8622e1cf | 1 | diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h |
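--- a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
@@ -62,6 +62,14 @@
 } dst;
 };
 
+/* This is optimized opposed to a memset of the whole structure. Everything we
+ * really care about is the source/destination unions */
+#define IP_CT_TUPLE_BLANK(tuple) \
+ do { \
+ (tuple)->src.u.all = 0; \
+ (tuple)->dst.u.all = 0; \
+ } while (0)
+
 enum ip_conntrack_dir
 {
 IP_CT_DIR_ORIGINAL,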
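Review bot: IP_CT_TUPLE_BLANK leaves every byte of the tuple other than src.u.all and dst.u.all untouched, including any padding, so it is only a safe stand-in for a memset while every consumer of the tuple compares and hashes it field by field rather than over its raw bytes, and while every caller sets src.ip, dst.ip and dst.protonum itself. The macro comment should state that precondition, e.g. `/* Zeroes only the protocol unions: callers must set src.ip, dst.ip and dst.protonum, and nothing may memcmp/jhash the raw struct bytes */`. The getorigdst hunk in ip_conntrack_core.c (second hunk of that file) is the caller that relies on this; it does assign the three remaining fields explicitly.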
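--- a/include/linux/netfilter_ipv4/ipt_sctp.h
+++ b/include/linux/netfilter_ipv4/ipt_sctp.h
@@ -0,0 +1,25 @@
+/* iptables module for matching the SCTP header
+ *
+ * (C) 2003 Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * $Id$
+ */
+#ifndef _IPT_SCTP_H
+#define _IPT_SCTP_H
+
+struct ipt_sctp_info {
+ u_int16_t spts[2]; /* Souce port range */
+ u_int16_t dpts[2]; /* Destination port range */
+ u_int32_t chunks; /* chunks to be matched */
+ u_int32_t chunk_mask; /* chunk mask to be matched */
+ u_int8_t invflags; /* Inverse flags */
+};
+
+#define IPT_SCTP_INV_SRCPT 0x01 /* Invert the sense of source ports */
+#define IPT_SCTP_INV_DSTPT 0x02 /* Invert the sense of dest ports */
+#define IPT_SCTP_INV_CHUNKS 0x03 /* Invert the sense of chunks */
+#define IPT_SCTP_INV_MASK 0x03 /* All possible flags */
+
+#endif /* _IPT_SCTP_H */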
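Review bot: `IPT_SCTP_INV_CHUNKS` is defined as 0x03, which is `IPT_SCTP_INV_SRCPT | IPT_SCTP_INV_DSTPT` rather than its own bit, so a rule that asks to invert the chunk match would instead invert both port checks, and `IPT_SCTP_INV_MASK` at 0x03 leaves no room for a third flag. The definitions should be `#define IPT_SCTP_INV_CHUNKS 0x04` and `#define IPT_SCTP_INV_MASK 0x07`. The struct uses u_int16_t/u_int32_t/u_int8_t without including <linux/types.h>, which presumably only works when the includer pulls that in first; and `Souce` in the spts comment is a typo.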
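--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -215,6 +215,15 @@
 If you want to compile it as a module, say M here and read
 Documentation/modules.txt. If unsure, say `N'.
 
+config IP_NF_MATCH_SCTP
+ tristate "SCTP match support"
+ depends on IP_NF_IPTABLES
+ help
+ This match allows iptables to match on the SCTP header.
+
+ If you want to compile it as a module, say M here and read
+ <file:Documentation/modules.txt>. If unsure, say `N'.
+
 config IP_NF_MATCH_LENGTH
 tristate "LENGTH match support"
 depends on IP_NF_IPTABLES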
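--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -40,6 +40,7 @@
 obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
 
 # matches
+obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o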
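--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -29,8 +29,7 @@
 #include <linux/slab.h>
 #include <linux/random.h>
 #include <linux/jhash.h>
-/* For ERR_PTR(). Yeah, I know... --RR */
-#include <linux/fs.h>
+#include <linux/err.h>
 
 /* This rwlock protects the main hash table, protocol/helper/expected
 registrations, conntrack timers*/
@@ -1276,11 +1275,14 @@
 {
 struct inet_opt *inet = inet_sk(sk);
 struct ip_conntrack_tuple_hash *h;
- struct ip_conntrack_tuple tuple = { { inet->rcv_saddr,
- { .tcp = { inet->sport } } },
- { inet->daddr,
- { .tcp = { inet->dport } },
- IPPROTO_TCP } };
+ struct ip_conntrack_tuple tuple;
+
+ IP_CT_TUPLE_BLANK(&tuple);
+ tuple.src.ip = inet->rcv_saddr;
+ tuple.src.u.tcp.port = inet->sport;
+ tuple.dst.ip = inet->daddr;
+ tuple.dst.u.tcp.port = inet->dport;
+ tuple.dst.protonum = IPPROTO_TCP;
 
 /* We only do TCP at the moment: is there a better way? */
 if (strcmp(sk->sk_prot->name, "TCP")) {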
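Review bot: The rewritten tuple fill in the second hunk (presumably getorigdst, going by the patch list) writes the TCP port fields into the tuple before the `strcmp(sk->sk_prot->name, "TCP")` check that follows, so non-TCP sockets get a fully built TCP tuple that is then thrown away. Either move `IP_CT_TUPLE_BLANK(&tuple);` and the five assignments below that check, or add `/* TCP only: the protocol-name check below rejects anything else */` above them so the order reads as intentional. The enclosing function begins before and ends after the hunk.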
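--- a/net/ipv4/netfilter/ip_conntrack_tftp.c
+++ b/net/ipv4/netfilter/ip_conntrack_tftp.c
@@ -97,8 +97,6 @@
 
 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
 /* Create helper structure */
- memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
-
 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
 tftp[i].mask.dst.protonum = 0xFFFF;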
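Review bot: Dropping the memset is only correct if `tftp[i]` is already zero-filled when this loop runs, which holds for static storage but is not visible in the hunk; a one-line comment above the loop, `/* tftp[] is static and therefore already zeroed; only the non-zero fields are set here */`, would stop the next reader from putting the memset back. The same applies to the ip_nat_amanda.c hunk (`hlpr`, pointing at ip_nat_amanda_helper) and the ip_nat_tftp.c hunk. The enclosing init functions start outside these hunks.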
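--- a/net/ipv4/netfilter/ip_nat_amanda.c
+++ b/net/ipv4/netfilter/ip_nat_amanda.c
@@ -195,8 +195,6 @@
 struct ip_nat_helper *hlpr;
 
 hlpr = &ip_nat_amanda_helper;
- memset(hlpr, 0, sizeof(struct ip_nat_helper));
-
 hlpr->tuple.dst.protonum = IPPROTO_UDP;
 hlpr->tuple.src.u.udp.port = htons(10080);
 hlpr->mask.src.u.udp.port = 0xFFFF;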
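--- a/net/ipv4/netfilter/ip_nat_tftp.c
+++ b/net/ipv4/netfilter/ip_nat_tftp.c
@@ -164,8 +164,6 @@
 ports[0] = TFTP_PORT;
 
 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
- memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
-
 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
 tftp[i].mask.dst.protonum = 0xFFFF;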
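--- a/net/ipv4/netfilter/ipt_sctp.c
+++ b/net/ipv4/netfilter/ipt_sctp.c
@@ -0,0 +1,125 @@
+/* IP tables module for matching the SCTP header
+ *
+ * $ipt_sctp.c,v 1.3 2002/05/29 15:09:00 laforge Exp$
+ *
+ * (C) 2003 by Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under the terms GNU GPL v2
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/sctp.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_sctp.h>
+
+MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
+MODULE_DESCRIPTION("IP tables SCTP matching module");
+MODULE_LICENSE("GPL");
+
+/* Returns 1 if the port is matched by the range, 0 otherwise */
+static inline int
+port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
+{
+ int ret;
+
+ ret = (port >= min && port <= max) ^ invert;
+ return ret;
+}
+
+static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
+{
+ sctp_chunkhdr_t *ch = (sctp_chunkhdr_t *) skb->data;
+
+ u_int32_t chunks_present = 0;
+
+ do {
+ u_int8_t *ch_end;
+ ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length));
+
+ if (ch->type < 32)
+ chunks_present |= (1 << ch_type);
+ else if (ch->type == SCTP_CID_ASCONF)
+ chunks_present |= (1 << 31);
+ else if (ch->type == SCTP_CID_ASCONF_ACK)
+ chunks_present |= (1 << 30);
+
+ ch = (sctp_chunkhdr_t *) ch_end;
+ } while (ch_end < skb->tail);
+
+ return ((chunks_present& chunk_mask) == chunks);
+}
+
+static int match(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const void *matchinfo,
+ int offset, const void *hdr, u_int16_t datalen,
+ int *hotdrop)
+{
+ const struct ipt_sctp_info *info = matchinfo;
+ const struct iphdr *iph = skb->nh.iph;
+ const struct sctphdr *sh = (struct sctphdr *) skb->h.raw;
+
+ if (iph->protocol != IPPROTO_SCTP)
+ return 0;
+
+ if (offset == 1) {
+ duprintf("Dropping evil SCTP offset=1 frag.\n");
+ *hotdrop = 1;
+ return 0;
+ } else if (offset == 0 && datalen < sizeof(struct sctphdr)) {
+ /* We've been askd o examine this packet, and we can't.
+ * Hence, no choice but to drop. */
+ duprintf("Dropping evil SCTP offset=0 tinygram.\n");
+ *hotdrop = 1;
+ return 0;
+ }
+
+ return (!offset
+ && port_match(info->spts[0], info->spts[1],
+ ntohs(sh->source),
+ !!(info->invflags & IPT_SCTP_INV_SRCPT))
+ && port_match(info->dpts[0], info->dpts[1],
+ ntohs(sh->dest),
+ !!(info->invflags & IPT_SCTP_INV_DSTPT))
+ && chunk_match(skb, info->chunks, info->chunk_mask)
+ );
+}
+
+static int checkentry(const char *tablename, const struct ipt_ip *ip,
+ void *matchinfo, unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ const struct ipt_sctp_info *info = matchinfo;
+
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_sctp_info)))
+ return 0;
+
+ if (ip->proto != IPPROTO_SCTP && !(ip->invflags & IPT_INV_PROTO))
+ return 0;
+
+ if !(info->invflags & ~IPT_SCTP_INV_MASK)
+ return 0;
+
+ return 1;
+}
+
+static struct ipt_match sctp_match = {
+ .name = "sctp",
+ .match = &match,
+ .checkentry = &checkentry,
+ .me = THIS_MODULE,
+};
+
+static int __init init(void)
+{
+ return ipt_register_match(&sctp_match);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_match(&sctp_match);
+}
+
+module_init(init);
+module_exit(fini);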
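--- a/netfilter-patch-o-matic/patches
+++ b/netfilter-patch-o-matic/patches
@@ -0,0 +1,14 @@
+./base/01_sctp_match.patch
+./pending/23_REJECT-headroom-tcprst.patch
+./pending/24_rcu.patch
+./pending/25-err-ptr.patch
+./pending/26-memsets.patch
+./pending/27_getorigdst-tuple-zero.patch
+./submitted/02_REJECT-headroom-tcprst.patch
+./submitted/03_260t4-mirror-remove.patch
+./submitted/04_260t4-unclean-remove.patch
+./submitted/05_260t4-unexperimental.patch
+./submitted/06_260t4-cosmetic.patch
+./submitted/07_260t4-newmodules_iprange_SAME_NETMAP_CLASSIFY.patch
+./submitted/08_260t4_ipt-helper-kconfig.patch
+./submitted/09_260t4-cosmetic-physdev-author.patch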