UAPI: (Scripted) Disintegrate include/linux/netfilter
authorDavid Howells <dhowells@redhat.com>
Tue, 9 Oct 2012 08:48:54 +0000 (09:48 +0100)
committerDavid Howells <dhowells@redhat.com>
Tue, 9 Oct 2012 08:48:54 +0000 (09:48 +0100)
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Dave Jones <davej@redhat.com>
154 files changed:
include/linux/netfilter/Kbuild
include/linux/netfilter/nf_conntrack_common.h
include/linux/netfilter/nf_conntrack_ftp.h
include/linux/netfilter/nf_conntrack_sctp.h [deleted file]
include/linux/netfilter/nf_conntrack_tcp.h
include/linux/netfilter/nf_conntrack_tuple_common.h [deleted file]
include/linux/netfilter/nf_nat.h [deleted file]
include/linux/netfilter/nfnetlink.h
include/linux/netfilter/nfnetlink_acct.h
include/linux/netfilter/nfnetlink_compat.h [deleted file]
include/linux/netfilter/nfnetlink_conntrack.h [deleted file]
include/linux/netfilter/nfnetlink_cthelper.h [deleted file]
include/linux/netfilter/nfnetlink_cttimeout.h [deleted file]
include/linux/netfilter/nfnetlink_log.h [deleted file]
include/linux/netfilter/nfnetlink_queue.h [deleted file]
include/linux/netfilter/x_tables.h
include/linux/netfilter/xt_AUDIT.h [deleted file]
include/linux/netfilter/xt_CHECKSUM.h [deleted file]
include/linux/netfilter/xt_CLASSIFY.h [deleted file]
include/linux/netfilter/xt_CONNMARK.h [deleted file]
include/linux/netfilter/xt_CONNSECMARK.h [deleted file]
include/linux/netfilter/xt_CT.h [deleted file]
include/linux/netfilter/xt_DSCP.h [deleted file]
include/linux/netfilter/xt_IDLETIMER.h [deleted file]
include/linux/netfilter/xt_LED.h [deleted file]
include/linux/netfilter/xt_LOG.h [deleted file]
include/linux/netfilter/xt_MARK.h [deleted file]
include/linux/netfilter/xt_NFLOG.h [deleted file]
include/linux/netfilter/xt_NFQUEUE.h [deleted file]
include/linux/netfilter/xt_RATEEST.h [deleted file]
include/linux/netfilter/xt_SECMARK.h [deleted file]
include/linux/netfilter/xt_TCPMSS.h [deleted file]
include/linux/netfilter/xt_TCPOPTSTRIP.h [deleted file]
include/linux/netfilter/xt_TEE.h [deleted file]
include/linux/netfilter/xt_TPROXY.h [deleted file]
include/linux/netfilter/xt_addrtype.h [deleted file]
include/linux/netfilter/xt_cluster.h [deleted file]
include/linux/netfilter/xt_comment.h [deleted file]
include/linux/netfilter/xt_connbytes.h [deleted file]
include/linux/netfilter/xt_connlimit.h [deleted file]
include/linux/netfilter/xt_connmark.h [deleted file]
include/linux/netfilter/xt_conntrack.h [deleted file]
include/linux/netfilter/xt_cpu.h [deleted file]
include/linux/netfilter/xt_dccp.h [deleted file]
include/linux/netfilter/xt_devgroup.h [deleted file]
include/linux/netfilter/xt_dscp.h [deleted file]
include/linux/netfilter/xt_ecn.h [deleted file]
include/linux/netfilter/xt_esp.h [deleted file]
include/linux/netfilter/xt_hashlimit.h
include/linux/netfilter/xt_helper.h [deleted file]
include/linux/netfilter/xt_iprange.h [deleted file]
include/linux/netfilter/xt_ipvs.h [deleted file]
include/linux/netfilter/xt_length.h [deleted file]
include/linux/netfilter/xt_limit.h [deleted file]
include/linux/netfilter/xt_mac.h [deleted file]
include/linux/netfilter/xt_mark.h [deleted file]
include/linux/netfilter/xt_multiport.h [deleted file]
include/linux/netfilter/xt_nfacct.h [deleted file]
include/linux/netfilter/xt_osf.h [deleted file]
include/linux/netfilter/xt_owner.h [deleted file]
include/linux/netfilter/xt_physdev.h
include/linux/netfilter/xt_pkttype.h [deleted file]
include/linux/netfilter/xt_policy.h [deleted file]
include/linux/netfilter/xt_quota.h [deleted file]
include/linux/netfilter/xt_rateest.h [deleted file]
include/linux/netfilter/xt_realm.h [deleted file]
include/linux/netfilter/xt_recent.h [deleted file]
include/linux/netfilter/xt_sctp.h [deleted file]
include/linux/netfilter/xt_set.h [deleted file]
include/linux/netfilter/xt_socket.h [deleted file]
include/linux/netfilter/xt_state.h [deleted file]
include/linux/netfilter/xt_statistic.h [deleted file]
include/linux/netfilter/xt_string.h [deleted file]
include/linux/netfilter/xt_tcpmss.h [deleted file]
include/linux/netfilter/xt_tcpudp.h [deleted file]
include/linux/netfilter/xt_time.h [deleted file]
include/linux/netfilter/xt_u32.h [deleted file]
include/uapi/linux/netfilter/Kbuild
include/uapi/linux/netfilter/nf_conntrack_common.h [new file with mode: 0644]
include/uapi/linux/netfilter/nf_conntrack_ftp.h [new file with mode: 0644]
include/uapi/linux/netfilter/nf_conntrack_sctp.h [new file with mode: 0644]
include/uapi/linux/netfilter/nf_conntrack_tcp.h [new file with mode: 0644]
include/uapi/linux/netfilter/nf_conntrack_tuple_common.h [new file with mode: 0644]
include/uapi/linux/netfilter/nf_nat.h [new file with mode: 0644]
include/uapi/linux/netfilter/nfnetlink.h [new file with mode: 0644]
include/uapi/linux/netfilter/nfnetlink_acct.h [new file with mode: 0644]
include/uapi/linux/netfilter/nfnetlink_compat.h [new file with mode: 0644]
include/uapi/linux/netfilter/nfnetlink_conntrack.h [new file with mode: 0644]
include/uapi/linux/netfilter/nfnetlink_cthelper.h [new file with mode: 0644]
include/uapi/linux/netfilter/nfnetlink_cttimeout.h [new file with mode: 0644]
include/uapi/linux/netfilter/nfnetlink_log.h [new file with mode: 0644]
include/uapi/linux/netfilter/nfnetlink_queue.h [new file with mode: 0644]
include/uapi/linux/netfilter/x_tables.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_AUDIT.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_CHECKSUM.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_CLASSIFY.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_CONNMARK.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_CONNSECMARK.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_CT.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_DSCP.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_IDLETIMER.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_LED.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_LOG.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_MARK.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_NFLOG.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_NFQUEUE.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_RATEEST.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_SECMARK.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_TCPMSS.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_TEE.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_TPROXY.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_addrtype.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_cluster.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_comment.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_connbytes.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_connlimit.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_connmark.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_conntrack.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_cpu.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_dccp.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_devgroup.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_dscp.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_ecn.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_esp.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_hashlimit.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_helper.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_iprange.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_ipvs.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_length.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_limit.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_mac.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_mark.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_multiport.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_nfacct.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_osf.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_owner.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_physdev.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_pkttype.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_policy.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_quota.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_rateest.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_realm.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_recent.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_sctp.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_set.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_socket.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_state.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_statistic.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_string.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_tcpmss.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_tcpudp.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_time.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_u32.h [new file with mode: 0644]

index 874ae8f..b332202 100644 (file)
@@ -1,78 +1 @@
 header-y += ipset/
-
-header-y += nf_conntrack_common.h
-header-y += nf_conntrack_ftp.h
-header-y += nf_conntrack_sctp.h
-header-y += nf_conntrack_tcp.h
-header-y += nf_conntrack_tuple_common.h
-header-y += nf_nat.h
-header-y += nfnetlink.h
-header-y += nfnetlink_acct.h
-header-y += nfnetlink_compat.h
-header-y += nfnetlink_conntrack.h
-header-y += nfnetlink_cthelper.h
-header-y += nfnetlink_cttimeout.h
-header-y += nfnetlink_log.h
-header-y += nfnetlink_queue.h
-header-y += x_tables.h
-header-y += xt_AUDIT.h
-header-y += xt_CHECKSUM.h
-header-y += xt_CLASSIFY.h
-header-y += xt_CONNMARK.h
-header-y += xt_CONNSECMARK.h
-header-y += xt_CT.h
-header-y += xt_DSCP.h
-header-y += xt_IDLETIMER.h
-header-y += xt_LED.h
-header-y += xt_LOG.h
-header-y += xt_MARK.h
-header-y += xt_nfacct.h
-header-y += xt_NFLOG.h
-header-y += xt_NFQUEUE.h
-header-y += xt_RATEEST.h
-header-y += xt_SECMARK.h
-header-y += xt_TCPMSS.h
-header-y += xt_TCPOPTSTRIP.h
-header-y += xt_TEE.h
-header-y += xt_TPROXY.h
-header-y += xt_addrtype.h
-header-y += xt_cluster.h
-header-y += xt_comment.h
-header-y += xt_connbytes.h
-header-y += xt_connlimit.h
-header-y += xt_connmark.h
-header-y += xt_conntrack.h
-header-y += xt_cpu.h
-header-y += xt_dccp.h
-header-y += xt_devgroup.h
-header-y += xt_dscp.h
-header-y += xt_ecn.h
-header-y += xt_esp.h
-header-y += xt_hashlimit.h
-header-y += xt_helper.h
-header-y += xt_iprange.h
-header-y += xt_ipvs.h
-header-y += xt_length.h
-header-y += xt_limit.h
-header-y += xt_mac.h
-header-y += xt_mark.h
-header-y += xt_multiport.h
-header-y += xt_osf.h
-header-y += xt_owner.h
-header-y += xt_physdev.h
-header-y += xt_pkttype.h
-header-y += xt_policy.h
-header-y += xt_quota.h
-header-y += xt_rateest.h
-header-y += xt_realm.h
-header-y += xt_recent.h
-header-y += xt_set.h
-header-y += xt_sctp.h
-header-y += xt_socket.h
-header-y += xt_state.h
-header-y += xt_statistic.h
-header-y += xt_string.h
-header-y += xt_tcpmss.h
-header-y += xt_tcpudp.h
-header-y += xt_time.h
-header-y += xt_u32.h
index d146872..127d0b9 100644 (file)
@@ -1,119 +1,8 @@
 #ifndef _NF_CONNTRACK_COMMON_H
 #define _NF_CONNTRACK_COMMON_H
-/* Connection state tracking for netfilter.  This is separated from,
-   but required by, the NAT layer; it can also be used by an iptables
-   extension. */
-enum ip_conntrack_info {
-       /* Part of an established connection (either direction). */
-       IP_CT_ESTABLISHED,
 
-       /* Like NEW, but related to an existing connection, or ICMP error
-          (in either direction). */
-       IP_CT_RELATED,
+#include <uapi/linux/netfilter/nf_conntrack_common.h>
 
-       /* Started a new connection to track (only
-           IP_CT_DIR_ORIGINAL); may be a retransmission. */
-       IP_CT_NEW,
-
-       /* >= this indicates reply direction */
-       IP_CT_IS_REPLY,
-
-       IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
-       IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
-       IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,   
-       /* Number of distinct IP_CT types (no NEW in reply dirn). */
-       IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
-};
-
-/* Bitset representing status of connection. */
-enum ip_conntrack_status {
-       /* It's an expected connection: bit 0 set.  This bit never changed */
-       IPS_EXPECTED_BIT = 0,
-       IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
-
-       /* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
-       IPS_SEEN_REPLY_BIT = 1,
-       IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
-
-       /* Conntrack should never be early-expired. */
-       IPS_ASSURED_BIT = 2,
-       IPS_ASSURED = (1 << IPS_ASSURED_BIT),
-
-       /* Connection is confirmed: originating packet has left box */
-       IPS_CONFIRMED_BIT = 3,
-       IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
-
-       /* Connection needs src nat in orig dir.  This bit never changed. */
-       IPS_SRC_NAT_BIT = 4,
-       IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
-
-       /* Connection needs dst nat in orig dir.  This bit never changed. */
-       IPS_DST_NAT_BIT = 5,
-       IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
-
-       /* Both together. */
-       IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
-
-       /* Connection needs TCP sequence adjusted. */
-       IPS_SEQ_ADJUST_BIT = 6,
-       IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
-
-       /* NAT initialization bits. */
-       IPS_SRC_NAT_DONE_BIT = 7,
-       IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
-
-       IPS_DST_NAT_DONE_BIT = 8,
-       IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
-
-       /* Both together */
-       IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
-
-       /* Connection is dying (removed from lists), can not be unset. */
-       IPS_DYING_BIT = 9,
-       IPS_DYING = (1 << IPS_DYING_BIT),
-
-       /* Connection has fixed timeout. */
-       IPS_FIXED_TIMEOUT_BIT = 10,
-       IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
-
-       /* Conntrack is a template */
-       IPS_TEMPLATE_BIT = 11,
-       IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
-
-       /* Conntrack is a fake untracked entry */
-       IPS_UNTRACKED_BIT = 12,
-       IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
-
-       /* Conntrack got a helper explicitly attached via CT target. */
-       IPS_HELPER_BIT = 13,
-       IPS_HELPER = (1 << IPS_HELPER_BIT),
-};
-
-/* Connection tracking event types */
-enum ip_conntrack_events {
-       IPCT_NEW,               /* new conntrack */
-       IPCT_RELATED,           /* related conntrack */
-       IPCT_DESTROY,           /* destroyed conntrack */
-       IPCT_REPLY,             /* connection has seen two-way traffic */
-       IPCT_ASSURED,           /* connection status has changed to assured */
-       IPCT_PROTOINFO,         /* protocol information has changed */
-       IPCT_HELPER,            /* new helper has been set */
-       IPCT_MARK,              /* new mark has been set */
-       IPCT_NATSEQADJ,         /* NAT is doing sequence adjustment */
-       IPCT_SECMARK,           /* new security mark has been set */
-};
-
-enum ip_conntrack_expect_events {
-       IPEXP_NEW,              /* new expectation */
-       IPEXP_DESTROY,          /* destroyed expectation */
-};
-
-/* expectation flags */
-#define NF_CT_EXPECT_PERMANENT         0x1
-#define NF_CT_EXPECT_INACTIVE          0x2
-#define NF_CT_EXPECT_USERSPACE         0x4
-
-#ifdef __KERNEL__
 struct ip_conntrack_stat {
        unsigned int searched;
        unsigned int found;
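Review bot: Nothing on the new side of this header tells a reader that the enums and `NF_CT_EXPECT_*` flags it used to define are now userspace ABI (the file was under `header-y` in the Kbuild hunk above and the definitions now come from `#include <uapi/linux/netfilter/nf_conntrack_common.h>`), so bit numbers such as `IPS_*_BIT` and the `IPCT_*` ordering can no longer be shuffled freely. I would add a comment directly under the include: `/* ip_conntrack_info/status/events and NF_CT_EXPECT_* are userspace ABI and live in the uapi header; only kernel-private state belongs here. */`. The same comment can record that the `#ifdef __KERNEL__` guard around `struct ip_conntrack_stat` was dropped because this header is no longer exported, so nobody re-adds the guard or a `header-y` entry for it later. `struct ip_conntrack_stat` continues past the end of the hunk.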
@@ -136,6 +25,4 @@ struct ip_conntrack_stat {
 /* call to create an explicit dependency on nf_conntrack. */
 extern void need_conntrack(void);
 
-#endif /* __KERNEL__ */
-
 #endif /* _NF_CONNTRACK_COMMON_H */
index 8faf3f7..5f818b0 100644 (file)
@@ -1,20 +1,8 @@
 #ifndef _NF_CONNTRACK_FTP_H
 #define _NF_CONNTRACK_FTP_H
-/* FTP tracking. */
 
-/* This enum is exposed to userspace */
-enum nf_ct_ftp_type {
-       /* PORT command from client */
-       NF_CT_FTP_PORT,
-       /* PASV response from server */
-       NF_CT_FTP_PASV,
-       /* EPRT command from client */
-       NF_CT_FTP_EPRT,
-       /* EPSV response from server */
-       NF_CT_FTP_EPSV,
-};
+#include <uapi/linux/netfilter/nf_conntrack_ftp.h>
 
-#ifdef __KERNEL__
 
 #define FTP_PORT       21
 
@@ -42,6 +30,4 @@ extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb,
                                       unsigned int matchoff,
                                       unsigned int matchlen,
                                       struct nf_conntrack_expect *exp);
-#endif /* __KERNEL__ */
-
 #endif /* _NF_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h
deleted file mode 100644 (file)
index ceeefe6..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef _NF_CONNTRACK_SCTP_H
-#define _NF_CONNTRACK_SCTP_H
-/* SCTP tracking. */
-
-#include <linux/netfilter/nf_conntrack_tuple_common.h>
-
-enum sctp_conntrack {
-       SCTP_CONNTRACK_NONE,
-       SCTP_CONNTRACK_CLOSED,
-       SCTP_CONNTRACK_COOKIE_WAIT,
-       SCTP_CONNTRACK_COOKIE_ECHOED,
-       SCTP_CONNTRACK_ESTABLISHED,
-       SCTP_CONNTRACK_SHUTDOWN_SENT,
-       SCTP_CONNTRACK_SHUTDOWN_RECD,
-       SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
-       SCTP_CONNTRACK_MAX
-};
-
-struct ip_ct_sctp {
-       enum sctp_conntrack state;
-
-       __be32 vtag[IP_CT_DIR_MAX];
-};
-
-#endif /* _NF_CONNTRACK_SCTP_H */
index e59868a..22db961 100644 (file)
@@ -1,53 +1,8 @@
 #ifndef _NF_CONNTRACK_TCP_H
 #define _NF_CONNTRACK_TCP_H
-/* TCP tracking. */
 
-#include <linux/types.h>
+#include <uapi/linux/netfilter/nf_conntrack_tcp.h>
 
-/* This is exposed to userspace (ctnetlink) */
-enum tcp_conntrack {
-       TCP_CONNTRACK_NONE,
-       TCP_CONNTRACK_SYN_SENT,
-       TCP_CONNTRACK_SYN_RECV,
-       TCP_CONNTRACK_ESTABLISHED,
-       TCP_CONNTRACK_FIN_WAIT,
-       TCP_CONNTRACK_CLOSE_WAIT,
-       TCP_CONNTRACK_LAST_ACK,
-       TCP_CONNTRACK_TIME_WAIT,
-       TCP_CONNTRACK_CLOSE,
-       TCP_CONNTRACK_LISTEN,   /* obsolete */
-#define TCP_CONNTRACK_SYN_SENT2        TCP_CONNTRACK_LISTEN
-       TCP_CONNTRACK_MAX,
-       TCP_CONNTRACK_IGNORE,
-       TCP_CONNTRACK_RETRANS,
-       TCP_CONNTRACK_UNACK,
-       TCP_CONNTRACK_TIMEOUT_MAX
-};
-
-/* Window scaling is advertised by the sender */
-#define IP_CT_TCP_FLAG_WINDOW_SCALE            0x01
-
-/* SACK is permitted by the sender */
-#define IP_CT_TCP_FLAG_SACK_PERM               0x02
-
-/* This sender sent FIN first */
-#define IP_CT_TCP_FLAG_CLOSE_INIT              0x04
-
-/* Be liberal in window checking */
-#define IP_CT_TCP_FLAG_BE_LIBERAL              0x08
-
-/* Has unacknowledged data */
-#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED     0x10
-
-/* The field td_maxack has been set */
-#define IP_CT_TCP_FLAG_MAXACK_SET              0x20
-
-struct nf_ct_tcp_flags {
-       __u8 flags;
-       __u8 mask;
-};
-
-#ifdef __KERNEL__
 
 struct ip_ct_tcp_state {
        u_int32_t       td_end;         /* max of seq + len */
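Review bot: The kernel-side `struct ip_ct_tcp_state` that begins on the last line of this hunk still uses `u_int32_t` (and `u_int8_t` further down, outside the hunk), yet the hunk drops this header's own `#include <linux/types.h>` and now gets those typedefs only transitively through the uapi include. The scripted split presumably carried the include into uapi/linux/netfilter/nf_conntrack_tcp.h because it sat in the userspace-visible part of the file, but that file is not visible here and the dependency is implicit either way. I would keep `#include <linux/types.h>` immediately before `#include <uapi/linux/netfilter/nf_conntrack_tcp.h>` so the kernel-only struct does not rely on the ABI header's include list. The struct definition continues beyond the hunk.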
@@ -74,6 +29,4 @@ struct ip_ct_tcp {
        u_int8_t        last_flags;     /* Last flags set */
 };
 
-#endif /* __KERNEL__ */
-
 #endif /* _NF_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h
deleted file mode 100644 (file)
index 2f6bbc5..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
-#define _NF_CONNTRACK_TUPLE_COMMON_H
-
-enum ip_conntrack_dir {
-       IP_CT_DIR_ORIGINAL,
-       IP_CT_DIR_REPLY,
-       IP_CT_DIR_MAX
-};
-
-/* The protocol-specific manipulable parts of the tuple: always in
- * network order
- */
-union nf_conntrack_man_proto {
-       /* Add other protocols here. */
-       __be16 all;
-
-       struct {
-               __be16 port;
-       } tcp;
-       struct {
-               __be16 port;
-       } udp;
-       struct {
-               __be16 id;
-       } icmp;
-       struct {
-               __be16 port;
-       } dccp;
-       struct {
-               __be16 port;
-       } sctp;
-       struct {
-               __be16 key;     /* GRE key is 32bit, PPtP only uses 16bit */
-       } gre;
-};
-
-#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
-
-#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
diff --git a/include/linux/netfilter/nf_nat.h b/include/linux/netfilter/nf_nat.h
deleted file mode 100644 (file)
index bf0cc37..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-#ifndef _NETFILTER_NF_NAT_H
-#define _NETFILTER_NF_NAT_H
-
-#include <linux/netfilter.h>
-#include <linux/netfilter/nf_conntrack_tuple_common.h>
-
-#define NF_NAT_RANGE_MAP_IPS           1
-#define NF_NAT_RANGE_PROTO_SPECIFIED   2
-#define NF_NAT_RANGE_PROTO_RANDOM      4
-#define NF_NAT_RANGE_PERSISTENT                8
-
-struct nf_nat_ipv4_range {
-       unsigned int                    flags;
-       __be32                          min_ip;
-       __be32                          max_ip;
-       union nf_conntrack_man_proto    min;
-       union nf_conntrack_man_proto    max;
-};
-
-struct nf_nat_ipv4_multi_range_compat {
-       unsigned int                    rangesize;
-       struct nf_nat_ipv4_range        range[1];
-};
-
-struct nf_nat_range {
-       unsigned int                    flags;
-       union nf_inet_addr              min_addr;
-       union nf_inet_addr              max_addr;
-       union nf_conntrack_man_proto    min_proto;
-       union nf_conntrack_man_proto    max_proto;
-};
-
-#endif /* _NETFILTER_NF_NAT_H */
index 18341cd..4966dde 100644 (file)
@@ -1,63 +1,11 @@
 #ifndef _NFNETLINK_H
 #define _NFNETLINK_H
-#include <linux/types.h>
-#include <linux/netfilter/nfnetlink_compat.h>
 
-enum nfnetlink_groups {
-       NFNLGRP_NONE,
-#define NFNLGRP_NONE                   NFNLGRP_NONE
-       NFNLGRP_CONNTRACK_NEW,
-#define NFNLGRP_CONNTRACK_NEW          NFNLGRP_CONNTRACK_NEW
-       NFNLGRP_CONNTRACK_UPDATE,
-#define NFNLGRP_CONNTRACK_UPDATE       NFNLGRP_CONNTRACK_UPDATE
-       NFNLGRP_CONNTRACK_DESTROY,
-#define NFNLGRP_CONNTRACK_DESTROY      NFNLGRP_CONNTRACK_DESTROY
-       NFNLGRP_CONNTRACK_EXP_NEW,
-#define        NFNLGRP_CONNTRACK_EXP_NEW       NFNLGRP_CONNTRACK_EXP_NEW
-       NFNLGRP_CONNTRACK_EXP_UPDATE,
-#define NFNLGRP_CONNTRACK_EXP_UPDATE   NFNLGRP_CONNTRACK_EXP_UPDATE
-       NFNLGRP_CONNTRACK_EXP_DESTROY,
-#define NFNLGRP_CONNTRACK_EXP_DESTROY  NFNLGRP_CONNTRACK_EXP_DESTROY
-       __NFNLGRP_MAX,
-};
-#define NFNLGRP_MAX    (__NFNLGRP_MAX - 1)
-
-/* General form of address family dependent message.
- */
-struct nfgenmsg {
-       __u8  nfgen_family;             /* AF_xxx */
-       __u8  version;          /* nfnetlink version */
-       __be16    res_id;               /* resource id */
-};
-
-#define NFNETLINK_V0   0
-
-/* netfilter netlink message types are split in two pieces:
- * 8 bit subsystem, 8bit operation.
- */
-
-#define NFNL_SUBSYS_ID(x)      ((x & 0xff00) >> 8)
-#define NFNL_MSG_TYPE(x)       (x & 0x00ff)
-
-/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
- * won't work anymore */
-#define NFNL_SUBSYS_NONE               0
-#define NFNL_SUBSYS_CTNETLINK          1
-#define NFNL_SUBSYS_CTNETLINK_EXP      2
-#define NFNL_SUBSYS_QUEUE              3
-#define NFNL_SUBSYS_ULOG               4
-#define NFNL_SUBSYS_OSF                        5
-#define NFNL_SUBSYS_IPSET              6
-#define NFNL_SUBSYS_ACCT               7
-#define NFNL_SUBSYS_CTNETLINK_TIMEOUT  8
-#define NFNL_SUBSYS_CTHELPER           9
-#define NFNL_SUBSYS_COUNT              10
-
-#ifdef __KERNEL__
 
 #include <linux/netlink.h>
 #include <linux/capability.h>
 #include <net/netlink.h>
+#include <uapi/linux/netfilter/nfnetlink.h>
 
 struct nfnl_callback {
        int (*call)(struct sock *nl, struct sk_buff *skb, 
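Review bot: The `#include <uapi/linux/netfilter/nfnetlink.h>` line lands after the kernel includes here, whereas the other four modified headers in this commit put the uapi include directly after their include guard; it is harmless for `struct nfnl_callback`, whose `struct nlmsghdr` and `struct sk_buff` types come from `<linux/netlink.h>`, but it leaves this file as the one exception. I would move that line up to sit right after `#define _NFNETLINK_H`, leaving `<linux/netlink.h>`, `<linux/capability.h>` and `<net/netlink.h>` where they are. Dropping `#include <linux/netfilter/nfnetlink_compat.h>` from the kernel header is fine, since the deleted file below only carried `#ifndef __KERNEL__` material. `struct nfnl_callback` continues outside the hunk.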
@@ -92,5 +40,4 @@ extern void nfnl_unlock(void);
 #define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
        MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
 
-#endif /* __KERNEL__ */
 #endif /* _NFNETLINK_H */
index 7c4279b..bb4bbc9 100644 (file)
@@ -1,29 +1,8 @@
 #ifndef _NFNL_ACCT_H_
 #define _NFNL_ACCT_H_
 
-#ifndef NFACCT_NAME_MAX
-#define NFACCT_NAME_MAX                32
-#endif
+#include <uapi/linux/netfilter/nfnetlink_acct.h>
 
-enum nfnl_acct_msg_types {
-       NFNL_MSG_ACCT_NEW,
-       NFNL_MSG_ACCT_GET,
-       NFNL_MSG_ACCT_GET_CTRZERO,
-       NFNL_MSG_ACCT_DEL,
-       NFNL_MSG_ACCT_MAX
-};
-
-enum nfnl_acct_type {
-       NFACCT_UNSPEC,
-       NFACCT_NAME,
-       NFACCT_PKTS,
-       NFACCT_BYTES,
-       NFACCT_USE,
-       __NFACCT_MAX
-};
-#define NFACCT_MAX (__NFACCT_MAX - 1)
-
-#ifdef __KERNEL__
 
 struct nf_acct;
 
@@ -31,6 +10,4 @@ extern struct nf_acct *nfnl_acct_find_get(const char *filter_name);
 extern void nfnl_acct_put(struct nf_acct *acct);
 extern void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct);
 
-#endif /* __KERNEL__ */
-
 #endif /* _NFNL_ACCT_H */
diff --git a/include/linux/netfilter/nfnetlink_compat.h b/include/linux/netfilter/nfnetlink_compat.h
deleted file mode 100644 (file)
index ffb9503..0000000
+++ /dev/null
@@ -1,63 +0,0 @@
-#ifndef _NFNETLINK_COMPAT_H
-#define _NFNETLINK_COMPAT_H
-
-#include <linux/types.h>
-
-#ifndef __KERNEL__
-/* Old nfnetlink macros for userspace */
-
-/* nfnetlink groups: Up to 32 maximum */
-#define NF_NETLINK_CONNTRACK_NEW               0x00000001
-#define NF_NETLINK_CONNTRACK_UPDATE            0x00000002
-#define NF_NETLINK_CONNTRACK_DESTROY           0x00000004
-#define NF_NETLINK_CONNTRACK_EXP_NEW           0x00000008
-#define NF_NETLINK_CONNTRACK_EXP_UPDATE                0x00000010
-#define NF_NETLINK_CONNTRACK_EXP_DESTROY       0x00000020
-
-/* Generic structure for encapsulation optional netfilter information.
- * It is reminiscent of sockaddr, but with sa_family replaced
- * with attribute type.
- * ! This should someday be put somewhere generic as now rtnetlink and
- * ! nfnetlink use the same attributes methods. - J. Schulist.
- */
-
-struct nfattr {
-       __u16 nfa_len;
-       __u16 nfa_type; /* we use 15 bits for the type, and the highest
-                                * bit to indicate whether the payload is nested */
-};
-
-/* FIXME: Apart from NFNL_NFA_NESTED shamelessly copy and pasted from
- * rtnetlink.h, it's time to put this in a generic file */
-
-#define NFNL_NFA_NEST  0x8000
-#define NFA_TYPE(attr)         ((attr)->nfa_type & 0x7fff)
-
-#define NFA_ALIGNTO     4
-#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
-#define NFA_OK(nfa,len)        ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
-       && (nfa)->nfa_len <= (len))
-#define NFA_NEXT(nfa,attrlen)  ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
-       (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
-#define NFA_LENGTH(len)        (NFA_ALIGN(sizeof(struct nfattr)) + (len))
-#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
-#define NFA_DATA(nfa)   ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
-#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
-#define NFA_NEST(skb, type) \
-({     struct nfattr *__start = (struct nfattr *)skb_tail_pointer(skb); \
-       NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \
-       __start;  })
-#define NFA_NEST_END(skb, start) \
-({      (start)->nfa_len = skb_tail_pointer(skb) - (unsigned char *)(start); \
-        (skb)->len; })
-#define NFA_NEST_CANCEL(skb, start) \
-({      if (start) \
-                skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
-        -1; })
-
-#define NFM_NFA(n)      ((struct nfattr *)(((char *)(n)) \
-        + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
-#define NFM_PAYLOAD(n)  NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
-
-#endif /* ! __KERNEL__ */
-#endif /* _NFNETLINK_COMPAT_H */
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
deleted file mode 100644 (file)
index 43bfe3e..0000000
+++ /dev/null
@@ -1,248 +0,0 @@
-#ifndef _IPCONNTRACK_NETLINK_H
-#define _IPCONNTRACK_NETLINK_H
-#include <linux/netfilter/nfnetlink.h>
-
-enum cntl_msg_types {
-       IPCTNL_MSG_CT_NEW,
-       IPCTNL_MSG_CT_GET,
-       IPCTNL_MSG_CT_DELETE,
-       IPCTNL_MSG_CT_GET_CTRZERO,
-       IPCTNL_MSG_CT_GET_STATS_CPU,
-       IPCTNL_MSG_CT_GET_STATS,
-
-       IPCTNL_MSG_MAX
-};
-
-enum ctnl_exp_msg_types {
-       IPCTNL_MSG_EXP_NEW,
-       IPCTNL_MSG_EXP_GET,
-       IPCTNL_MSG_EXP_DELETE,
-       IPCTNL_MSG_EXP_GET_STATS_CPU,
-
-       IPCTNL_MSG_EXP_MAX
-};
-
-
-enum ctattr_type {
-       CTA_UNSPEC,
-       CTA_TUPLE_ORIG,
-       CTA_TUPLE_REPLY,
-       CTA_STATUS,
-       CTA_PROTOINFO,
-       CTA_HELP,
-       CTA_NAT_SRC,
-#define CTA_NAT        CTA_NAT_SRC     /* backwards compatibility */
-       CTA_TIMEOUT,
-       CTA_MARK,
-       CTA_COUNTERS_ORIG,
-       CTA_COUNTERS_REPLY,
-       CTA_USE,
-       CTA_ID,
-       CTA_NAT_DST,
-       CTA_TUPLE_MASTER,
-       CTA_NAT_SEQ_ADJ_ORIG,
-       CTA_NAT_SEQ_ADJ_REPLY,
-       CTA_SECMARK,            /* obsolete */
-       CTA_ZONE,
-       CTA_SECCTX,
-       CTA_TIMESTAMP,
-       CTA_MARK_MASK,
-       __CTA_MAX
-};
-#define CTA_MAX (__CTA_MAX - 1)
-
-enum ctattr_tuple {
-       CTA_TUPLE_UNSPEC,
-       CTA_TUPLE_IP,
-       CTA_TUPLE_PROTO,
-       __CTA_TUPLE_MAX
-};
-#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)
-
-enum ctattr_ip {
-       CTA_IP_UNSPEC,
-       CTA_IP_V4_SRC,
-       CTA_IP_V4_DST,
-       CTA_IP_V6_SRC,
-       CTA_IP_V6_DST,
-       __CTA_IP_MAX
-};
-#define CTA_IP_MAX (__CTA_IP_MAX - 1)
-
-enum ctattr_l4proto {
-       CTA_PROTO_UNSPEC,
-       CTA_PROTO_NUM,
-       CTA_PROTO_SRC_PORT,
-       CTA_PROTO_DST_PORT,
-       CTA_PROTO_ICMP_ID,
-       CTA_PROTO_ICMP_TYPE,
-       CTA_PROTO_ICMP_CODE,
-       CTA_PROTO_ICMPV6_ID,
-       CTA_PROTO_ICMPV6_TYPE,
-       CTA_PROTO_ICMPV6_CODE,
-       __CTA_PROTO_MAX
-};
-#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)
-
-enum ctattr_protoinfo {
-       CTA_PROTOINFO_UNSPEC,
-       CTA_PROTOINFO_TCP,
-       CTA_PROTOINFO_DCCP,
-       CTA_PROTOINFO_SCTP,
-       __CTA_PROTOINFO_MAX
-};
-#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
-
-enum ctattr_protoinfo_tcp {
-       CTA_PROTOINFO_TCP_UNSPEC,
-       CTA_PROTOINFO_TCP_STATE,
-       CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
-       CTA_PROTOINFO_TCP_WSCALE_REPLY,
-       CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
-       CTA_PROTOINFO_TCP_FLAGS_REPLY,
-       __CTA_PROTOINFO_TCP_MAX
-};
-#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1)
-
-enum ctattr_protoinfo_dccp {
-       CTA_PROTOINFO_DCCP_UNSPEC,
-       CTA_PROTOINFO_DCCP_STATE,
-       CTA_PROTOINFO_DCCP_ROLE,
-       CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
-       __CTA_PROTOINFO_DCCP_MAX,
-};
-#define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
-
-enum ctattr_protoinfo_sctp {
-       CTA_PROTOINFO_SCTP_UNSPEC,
-       CTA_PROTOINFO_SCTP_STATE,
-       CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
-       CTA_PROTOINFO_SCTP_VTAG_REPLY,
-       __CTA_PROTOINFO_SCTP_MAX
-};
-#define CTA_PROTOINFO_SCTP_MAX (__CTA_PROTOINFO_SCTP_MAX - 1)
-
-enum ctattr_counters {
-       CTA_COUNTERS_UNSPEC,
-       CTA_COUNTERS_PACKETS,           /* 64bit counters */
-       CTA_COUNTERS_BYTES,             /* 64bit counters */
-       CTA_COUNTERS32_PACKETS,         /* old 32bit counters, unused */
-       CTA_COUNTERS32_BYTES,           /* old 32bit counters, unused */
-       __CTA_COUNTERS_MAX
-};
-#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
-
-enum ctattr_tstamp {
-       CTA_TIMESTAMP_UNSPEC,
-       CTA_TIMESTAMP_START,
-       CTA_TIMESTAMP_STOP,
-       __CTA_TIMESTAMP_MAX
-};
-#define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1)
-
-enum ctattr_nat {
-       CTA_NAT_UNSPEC,
-       CTA_NAT_V4_MINIP,
-#define CTA_NAT_MINIP CTA_NAT_V4_MINIP
-       CTA_NAT_V4_MAXIP,
-#define CTA_NAT_MAXIP CTA_NAT_V4_MAXIP
-       CTA_NAT_PROTO,
-       CTA_NAT_V6_MINIP,
-       CTA_NAT_V6_MAXIP,
-       __CTA_NAT_MAX
-};
-#define CTA_NAT_MAX (__CTA_NAT_MAX - 1)
-
-enum ctattr_protonat {
-       CTA_PROTONAT_UNSPEC,
-       CTA_PROTONAT_PORT_MIN,
-       CTA_PROTONAT_PORT_MAX,
-       __CTA_PROTONAT_MAX
-};
-#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1)
-
-enum ctattr_natseq {
-       CTA_NAT_SEQ_UNSPEC,
-       CTA_NAT_SEQ_CORRECTION_POS,
-       CTA_NAT_SEQ_OFFSET_BEFORE,
-       CTA_NAT_SEQ_OFFSET_AFTER,
-       __CTA_NAT_SEQ_MAX
-};
-#define CTA_NAT_SEQ_MAX (__CTA_NAT_SEQ_MAX - 1)
-
-enum ctattr_expect {
-       CTA_EXPECT_UNSPEC,
-       CTA_EXPECT_MASTER,
-       CTA_EXPECT_TUPLE,
-       CTA_EXPECT_MASK,
-       CTA_EXPECT_TIMEOUT,
-       CTA_EXPECT_ID,
-       CTA_EXPECT_HELP_NAME,
-       CTA_EXPECT_ZONE,
-       CTA_EXPECT_FLAGS,
-       CTA_EXPECT_CLASS,
-       CTA_EXPECT_NAT,
-       CTA_EXPECT_FN,
-       __CTA_EXPECT_MAX
-};
-#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
-
-enum ctattr_expect_nat {
-       CTA_EXPECT_NAT_UNSPEC,
-       CTA_EXPECT_NAT_DIR,
-       CTA_EXPECT_NAT_TUPLE,
-       __CTA_EXPECT_NAT_MAX
-};
-#define CTA_EXPECT_NAT_MAX (__CTA_EXPECT_NAT_MAX - 1)
-
-enum ctattr_help {
-       CTA_HELP_UNSPEC,
-       CTA_HELP_NAME,
-       CTA_HELP_INFO,
-       __CTA_HELP_MAX
-};
-#define CTA_HELP_MAX (__CTA_HELP_MAX - 1)
-
-enum ctattr_secctx {
-       CTA_SECCTX_UNSPEC,
-       CTA_SECCTX_NAME,
-       __CTA_SECCTX_MAX
-};
-#define CTA_SECCTX_MAX (__CTA_SECCTX_MAX - 1)
-
-enum ctattr_stats_cpu {
-       CTA_STATS_UNSPEC,
-       CTA_STATS_SEARCHED,
-       CTA_STATS_FOUND,
-       CTA_STATS_NEW,
-       CTA_STATS_INVALID,
-       CTA_STATS_IGNORE,
-       CTA_STATS_DELETE,
-       CTA_STATS_DELETE_LIST,
-       CTA_STATS_INSERT,
-       CTA_STATS_INSERT_FAILED,
-       CTA_STATS_DROP,
-       CTA_STATS_EARLY_DROP,
-       CTA_STATS_ERROR,
-       CTA_STATS_SEARCH_RESTART,
-       __CTA_STATS_MAX,
-};
-#define CTA_STATS_MAX (__CTA_STATS_MAX - 1)
-
-enum ctattr_stats_global {
-       CTA_STATS_GLOBAL_UNSPEC,
-       CTA_STATS_GLOBAL_ENTRIES,
-       __CTA_STATS_GLOBAL_MAX,
-};
-#define CTA_STATS_GLOBAL_MAX (__CTA_STATS_GLOBAL_MAX - 1)
-
-enum ctattr_expect_stats {
-       CTA_STATS_EXP_UNSPEC,
-       CTA_STATS_EXP_NEW,
-       CTA_STATS_EXP_CREATE,
-       CTA_STATS_EXP_DELETE,
-       __CTA_STATS_EXP_MAX,
-};
-#define CTA_STATS_EXP_MAX (__CTA_STATS_EXP_MAX - 1)
-
-#endif /* _IPCONNTRACK_NETLINK_H */
diff --git a/include/linux/netfilter/nfnetlink_cthelper.h b/include/linux/netfilter/nfnetlink_cthelper.h
deleted file mode 100644 (file)
index 33659f6..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
-#ifndef _NFNL_CTHELPER_H_
-#define _NFNL_CTHELPER_H_
-
-#define NFCT_HELPER_STATUS_DISABLED    0
-#define NFCT_HELPER_STATUS_ENABLED     1
-
-enum nfnl_acct_msg_types {
-       NFNL_MSG_CTHELPER_NEW,
-       NFNL_MSG_CTHELPER_GET,
-       NFNL_MSG_CTHELPER_DEL,
-       NFNL_MSG_CTHELPER_MAX
-};
-
-enum nfnl_cthelper_type {
-       NFCTH_UNSPEC,
-       NFCTH_NAME,
-       NFCTH_TUPLE,
-       NFCTH_QUEUE_NUM,
-       NFCTH_POLICY,
-       NFCTH_PRIV_DATA_LEN,
-       NFCTH_STATUS,
-       __NFCTH_MAX
-};
-#define NFCTH_MAX (__NFCTH_MAX - 1)
-
-enum nfnl_cthelper_policy_type {
-       NFCTH_POLICY_SET_UNSPEC,
-       NFCTH_POLICY_SET_NUM,
-       NFCTH_POLICY_SET,
-       NFCTH_POLICY_SET1       = NFCTH_POLICY_SET,
-       NFCTH_POLICY_SET2,
-       NFCTH_POLICY_SET3,
-       NFCTH_POLICY_SET4,
-       __NFCTH_POLICY_SET_MAX
-};
-#define NFCTH_POLICY_SET_MAX (__NFCTH_POLICY_SET_MAX - 1)
-
-enum nfnl_cthelper_pol_type {
-       NFCTH_POLICY_UNSPEC,
-       NFCTH_POLICY_NAME,
-       NFCTH_POLICY_EXPECT_MAX,
-       NFCTH_POLICY_EXPECT_TIMEOUT,
-       __NFCTH_POLICY_MAX
-};
-#define NFCTH_POLICY_MAX (__NFCTH_POLICY_MAX - 1)
-
-enum nfnl_cthelper_tuple_type {
-       NFCTH_TUPLE_UNSPEC,
-       NFCTH_TUPLE_L3PROTONUM,
-       NFCTH_TUPLE_L4PROTONUM,
-       __NFCTH_TUPLE_MAX,
-};
-#define NFCTH_TUPLE_MAX (__NFCTH_TUPLE_MAX - 1)
-
-#endif /* _NFNL_CTHELPER_H */
diff --git a/include/linux/netfilter/nfnetlink_cttimeout.h b/include/linux/netfilter/nfnetlink_cttimeout.h
deleted file mode 100644 (file)
index a2810a7..0000000
+++ /dev/null
@@ -1,114 +0,0 @@
-#ifndef _CTTIMEOUT_NETLINK_H
-#define _CTTIMEOUT_NETLINK_H
-#include <linux/netfilter/nfnetlink.h>
-
-enum ctnl_timeout_msg_types {
-       IPCTNL_MSG_TIMEOUT_NEW,
-       IPCTNL_MSG_TIMEOUT_GET,
-       IPCTNL_MSG_TIMEOUT_DELETE,
-
-       IPCTNL_MSG_TIMEOUT_MAX
-};
-
-enum ctattr_timeout {
-       CTA_TIMEOUT_UNSPEC,
-       CTA_TIMEOUT_NAME,
-       CTA_TIMEOUT_L3PROTO,
-       CTA_TIMEOUT_L4PROTO,
-       CTA_TIMEOUT_DATA,
-       CTA_TIMEOUT_USE,
-       __CTA_TIMEOUT_MAX
-};
-#define CTA_TIMEOUT_MAX (__CTA_TIMEOUT_MAX - 1)
-
-enum ctattr_timeout_generic {
-       CTA_TIMEOUT_GENERIC_UNSPEC,
-       CTA_TIMEOUT_GENERIC_TIMEOUT,
-       __CTA_TIMEOUT_GENERIC_MAX
-};
-#define CTA_TIMEOUT_GENERIC_MAX (__CTA_TIMEOUT_GENERIC_MAX - 1)
-
-enum ctattr_timeout_tcp {
-       CTA_TIMEOUT_TCP_UNSPEC,
-       CTA_TIMEOUT_TCP_SYN_SENT,
-       CTA_TIMEOUT_TCP_SYN_RECV,
-       CTA_TIMEOUT_TCP_ESTABLISHED,
-       CTA_TIMEOUT_TCP_FIN_WAIT,
-       CTA_TIMEOUT_TCP_CLOSE_WAIT,
-       CTA_TIMEOUT_TCP_LAST_ACK,
-       CTA_TIMEOUT_TCP_TIME_WAIT,
-       CTA_TIMEOUT_TCP_CLOSE,
-       CTA_TIMEOUT_TCP_SYN_SENT2,
-       CTA_TIMEOUT_TCP_RETRANS,
-       CTA_TIMEOUT_TCP_UNACK,
-       __CTA_TIMEOUT_TCP_MAX
-};
-#define CTA_TIMEOUT_TCP_MAX (__CTA_TIMEOUT_TCP_MAX - 1)
-
-enum ctattr_timeout_udp {
-       CTA_TIMEOUT_UDP_UNSPEC,
-       CTA_TIMEOUT_UDP_UNREPLIED,
-       CTA_TIMEOUT_UDP_REPLIED,
-       __CTA_TIMEOUT_UDP_MAX
-};
-#define CTA_TIMEOUT_UDP_MAX (__CTA_TIMEOUT_UDP_MAX - 1)
-
-enum ctattr_timeout_udplite {
-       CTA_TIMEOUT_UDPLITE_UNSPEC,
-       CTA_TIMEOUT_UDPLITE_UNREPLIED,
-       CTA_TIMEOUT_UDPLITE_REPLIED,
-       __CTA_TIMEOUT_UDPLITE_MAX
-};
-#define CTA_TIMEOUT_UDPLITE_MAX (__CTA_TIMEOUT_UDPLITE_MAX - 1)
-
-enum ctattr_timeout_icmp {
-       CTA_TIMEOUT_ICMP_UNSPEC,
-       CTA_TIMEOUT_ICMP_TIMEOUT,
-       __CTA_TIMEOUT_ICMP_MAX
-};
-#define CTA_TIMEOUT_ICMP_MAX (__CTA_TIMEOUT_ICMP_MAX - 1)
-
-enum ctattr_timeout_dccp {
-       CTA_TIMEOUT_DCCP_UNSPEC,
-       CTA_TIMEOUT_DCCP_REQUEST,
-       CTA_TIMEOUT_DCCP_RESPOND,
-       CTA_TIMEOUT_DCCP_PARTOPEN,
-       CTA_TIMEOUT_DCCP_OPEN,
-       CTA_TIMEOUT_DCCP_CLOSEREQ,
-       CTA_TIMEOUT_DCCP_CLOSING,
-       CTA_TIMEOUT_DCCP_TIMEWAIT,
-       __CTA_TIMEOUT_DCCP_MAX
-};
-#define CTA_TIMEOUT_DCCP_MAX (__CTA_TIMEOUT_DCCP_MAX - 1)
-
-enum ctattr_timeout_sctp {
-       CTA_TIMEOUT_SCTP_UNSPEC,
-       CTA_TIMEOUT_SCTP_CLOSED,
-       CTA_TIMEOUT_SCTP_COOKIE_WAIT,
-       CTA_TIMEOUT_SCTP_COOKIE_ECHOED,
-       CTA_TIMEOUT_SCTP_ESTABLISHED,
-       CTA_TIMEOUT_SCTP_SHUTDOWN_SENT,
-       CTA_TIMEOUT_SCTP_SHUTDOWN_RECD,
-       CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
-       __CTA_TIMEOUT_SCTP_MAX
-};
-#define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1)
-
-enum ctattr_timeout_icmpv6 {
-       CTA_TIMEOUT_ICMPV6_UNSPEC,
-       CTA_TIMEOUT_ICMPV6_TIMEOUT,
-       __CTA_TIMEOUT_ICMPV6_MAX
-};
-#define CTA_TIMEOUT_ICMPV6_MAX (__CTA_TIMEOUT_ICMPV6_MAX - 1)
-
-enum ctattr_timeout_gre {
-       CTA_TIMEOUT_GRE_UNSPEC,
-       CTA_TIMEOUT_GRE_UNREPLIED,
-       CTA_TIMEOUT_GRE_REPLIED,
-       __CTA_TIMEOUT_GRE_MAX
-};
-#define CTA_TIMEOUT_GRE_MAX (__CTA_TIMEOUT_GRE_MAX - 1)
-
-#define CTNL_TIMEOUT_NAME_MAX  32
-
-#endif
diff --git a/include/linux/netfilter/nfnetlink_log.h b/include/linux/netfilter/nfnetlink_log.h
deleted file mode 100644 (file)
index 90c2c95..0000000
+++ /dev/null
@@ -1,97 +0,0 @@
-#ifndef _NFNETLINK_LOG_H
-#define _NFNETLINK_LOG_H
-
-/* This file describes the netlink messages (i.e. 'protocol packets'),
- * and not any kind of function definitions.  It is shared between kernel and
- * userspace.  Don't put kernel specific stuff in here */
-
-#include <linux/types.h>
-#include <linux/netfilter/nfnetlink.h>
-
-enum nfulnl_msg_types {
-       NFULNL_MSG_PACKET,              /* packet from kernel to userspace */
-       NFULNL_MSG_CONFIG,              /* connect to a particular queue */
-
-       NFULNL_MSG_MAX
-};
-
-struct nfulnl_msg_packet_hdr {
-       __be16          hw_protocol;    /* hw protocol (network order) */
-       __u8    hook;           /* netfilter hook */
-       __u8    _pad;
-};
-
-struct nfulnl_msg_packet_hw {
-       __be16          hw_addrlen;
-       __u16   _pad;
-       __u8    hw_addr[8];
-};
-
-struct nfulnl_msg_packet_timestamp {
-       __aligned_be64  sec;
-       __aligned_be64  usec;
-};
-
-enum nfulnl_attr_type {
-       NFULA_UNSPEC,
-       NFULA_PACKET_HDR,
-       NFULA_MARK,                     /* __u32 nfmark */
-       NFULA_TIMESTAMP,                /* nfulnl_msg_packet_timestamp */
-       NFULA_IFINDEX_INDEV,            /* __u32 ifindex */
-       NFULA_IFINDEX_OUTDEV,           /* __u32 ifindex */
-       NFULA_IFINDEX_PHYSINDEV,        /* __u32 ifindex */
-       NFULA_IFINDEX_PHYSOUTDEV,       /* __u32 ifindex */
-       NFULA_HWADDR,                   /* nfulnl_msg_packet_hw */
-       NFULA_PAYLOAD,                  /* opaque data payload */
-       NFULA_PREFIX,                   /* string prefix */
-       NFULA_UID,                      /* user id of socket */
-       NFULA_SEQ,                      /* instance-local sequence number */
-       NFULA_SEQ_GLOBAL,               /* global sequence number */
-       NFULA_GID,                      /* group id of socket */
-       NFULA_HWTYPE,                   /* hardware type */
-       NFULA_HWHEADER,                 /* hardware header */
-       NFULA_HWLEN,                    /* hardware header length */
-
-       __NFULA_MAX
-};
-#define NFULA_MAX (__NFULA_MAX - 1)
-
-enum nfulnl_msg_config_cmds {
-       NFULNL_CFG_CMD_NONE,
-       NFULNL_CFG_CMD_BIND,
-       NFULNL_CFG_CMD_UNBIND,
-       NFULNL_CFG_CMD_PF_BIND,
-       NFULNL_CFG_CMD_PF_UNBIND,
-};
-
-struct nfulnl_msg_config_cmd {
-       __u8    command;        /* nfulnl_msg_config_cmds */
-} __attribute__ ((packed));
-
-struct nfulnl_msg_config_mode {
-       __be32          copy_range;
-       __u8    copy_mode;
-       __u8    _pad;
-} __attribute__ ((packed));
-
-enum nfulnl_attr_config {
-       NFULA_CFG_UNSPEC,
-       NFULA_CFG_CMD,                  /* nfulnl_msg_config_cmd */
-       NFULA_CFG_MODE,                 /* nfulnl_msg_config_mode */
-       NFULA_CFG_NLBUFSIZ,             /* __u32 buffer size */
-       NFULA_CFG_TIMEOUT,              /* __u32 in 1/100 s */
-       NFULA_CFG_QTHRESH,              /* __u32 */
-       NFULA_CFG_FLAGS,                /* __u16 */
-       __NFULA_CFG_MAX
-};
-#define NFULA_CFG_MAX (__NFULA_CFG_MAX -1)
-
-#define NFULNL_COPY_NONE       0x00
-#define NFULNL_COPY_META       0x01
-#define NFULNL_COPY_PACKET     0x02
-/* 0xff is reserved, don't use it for new copy modes. */
-
-#define NFULNL_CFG_F_SEQ       0x0001
-#define NFULNL_CFG_F_SEQ_GLOBAL        0x0002
-
-#endif /* _NFNETLINK_LOG_H */
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
deleted file mode 100644 (file)
index 70ec8c2..0000000
+++ /dev/null
@@ -1,101 +0,0 @@
-#ifndef _NFNETLINK_QUEUE_H
-#define _NFNETLINK_QUEUE_H
-
-#include <linux/types.h>
-#include <linux/netfilter/nfnetlink.h>
-
-enum nfqnl_msg_types {
-       NFQNL_MSG_PACKET,               /* packet from kernel to userspace */
-       NFQNL_MSG_VERDICT,              /* verdict from userspace to kernel */
-       NFQNL_MSG_CONFIG,               /* connect to a particular queue */
-       NFQNL_MSG_VERDICT_BATCH,        /* batchv from userspace to kernel */
-
-       NFQNL_MSG_MAX
-};
-
-struct nfqnl_msg_packet_hdr {
-       __be32          packet_id;      /* unique ID of packet in queue */
-       __be16          hw_protocol;    /* hw protocol (network order) */
-       __u8    hook;           /* netfilter hook */
-} __attribute__ ((packed));
-
-struct nfqnl_msg_packet_hw {
-       __be16          hw_addrlen;
-       __u16   _pad;
-       __u8    hw_addr[8];
-};
-
-struct nfqnl_msg_packet_timestamp {
-       __aligned_be64  sec;
-       __aligned_be64  usec;
-};
-
-enum nfqnl_attr_type {
-       NFQA_UNSPEC,
-       NFQA_PACKET_HDR,
-       NFQA_VERDICT_HDR,               /* nfqnl_msg_verdict_hrd */
-       NFQA_MARK,                      /* __u32 nfmark */
-       NFQA_TIMESTAMP,                 /* nfqnl_msg_packet_timestamp */
-       NFQA_IFINDEX_INDEV,             /* __u32 ifindex */
-       NFQA_IFINDEX_OUTDEV,            /* __u32 ifindex */
-       NFQA_IFINDEX_PHYSINDEV,         /* __u32 ifindex */
-       NFQA_IFINDEX_PHYSOUTDEV,        /* __u32 ifindex */
-       NFQA_HWADDR,                    /* nfqnl_msg_packet_hw */
-       NFQA_PAYLOAD,                   /* opaque data payload */
-       NFQA_CT,                        /* nf_conntrack_netlink.h */
-       NFQA_CT_INFO,                   /* enum ip_conntrack_info */
-       NFQA_CAP_LEN,                   /* __u32 length of captured packet */
-
-       __NFQA_MAX
-};
-#define NFQA_MAX (__NFQA_MAX - 1)
-
-struct nfqnl_msg_verdict_hdr {
-       __be32 verdict;
-       __be32 id;
-};
-
-
-enum nfqnl_msg_config_cmds {
-       NFQNL_CFG_CMD_NONE,
-       NFQNL_CFG_CMD_BIND,
-       NFQNL_CFG_CMD_UNBIND,
-       NFQNL_CFG_CMD_PF_BIND,
-       NFQNL_CFG_CMD_PF_UNBIND,
-};
-
-struct nfqnl_msg_config_cmd {
-       __u8    command;        /* nfqnl_msg_config_cmds */
-       __u8    _pad;
-       __be16          pf;             /* AF_xxx for PF_[UN]BIND */
-};
-
-enum nfqnl_config_mode {
-       NFQNL_COPY_NONE,
-       NFQNL_COPY_META,
-       NFQNL_COPY_PACKET,
-};
-
-struct nfqnl_msg_config_params {
-       __be32          copy_range;
-       __u8    copy_mode;      /* enum nfqnl_config_mode */
-} __attribute__ ((packed));
-
-
-enum nfqnl_attr_config {
-       NFQA_CFG_UNSPEC,
-       NFQA_CFG_CMD,                   /* nfqnl_msg_config_cmd */
-       NFQA_CFG_PARAMS,                /* nfqnl_msg_config_params */
-       NFQA_CFG_QUEUE_MAXLEN,          /* __u32 */
-       NFQA_CFG_MASK,                  /* identify which flags to change */
-       NFQA_CFG_FLAGS,                 /* value of these flags (__u32) */
-       __NFQA_CFG_MAX
-};
-#define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
-
-/* Flags for NFQA_CFG_FLAGS */
-#define NFQA_CFG_F_FAIL_OPEN                   (1 << 0)
-#define NFQA_CFG_F_CONNTRACK                   (1 << 1)
-#define NFQA_CFG_F_MAX                         (1 << 2)
-
-#endif /* _NFNETLINK_QUEUE_H */
index 8d674a7..dd49566 100644 (file)
@@ -1,191 +1,9 @@
 #ifndef _X_TABLES_H
 #define _X_TABLES_H
-#include <linux/kernel.h>
-#include <linux/types.h>
 
-#define XT_FUNCTION_MAXNAMELEN 30
-#define XT_EXTENSION_MAXNAMELEN 29
-#define XT_TABLE_MAXNAMELEN 32
-
-struct xt_entry_match {
-       union {
-               struct {
-                       __u16 match_size;
-
-                       /* Used by userspace */
-                       char name[XT_EXTENSION_MAXNAMELEN];
-                       __u8 revision;
-               } user;
-               struct {
-                       __u16 match_size;
-
-                       /* Used inside the kernel */
-                       struct xt_match *match;
-               } kernel;
-
-               /* Total length */
-               __u16 match_size;
-       } u;
-
-       unsigned char data[0];
-};
-
-struct xt_entry_target {
-       union {
-               struct {
-                       __u16 target_size;
-
-                       /* Used by userspace */
-                       char name[XT_EXTENSION_MAXNAMELEN];
-                       __u8 revision;
-               } user;
-               struct {
-                       __u16 target_size;
-
-                       /* Used inside the kernel */
-                       struct xt_target *target;
-               } kernel;
-
-               /* Total length */
-               __u16 target_size;
-       } u;
-
-       unsigned char data[0];
-};
-
-#define XT_TARGET_INIT(__name, __size)                                        \
-{                                                                             \
-       .target.u.user = {                                                     \
-               .target_size    = XT_ALIGN(__size),                            \
-               .name           = __name,                                      \
-       },                                                                     \
-}
-
-struct xt_standard_target {
-       struct xt_entry_target target;
-       int verdict;
-};
-
-struct xt_error_target {
-       struct xt_entry_target target;
-       char errorname[XT_FUNCTION_MAXNAMELEN];
-};
-
-/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
- * kernel supports, if >= revision. */
-struct xt_get_revision {
-       char name[XT_EXTENSION_MAXNAMELEN];
-       __u8 revision;
-};
-
-/* CONTINUE verdict for targets */
-#define XT_CONTINUE 0xFFFFFFFF
-
-/* For standard target */
-#define XT_RETURN (-NF_REPEAT - 1)
-
-/* this is a dummy structure to find out the alignment requirement for a struct
- * containing all the fundamental data types that are used in ipt_entry,
- * ip6t_entry and arpt_entry.  This sucks, and it is a hack.  It will be my
- * personal pleasure to remove it -HW
- */
-struct _xt_align {
-       __u8 u8;
-       __u16 u16;
-       __u32 u32;
-       __u64 u64;
-};
-
-#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
-
-/* Standard return verdict, or do jump. */
-#define XT_STANDARD_TARGET ""
-/* Error verdict. */
-#define XT_ERROR_TARGET "ERROR"
-
-#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
-#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
-
-struct xt_counters {
-       __u64 pcnt, bcnt;                       /* Packet and byte counters */
-};
-
-/* The argument to IPT_SO_ADD_COUNTERS. */
-struct xt_counters_info {
-       /* Which table. */
-       char name[XT_TABLE_MAXNAMELEN];
-
-       unsigned int num_counters;
-
-       /* The counters (actually `number' of these). */
-       struct xt_counters counters[0];
-};
-
-#define XT_INV_PROTO           0x40    /* Invert the sense of PROTO. */
-
-#ifndef __KERNEL__
-/* fn returns 0 to continue iteration */
-#define XT_MATCH_ITERATE(type, e, fn, args...)                 \
-({                                                             \
-       unsigned int __i;                                       \
-       int __ret = 0;                                          \
-       struct xt_entry_match *__m;                             \
-                                                               \
-       for (__i = sizeof(type);                                \
-            __i < (e)->target_offset;                          \
-            __i += __m->u.match_size) {                        \
-               __m = (void *)e + __i;                          \
-                                                               \
-               __ret = fn(__m , ## args);                      \
-               if (__ret != 0)                                 \
-                       break;                                  \
-       }                                                       \
-       __ret;                                                  \
-})
-
-/* fn returns 0 to continue iteration */
-#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
-({                                                             \
-       unsigned int __i, __n;                                  \
-       int __ret = 0;                                          \
-       type *__entry;                                          \
-                                                               \
-       for (__i = 0, __n = 0; __i < (size);                    \
-            __i += __entry->next_offset, __n++) {              \
-               __entry = (void *)(entries) + __i;              \
-               if (__n < n)                                    \
-                       continue;                               \
-                                                               \
-               __ret = fn(__entry , ## args);                  \
-               if (__ret != 0)                                 \
-                       break;                                  \
-       }                                                       \
-       __ret;                                                  \
-})
-
-/* fn returns 0 to continue iteration */
-#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
-       XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
-
-#endif /* !__KERNEL__ */
-
-/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
-#define xt_entry_foreach(pos, ehead, esize) \
-       for ((pos) = (typeof(pos))(ehead); \
-            (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
-            (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
-
-/* can only be xt_entry_match, so no use of typeof here */
-#define xt_ematch_foreach(pos, entry) \
-       for ((pos) = (struct xt_entry_match *)entry->elems; \
-            (pos) < (struct xt_entry_match *)((char *)(entry) + \
-                    (entry)->target_offset); \
-            (pos) = (struct xt_entry_match *)((char *)(pos) + \
-                    (pos)->u.match_size))
-
-#ifdef __KERNEL__
 
 #include <linux/netdevice.h>
+#include <uapi/linux/netfilter/x_tables.h>
 
 /**
  * struct xt_action_param - parameters for matches/targets
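Review bot: The new side of this hunk ends up with two consecutive blank lines between `#define _X_TABLES_H` and `#include <linux/netdevice.h>`, because the context blank line before the deleted UAPI block and the one after it both survive the scripted removal; one of them should be dropped so the header reads as a single preamble. The hunk also removes `#include <linux/kernel.h>` and `#include <linux/types.h>` while keeping the kernel-only remainder of the header, so any direct use of those names below now depends on the new `#include <uapi/linux/netfilter/x_tables.h>` pulling them in transitively — worth confirming by compiling this header in isolation rather than relying on include order elsewhere. The kernel-side definitions starting at `struct xt_action_param` continue past the end of the hunk.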
@@ -617,6 +435,4 @@ extern int xt_compat_target_to_user(const struct xt_entry_target *t,
                                    void __user **dstptr, unsigned int *size);
 
 #endif /* CONFIG_COMPAT */
-#endif /* __KERNEL__ */
-
 #endif /* _X_TABLES_H */
diff --git a/include/linux/netfilter/xt_AUDIT.h b/include/linux/netfilter/xt_AUDIT.h
deleted file mode 100644 (file)
index 38751d2..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Header file for iptables xt_AUDIT target
- *
- * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
- * (C) 2010-2011 Red Hat, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#ifndef _XT_AUDIT_TARGET_H
-#define _XT_AUDIT_TARGET_H
-
-#include <linux/types.h>
-
-enum {
-       XT_AUDIT_TYPE_ACCEPT = 0,
-       XT_AUDIT_TYPE_DROP,
-       XT_AUDIT_TYPE_REJECT,
-       __XT_AUDIT_TYPE_MAX,
-};
-
-#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)
-
-struct xt_audit_info {
-       __u8 type; /* XT_AUDIT_TYPE_* */
-};
-
-#endif /* _XT_AUDIT_TARGET_H */
diff --git a/include/linux/netfilter/xt_CHECKSUM.h b/include/linux/netfilter/xt_CHECKSUM.h
deleted file mode 100644 (file)
index 9a2e466..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-/* Header file for iptables ipt_CHECKSUM target
- *
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
- * (C) 2010 Red Hat Inc
- * Author: Michael S. Tsirkin <mst@redhat.com>
- *
- * This software is distributed under GNU GPL v2, 1991
-*/
-#ifndef _XT_CHECKSUM_TARGET_H
-#define _XT_CHECKSUM_TARGET_H
-
-#include <linux/types.h>
-
-#define XT_CHECKSUM_OP_FILL    0x01    /* fill in checksum in IP header */
-
-struct xt_CHECKSUM_info {
-       __u8 operation; /* bitset of operations */
-};
-
-#endif /* _XT_CHECKSUM_TARGET_H */
diff --git a/include/linux/netfilter/xt_CLASSIFY.h b/include/linux/netfilter/xt_CLASSIFY.h
deleted file mode 100644 (file)
index a813bf1..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef _XT_CLASSIFY_H
-#define _XT_CLASSIFY_H
-
-#include <linux/types.h>
-
-struct xt_classify_target_info {
-       __u32 priority;
-};
-
-#endif /*_XT_CLASSIFY_H */
diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h
deleted file mode 100644 (file)
index 2f2e48e..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef _XT_CONNMARK_H_target
-#define _XT_CONNMARK_H_target
-
-#include <linux/netfilter/xt_connmark.h>
-
-#endif /*_XT_CONNMARK_H_target*/
diff --git a/include/linux/netfilter/xt_CONNSECMARK.h b/include/linux/netfilter/xt_CONNSECMARK.h
deleted file mode 100644 (file)
index b973ff8..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef _XT_CONNSECMARK_H_target
-#define _XT_CONNSECMARK_H_target
-
-#include <linux/types.h>
-
-enum {
-       CONNSECMARK_SAVE = 1,
-       CONNSECMARK_RESTORE,
-};
-
-struct xt_connsecmark_target_info {
-       __u8 mode;
-};
-
-#endif /*_XT_CONNSECMARK_H_target */
diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h
deleted file mode 100644 (file)
index a064b8a..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef _XT_CT_H
-#define _XT_CT_H
-
-#include <linux/types.h>
-
-#define XT_CT_NOTRACK  0x1
-
-struct xt_ct_target_info {
-       __u16 flags;
-       __u16 zone;
-       __u32 ct_events;
-       __u32 exp_events;
-       char helper[16];
-
-       /* Used internally by the kernel */
-       struct nf_conn  *ct __attribute__((aligned(8)));
-};
-
-struct xt_ct_target_info_v1 {
-       __u16 flags;
-       __u16 zone;
-       __u32 ct_events;
-       __u32 exp_events;
-       char helper[16];
-       char timeout[32];
-
-       /* Used internally by the kernel */
-       struct nf_conn  *ct __attribute__((aligned(8)));
-};
-
-#endif /* _XT_CT_H */
diff --git a/include/linux/netfilter/xt_DSCP.h b/include/linux/netfilter/xt_DSCP.h
deleted file mode 100644 (file)
index 648e0b3..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
-/* x_tables module for setting the IPv4/IPv6 DSCP field
- *
- * (C) 2002 Harald Welte <laforge@gnumonks.org>
- * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
- * This software is distributed under GNU GPL v2, 1991
- *
- * See RFC2474 for a description of the DSCP field within the IP Header.
- *
- * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
-*/
-#ifndef _XT_DSCP_TARGET_H
-#define _XT_DSCP_TARGET_H
-#include <linux/netfilter/xt_dscp.h>
-#include <linux/types.h>
-
-/* target info */
-struct xt_DSCP_info {
-       __u8 dscp;
-};
-
-struct xt_tos_target_info {
-       __u8 tos_value;
-       __u8 tos_mask;
-};
-
-#endif /* _XT_DSCP_TARGET_H */
diff --git a/include/linux/netfilter/xt_IDLETIMER.h b/include/linux/netfilter/xt_IDLETIMER.h
deleted file mode 100644 (file)
index 208ae93..0000000
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * linux/include/linux/netfilter/xt_IDLETIMER.h
- *
- * Header file for Xtables timer target module.
- *
- * Copyright (C) 2004, 2010 Nokia Corporation
- * Written by Timo Teras <ext-timo.teras@nokia.com>
- *
- * Converted to x_tables and forward-ported to 2.6.34
- * by Luciano Coelho <luciano.coelho@nokia.com>
- *
- * Contact: Luciano Coelho <luciano.coelho@nokia.com>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * version 2 as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA
- */
-
-#ifndef _XT_IDLETIMER_H
-#define _XT_IDLETIMER_H
-
-#include <linux/types.h>
-
-#define MAX_IDLETIMER_LABEL_SIZE 28
-
-struct idletimer_tg_info {
-       __u32 timeout;
-
-       char label[MAX_IDLETIMER_LABEL_SIZE];
-
-       /* for kernel module internal use only */
-       struct idletimer_tg *timer __attribute__((aligned(8)));
-};
-
-#endif
diff --git a/include/linux/netfilter/xt_LED.h b/include/linux/netfilter/xt_LED.h
deleted file mode 100644 (file)
index f5509e7..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef _XT_LED_H
-#define _XT_LED_H
-
-#include <linux/types.h>
-
-struct xt_led_info {
-       char id[27];        /* Unique ID for this trigger in the LED class */
-       __u8 always_blink;  /* Blink even if the LED is already on */
-       __u32 delay;        /* Delay until LED is switched off after trigger */
-
-       /* Kernel data used in the module */
-       void *internal_data __attribute__((aligned(8)));
-};
-
-#endif /* _XT_LED_H */
diff --git a/include/linux/netfilter/xt_LOG.h b/include/linux/netfilter/xt_LOG.h
deleted file mode 100644 (file)
index cac0790..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _XT_LOG_H
-#define _XT_LOG_H
-
-/* make sure not to change this without changing nf_log.h:NF_LOG_* (!) */
-#define XT_LOG_TCPSEQ          0x01    /* Log TCP sequence numbers */
-#define XT_LOG_TCPOPT          0x02    /* Log TCP options */
-#define XT_LOG_IPOPT           0x04    /* Log IP options */
-#define XT_LOG_UID             0x08    /* Log UID owning local socket */
-#define XT_LOG_NFLOG           0x10    /* Unsupported, don't reuse */
-#define XT_LOG_MACDECODE       0x20    /* Decode MAC header */
-#define XT_LOG_MASK            0x2f
-
-struct xt_log_info {
-       unsigned char level;
-       unsigned char logflags;
-       char prefix[30];
-};
-
-#endif /* _XT_LOG_H */
diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h
deleted file mode 100644 (file)
index 41c456d..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef _XT_MARK_H_target
-#define _XT_MARK_H_target
-
-#include <linux/netfilter/xt_mark.h>
-
-#endif /*_XT_MARK_H_target */
diff --git a/include/linux/netfilter/xt_NFLOG.h b/include/linux/netfilter/xt_NFLOG.h
deleted file mode 100644 (file)
index 87b5831..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef _XT_NFLOG_TARGET
-#define _XT_NFLOG_TARGET
-
-#include <linux/types.h>
-
-#define XT_NFLOG_DEFAULT_GROUP         0x1
-#define XT_NFLOG_DEFAULT_THRESHOLD     0
-
-#define XT_NFLOG_MASK                  0x0
-
-struct xt_nflog_info {
-       __u32   len;
-       __u16   group;
-       __u16   threshold;
-       __u16   flags;
-       __u16   pad;
-       char            prefix[64];
-};
-
-#endif /* _XT_NFLOG_TARGET */
diff --git a/include/linux/netfilter/xt_NFQUEUE.h b/include/linux/netfilter/xt_NFQUEUE.h
deleted file mode 100644 (file)
index 9eafdbb..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-/* iptables module for using NFQUEUE mechanism
- *
- * (C) 2005 Harald Welte <laforge@netfilter.org>
- *
- * This software is distributed under GNU GPL v2, 1991
- * 
-*/
-#ifndef _XT_NFQ_TARGET_H
-#define _XT_NFQ_TARGET_H
-
-#include <linux/types.h>
-
-/* target info */
-struct xt_NFQ_info {
-       __u16 queuenum;
-};
-
-struct xt_NFQ_info_v1 {
-       __u16 queuenum;
-       __u16 queues_total;
-};
-
-struct xt_NFQ_info_v2 {
-       __u16 queuenum;
-       __u16 queues_total;
-       __u16 bypass;
-};
-
-#endif /* _XT_NFQ_TARGET_H */
diff --git a/include/linux/netfilter/xt_RATEEST.h b/include/linux/netfilter/xt_RATEEST.h
deleted file mode 100644 (file)
index 6605e20..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef _XT_RATEEST_TARGET_H
-#define _XT_RATEEST_TARGET_H
-
-#include <linux/types.h>
-
-struct xt_rateest_target_info {
-       char                    name[IFNAMSIZ];
-       __s8                    interval;
-       __u8            ewma_log;
-
-       /* Used internally by the kernel */
-       struct xt_rateest       *est __attribute__((aligned(8)));
-};
-
-#endif /* _XT_RATEEST_TARGET_H */
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
deleted file mode 100644 (file)
index 989092b..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-#ifndef _XT_SECMARK_H_target
-#define _XT_SECMARK_H_target
-
-#include <linux/types.h>
-
-/*
- * This is intended for use by various security subsystems (but not
- * at the same time).
- *
- * 'mode' refers to the specific security subsystem which the
- * packets are being marked for.
- */
-#define SECMARK_MODE_SEL       0x01            /* SELinux */
-#define SECMARK_SECCTX_MAX     256
-
-struct xt_secmark_target_info {
-       __u8 mode;
-       __u32 secid;
-       char secctx[SECMARK_SECCTX_MAX];
-};
-
-#endif /*_XT_SECMARK_H_target */
diff --git a/include/linux/netfilter/xt_TCPMSS.h b/include/linux/netfilter/xt_TCPMSS.h
deleted file mode 100644 (file)
index 9a6960a..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef _XT_TCPMSS_H
-#define _XT_TCPMSS_H
-
-#include <linux/types.h>
-
-struct xt_tcpmss_info {
-       __u16 mss;
-};
-
-#define XT_TCPMSS_CLAMP_PMTU 0xffff
-
-#endif /* _XT_TCPMSS_H */
diff --git a/include/linux/netfilter/xt_TCPOPTSTRIP.h b/include/linux/netfilter/xt_TCPOPTSTRIP.h
deleted file mode 100644 (file)
index 7157318..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef _XT_TCPOPTSTRIP_H
-#define _XT_TCPOPTSTRIP_H
-
-#include <linux/types.h>
-
-#define tcpoptstrip_set_bit(bmap, idx) \
-       (bmap[(idx) >> 5] |= 1U << (idx & 31))
-#define tcpoptstrip_test_bit(bmap, idx) \
-       (((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0)
-
-struct xt_tcpoptstrip_target_info {
-       __u32 strip_bmap[8];
-};
-
-#endif /* _XT_TCPOPTSTRIP_H */
diff --git a/include/linux/netfilter/xt_TEE.h b/include/linux/netfilter/xt_TEE.h
deleted file mode 100644 (file)
index 5c21d5c..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef _XT_TEE_TARGET_H
-#define _XT_TEE_TARGET_H
-
-struct xt_tee_tginfo {
-       union nf_inet_addr gw;
-       char oif[16];
-
-       /* used internally by the kernel */
-       struct xt_tee_priv *priv __attribute__((aligned(8)));
-};
-
-#endif /* _XT_TEE_TARGET_H */
diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h
deleted file mode 100644 (file)
index 902043c..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef _XT_TPROXY_H
-#define _XT_TPROXY_H
-
-#include <linux/types.h>
-
-/* TPROXY target is capable of marking the packet to perform
- * redirection. We can get rid of that whenever we get support for
- * mutliple targets in the same rule. */
-struct xt_tproxy_target_info {
-       __u32 mark_mask;
-       __u32 mark_value;
-       __be32 laddr;
-       __be16 lport;
-};
-
-struct xt_tproxy_target_info_v1 {
-       __u32 mark_mask;
-       __u32 mark_value;
-       union nf_inet_addr laddr;
-       __be16 lport;
-};
-
-#endif /* _XT_TPROXY_H */
diff --git a/include/linux/netfilter/xt_addrtype.h b/include/linux/netfilter/xt_addrtype.h
deleted file mode 100644 (file)
index b156baa..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-#ifndef _XT_ADDRTYPE_H
-#define _XT_ADDRTYPE_H
-
-#include <linux/types.h>
-
-enum {
-       XT_ADDRTYPE_INVERT_SOURCE       = 0x0001,
-       XT_ADDRTYPE_INVERT_DEST         = 0x0002,
-       XT_ADDRTYPE_LIMIT_IFACE_IN      = 0x0004,
-       XT_ADDRTYPE_LIMIT_IFACE_OUT     = 0x0008,
-};
-
-
-/* rtn_type enum values from rtnetlink.h, but shifted */
-enum {
-       XT_ADDRTYPE_UNSPEC = 1 << 0,
-       XT_ADDRTYPE_UNICAST = 1 << 1,   /* 1 << RTN_UNICAST */
-       XT_ADDRTYPE_LOCAL  = 1 << 2,    /* 1 << RTN_LOCAL, etc */
-       XT_ADDRTYPE_BROADCAST = 1 << 3,
-       XT_ADDRTYPE_ANYCAST = 1 << 4,
-       XT_ADDRTYPE_MULTICAST = 1 << 5,
-       XT_ADDRTYPE_BLACKHOLE = 1 << 6,
-       XT_ADDRTYPE_UNREACHABLE = 1 << 7,
-       XT_ADDRTYPE_PROHIBIT = 1 << 8,
-       XT_ADDRTYPE_THROW = 1 << 9,
-       XT_ADDRTYPE_NAT = 1 << 10,
-       XT_ADDRTYPE_XRESOLVE = 1 << 11,
-};
-
-struct xt_addrtype_info_v1 {
-       __u16   source;         /* source-type mask */
-       __u16   dest;           /* dest-type mask */
-       __u32   flags;
-};
-
-/* revision 0 */
-struct xt_addrtype_info {
-       __u16   source;         /* source-type mask */
-       __u16   dest;           /* dest-type mask */
-       __u32   invert_source;
-       __u32   invert_dest;
-};
-
-#endif
diff --git a/include/linux/netfilter/xt_cluster.h b/include/linux/netfilter/xt_cluster.h
deleted file mode 100644 (file)
index 9b883c8..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _XT_CLUSTER_MATCH_H
-#define _XT_CLUSTER_MATCH_H
-
-#include <linux/types.h>
-
-enum xt_cluster_flags {
-       XT_CLUSTER_F_INV        = (1 << 0)
-};
-
-struct xt_cluster_match_info {
-       __u32 total_nodes;
-       __u32 node_mask;
-       __u32 hash_seed;
-       __u32 flags;
-};
-
-#define XT_CLUSTER_NODES_MAX   32
-
-#endif /* _XT_CLUSTER_MATCH_H */
diff --git a/include/linux/netfilter/xt_comment.h b/include/linux/netfilter/xt_comment.h
deleted file mode 100644 (file)
index 0ea5e79..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef _XT_COMMENT_H
-#define _XT_COMMENT_H
-
-#define XT_MAX_COMMENT_LEN 256
-
-struct xt_comment_info {
-       char comment[XT_MAX_COMMENT_LEN];
-};
-
-#endif /* XT_COMMENT_H */
diff --git a/include/linux/netfilter/xt_connbytes.h b/include/linux/netfilter/xt_connbytes.h
deleted file mode 100644 (file)
index f1d6c15..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef _XT_CONNBYTES_H
-#define _XT_CONNBYTES_H
-
-#include <linux/types.h>
-
-enum xt_connbytes_what {
-       XT_CONNBYTES_PKTS,
-       XT_CONNBYTES_BYTES,
-       XT_CONNBYTES_AVGPKT,
-};
-
-enum xt_connbytes_direction {
-       XT_CONNBYTES_DIR_ORIGINAL,
-       XT_CONNBYTES_DIR_REPLY,
-       XT_CONNBYTES_DIR_BOTH,
-};
-
-struct xt_connbytes_info {
-       struct {
-               __aligned_u64 from;     /* count to be matched */
-               __aligned_u64 to;       /* count to be matched */
-       } count;
-       __u8 what;              /* ipt_connbytes_what */
-       __u8 direction; /* ipt_connbytes_direction */
-};
-#endif
diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h
deleted file mode 100644 (file)
index f165609..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef _XT_CONNLIMIT_H
-#define _XT_CONNLIMIT_H
-
-#include <linux/types.h>
-#include <linux/netfilter.h>
-
-struct xt_connlimit_data;
-
-enum {
-       XT_CONNLIMIT_INVERT = 1 << 0,
-       XT_CONNLIMIT_DADDR  = 1 << 1,
-};
-
-struct xt_connlimit_info {
-       union {
-               union nf_inet_addr mask;
-#ifndef __KERNEL__
-               union {
-                       __be32 v4_mask;
-                       __be32 v6_mask[4];
-               };
-#endif
-       };
-       unsigned int limit;
-       /* revision 1 */
-       __u32 flags;
-
-       /* Used internally by the kernel */
-       struct xt_connlimit_data *data __attribute__((aligned(8)));
-};
-
-#endif /* _XT_CONNLIMIT_H */
diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
deleted file mode 100644 (file)
index efc17a8..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef _XT_CONNMARK_H
-#define _XT_CONNMARK_H
-
-#include <linux/types.h>
-
-/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- */
-
-enum {
-       XT_CONNMARK_SET = 0,
-       XT_CONNMARK_SAVE,
-       XT_CONNMARK_RESTORE
-};
-
-struct xt_connmark_tginfo1 {
-       __u32 ctmark, ctmask, nfmask;
-       __u8 mode;
-};
-
-struct xt_connmark_mtinfo1 {
-       __u32 mark, mask;
-       __u8 invert;
-};
-
-#endif /*_XT_CONNMARK_H*/
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
deleted file mode 100644 (file)
index e3c041d..0000000
+++ /dev/null
@@ -1,77 +0,0 @@
-/* Header file for kernel module to match connection tracking information.
- * GPL (C) 2001  Marc Boucher (marc@mbsi.ca).
- */
-
-#ifndef _XT_CONNTRACK_H
-#define _XT_CONNTRACK_H
-
-#include <linux/types.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter/nf_conntrack_tuple_common.h>
-
-#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
-#define XT_CONNTRACK_STATE_INVALID (1 << 0)
-
-#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
-#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
-#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
-
-/* flags, invflags: */
-enum {
-       XT_CONNTRACK_STATE        = 1 << 0,
-       XT_CONNTRACK_PROTO        = 1 << 1,
-       XT_CONNTRACK_ORIGSRC      = 1 << 2,
-       XT_CONNTRACK_ORIGDST      = 1 << 3,
-       XT_CONNTRACK_REPLSRC      = 1 << 4,
-       XT_CONNTRACK_REPLDST      = 1 << 5,
-       XT_CONNTRACK_STATUS       = 1 << 6,
-       XT_CONNTRACK_EXPIRES      = 1 << 7,
-       XT_CONNTRACK_ORIGSRC_PORT = 1 << 8,
-       XT_CONNTRACK_ORIGDST_PORT = 1 << 9,
-       XT_CONNTRACK_REPLSRC_PORT = 1 << 10,
-       XT_CONNTRACK_REPLDST_PORT = 1 << 11,
-       XT_CONNTRACK_DIRECTION    = 1 << 12,
-};
-
-struct xt_conntrack_mtinfo1 {
-       union nf_inet_addr origsrc_addr, origsrc_mask;
-       union nf_inet_addr origdst_addr, origdst_mask;
-       union nf_inet_addr replsrc_addr, replsrc_mask;
-       union nf_inet_addr repldst_addr, repldst_mask;
-       __u32 expires_min, expires_max;
-       __u16 l4proto;
-       __be16 origsrc_port, origdst_port;
-       __be16 replsrc_port, repldst_port;
-       __u16 match_flags, invert_flags;
-       __u8 state_mask, status_mask;
-};
-
-struct xt_conntrack_mtinfo2 {
-       union nf_inet_addr origsrc_addr, origsrc_mask;
-       union nf_inet_addr origdst_addr, origdst_mask;
-       union nf_inet_addr replsrc_addr, replsrc_mask;
-       union nf_inet_addr repldst_addr, repldst_mask;
-       __u32 expires_min, expires_max;
-       __u16 l4proto;
-       __be16 origsrc_port, origdst_port;
-       __be16 replsrc_port, repldst_port;
-       __u16 match_flags, invert_flags;
-       __u16 state_mask, status_mask;
-};
-
-struct xt_conntrack_mtinfo3 {
-       union nf_inet_addr origsrc_addr, origsrc_mask;
-       union nf_inet_addr origdst_addr, origdst_mask;
-       union nf_inet_addr replsrc_addr, replsrc_mask;
-       union nf_inet_addr repldst_addr, repldst_mask;
-       __u32 expires_min, expires_max;
-       __u16 l4proto;
-       __u16 origsrc_port, origdst_port;
-       __u16 replsrc_port, repldst_port;
-       __u16 match_flags, invert_flags;
-       __u16 state_mask, status_mask;
-       __u16 origsrc_port_high, origdst_port_high;
-       __u16 replsrc_port_high, repldst_port_high;
-};
-
-#endif /*_XT_CONNTRACK_H*/
diff --git a/include/linux/netfilter/xt_cpu.h b/include/linux/netfilter/xt_cpu.h
deleted file mode 100644 (file)
index 93c7f11..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _XT_CPU_H
-#define _XT_CPU_H
-
-#include <linux/types.h>
-
-struct xt_cpu_info {
-       __u32   cpu;
-       __u32   invert;
-};
-
-#endif /*_XT_CPU_H*/
diff --git a/include/linux/netfilter/xt_dccp.h b/include/linux/netfilter/xt_dccp.h
deleted file mode 100644 (file)
index a579e1b..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef _XT_DCCP_H_
-#define _XT_DCCP_H_
-
-#include <linux/types.h>
-
-#define XT_DCCP_SRC_PORTS              0x01
-#define XT_DCCP_DEST_PORTS             0x02
-#define XT_DCCP_TYPE                   0x04
-#define XT_DCCP_OPTION                 0x08
-
-#define XT_DCCP_VALID_FLAGS            0x0f
-
-struct xt_dccp_info {
-       __u16 dpts[2];  /* Min, Max */
-       __u16 spts[2];  /* Min, Max */
-
-       __u16 flags;
-       __u16 invflags;
-
-       __u16 typemask;
-       __u8 option;
-};
-
-#endif /* _XT_DCCP_H_ */
-
diff --git a/include/linux/netfilter/xt_devgroup.h b/include/linux/netfilter/xt_devgroup.h
deleted file mode 100644 (file)
index 1babde0..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef _XT_DEVGROUP_H
-#define _XT_DEVGROUP_H
-
-#include <linux/types.h>
-
-enum xt_devgroup_flags {
-       XT_DEVGROUP_MATCH_SRC   = 0x1,
-       XT_DEVGROUP_INVERT_SRC  = 0x2,
-       XT_DEVGROUP_MATCH_DST   = 0x4,
-       XT_DEVGROUP_INVERT_DST  = 0x8,
-};
-
-struct xt_devgroup_info {
-       __u32   flags;
-       __u32   src_group;
-       __u32   src_mask;
-       __u32   dst_group;
-       __u32   dst_mask;
-};
-
-#endif /* _XT_DEVGROUP_H */
diff --git a/include/linux/netfilter/xt_dscp.h b/include/linux/netfilter/xt_dscp.h
deleted file mode 100644 (file)
index 15f8932..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-/* x_tables module for matching the IPv4/IPv6 DSCP field
- *
- * (C) 2002 Harald Welte <laforge@gnumonks.org>
- * This software is distributed under GNU GPL v2, 1991
- *
- * See RFC2474 for a description of the DSCP field within the IP Header.
- *
- * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
-*/
-#ifndef _XT_DSCP_H
-#define _XT_DSCP_H
-
-#include <linux/types.h>
-
-#define XT_DSCP_MASK   0xfc    /* 11111100 */
-#define XT_DSCP_SHIFT  2
-#define XT_DSCP_MAX    0x3f    /* 00111111 */
-
-/* match info */
-struct xt_dscp_info {
-       __u8 dscp;
-       __u8 invert;
-};
-
-struct xt_tos_match_info {
-       __u8 tos_mask;
-       __u8 tos_value;
-       __u8 invert;
-};
-
-#endif /* _XT_DSCP_H */
diff --git a/include/linux/netfilter/xt_ecn.h b/include/linux/netfilter/xt_ecn.h
deleted file mode 100644 (file)
index 7158fca..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-/* iptables module for matching the ECN header in IPv4 and TCP header
- *
- * (C) 2002 Harald Welte <laforge@gnumonks.org>
- *
- * This software is distributed under GNU GPL v2, 1991
- * 
- * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
-*/
-#ifndef _XT_ECN_H
-#define _XT_ECN_H
-
-#include <linux/types.h>
-#include <linux/netfilter/xt_dscp.h>
-
-#define XT_ECN_IP_MASK (~XT_DSCP_MASK)
-
-#define XT_ECN_OP_MATCH_IP     0x01
-#define XT_ECN_OP_MATCH_ECE    0x10
-#define XT_ECN_OP_MATCH_CWR    0x20
-
-#define XT_ECN_OP_MATCH_MASK   0xce
-
-/* match info */
-struct xt_ecn_info {
-       __u8 operation;
-       __u8 invert;
-       __u8 ip_ect;
-       union {
-               struct {
-                       __u8 ect;
-               } tcp;
-       } proto;
-};
-
-#endif /* _XT_ECN_H */
diff --git a/include/linux/netfilter/xt_esp.h b/include/linux/netfilter/xt_esp.h
deleted file mode 100644 (file)
index ee68824..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef _XT_ESP_H
-#define _XT_ESP_H
-
-#include <linux/types.h>
-
-struct xt_esp {
-       __u32 spis[2];  /* Security Parameter Index */
-       __u8  invflags; /* Inverse flags */
-};
-
-/* Values for "invflags" field in struct xt_esp. */
-#define XT_ESP_INV_SPI 0x01    /* Invert the sense of spi. */
-#define XT_ESP_INV_MASK        0x01    /* All possible flags. */
-
-#endif /*_XT_ESP_H*/
index c42e52f..074790c 100644 (file)
@@ -1,78 +1,9 @@
 #ifndef _XT_HASHLIMIT_H
 #define _XT_HASHLIMIT_H
 
-#include <linux/types.h>
+#include <uapi/linux/netfilter/xt_hashlimit.h>
 
-/* timings are in milliseconds. */
-#define XT_HASHLIMIT_SCALE 10000
-/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
- * seconds, or one packet every 59 hours.
- */
-
-/* packet length accounting is done in 16-byte steps */
-#define XT_HASHLIMIT_BYTE_SHIFT 4
-
-/* details of this structure hidden by the implementation */
-struct xt_hashlimit_htable;
-
-enum {
-       XT_HASHLIMIT_HASH_DIP = 1 << 0,
-       XT_HASHLIMIT_HASH_DPT = 1 << 1,
-       XT_HASHLIMIT_HASH_SIP = 1 << 2,
-       XT_HASHLIMIT_HASH_SPT = 1 << 3,
-       XT_HASHLIMIT_INVERT   = 1 << 4,
-       XT_HASHLIMIT_BYTES    = 1 << 5,
-};
-#ifdef __KERNEL__
 #define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \
                          XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \
                          XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES)
-#endif
-
-struct hashlimit_cfg {
-       __u32 mode;       /* bitmask of XT_HASHLIMIT_HASH_* */
-       __u32 avg;    /* Average secs between packets * scale */
-       __u32 burst;  /* Period multiplier for upper limit. */
-
-       /* user specified */
-       __u32 size;             /* how many buckets */
-       __u32 max;              /* max number of entries */
-       __u32 gc_interval;      /* gc interval */
-       __u32 expire;   /* when do entries expire? */
-};
-
-struct xt_hashlimit_info {
-       char name [IFNAMSIZ];           /* name */
-       struct hashlimit_cfg cfg;
-
-       /* Used internally by the kernel */
-       struct xt_hashlimit_htable *hinfo;
-       union {
-               void *ptr;
-               struct xt_hashlimit_info *master;
-       } u;
-};
-
-struct hashlimit_cfg1 {
-       __u32 mode;       /* bitmask of XT_HASHLIMIT_HASH_* */
-       __u32 avg;    /* Average secs between packets * scale */
-       __u32 burst;  /* Period multiplier for upper limit. */
-
-       /* user specified */
-       __u32 size;             /* how many buckets */
-       __u32 max;              /* max number of entries */
-       __u32 gc_interval;      /* gc interval */
-       __u32 expire;   /* when do entries expire? */
-
-       __u8 srcmask, dstmask;
-};
-
-struct xt_hashlimit_mtinfo1 {
-       char name[IFNAMSIZ];
-       struct hashlimit_cfg1 cfg;
-
-       /* Used internally by the kernel */
-       struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
-};
-
 #endif /*_XT_HASHLIMIT_H*/
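Review bot: `XT_HASHLIMIT_ALL` on the new side keeps none of its former `#ifdef __KERNEL__` guard, which is only correct because this file is now the kernel-private wrapper around the uapi header; a one-line comment would stop the next reader from re-adding the guard or re-exporting the macro: `/* kernel-only helper; the XT_HASHLIMIT_* flags it combines live in uapi/linux/netfilter/xt_hashlimit.h */`. The enum the macro expands is no longer visible in this file, so the macro now depends on the uapi include above it being first. The removed `char name[IFNAMSIZ]` fields presumably moved to the uapi header, and neither the old nor the new file includes `<linux/if.h>`, so it is worth confirming that the uapi header builds standalone for userspace.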
diff --git a/include/linux/netfilter/xt_helper.h b/include/linux/netfilter/xt_helper.h
deleted file mode 100644 (file)
index 6b42763..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef _XT_HELPER_H
-#define _XT_HELPER_H
-
-struct xt_helper_info {
-       int invert;
-       char name[30];
-};
-#endif /* _XT_HELPER_H */
diff --git a/include/linux/netfilter/xt_iprange.h b/include/linux/netfilter/xt_iprange.h
deleted file mode 100644 (file)
index 25fd7cf..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
-#define _LINUX_NETFILTER_XT_IPRANGE_H 1
-
-#include <linux/types.h>
-#include <linux/netfilter.h>
-
-enum {
-       IPRANGE_SRC     = 1 << 0,       /* match source IP address */
-       IPRANGE_DST     = 1 << 1,       /* match destination IP address */
-       IPRANGE_SRC_INV = 1 << 4,       /* negate the condition */
-       IPRANGE_DST_INV = 1 << 5,       /* -"- */
-};
-
-struct xt_iprange_mtinfo {
-       union nf_inet_addr src_min, src_max;
-       union nf_inet_addr dst_min, dst_max;
-       __u8 flags;
-};
-
-#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */
diff --git a/include/linux/netfilter/xt_ipvs.h b/include/linux/netfilter/xt_ipvs.h
deleted file mode 100644 (file)
index eff34ac..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef _XT_IPVS_H
-#define _XT_IPVS_H
-
-#include <linux/types.h>
-
-enum {
-       XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */
-       XT_IPVS_PROTO =         1 << 1,
-       XT_IPVS_VADDR =         1 << 2,
-       XT_IPVS_VPORT =         1 << 3,
-       XT_IPVS_DIR =           1 << 4,
-       XT_IPVS_METHOD =        1 << 5,
-       XT_IPVS_VPORTCTL =      1 << 6,
-       XT_IPVS_MASK =          (1 << 7) - 1,
-       XT_IPVS_ONCE_MASK =     XT_IPVS_MASK & ~XT_IPVS_IPVS_PROPERTY
-};
-
-struct xt_ipvs_mtinfo {
-       union nf_inet_addr      vaddr, vmask;
-       __be16                  vport;
-       __u8                    l4proto;
-       __u8                    fwd_method;
-       __be16                  vportctl;
-
-       __u8                    invert;
-       __u8                    bitmask;
-};
-
-#endif /* _XT_IPVS_H */
diff --git a/include/linux/netfilter/xt_length.h b/include/linux/netfilter/xt_length.h
deleted file mode 100644 (file)
index b82ed7c..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _XT_LENGTH_H
-#define _XT_LENGTH_H
-
-#include <linux/types.h>
-
-struct xt_length_info {
-    __u16      min, max;
-    __u8       invert;
-};
-
-#endif /*_XT_LENGTH_H*/
diff --git a/include/linux/netfilter/xt_limit.h b/include/linux/netfilter/xt_limit.h
deleted file mode 100644 (file)
index bb47fc4..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef _XT_RATE_H
-#define _XT_RATE_H
-
-#include <linux/types.h>
-
-/* timings are in milliseconds. */
-#define XT_LIMIT_SCALE 10000
-
-struct xt_limit_priv;
-
-/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
-   seconds, or one every 59 hours. */
-struct xt_rateinfo {
-       __u32 avg;    /* Average secs between packets * scale */
-       __u32 burst;  /* Period multiplier for upper limit. */
-
-       /* Used internally by the kernel */
-       unsigned long prev; /* moved to xt_limit_priv */
-       __u32 credit; /* moved to xt_limit_priv */
-       __u32 credit_cap, cost;
-
-       struct xt_limit_priv *master;
-};
-#endif /*_XT_RATE_H*/
diff --git a/include/linux/netfilter/xt_mac.h b/include/linux/netfilter/xt_mac.h
deleted file mode 100644 (file)
index b892cdc..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef _XT_MAC_H
-#define _XT_MAC_H
-
-struct xt_mac_info {
-    unsigned char srcaddr[ETH_ALEN];
-    int invert;
-};
-#endif /*_XT_MAC_H*/
diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h
deleted file mode 100644 (file)
index ecadc40..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef _XT_MARK_H
-#define _XT_MARK_H
-
-#include <linux/types.h>
-
-struct xt_mark_tginfo2 {
-       __u32 mark, mask;
-};
-
-struct xt_mark_mtinfo1 {
-       __u32 mark, mask;
-       __u8 invert;
-};
-
-#endif /*_XT_MARK_H*/
diff --git a/include/linux/netfilter/xt_multiport.h b/include/linux/netfilter/xt_multiport.h
deleted file mode 100644 (file)
index 5b7e72d..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef _XT_MULTIPORT_H
-#define _XT_MULTIPORT_H
-
-#include <linux/types.h>
-
-enum xt_multiport_flags {
-       XT_MULTIPORT_SOURCE,
-       XT_MULTIPORT_DESTINATION,
-       XT_MULTIPORT_EITHER
-};
-
-#define XT_MULTI_PORTS 15
-
-/* Must fit inside union xt_matchinfo: 16 bytes */
-struct xt_multiport {
-       __u8 flags;                             /* Type of comparison */
-       __u8 count;                             /* Number of ports */
-       __u16 ports[XT_MULTI_PORTS];    /* Ports */
-};
-
-struct xt_multiport_v1 {
-       __u8 flags;                             /* Type of comparison */
-       __u8 count;                             /* Number of ports */
-       __u16 ports[XT_MULTI_PORTS];    /* Ports */
-       __u8 pflags[XT_MULTI_PORTS];    /* Port flags */
-       __u8 invert;                    /* Invert flag */
-};
-
-#endif /*_XT_MULTIPORT_H*/
diff --git a/include/linux/netfilter/xt_nfacct.h b/include/linux/netfilter/xt_nfacct.h
deleted file mode 100644 (file)
index 3e19c8a..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef _XT_NFACCT_MATCH_H
-#define _XT_NFACCT_MATCH_H
-
-#include <linux/netfilter/nfnetlink_acct.h>
-
-struct nf_acct;
-
-struct xt_nfacct_match_info {
-       char            name[NFACCT_NAME_MAX];
-       struct nf_acct  *nfacct;
-};
-
-#endif /* _XT_NFACCT_MATCH_H */
diff --git a/include/linux/netfilter/xt_osf.h b/include/linux/netfilter/xt_osf.h
deleted file mode 100644 (file)
index 18afa49..0000000
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright (c) 2003+ Evgeniy Polyakov <johnpol@2ka.mxt.ru>
- *
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#ifndef _XT_OSF_H
-#define _XT_OSF_H
-
-#include <linux/types.h>
-
-#define MAXGENRELEN            32
-
-#define XT_OSF_GENRE           (1<<0)
-#define        XT_OSF_TTL              (1<<1)
-#define XT_OSF_LOG             (1<<2)
-#define XT_OSF_INVERT          (1<<3)
-
-#define XT_OSF_LOGLEVEL_ALL    0       /* log all matched fingerprints */
-#define XT_OSF_LOGLEVEL_FIRST  1       /* log only the first matced fingerprint */
-#define XT_OSF_LOGLEVEL_ALL_KNOWN      2 /* do not log unknown packets */
-
-#define XT_OSF_TTL_TRUE                0       /* True ip and fingerprint TTL comparison */
-#define XT_OSF_TTL_LESS                1       /* Check if ip TTL is less than fingerprint one */
-#define XT_OSF_TTL_NOCHECK     2       /* Do not compare ip and fingerprint TTL at all */
-
-struct xt_osf_info {
-       char                    genre[MAXGENRELEN];
-       __u32                   len;
-       __u32                   flags;
-       __u32                   loglevel;
-       __u32                   ttl;
-};
-
-/*
- * Wildcard MSS (kind of).
- * It is used to implement a state machine for the different wildcard values
- * of the MSS and window sizes.
- */
-struct xt_osf_wc {
-       __u32                   wc;
-       __u32                   val;
-};
-
-/*
- * This struct represents IANA options
- * http://www.iana.org/assignments/tcp-parameters
- */
-struct xt_osf_opt {
-       __u16                   kind, length;
-       struct xt_osf_wc        wc;
-};
-
-struct xt_osf_user_finger {
-       struct xt_osf_wc        wss;
-
-       __u8                    ttl, df;
-       __u16                   ss, mss;
-       __u16                   opt_num;
-
-       char                    genre[MAXGENRELEN];
-       char                    version[MAXGENRELEN];
-       char                    subtype[MAXGENRELEN];
-
-       /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
-       struct xt_osf_opt       opt[MAX_IPOPTLEN];
-};
-
-struct xt_osf_nlmsg {
-       struct xt_osf_user_finger       f;
-       struct iphdr            ip;
-       struct tcphdr           tcp;
-};
-
-/* Defines for IANA option kinds */
-
-enum iana_options {
-       OSFOPT_EOL = 0,         /* End of options */
-       OSFOPT_NOP,             /* NOP */
-       OSFOPT_MSS,             /* Maximum segment size */
-       OSFOPT_WSO,             /* Window scale option */
-       OSFOPT_SACKP,           /* SACK permitted */
-       OSFOPT_SACK,            /* SACK */
-       OSFOPT_ECHO,
-       OSFOPT_ECHOREPLY,
-       OSFOPT_TS,              /* Timestamp option */
-       OSFOPT_POCP,            /* Partial Order Connection Permitted */
-       OSFOPT_POSP,            /* Partial Order Service Profile */
-
-       /* Others are not used in the current OSF */
-       OSFOPT_EMPTY = 255,
-};
-
-/*
- * Initial window size option state machine: multiple of mss, mtu or
- * plain numeric value. Can also be made as plain numeric value which
- * is not a multiple of specified value.
- */
-enum xt_osf_window_size_options {
-       OSF_WSS_PLAIN   = 0,
-       OSF_WSS_MSS,
-       OSF_WSS_MTU,
-       OSF_WSS_MODULO,
-       OSF_WSS_MAX,
-};
-
-/*
- * Add/remove fingerprint from the kernel.
- */
-enum xt_osf_msg_types {
-       OSF_MSG_ADD,
-       OSF_MSG_REMOVE,
-       OSF_MSG_MAX,
-};
-
-enum xt_osf_attr_type {
-       OSF_ATTR_UNSPEC,
-       OSF_ATTR_FINGER,
-       OSF_ATTR_MAX,
-};
-
-#endif                         /* _XT_OSF_H */
diff --git a/include/linux/netfilter/xt_owner.h b/include/linux/netfilter/xt_owner.h
deleted file mode 100644 (file)
index 2081761..0000000
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _XT_OWNER_MATCH_H
-#define _XT_OWNER_MATCH_H
-
-#include <linux/types.h>
-
-enum {
-       XT_OWNER_UID    = 1 << 0,
-       XT_OWNER_GID    = 1 << 1,
-       XT_OWNER_SOCKET = 1 << 2,
-};
-
-struct xt_owner_match_info {
-       __u32 uid_min, uid_max;
-       __u32 gid_min, gid_max;
-       __u8 match, invert;
-};
-
-#endif /* _XT_OWNER_MATCH_H */
index 8555e39..5b5e417 100644 (file)
@@ -1,26 +1,7 @@
 #ifndef _XT_PHYSDEV_H
 #define _XT_PHYSDEV_H
 
-#include <linux/types.h>
-
-#ifdef __KERNEL__
 #include <linux/if.h>
-#endif
-
-#define XT_PHYSDEV_OP_IN               0x01
-#define XT_PHYSDEV_OP_OUT              0x02
-#define XT_PHYSDEV_OP_BRIDGED          0x04
-#define XT_PHYSDEV_OP_ISIN             0x08
-#define XT_PHYSDEV_OP_ISOUT            0x10
-#define XT_PHYSDEV_OP_MASK             (0x20 - 1)
-
-struct xt_physdev_info {
-       char physindev[IFNAMSIZ];
-       char in_mask[IFNAMSIZ];
-       char physoutdev[IFNAMSIZ];
-       char out_mask[IFNAMSIZ];
-       __u8 invert;
-       __u8 bitmask;
-};
+#include <uapi/linux/netfilter/xt_physdev.h>
 
 #endif /*_XT_PHYSDEV_H*/
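Review bot: The new header depends on include order: `<linux/if.h>` is pulled in before `<uapi/linux/netfilter/xt_physdev.h>` so that `IFNAMSIZ` is defined when the `char physindev[IFNAMSIZ]` arrays of `struct xt_physdev_info` (removed here and presumably now in the uapi file, which is not shown) are parsed. The old file only included `<linux/if.h>` under `#ifdef __KERNEL__`, so userspace consumers of the uapi header presumably have to supply `IFNAMSIZ` themselves; worth confirming the uapi header either includes `<linux/if.h>` or states that prerequisite. A short comment above the include would make the constraint explicit: `/* <linux/if.h> must precede the uapi header: it supplies IFNAMSIZ */`.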
diff --git a/include/linux/netfilter/xt_pkttype.h b/include/linux/netfilter/xt_pkttype.h
deleted file mode 100644 (file)
index f265cf5..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef _XT_PKTTYPE_H
-#define _XT_PKTTYPE_H
-
-struct xt_pkttype_info {
-       int     pkttype;
-       int     invert;
-};
-#endif /*_XT_PKTTYPE_H*/
diff --git a/include/linux/netfilter/xt_policy.h b/include/linux/netfilter/xt_policy.h
deleted file mode 100644 (file)
index be8ead0..0000000
+++ /dev/null
@@ -1,69 +0,0 @@
-#ifndef _XT_POLICY_H
-#define _XT_POLICY_H
-
-#include <linux/types.h>
-
-#define XT_POLICY_MAX_ELEM     4
-
-enum xt_policy_flags {
-       XT_POLICY_MATCH_IN      = 0x1,
-       XT_POLICY_MATCH_OUT     = 0x2,
-       XT_POLICY_MATCH_NONE    = 0x4,
-       XT_POLICY_MATCH_STRICT  = 0x8,
-};
-
-enum xt_policy_modes {
-       XT_POLICY_MODE_TRANSPORT,
-       XT_POLICY_MODE_TUNNEL
-};
-
-struct xt_policy_spec {
-       __u8    saddr:1,
-                       daddr:1,
-                       proto:1,
-                       mode:1,
-                       spi:1,
-                       reqid:1;
-};
-
-#ifndef __KERNEL__
-union xt_policy_addr {
-       struct in_addr  a4;
-       struct in6_addr a6;
-};
-#endif
-
-struct xt_policy_elem {
-       union {
-#ifdef __KERNEL__
-               struct {
-                       union nf_inet_addr saddr;
-                       union nf_inet_addr smask;
-                       union nf_inet_addr daddr;
-                       union nf_inet_addr dmask;
-               };
-#else
-               struct {
-                       union xt_policy_addr saddr;
-                       union xt_policy_addr smask;
-                       union xt_policy_addr daddr;
-                       union xt_policy_addr dmask;
-               };
-#endif
-       };
-       __be32                  spi;
-       __u32           reqid;
-       __u8            proto;
-       __u8            mode;
-
-       struct xt_policy_spec   match;
-       struct xt_policy_spec   invert;
-};
-
-struct xt_policy_info {
-       struct xt_policy_elem pol[XT_POLICY_MAX_ELEM];
-       __u16 flags;
-       __u16 len;
-};
-
-#endif /* _XT_POLICY_H */
diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h
deleted file mode 100644 (file)
index 9314723..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-#ifndef _XT_QUOTA_H
-#define _XT_QUOTA_H
-
-#include <linux/types.h>
-
-enum xt_quota_flags {
-       XT_QUOTA_INVERT         = 0x1,
-};
-#define XT_QUOTA_MASK          0x1
-
-struct xt_quota_priv;
-
-struct xt_quota_info {
-       __u32 flags;
-       __u32 pad;
-       __aligned_u64 quota;
-
-       /* Used internally by the kernel */
-       struct xt_quota_priv    *master;
-};
-
-#endif /* _XT_QUOTA_H */
diff --git a/include/linux/netfilter/xt_rateest.h b/include/linux/netfilter/xt_rateest.h
deleted file mode 100644 (file)
index d40a619..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-#ifndef _XT_RATEEST_MATCH_H
-#define _XT_RATEEST_MATCH_H
-
-#include <linux/types.h>
-
-enum xt_rateest_match_flags {
-       XT_RATEEST_MATCH_INVERT = 1<<0,
-       XT_RATEEST_MATCH_ABS    = 1<<1,
-       XT_RATEEST_MATCH_REL    = 1<<2,
-       XT_RATEEST_MATCH_DELTA  = 1<<3,
-       XT_RATEEST_MATCH_BPS    = 1<<4,
-       XT_RATEEST_MATCH_PPS    = 1<<5,
-};
-
-enum xt_rateest_match_mode {
-       XT_RATEEST_MATCH_NONE,
-       XT_RATEEST_MATCH_EQ,
-       XT_RATEEST_MATCH_LT,
-       XT_RATEEST_MATCH_GT,
-};
-
-struct xt_rateest_match_info {
-       char                    name1[IFNAMSIZ];
-       char                    name2[IFNAMSIZ];
-       __u16           flags;
-       __u16           mode;
-       __u32           bps1;
-       __u32           pps1;
-       __u32           bps2;
-       __u32           pps2;
-
-       /* Used internally by the kernel */
-       struct xt_rateest       *est1 __attribute__((aligned(8)));
-       struct xt_rateest       *est2 __attribute__((aligned(8)));
-};
-
-#endif /* _XT_RATEEST_MATCH_H */
diff --git a/include/linux/netfilter/xt_realm.h b/include/linux/netfilter/xt_realm.h
deleted file mode 100644 (file)
index d4a82ee..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef _XT_REALM_H
-#define _XT_REALM_H
-
-#include <linux/types.h>
-
-struct xt_realm_info {
-       __u32 id;
-       __u32 mask;
-       __u8 invert;
-};
-
-#endif /* _XT_REALM_H */
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
deleted file mode 100644 (file)
index 6ef36c1..0000000
+++ /dev/null
@@ -1,45 +0,0 @@
-#ifndef _LINUX_NETFILTER_XT_RECENT_H
-#define _LINUX_NETFILTER_XT_RECENT_H 1
-
-#include <linux/types.h>
-
-enum {
-       XT_RECENT_CHECK    = 1 << 0,
-       XT_RECENT_SET      = 1 << 1,
-       XT_RECENT_UPDATE   = 1 << 2,
-       XT_RECENT_REMOVE   = 1 << 3,
-       XT_RECENT_TTL      = 1 << 4,
-       XT_RECENT_REAP     = 1 << 5,
-
-       XT_RECENT_SOURCE   = 0,
-       XT_RECENT_DEST     = 1,
-
-       XT_RECENT_NAME_LEN = 200,
-};
-
-/* Only allowed with --rcheck and --update */
-#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
-
-#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
-                              XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
-
-struct xt_recent_mtinfo {
-       __u32 seconds;
-       __u32 hit_count;
-       __u8 check_set;
-       __u8 invert;
-       char name[XT_RECENT_NAME_LEN];
-       __u8 side;
-};
-
-struct xt_recent_mtinfo_v1 {
-       __u32 seconds;
-       __u32 hit_count;
-       __u8 check_set;
-       __u8 invert;
-       char name[XT_RECENT_NAME_LEN];
-       __u8 side;
-       union nf_inet_addr mask;
-};
-
-#endif /* _LINUX_NETFILTER_XT_RECENT_H */
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
deleted file mode 100644 (file)
index 29287be..0000000
+++ /dev/null
@@ -1,92 +0,0 @@
-#ifndef _XT_SCTP_H_
-#define _XT_SCTP_H_
-
-#include <linux/types.h>
-
-#define XT_SCTP_SRC_PORTS              0x01
-#define XT_SCTP_DEST_PORTS             0x02
-#define XT_SCTP_CHUNK_TYPES            0x04
-
-#define XT_SCTP_VALID_FLAGS            0x07
-
-struct xt_sctp_flag_info {
-       __u8 chunktype;
-       __u8 flag;
-       __u8 flag_mask;
-};
-
-#define XT_NUM_SCTP_FLAGS      4
-
-struct xt_sctp_info {
-       __u16 dpts[2];  /* Min, Max */
-       __u16 spts[2];  /* Min, Max */
-
-       __u32 chunkmap[256 / sizeof (__u32)];  /* Bit mask of chunks to be matched according to RFC 2960 */
-
-#define SCTP_CHUNK_MATCH_ANY   0x01  /* Match if any of the chunk types are present */
-#define SCTP_CHUNK_MATCH_ALL   0x02  /* Match if all of the chunk types are present */
-#define SCTP_CHUNK_MATCH_ONLY  0x04  /* Match if these are the only chunk types present */
-
-       __u32 chunk_match_type;
-       struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS];
-       int flag_count;
-
-       __u32 flags;
-       __u32 invflags;
-};
-
-#define bytes(type) (sizeof(type) * 8)
-
-#define SCTP_CHUNKMAP_SET(chunkmap, type)              \
-       do {                                            \
-               (chunkmap)[type / bytes(__u32)] |=      \
-                       1 << (type % bytes(__u32));     \
-       } while (0)
-
-#define SCTP_CHUNKMAP_CLEAR(chunkmap, type)                    \
-       do {                                                    \
-               (chunkmap)[type / bytes(__u32)] &=              \
-                       ~(1 << (type % bytes(__u32)));  \
-       } while (0)
-
-#define SCTP_CHUNKMAP_IS_SET(chunkmap, type)                   \
-({                                                             \
-       ((chunkmap)[type / bytes (__u32)] &             \
-               (1 << (type % bytes (__u32)))) ? 1: 0;  \
-})
-
-#define SCTP_CHUNKMAP_RESET(chunkmap) \
-       memset((chunkmap), 0, sizeof(chunkmap))
-
-#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
-       memset((chunkmap), ~0U, sizeof(chunkmap))
-
-#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
-       memcpy((destmap), (srcmap), sizeof(srcmap))
-
-#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
-       __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap))
-static inline bool
-__sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n)
-{
-       unsigned int i;
-       for (i = 0; i < n; ++i)
-               if (chunkmap[i])
-                       return false;
-       return true;
-}
-
-#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
-       __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
-static inline bool
-__sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n)
-{
-       unsigned int i;
-       for (i = 0; i < n; ++i)
-               if (chunkmap[i] != ~0U)
-                       return false;
-       return true;
-}
-
-#endif /* _XT_SCTP_H_ */
-
diff --git a/include/linux/netfilter/xt_set.h b/include/linux/netfilter/xt_set.h
deleted file mode 100644 (file)
index e3a9978..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-#ifndef _XT_SET_H
-#define _XT_SET_H
-
-#include <linux/types.h>
-#include <linux/netfilter/ipset/ip_set.h>
-
-/* Revision 0 interface: backward compatible with netfilter/iptables */
-
-/*
- * Option flags for kernel operations (xt_set_info_v0)
- */
-#define IPSET_SRC              0x01    /* Source match/add */
-#define IPSET_DST              0x02    /* Destination match/add */
-#define IPSET_MATCH_INV                0x04    /* Inverse matching */
-
-struct xt_set_info_v0 {
-       ip_set_id_t index;
-       union {
-               __u32 flags[IPSET_DIM_MAX + 1];
-               struct {
-                       __u32 __flags[IPSET_DIM_MAX];
-                       __u8 dim;
-                       __u8 flags;
-               } compat;
-       } u;
-};
-
-/* match and target infos */
-struct xt_set_info_match_v0 {
-       struct xt_set_info_v0 match_set;
-};
-
-struct xt_set_info_target_v0 {
-       struct xt_set_info_v0 add_set;
-       struct xt_set_info_v0 del_set;
-};
-
-/* Revision 1  match and target */
-
-struct xt_set_info {
-       ip_set_id_t index;
-       __u8 dim;
-       __u8 flags;
-};
-
-/* match and target infos */
-struct xt_set_info_match_v1 {
-       struct xt_set_info match_set;
-};
-
-struct xt_set_info_target_v1 {
-       struct xt_set_info add_set;
-       struct xt_set_info del_set;
-};
-
-/* Revision 2 target */
-
-struct xt_set_info_target_v2 {
-       struct xt_set_info add_set;
-       struct xt_set_info del_set;
-       __u32 flags;
-       __u32 timeout;
-};
-
-#endif /*_XT_SET_H*/
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
deleted file mode 100644 (file)
index 26d7217..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef _XT_SOCKET_H
-#define _XT_SOCKET_H
-
-#include <linux/types.h>
-
-enum {
-       XT_SOCKET_TRANSPARENT = 1 << 0,
-};
-
-struct xt_socket_mtinfo1 {
-       __u8 flags;
-};
-
-#endif /* _XT_SOCKET_H */
diff --git a/include/linux/netfilter/xt_state.h b/include/linux/netfilter/xt_state.h
deleted file mode 100644 (file)
index 7b32de8..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef _XT_STATE_H
-#define _XT_STATE_H
-
-#define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
-#define XT_STATE_INVALID (1 << 0)
-
-#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
-
-struct xt_state_info {
-       unsigned int statemask;
-};
-#endif /*_XT_STATE_H*/
diff --git a/include/linux/netfilter/xt_statistic.h b/include/linux/netfilter/xt_statistic.h
deleted file mode 100644 (file)
index 4e983ef..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef _XT_STATISTIC_H
-#define _XT_STATISTIC_H
-
-#include <linux/types.h>
-
-enum xt_statistic_mode {
-       XT_STATISTIC_MODE_RANDOM,
-       XT_STATISTIC_MODE_NTH,
-       __XT_STATISTIC_MODE_MAX
-};
-#define XT_STATISTIC_MODE_MAX (__XT_STATISTIC_MODE_MAX - 1)
-
-enum xt_statistic_flags {
-       XT_STATISTIC_INVERT             = 0x1,
-};
-#define XT_STATISTIC_MASK              0x1
-
-struct xt_statistic_priv;
-
-struct xt_statistic_info {
-       __u16                   mode;
-       __u16                   flags;
-       union {
-               struct {
-                       __u32   probability;
-               } random;
-               struct {
-                       __u32   every;
-                       __u32   packet;
-                       __u32   count; /* unused */
-               } nth;
-       } u;
-       struct xt_statistic_priv *master __attribute__((aligned(8)));
-};
-
-#endif /* _XT_STATISTIC_H */
diff --git a/include/linux/netfilter/xt_string.h b/include/linux/netfilter/xt_string.h
deleted file mode 100644 (file)
index 235347c..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-#ifndef _XT_STRING_H
-#define _XT_STRING_H
-
-#include <linux/types.h>
-
-#define XT_STRING_MAX_PATTERN_SIZE 128
-#define XT_STRING_MAX_ALGO_NAME_SIZE 16
-
-enum {
-       XT_STRING_FLAG_INVERT           = 0x01,
-       XT_STRING_FLAG_IGNORECASE       = 0x02
-};
-
-struct xt_string_info {
-       __u16 from_offset;
-       __u16 to_offset;
-       char      algo[XT_STRING_MAX_ALGO_NAME_SIZE];
-       char      pattern[XT_STRING_MAX_PATTERN_SIZE];
-       __u8  patlen;
-       union {
-               struct {
-                       __u8  invert;
-               } v0;
-
-               struct {
-                       __u8  flags;
-               } v1;
-       } u;
-
-       /* Used internally by the kernel */
-       struct ts_config __attribute__((aligned(8))) *config;
-};
-
-#endif /*_XT_STRING_H*/
diff --git a/include/linux/netfilter/xt_tcpmss.h b/include/linux/netfilter/xt_tcpmss.h
deleted file mode 100644 (file)
index fbac56b..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _XT_TCPMSS_MATCH_H
-#define _XT_TCPMSS_MATCH_H
-
-#include <linux/types.h>
-
-struct xt_tcpmss_match_info {
-    __u16 mss_min, mss_max;
-    __u8 invert;
-};
-
-#endif /*_XT_TCPMSS_MATCH_H*/
diff --git a/include/linux/netfilter/xt_tcpudp.h b/include/linux/netfilter/xt_tcpudp.h
deleted file mode 100644 (file)
index 38aa7b3..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef _XT_TCPUDP_H
-#define _XT_TCPUDP_H
-
-#include <linux/types.h>
-
-/* TCP matching stuff */
-struct xt_tcp {
-       __u16 spts[2];                  /* Source port range. */
-       __u16 dpts[2];                  /* Destination port range. */
-       __u8 option;                    /* TCP Option iff non-zero*/
-       __u8 flg_mask;                  /* TCP flags mask byte */
-       __u8 flg_cmp;                   /* TCP flags compare byte */
-       __u8 invflags;                  /* Inverse flags */
-};
-
-/* Values for "inv" field in struct ipt_tcp. */
-#define XT_TCP_INV_SRCPT       0x01    /* Invert the sense of source ports. */
-#define XT_TCP_INV_DSTPT       0x02    /* Invert the sense of dest ports. */
-#define XT_TCP_INV_FLAGS       0x04    /* Invert the sense of TCP flags. */
-#define XT_TCP_INV_OPTION      0x08    /* Invert the sense of option test. */
-#define XT_TCP_INV_MASK                0x0F    /* All possible flags. */
-
-/* UDP matching stuff */
-struct xt_udp {
-       __u16 spts[2];                  /* Source port range. */
-       __u16 dpts[2];                  /* Destination port range. */
-       __u8 invflags;                  /* Inverse flags */
-};
-
-/* Values for "invflags" field in struct ipt_udp. */
-#define XT_UDP_INV_SRCPT       0x01    /* Invert the sense of source ports. */
-#define XT_UDP_INV_DSTPT       0x02    /* Invert the sense of dest ports. */
-#define XT_UDP_INV_MASK        0x03    /* All possible flags. */
-
-
-#endif
diff --git a/include/linux/netfilter/xt_time.h b/include/linux/netfilter/xt_time.h
deleted file mode 100644 (file)
index 0958860..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef _XT_TIME_H
-#define _XT_TIME_H 1
-
-#include <linux/types.h>
-
-struct xt_time_info {
-       __u32 date_start;
-       __u32 date_stop;
-       __u32 daytime_start;
-       __u32 daytime_stop;
-       __u32 monthdays_match;
-       __u8 weekdays_match;
-       __u8 flags;
-};
-
-enum {
-       /* Match against local time (instead of UTC) */
-       XT_TIME_LOCAL_TZ = 1 << 0,
-
-       /* treat timestart > timestop (e.g. 23:00-01:00) as single period */
-       XT_TIME_CONTIGUOUS = 1 << 1,
-
-       /* Shortcuts */
-       XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,
-       XT_TIME_ALL_WEEKDAYS  = 0xFE,
-       XT_TIME_MIN_DAYTIME   = 0,
-       XT_TIME_MAX_DAYTIME   = 24 * 60 * 60 - 1,
-};
-
-#define XT_TIME_ALL_FLAGS (XT_TIME_LOCAL_TZ|XT_TIME_CONTIGUOUS)
-
-#endif /* _XT_TIME_H */
diff --git a/include/linux/netfilter/xt_u32.h b/include/linux/netfilter/xt_u32.h
deleted file mode 100644 (file)
index 04d1bfe..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-#ifndef _XT_U32_H
-#define _XT_U32_H 1
-
-#include <linux/types.h>
-
-enum xt_u32_ops {
-       XT_U32_AND,
-       XT_U32_LEFTSH,
-       XT_U32_RIGHTSH,
-       XT_U32_AT,
-};
-
-struct xt_u32_location_element {
-       __u32 number;
-       __u8 nextop;
-};
-
-struct xt_u32_value_element {
-       __u32 min;
-       __u32 max;
-};
-
-/*
- * Any way to allow for an arbitrary number of elements?
- * For now, I settle with a limit of 10 each.
- */
-#define XT_U32_MAXSIZE 10
-
-struct xt_u32_test {
-       struct xt_u32_location_element location[XT_U32_MAXSIZE+1];
-       struct xt_u32_value_element value[XT_U32_MAXSIZE+1];
-       __u8 nnums;
-       __u8 nvalues;
-};
-
-struct xt_u32 {
-       struct xt_u32_test tests[XT_U32_MAXSIZE+1];
-       __u8 ntests;
-       __u8 invert;
-};
-
-#endif /* _XT_U32_H */
index 4afbace..08f555f 100644 (file)
@@ -1,2 +1,78 @@
 # UAPI Header export list
 header-y += ipset/
+header-y += nf_conntrack_common.h
+header-y += nf_conntrack_ftp.h
+header-y += nf_conntrack_sctp.h
+header-y += nf_conntrack_tcp.h
+header-y += nf_conntrack_tuple_common.h
+header-y += nf_nat.h
+header-y += nfnetlink.h
+header-y += nfnetlink_acct.h
+header-y += nfnetlink_compat.h
+header-y += nfnetlink_conntrack.h
+header-y += nfnetlink_cthelper.h
+header-y += nfnetlink_cttimeout.h
+header-y += nfnetlink_log.h
+header-y += nfnetlink_queue.h
+header-y += x_tables.h
+header-y += xt_AUDIT.h
+header-y += xt_CHECKSUM.h
+header-y += xt_CLASSIFY.h
+header-y += xt_CONNMARK.h
+header-y += xt_CONNSECMARK.h
+header-y += xt_CT.h
+header-y += xt_DSCP.h
+header-y += xt_IDLETIMER.h
+header-y += xt_LED.h
+header-y += xt_LOG.h
+header-y += xt_MARK.h
+header-y += xt_NFLOG.h
+header-y += xt_NFQUEUE.h
+header-y += xt_RATEEST.h
+header-y += xt_SECMARK.h
+header-y += xt_TCPMSS.h
+header-y += xt_TCPOPTSTRIP.h
+header-y += xt_TEE.h
+header-y += xt_TPROXY.h
+header-y += xt_addrtype.h
+header-y += xt_cluster.h
+header-y += xt_comment.h
+header-y += xt_connbytes.h
+header-y += xt_connlimit.h
+header-y += xt_connmark.h
+header-y += xt_conntrack.h
+header-y += xt_cpu.h
+header-y += xt_dccp.h
+header-y += xt_devgroup.h
+header-y += xt_dscp.h
+header-y += xt_ecn.h
+header-y += xt_esp.h
+header-y += xt_hashlimit.h
+header-y += xt_helper.h
+header-y += xt_iprange.h
+header-y += xt_ipvs.h
+header-y += xt_length.h
+header-y += xt_limit.h
+header-y += xt_mac.h
+header-y += xt_mark.h
+header-y += xt_multiport.h
+header-y += xt_nfacct.h
+header-y += xt_osf.h
+header-y += xt_owner.h
+header-y += xt_physdev.h
+header-y += xt_pkttype.h
+header-y += xt_policy.h
+header-y += xt_quota.h
+header-y += xt_rateest.h
+header-y += xt_realm.h
+header-y += xt_recent.h
+header-y += xt_sctp.h
+header-y += xt_set.h
+header-y += xt_socket.h
+header-y += xt_state.h
+header-y += xt_statistic.h
+header-y += xt_string.h
+header-y += xt_tcpmss.h
+header-y += xt_tcpudp.h
+header-y += xt_time.h
+header-y += xt_u32.h
diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
new file mode 100644 (file)
index 0000000..1644cdd
--- /dev/null
@@ -0,0 +1,117 @@
+#ifndef _UAPI_NF_CONNTRACK_COMMON_H
+#define _UAPI_NF_CONNTRACK_COMMON_H
+/* Connection state tracking for netfilter.  This is separated from,
+   but required by, the NAT layer; it can also be used by an iptables
+   extension. */
+enum ip_conntrack_info {
+       /* Part of an established connection (either direction). */
+       IP_CT_ESTABLISHED,
+
+       /* Like NEW, but related to an existing connection, or ICMP error
+          (in either direction). */
+       IP_CT_RELATED,
+
+       /* Started a new connection to track (only
+           IP_CT_DIR_ORIGINAL); may be a retransmission. */
+       IP_CT_NEW,
+
+       /* >= this indicates reply direction */
+       IP_CT_IS_REPLY,
+
+       IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
+       IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
+       IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,   
+       /* Number of distinct IP_CT types (no NEW in reply dirn). */
+       IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+
+/* Bitset representing status of connection. */
+enum ip_conntrack_status {
+       /* It's an expected connection: bit 0 set.  This bit never changed */
+       IPS_EXPECTED_BIT = 0,
+       IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+
+       /* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
+       IPS_SEEN_REPLY_BIT = 1,
+       IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+
+       /* Conntrack should never be early-expired. */
+       IPS_ASSURED_BIT = 2,
+       IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+
+       /* Connection is confirmed: originating packet has left box */
+       IPS_CONFIRMED_BIT = 3,
+       IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+
+       /* Connection needs src nat in orig dir.  This bit never changed. */
+       IPS_SRC_NAT_BIT = 4,
+       IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+
+       /* Connection needs dst nat in orig dir.  This bit never changed. */
+       IPS_DST_NAT_BIT = 5,
+       IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+
+       /* Both together. */
+       IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+
+       /* Connection needs TCP sequence adjusted. */
+       IPS_SEQ_ADJUST_BIT = 6,
+       IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+
+       /* NAT initialization bits. */
+       IPS_SRC_NAT_DONE_BIT = 7,
+       IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+
+       IPS_DST_NAT_DONE_BIT = 8,
+       IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+
+       /* Both together */
+       IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+
+       /* Connection is dying (removed from lists), can not be unset. */
+       IPS_DYING_BIT = 9,
+       IPS_DYING = (1 << IPS_DYING_BIT),
+
+       /* Connection has fixed timeout. */
+       IPS_FIXED_TIMEOUT_BIT = 10,
+       IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+
+       /* Conntrack is a template */
+       IPS_TEMPLATE_BIT = 11,
+       IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
+
+       /* Conntrack is a fake untracked entry */
+       IPS_UNTRACKED_BIT = 12,
+       IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
+
+       /* Conntrack got a helper explicitly attached via CT target. */
+       IPS_HELPER_BIT = 13,
+       IPS_HELPER = (1 << IPS_HELPER_BIT),
+};
+
+/* Connection tracking event types */
+enum ip_conntrack_events {
+       IPCT_NEW,               /* new conntrack */
+       IPCT_RELATED,           /* related conntrack */
+       IPCT_DESTROY,           /* destroyed conntrack */
+       IPCT_REPLY,             /* connection has seen two-way traffic */
+       IPCT_ASSURED,           /* connection status has changed to assured */
+       IPCT_PROTOINFO,         /* protocol information has changed */
+       IPCT_HELPER,            /* new helper has been set */
+       IPCT_MARK,              /* new mark has been set */
+       IPCT_NATSEQADJ,         /* NAT is doing sequence adjustment */
+       IPCT_SECMARK,           /* new security mark has been set */
+};
+
+enum ip_conntrack_expect_events {
+       IPEXP_NEW,              /* new expectation */
+       IPEXP_DESTROY,          /* destroyed expectation */
+};
+
+/* expectation flags */
+#define NF_CT_EXPECT_PERMANENT         0x1
+#define NF_CT_EXPECT_INACTIVE          0x2
+#define NF_CT_EXPECT_USERSPACE         0x4
+
+
+#endif /* _UAPI_NF_CONNTRACK_COMMON_H */
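Review bot: The `IP_CT_NEW_REPLY` enumerator line carries trailing whitespace after the comma, which checkpatch will flag on an exported header; trim it to `IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,`. The derived values `IP_CT_*_REPLY` and `IP_CT_NUMBER` are part of the userspace ABI now that the file lives under uapi, so a short comment above `IP_CT_NUMBER` such as `/* ABI: value depends on the order of the enumerators above; do not reorder */` would make the constraint explicit.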
diff --git a/include/uapi/linux/netfilter/nf_conntrack_ftp.h b/include/uapi/linux/netfilter/nf_conntrack_ftp.h
new file mode 100644 (file)
index 0000000..1030315
--- /dev/null
@@ -0,0 +1,18 @@
+#ifndef _UAPI_NF_CONNTRACK_FTP_H
+#define _UAPI_NF_CONNTRACK_FTP_H
+/* FTP tracking. */
+
+/* This enum is exposed to userspace */
+enum nf_ct_ftp_type {
+       /* PORT command from client */
+       NF_CT_FTP_PORT,
+       /* PASV response from server */
+       NF_CT_FTP_PASV,
+       /* EPRT command from client */
+       NF_CT_FTP_EPRT,
+       /* EPSV response from server */
+       NF_CT_FTP_EPSV,
+};
+
+
+#endif /* _UAPI_NF_CONNTRACK_FTP_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_sctp.h b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
new file mode 100644 (file)
index 0000000..ceeefe6
--- /dev/null
@@ -0,0 +1,25 @@
+#ifndef _NF_CONNTRACK_SCTP_H
+#define _NF_CONNTRACK_SCTP_H
+/* SCTP tracking. */
+
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+enum sctp_conntrack {
+       SCTP_CONNTRACK_NONE,
+       SCTP_CONNTRACK_CLOSED,
+       SCTP_CONNTRACK_COOKIE_WAIT,
+       SCTP_CONNTRACK_COOKIE_ECHOED,
+       SCTP_CONNTRACK_ESTABLISHED,
+       SCTP_CONNTRACK_SHUTDOWN_SENT,
+       SCTP_CONNTRACK_SHUTDOWN_RECD,
+       SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
+       SCTP_CONNTRACK_MAX
+};
+
+struct ip_ct_sctp {
+       enum sctp_conntrack state;
+
+       __be32 vtag[IP_CT_DIR_MAX];
+};
+
+#endif /* _NF_CONNTRACK_SCTP_H */
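Review bot: `struct ip_ct_sctp` uses `__be32`, but the only include is `<linux/netfilter/nf_conntrack_tuple_common.h>`, which (as added in this same commit) itself contains no `#include <linux/types.h>`; a userspace build that includes this header first would presumably fail on the unknown type. Adding `#include <linux/types.h>` before the tuple_common include keeps the exported header self-contained. The same missing include applies to `__be16` in `nf_conntrack_tuple_common.h` further down in this commit.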
diff --git a/include/uapi/linux/netfilter/nf_conntrack_tcp.h b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
new file mode 100644 (file)
index 0000000..9993a42
--- /dev/null
@@ -0,0 +1,51 @@
+#ifndef _UAPI_NF_CONNTRACK_TCP_H
+#define _UAPI_NF_CONNTRACK_TCP_H
+/* TCP tracking. */
+
+#include <linux/types.h>
+
+/* This is exposed to userspace (ctnetlink) */
+enum tcp_conntrack {
+       TCP_CONNTRACK_NONE,
+       TCP_CONNTRACK_SYN_SENT,
+       TCP_CONNTRACK_SYN_RECV,
+       TCP_CONNTRACK_ESTABLISHED,
+       TCP_CONNTRACK_FIN_WAIT,
+       TCP_CONNTRACK_CLOSE_WAIT,
+       TCP_CONNTRACK_LAST_ACK,
+       TCP_CONNTRACK_TIME_WAIT,
+       TCP_CONNTRACK_CLOSE,
+       TCP_CONNTRACK_LISTEN,   /* obsolete */
+#define TCP_CONNTRACK_SYN_SENT2        TCP_CONNTRACK_LISTEN
+       TCP_CONNTRACK_MAX,
+       TCP_CONNTRACK_IGNORE,
+       TCP_CONNTRACK_RETRANS,
+       TCP_CONNTRACK_UNACK,
+       TCP_CONNTRACK_TIMEOUT_MAX
+};
+
+/* Window scaling is advertised by the sender */
+#define IP_CT_TCP_FLAG_WINDOW_SCALE            0x01
+
+/* SACK is permitted by the sender */
+#define IP_CT_TCP_FLAG_SACK_PERM               0x02
+
+/* This sender sent FIN first */
+#define IP_CT_TCP_FLAG_CLOSE_INIT              0x04
+
+/* Be liberal in window checking */
+#define IP_CT_TCP_FLAG_BE_LIBERAL              0x08
+
+/* Has unacknowledged data */
+#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED     0x10
+
+/* The field td_maxack has been set */
+#define IP_CT_TCP_FLAG_MAXACK_SET              0x20
+
+struct nf_ct_tcp_flags {
+       __u8 flags;
+       __u8 mask;
+};
+
+
+#endif /* _UAPI_NF_CONNTRACK_TCP_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
new file mode 100644 (file)
index 0000000..2f6bbc5
--- /dev/null
@@ -0,0 +1,39 @@
+#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
+#define _NF_CONNTRACK_TUPLE_COMMON_H
+
+enum ip_conntrack_dir {
+       IP_CT_DIR_ORIGINAL,
+       IP_CT_DIR_REPLY,
+       IP_CT_DIR_MAX
+};
+
+/* The protocol-specific manipulable parts of the tuple: always in
+ * network order
+ */
+union nf_conntrack_man_proto {
+       /* Add other protocols here. */
+       __be16 all;
+
+       struct {
+               __be16 port;
+       } tcp;
+       struct {
+               __be16 port;
+       } udp;
+       struct {
+               __be16 id;
+       } icmp;
+       struct {
+               __be16 port;
+       } dccp;
+       struct {
+               __be16 port;
+       } sctp;
+       struct {
+               __be16 key;     /* GRE key is 32bit, PPtP only uses 16bit */
+       } gre;
+};
+
+#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
+
+#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
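Review bot: `CTINFO2DIR` expands to a comparison against `IP_CT_IS_REPLY`, which is declared in `nf_conntrack_common.h`, yet this header includes nothing, so the macro is only usable by a caller that has already pulled that header in by other means. Either add `#include <linux/netfilter/nf_conntrack_common.h>` next to the (also missing) `<linux/types.h>` include, or document the dependency with a comment above the macro: `/* Requires enum ip_conntrack_info from nf_conntrack_common.h */`. The `__be16` members of `union nf_conntrack_man_proto` likewise need `<linux/types.h>`.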
diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h
new file mode 100644 (file)
index 0000000..bf0cc37
--- /dev/null
@@ -0,0 +1,33 @@
+#ifndef _NETFILTER_NF_NAT_H
+#define _NETFILTER_NF_NAT_H
+
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+#define NF_NAT_RANGE_MAP_IPS           1
+#define NF_NAT_RANGE_PROTO_SPECIFIED   2
+#define NF_NAT_RANGE_PROTO_RANDOM      4
+#define NF_NAT_RANGE_PERSISTENT                8
+
+struct nf_nat_ipv4_range {
+       unsigned int                    flags;
+       __be32                          min_ip;
+       __be32                          max_ip;
+       union nf_conntrack_man_proto    min;
+       union nf_conntrack_man_proto    max;
+};
+
+struct nf_nat_ipv4_multi_range_compat {
+       unsigned int                    rangesize;
+       struct nf_nat_ipv4_range        range[1];
+};
+
+struct nf_nat_range {
+       unsigned int                    flags;
+       union nf_inet_addr              min_addr;
+       union nf_inet_addr              max_addr;
+       union nf_conntrack_man_proto    min_proto;
+       union nf_conntrack_man_proto    max_proto;
+};
+
+#endif /* _NETFILTER_NF_NAT_H */
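Review bot: `struct nf_nat_ipv4_multi_range_compat` pairs a `rangesize` count with a one-element `range[1]` array, and nothing in the header says how the two relate; for a structure that crosses the user/kernel boundary that contract should be written down. Suggest a comment above the struct along the lines of `/* Legacy one-element trailing array; rangesize is the number of entries the caller claims follow and must be bounds-checked by the consumer against the supplied blob length before range[] is indexed */`. I cannot tell from this hunk what value of rangesize the kernel actually accepts, so the comment should state the validation requirement rather than a specific limit.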
diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h
new file mode 100644 (file)
index 0000000..4a4efaf
--- /dev/null
@@ -0,0 +1,56 @@
+#ifndef _UAPI_NFNETLINK_H
+#define _UAPI_NFNETLINK_H
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink_compat.h>
+
+enum nfnetlink_groups {
+       NFNLGRP_NONE,
+#define NFNLGRP_NONE                   NFNLGRP_NONE
+       NFNLGRP_CONNTRACK_NEW,
+#define NFNLGRP_CONNTRACK_NEW          NFNLGRP_CONNTRACK_NEW
+       NFNLGRP_CONNTRACK_UPDATE,
+#define NFNLGRP_CONNTRACK_UPDATE       NFNLGRP_CONNTRACK_UPDATE
+       NFNLGRP_CONNTRACK_DESTROY,
+#define NFNLGRP_CONNTRACK_DESTROY      NFNLGRP_CONNTRACK_DESTROY
+       NFNLGRP_CONNTRACK_EXP_NEW,
+#define        NFNLGRP_CONNTRACK_EXP_NEW       NFNLGRP_CONNTRACK_EXP_NEW
+       NFNLGRP_CONNTRACK_EXP_UPDATE,
+#define NFNLGRP_CONNTRACK_EXP_UPDATE   NFNLGRP_CONNTRACK_EXP_UPDATE
+       NFNLGRP_CONNTRACK_EXP_DESTROY,
+#define NFNLGRP_CONNTRACK_EXP_DESTROY  NFNLGRP_CONNTRACK_EXP_DESTROY
+       __NFNLGRP_MAX,
+};
+#define NFNLGRP_MAX    (__NFNLGRP_MAX - 1)
+
+/* General form of address family dependent message.
+ */
+struct nfgenmsg {
+       __u8  nfgen_family;             /* AF_xxx */
+       __u8  version;          /* nfnetlink version */
+       __be16    res_id;               /* resource id */
+};
+
+#define NFNETLINK_V0   0
+
+/* netfilter netlink message types are split in two pieces:
+ * 8 bit subsystem, 8bit operation.
+ */
+
+#define NFNL_SUBSYS_ID(x)      ((x & 0xff00) >> 8)
+#define NFNL_MSG_TYPE(x)       (x & 0x00ff)
+
+/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
+ * won't work anymore */
+#define NFNL_SUBSYS_NONE               0
+#define NFNL_SUBSYS_CTNETLINK          1
+#define NFNL_SUBSYS_CTNETLINK_EXP      2
+#define NFNL_SUBSYS_QUEUE              3
+#define NFNL_SUBSYS_ULOG               4
+#define NFNL_SUBSYS_OSF                        5
+#define NFNL_SUBSYS_IPSET              6
+#define NFNL_SUBSYS_ACCT               7
+#define NFNL_SUBSYS_CTNETLINK_TIMEOUT  8
+#define NFNL_SUBSYS_CTHELPER           9
+#define NFNL_SUBSYS_COUNT              10
+
+#endif /* _UAPI_NFNETLINK_H */
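Review bot: `NFNL_SUBSYS_ID(x)` and `NFNL_MSG_TYPE(x)` do not parenthesize their argument, so an expression argument such as `a | b` binds to `&` incorrectly; change them to `#define NFNL_SUBSYS_ID(x) (((x) & 0xff00) >> 8)` and `#define NFNL_MSG_TYPE(x) ((x) & 0x00ff)`. The `#define NFNLGRP_CONNTRACK_EXP_NEW` line uses a tab instead of a space after `#define`, unlike its neighbours. Both are pre-existing in the moved text, but this is the version userspace will now build against, so it is a reasonable moment to fix them.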
diff --git a/include/uapi/linux/netfilter/nfnetlink_acct.h b/include/uapi/linux/netfilter/nfnetlink_acct.h
new file mode 100644 (file)
index 0000000..c7b6269
--- /dev/null
@@ -0,0 +1,27 @@
+#ifndef _UAPI_NFNL_ACCT_H_
+#define _UAPI_NFNL_ACCT_H_
+
+#ifndef NFACCT_NAME_MAX
+#define NFACCT_NAME_MAX                32
+#endif
+
+enum nfnl_acct_msg_types {
+       NFNL_MSG_ACCT_NEW,
+       NFNL_MSG_ACCT_GET,
+       NFNL_MSG_ACCT_GET_CTRZERO,
+       NFNL_MSG_ACCT_DEL,
+       NFNL_MSG_ACCT_MAX
+};
+
+enum nfnl_acct_type {
+       NFACCT_UNSPEC,
+       NFACCT_NAME,
+       NFACCT_PKTS,
+       NFACCT_BYTES,
+       NFACCT_USE,
+       __NFACCT_MAX
+};
+#define NFACCT_MAX (__NFACCT_MAX - 1)
+
+
+#endif /* _UAPI_NFNL_ACCT_H_ */
diff --git a/include/uapi/linux/netfilter/nfnetlink_compat.h b/include/uapi/linux/netfilter/nfnetlink_compat.h
new file mode 100644 (file)
index 0000000..ffb9503
--- /dev/null
@@ -0,0 +1,63 @@
+#ifndef _NFNETLINK_COMPAT_H
+#define _NFNETLINK_COMPAT_H
+
+#include <linux/types.h>
+
+#ifndef __KERNEL__
+/* Old nfnetlink macros for userspace */
+
+/* nfnetlink groups: Up to 32 maximum */
+#define NF_NETLINK_CONNTRACK_NEW               0x00000001
+#define NF_NETLINK_CONNTRACK_UPDATE            0x00000002
+#define NF_NETLINK_CONNTRACK_DESTROY           0x00000004
+#define NF_NETLINK_CONNTRACK_EXP_NEW           0x00000008
+#define NF_NETLINK_CONNTRACK_EXP_UPDATE                0x00000010
+#define NF_NETLINK_CONNTRACK_EXP_DESTROY       0x00000020
+
+/* Generic structure for encapsulation optional netfilter information.
+ * It is reminiscent of sockaddr, but with sa_family replaced
+ * with attribute type.
+ * ! This should someday be put somewhere generic as now rtnetlink and
+ * ! nfnetlink use the same attributes methods. - J. Schulist.
+ */
+
+struct nfattr {
+       __u16 nfa_len;
+       __u16 nfa_type; /* we use 15 bits for the type, and the highest
+                                * bit to indicate whether the payload is nested */
+};
+
+/* FIXME: Apart from NFNL_NFA_NESTED shamelessly copy and pasted from
+ * rtnetlink.h, it's time to put this in a generic file */
+
+#define NFNL_NFA_NEST  0x8000
+#define NFA_TYPE(attr)         ((attr)->nfa_type & 0x7fff)
+
+#define NFA_ALIGNTO     4
+#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
+#define NFA_OK(nfa,len)        ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
+       && (nfa)->nfa_len <= (len))
+#define NFA_NEXT(nfa,attrlen)  ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
+       (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
+#define NFA_LENGTH(len)        (NFA_ALIGN(sizeof(struct nfattr)) + (len))
+#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
+#define NFA_DATA(nfa)   ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
+#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
+#define NFA_NEST(skb, type) \
+({     struct nfattr *__start = (struct nfattr *)skb_tail_pointer(skb); \
+       NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \
+       __start;  })
+#define NFA_NEST_END(skb, start) \
+({      (start)->nfa_len = skb_tail_pointer(skb) - (unsigned char *)(start); \
+        (skb)->len; })
+#define NFA_NEST_CANCEL(skb, start) \
+({      if (start) \
+                skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
+        -1; })
+
+#define NFM_NFA(n)      ((struct nfattr *)(((char *)(n)) \
+        + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
+#define NFM_PAYLOAD(n)  NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
+
+#endif /* ! __KERNEL__ */
+#endif /* _NFNETLINK_COMPAT_H */
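Review bot: `NFA_NEST`, `NFA_NEST_END` and `NFA_NEST_CANCEL` sit inside the `#ifndef __KERNEL__` block yet expand to `skb_tail_pointer`, `skb_trim` and `NFA_PUT`, none of which exist in userspace, so these macros cannot be used by the only consumer that can see them; a comment stating they are unusable from userspace, or removing them from the exported copy, would avoid confusion. `NFA_OK` is the sole bounds check in this attribute-walking set, and `NFA_NEXT`, `NFA_DATA` and `NFA_PAYLOAD` all trust `nfa_len`, so a comment such as `/* Callers must only apply NFA_NEXT/NFA_DATA/NFA_PAYLOAD to an attribute for which NFA_OK() returned true */` above `NFA_OK` would document the invariant. Note also that the `(int)` cast in `NFA_PAYLOAD` does not yield a signed result, because `NFA_LENGTH(0)` is a `size_t` from `sizeof`, so a `< 0` test on it never fires.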
diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
new file mode 100644 (file)
index 0000000..43bfe3e
--- /dev/null
@@ -0,0 +1,248 @@
+#ifndef _IPCONNTRACK_NETLINK_H
+#define _IPCONNTRACK_NETLINK_H
+#include <linux/netfilter/nfnetlink.h>
+
+enum cntl_msg_types {
+       IPCTNL_MSG_CT_NEW,
+       IPCTNL_MSG_CT_GET,
+       IPCTNL_MSG_CT_DELETE,
+       IPCTNL_MSG_CT_GET_CTRZERO,
+       IPCTNL_MSG_CT_GET_STATS_CPU,
+       IPCTNL_MSG_CT_GET_STATS,
+
+       IPCTNL_MSG_MAX
+};
+
+enum ctnl_exp_msg_types {
+       IPCTNL_MSG_EXP_NEW,
+       IPCTNL_MSG_EXP_GET,
+       IPCTNL_MSG_EXP_DELETE,
+       IPCTNL_MSG_EXP_GET_STATS_CPU,
+
+       IPCTNL_MSG_EXP_MAX
+};
+
+
+enum ctattr_type {
+       CTA_UNSPEC,
+       CTA_TUPLE_ORIG,
+       CTA_TUPLE_REPLY,
+       CTA_STATUS,
+       CTA_PROTOINFO,
+       CTA_HELP,
+       CTA_NAT_SRC,
+#define CTA_NAT        CTA_NAT_SRC     /* backwards compatibility */
+       CTA_TIMEOUT,
+       CTA_MARK,
+       CTA_COUNTERS_ORIG,
+       CTA_COUNTERS_REPLY,
+       CTA_USE,
+       CTA_ID,
+       CTA_NAT_DST,
+       CTA_TUPLE_MASTER,
+       CTA_NAT_SEQ_ADJ_ORIG,
+       CTA_NAT_SEQ_ADJ_REPLY,
+       CTA_SECMARK,            /* obsolete */
+       CTA_ZONE,
+       CTA_SECCTX,
+       CTA_TIMESTAMP,
+       CTA_MARK_MASK,
+       __CTA_MAX
+};
+#define CTA_MAX (__CTA_MAX - 1)
+
+enum ctattr_tuple {
+       CTA_TUPLE_UNSPEC,
+       CTA_TUPLE_IP,
+       CTA_TUPLE_PROTO,
+       __CTA_TUPLE_MAX
+};
+#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)
+
+enum ctattr_ip {
+       CTA_IP_UNSPEC,
+       CTA_IP_V4_SRC,
+       CTA_IP_V4_DST,
+       CTA_IP_V6_SRC,
+       CTA_IP_V6_DST,
+       __CTA_IP_MAX
+};
+#define CTA_IP_MAX (__CTA_IP_MAX - 1)
+
+enum ctattr_l4proto {
+       CTA_PROTO_UNSPEC,
+       CTA_PROTO_NUM,
+       CTA_PROTO_SRC_PORT,
+       CTA_PROTO_DST_PORT,
+       CTA_PROTO_ICMP_ID,
+       CTA_PROTO_ICMP_TYPE,
+       CTA_PROTO_ICMP_CODE,
+       CTA_PROTO_ICMPV6_ID,
+       CTA_PROTO_ICMPV6_TYPE,
+       CTA_PROTO_ICMPV6_CODE,
+       __CTA_PROTO_MAX
+};
+#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)
+
+enum ctattr_protoinfo {
+       CTA_PROTOINFO_UNSPEC,
+       CTA_PROTOINFO_TCP,
+       CTA_PROTOINFO_DCCP,
+       CTA_PROTOINFO_SCTP,
+       __CTA_PROTOINFO_MAX
+};
+#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
+
+enum ctattr_protoinfo_tcp {
+       CTA_PROTOINFO_TCP_UNSPEC,
+       CTA_PROTOINFO_TCP_STATE,
+       CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
+       CTA_PROTOINFO_TCP_WSCALE_REPLY,
+       CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
+       CTA_PROTOINFO_TCP_FLAGS_REPLY,
+       __CTA_PROTOINFO_TCP_MAX
+};
+#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1)
+
+enum ctattr_protoinfo_dccp {
+       CTA_PROTOINFO_DCCP_UNSPEC,
+       CTA_PROTOINFO_DCCP_STATE,
+       CTA_PROTOINFO_DCCP_ROLE,
+       CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
+       __CTA_PROTOINFO_DCCP_MAX,
+};
+#define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
+
+enum ctattr_protoinfo_sctp {
+       CTA_PROTOINFO_SCTP_UNSPEC,
+       CTA_PROTOINFO_SCTP_STATE,
+       CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
+       CTA_PROTOINFO_SCTP_VTAG_REPLY,
+       __CTA_PROTOINFO_SCTP_MAX
+};
+#define CTA_PROTOINFO_SCTP_MAX (__CTA_PROTOINFO_SCTP_MAX - 1)
+
+enum ctattr_counters {
+       CTA_COUNTERS_UNSPEC,
+       CTA_COUNTERS_PACKETS,           /* 64bit counters */
+       CTA_COUNTERS_BYTES,             /* 64bit counters */
+       CTA_COUNTERS32_PACKETS,         /* old 32bit counters, unused */
+       CTA_COUNTERS32_BYTES,           /* old 32bit counters, unused */
+       __CTA_COUNTERS_MAX
+};
+#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
+
+enum ctattr_tstamp {
+       CTA_TIMESTAMP_UNSPEC,
+       CTA_TIMESTAMP_START,
+       CTA_TIMESTAMP_STOP,
+       __CTA_TIMESTAMP_MAX
+};
+#define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1)
+
+enum ctattr_nat {
+       CTA_NAT_UNSPEC,
+       CTA_NAT_V4_MINIP,
+#define CTA_NAT_MINIP CTA_NAT_V4_MINIP
+       CTA_NAT_V4_MAXIP,
+#define CTA_NAT_MAXIP CTA_NAT_V4_MAXIP
+       CTA_NAT_PROTO,
+       CTA_NAT_V6_MINIP,
+       CTA_NAT_V6_MAXIP,
+       __CTA_NAT_MAX
+};
+#define CTA_NAT_MAX (__CTA_NAT_MAX - 1)
+
+enum ctattr_protonat {
+       CTA_PROTONAT_UNSPEC,
+       CTA_PROTONAT_PORT_MIN,
+       CTA_PROTONAT_PORT_MAX,
+       __CTA_PROTONAT_MAX
+};
+#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1)
+
+enum ctattr_natseq {
+       CTA_NAT_SEQ_UNSPEC,
+       CTA_NAT_SEQ_CORRECTION_POS,
+       CTA_NAT_SEQ_OFFSET_BEFORE,
+       CTA_NAT_SEQ_OFFSET_AFTER,
+       __CTA_NAT_SEQ_MAX
+};
+#define CTA_NAT_SEQ_MAX (__CTA_NAT_SEQ_MAX - 1)
+
+enum ctattr_expect {
+       CTA_EXPECT_UNSPEC,
+       CTA_EXPECT_MASTER,
+       CTA_EXPECT_TUPLE,
+       CTA_EXPECT_MASK,
+       CTA_EXPECT_TIMEOUT,
+       CTA_EXPECT_ID,
+       CTA_EXPECT_HELP_NAME,
+       CTA_EXPECT_ZONE,
+       CTA_EXPECT_FLAGS,
+       CTA_EXPECT_CLASS,
+       CTA_EXPECT_NAT,
+       CTA_EXPECT_FN,
+       __CTA_EXPECT_MAX
+};
+#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
+
+enum ctattr_expect_nat {
+       CTA_EXPECT_NAT_UNSPEC,
+       CTA_EXPECT_NAT_DIR,
+       CTA_EXPECT_NAT_TUPLE,
+       __CTA_EXPECT_NAT_MAX
+};
+#define CTA_EXPECT_NAT_MAX (__CTA_EXPECT_NAT_MAX - 1)
+
+enum ctattr_help {
+       CTA_HELP_UNSPEC,
+       CTA_HELP_NAME,
+       CTA_HELP_INFO,
+       __CTA_HELP_MAX
+};
+#define CTA_HELP_MAX (__CTA_HELP_MAX - 1)
+
+enum ctattr_secctx {
+       CTA_SECCTX_UNSPEC,
+       CTA_SECCTX_NAME,
+       __CTA_SECCTX_MAX
+};
+#define CTA_SECCTX_MAX (__CTA_SECCTX_MAX - 1)
+
+enum ctattr_stats_cpu {
+       CTA_STATS_UNSPEC,
+       CTA_STATS_SEARCHED,
+       CTA_STATS_FOUND,
+       CTA_STATS_NEW,
+       CTA_STATS_INVALID,
+       CTA_STATS_IGNORE,
+       CTA_STATS_DELETE,
+       CTA_STATS_DELETE_LIST,
+       CTA_STATS_INSERT,
+       CTA_STATS_INSERT_FAILED,
+       CTA_STATS_DROP,
+       CTA_STATS_EARLY_DROP,
+       CTA_STATS_ERROR,
+       CTA_STATS_SEARCH_RESTART,
+       __CTA_STATS_MAX,
+};
+#define CTA_STATS_MAX (__CTA_STATS_MAX - 1)
+
+enum ctattr_stats_global {
+       CTA_STATS_GLOBAL_UNSPEC,
+       CTA_STATS_GLOBAL_ENTRIES,
+       __CTA_STATS_GLOBAL_MAX,
+};
+#define CTA_STATS_GLOBAL_MAX (__CTA_STATS_GLOBAL_MAX - 1)
+
+enum ctattr_expect_stats {
+       CTA_STATS_EXP_UNSPEC,
+       CTA_STATS_EXP_NEW,
+       CTA_STATS_EXP_CREATE,
+       CTA_STATS_EXP_DELETE,
+       __CTA_STATS_EXP_MAX,
+};
+#define CTA_STATS_EXP_MAX (__CTA_STATS_EXP_MAX - 1)
+
+#endif /* _IPCONNTRACK_NETLINK_H */
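Review bot: The message-type enum tag at the top of this hunk is spelled `enum cntl_msg_types` while the sibling enum right below it is `ctnl_exp_msg_types` (and nfnetlink_cttimeout.h in this series uses `ctnl_timeout_msg_types`), which looks like a transposition. Because this is a uapi header the tag is visible to userspace and renaming it would break any program that spells `enum cntl_msg_types`, so the safe fix is a comment rather than a rename: `enum cntl_msg_types {   /* sic: tag kept as 'cntl' for uapi compatibility */`. The `CTA_NAT_MINIP`/`CTA_NAT_MAXIP` `#define`s nested inside `enum ctattr_nat` read as the same kind of alias that `CTA_NAT` carries, but unlike `CTA_NAT` they have no `/* backwards compatibility */` comment; adding one keeps the three consistent.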
diff --git a/include/uapi/linux/netfilter/nfnetlink_cthelper.h b/include/uapi/linux/netfilter/nfnetlink_cthelper.h
new file mode 100644 (file)
index 0000000..33659f6
--- /dev/null
@@ -0,0 +1,55 @@
+#ifndef _NFNL_CTHELPER_H_
+#define _NFNL_CTHELPER_H_
+
+#define NFCT_HELPER_STATUS_DISABLED    0
+#define NFCT_HELPER_STATUS_ENABLED     1
+
+enum nfnl_acct_msg_types {
+       NFNL_MSG_CTHELPER_NEW,
+       NFNL_MSG_CTHELPER_GET,
+       NFNL_MSG_CTHELPER_DEL,
+       NFNL_MSG_CTHELPER_MAX
+};
+
+enum nfnl_cthelper_type {
+       NFCTH_UNSPEC,
+       NFCTH_NAME,
+       NFCTH_TUPLE,
+       NFCTH_QUEUE_NUM,
+       NFCTH_POLICY,
+       NFCTH_PRIV_DATA_LEN,
+       NFCTH_STATUS,
+       __NFCTH_MAX
+};
+#define NFCTH_MAX (__NFCTH_MAX - 1)
+
+enum nfnl_cthelper_policy_type {
+       NFCTH_POLICY_SET_UNSPEC,
+       NFCTH_POLICY_SET_NUM,
+       NFCTH_POLICY_SET,
+       NFCTH_POLICY_SET1       = NFCTH_POLICY_SET,
+       NFCTH_POLICY_SET2,
+       NFCTH_POLICY_SET3,
+       NFCTH_POLICY_SET4,
+       __NFCTH_POLICY_SET_MAX
+};
+#define NFCTH_POLICY_SET_MAX (__NFCTH_POLICY_SET_MAX - 1)
+
+enum nfnl_cthelper_pol_type {
+       NFCTH_POLICY_UNSPEC,
+       NFCTH_POLICY_NAME,
+       NFCTH_POLICY_EXPECT_MAX,
+       NFCTH_POLICY_EXPECT_TIMEOUT,
+       __NFCTH_POLICY_MAX
+};
+#define NFCTH_POLICY_MAX (__NFCTH_POLICY_MAX - 1)
+
+enum nfnl_cthelper_tuple_type {
+       NFCTH_TUPLE_UNSPEC,
+       NFCTH_TUPLE_L3PROTONUM,
+       NFCTH_TUPLE_L4PROTONUM,
+       __NFCTH_TUPLE_MAX,
+};
+#define NFCTH_TUPLE_MAX (__NFCTH_TUPLE_MAX - 1)
+
+#endif /* _NFNL_CTHELPER_H */
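Review bot: The message-type enum `enum nfnl_acct_msg_types {` is named after the accounting subsystem although it holds `NFNL_MSG_CTHELPER_*` values, which reads like a copy-paste from nfnetlink_acct.h; if that header declares an enum with the same tag (it is not visible here), a translation unit including both headers fails with a redefinition error. The tag is user-visible, so the compatible fix is to record the intended name rather than rename it, e.g. `/* FIXME: tag should be nfnl_cthelper_msg_types; kept for uapi compatibility */` above the enum. Separately, the closing comment `#endif /* _NFNL_CTHELPER_H */` does not match the guard macro `_NFNL_CTHELPER_H_` defined at the top of the file; it should read `#endif /* _NFNL_CTHELPER_H_ */`.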
diff --git a/include/uapi/linux/netfilter/nfnetlink_cttimeout.h b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
new file mode 100644 (file)
index 0000000..a2810a7
--- /dev/null
@@ -0,0 +1,114 @@
+#ifndef _CTTIMEOUT_NETLINK_H
+#define _CTTIMEOUT_NETLINK_H
+#include <linux/netfilter/nfnetlink.h>
+
+enum ctnl_timeout_msg_types {
+       IPCTNL_MSG_TIMEOUT_NEW,
+       IPCTNL_MSG_TIMEOUT_GET,
+       IPCTNL_MSG_TIMEOUT_DELETE,
+
+       IPCTNL_MSG_TIMEOUT_MAX
+};
+
+enum ctattr_timeout {
+       CTA_TIMEOUT_UNSPEC,
+       CTA_TIMEOUT_NAME,
+       CTA_TIMEOUT_L3PROTO,
+       CTA_TIMEOUT_L4PROTO,
+       CTA_TIMEOUT_DATA,
+       CTA_TIMEOUT_USE,
+       __CTA_TIMEOUT_MAX
+};
+#define CTA_TIMEOUT_MAX (__CTA_TIMEOUT_MAX - 1)
+
+enum ctattr_timeout_generic {
+       CTA_TIMEOUT_GENERIC_UNSPEC,
+       CTA_TIMEOUT_GENERIC_TIMEOUT,
+       __CTA_TIMEOUT_GENERIC_MAX
+};
+#define CTA_TIMEOUT_GENERIC_MAX (__CTA_TIMEOUT_GENERIC_MAX - 1)
+
+enum ctattr_timeout_tcp {
+       CTA_TIMEOUT_TCP_UNSPEC,
+       CTA_TIMEOUT_TCP_SYN_SENT,
+       CTA_TIMEOUT_TCP_SYN_RECV,
+       CTA_TIMEOUT_TCP_ESTABLISHED,
+       CTA_TIMEOUT_TCP_FIN_WAIT,
+       CTA_TIMEOUT_TCP_CLOSE_WAIT,
+       CTA_TIMEOUT_TCP_LAST_ACK,
+       CTA_TIMEOUT_TCP_TIME_WAIT,
+       CTA_TIMEOUT_TCP_CLOSE,
+       CTA_TIMEOUT_TCP_SYN_SENT2,
+       CTA_TIMEOUT_TCP_RETRANS,
+       CTA_TIMEOUT_TCP_UNACK,
+       __CTA_TIMEOUT_TCP_MAX
+};
+#define CTA_TIMEOUT_TCP_MAX (__CTA_TIMEOUT_TCP_MAX - 1)
+
+enum ctattr_timeout_udp {
+       CTA_TIMEOUT_UDP_UNSPEC,
+       CTA_TIMEOUT_UDP_UNREPLIED,
+       CTA_TIMEOUT_UDP_REPLIED,
+       __CTA_TIMEOUT_UDP_MAX
+};
+#define CTA_TIMEOUT_UDP_MAX (__CTA_TIMEOUT_UDP_MAX - 1)
+
+enum ctattr_timeout_udplite {
+       CTA_TIMEOUT_UDPLITE_UNSPEC,
+       CTA_TIMEOUT_UDPLITE_UNREPLIED,
+       CTA_TIMEOUT_UDPLITE_REPLIED,
+       __CTA_TIMEOUT_UDPLITE_MAX
+};
+#define CTA_TIMEOUT_UDPLITE_MAX (__CTA_TIMEOUT_UDPLITE_MAX - 1)
+
+enum ctattr_timeout_icmp {
+       CTA_TIMEOUT_ICMP_UNSPEC,
+       CTA_TIMEOUT_ICMP_TIMEOUT,
+       __CTA_TIMEOUT_ICMP_MAX
+};
+#define CTA_TIMEOUT_ICMP_MAX (__CTA_TIMEOUT_ICMP_MAX - 1)
+
+enum ctattr_timeout_dccp {
+       CTA_TIMEOUT_DCCP_UNSPEC,
+       CTA_TIMEOUT_DCCP_REQUEST,
+       CTA_TIMEOUT_DCCP_RESPOND,
+       CTA_TIMEOUT_DCCP_PARTOPEN,
+       CTA_TIMEOUT_DCCP_OPEN,
+       CTA_TIMEOUT_DCCP_CLOSEREQ,
+       CTA_TIMEOUT_DCCP_CLOSING,
+       CTA_TIMEOUT_DCCP_TIMEWAIT,
+       __CTA_TIMEOUT_DCCP_MAX
+};
+#define CTA_TIMEOUT_DCCP_MAX (__CTA_TIMEOUT_DCCP_MAX - 1)
+
+enum ctattr_timeout_sctp {
+       CTA_TIMEOUT_SCTP_UNSPEC,
+       CTA_TIMEOUT_SCTP_CLOSED,
+       CTA_TIMEOUT_SCTP_COOKIE_WAIT,
+       CTA_TIMEOUT_SCTP_COOKIE_ECHOED,
+       CTA_TIMEOUT_SCTP_ESTABLISHED,
+       CTA_TIMEOUT_SCTP_SHUTDOWN_SENT,
+       CTA_TIMEOUT_SCTP_SHUTDOWN_RECD,
+       CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
+       __CTA_TIMEOUT_SCTP_MAX
+};
+#define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1)
+
+enum ctattr_timeout_icmpv6 {
+       CTA_TIMEOUT_ICMPV6_UNSPEC,
+       CTA_TIMEOUT_ICMPV6_TIMEOUT,
+       __CTA_TIMEOUT_ICMPV6_MAX
+};
+#define CTA_TIMEOUT_ICMPV6_MAX (__CTA_TIMEOUT_ICMPV6_MAX - 1)
+
+enum ctattr_timeout_gre {
+       CTA_TIMEOUT_GRE_UNSPEC,
+       CTA_TIMEOUT_GRE_UNREPLIED,
+       CTA_TIMEOUT_GRE_REPLIED,
+       __CTA_TIMEOUT_GRE_MAX
+};
+#define CTA_TIMEOUT_GRE_MAX (__CTA_TIMEOUT_GRE_MAX - 1)
+
+#define CTNL_TIMEOUT_NAME_MAX  32
+
+#endif
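Review bot: The closing `#endif` on the last line has no guard comment, unlike every other header in this series (compare nfnetlink_conntrack.h's `#endif /* _IPCONNTRACK_NETLINK_H */`); it should read `#endif /* _CTTIMEOUT_NETLINK_H */`. `#define CTNL_TIMEOUT_NAME_MAX  32` near the end is the only value in the file with no comment; a short comment tying it to `CTA_TIMEOUT_NAME` would help readers, and whether the 32 includes the terminating NUL is not visible in this header and should be stated there.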
diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
new file mode 100644 (file)
index 0000000..90c2c95
--- /dev/null
@@ -0,0 +1,97 @@
+#ifndef _NFNETLINK_LOG_H
+#define _NFNETLINK_LOG_H
+
+/* This file describes the netlink messages (i.e. 'protocol packets'),
+ * and not any kind of function definitions.  It is shared between kernel and
+ * userspace.  Don't put kernel specific stuff in here */
+
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink.h>
+
+enum nfulnl_msg_types {
+       NFULNL_MSG_PACKET,              /* packet from kernel to userspace */
+       NFULNL_MSG_CONFIG,              /* connect to a particular queue */
+
+       NFULNL_MSG_MAX
+};
+
+struct nfulnl_msg_packet_hdr {
+       __be16          hw_protocol;    /* hw protocol (network order) */
+       __u8    hook;           /* netfilter hook */
+       __u8    _pad;
+};
+
+struct nfulnl_msg_packet_hw {
+       __be16          hw_addrlen;
+       __u16   _pad;
+       __u8    hw_addr[8];
+};
+
+struct nfulnl_msg_packet_timestamp {
+       __aligned_be64  sec;
+       __aligned_be64  usec;
+};
+
+enum nfulnl_attr_type {
+       NFULA_UNSPEC,
+       NFULA_PACKET_HDR,
+       NFULA_MARK,                     /* __u32 nfmark */
+       NFULA_TIMESTAMP,                /* nfulnl_msg_packet_timestamp */
+       NFULA_IFINDEX_INDEV,            /* __u32 ifindex */
+       NFULA_IFINDEX_OUTDEV,           /* __u32 ifindex */
+       NFULA_IFINDEX_PHYSINDEV,        /* __u32 ifindex */
+       NFULA_IFINDEX_PHYSOUTDEV,       /* __u32 ifindex */
+       NFULA_HWADDR,                   /* nfulnl_msg_packet_hw */
+       NFULA_PAYLOAD,                  /* opaque data payload */
+       NFULA_PREFIX,                   /* string prefix */
+       NFULA_UID,                      /* user id of socket */
+       NFULA_SEQ,                      /* instance-local sequence number */
+       NFULA_SEQ_GLOBAL,               /* global sequence number */
+       NFULA_GID,                      /* group id of socket */
+       NFULA_HWTYPE,                   /* hardware type */
+       NFULA_HWHEADER,                 /* hardware header */
+       NFULA_HWLEN,                    /* hardware header length */
+
+       __NFULA_MAX
+};
+#define NFULA_MAX (__NFULA_MAX - 1)
+
+enum nfulnl_msg_config_cmds {
+       NFULNL_CFG_CMD_NONE,
+       NFULNL_CFG_CMD_BIND,
+       NFULNL_CFG_CMD_UNBIND,
+       NFULNL_CFG_CMD_PF_BIND,
+       NFULNL_CFG_CMD_PF_UNBIND,
+};
+
+struct nfulnl_msg_config_cmd {
+       __u8    command;        /* nfulnl_msg_config_cmds */
+} __attribute__ ((packed));
+
+struct nfulnl_msg_config_mode {
+       __be32          copy_range;
+       __u8    copy_mode;
+       __u8    _pad;
+} __attribute__ ((packed));
+
+enum nfulnl_attr_config {
+       NFULA_CFG_UNSPEC,
+       NFULA_CFG_CMD,                  /* nfulnl_msg_config_cmd */
+       NFULA_CFG_MODE,                 /* nfulnl_msg_config_mode */
+       NFULA_CFG_NLBUFSIZ,             /* __u32 buffer size */
+       NFULA_CFG_TIMEOUT,              /* __u32 in 1/100 s */
+       NFULA_CFG_QTHRESH,              /* __u32 */
+       NFULA_CFG_FLAGS,                /* __u16 */
+       __NFULA_CFG_MAX
+};
+#define NFULA_CFG_MAX (__NFULA_CFG_MAX -1)
+
+#define NFULNL_COPY_NONE       0x00
+#define NFULNL_COPY_META       0x01
+#define NFULNL_COPY_PACKET     0x02
+/* 0xff is reserved, don't use it for new copy modes. */
+
+#define NFULNL_CFG_F_SEQ       0x0001
+#define NFULNL_CFG_F_SEQ_GLOBAL        0x0002
+
+#endif /* _NFNETLINK_LOG_H */
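Review bot: `enum nfulnl_msg_config_cmds` is the only enum in this header without a trailing sentinel (each `NFULA_*` enum ends in a `__NFULA_*_MAX` member and a `#define ..._MAX`), so code that range-checks the `command` byte arriving in `struct nfulnl_msg_config_cmd` has no header-provided upper bound; `nfqnl_msg_config_cmds` and `nfqnl_config_mode` in nfnetlink_queue.h have the same gap. Appending a sentinel is ABI-compatible: after `NFULNL_CFG_CMD_PF_UNBIND,` add `__NFULNL_CFG_CMD_MAX` and `#define NFULNL_CFG_CMD_MAX (__NFULNL_CFG_CMD_MAX - 1)`. The `copy_mode` field of `struct nfulnl_msg_config_mode` is documented only by the `NFULNL_COPY_*` defines further down; a `/* NFULNL_COPY_* */` comment on the field, as `command` has for its enum, would tie them together. Minor: `#define NFULA_CFG_MAX (__NFULA_CFG_MAX -1)` lacks the space before `1` that every other `_MAX` define in the file uses.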
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
new file mode 100644 (file)
index 0000000..70ec8c2
--- /dev/null
@@ -0,0 +1,101 @@
+#ifndef _NFNETLINK_QUEUE_H
+#define _NFNETLINK_QUEUE_H
+
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink.h>
+
+enum nfqnl_msg_types {
+       NFQNL_MSG_PACKET,               /* packet from kernel to userspace */
+       NFQNL_MSG_VERDICT,              /* verdict from userspace to kernel */
+       NFQNL_MSG_CONFIG,               /* connect to a particular queue */
+       NFQNL_MSG_VERDICT_BATCH,        /* batchv from userspace to kernel */
+
+       NFQNL_MSG_MAX
+};
+
+struct nfqnl_msg_packet_hdr {
+       __be32          packet_id;      /* unique ID of packet in queue */
+       __be16          hw_protocol;    /* hw protocol (network order) */
+       __u8    hook;           /* netfilter hook */
+} __attribute__ ((packed));
+
+struct nfqnl_msg_packet_hw {
+       __be16          hw_addrlen;
+       __u16   _pad;
+       __u8    hw_addr[8];
+};
+
+struct nfqnl_msg_packet_timestamp {
+       __aligned_be64  sec;
+       __aligned_be64  usec;
+};
+
+enum nfqnl_attr_type {
+       NFQA_UNSPEC,
+       NFQA_PACKET_HDR,
+       NFQA_VERDICT_HDR,               /* nfqnl_msg_verdict_hrd */
+       NFQA_MARK,                      /* __u32 nfmark */
+       NFQA_TIMESTAMP,                 /* nfqnl_msg_packet_timestamp */
+       NFQA_IFINDEX_INDEV,             /* __u32 ifindex */
+       NFQA_IFINDEX_OUTDEV,            /* __u32 ifindex */
+       NFQA_IFINDEX_PHYSINDEV,         /* __u32 ifindex */
+       NFQA_IFINDEX_PHYSOUTDEV,        /* __u32 ifindex */
+       NFQA_HWADDR,                    /* nfqnl_msg_packet_hw */
+       NFQA_PAYLOAD,                   /* opaque data payload */
+       NFQA_CT,                        /* nf_conntrack_netlink.h */
+       NFQA_CT_INFO,                   /* enum ip_conntrack_info */
+       NFQA_CAP_LEN,                   /* __u32 length of captured packet */
+
+       __NFQA_MAX
+};
+#define NFQA_MAX (__NFQA_MAX - 1)
+
+struct nfqnl_msg_verdict_hdr {
+       __be32 verdict;
+       __be32 id;
+};
+
+
+enum nfqnl_msg_config_cmds {
+       NFQNL_CFG_CMD_NONE,
+       NFQNL_CFG_CMD_BIND,
+       NFQNL_CFG_CMD_UNBIND,
+       NFQNL_CFG_CMD_PF_BIND,
+       NFQNL_CFG_CMD_PF_UNBIND,
+};
+
+struct nfqnl_msg_config_cmd {
+       __u8    command;        /* nfqnl_msg_config_cmds */
+       __u8    _pad;
+       __be16          pf;             /* AF_xxx for PF_[UN]BIND */
+};
+
+enum nfqnl_config_mode {
+       NFQNL_COPY_NONE,
+       NFQNL_COPY_META,
+       NFQNL_COPY_PACKET,
+};
+
+struct nfqnl_msg_config_params {
+       __be32          copy_range;
+       __u8    copy_mode;      /* enum nfqnl_config_mode */
+} __attribute__ ((packed));
+
+
+enum nfqnl_attr_config {
+       NFQA_CFG_UNSPEC,
+       NFQA_CFG_CMD,                   /* nfqnl_msg_config_cmd */
+       NFQA_CFG_PARAMS,                /* nfqnl_msg_config_params */
+       NFQA_CFG_QUEUE_MAXLEN,          /* __u32 */
+       NFQA_CFG_MASK,                  /* identify which flags to change */
+       NFQA_CFG_FLAGS,                 /* value of these flags (__u32) */
+       __NFQA_CFG_MAX
+};
+#define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
+
+/* Flags for NFQA_CFG_FLAGS */
+#define NFQA_CFG_F_FAIL_OPEN                   (1 << 0)
+#define NFQA_CFG_F_CONNTRACK                   (1 << 1)
+#define NFQA_CFG_F_MAX                         (1 << 2)
+
+#endif /* _NFNETLINK_QUEUE_H */
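Review bot: Two comment typos in the attribute and message enums: `NFQA_VERDICT_HDR, /* nfqnl_msg_verdict_hrd */` should name the struct actually defined below, `nfqnl_msg_verdict_hdr`, and `NFQNL_MSG_VERDICT_BATCH, /* batchv from userspace to kernel */` presumably means `batch verdict from userspace to kernel`. The `NFQA_CT` comment points at `nf_conntrack_netlink.h`, but the `CTA_*` attributes in this series live in `nfnetlink_conntrack.h`; the comment should reference that header. `NFQA_CFG_F_MAX (1 << 2)` sits after the two real flags and reads as a sentinel rather than a flag; a one-line comment such as `/* first unused bit, not a valid NFQA_CFG_FLAGS value */` would stop it being accepted as one.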
diff --git a/include/uapi/linux/netfilter/x_tables.h b/include/uapi/linux/netfilter/x_tables.h
new file mode 100644 (file)
index 0000000..c36969b
--- /dev/null
@@ -0,0 +1,187 @@
+#ifndef _UAPI_X_TABLES_H
+#define _UAPI_X_TABLES_H
+#include <linux/kernel.h>
+#include <linux/types.h>
+
+#define XT_FUNCTION_MAXNAMELEN 30
+#define XT_EXTENSION_MAXNAMELEN 29
+#define XT_TABLE_MAXNAMELEN 32
+
+struct xt_entry_match {
+       union {
+               struct {
+                       __u16 match_size;
+
+                       /* Used by userspace */
+                       char name[XT_EXTENSION_MAXNAMELEN];
+                       __u8 revision;
+               } user;
+               struct {
+                       __u16 match_size;
+
+                       /* Used inside the kernel */
+                       struct xt_match *match;
+               } kernel;
+
+               /* Total length */
+               __u16 match_size;
+       } u;
+
+       unsigned char data[0];
+};
+
+struct xt_entry_target {
+       union {
+               struct {
+                       __u16 target_size;
+
+                       /* Used by userspace */
+                       char name[XT_EXTENSION_MAXNAMELEN];
+                       __u8 revision;
+               } user;
+               struct {
+                       __u16 target_size;
+
+                       /* Used inside the kernel */
+                       struct xt_target *target;
+               } kernel;
+
+               /* Total length */
+               __u16 target_size;
+       } u;
+
+       unsigned char data[0];
+};
+
+#define XT_TARGET_INIT(__name, __size)                                        \
+{                                                                             \
+       .target.u.user = {                                                     \
+               .target_size    = XT_ALIGN(__size),                            \
+               .name           = __name,                                      \
+       },                                                                     \
+}
+
+struct xt_standard_target {
+       struct xt_entry_target target;
+       int verdict;
+};
+
+struct xt_error_target {
+       struct xt_entry_target target;
+       char errorname[XT_FUNCTION_MAXNAMELEN];
+};
+
+/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
+ * kernel supports, if >= revision. */
+struct xt_get_revision {
+       char name[XT_EXTENSION_MAXNAMELEN];
+       __u8 revision;
+};
+
+/* CONTINUE verdict for targets */
+#define XT_CONTINUE 0xFFFFFFFF
+
+/* For standard target */
+#define XT_RETURN (-NF_REPEAT - 1)
+
+/* this is a dummy structure to find out the alignment requirement for a struct
+ * containing all the fundamental data types that are used in ipt_entry,
+ * ip6t_entry and arpt_entry.  This sucks, and it is a hack.  It will be my
+ * personal pleasure to remove it -HW
+ */
+struct _xt_align {
+       __u8 u8;
+       __u16 u16;
+       __u32 u32;
+       __u64 u64;
+};
+
+#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
+
+/* Standard return verdict, or do jump. */
+#define XT_STANDARD_TARGET ""
+/* Error verdict. */
+#define XT_ERROR_TARGET "ERROR"
+
+#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
+#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
+
+struct xt_counters {
+       __u64 pcnt, bcnt;                       /* Packet and byte counters */
+};
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+struct xt_counters_info {
+       /* Which table. */
+       char name[XT_TABLE_MAXNAMELEN];
+
+       unsigned int num_counters;
+
+       /* The counters (actually `number' of these). */
+       struct xt_counters counters[0];
+};
+
+#define XT_INV_PROTO           0x40    /* Invert the sense of PROTO. */
+
+#ifndef __KERNEL__
+/* fn returns 0 to continue iteration */
+#define XT_MATCH_ITERATE(type, e, fn, args...)                 \
+({                                                             \
+       unsigned int __i;                                       \
+       int __ret = 0;                                          \
+       struct xt_entry_match *__m;                             \
+                                                               \
+       for (__i = sizeof(type);                                \
+            __i < (e)->target_offset;                          \
+            __i += __m->u.match_size) {                        \
+               __m = (void *)e + __i;                          \
+                                                               \
+               __ret = fn(__m , ## args);                      \
+               if (__ret != 0)                                 \
+                       break;                                  \
+       }                                                       \
+       __ret;                                                  \
+})
+
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
+({                                                             \
+       unsigned int __i, __n;                                  \
+       int __ret = 0;                                          \
+       type *__entry;                                          \
+                                                               \
+       for (__i = 0, __n = 0; __i < (size);                    \
+            __i += __entry->next_offset, __n++) {              \
+               __entry = (void *)(entries) + __i;              \
+               if (__n < n)                                    \
+                       continue;                               \
+                                                               \
+               __ret = fn(__entry , ## args);                  \
+               if (__ret != 0)                                 \
+                       break;                                  \
+       }                                                       \
+       __ret;                                                  \
+})
+
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
+       XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
+
+#endif /* !__KERNEL__ */
+
+/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
+#define xt_entry_foreach(pos, ehead, esize) \
+       for ((pos) = (typeof(pos))(ehead); \
+            (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
+            (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
+
+/* can only be xt_entry_match, so no use of typeof here */
+#define xt_ematch_foreach(pos, entry) \
+       for ((pos) = (struct xt_entry_match *)entry->elems; \
+            (pos) < (struct xt_entry_match *)((char *)(entry) + \
+                    (entry)->target_offset); \
+            (pos) = (struct xt_entry_match *)((char *)(pos) + \
+                    (pos)->u.match_size))
+
+
+#endif /* _UAPI_X_TABLES_H */
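Review bot: In the userspace-only iterators the macro parameters `e` (`__m = (void *)e + __i;`) and `entry` (`(pos) = (struct xt_entry_match *)entry->elems;`) are used unparenthesized while every other use in the same macros is parenthesized, so an argument such as `p + 1` expands incorrectly; they should read `(void *)(e) + __i` and `(entry)->elems`. These iterators also advance purely on the `match_size` / `next_offset` fields read from the entry blob, so a zero `match_size` in `XT_MATCH_ITERATE` never advances `__i`; userspace callers must validate the blob before iterating, and a comment to that effect on the `#ifndef __KERNEL__` block would make the contract explicit. `#define XT_RETURN (-NF_REPEAT - 1)` uses `NF_REPEAT`, which is neither declared here nor obviously provided by the two includes at the top, so the header appears not to be self-contained; if nothing else supplies it, an explicit include of the header defining `NF_REPEAT` would fix that.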
diff --git a/include/uapi/linux/netfilter/xt_AUDIT.h b/include/uapi/linux/netfilter/xt_AUDIT.h
new file mode 100644 (file)
index 0000000..38751d2
--- /dev/null
@@ -0,0 +1,30 @@
+/*
+ * Header file for iptables xt_AUDIT target
+ *
+ * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
+ * (C) 2010-2011 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _XT_AUDIT_TARGET_H
+#define _XT_AUDIT_TARGET_H
+
+#include <linux/types.h>
+
+enum {
+       XT_AUDIT_TYPE_ACCEPT = 0,
+       XT_AUDIT_TYPE_DROP,
+       XT_AUDIT_TYPE_REJECT,
+       __XT_AUDIT_TYPE_MAX,
+};
+
+#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)
+
+struct xt_audit_info {
+       __u8 type; /* XT_AUDIT_TYPE_* */
+};
+
+#endif /* _XT_AUDIT_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_CHECKSUM.h b/include/uapi/linux/netfilter/xt_CHECKSUM.h
new file mode 100644 (file)
index 0000000..9a2e466
--- /dev/null
@@ -0,0 +1,20 @@
+/* Header file for iptables ipt_CHECKSUM target
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 Red Hat Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+*/
+#ifndef _XT_CHECKSUM_TARGET_H
+#define _XT_CHECKSUM_TARGET_H
+
+#include <linux/types.h>
+
+#define XT_CHECKSUM_OP_FILL    0x01    /* fill in checksum in IP header */
+
+struct xt_CHECKSUM_info {
+       __u8 operation; /* bitset of operations */
+};
+
+#endif /* _XT_CHECKSUM_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_CLASSIFY.h b/include/uapi/linux/netfilter/xt_CLASSIFY.h
new file mode 100644 (file)
index 0000000..a813bf1
--- /dev/null
@@ -0,0 +1,10 @@
+#ifndef _XT_CLASSIFY_H
+#define _XT_CLASSIFY_H
+
+#include <linux/types.h>
+
+struct xt_classify_target_info {
+       __u32 priority;
+};
+
+#endif /*_XT_CLASSIFY_H */
diff --git a/include/uapi/linux/netfilter/xt_CONNMARK.h b/include/uapi/linux/netfilter/xt_CONNMARK.h
new file mode 100644 (file)
index 0000000..2f2e48e
--- /dev/null
@@ -0,0 +1,6 @@
+#ifndef _XT_CONNMARK_H_target
+#define _XT_CONNMARK_H_target
+
+#include <linux/netfilter/xt_connmark.h>
+
+#endif /*_XT_CONNMARK_H_target*/
diff --git a/include/uapi/linux/netfilter/xt_CONNSECMARK.h b/include/uapi/linux/netfilter/xt_CONNSECMARK.h
new file mode 100644 (file)
index 0000000..b973ff8
--- /dev/null
@@ -0,0 +1,15 @@
+#ifndef _XT_CONNSECMARK_H_target
+#define _XT_CONNSECMARK_H_target
+
+#include <linux/types.h>
+
+enum {
+       CONNSECMARK_SAVE = 1,
+       CONNSECMARK_RESTORE,
+};
+
+struct xt_connsecmark_target_info {
+       __u8 mode;
+};
+
+#endif /*_XT_CONNSECMARK_H_target */
diff --git a/include/uapi/linux/netfilter/xt_CT.h b/include/uapi/linux/netfilter/xt_CT.h
new file mode 100644 (file)
index 0000000..a064b8a
--- /dev/null
@@ -0,0 +1,31 @@
+#ifndef _XT_CT_H
+#define _XT_CT_H
+
+#include <linux/types.h>
+
+#define XT_CT_NOTRACK  0x1
+
+struct xt_ct_target_info {
+       __u16 flags;
+       __u16 zone;
+       __u32 ct_events;
+       __u32 exp_events;
+       char helper[16];
+
+       /* Used internally by the kernel */
+       struct nf_conn  *ct __attribute__((aligned(8)));
+};
+
+struct xt_ct_target_info_v1 {
+       __u16 flags;
+       __u16 zone;
+       __u32 ct_events;
+       __u32 exp_events;
+       char helper[16];
+       char timeout[32];
+
+       /* Used internally by the kernel */
+       struct nf_conn  *ct __attribute__((aligned(8)));
+};
+
+#endif /* _XT_CT_H */
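Review bot: Both `xt_ct_target_info` and `xt_ct_target_info_v1` embed a kernel pointer (`struct nf_conn *ct __attribute__((aligned(8)))`) in a structure that userspace hands to the kernel; the comment marks it kernel-internal, so the kernel side must overwrite rather than trust the value it receives and should avoid exposing it when the rule is read back (neither behaviour is visible in this hunk). The same pattern appears in xt_IDLETIMER.h (`struct idletimer_tg *timer`) and xt_LED.h (`void *internal_data`); a comment such as `/* Used internally by the kernel; any value supplied by userspace is ignored */` on each would state the contract, and the `aligned(8)` presumably keeps the struct size identical for 32- and 64-bit userspace, which is worth saying in the same comment. `char timeout[32]` in the v1 struct duplicates the literal 32 that nfnetlink_cttimeout.h names `CTNL_TIMEOUT_NAME_MAX`; a `/* CTNL_TIMEOUT_NAME_MAX */` comment or use of the constant would keep the two in step.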
diff --git a/include/uapi/linux/netfilter/xt_DSCP.h b/include/uapi/linux/netfilter/xt_DSCP.h
new file mode 100644 (file)
index 0000000..648e0b3
--- /dev/null
@@ -0,0 +1,26 @@
+/* x_tables module for setting the IPv4/IPv6 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
+*/
+#ifndef _XT_DSCP_TARGET_H
+#define _XT_DSCP_TARGET_H
+#include <linux/netfilter/xt_dscp.h>
+#include <linux/types.h>
+
+/* target info */
+struct xt_DSCP_info {
+       __u8 dscp;
+};
+
+struct xt_tos_target_info {
+       __u8 tos_value;
+       __u8 tos_mask;
+};
+
+#endif /* _XT_DSCP_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_IDLETIMER.h b/include/uapi/linux/netfilter/xt_IDLETIMER.h
new file mode 100644 (file)
index 0000000..208ae93
--- /dev/null
@@ -0,0 +1,45 @@
+/*
+ * linux/include/linux/netfilter/xt_IDLETIMER.h
+ *
+ * Header file for Xtables timer target module.
+ *
+ * Copyright (C) 2004, 2010 Nokia Corporation
+ * Written by Timo Teras <ext-timo.teras@nokia.com>
+ *
+ * Converted to x_tables and forward-ported to 2.6.34
+ * by Luciano Coelho <luciano.coelho@nokia.com>
+ *
+ * Contact: Luciano Coelho <luciano.coelho@nokia.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA
+ */
+
+#ifndef _XT_IDLETIMER_H
+#define _XT_IDLETIMER_H
+
+#include <linux/types.h>
+
+#define MAX_IDLETIMER_LABEL_SIZE 28
+
+struct idletimer_tg_info {
+       __u32 timeout;
+
+       char label[MAX_IDLETIMER_LABEL_SIZE];
+
+       /* for kernel module internal use only */
+       struct idletimer_tg *timer __attribute__((aligned(8)));
+};
+
+#endif
diff --git a/include/uapi/linux/netfilter/xt_LED.h b/include/uapi/linux/netfilter/xt_LED.h
new file mode 100644 (file)
index 0000000..f5509e7
--- /dev/null
@@ -0,0 +1,15 @@
+#ifndef _XT_LED_H
+#define _XT_LED_H
+
+#include <linux/types.h>
+
+struct xt_led_info {
+       char id[27];        /* Unique ID for this trigger in the LED class */
+       __u8 always_blink;  /* Blink even if the LED is already on */
+       __u32 delay;        /* Delay until LED is switched off after trigger */
+
+       /* Kernel data used in the module */
+       void *internal_data __attribute__((aligned(8)));
+};
+
+#endif /* _XT_LED_H */
diff --git a/include/uapi/linux/netfilter/xt_LOG.h b/include/uapi/linux/netfilter/xt_LOG.h
new file mode 100644 (file)
index 0000000..cac0790
--- /dev/null
@@ -0,0 +1,19 @@
+#ifndef _XT_LOG_H
+#define _XT_LOG_H
+
+/* make sure not to change this without changing nf_log.h:NF_LOG_* (!) */
+#define XT_LOG_TCPSEQ          0x01    /* Log TCP sequence numbers */
+#define XT_LOG_TCPOPT          0x02    /* Log TCP options */
+#define XT_LOG_IPOPT           0x04    /* Log IP options */
+#define XT_LOG_UID             0x08    /* Log UID owning local socket */
+#define XT_LOG_NFLOG           0x10    /* Unsupported, don't reuse */
+#define XT_LOG_MACDECODE       0x20    /* Decode MAC header */
+#define XT_LOG_MASK            0x2f
+
+struct xt_log_info {
+       unsigned char level;
+       unsigned char logflags;
+       char prefix[30];
+};
+
+#endif /* _XT_LOG_H */
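Review bot: `char prefix[30]` in struct xt_log_info is a user-supplied buffer that the kernel presumably emits as a C string, yet nothing here says it must be NUL-terminated or who enforces that. A field comment would pin the contract for both sides: `char prefix[30];  /* user-supplied; must be NUL-terminated, checked at checkentry */`, and `logflags` could similarly state `/* must not contain bits outside XT_LOG_MASK */`. The same unstated NUL-termination requirement applies to `prefix[64]` in xt_NFLOG.h, `comment[256]` in xt_comment.h, `name[30]` in xt_helper.h, `secctx[]` in xt_SECMARK.h and `label[]` in xt_IDLETIMER.h.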
diff --git a/include/uapi/linux/netfilter/xt_MARK.h b/include/uapi/linux/netfilter/xt_MARK.h
new file mode 100644 (file)
index 0000000..41c456d
--- /dev/null
@@ -0,0 +1,6 @@
+#ifndef _XT_MARK_H_target
+#define _XT_MARK_H_target
+
+#include <linux/netfilter/xt_mark.h>
+
+#endif /*_XT_MARK_H_target */
diff --git a/include/uapi/linux/netfilter/xt_NFLOG.h b/include/uapi/linux/netfilter/xt_NFLOG.h
new file mode 100644 (file)
index 0000000..87b5831
--- /dev/null
@@ -0,0 +1,20 @@
+#ifndef _XT_NFLOG_TARGET
+#define _XT_NFLOG_TARGET
+
+#include <linux/types.h>
+
+#define XT_NFLOG_DEFAULT_GROUP         0x1
+#define XT_NFLOG_DEFAULT_THRESHOLD     0
+
+#define XT_NFLOG_MASK                  0x0
+
+struct xt_nflog_info {
+       __u32   len;
+       __u16   group;
+       __u16   threshold;
+       __u16   flags;
+       __u16   pad;
+       char            prefix[64];
+};
+
+#endif /* _XT_NFLOG_TARGET */
diff --git a/include/uapi/linux/netfilter/xt_NFQUEUE.h b/include/uapi/linux/netfilter/xt_NFQUEUE.h
new file mode 100644 (file)
index 0000000..9eafdbb
--- /dev/null
@@ -0,0 +1,29 @@
+/* iptables module for using NFQUEUE mechanism
+ *
+ * (C) 2005 Harald Welte <laforge@netfilter.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ * 
+*/
+#ifndef _XT_NFQ_TARGET_H
+#define _XT_NFQ_TARGET_H
+
+#include <linux/types.h>
+
+/* target info */
+struct xt_NFQ_info {
+       __u16 queuenum;
+};
+
+struct xt_NFQ_info_v1 {
+       __u16 queuenum;
+       __u16 queues_total;
+};
+
+struct xt_NFQ_info_v2 {
+       __u16 queuenum;
+       __u16 queues_total;
+       __u16 bypass;
+};
+
+#endif /* _XT_NFQ_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_RATEEST.h b/include/uapi/linux/netfilter/xt_RATEEST.h
new file mode 100644 (file)
index 0000000..6605e20
--- /dev/null
@@ -0,0 +1,15 @@
+#ifndef _XT_RATEEST_TARGET_H
+#define _XT_RATEEST_TARGET_H
+
+#include <linux/types.h>
+
+struct xt_rateest_target_info {
+       char                    name[IFNAMSIZ];
+       __s8                    interval;
+       __u8            ewma_log;
+
+       /* Used internally by the kernel */
+       struct xt_rateest       *est __attribute__((aligned(8)));
+};
+
+#endif /* _XT_RATEEST_TARGET_H */
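Review bot: `char name[IFNAMSIZ]` in struct xt_rateest_target_info uses IFNAMSIZ, but the only include is `<linux/types.h>`, so this header is not self-contained for userspace and compiles only if the includer happened to pull in `<linux/if.h>` first. Adding `#include <linux/if.h>` after the types include fixes it. The same gap exists in xt_hashlimit.h and xt_physdev.h (IFNAMSIZ), in xt_TEE.h, xt_TPROXY.h and xt_ipvs.h (`union nf_inet_addr` without the `<linux/netfilter.h>` include that xt_connlimit.h and xt_iprange.h do have), in xt_mac.h (ETH_ALEN, `<linux/if_ether.h>`), in xt_osf.h (MAX_IPOPTLEN, `struct iphdr`, `struct tcphdr`) and in the `#ifndef __KERNEL__` branch of xt_policy.h (`struct in_addr`/`in6_addr`).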
diff --git a/include/uapi/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h
new file mode 100644 (file)
index 0000000..989092b
--- /dev/null
@@ -0,0 +1,22 @@
+#ifndef _XT_SECMARK_H_target
+#define _XT_SECMARK_H_target
+
+#include <linux/types.h>
+
+/*
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL       0x01            /* SELinux */
+#define SECMARK_SECCTX_MAX     256
+
+struct xt_secmark_target_info {
+       __u8 mode;
+       __u32 secid;
+       char secctx[SECMARK_SECCTX_MAX];
+};
+
+#endif /*_XT_SECMARK_H_target */
diff --git a/include/uapi/linux/netfilter/xt_TCPMSS.h b/include/uapi/linux/netfilter/xt_TCPMSS.h
new file mode 100644 (file)
index 0000000..9a6960a
--- /dev/null
@@ -0,0 +1,12 @@
+#ifndef _XT_TCPMSS_H
+#define _XT_TCPMSS_H
+
+#include <linux/types.h>
+
+struct xt_tcpmss_info {
+       __u16 mss;
+};
+
+#define XT_TCPMSS_CLAMP_PMTU 0xffff
+
+#endif /* _XT_TCPMSS_H */
diff --git a/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
new file mode 100644 (file)
index 0000000..7157318
--- /dev/null
@@ -0,0 +1,15 @@
+#ifndef _XT_TCPOPTSTRIP_H
+#define _XT_TCPOPTSTRIP_H
+
+#include <linux/types.h>
+
+#define tcpoptstrip_set_bit(bmap, idx) \
+       (bmap[(idx) >> 5] |= 1U << (idx & 31))
+#define tcpoptstrip_test_bit(bmap, idx) \
+       (((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0)
+
+struct xt_tcpoptstrip_target_info {
+       __u32 strip_bmap[8];
+};
+
+#endif /* _XT_TCPOPTSTRIP_H */
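Review bot: Both macros leave `idx` unparenthesized in `(idx & 31)` (and `bmap` unparenthesized throughout), so `tcpoptstrip_set_bit(bmap, a + b)` expands to `a + b & 31`, which parses as `a + (b & 31)` and indexes the wrong bit. The expansions should read `(bmap[(idx) >> 5] |= 1U << ((idx) & 31))` and `(((1U << ((idx) & 31)) & bmap[(idx) >> 5]) != 0)`. Since `strip_bmap[8]` holds 256 bits, a comment that `idx` must be below 256 (i.e. a valid TCP option kind) and that neither macro bounds-checks would also help callers.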
diff --git a/include/uapi/linux/netfilter/xt_TEE.h b/include/uapi/linux/netfilter/xt_TEE.h
new file mode 100644 (file)
index 0000000..5c21d5c
--- /dev/null
@@ -0,0 +1,12 @@
+#ifndef _XT_TEE_TARGET_H
+#define _XT_TEE_TARGET_H
+
+struct xt_tee_tginfo {
+       union nf_inet_addr gw;
+       char oif[16];
+
+       /* used internally by the kernel */
+       struct xt_tee_priv *priv __attribute__((aligned(8)));
+};
+
+#endif /* _XT_TEE_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_TPROXY.h b/include/uapi/linux/netfilter/xt_TPROXY.h
new file mode 100644 (file)
index 0000000..902043c
--- /dev/null
@@ -0,0 +1,23 @@
+#ifndef _XT_TPROXY_H
+#define _XT_TPROXY_H
+
+#include <linux/types.h>
+
+/* TPROXY target is capable of marking the packet to perform
+ * redirection. We can get rid of that whenever we get support for
+ * mutliple targets in the same rule. */
+struct xt_tproxy_target_info {
+       __u32 mark_mask;
+       __u32 mark_value;
+       __be32 laddr;
+       __be16 lport;
+};
+
+struct xt_tproxy_target_info_v1 {
+       __u32 mark_mask;
+       __u32 mark_value;
+       union nf_inet_addr laddr;
+       __be16 lport;
+};
+
+#endif /* _XT_TPROXY_H */
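Review bot: The comment above struct xt_tproxy_target_info has a typo, "mutliple" for "multiple". It would also help readers of the two revisions to state that revision 0 is IPv4-only (`__be32 laddr`) while v1 takes a `union nf_inet_addr`, e.g. `/* revision 0: IPv4 only */` on the first struct. The union type is used here without an include of `<linux/netfilter.h>`, as noted on xt_RATEEST.h.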
diff --git a/include/uapi/linux/netfilter/xt_addrtype.h b/include/uapi/linux/netfilter/xt_addrtype.h
new file mode 100644 (file)
index 0000000..b156baa
--- /dev/null
@@ -0,0 +1,44 @@
+#ifndef _XT_ADDRTYPE_H
+#define _XT_ADDRTYPE_H
+
+#include <linux/types.h>
+
+enum {
+       XT_ADDRTYPE_INVERT_SOURCE       = 0x0001,
+       XT_ADDRTYPE_INVERT_DEST         = 0x0002,
+       XT_ADDRTYPE_LIMIT_IFACE_IN      = 0x0004,
+       XT_ADDRTYPE_LIMIT_IFACE_OUT     = 0x0008,
+};
+
+
+/* rtn_type enum values from rtnetlink.h, but shifted */
+enum {
+       XT_ADDRTYPE_UNSPEC = 1 << 0,
+       XT_ADDRTYPE_UNICAST = 1 << 1,   /* 1 << RTN_UNICAST */
+       XT_ADDRTYPE_LOCAL  = 1 << 2,    /* 1 << RTN_LOCAL, etc */
+       XT_ADDRTYPE_BROADCAST = 1 << 3,
+       XT_ADDRTYPE_ANYCAST = 1 << 4,
+       XT_ADDRTYPE_MULTICAST = 1 << 5,
+       XT_ADDRTYPE_BLACKHOLE = 1 << 6,
+       XT_ADDRTYPE_UNREACHABLE = 1 << 7,
+       XT_ADDRTYPE_PROHIBIT = 1 << 8,
+       XT_ADDRTYPE_THROW = 1 << 9,
+       XT_ADDRTYPE_NAT = 1 << 10,
+       XT_ADDRTYPE_XRESOLVE = 1 << 11,
+};
+
+struct xt_addrtype_info_v1 {
+       __u16   source;         /* source-type mask */
+       __u16   dest;           /* dest-type mask */
+       __u32   flags;
+};
+
+/* revision 0 */
+struct xt_addrtype_info {
+       __u16   source;         /* source-type mask */
+       __u16   dest;           /* dest-type mask */
+       __u32   invert_source;
+       __u32   invert_dest;
+};
+
+#endif
diff --git a/include/uapi/linux/netfilter/xt_cluster.h b/include/uapi/linux/netfilter/xt_cluster.h
new file mode 100644 (file)
index 0000000..9b883c8
--- /dev/null
@@ -0,0 +1,19 @@
+#ifndef _XT_CLUSTER_MATCH_H
+#define _XT_CLUSTER_MATCH_H
+
+#include <linux/types.h>
+
+enum xt_cluster_flags {
+       XT_CLUSTER_F_INV        = (1 << 0)
+};
+
+struct xt_cluster_match_info {
+       __u32 total_nodes;
+       __u32 node_mask;
+       __u32 hash_seed;
+       __u32 flags;
+};
+
+#define XT_CLUSTER_NODES_MAX   32
+
+#endif /* _XT_CLUSTER_MATCH_H */
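Review bot: `XT_CLUSTER_NODES_MAX 32` is tied to `node_mask` being a `__u32`, but the define sits after the struct with no comment linking the two, so the relationship reads as coincidental. I would annotate the field `__u32 node_mask;  /* one bit per node, hence XT_CLUSTER_NODES_MAX == 32 */` and note that `total_nodes` must be in 1..XT_CLUSTER_NODES_MAX, presumably enforced at checkentry.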
diff --git a/include/uapi/linux/netfilter/xt_comment.h b/include/uapi/linux/netfilter/xt_comment.h
new file mode 100644 (file)
index 0000000..0ea5e79
--- /dev/null
@@ -0,0 +1,10 @@
+#ifndef _XT_COMMENT_H
+#define _XT_COMMENT_H
+
+#define XT_MAX_COMMENT_LEN 256
+
+struct xt_comment_info {
+       char comment[XT_MAX_COMMENT_LEN];
+};
+
+#endif /* XT_COMMENT_H */
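Review bot: The closing `#endif /* XT_COMMENT_H */` names a different macro than the guard `_XT_COMMENT_H` defined at the top. It should read `#endif /* _XT_COMMENT_H */` so the guard comment can be grepped and trusted.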
diff --git a/include/uapi/linux/netfilter/xt_connbytes.h b/include/uapi/linux/netfilter/xt_connbytes.h
new file mode 100644 (file)
index 0000000..f1d6c15
--- /dev/null
@@ -0,0 +1,26 @@
+#ifndef _XT_CONNBYTES_H
+#define _XT_CONNBYTES_H
+
+#include <linux/types.h>
+
+enum xt_connbytes_what {
+       XT_CONNBYTES_PKTS,
+       XT_CONNBYTES_BYTES,
+       XT_CONNBYTES_AVGPKT,
+};
+
+enum xt_connbytes_direction {
+       XT_CONNBYTES_DIR_ORIGINAL,
+       XT_CONNBYTES_DIR_REPLY,
+       XT_CONNBYTES_DIR_BOTH,
+};
+
+struct xt_connbytes_info {
+       struct {
+               __aligned_u64 from;     /* count to be matched */
+               __aligned_u64 to;       /* count to be matched */
+       } count;
+       __u8 what;              /* ipt_connbytes_what */
+       __u8 direction; /* ipt_connbytes_direction */
+};
+#endif
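Review bot: The field comments `/* ipt_connbytes_what */` and `/* ipt_connbytes_direction */` on `what` and `direction` refer to enum names that do not exist in this header; the enums defined above are `xt_connbytes_what` and `xt_connbytes_direction`. The comments should be updated to the xt_ names, and a note that both `__u8` values are presumably range-checked against those enums at checkentry would document the contract for userspace.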
diff --git a/include/uapi/linux/netfilter/xt_connlimit.h b/include/uapi/linux/netfilter/xt_connlimit.h
new file mode 100644 (file)
index 0000000..f165609
--- /dev/null
@@ -0,0 +1,32 @@
+#ifndef _XT_CONNLIMIT_H
+#define _XT_CONNLIMIT_H
+
+#include <linux/types.h>
+#include <linux/netfilter.h>
+
+struct xt_connlimit_data;
+
+enum {
+       XT_CONNLIMIT_INVERT = 1 << 0,
+       XT_CONNLIMIT_DADDR  = 1 << 1,
+};
+
+struct xt_connlimit_info {
+       union {
+               union nf_inet_addr mask;
+#ifndef __KERNEL__
+               union {
+                       __be32 v4_mask;
+                       __be32 v6_mask[4];
+               };
+#endif
+       };
+       unsigned int limit;
+       /* revision 1 */
+       __u32 flags;
+
+       /* Used internally by the kernel */
+       struct xt_connlimit_data *data __attribute__((aligned(8)));
+};
+
+#endif /* _XT_CONNLIMIT_H */
diff --git a/include/uapi/linux/netfilter/xt_connmark.h b/include/uapi/linux/netfilter/xt_connmark.h
new file mode 100644 (file)
index 0000000..efc17a8
--- /dev/null
@@ -0,0 +1,31 @@
+#ifndef _XT_CONNMARK_H
+#define _XT_CONNMARK_H
+
+#include <linux/types.h>
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+       XT_CONNMARK_SET = 0,
+       XT_CONNMARK_SAVE,
+       XT_CONNMARK_RESTORE
+};
+
+struct xt_connmark_tginfo1 {
+       __u32 ctmark, ctmask, nfmask;
+       __u8 mode;
+};
+
+struct xt_connmark_mtinfo1 {
+       __u32 mark, mask;
+       __u8 invert;
+};
+
+#endif /*_XT_CONNMARK_H*/
diff --git a/include/uapi/linux/netfilter/xt_conntrack.h b/include/uapi/linux/netfilter/xt_conntrack.h
new file mode 100644 (file)
index 0000000..e3c041d
--- /dev/null
@@ -0,0 +1,77 @@
+/* Header file for kernel module to match connection tracking information.
+ * GPL (C) 2001  Marc Boucher (marc@mbsi.ca).
+ */
+
+#ifndef _XT_CONNTRACK_H
+#define _XT_CONNTRACK_H
+
+#include <linux/types.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
+#define XT_CONNTRACK_STATE_INVALID (1 << 0)
+
+#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
+#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
+#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+
+/* flags, invflags: */
+enum {
+       XT_CONNTRACK_STATE        = 1 << 0,
+       XT_CONNTRACK_PROTO        = 1 << 1,
+       XT_CONNTRACK_ORIGSRC      = 1 << 2,
+       XT_CONNTRACK_ORIGDST      = 1 << 3,
+       XT_CONNTRACK_REPLSRC      = 1 << 4,
+       XT_CONNTRACK_REPLDST      = 1 << 5,
+       XT_CONNTRACK_STATUS       = 1 << 6,
+       XT_CONNTRACK_EXPIRES      = 1 << 7,
+       XT_CONNTRACK_ORIGSRC_PORT = 1 << 8,
+       XT_CONNTRACK_ORIGDST_PORT = 1 << 9,
+       XT_CONNTRACK_REPLSRC_PORT = 1 << 10,
+       XT_CONNTRACK_REPLDST_PORT = 1 << 11,
+       XT_CONNTRACK_DIRECTION    = 1 << 12,
+};
+
+struct xt_conntrack_mtinfo1 {
+       union nf_inet_addr origsrc_addr, origsrc_mask;
+       union nf_inet_addr origdst_addr, origdst_mask;
+       union nf_inet_addr replsrc_addr, replsrc_mask;
+       union nf_inet_addr repldst_addr, repldst_mask;
+       __u32 expires_min, expires_max;
+       __u16 l4proto;
+       __be16 origsrc_port, origdst_port;
+       __be16 replsrc_port, repldst_port;
+       __u16 match_flags, invert_flags;
+       __u8 state_mask, status_mask;
+};
+
+struct xt_conntrack_mtinfo2 {
+       union nf_inet_addr origsrc_addr, origsrc_mask;
+       union nf_inet_addr origdst_addr, origdst_mask;
+       union nf_inet_addr replsrc_addr, replsrc_mask;
+       union nf_inet_addr repldst_addr, repldst_mask;
+       __u32 expires_min, expires_max;
+       __u16 l4proto;
+       __be16 origsrc_port, origdst_port;
+       __be16 replsrc_port, repldst_port;
+       __u16 match_flags, invert_flags;
+       __u16 state_mask, status_mask;
+};
+
+struct xt_conntrack_mtinfo3 {
+       union nf_inet_addr origsrc_addr, origsrc_mask;
+       union nf_inet_addr origdst_addr, origdst_mask;
+       union nf_inet_addr replsrc_addr, replsrc_mask;
+       union nf_inet_addr repldst_addr, repldst_mask;
+       __u32 expires_min, expires_max;
+       __u16 l4proto;
+       __u16 origsrc_port, origdst_port;
+       __u16 replsrc_port, repldst_port;
+       __u16 match_flags, invert_flags;
+       __u16 state_mask, status_mask;
+       __u16 origsrc_port_high, origdst_port_high;
+       __u16 replsrc_port_high, repldst_port_high;
+};
+
+#endif /*_XT_CONNTRACK_H*/
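Review bot: `XT_CONNTRACK_STATE_BIT(ctinfo)` relies on `%` binding tighter than `+`, which is correct but easy to misread; `(1 << (((ctinfo) % IP_CT_IS_REPLY) + 1))` makes the intent explicit. I also do not see `<linux/netfilter/nf_conntrack_common.h>`, where IP_CT_IS_REPLY and IP_CT_NUMBER live, included here; if neither of the two included headers pulls it in, the STATE macros cannot expand for a userspace includer.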
diff --git a/include/uapi/linux/netfilter/xt_cpu.h b/include/uapi/linux/netfilter/xt_cpu.h
new file mode 100644 (file)
index 0000000..93c7f11
--- /dev/null
@@ -0,0 +1,11 @@
+#ifndef _XT_CPU_H
+#define _XT_CPU_H
+
+#include <linux/types.h>
+
+struct xt_cpu_info {
+       __u32   cpu;
+       __u32   invert;
+};
+
+#endif /*_XT_CPU_H*/
diff --git a/include/uapi/linux/netfilter/xt_dccp.h b/include/uapi/linux/netfilter/xt_dccp.h
new file mode 100644 (file)
index 0000000..a579e1b
--- /dev/null
@@ -0,0 +1,25 @@
+#ifndef _XT_DCCP_H_
+#define _XT_DCCP_H_
+
+#include <linux/types.h>
+
+#define XT_DCCP_SRC_PORTS              0x01
+#define XT_DCCP_DEST_PORTS             0x02
+#define XT_DCCP_TYPE                   0x04
+#define XT_DCCP_OPTION                 0x08
+
+#define XT_DCCP_VALID_FLAGS            0x0f
+
+struct xt_dccp_info {
+       __u16 dpts[2];  /* Min, Max */
+       __u16 spts[2];  /* Min, Max */
+
+       __u16 flags;
+       __u16 invflags;
+
+       __u16 typemask;
+       __u8 option;
+};
+
+#endif /* _XT_DCCP_H_ */
+
diff --git a/include/uapi/linux/netfilter/xt_devgroup.h b/include/uapi/linux/netfilter/xt_devgroup.h
new file mode 100644 (file)
index 0000000..1babde0
--- /dev/null
@@ -0,0 +1,21 @@
+#ifndef _XT_DEVGROUP_H
+#define _XT_DEVGROUP_H
+
+#include <linux/types.h>
+
+enum xt_devgroup_flags {
+       XT_DEVGROUP_MATCH_SRC   = 0x1,
+       XT_DEVGROUP_INVERT_SRC  = 0x2,
+       XT_DEVGROUP_MATCH_DST   = 0x4,
+       XT_DEVGROUP_INVERT_DST  = 0x8,
+};
+
+struct xt_devgroup_info {
+       __u32   flags;
+       __u32   src_group;
+       __u32   src_mask;
+       __u32   dst_group;
+       __u32   dst_mask;
+};
+
+#endif /* _XT_DEVGROUP_H */
diff --git a/include/uapi/linux/netfilter/xt_dscp.h b/include/uapi/linux/netfilter/xt_dscp.h
new file mode 100644 (file)
index 0000000..15f8932
--- /dev/null
@@ -0,0 +1,31 @@
+/* x_tables module for matching the IPv4/IPv6 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
+*/
+#ifndef _XT_DSCP_H
+#define _XT_DSCP_H
+
+#include <linux/types.h>
+
+#define XT_DSCP_MASK   0xfc    /* 11111100 */
+#define XT_DSCP_SHIFT  2
+#define XT_DSCP_MAX    0x3f    /* 00111111 */
+
+/* match info */
+struct xt_dscp_info {
+       __u8 dscp;
+       __u8 invert;
+};
+
+struct xt_tos_match_info {
+       __u8 tos_mask;
+       __u8 tos_value;
+       __u8 invert;
+};
+
+#endif /* _XT_DSCP_H */
diff --git a/include/uapi/linux/netfilter/xt_ecn.h b/include/uapi/linux/netfilter/xt_ecn.h
new file mode 100644 (file)
index 0000000..7158fca
--- /dev/null
@@ -0,0 +1,35 @@
+/* iptables module for matching the ECN header in IPv4 and TCP header
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ * 
+ * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
+*/
+#ifndef _XT_ECN_H
+#define _XT_ECN_H
+
+#include <linux/types.h>
+#include <linux/netfilter/xt_dscp.h>
+
+#define XT_ECN_IP_MASK (~XT_DSCP_MASK)
+
+#define XT_ECN_OP_MATCH_IP     0x01
+#define XT_ECN_OP_MATCH_ECE    0x10
+#define XT_ECN_OP_MATCH_CWR    0x20
+
+#define XT_ECN_OP_MATCH_MASK   0xce
+
+/* match info */
+struct xt_ecn_info {
+       __u8 operation;
+       __u8 invert;
+       __u8 ip_ect;
+       union {
+               struct {
+                       __u8 ect;
+               } tcp;
+       } proto;
+};
+
+#endif /* _XT_ECN_H */
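Review bot: `XT_ECN_OP_MATCH_MASK 0xce` is the complement of the three OP bits (0x01|0x10|0x20 = 0x31, and ~0x31 & 0xff = 0xce), i.e. the set of bits that must be clear in `operation`, not the set of valid ones; the name suggests the opposite and there is no comment. I would annotate it `/* bits that must be clear in 'operation': ~(MATCH_IP|MATCH_ECE|MATCH_CWR) */`, or define it as `(~(XT_ECN_OP_MATCH_IP|XT_ECN_OP_MATCH_ECE|XT_ECN_OP_MATCH_CWR) & 0xff)` so the value cannot drift from the flags.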
diff --git a/include/uapi/linux/netfilter/xt_esp.h b/include/uapi/linux/netfilter/xt_esp.h
new file mode 100644 (file)
index 0000000..ee68824
--- /dev/null
@@ -0,0 +1,15 @@
+#ifndef _XT_ESP_H
+#define _XT_ESP_H
+
+#include <linux/types.h>
+
+struct xt_esp {
+       __u32 spis[2];  /* Security Parameter Index */
+       __u8  invflags; /* Inverse flags */
+};
+
+/* Values for "invflags" field in struct xt_esp. */
+#define XT_ESP_INV_SPI 0x01    /* Invert the sense of spi. */
+#define XT_ESP_INV_MASK        0x01    /* All possible flags. */
+
+#endif /*_XT_ESP_H*/
diff --git a/include/uapi/linux/netfilter/xt_hashlimit.h b/include/uapi/linux/netfilter/xt_hashlimit.h
new file mode 100644 (file)
index 0000000..cbfc43d
--- /dev/null
@@ -0,0 +1,73 @@
+#ifndef _UAPI_XT_HASHLIMIT_H
+#define _UAPI_XT_HASHLIMIT_H
+
+#include <linux/types.h>
+
+/* timings are in milliseconds. */
+#define XT_HASHLIMIT_SCALE 10000
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+ * seconds, or one packet every 59 hours.
+ */
+
+/* packet length accounting is done in 16-byte steps */
+#define XT_HASHLIMIT_BYTE_SHIFT 4
+
+/* details of this structure hidden by the implementation */
+struct xt_hashlimit_htable;
+
+enum {
+       XT_HASHLIMIT_HASH_DIP = 1 << 0,
+       XT_HASHLIMIT_HASH_DPT = 1 << 1,
+       XT_HASHLIMIT_HASH_SIP = 1 << 2,
+       XT_HASHLIMIT_HASH_SPT = 1 << 3,
+       XT_HASHLIMIT_INVERT   = 1 << 4,
+       XT_HASHLIMIT_BYTES    = 1 << 5,
+};
+
+struct hashlimit_cfg {
+       __u32 mode;       /* bitmask of XT_HASHLIMIT_HASH_* */
+       __u32 avg;    /* Average secs between packets * scale */
+       __u32 burst;  /* Period multiplier for upper limit. */
+
+       /* user specified */
+       __u32 size;             /* how many buckets */
+       __u32 max;              /* max number of entries */
+       __u32 gc_interval;      /* gc interval */
+       __u32 expire;   /* when do entries expire? */
+};
+
+struct xt_hashlimit_info {
+       char name [IFNAMSIZ];           /* name */
+       struct hashlimit_cfg cfg;
+
+       /* Used internally by the kernel */
+       struct xt_hashlimit_htable *hinfo;
+       union {
+               void *ptr;
+               struct xt_hashlimit_info *master;
+       } u;
+};
+
+struct hashlimit_cfg1 {
+       __u32 mode;       /* bitmask of XT_HASHLIMIT_HASH_* */
+       __u32 avg;    /* Average secs between packets * scale */
+       __u32 burst;  /* Period multiplier for upper limit. */
+
+       /* user specified */
+       __u32 size;             /* how many buckets */
+       __u32 max;              /* max number of entries */
+       __u32 gc_interval;      /* gc interval */
+       __u32 expire;   /* when do entries expire? */
+
+       __u8 srcmask, dstmask;
+};
+
+struct xt_hashlimit_mtinfo1 {
+       char name[IFNAMSIZ];
+       struct hashlimit_cfg1 cfg;
+
+       /* Used internally by the kernel */
+       struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
+};
+
+#endif /* _UAPI_XT_HASHLIMIT_H */
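Review bot: `struct xt_hashlimit_info` (revision 0) embeds raw kernel pointers `hinfo` and `u.ptr`/`u.master` without the `__attribute__((aligned(8)))` that `xt_hashlimit_mtinfo1` applies to `hinfo`, so its size and field offsets differ between 32-bit and 64-bit userspace. The revision is presumably kept only for compatibility; a comment such as `/* revision 0: legacy layout, pointer fields are not 64-bit aligned; kept for old userspace only */` above it would stop anyone reusing it. The same unaligned kernel-side fields appear in xt_limit.h (`unsigned long prev`, `master`) and xt_nfacct.h (`nfacct`).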
diff --git a/include/uapi/linux/netfilter/xt_helper.h b/include/uapi/linux/netfilter/xt_helper.h
new file mode 100644 (file)
index 0000000..6b42763
--- /dev/null
@@ -0,0 +1,8 @@
+#ifndef _XT_HELPER_H
+#define _XT_HELPER_H
+
+struct xt_helper_info {
+       int invert;
+       char name[30];
+};
+#endif /* _XT_HELPER_H */
diff --git a/include/uapi/linux/netfilter/xt_iprange.h b/include/uapi/linux/netfilter/xt_iprange.h
new file mode 100644 (file)
index 0000000..25fd7cf
--- /dev/null
@@ -0,0 +1,20 @@
+#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
+#define _LINUX_NETFILTER_XT_IPRANGE_H 1
+
+#include <linux/types.h>
+#include <linux/netfilter.h>
+
+enum {
+       IPRANGE_SRC     = 1 << 0,       /* match source IP address */
+       IPRANGE_DST     = 1 << 1,       /* match destination IP address */
+       IPRANGE_SRC_INV = 1 << 4,       /* negate the condition */
+       IPRANGE_DST_INV = 1 << 5,       /* -"- */
+};
+
+struct xt_iprange_mtinfo {
+       union nf_inet_addr src_min, src_max;
+       union nf_inet_addr dst_min, dst_max;
+       __u8 flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */
diff --git a/include/uapi/linux/netfilter/xt_ipvs.h b/include/uapi/linux/netfilter/xt_ipvs.h
new file mode 100644 (file)
index 0000000..eff34ac
--- /dev/null
@@ -0,0 +1,29 @@
+#ifndef _XT_IPVS_H
+#define _XT_IPVS_H
+
+#include <linux/types.h>
+
+enum {
+       XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */
+       XT_IPVS_PROTO =         1 << 1,
+       XT_IPVS_VADDR =         1 << 2,
+       XT_IPVS_VPORT =         1 << 3,
+       XT_IPVS_DIR =           1 << 4,
+       XT_IPVS_METHOD =        1 << 5,
+       XT_IPVS_VPORTCTL =      1 << 6,
+       XT_IPVS_MASK =          (1 << 7) - 1,
+       XT_IPVS_ONCE_MASK =     XT_IPVS_MASK & ~XT_IPVS_IPVS_PROPERTY
+};
+
+struct xt_ipvs_mtinfo {
+       union nf_inet_addr      vaddr, vmask;
+       __be16                  vport;
+       __u8                    l4proto;
+       __u8                    fwd_method;
+       __be16                  vportctl;
+
+       __u8                    invert;
+       __u8                    bitmask;
+};
+
+#endif /* _XT_IPVS_H */
diff --git a/include/uapi/linux/netfilter/xt_length.h b/include/uapi/linux/netfilter/xt_length.h
new file mode 100644 (file)
index 0000000..b82ed7c
--- /dev/null
@@ -0,0 +1,11 @@
+#ifndef _XT_LENGTH_H
+#define _XT_LENGTH_H
+
+#include <linux/types.h>
+
+struct xt_length_info {
+    __u16      min, max;
+    __u8       invert;
+};
+
+#endif /*_XT_LENGTH_H*/
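Review bot: struct xt_length_info is indented with four spaces while every other header in this series uses tabs; xt_mac.h has the same inconsistency. Converting both bodies to tab indentation keeps the uapi tree uniform for scripted tooling and reviewers alike.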
diff --git a/include/uapi/linux/netfilter/xt_limit.h b/include/uapi/linux/netfilter/xt_limit.h
new file mode 100644 (file)
index 0000000..bb47fc4
--- /dev/null
@@ -0,0 +1,24 @@
+#ifndef _XT_RATE_H
+#define _XT_RATE_H
+
+#include <linux/types.h>
+
+/* timings are in milliseconds. */
+#define XT_LIMIT_SCALE 10000
+
+struct xt_limit_priv;
+
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+   seconds, or one every 59 hours. */
+struct xt_rateinfo {
+       __u32 avg;    /* Average secs between packets * scale */
+       __u32 burst;  /* Period multiplier for upper limit. */
+
+       /* Used internally by the kernel */
+       unsigned long prev; /* moved to xt_limit_priv */
+       __u32 credit; /* moved to xt_limit_priv */
+       __u32 credit_cap, cost;
+
+       struct xt_limit_priv *master;
+};
+#endif /*_XT_RATE_H*/
diff --git a/include/uapi/linux/netfilter/xt_mac.h b/include/uapi/linux/netfilter/xt_mac.h
new file mode 100644 (file)
index 0000000..b892cdc
--- /dev/null
@@ -0,0 +1,8 @@
+#ifndef _XT_MAC_H
+#define _XT_MAC_H
+
+struct xt_mac_info {
+    unsigned char srcaddr[ETH_ALEN];
+    int invert;
+};
+#endif /*_XT_MAC_H*/
diff --git a/include/uapi/linux/netfilter/xt_mark.h b/include/uapi/linux/netfilter/xt_mark.h
new file mode 100644 (file)
index 0000000..ecadc40
--- /dev/null
@@ -0,0 +1,15 @@
+#ifndef _XT_MARK_H
+#define _XT_MARK_H
+
+#include <linux/types.h>
+
+struct xt_mark_tginfo2 {
+       __u32 mark, mask;
+};
+
+struct xt_mark_mtinfo1 {
+       __u32 mark, mask;
+       __u8 invert;
+};
+
+#endif /*_XT_MARK_H*/
diff --git a/include/uapi/linux/netfilter/xt_multiport.h b/include/uapi/linux/netfilter/xt_multiport.h
new file mode 100644 (file)
index 0000000..5b7e72d
--- /dev/null
@@ -0,0 +1,29 @@
+#ifndef _XT_MULTIPORT_H
+#define _XT_MULTIPORT_H
+
+#include <linux/types.h>
+
+enum xt_multiport_flags {
+       XT_MULTIPORT_SOURCE,
+       XT_MULTIPORT_DESTINATION,
+       XT_MULTIPORT_EITHER
+};
+
+#define XT_MULTI_PORTS 15
+
+/* Must fit inside union xt_matchinfo: 16 bytes */
+struct xt_multiport {
+       __u8 flags;                             /* Type of comparison */
+       __u8 count;                             /* Number of ports */
+       __u16 ports[XT_MULTI_PORTS];    /* Ports */
+};
+
+struct xt_multiport_v1 {
+       __u8 flags;                             /* Type of comparison */
+       __u8 count;                             /* Number of ports */
+       __u16 ports[XT_MULTI_PORTS];    /* Ports */
+       __u8 pflags[XT_MULTI_PORTS];    /* Port flags */
+       __u8 invert;                    /* Invert flag */
+};
+
+#endif /*_XT_MULTIPORT_H*/
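Review bot: The comment `/* Must fit inside union xt_matchinfo: 16 bytes */` above struct xt_multiport is inconsistent with the layout it describes: two `__u8` fields plus `__u16 ports[15]` are 32 bytes. The comment should be corrected or dropped, and `count` would benefit from `/* 1..XT_MULTI_PORTS; presumably validated at checkentry */` since it bounds the `ports`/`pflags` reads.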
diff --git a/include/uapi/linux/netfilter/xt_nfacct.h b/include/uapi/linux/netfilter/xt_nfacct.h
new file mode 100644 (file)
index 0000000..3e19c8a
--- /dev/null
@@ -0,0 +1,13 @@
+#ifndef _XT_NFACCT_MATCH_H
+#define _XT_NFACCT_MATCH_H
+
+#include <linux/netfilter/nfnetlink_acct.h>
+
+struct nf_acct;
+
+struct xt_nfacct_match_info {
+       char            name[NFACCT_NAME_MAX];
+       struct nf_acct  *nfacct;
+};
+
+#endif /* _XT_NFACCT_MATCH_H */
diff --git a/include/uapi/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h
new file mode 100644 (file)
index 0000000..18afa49
--- /dev/null
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 2003+ Evgeniy Polyakov <johnpol@2ka.mxt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _XT_OSF_H
+#define _XT_OSF_H
+
+#include <linux/types.h>
+
+#define MAXGENRELEN            32
+
+#define XT_OSF_GENRE           (1<<0)
+#define        XT_OSF_TTL              (1<<1)
+#define XT_OSF_LOG             (1<<2)
+#define XT_OSF_INVERT          (1<<3)
+
+#define XT_OSF_LOGLEVEL_ALL    0       /* log all matched fingerprints */
+#define XT_OSF_LOGLEVEL_FIRST  1       /* log only the first matced fingerprint */
+#define XT_OSF_LOGLEVEL_ALL_KNOWN      2 /* do not log unknown packets */
+
+#define XT_OSF_TTL_TRUE                0       /* True ip and fingerprint TTL comparison */
+#define XT_OSF_TTL_LESS                1       /* Check if ip TTL is less than fingerprint one */
+#define XT_OSF_TTL_NOCHECK     2       /* Do not compare ip and fingerprint TTL at all */
+
+struct xt_osf_info {
+       char                    genre[MAXGENRELEN];
+       __u32                   len;
+       __u32                   flags;
+       __u32                   loglevel;
+       __u32                   ttl;
+};
+
+/*
+ * Wildcard MSS (kind of).
+ * It is used to implement a state machine for the different wildcard values
+ * of the MSS and window sizes.
+ */
+struct xt_osf_wc {
+       __u32                   wc;
+       __u32                   val;
+};
+
+/*
+ * This struct represents IANA options
+ * http://www.iana.org/assignments/tcp-parameters
+ */
+struct xt_osf_opt {
+       __u16                   kind, length;
+       struct xt_osf_wc        wc;
+};
+
+struct xt_osf_user_finger {
+       struct xt_osf_wc        wss;
+
+       __u8                    ttl, df;
+       __u16                   ss, mss;
+       __u16                   opt_num;
+
+       char                    genre[MAXGENRELEN];
+       char                    version[MAXGENRELEN];
+       char                    subtype[MAXGENRELEN];
+
+       /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
+       struct xt_osf_opt       opt[MAX_IPOPTLEN];
+};
+
+struct xt_osf_nlmsg {
+       struct xt_osf_user_finger       f;
+       struct iphdr            ip;
+       struct tcphdr           tcp;
+};
+
+/* Defines for IANA option kinds */
+
+enum iana_options {
+       OSFOPT_EOL = 0,         /* End of options */
+       OSFOPT_NOP,             /* NOP */
+       OSFOPT_MSS,             /* Maximum segment size */
+       OSFOPT_WSO,             /* Window scale option */
+       OSFOPT_SACKP,           /* SACK permitted */
+       OSFOPT_SACK,            /* SACK */
+       OSFOPT_ECHO,
+       OSFOPT_ECHOREPLY,
+       OSFOPT_TS,              /* Timestamp option */
+       OSFOPT_POCP,            /* Partial Order Connection Permitted */
+       OSFOPT_POSP,            /* Partial Order Service Profile */
+
+       /* Others are not used in the current OSF */
+       OSFOPT_EMPTY = 255,
+};
+
+/*
+ * Initial window size option state machine: multiple of mss, mtu or
+ * plain numeric value. Can also be made as plain numeric value which
+ * is not a multiple of specified value.
+ */
+enum xt_osf_window_size_options {
+       OSF_WSS_PLAIN   = 0,
+       OSF_WSS_MSS,
+       OSF_WSS_MTU,
+       OSF_WSS_MODULO,
+       OSF_WSS_MAX,
+};
+
+/*
+ * Add/remove fingerprint from the kernel.
+ */
+enum xt_osf_msg_types {
+       OSF_MSG_ADD,
+       OSF_MSG_REMOVE,
+       OSF_MSG_MAX,
+};
+
+enum xt_osf_attr_type {
+       OSF_ATTR_UNSPEC,
+       OSF_ATTR_FINGER,
+       OSF_ATTR_MAX,
+};
+
+#endif                         /* _XT_OSF_H */
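Review bot: The comment on XT_OSF_LOGLEVEL_FIRST has a typo, "matced" for "matched", and the `#define<tab>XT_OSF_TTL` line uses a tab after `#define` where its neighbours use a space. `opt_num` in struct xt_osf_user_finger bounds the `opt[MAX_IPOPTLEN]` array and should say so: `__u16 opt_num;  /* number of valid entries in opt[], at most MAX_IPOPTLEN */`. The types used by struct xt_osf_nlmsg are not included here, as noted on xt_RATEEST.h.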
diff --git a/include/uapi/linux/netfilter/xt_owner.h b/include/uapi/linux/netfilter/xt_owner.h
new file mode 100644 (file)
index 0000000..2081761
--- /dev/null
@@ -0,0 +1,18 @@
+#ifndef _XT_OWNER_MATCH_H
+#define _XT_OWNER_MATCH_H
+
+#include <linux/types.h>
+
+enum {
+       XT_OWNER_UID    = 1 << 0,
+       XT_OWNER_GID    = 1 << 1,
+       XT_OWNER_SOCKET = 1 << 2,
+};
+
+struct xt_owner_match_info {
+       __u32 uid_min, uid_max;
+       __u32 gid_min, gid_max;
+       __u8 match, invert;
+};
+
+#endif /* _XT_OWNER_MATCH_H */
diff --git a/include/uapi/linux/netfilter/xt_physdev.h b/include/uapi/linux/netfilter/xt_physdev.h
new file mode 100644 (file)
index 0000000..db7a298
--- /dev/null
@@ -0,0 +1,23 @@
+#ifndef _UAPI_XT_PHYSDEV_H
+#define _UAPI_XT_PHYSDEV_H
+
+#include <linux/types.h>
+
+
+#define XT_PHYSDEV_OP_IN               0x01
+#define XT_PHYSDEV_OP_OUT              0x02
+#define XT_PHYSDEV_OP_BRIDGED          0x04
+#define XT_PHYSDEV_OP_ISIN             0x08
+#define XT_PHYSDEV_OP_ISOUT            0x10
+#define XT_PHYSDEV_OP_MASK             (0x20 - 1)
+
+struct xt_physdev_info {
+       char physindev[IFNAMSIZ];
+       char in_mask[IFNAMSIZ];
+       char physoutdev[IFNAMSIZ];
+       char out_mask[IFNAMSIZ];
+       __u8 invert;
+       __u8 bitmask;
+};
+
+#endif /* _UAPI_XT_PHYSDEV_H */
diff --git a/include/uapi/linux/netfilter/xt_pkttype.h b/include/uapi/linux/netfilter/xt_pkttype.h
new file mode 100644 (file)
index 0000000..f265cf5
--- /dev/null
@@ -0,0 +1,8 @@
+#ifndef _XT_PKTTYPE_H
+#define _XT_PKTTYPE_H
+
+struct xt_pkttype_info {
+       int     pkttype;
+       int     invert;
+};
+#endif /*_XT_PKTTYPE_H*/
diff --git a/include/uapi/linux/netfilter/xt_policy.h b/include/uapi/linux/netfilter/xt_policy.h
new file mode 100644 (file)
index 0000000..be8ead0
--- /dev/null
@@ -0,0 +1,69 @@
+#ifndef _XT_POLICY_H
+#define _XT_POLICY_H
+
+#include <linux/types.h>
+
+#define XT_POLICY_MAX_ELEM     4
+
+enum xt_policy_flags {
+       XT_POLICY_MATCH_IN      = 0x1,
+       XT_POLICY_MATCH_OUT     = 0x2,
+       XT_POLICY_MATCH_NONE    = 0x4,
+       XT_POLICY_MATCH_STRICT  = 0x8,
+};
+
+enum xt_policy_modes {
+       XT_POLICY_MODE_TRANSPORT,
+       XT_POLICY_MODE_TUNNEL
+};
+
+struct xt_policy_spec {
+       __u8    saddr:1,
+                       daddr:1,
+                       proto:1,
+                       mode:1,
+                       spi:1,
+                       reqid:1;
+};
+
+#ifndef __KERNEL__
+union xt_policy_addr {
+       struct in_addr  a4;
+       struct in6_addr a6;
+};
+#endif
+
+struct xt_policy_elem {
+       union {
+#ifdef __KERNEL__
+               struct {
+                       union nf_inet_addr saddr;
+                       union nf_inet_addr smask;
+                       union nf_inet_addr daddr;
+                       union nf_inet_addr dmask;
+               };
+#else
+               struct {
+                       union xt_policy_addr saddr;
+                       union xt_policy_addr smask;
+                       union xt_policy_addr daddr;
+                       union xt_policy_addr dmask;
+               };
+#endif
+       };
+       __be32                  spi;
+       __u32           reqid;
+       __u8            proto;
+       __u8            mode;
+
+       struct xt_policy_spec   match;
+       struct xt_policy_spec   invert;
+};
+
+struct xt_policy_info {
+       struct xt_policy_elem pol[XT_POLICY_MAX_ELEM];
+       __u16 flags;
+       __u16 len;
+};
+
+#endif /* _XT_POLICY_H */
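Review bot: The address union uses `struct in_addr`/`struct in6_addr` on the userspace side and `union nf_inet_addr` on the kernel side, but the header includes only `<linux/types.h>`, so neither branch compiles without the includer having pulled in the right definitions first; add `#include <linux/netfilter.h>`, `#include <linux/in.h>` and `#include <linux/in6.h>` next to the existing include. The `#ifdef __KERNEL__` block also now lives in an exported uapi header; if the install step strips `__KERNEL__` sections, userspace sees only `union xt_policy_addr`, and the match only works if that union has exactly the size and layout of `union nf_inet_addr`, which nothing here states. A comment on `union xt_policy_addr` such as `/* must stay the same size and layout as union nf_inet_addr */` would make that constraint visible to whoever next touches either type.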
diff --git a/include/uapi/linux/netfilter/xt_quota.h b/include/uapi/linux/netfilter/xt_quota.h
new file mode 100644 (file)
index 0000000..9314723
--- /dev/null
@@ -0,0 +1,22 @@
+#ifndef _XT_QUOTA_H
+#define _XT_QUOTA_H
+
+#include <linux/types.h>
+
+enum xt_quota_flags {
+       XT_QUOTA_INVERT         = 0x1,
+};
+#define XT_QUOTA_MASK          0x1
+
+struct xt_quota_priv;
+
+struct xt_quota_info {
+       __u32 flags;
+       __u32 pad;
+       __aligned_u64 quota;
+
+       /* Used internally by the kernel */
+       struct xt_quota_priv    *master;
+};
+
+#endif /* _XT_QUOTA_H */
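Review bot: `master` in `struct xt_quota_info` is a kernel pointer embedded in a struct that is otherwise the userspace-visible match blob, and the only documentation is "Used internally by the kernel". Whether the kernel zeroes this field before an entry is copied back to userspace is not visible here; if it does not, a process allowed to read the table learns a kernel heap address. I would make the expectation explicit in the comment: `/* Used internally by the kernel; has no meaning to userspace and must be cleared before the entry is copied back */`. As far as I can tell the preceding `__aligned_u64 quota` already keeps the struct the same size on 32- and 64-bit, so the pointer does not change the ABI layout.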
diff --git a/include/uapi/linux/netfilter/xt_rateest.h b/include/uapi/linux/netfilter/xt_rateest.h
new file mode 100644 (file)
index 0000000..d40a619
--- /dev/null
@@ -0,0 +1,37 @@
+#ifndef _XT_RATEEST_MATCH_H
+#define _XT_RATEEST_MATCH_H
+
+#include <linux/types.h>
+
+enum xt_rateest_match_flags {
+       XT_RATEEST_MATCH_INVERT = 1<<0,
+       XT_RATEEST_MATCH_ABS    = 1<<1,
+       XT_RATEEST_MATCH_REL    = 1<<2,
+       XT_RATEEST_MATCH_DELTA  = 1<<3,
+       XT_RATEEST_MATCH_BPS    = 1<<4,
+       XT_RATEEST_MATCH_PPS    = 1<<5,
+};
+
+enum xt_rateest_match_mode {
+       XT_RATEEST_MATCH_NONE,
+       XT_RATEEST_MATCH_EQ,
+       XT_RATEEST_MATCH_LT,
+       XT_RATEEST_MATCH_GT,
+};
+
+struct xt_rateest_match_info {
+       char                    name1[IFNAMSIZ];
+       char                    name2[IFNAMSIZ];
+       __u16           flags;
+       __u16           mode;
+       __u32           bps1;
+       __u32           pps1;
+       __u32           bps2;
+       __u32           pps2;
+
+       /* Used internally by the kernel */
+       struct xt_rateest       *est1 __attribute__((aligned(8)));
+       struct xt_rateest       *est2 __attribute__((aligned(8)));
+};
+
+#endif /* _XT_RATEEST_MATCH_H */
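Review bot: `IFNAMSIZ` for `name1`/`name2` is not provided by the only include here (`<linux/types.h>`), so the installed header does not compile standalone; add `#include <linux/if.h>`. The two `struct xt_rateest *` members are kernel pointers inside the userspace-visible match info; the `aligned(8)` keeps the layout identical across 32/64-bit, but the "Used internally by the kernel" comment should also say that their contents must never be trusted from userspace and are to be cleared before the entry is copied back — whether the kernel actually does so is outside this hunk.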
diff --git a/include/uapi/linux/netfilter/xt_realm.h b/include/uapi/linux/netfilter/xt_realm.h
new file mode 100644 (file)
index 0000000..d4a82ee
--- /dev/null
@@ -0,0 +1,12 @@
+#ifndef _XT_REALM_H
+#define _XT_REALM_H
+
+#include <linux/types.h>
+
+struct xt_realm_info {
+       __u32 id;
+       __u32 mask;
+       __u8 invert;
+};
+
+#endif /* _XT_REALM_H */
diff --git a/include/uapi/linux/netfilter/xt_recent.h b/include/uapi/linux/netfilter/xt_recent.h
new file mode 100644 (file)
index 0000000..6ef36c1
--- /dev/null
@@ -0,0 +1,45 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+#include <linux/types.h>
+
+enum {
+       XT_RECENT_CHECK    = 1 << 0,
+       XT_RECENT_SET      = 1 << 1,
+       XT_RECENT_UPDATE   = 1 << 2,
+       XT_RECENT_REMOVE   = 1 << 3,
+       XT_RECENT_TTL      = 1 << 4,
+       XT_RECENT_REAP     = 1 << 5,
+
+       XT_RECENT_SOURCE   = 0,
+       XT_RECENT_DEST     = 1,
+
+       XT_RECENT_NAME_LEN = 200,
+};
+
+/* Only allowed with --rcheck and --update */
+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
+
+#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
+                              XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+
+struct xt_recent_mtinfo {
+       __u32 seconds;
+       __u32 hit_count;
+       __u8 check_set;
+       __u8 invert;
+       char name[XT_RECENT_NAME_LEN];
+       __u8 side;
+};
+
+struct xt_recent_mtinfo_v1 {
+       __u32 seconds;
+       __u32 hit_count;
+       __u8 check_set;
+       __u8 invert;
+       char name[XT_RECENT_NAME_LEN];
+       __u8 side;
+       union nf_inet_addr mask;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */
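Review bot: `union nf_inet_addr`, used for `mask` in `struct xt_recent_mtinfo_v1`, is not declared by `<linux/types.h>`, the only include in this header, so the v1 struct does not compile for a userspace consumer that includes this file alone; add `#include <linux/netfilter.h>`. Separately, `name` is a fixed 200-byte array with no length field and no stated termination contract; I would annotate it `/* table name; must be NUL-terminated within XT_RECENT_NAME_LEN */`, since whether the kernel enforces that is not visible in this hunk.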
diff --git a/include/uapi/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h
new file mode 100644 (file)
index 0000000..29287be
--- /dev/null
@@ -0,0 +1,92 @@
+#ifndef _XT_SCTP_H_
+#define _XT_SCTP_H_
+
+#include <linux/types.h>
+
+#define XT_SCTP_SRC_PORTS              0x01
+#define XT_SCTP_DEST_PORTS             0x02
+#define XT_SCTP_CHUNK_TYPES            0x04
+
+#define XT_SCTP_VALID_FLAGS            0x07
+
+struct xt_sctp_flag_info {
+       __u8 chunktype;
+       __u8 flag;
+       __u8 flag_mask;
+};
+
+#define XT_NUM_SCTP_FLAGS      4
+
+struct xt_sctp_info {
+       __u16 dpts[2];  /* Min, Max */
+       __u16 spts[2];  /* Min, Max */
+
+       __u32 chunkmap[256 / sizeof (__u32)];  /* Bit mask of chunks to be matched according to RFC 2960 */
+
+#define SCTP_CHUNK_MATCH_ANY   0x01  /* Match if any of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ALL   0x02  /* Match if all of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ONLY  0x04  /* Match if these are the only chunk types present */
+
+       __u32 chunk_match_type;
+       struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS];
+       int flag_count;
+
+       __u32 flags;
+       __u32 invflags;
+};
+
+#define bytes(type) (sizeof(type) * 8)
+
+#define SCTP_CHUNKMAP_SET(chunkmap, type)              \
+       do {                                            \
+               (chunkmap)[type / bytes(__u32)] |=      \
+                       1 << (type % bytes(__u32));     \
+       } while (0)
+
+#define SCTP_CHUNKMAP_CLEAR(chunkmap, type)                    \
+       do {                                                    \
+               (chunkmap)[type / bytes(__u32)] &=              \
+                       ~(1 << (type % bytes(__u32)));  \
+       } while (0)
+
+#define SCTP_CHUNKMAP_IS_SET(chunkmap, type)                   \
+({                                                             \
+       ((chunkmap)[type / bytes (__u32)] &             \
+               (1 << (type % bytes (__u32)))) ? 1: 0;  \
+})
+
+#define SCTP_CHUNKMAP_RESET(chunkmap) \
+       memset((chunkmap), 0, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
+       memset((chunkmap), ~0U, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
+       memcpy((destmap), (srcmap), sizeof(srcmap))
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
+       __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n)
+{
+       unsigned int i;
+       for (i = 0; i < n; ++i)
+               if (chunkmap[i])
+                       return false;
+       return true;
+}
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
+       __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n)
+{
+       unsigned int i;
+       for (i = 0; i < n; ++i)
+               if (chunkmap[i] != ~0U)
+                       return false;
+       return true;
+}
+
+#endif /* _XT_SCTP_H_ */
+
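Review bot: `SCTP_CHUNKMAP_SET`, `SCTP_CHUNKMAP_CLEAR` and `SCTP_CHUNKMAP_IS_SET` build the bit with the signed expression `1 << (type % bytes(__u32))`; for any chunk type whose low five bits are all set (31, 63, …, 255) this is `1 << 31` on an `int`, which is undefined in ISO C, and `type` is not parenthesised, so a macro argument containing an operator binds wrongly. Use an unsigned one and parenthesise in all three: `1U << ((type) % bytes(__u32))`, and `~(1U << ((type) % bytes(__u32)))` in CLEAR. `bytes()` is also a misleading and very generic name for a bits-per-type helper now exported to every program that includes this header; renaming it is an ABI-neutral follow-up. `SCTP_CHUNKMAP_IS_CLEAR`/`IS_ALL_SET` further depend on `ARRAY_SIZE` and `bool`, neither of which this header provides for userspace.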
diff --git a/include/uapi/linux/netfilter/xt_set.h b/include/uapi/linux/netfilter/xt_set.h
new file mode 100644 (file)
index 0000000..e3a9978
--- /dev/null
@@ -0,0 +1,65 @@
+#ifndef _XT_SET_H
+#define _XT_SET_H
+
+#include <linux/types.h>
+#include <linux/netfilter/ipset/ip_set.h>
+
+/* Revision 0 interface: backward compatible with netfilter/iptables */
+
+/*
+ * Option flags for kernel operations (xt_set_info_v0)
+ */
+#define IPSET_SRC              0x01    /* Source match/add */
+#define IPSET_DST              0x02    /* Destination match/add */
+#define IPSET_MATCH_INV                0x04    /* Inverse matching */
+
+struct xt_set_info_v0 {
+       ip_set_id_t index;
+       union {
+               __u32 flags[IPSET_DIM_MAX + 1];
+               struct {
+                       __u32 __flags[IPSET_DIM_MAX];
+                       __u8 dim;
+                       __u8 flags;
+               } compat;
+       } u;
+};
+
+/* match and target infos */
+struct xt_set_info_match_v0 {
+       struct xt_set_info_v0 match_set;
+};
+
+struct xt_set_info_target_v0 {
+       struct xt_set_info_v0 add_set;
+       struct xt_set_info_v0 del_set;
+};
+
+/* Revision 1  match and target */
+
+struct xt_set_info {
+       ip_set_id_t index;
+       __u8 dim;
+       __u8 flags;
+};
+
+/* match and target infos */
+struct xt_set_info_match_v1 {
+       struct xt_set_info match_set;
+};
+
+struct xt_set_info_target_v1 {
+       struct xt_set_info add_set;
+       struct xt_set_info del_set;
+};
+
+/* Revision 2 target */
+
+struct xt_set_info_target_v2 {
+       struct xt_set_info add_set;
+       struct xt_set_info del_set;
+       __u32 flags;
+       __u32 timeout;
+};
+
+#endif /*_XT_SET_H*/
diff --git a/include/uapi/linux/netfilter/xt_socket.h b/include/uapi/linux/netfilter/xt_socket.h
new file mode 100644 (file)
index 0000000..26d7217
--- /dev/null
@@ -0,0 +1,14 @@
+#ifndef _XT_SOCKET_H
+#define _XT_SOCKET_H
+
+#include <linux/types.h>
+
+enum {
+       XT_SOCKET_TRANSPARENT = 1 << 0,
+};
+
+struct xt_socket_mtinfo1 {
+       __u8 flags;
+};
+
+#endif /* _XT_SOCKET_H */
diff --git a/include/uapi/linux/netfilter/xt_state.h b/include/uapi/linux/netfilter/xt_state.h
new file mode 100644 (file)
index 0000000..7b32de8
--- /dev/null
@@ -0,0 +1,12 @@
+#ifndef _XT_STATE_H
+#define _XT_STATE_H
+
+#define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
+#define XT_STATE_INVALID (1 << 0)
+
+#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
+
+struct xt_state_info {
+       unsigned int statemask;
+};
+#endif /*_XT_STATE_H*/
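Review bot: `XT_STATE_BIT` and `XT_STATE_UNTRACKED` expand to `IP_CT_IS_REPLY` and `IP_CT_NUMBER`, which this file does not declare and does not include anything for; any user reaching these macros without having included the conntrack common header first gets an undeclared-identifier error. Add `#include <linux/netfilter/nf_conntrack_common.h>` under the guard. `statemask` is declared `unsigned int` rather than `__u32`; the width is the same on every Linux ABI, but the fixed-width type is the convention the sibling headers in this series follow.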
diff --git a/include/uapi/linux/netfilter/xt_statistic.h b/include/uapi/linux/netfilter/xt_statistic.h
new file mode 100644 (file)
index 0000000..4e983ef
--- /dev/null
@@ -0,0 +1,36 @@
+#ifndef _XT_STATISTIC_H
+#define _XT_STATISTIC_H
+
+#include <linux/types.h>
+
+enum xt_statistic_mode {
+       XT_STATISTIC_MODE_RANDOM,
+       XT_STATISTIC_MODE_NTH,
+       __XT_STATISTIC_MODE_MAX
+};
+#define XT_STATISTIC_MODE_MAX (__XT_STATISTIC_MODE_MAX - 1)
+
+enum xt_statistic_flags {
+       XT_STATISTIC_INVERT             = 0x1,
+};
+#define XT_STATISTIC_MASK              0x1
+
+struct xt_statistic_priv;
+
+struct xt_statistic_info {
+       __u16                   mode;
+       __u16                   flags;
+       union {
+               struct {
+                       __u32   probability;
+               } random;
+               struct {
+                       __u32   every;
+                       __u32   packet;
+                       __u32   count; /* unused */
+               } nth;
+       } u;
+       struct xt_statistic_priv *master __attribute__((aligned(8)));
+};
+
+#endif /* _XT_STATISTIC_H */
diff --git a/include/uapi/linux/netfilter/xt_string.h b/include/uapi/linux/netfilter/xt_string.h
new file mode 100644 (file)
index 0000000..235347c
--- /dev/null
@@ -0,0 +1,34 @@
+#ifndef _XT_STRING_H
+#define _XT_STRING_H
+
+#include <linux/types.h>
+
+#define XT_STRING_MAX_PATTERN_SIZE 128
+#define XT_STRING_MAX_ALGO_NAME_SIZE 16
+
+enum {
+       XT_STRING_FLAG_INVERT           = 0x01,
+       XT_STRING_FLAG_IGNORECASE       = 0x02
+};
+
+struct xt_string_info {
+       __u16 from_offset;
+       __u16 to_offset;
+       char      algo[XT_STRING_MAX_ALGO_NAME_SIZE];
+       char      pattern[XT_STRING_MAX_PATTERN_SIZE];
+       __u8  patlen;
+       union {
+               struct {
+                       __u8  invert;
+               } v0;
+
+               struct {
+                       __u8  flags;
+               } v1;
+       } u;
+
+       /* Used internally by the kernel */
+       struct ts_config __attribute__((aligned(8))) *config;
+};
+
+#endif /*_XT_STRING_H*/
diff --git a/include/uapi/linux/netfilter/xt_tcpmss.h b/include/uapi/linux/netfilter/xt_tcpmss.h
new file mode 100644 (file)
index 0000000..fbac56b
--- /dev/null
@@ -0,0 +1,11 @@
+#ifndef _XT_TCPMSS_MATCH_H
+#define _XT_TCPMSS_MATCH_H
+
+#include <linux/types.h>
+
+struct xt_tcpmss_match_info {
+    __u16 mss_min, mss_max;
+    __u8 invert;
+};
+
+#endif /*_XT_TCPMSS_MATCH_H*/
diff --git a/include/uapi/linux/netfilter/xt_tcpudp.h b/include/uapi/linux/netfilter/xt_tcpudp.h
new file mode 100644 (file)
index 0000000..38aa7b3
--- /dev/null
@@ -0,0 +1,36 @@
+#ifndef _XT_TCPUDP_H
+#define _XT_TCPUDP_H
+
+#include <linux/types.h>
+
+/* TCP matching stuff */
+struct xt_tcp {
+       __u16 spts[2];                  /* Source port range. */
+       __u16 dpts[2];                  /* Destination port range. */
+       __u8 option;                    /* TCP Option iff non-zero*/
+       __u8 flg_mask;                  /* TCP flags mask byte */
+       __u8 flg_cmp;                   /* TCP flags compare byte */
+       __u8 invflags;                  /* Inverse flags */
+};
+
+/* Values for "inv" field in struct ipt_tcp. */
+#define XT_TCP_INV_SRCPT       0x01    /* Invert the sense of source ports. */
+#define XT_TCP_INV_DSTPT       0x02    /* Invert the sense of dest ports. */
+#define XT_TCP_INV_FLAGS       0x04    /* Invert the sense of TCP flags. */
+#define XT_TCP_INV_OPTION      0x08    /* Invert the sense of option test. */
+#define XT_TCP_INV_MASK                0x0F    /* All possible flags. */
+
+/* UDP matching stuff */
+struct xt_udp {
+       __u16 spts[2];                  /* Source port range. */
+       __u16 dpts[2];                  /* Destination port range. */
+       __u8 invflags;                  /* Inverse flags */
+};
+
+/* Values for "invflags" field in struct ipt_udp. */
+#define XT_UDP_INV_SRCPT       0x01    /* Invert the sense of source ports. */
+#define XT_UDP_INV_DSTPT       0x02    /* Invert the sense of dest ports. */
+#define XT_UDP_INV_MASK        0x03    /* All possible flags. */
+
+
+#endif
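Review bot: The comments `/* Values for "inv" field in struct ipt_tcp. */` and `/* Values for "invflags" field in struct ipt_udp. */` name a field and structs that do not exist in this header — the structs are `xt_tcp`/`xt_udp` and the field is `invflags` in both. Since this file is now the exported definition, correct them to `/* Values for the "invflags" field in struct xt_tcp. */` and `/* Values for the "invflags" field in struct xt_udp. */`.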
diff --git a/include/uapi/linux/netfilter/xt_time.h b/include/uapi/linux/netfilter/xt_time.h
new file mode 100644 (file)
index 0000000..0958860
--- /dev/null
@@ -0,0 +1,32 @@
+#ifndef _XT_TIME_H
+#define _XT_TIME_H 1
+
+#include <linux/types.h>
+
+struct xt_time_info {
+       __u32 date_start;
+       __u32 date_stop;
+       __u32 daytime_start;
+       __u32 daytime_stop;
+       __u32 monthdays_match;
+       __u8 weekdays_match;
+       __u8 flags;
+};
+
+enum {
+       /* Match against local time (instead of UTC) */
+       XT_TIME_LOCAL_TZ = 1 << 0,
+
+       /* treat timestart > timestop (e.g. 23:00-01:00) as single period */
+       XT_TIME_CONTIGUOUS = 1 << 1,
+
+       /* Shortcuts */
+       XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,
+       XT_TIME_ALL_WEEKDAYS  = 0xFE,
+       XT_TIME_MIN_DAYTIME   = 0,
+       XT_TIME_MAX_DAYTIME   = 24 * 60 * 60 - 1,
+};
+
+#define XT_TIME_ALL_FLAGS (XT_TIME_LOCAL_TZ|XT_TIME_CONTIGUOUS)
+
+#endif /* _XT_TIME_H */
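Review bot: `XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE` inside an anonymous `enum` is a value not representable as `int`, which ISO C does not permit for an enumerator (GCC accepts it as an extension and warns under -pedantic); for an exported userspace header a macro is the safer form: `#define XT_TIME_ALL_MONTHDAYS 0xFFFFFFFEU`. It would also help to say what the bits of `monthdays_match`/`weekdays_match` mean — from the `0xFFFFFFFE`/`0xFE` shortcuts it looks like bit n stands for day n with bit 0 unused, but that should be confirmed against the match and then recorded as `/* bit n = day n; bit 0 unused */`.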
diff --git a/include/uapi/linux/netfilter/xt_u32.h b/include/uapi/linux/netfilter/xt_u32.h
new file mode 100644 (file)
index 0000000..04d1bfe
--- /dev/null
@@ -0,0 +1,42 @@
+#ifndef _XT_U32_H
+#define _XT_U32_H 1
+
+#include <linux/types.h>
+
+enum xt_u32_ops {
+       XT_U32_AND,
+       XT_U32_LEFTSH,
+       XT_U32_RIGHTSH,
+       XT_U32_AT,
+};
+
+struct xt_u32_location_element {
+       __u32 number;
+       __u8 nextop;
+};
+
+struct xt_u32_value_element {
+       __u32 min;
+       __u32 max;
+};
+
+/*
+ * Any way to allow for an arbitrary number of elements?
+ * For now, I settle with a limit of 10 each.
+ */
+#define XT_U32_MAXSIZE 10
+
+struct xt_u32_test {
+       struct xt_u32_location_element location[XT_U32_MAXSIZE+1];
+       struct xt_u32_value_element value[XT_U32_MAXSIZE+1];
+       __u8 nnums;
+       __u8 nvalues;
+};
+
+struct xt_u32 {
+       struct xt_u32_test tests[XT_U32_MAXSIZE+1];
+       __u8 ntests;
+       __u8 invert;
+};
+
+#endif /* _XT_U32_H */
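Review bot: `nnums`, `nvalues` and `ntests` are user-supplied counts that index the fixed `[XT_U32_MAXSIZE+1]` arrays, and `XT_U32_AT` lets a test move the read offset based on packet contents, yet the header says nothing about the bounds the kernel enforces and the checkentry that would enforce them is not in this hunk. I would record the contract on the struct, `/* nnums, nvalues and ntests must not exceed XT_U32_MAXSIZE+1; validated by the match's checkentry */`, after confirming in xt_u32.c that the validation actually exists — this header alone cannot show it.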