summaryrefslogtreecommitdiffstats
path: root/include/linux
diff options
context:
space:
mode:
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/kernel.h62
-rw-r--r--include/linux/netfilter/x_tables.h30
-rw-r--r--include/linux/netfilter/xt_CONNMARK.h22
-rw-r--r--include/linux/netfilter/xt_MARK.h6
-rw-r--r--include/linux/netfilter/xt_TEE.h3
-rw-r--r--include/linux/netfilter/xt_connmark.h11
-rw-r--r--include/linux/netfilter/xt_mark.h4
-rw-r--r--include/linux/netfilter/xt_recent.h7
-rw-r--r--include/linux/netfilter/xt_set.h110
-rw-r--r--include/linux/netfilter_ipv4/ip_set.h498
-rw-r--r--include/linux/netfilter_ipv4/ipt_set.h21
-rw-r--r--include/linux/netfilter_ipv6.h1
12 files changed, 221 insertions, 554 deletions
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
new file mode 100644
index 00000000..d1671a01
--- /dev/null
+++ b/include/linux/kernel.h
@@ -0,0 +1,62 @@
+#ifndef _LINUX_KERNEL_H
+#define _LINUX_KERNEL_H
+
+/*
+ * 'kernel.h' contains some often-used function prototypes etc
+ */
+#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)
+#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))
+
+
+
+#define SI_LOAD_SHIFT 16
+struct sysinfo {
+ long uptime; /* Seconds since boot */
+ unsigned long loads[3]; /* 1, 5, and 15 minute load averages */
+ unsigned long totalram; /* Total usable main memory size */
+ unsigned long freeram; /* Available memory size */
+ unsigned long sharedram; /* Amount of shared memory */
+ unsigned long bufferram; /* Memory used by buffers */
+ unsigned long totalswap; /* Total swap space size */
+ unsigned long freeswap; /* swap space still available */
+ unsigned short procs; /* Number of current processes */
+ unsigned short pad; /* explicit padding for m68k */
+ unsigned long totalhigh; /* Total high memory size */
+ unsigned long freehigh; /* Available high memory size */
+ unsigned int mem_unit; /* Memory unit size in bytes */
+ char _f[20-2*sizeof(long)-sizeof(int)]; /* Padding: libc5 uses this.. */
+};
+
+/* Force a compilation error if condition is true */
+#define BUILD_BUG_ON(condition) ((void)BUILD_BUG_ON_ZERO(condition))
+
+/* Force a compilation error if condition is constant and true */
+#define MAYBE_BUILD_BUG_ON(cond) ((void)sizeof(char[1 - 2 * !!(cond)]))
+
+/* Force a compilation error if a constant expression is not a power of 2 */
+#define BUILD_BUG_ON_NOT_POWER_OF_2(n) \
+ BUILD_BUG_ON((n) == 0 || (((n) & ((n) - 1)) != 0))
+
+/* Force a compilation error if condition is true, but also produce a
+ result (of value 0 and type size_t), so the expression can be used
+ e.g. in a structure initializer (or where-ever else comma expressions
+ aren't permitted). */
+#define BUILD_BUG_ON_ZERO(e) (sizeof(struct { int:-!!(e); }))
+#define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:-!!(e); }))
+
+/* Trap pasters of __FUNCTION__ at compile-time */
+#define __FUNCTION__ (__func__)
+
+/* This helps us to avoid #ifdef CONFIG_NUMA */
+#ifdef CONFIG_NUMA
+#define NUMA_BUILD 1
+#else
+#define NUMA_BUILD 0
+#endif
+
+/* Rebuild everything on CONFIG_FTRACE_MCOUNT_RECORD */
+#ifdef CONFIG_FTRACE_MCOUNT_RECORD
+# define REBUILD_DUE_TO_FTRACE_MCOUNT_RECORD
+#endif
+
+#endif
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index ccb56410..fa2d9578 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -1,9 +1,10 @@
#ifndef _X_TABLES_H
#define _X_TABLES_H
-
+#include <linux/kernel.h>
#include <linux/types.h>
#define XT_FUNCTION_MAXNAMELEN 30
+#define XT_EXTENSION_MAXNAMELEN 29
#define XT_TABLE_MAXNAMELEN 32
struct xt_entry_match {
@@ -12,8 +13,7 @@ struct xt_entry_match {
__u16 match_size;
/* Used by userspace */
- char name[XT_FUNCTION_MAXNAMELEN-1];
-
+ char name[XT_EXTENSION_MAXNAMELEN];
__u8 revision;
} user;
struct {
@@ -36,8 +36,7 @@ struct xt_entry_target {
__u16 target_size;
/* Used by userspace */
- char name[XT_FUNCTION_MAXNAMELEN-1];
-
+ char name[XT_EXTENSION_MAXNAMELEN];
__u8 revision;
} user;
struct {
@@ -70,8 +69,7 @@ struct xt_standard_target {
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct xt_get_revision {
- char name[XT_FUNCTION_MAXNAMELEN-1];
-
+ char name[XT_EXTENSION_MAXNAMELEN];
__u8 revision;
};
@@ -93,8 +91,7 @@ struct _xt_align {
__u64 u64;
};
-#define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) \
- & ~(__alignof__(struct _xt_align)-1))
+#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
/* Standard return verdict, or do jump. */
#define XT_STANDARD_TARGET ""
@@ -165,4 +162,19 @@ struct xt_counters_info {
XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
+/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
+#define xt_entry_foreach(pos, ehead, esize) \
+ for ((pos) = (typeof(pos))(ehead); \
+ (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
+ (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
+
+/* can only be xt_entry_match, so no use of typeof here */
+#define xt_ematch_foreach(pos, entry) \
+ for ((pos) = (struct xt_entry_match *)entry->elems; \
+ (pos) < (struct xt_entry_match *)((char *)(entry) + \
+ (entry)->target_offset); \
+ (pos) = (struct xt_entry_match *)((char *)(pos) + \
+ (pos)->u.match_size))
+
+
#endif /* _X_TABLES_H */
diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h
index 0a854586..2f2e48ec 100644
--- a/include/linux/netfilter/xt_CONNMARK.h
+++ b/include/linux/netfilter/xt_CONNMARK.h
@@ -1,26 +1,6 @@
#ifndef _XT_CONNMARK_H_target
#define _XT_CONNMARK_H_target
-#include <linux/types.h>
-
-/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- */
-
-enum {
- XT_CONNMARK_SET = 0,
- XT_CONNMARK_SAVE,
- XT_CONNMARK_RESTORE
-};
-
-struct xt_connmark_tginfo1 {
- __u32 ctmark, ctmask, nfmask;
- __u8 mode;
-};
+#include <linux/netfilter/xt_connmark.h>
#endif /*_XT_CONNMARK_H_target*/
diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h
index bc9561bd..41c456de 100644
--- a/include/linux/netfilter/xt_MARK.h
+++ b/include/linux/netfilter/xt_MARK.h
@@ -1,10 +1,6 @@
#ifndef _XT_MARK_H_target
#define _XT_MARK_H_target
-#include <linux/types.h>
-
-struct xt_mark_tginfo2 {
- __u32 mark, mask;
-};
+#include <linux/netfilter/xt_mark.h>
#endif /*_XT_MARK_H_target */
diff --git a/include/linux/netfilter/xt_TEE.h b/include/linux/netfilter/xt_TEE.h
index 55d4a501..5c21d5c8 100644
--- a/include/linux/netfilter/xt_TEE.h
+++ b/include/linux/netfilter/xt_TEE.h
@@ -4,6 +4,9 @@
struct xt_tee_tginfo {
union nf_inet_addr gw;
char oif[16];
+
+ /* used internally by the kernel */
+ struct xt_tee_priv *priv __attribute__((aligned(8)));
};
#endif /* _XT_TEE_TARGET_H */
diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
index 619e47cd..efc17a83 100644
--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/linux/netfilter/xt_connmark.h
@@ -12,6 +12,17 @@
* (at your option) any later version.
*/
+enum {
+ XT_CONNMARK_SET = 0,
+ XT_CONNMARK_SAVE,
+ XT_CONNMARK_RESTORE
+};
+
+struct xt_connmark_tginfo1 {
+ __u32 ctmark, ctmask, nfmask;
+ __u8 mode;
+};
+
struct xt_connmark_mtinfo1 {
__u32 mark, mask;
__u8 invert;
diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h
index 6607c8f3..ecadc40d 100644
--- a/include/linux/netfilter/xt_mark.h
+++ b/include/linux/netfilter/xt_mark.h
@@ -3,6 +3,10 @@
#include <linux/types.h>
+struct xt_mark_tginfo2 {
+ __u32 mark, mask;
+};
+
struct xt_mark_mtinfo1 {
__u32 mark, mask;
__u8 invert;
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
index d2c27660..83318e01 100644
--- a/include/linux/netfilter/xt_recent.h
+++ b/include/linux/netfilter/xt_recent.h
@@ -9,6 +9,7 @@ enum {
XT_RECENT_UPDATE = 1 << 2,
XT_RECENT_REMOVE = 1 << 3,
XT_RECENT_TTL = 1 << 4,
+ XT_RECENT_REAP = 1 << 5,
XT_RECENT_SOURCE = 0,
XT_RECENT_DEST = 1,
@@ -16,6 +17,12 @@ enum {
XT_RECENT_NAME_LEN = 200,
};
+/* Only allowed with --rcheck and --update */
+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
+
+#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
+ XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+
struct xt_recent_mtinfo {
__u32 seconds;
__u32 hit_count;
diff --git a/include/linux/netfilter/xt_set.h b/include/linux/netfilter/xt_set.h
new file mode 100644
index 00000000..3ad31378
--- /dev/null
+++ b/include/linux/netfilter/xt_set.h
@@ -0,0 +1,110 @@
+#ifndef _XT_SET_H
+#define _XT_SET_H
+
+/* The protocol version */
+#define IPSET_PROTOCOL 5
+
+/* The max length of strings including NUL: set and type identifiers */
+#define IPSET_MAXNAMELEN 32
+
+/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
+ * and IPSET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef uint16_t ip_set_id_t;
+
+#define IPSET_INVALID_ID 65535
+
+enum ip_set_dim {
+ IPSET_DIM_ZERO = 0,
+ IPSET_DIM_ONE,
+ IPSET_DIM_TWO,
+ IPSET_DIM_THREE,
+ /* Max dimension in elements.
+ * If changed, new revision of iptables match/target is required.
+ */
+ IPSET_DIM_MAX = 6,
+};
+
+/* Option flags for kernel operations */
+enum ip_set_kopt {
+ IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
+ IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
+ IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
+ IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+};
+
+/* Interface to iptables/ip6tables */
+
+#define SO_IP_SET 83
+
+union ip_set_name_index {
+ char name[IPSET_MAXNAMELEN];
+ ip_set_id_t index;
+};
+
+#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
+struct ip_set_req_get_set {
+ unsigned op;
+ unsigned version;
+ union ip_set_name_index set;
+};
+
+#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
+/* Uses ip_set_req_get_set */
+
+#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
+struct ip_set_req_version {
+ unsigned op;
+ unsigned version;
+};
+
+/* Revision 0 interface: backward compatible with netfilter/iptables */
+
+/*
+ * Option flags for kernel operations (xt_set_info_v0)
+ */
+#define IPSET_SRC 0x01 /* Source match/add */
+#define IPSET_DST 0x02 /* Destination match/add */
+#define IPSET_MATCH_INV 0x04 /* Inverse matching */
+
+struct xt_set_info_v0 {
+ ip_set_id_t index;
+ union {
+ u_int32_t flags[IPSET_DIM_MAX + 1];
+ struct {
+ u_int32_t __flags[IPSET_DIM_MAX];
+ u_int8_t dim;
+ u_int8_t flags;
+ } compat;
+ } u;
+};
+
+/* match and target infos */
+struct xt_set_info_match_v0 {
+ struct xt_set_info_v0 match_set;
+};
+
+struct xt_set_info_target_v0 {
+ struct xt_set_info_v0 add_set;
+ struct xt_set_info_v0 del_set;
+};
+
+/* Revision 1: current interface to netfilter/iptables */
+
+struct xt_set_info {
+ ip_set_id_t index;
+ u_int8_t dim;
+ u_int8_t flags;
+};
+
+/* match and target infos */
+struct xt_set_info_match {
+ struct xt_set_info match_set;
+};
+
+struct xt_set_info_target {
+ struct xt_set_info add_set;
+ struct xt_set_info del_set;
+};
+
+#endif /*_XT_SET_H*/
diff --git a/include/linux/netfilter_ipv4/ip_set.h b/include/linux/netfilter_ipv4/ip_set.h
deleted file mode 100644
index 92a746e9..00000000
--- a/include/linux/netfilter_ipv4/ip_set.h
+++ /dev/null
@@ -1,498 +0,0 @@
-#ifndef _IP_SET_H
-#define _IP_SET_H
-
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- * Patrick Schaaf <bof@bof.de>
- * Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#if 0
-#define IP_SET_DEBUG
-#endif
-
-/*
- * A sockopt of such quality has hardly ever been seen before on the open
- * market! This little beauty, hardly ever used: above 64, so it's
- * traditionally used for firewalling, not touched (even once!) by the
- * 2.0, 2.2 and 2.4 kernels!
- *
- * Comes with its own certificate of authenticity, valid anywhere in the
- * Free world!
- *
- * Rusty, 19.4.2000
- */
-#define SO_IP_SET 83
-
-/*
- * Heavily modify by Joakim Axelsson 08.03.2002
- * - Made it more modulebased
- *
- * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
- * - bindings added
- * - in order to "deal with" backward compatibility, renamed to ipset
- */
-
-/*
- * Used so that the kernel module and ipset-binary can match their versions
- */
-#define IP_SET_PROTOCOL_VERSION 2
-
-#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */
-
-/* Lets work with our own typedef for representing an IP address.
- * We hope to make the code more portable, possibly to IPv6...
- *
- * The representation works in HOST byte order, because most set types
- * will perform arithmetic operations and compare operations.
- *
- * For now the type is an uint32_t.
- *
- * Make sure to ONLY use the functions when translating and parsing
- * in order to keep the host byte order and make it more portable:
- * parse_ip()
- * parse_mask()
- * parse_ipandmask()
- * ip_tostring()
- * (Joakim: where are they???)
- */
-
-typedef uint32_t ip_set_ip_t;
-
-/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
- * and IP_SET_INVALID_ID if you want to increase the max number of sets.
- */
-typedef uint16_t ip_set_id_t;
-
-#define IP_SET_INVALID_ID 65535
-
-/* How deep we follow bindings */
-#define IP_SET_MAX_BINDINGS 6
-
-/*
- * Option flags for kernel operations (ipt_set_info)
- */
-#define IPSET_SRC 0x01 /* Source match/add */
-#define IPSET_DST 0x02 /* Destination match/add */
-#define IPSET_MATCH_INV 0x04 /* Inverse matching */
-
-/*
- * Set features
- */
-#define IPSET_TYPE_IP 0x01 /* IP address type of set */
-#define IPSET_TYPE_PORT 0x02 /* Port type of set */
-#define IPSET_DATA_SINGLE 0x04 /* Single data storage */
-#define IPSET_DATA_DOUBLE 0x08 /* Double data storage */
-
-/* Reserved keywords */
-#define IPSET_TOKEN_DEFAULT ":default:"
-#define IPSET_TOKEN_ALL ":all:"
-
-/* SO_IP_SET operation constants, and their request struct types.
- *
- * Operation ids:
- * 0-99: commands with version checking
- * 100-199: add/del/test/bind/unbind
- * 200-299: list, save, restore
- */
-
-/* Single shot operations:
- * version, create, destroy, flush, rename and swap
- *
- * Sets are identified by name.
- */
-
-#define IP_SET_REQ_STD \
- unsigned op; \
- unsigned version; \
- char name[IP_SET_MAXNAMELEN]
-
-#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */
-struct ip_set_req_create {
- IP_SET_REQ_STD;
- char typename[IP_SET_MAXNAMELEN];
-};
-
-#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */
-struct ip_set_req_std {
- IP_SET_REQ_STD;
-};
-
-#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */
-/* Uses ip_set_req_std */
-
-#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */
-/* Uses ip_set_req_create */
-
-#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */
-/* Uses ip_set_req_create */
-
-union ip_set_name_index {
- char name[IP_SET_MAXNAMELEN];
- ip_set_id_t index;
-};
-
-#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
-struct ip_set_req_get_set {
- unsigned op;
- unsigned version;
- union ip_set_name_index set;
-};
-
-#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
-/* Uses ip_set_req_get_set */
-
-#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
-struct ip_set_req_version {
- unsigned op;
- unsigned version;
-};
-
-/* Double shots operations:
- * add, del, test, bind and unbind.
- *
- * First we query the kernel to get the index and type of the target set,
- * then issue the command. Validity of IP is checked in kernel in order
- * to minimalize sockopt operations.
- */
-
-/* Get minimal set data for add/del/test/bind/unbind IP */
-#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */
-struct ip_set_req_adt_get {
- unsigned op;
- unsigned version;
- union ip_set_name_index set;
- char typename[IP_SET_MAXNAMELEN];
-};
-
-#define IP_SET_REQ_BYINDEX \
- unsigned op; \
- ip_set_id_t index;
-
-struct ip_set_req_adt {
- IP_SET_REQ_BYINDEX;
-};
-
-#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */
-/* Uses ip_set_req_adt, with type specific addage */
-
-#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */
-/* Uses ip_set_req_adt, with type specific addage */
-
-#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */
-/* Uses ip_set_req_adt, with type specific addage */
-
-#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */
-/* Uses ip_set_req_bind, with type specific addage */
-struct ip_set_req_bind {
- IP_SET_REQ_BYINDEX;
- char binding[IP_SET_MAXNAMELEN];
-};
-
-#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */
-/* Uses ip_set_req_bind, with type speficic addage
- * index = 0 means unbinding for all sets */
-
-#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */
-/* Uses ip_set_req_bind, with type specific addage */
-
-/* Multiple shots operations: list, save, restore.
- *
- * - check kernel version and query the max number of sets
- * - get the basic information on all sets
- * and size required for the next step
- * - get actual set data: header, data, bindings
- */
-
-/* Get max_sets and the index of a queried set
- */
-#define IP_SET_OP_MAX_SETS 0x00000020
-struct ip_set_req_max_sets {
- unsigned op;
- unsigned version;
- ip_set_id_t max_sets; /* max_sets */
- ip_set_id_t sets; /* real number of sets */
- union ip_set_name_index set; /* index of set if name used */
-};
-
-/* Get the id and name of the sets plus size for next step */
-#define IP_SET_OP_LIST_SIZE 0x00000201
-#define IP_SET_OP_SAVE_SIZE 0x00000202
-struct ip_set_req_setnames {
- unsigned op;
- ip_set_id_t index; /* set to list/save */
- size_t size; /* size to get setdata/bindings */
- /* followed by sets number of struct ip_set_name_list */
-};
-
-struct ip_set_name_list {
- char name[IP_SET_MAXNAMELEN];
- char typename[IP_SET_MAXNAMELEN];
- ip_set_id_t index;
- ip_set_id_t id;
-};
-
-/* The actual list operation */
-#define IP_SET_OP_LIST 0x00000203
-struct ip_set_req_list {
- IP_SET_REQ_BYINDEX;
- /* sets number of struct ip_set_list in reply */
-};
-
-struct ip_set_list {
- ip_set_id_t index;
- ip_set_id_t binding;
- u_int32_t ref;
- size_t header_size; /* Set header data of header_size */
- size_t members_size; /* Set members data of members_size */
- size_t bindings_size; /* Set bindings data of bindings_size */
-};
-
-struct ip_set_hash_list {
- ip_set_ip_t ip;
- ip_set_id_t binding;
-};
-
-/* The save operation */
-#define IP_SET_OP_SAVE 0x00000204
-/* Uses ip_set_req_list, in the reply replaced by
- * sets number of struct ip_set_save plus a marker
- * ip_set_save followed by ip_set_hash_save structures.
- */
-struct ip_set_save {
- ip_set_id_t index;
- ip_set_id_t binding;
- size_t header_size; /* Set header data of header_size */
- size_t members_size; /* Set members data of members_size */
-};
-
-/* At restoring, ip == 0 means default binding for the given set: */
-struct ip_set_hash_save {
- ip_set_ip_t ip;
- ip_set_id_t id;
- ip_set_id_t binding;
-};
-
-/* The restore operation */
-#define IP_SET_OP_RESTORE 0x00000205
-/* Uses ip_set_req_setnames followed by ip_set_restore structures
- * plus a marker ip_set_restore, followed by ip_set_hash_save
- * structures.
- */
-struct ip_set_restore {
- char name[IP_SET_MAXNAMELEN];
- char typename[IP_SET_MAXNAMELEN];
- ip_set_id_t index;
- size_t header_size; /* Create data of header_size */
- size_t members_size; /* Set members data of members_size */
-};
-
-static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
-{
- return 4 * ((((b - a + 8) / 8) + 3) / 4);
-}
-
-#ifdef __KERNEL__
-
-#define ip_set_printk(format, args...) \
- do { \
- printk("%s: %s: ", __FILE__, __FUNCTION__); \
- printk(format "\n" , ## args); \
- } while (0)
-
-#if defined(IP_SET_DEBUG)
-#define DP(format, args...) \
- do { \
- printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
- printk(format "\n" , ## args); \
- } while (0)
-#define IP_SET_ASSERT(x) \
- do { \
- if (!(x)) \
- printk("IP_SET_ASSERT: %s:%i(%s)\n", \
- __FILE__, __LINE__, __FUNCTION__); \
- } while (0)
-#else
-#define DP(format, args...)
-#define IP_SET_ASSERT(x)
-#endif
-
-struct ip_set;
-
-/*
- * The ip_set_type definition - one per set type, e.g. "ipmap".
- *
- * Each individual set has a pointer, set->type, going to one
- * of these structures. Function pointers inside the structure implement
- * the real behaviour of the sets.
- *
- * If not mentioned differently, the implementation behind the function
- * pointers of a set_type, is expected to return 0 if ok, and a negative
- * errno (e.g. -EINVAL) on error.
- */
-struct ip_set_type {
- struct list_head list; /* next in list of set types */
-
- /* test for IP in set (kernel: iptables -m set src|dst)
- * return 0 if not in set, 1 if in set.
- */
- int (*testip_kernel) (struct ip_set *set,
- const struct sk_buff * skb,
- ip_set_ip_t *ip,
- const u_int32_t *flags,
- unsigned char index);
-
- /* test for IP in set (userspace: ipset -T set IP)
- * return 0 if not in set, 1 if in set.
- */
- int (*testip) (struct ip_set *set,
- const void *data, size_t size,
- ip_set_ip_t *ip);
-
- /*
- * Size of the data structure passed by when
- * adding/deletin/testing an entry.
- */
- size_t reqsize;
-
- /* Add IP into set (userspace: ipset -A set IP)
- * Return -EEXIST if the address is already in the set,
- * and -ERANGE if the address lies outside the set bounds.
- * If the address was not already in the set, 0 is returned.
- */
- int (*addip) (struct ip_set *set,
- const void *data, size_t size,
- ip_set_ip_t *ip);
-
- /* Add IP into set (kernel: iptables ... -j SET set src|dst)
- * Return -EEXIST if the address is already in the set,
- * and -ERANGE if the address lies outside the set bounds.
- * If the address was not already in the set, 0 is returned.
- */
- int (*addip_kernel) (struct ip_set *set,
- const struct sk_buff * skb,
- ip_set_ip_t *ip,
- const u_int32_t *flags,
- unsigned char index);
-
- /* remove IP from set (userspace: ipset -D set --entry x)
- * Return -EEXIST if the address is NOT in the set,
- * and -ERANGE if the address lies outside the set bounds.
- * If the address really was in the set, 0 is returned.
- */
- int (*delip) (struct ip_set *set,
- const void *data, size_t size,
- ip_set_ip_t *ip);
-
- /* remove IP from set (kernel: iptables ... -j SET --entry x)
- * Return -EEXIST if the address is NOT in the set,
- * and -ERANGE if the address lies outside the set bounds.
- * If the address really was in the set, 0 is returned.
- */
- int (*delip_kernel) (struct ip_set *set,
- const struct sk_buff * skb,
- ip_set_ip_t *ip,
- const u_int32_t *flags,
- unsigned char index);
-
- /* new set creation - allocated type specific items
- */
- int (*create) (struct ip_set *set,
- const void *data, size_t size);
-
- /* retry the operation after successfully tweaking the set
- */
- int (*retry) (struct ip_set *set);
-
- /* set destruction - free type specific items
- * There is no return value.
- * Can be called only when child sets are destroyed.
- */
- void (*destroy) (struct ip_set *set);
-
- /* set flushing - reset all bits in the set, or something similar.
- * There is no return value.
- */
- void (*flush) (struct ip_set *set);
-
- /* Listing: size needed for header
- */
- size_t header_size;
-
- /* Listing: Get the header
- *
- * Fill in the information in "data".
- * This function is always run after list_header_size() under a
- * writelock on the set. Therefor is the length of "data" always
- * correct.
- */
- void (*list_header) (const struct ip_set *set,
- void *data);
-
- /* Listing: Get the size for the set members
- */
- int (*list_members_size) (const struct ip_set *set);
-
- /* Listing: Get the set members
- *
- * Fill in the information in "data".
- * This function is always run after list_member_size() under a
- * writelock on the set. Therefor is the length of "data" always
- * correct.
- */
- void (*list_members) (const struct ip_set *set,
- void *data);
-
- char typename[IP_SET_MAXNAMELEN];
- unsigned char features;
- int protocol_version;
-
- /* Set this to THIS_MODULE if you are a module, otherwise NULL */
- struct module *me;
-};
-
-extern int ip_set_register_set_type(struct ip_set_type *set_type);
-extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
-
-/* A generic ipset */
-struct ip_set {
- char name[IP_SET_MAXNAMELEN]; /* the name of the set */
- rwlock_t lock; /* lock for concurrency control */
- ip_set_id_t id; /* set id for swapping */
- ip_set_id_t binding; /* default binding for the set */
- atomic_t ref; /* in kernel and in hash references */
- struct ip_set_type *type; /* the set types */
- void *data; /* pooltype specific data */
-};
-
-/* Structure to bind set elements to sets */
-struct ip_set_hash {
- struct list_head list; /* list of clashing entries in hash */
- ip_set_ip_t ip; /* ip from set */
- ip_set_id_t id; /* set id */
- ip_set_id_t binding; /* set we bind the element to */
-};
-
-/* register and unregister set references */
-extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
-extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
-extern void ip_set_put(ip_set_id_t id);
-
-/* API for iptables set match, and SET target */
-extern void ip_set_addip_kernel(ip_set_id_t id,
- const struct sk_buff *skb,
- const u_int32_t *flags);
-extern void ip_set_delip_kernel(ip_set_id_t id,
- const struct sk_buff *skb,
- const u_int32_t *flags);
-extern int ip_set_testip_kernel(ip_set_id_t id,
- const struct sk_buff *skb,
- const u_int32_t *flags);
-
-#endif /* __KERNEL__ */
-
-#endif /*_IP_SET_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_set.h b/include/linux/netfilter_ipv4/ipt_set.h
deleted file mode 100644
index 2a18b93d..00000000
--- a/include/linux/netfilter_ipv4/ipt_set.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef _IPT_SET_H
-#define _IPT_SET_H
-
-#include <linux/netfilter_ipv4/ip_set.h>
-
-struct ipt_set_info {
- ip_set_id_t index;
- u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
-};
-
-/* match info */
-struct ipt_set_info_match {
- struct ipt_set_info match_set;
-};
-
-struct ipt_set_info_target {
- struct ipt_set_info add_set;
- struct ipt_set_info del_set;
-};
-
-#endif /*_IPT_SET_H*/
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 7430b392..f155b9d3 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -57,6 +57,7 @@
enum nf_ip6_hook_priorities {
NF_IP6_PRI_FIRST = INT_MIN,
NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
+ NF_IP6_PRI_RAW = -300,
NF_IP6_PRI_SELINUX_FIRST = -225,
NF_IP6_PRI_CONNTRACK = -200,
NF_IP6_PRI_MANGLE = -150,