diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
--- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h Mon Sep 8 19:50:18 2003
+++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ip_conntrack_tuple.h Tue Sep 23 12:56:40 2003
@@ -62,6 +62,14 @@
 } dst;
 };
 
+/* This is optimized opposed to a memset of the whole structure. Everything we
+ * really care about is the source/destination unions */
+#define IP_CT_TUPLE_BLANK(tuple) \
+ do { \
+ (tuple)->src.u.all = 0; \
+ (tuple)->dst.u.all = 0; \
+ } while (0)
+
 enum ip_conntrack_dir
 {
 IP_CT_DIR_ORIGINAL,
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h
--- linux-2.6.0-test5.org/include/linux/netfilter_ipv4/ipt_sctp.h Thu Jan 1 00:00:00 1970
+++ linux-2.6.0-test5/include/linux/netfilter_ipv4/ipt_sctp.h Tue Sep 23 12:56:47 2003
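Review bot: IP_CT_TUPLE_BLANK clears only `src.u.all` and `dst.u.all`, so `src.ip`, `dst.ip` and `dst.protonum` keep whatever the tuple held before; a caller switched from a full `memset` to this macro that relied on those fields starting at zero (tuple masks, field-by-field comparisons) now reads stale data. The comment asserts the unions are all that matters but does not say the rest is the caller's job; I would make that explicit: `/* Clears only the per-protocol unions; src.ip, dst.ip and dst.protonum are left untouched and must be set by the caller. */`. It also presumes `u.all` spans every member of the union — if any protocol member is wider than `all`, its tail bytes survive the blank, which is worth confirming against the union definition just above this hunk.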
@@ -0,0 +1,25 @@
+/* iptables module for matching the SCTP header
+ *
+ * (C) 2003 Harald Welte
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * $Id$
+ */
+#ifndef _IPT_SCTP_H
+#define _IPT_SCTP_H
+
+struct ipt_sctp_info {
+ u_int16_t spts[2]; /* Souce port range */
+ u_int16_t dpts[2]; /* Destination port range */
+ u_int32_t chunks; /* chunks to be matched */
+ u_int32_t chunk_mask; /* chunk mask to be matched */
+ u_int8_t invflags; /* Inverse flags */
+};
+
+#define IPT_SCTP_INV_SRCPT 0x01 /* Invert the sense of source ports */
+#define IPT_SCTP_INV_DSTPT 0x02 /* Invert the sense of dest ports */
+#define IPT_SCTP_INV_CHUNKS 0x03 /* Invert the sense of chunks */
+#define IPT_SCTP_INV_MASK 0x03 /* All possible flags */
+
+#endif /* _IPT_SCTP_H */
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig linux-2.6.0-test5/net/ipv4/netfilter/Kconfig
--- linux-2.6.0-test5.org/net/ipv4/netfilter/Kconfig Mon Sep 8 19:50:21 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/Kconfig Tue Sep 23 12:56:47 2003
@@ -215,6 +215,15 @@
 If you want to compile it as a module, say M here and read
 Documentation/modules.txt. If unsure, say `N'.
 
+config IP_NF_MATCH_SCTP
+ tristate "SCTP match support"
+ depends on IP_NF_IPTABLES
+ help
+ This match allows iptables to match on the SCTP header.
+
+ If you want to compile it as a module, say M here and read
+ . If unsure, say `N'.
+
 config IP_NF_MATCH_LENGTH
 tristate "LENGTH match support"
 depends on IP_NF_IPTABLES
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile linux-2.6.0-test5/net/ipv4/netfilter/Makefile
--- linux-2.6.0-test5.org/net/ipv4/netfilter/Makefile Mon Sep 8 19:49:57 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/Makefile Tue Sep 23 12:56:48 2003
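Review bot: `IPT_SCTP_INV_CHUNKS` is defined as `0x03`, which is `IPT_SCTP_INV_SRCPT | IPT_SCTP_INV_DSTPT` rather than a bit of its own, so a rule that sets it from userspace inverts both port tests instead, and `IPT_SCTP_INV_MASK` (also `0x03`) leaves no room for a distinct chunk-inversion flag. The two lines should read `#define IPT_SCTP_INV_CHUNKS 0x04 /* Invert the sense of chunks */` and `#define IPT_SCTP_INV_MASK 0x07 /* All possible flags */`. Note that the match code added by this same patch never tests `IPT_SCTP_INV_CHUNKS`, so even with a correct value the flag is accepted by checkentry but has no effect; either honour it in chunk_match or reject it until it is implemented. Minor: "Souce" in the `spts` comment.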
@@ -40,6 +40,7 @@
 obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
 
 # matches
+obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_core.c Mon Sep 8 19:49:50 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_core.c Tue Sep 23 12:56:40 2003
@@ -29,8 +29,7 @@
 #include
 #include
 #include
-/* For ERR_PTR(). Yeah, I know... --RR */
-#include
+#include
 
 /* This rwlock protects the main hash table, protocol/helper/expected
 registrations, conntrack timers*/
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_conntrack_tftp.c Mon Sep 8 19:50:01 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_conntrack_tftp.c Tue Sep 23 12:56:33 2003
@@ -97,8 +97,6 @@
 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
 /* Create helper structure */
- memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
-
 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
 tftp[i].mask.dst.protonum = 0xFFFF;
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_amanda.c Tue Sep 23 12:09:22 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_amanda.c Tue Sep 23 12:56:33 2003
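Review bot: Dropping the `memset` in the ip_conntrack_tftp.c hunk means `tftp[i]` is no longer reset before the fields below are assigned, which is only safe if `tftp` has static storage (zero-filled at module load) and this loop runs once per load; the array's declaration is outside the hunk, so please confirm it is a file-scope `static` and is not populated by any other path. If the helpers could be re-registered without a module reload, every field not assigned here (name, help callback, timeout, list linkage) would carry over old values. A one-line comment at the removal site would stop the next reader re-adding the memset: `/* tftp[] is static, hence already zeroed; only the non-zero fields are set here. */`. The enclosing init function starts and ends outside this hunk.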
@@ -195,8 +195,6 @@
 struct ip_nat_helper *hlpr;
 
 hlpr = &ip_nat_amanda_helper;
- memset(hlpr, 0, sizeof(struct ip_nat_helper));
-
 hlpr->tuple.dst.protonum = IPPROTO_UDP;
 hlpr->tuple.src.u.udp.port = htons(10080);
 hlpr->mask.src.u.udp.port = 0xFFFF;
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ip_nat_tftp.c Tue Sep 23 12:09:22 2003
+++ linux-2.6.0-test5/net/ipv4/netfilter/ip_nat_tftp.c Tue Sep 23 12:56:33 2003
@@ -164,8 +164,6 @@
 ports[0] = TFTP_PORT;
 
 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
- memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
-
 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
 tftp[i].mask.dst.protonum = 0xFFFF;
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c
--- linux-2.6.0-test5.org/net/ipv4/netfilter/ipt_sctp.c Thu Jan 1 00:00:00 1970
+++ linux-2.6.0-test5/net/ipv4/netfilter/ipt_sctp.c Tue Sep 23 12:56:47 2003
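Review bot: With the `memset` gone from the ip_nat_amanda.c hunk, `ip_nat_amanda_helper` is assumed to be zero-filled at module load; only `tuple.dst.protonum`, `tuple.src.u.udp.port` and `mask.src.u.udp.port` are set in the visible lines, so every other field of the helper now relies on static zero-initialisation of an object whose definition is outside this hunk. That is fine for a file-scope object loaded once, but it is an unstated invariant — I would record it where the memset was: `/* ip_nat_amanda_helper is a static object and therefore already zeroed. */`. The same reasoning applies to the `tftp[]` array in the ip_nat_tftp.c hunk below it. The enclosing init functions start and end outside these hunks.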
@@ -0,0 +1,125 @@
+/* IP tables module for matching the SCTP header
+ *
+ * $ipt_sctp.c,v 1.3 2002/05/29 15:09:00 laforge Exp$
+ *
+ * (C) 2003 by Harald Welte
+ *
+ * This software is distributed under the terms GNU GPL v2
+ */
+
+#include
+#include
+#include
+
+#include
+#include
+
+MODULE_AUTHOR("Harald Welte ");
+MODULE_DESCRIPTION("IP tables SCTP matching module");
+MODULE_LICENSE("GPL");
+
+/* Returns 1 if the port is matched by the range, 0 otherwise */
+static inline int
+port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
+{
+ int ret;
+
+ ret = (port >= min && port <= max) ^ invert;
+ return ret;
+}
+
+static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
+{
+ sctp_chunkhdr_t *ch = (sctp_chunkhdr_t *) skb->data;
+
+ u_int32_t chunks_present = 0;
+
+ do {
+ u_int8_t *ch_end;
+ ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length));
+
+ if (ch->type < 32)
+ chunks_present |= (1 << ch_type);
+ else if (ch->type == SCTP_CID_ASCONF)
+ chunks_present |= (1 << 31);
+ else if (ch->type == SCTP_CID_ASCONF_ACK)
+ chunks_present |= (1 << 30);
+
+ ch = (sctp_chunkhdr_t *) ch_end;
+ } while (ch_end < skb->tail);
+
+ return ((chunks_present& chunk_mask) == chunks);
+}
+
+static int match(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const void *matchinfo,
+ int offset, const void *hdr, u_int16_t datalen,
+ int *hotdrop)
+{
+ const struct ipt_sctp_info *info = matchinfo;
+ const struct iphdr *iph = skb->nh.iph;
+ const struct sctphdr *sh = (struct sctphdr *) skb->h.raw;
+
+ if (iph->protocol != IPPROTO_SCTP)
+ return 0;
+
+ if (offset == 1) {
+ duprintf("Dropping evil SCTP offset=1 frag.\n");
+ *hotdrop = 1;
+ return 0;
+ } else if (offset == 0 && datalen < sizeof(struct sctphdr)) {
+ /* We've been askd o examine this packet, and we can't.
+ * Hence, no choice but to drop.
*/
+ duprintf("Dropping evil SCTP offset=0 tinygram.\n");
+ *hotdrop = 1;
+ return 0;
+ }
+
+ return (!offset
+ && port_match(info->spts[0], info->spts[1],
+ ntohs(sh->source),
+ !!(info->invflags & IPT_SCTP_INV_SRCPT))
+ && port_match(info->dpts[0], info->dpts[1],
+ ntohs(sh->dest),
+ !!(info->invflags & IPT_SCTP_INV_DSTPT))
+ && chunk_match(skb, info->chunks, info->chunk_mask)
+ );
+}
+
+static int checkentry(const char *tablename, const struct ipt_ip *ip,
+ void *matchinfo, unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ const struct ipt_sctp_info *info = matchinfo;
+
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_sctp_info)))
+ return 0;
+
+ if (ip->proto != IPPROTO_SCTP && !(ip->invflags & IPT_INV_PROTO))
+ return 0;
+
+ if !(info->invflags & ~IPT_SCTP_INV_MASK)
+ return 0;
+
+ return 1;
+}
+
+static struct ipt_match sctp_match = {
+ .name = "sctp",
+ .match = &match,
+ .checkentry = &checkentry,
+ .me = THIS_MODULE,
+};
+
+static int __init init(void)
+{
+ return ipt_register_match(&sctp_match);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_match(&sctp_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.rej' --exclude '*.orig' linux-2.6.0-test5.org/netfilter-patch-o-matic/patches linux-2.6.0-test5/netfilter-patch-o-matic/patches
--- linux-2.6.0-test5.org/netfilter-patch-o-matic/patches Thu Jan 1 00:00:00 1970
+++ linux-2.6.0-test5/netfilter-patch-o-matic/patches Tue Sep 23 12:57:25 2003
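Review bot: `chunk_match` is a remotely triggerable hang: it reads `ch->length` and `ch->type` without checking that a chunk header fits before `skb->tail`, and a chunk whose `length` field is 0 gives `WORD_ROUND(0) == 0`, so `ch` never advances and the `do`/`while` spins forever on that packet — the only length check in `match` is `datalen < sizeof(struct sctphdr)`, so a 12-byte SCTP packet with no chunk at all already reads past the end on the first iteration. As written it does not compile either: `ch_type` is undefined (should be `ch->type`) and `ch_end` is declared inside the `do` block but tested in the `while` condition. The walk also starts at `skb->data`, which in these hooks appears to be the IP header rather than the first chunk; the chunks begin at `skb->h.raw + sizeof(struct sctphdr)` (confirm against where `h.raw` is set on this path), and `1 << 31` on an `int` should be `1U << 31`. In `checkentry`, `if !(info->invflags & ~IPT_SCTP_INV_MASK)` lacks its parentheses and has the sense inverted — it should be `if (info->invflags & ~IPT_SCTP_INV_MASK) return 0;` so that unknown flag bits are rejected rather than every valid entry. A bounded rewrite of `chunk_match`:
```c
static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
{
	/* Chunks follow the SCTP common header; skb->data is the IP header here. */
	const u_int8_t *p = skb->h.raw + sizeof(struct sctphdr);
	const u_int8_t *end = skb->tail;
	u_int32_t chunks_present = 0;

	while (end - p >= (int) sizeof(sctp_chunkhdr_t)) {
		const sctp_chunkhdr_t *ch = (const sctp_chunkhdr_t *) p;
		unsigned int len = ntohs(ch->length);

		/* A length below the header size never advances p (len == 0 would
		 * loop forever); a length past the tail is a truncated chunk. */
		if (len < sizeof(sctp_chunkhdr_t) || len > end - p)
			break;

		if (ch->type < 32)
			chunks_present |= (1U << ch->type);
		else if (ch->type == SCTP_CID_ASCONF)
			chunks_present |= (1U << 31);
		else if (ch->type == SCTP_CID_ASCONF_ACK)
			chunks_present |= (1U << 30);

		p += WORD_ROUND(len);
	}

	return (chunks_present & chunk_mask) == chunks;
}
```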
@@ -0,0 +1,14 @@
+./base/01_sctp_match.patch
+./pending/23_REJECT-headroom-tcprst.patch
+./pending/24_rcu.patch
+./pending/25-err-ptr.patch
+./pending/26-memsets.patch
+./pending/27_getorigdst-tuple-zero.patch
+./submitted/02_REJECT-headroom-tcprst.patch
+./submitted/03_260t4-mirror-remove.patch
+./submitted/04_260t4-unclean-remove.patch
+./submitted/05_260t4-unexperimental.patch
+./submitted/06_260t4-cosmetic.patch
+./submitted/07_260t4-newmodules_iprange_SAME_NETMAP_CLASSIFY.patch
+./submitted/08_260t4_ipt-helper-kconfig.patch
+./submitted/09_260t4-cosmetic-physdev-author.patch