[netfilter-cvslog] r6801 - in trunk/iptables: extensions include/linux include/linux/netfilter include/linux/netfilter_ipv4

kaber at trash.net kaber at trash.net
Wed Apr 18 09:00:36 CEST 2007


Author: kaber at trash.net
Date: 2007-04-18 09:00:36 +0200 (Wed, 18 Apr 2007)
New Revision: 6801

Added:
   trunk/iptables/include/linux/netfilter/
   trunk/iptables/include/linux/netfilter/nf_conntrack_common.h
   trunk/iptables/include/linux/netfilter/nf_conntrack_tuple.h
   trunk/iptables/include/linux/netfilter/nf_conntrack_tuple_common.h
   trunk/iptables/include/linux/netfilter/nf_nat.h
Modified:
   trunk/iptables/extensions/libip6t_state.c
   trunk/iptables/extensions/libipt_DNAT.c
   trunk/iptables/extensions/libipt_MASQUERADE.c
   trunk/iptables/extensions/libipt_NETMAP.c
   trunk/iptables/extensions/libipt_REDIRECT.c
   trunk/iptables/extensions/libipt_SAME.c
   trunk/iptables/extensions/libipt_SNAT.c
   trunk/iptables/extensions/libipt_connbytes.c
   trunk/iptables/extensions/libipt_connrate.c
   trunk/iptables/extensions/libipt_conntrack.c
   trunk/iptables/extensions/libipt_state.c
   trunk/iptables/include/linux/netfilter_ipv4/ipt_conntrack.h
Log:
Use nf_conntrack headers instead of ip_conntrack ones and add sanitized versions.


Modified: trunk/iptables/extensions/libip6t_state.c
===================================================================
--- trunk/iptables/extensions/libip6t_state.c	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/extensions/libip6t_state.c	2007-04-18 07:00:36 UTC (rev 6801)
@@ -5,7 +5,7 @@
 #include <stdlib.h>
 #include <getopt.h>
 #include <ip6tables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter_ipv4/ipt_state.h>
 
 #ifndef IPT_STATE_UNTRACKED

Modified: trunk/iptables/extensions/libipt_DNAT.c
===================================================================
--- trunk/iptables/extensions/libipt_DNAT.c	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/extensions/libipt_DNAT.c	2007-04-18 07:00:36 UTC (rev 6801)
@@ -6,7 +6,7 @@
 #include <getopt.h>
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
 
 /* Dest NAT data consists of a multi-range, indicating where to map
    to. */

Modified: trunk/iptables/extensions/libipt_MASQUERADE.c
===================================================================
--- trunk/iptables/extensions/libipt_MASQUERADE.c	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/extensions/libipt_MASQUERADE.c	2007-04-18 07:00:36 UTC (rev 6801)
@@ -6,7 +6,7 @@
 #include <getopt.h>
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
 
 /* Function which prints out usage message. */
 static void

Modified: trunk/iptables/extensions/libipt_NETMAP.c
===================================================================
--- trunk/iptables/extensions/libipt_NETMAP.c	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/extensions/libipt_NETMAP.c	2007-04-18 07:00:36 UTC (rev 6801)
@@ -9,7 +9,7 @@
 #include <getopt.h>
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
 
 #define MODULENAME "NETMAP"
 

Modified: trunk/iptables/extensions/libipt_REDIRECT.c
===================================================================
--- trunk/iptables/extensions/libipt_REDIRECT.c	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/extensions/libipt_REDIRECT.c	2007-04-18 07:00:36 UTC (rev 6801)
@@ -6,7 +6,7 @@
 #include <getopt.h>
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
 
 /* Function which prints out usage message. */
 static void

Modified: trunk/iptables/extensions/libipt_SAME.c
===================================================================
--- trunk/iptables/extensions/libipt_SAME.c	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/extensions/libipt_SAME.c	2007-04-18 07:00:36 UTC (rev 6801)
@@ -6,7 +6,7 @@
 #include <getopt.h>
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
 /* For 64bit kernel / 32bit userspace */
 #include "../include/linux/netfilter_ipv4/ipt_SAME.h"
 

Modified: trunk/iptables/extensions/libipt_SNAT.c
===================================================================
--- trunk/iptables/extensions/libipt_SNAT.c	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/extensions/libipt_SNAT.c	2007-04-18 07:00:36 UTC (rev 6801)
@@ -6,7 +6,7 @@
 #include <getopt.h>
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter/nf_nat.h>
 
 #define IPT_SNAT_OPT_SOURCE 0x01
 #ifdef IP_NAT_RANGE_PROTO_RANDOM
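Review bot: The `#ifdef IP_NAT_RANGE_PROTO_RANDOM` on the last line of the hunk becomes unconditionally true with this change, because the newly included nf_nat.h added by the same commit defines `IP_NAT_RANGE_PROTO_RANDOM` itself, whereas with the kernel-supplied ip_nat_rule.h the guard presumably tracked whether the installed kernel headers knew the flag at all. The code under the guard is therefore always compiled in, and whether the running kernel accepts that range flag is decided only when the rule is loaded. If that is intended, the `#ifdef` is dead and can be dropped; otherwise a comment such as `/* always defined by nf_nat.h; kernel rejects the flag at rule-load time if unsupported */` should record the new behaviour. The guarded block continues past the end of the hunk.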

Modified: trunk/iptables/extensions/libipt_connbytes.c
===================================================================
--- trunk/iptables/extensions/libipt_connbytes.c	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/extensions/libipt_connbytes.c	2007-04-18 07:00:36 UTC (rev 6801)
@@ -5,7 +5,7 @@
 #include <stdlib.h>
 #include <getopt.h>
 #include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter_ipv4/ipt_connbytes.h>
 
 /* Function which prints out usage message. */

Modified: trunk/iptables/extensions/libipt_connrate.c
===================================================================
--- trunk/iptables/extensions/libipt_connrate.c	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/extensions/libipt_connrate.c	2007-04-18 07:00:36 UTC (rev 6801)
@@ -13,7 +13,7 @@
 #include <stdlib.h>
 #include <getopt.h>
 #include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter_ipv4/ipt_connrate.h>
 
 /* Function which prints out usage message. */

Modified: trunk/iptables/extensions/libipt_conntrack.c
===================================================================
--- trunk/iptables/extensions/libipt_conntrack.c	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/extensions/libipt_conntrack.c	2007-04-18 07:00:36 UTC (rev 6801)
@@ -9,7 +9,7 @@
 #include <getopt.h>
 #include <ctype.h>
 #include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
 /* For 64bit kernel / 32bit userspace */
 #include "../include/linux/netfilter_ipv4/ipt_conntrack.h"
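Review bot: The hunk swaps ip_conntrack.h for nf_conntrack_common.h but leaves `#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>` on the following line, so this file now mixes the sanitized headers with the old kernel tuple header even though the commit ships nf_conntrack_tuple.h and nf_conntrack_tuple_common.h as its replacement. If the ip_conntrack_tuple.h on the build host also defines `enum ip_conntrack_dir` or `CTINFO2DIR`, having both visible in one translation unit would be a redefinition; worth checking, or switching to `#include <linux/netfilter/nf_conntrack_tuple.h>` so the extension depends only on headers the commit controls.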

Modified: trunk/iptables/extensions/libipt_state.c
===================================================================
--- trunk/iptables/extensions/libipt_state.c	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/extensions/libipt_state.c	2007-04-18 07:00:36 UTC (rev 6801)
@@ -5,7 +5,7 @@
 #include <stdlib.h>
 #include <getopt.h>
 #include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter_ipv4/ipt_state.h>
 
 #ifndef IPT_STATE_UNTRACKED

Added: trunk/iptables/include/linux/netfilter/nf_conntrack_common.h
===================================================================
--- trunk/iptables/include/linux/netfilter/nf_conntrack_common.h	                        (rev 0)
+++ trunk/iptables/include/linux/netfilter/nf_conntrack_common.h	2007-04-18 07:00:36 UTC (rev 6801)
@@ -0,0 +1,135 @@
+#ifndef _NF_CONNTRACK_COMMON_H
+#define _NF_CONNTRACK_COMMON_H
+/* Connection state tracking for netfilter.  This is separated from,
+   but required by, the NAT layer; it can also be used by an iptables
+   extension. */
+enum ip_conntrack_info
+{
+	/* Part of an established connection (either direction). */
+	IP_CT_ESTABLISHED,
+
+	/* Like NEW, but related to an existing connection, or ICMP error
+	   (in either direction). */
+	IP_CT_RELATED,
+
+	/* Started a new connection to track (only
+           IP_CT_DIR_ORIGINAL); may be a retransmission. */
+	IP_CT_NEW,
+
+	/* >= this indicates reply direction */
+	IP_CT_IS_REPLY,
+
+	/* Number of distinct IP_CT types (no NEW in reply dirn). */
+	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+
+/* Bitset representing status of connection. */
+enum ip_conntrack_status {
+	/* It's an expected connection: bit 0 set.  This bit never changed */
+	IPS_EXPECTED_BIT = 0,
+	IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+
+	/* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
+	IPS_SEEN_REPLY_BIT = 1,
+	IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+
+	/* Conntrack should never be early-expired. */
+	IPS_ASSURED_BIT = 2,
+	IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+
+	/* Connection is confirmed: originating packet has left box */
+	IPS_CONFIRMED_BIT = 3,
+	IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+
+	/* Connection needs src nat in orig dir.  This bit never changed. */
+	IPS_SRC_NAT_BIT = 4,
+	IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+
+	/* Connection needs dst nat in orig dir.  This bit never changed. */
+	IPS_DST_NAT_BIT = 5,
+	IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+
+	/* Both together. */
+	IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+
+	/* Connection needs TCP sequence adjusted. */
+	IPS_SEQ_ADJUST_BIT = 6,
+	IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+
+	/* NAT initialization bits. */
+	IPS_SRC_NAT_DONE_BIT = 7,
+	IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+
+	IPS_DST_NAT_DONE_BIT = 8,
+	IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+
+	/* Both together */
+	IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+
+	/* Connection is dying (removed from lists), can not be unset. */
+	IPS_DYING_BIT = 9,
+	IPS_DYING = (1 << IPS_DYING_BIT),
+
+	/* Connection has fixed timeout. */
+	IPS_FIXED_TIMEOUT_BIT = 10,
+	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+};
+
+/* Connection tracking event bits */
+enum ip_conntrack_events
+{
+	/* New conntrack */
+	IPCT_NEW_BIT = 0,
+	IPCT_NEW = (1 << IPCT_NEW_BIT),
+
+	/* Expected connection */
+	IPCT_RELATED_BIT = 1,
+	IPCT_RELATED = (1 << IPCT_RELATED_BIT),
+
+	/* Destroyed conntrack */
+	IPCT_DESTROY_BIT = 2,
+	IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
+
+	/* Timer has been refreshed */
+	IPCT_REFRESH_BIT = 3,
+	IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
+
+	/* Status has changed */
+	IPCT_STATUS_BIT = 4,
+	IPCT_STATUS = (1 << IPCT_STATUS_BIT),
+
+	/* Update of protocol info */
+	IPCT_PROTOINFO_BIT = 5,
+	IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
+
+	/* Volatile protocol info */
+	IPCT_PROTOINFO_VOLATILE_BIT = 6,
+	IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
+
+	/* New helper for conntrack */
+	IPCT_HELPER_BIT = 7,
+	IPCT_HELPER = (1 << IPCT_HELPER_BIT),
+
+	/* Update of helper info */
+	IPCT_HELPINFO_BIT = 8,
+	IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
+
+	/* Volatile helper info */
+	IPCT_HELPINFO_VOLATILE_BIT = 9,
+	IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
+
+	/* NAT info */
+	IPCT_NATINFO_BIT = 10,
+	IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
+
+	/* Counter highest bit has been set */
+	IPCT_COUNTER_FILLING_BIT = 11,
+	IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
+};
+
+enum ip_conntrack_expect_events {
+	IPEXP_NEW_BIT = 0,
+	IPEXP_NEW = (1 << IPEXP_NEW_BIT),
+};
+
+#endif /* _NF_CONNTRACK_COMMON_H */
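Review bot: The new header records nothing about which kernel release it was sanitized from, although the enumerators it defines (IP_CT_*, IPS_*, IPCT_*, IPEXP_*) are the values that ipt_state and ipt_conntrack rule blobs carry into the kernel, so any divergence between this copy and the running kernel changes what a rule matches. A header comment such as `/* Sanitized copy of the kernel's include/linux/netfilter/nf_conntrack_common.h; enum values are kernel ABI and must not be renumbered. */` plus the kernel version it was taken from would let the next maintainer re-sync it safely.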

Added: trunk/iptables/include/linux/netfilter/nf_conntrack_tuple.h
===================================================================
--- trunk/iptables/include/linux/netfilter/nf_conntrack_tuple.h	                        (rev 0)
+++ trunk/iptables/include/linux/netfilter/nf_conntrack_tuple.h	2007-04-18 07:00:36 UTC (rev 6801)
@@ -0,0 +1,103 @@
+/*
+ * Definitions and Declarations for tuple.
+ *
+ * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai at toshiba.co.jp>
+ *	- generalize L3 protocol dependent part.
+ *
+ * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h
+ */
+
+#ifndef _NF_CONNTRACK_TUPLE_H
+#define _NF_CONNTRACK_TUPLE_H
+
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+/* A `tuple' is a structure containing the information to uniquely
+  identify a connection.  ie. if two packets have the same tuple, they
+  are in the same connection; if not, they are not.
+
+  We divide the structure along "manipulatable" and
+  "non-manipulatable" lines, for the benefit of the NAT code.
+*/
+
+#define NF_CT_TUPLE_L3SIZE	4
+
+/* The l3 protocol-specific manipulable parts of the tuple: always in
+   network order! */
+union nf_conntrack_address {
+	u_int32_t all[NF_CT_TUPLE_L3SIZE];
+	__be32 ip;
+	__be32 ip6[4];
+};
+
+/* The protocol-specific manipulable parts of the tuple: always in
+   network order! */
+union nf_conntrack_man_proto
+{
+	/* Add other protocols here. */
+	u_int16_t all;
+
+	struct {
+		__be16 port;
+	} tcp;
+	struct {
+		__be16 port;
+	} udp;
+	struct {
+		__be16 id;
+	} icmp;
+	struct {
+		__be16 port;
+	} sctp;
+	struct {
+		__be16 key;	/* GRE key is 32bit, PPtP only uses 16bit */
+	} gre;
+};
+
+/* The manipulable part of the tuple. */
+struct nf_conntrack_man
+{
+	union nf_conntrack_address u3;
+	union nf_conntrack_man_proto u;
+	/* Layer 3 protocol */
+	u_int16_t l3num;
+};
+
+/* This contains the information to distinguish a connection. */
+struct nf_conntrack_tuple
+{
+	struct nf_conntrack_man src;
+
+	/* These are the parts of the tuple which are fixed. */
+	struct {
+		union nf_conntrack_address u3;
+		union {
+			/* Add other protocols here. */
+			u_int16_t all;
+
+			struct {
+				__be16 port;
+			} tcp;
+			struct {
+				__be16 port;
+			} udp;
+			struct {
+				u_int8_t type, code;
+			} icmp;
+			struct {
+				__be16 port;
+			} sctp;
+			struct {
+				__be16 key;
+			} gre;
+		} u;
+
+		/* The protocol. */
+		u_int8_t protonum;
+
+		/* The direction (for tuplehash) */
+		u_int8_t dir;
+	} dst;
+};
+
+#endif /* _NF_CONNTRACK_TUPLE_H */
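Review bot: The header uses `u_int32_t`, `u_int16_t`, `u_int8_t`, `__be32` and `__be16` but includes only nf_conntrack_tuple_common.h, which defines none of them, so it is not self-contained and compiles only if the including .c file has already pulled in `<sys/types.h>` and a `<linux/types.h>` that exposes the `__be*` typedefs to userspace. Either add those includes here or state the requirement at the top, e.g. `/* Requires <sys/types.h> and <linux/types.h> to be included first. */`. Whether the build host's linux/types.h exports `__be32` outside `__KERNEL__` depends on the kernel headers installed, so this is worth confirming against the oldest headers the tree supports.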

Added: trunk/iptables/include/linux/netfilter/nf_conntrack_tuple_common.h
===================================================================
--- trunk/iptables/include/linux/netfilter/nf_conntrack_tuple_common.h	                        (rev 0)
+++ trunk/iptables/include/linux/netfilter/nf_conntrack_tuple_common.h	2007-04-18 07:00:36 UTC (rev 6801)
@@ -0,0 +1,13 @@
+#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
+#define _NF_CONNTRACK_TUPLE_COMMON_H
+
+enum ip_conntrack_dir
+{
+	IP_CT_DIR_ORIGINAL,
+	IP_CT_DIR_REPLY,
+	IP_CT_DIR_MAX
+};
+
+#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
+
+#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
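Review bot: `CTINFO2DIR` expands to a comparison with `IP_CT_IS_REPLY`, which this header neither defines nor includes (it comes from nf_conntrack_common.h, added in the same commit), so any user of the macro has to include both headers and in the right order. A one-line comment above the macro, `/* Requires enum ip_conntrack_info from nf_conntrack_common.h. */`, or an include of that header here, would make the dependency explicit instead of surfacing as an undeclared identifier at the use site.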

Added: trunk/iptables/include/linux/netfilter/nf_nat.h
===================================================================
--- trunk/iptables/include/linux/netfilter/nf_nat.h	                        (rev 0)
+++ trunk/iptables/include/linux/netfilter/nf_nat.h	2007-04-18 07:00:36 UTC (rev 6801)
@@ -0,0 +1,45 @@
+#ifndef _NF_NAT_H
+#define _NF_NAT_H
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/nf_conntrack_tuple.h>
+
+#define NF_NAT_MAPPING_TYPE_MAX_NAMELEN 16
+
+enum nf_nat_manip_type
+{
+	IP_NAT_MANIP_SRC,
+	IP_NAT_MANIP_DST
+};
+
+/* SRC manip occurs POST_ROUTING or LOCAL_IN */
+#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN)
+
+#define IP_NAT_RANGE_MAP_IPS 1
+#define IP_NAT_RANGE_PROTO_SPECIFIED 2
+#define IP_NAT_RANGE_PROTO_RANDOM 4
+
+/* Single range specification. */
+struct nf_nat_range
+{
+	/* Set to OR of flags above. */
+	unsigned int flags;
+
+	/* Inclusive: network order. */
+	__be32 min_ip, max_ip;
+
+	/* Inclusive: network order */
+	union nf_conntrack_man_proto min, max;
+};
+
+/* For backwards compat: don't use in modern code. */
+struct nf_nat_multi_range_compat
+{
+	unsigned int rangesize; /* Must be 1. */
+
+	/* hangs off end. */
+	struct nf_nat_range range[1];
+};
+
+#define ip_nat_range nf_nat_range
+#define ip_nat_multi_range nf_nat_multi_range_compat
+#endif
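Review bot: `HOOK2MANIP` yields the plain truth value of the two `!=` comparisons and is only a valid `enum nf_nat_manip_type` because `IP_NAT_MANIP_SRC` happens to be 0 and `IP_NAT_MANIP_DST` 1; nothing in the header ties the macro to the enum, so reordering the enumerators would silently flip the result. Since this is a sanitized kernel copy the expression should probably stay as is, but a comment on the enum, `/* Order matters: HOOK2MANIP() relies on SRC == 0 and DST == 1. */`, would guard against that. The closing `#endif` also lacks the `/* _NF_NAT_H */` tag the sibling headers carry, and because `struct nf_nat_range` and the compat multi-range are the layout the kernel parses out of target rules, a note of the kernel release they were taken from would help keep them in sync.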

Modified: trunk/iptables/include/linux/netfilter_ipv4/ipt_conntrack.h
===================================================================
--- trunk/iptables/include/linux/netfilter_ipv4/ipt_conntrack.h	2007-04-18 06:29:14 UTC (rev 6800)
+++ trunk/iptables/include/linux/netfilter_ipv4/ipt_conntrack.h	2007-04-18 07:00:36 UTC (rev 6801)
@@ -5,7 +5,7 @@
 #ifndef _IPT_CONNTRACK_H
 #define _IPT_CONNTRACK_H
 
-#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 
 /* backwards compatibility crap. only exists in userspace - HW */
 #include <linux/version.h>



