1 diff -Nur linux-2.6.0-test9.org/include/linux/netfilter.h linux-2.6.0-test9/include/linux/netfilter.h
2 --- linux-2.6.0-test9.org/include/linux/netfilter.h 2003-10-25 20:43:40.000000000 +0200
3 +++ linux-2.6.0-test9/include/linux/netfilter.h 2003-10-26 12:44:33.000000000 +0100
5 <= 0x2000 is used for protocol-flags. */
6 #define NFC_UNKNOWN 0x4000
7 #define NFC_ALTERED 0x8000
8 +#define NFC_TRACE 0x10000
11 #include <linux/config.h>
14 extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
16 +typedef void nf_logfn(unsigned int hooknum,
17 + const struct sk_buff *skb,
18 + const struct net_device *in,
19 + const struct net_device *out,
20 + const char *prefix);
22 +/* Function to register/unregister log function. */
23 +int nf_log_register(int pf, nf_logfn *logfn);
24 +void nf_log_unregister(int pf, nf_logfn *logfn);
26 +/* Calls the registered backend logging function */
27 +void nf_log_packet(int pf,
28 + unsigned int hooknum,
29 + const struct sk_buff *skb,
30 + const struct net_device *in,
31 + const struct net_device *out,
32 + const char *fmt, ...);
34 /* Activate hook; either okfn or kfree_skb called, unless a hook
35 returns NF_STOLEN (in which case, it's up to the hook to deal with
37 diff -Nur linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.0-test9/include/linux/netfilter_ipv4/ip_conntrack.h
38 --- linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ip_conntrack.h 2003-10-25 20:44:44.000000000 +0200
39 +++ linux-2.6.0-test9/include/linux/netfilter_ipv4/ip_conntrack.h 2003-10-26 12:44:33.000000000 +0100
42 extern unsigned int ip_conntrack_htable_size;
44 +/* A fake conntrack entry which never vanishes. */
45 +extern struct ip_conntrack ip_conntrack_untracked;
47 /* eg. PROVIDES_CONNTRACK(ftp); */
48 #define PROVIDES_CONNTRACK(name) \
49 int needs_ip_conntrack_##name; \
50 diff -Nur linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ip_tables.h linux-2.6.0-test9/include/linux/netfilter_ipv4/ip_tables.h
51 --- linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ip_tables.h 2003-10-25 20:43:46.000000000 +0200
52 +++ linux-2.6.0-test9/include/linux/netfilter_ipv4/ip_tables.h 2003-10-26 12:44:33.000000000 +0100
55 unsigned int comefrom;
57 + /* Name of the chain */
60 + /* Rule number in the chain. */
63 /* Packet and byte counters. */
64 struct ipt_counters counters;
66 diff -Nur linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ipt_ULOG.h linux-2.6.0-test9/include/linux/netfilter_ipv4/ipt_ULOG.h
67 --- linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ipt_ULOG.h 2003-10-25 20:43:28.000000000 +0200
68 +++ linux-2.6.0-test9/include/linux/netfilter_ipv4/ipt_ULOG.h 2003-10-26 12:44:13.000000000 +0100
70 #define NETLINK_NFLOG 5
73 +#define NFLOG_DEFAULT_NLGROUP 1
74 +#define NFLOG_DEFAULT_QTHRESHOLD 1
76 #define ULOG_MAC_LEN 80
77 #define ULOG_PREFIX_LEN 32
79 diff -Nur linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ipt_conntrack.h linux-2.6.0-test9/include/linux/netfilter_ipv4/ipt_conntrack.h
80 --- linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ipt_conntrack.h 2003-10-25 20:44:16.000000000 +0200
81 +++ linux-2.6.0-test9/include/linux/netfilter_ipv4/ipt_conntrack.h 2003-10-26 12:44:33.000000000 +0100
84 #define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
85 #define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
86 +#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
88 /* flags, invflags: */
89 #define IPT_CONNTRACK_STATE 0x01
90 diff -Nur linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.0-test9/include/linux/netfilter_ipv4/ipt_sctp.h
91 --- linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ipt_sctp.h 1970-01-01 01:00:00.000000000 +0100
92 +++ linux-2.6.0-test9/include/linux/netfilter_ipv4/ipt_sctp.h 2003-10-26 12:44:43.000000000 +0100
94 +/* iptables module for matching the SCTP header
96 + * (C) 2003 Harald Welte <laforge@gnumonks.org>
98 + * This software is distributed under GNU GPL v2, 1991
105 +struct ipt_sctp_info {
106 + u_int16_t spts[2]; /* Souce port range */
107 + u_int16_t dpts[2]; /* Destination port range */
108 + u_int32_t chunks; /* chunks to be matched */
109 + u_int32_t chunk_mask; /* chunk mask to be matched */
110 + u_int8_t invflags; /* Inverse flags */
113 +#define IPT_SCTP_INV_SRCPT 0x01 /* Invert the sense of source ports */
114 +#define IPT_SCTP_INV_DSTPT 0x02 /* Invert the sense of dest ports */
115 +#define IPT_SCTP_INV_CHUNKS 0x03 /* Invert the sense of chunks */
116 +#define IPT_SCTP_INV_MASK 0x03 /* All possible flags */
118 +#endif /* _IPT_SCTP_H */
119 diff -Nur linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ipt_state.h linux-2.6.0-test9/include/linux/netfilter_ipv4/ipt_state.h
120 --- linux-2.6.0-test9.org/include/linux/netfilter_ipv4/ipt_state.h 2003-10-25 20:44:36.000000000 +0200
121 +++ linux-2.6.0-test9/include/linux/netfilter_ipv4/ipt_state.h 2003-10-26 12:44:33.000000000 +0100
123 #define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
124 #define IPT_STATE_INVALID (1 << 0)
126 +#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
128 struct ipt_state_info
130 unsigned int statemask;
131 diff -Nur linux-2.6.0-test9.org/include/linux/netfilter_ipv4.h linux-2.6.0-test9/include/linux/netfilter_ipv4.h
132 --- linux-2.6.0-test9.org/include/linux/netfilter_ipv4.h 2003-10-25 20:44:34.000000000 +0200
133 +++ linux-2.6.0-test9/include/linux/netfilter_ipv4.h 2003-10-26 12:44:33.000000000 +0100
136 enum nf_ip_hook_priorities {
137 NF_IP_PRI_FIRST = INT_MIN,
138 + NF_IP_PRI_CONNTRACK_DEFRAG = -400,
139 + NF_IP_PRI_RAW = -300,
140 NF_IP_PRI_CONNTRACK = -200,
141 NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
142 NF_IP_PRI_MANGLE = -150,
143 diff -Nur linux-2.6.0-test9.org/include/linux/netfilter_ipv6/ip6_tables.h linux-2.6.0-test9/include/linux/netfilter_ipv6/ip6_tables.h
144 --- linux-2.6.0-test9.org/include/linux/netfilter_ipv6/ip6_tables.h 2003-10-25 20:44:48.000000000 +0200
145 +++ linux-2.6.0-test9/include/linux/netfilter_ipv6/ip6_tables.h 2003-10-26 12:44:33.000000000 +0100
148 unsigned int comefrom;
150 + /* Name of the chain */
153 + /* Rule number in the chain. */
156 /* Packet and byte counters. */
157 struct ip6t_counters counters;
159 diff -Nur linux-2.6.0-test9.org/net/bridge/br_netfilter.c linux-2.6.0-test9/net/bridge/br_netfilter.c
160 --- linux-2.6.0-test9.org/net/bridge/br_netfilter.c 2003-10-25 20:44:49.000000000 +0200
161 +++ linux-2.6.0-test9/net/bridge/br_netfilter.c 2003-10-26 12:43:43.000000000 +0100
163 if (skb->pkt_type == PACKET_OTHERHOST) {
164 skb->pkt_type = PACKET_HOST;
165 nf_bridge->mask |= BRNF_PKT_TYPE;
166 + /* The physdev module checks on this */
167 + nf_bridge->mask |= BRNF_BRIDGED;
170 nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
171 diff -Nur linux-2.6.0-test9.org/net/core/netfilter.c linux-2.6.0-test9/net/core/netfilter.c
172 --- linux-2.6.0-test9.org/net/core/netfilter.c 2003-10-25 20:43:34.000000000 +0200
173 +++ linux-2.6.0-test9/net/core/netfilter.c 2003-10-26 12:44:13.000000000 +0100
176 * February 2000: Modified by James Morris to have 1 queue per protocol.
177 * 15-Mar-2000: Added NF_REPEAT --RR.
178 + * 08-May-2003: Internal logging interface added by Jozsef Kadlecsik.
180 #include <linux/config.h>
181 +#include <linux/kernel.h>
182 #include <linux/netfilter.h>
183 #include <net/protocol.h>
184 #include <linux/init.h>
186 EXPORT_SYMBOL(skb_ip_make_writable);
187 #endif /*CONFIG_INET*/
189 +/* Internal logging interface, which relies on the real
190 + LOG target modules */
192 +#define NF_LOG_PREFIXLEN 128
194 +static nf_logfn *nf_logging[NPROTO]; /* = NULL */
195 +static int reported = 0;
196 +static spinlock_t nf_log_lock = SPIN_LOCK_UNLOCKED;
198 +int nf_log_register(int pf, nf_logfn *logfn)
202 + /* Any setup of logging members must be done before
203 + * substituting pointer. */
205 + spin_lock(&nf_log_lock);
206 + if (!nf_logging[pf]) {
207 + nf_logging[pf] = logfn;
210 + spin_unlock(&nf_log_lock);
214 +void nf_log_unregister(int pf, nf_logfn *logfn)
216 + spin_lock(&nf_log_lock);
217 + if (nf_logging[pf] == logfn)
218 + nf_logging[pf] = NULL;
219 + spin_unlock(&nf_log_lock);
221 + /* Give time to concurrent readers. */
225 +void nf_log_packet(int pf,
226 + unsigned int hooknum,
227 + const struct sk_buff *skb,
228 + const struct net_device *in,
229 + const struct net_device *out,
230 + const char *fmt, ...)
233 + char prefix[NF_LOG_PREFIXLEN];
237 + logfn = nf_logging[pf];
239 + va_start(args, fmt);
240 + vsnprintf(prefix, sizeof(prefix), fmt, args);
242 + /* We must read logging before nf_logfn[pf] */
243 + smp_read_barrier_depends();
244 + logfn(hooknum, skb, in, out, prefix);
245 + } else if (!reported) {
246 + printk(KERN_WARNING "nf_log_packet: can\'t log yet, "
247 + "no backend logging module loaded in!\n");
253 /* This does not belong here, but ipt_REJECT needs it if connection
254 tracking in use: without this, connection may not be in hash table,
255 and hence manufactured ICMP or RST packets will not be associated
257 EXPORT_SYMBOL(nf_unregister_hook);
258 EXPORT_SYMBOL(nf_unregister_queue_handler);
259 EXPORT_SYMBOL(nf_unregister_sockopt);
260 +EXPORT_SYMBOL(nf_log_register);
261 +EXPORT_SYMBOL(nf_log_unregister);
262 +EXPORT_SYMBOL(nf_log_packet);
263 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/Kconfig linux-2.6.0-test9/net/ipv4/netfilter/Kconfig
264 --- linux-2.6.0-test9.org/net/ipv4/netfilter/Kconfig 2003-10-25 20:44:33.000000000 +0200
265 +++ linux-2.6.0-test9/net/ipv4/netfilter/Kconfig 2003-10-26 12:44:43.000000000 +0100
268 To compile it as a module, choose M here. If unsure, say N.
270 +config IP_NF_MATCH_SCTP
271 + tristate "SCTP match support"
272 + depends on IP_NF_IPTABLES
274 + This match allows iptables to match on the SCTP header.
276 + If you want to compile it as a module, say M here and read
277 + <file:Documentation/modules.txt>. If unsure, say `N'.
279 config IP_NF_MATCH_LENGTH
280 tristate "LENGTH match support"
281 depends on IP_NF_IPTABLES
284 To compile it as a module, choose M here. If unsure, say N.
287 + tristate "Raw table"
288 + depends on IP_NF_IPTABLES
290 + This option adds a `raw' table to iptables: see the man page for
291 + iptables(8). This table is the very first in the netfilter
292 + framework and hooks in at the PREROUTING and OUTPUT chains.
293 + The TRACE and NOTRACK targets can be used in this table only.
295 + To compile it as a module, choose M here. If unsure, say N.
297 +config IP_NF_TARGET_TRACE
298 + tristate "TRACE target support"
299 + depends on IP_NF_RAW
301 + The TRACE target allows packets to be traced as those matches
302 + any subsequent rule in any table/rule. The matched rule and
303 + the packet is logged with the prefix
305 + TRACE: tablename/chainname/rulenum
307 + if the ipt_LOG or ipt_ULOG targets are loaded in.
309 + To compile it as a module, choose M here. If unsure, say N.
311 +config IP_NF_TARGET_NOTRACK
312 + tristate "NOTRACK target support"
313 + depends on IP_NF_RAW
315 + The NOTRACK target allows a select rule to specify which
316 + packets *not* to enter the conntrack/NAT subsystems
317 + with all the consequences (no ICMP error tracking,
318 + no protocol helpers for the selected packets).
320 + To compile it as a module, choose M here. If unsure, say N.
322 config IP_NF_ARPTABLES
323 tristate "ARP tables support"
325 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/Makefile linux-2.6.0-test9/net/ipv4/netfilter/Makefile
326 --- linux-2.6.0-test9.org/net/ipv4/netfilter/Makefile 2003-10-25 20:43:07.000000000 +0200
327 +++ linux-2.6.0-test9/net/ipv4/netfilter/Makefile 2003-10-26 12:44:44.000000000 +0100
330 obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
332 -# the three instances of ip_tables
333 +# the four instances of ip_tables
334 obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
335 obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
336 obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
337 +obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
340 +obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
341 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
342 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
343 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
345 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
346 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
347 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
348 +obj-$(CONFIG_IP_NF_TARGET_NOTRACK) += ipt_NOTRACK.o
349 +obj-$(CONFIG_IP_NF_TARGET_TRACE) += ipt_TRACE.o
352 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
353 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.0-test9/net/ipv4/netfilter/ip_conntrack_core.c
354 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ip_conntrack_core.c 2003-10-25 20:42:41.000000000 +0200
355 +++ linux-2.6.0-test9/net/ipv4/netfilter/ip_conntrack_core.c 2003-10-26 12:44:33.000000000 +0100
357 #include <linux/slab.h>
358 #include <linux/random.h>
359 #include <linux/jhash.h>
360 -/* For ERR_PTR(). Yeah, I know... --RR */
361 -#include <linux/fs.h>
362 +#include <linux/err.h>
364 /* This rwlock protects the main hash table, protocol/helper/expected
365 registrations, conntrack timers*/
367 static atomic_t ip_conntrack_count = ATOMIC_INIT(0);
368 struct list_head *ip_conntrack_hash;
369 static kmem_cache_t *ip_conntrack_cachep;
370 +struct ip_conntrack ip_conntrack_untracked;
372 extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
374 @@ -808,18 +808,10 @@
378 - /* Previously seen (loopback)? Ignore. Do this before
380 + /* Previously seen (loopback or untracked)? Ignore. */
384 - /* Gather fragments. */
385 - if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
386 - *pskb = ip_ct_gather_frags(*pskb);
391 proto = ip_ct_find_proto((*pskb)->nh.iph->protocol);
393 /* It may be an icmp error... */
396 } else if (related_to->helper->max_expected &&
397 related_to->expecting >= related_to->helper->max_expected) {
398 - struct list_head *cur_item;
400 if (!(related_to->helper->flags &
401 IP_CT_HELPER_F_REUSE_EXPECT)) {
402 @@ -978,21 +969,14 @@
403 NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
405 /* choose the the oldest expectation to evict */
406 - list_for_each(cur_item, &related_to->sibling_list) {
407 - struct ip_conntrack_expect *cur;
409 - cur = list_entry(cur_item,
410 - struct ip_conntrack_expect,
412 - if (cur->sibling == NULL) {
414 + list_for_each_entry(old, &related_to->sibling_list,
416 + if (old->sibling == NULL)
421 - /* (!old) cannot happen, since related_to->expecting is the
422 - * number of unconfirmed expects */
424 + /* We cannot fail since related_to->expecting is the number
425 + * of unconfirmed expectations */
426 + IP_NF_ASSERT(old && old->sibling == NULL);
428 /* newnat14 does not reuse the real allocated memory
429 * structures but rather unexpects the old and
430 @@ -1024,7 +1008,7 @@
431 atomic_set(&new->use, 1);
433 /* add to expected list for this connection */
434 - list_add(&new->expected_list, &related_to->sibling_list);
435 + list_add_tail(&new->expected_list, &related_to->sibling_list);
436 /* add to global list of expectations */
437 list_prepend(&ip_conntrack_expect_list, &new->list);
438 /* add and start timer if required */
439 @@ -1419,6 +1403,15 @@
441 /* For use by ipt_REJECT */
442 ip_ct_attach = ip_conntrack_attach;
444 + /* Set up fake conntrack:
445 + - to never be deleted, not in any hashes */
446 + atomic_set(&ip_conntrack_untracked.ct_general.use, 1);
447 + /* - and look it like as a confirmed connection */
448 + set_bit(IPS_CONFIRMED_BIT, &ip_conntrack_untracked.status);
449 + /* - and prepare the ctinfo field for NAT. */
450 + ip_conntrack_untracked.infos[IP_CT_NEW].master = &ip_conntrack_untracked.ct_general;
455 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.0-test9/net/ipv4/netfilter/ip_conntrack_standalone.c
456 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-10-25 20:43:32.000000000 +0200
457 +++ linux-2.6.0-test9/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-10-26 12:44:33.000000000 +0100
459 return ip_conntrack_confirm(*pskb);
462 +static unsigned int ip_conntrack_defrag(unsigned int hooknum,
463 + struct sk_buff **pskb,
464 + const struct net_device *in,
465 + const struct net_device *out,
466 + int (*okfn)(struct sk_buff *))
468 + /* Previously seen (loopback)? Ignore. Do this before
473 + /* Gather fragments. */
474 + if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
475 + *pskb = ip_ct_gather_frags(*pskb);
482 static unsigned int ip_refrag(unsigned int hooknum,
483 struct sk_buff **pskb,
484 const struct net_device *in,
486 return ip_conntrack_in(hooknum, pskb, in, out, okfn);
489 +/* At the very first: defragment */
490 +static struct nf_hook_ops ip_conntrack_defrag_ops = {
491 + .hook = ip_conntrack_defrag,
492 + .owner = THIS_MODULE,
494 + .hooknum = NF_IP_PRE_ROUTING,
495 + .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
498 /* Connection tracking may drop packets, but never alters them, so
499 make it the first hook. */
500 static struct nf_hook_ops ip_conntrack_in_ops = {
501 @@ -367,10 +396,15 @@
502 if (!proc) goto cleanup_init;
503 proc->owner = THIS_MODULE;
505 + ret = nf_register_hook(&ip_conntrack_defrag_ops);
507 + printk("ip_conntrack: can't register pre-routing hook to defrag.\n");
510 ret = nf_register_hook(&ip_conntrack_in_ops);
512 printk("ip_conntrack: can't register pre-routing hook.\n");
514 + goto cleanup_defragops;
516 ret = nf_register_hook(&ip_conntrack_local_out_ops);
519 nf_unregister_hook(&ip_conntrack_local_out_ops);
521 nf_unregister_hook(&ip_conntrack_in_ops);
523 + nf_unregister_hook(&ip_conntrack_defrag_ops);
525 proc_net_remove("ip_conntrack");
528 EXPORT_SYMBOL(ip_conntrack_expect_list);
529 EXPORT_SYMBOL(ip_conntrack_lock);
530 EXPORT_SYMBOL(ip_conntrack_hash);
531 +EXPORT_SYMBOL(ip_conntrack_untracked);
532 EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
533 EXPORT_SYMBOL_GPL(ip_conntrack_put);
534 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.6.0-test9/net/ipv4/netfilter/ip_conntrack_tftp.c
535 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ip_conntrack_tftp.c 2003-10-25 20:43:19.000000000 +0200
536 +++ linux-2.6.0-test9/net/ipv4/netfilter/ip_conntrack_tftp.c 2003-10-26 12:44:03.000000000 +0100
539 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
540 /* Create helper structure */
541 - memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
543 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
544 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
545 tftp[i].mask.dst.protonum = 0xFFFF;
546 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ip_nat_amanda.c linux-2.6.0-test9/net/ipv4/netfilter/ip_nat_amanda.c
547 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ip_nat_amanda.c 2003-10-25 20:43:06.000000000 +0200
548 +++ linux-2.6.0-test9/net/ipv4/netfilter/ip_nat_amanda.c 2003-10-26 12:44:03.000000000 +0100
550 struct ip_nat_helper *hlpr;
552 hlpr = &ip_nat_amanda_helper;
553 - memset(hlpr, 0, sizeof(struct ip_nat_helper));
555 hlpr->tuple.dst.protonum = IPPROTO_UDP;
556 hlpr->tuple.src.u.udp.port = htons(10080);
557 hlpr->mask.src.u.udp.port = 0xFFFF;
558 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ip_nat_core.c linux-2.6.0-test9/net/ipv4/netfilter/ip_nat_core.c
559 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ip_nat_core.c 2003-10-25 20:43:01.000000000 +0200
560 +++ linux-2.6.0-test9/net/ipv4/netfilter/ip_nat_core.c 2003-10-26 12:44:33.000000000 +0100
563 /* Have to grab read lock before sibling_list traversal */
564 READ_LOCK(&ip_conntrack_lock);
565 - list_for_each(cur_item, &ct->sibling_list) {
566 + list_for_each_prev(cur_item, &ct->sibling_list) {
567 exp = list_entry(cur_item, struct ip_conntrack_expect,
570 @@ -1009,7 +1009,11 @@
571 /* FIXME: Man, this is a hack. <SIGH> */
572 IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
573 ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;
576 + /* Initialize fake conntrack so that NAT will skip it */
577 + ip_conntrack_untracked.nat.info.initialized |=
578 + (1 << IP_NAT_MANIP_SRC) | (1 << IP_NAT_MANIP_DST);
583 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ip_nat_rule.c linux-2.6.0-test9/net/ipv4/netfilter/ip_nat_rule.c
584 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ip_nat_rule.c 2003-10-25 20:43:27.000000000 +0200
585 +++ linux-2.6.0-test9/net/ipv4/netfilter/ip_nat_rule.c 2003-10-26 12:44:33.000000000 +0100
588 sizeof(struct ipt_entry),
589 sizeof(struct ipt_standard),
590 - 0, { 0, 0 }, { } },
591 + 0, NULL, 0, { 0, 0 }, { } },
592 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
597 sizeof(struct ipt_entry),
598 sizeof(struct ipt_standard),
599 - 0, { 0, 0 }, { } },
600 + 0, NULL, 0, { 0, 0 }, { } },
601 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
606 sizeof(struct ipt_entry),
607 sizeof(struct ipt_standard),
608 - 0, { 0, 0 }, { } },
609 + 0, NULL, 0, { 0, 0 }, { } },
610 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
615 sizeof(struct ipt_entry),
616 sizeof(struct ipt_error),
617 - 0, { 0, 0 }, { } },
618 + 0, NULL, 0, { 0, 0 }, { } },
619 { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
622 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ip_nat_tftp.c linux-2.6.0-test9/net/ipv4/netfilter/ip_nat_tftp.c
623 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ip_nat_tftp.c 2003-10-25 20:43:18.000000000 +0200
624 +++ linux-2.6.0-test9/net/ipv4/netfilter/ip_nat_tftp.c 2003-10-26 12:44:03.000000000 +0100
626 ports[0] = TFTP_PORT;
628 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
629 - memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
631 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
632 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
633 tftp[i].mask.dst.protonum = 0xFFFF;
634 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ip_tables.c linux-2.6.0-test9/net/ipv4/netfilter/ip_tables.c
635 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ip_tables.c 2003-10-25 20:43:11.000000000 +0200
636 +++ linux-2.6.0-test9/net/ipv4/netfilter/ip_tables.c 2003-10-26 12:44:33.000000000 +0100
638 #include <linux/config.h>
639 #include <linux/cache.h>
640 #include <linux/skbuff.h>
641 +#include <linux/socket.h>
642 #include <linux/kmod.h>
643 #include <linux/vmalloc.h>
644 #include <linux/netdevice.h>
646 #include <asm/semaphore.h>
647 #include <linux/proc_fs.h>
649 +#include <linux/netfilter.h>
650 #include <linux/netfilter_ipv4/ip_tables.h>
652 +static const char *hooknames[] = {
653 + [NF_IP_PRE_ROUTING] "PREROUTING",
654 + [NF_IP_LOCAL_IN] "INPUT",
655 + [NF_IP_FORWARD] "FORWARD",
656 + [NF_IP_LOCAL_OUT] "OUTPUT",
657 + [NF_IP_POST_ROUTING] "POSTROUTING",
660 MODULE_LICENSE("GPL");
661 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
662 MODULE_DESCRIPTION("IPv4 packet filter");
665 t = ipt_get_target(e);
666 IP_NF_ASSERT(t->u.kernel.target);
668 + /* The packet traced and the rule isn't an unconditional return/END. */
669 + if (((*pskb)->nfcache & NFC_TRACE) && e->rulenum) {
670 + nf_log_packet(AF_INET, hook, *pskb, in, out, "TRACE: %s/%s/%u ",
671 + table->name, e->chainname, e->rulenum);
673 /* Standard target? */
674 if (!t->u.kernel.target->target) {
677 return find_inlist_lock(&ipt_target, name, "ipt_", error, mutex);
681 +find_error_target(struct ipt_entry *s,
682 + struct ipt_entry *e,
685 + struct ipt_entry_target *t;
686 + static struct ipt_entry *found = NULL;
691 + t = ipt_get_target(found);
692 + if (strcmp(t->u.user.name,
693 + IPT_ERROR_TARGET) == 0) {
694 + *chainname = t->data;
703 /* All zeroes == unconditional rule. */
705 unconditional(const struct ipt_ip *ip)
707 mark_source_chains(struct ipt_table_info *newinfo, unsigned int valid_hooks)
710 + char *chainname = NULL;
713 /* No recursion; use packet counter to save back ptrs (reset
714 to 0 as we leave), and comefrom to save source hook bitmask */
717 /* Set initial back pointer. */
718 e->counters.pcnt = pos;
720 + chainname = (char *) hooknames[hook];
723 struct ipt_standard_target *t
727 |= ((1 << hook) | (1 << NF_IP_NUMHOOKS));
728 + e->rulenum = rulenum++;
729 + e->chainname = chainname;
731 /* Unconditional return/END. */
732 if (e->target_offset == sizeof(struct ipt_entry)
734 && unconditional(&e->ip)) {
735 unsigned int oldpos, size;
737 + /* Set unconditional rulenum to zero. */
739 + e->counters.bcnt = 0;
741 /* Return: backtrack through the last
745 (newinfo->entries + pos);
746 } while (oldpos == pos + e->next_offset);
748 + /* Restore chainname, rulenum. */
749 + chainname = e->chainname;
750 + rulenum = e->counters.bcnt;
751 + e->counters.bcnt = 0;
754 size = e->next_offset;
755 e = (struct ipt_entry *)
757 /* This a jump; chase it. */
758 duprintf("Jump rule %u -> %u\n",
760 + e->counters.bcnt = rulenum++;
762 + e = (struct ipt_entry *)
763 + (newinfo->entries + newpos);
764 + if (IPT_ENTRY_ITERATE(newinfo->entries,
767 + e, &chainname) == 0) {
768 + printk("ip_tables: table screwed up!\n");
772 /* ... this is a fallthru */
773 newpos = pos + e->next_offset;
774 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_LOG.c linux-2.6.0-test9/net/ipv4/netfilter/ipt_LOG.c
775 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_LOG.c 2003-10-25 20:44:37.000000000 +0200
776 +++ linux-2.6.0-test9/net/ipv4/netfilter/ipt_LOG.c 2003-10-26 12:44:13.000000000 +0100
778 #include <linux/module.h>
779 #include <linux/spinlock.h>
780 #include <linux/skbuff.h>
781 +#include <linux/socket.h>
782 #include <linux/ip.h>
783 #include <net/icmp.h>
786 #include <net/route.h>
788 +#include <linux/netfilter.h>
789 #include <linux/netfilter_ipv4/ip_tables.h>
790 #include <linux/netfilter_ipv4/ipt_LOG.h>
793 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
794 MODULE_DESCRIPTION("iptables syslog logging module");
796 +static unsigned int nflog = 1;
797 +MODULE_PARM(nflog, "i");
798 +MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
801 #define DEBUGP printk
803 @@ -315,28 +321,25 @@
804 /* maxlen = 230+ 91 + 230 + 252 = 803 */
808 -ipt_log_target(struct sk_buff **pskb,
810 +ipt_log_packet(unsigned int hooknum,
811 + const struct sk_buff *skb,
812 const struct net_device *in,
813 const struct net_device *out,
814 - unsigned int hooknum,
815 - const void *targinfo,
817 + const struct ipt_log_info *loginfo,
818 + const char *level_string,
819 + const char *prefix)
821 - const struct ipt_log_info *loginfo = targinfo;
822 - char level_string[4] = "< >";
824 - level_string[1] = '0' + (loginfo->level % 8);
825 spin_lock_bh(&log_lock);
826 printk(level_string);
827 printk("%sIN=%s OUT=%s ",
829 + prefix == NULL ? loginfo->prefix : prefix,
831 out ? out->name : "");
832 #ifdef CONFIG_BRIDGE_NETFILTER
833 - if ((*pskb)->nf_bridge) {
834 - struct net_device *physindev = (*pskb)->nf_bridge->physindev;
835 - struct net_device *physoutdev = (*pskb)->nf_bridge->physoutdev;
836 + if (skb->nf_bridge) {
837 + struct net_device *physindev = skb->nf_bridge->physindev;
838 + struct net_device *physoutdev = skb->nf_bridge->physoutdev;
840 if (physindev && in != physindev)
841 printk("PHYSIN=%s ", physindev->name);
842 @@ -348,25 +351,56 @@
844 /* MAC logging for input chain only. */
846 - if ((*pskb)->dev && (*pskb)->dev->hard_header_len
847 - && (*pskb)->mac.raw != (void*)(*pskb)->nh.iph) {
848 + if (skb->dev && skb->dev->hard_header_len
849 + && skb->mac.raw != (void*)skb->nh.iph) {
851 - unsigned char *p = (*pskb)->mac.raw;
852 - for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
853 + unsigned char *p = skb->mac.raw;
854 + for (i = 0; i < skb->dev->hard_header_len; i++,p++)
856 - i==(*pskb)->dev->hard_header_len - 1
857 + i==skb->dev->hard_header_len - 1
863 - dump_packet(loginfo, *pskb, 0);
864 + dump_packet(loginfo, skb, 0);
866 spin_unlock_bh(&log_lock);
870 +ipt_log_target(struct sk_buff **pskb,
871 + const struct net_device *in,
872 + const struct net_device *out,
873 + unsigned int hooknum,
874 + const void *targinfo,
877 + const struct ipt_log_info *loginfo = targinfo;
878 + char level_string[4] = "< >";
880 + level_string[1] = '0' + (loginfo->level % 8);
881 + ipt_log_packet(hooknum, *pskb, in, out, loginfo, level_string, NULL);
887 +ipt_logfn(unsigned int hooknum,
888 + const struct sk_buff *skb,
889 + const struct net_device *in,
890 + const struct net_device *out,
891 + const char *prefix)
893 + struct ipt_log_info loginfo = {
895 + .logflags = IPT_LOG_MASK,
899 + ipt_log_packet(hooknum, skb, in, out, &loginfo, KERN_WARNING, prefix);
902 static int ipt_log_checkentry(const char *tablename,
903 const struct ipt_entry *e,
905 @@ -406,12 +440,17 @@
907 if (ipt_register_target(&ipt_log_reg))
910 + nf_log_register(PF_INET, &ipt_logfn);
915 static void __exit fini(void)
918 + nf_log_unregister(PF_INET, &ipt_logfn);
920 ipt_unregister_target(&ipt_log_reg);
923 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_NOTRACK.c linux-2.6.0-test9/net/ipv4/netfilter/ipt_NOTRACK.c
924 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_NOTRACK.c 1970-01-01 01:00:00.000000000 +0100
925 +++ linux-2.6.0-test9/net/ipv4/netfilter/ipt_NOTRACK.c 2003-10-26 12:44:33.000000000 +0100
927 +/* This is a module which is used for setting up fake conntracks
928 + * on packets so that they are not seen by the conntrack/NAT code.
930 +#include <linux/module.h>
931 +#include <linux/skbuff.h>
933 +#include <linux/netfilter_ipv4/ip_tables.h>
934 +#include <linux/netfilter_ipv4/ip_conntrack.h>
937 +target(struct sk_buff **pskb,
938 + const struct net_device *in,
939 + const struct net_device *out,
940 + unsigned int hooknum,
941 + const void *targinfo,
944 + /* Previously seen (loopback)? Ignore. */
945 + if ((*pskb)->nfct != NULL)
946 + return IPT_CONTINUE;
948 + /* Attach fake conntrack entry.
949 + If there is a real ct entry correspondig to this packet,
950 + it'll hang aroun till timing out. We don't deal with it
951 + for performance reasons. JK */
952 + (*pskb)->nfct = &ip_conntrack_untracked.infos[IP_CT_NEW];
953 + nf_conntrack_get((*pskb)->nfct);
955 + return IPT_CONTINUE;
959 +checkentry(const char *tablename,
960 + const struct ipt_entry *e,
962 + unsigned int targinfosize,
963 + unsigned int hook_mask)
965 + if (targinfosize != 0) {
966 + printk(KERN_WARNING "NOTRACK: targinfosize %u != 0\n",
971 + if (strcmp(tablename, "raw") != 0) {
972 + printk(KERN_WARNING "NOTRACK: can only be called from \"raw\" table, not \"%s\"\n", tablename);
979 +static struct ipt_target ipt_notrack_reg = {
982 + .checkentry = checkentry,
987 +static int __init init(void)
989 + if (ipt_register_target(&ipt_notrack_reg))
995 +static void __exit fini(void)
997 + ipt_unregister_target(&ipt_notrack_reg);
1003 +MODULE_LICENSE("GPL");
1004 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1005 +MODULE_DESCRIPTION("IPv4 NOTRACK target");
1006 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_TRACE.c linux-2.6.0-test9/net/ipv4/netfilter/ipt_TRACE.c
1007 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_TRACE.c 1970-01-01 01:00:00.000000000 +0100
1008 +++ linux-2.6.0-test9/net/ipv4/netfilter/ipt_TRACE.c 2003-10-26 12:44:33.000000000 +0100
1010 +/* This is a module which is used for setting
1011 + * the NFC_TRACE flag in the nfcache field of an skb.
1013 +#include <linux/module.h>
1014 +#include <linux/skbuff.h>
1016 +#include <linux/netfilter_ipv4/ip_tables.h>
1018 +static unsigned int
1019 +target(struct sk_buff **pskb,
1020 + const struct net_device *in,
1021 + const struct net_device *out,
1022 + unsigned int hooknum,
1023 + const void *targinfo,
1026 + (*pskb)->nfcache |= NFC_TRACE;
1027 + return IPT_CONTINUE;
1031 +checkentry(const char *tablename,
1032 + const struct ipt_entry *e,
1034 + unsigned int targinfosize,
1035 + unsigned int hook_mask)
1037 + if (targinfosize != 0) {
1038 + printk(KERN_WARNING "TRACE: targinfosize %u != 0\n",
1043 + if (strcmp(tablename, "raw") != 0) {
1044 + printk(KERN_WARNING "TRACE: can only be called from \"raw\" table, not \"%s\"\n", tablename);
1051 +static struct ipt_target ipt_trace_reg = {
1054 + .checkentry = checkentry,
1056 + .me = THIS_MODULE,
1059 +static int __init init(void)
1061 + if (ipt_register_target(&ipt_trace_reg))
1067 +static void __exit fini(void)
1069 + ipt_unregister_target(&ipt_trace_reg);
1074 +MODULE_LICENSE("GPL");
1075 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1076 +MODULE_DESCRIPTION("IPv4 TRACE target");
1077 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_ULOG.c linux-2.6.0-test9/net/ipv4/netfilter/ipt_ULOG.c
1078 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_ULOG.c 2003-10-25 20:43:22.000000000 +0200
1079 +++ linux-2.6.0-test9/net/ipv4/netfilter/ipt_ULOG.c 2003-10-26 12:44:13.000000000 +0100
1081 #include <linux/netlink.h>
1082 #include <linux/netdevice.h>
1083 #include <linux/mm.h>
1084 +#include <linux/netfilter.h>
1085 #include <linux/netfilter_ipv4/ip_tables.h>
1086 #include <linux/netfilter_ipv4/ipt_ULOG.h>
1087 #include <linux/netfilter_ipv4/lockhelp.h>
1089 MODULE_PARM(flushtimeout, "i");
1090 MODULE_PARM_DESC(flushtimeout, "buffer flush timeout");
1092 +static unsigned int nflog = 1;
1093 +MODULE_PARM(nflog, "i");
1094 +MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
1096 /* global data structures */
1099 @@ -152,17 +157,17 @@
1103 -static unsigned int ipt_ulog_target(struct sk_buff **pskb,
1104 - const struct net_device *in,
1105 - const struct net_device *out,
1106 - unsigned int hooknum,
1107 - const void *targinfo, void *userinfo)
1108 +static void ipt_ulog_packet(unsigned int hooknum,
1109 + const struct sk_buff *skb,
1110 + const struct net_device *in,
1111 + const struct net_device *out,
1112 + const struct ipt_ulog_info *loginfo,
1113 + const char *prefix)
1116 ulog_packet_msg_t *pm;
1117 size_t size, copy_len;
1118 struct nlmsghdr *nlh;
1119 - struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
1121 /* ffs == find first bit set, necessary because userspace
1122 * is already shifting groupnumber, but we need unshifted.
1125 /* calculate the size of the skb needed */
1126 if ((loginfo->copy_range == 0) ||
1127 - (loginfo->copy_range > (*pskb)->len)) {
1128 - copy_len = (*pskb)->len;
1129 + (loginfo->copy_range > skb->len)) {
1130 + copy_len = skb->len;
1132 copy_len = loginfo->copy_range;
1134 @@ -209,19 +214,21 @@
1136 /* copy hook, prefix, timestamp, payload, etc. */
1137 pm->data_len = copy_len;
1138 - pm->timestamp_sec = (*pskb)->stamp.tv_sec;
1139 - pm->timestamp_usec = (*pskb)->stamp.tv_usec;
1140 - pm->mark = (*pskb)->nfmark;
1141 + pm->timestamp_sec = skb->stamp.tv_sec;
1142 + pm->timestamp_usec = skb->stamp.tv_usec;
1143 + pm->mark = skb->nfmark;
1145 - if (loginfo->prefix[0] != '\0')
1146 + if (prefix != NULL)
1147 + strncpy(pm->prefix, prefix, sizeof(pm->prefix));
1148 + else if (loginfo->prefix[0] != '\0')
1149 strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
1151 *(pm->prefix) = '\0';
1153 if (in && in->hard_header_len > 0
1154 - && (*pskb)->mac.raw != (void *) (*pskb)->nh.iph
1155 + && skb->mac.raw != (void *) skb->nh.iph
1156 && in->hard_header_len <= ULOG_MAC_LEN) {
1157 - memcpy(pm->mac, (*pskb)->mac.raw, in->hard_header_len);
1158 + memcpy(pm->mac, skb->mac.raw, in->hard_header_len);
1159 pm->mac_len = in->hard_header_len;
1164 pm->outdev_name[0] = '\0';
1166 - /* copy_len <= (*pskb)->len, so can't fail. */
1167 - if (skb_copy_bits(*pskb, 0, pm->payload, copy_len) < 0)
1168 + /* copy_len <= skb->len, so can't fail. */
1169 + if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
1172 /* check if we are building multi-part messages */
1175 UNLOCK_BH(&ulog_lock);
1177 - return IPT_CONTINUE;
1182 PRINTR("ipt_ULOG: error during NLMSG_PUT\n");
1183 @@ -271,8 +277,35 @@
1184 PRINTR("ipt_ULOG: Error building netlink message\n");
1186 UNLOCK_BH(&ulog_lock);
1189 +static unsigned int ipt_ulog_target(struct sk_buff **pskb,
1190 + const struct net_device *in,
1191 + const struct net_device *out,
1192 + unsigned int hooknum,
1193 + const void *targinfo, void *userinfo)
1195 + struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
1197 - return IPT_CONTINUE;
1198 + ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
1200 + return IPT_CONTINUE;
1203 +static void ipt_logfn(unsigned int hooknum,
1204 + const struct sk_buff *skb,
1205 + const struct net_device *in,
1206 + const struct net_device *out,
1207 + const char *prefix)
1209 + struct ipt_ulog_info loginfo = {
1210 + .nl_group = NFLOG_DEFAULT_NLGROUP,
1212 + .qthreshold = NFLOG_DEFAULT_QTHRESHOLD,
1216 + ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
1219 static int ipt_ulog_checkentry(const char *tablename,
1225 + nf_log_register(PF_INET, &ipt_logfn);
1232 DEBUGP("ipt_ULOG: cleanup_module\n");
1235 + nf_log_unregister(PF_INET, &ipt_logfn);
1237 ipt_unregister_target(&ipt_ulog_reg);
1238 sock_release(nflognl->sk_socket);
1240 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_conntrack.c linux-2.6.0-test9/net/ipv4/netfilter/ipt_conntrack.c
1241 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_conntrack.c 2003-10-25 20:44:42.000000000 +0200
1242 +++ linux-2.6.0-test9/net/ipv4/netfilter/ipt_conntrack.c 2003-10-26 12:44:33.000000000 +0100
1245 #define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
1248 + if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW])
1249 + statebit = IPT_CONNTRACK_STATE_UNTRACKED;
1251 statebit = IPT_CONNTRACK_STATE_BIT(ctinfo);
1253 statebit = IPT_CONNTRACK_STATE_INVALID;
1254 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_sctp.c linux-2.6.0-test9/net/ipv4/netfilter/ipt_sctp.c
1255 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_sctp.c 1970-01-01 01:00:00.000000000 +0100
1256 +++ linux-2.6.0-test9/net/ipv4/netfilter/ipt_sctp.c 2003-10-26 12:44:43.000000000 +0100
1258 +/* IP tables module for matching the SCTP header
1260 + * $ipt_sctp.c,v 1.3 2002/05/29 15:09:00 laforge Exp$
1262 + * (C) 2003 by Harald Welte <laforge@gnumonks.org>
1264 + * This software is distributed under the terms GNU GPL v2
1267 +#include <linux/module.h>
1268 +#include <linux/skbuff.h>
1269 +#include <linux/sctp.h>
1271 +#include <linux/netfilter_ipv4/ip_tables.h>
1272 +#include <linux/netfilter_ipv4/ipt_sctp.h>
1274 +MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
1275 +MODULE_DESCRIPTION("IP tables SCTP matching module");
1276 +MODULE_LICENSE("GPL");
1278 +/* Returns 1 if the port is matched by the range, 0 otherwise */
1280 +port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
1284 + ret = (port >= min && port <= max) ^ invert;
1288 +static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
1290 + sctp_chunkhdr_t *ch = (sctp_chunkhdr_t *) skb->data;
1292 + u_int32_t chunks_present = 0;
1296 + ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length));
1298 + if (ch->type < 32)
1299 + chunks_present |= (1 << ch_type);
1300 + else if (ch->type == SCTP_CID_ASCONF)
1301 + chunks_present |= (1 << 31);
1302 + else if (ch->type == SCTP_CID_ASCONF_ACK)
1303 + chunks_present |= (1 << 30);
1305 + ch = (sctp_chunkhdr_t *) ch_end;
1306 + } while (ch_end < skb->tail);
1308 + return ((chunks_present& chunk_mask) == chunks);
1311 +static int match(const struct sk_buff *skb, const struct net_device *in,
1312 + const struct net_device *out, const void *matchinfo,
1313 + int offset, const void *hdr, u_int16_t datalen,
1316 + const struct ipt_sctp_info *info = matchinfo;
1317 + const struct iphdr *iph = skb->nh.iph;
1318 + const struct sctphdr *sh = (struct sctphdr *) skb->h.raw;
1320 + if (iph->protocol != IPPROTO_SCTP)
1323 + if (offset == 1) {
1324 + duprintf("Dropping evil SCTP offset=1 frag.\n");
1327 + } else if (offset == 0 && datalen < sizeof(struct sctphdr)) {
1328 + /* We've been askd o examine this packet, and we can't.
1329 + * Hence, no choice but to drop. */
1330 + duprintf("Dropping evil SCTP offset=0 tinygram.\n");
1336 + && port_match(info->spts[0], info->spts[1],
1337 + ntohs(sh->source),
1338 + !!(info->invflags & IPT_SCTP_INV_SRCPT))
1339 + && port_match(info->dpts[0], info->dpts[1],
1341 + !!(info->invflags & IPT_SCTP_INV_DSTPT))
1342 + && chunk_match(skb, info->chunks, info->chunk_mask)
1346 +static int checkentry(const char *tablename, const struct ipt_ip *ip,
1347 + void *matchinfo, unsigned int matchsize,
1348 + unsigned int hook_mask)
1350 + const struct ipt_sctp_info *info = matchinfo;
1352 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_sctp_info)))
1355 + if (ip->proto != IPPROTO_SCTP && !(ip->invflags & IPT_INV_PROTO))
1358 + if !(info->invflags & ~IPT_SCTP_INV_MASK)
1364 +static struct ipt_match sctp_match = {
1367 + .checkentry = &checkentry,
1368 + .me = THIS_MODULE,
1371 +static int __init init(void)
1373 + return ipt_register_match(&sctp_match);
1376 +static void __exit fini(void)
1378 + ipt_unregister_match(&sctp_match);
1383 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_state.c linux-2.6.0-test9/net/ipv4/netfilter/ipt_state.c
1384 --- linux-2.6.0-test9.org/net/ipv4/netfilter/ipt_state.c 2003-10-25 20:44:59.000000000 +0200
1385 +++ linux-2.6.0-test9/net/ipv4/netfilter/ipt_state.c 2003-10-26 12:44:33.000000000 +0100
1387 enum ip_conntrack_info ctinfo;
1388 unsigned int statebit;
1390 - if (!ip_conntrack_get((struct sk_buff *)skb, &ctinfo))
1391 - statebit = IPT_STATE_INVALID;
1393 + if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW])
1394 + statebit = IPT_STATE_UNTRACKED;
1395 + else if (ip_conntrack_get((struct sk_buff *)skb, &ctinfo))
1396 statebit = IPT_STATE_BIT(ctinfo);
1398 + statebit = IPT_STATE_INVALID;
1400 return (sinfo->statemask & statebit);
1402 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/iptable_filter.c linux-2.6.0-test9/net/ipv4/netfilter/iptable_filter.c
1403 --- linux-2.6.0-test9.org/net/ipv4/netfilter/iptable_filter.c 2003-10-25 20:43:23.000000000 +0200
1404 +++ linux-2.6.0-test9/net/ipv4/netfilter/iptable_filter.c 2003-10-26 12:44:33.000000000 +0100
1407 sizeof(struct ipt_entry),
1408 sizeof(struct ipt_standard),
1409 - 0, { 0, 0 }, { } },
1410 + 0, NULL, 0, { 0, 0 }, { } },
1411 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1416 sizeof(struct ipt_entry),
1417 sizeof(struct ipt_standard),
1418 - 0, { 0, 0 }, { } },
1419 + 0, NULL, 0, { 0, 0 }, { } },
1420 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1425 sizeof(struct ipt_entry),
1426 sizeof(struct ipt_standard),
1427 - 0, { 0, 0 }, { } },
1428 + 0, NULL, 0, { 0, 0 }, { } },
1429 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1434 sizeof(struct ipt_entry),
1435 sizeof(struct ipt_error),
1436 - 0, { 0, 0 }, { } },
1437 + 0, NULL, 0, { 0, 0 }, { } },
1438 { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
1441 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/iptable_mangle.c linux-2.6.0-test9/net/ipv4/netfilter/iptable_mangle.c
1442 --- linux-2.6.0-test9.org/net/ipv4/netfilter/iptable_mangle.c 2003-10-25 20:44:37.000000000 +0200
1443 +++ linux-2.6.0-test9/net/ipv4/netfilter/iptable_mangle.c 2003-10-26 12:44:33.000000000 +0100
1446 sizeof(struct ipt_entry),
1447 sizeof(struct ipt_standard),
1448 - 0, { 0, 0 }, { } },
1449 + 0, NULL, 0, { 0, 0 }, { } },
1450 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1455 sizeof(struct ipt_entry),
1456 sizeof(struct ipt_standard),
1457 - 0, { 0, 0 }, { } },
1458 + 0, NULL, 0, { 0, 0 }, { } },
1459 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1464 sizeof(struct ipt_entry),
1465 sizeof(struct ipt_standard),
1466 - 0, { 0, 0 }, { } },
1467 + 0, NULL, 0, { 0, 0 }, { } },
1468 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1473 sizeof(struct ipt_entry),
1474 sizeof(struct ipt_standard),
1475 - 0, { 0, 0 }, { } },
1476 + 0, NULL, 0, { 0, 0 }, { } },
1477 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1482 sizeof(struct ipt_entry),
1483 sizeof(struct ipt_standard),
1484 - 0, { 0, 0 }, { } },
1485 + 0, NULL, 0, { 0, 0 }, { } },
1486 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1491 sizeof(struct ipt_entry),
1492 sizeof(struct ipt_error),
1493 - 0, { 0, 0 }, { } },
1494 + 0, NULL, 0, { 0, 0 }, { } },
1495 { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
1498 diff -Nur linux-2.6.0-test9.org/net/ipv4/netfilter/iptable_raw.c linux-2.6.0-test9/net/ipv4/netfilter/iptable_raw.c
1499 --- linux-2.6.0-test9.org/net/ipv4/netfilter/iptable_raw.c 1970-01-01 01:00:00.000000000 +0100
1500 +++ linux-2.6.0-test9/net/ipv4/netfilter/iptable_raw.c 2003-10-26 12:44:33.000000000 +0100
1503 + * 'raw' table, which is the very first hooked in at PRE_ROUTING and LOCAL_OUT .
1505 + * Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
1507 +#include <linux/module.h>
1508 +#include <linux/netfilter_ipv4/ip_tables.h>
1510 +#define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))
1512 +/* Standard entry. */
1513 +struct ipt_standard
1515 + struct ipt_entry entry;
1516 + struct ipt_standard_target target;
1519 +struct ipt_error_target
1521 + struct ipt_entry_target target;
1522 + char errorname[IPT_FUNCTION_MAXNAMELEN];
1527 + struct ipt_entry entry;
1528 + struct ipt_error_target target;
1533 + struct ipt_replace repl;
1534 + struct ipt_standard entries[2];
1535 + struct ipt_error term;
1536 +} initial_table __initdata
1537 += { { "raw", RAW_VALID_HOOKS, 3,
1538 + sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error),
1539 + { [NF_IP_PRE_ROUTING] 0,
1540 + [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) },
1541 + { [NF_IP_PRE_ROUTING] 0,
1542 + [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) },
1546 + { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
1548 + sizeof(struct ipt_entry),
1549 + sizeof(struct ipt_standard),
1550 + 0, NULL, 0, { 0, 0 }, { } },
1551 + { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1552 + -NF_ACCEPT - 1 } },
1554 + { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
1556 + sizeof(struct ipt_entry),
1557 + sizeof(struct ipt_standard),
1558 + 0, NULL, 0, { 0, 0 }, { } },
1559 + { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1560 + -NF_ACCEPT - 1 } }
1563 + { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
1565 + sizeof(struct ipt_entry),
1566 + sizeof(struct ipt_error),
1567 + 0, NULL, 0, { 0, 0 }, { } },
1568 + { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
1575 +static struct ipt_table packet_raw = {
1577 + .table = &initial_table.repl,
1578 + .valid_hooks = RAW_VALID_HOOKS,
1579 + .lock = RW_LOCK_UNLOCKED,
1580 + .me = THIS_MODULE,
1583 +/* The work comes in here from netfilter.c. */
1584 +static unsigned int
1585 +ipt_hook(unsigned int hook,
1586 + struct sk_buff **pskb,
1587 + const struct net_device *in,
1588 + const struct net_device *out,
1589 + int (*okfn)(struct sk_buff *))
1591 + return ipt_do_table(pskb, hook, in, out, &packet_raw, NULL);
1594 +/* 'raw' is the very first table. */
1595 +static struct nf_hook_ops ipt_ops[] = {
1596 + { /* PRE_ROUTING hook */
1598 + .owner = THIS_MODULE,
1600 + .hooknum = NF_IP_PRE_ROUTING,
1601 + .priority = NF_IP_PRI_RAW,
1603 + { /* LOCAL_OUT hook */
1605 + .owner = THIS_MODULE,
1607 + .hooknum = NF_IP_LOCAL_OUT,
1608 + .priority = NF_IP_PRI_RAW,
1612 +static int __init init(void)
1616 + /* Register table */
1617 + ret = ipt_register_table(&packet_raw);
1621 + /* Register hooks */
1622 + ret = nf_register_hook(&ipt_ops[0]);
1624 + goto cleanup_table;
1626 + ret = nf_register_hook(&ipt_ops[1]);
1628 + goto cleanup_hook0;
1633 + nf_unregister_hook(&ipt_ops[0]);
1635 + ipt_unregister_table(&packet_raw);
1640 +static void __exit fini(void)
1644 + for (i = 0; i < sizeof(ipt_ops)/sizeof(struct nf_hook_ops); i++)
1645 + nf_unregister_hook(&ipt_ops[i]);
1647 + ipt_unregister_table(&packet_raw);
1652 +MODULE_LICENSE("GPL");
1653 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1654 +MODULE_DESCRIPTION("IPv4 raw table");
1655 diff -Nur linux-2.6.0-test9.org/net/ipv6/netfilter/Kconfig linux-2.6.0-test9/net/ipv6/netfilter/Kconfig
1656 --- linux-2.6.0-test9.org/net/ipv6/netfilter/Kconfig 2003-10-25 20:44:37.000000000 +0200
1657 +++ linux-2.6.0-test9/net/ipv6/netfilter/Kconfig 2003-10-26 12:44:33.000000000 +0100
1658 @@ -217,6 +217,31 @@
1660 To compile it as a module, choose M here. If unsure, say N.
1663 + tristate "Raw table"
1664 + depends on IP6_NF_IPTABLES
1666 + This option adds a `raw' table to iptables: see the man page for
1667 + iptables(8). This table is the very first in the netfilter
1668 + framework and hooks in at the PREROUTING and OUTPUT chains.
1669 + The TRACE target can be used in this table only.
1671 + To compile it as a module, choose M here. If unsure, say N.
1673 +config IP6_NF_TARGET_TRACE
1674 + tristate "TRACE target support"
1675 + depends on IP6_NF_RAW
1677 + The TRACE target allows packets to be traced as those matches
1678 + any subsequent rule in any IPv6 netfilter table/rule. The matched
1679 + rule and the packet is logged with the prefix
1681 + TRACE: tablename/chainname/rulenum
1683 + if the ip6t_LOG target is loaded in.
1685 + To compile it as a module, choose M here. If unsure, say N.
1687 #dep_tristate ' LOG target support' CONFIG_IP6_NF_TARGET_LOG $CONFIG_IP6_NF_IPTABLES
1690 diff -Nur linux-2.6.0-test9.org/net/ipv6/netfilter/Makefile linux-2.6.0-test9/net/ipv6/netfilter/Makefile
1691 --- linux-2.6.0-test9.org/net/ipv6/netfilter/Makefile 2003-10-25 20:43:53.000000000 +0200
1692 +++ linux-2.6.0-test9/net/ipv6/netfilter/Makefile 2003-10-26 12:44:33.000000000 +0100
1694 obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
1695 obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
1696 obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
1697 +obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
1698 obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t_MARK.o
1699 obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
1700 obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
1701 +obj-$(CONFIG_IP6_NF_TARGET_TRACE) += ip6t_TRACE.o
1702 obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
1703 diff -Nur linux-2.6.0-test9.org/net/ipv6/netfilter/ip6_tables.c linux-2.6.0-test9/net/ipv6/netfilter/ip6_tables.c
1704 --- linux-2.6.0-test9.org/net/ipv6/netfilter/ip6_tables.c 2003-10-25 20:44:39.000000000 +0200
1705 +++ linux-2.6.0-test9/net/ipv6/netfilter/ip6_tables.c 2003-10-26 12:44:33.000000000 +0100
1708 #include <linux/config.h>
1709 #include <linux/skbuff.h>
1710 +#include <linux/socket.h>
1711 #include <linux/kmod.h>
1712 #include <linux/vmalloc.h>
1713 #include <linux/netdevice.h>
1715 #include <asm/semaphore.h>
1716 #include <linux/proc_fs.h>
1718 +#include <linux/netfilter.h>
1719 #include <linux/netfilter_ipv6/ip6_tables.h>
1721 +static const char *hook6names[] = {
1722 + [NF_IP6_PRE_ROUTING] "PREROUTING",
1723 + [NF_IP6_LOCAL_IN] "INPUT",
1724 + [NF_IP6_FORWARD] "FORWARD",
1725 + [NF_IP6_LOCAL_OUT] "OUTPUT",
1726 + [NF_IP6_POST_ROUTING] "POSTROUTING",
1729 MODULE_LICENSE("GPL");
1730 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1731 MODULE_DESCRIPTION("IPv6 packet filter");
1732 @@ -403,6 +413,12 @@
1734 t = ip6t_get_target(e);
1735 IP_NF_ASSERT(t->u.kernel.target);
1737 + /* The packet traced and the rule isn't an unconditional return/END. */
1738 + if (((*pskb)->nfcache & NFC_TRACE) && e->rulenum) {
1739 + nf_log_packet(AF_INET6, hook, *pskb, in, out, "TRACE: %s/%s/%u ",
1740 + table->name, e->chainname, e->rulenum);
1742 /* Standard target? */
1743 if (!t->u.kernel.target->target) {
1745 @@ -556,6 +572,29 @@
1746 return find_inlist_lock(&ip6t_target, name, "ip6t_", error, mutex);
1750 +find_error_target(struct ip6t_entry *s,
1751 + struct ip6t_entry *e,
1754 + struct ip6t_entry_target *t;
1755 + static struct ip6t_entry *found = NULL;
1760 + t = ip6t_get_target(found);
1761 + if (strcmp(t->u.user.name,
1762 + IP6T_ERROR_TARGET) == 0) {
1763 + *chainname = t->data;
1772 /* All zeroes == unconditional rule. */
1774 unconditional(const struct ip6t_ip6 *ipv6)
1776 mark_source_chains(struct ip6t_table_info *newinfo, unsigned int valid_hooks)
1779 + char *chainname = NULL;
1780 + u_int32_t rulenum;
1782 /* No recursion; use packet counter to save back ptrs (reset
1783 to 0 as we leave), and comefrom to save source hook bitmask */
1786 /* Set initial back pointer. */
1787 e->counters.pcnt = pos;
1789 + chainname = (char *) hook6names[hook];
1792 struct ip6t_standard_target *t
1796 |= ((1 << hook) | (1 << NF_IP6_NUMHOOKS));
1797 + e->rulenum = rulenum++;
1798 + e->chainname = chainname;
1800 /* Unconditional return/END. */
1801 if (e->target_offset == sizeof(struct ip6t_entry)
1802 @@ -609,6 +654,10 @@
1803 && unconditional(&e->ipv6)) {
1804 unsigned int oldpos, size;
1806 + /* Set unconditional rulenum to zero. */
1808 + e->counters.bcnt = 0;
1810 /* Return: backtrack through the last
1813 @@ -634,6 +683,11 @@
1814 (newinfo->entries + pos);
1815 } while (oldpos == pos + e->next_offset);
1817 + /* Restore chainname, rulenum. */
1818 + chainname = e->chainname;
1819 + rulenum = e->counters.bcnt;
1820 + e->counters.bcnt = 0;
1822 /* Move along one */
1823 size = e->next_offset;
1824 e = (struct ip6t_entry *)
1825 @@ -649,6 +703,17 @@
1826 /* This a jump; chase it. */
1827 duprintf("Jump rule %u -> %u\n",
1829 + e->counters.bcnt = rulenum++;
1831 + e = (struct ip6t_entry *)
1832 + (newinfo->entries + newpos);
1833 + if (IP6T_ENTRY_ITERATE(newinfo->entries,
1835 + find_error_target,
1836 + e, &chainname) == 0) {
1837 + printk("ip6_tables: table screwed up!\n");
1841 /* ... this is a fallthru */
1842 newpos = pos + e->next_offset;
1843 diff -Nur linux-2.6.0-test9.org/net/ipv6/netfilter/ip6t_LOG.c linux-2.6.0-test9/net/ipv6/netfilter/ip6t_LOG.c
1844 --- linux-2.6.0-test9.org/net/ipv6/netfilter/ip6t_LOG.c 2003-10-25 20:43:18.000000000 +0200
1845 +++ linux-2.6.0-test9/net/ipv6/netfilter/ip6t_LOG.c 2003-10-26 12:44:13.000000000 +0100
1848 #include <linux/module.h>
1849 #include <linux/skbuff.h>
1850 +#include <linux/socket.h>
1851 #include <linux/ip.h>
1852 #include <linux/spinlock.h>
1853 #include <linux/icmpv6.h>
1854 #include <net/udp.h>
1855 #include <net/tcp.h>
1856 #include <net/ipv6.h>
1857 +#include <linux/netfilter.h>
1858 #include <linux/netfilter_ipv6/ip6_tables.h>
1860 MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
1861 MODULE_DESCRIPTION("IP6 tables LOG target module");
1862 MODULE_LICENSE("GPL");
1864 +static unsigned int nflog = 1;
1865 +MODULE_PARM(nflog, "i");
1866 +MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
1869 #include <net/route.h>
1870 #include <linux/netfilter_ipv6/ip6t_LOG.h>
1871 @@ -256,40 +262,38 @@
1875 -static unsigned int
1876 -ip6t_log_target(struct sk_buff **pskb,
1877 - unsigned int hooknum,
1878 - const struct net_device *in,
1879 - const struct net_device *out,
1880 - const void *targinfo,
1883 +ip6t_log_packet(unsigned int hooknum,
1884 + const struct sk_buff *skb,
1885 + const struct net_device *in,
1886 + const struct net_device *out,
1887 + const struct ip6t_log_info *loginfo,
1888 + const char *level_string,
1889 + const char *prefix)
1891 - struct ipv6hdr *ipv6h = (*pskb)->nh.ipv6h;
1892 - const struct ip6t_log_info *loginfo = targinfo;
1893 - char level_string[4] = "< >";
1894 + struct ipv6hdr *ipv6h = skb->nh.ipv6h;
1896 - level_string[1] = '0' + (loginfo->level % 8);
1897 spin_lock_bh(&log_lock);
1898 printk(level_string);
1899 printk("%sIN=%s OUT=%s ",
1901 + prefix == NULL ? loginfo->prefix : prefix,
1903 out ? out->name : "");
1905 /* MAC logging for input chain only. */
1907 - if ((*pskb)->dev && (*pskb)->dev->hard_header_len && (*pskb)->mac.raw != (void*)ipv6h) {
1908 - if ((*pskb)->dev->type != ARPHRD_SIT){
1909 + if (skb->dev && skb->dev->hard_header_len && skb->mac.raw != (void*)ipv6h) {
1910 + if (skb->dev->type != ARPHRD_SIT){
1912 - unsigned char *p = (*pskb)->mac.raw;
1913 - for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
1914 + unsigned char *p = skb->mac.raw;
1915 + for (i = 0; i < skb->dev->hard_header_len; i++,p++)
1916 printk("%02x%c", *p,
1917 - i==(*pskb)->dev->hard_header_len - 1
1918 + i==skb->dev->hard_header_len - 1
1922 - unsigned char *p = (*pskb)->mac.raw;
1923 - if ( p - (ETH_ALEN*2+2) > (*pskb)->head ){
1924 + unsigned char *p = skb->mac.raw;
1925 + if ( p - (ETH_ALEN*2+2) > skb->head ){
1927 for (i = 0; i < (ETH_ALEN); i++,p++)
1928 printk("%02x%s", *p,
1929 @@ -300,10 +304,10 @@
1930 i == ETH_ALEN-1 ? ' ' : ':');
1933 - if (((*pskb)->dev->addr_len == 4) &&
1934 - (*pskb)->dev->hard_header_len > 20){
1935 + if ((skb->dev->addr_len == 4) &&
1936 + skb->dev->hard_header_len > 20){
1938 - p = (*pskb)->mac.raw + 12;
1939 + p = skb->mac.raw + 12;
1940 for (i = 0; i < 4; i++,p++)
1942 i == 3 ? "->" : ".");
1943 @@ -319,10 +323,41 @@
1944 dump_packet(loginfo, ipv6h, 1);
1946 spin_unlock_bh(&log_lock);
1949 +static unsigned int
1950 +ip6t_log_target(struct sk_buff **pskb,
1951 + unsigned int hooknum,
1952 + const struct net_device *in,
1953 + const struct net_device *out,
1954 + const void *targinfo,
1957 + const struct ip6t_log_info *loginfo = targinfo;
1958 + char level_string[4] = "< >";
1960 + level_string[1] = '0' + (loginfo->level % 8);
1961 + ip6t_log_packet(hooknum, *pskb, in, out, loginfo, level_string, NULL);
1963 return IP6T_CONTINUE;
1967 +ip6t_logfn(unsigned int hooknum,
1968 + const struct sk_buff *skb,
1969 + const struct net_device *in,
1970 + const struct net_device *out,
1971 + const char *prefix)
1973 + struct ip6t_log_info loginfo = {
1975 + .logflags = IP6T_LOG_MASK,
1979 + ip6t_log_packet(hooknum, skb, in, out, &loginfo, KERN_WARNING, prefix);
1982 static int ip6t_log_checkentry(const char *tablename,
1983 const struct ip6t_entry *e,
1985 @@ -359,12 +394,17 @@
1987 if (ip6t_register_target(&ip6t_log_reg))
1990 + nf_log_register(PF_INET6, &ip6t_logfn);
1995 static void __exit fini(void)
1998 + nf_log_register(PF_INET6, &ip6t_logfn);
2000 ip6t_unregister_target(&ip6t_log_reg);
2003 diff -Nur linux-2.6.0-test9.org/net/ipv6/netfilter/ip6t_TRACE.c linux-2.6.0-test9/net/ipv6/netfilter/ip6t_TRACE.c
2004 --- linux-2.6.0-test9.org/net/ipv6/netfilter/ip6t_TRACE.c 1970-01-01 01:00:00.000000000 +0100
2005 +++ linux-2.6.0-test9/net/ipv6/netfilter/ip6t_TRACE.c 2003-10-26 12:44:33.000000000 +0100
2007 +/* This is a module which is used for setting
2008 + * the NFC_TRACE flag in the nfcache field of an skb.
2010 +#include <linux/module.h>
2011 +#include <linux/skbuff.h>
2013 +#include <linux/netfilter_ipv6/ip6_tables.h>
2015 +static unsigned int
2016 +target(struct sk_buff **pskb,
2017 + unsigned int hooknum,
2018 + const struct net_device *in,
2019 + const struct net_device *out,
2020 + const void *targinfo,
2023 + (*pskb)->nfcache |= NFC_TRACE;
2024 + return IP6T_CONTINUE;
2028 +checkentry(const char *tablename,
2029 + const struct ip6t_entry *e,
2031 + unsigned int targinfosize,
2032 + unsigned int hook_mask)
2034 + if (targinfosize != 0) {
2035 + printk(KERN_WARNING "TRACE: targinfosize %u != 0\n",
2040 + if (strcmp(tablename, "raw") != 0) {
2041 + printk(KERN_WARNING "TRACE: can only be called from \"raw\" table, not \"%s\"\n", tablename);
2048 +static struct ip6t_target ip6t_trace_reg = {
2051 + .checkentry = checkentry,
2053 + .me = THIS_MODULE,
2056 +static int __init init(void)
2058 + if (ip6t_register_target(&ip6t_trace_reg))
2064 +static void __exit fini(void)
2066 + ip6t_unregister_target(&ip6t_trace_reg);
2072 +MODULE_LICENSE("GPL");
2073 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
2074 +MODULE_DESCRIPTION("IPv6 TRACE target");
2076 \ No newline at end of file
2077 diff -Nur linux-2.6.0-test9.org/net/ipv6/netfilter/ip6table_filter.c linux-2.6.0-test9/net/ipv6/netfilter/ip6table_filter.c
2078 --- linux-2.6.0-test9.org/net/ipv6/netfilter/ip6table_filter.c 2003-10-25 20:42:53.000000000 +0200
2079 +++ linux-2.6.0-test9/net/ipv6/netfilter/ip6table_filter.c 2003-10-26 12:44:33.000000000 +0100
2082 sizeof(struct ip6t_entry),
2083 sizeof(struct ip6t_standard),
2084 - 0, { 0, 0 }, { } },
2085 + 0, NULL, 0, { 0, 0 }, { } },
2086 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2091 sizeof(struct ip6t_entry),
2092 sizeof(struct ip6t_standard),
2093 - 0, { 0, 0 }, { } },
2094 + 0, NULL, 0, { 0, 0 }, { } },
2095 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2100 sizeof(struct ip6t_entry),
2101 sizeof(struct ip6t_standard),
2102 - 0, { 0, 0 }, { } },
2103 + 0, NULL, 0, { 0, 0 }, { } },
2104 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2109 sizeof(struct ip6t_entry),
2110 sizeof(struct ip6t_error),
2111 - 0, { 0, 0 }, { } },
2112 + 0, NULL, 0, { 0, 0 }, { } },
2113 { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } },
2116 diff -Nur linux-2.6.0-test9.org/net/ipv6/netfilter/ip6table_mangle.c linux-2.6.0-test9/net/ipv6/netfilter/ip6table_mangle.c
2117 --- linux-2.6.0-test9.org/net/ipv6/netfilter/ip6table_mangle.c 2003-10-25 20:43:26.000000000 +0200
2118 +++ linux-2.6.0-test9/net/ipv6/netfilter/ip6table_mangle.c 2003-10-26 12:44:33.000000000 +0100
2121 sizeof(struct ip6t_entry),
2122 sizeof(struct ip6t_standard),
2123 - 0, { 0, 0 }, { } },
2124 + 0, NULL, 0, { 0, 0 }, { } },
2125 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2130 sizeof(struct ip6t_entry),
2131 sizeof(struct ip6t_standard),
2132 - 0, { 0, 0 }, { } },
2133 + 0, NULL, 0, { 0, 0 }, { } },
2134 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2139 sizeof(struct ip6t_entry),
2140 sizeof(struct ip6t_standard),
2141 - 0, { 0, 0 }, { } },
2142 + 0, NULL, 0, { 0, 0 }, { } },
2143 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2148 sizeof(struct ip6t_entry),
2149 sizeof(struct ip6t_standard),
2150 - 0, { 0, 0 }, { } },
2151 + 0, NULL, 0, { 0, 0 }, { } },
2152 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2157 sizeof(struct ip6t_entry),
2158 sizeof(struct ip6t_standard),
2159 - 0, { 0, 0 }, { } },
2160 + 0, NULL, 0, { 0, 0 }, { } },
2161 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2166 sizeof(struct ip6t_entry),
2167 sizeof(struct ip6t_error),
2168 - 0, { 0, 0 }, { } },
2169 + 0, NULL, 0, { 0, 0 }, { } },
2170 { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } },
2173 diff -Nur linux-2.6.0-test9.org/net/ipv6/netfilter/ip6table_raw.c linux-2.6.0-test9/net/ipv6/netfilter/ip6table_raw.c
2174 --- linux-2.6.0-test9.org/net/ipv6/netfilter/ip6table_raw.c 1970-01-01 01:00:00.000000000 +0100
2175 +++ linux-2.6.0-test9/net/ipv6/netfilter/ip6table_raw.c 2003-10-26 12:44:33.000000000 +0100
2178 + * IPv6 raw table, a port of the IPv4 raw table to IPv6
2180 + * Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2182 +#include <linux/module.h>
2183 +#include <linux/netfilter_ipv6/ip6_tables.h>
2185 +#define RAW_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_OUT))
2188 +#define DEBUGP(x, args...) printk(KERN_DEBUG x, ## args)
2190 +#define DEBUGP(x, args...)
2193 +/* Standard entry. */
2194 +struct ip6t_standard
2196 + struct ip6t_entry entry;
2197 + struct ip6t_standard_target target;
2200 +struct ip6t_error_target
2202 + struct ip6t_entry_target target;
2203 + char errorname[IP6T_FUNCTION_MAXNAMELEN];
2208 + struct ip6t_entry entry;
2209 + struct ip6t_error_target target;
2214 + struct ip6t_replace repl;
2215 + struct ip6t_standard entries[2];
2216 + struct ip6t_error term;
2217 +} initial_table __initdata
2218 += { { "raw", RAW_VALID_HOOKS, 3,
2219 + sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error),
2220 + { [NF_IP6_PRE_ROUTING] 0,
2221 + [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) },
2222 + { [NF_IP6_PRE_ROUTING] 0,
2223 + [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) },
2227 + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
2229 + sizeof(struct ip6t_entry),
2230 + sizeof(struct ip6t_standard),
2231 + 0, NULL, 0, { 0, 0 }, { } },
2232 + { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2233 + -NF_ACCEPT - 1 } },
2235 + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
2237 + sizeof(struct ip6t_entry),
2238 + sizeof(struct ip6t_standard),
2239 + 0, NULL, 0, { 0, 0 }, { } },
2240 + { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2241 + -NF_ACCEPT - 1 } },
2244 + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
2246 + sizeof(struct ip6t_entry),
2247 + sizeof(struct ip6t_error),
2248 + 0, NULL, 0, { 0, 0 }, { } },
2249 + { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } },
2256 +static struct ip6t_table packet_raw = {
2258 + .table = &initial_table.repl,
2259 + .valid_hooks = RAW_VALID_HOOKS,
2260 + .lock = RW_LOCK_UNLOCKED,
2264 +/* The work comes in here from netfilter.c. */
2265 +static unsigned int
2266 +ip6t_hook(unsigned int hook,
2267 + struct sk_buff **pskb,
2268 + const struct net_device *in,
2269 + const struct net_device *out,
2270 + int (*okfn)(struct sk_buff *))
2272 + return ip6t_do_table(pskb, hook, in, out, &packet_raw, NULL);
2275 +static struct nf_hook_ops ip6t_ops[] = {
2276 + { /* PRE_ROUTING */
2277 + .hook = ip6t_hook,
2278 + .owner = THIS_MODULE,
2280 + .hooknum = NF_IP6_PRE_ROUTING,
2281 + .priority = NF_IP6_PRI_FIRST,
2284 + .hook = ip6t_hook,
2285 + .owner = THIS_MODULE,
2287 + .hooknum = NF_IP6_LOCAL_OUT,
2288 + .priority = NF_IP6_PRI_FIRST,
2292 +static int __init init(void)
2296 + /* Register table */
2297 + ret = ip6t_register_table(&packet_raw);
2301 + /* Register hooks */
2302 + ret = nf_register_hook(&ip6t_ops[0]);
2304 + goto cleanup_table;
2306 + ret = nf_register_hook(&ip6t_ops[1]);
2308 + goto cleanup_hook0;
2313 + nf_unregister_hook(&ip6t_ops[0]);
2315 + ip6t_unregister_table(&packet_raw);
2320 +static void __exit fini(void)
2324 + for (i = 0; i < sizeof(ip6t_ops)/sizeof(struct nf_hook_ops); i++)
2325 + nf_unregister_hook(&ip6t_ops[i]);
2327 + ip6t_unregister_table(&packet_raw);
2332 +MODULE_LICENSE("GPL");
2333 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
2334 +MODULE_DESCRIPTION("IPv6 raw table");
2335 diff -Nur linux-2.6.0-test9.org/netfilter-patch-o-matic/patches linux-2.6.0-test9/netfilter-patch-o-matic/patches
2336 --- linux-2.6.0-test9.org/netfilter-patch-o-matic/patches 1970-01-01 01:00:00.000000000 +0100
2337 +++ linux-2.6.0-test9/netfilter-patch-o-matic/patches 2003-10-26 12:45:17.000000000 +0100
2339 +./base/01_sctp_match.patch
2340 +./pending/40_nf-log.patch
2341 +./pending/25-err-ptr.patch
2342 +./pending/26-memsets.patch
2343 +./pending/70_expect-evict-order.patch
2344 +./pending/71_raw.patch
2345 +./submitted/02_REJECT-headroom-tcprst.patch
2346 +./submitted/03_260t4-mirror-remove.patch
2347 +./submitted/03_physdev_bridged.patch
2348 +./submitted/04_260t4-unclean-remove.patch