
Commit 4cb160d0 authored by David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for your net-next tree:

1) Get rid of nf_sk_is_transparent(), use inet_sk_transparent() instead.
   From Máté Eckl.

2) Move shared tproxy infrastructure to nf_tproxy_ipv4 and nf_tproxy_ipv6.
   Also from Máté.

3) Add hashtable to speed up chain lookups by name, from Florian Westphal.

4) Patch series to add connlimit support reusing part of the
   nf_conncount infrastructure. This includes preparation changes such as
   passing context to the object and expression destroy interface;
   garbage collection for expressions embedded into set elements, and
   the introduction of the clone_destroy interface for expressions.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 1ffdd8e1 1b2470e5
+11 −0
@@ -13,4 +13,15 @@ unsigned int nf_conncount_count(struct net *net,
				const u32 *key,
				const struct nf_conntrack_tuple *tuple,
				const struct nf_conntrack_zone *zone);

unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head,
				 const struct nf_conntrack_tuple *tuple,
				 const struct nf_conntrack_zone *zone,
				 bool *addit);

bool nf_conncount_add(struct hlist_head *head,
		      const struct nf_conntrack_tuple *tuple);

void nf_conncount_cache_free(struct hlist_head *hhead);

#endif
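Review bot: The new declarations nf_conncount_lookup(), nf_conncount_add() and nf_conncount_cache_free() are exported without any comment on who owns and locks the `head` list, what the `bool *addit` out-parameter tells the caller, or what a false return from nf_conncount_add() means. A false return is presumably an allocation failure that callers must handle rather than ignore, so a short kernel-doc block above each prototype would make the contract visible where callers look for it; for example above nf_conncount_add(): `/* Add @tuple to the @head list; returns false if the entry could not be recorded (caller must handle this). */`, with the exact failure condition confirmed against the implementation. The rest of this header, including nf_conncount_count()'s prototype, lies outside the hunk.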
+0 −13
@@ -3,19 +3,6 @@
#define _NF_SOCK_H_

#include <net/sock.h>
#include <net/inet_timewait_sock.h>

static inline bool nf_sk_is_transparent(struct sock *sk)
{
	switch (sk->sk_state) {
	case TCP_TIME_WAIT:
		return inet_twsk(sk)->tw_transparent;
	case TCP_NEW_SYN_RECV:
		return inet_rsk(inet_reqsk(sk))->no_srccheck;
	default:
		return inet_sk(sk)->transparent;
	}
}

struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb,
				  const struct net_device *indev);
+18 −2
@@ -9,6 +9,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/nf_tables.h>
#include <linux/u64_stats_sync.h>
#include <linux/rhashtable.h>
#include <net/netfilter/nf_flow_table.h>
#include <net/netlink.h>

@@ -342,6 +343,7 @@ struct nft_set_ops {
						const struct nft_set_desc *desc,
						const struct nlattr * const nla[]);
	void				(*destroy)(const struct nft_set *set);
	void				(*gc_init)(const struct nft_set *set);

	unsigned int			elemsize;
};
@@ -370,6 +372,8 @@ void nft_unregister_set(struct nft_set_type *type);
 *
 *	@list: table set list node
 *	@bindings: list of set bindings
 *	@table: table this set belongs to
 *	@net: netnamespace this set belongs to
 * 	@name: name of the set
 *	@handle: unique handle of the set
 * 	@ktype: key type (numeric type defined by userspace, not used in the kernel)
@@ -393,6 +397,8 @@ void nft_unregister_set(struct nft_set_type *type);
struct nft_set {
	struct list_head		list;
	struct list_head		bindings;
	struct nft_table		*table;
	possible_net_t			net;
	char				*name;
	u64				handle;
	u32				ktype;
@@ -708,6 +714,7 @@ struct nft_expr_type {
};

#define NFT_EXPR_STATEFUL		0x1
#define NFT_EXPR_GC			0x2

/**
 *	struct nft_expr_ops - nf_tables expression operations
@@ -739,11 +746,15 @@ struct nft_expr_ops {
						      const struct nft_expr *expr);
	void				(*destroy)(const struct nft_ctx *ctx,
						   const struct nft_expr *expr);
	void				(*destroy_clone)(const struct nft_ctx *ctx,
							 const struct nft_expr *expr);
	int				(*dump)(struct sk_buff *skb,
						const struct nft_expr *expr);
	int				(*validate)(const struct nft_ctx *ctx,
						    const struct nft_expr *expr,
						    const struct nft_data **data);
	bool				(*gc)(struct net *net,
					      const struct nft_expr *expr);
	const struct nft_expr_type	*type;
	void				*data;
};
@@ -850,6 +861,7 @@ enum nft_chain_flags {
 *
 *	@rules: list of rules in the chain
 *	@list: used internally
 *	@rhlhead: used internally
 *	@table: table that this chain belongs to
 *	@handle: chain handle
 *	@use: number of jump references to this chain
@@ -862,6 +874,7 @@ struct nft_chain {
	struct nft_rule			*__rcu *rules_gen_1;
	struct list_head		rules;
	struct list_head		list;
	struct rhlist_head		rhlhead;
	struct nft_table		*table;
	u64				handle;
	u32				use;
@@ -955,7 +968,8 @@ unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
 *	struct nft_table - nf_tables table
 *
 *	@list: used internally
 *	@chains: chains in the table
 *	@chains_ht: chains in the table
 *	@chains: same, for stable walks
 *	@sets: sets in the table
 *	@objects: stateful objects in the table
 *	@flowtables: flow tables in the table
@@ -969,6 +983,7 @@ unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
 */
struct nft_table {
	struct list_head		list;
	struct rhltable			chains_ht;
	struct list_head		chains;
	struct list_head		sets;
	struct list_head		objects;
@@ -1070,7 +1085,8 @@ struct nft_object_ops {
	int				(*init)(const struct nft_ctx *ctx,
						const struct nlattr *const tb[],
						struct nft_object *obj);
	void				(*destroy)(struct nft_object *obj);
	void				(*destroy)(const struct nft_ctx *ctx,
						   struct nft_object *obj);
	int				(*dump)(struct sk_buff *skb,
						struct nft_object *obj,
						bool reset);
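Review bot: In the nft_expr_ops hunk the new `destroy_clone` and `gc` callbacks (and `gc_init` in nft_set_ops, together with the NFT_EXPR_GC flag) are added to the struct bodies, but the kernel-doc blocks describing these structs' members lie outside the visible hunks, so it is worth confirming they were extended as well. The meaning of `gc`'s bool return (presumably true when the expression has expired and the owning element may be collected) and when `destroy_clone` runs instead of `destroy` cannot be derived from the signatures alone. Suggested member lines for the struct nft_expr_ops comment: `@destroy_clone: destroy an expression instance that was cloned into a set element` and `@gc: garbage-collection callback; returns true if the element holding the expression can be released`, to be adjusted once checked against the implementation. The `destroy` op of nft_object_ops gains a ctx parameter, so every implementer of that op has to change in step; that is what the commit message's "passing context" item refers to.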
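--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,113 @@
+#ifndef _NF_TPROXY_H_
+#define _NF_TPROXY_H_
+
+#include <net/tcp.h>
+
+enum nf_tproxy_lookup_t {
+	 NF_TPROXY_LOOKUP_LISTENER,
+	 NF_TPROXY_LOOKUP_ESTABLISHED,
+};
+
+static inline bool nf_tproxy_sk_is_transparent(struct sock *sk)
+{
+	if (inet_sk_transparent(sk))
+		return true;
+
+	sock_gen_put(sk);
+	return false;
+}
+
+__be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr);
+
+/**
+ * nf_tproxy_handle_time_wait4 - handle IPv4 TCP TIME_WAIT reopen redirections
+ * @skb:	The skb being processed.
+ * @laddr:	IPv4 address to redirect to or zero.
+ * @lport:	TCP port to redirect to or zero.
+ * @sk:		The TIME_WAIT TCP socket found by the lookup.
+ *
+ * We have to handle SYN packets arriving to TIME_WAIT sockets
+ * differently: instead of reopening the connection we should rather
+ * redirect the new connection to the proxy if there's a listener
+ * socket present.
+ *
+ * nf_tproxy_handle_time_wait4() consumes the socket reference passed in.
+ *
+ * Returns the listener socket if there's one, the TIME_WAIT socket if
+ * no such listener is found, or NULL if the TCP header is incomplete.
+ */
+struct sock *
+nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb,
+			    __be32 laddr, __be16 lport, struct sock *sk);
+
+/*
+ * This is used when the user wants to intercept a connection matching
+ * an explicit iptables rule. In this case the sockets are assumed
+ * matching in preference order:
+ *
+ *   - match: if there's a fully established connection matching the
+ *     _packet_ tuple, it is returned, assuming the redirection
+ *     already took place and we process a packet belonging to an
+ *     established connection
+ *
+ *   - match: if there's a listening socket matching the redirection
+ *     (e.g. on-port & on-ip of the connection), it is returned,
+ *     regardless if it was bound to 0.0.0.0 or an explicit
+ *     address. The reasoning is that if there's an explicit rule, it
+ *     does not really matter if the listener is bound to an interface
+ *     or to 0. The user already stated that he wants redirection
+ *     (since he added the rule).
+ *
+ * Please note that there's an overlap between what a TPROXY target
+ * and a socket match will match. Normally if you have both rules the
+ * "socket" match will be the first one, effectively all packets
+ * belonging to established connections going through that one.
+ */
+struct sock *
+nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
+		      const u8 protocol,
+		      const __be32 saddr, const __be32 daddr,
+		      const __be16 sport, const __be16 dport,
+		      const struct net_device *in,
+		      const enum nf_tproxy_lookup_t lookup_type);
+
+const struct in6_addr *
+nf_tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
+		 const struct in6_addr *daddr);
+
+/**
+ * nf_tproxy_handle_time_wait6 - handle IPv6 TCP TIME_WAIT reopen redirections
+ * @skb:	The skb being processed.
+ * @tproto:	Transport protocol.
+ * @thoff:	Transport protocol header offset.
+ * @net:	Network namespace.
+ * @laddr:	IPv6 address to redirect to.
+ * @lport:	TCP port to redirect to or zero.
+ * @sk:		The TIME_WAIT TCP socket found by the lookup.
+ *
+ * We have to handle SYN packets arriving to TIME_WAIT sockets
+ * differently: instead of reopening the connection we should rather
+ * redirect the new connection to the proxy if there's a listener
+ * socket present.
+ *
+ * nf_tproxy_handle_time_wait6() consumes the socket reference passed in.
+ *
+ * Returns the listener socket if there's one, the TIME_WAIT socket if
+ * no such listener is found, or NULL if the TCP header is incomplete.
+ */
+struct sock *
+nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
+			    struct net *net,
+			    const struct in6_addr *laddr,
+			    const __be16 lport,
+			    struct sock *sk);
+
+struct sock *
+nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, void *hp,
+		      const u8 protocol,
+		      const struct in6_addr *saddr, const struct in6_addr *daddr,
+		      const __be16 sport, const __be16 dport,
+		      const struct net_device *in,
+		      const enum nf_tproxy_lookup_t lookup_type);
+
+#endif /* _NF_TPROXY_H_ */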
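Review bot: nf_tproxy_sk_is_transparent() releases the caller's socket reference through sock_gen_put() on its false path, so `sk` must not be touched after a false return; that side effect is invisible from the name and deserves a comment above the inline, e.g. `/* Returns true if @sk is a transparent socket; otherwise drops the reference held on @sk and returns false, after which @sk must not be used. */`. The kernel-doc for nf_tproxy_handle_time_wait4() lists @skb, @laddr, @lport and @sk but omits the `net` parameter that the prototype takes first; add `@net: Network namespace.` as the IPv6 variant's block already does. nf_tproxy_get_sock_v4() and nf_tproxy_get_sock_v6() carry a descriptive block comment but no parameter list, leaving `hp`, `thoff` and `lookup_type` undocumented for callers of this now-shared interface.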
+20 −1
@@ -1043,6 +1043,24 @@ enum nft_limit_attributes {
};
#define NFTA_LIMIT_MAX		(__NFTA_LIMIT_MAX - 1)

enum nft_connlimit_flags {
	NFT_CONNLIMIT_F_INV	= (1 << 0),
};

/**
 * enum nft_connlimit_attributes - nf_tables connlimit expression netlink attributes
 *
 * @NFTA_CONNLIMIT_COUNT: number of connections (NLA_U32)
 * @NFTA_CONNLIMIT_FLAGS: flags (NLA_U32: enum nft_connlimit_flags)
 */
enum nft_connlimit_attributes {
	NFTA_CONNLIMIT_UNSPEC,
	NFTA_CONNLIMIT_COUNT,
	NFTA_CONNLIMIT_FLAGS,
	__NFTA_CONNLIMIT_MAX
};
#define NFTA_CONNLIMIT_MAX	(__NFTA_CONNLIMIT_MAX - 1)

/**
 * enum nft_counter_attributes - nf_tables counter expression netlink attributes
 *
@@ -1357,7 +1375,8 @@ enum nft_ct_helper_attributes {
#define NFT_OBJECT_QUOTA	2
#define NFT_OBJECT_CT_HELPER	3
#define NFT_OBJECT_LIMIT	4
#define __NFT_OBJECT_MAX	5
#define NFT_OBJECT_CONNLIMIT	5
#define __NFT_OBJECT_MAX	6
#define NFT_OBJECT_MAX		(__NFT_OBJECT_MAX - 1)

/**
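Review bot: enum nft_connlimit_flags is added to the uapi header without a kernel-doc block, whereas the sibling enum nft_connlimit_attributes directly below it has one; since these flags are ABI that userspace will depend on, the single flag should be documented, e.g. `/** enum nft_connlimit_flags - nf_tables connlimit expression flags` followed by ` * @NFT_CONNLIMIT_F_INV: invert the match (presumably: match while the count is below the limit)`, with the exact semantics confirmed against the expression's evaluation code. The `__NFT_OBJECT_MAX` bump to 6 is consistent with the new NFT_OBJECT_CONNLIMIT value 5 in the second hunk.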