Merge branch 'master' of git://1984.lsi.us.es/nf-next

	 * If changed, new revision of iptables match/target is required.

	 * If changed, new revision of iptables match/target is required.

	 */

	 */

	IPSET_DIM_MAX = 6,

	IPSET_DIM_MAX = 6,

	IPSET_BIT_RETURN_NOMATCH = 7,

};

};

/* Option flags for kernel operations */

/* Option flags for kernel operations */

	IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),

	IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),

	IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),

	IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),

	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),

	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),

	IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),

};

};

#ifdef __KERNEL__

#ifdef __KERNEL__

#include <linux/netlink.h>

#include <linux/netlink.h>

#include <linux/netfilter.h>

#include <linux/netfilter.h>

#include <linux/netfilter/x_tables.h>

#include <linux/netfilter/x_tables.h>

#include <linux/stringify.h>

#include <linux/vmalloc.h>

#include <linux/vmalloc.h>

#include <net/netlink.h>

#include <net/netlink.h>

#define _IP_SET_MODULE_DESC(a, b, c)		\

	MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)

#define IP_SET_MODULE_DESC(a, b, c)		\

	_IP_SET_MODULE_DESC(a, __stringify(b), __stringify(c))

/* Set features */

/* Set features */

enum ip_set_feature {

enum ip_set_feature {

	IPSET_TYPE_IP_FLAG = 0,

	IPSET_TYPE_IP_FLAG = 0,

	IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG),

	IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG),

	IPSET_TYPE_IFACE_FLAG = 5,

	IPSET_TYPE_IFACE_FLAG = 5,

	IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG),

	IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG),

	IPSET_TYPE_NOMATCH_FLAG = 6,

	IPSET_TYPE_NOMATCH = (1 << IPSET_TYPE_NOMATCH_FLAG),

	/* Strictly speaking not a feature, but a flag for dumping:

	/* Strictly speaking not a feature, but a flag for dumping:

	 * this settype must be dumped last */

	 * this settype must be dumped last */

	IPSET_DUMP_LAST_FLAG = 7,

	IPSET_DUMP_LAST_FLAG = 7,

	return ret;

	return ret;

}

}

static inline int nla_put_ipaddr6(struct sk_buff *skb, int type, const struct in6_addr *ipaddrptr)

static inline int nla_put_ipaddr6(struct sk_buff *skb, int type,

				  const struct in6_addr *ipaddrptr)

{

{

	struct nlattr *__nested = ipset_nest_start(skb, type);

	struct nlattr *__nested = ipset_nest_start(skb, type);

	int ret;

	int ret;

#endif

#endif

#define SET_HOST_MASK(family)	(family == AF_INET ? 32 : 128)

#define SET_HOST_MASK(family)	(family == AF_INET ? 32 : 128)

#ifdef IP_SET_HASH_WITH_MULTI

#define NETS_LENGTH(family)	(SET_HOST_MASK(family) + 1)

#else

#define NETS_LENGTH(family)	SET_HOST_MASK(family)

#endif

/* Network cidr size book keeping when the hash stores different

/* Network cidr size book keeping when the hash stores different

 * sized networks */

 * sized networks */

static void

static void

add_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask)

add_cidr(struct ip_set_hash *h, u8 cidr, u8 nets_length)

{

{

	u8 i;

	int i, j;

	++h->nets[cidr-1].nets;

	pr_debug("add_cidr added %u: %u\n", cidr, h->nets[cidr-1].nets);

	if (h->nets[cidr-1].nets > 1)

		return;

	/* New cidr size */

	for (i = 0; i < host_mask && h->nets[i].cidr; i++) {

	/* Add in increasing prefix order, so larger cidr first */

	/* Add in increasing prefix order, so larger cidr first */

		if (h->nets[i].cidr < cidr)

	for (i = 0, j = -1; i < nets_length && h->nets[i].nets; i++) {

			swap(h->nets[i].cidr, cidr);

		if (j != -1)

			continue;

		else if (h->nets[i].cidr < cidr)

			j = i;

		else if (h->nets[i].cidr == cidr) {

			h->nets[i].nets++;

			return;

		}

	}

	if (j != -1) {

		for (; i > j; i--) {

			h->nets[i].cidr = h->nets[i - 1].cidr;

			h->nets[i].nets = h->nets[i - 1].nets;

		}

	}

	}

	if (i < host_mask)

	h->nets[i].cidr = cidr;

	h->nets[i].cidr = cidr;

	h->nets[i].nets = 1;

}

}

static void

static void

del_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask)

del_cidr(struct ip_set_hash *h, u8 cidr, u8 nets_length)

{

{

	u8 i;

	u8 i, j;

	--h->nets[cidr-1].nets;

	pr_debug("del_cidr deleted %u: %u\n", cidr, h->nets[cidr-1].nets);

	for (i = 0; i < nets_length - 1 && h->nets[i].cidr != cidr; i++)

		;

	h->nets[i].nets--;

	if (h->nets[cidr-1].nets != 0)

	if (h->nets[i].nets != 0)

		return;

		return;

	/* All entries with this cidr size deleted, so cleanup h->cidr[] */

	for (j = i; j < nets_length - 1 && h->nets[j].nets; j++) {

	for (i = 0; i < host_mask - 1 && h->nets[i].cidr; i++) {

		h->nets[j].cidr = h->nets[j + 1].cidr;

		if (h->nets[i].cidr == cidr)

		h->nets[j].nets = h->nets[j + 1].nets;

			h->nets[i].cidr = cidr = h->nets[i+1].cidr;

	}

	}

	h->nets[i - 1].cidr = 0;

}

}

#else

#define NETS_LENGTH(family)		0

#endif

#endif

/* Destroy the hashtable part of the set */

/* Destroy the hashtable part of the set */

/* Calculate the actual memory size of the set data */

/* Calculate the actual memory size of the set data */

static size_t

static size_t

ahash_memsize(const struct ip_set_hash *h, size_t dsize, u8 host_mask)

ahash_memsize(const struct ip_set_hash *h, size_t dsize, u8 nets_length)

{

{

	u32 i;

	u32 i;

	struct htable *t = h->table;

	struct htable *t = h->table;

	size_t memsize = sizeof(*h)

	size_t memsize = sizeof(*h)

			 + sizeof(*t)

			 + sizeof(*t)

#ifdef IP_SET_HASH_WITH_NETS

#ifdef IP_SET_HASH_WITH_NETS

			 + sizeof(struct ip_set_hash_nets) * host_mask

			 + sizeof(struct ip_set_hash_nets) * nets_length

#endif

#endif

			 + jhash_size(t->htable_bits) * sizeof(struct hbucket);

			 + jhash_size(t->htable_bits) * sizeof(struct hbucket);

	}

	}

#ifdef IP_SET_HASH_WITH_NETS

#ifdef IP_SET_HASH_WITH_NETS

	memset(h->nets, 0, sizeof(struct ip_set_hash_nets)

	memset(h->nets, 0, sizeof(struct ip_set_hash_nets)

			   * SET_HOST_MASK(set->family));

			   * NETS_LENGTH(set->family));

#endif

#endif

	h->elements = 0;

	h->elements = 0;

}

}

(jhash2((u32 *)(data), HKEY_DATALEN/sizeof(u32), initval)	\

(jhash2((u32 *)(data), HKEY_DATALEN/sizeof(u32), initval)	\

	& jhash_mask(htable_bits))

	& jhash_mask(htable_bits))

#define CONCAT(a, b, c)		a##b##c

#define TOKEN(a, b, c)		CONCAT(a, b, c)

/* Type/family dependent function prototypes */

/* Type/family dependent function prototypes */

#define type_pf_data_equal	TOKEN(TYPE, PF, _data_equal)

#define type_pf_data_equal	TOKEN(TYPE, PF, _data_equal)

	}

	}

#ifdef IP_SET_HASH_WITH_NETS

#ifdef IP_SET_HASH_WITH_NETS

	add_cidr(h, CIDR(d->cidr), HOST_MASK);

	add_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));

#endif

#endif

	h->elements++;

	h->elements++;

out:

out:

		n->pos--;

		n->pos--;

		h->elements--;

		h->elements--;

#ifdef IP_SET_HASH_WITH_NETS

#ifdef IP_SET_HASH_WITH_NETS

		del_cidr(h, CIDR(d->cidr), HOST_MASK);

		del_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));

#endif

#endif

		if (n->pos + AHASH_INIT_SIZE < n->size) {

		if (n->pos + AHASH_INIT_SIZE < n->size) {

			void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)

			void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)

	const struct type_pf_elem *data;

	const struct type_pf_elem *data;

	int i, j = 0;

	int i, j = 0;

	u32 key, multi = 0;

	u32 key, multi = 0;

	u8 host_mask = SET_HOST_MASK(set->family);

	u8 nets_length = NETS_LENGTH(set->family);

	pr_debug("test by nets\n");

	pr_debug("test by nets\n");

	for (; j < host_mask && h->nets[j].cidr && !multi; j++) {

	for (; j < nets_length && h->nets[j].nets && !multi; j++) {

		type_pf_data_netmask(d, h->nets[j].cidr);

		type_pf_data_netmask(d, h->nets[j].cidr);

		key = HKEY(d, h->initval, t->htable_bits);

		key = HKEY(d, h->initval, t->htable_bits);

		n = hbucket(t, key);

		n = hbucket(t, key);

	memsize = ahash_memsize(h, with_timeout(h->timeout)

	memsize = ahash_memsize(h, with_timeout(h->timeout)

					? sizeof(struct type_pf_telem)

					? sizeof(struct type_pf_telem)

					: sizeof(struct type_pf_elem),

					: sizeof(struct type_pf_elem),

				set->family == AF_INET ? 32 : 128);

				NETS_LENGTH(set->family));

	read_unlock_bh(&set->lock);

	read_unlock_bh(&set->lock);

	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);

	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);

/* Delete expired elements from the hashtable */

/* Delete expired elements from the hashtable */

static void

static void

type_pf_expire(struct ip_set_hash *h)

type_pf_expire(struct ip_set_hash *h, u8 nets_length)

{

{

	struct htable *t = h->table;

	struct htable *t = h->table;

	struct hbucket *n;

	struct hbucket *n;

			if (type_pf_data_expired(data)) {

			if (type_pf_data_expired(data)) {

				pr_debug("expired %u/%u\n", i, j);

				pr_debug("expired %u/%u\n", i, j);

#ifdef IP_SET_HASH_WITH_NETS

#ifdef IP_SET_HASH_WITH_NETS

				del_cidr(h, CIDR(data->cidr), HOST_MASK);

				del_cidr(h, CIDR(data->cidr), nets_length);

#endif

#endif

				if (j != n->pos - 1)

				if (j != n->pos - 1)

					/* Not last one */

					/* Not last one */

	if (!retried) {

	if (!retried) {

		i = h->elements;

		i = h->elements;

		write_lock_bh(&set->lock);

		write_lock_bh(&set->lock);

		type_pf_expire(set->data);

		type_pf_expire(set->data, NETS_LENGTH(set->family));

		write_unlock_bh(&set->lock);

		write_unlock_bh(&set->lock);

		if (h->elements <  i)

		if (h->elements <  i)

			return 0;

			return 0;

	if (h->elements >= h->maxelem)

	if (h->elements >= h->maxelem)

		/* FIXME: when set is full, we slow down here */

		/* FIXME: when set is full, we slow down here */

		type_pf_expire(h);

		type_pf_expire(h, NETS_LENGTH(set->family));

	if (h->elements >= h->maxelem) {

	if (h->elements >= h->maxelem) {

		if (net_ratelimit())

		if (net_ratelimit())

			pr_warning("Set %s is full, maxelem %u reached\n",

			pr_warning("Set %s is full, maxelem %u reached\n",

	if (j != AHASH_MAX(h) + 1) {

	if (j != AHASH_MAX(h) + 1) {

		data = ahash_tdata(n, j);

		data = ahash_tdata(n, j);

#ifdef IP_SET_HASH_WITH_NETS

#ifdef IP_SET_HASH_WITH_NETS

		del_cidr(h, CIDR(data->cidr), HOST_MASK);

		del_cidr(h, CIDR(data->cidr), NETS_LENGTH(set->family));

		add_cidr(h, CIDR(d->cidr), HOST_MASK);

		add_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));

#endif

#endif

		type_pf_data_copy(data, d);

		type_pf_data_copy(data, d);

		type_pf_data_timeout_set(data, timeout);

		type_pf_data_timeout_set(data, timeout);

	}

	}

#ifdef IP_SET_HASH_WITH_NETS

#ifdef IP_SET_HASH_WITH_NETS

	add_cidr(h, CIDR(d->cidr), HOST_MASK);

	add_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));

#endif

#endif

	h->elements++;

	h->elements++;

out:

out:

		n->pos--;

		n->pos--;

		h->elements--;

		h->elements--;

#ifdef IP_SET_HASH_WITH_NETS

#ifdef IP_SET_HASH_WITH_NETS

		del_cidr(h, CIDR(d->cidr), HOST_MASK);

		del_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));

#endif

#endif

		if (n->pos + AHASH_INIT_SIZE < n->size) {

		if (n->pos + AHASH_INIT_SIZE < n->size) {

			void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)

			void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)

	struct hbucket *n;

	struct hbucket *n;

	int i, j = 0;

	int i, j = 0;

	u32 key, multi = 0;

	u32 key, multi = 0;

	u8 host_mask = SET_HOST_MASK(set->family);

	u8 nets_length = NETS_LENGTH(set->family);

	for (; j < host_mask && h->nets[j].cidr && !multi; j++) {

	for (; j < nets_length && h->nets[j].nets && !multi; j++) {

		type_pf_data_netmask(d, h->nets[j].cidr);

		type_pf_data_netmask(d, h->nets[j].cidr);

		key = HKEY(d, h->initval, t->htable_bits);

		key = HKEY(d, h->initval, t->htable_bits);

		n = hbucket(t, key);

		n = hbucket(t, key);

	pr_debug("called\n");

	pr_debug("called\n");

	write_lock_bh(&set->lock);

	write_lock_bh(&set->lock);

	type_pf_expire(h);

	type_pf_expire(h, NETS_LENGTH(set->family));

	write_unlock_bh(&set->lock);

	write_unlock_bh(&set->lock);

	h->gc.expires = jiffies + IPSET_GC_PERIOD(h->timeout) * HZ;

	h->gc.expires = jiffies + IPSET_GC_PERIOD(h->timeout) * HZ;

#define FTP_PORT	21

#define FTP_PORT	21

#define NF_CT_FTP_SEQ_PICKUP	(1 << 0)

#define NUM_SEQ_TO_REMEMBER 2

#define NUM_SEQ_TO_REMEMBER 2

/* This structure exists only once per master */

/* This structure exists only once per master */

struct nf_ct_ftp_master {

struct nf_ct_ftp_master {

	/* Valid seq positions for cmd matching after newline */

	/* Valid seq positions for cmd matching after newline */

	u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];

	u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];

	/* 0 means seq_match_aft_nl not set */

	/* 0 means seq_match_aft_nl not set */

	int seq_aft_nl_num[IP_CT_DIR_MAX];

	u_int16_t seq_aft_nl_num[IP_CT_DIR_MAX];

	/* pickup sequence tracking, useful for conntrackd */

	u_int16_t flags[IP_CT_DIR_MAX];

};

};

struct nf_conntrack_expect;

struct nf_conntrack_expect;

	NFQA_PAYLOAD,			/* opaque data payload */

	NFQA_PAYLOAD,			/* opaque data payload */

	NFQA_CT,			/* nf_conntrack_netlink.h */

	NFQA_CT,			/* nf_conntrack_netlink.h */

	NFQA_CT_INFO,			/* enum ip_conntrack_info */

	NFQA_CT_INFO,			/* enum ip_conntrack_info */

	NFQA_CAP_LEN,			/* __u32 length of captured packet */

	__NFQA_MAX

	__NFQA_MAX

};

};

	/* Match against local time (instead of UTC) */

	/* Match against local time (instead of UTC) */

	XT_TIME_LOCAL_TZ = 1 << 0,

	XT_TIME_LOCAL_TZ = 1 << 0,

	/* treat timestart > timestop (e.g. 23:00-01:00) as single period */

	XT_TIME_CONTIGUOUS = 1 << 1,

	/* Shortcuts */

	/* Shortcuts */

	XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,

	XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,

	XT_TIME_ALL_WEEKDAYS  = 0xFE,

	XT_TIME_ALL_WEEKDAYS  = 0xFE,

	XT_TIME_MAX_DAYTIME   = 24 * 60 * 60 - 1,

	XT_TIME_MAX_DAYTIME   = 24 * 60 * 60 - 1,

};

};

#define XT_TIME_ALL_FLAGS (XT_TIME_LOCAL_TZ|XT_TIME_CONTIGUOUS)

#endif /* _XT_TIME_H */

#endif /* _XT_TIME_H */