diffstat for iptables-1.3.6.0debian1 iptables-1.3.6.0debian1
 Makefile | 3
 debian/changelog | 149 +++
 debian/control | 4
 debian/iptables.doc-base.nat | 2
 debian/iptables.doc-base.packet-filter | 2
 debian/iptables.install | 3
 debian/rules | 51 +
 iptables/Makefile | 23
 iptables/extensions/.CLUSTERIP-test | 3
 iptables/extensions/Makefile | 2
 iptables/extensions/libip6t_state.c | 2
 iptables/extensions/libipt_DNAT.c | 2
 iptables/extensions/libipt_MASQUERADE.c | 2
 iptables/extensions/libipt_NETMAP.c | 2
 iptables/extensions/libipt_REDIRECT.c | 2
 iptables/extensions/libipt_SAME.c | 2
 iptables/extensions/libipt_SNAT.c | 2
 iptables/extensions/libipt_connbytes.c | 2
 iptables/extensions/libipt_connlimit.c | 2
 iptables/extensions/libipt_connrate.c | 2
 iptables/extensions/libipt_conntrack.c | 3
 iptables/extensions/libipt_set.c | 2
 iptables/extensions/libipt_state.c | 2
 iptables/include/linux/netfilter/nf_conntrack_common.h | 135 +++
 iptables/include/linux/netfilter/nf_conntrack_tuple.h | 103 ++
 iptables/include/linux/netfilter/nf_conntrack_tuple_common.h | 13
 iptables/include/linux/netfilter/nf_nat.h | 45 +
 iptables/include/linux/netfilter_ipv4/ipt_conntrack.h | 2
 patches/all/012-2.6.22-headers-fix.patch | 472 +++++++++++
 patches/all/090-enable-ipv6-rt.patch | 11
 30 files changed, 1007 insertions(+), 43 deletions(-)
diff -Nru iptables-1.3.6.0debian1/Makefile iptables-1.3.6.0debian1/Makefile
--- iptables-1.3.6.0debian1/Makefile 2006-10-21 17:24:17.000000000 +0000
+++ iptables-1.3.6.0debian1/Makefile 2007-12-04 14:50:39.000000000 +0000
@@ -8,7 +8,8 @@
 @echo 'Linux 2.6.18'
 @echo 'patch-o-matic 20061021'
-prep howtos build clean install binary-indep binary-arch binary:
+#prep howtos build clean install binary-indep binary-arch binary:
+prep build clean install binary-indep binary-arch binary:
 $(MAKE) -f $(CURDIR)/debian/rules $@
 .PHONY: prep howtos clean binary build packitup
diff -Nru iptables-1.3.6.0debian1/debian/changelog iptables-1.3.6.0debian1/debian/changelog
--- iptables-1.3.6.0debian1/debian/changelog 2019-04-09 00:29:24.000000000 +0000
+++ iptables-1.3.6.0debian1/debian/changelog 2008-04-02 12:44:37.000000000 +0000
@@ -1,3 +1,76 @@ +iptables (1.3.6.0debian1-5ubuntu5osso4) unstable; urgency=low + + * Kernel header dependency changed for diablo release. Fixes: NB#83552 + + -- Jukka Rissanen Tue, 1 Apr 2008 16:07:10 +0300 + +iptables (1.3.6.0debian1-5ubuntu5osso3) unstable; urgency=low + + * manual pages, howtos etc documentation is not installed + * shared object modules that are not needed, are not installed + + -- Jukka Rissanen Tue, 4 Dec 2007 16:43:59 +0200 + +iptables (1.3.6.0debian1-5ubuntu5osso2) unstable; urgency=low + + * Removed original maintainer from control file because Nokia build + system got confused about it. + + -- Jukka Rissanen Tue, 20 Nov 2007 10:24:55 +0200 + +iptables (1.3.6.0debian1-5ubuntu5osso1) unstable; urgency=low + + * Version for Osso with IPv6 support + * Turned off selinux support + + -- Jukka Rissanen Mon, 19 Nov 2007 12:46:39 +0200 + +iptables (1.3.6.0debian1-5ubuntu5) gutsy; urgency=low + + * patches/all/090_enable-ipv6-rt.patch: include broken-out patch for + "rt" build, which was missed when applying the patch inline in the + previous version. + + -- Kees Cook Wed, 04 Jul 2007 17:11:52 -0700 + +iptables (1.3.6.0debian1-5ubuntu4) gutsy; urgency=low + + * iptables/extensions/Makefile: enable "rt" module for ip6tables + (LP: #114184). + + -- Kees Cook Wed, 04 Jul 2007 03:56:20 -0700 + +iptables (1.3.6.0debian1-5ubuntu3) gutsy; urgency=low + + * patches/all/012-2.6.22-headers-fix.patch: + + Fix FTBFS on gutsy due to renamed header files in linux-libc-dev. + Patch taken from upstream svn (rev 6001). (LP: #120908) + * iptables/extensions/.CLUSTERIP-test: + + Fix CLUSTERIP detection code to reenable the module (it was accidentally + removed when we started using linux-libc-dev instead of bundled headers). + (LP: #113863) + + -- Soren Hansen Mon, 18 Jun 2007 10:35:01 +0200 + +iptables (1.3.6.0debian1-5ubuntu2) feisty; urgency=low + + * Rebuild for changes in the amd64 toolchain. + * Set Ubuntu maintainer address. 
+ + -- Matthias Klose Mon, 5 Mar 2007 01:19:06 +0000 + +iptables (1.3.6.0debian1-5ubuntu1) feisty; urgency=low + + * Merge from debian unstable. + * Remaining Ubuntu changes: + - Build with -fno-stack-protector to fix failing ICMP module (Malone: #66681) + - Took references to 2.4 kernel out of doc-base control files (Jordan + Mantha, Malone #25972). + - Use linux-libc-dev instead of local copy of kernel-headers (Fabio M. + Di Nitto). + + -- Andrew Mitchell Thu, 7 Dec 2006 01:25:07 +1300 + iptables (1.3.6.0debian1-5) unstable; urgency=high * cleaned dirty iptables/, fixes diff bloat and compilation problems @@ -20,6 +93,18 @@ -- Laurence J. Lane Thu, 9 Nov 2006 05:58:51 -0500 +iptables (1.3.6.0debian1-2ubuntu1) feisty; urgency=low + + * Merge from debian unstable. + * Remaining Ubuntu changes: + - Build with -fno-stack-protector to fix failing ICMP module (Malone: #66681) + - Took references to 2.4 kernel out of doc-base control files (Jordan + Mantha, Malone #25972). + - Use linux-libc-dev instead of local copy of kernel-headers (Fabio M. + Di Nitto). + + -- Andrew Mitchell Wed, 15 Nov 2006 14:56:29 +1300 + iptables (1.3.6.0debian1-2) unstable; urgency=low * physdev-truncated.man.patch: fixed misssed instance of the error 
@@ -60,6 +145,28 @@ -- Laurence J. Lane Fri, 27 Oct 2006 19:39:57 -0400 +iptables (1.3.5.0debian1-1ubuntu2) edgy; urgency=low + + * Build with -fno-stack-protector to fix failing ICMP module (Malone: #66681) + + -- Andrew Mitchell Mon, 23 Oct 2006 20:39:03 +1300 + +iptables (1.3.5.0debian1-1ubuntu1) edgy; urgency=low + + * Resynchronise with Debian (closes: Malone #30992, #40601, #51044). + * Switch from linux-kernel-headers to linux-libc-dev (closes: Malone + #65830). + * Drop patches/all/003-no-local-kernel-headers.patch; + includes IPT_F_GOTO since Linux + 2.6.14. + * Remaining Ubuntu changes: + - Took references to 2.4 kernel out of doc-base control files (Jordan + Mantha, Malone #25972). + - Use linux-libc-dev instead of local copy of kernel-headers (Fabio M. + Di Nitto). + + -- Colin Watson Fri, 13 Oct 2006 18:08:42 +0100 + iptables (1.3.5.0debian1-1) unstable; urgency=low * New upstream release @@ -87,6 +194,32 @@ -- Laurence J. Lane Sun, 20 Aug 2006 21:29:33 -0400 +iptables (1.3.3-2ubuntu4) dapper; urgency=low + + * Took references to 2.4 kernel out of doc-base control files + (closes:Malone #25972) + + -- Jordan Mantha Fri, 17 Mar 2006 04:13:06 -0800 + +iptables (1.3.3-2ubuntu3) dapper; urgency=low + + * Fix variable KERNEL_DIR. It is just '/usr'. not '/usr/include'. + This reenables nearly all extension modules (Ubuntu: #19978) + + -- Reinhard Tartler Wed, 23 Nov 2005 19:10:47 +0000 + +iptables (1.3.3-2ubuntu2) dapper; urgency=low + + * fixed borked merge. MoM does not deal with binary changes in debdiffs + + -- Reinhard Tartler Wed, 23 Nov 2005 10:16:49 +0100 + +iptables (1.3.3-2ubuntu1) dapper; urgency=low + + * Resynchronise with Debian. + + -- Scott James Remnant Tue, 08 Nov 2005 07:29:09 +0000 + iptables (1.3.3-2) unstable; urgency=low * added pomng exclude hack to prep.sh 
@@ -109,6 +242,21 @@ -- Laurence J. Lane Sun, 24 Jul 2005 21:03:39 -0400 +iptables (1.3.1-2ubuntu1) breezy; urgency=low + + * Drop ip_queue_vwmark from patch-o-matic-ng-20050618 tarball and ippool: + - These extensions require kernel patches that are not part of the + stock kernel. + * Switch to use linux-kernel-headers instead of local copy of + kernel-headers: + - Add patches/all/003-no-local-kernel-headers.patch to cope with a missing + define. + - Change debian/rules KERNEL_DIR to point to /usr/include. + - Add build-dep on linux-kernel-headers (>= 2.6.11.2-0ubuntu10) to ensure + we have recent enough headers to build. + + -- Fabio M. Di Nitto Tue, 12 Jul 2005 07:37:51 +0200 + iptables (1.3.1-2) unstable; urgency=low * added missing 2.6.12 kernel headers @@ -849,3 +997,4 @@ * Initial release. -- Christoph Lameter Sun, 26 Mar 2000 18:49:18 -0800 + diff -Nru iptables-1.3.6.0debian1/debian/control iptables-1.3.6.0debian1/debian/control --- iptables-1.3.6.0debian1/debian/control 2019-04-09 00:29:24.000000000 +0000 +++ iptables-1.3.6.0debian1/debian/control 2008-04-01 13:09:36.000000000 +0000 @@ -1,8 +1,8 @@ Source: iptables Section: net Priority: important -Maintainer: Laurence J. Lane -Build-Depends: debhelper (>>4.0), linuxdoc-tools, libselinux1-dev +Maintainer: Jukka Rissanen +Build-Depends: debhelper (>>4.0), linuxdoc-tools, kernel-diablo-headers Standards-Version: 3.7.2.0 Package: iptables diff -Nru iptables-1.3.6.0debian1/debian/iptables.doc-base.nat iptables-1.3.6.0debian1/debian/iptables.doc-base.nat --- iptables-1.3.6.0debian1/debian/iptables.doc-base.nat 2019-04-09 00:29:24.000000000 +0000 +++ iptables-1.3.6.0debian1/debian/iptables.doc-base.nat 2007-11-19 11:39:11.000000000 +0000 
@@ -1,5 +1,5 @@ Document: nat -Title: Linux 2.4 NAT HOWTO +Title: Linux NAT HOWTO Author: Rusty Russell Abstract: This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network Address diff -Nru iptables-1.3.6.0debian1/debian/iptables.doc-base.packet-filter iptables-1.3.6.0debian1/debian/iptables.doc-base.packet-filter --- iptables-1.3.6.0debian1/debian/iptables.doc-base.packet-filter 2019-04-09 00:29:24.000000000 +0000 +++ iptables-1.3.6.0debian1/debian/iptables.doc-base.packet-filter 2007-11-19 11:39:11.000000000 +0000 @@ -1,5 +1,5 @@ Document: packet-filter -Title: Linux 2.4 Packet Filtering HOWTO +Title: Linux Packet Filtering HOWTO Author: Rusty Russell Abstract: This document describes how to use iptables to filter IP packets for the 2.4+ Linux kernels. diff -Nru iptables-1.3.6.0debian1/debian/iptables.install iptables-1.3.6.0debian1/debian/iptables.install --- iptables-1.3.6.0debian1/debian/iptables.install 2019-04-09 00:29:24.000000000 +0000 +++ iptables-1.3.6.0debian1/debian/iptables.install 2007-12-04 14:50:39.000000000 +0000 @@ -1,5 +1,2 @@ -debian/build/iptables_profectio/*.8 usr/share/man/man8 debian/build/iptables_profectio/*-save sbin debian/build/iptables_profectio/*-restore sbin -debian/build/docs/NAT* usr/share/doc/iptables/html -debian/build/docs/packet-filtering* usr/share/doc/iptables/html diff -Nru iptables-1.3.6.0debian1/debian/rules iptables-1.3.6.0debian1/debian/rules --- iptables-1.3.6.0debian1/debian/rules 2019-04-09 00:29:24.000000000 +0000 +++ iptables-1.3.6.0debian1/debian/rules 2007-12-04 14:50:39.000000000 +0000 @@ -1,5 +1,8 @@ #!/usr/bin/make -f +DO_SELINUX=0 +export DO_SELINUX + IPTABLES = iptables_profectio KERNEL = kernel_profectio 
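Review bot: `DO_SELINUX=0` is hard-coded and exported at the top of debian/rules with no comment explaining the choice. The context lines of iptables/extensions/Makefile in this diff show `PF_EXT_SE_SLIB:=SECMARK CONNSECMARK` being set only under `ifeq ($(DO_SELINUX), 1)`, so the package is built without the SELinux packet-labelling extensions, and the same upload drops libselinux1-dev from Build-Depends. I would put a comment above the assignment, for example `# SELinux extensions (SECMARK/CONNSECMARK) are intentionally not built; see changelog 1.3.6.0debian1-5ubuntu5osso1`, so that a later merge from Debian neither re-enables nor loses the setting by accident. Whether iptables/Makefile itself also reads `DO_SELINUX` is not visible in this diff.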
@@ -12,17 +15,28 @@ BINDIR := BINDIR=/sbin LIBDIR := LIBDIR=/lib DESTDIR := DESTDIR=$(CURDIR)/debian/iptables -KERNEL_DIR := KERNEL_DIR=$(BUILD_DIR)/$(KERNEL) +#KERNEL_DIR := KERNEL_DIR=$(BUILD_DIR)/$(KERNEL) +KERNEL_DIR := KERNEL_DIR=/usr BUILD_VARS := $(LIBDIR) $(KERNEL_DIR) INSTALL_VARS := $(DESTDIR) $(MANDIR) $(LIBDIR) $(BINDIR) $(KERNEL_DIR) -BUILD_TARGETS := all ip6tables-save ip6tables-restore iptables.8 ip6tables.8 +BUILD_TARGETS := all ip6tables-save ip6tables-restore # iptables.8 ip6tables.8 +KEEP_THESE = libipt_IDLETIMER.so libipt_REJECT.so libipt_icmp.so \ + libipt_limit.so libipt_standard.so libipt_tcp.so libipt_udp.so \ + libip6t_REJECT.so libip6t_icmp6.so libip6t_limit.so libip6t_standard.so \ + libip6t_tcp.so libip6t_udp.so build_howtos := $(foreach howto,$(wildcard $(CURDIR)/howtos/*.sgml),sgml2html $(howto);) manregex := $(SHELL) $(CURDIR)/scripts/manregex MAN_PAGES := $(SRC_DIR)/*.8 +links: $(STAMP_DIR)/links +$(STAMP_DIR)/links: + -mkdir -p $(STAMP_DIR) + -ln -s /usr/src/rx-34-kernel-headers /usr/src/linux + touch $@ + prep: $(STAMP_DIR)/prep $(STAMP_DIR)/prep: install -d $(STAMP_DIR) @@ -36,12 +50,12 @@ cd $(DOCS_DIR); $(build_howtos) touch $@ -build: prep howtos +build: links prep dh_testdir $(MAKE) -C $(SRC_DIR) $(BUILD_TARGETS) $(BUILD_VARS) - - $(manregex) $(MAN_PAGES) + + #$(manregex) $(MAN_PAGES) cd $(SRC_DIR); ar rcs libiptables.a iptables.o cd $(SRC_DIR); ar rcs libip6tables.a ip6tables.o 
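Review bot: The new `$(STAMP_DIR)/links` recipe runs `ln -s /usr/src/rx-34-kernel-headers /usr/src/linux`, which modifies the build host outside the package tree, and the leading `-` discards the result. If `/usr/src/linux` already exists and points elsewhere, `ln` fails, the stamp is still touched, and the build continues against whatever headers that path holds, so the output depends on the state of the machine rather than on the declared Build-Depends. I would drop the `-` prefixes and verify the link instead of creating it, for example `test "$$(readlink -f /usr/src/linux)" = "$$(readlink -f /usr/src/rx-34-kernel-headers)"`, or better pass the header directory to the sub-make through a variable so nothing under /usr/src is touched. The same hunk sets `KERNEL_DIR=/usr`, so it is not visible here which part of the build reads `/usr/src/linux`; a comment on the `links` target should say. The `build: links prep` change in the following hunk makes every build go through this step.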
@@ -56,8 +70,29 @@ dh_testroot $(MAKE) -C $(SRC_DIR) install $(INSTALL_VARS) - install -m0644 -D $(CURDIR)/debian/iptables.lintian \ - $(CURDIR)/debian/iptables/usr/share/lintian/overrides/iptables + + # Remove the modules we do not need + -for i in `ls $(CURDIR)/debian/iptables/lib/iptables/*.so`; \ + do \ + keep=0; \ + BASENAME=`basename $$i`; \ + for j in $(KEEP_THESE); \ + do \ + if [ "$$j" = "$$BASENAME" ]; then \ + keep=1; \ + echo "keeping $$i"; \ + break; \ + fi; \ + done; \ + if [ "$$keep" != "1" ]; then \ + echo "removing $$i"; \ + rm -f $$i; \ + fi; \ + done + + #install -m0644 -D $(CURDIR)/debian/iptables.lintian \ + # $(CURDIR)/debian/iptables/usr/share/lintian/overrides/iptables + binary-indep: build install @@ -65,7 +100,7 @@ dh_testdir dh_testroot dh_install - dh_installdocs + #dh_installdocs dh_installchangelogs dh_strip dh_compress diff -Nru iptables-1.3.6.0debian1/iptables/Makefile iptables-1.3.6.0debian1/iptables/Makefile --- iptables-1.3.6.0debian1/iptables/Makefile 2019-04-09 00:29:24.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/Makefile 2007-12-04 14:50:39.000000000 +0000 
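Review bot: The pruning loop added to the install recipe cannot fail the build: it is prefixed with `-`, and it iterates over `` `ls …/lib/iptables/*.so` ``, so a wrong or missing directory becomes an empty loop rather than an error. Since `KEEP_THESE` is the allow-list that decides which firewall extensions are shipped, a prune that did not run should stop the build instead of producing a package with every module still in place. The rewrite below keeps the same allow-list semantics, uses a shell glob instead of parsing `ls`, and lets a failed `cd` propagate. `libipt_IDLETIMER.so` is listed in `KEEP_THESE`, but IDLETIMER does not appear in the extension lists visible in this diff, so it is worth confirming that module is actually produced. The install rule begins above this hunk.

```make
	$(MAKE) -C $(SRC_DIR) install $(INSTALL_VARS)

	# Remove the modules we do not need (no leading '-': a failed prune fails the build)
	cd $(CURDIR)/debian/iptables/lib/iptables && \
	for so in *.so; do \
		case " $(KEEP_THESE) " in \
			*" $$so "*) echo "keeping $$so" ;; \
			*) echo "removing $$so"; rm -f -- "$$so" ;; \
		esac; \
	done
# … unchanged: commented-out lintian override install …
```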
@@ -37,24 +37,24 @@ endif COPT_FLAGS:=-O2 -CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DIPTC_DEBUG +CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\" #-fno-stack-protector #-g -DDEBUG #-pg # -DIPTC_DEBUG ifdef NO_SHARED_LIBS CFLAGS += -DNO_SHARED_LIBS=1 endif -EXTRAS+=iptables iptables.o iptables.8 -EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables $(DESTDIR)$(MANDIR)/man8/iptables.8 +EXTRAS+=iptables iptables.o # iptables.8 +EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables # $(DESTDIR)$(MANDIR)/man8/iptables.8 # No longer experimental. ifneq ($(DO_MULTI), 1) EXTRAS+=iptables-save iptables-restore endif -EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables-save $(DESTDIR)$(BINDIR)/iptables-restore $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 +EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables-save $(DESTDIR)$(BINDIR)/iptables-restore # $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 ifeq ($(DO_IPV6), 1) -EXTRAS+=ip6tables ip6tables.o ip6tables.8 -EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables $(DESTDIR)$(MANDIR)/man8/ip6tables.8 +EXTRAS+=ip6tables ip6tables.o #ip6tables.8 +EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables # $(DESTDIR)$(MANDIR)/man8/ip6tables.8 EXTRAS_EXP+=ip6tables-save ip6tables-restore EXTRA_INSTALLS_EXP+=$(DESTDIR)$(BINDIR)/ip6tables-save $(DESTDIR)$(BINDIR)/ip6tables-restore # $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-restore.8 endif 
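Review bot: The `-fno-stack-protector` added to the `CFLAGS:=` line sits after a `#`, so make reads it as comment text and the flag is not passed to the compiler by this line, while debian/changelog still lists "Build with -fno-stack-protector" as a remaining change. Leaving the stack protector on is the safer state for a tool that runs as root, but the file and the changelog now disagree and the next person to touch the line may uncomment it. I would remove the flag from the trailing comment and add a make comment on its own line above the assignment, such as `# stack protector left enabled; see Malone #66681 before adding -fno-stack-protector`. If the flag is in fact injected somewhere outside this diff, the comment should name that place instead.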
@@ -191,8 +191,9 @@ cp $< $@ $(DESTDIR)$(MANDIR)/man8/%.8: %.8 - @[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8 - cp $< $@ + #@[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8 + #cp $< $@ + @echo Not copying $< to $@ EXTRA_DEPENDS+=iptables-standalone.d iptables.d @@ -200,10 +201,12 @@ @-$(CC) -M -MG $(CFLAGS) $< | sed -e 's@^.*\.o:@$*.d $*.o:@' > $@ iptables.8: iptables.8.in extensions/libipt_matches.man extensions/libipt_targets.man - sed -e '/@MATCH@/ r extensions/libipt_matches.man' -e '/@TARGET@/ r extensions/libipt_targets.man' iptables.8.in >iptables.8 + #sed -e '/@MATCH@/ r extensions/libipt_matches.man' -e '/@TARGET@/ r extensions/libipt_targets.man' iptables.8.in >iptables.8 + @echo Will not generate $@ ip6tables.8: ip6tables.8.in extensions/libip6t_matches.man extensions/libip6t_targets.man - sed -e '/@MATCH@/ r extensions/libip6t_matches.man' -e '/@TARGET@/ r extensions/libip6t_targets.man' ip6tables.8.in >ip6tables.8 + #sed -e '/@MATCH@/ r extensions/libip6t_matches.man' -e '/@TARGET@/ r extensions/libip6t_targets.man' ip6tables.8.in >ip6tables.8 + @echo Will not generate $@ # Development Targets .PHONY: install-devel-man3 diff -Nru iptables-1.3.6.0debian1/iptables/extensions/.CLUSTERIP-test iptables-1.3.6.0debian1/iptables/extensions/.CLUSTERIP-test --- iptables-1.3.6.0debian1/iptables/extensions/.CLUSTERIP-test 2006-09-28 16:40:32.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/.CLUSTERIP-test 2007-11-19 11:39:11.000000000 +0000 
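Review bot: The recipes for `iptables.8`, `ip6tables.8` and the `$(DESTDIR)$(MANDIR)/man8/%.8` pattern rule no longer create their targets, so make will treat them as out of date on every run, and the old commands are kept as `#` lines inside the recipes (if they are still tab-indented they are handed to the shell and echoed, not treated as make comments). The previous hunk already removes the `.8` files from `EXTRAS` and `EXTRA_INSTALLS`, so nothing visible here still requests these targets. Deleting the three rules, or replacing each with a single make comment such as `# man pages are not built or installed in this package`, would express the same decision without dead recipe text. Both hunks on this line are affected.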
@@ -1,2 +1,3 @@ #! /bin/sh -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_CLUSTERIP.c ] && echo CLUSTERIP +[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h ] && echo CLUSTERIP + diff -Nru iptables-1.3.6.0debian1/iptables/extensions/Makefile iptables-1.3.6.0debian1/iptables/extensions/Makefile --- iptables-1.3.6.0debian1/iptables/extensions/Makefile 2019-04-09 00:29:24.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/Makefile 2007-11-19 11:39:11.000000000 +0000 @@ -6,7 +6,7 @@ # package (HW) # PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG -PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE +PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy rt standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE ifeq ($(DO_SELINUX), 1) PF_EXT_SE_SLIB:=SECMARK CONNSECMARK diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libip6t_state.c iptables-1.3.6.0debian1/iptables/extensions/libip6t_state.c --- iptables-1.3.6.0debian1/iptables/extensions/libip6t_state.c 2006-09-28 16:40:32.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libip6t_state.c 2007-11-19 11:39:11.000000000 +0000 
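Review bot: `$KERNEL_DIR` is expanded unquoted inside `[ -f … ]`, so a value containing whitespace breaks the test and an unset value silently probes `/include/linux/…`; quoting it, `[ -f "$KERNEL_DIR/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h" ] && echo CLUSTERIP`, costs nothing. With debian/rules now passing `KERNEL_DIR=/usr`, the check reads a header from the build host, so whether the CLUSTERIP extension is compiled depends on which header package happens to be installed there. A comment in the script naming the package expected to provide that header would make the dependency explicit.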
@@ -5,7 +5,7 @@ #include #include #include -#include +#include #include #ifndef IPT_STATE_UNTRACKED diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_DNAT.c iptables-1.3.6.0debian1/iptables/extensions/libipt_DNAT.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_DNAT.c 2006-09-28 16:40:33.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_DNAT.c 2007-11-19 11:39:11.000000000 +0000 @@ -6,7 +6,7 @@ #include #include #include -#include +#include /* Dest NAT data consists of a multi-range, indicating where to map to. */ diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_MASQUERADE.c iptables-1.3.6.0debian1/iptables/extensions/libipt_MASQUERADE.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_MASQUERADE.c 2006-09-28 16:40:31.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_MASQUERADE.c 2007-11-19 11:39:11.000000000 +0000 @@ -6,7 +6,7 @@ #include #include #include -#include +#include /* Function which prints out usage message. */ static void diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_NETMAP.c iptables-1.3.6.0debian1/iptables/extensions/libipt_NETMAP.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_NETMAP.c 2019-04-09 00:29:24.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_NETMAP.c 2007-11-19 11:39:11.000000000 +0000 @@ -9,7 +9,7 @@ #include #include #include -#include +#include #define MODULENAME "NETMAP" diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_REDIRECT.c iptables-1.3.6.0debian1/iptables/extensions/libipt_REDIRECT.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_REDIRECT.c 2006-09-28 16:40:31.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_REDIRECT.c 2007-11-19 11:39:11.000000000 +0000 
@@ -6,7 +6,7 @@ #include #include #include -#include +#include /* Function which prints out usage message. */ static void diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_SAME.c iptables-1.3.6.0debian1/iptables/extensions/libipt_SAME.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_SAME.c 2006-09-28 16:40:32.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_SAME.c 2007-11-19 11:39:11.000000000 +0000 @@ -6,7 +6,7 @@ #include #include #include -#include +#include /* For 64bit kernel / 32bit userspace */ #include "../include/linux/netfilter_ipv4/ipt_SAME.h" diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_SNAT.c iptables-1.3.6.0debian1/iptables/extensions/libipt_SNAT.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_SNAT.c 2006-09-28 16:40:32.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_SNAT.c 2007-11-19 11:39:11.000000000 +0000 @@ -6,7 +6,7 @@ #include #include #include -#include +#include /* Source NAT data consists of a multi-range, indicating where to map to. */ diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_connbytes.c iptables-1.3.6.0debian1/iptables/extensions/libipt_connbytes.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_connbytes.c 2006-09-28 16:40:33.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_connbytes.c 2007-11-19 11:39:11.000000000 +0000 @@ -5,7 +5,7 @@ #include #include #include -#include +#include #include /* Function which prints out usage message. */ diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_connlimit.c iptables-1.3.6.0debian1/iptables/extensions/libipt_connlimit.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_connlimit.c 2006-09-28 16:40:33.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_connlimit.c 2007-11-19 11:39:11.000000000 +0000 
@@ -6,7 +6,7 @@ #include #include #include -#include +#include #include /* Function which prints out usage message. */ diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_connrate.c iptables-1.3.6.0debian1/iptables/extensions/libipt_connrate.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_connrate.c 2006-09-28 16:40:34.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_connrate.c 2007-11-19 11:39:11.000000000 +0000 @@ -13,7 +13,7 @@ #include #include #include -#include +#include #include /* Function which prints out usage message. */ diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_conntrack.c iptables-1.3.6.0debian1/iptables/extensions/libipt_conntrack.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_conntrack.c 2006-09-28 16:40:31.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_conntrack.c 2007-11-19 11:39:11.000000000 +0000 @@ -9,8 +9,7 @@ #include #include #include -#include -#include +#include /* For 64bit kernel / 32bit userspace */ #include "../include/linux/netfilter_ipv4/ipt_conntrack.h" diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_set.c iptables-1.3.6.0debian1/iptables/extensions/libipt_set.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_set.c 2006-09-28 16:40:31.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_set.c 2007-11-19 11:39:11.000000000 +0000 @@ -18,7 +18,7 @@ #include #include -#include +#include #include #include "libipt_set.h" diff -Nru iptables-1.3.6.0debian1/iptables/extensions/libipt_state.c iptables-1.3.6.0debian1/iptables/extensions/libipt_state.c --- iptables-1.3.6.0debian1/iptables/extensions/libipt_state.c 2006-09-28 16:40:34.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/extensions/libipt_state.c 2007-11-19 11:39:11.000000000 +0000 
@@ -5,7 +5,7 @@ #include #include #include -#include +#include #include #ifndef IPT_STATE_UNTRACKED diff -Nru iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_common.h iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_common.h --- iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_common.h 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_common.h 2007-11-19 11:39:11.000000000 +0000 
@@ -0,0 +1,135 @@ +#ifndef _NF_CONNTRACK_COMMON_H +#define _NF_CONNTRACK_COMMON_H +/* Connection state tracking for netfilter. This is separated from, + but required by, the NAT layer; it can also be used by an iptables + extension. */ +enum ip_conntrack_info +{ + /* Part of an established connection (either direction). */ + IP_CT_ESTABLISHED, + + /* Like NEW, but related to an existing connection, or ICMP error + (in either direction). */ + IP_CT_RELATED, + + /* Started a new connection to track (only + IP_CT_DIR_ORIGINAL); may be a retransmission. */ + IP_CT_NEW, + + /* >= this indicates reply direction */ + IP_CT_IS_REPLY, + + /* Number of distinct IP_CT types (no NEW in reply dirn). */ + IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 +}; + +/* Bitset representing status of connection. */ +enum ip_conntrack_status { + /* It's an expected connection: bit 0 set. This bit never changed */ + IPS_EXPECTED_BIT = 0, + IPS_EXPECTED = (1 << IPS_EXPECTED_BIT), + + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */ + IPS_SEEN_REPLY_BIT = 1, + IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT), + + /* Conntrack should never be early-expired. */ + IPS_ASSURED_BIT = 2, + IPS_ASSURED = (1 << IPS_ASSURED_BIT), + + /* Connection is confirmed: originating packet has left box */ + IPS_CONFIRMED_BIT = 3, + IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), + + /* Connection needs src nat in orig dir. This bit never changed. */ + IPS_SRC_NAT_BIT = 4, + IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT), + + /* Connection needs dst nat in orig dir. This bit never changed. */ + IPS_DST_NAT_BIT = 5, + IPS_DST_NAT = (1 << IPS_DST_NAT_BIT), + + /* Both together. */ + IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT), + + /* Connection needs TCP sequence adjusted. */ + IPS_SEQ_ADJUST_BIT = 6, + IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT), + + /* NAT initialization bits. 
*/ + IPS_SRC_NAT_DONE_BIT = 7, + IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT), + + IPS_DST_NAT_DONE_BIT = 8, + IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT), + + /* Both together */ + IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE), + + /* Connection is dying (removed from lists), can not be unset. */ + IPS_DYING_BIT = 9, + IPS_DYING = (1 << IPS_DYING_BIT), + + /* Connection has fixed timeout. */ + IPS_FIXED_TIMEOUT_BIT = 10, + IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), +}; + +/* Connection tracking event bits */ +enum ip_conntrack_events +{ + /* New conntrack */ + IPCT_NEW_BIT = 0, + IPCT_NEW = (1 << IPCT_NEW_BIT), + + /* Expected connection */ + IPCT_RELATED_BIT = 1, + IPCT_RELATED = (1 << IPCT_RELATED_BIT), + + /* Destroyed conntrack */ + IPCT_DESTROY_BIT = 2, + IPCT_DESTROY = (1 << IPCT_DESTROY_BIT), + + /* Timer has been refreshed */ + IPCT_REFRESH_BIT = 3, + IPCT_REFRESH = (1 << IPCT_REFRESH_BIT), + + /* Status has changed */ + IPCT_STATUS_BIT = 4, + IPCT_STATUS = (1 << IPCT_STATUS_BIT), + + /* Update of protocol info */ + IPCT_PROTOINFO_BIT = 5, + IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT), + + /* Volatile protocol info */ + IPCT_PROTOINFO_VOLATILE_BIT = 6, + IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT), + + /* New helper for conntrack */ + IPCT_HELPER_BIT = 7, + IPCT_HELPER = (1 << IPCT_HELPER_BIT), + + /* Update of helper info */ + IPCT_HELPINFO_BIT = 8, + IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT), + + /* Volatile helper info */ + IPCT_HELPINFO_VOLATILE_BIT = 9, + IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT), + + /* NAT info */ + IPCT_NATINFO_BIT = 10, + IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), + + /* Counter highest bit has been set */ + IPCT_COUNTER_FILLING_BIT = 11, + IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT), +}; + +enum ip_conntrack_expect_events { + IPEXP_NEW_BIT = 0, + IPEXP_NEW = (1 << IPEXP_NEW_BIT), +}; + +#endif /* _NF_CONNTRACK_COMMON_H */ diff -Nru 
iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_tuple.h iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_tuple.h --- iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_tuple.h 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_tuple.h 2007-11-19 11:39:11.000000000 +0000 
@@ -0,0 +1,103 @@ +/* + * Definitions and Declarations for tuple. + * + * 16 Dec 2003: Yasuyuki Kozakai @USAGI + * - generalize L3 protocol dependent part. + * + * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h + */ + +#ifndef _NF_CONNTRACK_TUPLE_H +#define _NF_CONNTRACK_TUPLE_H + +#include + +/* A `tuple' is a structure containing the information to uniquely + identify a connection. ie. if two packets have the same tuple, they + are in the same connection; if not, they are not. + + We divide the structure along "manipulatable" and + "non-manipulatable" lines, for the benefit of the NAT code. +*/ + +#define NF_CT_TUPLE_L3SIZE 4 + +/* The l3 protocol-specific manipulable parts of the tuple: always in + network order! */ +union nf_conntrack_address { + u_int32_t all[NF_CT_TUPLE_L3SIZE]; + __be32 ip; + __be32 ip6[4]; +}; + +/* The protocol-specific manipulable parts of the tuple: always in + network order! */ +union nf_conntrack_man_proto +{ + /* Add other protocols here. */ + u_int16_t all; + + struct { + __be16 port; + } tcp; + struct { + __be16 port; + } udp; + struct { + __be16 id; + } icmp; + struct { + __be16 port; + } sctp; + struct { + __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */ + } gre; +}; + +/* The manipulable part of the tuple. */ +struct nf_conntrack_man +{ + union nf_conntrack_address u3; + union nf_conntrack_man_proto u; + /* Layer 3 protocol */ + u_int16_t l3num; +}; + +/* This contains the information to distinguish a connection. */ +struct nf_conntrack_tuple +{ + struct nf_conntrack_man src; + + /* These are the parts of the tuple which are fixed. */ + struct { + union nf_conntrack_address u3; + union { + /* Add other protocols here. */ + u_int16_t all; + + struct { + __be16 port; + } tcp; + struct { + __be16 port; + } udp; + struct { + u_int8_t type, code; + } icmp; + struct { + __be16 port; + } sctp; + struct { + __be16 key; + } gre; + } u; + + /* The protocol. 
*/ + u_int8_t protonum; + + /* The direction (for tuplehash) */ + u_int8_t dir; + } dst; +}; + +#endif /* _NF_CONNTRACK_TUPLE_H */ diff -Nru iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_tuple_common.h iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_tuple_common.h --- iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_tuple_common.h 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_conntrack_tuple_common.h 2007-11-19 11:39:11.000000000 +0000 @@ -0,0 +1,13 @@ +#ifndef _NF_CONNTRACK_TUPLE_COMMON_H +#define _NF_CONNTRACK_TUPLE_COMMON_H + +enum ip_conntrack_dir +{ + IP_CT_DIR_ORIGINAL, + IP_CT_DIR_REPLY, + IP_CT_DIR_MAX +}; + +#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL) + +#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */ diff -Nru iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_nat.h iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_nat.h --- iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_nat.h 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/include/linux/netfilter/nf_nat.h 2007-11-19 11:39:11.000000000 +0000 
@@ -0,0 +1,45 @@ +#ifndef _NF_NAT_H +#define _NF_NAT_H +#include +#include + +#define NF_NAT_MAPPING_TYPE_MAX_NAMELEN 16 + +enum nf_nat_manip_type +{ + IP_NAT_MANIP_SRC, + IP_NAT_MANIP_DST +}; + +/* SRC manip occurs POST_ROUTING or LOCAL_IN */ +#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN) + +#define IP_NAT_RANGE_MAP_IPS 1 +#define IP_NAT_RANGE_PROTO_SPECIFIED 2 +#define IP_NAT_RANGE_PROTO_RANDOM 4 + +/* Single range specification. */ +struct nf_nat_range +{ + /* Set to OR of flags above. */ + unsigned int flags; + + /* Inclusive: network order. */ + __be32 min_ip, max_ip; + + /* Inclusive: network order */ + union nf_conntrack_man_proto min, max; +}; + +/* For backwards compat: don't use in modern code. */ +struct nf_nat_multi_range_compat +{ + unsigned int rangesize; /* Must be 1. */ + + /* hangs off end. */ + struct nf_nat_range range[1]; +}; + +#define ip_nat_range nf_nat_range +#define ip_nat_multi_range nf_nat_multi_range_compat +#endif diff -Nru iptables-1.3.6.0debian1/iptables/include/linux/netfilter_ipv4/ipt_conntrack.h iptables-1.3.6.0debian1/iptables/include/linux/netfilter_ipv4/ipt_conntrack.h --- iptables-1.3.6.0debian1/iptables/include/linux/netfilter_ipv4/ipt_conntrack.h 2006-09-28 16:40:11.000000000 +0000 +++ iptables-1.3.6.0debian1/iptables/include/linux/netfilter_ipv4/ipt_conntrack.h 2007-11-19 11:39:11.000000000 +0000 @@ -5,7 +5,7 @@ #ifndef _IPT_CONNTRACK_H #define _IPT_CONNTRACK_H -#include +#include /* backwards compatibility crap. only exists in userspace - HW */ #include diff -Nru iptables-1.3.6.0debian1/patches/all/012-2.6.22-headers-fix.patch iptables-1.3.6.0debian1/patches/all/012-2.6.22-headers-fix.patch --- iptables-1.3.6.0debian1/patches/all/012-2.6.22-headers-fix.patch 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.3.6.0debian1/patches/all/012-2.6.22-headers-fix.patch 2007-11-19 11:39:11.000000000 +0000 
@@ -0,0 +1,472 @@
+Index: include/linux/netfilter/nf_conntrack_common.h
+===================================================================
+--- include/linux/netfilter/nf_conntrack_common.h (revision 0)
++++ include/linux/netfilter/nf_conntrack_common.h (revision 6801)
+@@ -0,0 +1,135 @@
++#ifndef _NF_CONNTRACK_COMMON_H
++#define _NF_CONNTRACK_COMMON_H
++/* Connection state tracking for netfilter. This is separated from,
++ but required by, the NAT layer; it can also be used by an iptables
++ extension. */
++enum ip_conntrack_info
++{
++ /* Part of an established connection (either direction). */
++ IP_CT_ESTABLISHED,
++
++ /* Like NEW, but related to an existing connection, or ICMP error
++ (in either direction). */
++ IP_CT_RELATED,
++
++ /* Started a new connection to track (only
++ IP_CT_DIR_ORIGINAL); may be a retransmission. */
++ IP_CT_NEW,
++
++ /* >= this indicates reply direction */
++ IP_CT_IS_REPLY,
++
++ /* Number of distinct IP_CT types (no NEW in reply dirn). */
++ IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
++};
++
++/* Bitset representing status of connection. */
++enum ip_conntrack_status {
++ /* It's an expected connection: bit 0 set. This bit never changed */
++ IPS_EXPECTED_BIT = 0,
++ IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
++
++ /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
++ IPS_SEEN_REPLY_BIT = 1,
++ IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
++
++ /* Conntrack should never be early-expired. */
++ IPS_ASSURED_BIT = 2,
++ IPS_ASSURED = (1 << IPS_ASSURED_BIT),
++
++ /* Connection is confirmed: originating packet has left box */
++ IPS_CONFIRMED_BIT = 3,
++ IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
++
++ /* Connection needs src nat in orig dir. This bit never changed. */
++ IPS_SRC_NAT_BIT = 4,
++ IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
++
++ /* Connection needs dst nat in orig dir. This bit never changed. */
++ IPS_DST_NAT_BIT = 5,
++ IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
++
++ /* Both together.
*/
++ IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
++
++ /* Connection needs TCP sequence adjusted. */
++ IPS_SEQ_ADJUST_BIT = 6,
++ IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
++
++ /* NAT initialization bits. */
++ IPS_SRC_NAT_DONE_BIT = 7,
++ IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
++
++ IPS_DST_NAT_DONE_BIT = 8,
++ IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
++
++ /* Both together */
++ IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
++
++ /* Connection is dying (removed from lists), can not be unset. */
++ IPS_DYING_BIT = 9,
++ IPS_DYING = (1 << IPS_DYING_BIT),
++
++ /* Connection has fixed timeout. */
++ IPS_FIXED_TIMEOUT_BIT = 10,
++ IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
++};
++
++/* Connection tracking event bits */
++enum ip_conntrack_events
++{
++ /* New conntrack */
++ IPCT_NEW_BIT = 0,
++ IPCT_NEW = (1 << IPCT_NEW_BIT),
++
++ /* Expected connection */
++ IPCT_RELATED_BIT = 1,
++ IPCT_RELATED = (1 << IPCT_RELATED_BIT),
++
++ /* Destroyed conntrack */
++ IPCT_DESTROY_BIT = 2,
++ IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
++
++ /* Timer has been refreshed */
++ IPCT_REFRESH_BIT = 3,
++ IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
++
++ /* Status has changed */
++ IPCT_STATUS_BIT = 4,
++ IPCT_STATUS = (1 << IPCT_STATUS_BIT),
++
++ /* Update of protocol info */
++ IPCT_PROTOINFO_BIT = 5,
++ IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
++
++ /* Volatile protocol info */
++ IPCT_PROTOINFO_VOLATILE_BIT = 6,
++ IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
++
++ /* New helper for conntrack */
++ IPCT_HELPER_BIT = 7,
++ IPCT_HELPER = (1 << IPCT_HELPER_BIT),
++
++ /* Update of helper info */
++ IPCT_HELPINFO_BIT = 8,
++ IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
++
++ /* Volatile helper info */
++ IPCT_HELPINFO_VOLATILE_BIT = 9,
++ IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
++
++ /* NAT info */
++ IPCT_NATINFO_BIT = 10,
++ IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
++
++ /* Counter highest bit has been set */
++ IPCT_COUNTER_FILLING_BIT = 11,
++ IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
++};
++
++enum ip_conntrack_expect_events {
++ IPEXP_NEW_BIT = 0,
++ IPEXP_NEW = (1 << IPEXP_NEW_BIT),
++};
++
++#endif /* _NF_CONNTRACK_COMMON_H */
+Index: include/linux/netfilter/nf_conntrack_tuple.h
+===================================================================
+--- include/linux/netfilter/nf_conntrack_tuple.h (revision 0)
++++ include/linux/netfilter/nf_conntrack_tuple.h (revision 6801)
+@@ -0,0 +1,103 @@
++/*
++ * Definitions and Declarations for tuple.
++ *
++ * 16 Dec 2003: Yasuyuki Kozakai @USAGI
++ * - generalize L3 protocol dependent part.
++ *
++ * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h
++ */
++
++#ifndef _NF_CONNTRACK_TUPLE_H
++#define _NF_CONNTRACK_TUPLE_H
++
++#include
++
++/* A `tuple' is a structure containing the information to uniquely
++ identify a connection. ie. if two packets have the same tuple, they
++ are in the same connection; if not, they are not.
++
++ We divide the structure along "manipulatable" and
++ "non-manipulatable" lines, for the benefit of the NAT code.
++*/
++
++#define NF_CT_TUPLE_L3SIZE 4
++
++/* The l3 protocol-specific manipulable parts of the tuple: always in
++ network order! */
++union nf_conntrack_address {
++ u_int32_t all[NF_CT_TUPLE_L3SIZE];
++ __be32 ip;
++ __be32 ip6[4];
++};
++
++/* The protocol-specific manipulable parts of the tuple: always in
++ network order! */
++union nf_conntrack_man_proto
++{
++ /* Add other protocols here. */
++ u_int16_t all;
++
++ struct {
++ __be16 port;
++ } tcp;
++ struct {
++ __be16 port;
++ } udp;
++ struct {
++ __be16 id;
++ } icmp;
++ struct {
++ __be16 port;
++ } sctp;
++ struct {
++ __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
++ } gre;
++};
++
++/* The manipulable part of the tuple.
*/
++struct nf_conntrack_man
++{
++ union nf_conntrack_address u3;
++ union nf_conntrack_man_proto u;
++ /* Layer 3 protocol */
++ u_int16_t l3num;
++};
++
++/* This contains the information to distinguish a connection. */
++struct nf_conntrack_tuple
++{
++ struct nf_conntrack_man src;
++
++ /* These are the parts of the tuple which are fixed. */
++ struct {
++ union nf_conntrack_address u3;
++ union {
++ /* Add other protocols here. */
++ u_int16_t all;
++
++ struct {
++ __be16 port;
++ } tcp;
++ struct {
++ __be16 port;
++ } udp;
++ struct {
++ u_int8_t type, code;
++ } icmp;
++ struct {
++ __be16 port;
++ } sctp;
++ struct {
++ __be16 key;
++ } gre;
++ } u;
++
++ /* The protocol. */
++ u_int8_t protonum;
++
++ /* The direction (for tuplehash) */
++ u_int8_t dir;
++ } dst;
++};
++
++#endif /* _NF_CONNTRACK_TUPLE_H */
+Index: include/linux/netfilter/nf_nat.h
+===================================================================
+--- include/linux/netfilter/nf_nat.h (revision 0)
++++ include/linux/netfilter/nf_nat.h (revision 6801)
+@@ -0,0 +1,45 @@
++#ifndef _NF_NAT_H
++#define _NF_NAT_H
++#include
++#include
++
++#define NF_NAT_MAPPING_TYPE_MAX_NAMELEN 16
++
++enum nf_nat_manip_type
++{
++ IP_NAT_MANIP_SRC,
++ IP_NAT_MANIP_DST
++};
++
++/* SRC manip occurs POST_ROUTING or LOCAL_IN */
++#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN)
++
++#define IP_NAT_RANGE_MAP_IPS 1
++#define IP_NAT_RANGE_PROTO_SPECIFIED 2
++#define IP_NAT_RANGE_PROTO_RANDOM 4
++
++/* Single range specification. */
++struct nf_nat_range
++{
++ /* Set to OR of flags above. */
++ unsigned int flags;
++
++ /* Inclusive: network order. */
++ __be32 min_ip, max_ip;
++
++ /* Inclusive: network order */
++ union nf_conntrack_man_proto min, max;
++};
++
++/* For backwards compat: don't use in modern code. */
++struct nf_nat_multi_range_compat
++{
++ unsigned int rangesize; /* Must be 1. */
++
++ /* hangs off end.
*/
++ struct nf_nat_range range[1];
++};
++
++#define ip_nat_range nf_nat_range
++#define ip_nat_multi_range nf_nat_multi_range_compat
++#endif
+Index: include/linux/netfilter/nf_conntrack_tuple_common.h
+===================================================================
+--- include/linux/netfilter/nf_conntrack_tuple_common.h (revision 0)
++++ include/linux/netfilter/nf_conntrack_tuple_common.h (revision 6801)
+@@ -0,0 +1,13 @@
++#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
++#define _NF_CONNTRACK_TUPLE_COMMON_H
++
++enum ip_conntrack_dir
++{
++ IP_CT_DIR_ORIGINAL,
++ IP_CT_DIR_REPLY,
++ IP_CT_DIR_MAX
++};
++
++#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
++
++#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
+Index: include/linux/netfilter_ipv4/ipt_conntrack.h
+===================================================================
+--- include/linux/netfilter_ipv4/ipt_conntrack.h (revision 6800)
++++ include/linux/netfilter_ipv4/ipt_conntrack.h (revision 6801)
+@@ -5,7 +5,7 @@
+ #ifndef _IPT_CONNTRACK_H
+ #define _IPT_CONNTRACK_H
+
+-#include
++#include
+
+ /* backwards compatibility crap. only exists in userspace - HW */
+ #include
+Index: extensions/libipt_conntrack.c
+===================================================================
+--- extensions/libipt_conntrack.c (revision 6800)
++++ extensions/libipt_conntrack.c (revision 6801)
+@@ -9,7 +9,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+ #include
+ /* For 64bit kernel / 32bit userspace */
+ #include "../include/linux/netfilter_ipv4/ipt_conntrack.h"
+Index: extensions/libipt_REDIRECT.c
+===================================================================
+--- extensions/libipt_REDIRECT.c (revision 6800)
++++ extensions/libipt_REDIRECT.c (revision 6801)
+@@ -6,7 +6,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+
+ /* Function which prints out usage message.
*/
+ static void
+Index: extensions/libipt_MASQUERADE.c
+===================================================================
+--- extensions/libipt_MASQUERADE.c (revision 6800)
++++ extensions/libipt_MASQUERADE.c (revision 6801)
+@@ -6,7 +6,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+
+ /* Function which prints out usage message. */
+ static void
+Index: extensions/libipt_connbytes.c
+===================================================================
+--- extensions/libipt_connbytes.c (revision 6800)
++++ extensions/libipt_connbytes.c (revision 6801)
+@@ -5,7 +5,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+ #include
+
+ /* Function which prints out usage message. */
+Index: extensions/libipt_SNAT.c
+===================================================================
+--- extensions/libipt_SNAT.c (revision 6800)
++++ extensions/libipt_SNAT.c (revision 6801)
+@@ -6,7 +6,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+
+ #define IPT_SNAT_OPT_SOURCE 0x01
+ #ifdef IP_NAT_RANGE_PROTO_RANDOM
+Index: extensions/libip6t_state.c
+===================================================================
+--- extensions/libip6t_state.c (revision 6800)
++++ extensions/libip6t_state.c (revision 6801)
+@@ -5,7 +5,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+ #include
+
+ #ifndef IPT_STATE_UNTRACKED
+Index: extensions/libipt_connrate.c
+===================================================================
+--- extensions/libipt_connrate.c (revision 6800)
++++ extensions/libipt_connrate.c (revision 6801)
+@@ -13,7 +13,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+ #include
+
+ /* Function which prints out usage message.
*/
+Index: extensions/libipt_state.c
+===================================================================
+--- extensions/libipt_state.c (revision 6800)
++++ extensions/libipt_state.c (revision 6801)
+@@ -5,7 +5,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+ #include
+
+ #ifndef IPT_STATE_UNTRACKED
+Index: extensions/libipt_SAME.c
+===================================================================
+--- extensions/libipt_SAME.c (revision 6800)
++++ extensions/libipt_SAME.c (revision 6801)
+@@ -6,7 +6,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+ /* For 64bit kernel / 32bit userspace */
+ #include "../include/linux/netfilter_ipv4/ipt_SAME.h"
+
+Index: extensions/libipt_NETMAP.c
+===================================================================
+--- extensions/libipt_NETMAP.c (revision 6800)
++++ extensions/libipt_NETMAP.c (revision 6801)
+@@ -9,7 +9,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+
+ #define MODULENAME "NETMAP"
+
+Index: extensions/libipt_DNAT.c
+===================================================================
+--- extensions/libipt_DNAT.c (revision 6800)
++++ extensions/libipt_DNAT.c (revision 6801)
+@@ -6,7 +6,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+
+ /* Dest NAT data consists of a multi-range, indicating where to map
+ to. */
diff -Nru iptables-1.3.6.0debian1/patches/all/090-enable-ipv6-rt.patch iptables-1.3.6.0debian1/patches/all/090-enable-ipv6-rt.patch
--- iptables-1.3.6.0debian1/patches/all/090-enable-ipv6-rt.patch 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.3.6.0debian1/patches/all/090-enable-ipv6-rt.patch 2007-11-19 11:39:11.000000000 +0000
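Review bot: The header and include changes carried in 012-2.6.22-headers-fix.patch are also applied directly to the tree in this same debdiff (nf_nat.h and nf_conntrack_tuple_common.h appear once as plain additions under iptables/include/ and again inside this patch), so the package now holds two copies that can drift apart. If the build applies patches/all/ on top of the shipped tree, the `(revision 0)` sections would try to create files that already exist; how debian/rules handles this is outside the hunk. I would keep a single source of truth, either the patch or the patched tree, and record the choice in a short description at the top of the patch file.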
@@ -0,0 +1,11 @@
+--- old/iptables/extensions/Makefile 2007-07-04 17:06:44.000000000 -0700
++++ new/iptables/extensions/Makefile 2007-07-04 17:06:38.000000000 -0700
+@@ -6,7 +6,7 @@
+ # package (HW)
+ #
+ PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
+-PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
++PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy rt standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
+
+ ifeq ($(DO_SELINUX), 1)
+ PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
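Review bot: The paths in 090-enable-ipv6-rt.patch (`old/iptables/extensions/Makefile`, `new/iptables/extensions/Makefile`) sit at a different depth from the ones in 012-2.6.22-headers-fix.patch (`include/linux/...`, `extensions/...`), so the two files in patches/all/ cannot both apply from the same directory with the same strip level. Whether the apply step compensates is not visible here. I would regenerate this patch relative to the iptables source root so its header reads `--- extensions/Makefile`, and add a one-line description at the top saying that it enables the IPv6 `rt` match extension.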