1 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter.h linux-2.6.0-test7/include/linux/netfilter.h
2 --- linux-2.6.0-test7.org/include/linux/netfilter.h 2003-10-08 21:24:06.000000000 +0200
3 +++ linux-2.6.0-test7/include/linux/netfilter.h 2003-10-10 11:53:17.000000000 +0200
5 <= 0x2000 is used for protocol-flags. */
6 #define NFC_UNKNOWN 0x4000
7 #define NFC_ALTERED 0x8000
8 +#define NFC_TRACE 0x10000
11 #include <linux/config.h>
14 extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
16 +typedef void nf_logfn(unsigned int hooknum,
17 + const struct sk_buff *skb,
18 + const struct net_device *in,
19 + const struct net_device *out,
20 + const char *prefix);
22 +/* Function to register/unregister log function. */
23 +int nf_log_register(int pf, nf_logfn *logfn);
24 +void nf_log_unregister(int pf, nf_logfn *logfn);
26 +/* Calls the registered backend logging function */
27 +void nf_log_packet(int pf,
28 + unsigned int hooknum,
29 + const struct sk_buff *skb,
30 + const struct net_device *in,
31 + const struct net_device *out,
32 + const char *fmt, ...);
34 /* Activate hook; either okfn or kfree_skb called, unless a hook
35 returns NF_STOLEN (in which case, it's up to the hook to deal with
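Review bot: `nf_log_packet` is declared with a printf-style `fmt, ...` but carries no format attribute, so a caller with a mismatched argument list (the `TRACE: %s/%s/%u` line in ip_tables.c is the first user) gets no compile-time check. Declare it as `void nf_log_packet(int pf, unsigned int hooknum, const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const char *fmt, ...) __attribute__((format(printf, 6, 7)));`, the way printk is annotated. The comment on `nf_log_register` should also state the contract the implementation in net/core/netfilter.c enforces — one backend per protocol family, a second registration is refused while a backend is installed, and `pf` must be a valid index into the per-family table — e.g. `/* Register the single logging backend for pf; refused while one is installed. */`.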
37 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ip_conntrack.h
38 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ip_conntrack.h 2003-10-08 21:24:48.000000000 +0200
39 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ip_conntrack.h 2003-10-10 11:53:17.000000000 +0200
42 extern unsigned int ip_conntrack_htable_size;
44 +/* A fake conntrack entry which never vanishes. */
45 +extern struct ip_conntrack ip_conntrack_untracked;
47 /* eg. PROVIDES_CONNTRACK(ftp); */
48 #define PROVIDES_CONNTRACK(name) \
49 int needs_ip_conntrack_##name; \
50 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ip_tables.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ip_tables.h
51 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ip_tables.h 2003-10-08 21:24:07.000000000 +0200
52 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ip_tables.h 2003-10-10 11:53:17.000000000 +0200
55 unsigned int comefrom;
57 + /* Name of the chain */
60 + /* Rule number in the chain. */
63 /* Packet and byte counters. */
64 struct ipt_counters counters;
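Review bot: The members added to `struct ipt_entry` after `comefrom` (their declaration lines are not shown in this excerpt) are filled in by the kernel, and ip_tables.c assigns a `char *` to `e->chainname` while the ip_nat_rule.c initializers gain a `NULL` member, so the new field appears to be a kernel pointer inside the structure that iptables builds and reads back. That changes the entry layout userspace depends on, and if entries are still copied back wholesale on a get-entries request (not visible here) the stored kernel address is disclosed to userspace, CAP_NET_ADMIN or not. The field is also present, with whatever value userspace supplied, in any entry that `mark_source_chains` does not visit; if such an entry can ever be executed, the `%s` in the trace line dereferences a user-controlled pointer, so the pointer should be cleared for every entry before marking rather than trusted from the copy-in. Either keep only `rulenum` in the entry and resolve the chain name at log time, or document the kernel-only nature of the fields: `/* Kernel-internal: set by mark_source_chains(), never trusted from userspace. */`. The same members are added to `struct ip6t_entry` in ip6_tables.h.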
66 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_ULOG.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_ULOG.h
67 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_ULOG.h 2003-10-08 21:24:04.000000000 +0200
68 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_ULOG.h 2003-10-10 11:52:57.000000000 +0200
70 #define NETLINK_NFLOG 5
73 +#define NFLOG_DEFAULT_NLGROUP 1
74 +#define NFLOG_DEFAULT_QTHRESHOLD 1
76 #define ULOG_MAC_LEN 80
77 #define ULOG_PREFIX_LEN 32
79 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_conntrack.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_conntrack.h
80 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_conntrack.h 2003-10-08 21:24:26.000000000 +0200
81 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_conntrack.h 2003-10-10 11:53:17.000000000 +0200
84 #define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
85 #define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
86 +#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
88 /* flags, invflags: */
89 #define IPT_CONNTRACK_STATE 0x01
90 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_sctp.h
91 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_sctp.h 1970-01-01 01:00:00.000000000 +0100
92 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_sctp.h 2003-10-10 11:53:27.000000000 +0200
94 +/* iptables module for matching the SCTP header
96 + * (C) 2003 Harald Welte <laforge@gnumonks.org>
98 + * This software is distributed under GNU GPL v2, 1991
105 +struct ipt_sctp_info {
106 + u_int16_t spts[2]; /* Souce port range */
107 + u_int16_t dpts[2]; /* Destination port range */
108 + u_int32_t chunks; /* chunks to be matched */
109 + u_int32_t chunk_mask; /* chunk mask to be matched */
110 + u_int8_t invflags; /* Inverse flags */
113 +#define IPT_SCTP_INV_SRCPT 0x01 /* Invert the sense of source ports */
114 +#define IPT_SCTP_INV_DSTPT 0x02 /* Invert the sense of dest ports */
115 +#define IPT_SCTP_INV_CHUNKS 0x03 /* Invert the sense of chunks */
116 +#define IPT_SCTP_INV_MASK 0x03 /* All possible flags */
118 +#endif /* _IPT_SCTP_H */
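Review bot: `IPT_SCTP_INV_CHUNKS` is defined as `0x03`, which is `IPT_SCTP_INV_SRCPT | IPT_SCTP_INV_DSTPT` rather than a bit of its own, so inverting the chunk match is indistinguishable from inverting both port matches, and `IPT_SCTP_INV_MASK` (`0x03`) leaves no room for a third flag. Use a distinct bit: `#define IPT_SCTP_INV_CHUNKS 0x04` and `#define IPT_SCTP_INV_MASK 0x07`. The userspace match module shares this header's values, so both sides must change together. The `spts` comment should read "Source port range".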
119 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_state.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_state.h
120 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_state.h 2003-10-08 21:24:42.000000000 +0200
121 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_state.h 2003-10-10 11:53:17.000000000 +0200
123 #define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
124 #define IPT_STATE_INVALID (1 << 0)
126 +#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
128 struct ipt_state_info
130 unsigned int statemask;
131 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4.h linux-2.6.0-test7/include/linux/netfilter_ipv4.h
132 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4.h 2003-10-08 21:24:32.000000000 +0200
133 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4.h 2003-10-10 11:53:17.000000000 +0200
136 enum nf_ip_hook_priorities {
137 NF_IP_PRI_FIRST = INT_MIN,
138 + NF_IP_PRI_CONNTRACK_DEFRAG = -400,
139 + NF_IP_PRI_RAW = -300,
140 NF_IP_PRI_CONNTRACK = -200,
141 NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
142 NF_IP_PRI_MANGLE = -150,
143 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv6/ip6_tables.h linux-2.6.0-test7/include/linux/netfilter_ipv6/ip6_tables.h
144 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv6/ip6_tables.h 2003-10-08 21:24:51.000000000 +0200
145 +++ linux-2.6.0-test7/include/linux/netfilter_ipv6/ip6_tables.h 2003-10-10 11:53:17.000000000 +0200
148 unsigned int comefrom;
150 + /* Name of the chain */
153 + /* Rule number in the chain. */
156 /* Packet and byte counters. */
157 struct ip6t_counters counters;
159 diff -Nur linux-2.6.0-test7.org/net/core/netfilter.c linux-2.6.0-test7/net/core/netfilter.c
160 --- linux-2.6.0-test7.org/net/core/netfilter.c 2003-10-08 21:24:04.000000000 +0200
161 +++ linux-2.6.0-test7/net/core/netfilter.c 2003-10-10 11:52:57.000000000 +0200
164 * February 2000: Modified by James Morris to have 1 queue per protocol.
165 * 15-Mar-2000: Added NF_REPEAT --RR.
166 + * 08-May-2003: Internal logging interface added by Jozsef Kadlecsik.
168 #include <linux/config.h>
169 +#include <linux/kernel.h>
170 #include <linux/netfilter.h>
171 #include <net/protocol.h>
172 #include <linux/init.h>
174 EXPORT_SYMBOL(skb_ip_make_writable);
175 #endif /*CONFIG_INET*/
177 +/* Internal logging interface, which relies on the real
178 + LOG target modules */
180 +#define NF_LOG_PREFIXLEN 128
182 +static nf_logfn *nf_logging[NPROTO]; /* = NULL */
183 +static int reported = 0;
184 +static spinlock_t nf_log_lock = SPIN_LOCK_UNLOCKED;
186 +int nf_log_register(int pf, nf_logfn *logfn)
190 + /* Any setup of logging members must be done before
191 + * substituting pointer. */
193 + spin_lock(&nf_log_lock);
194 + if (!nf_logging[pf]) {
195 + nf_logging[pf] = logfn;
198 + spin_unlock(&nf_log_lock);
202 +void nf_log_unregister(int pf, nf_logfn *logfn)
204 + spin_lock(&nf_log_lock);
205 + if (nf_logging[pf] == logfn)
206 + nf_logging[pf] = NULL;
207 + spin_unlock(&nf_log_lock);
209 + /* Give time to concurrent readers. */
213 +void nf_log_packet(int pf,
214 + unsigned int hooknum,
215 + const struct sk_buff *skb,
216 + const struct net_device *in,
217 + const struct net_device *out,
218 + const char *fmt, ...)
221 + char prefix[NF_LOG_PREFIXLEN];
225 + logfn = nf_logging[pf];
227 + va_start(args, fmt);
228 + vsnprintf(prefix, sizeof(prefix), fmt, args);
230 + /* We must read logging before nf_logfn[pf] */
231 + smp_read_barrier_depends();
232 + logfn(hooknum, skb, in, out, prefix);
233 + } else if (!reported) {
234 + printk(KERN_WARNING "nf_log_packet: can\'t log yet, "
235 + "no backend logging module loaded in!\n");
241 /* This does not belong here, but ipt_REJECT needs it if connection
242 tracking in use: without this, connection may not be in hash table,
243 and hence manufactured ICMP or RST packets will not be associated
245 EXPORT_SYMBOL(nf_unregister_hook);
246 EXPORT_SYMBOL(nf_unregister_queue_handler);
247 EXPORT_SYMBOL(nf_unregister_sockopt);
248 +EXPORT_SYMBOL(nf_log_register);
249 +EXPORT_SYMBOL(nf_log_unregister);
250 +EXPORT_SYMBOL(nf_log_packet);
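Review bot: `nf_log_register`, `nf_log_unregister` and `nf_log_packet` index `nf_logging[NPROTO]` with the caller-supplied `pf` and never check its range, and all three are exported to modules, so an out-of-range family value reads or writes past the array (under the spinlock in the first two). Add `if (pf < 0 || pf >= NPROTO) return -EINVAL;` at the top of `nf_log_register` and the equivalent early `return;` in the other two. The comment before the barrier, `We must read logging before nf_logfn[pf]`, names a symbol that does not exist; say what the barrier orders instead, e.g. `/* Order the read of nf_logging[pf] before the indirect call through it. */`. The `if (logfn)` test and the matching `va_end(args)` fall in lines omitted from this excerpt; confirm both are present, since `va_start` without `va_end` is undefined behaviour.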
251 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/Kconfig linux-2.6.0-test7/net/ipv4/netfilter/Kconfig
252 --- linux-2.6.0-test7.org/net/ipv4/netfilter/Kconfig 2003-10-08 21:24:27.000000000 +0200
253 +++ linux-2.6.0-test7/net/ipv4/netfilter/Kconfig 2003-10-10 11:53:27.000000000 +0200
256 To compile it as a module, choose M here. If unsure, say N.
258 +config IP_NF_MATCH_SCTP
259 + tristate "SCTP match support"
260 + depends on IP_NF_IPTABLES
262 + This match allows iptables to match on the SCTP header.
264 + If you want to compile it as a module, say M here and read
265 + <file:Documentation/modules.txt>. If unsure, say `N'.
267 config IP_NF_MATCH_LENGTH
268 tristate "LENGTH match support"
269 depends on IP_NF_IPTABLES
272 To compile it as a module, choose M here. If unsure, say N.
275 + tristate "Raw table"
276 + depends on IP_NF_IPTABLES
278 + This option adds a `raw' table to iptables: see the man page for
279 + iptables(8). This table is the very first in the netfilter
280 + framework and hooks in at the PREROUTING and OUTPUT chains.
281 + The TRACE and NOTRACK targets can be used in this table only.
283 + To compile it as a module, choose M here. If unsure, say N.
285 +config IP_NF_TARGET_TRACE
286 + tristate "TRACE target support"
287 + depends on IP_NF_RAW
289 + The TRACE target allows packets to be traced as those matches
290 + any subsequent rule in any table/rule. The matched rule and
291 + the packet is logged with the prefix
293 + TRACE: tablename/chainname/rulenum
295 + if the ipt_LOG or ipt_ULOG targets are loaded in.
297 + To compile it as a module, choose M here. If unsure, say N.
299 +config IP_NF_TARGET_NOTRACK
300 + tristate "NOTRACK target support"
301 + depends on IP_NF_RAW
303 + The NOTRACK target allows a select rule to specify which
304 + packets *not* to enter the conntrack/NAT subsystems
305 + with all the consequences (no ICMP error tracking,
306 + no protocol helpers for the selected packets).
308 + To compile it as a module, choose M here. If unsure, say N.
310 config IP_NF_ARPTABLES
311 tristate "ARP tables support"
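Review bot: The raw-table help text says the table "is the very first in the netfilter framework", but netfilter_ipv4.h in this same patch places `NF_IP_PRI_CONNTRACK_DEFRAG = -400` ahead of `NF_IP_PRI_RAW = -300`, and ip_conntrack_standalone.c registers its defragmentation hook at that priority, so raw runs after reassembly. NOTRACK therefore exempts a packet from connection tracking and NAT but not from defragmentation, which is worth saying because administrators will read "very first" as "before anything touches the packet". Suggested wording: `iptables(8). This table runs before every other table (after fragment reassembly) and hooks in at the PREROUTING and OUTPUT chains.`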
313 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/Makefile linux-2.6.0-test7/net/ipv4/netfilter/Makefile
314 --- linux-2.6.0-test7.org/net/ipv4/netfilter/Makefile 2003-10-08 21:24:02.000000000 +0200
315 +++ linux-2.6.0-test7/net/ipv4/netfilter/Makefile 2003-10-10 11:53:27.000000000 +0200
318 obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
320 -# the three instances of ip_tables
321 +# the four instances of ip_tables
322 obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
323 obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
324 obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
325 +obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
328 +obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
329 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
330 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
331 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
333 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
334 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
335 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
336 +obj-$(CONFIG_IP_NF_TARGET_NOTRACK) += ipt_NOTRACK.o
337 +obj-$(CONFIG_IP_NF_TARGET_TRACE) += ipt_TRACE.o
340 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
341 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_core.c
342 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_core.c 2003-10-08 21:24:00.000000000 +0200
343 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_core.c 2003-10-10 11:53:17.000000000 +0200
345 #include <linux/slab.h>
346 #include <linux/random.h>
347 #include <linux/jhash.h>
348 -/* For ERR_PTR(). Yeah, I know... --RR */
349 -#include <linux/fs.h>
350 +#include <linux/err.h>
352 /* This rwlock protects the main hash table, protocol/helper/expected
353 registrations, conntrack timers*/
355 static atomic_t ip_conntrack_count = ATOMIC_INIT(0);
356 struct list_head *ip_conntrack_hash;
357 static kmem_cache_t *ip_conntrack_cachep;
358 +struct ip_conntrack ip_conntrack_untracked;
360 extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
362 @@ -808,18 +808,10 @@
366 - /* Previously seen (loopback)? Ignore. Do this before
368 + /* Previously seen (loopback or untracked)? Ignore. */
372 - /* Gather fragments. */
373 - if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
374 - *pskb = ip_ct_gather_frags(*pskb);
379 proto = ip_ct_find_proto((*pskb)->nh.iph->protocol);
381 /* It may be an icmp error... */
384 } else if (related_to->helper->max_expected &&
385 related_to->expecting >= related_to->helper->max_expected) {
386 - struct list_head *cur_item;
388 if (!(related_to->helper->flags &
389 IP_CT_HELPER_F_REUSE_EXPECT)) {
390 @@ -978,21 +969,14 @@
391 NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
393 /* choose the the oldest expectation to evict */
394 - list_for_each(cur_item, &related_to->sibling_list) {
395 - struct ip_conntrack_expect *cur;
397 - cur = list_entry(cur_item,
398 - struct ip_conntrack_expect,
400 - if (cur->sibling == NULL) {
402 + list_for_each_entry(old, &related_to->sibling_list,
404 + if (old->sibling == NULL)
409 - /* (!old) cannot happen, since related_to->expecting is the
410 - * number of unconfirmed expects */
412 + /* We cannot fail since related_to->expecting is the number
413 + * of unconfirmed expectations */
414 + IP_NF_ASSERT(old && old->sibling == NULL);
416 /* newnat14 does not reuse the real allocated memory
417 * structures but rather unexpects the old and
418 @@ -1024,7 +1008,7 @@
419 atomic_set(&new->use, 1);
421 /* add to expected list for this connection */
422 - list_add(&new->expected_list, &related_to->sibling_list);
423 + list_add_tail(&new->expected_list, &related_to->sibling_list);
424 /* add to global list of expectations */
425 list_prepend(&ip_conntrack_expect_list, &new->list);
426 /* add and start timer if required */
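Review bot: Switching to `list_add_tail` makes `sibling_list` oldest-first, an ordering the eviction loop in the previous hunk (which now takes the first entry with `sibling == NULL` as the oldest) and the reversed walk `list_for_each_prev` in ip_nat_core.c both depend on, but nothing at the insertion point records it. Add `/* Keep sibling_list oldest-first: expectation eviction takes the head, ip_nat_core.c walks it in reverse. */` above the `list_add_tail` so the two sites are not changed independently.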
427 @@ -1419,6 +1403,15 @@
429 /* For use by ipt_REJECT */
430 ip_ct_attach = ip_conntrack_attach;
432 + /* Set up fake conntrack:
433 + - to never be deleted, not in any hashes */
434 + atomic_set(&ip_conntrack_untracked.ct_general.use, 1);
435 + /* - and look it like as a confirmed connection */
436 + set_bit(IPS_CONFIRMED_BIT, &ip_conntrack_untracked.status);
437 + /* - and prepare the ctinfo field for NAT. */
438 + ip_conntrack_untracked.infos[IP_CT_NEW].master = &ip_conntrack_untracked.ct_general;
443 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_standalone.c
444 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-10-08 21:24:04.000000000 +0200
445 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-10-10 11:53:17.000000000 +0200
447 return ip_conntrack_confirm(*pskb);
450 +static unsigned int ip_conntrack_defrag(unsigned int hooknum,
451 + struct sk_buff **pskb,
452 + const struct net_device *in,
453 + const struct net_device *out,
454 + int (*okfn)(struct sk_buff *))
456 + /* Previously seen (loopback)? Ignore. Do this before
461 + /* Gather fragments. */
462 + if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
463 + *pskb = ip_ct_gather_frags(*pskb);
470 static unsigned int ip_refrag(unsigned int hooknum,
471 struct sk_buff **pskb,
472 const struct net_device *in,
474 return ip_conntrack_in(hooknum, pskb, in, out, okfn);
477 +/* At the very first: defragment */
478 +static struct nf_hook_ops ip_conntrack_defrag_ops = {
479 + .hook = ip_conntrack_defrag,
480 + .owner = THIS_MODULE,
482 + .hooknum = NF_IP_PRE_ROUTING,
483 + .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
486 /* Connection tracking may drop packets, but never alters them, so
487 make it the first hook. */
488 static struct nf_hook_ops ip_conntrack_in_ops = {
489 @@ -367,10 +396,15 @@
490 if (!proc) goto cleanup_init;
491 proc->owner = THIS_MODULE;
493 + ret = nf_register_hook(&ip_conntrack_defrag_ops);
495 + printk("ip_conntrack: can't register pre-routing hook to defrag.\n");
498 ret = nf_register_hook(&ip_conntrack_in_ops);
500 printk("ip_conntrack: can't register pre-routing hook.\n");
502 + goto cleanup_defragops;
504 ret = nf_register_hook(&ip_conntrack_local_out_ops);
507 nf_unregister_hook(&ip_conntrack_local_out_ops);
509 nf_unregister_hook(&ip_conntrack_in_ops);
511 + nf_unregister_hook(&ip_conntrack_defrag_ops);
513 proc_net_remove("ip_conntrack");
516 EXPORT_SYMBOL(ip_conntrack_expect_list);
517 EXPORT_SYMBOL(ip_conntrack_lock);
518 EXPORT_SYMBOL(ip_conntrack_hash);
519 +EXPORT_SYMBOL(ip_conntrack_untracked);
520 EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
521 EXPORT_SYMBOL_GPL(ip_conntrack_put);
522 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_tftp.c
523 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_tftp.c 2003-10-08 21:24:03.000000000 +0200
524 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_tftp.c 2003-10-10 11:52:47.000000000 +0200
527 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
528 /* Create helper structure */
529 - memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
531 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
532 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
533 tftp[i].mask.dst.protonum = 0xFFFF;
534 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_amanda.c linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_amanda.c
535 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_amanda.c 2003-10-08 21:24:02.000000000 +0200
536 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_amanda.c 2003-10-10 11:52:47.000000000 +0200
538 struct ip_nat_helper *hlpr;
540 hlpr = &ip_nat_amanda_helper;
541 - memset(hlpr, 0, sizeof(struct ip_nat_helper));
543 hlpr->tuple.dst.protonum = IPPROTO_UDP;
544 hlpr->tuple.src.u.udp.port = htons(10080);
545 hlpr->mask.src.u.udp.port = 0xFFFF;
546 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_core.c linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_core.c
547 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_core.c 2003-10-08 21:24:02.000000000 +0200
548 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_core.c 2003-10-10 11:53:17.000000000 +0200
551 /* Have to grab read lock before sibling_list traversal */
552 READ_LOCK(&ip_conntrack_lock);
553 - list_for_each(cur_item, &ct->sibling_list) {
554 + list_for_each_prev(cur_item, &ct->sibling_list) {
555 exp = list_entry(cur_item, struct ip_conntrack_expect,
558 @@ -1009,7 +1009,11 @@
559 /* FIXME: Man, this is a hack. <SIGH> */
560 IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
561 ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;
564 + /* Initialize fake conntrack so that NAT will skip it */
565 + ip_conntrack_untracked.nat.info.initialized |=
566 + (1 << IP_NAT_MANIP_SRC) | (1 << IP_NAT_MANIP_DST);
571 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_rule.c linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_rule.c
572 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_rule.c 2003-10-08 21:24:04.000000000 +0200
573 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_rule.c 2003-10-10 11:53:17.000000000 +0200
576 sizeof(struct ipt_entry),
577 sizeof(struct ipt_standard),
578 - 0, { 0, 0 }, { } },
579 + 0, NULL, 0, { 0, 0 }, { } },
580 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
585 sizeof(struct ipt_entry),
586 sizeof(struct ipt_standard),
587 - 0, { 0, 0 }, { } },
588 + 0, NULL, 0, { 0, 0 }, { } },
589 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
594 sizeof(struct ipt_entry),
595 sizeof(struct ipt_standard),
596 - 0, { 0, 0 }, { } },
597 + 0, NULL, 0, { 0, 0 }, { } },
598 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
603 sizeof(struct ipt_entry),
604 sizeof(struct ipt_error),
605 - 0, { 0, 0 }, { } },
606 + 0, NULL, 0, { 0, 0 }, { } },
607 { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
610 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_tftp.c linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_tftp.c
611 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_tftp.c 2003-10-08 21:24:03.000000000 +0200
612 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_tftp.c 2003-10-10 11:52:47.000000000 +0200
614 ports[0] = TFTP_PORT;
616 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
617 - memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
619 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
620 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
621 tftp[i].mask.dst.protonum = 0xFFFF;
622 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_tables.c linux-2.6.0-test7/net/ipv4/netfilter/ip_tables.c
623 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_tables.c 2003-10-08 21:24:02.000000000 +0200
624 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_tables.c 2003-10-10 11:53:17.000000000 +0200
626 #include <linux/config.h>
627 #include <linux/cache.h>
628 #include <linux/skbuff.h>
629 +#include <linux/socket.h>
630 #include <linux/kmod.h>
631 #include <linux/vmalloc.h>
632 #include <linux/netdevice.h>
634 #include <asm/semaphore.h>
635 #include <linux/proc_fs.h>
637 +#include <linux/netfilter.h>
638 #include <linux/netfilter_ipv4/ip_tables.h>
640 +static const char *hooknames[] = {
641 + [NF_IP_PRE_ROUTING] "PREROUTING",
642 + [NF_IP_LOCAL_IN] "INPUT",
643 + [NF_IP_FORWARD] "FORWARD",
644 + [NF_IP_LOCAL_OUT] "OUTPUT",
645 + [NF_IP_POST_ROUTING] "POSTROUTING",
648 MODULE_LICENSE("GPL");
649 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
650 MODULE_DESCRIPTION("IPv4 packet filter");
653 t = ipt_get_target(e);
654 IP_NF_ASSERT(t->u.kernel.target);
656 + /* The packet traced and the rule isn't an unconditional return/END. */
657 + if (((*pskb)->nfcache & NFC_TRACE) && e->rulenum) {
658 + nf_log_packet(AF_INET, hook, *pskb, in, out, "TRACE: %s/%s/%u ",
659 + table->name, e->chainname, e->rulenum);
661 /* Standard target? */
662 if (!t->u.kernel.target->target) {
665 return find_inlist_lock(&ipt_target, name, "ipt_", error, mutex);
669 +find_error_target(struct ipt_entry *s,
670 + struct ipt_entry *e,
673 + struct ipt_entry_target *t;
674 + static struct ipt_entry *found = NULL;
679 + t = ipt_get_target(found);
680 + if (strcmp(t->u.user.name,
681 + IPT_ERROR_TARGET) == 0) {
682 + *chainname = t->data;
691 /* All zeroes == unconditional rule. */
693 unconditional(const struct ipt_ip *ip)
695 mark_source_chains(struct ipt_table_info *newinfo, unsigned int valid_hooks)
698 + char *chainname = NULL;
701 /* No recursion; use packet counter to save back ptrs (reset
702 to 0 as we leave), and comefrom to save source hook bitmask */
705 /* Set initial back pointer. */
706 e->counters.pcnt = pos;
708 + chainname = (char *) hooknames[hook];
711 struct ipt_standard_target *t
715 |= ((1 << hook) | (1 << NF_IP_NUMHOOKS));
716 + e->rulenum = rulenum++;
717 + e->chainname = chainname;
719 /* Unconditional return/END. */
720 if (e->target_offset == sizeof(struct ipt_entry)
722 && unconditional(&e->ip)) {
723 unsigned int oldpos, size;
725 + /* Set unconditional rulenum to zero. */
727 + e->counters.bcnt = 0;
729 /* Return: backtrack through the last
733 (newinfo->entries + pos);
734 } while (oldpos == pos + e->next_offset);
736 + /* Restore chainname, rulenum. */
737 + chainname = e->chainname;
738 + rulenum = e->counters.bcnt;
739 + e->counters.bcnt = 0;
742 size = e->next_offset;
743 e = (struct ipt_entry *)
745 /* This a jump; chase it. */
746 duprintf("Jump rule %u -> %u\n",
748 + e->counters.bcnt = rulenum++;
750 + e = (struct ipt_entry *)
751 + (newinfo->entries + newpos);
752 + if (IPT_ENTRY_ITERATE(newinfo->entries,
755 + e, &chainname) == 0) {
756 + printk("ip_tables: table screwed up!\n");
760 /* ... this is a fallthru */
761 newpos = pos + e->next_offset;
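Review bot: `find_error_target` keeps its iteration cursor in a function-local `static struct ipt_entry *found`, so that state is shared by every table translation; unless all callers of `mark_source_chains` are serialized (this excerpt does not show a mutex held around translation), two concurrent replacements interleave their cursors and can attach the wrong chain name to entries. Pass the cursor through the `IPT_ENTRY_ITERATE` argument instead, e.g. a small `struct { struct ipt_entry *cur; char **chainname; }`, and drop the static. `chainname = (char *) hooknames[hook];` casts away `const`; declaring `const char *chainname` (and the entry field) removes the cast. The `%s` in the `TRACE:` line — inside `ipt_do_table`, whose start lies outside the hunk — prints `e->chainname`, which for user-defined chains is the error target's `data` copied in from userspace, so the entry checker must guarantee that name is NUL-terminated before it is used as a string; if it already does, note it at `*chainname = t->data;` with `/* NUL-terminated: checked by the error-target checkentry */`.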
762 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_LOG.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_LOG.c
763 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_LOG.c 2003-10-08 21:24:43.000000000 +0200
764 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_LOG.c 2003-10-10 11:52:57.000000000 +0200
766 #include <linux/module.h>
767 #include <linux/spinlock.h>
768 #include <linux/skbuff.h>
769 +#include <linux/socket.h>
770 #include <linux/ip.h>
771 #include <net/icmp.h>
774 #include <net/route.h>
776 +#include <linux/netfilter.h>
777 #include <linux/netfilter_ipv4/ip_tables.h>
778 #include <linux/netfilter_ipv4/ipt_LOG.h>
781 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
782 MODULE_DESCRIPTION("iptables syslog logging module");
784 +static unsigned int nflog = 1;
785 +MODULE_PARM(nflog, "i");
786 +MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
789 #define DEBUGP printk
791 @@ -315,28 +321,25 @@
792 /* maxlen = 230+ 91 + 230 + 252 = 803 */
796 -ipt_log_target(struct sk_buff **pskb,
798 +ipt_log_packet(unsigned int hooknum,
799 + const struct sk_buff *skb,
800 const struct net_device *in,
801 const struct net_device *out,
802 - unsigned int hooknum,
803 - const void *targinfo,
805 + const struct ipt_log_info *loginfo,
806 + const char *level_string,
807 + const char *prefix)
809 - const struct ipt_log_info *loginfo = targinfo;
810 - char level_string[4] = "< >";
812 - level_string[1] = '0' + (loginfo->level % 8);
813 spin_lock_bh(&log_lock);
814 printk(level_string);
815 printk("%sIN=%s OUT=%s ",
817 + prefix == NULL ? loginfo->prefix : prefix,
819 out ? out->name : "");
820 #ifdef CONFIG_BRIDGE_NETFILTER
821 - if ((*pskb)->nf_bridge) {
822 - struct net_device *physindev = (*pskb)->nf_bridge->physindev;
823 - struct net_device *physoutdev = (*pskb)->nf_bridge->physoutdev;
824 + if (skb->nf_bridge) {
825 + struct net_device *physindev = skb->nf_bridge->physindev;
826 + struct net_device *physoutdev = skb->nf_bridge->physoutdev;
828 if (physindev && in != physindev)
829 printk("PHYSIN=%s ", physindev->name);
830 @@ -348,25 +351,56 @@
832 /* MAC logging for input chain only. */
834 - if ((*pskb)->dev && (*pskb)->dev->hard_header_len
835 - && (*pskb)->mac.raw != (void*)(*pskb)->nh.iph) {
836 + if (skb->dev && skb->dev->hard_header_len
837 + && skb->mac.raw != (void*)skb->nh.iph) {
839 - unsigned char *p = (*pskb)->mac.raw;
840 - for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
841 + unsigned char *p = skb->mac.raw;
842 + for (i = 0; i < skb->dev->hard_header_len; i++,p++)
844 - i==(*pskb)->dev->hard_header_len - 1
845 + i==skb->dev->hard_header_len - 1
851 - dump_packet(loginfo, *pskb, 0);
852 + dump_packet(loginfo, skb, 0);
854 spin_unlock_bh(&log_lock);
858 +ipt_log_target(struct sk_buff **pskb,
859 + const struct net_device *in,
860 + const struct net_device *out,
861 + unsigned int hooknum,
862 + const void *targinfo,
865 + const struct ipt_log_info *loginfo = targinfo;
866 + char level_string[4] = "< >";
868 + level_string[1] = '0' + (loginfo->level % 8);
869 + ipt_log_packet(hooknum, *pskb, in, out, loginfo, level_string, NULL);
875 +ipt_logfn(unsigned int hooknum,
876 + const struct sk_buff *skb,
877 + const struct net_device *in,
878 + const struct net_device *out,
879 + const char *prefix)
881 + struct ipt_log_info loginfo = {
883 + .logflags = IPT_LOG_MASK,
887 + ipt_log_packet(hooknum, skb, in, out, &loginfo, KERN_WARNING, prefix);
890 static int ipt_log_checkentry(const char *tablename,
891 const struct ipt_entry *e,
893 @@ -406,12 +440,17 @@
895 if (ipt_register_target(&ipt_log_reg))
898 + nf_log_register(PF_INET, &ipt_logfn);
903 static void __exit fini(void)
906 + nf_log_unregister(PF_INET, &ipt_logfn);
908 ipt_unregister_target(&ipt_log_reg);
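Review bot: The result of `nf_log_register(PF_INET, &ipt_logfn)` in `init` is discarded, yet net/core/netfilter.c only installs a backend while the `PF_INET` slot is empty, and ipt_ULOG registers with the same default `nflog = 1`, so whichever of the two modules loads second silently is not the backend its parameter says it is. Check the result and report it, assuming the register call returns non-zero on refusal (its return path is cut from this excerpt): `if (nflog && nf_log_register(PF_INET, &ipt_logfn)) printk(KERN_WARNING "ipt_LOG: another netfilter logging backend is already registered for PF_INET\n");`. Whether `nflog` actually gates the call is not visible here (the line between the target registration and the call is omitted); the `MODULE_PARM_DESC` promises that it does.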
911 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_NOTRACK.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_NOTRACK.c
912 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_NOTRACK.c 1970-01-01 01:00:00.000000000 +0100
913 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_NOTRACK.c 2003-10-10 11:53:17.000000000 +0200
915 +/* This is a module which is used for setting up fake conntracks
916 + * on packets so that they are not seen by the conntrack/NAT code.
918 +#include <linux/module.h>
919 +#include <linux/skbuff.h>
921 +#include <linux/netfilter_ipv4/ip_tables.h>
922 +#include <linux/netfilter_ipv4/ip_conntrack.h>
925 +target(struct sk_buff **pskb,
926 + const struct net_device *in,
927 + const struct net_device *out,
928 + unsigned int hooknum,
929 + const void *targinfo,
932 + /* Previously seen (loopback)? Ignore. */
933 + if ((*pskb)->nfct != NULL)
934 + return IPT_CONTINUE;
936 + /* Attach fake conntrack entry.
937 + If there is a real ct entry correspondig to this packet,
938 + it'll hang aroun till timing out. We don't deal with it
939 + for performance reasons. JK */
940 + (*pskb)->nfct = &ip_conntrack_untracked.infos[IP_CT_NEW];
941 + nf_conntrack_get((*pskb)->nfct);
943 + return IPT_CONTINUE;
947 +checkentry(const char *tablename,
948 + const struct ipt_entry *e,
950 + unsigned int targinfosize,
951 + unsigned int hook_mask)
953 + if (targinfosize != 0) {
954 + printk(KERN_WARNING "NOTRACK: targinfosize %u != 0\n",
959 + if (strcmp(tablename, "raw") != 0) {
960 + printk(KERN_WARNING "NOTRACK: can only be called from \"raw\" table, not \"%s\"\n", tablename);
967 +static struct ipt_target ipt_notrack_reg = {
970 + .checkentry = checkentry,
975 +static int __init init(void)
977 + if (ipt_register_target(&ipt_notrack_reg))
983 +static void __exit fini(void)
985 + ipt_unregister_target(&ipt_notrack_reg);
991 +MODULE_LICENSE("GPL");
992 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
993 +MODULE_DESCRIPTION("IPv4 NOTRACK target");
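Review bot: `target` takes a reference on the static `ip_conntrack_untracked` through `nf_conntrack_get`, and nothing in the file says why an unbalanced-looking get on a static object is safe — it relies on ip_conntrack_core.c priming `ct_general.use` to 1 at init so the count never reaches zero and the entry is never handed to the destructor. Add `/* ip_conntrack_untracked is static and pre-referenced at init; the get/put pair on it can never free it. */` at the attach so the next reader does not "fix" it. The attach comment also misspells "corresponding" and "around". The `.me` member of `ipt_notrack_reg` is not shown in this excerpt while ipt_TRACE.c visibly sets `.me = THIS_MODULE`; confirm NOTRACK sets it too, otherwise the module can be unloaded while rules still reference its target.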
994 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_TRACE.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_TRACE.c
995 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_TRACE.c 1970-01-01 01:00:00.000000000 +0100
996 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_TRACE.c 2003-10-10 11:53:17.000000000 +0200
998 +/* This is a module which is used for setting
999 + * the NFC_TRACE flag in the nfcache field of an skb.
1001 +#include <linux/module.h>
1002 +#include <linux/skbuff.h>
1004 +#include <linux/netfilter_ipv4/ip_tables.h>
1006 +static unsigned int
1007 +target(struct sk_buff **pskb,
1008 + const struct net_device *in,
1009 + const struct net_device *out,
1010 + unsigned int hooknum,
1011 + const void *targinfo,
1014 + (*pskb)->nfcache |= NFC_TRACE;
1015 + return IPT_CONTINUE;
1019 +checkentry(const char *tablename,
1020 + const struct ipt_entry *e,
1022 + unsigned int targinfosize,
1023 + unsigned int hook_mask)
1025 + if (targinfosize != 0) {
1026 + printk(KERN_WARNING "TRACE: targinfosize %u != 0\n",
1031 + if (strcmp(tablename, "raw") != 0) {
1032 + printk(KERN_WARNING "TRACE: can only be called from \"raw\" table, not \"%s\"\n", tablename);
1039 +static struct ipt_target ipt_trace_reg = {
1042 + .checkentry = checkentry,
1044 + .me = THIS_MODULE,
1047 +static int __init init(void)
1049 + if (ipt_register_target(&ipt_trace_reg))
1055 +static void __exit fini(void)
1057 + ipt_unregister_target(&ipt_trace_reg);
1062 +MODULE_LICENSE("GPL");
1063 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1064 +MODULE_DESCRIPTION("IPv4 TRACE target");
1065 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_ULOG.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_ULOG.c
1066 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_ULOG.c 2003-10-08 21:24:03.000000000 +0200
1067 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_ULOG.c 2003-10-10 11:52:57.000000000 +0200
1069 #include <linux/netlink.h>
1070 #include <linux/netdevice.h>
1071 #include <linux/mm.h>
1072 +#include <linux/netfilter.h>
1073 #include <linux/netfilter_ipv4/ip_tables.h>
1074 #include <linux/netfilter_ipv4/ipt_ULOG.h>
1075 #include <linux/netfilter_ipv4/lockhelp.h>
1077 MODULE_PARM(flushtimeout, "i");
1078 MODULE_PARM_DESC(flushtimeout, "buffer flush timeout");
1080 +static unsigned int nflog = 1;
1081 +MODULE_PARM(nflog, "i");
1082 +MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
1084 /* global data structures */
1087 @@ -152,17 +157,17 @@
1091 -static unsigned int ipt_ulog_target(struct sk_buff **pskb,
1092 - const struct net_device *in,
1093 - const struct net_device *out,
1094 - unsigned int hooknum,
1095 - const void *targinfo, void *userinfo)
1096 +static void ipt_ulog_packet(unsigned int hooknum,
1097 + const struct sk_buff *skb,
1098 + const struct net_device *in,
1099 + const struct net_device *out,
1100 + const struct ipt_ulog_info *loginfo,
1101 + const char *prefix)
1104 ulog_packet_msg_t *pm;
1105 size_t size, copy_len;
1106 struct nlmsghdr *nlh;
1107 - struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
1109 /* ffs == find first bit set, necessary because userspace
1110 * is already shifting groupnumber, but we need unshifted.
1113 /* calculate the size of the skb needed */
1114 if ((loginfo->copy_range == 0) ||
1115 - (loginfo->copy_range > (*pskb)->len)) {
1116 - copy_len = (*pskb)->len;
1117 + (loginfo->copy_range > skb->len)) {
1118 + copy_len = skb->len;
1120 copy_len = loginfo->copy_range;
1122 @@ -209,19 +214,21 @@
1124 /* copy hook, prefix, timestamp, payload, etc. */
1125 pm->data_len = copy_len;
1126 - pm->timestamp_sec = (*pskb)->stamp.tv_sec;
1127 - pm->timestamp_usec = (*pskb)->stamp.tv_usec;
1128 - pm->mark = (*pskb)->nfmark;
1129 + pm->timestamp_sec = skb->stamp.tv_sec;
1130 + pm->timestamp_usec = skb->stamp.tv_usec;
1131 + pm->mark = skb->nfmark;
1133 - if (loginfo->prefix[0] != '\0')
1134 + if (prefix != NULL)
1135 + strncpy(pm->prefix, prefix, sizeof(pm->prefix));
1136 + else if (loginfo->prefix[0] != '\0')
1137 strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
1139 *(pm->prefix) = '\0';
1141 if (in && in->hard_header_len > 0
1142 - && (*pskb)->mac.raw != (void *) (*pskb)->nh.iph
1143 + && skb->mac.raw != (void *) skb->nh.iph
1144 && in->hard_header_len <= ULOG_MAC_LEN) {
1145 - memcpy(pm->mac, (*pskb)->mac.raw, in->hard_header_len);
1146 + memcpy(pm->mac, skb->mac.raw, in->hard_header_len);
1147 pm->mac_len = in->hard_header_len;
1152 pm->outdev_name[0] = '\0';
1154 - /* copy_len <= (*pskb)->len, so can't fail. */
1155 - if (skb_copy_bits(*pskb, 0, pm->payload, copy_len) < 0)
1156 + /* copy_len <= skb->len, so can't fail. */
1157 + if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
1160 /* check if we are building multi-part messages */
1163 UNLOCK_BH(&ulog_lock);
1165 - return IPT_CONTINUE;
1170 PRINTR("ipt_ULOG: error during NLMSG_PUT\n");
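Review bot: The new `strncpy(pm->prefix, prefix, sizeof(pm->prefix))` branch can leave pm->prefix without a NUL terminator: the target's own loginfo->prefix is presumably validated for termination by ipt_ulog_checkentry, but `prefix` now arrives from nf_log_packet callers (the "TRACE: table/chain/rulenum " string the IPv6 side builds in ip6_tables.c is the visible example) and nothing bounds it to the field, so a prefix as long as the field runs straight into pm->mac for any userspace reader that strlen()s it. Terminate explicitly after the copy, `pm->prefix[sizeof(pm->prefix) - 1] = '\0';`, on both strncpy paths. ipt_ulog_packet starts in the previous hunk.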
1171 @@ -271,8 +277,35 @@
1172 PRINTR("ipt_ULOG: Error building netlink message\n");
1174 UNLOCK_BH(&ulog_lock);
1177 +static unsigned int ipt_ulog_target(struct sk_buff **pskb,
1178 + const struct net_device *in,
1179 + const struct net_device *out,
1180 + unsigned int hooknum,
1181 + const void *targinfo, void *userinfo)
1183 + struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
1185 - return IPT_CONTINUE;
1186 + ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
1188 + return IPT_CONTINUE;
1191 +static void ipt_logfn(unsigned int hooknum,
1192 + const struct sk_buff *skb,
1193 + const struct net_device *in,
1194 + const struct net_device *out,
1195 + const char *prefix)
1197 + struct ipt_ulog_info loginfo = {
1198 + .nl_group = NFLOG_DEFAULT_NLGROUP,
1200 + .qthreshold = NFLOG_DEFAULT_QTHRESHOLD,
1204 + ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
1207 static int ipt_ulog_checkentry(const char *tablename,
1213 + nf_log_register(PF_INET, &ipt_logfn);
1220 DEBUGP("ipt_ULOG: cleanup_module\n");
1223 + nf_log_unregister(PF_INET, &ipt_logfn);
1225 ipt_unregister_target(&ipt_ulog_reg);
1226 sock_release(nflognl->sk_socket);
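Review bot: The return value of `nf_log_register(PF_INET, &ipt_logfn)` is discarded, so if the core already holds a PF_INET backend (ipt_LOG loaded first, say) ULOG silently never becomes the nflog/TRACE sink, and whether the unconditional `nf_log_unregister` in fini is then harmless depends on the core matching the function pointer, which this chunk does not show. Check the result and record it, e.g. `if (nf_log_register(PF_INET, &ipt_logfn) < 0) printk(KERN_WARNING "ipt_ULOG: nf_log_register failed\n");`, and only unregister when registration succeeded. The `nflog` module parameter declared above should presumably gate both calls identically; the visible lines around them do not show the guard. init and fini start outside this hunk.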
1228 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_conntrack.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_conntrack.c
1229 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_conntrack.c 2003-10-08 21:24:44.000000000 +0200
1230 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_conntrack.c 2003-10-10 11:53:17.000000000 +0200
1233 #define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
1236 + if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW])
1237 + statebit = IPT_CONNTRACK_STATE_UNTRACKED;
1239 statebit = IPT_CONNTRACK_STATE_BIT(ctinfo);
1241 statebit = IPT_CONNTRACK_STATE_INVALID;
1242 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_sctp.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_sctp.c
1243 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_sctp.c 1970-01-01 01:00:00.000000000 +0100
1244 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_sctp.c 2003-10-10 11:53:27.000000000 +0200
1246 +/* IP tables module for matching the SCTP header
1248 + * $ipt_sctp.c,v 1.3 2002/05/29 15:09:00 laforge Exp$
1250 + * (C) 2003 by Harald Welte <laforge@gnumonks.org>
1252 + * This software is distributed under the terms GNU GPL v2
1255 +#include <linux/module.h>
1256 +#include <linux/skbuff.h>
1257 +#include <linux/sctp.h>
1259 +#include <linux/netfilter_ipv4/ip_tables.h>
1260 +#include <linux/netfilter_ipv4/ipt_sctp.h>
1262 +MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
1263 +MODULE_DESCRIPTION("IP tables SCTP matching module");
1264 +MODULE_LICENSE("GPL");
1266 +/* Returns 1 if the port is matched by the range, 0 otherwise */
1268 +port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
1272 + ret = (port >= min && port <= max) ^ invert;
1276 +static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
1278 + sctp_chunkhdr_t *ch = (sctp_chunkhdr_t *) skb->data;
1280 + u_int32_t chunks_present = 0;
1284 + ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length));
1286 + if (ch->type < 32)
1287 + chunks_present |= (1 << ch_type);
1288 + else if (ch->type == SCTP_CID_ASCONF)
1289 + chunks_present |= (1 << 31);
1290 + else if (ch->type == SCTP_CID_ASCONF_ACK)
1291 + chunks_present |= (1 << 30);
1293 + ch = (sctp_chunkhdr_t *) ch_end;
1294 + } while (ch_end < skb->tail);
1296 + return ((chunks_present& chunk_mask) == chunks);
1299 +static int match(const struct sk_buff *skb, const struct net_device *in,
1300 + const struct net_device *out, const void *matchinfo,
1301 + int offset, const void *hdr, u_int16_t datalen,
1304 + const struct ipt_sctp_info *info = matchinfo;
1305 + const struct iphdr *iph = skb->nh.iph;
1306 + const struct sctphdr *sh = (struct sctphdr *) skb->h.raw;
1308 + if (iph->protocol != IPPROTO_SCTP)
1311 + if (offset == 1) {
1312 + duprintf("Dropping evil SCTP offset=1 frag.\n");
1315 + } else if (offset == 0 && datalen < sizeof(struct sctphdr)) {
1316 + /* We've been askd o examine this packet, and we can't.
1317 + * Hence, no choice but to drop. */
1318 + duprintf("Dropping evil SCTP offset=0 tinygram.\n");
1324 + && port_match(info->spts[0], info->spts[1],
1325 + ntohs(sh->source),
1326 + !!(info->invflags & IPT_SCTP_INV_SRCPT))
1327 + && port_match(info->dpts[0], info->dpts[1],
1329 + !!(info->invflags & IPT_SCTP_INV_DSTPT))
1330 + && chunk_match(skb, info->chunks, info->chunk_mask)
1334 +static int checkentry(const char *tablename, const struct ipt_ip *ip,
1335 + void *matchinfo, unsigned int matchsize,
1336 + unsigned int hook_mask)
1338 + const struct ipt_sctp_info *info = matchinfo;
1340 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_sctp_info)))
1343 + if (ip->proto != IPPROTO_SCTP && !(ip->invflags & IPT_INV_PROTO))
1346 + if !(info->invflags & ~IPT_SCTP_INV_MASK)
1352 +static struct ipt_match sctp_match = {
1355 + .checkentry = &checkentry,
1356 + .me = THIS_MODULE,
1359 +static int __init init(void)
1361 + return ipt_register_match(&sctp_match);
1364 +static void __exit fini(void)
1366 + ipt_unregister_match(&sctp_match);
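Review bot: chunk_match can be made to spin forever in softirq context by a chunk whose length field is 0: WORD_ROUND(0) is 0, so ch_end == ch and the do/while never advances, and a truncated trailing chunk header is read past skb->tail because the bound is only checked after ch->length has been dereferenced. The walk also starts at skb->data, which at this point appears to be the IP header rather than the first chunk (match() itself takes the SCTP header from skb->h.raw), so the bits it collects are not chunk types; using the hdr/datalen pair the match is already handed, as the tcp/udp matches do, fixes the offset and drops the linear-buffer assumption, and is safe because match() already drops first fragments shorter than a sctphdr. Separately, checkentry's `if !(info->invflags & ~IPT_SCTP_INV_MASK)` is not valid C (missing parentheses) and, once parenthesised, has the sense inverted — the entry must be rejected when unknown invert bits are set: `if (info->invflags & ~IPT_SCTP_INV_MASK)`. Both functions lie entirely within this hunk.
```c
static int chunk_match(const void *hdr, u_int16_t datalen,
		       u_int32_t chunks, u_int32_t chunk_mask)
{
	const u_int8_t *p = (const u_int8_t *) hdr + sizeof(struct sctphdr);
	const u_int8_t *end = (const u_int8_t *) hdr + datalen;
	u_int32_t chunks_present = 0;

	/* Stop as soon as a full chunk header no longer fits; a length
	 * smaller than the header itself is malformed and cannot advance. */
	while (p + sizeof(sctp_chunkhdr_t) <= end) {
		const sctp_chunkhdr_t *ch = (const sctp_chunkhdr_t *) p;
		u_int16_t len = ntohs(ch->length);

		if (len < sizeof(sctp_chunkhdr_t))
			return 0;
		if (ch->type < 32)
			chunks_present |= (1 << ch->type);
		else if (ch->type == SCTP_CID_ASCONF)
			chunks_present |= (1 << 31);
		else if (ch->type == SCTP_CID_ASCONF_ACK)
			chunks_present |= (1 << 30);
		p += WORD_ROUND(len);
	}
	return (chunks_present & chunk_mask) == chunks;
}

/* … unchanged: match() up to the port checks … */
	       && chunk_match(hdr, datalen, info->chunks, info->chunk_mask)
```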
1371 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_state.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_state.c
1372 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_state.c 2003-10-08 21:24:53.000000000 +0200
1373 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_state.c 2003-10-10 11:53:17.000000000 +0200
1375 enum ip_conntrack_info ctinfo;
1376 unsigned int statebit;
1378 - if (!ip_conntrack_get((struct sk_buff *)skb, &ctinfo))
1379 - statebit = IPT_STATE_INVALID;
1381 + if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW])
1382 + statebit = IPT_STATE_UNTRACKED;
1383 + else if (ip_conntrack_get((struct sk_buff *)skb, &ctinfo))
1384 statebit = IPT_STATE_BIT(ctinfo);
1386 + statebit = IPT_STATE_INVALID;
1388 return (sinfo->statemask & statebit);
1390 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_filter.c linux-2.6.0-test7/net/ipv4/netfilter/iptable_filter.c
1391 --- linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_filter.c 2003-10-08 21:24:04.000000000 +0200
1392 +++ linux-2.6.0-test7/net/ipv4/netfilter/iptable_filter.c 2003-10-10 11:53:17.000000000 +0200
1395 sizeof(struct ipt_entry),
1396 sizeof(struct ipt_standard),
1397 - 0, { 0, 0 }, { } },
1398 + 0, NULL, 0, { 0, 0 }, { } },
1399 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1404 sizeof(struct ipt_entry),
1405 sizeof(struct ipt_standard),
1406 - 0, { 0, 0 }, { } },
1407 + 0, NULL, 0, { 0, 0 }, { } },
1408 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1413 sizeof(struct ipt_entry),
1414 sizeof(struct ipt_standard),
1415 - 0, { 0, 0 }, { } },
1416 + 0, NULL, 0, { 0, 0 }, { } },
1417 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1422 sizeof(struct ipt_entry),
1423 sizeof(struct ipt_error),
1424 - 0, { 0, 0 }, { } },
1425 + 0, NULL, 0, { 0, 0 }, { } },
1426 { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
1429 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_mangle.c linux-2.6.0-test7/net/ipv4/netfilter/iptable_mangle.c
1430 --- linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_mangle.c 2003-10-08 21:24:43.000000000 +0200
1431 +++ linux-2.6.0-test7/net/ipv4/netfilter/iptable_mangle.c 2003-10-10 11:53:17.000000000 +0200
1434 sizeof(struct ipt_entry),
1435 sizeof(struct ipt_standard),
1436 - 0, { 0, 0 }, { } },
1437 + 0, NULL, 0, { 0, 0 }, { } },
1438 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1443 sizeof(struct ipt_entry),
1444 sizeof(struct ipt_standard),
1445 - 0, { 0, 0 }, { } },
1446 + 0, NULL, 0, { 0, 0 }, { } },
1447 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1452 sizeof(struct ipt_entry),
1453 sizeof(struct ipt_standard),
1454 - 0, { 0, 0 }, { } },
1455 + 0, NULL, 0, { 0, 0 }, { } },
1456 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1461 sizeof(struct ipt_entry),
1462 sizeof(struct ipt_standard),
1463 - 0, { 0, 0 }, { } },
1464 + 0, NULL, 0, { 0, 0 }, { } },
1465 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1470 sizeof(struct ipt_entry),
1471 sizeof(struct ipt_standard),
1472 - 0, { 0, 0 }, { } },
1473 + 0, NULL, 0, { 0, 0 }, { } },
1474 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1479 sizeof(struct ipt_entry),
1480 sizeof(struct ipt_error),
1481 - 0, { 0, 0 }, { } },
1482 + 0, NULL, 0, { 0, 0 }, { } },
1483 { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
1486 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_raw.c linux-2.6.0-test7/net/ipv4/netfilter/iptable_raw.c
1487 --- linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_raw.c 1970-01-01 01:00:00.000000000 +0100
1488 +++ linux-2.6.0-test7/net/ipv4/netfilter/iptable_raw.c 2003-10-10 11:53:17.000000000 +0200
1491 + * 'raw' table, which is the very first hooked in at PRE_ROUTING and LOCAL_OUT .
1493 + * Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
1495 +#include <linux/module.h>
1496 +#include <linux/netfilter_ipv4/ip_tables.h>
1498 +#define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))
1500 +/* Standard entry. */
1501 +struct ipt_standard
1503 + struct ipt_entry entry;
1504 + struct ipt_standard_target target;
1507 +struct ipt_error_target
1509 + struct ipt_entry_target target;
1510 + char errorname[IPT_FUNCTION_MAXNAMELEN];
1515 + struct ipt_entry entry;
1516 + struct ipt_error_target target;
1521 + struct ipt_replace repl;
1522 + struct ipt_standard entries[2];
1523 + struct ipt_error term;
1524 +} initial_table __initdata
1525 += { { "raw", RAW_VALID_HOOKS, 3,
1526 + sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error),
1527 + { [NF_IP_PRE_ROUTING] 0,
1528 + [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) },
1529 + { [NF_IP_PRE_ROUTING] 0,
1530 + [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) },
1534 + { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
1536 + sizeof(struct ipt_entry),
1537 + sizeof(struct ipt_standard),
1538 + 0, NULL, 0, { 0, 0 }, { } },
1539 + { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1540 + -NF_ACCEPT - 1 } },
1542 + { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
1544 + sizeof(struct ipt_entry),
1545 + sizeof(struct ipt_standard),
1546 + 0, NULL, 0, { 0, 0 }, { } },
1547 + { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1548 + -NF_ACCEPT - 1 } }
1551 + { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
1553 + sizeof(struct ipt_entry),
1554 + sizeof(struct ipt_error),
1555 + 0, NULL, 0, { 0, 0 }, { } },
1556 + { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
1563 +static struct ipt_table packet_raw = {
1565 + .table = &initial_table.repl,
1566 + .valid_hooks = RAW_VALID_HOOKS,
1567 + .lock = RW_LOCK_UNLOCKED,
1568 + .me = THIS_MODULE,
1571 +/* The work comes in here from netfilter.c. */
1572 +static unsigned int
1573 +ipt_hook(unsigned int hook,
1574 + struct sk_buff **pskb,
1575 + const struct net_device *in,
1576 + const struct net_device *out,
1577 + int (*okfn)(struct sk_buff *))
1579 + return ipt_do_table(pskb, hook, in, out, &packet_raw, NULL);
1582 +/* 'raw' is the very first table. */
1583 +static struct nf_hook_ops ipt_ops[] = {
1584 + { /* PRE_ROUTING hook */
1586 + .owner = THIS_MODULE,
1588 + .hooknum = NF_IP_PRE_ROUTING,
1589 + .priority = NF_IP_PRI_RAW,
1591 + { /* LOCAL_OUT hook */
1593 + .owner = THIS_MODULE,
1595 + .hooknum = NF_IP_LOCAL_OUT,
1596 + .priority = NF_IP_PRI_RAW,
1600 +static int __init init(void)
1604 + /* Register table */
1605 + ret = ipt_register_table(&packet_raw);
1609 + /* Register hooks */
1610 + ret = nf_register_hook(&ipt_ops[0]);
1612 + goto cleanup_table;
1614 + ret = nf_register_hook(&ipt_ops[1]);
1616 + goto cleanup_hook0;
1621 + nf_unregister_hook(&ipt_ops[0]);
1623 + ipt_unregister_table(&packet_raw);
1628 +static void __exit fini(void)
1632 + for (i = 0; i < sizeof(ipt_ops)/sizeof(struct nf_hook_ops); i++)
1633 + nf_unregister_hook(&ipt_ops[i]);
1635 + ipt_unregister_table(&packet_raw);
1640 +MODULE_LICENSE("GPL");
1641 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1642 +MODULE_DESCRIPTION("IPv4 raw table");
1643 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/Kconfig linux-2.6.0-test7/net/ipv6/netfilter/Kconfig
1644 --- linux-2.6.0-test7.org/net/ipv6/netfilter/Kconfig 2003-10-08 21:24:43.000000000 +0200
1645 +++ linux-2.6.0-test7/net/ipv6/netfilter/Kconfig 2003-10-10 11:53:17.000000000 +0200
1646 @@ -217,6 +217,31 @@
1648 To compile it as a module, choose M here. If unsure, say N.
1651 + tristate "Raw table"
1652 + depends on IP6_NF_IPTABLES
1654 + This option adds a `raw' table to iptables: see the man page for
1655 + iptables(8). This table is the very first in the netfilter
1656 + framework and hooks in at the PREROUTING and OUTPUT chains.
1657 + The TRACE target can be used in this table only.
1659 + To compile it as a module, choose M here. If unsure, say N.
1661 +config IP6_NF_TARGET_TRACE
1662 + tristate "TRACE target support"
1663 + depends on IP6_NF_RAW
1665 + The TRACE target allows packets to be traced as those matches
1666 + any subsequent rule in any IPv6 netfilter table/rule. The matched
1667 + rule and the packet is logged with the prefix
1669 + TRACE: tablename/chainname/rulenum
1671 + if the ip6t_LOG target is loaded in.
1673 + To compile it as a module, choose M here. If unsure, say N.
1675 #dep_tristate ' LOG target support' CONFIG_IP6_NF_TARGET_LOG $CONFIG_IP6_NF_IPTABLES
1678 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/Makefile linux-2.6.0-test7/net/ipv6/netfilter/Makefile
1679 --- linux-2.6.0-test7.org/net/ipv6/netfilter/Makefile 2003-10-08 21:24:15.000000000 +0200
1680 +++ linux-2.6.0-test7/net/ipv6/netfilter/Makefile 2003-10-10 11:53:17.000000000 +0200
1682 obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
1683 obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
1684 obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
1685 +obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
1686 obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t_MARK.o
1687 obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
1688 obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
1689 +obj-$(CONFIG_IP6_NF_TARGET_TRACE) += ip6t_TRACE.o
1690 obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
1691 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6_tables.c linux-2.6.0-test7/net/ipv6/netfilter/ip6_tables.c
1692 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6_tables.c 2003-10-08 21:24:43.000000000 +0200
1693 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6_tables.c 2003-10-10 11:53:18.000000000 +0200
1696 #include <linux/config.h>
1697 #include <linux/skbuff.h>
1698 +#include <linux/socket.h>
1699 #include <linux/kmod.h>
1700 #include <linux/vmalloc.h>
1701 #include <linux/netdevice.h>
1703 #include <asm/semaphore.h>
1704 #include <linux/proc_fs.h>
1706 +#include <linux/netfilter.h>
1707 #include <linux/netfilter_ipv6/ip6_tables.h>
1709 +static const char *hook6names[] = {
1710 + [NF_IP6_PRE_ROUTING] "PREROUTING",
1711 + [NF_IP6_LOCAL_IN] "INPUT",
1712 + [NF_IP6_FORWARD] "FORWARD",
1713 + [NF_IP6_LOCAL_OUT] "OUTPUT",
1714 + [NF_IP6_POST_ROUTING] "POSTROUTING",
1717 MODULE_LICENSE("GPL");
1718 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1719 MODULE_DESCRIPTION("IPv6 packet filter");
1720 @@ -403,6 +413,12 @@
1722 t = ip6t_get_target(e);
1723 IP_NF_ASSERT(t->u.kernel.target);
1725 + /* The packet traced and the rule isn't an unconditional return/END. */
1726 + if (((*pskb)->nfcache & NFC_TRACE) && e->rulenum) {
1727 + nf_log_packet(AF_INET6, hook, *pskb, in, out, "TRACE: %s/%s/%u ",
1728 + table->name, e->chainname, e->rulenum);
1730 /* Standard target? */
1731 if (!t->u.kernel.target->target) {
1733 @@ -556,6 +572,29 @@
1734 return find_inlist_lock(&ip6t_target, name, "ip6t_", error, mutex);
1738 +find_error_target(struct ip6t_entry *s,
1739 + struct ip6t_entry *e,
1742 + struct ip6t_entry_target *t;
1743 + static struct ip6t_entry *found = NULL;
1748 + t = ip6t_get_target(found);
1749 + if (strcmp(t->u.user.name,
1750 + IP6T_ERROR_TARGET) == 0) {
1751 + *chainname = t->data;
1760 /* All zeroes == unconditional rule. */
1762 unconditional(const struct ip6t_ip6 *ipv6)
1764 mark_source_chains(struct ip6t_table_info *newinfo, unsigned int valid_hooks)
1767 + char *chainname = NULL;
1768 + u_int32_t rulenum;
1770 /* No recursion; use packet counter to save back ptrs (reset
1771 to 0 as we leave), and comefrom to save source hook bitmask */
1774 /* Set initial back pointer. */
1775 e->counters.pcnt = pos;
1777 + chainname = (char *) hook6names[hook];
1780 struct ip6t_standard_target *t
1784 |= ((1 << hook) | (1 << NF_IP6_NUMHOOKS));
1785 + e->rulenum = rulenum++;
1786 + e->chainname = chainname;
1788 /* Unconditional return/END. */
1789 if (e->target_offset == sizeof(struct ip6t_entry)
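Review bot: `e->chainname` stores a kernel pointer (into hook6names, or into the table's own entries blob via the ERROR target's data) inside struct ip6t_entry, which is the structure ip6tables exchanges with the kernel through setsockopt/getsockopt; if copy_entries_to_user still copies entries verbatim (it is outside this chunk), every GET_ENTRIES reply now discloses kernel text and vmalloc addresses to the CAP_NET_ADMIN caller, and the layout change breaks binary compatibility with an ip6tables built against the old struct. Keeping the chain name and rule number in a kernel-private side array indexed by entry offset, or clearing the field on the way out, avoids exporting the pointer. The user-supplied value of that field is overwritten here only for entries mark_source_chains reaches; entries in chains nothing jumps to keep whatever userspace put there, which is harmless only as long as no code path reads chainname for an unreached entry. mark_source_chains continues beyond this hunk.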
1790 @@ -609,6 +654,10 @@
1791 && unconditional(&e->ipv6)) {
1792 unsigned int oldpos, size;
1794 + /* Set unconditional rulenum to zero. */
1796 + e->counters.bcnt = 0;
1798 /* Return: backtrack through the last
1801 @@ -634,6 +683,11 @@
1802 (newinfo->entries + pos);
1803 } while (oldpos == pos + e->next_offset);
1805 + /* Restore chainname, rulenum. */
1806 + chainname = e->chainname;
1807 + rulenum = e->counters.bcnt;
1808 + e->counters.bcnt = 0;
1810 /* Move along one */
1811 size = e->next_offset;
1812 e = (struct ip6t_entry *)
1813 @@ -649,6 +703,17 @@
1814 /* This a jump; chase it. */
1815 duprintf("Jump rule %u -> %u\n",
1817 + e->counters.bcnt = rulenum++;
1819 + e = (struct ip6t_entry *)
1820 + (newinfo->entries + newpos);
1821 + if (IP6T_ENTRY_ITERATE(newinfo->entries,
1823 + find_error_target,
1824 + e, &chainname) == 0) {
1825 + printk("ip6_tables: table screwed up!\n");
1829 /* ... this is a fallthru */
1830 newpos = pos + e->next_offset;
1831 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6t_LOG.c linux-2.6.0-test7/net/ipv6/netfilter/ip6t_LOG.c
1832 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6t_LOG.c 2003-10-08 21:24:03.000000000 +0200
1833 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6t_LOG.c 2003-10-10 11:52:57.000000000 +0200
1836 #include <linux/module.h>
1837 #include <linux/skbuff.h>
1838 +#include <linux/socket.h>
1839 #include <linux/ip.h>
1840 #include <linux/spinlock.h>
1841 #include <linux/icmpv6.h>
1842 #include <net/udp.h>
1843 #include <net/tcp.h>
1844 #include <net/ipv6.h>
1845 +#include <linux/netfilter.h>
1846 #include <linux/netfilter_ipv6/ip6_tables.h>
1848 MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
1849 MODULE_DESCRIPTION("IP6 tables LOG target module");
1850 MODULE_LICENSE("GPL");
1852 +static unsigned int nflog = 1;
1853 +MODULE_PARM(nflog, "i");
1854 +MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
1857 #include <net/route.h>
1858 #include <linux/netfilter_ipv6/ip6t_LOG.h>
1859 @@ -256,40 +262,38 @@
1863 -static unsigned int
1864 -ip6t_log_target(struct sk_buff **pskb,
1865 - unsigned int hooknum,
1866 - const struct net_device *in,
1867 - const struct net_device *out,
1868 - const void *targinfo,
1871 +ip6t_log_packet(unsigned int hooknum,
1872 + const struct sk_buff *skb,
1873 + const struct net_device *in,
1874 + const struct net_device *out,
1875 + const struct ip6t_log_info *loginfo,
1876 + const char *level_string,
1877 + const char *prefix)
1879 - struct ipv6hdr *ipv6h = (*pskb)->nh.ipv6h;
1880 - const struct ip6t_log_info *loginfo = targinfo;
1881 - char level_string[4] = "< >";
1882 + struct ipv6hdr *ipv6h = skb->nh.ipv6h;
1884 - level_string[1] = '0' + (loginfo->level % 8);
1885 spin_lock_bh(&log_lock);
1886 printk(level_string);
1887 printk("%sIN=%s OUT=%s ",
1889 + prefix == NULL ? loginfo->prefix : prefix,
1891 out ? out->name : "");
1893 /* MAC logging for input chain only. */
1895 - if ((*pskb)->dev && (*pskb)->dev->hard_header_len && (*pskb)->mac.raw != (void*)ipv6h) {
1896 - if ((*pskb)->dev->type != ARPHRD_SIT){
1897 + if (skb->dev && skb->dev->hard_header_len && skb->mac.raw != (void*)ipv6h) {
1898 + if (skb->dev->type != ARPHRD_SIT){
1900 - unsigned char *p = (*pskb)->mac.raw;
1901 - for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
1902 + unsigned char *p = skb->mac.raw;
1903 + for (i = 0; i < skb->dev->hard_header_len; i++,p++)
1904 printk("%02x%c", *p,
1905 - i==(*pskb)->dev->hard_header_len - 1
1906 + i==skb->dev->hard_header_len - 1
1910 - unsigned char *p = (*pskb)->mac.raw;
1911 - if ( p - (ETH_ALEN*2+2) > (*pskb)->head ){
1912 + unsigned char *p = skb->mac.raw;
1913 + if ( p - (ETH_ALEN*2+2) > skb->head ){
1915 for (i = 0; i < (ETH_ALEN); i++,p++)
1916 printk("%02x%s", *p,
1917 @@ -300,10 +304,10 @@
1918 i == ETH_ALEN-1 ? ' ' : ':');
1921 - if (((*pskb)->dev->addr_len == 4) &&
1922 - (*pskb)->dev->hard_header_len > 20){
1923 + if ((skb->dev->addr_len == 4) &&
1924 + skb->dev->hard_header_len > 20){
1926 - p = (*pskb)->mac.raw + 12;
1927 + p = skb->mac.raw + 12;
1928 for (i = 0; i < 4; i++,p++)
1930 i == 3 ? "->" : ".");
1931 @@ -319,10 +323,41 @@
1932 dump_packet(loginfo, ipv6h, 1);
1934 spin_unlock_bh(&log_lock);
1937 +static unsigned int
1938 +ip6t_log_target(struct sk_buff **pskb,
1939 + unsigned int hooknum,
1940 + const struct net_device *in,
1941 + const struct net_device *out,
1942 + const void *targinfo,
1945 + const struct ip6t_log_info *loginfo = targinfo;
1946 + char level_string[4] = "< >";
1948 + level_string[1] = '0' + (loginfo->level % 8);
1949 + ip6t_log_packet(hooknum, *pskb, in, out, loginfo, level_string, NULL);
1951 return IP6T_CONTINUE;
1955 +ip6t_logfn(unsigned int hooknum,
1956 + const struct sk_buff *skb,
1957 + const struct net_device *in,
1958 + const struct net_device *out,
1959 + const char *prefix)
1961 + struct ip6t_log_info loginfo = {
1963 + .logflags = IP6T_LOG_MASK,
1967 + ip6t_log_packet(hooknum, skb, in, out, &loginfo, KERN_WARNING, prefix);
1970 static int ip6t_log_checkentry(const char *tablename,
1971 const struct ip6t_entry *e,
1973 @@ -359,12 +394,17 @@
1975 if (ip6t_register_target(&ip6t_log_reg))
1978 + nf_log_register(PF_INET6, &ip6t_logfn);
1983 static void __exit fini(void)
1986 + nf_log_register(PF_INET6, &ip6t_logfn);
1988 ip6t_unregister_target(&ip6t_log_reg);
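Review bot: fini() calls `nf_log_register(PF_INET6, &ip6t_logfn)` where it must call `nf_log_unregister(PF_INET6, &ip6t_logfn)`; as written, unloading the module leaves the netfilter core holding a pointer to ip6t_logfn in freed module text, and the next nf_log_packet(PF_INET6, …) — any TRACE'd IPv6 packet — jumps into it. The IPv4 counterpart in ipt_ULOG pairs register and unregister correctly. The return value of nf_log_register in init() is also discarded, so a failed registration goes unnoticed; and if the `nflog` module parameter declared above is meant to gate registration, the unregister path needs the identical guard. init and fini start outside this hunk.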
1991 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6t_TRACE.c linux-2.6.0-test7/net/ipv6/netfilter/ip6t_TRACE.c
1992 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6t_TRACE.c 1970-01-01 01:00:00.000000000 +0100
1993 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6t_TRACE.c 2003-10-10 11:53:18.000000000 +0200
1995 +/* This is a module which is used for setting
1996 + * the NFC_TRACE flag in the nfcache field of an skb.
1998 +#include <linux/module.h>
1999 +#include <linux/skbuff.h>
2001 +#include <linux/netfilter_ipv6/ip6_tables.h>
2003 +static unsigned int
2004 +target(struct sk_buff **pskb,
2005 + unsigned int hooknum,
2006 + const struct net_device *in,
2007 + const struct net_device *out,
2008 + const void *targinfo,
2011 + (*pskb)->nfcache |= NFC_TRACE;
2012 + return IP6T_CONTINUE;
2016 +checkentry(const char *tablename,
2017 + const struct ip6t_entry *e,
2019 + unsigned int targinfosize,
2020 + unsigned int hook_mask)
2022 + if (targinfosize != 0) {
2023 + printk(KERN_WARNING "TRACE: targinfosize %u != 0\n",
2028 + if (strcmp(tablename, "raw") != 0) {
2029 + printk(KERN_WARNING "TRACE: can only be called from \"raw\" table, not \"%s\"\n", tablename);
2036 +static struct ip6t_target ip6t_trace_reg = {
2039 + .checkentry = checkentry,
2041 + .me = THIS_MODULE,
2044 +static int __init init(void)
2046 + if (ip6t_register_target(&ip6t_trace_reg))
2052 +static void __exit fini(void)
2054 + ip6t_unregister_target(&ip6t_trace_reg);
2060 +MODULE_LICENSE("GPL");
2061 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
2062 +MODULE_DESCRIPTION("IPv6 TRACE target");
2064 \ No newline at end of file
2065 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_filter.c linux-2.6.0-test7/net/ipv6/netfilter/ip6table_filter.c
2066 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_filter.c 2003-10-08 21:24:01.000000000 +0200
2067 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6table_filter.c 2003-10-10 11:53:18.000000000 +0200
2070 sizeof(struct ip6t_entry),
2071 sizeof(struct ip6t_standard),
2072 - 0, { 0, 0 }, { } },
2073 + 0, NULL, 0, { 0, 0 }, { } },
2074 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2079 sizeof(struct ip6t_entry),
2080 sizeof(struct ip6t_standard),
2081 - 0, { 0, 0 }, { } },
2082 + 0, NULL, 0, { 0, 0 }, { } },
2083 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2088 sizeof(struct ip6t_entry),
2089 sizeof(struct ip6t_standard),
2090 - 0, { 0, 0 }, { } },
2091 + 0, NULL, 0, { 0, 0 }, { } },
2092 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2097 sizeof(struct ip6t_entry),
2098 sizeof(struct ip6t_error),
2099 - 0, { 0, 0 }, { } },
2100 + 0, NULL, 0, { 0, 0 }, { } },
2101 { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } },
2104 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_mangle.c linux-2.6.0-test7/net/ipv6/netfilter/ip6table_mangle.c
2105 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_mangle.c 2003-10-08 21:24:04.000000000 +0200
2106 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6table_mangle.c 2003-10-10 11:53:18.000000000 +0200
2109 sizeof(struct ip6t_entry),
2110 sizeof(struct ip6t_standard),
2111 - 0, { 0, 0 }, { } },
2112 + 0, NULL, 0, { 0, 0 }, { } },
2113 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2118 sizeof(struct ip6t_entry),
2119 sizeof(struct ip6t_standard),
2120 - 0, { 0, 0 }, { } },
2121 + 0, NULL, 0, { 0, 0 }, { } },
2122 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2127 sizeof(struct ip6t_entry),
2128 sizeof(struct ip6t_standard),
2129 - 0, { 0, 0 }, { } },
2130 + 0, NULL, 0, { 0, 0 }, { } },
2131 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2136 sizeof(struct ip6t_entry),
2137 sizeof(struct ip6t_standard),
2138 - 0, { 0, 0 }, { } },
2139 + 0, NULL, 0, { 0, 0 }, { } },
2140 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2145 sizeof(struct ip6t_entry),
2146 sizeof(struct ip6t_standard),
2147 - 0, { 0, 0 }, { } },
2148 + 0, NULL, 0, { 0, 0 }, { } },
2149 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2154 sizeof(struct ip6t_entry),
2155 sizeof(struct ip6t_error),
2156 - 0, { 0, 0 }, { } },
2157 + 0, NULL, 0, { 0, 0 }, { } },
2158 { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } },
2161 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_raw.c linux-2.6.0-test7/net/ipv6/netfilter/ip6table_raw.c
2162 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_raw.c 1970-01-01 01:00:00.000000000 +0100
2163 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6table_raw.c 2003-10-10 11:53:18.000000000 +0200
2166 + * IPv6 raw table, a port of the IPv4 raw table to IPv6
2168 + * Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2170 +#include <linux/module.h>
2171 +#include <linux/netfilter_ipv6/ip6_tables.h>
2173 +#define RAW_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_OUT))
2176 +#define DEBUGP(x, args...) printk(KERN_DEBUG x, ## args)
2178 +#define DEBUGP(x, args...)
2181 +/* Standard entry. */
2182 +struct ip6t_standard
2184 + struct ip6t_entry entry;
2185 + struct ip6t_standard_target target;
2188 +struct ip6t_error_target
2190 + struct ip6t_entry_target target;
2191 + char errorname[IP6T_FUNCTION_MAXNAMELEN];
2196 + struct ip6t_entry entry;
2197 + struct ip6t_error_target target;
2202 + struct ip6t_replace repl;
2203 + struct ip6t_standard entries[2];
2204 + struct ip6t_error term;
2205 +} initial_table __initdata
2206 += { { "raw", RAW_VALID_HOOKS, 3,
2207 + sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error),
2208 + { [NF_IP6_PRE_ROUTING] 0,
2209 + [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) },
2210 + { [NF_IP6_PRE_ROUTING] 0,
2211 + [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) },
2215 + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
2217 + sizeof(struct ip6t_entry),
2218 + sizeof(struct ip6t_standard),
2219 + 0, NULL, 0, { 0, 0 }, { } },
2220 + { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2221 + -NF_ACCEPT - 1 } },
2223 + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
2225 + sizeof(struct ip6t_entry),
2226 + sizeof(struct ip6t_standard),
2227 + 0, NULL, 0, { 0, 0 }, { } },
2228 + { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2229 + -NF_ACCEPT - 1 } },
2232 + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
2234 + sizeof(struct ip6t_entry),
2235 + sizeof(struct ip6t_error),
2236 + 0, NULL, 0, { 0, 0 }, { } },
2237 + { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } },
2244 +static struct ip6t_table packet_raw = {
2246 + .table = &initial_table.repl,
2247 + .valid_hooks = RAW_VALID_HOOKS,
2248 + .lock = RW_LOCK_UNLOCKED,
2252 +/* The work comes in here from netfilter.c. */
2253 +static unsigned int
2254 +ip6t_hook(unsigned int hook,
2255 + struct sk_buff **pskb,
2256 + const struct net_device *in,
2257 + const struct net_device *out,
2258 + int (*okfn)(struct sk_buff *))
2260 + return ip6t_do_table(pskb, hook, in, out, &packet_raw, NULL);
2263 +static struct nf_hook_ops ip6t_ops[] = {
2264 + { /* PRE_ROUTING */
2265 + .hook = ip6t_hook,
2266 + .owner = THIS_MODULE,
2268 + .hooknum = NF_IP6_PRE_ROUTING,
2269 + .priority = NF_IP6_PRI_FIRST,
2272 + .hook = ip6t_hook,
2273 + .owner = THIS_MODULE,
2275 + .hooknum = NF_IP6_LOCAL_OUT,
2276 + .priority = NF_IP6_PRI_FIRST,
2280 +static int __init init(void)
2284 + /* Register table */
2285 + ret = ip6t_register_table(&packet_raw);
2289 + /* Register hooks */
2290 + ret = nf_register_hook(&ip6t_ops[0]);
2292 + goto cleanup_table;
2294 + ret = nf_register_hook(&ip6t_ops[1]);
2296 + goto cleanup_hook0;
2301 + nf_unregister_hook(&ip6t_ops[0]);
2303 + ip6t_unregister_table(&packet_raw);
2308 +static void __exit fini(void)
2312 + for (i = 0; i < sizeof(ip6t_ops)/sizeof(struct nf_hook_ops); i++)
2313 + nf_unregister_hook(&ip6t_ops[i]);
2315 + ip6t_unregister_table(&packet_raw);
2320 +MODULE_LICENSE("GPL");
2321 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
2322 +MODULE_DESCRIPTION("IPv6 raw table");
2323 diff -Nur linux-2.6.0-test7.org/netfilter-patch-o-matic/patches linux-2.6.0-test7/netfilter-patch-o-matic/patches
2324 --- linux-2.6.0-test7.org/netfilter-patch-o-matic/patches 1970-01-01 01:00:00.000000000 +0100
2325 +++ linux-2.6.0-test7/netfilter-patch-o-matic/patches 2003-10-10 11:54:22.000000000 +0200
2327 +./base/01_sctp_match.patch
2328 +./pending/23_REJECT-headroom-tcprst.patch
2329 +./pending/24_rcu.patch
2330 +./pending/25-err-ptr.patch
2331 +./pending/26-memsets.patch
2332 +./pending/40_nf-log.patch
2333 +./pending/70_expect-evict-order.patch
2334 +./pending/71_raw.patch
2335 +./submitted/02_REJECT-headroom-tcprst.patch
2336 +./submitted/03_260t4-mirror-remove.patch
2337 +./submitted/03_physdev_bridged.patch
2338 +./submitted/04_260t4-unclean-remove.patch
2339 +./submitted/04_config-fix.patch
2340 +./submitted/75_nathelper-udp-csum.patch
2341 +./submitted/76_mangle_udp-sizecheck.patch
2342 +./submitted/77_destroy-conntrack.patch
2343 +./submitted/78_reject-localout.patch
2344 +./submitted/80_ip_conntrack-proc.patch
2345 +./submitted/82_irc-conntrack-mirc-serverlookup.patch
2346 +./submitted/83_nolocalout.patch
2347 +./submitted/84_local-nullbinding.patch
2348 +./submitted/85_ipv6header.patch
2349 +./submitted/86_getorigdst-tuple-zero.patch