[packages/kernel.git] / 2.6.x-patch-o-matic-ng-base-20040216.patch

diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ip_pool.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ip_pool.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ip_pool.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ip_pool.h	2004-02-16 11:07:21.518803072 +0100
@@ -0,0 +1,64 @@
+#ifndef _IP_POOL_H
+#define _IP_POOL_H
+
+/***************************************************************************/
+/*  This program is free software; you can redistribute it and/or modify   */
+/*  it under the terms of the GNU General Public License as published by   */
+/*  the Free Software Foundation; either version 2 of the License, or	   */
+/*  (at your option) any later version.					   */
+/*									   */
+/*  This program is distributed in the hope that it will be useful,	   */
+/*  but WITHOUT ANY WARRANTY; without even the implied warranty of	   */
+/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the	   */
+/*  GNU General Public License for more details.			   */
+/*									   */
+/*  You should have received a copy of the GNU General Public License	   */
+/*  along with this program; if not, write to the Free Software	       	   */
+/*  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/
+/***************************************************************************/
+
+/* A sockopt of such quality has hardly ever been seen before on the open
+ * market!  This little beauty, hardly ever used: above 64, so it's
+ * traditionally used for firewalling, not touched (even once!) by the
+ * 2.0, 2.2 and 2.4 kernels!
+ *
+ * Comes with its own certificate of authenticity, valid anywhere in the
+ * Free world!
+ *
+ * Rusty, 19.4.2000
+ */
+#define SO_IP_POOL 81
+
+typedef int ip_pool_t;			/* pool index */
+#define IP_POOL_NONE	((ip_pool_t)-1)
+
+struct ip_pool_request {
+	int op;
+	ip_pool_t index;
+	u_int32_t addr;
+	u_int32_t addr2;
+};
+
+/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */
+
+#define IP_POOL_BAD001		0x00000010
+
+#define IP_POOL_FLUSH		0x00000011	/* req.index, no arguments */
+#define IP_POOL_INIT		0x00000012	/* from addr to addr2 incl. */
+#define IP_POOL_DESTROY		0x00000013	/* req.index, no arguments */
+#define IP_POOL_ADD_ADDR	0x00000014	/* add addr to pool */
+#define IP_POOL_DEL_ADDR	0x00000015	/* del addr from pool */
+#define IP_POOL_HIGH_NR		0x00000016	/* result in req.index */
+#define IP_POOL_LOOKUP		0x00000017	/* result in addr and addr2 */
+#define IP_POOL_USAGE		0x00000018	/* result in addr */
+#define IP_POOL_TEST_ADDR	0x00000019	/* result (0/1) returned */
+
+#ifdef __KERNEL__
+
+/* NOTE: ip_pool_match() and ip_pool_mod() expect ADDR to be host byte order */
+extern int ip_pool_match(ip_pool_t pool, u_int32_t addr);
+extern int ip_pool_mod(ip_pool_t pool, u_int32_t addr, int isdel);
+
+#endif
+
+#endif /*_IP_POOL_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_NETLINK.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_NETLINK.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_NETLINK.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_NETLINK.h	2004-02-16 11:07:05.880548139 +0100
@@ -0,0 +1,27 @@
+#ifndef _IPT_FWMON_H
+#define _IPT_FWMON_H
+
+/* Bitmask macros */
+#define MASK(x,y) (x & y)
+#define MASK_SET(x,y) x |= y
+#define MASK_UNSET(x,y) x &= ~y
+
+#define USE_MARK	0x00000001
+#define USE_DROP	0x00000002
+#define USE_SIZE	0x00000004
+
+struct ipt_nldata
+{	
+	unsigned int flags;
+	unsigned int mark;
+	unsigned int size;
+};
+
+/* Old header */
+struct netlink_t {
+	unsigned int len;
+	unsigned int mark;
+	char iface[IFNAMSIZ];
+};
+
+#endif /*_IPT_FWMON_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_TTL.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_TTL.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_TTL.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_TTL.h	2004-02-16 11:07:09.253740328 +0100
@@ -0,0 +1,21 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+enum {
+	IPT_TTL_SET = 0,
+	IPT_TTL_INC,
+	IPT_TTL_DEC
+};
+
+#define IPT_TTL_MAXMODE	IPT_TTL_DEC
+
+struct ipt_TTL_info {
+	u_int8_t	mode;
+	u_int8_t	ttl;
+};
+
+
+#endif
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_connlimit.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_connlimit.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_connlimit.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_connlimit.h	2004-02-16 11:07:11.549190614 +0100
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
+
+struct ipt_connlimit_data;
+
+struct ipt_connlimit_info {
+	int limit;
+	int inverse;
+	u_int32_t mask;
+	struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_dstlimit.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_dstlimit.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_dstlimit.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_dstlimit.h	2004-02-16 11:07:13.230787904 +0100
@@ -0,0 +1,36 @@
+#ifndef _IPT_DSTLIMIT_H
+#define _IPT_DSTLIMIT_H
+
+/* timings are in milliseconds. */
+#define IPT_DSTLIMIT_SCALE 10000
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+   seconds, or one every 59 hours. */
+
+/* details of this structure hidden by the implementation */
+struct ipt_dstlimit_htable;
+
+#define IPT_DSTLIMIT_HASH_DIP	0x0001
+#define IPT_DSTLIMIT_HASH_DPT	0x0002
+#define IPT_DSTLIMIT_HASH_SIP	0x0004
+
+struct ipt_dstlimit_info {
+	u_int32_t mode;	  /* bitmask of IPT_DSTLIMIT_HASH_* */
+	u_int32_t avg;    /* Average secs between packets * scale */
+	u_int32_t burst;  /* Period multiplier for upper limit. */
+
+	/* user specified */
+	unsigned int size;		/* how many buckets */
+	unsigned int max;		/* max number of entries */
+	unsigned int gc_interval;	/* gc interval */
+	unsigned int expire;		/* when do entries expire? */
+	char name [IFNAMSIZ];		/* name */
+
+	struct ipt_dstlimit_htable *hinfo;
+
+	/* Used internally by the kernel */
+	union {
+		void *ptr;
+		struct ipt_dstlimit_info *master;
+	} u;
+};
+#endif /*_IPT_DSTLIMIT_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_fuzzy.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_fuzzy.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_fuzzy.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_fuzzy.h	2004-02-16 11:07:14.925382080 +0100
@@ -0,0 +1,21 @@
+#ifndef _IPT_FUZZY_H
+#define _IPT_FUZZY_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ipt_fuzzy_info {
+	u_int32_t minimum_rate;
+	u_int32_t maximum_rate;
+	u_int32_t packets_total;
+	u_int32_t bytes_total;
+	u_int32_t previous_time;
+	u_int32_t present_time;
+	u_int32_t mean_rate;
+	u_int8_t acceptance_rate;
+};
+
+#endif /*_IPT_FUZZY_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_ipv4options.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_ipv4options.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_ipv4options.h	2004-02-16 11:07:16.164085433 +0100
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+#define IPT_IPV4OPTION_MATCH_SSRR		0x01  /* For strict source routing */
+#define IPT_IPV4OPTION_MATCH_LSRR		0x02  /* For loose source routing */
+#define IPT_IPV4OPTION_DONT_MATCH_SRR		0x04  /* any source routing */
+#define IPT_IPV4OPTION_MATCH_RR			0x08  /* For Record route */
+#define IPT_IPV4OPTION_DONT_MATCH_RR		0x10
+#define IPT_IPV4OPTION_MATCH_TIMESTAMP		0x20  /* For timestamp request */
+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP	0x40
+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT	0x80  /* For router-alert */
+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT	0x100
+#define IPT_IPV4OPTION_MATCH_ANY_OPT		0x200 /* match packet with any option */
+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT	0x400 /* match packet with no option */
+
+struct ipt_ipv4options_info {
+	u_int16_t options;
+};
+
+
+#endif /* __ipt_ipv4options_h_included__ */
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_mport.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_mport.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_mport.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_mport.h	2004-02-16 11:07:17.665725817 +0100
@@ -0,0 +1,24 @@
+#ifndef _IPT_MPORT_H
+#define _IPT_MPORT_H
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+#define IPT_MPORT_SOURCE (1<<0)
+#define IPT_MPORT_DESTINATION (1<<1)
+#define IPT_MPORT_EITHER (IPT_MPORT_SOURCE|IPT_MPORT_DESTINATION)
+
+#define IPT_MULTI_PORTS	15
+
+/* Must fit inside union ipt_matchinfo: 32 bytes */
+/* every entry in ports[] except for the last one has one bit in pflags
+ * associated with it. If this bit is set, the port is the first port of
+ * a portrange, with the next entry being the last.
+ * End of list is marked with pflags bit set and port=65535.
+ * If 14 ports are used (last one does not have a pflag), the last port
+ * is repeated to fill the last entry in ports[] */
+struct ipt_mport
+{
+	u_int8_t flags:2;			/* Type of comparison */
+	u_int16_t pflags:14;			/* Port flags */
+	u_int16_t ports[IPT_MULTI_PORTS];	/* Ports */
+};
+#endif /*_IPT_MPORT_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_nth.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_nth.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_nth.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_nth.h	2004-02-16 11:07:18.796455028 +0100
@@ -0,0 +1,19 @@
+#ifndef _IPT_NTH_H
+#define _IPT_NTH_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#ifndef IPT_NTH_NUM_COUNTERS
+#define IPT_NTH_NUM_COUNTERS 16
+#endif
+
+struct ipt_nth_info {
+	u_int8_t every;
+	u_int8_t not;
+	u_int8_t startat;
+	u_int8_t counter;
+	u_int8_t packet;
+};
+
+#endif /*_IPT_NTH_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_osf.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_osf.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_osf.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_osf.h	2004-02-16 11:07:19.917186632 +0100
@@ -0,0 +1,130 @@
+/*
+ * ipt_osf.h
+ *
+ * Copyright (c) 2003 Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _IPT_OSF_H
+#define _IPT_OSF_H
+
+#define MAXGENRELEN		32
+#define MAXDETLEN		64
+
+#define IPT_OSF_GENRE		1
+#define IPT_OSF_SMART		2
+#define IPT_OSF_LOG		4
+
+#define IPT_OSF_LOGLEVEL_ALL		0
+#define IPT_OSF_LOGLEVEL_FIRST	1
+
+#include <linux/list.h>
+
+struct ipt_osf_info
+{
+	char 			genre[MAXGENRELEN];
+	int			len;
+	unsigned long		flags;
+	int			loglevel;
+	int			invert; /* UNSUPPORTED */
+};
+
+struct osf_wc
+{
+	char			wc;
+	unsigned long		val;
+};
+
+/* This struct represents IANA options
+ * http://www.iana.org/assignments/tcp-parameters
+ */
+struct osf_opt
+{
+	unsigned char		kind;
+	unsigned char		length;
+	struct osf_wc		wc;
+};
+
+#ifdef __KERNEL__
+
+struct osf_finger
+{
+	struct list_head	flist;
+	struct osf_wc		wss;
+	unsigned char		ttl;
+	unsigned char		df;
+	unsigned long		ss;
+	char			genre[MAXGENRELEN];
+	char			version[MAXGENRELEN], subtype[MAXGENRELEN];
+	
+	/* Not needed, but for consistency with original table from Michal Zalewski */
+	char			details[MAXDETLEN]; 
+
+	int 			opt_num;
+	struct osf_opt		opt[MAX_IPOPTLEN]; /* In case it is all NOP or EOL */
+
+};
+
+/* Defines for IANA option kinds */
+
+#define OSFOPT_EOL		0	/* End of options */
+#define OSFOPT_NOP		1	/* NOP */
+#define OSFOPT_MSS		2	/* Maximum segment size */
+#define OSFOPT_WSO		3	/* Window scale option */
+#define OSFOPT_SACKP		4	/* SACK permitted */
+#define OSFOPT_SACK		5	/* SACK */
+#define OSFOPT_ECHO		6	
+#define OSFOPT_ECHOREPLY	7
+#define OSFOPT_TS		8	/* Timestamp option */
+#define OSFOPT_POCP		9	/* Partial Order Connection Permitted */
+#define OSFOPT_POSP		10	/* Partial Order Service Profile */
+/* Others are not used in current OSF */
+
+static struct osf_opt IANA_opts[] = 
+{
+	{0, 1,},
+	{1, 1,},
+	{2, 4,},
+	{3, 3,},
+	{4, 2,},
+	{5, 1 ,}, /* SACK length is not defined */
+	{6, 6,},
+	{7, 6,},
+	{8, 10,},
+	{9, 2,},
+	{10, 3,},
+	{11, 1,}, /* CC: Suppose 1 */
+	{12, 1,}, /* the same */
+	{13, 1,}, /* and here too */
+	{14, 3,},
+	{15, 1,}, /* TCP Alternate Checksum Data. Length is not defined */
+	{16, 1,},
+	{17, 1,},
+	{18, 3,},
+	{19, 18,},
+	{20, 1,},
+	{21, 1,},
+	{22, 1,},
+	{23, 1,},
+	{24, 1,},
+	{25, 1,},
+	{26, 1,},
+};
+
+#endif /* __KERNEL__ */
+
+#endif /* _IPT_OSF_H */
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_pool.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_pool.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_pool.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_pool.h	2004-02-16 11:07:21.518803072 +0100
@@ -0,0 +1,25 @@
+#ifndef _IPT_POOL_H
+#define _IPT_POOL_H
+
+#include <linux/netfilter_ipv4/ip_pool.h>
+
+#define IPT_POOL_INV_SRC	0x00000001
+#define IPT_POOL_INV_DST	0x00000002
+#define IPT_POOL_DEL_SRC	0x00000004
+#define IPT_POOL_DEL_DST	0x00000008
+#define IPT_POOL_INV_MOD_SRC	0x00000010
+#define IPT_POOL_INV_MOD_DST	0x00000020
+#define IPT_POOL_MOD_SRC_ACCEPT	0x00000040
+#define IPT_POOL_MOD_DST_ACCEPT	0x00000080
+#define IPT_POOL_MOD_SRC_DROP	0x00000100
+#define IPT_POOL_MOD_DST_DROP	0x00000200
+
+/* match info */
+struct ipt_pool_info
+{
+	ip_pool_t src;
+	ip_pool_t dst;
+	unsigned flags;
+};
+
+#endif /*_IPT_POOL_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_psd.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_psd.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_psd.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_psd.h	2004-02-16 11:07:22.387595011 +0100
@@ -0,0 +1,40 @@
+#ifndef _IPT_PSD_H
+#define _IPT_PSD_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+/*
+ * High port numbers have a lower weight to reduce the frequency of false
+ * positives, such as from passive mode FTP transfers.
+ */
+#define PORT_WEIGHT_PRIV		3
+#define PORT_WEIGHT_HIGH		1
+
+/*
+ * Port scan detection thresholds: at least COUNT ports need to be scanned
+ * from the same source, with no longer than DELAY ticks between ports.
+ */
+#define SCAN_MIN_COUNT			7
+#define SCAN_MAX_COUNT			(SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
+#define SCAN_WEIGHT_THRESHOLD		SCAN_MAX_COUNT
+#define SCAN_DELAY_THRESHOLD		(HZ * 3)
+
+/*
+ * Keep track of up to LIST_SIZE source addresses, using a hash table of
+ * HASH_SIZE entries for faster lookups, but limiting hash collisions to
+ * HASH_MAX source addresses per the same hash value.
+ */
+#define LIST_SIZE			0x100
+#define HASH_LOG			9
+#define HASH_SIZE			(1 << HASH_LOG)
+#define HASH_MAX			0x10
+
+struct ipt_psd_info {
+	unsigned int weight_threshold;
+	unsigned int delay_threshold;
+	unsigned short lo_ports_weight;
+	unsigned short hi_ports_weight;
+};
+
+#endif /*_IPT_PSD_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_quota.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_quota.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_quota.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_quota.h	2004-02-16 11:07:23.219395809 +0100
@@ -0,0 +1,11 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+
+/* print debug info in both kernel/netfilter module & iptable library */
+//#define DEBUG_IPT_QUOTA
+
+struct ipt_quota_info {
+        u_int64_t quota;
+};
+
+#endif /*_IPT_QUOTA_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_random.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_random.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_random.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_random.h	2004-02-16 11:07:24.378118313 +0100
@@ -0,0 +1,11 @@
+#ifndef _IPT_RAND_H
+#define _IPT_RAND_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+struct ipt_rand_info {
+	u_int8_t average;
+};
+
+#endif /*_IPT_RAND_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_realm.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_realm.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_realm.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_realm.h	2004-02-16 11:07:26.369641375 +0100
@@ -0,0 +1,9 @@
+#ifndef _IPT_REALM_H
+#define _IPT_REALM_H
+
+struct ipt_realm_info {
+	u_int32_t id;
+	u_int32_t mask;
+	u_int8_t invert;
+};
+#endif /*_IPT_REALM_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_time.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_time.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_time.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_time.h	2004-02-16 11:07:27.150454383 +0100
@@ -0,0 +1,13 @@
+#ifndef __ipt_time_h_included__
+#define __ipt_time_h_included__
+
+
+struct ipt_time_info {
+	u_int8_t  days_match;   /* 1 bit per day. -SMTWTFS                      */
+	u_int16_t time_start;   /* 0 < time_start < 23*60+59 = 1439             */
+	u_int16_t time_stop;    /* 0:0 < time_stat < 23:59                      */
+	u_int8_t  kerneltime;   /* ignore skb time (and use kerneltime) or not. */
+};
+
+
+#endif /* __ipt_time_h_included__ */
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_u32.h linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_u32.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv4/ipt_u32.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv4/ipt_u32.h	2004-02-16 11:07:28.175208970 +0100
@@ -0,0 +1,40 @@
+#ifndef _IPT_U32_H
+#define _IPT_U32_H
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+enum ipt_u32_ops
+{
+	IPT_U32_AND,
+	IPT_U32_LEFTSH,
+	IPT_U32_RIGHTSH,
+	IPT_U32_AT
+};
+
+struct ipt_u32_location_element
+{
+	u_int32_t number;
+	u_int8_t nextop;
+};
+struct ipt_u32_value_element
+{
+	u_int32_t min;
+	u_int32_t max;
+};
+/* *** any way to allow for an arbitrary number of elements?
+   for now I settle for a limit of 10 of each */
+#define U32MAXSIZE 10
+struct ipt_u32_test
+{
+	u_int8_t nnums;
+	struct ipt_u32_location_element location[U32MAXSIZE+1];
+	u_int8_t nvalues;
+	struct ipt_u32_value_element value[U32MAXSIZE+1];
+};
+
+struct ipt_u32
+{
+	u_int8_t ntests;
+	struct ipt_u32_test tests[U32MAXSIZE+1];
+};
+
+#endif /*_IPT_U32_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv6/ip6t_HL.h linux-2.6.3-rc3/include/linux/netfilter_ipv6/ip6t_HL.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv6/ip6t_HL.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv6/ip6t_HL.h	2004-02-16 11:06:53.521507853 +0100
@@ -0,0 +1,22 @@
+/* Hop Limit modification module for ip6tables
+ * Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ * Based on HW's TTL module */
+
+#ifndef _IP6T_HOPLIMIT_H
+#define _IP6T_HOPLIMIT_H
+
+enum {
+	IP6T_HOPLIMIT_SET = 0,
+	IP6T_HOPLIMIT_INC,
+	IP6T_HOPLIMIT_DEC
+};
+
+#define IP6T_HOPLIMIT_MAXMODE	IP6T_HOPLIMIT_DEC
+
+struct ip6t_HOPLIMIT_info {
+	u_int8_t	mode;
+	u_int8_t	hop_limit;
+};
+
+
+#endif
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv6/ip6t_REJECT.h linux-2.6.3-rc3/include/linux/netfilter_ipv6/ip6t_REJECT.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv6/ip6t_REJECT.h	2004-02-15 03:44:09.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv6/ip6t_REJECT.h	2004-02-16 11:07:07.812085576 +0100
@@ -2,15 +2,17 @@
 #define _IP6T_REJECT_H
 
 enum ip6t_reject_with {
-	IP6T_ICMP_NET_UNREACHABLE,
-	IP6T_ICMP_HOST_UNREACHABLE,
-	IP6T_ICMP_PROT_UNREACHABLE,
-	IP6T_ICMP_PORT_UNREACHABLE,
-	IP6T_ICMP_ECHOREPLY
+	IP6T_ICMP6_NO_ROUTE,
+	IP6T_ICMP6_ADM_PROHIBITED,
+	IP6T_ICMP6_NOT_NEIGHBOUR,
+	IP6T_ICMP6_ADDR_UNREACH,
+	IP6T_ICMP6_PORT_UNREACH,
+	IP6T_ICMP6_ECHOREPLY,
+	IP6T_TCP_RESET
 };
 
 struct ip6t_reject_info {
 	enum ip6t_reject_with with;      /* reject type */
 };
 
-#endif /*_IPT_REJECT_H*/
+#endif /*_IP6T_REJECT_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv6/ip6t_fuzzy.h linux-2.6.3-rc3/include/linux/netfilter_ipv6/ip6t_fuzzy.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv6/ip6t_fuzzy.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv6/ip6t_fuzzy.h	2004-02-16 11:07:14.925382080 +0100
@@ -0,0 +1,21 @@
+#ifndef _IP6T_FUZZY_H
+#define _IP6T_FUZZY_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ip6t_fuzzy_info {
+	u_int32_t minimum_rate;
+	u_int32_t maximum_rate;
+	u_int32_t packets_total;
+	u_int32_t bytes_total;
+	u_int32_t previous_time;
+	u_int32_t present_time;
+	u_int32_t mean_rate;
+	u_int8_t acceptance_rate;
+};
+
+#endif /*_IP6T_FUZZY_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv6/ip6t_nth.h linux-2.6.3-rc3/include/linux/netfilter_ipv6/ip6t_nth.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv6/ip6t_nth.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv6/ip6t_nth.h	2004-02-16 11:07:18.796455028 +0100
@@ -0,0 +1,19 @@
+#ifndef _IP6T_NTH_H
+#define _IP6T_NTH_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#ifndef IP6T_NTH_NUM_COUNTERS
+#define IP6T_NTH_NUM_COUNTERS 16
+#endif
+
+struct ip6t_nth_info {
+	u_int8_t every;
+	u_int8_t not;
+	u_int8_t startat;
+	u_int8_t counter;
+	u_int8_t packet;
+};
+
+#endif /*_IP6T_NTH_H*/
diff -Nur linux-2.6.3-rc3.org/include/linux/netfilter_ipv6/ip6t_random.h linux-2.6.3-rc3/include/linux/netfilter_ipv6/ip6t_random.h
--- linux-2.6.3-rc3.org/include/linux/netfilter_ipv6/ip6t_random.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/include/linux/netfilter_ipv6/ip6t_random.h	2004-02-16 11:07:24.378118313 +0100
@@ -0,0 +1,11 @@
+#ifndef _IP6T_RAND_H
+#define _IP6T_RAND_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+struct ip6t_rand_info {
+	u_int8_t average;
+};
+
+#endif /*_IP6T_RAND_H*/
diff -Nur linux-2.6.3-rc3.org/net/ipv4/netfilter/Kconfig linux-2.6.3-rc3/net/ipv4/netfilter/Kconfig
--- linux-2.6.3-rc3.org/net/ipv4/netfilter/Kconfig	2004-02-16 10:08:59.000000000 +0100
+++ linux-2.6.3-rc3/net/ipv4/netfilter/Kconfig	2004-02-16 11:07:28.178208252 +0100
@@ -588,5 +588,384 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP_NF_TARGET_IPV4OPTSSTRIP
+	tristate  'IPV4OPTSSTRIP target support'
+	depends on IP_NF_MANGLE
+	  help
+	  This option adds CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP, which supplies a target
+	  module that will allow you to strip all the IP options from a packet.
+	  
+	  The target doesn't take any option, and therefore is extremly easy to use :
+	  
+	  # iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
+	  # iptables -t mangle --list -n
+	  Chain PREROUTING (policy ACCEPT)
+	  target     prot opt source               destination
+	  IPV4OPTSSTRIP  all  --  0.0.0.0/0            0.0.0.0/0
+	  
+	  Chain OUTPUT (policy ACCEPT)
+	  target     prot opt source               destination
+
+config IP_NF_TARGET_NETLINK
+	tristate  'NETLINK target support'
+	depends on IP_NF_FILTER
+	  help
+	  CONFIG_IP_NF_TARGET_NETLINK adds a NETLINK target that sends dropped packets to
+	  userspace via a netlink socket.  Apps such as fwmon
+	  (http://firestorm.geek-ware.co.uk) can then recieve and dislpay these packets.
+	  This option is basically a re-implementation of the ipchains -o option.
+
+config IP_NF_TARGET_TTL
+	tristate  'TTL target support'
+	depends on IP_NF_MANGLE
+	  help
+	  This adds an iptables TTL manipulation target, which enables the user
+	  to set the TTL value of an IP packet or to increment / decrement it 
+	  by a given value.
+
+config IP_NF_MATCH_CONNLIMIT
+	tristate  'Connections/IP limit match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This adds an iptables match which allows you to restrict the
+	  number of parallel TCP connections to a server per client IP address
+	  (or address block).
+	  
+	  Examples:
+	  
+	  # allow 2 telnet connections per client host
+	  iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
+	  
+	  # you can also match the other way around:
+	  iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
+	  
+	  # limit the nr of parallel http requests to 16 per class C sized
+	  # network (24 bit netmask)
+	  iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
+	  	--connlimit-mask 24 -j REJECT
+
+config IP_NF_MATCH_DSTLIMIT
+	tristate  'dstlimit match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  
+	  This patch adds a new match called 'dstlimit'.  
+	  The idea is to have something like 'limit', but either per 
+	  destination-ip or per (destip,destport) tuple.
+	  
+	  It gives you the ability to say 
+	  	'1000 packets per second for every host in 192.168.0.0/16'
+	  	'100 packets per second for every service of 192.168.1.1'
+	  
+	  Parameters are:
+	  	--dstlimit <rate>
+	  		A rate just like the limit match
+	  	--dstlimit-burst <num>
+	  		Burst value, just like limit match
+	  	--dstlimit-mode destip | destip-destport
+	  		Limit per IP or per port
+	  	--dstlimit-name foo
+	  		The name for the /proc/net/ipt_dstlimit/foo entry
+	  	--dstlimit-htable-size <num>
+	  		The number of buckets of the hash table
+	  	--dstlimit-htable-max <num>
+	  		Maximum entries in the hash
+	  	--dstlimit-htable-expire <num>
+	  		After how many miliseconds do hash entries expire
+	  	--dstlimit-htable-gcinterval <num>
+	  		How many miliseconds between garbage collection intervals
+	  
+
+config IP_NF_MATCH_FUZZY
+	tristate  'fuzzy match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This option adds a `fuzzy' match which allows you to match packets according to
+	  a dynamic profile implemented by means of a simple Fuzzy Logic Controller (FLC)
+
+config IP_NF_MATCH_IPV4OPTIONS
+	tristate  'IPV4OPTIONS match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This option adds an iptables 'ipv4options' match, which allows you to
+	  match on IPv4 header options like source routing, record route, timestamp and
+	  router-alert.
+	  
+	  Suppported options are:
+	  --ssrr
+	    To match packets with the flag strict source routing.
+	  --lsrr
+	    To match packets with the flag loose source routing.
+	  --no-srr
+	    To match packets with no flag for source routing.
+	  [!] --rr
+	    To match packets with the RR flag.
+	  [!] --ts
+	    To match packets with the TS flag.
+	  [!] --ra
+	    To match packets with the router-alert option.
+	  [!] --any-opt
+	    To match a packet with at least one IP option, or no IP option
+	    at all if ! is chosen.
+	  
+	  Example:
+	    $ iptables -A input -m ipv4options --rr -j DROP
+	    will drop packets with the record-route flag.
+	  
+	    $ iptables -A input -m ipv4options --ts -j DROP
+	    will drop packets with the timestamp flag.
+
+config IP_NF_MATCH_MPORT
+	tristate  'Multiple port with ranges match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This module is an enhanced multiport match. It has support for byte
+	  ranges as well as for single ports.
+	  Up to 15 ports are allowed. Note that a portrange uses up 2 port values.
+	  
+	  Examples:
+	  # iptables -A FORWARD -p tcp -m mport --ports 23:42,65
+
+config IP_NF_MATCH_NTH
+	tristate  'Nth match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This option adds an iptables `Nth' match, which allows you to match every Nth
+	  packet encountered.  By default there are 16 different counters that can be
+	  used.
+	  
+	  This match functions in one of two ways
+	  1) Match ever Nth packet, and only the Nth packet.
+	     example:
+	      iptables -t mangle -A PREROUTING -m nth --every 10 -j DROP
+	     This rule will drop every 10th packet.
+	  2) Unique rule for every packet.  This is an easy and quick
+	     method to produce load-balancing for both inbound and outbound.
+	     example:
+	      iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
+	               --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
+	      iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
+	               --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
+	      iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
+	               --every 3 --packet 2 -j SNAT --to-source 10.0.0.7
+	     This example evenly splits connections between the three SNAT
+	     addresses.
+	  
+	     By using the mangle table and iproute2, you can setup complex
+	     load-balanced routing.  There's lot of other uses.  Be creative!
+	  
+	  Suppported options are:
+	     --every     Nth         Match every Nth packet
+	    [--counter]  num         Use counter 0-15 (default:0)
+	    [--start]    num         Initialize the counter at the number 'num'
+	                             instead of 0. Must be between 0 and Nth-1
+	    [--packet]   num         Match on 'num' packet. Must be between 0
+	                             and Nth-1.
+	                             If --packet is used for a counter than
+	                             there must be Nth number of --packet
+	                             rules, covering all values between 0 and
+	                             Nth-1 inclusively.
+
+config IP_NF_MATCH_OSF
+	tristate  'OSF match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  The idea of passive OS fingerprint matching exists for quite a long time,
+	  but was created as extension fo OpenBSD pf only some weeks ago.
+	  Original idea was lurked in some OpenBSD mailing list (thanks
+	  grange@open...) and than adopted for Linux netfilter in form of this code.
+	  
+	  Original table was created by Michal Zalewski <lcamtuf@coredump.cx> for
+	  his excellent p0f and than changed a bit for more convenience.
+	  
+	  This module compares some data(WS, MSS, options and it's order, ttl,
+	  df and others) from first SYN packet (actually from packets with SYN
+	  bit set) with hardcoded in fingers[] table ones.
+	  
+	  Example: (Of course this only an example, do not get inspired by this)
+	  
+	  # iptables -N LINUX
+	  # iptables -A LINUX -j LOG --log-prefix "Linux"
+	  
+	  # iptables -A INPUT -p tcp -m osf --genre Linux -j LINUX
+	  # iptables -A INPUT -p tcp -m osf --genre FreeBSD -j REJECT
+	  
+	  NOTE: -p tcp is obviously required as it is a TCP match.
+	  
+	  OSF also has:
+	  --log 1/0. 
+	  	If present, OSF will log determined genres even if they don't match
+	  	desired one.	
+	  	0 - log all determined entries, 
+	  	1 - only first one.
+	  	
+	  	Example:
+	  	#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart
+	  
+	  	In syslog you find something like this:
+	  	ipt_osf: Windows [Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
+	  	ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80
+	  
+	    --smart
+	    	if present, OSF will use some smartness to determine remote OS.
+	  	Now only not use TTL( with it far remote machines can be determined).
+	  
+	  Fingerprints can be loaded through /proc/sys/net/ipv4/osf file.
+	  Only one fingerprint per open/close.
+	  
+	  Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
+
+config IP_POOL_STATISTICS
+	bool  'enable statistics on pool usage'
+	depends on IP_NF_POOL!=n
+
+config IP_NF_POOL
+	tristate  'IP address pool support'
+	depends on IP_NF_IPTABLES
+	  help
+	  CONFIG_IP_NF_POOL provides a match which lets you use bitmaps with one bit per
+	  address from some range of IP addresses; the match depends on whether a checked
+	  source or destination address has its bit set in the pool.  It also provides a
+	  POOL target, which can be used to add or remove the addresses of a packet
+	  to/from a pool.
+	  
+	  There is also a POOL netfilter target, which can be used to set or remove the
+	  addresses of a packet from a pool.
+	  
+	  To define and use pools, you need userlevel utilities: a patched iptables, and
+	  the program ippool(8), which defines the pools and their bounds.  The current
+	  release of pool matching is ippool-0.0.2, and can be found in the archives of
+	  the netfilter mailing list at http://lists.netfilter.org/.
+
+config IP_NF_MATCH_PSD
+	tristate  'psd match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This option adds a `psd' match, which supplies portscan
+	  detection match (psd). This match will attempt to detect TCP and UDP
+	  port scans. This match was derived from Solar Designer's scanlogd.
+	  
+	  Suppported options are:
+	  
+	  --psd-weight-threshold <threshold>
+	  
+	    Total weight of the latest TCP/UDP packets with different
+	    destination ports coming from the same host to be treated as port
+	    scan sequence.
+	  
+	  --psd-delay-threshold <delay>
+	  
+	    Delay (in hundredths of second) for the packets with different
+	    destination ports coming from the same host to be treated as
+	    possible port scan subsequence.
+	  
+	  --psd-lo-ports-weight <weight>
+	  
+	    Weight of the packet with privileged (<=1024) destination port.
+	  
+	  --psd-hi-ports-weight <weight>
+	  
+	    Weight of the packet with non-priviliged destination port.
+
+config IP_NF_MATCH_QUOTA
+	tristate  'quota match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This option adds CONFIG_IP_NF_MATCH_QUOTA, which implements network
+	  quotas by decrementing a byte counter with each packet.
+	  
+	  Supported options are:
+	  --quota <bytes>
+	    The quota in bytes.
+	  
+	  KNOWN BUGS: this does not work on SMP systems.
+	  
+
+config IP_NF_MATCH_RANDOM
+	tristate  'random match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This option adds a `random' match,
+	  which allow you to match packets randomly
+	  following a given probability. 
+	  
+	  Suppported options are:
+	  
+	  [--average] 	percent	will match randomly packets with a probability of
+	  		'percent'. default is 50%
+
+config IP_NF_MATCH_REALM
+	tristate  'realm match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  realm match: uses realm key from routing as match criteria similiar to
+	               one in packet classifier
+	  
+	  /** snip from packet classifier documentation */
+	  Routing tables based classifier
+	  CONFIG_NET_CLS_ROUTE4
+	    If you say Y here, you will be able to classify outgoing packets
+	    according to the route table entry they matched. If unsure, say Y.
+	  /** end snip **/
+	  
+	  
+	  # Example
+	  # add route
+	  /sbin/ip route add 194.29.194.0/24 via 194.29.192.1 realm 10
+	  
+	  # source realm is in realm with mask 0xFFFF0000,
+	  # destination is in realm with mask 0x0000FFFF
+	  
+	  # match destination realm
+	  /usr/local/sbin/iptables -A OUTPUT -m realm --realm 10 -j LOG
+	  
+	  # match realm of source, this is also determinated by routing,
+	  /usr/local/sbin/iptables -A INPUT -m realm --realm 655360 -j LOG
+	  
+	  THIS PATCH REQUIRES CONFIG_NET_CLS_ROUTE TO BE SET
+
+config IP_NF_MATCH_TIME
+	tristate  'TIME match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  
+	  This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
+	  This match allows you to filter based on the packet arrival time
+	  (arrival time at the machine which the netfilter is running on) or
+	  departure time (for locally generated packets).
+	  
+	  Supported options are:
+	  --timestart HH:MM
+	    The starting point of the time match frame.
+	  
+	  --timestop HH:MM
+	    The stopping point of the time match frame
+	  
+	  --days Tue,Mon...
+	    Days of the week to match separated by a coma, no space
+	    (one of Sun,Mon,Tue,Wed,Thu,Fri,Sat)
+	  
+	  Example:
+	    -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
+	    will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
+	    to Friday.
+	  
+	    -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon
+	    will match the packets (locally generated) that have a departure timestamp
+	    in the range 8:00->18:00 on Monday only.
+
+config IP_NF_MATCH_U32
+	tristate  'U32 match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  
+	  U32 allows you to extract quantities of up to 4 bytes from a packet,
+	  AND them with specified masks, shift them by specified amounts and
+	  test whether the results are in any of a set of specified ranges.
+	  The specification of what to extract is general enough to skip over
+	  headers with lengths stored in the packet, as in IP or TCP header
+	  lengths.
+	  Details and examples are in the kernel module source.
+
 endmenu
 
diff -Nur linux-2.6.3-rc3.org/net/ipv4/netfilter/Makefile linux-2.6.3-rc3/net/ipv4/netfilter/Makefile
--- linux-2.6.3-rc3.org/net/ipv4/netfilter/Makefile	2004-02-16 10:08:59.000000000 +0100
+++ linux-2.6.3-rc3/net/ipv4/netfilter/Makefile	2004-02-16 11:07:28.178208252 +0100
@@ -42,15 +42,38 @@
 # matches
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
+obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
+obj-$(CONFIG_IP_NF_MATCH_DSTLIMIT) += ipt_dstlimit.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
+obj-$(CONFIG_IP_NF_POOL) += ipt_pool.o ipt_POOL.o ip_pool.o
 obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 
 obj-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype.o
 obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o
+
+obj-$(CONFIG_IP_NF_MATCH_MPORT) += ipt_mport.o
+
 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 
+obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
+
+
+obj-$(CONFIG_IP_NF_MATCH_RANDOM) += ipt_random.o
+
+obj-$(CONFIG_IP_NF_MATCH_PSD) += ipt_psd.o
+
+obj-$(CONFIG_IP_NF_MATCH_OSF) += ipt_osf.o
+
+
+obj-$(CONFIG_IP_NF_MATCH_NTH) += ipt_nth.o
+
+obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
+
+
+obj-$(CONFIG_IP_NF_MATCH_FUZZY) += ipt_fuzzy.o
+
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
 
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
@@ -59,10 +82,15 @@
 
 obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length.o
 
+obj-$(CONFIG_IP_NF_MATCH_U32) += ipt_u32.o
+
+
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
+obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
 
 obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
 
@@ -80,6 +108,9 @@
 obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o
 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
+obj-$(CONFIG_IP_NF_TARGET_NETLINK) += ipt_NETLINK.o
+obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
 
diff -Nur linux-2.6.3-rc3.org/net/ipv4/netfilter/ip_pool.c linux-2.6.3-rc3/net/ipv4/netfilter/ip_pool.c
--- linux-2.6.3-rc3.org/net/ipv4/netfilter/ip_pool.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/net/ipv4/netfilter/ip_pool.c	2004-02-16 11:07:21.518803072 +0100
@@ -0,0 +1,332 @@
+/* Kernel module for IP pool management */
+
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_pool.h>
+#include <linux/errno.h>
+#include <asm/uaccess.h>
+#include <asm/bitops.h>
+#include <linux/interrupt.h>
+#include <linux/spinlock.h>
+
+#if 0
+#define DP printk
+#else
+#define DP(format, args...)
+#endif
+
+MODULE_LICENSE("GPL");
+
+#define NR_POOL 16
+static int nr_pool = NR_POOL;/* overwrite this when loading module */
+
+struct ip_pool {
+	u_int32_t first_ip;	/* host byte order, included in range */
+	u_int32_t last_ip;	/* host byte order, included in range */
+	void *members;		/* the bitmap proper */
+	int nr_use;		/* total nr. of tests through this */
+	int nr_match;		/* total nr. of matches through this */
+	rwlock_t lock;
+};
+
+static struct ip_pool *POOL;
+
+static inline struct ip_pool *lookup(ip_pool_t index)
+{
+	if (index < 0 || index >= nr_pool) {
+		DP("ip_pool:lookup: bad index %d\n", index);
+		return 0;
+	}
+	return POOL+index;
+}
+
+int ip_pool_match(ip_pool_t index, u_int32_t addr)
+{
+        struct ip_pool *pool = lookup(index);
+	int res = 0;
+
+	if (!pool || !pool->members)
+		return 0;
+	read_lock_bh(&pool->lock);
+	if (pool->members) {
+		if (addr >= pool->first_ip && addr <= pool->last_ip) {
+			addr -= pool->first_ip;
+			if (test_bit(addr, pool->members)) {
+				res = 1;
+#ifdef CONFIG_IP_POOL_STATISTICS
+				pool->nr_match++;
+#endif
+			}
+		}
+#ifdef CONFIG_IP_POOL_STATISTICS
+		pool->nr_use++;
+#endif
+	}
+	read_unlock_bh(&pool->lock);
+	return res;
+}
+
+static int pool_change(ip_pool_t index, u_int32_t addr, int isdel)
+{
+	struct ip_pool *pool;
+	int res = -1;
+
+	pool = lookup(index);
+	if (    !pool || !pool->members
+	     || addr < pool->first_ip || addr > pool->last_ip)
+		return -1;
+	read_lock_bh(&pool->lock);
+	if (pool->members && addr >= pool->first_ip && addr <= pool->last_ip) {
+		addr -= pool->first_ip;
+		res = isdel
+			? (0 != test_and_clear_bit(addr, pool->members))
+			: (0 != test_and_set_bit(addr, pool->members));
+	}
+	read_unlock_bh(&pool->lock);
+	return res;
+}
+
+int ip_pool_mod(ip_pool_t index, u_int32_t addr, int isdel)
+{
+	int res = pool_change(index,addr,isdel);
+
+	if (!isdel) res = !res;
+	return res;
+}
+
+static inline int bitmap_bytes(u_int32_t a, u_int32_t b)
+{
+	return 4*((((b-a+8)/8)+3)/4);
+}
+
+static inline int poolbytes(ip_pool_t index)
+{
+	struct ip_pool *pool = lookup(index);
+
+	return pool ? bitmap_bytes(pool->first_ip, pool->last_ip) : 0;
+}
+
+static int setpool(
+	struct sock *sk,
+	int optval,
+	void *user,
+	unsigned int len
+) {
+	struct ip_pool_request req;
+
+	DP("ip_pool:setpool: optval=%d, user=%p, len=%d\n", optval, user, len);
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+	if (optval != SO_IP_POOL)
+		return -EBADF;
+	if (len != sizeof(req))
+		return -EINVAL;
+	if (copy_from_user(&req, user, sizeof(req)) != 0)
+		return -EFAULT;
+	printk("obsolete op - upgrade your ippool(8) utility.\n");
+	return -EINVAL;
+}
+
+static int getpool(
+	struct sock *sk,
+	int optval,
+	void *user,
+	int *len
+) {
+	struct ip_pool_request req;
+	struct ip_pool *pool;
+	ip_pool_t i;
+	int newbytes;
+	void *newmembers;
+	int res;
+
+	DP("ip_pool:getpool: optval=%d, user=%p\n", optval, user);
+	if (!capable(CAP_NET_ADMIN))
+		return -EINVAL;
+	if (optval != SO_IP_POOL)
+		return -EINVAL;
+	if (*len != sizeof(req)) {
+		return -EFAULT;
+	}
+	if (copy_from_user(&req, user, sizeof(req)) != 0)
+		return -EFAULT;
+	DP("ip_pool:getpool op=%d, index=%d\n", req.op, req.index);
+	if (req.op < IP_POOL_BAD001) {
+		printk("obsolete op - upgrade your ippool(8) utility.\n");
+		return -EFAULT;
+	}
+	switch(req.op) {
+	case IP_POOL_HIGH_NR:
+		DP("ip_pool HIGH_NR\n");
+		req.index = IP_POOL_NONE;
+		for (i=0; i<nr_pool; i++)
+			if (POOL[i].members)
+				req.index = i;
+		return copy_to_user(user, &req, sizeof(req));
+	case IP_POOL_LOOKUP:
+		DP("ip_pool LOOKUP\n");
+		pool = lookup(req.index);
+		if (!pool)
+			return -EINVAL;
+		if (!pool->members)
+			return -EBADF;
+		req.addr = htonl(pool->first_ip);
+		req.addr2 = htonl(pool->last_ip);
+		return copy_to_user(user, &req, sizeof(req));
+	case IP_POOL_USAGE:
+		DP("ip_pool USE\n");
+		pool = lookup(req.index);
+		if (!pool)
+			return -EINVAL;
+		if (!pool->members)
+			return -EBADF;
+		req.addr = pool->nr_use;
+		req.addr2 = pool->nr_match;
+		return copy_to_user(user, &req, sizeof(req));
+	case IP_POOL_TEST_ADDR:
+		DP("ip_pool TEST 0x%08x\n", req.addr);
+		pool = lookup(req.index);
+		if (!pool)
+			return -EINVAL;
+		res = 0;
+		read_lock_bh(&pool->lock);
+		if (!pool->members) {
+			DP("ip_pool TEST_ADDR no members in pool\n");
+			res = -EBADF;
+			goto unlock_and_return_res;
+		}
+		req.addr = ntohl(req.addr);
+		if (req.addr < pool->first_ip) {
+			DP("ip_pool TEST_ADDR address < pool bounds\n");
+			res = -ERANGE;
+			goto unlock_and_return_res;
+		}
+		if (req.addr > pool->last_ip) {
+			DP("ip_pool TEST_ADDR address > pool bounds\n");
+			res = -ERANGE;
+			goto unlock_and_return_res;
+		}
+		req.addr = (0 != test_bit((req.addr - pool->first_ip),
+					pool->members));
+		read_unlock_bh(&pool->lock);
+		return copy_to_user(user, &req, sizeof(req));
+	case IP_POOL_FLUSH:
+		DP("ip_pool FLUSH not yet implemented.\n");
+		return -EBUSY;
+	case IP_POOL_DESTROY:
+		DP("ip_pool DESTROY not yet implemented.\n");
+		return -EBUSY;
+	case IP_POOL_INIT:
+		DP("ip_pool INIT 0x%08x-0x%08x\n", req.addr, req.addr2);
+		pool = lookup(req.index);
+		if (!pool)
+			return -EINVAL;
+		req.addr = ntohl(req.addr);
+		req.addr2 = ntohl(req.addr2);
+		if (req.addr > req.addr2) {
+			DP("ip_pool INIT bad ip range\n");
+			return -EINVAL;
+		}
+		newbytes = bitmap_bytes(req.addr, req.addr2);
+		newmembers = kmalloc(newbytes, GFP_KERNEL);
+		if (!newmembers) {
+			DP("ip_pool INIT out of mem for %d bytes\n", newbytes);
+			return -ENOMEM;
+		}
+		memset(newmembers, 0, newbytes);
+		write_lock_bh(&pool->lock);
+		if (pool->members) {
+			DP("ip_pool INIT pool %d exists\n", req.index);
+			kfree(newmembers);
+			res = -EBUSY;
+			goto unlock_and_return_res;
+		}
+		pool->first_ip = req.addr;
+		pool->last_ip = req.addr2;
+		pool->nr_use = 0;
+		pool->nr_match = 0;
+		pool->members = newmembers;
+		write_unlock_bh(&pool->lock);
+		return 0;
+	case IP_POOL_ADD_ADDR:
+		DP("ip_pool ADD_ADDR 0x%08x\n", req.addr);
+		req.addr = pool_change(req.index, ntohl(req.addr), 0);
+		return copy_to_user(user, &req, sizeof(req));
+	case IP_POOL_DEL_ADDR:
+		DP("ip_pool DEL_ADDR 0x%08x\n", req.addr);
+		req.addr = pool_change(req.index, ntohl(req.addr), 1);
+		return copy_to_user(user, &req, sizeof(req));
+	default:
+		DP("ip_pool:getpool bad op %d\n", req.op);
+		return -EINVAL;
+	}
+	return -EINVAL;
+
+unlock_and_return_res:
+	if (pool)
+		read_unlock_bh(&pool->lock);
+	return res;
+}
+
+static struct nf_sockopt_ops so_pool
+= { { NULL, NULL }, PF_INET,
+    SO_IP_POOL, SO_IP_POOL+1, &setpool,
+    SO_IP_POOL, SO_IP_POOL+1, &getpool,
+    0, NULL };
+
+MODULE_PARM(nr_pool, "i");
+
+static int __init init(void)
+{
+	ip_pool_t i;
+	int res;
+
+	if (nr_pool < 1) {
+		printk("ip_pool module init: bad nr_pool %d\n", nr_pool);
+		return -EINVAL;
+	}
+	POOL = kmalloc(nr_pool * sizeof(*POOL), GFP_KERNEL);
+	if (!POOL) {
+		printk("ip_pool module init: out of memory for nr_pool %d\n",
+			nr_pool);
+		return -ENOMEM;
+	}
+	for (i=0; i<nr_pool; i++) {
+		POOL[i].first_ip = 0;
+		POOL[i].last_ip = 0;
+		POOL[i].members = 0;
+		POOL[i].nr_use = 0;
+		POOL[i].nr_match = 0;
+		POOL[i].lock = RW_LOCK_UNLOCKED;
+	}
+	res = nf_register_sockopt(&so_pool);
+	DP("ip_pool:init %d pools, result %d\n", nr_pool, res);
+	if (res != 0) {
+		kfree(POOL);
+		POOL = 0;
+	}
+	return res;
+}
+
+static void __exit fini(void)
+{
+	ip_pool_t i;
+
+	DP("ip_pool:fini BYEBYE\n");
+	nf_unregister_sockopt(&so_pool);
+	for (i=0; i<nr_pool; i++) {
+		if (POOL[i].members) {
+			kfree(POOL[i].members);
+			POOL[i].members = 0;
+		}
+	}
+	kfree(POOL);
+	POOL = 0;
+	DP("ip_pool:fini these are the famous last words\n");
+	return;
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux-2.6.3-rc3/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
--- linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c	2004-02-16 11:06:57.518550655 +0100
@@ -0,0 +1,84 @@
+/**
+ * Strip all IP options in the IP packet header.
+ *
+ * (C) 2001 by Fabrice MARIE <fabrice@netfilter.org>
+ * This software is distributed under GNU GPL v2, 1991
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>");
+MODULE_DESCRIPTION("Strip all options in IPv4 packets");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+target(struct sk_buff **pskb,
+       unsigned int hooknum,
+       const struct net_device *in,
+       const struct net_device *out,
+       const void *targinfo,
+       void *userinfo)
+{
+	struct iphdr *iph = (*pskb)->nh.iph;
+	struct sk_buff *skb = (*pskb);
+	struct ip_options * opt;
+	unsigned char * optiph = skb->nh.raw;
+	int l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
+	
+
+	/* if no options in packet then nothing to clear. */
+	if (iph->ihl * 4 == sizeof(struct iphdr))
+		return IPT_CONTINUE;
+
+	/* else clear all options */
+	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+	memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
+	opt = &(IPCB(skb)->opt);
+	opt->is_data = 0;
+	opt->optlen = l;
+
+	skb->nfcache |= NFC_ALTERED;
+
+        return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_entry *e,
+           void *targinfo,
+           unsigned int targinfosize,
+           unsigned int hook_mask)
+{
+	if (strcmp(tablename, "mangle")) {
+		printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+	/* nothing else to check because no parameters */
+	return 1;
+}
+
+static struct ipt_target ipt_ipv4optsstrip_reg
+= { { NULL, NULL }, "IPV4OPTSSTRIP", target, checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+	if (ipt_register_target(&ipt_ipv4optsstrip_reg))
+		return -EINVAL;
+	printk("ipt_IPV4OPTSSTRIP loaded\n");
+
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_ipv4optsstrip_reg);
+	printk("ipt_IPV4OPTSSTRIP unloaded\n");
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_NETLINK.c linux-2.6.3-rc3/net/ipv4/netfilter/ipt_NETLINK.c
--- linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_NETLINK.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/net/ipv4/netfilter/ipt_NETLINK.c	2004-02-16 11:07:05.880548139 +0100
@@ -0,0 +1,119 @@
+#include <linux/module.h>
+#include <linux/version.h>
+#include <linux/config.h>
+#include <linux/socket.h>
+#include <linux/skbuff.h>
+#include <linux/kernel.h>
+#include <linux/netlink.h>
+#include <linux/netdevice.h>
+#include <linux/mm.h>
+#include <linux/socket.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_NETLINK.h>
+#include <net/sock.h>
+
+MODULE_AUTHOR("Gianni Tedesco <gianni@ecsc.co.uk>");
+MODULE_DESCRIPTION("Provides iptables NETLINK target similar to ipchains -o");
+MODULE_LICENSE("GPL");
+
+#if 0
+#define DEBUGP	printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+static struct sock *ipfwsk;
+
+static unsigned int ipt_netlink_target(struct sk_buff **pskb,
+				    unsigned int hooknum,
+				    const struct net_device *in,
+				    const struct net_device *out,
+				    const void *targinfo, void *userinfo)
+{
+	struct ipt_nldata *nld = (struct ipt_nldata *)targinfo;
+	struct iphdr *ip = (*pskb)->nh.iph;
+	struct sk_buff *outskb;
+	struct netlink_t nlhdr;
+	size_t len=0;
+
+	/* Allocate a socket buffer */
+	if ( MASK(nld->flags, USE_SIZE) )
+		len = nld->size+sizeof(nlhdr);
+	else
+		len = ntohs(ip->tot_len)+sizeof(nlhdr);	
+
+	outskb=alloc_skb(len, GFP_ATOMIC);
+
+	if (outskb) {
+		nlhdr.len=len;
+		
+		if ( MASK(nld->flags, USE_MARK) )
+			nlhdr.mark=(*pskb)->nfmark=nld->mark;
+		else
+			nlhdr.mark=(*pskb)->nfmark;
+		
+		if ( in && in->name ) {
+			strncpy((char *)&nlhdr.iface, in->name, IFNAMSIZ);
+		}else if ( out && out->name ){
+			strncpy((char *)&nlhdr.iface, out->name, IFNAMSIZ);
+		}
+
+		skb_put(outskb, len);
+		memcpy(outskb->data, &nlhdr, sizeof(nlhdr));
+		memcpy((outskb->data)+sizeof(nlhdr), ip, len-sizeof(nlhdr));
+		netlink_broadcast(ipfwsk, outskb, 0, ~0, GFP_ATOMIC);
+	}else{
+		if (net_ratelimit())
+			printk(KERN_WARNING "ipt_NETLINK: packet drop due to netlink failure\n");
+	}
+
+	if ( MASK(nld->flags, USE_DROP) )
+		return NF_DROP;
+
+	return IPT_CONTINUE;
+}
+
+static int ipt_netlink_checkentry(const char *tablename,
+			       const struct ipt_entry *e,
+			       void *targinfo,
+			       unsigned int targinfosize,
+			       unsigned int hookmask)
+{
+	//struct ipt_nldata *nld = (struct ipt_nldata *)targinfo;
+
+	return 1;
+}
+
+static struct ipt_target ipt_netlink_reg = { 
+	{NULL, NULL},
+	"NETLINK",
+	ipt_netlink_target,
+	ipt_netlink_checkentry,
+	NULL,
+	THIS_MODULE
+};
+
+static int __init init(void)
+{
+	DEBUGP("ipt_NETLINK: init module\n");	
+
+	if (ipt_register_target(&ipt_netlink_reg) != 0) {
+		return -EINVAL;
+	}
+
+	if ( !(ipfwsk=netlink_kernel_create(NETLINK_FIREWALL, NULL)) ){
+		return -EINVAL;
+	}
+
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	DEBUGP("ipt_NETLINK: cleanup_module\n");
+	ipt_unregister_target(&ipt_netlink_reg);
+//	if(ipfwsk->socket) sock_release(ipfwsk->socket);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_POOL.c linux-2.6.3-rc3/net/ipv4/netfilter/ipt_POOL.c
--- linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_POOL.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/net/ipv4/netfilter/ipt_POOL.c	2004-02-16 11:07:21.518803072 +0100
@@ -0,0 +1,116 @@
+/* ipt_POOL.c - netfilter target to manipulate IP pools
+ *
+ * This target can be used almost everywhere. It acts on some specified
+ * IP pool, adding or deleting some IP address in the pool. The address
+ * can be either the source (--addsrc, --delsrc), or destination (--add/deldst)
+ * of the packet under inspection.
+ *
+ * The target normally returns IPT_CONTINUE.
+ */
+
+#include <linux/types.h>
+#include <linux/ip.h>
+#include <linux/timer.h>
+#include <linux/module.h>
+#include <linux/netfilter.h>
+#include <linux/netdevice.h>
+#include <linux/if.h>
+#include <linux/inetdevice.h>
+#include <net/protocol.h>
+#include <net/checksum.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter_ipv4/ipt_pool.h>
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+/*** NOTE NOTE NOTE NOTE ***
+**
+** By sheer luck, I get away with using the "struct ipt_pool_info", as defined
+** in <linux/netfilter_ipv4/ipt_pool.h>, both as the match and target info.
+** Here, in the target implementation, ipt_pool_info.src, if not IP_POOL_NONE,
+** is modified for the source IP address of the packet under inspection.
+** The same way, the ipt_pool_info.dst pool is modified for the destination.
+**
+** The address is added to the pool normally. However, if IPT_POOL_DEL_dir
+** flag is set in ipt_pool_info.flags, the address is deleted from the pool.
+**
+** If a modification was done to the pool, we possibly return ACCEPT or DROP,
+** if the right IPT_POOL_MOD_dir_ACCEPT or _MOD_dir_DROP flags are set.
+** The IPT_POOL_INV_MOD_dir flag inverts the sense of the check (i.e. the
+** ACCEPT and DROP flags are evaluated when the pool was not modified.)
+*/
+
+static int
+do_check(const char *tablename,
+	       const struct ipt_entry *e,
+	       void *targinfo,
+	       unsigned int targinfosize,
+	       unsigned int hook_mask)
+{
+	const struct ipt_pool_info *ipi = targinfo;
+
+	if (targinfosize != IPT_ALIGN(sizeof(*ipi))) {
+		DEBUGP("POOL_check: size %u.\n", targinfosize);
+		return 0;
+	}
+	DEBUGP("ipt_POOL:do_check(%d,%d,%d)\n",ipi->src,ipi->dst,ipi->flags);
+	return 1;
+}
+
+static unsigned int
+do_target(struct sk_buff **pskb,
+		unsigned int hooknum,
+		const struct net_device *in,
+		const struct net_device *out,
+		const void *targinfo,
+		void *userinfo)
+{
+	const struct ipt_pool_info *ipi = targinfo;
+	int modified;
+	unsigned int verdict = IPT_CONTINUE;
+
+	if (ipi->src != IP_POOL_NONE) {
+		modified = ip_pool_mod(ipi->src, ntohl((*pskb)->nh.iph->saddr),
+					ipi->flags & IPT_POOL_DEL_SRC);
+		if (!!modified ^ !!(ipi->flags & IPT_POOL_INV_MOD_SRC)) {
+			if (ipi->flags & IPT_POOL_MOD_SRC_ACCEPT)
+				verdict = NF_ACCEPT;
+			else if (ipi->flags & IPT_POOL_MOD_SRC_DROP)
+				verdict = NF_DROP;
+		}
+	}
+	if (verdict == IPT_CONTINUE && ipi->dst != IP_POOL_NONE) {
+		modified = ip_pool_mod(ipi->dst, ntohl((*pskb)->nh.iph->daddr),
+					ipi->flags & IPT_POOL_DEL_DST);
+		if (!!modified ^ !!(ipi->flags & IPT_POOL_INV_MOD_DST)) {
+			if (ipi->flags & IPT_POOL_MOD_DST_ACCEPT)
+				verdict = NF_ACCEPT;
+			else if (ipi->flags & IPT_POOL_MOD_DST_DROP)
+				verdict = NF_DROP;
+		}
+	}
+	return verdict;
+}
+
+static struct ipt_target pool_reg
+= { { NULL, NULL }, "POOL", do_target, do_check, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+	DEBUGP("init ipt_POOL\n");
+	return ipt_register_target(&pool_reg);
+}
+
+static void __exit fini(void)
+{
+	DEBUGP("fini ipt_POOL\n");
+	ipt_unregister_target(&pool_reg);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_TTL.c linux-2.6.3-rc3/net/ipv4/netfilter/ipt_TTL.c
--- linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_TTL.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/net/ipv4/netfilter/ipt_TTL.c	2004-02-16 11:07:09.253740328 +0100
@@ -0,0 +1,110 @@
+/* TTL modification target for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org>
+ *
+ * Version: 1.8
+ *
+ * This software is distributed under the terms of GNU GPL
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_TTL.h>
+
+MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
+MODULE_DESCRIPTION("IP tables TTL modification module");
+MODULE_LICENSE("GPL");
+
+static unsigned int ipt_ttl_target(struct sk_buff **pskb, unsigned int hooknum,
+		const struct net_device *in, const struct net_device *out,
+		const void *targinfo, void *userinfo)
+{
+	struct iphdr *iph = (*pskb)->nh.iph;
+	const struct ipt_TTL_info *info = targinfo;
+	u_int16_t diffs[2];
+	int new_ttl;
+			 
+	switch (info->mode) {
+		case IPT_TTL_SET:
+			new_ttl = info->ttl;
+			break;
+		case IPT_TTL_INC:
+			new_ttl = iph->ttl + info->ttl;
+			if (new_ttl > 255)
+				new_ttl = 255;
+			break;
+		case IPT_TTL_DEC:
+			new_ttl = iph->ttl + info->ttl;
+			if (new_ttl < 0)
+				new_ttl = 0;
+			break;
+		default:
+			new_ttl = iph->ttl;
+			break;
+	}
+
+	if (new_ttl != iph->ttl) {
+		diffs[0] = htons(((unsigned)iph->ttl) << 8) ^ 0xFFFF;
+		iph->ttl = new_ttl;
+		diffs[1] = htons(((unsigned)iph->ttl) << 8);
+		iph->check = csum_fold(csum_partial((char *)diffs,
+						    sizeof(diffs),
+				 	            iph->check^0xFFFF));
+									                	(*pskb)->nfcache |= NFC_ALTERED;
+	}
+
+	return IPT_CONTINUE;
+}
+
+static int ipt_ttl_checkentry(const char *tablename,
+		const struct ipt_entry *e,
+		void *targinfo,
+		unsigned int targinfosize,
+		unsigned int hook_mask)
+{
+	struct ipt_TTL_info *info = targinfo;
+
+	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_TTL_info))) {
+		printk(KERN_WARNING "TTL: targinfosize %u != %Zu\n",
+				targinfosize,
+				IPT_ALIGN(sizeof(struct ipt_TTL_info)));
+		return 0;	
+	}	
+
+	if (strcmp(tablename, "mangle")) {
+		printk(KERN_WARNING "TTL: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+
+	if (info->mode > IPT_TTL_MAXMODE) {
+		printk(KERN_WARNING "TTL: invalid or unknown Mode %u\n", 
+			info->mode);
+		return 0;
+	}
+
+	if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) {
+		printk(KERN_WARNING "TTL: increment/decrement doesn't make sense with value 0\n");
+		return 0;
+	}
+	
+	return 1;
+}
+
+static struct ipt_target ipt_TTL = { { NULL, NULL }, "TTL", 
+	ipt_ttl_target, ipt_ttl_checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+	return ipt_register_target(&ipt_TTL);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_TTL);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_connlimit.c linux-2.6.3-rc3/net/ipv4/netfilter/ipt_connlimit.c
--- linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_connlimit.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/net/ipv4/netfilter/ipt_connlimit.c	2004-02-16 11:07:11.549190614 +0100
@@ -0,0 +1,227 @@
+/*
+ * netfilter module to limit the number of parallel tcp
+ * connections per IP address.
+ *   (c) 2000 Gerd Knorr <kraxel@bytesex.org>
+ *   Nov 2002: Martin Bene <martin.bene@icomedias.com>:
+ *		only ignore TIME_WAIT or gone connections
+ *
+ * based on ...
+ *
+ * Kernel module to match connection tracking information.
+ * GPL (C) 1999  Rusty Russell (rusty@rustcorp.com.au).
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/list.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_core.h>
+#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_connlimit.h>
+
+#define DEBUG 0
+
+MODULE_LICENSE("GPL");
+
+/* we'll save the tuples of all connections we care about */
+struct ipt_connlimit_conn
+{
+        struct list_head list;
+	struct ip_conntrack_tuple tuple;
+};
+
+struct ipt_connlimit_data {
+	spinlock_t lock;
+	struct list_head iphash[256];
+};
+
+static int ipt_iphash(u_int32_t addr)
+{
+	int hash;
+
+	hash  =  addr        & 0xff;
+	hash ^= (addr >>  8) & 0xff;
+	hash ^= (addr >> 16) & 0xff;
+	hash ^= (addr >> 24) & 0xff;
+	return hash;
+}
+
+static int count_them(struct ipt_connlimit_data *data,
+		      u_int32_t addr, u_int32_t mask,
+		      struct ip_conntrack *ct)
+{
+#if DEBUG
+	const static char *tcp[] = { "none", "established", "syn_sent", "syn_recv",
+				     "fin_wait", "time_wait", "close", "close_wait",
+				     "last_ack", "listen" };
+#endif
+	int addit = 1, matches = 0;
+	struct ip_conntrack_tuple tuple;
+	struct ip_conntrack_tuple_hash *found;
+	struct ipt_connlimit_conn *conn;
+	struct list_head *hash,*lh;
+
+	spin_lock(&data->lock);
+	tuple = ct->tuplehash[0].tuple;
+	hash = &data->iphash[ipt_iphash(addr & mask)];
+
+	/* check the saved connections */
+	for (lh = hash->next; lh != hash; lh = lh->next) {
+		conn = list_entry(lh,struct ipt_connlimit_conn,list);
+		found = ip_conntrack_find_get(&conn->tuple,ct);
+		if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
+		    found != NULL &&
+		    found->ctrack->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
+			/* Just to be sure we have it only once in the list.
+			   We should'nt see tuples twice unless someone hooks this
+			   into a table without "-p tcp --syn" */
+			addit = 0;
+		}
+#if DEBUG
+		printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d %s\n",
+		       ipt_iphash(addr & mask),
+		       NIPQUAD(conn->tuple.src.ip), ntohs(conn->tuple.src.u.tcp.port),
+		       NIPQUAD(conn->tuple.dst.ip), ntohs(conn->tuple.dst.u.tcp.port),
+		       (NULL != found) ? tcp[found->ctrack->proto.tcp.state] : "gone");
+#endif
+		if (NULL == found) {
+			/* this one is gone */
+			lh = lh->prev;
+			list_del(lh->next);
+			kfree(conn);
+			continue;
+		}
+		if (found->ctrack->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT) {
+			/* we don't care about connections which are
+			   closed already -> ditch it */
+			lh = lh->prev;
+			list_del(lh->next);
+			kfree(conn);
+			nf_conntrack_put(&found->ctrack->infos[0]);
+			continue;
+		}
+		if ((addr & mask) == (conn->tuple.src.ip & mask)) {
+			/* same source IP address -> be counted! */
+			matches++;
+		}
+		nf_conntrack_put(&found->ctrack->infos[0]);
+	}
+	if (addit) {
+		/* save the new connection in our list */
+#if DEBUG
+		printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d new\n",
+		       ipt_iphash(addr & mask),
+		       NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
+		       NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
+#endif
+		conn = kmalloc(sizeof(*conn),GFP_ATOMIC);
+		if (NULL == conn)
+			return -1;
+		memset(conn,0,sizeof(*conn));
+		INIT_LIST_HEAD(&conn->list);
+		conn->tuple = tuple;
+		list_add(&conn->list,hash);
+		matches++;
+	}
+	spin_unlock(&data->lock);
+	return matches;
+}
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      const void *hdr,
+      u_int16_t datalen,
+      int *hotdrop)
+{
+	const struct ipt_connlimit_info *info = matchinfo;
+	int connections, match;
+	struct ip_conntrack *ct;
+	enum ip_conntrack_info ctinfo;
+
+	ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+	if (NULL == ct) {
+		printk("ipt_connlimit: Oops: invalid ct state ?\n");
+		*hotdrop = 1;
+		return 0;
+	}
+	connections = count_them(info->data,skb->nh.iph->saddr,info->mask,ct);
+	if (-1 == connections) {
+		printk("ipt_connlimit: Hmm, kmalloc failed :-(\n");
+		*hotdrop = 1; /* let's free some memory :-) */
+		return 0;
+	}
+        match = (info->inverse) ? (connections <= info->limit) : (connections > info->limit);
+#if DEBUG
+	printk("ipt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u "
+	       "connections=%d limit=%d match=%s\n",
+	       NIPQUAD(skb->nh.iph->saddr), NIPQUAD(info->mask),
+	       connections, info->limit, match ? "yes" : "no");
+#endif
+
+	return match;
+}
+
+static int check(const char *tablename,
+		 const struct ipt_ip *ip,
+		 void *matchinfo,
+		 unsigned int matchsize,
+		 unsigned int hook_mask)
+{
+	struct ipt_connlimit_info *info = matchinfo;
+	int i;
+
+	/* verify size */
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info)))
+		return 0;
+
+	/* refuse anything but tcp */
+	if (ip->proto != IPPROTO_TCP)
+		return 0;
+
+	/* init private data */
+	info->data = kmalloc(sizeof(struct ipt_connlimit_data),GFP_KERNEL);
+	spin_lock_init(&(info->data->lock));
+	for (i = 0; i < 256; i++)
+		INIT_LIST_HEAD(&(info->data->iphash[i]));
+	
+	return 1;
+}
+
+static void destroy(void *matchinfo, unsigned int matchinfosize)
+{
+	struct ipt_connlimit_info *info = matchinfo;
+	struct ipt_connlimit_conn *conn;
+	struct list_head *hash;
+	int i;
+
+	/* cleanup */
+	for (i = 0; i < 256; i++) {
+		hash = &(info->data->iphash[i]);
+		while (hash != hash->next) {
+			conn = list_entry(hash->next,struct ipt_connlimit_conn,list);
+			list_del(hash->next);
+			kfree(conn);
+		}
+	}
+	kfree(info->data);
+}
+
+static struct ipt_match connlimit_match
+= { { NULL, NULL }, "connlimit", &match, &check, &destroy, THIS_MODULE };
+
+static int __init init(void)
+{
+	return ipt_register_match(&connlimit_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&connlimit_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_dstlimit.c linux-2.6.3-rc3/net/ipv4/netfilter/ipt_dstlimit.c
--- linux-2.6.3-rc3.org/net/ipv4/netfilter/ipt_dstlimit.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.3-rc3/net/ipv4/netfilter/ipt_dstlimit.c	2004-02-16 11:07:13.230787904 +0100
@@ -0,0 +1,623 @@
+/* iptables match extension to limit the number of packets per second
+ * seperately for each destination.
+ *
+ * (C) 2003 by Harald Welte <laforge@netfilter.org>
+ *
+ * Development of this code was funded by Astaro AG, http://www.astaro.com/
+ *
+ * based on ipt_limit.c by: