[packages/kernel.git] / 2.6.0-t5-netfilter-1.2.8_20030923.patch

diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
--- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h	Mon Sep  8 19:50:18 2003
+++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h	Tue Sep 23 12:56:40 2003
@@ -62,6 +62,14 @@
 	} dst;
 };
 
+/* This is optimized opposed to a memset of the whole structure.  Everything we
+ * really care about is the  source/destination unions */
+#define IP_CT_TUPLE_BLANK(tuple) 				\
+	do {							\
+		(tuple)->src.u.all = 0;				\
+		(tuple)->dst.u.all = 0;				\
+	} while (0)
+
 enum ip_conntrack_dir
 {
 	IP_CT_DIR_ORIGINAL,
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h
--- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h	Thu Jan  1 00:00:00 1970
+++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h	Tue Sep 23 12:56:47 2003
@@ -0,0 +1,25 @@
+/* iptables module for matching the SCTP header
+ *
+ * (C) 2003 Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * $Id$
+ */
+#ifndef _IPT_SCTP_H
+#define _IPT_SCTP_H
+
+struct ipt_sctp_info {
+	u_int16_t spts[2];			/* Souce port range */
+	u_int16_t dpts[2];			/* Destination port range */
+	u_int32_t chunks;			/* chunks to be matched */
+	u_int32_t chunk_mask;			/* chunk mask to be matched */
+	u_int8_t invflags;			/* Inverse flags */
+};
+
+#define IPT_SCTP_INV_SRCPT	0x01	/* Invert the sense of source ports */
+#define IPT_SCTP_INV_DSTPT	0x02	/* Invert the sense of dest ports */
+#define IPT_SCTP_INV_CHUNKS	0x03	/* Invert the sense of chunks */
+#define IPT_SCTP_INV_MASK	0x03	/* All possible flags */
+
+#endif /* _IPT_SCTP_H */
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig linux-2.6.0-test5/net/ipv4/netfilter/Kconfig
--- linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig	Mon Sep  8 19:50:21 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/Kconfig	Tue Sep 23 12:56:47 2003
@@ -215,6 +215,15 @@
 	  If you want to compile it as a module, say M here and read
 	  Documentation/modules.txt.  If unsure, say `N'.
 
+config IP_NF_MATCH_SCTP
+	tristate "SCTP match support"
+	depends on IP_NF_IPTABLES
+	help
+	  This match allows iptables to match on the SCTP header.
+
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/modules.txt>. If unsure, say `N'.
+
 config IP_NF_MATCH_LENGTH
 	tristate "LENGTH match support"
 	depends on IP_NF_IPTABLES
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile linux-2.6.0-test5/net/ipv4/netfilter/Makefile
--- linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile	Mon Sep  8 19:49:57 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/Makefile	Tue Sep 23 12:56:48 2003
@@ -40,6 +40,7 @@
 obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
 
 # matches
+obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c	Mon Sep  8 19:49:50 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c	Tue Sep 23 12:56:40 2003
@@ -29,8 +29,7 @@
 #include <linux/slab.h>
 #include <linux/random.h>
 #include <linux/jhash.h>
-/* For ERR_PTR().  Yeah, I know... --RR */
-#include <linux/fs.h>
+#include <linux/err.h>
 
 /* This rwlock protects the main hash table, protocol/helper/expected
    registrations, conntrack timers*/
@@ -1276,11 +1275,14 @@
 {
 	struct inet_opt *inet = inet_sk(sk);
 	struct ip_conntrack_tuple_hash *h;
-	struct ip_conntrack_tuple tuple = { { inet->rcv_saddr,
-						{ .tcp = { inet->sport } } },
-					    { inet->daddr,
-						{ .tcp = { inet->dport } },
-					      IPPROTO_TCP } };
+	struct ip_conntrack_tuple tuple;
+	
+	IP_CT_TUPLE_BLANK(&tuple);
+	tuple.src.ip = inet->rcv_saddr;
+	tuple.src.u.tcp.port = inet->sport;
+	tuple.dst.ip = inet->daddr;
+	tuple.dst.u.tcp.port = inet->dport;
+	tuple.dst.protonum = IPPROTO_TCP;
 
 	/* We only do TCP at the moment: is there a better way? */
 	if (strcmp(sk->sk_prot->name, "TCP")) {
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c	Mon Sep  8 19:50:01 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c	Tue Sep 23 12:56:33 2003
@@ -97,8 +97,6 @@
 
 	for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
 		/* Create helper structure */
-		memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
-
 		tftp[i].tuple.dst.protonum = IPPROTO_UDP;
 		tftp[i].tuple.src.u.udp.port = htons(ports[i]);
 		tftp[i].mask.dst.protonum = 0xFFFF;
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c	Tue Sep 23 12:09:22 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c	Tue Sep 23 12:56:33 2003
@@ -195,8 +195,6 @@
 	struct ip_nat_helper *hlpr;
 
 	hlpr = &ip_nat_amanda_helper;
-	memset(hlpr, 0, sizeof(struct ip_nat_helper));
-
 	hlpr->tuple.dst.protonum = IPPROTO_UDP;
 	hlpr->tuple.src.u.udp.port = htons(10080);
 	hlpr->mask.src.u.udp.port = 0xFFFF;
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c	Tue Sep 23 12:09:22 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c	Tue Sep 23 12:56:33 2003
@@ -164,8 +164,6 @@
 		ports[0] = TFTP_PORT;
 
 	for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
-		memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
-
 		tftp[i].tuple.dst.protonum = IPPROTO_UDP;
 		tftp[i].tuple.src.u.udp.port = htons(ports[i]);
 		tftp[i].mask.dst.protonum = 0xFFFF;
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c	Thu Jan  1 00:00:00 1970
+++ linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c	Tue Sep 23 12:56:47 2003
@@ -0,0 +1,125 @@
+/* IP tables module for matching the SCTP header
+ *
+ * $ipt_sctp.c,v 1.3 2002/05/29 15:09:00 laforge Exp$
+ *
+ * (C) 2003 by Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under the terms GNU GPL v2
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/sctp.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_sctp.h>
+
+MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
+MODULE_DESCRIPTION("IP tables SCTP matching module");
+MODULE_LICENSE("GPL");
+
+/* Returns 1 if the port is matched by the range, 0 otherwise */
+static inline int
+port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
+{
+	int ret;
+
+	ret = (port >= min && port <= max) ^ invert;
+	return ret;
+}
+
+static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
+{
+	sctp_chunkhdr_t *ch = (sctp_chunkhdr_t *) skb->data;
+
+	u_int32_t chunks_present = 0;
+
+	do {
+		u_int8_t *ch_end;
+		ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length));
+
+		if (ch->type < 32)
+			chunks_present |= (1 << ch_type);
+		else if (ch->type == SCTP_CID_ASCONF)
+			chunks_present |= (1 << 31);
+		else if (ch->type == SCTP_CID_ASCONF_ACK)
+			chunks_present |= (1 << 30);
+
+		ch = (sctp_chunkhdr_t *) ch_end;
+	} while (ch_end < skb->tail);
+
+	return ((chunks_present& chunk_mask) == chunks);
+}
+
+static int match(const struct sk_buff *skb, const struct net_device *in,
+		 const struct net_device *out, const void *matchinfo,
+		 int offset, const void *hdr, u_int16_t datalen,
+		 int *hotdrop)
+{
+	const struct ipt_sctp_info *info = matchinfo;
+	const struct iphdr *iph = skb->nh.iph;
+	const struct sctphdr *sh = (struct sctphdr *) skb->h.raw;
+
+	if (iph->protocol != IPPROTO_SCTP)
+		return 0;
+
+	if (offset == 1) {
+		duprintf("Dropping evil SCTP offset=1 frag.\n");
+		*hotdrop = 1;
+		return 0;
+	} else if (offset == 0 && datalen < sizeof(struct sctphdr)) {
+		/* We've been askd o examine this packet, and we can't.
+		 * Hence, no choice but to drop. */
+		duprintf("Dropping evil SCTP offset=0 tinygram.\n");
+		*hotdrop = 1;
+		return 0;
+	}
+
+	return (!offset
+		&& port_match(info->spts[0], info->spts[1],
+			      ntohs(sh->source),
+			      !!(info->invflags & IPT_SCTP_INV_SRCPT))
+		&& port_match(info->dpts[0], info->dpts[1],
+			      ntohs(sh->dest),
+			      !!(info->invflags & IPT_SCTP_INV_DSTPT))
+		&& chunk_match(skb, info->chunks, info->chunk_mask)
+	       );
+}
+
+static int checkentry(const char *tablename, const struct ipt_ip *ip,
+		      void *matchinfo, unsigned int matchsize,
+		      unsigned int hook_mask)
+{
+	const struct ipt_sctp_info *info = matchinfo;
+
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_sctp_info)))
+		return 0;
+
+	if (ip->proto != IPPROTO_SCTP && !(ip->invflags & IPT_INV_PROTO))
+		return 0;
+
+	if !(info->invflags & ~IPT_SCTP_INV_MASK)
+		return 0;
+
+	return 1;
+}
+
+static struct ipt_match sctp_match = {
+	.name		= "sctp",
+	.match		= &match,
+	.checkentry	= &checkentry,
+	.me		= THIS_MODULE,
+};
+
+static int __init init(void)
+{
+	return ipt_register_match(&sctp_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&sctp_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/netfilter-patch-o-matic/patches linux-2.6.0-test5/netfilter-patch-o-matic/patches
--- linux-2.6.0-test5.org/netfilter-patch-o-matic/patches	Thu Jan  1 00:00:00 1970
+++ linux-2.6.0-test5/netfilter-patch-o-matic/patches	Tue Sep 23 12:57:25 2003
@@ -0,0 +1,14 @@
+./base/01_sctp_match.patch
+./pending/23_REJECT-headroom-tcprst.patch
+./pending/24_rcu.patch
+./pending/25-err-ptr.patch
+./pending/26-memsets.patch
+./pending/27_getorigdst-tuple-zero.patch
+./submitted/02_REJECT-headroom-tcprst.patch
+./submitted/03_260t4-mirror-remove.patch
+./submitted/04_260t4-unclean-remove.patch
+./submitted/05_260t4-unexperimental.patch
+./submitted/06_260t4-cosmetic.patch
+./submitted/07_260t4-newmodules_iprange_SAME_NETMAP_CLASSIFY.patch
+./submitted/08_260t4_ipt-helper-kconfig.patch
+./submitted/09_260t4-cosmetic-physdev-author.patch
Commit	Line	Data
8622e1cf	1	diff -Nur --exclude '.rej' --exclude '.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
	2	--- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h Mon Sep 8 19:50:18 2003
	3	+++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h Tue Sep 23 12:56:40 2003
	4	@@ -62,6 +62,14 @@
	5	} dst;
	6	};
	7
	8	+/* This is optimized opposed to a memset of the whole structure. Everything we
	9	+ * really care about is the source/destination unions */
	10	+#define IP_CT_TUPLE_BLANK(tuple) \
	11	+ do { \
	12	+ (tuple)->src.u.all = 0; \
	13	+ (tuple)->dst.u.all = 0; \
	14	+ } while (0)
	15	+
	16	enum ip_conntrack_dir
	17	{
	18	IP_CT_DIR_ORIGINAL,
	19	diff -Nur --exclude '.rej' --exclude '.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h
	20	--- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h Thu Jan 1 00:00:00 1970
	21	+++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h Tue Sep 23 12:56:47 2003
	22	@@ -0,0 +1,25 @@
	23	+/* iptables module for matching the SCTP header
	24	+ *
	25	+ * (C) 2003 Harald Welte <laforge@gnumonks.org>
	26	+ *
	27	+ * This software is distributed under GNU GPL v2, 1991
	28	+ *
	29	+ * $Id$
	30	+ */
	31	+#ifndef _IPT_SCTP_H
	32	+#define _IPT_SCTP_H
	33	+
	34	+struct ipt_sctp_info {
	35	+ u_int16_t spts[2]; /* Souce port range */
	36	+ u_int16_t dpts[2]; /* Destination port range */
	37	+ u_int32_t chunks; /* chunks to be matched */
	38	+ u_int32_t chunk_mask; /* chunk mask to be matched */
	39	+ u_int8_t invflags; /* Inverse flags */
	40	+};
	41	+
	42	+#define IPT_SCTP_INV_SRCPT 0x01 /* Invert the sense of source ports */
	43	+#define IPT_SCTP_INV_DSTPT 0x02 /* Invert the sense of dest ports */
	44	+#define IPT_SCTP_INV_CHUNKS 0x03 /* Invert the sense of chunks */
	45	+#define IPT_SCTP_INV_MASK 0x03 /* All possible flags */
	46	+
	47	+#endif /* _IPT_SCTP_H */
	48	diff -Nur --exclude '.rej' --exclude '.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig linux-2.6.0-test5/net/ipv4/netfilter/Kconfig
	49	--- linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig Mon Sep 8 19:50:21 2003
	50	+++ linux-2.6.0-test5/net/ipv4/netfilter/Kconfig Tue Sep 23 12:56:47 2003
	51	@@ -215,6 +215,15 @@
	52	If you want to compile it as a module, say M here and read
	53	Documentation/modules.txt. If unsure, say `N'.
	54
	55	+config IP_NF_MATCH_SCTP
	56	+ tristate "SCTP match support"
	57	+ depends on IP_NF_IPTABLES
	58	+ help
	59	+ This match allows iptables to match on the SCTP header.
	60	+
	61	+ If you want to compile it as a module, say M here and read
	62	+ <file:Documentation/modules.txt>. If unsure, say `N'.
	63	+
	64	config IP_NF_MATCH_LENGTH
65	tristate "LENGTH match support"
66	depends on IP_NF_IPTABLES
67	diff -Nur --exclude '.rej' --exclude '.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile linux-2.6.0-test5/net/ipv4/netfilter/Makefile
68	--- linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile Mon Sep 8 19:49:57 2003
69	+++ linux-2.6.0-test5/net/ipv4/netfilter/Makefile Tue Sep 23 12:56:48 2003
70	@@ -40,6 +40,7 @@
71	obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
72
73	# matches
74	+obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
75	obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
76	obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
77	obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
78	diff -Nur --exclude '.rej' --exclude '.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c
79	--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c Mon Sep 8 19:49:50 2003
80	+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c Tue Sep 23 12:56:40 2003
81	@@ -29,8 +29,7 @@
82	#include <linux/slab.h>
83	#include <linux/random.h>
84	#include <linux/jhash.h>
85	-/* For ERR_PTR(). Yeah, I know... --RR */
86	-#include <linux/fs.h>
87	+#include <linux/err.h>
88
89	/* This rwlock protects the main hash table, protocol/helper/expected
90	registrations, conntrack timers*/
91	@@ -1276,11 +1275,14 @@
92	{
93	struct inet_opt *inet = inet_sk(sk);
94	struct ip_conntrack_tuple_hash *h;
95	- struct ip_conntrack_tuple tuple = { { inet->rcv_saddr,
96	- { .tcp = { inet->sport } } },
97	- { inet->daddr,
98	- { .tcp = { inet->dport } },
99	- IPPROTO_TCP } };
100	+ struct ip_conntrack_tuple tuple;
101	+
102	+ IP_CT_TUPLE_BLANK(&tuple);
103	+ tuple.src.ip = inet->rcv_saddr;
104	+ tuple.src.u.tcp.port = inet->sport;
105	+ tuple.dst.ip = inet->daddr;
106	+ tuple.dst.u.tcp.port = inet->dport;
107	+ tuple.dst.protonum = IPPROTO_TCP;
108
109	/* We only do TCP at the moment: is there a better way? */
110	if (strcmp(sk->sk_prot->name, "TCP")) {
111	diff -Nur --exclude '.rej' --exclude '.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c
112	--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c Mon Sep 8 19:50:01 2003
113	+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c Tue Sep 23 12:56:33 2003
114	@@ -97,8 +97,6 @@
115
116	for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
117	/* Create helper structure */
118	- memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
119	-
120	tftp[i].tuple.dst.protonum = IPPROTO_UDP;
121	tftp[i].tuple.src.u.udp.port = htons(ports[i]);
122	tftp[i].mask.dst.protonum = 0xFFFF;
123	diff -Nur --exclude '.rej' --exclude '.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c
124	--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c Tue Sep 23 12:09:22 2003
125	+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c Tue Sep 23 12:56:33 2003
126	@@ -195,8 +195,6 @@
127	struct ip_nat_helper *hlpr;
128
129	hlpr = &ip_nat_amanda_helper;
130	- memset(hlpr, 0, sizeof(struct ip_nat_helper));
131	-
132	hlpr->tuple.dst.protonum = IPPROTO_UDP;
133	hlpr->tuple.src.u.udp.port = htons(10080);
134	hlpr->mask.src.u.udp.port = 0xFFFF;
135	diff -Nur --exclude '.rej' --exclude '.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c
136	--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c Tue Sep 23 12:09:22 2003
137	+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c Tue Sep 23 12:56:33 2003
138	@@ -164,8 +164,6 @@
139	ports[0] = TFTP_PORT;
140
141	for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
142	- memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
143	-
144	tftp[i].tuple.dst.protonum = IPPROTO_UDP;
145	tftp[i].tuple.src.u.udp.port = htons(ports[i]);
146	tftp[i].mask.dst.protonum = 0xFFFF;
147	diff -Nur --exclude '.rej' --exclude '.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c
148	--- linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c Thu Jan 1 00:00:00 1970
149	+++ linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c Tue Sep 23 12:56:47 2003
150	@@ -0,0 +1,125 @@
151	+/* IP tables module for matching the SCTP header
152	+ *
153	+ * $ipt_sctp.c,v 1.3 2002/05/29 15:09:00 laforge Exp$
154	+ *
155	+ * (C) 2003 by Harald Welte <laforge@gnumonks.org>
156	+ *
157	+ * This software is distributed under the terms GNU GPL v2
158	+ */
159	+
160	+#include <linux/module.h>
161	+#include <linux/skbuff.h>
162	+#include <linux/sctp.h>
163	+
164	+#include <linux/netfilter_ipv4/ip_tables.h>
165	+#include <linux/netfilter_ipv4/ipt_sctp.h>
166	+
167	+MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
168	+MODULE_DESCRIPTION("IP tables SCTP matching module");
169	+MODULE_LICENSE("GPL");
170	+
171	+/* Returns 1 if the port is matched by the range, 0 otherwise */
172	+static inline int
173	+port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
174	+{
175	+ int ret;
176	+
177	+ ret = (port >= min && port <= max) ^ invert;
178	+ return ret;
179	+}
180	+
181	+static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
182	+{
183	+ sctp_chunkhdr_t ch = (sctp_chunkhdr_t ) skb->data;
184	+
185	+ u_int32_t chunks_present = 0;
186	+
187	+ do {
188	+ u_int8_t *ch_end;
189	+ ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length));
190	+
191	+ if (ch->type < 32)
192	+ chunks_present \|= (1 << ch_type);
193	+ else if (ch->type == SCTP_CID_ASCONF)
194	+ chunks_present \|= (1 << 31);
195	+ else if (ch->type == SCTP_CID_ASCONF_ACK)
196	+ chunks_present \|= (1 << 30);
197	+
198	+ ch = (sctp_chunkhdr_t *) ch_end;
199	+ } while (ch_end < skb->tail);
200	+
201	+ return ((chunks_present& chunk_mask) == chunks);
202	+}
203	+
204	+static int match(const struct sk_buff skb, const struct net_device in,
205	+ const struct net_device out, const void matchinfo,
206	+ int offset, const void *hdr, u_int16_t datalen,
207	+ int *hotdrop)
208	+{
209	+ const struct ipt_sctp_info *info = matchinfo;
210	+ const struct iphdr *iph = skb->nh.iph;
211	+ const struct sctphdr sh = (struct sctphdr ) skb->h.raw;
212	+
213	+ if (iph->protocol != IPPROTO_SCTP)
214	+ return 0;
215	+
216	+ if (offset == 1) {
217	+ duprintf("Dropping evil SCTP offset=1 frag.\n");
218	+ *hotdrop = 1;
219	+ return 0;
220	+ } else if (offset == 0 && datalen < sizeof(struct sctphdr)) {
221	+ /* We've been askd o examine this packet, and we can't.
222	+ * Hence, no choice but to drop. */
223	+ duprintf("Dropping evil SCTP offset=0 tinygram.\n");
224	+ *hotdrop = 1;
225	+ return 0;
226	+ }
227	+
228	+ return (!offset
229	+ && port_match(info->spts[0], info->spts[1],
230	+ ntohs(sh->source),
231	+ !!(info->invflags & IPT_SCTP_INV_SRCPT))
232	+ && port_match(info->dpts[0], info->dpts[1],
233	+ ntohs(sh->dest),
234	+ !!(info->invflags & IPT_SCTP_INV_DSTPT))
235	+ && chunk_match(skb, info->chunks, info->chunk_mask)
236	+ );
237	+}
238	+
239	+static int checkentry(const char tablename, const struct ipt_ip ip,
240	+ void *matchinfo, unsigned int matchsize,
241	+ unsigned int hook_mask)
242	+{
243	+ const struct ipt_sctp_info *info = matchinfo;
244	+
245	+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_sctp_info)))
246	+ return 0;
247	+
248	+ if (ip->proto != IPPROTO_SCTP && !(ip->invflags & IPT_INV_PROTO))
249	+ return 0;
250	+
251	+ if !(info->invflags & ~IPT_SCTP_INV_MASK)
252	+ return 0;
253	+
254	+ return 1;
255	+}
256	+
257	+static struct ipt_match sctp_match = {
258	+ .name = "sctp",
259	+ .match = &match,
260	+ .checkentry = &checkentry,
261	+ .me = THIS_MODULE,
262	+};
263	+
264	+static int __init init(void)
265	+{
266	+ return ipt_register_match(&sctp_match);
267	+}
268	+
269	+static void __exit fini(void)
270	+{
271	+ ipt_unregister_match(&sctp_match);
272	+}
273	+
274	+module_init(init);
275	+module_exit(fini);
276	diff -Nur --exclude '.rej' --exclude '.orig' linux-2.6.0-test5.org/netfilter-patch-o-matic/patches linux-2.6.0-test5/netfilter-patch-o-matic/patches
277	--- linux-2.6.0-test5.org/netfilter-patch-o-matic/patches Thu Jan 1 00:00:00 1970
278	+++ linux-2.6.0-test5/netfilter-patch-o-matic/patches Tue Sep 23 12:57:25 2003
279	@@ -0,0 +1,14 @@
280	+./base/01_sctp_match.patch
281	+./pending/23_REJECT-headroom-tcprst.patch
282	+./pending/24_rcu.patch
283	+./pending/25-err-ptr.patch
284	+./pending/26-memsets.patch
285	+./pending/27_getorigdst-tuple-zero.patch
286	+./submitted/02_REJECT-headroom-tcprst.patch
287	+./submitted/03_260t4-mirror-remove.patch
288	+./submitted/04_260t4-unclean-remove.patch
289	+./submitted/05_260t4-unexperimental.patch
290	+./submitted/06_260t4-cosmetic.patch
291	+./submitted/07_260t4-newmodules_iprange_SAME_NETMAP_CLASSIFY.patch
292	+./submitted/08_260t4_ipt-helper-kconfig.patch
293	+./submitted/09_260t4-cosmetic-physdev-author.patch