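diff -NurpP --minimal linux-2.6.19-pom-ng/include/linux/netfilter_ipv4/ip_conntrack_quake3.h linux-2.6.19/include/linux/netfilter_ipv4/ip_conntrack_quake3.h
--- linux-2.6.19-pom-ng/include/linux/netfilter_ipv4/ip_conntrack_quake3.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19/include/linux/netfilter_ipv4/ip_conntrack_quake3.h 2006-12-14 11:21:52.000000000 +0100
@@ -0,0 +1,22 @@
+#ifndef _IP_CT_QUAKE3
+#define _IP_CT_QUAKE3
+
+/* Don't confuse with 27960, often used as the Server Port */
+#define QUAKE3_MASTER_PORT 27950
+
+struct quake3_search {
+ const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */
+ const char *pattern;
+ size_t plen;
+};
+
+/* This structure is per expected connection */
+struct ip_ct_quake3_expect {
+};
+
+/* This structure exists only once per master */
+struct ip_ct_quake3_master {
+};
+
+extern unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
+#endif /* _IP_CT_QUAKE3 */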
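Review bot: The extern declaration of `ip_nat_quake3_hook` uses `struct ip_conntrack_expect *` without forward-declaring that struct, so the header only compiles when ip_conntrack_helper.h happens to be included before it; add `struct ip_conntrack_expect;` above the extern line so the header is self-contained. The `marker[4]` member is documented as "always 0xff 0xff 0xff 0xff ?" while the only instance (in ip_conntrack_quake3.c) initialises it with `"****"` and the helper never reads it, so the field and its comment disagree — if it stays, the comment should say the four bytes are skipped rather than matched. `struct ip_ct_quake3_expect` and `struct ip_ct_quake3_master` are empty, which is a GNU extension rather than ISO C, and nothing in the patch uses them; drop them or comment that they are placeholders for a later change.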
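diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/Kconfig linux-2.6.19/net/ipv4/netfilter/Kconfig
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/Kconfig 2006-12-14 11:13:22.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/Kconfig 2006-12-14 11:21:52.000000000 +0100
@@ -820,5 +820,23 @@ config IP_NF_MMS
 If you want to compile it as a module, say M here and read
 <file:Documentation/modules.txt>. If unsure, say `Y'.
 
+config IP_NF_NAT_QUAKE3
+ tristate
+ depends on IP_NF_CONNTRACK!=n && IP_NF_NAT !=n
+ default IP_NF_NAT if IP_NF_QUAKE3=y
+ default m if IP_NF_QUAKE3=m
+
+config IP_NF_QUAKE3
+ tristate "Quake3 protocol support"
+ depends on IP_NF_CONNTRACK
+ help
+ Quake III Arena connection tracking helper. This module allows for a
+ stricter firewall rulebase if one only allows traffic to a master
+ server. Connections to Quake III server IP addresses and ports returned
+ by the master server will be tracked automatically.
+
+ If you want to compile it as a module, say M here and read
+ <file:Documentation/modules.txt>. If unsure, say `Y'.
+
 endmenu
 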
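Review bot: The new `depends on IP_NF_CONNTRACK!=n && IP_NF_NAT !=n` line spaces the two `!=` comparisons differently; kconfig accepts both forms, but the line itself already writes the first one without a space, so `depends on IP_NF_CONNTRACK!=n && IP_NF_NAT!=n` reads consistently. The two `default` lines and the help text otherwise follow the shape of the IP_NF_MMS entry this hunk sits under.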
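diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/Makefile linux-2.6.19/net/ipv4/netfilter/Makefile
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/Makefile 2006-12-14 11:13:22.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/Makefile 2006-12-14 11:21:52.000000000 +0100
@@ -25,6 +25,7 @@ obj-$(CONFIG_IP_NF_CONNTRACK_NETLINK) +=
 obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o
 
 # connection tracking helpers
+obj-$(CONFIG_IP_NF_QUAKE3) += ip_conntrack_quake3.o
 obj-$(CONFIG_IP_NF_MMS) += ip_conntrack_mms.o
 obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o
 obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o
@@ -43,6 +44,7 @@ obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat
 obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o
 obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o
 obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
+obj-$(CONFIG_IP_NF_NAT_QUAKE3) += ip_nat_quake3.o
 obj-$(CONFIG_IP_NF_NAT_SIP) += ip_nat_sip.o
 
 # generic IP tables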
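diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_conntrack_quake3.c linux-2.6.19/net/ipv4/netfilter/ip_conntrack_quake3.c
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_conntrack_quake3.c 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/ip_conntrack_quake3.c 2006-12-14 11:21:52.000000000 +0100
@@ -0,0 +1,201 @@
+/* Quake3 extension for IP connection tracking
+ * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be>
+ * (C) 2005 by Harald Welte <laforge@netfilter.org>
+ * based on ip_conntrack_ftp.c and ip_conntrack_tftp.c
+ *
+ * ip_conntrack_quake3.c v0.04 2002-08-31
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Module load syntax:
+ * insmod ip_conntrack_quake3.o ports=port1,port2,...port<MAX_PORTS>
+ *
+ * please give the ports of all Quake3 master servers You wish to
+ * connect to. If you don't specify ports, the default will be UDP
+ * port 27950.
+ *
+ * Thanks to the Ethereal folks for their analysis of the Quake3 protocol.
+ */
+
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_quake3.h>
+
+MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>");
+MODULE_DESCRIPTION("Netfilter connection tracking module for Quake III Arena");
+MODULE_LICENSE("GPL");
+
+#define MAX_PORTS 8
+static int ports[MAX_PORTS];
+static int ports_c = 0;
+module_param_array(ports, int, &ports_c, 0400);
+MODULE_PARM_DESC(ports, "port numbers of Quake III master servers");
+
+static char quake3_buffer[65536];
+static DECLARE_LOCK(quake3_buffer_lock);
+
+static unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
+
+/* Quake3 master server reply will add > 100 expectations per reply packet; when
+ doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+struct quake3_search quake3s_conntrack = { "****", "getserversResponse", sizeof("getserversResponse") - 1 };
+
+static int quake3_help(struct sk_buff **pskb,
+ struct ip_conntrack *ct,
+ enum ip_conntrack_info ctinfo)
+{
+ struct udphdr _udph, *uh;
+ struct ip_conntrack_expect *exp;
+ void *data, *qb_ptr;
+ int dir = CTINFO2DIR(ctinfo);
+ int i, dataoff;
+ int ret = NF_ACCEPT;
+
+
+ /* Until there's been traffic both ways, don't look in packets. note:
+ * it's UDP ! */
+ if (ctinfo != IP_CT_ESTABLISHED
+ && ctinfo != IP_CT_IS_REPLY) {
+ DEBUGP("ip_conntrack_quake3: not ok ! Conntrackinfo = %u\n",
+ ctinfo);
+ return NF_ACCEPT;
+ } else {
+ DEBUGP("ip_conntrack_quake3: it's ok ! Conntrackinfo = %u\n",
+ ctinfo);
+ }
+
+ /* Valid UDP header? */
+ uh = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
+ sizeof(_udph), &_udph);
+ if (!uh)
+ return NF_ACCEPT;
+
+ /* Any data? */
+ dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+ if (dataoff >= (*pskb)->len)
+ return NF_ACCEPT;
+
+ LOCK_BH(&quake3_buffer_lock);
+ qb_ptr = skb_header_pointer(*pskb, dataoff,
+ (*pskb)->len - dataoff, quake3_buffer);
+ BUG_ON(qb_ptr == NULL);
+ data = qb_ptr;
+
+
+ if (strnicmp(data + 4, quake3s_conntrack.pattern,
+ quake3s_conntrack.plen) == 0) {
+ for(i=23; /* 4 bytes filler, 18 bytes "getserversResponse",
+ 1 byte "\" */
+ i+6 < ntohs(uh->len);
+ i+=7) {
+ u_int32_t *ip = data+i;
+ u_int16_t *port = data+i+4;
+#if 0
+ DEBUGP("ip_conntrack_quake3: adding server at offset "
+ "%u/%u %u.%u.%u.%u:%u\n", i, ntohs(uh->len),
+ NIPQUAD(*ip), ntohs(*port));
+#endif
+
+ exp = ip_conntrack_expect_alloc();
+ if (!exp) {
+ ret = NF_DROP;
+ goto out;
+ }
+
+ memset(exp, 0, sizeof(*exp));
+
+ exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
+ exp->tuple.dst.ip = *ip;
+ exp->tuple.dst.u.udp.port = *port;
+ exp->tuple.dst.protonum = IPPROTO_UDP;
+
+ exp->mask.src.ip = 0xffffffff;
+ exp->mask.dst.ip = 0xffffffff;
+ exp->mask.dst.u.udp.port = 0xffff;
+ exp->mask.dst.protonum = 0xff;
+
+ if (ip_nat_quake3_hook)
+ ret = ip_nat_quake3_hook(exp);
+ else if (ip_conntrack_expect_related(exp) != 0) {
+ ip_conntrack_expect_free(exp);
+ ret = NF_DROP;
+ }
+ goto out;
+ }
+ }
+
+out:
+ return ret;
+}
+
+static struct ip_conntrack_helper quake3[MAX_PORTS];
+static char quake3_names[MAX_PORTS][13]; /* quake3-65535 */
+
+static void fini(void)
+{
+ int i;
+
+ for(i = 0 ; (i < ports_c); i++) {
+ DEBUGP("ip_conntrack_quake3: unregistering helper for port %d\n",
+ ports[i]);
+ ip_conntrack_helper_unregister(&quake3[i]);
+ }
+}
+
+static int __init init(void)
+{
+ int i, ret;
+ char *tmpname;
+
+ if(!ports[0])
+ ports[0]=QUAKE3_MASTER_PORT;
+
+ for(i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
+ /* Create helper structure */
+ memset(&quake3[i], 0, sizeof(struct ip_conntrack_helper));
+
+ quake3[i].tuple.dst.protonum = IPPROTO_UDP;
+ quake3[i].tuple.src.u.udp.port = htons(ports[i]);
+ quake3[i].mask.dst.protonum = 0xFF;
+ quake3[i].mask.src.u.udp.port = 0xFFFF;
+ quake3[i].help = quake3_help;
+ quake3[i].me = THIS_MODULE;
+ quake3[i].timeout = 120;
+
+ tmpname = &quake3_names[i][0];
+ if (ports[i] == QUAKE3_MASTER_PORT)
+ sprintf(tmpname, "quake3");
+ else
+ sprintf(tmpname, "quake3-%d", i);
+ quake3[i].name = tmpname;
+
+ DEBUGP("ip_conntrack_quake3: registering helper for port %d\n",
+ ports[i]);
+
+ ret=ip_conntrack_helper_register(&quake3[i]);
+ if(ret) {
+ fini();
+ return(ret);
+ }
+ ports_c++;
+ }
+
+ return(0);
+}
+
+module_init(init);
+module_exit(fini);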
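Review bot: quake3_help takes `LOCK_BH(&quake3_buffer_lock)` before the payload copy but no path ever releases it — both the `goto out` inside the loop and the fall-through after the `if` reach `out:` with a bare `return ret;`, so if DECLARE_LOCK is the old lockhelp.h spinlock the next matching packet deadlocks with bottom halves still disabled; put `UNLOCK_BH(&quake3_buffer_lock);` immediately before the `return ret;` at `out:` (and I don't believe 2.6.19 still ships DECLARE_LOCK/LOCK_BH at all, so a DEFINE_SPINLOCK with spin_lock_bh/spin_unlock_bh is likely needed anyway). The expectation is zeroed with `memset` and `exp->master` is never assigned before it is handed to `ip_nat_quake3_hook`, yet quake3_nat_help in ip_nat_quake3.c starts with `ct = exp->master` and dereferences it, so with the NAT module loaded the first master reply is a NULL dereference in softirq context; add `exp->master = ct;` after the memset, or drop the memset if this tree's ip_conntrack_expect_alloc already takes the master and initialises the use count. `ip_nat_quake3_hook` is defined `static` here although the included header declares it `extern` and ip_nat_quake3.c assigns it, which cannot compile or link as written; make the definition non-static and add `EXPORT_SYMBOL_GPL(ip_nat_quake3_hook);`. The parser also trusts the UDP header's `uh->len` (sender-controlled and 8 bytes larger than the payload) as the loop bound, compares 22 bytes of signature after only checking that one payload byte exists, and reads `*ip`/`*port` through pointers at offsets 23+7k that are never 4-byte aligned; bound both on `(*pskb)->len - dataoff` and copy the fields out with memcpy or get_unaligned. Finally, the unconditional `goto out` at the end of the loop body means only the first server of a reply is ever expected, which contradicts the comment above DEBUGP about >100 expectations per reply — either that goto belongs on the failure paths only, or the loop and comment should be reduced to a single entry.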
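diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_nat_quake3.c linux-2.6.19/net/ipv4/netfilter/ip_nat_quake3.c
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_nat_quake3.c 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/ip_nat_quake3.c 2006-12-14 11:21:52.000000000 +0100
@@ -0,0 +1,97 @@
+/* Quake3 extension for UDP NAT alteration.
+ * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be>
+ * (C) 2005 by Harald Welte <laforge@netfilter.org>
+ * based on ip_nat_ftp.c and ip_nat_tftp.c
+ *
+ * ip_nat_quake3.c v0.0.3 2002-08-31
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Module load syntax:
+ * insmod ip_nat_quake3.o ports=port1,port2,...port<MAX_PORTS>
+ *
+ * please give the ports of all Quake3 master servers You wish to
+ * connect to. If you don't specify ports, the default will be UDP
+ * port 27950.
+ *
+ * Thanks to the Ethereal folks for their analysis of the Quake3 protocol.
+ *
+ * Notes:
+ * - If you're one of those people who would try anything to lower
+ * latency while playing Quake (and who isn't :-) ), you may want to
+ * consider not loading ip_nat_quake3 at all and just MASQUERADE all
+ * outgoing UDP traffic.
+ * This will make ip_conntrack_quake3 add the necessary expectations,
+ * but there will be no overhead for client->server UDP streams. If
+ * ip_nat_quake3 is loaded, quake3_nat_expected will be called per NAT
+ * hook for every packet in the client->server UDP stream.
+ * - Only SNAT/MASQUEARDE targets are useful for ip_nat_quake3.
+ * The IP addresses in the master connection payload (=IP addresses
+ * of Quake servers) have no relation with the master server so
+ * DNAT'ing the master connection to a server should not change the
+ * expected connections.
+ * - Not tested due to lack of equipment:
+ * - multiple Quake3 clients behind one MASQUERADE gateway
+ * - what if Quake3 client is running on router too
+ */
+
+#include <linux/module.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_quake3.h>
+#include <linux/netfilter_ipv4/ip_nat_helper.h>
+
+MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>");
+MODULE_DESCRIPTION("Netfilter NAT helper for Quake III Arena");
+MODULE_LICENSE("GPL");
+
+/* Quake3 master server reply will add > 100 expectations per reply packet; when
+ doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+static unsigned int
+quake3_nat_help(struct ip_conntrack_expect *exp)
+{
+ struct ip_conntrack *ct = exp->master;
+
+ /* What is this? Why don't we try to alter the port? -HW */
+ exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
+ exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
+ exp->expectfn = ip_nat_follow_master;
+ //exp->dir = !dir;
+
+ if (ip_conntrack_expect_related(exp) != 0) {
+ ip_conntrack_expect_free(exp);
+ return NF_DROP;
+ }
+
+ return NF_ACCEPT;
+}
+
+static void fini(void)
+{
+ ip_nat_quake3_hook = NULL;
+ synchronize_net();
+}
+
+static int __init init(void)
+{
+ BUG_ON(ip_nat_quake3_hook);
+ ip_nat_quake3_hook = quake3_nat_help;
+ return 0;
+}
+
+module_init(init);
+module_exit(fini);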
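Review bot: quake3_nat_help goes in with an open question as its only comment (`/* What is this? Why don't we try to alter the port? -HW */`) and a dead `//exp->dir = !dir;` line, so a reader cannot tell whether the src.ip rewrite and the saved_proto assignment are deliberate; replace both with a comment stating the contract the code visibly implements, e.g. `/* Expect the client's original (pre-NAT) address toward the announced server; the dst port is kept in saved_proto and ip_nat_follow_master applies the master's SNAT mapping. */`, and drop the commented-out statement rather than committing it. The function also relies on `exp->master` being populated by the conntrack helper, which the note on ip_conntrack_quake3.c covers; at minimum that requirement belongs in the same comment. The hook is published with a plain store in init() and cleared in fini() with only a `synchronize_net()` behind it, while the reader in ip_conntrack_quake3.c tests and calls the pointer with no RCU marker; if the sibling NAT helpers in this tree use rcu_assign_pointer/rcu_dereference for their hooks (I believe ip_nat_ftp does by 2.6.19), following that convention here would make the synchronize_net() actually pair with something.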