
Merge tag 'disintegrate-net-20121009' of git://git.infradead.org/users/dhowells/linux-headers

UAPI Disintegration 2012-10-09

Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller 12 years ago
parent
commit
8a3ddb88fb
100 changed files with 941 additions and 1917 deletions
  1. 0 2
      include/linux/caif/Kbuild
  2. 0 77
      include/linux/netfilter/Kbuild
  3. 0 4
      include/linux/netfilter/ipset/Kbuild
  4. 3 222
      include/linux/netfilter/ipset/ip_set.h
  5. 1 10
      include/linux/netfilter/ipset/ip_set_bitmap.h
  6. 1 18
      include/linux/netfilter/ipset/ip_set_hash.h
  7. 1 18
      include/linux/netfilter/ipset/ip_set_list.h
  8. 1 114
      include/linux/netfilter/nf_conntrack_common.h
  9. 1 15
      include/linux/netfilter/nf_conntrack_ftp.h
  10. 1 48
      include/linux/netfilter/nf_conntrack_tcp.h
  11. 1 54
      include/linux/netfilter/nfnetlink.h
  12. 1 24
      include/linux/netfilter/nfnetlink_acct.h
  13. 1 185
      include/linux/netfilter/x_tables.h
  14. 1 70
      include/linux/netfilter/xt_hashlimit.h
  15. 1 20
      include/linux/netfilter/xt_physdev.h
  16. 0 2
      include/linux/netfilter_arp/Kbuild
  17. 1 199
      include/linux/netfilter_arp/arp_tables.h
  18. 0 18
      include/linux/netfilter_bridge/Kbuild
  19. 1 60
      include/linux/netfilter_bridge/ebt_802_3.h
  20. 1 254
      include/linux/netfilter_bridge/ebtables.h
  21. 0 10
      include/linux/netfilter_ipv4/Kbuild
  22. 2 216
      include/linux/netfilter_ipv4/ip_tables.h
  23. 0 12
      include/linux/netfilter_ipv6/Kbuild
  24. 2 254
      include/linux/netfilter_ipv6/ip6_tables.h
  25. 0 7
      include/linux/tc_act/Kbuild
  26. 0 4
      include/linux/tc_ematch/Kbuild
  27. 2 0
      include/uapi/linux/caif/Kbuild
  28. 0 0
      include/uapi/linux/caif/caif_socket.h
  29. 0 0
      include/uapi/linux/caif/if_caif.h
  30. 76 0
      include/uapi/linux/netfilter/Kbuild
  31. 4 0
      include/uapi/linux/netfilter/ipset/Kbuild
  32. 231 0
      include/uapi/linux/netfilter/ipset/ip_set.h
  33. 13 0
      include/uapi/linux/netfilter/ipset/ip_set_bitmap.h
  34. 21 0
      include/uapi/linux/netfilter/ipset/ip_set_hash.h
  35. 21 0
      include/uapi/linux/netfilter/ipset/ip_set_list.h
  36. 117 0
      include/uapi/linux/netfilter/nf_conntrack_common.h
  37. 18 0
      include/uapi/linux/netfilter/nf_conntrack_ftp.h
  38. 0 0
      include/uapi/linux/netfilter/nf_conntrack_sctp.h
  39. 51 0
      include/uapi/linux/netfilter/nf_conntrack_tcp.h
  40. 0 0
      include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
  41. 0 0
      include/uapi/linux/netfilter/nf_nat.h
  42. 56 0
      include/uapi/linux/netfilter/nfnetlink.h
  43. 27 0
      include/uapi/linux/netfilter/nfnetlink_acct.h
  44. 0 0
      include/uapi/linux/netfilter/nfnetlink_compat.h
  45. 0 0
      include/uapi/linux/netfilter/nfnetlink_conntrack.h
  46. 0 0
      include/uapi/linux/netfilter/nfnetlink_cthelper.h
  47. 0 0
      include/uapi/linux/netfilter/nfnetlink_cttimeout.h
  48. 0 0
      include/uapi/linux/netfilter/nfnetlink_log.h
  49. 0 0
      include/uapi/linux/netfilter/nfnetlink_queue.h
  50. 187 0
      include/uapi/linux/netfilter/x_tables.h
  51. 0 0
      include/uapi/linux/netfilter/xt_AUDIT.h
  52. 0 0
      include/uapi/linux/netfilter/xt_CHECKSUM.h
  53. 0 0
      include/uapi/linux/netfilter/xt_CLASSIFY.h
  54. 0 0
      include/uapi/linux/netfilter/xt_CONNMARK.h
  55. 0 0
      include/uapi/linux/netfilter/xt_CONNSECMARK.h
  56. 0 0
      include/uapi/linux/netfilter/xt_CT.h
  57. 0 0
      include/uapi/linux/netfilter/xt_DSCP.h
  58. 0 0
      include/uapi/linux/netfilter/xt_IDLETIMER.h
  59. 0 0
      include/uapi/linux/netfilter/xt_LED.h
  60. 0 0
      include/uapi/linux/netfilter/xt_LOG.h
  61. 0 0
      include/uapi/linux/netfilter/xt_MARK.h
  62. 0 0
      include/uapi/linux/netfilter/xt_NFLOG.h
  63. 0 0
      include/uapi/linux/netfilter/xt_NFQUEUE.h
  64. 0 0
      include/uapi/linux/netfilter/xt_RATEEST.h
  65. 0 0
      include/uapi/linux/netfilter/xt_SECMARK.h
  66. 0 0
      include/uapi/linux/netfilter/xt_TCPMSS.h
  67. 0 0
      include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
  68. 0 0
      include/uapi/linux/netfilter/xt_TEE.h
  69. 0 0
      include/uapi/linux/netfilter/xt_TPROXY.h
  70. 0 0
      include/uapi/linux/netfilter/xt_addrtype.h
  71. 0 0
      include/uapi/linux/netfilter/xt_cluster.h
  72. 0 0
      include/uapi/linux/netfilter/xt_comment.h
  73. 0 0
      include/uapi/linux/netfilter/xt_connbytes.h
  74. 0 0
      include/uapi/linux/netfilter/xt_connlimit.h
  75. 0 0
      include/uapi/linux/netfilter/xt_connmark.h
  76. 0 0
      include/uapi/linux/netfilter/xt_conntrack.h
  77. 0 0
      include/uapi/linux/netfilter/xt_cpu.h
  78. 0 0
      include/uapi/linux/netfilter/xt_dccp.h
  79. 0 0
      include/uapi/linux/netfilter/xt_devgroup.h
  80. 0 0
      include/uapi/linux/netfilter/xt_dscp.h
  81. 0 0
      include/uapi/linux/netfilter/xt_ecn.h
  82. 0 0
      include/uapi/linux/netfilter/xt_esp.h
  83. 73 0
      include/uapi/linux/netfilter/xt_hashlimit.h
  84. 0 0
      include/uapi/linux/netfilter/xt_helper.h
  85. 0 0
      include/uapi/linux/netfilter/xt_iprange.h
  86. 0 0
      include/uapi/linux/netfilter/xt_ipvs.h
  87. 0 0
      include/uapi/linux/netfilter/xt_length.h
  88. 0 0
      include/uapi/linux/netfilter/xt_limit.h
  89. 0 0
      include/uapi/linux/netfilter/xt_mac.h
  90. 0 0
      include/uapi/linux/netfilter/xt_mark.h
  91. 0 0
      include/uapi/linux/netfilter/xt_multiport.h
  92. 0 0
      include/uapi/linux/netfilter/xt_nfacct.h
  93. 0 0
      include/uapi/linux/netfilter/xt_osf.h
  94. 0 0
      include/uapi/linux/netfilter/xt_owner.h
  95. 23 0
      include/uapi/linux/netfilter/xt_physdev.h
  96. 0 0
      include/uapi/linux/netfilter/xt_pkttype.h
  97. 0 0
      include/uapi/linux/netfilter/xt_policy.h
  98. 0 0
      include/uapi/linux/netfilter/xt_quota.h
  99. 0 0
      include/uapi/linux/netfilter/xt_rateest.h
  100. 0 0
      include/uapi/linux/netfilter/xt_realm.h

+ 0 - 2
include/linux/caif/Kbuild

@@ -1,2 +0,0 @@
-header-y += caif_socket.h
-header-y += if_caif.h

+ 0 - 77
include/linux/netfilter/Kbuild

@@ -1,78 +1 @@
 header-y += ipset/
-
-header-y += nf_conntrack_common.h
-header-y += nf_conntrack_ftp.h
-header-y += nf_conntrack_sctp.h
-header-y += nf_conntrack_tcp.h
-header-y += nf_conntrack_tuple_common.h
-header-y += nf_nat.h
-header-y += nfnetlink.h
-header-y += nfnetlink_acct.h
-header-y += nfnetlink_compat.h
-header-y += nfnetlink_conntrack.h
-header-y += nfnetlink_cthelper.h
-header-y += nfnetlink_cttimeout.h
-header-y += nfnetlink_log.h
-header-y += nfnetlink_queue.h
-header-y += x_tables.h
-header-y += xt_AUDIT.h
-header-y += xt_CHECKSUM.h
-header-y += xt_CLASSIFY.h
-header-y += xt_CONNMARK.h
-header-y += xt_CONNSECMARK.h
-header-y += xt_CT.h
-header-y += xt_DSCP.h
-header-y += xt_IDLETIMER.h
-header-y += xt_LED.h
-header-y += xt_LOG.h
-header-y += xt_MARK.h
-header-y += xt_nfacct.h
-header-y += xt_NFLOG.h
-header-y += xt_NFQUEUE.h
-header-y += xt_RATEEST.h
-header-y += xt_SECMARK.h
-header-y += xt_TCPMSS.h
-header-y += xt_TCPOPTSTRIP.h
-header-y += xt_TEE.h
-header-y += xt_TPROXY.h
-header-y += xt_addrtype.h
-header-y += xt_cluster.h
-header-y += xt_comment.h
-header-y += xt_connbytes.h
-header-y += xt_connlimit.h
-header-y += xt_connmark.h
-header-y += xt_conntrack.h
-header-y += xt_cpu.h
-header-y += xt_dccp.h
-header-y += xt_devgroup.h
-header-y += xt_dscp.h
-header-y += xt_ecn.h
-header-y += xt_esp.h
-header-y += xt_hashlimit.h
-header-y += xt_helper.h
-header-y += xt_iprange.h
-header-y += xt_ipvs.h
-header-y += xt_length.h
-header-y += xt_limit.h
-header-y += xt_mac.h
-header-y += xt_mark.h
-header-y += xt_multiport.h
-header-y += xt_osf.h
-header-y += xt_owner.h
-header-y += xt_physdev.h
-header-y += xt_pkttype.h
-header-y += xt_policy.h
-header-y += xt_quota.h
-header-y += xt_rateest.h
-header-y += xt_realm.h
-header-y += xt_recent.h
-header-y += xt_set.h
-header-y += xt_sctp.h
-header-y += xt_socket.h
-header-y += xt_state.h
-header-y += xt_statistic.h
-header-y += xt_string.h
-header-y += xt_tcpmss.h
-header-y += xt_tcpudp.h
-header-y += xt_time.h
-header-y += xt_u32.h

+ 0 - 4
include/linux/netfilter/ipset/Kbuild

@@ -1,4 +0,0 @@
-header-y += ip_set.h
-header-y += ip_set_bitmap.h
-header-y += ip_set_hash.h
-header-y += ip_set_list.h

+ 3 - 222
include/linux/netfilter/ipset/ip_set.h

@@ -1,6 +1,3 @@
-#ifndef _IP_SET_H
-#define _IP_SET_H
-
 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
  *                         Patrick Schaaf <bof@bof.de>
  *                         Martin Josefsson <gandalf@wlug.westbo.se>
@@ -10,199 +7,9 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
+#ifndef _IP_SET_H
+#define _IP_SET_H
 
-#include <linux/types.h>
-
-/* The protocol version */
-#define IPSET_PROTOCOL		6
-
-/* The max length of strings including NUL: set and type identifiers */
-#define IPSET_MAXNAMELEN	32
-
-/* Message types and commands */
-enum ipset_cmd {
-	IPSET_CMD_NONE,
-	IPSET_CMD_PROTOCOL,	/* 1: Return protocol version */
-	IPSET_CMD_CREATE,	/* 2: Create a new (empty) set */
-	IPSET_CMD_DESTROY,	/* 3: Destroy a (empty) set */
-	IPSET_CMD_FLUSH,	/* 4: Remove all elements from a set */
-	IPSET_CMD_RENAME,	/* 5: Rename a set */
-	IPSET_CMD_SWAP,		/* 6: Swap two sets */
-	IPSET_CMD_LIST,		/* 7: List sets */
-	IPSET_CMD_SAVE,		/* 8: Save sets */
-	IPSET_CMD_ADD,		/* 9: Add an element to a set */
-	IPSET_CMD_DEL,		/* 10: Delete an element from a set */
-	IPSET_CMD_TEST,		/* 11: Test an element in a set */
-	IPSET_CMD_HEADER,	/* 12: Get set header data only */
-	IPSET_CMD_TYPE,		/* 13: Get set type */
-	IPSET_MSG_MAX,		/* Netlink message commands */
-
-	/* Commands in userspace: */
-	IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
-	IPSET_CMD_HELP,		/* 15: Get help */
-	IPSET_CMD_VERSION,	/* 16: Get program version */
-	IPSET_CMD_QUIT,		/* 17: Quit from interactive mode */
-
-	IPSET_CMD_MAX,
-
-	IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
-};
-
-/* Attributes at command level */
-enum {
-	IPSET_ATTR_UNSPEC,
-	IPSET_ATTR_PROTOCOL,	/* 1: Protocol version */
-	IPSET_ATTR_SETNAME,	/* 2: Name of the set */
-	IPSET_ATTR_TYPENAME,	/* 3: Typename */
-	IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
-	IPSET_ATTR_REVISION,	/* 4: Settype revision */
-	IPSET_ATTR_FAMILY,	/* 5: Settype family */
-	IPSET_ATTR_FLAGS,	/* 6: Flags at command level */
-	IPSET_ATTR_DATA,	/* 7: Nested attributes */
-	IPSET_ATTR_ADT,		/* 8: Multiple data containers */
-	IPSET_ATTR_LINENO,	/* 9: Restore lineno */
-	IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
-	IPSET_ATTR_REVISION_MIN	= IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
-	__IPSET_ATTR_CMD_MAX,
-};
-#define IPSET_ATTR_CMD_MAX	(__IPSET_ATTR_CMD_MAX - 1)
-
-/* CADT specific attributes */
-enum {
-	IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
-	IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
-	IPSET_ATTR_IP_TO,	/* 2 */
-	IPSET_ATTR_CIDR,	/* 3 */
-	IPSET_ATTR_PORT,	/* 4 */
-	IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
-	IPSET_ATTR_PORT_TO,	/* 5 */
-	IPSET_ATTR_TIMEOUT,	/* 6 */
-	IPSET_ATTR_PROTO,	/* 7 */
-	IPSET_ATTR_CADT_FLAGS,	/* 8 */
-	IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO,	/* 9 */
-	/* Reserve empty slots */
-	IPSET_ATTR_CADT_MAX = 16,
-	/* Create-only specific attributes */
-	IPSET_ATTR_GC,
-	IPSET_ATTR_HASHSIZE,
-	IPSET_ATTR_MAXELEM,
-	IPSET_ATTR_NETMASK,
-	IPSET_ATTR_PROBES,
-	IPSET_ATTR_RESIZE,
-	IPSET_ATTR_SIZE,
-	/* Kernel-only */
-	IPSET_ATTR_ELEMENTS,
-	IPSET_ATTR_REFERENCES,
-	IPSET_ATTR_MEMSIZE,
-
-	__IPSET_ATTR_CREATE_MAX,
-};
-#define IPSET_ATTR_CREATE_MAX	(__IPSET_ATTR_CREATE_MAX - 1)
-
-/* ADT specific attributes */
-enum {
-	IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
-	IPSET_ATTR_NAME,
-	IPSET_ATTR_NAMEREF,
-	IPSET_ATTR_IP2,
-	IPSET_ATTR_CIDR2,
-	IPSET_ATTR_IP2_TO,
-	IPSET_ATTR_IFACE,
-	__IPSET_ATTR_ADT_MAX,
-};
-#define IPSET_ATTR_ADT_MAX	(__IPSET_ATTR_ADT_MAX - 1)
-
-/* IP specific attributes */
-enum {
-	IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
-	IPSET_ATTR_IPADDR_IPV6,
-	__IPSET_ATTR_IPADDR_MAX,
-};
-#define IPSET_ATTR_IPADDR_MAX	(__IPSET_ATTR_IPADDR_MAX - 1)
-
-/* Error codes */
-enum ipset_errno {
-	IPSET_ERR_PRIVATE = 4096,
-	IPSET_ERR_PROTOCOL,
-	IPSET_ERR_FIND_TYPE,
-	IPSET_ERR_MAX_SETS,
-	IPSET_ERR_BUSY,
-	IPSET_ERR_EXIST_SETNAME2,
-	IPSET_ERR_TYPE_MISMATCH,
-	IPSET_ERR_EXIST,
-	IPSET_ERR_INVALID_CIDR,
-	IPSET_ERR_INVALID_NETMASK,
-	IPSET_ERR_INVALID_FAMILY,
-	IPSET_ERR_TIMEOUT,
-	IPSET_ERR_REFERENCED,
-	IPSET_ERR_IPADDR_IPV4,
-	IPSET_ERR_IPADDR_IPV6,
-
-	/* Type specific error codes */
-	IPSET_ERR_TYPE_SPECIFIC = 4352,
-};
-
-/* Flags at command level */
-enum ipset_cmd_flags {
-	IPSET_FLAG_BIT_EXIST	= 0,
-	IPSET_FLAG_EXIST	= (1 << IPSET_FLAG_BIT_EXIST),
-	IPSET_FLAG_BIT_LIST_SETNAME = 1,
-	IPSET_FLAG_LIST_SETNAME	= (1 << IPSET_FLAG_BIT_LIST_SETNAME),
-	IPSET_FLAG_BIT_LIST_HEADER = 2,
-	IPSET_FLAG_LIST_HEADER	= (1 << IPSET_FLAG_BIT_LIST_HEADER),
-	IPSET_FLAG_CMD_MAX = 15,	/* Lower half */
-};
-
-/* Flags at CADT attribute level */
-enum ipset_cadt_flags {
-	IPSET_FLAG_BIT_BEFORE	= 0,
-	IPSET_FLAG_BEFORE	= (1 << IPSET_FLAG_BIT_BEFORE),
-	IPSET_FLAG_BIT_PHYSDEV	= 1,
-	IPSET_FLAG_PHYSDEV	= (1 << IPSET_FLAG_BIT_PHYSDEV),
-	IPSET_FLAG_BIT_NOMATCH	= 2,
-	IPSET_FLAG_NOMATCH	= (1 << IPSET_FLAG_BIT_NOMATCH),
-	IPSET_FLAG_CADT_MAX	= 15,	/* Upper half */
-};
-
-/* Commands with settype-specific attributes */
-enum ipset_adt {
-	IPSET_ADD,
-	IPSET_DEL,
-	IPSET_TEST,
-	IPSET_ADT_MAX,
-	IPSET_CREATE = IPSET_ADT_MAX,
-	IPSET_CADT_MAX,
-};
-
-/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
- * and IPSET_INVALID_ID if you want to increase the max number of sets.
- */
-typedef __u16 ip_set_id_t;
-
-#define IPSET_INVALID_ID		65535
-
-enum ip_set_dim {
-	IPSET_DIM_ZERO = 0,
-	IPSET_DIM_ONE,
-	IPSET_DIM_TWO,
-	IPSET_DIM_THREE,
-	/* Max dimension in elements.
-	 * If changed, new revision of iptables match/target is required.
-	 */
-	IPSET_DIM_MAX = 6,
-	IPSET_BIT_RETURN_NOMATCH = 7,
-};
-
-/* Option flags for kernel operations */
-enum ip_set_kopt {
-	IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
-	IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
-	IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
-	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
-	IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),
-};
-
-#ifdef __KERNEL__
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/netlink.h>
@@ -211,6 +18,7 @@ enum ip_set_kopt {
 #include <linux/stringify.h>
 #include <linux/vmalloc.h>
 #include <net/netlink.h>
+#include <uapi/linux/netfilter/ipset/ip_set.h>
 
 #define _IP_SET_MODULE_DESC(a, b, c)		\
 	MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
@@ -476,31 +284,4 @@ bitmap_bytes(u32 a, u32 b)
 	return 4 * ((((b - a + 8) / 8) + 3) / 4);
 }
 
-#endif /* __KERNEL__ */
-
-/* Interface to iptables/ip6tables */
-
-#define SO_IP_SET		83
-
-union ip_set_name_index {
-	char name[IPSET_MAXNAMELEN];
-	ip_set_id_t index;
-};
-
-#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
-struct ip_set_req_get_set {
-	unsigned int op;
-	unsigned int version;
-	union ip_set_name_index set;
-};
-
-#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
-/* Uses ip_set_req_get_set */
-
-#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
-struct ip_set_req_version {
-	unsigned int op;
-	unsigned int version;
-};
-
 #endif /*_IP_SET_H */
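Review bot: The kernel-side guard `_IP_SET_H` is now defined (just below the license block) before `#include <uapi/linux/netfilter/ipset/ip_set.h>` is reached, so the uapi copy must use a distinct guard name such as `_UAPI_IP_SET_H`; if it reused `_IP_SET_H` the include would be skipped and the IPSET_* enums and `ip_set_id_t` would be missing from kernel builds. The uapi file is not part of this page, so that needs confirming there. The same define-then-include order applies to every other kernel header in this merge (ip_set_bitmap.h, ip_set_hash.h, ip_set_list.h, nf_conntrack_common.h, nf_conntrack_ftp.h, nf_conntrack_tcp.h, nfnetlink.h, nfnetlink_acct.h, x_tables.h, xt_hashlimit.h). As a point of style, this is also the only header where the guard was moved below the copyright comment instead of staying on the first two lines; keeping it first matches the rest of the series.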

+ 1 - 10
include/linux/netfilter/ipset/ip_set_bitmap.h

@@ -1,15 +1,8 @@
 #ifndef __IP_SET_BITMAP_H
 #define __IP_SET_BITMAP_H
 
-/* Bitmap type specific error codes */
-enum {
-	/* The element is out of the range of the set */
-	IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
-	/* The range exceeds the size limit of the set type */
-	IPSET_ERR_BITMAP_RANGE_SIZE,
-};
+#include <uapi/linux/netfilter/ipset/ip_set_bitmap.h>
 
-#ifdef __KERNEL__
 #define IPSET_BITMAP_MAX_RANGE	0x0000FFFF
 
 /* Common functions */
@@ -26,6 +19,4 @@ range_to_mask(u32 from, u32 to, u8 *bits)
 	return mask;
 }
 
-#endif /* __KERNEL__ */
-
 #endif /* __IP_SET_BITMAP_H */

+ 1 - 18
include/linux/netfilter/ipset/ip_set_hash.h

@@ -1,23 +1,8 @@
 #ifndef __IP_SET_HASH_H
 #define __IP_SET_HASH_H
 
-/* Hash type specific error codes */
-enum {
-	/* Hash is full */
-	IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC,
-	/* Null-valued element */
-	IPSET_ERR_HASH_ELEM,
-	/* Invalid protocol */
-	IPSET_ERR_INVALID_PROTO,
-	/* Protocol missing but must be specified */
-	IPSET_ERR_MISSING_PROTO,
-	/* Range not supported */
-	IPSET_ERR_HASH_RANGE_UNSUPPORTED,
-	/* Invalid range */
-	IPSET_ERR_HASH_RANGE,
-};
+#include <uapi/linux/netfilter/ipset/ip_set_hash.h>
 
-#ifdef __KERNEL__
 
 #define IPSET_DEFAULT_HASHSIZE		1024
 #define IPSET_MIMINAL_HASHSIZE		64
@@ -25,6 +10,4 @@ enum {
 #define IPSET_DEFAULT_PROBES		4
 #define IPSET_DEFAULT_RESIZE		100
 
-#endif /* __KERNEL__ */
-
 #endif /* __IP_SET_HASH_H */
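Review bot: Deleting the `#ifdef __KERNEL__` line leaves two consecutive blank lines directly after `#include <uapi/linux/netfilter/ipset/ip_set_hash.h>`; one of them should go so the file matches ip_set_bitmap.h, which ends up with a single blank line at the same spot. The same double blank line is left in ip_set_list.h, nf_conntrack_ftp.h, nf_conntrack_tcp.h, nfnetlink.h, nfnetlink_acct.h and x_tables.h after their respective uapi includes.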

+ 1 - 18
include/linux/netfilter/ipset/ip_set_list.h

@@ -1,27 +1,10 @@
 #ifndef __IP_SET_LIST_H
 #define __IP_SET_LIST_H
 
-/* List type specific error codes */
-enum {
-	/* Set name to be added/deleted/tested does not exist. */
-	IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC,
-	/* list:set type is not permitted to add */
-	IPSET_ERR_LOOP,
-	/* Missing reference set */
-	IPSET_ERR_BEFORE,
-	/* Reference set does not exist */
-	IPSET_ERR_NAMEREF,
-	/* Set is full */
-	IPSET_ERR_LIST_FULL,
-	/* Reference set is not added to the set */
-	IPSET_ERR_REF_EXIST,
-};
+#include <uapi/linux/netfilter/ipset/ip_set_list.h>
 
-#ifdef __KERNEL__
 
 #define IP_SET_LIST_DEFAULT_SIZE	8
 #define IP_SET_LIST_MIN_SIZE		4
 
-#endif /* __KERNEL__ */
-
 #endif /* __IP_SET_LIST_H */

+ 1 - 114
include/linux/netfilter/nf_conntrack_common.h

@@ -1,119 +1,8 @@
 #ifndef _NF_CONNTRACK_COMMON_H
 #define _NF_CONNTRACK_COMMON_H
-/* Connection state tracking for netfilter.  This is separated from,
-   but required by, the NAT layer; it can also be used by an iptables
-   extension. */
-enum ip_conntrack_info {
-	/* Part of an established connection (either direction). */
-	IP_CT_ESTABLISHED,
 
-	/* Like NEW, but related to an existing connection, or ICMP error
-	   (in either direction). */
-	IP_CT_RELATED,
+#include <uapi/linux/netfilter/nf_conntrack_common.h>
 
-	/* Started a new connection to track (only
-           IP_CT_DIR_ORIGINAL); may be a retransmission. */
-	IP_CT_NEW,
-
-	/* >= this indicates reply direction */
-	IP_CT_IS_REPLY,
-
-	IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
-	IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
-	IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,	
-	/* Number of distinct IP_CT types (no NEW in reply dirn). */
-	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
-};
-
-/* Bitset representing status of connection. */
-enum ip_conntrack_status {
-	/* It's an expected connection: bit 0 set.  This bit never changed */
-	IPS_EXPECTED_BIT = 0,
-	IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
-
-	/* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
-	IPS_SEEN_REPLY_BIT = 1,
-	IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
-
-	/* Conntrack should never be early-expired. */
-	IPS_ASSURED_BIT = 2,
-	IPS_ASSURED = (1 << IPS_ASSURED_BIT),
-
-	/* Connection is confirmed: originating packet has left box */
-	IPS_CONFIRMED_BIT = 3,
-	IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
-
-	/* Connection needs src nat in orig dir.  This bit never changed. */
-	IPS_SRC_NAT_BIT = 4,
-	IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
-
-	/* Connection needs dst nat in orig dir.  This bit never changed. */
-	IPS_DST_NAT_BIT = 5,
-	IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
-
-	/* Both together. */
-	IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
-
-	/* Connection needs TCP sequence adjusted. */
-	IPS_SEQ_ADJUST_BIT = 6,
-	IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
-
-	/* NAT initialization bits. */
-	IPS_SRC_NAT_DONE_BIT = 7,
-	IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
-
-	IPS_DST_NAT_DONE_BIT = 8,
-	IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
-
-	/* Both together */
-	IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
-
-	/* Connection is dying (removed from lists), can not be unset. */
-	IPS_DYING_BIT = 9,
-	IPS_DYING = (1 << IPS_DYING_BIT),
-
-	/* Connection has fixed timeout. */
-	IPS_FIXED_TIMEOUT_BIT = 10,
-	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
-
-	/* Conntrack is a template */
-	IPS_TEMPLATE_BIT = 11,
-	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
-
-	/* Conntrack is a fake untracked entry */
-	IPS_UNTRACKED_BIT = 12,
-	IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
-
-	/* Conntrack got a helper explicitly attached via CT target. */
-	IPS_HELPER_BIT = 13,
-	IPS_HELPER = (1 << IPS_HELPER_BIT),
-};
-
-/* Connection tracking event types */
-enum ip_conntrack_events {
-	IPCT_NEW,		/* new conntrack */
-	IPCT_RELATED,		/* related conntrack */
-	IPCT_DESTROY,		/* destroyed conntrack */
-	IPCT_REPLY,		/* connection has seen two-way traffic */
-	IPCT_ASSURED,		/* connection status has changed to assured */
-	IPCT_PROTOINFO,		/* protocol information has changed */
-	IPCT_HELPER,		/* new helper has been set */
-	IPCT_MARK,		/* new mark has been set */
-	IPCT_NATSEQADJ,		/* NAT is doing sequence adjustment */
-	IPCT_SECMARK,		/* new security mark has been set */
-};
-
-enum ip_conntrack_expect_events {
-	IPEXP_NEW,		/* new expectation */
-	IPEXP_DESTROY,		/* destroyed expectation */
-};
-
-/* expectation flags */
-#define NF_CT_EXPECT_PERMANENT		0x1
-#define NF_CT_EXPECT_INACTIVE		0x2
-#define NF_CT_EXPECT_USERSPACE		0x4
-
-#ifdef __KERNEL__
 struct ip_conntrack_stat {
 	unsigned int searched;
 	unsigned int found;
@@ -136,6 +25,4 @@ struct ip_conntrack_stat {
 /* call to create an explicit dependency on nf_conntrack. */
 extern void need_conntrack(void);
 
-#endif /* __KERNEL__ */
-
 #endif /* _NF_CONNTRACK_COMMON_H */

+ 1 - 15
include/linux/netfilter/nf_conntrack_ftp.h

@@ -1,20 +1,8 @@
 #ifndef _NF_CONNTRACK_FTP_H
 #define _NF_CONNTRACK_FTP_H
-/* FTP tracking. */
 
-/* This enum is exposed to userspace */
-enum nf_ct_ftp_type {
-	/* PORT command from client */
-	NF_CT_FTP_PORT,
-	/* PASV response from server */
-	NF_CT_FTP_PASV,
-	/* EPRT command from client */
-	NF_CT_FTP_EPRT,
-	/* EPSV response from server */
-	NF_CT_FTP_EPSV,
-};
+#include <uapi/linux/netfilter/nf_conntrack_ftp.h>
 
-#ifdef __KERNEL__
 
 #define FTP_PORT	21
 
@@ -42,6 +30,4 @@ extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb,
 				       unsigned int matchoff,
 				       unsigned int matchlen,
 				       struct nf_conntrack_expect *exp);
-#endif /* __KERNEL__ */
-
 #endif /* _NF_CONNTRACK_FTP_H */

+ 1 - 48
include/linux/netfilter/nf_conntrack_tcp.h

@@ -1,53 +1,8 @@
 #ifndef _NF_CONNTRACK_TCP_H
 #define _NF_CONNTRACK_TCP_H
-/* TCP tracking. */
 
-#include <linux/types.h>
+#include <uapi/linux/netfilter/nf_conntrack_tcp.h>
 
-/* This is exposed to userspace (ctnetlink) */
-enum tcp_conntrack {
-	TCP_CONNTRACK_NONE,
-	TCP_CONNTRACK_SYN_SENT,
-	TCP_CONNTRACK_SYN_RECV,
-	TCP_CONNTRACK_ESTABLISHED,
-	TCP_CONNTRACK_FIN_WAIT,
-	TCP_CONNTRACK_CLOSE_WAIT,
-	TCP_CONNTRACK_LAST_ACK,
-	TCP_CONNTRACK_TIME_WAIT,
-	TCP_CONNTRACK_CLOSE,
-	TCP_CONNTRACK_LISTEN,	/* obsolete */
-#define TCP_CONNTRACK_SYN_SENT2	TCP_CONNTRACK_LISTEN
-	TCP_CONNTRACK_MAX,
-	TCP_CONNTRACK_IGNORE,
-	TCP_CONNTRACK_RETRANS,
-	TCP_CONNTRACK_UNACK,
-	TCP_CONNTRACK_TIMEOUT_MAX
-};
-
-/* Window scaling is advertised by the sender */
-#define IP_CT_TCP_FLAG_WINDOW_SCALE		0x01
-
-/* SACK is permitted by the sender */
-#define IP_CT_TCP_FLAG_SACK_PERM		0x02
-
-/* This sender sent FIN first */
-#define IP_CT_TCP_FLAG_CLOSE_INIT		0x04
-
-/* Be liberal in window checking */
-#define IP_CT_TCP_FLAG_BE_LIBERAL		0x08
-
-/* Has unacknowledged data */
-#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED	0x10
-
-/* The field td_maxack has been set */
-#define IP_CT_TCP_FLAG_MAXACK_SET		0x20
-
-struct nf_ct_tcp_flags {
-	__u8 flags;
-	__u8 mask;
-};
-
-#ifdef __KERNEL__
 
 struct ip_ct_tcp_state {
 	u_int32_t	td_end;		/* max of seq + len */
@@ -74,6 +29,4 @@ struct ip_ct_tcp {
 	u_int8_t	last_flags;	/* Last flags set */
 };
 
-#endif /* __KERNEL__ */
-
 #endif /* _NF_CONNTRACK_TCP_H */
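Review bot: The kernel-only `struct ip_ct_tcp_state` that remains in this header still uses `u_int32_t` and `u_int8_t`, but the explicit `#include <linux/types.h>` is removed near the top of the hunk, so those typedefs now arrive only transitively through `<uapi/linux/netfilter/nf_conntrack_tcp.h>`. A transitive include is fragile if the uapi header is later slimmed down; keep `#include <linux/types.h>` alongside the uapi include. The same `<linux/types.h>` removal happens in nfnetlink.h, x_tables.h and xt_hashlimit.h; whether the kernel-side remainder of those files depends on it is not fully visible here. `struct ip_ct_tcp` continues outside the hunk.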

+ 1 - 54
include/linux/netfilter/nfnetlink.h

@@ -1,63 +1,11 @@
 #ifndef _NFNETLINK_H
 #define _NFNETLINK_H
-#include <linux/types.h>
-#include <linux/netfilter/nfnetlink_compat.h>
 
-enum nfnetlink_groups {
-	NFNLGRP_NONE,
-#define NFNLGRP_NONE			NFNLGRP_NONE
-	NFNLGRP_CONNTRACK_NEW,
-#define NFNLGRP_CONNTRACK_NEW		NFNLGRP_CONNTRACK_NEW
-	NFNLGRP_CONNTRACK_UPDATE,
-#define NFNLGRP_CONNTRACK_UPDATE	NFNLGRP_CONNTRACK_UPDATE
-	NFNLGRP_CONNTRACK_DESTROY,
-#define NFNLGRP_CONNTRACK_DESTROY	NFNLGRP_CONNTRACK_DESTROY
-	NFNLGRP_CONNTRACK_EXP_NEW,
-#define	NFNLGRP_CONNTRACK_EXP_NEW	NFNLGRP_CONNTRACK_EXP_NEW
-	NFNLGRP_CONNTRACK_EXP_UPDATE,
-#define NFNLGRP_CONNTRACK_EXP_UPDATE	NFNLGRP_CONNTRACK_EXP_UPDATE
-	NFNLGRP_CONNTRACK_EXP_DESTROY,
-#define NFNLGRP_CONNTRACK_EXP_DESTROY	NFNLGRP_CONNTRACK_EXP_DESTROY
-	__NFNLGRP_MAX,
-};
-#define NFNLGRP_MAX	(__NFNLGRP_MAX - 1)
-
-/* General form of address family dependent message.
- */
-struct nfgenmsg {
-	__u8  nfgen_family;		/* AF_xxx */
-	__u8  version;		/* nfnetlink version */
-	__be16    res_id;		/* resource id */
-};
-
-#define NFNETLINK_V0	0
-
-/* netfilter netlink message types are split in two pieces:
- * 8 bit subsystem, 8bit operation.
- */
-
-#define NFNL_SUBSYS_ID(x)	((x & 0xff00) >> 8)
-#define NFNL_MSG_TYPE(x)	(x & 0x00ff)
-
-/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
- * won't work anymore */
-#define NFNL_SUBSYS_NONE 		0
-#define NFNL_SUBSYS_CTNETLINK		1
-#define NFNL_SUBSYS_CTNETLINK_EXP	2
-#define NFNL_SUBSYS_QUEUE		3
-#define NFNL_SUBSYS_ULOG		4
-#define NFNL_SUBSYS_OSF			5
-#define NFNL_SUBSYS_IPSET		6
-#define NFNL_SUBSYS_ACCT		7
-#define NFNL_SUBSYS_CTNETLINK_TIMEOUT	8
-#define NFNL_SUBSYS_CTHELPER		9
-#define NFNL_SUBSYS_COUNT		10
-
-#ifdef __KERNEL__
 
 #include <linux/netlink.h>
 #include <linux/capability.h>
 #include <net/netlink.h>
+#include <uapi/linux/netfilter/nfnetlink.h>
 
 struct nfnl_callback {
 	int (*call)(struct sock *nl, struct sk_buff *skb, 
@@ -92,5 +40,4 @@ extern void nfnl_unlock(void);
 #define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
 	MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
 
-#endif	/* __KERNEL__ */
 #endif	/* _NFNETLINK_H */
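Review bot: The kernel-side header no longer includes `<linux/netfilter/nfnetlink_compat.h>` (dropped at the top of the hunk), so kernel code that previously reached the compat definitions through nfnetlink.h now depends on the new uapi header including it; that file is not shown here, so either confirm it does or keep the include in this header. Any in-tree user relying on the old transitive include would only break when that translation unit is compiled. `struct nfnl_callback` continues outside the hunk.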

+ 1 - 24
include/linux/netfilter/nfnetlink_acct.h

@@ -1,29 +1,8 @@
 #ifndef _NFNL_ACCT_H_
 #define _NFNL_ACCT_H_
 
-#ifndef NFACCT_NAME_MAX
-#define NFACCT_NAME_MAX		32
-#endif
+#include <uapi/linux/netfilter/nfnetlink_acct.h>
 
-enum nfnl_acct_msg_types {
-	NFNL_MSG_ACCT_NEW,
-	NFNL_MSG_ACCT_GET,
-	NFNL_MSG_ACCT_GET_CTRZERO,
-	NFNL_MSG_ACCT_DEL,
-	NFNL_MSG_ACCT_MAX
-};
-
-enum nfnl_acct_type {
-	NFACCT_UNSPEC,
-	NFACCT_NAME,
-	NFACCT_PKTS,
-	NFACCT_BYTES,
-	NFACCT_USE,
-	__NFACCT_MAX
-};
-#define NFACCT_MAX (__NFACCT_MAX - 1)
-
-#ifdef __KERNEL__
 
 struct nf_acct;
 
@@ -31,6 +10,4 @@ extern struct nf_acct *nfnl_acct_find_get(const char *filter_name);
 extern void nfnl_acct_put(struct nf_acct *acct);
 extern void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct);
 
-#endif /* __KERNEL__ */
-
 #endif /* _NFNL_ACCT_H */
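Review bot: The closing `#endif /* _NFNL_ACCT_H */` does not match the guard macro `_NFNL_ACCT_H_` defined on the first lines of the file; since this commit already reworks the header, the comment should read `#endif /* _NFNL_ACCT_H_ */` so the guard can be grepped consistently.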

+ 1 - 185
include/linux/netfilter/x_tables.h

@@ -1,191 +1,9 @@
 #ifndef _X_TABLES_H
 #define _X_TABLES_H
-#include <linux/kernel.h>
-#include <linux/types.h>
 
-#define XT_FUNCTION_MAXNAMELEN 30
-#define XT_EXTENSION_MAXNAMELEN 29
-#define XT_TABLE_MAXNAMELEN 32
-
-struct xt_entry_match {
-	union {
-		struct {
-			__u16 match_size;
-
-			/* Used by userspace */
-			char name[XT_EXTENSION_MAXNAMELEN];
-			__u8 revision;
-		} user;
-		struct {
-			__u16 match_size;
-
-			/* Used inside the kernel */
-			struct xt_match *match;
-		} kernel;
-
-		/* Total length */
-		__u16 match_size;
-	} u;
-
-	unsigned char data[0];
-};
-
-struct xt_entry_target {
-	union {
-		struct {
-			__u16 target_size;
-
-			/* Used by userspace */
-			char name[XT_EXTENSION_MAXNAMELEN];
-			__u8 revision;
-		} user;
-		struct {
-			__u16 target_size;
-
-			/* Used inside the kernel */
-			struct xt_target *target;
-		} kernel;
-
-		/* Total length */
-		__u16 target_size;
-	} u;
-
-	unsigned char data[0];
-};
-
-#define XT_TARGET_INIT(__name, __size)					       \
-{									       \
-	.target.u.user = {						       \
-		.target_size	= XT_ALIGN(__size),			       \
-		.name		= __name,				       \
-	},								       \
-}
-
-struct xt_standard_target {
-	struct xt_entry_target target;
-	int verdict;
-};
-
-struct xt_error_target {
-	struct xt_entry_target target;
-	char errorname[XT_FUNCTION_MAXNAMELEN];
-};
-
-/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
- * kernel supports, if >= revision. */
-struct xt_get_revision {
-	char name[XT_EXTENSION_MAXNAMELEN];
-	__u8 revision;
-};
-
-/* CONTINUE verdict for targets */
-#define XT_CONTINUE 0xFFFFFFFF
-
-/* For standard target */
-#define XT_RETURN (-NF_REPEAT - 1)
-
-/* this is a dummy structure to find out the alignment requirement for a struct
- * containing all the fundamental data types that are used in ipt_entry,
- * ip6t_entry and arpt_entry.  This sucks, and it is a hack.  It will be my
- * personal pleasure to remove it -HW
- */
-struct _xt_align {
-	__u8 u8;
-	__u16 u16;
-	__u32 u32;
-	__u64 u64;
-};
-
-#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
-
-/* Standard return verdict, or do jump. */
-#define XT_STANDARD_TARGET ""
-/* Error verdict. */
-#define XT_ERROR_TARGET "ERROR"
-
-#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
-#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
-
-struct xt_counters {
-	__u64 pcnt, bcnt;			/* Packet and byte counters */
-};
-
-/* The argument to IPT_SO_ADD_COUNTERS. */
-struct xt_counters_info {
-	/* Which table. */
-	char name[XT_TABLE_MAXNAMELEN];
-
-	unsigned int num_counters;
-
-	/* The counters (actually `number' of these). */
-	struct xt_counters counters[0];
-};
-
-#define XT_INV_PROTO		0x40	/* Invert the sense of PROTO. */
-
-#ifndef __KERNEL__
-/* fn returns 0 to continue iteration */
-#define XT_MATCH_ITERATE(type, e, fn, args...)			\
-({								\
-	unsigned int __i;					\
-	int __ret = 0;						\
-	struct xt_entry_match *__m;				\
-								\
-	for (__i = sizeof(type);				\
-	     __i < (e)->target_offset;				\
-	     __i += __m->u.match_size) {			\
-		__m = (void *)e + __i;				\
-								\
-		__ret = fn(__m , ## args);			\
-		if (__ret != 0)					\
-			break;					\
-	}							\
-	__ret;							\
-})
-
-/* fn returns 0 to continue iteration */
-#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
-({								\
-	unsigned int __i, __n;					\
-	int __ret = 0;						\
-	type *__entry;						\
-								\
-	for (__i = 0, __n = 0; __i < (size);			\
-	     __i += __entry->next_offset, __n++) { 		\
-		__entry = (void *)(entries) + __i;		\
-		if (__n < n)					\
-			continue;				\
-								\
-		__ret = fn(__entry , ## args);			\
-		if (__ret != 0)					\
-			break;					\
-	}							\
-	__ret;							\
-})
-
-/* fn returns 0 to continue iteration */
-#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
-	XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
-
-#endif /* !__KERNEL__ */
-
-/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
-#define xt_entry_foreach(pos, ehead, esize) \
-	for ((pos) = (typeof(pos))(ehead); \
-	     (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
-	     (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
-
-/* can only be xt_entry_match, so no use of typeof here */
-#define xt_ematch_foreach(pos, entry) \
-	for ((pos) = (struct xt_entry_match *)entry->elems; \
-	     (pos) < (struct xt_entry_match *)((char *)(entry) + \
-	             (entry)->target_offset); \
-	     (pos) = (struct xt_entry_match *)((char *)(pos) + \
-	             (pos)->u.match_size))
-
-#ifdef __KERNEL__
 
 #include <linux/netdevice.h>
+#include <uapi/linux/netfilter/x_tables.h>
 
 /**
  * struct xt_action_param - parameters for matches/targets
@@ -617,6 +435,4 @@ extern int xt_compat_target_to_user(const struct xt_entry_target *t,
 				    void __user **dstptr, unsigned int *size);
 
 #endif /* CONFIG_COMPAT */
-#endif /* __KERNEL__ */
-
 #endif /* _X_TABLES_H */

+ 1 - 70
include/linux/netfilter/xt_hashlimit.h

@@ -1,78 +1,9 @@
 #ifndef _XT_HASHLIMIT_H
 #define _XT_HASHLIMIT_H
 
-#include <linux/types.h>
+#include <uapi/linux/netfilter/xt_hashlimit.h>
 
-/* timings are in milliseconds. */
-#define XT_HASHLIMIT_SCALE 10000
-/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
- * seconds, or one packet every 59 hours.
- */
-
-/* packet length accounting is done in 16-byte steps */
-#define XT_HASHLIMIT_BYTE_SHIFT 4
-
-/* details of this structure hidden by the implementation */
-struct xt_hashlimit_htable;
-
-enum {
-	XT_HASHLIMIT_HASH_DIP = 1 << 0,
-	XT_HASHLIMIT_HASH_DPT = 1 << 1,
-	XT_HASHLIMIT_HASH_SIP = 1 << 2,
-	XT_HASHLIMIT_HASH_SPT = 1 << 3,
-	XT_HASHLIMIT_INVERT   = 1 << 4,
-	XT_HASHLIMIT_BYTES    = 1 << 5,
-};
-#ifdef __KERNEL__
 #define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \
 			  XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \
 			  XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES)
-#endif
-
-struct hashlimit_cfg {
-	__u32 mode;	  /* bitmask of XT_HASHLIMIT_HASH_* */
-	__u32 avg;    /* Average secs between packets * scale */
-	__u32 burst;  /* Period multiplier for upper limit. */
-
-	/* user specified */
-	__u32 size;		/* how many buckets */
-	__u32 max;		/* max number of entries */
-	__u32 gc_interval;	/* gc interval */
-	__u32 expire;	/* when do entries expire? */
-};
-
-struct xt_hashlimit_info {
-	char name [IFNAMSIZ];		/* name */
-	struct hashlimit_cfg cfg;
-
-	/* Used internally by the kernel */
-	struct xt_hashlimit_htable *hinfo;
-	union {
-		void *ptr;
-		struct xt_hashlimit_info *master;
-	} u;
-};
-
-struct hashlimit_cfg1 {
-	__u32 mode;	  /* bitmask of XT_HASHLIMIT_HASH_* */
-	__u32 avg;    /* Average secs between packets * scale */
-	__u32 burst;  /* Period multiplier for upper limit. */
-
-	/* user specified */
-	__u32 size;		/* how many buckets */
-	__u32 max;		/* max number of entries */
-	__u32 gc_interval;	/* gc interval */
-	__u32 expire;	/* when do entries expire? */
-
-	__u8 srcmask, dstmask;
-};
-
-struct xt_hashlimit_mtinfo1 {
-	char name[IFNAMSIZ];
-	struct hashlimit_cfg1 cfg;
-
-	/* Used internally by the kernel */
-	struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
-};
-
 #endif /*_XT_HASHLIMIT_H*/
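Review bot: `XT_HASHLIMIT_ALL` is now the only definition left in this kernel-side header, and it is built from an enum that lives in a different file, so it should say what it is for and that it must track that enum; add `/* Every XT_HASHLIMIT_* flag the kernel accepts in cfg.mode; keep in sync with the enum in uapi/linux/netfilter/xt_hashlimit.h */` above it. I cannot see the validation path from here, so that description is my reading of the name and should be confirmed against the match's checkentry. The structs moved out, `xt_hashlimit_info` and `xt_hashlimit_mtinfo1`, carry the `hinfo`/`master` kernel pointers "used internally by the kernel" and are now part of the frozen userspace layout; whatever copies match data back to userspace should scrub those fields before the copy, which is worth verifying separately since this commit does not touch it.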

+ 1 - 20
include/linux/netfilter/xt_physdev.h

@@ -1,26 +1,7 @@
 #ifndef _XT_PHYSDEV_H
 #define _XT_PHYSDEV_H
 
-#include <linux/types.h>
-
-#ifdef __KERNEL__
 #include <linux/if.h>
-#endif
-
-#define XT_PHYSDEV_OP_IN		0x01
-#define XT_PHYSDEV_OP_OUT		0x02
-#define XT_PHYSDEV_OP_BRIDGED		0x04
-#define XT_PHYSDEV_OP_ISIN		0x08
-#define XT_PHYSDEV_OP_ISOUT		0x10
-#define XT_PHYSDEV_OP_MASK		(0x20 - 1)
-
-struct xt_physdev_info {
-	char physindev[IFNAMSIZ];
-	char in_mask[IFNAMSIZ];
-	char physoutdev[IFNAMSIZ];
-	char out_mask[IFNAMSIZ];
-	__u8 invert;
-	__u8 bitmask;
-};
+#include <uapi/linux/netfilter/xt_physdev.h>
 
 #endif /*_XT_PHYSDEV_H*/
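Review bot: The kernel-side header still includes `<linux/if.h>` ahead of the new uapi include, and the removed struct depends on `IFNAMSIZ` from it, so the uapi copy must not rely on this ordering: userspace includes the uapi header on its own. Confirm that `uapi/linux/netfilter/xt_physdev.h` includes `<linux/if.h>` itself; if it does, the include kept here is only needed by code further down this file and can follow the uapi include with a short comment, e.g. `#include <linux/if.h>	/* IFNAMSIZ */`.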

+ 0 - 2
include/linux/netfilter_arp/Kbuild

@@ -1,2 +0,0 @@
-header-y += arp_tables.h
-header-y += arpt_mangle.h

+ 1 - 199
include/linux/netfilter_arp/arp_tables.h

@@ -5,211 +5,14 @@
  *	network byte order.
  * 	flags are stored in host byte order (of course).
  */
-
 #ifndef _ARPTABLES_H
 #define _ARPTABLES_H
 
-#ifdef __KERNEL__
 #include <linux/if.h>
 #include <linux/in.h>
 #include <linux/if_arp.h>
 #include <linux/skbuff.h>
-#endif
-#include <linux/types.h>
-#include <linux/compiler.h>
-#include <linux/netfilter_arp.h>
-
-#include <linux/netfilter/x_tables.h>
-
-#ifndef __KERNEL__
-#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
-#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define arpt_entry_target xt_entry_target
-#define arpt_standard_target xt_standard_target
-#define arpt_error_target xt_error_target
-#define ARPT_CONTINUE XT_CONTINUE
-#define ARPT_RETURN XT_RETURN
-#define arpt_counters_info xt_counters_info
-#define arpt_counters xt_counters
-#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
-#define ARPT_ERROR_TARGET XT_ERROR_TARGET
-#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
-	XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
-#endif
-
-#define ARPT_DEV_ADDR_LEN_MAX 16
-
-struct arpt_devaddr_info {
-	char addr[ARPT_DEV_ADDR_LEN_MAX];
-	char mask[ARPT_DEV_ADDR_LEN_MAX];
-};
-
-/* Yes, Virginia, you have to zero the padding. */
-struct arpt_arp {
-	/* Source and target IP addr */
-	struct in_addr src, tgt;
-	/* Mask for src and target IP addr */
-	struct in_addr smsk, tmsk;
-
-	/* Device hw address length, src+target device addresses */
-	__u8 arhln, arhln_mask;
-	struct arpt_devaddr_info src_devaddr;
-	struct arpt_devaddr_info tgt_devaddr;
-
-	/* ARP operation code. */
-	__be16 arpop, arpop_mask;
-
-	/* ARP hardware address and protocol address format. */
-	__be16 arhrd, arhrd_mask;
-	__be16 arpro, arpro_mask;
-
-	/* The protocol address length is only accepted if it is 4
-	 * so there is no use in offering a way to do filtering on it.
-	 */
-
-	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
-	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
-
-	/* Flags word */
-	__u8 flags;
-	/* Inverse flags */
-	__u16 invflags;
-};
-
-/* Values for "flag" field in struct arpt_ip (general arp structure).
- * No flags defined yet.
- */
-#define ARPT_F_MASK		0x00	/* All possible flag bits mask. */
-
-/* Values for "inv" field in struct arpt_arp. */
-#define ARPT_INV_VIA_IN		0x0001	/* Invert the sense of IN IFACE. */
-#define ARPT_INV_VIA_OUT	0x0002	/* Invert the sense of OUT IFACE */
-#define ARPT_INV_SRCIP		0x0004	/* Invert the sense of SRC IP. */
-#define ARPT_INV_TGTIP		0x0008	/* Invert the sense of TGT IP. */
-#define ARPT_INV_SRCDEVADDR	0x0010	/* Invert the sense of SRC DEV ADDR. */
-#define ARPT_INV_TGTDEVADDR	0x0020	/* Invert the sense of TGT DEV ADDR. */
-#define ARPT_INV_ARPOP		0x0040	/* Invert the sense of ARP OP. */
-#define ARPT_INV_ARPHRD		0x0080	/* Invert the sense of ARP HRD. */
-#define ARPT_INV_ARPPRO		0x0100	/* Invert the sense of ARP PRO. */
-#define ARPT_INV_ARPHLN		0x0200	/* Invert the sense of ARP HLN. */
-#define ARPT_INV_MASK		0x03FF	/* All possible flag bits mask. */
-
-/* This structure defines each of the firewall rules.  Consists of 3
-   parts which are 1) general ARP header stuff 2) match specific
-   stuff 3) the target to perform if the rule matches */
-struct arpt_entry
-{
-	struct arpt_arp arp;
-
-	/* Size of arpt_entry + matches */
-	__u16 target_offset;
-	/* Size of arpt_entry + matches + target */
-	__u16 next_offset;
-
-	/* Back pointer */
-	unsigned int comefrom;
-
-	/* Packet and byte counters. */
-	struct xt_counters counters;
-
-	/* The matches (if any), then the target. */
-	unsigned char elems[0];
-};
-
-/*
- * New IP firewall options for [gs]etsockopt at the RAW IP level.
- * Unlike BSD Linux inherits IP options so you don't have to use a raw
- * socket for this. Instead we check rights in the calls.
- *
- * ATTENTION: check linux/in.h before adding new number here.
- */
-#define ARPT_BASE_CTL		96
-
-#define ARPT_SO_SET_REPLACE		(ARPT_BASE_CTL)
-#define ARPT_SO_SET_ADD_COUNTERS	(ARPT_BASE_CTL + 1)
-#define ARPT_SO_SET_MAX			ARPT_SO_SET_ADD_COUNTERS
-
-#define ARPT_SO_GET_INFO		(ARPT_BASE_CTL)
-#define ARPT_SO_GET_ENTRIES		(ARPT_BASE_CTL + 1)
-/* #define ARPT_SO_GET_REVISION_MATCH	(APRT_BASE_CTL + 2) */
-#define ARPT_SO_GET_REVISION_TARGET	(ARPT_BASE_CTL + 3)
-#define ARPT_SO_GET_MAX			(ARPT_SO_GET_REVISION_TARGET)
-
-/* The argument to ARPT_SO_GET_INFO */
-struct arpt_getinfo {
-	/* Which table: caller fills this in. */
-	char name[XT_TABLE_MAXNAMELEN];
-
-	/* Kernel fills these in. */
-	/* Which hook entry points are valid: bitmask */
-	unsigned int valid_hooks;
-
-	/* Hook entry points: one per netfilter hook. */
-	unsigned int hook_entry[NF_ARP_NUMHOOKS];
-
-	/* Underflow points. */
-	unsigned int underflow[NF_ARP_NUMHOOKS];
-
-	/* Number of entries */
-	unsigned int num_entries;
-
-	/* Size of entries. */
-	unsigned int size;
-};
-
-/* The argument to ARPT_SO_SET_REPLACE. */
-struct arpt_replace {
-	/* Which table. */
-	char name[XT_TABLE_MAXNAMELEN];
-
-	/* Which hook entry points are valid: bitmask.  You can't
-           change this. */
-	unsigned int valid_hooks;
-
-	/* Number of entries */
-	unsigned int num_entries;
-
-	/* Total size of new entries */
-	unsigned int size;
-
-	/* Hook entry points. */
-	unsigned int hook_entry[NF_ARP_NUMHOOKS];
-
-	/* Underflow points. */
-	unsigned int underflow[NF_ARP_NUMHOOKS];
-
-	/* Information about old entries: */
-	/* Number of counters (must be equal to current number of entries). */
-	unsigned int num_counters;
-	/* The old entries' counters. */
-	struct xt_counters __user *counters;
-
-	/* The entries (hang off end: not really an array). */
-	struct arpt_entry entries[0];
-};
-
-/* The argument to ARPT_SO_GET_ENTRIES. */
-struct arpt_get_entries {
-	/* Which table: user fills this in. */
-	char name[XT_TABLE_MAXNAMELEN];
-
-	/* User fills this in: total entry size. */
-	unsigned int size;
-
-	/* The entries. */
-	struct arpt_entry entrytable[0];
-};
-
-/* Helper functions */
-static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
-{
-	return (void *)e + e->target_offset;
-}
-
-/*
- *	Main firewall chains definitions and global var's definitions.
- */
-#ifdef __KERNEL__
+#include <uapi/linux/netfilter_arp/arp_tables.h>
 
 /* Standard entry. */
 struct arpt_standard {
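Review bot: The kernel header drops its direct `<linux/netfilter_arp.h>` and `<linux/netfilter/x_tables.h>` includes (L1357–L1359) while the kernel-only code that follows, starting with `struct arpt_standard` at L1553 (which continues past this hunk) and the compat helpers, still needs `xt_entry_target`, `xt_counters` and `NF_ARP_NUMHOOKS`. That only compiles if the uapi header pulls those in and its `<linux/netfilter/x_tables.h>` resolves to the in-tree kernel copy, which I cannot see from here. A comment above the include would stop someone from "cleaning up" that indirect dependency later: `/* also provides linux/netfilter_arp.h and linux/netfilter/x_tables.h (kernel copy when built in-tree) */`.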
@@ -274,5 +77,4 @@ compat_arpt_get_target(struct compat_arpt_entry *e)
 }
 
 #endif /* CONFIG_COMPAT */
-#endif /*__KERNEL__*/
 #endif /* _ARPTABLES_H */

+ 0 - 18
include/linux/netfilter_bridge/Kbuild

@@ -1,18 +0,0 @@
-header-y += ebt_802_3.h
-header-y += ebt_among.h
-header-y += ebt_arp.h
-header-y += ebt_arpreply.h
-header-y += ebt_ip.h
-header-y += ebt_ip6.h
-header-y += ebt_limit.h
-header-y += ebt_log.h
-header-y += ebt_mark_m.h
-header-y += ebt_mark_t.h
-header-y += ebt_nat.h
-header-y += ebt_nflog.h
-header-y += ebt_pkttype.h
-header-y += ebt_redirect.h
-header-y += ebt_stp.h
-header-y += ebt_ulog.h
-header-y += ebt_vlan.h
-header-y += ebtables.h

+ 1 - 60
include/linux/netfilter_bridge/ebt_802_3.h

@@ -1,70 +1,11 @@
 #ifndef __LINUX_BRIDGE_EBT_802_3_H
 #define __LINUX_BRIDGE_EBT_802_3_H
 
-#include <linux/types.h>
-
-#define EBT_802_3_SAP 0x01
-#define EBT_802_3_TYPE 0x02
-
-#define EBT_802_3_MATCH "802_3"
-
-/*
- * If frame has DSAP/SSAP value 0xaa you must check the SNAP type
- * to discover what kind of packet we're carrying. 
- */
-#define CHECK_TYPE 0xaa
-
-/*
- * Control field may be one or two bytes.  If the first byte has
- * the value 0x03 then the entire length is one byte, otherwise it is two.
- * One byte controls are used in Unnumbered Information frames.
- * Two byte controls are used in Numbered Information frames.
- */
-#define IS_UI 0x03
-
-#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
-
-/* ui has one byte ctrl, ni has two */
-struct hdr_ui {
-	__u8 dsap;
-	__u8 ssap;
-	__u8 ctrl;
-	__u8 orig[3];
-	__be16 type;
-};
-
-struct hdr_ni {
-	__u8 dsap;
-	__u8 ssap;
-	__be16 ctrl;
-	__u8  orig[3];
-	__be16 type;
-};
-
-struct ebt_802_3_hdr {
-	__u8  daddr[6];
-	__u8  saddr[6];
-	__be16 len;
-	union {
-		struct hdr_ui ui;
-		struct hdr_ni ni;
-	} llc;
-};
-
-#ifdef __KERNEL__
 #include <linux/skbuff.h>
+#include <uapi/linux/netfilter_bridge/ebt_802_3.h>
 
 static inline struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb)
 {
 	return (struct ebt_802_3_hdr *)skb_mac_header(skb);
 }
 #endif
-
-struct ebt_802_3_info {
-	__u8  sap;
-	__be16 type;
-	__u8  bitmask;
-	__u8  invflags;
-};
-
-#endif
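Review bot: The `#endif` kept at L1649 used to close `#ifdef __KERNEL__` and now closes the include guard instead, but it is unlabeled, so a reader of the result cannot tell which it pairs with; write it as `#endif /* __LINUX_BRIDGE_EBT_802_3_H */`. The uapi include is placed after `<linux/skbuff.h>`, which is fine as long as the uapi copy of `ebt_802_3_hdr` does not depend on anything skbuff.h happens to drag in, since userspace will include it alone.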

+ 1 - 254
include/linux/netfilter_bridge/ebtables.h

@@ -9,191 +9,11 @@
  *  This code is stongly inspired on the iptables code which is
  *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
  */
-
 #ifndef __LINUX_BRIDGE_EFF_H
 #define __LINUX_BRIDGE_EFF_H
-#include <linux/if.h>
-#include <linux/netfilter_bridge.h>
-#include <linux/if_ether.h>
-
-#define EBT_TABLE_MAXNAMELEN 32
-#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
-#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
-
-/* verdicts >0 are "branches" */
-#define EBT_ACCEPT   -1
-#define EBT_DROP     -2
-#define EBT_CONTINUE -3
-#define EBT_RETURN   -4
-#define NUM_STANDARD_TARGETS   4
-/* ebtables target modules store the verdict inside an int. We can
- * reclaim a part of this int for backwards compatible extensions.
- * The 4 lsb are more than enough to store the verdict. */
-#define EBT_VERDICT_BITS 0x0000000F
-
-struct xt_match;
-struct xt_target;
-
-struct ebt_counter {
-	uint64_t pcnt;
-	uint64_t bcnt;
-};
 
-struct ebt_replace {
-	char name[EBT_TABLE_MAXNAMELEN];
-	unsigned int valid_hooks;
-	/* nr of rules in the table */
-	unsigned int nentries;
-	/* total size of the entries */
-	unsigned int entries_size;
-	/* start of the chains */
-	struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
-	/* nr of counters userspace expects back */
-	unsigned int num_counters;
-	/* where the kernel will put the old counters */
-	struct ebt_counter __user *counters;
-	char __user *entries;
-};
+#include <uapi/linux/netfilter_bridge/ebtables.h>
 
-struct ebt_replace_kernel {
-	char name[EBT_TABLE_MAXNAMELEN];
-	unsigned int valid_hooks;
-	/* nr of rules in the table */
-	unsigned int nentries;
-	/* total size of the entries */
-	unsigned int entries_size;
-	/* start of the chains */
-	struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
-	/* nr of counters userspace expects back */
-	unsigned int num_counters;
-	/* where the kernel will put the old counters */
-	struct ebt_counter *counters;
-	char *entries;
-};
-
-struct ebt_entries {
-	/* this field is always set to zero
-	 * See EBT_ENTRY_OR_ENTRIES.
-	 * Must be same size as ebt_entry.bitmask */
-	unsigned int distinguisher;
-	/* the chain name */
-	char name[EBT_CHAIN_MAXNAMELEN];
-	/* counter offset for this chain */
-	unsigned int counter_offset;
-	/* one standard (accept, drop, return) per hook */
-	int policy;
-	/* nr. of entries */
-	unsigned int nentries;
-	/* entry list */
-	char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-/* used for the bitmask of struct ebt_entry */
-
-/* This is a hack to make a difference between an ebt_entry struct and an
- * ebt_entries struct when traversing the entries from start to end.
- * Using this simplifies the code a lot, while still being able to use
- * ebt_entries.
- * Contrary, iptables doesn't use something like ebt_entries and therefore uses
- * different techniques for naming the policy and such. So, iptables doesn't
- * need a hack like this.
- */
-#define EBT_ENTRY_OR_ENTRIES 0x01
-/* these are the normal masks */
-#define EBT_NOPROTO 0x02
-#define EBT_802_3 0x04
-#define EBT_SOURCEMAC 0x08
-#define EBT_DESTMAC 0x10
-#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
-   | EBT_ENTRY_OR_ENTRIES)
-
-#define EBT_IPROTO 0x01
-#define EBT_IIN 0x02
-#define EBT_IOUT 0x04
-#define EBT_ISOURCE 0x8
-#define EBT_IDEST 0x10
-#define EBT_ILOGICALIN 0x20
-#define EBT_ILOGICALOUT 0x40
-#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
-   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
-
-struct ebt_entry_match {
-	union {
-		char name[EBT_FUNCTION_MAXNAMELEN];
-		struct xt_match *match;
-	} u;
-	/* size of data */
-	unsigned int match_size;
-	unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-struct ebt_entry_watcher {
-	union {
-		char name[EBT_FUNCTION_MAXNAMELEN];
-		struct xt_target *watcher;
-	} u;
-	/* size of data */
-	unsigned int watcher_size;
-	unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-struct ebt_entry_target {
-	union {
-		char name[EBT_FUNCTION_MAXNAMELEN];
-		struct xt_target *target;
-	} u;
-	/* size of data */
-	unsigned int target_size;
-	unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-#define EBT_STANDARD_TARGET "standard"
-struct ebt_standard_target {
-	struct ebt_entry_target target;
-	int verdict;
-};
-
-/* one entry */
-struct ebt_entry {
-	/* this needs to be the first field */
-	unsigned int bitmask;
-	unsigned int invflags;
-	__be16 ethproto;
-	/* the physical in-dev */
-	char in[IFNAMSIZ];
-	/* the logical in-dev */
-	char logical_in[IFNAMSIZ];
-	/* the physical out-dev */
-	char out[IFNAMSIZ];
-	/* the logical out-dev */
-	char logical_out[IFNAMSIZ];
-	unsigned char sourcemac[ETH_ALEN];
-	unsigned char sourcemsk[ETH_ALEN];
-	unsigned char destmac[ETH_ALEN];
-	unsigned char destmsk[ETH_ALEN];
-	/* sizeof ebt_entry + matches */
-	unsigned int watchers_offset;
-	/* sizeof ebt_entry + matches + watchers */
-	unsigned int target_offset;
-	/* sizeof ebt_entry + matches + watchers + target */
-	unsigned int next_offset;
-	unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-
-/* {g,s}etsockopt numbers */
-#define EBT_BASE_CTL            128
-
-#define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
-#define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
-#define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
-
-#define EBT_SO_GET_INFO         (EBT_BASE_CTL)
-#define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
-#define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
-#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
-#define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
-
-#ifdef __KERNEL__
 
 /* return values for match() functions */
 #define EBT_MATCH 0
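Review bot: `struct ebt_replace_kernel` (removed at L1714–L1728) is a kernel-internal layout with bare, non-`__user` pointers, and with a 1-addition/254-deletion diffstat the only place it can have gone is the uapi header, which would make it part of the exported ABI. If that is what happened, move it back into this kernel-side header below the uapi include, so userspace is not handed a struct it can never use and the kernel stays free to change it. The hunk also drops `<linux/if.h>`, `<linux/netfilter_bridge.h>` and `<linux/if_ether.h>`; the kernel code that remains (`INVALID_TARGET`, `ebt_do_table`) now gets `NF_BR_NUMHOOKS`, `IFNAMSIZ` and `ETH_ALEN` only through the uapi header, which should be confirmed to include them itself.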
@@ -304,77 +124,4 @@ extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
 /* True if the target is not a standard target */
 #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
 
-#endif /* __KERNEL__ */
-
-/* blatently stolen from ip_tables.h
- * fn returns 0 to continue iteration */
-#define EBT_MATCH_ITERATE(e, fn, args...)                   \
-({                                                          \
-	unsigned int __i;                                   \
-	int __ret = 0;                                      \
-	struct ebt_entry_match *__match;                    \
-	                                                    \
-	for (__i = sizeof(struct ebt_entry);                \
-	     __i < (e)->watchers_offset;                    \
-	     __i += __match->match_size +                   \
-	     sizeof(struct ebt_entry_match)) {              \
-		__match = (void *)(e) + __i;                \
-		                                            \
-		__ret = fn(__match , ## args);              \
-		if (__ret != 0)                             \
-			break;                              \
-	}                                                   \
-	if (__ret == 0) {                                   \
-		if (__i != (e)->watchers_offset)            \
-			__ret = -EINVAL;                    \
-	}                                                   \
-	__ret;                                              \
-})
-
-#define EBT_WATCHER_ITERATE(e, fn, args...)                 \
-({                                                          \
-	unsigned int __i;                                   \
-	int __ret = 0;                                      \
-	struct ebt_entry_watcher *__watcher;                \
-	                                                    \
-	for (__i = e->watchers_offset;                      \
-	     __i < (e)->target_offset;                      \
-	     __i += __watcher->watcher_size +               \
-	     sizeof(struct ebt_entry_watcher)) {            \
-		__watcher = (void *)(e) + __i;              \
-		                                            \
-		__ret = fn(__watcher , ## args);            \
-		if (__ret != 0)                             \
-			break;                              \
-	}                                                   \
-	if (__ret == 0) {                                   \
-		if (__i != (e)->target_offset)              \
-			__ret = -EINVAL;                    \
-	}                                                   \
-	__ret;                                              \
-})
-
-#define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
-({                                                          \
-	unsigned int __i;                                   \
-	int __ret = 0;                                      \
-	struct ebt_entry *__entry;                          \
-	                                                    \
-	for (__i = 0; __i < (size);) {                      \
-		__entry = (void *)(entries) + __i;          \
-		__ret = fn(__entry , ## args);              \
-		if (__ret != 0)                             \
-			break;                              \
-		if (__entry->bitmask != 0)                  \
-			__i += __entry->next_offset;        \
-		else                                        \
-			__i += sizeof(struct ebt_entries);  \
-	}                                                   \
-	if (__ret == 0) {                                   \
-		if (__i != (size))                          \
-			__ret = -EINVAL;                    \
-	}                                                   \
-	__ret;                                              \
-})
-
 #endif

+ 0 - 10
include/linux/netfilter_ipv4/Kbuild

@@ -1,10 +0,0 @@
-header-y += ip_tables.h
-header-y += ipt_CLUSTERIP.h
-header-y += ipt_ECN.h
-header-y += ipt_LOG.h
-header-y += ipt_REJECT.h
-header-y += ipt_TTL.h
-header-y += ipt_ULOG.h
-header-y += ipt_ah.h
-header-y += ipt_ecn.h
-header-y += ipt_ttl.h

+ 2 - 216
include/linux/netfilter_ipv4/ip_tables.h

@@ -11,230 +11,17 @@
  * 	flags are stored in host byte order (of course).
  * 	Port numbers are stored in HOST byte order.
  */
-
 #ifndef _IPTABLES_H
 #define _IPTABLES_H
 
-#ifdef __KERNEL__
 #include <linux/if.h>
 #include <linux/in.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#endif
-#include <linux/types.h>
-#include <linux/compiler.h>
-#include <linux/netfilter_ipv4.h>
-
-#include <linux/netfilter/x_tables.h>
-
-#ifndef __KERNEL__
-#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
-#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define ipt_match xt_match
-#define ipt_target xt_target
-#define ipt_table xt_table
-#define ipt_get_revision xt_get_revision
-#define ipt_entry_match xt_entry_match
-#define ipt_entry_target xt_entry_target
-#define ipt_standard_target xt_standard_target
-#define ipt_error_target xt_error_target
-#define ipt_counters xt_counters
-#define IPT_CONTINUE XT_CONTINUE
-#define IPT_RETURN XT_RETURN
-
-/* This group is older than old (iptables < v1.4.0-rc1~89) */
-#include <linux/netfilter/xt_tcpudp.h>
-#define ipt_udp xt_udp
-#define ipt_tcp xt_tcp
-#define IPT_TCP_INV_SRCPT	XT_TCP_INV_SRCPT
-#define IPT_TCP_INV_DSTPT	XT_TCP_INV_DSTPT
-#define IPT_TCP_INV_FLAGS	XT_TCP_INV_FLAGS
-#define IPT_TCP_INV_OPTION	XT_TCP_INV_OPTION
-#define IPT_TCP_INV_MASK	XT_TCP_INV_MASK
-#define IPT_UDP_INV_SRCPT	XT_UDP_INV_SRCPT
-#define IPT_UDP_INV_DSTPT	XT_UDP_INV_DSTPT
-#define IPT_UDP_INV_MASK	XT_UDP_INV_MASK
-
-/* The argument to IPT_SO_ADD_COUNTERS. */
-#define ipt_counters_info xt_counters_info
-/* Standard return verdict, or do jump. */
-#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define IPT_ERROR_TARGET XT_ERROR_TARGET
-
-/* fn returns 0 to continue iteration */
-#define IPT_MATCH_ITERATE(e, fn, args...) \
-	XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
-
-/* fn returns 0 to continue iteration */
-#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
-	XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
-#endif
-
-/* Yes, Virginia, you have to zero the padding. */
-struct ipt_ip {
-	/* Source and destination IP addr */
-	struct in_addr src, dst;
-	/* Mask for src and dest IP addr */
-	struct in_addr smsk, dmsk;
-	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
-	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
-
-	/* Protocol, 0 = ANY */
-	__u16 proto;
-
-	/* Flags word */
-	__u8 flags;
-	/* Inverse flags */
-	__u8 invflags;
-};
-
-/* Values for "flag" field in struct ipt_ip (general ip structure). */
-#define IPT_F_FRAG		0x01	/* Set if rule is a fragment rule */
-#define IPT_F_GOTO		0x02	/* Set if jump is a goto */
-#define IPT_F_MASK		0x03	/* All possible flag bits mask. */
-
-/* Values for "inv" field in struct ipt_ip. */
-#define IPT_INV_VIA_IN		0x01	/* Invert the sense of IN IFACE. */
-#define IPT_INV_VIA_OUT		0x02	/* Invert the sense of OUT IFACE */
-#define IPT_INV_TOS		0x04	/* Invert the sense of TOS. */
-#define IPT_INV_SRCIP		0x08	/* Invert the sense of SRC IP. */
-#define IPT_INV_DSTIP		0x10	/* Invert the sense of DST OP. */
-#define IPT_INV_FRAG		0x20	/* Invert the sense of FRAG. */
-#define IPT_INV_PROTO		XT_INV_PROTO
-#define IPT_INV_MASK		0x7F	/* All possible flag bits mask. */
-
-/* This structure defines each of the firewall rules.  Consists of 3
-   parts which are 1) general IP header stuff 2) match specific
-   stuff 3) the target to perform if the rule matches */
-struct ipt_entry {
-	struct ipt_ip ip;
-
-	/* Mark with fields that we care about. */
-	unsigned int nfcache;
-
-	/* Size of ipt_entry + matches */
-	__u16 target_offset;
-	/* Size of ipt_entry + matches + target */
-	__u16 next_offset;
-
-	/* Back pointer */
-	unsigned int comefrom;
-
-	/* Packet and byte counters. */
-	struct xt_counters counters;
-
-	/* The matches (if any), then the target. */
-	unsigned char elems[0];
-};
-
-/*
- * New IP firewall options for [gs]etsockopt at the RAW IP level.
- * Unlike BSD Linux inherits IP options so you don't have to use a raw
- * socket for this. Instead we check rights in the calls.
- *
- * ATTENTION: check linux/in.h before adding new number here.
- */
-#define IPT_BASE_CTL		64
-
-#define IPT_SO_SET_REPLACE	(IPT_BASE_CTL)
-#define IPT_SO_SET_ADD_COUNTERS	(IPT_BASE_CTL + 1)
-#define IPT_SO_SET_MAX		IPT_SO_SET_ADD_COUNTERS
-
-#define IPT_SO_GET_INFO			(IPT_BASE_CTL)
-#define IPT_SO_GET_ENTRIES		(IPT_BASE_CTL + 1)
-#define IPT_SO_GET_REVISION_MATCH	(IPT_BASE_CTL + 2)
-#define IPT_SO_GET_REVISION_TARGET	(IPT_BASE_CTL + 3)
-#define IPT_SO_GET_MAX			IPT_SO_GET_REVISION_TARGET
-
-/* ICMP matching stuff */
-struct ipt_icmp {
-	__u8 type;				/* type to match */
-	__u8 code[2];				/* range of code */
-	__u8 invflags;				/* Inverse flags */
-};
-
-/* Values for "inv" field for struct ipt_icmp. */
-#define IPT_ICMP_INV	0x01	/* Invert the sense of type/code test */
-
-/* The argument to IPT_SO_GET_INFO */
-struct ipt_getinfo {
-	/* Which table: caller fills this in. */
-	char name[XT_TABLE_MAXNAMELEN];
-
-	/* Kernel fills these in. */
-	/* Which hook entry points are valid: bitmask */
-	unsigned int valid_hooks;
-
-	/* Hook entry points: one per netfilter hook. */
-	unsigned int hook_entry[NF_INET_NUMHOOKS];
-
-	/* Underflow points. */
-	unsigned int underflow[NF_INET_NUMHOOKS];
-
-	/* Number of entries */
-	unsigned int num_entries;
-
-	/* Size of entries. */
-	unsigned int size;
-};
-
-/* The argument to IPT_SO_SET_REPLACE. */
-struct ipt_replace {
-	/* Which table. */
-	char name[XT_TABLE_MAXNAMELEN];
-
-	/* Which hook entry points are valid: bitmask.  You can't
-           change this. */
-	unsigned int valid_hooks;
-
-	/* Number of entries */
-	unsigned int num_entries;
-
-	/* Total size of new entries */
-	unsigned int size;
-
-	/* Hook entry points. */
-	unsigned int hook_entry[NF_INET_NUMHOOKS];
-
-	/* Underflow points. */
-	unsigned int underflow[NF_INET_NUMHOOKS];
-
-	/* Information about old entries: */
-	/* Number of counters (must be equal to current number of entries). */
-	unsigned int num_counters;
-	/* The old entries' counters. */
-	struct xt_counters __user *counters;
-
-	/* The entries (hang off end: not really an array). */
-	struct ipt_entry entries[0];
-};
-
-/* The argument to IPT_SO_GET_ENTRIES. */
-struct ipt_get_entries {
-	/* Which table: user fills this in. */
-	char name[XT_TABLE_MAXNAMELEN];
-
-	/* User fills this in: total entry size. */
-	unsigned int size;
-
-	/* The entries. */
-	struct ipt_entry entrytable[0];
-};
-
-/* Helper functions */
-static __inline__ struct xt_entry_target *
-ipt_get_target(struct ipt_entry *e)
-{
-	return (void *)e + e->target_offset;
-}
-
-/*
- *	Main firewall chains definitions and global var's definitions.
- */
-#ifdef __KERNEL__
 
 #include <linux/init.h>
+#include <uapi/linux/netfilter_ipv4/ip_tables.h>
+
 extern void ipt_init(void) __init;
 
 extern struct xt_table *ipt_register_table(struct net *net,
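Review bot: The uapi include is placed after `#include <linux/init.h>` here (L2180–L2181), whereas arp_tables.h in the same series puts it directly after `<linux/skbuff.h>` and before any kernel-only includes; pick one placement for all three tables headers so the "public layout first, kernel declarations second" boundary reads the same everywhere. Moving `#include <uapi/linux/netfilter_ipv4/ip_tables.h>` up to follow `<linux/skbuff.h>` would match arp_tables.h. As in that header, the kernel code below now relies on the uapi file to bring in `<linux/netfilter/x_tables.h>` and `<linux/netfilter_ipv4.h>`, which is worth a one-line comment on the include.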
@@ -303,5 +90,4 @@ compat_ipt_get_target(struct compat_ipt_entry *e)
 }
 
 #endif /* CONFIG_COMPAT */
-#endif /*__KERNEL__*/
 #endif /* _IPTABLES_H */

+ 0 - 12
include/linux/netfilter_ipv6/Kbuild

@@ -1,12 +0,0 @@
-header-y += ip6_tables.h
-header-y += ip6t_HL.h
-header-y += ip6t_LOG.h
-header-y += ip6t_NPT.h
-header-y += ip6t_REJECT.h
-header-y += ip6t_ah.h
-header-y += ip6t_frag.h
-header-y += ip6t_hl.h
-header-y += ip6t_ipv6header.h
-header-y += ip6t_mh.h
-header-y += ip6t_opts.h
-header-y += ip6t_rt.h

+ 2 - 254
include/linux/netfilter_ipv6/ip6_tables.h

@@ -11,268 +11,17 @@
  * 	flags are stored in host byte order (of course).
  * 	Port numbers are stored in HOST byte order.
  */
-
 #ifndef _IP6_TABLES_H
 #define _IP6_TABLES_H
 
-#ifdef __KERNEL__
 #include <linux/if.h>
 #include <linux/in6.h>
 #include <linux/ipv6.h>
 #include <linux/skbuff.h>
-#endif
-#include <linux/types.h>
-#include <linux/compiler.h>
-#include <linux/netfilter_ipv6.h>
-
-#include <linux/netfilter/x_tables.h>
-
-#ifndef __KERNEL__
-#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
-#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define ip6t_match xt_match
-#define ip6t_target xt_target
-#define ip6t_table xt_table
-#define ip6t_get_revision xt_get_revision
-#define ip6t_entry_match xt_entry_match
-#define ip6t_entry_target xt_entry_target
-#define ip6t_standard_target xt_standard_target
-#define ip6t_error_target xt_error_target
-#define ip6t_counters xt_counters
-#define IP6T_CONTINUE XT_CONTINUE
-#define IP6T_RETURN XT_RETURN
-
-/* Pre-iptables-1.4.0 */
-#include <linux/netfilter/xt_tcpudp.h>
-#define ip6t_tcp xt_tcp
-#define ip6t_udp xt_udp
-#define IP6T_TCP_INV_SRCPT	XT_TCP_INV_SRCPT
-#define IP6T_TCP_INV_DSTPT	XT_TCP_INV_DSTPT
-#define IP6T_TCP_INV_FLAGS	XT_TCP_INV_FLAGS
-#define IP6T_TCP_INV_OPTION	XT_TCP_INV_OPTION
-#define IP6T_TCP_INV_MASK	XT_TCP_INV_MASK
-#define IP6T_UDP_INV_SRCPT	XT_UDP_INV_SRCPT
-#define IP6T_UDP_INV_DSTPT	XT_UDP_INV_DSTPT
-#define IP6T_UDP_INV_MASK	XT_UDP_INV_MASK
-
-#define ip6t_counters_info xt_counters_info
-#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
-#define IP6T_ERROR_TARGET XT_ERROR_TARGET
-#define IP6T_MATCH_ITERATE(e, fn, args...) \
-	XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
-#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
-	XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
-#endif
-
-/* Yes, Virginia, you have to zero the padding. */
-struct ip6t_ip6 {
-	/* Source and destination IP6 addr */
-	struct in6_addr src, dst;		
-	/* Mask for src and dest IP6 addr */
-	struct in6_addr smsk, dmsk;
-	char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
-	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
-
-	/* Upper protocol number
-	 * - The allowed value is 0 (any) or protocol number of last parsable
-	 *   header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
-	 *   the non IPv6 extension headers.
-	 * - The protocol numbers of IPv6 extension headers except of ESP and
-	 *   MH do not match any packets.
-	 * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
-	 */
-	__u16 proto;
-	/* TOS to match iff flags & IP6T_F_TOS */
-	__u8 tos;
-
-	/* Flags word */
-	__u8 flags;
-	/* Inverse flags */
-	__u8 invflags;
-};
-
-/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
-#define IP6T_F_PROTO		0x01	/* Set if rule cares about upper 
-					   protocols */
-#define IP6T_F_TOS		0x02	/* Match the TOS. */
-#define IP6T_F_GOTO		0x04	/* Set if jump is a goto */
-#define IP6T_F_MASK		0x07	/* All possible flag bits mask. */
-
-/* Values for "inv" field in struct ip6t_ip6. */
-#define IP6T_INV_VIA_IN		0x01	/* Invert the sense of IN IFACE. */
-#define IP6T_INV_VIA_OUT		0x02	/* Invert the sense of OUT IFACE */
-#define IP6T_INV_TOS		0x04	/* Invert the sense of TOS. */
-#define IP6T_INV_SRCIP		0x08	/* Invert the sense of SRC IP. */
-#define IP6T_INV_DSTIP		0x10	/* Invert the sense of DST OP. */
-#define IP6T_INV_FRAG		0x20	/* Invert the sense of FRAG. */
-#define IP6T_INV_PROTO		XT_INV_PROTO
-#define IP6T_INV_MASK		0x7F	/* All possible flag bits mask. */
-
-/* This structure defines each of the firewall rules.  Consists of 3
-   parts which are 1) general IP header stuff 2) match specific
-   stuff 3) the target to perform if the rule matches */
-struct ip6t_entry {
-	struct ip6t_ip6 ipv6;
-
-	/* Mark with fields that we care about. */
-	unsigned int nfcache;
-
-	/* Size of ipt_entry + matches */
-	__u16 target_offset;
-	/* Size of ipt_entry + matches + target */
-	__u16 next_offset;
-
-	/* Back pointer */
-	unsigned int comefrom;
-
-	/* Packet and byte counters. */
-	struct xt_counters counters;
-
-	/* The matches (if any), then the target. */
-	unsigned char elems[0];
-};
-
-/* Standard entry */
-struct ip6t_standard {
-	struct ip6t_entry entry;
-	struct xt_standard_target target;
-};
-
-struct ip6t_error {
-	struct ip6t_entry entry;
-	struct xt_error_target target;
-};
-
-#define IP6T_ENTRY_INIT(__size)						       \
-{									       \
-	.target_offset	= sizeof(struct ip6t_entry),			       \
-	.next_offset	= (__size),					       \
-}
-
-#define IP6T_STANDARD_INIT(__verdict)					       \
-{									       \
-	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
-	.target		= XT_TARGET_INIT(XT_STANDARD_TARGET,		       \
-					 sizeof(struct xt_standard_target)),   \
-	.target.verdict	= -(__verdict) - 1,				       \
-}
-
-#define IP6T_ERROR_INIT							       \
-{									       \
-	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),	       \
-	.target		= XT_TARGET_INIT(XT_ERROR_TARGET,		       \
-					 sizeof(struct xt_error_target)),      \
-	.target.errorname = "ERROR",					       \
-}
-
-/*
- * New IP firewall options for [gs]etsockopt at the RAW IP level.
- * Unlike BSD Linux inherits IP options so you don't have to use
- * a raw socket for this. Instead we check rights in the calls.
- *
- * ATTENTION: check linux/in6.h before adding new number here.
- */
-#define IP6T_BASE_CTL			64
-
-#define IP6T_SO_SET_REPLACE		(IP6T_BASE_CTL)
-#define IP6T_SO_SET_ADD_COUNTERS	(IP6T_BASE_CTL + 1)
-#define IP6T_SO_SET_MAX			IP6T_SO_SET_ADD_COUNTERS
-
-#define IP6T_SO_GET_INFO		(IP6T_BASE_CTL)
-#define IP6T_SO_GET_ENTRIES		(IP6T_BASE_CTL + 1)
-#define IP6T_SO_GET_REVISION_MATCH	(IP6T_BASE_CTL + 4)
-#define IP6T_SO_GET_REVISION_TARGET	(IP6T_BASE_CTL + 5)
-#define IP6T_SO_GET_MAX			IP6T_SO_GET_REVISION_TARGET
-
-/* ICMP matching stuff */
-struct ip6t_icmp {
-	__u8 type;				/* type to match */
-	__u8 code[2];				/* range of code */
-	__u8 invflags;				/* Inverse flags */
-};
-
-/* Values for "inv" field for struct ipt_icmp. */
-#define IP6T_ICMP_INV	0x01	/* Invert the sense of type/code test */
-
-/* The argument to IP6T_SO_GET_INFO */
-struct ip6t_getinfo {
-	/* Which table: caller fills this in. */
-	char name[XT_TABLE_MAXNAMELEN];
-
-	/* Kernel fills these in. */
-	/* Which hook entry points are valid: bitmask */
-	unsigned int valid_hooks;
-
-	/* Hook entry points: one per netfilter hook. */
-	unsigned int hook_entry[NF_INET_NUMHOOKS];
-
-	/* Underflow points. */
-	unsigned int underflow[NF_INET_NUMHOOKS];
-
-	/* Number of entries */
-	unsigned int num_entries;
-
-	/* Size of entries. */
-	unsigned int size;
-};
-
-/* The argument to IP6T_SO_SET_REPLACE. */
-struct ip6t_replace {
-	/* Which table. */
-	char name[XT_TABLE_MAXNAMELEN];
-
-	/* Which hook entry points are valid: bitmask.  You can't
-           change this. */
-	unsigned int valid_hooks;
-
-	/* Number of entries */
-	unsigned int num_entries;
-
-	/* Total size of new entries */
-	unsigned int size;
-
-	/* Hook entry points. */
-	unsigned int hook_entry[NF_INET_NUMHOOKS];
-
-	/* Underflow points. */
-	unsigned int underflow[NF_INET_NUMHOOKS];
-
-	/* Information about old entries: */
-	/* Number of counters (must be equal to current number of entries). */
-	unsigned int num_counters;
-	/* The old entries' counters. */
-	struct xt_counters __user *counters;
-
-	/* The entries (hang off end: not really an array). */
-	struct ip6t_entry entries[0];
-};
-
-/* The argument to IP6T_SO_GET_ENTRIES. */
-struct ip6t_get_entries {
-	/* Which table: user fills this in. */
-	char name[XT_TABLE_MAXNAMELEN];
-
-	/* User fills this in: total entry size. */
-	unsigned int size;
-
-	/* The entries. */
-	struct ip6t_entry entrytable[0];
-};
-
-/* Helper functions */
-static __inline__ struct xt_entry_target *
-ip6t_get_target(struct ip6t_entry *e)
-{
-	return (void *)e + e->target_offset;
-}
-
-/*
- *	Main firewall chains definitions and global var's definitions.
- */
-
-#ifdef __KERNEL__
 
 #include <linux/init.h>
+#include <uapi/linux/netfilter_ipv6/ip6_tables.h>
+
 extern void ip6t_init(void) __init;
 
 extern void *ip6t_alloc_initial_table(const struct xt_table *);
@@ -327,5 +76,4 @@ compat_ip6t_get_target(struct compat_ip6t_entry *e)
 }
 
 #endif /* CONFIG_COMPAT */
-#endif /*__KERNEL__*/
 #endif /* _IP6_TABLES_H */
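Review bot: The byte-order comment left at the top of this kernel-side header (`flags are stored in host byte order`, `Port numbers are stored in HOST byte order`, the lines just above the `#ifndef _IP6_TABLES_H` guard) describes `struct ip6t_ip6` and the port-carrying match data, which this hunk removes from the kernel header and moves to the uapi copy. Unless the uapi file carries the same text (it is not in this chunk), the one statement a userspace rule builder needs now sits in a header it cannot include. If it was not duplicated, copy it to `include/uapi/linux/netfilter_ipv6/ip6_tables.h` and leave a one-line pointer here, `/* ABI structures and ioctl numbers: uapi/linux/netfilter_ipv6/ip6_tables.h */`.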

+ 0 - 7
include/linux/tc_act/Kbuild

@@ -1,7 +0,0 @@
-header-y += tc_gact.h
-header-y += tc_ipt.h
-header-y += tc_mirred.h
-header-y += tc_pedit.h
-header-y += tc_nat.h
-header-y += tc_skbedit.h
-header-y += tc_csum.h

+ 0 - 4
include/linux/tc_ematch/Kbuild

@@ -1,4 +0,0 @@
-header-y += tc_em_cmp.h
-header-y += tc_em_meta.h
-header-y += tc_em_nbyte.h
-header-y += tc_em_text.h

+ 2 - 0
include/uapi/linux/caif/Kbuild

@@ -1 +1,3 @@
 # UAPI Header export list
+header-y += caif_socket.h
+header-y += if_caif.h

+ 0 - 0
include/linux/caif/caif_socket.h → include/uapi/linux/caif/caif_socket.h


+ 0 - 0
include/linux/caif/if_caif.h → include/uapi/linux/caif/if_caif.h


+ 76 - 0
include/uapi/linux/netfilter/Kbuild

@@ -1,2 +1,78 @@
 # UAPI Header export list
 header-y += ipset/
+header-y += nf_conntrack_common.h
+header-y += nf_conntrack_ftp.h
+header-y += nf_conntrack_sctp.h
+header-y += nf_conntrack_tcp.h
+header-y += nf_conntrack_tuple_common.h
+header-y += nf_nat.h
+header-y += nfnetlink.h
+header-y += nfnetlink_acct.h
+header-y += nfnetlink_compat.h
+header-y += nfnetlink_conntrack.h
+header-y += nfnetlink_cthelper.h
+header-y += nfnetlink_cttimeout.h
+header-y += nfnetlink_log.h
+header-y += nfnetlink_queue.h
+header-y += x_tables.h
+header-y += xt_AUDIT.h
+header-y += xt_CHECKSUM.h
+header-y += xt_CLASSIFY.h
+header-y += xt_CONNMARK.h
+header-y += xt_CONNSECMARK.h
+header-y += xt_CT.h
+header-y += xt_DSCP.h
+header-y += xt_IDLETIMER.h
+header-y += xt_LED.h
+header-y += xt_LOG.h
+header-y += xt_MARK.h
+header-y += xt_NFLOG.h
+header-y += xt_NFQUEUE.h
+header-y += xt_RATEEST.h
+header-y += xt_SECMARK.h
+header-y += xt_TCPMSS.h
+header-y += xt_TCPOPTSTRIP.h
+header-y += xt_TEE.h
+header-y += xt_TPROXY.h
+header-y += xt_addrtype.h
+header-y += xt_cluster.h
+header-y += xt_comment.h
+header-y += xt_connbytes.h
+header-y += xt_connlimit.h
+header-y += xt_connmark.h
+header-y += xt_conntrack.h
+header-y += xt_cpu.h
+header-y += xt_dccp.h
+header-y += xt_devgroup.h
+header-y += xt_dscp.h
+header-y += xt_ecn.h
+header-y += xt_esp.h
+header-y += xt_hashlimit.h
+header-y += xt_helper.h
+header-y += xt_iprange.h
+header-y += xt_ipvs.h
+header-y += xt_length.h
+header-y += xt_limit.h
+header-y += xt_mac.h
+header-y += xt_mark.h
+header-y += xt_multiport.h
+header-y += xt_nfacct.h
+header-y += xt_osf.h
+header-y += xt_owner.h
+header-y += xt_physdev.h
+header-y += xt_pkttype.h
+header-y += xt_policy.h
+header-y += xt_quota.h
+header-y += xt_rateest.h
+header-y += xt_realm.h
+header-y += xt_recent.h
+header-y += xt_sctp.h
+header-y += xt_set.h
+header-y += xt_socket.h
+header-y += xt_state.h
+header-y += xt_statistic.h
+header-y += xt_string.h
+header-y += xt_tcpmss.h
+header-y += xt_tcpudp.h
+header-y += xt_time.h
+header-y += xt_u32.h

+ 4 - 0
include/uapi/linux/netfilter/ipset/Kbuild

@@ -1 +1,5 @@
 # UAPI Header export list
+header-y += ip_set.h
+header-y += ip_set_bitmap.h
+header-y += ip_set_hash.h
+header-y += ip_set_list.h

+ 231 - 0
include/uapi/linux/netfilter/ipset/ip_set.h

@@ -0,0 +1,231 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef _UAPI_IP_SET_H
+#define _UAPI_IP_SET_H
+
+
+#include <linux/types.h>
+
+/* The protocol version */
+#define IPSET_PROTOCOL		6
+
+/* The max length of strings including NUL: set and type identifiers */
+#define IPSET_MAXNAMELEN	32
+
+/* Message types and commands */
+enum ipset_cmd {
+	IPSET_CMD_NONE,
+	IPSET_CMD_PROTOCOL,	/* 1: Return protocol version */
+	IPSET_CMD_CREATE,	/* 2: Create a new (empty) set */
+	IPSET_CMD_DESTROY,	/* 3: Destroy a (empty) set */
+	IPSET_CMD_FLUSH,	/* 4: Remove all elements from a set */
+	IPSET_CMD_RENAME,	/* 5: Rename a set */
+	IPSET_CMD_SWAP,		/* 6: Swap two sets */
+	IPSET_CMD_LIST,		/* 7: List sets */
+	IPSET_CMD_SAVE,		/* 8: Save sets */
+	IPSET_CMD_ADD,		/* 9: Add an element to a set */
+	IPSET_CMD_DEL,		/* 10: Delete an element from a set */
+	IPSET_CMD_TEST,		/* 11: Test an element in a set */
+	IPSET_CMD_HEADER,	/* 12: Get set header data only */
+	IPSET_CMD_TYPE,		/* 13: Get set type */
+	IPSET_MSG_MAX,		/* Netlink message commands */
+
+	/* Commands in userspace: */
+	IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
+	IPSET_CMD_HELP,		/* 15: Get help */
+	IPSET_CMD_VERSION,	/* 16: Get program version */
+	IPSET_CMD_QUIT,		/* 17: Quit from interactive mode */
+
+	IPSET_CMD_MAX,
+
+	IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
+};
+
+/* Attributes at command level */
+enum {
+	IPSET_ATTR_UNSPEC,
+	IPSET_ATTR_PROTOCOL,	/* 1: Protocol version */
+	IPSET_ATTR_SETNAME,	/* 2: Name of the set */
+	IPSET_ATTR_TYPENAME,	/* 3: Typename */
+	IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
+	IPSET_ATTR_REVISION,	/* 4: Settype revision */
+	IPSET_ATTR_FAMILY,	/* 5: Settype family */
+	IPSET_ATTR_FLAGS,	/* 6: Flags at command level */
+	IPSET_ATTR_DATA,	/* 7: Nested attributes */
+	IPSET_ATTR_ADT,		/* 8: Multiple data containers */
+	IPSET_ATTR_LINENO,	/* 9: Restore lineno */
+	IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
+	IPSET_ATTR_REVISION_MIN	= IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
+	__IPSET_ATTR_CMD_MAX,
+};
+#define IPSET_ATTR_CMD_MAX	(__IPSET_ATTR_CMD_MAX - 1)
+
+/* CADT specific attributes */
+enum {
+	IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
+	IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
+	IPSET_ATTR_IP_TO,	/* 2 */
+	IPSET_ATTR_CIDR,	/* 3 */
+	IPSET_ATTR_PORT,	/* 4 */
+	IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
+	IPSET_ATTR_PORT_TO,	/* 5 */
+	IPSET_ATTR_TIMEOUT,	/* 6 */
+	IPSET_ATTR_PROTO,	/* 7 */
+	IPSET_ATTR_CADT_FLAGS,	/* 8 */
+	IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO,	/* 9 */
+	/* Reserve empty slots */
+	IPSET_ATTR_CADT_MAX = 16,
+	/* Create-only specific attributes */
+	IPSET_ATTR_GC,
+	IPSET_ATTR_HASHSIZE,
+	IPSET_ATTR_MAXELEM,
+	IPSET_ATTR_NETMASK,
+	IPSET_ATTR_PROBES,
+	IPSET_ATTR_RESIZE,
+	IPSET_ATTR_SIZE,
+	/* Kernel-only */
+	IPSET_ATTR_ELEMENTS,
+	IPSET_ATTR_REFERENCES,
+	IPSET_ATTR_MEMSIZE,
+
+	__IPSET_ATTR_CREATE_MAX,
+};
+#define IPSET_ATTR_CREATE_MAX	(__IPSET_ATTR_CREATE_MAX - 1)
+
+/* ADT specific attributes */
+enum {
+	IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
+	IPSET_ATTR_NAME,
+	IPSET_ATTR_NAMEREF,
+	IPSET_ATTR_IP2,
+	IPSET_ATTR_CIDR2,
+	IPSET_ATTR_IP2_TO,
+	IPSET_ATTR_IFACE,
+	__IPSET_ATTR_ADT_MAX,
+};
+#define IPSET_ATTR_ADT_MAX	(__IPSET_ATTR_ADT_MAX - 1)
+
+/* IP specific attributes */
+enum {
+	IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
+	IPSET_ATTR_IPADDR_IPV6,
+	__IPSET_ATTR_IPADDR_MAX,
+};
+#define IPSET_ATTR_IPADDR_MAX	(__IPSET_ATTR_IPADDR_MAX - 1)
+
+/* Error codes */
+enum ipset_errno {
+	IPSET_ERR_PRIVATE = 4096,
+	IPSET_ERR_PROTOCOL,
+	IPSET_ERR_FIND_TYPE,
+	IPSET_ERR_MAX_SETS,
+	IPSET_ERR_BUSY,
+	IPSET_ERR_EXIST_SETNAME2,
+	IPSET_ERR_TYPE_MISMATCH,
+	IPSET_ERR_EXIST,
+	IPSET_ERR_INVALID_CIDR,
+	IPSET_ERR_INVALID_NETMASK,
+	IPSET_ERR_INVALID_FAMILY,
+	IPSET_ERR_TIMEOUT,
+	IPSET_ERR_REFERENCED,
+	IPSET_ERR_IPADDR_IPV4,
+	IPSET_ERR_IPADDR_IPV6,
+
+	/* Type specific error codes */
+	IPSET_ERR_TYPE_SPECIFIC = 4352,
+};
+
+/* Flags at command level */
+enum ipset_cmd_flags {
+	IPSET_FLAG_BIT_EXIST	= 0,
+	IPSET_FLAG_EXIST	= (1 << IPSET_FLAG_BIT_EXIST),
+	IPSET_FLAG_BIT_LIST_SETNAME = 1,
+	IPSET_FLAG_LIST_SETNAME	= (1 << IPSET_FLAG_BIT_LIST_SETNAME),
+	IPSET_FLAG_BIT_LIST_HEADER = 2,
+	IPSET_FLAG_LIST_HEADER	= (1 << IPSET_FLAG_BIT_LIST_HEADER),
+	IPSET_FLAG_CMD_MAX = 15,	/* Lower half */
+};
+
+/* Flags at CADT attribute level */
+enum ipset_cadt_flags {
+	IPSET_FLAG_BIT_BEFORE	= 0,
+	IPSET_FLAG_BEFORE	= (1 << IPSET_FLAG_BIT_BEFORE),
+	IPSET_FLAG_BIT_PHYSDEV	= 1,
+	IPSET_FLAG_PHYSDEV	= (1 << IPSET_FLAG_BIT_PHYSDEV),
+	IPSET_FLAG_BIT_NOMATCH	= 2,
+	IPSET_FLAG_NOMATCH	= (1 << IPSET_FLAG_BIT_NOMATCH),
+	IPSET_FLAG_CADT_MAX	= 15,	/* Upper half */
+};
+
+/* Commands with settype-specific attributes */
+enum ipset_adt {
+	IPSET_ADD,
+	IPSET_DEL,
+	IPSET_TEST,
+	IPSET_ADT_MAX,
+	IPSET_CREATE = IPSET_ADT_MAX,
+	IPSET_CADT_MAX,
+};
+
+/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
+ * and IPSET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef __u16 ip_set_id_t;
+
+#define IPSET_INVALID_ID		65535
+
+enum ip_set_dim {
+	IPSET_DIM_ZERO = 0,
+	IPSET_DIM_ONE,
+	IPSET_DIM_TWO,
+	IPSET_DIM_THREE,
+	/* Max dimension in elements.
+	 * If changed, new revision of iptables match/target is required.
+	 */
+	IPSET_DIM_MAX = 6,
+	IPSET_BIT_RETURN_NOMATCH = 7,
+};
+
+/* Option flags for kernel operations */
+enum ip_set_kopt {
+	IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
+	IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
+	IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
+	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+	IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),
+};
+
+
+/* Interface to iptables/ip6tables */
+
+#define SO_IP_SET		83
+
+union ip_set_name_index {
+	char name[IPSET_MAXNAMELEN];
+	ip_set_id_t index;
+};
+
+#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
+struct ip_set_req_get_set {
+	unsigned int op;
+	unsigned int version;
+	union ip_set_name_index set;
+};
+
+#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
+/* Uses ip_set_req_get_set */
+
+#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
+struct ip_set_req_version {
+	unsigned int op;
+	unsigned int version;
+};
+
+#endif /* _UAPI_IP_SET_H */
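Review bot: `union ip_set_name_index` inside `struct ip_set_req_get_set` lets a getsockopt caller hand the kernel a full 32-byte `name` with no terminator, and the only statement about termination in this header is the `IPSET_MAXNAMELEN` comment (`strings including NUL`); nothing in the ABI enforces it. The kernel handler for `IP_SET_OP_GET_BYNAME` (in ip_set_core.c, not in this chunk) has to force `set.name[IPSET_MAXNAMELEN - 1] = '\0'` before any name comparison; worth confirming it does, and if so saying it next to the union: `/* Callers need not NUL-terminate name; the kernel terminates at IPSET_MAXNAMELEN - 1 */`. Separately, the comment on `ip_set_id_t` (`Tweak with ip_set_id_t and IPSET_INVALID_ID if you want to increase the max number of sets`) predates this header becoming uapi; since `union ip_set_name_index` embeds the type, changing it is now an ABI break, and the comment should say so rather than invite it.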

+ 13 - 0
include/uapi/linux/netfilter/ipset/ip_set_bitmap.h

@@ -0,0 +1,13 @@
+#ifndef _UAPI__IP_SET_BITMAP_H
+#define _UAPI__IP_SET_BITMAP_H
+
+/* Bitmap type specific error codes */
+enum {
+	/* The element is out of the range of the set */
+	IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
+	/* The range exceeds the size limit of the set type */
+	IPSET_ERR_BITMAP_RANGE_SIZE,
+};
+
+
+#endif /* _UAPI__IP_SET_BITMAP_H */
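Review bot: This new exported header is not self-contained: `IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC` uses an enumerator declared in `ip_set.h`, but nothing is included, so a userspace translation unit that includes only `linux/netfilter/ipset/ip_set_bitmap.h` fails to compile. It is listed for export in the ipset Kbuild in this same commit, so add `#include <linux/netfilter/ipset/ip_set.h>` right after the guard. The hash and list headers have the same dependency.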

+ 21 - 0
include/uapi/linux/netfilter/ipset/ip_set_hash.h

@@ -0,0 +1,21 @@
+#ifndef _UAPI__IP_SET_HASH_H
+#define _UAPI__IP_SET_HASH_H
+
+/* Hash type specific error codes */
+enum {
+	/* Hash is full */
+	IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC,
+	/* Null-valued element */
+	IPSET_ERR_HASH_ELEM,
+	/* Invalid protocol */
+	IPSET_ERR_INVALID_PROTO,
+	/* Protocol missing but must be specified */
+	IPSET_ERR_MISSING_PROTO,
+	/* Range not supported */
+	IPSET_ERR_HASH_RANGE_UNSUPPORTED,
+	/* Invalid range */
+	IPSET_ERR_HASH_RANGE,
+};
+
+
+#endif /* _UAPI__IP_SET_HASH_H */
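Review bot: `IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC` depends on `enum ipset_errno` from `ip_set.h`, yet this header includes nothing, so including it on its own from userspace does not compile. Since the Kbuild entry in this commit exports it as a standalone header, add `#include <linux/netfilter/ipset/ip_set.h>` after the include guard.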

+ 21 - 0
include/uapi/linux/netfilter/ipset/ip_set_list.h

@@ -0,0 +1,21 @@
+#ifndef _UAPI__IP_SET_LIST_H
+#define _UAPI__IP_SET_LIST_H
+
+/* List type specific error codes */
+enum {
+	/* Set name to be added/deleted/tested does not exist. */
+	IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC,
+	/* list:set type is not permitted to add */
+	IPSET_ERR_LOOP,
+	/* Missing reference set */
+	IPSET_ERR_BEFORE,
+	/* Reference set does not exist */
+	IPSET_ERR_NAMEREF,
+	/* Set is full */
+	IPSET_ERR_LIST_FULL,
+	/* Reference set is not added to the set */
+	IPSET_ERR_REF_EXIST,
+};
+
+
+#endif /* _UAPI__IP_SET_LIST_H */
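Review bot: Same self-containment gap as the other two ipset type headers: `IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC` references an enumerator from `ip_set.h` with no include, so a userspace file including only `ip_set_list.h` fails to compile. Add `#include <linux/netfilter/ipset/ip_set.h>` after the guard so the exported header stands alone.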

+ 117 - 0
include/uapi/linux/netfilter/nf_conntrack_common.h

@@ -0,0 +1,117 @@
+#ifndef _UAPI_NF_CONNTRACK_COMMON_H
+#define _UAPI_NF_CONNTRACK_COMMON_H
+/* Connection state tracking for netfilter.  This is separated from,
+   but required by, the NAT layer; it can also be used by an iptables
+   extension. */
+enum ip_conntrack_info {
+	/* Part of an established connection (either direction). */
+	IP_CT_ESTABLISHED,
+
+	/* Like NEW, but related to an existing connection, or ICMP error
+	   (in either direction). */
+	IP_CT_RELATED,
+
+	/* Started a new connection to track (only
+           IP_CT_DIR_ORIGINAL); may be a retransmission. */
+	IP_CT_NEW,
+
+	/* >= this indicates reply direction */
+	IP_CT_IS_REPLY,
+
+	IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
+	IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
+	IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,	
+	/* Number of distinct IP_CT types (no NEW in reply dirn). */
+	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+
+/* Bitset representing status of connection. */
+enum ip_conntrack_status {
+	/* It's an expected connection: bit 0 set.  This bit never changed */
+	IPS_EXPECTED_BIT = 0,
+	IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+
+	/* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
+	IPS_SEEN_REPLY_BIT = 1,
+	IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+
+	/* Conntrack should never be early-expired. */
+	IPS_ASSURED_BIT = 2,
+	IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+
+	/* Connection is confirmed: originating packet has left box */
+	IPS_CONFIRMED_BIT = 3,
+	IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+
+	/* Connection needs src nat in orig dir.  This bit never changed. */
+	IPS_SRC_NAT_BIT = 4,
+	IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+
+	/* Connection needs dst nat in orig dir.  This bit never changed. */
+	IPS_DST_NAT_BIT = 5,
+	IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+
+	/* Both together. */
+	IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+
+	/* Connection needs TCP sequence adjusted. */
+	IPS_SEQ_ADJUST_BIT = 6,
+	IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+
+	/* NAT initialization bits. */
+	IPS_SRC_NAT_DONE_BIT = 7,
+	IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+
+	IPS_DST_NAT_DONE_BIT = 8,
+	IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+
+	/* Both together */
+	IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+
+	/* Connection is dying (removed from lists), can not be unset. */
+	IPS_DYING_BIT = 9,
+	IPS_DYING = (1 << IPS_DYING_BIT),
+
+	/* Connection has fixed timeout. */
+	IPS_FIXED_TIMEOUT_BIT = 10,
+	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+
+	/* Conntrack is a template */
+	IPS_TEMPLATE_BIT = 11,
+	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
+
+	/* Conntrack is a fake untracked entry */
+	IPS_UNTRACKED_BIT = 12,
+	IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
+
+	/* Conntrack got a helper explicitly attached via CT target. */
+	IPS_HELPER_BIT = 13,
+	IPS_HELPER = (1 << IPS_HELPER_BIT),
+};
+
+/* Connection tracking event types */
+enum ip_conntrack_events {
+	IPCT_NEW,		/* new conntrack */
+	IPCT_RELATED,		/* related conntrack */
+	IPCT_DESTROY,		/* destroyed conntrack */
+	IPCT_REPLY,		/* connection has seen two-way traffic */
+	IPCT_ASSURED,		/* connection status has changed to assured */
+	IPCT_PROTOINFO,		/* protocol information has changed */
+	IPCT_HELPER,		/* new helper has been set */
+	IPCT_MARK,		/* new mark has been set */
+	IPCT_NATSEQADJ,		/* NAT is doing sequence adjustment */
+	IPCT_SECMARK,		/* new security mark has been set */
+};
+
+enum ip_conntrack_expect_events {
+	IPEXP_NEW,		/* new expectation */
+	IPEXP_DESTROY,		/* destroyed expectation */
+};
+
+/* expectation flags */
+#define NF_CT_EXPECT_PERMANENT		0x1
+#define NF_CT_EXPECT_INACTIVE		0x2
+#define NF_CT_EXPECT_USERSPACE		0x4
+
+
+#endif /* _UAPI_NF_CONNTRACK_COMMON_H */
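Review bot: `enum ip_conntrack_status` is now part of the exported ABI, but nothing in it tells a ctnetlink client which bits it may set and which are kernel-owned; the comments on `IPS_DYING` (`removed from lists`), `IPS_TEMPLATE`, `IPS_UNTRACKED` (`fake untracked entry`) and the `*_NAT_DONE` bits read as internal state, while `IPS_SEEN_REPLY`, `IPS_ASSURED` and the NAT bits are what userspace tools inspect. Whether the kernel rejects attempts to set the internal ones is not visible here; once confirmed against ctnetlink, a one-line marker per group such as `/* Kernel-internal state: not settable from userspace */` would make the contract explicit. Minor: `IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,` carries trailing whitespace.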

+ 18 - 0
include/uapi/linux/netfilter/nf_conntrack_ftp.h

@@ -0,0 +1,18 @@
+#ifndef _UAPI_NF_CONNTRACK_FTP_H
+#define _UAPI_NF_CONNTRACK_FTP_H
+/* FTP tracking. */
+
+/* This enum is exposed to userspace */
+enum nf_ct_ftp_type {
+	/* PORT command from client */
+	NF_CT_FTP_PORT,
+	/* PASV response from server */
+	NF_CT_FTP_PASV,
+	/* EPRT command from client */
+	NF_CT_FTP_EPRT,
+	/* EPSV response from server */
+	NF_CT_FTP_EPSV,
+};
+
+
+#endif /* _UAPI_NF_CONNTRACK_FTP_H */

+ 0 - 0
include/linux/netfilter/nf_conntrack_sctp.h → include/uapi/linux/netfilter/nf_conntrack_sctp.h


+ 51 - 0
include/uapi/linux/netfilter/nf_conntrack_tcp.h

@@ -0,0 +1,51 @@
+#ifndef _UAPI_NF_CONNTRACK_TCP_H
+#define _UAPI_NF_CONNTRACK_TCP_H
+/* TCP tracking. */
+
+#include <linux/types.h>
+
+/* This is exposed to userspace (ctnetlink) */
+enum tcp_conntrack {
+	TCP_CONNTRACK_NONE,
+	TCP_CONNTRACK_SYN_SENT,
+	TCP_CONNTRACK_SYN_RECV,
+	TCP_CONNTRACK_ESTABLISHED,
+	TCP_CONNTRACK_FIN_WAIT,
+	TCP_CONNTRACK_CLOSE_WAIT,
+	TCP_CONNTRACK_LAST_ACK,
+	TCP_CONNTRACK_TIME_WAIT,
+	TCP_CONNTRACK_CLOSE,
+	TCP_CONNTRACK_LISTEN,	/* obsolete */
+#define TCP_CONNTRACK_SYN_SENT2	TCP_CONNTRACK_LISTEN
+	TCP_CONNTRACK_MAX,
+	TCP_CONNTRACK_IGNORE,
+	TCP_CONNTRACK_RETRANS,
+	TCP_CONNTRACK_UNACK,
+	TCP_CONNTRACK_TIMEOUT_MAX
+};
+
+/* Window scaling is advertised by the sender */
+#define IP_CT_TCP_FLAG_WINDOW_SCALE		0x01
+
+/* SACK is permitted by the sender */
+#define IP_CT_TCP_FLAG_SACK_PERM		0x02
+
+/* This sender sent FIN first */
+#define IP_CT_TCP_FLAG_CLOSE_INIT		0x04
+
+/* Be liberal in window checking */
+#define IP_CT_TCP_FLAG_BE_LIBERAL		0x08
+
+/* Has unacknowledged data */
+#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED	0x10
+
+/* The field td_maxack has been set */
+#define IP_CT_TCP_FLAG_MAXACK_SET		0x20
+
+struct nf_ct_tcp_flags {
+	__u8 flags;
+	__u8 mask;
+};
+
+
+#endif /* _UAPI_NF_CONNTRACK_TCP_H */

+ 0 - 0
include/linux/netfilter/nf_conntrack_tuple_common.h → include/uapi/linux/netfilter/nf_conntrack_tuple_common.h


+ 0 - 0
include/linux/netfilter/nf_nat.h → include/uapi/linux/netfilter/nf_nat.h


+ 56 - 0
include/uapi/linux/netfilter/nfnetlink.h

@@ -0,0 +1,56 @@
+#ifndef _UAPI_NFNETLINK_H
+#define _UAPI_NFNETLINK_H
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink_compat.h>
+
+enum nfnetlink_groups {
+	NFNLGRP_NONE,
+#define NFNLGRP_NONE			NFNLGRP_NONE
+	NFNLGRP_CONNTRACK_NEW,
+#define NFNLGRP_CONNTRACK_NEW		NFNLGRP_CONNTRACK_NEW
+	NFNLGRP_CONNTRACK_UPDATE,
+#define NFNLGRP_CONNTRACK_UPDATE	NFNLGRP_CONNTRACK_UPDATE
+	NFNLGRP_CONNTRACK_DESTROY,
+#define NFNLGRP_CONNTRACK_DESTROY	NFNLGRP_CONNTRACK_DESTROY
+	NFNLGRP_CONNTRACK_EXP_NEW,
+#define	NFNLGRP_CONNTRACK_EXP_NEW	NFNLGRP_CONNTRACK_EXP_NEW
+	NFNLGRP_CONNTRACK_EXP_UPDATE,
+#define NFNLGRP_CONNTRACK_EXP_UPDATE	NFNLGRP_CONNTRACK_EXP_UPDATE
+	NFNLGRP_CONNTRACK_EXP_DESTROY,
+#define NFNLGRP_CONNTRACK_EXP_DESTROY	NFNLGRP_CONNTRACK_EXP_DESTROY
+	__NFNLGRP_MAX,
+};
+#define NFNLGRP_MAX	(__NFNLGRP_MAX - 1)
+
+/* General form of address family dependent message.
+ */
+struct nfgenmsg {
+	__u8  nfgen_family;		/* AF_xxx */
+	__u8  version;		/* nfnetlink version */
+	__be16    res_id;		/* resource id */
+};
+
+#define NFNETLINK_V0	0
+
+/* netfilter netlink message types are split in two pieces:
+ * 8 bit subsystem, 8bit operation.
+ */
+
+#define NFNL_SUBSYS_ID(x)	((x & 0xff00) >> 8)
+#define NFNL_MSG_TYPE(x)	(x & 0x00ff)
+
+/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
+ * won't work anymore */
+#define NFNL_SUBSYS_NONE 		0
+#define NFNL_SUBSYS_CTNETLINK		1
+#define NFNL_SUBSYS_CTNETLINK_EXP	2
+#define NFNL_SUBSYS_QUEUE		3
+#define NFNL_SUBSYS_ULOG		4
+#define NFNL_SUBSYS_OSF			5
+#define NFNL_SUBSYS_IPSET		6
+#define NFNL_SUBSYS_ACCT		7
+#define NFNL_SUBSYS_CTNETLINK_TIMEOUT	8
+#define NFNL_SUBSYS_CTHELPER		9
+#define NFNL_SUBSYS_COUNT		10
+
+#endif /* _UAPI_NFNETLINK_H */
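Review bot: `NFNL_SUBSYS_ID(x)` and `NFNL_MSG_TYPE(x)` expand their argument unparenthesised (`(x & 0xff00)`, `(x & 0x00ff)`), so an expression argument such as `NFNL_SUBSYS_ID(a | b)` becomes `(a | b & 0xff00)` and silently yields the wrong subsystem. Now that the macros are exported for userspace message dispatch, harden them: `#define NFNL_SUBSYS_ID(x) (((x) & 0xff00) >> 8)` and `#define NFNL_MSG_TYPE(x) ((x) & 0x00ff)`.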

+ 27 - 0
include/uapi/linux/netfilter/nfnetlink_acct.h

@@ -0,0 +1,27 @@
+#ifndef _UAPI_NFNL_ACCT_H_
+#define _UAPI_NFNL_ACCT_H_
+
+#ifndef NFACCT_NAME_MAX
+#define NFACCT_NAME_MAX		32
+#endif
+
+enum nfnl_acct_msg_types {
+	NFNL_MSG_ACCT_NEW,
+	NFNL_MSG_ACCT_GET,
+	NFNL_MSG_ACCT_GET_CTRZERO,
+	NFNL_MSG_ACCT_DEL,
+	NFNL_MSG_ACCT_MAX
+};
+
+enum nfnl_acct_type {
+	NFACCT_UNSPEC,
+	NFACCT_NAME,
+	NFACCT_PKTS,
+	NFACCT_BYTES,
+	NFACCT_USE,
+	__NFACCT_MAX
+};
+#define NFACCT_MAX (__NFACCT_MAX - 1)
+
+
+#endif /* _UAPI_NFNL_ACCT_H_ */
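Review bot: The `#ifndef NFACCT_NAME_MAX` guard around `#define NFACCT_NAME_MAX 32` lets any translation unit that includes this exported header redefine the length of an object name exchanged over netlink, so a userspace build that predefines a different value silently disagrees with the kernel about how long an `NFACCT_NAME` payload may be (assuming the kernel side sizes its copy with this constant, which is not visible here). An ABI constant should not be overridable; drop the guard and define it unconditionally, `#define NFACCT_NAME_MAX 32`. If the guard exists to dodge a clash with a userspace library's own definition, that library should take the value from this header instead.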

+ 0 - 0
include/linux/netfilter/nfnetlink_compat.h → include/uapi/linux/netfilter/nfnetlink_compat.h


+ 0 - 0
include/linux/netfilter/nfnetlink_conntrack.h → include/uapi/linux/netfilter/nfnetlink_conntrack.h


+ 0 - 0
include/linux/netfilter/nfnetlink_cthelper.h → include/uapi/linux/netfilter/nfnetlink_cthelper.h


+ 0 - 0
include/linux/netfilter/nfnetlink_cttimeout.h → include/uapi/linux/netfilter/nfnetlink_cttimeout.h


+ 0 - 0
include/linux/netfilter/nfnetlink_log.h → include/uapi/linux/netfilter/nfnetlink_log.h


+ 0 - 0
include/linux/netfilter/nfnetlink_queue.h → include/uapi/linux/netfilter/nfnetlink_queue.h


+ 187 - 0
include/uapi/linux/netfilter/x_tables.h

@@ -0,0 +1,187 @@
+#ifndef _UAPI_X_TABLES_H
+#define _UAPI_X_TABLES_H
+#include <linux/kernel.h>
+#include <linux/types.h>
+
+#define XT_FUNCTION_MAXNAMELEN 30
+#define XT_EXTENSION_MAXNAMELEN 29
+#define XT_TABLE_MAXNAMELEN 32
+
+struct xt_entry_match {
+	union {
+		struct {
+			__u16 match_size;
+
+			/* Used by userspace */
+			char name[XT_EXTENSION_MAXNAMELEN];
+			__u8 revision;
+		} user;
+		struct {
+			__u16 match_size;
+
+			/* Used inside the kernel */
+			struct xt_match *match;
+		} kernel;
+
+		/* Total length */
+		__u16 match_size;
+	} u;
+
+	unsigned char data[0];
+};
+
+struct xt_entry_target {
+	union {
+		struct {
+			__u16 target_size;
+
+			/* Used by userspace */
+			char name[XT_EXTENSION_MAXNAMELEN];
+			__u8 revision;
+		} user;
+		struct {
+			__u16 target_size;
+
+			/* Used inside the kernel */
+			struct xt_target *target;
+		} kernel;
+
+		/* Total length */
+		__u16 target_size;
+	} u;
+
+	unsigned char data[0];
+};
+
+#define XT_TARGET_INIT(__name, __size)					       \
+{									       \
+	.target.u.user = {						       \
+		.target_size	= XT_ALIGN(__size),			       \
+		.name		= __name,				       \
+	},								       \
+}
+
+struct xt_standard_target {
+	struct xt_entry_target target;
+	int verdict;
+};
+
+struct xt_error_target {
+	struct xt_entry_target target;
+	char errorname[XT_FUNCTION_MAXNAMELEN];
+};
+
+/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
+ * kernel supports, if >= revision. */
+struct xt_get_revision {
+	char name[XT_EXTENSION_MAXNAMELEN];
+	__u8 revision;
+};
+
+/* CONTINUE verdict for targets */
+#define XT_CONTINUE 0xFFFFFFFF
+
+/* For standard target */
+#define XT_RETURN (-NF_REPEAT - 1)
+
+/* this is a dummy structure to find out the alignment requirement for a struct
+ * containing all the fundamental data types that are used in ipt_entry,
+ * ip6t_entry and arpt_entry.  This sucks, and it is a hack.  It will be my
+ * personal pleasure to remove it -HW
+ */
+struct _xt_align {
+	__u8 u8;
+	__u16 u16;
+	__u32 u32;
+	__u64 u64;
+};
+
+#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
+
+/* Standard return verdict, or do jump. */
+#define XT_STANDARD_TARGET ""
+/* Error verdict. */
+#define XT_ERROR_TARGET "ERROR"
+
+#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
+#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
+
+struct xt_counters {
+	__u64 pcnt, bcnt;			/* Packet and byte counters */
+};
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+struct xt_counters_info {
+	/* Which table. */
+	char name[XT_TABLE_MAXNAMELEN];
+
+	unsigned int num_counters;
+
+	/* The counters (actually `number' of these). */
+	struct xt_counters counters[0];
+};
+
+#define XT_INV_PROTO		0x40	/* Invert the sense of PROTO. */
+
+#ifndef __KERNEL__
+/* fn returns 0 to continue iteration */
+#define XT_MATCH_ITERATE(type, e, fn, args...)			\
+({								\
+	unsigned int __i;					\
+	int __ret = 0;						\
+	struct xt_entry_match *__m;				\
+								\
+	for (__i = sizeof(type);				\
+	     __i < (e)->target_offset;				\
+	     __i += __m->u.match_size) {			\
+		__m = (void *)e + __i;				\
+								\
+		__ret = fn(__m , ## args);			\
+		if (__ret != 0)					\
+			break;					\
+	}							\
+	__ret;							\
+})
+
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
+({								\
+	unsigned int __i, __n;					\
+	int __ret = 0;						\
+	type *__entry;						\
+								\
+	for (__i = 0, __n = 0; __i < (size);			\
+	     __i += __entry->next_offset, __n++) { 		\
+		__entry = (void *)(entries) + __i;		\
+		if (__n < n)					\
+			continue;				\
+								\
+		__ret = fn(__entry , ## args);			\
+		if (__ret != 0)					\
+			break;					\
+	}							\
+	__ret;							\
+})
+
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
+	XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
+
+#endif /* !__KERNEL__ */
+
+/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
+#define xt_entry_foreach(pos, ehead, esize) \
+	for ((pos) = (typeof(pos))(ehead); \
+	     (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
+	     (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
+
+/* can only be xt_entry_match, so no use of typeof here */
+#define xt_ematch_foreach(pos, entry) \
+	for ((pos) = (struct xt_entry_match *)entry->elems; \
+	     (pos) < (struct xt_entry_match *)((char *)(entry) + \
+	             (entry)->target_offset); \
+	     (pos) = (struct xt_entry_match *)((char *)(pos) + \
+	             (pos)->u.match_size))
+
+
+#endif /* _UAPI_X_TABLES_H */
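Review bot: The userspace iteration macros XT_MATCH_ITERATE and XT_ENTRY_ITERATE_CONTINUE advance by `__m->u.match_size` and `__entry->next_offset` read straight from the table blob, so a zero length never advances the loop and a length larger than the bytes remaining is not caught by the `__i < (e)->target_offset` / `__i < (size)` test before the next header is read; the macros carry no comment stating that the caller must have validated these fields. Since the macros are part of the exported ABI and should not change shape, I would add above the `#ifndef __KERNEL__` block: `/* The iteration macros below trust u.match_size and next_offset as found in the table; callers must check that each is at least the size of its header struct and within the remaining length before iterating over data from an untrusted source. */`. Separately, `XT_RETURN` expands to `-NF_REPEAT - 1` while this header includes only linux/kernel.h and linux/types.h, so a translation unit including it alone cannot use XT_RETURN; adding `#include <linux/netfilter.h>` would make the header self-contained.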

+ 0 - 0
include/linux/netfilter/xt_AUDIT.h → include/uapi/linux/netfilter/xt_AUDIT.h


+ 0 - 0
include/linux/netfilter/xt_CHECKSUM.h → include/uapi/linux/netfilter/xt_CHECKSUM.h


+ 0 - 0
include/linux/netfilter/xt_CLASSIFY.h → include/uapi/linux/netfilter/xt_CLASSIFY.h


+ 0 - 0
include/linux/netfilter/xt_CONNMARK.h → include/uapi/linux/netfilter/xt_CONNMARK.h


+ 0 - 0
include/linux/netfilter/xt_CONNSECMARK.h → include/uapi/linux/netfilter/xt_CONNSECMARK.h


+ 0 - 0
include/linux/netfilter/xt_CT.h → include/uapi/linux/netfilter/xt_CT.h


+ 0 - 0
include/linux/netfilter/xt_DSCP.h → include/uapi/linux/netfilter/xt_DSCP.h


+ 0 - 0
include/linux/netfilter/xt_IDLETIMER.h → include/uapi/linux/netfilter/xt_IDLETIMER.h


+ 0 - 0
include/linux/netfilter/xt_LED.h → include/uapi/linux/netfilter/xt_LED.h


+ 0 - 0
include/linux/netfilter/xt_LOG.h → include/uapi/linux/netfilter/xt_LOG.h


+ 0 - 0
include/linux/netfilter/xt_MARK.h → include/uapi/linux/netfilter/xt_MARK.h


+ 0 - 0
include/linux/netfilter/xt_NFLOG.h → include/uapi/linux/netfilter/xt_NFLOG.h


+ 0 - 0
include/linux/netfilter/xt_NFQUEUE.h → include/uapi/linux/netfilter/xt_NFQUEUE.h


+ 0 - 0
include/linux/netfilter/xt_RATEEST.h → include/uapi/linux/netfilter/xt_RATEEST.h


+ 0 - 0
include/linux/netfilter/xt_SECMARK.h → include/uapi/linux/netfilter/xt_SECMARK.h


+ 0 - 0
include/linux/netfilter/xt_TCPMSS.h → include/uapi/linux/netfilter/xt_TCPMSS.h


+ 0 - 0
include/linux/netfilter/xt_TCPOPTSTRIP.h → include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h


+ 0 - 0
include/linux/netfilter/xt_TEE.h → include/uapi/linux/netfilter/xt_TEE.h


+ 0 - 0
include/linux/netfilter/xt_TPROXY.h → include/uapi/linux/netfilter/xt_TPROXY.h


+ 0 - 0
include/linux/netfilter/xt_addrtype.h → include/uapi/linux/netfilter/xt_addrtype.h


+ 0 - 0
include/linux/netfilter/xt_cluster.h → include/uapi/linux/netfilter/xt_cluster.h


+ 0 - 0
include/linux/netfilter/xt_comment.h → include/uapi/linux/netfilter/xt_comment.h


+ 0 - 0
include/linux/netfilter/xt_connbytes.h → include/uapi/linux/netfilter/xt_connbytes.h


+ 0 - 0
include/linux/netfilter/xt_connlimit.h → include/uapi/linux/netfilter/xt_connlimit.h


+ 0 - 0
include/linux/netfilter/xt_connmark.h → include/uapi/linux/netfilter/xt_connmark.h


+ 0 - 0
include/linux/netfilter/xt_conntrack.h → include/uapi/linux/netfilter/xt_conntrack.h


+ 0 - 0
include/linux/netfilter/xt_cpu.h → include/uapi/linux/netfilter/xt_cpu.h


+ 0 - 0
include/linux/netfilter/xt_dccp.h → include/uapi/linux/netfilter/xt_dccp.h


+ 0 - 0
include/linux/netfilter/xt_devgroup.h → include/uapi/linux/netfilter/xt_devgroup.h


+ 0 - 0
include/linux/netfilter/xt_dscp.h → include/uapi/linux/netfilter/xt_dscp.h


+ 0 - 0
include/linux/netfilter/xt_ecn.h → include/uapi/linux/netfilter/xt_ecn.h


+ 0 - 0
include/linux/netfilter/xt_esp.h → include/uapi/linux/netfilter/xt_esp.h


+ 73 - 0
include/uapi/linux/netfilter/xt_hashlimit.h

@@ -0,0 +1,73 @@
+#ifndef _UAPI_XT_HASHLIMIT_H
+#define _UAPI_XT_HASHLIMIT_H
+
+#include <linux/types.h>
+
+/* timings are in milliseconds. */
+#define XT_HASHLIMIT_SCALE 10000
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+ * seconds, or one packet every 59 hours.
+ */
+
+/* packet length accounting is done in 16-byte steps */
+#define XT_HASHLIMIT_BYTE_SHIFT 4
+
+/* details of this structure hidden by the implementation */
+struct xt_hashlimit_htable;
+
+enum {
+	XT_HASHLIMIT_HASH_DIP = 1 << 0,
+	XT_HASHLIMIT_HASH_DPT = 1 << 1,
+	XT_HASHLIMIT_HASH_SIP = 1 << 2,
+	XT_HASHLIMIT_HASH_SPT = 1 << 3,
+	XT_HASHLIMIT_INVERT   = 1 << 4,
+	XT_HASHLIMIT_BYTES    = 1 << 5,
+};
+
+struct hashlimit_cfg {
+	__u32 mode;	  /* bitmask of XT_HASHLIMIT_HASH_* */
+	__u32 avg;    /* Average secs between packets * scale */
+	__u32 burst;  /* Period multiplier for upper limit. */
+
+	/* user specified */
+	__u32 size;		/* how many buckets */
+	__u32 max;		/* max number of entries */
+	__u32 gc_interval;	/* gc interval */
+	__u32 expire;	/* when do entries expire? */
+};
+
+struct xt_hashlimit_info {
+	char name [IFNAMSIZ];		/* name */
+	struct hashlimit_cfg cfg;
+
+	/* Used internally by the kernel */
+	struct xt_hashlimit_htable *hinfo;
+	union {
+		void *ptr;
+		struct xt_hashlimit_info *master;
+	} u;
+};
+
+struct hashlimit_cfg1 {
+	__u32 mode;	  /* bitmask of XT_HASHLIMIT_HASH_* */
+	__u32 avg;    /* Average secs between packets * scale */
+	__u32 burst;  /* Period multiplier for upper limit. */
+
+	/* user specified */
+	__u32 size;		/* how many buckets */
+	__u32 max;		/* max number of entries */
+	__u32 gc_interval;	/* gc interval */
+	__u32 expire;	/* when do entries expire? */
+
+	__u8 srcmask, dstmask;
+};
+
+struct xt_hashlimit_mtinfo1 {
+	char name[IFNAMSIZ];
+	struct hashlimit_cfg1 cfg;
+
+	/* Used internally by the kernel */
+	struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
+};
+
+#endif /* _UAPI_XT_HASHLIMIT_H */
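Review bot: The comment `/* timings are in milliseconds. */` sits directly above XT_HASHLIMIT_SCALE, whose own comment describes a 1/10,000 second period and whose `avg` field is documented as seconds multiplied by the scale, so a reader cannot tell which quantities are in milliseconds. If it refers to `gc_interval` and `expire`, as their placement under 'user specified' suggests, I would move it onto those fields, e.g. `__u32 gc_interval;	/* gc interval, in milliseconds */` and `__u32 expire;	/* entry lifetime, in milliseconds */`, and let the scale comment stand on its own. This header also uses IFNAMSIZ in `struct xt_hashlimit_info` and `struct xt_hashlimit_mtinfo1` while including only linux/types.h; `#include <linux/if.h>` would make it self-contained, and the same applies to xt_physdev.h later in this commit.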

+ 0 - 0
include/linux/netfilter/xt_helper.h → include/uapi/linux/netfilter/xt_helper.h


+ 0 - 0
include/linux/netfilter/xt_iprange.h → include/uapi/linux/netfilter/xt_iprange.h


+ 0 - 0
include/linux/netfilter/xt_ipvs.h → include/uapi/linux/netfilter/xt_ipvs.h


+ 0 - 0
include/linux/netfilter/xt_length.h → include/uapi/linux/netfilter/xt_length.h


+ 0 - 0
include/linux/netfilter/xt_limit.h → include/uapi/linux/netfilter/xt_limit.h


+ 0 - 0
include/linux/netfilter/xt_mac.h → include/uapi/linux/netfilter/xt_mac.h


+ 0 - 0
include/linux/netfilter/xt_mark.h → include/uapi/linux/netfilter/xt_mark.h


+ 0 - 0
include/linux/netfilter/xt_multiport.h → include/uapi/linux/netfilter/xt_multiport.h


+ 0 - 0
include/linux/netfilter/xt_nfacct.h → include/uapi/linux/netfilter/xt_nfacct.h


+ 0 - 0
include/linux/netfilter/xt_osf.h → include/uapi/linux/netfilter/xt_osf.h


+ 0 - 0
include/linux/netfilter/xt_owner.h → include/uapi/linux/netfilter/xt_owner.h


+ 23 - 0
include/uapi/linux/netfilter/xt_physdev.h

@@ -0,0 +1,23 @@
+#ifndef _UAPI_XT_PHYSDEV_H
+#define _UAPI_XT_PHYSDEV_H
+
+#include <linux/types.h>
+
+
+#define XT_PHYSDEV_OP_IN		0x01
+#define XT_PHYSDEV_OP_OUT		0x02
+#define XT_PHYSDEV_OP_BRIDGED		0x04
+#define XT_PHYSDEV_OP_ISIN		0x08
+#define XT_PHYSDEV_OP_ISOUT		0x10
+#define XT_PHYSDEV_OP_MASK		(0x20 - 1)
+
+struct xt_physdev_info {
+	char physindev[IFNAMSIZ];
+	char in_mask[IFNAMSIZ];
+	char physoutdev[IFNAMSIZ];
+	char out_mask[IFNAMSIZ];
+	__u8 invert;
+	__u8 bitmask;
+};
+
+#endif /* _UAPI_XT_PHYSDEV_H */
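Review bot: The fields of `struct xt_physdev_info` are undocumented; `invert` and `bitmask` appear to hold XT_PHYSDEV_OP_* bits (XT_PHYSDEV_OP_MASK covers exactly the five flags defined above), and `in_mask`/`out_mask` pair with `physindev`/`physoutdev`, but nothing in the header says so. I would annotate them as `__u8 invert;	/* XT_PHYSDEV_OP_* bits whose match sense is inverted — confirm against the match code */` and `__u8 bitmask;	/* XT_PHYSDEV_OP_* bits that are active */`, and add a one-line comment on `in_mask`/`out_mask` saying each is interpreted together with the corresponding device name field.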

+ 0 - 0
include/linux/netfilter/xt_pkttype.h → include/uapi/linux/netfilter/xt_pkttype.h


+ 0 - 0
include/linux/netfilter/xt_policy.h → include/uapi/linux/netfilter/xt_policy.h


+ 0 - 0
include/linux/netfilter/xt_quota.h → include/uapi/linux/netfilter/xt_quota.h


+ 0 - 0
include/linux/netfilter/xt_rateest.h → include/uapi/linux/netfilter/xt_rateest.h


+ 0 - 0
include/linux/netfilter/xt_realm.h → include/uapi/linux/netfilter/xt_realm.h

