[packages/kernel.git] / pom-ng-quake3-conntrack-nat-20061213.patch

diff -NurpP --minimal linux-2.6.19-pom-ng/include/linux/netfilter_ipv4/ip_conntrack_quake3.h linux-2.6.19/include/linux/netfilter_ipv4/ip_conntrack_quake3.h
--- linux-2.6.19-pom-ng/include/linux/netfilter_ipv4/ip_conntrack_quake3.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19/include/linux/netfilter_ipv4/ip_conntrack_quake3.h	2006-12-14 11:21:52.000000000 +0100
@@ -0,0 +1,22 @@
+#ifndef _IP_CT_QUAKE3
+#define _IP_CT_QUAKE3
+
+/* Don't confuse with 27960, often used as the Server Port */
+#define QUAKE3_MASTER_PORT 27950
+
+struct quake3_search {
+	const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */
+	const char *pattern;
+	size_t plen;
+}; 
+
+/* This structure is per expected connection */
+struct ip_ct_quake3_expect {
+};
+
+/* This structure exists only once per master */
+struct ip_ct_quake3_master {
+};
+
+extern unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
+#endif /* _IP_CT_QUAKE3 */
diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/Kconfig linux-2.6.19/net/ipv4/netfilter/Kconfig
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/Kconfig	2006-12-14 11:13:22.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/Kconfig	2006-12-14 11:21:52.000000000 +0100
@@ -820,5 +820,23 @@ config IP_NF_MMS
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `Y'.
 
+config IP_NF_NAT_QUAKE3
+	tristate
+	depends on IP_NF_CONNTRACK!=n && IP_NF_NAT !=n
+	default IP_NF_NAT if IP_NF_QUAKE3=y
+	default m if IP_NF_QUAKE3=m
+
+config IP_NF_QUAKE3
+	tristate "Quake3 protocol support"
+	depends on IP_NF_CONNTRACK
+	help
+	  Quake III Arena  connection tracking helper. This module allows for a
+	  stricter firewall rulebase if one only allows traffic to a master
+	  server. Connections to Quake III server IP addresses and ports returned
+	  by the master server will be tracked automatically.
+	
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/modules.txt>.  If unsure, say `Y'.
+
 endmenu
 
diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/Makefile linux-2.6.19/net/ipv4/netfilter/Makefile
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/Makefile	2006-12-14 11:13:22.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/Makefile	2006-12-14 11:21:52.000000000 +0100
@@ -25,6 +25,7 @@ obj-$(CONFIG_IP_NF_CONNTRACK_NETLINK) +=
 obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o
 
 # connection tracking helpers
+obj-$(CONFIG_IP_NF_QUAKE3) += ip_conntrack_quake3.o
 obj-$(CONFIG_IP_NF_MMS) += ip_conntrack_mms.o
 obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o
 obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o
@@ -43,6 +44,7 @@ obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat
 obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o
 obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o
 obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
+obj-$(CONFIG_IP_NF_NAT_QUAKE3) += ip_nat_quake3.o
 obj-$(CONFIG_IP_NF_NAT_SIP) += ip_nat_sip.o
 
 # generic IP tables 
diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_conntrack_quake3.c linux-2.6.19/net/ipv4/netfilter/ip_conntrack_quake3.c
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_conntrack_quake3.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/ip_conntrack_quake3.c	2006-12-14 11:21:52.000000000 +0100
@@ -0,0 +1,201 @@
+/* Quake3 extension for IP connection tracking
+ * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be>
+ * (C) 2005 by Harald Welte <laforge@netfilter.org>
+ * based on ip_conntrack_ftp.c and ip_conntrack_tftp.c
+ *
+ * ip_conntrack_quake3.c v0.04 2002-08-31
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ *
+ *      Module load syntax:
+ *      insmod ip_conntrack_quake3.o ports=port1,port2,...port<MAX_PORTS>
+ *
+ *      please give the ports of all Quake3 master servers You wish to 
+ *      connect to. If you don't specify ports, the default will be UDP 
+ *      port 27950.
+ *
+ *      Thanks to the Ethereal folks for their analysis of the Quake3 protocol.
+ */
+
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_quake3.h>
+
+MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>");
+MODULE_DESCRIPTION("Netfilter connection tracking module for Quake III Arena");
+MODULE_LICENSE("GPL");
+
+#define MAX_PORTS 8
+static int ports[MAX_PORTS];
+static int ports_c = 0;
+module_param_array(ports, int, &ports_c, 0400);
+MODULE_PARM_DESC(ports, "port numbers of Quake III master servers");
+
+static char quake3_buffer[65536];
+static DECLARE_LOCK(quake3_buffer_lock);
+
+static unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
+
+/* Quake3 master server reply will add > 100 expectations per reply packet; when
+   doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */
+#if 0 
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+struct quake3_search quake3s_conntrack = { "****", "getserversResponse", sizeof("getserversResponse") - 1 };
+
+static int quake3_help(struct sk_buff **pskb,
+	struct ip_conntrack *ct,
+	enum ip_conntrack_info ctinfo)
+{
+	struct udphdr _udph, *uh;
+	struct ip_conntrack_expect *exp;
+	void *data, *qb_ptr;
+	int dir = CTINFO2DIR(ctinfo);
+	int i, dataoff;
+	int ret = NF_ACCEPT;
+
+	
+	/* Until there's been traffic both ways, don't look in packets. note:
+	 * it's UDP ! */
+	if (ctinfo != IP_CT_ESTABLISHED
+	    && ctinfo != IP_CT_IS_REPLY) {
+	        DEBUGP("ip_conntrack_quake3: not ok ! Conntrackinfo = %u\n",
+			ctinfo);
+	        return NF_ACCEPT;
+	} else { 
+		DEBUGP("ip_conntrack_quake3: it's ok ! Conntrackinfo = %u\n",
+			ctinfo);
+	}
+
+	/* Valid UDP header? */
+	uh = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
+				sizeof(_udph), &_udph);
+	if (!uh)
+		return NF_ACCEPT;
+
+	/* Any data? */
+	dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+	if (dataoff >= (*pskb)->len)
+		return NF_ACCEPT;
+
+	LOCK_BH(&quake3_buffer_lock);
+	qb_ptr = skb_header_pointer(*pskb, dataoff,
+				    (*pskb)->len - dataoff, quake3_buffer);
+	BUG_ON(qb_ptr == NULL);
+	data = qb_ptr;
+
+	
+	if (strnicmp(data + 4, quake3s_conntrack.pattern, 
+		     quake3s_conntrack.plen) == 0) {
+		for(i=23;    /* 4 bytes filler, 18 bytes "getserversResponse", 
+				1 byte "\" */
+		    i+6 < ntohs(uh->len);
+		    i+=7) {
+			u_int32_t *ip = data+i;
+			u_int16_t *port = data+i+4;
+#if 0
+			DEBUGP("ip_conntrack_quake3: adding server at offset "
+			       "%u/%u %u.%u.%u.%u:%u\n", i, ntohs(uh->len),
+			       NIPQUAD(*ip), ntohs(*port));
+#endif
+
+			exp = ip_conntrack_expect_alloc();
+			if (!exp) { 
+				ret = NF_DROP;
+				goto out;
+			}
+
+			memset(exp, 0, sizeof(*exp));
+
+			exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
+			exp->tuple.dst.ip = *ip;
+			exp->tuple.dst.u.udp.port = *port;
+			exp->tuple.dst.protonum = IPPROTO_UDP;
+
+			exp->mask.src.ip = 0xffffffff;
+			exp->mask.dst.ip = 0xffffffff;
+			exp->mask.dst.u.udp.port = 0xffff;
+			exp->mask.dst.protonum = 0xff;
+
+			if (ip_nat_quake3_hook) 
+				ret = ip_nat_quake3_hook(exp);
+			else if (ip_conntrack_expect_related(exp) != 0) {
+				ip_conntrack_expect_free(exp);
+				ret = NF_DROP;
+			}
+			goto out;
+		}
+	}
+	
+out:
+	return ret;
+}
+
+static struct ip_conntrack_helper quake3[MAX_PORTS];
+static char quake3_names[MAX_PORTS][13];  /* quake3-65535 */
+
+static void fini(void)
+{
+	int i;
+
+	for(i = 0 ; (i < ports_c); i++) {
+		DEBUGP("ip_conntrack_quake3: unregistering helper for port %d\n",
+					ports[i]);
+		ip_conntrack_helper_unregister(&quake3[i]);
+	} 
+}
+
+static int __init init(void)
+{
+	int i, ret;
+	char *tmpname;
+
+	if(!ports[0])
+		ports[0]=QUAKE3_MASTER_PORT;
+
+	for(i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
+		/* Create helper structure */
+		memset(&quake3[i], 0, sizeof(struct ip_conntrack_helper));
+
+		quake3[i].tuple.dst.protonum = IPPROTO_UDP;
+		quake3[i].tuple.src.u.udp.port = htons(ports[i]);
+		quake3[i].mask.dst.protonum = 0xFF;
+		quake3[i].mask.src.u.udp.port = 0xFFFF;
+		quake3[i].help = quake3_help;
+		quake3[i].me = THIS_MODULE;
+		quake3[i].timeout = 120;
+
+		tmpname = &quake3_names[i][0];
+		if (ports[i] == QUAKE3_MASTER_PORT)
+			sprintf(tmpname, "quake3");
+		else
+			sprintf(tmpname, "quake3-%d", i);
+		quake3[i].name = tmpname;
+		
+		DEBUGP("ip_conntrack_quake3: registering helper for port %d\n",
+		       ports[i]);
+
+		ret=ip_conntrack_helper_register(&quake3[i]);
+		if(ret) {
+			fini();
+			return(ret);
+		}
+		ports_c++;
+	}
+
+	return(0);
+}
+
+module_init(init);
+module_exit(fini);
diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_nat_quake3.c linux-2.6.19/net/ipv4/netfilter/ip_nat_quake3.c
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_nat_quake3.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/ip_nat_quake3.c	2006-12-14 11:21:52.000000000 +0100
@@ -0,0 +1,97 @@
+/* Quake3 extension for UDP NAT alteration.
+ * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be>
+ * (C) 2005 by Harald Welte <laforge@netfilter.org>
+ * based on ip_nat_ftp.c and ip_nat_tftp.c
+ *
+ * ip_nat_quake3.c v0.0.3 2002-08-31
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ *
+ *      Module load syntax:
+ *      insmod ip_nat_quake3.o ports=port1,port2,...port<MAX_PORTS>
+ *
+ *      please give the ports of all Quake3 master servers You wish to
+ *      connect to. If you don't specify ports, the default will be UDP
+ *      port 27950.
+ *
+ *      Thanks to the Ethereal folks for their analysis of the Quake3 protocol.
+ *
+ *      Notes: 
+ *      - If you're one of those people who would try anything to lower
+ *        latency while playing Quake (and who isn't :-) ), you may want to
+ *        consider not loading ip_nat_quake3 at all and just MASQUERADE all
+ *        outgoing UDP traffic.
+ *        This will make ip_conntrack_quake3 add the necessary expectations,
+ *        but there will be no overhead for client->server UDP streams. If
+ *        ip_nat_quake3 is loaded, quake3_nat_expected will be called per NAT
+ *        hook for every packet in the client->server UDP stream.
+ *      - Only SNAT/MASQUEARDE targets are useful for ip_nat_quake3.
+ *        The IP addresses in the master connection payload (=IP addresses
+ *        of Quake servers) have no relation with the master server so
+ *        DNAT'ing the master connection to a server should not change the
+ *        expected connections.
+ *      - Not tested due to lack of equipment:
+ *        - multiple Quake3 clients behind one MASQUERADE gateway
+ *        - what if Quake3 client is running on router too
+ */
+
+#include <linux/module.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_quake3.h>
+#include <linux/netfilter_ipv4/ip_nat_helper.h>
+
+MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>");
+MODULE_DESCRIPTION("Netfilter NAT helper for Quake III Arena");
+MODULE_LICENSE("GPL");
+
+/* Quake3 master server reply will add > 100 expectations per reply packet; when
+   doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */
+#if 0 
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+static unsigned int 
+quake3_nat_help(struct ip_conntrack_expect *exp)
+{
+	struct ip_conntrack *ct = exp->master;
+
+	/* What is this?  Why don't we try to alter the port? -HW */
+	exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
+	exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
+	exp->expectfn = ip_nat_follow_master;
+	//exp->dir = !dir;
+
+	if (ip_conntrack_expect_related(exp) != 0) {
+		ip_conntrack_expect_free(exp);
+		return NF_DROP;
+	}
+
+	return NF_ACCEPT;
+}
+
+static void fini(void)
+{
+	ip_nat_quake3_hook = NULL;
+	synchronize_net();
+}
+
+static int __init init(void)
+{
+	BUG_ON(ip_nat_quake3_hook);
+	ip_nat_quake3_hook = quake3_nat_help;
+	return 0;
+}
+	
+module_init(init);
+module_exit(fini);
Commit	Line	Data
1aedc22c	1	diff -NurpP --minimal linux-2.6.19-pom-ng/include/linux/netfilter_ipv4/ip_conntrack_quake3.h linux-2.6.19/include/linux/netfilter_ipv4/ip_conntrack_quake3.h
	2	--- linux-2.6.19-pom-ng/include/linux/netfilter_ipv4/ip_conntrack_quake3.h 1970-01-01 01:00:00.000000000 +0100
	3	+++ linux-2.6.19/include/linux/netfilter_ipv4/ip_conntrack_quake3.h 2006-12-14 11:21:52.000000000 +0100
	4	@@ -0,0 +1,22 @@
	5	+#ifndef _IP_CT_QUAKE3
	6	+#define _IP_CT_QUAKE3
	7	+
	8	+/* Don't confuse with 27960, often used as the Server Port */
	9	+#define QUAKE3_MASTER_PORT 27950
	10	+
	11	+struct quake3_search {
	12	+ const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */
	13	+ const char *pattern;
	14	+ size_t plen;
	15	+};
	16	+
	17	+/* This structure is per expected connection */
	18	+struct ip_ct_quake3_expect {
	19	+};
	20	+
	21	+/* This structure exists only once per master */
	22	+struct ip_ct_quake3_master {
	23	+};
	24	+
	25	+extern unsigned int (ip_nat_quake3_hook)(struct ip_conntrack_expect exp);
	26	+#endif /* _IP_CT_QUAKE3 */
	27	diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/Kconfig linux-2.6.19/net/ipv4/netfilter/Kconfig
	28	--- linux-2.6.19-pom-ng/net/ipv4/netfilter/Kconfig 2006-12-14 11:13:22.000000000 +0100
	29	+++ linux-2.6.19/net/ipv4/netfilter/Kconfig 2006-12-14 11:21:52.000000000 +0100
	30	@@ -820,5 +820,23 @@ config IP_NF_MMS
	31	If you want to compile it as a module, say M here and read
	32	<file:Documentation/modules.txt>. If unsure, say `Y'.
	33
	34	+config IP_NF_NAT_QUAKE3
	35	+ tristate
	36	+ depends on IP_NF_CONNTRACK!=n && IP_NF_NAT !=n
	37	+ default IP_NF_NAT if IP_NF_QUAKE3=y
	38	+ default m if IP_NF_QUAKE3=m
	39	+
	40	+config IP_NF_QUAKE3
	41	+ tristate "Quake3 protocol support"
	42	+ depends on IP_NF_CONNTRACK
	43	+ help
	44	+ Quake III Arena connection tracking helper. This module allows for a
	45	+ stricter firewall rulebase if one only allows traffic to a master
	46	+ server. Connections to Quake III server IP addresses and ports returned
	47	+ by the master server will be tracked automatically.
	48	+
	49	+ If you want to compile it as a module, say M here and read
	50	+ <file:Documentation/modules.txt>. If unsure, say `Y'.
	51	+
	52	endmenu
	53
	54	diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/Makefile linux-2.6.19/net/ipv4/netfilter/Makefile
	55	--- linux-2.6.19-pom-ng/net/ipv4/netfilter/Makefile 2006-12-14 11:13:22.000000000 +0100
	56	+++ linux-2.6.19/net/ipv4/netfilter/Makefile 2006-12-14 11:21:52.000000000 +0100
	57	@@ -25,6 +25,7 @@ obj-$(CONFIG_IP_NF_CONNTRACK_NETLINK) +=
	58	obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o
	59
	60	# connection tracking helpers
	61	+obj-$(CONFIG_IP_NF_QUAKE3) += ip_conntrack_quake3.o
	62	obj-$(CONFIG_IP_NF_MMS) += ip_conntrack_mms.o
	63	obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o
	64	obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o
65	@@ -43,6 +44,7 @@ obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat
66	obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o
67	obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o
68	obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
69	+obj-$(CONFIG_IP_NF_NAT_QUAKE3) += ip_nat_quake3.o
70	obj-$(CONFIG_IP_NF_NAT_SIP) += ip_nat_sip.o
71
72	# generic IP tables
73	diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_conntrack_quake3.c linux-2.6.19/net/ipv4/netfilter/ip_conntrack_quake3.c
74	--- linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_conntrack_quake3.c 1970-01-01 01:00:00.000000000 +0100
75	+++ linux-2.6.19/net/ipv4/netfilter/ip_conntrack_quake3.c 2006-12-14 11:21:52.000000000 +0100
76	@@ -0,0 +1,201 @@
77	+/* Quake3 extension for IP connection tracking
78	+ * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be>
79	+ * (C) 2005 by Harald Welte <laforge@netfilter.org>
80	+ * based on ip_conntrack_ftp.c and ip_conntrack_tftp.c
81	+ *
82	+ * ip_conntrack_quake3.c v0.04 2002-08-31
83	+ *
84	+ * This program is free software; you can redistribute it and/or
85	+ * modify it under the terms of the GNU General Public License
86	+ * as published by the Free Software Foundation; either version
87	+ * 2 of the License, or (at your option) any later version.
88	+ *
89	+ * Module load syntax:
90	+ * insmod ip_conntrack_quake3.o ports=port1,port2,...port<MAX_PORTS>
91	+ *
92	+ * please give the ports of all Quake3 master servers You wish to
93	+ * connect to. If you don't specify ports, the default will be UDP
94	+ * port 27950.
95	+ *
96	+ * Thanks to the Ethereal folks for their analysis of the Quake3 protocol.
97	+ */
98	+
99	+#include <linux/module.h>
100	+#include <linux/ip.h>
101	+#include <linux/udp.h>
102	+
103	+#include <linux/netfilter.h>
104	+#include <linux/netfilter_ipv4/ip_tables.h>
105	+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
106	+#include <linux/netfilter_ipv4/ip_conntrack_quake3.h>
107	+
108	+MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>");
109	+MODULE_DESCRIPTION("Netfilter connection tracking module for Quake III Arena");
110	+MODULE_LICENSE("GPL");
111	+
112	+#define MAX_PORTS 8
113	+static int ports[MAX_PORTS];
114	+static int ports_c = 0;
115	+module_param_array(ports, int, &ports_c, 0400);
116	+MODULE_PARM_DESC(ports, "port numbers of Quake III master servers");
117	+
118	+static char quake3_buffer[65536];
119	+static DECLARE_LOCK(quake3_buffer_lock);
120	+
121	+static unsigned int (ip_nat_quake3_hook)(struct ip_conntrack_expect exp);
122	+
123	+/* Quake3 master server reply will add > 100 expectations per reply packet; when
124	+ doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */
125	+#if 0
126	+#define DEBUGP printk
127	+#else
128	+#define DEBUGP(format, args...)
129	+#endif
130	+
131	+struct quake3_search quake3s_conntrack = { "****", "getserversResponse", sizeof("getserversResponse") - 1 };
132	+
133	+static int quake3_help(struct sk_buff **pskb,
134	+ struct ip_conntrack *ct,
135	+ enum ip_conntrack_info ctinfo)
136	+{
137	+ struct udphdr _udph, *uh;
138	+ struct ip_conntrack_expect *exp;
139	+ void data, qb_ptr;
140	+ int dir = CTINFO2DIR(ctinfo);
141	+ int i, dataoff;
142	+ int ret = NF_ACCEPT;
143	+
144	+
145	+ /* Until there's been traffic both ways, don't look in packets. note:
146	+ * it's UDP ! */
147	+ if (ctinfo != IP_CT_ESTABLISHED
148	+ && ctinfo != IP_CT_IS_REPLY) {
149	+ DEBUGP("ip_conntrack_quake3: not ok ! Conntrackinfo = %u\n",
150	+ ctinfo);
151	+ return NF_ACCEPT;
152	+ } else {
153	+ DEBUGP("ip_conntrack_quake3: it's ok ! Conntrackinfo = %u\n",
154	+ ctinfo);
155	+ }
156	+
157	+ /* Valid UDP header? */
158	+ uh = skb_header_pointer(pskb, (pskb)->nh.iph->ihl*4,
159	+ sizeof(_udph), &_udph);
160	+ if (!uh)
161	+ return NF_ACCEPT;
162	+
163	+ /* Any data? */
164	+ dataoff = (pskb)->nh.iph->ihl4 + sizeof(struct udphdr);
165	+ if (dataoff >= (*pskb)->len)
166	+ return NF_ACCEPT;
167	+
168	+ LOCK_BH(&quake3_buffer_lock);
169	+ qb_ptr = skb_header_pointer(*pskb, dataoff,
170	+ (*pskb)->len - dataoff, quake3_buffer);
171	+ BUG_ON(qb_ptr == NULL);
172	+ data = qb_ptr;
173	+
174	+
175	+ if (strnicmp(data + 4, quake3s_conntrack.pattern,
176	+ quake3s_conntrack.plen) == 0) {
177	+ for(i=23; /* 4 bytes filler, 18 bytes "getserversResponse",
178	+ 1 byte "\" */
179	+ i+6 < ntohs(uh->len);
180	+ i+=7) {
181	+ u_int32_t *ip = data+i;
182	+ u_int16_t *port = data+i+4;
183	+#if 0
184	+ DEBUGP("ip_conntrack_quake3: adding server at offset "
185	+ "%u/%u %u.%u.%u.%u:%u\n", i, ntohs(uh->len),
186	+ NIPQUAD(ip), ntohs(port));
187	+#endif
188	+
189	+ exp = ip_conntrack_expect_alloc();
190	+ if (!exp) {
191	+ ret = NF_DROP;
192	+ goto out;
193	+ }
194	+
195	+ memset(exp, 0, sizeof(*exp));
196	+
197	+ exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
198	+ exp->tuple.dst.ip = *ip;
199	+ exp->tuple.dst.u.udp.port = *port;
200	+ exp->tuple.dst.protonum = IPPROTO_UDP;
201	+
202	+ exp->mask.src.ip = 0xffffffff;
203	+ exp->mask.dst.ip = 0xffffffff;
204	+ exp->mask.dst.u.udp.port = 0xffff;
205	+ exp->mask.dst.protonum = 0xff;
206	+
207	+ if (ip_nat_quake3_hook)
208	+ ret = ip_nat_quake3_hook(exp);
209	+ else if (ip_conntrack_expect_related(exp) != 0) {
210	+ ip_conntrack_expect_free(exp);
211	+ ret = NF_DROP;
212	+ }
213	+ goto out;
214	+ }
215	+ }
216	+
217	+out:
218	+ return ret;
219	+}
220	+
221	+static struct ip_conntrack_helper quake3[MAX_PORTS];
222	+static char quake3_names[MAX_PORTS][13]; /* quake3-65535 */
223	+
224	+static void fini(void)
225	+{
226	+ int i;
227	+
228	+ for(i = 0 ; (i < ports_c); i++) {
229	+ DEBUGP("ip_conntrack_quake3: unregistering helper for port %d\n",
230	+ ports[i]);
231	+ ip_conntrack_helper_unregister(&quake3[i]);
232	+ }
233	+}
234	+
235	+static int __init init(void)
236	+{
237	+ int i, ret;
238	+ char *tmpname;
239	+
240	+ if(!ports[0])
241	+ ports[0]=QUAKE3_MASTER_PORT;
242	+
243	+ for(i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
244	+ /* Create helper structure */
245	+ memset(&quake3[i], 0, sizeof(struct ip_conntrack_helper));
246	+
247	+ quake3[i].tuple.dst.protonum = IPPROTO_UDP;
248	+ quake3[i].tuple.src.u.udp.port = htons(ports[i]);
249	+ quake3[i].mask.dst.protonum = 0xFF;
250	+ quake3[i].mask.src.u.udp.port = 0xFFFF;
251	+ quake3[i].help = quake3_help;
252	+ quake3[i].me = THIS_MODULE;
253	+ quake3[i].timeout = 120;
254	+
255	+ tmpname = &quake3_names[i][0];
256	+ if (ports[i] == QUAKE3_MASTER_PORT)
257	+ sprintf(tmpname, "quake3");
258	+ else
259	+ sprintf(tmpname, "quake3-%d", i);
260	+ quake3[i].name = tmpname;
261	+
262	+ DEBUGP("ip_conntrack_quake3: registering helper for port %d\n",
263	+ ports[i]);
264	+
265	+ ret=ip_conntrack_helper_register(&quake3[i]);
266	+ if(ret) {
267	+ fini();
268	+ return(ret);
269	+ }
270	+ ports_c++;
271	+ }
272	+
273	+ return(0);
274	+}
275	+
276	+module_init(init);
277	+module_exit(fini);
278	diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_nat_quake3.c linux-2.6.19/net/ipv4/netfilter/ip_nat_quake3.c
279	--- linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_nat_quake3.c 1970-01-01 01:00:00.000000000 +0100
280	+++ linux-2.6.19/net/ipv4/netfilter/ip_nat_quake3.c 2006-12-14 11:21:52.000000000 +0100
281	@@ -0,0 +1,97 @@
282	+/* Quake3 extension for UDP NAT alteration.
283	+ * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be>
284	+ * (C) 2005 by Harald Welte <laforge@netfilter.org>
285	+ * based on ip_nat_ftp.c and ip_nat_tftp.c
286	+ *
287	+ * ip_nat_quake3.c v0.0.3 2002-08-31
288	+ *
289	+ * This program is free software; you can redistribute it and/or
290	+ * modify it under the terms of the GNU General Public License
291	+ * as published by the Free Software Foundation; either version
292	+ * 2 of the License, or (at your option) any later version.
293	+ *
294	+ * Module load syntax:
295	+ * insmod ip_nat_quake3.o ports=port1,port2,...port<MAX_PORTS>
296	+ *
297	+ * please give the ports of all Quake3 master servers You wish to
298	+ * connect to. If you don't specify ports, the default will be UDP
299	+ * port 27950.
300	+ *
301	+ * Thanks to the Ethereal folks for their analysis of the Quake3 protocol.
302	+ *
303	+ * Notes:
304	+ * - If you're one of those people who would try anything to lower
305	+ * latency while playing Quake (and who isn't :-) ), you may want to
306	+ * consider not loading ip_nat_quake3 at all and just MASQUERADE all
307	+ * outgoing UDP traffic.
308	+ * This will make ip_conntrack_quake3 add the necessary expectations,
309	+ * but there will be no overhead for client->server UDP streams. If
310	+ * ip_nat_quake3 is loaded, quake3_nat_expected will be called per NAT
311	+ * hook for every packet in the client->server UDP stream.
312	+ * - Only SNAT/MASQUEARDE targets are useful for ip_nat_quake3.
313	+ * The IP addresses in the master connection payload (=IP addresses
314	+ * of Quake servers) have no relation with the master server so
315	+ * DNAT'ing the master connection to a server should not change the
316	+ * expected connections.
317	+ * - Not tested due to lack of equipment:
318	+ * - multiple Quake3 clients behind one MASQUERADE gateway
319	+ * - what if Quake3 client is running on router too
320	+ */
321	+
322	+#include <linux/module.h>
323	+#include <linux/netfilter_ipv4.h>
324	+#include <linux/ip.h>
325	+#include <linux/udp.h>
326	+
327	+#include <linux/netfilter.h>
328	+#include <linux/netfilter_ipv4/ip_tables.h>
329	+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
330	+#include <linux/netfilter_ipv4/ip_conntrack_quake3.h>
331	+#include <linux/netfilter_ipv4/ip_nat_helper.h>
332	+
333	+MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>");
334	+MODULE_DESCRIPTION("Netfilter NAT helper for Quake III Arena");
335	+MODULE_LICENSE("GPL");
336	+
337	+/* Quake3 master server reply will add > 100 expectations per reply packet; when
338	+ doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */
339	+#if 0
340	+#define DEBUGP printk
341	+#else
342	+#define DEBUGP(format, args...)
343	+#endif
344	+
345	+static unsigned int
346	+quake3_nat_help(struct ip_conntrack_expect *exp)
347	+{
348	+ struct ip_conntrack *ct = exp->master;
349	+
350	+ /* What is this? Why don't we try to alter the port? -HW */
351	+ exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
352	+ exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
353	+ exp->expectfn = ip_nat_follow_master;
354	+ //exp->dir = !dir;
355	+
356	+ if (ip_conntrack_expect_related(exp) != 0) {
357	+ ip_conntrack_expect_free(exp);
358	+ return NF_DROP;
359	+ }
360	+
361	+ return NF_ACCEPT;
362	+}
363	+
364	+static void fini(void)
365	+{
366	+ ip_nat_quake3_hook = NULL;
367	+ synchronize_net();
368	+}
369	+
370	+static int __init init(void)
371	+{
372	+ BUG_ON(ip_nat_quake3_hook);
373	+ ip_nat_quake3_hook = quake3_nat_help;
374	+ return 0;
375	+}
376	+
377	+module_init(init);
378	+module_exit(fini);