux/netfilter_ipv4/ip_set_iphash.h b/kernel/include/linux/netfilter_ipv4/ip_set_iphash.h
new file mode 100644
index 0000000..7de854b
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ip_set_iphash.h
@@ -0,0 +1,30 @@
+#ifndef __IP_SET_IPHASH_H
+#define __IP_SET_IPHASH_H
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+#define SETTYPE_NAME "iphash"
+#define MAX_RANGE 0x0000FFFF
+
+struct ip_set_iphash {
+	ip_set_ip_t *members;		/* the iphash proper */
+	uint32_t elements;		/* number of elements */
+	uint32_t hashsize;		/* hash size */
+	uint16_t probes;		/* max number of probes  */
+	uint16_t resize;		/* resize factor in percent */
+	ip_set_ip_t netmask;		/* netmask */
+	void *initval[0];		/* initvals for jhash_1word */
+};
+
+struct ip_set_req_iphash_create {
+	uint32_t hashsize;
+	uint16_t probes;
+	uint16_t resize;
+	ip_set_ip_t netmask;
+};
+
+struct ip_set_req_iphash {
+	ip_set_ip_t ip;
+};
+
+#endif	/* __IP_SET_IPHASH_H */
diff --git a/kernel/include/linux/netfilter_ipv4/ip_set_ipmap.h b/kernel/include/linux/netfilter_ipv4/ip_set_ipmap.h
new file mode 100644
index 0000000..2435102
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ip_set_ipmap.h
@@ -0,0 +1,56 @@
+#ifndef __IP_SET_IPMAP_H
+#define __IP_SET_IPMAP_H
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+#define SETTYPE_NAME "ipmap"
+#define MAX_RANGE 0x0000FFFF
+
+struct ip_set_ipmap {
+	void *members;			/* the ipmap proper */
+	ip_set_ip_t first_ip;		/* host byte order, included in range */
+	ip_set_ip_t last_ip;		/* host byte order, included in range */
+	ip_set_ip_t netmask;		/* subnet netmask */
+	ip_set_ip_t sizeid;		/* size of set in IPs */
+	ip_set_ip_t hosts;		/* number of hosts in a subnet */
+};
+
+struct ip_set_req_ipmap_create {
+	ip_set_ip_t from;
+	ip_set_ip_t to;
+	ip_set_ip_t netmask;
+};
+
+struct ip_set_req_ipmap {
+	ip_set_ip_t ip;
+};
+
+unsigned int
+mask_to_bits(ip_set_ip_t mask)
+{
+	unsigned int bits = 32;
+	ip_set_ip_t maskaddr;
+	
+	if (mask == 0xFFFFFFFF)
+		return bits;
+	
+	maskaddr = 0xFFFFFFFE;
+	while (--bits >= 0 && maskaddr != mask)
+		maskaddr <<= 1;
+	
+	return bits;
+}
+
+ip_set_ip_t
+range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits)
+{
+	ip_set_ip_t mask = 0xFFFFFFFE;
+	
+	*bits = 32;
+	while (--(*bits) >= 0 && mask && (to & mask) != from)
+		mask <<= 1;
+		
+	return mask;
+}
+	
+#endif /* __IP_SET_IPMAP_H */
diff --git a/kernel/include/linux/netfilter_ipv4/ip_set_ipporthash.h b/kernel/include/linux/netfilter_ipv4/ip_set_ipporthash.h
new file mode 100644
index 0000000..b715c56
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ip_set_ipporthash.h
@@ -0,0 +1,34 @@
+#ifndef __IP_SET_IPPORTHASH_H
+#define __IP_SET_IPPORTHASH_H
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+#define SETTYPE_NAME "ipporthash"
+#define MAX_RANGE 0x0000FFFF
+#define INVALID_PORT	(MAX_RANGE + 1)
+
+struct ip_set_ipporthash {
+	ip_set_ip_t *members;		/* the ipporthash proper */
+	uint32_t elements;		/* number of elements */
+	uint32_t hashsize;		/* hash size */
+	uint16_t probes;		/* max number of probes  */
+	uint16_t resize;		/* resize factor in percent */
+	ip_set_ip_t first_ip;		/* host byte order, included in range */
+	ip_set_ip_t last_ip;		/* host byte order, included in range */
+	void *initval[0];		/* initvals for jhash_1word */
+};
+
+struct ip_set_req_ipporthash_create {
+	uint32_t hashsize;
+	uint16_t probes;
+	uint16_t resize;
+	ip_set_ip_t from;
+	ip_set_ip_t to;
+};
+
+struct ip_set_req_ipporthash {
+	ip_set_ip_t ip;
+	ip_set_ip_t port;
+};
+
+#endif	/* __IP_SET_IPPORTHASH_H */
diff --git a/kernel/include/linux/netfilter_ipv4/ip_set_iptree.h b/kernel/include/linux/netfilter_ipv4/ip_set_iptree.h
new file mode 100644
index 0000000..64e716b
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ip_set_iptree.h
@@ -0,0 +1,40 @@
+#ifndef __IP_SET_IPTREE_H
+#define __IP_SET_IPTREE_H
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+#define SETTYPE_NAME "iptree"
+#define MAX_RANGE 0x0000FFFF
+
+struct ip_set_iptreed {
+	unsigned long expires[256];	   	/* x.x.x.ADDR */
+};
+
+struct ip_set_iptreec {
+	struct ip_set_iptreed *tree[256];	/* x.x.ADDR.* */
+};
+
+struct ip_set_iptreeb {
+	struct ip_set_iptreec *tree[256];	/* x.ADDR.*.* */
+};
+
+struct ip_set_iptree {
+	unsigned int timeout;
+	unsigned int gc_interval;
+#ifdef __KERNEL__
+	uint32_t elements;		/* number of elements */
+	struct timer_list gc;
+	struct ip_set_iptreeb *tree[256];	/* ADDR.*.*.* */
+#endif
+};
+
+struct ip_set_req_iptree_create {
+	unsigned int timeout;
+};
+
+struct ip_set_req_iptree {
+	ip_set_ip_t ip;
+	unsigned int timeout;
+};
+
+#endif	/* __IP_SET_IPTREE_H */
diff --git a/kernel/include/linux/netfilter_ipv4/ip_set_iptreemap.h b/kernel/include/linux/netfilter_ipv4/ip_set_iptreemap.h
new file mode 100644
index 0000000..bef576a
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ip_set_iptreemap.h
@@ -0,0 +1,40 @@
+#ifndef __IP_SET_IPTREEMAP_H
+#define __IP_SET_IPTREEMAP_H
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+#define SETTYPE_NAME "iptreemap"
+
+#ifdef __KERNEL__
+struct ip_set_iptreemap_d {
+	unsigned char bitmap[32]; /* x.x.x.y */
+};
+
+struct ip_set_iptreemap_c {
+	struct ip_set_iptreemap_d *tree[256]; /* x.x.y.x */
+};
+
+struct ip_set_iptreemap_b {
+	struct ip_set_iptreemap_c *tree[256]; /* x.y.x.x */
+	unsigned char dirty[32];
+};
+#endif
+
+struct ip_set_iptreemap {
+	unsigned int gc_interval;
+#ifdef __KERNEL__
+	struct timer_list gc;
+	struct ip_set_iptreemap_b *tree[256]; /* y.x.x.x */
+#endif
+};
+
+struct ip_set_req_iptreemap_create {
+	unsigned int gc_interval;
+};
+
+struct ip_set_req_iptreemap {
+	ip_set_ip_t start;
+	ip_set_ip_t end;
+};
+
+#endif /* __IP_SET_IPTREEMAP_H */
diff --git a/kernel/include/linux/netfilter_ipv4/ip_set_jhash.h b/kernel/include/linux/netfilter_ipv4/ip_set_jhash.h
new file mode 100644
index 0000000..25c6b97
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ip_set_jhash.h
@@ -0,0 +1,148 @@
+#ifndef _LINUX_IPSET_JHASH_H
+#define _LINUX_IPSET_JHASH_H
+
+/* This is a copy of linux/jhash.h but the types u32/u8 are changed
+ * to __u32/__u8 so that the header file can be included into
+ * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ */
+
+/* jhash.h: Jenkins hash support.
+ *
+ * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
+ *
+ * http://burtleburtle.net/bob/hash/
+ *
+ * These are the credits from Bob's sources:
+ *
+ * lookup2.c, by Bob Jenkins, December 1996, Public Domain.
+ * hash(), hash2(), hash3, and mix() are externally useful functions.
+ * Routines to test the hash are included if SELF_TEST is defined.
+ * You can use this free for any purpose.  It has no warranty.
+ *
+ * Copyright (C) 2003 David S. Miller (davem@redhat.com)
+ *
+ * I've modified Bob's hash to be useful in the Linux kernel, and
+ * any bugs present are surely my fault.  -DaveM
+ */
+
+/* NOTE: Arguments are modified. */
+#define __jhash_mix(a, b, c) \
+{ \
+  a -= b; a -= c; a ^= (c>>13); \
+  b -= c; b -= a; b ^= (a<<8); \
+  c -= a; c -= b; c ^= (b>>13); \
+  a -= b; a -= c; a ^= (c>>12);  \
+  b -= c; b -= a; b ^= (a<<16); \
+  c -= a; c -= b; c ^= (b>>5); \
+  a -= b; a -= c; a ^= (c>>3);  \
+  b -= c; b -= a; b ^= (a<<10); \
+  c -= a; c -= b; c ^= (b>>15); \
+}
+
+/* The golden ration: an arbitrary value */
+#define JHASH_GOLDEN_RATIO	0x9e3779b9
+
+/* The most generic version, hashes an arbitrary sequence
+ * of bytes.  No alignment or length assumptions are made about
+ * the input key.
+ */
+static inline __u32 jhash(void *key, __u32 length, __u32 initval)
+{
+	__u32 a, b, c, len;
+	__u8 *k = key;
+
+	len = length;
+	a = b = JHASH_GOLDEN_RATIO;
+	c = initval;
+
+	while (len >= 12) {
+		a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24));
+		b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24));
+		c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24));
+
+		__jhash_mix(a,b,c);
+
+		k += 12;
+		len -= 12;
+	}
+
+	c += length;
+	switch (len) {
+	case 11: c += ((__u32)k[10]<<24);
+	case 10: c += ((__u32)k[9]<<16);
+	case 9 : c += ((__u32)k[8]<<8);
+	case 8 : b += ((__u32)k[7]<<24);
+	case 7 : b += ((__u32)k[6]<<16);
+	case 6 : b += ((__u32)k[5]<<8);
+	case 5 : b += k[4];
+	case 4 : a += ((__u32)k[3]<<24);
+	case 3 : a += ((__u32)k[2]<<16);
+	case 2 : a += ((__u32)k[1]<<8);
+	case 1 : a += k[0];
+	};
+
+	__jhash_mix(a,b,c);
+
+	return c;
+}
+
+/* A special optimized version that handles 1 or more of __u32s.
+ * The length parameter here is the number of __u32s in the key.
+ */
+static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval)
+{
+	__u32 a, b, c, len;
+
+	a = b = JHASH_GOLDEN_RATIO;
+	c = initval;
+	len = length;
+
+	while (len >= 3) {
+		a += k[0];
+		b += k[1];
+		c += k[2];
+		__jhash_mix(a, b, c);
+		k += 3; len -= 3;
+	}
+
+	c += length * 4;
+
+	switch (len) {
+	case 2 : b += k[1];
+	case 1 : a += k[0];
+	};
+
+	__jhash_mix(a,b,c);
+
+	return c;
+}
+
+
+/* A special ultra-optimized versions that knows they are hashing exactly
+ * 3, 2 or 1 word(s).
+ *
+ * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
+ *       done at the end is not done here.
+ */
+static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval)
+{
+	a += JHASH_GOLDEN_RATIO;
+	b += JHASH_GOLDEN_RATIO;
+	c += initval;
+
+	__jhash_mix(a, b, c);
+
+	return c;
+}
+
+static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval)
+{
+	return jhash_3words(a, b, 0, initval);
+}
+
+static inline __u32 jhash_1word(__u32 a, __u32 initval)
+{
+	return jhash_3words(a, 0, 0, initval);
+}
+
+#endif /* _LINUX_IPSET_JHASH_H */
diff --git a/kernel/include/linux/netfilter_ipv4/ip_set_macipmap.h b/kernel/include/linux/netfilter_ipv4/ip_set_macipmap.h
new file mode 100644
index 0000000..ee34c9b
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ip_set_macipmap.h
@@ -0,0 +1,38 @@
+#ifndef __IP_SET_MACIPMAP_H
+#define __IP_SET_MACIPMAP_H
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+#define SETTYPE_NAME "macipmap"
+#define MAX_RANGE 0x0000FFFF
+
+/* general flags */
+#define IPSET_MACIP_MATCHUNSET	1
+
+/* per ip flags */
+#define IPSET_MACIP_ISSET	1
+
+struct ip_set_macipmap {
+	void *members;			/* the macipmap proper */
+	ip_set_ip_t first_ip;		/* host byte order, included in range */
+	ip_set_ip_t last_ip;		/* host byte order, included in range */
+	u_int32_t flags;
+};
+
+struct ip_set_req_macipmap_create {
+	ip_set_ip_t from;
+	ip_set_ip_t to;
+	u_int32_t flags;
+};
+
+struct ip_set_req_macipmap {
+	ip_set_ip_t ip;
+	unsigned char ethernet[ETH_ALEN];
+};
+
+struct ip_set_macip {
+	unsigned short flags;
+	unsigned char ethernet[ETH_ALEN];
+};
+
+#endif	/* __IP_SET_MACIPMAP_H */
diff --git a/kernel/include/linux/netfilter_ipv4/ip_set_malloc.h b/kernel/include/linux/netfilter_ipv4/ip_set_malloc.h
new file mode 100644
index 0000000..30701f4
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ip_set_malloc.h
@@ -0,0 +1,143 @@
+#ifndef _IP_SET_MALLOC_H
+#define _IP_SET_MALLOC_H
+
+#ifdef __KERNEL__
+
+static size_t max_malloc_size = 0, max_page_size = 0;
+
+static inline bool init_max_page_size(void)
+{
+	size_t page_size = 0;
+	
+#define CACHE(x) if (max_page_size == 0 || x < max_page_size)	\
+			page_size = x;
+#include <linux/kmalloc_sizes.h>
+#undef CACHE
+	if (page_size) {
+		if (max_malloc_size == 0)
+			max_malloc_size = page_size;
+
+		max_page_size = page_size;
+
+		return 1;
+	}
+	return 0;
+}
+
+struct harray {
+	size_t max_elements;
+	void *arrays[0];
+};
+
+static inline void * 
+__harray_malloc(size_t hashsize, size_t typesize, int flags)
+{
+	struct harray *harray;
+	size_t max_elements, size, i, j;
+
+	BUG_ON(max_page_size == 0);
+
+	if (typesize > max_page_size)
+		return NULL;
+
+	max_elements = max_page_size/typesize;
+	size = hashsize/max_elements;
+	if (hashsize % max_elements)
+		size++;
+	
+	/* Last pointer signals end of arrays */
+	harray = kmalloc(sizeof(struct harray) + (size + 1) * sizeof(void *),
+			 flags);
+
+	if (!harray)
+		return NULL;
+	
+	for (i = 0; i < size - 1; i++) {
+		harray->arrays[i] = kmalloc(max_elements * typesize, flags);
+		if (!harray->arrays[i])
+			goto undo;
+		memset(harray->arrays[i], 0, max_elements * typesize);
+	}
+	harray->arrays[i] = kmalloc((hashsize - i * max_elements) * typesize, 
+				    flags);
+	if (!harray->arrays[i])
+		goto undo;
+	memset(harray->arrays[i], 0, (hashsize - i * max_elements) * typesize);
+
+	harray->max_elements = max_elements;
+	harray->arrays[size] = NULL;
+	
+	return (void *)harray;
+
+    undo:
+    	for (j = 0; j < i; j++) {
+    		kfree(harray->arrays[j]);
+    	}
+    	kfree(harray);
+    	return NULL;
+}
+
+static inline void *
+harray_malloc(size_t hashsize, size_t typesize, int flags)
+{
+	void *harray;
+	
+	do {
+		harray = __harray_malloc(hashsize, typesize, flags|__GFP_NOWARN);
+	} while (harray == NULL && init_max_page_size());
+	
+	return harray;
+}		
+
+static inline void harray_free(void *h)
+{
+	struct harray *harray = (struct harray *) h;
+	size_t i;
+	
+    	for (i = 0; harray->arrays[i] != NULL; i++)
+    		kfree(harray->arrays[i]);
+    	kfree(harray);
+}
+
+static inline void harray_flush(void *h, size_t hashsize, size_t typesize)
+{
+	struct harray *harray = (struct harray *) h;
+	size_t i;
+	
+    	for (i = 0; harray->arrays[i+1] != NULL; i++)
+		memset(harray->arrays[i], 0, harray->max_elements * typesize);
+	memset(harray->arrays[i], 0, 
+	       (hashsize - i * harray->max_elements) * typesize);
+}
+
+#define HARRAY_ELEM(h, type, which)				\
+({								\
+	struct harray *__h = (struct harray *)(h);		\
+	((type)((__h)->arrays[(which)/(__h)->max_elements])	\
+		+ (which)%(__h)->max_elements);			\
+})
+
+/* General memory allocation and deallocation */
+static inline void * ip_set_malloc(size_t bytes)
+{
+	BUG_ON(max_malloc_size == 0);
+
+	if (bytes > max_malloc_size)
+		return vmalloc(bytes);
+	else
+		return kmalloc(bytes, GFP_KERNEL | __GFP_NOWARN);
+}
+
+static inline void ip_set_free(void * data, size_t bytes)
+{
+	BUG_ON(max_malloc_size == 0);
+
+	if (bytes > max_malloc_size)
+		vfree(data);
+	else
+		kfree(data);
+}
+
+#endif				/* __KERNEL__ */
+
+#endif /*_IP_SET_MALLOC_H*/
diff --git a/kernel/include/linux/netfilter_ipv4/ip_set_nethash.h b/kernel/include/linux/netfilter_ipv4/ip_set_nethash.h
new file mode 100644
index 0000000..172ef02
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ip_set_nethash.h
@@ -0,0 +1,55 @@
+#ifndef __IP_SET_NETHASH_H
+#define __IP_SET_NETHASH_H
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+#define SETTYPE_NAME "nethash"
+#define MAX_RANGE 0x0000FFFF
+
+struct ip_set_nethash {
+	ip_set_ip_t *members;		/* the nethash proper */
+	uint32_t elements;		/* number of elements */
+	uint32_t hashsize;		/* hash size */
+	uint16_t probes;		/* max number of probes  */
+	uint16_t resize;		/* resize factor in percent */
+	unsigned char cidr[30];		/* CIDR sizes */
+	void *initval[0];		/* initvals for jhash_1word */
+};
+
+struct ip_set_req_nethash_create {
+	uint32_t hashsize;
+	uint16_t probes;
+	uint16_t resize;
+};
+
+struct ip_set_req_nethash {
+	ip_set_ip_t ip;
+	unsigned char cidr;
+};
+
+static unsigned char shifts[] = {255, 253, 249, 241, 225, 193, 129, 1};
+
+static inline ip_set_ip_t 
+pack(ip_set_ip_t ip, unsigned char cidr)
+{
+	ip_set_ip_t addr, *paddr = &addr;
+	unsigned char n, t, *a;
+
+	addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr))));
+#ifdef __KERNEL__
+	DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr);
+#endif
+	n = cidr / 8;
+	t = cidr % 8;	
+	a = &((unsigned char *)paddr)[n];
+	*a = *a /(1 << (8 - t)) + shifts[t];
+#ifdef __KERNEL__
+	DP("n: %u, t: %u, a: %u", n, t, *a);
+	DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u",
+	   HIPQUAD(ip), cidr, NIPQUAD(addr));
+#endif
+
+	return ntohl(addr);
+}
+
+#endif	/* __IP_SET_NETHASH_H */
diff --git a/kernel/include/linux/netfilter_ipv4/ip_set_portmap.h b/kernel/include/linux/netfilter_ipv4/ip_set_portmap.h
new file mode 100644
index 0000000..c17165c
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ip_set_portmap.h
@@ -0,0 +1,25 @@
+#ifndef __IP_SET_PORTMAP_H
+#define __IP_SET_PORTMAP_H
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+#define SETTYPE_NAME	"portmap"
+#define MAX_RANGE	0x0000FFFF
+#define INVALID_PORT	(MAX_RANGE + 1)
+
+struct ip_set_portmap {
+	void *members;			/* the portmap proper */
+	ip_set_ip_t first_port;		/* host byte order, included in range */
+	ip_set_ip_t last_port;		/* host byte order, included in range */
+};
+
+struct ip_set_req_portmap_create {
+	ip_set_ip_t from;
+	ip_set_ip_t to;
+};
+
+struct ip_set_req_portmap {
+	ip_set_ip_t port;
+};
+
+#endif /* __IP_SET_PORTMAP_H */
diff --git a/kernel/include/linux/netfilter_ipv4/ipt_set.h b/kernel/include/linux/netfilter_ipv4/ipt_set.h
new file mode 100644
index 0000000..2a18b93
--- /dev/null
+++ b/kernel/include/linux/netfilter_ipv4/ipt_set.h
@@ -0,0 +1,21 @@
+#ifndef _IPT_SET_H
+#define _IPT_SET_H
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+struct ipt_set_info {
+	ip_set_id_t index;
+	u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
+};
+
+/* match info */
+struct ipt_set_info_match {
+	struct ipt_set_info match_set;
+};
+
+struct ipt_set_info_target {
+	struct ipt_set_info add_set;
+	struct ipt_set_info del_set;
+};
+
+#endif /*_IPT_SET_H*/