[packages/iptables.git] / iptables-old-1.3.7.patch

--- /dev/null	2005-12-16 15:49:47.000000000 +0100
+++ iptables-1.3.8/extensions/libipt_rpc.c	2006-12-04 12:15:20.000000000 +0100
@@ -0,0 +1,372 @@
+/* RPC extension for IP connection matching, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ *	- original rpc tracking module
+ *	- "recent" connection handling for kernel 2.3+ netfilter
+ *
+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
+ *	- upgraded conntrack modules to oldnat api - kernel 2.4.0+
+ *
+ * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ *	- upgraded conntrack modules to newnat api - kernel 2.4.20+
+ *	- extended matching to support filtering on procedures
+ *
+ * libipt_rpc.c,v 2.2 2003/01/12 18:30:00
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License
+ *	as published by the Free Software Foundation; either version
+ *	2 of the License, or (at your option) any later version.
+ **
+ *	Userspace library syntax:
+ *	--rpc [--rpcs procedure1,procedure2,...procedure128] [--static]
+ *
+ *	Procedures can be supplied in either numeric or named formats.
+ *	Without --rpcs, this module will behave as the old record-rpc.
+ **
+ *	Note to all:
+ *
+ *	RPCs should not be exposed to the internet - ask the Pentagon;
+ *
+ *	  "The unidentified crackers pleaded guilty in July to charges
+ *	   of juvenile delinquency stemming from a string of Pentagon
+ *	   network intrusions in February.
+ *
+ *	   The youths, going by the names TooShort and Makaveli, used
+ *	   a common server security hole to break in, according to
+ *	   Dane Jasper, owner of the California Internet service
+ *	   provider, Sonic. They used the hole, known as the 'statd'
+ *	   exploit, to attempt more than 800 break-ins, Jasper said."
+ *
+ *	From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998
+ *	URL:  http://www.wired.com/news/politics/0,1283,16098,00.html
+ **
+ */
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <rpc/rpc.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_rpc.h>
+#include <time.h>
+
+
+const int IPT_RPC_RPCS = 1;
+const int IPT_RPC_STRC = 2;
+
+const int IPT_RPC_INT_LBL = 1;
+const int IPT_RPC_INT_NUM = 2;
+const int IPT_RPC_INT_BTH = 3;
+
+const int IPT_RPC_CHAR_LEN = 11;
+const int IPT_RPC_MAX_ENTS = 128;
+
+const char preerr[11] = "RPC match:";
+
+
+static int k_itoa(char *string, int number)
+{
+	int maxoctet = IPT_RPC_CHAR_LEN - 1;
+	int store[IPT_RPC_CHAR_LEN];
+	int counter;
+
+
+        for (counter=0 ; maxoctet != 0 && number != 0; counter++, maxoctet--) {
+		store[counter] = number / 10;
+		store[counter] = number - ( store[counter] * 10 );
+		number = number / 10;
+        }
+
+        for ( ; counter != 0; counter--, string++)
+		*string = store[counter - 1] + 48;
+
+	*string = 0;
+
+	return(0);
+}
+
+
+static int k_atoi(char *string)
+{
+	unsigned int result = 0;
+	int maxoctet = IPT_RPC_CHAR_LEN;
+
+
+        for ( ; *string != 0 && maxoctet != 0; maxoctet--, string++) {
+                if (*string < 0)
+                        return(0);
+                if (*string == 0)
+                        break;
+                if (*string < 48 || *string > 57) {
+                        return(0);
+                }
+                result = result * 10 + ( *string - 48 );
+        }
+
+	return(result);
+}
+
+
+static void print_rpcs(char *c_procs, int i_procs, int labels)
+{
+	int   proc_ctr;
+	char *proc_ptr;
+	unsigned int proc_num;
+	struct rpcent *rpcent;
+
+
+	for (proc_ctr=0; proc_ctr <= i_procs; proc_ctr++) {
+
+		if ( proc_ctr != 0 )
+			printf(",");
+
+		proc_ptr = c_procs;
+		proc_ptr += proc_ctr * IPT_RPC_CHAR_LEN;
+		proc_num = k_atoi(proc_ptr);
+
+		/* labels(1) == no labels, only numbers
+		 * labels(2) == no numbers, only labels
+		 * labels(3) == both labels and numbers
+		 */
+
+		if (labels == IPT_RPC_INT_LBL || labels == IPT_RPC_INT_BTH ) {
+			if ( (rpcent = getrpcbynumber(proc_num)) == NULL )
+				printf("unknown");
+			else
+				printf("%s", rpcent->r_name);
+		}
+
+		if (labels == IPT_RPC_INT_BTH )
+			printf("(");
+
+		if (labels == IPT_RPC_INT_NUM || labels == IPT_RPC_INT_BTH )
+			printf("%i", proc_num);
+
+		if (labels == IPT_RPC_INT_BTH )
+			printf(")");
+
+	}
+
+}
+
+
+static void help(void) 
+{
+	printf(
+		"RPC v%s options:\n"
+		"  --rpcs list,of,procedures"
+		"\ta list of rpc program numbers to apply\n"
+		"\t\t\t\tie. 100003,mountd,rquotad (numeric or\n"
+		"\t\t\t\tname form; see /etc/rpc).\n"
+		"  --strict"
+		"\t\t\ta flag to force the drop of packets\n"
+		"\t\t\t\tnot containing \"get\" portmapper requests.\n",
+		XTABLES_VERSION);
+}
+
+
+static struct option opts[] = {
+	{ "rpcs", 1, 0, '1'},
+	{ "strict", 0, 0, '2'},
+	{0}
+};
+
+
+static void init(struct xt_entry_match *match)
+{
+	struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
+
+
+
+	/* initialise those funky user vars */
+	rpcinfo->i_procs = -1;
+	rpcinfo->strict  =  0;
+	memset((char *)rpcinfo->c_procs, 0, sizeof(rpcinfo->c_procs));
+}
+
+
+static void parse_rpcs_string(char *string, struct xt_entry_match **match)
+{
+	char err1[64] = "%s invalid --rpcs option-set: `%s' (at character %i)";
+	char err2[64] = "%s unable to resolve rpc name entry: `%s'";
+	char err3[64] = "%s maximum number of --rpc options (%i) exceeded";
+	char buf[256];
+	char *dup = buf;
+	int idup = 0;
+	int term = 0;
+	char *src, *dst;
+	char *c_procs;
+	struct rpcent *rpcent_ptr;
+	struct ipt_rpc_info *rpcinfo = (struct ipt_rpc_info *)(*match)->data;
+
+
+	memset(buf, 0, sizeof(buf));
+
+	for (src=string, dst=buf; term != 1 ; src++, dst++) {
+
+		if ( *src != ',' && *src != '\0' ) {
+			if ( ( *src >= 65 && *src <= 90 ) || ( *src >= 97 && *src <= 122) ) {
+				*dst = *src;
+				idup = 1;
+
+			} else if ( *src >= 48 && *src <= 57 ) {
+				*dst = *src;
+
+			} else {
+				xtables_error(PARAMETER_PROBLEM, err1, preerr,
+					   string, src - string + 1);
+
+			}
+
+		} else {
+			*dst = '\0';
+			if ( idup == 1 ) {
+				if ( (rpcent_ptr = getrpcbyname(dup)) == NULL )
+					xtables_error(PARAMETER_PROBLEM, err2,
+						   preerr, dup);
+				idup = rpcent_ptr->r_number;
+			} else {
+				idup = k_atoi(dup);
+			}
+
+			rpcinfo->i_procs++;
+			if ( rpcinfo->i_procs > IPT_RPC_MAX_ENTS )
+				xtables_error(PARAMETER_PROBLEM, err3, preerr,
+					   IPT_RPC_MAX_ENTS);
+				
+			c_procs  = (char *)rpcinfo->c_procs;
+			c_procs += rpcinfo->i_procs * IPT_RPC_CHAR_LEN;
+			
+			memset(buf, 0, sizeof(buf));
+			k_itoa((char *)dup, idup);
+
+			strcpy(c_procs, dup);
+	
+			if ( *src == '\0')
+				term = 1;
+
+			idup = 0;
+			memset(buf, 0, sizeof(buf));
+			dst = (char *)buf - 1;
+		}
+	}
+
+	return;
+}
+
+
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+		const void *entry,
+		struct xt_entry_match **match)
+{
+	struct ipt_rpc_info *rpcinfo = (struct ipt_rpc_info *)(*match)->data;
+
+
+	switch (c)
+	{
+	case '1':
+		if (invert)
+			xtables_error(PARAMETER_PROBLEM,
+                                   "%s unexpected '!' with --rpcs\n", preerr);
+		if (*flags & IPT_RPC_RPCS)
+                        xtables_error(PARAMETER_PROBLEM,
+                                   "%s repeated use of --rpcs\n", preerr);
+		parse_rpcs_string(optarg, match);
+
+		*flags |= IPT_RPC_RPCS;
+		break;
+
+	case '2':
+		if (invert)
+			xtables_error(PARAMETER_PROBLEM,
+                                   "%s unexpected '!' with --strict\n", preerr);
+		if (*flags & IPT_RPC_STRC)
+                        xtables_error(PARAMETER_PROBLEM,
+                                   "%s repeated use of --strict\n", preerr);
+		rpcinfo->strict = 1;
+		*flags |= IPT_RPC_STRC;
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+
+}
+
+
+static void final_check(unsigned int flags)
+{
+	if (flags != (flags | IPT_RPC_RPCS)) {
+		printf("%s option \"--rpcs\" was not used ... reverting ", preerr);
+		printf("to old \"record-rpc\" functionality ..\n");
+	}
+}
+
+
+static void print(const void *ip,
+		const struct xt_entry_match *match,
+		int numeric)
+{
+	struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
+
+
+	printf("RPCs");
+	if(rpcinfo->strict == 1)
+		printf("[strict]");
+
+	printf(": ");
+
+	if(rpcinfo->i_procs == -1) {
+		printf("any(*)");
+
+	} else {
+		print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_BTH);
+	}
+	printf(" ");
+
+}
+
+
+static void save(const void *ip, const struct xt_entry_match *match)
+{
+	struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
+
+
+	if(rpcinfo->i_procs > -1) {
+		printf("--rpcs ");
+		print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_NUM);
+		printf(" ");
+	}
+
+	if(rpcinfo->strict == 1)
+		printf("--strict ");
+
+}
+
+
+static struct xtables_match rpcstruct = { 
+	.next		= NULL,
+	.name		= "rpc",
+	.version	= XTABLES_VERSION,
+	.size		= XT_ALIGN(sizeof(struct ipt_rpc_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct ipt_rpc_info)),
+	.help		= &help,
+	.init		= &init,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+
+void _init(void)
+{
+	xtables_register_match(&rpcstruct);
+}
+
--- iptables.orig/include/linux/netfilter_ipv4/ipt_rpc.h	1970-01-01 01:00:00.000000000 +0100
+++ iptables/include/linux/netfilter_ipv4/ipt_rpc.h	2006-05-04 11:26:08.000000000 +0200
@@ -0,0 +1,35 @@
+/* RPC extension for IP netfilter matching, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ *	- original rpc tracking module
+ *	- "recent" connection handling for kernel 2.3+ netfilter
+ *
+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
+ *	- upgraded conntrack modules to oldnat api - kernel 2.4.0+
+ *
+ * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ *	- upgraded conntrack modules to newnat api - kernel 2.4.20+
+ *	- extended matching to support filtering on procedures
+ *
+ * ipt_rpc.h.c,v 2.2 2003/01/12 18:30:00
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License
+ *	as published by the Free Software Foundation; either version
+ *	2 of the License, or (at your option) any later version.
+ **
+ */
+
+#ifndef _IPT_RPC_H
+#define _IPT_RPC_H
+
+struct ipt_rpc_data;
+
+struct ipt_rpc_info {
+	int inverse;
+	int strict;
+	const char c_procs[1408];
+	int i_procs;
+	struct ipt_rpc_data *data;
+};
+
+#endif /* _IPT_RPC_H */
Commit	Line	Data
2af8cb4e	1	--- /dev/null 2005-12-16 15:49:47.000000000 +0100
2af8cb4e	2	+++ iptables-1.3.8/extensions/libipt_rpc.c 2006-12-04 12:15:20.000000000 +0100
7cf1e9ff	3	@@ -0,0 +1,372 @@
2af8cb4e	4	+/* RPC extension for IP connection matching, Version 2.2
	5	+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
	6	+ * - original rpc tracking module
	7	+ * - "recent" connection handling for kernel 2.3+ netfilter
	8	+ *
	9	+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
	10	+ * - upgraded conntrack modules to oldnat api - kernel 2.4.0+
	11	+ *
	12	+ * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
	13	+ * - upgraded conntrack modules to newnat api - kernel 2.4.20+
	14	+ * - extended matching to support filtering on procedures
	15	+ *
	16	+ * libipt_rpc.c,v 2.2 2003/01/12 18:30:00
	17	+ *
	18	+ * This program is free software; you can redistribute it and/or
	19	+ * modify it under the terms of the GNU General Public License
	20	+ * as published by the Free Software Foundation; either version
	21	+ * 2 of the License, or (at your option) any later version.
	22	+ **
	23	+ * Userspace library syntax:
	24	+ * --rpc [--rpcs procedure1,procedure2,...procedure128] [--static]
	25	+ *
	26	+ * Procedures can be supplied in either numeric or named formats.
	27	+ * Without --rpcs, this module will behave as the old record-rpc.
	28	+ **
	29	+ * Note to all:
	30	+ *
	31	+ * RPCs should not be exposed to the internet - ask the Pentagon;
	32	+ *
	33	+ * "The unidentified crackers pleaded guilty in July to charges
	34	+ * of juvenile delinquency stemming from a string of Pentagon
	35	+ * network intrusions in February.
	36	+ *
	37	+ * The youths, going by the names TooShort and Makaveli, used
	38	+ * a common server security hole to break in, according to
	39	+ * Dane Jasper, owner of the California Internet service
	40	+ * provider, Sonic. They used the hole, known as the 'statd'
	41	+ * exploit, to attempt more than 800 break-ins, Jasper said."
	42	+ *
	43	+ * From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998
	44	+ * URL: http://www.wired.com/news/politics/0,1283,16098,00.html
	45	+ **
	46	+ */
	47	+
	48	+#include <stdio.h>
	49	+#include <netdb.h>
	50	+#include <string.h>
	51	+#include <stdlib.h>
	52	+#include <getopt.h>
	53	+#include <rpc/rpc.h>
	54	+
	55	+#include <iptables.h>
	56	+#include <linux/netfilter_ipv4/ipt_rpc.h>
	57	+#include <time.h>
	58	+
	59	+
	60	+const int IPT_RPC_RPCS = 1;
	61	+const int IPT_RPC_STRC = 2;
	62	+
	63	+const int IPT_RPC_INT_LBL = 1;
	64	+const int IPT_RPC_INT_NUM = 2;
	65	+const int IPT_RPC_INT_BTH = 3;
	66	+
	67	+const int IPT_RPC_CHAR_LEN = 11;
68	+const int IPT_RPC_MAX_ENTS = 128;
69	+
70	+const char preerr[11] = "RPC match:";
71	+
72	+
73	+static int k_itoa(char *string, int number)
74	+{
75	+ int maxoctet = IPT_RPC_CHAR_LEN - 1;
76	+ int store[IPT_RPC_CHAR_LEN];
77	+ int counter;
78	+
79	+
80	+ for (counter=0 ; maxoctet != 0 && number != 0; counter++, maxoctet--) {
81	+ store[counter] = number / 10;
82	+ store[counter] = number - ( store[counter] * 10 );
83	+ number = number / 10;
84	+ }
85	+
86	+ for ( ; counter != 0; counter--, string++)
87	+ *string = store[counter - 1] + 48;
88	+
89	+ *string = 0;
90	+
91	+ return(0);
92	+}
93	+
94	+
95	+static int k_atoi(char *string)
96	+{
97	+ unsigned int result = 0;
98	+ int maxoctet = IPT_RPC_CHAR_LEN;
99	+
100	+
101	+ for ( ; *string != 0 && maxoctet != 0; maxoctet--, string++) {
102	+ if (*string < 0)
103	+ return(0);
104	+ if (*string == 0)
105	+ break;
106	+ if (string < 48 \|\| string > 57) {
107	+ return(0);
108	+ }
109	+ result = result * 10 + ( *string - 48 );
110	+ }
111	+
112	+ return(result);
113	+}
114	+
115	+
116	+static void print_rpcs(char *c_procs, int i_procs, int labels)
117	+{
118	+ int proc_ctr;
119	+ char *proc_ptr;
120	+ unsigned int proc_num;
121	+ struct rpcent *rpcent;
122	+
123	+
124	+ for (proc_ctr=0; proc_ctr <= i_procs; proc_ctr++) {
125	+
126	+ if ( proc_ctr != 0 )
127	+ printf(",");
128	+
129	+ proc_ptr = c_procs;
130	+ proc_ptr += proc_ctr * IPT_RPC_CHAR_LEN;
131	+ proc_num = k_atoi(proc_ptr);
132	+
133	+ /* labels(1) == no labels, only numbers
134	+ * labels(2) == no numbers, only labels
135	+ * labels(3) == both labels and numbers
136	+ */
137	+
138	+ if (labels == IPT_RPC_INT_LBL \|\| labels == IPT_RPC_INT_BTH ) {
139	+ if ( (rpcent = getrpcbynumber(proc_num)) == NULL )
140	+ printf("unknown");
141	+ else
142	+ printf("%s", rpcent->r_name);
143	+ }
144	+
145	+ if (labels == IPT_RPC_INT_BTH )
146	+ printf("(");
147	+
148	+ if (labels == IPT_RPC_INT_NUM \|\| labels == IPT_RPC_INT_BTH )
149	+ printf("%i", proc_num);
150	+
151	+ if (labels == IPT_RPC_INT_BTH )
152	+ printf(")");
153	+
154	+ }
155	+
156	+}
157	+
158	+
159	+static void help(void)
160	+{
161	+ printf(
162	+ "RPC v%s options:\n"
163	+ " --rpcs list,of,procedures"
164	+ "\ta list of rpc program numbers to apply\n"
165	+ "\t\t\t\tie. 100003,mountd,rquotad (numeric or\n"
166	+ "\t\t\t\tname form; see /etc/rpc).\n"
167	+ " --strict"
168	+ "\t\t\ta flag to force the drop of packets\n"
169	+ "\t\t\t\tnot containing \"get\" portmapper requests.\n",
cf6c4456	170	+ XTABLES_VERSION);
2af8cb4e	171	+}
	172	+
	173	+
	174	+static struct option opts[] = {
	175	+ { "rpcs", 1, 0, '1'},
	176	+ { "strict", 0, 0, '2'},
	177	+ {0}
	178	+};
	179	+
	180	+
7cf1e9ff	181	+static void init(struct xt_entry_match *match)
2af8cb4e	182	+{
	183	+ struct ipt_rpc_info rpcinfo = ((struct ipt_rpc_info )match->data);
	184	+
	185	+
	186	+
	187	+ /* initialise those funky user vars */
	188	+ rpcinfo->i_procs = -1;
	189	+ rpcinfo->strict = 0;
	190	+ memset((char *)rpcinfo->c_procs, 0, sizeof(rpcinfo->c_procs));
	191	+}
	192	+
	193	+
7cf1e9ff	194	+static void parse_rpcs_string(char string, struct xt_entry_match *match)
2af8cb4e	195	+{
	196	+ char err1[64] = "%s invalid --rpcs option-set: `%s' (at character %i)";
	197	+ char err2[64] = "%s unable to resolve rpc name entry: `%s'";
	198	+ char err3[64] = "%s maximum number of --rpc options (%i) exceeded";
	199	+ char buf[256];
	200	+ char *dup = buf;
	201	+ int idup = 0;
	202	+ int term = 0;
	203	+ char src, dst;
	204	+ char *c_procs;
	205	+ struct rpcent *rpcent_ptr;
	206	+ struct ipt_rpc_info rpcinfo = (struct ipt_rpc_info )(*match)->data;
	207	+
	208	+
	209	+ memset(buf, 0, sizeof(buf));
	210	+
	211	+ for (src=string, dst=buf; term != 1 ; src++, dst++) {
	212	+
	213	+ if ( src != ',' && src != '\0' ) {
	214	+ if ( ( src >= 65 && src <= 90 ) \|\| ( src >= 97 && src <= 122) ) {
	215	+ dst = src;
	216	+ idup = 1;
	217	+
	218	+ } else if ( src >= 48 && src <= 57 ) {
	219	+ dst = src;
	220	+
	221	+ } else {
fd6db329	222	+ xtables_error(PARAMETER_PROBLEM, err1, preerr,
2af8cb4e	223	+ string, src - string + 1);
	224	+
	225	+ }
	226	+
	227	+ } else {
	228	+ *dst = '\0';
	229	+ if ( idup == 1 ) {
	230	+ if ( (rpcent_ptr = getrpcbyname(dup)) == NULL )
fd6db329	231	+ xtables_error(PARAMETER_PROBLEM, err2,
2af8cb4e	232	+ preerr, dup);
	233	+ idup = rpcent_ptr->r_number;
	234	+ } else {
	235	+ idup = k_atoi(dup);
	236	+ }
	237	+
	238	+ rpcinfo->i_procs++;
	239	+ if ( rpcinfo->i_procs > IPT_RPC_MAX_ENTS )
fd6db329	240	+ xtables_error(PARAMETER_PROBLEM, err3, preerr,
2af8cb4e	241	+ IPT_RPC_MAX_ENTS);
	242	+
	243	+ c_procs = (char *)rpcinfo->c_procs;
	244	+ c_procs += rpcinfo->i_procs * IPT_RPC_CHAR_LEN;
	245	+
	246	+ memset(buf, 0, sizeof(buf));
	247	+ k_itoa((char *)dup, idup);
	248	+
	249	+ strcpy(c_procs, dup);
	250	+
	251	+ if ( *src == '\0')
	252	+ term = 1;
	253	+
	254	+ idup = 0;
	255	+ memset(buf, 0, sizeof(buf));
	256	+ dst = (char *)buf - 1;
	257	+ }
	258	+ }
	259	+
	260	+ return;
	261	+}
	262	+
	263	+
	264	+static int parse(int c, char *argv, int invert, unsigned int flags,
7cf1e9ff	265	+ const void *entry,
7cf1e9ff	266	+ struct xt_entry_match **match)
2af8cb4e	267	+{
	268	+ struct ipt_rpc_info rpcinfo = (struct ipt_rpc_info )(*match)->data;
	269	+
	270	+
	271	+ switch (c)
	272	+ {
	273	+ case '1':
	274	+ if (invert)
fd6db329	275	+ xtables_error(PARAMETER_PROBLEM,
2af8cb4e	276	+ "%s unexpected '!' with --rpcs\n", preerr);
2af8cb4e	277	+ if (*flags & IPT_RPC_RPCS)
fd6db329	278	+ xtables_error(PARAMETER_PROBLEM,
2af8cb4e	279	+ "%s repeated use of --rpcs\n", preerr);
	280	+ parse_rpcs_string(optarg, match);
	281	+
	282	+ *flags \|= IPT_RPC_RPCS;
	283	+ break;
	284	+
	285	+ case '2':
	286	+ if (invert)
fd6db329	287	+ xtables_error(PARAMETER_PROBLEM,
2af8cb4e	288	+ "%s unexpected '!' with --strict\n", preerr);
2af8cb4e	289	+ if (*flags & IPT_RPC_STRC)
fd6db329	290	+ xtables_error(PARAMETER_PROBLEM,
2af8cb4e	291	+ "%s repeated use of --strict\n", preerr);
	292	+ rpcinfo->strict = 1;
	293	+ *flags \|= IPT_RPC_STRC;
	294	+ break;
	295	+
	296	+ default:
	297	+ return 0;
	298	+ }
	299	+
	300	+ return 1;
	301	+
	302	+}
	303	+
	304	+
	305	+static void final_check(unsigned int flags)
	306	+{
	307	+ if (flags != (flags \| IPT_RPC_RPCS)) {
	308	+ printf("%s option \"--rpcs\" was not used ... reverting ", preerr);
	309	+ printf("to old \"record-rpc\" functionality ..\n");
	310	+ }
	311	+}
	312	+
	313	+
7cf1e9ff	314	+static void print(const void *ip,
7cf1e9ff	315	+ const struct xt_entry_match *match,
2af8cb4e	316	+ int numeric)
	317	+{
	318	+ struct ipt_rpc_info rpcinfo = ((struct ipt_rpc_info )match->data);
	319	+
	320	+
	321	+ printf("RPCs");
	322	+ if(rpcinfo->strict == 1)
	323	+ printf("[strict]");
	324	+
	325	+ printf(": ");
	326	+
	327	+ if(rpcinfo->i_procs == -1) {
	328	+ printf("any(*)");
	329	+
	330	+ } else {
	331	+ print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_BTH);
	332	+ }
	333	+ printf(" ");
	334	+
	335	+}
	336	+
	337	+
7cf1e9ff	338	+static void save(const void ip, const struct xt_entry_match match)
2af8cb4e	339	+{
	340	+ struct ipt_rpc_info rpcinfo = ((struct ipt_rpc_info )match->data);
	341	+
	342	+
	343	+ if(rpcinfo->i_procs > -1) {
	344	+ printf("--rpcs ");
	345	+ print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_NUM);
	346	+ printf(" ");
	347	+ }
	348	+
	349	+ if(rpcinfo->strict == 1)
	350	+ printf("--strict ");
	351	+
	352	+}
	353	+
	354	+
cf6c4456	355	+static struct xtables_match rpcstruct = {
2af8cb4e	356	+ .next = NULL,
2af8cb4e	357	+ .name = "rpc",
cf6c4456	358	+ .version = XTABLES_VERSION,
9b1e8e39 AM	359	+ .size = XT_ALIGN(sizeof(struct ipt_rpc_info)),
9b1e8e39 AM	360	+ .userspacesize = XT_ALIGN(sizeof(struct ipt_rpc_info)),
2af8cb4e	361	+ .help = &help,
	362	+ .init = &init,
	363	+ .parse = &parse,
	364	+ .final_check = &final_check,
	365	+ .print = &print,
	366	+ .save = &save,
	367	+ .extra_opts = opts
	368	+};
	369	+
	370	+
	371	+void _init(void)
	372	+{
cf6c4456	373	+ xtables_register_match(&rpcstruct);
2af8cb4e	374	+}
2af8cb4e	375	+
11e85ced JB	376	--- iptables.orig/include/linux/netfilter_ipv4/ipt_rpc.h 1970-01-01 01:00:00.000000000 +0100
	377	+++ iptables/include/linux/netfilter_ipv4/ipt_rpc.h 2006-05-04 11:26:08.000000000 +0200
	378	@@ -0,0 +1,35 @@
	379	+/* RPC extension for IP netfilter matching, Version 2.2
	380	+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
	381	+ * - original rpc tracking module
	382	+ * - "recent" connection handling for kernel 2.3+ netfilter
	383	+ *
	384	+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
	385	+ * - upgraded conntrack modules to oldnat api - kernel 2.4.0+
	386	+ *
	387	+ * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
	388	+ * - upgraded conntrack modules to newnat api - kernel 2.4.20+
	389	+ * - extended matching to support filtering on procedures
	390	+ *
	391	+ * ipt_rpc.h.c,v 2.2 2003/01/12 18:30:00
	392	+ *
	393	+ * This program is free software; you can redistribute it and/or
	394	+ * modify it under the terms of the GNU General Public License
	395	+ * as published by the Free Software Foundation; either version
	396	+ * 2 of the License, or (at your option) any later version.
	397	+ **
	398	+ */
	399	+
	400	+#ifndef _IPT_RPC_H
	401	+#define _IPT_RPC_H
	402	+
	403	+struct ipt_rpc_data;
	404	+
	405	+struct ipt_rpc_info {
	406	+ int inverse;
	407	+ int strict;
	408	+ const char c_procs[1408];
	409	+ int i_procs;
	410	+ struct ipt_rpc_data *data;
	411	+};
	412	+
	413	+#endif /* _IPT_RPC_H */