authorAdam Gołębiowski2007-08-18 17:43:48 (GMT)
committercvs2git2012-06-24 12:13:13 (GMT)
commit9a83d11c88bb9c656ea9e03e711516b368e11127 (patch)
tree3d4d152ba74bcef6cd373de143fc9bb2f26b3b6d
parent725d067d92b9a7d733816db3273723744028182a (diff)
Changed files: kernel-desktop-pom-ng-IPMARK.patch -> 1.2 kernel-desktop-pom-ng-IPV4OPTSSTRIP.patch -> 1.2 kernel-desktop-pom-ng-ROUTE.patch -> 1.2 kernel-desktop-pom-ng-TARPIT.patch -> 1.2 kernel-desktop-pom-ng-connlimit.patch -> 1.2 kernel-desktop-pom-ng-ipp2p.patch -> 1.2 kernel-desktop-pom-ng-ipv4options.patch -> 1.2 kernel-desktop-pom-ng-rpc.patch -> 1.2 kernel-desktop-pom-ng-set.patch -> 1.2 kernel-desktop-pom-ng-time.patch -> 1.2 kernel-desktop-pom-ng-u32.patch -> 1.2
-rw-r--r--kernel-desktop-pom-ng-IPMARK.patch89
-rw-r--r--kernel-desktop-pom-ng-IPV4OPTSSTRIP.patch51
-rw-r--r--kernel-desktop-pom-ng-ROUTE.patch185
-rw-r--r--kernel-desktop-pom-ng-TARPIT.patch171
-rw-r--r--kernel-desktop-pom-ng-connlimit.patch213
-rw-r--r--kernel-desktop-pom-ng-ipp2p.patch117
-rw-r--r--kernel-desktop-pom-ng-ipv4options.patch72
-rw-r--r--kernel-desktop-pom-ng-rpc.patch281
-rw-r--r--kernel-desktop-pom-ng-set.patch1027
-rw-r--r--kernel-desktop-pom-ng-time.patch162
-rw-r--r--kernel-desktop-pom-ng-u32.patch96
11 files changed, 1432 insertions, 1032 deletions
diff --git a/kernel-desktop-pom-ng-IPMARK.patch b/kernel-desktop-pom-ng-IPMARK.patch
index 7efffa5..d8839ad 100644
--- a/kernel-desktop-pom-ng-IPMARK.patch
+++ b/kernel-desktop-pom-ng-IPMARK.patch
@@ -1,12 +1,6 @@
- include/linux/netfilter_ipv4/ipt_IPMARK.h | 13 ++++
- net/ipv4/netfilter/Kconfig | 18 ++++++
- net/ipv4/netfilter/Makefile | 1
- net/ipv4/netfilter/ipt_IPMARK.c | 79 ++++++++++++++++++++++++++++++
- 4 files changed, 111 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_IPMARK.h linux/include/linux/netfilter_ipv4/ipt_IPMARK.h
---- linux.org/include/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ipt_IPMARK.h 2006-05-04 11:19:22.000000000 +0200
+diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_IPMARK.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_IPMARK.h
+--- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_IPMARK.h 2007-05-30 12:01:20.000000000 +0200
@@ -0,0 +1,13 @@
+#ifndef _IPT_IPMARK_H_target
+#define _IPT_IPMARK_H_target
@@ -21,12 +15,12 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_IPMARK.h
+#define IPT_IPMARK_DST 1
+
+#endif /*_IPT_IPMARK_H_target*/
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 11:19:22.000000000 +0200
-@@ -606,5 +606,23 @@
- Allows altering the ARP packet payload: source and destination
- hardware and network addresses.
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
+--- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 12:01:03.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 12:01:20.000000000 +0200
+@@ -893,5 +893,23 @@ config IP_NF_RSH
+ If you want to compile it as a module, say M here and read
+ <file:Documentation/modules.txt>. If unsure, say `N'.
+config IP_NF_TARGET_IPMARK
+ tristate 'IPMARK target support'
@@ -48,20 +42,27 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4
+
endmenu
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 11:19:22.000000000 +0200
-@@ -0,0 +0,1 @@
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
+--- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 12:01:03.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 12:01:21.000000000 +0200
+@@ -118,6 +118,7 @@ obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP)
+ obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
+ obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
+ obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
+obj-$(CONFIG_IP_NF_TARGET_IPMARK) += ipt_IPMARK.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_IPMARK.c linux/net/ipv4/netfilter/ipt_IPMARK.c
---- linux.org/net/ipv4/netfilter/ipt_IPMARK.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_IPMARK.c 2006-05-04 11:19:22.000000000 +0200
-@@ -0,0 +1,79 @@
+
+ # generic ARP tables
+ obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_IPMARK.c linux-2.6.21.b/net/ipv4/netfilter/ipt_IPMARK.c
+--- linux-2.6.21.a/net/ipv4/netfilter/ipt_IPMARK.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/net/ipv4/netfilter/ipt_IPMARK.c 2007-05-30 12:01:21.000000000 +0200
+@@ -0,0 +1,96 @@
+#include <linux/module.h>
+#include <linux/skbuff.h>
++#include <linux/version.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
-+
++#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_IPMARK.h>
+
@@ -74,11 +75,14 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_IPMARK.c linux/net
+ const struct net_device *in,
+ const struct net_device *out,
+ unsigned int hooknum,
-+ const void *targinfo,
-+ void *userinfo)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_target *target,
++#endif
++ const void *targinfo
++ )
+{
+ const struct ipt_ipmark_target_info *ipmarkinfo = targinfo;
-+ struct iphdr *iph = (*pskb)->nh.iph;
++ struct iphdr *iph = ip_hdr(*pskb);
+ unsigned long mark;
+
+ if (ipmarkinfo->addr == IPT_IPMARK_SRC)
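Review bot: The `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)` guard around the `target` parameter adds a branch this patch can never build, since the surrounding context (ip_hdr(), skb->mark, xt_register_target) only exists on the 2.6.22 tree the patch is applied to. Version guards in a distribution patch pinned to one kernel are dead code that drifts out of sync with the live branch and hides real signature mistakes. Write the plain signature instead: `const struct xt_target *target, const void *targinfo)` and drop the lone `)` line and the `<linux/version.h>` include.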
@@ -89,25 +93,35 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_IPMARK.c linux/net
+ mark &= ipmarkinfo->andmask;
+ mark |= ipmarkinfo->ormask;
+
-+ if ((*pskb)->nfmark != mark)
-+ (*pskb)->nfmark = mark;
++ if ((*pskb)->mark != mark)
++ (*pskb)->mark = mark;
+
+ return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
++ const void *e,
++#else
+ const struct ipt_entry *e,
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_target *target,
++#endif
+ void *targinfo,
-+ unsigned int targinfosize,
++
+ unsigned int hook_mask)
+{
++
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
+ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ipmark_target_info))) {
+ printk(KERN_WARNING "IPMARK: targinfosize %u != %Zu\n",
+ targinfosize,
+ IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)));
+ return 0;
+ }
++#endif
+
+ if (strcmp(tablename, "mangle") != 0) {
+ printk(KERN_WARNING "IPMARK: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
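Review bot: The `#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)` block still reads `targinfosize`, but the parameter was removed from checkentry()'s signature unconditionally (the `unsigned int targinfosize,` line was replaced by an empty one), so the guarded branch can no longer compile on the kernels it claims to support. The size check is now enforced by xt_check_target() against `.targetsize`, so the whole block should simply be deleted along with the stray blank line in the parameter list, rather than kept as a compat path that is both dead and broken. The rest of checkentry() continues past this hunk.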
@@ -118,20 +132,23 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_IPMARK.c linux/net
+}
+
+static struct ipt_target ipt_ipmark_reg = {
-+ .name = "IPMARK",
-+ .target = target,
-+ .checkentry = checkentry,
-+ .me = THIS_MODULE
++ .name = "IPMARK",
++ .target = target,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ .targetsize = sizeof(struct ipt_ipmark_target_info),
++#endif
++ .checkentry = checkentry,
++ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
-+ return ipt_register_target(&ipt_ipmark_reg);
++ return xt_register_target(&ipt_ipmark_reg);
+}
+
+static void __exit fini(void)
+{
-+ ipt_unregister_target(&ipt_ipmark_reg);
++ xt_unregister_target(&ipt_ipmark_reg);
+}
+
+module_init(init);
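Review bot: `ipt_ipmark_reg` never sets `.family`, yet init() now calls xt_register_target() directly. As far as I can tell the removed ipt_register_target() wrapper is what used to fill in AF_INET before delegating; xt_register_target() files the target under `target->family` as-is, so with the field zeroed it lands in the AF_UNSPEC list and ip_tables' xt_find_target(AF_INET, "IPMARK", 0) will not see it, which shows up to the admin as "No chain/target/match by that name" when the rule is loaded. Add `.family = AF_INET,` to the initializer, e.g. right after `.name = "IPMARK",`. The same omission applies to the other targets in this series that were switched to xt_register_target().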
diff --git a/kernel-desktop-pom-ng-IPV4OPTSSTRIP.patch b/kernel-desktop-pom-ng-IPV4OPTSSTRIP.patch
index 03052b6..92895ac 100644
--- a/kernel-desktop-pom-ng-IPV4OPTSSTRIP.patch
+++ b/kernel-desktop-pom-ng-IPV4OPTSSTRIP.patch
@@ -1,12 +1,7 @@
- Kconfig | 10 +++++
- Makefile | 1
- ipt_IPV4OPTSSTRIP.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 98 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 09:57:42.000000000 +0200
-@@ -606,5 +606,15 @@
+diff -NurpP --minimal linux-2.6.21.b/net/ipv4/netfilter/Kconfig linux-2.6.21.a/net/ipv4/netfilter/Kconfig
+--- linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:11:52.000000000 +0200
++++ linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:18:08.000000000 +0200
+@@ -668,5 +668,15 @@ config IP_NF_ARP_MANGLE
Allows altering the ARP packet payload: source and destination
hardware and network addresses.
@@ -22,14 +17,20 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4
+
endmenu
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 09:57:42.000000000 +0200
-@@ -0,0 +0,1 @@
+diff -NurpP --minimal linux-2.6.21.b/net/ipv4/netfilter/Makefile linux-2.6.21.a/net/ipv4/netfilter/Makefile
+--- linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 11:11:52.000000000 +0200
++++ linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 11:18:08.000000000 +0200
+@@ -103,6 +103,7 @@ obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt
+ obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o
+ obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
+ obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
---- linux.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 2006-05-04 09:57:42.000000000 +0200
+ obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
+ obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
+ obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
+diff -NurpP --minimal linux-2.6.21.b/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux-2.6.21.a/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
+--- linux-2.6.21.b/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.a/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 2007-05-30 11:18:08.000000000 +0200
@@ -0,0 +1,87 @@
+/**
+ * Strip all IP options in the IP packet header.
@@ -42,7 +43,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c li
+#include <linux/skbuff.h>
+#include <net/ip.h>
+#include <net/checksum.h>
-+
++#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>");
@@ -54,8 +55,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c li
+ const struct net_device *in,
+ const struct net_device *out,
+ unsigned int hooknum,
-+ const void *targinfo,
-+ void *userinfo)
++ const struct xt_target *target,
++ const void *targinfo)
+{
+ struct iphdr *iph;
+ struct sk_buff *skb;
@@ -67,8 +68,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c li
+ return NF_DROP;
+
+ skb = (*pskb);
-+ iph = (*pskb)->nh.iph;
-+ optiph = skb->nh.raw;
++ iph = ip_hdr(*pskb);
++ optiph = skb->network_header;
+ l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
+
+ /* if no options in packet then nothing to clear. */
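Review bot: `optiph = skb->network_header;` is wrong on 64-bit builds: in this kernel `network_header` is a `sk_buff_data_t`, which is an offset into the skb rather than a pointer whenever NET_SKBUFF_DATA_USES_OFFSET is set, so `optiph` ends up holding a small integer and the later option-stripping write through it (outside this hunk) would corrupt kernel memory. The line above already uses ip_hdr(), which expands to skb_network_header(); use the same accessor here: `optiph = skb_network_header(skb);`. The target function continues beyond the end of this hunk.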
@@ -87,9 +88,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c li
+
+static int
+checkentry(const char *tablename,
-+ const struct ipt_entry *e,
++ const void *e,
++ const struct xt_target *target,
+ void *targinfo,
-+ unsigned int targinfosize,
+ unsigned int hook_mask)
+{
+ if (strcmp(tablename, "mangle")) {
@@ -108,12 +109,12 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c li
+
+static int __init init(void)
+{
-+ return ipt_register_target(&ipt_ipv4optsstrip_reg);
++ return xt_register_target(&ipt_ipv4optsstrip_reg);
+}
+
+static void __exit fini(void)
+{
-+ ipt_unregister_target(&ipt_ipv4optsstrip_reg);
++ xt_unregister_target(&ipt_ipv4optsstrip_reg);
+}
+
+module_init(init);
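Review bot: init() now calls xt_register_target() on `ipt_ipv4optsstrip_reg`, whose definition is outside this hunk, so please confirm it sets `.family = AF_INET`. xt_register_target() registers under `target->family` without defaulting it, and a zeroed field places the target in the AF_UNSPEC list where ip_tables' AF_INET lookup will not find it. If the field is missing, add `.family = AF_INET,` next to `.name` in the struct.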
diff --git a/kernel-desktop-pom-ng-ROUTE.patch b/kernel-desktop-pom-ng-ROUTE.patch
index ebe390f..f008f42 100644
--- a/kernel-desktop-pom-ng-ROUTE.patch
+++ b/kernel-desktop-pom-ng-ROUTE.patch
@@ -1,17 +1,6 @@
- include/linux/netfilter_ipv4/ipt_ROUTE.h | 23 +
- include/linux/netfilter_ipv6/ip6t_ROUTE.h | 23 +
- net/ipv4/netfilter/Kconfig | 17 +
- net/ipv4/netfilter/Makefile | 1
- net/ipv4/netfilter/ipt_ROUTE.c | 464 ++++++++++++++++++++++++++++++
- net/ipv6/ipv6_syms.c | 1
- net/ipv6/netfilter/Kconfig | 13
- net/ipv6/netfilter/Makefile | 1
- net/ipv6/netfilter/ip6t_ROUTE.c | 308 +++++++++++++++++++
- 9 files changed, 851 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_ROUTE.h linux/include/linux/netfilter_ipv4/ipt_ROUTE.h
---- linux.org/include/linux/netfilter_ipv4/ipt_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ipt_ROUTE.h 2006-05-04 11:20:35.000000000 +0200
+diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ROUTE.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ROUTE.h
+--- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ROUTE.h 2007-05-30 11:40:37.000000000 +0200
@@ -0,0 +1,23 @@
+/* Header file for iptables ipt_ROUTE target
+ *
@@ -36,9 +25,9 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_ROUTE.h
+#define IPT_ROUTE_TEE 0x02
+
+#endif /*_IPT_ROUTE_H_target*/
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv6/ip6t_ROUTE.h linux/include/linux/netfilter_ipv6/ip6t_ROUTE.h
---- linux.org/include/linux/netfilter_ipv6/ip6t_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv6/ip6t_ROUTE.h 2006-05-04 11:20:35.000000000 +0200
+diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv6/ip6t_ROUTE.h linux-2.6.21.b/include/linux/netfilter_ipv6/ip6t_ROUTE.h
+--- linux-2.6.21.a/include/linux/netfilter_ipv6/ip6t_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/include/linux/netfilter_ipv6/ip6t_ROUTE.h 2007-05-30 11:40:37.000000000 +0200
@@ -0,0 +1,23 @@
+/* Header file for iptables ip6t_ROUTE target
+ *
@@ -63,12 +52,12 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv6/ip6t_ROUTE.h
+#define IP6T_ROUTE_TEE 0x02
+
+#endif /*_IP6T_ROUTE_H_target*/
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 11:20:35.000000000 +0200
-@@ -606,5 +606,22 @@
- Allows altering the ARP packet payload: source and destination
- hardware and network addresses.
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
+--- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:39:28.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:40:37.000000000 +0200
+@@ -813,5 +813,22 @@ config IP_NF_MATCH_U32
+
+ Details and examples are in the kernel module source.
+config IP_NF_TARGET_ROUTE
+ tristate 'ROUTE target support'
@@ -89,15 +78,21 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4
+
endmenu
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 11:20:35.000000000 +0200
-@@ -0,0 +0,1 @@
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
+--- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 11:39:28.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 11:40:37.000000000 +0200
+@@ -104,6 +104,7 @@ obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_EC
+ obj-$(CONFIG_IP_NF_TARGET_IMQ) += ipt_IMQ.o
+ obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
+ obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
+obj-$(CONFIG_IP_NF_TARGET_ROUTE) += ipt_ROUTE.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ROUTE.c linux/net/ipv4/netfilter/ipt_ROUTE.c
---- linux.org/net/ipv4/netfilter/ipt_ROUTE.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_ROUTE.c 2006-05-04 11:20:35.000000000 +0200
-@@ -0,0 +1,464 @@
+ obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
+ obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o
+ obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_ROUTE.c linux-2.6.21.b/net/ipv4/netfilter/ipt_ROUTE.c
+--- linux-2.6.21.a/net/ipv4/netfilter/ipt_ROUTE.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/net/ipv4/netfilter/ipt_ROUTE.c 2007-05-30 11:40:37.000000000 +0200
+@@ -0,0 +1,458 @@
+/*
+ * This implements the ROUTE target, which enables you to setup unusual
+ * routes not supported by the standard kernel routing table.
@@ -112,8 +107,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ROUTE.c linux/net/
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
++#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter_ipv4/ip_conntrack.h>
++#include <net/netfilter/nf_conntrack.h>
+#include <linux/netfilter_ipv4/ipt_ROUTE.h>
+#include <linux/netdevice.h>
+#include <linux/route.h>
@@ -156,7 +152,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ROUTE.c linux/net/
+{
+ int err;
+ struct rtable *rt;
-+ struct iphdr *iph = skb->nh.iph;
++ struct iphdr *iph = ip_hdr(skb);
+ struct flowi fl = {
+ .oif = ifindex,
+ .nl_u = {
@@ -234,14 +230,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ROUTE.c linux/net/
+ }
+
+ if (hh) {
-+ int hh_alen;
-+
-+ read_lock_bh(&hh->hh_lock);
-+ hh_alen = HH_DATA_ALIGN(hh->hh_len);
-+ memcpy(skb->data - hh_alen, hh->hh_data, hh_alen);
-+ read_unlock_bh(&hh->hh_lock);
-+ skb_push(skb, hh->hh_len);
-+ hh->hh_output(skb);
++ neigh_hh_output(dst->hh, skb);
+ } else if (dst->neighbour)
+ dst->neighbour->output(skb);
+ else {
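Review bot: The branch tests the local `hh` but then passes `dst->hh` to neigh_hh_output(); the two are the same pointer, so this is only a style point, but reading the same field twice invites the impression that they might differ. Use `neigh_hh_output(hh, skb);` to keep the condition and the call on the same variable. The enclosing send helper starts before this hunk.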
@@ -374,14 +363,15 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ROUTE.c linux/net/
+ * routing packets when we see they already have that ->nfct.
+ */
+
-+static struct ip_conntrack route_tee_track;
++static struct nf_conn route_tee_track;
+
+static unsigned int ipt_route_target(struct sk_buff **pskb,
+ const struct net_device *in,
+ const struct net_device *out,
+ unsigned int hooknum,
-+ const void *targinfo,
-+ void *userinfo)
++ const struct xt_target *target,
++ const void *targinfo
++ )
+{
+ const struct ipt_route_target_info *route_info = targinfo;
+ struct sk_buff *skb = *pskb;
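Review bot: `route_tee_track` is now a static `struct nf_conn` that the TEE path later attaches to skb->nfct and pins with nf_conntrack_get(). When the duplicated skb is freed, nf_conntrack_put() decrements `ct_general.use` and on reaching zero calls `ct_general.destroy`, which is NULL for a static object, so the base reference count must be set to 1 in init() exactly as the old ip_conntrack version did; init()'s beginning is outside the hunks shown, so this needs confirming. A comment on the declaration would help the next porter: `/* Fake conntrack for TEE'd copies: never freed, use count pinned at 1 in init() so NAT skips it. */`.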
@@ -402,7 +392,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ROUTE.c linux/net/
+ if (hooknum == NF_IP_PRE_ROUTING ||
+ hooknum == NF_IP_LOCAL_IN) {
+
-+ struct iphdr *iph = skb->nh.iph;
++ struct iphdr *iph = ip_hdr(skb);
+
+ if (iph->ttl <= 1) {
+ struct rtable *rt;
@@ -478,9 +468,6 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ROUTE.c linux/net/
+ skb->nfct = &route_tee_track.ct_general;
+ skb->nfctinfo = IP_CT_NEW;
+ nf_conntrack_get(skb->nfct);
-+#ifdef CONFIG_NETFILTER_DEBUG
-+ skb->nf_debug = 0;
-+#endif
+ }
+
+ if (route_info->oif[0] != '\0') {
@@ -504,8 +491,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ROUTE.c linux/net/
+
+static int ipt_route_checkentry(const char *tablename,
+ const void *e,
++ const struct xt_target *target,
+ void *targinfo,
-+ unsigned int targinfosize,
++
+ unsigned int hook_mask)
+{
+ if (strcmp(tablename, "mangle") != 0) {
@@ -523,12 +511,12 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ROUTE.c linux/net/
+ return 0;
+ }
+
-+ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_route_target_info))) {
-+ printk(KERN_WARNING "ipt_ROUTE: targinfosize %u != %Zu\n",
-+ targinfosize,
-+ IPT_ALIGN(sizeof(struct ipt_route_target_info)));
-+ return 0;
-+ }
++
++
++
++
++
++
+
+ return 1;
+}
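Review bot: Removing the targinfosize check leaves six empty `+` lines in the new file where the block used to be, so the generated ipt_ROUTE.c carries a run of blank padding in checkentry(). Delete those lines outright; the length check is now performed by xt_check_target() against `.targetsize`, so no replacement code is needed. The blank line left in the parameter list of the previous hunk where `targinfosize` was should go for the same reason.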
@@ -537,6 +525,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ROUTE.c linux/net/
+static struct ipt_target ipt_route_reg = {
+ .name = "ROUTE",
+ .target = ipt_route_target,
++ .targetsize = sizeof(struct ipt_route_target_info),
+ .checkentry = ipt_route_checkentry,
+ .me = THIS_MODULE,
+};
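Review bot: `ipt_route_reg` gains `.targetsize` but still has no `.family`, and init() now calls xt_register_target() directly. Without `.family = AF_INET` the target is registered in the AF_UNSPEC list and ip_tables' AF_INET lookup will not find "ROUTE", so rules using it fail to load. Add `.family = AF_INET,` to the initializer, e.g. after `.name = "ROUTE",`.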
@@ -551,37 +540,26 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ROUTE.c linux/net/
+ /* Initialize fake conntrack so that NAT will skip it */
+ route_tee_track.status |= IPS_NAT_DONE_MASK;
+
-+ return ipt_register_target(&ipt_route_reg);
++ return xt_register_target(&ipt_route_reg);
+}
+
+
+static void __exit fini(void)
+{
-+ ipt_unregister_target(&ipt_route_reg);
++ xt_unregister_target(&ipt_route_reg);
+}
+
+module_init(init);
+module_exit(fini);
-diff -Nur --exclude '*.orig' linux.org/net/ipv6/ipv6_syms.c linux/net/ipv6/ipv6_syms.c
---- linux.org/net/ipv6/ipv6_syms.c 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv6/ipv6_syms.c 2006-05-04 11:20:35.000000000 +0200
-@@ -12,6 +12,7 @@
- EXPORT_SYMBOL(icmpv6_statistics);
- EXPORT_SYMBOL(icmpv6_err_convert);
- EXPORT_SYMBOL(ndisc_mc_map);
-+EXPORT_SYMBOL(nd_tbl);
- EXPORT_SYMBOL(register_inet6addr_notifier);
- EXPORT_SYMBOL(unregister_inet6addr_notifier);
- EXPORT_SYMBOL(ip6_route_output);
-diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/Kconfig linux/net/ipv6/netfilter/Kconfig
---- linux.org/net/ipv6/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv6/netfilter/Kconfig 2006-05-04 11:20:35.000000000 +0200
-@@ -210,5 +210,18 @@
+diff -NurpP --minimal linux-2.6.21.a/net/ipv6/netfilter/Kconfig linux-2.6.21.b/net/ipv6/netfilter/Kconfig
+--- linux-2.6.21.a/net/ipv6/netfilter/Kconfig 2007-05-30 11:13:04.000000000 +0200
++++ linux-2.6.21.b/net/ipv6/netfilter/Kconfig 2007-05-30 11:40:37.000000000 +0200
+@@ -209,5 +209,18 @@ config IP6_NF_RAW
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
+config IP6_NF_TARGET_ROUTE
-+ tristate ' ROUTE target support'
++ tristate 'ROUTE target support'
+ depends on IP6_NF_MANGLE
+ help
+ This option adds a `ROUTE' target, which enables you to setup unusual
@@ -595,14 +573,20 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/Kconfig linux/net/ipv6
+
endmenu
-diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/Makefile linux/net/ipv6/netfilter/Makefile
---- linux.org/net/ipv6/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv6/netfilter/Makefile 2006-05-04 11:20:35.000000000 +0200
-@@ -0,0 +0,1 @@
+diff -NurpP --minimal linux-2.6.21.a/net/ipv6/netfilter/Makefile linux-2.6.21.b/net/ipv6/netfilter/Makefile
+--- linux-2.6.21.a/net/ipv6/netfilter/Makefile 2007-05-30 11:13:04.000000000 +0200
++++ linux-2.6.21.b/net/ipv6/netfilter/Makefile 2007-05-30 11:40:37.000000000 +0200
+@@ -21,6 +21,7 @@ obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw
+ obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
+ obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
+ obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
+obj-$(CONFIG_IP6_NF_TARGET_ROUTE) += ip6t_ROUTE.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/ip6t_ROUTE.c linux/net/ipv6/netfilter/ip6t_ROUTE.c
---- linux.org/net/ipv6/netfilter/ip6t_ROUTE.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv6/netfilter/ip6t_ROUTE.c 2006-05-04 11:20:35.000000000 +0200
+
+ # objects for l3 independent conntrack
+ nf_conntrack_ipv6-objs := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o nf_conntrack_reasm.o
+diff -NurpP --minimal linux-2.6.21.a/net/ipv6/netfilter/ip6t_ROUTE.c linux-2.6.21.b/net/ipv6/netfilter/ip6t_ROUTE.c
+--- linux-2.6.21.a/net/ipv6/netfilter/ip6t_ROUTE.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/net/ipv6/netfilter/ip6t_ROUTE.c 2007-05-30 11:40:37.000000000 +0200
@@ -0,0 +1,308 @@
+/*
+ * This implements the ROUTE v6 target, which enables you to setup unusual
@@ -618,6 +602,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/ip6t_ROUTE.c linux/net
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ipv6.h>
++#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_ROUTE.h>
+#include <linux/netdevice.h>
@@ -664,7 +649,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/ip6t_ROUTE.c linux/net
+ const struct ip6t_route_target_info *route_info)
+{
+ struct rt6_info *rt = NULL;
-+ struct ipv6hdr *ipv6h = skb->nh.ipv6h;
++ struct ipv6hdr *ipv6h = ipv6_hdr(skb);
+ struct in6_addr *gw = (struct in6_addr*)&route_info->gw;
+
+ DEBUGP("ip6t_ROUTE: called with: ");
@@ -727,11 +712,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/ip6t_ROUTE.c linux/net
+ struct hh_cache *hh = dst->hh;
+
+ if (hh) {
-+ read_lock_bh(&hh->hh_lock);
-+ memcpy(skb->data - 16, hh->hh_data, 16);
-+ read_unlock_bh(&hh->hh_lock);
-+ skb_push(skb, hh->hh_len);
-+ hh->hh_output(skb);
++ neigh_hh_output(dst->hh, skb);
+ } else if (dst->neighbour)
+ dst->neighbour->output(skb);
+ else {
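Review bot: As in the IPv4 helper, the condition tests `hh` but the call passes `dst->hh`; prefer `neigh_hh_output(hh, skb);` so the checked pointer and the used pointer are visibly the same. The function this belongs to starts before the hunk.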
@@ -798,8 +779,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/ip6t_ROUTE.c linux/net
+ const struct net_device *in,
+ const struct net_device *out,
+ unsigned int hooknum,
-+ const void *targinfo,
-+ void *userinfo)
++ const struct xt_target *target,
++ const void *targinfo
++ )
+{
+ const struct ip6t_route_target_info *route_info = targinfo;
+ struct sk_buff *skb = *pskb;
@@ -815,7 +797,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/ip6t_ROUTE.c linux/net
+ if (hooknum == NF_IP6_PRE_ROUTING ||
+ hooknum == NF_IP6_LOCAL_IN) {
+
-+ struct ipv6hdr *ipv6h = skb->nh.ipv6h;
++ struct ipv6hdr *ipv6h = ipv6_hdr(skb);
+
+ if (ipv6h->hop_limit <= 1) {
+ /* Force OUTPUT device used as source address */
@@ -865,9 +847,10 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/ip6t_ROUTE.c linux/net
+
+static int
+ip6t_route_checkentry(const char *tablename,
-+ const struct ip6t_entry *e,
++ const void *entry,
++ const struct xt_target *target,
+ void *targinfo,
-+ unsigned int targinfosize,
++
+ unsigned int hook_mask)
+{
+ if (strcmp(tablename, "mangle") != 0) {
@@ -875,12 +858,12 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/ip6t_ROUTE.c linux/net
+ return 0;
+ }
+
-+ if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_route_target_info))) {
++ /* if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_route_target_info))) {
+ printk(KERN_WARNING "ip6t_ROUTE: targinfosize %u != %Zu\n",
+ targinfosize,
+ IP6T_ALIGN(sizeof(struct ip6t_route_target_info)));
+ return 0;
-+ }
++ } */
+
+ return 1;
+}
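Review bot: The targinfosize check is commented out rather than removed, leaving dead code that references a parameter this function no longer has. xt_check_target() now enforces `.targetsize`, so delete the commented block entirely; if a reminder is wanted, a one-line `/* size is validated by xt_check_target() via .targetsize */` says it without keeping stale code around.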
@@ -889,6 +872,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/ip6t_ROUTE.c linux/net
+static struct ip6t_target ip6t_route_reg = {
+ .name = "ROUTE",
+ .target = ip6t_route_target,
++ .targetsize = sizeof(struct ip6t_route_target_info),
+ .checkentry = ip6t_route_checkentry,
+ .me = THIS_MODULE
+};
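Review bot: `ip6t_route_reg` has no `.family`, yet it is now registered with xt_register_target(), which uses `target->family` to pick the per-family list. With the field left zero the target goes into the AF_UNSPEC list and ip6_tables' AF_INET6 lookup will not find "ROUTE". Add `.family = AF_INET6,` to the initializer.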
@@ -897,7 +881,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/ip6t_ROUTE.c linux/net
+static int __init init(void)
+{
+ printk(KERN_DEBUG "registering ipv6 ROUTE target\n");
-+ if (ip6t_register_target(&ip6t_route_reg))
++ if (xt_register_target(&ip6t_route_reg))
+ return -EINVAL;
+
+ return 0;
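Review bot: The return value of xt_register_target() is collapsed to -EINVAL, discarding the real error (for instance -EINTR from the interruptible mutex or the code for a duplicate name), which makes a failed `modprobe` harder to diagnose. The IPv4 init() in this same patch returns the value directly; do the same here: `return xt_register_target(&ip6t_route_reg);` and drop the `return 0;`. The `printk(KERN_DEBUG ...)` on load is also noise for a production module and could go.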
@@ -906,9 +890,20 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv6/netfilter/ip6t_ROUTE.c linux/net
+
+static void __exit fini(void)
+{
-+ ip6t_unregister_target(&ip6t_route_reg);
++ xt_unregister_target(&ip6t_route_reg);
+}
+
+module_init(init);
+module_exit(fini);
+MODULE_LICENSE("GPL");
+--- a/net/ipv6/ndisc.c 2007-07-09 01:32:17.000000000 +0200
++++ b/net/ipv6/ndisc.c 2007-08-02 13:23:26.000000000 +0200
+@@ -154,6 +154,8 @@ struct neigh_table nd_tbl = {
+ .gc_thresh3 = 1024,
+ };
+
++EXPORT_SYMBOL(nd_tbl);
++
+ /* ND options */
+ struct ndisc_options {
+ struct nd_opt_hdr *nd_opt_array[__ND_OPT_ARRAY_MAX];
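Review bot: The export is moved from ipv6_syms.c into ndisc.c as `EXPORT_SYMBOL(nd_tbl)`, which makes the core IPv6 neighbour table available to non-GPL modules as well. The only consumer in this series is ip6t_ROUTE, which declares MODULE_LICENSE("GPL"), so `EXPORT_SYMBOL_GPL(nd_tbl);` is sufficient and keeps the widened ABI to GPL code. Note also that this hunk uses `a/`/`b/` prefixes and has no `diff` header line, unlike the rest of the file; it applies fine at -p1 but reads as pasted from elsewhere.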
diff --git a/kernel-desktop-pom-ng-TARPIT.patch b/kernel-desktop-pom-ng-TARPIT.patch
index 174fd35..5438476 100644
--- a/kernel-desktop-pom-ng-TARPIT.patch
+++ b/kernel-desktop-pom-ng-TARPIT.patch
@@ -1,43 +1,7 @@
- Kconfig | 17 +++
- Makefile | 1
- ipt_TARPIT.c | 296 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 314 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 11:21:59.000000000 +0200
-@@ -606,5 +606,22 @@
- Allows altering the ARP packet payload: source and destination
- hardware and network addresses.
-
-+config IP_NF_TARGET_TARPIT
-+ tristate 'TARPIT target support'
-+ depends on IP_NF_FILTER
-+ help
-+ Adds a TARPIT target to iptables, which captures and holds
-+ incoming TCP connections using no local per-connection resources.
-+ Connections are accepted, but immediately switched to the persist
-+ state (0 byte window), in which the remote side stops sending data
-+ and asks to continue every 60-240 seconds. Attempts to close the
-+ connection are ignored, forcing the remote side to time out the
-+ connection in 12-24 minutes.
-+
-+ This offers similar functionality to LaBrea
-+ <http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
-+ hardware or IPs. Any TCP port that you would normally DROP or REJECT
-+ can instead become a tarpit.
-+
- endmenu
-
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 11:21:59.000000000 +0200
-@@ -0,0 +0,1 @@
-+obj-$(CONFIG_IP_NF_TARGET_TARPIT) += ipt_TARPIT.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net/ipv4/netfilter/ipt_TARPIT.c
---- linux.org/net/ipv4/netfilter/ipt_TARPIT.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_TARPIT.c 2006-05-04 11:21:59.000000000 +0200
-@@ -0,0 +1,296 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ipt_TARPIT.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_TARPIT.c
+--- linux-2.6.22/net/ipv4/netfilter/ipt_TARPIT.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_TARPIT.c 2007-08-07 18:38:14.000000000 +0200
+@@ -0,0 +1,291 @@
+/*
+ * Kernel module to capture and hold incoming TCP connections using
+ * no local per-connection resources.
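Review bot: The rewritten patch drops the Kconfig entry (`config IP_NF_TARGET_TARPIT`) and the Makefile rule that the previous version carried, so nothing shown here defines CONFIG_IP_NF_TARGET_TARPIT or builds ipt_TARPIT.o. Unless another patch in the series supplies both, the target becomes unreachable dead source and any firewall ruleset that relies on `-j TARPIT` will fail to load. If they were moved, a one-line note at the top of the patch file saying where would save the next maintainer the search.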
@@ -75,7 +39,6 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+ * - Reply to TCP !SYN,!RST,!FIN with ACK, window 0 bytes, rate-limited
+ */
+
-+#include <linux/config.h>
+#include <linux/version.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
@@ -101,16 +64,11 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+static int ip_direct_send(struct sk_buff *skb)
+{
+ struct dst_entry *dst = skb->dst;
-+ struct hh_cache *hh = dst->hh;
+
-+ if (hh) {
-+ read_lock_bh(&hh->hh_lock);
-+ memcpy(skb->data - 16, hh->hh_data, 16);
-+ read_unlock_bh(&hh->hh_lock);
-+ skb_push(skb, hh->hh_len);
-+ return hh->hh_output(skb);
-+ } else if (dst->neighbour)
-+ return dst->neighbour->output(skb);
++ if (dst->hh)
++ return neigh_hh_output(dst->hh, skb);
++ else if (dst->neighbour)
++ return dst->neighbour->output(skb);
+
+ if (net_ratelimit())
+ printk(KERN_DEBUG "TARPIT ip_direct_send: no header cache and no neighbor!\n");
@@ -130,12 +88,12 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+ u_int16_t tmp;
+
+ /* A truncated TCP header isn't going to be useful */
-+ if (oskb->len < (oskb->nh.iph->ihl*4) + sizeof(struct tcphdr))
++ if (oskb->len < (ip_hdr(oskb)->ihl*4) + sizeof(struct tcphdr))
+ return;
+
-+ otcph = (struct tcphdr *)((u_int32_t*)oskb->nh.iph
-+ + oskb->nh.iph->ihl);
-+ otcplen = oskb->len - oskb->nh.iph->ihl*4;
++ otcph = (struct tcphdr *)((u_int32_t*)ip_hdr(oskb)
++ + ip_hdr(oskb)->ihl);
++ otcplen = oskb->len - ip_hdr(oskb)->ihl*4;
+
+ /* No replies for RST or FIN */
+ if (otcph->rst || otcph->fin)
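Review bot: The truncated-header guard `if (oskb->len < (ip_hdr(oskb)->ihl*4) + sizeof(struct tcphdr))` bounds the packet's total length, but `otcph` is then dereferenced directly and, in the checksum hunk below, `csum_partial((char *)otcph, otcplen, 0)` reads `otcplen` bytes linearly from that pointer. If an skb can reach this target non-linear, those reads run past the linear area; the guard should compare against `skb_headlen(oskb)`, or the code should go through `skb_header_pointer()`/`skb_checksum()`. tarpit_tcp begins before this hunk, so an earlier linearity check may already exist—please confirm.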
@@ -146,8 +104,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+ return;
+
+ /* Check checksum. */
-+ if (tcp_v4_check(otcph, otcplen, oskb->nh.iph->saddr,
-+ oskb->nh.iph->daddr,
++ if (tcp_v4_check(otcplen, ip_hdr(oskb)->saddr,
++ ip_hdr(oskb)->daddr,
+ csum_partial((char *)otcph, otcplen, 0)) != 0)
+ return;
+
@@ -165,23 +123,23 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+ nskb->nf_debug = 0;
+#endif
+
-+ ntcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
++ ntcph = (struct tcphdr *)((u_int32_t*)ip_hdr(nskb) + ip_hdr(nskb)->ihl);
+
+ /* Truncate to length (no data) */
+ ntcph->doff = sizeof(struct tcphdr)/4;
-+ skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
-+ nskb->nh.iph->tot_len = htons(nskb->len);
++ skb_trim(nskb, ip_hdr(nskb)->ihl*4 + sizeof(struct tcphdr));
++ ip_hdr(nskb)->tot_len = htons(nskb->len);
+
+ /* Swap source and dest */
-+ nskb->nh.iph->daddr = xchg(&nskb->nh.iph->saddr, nskb->nh.iph->daddr);
++ ip_hdr(nskb)->daddr = xchg(&ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr);
+ tmp = ntcph->source;
+ ntcph->source = ntcph->dest;
+ ntcph->dest = tmp;
+
+ /* Use supplied sequence number or make a new one */
+ ntcph->seq = otcph->ack ? otcph->ack_seq
-+ : htonl(secure_tcp_sequence_number(nskb->nh.iph->saddr,
-+ nskb->nh.iph->daddr,
++ : htonl(secure_tcp_sequence_number(ip_hdr(nskb)->saddr,
++ ip_hdr(nskb)->daddr,
+ ntcph->source,
+ ntcph->dest));
+
@@ -204,15 +162,15 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+
+ /* Adjust TCP checksum */
+ ntcph->check = 0;
-+ ntcph->check = tcp_v4_check(ntcph, sizeof(struct tcphdr),
-+ nskb->nh.iph->saddr,
-+ nskb->nh.iph->daddr,
++ ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
++ ip_hdr(nskb)->saddr,
++ ip_hdr(nskb)->daddr,
+ csum_partial((char *)ntcph,
+ sizeof(struct tcphdr), 0));
+
-+ fl.nl_u.ip4_u.daddr = nskb->nh.iph->daddr;
-+ fl.nl_u.ip4_u.saddr = local ? nskb->nh.iph->saddr : 0;
-+ fl.nl_u.ip4_u.tos = RT_TOS(nskb->nh.iph->tos) | RTO_CONN;
++ fl.nl_u.ip4_u.daddr = ip_hdr(nskb)->daddr;
++ fl.nl_u.ip4_u.saddr = local ? ip_hdr(nskb)->saddr : 0;
++ fl.nl_u.ip4_u.tos = RT_TOS(ip_hdr(nskb)->tos) | RTO_CONN;
+ fl.oif = 0;
+
+ if (ip_route_output_key(&nrt, &fl))
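Review bot: `fl.oif = 0;` is assigned field by field while `fl` is declared outside this hunk, which suggests the flow key is not zero-initialised before `ip_route_output_key(&nrt, &fl)`; that lookup consults more of the key than the three `nl_u.ip4_u` members set here (mark and proto among them), so stale stack contents could steer route selection. If the declaration is a bare `struct flowi fl;`, changing it to `struct flowi fl = {};` or adding a `memset` makes the key deterministic. The declaration itself is above this hunk, so this is inferred from the assignment pattern.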
@@ -222,16 +180,16 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+ nskb->dst = &nrt->u.dst;
+
+ /* Adjust IP TTL */
-+ nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++ ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+
+ /* Set DF, id = 0 */
-+ nskb->nh.iph->frag_off = htons(IP_DF);
-+ nskb->nh.iph->id = 0;
++ ip_hdr(nskb)->frag_off = htons(IP_DF);
++ ip_hdr(nskb)->id = 0;
+
+ /* Adjust IP checksum */
-+ nskb->nh.iph->check = 0;
-+ nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
-+ nskb->nh.iph->ihl);
++ ip_hdr(nskb)->check = 0;
++ ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
++ ip_hdr(nskb)->ihl);
+
+ /* "Never happens" */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
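Review bot: `nskb->dst = &nrt->u.dst;` overwrites whatever dst `nskb` already holds; if `nskb` comes from `skb_copy()` (its creation is outside this hunk), copy_skb_header clones the original skb's dst in this kernel series, so each tarpitted packet would leak a route reference. The fix is a `dst_release(nskb->dst);` immediately before the assignment, which is what ipt_REJECT's send_reset does before re-routing its reply. Please confirm against the allocation path above the hunk.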
@@ -254,8 +212,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+ const struct net_device *in,
+ const struct net_device *out,
+ unsigned int hooknum,
-+ const void *targinfo,
-+ void *userinfo)
++ const struct xt_target *target,
++ const void *targinfo)
+{
+ struct sk_buff *skb = *pskb;
+ struct rtable *rt = (struct rtable*)skb->dst;
@@ -274,11 +232,11 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+
+ /* Our naive response construction doesn't deal with IP
+ options, and probably shouldn't try. */
-+ if (skb->nh.iph->ihl*4 != sizeof(struct iphdr))
++ if (ip_hdr(skb)->ihl*4 != sizeof(struct iphdr))
+ return NF_DROP;
+
+ /* We aren't interested in fragments */
-+ if (skb->nh.iph->frag_off & htons(IP_OFFSET))
++ if (ip_hdr(skb)->frag_off & htons(IP_OFFSET))
+ return NF_DROP;
+
+ tarpit_tcp(skb,rt,hooknum == NF_IP_LOCAL_IN);
@@ -289,8 +247,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+
+static int check(const char *tablename,
+ const void *e_void,
++ const struct xt_target *target,
+ void *targinfo,
-+ unsigned int targinfosize,
+ unsigned int hook_mask)
+{
+ const struct ipt_entry *e = e_void;
@@ -315,8 +273,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+ return 1;
+}
+
-+static struct ipt_target ipt_tarpit_reg = {
++static struct xt_target ipt_tarpit_reg = {
+ .name = "TARPIT",
++ .family = AF_INET,
+ .target = tarpit,
+ .checkentry = check,
+ .me = THIS_MODULE
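Review bot: `ipt_tarpit_reg` now declares `.family = AF_INET` but no `.table`, `.hooks` or `.proto`, leaving every restriction to `check()`, whose body lies outside this hunk. With the xt_target API those fields are validated by x_tables at rule insertion with a uniform error message, so `.table = "filter"`, `.proto = IPPROTO_TCP` and a hooks mask would be the idiomatic home for whatever `check()` currently enforces by hand. This is a style point; the hand-written check is not wrong if it covers the same cases.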
@@ -324,13 +283,61 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_TARPIT.c linux/net
+
+static int __init init(void)
+{
-+ return ipt_register_target(&ipt_tarpit_reg);
++ return xt_register_target(&ipt_tarpit_reg);
+}
+
+static void __exit fini(void)
+{
-+ ipt_unregister_target(&ipt_tarpit_reg);
++ xt_unregister_target(&ipt_tarpit_reg);
+}
+
+module_init(init);
+module_exit(fini);
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Kconfig linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig
+--- linux-2.6.22/net/ipv4/netfilter/Kconfig 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig 2007-08-07 18:38:14.000000000 +0200
+@@ -402,5 +402,22 @@
+ Allows altering the ARP packet payload: source and destination
+ hardware and network addresses.
+
++config IP_NF_TARGET_TARPIT
++ tristate 'TARPIT target support'
++ depends on IP_NF_FILTER
++ help
++ Adds a TARPIT target to iptables, which captures and holds
++ incoming TCP connections using no local per-connection resources.
++ Connections are accepted, but immediately switched to the persist
++ state (0 byte window), in which the remote side stops sending data
++ and asks to continue every 60-240 seconds. Attempts to close the
++ connection are ignored, forcing the remote side to time out the
++ connection in 12-24 minutes.
++
++ This offers similar functionality to LaBrea
++ <http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
++ hardware or IPs. Any TCP port that you would normally DROP or REJECT
++ can instead become a tarpit.
++
+ endmenu
+
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Makefile linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile
+--- linux-2.6.22/net/ipv4/netfilter/Makefile 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile 2007-08-07 18:38:14.000000000 +0200
+@@ -52,6 +52,7 @@
+
+ # targets
+ obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
++obj-$(CONFIG_IP_NF_TARGET_TARPIT) += ipt_TARPIT.o
+ obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
+ obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
+ obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
+--- linux-2.6.22/drivers/char/random.c~ 2007-08-10 21:18:33.000000000 +0200
++++ linux-2.6.22/drivers/char/random.c 2007-08-10 22:02:26.079943000 +0200
+@@ -1569,6 +1569,8 @@ __u32 secure_tcp_sequence_number(__be32
+ return seq;
+ }
+
++EXPORT_SYMBOL(secure_tcp_sequence_number);
++
+ /* Generate secure starting point for ephemeral IPV4 transport port search */
+ u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+ {
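Review bot: The appended drivers/char/random.c section names a backup file on its old-side line, `--- linux-2.6.22/drivers/char/random.c~`, and carries no `diff` header; GNU patch still resolves `drivers/char/random.c` through its name-selection heuristics, but using the pristine path on both lines, as the other sections do, removes that dependence. The added `EXPORT_SYMBOL(secure_tcp_sequence_number);` is what lets ipt_TARPIT.o link as a module; a one-line comment above it naming the consumer, e.g. `/* used by net/ipv4/netfilter/ipt_TARPIT.c */`, would help the next person who touches the export list.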
diff --git a/kernel-desktop-pom-ng-connlimit.patch b/kernel-desktop-pom-ng-connlimit.patch
index 5fb3d0c..d24885b 100644
--- a/kernel-desktop-pom-ng-connlimit.patch
+++ b/kernel-desktop-pom-ng-connlimit.patch
@@ -1,12 +1,6 @@
- include/linux/netfilter_ipv4/ipt_connlimit.h | 12 +
- net/ipv4/netfilter/Kconfig | 10 +
- net/ipv4/netfilter/Makefile | 1
- net/ipv4/netfilter/ipt_connlimit.c | 228 +++++++++++++++++++++++++++
- 4 files changed, 251 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_connlimit.h linux/include/linux/netfilter_ipv4/ipt_connlimit.h
---- linux.org/include/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ipt_connlimit.h 2006-05-04 10:02:23.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ipt_connlimit.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_connlimit.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_connlimit.h 2007-08-07 18:38:25.000000000 +0200
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
@@ -20,34 +14,10 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_connlimi
+ struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 10:02:23.000000000 +0200
-@@ -606,5 +606,15 @@
- Allows altering the ARP packet payload: source and destination
- hardware and network addresses.
-
-+config IP_NF_MATCH_CONNLIMIT
-+ tristate 'Connections/IP limit match support'
-+ depends on IP_NF_IPTABLES
-+ help
-+ This match allows you to restrict the number of parallel TCP
-+ connections to a server per client IP address (or address block).
-+
-+ If you want to compile it as a module, say M here and read
-+ Documentation/modules.txt. If unsure, say `N'.
-+
- endmenu
-
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 10:02:23.000000000 +0200
-@@ -0,0 +0,1 @@
-+obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/net/ipv4/netfilter/ipt_connlimit.c
---- linux.org/net/ipv4/netfilter/ipt_connlimit.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_connlimit.c 2006-05-04 10:02:23.000000000 +0200
-@@ -0,0 +1,229 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ipt_connlimit.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_connlimit.c
+--- linux-2.6.22/net/ipv4/netfilter/ipt_connlimit.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_connlimit.c 2007-08-07 18:38:25.000000000 +0200
+@@ -0,0 +1,340 @@
+/*
+ * netfilter module to limit the number of parallel tcp
+ * connections per IP address.
@@ -62,10 +32,23 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
++#include <linux/version.h>
+#include <linux/list.h>
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
++#define CONFIG_NF_CONNTRACK_SUPPORT
++#endif
++
++#ifdef CONFIG_NF_CONNTRACK_SUPPORT
++#include <net/netfilter/nf_conntrack.h>
++#include <net/netfilter/nf_conntrack_core.h>
++#include <linux/netfilter/nf_conntrack_tcp.h>
++#else
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_core.h>
+#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
++#endif
++
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_connlimit.h>
+
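Review bot: `#define CONFIG_NF_CONNTRACK_SUPPORT` introduces a macro in the `CONFIG_` namespace, which is reserved for Kconfig-generated symbols, and it is keyed on `LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)` rather than on whether connection tracking is actually configured. A file-local name such as `CONNLIMIT_USE_NF_CONNTRACK` avoids the collision, and testing `CONFIG_NF_CONNTRACK` / `CONFIG_NF_CONNTRACK_MODULE` would tie the include choice to the build option the module depends on. The remaining `#ifdef` sites throughout the file would follow the rename.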
@@ -77,7 +60,11 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+struct ipt_connlimit_conn
+{
+ struct list_head list;
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ struct ip_conntrack_tuple tuple;
++#else
++ struct nf_conntrack_tuple tuple;
++#endif
+};
+
+struct ipt_connlimit_data {
@@ -92,7 +79,12 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+
+static int count_them(struct ipt_connlimit_data *data,
+ u_int32_t addr, u_int32_t mask,
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ struct ip_conntrack *ct)
++#else
++ struct nf_conn *ct)
++#endif
++
+{
+#if DEBUG
+ const static char *tcp[] = { "none", "established", "syn_sent", "syn_recv",
@@ -100,8 +92,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+ "last_ack", "listen" };
+#endif
+ int addit = 1, matches = 0;
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ struct ip_conntrack_tuple tuple;
+ struct ip_conntrack_tuple_hash *found;
++#else
++ struct nf_conntrack_tuple tuple;
++ struct nf_conntrack_tuple_hash *found;
++#endif
+ struct ipt_connlimit_conn *conn;
+ struct list_head *hash,*lh;
+
@@ -111,11 +108,22 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+
+ /* check the saved connections */
+ for (lh = hash->next; lh != hash; lh = lh->next) {
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ struct ip_conntrack *found_ct = NULL;
-+ conn = list_entry(lh,struct ipt_connlimit_conn,list);
-+ found = ip_conntrack_find_get(&conn->tuple,ct);
++ conn = list_entry(lh, struct ipt_connlimit_conn, list);
++ found = ip_conntrack_find_get(&conn->tuple, ct);
++#else
++ struct nf_conn *found_ct = NULL;
++ conn = list_entry(lh, struct ipt_connlimit_conn, list);
++ found = nf_conntrack_find_get(&conn->tuple, ct);
++#endif
++
+ if (found != NULL
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ && (found_ct = tuplehash_to_ctrack(found)) != NULL
++#else
++ && (found_ct = nf_ct_tuplehash_to_ctrack(found)) != NULL
++#endif
+ && 0 == memcmp(&conn->tuple,&tuple,sizeof(tuple))
+ && found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
+ /* Just to be sure we have it only once in the list.
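Review bot: `0 == memcmp(&conn->tuple,&tuple,sizeof(tuple))` compares every byte of `struct nf_conntrack_tuple`, including the unused part of the 16-byte `u3` address union and any padding, so equality depends on how both tuples were filled in rather than on their IPv4 fields; the conntrack helper `nf_ct_tuple_equal(&conn->tuple, &tuple)` is the intended comparison and reads more clearly. Separately, `nf_conntrack_find_get()` takes a reference on the conntrack it returns, so every path after a successful lookup must release it; only the `nf_conntrack_put()` on the `continue` path is visible in the following hunk, so please confirm the matched path drops it too. The loop body continues past this hunk.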
@@ -126,8 +134,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+#if DEBUG
+ printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d %s\n",
+ ipt_iphash(addr & mask),
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ NIPQUAD(conn->tuple.src.ip), ntohs(conn->tuple.src.u.tcp.port),
+ NIPQUAD(conn->tuple.dst.ip), ntohs(conn->tuple.dst.u.tcp.port),
++#else
++ NIPQUAD(conn->tuple.src.u3.ip), ntohs(conn->tuple.src.u.tcp.port),
++ NIPQUAD(conn->tuple.dst.u3.ip), ntohs(conn->tuple.dst.u.tcp.port),
++#endif
+ (NULL != found) ? tcp[found_ct->proto.tcp.state] : "gone");
+#endif
+ if (NULL == found) {
@@ -146,7 +159,11 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+ nf_conntrack_put(&found_ct->ct_general);
+ continue;
+ }
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ if ((addr & mask) == (conn->tuple.src.ip & mask)) {
++#else
++ if ((addr & mask) == (conn->tuple.src.u3.ip & mask)) {
++#endif
+ /* same source IP address -> be counted! */
+ matches++;
+ }
@@ -157,8 +174,14 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+#if DEBUG
+ printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d new\n",
+ ipt_iphash(addr & mask),
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
+ NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
++#else
++ NIPQUAD(tuple.src.u3.ip), ntohs(tuple.src.u.tcp.port),
++ NIPQUAD(tuple.dst.u3.ip), ntohs(tuple.dst.u.tcp.port));
++#endif
++
+#endif
+ conn = kmalloc(sizeof(*conn),GFP_ATOMIC);
+ if (NULL == conn) {
@@ -179,51 +202,83 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
+ const void *matchinfo,
+ int offset,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
+ unsigned int protoff,
++#endif
+ int *hotdrop)
+{
+ const struct ipt_connlimit_info *info = matchinfo;
-+ int connections, match;
++ int connections, rv;
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ struct ip_conntrack *ct;
+ enum ip_conntrack_info ctinfo;
+
+ ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
++#else
++ struct nf_conn *ct;
++ enum ip_conntrack_info ctinfo;
++
++ ct = nf_ct_get((struct sk_buff *)skb, &ctinfo);
++#endif
+ if (NULL == ct) {
+ printk("ipt_connlimit: Oops: invalid ct state ?\n");
+ *hotdrop = 1;
+ return 0;
+ }
-+ connections = count_them(info->data,skb->nh.iph->saddr,info->mask,ct);
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
++ connections = count_them(info->data, ip_hdr(skb)->saddr, info->mask, ct);
++#else
++ connections = count_them(info->data, skb->nh.iph->saddr, info->mask, ct);
++#endif
+ if (-1 == connections) {
+ printk("ipt_connlimit: Hmm, kmalloc failed :-(\n");
+ *hotdrop = 1; /* let's free some memory :-) */
+ return 0;
+ }
-+ match = (info->inverse) ? (connections <= info->limit) : (connections > info->limit);
++ rv = (info->inverse) ? (connections <= info->limit) : (connections > info->limit);
+#if DEBUG
+ printk("ipt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u "
+ "connections=%d limit=%d match=%s\n",
+ NIPQUAD(skb->nh.iph->saddr), NIPQUAD(info->mask),
-+ connections, info->limit, match ? "yes" : "no");
++ connections, info->limit, rv?"yes":"no");
+#endif
+
-+ return match;
++ return rv;
+}
+
-+static int check(const char *tablename,
++static int checkentry(const char *tablename,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
++ const void *ip_void,
++#else
+ const struct ipt_ip *ip,
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
+ void *matchinfo,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+ unsigned int matchsize,
++#endif
+ unsigned int hook_mask)
+{
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
++ const struct ipt_ip *ip = ip_void;
++#endif
++
+ struct ipt_connlimit_info *info = matchinfo;
+ int i;
+
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
+ /* verify size */
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info)))
+ return 0;
++#endif
+
+ /* refuse anything but tcp */
+ if (ip->proto != IPPROTO_TCP)
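Review bot: The `#if DEBUG` printk in match() still reads `NIPQUAD(skb->nh.iph->saddr)`, while the count_them() call just above was switched to `ip_hdr(skb)->saddr` for 2.6.22, where `skb->nh` no longer exists; a DEBUG build of this module therefore fails to compile on the kernel this patch targets, and the printk needs the same version-guarded selection (or a `saddr` local computed once and used by both). The two unconditional `printk`s on the packet path (`invalid ct state`, `kmalloc failed`) are reachable once per packet; guarding them with `if (net_ratelimit())`, as ipt_TARPIT's ip_direct_send does, keeps an untracked or memory-starved burst from flooding the log.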
@@ -238,7 +293,15 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+ return 1;
+}
+
-+static void destroy(void *matchinfo, unsigned int matchinfosize)
++static void destroy(
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
++ void *matchinfo, unsigned int matchsize)
++#else
++ void *matchinfo)
++#endif
+{
+ struct ipt_connlimit_info *info = matchinfo;
+ struct ipt_connlimit_conn *conn;
@@ -257,23 +320,71 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+ kfree(info->data);
+}
+
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++static struct xt_match connlimit_match = {
++#else
+static struct ipt_match connlimit_match = {
-+ .name = "connlimit",
-+ .match = &match,
-+ .checkentry = &check,
-+ .destroy = &destroy,
-+ .me = THIS_MODULE
++#endif
++ .name = "connlimit",
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ .family = AF_INET,
++#endif
++ .match = &match,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ .matchsize = sizeof(struct ipt_connlimit_info),
++#endif
++ .checkentry = &checkentry,
++ .destroy = &destroy,
++ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ return xt_register_match(&connlimit_match);
++#else
+ return ipt_register_match(&connlimit_match);
++#endif
+}
+
+static void __exit fini(void)
+{
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ xt_unregister_match(&connlimit_match);
++#else
+ ipt_unregister_match(&connlimit_match);
++#endif
+}
+
+module_init(init);
+module_exit(fini);
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Kconfig linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig
+--- linux-2.6.22/net/ipv4/netfilter/Kconfig 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig 2007-08-07 18:38:25.000000000 +0200
+@@ -402,5 +402,15 @@
+ Allows altering the ARP packet payload: source and destination
+ hardware and network addresses.
+
++config IP_NF_MATCH_CONNLIMIT
++ tristate 'Connections/IP limit match support'
++ depends on IP_NF_IPTABLES
++ help
++ This match allows you to restrict the number of parallel TCP
++ connections to a server per client IP address (or address block).
++
++ If you want to compile it as a module, say M here and read
++ Documentation/modules.txt. If unsure, say `N'.
++
+ endmenu
+
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Makefile linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile
+--- linux-2.6.22/net/ipv4/netfilter/Makefile 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile 2007-08-07 18:38:25.000000000 +0200
+@@ -44,6 +44,7 @@
+ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
+
+ obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
++obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
+
+ obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
+ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
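Review bot: The Kconfig entry declares only `depends on IP_NF_IPTABLES`, but on 2.6.22 the module unconditionally includes the nf_conntrack headers and calls `nf_ct_get()`/`nf_conntrack_find_get()` (the legacy ip_conntrack branch no longer exists there), so a configuration without IPv4 connection tracking fails to link; it should read `depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4`. Separately, the Makefile hunk's context line `obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o` only exists once the ipv4options patch is applied, and the same ordering dependence appears in the ipp2p Makefile hunk (context `ipt_connlimit.o`, `ipt_geoip.o`) and in the ipv4options Kconfig hunk (context `config IP_NF_TARGET_IPV4OPTSSTRIP`); either anchor those hunks on lines from the base tree or record the required application order alongside the patches.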
diff --git a/kernel-desktop-pom-ng-ipp2p.patch b/kernel-desktop-pom-ng-ipp2p.patch
index 0c5677c..2b617fb 100644
--- a/kernel-desktop-pom-ng-ipp2p.patch
+++ b/kernel-desktop-pom-ng-ipp2p.patch
@@ -1,12 +1,6 @@
- include/linux/netfilter_ipv4/ipt_ipp2p.h | 31 +
- net/ipv4/netfilter/Kconfig | 10
- net/ipv4/netfilter/Makefile | 1
- net/ipv4/netfilter/ipt_ipp2p.c | 863 +++++++++++++++++++++++++++++++
- 4 files changed, 905 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_ipp2p.h linux/include/linux/netfilter_ipv4/ipt_ipp2p.h
---- linux.org/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ipt_ipp2p.h 2006-05-04 11:24:36.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_ipp2p.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-08-07 18:38:54.000000000 +0200
@@ -0,0 +1,31 @@
+#ifndef __IPT_IPP2P_H
+#define __IPT_IPP2P_H
@@ -39,34 +33,10 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_ipp2p.h
+#define IPP2P_MUTE (1 << 14)
+#define IPP2P_WASTE (1 << 15)
+#define IPP2P_XDCC (1 << 16)
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 11:24:36.000000000 +0200
-@@ -606,5 +606,15 @@
- Allows altering the ARP packet payload: source and destination
- hardware and network addresses.
-
-+config IP_NF_MATCH_IPP2P
-+ tristate 'IPP2P match support'
-+ depends on IP_NF_IPTABLES
-+ help
-+ This option makes possible to match some P2P packets
-+ therefore helps controlling such traffic.
-+
-+ If you want to compile it as a module, say M here and read
-+ <file:Documentation/modules.txt>. If unsure, say `N'.
-+
- endmenu
-
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 11:24:36.000000000 +0200
-@@ -0,0 +0,1 @@
-+obj-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipp2p.c linux/net/ipv4/netfilter/ipt_ipp2p.c
---- linux.org/net/ipv4/netfilter/ipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_ipp2p.c 2006-05-04 11:24:36.000000000 +0200
-@@ -0,0 +1,863 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_ipp2p.c
+--- linux-2.6.22/net/ipv4/netfilter/ipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_ipp2p.c 2007-08-07 18:38:54.000000000 +0200
+@@ -0,0 +1,904 @@
+#if defined(MODVERSIONS)
+#include <linux/modversions.h>
+#endif
@@ -797,14 +767,29 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipp2p.c linux/net/
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
+ const void *matchinfo,
+ int offset,
++
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
++ const void *hdr,
++ u_int16_t datalen,
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
+ unsigned int protoff,
++#endif
++
+ int *hotdrop)
+{
+ const struct ipt_p2p_info *info = matchinfo;
+ unsigned char *haystack;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
++ struct iphdr *ip = ip_hdr(skb);
++#else
+ struct iphdr *ip = skb->nh.iph;
++#endif
+ int p2p_result = 0, i = 0;
+// int head_len;
+ int hlen = ntohs(ip->tot_len)-(ip->ihl*4); /*hlen = packet-data length*/
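Review bot: `struct iphdr *ip = ip_hdr(skb);` takes a writable pointer from a `const struct sk_buff *`; `const struct iphdr *ip` on both branches states the intent and lets the compiler catch accidental writes. `hlen` is still derived from the header's `tot_len` rather than from `skb->len`, so the pattern matchers that follow (outside this hunk) rely on an earlier length/linearity check to stay inside the buffer—if the function does not already reject non-linear skbs and clamp to `skb->len`, that guard belongs right after these declarations. The `#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)` parameter branches are dead in a patch targeting 2.6.22 and could be dropped together with the positional initialiser they support.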
@@ -880,9 +865,18 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipp2p.c linux/net/
+
+static int
+checkentry(const char *tablename,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
+ const void *ip,
++#else
++ const struct ipt_ip *ip,
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
+ void *matchinfo,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+ unsigned int matchsize,
++#endif
+ unsigned int hook_mask)
+{
+ /* Must specify -p tcp */
@@ -895,8 +889,11 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipp2p.c linux/net/
+
+
+
-+
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++static struct xt_match ipp2p_match = {
++#else
+static struct ipt_match ipp2p_match = {
++#endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
+ { NULL, NULL },
+ "ipp2p",
@@ -907,7 +904,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipp2p.c linux/net/
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
+ .name = "ipp2p",
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ .family = AF_INET,
++#endif
+ .match = &match,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ .matchsize = sizeof(struct ipt_p2p_info),
++#endif
+ .checkentry = &checkentry,
+ .me = THIS_MODULE,
+#endif
@@ -917,12 +920,20 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipp2p.c linux/net/
+static int __init init(void)
+{
+ printk(KERN_INFO "IPP2P v%s loading\n", IPP2P_VERSION);
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ return xt_register_match(&ipp2p_match);
++#else
+ return ipt_register_match(&ipp2p_match);
++#endif
+}
+
+static void __exit fini(void)
+{
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ xt_unregister_match(&ipp2p_match);
++#else
+ ipt_unregister_match(&ipp2p_match);
++#endif
+ printk(KERN_INFO "IPP2P v%s unloaded\n", IPP2P_VERSION);
+}
+
@@ -930,3 +941,33 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipp2p.c linux/net/
+module_exit(fini);
+
+
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Kconfig linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig
+--- linux-2.6.22/net/ipv4/netfilter/Kconfig 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig 2007-08-07 18:38:54.000000000 +0200
+@@ -402,5 +402,15 @@
+ Allows altering the ARP packet payload: source and destination
+ hardware and network addresses.
+
++config IP_NF_MATCH_IPP2P
++ tristate 'IPP2P match support'
++ depends on IP_NF_IPTABLES
++ help
++ This option makes possible to match some P2P packets
++ therefore helps controlling such traffic.
++
++ If you want to compile it as a module, say M here and read
++ <file:Documentation/modules.txt>. If unsure, say `N'.
++
+ endmenu
+
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Makefile linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile
+--- linux-2.6.22/net/ipv4/netfilter/Makefile 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile 2007-08-07 18:38:54.000000000 +0200
+@@ -45,6 +45,7 @@
+
+ obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
+ obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
++obj-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p.o
+
+ obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
+ obj-$(CONFIG_IP_NF_MATCH_GEOIP) += ipt_geoip.o
diff --git a/kernel-desktop-pom-ng-ipv4options.patch b/kernel-desktop-pom-ng-ipv4options.patch
index 72c97db..4d0977d 100644
--- a/kernel-desktop-pom-ng-ipv4options.patch
+++ b/kernel-desktop-pom-ng-ipv4options.patch
@@ -1,12 +1,6 @@
- include/linux/netfilter_ipv4/ipt_ipv4options.h | 21 +++
- net/ipv4/netfilter/Kconfig | 13 +
- net/ipv4/netfilter/Makefile | 1
- net/ipv4/netfilter/ipt_ipv4options.c | 173 +++++++++++++++++++++++++
- 4 files changed, 208 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_ipv4options.h linux/include/linux/netfilter_ipv4/ipt_ipv4options.h
---- linux.org/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ipt_ipv4options.h 2006-05-04 10:14:44.000000000 +0200
+diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h
+--- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h 2007-05-30 11:22:30.000000000 +0200
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
@@ -29,12 +23,12 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_ipv4opti
+
+
+#endif /* __ipt_ipv4options_h_included__ */
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 10:14:44.000000000 +0200
-@@ -606,5 +606,18 @@
- Allows altering the ARP packet payload: source and destination
- hardware and network addresses.
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
+--- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:18:08.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:22:30.000000000 +0200
+@@ -678,5 +678,18 @@ config IP_NF_TARGET_IPV4OPTSSTRIP
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+config IP_NF_MATCH_IPV4OPTIONS
+ tristate 'IPV4OPTIONS match support'
@@ -51,15 +45,23 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4
+
endmenu
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 10:14:44.000000000 +0200
-@@ -0,0 +0,1 @@
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
+--- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 11:18:08.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 11:22:30.000000000 +0200
+@@ -86,6 +86,9 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
+ obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
+ obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
+ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
++
+obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipv4options.c linux/net/ipv4/netfilter/ipt_ipv4options.c
---- linux.org/net/ipv4/netfilter/ipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_ipv4options.c 2006-05-04 10:14:44.000000000 +0200
-@@ -0,0 +1,173 @@
++
+ obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
+ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
+ obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c
+--- linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c 2007-05-30 11:22:30.000000000 +0200
+@@ -0,0 +1,177 @@
+/*
+ This is a module which is used to match ipv4 options.
+ This file is distributed under the terms of the GNU General Public
@@ -76,7 +78,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipv4options.c linu
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/ip.h>
-+
++#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_ipv4options.h>
+
@@ -87,13 +89,14 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipv4options.c linu
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
++ const struct xt_match *match,
+ const void *matchinfo,
+ int offset,
+ unsigned int protoff,
+ int *hotdrop)
+{
+ const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
-+ const struct iphdr *iph = skb->nh.iph;
++ const struct iphdr *iph = ip_hdr(skb);
+ const struct ip_options *opt;
+
+ if (iph->ihl * 4 == sizeof(struct iphdr)) {
@@ -168,15 +171,16 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipv4options.c linu
+
+static int
+checkentry(const char *tablename,
-+ const struct ipt_ip *ip,
++ const void *ip,
++ const struct xt_match *match,
+ void *matchinfo,
-+ unsigned int matchsize,
++
+ unsigned int hook_mask)
+{
+ const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
-+ /* Check the size */
-+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_ipv4options_info)))
-+ return 0;
++
++
++
+ /* Now check the coherence of the data ... */
+ if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
+ (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) ||
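Review bot: The three empty `+` lines that replace the removed matchsize check at the top of checkentry should be deleted rather than committed as blank code. Dropping the explicit check is sound only because `.matchsize` is now set on the xt_match and x_tables validates the size before checkentry runs; a one-line note in its place, `/* matchinfo size is validated by x_tables via .matchsize */`, would make that dependency visible to the next reader. checkentry's body continues outside the hunk.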
@@ -214,21 +218,23 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipv4options.c linu
+ return 1;
+}
+
-+static struct ipt_match ipv4options_match = {
++static struct xt_match ipv4options_match = {
+ .name = "ipv4options",
++ .family = AF_INET,
+ .match = match,
++ .matchsize = sizeof(struct ipt_ipv4options_info),
+ .checkentry = checkentry,
+ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
-+ return ipt_register_match(&ipv4options_match);
++ return xt_register_match(&ipv4options_match);
+}
+
+static void __exit fini(void)
+{
-+ ipt_unregister_match(&ipv4options_match);
++ xt_unregister_match(&ipv4options_match);
+}
+
+module_init(init);
diff --git a/kernel-desktop-pom-ng-rpc.patch b/kernel-desktop-pom-ng-rpc.patch
index 1c30215..43a49f6 100644
--- a/kernel-desktop-pom-ng-rpc.patch
+++ b/kernel-desktop-pom-ng-rpc.patch
@@ -1,15 +1,6 @@
- include/linux/netfilter_ipv4/ip_conntrack_rpc.h | 71 +++
- include/linux/netfilter_ipv4/ipt_rpc.h | 35 +
- net/ipv4/netfilter/Kconfig | 32 +
- net/ipv4/netfilter/Makefile | 1
- net/ipv4/netfilter/ip_conntrack_rpc_tcp.c | 554 ++++++++++++++++++++++++
- net/ipv4/netfilter/ip_conntrack_rpc_udp.c | 527 ++++++++++++++++++++++
- net/ipv4/netfilter/ipt_rpc.c | 443 +++++++++++++++++++
- 7 files changed, 1663 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_conntrack_rpc.h linux/include/linux/netfilter_ipv4/ip_conntrack_rpc.h
---- linux.org/include/linux/netfilter_ipv4/ip_conntrack_rpc.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ip_conntrack_rpc.h 2006-05-04 11:26:08.000000000 +0200
+diff -Nur --exclude '*.orig' linux/include/linux/netfilter/nf_conntrack_rpc.h linux/include/linux/netfilter/nf_conntrack_rpc.h
+--- linux/include/linux/netfilter/nf_conntrack_rpc.h 1970-01-01 01:00:00.000000000 +0100
++++ linux/include/linux/netfilter/nf_conntrack_rpc.h 2006-05-04 11:26:08.000000000 +0200
@@ -0,0 +1,71 @@
+/* RPC extension for IP connection tracking, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
@@ -41,7 +32,7 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_conntrack
+#include <linux/stddef.h>
+#include <linux/list.h>
+
-+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
++#include <net/netfilter/nf_conntrack_helper.h>
+
+#ifndef _IP_CONNTRACK_RPC_H
+#define _IP_CONNTRACK_RPC_H
@@ -82,8 +73,8 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_conntrack
+}
+
+#endif /* _IP_CONNTRACK_RPC_H */
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_rpc.h linux/include/linux/netfilter_ipv4/ipt_rpc.h
---- linux.org/include/linux/netfilter_ipv4/ipt_rpc.h 1970-01-01 01:00:00.000000000 +0100
+diff -Nur --exclude '*.orig' linux/include/linux/netfilter_ipv4/ipt_rpc.h linux/include/linux/netfilter_ipv4/ipt_rpc.h
+--- linux/include/linux/netfilter_ipv4/ipt_rpc.h 1970-01-01 01:00:00.000000000 +0100
+++ linux/include/linux/netfilter_ipv4/ipt_rpc.h 2006-05-04 11:26:08.000000000 +0200
@@ -0,0 +1,35 @@
+/* RPC extension for IP netfilter matching, Version 2.2
@@ -121,8 +112,8 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_rpc.h li
+};
+
+#endif /* _IPT_RPC_H */
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
+diff -Nur --exclude '*.orig' linux/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
+--- linux/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 11:26:08.000000000 +0200
@@ -606,5 +606,37 @@
Allows altering the ARP packet payload: source and destination
@@ -130,7 +121,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4
+config IP_NF_MATCH_RPC
+ tristate 'RPC match support'
-+ depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
++ depends on NF_CONNTRACK && IP_NF_IPTABLES
+ help
+ This adds CONFIG_IP_NF_MATCH_RPC, which is the RPC connection
+ matcher and tracker.
@@ -162,15 +153,15 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4
+
endmenu
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
+diff -Nur --exclude '*.orig' linux/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
+--- linux/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 11:26:08.000000000 +0200
@@ -0,0 +0,1 @@
+obj-$(CONFIG_IP_NF_MATCH_RPC) += ip_conntrack_rpc_tcp.o ip_conntrack_rpc_udp.o ipt_rpc.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c linux/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
---- linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c 2006-05-04 11:26:08.000000000 +0200
-@@ -0,0 +1,554 @@
+diff -Nur --exclude '*.orig' linux/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c linux/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+--- linux/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c 1970-01-01 01:00:00.000000000 +0100
++++ linux/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c 2007-08-15 03:04:53.000000000 +0200
+@@ -0,0 +1,567 @@
+/* RPC extension for IP (TCP) connection tracking, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ * - original rpc tracking module
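Review bot: The Makefile hunk kept in this section still carries the malformed header `@@ -0,0 +0,1 @@`, although this same commit replaces the identical header in the IPV4OPTIONS patch with a real context hunk. A `-0,0` hunk inserts the rule at line 0 of the Makefile, which kbuild tolerates but which is inconsistent with the corrected patch and gives patch nothing to anchor on; regenerate it as a normal context hunk next to the existing `obj-$(CONFIG_IP_NF_MATCH_*)` rules so a mismatch fails loudly.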
@@ -240,8 +231,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+#include <linux/list.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_rpc.h>
++#include <net/netfilter/nf_conntrack_expect.h>
++#include <net/netfilter/nf_conntrack_helper.h>
++#include <linux/netfilter/nf_conntrack_rpc.h>
+
+#define MAX_PORTS 8
+static int ports[MAX_PORTS];
@@ -271,10 +263,10 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+
+DEFINE_RWLOCK(ipct_rpc_tcp_lock);
+
-+#define ASSERT_READ_LOCK(x)
-+#define ASSERT_WRITE_LOCK(x)
++//#define ASSERT_READ_LOCK(x)
++//#define ASSERT_WRITE_LOCK(x)
+
-+#include <linux/netfilter_ipv4/listhelp.h>
++//#include <linux/netfilter_ipv4/listhelp.h>
+
+/* For future conections RPC, using client's cache bindings
+ * I'll use ip_conntrack_lock to lock these lists */
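Review bot: The `ASSERT_READ_LOCK`/`ASSERT_WRITE_LOCK` defines and the `listhelp.h` include are commented out with `//` instead of removed; the converted code uses `list_for_each_entry`/`list_del` and no longer references either, so delete the three lines. Leaving `//` remnants in a kernel source file also invites someone to re-enable a header that no longer exists in this tree.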
@@ -287,7 +279,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+ struct request_p *p = (void *)request_p_ul;
+
+ write_lock_bh(&ipct_rpc_tcp_lock);
-+ LIST_DELETE(&request_p_list_tcp, p);
++ list_del(&p->list);
+ write_unlock_bh(&ipct_rpc_tcp_lock);
+ kfree(p);
+ return;
@@ -298,7 +290,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+{
+ write_lock_bh(&ipct_rpc_tcp_lock);
+ del_timer(&r->timeout);
-+ LIST_DELETE(&request_p_list_tcp, r);
++ list_del(&r->list);
+ write_unlock_bh(&ipct_rpc_tcp_lock);
+ kfree(r);
+ return;
@@ -327,12 +319,16 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+static void alloc_request_p(u_int32_t xid, u_int16_t proto, u_int32_t ip,
+ u_int16_t port)
+{
-+ struct request_p *req_p;
++ struct request_p *req_p = NULL, *p;
+
+ /* Verifies if entry already exists */
+ write_lock_bh(&ipct_rpc_tcp_lock);
-+ req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp,
-+ struct request_p *, xid, ip, port);
++// req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp,
++// struct request_p *, xid, ip, port);
++
++ list_for_each_entry(p, &request_p_list_tcp, list)
++ if (p->xid == xid && p->ip == ip && p->port == port)
++ req_p = p;
+
+ if (req_p) {
+ /* Refresh timeout */
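Review bot: The replacement lookup in alloc_request_p never leaves `list_for_each_entry`, so it walks the whole list under the write lock and, should duplicates ever exist, returns the last hit where `LIST_FIND` returned the first; brace the body as `{ req_p = p; break; }`. The commented-out `LIST_FIND` call above it is dead code and should be removed rather than kept as a `//` comment. alloc_request_p continues past the hunk.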
@@ -369,20 +365,20 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+
+ /* Put in list */
+ write_lock_bh(&ipct_rpc_tcp_lock);
-+ list_prepend(&request_p_list_tcp, req_p);
++ list_add(req_p, &request_p_list_tcp);
+ write_unlock_bh(&ipct_rpc_tcp_lock);
+ return;
+}
+
+
+static int check_rpc_packet(const u_int32_t *data,
-+ int dir, struct ip_conntrack *ct,
++ int dir, struct nf_conn *ct,
+ struct list_head request_p_list)
+{
+ u_int32_t xid;
+ int ret = NF_ACCEPT;
-+ struct request_p *req_p;
-+ struct ip_conntrack_expect *exp;
++ struct request_p *req_p = NULL, *p;
++ struct nf_conntrack_expect *exp;
+
+
+ if (ct == NULL) {
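Review bot: `list_add(req_p, &request_p_list_tcp)` passes a `struct request_p *` where `list_add()` takes a `struct list_head *`; it should read `list_add(&req_p->list, &request_p_list_tcp);`, matching the `list_del(&p->list)` used elsewhere in this file. As written it compiles only with an incompatible-pointer warning and is correct only while `list` happens to be the first member of `struct request_p`, which nothing visible here guarantees. The `struct list_head request_p_list` by-value parameter of check_rpc_packet in the same hunk is pre-existing, but a copied list head cannot be walked safely and it should become a pointer too.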
@@ -426,12 +422,12 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+
+ /* Get RPC protocol and store against client parameters */
+ data = data + 2;
-+ alloc_request_p(xid, IXDR_GET_INT32(data), ct->tuplehash[dir].tuple.src.ip,
++ alloc_request_p(xid, IXDR_GET_INT32(data), ct->tuplehash[dir].tuple.src.u3.ip,
+ ct->tuplehash[dir].tuple.src.u.all);
+
+ DEBUGP("allocated RPC req_p for xid=%u proto=%u %u.%u.%u.%u:%u\n",
+ xid, IXDR_GET_INT32(data),
-+ NIPQUAD(ct->tuplehash[dir].tuple.src.ip),
++ NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip),
+ ntohs(ct->tuplehash[dir].tuple.src.u.all));
+
+ DEBUGP("allocated RPC request for protocol %u. [done]\n",
@@ -440,10 +436,17 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+ } else {
+
+ /* Check for returning packet's stored counterpart */
-+ req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp,
++ /* req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp,
+ struct request_p *, xid,
-+ ct->tuplehash[!dir].tuple.src.ip,
++ ct->tuplehash[!dir].tuple.src.u3.ip,
+ ct->tuplehash[!dir].tuple.src.u.all);
++ */
++
++ list_for_each_entry(p, &request_p_list_tcp, list)
++ if (p->xid == xid &&
++ p->ip == ct->tuplehash[!dir].tuple.src.u3.ip &&
++ p->port == ct->tuplehash[!dir].tuple.src.u.all)
++ req_p = p;
+
+ /* Drop unexpected packets */
+ if (!req_p) {
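Review bot: The reply-side walk over `request_p_list_tcp` does not visibly take `ipct_rpc_tcp_lock`, yet the timeout callback earlier in this file removes and kfree()s entries under `write_lock_bh` on that lock, so a timer firing mid-walk leaves `p` (and the `req_p` dereferenced later for `req_p->proto`) dangling. Unless the caller already holds the lock, which is not visible in this hunk, wrap the loop in `read_lock_bh(&ipct_rpc_tcp_lock);` / `read_unlock_bh(&ipct_rpc_tcp_lock);` and hold it while `req_p` is in use. The loop also needs a `break` after `req_p = p;`, and the old `LIST_FIND` call should be deleted rather than left in a comment. check_rpc_packet continues outside the hunk.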
@@ -486,17 +489,17 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+ if (port_buf && port_buf != nsrexec) {
+ DEBUGP("port found: %u\n", port_buf);
+
-+ exp = ip_conntrack_expect_alloc(ct);
++ exp = nf_conntrack_expect_alloc(ct);
+ if (!exp) {
+ ret = NF_DROP;
+ goto out;
+ }
+
+ /* Watch out, Radioactive-Man! */
-+ exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
-+ exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
-+ exp->mask.src.ip = 0xffffffff;
-+ exp->mask.dst.ip = 0xffffffff;
++ exp->tuple.src.u3.ip = ct->tuplehash[!dir].tuple.src.u3.ip;
++ exp->tuple.dst.u3.ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
++ exp->mask.src.u3.ip = 0xffffffff;
++ exp->mask.dst.u3.ip = 0xffffffff;
+
+ switch (req_p->proto) {
+ case IPPROTO_UDP:
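Review bot: The expectation tuple sets only the IPv4 address fields; with nf_conntrack the expectation is also compared on `src.l3num` through the mask, and `nf_conntrack_expect_alloc()` does not appear to zero the object in this kernel series, so add `exp->tuple.src.l3num = AF_INET;` and `exp->mask.src.l3num = 0xFFFF;` next to the address masks (the in-tree ftp/irc helpers of this era do the same). Without them the l3num comparison runs against whatever the slab returned, so the expectation may never match or may match a flow of the wrong family. The `switch (req_p->proto)` continues outside the hunk.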
@@ -520,22 +523,23 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+ exp->expectfn = NULL;
+ exp->master = ct;
+
-+ if (exp->master->helper == NULL) {
++ struct nf_conn_help *m_help = nfct_help(exp->master);
++ if (m_help->helper == NULL) {
+ DEBUGP("master helper NULL");
+ ret = NF_ACCEPT;
+ }
+
+ DEBUGP("expect related ip %u.%u.%u.%u:0-%u.%u.%u.%u:%u proto=%u\n",
-+ NIPQUAD(exp->tuple.src.ip),
-+ NIPQUAD(exp->tuple.dst.ip),
++ NIPQUAD(exp->tuple.src.u3.ip),
++ NIPQUAD(exp->tuple.dst.u3.ip),
+ port_buf, req_p->proto);
+
+ DEBUGP("expect related mask %u.%u.%u.%u:0-%u.%u.%u.%u:65535 proto=%u\n",
-+ NIPQUAD(exp->mask.src.ip),
-+ NIPQUAD(exp->mask.dst.ip),
++ NIPQUAD(exp->mask.src.u3.ip),
++ NIPQUAD(exp->mask.dst.u3.ip),
+ exp->mask.dst.protonum);
+
-+ if (ip_conntrack_expect_related(exp) != 0) {
++ if (nf_conntrack_expect_related(exp) != 0) {
+ ret = NF_DROP;
+ }
+
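Review bot: No `nf_conntrack_expect_put(exp)` follows `nf_conntrack_expect_related()`; the in-tree helpers drop their reference immediately after that call on both the success and failure path, so unless the put happens at `out:` (outside this hunk) every expectation leaks a reference. `exp->helper` and `exp->flags` are also not initialized in the visible code, and the core reads `exp->helper` when the expected connection arrives, so set `exp->helper = NULL; exp->flags = 0;` alongside `exp->expectfn = NULL`. Finally, `struct nf_conn_help *m_help` is declared after statements (kernel builds use -Wdeclaration-after-statement) and dereferenced without a NULL check although `nfct_help()` returns NULL for a conntrack without helper storage; move the declaration to the top of the block and test `if (!m_help || m_help->helper == NULL)`.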
@@ -554,9 +558,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+
+/* RPC TCP helper */
+/* static int help(const struct iphdr *iph, size_t len,
-+ struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) */
++ struct nf_conn *ct, enum ip_conntrack_info ctinfo) */
+static int help(struct sk_buff **pskb,
-+ struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
++ struct nf_conn *ct, enum ip_conntrack_info ctinfo)
+{
+ int dir;
+ int crp_ret;
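Review bot: The nf_conntrack helper callback in this kernel series takes `(struct sk_buff **pskb, unsigned int protoff, struct nf_conn *ct, enum ip_conntrack_info ctinfo)`, but `help` is declared without the `protoff` argument; if it is assigned to `rpc_helpers[port].help` directly (outside this hunk) the compiler only warns, and at run time `ct` receives the protoff value and `ctinfo` the conntrack pointer. Change the signature to `static int help(struct sk_buff **pskb, unsigned int protoff, struct nf_conn *ct, enum ip_conntrack_info ctinfo)` and use `protoff` instead of `iph->ihl*4` when locating the TCP header. help's body continues outside the hunk.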
@@ -567,7 +571,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+ size_t len;
+
+ /* Not whole TCP header? */
-+ iph=(*pskb)->nh.iph;
++ iph=ip_hdr(*pskb);
+ tcph = skb_header_pointer(*pskb,iph->ihl*4,sizeof(_tcph),&_tcph);
+ if (!tcph)
+ return NF_ACCEPT;
@@ -634,7 +638,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+}
+
+
-+static struct ip_conntrack_helper rpc_helpers[MAX_PORTS];
++static struct nf_conntrack_helper rpc_helpers[MAX_PORTS];
+static char rpc_names[MAX_PORTS][10];
+
+static void fini(void);
@@ -649,7 +653,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+ ports[0] = RPC_PORT;
+
+ for (port = 0; (port < MAX_PORTS) && ports[port]; port++) {
-+ memset(&rpc_helpers[port], 0, sizeof(struct ip_conntrack_helper));
++ memset(&rpc_helpers[port], 0, sizeof(struct nf_conntrack_helper));
+
+ tmpname = &rpc_names[port][0];
+ if (ports[port] == RPC_PORT)
@@ -674,17 +678,17 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+
+ PRINTK("registering helper for port #%d: %d/TCP\n", port, ports[port]);
+ PRINTK("helper match ip %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
-+ NIPQUAD(rpc_helpers[port].tuple.dst.ip),
++ NIPQUAD(rpc_helpers[port].tuple.dst.u3.ip),
+ ntohs(rpc_helpers[port].tuple.dst.u.tcp.port),
-+ NIPQUAD(rpc_helpers[port].tuple.src.ip),
++ NIPQUAD(rpc_helpers[port].tuple.src.u3.ip),
+ ntohs(rpc_helpers[port].tuple.src.u.tcp.port));
+ PRINTK("helper match mask %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
-+ NIPQUAD(rpc_helpers[port].mask.dst.ip),
++ NIPQUAD(rpc_helpers[port].mask.dst.u3.ip),
+ ntohs(rpc_helpers[port].mask.dst.u.tcp.port),
-+ NIPQUAD(rpc_helpers[port].mask.src.ip),
++ NIPQUAD(rpc_helpers[port].mask.src.u3.ip),
+ ntohs(rpc_helpers[port].mask.src.u.tcp.port));
+
-+ ret = ip_conntrack_helper_register(&rpc_helpers[port]);
++ ret = nf_conntrack_helper_register(&rpc_helpers[port]);
+
+ if (ret) {
+ printk("ERROR registering port %d\n",
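Review bot: The registration prints the helper tuple and mask, but nothing visible sets `tuple.src.l3num` and `mask.src.l3num`; after the `memset` to zero earlier in this loop, a zero `mask.src.l3num` lets the helper match any address family on the port, so an IPv6 flow to that port would be handed to code that reads `ip_hdr()`. Unless the tuple assignment (outside this hunk) already does so, add `rpc_helpers[port].tuple.src.l3num = AF_INET;` and `rpc_helpers[port].mask.src.l3num = 0xFFFF;` before `nf_conntrack_helper_register()`. init's body continues outside the hunk.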
@@ -712,7 +716,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+
+ for (port = 0; (port < ports_n_c) && ports[port]; port++) {
+ DEBUGP("unregistering port %d\n", ports[port]);
-+ ip_conntrack_helper_unregister(&rpc_helpers[port]);
++ nf_conntrack_helper_unregister(&rpc_helpers[port]);
+ }
+}
+
@@ -725,10 +729,10 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+EXPORT_SYMBOL(ip_conntrack_rpc_tcp);
+EXPORT_SYMBOL(ipct_rpc_tcp_lock);
+
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c linux/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
---- linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ip_conntrack_rpc_udp.c 2006-05-04 11:26:08.000000000 +0200
-@@ -0,0 +1,528 @@
+diff -Nur --exclude '*.orig' linux/net/ipv4/netfilter/ip_conntrack_rpc_udp.c linux/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+--- linux/net/ipv4/netfilter/ip_conntrack_rpc_udp.c 1970-01-01 01:00:00.000000000 +0100
++++ linux/net/ipv4/netfilter/ip_conntrack_rpc_udp.c 2007-08-15 01:44:02.000000000 +0200
+@@ -0,0 +1,540 @@
+/* RPC extension for IP (UDP) connection tracking, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ * - original rpc tracking module
@@ -793,8 +797,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+#include <linux/udp.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_rpc.h>
++#include <net/netfilter/nf_conntrack_expect.h>
++#include <net/netfilter/nf_conntrack_helper.h>
++#include <linux/netfilter/nf_conntrack_rpc.h>
+
+#define MAX_PORTS 8
+static int ports[MAX_PORTS];
@@ -820,9 +825,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+#endif
+
+DEFINE_RWLOCK(ipct_rpc_udp_lock);
-+#define ASSERT_READ_LOCK(x)
-+#define ASSERT_WRITE_LOCK(x)
-+#include <linux/netfilter_ipv4/listhelp.h>
++//#define ASSERT_READ_LOCK(x)
++//#define ASSERT_WRITE_LOCK(x)
++//#include <linux/netfilter_ipv4/listhelp.h>
+
+/* For future conections RPC, using client's cache bindings
+ * I'll use ip_conntrack_lock to lock these lists */
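Review bot: The `ASSERT_READ_LOCK`/`ASSERT_WRITE_LOCK` defines and the `listhelp.h` include are commented out with `//` rather than removed; the converted UDP code no longer references them, so delete the three lines instead of leaving dead `//` remnants in a kernel source file.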
@@ -835,7 +840,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+ struct request_p *p = (void *)request_p_ul;
+
+ write_lock_bh(&ipct_rpc_udp_lock);
-+ LIST_DELETE(&request_p_list_udp, p);
++ list_del(&p->list);
+ write_unlock_bh(&ipct_rpc_udp_lock);
+ kfree(p);
+ return;
@@ -846,7 +851,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+{
+ write_lock_bh(&ipct_rpc_udp_lock);
+ del_timer(&r->timeout);
-+ LIST_DELETE(&request_p_list_udp, r);
++ list_del(&r->list);
+ write_unlock_bh(&ipct_rpc_udp_lock);
+ kfree(r);
+ return;
@@ -875,12 +880,16 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+static void alloc_request_p(u_int32_t xid, u_int16_t proto, u_int32_t ip,
+ u_int16_t port)
+{
-+ struct request_p *req_p;
++ struct request_p *req_p = NULL, *p;
+
+ /* Verifies if entry already exists */
+ write_lock_bh(&ipct_rpc_udp_lock);
-+ req_p = LIST_FIND(&request_p_list_udp, request_p_cmp,
-+ struct request_p *, xid, ip, port);
++// req_p = LIST_FIND(&request_p_list_udp, request_p_cmp,
++// struct request_p *, xid, ip, port);
++
++ list_for_each_entry(p, &request_p_list_udp, list)
++ if (p->xid == xid && p->ip == ip && p->port == port)
++ req_p = p;
+
+ if (req_p) {
+ /* Refresh timeout */
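Review bot: The UDP alloc_request_p lookup has no `break`, so it scans the whole list under the write lock and returns the last duplicate where `LIST_FIND` returned the first; brace the body as `{ req_p = p; break; }`. The commented-out `LIST_FIND` call should be deleted rather than kept. alloc_request_p continues past the hunk.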
@@ -917,7 +926,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+
+ /* Put in list */
+ write_lock_bh(&ipct_rpc_udp_lock);
-+ list_prepend(&request_p_list_udp, req_p);
++ list_add(req_p, &request_p_list_udp);
+ write_unlock_bh(&ipct_rpc_udp_lock);
+ return;
+
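Review bot: `list_add(req_p, &request_p_list_udp)` hands a `struct request_p *` to a function expecting a `struct list_head *`; use `list_add(&req_p->list, &request_p_list_udp);` to match the `list_del(&r->list)` in this file. The current form only works while `list` is the first member of the struct and silences nothing but a compiler warning.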
@@ -925,13 +934,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+
+
+static int check_rpc_packet(const u_int32_t *data,
-+ int dir, struct ip_conntrack *ct,
++ int dir, struct nf_conn *ct,
+ struct list_head request_p_list)
+{
+ int ret = NF_ACCEPT;
+ u_int32_t xid;
-+ struct request_p *req_p;
-+ struct ip_conntrack_expect *exp;
++ struct request_p *req_p = NULL, *p;
++ struct nf_conntrack_expect *exp;
+
+ /* Translstion's buffer for XDR */
+ u_int16_t port_buf;
@@ -970,12 +979,12 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+
+ /* Get RPC protocol and store against client parameters */
+ data = data + 2;
-+ alloc_request_p(xid, IXDR_GET_INT32(data), ct->tuplehash[dir].tuple.src.ip,
++ alloc_request_p(xid, IXDR_GET_INT32(data), ct->tuplehash[dir].tuple.src.u3.ip,
+ ct->tuplehash[dir].tuple.src.u.all);
+
+ DEBUGP("allocated RPC req_p for xid=%u proto=%u %u.%u.%u.%u:%u\n",
+ xid, IXDR_GET_INT32(data),
-+ NIPQUAD(ct->tuplehash[dir].tuple.src.ip),
++ NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip),
+ ntohs(ct->tuplehash[dir].tuple.src.u.all));
+
+ DEBUGP("allocated RPC request for protocol %u. [done]\n",
@@ -984,11 +993,18 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+ } else {
+
+ /* Check for returning packet's stored counterpart */
-+ req_p = LIST_FIND(&request_p_list_udp, request_p_cmp,
++ /* req_p = LIST_FIND(&request_p_list_udp, request_p_cmp,
+ struct request_p *, xid,
-+ ct->tuplehash[!dir].tuple.src.ip,
++ ct->tuplehash[!dir].tuple.src.u3.ip,
+ ct->tuplehash[!dir].tuple.src.u.all);
+
++ */
++ list_for_each_entry(p, &request_p_list_udp, list)
++ if (p->xid == xid &&
++ p->ip == ct->tuplehash[!dir].tuple.src.u3.ip &&
++ p->port == ct->tuplehash[!dir].tuple.src.u.all)
++ req_p = p;
++
+ /* Drop unexpected packets */
+ if (!req_p) {
+ DEBUGP("packet is not expected. [skip]\n");
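Review bot: The reply-side walk over `request_p_list_udp` takes no visible lock while the timeout callback in this file deletes and kfree()s entries under `write_lock_bh(&ipct_rpc_udp_lock)`, so a timer firing during the walk leaves `p` and the later-used `req_p` dangling. Unless the caller already holds the lock (not visible here), guard the loop with `read_lock_bh(&ipct_rpc_udp_lock);` / `read_unlock_bh(&ipct_rpc_udp_lock);` and keep it held while `req_p` is used, add a `break` after `req_p = p;`, and drop the commented-out `LIST_FIND`. check_rpc_packet continues outside the hunk.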
@@ -1030,17 +1046,17 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+ if (port_buf) {
+ DEBUGP("port found: %u\n", port_buf);
+
-+ exp = ip_conntrack_expect_alloc(ct);
++ exp = nf_conntrack_expect_alloc(ct);
+ if (!exp) {
+ ret = NF_DROP;
+ goto out;
+ }
+
+ /* Watch out, Radioactive-Man! */
-+ exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
-+ exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
-+ exp->mask.src.ip = 0xffffffff;
-+ exp->mask.dst.ip = 0xffffffff;
++ exp->tuple.src.u3.ip = ct->tuplehash[!dir].tuple.src.u3.ip;
++ exp->tuple.dst.u3.ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
++ exp->mask.src.u3.ip = 0xffffffff;
++ exp->mask.dst.u3.ip = 0xffffffff;
+
+ switch (req_p->proto) {
+ case IPPROTO_UDP:
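Review bot: As with the TCP helper, the expectation sets only the IPv4 address and mask fields; nf_conntrack also compares `src.l3num` through the mask and `nf_conntrack_expect_alloc()` does not appear to zero the object here, so add `exp->tuple.src.l3num = AF_INET;` and `exp->mask.src.l3num = 0xFFFF;` beside the address masks. Otherwise the comparison runs on slab garbage and the expectation may never fire. The `switch (req_p->proto)` continues outside the hunk.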
@@ -1065,16 +1081,16 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+ exp->master = ct;
+
+ DEBUGP("expect related ip %u.%u.%u.%u:0-%u.%u.%u.%u:%u proto=%u\n",
-+ NIPQUAD(exp->tuple.src.ip),
-+ NIPQUAD(exp->tuple.dst.ip),
++ NIPQUAD(exp->tuple.src.u3.ip),
++ NIPQUAD(exp->tuple.dst.u3.ip),
+ port_buf, req_p->proto);
+
+ DEBUGP("expect related mask %u.%u.%u.%u:0-%u.%u.%u.%u:65535 proto=%u\n",
-+ NIPQUAD(exp->mask.src.ip),
-+ NIPQUAD(exp->mask.dst.ip),
++ NIPQUAD(exp->mask.src.u3.ip),
++ NIPQUAD(exp->mask.dst.u3.ip),
+ exp->mask.dst.protonum);
+
-+ if (ip_conntrack_expect_related(exp) != 0) {
++ if (nf_conntrack_expect_related(exp) != 0) {
+ ret = NF_DROP;
+ }
+ }
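Review bot: There is no `nf_conntrack_expect_put(exp)` after `nf_conntrack_expect_related()`, so unless it happens past this hunk each expectation keeps an extra reference, which is how the in-tree helpers avoid leaking them on both paths. The visible code also never initializes `exp->helper` or `exp->flags`, which the core reads when the expected connection is created; add `exp->helper = NULL; exp->flags = 0;` next to `exp->expectfn = NULL`. check_rpc_packet continues outside the hunk.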
@@ -1091,9 +1107,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+
+/* RPC UDP helper */
+/* static int help(const struct iphdr *iph, size_t len,
-+ struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) */
++ struct nf_conn *ct, enum ip_conntrack_info ctinfo) */
+static int help(struct sk_buff **pskb,
-+ struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
++ struct nf_conn *ct, enum ip_conntrack_info ctinfo)
+{
+ int dir;
+ int crp_ret;
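Review bot: `help` is declared without the `unsigned int protoff` argument that the nf_conntrack_helper `help` callback takes in this kernel series; assigning it to `rpc_helpers[port].help` (outside this hunk) would only warn, while at run time the parameters shift so that `ct` holds the protocol offset. Use `static int help(struct sk_buff **pskb, unsigned int protoff, struct nf_conn *ct, enum ip_conntrack_info ctinfo)` and locate the UDP header at `protoff` rather than `iph->ihl*4`. help's body continues outside the hunk.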
@@ -1105,7 +1121,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+ const u_int16_t *chsm;
+
+ /* Not whole UDP header? */
-+ iph=(*pskb)->nh.iph;
++ iph=ip_hdr(*pskb);
+ udph = skb_header_pointer(*pskb,iph->ihl*4,sizeof(_udph),&_udph);
+ if (!udph)
+ return NF_ACCEPT;
@@ -1169,7 +1185,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+}
+
+
-+static struct ip_conntrack_helper rpc_helpers[MAX_PORTS];
++static struct nf_conntrack_helper rpc_helpers[MAX_PORTS];
+static char rpc_names[MAX_PORTS][10];
+
+static void fini(void);
@@ -1184,7 +1200,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+ ports[0] = RPC_PORT;
+
+ for (port = 0; (port < MAX_PORTS) && ports[port]; port++) {
-+ memset(&rpc_helpers[port], 0, sizeof(struct ip_conntrack_helper));
++ memset(&rpc_helpers[port], 0, sizeof(struct nf_conntrack_helper));
+
+ tmpname = &rpc_names[port][0];
+ if (ports[port] == RPC_PORT)
@@ -1209,17 +1225,17 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+
+ PRINTK("registering helper for port #%d: %d/UDP\n", port, ports[port]);
+ PRINTK("helper match ip %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
-+ NIPQUAD(rpc_helpers[port].tuple.dst.ip),
++ NIPQUAD(rpc_helpers[port].tuple.dst.u3.ip),
+ ntohs(rpc_helpers[port].tuple.dst.u.udp.port),
-+ NIPQUAD(rpc_helpers[port].tuple.src.ip),
++ NIPQUAD(rpc_helpers[port].tuple.src.u3.ip),
+ ntohs(rpc_helpers[port].tuple.src.u.udp.port));
+ PRINTK("helper match mask %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
-+ NIPQUAD(rpc_helpers[port].mask.dst.ip),
++ NIPQUAD(rpc_helpers[port].mask.dst.u3.ip),
+ ntohs(rpc_helpers[port].mask.dst.u.udp.port),
-+ NIPQUAD(rpc_helpers[port].mask.src.ip),
++ NIPQUAD(rpc_helpers[port].mask.src.u3.ip),
+ ntohs(rpc_helpers[port].mask.src.u.udp.port));
+
-+ ret = ip_conntrack_helper_register(&rpc_helpers[port]);
++ ret = nf_conntrack_helper_register(&rpc_helpers[port]);
+
+ if (ret) {
+ printk("ERROR registering port %d\n",
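Review bot: Nothing visible sets `tuple.src.l3num`/`mask.src.l3num` on the UDP helpers before `nf_conntrack_helper_register()`; with the mask zeroed by the earlier `memset`, the helper matches the port for any address family and could be attached to an IPv6 flow that the body then parses with `ip_hdr()`. Unless the tuple assignment outside this hunk already covers it, add `rpc_helpers[port].tuple.src.l3num = AF_INET;` and `rpc_helpers[port].mask.src.l3num = 0xFFFF;`. init's body continues outside the hunk.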
@@ -1244,7 +1260,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+
+ for (port = 0; (port < ports_n_c) && ports[port]; port++) {
+ DEBUGP("unregistering port %d\n", ports[port]);
-+ ip_conntrack_helper_unregister(&rpc_helpers[port]);
++ nf_conntrack_helper_unregister(&rpc_helpers[port]);
+ }
+}
+
@@ -1257,10 +1273,10 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
+EXPORT_SYMBOL(ip_conntrack_rpc_udp);
+EXPORT_SYMBOL(ipct_rpc_udp_lock);
+
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_rpc.c linux/net/ipv4/netfilter/ipt_rpc.c
---- linux.org/net/ipv4/netfilter/ipt_rpc.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_rpc.c 2006-05-04 11:26:08.000000000 +0200
-@@ -0,0 +1,443 @@
+diff -Nur --exclude '*.orig' linux/net/ipv4/netfilter/ipt_rpc.c linux/net/ipv4/netfilter/ipt_rpc.c
+--- linux/net/ipv4/netfilter/ipt_rpc.c 1970-01-01 01:00:00.000000000 +0100
++++ linux/net/ipv4/netfilter/ipt_rpc.c 2007-08-15 01:40:43.000000000 +0200
+@@ -0,0 +1,448 @@
+/* RPC extension for IP connection matching, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ * - original rpc tracking module
@@ -1314,9 +1330,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_rpc.c linux/net/ip
+#include <linux/list.h>
+#include <linux/udp.h>
+#include <linux/tcp.h>
-+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_rpc.h>
++#include <linux/netfilter/nf_conntrack_rpc.h>
+#include <linux/netfilter_ipv4/ipt_rpc.h>
+
+#define MAX_PORTS 8
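Review bot: ipt_rpc.c now uses `struct nf_conn` and `nf_ct_get()` but the include block names only `nf_conntrack_rpc.h`, so it relies on that private header pulling in `<net/netfilter/nf_conntrack.h>` transitively. Add `#include <net/netfilter/nf_conntrack.h>` explicitly so the file compiles on its own if the helper header is trimmed.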
@@ -1376,8 +1391,6 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_rpc.c linux/net/ip
+} while (0)
+#endif
+
-+#include <linux/netfilter_ipv4/listhelp.h>
-+
+const int IPT_RPC_CHAR_LEN = 11;
+
+static int k_atoi(char *string)
@@ -1425,11 +1438,11 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_rpc.c linux/net/ip
+
+
+static int check_rpc_packet(const u_int32_t *data, const void *matchinfo,
-+ int *hotdrop, int dir, struct ip_conntrack *ct,
++ int *hotdrop, int dir, struct nf_conn *ct,
+ int offset, struct list_head request_p_list)
+{
+ const struct ipt_rpc_info *rpcinfo = matchinfo;
-+ struct request_p *req_p;
++ struct request_p *req_p = NULL, *p;
+ u_int32_t xid;
+
+
@@ -1473,28 +1486,34 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_rpc.c linux/net/ip
+ case IPPROTO_TCP:
+ write_lock_bh(&ipct_rpc_tcp_lock);
+ }
-+ req_p = LIST_FIND(&request_p_list, request_p_cmp,
++/* req_p = LIST_FIND(&request_p_list, request_p_cmp,
+ struct request_p *, xid,
-+ ct->tuplehash[dir].tuple.src.ip,
++ ct->tuplehash[dir].tuple.src.u3.ip,
+ ct->tuplehash[dir].tuple.src.u.all);
++*/
++ list_for_each_entry(p, &request_p_list, list)
++ if (p->xid == xid &&
++ p->ip == ct->tuplehash[!dir].tuple.src.u3.ip &&
++ p->port == ct->tuplehash[!dir].tuple.src.u.all)
++ req_p = p;
+
+ if (req_p) {
+ DEBUGP("found req_p for xid=%u proto=%u %u.%u.%u.%u:%u\n",
+ xid, ct->tuplehash[dir].tuple.dst.protonum,
-+ NIPQUAD(ct->tuplehash[dir].tuple.src.ip),
++ NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip),
+ ntohs(ct->tuplehash[dir].tuple.src.u.all));
+
+ /* .. remove it */
+ if (del_timer(&req_p->timeout))
+ req_p->timeout.expires = 0;
+
-+ LIST_DELETE(&request_p_list, req_p);
++ list_del(&req_p->list);
+ DEBUGP("RPC req_p removed. [done]\n");
+
+ } else {
+ DEBUGP("no req_p found for xid=%u proto=%u %u.%u.%u.%u:%u\n",
+ xid, ct->tuplehash[dir].tuple.dst.protonum,
-+ NIPQUAD(ct->tuplehash[dir].tuple.src.ip),
++ NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip),
+ ntohs(ct->tuplehash[dir].tuple.src.u.all));
+
+ }
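Review bot: `list_for_each_entry(p, &request_p_list, list)` walks `request_p_list`, which is the by-value `struct list_head` parameter declared in the previous hunk; the loop's terminator is the address of that local copy, which no entry's `list.next` can ever equal, so the walk never ends and spins with `ipct_rpc_*_lock` held for writing on any packet reaching this path (the old `LIST_FIND` at least stopped on a match, and this version has no `break`). Pass the head as `struct list_head *request_p_list` (updating the callers outside this hunk), walk `request_p_list` directly, and brace the body as `{ req_p = p; break; }`. Note also that the new comparison keys on `ct->tuplehash[!dir]` while the `LIST_FIND` it replaces and the DEBUGP lines below use `tuplehash[dir]`; confirm which direction is intended, since a mismatch means no request is ever found. check_rpc_packet continues outside the hunk.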
@@ -1525,7 +1544,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_rpc.c linux/net/ip
+ const struct net_device *out, const void *matchinfo,
+ int offset, unsigned int protoff, int *hotdrop)
+{
-+ struct ip_conntrack *ct;
++ struct nf_conn *ct;
+ enum ip_conntrack_info ctinfo;
+ const u_int32_t *data;
+ enum ip_conntrack_dir dir;
@@ -1538,13 +1557,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_rpc.c linux/net/ip
+ u_int16_t datalen; /* stes */
+
+ /* Initialization stes - see 2.4 ip_tables.c ipt_do_table() */
-+ ip = skb->nh.iph;
++ ip = ip_hdr(skb);
+ hdr = (u_int32_t *)ip + ip->ihl;
+ datalen = skb->len - ip->ihl * 4;
+
+ DEBUGP("new packet to evaluate ..\n");
+
-+ ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
++ ct = nf_ct_get((struct sk_buff *)skb, &ctinfo);
+ if (!ct) {
+ DEBUGP("no ct available [skip]\n");
+ return 0;
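Review bot: `hdr = (u_int32_t *)ip + ip->ihl;` points straight into the linear skb without confirming that the transport header and the RPC words it will read are actually present there, whereas the helpers converted in this same commit use `skb_header_pointer()`; unless a length check follows outside this hunk, copy the transport header with `skb_header_pointer(skb, ip->ihl * 4, sizeof(_hdr), &_hdr)` and fail the match when it returns NULL. The `(struct sk_buff *)` cast on `nf_ct_get()` is unnecessary since it takes a `const struct sk_buff *`. match's body continues outside the hunk.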
@@ -1669,10 +1688,12 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_rpc.c linux/net/ip
+ return 1;
+}
+
-+static struct ipt_match rpc_match = {
++static struct xt_match rpc_match = {
+ .name = "rpc",
-+ .match = &match,
-+ .checkentry = &checkentry,
++ .family = AF_INET,
++ .match = match,
++ .matchsize = sizeof(struct ipt_rpc_info),
++ .checkentry = checkentry,
+ .me = THIS_MODULE,
+};
+
@@ -1690,14 +1711,14 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_rpc.c linux/net/ip
+ ports_n_c++;
+ }
+
-+ return ipt_register_match(&rpc_match);
++ return xt_register_match(&rpc_match);
+}
+
+
+static void fini(void)
+{
+ DEBUGP("unregistering match\n");
-+ ipt_unregister_match(&rpc_match);
++ xt_unregister_match(&rpc_match);
+}
+
+
diff --git a/kernel-desktop-pom-ng-set.patch b/kernel-desktop-pom-ng-set.patch
index 92f861e..a3b819d 100644
--- a/kernel-desktop-pom-ng-set.patch
+++ b/kernel-desktop-pom-ng-set.patch
@@ -1,31 +1,6 @@
- include/linux/netfilter_ipv4/ip_set.h | 498 +++++
- include/linux/netfilter_ipv4/ip_set_iphash.h | 29
- include/linux/netfilter_ipv4/ip_set_ipmap.h | 56
- include/linux/netfilter_ipv4/ip_set_ipporthash.h | 33
- include/linux/netfilter_ipv4/ip_set_iptree.h | 39
- include/linux/netfilter_ipv4/ip_set_jhash.h | 148 +
- include/linux/netfilter_ipv4/ip_set_macipmap.h | 38
- include/linux/netfilter_ipv4/ip_set_malloc.h | 116 +
- include/linux/netfilter_ipv4/ip_set_nethash.h | 54
- include/linux/netfilter_ipv4/ip_set_portmap.h | 25
- include/linux/netfilter_ipv4/ipt_set.h | 21
- net/ipv4/netfilter/Kconfig | 109 +
- net/ipv4/netfilter/Makefile | 12
- net/ipv4/netfilter/ip_set.c | 1992 +++++++++++++++++++++++
- net/ipv4/netfilter/ip_set_iphash.c | 398 ++++
- net/ipv4/netfilter/ip_set_ipmap.c | 327 +++
- net/ipv4/netfilter/ip_set_ipporthash.c | 524 ++++++
- net/ipv4/netfilter/ip_set_iptree.c | 544 ++++++
- net/ipv4/netfilter/ip_set_macipmap.c | 353 ++++
- net/ipv4/netfilter/ip_set_nethash.c | 466 +++++
- net/ipv4/netfilter/ip_set_portmap.c | 334 +++
- net/ipv4/netfilter/ipt_SET.c | 128 +
- net/ipv4/netfilter/ipt_set.c | 113 +
- 23 files changed, 6357 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set.h linux/include/linux/netfilter_ipv4/ip_set.h
---- linux.org/include/linux/netfilter_ipv4/ip_set.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ip_set.h 2006-05-04 10:26:33.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ip_set.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ip_set.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set.h 2007-08-07 18:39:55.000000000 +0200
@@ -0,0 +1,498 @@
+#ifndef _IP_SET_H
+#define _IP_SET_H
@@ -525,10 +500,10 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set.h lin
+#endif /* __KERNEL__ */
+
+#endif /*_IP_SET_H*/
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_iphash.h linux/include/linux/netfilter_ipv4/ip_set_iphash.h
---- linux.org/include/linux/netfilter_ipv4/ip_set_iphash.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ip_set_iphash.h 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +1,29 @@
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ip_set_iphash.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_iphash.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ip_set_iphash.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_iphash.h 2007-08-07 18:39:55.000000000 +0200
+@@ -0,0 +1,30 @@
+#ifndef __IP_SET_IPHASH_H
+#define __IP_SET_IPHASH_H
+
@@ -539,6 +514,7 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_iphas
+
+struct ip_set_iphash {
+ ip_set_ip_t *members; /* the iphash proper */
++ uint32_t elements; /* number of elements */
+ uint32_t hashsize; /* hash size */
+ uint16_t probes; /* max number of probes */
+ uint16_t resize; /* resize factor in percent */
@@ -558,9 +534,9 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_iphas
+};
+
+#endif /* __IP_SET_IPHASH_H */
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_ipmap.h linux/include/linux/netfilter_ipv4/ip_set_ipmap.h
---- linux.org/include/linux/netfilter_ipv4/ip_set_ipmap.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ip_set_ipmap.h 2006-05-04 10:26:33.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ip_set_ipmap.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_ipmap.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ip_set_ipmap.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_ipmap.h 2007-08-07 18:39:55.000000000 +0200
@@ -0,0 +1,56 @@
+#ifndef __IP_SET_IPMAP_H
+#define __IP_SET_IPMAP_H
@@ -618,10 +594,10 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_ipmap
+}
+
+#endif /* __IP_SET_IPMAP_H */
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_ipporthash.h linux/include/linux/netfilter_ipv4/ip_set_ipporthash.h
---- linux.org/include/linux/netfilter_ipv4/ip_set_ipporthash.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ip_set_ipporthash.h 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +1,33 @@
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ip_set_ipporthash.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_ipporthash.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ip_set_ipporthash.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_ipporthash.h 2007-08-07 18:39:55.000000000 +0200
+@@ -0,0 +1,34 @@
+#ifndef __IP_SET_IPPORTHASH_H
+#define __IP_SET_IPPORTHASH_H
+
@@ -633,6 +609,7 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_ippor
+
+struct ip_set_ipporthash {
+ ip_set_ip_t *members; /* the ipporthash proper */
++ uint32_t elements; /* number of elements */
+ uint32_t hashsize; /* hash size */
+ uint16_t probes; /* max number of probes */
+ uint16_t resize; /* resize factor in percent */
@@ -655,10 +632,10 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_ippor
+};
+
+#endif /* __IP_SET_IPPORTHASH_H */
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_iptree.h linux/include/linux/netfilter_ipv4/ip_set_iptree.h
---- linux.org/include/linux/netfilter_ipv4/ip_set_iptree.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ip_set_iptree.h 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +1,39 @@
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ip_set_iptree.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_iptree.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ip_set_iptree.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_iptree.h 2007-08-07 18:39:55.000000000 +0200
+@@ -0,0 +1,40 @@
+#ifndef __IP_SET_IPTREE_H
+#define __IP_SET_IPTREE_H
+
@@ -683,6 +660,7 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_iptre
+ unsigned int timeout;
+ unsigned int gc_interval;
+#ifdef __KERNEL__
++ uint32_t elements; /* number of elements */
+ struct timer_list gc;
+ struct ip_set_iptreeb *tree[256]; /* ADDR.*.*.* */
+#endif
@@ -698,9 +676,9 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_iptre
+};
+
+#endif /* __IP_SET_IPTREE_H */
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_jhash.h linux/include/linux/netfilter_ipv4/ip_set_jhash.h
---- linux.org/include/linux/netfilter_ipv4/ip_set_jhash.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ip_set_jhash.h 2006-05-04 10:26:33.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ip_set_jhash.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_jhash.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ip_set_jhash.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_jhash.h 2007-08-07 18:39:55.000000000 +0200
@@ -0,0 +1,148 @@
+#ifndef _LINUX_IPSET_JHASH_H
+#define _LINUX_IPSET_JHASH_H
@@ -850,9 +828,9 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_jhash
+}
+
+#endif /* _LINUX_IPSET_JHASH_H */
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_macipmap.h linux/include/linux/netfilter_ipv4/ip_set_macipmap.h
---- linux.org/include/linux/netfilter_ipv4/ip_set_macipmap.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ip_set_macipmap.h 2006-05-04 10:26:33.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ip_set_macipmap.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_macipmap.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ip_set_macipmap.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_macipmap.h 2007-08-07 18:39:55.000000000 +0200
@@ -0,0 +1,38 @@
+#ifndef __IP_SET_MACIPMAP_H
+#define __IP_SET_MACIPMAP_H
@@ -892,9 +870,9 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_macip
+};
+
+#endif /* __IP_SET_MACIPMAP_H */
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_malloc.h linux/include/linux/netfilter_ipv4/ip_set_malloc.h
---- linux.org/include/linux/netfilter_ipv4/ip_set_malloc.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ip_set_malloc.h 2006-05-04 10:26:33.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ip_set_malloc.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_malloc.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ip_set_malloc.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_malloc.h 2007-08-07 18:39:55.000000000 +0200
@@ -0,0 +1,116 @@
+#ifndef _IP_SET_MALLOC_H
+#define _IP_SET_MALLOC_H
@@ -1012,10 +990,10 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_mallo
+#endif /* __KERNEL__ */
+
+#endif /*_IP_SET_MALLOC_H*/
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_nethash.h linux/include/linux/netfilter_ipv4/ip_set_nethash.h
---- linux.org/include/linux/netfilter_ipv4/ip_set_nethash.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ip_set_nethash.h 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +1,54 @@
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ip_set_nethash.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_nethash.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ip_set_nethash.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_nethash.h 2007-08-07 18:39:55.000000000 +0200
+@@ -0,0 +1,55 @@
+#ifndef __IP_SET_NETHASH_H
+#define __IP_SET_NETHASH_H
+
@@ -1026,6 +1004,7 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_netha
+
+struct ip_set_nethash {
+ ip_set_ip_t *members; /* the nethash proper */
++ uint32_t elements; /* number of elements */
+ uint32_t hashsize; /* hash size */
+ uint16_t probes; /* max number of probes */
+ uint16_t resize; /* resize factor in percent */
@@ -1070,9 +1049,9 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_netha
+}
+
+#endif /* __IP_SET_NETHASH_H */
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_portmap.h linux/include/linux/netfilter_ipv4/ip_set_portmap.h
---- linux.org/include/linux/netfilter_ipv4/ip_set_portmap.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ip_set_portmap.h 2006-05-04 10:26:33.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ip_set_portmap.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_portmap.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ip_set_portmap.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ip_set_portmap.h 2007-08-07 18:39:55.000000000 +0200
@@ -0,0 +1,25 @@
+#ifndef __IP_SET_PORTMAP_H
+#define __IP_SET_PORTMAP_H
@@ -1099,9 +1078,9 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ip_set_portm
+};
+
+#endif /* __IP_SET_PORTMAP_H */
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_set.h linux/include/linux/netfilter_ipv4/ipt_set.h
---- linux.org/include/linux/netfilter_ipv4/ipt_set.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ipt_set.h 2006-05-04 10:26:33.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ipt_set.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_set.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ipt_set.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_set.h 2007-08-07 18:39:55.000000000 +0200
@@ -0,0 +1,21 @@
+#ifndef _IPT_SET_H
+#define _IPT_SET_H
@@ -1124,144 +1103,10 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_set.h li
+};
+
+#endif /*_IPT_SET_H*/
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 10:26:33.000000000 +0200
-@@ -606,5 +606,114 @@
- Allows altering the ARP packet payload: source and destination
- hardware and network addresses.
-
-+config IP_NF_SET
-+ tristate "IP set support"
-+ depends on INET && NETFILTER
-+ help
-+ This option adds IP set support to the kernel.
-+ In order to define and use sets, you need the userspace utility
-+ ipset(8).
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_SET_MAX
-+ int "Maximum number of IP sets"
-+ default 256
-+ range 2 65534
-+ depends on IP_NF_SET
-+ help
-+ You can define here default value of the maximum number
-+ of IP sets for the kernel.
-+
-+ The value can be overriden by the 'max_sets' module
-+ parameter of the 'ip_set' module.
-+
-+config IP_NF_SET_HASHSIZE
-+ int "Hash size for bindings of IP sets"
-+ default 1024
-+ depends on IP_NF_SET
-+ help
-+ You can define here default value of the hash size for
-+ bindings of IP sets.
-+
-+ The value can be overriden by the 'hash_size' module
-+ parameter of the 'ip_set' module.
-+
-+config IP_NF_SET_IPMAP
-+ tristate "ipmap set support"
-+ depends on IP_NF_SET
-+ help
-+ This option adds the ipmap set type support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_SET_MACIPMAP
-+ tristate "macipmap set support"
-+ depends on IP_NF_SET
-+ help
-+ This option adds the macipmap set type support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_SET_PORTMAP
-+ tristate "portmap set support"
-+ depends on IP_NF_SET
-+ help
-+ This option adds the portmap set type support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_SET_IPHASH
-+ tristate "iphash set support"
-+ depends on IP_NF_SET
-+ help
-+ This option adds the iphash set type support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_SET_NETHASH
-+ tristate "nethash set support"
-+ depends on IP_NF_SET
-+ help
-+ This option adds the nethash set type support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_SET_IPPORTHASH
-+ tristate "ipporthash set support"
-+ depends on IP_NF_SET
-+ help
-+ This option adds the ipporthash set type support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_SET_IPTREE
-+ tristate "iptree set support"
-+ depends on IP_NF_SET
-+ help
-+ This option adds the iptree set type support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_MATCH_SET
-+ tristate "set match support"
-+ depends on IP_NF_SET
-+ help
-+ Set matching matches against given IP sets.
-+ You need the ipset utility to create and set up the sets.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_TARGET_SET
-+ tristate "SET target support"
-+ depends on IP_NF_SET
-+ help
-+ The SET target makes possible to add/delete entries
-+ in IP sets.
-+ You need the ipset utility to create and set up the sets.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+
- endmenu
-
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +0,12 @@
-+obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o
-+obj-$(CONFIG_IP_NF_TARGET_SET) += ipt_SET.o
-+
-+# sets
-+obj-$(CONFIG_IP_NF_SET) += ip_set.o
-+obj-$(CONFIG_IP_NF_SET_IPMAP) += ip_set_ipmap.o
-+obj-$(CONFIG_IP_NF_SET_PORTMAP) += ip_set_portmap.o
-+obj-$(CONFIG_IP_NF_SET_MACIPMAP) += ip_set_macipmap.o
-+obj-$(CONFIG_IP_NF_SET_IPHASH) += ip_set_iphash.o
-+obj-$(CONFIG_IP_NF_SET_NETHASH) += ip_set_nethash.o
-+obj-$(CONFIG_IP_NF_SET_IPPORTHASH) += ip_set_ipporthash.o
-+obj-$(CONFIG_IP_NF_SET_IPTREE) += ip_set_iptree.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv4/netfilter/ip_set.c
---- linux.org/net/ipv4/netfilter/ip_set.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ip_set.c 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +1,1992 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ip_set.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set.c
+--- linux-2.6.22/net/ipv4/netfilter/ip_set.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set.c 2007-08-07 18:39:55.000000000 +0200
+@@ -0,0 +1,2001 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ * Patrick Schaaf <bof@bof.de>
+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
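Review bot: Dropping the Kconfig and Makefile hunks from this patch leaves it with no build glue at all, so `CONFIG_IP_NF_SET`, the `CONFIG_IP_NF_SET_*` type options, `IP_NF_MATCH_SET`/`IP_NF_TARGET_SET` and their `obj-$(...)` rules must now come from somewhere else in the series, which is not visible here. If they were moved rather than lost that is fine, but the `depends on IP_NF_SET` guards were part of what was removed, and without them the match/target could be selected without the core module. A one-line note in the commit message saying where the Kconfig/Makefile pieces now live would save the next maintainer the search.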
@@ -1273,14 +1118,17 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+
+/* Kernel module for IP set management */
+
++#include <linux/version.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+#include <linux/config.h>
++#endif
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+#include <linux/kmod.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/random.h>
-+#include <linux/jhash.h>
++#include <linux/netfilter_ipv4/ip_set_jhash.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/errno.h>
+#include <asm/uaccess.h>
@@ -1289,9 +1137,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+#include <linux/spinlock.h>
+#include <linux/vmalloc.h>
+
-+#define ASSERT_READ_LOCK(x) /* dont use that */
++#define ASSERT_READ_LOCK(x)
+#define ASSERT_WRITE_LOCK(x)
-+#include <linux/netfilter_ipv4/listhelp.h>
+#include <linux/netfilter_ipv4/ip_set.h>
+
+static struct list_head set_type_list; /* all registered sets */
@@ -1333,11 +1180,16 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ * Binding routines
+ */
+
-+static inline int
-+ip_hash_cmp(const struct ip_set_hash *set_hash,
-+ ip_set_id_t id, ip_set_ip_t ip)
++static inline struct ip_set_hash *
++__ip_set_find(u_int32_t key, ip_set_id_t id, ip_set_ip_t ip)
+{
-+ return set_hash->id == id && set_hash->ip == ip;
++ struct ip_set_hash *set_hash;
++
++ list_for_each_entry(set_hash, &ip_set_hash[key], list)
++ if (set_hash->id == id && set_hash->ip == ip)
++ return set_hash;
++
++ return NULL;
+}
+
+static ip_set_id_t
@@ -1351,8 +1203,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ IP_SET_ASSERT(ip_set_list[id]);
+ DP("set: %s, ip: %u.%u.%u.%u", ip_set_list[id]->name, HIPQUAD(ip));
+
-+ set_hash = LIST_FIND(&ip_set_hash[key], ip_hash_cmp,
-+ struct ip_set_hash *, id, ip);
++ set_hash = __ip_set_find(key, id, ip);
+
+ DP("set: %s, ip: %u.%u.%u.%u, binding: %s", ip_set_list[id]->name,
+ HIPQUAD(ip),
@@ -1382,8 +1233,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ IP_SET_ASSERT(ip_set_list[id]);
+ DP("set: %s, ip: %u.%u.%u.%u", ip_set_list[id]->name, HIPQUAD(ip));
+ write_lock_bh(&ip_set_lock);
-+ set_hash = LIST_FIND(&ip_set_hash[key], ip_hash_cmp,
-+ struct ip_set_hash *, id, ip);
++ set_hash = __ip_set_find(key, id, ip);
+ DP("set: %s, ip: %u.%u.%u.%u, binding: %s", ip_set_list[id]->name,
+ HIPQUAD(ip),
+ set_hash != NULL ? ip_set_list[set_hash->binding]->name : "");
@@ -1407,10 +1257,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ DP("set: %s, ip: %u.%u.%u.%u, binding: %s", ip_set_list[id]->name,
+ HIPQUAD(ip), ip_set_list[binding]->name);
+ write_lock_bh(&ip_set_lock);
-+ set_hash = LIST_FIND(&ip_set_hash[key], ip_hash_cmp,
-+ struct ip_set_hash *, id, ip);
++ set_hash = __ip_set_find(key, id, ip);
+ if (!set_hash) {
-+ set_hash = kmalloc(sizeof(struct ip_set_hash), GFP_KERNEL);
++ set_hash = kmalloc(sizeof(struct ip_set_hash), GFP_ATOMIC);
+ if (!set_hash) {
+ ret = -ENOMEM;
+ goto unlock;
@@ -1418,7 +1267,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ INIT_LIST_HEAD(&set_hash->list);
+ set_hash->id = id;
+ set_hash->ip = ip;
-+ list_add(&ip_set_hash[key], &set_hash->list);
++ list_add(&set_hash->list, &ip_set_hash[key]);
+ } else {
+ IP_SET_ASSERT(ip_set_list[set_hash->binding]);
+ DP("overwrite binding: %s",
@@ -1427,6 +1276,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ }
+ set_hash->binding = binding;
+ __ip_set_get(set_hash->binding);
++ DP("stored: key %u, id %u (%s), ip %u.%u.%u.%u, binding %u (%s)",
++ key, id, ip_set_list[id]->name,
++ HIPQUAD(ip), binding, ip_set_list[binding]->name);
+ unlock:
+ write_unlock_bh(&ip_set_lock);
+ return ret;
@@ -1549,19 +1401,15 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+
+/* Register and deregister settype */
+
-+static inline int
-+set_type_equal(const struct ip_set_type *set_type, const char *str2)
-+{
-+ return !strncmp(set_type->typename, str2, IP_SET_MAXNAMELEN - 1);
-+}
-+
+static inline struct ip_set_type *
+find_set_type(const char *name)
+{
-+ return LIST_FIND(&set_type_list,
-+ set_type_equal,
-+ struct ip_set_type *,
-+ name);
++ struct ip_set_type *set_type;
++
++ list_for_each_entry(set_type, &set_type_list, list)
++ if (!strncmp(set_type->typename, name, IP_SET_MAXNAMELEN - 1))
++ return set_type;
++ return NULL;
+}
+
+int
@@ -1589,7 +1437,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ ret = -EFAULT;
+ goto unlock;
+ }
-+ list_append(&set_type_list, set_type);
++ list_add(&set_type->list, &set_type_list);
+ DP("'%s' registered.", set_type->typename);
+ unlock:
+ write_unlock_bh(&ip_set_lock);
@@ -1605,7 +1453,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ set_type->typename);
+ goto unlock;
+ }
-+ LIST_DELETE(&set_type_list, set_type);
++ list_del(&set_type->list);
+ module_put(THIS_MODULE);
+ DP("'%s' unregistered.", set_type->typename);
+ unlock:
@@ -2061,7 +1909,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ size_t size)
+{
+ struct ip_set *set;
-+ ip_set_id_t index, id;
++ ip_set_id_t index = 0, id;
+ int res = 0;
+
+ DP("setname: %s, typename: %s, id: %u", name, typename, restore);
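Review bot: Initialising `index` to 0 silences the uninitialised-use warning, but 0 is a valid set index, so any path that previously left `index` unset will now silently operate on set 0 instead of failing; the rest of the function is outside this hunk, so I cannot tell whether such a path exists. `IP_SET_INVALID_ID` is already the "no set" marker elsewhere in this file, so `ip_set_id_t index = IP_SET_INVALID_ID, id;` keeps the warning fix while making a missed assignment detectable. The function body continues past the hunk.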
@@ -2425,8 +2273,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ set->type->list_header(set, data + *used);
+ *used += set_save->header_size;
+
-+ DP("set header filled: %s, used: %u %p %p", set->name, *used,
-+ data, data + *used);
++ DP("set header filled: %s, used: %u(%u) %p %p", set->name, *used,
++ set_save->header_size, data, data + *used);
+ /* Get and ensure set specific members size */
+ set_save->members_size = set->type->list_members_size(set);
+ if (*used + set_save->members_size > len)
@@ -2436,8 +2284,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ set->type->list_members(set, data + *used);
+ *used += set_save->members_size;
+ read_unlock_bh(&set->lock);
-+ DP("set members filled: %s, used: %u %p %p", set->name, *used,
-+ data, data + *used);
++ DP("set members filled: %s, used: %u(%u) %p %p", set->name, *used,
++ set_save->members_size, data, data + *used);
+ return 0;
+
+ unlock_set:
@@ -2487,6 +2335,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ /* Marker */
+ set_save = (struct ip_set_save *) (data + *used);
+ set_save->index = IP_SET_INVALID_ID;
++ set_save->header_size = 0;
++ set_save->members_size = 0;
+ *used += sizeof(struct ip_set_save);
+
+ DP("marker added used %u, len %u", *used, len);
@@ -2593,7 +2443,10 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ index, hash_save->id, hash_save->ip, hash_save->binding);
+ if (index != hash_save->id)
+ return line;
-+
++ if (ip_set_find_byindex(hash_save->binding) == IP_SET_INVALID_ID) {
++ DP("corrupt binding set index %u", hash_save->binding);
++ return line;
++ }
+ set = ip_set_list[hash_save->id];
+ /* Null valued IP means default binding */
+ if (hash_save->ip)
@@ -2677,8 +2530,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ struct ip_set_req_create *req_create
+ = (struct ip_set_req_create *) data;
+
-+ if (len <= sizeof(struct ip_set_req_create)) {
-+ ip_set_printk("short CREATE data (want >%zu, got %u)",
++ if (len < sizeof(struct ip_set_req_create)) {
++ ip_set_printk("short CREATE data (want >=%zu, got %u)",
+ sizeof(struct ip_set_req_create), len);
+ res = -EINVAL;
+ goto done;
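Review bot: Relaxing the check to `len < sizeof(struct ip_set_req_create)` now admits a CREATE request carrying only the header and no type-specific data, so whatever follows (outside this hunk) will hand the set type's create callback a zero-length payload. That is only safe if every type's create routine validates its own size before reading the data, which is not visible here; please confirm that, or keep an explicit "payload present" check at this level for types that require one. The updated message text does match the new condition.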
@@ -3032,8 +2885,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ req_setnames->size += sizeof(struct ip_set_list)
+ + set->type->header_size
+ + set->type->list_members_size(set);
++ /* Sets are identified by id in the hash */
+ FOREACH_HASH_DO(__set_hash_bindings_size_list,
-+ i, &req_setnames->size);
++ set->id, &req_setnames->size);
+ break;
+ }
+ case IP_SET_OP_SAVE_SIZE: {
@@ -3041,7 +2895,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+ + set->type->header_size
+ + set->type->list_members_size(set);
+ FOREACH_HASH_DO(__set_hash_bindings_size_save,
-+ i, &req_setnames->size);
++ set->id, &req_setnames->size);
+ break;
+ }
+ default:
@@ -3254,10 +3108,10 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set.c linux/net/ipv
+
+module_init(init);
+module_exit(fini);
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/net/ipv4/netfilter/ip_set_iphash.c
---- linux.org/net/ipv4/netfilter/ip_set_iphash.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ip_set_iphash.c 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +1,398 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ip_set_iphash.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_iphash.c
+--- linux-2.6.22/net/ipv4/netfilter/ip_set_iphash.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_iphash.c 2007-08-07 18:39:55.000000000 +0200
+@@ -0,0 +1,413 @@
+/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
@@ -3285,6 +3139,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+#include <linux/netfilter_ipv4/ip_set_iphash.h>
+#include <linux/netfilter_ipv4/ip_set_jhash.h>
+
++static int limit = MAX_RANGE;
++
+static inline __u32
+jhash_ip(const struct ip_set_iphash *map, uint16_t i, ip_set_ip_t ip)
+{
@@ -3318,7 +3174,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+static inline int
+__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+{
-+ return (hash_id(set, ip, hash_ip) != UINT_MAX);
++ return (ip && hash_id(set, ip, hash_ip) != UINT_MAX);
+}
+
+static int
@@ -3346,8 +3202,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+{
+ return __testip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ hash_ip);
+}
+
@@ -3357,6 +3213,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+ __u32 probe;
+ u_int16_t i;
+ ip_set_ip_t *elem;
++
++ if (!ip || map->elements > limit)
++ return -ERANGE;
+
+ *hash_ip = ip & map->netmask;
+
@@ -3367,6 +3226,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+ return -EEXIST;
+ if (!*elem) {
+ *elem = *hash_ip;
++ map->elements++;
+ return 0;
+ }
+ }
@@ -3399,8 +3259,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+{
+ return __addip((struct ip_set_iphash *) set->data,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ hash_ip);
+}
+
@@ -3443,6 +3303,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+ return -ENOMEM;
+ }
+ tmp->hashsize = hashsize;
++ tmp->elements = 0;
+ tmp->probes = map->probes;
+ tmp->resize = map->resize;
+ tmp->netmask = map->netmask;
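Review bot: `tmp->elements` is reset to 0 here, so the re-hash loop that follows (outside this hunk) must either count each re-inserted entry or copy `map->elements` across before `tmp` replaces `map`; if it does neither, every resize zeroes the element count and the `limit` check in `__addip` is bypassed from then on. I cannot see the loop from this hunk, so please confirm. A comment such as `/* elements is rebuilt by the re-insert loop below */` on this line would document the expectation.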
@@ -3480,14 +3341,18 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+{
+ struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
-+ ip_set_ip_t id = hash_id(set, ip, hash_ip);
-+ ip_set_ip_t *elem;
++ ip_set_ip_t id, *elem;
++
++ if (!ip)
++ return -ERANGE;
+
++ id = hash_id(set, ip, hash_ip);
+ if (id == UINT_MAX)
+ return -EEXIST;
+
+ elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
+ *elem = 0;
++ map->elements--;
+
+ return 0;
+}
@@ -3517,8 +3382,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+{
+ return __delip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ hash_ip);
+}
+
@@ -3556,6 +3421,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+ }
+ for (i = 0; i < req->probes; i++)
+ get_random_bytes(((uint32_t *) map->initval)+i, 4);
++ map->elements = 0;
+ map->hashsize = req->hashsize;
+ map->probes = req->probes;
+ map->resize = req->resize;
@@ -3585,6 +3451,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+{
+ struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
+ harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
++ map->elements = 0;
+}
+
+static void list_header(const struct ip_set *set, void *data)
@@ -3642,6 +3509,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("iphash type of IP sets");
++module_param(limit, int, 0600);
++MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
+
+static int __init init(void)
+{
@@ -3656,9 +3525,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iphash.c linux/
+
+module_init(init);
+module_exit(fini);
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipmap.c linux/net/ipv4/netfilter/ip_set_ipmap.c
---- linux.org/net/ipv4/netfilter/ip_set_ipmap.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ip_set_ipmap.c 2006-05-04 10:26:33.000000000 +0200
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ip_set_ipmap.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_ipmap.c
+--- linux-2.6.22/net/ipv4/netfilter/ip_set_ipmap.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_ipmap.c 2007-08-07 18:39:55.000000000 +0200
@@ -0,0 +1,327 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ * Patrick Schaaf <bof@bof.de>
@@ -3730,13 +3599,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipmap.c linux/n
+
+ DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u",
+ flags[index] & IPSET_SRC ? "SRC" : "DST",
-+ NIPQUAD(skb->nh.iph->saddr),
-+ NIPQUAD(skb->nh.iph->daddr));
++ NIPQUAD(ip_hdr(skb)->saddr),
++ NIPQUAD(ip_hdr(skb)->daddr));
+
+ res = __testip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ hash_ip);
+ return (res < 0 ? 0 : res);
+}
@@ -3783,8 +3652,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipmap.c linux/n
+{
+ return __addip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ hash_ip);
+}
+
@@ -3829,8 +3698,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipmap.c linux/n
+{
+ return __delip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ hash_ip);
+}
+
@@ -3987,10 +3856,10 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipmap.c linux/n
+
+module_init(init);
+module_exit(fini);
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c linux/net/ipv4/netfilter/ip_set_ipporthash.c
---- linux.org/net/ipv4/netfilter/ip_set_ipporthash.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ip_set_ipporthash.c 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +1,524 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ip_set_ipporthash.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_ipporthash.c
+--- linux-2.6.22/net/ipv4/netfilter/ip_set_ipporthash.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_ipporthash.c 2007-08-07 18:39:55.000000000 +0200
+@@ -0,0 +1,535 @@
+/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
@@ -4020,11 +3889,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+#include <linux/netfilter_ipv4/ip_set_ipporthash.h>
+#include <linux/netfilter_ipv4/ip_set_jhash.h>
+
++static int limit = MAX_RANGE;
++
+/* We must handle non-linear skbs */
+static inline ip_set_ip_t
+get_port(const struct sk_buff *skb, u_int32_t flags)
+{
-+ struct iphdr *iph = skb->nh.iph;
++ struct iphdr *iph = ip_hdr(skb);
+ u_int16_t offset = ntohs(iph->frag_off) & IP_OFFSET;
+
+ switch (iph->protocol) {
@@ -4035,7 +3906,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+ if (offset)
+ return INVALID_PORT;
+
-+ if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &tcph, sizeof(tcph)) < 0)
++ if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &tcph, sizeof(tcph)) < 0)
+ /* No choice either */
+ return INVALID_PORT;
+
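Review bot: `skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &tcph, sizeof(tcph))` re-derives the IP header although get_port already holds it in the local `iph` assigned in the preceding hunk of the same function; `iph->ihl*4` is the consistent form and makes it obvious that the offset and the `frag_off`/`protocol` checks above read the same header. The same pattern is in the UDP branch of this function and in both branches of ip_set_portmap.c's get_port further down. get_port's opening and closing lie outside this hunk.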
@@ -4048,7 +3919,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+ if (offset)
+ return INVALID_PORT;
+
-+ if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &udph, sizeof(udph)) < 0)
++ if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &udph, sizeof(udph)) < 0)
+ /* No choice either */
+ return INVALID_PORT;
+
@@ -4138,8 +4009,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+
+ DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u",
+ flags[index] & IPSET_SRC ? "SRC" : "DST",
-+ NIPQUAD(skb->nh.iph->saddr),
-+ NIPQUAD(skb->nh.iph->daddr));
++ NIPQUAD(ip_hdr(skb)->saddr),
++ NIPQUAD(ip_hdr(skb)->daddr));
+ DP("flag %s port %u",
+ flags[index+1] & IPSET_SRC ? "SRC" : "DST",
+ port);
@@ -4148,8 +4019,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+
+ return __testip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ port,
+ hash_ip);
+}
@@ -4168,6 +4039,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+ return -EEXIST;
+ if (!*elem) {
+ *elem = hash_ip;
++ map->elements++;
+ return 0;
+ }
+ }
@@ -4179,6 +4051,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+__addip(struct ip_set_ipporthash *map, ip_set_ip_t ip, ip_set_ip_t port,
+ ip_set_ip_t *hash_ip)
+{
++ if (map->elements > limit)
++ return -ERANGE;
+ if (ip < map->first_ip || ip > map->last_ip)
+ return -ERANGE;
+
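Review bot: `if (map->elements > limit)` enforces the cap one element late: with `limit` entries stored the test is false, the insert succeeds and the `map->elements++` in __addip_base makes it `limit + 1`, which contradicts the "maximal number of elements" wording of the parameter description; `if (map->elements >= limit)` is the intended bound. The same comparison appears in the __addip of ip_set_iptree.c and ip_set_nethash.c in this patch. Separately, `limit` is a signed `int` exposed through `module_param(limit, int, 0600)`; if `elements` is an unsigned field (its declaration is not visible here), a negative value written through sysfs would be converted to a large unsigned value and silently disable the cap, so declaring it `unsigned int` with `module_param(limit, uint, 0600)`, or rejecting negatives, would be safer. The enclosing __addip continues outside the hunk.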
@@ -4220,8 +4094,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+
+ DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u",
+ flags[index] & IPSET_SRC ? "SRC" : "DST",
-+ NIPQUAD(skb->nh.iph->saddr),
-+ NIPQUAD(skb->nh.iph->daddr));
++ NIPQUAD(ip_hdr(skb)->saddr),
++ NIPQUAD(ip_hdr(skb)->daddr));
+ DP("flag %s port %u",
+ flags[index+1] & IPSET_SRC ? "SRC" : "DST",
+ port);
@@ -4230,8 +4104,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+
+ return __addip((struct ip_set_ipporthash *) set->data,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ port,
+ hash_ip);
+}
@@ -4275,6 +4149,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+ return -ENOMEM;
+ }
+ tmp->hashsize = hashsize;
++ tmp->elements = 0;
+ tmp->probes = map->probes;
+ tmp->resize = map->resize;
+ tmp->first_ip = map->first_ip;
@@ -4327,6 +4202,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+
+ elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
+ *elem = 0;
++ map->elements--;
+
+ return 0;
+}
@@ -4363,8 +4239,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+
+ DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u",
+ flags[index] & IPSET_SRC ? "SRC" : "DST",
-+ NIPQUAD(skb->nh.iph->saddr),
-+ NIPQUAD(skb->nh.iph->daddr));
++ NIPQUAD(ip_hdr(skb)->saddr),
++ NIPQUAD(ip_hdr(skb)->daddr));
+ DP("flag %s port %u",
+ flags[index+1] & IPSET_SRC ? "SRC" : "DST",
+ port);
@@ -4373,8 +4249,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+
+ return __delip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ port,
+ hash_ip);
+}
@@ -4413,6 +4289,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+ }
+ for (i = 0; i < req->probes; i++)
+ get_random_bytes(((uint32_t *) map->initval)+i, 4);
++ map->elements = 0;
+ map->hashsize = req->hashsize;
+ map->probes = req->probes;
+ map->resize = req->resize;
@@ -4443,6 +4320,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+{
+ struct ip_set_ipporthash *map = (struct ip_set_ipporthash *) set->data;
+ harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
++ map->elements = 0;
+}
+
+static void list_header(const struct ip_set *set, void *data)
@@ -4501,6 +4379,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("ipporthash type of IP sets");
++module_param(limit, int, 0600);
++MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
+
+static int __init init(void)
+{
@@ -4515,10 +4395,10 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_ipporthash.c li
+
+module_init(init);
+module_exit(fini);
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/net/ipv4/netfilter/ip_set_iptree.c
---- linux.org/net/ipv4/netfilter/ip_set_iptree.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ip_set_iptree.c 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +1,544 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ip_set_iptree.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_iptree.c
+--- linux-2.6.22/net/ipv4/netfilter/ip_set_iptree.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_iptree.c 2007-08-07 18:39:55.000000000 +0200
+@@ -0,0 +1,571 @@
+/* Copyright (C) 2005 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
@@ -4528,6 +4408,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+
+/* Kernel module implementing an IP set type: the iptree type */
+
++#include <linux/version.h>
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
@@ -4547,14 +4428,21 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+
+#include <linux/netfilter_ipv4/ip_set_iptree.h>
+
++static int limit = MAX_RANGE;
++
+/* Garbage collection interval in seconds: */
+#define IPTREE_GC_TIME 5*60
+/* Sleep so many milliseconds before trying again
+ * to delete the gc timer at destroying/flushing a set */
+#define IPTREE_DESTROY_SLEEP 100
+
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++static struct kmem_cache *branch_cachep;
++static struct kmem_cache *leaf_cachep;
++#else
+static kmem_cache_t *branch_cachep;
+static kmem_cache_t *leaf_cachep;
++#endif
+
+#define ABCD(a,b,c,d,addrp) do { \
+ a = ((unsigned char *)addrp)[3]; \
@@ -4578,6 +4466,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+ struct ip_set_iptreec *ctree;
+ struct ip_set_iptreed *dtree;
+ unsigned char a,b,c,d;
++
++ if (!ip)
++ return -ERANGE;
+
+ *hash_ip = ip;
+ ABCD(a, b, c, d, hash_ip);
@@ -4617,13 +4508,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+
+ DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u",
+ flags[index] & IPSET_SRC ? "SRC" : "DST",
-+ NIPQUAD(skb->nh.iph->saddr),
-+ NIPQUAD(skb->nh.iph->daddr));
++ NIPQUAD(ip_hdr(skb)->saddr),
++ NIPQUAD(ip_hdr(skb)->daddr));
+
+ res = __testip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ hash_ip);
+ return (res < 0 ? 0 : res);
+}
@@ -4655,6 +4546,11 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+ unsigned char a,b,c,d;
+ int ret = 0;
+
++ if (!ip || map->elements > limit)
++ /* We could call the garbage collector
++ * but it's probably overkill */
++ return -ERANGE;
++
+ *hash_ip = ip;
+ ABCD(a, b, c, d, hash_ip);
+ DP("%u %u %u %u timeout %u", a, b, c, d, timeout);
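Review bot: The count tested in `if (!ip || map->elements > limit)` is only decremented by the gc walk (IPTREE_GC_TIME, 5 minutes) or by an explicit delete, so entries whose `expires` has already passed still count against `limit` until the next gc run, and a set at the cap answers -ERANGE to new additions for up to the gc interval even though it holds only expired entries. The comment acknowledges skipping the collector; it would help to state the consequence, e.g. `/* elements includes expired entries not yet collected by the gc timer */`, so an operator sizing `limit` for a timeout-based set knows to add headroom. __addip's body continues outside the hunk.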
@@ -4669,6 +4565,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+ if (dtree->expires[d] == 0)
+ dtree->expires[d] = 1;
+ DP("%u %lu", d, dtree->expires[d]);
++ if (ret == 0)
++ map->elements++;
+ return ret;
+}
+
@@ -4704,8 +4602,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+
+ return __addip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ map->timeout,
+ hash_ip,
+ GFP_ATOMIC);
@@ -4727,6 +4625,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+ struct ip_set_iptreed *dtree;
+ unsigned char a,b,c,d;
+
++ if (!ip)
++ return -ERANGE;
++
+ *hash_ip = ip;
+ ABCD(a, b, c, d, hash_ip);
+ DELIP_WALK(map, a, btree);
@@ -4735,6 +4636,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+
+ if (dtree->expires[d]) {
+ dtree->expires[d] = 0;
++ map->elements--;
+ return 0;
+ }
+ return -EEXIST;
@@ -4765,8 +4667,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+{
+ return __delip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ hash_ip);
+}
+
@@ -4800,9 +4702,10 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+ a, b, c, d,
+ dtree->expires[d], jiffies);
+ if (map->timeout
-+ && time_before(dtree->expires[d], jiffies))
++ && time_before(dtree->expires[d], jiffies)) {
+ dtree->expires[d] = 0;
-+ else
++ map->elements--;
++ } else
+ k = 1;
+ }
+ }
@@ -4883,6 +4786,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+ }
+ memset(map, 0, sizeof(*map));
+ map->timeout = req->timeout;
++ map->elements = 0;
+ set->data = map;
+
+ init_gc_timer(set);
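Review bot: `map->elements = 0;` directly follows `memset(map, 0, sizeof(*map));`, so the assignment is redundant and a reader may wonder whether the memset is expected to go away. Either drop the line or mark it as intentional with `/* already zeroed by memset; kept for clarity */`. The enclosing create() starts outside the hunk.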
@@ -4906,6 +4810,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+ LOOP_WALK_END;
+ kmem_cache_free(branch_cachep, btree);
+ LOOP_WALK_END;
++ map->elements = 0;
+}
+
+static void destroy(struct ip_set *set)
@@ -5021,6 +4926,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("iptree type of IP sets");
++module_param(limit, int, 0600);
++MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
+
+static int __init init(void)
+{
@@ -5063,9 +4970,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_iptree.c linux/
+
+module_init(init);
+module_exit(fini);
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_macipmap.c linux/net/ipv4/netfilter/ip_set_macipmap.c
---- linux.org/net/ipv4/netfilter/ip_set_macipmap.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ip_set_macipmap.c 2006-05-04 10:26:33.000000000 +0200
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ip_set_macipmap.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_macipmap.c
+--- linux-2.6.22/net/ipv4/netfilter/ip_set_macipmap.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_macipmap.c 2007-08-07 18:39:55.000000000 +0200
@@ -0,0 +1,353 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ * Patrick Schaaf <bof@bof.de>
@@ -5138,12 +5045,12 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_macipmap.c linu
+ ip_set_ip_t ip;
+
+ ip = ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr);
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr);
+ DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u",
+ flags[index] & IPSET_SRC ? "SRC" : "DST",
-+ NIPQUAD(skb->nh.iph->saddr),
-+ NIPQUAD(skb->nh.iph->daddr));
++ NIPQUAD(ip_hdr(skb)->saddr),
++ NIPQUAD(ip_hdr(skb)->daddr));
+
+ if (ip < map->first_ip || ip > map->last_ip)
+ return 0;
@@ -5155,8 +5062,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_macipmap.c linu
+ (void *) &table[ip - map->first_ip].flags)) {
+ /* Is mac pointer valid?
+ * If so, compare... */
-+ return (skb->mac.raw >= skb->head
-+ && (skb->mac.raw + ETH_HLEN) <= skb->data
++ return (skb->mac_header >= skb->head
++ && (skb->mac_header + ETH_HLEN) <= skb->data
+ && (memcmp(eth_hdr(skb)->h_source,
+ &table[ip - map->first_ip].ethernet,
+ ETH_ALEN) == 0));
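Review bot: `skb->mac_header >= skb->head` and `(skb->mac_header + ETH_HLEN) <= skb->data` compare the header field directly with pointers, but in 2.6.22 `mac_header` is `sk_buff_data_t`, which is an integer offset rather than a pointer on builds where NET_SKBUFF_DATA_USES_OFFSET is defined (64-bit), so this does not compile there and the bounds check that guards the `eth_hdr(skb)->h_source` read cannot be relied on across configurations. Use the accessor on both lines: `return (skb_mac_header(skb) >= skb->head` and `&& (skb_mac_header(skb) + ETH_HLEN) <= skb->data`. The same two lines recur in macipmap's addip hunk below. The enclosing testip function starts outside this hunk.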
@@ -5213,11 +5120,11 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_macipmap.c linu
+ ip_set_ip_t ip;
+
+ ip = ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr);
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr);
+
-+ if (!(skb->mac.raw >= skb->head
-+ && (skb->mac.raw + ETH_HLEN) <= skb->data))
++ if (!(skb->mac_header >= skb->head
++ && (skb->mac_header + ETH_HLEN) <= skb->data))
+ return -EINVAL;
+
+ return __addip(set, ip, eth_hdr(skb)->h_source, hash_ip);
@@ -5267,8 +5174,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_macipmap.c linu
+{
+ return __delip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ hash_ip);
+}
+
@@ -5420,10 +5327,10 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_macipmap.c linu
+
+module_init(init);
+module_exit(fini);
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux/net/ipv4/netfilter/ip_set_nethash.c
---- linux.org/net/ipv4/netfilter/ip_set_nethash.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ip_set_nethash.c 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +1,466 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ip_set_nethash.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_nethash.c
+--- linux-2.6.22/net/ipv4/netfilter/ip_set_nethash.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_nethash.c 2007-08-07 18:39:55.000000000 +0200
+@@ -0,0 +1,481 @@
+/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
@@ -5451,6 +5358,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+#include <linux/netfilter_ipv4/ip_set_nethash.h>
+#include <linux/netfilter_ipv4/ip_set_jhash.h>
+
++static int limit = MAX_RANGE;
++
+static inline __u32
+jhash_ip(const struct ip_set_nethash *map, uint16_t i, ip_set_ip_t ip)
+{
@@ -5500,13 +5409,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+{
+ struct ip_set_nethash *map = (struct ip_set_nethash *) set->data;
+
-+ return (hash_id_cidr(map, ip, cidr, hash_ip) != UINT_MAX);
++ return (ip && hash_id_cidr(map, ip, cidr, hash_ip) != UINT_MAX);
+}
+
+static inline int
+__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+{
-+ return (hash_id(set, ip, hash_ip) != UINT_MAX);
++ return (ip && hash_id(set, ip, hash_ip) != UINT_MAX);
+}
+
+static int
@@ -5535,8 +5444,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+{
+ return __testip(set,
+ ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr),
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr),
+ hash_ip);
+}
+
@@ -5554,6 +5463,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+ return -EEXIST;
+ if (!*elem) {
+ *elem = ip;
++ map->elements++;
+ return 0;
+ }
+ }
@@ -5565,6 +5475,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+__addip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr,
+ ip_set_ip_t *hash_ip)
+{
++ if (!ip || map->elements > limit)
++ return -ERANGE;
++
+ *hash_ip = pack(ip, cidr);
+ DP("%u.%u.%u.%u/%u, %u.%u.%u.%u", HIPQUAD(ip), cidr, HIPQUAD(*hash_ip));
+
@@ -5624,8 +5537,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+ struct ip_set_nethash *map = (struct ip_set_nethash *) set->data;
+ int ret = -ERANGE;
+ ip_set_ip_t ip = ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr);
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr);
+
+ if (map->cidr[0])
+ ret = __addip(map, ip, map->cidr[0], hash_ip);
@@ -5672,6 +5585,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+ return -ENOMEM;
+ }
+ tmp->hashsize = hashsize;
++ tmp->elements = 0;
+ tmp->probes = map->probes;
+ tmp->resize = map->resize;
+ memcpy(tmp->initval, map->initval, map->probes * sizeof(uint32_t));
@@ -5709,14 +5623,18 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+__delip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr,
+ ip_set_ip_t *hash_ip)
+{
-+ ip_set_ip_t id = hash_id_cidr(map, ip, cidr, hash_ip);
-+ ip_set_ip_t *elem;
++ ip_set_ip_t id, *elem;
+
++ if (!ip)
++ return -ERANGE;
++
++ id = hash_id_cidr(map, ip, cidr, hash_ip);
+ if (id == UINT_MAX)
+ return -EEXIST;
+
+ elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
+ *elem = 0;
++ map->elements--;
+ return 0;
+}
+
@@ -5748,8 +5666,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+ struct ip_set_nethash *map = (struct ip_set_nethash *) set->data;
+ int ret = -ERANGE;
+ ip_set_ip_t ip = ntohl(flags[index] & IPSET_SRC
-+ ? skb->nh.iph->saddr
-+ : skb->nh.iph->daddr);
++ ? ip_hdr(skb)->saddr
++ : ip_hdr(skb)->daddr);
+
+ if (map->cidr[0])
+ ret = __delip(map, ip, map->cidr[0], hash_ip);
@@ -5790,6 +5708,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+ }
+ for (i = 0; i < req->probes; i++)
+ get_random_bytes(((uint32_t *) map->initval)+i, 4);
++ map->elements = 0;
+ map->hashsize = req->hashsize;
+ map->probes = req->probes;
+ map->resize = req->resize;
@@ -5820,6 +5739,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+ struct ip_set_nethash *map = (struct ip_set_nethash *) set->data;
+ harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
+ memset(map->cidr, 0, 30 * sizeof(unsigned char));
++ map->elements = 0;
+}
+
+static void list_header(const struct ip_set *set, void *data)
@@ -5876,6 +5796,8 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("nethash type of IP sets");
++module_param(limit, int, 0600);
++MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
+
+static int __init init(void)
+{
@@ -5890,9 +5812,9 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_nethash.c linux
+
+module_init(init);
+module_exit(fini);
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_portmap.c linux/net/ipv4/netfilter/ip_set_portmap.c
---- linux.org/net/ipv4/netfilter/ip_set_portmap.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ip_set_portmap.c 2006-05-04 10:26:33.000000000 +0200
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ip_set_portmap.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_portmap.c
+--- linux-2.6.22/net/ipv4/netfilter/ip_set_portmap.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ip_set_portmap.c 2007-08-07 18:39:55.000000000 +0200
@@ -0,0 +1,334 @@
+/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
@@ -5923,7 +5845,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_portmap.c linux
+static inline ip_set_ip_t
+get_port(const struct sk_buff *skb, u_int32_t flags)
+{
-+ struct iphdr *iph = skb->nh.iph;
++ struct iphdr *iph = ip_hdr(skb);
+ u_int16_t offset = ntohs(iph->frag_off) & IP_OFFSET;
+
+ switch (iph->protocol) {
@@ -5934,7 +5856,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_portmap.c linux
+ if (offset)
+ return INVALID_PORT;
+
-+ if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &tcph, sizeof(tcph)) < 0)
++ if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &tcph, sizeof(tcph)) < 0)
+ /* No choice either */
+ return INVALID_PORT;
+
@@ -5947,7 +5869,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_portmap.c linux
+ if (offset)
+ return INVALID_PORT;
+
-+ if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &udph, sizeof(udph)) < 0)
++ if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &udph, sizeof(udph)) < 0)
+ /* No choice either */
+ return INVALID_PORT;
+
@@ -6228,10 +6150,164 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ip_set_portmap.c linux
+
+module_init(init);
+module_exit(fini);
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_SET.c linux/net/ipv4/netfilter/ipt_SET.c
---- linux.org/net/ipv4/netfilter/ipt_SET.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_SET.c 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +1,128 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ipt_set.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_set.c
+--- linux-2.6.22/net/ipv4/netfilter/ipt_set.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_set.c 2007-08-07 18:39:55.000000000 +0200
+@@ -0,0 +1,150 @@
++/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
++ * Patrick Schaaf <bof@bof.de>
++ * Martin Josefsson <gandalf@wlug.westbo.se>
++ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++
++/* Kernel module to match an IP set. */
++
++#include <linux/module.h>
++#include <linux/ip.h>
++#include <linux/skbuff.h>
++#include <linux/version.h>
++
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ip_set.h>
++#include <linux/netfilter_ipv4/ipt_set.h>
++
++static inline int
++match_set(const struct ipt_set_info *info,
++ const struct sk_buff *skb,
++ int inv)
++{
++ if (ip_set_testip_kernel(info->index, skb, info->flags))
++ inv = !inv;
++ return inv;
++}
++
++static int
++match(const struct sk_buff *skb,
++ const struct net_device *in,
++ const struct net_device *out,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
++ const void *matchinfo,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
++ int offset, unsigned int protoff, int *hotdrop)
++#else
++ int offset, int *hotdrop)
++#endif
++{
++ const struct ipt_set_info_match *info = matchinfo;
++
++ return match_set(&info->match_set,
++ skb,
++ info->match_set.flags[0] & IPSET_MATCH_INV);
++}
++
++static int
++checkentry(const char *tablename,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
++ const void *inf,
++#else
++ const struct ipt_ip *ip,
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
++ void *matchinfo,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
++ unsigned int matchsize,
++#endif
++ unsigned int hook_mask)
++{
++ struct ipt_set_info_match *info =
++ (struct ipt_set_info_match *) matchinfo;
++ ip_set_id_t index;
++
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
++ if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
++ ip_set_printk("invalid matchsize %d", matchsize);
++ return 0;
++ }
++#endif
++
++ index = ip_set_get_byindex(info->match_set.index);
++
++ if (index == IP_SET_INVALID_ID) {
++ ip_set_printk("Cannot find set indentified by id %u to match",
++ info->match_set.index);
++ return 0; /* error */
++ }
++ if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
++ ip_set_printk("That's nasty!");
++ return 0; /* error */
++ }
++
++ return 1;
++}
++
++static void destroy(
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
++ void *matchinfo, unsigned int matchsize)
++#else
++ void *matchinfo)
++#endif
++{
++ struct ipt_set_info_match *info = matchinfo;
++
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
++ if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
++ ip_set_printk("invalid matchsize %d", matchsize);
++ return;
++ }
++#endif
++ ip_set_put(info->match_set.index);
++}
++
++static struct ipt_match set_match = {
++ .name = "set",
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ .family = AF_INET,
++#endif
++ .match = &match,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ .matchsize = sizeof(struct ipt_set_info_match),
++#endif
++ .checkentry = &checkentry,
++ .destroy = &destroy,
++ .me = THIS_MODULE
++};
++
++MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
++MODULE_DESCRIPTION("iptables IP set match module");
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++#define ipt_register_match xt_register_match
++#define ipt_unregister_match xt_unregister_match
++#endif
++
++static int __init ipt_ipset_init(void)
++{
++ return ipt_register_match(&set_match);
++}
++
++static void __exit ipt_ipset_fini(void)
++{
++ ipt_unregister_match(&set_match);
++}
++
++module_init(ipt_ipset_init);
++module_exit(ipt_ipset_fini);
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ipt_SET.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_SET.c
+--- linux-2.6.22/net/ipv4/netfilter/ipt_SET.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_SET.c 2007-08-07 18:39:55.000000000 +0200
+@@ -0,0 +1,168 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ * Patrick Schaaf <bof@bof.de>
+ * Martin Josefsson <gandalf@wlug.westbo.se>
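Review bot: In checkentry, the `That's nasty!` branch returns 0 after `ip_set_get_byindex()` has already succeeded, and destroy(), the only place the matching `ip_set_put()` is called, does not run when checkentry fails; if ip_set_get_byindex takes a reference as its name and the put in destroy suggest, a rule with a non-zero `flags[IP_SET_MAX_BINDINGS]` leaks that reference and pins the set. Either move the flags check ahead of the lookup, or add `ip_set_put(info->match_set.index);` before that `return 0;`. Minor: the message `Cannot find set indentified by id %u to match` misspells "identified".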
@@ -6252,10 +6328,11 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_SET.c linux/net/ip
+#include <linux/netdevice.h>
+#include <linux/if.h>
+#include <linux/inetdevice.h>
++#include <linux/version.h>
+#include <net/protocol.h>
+#include <net/checksum.h>
++#include <net/netfilter/nf_nat_rule.h>
+#include <linux/netfilter_ipv4.h>
-+#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter_ipv4/ipt_set.h>
+
+static unsigned int
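Review bot: `#include <net/netfilter/nf_nat_rule.h>`, the renamed successor of the old ip_nat_rule.h include, pulls in the NAT and conntrack headers, yet nothing in the visible ipt_SET.c code uses NAT symbols; the target only adds to or deletes from sets. If the include is indeed unused it couples the module's build to the NAT core for no benefit, so either remove it or add a one-line comment stating which declaration it provides.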
@@ -6263,8 +6340,15 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_SET.c linux/net/ip
+ const struct net_device *in,
+ const struct net_device *out,
+ unsigned int hooknum,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_target *target,
++#endif
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+ const void *targinfo,
+ void *userinfo)
++#else
++ const void *targinfo)
++#endif
+{
+ const struct ipt_set_info_target *info = targinfo;
+
@@ -6282,18 +6366,30 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_SET.c linux/net/ip
+
+static int
+checkentry(const char *tablename,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
++ const void *e,
++#else
+ const struct ipt_entry *e,
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_target *target,
++#endif
+ void *targinfo,
-+ unsigned int targinfosize, unsigned int hook_mask)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
++ unsigned int targinfosize,
++#endif
++ unsigned int hook_mask)
+{
+ struct ipt_set_info_target *info =
+ (struct ipt_set_info_target *) targinfo;
+ ip_set_id_t index;
+
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+ if (targinfosize != IPT_ALIGN(sizeof(*info))) {
+ DP("bad target info size %u", targinfosize);
+ return 0;
+ }
++#endif
+
+ if (info->add_set.index != IP_SET_INVALID_ID) {
+ index = ip_set_get_byindex(info->add_set.index);
@@ -6321,15 +6417,24 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_SET.c linux/net/ip
+ return 1;
+}
+
-+static void destroy(void *targetinfo, unsigned int targetsize)
++static void destroy(
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_target *target,
++#endif
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
++ void *targetinfo, unsigned int targetsize)
++#else
++ void *targetinfo)
++#endif
+{
+ struct ipt_set_info_target *info = targetinfo;
+
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+ if (targetsize != IPT_ALIGN(sizeof(struct ipt_set_info_target))) {
+ ip_set_printk("invalid targetsize %d", targetsize);
+ return;
+ }
-+
++#endif
+ if (info->add_set.index != IP_SET_INVALID_ID)
+ ip_set_put(info->add_set.index);
+ if (info->del_set.index != IP_SET_INVALID_ID)
@@ -6338,7 +6443,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_SET.c linux/net/ip
+
+static struct ipt_target SET_target = {
+ .name = "SET",
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ .family = AF_INET,
++#endif
+ .target = target,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ .targetsize = sizeof(struct ipt_set_info_target),
++#endif
+ .checkentry = checkentry,
+ .destroy = destroy,
+ .me = THIS_MODULE
@@ -6348,131 +6459,167 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_SET.c linux/net/ip
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("iptables IP set target module");
+
-+static int __init init(void)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++#define ipt_register_target xt_register_target
++#define ipt_unregister_target xt_unregister_target
++#endif
++
++static int __init ipt_SET_init(void)
+{
+ return ipt_register_target(&SET_target);
+}
+
-+static void __exit fini(void)
++static void __exit ipt_SET_fini(void)
+{
+ ipt_unregister_target(&SET_target);
+}
+
-+module_init(init);
-+module_exit(fini);
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_set.c linux/net/ipv4/netfilter/ipt_set.c
---- linux.org/net/ipv4/netfilter/ipt_set.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_set.c 2006-05-04 10:26:33.000000000 +0200
-@@ -0,0 +1,112 @@
-+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
-+ * Patrick Schaaf <bof@bof.de>
-+ * Martin Josefsson <gandalf@wlug.westbo.se>
-+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License version 2 as
-+ * published by the Free Software Foundation.
-+ */
++module_init(ipt_SET_init);
++module_exit(ipt_SET_fini);
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Kconfig linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig
+--- linux-2.6.22/net/ipv4/netfilter/Kconfig 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig 2007-08-07 18:39:55.000000000 +0200
+@@ -402,5 +402,114 @@
+ Allows altering the ARP packet payload: source and destination
+ hardware and network addresses.
+
++config IP_NF_SET
++ tristate "IP set support"
++ depends on INET && NETFILTER
++ help
++ This option adds IP set support to the kernel.
++ In order to define and use sets, you need the userspace utility
++ ipset(8).
+
-+/* Kernel module to match an IP set. */
++ To compile it as a module, choose M here. If unsure, say N.
+
-+#include <linux/module.h>
-+#include <linux/ip.h>
-+#include <linux/skbuff.h>
++config IP_NF_SET_MAX
++ int "Maximum number of IP sets"
++ default 256
++ range 2 65534
++ depends on IP_NF_SET
++ help
++ You can define here default value of the maximum number
++ of IP sets for the kernel.
+
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter_ipv4/ip_set.h>
-+#include <linux/netfilter_ipv4/ipt_set.h>
++ The value can be overriden by the 'max_sets' module
++ parameter of the 'ip_set' module.
+
-+static inline int
-+match_set(const struct ipt_set_info *info,
-+ const struct sk_buff *skb,
-+ int inv)
-+{
-+ if (ip_set_testip_kernel(info->index, skb, info->flags))
-+ inv = !inv;
-+ return inv;
-+}
++config IP_NF_SET_HASHSIZE
++ int "Hash size for bindings of IP sets"
++ default 1024
++ depends on IP_NF_SET
++ help
++ You can define here default value of the hash size for
++ bindings of IP sets.
+
-+static int
-+match(const struct sk_buff *skb,
-+ const struct net_device *in,
-+ const struct net_device *out,
-+ const void *matchinfo,
-+ int offset,
-+ int *hotdrop)
-+{
-+ const struct ipt_set_info_match *info = matchinfo;
-+
-+ return match_set(&info->match_set,
-+ skb,
-+ info->match_set.flags[0] & IPSET_MATCH_INV);
-+}
++ The value can be overriden by the 'hash_size' module
++ parameter of the 'ip_set' module.
+
-+static int
-+checkentry(const char *tablename,
-+ const struct ipt_ip *ip,
-+ void *matchinfo,
-+ unsigned int matchsize,
-+ unsigned int hook_mask)
-+{
-+ struct ipt_set_info_match *info =
-+ (struct ipt_set_info_match *) matchinfo;
-+ ip_set_id_t index;
++config IP_NF_SET_IPMAP
++ tristate "ipmap set support"
++ depends on IP_NF_SET
++ help
++ This option adds the ipmap set type support.
+
-+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
-+ ip_set_printk("invalid matchsize %d", matchsize);
-+ return 0;
-+ }
++ To compile it as a module, choose M here. If unsure, say N.
+
-+ index = ip_set_get_byindex(info->match_set.index);
-+
-+ if (index == IP_SET_INVALID_ID) {
-+ ip_set_printk("Cannot find set indentified by id %u to match",
-+ info->match_set.index);
-+ return 0; /* error */
-+ }
-+ if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
-+ ip_set_printk("That's nasty!");
-+ return 0; /* error */
-+ }
++config IP_NF_SET_MACIPMAP
++ tristate "macipmap set support"
++ depends on IP_NF_SET
++ help
++ This option adds the macipmap set type support.
+
-+ return 1;
-+}
++ To compile it as a module, choose M here. If unsure, say N.
+
-+static void destroy(void *matchinfo, unsigned int matchsize)
-+{
-+ struct ipt_set_info_match *info = matchinfo;
++config IP_NF_SET_PORTMAP
++ tristate "portmap set support"
++ depends on IP_NF_SET
++ help
++ This option adds the portmap set type support.
+
-+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
-+ ip_set_printk("invalid matchsize %d", matchsize);
-+ return;
-+ }
++ To compile it as a module, choose M here. If unsure, say N.
+
-+ ip_set_put(info->match_set.index);
-+}
++config IP_NF_SET_IPHASH
++ tristate "iphash set support"
++ depends on IP_NF_SET
++ help
++ This option adds the iphash set type support.
+
-+static struct ipt_match set_match = {
-+ .name = "set",
-+ .match = &match,
-+ .checkentry = &checkentry,
-+ .destroy = &destroy,
-+ .me = THIS_MODULE
-+};
++ To compile it as a module, choose M here. If unsure, say N.
+
-+MODULE_LICENSE("GPL");
-+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-+MODULE_DESCRIPTION("iptables IP set match module");
++config IP_NF_SET_NETHASH
++ tristate "nethash set support"
++ depends on IP_NF_SET
++ help
++ This option adds the nethash set type support.
+
-+static int __init init(void)
-+{
-+ return ipt_register_match(&set_match);
-+}
++ To compile it as a module, choose M here. If unsure, say N.
+
-+static void __exit fini(void)
-+{
-+ ipt_unregister_match(&set_match);
-+}
++config IP_NF_SET_IPPORTHASH
++ tristate "ipporthash set support"
++ depends on IP_NF_SET
++ help
++ This option adds the ipporthash set type support.
+
-+module_init(init);
-+module_exit(fini);
++ To compile it as a module, choose M here. If unsure, say N.
++
++config IP_NF_SET_IPTREE
++ tristate "iptree set support"
++ depends on IP_NF_SET
++ help
++ This option adds the iptree set type support.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
++config IP_NF_MATCH_SET
++ tristate "set match support"
++ depends on IP_NF_SET
++ help
++ Set matching matches against given IP sets.
++ You need the ipset utility to create and set up the sets.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
++config IP_NF_TARGET_SET
++ tristate "SET target support"
++ depends on IP_NF_SET
++ help
++ The SET target makes possible to add/delete entries
++ in IP sets.
++ You need the ipset utility to create and set up the sets.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
++
+ endmenu
+
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Makefile linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile
+--- linux-2.6.22/net/ipv4/netfilter/Makefile 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile 2007-08-07 18:39:55.000000000 +0200
+@@ -48,6 +48,7 @@
+ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
+ obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
+ obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
++obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o
+ obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
+
+ # targets
+@@ -62,6 +63,17 @@
+ obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
+ obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
+ obj-$(CONFIG_IP_NF_TARGET_IPMARK) += ipt_IPMARK.o
++obj-$(CONFIG_IP_NF_TARGET_SET) += ipt_SET.o
++
++# sets
++obj-$(CONFIG_IP_NF_SET) += ip_set.o
++obj-$(CONFIG_IP_NF_SET_IPMAP) += ip_set_ipmap.o
++obj-$(CONFIG_IP_NF_SET_PORTMAP) += ip_set_portmap.o
++obj-$(CONFIG_IP_NF_SET_MACIPMAP) += ip_set_macipmap.o
++obj-$(CONFIG_IP_NF_SET_IPHASH) += ip_set_iphash.o
++obj-$(CONFIG_IP_NF_SET_NETHASH) += ip_set_nethash.o
++obj-$(CONFIG_IP_NF_SET_IPPORTHASH) += ip_set_ipporthash.o
++obj-$(CONFIG_IP_NF_SET_IPTREE) += ip_set_iptree.o
+
+ # generic ARP tables
+ obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
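Review bot: The `ipt_set.c` match module source is deleted from this section while the Makefile and Kconfig hunks that follow still reference it (`obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o` and `config IP_NF_MATCH_SET`); unless that file now appears earlier in the patch, enabling IP_NF_MATCH_SET will fail to build for lack of ipt_set.c. Worth confirming with a search for `ipt_set.c` across the whole patch before this lands. Separately, the two new Kconfig help texts for IP_NF_SET_MAX and IP_NF_SET_HASHSIZE spell "overridden" as `overriden`.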
diff --git a/kernel-desktop-pom-ng-time.patch b/kernel-desktop-pom-ng-time.patch
index ef0194d..9b83465 100644
--- a/kernel-desktop-pom-ng-time.patch
+++ b/kernel-desktop-pom-ng-time.patch
@@ -1,12 +1,6 @@
- include/linux/netfilter_ipv4/ipt_time.h | 18 +++
- net/ipv4/netfilter/Kconfig | 14 ++
- net/ipv4/netfilter/Makefile | 1
- net/ipv4/netfilter/ipt_time.c | 179 ++++++++++++++++++++++++++++++++
- 4 files changed, 212 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_time.h linux/include/linux/netfilter_ipv4/ipt_time.h
---- linux.org/include/linux/netfilter_ipv4/ipt_time.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ipt_time.h 2006-05-04 10:29:15.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ipt_time.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_time.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ipt_time.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_time.h 2007-08-07 18:40:04.000000000 +0200
@@ -0,0 +1,18 @@
+#ifndef __ipt_time_h_included__
+#define __ipt_time_h_included__
@@ -26,38 +20,10 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_time.h l
+
+
+#endif /* __ipt_time_h_included__ */
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 10:29:15.000000000 +0200
-@@ -606,5 +606,19 @@
- Allows altering the ARP packet payload: source and destination
- hardware and network addresses.
-
-+config IP_NF_MATCH_TIME
-+ tristate 'TIME match support'
-+ depends on IP_NF_IPTABLES
-+ help
-+ This option adds a `time' match, which allows you
-+ to match based on the packet arrival time/date
-+ (arrival time/date at the machine which netfilter is running on) or
-+ departure time/date (for locally generated packets).
-+
-+ If you say Y here, try iptables -m time --help for more information.
-+
-+ If you want to compile it as a module, say M here and read
-+ Documentation/modules.txt. If unsure, say `N'.
-+
- endmenu
-
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 10:29:15.000000000 +0200
-@@ -0,0 +0,1 @@
-+obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_time.c linux/net/ipv4/netfilter/ipt_time.c
---- linux.org/net/ipv4/netfilter/ipt_time.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_time.c 2006-05-04 10:29:15.000000000 +0200
-@@ -0,0 +1,179 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ipt_time.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_time.c
+--- linux-2.6.22/net/ipv4/netfilter/ipt_time.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_time.c 2007-08-07 18:40:04.000000000 +0200
+@@ -0,0 +1,229 @@
+/*
+ This is a module which is used for time matching
+ It is using some modified code from dietlibc (localtime() function)
@@ -75,6 +41,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_time.c linux/net/i
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
++#include <linux/version.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_time.h>
+#include <linux/time.h>
@@ -106,35 +73,62 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_time.c linux/net/i
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
+ const void *matchinfo,
+ int offset,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
+ unsigned int protoff,
++#endif
+ int *hotdrop)
+{
+ const struct ipt_time_info *info = matchinfo; /* match info for rule */
+ struct tm currenttime; /* time human readable */
+ u_int8_t days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
+ u_int16_t packet_time;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
++ struct timeval tv;
++#endif
+
+ /* We might not have a timestamp, get one */
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
++ if (skb->tstamp.tv64 == 0)
++#else
+ if (skb->tstamp.off_sec == 0)
++#endif
+ __net_timestamp((struct sk_buff *)skb);
+
+ /* First we make sure we are in the date start-stop boundaries */
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
++ tv = ktime_to_timeval(skb->tstamp);
++ if ((tv.tv_sec < info->date_start) || (tv.tv_sec > info->date_stop))
++#else
+ if ((skb->tstamp.off_sec < info->date_start) || (skb->tstamp.off_sec > info->date_stop))
++#endif
+ return 0; /* We are outside the date boundaries */
+
+ /* Transform the timestamp of the packet, in a human readable form */
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
++ localtime(tv.tv_sec, &currenttime);
++#else
+ localtime(skb->tstamp.off_sec, &currenttime);
++#endif
++
+
+ /* check if we match this timestamp, we start by the days... */
+ if ((days_of_week[currenttime.tm_wday] & info->days_match) != days_of_week[currenttime.tm_wday])
+ return 0; /* the day doesn't match */
+
-+ /* ... check the time now */
++ /* ... check the time now, both vesions: "start < stop" and "start > stop" (midnight cross) */
+ packet_time = (currenttime.tm_hour * 60) + currenttime.tm_min;
-+ if ((packet_time < info->time_start) || (packet_time > info->time_stop))
-+ return 0;
++ if (info->time_start < info->time_stop) {
++ if ((packet_time < info->time_start) || (packet_time > info->time_stop))
++ return 0;
++ } else {
++ if ((packet_time < info->time_start) && (packet_time > info->time_stop))
++ return 0;
++ }
+
+ /* here we match ! */
+ return 1;
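Review bot: The new midnight-crossing branch changes the meaning of a rule whose `time_start` equals `time_stop`: with `if (info->time_start < info->time_stop)` the equal case falls into the else arm, where `(packet_time < info->time_start) && (packet_time > info->time_stop)` can never hold, so such a rule now matches every minute of the day instead of the single minute the old code matched. Using `if (info->time_start <= info->time_stop) {` keeps the equal case in the plain-range arm and preserves the previous behaviour. The return-type line and closing brace of `match` both lie outside this hunk.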
@@ -142,51 +136,73 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_time.c linux/net/i
+
+static int
+checkentry(const char *tablename,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
++ const void *ip,
++#else
+ const struct ipt_ip *ip,
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
+ void *matchinfo,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+ unsigned int matchsize,
++#endif
+ unsigned int hook_mask)
+{
+ struct ipt_time_info *info = matchinfo; /* match info for rule */
+
-+ /* First, check that we are in the correct hooks */
-+ if (hook_mask
-+ & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | (1 << NF_IP_LOCAL_OUT)))
-+ {
-+ printk("ipt_time: error, only valid for PRE_ROUTING, LOCAL_IN, FORWARD and OUTPUT)\n");
-+ return 0;
-+ }
-+
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
+ /* Check the size */
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_time_info)))
+ return 0;
++#endif
++
+ /* Now check the coherence of the data ... */
+ if ((info->time_start > 1439) || /* 23*60+59 = 1439*/
+ (info->time_stop > 1439))
+ {
-+ printk(KERN_WARNING "ipt_time: invalid argument\n");
++ printk(KERN_WARNING "ipt_time: invalid argument - start or stop time greater than 23:59h\n");
+ return 0;
+ }
+
+ return 1;
+}
+
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++static struct xt_match time_match = {
++#else
+static struct ipt_match time_match = {
-+ .name = "time",
-+ .match = &match,
-+ .checkentry = &checkentry,
++#endif
++ .name = "time",
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ .family = AF_INET,
++#endif
++ .match = &match,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ .matchsize = sizeof(struct ipt_time_info),
++#endif
++ .checkentry = &checkentry,
+ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+ printk("ipt_time loading\n");
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ return xt_register_match(&time_match);
++#else
+ return ipt_register_match(&time_match);
++#endif
+}
+
+static void __exit fini(void)
+{
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ xt_unregister_match(&time_match);
++#else
+ ipt_unregister_match(&time_match);
++#endif
+ printk("ipt_time unloaded\n");
+}
+
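Review bot: The hook-mask check removed from `checkentry` is not replaced by anything: the new `time_match` initializer sets `.family` and `.matchsize` but no `.hooks`, so the match is now accepted in POST_ROUTING too, which the deleted code explicitly rejected. If that restriction was deliberate, `.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | (1 << NF_IP_LOCAL_OUT),` under the same `>= KERNEL_VERSION(2,6,17)` guard as `.matchsize` restores it through the xt core; if it was dropped on purpose, a one-line comment saying so would stop the next reader from re-adding it. Also, the manual size check is kept only for `< 2.6.17` while the `matchsize` parameter is declared for `< 2.6.19`, so on 2.6.17 and 2.6.18 the parameter exists but is never read; the SET target in this same commit guards both with `< 2.6.19`, and aligning the two keeps the modules consistent.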
@@ -237,3 +253,37 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_time.c linux/net/i
+ r->tm_mon=i;
+ r->tm_mday=work-__spm[i]+1;
+}
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Kconfig linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig
+--- linux-2.6.22/net/ipv4/netfilter/Kconfig 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig 2007-08-07 18:40:04.000000000 +0200
+@@ -402,5 +402,19 @@
+ Allows altering the ARP packet payload: source and destination
+ hardware and network addresses.
+
++config IP_NF_MATCH_TIME
++ tristate 'TIME match support'
++ depends on IP_NF_IPTABLES
++ help
++ This option adds a `time' match, which allows you
++ to match based on the packet arrival time/date
++ (arrival time/date at the machine which netfilter is running on) or
++ departure time/date (for locally generated packets).
++
++ If you say Y here, try iptables -m time --help for more information.
++
++ If you want to compile it as a module, say M here and read
++ Documentation/modules.txt. If unsure, say `N'.
++
+ endmenu
+
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Makefile linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile
+--- linux-2.6.22/net/ipv4/netfilter/Makefile 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile 2007-08-07 18:40:04.000000000 +0200
+@@ -44,6 +44,7 @@
+ obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
+ obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
+ obj-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p.o
++obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
+
+ obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
+ obj-$(CONFIG_IP_NF_MATCH_GEOIP) += ipt_geoip.o
diff --git a/kernel-desktop-pom-ng-u32.patch b/kernel-desktop-pom-ng-u32.patch
index bfebc62..aef1aee 100644
--- a/kernel-desktop-pom-ng-u32.patch
+++ b/kernel-desktop-pom-ng-u32.patch
@@ -1,12 +1,6 @@
- include/linux/netfilter_ipv4/ipt_u32.h | 40 +++++
- net/ipv4/netfilter/Kconfig | 13 +
- net/ipv4/netfilter/Makefile | 1
- net/ipv4/netfilter/ipt_u32.c | 233 +++++++++++++++++++++++++++++++++
- 4 files changed, 287 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_u32.h linux/include/linux/netfilter_ipv4/ipt_u32.h
---- linux.org/include/linux/netfilter_ipv4/ipt_u32.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ipt_u32.h 2006-05-04 10:30:23.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ipt_u32.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_u32.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ipt_u32.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_u32.h 2007-08-07 18:40:11.000000000 +0200
@@ -0,0 +1,40 @@
+#ifndef _IPT_U32_H
+#define _IPT_U32_H
@@ -48,37 +42,10 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_u32.h li
+};
+
+#endif /*_IPT_U32_H*/
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 10:30:23.000000000 +0200
-@@ -606,5 +606,18 @@
- Allows altering the ARP packet payload: source and destination
- hardware and network addresses.
-
-+config IP_NF_MATCH_U32
-+ tristate 'U32 match support'
-+ depends on IP_NF_IPTABLES
-+ help
-+ U32 allows you to extract quantities of up to 4 bytes from a packet,
-+ AND them with specified masks, shift them by specified amounts and
-+ test whether the results are in any of a set of specified ranges.
-+ The specification of what to extract is general enough to skip over
-+ headers with lengths stored in the packet, as in IP or TCP header
-+ lengths.
-+
-+ Details and examples are in the kernel module source.
-+
- endmenu
-
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 10:30:23.000000000 +0200
-@@ -0,0 +0,1 @@
-+obj-$(CONFIG_IP_NF_MATCH_U32) += ipt_u32.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_u32.c linux/net/ipv4/netfilter/ipt_u32.c
---- linux.org/net/ipv4/netfilter/ipt_u32.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_u32.c 2006-05-04 10:30:23.000000000 +0200
-@@ -0,0 +1,233 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ipt_u32.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_u32.c
+--- linux-2.6.22/net/ipv4/netfilter/ipt_u32.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_u32.c 2007-08-07 18:40:11.000000000 +0200
+@@ -0,0 +1,237 @@
+/* Kernel module to match u32 packet content. */
+
+/*
@@ -201,6 +168,7 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_u32.c linux/net/ip
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
++ const struct xt_match *match,
+ const void *matchinfo,
+ int offset,
+ unsigned int protoff,
@@ -283,32 +251,68 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_u32.c linux/net/ip
+
+static int
+checkentry(const char *tablename,
-+ const struct ipt_ip *ip,
++ const void *ip,
++ const struct xt_match *match,
+ void *matchinfo,
-+ unsigned int matchsize,
++ /* unsigned int matchsize, */
+ unsigned int hook_mask)
+{
-+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_u32)))
++ if (sizeof(struct ipt_u32) != IPT_ALIGN(sizeof(struct ipt_u32)))
+ return 0;
+ return 1;
+}
+
-+static struct ipt_match u32_match = {
++static struct xt_match u32_match = {
+ .name = "u32",
++ .family = AF_INET,
+ .match = &match,
++ .matchsize = sizeof(struct ipt_u32),
+ .checkentry = &checkentry,
+ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
-+ return ipt_register_match(&u32_match);
++ return xt_register_match(&u32_match);
+}
+
+static void __exit fini(void)
+{
-+ ipt_unregister_match(&u32_match);
++ xt_unregister_match(&u32_match);
+}
+
+module_init(init);
+module_exit(fini);
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Kconfig linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig
+--- linux-2.6.22/net/ipv4/netfilter/Kconfig 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig 2007-08-07 18:40:11.000000000 +0200
+@@ -402,5 +402,18 @@
+ Allows altering the ARP packet payload: source and destination
+ hardware and network addresses.
+
++config IP_NF_MATCH_U32
++ tristate 'U32 match support'
++ depends on IP_NF_IPTABLES
++ help
++ U32 allows you to extract quantities of up to 4 bytes from a packet,
++ AND them with specified masks, shift them by specified amounts and
++ test whether the results are in any of a set of specified ranges.
++ The specification of what to extract is general enough to skip over
++ headers with lengths stored in the packet, as in IP or TCP header
++ lengths.
++
++ Details and examples are in the kernel module source.
++
+ endmenu
+
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Makefile linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile
+--- linux-2.6.22/net/ipv4/netfilter/Makefile 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile 2007-08-07 18:40:11.000000000 +0200
+@@ -45,6 +45,7 @@
+ obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
+ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
+ obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
++obj-$(CONFIG_IP_NF_MATCH_U32) += ipt_u32.o
+ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
+ obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
+ obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
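Review bot: The replacement size check in `checkentry`, `if (sizeof(struct ipt_u32) != IPT_ALIGN(sizeof(struct ipt_u32)))`, compares two compile-time constants and never looks at the rule being loaded, so it is dead code; rule-size validation now happens in the xt core via `.matchsize = sizeof(struct ipt_u32)` before `checkentry` runs. The body can be reduced to `return 1;`, and the commented-out `/* unsigned int matchsize, */` parameter should be deleted rather than left in the prototype. Unlike the time match in this same commit, this conversion drops the LINUX_VERSION_CODE guards entirely and targets only the 2.6.22 API; that is acceptable for this package, but a one-line comment at the top of the file stating that intent would explain why the two patches differ.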