[packages/iptables.git] / iptables-prestate.patch

--- userspace/iptables.8.orig	Wed May  8 15:28:35 2002
+++ userspace/iptables.8	Wed May  8 15:31:54 2002
@@ -104,6 +104,11 @@
 (for altering packets as soon as they come in), OUTPUT (for altering
 locally-generated packets before routing), and POSTROUTING (for
 altering packets as they are about to go out).
+.BR "prestate"
+This table is consulted first as a packet enters the netfilter framework. 
+It contains two built-in chains: PREROUTING (for selecting incoming
+packets) and OUTPUT (for selecting locally-generated packets). It can
+be used to force conntrack/NAT to ignore the selected packets.
 .TP
 .B "mangle"
 This table is used for specialized packet alteration.  Until kernel
@@ -556,6 +561,13 @@
 meaning that the packet is starting a new connection, but is
 associated with an existing connection, such as an FTP data transfer,
 or an ICMP error.
+.B NONE
+meaning that the connection tracking code was forced to ignore the
+packet by the
+.B NOTRACK
+target of the
+.B prestate
+table and thus there is no state information available.
 .SS tos
 This module matches the 8 bits of Type of Service field in the IP
 header (ie. including the precedence bits). 
@@ -812,6 +824,23 @@
 accumulates ten packets inside the kernel and transmits them as one
 netlink multipart message to userspace.  Default is 1 (for backwards
 compatibility).
+.SS NOTRACK
+This target extension is built into the
+.B prestate
+table extension. It can be used to mark packets, so that those are
+ignored by the underlying conntrack module and the
+.B nat
+table. In consequence, those packets are not seen by the conntrack/NAT
+helpers and the state of their related packets (if those are not marked 
+by
+.B
+NOTRACK
+as well) are
+.B
+INVALID
+(!) instead of
+.B
+RELATED.
 .SS TCPMSS
 This target allows to alter the MSS value of TCP SYN packets, to control
 the maximum size for that connection (usually limiting it to your
diff -urN --exclude-from=diff.exclude userspace/extensions.orig/.NOTRACK-test userspace/extensions/.NOTRACK-test
--- userspace/extensions.orig/.NOTRACK-test	Thu Jan  1 01:00:00 1970
+++ userspace/extensions/.NOTRACK-test	Wed May  9 22:05:17 2001
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -n "`grep NFC_NOTRACK $KERNEL_DIR/include/linux/netfilter.h 2>/dev/null`" ] && echo NOTRACK
diff -urN --exclude-from=diff.exclude userspace/extensions.orig/libipt_NOTRACK.c userspace/extensions/libipt_NOTRACK.c
--- userspace/extensions.orig/libipt_NOTRACK.c	Thu Jan  1 01:00:00 1970
+++ userspace/extensions/libipt_NOTRACK.c	Wed May  9 22:05:17 2001
@@ -0,0 +1,75 @@
+/* Shared library add-on to iptables for the NOTRACK target,
+ *	the simplest target ever added to netfilter...
+ *
+ * (C) 2001 by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is distributed under the terms of GNU GPL
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <iptables.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+static void init(struct ipt_entry_target *t, unsigned int *nfcache) 
+{
+}
+
+static void help(void) 
+{
+	printf(
+"NOTRACK target\n"		"No options\n"
+);
+}
+
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+		const struct ipt_entry *entry,
+		struct ipt_entry_target **target)
+{
+	if (optarg) 
+		exit_error(PARAMETER_PROBLEM, 
+				"NOTRACK: You must not speficy an option");
+
+	if (check_inverse(optarg, &invert, NULL, 0))
+		exit_error(PARAMETER_PROBLEM,
+				"NOTRACK: unexpected `!'");
+	
+	return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+}
+
+static void save(const struct ipt_ip *ip,
+		const struct ipt_entry_target *target)
+{
+}
+
+static void print(const struct ipt_ip *ip,
+		const struct ipt_entry_target *target, int numeric)
+{
+}
+
+static struct option opts[] = { };
+
+struct iptables_target NOTRACK = { NULL, 
+	"NOTRACK",
+	NETFILTER_VERSION,
+	IPT_ALIGN(0),
+	IPT_ALIGN(0),
+	&help,
+	&init,
+	&parse,
+	&final_check,
+	&print,
+	&save,
+	opts 
+};
+
+void _init(void)
+{
+	register_target(&NOTRACK);
+}
diff -urN --exclude-from=diff.exclude userspace/extensions.orig/libipt_state.c userspace/extensions/libipt_state.c
--- userspace/extensions.orig/libipt_state.c	Mon Jul  3 12:17:58 2000
+++ userspace/extensions/libipt_state.c	Thu May 10 07:38:24 2001
@@ -43,6 +43,8 @@
 		sinfo->statemask |= IPT_STATE_BIT(IP_CT_ESTABLISHED);
 	else if (strncasecmp(state, "RELATED", strlen) == 0)
 		sinfo->statemask |= IPT_STATE_BIT(IP_CT_RELATED);
+	else if (strncasecmp(state, "NONE", strlen) == 0)
+		sinfo->statemask |= IPT_STATE_NONE;
 	else
 		return 0;
 	return 1;
@@ -116,6 +118,10 @@
 	}
 	if (statemask & IPT_STATE_BIT(IP_CT_ESTABLISHED)) {
 		printf("%sESTABLISHED", sep);
+		sep = ",";
+	}
+	if (statemask & IPT_STATE_NONE) {
+		printf("%sNONE", sep);
 		sep = ",";
 	}
 	printf(" ");
diff -urN --exclude-from=diff.exclude userspace/libiptc.orig/libip4tc.c userspace/libiptc/libip4tc.c
--- userspace/libiptc.orig/libip4tc.c	Fri Jan  5 16:22:59 2001
+++ userspace/libiptc/libip4tc.c	Wed May  9 22:05:17 2001
@@ -401,6 +401,19 @@
 		assert(h->info.hook_entry[NF_IP_DROPPING] == 0);
 		user_offset = 0;
 #endif
+	} else if (strcmp(h->info.name, "prestate") == 0) {
+		assert(h->info.valid_hooks
+		       == (1 << NF_IP_PRE_ROUTING
+			   | 1 << NF_IP_LOCAL_OUT));
+
+		/* Hooks should be first two */
+		assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
+
+		n = get_chain_end(h, 0);
+		n += get_entry(h, n)->next_offset;
+		assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
+
+		user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
 	} else {
 		fprintf(stderr, "Unknown table `%s'\n", h->info.name);
 		abort();
Commit	Line	Data
d7cf13cc	1	--- userspace/iptables.8.orig Wed May 8 15:28:35 2002
	2	+++ userspace/iptables.8 Wed May 8 15:31:54 2002
	3	@@ -104,6 +104,11 @@
	4	(for altering packets as soon as they come in), OUTPUT (for altering
	5	locally-generated packets before routing), and POSTROUTING (for
	6	altering packets as they are about to go out).
3ec39b81 JR	7	+.BR "prestate"
	8	+This table is consulted first as a packet enters the netfilter framework.
	9	+It contains two built-in chains: PREROUTING (for selecting incoming
	10	+packets) and OUTPUT (for selecting locally-generated packets). It can
	11	+be used to force conntrack/NAT to ignore the selected packets.
d7cf13cc	12	.TP
	13	.B "mangle"
	14	This table is used for specialized packet alteration. Until kernel
	15	@@ -556,6 +561,13 @@
3ec39b81 JR	16	meaning that the packet is starting a new connection, but is
	17	associated with an existing connection, such as an FTP data transfer,
	18	or an ICMP error.
	19	+.B NONE
	20	+meaning that the connection tracking code was forced to ignore the
	21	+packet by the
	22	+.B NOTRACK
	23	+target of the
	24	+.B prestate
	25	+table and thus there is no state information available.
d7cf13cc	26	.SS tos
	27	This module matches the 8 bits of Type of Service field in the IP
	28	header (ie. including the precedence bits).
	29	@@ -812,6 +824,23 @@
3ec39b81	30	accumulates ten packets inside the kernel and transmits them as one
d7cf13cc	31	netlink multipart message to userspace. Default is 1 (for backwards
d7cf13cc	32	compatibility).
3ec39b81 JR	33	+.SS NOTRACK
	34	+This target extension is built into the
	35	+.B prestate
	36	+table extension. It can be used to mark packets, so that those are
	37	+ignored by the underlying conntrack module and the
	38	+.B nat
	39	+table. In consequence, those packets are not seen by the conntrack/NAT
	40	+helpers and the state of their related packets (if those are not marked
	41	+by
	42	+.B
	43	+NOTRACK
	44	+as well) are
	45	+.B
	46	+INVALID
	47	+(!) instead of
	48	+.B
	49	+RELATED.
d7cf13cc	50	.SS TCPMSS
	51	This target allows to alter the MSS value of TCP SYN packets, to control
	52	the maximum size for that connection (usually limiting it to your
3ec39b81 JR	53	diff -urN --exclude-from=diff.exclude userspace/extensions.orig/.NOTRACK-test userspace/extensions/.NOTRACK-test
	54	--- userspace/extensions.orig/.NOTRACK-test Thu Jan 1 01:00:00 1970
	55	+++ userspace/extensions/.NOTRACK-test Wed May 9 22:05:17 2001
	56	@@ -0,0 +1,2 @@
	57	+#! /bin/sh
	58	+[ -n "`grep NFC_NOTRACK $KERNEL_DIR/include/linux/netfilter.h 2>/dev/null`" ] && echo NOTRACK
	59	diff -urN --exclude-from=diff.exclude userspace/extensions.orig/libipt_NOTRACK.c userspace/extensions/libipt_NOTRACK.c
	60	--- userspace/extensions.orig/libipt_NOTRACK.c Thu Jan 1 01:00:00 1970
	61	+++ userspace/extensions/libipt_NOTRACK.c Wed May 9 22:05:17 2001
	62	@@ -0,0 +1,75 @@
	63	+/* Shared library add-on to iptables for the NOTRACK target,
	64	+ * the simplest target ever added to netfilter...
	65	+ *
	66	+ * (C) 2001 by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	67	+ *
	68	+ * This program is distributed under the terms of GNU GPL
	69	+ */
	70	+#include <stdio.h>
	71	+#include <string.h>
	72	+#include <stdlib.h>
	73	+#include <getopt.h>
	74	+#include <iptables.h>
	75	+
	76	+#include <linux/netfilter_ipv4/ip_tables.h>
	77	+
	78	+static void init(struct ipt_entry_target t, unsigned int nfcache)
	79	+{
	80	+}
	81	+
	82	+static void help(void)
	83	+{
	84	+ printf(
	85	+"NOTRACK target\n" "No options\n"
	86	+);
	87	+}
	88	+
	89	+static int parse(int c, char *argv, int invert, unsigned int flags,
	90	+ const struct ipt_entry *entry,
	91	+ struct ipt_entry_target **target)
	92	+{
	93	+ if (optarg)
	94	+ exit_error(PARAMETER_PROBLEM,
	95	+ "NOTRACK: You must not speficy an option");
	96	+
d7cf13cc	97	+ if (check_inverse(optarg, &invert, NULL, 0))
3ec39b81 JR	98	+ exit_error(PARAMETER_PROBLEM,
	99	+ "NOTRACK: unexpected `!'");
	100	+
	101	+ return 1;
	102	+}
	103	+
	104	+static void final_check(unsigned int flags)
	105	+{
	106	+}
	107	+
	108	+static void save(const struct ipt_ip *ip,
	109	+ const struct ipt_entry_target *target)
	110	+{
	111	+}
	112	+
	113	+static void print(const struct ipt_ip *ip,
	114	+ const struct ipt_entry_target *target, int numeric)
	115	+{
	116	+}
	117	+
	118	+static struct option opts[] = { };
	119	+
	120	+struct iptables_target NOTRACK = { NULL,
	121	+ "NOTRACK",
	122	+ NETFILTER_VERSION,
	123	+ IPT_ALIGN(0),
	124	+ IPT_ALIGN(0),
	125	+ &help,
	126	+ &init,
	127	+ &parse,
	128	+ &final_check,
	129	+ &print,
	130	+ &save,
	131	+ opts
	132	+};
	133	+
	134	+void _init(void)
	135	+{
	136	+ register_target(&NOTRACK);
	137	+}
	138	diff -urN --exclude-from=diff.exclude userspace/extensions.orig/libipt_state.c userspace/extensions/libipt_state.c
	139	--- userspace/extensions.orig/libipt_state.c Mon Jul 3 12:17:58 2000
	140	+++ userspace/extensions/libipt_state.c Thu May 10 07:38:24 2001
	141	@@ -43,6 +43,8 @@
	142	sinfo->statemask \|= IPT_STATE_BIT(IP_CT_ESTABLISHED);
	143	else if (strncasecmp(state, "RELATED", strlen) == 0)
	144	sinfo->statemask \|= IPT_STATE_BIT(IP_CT_RELATED);
	145	+ else if (strncasecmp(state, "NONE", strlen) == 0)
	146	+ sinfo->statemask \|= IPT_STATE_NONE;
	147	else
	148	return 0;
	149	return 1;
	150	@@ -116,6 +118,10 @@
	151	}
	152	if (statemask & IPT_STATE_BIT(IP_CT_ESTABLISHED)) {
	153	printf("%sESTABLISHED", sep);
	154	+ sep = ",";
	155	+ }
	156	+ if (statemask & IPT_STATE_NONE) {
	157	+ printf("%sNONE", sep);
	158	sep = ",";
	159	}
	160	printf(" ");
	161	diff -urN --exclude-from=diff.exclude userspace/libiptc.orig/libip4tc.c userspace/libiptc/libip4tc.c
162	--- userspace/libiptc.orig/libip4tc.c Fri Jan 5 16:22:59 2001
163	+++ userspace/libiptc/libip4tc.c Wed May 9 22:05:17 2001
164	@@ -401,6 +401,19 @@
165	assert(h->info.hook_entry[NF_IP_DROPPING] == 0);
166	user_offset = 0;
167	#endif
168	+ } else if (strcmp(h->info.name, "prestate") == 0) {
169	+ assert(h->info.valid_hooks
170	+ == (1 << NF_IP_PRE_ROUTING
171	+ \| 1 << NF_IP_LOCAL_OUT));
172	+
173	+ /* Hooks should be first two */
174	+ assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
175	+
176	+ n = get_chain_end(h, 0);
177	+ n += get_entry(h, n)->next_offset;
178	+ assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
179	+
180	+ user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
181	} else {
182	fprintf(stderr, "Unknown table `%s'\n", h->info.name);
183	abort();