Diffstat (limited to 'kernel-desktop-pom-ng-connlimit.patch')
-rw-r--r--kernel-desktop-pom-ng-connlimit.patch213
1 files changed, 162 insertions, 51 deletions
diff --git a/kernel-desktop-pom-ng-connlimit.patch b/kernel-desktop-pom-ng-connlimit.patch
index 5fb3d0c..d24885b 100644
--- a/kernel-desktop-pom-ng-connlimit.patch
+++ b/kernel-desktop-pom-ng-connlimit.patch
@@ -1,12 +1,6 @@
- include/linux/netfilter_ipv4/ipt_connlimit.h | 12 +
- net/ipv4/netfilter/Kconfig | 10 +
- net/ipv4/netfilter/Makefile | 1
- net/ipv4/netfilter/ipt_connlimit.c | 228 +++++++++++++++++++++++++++
- 4 files changed, 251 insertions(+)
-
-diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_connlimit.h linux/include/linux/netfilter_ipv4/ipt_connlimit.h
---- linux.org/include/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux/include/linux/netfilter_ipv4/ipt_connlimit.h 2006-05-04 10:02:23.000000000 +0200
+diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ipt_connlimit.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_connlimit.h
+--- linux-2.6.22/include/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_connlimit.h 2007-08-07 18:38:25.000000000 +0200
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
@@ -20,34 +14,10 @@ diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_connlimi
+ struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
---- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 10:02:23.000000000 +0200
-@@ -606,5 +606,15 @@
- Allows altering the ARP packet payload: source and destination
- hardware and network addresses.
-
-+config IP_NF_MATCH_CONNLIMIT
-+ tristate 'Connections/IP limit match support'
-+ depends on IP_NF_IPTABLES
-+ help
-+ This match allows you to restrict the number of parallel TCP
-+ connections to a server per client IP address (or address block).
-+
-+ If you want to compile it as a module, say M here and read
-+ Documentation/modules.txt. If unsure, say `N'.
-+
- endmenu
-
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
---- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
-+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 10:02:23.000000000 +0200
-@@ -0,0 +0,1 @@
-+obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
-diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/net/ipv4/netfilter/ipt_connlimit.c
---- linux.org/net/ipv4/netfilter/ipt_connlimit.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux/net/ipv4/netfilter/ipt_connlimit.c 2006-05-04 10:02:23.000000000 +0200
-@@ -0,0 +1,229 @@
+diff -Nru linux-2.6.22/net/ipv4/netfilter/ipt_connlimit.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_connlimit.c
+--- linux-2.6.22/net/ipv4/netfilter/ipt_connlimit.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_connlimit.c 2007-08-07 18:38:25.000000000 +0200
+@@ -0,0 +1,340 @@
+/*
+ * netfilter module to limit the number of parallel tcp
+ * connections per IP address.
@@ -62,10 +32,23 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
++#include <linux/version.h>
+#include <linux/list.h>
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
++#define CONFIG_NF_CONNTRACK_SUPPORT
++#endif
++
++#ifdef CONFIG_NF_CONNTRACK_SUPPORT
++#include <net/netfilter/nf_conntrack.h>
++#include <net/netfilter/nf_conntrack_core.h>
++#include <linux/netfilter/nf_conntrack_tcp.h>
++#else
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_core.h>
+#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
++#endif
++
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_connlimit.h>
+
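Review bot: The new `#define CONFIG_NF_CONNTRACK_SUPPORT` at the top of ipt_connlimit.c squats on the `CONFIG_` prefix, which Kconfig owns, so a reader (and any future Kconfig symbol of that name) will take it for a build option rather than a file-local switch. A private name such as `#define CONNLIMIT_USE_NF_CONNTRACK` keyed on the same version test avoids the collision and makes every later `#ifndef` read as module-internal. Keying purely on `KERNEL_VERSION(2,6,22)` also means a pre-2.6.22 tree that was configured with nf_conntrack instead of ip_conntrack still gets the ip_conntrack headers; if that combination is in scope, testing the kernel's own `CONFIG_NF_CONNTRACK` in addition to the version would be more robust, but I have not verified the API matched there.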
@@ -77,7 +60,11 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+struct ipt_connlimit_conn
+{
+ struct list_head list;
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ struct ip_conntrack_tuple tuple;
++#else
++ struct nf_conntrack_tuple tuple;
++#endif
+};
+
+struct ipt_connlimit_data {
@@ -92,7 +79,12 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+
+static int count_them(struct ipt_connlimit_data *data,
+ u_int32_t addr, u_int32_t mask,
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ struct ip_conntrack *ct)
++#else
++ struct nf_conn *ct)
++#endif
++
+{
+#if DEBUG
+ const static char *tcp[] = { "none", "established", "syn_sent", "syn_recv",
@@ -100,8 +92,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+ "last_ack", "listen" };
+#endif
+ int addit = 1, matches = 0;
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ struct ip_conntrack_tuple tuple;
+ struct ip_conntrack_tuple_hash *found;
++#else
++ struct nf_conntrack_tuple tuple;
++ struct nf_conntrack_tuple_hash *found;
++#endif
+ struct ipt_connlimit_conn *conn;
+ struct list_head *hash,*lh;
+
@@ -111,11 +108,22 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+
+ /* check the saved connections */
+ for (lh = hash->next; lh != hash; lh = lh->next) {
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ struct ip_conntrack *found_ct = NULL;
-+ conn = list_entry(lh,struct ipt_connlimit_conn,list);
-+ found = ip_conntrack_find_get(&conn->tuple,ct);
++ conn = list_entry(lh, struct ipt_connlimit_conn, list);
++ found = ip_conntrack_find_get(&conn->tuple, ct);
++#else
++ struct nf_conn *found_ct = NULL;
++ conn = list_entry(lh, struct ipt_connlimit_conn, list);
++ found = nf_conntrack_find_get(&conn->tuple, ct);
++#endif
++
+ if (found != NULL
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ && (found_ct = tuplehash_to_ctrack(found)) != NULL
++#else
++ && (found_ct = nf_ct_tuplehash_to_ctrack(found)) != NULL
++#endif
+ && 0 == memcmp(&conn->tuple,&tuple,sizeof(tuple))
+ && found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
+ /* Just to be sure we have it only once in the list.
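Review bot: The nf_conntrack branch keeps comparing tuples with `0 == memcmp(&conn->tuple,&tuple,sizeof(tuple))`, which ties correctness to every byte of `struct nf_conntrack_tuple` (including the 16-byte `u3` union of which IPv4 fills only 4) being identically zero-filled in both copies. Both conntrack flavours export a comparison helper for exactly this, so the condition would be safer as `&& nf_ct_tuple_equal(&conn->tuple, &tuple)` in the `CONFIG_NF_CONNTRACK_SUPPORT` branch (and `ip_ct_tuple_equal` in the other), which compares only the fields that define a tuple. The reference taken by `nf_conntrack_find_get()` is released on the paths I can see, but count_them() starts and ends outside this hunk, so the early `continue` paths further down should be checked for a matching `nf_conntrack_put()`.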
@@ -126,8 +134,13 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+#if DEBUG
+ printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d %s\n",
+ ipt_iphash(addr & mask),
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ NIPQUAD(conn->tuple.src.ip), ntohs(conn->tuple.src.u.tcp.port),
+ NIPQUAD(conn->tuple.dst.ip), ntohs(conn->tuple.dst.u.tcp.port),
++#else
++ NIPQUAD(conn->tuple.src.u3.ip), ntohs(conn->tuple.src.u.tcp.port),
++ NIPQUAD(conn->tuple.dst.u3.ip), ntohs(conn->tuple.dst.u.tcp.port),
++#endif
+ (NULL != found) ? tcp[found_ct->proto.tcp.state] : "gone");
+#endif
+ if (NULL == found) {
@@ -146,7 +159,11 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+ nf_conntrack_put(&found_ct->ct_general);
+ continue;
+ }
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ if ((addr & mask) == (conn->tuple.src.ip & mask)) {
++#else
++ if ((addr & mask) == (conn->tuple.src.u3.ip & mask)) {
++#endif
+ /* same source IP address -> be counted! */
+ matches++;
+ }
@@ -157,8 +174,14 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+#if DEBUG
+ printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d new\n",
+ ipt_iphash(addr & mask),
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
+ NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
++#else
++ NIPQUAD(tuple.src.u3.ip), ntohs(tuple.src.u.tcp.port),
++ NIPQUAD(tuple.dst.u3.ip), ntohs(tuple.dst.u.tcp.port));
++#endif
++
+#endif
+ conn = kmalloc(sizeof(*conn),GFP_ATOMIC);
+ if (NULL == conn) {
@@ -179,51 +202,83 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
+ const void *matchinfo,
+ int offset,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
+ unsigned int protoff,
++#endif
+ int *hotdrop)
+{
+ const struct ipt_connlimit_info *info = matchinfo;
-+ int connections, match;
++ int connections, rv;
++#ifndef CONFIG_NF_CONNTRACK_SUPPORT
+ struct ip_conntrack *ct;
+ enum ip_conntrack_info ctinfo;
+
+ ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
++#else
++ struct nf_conn *ct;
++ enum ip_conntrack_info ctinfo;
++
++ ct = nf_ct_get((struct sk_buff *)skb, &ctinfo);
++#endif
+ if (NULL == ct) {
+ printk("ipt_connlimit: Oops: invalid ct state ?\n");
+ *hotdrop = 1;
+ return 0;
+ }
-+ connections = count_them(info->data,skb->nh.iph->saddr,info->mask,ct);
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
++ connections = count_them(info->data, ip_hdr(skb)->saddr, info->mask, ct);
++#else
++ connections = count_them(info->data, skb->nh.iph->saddr, info->mask, ct);
++#endif
+ if (-1 == connections) {
+ printk("ipt_connlimit: Hmm, kmalloc failed :-(\n");
+ *hotdrop = 1; /* let's free some memory :-) */
+ return 0;
+ }
-+ match = (info->inverse) ? (connections <= info->limit) : (connections > info->limit);
++ rv = (info->inverse) ? (connections <= info->limit) : (connections > info->limit);
+#if DEBUG
+ printk("ipt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u "
+ "connections=%d limit=%d match=%s\n",
+ NIPQUAD(skb->nh.iph->saddr), NIPQUAD(info->mask),
-+ connections, info->limit, match ? "yes" : "no");
++ connections, info->limit, rv?"yes":"no");
+#endif
+
-+ return match;
++ return rv;
+}
+
-+static int check(const char *tablename,
++static int checkentry(const char *tablename,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
++ const void *ip_void,
++#else
+ const struct ipt_ip *ip,
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
+ void *matchinfo,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+ unsigned int matchsize,
++#endif
+ unsigned int hook_mask)
+{
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
++ const struct ipt_ip *ip = ip_void;
++#endif
++
+ struct ipt_connlimit_info *info = matchinfo;
+ int i;
+
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
+ /* verify size */
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info)))
+ return 0;
++#endif
+
+ /* refuse anything but tcp */
+ if (ip->proto != IPPROTO_TCP)
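Review bot: The DEBUG `printk` in match() still reads `NIPQUAD(skb->nh.iph->saddr)` while the `count_them()` call a few lines above was switched to `ip_hdr(skb)->saddr` for 2.6.22; with DEBUG enabled the 2.6.22 build of this function will fail on that line, so it needs the same version guard, e.g. `NIPQUAD(ip_hdr(skb)->saddr), NIPQUAD(info->mask),` under `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)`. The `printk("ipt_connlimit: Oops: invalid ct state ?\n")` on the `NULL == ct` path is emitted once per packet and carries no KERN_ level; any untracked packet reaching the rule (conntrack not loaded, or a NOTRACK'd flow) lets a remote sender fill the log, so wrap it as `if (net_ratelimit()) printk(KERN_WARNING ...)` and likewise for the kmalloc-failure message. Since the match is useless without the IPv4 conntrack loaded, checkentry() would presumably also want `nf_ct_l3proto_try_module_get(AF_INET)` on 2.6.22 (with the matching put in destroy()), as the in-tree conntrack matches do; I have not confirmed that is required for this tree.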
@@ -238,7 +293,15 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+ return 1;
+}
+
-+static void destroy(void *matchinfo, unsigned int matchinfosize)
++static void destroy(
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
++ void *matchinfo, unsigned int matchsize)
++#else
++ void *matchinfo)
++#endif
+{
+ struct ipt_connlimit_info *info = matchinfo;
+ struct ipt_connlimit_conn *conn;
@@ -257,23 +320,71 @@ diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c linux/
+ kfree(info->data);
+}
+
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++static struct xt_match connlimit_match = {
++#else
+static struct ipt_match connlimit_match = {
-+ .name = "connlimit",
-+ .match = &match,
-+ .checkentry = &check,
-+ .destroy = &destroy,
-+ .me = THIS_MODULE
++#endif
++ .name = "connlimit",
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ .family = AF_INET,
++#endif
++ .match = &match,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ .matchsize = sizeof(struct ipt_connlimit_info),
++#endif
++ .checkentry = &checkentry,
++ .destroy = &destroy,
++ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ return xt_register_match(&connlimit_match);
++#else
+ return ipt_register_match(&connlimit_match);
++#endif
+}
+
+static void __exit fini(void)
+{
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
++ xt_unregister_match(&connlimit_match);
++#else
+ ipt_unregister_match(&connlimit_match);
++#endif
+}
+
+module_init(init);
+module_exit(fini);
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Kconfig linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig
+--- linux-2.6.22/net/ipv4/netfilter/Kconfig 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig 2007-08-07 18:38:25.000000000 +0200
+@@ -402,5 +402,15 @@
+ Allows altering the ARP packet payload: source and destination
+ hardware and network addresses.
+
++config IP_NF_MATCH_CONNLIMIT
++ tristate 'Connections/IP limit match support'
++ depends on IP_NF_IPTABLES
++ help
++ This match allows you to restrict the number of parallel TCP
++ connections to a server per client IP address (or address block).
++
++ If you want to compile it as a module, say M here and read
++ Documentation/modules.txt. If unsure, say `N'.
++
+ endmenu
+
+diff -Nru linux-2.6.22/net/ipv4/netfilter/Makefile linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile
+--- linux-2.6.22/net/ipv4/netfilter/Makefile 2007-07-09 01:32:17.000000000 +0200
++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile 2007-08-07 18:38:25.000000000 +0200
+@@ -44,6 +44,7 @@
+ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
+
+ obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
++obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
+
+ obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
+ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
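Review bot: The Kconfig entry declares only `depends on IP_NF_IPTABLES`, yet the 2.6.22 build of ipt_connlimit.c includes `<net/netfilter/nf_conntrack.h>` and calls `nf_ct_get()`/`nf_conntrack_find_get()`, so a configuration with this match enabled but IPv4 conntrack disabled will fail to build or link; the dependency line should be `depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4` (or the equivalent `select`) for the tree this patch targets. The help text's pointer to `Documentation/modules.txt` is stale for 2.6 trees, where the file lives under `Documentation/kbuild/`; I would drop the sentence or fix the path. The `xt_match` conversion with `.family = AF_INET` and `.matchsize` looks consistent with the 2.6.21+ registration API.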