From f1ddcaf3393b7a3871809b97fae90fac841a1f39 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Sat, 27 Jan 2007 10:05:15 +1100 Subject: [CRYPTO] api: Remove deprecated interface This patch removes the old cipher interface and related code. Signed-off-by: Herbert Xu --- include/linux/crypto.h | 127 ------------------------------------------------- 1 file changed, 127 deletions(-) (limited to 'include/linux') diff --git a/include/linux/crypto.h b/include/linux/crypto.h index 4aa9046..95936a5 100644 --- a/include/linux/crypto.h +++ b/include/linux/crypto.h @@ -51,15 +51,9 @@ /* * Transform masks and values (for crt_flags). */ -#define CRYPTO_TFM_MODE_MASK 0x000000ff #define CRYPTO_TFM_REQ_MASK 0x000fff00 #define CRYPTO_TFM_RES_MASK 0xfff00000 -#define CRYPTO_TFM_MODE_ECB 0x00000001 -#define CRYPTO_TFM_MODE_CBC 0x00000002 -#define CRYPTO_TFM_MODE_CFB 0x00000004 -#define CRYPTO_TFM_MODE_CTR 0x00000008 - #define CRYPTO_TFM_REQ_WEAK_KEY 0x00000100 #define CRYPTO_TFM_REQ_MAY_SLEEP 0x00000200 #define CRYPTO_TFM_RES_WEAK_KEY 0x00100000 @@ -71,12 +65,8 @@ /* * Miscellaneous stuff. */ -#define CRYPTO_UNSPEC 0 #define CRYPTO_MAX_ALG_NAME 64 -#define CRYPTO_DIR_ENCRYPT 1 -#define CRYPTO_DIR_DECRYPT 0 - /* * The macro CRYPTO_MINALIGN_ATTR (along with the void * type in the actual * declaration) is used to ensure that the crypto_tfm context structure is @@ -148,19 +138,6 @@ struct cipher_alg { unsigned int keylen); void (*cia_encrypt)(struct crypto_tfm *tfm, u8 *dst, const u8 *src); void (*cia_decrypt)(struct crypto_tfm *tfm, u8 *dst, const u8 *src); - - unsigned int (*cia_encrypt_ecb)(const struct cipher_desc *desc, - u8 *dst, const u8 *src, - unsigned int nbytes) __deprecated; - unsigned int (*cia_decrypt_ecb)(const struct cipher_desc *desc, - u8 *dst, const u8 *src, - unsigned int nbytes) __deprecated; - unsigned int (*cia_encrypt_cbc)(const struct cipher_desc *desc, - u8 *dst, const u8 *src, - unsigned int nbytes) __deprecated; - unsigned int (*cia_decrypt_cbc)(const struct cipher_desc *desc, - u8 *dst, const u8 *src, - unsigned int nbytes) __deprecated; }; struct digest_alg { @@ -243,11 +220,6 @@ int crypto_unregister_alg(struct crypto_alg *alg); #ifdef CONFIG_CRYPTO int crypto_has_alg(const char *name, u32 type, u32 mask); #else -static inline int crypto_alg_available(const char *name, u32 flags) -{ - return 0; -} - static inline int crypto_has_alg(const char *name, u32 type, u32 mask) { return 0; @@ -395,40 +367,11 @@ static inline u32 crypto_tfm_alg_type(struct crypto_tfm *tfm) return tfm->__crt_alg->cra_flags & CRYPTO_ALG_TYPE_MASK; } -static unsigned int crypto_tfm_alg_min_keysize(struct crypto_tfm *tfm) - __deprecated; -static inline unsigned int crypto_tfm_alg_min_keysize(struct crypto_tfm *tfm) -{ - BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER); - return tfm->__crt_alg->cra_cipher.cia_min_keysize; -} - -static unsigned int crypto_tfm_alg_max_keysize(struct crypto_tfm *tfm) - __deprecated; -static inline unsigned int crypto_tfm_alg_max_keysize(struct crypto_tfm *tfm) -{ - BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER); - return tfm->__crt_alg->cra_cipher.cia_max_keysize; -} - -static unsigned int crypto_tfm_alg_ivsize(struct crypto_tfm *tfm) __deprecated; -static inline unsigned int crypto_tfm_alg_ivsize(struct crypto_tfm *tfm) -{ - BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER); - return tfm->crt_cipher.cit_ivsize; -} - static inline unsigned int crypto_tfm_alg_blocksize(struct crypto_tfm *tfm) { return tfm->__crt_alg->cra_blocksize; } -static inline unsigned int crypto_tfm_alg_digestsize(struct crypto_tfm *tfm) -{ - BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_DIGEST); - return tfm->__crt_alg->cra_digest.dia_digestsize; -} - static inline unsigned int crypto_tfm_alg_alignmask(struct crypto_tfm *tfm) { return tfm->__crt_alg->cra_alignmask; @@ -809,76 +752,6 @@ static inline int crypto_hash_setkey(struct crypto_hash *hash, return crypto_hash_crt(hash)->setkey(hash, key, keylen); } -static int crypto_cipher_encrypt(struct crypto_tfm *tfm, - struct scatterlist *dst, - struct scatterlist *src, - unsigned int nbytes) __deprecated; -static inline int crypto_cipher_encrypt(struct crypto_tfm *tfm, - struct scatterlist *dst, - struct scatterlist *src, - unsigned int nbytes) -{ - BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER); - return tfm->crt_cipher.cit_encrypt(tfm, dst, src, nbytes); -} - -static int crypto_cipher_encrypt_iv(struct crypto_tfm *tfm, - struct scatterlist *dst, - struct scatterlist *src, - unsigned int nbytes, u8 *iv) __deprecated; -static inline int crypto_cipher_encrypt_iv(struct crypto_tfm *tfm, - struct scatterlist *dst, - struct scatterlist *src, - unsigned int nbytes, u8 *iv) -{ - BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER); - return tfm->crt_cipher.cit_encrypt_iv(tfm, dst, src, nbytes, iv); -} - -static int crypto_cipher_decrypt(struct crypto_tfm *tfm, - struct scatterlist *dst, - struct scatterlist *src, - unsigned int nbytes) __deprecated; -static inline int crypto_cipher_decrypt(struct crypto_tfm *tfm, - struct scatterlist *dst, - struct scatterlist *src, - unsigned int nbytes) -{ - BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER); - return tfm->crt_cipher.cit_decrypt(tfm, dst, src, nbytes); -} - -static int crypto_cipher_decrypt_iv(struct crypto_tfm *tfm, - struct scatterlist *dst, - struct scatterlist *src, - unsigned int nbytes, u8 *iv) __deprecated; -static inline int crypto_cipher_decrypt_iv(struct crypto_tfm *tfm, - struct scatterlist *dst, - struct scatterlist *src, - unsigned int nbytes, u8 *iv) -{ - BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER); - return tfm->crt_cipher.cit_decrypt_iv(tfm, dst, src, nbytes, iv); -} - -static void crypto_cipher_set_iv(struct crypto_tfm *tfm, - const u8 *src, unsigned int len) __deprecated; -static inline void crypto_cipher_set_iv(struct crypto_tfm *tfm, - const u8 *src, unsigned int len) -{ - BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER); - memcpy(tfm->crt_cipher.cit_iv, src, len); -} - -static void crypto_cipher_get_iv(struct crypto_tfm *tfm, - u8 *dst, unsigned int len) __deprecated; -static inline void crypto_cipher_get_iv(struct crypto_tfm *tfm, - u8 *dst, unsigned int len) -{ - BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER); - memcpy(dst, tfm->crt_cipher.cit_iv, len); -} - static inline struct crypto_comp *__crypto_comp_cast(struct crypto_tfm *tfm) { return (struct crypto_comp *)tfm; -- cgit v1.1 From 78a1fe4f242cbe6b4578e072b75e171b92745afa Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Sun, 24 Dec 2006 10:02:00 +1100 Subject: [CRYPTO] api: Use structs for cipher/compression Now that all cipher/compression users have switched over to the new allocation scheme, we can get rid of the compatility defines and use proper structs for them. Signed-off-by: Herbert Xu --- include/linux/crypto.h | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) (limited to 'include/linux') diff --git a/include/linux/crypto.h b/include/linux/crypto.h index 95936a5..779aa78 100644 --- a/include/linux/crypto.h +++ b/include/linux/crypto.h @@ -311,13 +311,18 @@ struct crypto_tfm { void *__crt_ctx[] CRYPTO_MINALIGN_ATTR; }; -#define crypto_cipher crypto_tfm -#define crypto_comp crypto_tfm - struct crypto_blkcipher { struct crypto_tfm base; }; +struct crypto_cipher { + struct crypto_tfm base; +}; + +struct crypto_comp { + struct crypto_tfm base; +}; + struct crypto_hash { struct crypto_tfm base; }; @@ -576,7 +581,7 @@ static inline struct crypto_cipher *crypto_alloc_cipher(const char *alg_name, static inline struct crypto_tfm *crypto_cipher_tfm(struct crypto_cipher *tfm) { - return tfm; + return &tfm->base; } static inline void crypto_free_cipher(struct crypto_cipher *tfm) @@ -776,7 +781,7 @@ static inline struct crypto_comp *crypto_alloc_comp(const char *alg_name, static inline struct crypto_tfm *crypto_comp_tfm(struct crypto_comp *tfm) { - return tfm; + return &tfm->base; } static inline void crypto_free_comp(struct crypto_comp *tfm) @@ -807,14 +812,16 @@ static inline int crypto_comp_compress(struct crypto_comp *tfm, const u8 *src, unsigned int slen, u8 *dst, unsigned int *dlen) { - return crypto_comp_crt(tfm)->cot_compress(tfm, src, slen, dst, dlen); + return crypto_comp_crt(tfm)->cot_compress(crypto_comp_tfm(tfm), + src, slen, dst, dlen); } static inline int crypto_comp_decompress(struct crypto_comp *tfm, const u8 *src, unsigned int slen, u8 *dst, unsigned int *dlen) { - return crypto_comp_crt(tfm)->cot_decompress(tfm, src, slen, dst, dlen); + return crypto_comp_crt(tfm)->cot_decompress(crypto_comp_tfm(tfm), + src, slen, dst, dlen); } #endif /* _LINUX_CRYPTO_H */ -- cgit v1.1 From 390fbd1bfaa7b561af8e4f385067c55bdf4100ba Mon Sep 17 00:00:00 2001 From: Noriaki TAKAMIYA Date: Sun, 22 Oct 2006 15:02:48 +1000 Subject: [IPSEC]: added the definition of Camellia cipher This patch adds the definitions used by pfkeyv2 interface for Camellia cipher algorithm. Signed-off-by: Noriaki TAKAMIYA Signed-off-by: Herbert Xu --- include/linux/pfkeyv2.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/linux') diff --git a/include/linux/pfkeyv2.h b/include/linux/pfkeyv2.h index 265bafa..52ed4a5 100644 --- a/include/linux/pfkeyv2.h +++ b/include/linux/pfkeyv2.h @@ -297,6 +297,7 @@ struct sadb_x_sec_ctx { #define SADB_X_EALG_BLOWFISHCBC 7 #define SADB_EALG_NULL 11 #define SADB_X_EALG_AESCBC 12 +#define SADB_X_EALG_CAMELLIACBC 22 #define SADB_EALG_MAX 253 /* last EALG */ /* private allocations should use 249-255 (RFC2407) */ #define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */ -- cgit v1.1 From 8dc4194474159660d7f37c495e3fc3f10d0db8cc Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Sun, 4 Feb 2007 23:31:32 -0800 Subject: [PACKET]: Add optional checksum computation for recvmsg This patch is needed to make ISC's DHCP server (and probably other DHCP servers/clients using AF_PACKET) to be able to serve another client on the same Xen host. The problem is that packets between different domains on the same Xen host only have partial checksums. Unfortunately this piece of information is not passed along in AF_PACKET unless you're using the mmap interface. Since dhcpd doesn't support packet-mmap, UDP packets from the same host come out with apparently bogus checksums. This patch adds a mechanism for AF_PACKET recvmsg(2) to return the status along with the packet. It does so by adding a new cmsg that contains this information along with some other relevant data such as the original packet length. I didn't include the time stamp information since there is already a cmsg for that. This patch also changes the mmap code to set the CSUMNOTREADY flag on all packets instead of just outoing packets on cooked sockets. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- include/linux/if_packet.h | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'include/linux') diff --git a/include/linux/if_packet.h b/include/linux/if_packet.h index 99393ef..f3de05c 100644 --- a/include/linux/if_packet.h +++ b/include/linux/if_packet.h @@ -41,6 +41,7 @@ struct sockaddr_ll #define PACKET_RX_RING 5 #define PACKET_STATISTICS 6 #define PACKET_COPY_THRESH 7 +#define PACKET_AUXDATA 8 struct tpacket_stats { @@ -48,6 +49,15 @@ struct tpacket_stats unsigned int tp_drops; }; +struct tpacket_auxdata +{ + __u32 tp_status; + __u32 tp_len; + __u32 tp_snaplen; + __u16 tp_mac; + __u16 tp_net; +}; + struct tpacket_hdr { unsigned long tp_status; -- cgit v1.1 From 6f74651ae626ec672028587bc700538076dfbefb Mon Sep 17 00:00:00 2001 From: Baruch Even Date: Sun, 4 Feb 2007 23:36:42 -0800 Subject: [TCP]: Seperate DSACK from SACK fast path Move DSACK code outside the SACK fast-path checking code. If the DSACK determined that the information was too old we stayed with a partial cache copied. Most likely this matters very little since the next packet will not be DSACK and we will find it in the cache. but it's still not good form and there is little reason to couple the two checks. Since the SACK receive cache doesn't need the data to be in host order we also remove the ntohl in the checking loop. Signed-off-by: Baruch Even Signed-off-by: David S. Miller --- include/linux/tcp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/linux') diff --git a/include/linux/tcp.h b/include/linux/tcp.h index 3cc70d1..29d3089 100644 --- a/include/linux/tcp.h +++ b/include/linux/tcp.h @@ -316,7 +316,7 @@ struct tcp_sock { struct tcp_sack_block duplicate_sack[1]; /* D-SACK block */ struct tcp_sack_block selective_acks[4]; /* The SACKS themselves*/ - struct tcp_sack_block recv_sack_cache[4]; + struct tcp_sack_block_wire recv_sack_cache[4]; /* from STCP, retrans queue hinting */ struct sk_buff* lost_skb_hint; -- cgit v1.1 From 97353cb4c05c2edf260e9d1b19a29d3cc0060a09 Mon Sep 17 00:00:00 2001 From: Adrian Bunk Date: Mon, 5 Feb 2007 18:07:27 -0800 Subject: [NET] net/wanrouter/wanmain.c: cleanups This patch contains the following cleanups: - make the following needlessly global functions static: - lock_adapter_irq() - unlock_adapter_irq() - #if 0 the following unused global functions: - wanrouter_encapsulate() - wanrouter_type_trans() Signed-off-by: Adrian Bunk Signed-off-by: Andrew Morton Signed-off-by: David S. Miller --- include/linux/wanrouter.h | 8 -------- 1 file changed, 8 deletions(-) (limited to 'include/linux') diff --git a/include/linux/wanrouter.h b/include/linux/wanrouter.h index 2cd0501..3add874 100644 --- a/include/linux/wanrouter.h +++ b/include/linux/wanrouter.h @@ -516,9 +516,6 @@ struct wan_device { /* Public functions available for device drivers */ extern int register_wan_device(struct wan_device *wandev); extern int unregister_wan_device(char *name); -__be16 wanrouter_type_trans(struct sk_buff *skb, struct net_device *dev); -int wanrouter_encapsulate(struct sk_buff *skb, struct net_device *dev, - unsigned short type); /* Proc interface functions. These must not be called by the drivers! */ extern int wanrouter_proc_init(void); @@ -527,11 +524,6 @@ extern int wanrouter_proc_add(struct wan_device *wandev); extern int wanrouter_proc_delete(struct wan_device *wandev); extern int wanrouter_ioctl( struct inode *inode, struct file *file, unsigned int cmd, unsigned long arg); -extern void lock_adapter_irq(spinlock_t *lock, unsigned long *smp_flags); -extern void unlock_adapter_irq(spinlock_t *lock, unsigned long *smp_flags); - - - /* Public Data */ /* list of registered devices */ extern struct wan_device *wanrouter_router_devlist; -- cgit v1.1 From 22f8cde5bc336fd19603bb8c4572b33d14f14f87 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 7 Feb 2007 00:09:58 -0800 Subject: [NET]: unregister_netdevice as void There was no real useful information from the unregister_netdevice() return code, the only error occurred in a situation that was a driver bug. So change it to a void function. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller --- include/linux/netdevice.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/linux') diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 2e37f50..1a52854 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -589,7 +589,7 @@ extern int dev_open(struct net_device *dev); extern int dev_close(struct net_device *dev); extern int dev_queue_xmit(struct sk_buff *skb); extern int register_netdevice(struct net_device *dev); -extern int unregister_netdevice(struct net_device *dev); +extern void unregister_netdevice(struct net_device *dev); extern void free_netdev(struct net_device *dev); extern void synchronize_net(void); extern int register_netdevice_notifier(struct notifier_block *nb); -- cgit v1.1 From 6fecd1985116fb08bdee3b9db6719e159fe5e43d Mon Sep 17 00:00:00 2001 From: Michal Schmidt Date: Wed, 7 Feb 2007 15:05:12 -0800 Subject: [NETFILTER]: Add SANE connection tracking helper This is nf_conntrack_sane, a netfilter connection tracking helper module for the SANE protocol used by the 'saned' daemon to make scanners available via network. The SANE protocol uses separate control & data connections, similar to passive FTP. The helper module is needed to recognize the data connection as RELATED to the control one. Signed-off-by: Michal Schmidt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/nf_conntrack_sane.h | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 include/linux/netfilter/nf_conntrack_sane.h (limited to 'include/linux') diff --git a/include/linux/netfilter/nf_conntrack_sane.h b/include/linux/netfilter/nf_conntrack_sane.h new file mode 100644 index 0000000..4767d6e --- /dev/null +++ b/include/linux/netfilter/nf_conntrack_sane.h @@ -0,0 +1,21 @@ +#ifndef _NF_CONNTRACK_SANE_H +#define _NF_CONNTRACK_SANE_H +/* SANE tracking. */ + +#ifdef __KERNEL__ + +#define SANE_PORT 6566 + +enum sane_state { + SANE_STATE_NORMAL, + SANE_STATE_START_REQUESTED, +}; + +/* This structure exists only once per master */ +struct nf_ct_sane_master { + enum sane_state state; +}; + +#endif /* __KERNEL__ */ + +#endif /* _NF_CONNTRACK_SANE_H */ -- cgit v1.1 From a09113c2c8ec59a5cc228efa5869aade2b8f13f7 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Wed, 7 Feb 2007 15:05:33 -0800 Subject: [NETFILTER]: tcp conntrack: do liberal tracking for picked up connections Do liberal tracking (only RSTs need to be in-window) for connections picked up without seeing a SYN to deal with window scaling. Also change logging of invalid packets not to log packets accepted by liberal tracking to avoid spamming the logs. Based on suggestion from James Ralston Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/nf_conntrack_tcp.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'include/linux') diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h index 2f4e98b..007af4c 100644 --- a/include/linux/netfilter/nf_conntrack_tcp.h +++ b/include/linux/netfilter/nf_conntrack_tcp.h @@ -27,6 +27,9 @@ enum tcp_conntrack { /* This sender sent FIN first */ #define IP_CT_TCP_FLAG_CLOSE_INIT 0x04 +/* Be liberal in window checking */ +#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08 + #ifdef __KERNEL__ struct ip_ct_tcp_state { @@ -34,7 +37,6 @@ struct ip_ct_tcp_state { u_int32_t td_maxend; /* max of ack + max(win, 1) */ u_int32_t td_maxwin; /* max(win) */ u_int8_t td_scale; /* window scale factor */ - u_int8_t loose; /* used when connection picked up from the middle */ u_int8_t flags; /* per direction options */ }; -- cgit v1.1 From cdd289a2f833b93e65b9a09a02c37f47a58140a8 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Wed, 7 Feb 2007 15:09:46 -0800 Subject: [NETFILTER]: add IPv6-capable TCPMSS target Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/Kbuild | 1 + include/linux/netfilter/xt_TCPMSS.h | 10 ++++++++++ include/linux/netfilter_ipv4/ipt_TCPMSS.h | 7 +++---- 3 files changed, 14 insertions(+), 4 deletions(-) create mode 100644 include/linux/netfilter/xt_TCPMSS.h (limited to 'include/linux') diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild index 6328175..43397a4 100644 --- a/include/linux/netfilter/Kbuild +++ b/include/linux/netfilter/Kbuild @@ -33,6 +33,7 @@ header-y += xt_tcpmss.h header-y += xt_tcpudp.h header-y += xt_SECMARK.h header-y += xt_CONNSECMARK.h +header-y += xt_TCPMSS.h unifdef-y += nf_conntrack_common.h unifdef-y += nf_conntrack_ftp.h diff --git a/include/linux/netfilter/xt_TCPMSS.h b/include/linux/netfilter/xt_TCPMSS.h new file mode 100644 index 0000000..53a292c --- /dev/null +++ b/include/linux/netfilter/xt_TCPMSS.h @@ -0,0 +1,10 @@ +#ifndef _XT_TCPMSS_H +#define _XT_TCPMSS_H + +struct xt_tcpmss_info { + u_int16_t mss; +}; + +#define XT_TCPMSS_CLAMP_PMTU 0xffff + +#endif /* _XT_TCPMSS_H */ diff --git a/include/linux/netfilter_ipv4/ipt_TCPMSS.h b/include/linux/netfilter_ipv4/ipt_TCPMSS.h index aadb395..7a850f9 100644 --- a/include/linux/netfilter_ipv4/ipt_TCPMSS.h +++ b/include/linux/netfilter_ipv4/ipt_TCPMSS.h @@ -1,10 +1,9 @@ #ifndef _IPT_TCPMSS_H #define _IPT_TCPMSS_H -struct ipt_tcpmss_info { - u_int16_t mss; -}; +#include -#define IPT_TCPMSS_CLAMP_PMTU 0xffff +#define ipt_tcpmss_info xt_tcpmss_info +#define IPT_TCPMSS_CLAMP_PMTU XT_TCPMSS_CLAMP_PMTU #endif /*_IPT_TCPMSS_H*/ -- cgit v1.1 From 41f4689a7c8cd76b77864461b3c58fde8f322b2c Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Wed, 7 Feb 2007 15:10:09 -0800 Subject: [NETFILTER]: NAT: optional source port randomization support This patch adds support to NAT to randomize source ports. Signed-off-by: Eric Leblond Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter_ipv4/ip_nat.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/linux') diff --git a/include/linux/netfilter_ipv4/ip_nat.h b/include/linux/netfilter_ipv4/ip_nat.h index bdf5536..bbca89a 100644 --- a/include/linux/netfilter_ipv4/ip_nat.h +++ b/include/linux/netfilter_ipv4/ip_nat.h @@ -16,6 +16,7 @@ enum ip_nat_manip_type #define IP_NAT_RANGE_MAP_IPS 1 #define IP_NAT_RANGE_PROTO_SPECIFIED 2 +#define IP_NAT_RANGE_PROTO_RANDOM 4 /* add randomness to "port" selection */ /* NAT sequence number modifications */ struct ip_nat_seq { -- cgit v1.1 From 6709dbbb1978abe039ea4b76c364bf003bf40de5 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 7 Feb 2007 15:11:19 -0800 Subject: [NETFILTER]: {ip,ip6}_tables: remove x_tables wrapper functions Use the x_tables functions directly to make it better visible which parts are shared between ip_tables and ip6_tables. Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter_ipv4/ip_tables.h | 12 +----------- include/linux/netfilter_ipv6/ip6_tables.h | 10 ---------- 2 files changed, 1 insertion(+), 21 deletions(-) (limited to 'include/linux') diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index 98d566c..c59bc6f 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -272,16 +272,6 @@ ipt_get_target(struct ipt_entry *e) #include extern void ipt_init(void) __init; -#define ipt_register_target(tgt) \ -({ (tgt)->family = AF_INET; \ - xt_register_target(tgt); }) -#define ipt_unregister_target(tgt) xt_unregister_target(tgt) - -#define ipt_register_match(mtch) \ -({ (mtch)->family = AF_INET; \ - xt_register_match(mtch); }) -#define ipt_unregister_match(mtch) xt_unregister_match(mtch) - //#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl) //#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl) @@ -290,7 +280,7 @@ extern int ipt_register_table(struct ipt_table *table, extern void ipt_unregister_table(struct ipt_table *table); /* net/sched/ipt.c: Gimme access to your targets! Gets target->me. */ -extern struct ipt_target *ipt_find_target(const char *name, u8 revision); +extern struct xt_target *ipt_find_target(const char *name, u8 revision); /* Standard entry. */ struct ipt_standard diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h index 4aed340..2fbabab 100644 --- a/include/linux/netfilter_ipv6/ip6_tables.h +++ b/include/linux/netfilter_ipv6/ip6_tables.h @@ -286,16 +286,6 @@ ip6t_get_target(struct ip6t_entry *e) #include extern void ip6t_init(void) __init; -#define ip6t_register_target(tgt) \ -({ (tgt)->family = AF_INET6; \ - xt_register_target(tgt); }) -#define ip6t_unregister_target(tgt) xt_unregister_target(tgt) - -#define ip6t_register_match(match) \ -({ (match)->family = AF_INET6; \ - xt_register_match(match); }) -#define ip6t_unregister_match(match) xt_unregister_match(match) - extern int ip6t_register_table(struct ip6t_table *table, const struct ip6t_replace *repl); extern void ip6t_unregister_table(struct ip6t_table *table); -- cgit v1.1 From e60a13e030867078f3c9fef8dca6cd8a5b883478 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 7 Feb 2007 15:12:33 -0800 Subject: [NETFILTER]: {ip,ip6}_tables: use struct xt_table instead of redefined structure names Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter_ipv4/ip_tables.h | 9 +++------ include/linux/netfilter_ipv6/ip6_tables.h | 6 +++--- 2 files changed, 6 insertions(+), 9 deletions(-) (limited to 'include/linux') diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index c59bc6f..fccf4b8 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -272,12 +272,9 @@ ipt_get_target(struct ipt_entry *e) #include extern void ipt_init(void) __init; -//#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl) -//#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl) - -extern int ipt_register_table(struct ipt_table *table, +extern int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl); -extern void ipt_unregister_table(struct ipt_table *table); +extern void ipt_unregister_table(struct xt_table *table); /* net/sched/ipt.c: Gimme access to your targets! Gets target->me. */ extern struct xt_target *ipt_find_target(const char *name, u8 revision); @@ -305,7 +302,7 @@ extern unsigned int ipt_do_table(struct sk_buff **pskb, unsigned int hook, const struct net_device *in, const struct net_device *out, - struct ipt_table *table); + struct xt_table *table); #define IPT_ALIGN(s) XT_ALIGN(s) diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h index 2fbabab..e37698c 100644 --- a/include/linux/netfilter_ipv6/ip6_tables.h +++ b/include/linux/netfilter_ipv6/ip6_tables.h @@ -286,14 +286,14 @@ ip6t_get_target(struct ip6t_entry *e) #include extern void ip6t_init(void) __init; -extern int ip6t_register_table(struct ip6t_table *table, +extern int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl); -extern void ip6t_unregister_table(struct ip6t_table *table); +extern void ip6t_unregister_table(struct xt_table *table); extern unsigned int ip6t_do_table(struct sk_buff **pskb, unsigned int hook, const struct net_device *in, const struct net_device *out, - struct ip6t_table *table); + struct xt_table *table); /* Check for an extension */ extern int ip6t_ext_hdr(u8 nexthdr); -- cgit v1.1 From a0ca215a730b2c4d5024143e64b0d80d50858667 Mon Sep 17 00:00:00 2001 From: Masahide NAKAMURA Date: Wed, 7 Feb 2007 15:12:57 -0800 Subject: [NETFILTER]: ip6_tables: support MH match This introduces match for Mobility Header (MH) described by Mobile IPv6 specification (RFC3775). User can specify the MH type or its range to be matched. Signed-off-by: Masahide NAKAMURA Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter_ipv6/ip6t_mh.h | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 include/linux/netfilter_ipv6/ip6t_mh.h (limited to 'include/linux') diff --git a/include/linux/netfilter_ipv6/ip6t_mh.h b/include/linux/netfilter_ipv6/ip6t_mh.h new file mode 100644 index 0000000..b9ca9a5 --- /dev/null +++ b/include/linux/netfilter_ipv6/ip6t_mh.h @@ -0,0 +1,15 @@ +#ifndef _IP6T_MH_H +#define _IP6T_MH_H + +/* MH matching stuff */ +struct ip6t_mh +{ + u_int8_t types[2]; /* MH type range */ + u_int8_t invflags; /* Inverse flags */ +}; + +/* Values for "invflags" field in struct ip6t_mh. */ +#define IP6T_MH_INV_TYPE 0x01 /* Invert the sense of type. */ +#define IP6T_MH_INV_MASK 0x01 /* All possible flags. */ + +#endif /*_IP6T_MH_H*/ -- cgit v1.1 From c3e79c05b45c3d6115d8c46e3012939c71573f13 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Wed, 7 Feb 2007 15:13:20 -0800 Subject: [NETFILTER]: ip_tables: remove declaration of non-existant ipt_find_target function Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter_ipv4/ip_tables.h | 3 --- 1 file changed, 3 deletions(-) (limited to 'include/linux') diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index fccf4b8..9527296 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -276,9 +276,6 @@ extern int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl); extern void ipt_unregister_table(struct xt_table *table); -/* net/sched/ipt.c: Gimme access to your targets! Gets target->me. */ -extern struct xt_target *ipt_find_target(const char *name, u8 revision); - /* Standard entry. */ struct ipt_standard { -- cgit v1.1 From 9934e81c8c4981342dab3e386aff5d4499bea0d2 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Wed, 7 Feb 2007 15:14:28 -0800 Subject: [NETFILTER]: ip6_tables: remove redundant structure definitions Move ip6t_standard/ip6t_error_target/ip6t_error definitions to ip6_tables.h instead of defining them in each table individually. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter_ipv6/ip6_tables.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'include/linux') diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h index e37698c..61aa104 100644 --- a/include/linux/netfilter_ipv6/ip6_tables.h +++ b/include/linux/netfilter_ipv6/ip6_tables.h @@ -104,6 +104,25 @@ struct ip6t_entry unsigned char elems[0]; }; +/* Standard entry */ +struct ip6t_standard +{ + struct ip6t_entry entry; + struct ip6t_standard_target target; +}; + +struct ip6t_error_target +{ + struct ip6t_entry_target target; + char errorname[IP6T_FUNCTION_MAXNAMELEN]; +}; + +struct ip6t_error +{ + struct ip6t_entry entry; + struct ip6t_error_target target; +}; + /* * New IP firewall options for [gs]etsockopt at the RAW IP level. * Unlike BSD Linux inherits IP options so you don't have to use -- cgit v1.1 From 80c9abaabf4283f7cf4a0b3597cd302506635b7f Mon Sep 17 00:00:00 2001 From: Shinta Sugimoto Date: Thu, 8 Feb 2007 13:11:42 -0800 Subject: [XFRM]: Extension for dynamic update of endpoint address(es) Extend the XFRM framework so that endpoint address(es) in the XFRM databases could be dynamically updated according to a request (MIGRATE message) from user application. Target XFRM policy is first identified by the selector in the MIGRATE message. Next, the endpoint addresses of the matching templates and XFRM states are updated according to the MIGRATE message. Signed-off-by: Shinta Sugimoto Signed-off-by: Masahide NAKAMURA Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller --- include/linux/xfrm.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'include/linux') diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h index 9529ea1..15ca89e 100644 --- a/include/linux/xfrm.h +++ b/include/linux/xfrm.h @@ -178,6 +178,9 @@ enum { XFRM_MSG_REPORT, #define XFRM_MSG_REPORT XFRM_MSG_REPORT + XFRM_MSG_MIGRATE, +#define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE + __XFRM_MSG_MAX }; #define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1) @@ -256,6 +259,7 @@ enum xfrm_attr_type_t { XFRMA_COADDR, /* xfrm_address_t */ XFRMA_LASTUSED, XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */ + XFRMA_MIGRATE, __XFRMA_MAX #define XFRMA_MAX (__XFRMA_MAX - 1) @@ -351,6 +355,19 @@ struct xfrm_user_report { struct xfrm_selector sel; }; +struct xfrm_user_migrate { + xfrm_address_t old_daddr; + xfrm_address_t old_saddr; + xfrm_address_t new_daddr; + xfrm_address_t new_saddr; + __u8 proto; + __u8 mode; + __u16 reserved; + __u32 reqid; + __u16 old_family; + __u16 new_family; +}; + #ifndef __KERNEL__ /* backwards compatibility for userspace */ #define XFRMGRP_ACQUIRE 1 @@ -375,6 +392,8 @@ enum xfrm_nlgroups { #define XFRMNLGRP_AEVENTS XFRMNLGRP_AEVENTS XFRMNLGRP_REPORT, #define XFRMNLGRP_REPORT XFRMNLGRP_REPORT + XFRMNLGRP_MIGRATE, +#define XFRMNLGRP_MIGRATE XFRMNLGRP_MIGRATE __XFRMNLGRP_MAX }; #define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1) -- cgit v1.1 From 08de61beab8a21c8e0b3906a97defda5f1f66ece Mon Sep 17 00:00:00 2001 From: Shinta Sugimoto Date: Thu, 8 Feb 2007 13:14:33 -0800 Subject: [PFKEYV2]: Extension for dynamic update of endpoint address(es) Extend PF_KEYv2 framework so that user application can take advantage of MIGRATE feature via PF_KEYv2 interface. User application can either send or receive an MIGRATE message to/from PF_KEY socket. Detail information can be found in the internet-draft . Signed-off-by: Shinta Sugimoto Signed-off-by: Masahide NAKAMURA Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller --- include/linux/pfkeyv2.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include/linux') diff --git a/include/linux/pfkeyv2.h b/include/linux/pfkeyv2.h index 265bafa..26a518b 100644 --- a/include/linux/pfkeyv2.h +++ b/include/linux/pfkeyv2.h @@ -251,7 +251,8 @@ struct sadb_x_sec_ctx { #define SADB_X_SPDEXPIRE 21 #define SADB_X_SPDDELETE2 22 #define SADB_X_NAT_T_NEW_MAPPING 23 -#define SADB_MAX 23 +#define SADB_X_MIGRATE 24 +#define SADB_MAX 24 /* Security Association flags */ #define SADB_SAFLAGS_PFS 1 -- cgit v1.1 From 39e21c0d34fe769d06839679fa920217359a58b0 Mon Sep 17 00:00:00 2001 From: Andrew Hendry Date: Thu, 8 Feb 2007 13:34:36 -0800 Subject: [X.25]: Adds /proc/sys/net/x25/x25_forward to control forwarding. echo "1" > /proc/sys/net/x25/x25_forward To turn on x25_forwarding, defaults to off Requires the previous patch. Signed-off-by: Andrew Hendry Signed-off-by: David S. Miller --- include/linux/sysctl.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include/linux') diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h index 81480e6..665412c 100644 --- a/include/linux/sysctl.h +++ b/include/linux/sysctl.h @@ -699,7 +699,8 @@ enum { NET_X25_CALL_REQUEST_TIMEOUT=2, NET_X25_RESET_REQUEST_TIMEOUT=3, NET_X25_CLEAR_REQUEST_TIMEOUT=4, - NET_X25_ACK_HOLD_BACK_TIMEOUT=5 + NET_X25_ACK_HOLD_BACK_TIMEOUT=5, + NET_X25_FORWARD=6 }; /* /proc/sys/net/token-ring */ -- cgit v1.1 From eac3731bd04c7131478722a3c148b78774553116 Mon Sep 17 00:00:00 2001 From: Jennifer Hunt Date: Thu, 8 Feb 2007 13:51:54 -0800 Subject: [S390]: Add AF_IUCV socket support From: Jennifer Hunt This patch adds AF_IUCV socket support. Signed-off-by: Frank Pavlic Signed-off-by: Martin Schwidefsky Signed-off-by: David S. Miller --- include/linux/net.h | 2 +- include/linux/socket.h | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'include/linux') diff --git a/include/linux/net.h b/include/linux/net.h index f28d8a2..4db21e6 100644 --- a/include/linux/net.h +++ b/include/linux/net.h @@ -24,7 +24,7 @@ struct poll_table_struct; struct inode; -#define NPROTO 32 /* should be enough for now.. */ +#define NPROTO 33 /* should be enough for now.. */ #define SYS_SOCKET 1 /* sys_socket(2) */ #define SYS_BIND 2 /* sys_bind(2) */ diff --git a/include/linux/socket.h b/include/linux/socket.h index 92cd38e..fcd35a2 100644 --- a/include/linux/socket.h +++ b/include/linux/socket.h @@ -187,7 +187,8 @@ struct ucred { #define AF_LLC 26 /* Linux LLC */ #define AF_TIPC 30 /* TIPC sockets */ #define AF_BLUETOOTH 31 /* Bluetooth sockets */ -#define AF_MAX 32 /* For now.. */ +#define AF_IUCV 32 /* IUCV sockets */ +#define AF_MAX 33 /* For now.. */ /* Protocol families, same as address families. */ #define PF_UNSPEC AF_UNSPEC @@ -220,6 +221,7 @@ struct ucred { #define PF_LLC AF_LLC #define PF_TIPC AF_TIPC #define PF_BLUETOOTH AF_BLUETOOTH +#define PF_IUCV AF_IUCV #define PF_MAX AF_MAX /* Maximum queue length specifiable by listen. */ -- cgit v1.1 From 42c05f6e6e3d57495054a4cae35850b3f7d1c343 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 8 Feb 2007 16:01:09 -0800 Subject: [ATM]: atmarp.h needs to always include linux/types.h To provide the __be* types, even for userspace includes. Reported by Andrew Walrond. Signed-off-by: David S. Miller --- include/linux/atmarp.h | 2 -- 1 file changed, 2 deletions(-) (limited to 'include/linux') diff --git a/include/linux/atmarp.h b/include/linux/atmarp.h index ee108f9..231f4bd 100644 --- a/include/linux/atmarp.h +++ b/include/linux/atmarp.h @@ -6,9 +6,7 @@ #ifndef _LINUX_ATMARP_H #define _LINUX_ATMARP_H -#ifdef __KERNEL__ #include -#endif #include #include -- cgit v1.1