diff options
| author | Ralf Baechle <ralf@linux-mips.org> | 2000-03-23 02:25:38 +0000 |
|---|---|---|
| committer | Ralf Baechle <ralf@linux-mips.org> | 2000-03-23 02:25:38 +0000 |
| commit | 16b5d462f73eb29d1f67fa01cc1ea66afdc72569 (patch) | |
| tree | 5407bd573f4840e473ea27cbe61e5c7a07131fcd /include/linux | |
| parent | ce8a076e11e7e5ee36007f9a3eee5bb3744cb8f6 (diff) | |
Merge with Linux 2.3.99-pre2.
Diffstat (limited to 'include/linux')
55 files changed, 2288 insertions, 53 deletions
diff --git a/include/linux/ac97_codec.h b/include/linux/ac97_codec.h index 50c75c3a8..da8730aef 100644 --- a/include/linux/ac97_codec.h +++ b/include/linux/ac97_codec.h @@ -39,6 +39,21 @@ #define AC97_RESERVED_3A 0x003A /* Reserved */ /* range 0x3c-0x58 - MODEM */ +#define AC97_EXTENDED_MODEM_ID 0x003C +#define AC97_EXTEND_MODEM_STAT 0x003E +#define AC97_LINE1_RATE 0x0040 +#define AC97_LINE2_RATE 0x0042 +#define AC97_HANDSET_RATE 0x0044 +#define AC97_LINE1_LEVEL 0x0046 +#define AC97_LINE2_LEVEL 0x0048 +#define AC97_HANDSET_LEVEL 0x004A +#define AC97_GPIO_CONFIG 0x004C +#define AC97_GPIO_POLARITY 0x004E +#define AC97_GPIO_STICKY 0x0050 +#define AC97_GPIO_WAKE_UP 0x0052 +#define AC97_GPIO_STATUS 0x0054 +#define AC97_MISC_MODEM_STAT 0x0056 +#define AC97_RESERVED_58 0x0058 /* registers 0x005a - 0x007a are vendor reserved */ @@ -150,6 +165,9 @@ struct ac97_codec { /* saved OSS mixer states */ unsigned int mixer_state[SOUND_MIXER_NRDEVICES]; + + /* Software Modem interface */ + int (*modem_ioctl)(struct ac97_codec *codec, unsigned int cmd, unsigned long arg); }; extern int ac97_read_proc (char *page_out, char **start, off_t off, diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 31721c101..14e163b0e 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -37,7 +37,7 @@ struct linux_binfmt { struct linux_binfmt * next; struct module *module; int (*load_binary)(struct linux_binprm *, struct pt_regs * regs); - int (*load_shlib)(int fd); + int (*load_shlib)(struct file *); int (*core_dump)(long signr, struct pt_regs * regs, struct file * file); unsigned long min_coredump; /* minimal dump size */ }; diff --git a/include/linux/fs.h b/include/linux/fs.h index bd37850b7..1001d5cba 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -589,6 +589,7 @@ struct super_block { struct list_head s_files; struct block_device *s_bdev; + struct quota_mount_options s_dquot; /* Diskquota specific options */ union { struct minix_sb_info minix_sb; @@ -730,7 +731,6 @@ struct file_system_type { struct file_system_type * next; }; -#ifdef MODULE #define DECLARE_FSTYPE(var,type,read,flags) \ struct file_system_type var = { \ name: type, \ @@ -738,14 +738,6 @@ struct file_system_type var = { \ fs_flags: flags, \ owner: THIS_MODULE, \ } -#else -#define DECLARE_FSTYPE(var,type,read,flags) \ -struct file_system_type var = { \ - name: type, \ - read_super: read, \ - fs_flags: flags, \ -} -#endif #define DECLARE_FSTYPE_DEV(var,type,read) \ DECLARE_FSTYPE(var,type,read,FS_REQUIRES_DEV) @@ -821,7 +813,7 @@ extern int do_truncate(struct dentry *, loff_t start); extern int get_unused_fd(void); extern void put_unused_fd(unsigned int); -extern struct file *filp_open(const char *, int, int); +extern struct file *filp_open(const char *, int, int, struct dentry *); extern int filp_close(struct file *, fl_owner_t id); extern char * getname(const char *); @@ -936,10 +928,15 @@ extern int notify_change(struct dentry *, struct iattr *); extern int permission(struct inode *, int); extern int get_write_access(struct inode *); extern void put_write_access(struct inode *); -extern struct dentry * open_namei(const char *, int, int); extern struct dentry * do_mknod(const char *, int, dev_t); extern int do_pipe(int *); -extern int do_unlink(const char * name); +extern int do_unlink(const char * name, struct dentry *); +extern struct dentry * __open_namei(const char *, int, int, struct dentry *); + +static inline struct dentry * open_namei(const char *pathname) +{ + return __open_namei(pathname, 0, 0, NULL); +} /* fs/dcache.c -- generic fs support functions */ extern int is_subdir(struct dentry *, struct dentry *); @@ -989,6 +986,7 @@ typedef int (*read_actor_t)(read_descriptor_t *, struct page *, unsigned long, u extern struct dentry * lookup_dentry(const char *, struct dentry *, unsigned int); +extern struct dentry * lookup_one(const char *, struct dentry *); extern struct dentry * __namei(const char *, unsigned int); #define namei(pathname) __namei(pathname, 1) diff --git a/include/linux/hdreg.h b/include/linux/hdreg.h index 3509c5cb9..94030b18d 100644 --- a/include/linux/hdreg.h +++ b/include/linux/hdreg.h @@ -193,6 +193,8 @@ struct hd_geometry { #define HDIO_SET_NICE 0x0329 /* set nice flags */ #define HDIO_UNREGISTER_HWIF 0x032a /* unregister interface */ +#define __NEW_HD_DRIVE_ID + /* structure returned by HDIO_GET_IDENTITY, as per ANSI ATA2 rev.2f spec */ struct hd_driveid { unsigned short config; /* lots of obsolete bit flags */ @@ -256,7 +258,7 @@ struct hd_driveid { unsigned short CurAPMvalues; /* current APM values */ unsigned short word92; /* reserved (word 92) */ unsigned short hw_config; /* hardware config */ - unsigned short words94_125[33];/* reserved words 94-125 */ + unsigned short words94_125[31];/* reserved words 94-125 */ unsigned short last_lun; /* reserved (word 126) */ unsigned short word127; /* reserved (word 127) */ unsigned short dlf; /* device lock function diff --git a/include/linux/highmem.h b/include/linux/highmem.h index 2e31d77f2..3049ad259 100644 --- a/include/linux/highmem.h +++ b/include/linux/highmem.h @@ -29,6 +29,15 @@ extern inline unsigned int nr_free_highpages(void) { return 0; } #endif /* CONFIG_HIGHMEM */ /* when CONFIG_HIGHMEM is not set these will be plain clear/copy_page */ +extern inline void clear_user_highpage(struct page *page, unsigned long vaddr) +{ + unsigned long kaddr; + + kaddr = kmap(page); + clear_user_page((void *)kaddr, vaddr); + kunmap(page); +} + extern inline void clear_highpage(struct page *page) { unsigned long kaddr; @@ -64,6 +73,17 @@ extern inline void memclear_highpage_flush(struct page *page, unsigned int offse kunmap(page); } +extern inline void copy_user_highpage(struct page *to, struct page *from, unsigned long vaddr) +{ + unsigned long vfrom, vto; + + vfrom = kmap(from); + vto = kmap(to); + copy_user_page((void *)vto, (void *)vfrom, vaddr); + kunmap(from); + kunmap(to); +} + extern inline void copy_highpage(struct page *to, struct page *from) { unsigned long vfrom, vto; diff --git a/include/linux/i2c-algo-pcf.h b/include/linux/i2c-algo-pcf.h index edb6ce644..892d737ca 100644 --- a/include/linux/i2c-algo-pcf.h +++ b/include/linux/i2c-algo-pcf.h @@ -22,10 +22,10 @@ /* With some changes from Kyösti Mälkki <kmalkki@cc.hut.fi> and even Frodo Looijaard <frodol@dds.nl> */ -/* $Id: i2c-algo-pcf.h,v 1.6 1999/12/21 23:45:58 frodo Exp $ */ +/* $Id: i2c-algo-pcf.h,v 1.7 2000/02/27 23:02:45 frodo Exp $ */ #ifndef I2C_ALGO_PCF_H -#define I2C_AGLO_PCF_H 1 +#define I2C_ALGO_PCF_H 1 /* --- Defines for pcf-adapters --------------------------------------- */ #include <linux/i2c.h> diff --git a/include/linux/i2c-dev.h b/include/linux/i2c-dev.h index 7588f626b..39ed2adfa 100644 --- a/include/linux/i2c-dev.h +++ b/include/linux/i2c-dev.h @@ -19,7 +19,7 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -/* $Id: i2c-dev.h,v 1.6 2000/01/24 21:56:58 frodo Exp $ */ +/* $Id: i2c-dev.h,v 1.7 2000/02/15 17:57:27 frodo Exp $ */ #ifndef I2C_DEV_H #define I2C_DEV_H @@ -39,6 +39,12 @@ struct i2c_smbus_ioctl_data { union i2c_smbus_data *data; }; +/* This is the structure as used in the I2C_RDWR ioctl call */ +struct i2c_rdwr_ioctl_data { + struct i2c_msg *msgs; /* pointers to i2c_msgs */ + int nmsgs; /* number of i2c_msgs */ +}; + #ifndef __KERNEL__ #include <sys/ioctl.h> diff --git a/include/linux/i2c-id.h b/include/linux/i2c-id.h index ed98106ed..ae788ce52 100644 --- a/include/linux/i2c-id.h +++ b/include/linux/i2c-id.h @@ -20,7 +20,7 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ /* ------------------------------------------------------------------------- */ -/* $Id: i2c-id.h,v 1.10 2000/02/04 02:47:41 mds Exp $ */ +/* $Id: i2c-id.h,v 1.15 2000/03/16 14:01:57 frodo Exp $ */ #ifndef I2C_ID_H #define I2C_ID_H @@ -92,9 +92,7 @@ #define I2C_ALGO_ATI 0x030000 /* ATI video card */ #define I2C_ALGO_SMBUS 0x040000 #define I2C_ALGO_ISA 0x050000 /* lm_sensors ISA pseudo-adapter */ -#define I2C_ALGO_SAA714 0x060000 /* SAA 7146 video decoder bus */ -#define I2C_ALGO_SAA7146A 0x060001 /* SAA 7146A - enhanced version */ - +#define I2C_ALGO_SAA7146 0x060000 /* SAA 7146 video decoder bus */ #define I2C_ALGO_EXP 0x800000 /* experimental */ @@ -120,6 +118,7 @@ #define I2C_HW_B_HYDRA 0x08 /* Apple Hydra Mac I/O */ #define I2C_HW_B_G400 0x09 /* Matrox G400 */ #define I2C_HW_B_I810 0x0a /* Intel I810 */ +#define I2C_HW_B_VOO 0x0b /* 3dfx Voodoo 3 / Banshee */ #define I2C_HW_B_RIVA 0x10 /* Riva based graphics cards */ #define I2C_HW_B_IOC 0x11 /* IOC bit-wiggling */ diff --git a/include/linux/i2c.h b/include/linux/i2c.h index 3aa308bc2..f1f82a1c8 100644 --- a/include/linux/i2c.h +++ b/include/linux/i2c.h @@ -23,7 +23,7 @@ /* With some changes from Kyösti Mälkki <kmalkki@cc.hut.fi> and Frodo Looijaard <frodol@dds.nl> */ -/* $Id: i2c.h,v 1.36 2000/01/18 23:54:07 frodo Exp $ */ +/* $Id: i2c.h,v 1.37 2000/02/15 17:57:27 frodo Exp $ */ #ifndef I2C_H #define I2C_H @@ -441,6 +441,7 @@ union i2c_smbus_data { #define I2C_TENBIT 0x0704 /* 0 for 7 bit addrs, != 0 for 10 bit */ #define I2C_FUNCS 0x0705 /* Get the adapter functionality */ +#define I2C_RDWR 0x0707 /* Combined R/W transfer (one stop only)*/ #if 0 #define I2C_ACK_TEST 0x0710 /* See if a slave is at a specific adress */ #endif @@ -452,7 +453,6 @@ union i2c_smbus_data { /* written byte (except address) */ #define I2C_MDELAY 0x0706 /* millisec delay between written bytes */ - /* ----- I2C-DEV: char device interface stuff ------------------------- */ #define I2C_MAJOR 89 /* Device major number */ diff --git a/include/linux/icmp.h b/include/linux/icmp.h index fb4ed8b9a..292888923 100644 --- a/include/linux/icmp.h +++ b/include/linux/icmp.h @@ -82,10 +82,31 @@ struct icmphdr { #ifdef __KERNEL__ +#include <linux/ip.h> + struct icmp_err { int errno; unsigned fatal:1; }; + +/* + * Build xmit assembly blocks + */ + +struct icmp_bxm +{ + void *data_ptr; + int data_len; + struct icmphdr icmph; + unsigned long csum; + struct ip_options replyopts; + unsigned char optbuf[40]; +}; + +struct sk_buff; + +extern void icmp_reply(struct icmp_bxm *, struct sk_buff *); + #endif /* diff --git a/include/linux/kernel.h b/include/linux/kernel.h index d5b204c2c..02341868d 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -15,8 +15,10 @@ #define barrier() __asm__ __volatile__("": : :"memory") #define INT_MAX ((int)(~0U>>1)) +#define INT_MIN (-INT_MAX - 1) #define UINT_MAX (~0U) #define LONG_MAX ((long)(~0UL>>1)) +#define LONG_MIN (-LONG_MAX - 1) #define ULONG_MAX (~0UL) #define STACK_MAGIC 0xdeadbeef diff --git a/include/linux/module.h b/include/linux/module.h index 915342edd..7507d6add 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -207,15 +207,13 @@ extern struct module __this_module; #define MOD_DEC_USE_COUNT __MOD_DEC_USE_COUNT(THIS_MODULE) #define MOD_IN_USE __MOD_IN_USE(THIS_MODULE) -#ifndef __NO_VERSION__ #include <linux/version.h> -const char __module_kernel_version[] __attribute__((section(".modinfo"))) = +static const char __module_kernel_version[] __attribute__((section(".modinfo"))) = "kernel_version=" UTS_RELEASE; #ifdef MODVERSIONS -const char __module_using_checksums[] __attribute__((section(".modinfo"))) = +static const char __module_using_checksums[] __attribute__((section(".modinfo"))) = "using_checksums=1"; #endif -#endif #else /* MODULE */ diff --git a/include/linux/mount.h b/include/linux/mount.h index 86dc89c47..c2dcfe93f 100644 --- a/include/linux/mount.h +++ b/include/linux/mount.h @@ -30,14 +30,10 @@ struct vfsmount kdev_t mnt_dev; /* Device this applies to */ char *mnt_devname; /* Name of device e.g. /dev/dsk/hda1 */ char *mnt_dirname; /* Name of directory mounted on */ - unsigned int mnt_flags; /* Flags of this device */ struct super_block *mnt_sb; /* pointer to superblock */ - struct quota_mount_options mnt_dquot; /* Diskquota specific mount options */ struct vfsmount *mnt_next; /* pointer to next in linkedlist */ }; -struct vfsmount *lookup_vfsmnt(kdev_t dev); - /* * Umount options */ diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 9b72c14de..c18810e52 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -16,7 +16,8 @@ #define NF_ACCEPT 1 #define NF_STOLEN 2 #define NF_QUEUE 3 -#define NF_MAX_VERDICT NF_QUEUE +#define NF_REPEAT 4 +#define NF_MAX_VERDICT NF_REPEAT /* Generic cache responses from hook functions. */ #define NFC_ALTERED 0x8000 @@ -66,6 +67,10 @@ struct nf_sockopt_ops int get_optmin; int get_optmax; int (*get)(struct sock *sk, int optval, void *user, int *len); + + /* Number of users inside set() or get(). */ + unsigned int use; + struct task_struct *cleanup_task; }; /* Each queued (to userspace) skbuff has one of these. */ @@ -173,12 +178,4 @@ extern void nf_invalidate_cache(int pf); #define SUMIN(a,b) ((size_t)(a)<(size_t)(b) ? (ssize_t)(a) : (ssize_t)(b)) #endif /*__KERNEL__*/ -enum nf_reason { - /* Do not, NOT, reorder these. Add at end. */ - NF_REASON_NONE, - NF_REASON_SET_BY_IPCHAINS, - NF_REASON_FOR_ROUTING, - NF_REASON_FOR_CLS_FW, -}; - #endif /*__LINUX_NETFILTER_H*/ diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h index 6111c47d8..3a41356db 100644 --- a/include/linux/netfilter_ipv4.h +++ b/include/linux/netfilter_ipv4.h @@ -49,6 +49,16 @@ #define NF_IP_POST_ROUTING 4 #define NF_IP_NUMHOOKS 5 +enum nf_ip_hook_priorities { + NF_IP_PRI_FIRST = INT_MIN, + NF_IP_PRI_CONNTRACK = -200, + NF_IP_PRI_MANGLE = -150, + NF_IP_PRI_NAT_DST = -100, + NF_IP_PRI_FILTER = 0, + NF_IP_PRI_NAT_SRC = 100, + NF_IP_PRI_LAST = INT_MAX, +}; + #ifdef CONFIG_NETFILTER_DEBUG #ifdef __KERNEL__ void nf_debug_ip_local_deliver(struct sk_buff *skb); diff --git a/include/linux/netfilter_ipv4/compat_firewall.h b/include/linux/netfilter_ipv4/compat_firewall.h new file mode 100644 index 000000000..ed07ff91c --- /dev/null +++ b/include/linux/netfilter_ipv4/compat_firewall.h @@ -0,0 +1,45 @@ +/* Minor modifications to fit on compatibility framework: + Rusty.Russell@rustcorp.com.au +*/ + +#ifndef __LINUX_FIREWALL_H +#define __LINUX_FIREWALL_H + +/* + * Definitions for loadable firewall modules + */ + +#define FW_QUEUE 0 +#define FW_BLOCK 1 +#define FW_ACCEPT 2 +#define FW_REJECT (-1) +#define FW_REDIRECT 3 +#define FW_MASQUERADE 4 +#define FW_SKIP 5 + +struct firewall_ops +{ + struct firewall_ops *next; + int (*fw_forward)(struct firewall_ops *this, int pf, + struct net_device *dev, void *phdr, void *arg, + struct sk_buff **pskb); + int (*fw_input)(struct firewall_ops *this, int pf, + struct net_device *dev, void *phdr, void *arg, + struct sk_buff **pskb); + int (*fw_output)(struct firewall_ops *this, int pf, + struct net_device *dev, void *phdr, void *arg, + struct sk_buff **pskb); + /* These may be NULL. */ + int (*fw_acct_in)(struct firewall_ops *this, int pf, + struct net_device *dev, void *phdr, void *arg, + struct sk_buff **pskb); + int (*fw_acct_out)(struct firewall_ops *this, int pf, + struct net_device *dev, void *phdr, void *arg, + struct sk_buff **pskb); +}; + +extern int register_firewall(int pf, struct firewall_ops *fw); +extern int unregister_firewall(int pf, struct firewall_ops *fw); + +extern int ip_fw_masq_timeouts(void *user, int len); +#endif /* __LINUX_FIREWALL_H */ diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h new file mode 100644 index 000000000..12cf75136 --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_conntrack.h @@ -0,0 +1,177 @@ +#ifndef _IP_CONNTRACK_H +#define _IP_CONNTRACK_H +/* Connection state tracking for netfilter. This is separated from, + but required by, the NAT layer; it can also be used by an iptables + extension. */ + +#include <linux/config.h> +#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> + +enum ip_conntrack_info +{ + /* Part of an established connection (either direction). */ + IP_CT_ESTABLISHED, + + /* Like NEW, but related to an existing connection, or ICMP error + (in either direction). */ + IP_CT_RELATED, + + /* Started a new connection to track (only + IP_CT_DIR_ORIGINAL); may be a retransmission. */ + IP_CT_NEW, + + /* >= this indicates reply direction */ + IP_CT_IS_REPLY, + + /* Number of distinct IP_CT types (no NEW in reply dirn). */ + IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 +}; + +#ifdef __KERNEL__ + +#include <linux/types.h> +#include <linux/skbuff.h> + +#ifdef CONFIG_NF_DEBUG +#define IP_NF_ASSERT(x) \ +do { \ + if (!(x)) \ + /* Wooah! I'm tripping my conntrack in a frenzy of \ + netplay... */ \ + printk("NF_IP_ASSERT: %s:%i(%s)\n", \ + __FILE__, __LINE__, __FUNCTION__); \ +} while(0) +#else +#define IP_NF_ASSERT(x) +#endif + +/* Bitset representing status of connection. */ +enum ip_conntrack_status { + /* It's an expected connection: bit 0 set. This bit never changed */ + IPS_EXPECTED = 0x01, + + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ + IPS_SEEN_REPLY = 0x02 +}; + +struct ip_conntrack_expect +{ + /* Internal linked list */ + struct list_head list; + + /* We expect this tuple, but DON'T CARE ABOUT THE SOURCE + per-protocol part. */ + struct ip_conntrack_tuple tuple; + + /* The conntrack we are part of (set iff we're live) */ + struct ip_conntrack *expectant; +}; + +#if defined(CONFIG_IP_NF_NAT) || defined(CONFIG_IP_NF_NAT_MODULE) +#include <linux/netfilter_ipv4/ip_nat.h> +#endif + +#if defined(CONFIG_IP_NF_FTP) || defined(CONFIG_IP_NF_FTP_MODULE) +#include <linux/netfilter_ipv4/ip_conntrack_ftp.h> +#if defined(CONFIG_IP_NF_NAT) || defined(CONFIG_IP_NF_NAT_MODULE) +#include <linux/netfilter_ipv4/ip_nat_ftp.h> +#endif +#endif + +struct ip_conntrack +{ + /* Usage count in here is 1 for destruct timer, 1 per skb, + plus 1 for any connection(s) we are `master' for */ + struct nf_conntrack ct_general; + + /* These are my tuples; original and reply */ + struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; + + /* Have we seen traffic both ways yet? (bitset) */ + unsigned int status; + + /* Timer function; drops refcnt when it goes off. */ + struct timer_list timeout; + + /* If we're expecting another related connection, this will be + in expected linked list */ + struct ip_conntrack_expect expected; + + /* If we were expected by another connection, this will be it */ + struct nf_ct_info master; + + /* Helper, if any. */ + struct ip_conntrack_helper *helper; + + /* Our various nf_ct_info structs specify *what* relation this + packet has to the conntrack */ + struct nf_ct_info infos[IP_CT_NUMBER]; + + /* Storage reserved for other modules: */ + + union { + int /*enum tcp_conntrack*/ tcp_state; + } proto; + + union { +#if defined(CONFIG_IP_NF_FTP) || defined(CONFIG_IP_NF_FTP_MODULE) + struct ip_ct_ftp ct_ftp_info; +#endif + } help; + +#if defined(CONFIG_IP_NF_NAT) || defined(CONFIG_IP_NF_NAT_MODULE) + struct { + struct ip_nat_info info; + union { +#if defined(CONFIG_IP_NF_FTP) || defined(CONFIG_IP_NF_FTP_MODULE) + struct ip_nat_ftp_info ftp_info[IP_CT_DIR_MAX]; +#endif + } help; +#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \ + defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE) + int masq_index; +#endif + } nat; +#endif /* CONFIG_IP_NF_NAT || CONFIG_IP_NF_NAT_MODULE */ + +}; + +/* Alter reply tuple (maybe alter helper). If it's already taken, + return 0 and don't do alteration. */ +extern int +ip_conntrack_alter_reply(struct ip_conntrack *conntrack, + const struct ip_conntrack_tuple *newreply); + +/* Is this tuple taken? (ignoring any belonging to the given + conntrack). */ +extern int +ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple, + const struct ip_conntrack *ignored_conntrack); + +/* Return conntrack_info and tuple hash for given skb. */ +extern struct ip_conntrack * +ip_conntrack_get(struct sk_buff *skb, enum ip_conntrack_info *ctinfo); + +extern struct module *ip_conntrack_module; + +extern int invert_tuplepr(struct ip_conntrack_tuple *inverse, + const struct ip_conntrack_tuple *orig); + +/* Refresh conntrack for this many jiffies */ +extern void ip_ct_refresh(struct ip_conntrack *ct, + unsigned long extra_jiffies); + +/* These are for NAT. Icky. */ +/* Call me when a conntrack is destroyed. */ +extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack); + +/* Returns new sk_buff, or NULL */ +struct sk_buff * +ip_ct_gather_frags(struct sk_buff *skb); + +/* Delete all conntracks which match. */ +extern void +ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data), + void *data); +#endif /* __KERNEL__ */ +#endif /* _IP_CONNTRACK_H */ diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h b/include/linux/netfilter_ipv4/ip_conntrack_core.h new file mode 100644 index 000000000..9cb49afaf --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h @@ -0,0 +1,39 @@ +#ifndef _IP_CONNTRACK_CORE_H +#define _IP_CONNTRACK_CORE_H +#include <linux/netfilter_ipv4/lockhelp.h> + +/* This header is used to share core functionality between the + standalone connection tracking module, and the compatibility layer's use + of connection tracking. */ +extern unsigned int ip_conntrack_in(unsigned int hooknum, + struct sk_buff **pskb, + const struct net_device *in, + const struct net_device *out, + int (*okfn)(struct sk_buff *)); + +extern int ip_conntrack_init(void); +extern void ip_conntrack_cleanup(void); + +struct ip_conntrack_protocol; +extern struct ip_conntrack_protocol *find_proto(u_int8_t protocol); +/* Like above, but you already have conntrack read lock. */ +extern struct ip_conntrack_protocol *__find_proto(u_int8_t protocol); +extern struct list_head protocol_list; + +/* Returns TRUE if it dealt with ICMP, and filled in skb->nfct */ +int icmp_error_track(struct sk_buff *skb); +extern int get_tuple(const struct iphdr *iph, size_t len, + struct ip_conntrack_tuple *tuple, + struct ip_conntrack_protocol *protocol); + +/* Find a connection corresponding to a tuple. */ +struct ip_conntrack_tuple_hash * +ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple, + const struct ip_conntrack *ignored_conntrack); + +extern unsigned int ip_conntrack_htable_size; +extern struct list_head *ip_conntrack_hash; +extern struct list_head expect_list; +DECLARE_RWLOCK_EXTERN(ip_conntrack_lock); +#endif /* _IP_CONNTRACK_CORE_H */ + diff --git a/include/linux/netfilter_ipv4/ip_conntrack_ftp.h b/include/linux/netfilter_ipv4/ip_conntrack_ftp.h new file mode 100644 index 000000000..a164aed4f --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_conntrack_ftp.h @@ -0,0 +1,41 @@ +#ifndef _IP_CONNTRACK_FTP_H +#define _IP_CONNTRACK_FTP_H +/* FTP tracking. */ + +#ifndef __KERNEL__ +#error Only in kernel. +#endif + +#include <linux/netfilter_ipv4/lockhelp.h> + +/* Protects ftp part of conntracks */ +DECLARE_LOCK_EXTERN(ip_ftp_lock); + +enum ip_ct_ftp_type +{ + /* PORT command from client */ + IP_CT_FTP_PORT = IP_CT_DIR_ORIGINAL, + /* PASV response from server */ + IP_CT_FTP_PASV = IP_CT_DIR_REPLY +}; + +/* Protected by ip_conntrack_lock */ +/* We record seq number and length of ftp ip/port text here: all in + host order. */ +struct ip_ct_ftp +{ + /* This tells NAT that this is an ftp connection */ + int is_ftp; + u_int32_t seq; + /* 0 means not found yet */ + u_int32_t len; + enum ip_ct_ftp_type ftptype; + /* Port that was to be used */ + u_int16_t port; + /* Next valid seq position for cmd matching after newline */ + u_int32_t seq_aft_nl[IP_CT_DIR_MAX]; + /* 0 means seq_match_aft_nl not set */ + int seq_aft_nl_set[IP_CT_DIR_MAX]; +}; + +#endif /* _IP_CONNTRACK_FTP_H */ diff --git a/include/linux/netfilter_ipv4/ip_conntrack_helper.h b/include/linux/netfilter_ipv4/ip_conntrack_helper.h new file mode 100644 index 000000000..006cedef5 --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_conntrack_helper.h @@ -0,0 +1,30 @@ +/* IP connection tracking helpers. */ +#ifndef _IP_CONNTRACK_HELPER_H +#define _IP_CONNTRACK_HELPER_H +#include <linux/netfilter_ipv4/ip_conntrack.h> + +struct module; + +struct ip_conntrack_helper +{ + /* Internal use. */ + struct list_head list; + + /* Returns TRUE if it wants to help this connection (tuple is + the tuple of REPLY packets from server). */ + int (*will_help)(const struct ip_conntrack_tuple *rtuple); + + /* Function to call when data passes; return verdict, or -1 to + invalidate. */ + int (*help)(const struct iphdr *, size_t len, + struct ip_conntrack *ct, + enum ip_conntrack_info conntrackinfo); +}; + +extern int ip_conntrack_helper_register(struct ip_conntrack_helper *); +extern void ip_conntrack_helper_unregister(struct ip_conntrack_helper *); + +/* Add an expected connection. */ +extern int ip_conntrack_expect_related(struct ip_conntrack *related_to, + const struct ip_conntrack_tuple *tuple); +#endif /*_IP_CONNTRACK_HELPER_H*/ diff --git a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h new file mode 100644 index 000000000..3c1b4a4c6 --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h @@ -0,0 +1,58 @@ +/* Header for use in defining a given protocol for connection tracking. */ +#ifndef _IP_CONNTRACK_PROTOCOL_H +#define _IP_CONNTRACK_PROTOCOL_H +#include <linux/netfilter_ipv4/ip_conntrack.h> + +struct ip_conntrack_protocol +{ + /* Next pointer. */ + struct list_head list; + + /* Protocol number. */ + u_int8_t proto; + + /* Protocol name */ + const char *name; + + /* Try to fill in the third arg; return true if possible. */ + int (*pkt_to_tuple)(const void *datah, size_t datalen, + struct ip_conntrack_tuple *tuple); + + /* Invert the per-proto part of the tuple: ie. turn xmit into reply. + * Some packets can't be inverted: return 0 in that case. + */ + int (*invert_tuple)(struct ip_conntrack_tuple *inverse, + const struct ip_conntrack_tuple *orig); + + /* Print out the per-protocol part of the tuple. */ + unsigned int (*print_tuple)(char *buffer, + const struct ip_conntrack_tuple *); + + /* Print out the private part of the conntrack. */ + unsigned int (*print_conntrack)(char *buffer, + const struct ip_conntrack *); + + /* Returns verdict for packet, or -1 for invalid. */ + int (*packet)(struct ip_conntrack *conntrack, + struct iphdr *iph, size_t len, + enum ip_conntrack_info ctinfo); + + /* Called when a new connection for this protocol found; returns + * TRUE if it's OK. If so, packet() called next. */ + int (*new)(struct ip_conntrack *conntrack, + struct iphdr *iph, size_t len); + + /* Module (if any) which this is connected to. */ + struct module *me; +}; + +/* Protocol registration. */ +extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto); +extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto); + +/* Existing built-in protocols */ +extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp; +extern struct ip_conntrack_protocol ip_conntrack_protocol_udp; +extern struct ip_conntrack_protocol ip_conntrack_protocol_icmp; +extern int ip_conntrack_protocol_tcp_init(void); +#endif /*_IP_CONNTRACK_PROTOCOL_H*/ diff --git a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h new file mode 100644 index 000000000..c0a845caf --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h @@ -0,0 +1,105 @@ +#ifndef _IP_CONNTRACK_TUPLE_H +#define _IP_CONNTRACK_TUPLE_H + +/* A `tuple' is a structure containing the information to uniquely + identify a connection. ie. if two packets have the same tuple, they + are in the same connection; if not, they are not. + + We divide the structure along "manipulatable" and + "non-manipulatable" lines, for the benefit of the NAT code. +*/ + +/* The protocol-specific manipulable parts of the tuple. */ +union ip_conntrack_manip_proto +{ + /* Add other protocols here. */ + u_int16_t all; + + struct { + u_int16_t port; + } tcp; + struct { + u_int16_t port; + } udp; + struct { + u_int16_t id; + } icmp; +}; + +/* The manipulable part of the tuple. */ +struct ip_conntrack_manip +{ + u_int32_t ip; + union ip_conntrack_manip_proto u; + u_int16_t pad; /* Must be set to 0 for memcmp. */ +}; + +/* This contains the information to distinguish a connection. */ +struct ip_conntrack_tuple +{ + struct ip_conntrack_manip src; + + /* These are the parts of the tuple which are fixed. */ + struct { + u_int32_t ip; + union { + /* Add other protocols here. */ + u_int16_t all; + + struct { + u_int16_t port; + } tcp; + struct { + u_int16_t port; + } udp; + struct { + u_int8_t type, code; + } icmp; + } u; + + /* The protocol. */ + u_int16_t protonum; + } dst; +}; + +#define IP_PARTS_NATIVE(n) \ +(unsigned int)((n)>>24)&0xFF, \ +(unsigned int)((n)>>16)&0xFF, \ +(unsigned int)((n)>>8)&0xFF, \ +(unsigned int)((n)&0xFF) + +#define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n)) + +#ifdef __KERNEL__ + +#define DUMP_TUPLE(tp) \ +DEBUGP("tuple %p: %u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", \ + (tp), (tp)->dst.protonum, \ + IP_PARTS((tp)->src.ip), ntohs((tp)->src.u.all), \ + IP_PARTS((tp)->dst.ip), ntohs((tp)->dst.u.all)) + +#define CTINFO2DIR(ctinfo) ((ctinfo) == IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL) + +/* If we're the first tuple, it's the original dir. */ +#define DIRECTION(h) ((enum ip_conntrack_dir)(&(h)->ctrack->tuplehash[1] == (h))) + +enum ip_conntrack_dir +{ + IP_CT_DIR_ORIGINAL, + IP_CT_DIR_REPLY, + IP_CT_DIR_MAX +}; + +/* Connections have two entries in the hash table: one for each way */ +struct ip_conntrack_tuple_hash +{ + struct list_head list; + + struct ip_conntrack_tuple tuple; + + /* this == &ctrack->tuplehash[DIRECTION(this)]. */ + struct ip_conntrack *ctrack; +}; + +#endif /* __KERNEL__ */ +#endif /* _IP_CONNTRACK_TUPLE_H */ diff --git a/include/linux/netfilter_ipv4/ip_nat.h b/include/linux/netfilter_ipv4/ip_nat.h new file mode 100644 index 000000000..8eb37d6d5 --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_nat.h @@ -0,0 +1,117 @@ +#ifndef _IP_NAT_H +#define _IP_NAT_H +#include <linux/netfilter_ipv4.h> +#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> + +#define IP_NAT_MAPPING_TYPE_MAX_NAMELEN 16 + +enum ip_nat_manip_type +{ + IP_NAT_MANIP_SRC, + IP_NAT_MANIP_DST +}; + +/* SRC manip occurs only on POST_ROUTING */ +#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING) + +/* 2.3.19 (I hope) will define this in linux/netfilter_ipv4.h. */ +#ifndef SO_ORIGINAL_DST +#define SO_ORIGINAL_DST 80 +#endif + +#define IP_NAT_RANGE_MAP_IPS 1 +#define IP_NAT_RANGE_PROTO_SPECIFIED 2 +/* Used internally by get_unique_tuple(). */ +#define IP_NAT_RANGE_FULL 4 + +/* Single range specification. */ +struct ip_nat_range +{ + /* Set to OR of flags above. */ + unsigned int flags; + + /* Inclusive: network order. */ + u_int32_t min_ip, max_ip; + + /* Inclusive: network order */ + union ip_conntrack_manip_proto min, max; +}; + +/* A range consists of an array of 1 or more ip_nat_range */ +struct ip_nat_multi_range +{ + unsigned int rangesize; + + /* hangs off end. */ + struct ip_nat_range range[1]; +}; + +#ifdef __KERNEL__ +#include <linux/list.h> +#include <linux/netfilter_ipv4/lockhelp.h> + +/* Protects NAT hash tables, and NAT-private part of conntracks. */ +DECLARE_RWLOCK_EXTERN(ip_nat_lock); + +/* Hashes for by-source and IP/protocol. */ +struct ip_nat_hash +{ + struct list_head list; + + /* conntrack we're embedded in: NULL if not in hash. */ + struct ip_conntrack *conntrack; +}; + +/* Worst case: local-out manip + 1 post-routing, and reverse dirn. */ +#define IP_NAT_MAX_MANIPS (2*3) + +struct ip_nat_info_manip +{ + /* The direction. */ + u_int8_t direction; + + /* Which hook the manipulation happens on. */ + u_int8_t hooknum; + + /* The manipulation type. */ + u_int8_t maniptype; + + /* Manipulations to occur at each conntrack in this dirn. */ + struct ip_conntrack_manip manip; +}; + +/* The structure embedded in the conntrack structure. */ +struct ip_nat_info +{ + /* Set to zero when conntrack created: bitmask of maniptypes */ + int initialized; + + unsigned int num_manips; + + /* Manipulations to be done on this conntrack. */ + struct ip_nat_info_manip manips[IP_NAT_MAX_MANIPS]; + + /* The mapping type which created us (NULL for null mapping). */ + const struct ip_nat_mapping_type *mtype; + + struct ip_nat_hash bysource, byipsproto; + + /* Helper (NULL if none). */ + struct ip_nat_helper *helper; +}; + +/* Set up the info structure to map into this range. */ +extern unsigned int ip_nat_setup_info(struct ip_conntrack *conntrack, + const struct ip_nat_multi_range *mr, + unsigned int hooknum); + +/* Is this tuple already taken? (not by us)*/ +extern int ip_nat_used_tuple(const struct ip_conntrack_tuple *tuple, + const struct ip_conntrack *ignored_conntrack); + +/* Calculate relative checksum. */ +extern u_int16_t ip_nat_cheat_check(u_int32_t oldvalinv, + u_int32_t newval, + u_int16_t oldcheck); +#endif /*__KERNEL__*/ +#endif diff --git a/include/linux/netfilter_ipv4/ip_nat_core.h b/include/linux/netfilter_ipv4/ip_nat_core.h new file mode 100644 index 000000000..28735e0c1 --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_nat_core.h @@ -0,0 +1,33 @@ +#ifndef _IP_NAT_CORE_H +#define _IP_NAT_CORE_H +#include <linux/list.h> +#include <linux/netfilter_ipv4/ip_conntrack.h> + +/* This header used to share core functionality between the standalone + NAT module, and the compatibility layer's use of NAT for masquerading. */ +extern int ip_nat_init(void); +extern void ip_nat_cleanup(void); + +extern unsigned int do_bindings(struct ip_conntrack *ct, + enum ip_conntrack_info conntrackinfo, + struct ip_nat_info *info, + unsigned int hooknum, + struct sk_buff **pskb); + +extern struct list_head protos; + +extern void icmp_reply_translation(struct sk_buff *skb, + struct ip_conntrack *conntrack, + unsigned int hooknum, + int dir); + +extern void replace_in_hashes(struct ip_conntrack *conntrack, + struct ip_nat_info *info); +extern void place_in_hashes(struct ip_conntrack *conntrack, + struct ip_nat_info *info); + +/* Built-in protocols. */ +extern struct ip_nat_protocol ip_nat_protocol_tcp; +extern struct ip_nat_protocol ip_nat_protocol_udp; +extern struct ip_nat_protocol ip_nat_protocol_icmp; +#endif /* _IP_NAT_CORE_H */ diff --git a/include/linux/netfilter_ipv4/ip_nat_ftp.h b/include/linux/netfilter_ipv4/ip_nat_ftp.h new file mode 100644 index 000000000..d84015529 --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_nat_ftp.h @@ -0,0 +1,21 @@ +#ifndef _IP_NAT_FTP_H +#define _IP_NAT_FTP_H +/* FTP extension for TCP NAT alteration. */ + +#ifndef __KERNEL__ +#error Only in kernel. +#endif + +/* Protects ftp part of conntracks */ +DECLARE_LOCK_EXTERN(ip_ftp_lock); + +/* We keep track of where the last SYN correction was, and the SYN + offsets before and after that correction. Two of these (indexed by + direction). */ +struct ip_nat_ftp_info +{ + u_int32_t syn_correction_pos; + int32_t syn_offset_before, syn_offset_after; +}; + +#endif /* _IP_NAT_FTP_H */ diff --git a/include/linux/netfilter_ipv4/ip_nat_helper.h b/include/linux/netfilter_ipv4/ip_nat_helper.h new file mode 100644 index 000000000..1578d6efc --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_nat_helper.h @@ -0,0 +1,30 @@ +#ifndef _IP_NAT_HELPER_H +#define _IP_NAT_HELPER_H +/* NAT protocol helper routines. */ + +#include <linux/netfilter_ipv4/ip_conntrack.h> + +struct sk_buff; + +struct ip_nat_helper +{ + /* Internal use */ + struct list_head list; + + /* Here's the protocol and dst we care about. */ + u_int16_t protocol; + u_int16_t protocol_dst; + + /* Helper function: returns verdict */ + unsigned int (*help)(struct ip_conntrack *ct, + struct ip_nat_info *info, + enum ip_conntrack_info ctinfo, + unsigned int hooknum, + struct sk_buff **pskb); + + const char *name; +}; + +extern int ip_nat_helper_register(struct ip_nat_helper *me); +extern void ip_nat_helper_unregister(struct ip_nat_helper *me); +#endif diff --git a/include/linux/netfilter_ipv4/ip_nat_protocol.h b/include/linux/netfilter_ipv4/ip_nat_protocol.h new file mode 100644 index 000000000..42e2ebf33 --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_nat_protocol.h @@ -0,0 +1,57 @@ +/* Header for use in defining a given protocol. */ +#ifndef _IP_NAT_PROTOCOL_H +#define _IP_NAT_PROTOCOL_H +#include <linux/init.h> +#include <linux/list.h> + +struct iphdr; +struct ip_nat_range; + +struct ip_nat_protocol +{ + struct list_head list; + + /* Protocol name */ + const char *name; + + /* Protocol number. */ + unsigned int protonum; + + /* Do a packet translation according to the ip_nat_proto_manip + * and manip type. */ + void (*manip_pkt)(struct iphdr *iph, size_t len, + const struct ip_conntrack_manip *manip, + enum ip_nat_manip_type maniptype); + + /* Is the manipable part of the tuple between min and max incl? */ + int (*in_range)(const struct ip_conntrack_tuple *tuple, + enum ip_nat_manip_type maniptype, + const union ip_conntrack_manip_proto *min, + const union ip_conntrack_manip_proto *max); + + /* Alter the per-proto part of the tuple (depending on + maniptype), to give a unique tuple in the given range if + possible; return false if not. Per-protocol part of tuple + is initialized to the incoming packet. */ + int (*unique_tuple)(struct ip_conntrack_tuple *tuple, + const struct ip_nat_range *range, + enum ip_nat_manip_type maniptype, + const struct ip_conntrack *conntrack); + + unsigned int (*print)(char *buffer, + const struct ip_conntrack_tuple *match, + const struct ip_conntrack_tuple *mask); + + unsigned int (*print_range)(char *buffer, + const struct ip_nat_range *range); +}; + +/* Protocol registration. */ +extern int ip_nat_protocol_register(struct ip_nat_protocol *proto); +extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto); + +extern int init_protocols(void) __init; +extern void cleanup_protocols(void); +extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum); + +#endif /*_IP_NAT_PROTO_H*/ diff --git a/include/linux/netfilter_ipv4/ip_nat_rule.h b/include/linux/netfilter_ipv4/ip_nat_rule.h new file mode 100644 index 000000000..6c92b285d --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_nat_rule.h @@ -0,0 +1,35 @@ +#ifndef _IP_NAT_RULE_H +#define _IP_NAT_RULE_H +#include <linux/netfilter_ipv4/ip_conntrack.h> +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter_ipv4/ip_nat.h> + +#ifdef __KERNEL__ +/* Want to be told when we first NAT an expected packet for a conntrack? */ +struct ip_nat_expect +{ + struct list_head list; + + /* Returns 1 (and sets verdict) if it has setup NAT for this + connection */ + int (*expect)(struct sk_buff **pskb, + unsigned int hooknum, + struct ip_conntrack *ct, + struct ip_nat_info *info, + struct ip_conntrack *master, + struct ip_nat_info *masterinfo, + unsigned int *verdict); +}; + +extern int ip_nat_expect_register(struct ip_nat_expect *expect); +extern void ip_nat_expect_unregister(struct ip_nat_expect *expect); +extern int ip_nat_rule_init(void) __init; +extern void ip_nat_rule_cleanup(void); +extern int ip_nat_rule_find(struct sk_buff **pskb, + unsigned int hooknum, + const struct net_device *in, + const struct net_device *out, + struct ip_conntrack *ct, + struct ip_nat_info *info); +#endif +#endif /* _IP_NAT_RULE_H */ diff --git a/include/linux/netfilter_ipv4/ip_queue.h b/include/linux/netfilter_ipv4/ip_queue.h new file mode 100644 index 000000000..8bbd6230f --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_queue.h @@ -0,0 +1,86 @@ +/* + * This is a module which is used for queueing IPv4 packets and + * communicating with userspace via netlink. + * + * (C) 2000 James Morris + */ +#ifndef _IP_QUEUE_H +#define _IP_QUEUE_H + +#ifdef __KERNEL__ +#ifdef DEBUG_IPQ +#define QDEBUG(x...) printk(KERN_DEBUG ## x) +#else +#define QDEBUG(x...) +#endif /* DEBUG_IPQ */ +#else +#include <net/if.h> +#endif /* ! __KERNEL__ */ + +/* Messages sent from kernel */ +typedef struct ipq_packet_msg { + unsigned long packet_id; /* ID of queued packet */ + unsigned long mark; /* Netfilter mark value */ + long timestamp_sec; /* Packet arrival time (seconds) */ + long timestamp_usec; /* Packet arrvial time (+useconds) */ + unsigned int hook; /* Netfilter hook we rode in on */ + char indev_name[IFNAMSIZ]; /* Name of incoming interface */ + char outdev_name[IFNAMSIZ]; /* Name of outgoing interface */ + size_t data_len; /* Length of packet data */ + /* Optional packet data follows */ +} ipq_packet_msg_t; + +/* Messages sent from userspace */ +typedef struct ipq_mode_msg { + unsigned char value; /* Requested mode */ + size_t range; /* Optional range of packet requested */ +} ipq_mode_msg_t; + +typedef struct ipq_verdict_msg { + unsigned int value; /* Verdict to hand to netfilter */ + unsigned long id; /* Packet ID for this verdict */ + size_t data_len; /* Length of replacement data */ + /* Optional replacement data follows */ +} ipq_verdict_msg_t; + +typedef struct ipq_peer_msg { + union { + ipq_verdict_msg_t verdict; + ipq_mode_msg_t mode; + } msg; +} ipq_peer_msg_t; + +/* Each queued packet has one of these states */ +enum { + IPQ_PS_NEW, /* Newly arrived packet */ + IPQ_PS_WAITING, /* User has been notified of packet, + we're waiting for a verdict */ + IPQ_PS_VERDICT /* Packet has been assigned verdict, + waiting to be reinjected */ +}; +#define IPQ_PS_MAX IPQ_PS_VERDICT + +/* The queue operates in one of these states */ +enum { + IPQ_QS_HOLD, /* Hold all packets in queue */ + IPQ_QS_COPY, /* Copy metadata and/or packets to user */ + IPQ_QS_FLUSH /* Flush and drop all queue entries */ +}; +#define IPQ_QS_MAX IPQ_QS_FLUSH + +/* Modes requested by peer */ +enum { + IPQ_COPY_NONE, /* Copy nothing */ + IPQ_COPY_META, /* Copy metadata */ + IPQ_COPY_PACKET /* Copy metadata + packet (range) */ +}; +#define IPQ_COPY_MAX IPQ_COPY_PACKET + +/* Types of messages */ +#define IPQM_BASE 0x10 /* standard netlink messages below this */ +#define IPQM_MODE (IPQM_BASE + 1) /* Mode request from peer */ +#define IPQM_VERDICT (IPQM_BASE + 2) /* Verdict from peer */ +#define IPQM_PACKET (IPQM_BASE + 3) /* Packet from kernel */ +#define IPQM_MAX (IPQM_BASE + 4) + +#endif /*_IP_QUEUE_H*/ diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h new file mode 100644 index 000000000..20361b064 --- /dev/null +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -0,0 +1,420 @@ +/* + * 25-Jul-1998 Major changes to allow for ip chain table + * + * 3-Jan-2000 Named tables to allow packet selection for different uses. + */ + +/* + * Format of an IP firewall descriptor + * + * src, dst, src_mask, dst_mask are always stored in network byte order. + * flags are stored in host byte order (of course). + * Port numbers are stored in HOST byte order. + */ + +#ifndef _IPTABLES_H +#define _IPTABLES_H + +#ifdef __KERNEL__ +#include <linux/if.h> +#include <linux/types.h> +#include <linux/in.h> +#include <linux/ip.h> +#include <linux/skbuff.h> +#endif +#include <linux/netfilter_ipv4.h> + +#define IPT_FUNCTION_MAXNAMELEN 32 +#define IPT_TABLE_MAXNAMELEN 32 + +/* Yes, Virginia, you have to zero the padding. */ +struct ipt_ip { + /* Source and destination IP addr */ + struct in_addr src, dst; + /* Mask for src and dest IP addr */ + struct in_addr smsk, dmsk; + char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; + unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; + + /* Protocol, 0 = ANY */ + u_int16_t proto; + + /* Flags word */ + u_int8_t flags; + /* Inverse flags */ + u_int8_t invflags; +}; + +struct ipt_entry_match +{ + /* Total length */ + u_int16_t match_size; + union { + /* Used by userspace */ + char name[IPT_FUNCTION_MAXNAMELEN]; + /* Used inside the kernel */ + struct ipt_match *match; + } u; + + unsigned char data[0]; +}; + +struct ipt_entry_target +{ + /* Total length */ + u_int16_t target_size; + union { + /* Used by userspace */ + char name[IPT_FUNCTION_MAXNAMELEN]; + /* Used inside the kernel */ + struct ipt_target *target; + } u; + + unsigned char data[0]; +}; + +struct ipt_standard_target +{ + struct ipt_entry_target target; + int verdict; +}; + +struct ipt_counters +{ + u_int64_t pcnt, bcnt; /* Packet and byte counters */ +}; + +/* Values for "flag" field in struct ipt_ip (general ip structure). */ +#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ +#define IPT_F_MASK 0x01 /* All possible flag bits mask. */ + +/* Values for "inv" field in struct ipt_ip. */ +#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */ +#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */ +#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */ +#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */ +#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */ +#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */ +#define IPT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ +#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */ + +/* This structure defines each of the firewall rules. Consists of 3 + parts which are 1) general IP header stuff 2) match specific + stuff 3) the target to perform if the rule matches */ +struct ipt_entry +{ + struct ipt_ip ip; + + /* Mark with fields that we care about. */ + unsigned int nfcache; + + /* Size of ipt_entry + matches */ + u_int16_t target_offset; + /* Size of ipt_entry + matches + target */ + u_int16_t next_offset; + + /* Back pointer */ + unsigned int comefrom; + + /* Packet and byte counters. */ + struct ipt_counters counters; + + /* The matches (if any), then the target. */ + unsigned char elems[0]; +}; + +/* + * New IP firewall options for [gs]etsockopt at the RAW IP level. + * Unlike BSD Linux inherits IP options so you don't have to use a raw + * socket for this. Instead we check rights in the calls. */ +#define IPT_BASE_CTL 64 /* base for firewall socket options */ + +#define IPT_SO_SET_REPLACE (IPT_BASE_CTL) +#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1) +#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS + +#define IPT_SO_GET_INFO (IPT_BASE_CTL) +#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) +#define IPT_SO_GET_MAX IPT_SO_GET_ENTRIES + +/* CONTINUE verdict for targets */ +#define IPT_CONTINUE 0xFFFFFFFF + +/* For standard target */ +#define IPT_RETURN (-NF_MAX_VERDICT - 1) + +/* TCP matching stuff */ +struct ipt_tcp +{ + u_int16_t spts[2]; /* Source port range. */ + u_int16_t dpts[2]; /* Destination port range. */ + u_int8_t option; /* TCP Option iff non-zero*/ + u_int8_t flg_mask; /* TCP flags mask byte */ + u_int8_t flg_cmp; /* TCP flags compare byte */ + u_int8_t invflags; /* Inverse flags */ +}; + +/* Values for "inv" field in struct ipt_tcp. */ +#define IPT_TCP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ +#define IPT_TCP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ +#define IPT_TCP_INV_FLAGS 0x04 /* Invert the sense of TCP flags. */ +#define IPT_TCP_INV_OPTION 0x08 /* Invert the sense of option test. */ +#define IPT_TCP_INV_MASK 0x0F /* All possible flags. */ + +/* UDP matching stuff */ +struct ipt_udp +{ + u_int16_t spts[2]; /* Source port range. */ + u_int16_t dpts[2]; /* Destination port range. */ + u_int8_t invflags; /* Inverse flags */ +}; + +/* Values for "invflags" field in struct ipt_udp. */ +#define IPT_UDP_INV_SRCPT 0x01 /* Invert the sense of source ports. */ +#define IPT_UDP_INV_DSTPT 0x02 /* Invert the sense of dest ports. */ +#define IPT_UDP_INV_MASK 0x03 /* All possible flags. */ + +/* ICMP matching stuff */ +struct ipt_icmp +{ + u_int8_t type; /* type to match */ + u_int8_t code[2]; /* range of code */ + u_int8_t invflags; /* Inverse flags */ +}; + +/* Values for "inv" field for struct ipt_icmp. */ +#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */ + +/* The argument to IPT_SO_GET_INFO */ +struct ipt_getinfo +{ + /* Which table: caller fills this in. */ + char name[IPT_TABLE_MAXNAMELEN]; + + /* Kernel fills these in. */ + /* Which hook entry points are valid: bitmask */ + unsigned int valid_hooks; + + /* Hook entry points: one per netfilter hook. */ + unsigned int hook_entry[NF_IP_NUMHOOKS]; + + /* Underflow points. */ + unsigned int underflow[NF_IP_NUMHOOKS]; + + /* Number of entries */ + unsigned int num_entries; + + /* Size of entries. */ + unsigned int size; +}; + +/* The argument to IPT_SO_SET_REPLACE. */ +struct ipt_replace +{ + /* Which table. */ + char name[IPT_TABLE_MAXNAMELEN]; + + /* Which hook entry points are valid: bitmask. You can't + change this. */ + unsigned int valid_hooks; + + /* Number of entries */ + unsigned int num_entries; + + /* Total size of new entries */ + unsigned int size; + + /* Hook entry points. */ + unsigned int hook_entry[NF_IP_NUMHOOKS]; + + /* Underflow points. */ + unsigned int underflow[NF_IP_NUMHOOKS]; + + /* Information about old entries: */ + /* Number of counters (must be equal to current number of entries). */ + unsigned int num_counters; + /* The old entries' counters. */ + struct ipt_counters *counters; + + /* The entries (hang off end: not really an array). */ + struct ipt_entry entries[0]; +}; + +/* The argument to IPT_SO_ADD_COUNTERS. */ +struct ipt_counters_info +{ + /* Which table. */ + char name[IPT_TABLE_MAXNAMELEN]; + + unsigned int num_counters; + + /* The counters (actually `number' of these). */ + struct ipt_counters counters[0]; +}; + +/* The argument to IPT_SO_GET_ENTRIES. */ +struct ipt_get_entries +{ + /* Which table: user fills this in. */ + char name[IPT_TABLE_MAXNAMELEN]; + + /* User fills this in: total entry size. */ + unsigned int size; + + /* The entries. */ + unsigned char entries[0]; +}; + +/* Standard return verdict, or do jump. */ +#define IPT_STANDARD_TARGET "" +/* Error verdict. */ +#define IPT_ERROR_TARGET "ERROR" + +/* Helper functions */ +extern __inline__ struct ipt_entry_target * +ipt_get_target(struct ipt_entry *e) +{ + return (void *)e + e->target_offset; +} + +/* fn returns 0 to continue iteration */ +#define IPT_MATCH_ITERATE(e, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct ipt_entry_match *__m; \ + \ + for (__i = sizeof(struct ipt_entry); \ + __i < (e)->target_offset; \ + __i += __m->match_size) { \ + __m = (void *)(e) + __i; \ + \ + __ret = fn(__m , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct ipt_entry *__e; \ + \ + for (__i = 0; __i < (size); __i += __e->next_offset) { \ + __e = (void *)(entries) + __i; \ + \ + __ret = fn(__e , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* + * Main firewall chains definitions and global var's definitions. + */ +#ifdef __KERNEL__ + +#include <linux/init.h> +extern void ipt_init(void) __init; + +struct ipt_match +{ + struct list_head list; + + const char name[IPT_FUNCTION_MAXNAMELEN]; + + /* Return true or false: return FALSE and set *hotdrop = 1 to + force immediate packet drop. */ + int (*match)(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const void *matchinfo, + int offset, + const void *hdr, + u_int16_t datalen, + int *hotdrop); + + /* Called when user tries to insert an entry of this type. */ + /* Should return true or false. */ + int (*checkentry)(const char *tablename, + const struct ipt_ip *ip, + void *matchinfo, + unsigned int matchinfosize, + unsigned int hook_mask); + + /* Set this to THIS_MODULE if you are a module, otherwise NULL */ + struct module *me; +}; + +/* Registration hooks for targets. */ +struct ipt_target +{ + struct list_head list; + + const char name[IPT_FUNCTION_MAXNAMELEN]; + + /* Returns verdict. */ + unsigned int (*target)(struct sk_buff **pskb, + unsigned int hooknum, + const struct net_device *in, + const struct net_device *out, + const void *targinfo, + void *userdata); + + /* Called when user tries to insert an entry of this type: + hook_mask is a bitmask of hooks from which it can be + called. */ + /* Should return true or false. */ + int (*checkentry)(const char *tablename, + const struct ipt_entry *e, + void *targinfo, + unsigned int targinfosize, + unsigned int hook_mask); + + /* Set this to THIS_MODULE if you are a module, otherwise NULL */ + struct module *me; +}; + +extern int ipt_register_target(struct ipt_target *target); +extern void ipt_unregister_target(struct ipt_target *target); + +extern int ipt_register_match(struct ipt_match *match); +extern void ipt_unregister_match(struct ipt_match *match); + +/* Furniture shopping... */ +struct ipt_table +{ + struct list_head list; + + /* A unique name... */ + char name[IPT_TABLE_MAXNAMELEN]; + + /* Seed table: copied in register_table */ + struct ipt_replace *table; + + /* What hooks you will enter on */ + unsigned int valid_hooks; + + /* Lock for the curtain */ + rwlock_t lock; + + /* Man behind the curtain... */ + struct ipt_table_info *private; +}; + +extern int ipt_register_table(struct ipt_table *table); +extern void ipt_unregister_table(struct ipt_table *table); +extern unsigned int ipt_do_table(struct sk_buff **pskb, + unsigned int hook, + const struct net_device *in, + const struct net_device *out, + struct ipt_table *table, + void *userdata); + +#define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_match)-1)) & ~(__alignof__(struct ipt_match)-1)) +#endif /*__KERNEL__*/ +#endif /* _IPTABLES_H */ diff --git a/include/linux/netfilter_ipv4/ipchains_core.h b/include/linux/netfilter_ipv4/ipchains_core.h new file mode 100644 index 000000000..13546ff8d --- /dev/null +++ b/include/linux/netfilter_ipv4/ipchains_core.h @@ -0,0 +1,193 @@ +/* + * This code is heavily based on the code in ip_fw.h; see that file for + * copyrights and attributions. This code is basically GPL. + * + * 15-Feb-1997: Major changes to allow graphs for firewall rules. + * Paul Russell <Paul.Russell@rustcorp.com.au> and + * Michael Neuling <Michael.Neuling@rustcorp.com.au> + * 2-Nov-1997: Changed types to __u16, etc. + * Removed IP_FW_F_TCPACK & IP_FW_F_BIDIR. + * Added inverse flags field. + * Removed multiple port specs. + */ + +/* + * Format of an IP firewall descriptor + * + * src, dst, src_mask, dst_mask are always stored in network byte order. + * flags are stored in host byte order (of course). + * Port numbers are stored in HOST byte order. + */ + +#ifndef _IP_FWCHAINS_H +#define _IP_FWCHAINS_H + +#ifdef __KERNEL__ +#include <linux/icmp.h> +#include <linux/in.h> +#include <linux/ip.h> +#include <linux/tcp.h> +#include <linux/udp.h> +#endif /* __KERNEL__ */ +#define IP_FW_MAX_LABEL_LENGTH 8 +typedef char ip_chainlabel[IP_FW_MAX_LABEL_LENGTH+1]; + +struct ip_fw +{ + struct in_addr fw_src, fw_dst; /* Source and destination IP addr */ + struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */ + __u32 fw_mark; /* ID to stamp on packet */ + __u16 fw_proto; /* Protocol, 0 = ANY */ + __u16 fw_flg; /* Flags word */ + __u16 fw_invflg; /* Inverse flags */ + __u16 fw_spts[2]; /* Source port range. */ + __u16 fw_dpts[2]; /* Destination port range. */ + __u16 fw_redirpt; /* Port to redirect to. */ + __u16 fw_outputsize; /* Max amount to output to + NETLINK */ + char fw_vianame[IFNAMSIZ]; /* name of interface "via" */ + __u8 fw_tosand, fw_tosxor; /* Revised packet priority */ +}; + +struct ip_fwuser +{ + struct ip_fw ipfw; + ip_chainlabel label; +}; + +/* Values for "fw_flg" field . */ +#define IP_FW_F_PRN 0x0001 /* Print packet if it matches */ +#define IP_FW_F_TCPSYN 0x0002 /* For tcp packets-check SYN only */ +#define IP_FW_F_FRAG 0x0004 /* Set if rule is a fragment rule */ +#define IP_FW_F_MARKABS 0x0008 /* Set the mark to fw_mark, not add. */ +#define IP_FW_F_WILDIF 0x0010 /* Need only match start of interface name. */ +#define IP_FW_F_NETLINK 0x0020 /* Redirect to netlink: 2.1.x only */ +#define IP_FW_F_MASK 0x003F /* All possible flag bits mask */ + +/* Values for "fw_invflg" field. */ +#define IP_FW_INV_SRCIP 0x0001 /* Invert the sense of fw_src. */ +#define IP_FW_INV_DSTIP 0x0002 /* Invert the sense of fw_dst. */ +#define IP_FW_INV_PROTO 0x0004 /* Invert the sense of fw_proto. */ +#define IP_FW_INV_SRCPT 0x0008 /* Invert the sense of source ports. */ +#define IP_FW_INV_DSTPT 0x0010 /* Invert the sense of destination ports. */ +#define IP_FW_INV_VIA 0x0020 /* Invert the sense of fw_vianame. */ +#define IP_FW_INV_SYN 0x0040 /* Invert the sense of IP_FW_F_TCPSYN. */ +#define IP_FW_INV_FRAG 0x0080 /* Invert the sense of IP_FW_F_FRAG. */ + +/* + * New IP firewall options for [gs]etsockopt at the RAW IP level. + * Unlike BSD Linux inherits IP options so you don't have to use + * a raw socket for this. Instead we check rights in the calls. */ + +#define IP_FW_BASE_CTL 64 /* base for firewall socket options */ + +#define IP_FW_APPEND (IP_FW_BASE_CTL) /* Takes ip_fwchange */ +#define IP_FW_REPLACE (IP_FW_BASE_CTL+1) /* Takes ip_fwnew */ +#define IP_FW_DELETE_NUM (IP_FW_BASE_CTL+2) /* Takes ip_fwdelnum */ +#define IP_FW_DELETE (IP_FW_BASE_CTL+3) /* Takes ip_fwchange */ +#define IP_FW_INSERT (IP_FW_BASE_CTL+4) /* Takes ip_fwnew */ +#define IP_FW_FLUSH (IP_FW_BASE_CTL+5) /* Takes ip_chainlabel */ +#define IP_FW_ZERO (IP_FW_BASE_CTL+6) /* Takes ip_chainlabel */ +#define IP_FW_CHECK (IP_FW_BASE_CTL+7) /* Takes ip_fwtest */ +#define IP_FW_MASQ_TIMEOUTS (IP_FW_BASE_CTL+8) /* Takes 3 ints */ +#define IP_FW_CREATECHAIN (IP_FW_BASE_CTL+9) /* Takes ip_chainlabel */ +#define IP_FW_DELETECHAIN (IP_FW_BASE_CTL+10) /* Takes ip_chainlabel */ +#define IP_FW_POLICY (IP_FW_BASE_CTL+11) /* Takes ip_fwpolicy */ +/* Masquerade control, only 1 optname */ + +#define IP_FW_MASQ_CTL (IP_FW_BASE_CTL+12) /* General ip_masq ctl */ + +/* Builtin chain labels */ +#define IP_FW_LABEL_FORWARD "forward" +#define IP_FW_LABEL_INPUT "input" +#define IP_FW_LABEL_OUTPUT "output" + +/* Special targets */ +#define IP_FW_LABEL_MASQUERADE "MASQ" +#define IP_FW_LABEL_REDIRECT "REDIRECT" +#define IP_FW_LABEL_ACCEPT "ACCEPT" +#define IP_FW_LABEL_BLOCK "DENY" +#define IP_FW_LABEL_REJECT "REJECT" +#define IP_FW_LABEL_RETURN "RETURN" +#define IP_FW_LABEL_QUEUE "QUEUE" + +/* Files in /proc/net */ +#define IP_FW_PROC_CHAINS "ip_fwchains" +#define IP_FW_PROC_CHAIN_NAMES "ip_fwnames" + + +struct ip_fwpkt +{ + struct iphdr fwp_iph; /* IP header */ + union { + struct tcphdr fwp_tcph; /* TCP header or */ + struct udphdr fwp_udph; /* UDP header */ + struct icmphdr fwp_icmph; /* ICMP header */ + } fwp_protoh; + struct in_addr fwp_via; /* interface address */ + char fwp_vianame[IFNAMSIZ]; /* interface name */ +}; + +/* The argument to IP_FW_DELETE and IP_FW_APPEND */ +struct ip_fwchange +{ + struct ip_fwuser fwc_rule; + ip_chainlabel fwc_label; +}; + +/* The argument to IP_FW_CHECK. */ +struct ip_fwtest +{ + struct ip_fwpkt fwt_packet; /* Packet to be tested */ + ip_chainlabel fwt_label; /* Block to start test in */ +}; + +/* The argument to IP_FW_DELETE_NUM */ +struct ip_fwdelnum +{ + __u32 fwd_rulenum; + ip_chainlabel fwd_label; +}; + +/* The argument to IP_FW_REPLACE and IP_FW_INSERT */ +struct ip_fwnew +{ + __u32 fwn_rulenum; + struct ip_fwuser fwn_rule; + ip_chainlabel fwn_label; +}; + +/* The argument to IP_FW_POLICY */ +struct ip_fwpolicy +{ + ip_chainlabel fwp_policy; + ip_chainlabel fwp_label; +}; +/* + * timeouts for ip masquerading + */ + +extern int ip_fw_masq_timeouts(void *, int); + + +/* + * Main firewall chains definitions and global var's definitions. + */ + +#ifdef __KERNEL__ + +#include <linux/config.h> +#include <linux/version.h> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0) +#include <linux/init.h> +extern void ip_fw_init(void) __init; +#else /* 2.0.x */ +extern void ip_fw_init(void); +#endif /* 2.1.x */ +extern int ip_fw_ctl(int, void *, int); +#ifdef CONFIG_IP_MASQUERADE +extern int ip_masq_uctl(int, char *, int); +#endif +#endif /* KERNEL */ + +#endif /* _IP_FWCHAINS_H */ diff --git a/include/linux/netfilter_ipv4/ipfwadm_core.h b/include/linux/netfilter_ipv4/ipfwadm_core.h new file mode 100644 index 000000000..8294efd7e --- /dev/null +++ b/include/linux/netfilter_ipv4/ipfwadm_core.h @@ -0,0 +1,256 @@ +#ifndef _IPFWADM_CORE_H +#define _IPFWADM_CORE_H +/* Minor modifications to fit on compatibility framework: + Rusty.Russell@rustcorp.com.au +*/ + +/* + * IP firewalling code. This is taken from 4.4BSD. Please note the + * copyright message below. As per the GPL it must be maintained + * and the licenses thus do not conflict. While this port is subject + * to the GPL I also place my modifications under the original + * license in recognition of the original copyright. + * + * Ported from BSD to Linux, + * Alan Cox 22/Nov/1994. + * Merged and included the FreeBSD-Current changes at Ugen's request + * (but hey it's a lot cleaner now). Ugen would prefer in some ways + * we waited for his final product but since Linux 1.2.0 is about to + * appear it's not practical - Read: It works, it's not clean but please + * don't consider it to be his standard of finished work. + * Alan. + * + * Fixes: + * Pauline Middelink : Added masquerading. + * Jos Vos : Separate input and output firewall + * chains, new "insert" and "append" + * commands to replace "add" commands, + * add ICMP header to struct ip_fwpkt. + * Jos Vos : Add support for matching device names. + * Willy Konynenberg : Add transparent proxying support. + * Jos Vos : Add options for input/output accounting. + * + * All the real work was done by ..... + */ + +/* + * Copyright (c) 1993 Daniel Boulet + * Copyright (c) 1994 Ugen J.S.Antsilevich + * + * Redistribution and use in source forms, with and without modification, + * are permitted provided that this entire comment appears intact. + * + * Redistribution in binary form may occur without any restrictions. + * Obviously, it would be nice if you gave credit where credit is due + * but requiring it would be too onerous. + * + * This software is provided ``AS IS'' without any warranties of any kind. + */ + +/* + * Format of an IP firewall descriptor + * + * src, dst, src_mask, dst_mask are always stored in network byte order. + * flags and num_*_ports are stored in host byte order (of course). + * Port numbers are stored in HOST byte order. + */ + +#ifdef __KERNEL__ +#include <linux/icmp.h> +#include <linux/in.h> +#include <linux/ip.h> +#include <linux/tcp.h> +#include <linux/udp.h> +#endif + +struct ip_fw +{ + struct ip_fw *fw_next; /* Next firewall on chain */ + struct in_addr fw_src, fw_dst; /* Source and destination IP addr */ + struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */ + struct in_addr fw_via; /* IP address of interface "via" */ + struct net_device *fw_viadev; /* device of interface "via" */ + __u16 fw_flg; /* Flags word */ + __u16 fw_nsp, fw_ndp; /* N'of src ports and # of dst ports */ + /* in ports array (dst ports follow */ + /* src ports; max of 10 ports in all; */ + /* count of 0 means match all ports) */ +#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */ + __u16 fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */ + unsigned long fw_pcnt,fw_bcnt; /* Packet and byte counters */ + __u8 fw_tosand, fw_tosxor; /* Revised packet priority */ + char fw_vianame[IFNAMSIZ]; /* name of interface "via" */ +}; + +/* + * Values for "flags" field . + */ + +#define IP_FW_F_ALL 0x0000 /* This is a universal packet firewall*/ +#define IP_FW_F_TCP 0x0001 /* This is a TCP packet firewall */ +#define IP_FW_F_UDP 0x0002 /* This is a UDP packet firewall */ +#define IP_FW_F_ICMP 0x0003 /* This is a ICMP packet firewall */ +#define IP_FW_F_KIND 0x0003 /* Mask to isolate firewall kind */ +#define IP_FW_F_ACCEPT 0x0004 /* This is an accept firewall (as * + * opposed to a deny firewall)* + * */ +#define IP_FW_F_SRNG 0x0008 /* The first two src ports are a min * + * and max range (stored in host byte * + * order). * + * */ +#define IP_FW_F_DRNG 0x0010 /* The first two dst ports are a min * + * and max range (stored in host byte * + * order). * + * (ports[0] <= port <= ports[1]) * + * */ +#define IP_FW_F_PRN 0x0020 /* In verbose mode print this firewall*/ +#define IP_FW_F_BIDIR 0x0040 /* For bidirectional firewalls */ +#define IP_FW_F_TCPSYN 0x0080 /* For tcp packets-check SYN only */ +#define IP_FW_F_ICMPRPL 0x0100 /* Send back icmp unreachable packet */ +#define IP_FW_F_MASQ 0x0200 /* Masquerading */ +#define IP_FW_F_TCPACK 0x0400 /* For tcp-packets match if ACK is set*/ +#define IP_FW_F_REDIR 0x0800 /* Redirect to local port fw_pts[n] */ +#define IP_FW_F_ACCTIN 0x1000 /* Account incoming packets only. */ +#define IP_FW_F_ACCTOUT 0x2000 /* Account outgoing packets only. */ + +#define IP_FW_F_MASK 0x3FFF /* All possible flag bits mask */ + +/* + * New IP firewall options for [gs]etsockopt at the RAW IP level. + * Unlike BSD Linux inherits IP options so you don't have to use + * a raw socket for this. Instead we check rights in the calls. + */ + +#define IP_FW_BASE_CTL 64 /* base for firewall socket options */ + +#define IP_FW_COMMAND 0x00FF /* mask for command without chain */ +#define IP_FW_TYPE 0x0300 /* mask for type (chain) */ +#define IP_FW_SHIFT 8 /* shift count for type (chain) */ + +#define IP_FW_FWD 0 +#define IP_FW_IN 1 +#define IP_FW_OUT 2 +#define IP_FW_ACCT 3 +#define IP_FW_CHAINS 4 /* total number of ip_fw chains */ +#define IP_FW_MASQ 5 + +#define IP_FW_INSERT (IP_FW_BASE_CTL) +#define IP_FW_APPEND (IP_FW_BASE_CTL+1) +#define IP_FW_DELETE (IP_FW_BASE_CTL+2) +#define IP_FW_FLUSH (IP_FW_BASE_CTL+3) +#define IP_FW_ZERO (IP_FW_BASE_CTL+4) +#define IP_FW_POLICY (IP_FW_BASE_CTL+5) +#define IP_FW_CHECK (IP_FW_BASE_CTL+6) +#define IP_FW_MASQ_TIMEOUTS (IP_FW_BASE_CTL+7) + +#define IP_FW_INSERT_FWD (IP_FW_INSERT | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_APPEND_FWD (IP_FW_APPEND | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_DELETE_FWD (IP_FW_DELETE | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_FLUSH_FWD (IP_FW_FLUSH | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_ZERO_FWD (IP_FW_ZERO | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_POLICY_FWD (IP_FW_POLICY | (IP_FW_FWD << IP_FW_SHIFT)) +#define IP_FW_CHECK_FWD (IP_FW_CHECK | (IP_FW_FWD << IP_FW_SHIFT)) + +#define IP_FW_INSERT_IN (IP_FW_INSERT | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_APPEND_IN (IP_FW_APPEND | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_DELETE_IN (IP_FW_DELETE | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_FLUSH_IN (IP_FW_FLUSH | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_ZERO_IN (IP_FW_ZERO | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_POLICY_IN (IP_FW_POLICY | (IP_FW_IN << IP_FW_SHIFT)) +#define IP_FW_CHECK_IN (IP_FW_CHECK | (IP_FW_IN << IP_FW_SHIFT)) + +#define IP_FW_INSERT_OUT (IP_FW_INSERT | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_APPEND_OUT (IP_FW_APPEND | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_DELETE_OUT (IP_FW_DELETE | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_FLUSH_OUT (IP_FW_FLUSH | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_ZERO_OUT (IP_FW_ZERO | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_POLICY_OUT (IP_FW_POLICY | (IP_FW_OUT << IP_FW_SHIFT)) +#define IP_FW_CHECK_OUT (IP_FW_CHECK | (IP_FW_OUT << IP_FW_SHIFT)) + +#define IP_ACCT_INSERT (IP_FW_INSERT | (IP_FW_ACCT << IP_FW_SHIFT)) +#define IP_ACCT_APPEND (IP_FW_APPEND | (IP_FW_ACCT << IP_FW_SHIFT)) +#define IP_ACCT_DELETE (IP_FW_DELETE | (IP_FW_ACCT << IP_FW_SHIFT)) +#define IP_ACCT_FLUSH (IP_FW_FLUSH | (IP_FW_ACCT << IP_FW_SHIFT)) +#define IP_ACCT_ZERO (IP_FW_ZERO | (IP_FW_ACCT << IP_FW_SHIFT)) + +#define IP_FW_MASQ_INSERT (IP_FW_INSERT | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_ADD (IP_FW_APPEND | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_DEL (IP_FW_DELETE | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_FLUSH (IP_FW_FLUSH | (IP_FW_MASQ << IP_FW_SHIFT)) + +#define IP_FW_MASQ_INSERT (IP_FW_INSERT | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_ADD (IP_FW_APPEND | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_DEL (IP_FW_DELETE | (IP_FW_MASQ << IP_FW_SHIFT)) +#define IP_FW_MASQ_FLUSH (IP_FW_FLUSH | (IP_FW_MASQ << IP_FW_SHIFT)) + +struct ip_fwpkt +{ + struct iphdr fwp_iph; /* IP header */ + union { + struct tcphdr fwp_tcph; /* TCP header or */ + struct udphdr fwp_udph; /* UDP header */ + struct icmphdr fwp_icmph; /* ICMP header */ + } fwp_protoh; + struct in_addr fwp_via; /* interface address */ + char fwp_vianame[IFNAMSIZ]; /* interface name */ +}; + +#define IP_FW_MASQCTL_MAX 256 +#define IP_MASQ_MOD_NMAX 32 + +struct ip_fw_masqctl +{ + int mctl_action; + union { + struct { + char name[IP_MASQ_MOD_NMAX]; + char data[1]; + } mod; + } u; +}; + +/* + * timeouts for ip masquerading + */ + +struct ip_fw_masq; + +/* + * Main firewall chains definitions and global var's definitions. + */ + +#ifdef __KERNEL__ + +/* Modes used in the ip_fw_chk() routine. */ +#define IP_FW_MODE_FW 0x00 /* kernel firewall check */ +#define IP_FW_MODE_ACCT_IN 0x01 /* accounting (incoming) */ +#define IP_FW_MODE_ACCT_OUT 0x02 /* accounting (outgoing) */ +#define IP_FW_MODE_CHK 0x04 /* check requested by user */ + +#include <linux/config.h> +#ifdef CONFIG_IP_FIREWALL +extern struct ip_fw *ip_fw_in_chain; +extern struct ip_fw *ip_fw_out_chain; +extern struct ip_fw *ip_fw_fwd_chain; +extern int ip_fw_in_policy; +extern int ip_fw_out_policy; +extern int ip_fw_fwd_policy; +extern int ip_fw_ctl(int, void *, int); +#endif +#ifdef CONFIG_IP_ACCT +extern struct ip_fw *ip_acct_chain; +extern int ip_acct_ctl(int, void *, int); +#endif +#ifdef CONFIG_IP_MASQUERADE +extern int ip_masq_ctl(int, void *, int); +#endif +#ifdef CONFIG_IP_MASQUERADE +extern int ip_masq_ctl(int, void *, int); +#endif + +extern int ip_fw_masq_timeouts(void *user, int len); + +extern int ip_fw_chk(struct iphdr *, struct net_device *, __u16 *, + struct ip_fw *, int, int); +#endif /* KERNEL */ +#endif /* _IP_FW_H */ diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h new file mode 100644 index 000000000..481e12846 --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_LOG.h @@ -0,0 +1,15 @@ +#ifndef _IPT_LOG_H +#define _IPT_LOG_H + +#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ +#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */ +#define IPT_LOG_IPOPT 0x04 /* Log IP options */ +#define IPT_LOG_MASK 0x07 + +struct ipt_log_info { + unsigned char level; + unsigned char logflags; + char prefix[30]; +}; + +#endif /*_IPT_LOG_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_MARK.h b/include/linux/netfilter_ipv4/ipt_MARK.h new file mode 100644 index 000000000..cc57ae7a3 --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_MARK.h @@ -0,0 +1,8 @@ +#ifndef _IPT_MARK_H_target +#define _IPT_MARK_H_target + +struct ipt_mark_target_info { + unsigned long mark; +}; + +#endif /*_IPT_MARK_H_target*/ diff --git a/include/linux/netfilter_ipv4/ipt_REJECT.h b/include/linux/netfilter_ipv4/ipt_REJECT.h new file mode 100644 index 000000000..1ceebe211 --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_REJECT.h @@ -0,0 +1,17 @@ +#ifndef _IPT_REJECT_H +#define _IPT_REJECT_H + +enum ipt_reject_with { + IPT_ICMP_NET_UNREACHABLE, + IPT_ICMP_HOST_UNREACHABLE, + IPT_ICMP_PROT_UNREACHABLE, + IPT_ICMP_PORT_UNREACHABLE, + IPT_ICMP_ECHOREPLY, + IPT_TCP_RESET, +}; + +struct ipt_reject_info { + enum ipt_reject_with with; /* reject type */ +}; + +#endif /*_IPT_REJECT_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_TOS.h b/include/linux/netfilter_ipv4/ipt_TOS.h new file mode 100644 index 000000000..6bf9e1fdf --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_TOS.h @@ -0,0 +1,12 @@ +#ifndef _IPT_TOS_H_target +#define _IPT_TOS_H_target + +#ifndef IPTOS_NORMALSVC +#define IPTOS_NORMALSVC 0 +#endif + +struct ipt_tos_target_info { + u_int8_t tos; +}; + +#endif /*_IPT_TOS_H_target*/ diff --git a/include/linux/netfilter_ipv4/ipt_limit.h b/include/linux/netfilter_ipv4/ipt_limit.h new file mode 100644 index 000000000..256453409 --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_limit.h @@ -0,0 +1,21 @@ +#ifndef _IPT_RATE_H +#define _IPT_RATE_H + +/* timings are in milliseconds. */ +#define IPT_LIMIT_SCALE 10000 + +/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 + seconds, or one every 59 hours. */ +struct ipt_rateinfo { + u_int32_t avg; /* Average secs between packets * scale */ + u_int32_t burst; /* Period multiplier for upper limit. */ + + /* Used internally by the kernel */ + unsigned long prev; + u_int32_t credit; + u_int32_t credit_cap, cost; + + /* Ugly, ugly fucker. */ + struct ipt_rateinfo *master; +}; +#endif /*_IPT_RATE_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_mac.h b/include/linux/netfilter_ipv4/ipt_mac.h new file mode 100644 index 000000000..f8d5b8e7c --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_mac.h @@ -0,0 +1,8 @@ +#ifndef _IPT_MAC_H +#define _IPT_MAC_H + +struct ipt_mac_info { + unsigned char srcaddr[ETH_ALEN]; + int invert; +}; +#endif /*_IPT_MAC_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_mark.h b/include/linux/netfilter_ipv4/ipt_mark.h new file mode 100644 index 000000000..f3952b563 --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_mark.h @@ -0,0 +1,9 @@ +#ifndef _IPT_MARK_H +#define _IPT_MARK_H + +struct ipt_mark_info { + unsigned long mark, mask; + u_int8_t invert; +}; + +#endif /*_IPT_MARK_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_multiport.h b/include/linux/netfilter_ipv4/ipt_multiport.h new file mode 100644 index 000000000..f6e50ae92 --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_multiport.h @@ -0,0 +1,21 @@ +#ifndef _IPT_MULTIPORT_H +#define _IPT_MULTIPORT_H +#include <linux/netfilter_ipv4/ip_tables.h> + +enum ipt_multiport_flags +{ + IPT_MULTIPORT_SOURCE, + IPT_MULTIPORT_DESTINATION, + IPT_MULTIPORT_EITHER +}; + +#define IPT_MULTI_PORTS 15 + +/* Must fit inside union ipt_matchinfo: 16 bytes */ +struct ipt_multiport +{ + u_int8_t flags; /* Type of comparison */ + u_int8_t count; /* Number of ports */ + u_int16_t ports[IPT_MULTI_PORTS]; /* Ports */ +}; +#endif /*_IPT_MULTIPORT_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_owner.h b/include/linux/netfilter_ipv4/ipt_owner.h new file mode 100644 index 000000000..b014ef8b3 --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_owner.h @@ -0,0 +1,18 @@ +#ifndef _IPT_OWNER_H +#define _IPT_OWNER_H + +/* match and invert flags */ +#define IPT_OWNER_UID 0x01 +#define IPT_OWNER_GID 0x02 +#define IPT_OWNER_PID 0x04 +#define IPT_OWNER_SID 0x08 + +struct ipt_owner_info { + uid_t uid; + gid_t gid; + pid_t pid; + pid_t sid; + u_int8_t match, invert; /* flags */ +}; + +#endif /*_IPT_OWNER_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_state.h b/include/linux/netfilter_ipv4/ipt_state.h new file mode 100644 index 000000000..ad11d316a --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_state.h @@ -0,0 +1,12 @@ +#ifndef _IPT_STATE_H +#define _IPT_STATE_H + +#define _IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)+1)) +#define IPT_STATE_BIT(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? _IPT_STATE_BIT((ctinfo)-IP_CT_IS_REPLY) : _IPT_STATE_BIT(ctinfo)) +#define IPT_STATE_INVALID (1 << 0) + +struct ipt_state_info +{ + unsigned int statemask; +}; +#endif /*_IPT_STATE_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_tos.h b/include/linux/netfilter_ipv4/ipt_tos.h new file mode 100644 index 000000000..a21f5df23 --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_tos.h @@ -0,0 +1,13 @@ +#ifndef _IPT_TOS_H +#define _IPT_TOS_H + +struct ipt_tos_info { + u_int8_t tos; + u_int8_t invert; +}; + +#ifndef IPTOS_NORMALSVC +#define IPTOS_NORMALSVC 0 +#endif + +#endif /*_IPT_TOS_H*/ diff --git a/include/linux/netfilter_ipv4/listhelp.h b/include/linux/netfilter_ipv4/listhelp.h new file mode 100644 index 000000000..e64a0eeb8 --- /dev/null +++ b/include/linux/netfilter_ipv4/listhelp.h @@ -0,0 +1,115 @@ +#ifndef _LISTHELP_H +#define _LISTHELP_H +#include <linux/config.h> +#include <linux/list.h> +#include <linux/netfilter_ipv4/lockhelp.h> + +/* Header to do more comprehensive job than linux/list.h; assume list + is first entry in structure. */ + +/* Return pointer to first true entry, if any, or NULL. A macro + required to allow inlining of cmpfn. */ +#define LIST_FIND(head, cmpfn, type, args...) \ +({ \ + const struct list_head *__i = (head); \ + \ + ASSERT_READ_LOCK(head); \ + do { \ + __i = __i->next; \ + if (__i == (head)) { \ + __i = NULL; \ + break; \ + } \ + } while (!cmpfn((const type)__i , ## args)); \ + (type)__i; \ +}) + +#define LIST_FIND_W(head, cmpfn, type, args...) \ +({ \ + const struct list_head *__i = (head); \ + \ + ASSERT_WRITE_LOCK(head); \ + do { \ + __i = __i->next; \ + if (__i == (head)) { \ + __i = NULL; \ + break; \ + } \ + } while (!cmpfn((type)__i , ## args)); \ + (type)__i; \ +}) + +extern inline int +__list_cmp_same(const void *p1, const void *p2) { return p1 == p2; } + +/* Is this entry in the list? */ +extern inline int +list_inlist(struct list_head *head, const void *entry) +{ + return LIST_FIND(head, __list_cmp_same, void *, entry) != NULL; +} + +/* Delete from list. */ +#ifdef CONFIG_NETFILTER_DEBUG +#define LIST_DELETE(head, oldentry) \ +do { \ + ASSERT_WRITE_LOCK(head); \ + if (!list_inlist(head, oldentry)) \ + printk("LIST_DELETE: %s:%u `%s'(%p) not in %s.\n", \ + __FILE__, __LINE__, #oldentry, oldentry, #head); \ + else list_del((struct list_head *)oldentry); \ +} while(0) +#else +#define LIST_DELETE(head, oldentry) list_del((struct list_head *)oldentry) +#endif + +/* Append. */ +extern inline void +list_append(struct list_head *head, void *new) +{ + ASSERT_WRITE_LOCK(head); + list_add((new), (head)->prev); +} + +/* Prepend. */ +extern inline void +list_prepend(struct list_head *head, void *new) +{ + ASSERT_WRITE_LOCK(head); + list_add(new, head); +} + +/* Insert according to ordering function; insert before first true. */ +#define LIST_INSERT(head, new, cmpfn) \ +do { \ + struct list_head *__i; \ + ASSERT_WRITE_LOCK(head); \ + for (__i = (head)->next; \ + !cmpfn((new), (typeof (new))__i) && __i != (head); \ + __i = __i->next); \ + list_add((struct list_head *)(new), __i->prev); \ +} while(0) + +/* If the field after the list_head is a nul-terminated string, you + can use these functions. */ +extern inline int __list_cmp_name(const void *i, const char *name) +{ + return strcmp(name, i+sizeof(struct list_head)) == 0; +} + +/* Returns false if same name already in list, otherwise does insert. */ +extern inline int +list_named_insert(struct list_head *head, void *new) +{ + if (LIST_FIND(head, __list_cmp_name, void *, + new + sizeof(struct list_head))) + return 0; + list_prepend(head, new); + return 1; +} + +/* Find this named element in the list. */ +#define list_named_find(head, name) \ +LIST_FIND(head, __list_cmp_name, void *, name) + +#endif /*_LISTHELP_H*/ diff --git a/include/linux/netfilter_ipv4/lockhelp.h b/include/linux/netfilter_ipv4/lockhelp.h new file mode 100644 index 000000000..89dd63f9f --- /dev/null +++ b/include/linux/netfilter_ipv4/lockhelp.h @@ -0,0 +1,129 @@ +#ifndef _LOCKHELP_H +#define _LOCKHELP_H +#include <linux/config.h> + +#include <linux/spinlock.h> +#include <asm/atomic.h> +#include <linux/interrupt.h> +#include <linux/smp.h> + +/* Header to do help in lock debugging. */ + +#ifdef CONFIG_NETFILTER_DEBUG +struct spinlock_debug +{ + spinlock_t l; + atomic_t locked_by; +}; + +struct rwlock_debug +{ + rwlock_t l; + int read_locked_map; + int write_locked_map; +}; + +#define DECLARE_LOCK(l) \ +struct spinlock_debug l = { SPIN_LOCK_UNLOCKED, ATOMIC_INIT(-1) } +#define DECLARE_LOCK_EXTERN(l) \ +extern struct spinlock_debug l +#define DECLARE_RWLOCK(l) \ +struct rwlock_debug l = { RW_LOCK_UNLOCKED, 0, 0 } +#define DECLARE_RWLOCK_EXTERN(l) \ +extern struct rwlock_debug l + +#define MUST_BE_LOCKED(l) \ +do { if (atomic_read(&(l)->locked_by) != smp_processor_id()) \ + printk("ASSERT %s:%u %s unlocked\n", __FILE__, __LINE__, #l); \ +} while(0) + +#define MUST_BE_UNLOCKED(l) \ +do { if (atomic_read(&(l)->locked_by) == smp_processor_id()) \ + printk("ASSERT %s:%u %s locked\n", __FILE__, __LINE__, #l); \ +} while(0) + +/* Write locked OK as well. */ \ +#define MUST_BE_READ_LOCKED(l) \ +do { if (!((l)->read_locked_map & (1 << smp_processor_id())) \ + && !((l)->write_locked_map & (1 << smp_processor_id()))) \ + printk("ASSERT %s:%u %s not readlocked\n", __FILE__, __LINE__, #l); \ +} while(0) + +#define MUST_BE_WRITE_LOCKED(l) \ +do { if (!((l)->write_locked_map & (1 << smp_processor_id()))) \ + printk("ASSERT %s:%u %s not writelocked\n", __FILE__, __LINE__, #l); \ +} while(0) + +#define MUST_BE_READ_WRITE_UNLOCKED(l) \ +do { if ((l)->read_locked_map & (1 << smp_processor_id())) \ + printk("ASSERT %s:%u %s readlocked\n", __FILE__, __LINE__, #l); \ + else if ((l)->write_locked_map & (1 << smp_processor_id())) \ + printk("ASSERT %s:%u %s writelocked\n", __FILE__, __LINE__, #l); \ +} while(0) + +#define LOCK_BH(lk) \ +do { \ + MUST_BE_UNLOCKED(lk); \ + spin_lock_bh(&(lk)->l); \ + atomic_set(&(lk)->locked_by, smp_processor_id()); \ +} while(0) + +#define UNLOCK_BH(lk) \ +do { \ + MUST_BE_LOCKED(lk); \ + atomic_set(&(lk)->locked_by, -1); \ + spin_unlock_bh(&(lk)->l); \ +} while(0) + +#define READ_LOCK(lk) \ +do { \ + MUST_BE_READ_WRITE_UNLOCKED(lk); \ + read_lock_bh(&(lk)->l); \ + set_bit(smp_processor_id(), &(lk)->read_locked_map); \ +} while(0) + +#define WRITE_LOCK(lk) \ +do { \ + MUST_BE_READ_WRITE_UNLOCKED(lk); \ + write_lock_bh(&(lk)->l); \ + set_bit(smp_processor_id(), &(lk)->write_locked_map); \ +} while(0) + +#define READ_UNLOCK(lk) \ +do { \ + if (!((lk)->read_locked_map & (1 << smp_processor_id()))) \ + printk("ASSERT: %s:%u %s not readlocked\n", \ + __FILE__, __LINE__, #lk); \ + clear_bit(smp_processor_id(), &(lk)->read_locked_map); \ + read_unlock_bh(&(lk)->l); \ +} while(0) + +#define WRITE_UNLOCK(lk) \ +do { \ + MUST_BE_WRITE_LOCKED(lk); \ + clear_bit(smp_processor_id(), &(lk)->write_locked_map); \ + write_unlock_bh(&(lk)->l); \ +} while(0) + +#else +#define DECLARE_LOCK(l) spinlock_t l = SPIN_LOCK_UNLOCKED +#define DECLARE_LOCK_EXTERN(l) extern spinlock_t l +#define DECLARE_RWLOCK(l) rwlock_t l = RW_LOCK_UNLOCKED +#define DECLARE_RWLOCK_EXTERN(l) extern rwlock_t l + +#define MUST_BE_LOCKED(l) +#define MUST_BE_UNLOCKED(l) +#define MUST_BE_READ_LOCKED(l) +#define MUST_BE_WRITE_LOCKED(l) +#define MUST_BE_READ_WRITE_UNLOCKED(l) + +#define LOCK_BH(l) spin_lock_bh(l) +#define UNLOCK_BH(l) spin_unlock_bh(l) + +#define READ_LOCK(l) read_lock_bh(l) +#define WRITE_LOCK(l) write_lock_bh(l) +#define READ_UNLOCK(l) read_unlock_bh(l) +#define WRITE_UNLOCK(l) write_unlock_bh(l) +#endif /*CONFIG_NETFILTER_DEBUG*/ + +#endif /* _LOCKHELP_H */ diff --git a/include/linux/nfsd/nfsd.h b/include/linux/nfsd/nfsd.h index a2f4897fc..42663e79b 100644 --- a/include/linux/nfsd/nfsd.h +++ b/include/linux/nfsd/nfsd.h @@ -172,6 +172,9 @@ void nfsd_lockd_unexport(struct svc_client *); #define nfserr_badtype __constant_htonl(NFSERR_BADTYPE) #define nfserr_jukebox __constant_htonl(NFSERR_JUKEBOX) +/* Check for dir entries '.' and '..' */ +#define isdotent(n, l) (l < 3 && n[0] == '.' && (l == 1 || n[1] == '.')) + /* * Time of server startup */ diff --git a/include/linux/pci.h b/include/linux/pci.h index 413def0a9..472c9d87e 100644 --- a/include/linux/pci.h +++ b/include/linux/pci.h @@ -293,8 +293,6 @@ #define PCI_DMA_FROMDEVICE 2 #define PCI_DMA_NONE 3 -#include <asm/pci.h> - #define DEVICE_COUNT_COMPATIBLE 4 #define DEVICE_COUNT_IRQ 2 #define DEVICE_COUNT_DMA 2 @@ -542,6 +540,10 @@ void pci_remove_device(struct pci_dev *); struct pci_driver *pci_dev_driver(const struct pci_dev *); const struct pci_device_id *pci_match_device(const struct pci_device_id *ids, const struct pci_dev *dev); +/* Include architecture-dependent settings and functions */ + +#include <asm/pci.h> + /* * If the system does not have PCI, clearly these return errors. Define * these as simple inline functions to avoid hair in drivers. @@ -580,6 +582,7 @@ extern inline int pci_module_init(struct pci_driver *drv) { return -ENODEV; } extern inline int pci_assign_resource(struct pci_dev *dev, int i) { return -EBUSY;} extern inline int pci_register_driver(struct pci_driver *drv) { return 0;} extern inline void pci_unregister_driver(struct pci_driver *drv) { } +extern inline int scsi_to_pci_dma_dir(unsigned char scsi_dir) { return scsi_dir; } #else diff --git a/include/linux/ppp_channel.h b/include/linux/ppp_channel.h index fdcfb8f75..d9ba188a0 100644 --- a/include/linux/ppp_channel.h +++ b/include/linux/ppp_channel.h @@ -61,8 +61,8 @@ extern int ppp_register_channel(struct ppp_channel *); /* Detach a channel from its PPP unit (e.g. on hangup). */ extern void ppp_unregister_channel(struct ppp_channel *); -/* Get the channel number for a channel */ -extern int ppp_channel_index(struct ppp_channel *); +/* Get the unit number associated with a channel */ +extern int ppp_unit_number(struct ppp_channel *); /* * SMP locking notes: diff --git a/include/linux/prctl.h b/include/linux/prctl.h index ca7a8cd8b..c6c42a55b 100644 --- a/include/linux/prctl.h +++ b/include/linux/prctl.h @@ -16,4 +16,8 @@ # define PR_UNALIGN_NOPRINT 1 /* silently fix up unaligned user accesses */ # define PR_UNALIGN_SIGBUS 2 /* generate SIGBUS on unaligned user access */ +/* Get/set whether or not to drop capabilities on setuid() away from uid 0 */ +#define PR_GET_KEEPCAPS 7 +#define PR_SET_KEEPCAPS 8 + #endif /* _LINUX_PRCTL_H */ diff --git a/include/linux/quota.h b/include/linux/quota.h index ad2380019..9324b9a02 100644 --- a/include/linux/quota.h +++ b/include/linux/quota.h @@ -174,7 +174,7 @@ struct dquot { int dq_count; /* Reference count */ /* fields after this point are cleared when invalidating */ - struct vfsmount *dq_mnt; /* VFS_mount_point this applies to */ + struct super_block *dq_sb; /* superblock this applies to */ unsigned int dq_id; /* ID this applies to (uid, gid) */ kdev_t dq_dev; /* Device this applies to */ short dq_type; /* Type of quota */ diff --git a/include/linux/quotaops.h b/include/linux/quotaops.h index 17371e58c..14ad1b7ca 100644 --- a/include/linux/quotaops.h +++ b/include/linux/quotaops.h @@ -20,7 +20,7 @@ extern void dquot_initialize(struct inode *inode, short type); extern void dquot_drop(struct inode *inode); extern void invalidate_dquots(kdev_t dev, short type); -extern int quota_off(kdev_t dev, short type); +extern int quota_off(struct super_block *sb, short type); extern int sync_dquots(kdev_t dev, short type); extern int dquot_alloc_block(const struct inode *inode, unsigned long number, char prealloc); @@ -103,7 +103,7 @@ extern __inline__ int DQUOT_TRANSFER(struct dentry *dentry, struct iattr *iattr) } #define DQUOT_SYNC(dev) sync_dquots(dev, -1) -#define DQUOT_OFF(dev) quota_off(dev, -1) +#define DQUOT_OFF(sb) quota_off(sb, -1) #else @@ -118,7 +118,7 @@ extern __inline__ int DQUOT_TRANSFER(struct dentry *dentry, struct iattr *iattr) #define DQUOT_FREE_BLOCK(sb, inode, nr) do { } while(0) #define DQUOT_FREE_INODE(sb, inode) do { } while(0) #define DQUOT_SYNC(dev) do { } while(0) -#define DQUOT_OFF(dev) do { } while(0) +#define DQUOT_OFF(sb) do { } while(0) /* * Special case expands to a simple notify_change. diff --git a/include/linux/sched.h b/include/linux/sched.h index 48050ccb0..75d010ca4 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -326,6 +326,7 @@ struct task_struct { int ngroups; gid_t groups[NGROUPS]; kernel_cap_t cap_effective, cap_inheritable, cap_permitted; + int keep_capabilities:1; struct user_struct *user; /* limits */ struct rlimit rlim[RLIM_NLIMITS]; @@ -414,6 +415,7 @@ struct task_struct { cap_effective: CAP_INIT_EFF_SET, \ cap_inheritable: CAP_INIT_INH_SET, \ cap_permitted: CAP_FULL_SET, \ + keep_capabilities: 0, \ rlim: INIT_RLIMITS, \ comm: "swapper", \ thread: INIT_THREAD, \ diff --git a/include/linux/shm.h b/include/linux/shm.h index c1ab5240b..bc56c5e20 100644 --- a/include/linux/shm.h +++ b/include/linux/shm.h @@ -11,8 +11,8 @@ #define SHMMAX 0x2000000 /* max shared seg size (bytes) */ #define SHMMIN 0 /* min shared seg size (bytes) */ -#define SHMMNI 128 /* max num of segs system wide */ -#define SHMALL (SHMMAX/PAGE_SIZE*SHMMNI) /* max shm system wide (pages) */ +#define SHMMNI 4096 /* max num of segs system wide */ +#define SHMALL (SHMMAX/PAGE_SIZE*(SHMMNI/16)) /* max shm system wide (pages) */ #define SHMSEG SHMMNI /* max shared segs per process */ #include <asm/shmparam.h> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 6081b0890..429089cc5 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -122,8 +122,6 @@ struct sk_buff { #ifdef CONFIG_NETFILTER /* Can be used for communication between hooks. */ unsigned long nfmark; - /* Reason for doing this to the packet (see netfilter.h) */ - __u32 nfreason; /* Cache info */ __u32 nfcache; /* Associated connection, if any */ diff --git a/include/linux/soundcard.h b/include/linux/soundcard.h index 2d5128dc4..ca8ad780d 100644 --- a/include/linux/soundcard.h +++ b/include/linux/soundcard.h @@ -552,6 +552,7 @@ typedef struct { # define AFMT_U16_LE 0x00000080 /* Little endian U16 */ # define AFMT_U16_BE 0x00000100 /* Big endian U16 */ # define AFMT_MPEG 0x00000200 /* MPEG (2) audio */ +# define AFMT_AC3 0x00000400 /* Dolby Digital AC3 */ /* * Buffer status queries. @@ -581,11 +582,14 @@ typedef struct audio_buf_info { /* but usually not */ # define DSP_CAP_TRIGGER 0x00001000 /* Supports SETTRIGGER */ # define DSP_CAP_MMAP 0x00002000 /* Supports mmap() */ +# define DSP_CAP_MULTI 0x00004000 /* support multiple open */ +# define DSP_CAP_BIND 0x00008000 /* channel binding to front/rear/cneter/lfe */ + #define SNDCTL_DSP_GETTRIGGER _SIOR ('P',16, int) #define SNDCTL_DSP_SETTRIGGER _SIOW ('P',16, int) # define PCM_ENABLE_INPUT 0x00000001 -# define PCM_ENABLE_OUTPUT 0x00000002 +# define PCM_ENABLE_OUTPUT 0x00000002 typedef struct count_info { int bytes; /* Total # of bytes processed */ @@ -606,6 +610,19 @@ typedef struct buffmem_desc { #define SNDCTL_DSP_SETDUPLEX _SIO ('P', 22) #define SNDCTL_DSP_GETODELAY _SIOR ('P', 23, int) +#define SNDCTL_DSP_GETCHANNELMASK _SIOWR('P', 64, int) +#define SNDCTL_DSP_BIND_CHANNEL _SIOWR('P', 65, int) +# define DSP_BIND_QUERY 0x00000000 +# define DSP_BIND_FRONT 0x00000001 +# define DSP_BIND_SURR 0x00000002 +# define DSP_BIND_CENTER_LFE 0x00000004 +# define DSP_BIND_HANDSET 0x00000008 +# define DSP_BIND_MIC 0x00000010 +# define DSP_BIND_MODEM1 0x00000020 +# define DSP_BIND_MODEM2 0x00000040 +# define DSP_BIND_I2S 0x00000080 +# define DSP_BIND_SPDIF 0x00000100 + /* * Application's profile defines the way how playback underrun situations should be handled. * |