diff -Nru iptables-1.4.3.orig/extensions/libxt_connmark.c iptables-1.4.3/extensions/libxt_connmark.c --- iptables-1.4.3.orig/extensions/libxt_connmark.c 2012-11-16 13:46:13.652449059 +0100 +++ iptables-1.4.3/extensions/libxt_connmark.c 2012-11-16 13:46:21.704449466 +0100 @@ -28,6 +28,11 @@ #include #include +struct xt_connmark_info { + unsigned long mark, mask; + u_int8_t invert; +}; + enum { F_MARK = 1 << 0, }; diff -Nru iptables-1.4.3.orig/extensions/libxt_CONNMARK.c iptables-1.4.3/extensions/libxt_CONNMARK.c --- iptables-1.4.3.orig/extensions/libxt_CONNMARK.c 2012-11-16 13:46:13.652449059 +0100 +++ iptables-1.4.3/extensions/libxt_CONNMARK.c 2012-11-16 13:46:21.700449466 +0100 @@ -28,6 +28,12 @@ #include #include +struct xt_connmark_target_info { + unsigned long mark; + unsigned long mask; + u_int8_t mode; +}; + enum { F_MARK = 1 << 0, F_SR_MARK = 1 << 1, diff -Nru iptables-1.4.3.orig/extensions/libxt_conntrack.c iptables-1.4.3/extensions/libxt_conntrack.c --- iptables-1.4.3.orig/extensions/libxt_conntrack.c 2012-11-16 13:46:13.656449058 +0100 +++ iptables-1.4.3/extensions/libxt_conntrack.c 2012-11-16 13:46:21.704449466 +0100 @@ -21,6 +21,39 @@ #include #include +struct ip_conntrack_old_tuple { + struct { + __be32 ip; + union { + __u16 all; + } u; + } src; + + struct { + __be32 ip; + union { + __u16 all; + } u; + + /* The protocol. */ + __u16 protonum; + } dst; +}; + +struct xt_conntrack_info { + unsigned int statemask, statusmask; + + struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX]; + struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX]; + + unsigned long expires_min, expires_max; + + /* Flags word */ + u_int8_t flags; + /* Inverse flags */ + u_int8_t invflags; +}; + static void conntrack_mt_help(void) { printf( diff -Nru iptables-1.4.3.orig/extensions/libxt_conntrack.c.orig iptables-1.4.3/extensions/libxt_conntrack.c.orig --- iptables-1.4.3.orig/extensions/libxt_conntrack.c.orig 1970-01-01 01:00:00.000000000 +0100 +++ iptables-1.4.3/extensions/libxt_conntrack.c.orig 2009-03-23 14:39:16.000000000 +0100 @@ -0,0 +1,1086 @@ +/* + * libxt_conntrack + * Shared library add-on to iptables for conntrack matching support. + * + * GPL (C) 2001 Marc Boucher (marc@mbsi.ca). + * Copyright © CC Computer Consultants GmbH, 2007 - 2008 + * Jan Engelhardt + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static void conntrack_mt_help(void) +{ + printf( +"conntrack match options:\n" +"[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]\n" +" State(s) to match\n" +"[!] --ctproto proto Protocol to match; by number or name, e.g. \"tcp\"\n" +"[!] --ctorigsrc address[/mask]\n" +"[!] --ctorigdst address[/mask]\n" +"[!] --ctreplsrc address[/mask]\n" +"[!] --ctrepldst address[/mask]\n" +" Original/Reply source/destination address\n" +"[!] --ctorigsrcport port\n" +"[!] --ctorigdstport port\n" +"[!] --ctreplsrcport port\n" +"[!] --ctrepldstport port\n" +" TCP/UDP/SCTP orig./reply source/destination port\n" +"[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]\n" +" Status(es) to match\n" +"[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n" +" value or range of values (inclusive)\n" +" --ctdir {ORIGINAL|REPLY} Flow direction of packet\n"); +} + +static const struct option conntrack_mt_opts_v0[] = { + {.name = "ctstate", .has_arg = true, .val = '1'}, + {.name = "ctproto", .has_arg = true, .val = '2'}, + {.name = "ctorigsrc", .has_arg = true, .val = '3'}, + {.name = "ctorigdst", .has_arg = true, .val = '4'}, + {.name = "ctreplsrc", .has_arg = true, .val = '5'}, + {.name = "ctrepldst", .has_arg = true, .val = '6'}, + {.name = "ctstatus", .has_arg = true, .val = '7'}, + {.name = "ctexpire", .has_arg = true, .val = '8'}, + { .name = NULL } +}; + +static const struct option conntrack_mt_opts[] = { + {.name = "ctstate", .has_arg = true, .val = '1'}, + {.name = "ctproto", .has_arg = true, .val = '2'}, + {.name = "ctorigsrc", .has_arg = true, .val = '3'}, + {.name = "ctorigdst", .has_arg = true, .val = '4'}, + {.name = "ctreplsrc", .has_arg = true, .val = '5'}, + {.name = "ctrepldst", .has_arg = true, .val = '6'}, + {.name = "ctstatus", .has_arg = true, .val = '7'}, + {.name = "ctexpire", .has_arg = true, .val = '8'}, + {.name = "ctorigsrcport", .has_arg = true, .val = 'a'}, + {.name = "ctorigdstport", .has_arg = true, .val = 'b'}, + {.name = "ctreplsrcport", .has_arg = true, .val = 'c'}, + {.name = "ctrepldstport", .has_arg = true, .val = 'd'}, + {.name = "ctdir", .has_arg = true, .val = 'e'}, + {.name = NULL}, +}; + +static int +parse_state(const char *state, size_t len, struct xt_conntrack_info *sinfo) +{ + if (strncasecmp(state, "INVALID", len) == 0) + sinfo->statemask |= XT_CONNTRACK_STATE_INVALID; + else if (strncasecmp(state, "NEW", len) == 0) + sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW); + else if (strncasecmp(state, "ESTABLISHED", len) == 0) + sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED); + else if (strncasecmp(state, "RELATED", len) == 0) + sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED); + else if (strncasecmp(state, "UNTRACKED", len) == 0) + sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED; + else if (strncasecmp(state, "SNAT", len) == 0) + sinfo->statemask |= XT_CONNTRACK_STATE_SNAT; + else if (strncasecmp(state, "DNAT", len) == 0) + sinfo->statemask |= XT_CONNTRACK_STATE_DNAT; + else + return 0; + return 1; +} + +static void +parse_states(const char *arg, struct xt_conntrack_info *sinfo) +{ + const char *comma; + + while ((comma = strchr(arg, ',')) != NULL) { + if (comma == arg || !parse_state(arg, comma-arg, sinfo)) + xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg); + arg = comma+1; + } + if (!*arg) + xtables_error(PARAMETER_PROBLEM, "\"--ctstate\" requires a list of " + "states with no spaces, e.g. " + "ESTABLISHED,RELATED"); + if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo)) + xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg); +} + +static bool +conntrack_ps_state(struct xt_conntrack_mtinfo1 *info, const char *state, + size_t z) +{ + if (strncasecmp(state, "INVALID", z) == 0) + info->state_mask |= XT_CONNTRACK_STATE_INVALID; + else if (strncasecmp(state, "NEW", z) == 0) + info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW); + else if (strncasecmp(state, "ESTABLISHED", z) == 0) + info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED); + else if (strncasecmp(state, "RELATED", z) == 0) + info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED); + else if (strncasecmp(state, "UNTRACKED", z) == 0) + info->state_mask |= XT_CONNTRACK_STATE_UNTRACKED; + else if (strncasecmp(state, "SNAT", z) == 0) + info->state_mask |= XT_CONNTRACK_STATE_SNAT; + else if (strncasecmp(state, "DNAT", z) == 0) + info->state_mask |= XT_CONNTRACK_STATE_DNAT; + else + return false; + return true; +} + +static void +conntrack_ps_states(struct xt_conntrack_mtinfo1 *info, const char *arg) +{ + const char *comma; + + while ((comma = strchr(arg, ',')) != NULL) { + if (comma == arg || !conntrack_ps_state(info, arg, comma - arg)) + xtables_error(PARAMETER_PROBLEM, + "Bad ctstate \"%s\"", arg); + arg = comma + 1; + } + + if (strlen(arg) == 0 || !conntrack_ps_state(info, arg, strlen(arg))) + xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg); +} + +static int +parse_status(const char *status, size_t len, struct xt_conntrack_info *sinfo) +{ + if (strncasecmp(status, "NONE", len) == 0) + sinfo->statusmask |= 0; + else if (strncasecmp(status, "EXPECTED", len) == 0) + sinfo->statusmask |= IPS_EXPECTED; + else if (strncasecmp(status, "SEEN_REPLY", len) == 0) + sinfo->statusmask |= IPS_SEEN_REPLY; + else if (strncasecmp(status, "ASSURED", len) == 0) + sinfo->statusmask |= IPS_ASSURED; +#ifdef IPS_CONFIRMED + else if (strncasecmp(status, "CONFIRMED", len) == 0) + sinfo->statusmask |= IPS_CONFIRMED; +#endif + else + return 0; + return 1; +} + +static void +parse_statuses(const char *arg, struct xt_conntrack_info *sinfo) +{ + const char *comma; + + while ((comma = strchr(arg, ',')) != NULL) { + if (comma == arg || !parse_status(arg, comma-arg, sinfo)) + xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg); + arg = comma+1; + } + + if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo)) + xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg); +} + +static bool +conntrack_ps_status(struct xt_conntrack_mtinfo1 *info, const char *status, + size_t z) +{ + if (strncasecmp(status, "NONE", z) == 0) + info->status_mask |= 0; + else if (strncasecmp(status, "EXPECTED", z) == 0) + info->status_mask |= IPS_EXPECTED; + else if (strncasecmp(status, "SEEN_REPLY", z) == 0) + info->status_mask |= IPS_SEEN_REPLY; + else if (strncasecmp(status, "ASSURED", z) == 0) + info->status_mask |= IPS_ASSURED; + else if (strncasecmp(status, "CONFIRMED", z) == 0) + info->status_mask |= IPS_CONFIRMED; + else + return false; + return true; +} + +static void +conntrack_ps_statuses(struct xt_conntrack_mtinfo1 *info, const char *arg) +{ + const char *comma; + + while ((comma = strchr(arg, ',')) != NULL) { + if (comma == arg || !conntrack_ps_status(info, arg, comma - arg)) + xtables_error(PARAMETER_PROBLEM, + "Bad ctstatus \"%s\"", arg); + arg = comma + 1; + } + + if (strlen(arg) == 0 || !conntrack_ps_status(info, arg, strlen(arg))) + xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg); +} + +static unsigned long +parse_expire(const char *s) +{ + unsigned int len; + + if (!xtables_strtoui(s, NULL, &len, 0, UINT32_MAX)) + xtables_error(PARAMETER_PROBLEM, "expire value invalid: \"%s\"\n", s); + else + return len; +} + +/* If a single value is provided, min and max are both set to the value */ +static void +parse_expires(const char *s, struct xt_conntrack_info *sinfo) +{ + char *buffer; + char *cp; + + buffer = strdup(s); + if ((cp = strchr(buffer, ':')) == NULL) + sinfo->expires_min = sinfo->expires_max = + parse_expire(buffer); + else { + *cp = '\0'; + cp++; + + sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0; + sinfo->expires_max = cp[0] + ? parse_expire(cp) + : (unsigned long)-1; + } + free(buffer); + + if (sinfo->expires_min > sinfo->expires_max) + xtables_error(PARAMETER_PROBLEM, + "expire min. range value `%lu' greater than max. " + "range value `%lu'", sinfo->expires_min, sinfo->expires_max); +} + +static void +conntrack_ps_expires(struct xt_conntrack_mtinfo1 *info, const char *s) +{ + unsigned int min, max; + char *end; + + if (!xtables_strtoui(s, &end, &min, 0, UINT32_MAX)) + xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s); + max = min; + if (*end == ':') + if (!xtables_strtoui(s, &end, &max, 0, UINT32_MAX)) + xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s); + if (*end != '\0') + xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s); + + if (min > max) + xtables_error(PARAMETER_PROBLEM, + "expire min. range value \"%u\" greater than max. " + "range value \"%u\"", min, max); + + info->expires_min = min; + info->expires_max = max; +} + +static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_conntrack_info *sinfo = (void *)(*match)->data; + char *protocol = NULL; + unsigned int naddrs = 0; + struct in_addr *addrs = NULL; + + + switch (c) { + case '1': + xtables_check_inverse(optarg, &invert, &optind, 0); + + parse_states(argv[optind-1], sinfo); + if (invert) { + sinfo->invflags |= XT_CONNTRACK_STATE; + } + sinfo->flags |= XT_CONNTRACK_STATE; + break; + + case '2': + xtables_check_inverse(optarg, &invert, &optind, 0); + + if(invert) + sinfo->invflags |= XT_CONNTRACK_PROTO; + + /* Canonicalize into lower case */ + for (protocol = argv[optind-1]; *protocol; protocol++) + *protocol = tolower(*protocol); + + protocol = argv[optind-1]; + sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = + xtables_parse_protocol(protocol); + + if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0 + && (sinfo->invflags & XT_INV_PROTO)) + xtables_error(PARAMETER_PROBLEM, + "rule would never match protocol"); + + sinfo->flags |= XT_CONNTRACK_PROTO; + break; + + case '3': + xtables_check_inverse(optarg, &invert, &optind, 0); + + if (invert) + sinfo->invflags |= XT_CONNTRACK_ORIGSRC; + + xtables_ipparse_any(argv[optind-1], &addrs, + &sinfo->sipmsk[IP_CT_DIR_ORIGINAL], + &naddrs); + if(naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + + if(naddrs == 1) { + sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = addrs[0].s_addr; + } + + sinfo->flags |= XT_CONNTRACK_ORIGSRC; + break; + + case '4': + xtables_check_inverse(optarg, &invert, &optind, 0); + + if (invert) + sinfo->invflags |= XT_CONNTRACK_ORIGDST; + + xtables_ipparse_any(argv[optind-1], &addrs, + &sinfo->dipmsk[IP_CT_DIR_ORIGINAL], + &naddrs); + if(naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + + if(naddrs == 1) { + sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = addrs[0].s_addr; + } + + sinfo->flags |= XT_CONNTRACK_ORIGDST; + break; + + case '5': + xtables_check_inverse(optarg, &invert, &optind, 0); + + if (invert) + sinfo->invflags |= XT_CONNTRACK_REPLSRC; + + xtables_ipparse_any(argv[optind-1], &addrs, + &sinfo->sipmsk[IP_CT_DIR_REPLY], + &naddrs); + if(naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + + if(naddrs == 1) { + sinfo->tuple[IP_CT_DIR_REPLY].src.ip = addrs[0].s_addr; + } + + sinfo->flags |= XT_CONNTRACK_REPLSRC; + break; + + case '6': + xtables_check_inverse(optarg, &invert, &optind, 0); + + if (invert) + sinfo->invflags |= XT_CONNTRACK_REPLDST; + + xtables_ipparse_any(argv[optind-1], &addrs, + &sinfo->dipmsk[IP_CT_DIR_REPLY], + &naddrs); + if(naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + + if(naddrs == 1) { + sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = addrs[0].s_addr; + } + + sinfo->flags |= XT_CONNTRACK_REPLDST; + break; + + case '7': + xtables_check_inverse(optarg, &invert, &optind, 0); + + parse_statuses(argv[optind-1], sinfo); + if (invert) { + sinfo->invflags |= XT_CONNTRACK_STATUS; + } + sinfo->flags |= XT_CONNTRACK_STATUS; + break; + + case '8': + xtables_check_inverse(optarg, &invert, &optind, 0); + + parse_expires(argv[optind-1], sinfo); + if (invert) { + sinfo->invflags |= XT_CONNTRACK_EXPIRES; + } + sinfo->flags |= XT_CONNTRACK_EXPIRES; + break; + + default: + return 0; + } + + *flags = sinfo->flags; + return 1; +} + +static int +conntrack_mt_parse(int c, char **argv, int invert, unsigned int *flags, + struct xt_entry_match **match) +{ + struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data; + unsigned int port; + char *p; + + switch (c) { + case '1': /* --ctstate */ + conntrack_ps_states(info, optarg); + info->match_flags |= XT_CONNTRACK_STATE; + if (invert) + info->invert_flags |= XT_CONNTRACK_STATE; + break; + + case '2': /* --ctproto */ + /* Canonicalize into lower case */ + for (p = optarg; *p != '\0'; ++p) + *p = tolower(*p); + info->l4proto = xtables_parse_protocol(optarg); + + if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO)) + xtables_error(PARAMETER_PROBLEM, "conntrack: rule would " + "never match protocol"); + + info->match_flags |= XT_CONNTRACK_PROTO; + if (invert) + info->invert_flags |= XT_CONNTRACK_PROTO; + break; + + case '7': /* --ctstatus */ + conntrack_ps_statuses(info, optarg); + info->match_flags |= XT_CONNTRACK_STATUS; + if (invert) + info->invert_flags |= XT_CONNTRACK_STATUS; + break; + + case '8': /* --ctexpire */ + conntrack_ps_expires(info, optarg); + info->match_flags |= XT_CONNTRACK_EXPIRES; + if (invert) + info->invert_flags |= XT_CONNTRACK_EXPIRES; + break; + + case 'a': /* --ctorigsrcport */ + if (!xtables_strtoui(optarg, NULL, &port, 0, UINT16_MAX)) + xtables_param_act(XTF_BAD_VALUE, "conntrack", + "--ctorigsrcport", optarg); + info->match_flags |= XT_CONNTRACK_ORIGSRC_PORT; + info->origsrc_port = htons(port); + if (invert) + info->invert_flags |= XT_CONNTRACK_ORIGSRC_PORT; + break; + + case 'b': /* --ctorigdstport */ + if (!xtables_strtoui(optarg, NULL, &port, 0, UINT16_MAX)) + xtables_param_act(XTF_BAD_VALUE, "conntrack", + "--ctorigdstport", optarg); + info->match_flags |= XT_CONNTRACK_ORIGDST_PORT; + info->origdst_port = htons(port); + if (invert) + info->invert_flags |= XT_CONNTRACK_ORIGDST_PORT; + break; + + case 'c': /* --ctreplsrcport */ + if (!xtables_strtoui(optarg, NULL, &port, 0, UINT16_MAX)) + xtables_param_act(XTF_BAD_VALUE, "conntrack", + "--ctreplsrcport", optarg); + info->match_flags |= XT_CONNTRACK_REPLSRC_PORT; + info->replsrc_port = htons(port); + if (invert) + info->invert_flags |= XT_CONNTRACK_REPLSRC_PORT; + break; + + case 'd': /* --ctrepldstport */ + if (!xtables_strtoui(optarg, NULL, &port, 0, UINT16_MAX)) + xtables_param_act(XTF_BAD_VALUE, "conntrack", + "--ctrepldstport", optarg); + info->match_flags |= XT_CONNTRACK_REPLDST_PORT; + info->repldst_port = htons(port); + if (invert) + info->invert_flags |= XT_CONNTRACK_REPLDST_PORT; + break; + + case 'e': /* --ctdir */ + xtables_param_act(XTF_NO_INVERT, "conntrack", "--ctdir", invert); + if (strcasecmp(optarg, "ORIGINAL") == 0) { + info->match_flags |= XT_CONNTRACK_DIRECTION; + info->invert_flags &= ~XT_CONNTRACK_DIRECTION; + } else if (strcasecmp(optarg, "REPLY") == 0) { + info->match_flags |= XT_CONNTRACK_DIRECTION; + info->invert_flags |= XT_CONNTRACK_DIRECTION; + } else { + xtables_param_act(XTF_BAD_VALUE, "conntrack", "--ctdir", optarg); + } + break; + + default: + return false; + } + + *flags = info->match_flags; + return true; +} + +static int +conntrack_mt4_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data; + struct in_addr *addr = NULL; + unsigned int naddrs = 0; + + switch (c) { + case '3': /* --ctorigsrc */ + xtables_ipparse_any(optarg, &addr, &info->origsrc_mask.in, + &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&info->origsrc_addr.in, addr, sizeof(*addr)); + info->match_flags |= XT_CONNTRACK_ORIGSRC; + if (invert) + info->invert_flags |= XT_CONNTRACK_ORIGSRC; + break; + + case '4': /* --ctorigdst */ + xtables_ipparse_any(optarg, &addr, &info->origdst_mask.in, + &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&info->origdst_addr.in, addr, sizeof(*addr)); + info->match_flags |= XT_CONNTRACK_ORIGDST; + if (invert) + info->invert_flags |= XT_CONNTRACK_ORIGDST; + break; + + case '5': /* --ctreplsrc */ + xtables_ipparse_any(optarg, &addr, &info->replsrc_mask.in, + &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&info->replsrc_addr.in, addr, sizeof(*addr)); + info->match_flags |= XT_CONNTRACK_REPLSRC; + if (invert) + info->invert_flags |= XT_CONNTRACK_REPLSRC; + break; + + case '6': /* --ctrepldst */ + xtables_ipparse_any(optarg, &addr, &info->repldst_mask.in, + &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&info->repldst_addr.in, addr, sizeof(*addr)); + info->match_flags |= XT_CONNTRACK_REPLDST; + if (invert) + info->invert_flags |= XT_CONNTRACK_REPLDST; + break; + + + default: + return conntrack_mt_parse(c, argv, invert, flags, match); + } + + *flags = info->match_flags; + return true; +} + +static int +conntrack_mt6_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data; + struct in6_addr *addr = NULL; + unsigned int naddrs = 0; + + switch (c) { + case '3': /* --ctorigsrc */ + xtables_ip6parse_any(optarg, &addr, + &info->origsrc_mask.in6, &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&info->origsrc_addr.in6, addr, sizeof(*addr)); + info->match_flags |= XT_CONNTRACK_ORIGSRC; + if (invert) + info->invert_flags |= XT_CONNTRACK_ORIGSRC; + break; + + case '4': /* --ctorigdst */ + xtables_ip6parse_any(optarg, &addr, + &info->origdst_mask.in6, &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&info->origdst_addr.in, addr, sizeof(*addr)); + info->match_flags |= XT_CONNTRACK_ORIGDST; + if (invert) + info->invert_flags |= XT_CONNTRACK_ORIGDST; + break; + + case '5': /* --ctreplsrc */ + xtables_ip6parse_any(optarg, &addr, + &info->replsrc_mask.in6, &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&info->replsrc_addr.in, addr, sizeof(*addr)); + info->match_flags |= XT_CONNTRACK_REPLSRC; + if (invert) + info->invert_flags |= XT_CONNTRACK_REPLSRC; + break; + + case '6': /* --ctrepldst */ + xtables_ip6parse_any(optarg, &addr, + &info->repldst_mask.in6, &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&info->repldst_addr.in, addr, sizeof(*addr)); + info->match_flags |= XT_CONNTRACK_REPLDST; + if (invert) + info->invert_flags |= XT_CONNTRACK_REPLDST; + break; + + + default: + return conntrack_mt_parse(c, argv, invert, flags, match); + } + + *flags = info->match_flags; + return true; +} + +static void conntrack_mt_check(unsigned int flags) +{ + if (flags == 0) + xtables_error(PARAMETER_PROBLEM, "conntrack: At least one option " + "is required"); +} + +static void +print_state(unsigned int statemask) +{ + const char *sep = ""; + + if (statemask & XT_CONNTRACK_STATE_INVALID) { + printf("%sINVALID", sep); + sep = ","; + } + if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) { + printf("%sNEW", sep); + sep = ","; + } + if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) { + printf("%sRELATED", sep); + sep = ","; + } + if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) { + printf("%sESTABLISHED", sep); + sep = ","; + } + if (statemask & XT_CONNTRACK_STATE_UNTRACKED) { + printf("%sUNTRACKED", sep); + sep = ","; + } + if (statemask & XT_CONNTRACK_STATE_SNAT) { + printf("%sSNAT", sep); + sep = ","; + } + if (statemask & XT_CONNTRACK_STATE_DNAT) { + printf("%sDNAT", sep); + sep = ","; + } + printf(" "); +} + +static void +print_status(unsigned int statusmask) +{ + const char *sep = ""; + + if (statusmask & IPS_EXPECTED) { + printf("%sEXPECTED", sep); + sep = ","; + } + if (statusmask & IPS_SEEN_REPLY) { + printf("%sSEEN_REPLY", sep); + sep = ","; + } + if (statusmask & IPS_ASSURED) { + printf("%sASSURED", sep); + sep = ","; + } + if (statusmask & IPS_CONFIRMED) { + printf("%sCONFIRMED", sep); + sep = ","; + } + if (statusmask == 0) + printf("%sNONE", sep); + printf(" "); +} + +static void +conntrack_dump_addr(const union nf_inet_addr *addr, + const union nf_inet_addr *mask, + unsigned int family, bool numeric) +{ + if (family == NFPROTO_IPV4) { + if (!numeric && addr->ip == 0) { + printf("anywhere "); + return; + } + if (numeric) + printf("%s ", xtables_ipaddr_to_numeric(&addr->in)); + else + printf("%s ", xtables_ipaddr_to_anyname(&addr->in)); + } else if (family == NFPROTO_IPV6) { + if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 && + addr->ip6[2] == 0 && addr->ip6[3] == 0) { + printf("anywhere "); + return; + } + if (numeric) + printf("%s ", xtables_ip6addr_to_numeric(&addr->in6)); + else + printf("%s ", xtables_ip6addr_to_anyname(&addr->in6)); + } +} + +static void +print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric) +{ + char buf[BUFSIZ]; + + if (inv) + printf("! "); + + if (mask->s_addr == 0L && !numeric) + printf("%s ", "anywhere"); + else { + if (numeric) + strcpy(buf, xtables_ipaddr_to_numeric(addr)); + else + strcpy(buf, xtables_ipaddr_to_anyname(addr)); + strcat(buf, xtables_ipmask_to_numeric(mask)); + printf("%s ", buf); + } +} + +static void +matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx) +{ + struct xt_conntrack_info *sinfo = (void *)match->data; + + if(sinfo->flags & XT_CONNTRACK_STATE) { + if (sinfo->invflags & XT_CONNTRACK_STATE) + printf("! "); + printf("%sctstate ", optpfx); + print_state(sinfo->statemask); + } + + if(sinfo->flags & XT_CONNTRACK_PROTO) { + if (sinfo->invflags & XT_CONNTRACK_PROTO) + printf("! "); + printf("%sctproto ", optpfx); + printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum); + } + + if(sinfo->flags & XT_CONNTRACK_ORIGSRC) { + if (sinfo->invflags & XT_CONNTRACK_ORIGSRC) + printf("! "); + printf("%sctorigsrc ", optpfx); + + print_addr( + (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, + &sinfo->sipmsk[IP_CT_DIR_ORIGINAL], + false, + numeric); + } + + if(sinfo->flags & XT_CONNTRACK_ORIGDST) { + if (sinfo->invflags & XT_CONNTRACK_ORIGDST) + printf("! "); + printf("%sctorigdst ", optpfx); + + print_addr( + (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, + &sinfo->dipmsk[IP_CT_DIR_ORIGINAL], + false, + numeric); + } + + if(sinfo->flags & XT_CONNTRACK_REPLSRC) { + if (sinfo->invflags & XT_CONNTRACK_REPLSRC) + printf("! "); + printf("%sctreplsrc ", optpfx); + + print_addr( + (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip, + &sinfo->sipmsk[IP_CT_DIR_REPLY], + false, + numeric); + } + + if(sinfo->flags & XT_CONNTRACK_REPLDST) { + if (sinfo->invflags & XT_CONNTRACK_REPLDST) + printf("! "); + printf("%sctrepldst ", optpfx); + + print_addr( + (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, + &sinfo->dipmsk[IP_CT_DIR_REPLY], + false, + numeric); + } + + if(sinfo->flags & XT_CONNTRACK_STATUS) { + if (sinfo->invflags & XT_CONNTRACK_STATUS) + printf("! "); + printf("%sctstatus ", optpfx); + print_status(sinfo->statusmask); + } + + if(sinfo->flags & XT_CONNTRACK_EXPIRES) { + if (sinfo->invflags & XT_CONNTRACK_EXPIRES) + printf("! "); + printf("%sctexpire ", optpfx); + + if (sinfo->expires_max == sinfo->expires_min) + printf("%lu ", sinfo->expires_min); + else + printf("%lu:%lu ", sinfo->expires_min, sinfo->expires_max); + } + + if (sinfo->flags & XT_CONNTRACK_DIRECTION) { + if (sinfo->invflags & XT_CONNTRACK_DIRECTION) + printf("%sctdir REPLY", optpfx); + else + printf("%sctdir ORIGINAL", optpfx); + } + +} + +static void +conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix, + unsigned int family, bool numeric) +{ + if (info->match_flags & XT_CONNTRACK_STATE) { + if (info->invert_flags & XT_CONNTRACK_STATE) + printf("! "); + printf("%sctstate ", prefix); + print_state(info->state_mask); + } + + if (info->match_flags & XT_CONNTRACK_PROTO) { + if (info->invert_flags & XT_CONNTRACK_PROTO) + printf("! "); + printf("%sctproto %u ", prefix, info->l4proto); + } + + if (info->match_flags & XT_CONNTRACK_ORIGSRC) { + if (info->invert_flags & XT_CONNTRACK_PROTO) + printf("! "); + printf("%sctorigsrc ", prefix); + conntrack_dump_addr(&info->origsrc_addr, &info->origsrc_mask, + family, numeric); + } + + if (info->match_flags & XT_CONNTRACK_ORIGDST) { + if (info->invert_flags & XT_CONNTRACK_PROTO) + printf("! "); + printf("%sctorigdst ", prefix); + conntrack_dump_addr(&info->origdst_addr, &info->origdst_mask, + family, numeric); + } + + if (info->match_flags & XT_CONNTRACK_REPLSRC) { + if (info->invert_flags & XT_CONNTRACK_PROTO) + printf("! "); + printf("%sctreplsrc ", prefix); + conntrack_dump_addr(&info->replsrc_addr, &info->replsrc_mask, + family, numeric); + } + + if (info->match_flags & XT_CONNTRACK_REPLDST) { + if (info->invert_flags & XT_CONNTRACK_PROTO) + printf("! "); + printf("%sctrepldst ", prefix); + conntrack_dump_addr(&info->repldst_addr, &info->repldst_mask, + family, numeric); + } + + if (info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) { + if (info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT) + printf("! "); + printf("%sctorigsrcport %u ", prefix, + ntohs(info->origsrc_port)); + } + + if (info->match_flags & XT_CONNTRACK_ORIGDST_PORT) { + if (info->invert_flags & XT_CONNTRACK_ORIGDST_PORT) + printf("! "); + printf("%sctorigdstport %u ", prefix, + ntohs(info->origdst_port)); + } + + if (info->match_flags & XT_CONNTRACK_REPLSRC_PORT) { + if (info->invert_flags & XT_CONNTRACK_REPLSRC_PORT) + printf("! "); + printf("%sctreplsrcport %u ", prefix, + ntohs(info->replsrc_port)); + } + + if (info->match_flags & XT_CONNTRACK_REPLDST_PORT) { + if (info->invert_flags & XT_CONNTRACK_REPLDST_PORT) + printf("! "); + printf("%sctrepldstport %u ", prefix, + ntohs(info->repldst_port)); + } + + if (info->match_flags & XT_CONNTRACK_STATUS) { + if (info->invert_flags & XT_CONNTRACK_STATUS) + printf("! "); + printf("%sctstatus ", prefix); + print_status(info->status_mask); + } + + if (info->match_flags & XT_CONNTRACK_EXPIRES) { + if (info->invert_flags & XT_CONNTRACK_EXPIRES) + printf("! "); + printf("%sctexpire ", prefix); + + if (info->expires_max == info->expires_min) + printf("%u ", (unsigned int)info->expires_min); + else + printf("%u:%u ", (unsigned int)info->expires_min, + (unsigned int)info->expires_max); + } + + if (info->match_flags & XT_CONNTRACK_DIRECTION) { + if (info->invert_flags & XT_CONNTRACK_DIRECTION) + printf("%sctdir REPLY", prefix); + else + printf("%sctdir ORIGINAL", prefix); + } +} + +static void conntrack_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + matchinfo_print(ip, match, numeric, ""); +} + +static void +conntrack_mt_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + conntrack_dump((const void *)match->data, "", NFPROTO_IPV4, numeric); +} + +static void +conntrack_mt6_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + conntrack_dump((const void *)match->data, "", NFPROTO_IPV6, numeric); +} + +static void conntrack_save(const void *ip, const struct xt_entry_match *match) +{ + matchinfo_print(ip, match, 1, "--"); +} + +static void conntrack_mt_save(const void *ip, + const struct xt_entry_match *match) +{ + conntrack_dump((const void *)match->data, "--", NFPROTO_IPV4, true); +} + +static void conntrack_mt6_save(const void *ip, + const struct xt_entry_match *match) +{ + conntrack_dump((const void *)match->data, "--", NFPROTO_IPV6, true); +} + +static struct xtables_match conntrack_match = { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 0, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_conntrack_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)), + .help = conntrack_mt_help, + .parse = conntrack_parse, + .final_check = conntrack_mt_check, + .print = conntrack_print, + .save = conntrack_save, + .extra_opts = conntrack_mt_opts_v0, +}; + +static struct xtables_match conntrack_mt_reg = { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 1, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .help = conntrack_mt_help, + .parse = conntrack_mt4_parse, + .final_check = conntrack_mt_check, + .print = conntrack_mt_print, + .save = conntrack_mt_save, + .extra_opts = conntrack_mt_opts, +}; + +static struct xtables_match conntrack_mt6_reg = { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 1, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .help = conntrack_mt_help, + .parse = conntrack_mt6_parse, + .final_check = conntrack_mt_check, + .print = conntrack_mt6_print, + .save = conntrack_mt6_save, + .extra_opts = conntrack_mt_opts, +}; + +void _init(void) +{ + xtables_register_match(&conntrack_match); + xtables_register_match(&conntrack_mt_reg); + xtables_register_match(&conntrack_mt6_reg); +} diff -Nru iptables-1.4.3.orig/extensions/libxt_iprange.c iptables-1.4.3/extensions/libxt_iprange.c --- iptables-1.4.3.orig/extensions/libxt_iprange.c 2012-11-16 13:46:13.656449058 +0100 +++ iptables-1.4.3/extensions/libxt_iprange.c 2012-11-16 13:46:21.704449466 +0100 @@ -9,7 +9,19 @@ #include #include #include -#include + +struct ipt_iprange { + /* Inclusive: network order. */ + __be32 min_ip, max_ip; +}; + +struct ipt_iprange_info { + struct ipt_iprange src; + struct ipt_iprange dst; + + /* Flags from above */ + u_int8_t flags; +}; enum { F_SRCIP = 1 << 0, diff -Nru iptables-1.4.3.orig/extensions/libxt_mark.c iptables-1.4.3/extensions/libxt_mark.c --- iptables-1.4.3.orig/extensions/libxt_mark.c 2012-11-16 13:46:13.656449058 +0100 +++ iptables-1.4.3/extensions/libxt_mark.c 2012-11-16 13:46:21.704449466 +0100 @@ -9,6 +9,11 @@ #include #include +struct xt_mark_info { + unsigned long mark, mask; + u_int8_t invert; +}; + enum { F_MARK = 1 << 0, }; diff -Nru iptables-1.4.3.orig/extensions/libxt_MARK.c iptables-1.4.3/extensions/libxt_MARK.c --- iptables-1.4.3.orig/extensions/libxt_MARK.c 2012-11-16 13:46:13.656449058 +0100 +++ iptables-1.4.3/extensions/libxt_MARK.c 2012-11-16 13:46:21.704449466 +0100 @@ -9,6 +9,23 @@ #include #include +/* Version 0 */ +struct xt_mark_target_info { + unsigned long mark; +}; + +/* Version 1 */ +enum { + XT_MARK_SET=0, + XT_MARK_AND, + XT_MARK_OR, +}; + +struct xt_mark_target_info_v1 { + unsigned long mark; + u_int8_t mode; +}; + enum { F_MARK = 1 << 0, }; diff -Nru iptables-1.4.3.orig/extensions/libxt_owner.c iptables-1.4.3/extensions/libxt_owner.c --- iptables-1.4.3.orig/extensions/libxt_owner.c 2012-11-16 13:46:13.656449058 +0100 +++ iptables-1.4.3/extensions/libxt_owner.c 2012-11-16 13:46:21.704449466 +0100 @@ -16,8 +16,38 @@ #include #include -#include -#include + +/* match and invert flags */ +enum { + IPT_OWNER_UID = 0x01, + IPT_OWNER_GID = 0x02, + IPT_OWNER_PID = 0x04, + IPT_OWNER_SID = 0x08, + IPT_OWNER_COMM = 0x10, + IP6T_OWNER_UID = IPT_OWNER_UID, + IP6T_OWNER_GID = IPT_OWNER_GID, + IP6T_OWNER_PID = IPT_OWNER_PID, + IP6T_OWNER_SID = IPT_OWNER_SID, + IP6T_OWNER_COMM = IPT_OWNER_COMM, +}; + +struct ipt_owner_info { + uid_t uid; + gid_t gid; + pid_t pid; + pid_t sid; + char comm[16]; + u_int8_t match, invert; /* flags */ +}; + +struct ip6t_owner_info { + uid_t uid; + gid_t gid; + pid_t pid; + pid_t sid; + char comm[16]; + u_int8_t match, invert; /* flags */ +}; /* * Note: "UINT32_MAX - 1" is used in the code because -1 is a reserved diff -Nru iptables-1.4.3.orig/extensions/libxt_tos.c iptables-1.4.3/extensions/libxt_tos.c --- iptables-1.4.3.orig/extensions/libxt_tos.c 2012-11-16 13:46:13.656449058 +0100 +++ iptables-1.4.3/extensions/libxt_tos.c 2012-11-16 13:46:21.708449466 +0100 @@ -13,9 +13,13 @@ #include #include -#include #include "tos_values.c" +struct ipt_tos_info { + u_int8_t tos; + u_int8_t invert; +}; + enum { FLAG_TOS = 1 << 0, }; diff -Nru iptables-1.4.3.orig/extensions/libxt_TOS.c iptables-1.4.3/extensions/libxt_TOS.c --- iptables-1.4.3.orig/extensions/libxt_TOS.c 2012-11-16 13:46:13.656449058 +0100 +++ iptables-1.4.3/extensions/libxt_TOS.c 2012-11-16 13:46:21.704449466 +0100 @@ -12,9 +12,12 @@ #include #include -#include #include "tos_values.c" +struct ipt_tos_target_info { + u_int8_t tos; +}; + enum { FLAG_TOS = 1 << 0, }; diff -Nru iptables-1.4.3.orig/extensions/tos_values.c iptables-1.4.3/extensions/tos_values.c --- iptables-1.4.3.orig/extensions/tos_values.c 2012-11-16 13:46:13.652449059 +0100 +++ iptables-1.4.3/extensions/tos_values.c 2012-11-16 13:46:21.708449466 +0100 @@ -3,6 +3,10 @@ #include #include +#ifndef IPTOS_NORMALSVC +# define IPTOS_NORMALSVC 0 +#endif + struct tos_value_mask { uint8_t value, mask; }; diff -Nru iptables-1.4.3.orig/include/linux/netfilter/nf_conntrack_common.h iptables-1.4.3/include/linux/netfilter/nf_conntrack_common.h --- iptables-1.4.3.orig/include/linux/netfilter/nf_conntrack_common.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/nf_conntrack_common.h 2012-11-16 13:46:21.708449466 +0100 @@ -3,8 +3,7 @@ /* Connection state tracking for netfilter. This is separated from, but required by, the NAT layer; it can also be used by an iptables extension. */ -enum ip_conntrack_info -{ +enum ip_conntrack_info { /* Part of an established connection (either direction). */ IP_CT_ESTABLISHED, @@ -75,74 +74,5 @@ IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), }; -/* Connection tracking event bits */ -enum ip_conntrack_events -{ - /* New conntrack */ - IPCT_NEW_BIT = 0, - IPCT_NEW = (1 << IPCT_NEW_BIT), - - /* Expected connection */ - IPCT_RELATED_BIT = 1, - IPCT_RELATED = (1 << IPCT_RELATED_BIT), - - /* Destroyed conntrack */ - IPCT_DESTROY_BIT = 2, - IPCT_DESTROY = (1 << IPCT_DESTROY_BIT), - - /* Timer has been refreshed */ - IPCT_REFRESH_BIT = 3, - IPCT_REFRESH = (1 << IPCT_REFRESH_BIT), - - /* Status has changed */ - IPCT_STATUS_BIT = 4, - IPCT_STATUS = (1 << IPCT_STATUS_BIT), - - /* Update of protocol info */ - IPCT_PROTOINFO_BIT = 5, - IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT), - - /* Volatile protocol info */ - IPCT_PROTOINFO_VOLATILE_BIT = 6, - IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT), - - /* New helper for conntrack */ - IPCT_HELPER_BIT = 7, - IPCT_HELPER = (1 << IPCT_HELPER_BIT), - - /* Update of helper info */ - IPCT_HELPINFO_BIT = 8, - IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT), - - /* Volatile helper info */ - IPCT_HELPINFO_VOLATILE_BIT = 9, - IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT), - - /* NAT info */ - IPCT_NATINFO_BIT = 10, - IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), - - /* Counter highest bit has been set, unused */ - IPCT_COUNTER_FILLING_BIT = 11, - IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT), - - /* Mark is set */ - IPCT_MARK_BIT = 12, - IPCT_MARK = (1 << IPCT_MARK_BIT), - - /* NAT sequence adjustment */ - IPCT_NATSEQADJ_BIT = 13, - IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT), - - /* Secmark is set */ - IPCT_SECMARK_BIT = 14, - IPCT_SECMARK = (1 << IPCT_SECMARK_BIT), -}; - -enum ip_conntrack_expect_events { - IPEXP_NEW_BIT = 0, - IPEXP_NEW = (1 << IPEXP_NEW_BIT), -}; - #endif /* _NF_CONNTRACK_COMMON_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/x_tables.h iptables-1.4.3/include/linux/netfilter/x_tables.h --- iptables-1.4.3.orig/include/linux/netfilter/x_tables.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/x_tables.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,54 +1,54 @@ #ifndef _X_TABLES_H #define _X_TABLES_H +#include + #define XT_FUNCTION_MAXNAMELEN 30 #define XT_TABLE_MAXNAMELEN 32 -struct xt_entry_match -{ +struct xt_entry_match { union { struct { - u_int16_t match_size; + __u16 match_size; /* Used by userspace */ char name[XT_FUNCTION_MAXNAMELEN-1]; - u_int8_t revision; + __u8 revision; } user; struct { - u_int16_t match_size; + __u16 match_size; /* Used inside the kernel */ struct xt_match *match; } kernel; /* Total length */ - u_int16_t match_size; + __u16 match_size; } u; unsigned char data[0]; }; -struct xt_entry_target -{ +struct xt_entry_target { union { struct { - u_int16_t target_size; + __u16 target_size; /* Used by userspace */ char name[XT_FUNCTION_MAXNAMELEN-1]; - u_int8_t revision; + __u8 revision; } user; struct { - u_int16_t target_size; + __u16 target_size; /* Used inside the kernel */ struct xt_target *target; } kernel; /* Total length */ - u_int16_t target_size; + __u16 target_size; } u; unsigned char data[0]; @@ -62,19 +62,17 @@ }, \ } -struct xt_standard_target -{ +struct xt_standard_target { struct xt_entry_target target; int verdict; }; /* The argument to IPT_SO_GET_REVISION_*. Returns highest revision * kernel supports, if >= revision. */ -struct xt_get_revision -{ +struct xt_get_revision { char name[XT_FUNCTION_MAXNAMELEN-1]; - u_int8_t revision; + __u8 revision; }; /* CONTINUE verdict for targets */ @@ -88,12 +86,11 @@ * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my * personal pleasure to remove it -HW */ -struct _xt_align -{ - u_int8_t u8; - u_int16_t u16; - u_int32_t u32; - u_int64_t u64; +struct _xt_align { + __u8 u8; + __u16 u16; + __u32 u32; + __u64 u64; }; #define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) \ @@ -107,14 +104,12 @@ #define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) #define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) -struct xt_counters -{ - u_int64_t pcnt, bcnt; /* Packet and byte counters */ +struct xt_counters { + __u64 pcnt, bcnt; /* Packet and byte counters */ }; /* The argument to IPT_SO_ADD_COUNTERS. */ -struct xt_counters_info -{ +struct xt_counters_info { /* Which table. */ char name[XT_TABLE_MAXNAMELEN]; diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_CLASSIFY.h iptables-1.4.3/include/linux/netfilter/xt_CLASSIFY.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_CLASSIFY.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_CLASSIFY.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,8 +1,10 @@ #ifndef _XT_CLASSIFY_H #define _XT_CLASSIFY_H +#include + struct xt_classify_target_info { - u_int32_t priority; + __u32 priority; }; #endif /*_XT_CLASSIFY_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_connbytes.h iptables-1.4.3/include/linux/netfilter/xt_connbytes.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_connbytes.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_connbytes.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_CONNBYTES_H #define _XT_CONNBYTES_H +#include + enum xt_connbytes_what { XT_CONNBYTES_PKTS, XT_CONNBYTES_BYTES, @@ -13,13 +15,12 @@ XT_CONNBYTES_DIR_BOTH, }; -struct xt_connbytes_info -{ +struct xt_connbytes_info { struct { aligned_u64 from; /* count to be matched */ aligned_u64 to; /* count to be matched */ } count; - u_int8_t what; /* ipt_connbytes_what */ - u_int8_t direction; /* ipt_connbytes_direction */ + __u8 what; /* ipt_connbytes_what */ + __u8 direction; /* ipt_connbytes_direction */ }; #endif diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_connmark.h iptables-1.4.3/include/linux/netfilter/xt_connmark.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_connmark.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_connmark.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_CONNMARK_H #define _XT_CONNMARK_H +#include + /* Copyright (C) 2002,2004 MARA Systems AB * by Henrik Nordstrom * @@ -10,14 +12,9 @@ * (at your option) any later version. */ -struct xt_connmark_info { - unsigned long mark, mask; - u_int8_t invert; -}; - struct xt_connmark_mtinfo1 { - u_int32_t mark, mask; - u_int8_t invert; + __u32 mark, mask; + __u8 invert; }; #endif /*_XT_CONNMARK_H*/ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_CONNMARK.h iptables-1.4.3/include/linux/netfilter/xt_CONNMARK.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_CONNMARK.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_CONNMARK.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_CONNMARK_H_target #define _XT_CONNMARK_H_target +#include + /* Copyright (C) 2002,2004 MARA Systems AB * by Henrik Nordstrom * @@ -16,15 +18,9 @@ XT_CONNMARK_RESTORE }; -struct xt_connmark_target_info { - unsigned long mark; - unsigned long mask; - u_int8_t mode; -}; - struct xt_connmark_tginfo1 { - u_int32_t ctmark, ctmask, nfmask; - u_int8_t mode; + __u32 ctmark, ctmask, nfmask; + __u8 mode; }; #endif /*_XT_CONNMARK_H_target*/ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_CONNSECMARK.h iptables-1.4.3/include/linux/netfilter/xt_CONNSECMARK.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_CONNSECMARK.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_CONNSECMARK.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,13 +1,15 @@ #ifndef _XT_CONNSECMARK_H_target #define _XT_CONNSECMARK_H_target +#include + enum { CONNSECMARK_SAVE = 1, CONNSECMARK_RESTORE, }; struct xt_connsecmark_target_info { - u_int8_t mode; + __u8 mode; }; #endif /*_XT_CONNSECMARK_H_target */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_conntrack.h iptables-1.4.3/include/linux/netfilter/xt_conntrack.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_conntrack.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_conntrack.h 2012-11-16 13:46:21.708449466 +0100 @@ -32,53 +32,17 @@ XT_CONNTRACK_DIRECTION = 1 << 12, }; -/* This is exposed to userspace, so remains frozen in time. */ -struct ip_conntrack_old_tuple -{ - struct { - __be32 ip; - union { - __u16 all; - } u; - } src; - - struct { - __be32 ip; - union { - __u16 all; - } u; - - /* The protocol. */ - __u16 protonum; - } dst; -}; - -struct xt_conntrack_info -{ - unsigned int statemask, statusmask; - - struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX]; - struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX]; - - unsigned long expires_min, expires_max; - - /* Flags word */ - u_int8_t flags; - /* Inverse flags */ - u_int8_t invflags; -}; - struct xt_conntrack_mtinfo1 { union nf_inet_addr origsrc_addr, origsrc_mask; union nf_inet_addr origdst_addr, origdst_mask; union nf_inet_addr replsrc_addr, replsrc_mask; union nf_inet_addr repldst_addr, repldst_mask; - u_int32_t expires_min, expires_max; - u_int16_t l4proto; + __u32 expires_min, expires_max; + __u16 l4proto; __be16 origsrc_port, origdst_port; __be16 replsrc_port, repldst_port; - u_int16_t match_flags, invert_flags; - u_int8_t state_mask, status_mask; + __u16 match_flags, invert_flags; + __u8 state_mask, status_mask; }; #endif /*_XT_CONNTRACK_H*/ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_conntrack.h.orig iptables-1.4.3/include/linux/netfilter/xt_conntrack.h.orig --- iptables-1.4.3.orig/include/linux/netfilter/xt_conntrack.h.orig 1970-01-01 01:00:00.000000000 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_conntrack.h.orig 2009-03-23 14:39:16.000000000 +0100 @@ -0,0 +1,84 @@ +/* Header file for kernel module to match connection tracking information. + * GPL (C) 2001 Marc Boucher (marc@mbsi.ca). + */ + +#ifndef _XT_CONNTRACK_H +#define _XT_CONNTRACK_H + +#include +#include + +#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) +#define XT_CONNTRACK_STATE_INVALID (1 << 0) + +#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1)) +#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2)) +#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3)) + +/* flags, invflags: */ +enum { + XT_CONNTRACK_STATE = 1 << 0, + XT_CONNTRACK_PROTO = 1 << 1, + XT_CONNTRACK_ORIGSRC = 1 << 2, + XT_CONNTRACK_ORIGDST = 1 << 3, + XT_CONNTRACK_REPLSRC = 1 << 4, + XT_CONNTRACK_REPLDST = 1 << 5, + XT_CONNTRACK_STATUS = 1 << 6, + XT_CONNTRACK_EXPIRES = 1 << 7, + XT_CONNTRACK_ORIGSRC_PORT = 1 << 8, + XT_CONNTRACK_ORIGDST_PORT = 1 << 9, + XT_CONNTRACK_REPLSRC_PORT = 1 << 10, + XT_CONNTRACK_REPLDST_PORT = 1 << 11, + XT_CONNTRACK_DIRECTION = 1 << 12, +}; + +/* This is exposed to userspace, so remains frozen in time. */ +struct ip_conntrack_old_tuple +{ + struct { + __be32 ip; + union { + __u16 all; + } u; + } src; + + struct { + __be32 ip; + union { + __u16 all; + } u; + + /* The protocol. */ + __u16 protonum; + } dst; +}; + +struct xt_conntrack_info +{ + unsigned int statemask, statusmask; + + struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX]; + struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX]; + + unsigned long expires_min, expires_max; + + /* Flags word */ + u_int8_t flags; + /* Inverse flags */ + u_int8_t invflags; +}; + +struct xt_conntrack_mtinfo1 { + union nf_inet_addr origsrc_addr, origsrc_mask; + union nf_inet_addr origdst_addr, origdst_mask; + union nf_inet_addr replsrc_addr, replsrc_mask; + union nf_inet_addr repldst_addr, repldst_mask; + u_int32_t expires_min, expires_max; + u_int16_t l4proto; + __be16 origsrc_port, origdst_port; + __be16 replsrc_port, repldst_port; + u_int16_t match_flags, invert_flags; + u_int8_t state_mask, status_mask; +}; + +#endif /*_XT_CONNTRACK_H*/ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_dccp.h iptables-1.4.3/include/linux/netfilter/xt_dccp.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_dccp.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_dccp.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_DCCP_H_ #define _XT_DCCP_H_ +#include + #define XT_DCCP_SRC_PORTS 0x01 #define XT_DCCP_DEST_PORTS 0x02 #define XT_DCCP_TYPE 0x04 @@ -9,14 +11,14 @@ #define XT_DCCP_VALID_FLAGS 0x0f struct xt_dccp_info { - u_int16_t dpts[2]; /* Min, Max */ - u_int16_t spts[2]; /* Min, Max */ + __u16 dpts[2]; /* Min, Max */ + __u16 spts[2]; /* Min, Max */ - u_int16_t flags; - u_int16_t invflags; + __u16 flags; + __u16 invflags; - u_int16_t typemask; - u_int8_t option; + __u16 typemask; + __u8 option; }; #endif /* _XT_DCCP_H_ */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_dscp.h iptables-1.4.3/include/linux/netfilter/xt_dscp.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_dscp.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_dscp.h 2012-11-16 13:46:21.708449466 +0100 @@ -10,20 +10,22 @@ #ifndef _XT_DSCP_H #define _XT_DSCP_H +#include + #define XT_DSCP_MASK 0xfc /* 11111100 */ #define XT_DSCP_SHIFT 2 #define XT_DSCP_MAX 0x3f /* 00111111 */ /* match info */ struct xt_dscp_info { - u_int8_t dscp; - u_int8_t invert; + __u8 dscp; + __u8 invert; }; struct xt_tos_match_info { - u_int8_t tos_mask; - u_int8_t tos_value; - u_int8_t invert; + __u8 tos_mask; + __u8 tos_value; + __u8 invert; }; #endif /* _XT_DSCP_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_DSCP.h iptables-1.4.3/include/linux/netfilter/xt_DSCP.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_DSCP.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_DSCP.h 2012-11-16 13:46:21.708449466 +0100 @@ -11,15 +11,16 @@ #ifndef _XT_DSCP_TARGET_H #define _XT_DSCP_TARGET_H #include +#include /* target info */ struct xt_DSCP_info { - u_int8_t dscp; + __u8 dscp; }; struct xt_tos_target_info { - u_int8_t tos_value; - u_int8_t tos_mask; + __u8 tos_value; + __u8 tos_mask; }; #endif /* _XT_DSCP_TARGET_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_esp.h iptables-1.4.3/include/linux/netfilter/xt_esp.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_esp.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_esp.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,10 +1,11 @@ #ifndef _XT_ESP_H #define _XT_ESP_H -struct xt_esp -{ - u_int32_t spis[2]; /* Security Parameter Index */ - u_int8_t invflags; /* Inverse flags */ +#include + +struct xt_esp { + __u32 spis[2]; /* Security Parameter Index */ + __u8 invflags; /* Inverse flags */ }; /* Values for "invflags" field in struct xt_esp. */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_hashlimit.h iptables-1.4.3/include/linux/netfilter/xt_hashlimit.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_hashlimit.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_hashlimit.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_HASHLIMIT_H #define _XT_HASHLIMIT_H +#include + /* timings are in milliseconds. */ #define XT_HASHLIMIT_SCALE 10000 /* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 @@ -18,15 +20,15 @@ }; struct hashlimit_cfg { - u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */ - u_int32_t avg; /* Average secs between packets * scale */ - u_int32_t burst; /* Period multiplier for upper limit. */ + __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ /* user specified */ - u_int32_t size; /* how many buckets */ - u_int32_t max; /* max number of entries */ - u_int32_t gc_interval; /* gc interval */ - u_int32_t expire; /* when do entries expire? */ + __u32 size; /* how many buckets */ + __u32 max; /* max number of entries */ + __u32 gc_interval; /* gc interval */ + __u32 expire; /* when do entries expire? */ }; struct xt_hashlimit_info { @@ -42,17 +44,17 @@ }; struct hashlimit_cfg1 { - u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */ - u_int32_t avg; /* Average secs between packets * scale */ - u_int32_t burst; /* Period multiplier for upper limit. */ + __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ /* user specified */ - u_int32_t size; /* how many buckets */ - u_int32_t max; /* max number of entries */ - u_int32_t gc_interval; /* gc interval */ - u_int32_t expire; /* when do entries expire? */ + __u32 size; /* how many buckets */ + __u32 max; /* max number of entries */ + __u32 gc_interval; /* gc interval */ + __u32 expire; /* when do entries expire? */ - u_int8_t srcmask, dstmask; + __u8 srcmask, dstmask; }; struct xt_hashlimit_mtinfo1 { diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_iprange.h iptables-1.4.3/include/linux/netfilter/xt_iprange.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_iprange.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_iprange.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,6 +1,8 @@ #ifndef _LINUX_NETFILTER_XT_IPRANGE_H #define _LINUX_NETFILTER_XT_IPRANGE_H 1 +#include + enum { IPRANGE_SRC = 1 << 0, /* match source IP address */ IPRANGE_DST = 1 << 1, /* match destination IP address */ @@ -11,7 +13,7 @@ struct xt_iprange_mtinfo { union nf_inet_addr src_min, src_max; union nf_inet_addr dst_min, dst_max; - u_int8_t flags; + __u8 flags; }; #endif /* _LINUX_NETFILTER_XT_IPRANGE_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_LED.h iptables-1.4.3/include/linux/netfilter/xt_LED.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_LED.h 1970-01-01 01:00:00.000000000 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_LED.h 2012-11-16 13:46:21.708449466 +0100 @@ -0,0 +1,15 @@ +#ifndef _XT_LED_H +#define _XT_LED_H + +#include + +struct xt_led_info { + char id[27]; /* Unique ID for this trigger in the LED class */ + __u8 always_blink; /* Blink even if the LED is already on */ + __u32 delay; /* Delay until LED is switched off after trigger */ + + /* Kernel data used in the module */ + void *internal_data __attribute__((aligned(8))); +}; + +#endif /* _XT_LED_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_length.h iptables-1.4.3/include/linux/netfilter/xt_length.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_length.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_length.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,9 +1,11 @@ #ifndef _XT_LENGTH_H #define _XT_LENGTH_H +#include + struct xt_length_info { - u_int16_t min, max; - u_int8_t invert; + __u16 min, max; + __u8 invert; }; #endif /*_XT_LENGTH_H*/ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_limit.h iptables-1.4.3/include/linux/netfilter/xt_limit.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_limit.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_limit.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,21 +1,24 @@ #ifndef _XT_RATE_H #define _XT_RATE_H +#include + /* timings are in milliseconds. */ #define XT_LIMIT_SCALE 10000 +struct xt_limit_priv; + /* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 seconds, or one every 59 hours. */ struct xt_rateinfo { - u_int32_t avg; /* Average secs between packets * scale */ - u_int32_t burst; /* Period multiplier for upper limit. */ + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ /* Used internally by the kernel */ - unsigned long prev; - u_int32_t credit; - u_int32_t credit_cap, cost; + unsigned long prev; /* moved to xt_limit_priv */ + __u32 credit; /* moved to xt_limit_priv */ + __u32 credit_cap, cost; - /* Ugly, ugly fucker. */ - struct xt_rateinfo *master; + struct xt_limit_priv *master; }; #endif /*_XT_RATE_H*/ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_mark.h iptables-1.4.3/include/linux/netfilter/xt_mark.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_mark.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_mark.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,14 +1,11 @@ #ifndef _XT_MARK_H #define _XT_MARK_H -struct xt_mark_info { - unsigned long mark, mask; - u_int8_t invert; -}; +#include struct xt_mark_mtinfo1 { - u_int32_t mark, mask; - u_int8_t invert; + __u32 mark, mask; + __u8 invert; }; #endif /*_XT_MARK_H*/ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_MARK.h iptables-1.4.3/include/linux/netfilter/xt_MARK.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_MARK.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_MARK.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,25 +1,10 @@ #ifndef _XT_MARK_H_target #define _XT_MARK_H_target -/* Version 0 */ -struct xt_mark_target_info { - unsigned long mark; -}; - -/* Version 1 */ -enum { - XT_MARK_SET=0, - XT_MARK_AND, - XT_MARK_OR, -}; - -struct xt_mark_target_info_v1 { - unsigned long mark; - u_int8_t mode; -}; +#include struct xt_mark_tginfo2 { - u_int32_t mark, mask; + __u32 mark, mask; }; #endif /*_XT_MARK_H_target */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_multiport.h iptables-1.4.3/include/linux/netfilter/xt_multiport.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_multiport.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_multiport.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,8 +1,9 @@ #ifndef _XT_MULTIPORT_H #define _XT_MULTIPORT_H -enum xt_multiport_flags -{ +#include + +enum xt_multiport_flags { XT_MULTIPORT_SOURCE, XT_MULTIPORT_DESTINATION, XT_MULTIPORT_EITHER @@ -11,20 +12,18 @@ #define XT_MULTI_PORTS 15 /* Must fit inside union xt_matchinfo: 16 bytes */ -struct xt_multiport -{ - u_int8_t flags; /* Type of comparison */ - u_int8_t count; /* Number of ports */ - u_int16_t ports[XT_MULTI_PORTS]; /* Ports */ +struct xt_multiport { + __u8 flags; /* Type of comparison */ + __u8 count; /* Number of ports */ + __u16 ports[XT_MULTI_PORTS]; /* Ports */ }; -struct xt_multiport_v1 -{ - u_int8_t flags; /* Type of comparison */ - u_int8_t count; /* Number of ports */ - u_int16_t ports[XT_MULTI_PORTS]; /* Ports */ - u_int8_t pflags[XT_MULTI_PORTS]; /* Port flags */ - u_int8_t invert; /* Invert flag */ +struct xt_multiport_v1 { + __u8 flags; /* Type of comparison */ + __u8 count; /* Number of ports */ + __u16 ports[XT_MULTI_PORTS]; /* Ports */ + __u8 pflags[XT_MULTI_PORTS]; /* Port flags */ + __u8 invert; /* Invert flag */ }; #endif /*_XT_MULTIPORT_H*/ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_NFLOG.h iptables-1.4.3/include/linux/netfilter/xt_NFLOG.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_NFLOG.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_NFLOG.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,17 +1,19 @@ #ifndef _XT_NFLOG_TARGET #define _XT_NFLOG_TARGET +#include + #define XT_NFLOG_DEFAULT_GROUP 0x1 -#define XT_NFLOG_DEFAULT_THRESHOLD 1 +#define XT_NFLOG_DEFAULT_THRESHOLD 0 #define XT_NFLOG_MASK 0x0 struct xt_nflog_info { - u_int32_t len; - u_int16_t group; - u_int16_t threshold; - u_int16_t flags; - u_int16_t pad; + __u32 len; + __u16 group; + __u16 threshold; + __u16 flags; + __u16 pad; char prefix[64]; }; diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_owner.h iptables-1.4.3/include/linux/netfilter/xt_owner.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_owner.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_owner.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_OWNER_MATCH_H #define _XT_OWNER_MATCH_H +#include + enum { XT_OWNER_UID = 1 << 0, XT_OWNER_GID = 1 << 1, @@ -8,9 +10,9 @@ }; struct xt_owner_match_info { - u_int32_t uid_min, uid_max; - u_int32_t gid_min, gid_max; - u_int8_t match, invert; + __u32 uid_min, uid_max; + __u32 gid_min, gid_max; + __u8 match, invert; }; #endif /* _XT_OWNER_MATCH_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_physdev.h iptables-1.4.3/include/linux/netfilter/xt_physdev.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_physdev.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_physdev.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_PHYSDEV_H #define _XT_PHYSDEV_H +#include + #define XT_PHYSDEV_OP_IN 0x01 #define XT_PHYSDEV_OP_OUT 0x02 @@ -14,8 +16,8 @@ char in_mask[IFNAMSIZ]; char physoutdev[IFNAMSIZ]; char out_mask[IFNAMSIZ]; - u_int8_t invert; - u_int8_t bitmask; + __u8 invert; + __u8 bitmask; }; #endif /*_XT_PHYSDEV_H*/ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_policy.h iptables-1.4.3/include/linux/netfilter/xt_policy.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_policy.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_policy.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,25 +1,24 @@ #ifndef _XT_POLICY_H #define _XT_POLICY_H +#include + #define XT_POLICY_MAX_ELEM 4 -enum xt_policy_flags -{ +enum xt_policy_flags { XT_POLICY_MATCH_IN = 0x1, XT_POLICY_MATCH_OUT = 0x2, XT_POLICY_MATCH_NONE = 0x4, XT_POLICY_MATCH_STRICT = 0x8, }; -enum xt_policy_modes -{ +enum xt_policy_modes { XT_POLICY_MODE_TRANSPORT, XT_POLICY_MODE_TUNNEL }; -struct xt_policy_spec -{ - u_int8_t saddr:1, +struct xt_policy_spec { + __u8 saddr:1, daddr:1, proto:1, mode:1, @@ -27,14 +26,12 @@ reqid:1; }; -union xt_policy_addr -{ +union xt_policy_addr { struct in_addr a4; struct in6_addr a6; }; -struct xt_policy_elem -{ +struct xt_policy_elem { union { struct { union xt_policy_addr saddr; @@ -44,19 +41,18 @@ }; }; __be32 spi; - u_int32_t reqid; - u_int8_t proto; - u_int8_t mode; + __u32 reqid; + __u8 proto; + __u8 mode; struct xt_policy_spec match; struct xt_policy_spec invert; }; -struct xt_policy_info -{ +struct xt_policy_info { struct xt_policy_elem pol[XT_POLICY_MAX_ELEM]; - u_int16_t flags; - u_int16_t len; + __u16 flags; + __u16 len; }; #endif /* _XT_POLICY_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_quota.h iptables-1.4.3/include/linux/netfilter/xt_quota.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_quota.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_quota.h 2012-11-16 13:46:21.712449466 +0100 @@ -6,13 +6,15 @@ }; #define XT_QUOTA_MASK 0x1 +struct xt_quota_priv; + struct xt_quota_info { u_int32_t flags; u_int32_t pad; /* Used internally by the kernel */ aligned_u64 quota; - struct xt_quota_info *master; + struct xt_quota_priv *master; }; #endif /* _XT_QUOTA_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_rateest.h iptables-1.4.3/include/linux/netfilter/xt_rateest.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_rateest.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_rateest.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_RATEEST_MATCH_H #define _XT_RATEEST_MATCH_H +#include + enum xt_rateest_match_flags { XT_RATEEST_MATCH_INVERT = 1<<0, XT_RATEEST_MATCH_ABS = 1<<1, @@ -20,12 +22,12 @@ struct xt_rateest_match_info { char name1[IFNAMSIZ]; char name2[IFNAMSIZ]; - u_int16_t flags; - u_int16_t mode; - u_int32_t bps1; - u_int32_t pps1; - u_int32_t bps2; - u_int32_t pps2; + __u16 flags; + __u16 mode; + __u32 bps1; + __u32 pps1; + __u32 bps2; + __u32 pps2; /* Used internally by the kernel */ struct xt_rateest *est1 __attribute__((aligned(8))); diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_RATEEST.h iptables-1.4.3/include/linux/netfilter/xt_RATEEST.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_RATEEST.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_RATEEST.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,10 +1,12 @@ #ifndef _XT_RATEEST_TARGET_H #define _XT_RATEEST_TARGET_H +#include + struct xt_rateest_target_info { char name[IFNAMSIZ]; - int8_t interval; - u_int8_t ewma_log; + __s8 interval; + __u8 ewma_log; /* Used internally by the kernel */ struct xt_rateest *est __attribute__((aligned(8))); diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_realm.h iptables-1.4.3/include/linux/netfilter/xt_realm.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_realm.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_realm.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,10 +1,12 @@ #ifndef _XT_REALM_H #define _XT_REALM_H +#include + struct xt_realm_info { - u_int32_t id; - u_int32_t mask; - u_int8_t invert; + __u32 id; + __u32 mask; + __u8 invert; }; #endif /* _XT_REALM_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_recent.h iptables-1.4.3/include/linux/netfilter/xt_recent.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_recent.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_recent.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,6 +1,8 @@ #ifndef _LINUX_NETFILTER_XT_RECENT_H #define _LINUX_NETFILTER_XT_RECENT_H 1 +#include + enum { XT_RECENT_CHECK = 1 << 0, XT_RECENT_SET = 1 << 1, @@ -15,12 +17,12 @@ }; struct xt_recent_mtinfo { - u_int32_t seconds; - u_int32_t hit_count; - u_int8_t check_set; - u_int8_t invert; + __u32 seconds; + __u32 hit_count; + __u8 check_set; + __u8 invert; char name[XT_RECENT_NAME_LEN]; - u_int8_t side; + __u8 side; }; #endif /* _LINUX_NETFILTER_XT_RECENT_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_sctp.h iptables-1.4.3/include/linux/netfilter/xt_sctp.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_sctp.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_sctp.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_SCTP_H_ #define _XT_SCTP_H_ +#include + #define XT_SCTP_SRC_PORTS 0x01 #define XT_SCTP_DEST_PORTS 0x02 #define XT_SCTP_CHUNK_TYPES 0x04 @@ -8,49 +10,49 @@ #define XT_SCTP_VALID_FLAGS 0x07 struct xt_sctp_flag_info { - u_int8_t chunktype; - u_int8_t flag; - u_int8_t flag_mask; + __u8 chunktype; + __u8 flag; + __u8 flag_mask; }; #define XT_NUM_SCTP_FLAGS 4 struct xt_sctp_info { - u_int16_t dpts[2]; /* Min, Max */ - u_int16_t spts[2]; /* Min, Max */ + __u16 dpts[2]; /* Min, Max */ + __u16 spts[2]; /* Min, Max */ - u_int32_t chunkmap[256 / sizeof (u_int32_t)]; /* Bit mask of chunks to be matched according to RFC 2960 */ + __u32 chunkmap[256 / sizeof (__u32)]; /* Bit mask of chunks to be matched according to RFC 2960 */ #define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */ #define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */ #define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */ - u_int32_t chunk_match_type; + __u32 chunk_match_type; struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS]; int flag_count; - u_int32_t flags; - u_int32_t invflags; + __u32 flags; + __u32 invflags; }; #define bytes(type) (sizeof(type) * 8) #define SCTP_CHUNKMAP_SET(chunkmap, type) \ do { \ - (chunkmap)[type / bytes(u_int32_t)] |= \ - 1 << (type % bytes(u_int32_t)); \ + (chunkmap)[type / bytes(__u32)] |= \ + 1 << (type % bytes(__u32)); \ } while (0) #define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ do { \ - (chunkmap)[type / bytes(u_int32_t)] &= \ - ~(1 << (type % bytes(u_int32_t))); \ + (chunkmap)[type / bytes(__u32)] &= \ + ~(1 << (type % bytes(__u32))); \ } while (0) #define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ ({ \ - ((chunkmap)[type / bytes (u_int32_t)] & \ - (1 << (type % bytes (u_int32_t)))) ? 1: 0; \ + ((chunkmap)[type / bytes (__u32)] & \ + (1 << (type % bytes (__u32)))) ? 1: 0; \ }) #define SCTP_CHUNKMAP_RESET(chunkmap) \ @@ -65,7 +67,7 @@ #define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \ __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap)) static __inline__ bool -__sctp_chunkmap_is_clear(const u_int32_t *chunkmap, unsigned int n) +__sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n) { unsigned int i; for (i = 0; i < n; ++i) @@ -77,7 +79,7 @@ #define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \ __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap)) static __inline__ bool -__sctp_chunkmap_is_all_set(const u_int32_t *chunkmap, unsigned int n) +__sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n) { unsigned int i; for (i = 0; i < n; ++i) diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_SECMARK.h iptables-1.4.3/include/linux/netfilter/xt_SECMARK.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_SECMARK.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_SECMARK.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_SECMARK_H_target #define _XT_SECMARK_H_target +#include + /* * This is intended for use by various security subsystems (but not * at the same time). @@ -12,12 +14,12 @@ #define SECMARK_SELCTX_MAX 256 struct xt_secmark_target_selinux_info { - u_int32_t selsid; + __u32 selsid; char selctx[SECMARK_SELCTX_MAX]; }; struct xt_secmark_target_info { - u_int8_t mode; + __u8 mode; union { struct xt_secmark_target_selinux_info sel; } u; diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_state.h iptables-1.4.3/include/linux/netfilter/xt_state.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_state.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_state.h 2012-11-16 13:46:21.712449466 +0100 @@ -6,8 +6,7 @@ #define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1)) -struct xt_state_info -{ +struct xt_state_info { unsigned int statemask; }; #endif /*_XT_STATE_H*/ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_statistic.h iptables-1.4.3/include/linux/netfilter/xt_statistic.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_statistic.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_statistic.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_STATISTIC_H #define _XT_STATISTIC_H +#include + enum xt_statistic_mode { XT_STATISTIC_MODE_RANDOM, XT_STATISTIC_MODE_NTH, @@ -13,21 +15,22 @@ }; #define XT_STATISTIC_MASK 0x1 +struct xt_statistic_priv; + struct xt_statistic_info { - u_int16_t mode; - u_int16_t flags; + __u16 mode; + __u16 flags; union { struct { - u_int32_t probability; + __u32 probability; } random; struct { - u_int32_t every; - u_int32_t packet; - /* Used internally by the kernel */ - u_int32_t count; + __u32 every; + __u32 packet; + __u32 count; /* unused */ } nth; } u; - struct xt_statistic_info *master __attribute__((aligned(8))); + struct xt_statistic_priv *master __attribute__((aligned(8))); }; #endif /* _XT_STATISTIC_H */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_string.h iptables-1.4.3/include/linux/netfilter/xt_string.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_string.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_string.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,6 +1,8 @@ #ifndef _XT_STRING_H #define _XT_STRING_H +#include + #define XT_STRING_MAX_PATTERN_SIZE 128 #define XT_STRING_MAX_ALGO_NAME_SIZE 16 @@ -9,20 +11,19 @@ XT_STRING_FLAG_IGNORECASE = 0x02 }; -struct xt_string_info -{ - u_int16_t from_offset; - u_int16_t to_offset; +struct xt_string_info { + __u16 from_offset; + __u16 to_offset; char algo[XT_STRING_MAX_ALGO_NAME_SIZE]; char pattern[XT_STRING_MAX_PATTERN_SIZE]; - u_int8_t patlen; + __u8 patlen; union { struct { - u_int8_t invert; + __u8 invert; } v0; struct { - u_int8_t flags; + __u8 flags; } v1; } u; diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_tcpmss.h iptables-1.4.3/include/linux/netfilter/xt_tcpmss.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_tcpmss.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_tcpmss.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,9 +1,11 @@ #ifndef _XT_TCPMSS_MATCH_H #define _XT_TCPMSS_MATCH_H +#include + struct xt_tcpmss_match_info { - u_int16_t mss_min, mss_max; - u_int8_t invert; + __u16 mss_min, mss_max; + __u8 invert; }; #endif /*_XT_TCPMSS_MATCH_H*/ diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_TCPMSS.h iptables-1.4.3/include/linux/netfilter/xt_TCPMSS.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_TCPMSS.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_TCPMSS.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,8 +1,10 @@ #ifndef _XT_TCPMSS_H #define _XT_TCPMSS_H +#include + struct xt_tcpmss_info { - u_int16_t mss; + __u16 mss; }; #define XT_TCPMSS_CLAMP_PMTU 0xffff diff -Nru iptables-1.4.3.orig/include/linux/netfilter/xt_tcpudp.h iptables-1.4.3/include/linux/netfilter/xt_tcpudp.h --- iptables-1.4.3.orig/include/linux/netfilter/xt_tcpudp.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter/xt_tcpudp.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,15 +1,16 @@ #ifndef _XT_TCPUDP_H #define _XT_TCPUDP_H +#include + /* TCP matching stuff */ -struct xt_tcp -{ - u_int16_t spts[2]; /* Source port range. */ - u_int16_t dpts[2]; /* Destination port range. */ - u_int8_t option; /* TCP Option iff non-zero*/ - u_int8_t flg_mask; /* TCP flags mask byte */ - u_int8_t flg_cmp; /* TCP flags compare byte */ - u_int8_t invflags; /* Inverse flags */ +struct xt_tcp { + __u16 spts[2]; /* Source port range. */ + __u16 dpts[2]; /* Destination port range. */ + __u8 option; /* TCP Option iff non-zero*/ + __u8 flg_mask; /* TCP flags mask byte */ + __u8 flg_cmp; /* TCP flags compare byte */ + __u8 invflags; /* Inverse flags */ }; /* Values for "inv" field in struct ipt_tcp. */ @@ -20,11 +21,10 @@ #define XT_TCP_INV_MASK 0x0F /* All possible flags. */ /* UDP matching stuff */ -struct xt_udp -{ - u_int16_t spts[2]; /* Source port range. */ - u_int16_t dpts[2]; /* Destination port range. */ - u_int8_t invflags; /* Inverse flags */ +struct xt_udp { + __u16 spts[2]; /* Source port range. */ + __u16 dpts[2]; /* Destination port range. */ + __u8 invflags; /* Inverse flags */ }; /* Values for "invflags" field in struct ipt_udp. */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter.h iptables-1.4.3/include/linux/netfilter.h --- iptables-1.4.3.orig/include/linux/netfilter.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter.h 2012-11-16 13:46:21.708449466 +0100 @@ -1,6 +1,8 @@ #ifndef __LINUX_NETFILTER_H #define __LINUX_NETFILTER_H +#include + /* Responses from hook functions. */ #define NF_DROP 0 diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv4/ip_tables.h iptables-1.4.3/include/linux/netfilter_ipv4/ip_tables.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv4/ip_tables.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv4/ip_tables.h 2012-11-16 13:46:21.712449466 +0100 @@ -70,8 +70,7 @@ /* This structure defines each of the firewall rules. Consists of 3 parts which are 1) general IP header stuff 2) match specific stuff 3) the target to perform if the rule matches */ -struct ipt_entry -{ +struct ipt_entry { struct ipt_ip ip; /* Mark with fields that we care about. */ @@ -129,8 +128,7 @@ #define IPT_UDP_INV_MASK XT_UDP_INV_MASK /* ICMP matching stuff */ -struct ipt_icmp -{ +struct ipt_icmp { u_int8_t type; /* type to match */ u_int8_t code[2]; /* range of code */ u_int8_t invflags; /* Inverse flags */ @@ -140,8 +138,7 @@ #define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */ /* The argument to IPT_SO_GET_INFO */ -struct ipt_getinfo -{ +struct ipt_getinfo { /* Which table: caller fills this in. */ char name[IPT_TABLE_MAXNAMELEN]; @@ -163,8 +160,7 @@ }; /* The argument to IPT_SO_SET_REPLACE. */ -struct ipt_replace -{ +struct ipt_replace { /* Which table. */ char name[IPT_TABLE_MAXNAMELEN]; @@ -198,8 +194,7 @@ #define ipt_counters_info xt_counters_info /* The argument to IPT_SO_GET_ENTRIES. */ -struct ipt_get_entries -{ +struct ipt_get_entries { /* Which table: user fills this in. */ char name[IPT_TABLE_MAXNAMELEN]; diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv4/ipt_ah.h iptables-1.4.3/include/linux/netfilter_ipv4/ipt_ah.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv4/ipt_ah.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv4/ipt_ah.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,8 +1,7 @@ #ifndef _IPT_AH_H #define _IPT_AH_H -struct ipt_ah -{ +struct ipt_ah { u_int32_t spis[2]; /* Security Parameter Index */ u_int8_t invflags; /* Inverse flags */ }; diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv4/ipt_ecn.h iptables-1.4.3/include/linux/netfilter_ipv4/ipt_ecn.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv4/ipt_ecn.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv4/ipt_ecn.h 2012-11-16 13:46:21.712449466 +0100 @@ -8,9 +8,9 @@ */ #ifndef _IPT_ECN_H #define _IPT_ECN_H -#include +#include -#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK) +#define IPT_ECN_IP_MASK (~XT_DSCP_MASK) #define IPT_ECN_OP_MATCH_IP 0x01 #define IPT_ECN_OP_MATCH_ECE 0x10 diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv4/ipt_ECN.h iptables-1.4.3/include/linux/netfilter_ipv4/ipt_ECN.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv4/ipt_ECN.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv4/ipt_ECN.h 2012-11-16 13:46:21.712449466 +0100 @@ -8,9 +8,9 @@ */ #ifndef _IPT_ECN_TARGET_H #define _IPT_ECN_TARGET_H -#include +#include -#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK) +#define IPT_ECN_IP_MASK (~XT_DSCP_MASK) #define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */ #define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv4/ipt_SAME.h iptables-1.4.3/include/linux/netfilter_ipv4/ipt_SAME.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv4/ipt_SAME.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv4/ipt_SAME.h 2012-11-16 13:46:21.712449466 +0100 @@ -5,8 +5,7 @@ #define IPT_SAME_NODST 0x01 -struct ipt_same_info -{ +struct ipt_same_info { unsigned char info; u_int32_t rangesize; u_int32_t ipnum; diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv4.h iptables-1.4.3/include/linux/netfilter_ipv4.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv4.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv4.h 2012-11-16 13:46:21.712449466 +0100 @@ -58,6 +58,7 @@ NF_IP_PRI_MANGLE = -150, NF_IP_PRI_NAT_DST = -100, NF_IP_PRI_FILTER = 0, + NF_IP_PRI_SECURITY = 50, NF_IP_PRI_NAT_SRC = 100, NF_IP_PRI_SELINUX_LAST = 225, NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6_tables.h iptables-1.4.3/include/linux/netfilter_ipv6/ip6_tables.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6_tables.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv6/ip6_tables.h 2012-11-16 13:46:21.712449466 +0100 @@ -82,8 +82,7 @@ /* This structure defines each of the firewall rules. Consists of 3 parts which are 1) general IP header stuff 2) match specific stuff 3) the target to perform if the rule matches */ -struct ip6t_entry -{ +struct ip6t_entry { struct ip6t_ip6 ipv6; /* Mark with fields that we care about. */ @@ -105,20 +104,17 @@ }; /* Standard entry */ -struct ip6t_standard -{ +struct ip6t_standard { struct ip6t_entry entry; struct ip6t_standard_target target; }; -struct ip6t_error_target -{ +struct ip6t_error_target { struct ip6t_entry_target target; char errorname[IP6T_FUNCTION_MAXNAMELEN]; }; -struct ip6t_error -{ +struct ip6t_error { struct ip6t_entry entry; struct ip6t_error_target target; }; @@ -189,8 +185,7 @@ #define IP6T_UDP_INV_MASK XT_UDP_INV_MASK /* ICMP matching stuff */ -struct ip6t_icmp -{ +struct ip6t_icmp { u_int8_t type; /* type to match */ u_int8_t code[2]; /* range of code */ u_int8_t invflags; /* Inverse flags */ @@ -200,8 +195,7 @@ #define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ /* The argument to IP6T_SO_GET_INFO */ -struct ip6t_getinfo -{ +struct ip6t_getinfo { /* Which table: caller fills this in. */ char name[IP6T_TABLE_MAXNAMELEN]; @@ -223,8 +217,7 @@ }; /* The argument to IP6T_SO_SET_REPLACE. */ -struct ip6t_replace -{ +struct ip6t_replace { /* Which table. */ char name[IP6T_TABLE_MAXNAMELEN]; @@ -258,8 +251,7 @@ #define ip6t_counters_info xt_counters_info /* The argument to IP6T_SO_GET_ENTRIES. */ -struct ip6t_get_entries -{ +struct ip6t_get_entries { /* Which table: user fills this in. */ char name[IP6T_TABLE_MAXNAMELEN]; diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_ah.h iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_ah.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_ah.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_ah.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,8 +1,7 @@ #ifndef _IP6T_AH_H #define _IP6T_AH_H -struct ip6t_ah -{ +struct ip6t_ah { u_int32_t spis[2]; /* Security Parameter Index */ u_int32_t hdrlen; /* Header Length */ u_int8_t hdrres; /* Test of the Reserved Filed */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_frag.h iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_frag.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_frag.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_frag.h 2012-11-16 13:46:21.712449466 +0100 @@ -1,8 +1,7 @@ #ifndef _IP6T_FRAG_H #define _IP6T_FRAG_H -struct ip6t_frag -{ +struct ip6t_frag { u_int32_t ids[2]; /* Security Parameter Index */ u_int32_t hdrlen; /* Header Length */ u_int8_t flags; /* */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_ipv6header.h iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_ipv6header.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_ipv6header.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_ipv6header.h 2012-11-16 13:46:21.824449471 +0100 @@ -8,8 +8,7 @@ #ifndef __IPV6HEADER_H #define __IPV6HEADER_H -struct ip6t_ipv6header_info -{ +struct ip6t_ipv6header_info { u_int8_t matchflags; u_int8_t invflags; u_int8_t modeflag; diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_mh.h iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_mh.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_mh.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_mh.h 2012-11-16 13:46:21.824449471 +0100 @@ -2,8 +2,7 @@ #define _IP6T_MH_H /* MH matching stuff */ -struct ip6t_mh -{ +struct ip6t_mh { u_int8_t types[2]; /* MH type range */ u_int8_t invflags; /* Inverse flags */ }; diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_opts.h iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_opts.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_opts.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_opts.h 2012-11-16 13:46:21.824449471 +0100 @@ -3,8 +3,7 @@ #define IP6T_OPTS_OPTSNR 16 -struct ip6t_opts -{ +struct ip6t_opts { u_int32_t hdrlen; /* Header Length */ u_int8_t flags; /* */ u_int8_t invflags; /* Inverse flags */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_rt.h iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_rt.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv6/ip6t_rt.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv6/ip6t_rt.h 2012-11-16 13:46:21.824449471 +0100 @@ -5,8 +5,7 @@ #define IP6T_RT_HOPS 16 -struct ip6t_rt -{ +struct ip6t_rt { u_int32_t rt_type; /* Routing Type */ u_int32_t segsleft[2]; /* Segments Left */ u_int32_t hdrlen; /* Header Length */ diff -Nru iptables-1.4.3.orig/include/linux/netfilter_ipv6.h iptables-1.4.3/include/linux/netfilter_ipv6.h --- iptables-1.4.3.orig/include/linux/netfilter_ipv6.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/netfilter_ipv6.h 2012-11-16 13:46:21.712449466 +0100 @@ -62,21 +62,11 @@ NF_IP6_PRI_MANGLE = -150, NF_IP6_PRI_NAT_DST = -100, NF_IP6_PRI_FILTER = 0, + NF_IP6_PRI_SECURITY = 50, NF_IP6_PRI_NAT_SRC = 100, NF_IP6_PRI_SELINUX_LAST = 225, NF_IP6_PRI_LAST = INT_MAX, }; -#ifdef CONFIG_NETFILTER -extern int ip6_route_me_harder(struct sk_buff *skb); -extern __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook, - unsigned int dataoff, u_int8_t protocol); - -extern int ipv6_netfilter_init(void); -extern void ipv6_netfilter_fini(void); -#else /* CONFIG_NETFILTER */ -static __inline__ int ipv6_netfilter_init(void) { return 0; } -static __inline__ void ipv6_netfilter_fini(void) { return; } -#endif /* CONFIG_NETFILTER */ #endif /*__LINUX_IP6_NETFILTER_H*/ diff -Nru iptables-1.4.3.orig/include/linux/types.h iptables-1.4.3/include/linux/types.h --- iptables-1.4.3.orig/include/linux/types.h 2012-11-16 13:46:13.660449058 +0100 +++ iptables-1.4.3/include/linux/types.h 2012-11-16 13:46:41.548450467 +0100 @@ -1,133 +1,12 @@ #ifndef _LINUX_TYPES_H #define _LINUX_TYPES_H - -#include #include -#ifndef __KERNEL_STRICT_NAMES - -typedef __u32 __kernel_dev_t; - -typedef __kernel_fd_set fd_set; -typedef __kernel_dev_t dev_t; -typedef __kernel_ino_t ino_t; -typedef __kernel_mode_t mode_t; -typedef __kernel_nlink_t nlink_t; -typedef __kernel_off_t off_t; -typedef __kernel_pid_t pid_t; -typedef __kernel_daddr_t daddr_t; -typedef __kernel_key_t key_t; -typedef __kernel_suseconds_t suseconds_t; -typedef __kernel_timer_t timer_t; -typedef __kernel_clockid_t clockid_t; -typedef __kernel_mqd_t mqd_t; - -typedef __kernel_uid_t uid_t; -typedef __kernel_gid_t gid_t; - -#if defined(__GNUC__) -typedef __kernel_loff_t loff_t; -#endif - -/* - * The following typedefs are also protected by individual ifdefs for - * historical reasons: - */ -#ifndef _SIZE_T -#define _SIZE_T -typedef __kernel_size_t size_t; -#endif - -#ifndef _SSIZE_T -#define _SSIZE_T -typedef __kernel_ssize_t ssize_t; -#endif - -#ifndef _PTRDIFF_T -#define _PTRDIFF_T -typedef __kernel_ptrdiff_t ptrdiff_t; -#endif - -#ifndef _TIME_T -#define _TIME_T -typedef __kernel_time_t time_t; -#endif +#ifndef __ASSEMBLY__ -#ifndef _CLOCK_T -#define _CLOCK_T -typedef __kernel_clock_t clock_t; -#endif - -#ifndef _CADDR_T -#define _CADDR_T -typedef __kernel_caddr_t caddr_t; -#endif - -/* bsd */ -typedef unsigned char u_char; -typedef unsigned short u_short; -typedef unsigned int u_int; -typedef unsigned long u_long; - -/* sysv */ -typedef unsigned char unchar; -typedef unsigned short ushort; -typedef unsigned int uint; -typedef unsigned long ulong; - -#ifndef __BIT_TYPES_DEFINED__ -#define __BIT_TYPES_DEFINED__ - -typedef __u8 u_int8_t; -typedef __s8 int8_t; -typedef __u16 u_int16_t; -typedef __s16 int16_t; -typedef __u32 u_int32_t; -typedef __s32 int32_t; - -#endif /* !(__BIT_TYPES_DEFINED__) */ - -typedef __u8 uint8_t; -typedef __u16 uint16_t; -typedef __u32 uint32_t; - -#if defined(__GNUC__) -typedef __u64 uint64_t; -typedef __u64 u_int64_t; -typedef __s64 int64_t; -#endif - -/* this is a special 64bit data type that is 8-byte aligned */ -#define aligned_u64 __u64 __attribute__((aligned(8))) -#define aligned_be64 __be64 __attribute__((aligned(8))) -#define aligned_le64 __le64 __attribute__((aligned(8))) - -/** - * The type used for indexing onto a disc or disc partition. - * - * Linux always considers sectors to be 512 bytes long independently - * of the devices real block size. - * - * blkcnt_t is the type of the inode's block count. - */ -#ifdef CONFIG_LBD -typedef u64 sector_t; -typedef u64 blkcnt_t; -#else -typedef unsigned long sector_t; -typedef unsigned long blkcnt_t; -#endif - -/* - * The type of an index into the pagecache. Use a #define so asm/types.h - * can override it. - */ -#ifndef pgoff_t -#define pgoff_t unsigned long -#endif +#include -#endif /* __KERNEL_STRICT_NAMES */ /* * Below are truly Linux-specific types that should never collide with @@ -155,5 +34,18 @@ typedef __u16 __bitwise __sum16; typedef __u32 __bitwise __wsum; +/* + * aligned_u64 should be used in defining kernel<->userspace ABIs to avoid + * common 32/64-bit compat problems. + * 64-bit values align to 4-byte boundaries on x86_32 (and possibly other + * architectures) and to 8-byte boundaries on 64-bit architectures. The new + * aligned_64 type enforces 8-byte alignment so that structs containing + * aligned_64 values have the same alignment on 32-bit and 64-bit architectures. + * No conversions are necessary between 32-bit user-space and a 64-bit kernel. + */ +#define __aligned_u64 __u64 __attribute__((aligned(8))) +#define __aligned_be64 __be64 __attribute__((aligned(8))) +#define __aligned_le64 __le64 __attribute__((aligned(8))) +#endif /* __ASSEMBLY__ */ #endif /* _LINUX_TYPES_H */