]>
Commit | Line | Data |
---|---|---|
1dc2fa68 | 1 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ip_conntrack_helper.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ip_conntrack_helper.h |
2 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ip_conntrack_helper.h 2004-03-04 06:16:37.000000000 +0000 | |
3 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ip_conntrack_helper.h 2004-03-04 08:39:18.000000000 +0000 | |
4 | @@ -35,9 +35,13 @@ | |
5 | ||
6 | extern struct ip_conntrack_helper *ip_ct_find_helper(const struct ip_conntrack_tuple *tuple); | |
7 | ||
8 | + | |
9 | +/* Allocate space for an expectation: this is mandatory before calling | |
10 | + ip_conntrack_expect_related. */ | |
11 | +extern int ip_conntrack_expect_alloc(struct ip_conntrack_expect **new); | |
12 | /* Add an expected connection: can have more than one per connection */ | |
13 | -extern int ip_conntrack_expect_related(struct ip_conntrack *related_to, | |
14 | - struct ip_conntrack_expect *exp); | |
15 | +extern int ip_conntrack_expect_related(struct ip_conntrack_expect *exp, | |
16 | + struct ip_conntrack *related_to); | |
17 | extern int ip_conntrack_change_expect(struct ip_conntrack_expect *expect, | |
18 | struct ip_conntrack_tuple *newtuple); | |
19 | extern void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp); | |
20 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_TTL.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_TTL.h | |
21 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_TTL.h 1970-01-01 00:00:00.000000000 +0000 | |
22 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_TTL.h 2004-03-04 08:39:28.000000000 +0000 | |
23 | @@ -0,0 +1,21 @@ | |
24 | +/* TTL modification module for IP tables | |
25 | + * (C) 2000 by Harald Welte <laforge@gnumonks.org> */ | |
26 | + | |
27 | +#ifndef _IPT_TTL_H | |
28 | +#define _IPT_TTL_H | |
29 | + | |
30 | +enum { | |
31 | + IPT_TTL_SET = 0, | |
32 | + IPT_TTL_INC, | |
33 | + IPT_TTL_DEC | |
34 | +}; | |
35 | + | |
36 | +#define IPT_TTL_MAXMODE IPT_TTL_DEC | |
37 | + | |
38 | +struct ipt_TTL_info { | |
39 | + u_int8_t mode; | |
40 | + u_int8_t ttl; | |
41 | +}; | |
42 | + | |
43 | + | |
44 | +#endif | |
45 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_connlimit.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_connlimit.h | |
46 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 00:00:00.000000000 +0000 | |
47 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_connlimit.h 2004-03-04 08:39:29.000000000 +0000 | |
48 | @@ -0,0 +1,12 @@ | |
49 | +#ifndef _IPT_CONNLIMIT_H | |
50 | +#define _IPT_CONNLIMIT_H | |
51 | + | |
52 | +struct ipt_connlimit_data; | |
53 | + | |
54 | +struct ipt_connlimit_info { | |
55 | + int limit; | |
56 | + int inverse; | |
57 | + u_int32_t mask; | |
58 | + struct ipt_connlimit_data *data; | |
59 | +}; | |
60 | +#endif /* _IPT_CONNLIMIT_H */ | |
61 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_dstlimit.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_dstlimit.h | |
62 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_dstlimit.h 1970-01-01 00:00:00.000000000 +0000 | |
63 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_dstlimit.h 2004-03-04 08:39:30.000000000 +0000 | |
64 | @@ -0,0 +1,39 @@ | |
65 | +#ifndef _IPT_DSTLIMIT_H | |
66 | +#define _IPT_DSTLIMIT_H | |
67 | + | |
68 | +/* timings are in milliseconds. */ | |
69 | +#define IPT_DSTLIMIT_SCALE 10000 | |
70 | +/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 | |
71 | + seconds, or one every 59 hours. */ | |
72 | + | |
73 | +/* details of this structure hidden by the implementation */ | |
74 | +struct ipt_dstlimit_htable; | |
75 | + | |
76 | +#define IPT_DSTLIMIT_HASH_DIP 0x0001 | |
77 | +#define IPT_DSTLIMIT_HASH_DPT 0x0002 | |
78 | +#define IPT_DSTLIMIT_HASH_SIP 0x0004 | |
79 | + | |
80 | +struct dstlimit_cfg { | |
81 | + u_int32_t mode; /* bitmask of IPT_DSTLIMIT_HASH_* */ | |
82 | + u_int32_t avg; /* Average secs between packets * scale */ | |
83 | + u_int32_t burst; /* Period multiplier for upper limit. */ | |
84 | + | |
85 | + /* user specified */ | |
86 | + u_int32_t size; /* how many buckets */ | |
87 | + u_int32_t max; /* max number of entries */ | |
88 | + u_int32_t gc_interval; /* gc interval */ | |
89 | + u_int32_t expire; /* when do entries expire? */ | |
90 | +}; | |
91 | + | |
92 | +struct ipt_dstlimit_info { | |
93 | + char name [IFNAMSIZ]; /* name */ | |
94 | + struct dstlimit_cfg cfg; | |
95 | + struct ipt_dstlimit_htable *hinfo; | |
96 | + | |
97 | + /* Used internally by the kernel */ | |
98 | + union { | |
99 | + void *ptr; | |
100 | + struct ipt_dstlimit_info *master; | |
101 | + } u; | |
102 | +}; | |
103 | +#endif /*_IPT_DSTLIMIT_H*/ | |
104 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_fuzzy.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_fuzzy.h | |
105 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_fuzzy.h 1970-01-01 00:00:00.000000000 +0000 | |
106 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_fuzzy.h 2004-03-04 08:39:30.000000000 +0000 | |
107 | @@ -0,0 +1,21 @@ | |
108 | +#ifndef _IPT_FUZZY_H | |
109 | +#define _IPT_FUZZY_H | |
110 | + | |
111 | +#include <linux/param.h> | |
112 | +#include <linux/types.h> | |
113 | + | |
114 | +#define MAXFUZZYRATE 10000000 | |
115 | +#define MINFUZZYRATE 3 | |
116 | + | |
117 | +struct ipt_fuzzy_info { | |
118 | + u_int32_t minimum_rate; | |
119 | + u_int32_t maximum_rate; | |
120 | + u_int32_t packets_total; | |
121 | + u_int32_t bytes_total; | |
122 | + u_int32_t previous_time; | |
123 | + u_int32_t present_time; | |
124 | + u_int32_t mean_rate; | |
125 | + u_int8_t acceptance_rate; | |
126 | +}; | |
127 | + | |
128 | +#endif /*_IPT_FUZZY_H*/ | |
129 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_ipv4options.h | |
130 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 00:00:00.000000000 +0000 | |
131 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_ipv4options.h 2004-03-04 08:39:31.000000000 +0000 | |
132 | @@ -0,0 +1,21 @@ | |
133 | +#ifndef __ipt_ipv4options_h_included__ | |
134 | +#define __ipt_ipv4options_h_included__ | |
135 | + | |
136 | +#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */ | |
137 | +#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */ | |
138 | +#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */ | |
139 | +#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */ | |
140 | +#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10 | |
141 | +#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */ | |
142 | +#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40 | |
143 | +#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */ | |
144 | +#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100 | |
145 | +#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */ | |
146 | +#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */ | |
147 | + | |
148 | +struct ipt_ipv4options_info { | |
149 | + u_int16_t options; | |
150 | +}; | |
151 | + | |
152 | + | |
153 | +#endif /* __ipt_ipv4options_h_included__ */ | |
154 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_mport.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_mport.h | |
155 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_mport.h 1970-01-01 00:00:00.000000000 +0000 | |
156 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_mport.h 2004-03-04 08:39:33.000000000 +0000 | |
157 | @@ -0,0 +1,24 @@ | |
158 | +#ifndef _IPT_MPORT_H | |
159 | +#define _IPT_MPORT_H | |
160 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
161 | + | |
162 | +#define IPT_MPORT_SOURCE (1<<0) | |
163 | +#define IPT_MPORT_DESTINATION (1<<1) | |
164 | +#define IPT_MPORT_EITHER (IPT_MPORT_SOURCE|IPT_MPORT_DESTINATION) | |
165 | + | |
166 | +#define IPT_MULTI_PORTS 15 | |
167 | + | |
168 | +/* Must fit inside union ipt_matchinfo: 32 bytes */ | |
169 | +/* every entry in ports[] except for the last one has one bit in pflags | |
170 | + * associated with it. If this bit is set, the port is the first port of | |
171 | + * a portrange, with the next entry being the last. | |
172 | + * End of list is marked with pflags bit set and port=65535. | |
173 | + * If 14 ports are used (last one does not have a pflag), the last port | |
174 | + * is repeated to fill the last entry in ports[] */ | |
175 | +struct ipt_mport | |
176 | +{ | |
177 | + u_int8_t flags:2; /* Type of comparison */ | |
178 | + u_int16_t pflags:14; /* Port flags */ | |
179 | + u_int16_t ports[IPT_MULTI_PORTS]; /* Ports */ | |
180 | +}; | |
181 | +#endif /*_IPT_MPORT_H*/ | |
182 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_nth.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_nth.h | |
183 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_nth.h 1970-01-01 00:00:00.000000000 +0000 | |
184 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_nth.h 2004-03-04 08:39:34.000000000 +0000 | |
185 | @@ -0,0 +1,19 @@ | |
186 | +#ifndef _IPT_NTH_H | |
187 | +#define _IPT_NTH_H | |
188 | + | |
189 | +#include <linux/param.h> | |
190 | +#include <linux/types.h> | |
191 | + | |
192 | +#ifndef IPT_NTH_NUM_COUNTERS | |
193 | +#define IPT_NTH_NUM_COUNTERS 16 | |
194 | +#endif | |
195 | + | |
196 | +struct ipt_nth_info { | |
197 | + u_int8_t every; | |
198 | + u_int8_t not; | |
199 | + u_int8_t startat; | |
200 | + u_int8_t counter; | |
201 | + u_int8_t packet; | |
202 | +}; | |
203 | + | |
204 | +#endif /*_IPT_NTH_H*/ | |
205 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_quota.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_quota.h | |
206 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_quota.h 1970-01-01 00:00:00.000000000 +0000 | |
207 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_quota.h 2004-03-04 08:39:36.000000000 +0000 | |
208 | @@ -0,0 +1,11 @@ | |
209 | +#ifndef _IPT_QUOTA_H | |
210 | +#define _IPT_QUOTA_H | |
211 | + | |
212 | +/* print debug info in both kernel/netfilter module & iptable library */ | |
213 | +//#define DEBUG_IPT_QUOTA | |
214 | + | |
215 | +struct ipt_quota_info { | |
216 | + u_int64_t quota; | |
217 | +}; | |
218 | + | |
219 | +#endif /*_IPT_QUOTA_H*/ | |
220 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_realm.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_realm.h | |
221 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_realm.h 1970-01-01 00:00:00.000000000 +0000 | |
222 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_realm.h 2004-03-04 08:39:54.000000000 +0000 | |
223 | @@ -0,0 +1,9 @@ | |
224 | +#ifndef _IPT_REALM_H | |
225 | +#define _IPT_REALM_H | |
226 | + | |
227 | +struct ipt_realm_info { | |
228 | + u_int32_t id; | |
229 | + u_int32_t mask; | |
230 | + u_int8_t invert; | |
231 | +}; | |
232 | +#endif /*_IPT_REALM_H*/ | |
233 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_sctp.h | |
234 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_sctp.h 1970-01-01 00:00:00.000000000 +0000 | |
235 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_sctp.h 2004-03-04 08:39:55.000000000 +0000 | |
236 | @@ -0,0 +1,107 @@ | |
237 | +#ifndef _IPT_SCTP_H_ | |
238 | +#define _IPT_SCTP_H_ | |
239 | + | |
240 | +#define IPT_SCTP_SRC_PORTS 0x01 | |
241 | +#define IPT_SCTP_DEST_PORTS 0x02 | |
242 | +#define IPT_SCTP_CHUNK_TYPES 0x04 | |
243 | + | |
244 | +#define IPT_SCTP_VALID_FLAGS 0x07 | |
245 | + | |
246 | +#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0])) | |
247 | + | |
248 | + | |
249 | +struct ipt_sctp_flag_info { | |
250 | + u_int8_t chunktype; | |
251 | + u_int8_t flag; | |
252 | + u_int8_t flag_mask; | |
253 | +}; | |
254 | + | |
255 | +#define IPT_NUM_SCTP_FLAGS 4 | |
256 | + | |
257 | +struct ipt_sctp_info { | |
258 | + u_int16_t dpts[2]; /* Min, Max */ | |
259 | + u_int16_t spts[2]; /* Min, Max */ | |
260 | + | |
261 | + u_int32_t chunkmap[256 / sizeof (u_int32_t)]; /* Bit mask of chunks to be matched according to RFC 2960 */ | |
262 | + | |
263 | +#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */ | |
264 | +#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */ | |
265 | +#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */ | |
266 | + | |
267 | + u_int32_t chunk_match_type; | |
268 | + struct ipt_sctp_flag_info flag_info[IPT_NUM_SCTP_FLAGS]; | |
269 | + int flag_count; | |
270 | + | |
271 | + u_int32_t flags; | |
272 | + u_int32_t invflags; | |
273 | +}; | |
274 | + | |
275 | +#define bytes(type) (sizeof(type) * 8) | |
276 | + | |
277 | +#define SCTP_CHUNKMAP_SET(chunkmap, type) \ | |
278 | + do { \ | |
279 | + chunkmap[type / bytes(u_int32_t)] |= \ | |
280 | + 1 << (type % bytes(u_int32_t)); \ | |
281 | + } while (0) | |
282 | + | |
283 | +#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ | |
284 | + do { \ | |
285 | + chunkmap[type / bytes(u_int32_t)] &= \ | |
286 | + ~(1 << (type % bytes(u_int32_t))); \ | |
287 | + } while (0) | |
288 | + | |
289 | +#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ | |
290 | +({ \ | |
291 | + (chunkmap[type / bytes (u_int32_t)] & \ | |
292 | + (1 << (type % bytes (u_int32_t)))) ? 1: 0; \ | |
293 | +}) | |
294 | + | |
295 | +#define SCTP_CHUNKMAP_RESET(chunkmap) \ | |
296 | + do { \ | |
297 | + int i; \ | |
298 | + for (i = 0; i < ELEMCOUNT(chunkmap); i++) \ | |
299 | + chunkmap[i] = 0; \ | |
300 | + } while (0) | |
301 | + | |
302 | +#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \ | |
303 | + do { \ | |
304 | + int i; \ | |
305 | + for (i = 0; i < ELEMCOUNT(chunkmap); i++) \ | |
306 | + chunkmap[i] = ~0; \ | |
307 | + } while (0) | |
308 | + | |
309 | +#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \ | |
310 | + do { \ | |
311 | + int i; \ | |
312 | + for (i = 0; i < ELEMCOUNT(chunkmap); i++) \ | |
313 | + destmap[i] = srcmap[i]; \ | |
314 | + } while (0) | |
315 | + | |
316 | +#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \ | |
317 | +({ \ | |
318 | + int i; \ | |
319 | + int flag = 1; \ | |
320 | + for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \ | |
321 | + if (chunkmap[i]) { \ | |
322 | + flag = 0; \ | |
323 | + break; \ | |
324 | + } \ | |
325 | + } \ | |
326 | + flag; \ | |
327 | +}) | |
328 | + | |
329 | +#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \ | |
330 | +({ \ | |
331 | + int i; \ | |
332 | + int flag = 1; \ | |
333 | + for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \ | |
334 | + if (chunkmap[i] != ~0) { \ | |
335 | + flag = 0; \ | |
336 | + break; \ | |
337 | + } \ | |
338 | + } \ | |
339 | + flag; \ | |
340 | +}) | |
341 | + | |
342 | +#endif /* _IPT_SCTP_H_ */ | |
343 | + | |
344 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_HL.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_HL.h | |
345 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_HL.h 1970-01-01 00:00:00.000000000 +0000 | |
346 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_HL.h 2004-03-04 08:39:25.000000000 +0000 | |
347 | @@ -0,0 +1,22 @@ | |
348 | +/* Hop Limit modification module for ip6tables | |
349 | + * Maciej Soltysiak <solt@dns.toxicfilms.tv> | |
350 | + * Based on HW's TTL module */ | |
351 | + | |
352 | +#ifndef _IP6T_HOPLIMIT_H | |
353 | +#define _IP6T_HOPLIMIT_H | |
354 | + | |
355 | +enum { | |
356 | + IP6T_HOPLIMIT_SET = 0, | |
357 | + IP6T_HOPLIMIT_INC, | |
358 | + IP6T_HOPLIMIT_DEC | |
359 | +}; | |
360 | + | |
361 | +#define IP6T_HOPLIMIT_MAXMODE IP6T_HOPLIMIT_DEC | |
362 | + | |
363 | +struct ip6t_HOPLIMIT_info { | |
364 | + u_int8_t mode; | |
365 | + u_int8_t hop_limit; | |
366 | +}; | |
367 | + | |
368 | + | |
369 | +#endif | |
370 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_REJECT.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_REJECT.h | |
371 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_REJECT.h 2004-03-04 06:16:34.000000000 +0000 | |
372 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_REJECT.h 2004-03-04 08:39:28.000000000 +0000 | |
373 | @@ -2,15 +2,17 @@ | |
374 | #define _IP6T_REJECT_H | |
375 | ||
376 | enum ip6t_reject_with { | |
377 | - IP6T_ICMP_NET_UNREACHABLE, | |
378 | - IP6T_ICMP_HOST_UNREACHABLE, | |
379 | - IP6T_ICMP_PROT_UNREACHABLE, | |
380 | - IP6T_ICMP_PORT_UNREACHABLE, | |
381 | - IP6T_ICMP_ECHOREPLY | |
382 | + IP6T_ICMP6_NO_ROUTE, | |
383 | + IP6T_ICMP6_ADM_PROHIBITED, | |
384 | + IP6T_ICMP6_NOT_NEIGHBOUR, | |
385 | + IP6T_ICMP6_ADDR_UNREACH, | |
386 | + IP6T_ICMP6_PORT_UNREACH, | |
387 | + IP6T_ICMP6_ECHOREPLY, | |
388 | + IP6T_TCP_RESET | |
389 | }; | |
390 | ||
391 | struct ip6t_reject_info { | |
392 | enum ip6t_reject_with with; /* reject type */ | |
393 | }; | |
394 | ||
395 | -#endif /*_IPT_REJECT_H*/ | |
396 | +#endif /*_IP6T_REJECT_H*/ | |
397 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_fuzzy.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_fuzzy.h | |
398 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_fuzzy.h 1970-01-01 00:00:00.000000000 +0000 | |
399 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_fuzzy.h 2004-03-04 08:39:30.000000000 +0000 | |
400 | @@ -0,0 +1,21 @@ | |
401 | +#ifndef _IP6T_FUZZY_H | |
402 | +#define _IP6T_FUZZY_H | |
403 | + | |
404 | +#include <linux/param.h> | |
405 | +#include <linux/types.h> | |
406 | + | |
407 | +#define MAXFUZZYRATE 10000000 | |
408 | +#define MINFUZZYRATE 3 | |
409 | + | |
410 | +struct ip6t_fuzzy_info { | |
411 | + u_int32_t minimum_rate; | |
412 | + u_int32_t maximum_rate; | |
413 | + u_int32_t packets_total; | |
414 | + u_int32_t bytes_total; | |
415 | + u_int32_t previous_time; | |
416 | + u_int32_t present_time; | |
417 | + u_int32_t mean_rate; | |
418 | + u_int8_t acceptance_rate; | |
419 | +}; | |
420 | + | |
421 | +#endif /*_IP6T_FUZZY_H*/ | |
422 | diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_nth.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_nth.h | |
423 | --- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_nth.h 1970-01-01 00:00:00.000000000 +0000 | |
424 | +++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_nth.h 2004-03-04 08:39:34.000000000 +0000 | |
425 | @@ -0,0 +1,19 @@ | |
426 | +#ifndef _IP6T_NTH_H | |
427 | +#define _IP6T_NTH_H | |
428 | + | |
429 | +#include <linux/param.h> | |
430 | +#include <linux/types.h> | |
431 | + | |
432 | +#ifndef IP6T_NTH_NUM_COUNTERS | |
433 | +#define IP6T_NTH_NUM_COUNTERS 16 | |
434 | +#endif | |
435 | + | |
436 | +struct ip6t_nth_info { | |
437 | + u_int8_t every; | |
438 | + u_int8_t not; | |
439 | + u_int8_t startat; | |
440 | + u_int8_t counter; | |
441 | + u_int8_t packet; | |
442 | +}; | |
443 | + | |
444 | +#endif /*_IP6T_NTH_H*/ | |
445 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/Kconfig linux-2.6.4-rc2/net/ipv4/netfilter/Kconfig | |
446 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/Kconfig 2004-03-04 06:16:58.000000000 +0000 | |
447 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/Kconfig 2004-03-04 08:39:55.000000000 +0000 | |
448 | @@ -579,5 +579,60 @@ | |
449 | ||
450 | To compile it as a module, choose M here. If unsure, say N. | |
451 | ||
452 | +config IP_NF_TARGET_IPV4OPTSSTRIP | |
453 | + tristate 'IPV4OPTSSTRIP target support' | |
454 | + depends on IP_NF_MANGLE | |
455 | + help | |
456 | + | |
457 | +config IP_NF_TARGET_TTL | |
458 | + tristate 'TTL target support' | |
459 | + depends on IP_NF_MANGLE | |
460 | + help | |
461 | + | |
462 | +config IP_NF_MATCH_CONNLIMIT | |
463 | + tristate 'Connections/IP limit match support' | |
464 | + depends on IP_NF_IPTABLES | |
465 | + help | |
466 | + | |
467 | +config IP_NF_MATCH_DSTLIMIT | |
468 | + tristate 'dstlimit match support' | |
469 | + depends on IP_NF_IPTABLES | |
470 | + help | |
471 | + | |
472 | +config IP_NF_MATCH_FUZZY | |
473 | + tristate 'fuzzy match support' | |
474 | + depends on IP_NF_IPTABLES | |
475 | + help | |
476 | + | |
477 | +config IP_NF_MATCH_IPV4OPTIONS | |
478 | + tristate 'IPV4OPTIONS match support' | |
479 | + depends on IP_NF_IPTABLES | |
480 | + help | |
481 | + | |
482 | +config IP_NF_MATCH_MPORT | |
483 | + tristate 'Multiple port with ranges match support' | |
484 | + depends on IP_NF_IPTABLES | |
485 | + help | |
486 | + | |
487 | +config IP_NF_MATCH_NTH | |
488 | + tristate 'Nth match support' | |
489 | + depends on IP_NF_IPTABLES | |
490 | + help | |
491 | + | |
492 | +config IP_NF_MATCH_QUOTA | |
493 | + tristate 'quota match support' | |
494 | + depends on IP_NF_IPTABLES | |
495 | + help | |
496 | + | |
497 | +config IP_NF_MATCH_REALM | |
498 | + tristate 'realm match support' | |
499 | + depends on IP_NF_IPTABLES && NET_CLS_ROUTE | |
500 | + help | |
501 | + | |
502 | +config IP_NF_MATCH_SCTP | |
503 | + tristate 'SCTP protocol match support' | |
504 | + depends on IP_NF_IPTABLES | |
505 | + help | |
506 | + | |
507 | endmenu | |
508 | ||
509 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/Makefile linux-2.6.4-rc2/net/ipv4/netfilter/Makefile | |
510 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/Makefile 2004-03-04 06:16:38.000000000 +0000 | |
511 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/Makefile 2004-03-04 08:39:55.000000000 +0000 | |
512 | @@ -42,15 +42,28 @@ | |
513 | # matches | |
514 | obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o | |
515 | obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o | |
516 | +obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o | |
517 | +obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o | |
518 | +obj-$(CONFIG_IP_NF_MATCH_DSTLIMIT) += ipt_dstlimit.o | |
519 | obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o | |
520 | obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o | |
521 | obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o | |
522 | ||
523 | obj-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype.o | |
524 | obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o | |
525 | + | |
526 | +obj-$(CONFIG_IP_NF_MATCH_MPORT) += ipt_mport.o | |
527 | + | |
528 | obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o | |
529 | obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o | |
530 | ||
531 | +obj-$(CONFIG_IP_NF_MATCH_NTH) += ipt_nth.o | |
532 | + | |
533 | +obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o | |
534 | + | |
535 | + | |
536 | +obj-$(CONFIG_IP_NF_MATCH_FUZZY) += ipt_fuzzy.o | |
537 | + | |
538 | obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o | |
539 | ||
540 | obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o | |
541 | @@ -61,8 +74,10 @@ | |
542 | ||
543 | obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o | |
544 | obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o | |
545 | +obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o | |
546 | obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o | |
547 | obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o | |
548 | +obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o | |
549 | ||
550 | obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o | |
551 | ||
552 | @@ -79,6 +94,8 @@ | |
553 | obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o | |
554 | obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o | |
555 | obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o | |
556 | +obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o | |
557 | +obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o | |
558 | obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o | |
559 | obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o | |
560 | ||
561 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_amanda.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_amanda.c | |
562 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_amanda.c 2004-03-04 06:16:50.000000000 +0000 | |
563 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_amanda.c 2004-03-04 08:39:18.000000000 +0000 | |
564 | @@ -46,7 +46,7 @@ | |
565 | static int help(struct sk_buff *skb, | |
566 | struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) | |
567 | { | |
568 | - struct ip_conntrack_expect exp; | |
569 | + struct ip_conntrack_expect *exp; | |
570 | struct ip_ct_amanda_expect *exp_amanda_info; | |
571 | char *data, *data_limit, *tmp; | |
572 | unsigned int dataoff, i; | |
573 | @@ -79,20 +79,22 @@ | |
574 | goto out; | |
575 | data += strlen("CONNECT "); | |
576 | ||
577 | - memset(&exp, 0, sizeof(exp)); | |
578 | - exp.tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; | |
579 | - exp.tuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; | |
580 | - exp.tuple.dst.protonum = IPPROTO_TCP; | |
581 | - exp.mask.src.ip = 0xFFFFFFFF; | |
582 | - exp.mask.dst.ip = 0xFFFFFFFF; | |
583 | - exp.mask.dst.protonum = 0xFFFF; | |
584 | - exp.mask.dst.u.tcp.port = 0xFFFF; | |
585 | + if (ip_conntrack_expect_alloc(&exp) < 0) | |
586 | + return -ENOMEM; | |
587 | + | |
588 | + exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; | |
589 | + exp->tuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; | |
590 | + exp->tuple.dst.protonum = IPPROTO_TCP; | |
591 | + exp->mask.src.ip = 0xFFFFFFFF; | |
592 | + exp->mask.dst.ip = 0xFFFFFFFF; | |
593 | + exp->mask.dst.protonum = 0xFFFF; | |
594 | + exp->mask.dst.u.tcp.port = 0xFFFF; | |
595 | ||
596 | /* Only search first line. */ | |
597 | if ((tmp = strchr(data, '\n'))) | |
598 | *tmp = '\0'; | |
599 | ||
600 | - exp_amanda_info = &exp.help.exp_amanda_info; | |
601 | + exp_amanda_info = &exp->help.exp_amanda_info; | |
602 | for (i = 0; i < ARRAY_SIZE(conns); i++) { | |
603 | char *match = strstr(data, conns[i]); | |
604 | if (!match) | |
605 | @@ -104,8 +106,8 @@ | |
606 | if (exp_amanda_info->port == 0 || exp_amanda_info->len > 5) | |
607 | break; | |
608 | ||
609 | - exp.tuple.dst.u.tcp.port = htons(exp_amanda_info->port); | |
610 | - ip_conntrack_expect_related(ct, &exp); | |
611 | + exp->tuple.dst.u.tcp.port = htons(exp_amanda_info->port); | |
612 | + ip_conntrack_expect_related(exp, ct); | |
613 | } | |
614 | ||
615 | out: | |
616 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_core.c | |
617 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_core.c 2004-03-04 06:16:34.000000000 +0000 | |
618 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_core.c 2004-03-04 08:39:20.000000000 +0000 | |
619 | @@ -691,42 +691,50 @@ | |
620 | struct ip_conntrack_expect *, tuple); | |
621 | READ_UNLOCK(&ip_conntrack_expect_tuple_lock); | |
622 | ||
623 | - /* If master is not in hash table yet (ie. packet hasn't left | |
624 | - this machine yet), how can other end know about expected? | |
625 | - Hence these are not the droids you are looking for (if | |
626 | - master ct never got confirmed, we'd hold a reference to it | |
627 | - and weird things would happen to future packets). */ | |
628 | - if (expected && !is_confirmed(expected->expectant)) | |
629 | - expected = NULL; | |
630 | - | |
631 | - /* Look up the conntrack helper for master connections only */ | |
632 | - if (!expected) | |
633 | - conntrack->helper = ip_ct_find_helper(&repl_tuple); | |
634 | - | |
635 | - /* If the expectation is dying, then this is a loser. */ | |
636 | - if (expected | |
637 | - && expected->expectant->helper->timeout | |
638 | - && ! del_timer(&expected->timeout)) | |
639 | - expected = NULL; | |
640 | - | |
641 | if (expected) { | |
642 | - DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n", | |
643 | - conntrack, expected); | |
644 | - /* Welcome, Mr. Bond. We've been expecting you... */ | |
645 | - IP_NF_ASSERT(master_ct(conntrack)); | |
646 | - __set_bit(IPS_EXPECTED_BIT, &conntrack->status); | |
647 | - conntrack->master = expected; | |
648 | - expected->sibling = conntrack; | |
649 | - LIST_DELETE(&ip_conntrack_expect_list, expected); | |
650 | - expected->expectant->expecting--; | |
651 | - nf_conntrack_get(&master_ct(conntrack)->infos[0]); | |
652 | - } | |
653 | - atomic_inc(&ip_conntrack_count); | |
654 | + /* If master is not in hash table yet (ie. packet hasn't left | |
655 | + this machine yet), how can other end know about expected? | |
656 | + Hence these are not the droids you are looking for (if | |
657 | + master ct never got confirmed, we'd hold a reference to it | |
658 | + and weird things would happen to future packets). */ | |
659 | + if (!is_confirmed(expected->expectant)) { | |
660 | + | |
661 | + conntrack->helper = ip_ct_find_helper(&repl_tuple); | |
662 | + goto end; | |
663 | + } | |
664 | + | |
665 | + /* Expectation is dying... */ | |
666 | + if (expected->expectant->helper->timeout | |
667 | + && ! del_timer(&expected->timeout)) { | |
668 | + goto end; | |
669 | + } | |
670 | + | |
671 | + DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n", | |
672 | + conntrack, expected); | |
673 | + /* Welcome, Mr. Bond. We've been expecting you... */ | |
674 | + IP_NF_ASSERT(master_ct(conntrack)); | |
675 | + __set_bit(IPS_EXPECTED_BIT, &conntrack->status); | |
676 | + conntrack->master = expected; | |
677 | + expected->sibling = conntrack; | |
678 | + LIST_DELETE(&ip_conntrack_expect_list, expected); | |
679 | + expected->expectant->expecting--; | |
680 | + nf_conntrack_get(&master_ct(conntrack)->infos[0]); | |
681 | + | |
682 | + /* this is a braindead... --pablo */ | |
683 | + atomic_inc(&ip_conntrack_count); | |
684 | + WRITE_UNLOCK(&ip_conntrack_lock); | |
685 | + | |
686 | + if (expected->expectfn) | |
687 | + expected->expectfn(conntrack); | |
688 | + | |
689 | + goto ret; | |
690 | + } else | |
691 | + conntrack->helper = ip_ct_find_helper(&repl_tuple); | |
692 | + | |
693 | +end: atomic_inc(&ip_conntrack_count); | |
694 | WRITE_UNLOCK(&ip_conntrack_lock); | |
695 | ||
696 | - if (expected && expected->expectfn) | |
697 | - expected->expectfn(conntrack); | |
698 | - return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL]; | |
699 | +ret: return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL]; | |
700 | } | |
701 | ||
702 | /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */ | |
703 | @@ -917,11 +925,53 @@ | |
704 | WRITE_UNLOCK(&ip_conntrack_lock); | |
705 | } | |
706 | ||
707 | +int | |
708 | +ip_conntrack_expect_alloc(struct ip_conntrack_expect **new) | |
709 | +{ | |
710 | + *new = (struct ip_conntrack_expect *) | |
711 | + kmalloc(sizeof(struct ip_conntrack_expect), GFP_ATOMIC); | |
712 | + if (!*new) { | |
713 | + DEBUGP("expect_related: OOM allocating expect\n"); | |
714 | + return -ENOMEM; | |
715 | + } | |
716 | + | |
717 | + /* tuple_cmp compares whole union, we have to initialized cleanly */ | |
718 | + memset(*new, 0, sizeof(struct ip_conntrack_expect)); | |
719 | + | |
720 | + return 1; | |
721 | +} | |
722 | + | |
723 | +static void | |
724 | +ip_conntrack_expect_insert(struct ip_conntrack_expect *new, | |
725 | + struct ip_conntrack *related_to) | |
726 | +{ | |
727 | + DEBUGP("new expectation %p of conntrack %p\n", new, related_to); | |
728 | + new->expectant = related_to; | |
729 | + new->sibling = NULL; | |
730 | + atomic_set(&new->use, 1); | |
731 | + | |
732 | + /* add to expected list for this connection */ | |
733 | + list_add(&new->expected_list, &related_to->sibling_list); | |
734 | + /* add to global list of expectations */ | |
735 | + | |
736 | + list_prepend(&ip_conntrack_expect_list, &new->list); | |
737 | + /* add and start timer if required */ | |
738 | + if (related_to->helper->timeout) { | |
739 | + init_timer(&new->timeout); | |
740 | + new->timeout.data = (unsigned long)new; | |
741 | + new->timeout.function = expectation_timed_out; | |
742 | + new->timeout.expires = jiffies + | |
743 | + related_to->helper->timeout * HZ; | |
744 | + add_timer(&new->timeout); | |
745 | + } | |
746 | + related_to->expecting++; | |
747 | +} | |
748 | + | |
749 | /* Add a related connection. */ | |
750 | -int ip_conntrack_expect_related(struct ip_conntrack *related_to, | |
751 | - struct ip_conntrack_expect *expect) | |
752 | +int ip_conntrack_expect_related(struct ip_conntrack_expect *expect, | |
753 | + struct ip_conntrack *related_to) | |
754 | { | |
755 | - struct ip_conntrack_expect *old, *new; | |
756 | + struct ip_conntrack_expect *old; | |
757 | int ret = 0; | |
758 | ||
759 | WRITE_LOCK(&ip_conntrack_lock); | |
760 | @@ -943,7 +993,7 @@ | |
761 | if (related_to->helper->timeout) { | |
762 | if (!del_timer(&old->timeout)) { | |
763 | /* expectation is dying. Fall through */ | |
764 | - old = NULL; | |
765 | + goto out; | |
766 | } else { | |
767 | old->timeout.expires = jiffies + | |
768 | related_to->helper->timeout * HZ; | |
769 | @@ -951,10 +1001,10 @@ | |
770 | } | |
771 | } | |
772 | ||
773 | - if (old) { | |
774 | - WRITE_UNLOCK(&ip_conntrack_lock); | |
775 | - return -EEXIST; | |
776 | - } | |
777 | + WRITE_UNLOCK(&ip_conntrack_lock); | |
778 | + kfree(expect); | |
779 | + return -EEXIST; | |
780 | + | |
781 | } else if (related_to->helper->max_expected && | |
782 | related_to->expecting >= related_to->helper->max_expected) { | |
783 | struct list_head *cur_item; | |
784 | @@ -971,6 +1021,7 @@ | |
785 | related_to->helper->name, | |
786 | NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip), | |
787 | NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip)); | |
788 | + kfree(expect); | |
789 | return -EPERM; | |
790 | } | |
791 | DEBUGP("ip_conntrack: max number of expected " | |
792 | @@ -1010,37 +1061,12 @@ | |
793 | &expect->mask)) { | |
794 | WRITE_UNLOCK(&ip_conntrack_lock); | |
795 | DEBUGP("expect_related: busy!\n"); | |
796 | + | |
797 | + kfree(expect); | |
798 | return -EBUSY; | |
799 | } | |
800 | - | |
801 | - new = (struct ip_conntrack_expect *) | |
802 | - kmalloc(sizeof(struct ip_conntrack_expect), GFP_ATOMIC); | |
803 | - if (!new) { | |
804 | - WRITE_UNLOCK(&ip_conntrack_lock); | |
805 | - DEBUGP("expect_relaed: OOM allocating expect\n"); | |
806 | - return -ENOMEM; | |
807 | - } | |
808 | - | |
809 | - DEBUGP("new expectation %p of conntrack %p\n", new, related_to); | |
810 | - memcpy(new, expect, sizeof(*expect)); | |
811 | - new->expectant = related_to; | |
812 | - new->sibling = NULL; | |
813 | - atomic_set(&new->use, 1); | |
814 | - | |
815 | - /* add to expected list for this connection */ | |
816 | - list_add(&new->expected_list, &related_to->sibling_list); | |
817 | - /* add to global list of expectations */ | |
818 | - list_prepend(&ip_conntrack_expect_list, &new->list); | |
819 | - /* add and start timer if required */ | |
820 | - if (related_to->helper->timeout) { | |
821 | - init_timer(&new->timeout); | |
822 | - new->timeout.data = (unsigned long)new; | |
823 | - new->timeout.function = expectation_timed_out; | |
824 | - new->timeout.expires = jiffies + | |
825 | - related_to->helper->timeout * HZ; | |
826 | - add_timer(&new->timeout); | |
827 | - } | |
828 | - related_to->expecting++; | |
829 | + | |
830 | +out: ip_conntrack_expect_insert(expect, related_to); | |
831 | ||
832 | WRITE_UNLOCK(&ip_conntrack_lock); | |
833 | ||
834 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_ftp.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_ftp.c | |
835 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_ftp.c 2004-03-04 06:16:55.000000000 +0000 | |
836 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_ftp.c 2004-03-04 08:39:18.000000000 +0000 | |
837 | @@ -256,8 +256,8 @@ | |
838 | int dir = CTINFO2DIR(ctinfo); | |
839 | unsigned int matchlen, matchoff; | |
840 | struct ip_ct_ftp_master *ct_ftp_info = &ct->help.ct_ftp_info; | |
841 | - struct ip_conntrack_expect expect, *exp = &expect; | |
842 | - struct ip_ct_ftp_expect *exp_ftp_info = &exp->help.exp_ftp_info; | |
843 | + struct ip_conntrack_expect *exp; | |
844 | + struct ip_ct_ftp_expect *exp_ftp_info; | |
845 | ||
846 | unsigned int i; | |
847 | int found = 0; | |
848 | @@ -346,8 +346,12 @@ | |
849 | DEBUGP("conntrack_ftp: match `%.*s' (%u bytes at %u)\n", | |
850 | (int)matchlen, data + matchoff, | |
851 | matchlen, ntohl(tcph.seq) + matchoff); | |
852 | - | |
853 | - memset(&expect, 0, sizeof(expect)); | |
854 | + | |
855 | + /* Allocate expectation which will be inserted */ | |
856 | + if (ip_conntrack_expect_alloc(&exp) < 0) | |
857 | + return -ENOMEM; | |
858 | + | |
859 | + exp_ftp_info = &exp->help.exp_ftp_info; | |
860 | ||
861 | /* Update the ftp info */ | |
862 | if (htonl((array[0] << 24) | (array[1] << 16) | (array[2] << 8) | array[3]) | |
863 | @@ -389,7 +393,7 @@ | |
864 | exp->expectfn = NULL; | |
865 | ||
866 | /* Ignore failure; should only happen with NAT */ | |
867 | - ip_conntrack_expect_related(ct, &expect); | |
868 | + ip_conntrack_expect_related(exp, ct); | |
869 | ret = NF_ACCEPT; | |
870 | out: | |
871 | UNLOCK_BH(&ip_ftp_lock); | |
872 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_irc.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_irc.c | |
873 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_irc.c 2004-03-04 06:16:55.000000000 +0000 | |
874 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_irc.c 2004-03-04 08:39:18.000000000 +0000 | |
875 | @@ -106,8 +106,8 @@ | |
876 | struct tcphdr tcph; | |
877 | char *data, *data_limit; | |
878 | int dir = CTINFO2DIR(ctinfo); | |
879 | - struct ip_conntrack_expect expect, *exp = &expect; | |
880 | - struct ip_ct_irc_expect *exp_irc_info = &exp->help.exp_irc_info; | |
881 | + struct ip_conntrack_expect *exp; | |
882 | + struct ip_ct_irc_expect *exp_irc_info = NULL; | |
883 | ||
884 | u_int32_t dcc_ip; | |
885 | u_int16_t dcc_port; | |
886 | @@ -190,8 +190,11 @@ | |
887 | ||
888 | continue; | |
889 | } | |
890 | - | |
891 | - memset(&expect, 0, sizeof(expect)); | |
892 | + | |
893 | + if (ip_conntrack_expect_alloc(&exp) < 0) | |
894 | + return -ENOMEM; | |
895 | + | |
896 | + exp_irc_info = &exp->help.exp_irc_info; | |
897 | ||
898 | /* save position of address in dcc string, | |
899 | * necessary for NAT */ | |
900 | @@ -218,7 +221,7 @@ | |
901 | NIPQUAD(exp->tuple.dst.ip), | |
902 | ntohs(exp->tuple.dst.u.tcp.port)); | |
903 | ||
904 | - ip_conntrack_expect_related(ct, &expect); | |
905 | + ip_conntrack_expect_related(exp, ct); | |
906 | ||
907 | goto out; | |
908 | } /* for .. NUM_DCCPROTO */ | |
909 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c | |
910 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-03-04 06:16:44.000000000 +0000 | |
911 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-03-04 08:39:18.000000000 +0000 | |
912 | @@ -591,6 +591,7 @@ | |
913 | EXPORT_SYMBOL(ip_ct_find_proto); | |
914 | EXPORT_SYMBOL(__ip_ct_find_proto); | |
915 | EXPORT_SYMBOL(ip_ct_find_helper); | |
916 | +EXPORT_SYMBOL(ip_conntrack_expect_alloc); | |
917 | EXPORT_SYMBOL(ip_conntrack_expect_related); | |
918 | EXPORT_SYMBOL(ip_conntrack_change_expect); | |
919 | EXPORT_SYMBOL(ip_conntrack_unexpect_related); | |
920 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c.orig linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c.orig | |
921 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c.orig 1970-01-01 00:00:00.000000000 +0000 | |
922 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c.orig 2004-03-04 06:16:44.000000000 +0000 | |
923 | @@ -0,0 +1,606 @@ | |
924 | +/* This file contains all the functions required for the standalone | |
925 | + ip_conntrack module. | |
926 | + | |
927 | + These are not required by the compatibility layer. | |
928 | +*/ | |
929 | + | |
930 | +/* (C) 1999-2001 Paul `Rusty' Russell | |
931 | + * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> | |
932 | + * | |
933 | + * This program is free software; you can redistribute it and/or modify | |
934 | + * it under the terms of the GNU General Public License version 2 as | |
935 | + * published by the Free Software Foundation. | |
936 | + */ | |
937 | + | |
938 | +#include <linux/config.h> | |
939 | +#include <linux/types.h> | |
940 | +#include <linux/ip.h> | |
941 | +#include <linux/netfilter.h> | |
942 | +#include <linux/netfilter_ipv4.h> | |
943 | +#include <linux/module.h> | |
944 | +#include <linux/skbuff.h> | |
945 | +#include <linux/proc_fs.h> | |
946 | +#ifdef CONFIG_SYSCTL | |
947 | +#include <linux/sysctl.h> | |
948 | +#endif | |
949 | +#include <net/checksum.h> | |
950 | + | |
951 | +#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_conntrack_lock) | |
952 | +#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_conntrack_lock) | |
953 | + | |
954 | +#include <linux/netfilter_ipv4/ip_conntrack.h> | |
955 | +#include <linux/netfilter_ipv4/ip_conntrack_protocol.h> | |
956 | +#include <linux/netfilter_ipv4/ip_conntrack_core.h> | |
957 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
958 | +#include <linux/netfilter_ipv4/listhelp.h> | |
959 | + | |
960 | +#if 0 | |
961 | +#define DEBUGP printk | |
962 | +#else | |
963 | +#define DEBUGP(format, args...) | |
964 | +#endif | |
965 | + | |
966 | +MODULE_LICENSE("GPL"); | |
967 | + | |
968 | +static int kill_proto(const struct ip_conntrack *i, void *data) | |
969 | +{ | |
970 | + return (i->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum == | |
971 | + *((u_int8_t *) data)); | |
972 | +} | |
973 | + | |
974 | +static unsigned int | |
975 | +print_tuple(char *buffer, const struct ip_conntrack_tuple *tuple, | |
976 | + struct ip_conntrack_protocol *proto) | |
977 | +{ | |
978 | + int len; | |
979 | + | |
980 | + len = sprintf(buffer, "src=%u.%u.%u.%u dst=%u.%u.%u.%u ", | |
981 | + NIPQUAD(tuple->src.ip), NIPQUAD(tuple->dst.ip)); | |
982 | + | |
983 | + len += proto->print_tuple(buffer + len, tuple); | |
984 | + | |
985 | + return len; | |
986 | +} | |
987 | + | |
988 | +/* FIXME: Don't print source proto part. --RR */ | |
989 | +static unsigned int | |
990 | +print_expect(char *buffer, const struct ip_conntrack_expect *expect) | |
991 | +{ | |
992 | + unsigned int len; | |
993 | + | |
994 | + if (expect->expectant->helper->timeout) | |
995 | + len = sprintf(buffer, "EXPECTING: %lu ", | |
996 | + timer_pending(&expect->timeout) | |
997 | + ? (expect->timeout.expires - jiffies)/HZ : 0); | |
998 | + else | |
999 | + len = sprintf(buffer, "EXPECTING: - "); | |
1000 | + len += sprintf(buffer + len, "use=%u proto=%u ", | |
1001 | + atomic_read(&expect->use), expect->tuple.dst.protonum); | |
1002 | + len += print_tuple(buffer + len, &expect->tuple, | |
1003 | + __ip_ct_find_proto(expect->tuple.dst.protonum)); | |
1004 | + len += sprintf(buffer + len, "\n"); | |
1005 | + return len; | |
1006 | +} | |
1007 | + | |
1008 | +static unsigned int | |
1009 | +print_conntrack(char *buffer, struct ip_conntrack *conntrack) | |
1010 | +{ | |
1011 | + unsigned int len; | |
1012 | + struct ip_conntrack_protocol *proto | |
1013 | + = __ip_ct_find_proto(conntrack->tuplehash[IP_CT_DIR_ORIGINAL] | |
1014 | + .tuple.dst.protonum); | |
1015 | + | |
1016 | + len = sprintf(buffer, "%-8s %u %lu ", | |
1017 | + proto->name, | |
1018 | + conntrack->tuplehash[IP_CT_DIR_ORIGINAL] | |
1019 | + .tuple.dst.protonum, | |
1020 | + timer_pending(&conntrack->timeout) | |
1021 | + ? (conntrack->timeout.expires - jiffies)/HZ : 0); | |
1022 | + | |
1023 | + len += proto->print_conntrack(buffer + len, conntrack); | |
1024 | + len += print_tuple(buffer + len, | |
1025 | + &conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple, | |
1026 | + proto); | |
1027 | + if (!(test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status))) | |
1028 | + len += sprintf(buffer + len, "[UNREPLIED] "); | |
1029 | + len += print_tuple(buffer + len, | |
1030 | + &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple, | |
1031 | + proto); | |
1032 | + if (test_bit(IPS_ASSURED_BIT, &conntrack->status)) | |
1033 | + len += sprintf(buffer + len, "[ASSURED] "); | |
1034 | + len += sprintf(buffer + len, "use=%u ", | |
1035 | + atomic_read(&conntrack->ct_general.use)); | |
1036 | + len += sprintf(buffer + len, "\n"); | |
1037 | + | |
1038 | + return len; | |
1039 | +} | |
1040 | + | |
1041 | +/* Returns true when finished. */ | |
1042 | +static inline int | |
1043 | +conntrack_iterate(const struct ip_conntrack_tuple_hash *hash, | |
1044 | + char *buffer, off_t offset, off_t *upto, | |
1045 | + unsigned int *len, unsigned int maxlen) | |
1046 | +{ | |
1047 | + unsigned int newlen; | |
1048 | + IP_NF_ASSERT(hash->ctrack); | |
1049 | + | |
1050 | + MUST_BE_READ_LOCKED(&ip_conntrack_lock); | |
1051 | + | |
1052 | + /* Only count originals */ | |
1053 | + if (DIRECTION(hash)) | |
1054 | + return 0; | |
1055 | + | |
1056 | + if ((*upto)++ < offset) | |
1057 | + return 0; | |
1058 | + | |
1059 | + newlen = print_conntrack(buffer + *len, hash->ctrack); | |
1060 | + if (*len + newlen > maxlen) | |
1061 | + return 1; | |
1062 | + else *len += newlen; | |
1063 | + | |
1064 | + return 0; | |
1065 | +} | |
1066 | + | |
1067 | +static int | |
1068 | +list_conntracks(char *buffer, char **start, off_t offset, int length) | |
1069 | +{ | |
1070 | + unsigned int i; | |
1071 | + unsigned int len = 0; | |
1072 | + off_t upto = 0; | |
1073 | + struct list_head *e; | |
1074 | + | |
1075 | + READ_LOCK(&ip_conntrack_lock); | |
1076 | + /* Traverse hash; print originals then reply. */ | |
1077 | + for (i = 0; i < ip_conntrack_htable_size; i++) { | |
1078 | + if (LIST_FIND(&ip_conntrack_hash[i], conntrack_iterate, | |
1079 | + struct ip_conntrack_tuple_hash *, | |
1080 | + buffer, offset, &upto, &len, length)) | |
1081 | + goto finished; | |
1082 | + } | |
1083 | + | |
1084 | + /* Now iterate through expecteds. */ | |
1085 | + READ_LOCK(&ip_conntrack_expect_tuple_lock); | |
1086 | + list_for_each(e, &ip_conntrack_expect_list) { | |
1087 | + unsigned int last_len; | |
1088 | + struct ip_conntrack_expect *expect | |
1089 | + = (struct ip_conntrack_expect *)e; | |
1090 | + if (upto++ < offset) continue; | |
1091 | + | |
1092 | + last_len = len; | |
1093 | + len += print_expect(buffer + len, expect); | |
1094 | + if (len > length) { | |
1095 | + len = last_len; | |
1096 | + goto finished_expects; | |
1097 | + } | |
1098 | + } | |
1099 | + | |
1100 | + finished_expects: | |
1101 | + READ_UNLOCK(&ip_conntrack_expect_tuple_lock); | |
1102 | + finished: | |
1103 | + READ_UNLOCK(&ip_conntrack_lock); | |
1104 | + | |
1105 | + /* `start' hack - see fs/proc/generic.c line ~165 */ | |
1106 | + *start = (char *)((unsigned int)upto - offset); | |
1107 | + return len; | |
1108 | +} | |
1109 | + | |
1110 | +static unsigned int ip_confirm(unsigned int hooknum, | |
1111 | + struct sk_buff **pskb, | |
1112 | + const struct net_device *in, | |
1113 | + const struct net_device *out, | |
1114 | + int (*okfn)(struct sk_buff *)) | |
1115 | +{ | |
1116 | + /* We've seen it coming out the other side: confirm it */ | |
1117 | + return ip_conntrack_confirm(*pskb); | |
1118 | +} | |
1119 | + | |
1120 | +static unsigned int ip_refrag(unsigned int hooknum, | |
1121 | + struct sk_buff **pskb, | |
1122 | + const struct net_device *in, | |
1123 | + const struct net_device *out, | |
1124 | + int (*okfn)(struct sk_buff *)) | |
1125 | +{ | |
1126 | + struct rtable *rt = (struct rtable *)(*pskb)->dst; | |
1127 | + | |
1128 | + /* We've seen it coming out the other side: confirm */ | |
1129 | + if (ip_confirm(hooknum, pskb, in, out, okfn) != NF_ACCEPT) | |
1130 | + return NF_DROP; | |
1131 | + | |
1132 | + /* Local packets are never produced too large for their | |
1133 | + interface. We degfragment them at LOCAL_OUT, however, | |
1134 | + so we have to refragment them here. */ | |
1135 | + if ((*pskb)->len > dst_pmtu(&rt->u.dst) && | |
1136 | + !skb_shinfo(*pskb)->tso_size) { | |
1137 | + /* No hook can be after us, so this should be OK. */ | |
1138 | + ip_fragment(*pskb, okfn); | |
1139 | + return NF_STOLEN; | |
1140 | + } | |
1141 | + return NF_ACCEPT; | |
1142 | +} | |
1143 | + | |
1144 | +static unsigned int ip_conntrack_local(unsigned int hooknum, | |
1145 | + struct sk_buff **pskb, | |
1146 | + const struct net_device *in, | |
1147 | + const struct net_device *out, | |
1148 | + int (*okfn)(struct sk_buff *)) | |
1149 | +{ | |
1150 | + /* root is playing with raw sockets. */ | |
1151 | + if ((*pskb)->len < sizeof(struct iphdr) | |
1152 | + || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr)) { | |
1153 | + if (net_ratelimit()) | |
1154 | + printk("ipt_hook: happy cracking.\n"); | |
1155 | + return NF_ACCEPT; | |
1156 | + } | |
1157 | + return ip_conntrack_in(hooknum, pskb, in, out, okfn); | |
1158 | +} | |
1159 | + | |
1160 | +/* Connection tracking may drop packets, but never alters them, so | |
1161 | + make it the first hook. */ | |
1162 | +static struct nf_hook_ops ip_conntrack_in_ops = { | |
1163 | + .hook = ip_conntrack_in, | |
1164 | + .owner = THIS_MODULE, | |
1165 | + .pf = PF_INET, | |
1166 | + .hooknum = NF_IP_PRE_ROUTING, | |
1167 | + .priority = NF_IP_PRI_CONNTRACK, | |
1168 | +}; | |
1169 | + | |
1170 | +static struct nf_hook_ops ip_conntrack_local_out_ops = { | |
1171 | + .hook = ip_conntrack_local, | |
1172 | + .owner = THIS_MODULE, | |
1173 | + .pf = PF_INET, | |
1174 | + .hooknum = NF_IP_LOCAL_OUT, | |
1175 | + .priority = NF_IP_PRI_CONNTRACK, | |
1176 | +}; | |
1177 | + | |
1178 | +/* Refragmenter; last chance. */ | |
1179 | +static struct nf_hook_ops ip_conntrack_out_ops = { | |
1180 | + .hook = ip_refrag, | |
1181 | + .owner = THIS_MODULE, | |
1182 | + .pf = PF_INET, | |
1183 | + .hooknum = NF_IP_POST_ROUTING, | |
1184 | + .priority = NF_IP_PRI_LAST, | |
1185 | +}; | |
1186 | + | |
1187 | +static struct nf_hook_ops ip_conntrack_local_in_ops = { | |
1188 | + .hook = ip_confirm, | |
1189 | + .owner = THIS_MODULE, | |
1190 | + .pf = PF_INET, | |
1191 | + .hooknum = NF_IP_LOCAL_IN, | |
1192 | + .priority = NF_IP_PRI_LAST-1, | |
1193 | +}; | |
1194 | + | |
1195 | +/* Sysctl support */ | |
1196 | + | |
1197 | +#ifdef CONFIG_SYSCTL | |
1198 | + | |
1199 | +/* From ip_conntrack_core.c */ | |
1200 | +extern int ip_conntrack_max; | |
1201 | +extern unsigned int ip_conntrack_htable_size; | |
1202 | + | |
1203 | +/* From ip_conntrack_proto_tcp.c */ | |
1204 | +extern unsigned long ip_ct_tcp_timeout_syn_sent; | |
1205 | +extern unsigned long ip_ct_tcp_timeout_syn_recv; | |
1206 | +extern unsigned long ip_ct_tcp_timeout_established; | |
1207 | +extern unsigned long ip_ct_tcp_timeout_fin_wait; | |
1208 | +extern unsigned long ip_ct_tcp_timeout_close_wait; | |
1209 | +extern unsigned long ip_ct_tcp_timeout_last_ack; | |
1210 | +extern unsigned long ip_ct_tcp_timeout_time_wait; | |
1211 | +extern unsigned long ip_ct_tcp_timeout_close; | |
1212 | + | |
1213 | +/* From ip_conntrack_proto_udp.c */ | |
1214 | +extern unsigned long ip_ct_udp_timeout; | |
1215 | +extern unsigned long ip_ct_udp_timeout_stream; | |
1216 | + | |
1217 | +/* From ip_conntrack_proto_icmp.c */ | |
1218 | +extern unsigned long ip_ct_icmp_timeout; | |
1219 | + | |
1220 | +/* From ip_conntrack_proto_icmp.c */ | |
1221 | +extern unsigned long ip_ct_generic_timeout; | |
1222 | + | |
1223 | +static struct ctl_table_header *ip_ct_sysctl_header; | |
1224 | + | |
1225 | +static ctl_table ip_ct_sysctl_table[] = { | |
1226 | + { | |
1227 | + .ctl_name = NET_IPV4_NF_CONNTRACK_MAX, | |
1228 | + .procname = "ip_conntrack_max", | |
1229 | + .data = &ip_conntrack_max, | |
1230 | + .maxlen = sizeof(int), | |
1231 | + .mode = 0644, | |
1232 | + .proc_handler = &proc_dointvec, | |
1233 | + }, | |
1234 | + { | |
1235 | + .ctl_name = NET_IPV4_NF_CONNTRACK_BUCKETS, | |
1236 | + .procname = "ip_conntrack_buckets", | |
1237 | + .data = &ip_conntrack_htable_size, | |
1238 | + .maxlen = sizeof(unsigned int), | |
1239 | + .mode = 0444, | |
1240 | + .proc_handler = &proc_dointvec, | |
1241 | + }, | |
1242 | + { | |
1243 | + .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT, | |
1244 | + .procname = "ip_conntrack_tcp_timeout_syn_sent", | |
1245 | + .data = &ip_ct_tcp_timeout_syn_sent, | |
1246 | + .maxlen = sizeof(unsigned int), | |
1247 | + .mode = 0644, | |
1248 | + .proc_handler = &proc_dointvec_jiffies, | |
1249 | + }, | |
1250 | + { | |
1251 | + .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV, | |
1252 | + .procname = "ip_conntrack_tcp_timeout_syn_recv", | |
1253 | + .data = &ip_ct_tcp_timeout_syn_recv, | |
1254 | + .maxlen = sizeof(unsigned int), | |
1255 | + .mode = 0644, | |
1256 | + .proc_handler = &proc_dointvec_jiffies, | |
1257 | + }, | |
1258 | + { | |
1259 | + .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED, | |
1260 | + .procname = "ip_conntrack_tcp_timeout_established", | |
1261 | + .data = &ip_ct_tcp_timeout_established, | |
1262 | + .maxlen = sizeof(unsigned int), | |
1263 | + .mode = 0644, | |
1264 | + .proc_handler = &proc_dointvec_jiffies, | |
1265 | + }, | |
1266 | + { | |
1267 | + .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT, | |
1268 | + .procname = "ip_conntrack_tcp_timeout_fin_wait", | |
1269 | + .data = &ip_ct_tcp_timeout_fin_wait, | |
1270 | + .maxlen = sizeof(unsigned int), | |
1271 | + .mode = 0644, | |
1272 | + .proc_handler = &proc_dointvec_jiffies, | |
1273 | + }, | |
1274 | + { | |
1275 | + .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT, | |
1276 | + .procname = "ip_conntrack_tcp_timeout_close_wait", | |
1277 | + .data = &ip_ct_tcp_timeout_close_wait, | |
1278 | + .maxlen = sizeof(unsigned int), | |
1279 | + .mode = 0644, | |
1280 | + .proc_handler = &proc_dointvec_jiffies, | |
1281 | + }, | |
1282 | + { | |
1283 | + .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK, | |
1284 | + .procname = "ip_conntrack_tcp_timeout_last_ack", | |
1285 | + .data = &ip_ct_tcp_timeout_last_ack, | |
1286 | + .maxlen = sizeof(unsigned int), | |
1287 | + .mode = 0644, | |
1288 | + .proc_handler = &proc_dointvec_jiffies, | |
1289 | + }, | |
1290 | + { | |
1291 | + .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT, | |
1292 | + .procname = "ip_conntrack_tcp_timeout_time_wait", | |
1293 | + .data = &ip_ct_tcp_timeout_time_wait, | |
1294 | + .maxlen = sizeof(unsigned int), | |
1295 | + .mode = 0644, | |
1296 | + .proc_handler = &proc_dointvec_jiffies, | |
1297 | + }, | |
1298 | + { | |
1299 | + .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE, | |
1300 | + .procname = "ip_conntrack_tcp_timeout_close", | |
1301 | + .data = &ip_ct_tcp_timeout_close, | |
1302 | + .maxlen = sizeof(unsigned int), | |
1303 | + .mode = 0644, | |
1304 | + .proc_handler = &proc_dointvec_jiffies, | |
1305 | + }, | |
1306 | + { | |
1307 | + .ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT, | |
1308 | + .procname = "ip_conntrack_udp_timeout", | |
1309 | + .data = &ip_ct_udp_timeout, | |
1310 | + .maxlen = sizeof(unsigned int), | |
1311 | + .mode = 0644, | |
1312 | + .proc_handler = &proc_dointvec_jiffies, | |
1313 | + }, | |
1314 | + { | |
1315 | + .ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT_STREAM, | |
1316 | + .procname = "ip_conntrack_udp_timeout_stream", | |
1317 | + .data = &ip_ct_udp_timeout_stream, | |
1318 | + .maxlen = sizeof(unsigned int), | |
1319 | + .mode = 0644, | |
1320 | + .proc_handler = &proc_dointvec_jiffies, | |
1321 | + }, | |
1322 | + { | |
1323 | + .ctl_name = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT, | |
1324 | + .procname = "ip_conntrack_icmp_timeout", | |
1325 | + .data = &ip_ct_icmp_timeout, | |
1326 | + .maxlen = sizeof(unsigned int), | |
1327 | + .mode = 0644, | |
1328 | + .proc_handler = &proc_dointvec_jiffies, | |
1329 | + }, | |
1330 | + { | |
1331 | + .ctl_name = NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT, | |
1332 | + .procname = "ip_conntrack_generic_timeout", | |
1333 | + .data = &ip_ct_generic_timeout, | |
1334 | + .maxlen = sizeof(unsigned int), | |
1335 | + .mode = 0644, | |
1336 | + .proc_handler = &proc_dointvec_jiffies, | |
1337 | + }, | |
1338 | + { .ctl_name = 0 } | |
1339 | +}; | |
1340 | + | |
1341 | +#define NET_IP_CONNTRACK_MAX 2089 | |
1342 | + | |
1343 | +static ctl_table ip_ct_netfilter_table[] = { | |
1344 | + { | |
1345 | + .ctl_name = NET_IPV4_NETFILTER, | |
1346 | + .procname = "netfilter", | |
1347 | + .mode = 0555, | |
1348 | + .child = ip_ct_sysctl_table, | |
1349 | + }, | |
1350 | + { | |
1351 | + .ctl_name = NET_IP_CONNTRACK_MAX, | |
1352 | + .procname = "ip_conntrack_max", | |
1353 | + .data = &ip_conntrack_max, | |
1354 | + .maxlen = sizeof(int), | |
1355 | + .mode = 0644, | |
1356 | + .proc_handler = &proc_dointvec | |
1357 | + }, | |
1358 | + { .ctl_name = 0 } | |
1359 | +}; | |
1360 | + | |
1361 | +static ctl_table ip_ct_ipv4_table[] = { | |
1362 | + { | |
1363 | + .ctl_name = NET_IPV4, | |
1364 | + .procname = "ipv4", | |
1365 | + .mode = 0555, | |
1366 | + .child = ip_ct_netfilter_table, | |
1367 | + }, | |
1368 | + { .ctl_name = 0 } | |
1369 | +}; | |
1370 | + | |
1371 | +static ctl_table ip_ct_net_table[] = { | |
1372 | + { | |
1373 | + .ctl_name = CTL_NET, | |
1374 | + .procname = "net", | |
1375 | + .mode = 0555, | |
1376 | + .child = ip_ct_ipv4_table, | |
1377 | + }, | |
1378 | + { .ctl_name = 0 } | |
1379 | +}; | |
1380 | +#endif | |
1381 | +static int init_or_cleanup(int init) | |
1382 | +{ | |
1383 | + struct proc_dir_entry *proc; | |
1384 | + int ret = 0; | |
1385 | + | |
1386 | + if (!init) goto cleanup; | |
1387 | + | |
1388 | + ret = ip_conntrack_init(); | |
1389 | + if (ret < 0) | |
1390 | + goto cleanup_nothing; | |
1391 | + | |
1392 | + proc = proc_net_create("ip_conntrack",0,list_conntracks); | |
1393 | + if (!proc) goto cleanup_init; | |
1394 | + proc->owner = THIS_MODULE; | |
1395 | + | |
1396 | + ret = nf_register_hook(&ip_conntrack_in_ops); | |
1397 | + if (ret < 0) { | |
1398 | + printk("ip_conntrack: can't register pre-routing hook.\n"); | |
1399 | + goto cleanup_proc; | |
1400 | + } | |
1401 | + ret = nf_register_hook(&ip_conntrack_local_out_ops); | |
1402 | + if (ret < 0) { | |
1403 | + printk("ip_conntrack: can't register local out hook.\n"); | |
1404 | + goto cleanup_inops; | |
1405 | + } | |
1406 | + ret = nf_register_hook(&ip_conntrack_out_ops); | |
1407 | + if (ret < 0) { | |
1408 | + printk("ip_conntrack: can't register post-routing hook.\n"); | |
1409 | + goto cleanup_inandlocalops; | |
1410 | + } | |
1411 | + ret = nf_register_hook(&ip_conntrack_local_in_ops); | |
1412 | + if (ret < 0) { | |
1413 | + printk("ip_conntrack: can't register local in hook.\n"); | |
1414 | + goto cleanup_inoutandlocalops; | |
1415 | + } | |
1416 | +#ifdef CONFIG_SYSCTL | |
1417 | + ip_ct_sysctl_header = register_sysctl_table(ip_ct_net_table, 0); | |
1418 | + if (ip_ct_sysctl_header == NULL) { | |
1419 | + printk("ip_conntrack: can't register to sysctl.\n"); | |
1420 | + goto cleanup; | |
1421 | + } | |
1422 | +#endif | |
1423 | + | |
1424 | + return ret; | |
1425 | + | |
1426 | + cleanup: | |
1427 | +#ifdef CONFIG_SYSCTL | |
1428 | + unregister_sysctl_table(ip_ct_sysctl_header); | |
1429 | +#endif | |
1430 | + nf_unregister_hook(&ip_conntrack_local_in_ops); | |
1431 | + cleanup_inoutandlocalops: | |
1432 | + nf_unregister_hook(&ip_conntrack_out_ops); | |
1433 | + cleanup_inandlocalops: | |
1434 | + nf_unregister_hook(&ip_conntrack_local_out_ops); | |
1435 | + cleanup_inops: | |
1436 | + nf_unregister_hook(&ip_conntrack_in_ops); | |
1437 | + cleanup_proc: | |
1438 | + proc_net_remove("ip_conntrack"); | |
1439 | + cleanup_init: | |
1440 | + ip_conntrack_cleanup(); | |
1441 | + cleanup_nothing: | |
1442 | + return ret; | |
1443 | +} | |
1444 | + | |
1445 | +/* FIXME: Allow NULL functions and sub in pointers to generic for | |
1446 | + them. --RR */ | |
1447 | +int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto) | |
1448 | +{ | |
1449 | + int ret = 0; | |
1450 | + struct list_head *i; | |
1451 | + | |
1452 | + WRITE_LOCK(&ip_conntrack_lock); | |
1453 | + list_for_each(i, &protocol_list) { | |
1454 | + if (((struct ip_conntrack_protocol *)i)->proto | |
1455 | + == proto->proto) { | |
1456 | + ret = -EBUSY; | |
1457 | + goto out; | |
1458 | + } | |
1459 | + } | |
1460 | + | |
1461 | + list_prepend(&protocol_list, proto); | |
1462 | + | |
1463 | + out: | |
1464 | + WRITE_UNLOCK(&ip_conntrack_lock); | |
1465 | + return ret; | |
1466 | +} | |
1467 | + | |
1468 | +void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto) | |
1469 | +{ | |
1470 | + WRITE_LOCK(&ip_conntrack_lock); | |
1471 | + | |
1472 | + /* ip_ct_find_proto() returns proto_generic in case there is no protocol | |
1473 | + * helper. So this should be enough - HW */ | |
1474 | + LIST_DELETE(&protocol_list, proto); | |
1475 | + WRITE_UNLOCK(&ip_conntrack_lock); | |
1476 | + | |
1477 | + /* Somebody could be still looking at the proto in bh. */ | |
1478 | + synchronize_net(); | |
1479 | + | |
1480 | + /* Remove all contrack entries for this protocol */ | |
1481 | + ip_ct_selective_cleanup(kill_proto, &proto->proto); | |
1482 | +} | |
1483 | + | |
1484 | +static int __init init(void) | |
1485 | +{ | |
1486 | + return init_or_cleanup(1); | |
1487 | +} | |
1488 | + | |
1489 | +static void __exit fini(void) | |
1490 | +{ | |
1491 | + init_or_cleanup(0); | |
1492 | +} | |
1493 | + | |
1494 | +module_init(init); | |
1495 | +module_exit(fini); | |
1496 | + | |
1497 | +/* Some modules need us, but don't depend directly on any symbol. | |
1498 | + They should call this. */ | |
1499 | +void need_ip_conntrack(void) | |
1500 | +{ | |
1501 | +} | |
1502 | + | |
1503 | +EXPORT_SYMBOL(ip_conntrack_protocol_register); | |
1504 | +EXPORT_SYMBOL(ip_conntrack_protocol_unregister); | |
1505 | +EXPORT_SYMBOL(invert_tuplepr); | |
1506 | +EXPORT_SYMBOL(ip_conntrack_alter_reply); | |
1507 | +EXPORT_SYMBOL(ip_conntrack_destroyed); | |
1508 | +EXPORT_SYMBOL(ip_conntrack_get); | |
1509 | +EXPORT_SYMBOL(need_ip_conntrack); | |
1510 | +EXPORT_SYMBOL(ip_conntrack_helper_register); | |
1511 | +EXPORT_SYMBOL(ip_conntrack_helper_unregister); | |
1512 | +EXPORT_SYMBOL(ip_ct_selective_cleanup); | |
1513 | +EXPORT_SYMBOL(ip_ct_refresh); | |
1514 | +EXPORT_SYMBOL(ip_ct_find_proto); | |
1515 | +EXPORT_SYMBOL(__ip_ct_find_proto); | |
1516 | +EXPORT_SYMBOL(ip_ct_find_helper); | |
1517 | +EXPORT_SYMBOL(ip_conntrack_expect_related); | |
1518 | +EXPORT_SYMBOL(ip_conntrack_change_expect); | |
1519 | +EXPORT_SYMBOL(ip_conntrack_unexpect_related); | |
1520 | +EXPORT_SYMBOL_GPL(ip_conntrack_expect_find_get); | |
1521 | +EXPORT_SYMBOL_GPL(ip_conntrack_expect_put); | |
1522 | +EXPORT_SYMBOL(ip_conntrack_tuple_taken); | |
1523 | +EXPORT_SYMBOL(ip_ct_gather_frags); | |
1524 | +EXPORT_SYMBOL(ip_conntrack_htable_size); | |
1525 | +EXPORT_SYMBOL(ip_conntrack_expect_list); | |
1526 | +EXPORT_SYMBOL(ip_conntrack_lock); | |
1527 | +EXPORT_SYMBOL(ip_conntrack_hash); | |
1528 | +EXPORT_SYMBOL_GPL(ip_conntrack_find_get); | |
1529 | +EXPORT_SYMBOL_GPL(ip_conntrack_put); | |
1530 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_tftp.c | |
1531 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_tftp.c 2004-03-04 06:16:41.000000000 +0000 | |
1532 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_tftp.c 2004-03-04 08:39:18.000000000 +0000 | |
1533 | @@ -44,7 +44,7 @@ | |
1534 | enum ip_conntrack_info ctinfo) | |
1535 | { | |
1536 | struct tftphdr tftph; | |
1537 | - struct ip_conntrack_expect exp; | |
1538 | + struct ip_conntrack_expect *exp; | |
1539 | ||
1540 | if (skb_copy_bits(skb, skb->nh.iph->ihl * 4 + sizeof(struct udphdr), | |
1541 | &tftph, sizeof(tftph)) != 0) | |
1542 | @@ -57,19 +57,21 @@ | |
1543 | DEBUGP(""); | |
1544 | DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | |
1545 | DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); | |
1546 | - memset(&exp, 0, sizeof(exp)); | |
1547 | ||
1548 | - exp.tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple; | |
1549 | - exp.mask.src.ip = 0xffffffff; | |
1550 | - exp.mask.dst.ip = 0xffffffff; | |
1551 | - exp.mask.dst.u.udp.port = 0xffff; | |
1552 | - exp.mask.dst.protonum = 0xffff; | |
1553 | - exp.expectfn = NULL; | |
1554 | + if (ip_conntrack_expect_alloc(&exp) < 0) | |
1555 | + return -ENOMEM; | |
1556 | + | |
1557 | + exp->tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple; | |
1558 | + exp->mask.src.ip = 0xffffffff; | |
1559 | + exp->mask.dst.ip = 0xffffffff; | |
1560 | + exp->mask.dst.u.udp.port = 0xffff; | |
1561 | + exp->mask.dst.protonum = 0xffff; | |
1562 | + exp->expectfn = NULL; | |
1563 | ||
1564 | DEBUGP("expect: "); | |
1565 | - DUMP_TUPLE(&exp.tuple); | |
1566 | - DUMP_TUPLE(&exp.mask); | |
1567 | - ip_conntrack_expect_related(ct, &exp); | |
1568 | + DUMP_TUPLE(&exp->tuple); | |
1569 | + DUMP_TUPLE(&exp->mask); | |
1570 | + ip_conntrack_expect_related(exp, ct); | |
1571 | break; | |
1572 | default: | |
1573 | DEBUGP("Unknown opcode\n"); | |
1574 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c | |
1575 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 1970-01-01 00:00:00.000000000 +0000 | |
1576 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 2004-03-04 08:39:26.000000000 +0000 | |
1577 | @@ -0,0 +1,89 @@ | |
1578 | +/** | |
1579 | + * Strip all IP options in the IP packet header. | |
1580 | + * | |
1581 | + * (C) 2001 by Fabrice MARIE <fabrice@netfilter.org> | |
1582 | + * This software is distributed under GNU GPL v2, 1991 | |
1583 | + */ | |
1584 | + | |
1585 | +#include <linux/module.h> | |
1586 | +#include <linux/skbuff.h> | |
1587 | +#include <linux/ip.h> | |
1588 | +#include <net/checksum.h> | |
1589 | + | |
1590 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
1591 | + | |
1592 | +MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>"); | |
1593 | +MODULE_DESCRIPTION("Strip all options in IPv4 packets"); | |
1594 | +MODULE_LICENSE("GPL"); | |
1595 | + | |
1596 | +static unsigned int | |
1597 | +target(struct sk_buff **pskb, | |
1598 | + const struct net_device *in, | |
1599 | + const struct net_device *out, | |
1600 | + unsigned int hooknum, | |
1601 | + const void *targinfo, | |
1602 | + void *userinfo) | |
1603 | +{ | |
1604 | + struct iphdr *iph; | |
1605 | + struct sk_buff *skb; | |
1606 | + struct ip_options *opt; | |
1607 | + unsigned char *optiph; | |
1608 | + int l; | |
1609 | + | |
1610 | + if (!skb_ip_make_writable(pskb, (*pskb)->len)) | |
1611 | + return NF_DROP; | |
1612 | + | |
1613 | + skb = (*pskb); | |
1614 | + iph = (*pskb)->nh.iph; | |
1615 | + optiph = skb->nh.raw; | |
1616 | + l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen; | |
1617 | + | |
1618 | + /* if no options in packet then nothing to clear. */ | |
1619 | + if (iph->ihl * 4 == sizeof(struct iphdr)) | |
1620 | + return IPT_CONTINUE; | |
1621 | + | |
1622 | + /* else clear all options */ | |
1623 | + memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options)); | |
1624 | + memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l); | |
1625 | + opt = &(IPCB(skb)->opt); | |
1626 | + opt->is_data = 0; | |
1627 | + opt->optlen = l; | |
1628 | + | |
1629 | + skb->nfcache |= NFC_ALTERED; | |
1630 | + | |
1631 | + return IPT_CONTINUE; | |
1632 | +} | |
1633 | + | |
1634 | +static int | |
1635 | +checkentry(const char *tablename, | |
1636 | + const struct ipt_entry *e, | |
1637 | + void *targinfo, | |
1638 | + unsigned int targinfosize, | |
1639 | + unsigned int hook_mask) | |
1640 | +{ | |
1641 | + if (strcmp(tablename, "mangle")) { | |
1642 | + printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", tablename); | |
1643 | + return 0; | |
1644 | + } | |
1645 | + /* nothing else to check because no parameters */ | |
1646 | + return 1; | |
1647 | +} | |
1648 | + | |
1649 | +static struct ipt_target ipt_ipv4optsstrip_reg = { | |
1650 | + .name = "IPV4OPTSSTRIP", | |
1651 | + .target = target, | |
1652 | + .checkentry = checkentry, | |
1653 | + .me = THIS_MODULE }; | |
1654 | + | |
1655 | +static int __init init(void) | |
1656 | +{ | |
1657 | + return ipt_register_target(&ipt_ipv4optsstrip_reg); | |
1658 | +} | |
1659 | + | |
1660 | +static void __exit fini(void) | |
1661 | +{ | |
1662 | + ipt_unregister_target(&ipt_ipv4optsstrip_reg); | |
1663 | +} | |
1664 | + | |
1665 | +module_init(init); | |
1666 | +module_exit(fini); | |
1667 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_TTL.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_TTL.c | |
1668 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_TTL.c 1970-01-01 00:00:00.000000000 +0000 | |
1669 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_TTL.c 2004-03-04 08:39:28.000000000 +0000 | |
1670 | @@ -0,0 +1,120 @@ | |
1671 | +/* TTL modification target for IP tables | |
1672 | + * (C) 2000 by Harald Welte <laforge@gnumonks.org> | |
1673 | + * | |
1674 | + * Version: $Revision$ | |
1675 | + * | |
1676 | + * This software is distributed under the terms of GNU GPL | |
1677 | + */ | |
1678 | + | |
1679 | +#include <linux/module.h> | |
1680 | +#include <linux/skbuff.h> | |
1681 | +#include <linux/ip.h> | |
1682 | +#include <net/checksum.h> | |
1683 | + | |
1684 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
1685 | +#include <linux/netfilter_ipv4/ipt_TTL.h> | |
1686 | + | |
1687 | +MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); | |
1688 | +MODULE_DESCRIPTION("IP tables TTL modification module"); | |
1689 | +MODULE_LICENSE("GPL"); | |
1690 | + | |
1691 | +static unsigned int | |
1692 | +ipt_ttl_target(struct sk_buff **pskb, const struct net_device *in, | |
1693 | + const struct net_device *out, unsigned int hooknum, | |
1694 | + const void *targinfo, void *userinfo) | |
1695 | +{ | |
1696 | + struct iphdr *iph; | |
1697 | + const struct ipt_TTL_info *info = targinfo; | |
1698 | + u_int16_t diffs[2]; | |
1699 | + int new_ttl; | |
1700 | + | |
1701 | + if (!skb_ip_make_writable(pskb, (*pskb)->len)) | |
1702 | + return NF_DROP; | |
1703 | + | |
1704 | + iph = (*pskb)->nh.iph; | |
1705 | + | |
1706 | + switch (info->mode) { | |
1707 | + case IPT_TTL_SET: | |
1708 | + new_ttl = info->ttl; | |
1709 | + break; | |
1710 | + case IPT_TTL_INC: | |
1711 | + new_ttl = iph->ttl + info->ttl; | |
1712 | + if (new_ttl > 255) | |
1713 | + new_ttl = 255; | |
1714 | + break; | |
1715 | + case IPT_TTL_DEC: | |
1716 | + new_ttl = iph->ttl + info->ttl; | |
1717 | + if (new_ttl < 0) | |
1718 | + new_ttl = 0; | |
1719 | + break; | |
1720 | + default: | |
1721 | + new_ttl = iph->ttl; | |
1722 | + break; | |
1723 | + } | |
1724 | + | |
1725 | + if (new_ttl != iph->ttl) { | |
1726 | + diffs[0] = htons(((unsigned)iph->ttl) << 8) ^ 0xFFFF; | |
1727 | + iph->ttl = new_ttl; | |
1728 | + diffs[1] = htons(((unsigned)iph->ttl) << 8); | |
1729 | + iph->check = csum_fold(csum_partial((char *)diffs, | |
1730 | + sizeof(diffs), | |
1731 | + iph->check^0xFFFF)); | |
1732 | + (*pskb)->nfcache |= NFC_ALTERED; | |
1733 | + } | |
1734 | + | |
1735 | + return IPT_CONTINUE; | |
1736 | +} | |
1737 | + | |
1738 | +static int ipt_ttl_checkentry(const char *tablename, | |
1739 | + const struct ipt_entry *e, | |
1740 | + void *targinfo, | |
1741 | + unsigned int targinfosize, | |
1742 | + unsigned int hook_mask) | |
1743 | +{ | |
1744 | + struct ipt_TTL_info *info = targinfo; | |
1745 | + | |
1746 | + if (targinfosize != IPT_ALIGN(sizeof(struct ipt_TTL_info))) { | |
1747 | + printk(KERN_WARNING "TTL: targinfosize %u != %Zu\n", | |
1748 | + targinfosize, | |
1749 | + IPT_ALIGN(sizeof(struct ipt_TTL_info))); | |
1750 | + return 0; | |
1751 | + } | |
1752 | + | |
1753 | + if (strcmp(tablename, "mangle")) { | |
1754 | + printk(KERN_WARNING "TTL: can only be called from \"mangle\" table, not \"%s\"\n", tablename); | |
1755 | + return 0; | |
1756 | + } | |
1757 | + | |
1758 | + if (info->mode > IPT_TTL_MAXMODE) { | |
1759 | + printk(KERN_WARNING "TTL: invalid or unknown Mode %u\n", | |
1760 | + info->mode); | |
1761 | + return 0; | |
1762 | + } | |
1763 | + | |
1764 | + if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) { | |
1765 | + printk(KERN_WARNING "TTL: increment/decrement doesn't make sense with value 0\n"); | |
1766 | + return 0; | |
1767 | + } | |
1768 | + | |
1769 | + return 1; | |
1770 | +} | |
1771 | + | |
1772 | +static struct ipt_target ipt_TTL = { | |
1773 | + .name = "TTL", | |
1774 | + .target = ipt_ttl_target, | |
1775 | + .checkentry = ipt_ttl_checkentry, | |
1776 | + .me = THIS_MODULE | |
1777 | +}; | |
1778 | + | |
1779 | +static int __init init(void) | |
1780 | +{ | |
1781 | + return ipt_register_target(&ipt_TTL); | |
1782 | +} | |
1783 | + | |
1784 | +static void __exit fini(void) | |
1785 | +{ | |
1786 | + ipt_unregister_target(&ipt_TTL); | |
1787 | +} | |
1788 | + | |
1789 | +module_init(init); | |
1790 | +module_exit(fini); | |
1791 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_connlimit.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_connlimit.c | |
1792 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_connlimit.c 1970-01-01 00:00:00.000000000 +0000 | |
1793 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_connlimit.c 2004-03-04 08:39:29.000000000 +0000 | |
1794 | @@ -0,0 +1,230 @@ | |
1795 | +/* | |
1796 | + * netfilter module to limit the number of parallel tcp | |
1797 | + * connections per IP address. | |
1798 | + * (c) 2000 Gerd Knorr <kraxel@bytesex.org> | |
1799 | + * Nov 2002: Martin Bene <martin.bene@icomedias.com>: | |
1800 | + * only ignore TIME_WAIT or gone connections | |
1801 | + * | |
1802 | + * based on ... | |
1803 | + * | |
1804 | + * Kernel module to match connection tracking information. | |
1805 | + * GPL (C) 1999 Rusty Russell (rusty@rustcorp.com.au). | |
1806 | + */ | |
1807 | +#include <linux/module.h> | |
1808 | +#include <linux/skbuff.h> | |
1809 | +#include <linux/list.h> | |
1810 | +#include <linux/netfilter_ipv4/ip_conntrack.h> | |
1811 | +#include <linux/netfilter_ipv4/ip_conntrack_core.h> | |
1812 | +#include <linux/netfilter_ipv4/ip_conntrack_tcp.h> | |
1813 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
1814 | +#include <linux/netfilter_ipv4/ipt_connlimit.h> | |
1815 | + | |
1816 | +#define DEBUG 0 | |
1817 | + | |
1818 | +MODULE_LICENSE("GPL"); | |
1819 | + | |
1820 | +/* we'll save the tuples of all connections we care about */ | |
1821 | +struct ipt_connlimit_conn | |
1822 | +{ | |
1823 | + struct list_head list; | |
1824 | + struct ip_conntrack_tuple tuple; | |
1825 | +}; | |
1826 | + | |
1827 | +struct ipt_connlimit_data { | |
1828 | + spinlock_t lock; | |
1829 | + struct list_head iphash[256]; | |
1830 | +}; | |
1831 | + | |
1832 | +static int ipt_iphash(u_int32_t addr) | |
1833 | +{ | |
1834 | + int hash; | |
1835 | + | |
1836 | + hash = addr & 0xff; | |
1837 | + hash ^= (addr >> 8) & 0xff; | |
1838 | + hash ^= (addr >> 16) & 0xff; | |
1839 | + hash ^= (addr >> 24) & 0xff; | |
1840 | + return hash; | |
1841 | +} | |
1842 | + | |
1843 | +static int count_them(struct ipt_connlimit_data *data, | |
1844 | + u_int32_t addr, u_int32_t mask, | |
1845 | + struct ip_conntrack *ct) | |
1846 | +{ | |
1847 | +#if DEBUG | |
1848 | + const static char *tcp[] = { "none", "established", "syn_sent", "syn_recv", | |
1849 | + "fin_wait", "time_wait", "close", "close_wait", | |
1850 | + "last_ack", "listen" }; | |
1851 | +#endif | |
1852 | + int addit = 1, matches = 0; | |
1853 | + struct ip_conntrack_tuple tuple; | |
1854 | + struct ip_conntrack_tuple_hash *found; | |
1855 | + struct ipt_connlimit_conn *conn; | |
1856 | + struct list_head *hash,*lh; | |
1857 | + | |
1858 | + spin_lock(&data->lock); | |
1859 | + tuple = ct->tuplehash[0].tuple; | |
1860 | + hash = &data->iphash[ipt_iphash(addr & mask)]; | |
1861 | + | |
1862 | + /* check the saved connections */ | |
1863 | + for (lh = hash->next; lh != hash; lh = lh->next) { | |
1864 | + conn = list_entry(lh,struct ipt_connlimit_conn,list); | |
1865 | + found = ip_conntrack_find_get(&conn->tuple,ct); | |
1866 | + if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) && | |
1867 | + found != NULL && | |
1868 | + found->ctrack->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) { | |
1869 | + /* Just to be sure we have it only once in the list. | |
1870 | + We should'nt see tuples twice unless someone hooks this | |
1871 | + into a table without "-p tcp --syn" */ | |
1872 | + addit = 0; | |
1873 | + } | |
1874 | +#if DEBUG | |
1875 | + printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d %s\n", | |
1876 | + ipt_iphash(addr & mask), | |
1877 | + NIPQUAD(conn->tuple.src.ip), ntohs(conn->tuple.src.u.tcp.port), | |
1878 | + NIPQUAD(conn->tuple.dst.ip), ntohs(conn->tuple.dst.u.tcp.port), | |
1879 | + (NULL != found) ? tcp[found->ctrack->proto.tcp.state] : "gone"); | |
1880 | +#endif | |
1881 | + if (NULL == found) { | |
1882 | + /* this one is gone */ | |
1883 | + lh = lh->prev; | |
1884 | + list_del(lh->next); | |
1885 | + kfree(conn); | |
1886 | + continue; | |
1887 | + } | |
1888 | + if (found->ctrack->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT) { | |
1889 | + /* we don't care about connections which are | |
1890 | + closed already -> ditch it */ | |
1891 | + lh = lh->prev; | |
1892 | + list_del(lh->next); | |
1893 | + kfree(conn); | |
1894 | + nf_conntrack_put(&found->ctrack->infos[0]); | |
1895 | + continue; | |
1896 | + } | |
1897 | + if ((addr & mask) == (conn->tuple.src.ip & mask)) { | |
1898 | + /* same source IP address -> be counted! */ | |
1899 | + matches++; | |
1900 | + } | |
1901 | + nf_conntrack_put(&found->ctrack->infos[0]); | |
1902 | + } | |
1903 | + if (addit) { | |
1904 | + /* save the new connection in our list */ | |
1905 | +#if DEBUG | |
1906 | + printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d new\n", | |
1907 | + ipt_iphash(addr & mask), | |
1908 | + NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port), | |
1909 | + NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port)); | |
1910 | +#endif | |
1911 | + conn = kmalloc(sizeof(*conn),GFP_ATOMIC); | |
1912 | + if (NULL == conn) | |
1913 | + return -1; | |
1914 | + memset(conn,0,sizeof(*conn)); | |
1915 | + INIT_LIST_HEAD(&conn->list); | |
1916 | + conn->tuple = tuple; | |
1917 | + list_add(&conn->list,hash); | |
1918 | + matches++; | |
1919 | + } | |
1920 | + spin_unlock(&data->lock); | |
1921 | + return matches; | |
1922 | +} | |
1923 | + | |
1924 | +static int | |
1925 | +match(const struct sk_buff *skb, | |
1926 | + const struct net_device *in, | |
1927 | + const struct net_device *out, | |
1928 | + const void *matchinfo, | |
1929 | + int offset, | |
1930 | + int *hotdrop) | |
1931 | +{ | |
1932 | + const struct ipt_connlimit_info *info = matchinfo; | |
1933 | + int connections, match; | |
1934 | + struct ip_conntrack *ct; | |
1935 | + enum ip_conntrack_info ctinfo; | |
1936 | + | |
1937 | + ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo); | |
1938 | + if (NULL == ct) { | |
1939 | + printk("ipt_connlimit: Oops: invalid ct state ?\n"); | |
1940 | + *hotdrop = 1; | |
1941 | + return 0; | |
1942 | + } | |
1943 | + connections = count_them(info->data,skb->nh.iph->saddr,info->mask,ct); | |
1944 | + if (-1 == connections) { | |
1945 | + printk("ipt_connlimit: Hmm, kmalloc failed :-(\n"); | |
1946 | + *hotdrop = 1; /* let's free some memory :-) */ | |
1947 | + return 0; | |
1948 | + } | |
1949 | + match = (info->inverse) ? (connections <= info->limit) : (connections > info->limit); | |
1950 | +#if DEBUG | |
1951 | + printk("ipt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u " | |
1952 | + "connections=%d limit=%d match=%s\n", | |
1953 | + NIPQUAD(skb->nh.iph->saddr), NIPQUAD(info->mask), | |
1954 | + connections, info->limit, match ? "yes" : "no"); | |
1955 | +#endif | |
1956 | + | |
1957 | + return match; | |
1958 | +} | |
1959 | + | |
1960 | +static int check(const char *tablename, | |
1961 | + const struct ipt_ip *ip, | |
1962 | + void *matchinfo, | |
1963 | + unsigned int matchsize, | |
1964 | + unsigned int hook_mask) | |
1965 | +{ | |
1966 | + struct ipt_connlimit_info *info = matchinfo; | |
1967 | + int i; | |
1968 | + | |
1969 | + /* verify size */ | |
1970 | + if (matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info))) | |
1971 | + return 0; | |
1972 | + | |
1973 | + /* refuse anything but tcp */ | |
1974 | + if (ip->proto != IPPROTO_TCP) | |
1975 | + return 0; | |
1976 | + | |
1977 | + /* init private data */ | |
1978 | + info->data = kmalloc(sizeof(struct ipt_connlimit_data),GFP_KERNEL); | |
1979 | + spin_lock_init(&(info->data->lock)); | |
1980 | + for (i = 0; i < 256; i++) | |
1981 | + INIT_LIST_HEAD(&(info->data->iphash[i])); | |
1982 | + | |
1983 | + return 1; | |
1984 | +} | |
1985 | + | |
1986 | +static void destroy(void *matchinfo, unsigned int matchinfosize) | |
1987 | +{ | |
1988 | + struct ipt_connlimit_info *info = matchinfo; | |
1989 | + struct ipt_connlimit_conn *conn; | |
1990 | + struct list_head *hash; | |
1991 | + int i; | |
1992 | + | |
1993 | + /* cleanup */ | |
1994 | + for (i = 0; i < 256; i++) { | |
1995 | + hash = &(info->data->iphash[i]); | |
1996 | + while (hash != hash->next) { | |
1997 | + conn = list_entry(hash->next,struct ipt_connlimit_conn,list); | |
1998 | + list_del(hash->next); | |
1999 | + kfree(conn); | |
2000 | + } | |
2001 | + } | |
2002 | + kfree(info->data); | |
2003 | +} | |
2004 | + | |
2005 | +static struct ipt_match connlimit_match = { | |
2006 | + .name = "connlimit", | |
2007 | + .match = &match, | |
2008 | + .checkentry = &check, | |
2009 | + .destroy = &destroy, | |
2010 | + .me = THIS_MODULE | |
2011 | +}; | |
2012 | + | |
2013 | +static int __init init(void) | |
2014 | +{ | |
2015 | + return ipt_register_match(&connlimit_match); | |
2016 | +} | |
2017 | + | |
2018 | +static void __exit fini(void) | |
2019 | +{ | |
2020 | + ipt_unregister_match(&connlimit_match); | |
2021 | +} | |
2022 | + | |
2023 | +module_init(init); | |
2024 | +module_exit(fini); | |
2025 | diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_dstlimit.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_dstlimit.c | |
2026 | --- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_dstlimit.c 1970-01-01 00:00:00.000000000 +0000 | |
2027 | +++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_dstlimit.c 2004-03-04 08:39:30.000000000 +0000 | |
2028 | @@ -0,0 +1,690 @@ | |
2029 | +/* iptables match extension to limit the number of packets per second | |
2030 | + * seperately for each destination. | |
2031 | + * | |
2032 | + * (C) 2003 by Harald Welte <laforge@netfilter.org> | |
2033 | + * | |
2034 | + * $Id$ | |
2035 | + * | |
2036 | + * Development of this code was funded by Astaro AG, http://www.astaro.com/ | |
2037 | + * | |
2038 | + * based on ipt_limit.c by: | |
2039 |