- CSZ scheduler removed from kernel tree.

[packages/kernel.git] / 2.6.0-t5-netfilter-1.2.8_20030923.patch

diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
--- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h     Mon Sep  8 19:50:18 2003
+++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h Tue Sep 23 12:56:40 2003
@@ -62,6 +62,14 @@
        } dst;
 };
 
+/* This is optimized opposed to a memset of the whole structure.  Everything we
+ * really care about is the  source/destination unions */
+#define IP_CT_TUPLE_BLANK(tuple)                               \
+       do {                                                    \
+               (tuple)->src.u.all = 0;                         \
+               (tuple)->dst.u.all = 0;                         \
+       } while (0)
+
 enum ip_conntrack_dir
 {
        IP_CT_DIR_ORIGINAL,
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h
--- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h       Thu Jan  1 00:00:00 1970
+++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h   Tue Sep 23 12:56:47 2003
@@ -0,0 +1,25 @@
+/* iptables module for matching the SCTP header
+ *
+ * (C) 2003 Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * $Id$
+ */
+#ifndef _IPT_SCTP_H
+#define _IPT_SCTP_H
+
+struct ipt_sctp_info {
+       u_int16_t spts[2];                      /* Souce port range */
+       u_int16_t dpts[2];                      /* Destination port range */
+       u_int32_t chunks;                       /* chunks to be matched */
+       u_int32_t chunk_mask;                   /* chunk mask to be matched */
+       u_int8_t invflags;                      /* Inverse flags */
+};
+
+#define IPT_SCTP_INV_SRCPT     0x01    /* Invert the sense of source ports */
+#define IPT_SCTP_INV_DSTPT     0x02    /* Invert the sense of dest ports */
+#define IPT_SCTP_INV_CHUNKS    0x03    /* Invert the sense of chunks */
+#define IPT_SCTP_INV_MASK      0x03    /* All possible flags */
+
+#endif /* _IPT_SCTP_H */
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig linux-2.6.0-test5/net/ipv4/netfilter/Kconfig
--- linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig    Mon Sep  8 19:50:21 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/Kconfig        Tue Sep 23 12:56:47 2003
@@ -215,6 +215,15 @@
          If you want to compile it as a module, say M here and read
          Documentation/modules.txt.  If unsure, say `N'.
 
+config IP_NF_MATCH_SCTP
+       tristate "SCTP match support"
+       depends on IP_NF_IPTABLES
+       help
+         This match allows iptables to match on the SCTP header.
+
+         If you want to compile it as a module, say M here and read
+         <file:Documentation/modules.txt>. If unsure, say `N'.
+
 config IP_NF_MATCH_LENGTH
        tristate "LENGTH match support"
        depends on IP_NF_IPTABLES
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile linux-2.6.0-test5/net/ipv4/netfilter/Makefile
--- linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile   Mon Sep  8 19:49:57 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/Makefile       Tue Sep 23 12:56:48 2003
@@ -40,6 +40,7 @@
 obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
 
 # matches
+obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c        Mon Sep  8 19:49:50 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c    Tue Sep 23 12:56:40 2003
@@ -29,8 +29,7 @@
 #include <linux/slab.h>
 #include <linux/random.h>
 #include <linux/jhash.h>
-/* For ERR_PTR().  Yeah, I know... --RR */
-#include <linux/fs.h>
+#include <linux/err.h>
 
 /* This rwlock protects the main hash table, protocol/helper/expected
    registrations, conntrack timers*/
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c        Mon Sep  8 19:50:01 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c    Tue Sep 23 12:56:33 2003
@@ -97,8 +97,6 @@
 
        for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
                /* Create helper structure */
-               memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
-
                tftp[i].tuple.dst.protonum = IPPROTO_UDP;
                tftp[i].tuple.src.u.udp.port = htons(ports[i]);
                tftp[i].mask.dst.protonum = 0xFFFF;
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c    Tue Sep 23 12:09:22 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c        Tue Sep 23 12:56:33 2003
@@ -195,8 +195,6 @@
        struct ip_nat_helper *hlpr;
 
        hlpr = &ip_nat_amanda_helper;
-       memset(hlpr, 0, sizeof(struct ip_nat_helper));
-
        hlpr->tuple.dst.protonum = IPPROTO_UDP;
        hlpr->tuple.src.u.udp.port = htons(10080);
        hlpr->mask.src.u.udp.port = 0xFFFF;
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c      Tue Sep 23 12:09:22 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c  Tue Sep 23 12:56:33 2003
@@ -164,8 +164,6 @@
                ports[0] = TFTP_PORT;
 
        for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
-               memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
-
                tftp[i].tuple.dst.protonum = IPPROTO_UDP;
                tftp[i].tuple.src.u.udp.port = htons(ports[i]);
                tftp[i].mask.dst.protonum = 0xFFFF;
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c Thu Jan  1 00:00:00 1970
+++ linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c     Tue Sep 23 12:56:47 2003
@@ -0,0 +1,125 @@
+/* IP tables module for matching the SCTP header
+ *
+ * $ipt_sctp.c,v 1.3 2002/05/29 15:09:00 laforge Exp$
+ *
+ * (C) 2003 by Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under the terms GNU GPL v2
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/sctp.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_sctp.h>
+
+MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
+MODULE_DESCRIPTION("IP tables SCTP matching module");
+MODULE_LICENSE("GPL");
+
+/* Returns 1 if the port is matched by the range, 0 otherwise */
+static inline int
+port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
+{
+       int ret;
+
+       ret = (port >= min && port <= max) ^ invert;
+       return ret;
+}
+
+static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
+{
+       sctp_chunkhdr_t *ch = (sctp_chunkhdr_t *) skb->data;
+
+       u_int32_t chunks_present = 0;
+
+       do {
+               u_int8_t *ch_end;
+               ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length));
+
+               if (ch->type < 32)
+                       chunks_present |= (1 << ch_type);
+               else if (ch->type == SCTP_CID_ASCONF)
+                       chunks_present |= (1 << 31);
+               else if (ch->type == SCTP_CID_ASCONF_ACK)
+                       chunks_present |= (1 << 30);
+
+               ch = (sctp_chunkhdr_t *) ch_end;
+       } while (ch_end < skb->tail);
+
+       return ((chunks_present& chunk_mask) == chunks);
+}
+
+static int match(const struct sk_buff *skb, const struct net_device *in,
+                const struct net_device *out, const void *matchinfo,
+                int offset, const void *hdr, u_int16_t datalen,
+                int *hotdrop)
+{
+       const struct ipt_sctp_info *info = matchinfo;
+       const struct iphdr *iph = skb->nh.iph;
+       const struct sctphdr *sh = (struct sctphdr *) skb->h.raw;
+
+       if (iph->protocol != IPPROTO_SCTP)
+               return 0;
+
+       if (offset == 1) {
+               duprintf("Dropping evil SCTP offset=1 frag.\n");
+               *hotdrop = 1;
+               return 0;
+       } else if (offset == 0 && datalen < sizeof(struct sctphdr)) {
+               /* We've been askd o examine this packet, and we can't.
+                * Hence, no choice but to drop. */
+               duprintf("Dropping evil SCTP offset=0 tinygram.\n");
+               *hotdrop = 1;
+               return 0;
+       }
+
+       return (!offset
+               && port_match(info->spts[0], info->spts[1],
+                             ntohs(sh->source),
+                             !!(info->invflags & IPT_SCTP_INV_SRCPT))
+               && port_match(info->dpts[0], info->dpts[1],
+                             ntohs(sh->dest),
+                             !!(info->invflags & IPT_SCTP_INV_DSTPT))
+               && chunk_match(skb, info->chunks, info->chunk_mask)
+              );
+}
+
+static int checkentry(const char *tablename, const struct ipt_ip *ip,
+                     void *matchinfo, unsigned int matchsize,
+                     unsigned int hook_mask)
+{
+       const struct ipt_sctp_info *info = matchinfo;
+
+       if (matchsize != IPT_ALIGN(sizeof(struct ipt_sctp_info)))
+               return 0;
+
+       if (ip->proto != IPPROTO_SCTP && !(ip->invflags & IPT_INV_PROTO))
+               return 0;
+
+       if !(info->invflags & ~IPT_SCTP_INV_MASK)
+               return 0;
+
+       return 1;
+}
+
+static struct ipt_match sctp_match = {
+       .name           = "sctp",
+       .match          = &match,
+       .checkentry     = &checkentry,
+       .me             = THIS_MODULE,
+};
+
+static int __init init(void)
+{
+       return ipt_register_match(&sctp_match);
+}
+
+static void __exit fini(void)
+{
+       ipt_unregister_match(&sctp_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/netfilter-patch-o-matic/patches linux-2.6.0-test5/netfilter-patch-o-matic/patches
--- linux-2.6.0-test5.org/netfilter-patch-o-matic/patches       Thu Jan  1 00:00:00 1970
+++ linux-2.6.0-test5/netfilter-patch-o-matic/patches   Tue Sep 23 12:57:25 2003
@@ -0,0 +1,14 @@
+./base/01_sctp_match.patch
+./pending/23_REJECT-headroom-tcprst.patch
+./pending/24_rcu.patch
+./pending/25-err-ptr.patch
+./pending/26-memsets.patch
+./pending/27_getorigdst-tuple-zero.patch
+./submitted/02_REJECT-headroom-tcprst.patch
+./submitted/03_260t4-mirror-remove.patch
+./submitted/04_260t4-unclean-remove.patch
+./submitted/05_260t4-unexperimental.patch
+./submitted/06_260t4-cosmetic.patch
+./submitted/07_260t4-newmodules_iprange_SAME_NETMAP_CLASSIFY.patch
+./submitted/08_260t4_ipt-helper-kconfig.patch
+./submitted/09_260t4-cosmetic-physdev-author.patch