1 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
2 --- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h Mon Sep 8 19:50:18 2003
3 +++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h Tue Sep 23 12:56:40 2003
8 +/* This is optimized opposed to a memset of the whole structure. Everything we
9 + * really care about is the source/destination unions */
10 +#define IP_CT_TUPLE_BLANK(tuple) \
12 + (tuple)->src.u.all = 0; \
13 + (tuple)->dst.u.all = 0; \
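Review bot: The comment on IP_CT_TUPLE_BLANK says what is zeroed but not what is left untouched. Only `src.u.all` and `dst.u.all` are visibly cleared, so `src.ip`, `dst.ip`, `dst.protonum` and any padding keep whatever was in memory until the caller assigns them. I would extend the comment with something like `/* Caller must still set src.ip, dst.ip and dst.protonum before the tuple is hashed or compared. */`, which is what the hunk at `@@ -1276` in ip_conntrack_core.c does by hand. The macro also expands `tuple` more than once, so the comment should state that the argument must be free of side effects. Some lines of the macro are not shown on this page, so whether it is wrapped in `do { ... } while (0)` could not be checked.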
19 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h
20 --- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h Thu Jan 1 00:00:00 1970
21 +++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h Tue Sep 23 12:56:47 2003
23 +/* iptables module for matching the SCTP header
25 + * (C) 2003 Harald Welte <laforge@gnumonks.org>
27 + * This software is distributed under GNU GPL v2, 1991
34 +struct ipt_sctp_info {
35 + u_int16_t spts[2]; /* Souce port range */
36 + u_int16_t dpts[2]; /* Destination port range */
37 + u_int32_t chunks; /* chunks to be matched */
38 + u_int32_t chunk_mask; /* chunk mask to be matched */
39 + u_int8_t invflags; /* Inverse flags */
42 +#define IPT_SCTP_INV_SRCPT 0x01 /* Invert the sense of source ports */
43 +#define IPT_SCTP_INV_DSTPT 0x02 /* Invert the sense of dest ports */
44 +#define IPT_SCTP_INV_CHUNKS 0x03 /* Invert the sense of chunks */
45 +#define IPT_SCTP_INV_MASK 0x03 /* All possible flags */
47 +#endif /* _IPT_SCTP_H */
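Review bot: `IPT_SCTP_INV_CHUNKS` is defined as `0x03`, which is the OR of `IPT_SCTP_INV_SRCPT` (0x01) and `IPT_SCTP_INV_DSTPT` (0x02), so a rule that inverts the chunk match cannot be told apart from one that inverts both port ranges. It should be a bit of its own with the mask widened to match: `#define IPT_SCTP_INV_CHUNKS 0x04` and `#define IPT_SCTP_INV_MASK 0x07`. The visible match() lines in ipt_sctp.c also call chunk_match() without consulting this flag, so the inversion appears to have no effect yet. Minor: the comment on `spts` reads "Souce port range".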
48 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig linux-2.6.0-test5/net/ipv4/netfilter/Kconfig
49 --- linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig Mon Sep 8 19:50:21 2003
50 +++ linux-2.6.0-test5/net/ipv4/netfilter/Kconfig Tue Sep 23 12:56:47 2003
52 If you want to compile it as a module, say M here and read
53 Documentation/modules.txt. If unsure, say `N'.
55 +config IP_NF_MATCH_SCTP
56 + tristate "SCTP match support"
57 + depends on IP_NF_IPTABLES
59 + This match allows iptables to match on the SCTP header.
61 + If you want to compile it as a module, say M here and read
62 + <file:Documentation/modules.txt>. If unsure, say `N'.
64 config IP_NF_MATCH_LENGTH
65 tristate "LENGTH match support"
66 depends on IP_NF_IPTABLES
67 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile linux-2.6.0-test5/net/ipv4/netfilter/Makefile
68 --- linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile Mon Sep 8 19:49:57 2003
69 +++ linux-2.6.0-test5/net/ipv4/netfilter/Makefile Tue Sep 23 12:56:48 2003
71 obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
74 +obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
75 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
76 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
77 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
78 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c
79 --- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c Mon Sep 8 19:49:50 2003
80 +++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c Tue Sep 23 12:56:40 2003
82 #include <linux/slab.h>
83 #include <linux/random.h>
84 #include <linux/jhash.h>
85 -/* For ERR_PTR(). Yeah, I know... --RR */
86 -#include <linux/fs.h>
87 +#include <linux/err.h>
89 /* This rwlock protects the main hash table, protocol/helper/expected
90 registrations, conntrack timers*/
91 @@ -1276,11 +1275,14 @@
93 struct inet_opt *inet = inet_sk(sk);
94 struct ip_conntrack_tuple_hash *h;
95 - struct ip_conntrack_tuple tuple = { { inet->rcv_saddr,
96 - { .tcp = { inet->sport } } },
98 - { .tcp = { inet->dport } },
100 + struct ip_conntrack_tuple tuple;
102 + IP_CT_TUPLE_BLANK(&tuple);
103 + tuple.src.ip = inet->rcv_saddr;
104 + tuple.src.u.tcp.port = inet->sport;
105 + tuple.dst.ip = inet->daddr;
106 + tuple.dst.u.tcp.port = inet->dport;
107 + tuple.dst.protonum = IPPROTO_TCP;
109 /* We only do TCP at the moment: is there a better way? */
110 if (strcmp(sk->sk_prot->name, "TCP")) {
111 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c
112 --- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c Mon Sep 8 19:50:01 2003
113 +++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c Tue Sep 23 12:56:33 2003
116 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
117 /* Create helper structure */
118 - memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
120 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
121 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
122 tftp[i].mask.dst.protonum = 0xFFFF;
123 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c
124 --- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c Tue Sep 23 12:09:22 2003
125 +++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c Tue Sep 23 12:56:33 2003
127 struct ip_nat_helper *hlpr;
129 hlpr = &ip_nat_amanda_helper;
130 - memset(hlpr, 0, sizeof(struct ip_nat_helper));
132 hlpr->tuple.dst.protonum = IPPROTO_UDP;
133 hlpr->tuple.src.u.udp.port = htons(10080);
134 hlpr->mask.src.u.udp.port = 0xFFFF;
135 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c
136 --- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c Tue Sep 23 12:09:22 2003
137 +++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c Tue Sep 23 12:56:33 2003
139 ports[0] = TFTP_PORT;
141 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
142 - memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
144 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
145 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
146 tftp[i].mask.dst.protonum = 0xFFFF;
147 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c
148 --- linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c Thu Jan 1 00:00:00 1970
149 +++ linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c Tue Sep 23 12:56:47 2003
151 +/* IP tables module for matching the SCTP header
153 + * $ipt_sctp.c,v 1.3 2002/05/29 15:09:00 laforge Exp$
155 + * (C) 2003 by Harald Welte <laforge@gnumonks.org>
157 + * This software is distributed under the terms GNU GPL v2
160 +#include <linux/module.h>
161 +#include <linux/skbuff.h>
162 +#include <linux/sctp.h>
164 +#include <linux/netfilter_ipv4/ip_tables.h>
165 +#include <linux/netfilter_ipv4/ipt_sctp.h>
167 +MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
168 +MODULE_DESCRIPTION("IP tables SCTP matching module");
169 +MODULE_LICENSE("GPL");
171 +/* Returns 1 if the port is matched by the range, 0 otherwise */
173 +port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
177 + ret = (port >= min && port <= max) ^ invert;
181 +static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
183 + sctp_chunkhdr_t *ch = (sctp_chunkhdr_t *) skb->data;
185 + u_int32_t chunks_present = 0;
189 + ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length));
192 + chunks_present |= (1 << ch_type);
193 + else if (ch->type == SCTP_CID_ASCONF)
194 + chunks_present |= (1 << 31);
195 + else if (ch->type == SCTP_CID_ASCONF_ACK)
196 + chunks_present |= (1 << 30);
198 + ch = (sctp_chunkhdr_t *) ch_end;
199 + } while (ch_end < skb->tail);
201 + return ((chunks_present& chunk_mask) == chunks);
204 +static int match(const struct sk_buff *skb, const struct net_device *in,
205 + const struct net_device *out, const void *matchinfo,
206 + int offset, const void *hdr, u_int16_t datalen,
209 + const struct ipt_sctp_info *info = matchinfo;
210 + const struct iphdr *iph = skb->nh.iph;
211 + const struct sctphdr *sh = (struct sctphdr *) skb->h.raw;
213 + if (iph->protocol != IPPROTO_SCTP)
217 + duprintf("Dropping evil SCTP offset=1 frag.\n");
220 + } else if (offset == 0 && datalen < sizeof(struct sctphdr)) {
221 + /* We've been askd o examine this packet, and we can't.
222 + * Hence, no choice but to drop. */
223 + duprintf("Dropping evil SCTP offset=0 tinygram.\n");
229 + && port_match(info->spts[0], info->spts[1],
231 + !!(info->invflags & IPT_SCTP_INV_SRCPT))
232 + && port_match(info->dpts[0], info->dpts[1],
234 + !!(info->invflags & IPT_SCTP_INV_DSTPT))
235 + && chunk_match(skb, info->chunks, info->chunk_mask)
239 +static int checkentry(const char *tablename, const struct ipt_ip *ip,
240 + void *matchinfo, unsigned int matchsize,
241 + unsigned int hook_mask)
243 + const struct ipt_sctp_info *info = matchinfo;
245 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_sctp_info)))
248 + if (ip->proto != IPPROTO_SCTP && !(ip->invflags & IPT_INV_PROTO))
251 + if !(info->invflags & ~IPT_SCTP_INV_MASK)
257 +static struct ipt_match sctp_match = {
260 + .checkentry = &checkentry,
264 +static int __init init(void)
266 + return ipt_register_match(&sctp_match);
269 +static void __exit fini(void)
271 + ipt_unregister_match(&sctp_match);
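Review bot: chunk_match() advances with `ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length))` and loops `while (ch_end < skb->tail)`, so a chunk whose length field is 0 never moves the pointer and the loop does not terminate. The header at `ch` is also read before anything checks that it lies below `skb->tail`. The walk should confirm that a full chunk header fits, reject a length smaller than the header or larger than the remaining data, and only then advance, as sketched below. Whether a malformed chunk should mean "no match" or a hot drop is a policy choice for the author, and whether `skb->data` really points at the first chunk header is not visible here and should be confirmed. Separately, `if !(info->invflags & ~IPT_SCTP_INV_MASK)` in checkentry() lacks the outer parentheses and will not compile; several lines of this file are missing from the page, so unchanged parts are summarised as comments.

```c
static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
	/* ... unchanged: declarations of ch, chunks_present ... */

	/* Only look at a chunk header that lies entirely inside the buffer. */
	while ((u_int8_t *) ch + sizeof(*ch) <= skb->tail) {
		unsigned int len = WORD_ROUND(ntohs(ch->length));

		/* A length below the header size would stall the walk; a length
		 * past the end of the data would carry it out of bounds. */
		if (len < sizeof(*ch)
		    || len > (unsigned int)(skb->tail - (u_int8_t *) ch))
			return 0;

		/* ... unchanged: chunks_present bit updates for ch->type ... */

		ch = (sctp_chunkhdr_t *) ((u_int8_t *) ch + len);
	}

	return ((chunks_present & chunk_mask) == chunks);
```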
276 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/netfilter-patch-o-matic/patches linux-2.6.0-test5/netfilter-patch-o-matic/patches
277 --- linux-2.6.0-test5.org/netfilter-patch-o-matic/patches Thu Jan 1 00:00:00 1970
278 +++ linux-2.6.0-test5/netfilter-patch-o-matic/patches Tue Sep 23 12:57:25 2003
280 +./base/01_sctp_match.patch
281 +./pending/23_REJECT-headroom-tcprst.patch
282 +./pending/24_rcu.patch
283 +./pending/25-err-ptr.patch
284 +./pending/26-memsets.patch
285 +./pending/27_getorigdst-tuple-zero.patch
286 +./submitted/02_REJECT-headroom-tcprst.patch
287 +./submitted/03_260t4-mirror-remove.patch
288 +./submitted/04_260t4-unclean-remove.patch
289 +./submitted/05_260t4-unexperimental.patch
290 +./submitted/06_260t4-cosmetic.patch
291 +./submitted/07_260t4-newmodules_iprange_SAME_NETMAP_CLASSIFY.patch
292 +./submitted/08_260t4_ipt-helper-kconfig.patch
293 +./submitted/09_260t4-cosmetic-physdev-author.patch