1 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
2 --- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h Mon Sep 8 19:50:18 2003
3 +++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h Tue Sep 23 12:56:40 2003
8 +/* This is optimized opposed to a memset of the whole structure. Everything we
9 + * really care about is the source/destination unions */
10 +#define IP_CT_TUPLE_BLANK(tuple) \
12 + (tuple)->src.u.all = 0; \
13 + (tuple)->dst.u.all = 0; \
19 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h
20 --- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h Thu Jan 1 00:00:00 1970
21 +++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h Tue Sep 23 12:56:47 2003
23 +/* iptables module for matching the SCTP header
25 + * (C) 2003 Harald Welte <laforge@gnumonks.org>
27 + * This software is distributed under GNU GPL v2, 1991
34 +struct ipt_sctp_info {
35 + u_int16_t spts[2]; /* Souce port range */
36 + u_int16_t dpts[2]; /* Destination port range */
37 + u_int32_t chunks; /* chunks to be matched */
38 + u_int32_t chunk_mask; /* chunk mask to be matched */
39 + u_int8_t invflags; /* Inverse flags */
42 +#define IPT_SCTP_INV_SRCPT 0x01 /* Invert the sense of source ports */
43 +#define IPT_SCTP_INV_DSTPT 0x02 /* Invert the sense of dest ports */
44 +#define IPT_SCTP_INV_CHUNKS 0x03 /* Invert the sense of chunks */
45 +#define IPT_SCTP_INV_MASK 0x03 /* All possible flags */
47 +#endif /* _IPT_SCTP_H */
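Review bot: `IPT_SCTP_INV_CHUNKS` is defined as 0x03, which is exactly `IPT_SCTP_INV_SRCPT | IPT_SCTP_INV_DSTPT`, so a rule that inverts the chunk match is indistinguishable from one that inverts both port ranges, and `IPT_SCTP_INV_MASK` (also 0x03) reserves no bit for it at all. The next free bit is the obvious fix: `#define IPT_SCTP_INV_CHUNKS 0x04` and `#define IPT_SCTP_INV_MASK 0x07`. As far as the visible lines of match() in ipt_sctp.c show, only IPT_SCTP_INV_SRCPT and IPT_SCTP_INV_DSTPT are ever tested, so whichever value is chosen the chunk inversion is presumably never applied — worth confirming in the lines not shown. The comment on `spts` also reads `Souce` for `Source`.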
48 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig linux-2.6.0-test5/net/ipv4/netfilter/Kconfig
49 --- linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig Mon Sep 8 19:50:21 2003
50 +++ linux-2.6.0-test5/net/ipv4/netfilter/Kconfig Tue Sep 23 12:56:47 2003
52 If you want to compile it as a module, say M here and read
53 Documentation/modules.txt. If unsure, say `N'.
55 +config IP_NF_MATCH_SCTP
56 + tristate "SCTP match support"
57 + depends on IP_NF_IPTABLES
59 + This match allows iptables to match on the SCTP header.
61 + If you want to compile it as a module, say M here and read
62 + <file:Documentation/modules.txt>. If unsure, say `N'.
64 config IP_NF_MATCH_LENGTH
65 tristate "LENGTH match support"
66 depends on IP_NF_IPTABLES
67 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile linux-2.6.0-test5/net/ipv4/netfilter/Makefile
68 --- linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile Mon Sep 8 19:49:57 2003
69 +++ linux-2.6.0-test5/net/ipv4/netfilter/Makefile Tue Sep 23 12:56:48 2003
71 obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
74 +obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
75 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
76 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
77 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
78 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c
79 --- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c Mon Sep 8 19:49:50 2003
80 +++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c Tue Sep 23 12:56:40 2003
82 #include <linux/slab.h>
83 #include <linux/random.h>
84 #include <linux/jhash.h>
85 -/* For ERR_PTR(). Yeah, I know... --RR */
86 -#include <linux/fs.h>
87 +#include <linux/err.h>
89 /* This rwlock protects the main hash table, protocol/helper/expected
90 registrations, conntrack timers*/
91 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c
92 --- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c Mon Sep 8 19:50:01 2003
93 +++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c Tue Sep 23 12:56:33 2003
96 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
97 /* Create helper structure */
98 - memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
100 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
101 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
102 tftp[i].mask.dst.protonum = 0xFFFF;
103 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c
104 --- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c Tue Sep 23 12:09:22 2003
105 +++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c Tue Sep 23 12:56:33 2003
107 struct ip_nat_helper *hlpr;
109 hlpr = &ip_nat_amanda_helper;
110 - memset(hlpr, 0, sizeof(struct ip_nat_helper));
112 hlpr->tuple.dst.protonum = IPPROTO_UDP;
113 hlpr->tuple.src.u.udp.port = htons(10080);
114 hlpr->mask.src.u.udp.port = 0xFFFF;
115 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c
116 --- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c Tue Sep 23 12:09:22 2003
117 +++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c Tue Sep 23 12:56:33 2003
119 ports[0] = TFTP_PORT;
121 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
122 - memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
124 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
125 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
126 tftp[i].mask.dst.protonum = 0xFFFF;
127 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c
128 --- linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c Thu Jan 1 00:00:00 1970
129 +++ linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c Tue Sep 23 12:56:47 2003
131 +/* IP tables module for matching the SCTP header
133 + * $ipt_sctp.c,v 1.3 2002/05/29 15:09:00 laforge Exp$
135 + * (C) 2003 by Harald Welte <laforge@gnumonks.org>
137 + * This software is distributed under the terms GNU GPL v2
140 +#include <linux/module.h>
141 +#include <linux/skbuff.h>
142 +#include <linux/sctp.h>
144 +#include <linux/netfilter_ipv4/ip_tables.h>
145 +#include <linux/netfilter_ipv4/ipt_sctp.h>
147 +MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
148 +MODULE_DESCRIPTION("IP tables SCTP matching module");
149 +MODULE_LICENSE("GPL");
151 +/* Returns 1 if the port is matched by the range, 0 otherwise */
153 +port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
157 + ret = (port >= min && port <= max) ^ invert;
161 +static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
163 + sctp_chunkhdr_t *ch = (sctp_chunkhdr_t *) skb->data;
165 + u_int32_t chunks_present = 0;
169 + ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length));
172 + chunks_present |= (1 << ch_type);
173 + else if (ch->type == SCTP_CID_ASCONF)
174 + chunks_present |= (1 << 31);
175 + else if (ch->type == SCTP_CID_ASCONF_ACK)
176 + chunks_present |= (1 << 30);
178 + ch = (sctp_chunkhdr_t *) ch_end;
179 + } while (ch_end < skb->tail);
181 + return ((chunks_present& chunk_mask) == chunks);
184 +static int match(const struct sk_buff *skb, const struct net_device *in,
185 + const struct net_device *out, const void *matchinfo,
186 + int offset, const void *hdr, u_int16_t datalen,
189 + const struct ipt_sctp_info *info = matchinfo;
190 + const struct iphdr *iph = skb->nh.iph;
191 + const struct sctphdr *sh = (struct sctphdr *) skb->h.raw;
193 + if (iph->protocol != IPPROTO_SCTP)
197 + duprintf("Dropping evil SCTP offset=1 frag.\n");
200 + } else if (offset == 0 && datalen < sizeof(struct sctphdr)) {
201 + /* We've been askd o examine this packet, and we can't.
202 + * Hence, no choice but to drop. */
203 + duprintf("Dropping evil SCTP offset=0 tinygram.\n");
209 + && port_match(info->spts[0], info->spts[1],
211 + !!(info->invflags & IPT_SCTP_INV_SRCPT))
212 + && port_match(info->dpts[0], info->dpts[1],
214 + !!(info->invflags & IPT_SCTP_INV_DSTPT))
215 + && chunk_match(skb, info->chunks, info->chunk_mask)
219 +static int checkentry(const char *tablename, const struct ipt_ip *ip,
220 + void *matchinfo, unsigned int matchsize,
221 + unsigned int hook_mask)
223 + const struct ipt_sctp_info *info = matchinfo;
225 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_sctp_info)))
228 + if (ip->proto != IPPROTO_SCTP && !(ip->invflags & IPT_INV_PROTO))
231 + if !(info->invflags & ~IPT_SCTP_INV_MASK)
237 +static struct ipt_match sctp_match = {
240 + .checkentry = &checkentry,
244 +static int __init init(void)
246 + return ipt_register_match(&sctp_match);
249 +static void __exit fini(void)
251 + ipt_unregister_match(&sctp_match);
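Review bot: chunk_match trusts the chunk length it reads from the packet: `ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length))` makes no progress when the length is zero, so `do { … } while (ch_end < skb->tail)` never terminates, and `ch->type`/`ch->length` are read before anything confirms that a full `sctp_chunkhdr_t` lies before `skb->tail`. Both are reachable from any packet a rule using this match inspects; the rewrite below checks that a header fits before it is read and stops (returning 0, i.e. no match) on a non-advancing length. Separately, the walk starts at `skb->data` while match() takes the SCTP header from `skb->h.raw` — if skb->data still points at the IP header at these hooks, the first "chunk" is parsed from the wrong offset and `skb->h.raw + sizeof(struct sctphdr)` looks like the intended start, so please confirm which pointer is valid here. In checkentry, `if !(info->invflags & ~IPT_SCTP_INV_MASK)` is not valid C (the condition needs parentheses) and the leading `!` reads inverted, since unknown flag bits are what should fail the check: `if (info->invflags & ~IPT_SCTP_INV_MASK)`; the statement it guards is not among the visible lines. The bodies of chunk_match, match and checkentry are only partly shown in this hunk.
```c
	/* Need a full chunk header before touching ch->type / ch->length. */
	if ((u_int8_t *) ch + sizeof(sctp_chunkhdr_t) > skb->tail)
		return 0;
	do {
		/* … unchanged: ch_type read … */
		ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length));
		/* A zero length never advances ch; refuse it instead of spinning. */
		if (ch_end <= (u_int8_t *) ch)
			return 0;
		/* … unchanged: chunk type bookkeeping … */
		ch = (sctp_chunkhdr_t *) ch_end;
	} while (ch_end + sizeof(sctp_chunkhdr_t) <= skb->tail);
```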
256 diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/netfilter-patch-o-matic/patches linux-2.6.0-test5/netfilter-patch-o-matic/patches
257 --- linux-2.6.0-test5.org/netfilter-patch-o-matic/patches Thu Jan 1 00:00:00 1970
258 +++ linux-2.6.0-test5/netfilter-patch-o-matic/patches Tue Sep 23 12:57:25 2003
260 +./base/01_sctp_match.patch
261 +./pending/23_REJECT-headroom-tcprst.patch
262 +./pending/24_rcu.patch
263 +./pending/25-err-ptr.patch
264 +./pending/26-memsets.patch
265 +./pending/27_getorigdst-tuple-zero.patch
266 +./submitted/02_REJECT-headroom-tcprst.patch
267 +./submitted/03_260t4-mirror-remove.patch
268 +./submitted/04_260t4-unclean-remove.patch
269 +./submitted/05_260t4-unexperimental.patch
270 +./submitted/06_260t4-cosmetic.patch
271 +./submitted/07_260t4-newmodules_iprange_SAME_NETMAP_CLASSIFY.patch
272 +./submitted/08_260t4_ipt-helper-kconfig.patch
273 +./submitted/09_260t4-cosmetic-physdev-author.patch