diff -NurpP --minimal linux-2.6.19-pom-ng/include/linux/netfilter_ipv4/ip_conntrack_quake3.h linux-2.6.19/include/linux/netfilter_ipv4/ip_conntrack_quake3.h
--- linux-2.6.19-pom-ng/include/linux/netfilter_ipv4/ip_conntrack_quake3.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19/include/linux/netfilter_ipv4/ip_conntrack_quake3.h 2006-12-14 11:21:52.000000000 +0100
@@ -0,0 +1,22 @@
+#ifndef _IP_CT_QUAKE3
+#define _IP_CT_QUAKE3
+
+/* Don't confuse with 27960, often used as the Server Port */
+#define QUAKE3_MASTER_PORT 27950
+
+struct quake3_search {
+ const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */
+ const char *pattern;
+ size_t plen;
+};
+
+/* This structure is per expected connection */
+struct ip_ct_quake3_expect {
+};
+
+/* This structure exists only once per master */
+struct ip_ct_quake3_master {
+};
+
+extern unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
+#endif /* _IP_CT_QUAKE3 */
diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/Kconfig linux-2.6.19/net/ipv4/netfilter/Kconfig
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/Kconfig 2006-12-14 11:13:22.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/Kconfig 2006-12-14 11:21:52.000000000 +0100
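Review bot: The header is not self-contained: `struct quake3_search` uses `size_t` and the `extern` line uses `struct ip_conntrack_expect`, and the 22-line hunk declares neither, so it only compiles when the including file happens to have pulled them in first; add `#include <linux/types.h>` and a forward declaration `struct ip_conntrack_expect;` ahead of the `extern`. The `extern unsigned int (*ip_nat_quake3_hook)(...)` declaration also does not match ip_conntrack_quake3.c in this same patch, which defines the hook `static` and never exports it, so ip_nat_quake3.c cannot resolve the symbol it assigns in its `init()`; the definition needs to be non-static with an `EXPORT_SYMBOL` (raised again on the ip_conntrack_quake3.c hunk). `const char marker[4]` is never read by the helper, which skips the filler with `data + 4`, and a const member makes the struct non-assignable; either drop the member or the qualifier, and say in the comment whether the `?` about the 0xff bytes was ever resolved.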
@@ -820,5 +820,23 @@ config IP_NF_MMS
 If you want to compile it as a module, say M here and read
 . If unsure, say `Y'.
+config IP_NF_NAT_QUAKE3
+ tristate
+ depends on IP_NF_CONNTRACK!=n && IP_NF_NAT !=n
+ default IP_NF_NAT if IP_NF_QUAKE3=y
+ default m if IP_NF_QUAKE3=m
+
+config IP_NF_QUAKE3
+ tristate "Quake3 protocol support"
+ depends on IP_NF_CONNTRACK
+ help
+ Quake III Arena connection tracking helper. This module allows for a
+ stricter firewall rulebase if one only allows traffic to a master
+ server. Connections to Quake III server IP addresses and ports returned
+ by the master server will be tracked automatically.
+
+ If you want to compile it as a module, say M here and read
+ . If unsure, say `Y'.
+
 endmenu
diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/Makefile linux-2.6.19/net/ipv4/netfilter/Makefile
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/Makefile 2006-12-14 11:13:22.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/Makefile 2006-12-14 11:21:52.000000000 +0100
@@ -25,6 +25,7 @@ obj-$(CONFIG_IP_NF_CONNTRACK_NETLINK) +=
 obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o
 
 # connection tracking helpers
+obj-$(CONFIG_IP_NF_QUAKE3) += ip_conntrack_quake3.o
 obj-$(CONFIG_IP_NF_MMS) += ip_conntrack_mms.o
 obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o
 obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o
@@ -43,6 +44,7 @@ obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat
 obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o
 obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o
 obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
+obj-$(CONFIG_IP_NF_NAT_QUAKE3) += ip_nat_quake3.o
 obj-$(CONFIG_IP_NF_NAT_SIP) += ip_nat_sip.o
 
 # generic IP tables
diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_conntrack_quake3.c linux-2.6.19/net/ipv4/netfilter/ip_conntrack_quake3.c
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_conntrack_quake3.c 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/ip_conntrack_quake3.c 2006-12-14 11:21:52.000000000 +0100
@@ -0,0 +1,201 @@
+/* Quake3 extension for IP connection tracking
+ * (C) 2002 by Filip Sneppe
+ * (C) 2005 by Harald Welte
+ * based on ip_conntrack_ftp.c and ip_conntrack_tftp.c
+ *
+ * ip_conntrack_quake3.c v0.04 2002-08-31
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Module load syntax:
+ * insmod ip_conntrack_quake3.o ports=port1,port2,...port
+ *
+ * please give the ports of all Quake3 master servers You wish to
+ * connect to. If you don't specify ports, the default will be UDP
+ * port 27950.
+ *
+ * Thanks to the Ethereal folks for their analysis of the Quake3 protocol.
+ */
+
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+
+MODULE_AUTHOR("Filip Sneppe ");
+MODULE_DESCRIPTION("Netfilter connection tracking module for Quake III Arena");
+MODULE_LICENSE("GPL");
+
+#define MAX_PORTS 8
+static int ports[MAX_PORTS];
+static int ports_c = 0;
+module_param_array(ports, int, &ports_c, 0400);
+MODULE_PARM_DESC(ports, "port numbers of Quake III master servers");
+
+static char quake3_buffer[65536];
+static DECLARE_LOCK(quake3_buffer_lock);
+
+static unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
+
+/* Quake3 master server reply will add > 100 expectations per reply packet; when
+ doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+struct quake3_search quake3s_conntrack = { "****", "getserversResponse", sizeof("getserversResponse") - 1 };
+
+static int quake3_help(struct sk_buff **pskb,
+ struct ip_conntrack *ct,
+ enum ip_conntrack_info ctinfo)
+{
+ struct udphdr _udph, *uh;
+ struct ip_conntrack_expect *exp;
+ void *data, *qb_ptr;
+ int dir = CTINFO2DIR(ctinfo);
+ int i, dataoff;
+ int ret = NF_ACCEPT;
+
+
+ /* Until there's been traffic both ways, don't look in packets. note:
+ * it's UDP ! */
+ if (ctinfo != IP_CT_ESTABLISHED
+ && ctinfo != IP_CT_IS_REPLY) {
+ DEBUGP("ip_conntrack_quake3: not ok ! Conntrackinfo = %u\n",
+ ctinfo);
+ return NF_ACCEPT;
+ } else {
+ DEBUGP("ip_conntrack_quake3: it's ok ! Conntrackinfo = %u\n",
+ ctinfo);
+ }
+
+ /* Valid UDP header? */
+ uh = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
+ sizeof(_udph), &_udph);
+ if (!uh)
+ return NF_ACCEPT;
+
+ /* Any data? */
+ dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+ if (dataoff >= (*pskb)->len)
+ return NF_ACCEPT;
+
+ LOCK_BH(&quake3_buffer_lock);
+ qb_ptr = skb_header_pointer(*pskb, dataoff,
+ (*pskb)->len - dataoff, quake3_buffer);
+ BUG_ON(qb_ptr == NULL);
+ data = qb_ptr;
+
+
+ if (strnicmp(data + 4, quake3s_conntrack.pattern,
+ quake3s_conntrack.plen) == 0) {
+ for(i=23; /* 4 bytes filler, 18 bytes "getserversResponse",
+ 1 byte "\" */
+ i+6 < ntohs(uh->len);
+ i+=7) {
+ u_int32_t *ip = data+i;
+ u_int16_t *port = data+i+4;
+#if 0
+ DEBUGP("ip_conntrack_quake3: adding server at offset "
+ "%u/%u %u.%u.%u.%u:%u\n", i, ntohs(uh->len),
+ NIPQUAD(*ip), ntohs(*port));
+#endif
+
+ exp = ip_conntrack_expect_alloc();
+ if (!exp) {
+ ret = NF_DROP;
+ goto out;
+ }
+
+ memset(exp, 0, sizeof(*exp));
+
+ exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
+ exp->tuple.dst.ip = *ip;
+ exp->tuple.dst.u.udp.port = *port;
+ exp->tuple.dst.protonum = IPPROTO_UDP;
+
+ exp->mask.src.ip = 0xffffffff;
+ exp->mask.dst.ip = 0xffffffff;
+ exp->mask.dst.u.udp.port = 0xffff;
+ exp->mask.dst.protonum = 0xff;
+
+ if (ip_nat_quake3_hook)
+ ret = ip_nat_quake3_hook(exp);
+ else if (ip_conntrack_expect_related(exp) != 0) {
+ ip_conntrack_expect_free(exp);
+ ret = NF_DROP;
+ }
+ goto out;
+ }
+ }
+
+out:
+ return ret;
+}
+
+static struct ip_conntrack_helper quake3[MAX_PORTS];
+static char quake3_names[MAX_PORTS][13]; /* quake3-65535 */
+
+static void fini(void)
+{
+ int i;
+
+ for(i = 0 ; (i < ports_c); i++) {
+ DEBUGP("ip_conntrack_quake3: unregistering helper for port %d\n",
+ ports[i]);
+ ip_conntrack_helper_unregister(&quake3[i]);
+ }
+}
+
+static int __init init(void)
+{
+ int i, ret;
+ char *tmpname;
+
+ if(!ports[0])
+ ports[0]=QUAKE3_MASTER_PORT;
+
+ for(i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
+ /* Create helper structure */
+ memset(&quake3[i], 0, sizeof(struct ip_conntrack_helper));
+
+ quake3[i].tuple.dst.protonum = IPPROTO_UDP;
+ quake3[i].tuple.src.u.udp.port = htons(ports[i]);
+ quake3[i].mask.dst.protonum = 0xFF;
+ quake3[i].mask.src.u.udp.port = 0xFFFF;
+ quake3[i].help = quake3_help;
+ quake3[i].me = THIS_MODULE;
+ quake3[i].timeout = 120;
+
+ tmpname = &quake3_names[i][0];
+ if (ports[i] == QUAKE3_MASTER_PORT)
+ sprintf(tmpname, "quake3");
+ else
+ sprintf(tmpname, "quake3-%d", i);
+ quake3[i].name = tmpname;
+
+ DEBUGP("ip_conntrack_quake3: registering helper for port %d\n",
+ ports[i]);
+
+ ret=ip_conntrack_helper_register(&quake3[i]);
+ if(ret) {
+ fini();
+ return(ret);
+ }
+ ports_c++;
+ }
+
+ return(0);
+}
+
+module_init(init);
+module_exit(fini);
diff -NurpP --minimal linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_nat_quake3.c linux-2.6.19/net/ipv4/netfilter/ip_nat_quake3.c
--- linux-2.6.19-pom-ng/net/ipv4/netfilter/ip_nat_quake3.c 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/ip_nat_quake3.c 2006-12-14 11:21:52.000000000 +0100
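Review bot: `quake3_help` takes `LOCK_BH(&quake3_buffer_lock)` before copying the payload but no path releases it — every exit after that point goes through `out:` and returns with the lock still held, so the next packet on any tracked master connection deadlocks in BH context; `out:` needs `UNLOCK_BH(&quake3_buffer_lock);` before `return ret;`. The parser also trusts the datagram's own length field: `strnicmp(data + 4, …, plen)` runs without checking that the payload holds `4 + plen` bytes, and the loop bound `i+6 < ntohs(uh->len)` uses the UDP header length (which counts the 8-byte header and comes from the packet) instead of `(*pskb)->len - dataoff`, the number of bytes actually copied, so a short or mis-sized datagram makes the loop read past the payload. Nothing in the hunk sets `exp->master` (the `memset` zeroes the struct right after allocation), yet `quake3_nat_help` in ip_nat_quake3.c starts with `ct = exp->master` and dereferences it; add `exp->master = ct;` with the tuple setup. `ip_nat_quake3_hook` is defined `static` here while the header declares it `extern` and ip_nat_quake3.c assigns it, so the NAT module cannot link and the hook branch in this file is dead code; make it a non-static, exported definition. The `goto out;` inside the `for` body also stops after the first server entry, which contradicts the ">100 expectations per reply packet" comment above — if one expectation per reply is intended, say so in a comment, otherwise drop the `goto`.
```c
	unsigned int datalen;		/* bytes of UDP payload actually present in the skb */
	/* … unchanged: other locals, ctinfo check, UDP header lookup … */

	/* Any data? */
	dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
	if (dataoff >= (*pskb)->len)
		return NF_ACCEPT;
	datalen = (*pskb)->len - dataoff;

	LOCK_BH(&quake3_buffer_lock);
	qb_ptr = skb_header_pointer(*pskb, dataoff, datalen, quake3_buffer);
	BUG_ON(qb_ptr == NULL);
	data = qb_ptr;

	/* The 4 filler bytes plus the whole pattern must be present before comparing. */
	if (datalen >= 4 + quake3s_conntrack.plen
	    && strnicmp(data + 4, quake3s_conntrack.pattern,
			quake3s_conntrack.plen) == 0) {
		/* Bound on the bytes we actually hold, never on the UDP length field. */
		for (i = 23; i + 6 <= datalen; i += 7) {
			/* … unchanged: ip/port extraction, expect_alloc, memset, tuple/mask setup … */
			exp->master = ct;	/* quake3_nat_help and expect_related need the master */
			/* … unchanged: NAT hook / expect_related, goto out … */
		}
	}

out:
	UNLOCK_BH(&quake3_buffer_lock);
	return ret;
```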
@@ -0,0 +1,97 @@
+/* Quake3 extension for UDP NAT alteration.
+ * (C) 2002 by Filip Sneppe
+ * (C) 2005 by Harald Welte
+ * based on ip_nat_ftp.c and ip_nat_tftp.c
+ *
+ * ip_nat_quake3.c v0.0.3 2002-08-31
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Module load syntax:
+ * insmod ip_nat_quake3.o ports=port1,port2,...port
+ *
+ * please give the ports of all Quake3 master servers You wish to
+ * connect to. If you don't specify ports, the default will be UDP
+ * port 27950.
+ *
+ * Thanks to the Ethereal folks for their analysis of the Quake3 protocol.
+ *
+ * Notes:
+ * - If you're one of those people who would try anything to lower
+ * latency while playing Quake (and who isn't :-) ), you may want to
+ * consider not loading ip_nat_quake3 at all and just MASQUERADE all
+ * outgoing UDP traffic.
+ * This will make ip_conntrack_quake3 add the necessary expectations,
+ * but there will be no overhead for client->server UDP streams. If
+ * ip_nat_quake3 is loaded, quake3_nat_expected will be called per NAT
+ * hook for every packet in the client->server UDP stream.
+ * - Only SNAT/MASQUEARDE targets are useful for ip_nat_quake3.
+ * The IP addresses in the master connection payload (=IP addresses
+ * of Quake servers) have no relation with the master server so
+ * DNAT'ing the master connection to a server should not change the
+ * expected connections.
+ * - Not tested due to lack of equipment:
+ * - multiple Quake3 clients behind one MASQUERADE gateway
+ * - what if Quake3 client is running on router too
+ */
+
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+
+MODULE_AUTHOR("Filip Sneppe ");
+MODULE_DESCRIPTION("Netfilter NAT helper for Quake III Arena");
+MODULE_LICENSE("GPL");
+
+/* Quake3 master server reply will add > 100 expectations per reply packet; when
+ doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+static unsigned int
+quake3_nat_help(struct ip_conntrack_expect *exp)
+{
+ struct ip_conntrack *ct = exp->master;
+
+ /* What is this? Why don't we try to alter the port? -HW */
+ exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
+ exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
+ exp->expectfn = ip_nat_follow_master;
+ //exp->dir = !dir;
+
+ if (ip_conntrack_expect_related(exp) != 0) {
+ ip_conntrack_expect_free(exp);
+ return NF_DROP;
+ }
+
+ return NF_ACCEPT;
+}
+
+static void fini(void)
+{
+ ip_nat_quake3_hook = NULL;
+ synchronize_net();
+}
+
+static int __init init(void)
+{
+ BUG_ON(ip_nat_quake3_hook);
+ ip_nat_quake3_hook = quake3_nat_help;
+ return 0;
+}
+
+module_init(init);
+module_exit(fini);
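Review bot: `quake3_nat_help` ships with a question where a contract should be — `/* What is this? Why don't we try to alter the port? -HW */` — and a dead line `//exp->dir = !dir;` that references a `dir` that is not declared anywhere in this function; delete the dead line and replace the question with a statement of intent or an explicit TODO, e.g. `/* Expect the client's ORIGINAL-direction (pre-NAT) source address; the source port is not rewritten here. TODO: confirm that is sufficient for clients behind NAT. */`. The assignment to `exp->tuple.src.ip` appears to repeat what ip_conntrack_quake3.c already stored for reply-direction packets (`ct->tuplehash[!dir].tuple.src.ip` with `dir` the reply direction), so if it is kept the comment should say why the NAT side re-derives it. This function also dereferences `exp->master` on its first line, which the conntrack helper in this patch never sets (raised on the ip_conntrack_quake3.c hunk), and `fini` lacks the `__exit` marker that pairs with `__init` on `init`.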