2007-01-14 19:29:41

by David Madore

Subject: [patch] netfilter: implement TCPMSS target for IPv6

Implement TCPMSS target for IPv6 by shamelessly copying from
Marc Boucher's IPv4 implementation.

Signed-off-by: David A. Madore <[email protected]>

---

Note: The patch for ip6tables to make use of this module can be
obtained from <URL:
ftp://quatramaran.ens.fr/pub/madore/misc/ip6t-TCPMSS/
> (also contains a version of this same patch for 2.6.19.2).

include/linux/netfilter_ipv6/ip6t_TCPMSS.h | 10 ++
net/ipv6/netfilter/Kconfig | 26 ++++
net/ipv6/netfilter/Makefile | 1 +
net/ipv6/netfilter/ip6t_TCPMSS.c | 225 ++++++++++++++++++++++++++++
4 files changed, 262 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter_ipv6/ip6t_TCPMSS.h b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
new file mode 100644
index 0000000..412d1cb
--- /dev/null
+++ b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
@@ -0,0 +1,10 @@
+#ifndef _IP6T_TCPMSS_H
+#define _IP6T_TCPMSS_H
+
+struct ip6t_tcpmss_info {
+ u_int16_t mss;
+};
+
+#define IP6T_TCPMSS_CLAMP_PMTU 0xffff
+
+#endif /*_IP6T_TCPMSS_H*/
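Review bot: The header declares `u_int16_t mss;` but includes nothing, so it only compiles when the includer has already pulled in `<linux/types.h>`. Since the cover note says a userspace ip6tables patch consumes this module, the header is presumably included from userspace too, where that dependency is less likely to be satisfied by accident; add `#include <linux/types.h>` above the struct.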
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index adcd613..3890a59 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -154,6 +154,32 @@ config IP6_NF_TARGET_REJECT

To compile it as a module, choose M here. If unsure, say N.

+config IP6_NF_TARGET_TCPMSS
+ tristate "TCPMSS target support"
+ depends on IP6_NF_IPTABLES
+ ---help---
+ This option adds a `TCPMSS' target, which allows you to alter the
+ MSS value of TCP SYN packets, to control the maximum size for that
+ connection (usually limiting it to your outgoing interface's MTU
+ minus 60).
+
+ This is used to overcome criminally braindead ISPs or servers which
+ block ICMPv6 Packet Too Big packets. The symptoms of this
+ problem are that everything works fine from your Linux
+ firewall/router, but machines behind it can never exchange large
+ packets:
+ 1) Web browsers connect, then hang with no data received.
+ 2) Small mail works fine, but large emails hang.
+ 3) ssh works fine, but scp hangs after initial handshaking.
+
+ Workaround: activate this option and add a rule to your firewall
+ configuration like:
+
+ ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
+ -j TCPMSS --clamp-mss-to-pmtu
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config IP6_NF_MANGLE
tristate "Packet mangling"
depends on IP6_NF_IPTABLES
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index ac1dfeb..616a006 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -19,6 +19,7 @@ obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
+obj-$(CONFIG_IP6_NF_TARGET_TCPMSS) += ip6t_TCPMSS.o

# objects for l3 independent conntrack
nf_conntrack_ipv6-objs := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o nf_conntrack_reasm.o
diff --git a/net/ipv6/netfilter/ip6t_TCPMSS.c b/net/ipv6/netfilter/ip6t_TCPMSS.c
new file mode 100644
index 0000000..ab492c3
--- /dev/null
+++ b/net/ipv6/netfilter/ip6t_TCPMSS.c
@@ -0,0 +1,225 @@
+/*
+ * This is a module which is used for setting the MSS option in TCP packets.
+ *
+ * Copyright (C) 2007 David Madore <[email protected]>
+ *
+ * Shamelessly based on net/ipv4/netfilter/ipt_TCPMSS.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <net/ipv6.h>
+#include <net/tcp.h>
+
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_TCPMSS.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("David Madore <[email protected]>");
+MODULE_DESCRIPTION("ip6tables TCP MSS modification module");
+
+static inline unsigned int
+optlen(const u_int8_t *opt, unsigned int offset)
+{
+ /* Beware zero-length options: make finite progress */
+ if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
+ return 1;
+ else
+ return opt[offset+1];
+}
+
+static unsigned int
+ip6t_tcpmss_target(struct sk_buff **pskb,
+ const struct net_device *in,
+ const struct net_device *out,
+ unsigned int hooknum,
+ const struct xt_target *target,
+ const void *targinfo)
+{
+ const struct ip6t_tcpmss_info *tcpmssinfo = targinfo;
+ struct tcphdr *tcph;
+ struct ipv6hdr *ipv6h;
+ u_int8_t nexthdr;
+ int tcphoff;
+ u_int16_t tcplen, newmss;
+ __be16 newiplen, oldval;
+ unsigned int i;
+ u_int8_t *opt;
+
+ if (!skb_make_writable(pskb, (*pskb)->len))
+ return NF_DROP;
+
+ ipv6h = (*pskb)->nh.ipv6h;
+ nexthdr = ipv6h->nexthdr;
+ tcphoff = ipv6_skip_exthdr(*pskb, sizeof(struct ipv6hdr), &nexthdr);
+ if ((tcphoff < 0) || (tcphoff > (*pskb)->len)) {
+ if (net_ratelimit())
+ printk(KERN_ERR
+ "ip6t_tcpmss_target: can't find TCP header\n");
+ return NF_DROP;
+ }
+ tcplen = (*pskb)->len - tcphoff;
+ if ((nexthdr != IPPROTO_TCP) || (tcplen < sizeof(struct tcphdr))) {
+ /* Can't happen (see other comment below)? */
+ if (net_ratelimit())
+ printk(KERN_ERR
+ "ip6t_tcpmss_target: bad TCP header\n");
+ return NF_DROP;
+ }
+ tcph = (void *)ipv6h + tcphoff;
+
+ /* Since it passed flags test in tcp match, we know it is is
+ not a fragment, and has data >= tcp header length. SYN
+ packets should not contain data: if they did, then we risk
+ running over MTU, sending Frag Needed and breaking things
+ badly. --RR */
+ if (tcplen != tcph->doff*4) {
+ if (net_ratelimit())
+ printk(KERN_ERR
+ "ip6t_tcpmss_target: bad length (%d bytes)\n",
+ (*pskb)->len);
+ return NF_DROP;
+ }
+
+ if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU) {
+ if (dst_mtu((*pskb)->dst) <= sizeof(struct ipv6hdr) +
+ sizeof(struct tcphdr)) {
+ if (net_ratelimit())
+ printk(KERN_ERR "ip6t_tcpmss_target: "
+ "unknown or invalid path-MTU (%d)\n",
+ dst_mtu((*pskb)->dst));
+ return NF_DROP; /* or IP6T_CONTINUE ?? */
+ }
+
+ newmss = dst_mtu((*pskb)->dst) - sizeof(struct ipv6hdr) -
+ sizeof(struct tcphdr);
+ } else
+ newmss = tcpmssinfo->mss;
+
+ opt = (u_int8_t *)tcph;
+ for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
+ if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
+ opt[i+1] == TCPOLEN_MSS) {
+ u_int16_t oldmss;
+
+ oldmss = (opt[i+2] << 8) | opt[i+3];
+
+ if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU &&
+ oldmss <= newmss)
+ return IP6T_CONTINUE;
+
+ opt[i+2] = (newmss & 0xff00) >> 8;
+ opt[i+3] = (newmss & 0x00ff);
+
+ nf_proto_csum_replace2(&tcph->check, *pskb,
+ htons(oldmss), htons(newmss), 0);
+ return IP6T_CONTINUE;
+ }
+ }
+
+ /*
+ * MSS Option not found ?! add it..
+ */
+ if (skb_tailroom((*pskb)) < TCPOLEN_MSS) {
+ struct sk_buff *newskb;
+
+ newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
+ TCPOLEN_MSS, GFP_ATOMIC);
+ if (!newskb)
+ return NF_DROP;
+ kfree_skb(*pskb);
+ *pskb = newskb;
+ ipv6h = (*pskb)->nh.ipv6h;
+ tcph = (void *)ipv6h + tcphoff;
+ }
+
+ skb_put((*pskb), TCPOLEN_MSS);
+
+ opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
+ memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
+
+ nf_proto_csum_replace2(&tcph->check, *pskb,
+ htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
+ opt[0] = TCPOPT_MSS;
+ opt[1] = TCPOLEN_MSS;
+ opt[2] = (newmss & 0xff00) >> 8;
+ opt[3] = (newmss & 0x00ff);
+
+ nf_proto_csum_replace4(&tcph->check, *pskb, 0, *((__be32 *)opt), 0);
+
+ oldval = ((__be16 *)tcph)[6];
+ tcph->doff += TCPOLEN_MSS/4;
+ nf_proto_csum_replace2(&tcph->check, *pskb,
+ oldval, ((__be16 *)tcph)[6], 0);
+
+ newiplen = htons(ntohs(ipv6h->payload_len) + TCPOLEN_MSS);
+ ipv6h->payload_len = newiplen;
+ return IP6T_CONTINUE;
+}
+
+#define TH_SYN 0x02
+
+static inline int find_syn_match(const struct ip6t_entry_match *m)
+{
+ const struct ip6t_tcp *tcpinfo = (const struct ip6t_tcp *)m->data;
+
+ if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
+ tcpinfo->flg_cmp & TH_SYN &&
+ !(tcpinfo->invflags & IP6T_TCP_INV_FLAGS))
+ return 1;
+
+ return 0;
+}
+
+/* Must specify -p tcp --syn/--tcp-flags SYN */
+static int
+ip6t_tcpmss_checkentry(const char *tablename,
+ const void *e_void,
+ const struct xt_target *target,
+ void *targinfo,
+ unsigned int hook_mask)
+{
+ const struct ip6t_tcpmss_info *tcpmssinfo = targinfo;
+ const struct ip6t_entry *e = e_void;
+
+ if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU &&
+ (hook_mask & ~((1 << NF_IP6_FORWARD) |
+ (1 << NF_IP6_LOCAL_OUT) |
+ (1 << NF_IP6_POST_ROUTING))) != 0) {
+ printk("TCPMSS: path-MTU clamping only supported in "
+ "FORWARD, OUTPUT and POSTROUTING hooks\n");
+ return 0;
+ }
+
+ if (IP6T_MATCH_ITERATE(e, find_syn_match))
+ return 1;
+ printk("TCPMSS: Only works on TCP SYN packets\n");
+ return 0;
+}
+
+static struct ip6t_target ip6t_tcpmss_reg = {
+ .name = "TCPMSS",
+ .target = ip6t_tcpmss_target,
+ .targetsize = sizeof(struct ip6t_tcpmss_info),
+ .proto = IPPROTO_TCP,
+ .checkentry = ip6t_tcpmss_checkentry,
+ .me = THIS_MODULE,
+};
+
+static int __init ip6t_tcpmss_init(void)
+{
+ return ip6t_register_target(&ip6t_tcpmss_reg);
+}
+
+static void __exit ip6t_tcpmss_fini(void)
+{
+ ip6t_unregister_target(&ip6t_tcpmss_reg);
+}
+
+module_init(ip6t_tcpmss_init);
+module_exit(ip6t_tcpmss_fini);
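Review bot: `tcph->doff += TCPOLEN_MSS/4;` near the end of ip6t_tcpmss_target runs with no check that the 4-bit doff field has room, so a SYN that already carries 40 bytes of options with no MSS option among them (doff == 15, which the earlier `tcplen != tcph->doff*4` test permits) has its doff wrapped to 0 and is forwarded with a corrupt header; guard the insertion path with `if (tcph->doff >= 15) return IP6T_CONTINUE;` before `skb_put()`, since such a header cannot take another option and should pass unmodified. The option scan also over-reads by one byte: `optlen()` reads `opt[offset+1]` whenever `opt[offset] > TCPOPT_NOP`, and the loop lets `i` reach `tcph->doff*4 - 1`, which is the last byte of the segment because `tcplen == tcph->doff*4` was just enforced; bounding the loop with `i <= tcph->doff*4 - TCPOLEN_MSS` keeps both reads inside the header and makes the `tcph->doff*4 - i >= TCPOLEN_MSS` test redundant. Smaller points: the `bad length (%d bytes)` printk passes the unsigned `(*pskb)->len` to `%d`, and the two printk calls in ip6t_tcpmss_checkentry carry no KERN_ level.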


2007-01-14 20:12:35

by Jan Engelhardt

Subject: Re: [patch] netfilter: implement TCPMSS target for IPv6


On Jan 14 2007 20:20, David Madore wrote:
>
>Implement TCPMSS target for IPv6 by shamelessly copying from
>Marc Boucher's IPv4 implementation.
>
>Signed-off-by: David A. Madore <[email protected]>

Would not it be worthwhile to merge ipt_TCPMSS and
ip6t_TCPMSS to xt_TCPMSS instead?


-`J'
--

2007-01-15 00:35:26

by David Madore

Subject: Re: [patch] netfilter: implement TCPMSS target for IPv6

On Sun, Jan 14, 2007 at 09:10:45PM +0100, Jan Engelhardt wrote:
> On Jan 14 2007 20:20, David Madore wrote:
> >Implement TCPMSS target for IPv6 by shamelessly copying from
> >Marc Boucher's IPv4 implementation.
>
> Would not it be worthwhile to merge ipt_TCPMSS and
> ip6t_TCPMSS to xt_TCPMSS instead?

It may be, but I'm afraid that's outside my competence. I happened to
need ip6t_TCPMSS badly and soon, so I went for the quickest solution.
Of course, I'd appreciate it if someone were to do it in a better way.

Happy hacking,

--
David A. Madore
([email protected],
http://www.madore.org/~david/ )

2007-01-15 08:39:40

by Patrick McHardy

Subject: Re: [patch] netfilter: implement TCPMSS target for IPv6

Jan Engelhardt wrote:
> On Jan 14 2007 20:20, David Madore wrote:
>
>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>Marc Boucher's IPv4 implementation.
>>
>>Signed-off-by: David A. Madore <[email protected]>
>
>
> Would not it be worthwhile to merge ipt_TCPMSS and
> ip6t_TCPMSS to xt_TCPMSS instead?

I'm not sure how well that will work (the IPv4/IPv6-specific stuff
is spread over the entire target function), but it's worth a try.

2007-01-15 08:40:17

by Patrick McHardy

Subject: Re: [patch] netfilter: implement TCPMSS target for IPv6

David Madore wrote:
> On Sun, Jan 14, 2007 at 09:10:45PM +0100, Jan Engelhardt wrote:
>
>>On Jan 14 2007 20:20, David Madore wrote:
>>
>>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>>Marc Boucher's IPv4 implementation.
>>
>>Would not it be worthwhile to merge ipt_TCPMSS and
>>ip6t_TCPMSS to xt_TCPMSS instead?
>
>
> It may be, but I'm afraid that's outside my competence. I happened to
> need ip6t_TCPMSS badly and soon, so I went for the quickest solution.
> Of course, I'd appreciate it if someone were to do it in a better way.

I'll give it a shot.

2007-01-15 10:13:58

by Jan Engelhardt

Subject: Re: [patch] netfilter: implement TCPMSS target for IPv6


On Jan 15 2007 09:39, Patrick McHardy wrote:
>> On Jan 14 2007 20:20, David Madore wrote:
>>
>>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>>Marc Boucher's IPv4 implementation.
>>>
>>>Signed-off-by: David A. Madore <[email protected]>
>>
>>
>> Would not it be worthwhile to merge ipt_TCPMSS and
>> ip6t_TCPMSS to xt_TCPMSS instead?
>
>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>is spread over the entire target function), but its worth a try.

"Nothing is impossible." Since you happened to take that one for
yourself... well here's a q: would a patch be accepted that changes
all ipt and ip6t modules to the new xt? Even if a module is only for
ipv4 or ipv6, I think it makes sense to reduce the number of
different *t structures floating around.


-`J'
--

2007-01-15 10:18:16

by Patrick McHardy

Subject: Re: [patch] netfilter: implement TCPMSS target for IPv6

Jan Engelhardt wrote:
> On Jan 15 2007 09:39, Patrick McHardy wrote:
>
>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>is spread over the entire target function), but its worth a try.
>
>
> "Nothing is impossible." Since you happened to take that one for
> yourself... well here's a q: would a patch be accepted that changes
> all ipt and ip6t modules to the new xt? Even if a module is only for
> ipv4 or ipv6, I think it makes sense to reduce the number of
> different *t structures floating around.


If you're talking about using the xt-structures in net/ipv[46]/netfilter
and removing the ipt/ip6t-wrappers, that would make sense IMO.

2007-01-15 13:03:39

by Jan Engelhardt

Subject: Re: [patch] netfilter: implement TCPMSS target for IPv6


On Jan 15 2007 11:18, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> On Jan 15 2007 09:39, Patrick McHardy wrote:
>>
>>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>>is spread over the entire target function), but its worth a try.
>>
>>
>> well here's a q: would a patch be accepted that changes
>> all ipt and ip6t modules to the new xt? Even if a module is only for
>> ipv4 or ipv6, I think it makes sense to reduce the number of
>> different *t structures floating around.
>
>If you're talking about using the xt-structures in net/ipv[46]/netfilter
>and removing the ipt/ip6t-wrappers, that would make sense IMO.

Yup. Should the files then be renamed/moved to net/netfilter/xt_[foobaz].c
in a second step?

Should I leave ipt_TCPMSS/ip6t_TCPMSS untouched while you are working on
that one?


-`J'
--

2007-01-15 14:42:01

by Jan Engelhardt

Subject: [PATCH] Re: ipt->xt (was: implement TCPMSS target for IPv6)


On Jan 15 2007 11:18, Patrick McHardy wrote:
>>
>>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>>is spread over the entire target function), but its worth a try.
>>
>>
>> "Nothing is impossible." Since you happened to take that one for
>> yourself... well here's a q: would a patch be accepted that changes
>> all ipt and ip6t modules to the new xt? Even if a module is only for
>> ipv4 or ipv6, I think it makes sense to reduce the number of
>> different *t structures floating around.
>
>If you're talking about using the xt-structures in net/ipv[46]/netfilter
>and removing the ipt/ip6t-wrappers, that would make sense IMO.
>

How about this for a start?

Signed-off-by: Jan Engelhardt <[email protected]>

Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -26,6 +26,7 @@

#include <linux/netfilter_arp.h>

+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
#include <net/netfilter/nf_conntrack_compat.h>
@@ -42,7 +43,7 @@

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <[email protected]>");
-MODULE_DESCRIPTION("iptables target for CLUSTERIP");
+MODULE_DESCRIPTION("xtables target for CLUSTERIP");

struct clusterip_config {
struct list_head list; /* list of all configs */
@@ -329,7 +330,7 @@ target(struct sk_buff **pskb,
if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
&& (ctinfo == IP_CT_RELATED
|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
- return IPT_CONTINUE;
+ return XT_CONTINUE;

/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
* TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
@@ -367,7 +368,7 @@ target(struct sk_buff **pskb,
* actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
(*pskb)->pkt_type = PACKET_HOST;

- return IPT_CONTINUE;
+ return XT_CONTINUE;
}

static int
@@ -470,8 +471,9 @@ static void destroy(const struct xt_targ
nf_ct_l3proto_module_put(target->family);
}

-static struct ipt_target clusterip_tgt = {
+static struct xt_target clusterip_tgt = {
.name = "CLUSTERIP",
+ .family = AF_INET,
.target = target,
.targetsize = sizeof(struct ipt_clusterip_tgt_info),
.checkentry = checkentry,
@@ -727,7 +729,7 @@ static int __init ipt_clusterip_init(voi
{
int ret;

- ret = ipt_register_target(&clusterip_tgt);
+ ret = xt_register_target(&clusterip_tgt);
if (ret < 0)
return ret;

@@ -753,7 +755,7 @@ cleanup_hook:
nf_unregister_hook(&cip_arp_ops);
#endif /* CONFIG_PROC_FS */
cleanup_target:
- ipt_unregister_target(&clusterip_tgt);
+ xt_unregister_target(&clusterip_tgt);
return ret;
}

@@ -765,7 +767,7 @@ static void __exit ipt_clusterip_fini(vo
remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
#endif
nf_unregister_hook(&cip_arp_ops);
- ipt_unregister_target(&clusterip_tgt);
+ xt_unregister_target(&clusterip_tgt);
}

module_init(ipt_clusterip_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ECN.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
@@ -9,18 +9,20 @@
* ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
*/

+#include <linux/in.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <net/checksum.h>

+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_ECN.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <[email protected]>");
-MODULE_DESCRIPTION("iptables ECN modification module");
+MODULE_DESCRIPTION("xtables ECN modification module");

/* set ECT codepoint from IP header.
* return 0 if there was an error. */
@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
if (!set_ect_tcp(pskb, einfo))
return NF_DROP;

- return IPT_CONTINUE;
+ return XT_CONTINUE;
}

static int
@@ -119,7 +121,7 @@ checkentry(const char *tablename,
return 0;
}
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
- && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
+ && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
printk(KERN_WARNING "ECN: cannot use TCP operations on a "
"non-tcp rule\n");
return 0;
@@ -127,8 +129,9 @@ checkentry(const char *tablename,
return 1;
}

-static struct ipt_target ipt_ecn_reg = {
+static struct xt_target ipt_ecn_reg = {
.name = "ECN",
+ .family = AF_INET,
.target = target,
.targetsize = sizeof(struct ipt_ECN_info),
.table = "mangle",
@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {

static int __init ipt_ecn_init(void)
{
- return ipt_register_target(&ipt_ecn_reg);
+ return xt_register_target(&ipt_ecn_reg);
}

static void __exit ipt_ecn_fini(void)
{
- ipt_unregister_target(&ipt_ecn_reg);
+ xt_unregister_target(&ipt_ecn_reg);
}

module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -20,12 +20,12 @@
#include <net/route.h>

#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_LOG.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <[email protected]>");
-MODULE_DESCRIPTION("iptables syslog logging module");
+MODULE_DESCRIPTION("xtables syslog logging module");

#if 0
#define DEBUGP printk
@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,

ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
loginfo->prefix);
- return IPT_CONTINUE;
+ return XT_CONTINUE;
}

static int ipt_log_checkentry(const char *tablename,
@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char
return 1;
}

-static struct ipt_target ipt_log_reg = {
+static struct xt_target ipt_log_reg = {
.name = "LOG",
+ .family = AF_INET,
.target = ipt_log_target,
.targetsize = sizeof(struct ipt_log_info),
.checkentry = ipt_log_checkentry,
@@ -471,7 +472,7 @@ static struct nf_logger ipt_log_logger =

static int __init ipt_log_init(void)
{
- if (ipt_register_target(&ipt_log_reg))
+ if (xt_register_target(&ipt_log_reg))
return -EINVAL;
if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
printk(KERN_WARNING "ipt_LOG: not logging via system console "
@@ -486,7 +487,7 @@ static int __init ipt_log_init(void)
static void __exit ipt_log_fini(void)
{
nf_log_unregister_logger(&ipt_log_logger);
- ipt_unregister_target(&ipt_log_reg);
+ xt_unregister_target(&ipt_log_reg);
}

module_init(ipt_log_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,11 +25,11 @@
#else
#include <linux/netfilter_ipv4/ip_nat_rule.h>
#endif
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <[email protected]>");
-MODULE_DESCRIPTION("iptables MASQUERADE target module");
+MODULE_DESCRIPTION("xtables MASQUERADE target module");

#if 0
#define DEBUGP printk
@@ -192,6 +192,7 @@ static struct notifier_block masq_inet_n

static struct ipt_target masquerade = {
.name = "MASQUERADE",
+ .family = AF_INET,
.target = masquerade_target,
.targetsize = sizeof(struct ip_nat_multi_range_compat),
.table = "nat",
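Review bot: `static struct ipt_target masquerade` stays `ipt_target` here while `.family = AF_INET` is added and the registration below moves to `xt_register_target()`, so this file is converted only halfway compared with the other targets in the series, which all become `struct xt_target`; `target_module` in ipt_NETMAP.c and `redirect_reg` in ipt_REDIRECT.c are left the same way. The previous hunk of this file also replaces its only `<linux/netfilter_ipv4/ip_tables.h>` include with `<linux/netfilter/x_tables.h>`, so unless ip_tables.h is still reached indirectly (the nat rule headers may do that), the `ipt_target` name no longer resolves. Changing the declaration to `static struct xt_target masquerade = {` removes the dependency either way and keeps the series consistent.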
@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(vo
{
int ret;

- ret = ipt_register_target(&masquerade);
+ ret = xt_register_target(&masquerade);

if (ret == 0) {
/* Register for device down reports */
@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(vo

static void __exit ipt_masquerade_fini(void)
{
- ipt_unregister_target(&masquerade);
+ xt_unregister_target(&masquerade);
unregister_netdevice_notifier(&masq_dev_notifier);
unregister_inetaddr_notifier(&masq_inet_notifier);
}
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_NETMAP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
@@ -15,6 +15,7 @@
#include <linux/netdevice.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
#ifdef CONFIG_NF_NAT_NEEDED
#include <net/netfilter/nf_nat_rule.h>
#else
@@ -24,7 +25,7 @@
#define MODULENAME "NETMAP"
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Svenning Soerensen <[email protected]>");
-MODULE_DESCRIPTION("iptables 1:1 NAT mapping of IP networks target");
+MODULE_DESCRIPTION("xtables 1:1 NAT mapping of IP networks target");

#if 0
#define DEBUGP printk
@@ -90,6 +91,7 @@ target(struct sk_buff **pskb,

static struct ipt_target target_module = {
.name = MODULENAME,
+ .family = AF_INET,
.target = target,
.targetsize = sizeof(struct ip_nat_multi_range_compat),
.table = "nat",
@@ -101,12 +103,12 @@ static struct ipt_target target_module =

static int __init ipt_netmap_init(void)
{
- return ipt_register_target(&target_module);
+ return xt_register_target(&target_module);
}

static void __exit ipt_netmap_fini(void)
{
- ipt_unregister_target(&target_module);
+ xt_unregister_target(&target_module);
}

module_init(ipt_netmap_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REDIRECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -18,6 +18,7 @@
#include <net/protocol.h>
#include <net/checksum.h>
#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
#ifdef CONFIG_NF_NAT_NEEDED
#include <net/netfilter/nf_nat_rule.h>
#else
@@ -26,7 +27,7 @@

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <[email protected]>");
-MODULE_DESCRIPTION("iptables REDIRECT target module");
+MODULE_DESCRIPTION("xtables REDIRECT target module");

#if 0
#define DEBUGP printk
@@ -106,6 +107,7 @@ redirect_target(struct sk_buff **pskb,

static struct ipt_target redirect_reg = {
.name = "REDIRECT",
+ .family = AF_INET,
.target = redirect_target,
.targetsize = sizeof(struct ip_nat_multi_range_compat),
.table = "nat",
@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg =

static int __init ipt_redirect_init(void)
{
- return ipt_register_target(&redirect_reg);
+ return xt_register_target(&redirect_reg);
}

static void __exit ipt_redirect_fini(void)
{
- ipt_unregister_target(&redirect_reg);
+ xt_unregister_target(&redirect_reg);
}

module_init(ipt_redirect_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REJECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
@@ -22,6 +22,7 @@
#include <net/tcp.h>
#include <net/route.h>
#include <net/dst.h>
+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_REJECT.h>
#ifdef CONFIG_BRIDGE_NETFILTER
@@ -30,7 +31,7 @@

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <[email protected]>");
-MODULE_DESCRIPTION("iptables REJECT target module");
+MODULE_DESCRIPTION("xtables REJECT target module");

#if 0
#define DEBUGP printk
@@ -230,7 +231,7 @@ static int check(const char *tablename,
} else if (rejinfo->with == IPT_TCP_RESET) {
/* Must specify that it's a TCP packet */
if (e->ip.proto != IPPROTO_TCP
- || (e->ip.invflags & IPT_INV_PROTO)) {
+ || (e->ip.invflags & XT_INV_PROTO)) {
DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
return 0;
}
@@ -238,8 +239,9 @@ static int check(const char *tablename,
return 1;
}

-static struct ipt_target ipt_reject_reg = {
+static struct xt_target ipt_reject_reg = {
.name = "REJECT",
+ .family = AF_INET,
.target = reject,
.targetsize = sizeof(struct ipt_reject_info),
.table = "filter",
@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg

static int __init ipt_reject_init(void)
{
- return ipt_register_target(&ipt_reject_reg);
+ return xt_register_target(&ipt_reject_reg);
}

static void __exit ipt_reject_fini(void)
{
- ipt_unregister_target(&ipt_reject_reg);
+ xt_unregister_target(&ipt_reject_reg);
}

module_init(ipt_reject_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_SAME.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
@@ -34,6 +34,7 @@
#include <net/protocol.h>
#include <net/checksum.h>
#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
#ifdef CONFIG_NF_NAT_NEEDED
#include <net/netfilter/nf_nat_rule.h>
#else
@@ -43,7 +44,7 @@

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Martin Josefsson <[email protected]>");
-MODULE_DESCRIPTION("iptables special SNAT module for consistent sourceip");
+MODULE_DESCRIPTION("xtables special SNAT module for consistent sourceip");

#if 0
#define DEBUGP printk
@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
return ip_nat_setup_info(ct, &newrange, hooknum);
}

-static struct ipt_target same_reg = {
+static struct xt_target same_reg = {
.name = "SAME",
+ .family = AF_INET,
.target = same_target,
.targetsize = sizeof(struct ipt_same_info),
.table = "nat",
@@ -199,12 +201,12 @@ static struct ipt_target same_reg = {

static int __init ipt_same_init(void)
{
- return ipt_register_target(&same_reg);
+ return xt_register_target(&same_reg);
}

static void __exit ipt_same_fini(void)
{
- ipt_unregister_target(&same_reg);
+ xt_unregister_target(&same_reg);
}

module_init(ipt_same_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TOS.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
@@ -13,12 +13,12 @@
#include <linux/ip.h>
#include <net/checksum.h>

-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_TOS.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <[email protected]>");
-MODULE_DESCRIPTION("iptables TOS mangling module");
+MODULE_DESCRIPTION("xtables TOS mangling module");

static unsigned int
target(struct sk_buff **pskb,
@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
}
- return IPT_CONTINUE;
+ return XT_CONTINUE;
}

static int
@@ -63,8 +63,9 @@ checkentry(const char *tablename,
return 1;
}

-static struct ipt_target ipt_tos_reg = {
+static struct xt_target ipt_tos_reg = {
.name = "TOS",
+ .family = AF_INET,
.target = target,
.targetsize = sizeof(struct ipt_tos_target_info),
.table = "mangle",
@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {

static int __init ipt_tos_init(void)
{
- return ipt_register_target(&ipt_tos_reg);
+ return xt_register_target(&ipt_tos_reg);
}

static void __exit ipt_tos_fini(void)
{
- ipt_unregister_target(&ipt_tos_reg);
+ xt_unregister_target(&ipt_tos_reg);
}

module_init(ipt_tos_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TTL.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
@@ -12,11 +12,11 @@
#include <linux/ip.h>
#include <net/checksum.h>

-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_TTL.h>

MODULE_AUTHOR("Harald Welte <[email protected]>");
-MODULE_DESCRIPTION("IP tables TTL modification module");
+MODULE_DESCRIPTION("xtables TTL modification module");
MODULE_LICENSE("GPL");

static unsigned int
@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
iph->ttl = new_ttl;
}

- return IPT_CONTINUE;
+ return XT_CONTINUE;
}

static int ipt_ttl_checkentry(const char *tablename,
@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char
return 1;
}

-static struct ipt_target ipt_TTL = {
+static struct xt_target ipt_TTL = {
.name = "TTL",
+ .family = AF_INET,
.target = ipt_ttl_target,
.targetsize = sizeof(struct ipt_TTL_info),
.table = "mangle",
@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = {

static int __init ipt_ttl_init(void)
{
- return ipt_register_target(&ipt_TTL);
+ return xt_register_target(&ipt_TTL);
}

static void __exit ipt_ttl_fini(void)
{
- ipt_unregister_target(&ipt_TTL);
+ xt_unregister_target(&ipt_TTL);
}

module_init(ipt_ttl_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -57,14 +57,14 @@
#include <linux/mm.h>
#include <linux/moduleparam.h>
#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_ULOG.h>
#include <net/sock.h>
#include <linux/bitops.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <[email protected]>");
-MODULE_DESCRIPTION("iptables userspace logging module");
+MODULE_DESCRIPTION("xtables userspace logging module");
MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG);

#define ULOG_NL_EVENT 111 /* Harald's favorite number */
@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgro
ub->qlen = 0;
ub->skb = NULL;
ub->lastnlh = NULL;
-
}


@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(stru

ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);

- return IPT_CONTINUE;
+ return XT_CONTINUE;
}

static void ipt_logfn(unsigned int pf,
@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const cha
return 1;
}

-static struct ipt_target ipt_ulog_reg = {
+static struct xt_target ipt_ulog_reg = {
.name = "ULOG",
+ .family = AF_INET,
.target = ipt_ulog_target,
.targetsize = sizeof(struct ipt_ulog_info),
.checkentry = ipt_ulog_checkentry,
@@ -400,7 +400,7 @@ static int __init ipt_ulog_init(void)
if (!nflognl)
return -ENOMEM;

- if (ipt_register_target(&ipt_ulog_reg) != 0) {
+ if (xt_register_target(&ipt_ulog_reg) != 0) {
sock_release(nflognl->sk_socket);
return -EINVAL;
}
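Review bot: The new `xt_register_target()` call still funnels every failure into `return -EINVAL;`, which throws away the code the registrar actually returned (it may not be -EINVAL, e.g. an interrupted lock), so the module load error a user sees is misleading. Since this line is being touched anyway, keep the real value: `int ret = xt_register_target(&ipt_ulog_reg);` / `if (ret != 0) { sock_release(nflognl->sk_socket); return ret; }`. ipt_ulog_init() begins above this hunk, so the declaration of `ret` has to go with the function's existing locals.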
@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)

if (nflog)
nf_log_unregister_logger(&ipt_ulog_logger);
- ipt_unregister_target(&ipt_ulog_reg);
+ xt_unregister_target(&ipt_ulog_reg);
sock_release(nflognl->sk_socket);

/* remove pending timers and free allocated skb's */
@@ -435,7 +435,6 @@ static void __exit ipt_ulog_fini(void)
ub->skb = NULL;
}
}
-
}

module_init(ipt_ulog_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_addrtype.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
@@ -16,11 +16,11 @@
#include <net/route.h>

#include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <[email protected]>");
-MODULE_DESCRIPTION("iptables addrtype match");
+MODULE_DESCRIPTION("xtables addrtype match");

static inline int match_type(__be32 addr, u_int16_t mask)
{
@@ -44,8 +44,9 @@ static int match(const struct sk_buff *s
return ret;
}

-static struct ipt_match addrtype_match = {
+static struct xt_match addrtype_match = {
.name = "addrtype",
+ .family = AF_INET,
.match = match,
.matchsize = sizeof(struct ipt_addrtype_info),
.me = THIS_MODULE
@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match =

static int __init ipt_addrtype_init(void)
{
- return ipt_register_match(&addrtype_match);
+ return xt_register_match(&addrtype_match);
}

static void __exit ipt_addrtype_fini(void)
{
- ipt_unregister_match(&addrtype_match);
+ xt_unregister_match(&addrtype_match);
}

module_init(ipt_addrtype_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ah.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
@@ -6,16 +6,17 @@
* published by the Free Software Foundation.
*/

+#include <linux/in.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>

#include <linux/netfilter_ipv4/ipt_ah.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Yon Uriarte <[email protected]>");
-MODULE_DESCRIPTION("iptables AH SPI match module");
+MODULE_DESCRIPTION("xtables AH SPI match module");

#ifdef DEBUG_CONNTRACK
#define duprintf(format, args...) printk(format , ## args)
@@ -86,8 +87,9 @@ checkentry(const char *tablename,
return 1;
}

-static struct ipt_match ah_match = {
+static struct xt_match ah_match = {
.name = "ah",
+ .family = AF_INET,
.match = match,
.matchsize = sizeof(struct ipt_ah),
.proto = IPPROTO_AH,
@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {

static int __init ipt_ah_init(void)
{
- return ipt_register_match(&ah_match);
+ return xt_register_match(&ah_match);
}

static void __exit ipt_ah_fini(void)
{
- ipt_unregister_match(&ah_match);
+ xt_unregister_match(&ah_match);
}

module_init(ipt_ah_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ecn.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
@@ -9,15 +9,18 @@
* published by the Free Software Foundation.
*/

+#include <linux/in.h>
+#include <linux/ip.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/tcp.h>

+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_ecn.h>

MODULE_AUTHOR("Harald Welte <[email protected]>");
-MODULE_DESCRIPTION("iptables ECN matching module");
+MODULE_DESCRIPTION("xtables ECN matching module");
MODULE_LICENSE("GPL");

static inline int match_ip(const struct sk_buff *skb,
@@ -109,8 +112,10 @@ static int checkentry(const char *tablen
return 1;
}

-static struct ipt_match ecn_match = {
+static struct xt_match ecn_match = {
.name = "ecn",
+ .family = AF_INET,
+ .proto = IPPROTO_TCP,
.match = match,
.matchsize = sizeof(struct ipt_ecn_info),
.checkentry = checkentry,
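Review bot: The added `.proto = IPPROTO_TCP` on ecn_match tightens which rules the match accepts, not just how it is registered: xt_check_match refuses a match whose `.proto` is set when the rule's protocol differs or is inverted, so a rule that only tests the IP-header ECN bits on UDP or other non-TCP traffic would now be rejected at load time. If checkentry() (its body is above this hunk) deliberately limits the TCP-only check to the ECE/CWR operations, that is the contract to preserve and the `.proto` line should be dropped; if the restriction is intended, it is a user-visible change and belongs in the commit message. None of the other matches converted in this series add a `.proto`, which makes this one stand out as unintended.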
@@ -119,12 +124,12 @@ static struct ipt_match ecn_match = {

static int __init ipt_ecn_init(void)
{
- return ipt_register_match(&ecn_match);
+ return xt_register_match(&ecn_match);
}

static void __exit ipt_ecn_fini(void)
{
- ipt_unregister_match(&ecn_match);
+ xt_unregister_match(&ecn_match);
}

module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_iprange.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
@@ -10,12 +10,12 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_iprange.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <[email protected]>");
-MODULE_DESCRIPTION("iptables arbitrary IP range match module");
+MODULE_DESCRIPTION("xtables arbitrary IP range match module");

#if 0
#define DEBUGP printk
@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
return 1;
}

-static struct ipt_match iprange_match = {
+static struct xt_match iprange_match = {
.name = "iprange",
+ .family = AF_INET,
.match = match,
.matchsize = sizeof(struct ipt_iprange_info),
- .destroy = NULL,
.me = THIS_MODULE
};

static int __init ipt_iprange_init(void)
{
- return ipt_register_match(&iprange_match);
+ return xt_register_match(&iprange_match);
}

static void __exit ipt_iprange_fini(void)
{
- ipt_unregister_match(&iprange_match);
+ xt_unregister_match(&iprange_match);
}

module_init(ipt_iprange_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_owner.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
@@ -15,11 +15,11 @@
#include <net/sock.h>

#include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <[email protected]>");
-MODULE_DESCRIPTION("iptables owner match");
+MODULE_DESCRIPTION("xtables owner match");

static int
match(const struct sk_buff *skb,
@@ -68,8 +68,9 @@ checkentry(const char *tablename,
return 1;
}

-static struct ipt_match owner_match = {
+static struct xt_match owner_match = {
.name = "owner",
+ .family = AF_INET,
.match = match,
.matchsize = sizeof(struct ipt_owner_info),
.hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {

static int __init ipt_owner_init(void)
{
- return ipt_register_match(&owner_match);
+ return xt_register_match(&owner_match);
}

static void __exit ipt_owner_fini(void)
{
- ipt_unregister_match(&owner_match);
+ xt_unregister_match(&owner_match);
}

module_init(ipt_owner_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_recent.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
@@ -12,6 +12,7 @@
* Copyright 2002-2003, Stephen Frost, 2.5.x port by [email protected]
*/
#include <linux/init.h>
+#include <linux/ip.h>
#include <linux/moduleparam.h>
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
@@ -24,11 +25,11 @@
#include <linux/skbuff.h>
#include <linux/inet.h>

-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_recent.h>

MODULE_AUTHOR("Patrick McHardy <[email protected]>");
-MODULE_DESCRIPTION("IP tables recently seen matching module");
+MODULE_DESCRIPTION("xtables recently seen matching module");
MODULE_LICENSE("GPL");

static unsigned int ip_list_tot = 100;
@@ -462,8 +463,9 @@ static struct file_operations recent_fop
};
#endif /* CONFIG_PROC_FS */

-static struct ipt_match recent_match = {
+static struct xt_match recent_match = {
.name = "recent",
+ .family = AF_INET,
.match = ipt_recent_match,
.matchsize = sizeof(struct ipt_recent_info),
.checkentry = ipt_recent_checkentry,
@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
return -EINVAL;
ip_list_hash_size = 1 << fls(ip_list_tot);

- err = ipt_register_match(&recent_match);
+ err = xt_register_match(&recent_match);
#ifdef CONFIG_PROC_FS
if (err)
return err;
proc_dir = proc_mkdir("ipt_recent", proc_net);
if (proc_dir == NULL) {
- ipt_unregister_match(&recent_match);
+ xt_unregister_match(&recent_match);
err = -ENOMEM;
}
#endif
@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
static void __exit ipt_recent_exit(void)
{
BUG_ON(!list_empty(&tables));
- ipt_unregister_match(&recent_match);
+ xt_unregister_match(&recent_match);
#ifdef CONFIG_PROC_FS
remove_proc_entry("ipt_recent", proc_net);
#endif
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_tos.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
@@ -8,14 +8,15 @@
* published by the Free Software Foundation.
*/

+#include <linux/ip.h>
#include <linux/module.h>
#include <linux/skbuff.h>

#include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>

MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("iptables TOS match module");
+MODULE_DESCRIPTION("xtables TOS match module");

static int
match(const struct sk_buff *skb,
@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
return (skb->nh.iph->tos == info->tos) ^ info->invert;
}

-static struct ipt_match tos_match = {
+static struct xt_match tos_match = {
.name = "tos",
+ .family = AF_INET,
.match = match,
.matchsize = sizeof(struct ipt_tos_info),
.me = THIS_MODULE,
@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {

static int __init ipt_multiport_init(void)
{
- return ipt_register_match(&tos_match);
+ return xt_register_match(&tos_match);
}

static void __exit ipt_multiport_fini(void)
{
- ipt_unregister_match(&tos_match);
+ xt_unregister_match(&tos_match);
}

module_init(ipt_multiport_init);
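Review bot: The init/exit pair this hunk rewrites is still named ipt_multiport_init/ipt_multiport_fini in a module that registers the tos match, which is a copy-paste leftover and makes the symbol names misleading in oops traces and module listings. Since both function bodies are changed here anyway, rename them to `static int __init ipt_tos_init(void)` and `static void __exit ipt_tos_fini(void)`, and update `module_init(ipt_tos_init);` together with the module_exit line, which falls just below the hunk.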
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ttl.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
@@ -9,14 +9,15 @@
* published by the Free Software Foundation.
*/

+#include <linux/ip.h>
#include <linux/module.h>
#include <linux/skbuff.h>

#include <linux/netfilter_ipv4/ipt_ttl.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>

MODULE_AUTHOR("Harald Welte <[email protected]>");
-MODULE_DESCRIPTION("IP tables TTL matching module");
+MODULE_DESCRIPTION("xtables TTL matching module");
MODULE_LICENSE("GPL");

static int match(const struct sk_buff *skb,
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
return 0;
}

-static struct ipt_match ttl_match = {
+static struct xt_match ttl_match = {
.name = "ttl",
+ .family = AF_INET,
.match = match,
.matchsize = sizeof(struct ipt_ttl_info),
.me = THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {

static int __init ipt_ttl_init(void)
{
- return ipt_register_match(&ttl_match);
+ return xt_register_match(&ttl_match);
}

static void __exit ipt_ttl_fini(void)
{
- ipt_unregister_match(&ttl_match);
-
+ xt_unregister_match(&ttl_match);
}

module_init(ipt_ttl_init);

-`J'
--